Techie Feeds

Fake Spectre and Meltdown patch pushes Smoke Loader malware

Malwarebytes - Fri, 01/12/2018 - 20:50

The Meltdown and Spectre bugs have generated a lot of media attention, and users have been urged to update their machines with fixes made available by various vendors.

While some patches have created more issues than they fixed, we came across a particular one targeted at German users that actually is malware. In fact, German authorities recently warned about phishing emails trying to take advantage of those infamous bugs.

We identified a recently registered domain that is offering an information page with various links to external resources about Meltdown and Spectre and how it affects processors. While it appears to come from the German Federal Office for Information Security (BSI), this SSL-enabled phishing site is not affiliated with any legitimate or official government entity.

Moreover, the same fraudulent domain has a link to a ZIP archive ( containing the so-called patch (Intel-AMD-SecurityPatch-10-1-v1.exe), which really is a piece of malware.

Upon running it, users will infect themselves with Smoke Loader, a piece of malware that can retrieve additional payloads. Post-infection traffic shows the malicious file attempting to connect to various domains and sending encrypted information:

The Subject Alternative Name field within the abused SSL certificate shows other properties associated with the .bid domain, including one that is a German template for a fake Adobe Flash Player update.

We immediately contacted Comodo and CloudFlare to report on this abuse and within minutes the site did not resolve anymore thanks to CloudFlare’s quick response. Malwarebytes users were already protected at zero-hour against this malware.

Online criminals are notorious for taking advantage of publicized events and rapidly exploiting them, typically via phishing campaigns. This particular one is interesting because people were told to apply a patch, which is exactly what the crooks are offering under disguise.

It’s always important to be cautious, especially when urged to perform an action (i.e. calling Microsoft on a toll-free number, or updating a piece of software) because there’s a chance that such requests are fake and intended to either scam you or infect your computer. There are very few legitimate cases when vendors will directly contact you to apply updates. If that is the case, it’s always good to verify this information via other online resources or friends first.

Also, remember that sites using HTTPS aren’t necessarily trustworthy. The presence of a certificate simply implies that the data that transits between your computer and the site is secure, but that has nothing to do with the intentions or content offered, which could be a total scam.

Indicators of compromise

Fraudulent site:


Fake patch (Smoke Loader): CD17CE11DF9DE507AF025EF46398CFDCB99D3904B2B5718BFF2DC0B01AEAE38C

Smoke Loader callbacks:

coolwater-ltd-supportid[.]ru localprivat-support[.]ru service-consultingavarage[.]ru

The post Fake Spectre and Meltdown patch pushes Smoke Loader malware appeared first on Malwarebytes Labs.

Categories: Techie Feeds

WPA3 will secure Wi-Fi connections in four significant ways in 2018

Malwarebytes - Fri, 01/12/2018 - 17:30

CES, the annual consumer electronics extravaganza in Las Vegas, isn’t just a showcase for virtual reality and poorly-timed power outages. It’s also an opportunity to get a peek at the future of network security.

That’s why on the first day of CES, the Wi-Fi Alliance announced the newest security protocol for Wi-Fi devices: WPA3. The new protocol is the most significant upgrade to Wi-Fi security since WPA2 was ratified in 2004.

Details are thin, but the announcement outlined four new security capabilities that will protect wireless connections in the years to come.

1. Protection against brute force “dictionary” attacks

Despite a generation of irritated admins requesting that users choose stronger passwords, the most popular passwords are still common words like “password” or “football.” That makes networks vulnerable to simple brute force attacks that systematically submit every word in the dictionary as a password. Online tutorials of this Wi-Fi hack are trivially easy to find.

WPA3 should make that issue a thing of the past by “delivering robust protections even when users choose passwords that fall short of typical complexity recommendations.” Some security experts have speculated that this refers to a type of key exchange called Dragonfly. According to the Internet Engineering Task Force (IETF), Dragonfly “employs discrete logarithm cryptography to perform an efficient exchange in a way that performs mutual authentication using a password that is probably resistant to an offline dictionary attack.”

2. Easier Internet of Things (IoT) security

WPA3 promises to “simplify the process of configuring security for devices that have limited or no display interface.” That’s a nod to the growing number of devices that are enhanced by network connections, such as smart door locks, home personal assistants, and (apparently) toothbrushes. Since IoT devices rarely have a graphical interface, it’s difficult to configure them for optimal security. You can’t type a password directly on a toothbrush, after all. This can naturally lead to less secure connections and vulnerable devices. Hackers could, for example, access your smart speakers and play whatever audio they want in your living room.

The Wi-Fi Alliance hasn’t yet offered details on how WPA3 overcomes this challenge. But researchers have successfully enhanced security on IoT devices by configuring them with a smartphone.

3. Stronger encryption

WPA2 requires a 64-bit or 128-bit encryption key. But WPA3 uses a stronger standard: 192-bit encryption and alignment with the Commercial National Security Algorithm (CNSA) Suite. This promises consumers the kind of beefier security that’s currently used to protect governments and corporations.

4. Secure public Wi-Fi

Public Wi-Fi connections, like the kind you might use in a coffee shop or library, are always less secure than private ones. That’s partly due to the inherent security limitations of open wireless networks, and party due to the fact that librarians and coffee shop owners aren’t typically network security masters. The new standards promise to “strengthen user privacy in open networks through individualized data encryption.” Though the announcement doesn’t offer specifics on how that will be achieved.

Curiously, during its CES announcement, the Wi-Fi Alliance made no mention of KRACK, the vulnerability in WPA2 that impacted all Wi-Fi devices. However, Mathy Vanhoef, the researcher who discovered the vulnerability, wrote several enthusiastic tweets about WPA3.

In one, he speculates that WPA3 will include Opportunistic Wireless Encryption. This enables connection on an open network without a shared and public Pre-Shared Key (PSK). That’s important because a PSK can give hackers easy access to the Traffic Encryption Keys (TEKs), thus allowing them access to a data stream. In other words, the new protocol should help prevent hackers from snooping on your web browsing while you’re at Starbucks.

Before we start to see the benefits of WPA3, the Wi-Fi Alliance has to certify hardware that uses the security protocol. So there’s no telling when people can start enjoying the enhanced security protections. But you shouldn’t be surprised if you start seeing devices that use the new protocol later this year.

Guest post by Logan Strain, author for Crimewire
Father, writer, and reformed Usenet troll. Lives in San Diego. Doesn’t surf, but should learn.
Follow Logan on Twitter @LM_Strain

The post WPA3 will secure Wi-Fi connections in four significant ways in 2018 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Alleged creator of Fruitfly indicted for 13 years of spying

Malwarebytes - Fri, 01/12/2018 - 16:43

Way back at the start of last year, we took a look at something called Fruitfly, a Mac backdoor using old code that had been around for a long time and could (deep breath) upload files to computers, record images and video, snoop around in victims’ information, take screenshots, and also log keystrokes. The malware, made up of just two files, was a mixture of “wow, that’s clever,” ancient system calls, and basic persistence techniques. Possessing the ability to download additional files from a Command and Control server, alongside a seemingly overt interest in being able to capture images, we also discovered Windows versions of the files communicating with the same C&C.

At the time, a lot of questions were raised about what it was being used for, alongside the possibility that professional hacking groups were behind its creation.

With that in mind, news has broken that a 28-year-old man, Phillip R. Durachinsky of North Royalton, Ohio, has been charged with using this piece of malware since the age of 15(!) to allegedly:

watch, listen to, and obtain personal data from unknowing victims, as well as produce child pornography.

Very serious allegations. In addition to being charged with 16 counts of charged with Computer Fraud and Abuse Act violations, Wiretap Act violations, production of child pornography, and aggravated identity theft, it’s also claimed he’s the creator of Fruitfly, which would be quite the revelation. From the indictment:

…from 2003 through Jan. 20, 2017, [Durachinsky is alleged] to have orchestrated a scheme to access thousands of protected computers owned by individuals, companies, schools, a police department, and the government, including one owned by a subsidiary of the U.S. Department of Energy…[he] used the malware to steal the personal data of victims, including their logon credentials, tax records, medical records, photographs, banking records, Internet searches, and potentially embarrassing communications.

The “medical records” reference leaps out. From our linked blog:

The only reason I can think of that this malware hasn’t been spotted before now is that it is being used in very tightly targeted attacks, limiting its exposure…and which seems to be targeting biomedical research centers.

That would definitely appear to sync up with the medical record pilfering, and we’re wondering what else will come out in the wash by the time this one has passed through the courts.

According to the indictment, Durachinsky also used stolen login credentials to access and download information from third-party websites. He’s further alleged to have watched and listened to victims without their knowledge or permission, and intercept oral communications taking place in the room where the infected computer was located. In some cases, Durachinsky’s malware alerted him if a user typed words associated with pornography. He apparently saved millions of images and often kept detailed notes of what he saw.

Reading through the charges paints more and more of a disturbing picture.

“For more than 13 years, Phillip Durachinsky allegedly infected with malware the computers of thousands of Americans and stole their most personal data and communications,” said Acting Assistant Attorney General Cronan. “This case is an example of the Justice Department’s continued efforts to hold accountable cybercriminals who invade the privacy of others and exploit technology for their own ends.”

