Channel: Information Security News|Cyber Security|Hacking Tutorial

Shark Ransomware Rebrands as Atom for a Fresh Start


The Shark Ransomware Project that appeared in July 2016 has rebranded as the Atom Ransomware Affiliate Program, offering an improved service for crooks that want to start a life in cyber-crime.

We don’t know why the project rebranded, but there have been several reports from security vendors and various media publications that have broken down the project’s mode of operation and analyzed every facet of its service. Ransomware operators don’t like public exposure, so it might be safe to say that the Shark team, now Atom, is looking for a fresh start.

Just like Shark, the service is still available on the public Internet, which is strange because most of its rivals prefer the anonymity and safety provided by the Tor network.

The Atom homepage still runs on WordPress, but unlike its predecessor, hides its admin panel login much better. Nevertheless, if you look at the site’s homepage, you still find traces of the Ninja Forms WordPress plugin code.

Atom website

The biggest change between Atom and Shark is the new Atom Payload Builder, a downloadable EXE that allows crooks to compile their customized version of the Atom ransomware.

The main difference between the Atom builder and the old Shark one is that it generates a fully working payload executable, rather than just a configuration code that was used as an argument to the Shark exe file. This greatly reduces the complexity of getting a ransomware build up and running for a distributor.

At the time of writing, the builder is at version 1.02, and features three options: a Bitcoin address where the user wants to receive his cut from the profits, the ransom demand fee (in Bitcoin), and the list of file extensions that should be targeted for encryption.

Atom Payload Builder

After users compile their own version of the ransomware, they are free to decide on the distribution method they wish to use. Options include exploit kits, email spam, IM spam, and others. Atom devs don’t provide any clues or hints as to how the payload should be distributed, but rather leave it up to their affiliates.

What they provide is a unique ransomware affiliate ID that is hardcoded inside their version of the Atom ransomware. The ID is sent to the Atom RaaS master server with each infection and allows the Atom team to track infections across different users.

Using this tracking code, an affiliate can view data about their installs inside a web panel that they can access from the Atom homepage. This panel shows the number of victims infected by an Atom variant with that particular ID, how many of the victims paid, and what amount of money the crook has earned.

Atom ransomware campaign statistics – web panel

Just like Shark, the Atom team requires a 20 percent cut from the ransom demand each victim pays. There is no guarantee that people entering this informal business agreement with the Atom team would ever receive their money. All Atom ransom payments are actually sent to the Bitcoin wallet controlled by the Atom team, which then “promises” to redirect money to its users.

There is no honor among ransomware operators, as was recently proven by the operator of the Petya and Mischa ransomware, who leaked the decryption keys for one of his rivals that ran the Chimera RaaS project.

Atom decryptor and ransom note

When an Atom ransomware infection takes hold, the ransomware starts an EXE file which doubles as the ransom note and the ransomware decrypter.

The ransomware locks the user’s files via the AES-256 algorithm and uses HTTPS to send the decryption key and a unique victim ID to the RaaS C&C servers.

This initial beacon also includes the settings customized by each RaaS user, such as the ransomware campaign ID, the ransom decryption fee, and the crook’s Bitcoin address.

Atom ransom note

Though the Atom service offers a professional looking web site, its focus seems to be the availability of its service to as many crooks as possible. This may explain why its operators chose to host their website on the public Internet and not on the Dark Web. This may leave the door open for potential bugs in the ransomware code that may allow security researchers to crack Atom in the near future.

KNOWLEDGE BELONGS TO THE WORLD

The post Shark Ransomware Rebrands as Atom for a Fresh Start appeared first on Information Security Newspaper.


US 911 Emergency Services Can Be Shut Down by DDoS Attacks From Mobile Botnets


Research published last week by the Cyber-Security Research Center at the Ben-Gurion University of the Negev in Israel reveals that it only takes about 6,000 smartphones infected with malware to launch a DDoS attack capable of shutting down 911 emergency services in a US state.

To cripple 911 services across the entire US, attackers would need a botnet with as few as 200,000 devices, which is a pretty large number, but something that nation-state attackers would be willing to invest in and create.

Researchers say that in its current state, the 911 emergency system has no defenses to protect itself against such attacks.

Mobile operators are required by current FCC regulations to forward any 911 call to emergency call centers, called public safety answering points (PSAP), regardless of the caller’s IMSI or IMEI identifiers. There is currently no system in place to blacklist repeated callers.

Nation-states could build huge botnets

During their investigation, Israeli researchers said that attacks can come from mobile phones infected with malware belonging to legitimate users, or from special laboratories, specifically built to carry out attacks. The cost of a botnet of 6,000 smartphones capable of launching attacks would be around $100,000, researchers estimated.

To scale the number to 200,000 smartphones, an attacker would have to invest between $3.3 and $3.4 million to build a DDoS cannon capable of shutting down the US 911 system and causing havoc around the country.

Taking into account that countries invest billions of dollars in military budgets, the initial investment is a low figure, and threat actors could build bigger botnets if they chose to, for better results.

Attacks can be anonymous, impossible to detect

Researchers that worked on the attack methodology also say that attacks can be carried out anonymously by using malware embedded in the phone’s baseband firmware.

The malware would randomize the phone’s IMSI (SIM card-related) and IMEI (phone-related) identifiers for each attack, so mobile operators would not be able to blacklist the callers at their level. If 911 call centers implement a blacklisting system in the future, these randomized identifiers would be able to bypass them as well.

The architecture of the 911 DDoS bot within the firmware of the baseband processor

To make the attack even more powerful, researchers configured the malware they developed for their own tests to dial the 911 number continually. As soon as the previous connection was closed, the malware would start another.

The malware would also insert audio inside the call, in an attempt to keep 911 operators busy as much as possible and deny service for real users.

Full 911 shutdown is possible with enough determination and mobile bots

Tests with the 6,000 mobile botnet revealed that the DDoS attack blocked 911 access to 50 percent of users inside a state. If the attacker wanted a complete service shutdown with a 90 percent denial rate, then the botnet’s size would have to be increased to 50,000.

911 DDoS attacks on the whole US level with the 200,000 botnet yielded a 33.3 percent denial rate for users across the country.

The 911 emergency system, according to the Department of Homeland Security, is one of the 16 critical services across the US, which should be protected and safeguarded at all times, not just in times of war.

Defensive measures need to be taken, since mobile botnets have already been spotted in the wild by CloudFlare. In September 2015, a mobile botnet of 650,000 smartphones, mostly located in China, launched classic HTTP DDoS attacks against local websites.

Source:http://www.bleepingcomputer.com/



Mamba: The new Full Disk Encryption Ransomware Family Member


A Brazilian Infosec research group, Morphus Labs, just discovered a new Full Disk Encryption (FDE) Ransomware this week, dubbed Mamba.

Mamba, as they named it, uses a disk-level encryption strategy instead of the conventional file-based one. This may be just the beginning of a new era for ransomware.

In this article, Renato Marinho (@renato_marinho), the researcher responsible for the finding, explains more about this new threat [1].

1. About Mamba

“You are Hacked ! H.D.D Encrypted, Contact Us For Decryption Key (w889901665@yandex.com) YOURID: 123152”. This message is all that remains for the victims of this new Ransomware. To get the decryption key, it’s necessary to contact somebody through the informed e-mail address, give the ID and pay 1 BTC per infected host. Without that, the system doesn’t even start. For the matter of this article, we will call this Ransomware “Mamba”, a snake with a paralyzing poison.

It seems that the disk-level Ransomware family is growing. A similar Ransomware, called Petya, got famous in March this year because of its disk encryption strategy, although some analyses [2] say that the malware encrypts the master file table (MFT) and not the data itself. Mamba differs from Petya exactly at this point: it uses an open source full disk encryption tool called DiskCryptor [3] to strongly encrypt the data.

We found Mamba last September 7, during an incident response procedure for a multinational company that had some servers compromised by this malware in its Brazil, USA and India subsidiaries.

The goal of this article is to share some Mamba analysis results and to get some collaboration to better understand this threat and its intrusion vectors.

2. The ransom message

As stated in the introduction of this article, the ransomware prevents the operating system from booting up. It overwrites the boot disk master boot record (MBR) with a custom one that shows the ransom message and asks for the password, as you can see in Figure 1.

mamba-ransomware

Figure 1: The ransom message at the beginning of the boot process

It’s not clear, but this new MBR also prompts the user for the decryption password.

3. Looking for the malware sample

As all the data on the compromised servers’ HDDs was encrypted, including the Ransomware itself, we started to look for more information about it somewhere else.

The first strategy was looking for some parts of the ransom message on the Web. To our surprise, putting in the text “contact us for decryption key” YOURID, we received just one result from Google. It pointed to an analysis made using the Malwr [4] sandbox on Aug/29. This result gave us some important information, like the file name (141.exe) and the hashes.

mamba-ransomware-2

Figure 2: Google results for parts of the ransom message

Searching the “141.exe” file hash at VirusTotal, we found some AV engines linking the sample to a Ransomware malware, like TrendMicro calling it “Ransom_HDDCRYPTOR.A”.

mamba-ransomware-3

Figure 3: TrendMicro’s analysis for the “141.exe” sample

At the same time, we started to seek the malware on other hosts of the company’s network. After some effort, using an anti-malware solution, we started to find a malicious file on some different hosts. The file name was “152.exe”.

Conducting some dynamic analysis of “152.exe” with the TIV and Hybrid-Analysis [5] sandboxes, we started to find some similarities between Mamba’s memory dump strings and the ransom message. To tell the truth, we found exactly the message “You are Hacked ! H.D.D Encrypted, Contact Us For Decryption Key (w889901665@yandex.com) YOURID: 123152” – even the “YOURID” was the same!

By the way, we found it very curious that the “YOURID” information in the sandbox analysis was the same as on the company’s compromised hosts. In other words, it seems like this is a static code.

4. Mamba’s initial analysis

To better understand how Mamba works, we started to perform some tests with it in our lab. In a first test, we basically ran the sample in a Windows 8.1 VM, but, unfortunately, nothing happened apart from a log file in the directory “C:\DC22” saying the password wasn’t provided.

On a second try, we gave a password as a parameter and the result was different. Some other files were created in “C:\DC22”, as can be seen in the image below.

mamba-ransomware-4

Figure 4: files created as the result of 152.exe execution with a password argument

After a few seconds, Windows restarted and, when it returned, the operating system was apparently normal and these were the messages found in “log_file.txt”:

installing driver…
installing driver successfully..
getting share drive information…
Trying to create service…
creating service successfully. rebooting windows…

From these messages we got some more information:

– A new service was created – it doesn’t mention the name;
– They are apparently using the tool DiskCryptor;
– Maybe they intend to get some credentials from the machine using “netpass.exe”;
– The “netuse.txt” lists the shared folders mapped by the user;

So, we used Regshot to discover some more information about the changes caused by the malware in the OS, including the new service created by the malware. As a result, we discovered that one of the new services was called “DefragmentService”. We also discovered that the malware created a new user on the machine called “mythbusters” with the password “123456”.

This is the new service information:

mamba-ransomware-5

Figure 5: Fake DefragmentService created by Mamba

So, according to this service, after the machine reboot, “152.exe” was expected to be called with the same parameters we gave in the first run. We kept watching the machine’s processes, but no 152.exe was running.

Then, we tried to reboot the machine again to check if the ransom message would appear, but the system booted up normally again.

Performing some analysis on “dcrypt.exe” and “dccon.exe”, the DiskCryptor GUI and command line tool, respectively, we found that the password parameter is preceded by a “-p”. So, we tried running “152.exe” with this parameter before diving into the reverse engineering job.

To our surprise, this time the encryption process worked and the ransom message was shown during boot. The only thing to note here is that the password was the “-p” itself and not the password given by the following parameter as we expected. So, the thing is, Mamba was expecting a second argument to run properly.

The process that encrypted the disk was “dccon.exe”, called by “152.exe”. During the process, it was possible to follow the encryption with the command “dccon -info pt0”, and the result was as follows:

mamba-ransomware-6

Figure 6: Full disk encrypted by the Mamba Ransomware.

After the reboot, which didn’t occur automatically, the ransom message was shown exactly the same as on the company’s compromised machines.

mamba-ransomware-7

Figure 7: Lab machine compromised

At this stage, the log file looks like this:

installing driver…
installing driver successfully..
getting share drive information…
Trying to create service…
creating service successfully. rebooting windows…
Checking resources existence. They are OK…
driver installed before…
starting serviceMain…
ServiceMain: Entry
ServiceMain: Performing Service Start Operations
ServiceMain: Waiting for Worker Thread to complete
ServiceWorkerThread: Entry
ServiceCtrlHandler: Entry
ServiceCtrlHandler: Exit
Starting Mount app…
Checking resources existence. They are OK…
driver installed before…
mount:start…
pass:
123456
mount:mounting share drive…
mount:OS is win2003 or lower…
mount:share drive not found …
mount:exit Mount…
start hard drive encryption…
Checking resources existence. They are OK…
driver installed before…
Trying to create service…

As we can see, at some moment, the password used to encrypt the disk was printed to the log file.
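Triage logic for the log phases shown above, as an added example that is not Morphus Labs’ code: it parses a constructed copy of the log_file.txt lines quoted in this article, records which stage the malware had reached, and recovers the DiskCryptor password that the malware writes on the line after “pass:”. The stage names and the findings text are this example’s own labels.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample reproducing the C:\DC22\log_file.txt lines quoted in
# the article (ASCII dots instead of the ellipsis character).
SAMPLE_LOG = """installing driver...
installing driver successfully..
getting share drive information...
Trying to create service...
creating service successfully. rebooting windows...
Checking resources existence. They are OK...
driver installed before...
starting serviceMain...
ServiceMain: Entry
 ServiceMain: Performing Service Start Operations
ServiceMain: Waiting for Worker Thread to complete
ServiceWorkerThread: Entry
ServiceCtrlHandler: Entry
ServiceCtrlHandler: Exit
Starting Mount app...
Checking resources existence. They are OK...
driver installed before...
mount:start...
pass:
123456
mount:mounting share drive...
mount:OS is win2003 or lower...
mount:share drive not found ...
mount:exit Mount...
start hard drive encryption...
Checking resources existence. They are OK...
driver installed before...
Trying to create service...
"""

# Log prefixes that mark progress, in the order the article's log shows them.
# The stage names are this example's own labels, not strings from the malware.
MILESTONES = [
    ("installing driver successfully", "driver_installed"),
    ("creating service successfully", "service_created"),
    ("Starting Mount app", "mount_started"),
    ("mount:mounting share drive", "share_mount_attempted"),
    ("start hard drive encryption", "encryption_started"),
]


@dataclass
class MambaTriage:
    stages: List[str] = field(default_factory=list)  # milestones reached, in order
    password: Optional[str] = None                    # value logged after "pass:"
    share_drive_found: Optional[bool] = None          # None if the mount step never logged
    reboots: int = 0                                  # "rebooting windows" occurrences


def parse_mamba_log(text: str) -> MambaTriage:
    """Walk the log once and collect the facts an incident responder needs."""
    result = MambaTriage()
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        for prefix, stage in MILESTONES:
            if line.startswith(prefix) and stage not in result.stages:
                result.stages.append(stage)
        if "rebooting windows" in line:
            result.reboots += 1
        # The malware writes the clear-text password on the line after "pass:".
        if line == "pass:" and i + 1 < len(lines):
            result.password = lines[i + 1]
        if line.startswith("mount:share drive not found"):
            result.share_drive_found = False
    return result


def assess(triage: MambaTriage) -> List[str]:
    """Turn the parsed facts into findings for the incident report."""
    findings = []
    if "encryption_started" in triage.stages:
        findings.append("full disk encryption started; expect the ransom MBR on next boot")
    elif "service_created" in triage.stages:
        findings.append("DefragmentService persistence present, encryption not started; isolate host")
    if triage.password is not None:
        findings.append("DiskCryptor password recovered from log: " + repr(triage.password))
    if triage.share_drive_found is False:
        findings.append("no mapped share drive reachable; network shares not encrypted from this host")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_mamba_log(SAMPLE_LOG)):
        print(finding)
```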

5. Next steps

We’ve found some good information about this threat so far, but we haven’t found the infection vector yet. We know that the password used to encrypt the disk is given as a parameter, so there may exist some script or other binary that calls the “152.exe” code giving it the clear text password that will be used. We also think that the password is the same for all the victims, or may be something related to the victims’ environment, like the hostname, or something like that.

The actors in charge of this campaign seem to be making some money. We contacted the e-mail address and they asked for 1 BTC per infected machine.

This is the reply message we received:

andy saolis <w889901665@yandex.com>

Your HDD Encrypted By AES 2048Bit

send 1BTC Per HOST  to My Bitcoin Wallet , then we give you Decryption key For Your Server HDD!!

My Bitcoin Wallet Address :  1NLnMNMPbxWeMJVtGuobnzWU3WozYz86Bf

We Only Accept Bitcoin , it’s So easy!

you can use Brokers to exchange your money to BTC ASAP

it’s Fast way!

Here:

https://localbitcoins.com/

if You Don’t Have a Account in Bitcoin , Read it First :

https://bitcoin.org/en/getting-started

bitcoin Market :

https://blockchain.info/

https://www.okcoin.com/

https://www.coinbase.com/

https://bitcoinwallet.com

One point that caught our attention was the mention of “server” in the reply message. Would their strategy be to compromise just servers? Corroborating that hypothesis is the fact that the other machines with the “152.exe” file weren’t compromised.

The bitcoin wallet given by the cybercriminal received 4 BTC by the time of this writing.

mamba-ransomware-8

Figure 8: Cybercriminal bitcoin wallet balance

As Renato Marinho has stated, Morphus Labs is open to collaborating with the information security community in finding more information about this threat. They have other samples of Mamba.

Source:http://securityaffairs.co/



A backdoor on Xiaomi devices allows silent and remote delivery of any app


A Dutch Computer Science student discovered the presence of a backdoor that could allow an attacker to silently install any app on Xiaomi phones.

A Dutch Computer Science student, Thijs Broenink, who analyzed his Xiaomi mobile device discovered the presence of a backdoor that could allow an attacker to silently install any app on the phone.
The student decided to investigate the presence of pre-installed apps and services on the ROM used by his Xiaomi smartphone trying to discover their purposes. In the past, we have already reported the presence of pre-installed apps that pose a threat to users’ security and privacy.

In March 2015, the security firm Bluebox discovered pre-installed malware and other security issues with a Xiaomi Mi 4 mobile device. The mobile devices analyzed by the security firm seem to have been tampered with by an unidentified third party.

In August 2014, experts at F-Secure security firm analyzing the new Xiaomi RedMi 1S discovered that it was sending out to a server located in China a lot of user’s data.

Back to the present days, the Dutch student noticed a mysterious pre-installed app, dubbed AnalyticsCore.apk, that runs 24×7 in the background and it is impossible to remove.

The student decided to ask about the presence of the AnalyticsCore app on the company’s support forum, without success. At this point, Broenink decided to reverse engineer the code and discovered that the app checks for a new update from the Xiaomi server every 24 hours.

The app sends out mobile device identification data including Model, IMEI, MAC address, Nonce, Package name as well as signature.

If the app finds a more recent APK with the filename “Analytics.apk” on the server, it will automatically download and install it in the background without user interaction.

How does the AnalyticsCore.apk check the authenticity of an update file? What happens if an attacker substitutes the app with a trojanized version?

“The question is then: does it verify the correctness of the APK, and does it make sure that it is in fact an Analytics app? If it does not, that means Xiaomi can install any app on your device it wants, as long as it’s named Analytics.apk.” Broenink wrote in a blog post.

Broenink discovered that the update process implemented by Xiaomi lacks validation, which means that attackers could exploit it to deliver malicious software to the smartphone.

This also means that the Xiaomi firm can silently install any application on its devices by renaming it to “Analytics.apk.”

“So it looks like Xiaomi can replace any (signed?) package they want silently on your device within 24 hours. And I’m not sure when this App Installer gets called, but I wonder if it’s possible to place your own Analytics.apk inside the correct dir, and wait for it to get installed,” Broenink said.

The student hasn’t discovered the real purpose of the AnalyticsCore app; it sounds like a sort of backdoor that opens millions of Xiaomi devices to cyber attack.

Such kind of mechanism could be exploited by intelligence agencies to deliver surveillance software onto millions of Xiaomi devices.

“This sounds like a vulnerability to me anyhow, since they have your IMEI and Device Model, they can install any APK for your device specifically,” Broenink added.

Reading the discussion thread on the company forum, it is possible to verify that several users expressed their concerns about the presence of the mysterious app.

“Don’t know what purpose does it serve. Even after deleting the file it reappears after some time,” wrote one of the users of the forum.

Source:http://securityaffairs.co/



Mozilla plans Firefox fix for same malware vulnerability that bit Tor


Weakness in certificate pinning protections may open users to MitM attacks. Mozilla officials say they’ll release a Firefox update on Tuesday that fixes the same cross-platform, malicious code-execution vulnerability patched Friday in the Tor browser.

The vulnerability allows an attacker who has a man-in-the-middle position and is able to obtain a forged certificate to impersonate Mozilla servers, Tor officials warned in an advisory. From there, the attacker could deliver a malicious update for NoScript or many other Firefox extensions installed on a targeted computer. The fraudulent certificate would have to be issued by any one of several hundred Firefox-trusted certificate authorities (CA).

While it probably would be challenging to hack a CA or trick one into issuing the necessary certificate for addons.mozilla.org, such a capability is well within reach of nation-sponsored attackers, who are precisely the sort of adversaries included in the Tor threat model. In 2011, for instance, hackers tied to Iran compromised Dutch CA DigiNotar and minted counterfeit certificates for more than 200 addresses, including Gmail and the Mozilla addons subdomain.


Update early and often

Friday’s advisory from Tor urges users to install the update as soon as possible. Shortly after this post went live, Mozilla officials said they planned to follow suit on Tuesday. According to a report posted Thursday by researcher Ryan Duff, production versions of Firefox are susceptible, although a nightly build version released on September 4 is not.

Duff said he was able to reproduce results published Tuesday by a different researcher that showed a Firefox-implemented protection known as “certificate pinning” was ineffective in preventing attacks using forged certificates. Certificate pinning is designed to ensure that a browser accepts only a specific certificate for a specific domain or subdomain and rejects all others, even if the certificates are issued by a browser-trusted authority. Duff said the cause of the failure is linked to a form of static key pinning that’s not based on the HTTP Public Key Pinning protocol. More specifically, the failure is the result of Mozilla not properly extending the expiration dates for the static key list, which caused the pinning to go unenforced after the keys expired.

After this post went live, Mozilla officials issued the following statement:

We investigated this and a fix will be issued in the next Firefox release on Tuesday, September 20. We had fixed an issue with the broken automation on the Developer Edition on September 4, but a certificate pinning had expired for users of our Release and Extended Support Release versions. We will be turning on HPKP on the addons.mozilla.org server itself so that users will remain protected once they have visited the site even if the built-in pins expire. We will be changing our internal processes so built-in certificate pins do not expire prematurely in future releases.

Until Mozilla releases the update, Firefox users who are concerned they might be targeted by nation-sponsored adversaries should consider using a different browser or, alternately, configuring Firefox to stop automatically accepting extension updates.
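A model of the failure described above, added here and not Mozilla’s code: built-in pins that carry an expiry date are skipped once that date passes, so a certificate issued by any trusted CA for addons.mozilla.org is accepted unless an HPKP pin cached from the server still applies. The pin_expiry_warning check stands for the release-process control Mozilla says it will add; the SPKI hashes and the 2016-09-01 expiry are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

ADDONS = "addons.mozilla.org"
# Constructed placeholder SPKI hashes; these are not Mozilla's real pins.
LEGIT_SPKI = "sha256/LEGIT-MOZILLA-SPKI-PLACEHOLDER="
FORGED_SPKI = "sha256/ROGUE-CA-ISSUED-SPKI-PLACEHOLDER="


@dataclass
class StaticPinList:
    pins: Dict[str, List[str]]   # host -> SPKI hashes allowed in the chain
    expires: datetime            # the whole built-in list stops being enforced here


@dataclass
class HpkpCache:
    pins: Dict[str, List[str]]   # host -> hashes learned from Public-Key-Pins headers


def pin_check(host: str, spki_hash: str, static: StaticPinList,
              hpkp: Optional[HpkpCache], now: datetime) -> bool:
    """Return True if the presented chain's SPKI hash passes pin enforcement.

    Mirrors the behaviour the article describes: once the built-in list has
    expired it is ignored entirely, so a client with no HPKP pin cached for
    the host falls back to ordinary CA validation, which a forged-but-CA-issued
    certificate already satisfies.
    """
    allowed: Optional[List[str]] = None
    if now < static.expires:
        allowed = static.pins.get(host)
    if allowed is None and hpkp is not None:
        allowed = hpkp.pins.get(host)
    if allowed is None:
        return True   # nothing to pin against; chain validation assumed to have passed
    return spki_hash in allowed


def pin_expiry_warning(static: StaticPinList, now: datetime, lead_days: int = 30) -> bool:
    """Release-process control: flag a built-in list that lapses within lead_days."""
    return now + timedelta(days=lead_days) >= static.expires


def scenario() -> Dict[str, bool]:
    """Run the four cases that matter for a user of the Release/ESR builds."""
    expires = datetime(2016, 9, 1, tzinfo=timezone.utc)   # constructed expiry
    static = StaticPinList(pins={ADDONS: [LEGIT_SPKI]}, expires=expires)
    hpkp = HpkpCache(pins={ADDONS: [LEGIT_SPKI]})       # pins learned on an earlier visit
    before = expires - timedelta(days=1)
    after = expires + timedelta(days=10)
    return {
        "before_expiry_forged": pin_check(ADDONS, FORGED_SPKI, static, None, before),
        "after_expiry_no_hpkp_forged": pin_check(ADDONS, FORGED_SPKI, static, None, after),
        "after_expiry_with_hpkp_forged": pin_check(ADDONS, FORGED_SPKI, static, hpkp, after),
        "after_expiry_with_hpkp_legit": pin_check(ADDONS, LEGIT_SPKI, static, hpkp, after),
        "warning_20_days_before_expiry": pin_expiry_warning(static, expires - timedelta(days=20)),
    }


if __name__ == "__main__":
    for case, accepted in scenario().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the second case accepts the forged certificate, which is the window the advisory describes; a cached HPKP pin closes it for returning visitors, and the warning check is what would have caught the lapse before release.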

Source:http://arstechnica.com/



LuaBot Author Says His Malware Is “Not Harmful”


Author says he’s not interested in launching DDoS attacks. Two weeks ago, a security researcher that goes by the name of MalwareMustDie had come across a new Linux trojan that according to him was the first ever Linux malware coded in the Lua language.

Reverse engineering of the code showed that the trojan mainly targets IoT architectures and contains functionality to launch DDoS attacks, plus an unconfirmed function to bypass the DDoS protection provided by Sucuri, a US web security vendor.


In LuaBot’s source code, the malware’s author had left a message that read “Hi. Happy reversing, you can mail me: [REDACTED .ru email address].”

LuaBot coder answered a few questions

A French security researcher who goes by the name of x0rz contacted the malware’s author and asked him a few questions. The answers have been published online.

According to this mini-interview, the crook says he doesn’t work in the infosec community, nor is he a cyber-criminal affiliated with any hacking crew.

He describes himself as a “nobody” and says his malware is “not harmful.” He bases this assessment on the fact that LuaBot, his malware, doesn’t steal router login credentials.

It’s not for DDoS, the LuaBot author says

The LuaBot author says he’s been working on the malware for years, and what initially started as fun has now turned into profit.

He declined to name the type of activity he’s profiting from, but says he’s not running any DDoS stresser service like those “vDos kids.”

Further, he also states that he’s working with private individuals and that he’s not messing with banks or governments.

Further analysis reveals something interesting

The hacker also says he has his own zero-days, which he uses to infect devices. A Brazilian security researcher who has also looked at the malware says the code seems to be targeting ARRIS routers.

This is the same researcher who last year discovered three backdoors in ARRIS routers, affecting over 600,000 modems connected online.

“If we perform the same query nowadays (September/2016) we can see that the number of exposed devices was reduced to approximately 35.000,” notes Bernardo Rodrigues, the Brazilian researcher.

The researcher also says that in its first stages of infection, LuaBot uses firewall rules to block further access to the device from external connections, an obvious self-protection feature.

Nevertheless, the malware doesn’t include a boot persistence mechanism, and a router restart removes it from the device.

At the time of writing, there are no known reported attacks that fit LuaBot infections, and despite the presence of the HTTP flooding functions (for DDoS attacks), the malware and its purpose remain a mystery.

Source:http://news.softpedia.com/


The post LuaBot Author Says His Malware Is “Not Harmful” appeared first on Information Security Newspaper.

PSA: DetoxCrypto Ransomware imitating Malwarebytes


Scammers will always try and imitate legitimate tools and services in an effort to trick people into harming their accounts and devices. If it isn’t fake logins, it’s dubious links on social media. If we’re wading knee deep in 419 emails, you can bet another round of tech support scams will be along in a minute.

In the realm of ransomware, confidence tricks reign supreme and while those antics usually involve screaming YOUR PC HAS BEEN LOCKED, YOU’VE BEEN LOOKING AT BAD THINGS AND NOW WE NEED SOME MONEY at the victim, they also need a way to have them run the file on offer. While some attacks involve exploits and automatically installing malware, not all ransomware authors have that luxury so they have to rely on different means.

What we’re seeing at the moment appears to be a kind of trial run for ransomware distribution. There are a couple of Detox Ransomware files doing the rounds, and though they’re all broken in terms of functionality and/or download/dropper URLs, it’s still a possible sign of things coming around the corner and worth a heads-up. No doubt we’ll see a fully functional version of what’s below, and more besides, in the near future:

Another DetoxCrypto sample, probably trying to fake @Malwarebytes with “Malwerbyte”. @BleepinComputer @demonslay335 pic.twitter.com/0OJT14nklW

— MalwareHunterTeam (@malwrhunterteam) September 15, 2016

More #ransomware is on its way, beware of this one. Faking @Malwarebytes to fool you into opening @malwrhunterteam https://t.co/kZKjVrhx64

— Cyber 123 (@UK_Cyber123) September 15, 2016

From the file’s VirusTotal page:

File information
Copyright: Copyright © 2016
Product: Malwerbyte
Original name: Malwerbyte.exe
Internal name: Malwerbyte.exe
File version: 1.0.0.0
Description: Malwerbyte
Comments: Malwerbyte

They made a bit of a typo there, which is a quick and handy way to spot the fake. Additionally, the ransomware sample being looked at doesn’t encrypt files, which further suggests this is either a trial run or just poorly coded malware.

wrong key

Users of Malwarebytes Anti-Malware will find we detect the above as Ransom.DetoxCrypto.

Should we see updates to this particular rollout, we will of course be back to take a second look. If you’re curious about versions of DetoxCrypto which are fully functional and the kind of mischief they get up to, then BleepingComputer will walk you through the perils of Pokemon Ransomware.

Source:https://blog.malwarebytes.com/


The post PSA: DetoxCrypto Ransomware imitating Malwarebytes appeared first on Information Security Newspaper.

HDDCryptor Ransomware Overwrites Your MBR Using Open Source Tools


HDDCryptor, sometimes spelled HDD Cryptor and also identified as Mamba, is a new ransomware variant that rewrites a computer’s MBR (Master Boot Record) boot sectors and locks users out of their PCs. While we might hurry to classify this as a Petya clone, HDDCryptor predates both Petya and Satana, being spotted on the Bleeping Computer forums at the end of January this year.

The ransomware was never the focus of a massive distribution campaign, which is why it never garnered any attention from security vendors or independent security researchers.

A revamped HDDCryptor returns

A surge of activity that appears to have started in the last days of August has brought HDDCryptor into the spotlight, with research now available from Renato Marinho of Morphus Labs and from the Trend Micro team.

Trend Micro says the ransomware reaches computers after users download files from malicious websites. Crooks drop the malicious binary on the computer directly, or through an intermediary payload downloaded at a later stage.

This initial binary is named using a random three-digit number, in the form 123.exe. A hybrid analysis of the file doesn’t reveal too many initial clues.

When executed, this initial binary drops the following files in a folder under the computer’s system root:

  • dcapi.dll
  • dccon.exe (used to encrypt the disk drive)
  • dcrypt.exe
  • dcrypt.sys
  • log_file.txt (log of the malware’s activities)
  • Mount.exe (scans mapped drives and encrypts files stored on them)
  • netpass.exe (used to scan for previously accessed network folders)
  • netuse.txt (used to store information about mapped network drives)
  • netpass.txt (used to store user passwords)

Two of these files are freely available and legitimate tools. Netpass.exe is a free network password recovery tool, and dcrypt.exe is the executable for DiskCryptor, an open source disk encryption utility.

To gain boot persistence, HDDCryptor creates a new user called “mythbusters” with password “123456,” and also adds a new service called “DefragmentService,” that runs at every boot. This service calls the ransomware’s original binary (the three-digit exe file).

The netpass.exe tool is executed first to scan for previously accessed network folders and extract credentials. The information on these network drives is stored in two local text files: one holds details about the mapped drives, the other any credentials that were found.

HDDCryptor encrypts files and overwrites the MBRs

The infection process continues with dccon.exe and Mount.exe. Both files use DiskCryptor to encrypt the user’s files. Dccon.exe encrypts files on the user’s hard drive, while Mount.exe encrypts files on all mapped network drives, even ones that are currently disconnected but remain physically reachable.

After the encryption ends, the ransomware rewrites the MBRs of all hard drive partitions with a custom boot loader. It then reboots the user’s computer without user interaction and shows the following message.

HDDCryptor ransom note (September) – via Renato Marinho

The January version of this ransomware showed the following message, using a different wording and another email address.

HDDCryptor ransom note (January)

The January version used four-digit victim IDs, while the August-September infections now use a six-digit identifier instead.

In January, the ransomware authors were asking for the equivalent of $700 in Bitcoin, as one of the victims that posted on Bleeping Computer revealed. The full email ransom demand is below:

Here are our standard payment instructions.

Our bitcoin wallet address is (removed)
$700 is approx. 1.0520 BTC according to current exchange rate.

In case you have no prior experience with Bitcoin (and can't find
someone who has - which is the best option) here's a summary on
different ways to buy bitcoin:
https://en.bitcoin.it/wiki/Buying_Bitcoins_%28the_newbie_version%29

For example, you can buy bitcoins on coinbase.com (using your bank
account), localbitcoins.com (multiple payment methods, depending on
vendor), bitquick.co (cash deposit in local bank, seems to work pretty
fast but we have no personal experience with them) or virwox.com (they
accept cards and paypal, and on virwox.info you can find a tutorial on
buying bitcoins there).

Please note that for security reasons some websites will delay payment
for up to 48 hours (that's true for purchasing on virwox with paypal) so
please pay attention to terms of service. We won't be able to confirm
your transaction and send you the password during that delay period.

In our experience your best chance to make the transfer quickly is
to find an online seller with good reviews on localbitcoins.com. If you
use cash deposit to pay that seller your transaction should only take a
few hours. Also vendors can be really helpful on that website.

Alternatively you can look up bitcoin ATMs in your area - their fee is
usually a bit higher but that's one of the fastest ways to buy bitcoins.

For amounts up to $300 you can use circle.com - it allows to send money
from credit and debit cards almost instantly. You can also break up
bigger amounts and make several payments from different accounts if you
find it convenient.

After you purchase $700 worth of bitcoins you can just send them to our
bitcoin wallet directly from the website you've chosen - this way you
won't have to install bitcoin software, manage your own wallet etc. If
you find it difficult to transfer the indicated amount in a single
transaction you can break up the sum and make several transactions to
the same bitcoin address (possibly using different methods of purchasing
bitcoins).

After that we'll send you the password that'll let you boot Windows and
further instruction on permanently decrypting hard drives. We'll also
tell how we got in so you can fix it and prevent future incidents.

The ransom note received by Marinho in September is less verbose and less helpful than the one from January. The crook is now also asking for 1 Bitcoin (~$600).

Your HDD Encrypted By AES 2048Bit

send 1BTC Per HOST to My Bitcoin Wallet , then we give you Decryption key For Your Server HDD!!

My Bitcoin Wallet Address : (removed)

We Only Accept Bitcoin , it’s So easy!

you can use Brokers to exchange your money to BTC ASAP

it's Fast way!

Here:

https://localbitcoins.com/

if You Don't Have a Account in Bitcoin , Read it First :

https://bitcoin.org/en/getting-started

bitcoin Market :

https://blockchain.info/

https://www.okcoin.com/

https://www.coinbase.com/

https://bitcoinwallet.com/

-----------

At the time of writing, the Bitcoin wallet address associated with the September campaign shows that four victims have paid so far.

After a user pays the ransom, he receives a password, which he has to enter in the pre-boot screen.

Most of the research on this infection has been done by Marinho, who says that his company was called in to investigate and fix a massive infection at a multi-national company that affected computers in its Brazil, India, and US subsidiaries.

Source:http://www.bleepingcomputer.com

The post HDDCryptor Ransomware Overwrites Your MBR Using Open Source Tools appeared first on Information Security Newspaper.


Boffins analyzed EXIF metadata in photos on principal blackmarkets


Two researchers have analyzed the EXIF metadata included in the photos used by crooks to advertise their products on black marketplaces on the dark web.

Darknets are a privileged environment for crooks who intend to develop a prolific business while protecting their anonymity; still, there are several aspects they need to consider in order not to leave tracks that could allow their identification.

In the past, the analysis of EXIF metadata allowed law enforcement and intelligence agencies to track suspects, but now cyber criminals, including sellers on the principal black markets, have started to strip metadata from the photos they post. The trend was confirmed by a study conducted by two students at Harvard University, Paul Lisker and Michael Rose.

“Our goal was to leverage a longitudinal archive of dark net markets (DNMs) to collect and analyze sale listing images with metadata containing location data.” the students explained in a post.

What is EXIF metadata?

“Exchangeable image file format (officially Exif, according to JEIDA/JEITA/CIPA specifications) is a standard that specifies the formats for images, sound, and ancillary tags used by digital cameras (including smartphones), scanners and other systems handling image and sound files recorded by digital cameras.” reads Wikipedia. 

Basically, every image taken with a digital camera or a mobile device includes information such as the device used and the location of the shot. This data is written in the “exchangeable image file format” (EXIF) standard.

Paul Lisker and Michael Rose analyzed images of drugs and weapons used by crooks to advertise their products and services on black marketplaces on the dark web, taken from a data repository maintained by the independent security researcher Gwern Branwen.

The archive is very interesting for security experts who intend to study activity on the dark web: it includes data from some 83 dark markets and 40 associated forums. The information was collected from 2013 to 2015, totalling 44 million files or 1.5Tb of data.

“From 2013-2015, I scraped/mirrored on a weekly or daily basis all existing English-language DNMs as part of my research into their usage, lifetimes/characteristics, & legal riskiness; these scrapes covered vendor pages, feedback, images, etc. In addition, I made or obtained copies of as many other datasets & documents related to the DNMs as I could. This uniquely comprehensive collection is now publicly released as a 50GB (~1.6TB uncompressed) collection covering 89 DNMs & 37+ related forums, representing <4,438 mirrors, and is available for any research. This page documents the download, contents, interpretation, and technical methods behind the scrapes.” wrote Branwen.

The experts used bash scripts to search for EXIF data including longitude and latitude among the images in the archive.

“In order to analyze the listing images inside each archive, we first searched for and compiled a list of the file path of all JPEG images to ensure that no file went untested. (Images used for listings were only in the JPEG format; any other image formats — PNG, GIF, etc. — were used for website graphics.) Then, using Python and bash scripts, we checked each image’s EXIF data for longitude or latitude data, saving the coordinates for each geotagged photo and its file path to a text file.” explained the students.

The experts found 229 unique images containing geolocation data that would reference the location of the shot within a range of two kilometres.
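The check the students describe, reading each JPEG’s EXIF block for GPS tags, as an added example that is not part of the original post or of the students’ scripts: a dependency-free parser for the APP1/Exif segment that returns the geotag in decimal degrees, the stripping step a seller or market would need to remove it, and a constructed header-only JPEG to run it against (the coordinates, byte offsets and layout below are our assumptions, not data from the study).

```python
import struct

GPS_IFD_POINTER = 0x8825  # IFD0 tag that points at the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 1, 2, 3, 4  # GPS sub-IFD tags

def _segments(jpeg):
    """Yield (marker, start, end) for each marker segment before the scan data or EOI."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield jpeg[pos + 1], pos, pos + 2 + seg_len
        pos += 2 + seg_len

def _exif_tiff_block(jpeg):
    """Return the TIFF block inside the APP1/Exif segment, or None if there is none."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    for marker, start, end in _segments(jpeg):
        body = jpeg[start + 4:end]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return body[6:]
    return None

def _read_ifd(tiff, offset, e):
    """Return {tag: (type, count, raw 4-byte value-or-offset field)} for one IFD."""
    (n,) = struct.unpack(e + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        at = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[at:at + 8])
        entries[tag] = (typ, count, tiff[at + 8:at + 12])
    return entries

def _rationals(tiff, e, entry):
    """Read RATIONAL (type 5) values; three of them never fit inline, so the field is an offset."""
    _typ, count, field = entry
    (off,) = struct.unpack(e + "I", field)
    pairs = [struct.unpack(e + "II", tiff[off + 8 * i:off + 8 * i + 8]) for i in range(count)]
    return [num / den if den else 0.0 for num, den in pairs]

def _to_decimal(dms, ref):
    deg, mins, secs = dms
    value = deg + mins / 60 + secs / 3600
    return -value if ref in ("S", "W") else value

def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the JPEG carries GPS EXIF tags, else None."""
    tiff = _exif_tiff_block(jpeg)
    if tiff is None:
        return None
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # TIFF byte-order mark
    if e is None:
        return None
    ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps = _read_ifd(tiff, struct.unpack(e + "I", ifd0[GPS_IFD_POINTER][2])[0], e)
    if any(t not in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
        return None
    lat_ref = gps[TAG_LAT_REF][2][:1].decode("ascii")  # 2-byte ASCII value is stored inline
    lon_ref = gps[TAG_LON_REF][2][:1].decode("ascii")
    return (_to_decimal(_rationals(tiff, e, gps[TAG_LAT]), lat_ref),
            _to_decimal(_rationals(tiff, e, gps[TAG_LON]), lon_ref))

def strip_exif(jpeg):
    """Mitigation: rebuild the file without APP1 segments (Exif/XMP); scan data is copied untouched."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if marker != 0xE1:
            out += jpeg[start:end]
        pos = end
    return bytes(out + jpeg[pos:])

def _dms_rationals(value):
    """Degrees/minutes/seconds as (numerator, denominator) pairs, seconds to 1/100."""
    value = abs(value)
    deg = int(value)
    mins = int((value - deg) * 60)
    secs = round(((value - deg) * 60 - mins) * 6000)
    return [(deg, 1), (mins, 1), (secs, 100)]

def build_geotagged_jpeg(lat, lon):
    """Constructed sample: header-only JPEG (no scan data) carrying a little-endian Exif GPS IFD."""
    e = "<"
    # Layout: TIFF header 0-8, IFD0 8-26, GPS IFD 26-80, latitude rationals 80-104, longitude 104-128
    ifd0 = struct.pack(e + "H", 1) + struct.pack(e + "HHII", GPS_IFD_POINTER, 4, 1, 26) + struct.pack(e + "I", 0)
    gps = (struct.pack(e + "H", 4)
           + struct.pack(e + "HHI", TAG_LAT_REF, 2, 2) + (b"N" if lat >= 0 else b"S") + b"\x00\x00\x00"
           + struct.pack(e + "HHII", TAG_LAT, 5, 3, 80)
           + struct.pack(e + "HHI", TAG_LON_REF, 2, 2) + (b"E" if lon >= 0 else b"W") + b"\x00\x00\x00"
           + struct.pack(e + "HHII", TAG_LON, 5, 3, 104)
           + struct.pack(e + "I", 0))
    rationals = b"".join(struct.pack(e + "II", n, d) for n, d in _dms_rationals(lat) + _dms_rationals(lon))
    tiff = b"II*\x00" + struct.pack(e + "I", 8) + ifd0 + gps + rationals
    app1 = b"\xff\xe1" + struct.pack(">H", 2 + 6 + len(tiff)) + b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + app1 + b"\xff\xd9"
```

Run over a directory of listing images, `extract_gps` returning a tuple is the signal the students recorded; `strip_exif` before upload is what Agora appears to have done after March 2014.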

The duo analysed roughly 223,471 unique dark market images, the vast majority of which don’t include EXIF data.

“Out of these markets and forums, we located 2,276 total geotagged images, which after eliminating duplicates available over multiple days, gave 229 total unique images with associated coordinates. The coordinates—with decimals removed from the numbers to protect privacy—can be seen plotted in the map below. (The coordinates may be up to about one mile away from their true location.)” states the duo.

Data from lisker.silk.co

“In total, we analyzed 7,522,284 images from the entire DNM archive, representing 223,471* unique photos. Table 1 presents a summary of markets containing geotagged images:”


Most popular black markets, like Agora, stripped metadata from the images published in their ads. In the case of Agora, the researchers noticed that EXIF metadata was absent from all images after 18 March 2014.


In the conclusions of the study, the researchers highlighted that sellers and dark market websites are failing to remove EXIF metadata from images.

“First, it was common in many cases to observe sites, typically residential, surrounded by 5–10 tagged images separated by a few meters,” the students explained in a post.

“This suggests the behavior of sellers who are careless on a regular basis, rather than the occasional forgetfulness of not stripping data or purposeful manipulation.”

Source:http://securityaffairs.co/


The post Boffins analyzed EXIF metadata in photos on principal blackmarkets appeared first on Information Security Newspaper.

iSpy Keylogger


Keyloggers have always been present in attackers’ toolkits. They give attackers the power to record every keystroke from a victim’s machine and steal sensitive information. Zscaler ThreatLabZ recently came across a signed keylogger campaign in our cloud sandbox. In this blog, we will provide an analysis of this malicious commercial keylogger, known as iSpy. Written in .Net 2.0, iSpy is configured for keylogging, stealing passwords and screenshots, and monitoring webcams and clipboards. It is being sold on underground forums via multiple subscription packages as shown in Figure 1.


Figure 1: iSpy keylogger subscription packages

iSpy keylogger infection
iSpy is delivered via spam email that has a malicious JavaScript file or document as an attachment, which then downloads the keylogger payload. The main iSpy payload is usually compressed using a custom packer. So far, we have seen packers written in Visual Basic 6.0, AutoIt, and .Net. We have also seen a campaign of a signed .NET crypter through which iSpy was served. This crypter uses different digital certificates (mostly invalid certificates) and drops different malware samples, as shown in Table 1 below.


Figure 2: Certificate used by .Net Crypter

Table 1: Different malware samples dropped by .NET crypter
MD5 Email used in certificate Malware
b99491b53faabb559adf42d6156d9dad web@vazi.com iSpy
2b8e2d23c88b11bbcf59928d5d440bdb sales@maltech.net Phorpiex
73dcbece89a474bccfb76f022e5e81a4 sales@maltech.net Skypoot
c1838d9542e6860cd44d706883b49a73 sales@maltech.net Skypoot
2aac4e7b7a1ab407039e12b53a4af942 sales@maltech.net Phorpiex
398680cbdd017f7b99e9add1477939a8 owner@reca.net Phorpiex
2368102c5e12b0c881bc09256546d255 owner@reca.net Skypoot
92a342a6ce4b0accfb20c61fd657104b sales@maltech.net Phorpiex
1ffadc9cde4d4a1d794362c9179a0ec9 sales@maltech.net Phorpiex
c17cddb6f63d9797583167a30c5711c1 sales@maltech.net Phorpiex
de7db381733f3c5a479865120f58a8c1 sales@maltech.net Phorpiex
58334fb57165350ccb06c1949459a65c sales@maltech.net Skypoot
5e6114b726b1b8a52331890054157969 sales@maltech.net Skypoot
12f4de75e2e299e6d444a58fff78d83d sales@maltech.net Phorpiex
92eaac8b2266fb2514e66a8e2cf98f13 sales@salung.com Kasidet
a9867d69c3d7d716339dd10ac4b29216 sales@salung.com Phorpiex
edaf8ce53d4919c52e422c7ce7242738 sales@salung.com Phorpiex
2b478db2af56153a2cee33f71213cc2f sales@salung.com Hawkeye
214280b4e09fe4c4cc46aebef533e07e support@yapilo.com Phorpiex
ba8c47e679eba575c4e8605da97f4e77 support@yapilo.com Phorpiex
d151378aeae384e85ab10f5bb19ef254 support@yapilo.com Phorpiex
881e968ddf34c38943a56651a3870174 email@vario.co Subti
0e565eb881a25180993539f34e88ec3d sales@maltech.net Bladabindi

Installation
The malware sample we analyzed was packed with a VB6 (native) custom packer. The packer uses the XOR-based method to decrypt the payload and contains obfuscated zombie code between instructions to slow down analysis. Figure 3 shows the installation and functionality overview of iSpy.


Figure 3: Installation workflow and functionality overview of iSpy

The second layer of packing contains multiple anti-VM and anti-analysis tricks, some of which include:

  • Checks PEB flags for debugger presence
  • Checks for sandbox and debugger using GetTickCount and Sleep
  • Loops until cursor movement is detected
  • Checks if screen resolution is 800 x 600 or more

Finally, it decrypts the payload file and injects the decrypted file into another instance of the same process using the process hollowing technique, as seen below:


Figure 4: Spawns process in Suspended mode for injection

The decrypted file is a loader that contains a DLL and a .NET binary in its resource section. It first loads the DLL, which in turn loads the final iSpy payload (the .NET binary) using the LoadDotNetPE export function.

The malware checks configuration settings to select the folder for dropping the executable. Based on the configuration, it drops itself into one of the following locations:

  • %APPDATA%
  • %LOCALAPPDATA%
  • %USERPROFILE%\Documents
  • %TEMP%


Figure 5: Installation function

After copying itself into one of the above-mentioned locations, it deletes the “Zone.Identifier” alternate data stream (ADS) so that the security warning normally displayed every time a downloaded file is executed no longer appears.

Persistence
It creates an entry in the “SOFTWARE\Microsoft\Windows\CurrentVersion\Run” key under HKLM or HKCU, depending on configuration settings, to execute the malware at system startup.

Configuration
iSpy has many customizable features (Figure 6), including the functionality to record keystrokes, recover passwords, and retrieve serial keys from various software, and then send the stolen data over SMTP, HTTP, or FTP. It also has a web panel that helps the attacker monitor the activity of iSpy infections.


Figure 6: iSpy configuration class

As mentioned earlier, depending on the configuration, it can send stolen data via three different methods: HTTP, SMTP, or FTP. The FTP and SMTP credentials, embedded directly in the file, are encrypted using a custom encryption method. The decrypt function in the StringCipher class is used for the decryption of credentials as well as other strings; the MUTEX value from the configuration is used as the decryption key. For the HTTP method, iSpy uses PHP_KEY authentication to upload data to the C&C server.

Data stealing
The current sample, discussed in this blog, uses FTP to send the stolen data to the attacker. The FTP account – ftp://ftp[.]bhika[.]comxa[.]com – was active at the time of analysis, and the FTP credentials are embedded in the file itself. The website resolves to IP address “31.170.160.209”, which belongs to comxa.com, which is owned by 000webhost Network, a provider of free hosting. We have notified comxa.com of the offending account.

After successful installation, iSpy collects computer information such as username, Windows version, and installed program details (AV, firewall, browser, etc.), and sends this information along with install notification (Figure 7) to a C&C server.


Figure 7: Installation notification contents

Keylogging code is the main component of this malware. It logs timestamped key presses and sends them to the attacker. It also contains code to steal the license keys of application software, such as Adobe Photoshop, Microsoft Office, and others. It also collects saved passwords from web browsers, email clients (such as Outlook), FTP clients (like FileZilla and CoreFTP), and games like Minecraft.

KillAV
iSpy has the functionality to disable antivirus programs by creating a sub-key named after the program under the registry key “Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\” and then setting “rundll32.exe” as the value of “Debugger” under that key. It also disables access to the newly created registry key by setting all RegistryRights to deny, so it cannot be easily removed. After this registry change, Windows will load “rundll32.exe” whenever the targeted process is started, so the given AV process will not start. Below is the list of AV processes that iSpy targets:
“rstrui.exe”, “AvastSvc.exe”, “avconfig.exe”, “AvastUI.exe”, “avscan.exe”, “instup.exe”, “mbam.exe”, “mbamgui.exe”, “mbampt.exe”, “mbamscheduler.exe”, “mbamservice.exe”, “hijackthis.exe”, “spybotsd.exe”, “ccuac.exe”, “avcenter.exe”, “avguard.exe”, “avgnt.exe”, “avgui.exe”, “avgcsrvx.exe”, “avgidsagent.exe”, “avgrsx.exe”, “avgwdsvc.exe”, “egui.exe”, “zlclient.exe”, “bdagent.exe”, “keyscrambler.exe”, “avp.exe”, “wireshark.exe”, “ComboFix.exe”, “MSASCui.exe”, “MpCmdRun.exe”, “msseces.exe”, “MsMpEng.exe”
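The IFEO hijack described above leaves a durable, easily audited artifact. The following is an added example, not Zscaler’s code, that parses a `reg export` of the Image File Execution Options key and flags Debugger values pointing at rundll32.exe, covering processes on the list above, or naming no known debugger. The sample export, the process subset and the KNOWN_DEBUGGERS list are constructed assumptions.

```python
import re

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Security tools the analysis above lists as iSpy KillAV targets (subset, lower-cased for matching).
TARGETED_PROCESSES = {p.lower() for p in (
    "MsMpEng.exe", "MSASCui.exe", "MpCmdRun.exe", "msseces.exe", "avp.exe", "AvastSvc.exe",
    "AvastUI.exe", "mbam.exe", "mbamservice.exe", "egui.exe", "bdagent.exe", "wireshark.exe",
    "keyscrambler.exe", "hijackthis.exe", "ComboFix.exe", "spybotsd.exe", "zlclient.exe")}
# Binaries that legitimately appear as IFEO debuggers (assumption: adjust to what your fleet uses).
KNOWN_DEBUGGERS = {"windbg.exe", "windbgx.exe", "vsjitdebugger.exe", "cdb.exe", "ntsd.exe"}

# Constructed sample of a `reg export` of the IFEO key on an infected host (not real data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
"Debugger"="rundll32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\windbg.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="rundll32.exe"
"GlobalFlag"=dword:00000200
'''

_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def _unescape(s):
    # .reg string values escape a backslash as \\ and a double quote as \"
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers and "name"="string" values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = _unescape(m.group(2))
    return keys


def _debugger_basename(debugger):
    """Executable name from a Debugger value, ignoring quoting, path and arguments."""
    d = debugger.strip()
    exe = d[1:].split('"', 1)[0] if d.startswith('"') else (d.split(None, 1)[0] if d else "")
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_ifeo_hijacks(reg_text):
    """Return one finding per IFEO subkey whose Debugger value looks like a process-neutralising hijack."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().startswith(IFEO_KEY.lower() + "\\") or "Debugger" not in values:
            continue
        image = key.rsplit("\\", 1)[-1]
        dbg = _debugger_basename(values["Debugger"])
        reasons = []
        if dbg == "rundll32.exe":
            reasons.append("Debugger is rundll32.exe, which only swallows the launch (iSpy KillAV pattern)")
        if image.lower() in TARGETED_PROCESSES:
            reasons.append("image is a security tool on iSpy's KillAV list")
        if not reasons and dbg not in KNOWN_DEBUGGERS:
            reasons.append("Debugger is not a known debugger")
        if reasons:
            findings.append({"image": image, "debugger": values["Debugger"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_ifeo_hijacks(SAMPLE_REG):
        print(f"[!] {f['image']}: Debugger={f['debugger']!r} -> {'; '.join(f['reasons'])}")
```

On a live host, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and read the file with encoding utf-16 before passing it to find_ifeo_hijacks; a deny ACL on the subkey, as the write-up describes, will not stop the export from listing the subkey name even where its values cannot be read.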

WebCam Snapshot & Screen grabber
If the webcam logger is configured, it captures snapshots using the victim’s webcam. It saves each snapshot in the %TEMP% folder with the prefix “snapshot” and the .PNG extension, then uploads the snapshot to “http://uploads.im/api?upload” (a legitimate image hosting website). It logs the URL path of the uploaded snapshot and uploads the log data to a C&C server using the configured method.

Similarly, iSpy takes screenshots using the .NET API CopyFromScreen and saves them to a file named “img.png” under the %TEMP% folder. Saved images are uploaded to the website mentioned above, and a log of the URL paths of the uploaded files is sent to the attacker.

Other features of iSpy:

  • Website blocking (based on host file modification)
  • File downloading
  • Bot killer
  • Fake message (it displays this message every time malware starts execution)
  • Disabler (Taskmgr, Regedit, CMD)
  • RuneScape PinLogger (RuneScape is a fantasy MMORPG developed and published by Jagex; a Bank PIN is an in-game security feature that players can use to protect their virtual in-game banks.)
  • Run Bind file (file to run along with malware)

Web panel interface
The current version of iSpy has a web panel where the attacker can monitor the infected system.


Figure 8: iSpy web panel

Conclusion
Commercial keyloggers are general-purpose data stealing tools used by criminals to collect as much data as possible about a victim. There are many commercially available keyloggers in the underground market and, unfortunately, using them is fairly easy, requiring little technical knowledge. In spite of the increased use of specialized tools, the keylogger remains a common, and quite potentially damaging, tool.

Source:https://www.zscaler.com


The post iSpy Keylogger appeared first on Information Security Newspaper.

Ransomware is lucrative: Attacker’s profits near $100 million


Hackers are increasingly targeting healthcare institutions with malware because of their poor cyber-security posture, reliance on legacy IT systems, third-party services and the need to access information as soon as possible in order to deliver great patient care. These are the conclusions released in a new report entitled McAfee Labs Threats Report: September 2016.

It says that hospitals paid almost $100,000 (£75,500) to a specific bitcoin account. In the first half of 2016, one “actor” (it could be a single hacker, but is more likely a group) apparently received $121 million in ransomware payments (189,813 bitcoin), targeting various industries. This actor, according to the report, has made profits of $94 million in the first six months of this year.


“With cyber security threats including ransomware rising at such a rapid rate, organizations are having to come to terms with the fact that it’s fast becoming a question of ‘when’, not ‘if’, they suffer a breach”, said Raj Samani, CTO EMEA Intel Security. “As such, to stay ahead of cyber criminals, companies must think beyond simply implementing protection strategies, to putting systems in place to rapidly detect threats and correct their systems in the event of an attack”.

“Industries such as financial services and retail have been aware of this threat for some time and have largely taken measures to implement such strategies”, adds Samani. “It’s crucial that the likes of healthcare and manufacturing pick up the pace with cyber security. Vulnerabilities in these sectors provide hackers with access to extremely personal, valuable and often irreplaceable data and IP”.

Source:http://betanews.com


The post Ransomware is lucrative: Attacker’s profits near $100 million appeared first on Information Security Newspaper.

The banker that can steal anything


In the past, we’ve seen advertising applications such as Leech, Guerrilla and Ztorg exploit superuser rights. The use of root privileges is not typical, however, for banking malware attacks, because money can be stolen in numerous other ways that don’t require exclusive rights. However, in early February 2016, Kaspersky Lab discovered Trojan-Banker.AndroidOS.Tordow.a, whose creators decided that root privileges would come in handy. We have been watching the development of this malicious program closely and found that Tordow’s capabilities significantly exceed the functionality of most other banking malware, which allows cybercriminals to carry out new types of attacks.

Penetration

A Tordow infection begins with the installation of a popular app, such as VKontakte, DrugVokrug, Pokemon Go, Telegram, Odnoklassniki or Subway Surf. In this particular case, we’re not talking about the original apps but about copies distributed outside the official Google Play store. Malware writers download legitimate applications, disassemble them, and add new code and new files.


Code added to a legitimate application

Anyone who possesses even a little knowledge of Android development can do it. The result is a new app that is very similar to the original, performs all the stated legitimate functions, but that also has the malicious functionality that the attackers need.

How it works

In the case in question, the code embedded in the legitimate app decrypts the file added by the cybercriminals in the app’s resources and launches it.

The launched file calls the attacker’s server and downloads the main part of Tordow, which contains links to download several more files – an exploit to gain root privileges, new versions of malware, and so on. The number of links may vary depending on the criminals’ intentions; moreover, each downloaded file can also download from the server, decrypt and run new components. As a result, the infected device is loaded with several malicious modules; their number and functionality also depend on what the Tordow owners want to do. Either way, the attackers get the chance to remotely control the device by sending commands from the C&C.

As a result, cybercriminals get a full set of functions for stealing money from users by applying the methods that have already become traditional for mobile bankers and ransomware. The functionality of the malicious app includes:

  • Sending, stealing, deleting SMS.
  • Recording, redirecting, blocking calls.
  • Checking the balance.
  • Stealing contacts.
  • Making calls.
  • Changing the C&C.
  • Downloading and running files.
  • Installing and removing applications.
  • Blocking the device and displaying a web page specified by a malicious server.
  • Generating and sending a list of files contained on the device; sending and renaming of files.
  • Rebooting a phone.

Superuser rights

In addition to downloading modules belonging to the banking Trojan, Tordow (within the prescribed load chain of modules) also downloads a popular exploit pack to gain root privileges, which provides the malware with a new attack vector and unique features.

Firstly, the Trojan installs one of the downloaded modules in the system folder, which makes it difficult to remove.

Secondly, using superuser rights the attackers steal the database of the default Android browser and the Google Chrome browser if it’s installed.

Figure: Code for sending data from browsers to the server

These databases contain all the logins and passwords stored by the user in the browser, browsing history, cookies, and sometimes even saved bank card details.

Figure: Login and password from a specific site in the browser database

As a result, the attackers can gain access to several of the victim’s accounts on different sites.

And thirdly, the superuser rights make it possible to steal almost any file in the system – from photos and documents to files containing mobile app account data.

Source:https://securelist.com/


The post The banker that can steal anything appeared first on Information Security Newspaper.

InfoArmor Uncovers Malicious Torrent Distribution Network


InfoArmor has identified a special tool used by cybercriminals to distribute malware by packaging it with the most popular torrent files on the Internet. The bad actors have analyzed trends on video, audio, software and other digital content downloads from around the globe and have created seeds on famous torrent trackers using weaponized torrents packaged with malicious code.

The so-called “RAUM” tool has been actively used on uncovered underground affiliate networks based on a “Pay-Per-Install” (PPI) model. Under this model, cybercriminals are paid to distribute malware through modified torrent files bundled with malicious code. Membership of these networks is by invitation only, with strict verification of each new member.

The threat actors’ infrastructure is based on a special monitoring system that provides them with the latest analytics of download trends, along with several network nodes that are used for torrent leeches and their status monitoring. Despite the recent legal actions against famous torrent sites such as KickassTorrents, many torrent trackers are still actively used by cybercriminals for malicious file distribution under the umbrella of legitimate app and media file sharing. RAUM is a good example of a tool used by the Eastern European organized crime group known as “Black Team,” which has successfully commercialized such illegal activity by infecting thousands of innocent users.

According to expert statistics, malicious torrents infect over 12 million users a month, creating significant security risks for users on a myriad of platforms. In many instances, popular ransomware such as CryptXXX, CTB-Locker and Cerber, online-banking Trojan Dridex, password stealing spyware Pony, and others were associated with the identified RAUM instances. We have identified in excess of 1,639,000 records collected in the past few months from the infected victims with various credentials to online-services, gaming, social media, corporate resources and exfiltrated data from the uncovered network.

Fig. 1 – The Management Interface Panel (RAUM)

Fig. 2 – The Dashboard of Malicious Torrents Management

Threat actors were systematically monitoring the status of the created malicious seeds on famous torrent trackers such as The Pirate Bay, ExtraTorrent and many others. In some cases, they were specifically looking for compromised accounts of other users on these online communities that were extracted from botnet logs in order to use them for new seeds on behalf of the affected victims without their knowledge, thus increasing the reputation of the uploaded files. In some cases, the lifespan of these seeded malicious files exceeded 1.5 months and resulted in thousands of successful downloads.

Initially, the bad actors used the uTorrent client to distribute the files. More recently, they have deployed a special infrastructure that allows them to manage new seeds using a broad network of dedicated and virtual servers – including hacked devices.

Fig. 3 – The Architecture of Uncovered Malicious Torrent Distribution Networks

One of the most attractive categories for the monitoring and repackaging of torrents with malware is through various PC-based online-games along with the activation files for current operating systems including Microsoft Windows and Mac OS. In addition, several fake landing pages of torrent trackers proposing to install malware using search engine poisoning have also been identified.

Fig. 4 – Example of the Parsed Popular Torrent Files for Further Infection in the Bad Actors’ Monitoring System

All of the created malicious seeds were monitored by cybercriminals in order to prevent early detection by AV and had different statuses such as “closed,” “alive,” and “detected by antivirus.” Some of the identified elements of their infrastructure were hosted in the Tor network.

IOCs:

82.146.54.187
da0.eu
black-team.us
riqclchjyebc43np.onion

On September 17, 2016, Google started to warn Firefox and Chrome users visiting some of the identified trackers with malware, such as The Pirate Bay, that the site could contain malicious software. InfoArmor strongly recommends that extreme caution be taken when visiting torrent trackers or downloading pirated digital content, operating systems and business software.

Source:https://www.infoarmor.com


The post InfoArmor Uncovers Malicious Torrent Distribution Network appeared first on Information Security Newspaper.

Just For Men website serves malware


The website for Just For Men, a company that sells various products for men as its name implies, was serving malware to its visitors. Our automated systems detected the drive-by download attack pushing the RIG exploit kit, eventually distributing a password stealing Trojan.

In this particular attack chain we can see that the homepage of justformen[.]com has been injected with obfuscated code. It belongs to the EITest campaign and this gate is used to perform the redirection to the exploit kit. EITest is easy to recognize (although it has changed URL patterns) for its use of a Flash file in its redirection mechanism.

RIG EK has now taken over from Neutrino EK as the most commonly used and seen toolkit in the wild. Neutrino EK, which had been the contender for Angler’s top spot, has been relatively quiet lately.

We replayed the attack in our lab as shown in the video below. For more details and a traffic capture, please scroll down to the technical section of this post.

Technical details

We reported this incident to Combe, the parent company for Just For Men. Between the time we collected our traffic capture and writing of this blog, we noticed the site had changed. As of now, the site is running the latest version of WordPress according to this scan from Sucuri and does not appear to be compromised any more. Most website infections have to do with either the content management system (CMS) or one of its plugins being out of date.

Here’s at least one difference we noticed between our archived capture and the current version of the site:


The Yoast SEO plugin had been updated from version 3.07 (vulnerable) to version 3.5 (current version). It’s possible this was the vector of infection, but without access to the server logs, this is purely an assumption.

Here’s what happened when the site was still compromised:


Payload hash (Papras Trojan):

9af78ac26650d15ef64157f824fff1695b56edf5482ad08753e0c5e900fde58b

C2 callbacks:

  • 217.70.184.38
  • 173.239.23.228

Source:https://blog.malwarebytes.com/


The post Just For Men website serves malware appeared first on Information Security Newspaper.

Matchlight Dark Web data leak detection software available worldwide


Terbium Labs’ software can now be used to detect when data belonging to companies is being flogged in the underground.

Terbium Labs has announced the release of Dark Web data analytics software Matchlight to corporate players that wish to be alerted to the theft of data immediately — rather than days or months after the damage is done.

On Tuesday, the Baltimore, MD.-based company said Matchlight is now available through either a web portal or API at what Terbium calls a “reasonable price point” so both SMBs and larger enterprise players can access the service.

Now out of a private beta started in June 2015 with companies including MasterCard, IBM and LifeLock, the fully automated system allows companies to outsource part of their cybersecurity requirements and potentially mitigate the damage caused by data breaches.

Terbium Labs calls itself a company which protects the enterprise from “relentless attempts to steal data for personal, monetary or political gain.”

The Dark Web, a small section of the Deep Web which is not indexed by common search engines including Google and Bing, is the most prolific area to acquire data stolen from businesses.

If an individual jumps through the various hoops necessary to access this part of the Internet, they can buy anything from weaponry to counterfeit documents and data dumps — and stealing a person’s identity is cheap, with Trend Micro estimating that each data record is worth less than a dollar in underground marketplaces.


The purchase price may be cheap, but the damage caused to companies is not. According to the Ponemon Institute, the average cost of a data breach has gone over the $4 million mark, with the healthcare industry the heaviest hit.

Matchlight aims to mitigate the damage by tracing the source of data breaches and alerting companies in real time when their data has been detected on the Dark Web. This is achieved by “fingerprinting” files for tracking purposes — whether they are client lists, account credentials or sensitive documents — together with data feeds which monitor keywords, searches and data monitoring reports.

Tyler Carbone, COO of Terbium Labs commented:

“Attacks are inevitable and organizational data and intellectual property are always at risk. Even the most robust security can’t stop all of today’s sophisticated attacks and insider threats. We believe automating intelligence gathering is the key to minimizing the damage caused by a data breach.

We’re shifting the balance of power by providing organizations of all sizes with the tools to identify and rapidly counter information theft and fraud quickly, privately and affordably.”

Business users can trial the product for free, and afterward, monitoring begins at a cost of $5 per record per month.

Source:http://www.zdnet.com/


The post Matchlight Dark Web data leak detection software available worldwide appeared first on Information Security Newspaper.


Tick, tock, tick, tock: New malware is hitting your network every four seconds


A Check Point report suggests organisations’ security hasn’t kept pace to meet a ninefold rise in malicious software.

An exponential rise in malware means employees are at their highest-ever risk of accidentally installing malicious software onto an enterprise network — an event that happens every four seconds within the average company, a new report has warned.

Security researchers at Check Point analysed information on over 30,000 security incidents discovered by the company’s ThreatCloud prevention software at more than 1,000 companies across the globe.

They found that employees in industry, finance, government, and other sectors are very much taking a cavalier attitude to cybersecurity and downloading potentially harmful files to their company’s networks.


It’s unknown malware — malicious software which isn’t yet recognised by security systems — which is most likely to be downloaded by employees and according to Check Point, it happened every four seconds on average across the organisations analysed in the report. There were 971 unknown malware downloads per hour, representing nine times more downloads than the previous year, when the figure was 106 downloads per hour, the company said.

In many cases, it only takes a small modification to a malware’s code for it to become invisible to antivirus programmes, allowing it to bypass defences and make its way onto a corporate network where it could be used to conduct cyber espionage, steal data, or lock down systems with ransomware.

If that wasn’t bad enough, researchers found that known malware — malicious software with a recognisable signature — is also being downloaded onto enterprise networks. If it’s known, then why isn’t it blocked? Because many organisations aren’t staying up to date with critical security patch management, thus enabling malicious actors to gain entry to their networks in circumstances that wouldn’t otherwise be possible if patching was properly done.

The rise of mobile devices is a significant factor in the increase in malware attacks. Each smartphone or tablet connected to the company Wi-Fi is yet another attack vector that malicious actors can potentially use in order to gain access to the network — and the enterprise is lagging behind when it comes to securing this space.

But while employees want to use their smartphones to access email and other services, the report points out “no one likes the idea of unilateral restrictions, nor the thought that they are being watched” — meaning that security is often a secondary consideration.

Nonetheless, organisations must take responsibility for protecting data because the report suggests that one in five employees will accidentally cause a data breach, either through downloading malware or using malicious Wi-Fi hotspots designed with the purpose of carrying out man-in-the-middle attacks to steal data.

But with such a wide variety of threats, there’s no one size fits all approach to securing the enterprise against malware and other cyberattacks.

“While no one technology or technique can hope to provide complete protection from all threat vectors, a well designed approach combining multiple methods of protection and detection can minimize successful attacks. With additional protections at the post infection stage, organizations can limit damage and lateral movement,” the report says.

Source:http://www.zdnet.com/


The post Tick, tock, tick, tock: New malware is hitting your network every four seconds appeared first on Information Security Newspaper.

IoT devices being increasingly used for DDoS attacks

Malware is infesting a growing number of IoT devices, but their owners may be completely unaware of it. Malware targeting the Internet of Things (IoT) has come of age and the number of attack groups focusing on IoT has multiplied over the past year. 2015 was a record year for IoT attacks, with eight new malware families emerging. More than half of all IoT attacks originate from China and the US. High numbers of attacks are also emanating from Russia, Germany, the Netherlands, Ukraine and Vietnam.

Poor security on many IoT devices makes them soft targets and often victims may not even know they have been infected. Attackers are now highly aware of lax IoT security and many pre-program their malware with commonly used and default passwords.

IoT attacks have long been predicted, with plenty of speculation about possible hijacking of home automation and home security devices. However, attacks to date have taken a different shape. Attackers tend to be less interested in the victim and the majority wish to hijack a device to add it to a botnet, most of which are used to perform distributed denial of service (DDoS) attacks.

Just this month the security vendor Sucuri reported on a large DDoS attack launched from 3 different types of botnets (CCTV botnet, home router botnet and compromised web servers). While not commonly seen in the past, attacks originating from multiple IoT platforms simultaneously may be seen more often in the future, as the amount of the embedded devices connected to the Internet rises.

Figure 1. New IoT malware families by year. The number of IoT threats jumped in 2015 and many of these threats continue to be active into 2016

Vulnerable devices

Most IoT malware targets non-PC embedded devices. Many are Internet-accessible but, because of their operating system and processing power limitations, they may not include any advanced security features.

Embedded devices are often designed to be plugged in and forgotten after a very basic setup process. Many don’t get any firmware updates or owners fail to apply them and the devices tend to only be replaced when they’ve reached the end of their lifecycle. As a result, any compromise or infection of such devices may go unnoticed by the owner and this presents a unique lure for the remote attackers.

Majority of attacks originate in US and China

Analysis of a Symantec honeypot which collects IoT malware samples found that the highest number of IoT attacks originated in China, which accounted for 34 percent of attacks seen in 2016. Twenty-six percent of attacks stemmed from the US, followed by Russia (9 percent), Germany (6 percent), the Netherlands (5 percent), and Ukraine (5 percent). Vietnam, the UK, France, and South Korea rounded out the top ten.

These figures represent the location of IP addresses used to launch malware attacks on Symantec’s honeypot. In some cases, IP addresses used may be proxies used by attackers to hide their true location.

The threats seen most frequently on Symantec’s IoT honeypot this year were Linux.Kaiten.B and Linux.Lightaidra.

Figure 2. Top ten attack origins on monitored IoT honeypot in 2016, by count of unique attackers

Top passwords

Attacks on Symantec’s honeypot also revealed the most common passwords IoT malware uses when attempting to log into devices. Not surprisingly, the combination of ‘root’ and ‘admin’ leads the chart, indicating that default passwords are frequently never changed. The default Ubiquiti credentials (user name: ubnt and password: ubnt) also feature highly. As reported in May 2016, an old vulnerability in Ubiquiti routers allowed worms targeting embedded devices to spread across thousands of Ubiquiti Networks routers running outdated firmware. It looks like the attackers behind IoT malware still count on the presence of unpatched Ubiquiti routers in the wild. Further down the chart we see the default credential combination for Raspberry Pi devices (user name: pi and password: raspberry), which indicates a growing trend of attackers specifically targeting this platform.

Top user names    Top passwords
root              admin
admin             root
DUP root          123456
ubnt              12345
access            ubnt
DUP admin         password
test              1234
oracle            test
postgres          qwerty
pi                raspberry

Table 1. Top 10 brute-force usernames and passwords used against IoT devices

IoT malware – common traits

While IoT malware is becoming more sophisticated, the fact that it is being used mostly for DDoS attacks allows us to distinguish several common traits that are seen within the variety of existing malware families.

As far as malware distribution goes, attackers take a straightforward approach. While some malware variants need to be manually installed on the device, the most common method consists of a scan for random IP addresses with open Telnet or SSH ports, followed by a brute-force attempt to login with commonly used credentials.

Because of the variety of CPU architectures that embedded devices run on, IoT malware may try to blindly download bot executables for multiple architectures and run them one by one until one succeeds. In other cases, the malware may also include a module that checks the device’s platform and downloads just the correct bot binary.

A common tactic by attackers is using a wget or tftp command to download a shell script (.sh) that in turn downloads the bot binaries. In one case we came across a shell script where the malware author used drug street names to differentiate between the bot binaries for different architectures.

Figure 3. Shell script used to download the bot binaries for different architectures

Once the bot binary is executed, it will establish a connection to a hardcoded command and control (C&C) server and await commands from the remote bot master. The communication might be established through an IRC channel and the malware may also include functionality to encrypt the traffic to the remote C&C server.
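A defender-side check for the scanning-and-brute-force pattern described above, using the Table 1 credential list as its signal: this is an added example, not Symantec’s code. It assumes sshd-style log lines (a constructed sample is embedded); the severity labels and the length heuristic in the credential audit are my own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# User names and passwords from Table 1 (the "DUP root"/"DUP admin" rows repeat root/admin).
TOP_USERNAMES = {"root", "admin", "ubnt", "access", "test", "oracle", "postgres", "pi"}
TOP_PASSWORDS = {"admin", "root", "123456", "12345", "ubnt", "password",
                 "1234", "test", "qwerty", "raspberry"}
# Credential pairs the text names explicitly (root/admin, ubnt/ubnt, pi/raspberry).
KNOWN_DEFAULT_PAIRS = {("root", "admin"), ("ubnt", "ubnt"), ("pi", "raspberry")}

# Constructed sshd log lines (not real data): one source cycles through default
# user names and finally gets in as "pi"; another is a single typo by a real user.
SAMPLE_LOG = """\
Sep 20 10:01:02 cam01 sshd[2100]: Failed password for root from 198.51.100.7 port 51234 ssh2
Sep 20 10:01:03 cam01 sshd[2101]: Failed password for admin from 198.51.100.7 port 51235 ssh2
Sep 20 10:01:04 cam01 sshd[2102]: Failed password for invalid user ubnt from 198.51.100.7 port 51236 ssh2
Sep 20 10:01:05 cam01 sshd[2103]: Failed password for invalid user pi from 198.51.100.7 port 51237 ssh2
Sep 20 10:01:06 cam01 sshd[2104]: Accepted password for pi from 198.51.100.7 port 51238 ssh2
Sep 20 10:15:30 cam01 sshd[2200]: Failed password for alice from 203.0.113.9 port 40000 ssh2
Sep 20 10:20:00 cam01 sshd[2201]: Accepted publickey for alice from 203.0.113.9 port 40001 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for a password/publickey auth event, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; only deltas within one log are used here
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def analyse(log_text, window=timedelta(minutes=5), min_failures=3):
    """Map source IP -> finding for sources that look like IoT credential brute-forcing."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["result"] == "Failed" and e["method"] == "password"]
        if len(failures) < min_failures:
            continue
        # Burst: min_failures failed password logins inside the window
        burst = any(
            failures[i + min_failures - 1]["ts"] - failures[i]["ts"] <= window
            for i in range(len(failures) - min_failures + 1)
        )
        if not burst:
            continue
        tried = {e["user"] for e in failures}
        default_hits = tried & TOP_USERNAMES
        # A password login from the same source after the burst means the
        # credential guessing most likely worked: treat as compromise.
        first_fail = failures[0]["ts"]
        logged_in = [e["user"] for e in events
                     if e["result"] == "Accepted" and e["method"] == "password"
                     and e["ts"] > first_fail]
        findings[ip] = {
            "failed_attempts": len(failures),
            "usernames_tried": sorted(tried),
            "default_usernames_hit": sorted(default_hits),
            "login_after_burst": logged_in,
            "severity": "critical" if logged_in else ("high" if default_hits else "medium"),
        }
    return findings


def audit_credential(username, password):
    """Classify a device credential against the honeypot's top lists (own heuristic)."""
    if (username, password) in KNOWN_DEFAULT_PAIRS:
        return "default-pair"
    if password in TOP_PASSWORDS:
        return "top-10-password"
    if username in TOP_USERNAMES and len(password) < 12:
        return "common-username-short-password"
    return "ok"


if __name__ == "__main__":
    for ip, finding in analyse(SAMPLE_LOG).items():
        print(ip, finding)
    print(audit_credential("pi", "raspberry"))
```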

Cross-platform malware

It is quite simple for the attackers to cross-compile their malware for a variety of architectures. While the most common targets are the x86, ARM, MIPS, and MIPSEL platforms, attackers continue to expand the number of potential targets and have also been creating variants for PowerPC, SuperH and SPARC architectures. By doing so, the list of potentially vulnerable devices increases, with more web servers, routers, modems, NAS devices, CCTV systems, ICS systems, and other devices added to the list of potential targets.

One interesting feature seen on a variety of IoT malware is the ability to kill other processes, specifically processes belonging to other known malware variants. In some older variants this feature might have been used just to eliminate a potential malware competitor from the infected device. We believe that the most common reason for it lies in the fact that embedded devices come with very limited system resources, and the malware tries to make sure that these are not shared with other CPU- or memory-intensive processes.

To achieve the same goal through a more sophisticated approach, the malware may also change iptables rules on the infected device so that only specific external access attempts are allowed. A change like this would effectively block access to the device for other malicious actors, but could also lock out legitimate administrators (for example, by blocking the Telnet port).

An overview of IoT malware families

Below are the most recognizable and prevalent malware families targeting embedded devices:

Linux.Darlloz (aka Zollard)

Linux.Darlloz is a worm discovered by Symantec that spreads to vulnerable systems by exploiting the PHP ‘php-cgi’ Information Disclosure Vulnerability (CVE-2012-1823), an old vulnerability patched in 2012. The Darlloz variants found in the wild were initially designed only for computers running on x86 chip architecture, but later versions of the malware also target devices using ARM, PPC, MIPS, and MIPSEL architectures. An interesting trait of the worm is that it scans for and deletes any files associated with another piece of IoT malware, Linux.Aidra. It will also attempt to block the communications port used by the latter. Once the targeted device is infected with Darlloz, a backdoor on a TCP port will open that allows remote command execution. The worm will also block users from connecting to the infected device by dropping Telnet traffic and terminating the telnetd process.

Linux.Aidra / Linux.Lightaidra

Linux.Aidra and its latest variant, Linux.Lightaidra, are worms that spread through Telnet services on TCP port 23 and use common username/password combinations to log in to the device. The worm opens a back door on the compromised computer or device and awaits commands from the remote C&C server. Each infected device is added to a botnet that is used to perform DDoS attacks. DDoS attacks from devices compromised by Aidra may be floods of Transmission Control Protocol (TCP) packets, User Datagram Protocol (UDP) packets, or domain name system (DNS) requests.

Linux.Xorddos (aka XOR.DDos)

Linux.Xorddos opens a back door on the compromised computer or device. The name of the threat comes from the fact that it uses heavy XOR encryption both in the malware code as well as in the C&C server communication. Xorddos comes in variants compiled both for x86 as well as ARM architectures. Aside from the main function to conduct DDoS attacks, additional functionalities of the Trojan include downloading and execution of files, services removal, and installation of additional modules. Xorddos might be installed alongside a rootkit component that hides network traffic or files. In order to perform any such tasks on the infected device, the Trojan might send IOCTL requests to the rootkit component.

Linux.Gafgyt (aka GayFgt, Bashlite)

Linux.Gafgyt is usually distributed through a successful exploitation of the Shellshock Vulnerability (CVE-2014-6271). Once installed, it becomes a part of a botnet and is used to launch DDoS attacks (either UDP or TCP floods). Shellshock affected devices may include web servers or Linux-based routers that have a web interface using CGI. Gafgyt also contains functionality to brute-force routers with common username/password combinations and can collect CPU information from the infected device.

Linux.Ballpit (aka LizardStresser)

Linux.Ballpit was created by the infamous APT group known as Lizard Squad. The worm has the ability to launch DDoS attacks from the compromised device using floods of TCP or UDP packets. Similar to many other IoT malware families, the worm is distributed by scanning public IP addresses for Telnet services. Once an appropriate open connection is found, Ballpit will attempt a variety of hard-coded common usernames and passwords in order to login. A successful logon attempt will be reported back to the C&C server and the bot client will await further instructions from the attacker.

Linux.Moose

In contrast to many IoT malware families described here, Linux.Moose does not have any DDoS capabilities and seems to be more a reconnaissance type of malware. The worm spreads to targeted Linux-based routers and embedded ARM- or MIPS-based devices by first scanning for nearby IP addresses and then brute-forcing weak Telnet login credentials. The first stage after infection consists of eavesdropping on network traffic on the compromised device. Alongside eavesdropping, the worm may also capture the traffic, collect information about the device’s CPU, and report the collected data back to a remote C&C server. Additional functionality of Moose includes periodic checks for any running processes belonging to competing IoT botnet clients, killing these if located. Based on the configuration file received from the C&C server, the worm may also change the DNS server settings on the compromised host.

Linux.Dofloo (aka AES.DDoS, Mr. Black)

Linux.Dofloo is a Trojan horse for Linux-based systems on x86, ARM, or MIPS architectures. The threat is also known as AES.DDoS, which comes from the fact that the AES algorithm is used to encrypt the communication with the C&C server. The Trojan opens a backdoor on the compromised device and awaits commands from the remote attacker. Dofloo is used to carry out DDoS attacks, but it might also collect information about the CPU, memory and network traffic of the compromised device and send this data back to the attacker.

Linux.Pinscan / Linux.Pinscan.B (aka PNScan)

Linux.Pinscan is a Trojan horse developed for various CPU architectures including x86, ARM, MIPS, and MIPSEL. Pinscan may scan a network segment for devices with an open port 22 and attempt a brute-force login with common usernames and passwords. It might also try to gain access to devices by exploiting vulnerabilities. It does not have any DDoS capabilities, but once it successfully obtains access to a targeted device, it may download additional malware binaries such as Linux.Kaiten.

Linux.Kaiten / Linux.Kaiten.B (aka Tsunami)

Linux.Kaiten and its later variant Linux.Kaiten.B are Trojan horses used to launch DDoS attacks. Depending on the variant, it may modify the /etc/init.d/rc.local file in order to be run each time a user logs in, or the /etc/rc.d/rc.local file to ensure it is executed on boot-up. Once installed, Kaiten will join a hardcoded IRC channel and listen for commands from the remote attacker. Besides launching DDoS attacks it may also kill processes, download and execute other arbitrary files, or spoof the IP address of the compromised device.

Linux.Routrem (aka Remainten, KTN-Remastered, KTN-RM)

Since Linux.Routrem contains many elements of the Linux.Kaiten code, it is also known as KTN (Kaiten)-Remastered. Once executed, Routrem will identify the architecture used on the compromised router and deploy the correct module (ARM, MIPS, or x86). Similar to Kaiten, Routrem may download additional files, launch a variety of DDoS attacks or scan nearby IP addresses for open Telnet ports. It is designed to target and infect standalone router devices and, as with Kaiten, receives commands from the remote attacker through an IRC channel.

Linux.Wifatch (aka Ifwatch)

Linux.Wifatch is considered an Internet-of-Things vigilante among the IoT malware families. According to its author, it has been designed for educational purposes. Wifatch’s code is written in the Perl programming language and it targets several different architectures – ARM, MIPS, Sh4, PowerPC, and x86. It does not launch DDoS attacks, exploit vulnerabilities, or distribute malware payloads, but instead some of its hardcoded routines attempt to improve the security of the compromised device. For example, Wifatch may present warning messages to the administrators about the potential danger of open Telnet ports or leave recommendations to change passwords and update the device’s firmware. Wifatch also includes a module that will attempt to find and kill any processes belonging to other known families of IoT malware present on the same device.

Linux.LuaBot

Linux.Luabot is the first malware targeting the ARM architecture written in the Lua programming language. The known capabilities of Luabot include launching DDoS attacks.

Attackers flocking to soft targets

The current IoT threat landscape shows that it does not require much to exploit an embedded device. While we have come across several malware variants exploiting device vulnerabilities – such as Shellshock or the flaw in Ubiquiti routers – the majority of the threats simply take advantage of weak built-in defenses and default password configurations in embedded devices.

DDoS attacks remain the main purpose of IoT malware. With the rapid growth of IoT, increased processing power in devices may prompt a change of tactics in future, with attackers branching out into cryptocurrency mining, information stealing, and network reconnaissance.

Staying protected

  • Research the capabilities and security features of an IoT device before purchase
  • Perform an audit of IoT devices used on your network
  • Change the default credentials on devices. Use strong and unique passwords for device accounts and Wi-Fi networks. Don’t use common or easily guessable passwords such as “123456” or “password”
  • Use a strong encryption method when setting up Wi-Fi network access (WPA)
  • Many devices come with a variety of services enabled by default. Disable features and services that are not required
  • Disable Telnet login and use SSH where possible
  • Modify the default privacy and security settings of IoT devices according to your requirements and security policy
  • Disable or protect remote access to IoT devices when not needed
  • Use wired connections instead of wireless where possible
  • Regularly check the manufacturer’s website for firmware updates
  • Ensure that a hardware outage does not leave the device in an insecure state
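Two of the checks above (no Telnet, audit what the device runs) can be scripted against the behaviour described for Kaiten and Routrem: persistence via rc.local and command-and-control over IRC. The following is an added example, not Symantec's code; the rc.local contents, the socket table and the hostnames are constructed, and the IRC port list and "world-writable directory" heuristic are assumptions.

```python
import re

# Constructed sample inputs; neither file is taken from a real device.
RC_LOCAL_SAMPLE = """#!/bin/sh -e
# rc.local - executed at the end of each multiuser runlevel.
/usr/sbin/ntpd -g
/tmp/.x/kaiten &
cd /var/tmp && ./bot.mips -s irc.example.invalid &
exit 0
"""

# Socket table in the layout of `ss -an` (Netid State Recv-Q Send-Q Local Peer).
SOCKET_SAMPLE = """Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      5      0.0.0.0:23          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   ESTAB  0      0      192.168.1.10:45210  203.0.113.7:6667
"""

WRITABLE_DIR = re.compile(r"/(var/)?tmp\b|/dev/shm\b")
IRC_PORTS = {6667, 6697}  # assumed common IRC ports; the bots above use IRC for C2


def audit_rc_local(text):
    """Return rc.local commands that run something out of a world-writable
    directory, the persistence spot the article attributes to Kaiten."""
    findings = []
    for line in text.splitlines():
        cmd = line.strip()
        if cmd and not cmd.startswith("#") and WRITABLE_DIR.search(cmd):
            findings.append(cmd)
    return findings


def audit_sockets(table):
    """Flag a listening Telnet service (port 23) and established
    connections to IRC ports in a socket table like the one above."""
    findings = []
    for line in table.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        state, local, peer = parts[1], parts[4], parts[5]
        lport, pport = local.rsplit(":", 1)[1], peer.rsplit(":", 1)[1]
        if state == "LISTEN" and lport == "23":
            findings.append("telnet listening on " + local)
        elif state == "ESTAB" and pport.isdigit() and int(pport) in IRC_PORTS:
            findings.append("irc connection to " + peer)
    return findings
```

On a real device, feed the script the actual rc.local file and the output of the socket tool the firmware ships (`ss -an` or `netstat -an`).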

Source: http://www.symantec.com/


The post IoT devices being increasingly used for DDoS attacks appeared first on Information Security Newspaper.

Don’t Touch It — Hackers Are Sending Malicious USB Sticks In Your Mail


Short Bytes: A recent study has suggested that people are inclined to pop any random USB stick into their computers without a second thought. Interestingly, Aussie hackers are exploiting this habit by putting malicious USB sticks in people’s mailboxes. The local police have warned residents about these devices and urged them to inform the police if such an incident takes place.

What are you going to do if you find a USB stick in your mailbox? It’s not surprising that you’ll plug it into your laptop as soon as possible. This human behaviour has been confirmed in a recent study at the University of Illinois.

The students who conducted the study found that about half of the 297 USB drives placed randomly around the campus were picked up and used. It looks like the Australian hackers have taken some inspiration from the study and decided to exploit people’s naivety.

Recently, the police from Victoria, in an announcement, warned the residents of malicious USB drives placed in their mailboxes. Here’s what Victoria Police Department wrote in the notice:

Police are urging residents in Pakenham to be wary following reports last week of corrupt USB flash drives being left in residential letterboxes. Members of the public are allegedly finding unmarked USB drives in their letterboxes.

Upon inserting these malicious USB drives, users are plagued with disguised, fraudulent media-streaming service offers. The police in the area have labelled these thumb-sized devices as “extremely harmful”, causing “serious issues”.

The police department has also shared a picture of USB drives similar to those being distributed by the hackers. They’ve also urged residents to contact the police and submit a report if they receive such mail.

Such means of spreading malware isn’t new. Cybercriminals are known to deploy similar techniques to fool unsuspecting users and steal their sensitive information.

So, I’ll ask again: what will you do if you receive a USB drive in your mail?

Yes. Burn it. Destroy it.

Source: https://fossbytes.com


MALWARE EVADES DETECTION WITH NOVEL TECHNIQUE


Researchers have found a new strain of document-based macro malware that evades discovery by lying dormant when it detects a security researcher’s test environment. The malware, according to researcher Caleb Fenton with security firm SentinelOne, evades detection simply by counting the number of documents (or the lack thereof) that reside on a PC, and not executing if a certain number are not present.

Fenton, who discovered the malware after several failed attempts to trigger the sample into acting maliciously, said the typical lack of documents in a virtual machine and sandboxed test environment makes it easy, in this case, for malware authors to fly under the radar. “If malware can be smart enough to know when it’s being tested in a VM, it can avoid doing anything suspicious or malicious and thereby increase the time it takes to be detected by such tools,” Fenton said in a blog post outlining his research.

A typical test environment consists of a fresh Windows computer image loaded into a VM environment. The OS image usually lacks documents and other telltale signs of real-world use, Fenton said. The malware sample that Fenton found (inside “Intelligent Software Solutions Inc[.]doc”) looks for existing documents on targeted PCs. If no Microsoft Word documents are found, the VBA macro code execution terminates, shielding the malware from automated analysis and detection. Alternately, if more than two Word documents are found on the targeted system, the macro will download and install the malware payload. The malware-laced document is distributed via spam or phishing campaigns, according to SentinelOne.

The malicious Word document looks for and takes advantage of a Windows feature called RecentFiles. The feature, as the name suggests, lists and gives easy access to recently viewed or created documents. When documents are detected via RecentFiles, the malware assumes the system is a valid target and goes into action, triggering a PowerShell script that links the victim’s PC to a command-and-control server to download a low-level system keylogger.

In another obfuscation technique, the malware uses an IP detection web service (Maxmind) to determine the network used by the targeted system. The IP address is cross-referenced with a list of blacklisted IP addresses tied to security firms such as BlueCoat, Palo Alto and others. Those IPs are red-flagged and stop the malware from executing, according to Fenton.

Anti-VM or anti-sandbox checks by malware are hardly new. Fenton notes that earlier this year researchers at Proofpoint observed a macro that looked up the public IP address of the targeted PC and would not download the payload if it found that the IP address was associated with a security vendor, certain cloud services or a sandbox environment. In June, Zscaler researchers found document-based macro attack code using multiple techniques to detect and evade virtual environments and automated analysis systems. One macro scanned for standard virtual environment strings and another looked for the presence of known analysis tools on the system.

Fenton says these examples of macro code capable of detecting test environments mimic what researchers have been seeing with more sophisticated malware for years. “These document-detecting samples represent a new trend for VBA-based malware. We expect this type of evasion technique in more sophisticated malware – not with less formidable macro malware,” Fenton told Threatpost. Malware authors, Fenton said, are realizing that adding obfuscation code to malware can extend the life of their malware and increase profits. “It comes down to simple economics. The longer malware can go undetected, the more damage it can do in the wild.” Fenton suspects that researchers will see more anti-detection features from a wider range of malware authors in the months ahead.

Source: https://threatpost.com


Locky Ransomware Fuels Surge in .RAR, JavaScript Attachments


Why is it critical to stop ransomware at the gateway layer? Because email is the top entry point used by prevalent ransomware families. Based on our analysis, 71% of known ransomware families arrive via email. While there’s nothing new about the use of spam, ransomware distributors continue to employ this infection vector because it’s a tried-and-tested method. It’s also an effective way to reach potential victims like enterprises and small and medium businesses (SMBs) that normally use emails for communication and daily operations. Over the first half of the year, we observed how cybercriminals leveraged file types like JavaScript, VBScript, and Office files with macros to evade traditional security solutions. Some of these file types can be used to code malware. In fact, as a security precaution, Microsoft turns off macros by default.

In this blog post, we examine various email file attachments and how ransomware affected the fluctuation in the use of these file types.

A look at email attachments

Trend Micro has already blocked and detected 80 million ransomware threats during the first half of the year, 58% of which came from email attachments. Throughout this year, we followed Locky’s spam campaign and how its ever-changing email file attachments contributed to its prevalence. Based on our monitoring, the rising number of certain file types in email attachments is due to Locky.

In the first two months of the year, we spotted a spike in the use of .DOC files in spam emails. DRIDEX, an online banking threat notable for using macros, was at one point reported to be distributing Locky ransomware. From March to April, we saw a spike in the use of .RAR attachments, which is also attributed to Locky.


Figure 1. Businesses are at risk to ransomware attacks as they are heavy users of productivity applications where macros are used.

In June and August, it appears Locky’s operators switched to using JavaScript attachments. However, this type of attachment is also known to download other ransomware families such as CryptoWall 3.0 and TeslaCrypt 4.0. We also noticed Locky employing VBScript attachments, likely because these can be easily obfuscated to evade scanners. Around mid-July to August, we started seeing Locky’s spam campaign using Windows Script File (WSF) attachments, which could explain how WSF became the second most used attachment file type among threats.

With WSF, two different scripting languages can be combined. The tactic makes it difficult to detect since it’s not a file type that endpoint solutions normally monitor and flag as malicious. Cerber was also spotted using this tactic in May 2016.


Figure 2. The rise in JS spam attachments from June to August is attributed to Locky. 

The latest strains of Locky were seen using DLLs and .HTA file attachments for distribution purposes. We surmise that malware authors abuse the .HTA file extension as it can bypass filters, given that it is not commonly known to be abused by cybercriminals.


Figures 3-4. Sample email message with .HTA attachment

Due to the continuous changes in the use of various file attachments, we suspect that the perpetrators behind Locky will use other executable files such as .COM, .BIN, and .CPL to distribute this threat.

To block spam emails with JS, VBScript, WSF and HTA attachments, companies should use email solutions with different anti-spam filters such as heuristics and fingerprint technology. In addition, solutions with a blacklisting mechanism can block known malicious sender IPs.

To detect the macro downloaders used by Locky and Cerber, email solutions should have a macro-scanning feature that can detect the malicious macro components of threats.

Typical email subjects

Prevalent ransomware like Locky and Cerber did not deviate from using common subject lines for social engineering. Enterprises and small-medium businesses should watch out for subject lines including those that involve invoices, parcel delivery, confirmation of order, banking notifications, and payment receipts. Knowing these email subjects can actually aid employees in spotting emails with ransomware.

Here are other samples of subjects used:

  • Documents requested
  • Audit Report
  • Budget Reports
  • Emailing: (Label | Picture | Image)
  • Message from “{RandomChar}”
  • We could not deliver your parcel, #{RandomChars}, Problems with item delivery, n(RandomChars), Unable to deliver your item, #{RandomChars}
  • Payment receipt
  • Order Confirmation {RandomChars}
  • Bill, Paid Bills


Figure 5. Sample of a spammed email message
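The gateway-level filtering recommended above can be sketched as a small triage routine: classify each attachment by its final extension (so a double extension such as "report.pdf.js" is still judged as a script) and flag the subject-line lures listed above. This is an added example, not Trend Micro's code; the MIME message, filenames and the action ranking are constructed assumptions.

```python
import email
import re
from email import policy

# Gateway actions for attachment types the article ties to Locky/Cerber spam
# (a starting point, not a complete policy); the last extension decides, so
# "report.pdf.js" is judged as a script.
POLICY = {
    "block": {"js", "vbs", "wsf", "hta", "dll", "com", "bin", "cpl"},
    "sandbox": {"rar", "zip"},           # scripts often arrive inside .RAR
    "macro-scan": {"doc", "docm", "xls", "xlsm"},
}
RANK = ["allow", "review", "macro-scan", "sandbox", "block"]
# Subject-line lures listed above, folded into one pattern.
LURE = re.compile(r"invoice|parcel|deliver|order confirmation|payment receipt|"
                  r"audit report|budget report|\bbills?\b|documents requested|^emailing:",
                  re.IGNORECASE)

# Constructed MIME message with a double-extension script attachment.
RAW_MAIL = b"""Subject: Audit Report
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached report.
--b1
Content-Type: application/octet-stream; name="report_0042.pdf.js"
Content-Disposition: attachment; filename="report_0042.pdf.js"
Content-Transfer-Encoding: base64

dmFyIHg9MTs=
--b1--
"""

def classify_attachment(name):
    """Map a filename to a gateway action by its final extension."""
    ext = name.lower().rsplit(".", 1)[-1]
    return next((act for act, exts in POLICY.items() if ext in exts), "allow")

def triage(raw):
    """Parse a raw message; return (action, subject_is_lure, attachment names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    action = max((classify_attachment(n) for n in names), key=RANK.index, default="allow")
    lure = bool(LURE.search(msg["subject"] or ""))
    if action == "allow" and lure:
        action = "review"       # lure subject but no flagged file: human review
    return action, lure, names
```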

Mitigation

One critical aspect of a ransomware attack is its delivery mechanism. Once ransomware-laced emails enter the network and execute on the system, they can encrypt important files.  Gateway solutions should be in place to prevent ransomware from entering the network.

Because of the very nature of these threats, companies need a multilayered solution that covers all their bases, from the exposure layer to endpoints, network, and servers. It is also highly recommended that companies keep backups to avoid resorting to paying the ransom. Earlier this year, we conducted a Security Preparedness survey in which we asked decision makers, buyers, and end-users from small-medium to large enterprises whether they do backups. Our survey revealed that 33% of the respondents either did not strictly implement their backup policy or were unaware if they had one.

Here’s an overview of Trend Micro products that can address ransomware from the gateway level and endpoints, to network and servers.

Source: http://blog.trendmicro.com/