Getting away with more than a decade of stealing data like this on such a grand scale is quite the feat, and one hopes the victims of the most salacious offenses receive justice.

The post Alleged creator of Fruitfly indicted for 13 years of spying appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Meltdown and Spectre fallout: patching problems persist

Malwarebytes - Thu, 01/11/2018 - 14:00

Last week, the disclosure by multiple teams from Graz and Pennsylvania University, Rambus, Data61, Cyberus Technology, and Google Project Zero of vulnerabilities under the aliases Meltdown and Spectre rocked the security world, sending vendors scurrying to create patches, if at all possible, and laying bare a design flaw in nearly all modern processors.

The fallout from these revelations continues to take shape, as new information on the vulnerabilities and the difficulties with patching them comes to light daily. In the days since Meltdown and Spectre have been made public, we’ve tracked which elements of the design flaw, known as speculative execution, are vulnerable and how different vendors are handling the patching process. By examining the applied patches’ impact against one of our own products, Adwcleaner, we found that they are, indeed, causing increases in CPU usage, which could result in higher costs for individuals billed by Cloud providers accordingly.

What is speculative execution?

Speculative execution is an effective optimization technique used by most modern processors to determine where code is likely to go next. Hence, when it encounters a conditional branch instruction, the processor makes a guess for which branch might be executed based on the previous branches’ processing history. It then speculatively executes instructions until the original condition is known to be true or false. If the latter, the pending instructions are abandoned, and the processor reloads its state based on what it determines to be the correct execution path.

The issue with this behaviour and the way it’s currently implemented in numerous chips is that when the processor makes a wrong guess, it has already speculatively executed a few instructions. These are saved in cache, even if they are from the invalid branch. Spectre and Meltdown take advantage of this situation by comparing the loading time of two variables, determining if one has been loaded during the speculative execution, and deducing its value.

As explained in our post last week, the potential danger of an attack using these vulnerabilities includes being able to read “secured” memory belonging to a process. This can do things like reveal personally identifiable information, banking information, and of course usernames and passwords. On cloud environment, these vulnerabilities allow extracting data from the host and other VMs.

Example of speculative execution

Using the Project Zero example below, the process will evaluate the condition if(untrusted_offset_from_caller < arr1->length) at a later time, and start a speculative execution of both branches, leading to two different index2 values. This example corresponds to variant 1 of Spectre (CVE-2017-5753) and works on most Intel, AMD, ARM, and IBM CPUs.

struct array { unsigned long length; unsigned char data[]; }; struct array *arr1 = ...; /* small array */ struct array *arr2 = ...; /* array of size 0x400 */ /* >0x400 (OUT OF BOUNDS!) */ unsigned long untrusted_offset_from_caller = ...; if (untrusted_offset_from_caller < arr1->length) { unsigned char value = arr1->data[untrusted_offset_from_caller]; unsigned long index2 = ((value&1)*0x100)+0x200; if (index2 < arr2->length) { unsigned char value2 = arr2->data[index2]; }

If the processor predicts that the condition is true, value will load:

unsigned char value = arr1->data[untrusted_offset_from_caller];

Based on value, it’s possible to load index2, which can be 0x200 or 0x300 due to the bitwise operation:

unsigned long index2 = ((value&1)*0x100)+0x200;

The second condition is then executed and the last instruction loads value2 as arr2->data[0x200] or arr2->data[0x300].

Once the initial condition has been evaluated and the processor notices that the execution flow above is wrong, the value of value2 stays in the L1 cache. It’s then possible to compare the loading time of arr2->data[0x200] and arr2->data[0x300], and deduce which one has been evaluated during the speculative execution. From there, it’s easy to figure out related variables: Here the value of arr1->data[untrusted_offset_from_caller] is a value that shouldn’t be possible to retrieve according to the expected code flow, since it allows to leak out-of-bound memory.

In order to exploit this behaviour, the code pattern above has to be present on the victim’s machine. As detailed in Jann Horn’s writeup, a locally installed software, a JIT (Javascript is a particularly interesting candidate), or an interpreter (he used eBPF) meet the requirements.

Four variants

While it was initially reported that Spectre and Meltdown correspond to three vulnerabilities, four variants actually exist:

Variants 1 and 2 of Spectre impact Intel, IBM, ARM, and AMD CPUs. Meltdown appears to be exclusive to Intel CPUs, and allows attackers to read privileged memory from an unprivileged context, still using the speculative execution feature. Its variant 3a is exploitable on a few ARM CPUs only.

The fact that these vulnerabilities impact the CPUs themselves make them difficult to patch. A software-only solution may bring important performance issues, as would a hardware-only fix. Thus, various hardware vendors have been working together in the past months working on fixes. However, while major players like Amazon and Microsoft got early access to the vulnerabilities reports, other providers did not. They discovered the vulnerabilities at the same time as the disclosure on January 3.

Vendors band together

Those who weren’t in on the secret formed a task group with other providers in order to exchange information and to pressure hardware manufacturers. Scaleway, OVH, Linode, Packet, Digital Ocean, Vultr, Nexcess, and have been part of it, later joined by Amazon, Tata Communications, and also parts of the RedHat and Ubuntu teams. On January 9, part of the researchers (Moritz Lipp, Daniel Gruss, Michael Schwarz from the Graz University of Technology) who discovered the vulnerabilities also joined in.

Some Open-Source developers also explained that they had not received any information prior the public disclosure, but were actively working on providing patches.

We have received *no* non-public information. I’ve seen posts elsewhere by
other *BSD people implying that they receive little or no prior warning, so
I have no reason to believe this was specific to OpenBSD and/or our

Mitigations began to land upstream in the Linux kernel shortly after the public disclosure to address the vulnerabilities separately. Some require a hardware-vendor-issued microcode to be applied to the processor in order to make the software patch effective. Most of these patches are simply workarounds, however, to avoid making the CPU behave as explained above. We may expect some hardware change in future generations of processors at some point, but there’s no easy, quick fix for now.

Available patches for hardware and OSes

The upstream Linux patch for Meltdown (variants 3 and 3a) takes advantage of KPTI (Kernel Page Table Isolation) and has been backported to Linux 4.14, 4.9 and 4.4. It’s is available in most distribution’s official kernels. Debian has shipped it in most releases, as RedHat has done. Ubuntu published theirs a few hours ago, although some critical issues have been discovered and quickly addressed. Tails published an update, too. The patches for ARM64 haven’t been merged yet but are expected to be merged later.

Variant 1 (Spectre) requires changes to compilers behaviour and Intel suggests adding LFENCE (see 3.1 Bounds Check Bypass Mitigation; other vendors have other suggestions) as a barrier to stop speculation in specific places. This means that the kernel and software has to be recompiled in order to avoid making the processor use the speculative execution when it’s problematic. Again, although we may expect hardware changes in future generations of Intel chips, we can’t expect this to happen for a long time.

Variant 2 (also Spectre) requires both a microcode patch from CPU vendors and a patch from the kernel to leverage IBRS (Indirect Branch Speculation Feature), STIBP, and IBPB. Another suggestion called “retpoline” has been introduced by Paul Turner from Google and is also being implemented in various compilers, including GCC and LLVM, even though some questions still remain about its efficiency on certain CPU models.

Vulnerability (Linux) Software mitigation Hardware mitigation Meltdown (3 & 3a)
KPTI Not needed Spectre 1 n/a n/a Spectre 2 IBRS / Retpoline Microcode

Proprietary vendors have also published several updates:

  • Apple addressed the two Meltdown variants in iOS 11.2, macOS 10.13.2, and tvOS 11.2. Spectre is being mitigated in iOS 11.2.2 and the macOS 10.13.2 Supplemental Update, even though only recompiled software are an effective mitigation for variant 1.
  • Google has included some mitigations for the three variants in its Android Security Bulletin on January 5. Note that further mitigations are expected in next month’s updates, especially a kernel with KPTI.

Regarding Microsoft, the process has been bumpier. They’ve released various fixes for the platform, but made several requirements for the patches for Spectre and Meltdown to be effective:

  1. If an antivirus solution is register in the Windows Security Center, it needs to set the following registry key:
Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD” Data="0x00000000”

Only then can the January Patch Tuesday patch be applied. Note that Malwarebytes users have been able to successfully receive the patch since its publication.

2. As pointed out by Kevin Gaumont, a specific manipulation must be done on Windows Server to apply the patch and enable it. After creating the following keys and restarting the host, the mitigation should be in place:

reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v FeatureSettingsOverride /t REG_DWORD /d 0 /f reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization” /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d “1.0” /f

A few moments later, users began to report computers running with AMD processors becoming unbootable after applying the patch. Microsoft has stopped delivering the patch to those configurations while working with AMD to find a solution.

Available software patches

Apart from hardware manufacturers and OS vendors, software editors have also been quick to mitigate the exploitation of Spectre. Browser vendors and virtualization solutions are particularly exposed to these vulnerabilities and have been the fastest to respond.

  • Xen published an advisory sharing details about the vulnerabilities in its hypervisor’s scope alongside a documentation page explaining how to mitigate.
  • Mozilla released Firefox 57.0.4 soon after publishing an article explaining how they managed to exploit Spectre remotely using Javascript and WebAssembly. This update makes time source less precise, thus making the exploitation a lot more unreliable while more in-depth fixes are engineered.
  • Google Chrome followed shortly after with an explanatory article about how Spectre could be exploited using WebKit’s JavascriptCore and listing the upcoming mitigations in Webkit.

Numerous Proof of Concepts have been published to demonstrate the exploitation of the different variants, from reconstructing an image to applying it against a specifically-crafted Intel SGX enclave. It’s also possible to test if mitigations are in place: Microsoft released a solution that can be used remotely based on the new PowerShell SpeculationControl module, and several solutions are available on Linux-based OSes.

Patches impact on AdwCleaner’s infrastructure

Disclaimer: The following is not a benchmark, but feedback based on what we have observed in our hardware environment and software stack. The observed behaviour is highly dependent on the workload, and there may be no changes observed in yours.

As part of our security process, we’ve applied fixes as soon as they were made available by our distributions and hosting providers. We were expecting some performance increase, especially on AdwCleaner storage backend, but it was hard to quantify.

CPU load before and after KPTI patch on AdwCleaner storage backend.

After applying the new Linux kernel with the KPTI backport, we’ve observed a 10 to 15 percent increase of CPU usage. (We applied the patch slightly before 00:00 UTC on January 6). These servers do not take advantage of PCID, which could make the difference in performance less visible. As this usage increase appears to be the new baseline for some time, this is likely to at least temporary lead to important cost increases for users of providers billing based on CPU usage, although some providers are reported working with severely impacted customers.

As the situation still evolves quickly every day, some updates may be added to both the original story and this blogpost.

Particularly interesting literature:

The post Meltdown and Spectre fallout: patching problems persist appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Of princes and perpetrators: Beware of getting ensnared in 419 scams

Malwarebytes - Wed, 01/10/2018 - 18:44

We’ve mentioned before that 419 scams don’t always originate from Nigeria. It’s a very simple and popular scam that can be attempted by pretty much anyone with a flair for social engineering. Indeed, 419 scams are so associated with the region that many scammers in non-Nigerian countries know they have an additional layer of “It wasn’t me” potentially obfuscating their identity.

This may help the non-Nigeria based criminal better hide once life savings have been stolen. Law enforcement and the victims themselves are probably going to make assumptions about who’s doing the money swiping, which simply helps the actual criminal go deeper underground.

By the same token, 419 scammers seek to obfuscate their location further by making use of so-called money mules: innocent victims tangled up in scams, sending stolen money to and from a variety of bank accounts. More often than not, they’re enticed by the prospect of too-good-to-be-true job adverts posted online, typically in the field of remote work administration or “payroll management.”

A fancy-sounding title, the promise of big money for little work, and an awful lot of “we’ll explain how that thing works later,” and you have yourself a money mule.

What’s so good about having an army of disposable web flunkies at your disposal?

When the cops come calling, they make a beeline for the point of least resistance (the scammer pulling strings is supposed to be based in Nigeria, remember?) In practice, this probably means your recently retired grandfather looking for a bit of extra pocket cash, or your penniless friend at University is going to jail. If you’re a money mule, you’re engaged in illegal activity and can be prosecuted for it. “I didn’t know” won’t save you.

Take this individual, recently charged with no less than 269 counts of wire fraud and money laundering.

From the Slidell Police department Facebook page:

Slidell Police financial crimes investigators arrested , 67-year-old, Michael Neu (Slidell,LA), for 269 counts of Wire Fraud and Money Laundering. Neu is suspected to have been the “middle man”, and participated in hundreds of financial transactions, involving phone and internet scams, designed to con money from victims across the United States. Some of the money obtained by Neu was subsequently wired to co-conspirators in the Country of Nigeria. The investigation is on-going, but is extremely difficult as many leads have led to individuals who live outside of the United States. Slidell Police Chief Randy Fandal hopes this arrest serves as a reminder for Slidell residents to be leery of such scams. Chief Fandal said, “If it sounds too good to be true, it probably is. Never give out personal information over the phone, through e-mail, cash checks for other individuals, or wire large amounts of money to someone you don’t know. 99.9 percent of the time, it’s a scam.”

Reports are a little confused, as some articles claim he’s the mastermind while others (including the police statement up above) plainly state he’s the middleman. Additional details are thin on the ground, so we don’t really know at this stage if he was “merely” responsible for wiring money, or if he was physically typing out “Hello, I’m a Prince” emails to hoodwink potential victims.

Either way, he’s in a whole lot of trouble with law enforcement and though some of the pieces mention “co-conspirators in Nigeria,” it’s unlikely any of them will be caught. In effect, whether unaware of what was really going on, or an active participant (and it’s entirely possible some money mules will happily get involved for a bigger cut of the proceeds), what we have here is a fall guy within easy reach of the police.

Wait, did I just say “active participant?” I sure did. And guess what? It’s not just retirees wandering into trouble. Younger folks are also getting in on the act, often due to lack of cash and the idea that this might be a safe, fast way to make some money. Data from 2017 suggests that more than 8,500 people aged between 18 to 24 had their bank accounts used by criminals.

Given that a lot of money muling can tie directly into crimes such as drug distribution and people trafficking, those individuals will probably have a short, sharp dose of reality when the police come knocking. As Cifas, a UK fraud prevention service, points out, loans, contracts, and other financial services may be hard to come by should your bank account be closed due to laundering—and that’s before you get to the part where you could spend up to 14 years in prison for it.

All things considered, not a sensible career choice. If you’re approached by strangers offering too-good-to-be-true job opportunities—especially for remote work and handling money/sending said cash through various bank accounts—give it a wide berth. You’ll probably be very glad that you did.

The post Of princes and perpetrators: Beware of getting ensnared in 419 scams appeared first on Malwarebytes Labs.

Categories: Techie Feeds

RIG exploit kit campaign gets deep into crypto craze

Malwarebytes - Tue, 01/09/2018 - 17:11

There isn’t a day that goes by without a headline about yet another massive spike in Bitcoin valuation, or a story about someone mortgaging their house to purchase the hardware required to become a serious cryptocurrency miner.

If many folks are thinking about joining the ‘crypto craze’ movement, they may be surprised to learn that they already have. We’ve documented in-browser miners before on this blog, or what we call drive-by cryptomining, but drive-by download attacks such as those via the RIG exploit kit want a piece of the action, too. While the latter is not a new trend, we have noticed an increase in malware payloads from EKs that are coin miners, and we think this is going to be something to follow for 2018.


Today, we take a look at a prolific campaign that is focused on the distribution of coin miners via drive-by download attacks. We started to notice larger-than-usual payloads from the RIG exploit kit around November 2017, a trend that has continued more recently via a campaign dubbed Ngay.

What happened is that the initial dropper contained additional binaries that contributed to its oversized nature as depicted below. Droppers from this campaign have contained one or more coin miners consistently, for at least Monero and lesser known but still popular other currencies such as Bytecoin.

One payload leads to two different coin miners.

For the same attack, these two processes will mine for the well-known Monero and Electroneum cryptocurrencies. When both executables are running, the CPU usage on the victim’s computer is maxed at 100 percent.


The Ngay campaign, identified as such by Nao_Sec, is one of several malvertising chains that relies on the RIG exploit kit to distribute its payloads. Recently, we observed a more complex redirection chain involving bestadbid and various XML feeds upstream, eventually trickling down to the more familiar redirect to RIG.

Infection flow showing redirection to RIG EK, followed by coin miner payloads

iframe to RIG EK is inserted in Ngay’s template page

The dropped binary from RIG EK contains two other artifacts that each lead to a different coin miner and are launched in a rather unusual procedure. In the following sections, we will study their deployment mechanism.

Monero miner

Monero is one of the most well-known digital currencies that, contrary to Bitcoin, does not require special hardware and provides additional privacy benefits. Threat actors have jumped on it in via large-scale drive-by mining attacks, with the help of coin miner-purposed malware.

Here the Monero miner is downloaded after a convoluted process that also aims at registering it permanently as a running service. The extracted binary from the RIG EK payload (3yanvarya.exe) is an installer that drops several .NET modules:

.NET modules extracted from one of the two artifacts contained in RIG EK’s payload

starter.exe uses an exploit (Invoke-MS16-032) copied from this GitHub repository (It even re-uses the original license!) to elevate privileges:

Code snippet showing PowerShell code designed to elevate privileges

foxcon.exe contains two sub-modules inside: Hydra and Hand, which purport to protect and manage services:

Hydra and Hand: two modules in charge of miner services

services.exe is a service to download and manage the miner:

Miner is downloaded from a remote IP address

Finally, the Monero miner (series64.exe) is retrieved and can start the mining activity. The overall process can be summarized in the diagram below.

“C:\Windows\TEMP\series64.exe” -o -u x -p x -k -B –max-cpu-usage=30 –safe

Overview of the Monero miner deployment

Electroneum miner

Electroneum, the “mobile friendly” digital currency, has only been recently introduced but became popular almost immediately. The Android app allows anyone to mine and manage their wallet, but miners running desktop platforms can also participate.

Malware authors are abusing it via a malicious coin miner binary that is dropped from dp.exe in yet another unusual redirection chain. Indeed, it involves the URL shortener to retrieve a fake PNG image containing instructions for the download and eventual launch of the miner itself.

“C:\Users\[username]\AppData\Roaming\bvhost\bvhost.exe” -o -u etnkKc…

Overview of the Electroneum miner deployment


As cryptocurrencies become more and more popular, we can only expect to see an increase in malicious coin miners, driven by the prospect of financial gains and increased anonymity. As the mining process has become cross-platform and achievable using regular computers, this has opened new possibilities for threat actors. Indeed, they can put hundreds of thousands of compromised machines to work mining for the latest and hottest digital currency around.

For end users, the threat of a coin miner infection may seem less impactful than, say, a banking Trojan, but perhaps that is only true in the short term. Not only can existing malware download additional payloads over the course of time, but the illicit gains from cryptomining contribute to financing the criminal ecosystem, costing billions of dollars in losses.

This particular RIG EK campaign is noteworthy for its focus on cryptominers and the way it unconventionally and at times inefficiently loads them. We will keep monitoring the drive-by download landscape to report on any change in payloads from other threat actors.

Many thanks to @hasherezade for help studying the binaries.

Indicators of compromise

RIG EK dropper


Redirections to downloader script *.lolkekss[.]us bit[.]ly/2lXCGUy

Downloader script for Electroneum miner (fake PNG)


Electroneum miner (bvhost.exe) 115776615-884492032168661957.preview.editmysite[.]com/uploads/1/1/5/7/115776615/be 13CE8C6C8E9E4A06880A5F445A391E9E26BB23FCD0C6F4CC495AA5B80E626C0B

Monero miner (series64.exe) F651B1C5AE7B55B765994EB6630C45A0A7F1E43EBABD801CB8B3B26BDDB09D17

Additional miner loaders via RIG EK (SHA256, size in bytes, date found):

24ff04ef166cbc94d88afd0c7a3cba78dfe2f2d9e02a273a60fcc45ced5cb484,1732969,2017-12-29 d68c5095bd7b82e28acd4df5514a54db6d6d340ada860b64b932cb014fe1ecb3,1513983,2018-01-02 5c32e0d2a69fd77e85f2eecaabeb677b6f816de0d82bf7c29c9d124a818f424f,1732965,2018-01-02 2876ceb760c5b37e03ebb3cabbfb25a175e8c3556de89af9dd9941fda183bc79,1840725,2018-01-03 bba35503156eee0aa6ecef7aa76bbe3e6d26791585aac328f895278cd1c09cb2,2819600,2018-01-04

The post RIG exploit kit campaign gets deep into crypto craze appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (January 1-8)

Malwarebytes - Tue, 01/09/2018 - 15:48

New year, new threats, as 2018 gets underway.

On our blog, we had dubious searches aplenty for those hunting for Malwarebytes information, and we also covered the huge Meltdown/Spectre bug, affecting hardware going back to 10 years.

Other news
  • Coin miners are at it again, with a proof of concept for hacking public Wi-Fi and injecting cryptomining code into browsing sessions. (source: The Register)
  • Around 240k people have been tied up in a “privacy incident” over at the DHS. (source: DHS)
  • Browser makers are looking to mitigate risks from Meltdown and Spectre. (Source: Help Net Security)
  • 36 rogue apps wound up on the Google Play store, reminding us to be extra vigilant even when on an official site. (Source: Trend Micro)
  • Yet another cryptominer doing the rounds, this time dragging Linux machines into a cash spinning botnet. (source: F5)
  • Face recognition: nice idea, but being fooled by photographs is a bit much. (source: Naked Security)
  • A well put together phishing mail is causing headaches for those who may have purchased items from retailer Debenhams. (Source: South Wales Argus)
  • Unusually, you may be able to reclaim money lost to wire fraud scams, regardless of where you live. This doesn’t happen often, so check it out if you’ve been stung! (Source: Birmingham Mail)
  • Malware-laden emails laced with more malware are being used to steal data related to the Winter Olympics. (Source: BBC)

Stay safe, everyone!

The post A week in security (January 1-8) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Meltdown and Spectre: what you need to know

Malwarebytes - Thu, 01/04/2018 - 15:53

The Google Project Zero team, in collaboration with other academic researchers, has published information about three variants of a hardware bug with important ramifications. These variants—branch target injection (CVE-2017-5715), bounds check bypass (CVE-2017-5753), and rogue data cache load (CVE-2017-5754)—affect all modern processors.

If you’re wondering if you could be impacted, the answer is most certainly yes.

The vulnerabilities, named Meltdown and Spectre, are particularly nasty, since they take place at a low level on the system, which makes them hard to find and hard to fix.

Modern computer architecture isolates user applications and the operating system, which helps to prevent unauthorized reading or writing to the system’s memory. Similarly, this design prevents programs from accessing memory used by other programs. What Meltdown and Spectre do is bypass those security measures, therefore opening countless possibilities for exploitation.

The core issue stems from a design flaw that allows attackers access to memory contents from any device, be it desktop, smart phone, or cloud server, exposing passwords and other sensitive data. The flaw in question is tied to what is called speculative execution, which happens when a processor guesses the next operations to perform based on previously cached iterations.

The Meltdown variant only impacts Intel CPUs, whereas the second set of Spectre variants impacts all vendors of CPUs with support of speculative execution. This includes most CPUs produced during the last 15 years from Intel, AMD, ARM, and IBM.

It is not known whether threat actors are currently using these bugs. Although due to their implementation, it might be impossible to find out, as confirmed by the vulnerability researchers:

Can I detect if someone has exploited Meltdown or Spectre against me?
Probably not. The exploitation does not leave any traces in traditional log files.

While there are no attacks reported in the wild as of yet, several Proof of Concepts have been made available, including this video that shows a memory extraction (using a non-disclosed POC). This is particularly damaging because 1. There aren’t many options for protection currently and 2. as previously stated, even if threat actors do spring to action, it might be impossible to verify if that’s the case. 


Because the Meltdown and Spectre variants are hardware vulnerabilities, deploying security programs or adopting safer surfing habits will do little to protect against potential attack. However, a patch for the Meltdown variant has already been rolled out on LinuxmacOS, and Windows 10 Insider Edition.

According to our telemetry, most Malwarebytes users are already able to receive the latest Microsoft update. However, we are working to ensure that our entire user base has access to the patch.

Unfortunately, Microsoft’s fix comes with significant impact on performance, although estimates of how much vary greatly. An advisory from Microsoft recommends users to:

  1. Keep computers up to date.
  2. Install the applicable firmware update provided by OEM device manufacturers.

If you are having issues getting the Windows update, please refer to this article, as Microsoft has stated some possible incompatibility issues with certain security software.

No software patch for Spectre is available at the time of this article. Partial hardening and mitigations are being worked on, but they are unlikely to be published soon.

The Spectre bug can be exploited via JavaScript and WebAssembly, which makes it even more critical. It is therefore recommended to apply some countermeasures such as Site Isolation in Chrome. Mozilla is rolling out a Firefox patch to mitigate the issue while working on a long-term solution. Microsoft is taking similar action for Edge and Internet Explorer.

Cloud providers (AmazonOnline.netDigitalOcean) also rushed to issue emergency notifications to their customers for upcoming downtimes in order to prevent situations where code from the hypervisor could be leaked from a virtual machine, for example.

The aftermath from these bugs is far from being completely understood, so please check back on this blog for further updates.

Vendor advisories:

The post Meltdown and Spectre: what you need to know appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Search engine shenanigans: Malwarebytes mentions aren’t what they seem

Malwarebytes - Wed, 01/03/2018 - 17:22

Thing might be a touch quiet at the moment as we ease into 2018, but that doesn’t mean dubious antics and dodgy dealings aren’t still making waves online. As a matter of fact, should you go searching for some of our researchers, their blog posts, or just a couple of notable quotables from news sources, you may find yourself redirected to all manner of websites you’d really rather avoid.

Here’s how it usually works: Scammers take some keywords, or maybe a few stand out sentences, or even just bits of a blog. They then insert the text into the sourcecode of a website. From there, they either use that as the final destination, or use the word-stuffed HTML as a landing page which redirects to the end website. That site could be harmless, or spam, or something filled with attacks on your computer.

Search engine poisoning used to be quite a problem whenever a major news incident occurred, and you’d regularly find pages of malware, hijacks, and fake antivirus cluttering up genuine search entries.

Search engines worked on their algorithms, and these days it’s surprisingly tricky to wind up on a fake batch of bogus results related to a breaking news story. Should a scammer avoid breaking new and focus on more general search queries, however, they may be able to dodge detection and seed the results they need. Case in point:

That last one, for example, leads to a redirect landing page. Here’s the HTML snippet in question:

Click to enlarge

That site bounces visitors off to what appears to be a page masquerading as a forum. It’s a weird forum, given that every link on page simply leads to more advert URLs and a variety of sign ups.

Click to enlarge

Note that what the program asks for will change depending on how you arrive on the page, and also note that they claim you need to offer up credit card details to prove you’re not a bot.

Click to enlarge

Here’s one of the final destinations we came across from the “forum” link:

Click to enlarge

Other final destinations we’ve seen from some of the URLs floating around in search results include lots of “pay for social media prowess” type efforts:

Click to enlarge

We’ve also seen a few pornography redirects where my own name is concerned. For example:

Click to enlarge

There’s also spamblogs, partly in English, partly in Russian, which contain a mixture of ripped security articles and random porn photographs.

Elsewhere, we even have memes getting in on the action:

There’s nothing wrong with doing a bit of extra digging on content you may have enjoyed throughout the previous year, but please keep an eye on those URLs popping up in recent search results. If the sample text looks a bit like jibberish, or the website URL contains a .php or just looks a little random, you may wish to stick to either our own URL or that of a reputable news source you recognise. While we haven’t seen anything malicious in the sense of drive-by installs or other harmful activity, there’s a whole raft of rotating ad pages on offer here and no real way to know where you’re going to end up before clicking.

Here’s to a safe and secure 2018!

The post Search engine shenanigans: Malwarebytes mentions aren’t what they seem appeared first on Malwarebytes Labs.

Categories: Techie Feeds

IPv6, it’s waiting for you

Malwarebytes - Wed, 12/27/2017 - 16:00

IPv6 is an expression IT professionals are likely to have seen or heard at one time, but what exactly is it? Let us give you a quick introduction, and then try to explain what it does differently by comparing it to its predecessor, IPv4.

IPv4 and IPv6 are both Internet communications protocols designed as an identification and location systems for networked devices. This allows people to direct traffic to a specific address. IPv6 is short for Internet Protocol version 6. Naturally, that means IPv4 is version 4. In case you are wondering, version 5 was so short-lived that it never reached any importance.

Why the change?

One reason to replace IPv4 was the number of possible IP addresses associated, which was at approximately 4.2 billion. The authority that handed out the IPv4 blocks (IANA) ran out of IPv4 blocks in the beginning of 2011. The number of possible addresses was limited because the IPv4 addresses are only 32 bits long. With IPv6, the address is 128 bits long (both types are hexadecimal), so the number of possible addresses went up to 3.4 × 1038. That’s a lot of addresses.

Pros and Cons of IPv6

Using IPv6 means that you don’t need Network Address Translating (NAT), which basically comes down to showing 1 external IP to the outside world. Regardless of which device you are using, others will always see the same IP with NAT. IPv6 gives every device a unique address, although the first 64 bits (the network address) are the same. So if you move the device into another LAN, you will get the first 64 bits of that network.

In the early days of IPv6, the last 64 bits were often based on the devices’ MAC address, but this opened possibilities to track devices across networks—which then posed a privacy issue. The lack of NAT also means with IPv6 you no longer need port-forwarding if you want to relay traffic to a certain node in the network. The contact can be established at the unique IPv6 address.

IPv6 offers data-security at the IP level. With IPv6, it is possible to use Internet Protocol Security (IPsec) during the data transport. This enables the use of encrypted traffic and authentication. The authentication means the receiver can be sure about who the sender is, there is no spoofing, and no man-in-the middle. End-to-end encryption was possible in IPv4, but only as an option (e.g. by using a VPN), and it was added as an afterthought. The Secure Neighbor Discovery (SEND) protocol plays an important role in the authentication part.

IPv6 offers the possibility of mobile nodes. The traffic intended for a node that (temporarily) has a different IP can be forwarded to the current IP.

Latency can be higher when using IPv6. In theory, it could be faster, but in real-world use it is slower because not every peer is able to use IPv6. Packets may have to travel around these peers because of this.

Bigger packet headers are caused by the longer addresses. The sender and receiver have a longer address so the headers grow accordingly.

Firewalls have to be considered at the device level. Since IPv6 addresses open up direct access to devices, not everything can be checked at the network router level. Especially when your servers have IPv6 enabled by default and your firewall is not configured accordingly, malware and breaches are not far away to take advantage.

Take action for a safe transition
  • Be ready for IPv6 before you start using it, as it may require a complete makeover of your network design. Study up on IPv6 before you’re forced to make the change.
  • Consider what needs to be done to maintain or better your current security posture.
  • Research how the transition can help you to improve security.
  • Plan the transition in a way so that your environment stays secure during each step of the process.
  • When purchasing new equipment, make sure it will still be useful after the transition to IPv6. Most new devices will be compatible, but will they still be needed?

Since there is no more room to continue using IPv4, we should get ready for IPv6. Several large ISPs and mobile operators are already migrating to IPv6 along with a lot of other major online services. It’s time It professionals do the same.

The post IPv6, it’s waiting for you appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Facebook phishers want you to “Connect with Facebook”

Malwarebytes - Fri, 12/22/2017 - 16:00

As we edge toward Christmas, scammers are throwing their own party—in the form of Facebook phishing pages linked to and from bogus landing pages hosted on sites(dot)google(dot)com URLs.

These landing pages, adorned with very large and very fake “Login with Facebook” buttons, may be extra convincing to the unwary, due to a combination of the trusted Google name and the fact that the sites are HTTPS rather than standard HTTP.

HTTPS is becoming increasingly popular with scammers as it adds an extra air of authenticity to the whole operation. As a result, you can’t just assume a “secure” site is also a safe one. There could well be a phisher lurking in the distance.

The landing pages are all themed around loss of Facebook access, with potential victims most likely directed there by phishing emails. (We haven’t seen any associated with this particular campaign, but given the messaging on the sites and the typical methods used to steer someone to them, it seems a reasonable bet to make.)

The bulk of the fakeouts look like either of the two examples below, with zero additional content on the page except for a big blue box asking you to “Login to Facebook” to “comfirmation your account!!!” [sic]

Click to Enlarge


Click to Enlarge

…”Connect with Facebook.”

There’s a few other designs out there, but they’re nowhere near as common as the two above. Here’s one of the alt-designs:

Click to Enlarge

The word salad on the fake Facebook security page reads as follows:

Dear Facebook users Your account is reported to have violated the policies that are considered annoying or insulting Facebook users. Please confirm your account with accurate data to avoid blocking. Note: if you do not verify your account permanently disabled automatically. Thanks, the Facebook team

Regardless of which landing page you kickstart the process from, the end result is the same—you’ll be directed to a number of secondary websites hosting the pages where user data will be phished. First, scammers will ask for login details:

Click to Enlarge

After that, they go straight for security questions:

Click to Enlarge


The text on the page reads as follows:

We will temporarily lock your account. Please answer a few security questions to ensure that the actual owner of your account. We will provide 1X24 hours, to verify the identity of your account. If you do not confirm, the system will automatically shut down your Facebook account permanently. This information will help us to restore your Facebook account

Upon hitting the “Protect your account” button, victims will be sent to the legit Facebook login page, another common trick to make the victim think all is well—right up to the point the login mysteriously alters and they lose access. We’ve seen Facebook scams a lot less complicated than this also ask for payment information, so we’re a little surprised that none of the sites across both sets of websites— the landing pages, and the sites playing host to data collection—do this.

We’re certainly not complaining, mind.

At time of writing, many of the secondary sites appear to have been taken down, though there’s still a fair few landing pages still up and running. As such, it would be easy for the scammers to set up new phish pages and point the landing URLs to them instead.

URLs you should avoid:

(leads to) help-unblocking-fb(dot)site/contact/2017/index(dot)php

We’re working on having the last of these sites taken offline, but please be careful around any websites claiming they’ll confirm, review, or connect your Facebook account, especially in relation to supposed security alerts or “bad behaviour” on your part. If in doubt, visit the official Facebook site directly and take things from there. There’s a good chance it’s just someone trying to ruin your festive fun, and that definitely doesn’t fall under the season for giving.

The post Facebook phishers want you to “Connect with Facebook” appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The seven most colossal data breaches of 2017

Malwarebytes - Thu, 12/21/2017 - 16:00

By Logan Strain

If it seems like the words “leak,” “compromised data,” and “breach” are constantly in the news, it’s not just you. The frequency of major data breaches is increasing. According to the Identity Theft Resource Center, the number of breaches is expected to top 1,500 in 2017. That’s a 37 percent annual increase over 2016, which itself was a record year for exposed personal data.

But while most data breaches are small and contained, this year saw a handful of spectacularly bad security fails. Here are the most massive sets of compromised data and data breaches of 2017.

1. Equifax

Let’s start with the Mother of All Breaches.

Equifax, one of the four major credit reporting agencies, revealed in September that cybercriminals had penetrated their network. The breach exposed the data of 143 million Americans—basically, every single adult in the country. Exposed information included names, social security numbers, birthdates, addresses and, in some instances, driver’s license numbers.

It gets worse. Credit card numbers for about 209,000 consumers and documents related to credit reporting disputes for 182,000 people were also exposed.

In response, Equifax offered a suite of identity theft protection services to all Americans, regardless of whether they were impacted or not. The services, which include up to $1 million in ID theft insurance and social security number monitoring, are free for anyone who signs up by January 31, 2018. (Though we doubt the efficacy of these identity theft protection services and don’t recommend people purchase them.)

2. Uber

This data breach actually occurred in 2016. But due to general shadiness on Uber’s part, we didn’t learn about it until November of this year. Compromised data included the names, email addresses, and phone numbers of 50 million Uber customers. The personal data of about 7 million drivers were also exposed, including around 600,000 driver’s license numbers.

Hackers pulled off the data heist by first getting access to a private GitHub site used by Uber engineers. From there, they learned Uber’s Amazon Web Services login credentials and accessed the personal data. The hackers then used the data to blackmail Uber. In an attempt to keep the incident under wraps, Uber executives paid the hackers $100,000 to delete the data and keep quiet.

The incident only came to light after new Uber CEO Dara Khosrowshahi discovered it and reported the incident to regulatory authorities.

In a blog post, Khosrowshahi said that “None of this should have happened, and I will not make excuses for it.”

3. Edmodo

Adults aren’t the only ones getting their info compromised. In May, Motherboard reported that social learning platform Edmodo was hacked. The service, which is used by educators and students, has around 78 million users—and a hacker named “nclay” claimed that he acquired the account data of 77 million of them.

The data was put up for sale on the Dark Web, but apparently, accounts for a site that is primarily used to assign homework and create lesson plans aren’t particularly valuable. The hacker priced the entire database of data at just over $1,000.

4. Verizon

Did you call Verizon customer service in the first six months of 2017? Then it’s possible your data was inadvertently exposed.

ZDnet reported that Nice Systems, an Israel-based company, failed to secure an Amazon S3 storage server that contained records for 14 million Verizon customers. The compromised records include customer names, cell phone numbers, and account PINs.

Fortunately, Verizon was able to protect the data before anyone else could access it. In a statement to CNBC, a Verizon spokesperson said, “We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.”

5. Deep Root Analytics

The data analytics firm Deep Root Analytics, which was contracted by the Republican National Committee, revealed that they the exposed data of 198 million citizens. That means almost two out every three Americans were impacted. Exposed information includes names, birthdates, phone numbers, and, most troubling, voter registration details.

The breach was discovered by security researcher Chris Vickery on June 12. His analysis revealed that the firm’s database was stored on an Amazon cloud server without password protection for about two weeks. Anyone had the ability to download the 1.1 terabytes worth of data.

6. Sonic Drive-In

Millions of customers who only wanted to order a cheeseburger and a shake may have inadvertently gave their credit card info to identity thieves.

The fast-food chain Sonic Drive-In acknowledged that an unknown number of restaurant payment systems were compromised and customer credit card information was breached. Security researcher Brian Krebs revealed that stolen credit card numbers made their way to underground markets where cybercriminals buy and sell sensitive financial data.

7. All WiFi devices

In 2017 we also discovered that essentially all data transmitted over WiFi networks is vulnerable. Computer scientist Mathy Vanhoef announced that a vulnerability in WPA2 encryption protocol made WiFi networks accessible without login credentials. Hackers are able to access WiFi data through a key reinstallation attack, or KRACK. It’s unknown if any data was actually stolen using this method, but the vulnerability has existed since the beginning of WiFi.

Fortunately, tech companies started releasing patches shortly after the problem was discovered. Earlier this month Apple fixed the security hole for all iPhones. And several routers manufacturers have released updated firmware that protects against KRACK attacks.

The growing number (and size) of data breaches indicates that threats are outpacing security measures taken by organizations. Until companies can improve their security posture, the responsibility for keeping data breaches from doing serious damage will fall on individuals.

Guest post by Logan Strain, author for Crimewire
Father, writer, and reformed Usenet troll. Lives in San Diego. Doesn’t surf, but should learn.
Follow Logan on Twitter @LM_Strain

The post The seven most colossal data breaches of 2017 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Tech support scammers make browser lockers more resilient

Malwarebytes - Wed, 12/20/2017 - 16:29

Tech support scammers have been relying on fraudulent pop-ups for many years in order to scare potential victims into calling for remote assistance. These so-called browser lockers (or browlocks) typically originate from malicious ads (malvertising) that can appear on any website, including trusted online portals.

The purpose of browser lockers is not only to scare but also to create the illusion that the computer has been locked, which is not quite true. What’s happened is simply that the browser is stuck in between a flurry of alert dialogs that won’t seem to go away, no matter how many times they are clicked on.

Google Chrome is often the most-targeted browser because of its dominant market share, but pop-ups come in as many different flavors as browser types, with landing pages specific to those browsers. For example, a particularly vicious technique abused the history.pushState HTML5 API to literally freeze machines while displaying the fake pop-up.

Historically, browser makers have let users down by not being to handle those tricks cleanly. However, they appear to have taken note, fixing many of the issues that have to do with poor user experience, while also suggesting other ways for (legitimate) webmasters to send notifications, for example via the proper Notifications API.

Unfortunately, crooks are adapting as well. Despite browser developers’ best intentions, browlocks are still the best bet to scam innocent folks. The following shows a browser locker that went into full screen mode after the user clicked somewhere on the page. Pressing the Escape key to exit full screen (as instructed by the browser) triggered a malicious loop in the code that prevented closing the fraudulent pop-up (without resorting to Task Manager):

This is a similar technique to what we reported on recently with persistent drive-by mining attacks in that it uses a pop-under as a “helper.” There are actually three different layers in play to make this work:

  • a background window in full screen mode
  • another window that is superimposed (triggered on click or Escape key)
  • the pop-under (triggered on click)

The crooks have positioned and sized the pop-under in such a way that it only displays the “Stay” part of the “Leave” or “Stay” dialog window, leaving users very little choice.

Keep in mind that at the same time the user is trying to close the page, a constant reminder is being played on the computer speakers, to add to the victim’s distress:

From a technical stand point, browser lockers are on the low side of the scale compared to malware such as ransomware. However, they benefit from great distribution channels via malvertising, guaranteeing that millions of people are affected by them. Consider that scammers charge an average of $400 per victim, and you soon realize that this is a highly-profitable business.

On this blog, we have long said that awareness is critical in order to avoid falling for tech support scams, but we also recognize that browsers have a big role to play in how they handle and block such annoying alerts. Unfortunately, scammers try to trick people by abusing regular warnings and creating fake buttons. In the case mentioned above, it would have been possible to close the page from the beginning by clicking on the top window’s X before it went into full screen mode. But if a user can be enticed to perform a certain action, they essentially lock themselves out.

The rule of thumb here is to avoid panicking and simply close the browser via the Task Manager (if all else fails). Remember that the pop-ups themselves are usually harmless. You are safe as long as you haven’t dialed the toll-free number that is being advertised.

The post Tech support scammers make browser lockers more resilient appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Lo lo lo Loapi Trojan could break your Android

Malwarebytes - Tue, 12/19/2017 - 18:43

Kaspersky has found what they deem as a jack of all trades malicious app they call Trojan.AndroidOS.Loapi. Like the Trojan AsiaHitGroup we discovered last month on Google Play, this malware can do all the things—it’s a downloader, dropper, SMS Trojan, and can push ads all from the same malicious app. If left to its own devices, it could overheat the phone by taxing the processor, make the battery bulge, and essentially leave your Android for dead.

It seems creating Swiss army knife malware—lumping several uniquely malicious features into one catch-all malicious app—is becoming a trend. At least this time, the Loapi Trojan didn’t make it onto Google Play.

Loapi capabilities

For the purpose of hiding itself, Loapi poses (mostly) as a fake antivirus or, on the other end of the spectrum, adult content apps. It then asks for device administrator permissions to lock the screen of the mobile device, among other things. Furthermore, it takes the damage to another level by attempting to trick the user into thinking genuine anti-malware scanners are the real threat, and prompts to uninstall them if found. If that weren’t enough, it comes with a host of other features, including:

With everything going on in the background, Loapi puts an extreme load on the mobile device. This can lead to the Android literally blowing up from heat produced by the maxed-out processor and battery.

To state the obvious: This Loapi Trojan is quite nasty.

Darn it, tell me if you detect it or not already!

So, do we detect this monster? You bet we do! Our Malwarebytes for Android detection name is Android/Trojan.Dropper.Agent.BGT. You’ll be delighted to know that we’ve been on top of this bad boy since October.

In Malwarebytes for Android, detection of this infection is primarily done by our advanced deep scanner, which uses heuristic methodology to find malware, such as this Trojan, deeply embedded in the device. Deep scan is a feature in our Premium version. Therefore, if you want to stay protected in real time against Loapi, we recommend you upgrade to Premium after your free 30-day trial of Malwarebytes for Android. Stay safe out there!

The post Lo lo lo Loapi Trojan could break your Android appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (December 11–17)

Malwarebytes - Mon, 12/18/2017 - 18:45

Last week we explained what fast flux is and how it’s being abused, we showed you all kinds of Bitcoin-related scams, presented a video recording of a tech support scammer trying to sell free software, and pointed out some free software to keep an eye on your Internet traffic. We also informed you about an ad server found predominantly on adult websites, which has taken the lead in the number of URLs blocked by our web protection module.

Other news
  • South Korea is preparing a bill that will ban minors and foreigners from trading in cryptocurrencies or opening investment accounts for them within South Korea. (Source: Techspot)
  • Security researchers have publicly disclosed an unpatched zero-day vulnerability in the firmware of AT&T DirecTV WVB kit after trying to get the device manufacturer to patch this flaw over the past few months. (Source: The Hacker News)
  • Intel will implement a hardware lock on management engine equipped chips to defend against patch rollbacks. (Source: The Register)
  • Dutch security firm Fox-IT handled a security breach in an exemplary way after a man-in-the-middle (MitM) attack. (Sources: Fox-IT and Security Affairs)
  • Lawsuit based on a surreptitiously recorded phone call claims Google doesn’t refund advertisers who spend money on fraudulent clicks. (Source: Business Insider)
  • Australian airport hack was “a near miss,” says government’s cybersecurity expert, and could easily have been prevented. (Source: Hot for Security)
  • Hackers utilizing the Triton malware have managed to close down industrial operations in the Middle East, researchers warned. (Source: ZDNet)
  • A two-decade-old security hole lets hackers unlock encrypted data and was found in the software of at least eight IT vendors and open-source projects. (Source: The Register)
  • MoneyTaker, a cybercriminal group believed to be operating out of Russian-speaking territories, has hit at least 20 banks and financial companies and stolen millions of US dollars in the process. (Source: BleepingComputer)
  • Politicians from California, Washington, and New York said they’ll use a mix of legislative action and legal moves to fight the FCC’s repeal of net neutrality regulation, shortly after the vote. (Source: Cnet)

Stay safe, everyone!

The post A week in security (December 11–17) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Mobile Menace Monday: upping the ante on Adups

Malwarebytes - Mon, 12/18/2017 - 16:00

Adups is back on our radar. The same China-based company caught collecting an abundance of user data and creating a backdoor on mobile devices in 2016 has another malicious card to throw down. This time, it’s an auto installer we detect as Android/PUP.Riskware.Autoins.Fota.

We thought they cleaned up their act

When the headlines about Adups came out in 2016, it forced the company to update a component known under the package name com.adups.fota. The new version was clean of wrongdoing, and we all went about on our collective our ways.

However, it appears there was a lingering component we overlooked. It comes with the package names com.adups.fota.sysoper and com.fw.upgrade.sysoper, appears in the app list as UpgradeSys, and has the filename FWUpgradeProvider.apk.

They call it FWUpgradeProvider

An auto-installer is only threatening if it has system-level rights, which (unfortunately), FWUpgradeProvider does. “How?” you may ask. Because it comes preinstalled on various devices. Thus, by default it has system level privileges. Essentially, this allows it to install and/or update apps without a user’s knowledge or consent.

The trend of preinstalled PUP/malware has been on the rise. Historically, these cases were isolated to budget mobile devices bought from online stores. However, with FWUpgradeProvider, there are reports of it being installed on phones bought from legitimate phone carriers in countries such as the UK.

Cannot remove, cannot disable

Preinstalled system apps cannot be removed from a mobile device. Therefore, full remediation is not possible with anti-malware scanners. However, it is possible to disable these systems apps. Malwarebytes for Android walks you through how to disable a system app that it detects as PUP/malware. No big deal, right? Well, here’s the kicker. Recently, it was brought to our attention by many frustrated customers that FWUpgradeProvider cannot, I repeat, CANNOT, be disabled.

Click to view slideshow. Now what!?

Well friends, we’re working on it. It used to be that the only choice users had was to root their mobile device—a risky practice that could lead to permanently destroying a device if done incorrectly.

However, we may have found a method that can disable FWUpgradeProvider (and other preinstalled apps) without rooting. This method uses a PC tool called Debloater. This tool was created by the powerful XDA Developers forum user gatesjunior. The tool uses an exploit found in versions 4.x.x of the Android OS, which luckily is what many phones with FWUpgradeProvider are running. For a full tutorial, see Disabling Adups via Debloater posted on our support forum.

Deep breaths

Regretfully, the solution listed above isn’t much of a solution—it hasn’t fully been tested and we can’t guarantee it won’t cause damage to the mobile device. Consequently, we understand that many users are not comfortable attempting this method.

As it stands, FWUpgradeProvider is categorized as a PUP/Riskware. PUP, or Potentially Unwanted Program, means that it is not malware, and therefore not as threatening. Riskware means that it’s something that could be potentially risky. Yes, it does have auto-installing capabilities. Rest assured, though, that if anything truly malicious installs on your device, we will detect it.

So, if you’re asking yourself if you need to replace the phone you just bought, the answer is no. As a standalone app, FWUpgradeProvider is not a threat. It’s the potential to install other more dangerous apps that prompts us to detect. Hopefully, bringing public attention to this will once again alert Adups to clean things up. If not, we will remain vigilant of any malicious apps it may try to install.

The post Mobile Menace Monday: upping the ante on Adups appeared first on Malwarebytes Labs.

Categories: Techie Feeds, an ad server for adult sites, tops Malwarebytes detections

Malwarebytes - Fri, 12/15/2017 - 23:30

There is a belief that most of what you’ll find on adult websites is going to harm your system. In many cases, this has proven to be true, but overall the adult industry has made numerous efforts to protect their customers and audience. While we would like to tell you that it’s completely safe to surf adult websites these days, we do still need to stay vigilant. That’s why Malwarebytes has started blocking two new domains that are ad servers often seen in adult traffic:


What you are likely seeing when you are doing some adult…research.

The reason why we are preventing traffic to any of those hostnames is based on reports from our customers of malicious redirects and fraud, and our own collection tools—and has nothing to do with the fact that these are sites serving porn. For example, here is a redirection from main.exosrv[.]com, which takes users to a fake online pharmacy website:

Click to view slideshow.

Here at Malwarebytes, we do our best to protect users by blocking not just malicious sites, but also scam sites, with fake pharmaceutical sites being one of the most common we encounter. Due to this, ads.exosrv[.]com has become our top malicious URL detection, totaling over 4 million blocks in one day, which is due to the huge amount of traffic the main domain receives.

Breakdown of blocks for this domain by country

Our goal at Malwarebytes continues to be the protection of our users, which is why we are taking an aggressive approach on blocking certain ad networks stepping over the line. Visiting adult sites is perfectly legal. Getting scammed on account of it is not.

Stay safe

Beyond keeping an up-to-date security solution installed on your system (like Malwarebytes), it’s advised to do the following when surfing any website:

  • Utilize an ad blocker to keep malicious advertisements away from your system.
  • Utilize a script blocker to keep malicious scripts from running in your browser. (Many ad blockers do this, too.)
  • Utilize safe or private browsing tools so less of your personal information is provided to websites.
  • Keep some kind of anti-exploit technology running in the background to prevent drive-by exploits from infecting your system. Malwarebytes also has this functionality baked into it.
  • Don’t follow the white rabbit! Visit websites that are known and trusted, have high reviews and/or are easy to find. The worst stuff online usually won’t be found by clicking on a Google link.

Thanks for reading!

The post, an ad server for adult sites, tops Malwarebytes detections appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Tech support scammer tries to sell free software

Malwarebytes - Fri, 12/15/2017 - 16:13

AmericaGeeks is your typical tech support scam company, but with an extra warming glow of attitude, greed, and complete all-around rudeness. Most scams will gladly take your money by buttering up the victim while simultaneously scaring them into thinking that they are in a dangerous situation with their computer or device. They then swoop in to heroically “help” them.

AmericaGeeks instead jumps straight to the point of rude behavior and scare tactics to scam their victims. They do an amazing job of dehumanizing and belittling the user, all while scamming them out of their money. This trait was what made AmericaGeeks shine through the rest.

AmericaGeeks Tech Support has a campaign sending out browser lockers, like the one above. They are posing as Microsoft, sending out warnings to users stating that their computer is infected and they need to contact them immediately. I called them at 877-658-9988, this was the number that was listed on the pop-up. I used a computer that was clean of any infections and allowed them access.

Below is the connect screen they used.

Obviously uncomfortable not knowing which of his company’s pop-ups resulted in the call, the tech wandered about for 10 to 15 minutes, at one point trying to log in to my router using default credentials.

The tech then ran a diagnostic and told me the computer was infected and that I had no security. What is interesting is the tool, ToolWiz, seems to be a rather legit application that is like Ccleaner, and is completely free for anyone to use. This scam is using ToolWiz to mislead users with its results, which are below:

According to the tech, I had 196 infections on my system, but he would fix them for free with the purchase of antivirus software. He suggested that I purchase either Webroot or Norton. As you can see below, he wanted to overcharge me for the cost of the software to make money. It is also important to note that I did not have “196 infections.” The tool simply found 196 Temporary Files, Registry Keys, and other benign objects to remove. When I confronted him about the price, he was flustered and made up some excuse that I was paying a higher price because I was getting antivirus, anti-malware, anti-Trojan, and anti-spyware, and they were all separate (which they are not).


Buyer beware: educate yourself, ask a friend, and never call any number that pops up on your screen claiming that your system is infected. Below are all the indicators we could find associated with this particular scam.

Primary indicators
Using the same phone number

The post Tech support scammer tries to sell free software appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Free tools: Internet traffic monitoring

Malwarebytes - Thu, 12/14/2017 - 19:40

Are you an amateur analyst or security enthusiast looking for free tools to do some basic Internet traffic monitoring? You’ve come to the right place. Not everyone is versed in the use of robust tools like Wireshark (even though it is worth the trouble of learning if you have to do network traffic analysis on a regular basis). So let’s take a look at some free, simple tools to get started.

There are several alternatives to Wireshark for Windows systems, and we will shed a little light on the ones that we like the most. Each has its own strength, and therefore it will depend on your specific needs to select the program that’s right for you. We have focused on tools that you can use on a local system and that run on the same system, to the exclusion of remote traffic monitoring and network monitoring software.

URL Revealer by Kahu security

URL Revealer is a web proxy that will capture requests and then drop them. I use it primarily to find out what a script or program is trying to download, especially when I have no interest in the files it’s trying to download. This happens a lot when we already know what malware will be downloaded but want to know the domains they’ll be coming from (so we can block them). The program is a command line utility. You can use the –o switch to write the log to a text file, from which you can easily harvest the resulting domains. The beauty of the dropped requests is that any dropper or downloader will assume the download it tried first is off-line and will move on to try the next one. This way you can grab all the options the downloader tries without getting actual malware on your system.

TCPView and Tcpvcon by Microsoft sysinternals

TCPView is a program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and the state of active TCP connections. Since TCPView also shows you which program is responsible for which connection, it is very suitable to figure out which process is communicating on that strange port you noticed.

A cryptominer in a Chrome process

The program Tcpvcon that comes with TCPView is a command line utility which is very similar to netstat. The –c switch exports the output as a CSV file.

Fiddlercap by Telerik

Fiddlercap is the little brother of Fiddler, and it’s so easy to use that specialists often ask users to use it and capture a small portion of traffic so they can remotely analyze if there are any bugs. The tool creates a .saz file, which allows the specialist to replay the events in Fiddler or Wireshark. This is ideal to find bugs on sites or observe strange browser behavior. Fiddler itself is a free web debugging proxy for any browser, system, or platform. But there’s a bit of a learning curve to use its full potential.

BitMeter 2 by Codebox Software

If you are only interested in how much of your bandwidth is being used—maybe because your ISP has restricted your usage—then BitMeter 2 might be what you are looking for. It displays your current usage and you can set an alarm to warn you when your usage reaches a certain percentage of your cap.

Built-in Windows tools

It’s sometimes easy to forget Windows comes with built-in tools like Resource Monitor that can show you the current usage by the application on the Network tab.

And if you’re running Windows 10, you can use the App history tab in Task manager to see the usage from the date when Windows 10 began monitoring your apps. You can also click the Delete usage history link to reset the data usage counter, otherwise it will reset automatically every 30 days.


Do you have your own favorites? Please let us know about them in the comments! But, no URLs please, or your post will be “automagically” blocked by our filters.

The post Free tools: Internet traffic monitoring appeared first on Malwarebytes Labs.

Categories: Techie Feeds

There’s a hole in my bucket: Bitcoin scams aim to exploit volatile market

Malwarebytes - Wed, 12/13/2017 - 19:53

Bitcoin! Black gold! Texas tea!

Only one of these is currently worth ridiculous amounts of money (and technically numbers two and three are the same thing). Whether you’re in possession of lots of Bitcoins, or in full bandwagon panic “must buy 20 graphics cards before the bubble bursts” mode, you should be aware that lots of awful people want in on your precious haul. Indeed, the past week or so has seen an explosion of Bitcoin-centric scams, fakeouts, and all-around bad behaviour as scammers look to cash in at your expense.

The huge value of Bitcoin, plus the launch of Bitcoin futures, has attracted so many scammers that it’s difficult to keep up, whether it’s fake endorsements from well-known traders or plain-old RATs targeting would-be investors. Fake news, malware, bogus wallets, and even Bitcoin laundering via self-made music loaded onto the iTunes store—everyone seems to have gone a little Bitcoin crazy.

The top 6 trending searches on the @AppStore are crypto currency based. I’ve never seen a “theme” in here.

— Cesar Kuriyama (@CesarKuriyama) December 13, 2017

Bitcoin is here to stay—but what is it?

Bitcoin is a digital currency created by someone claiming to be Satoshi Nakamoto (which may well be an alias), and it’s all about digital wallets, mining, and hoping someone doesn’t steal millions overnight. It’s even being used as a volatile talking point related to ads, scripts, and blocking—from random websites to free wi-fi services, everyone is getting in on the action.

In this chaotic mess of bubbles, adverts, scams, and mistaken identities, the price of Bitcoin has gone through the roof. The reasons for which are multifaceted and also involve people endlessly talking about it. It may well be something off in the distance for many people, or some weird Internet thing you keep hearing people mention in horribly confusing terms, but make no mistake, it’s becoming mainstream. In fact, Bitcoin is rising so suddenly that people are taking out mortgages so they can get in on the Bitcoin action .(Tip: You probably don’t want to do this).

An avalanche of chicanery

This past week, we’ve seen quite a few things you may want to steer clear of—from mobile to survey scams. It’s frankly overwhelming and for many of us, there’s simply no way to tell the good from the bad from the mildly shoulder shrugging.

For example, someone has taken ye olde survey scam and remixed it for the coin collective:

Advertised on Youtube (until the video was pulled down, anyway), this site claims to generate Bitcoins with a 100 percent success rate. Sure does beat all that cumbersome mining and electricity use, and this is a definite boon for someone trying to jam a GTX1080 graphics card into a netbook. The site itself, located at bitcoingenerator(dot)space, is exactly what you’d expect a survey scam to look like, except it’s asking for Bitcoin addresses instead of how many Xbox Live points you want.

Users need to be verified by filling in a selection of geotargeted surveys. You don’t need me to tell you that survey scams are junk. They’ve been around forever, and are the absolute bottom rung of unimaginative, cookie-cutter fakeouts that never give you what you want. They’re the first thing to fall out of the “In case of scam emergency, break glass” box.

Seeing one suddenly throwing itself on the Bitcoin bandwagon is a bit of an eye-opener though, and something we should take notice of. People will seemingly do pretty much anything to nab some free coins, including clicking this shortened link roughly 34k times to play a game of snake-as-Bitcoin-faucet.

Sadly, the landing page is dead at time of writing, so we have no way of knowing if this one ever got off the ground. It could well be legit, but keep in mind that sites and videos will claim to offer up all manner of faucets. Not all of them will play nice, so on your own snakey visage be it, and be especially cautious around any downloadable executables.

Repackaging the tech support scam

Elsewhere, we have our old friend the tech support scam marching in the direction of coin-related antics. Or at least, scammers using some of the hallmarks of the tech support scam in an effort to part Bitcoin traders using Kraken from their digital currency. A good while ago, I covered fake EA support accounts who wait for the real thing to go “out of office,” then slide into conversations before directing victims to phishing links. This has a bit of a similar feel, with scammers waiting for trading sites to go offline due to maintenance/bad luck/DDoS/whatever, then jump into hashtags on social media with links to fake support sites, including phony “support” over the phone. It all ends in phishing and vanished coins.

Old tricks, new victims, unfortunately.

Ignore that part of your brain that says, “Well, it’s just one coin or whatever,” because the problem is these things are so highly-valued right now that takes just one being swiped to cause major problems. And that, in turn, makes coins the absolute number one hot target on the block right now. Or, to put it another way:

That is an astonishing amount of cash to be cheated out of, and it’ll only get worse as scammers come up with the path of least resistance for obtaining illicit Bitcoins. It also seems like this has been going on for a while, so sites dealing in and around coins should consider bulking out their security hints and tips for new (and even experienced) Bitcoiners.

If you’re feeling a little swamped with the perils of Bitcoin, that’s understandable. Potential bubble + massive bandwagon + huge array of services + large corporations taking an interest + hordes of newcomers who have no idea what’s legit and what isn’t charging into the fray = please pass me the headache tablets.

Something we’ve been seeing recently is sites offering “crypto debit cards” if visitors invest certain amounts into their linked wallets. Is that real? Fake? A good deal? What’s the benefit for doing this? What on earth does this mean in the terms and conditions?

Why do you have to be in a SEPA country? What is a SEPA country? All of these questions and more can be yours, for the low, low price of total and utter confusion. Make no mistake: if you want to make serious cash, you’re going to have to do some serious research.

Cornering the market on best practices

If you’re totally new to Bitcoin, your most likely first port of call may well be one of the numerous exchanges out there. You’d do well to heed the following advice from digital crime writer Joseph Cox:

  • use unique password
  • create a new email account (don’t share it)
  • put 2FA on both the email and the exchange account (if SMS, don’t share number, but preferably Google Auth)
  • don’t trade over PayPal (scam)

— Joseph Cox (@josephfcox) December 8, 2017

  • Don’t log into exchanges over Tor, unless you really have to for some reason, and can use a hidden service (malicious exit nodes to steal logins, etc)\Verification on exchanges helps you and the seller, do it
  • Keep trades through the exchange’s system, to ensure you get $$

— Joseph Cox (@josephfcox) December 8, 2017

Whatever your way in, please take some time to read up on the pros and cons of digital currency. Unless you understand the basics, even the simplest of easy-to-spot Bitcoin scams may well elude your radar until it’s too late. Considering the huge sums at play, and the breakneck pace being set by all things digital currency, it’s never been more important to be fully aware of the risks as well as the benefits of cashing in your crypto-chips.

The post There’s a hole in my bucket: Bitcoin scams aim to exploit volatile market appeared first on Malwarebytes Labs.

Categories: Techie Feeds


Subscribe to Furiously Eclectic People aggregator - Techie Feeds