Techie Feeds

Amazon third party sellers: A new threat

Malwarebytes - Fri, 04/14/2017 - 15:00

On Monday, the Wall Street Journal reported a wave of hijacked Amazon seller accounts that proceeded to fleece buyers for large sums of money. As reported here, attackers would use credentials harvested from other breaches to take over the account, then either simply redirect funds to their own deposit account or create lots of fake “sales” to collect money from buyers, but never deliver goods. Pretty good scam, right? So how do we defend against it?

First, we’ve talked about credential dumps before and why they’re a security risk. In brief, a breach on a third party site that isn’t all that important to you can yield credentials that can be reused on sites that are much more important. (Please do not reuse passwords.) While you can’t control how a third party chooses to protect your password, you can implement control measures on your end like Two Factor Authentication. While Amazon doesn’t appear to have documentation on how to do this for a seller account, their support forum makes reference to its recent release as a feature here. The thread also has some great advice for sellers who suspect their account has been breached:

That’s all well and good for sellers, but how do you protect yourself from a bogus third party seller? First, do not rely on feedback alone. Sellers can easily purchase bots to generate positive feedback for themselves in bulk. Further, Amazon seller fraud generally runs on a cycle of several weeks. The fake seller will collect orders within that timeframe, then at the threshold where a defrauded buyer is able to tell Amazon “Hey I never received the item,” they’ll take their money and close the account. If they’re able to do this before attracting significant scrutiny, a new account can be opened and the process can start again. A simple way to not get caught by this sort of scam is:

Don’t use third party sellers

Simple, but not easy. Let’s say you’re a vintage electronics collector and you want to buy this sweet click wheel iPod.

It says Apple right there in the header, so it must be a refurbished product, right? But, if you look further down you’ll see a very optimistic sales price and

Fulfilled by Amazon. Which means…

So while Amazon will ship that snazzy iPod to you, they can’t tell you how reliable the seller is, if the iPod actually is an iPod, or something closer to a P-P-P-Powerbook. What you really want is “Ships from and Sold By Amazon,” as seen here:

Buying only “Ships from and sold by” can be harder than it looks. Sales analysis here shows that third party sellers make up a significant portion of Amazon’s profits and are projected to increase sharply over the near term. According to CNBC, roughly 40% of Amazon’s unit sales come from third parties, and the number can be higher for certain types of products. While it is increasingly frustrating to avoid bogus sellers, the company does provide extensive support after the fact and will guarantee that purchases are delivered and are as advertised.

Amazon third party sellers have consistently had issues with fraud and counterfeit goods. Now we can add a new threat to the pile of attacks against sellers themselves. Keep yourself safe by using a quality password with two-factor authentication enabled and try to stick with the seller you know, rather than someone offering a price that might be a little too good.

The post Amazon third party sellers: A new threat appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Report: Cybercrime climate shifts dramatically in first quarter

Malwarebytes - Thu, 04/13/2017 - 09:00

The first quarter of 2017 brought with it some significant changes to the threat landscape and we aren’t talking about heavy ransomware distribution either. Threats which were previously believed to be serious contenders this year have nearly vanished entirely, while new threats and infection techniques have forced the security community to reconsider collection and analysis efforts.

In our second Cybercrime Tactics & Techniques report (read the first one here), we are going to take a deep look at what threats got our attention the most during the first three months of the year, what we expect to happen moving through the next quarter and a behind the scenes interview with one of our Malwarebytes Labs analysts. Here is a sneak peek at what we are going to cover:

  • Cerber ransomware took over as the top dog as far as distribution and market share.
  • Locky ransomware has dropped off the map, likely due to a change in direction desired by the controllers of the Necurs spam botnet; however, with no new Locky versions having been developed since before the beginning of the year, the fate of its creators is unknown.
  • The Mac threat landscape saw a surge of new malware and backdoors in Q1 2017, including a new Mac ransomware (FindZip).
  • On the Android side, two notable malware families have been causing a lot of trouble: HiddenAds.lck, which locks the device so that the app cannot be removed, thereby generating more advertisement revenue for its creators, and Jisut, a mobile ransomware family that has been spreading like wildfire.
  • In the exploit kit world, RIG continues to have the greatest market share of the few exploit kits that are still active and we expect this to continue. RIG exploit kit remains on top mainly due to its lack of competition rather than its technical sophistication.
  • Malicious spam campaigns have also started utilizing password protected zipped files and protected Office documents to evade auto analysis sandboxes utilized by security researchers.
  • In social media scams, users were bombarded with links to WWE nude photo dumps that lead to gift card survey scams.
  • Tech support scammers, finding difficulty working with North American payment processors, have begun accepting alternate forms of payment, such as Apple gift cards and bitcoin.

Looking ahead to the second quarter of the year:

  • We expect to see continued heavy distribution of Cerber through Q2 2017 due to new developments made to the malware design and its continued use of the ransomware as a service (RaaS) model.
  • As far as Cerber losing its crown, it is unlikely within the next quarter that any competitor will rise in market share enough to dethrone Cerber, barring something happening to the developers of Cerber and their ability to develop and distribute the ransomware.
  • The continued heavy development of Mac malware throughout Q2 is highly likely.
  • The Android ransomware Jisut is expected to continue its trend of high distribution and spread. We predict the same for HiddenAds.lck.
  • Distribution mechanisms are likely going to develop new features and functionality, be it through social engineering tactics utilized by exploit kits and malicious spam or from the discovery of new exploits, potentially revitalizing the exploit kit market.
  • Finally, in the world of scams, we expect to see an uptick in ‘exit scams’ and in tech support scammers utilizing social media advertising to scam each other. At the same time, we predict increased collaboration between potentially unwanted programs (PUPs) and tech support scammers (TSS), with tech support scam advertisements being pushed alongside PUPs.

Download full report here

Thanks for reading and safe surfing!

The post Report: Cybercrime climate shifts dramatically in first quarter appeared first on Malwarebytes Labs.

What is a Zero-Day?

Malwarebytes - Wed, 04/12/2017 - 15:00

You have probably heard the term zero-day or zero-hour malware, but what exactly does it mean?

It’s simple: it just means the malware is using a software vulnerability for which there is currently no available defense or fix. The vulnerability allows the malware to perform actions on your system that should not be permitted, such as running arbitrary code. Such malicious actions can impact the confidentiality, integrity, or availability of your system.

If a vulnerability is known already (i.e. not a zero-day), then chances are the software vendor has patched it, and/or security software vendors have added defenses against it. So you can protect yourself against known vulnerabilities simply by keeping your software, including your anti-malware defense, up to date. But these precautions will not protect you against zero-days.

You can think of the search for new vulnerabilities as a race. When security researchers and good guys find them, they warn the software vendor so the vulnerability can be patched. The best practice (what’s called “responsible disclosure”) is to initially do this privately, so the bad guys won’t get a heads-up. Once some time has passed, allowing the vulnerability to be patched, the finding is made public. At this time, it might get a CVE number from the MITRE Corporation so that any interested party may refer to the vulnerability using a standard name.

Unfortunately, the bad guys are also in this race. They look for vulnerabilities in order to accomplish their ends, which generally involve ripping you off in some way. They try to find undisclosed vulnerabilities and create malware that takes advantage of them.

So are we defenseless against zero-day attacks? Happily, the answer is no. Anti-Exploit software like Malwarebytes Anti-Exploit can monitor your system for the sorts of actions associated with zero-day exploits and shut them down before they harm your system. If you’d like to learn more about the technical details, you may read about them in this blog post about how Malwarebytes Anti-Exploit works.

The post What is a Zero-Day? appeared first on Malwarebytes Labs.

Sundown EK gone missing, Terror EK flavours seen in active drive-by campaigns

Malwarebytes - Tue, 04/11/2017 - 21:12

Many security researchers tracking exploit kits have noted the lack of Sundown EK activity for several weeks now. A post from Cisco’s Talos team came off as a bit of a surprise at the end of March (Threat Spotlight: Sundown Matures), but any doubts were squashed by this tweet on April 8th (Sundown (Beps) and Nebula out ? More than one month since last hits).

Also, whatever happened to Bizarro and Greenflash Sundown EKs? Whether this is a temporary break or yet another dead EK, time will tell.

In the meantime, there has been much noise and some activity from an exploit kit that appeared late last year and which we wrote about in early January. Because of similarities with Sundown EK, we initially thought that it was simply a new variant, but it was actually from a different actor and was named Terror EK by Trustwave SpiderLabs.

In this post-Angler era, we have become accustomed to one-hit wonders or bogus kits stolen and repackaged for sale under a different name. Simon Kenin over at Trustwave tracked and exposed the activities of the author of the Terror EK, going by the handle @666_KingCobra, in various underground forums. To make matters more complicated, there is a rebranding trend right now, and Terror EK has been known to be called Blaze, Neptune, or even Eris.

With all this noise, it’s usually a good idea to look at what is actively being seen in the wild versus what may be advertised here and there. Once we see an exploit kit in various distribution campaigns we know it is at least worth looking at.

Malvertising campaigns

We have been monitoring this particular campaign for some time, and this is the best-known instance of Terror EK. Various ad networks (low quality traffic) are pushing it at the moment.

Main landing page:

IE exploits:

Call to Flash exploits:

Call to Silverlight exploit:

Malware payload: Smoke Loader

Compromised sites campaign

This is a newer campaign we started to notice just a few days ago with the landing and payloads slightly different.

Redirection to EK:

The compromised websites are leveraged to redirect to the exploit kit landing page in two different ways, and both are in use. The first is a server-side 302 redirect:

But there is also another one done via script injection:

We see both of them in use, but each pushes its own flavour of Terror EK (the classic one shown above via malvertising, or the newer one). For example, the redirect via script injection loads which in turn calls the ‘classic’ Terror landing:

Landing page:

This one stuffs everything into the landing page (rather than via multiple sessions). No lorem ipsum here, but some pretty lengthy text which precedes the various calls for exploits.

IE exploits:

Flash exploits:

Payload deployment (remember ‘Sub fire()’?):

Malware payload: Andromeda

More copycats on the horizon

Sundown EK was notorious for stealing exploits from others and the tradition continues with more copy/paste from the ashes of dead exploit kits. If this harvesting was done on higher grade EKs, we would have a more potent threat but this isn’t the case here.

If it weren’t for active distribution campaigns, there would be very little to write about those numerous variants until they brought in something more serious to the table.

Malwarebytes users are protected against this exploit kit and its payloads.



Classic Terror EK patterns:

New Terror EK patterns:

Flash exploits:

7c9c76fbf156fbc5bffbfce1033d06a35b64cee49c01b09df47fa2642ad1a0b6
890f8756e6ab3bd62a2c3fbd098471e17db56808b19018119c0ad4a26ed7060f
97f107853c99b0de95a3e5b84ad1435e31cb42bd05d495d585e18f81a59a362d



Smoke Loader:


The post Sundown EK gone missing, Terror EK flavours seen in active drive-by campaigns appeared first on Malwarebytes Labs.

Mastodon: different social network, additional risks

Malwarebytes - Tue, 04/11/2017 - 15:00

Mastodon is a social network that’s a few months old and it’s been mentioned on news sites quite a lot recently, leading users to sign up to an instance and check it out.

I have noticed that some of the new people seem to be treating it like any other social network and not realizing that its differences can open up some opportunities that less scrupulous individuals could take advantage of if these new users aren’t aware of the risks.

Mastodon’s decentralization is its key selling point: no one person “owns” the entire network. Anyone can set up a Mastodon server (“instance” in the community parlance) that can communicate with anyone over the entire network. (There are differences: some instances can choose to only allow contact with certain other instances or even no other instances.) In some ways, this is a good thing: the main benefit cited has been a lack of advertising directly from the social network itself, which removes certain threats that have been seen on other social networks – for example, phishing on Twitter via sponsored posts, or malvertising on Facebook leading to tech support scams.


Usernames aren’t unique

However, usernames on Mastodon are not unique across the entire network; only per instance. If you registered as @somerandomuser on the instance, your full Mastodon username would be; some other person could register as @somerandomuser on the instance, and therefore be Users are, quite naturally, describing this situation using a comparison with email addresses.

As phishing exists via email, similar attacks could occur on Mastodon, with a malicious user registering on a Mastodon instance with the username of someone on another instance, cloning their profile, and trying to social engineer their followers, for example. Those on another instance will see the full Mastodon username with the instance name, but this can be cut off with usernames that are long enough, on some clients (like the web one). For an example, see the screenshot below, where‘s username is not visible:

There is a way to show the full URL to the user’s profile including their instance: hover over their display name or profile picture – both are links to the profile of a user. Of course, a malicious user could set up an instance of their own with a domain name very similar to an existing instance, so be sure to double check the URL.
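As an added example (not code from the original post), the handle rule described above can be checked mechanically: a Mastodon handle is parsed into its local name and instance, a client that cuts long names is modelled so the truncation case is visible, and a handle seen in a timeline is compared against the contacts the user actually knows, flagging both the same local name on a different instance and a lookalike instance domain. The contact list, instance names and truncation width are constructed for illustration.

```python
"""Added example (not from the original post): parse Mastodon handles of the form
@local@instance and flag the impersonation cases the post describes, namely the same
local name on a different instance and a lookalike instance domain. The contact list,
instance names and the client truncation width are constructed for illustration."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Local part: letters, digits, underscore. Instance: a host name, optional when the
# handle is seen from the viewer's own instance (then it refers to that instance).
HANDLE_RE = re.compile(r"^@?(?P<local>[A-Za-z0-9_]+)(?:@(?P<instance>[A-Za-z0-9.-]+))?$")


@dataclass(frozen=True)
class Handle:
    local: str
    instance: str

    def full(self) -> str:
        return f"@{self.local}@{self.instance}"


def parse_handle(text: str, home_instance: str) -> Handle:
    """Normalise a handle to lower case and fill in the home instance when absent."""
    m = HANDLE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Mastodon handle: {text!r}")
    instance = (m.group("instance") or home_instance).lower()
    return Handle(m.group("local").lower(), instance)


def truncated_display(handle: Handle, width: int) -> tuple[str, bool]:
    """Model a client that cuts long names after `width` characters. Returns the
    visible text and whether the instance part survived the cut; when it did not,
    two accounts with the same local name look identical in the timeline."""
    text = handle.full()
    shown = text[:width]
    return shown, shown == text


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot instance domains differing by a character or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(candidate: str, home_instance: str, contacts: dict[str, str]) -> str:
    """Classify a handle seen in a timeline against the accounts the user already knows.
    `contacts` maps a local name to the instance of the genuine account."""
    h = parse_handle(candidate, home_instance)
    known = contacts.get(h.local)
    if known is None:
        return "unknown"
    known = known.lower()
    if h.instance == known:
        return "match"
    if edit_distance(h.instance, known) <= 2:
        return "lookalike-instance"  # e.g. one substituted character in the domain
    return "same-name-different-instance"


if __name__ == "__main__":
    # Constructed contact list: the somerandomuser the reader actually follows.
    contacts = {"somerandomuser": "example.social"}
    for seen in ("@somerandomuser@example.social", "@somerandomuser@other.example",
                 "@somerandomuser@examp1e.social"):
        h = parse_handle(seen, "home.example")
        print(h.full(), assess(seen, "home.example", contacts), truncated_display(h, 18))
```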


No verified accounts

Additionally, due to the decentralization, there is no concept of “verified accounts” like you would find on centralized social networks — however, some Mastodon users have taken to putting green checkmark emojis in their display names as a joke. This means that you cannot trust any corporate account that is in any “mainstream” Mastodon instance. Mastodon being decentralized would instead allow for corporate entities to set up their own Mastodon instances, so their instance name would prove that they are who they say they are – just like a company’s support email address could be email addresses, they could thus have Mastodon accounts of or Time will tell whether this will actually take place (and this would actually be a good thing as it would allow for companies to own their own social media presence); however, some Mastodon users have suggested that big brands would just do the bare minimum (that is, creating an account on a Mastodon instance that already exists) – this could make their customers more vulnerable to social engineering attempts than they would be otherwise.
I would also like to point out that there have been plans mentioned about allowing a user to set a URL and verifying that they control that site via TXT record; however, it is unknown if this will end up getting implemented.


No deleting accounts

Another situation that arises from decentralization is that you are unable to delete accounts on Mastodon (you can ask your instance administrator to delete your account, but parts of it will remain on other instances). You will also be unable to delete toots that have been federated to other instances. Deleting Mastodon accounts (or federated toots) actually makes no sense given the decentralization – using the email analogy again, you can change your email address, but people you sent emails to will still have the messages you previously sent them. Given that centralized social networks seem to have made people forget the rule that “if you post something on the Internet, it stays on the Internet forever” (via people copying it to other places), it’s debatable whether this is a good or bad thing. The granular privacy settings on Mastodon mean that if you’re worried about this, you can set your toots to never leave the instance you’re on and tell your friends to sign up on the same instance as you.


Mastodon is a style of social network that will be a new idea to many newcomers. It’s still in development, so there’s some missing functionality that can lead to additional risk (and some of that functionality does not make sense to this style of social network, anyway). You will want to be more careful on Mastodon; making a mistake could be more costly there.

The post Mastodon: different social network, additional risks appeared first on Malwarebytes Labs.

GameStop customer data allegedly siphoned in possible breach

Malwarebytes - Mon, 04/10/2017 - 22:05

GameStop, a well-known retailer of video games, electronics, and wireless services, confirmed with KrebsOnSecurity that they are currently investigating reports of hackers breaching their network and siphoning customer information.

After receiving notice from a third party that payment card data has been on sale on a website, a spokesperson from GameStop said, “That day a leading security firm was engaged to investigate these claims. Gamestop has and will continue to work non-stop to address this report and take appropriate measures to eradicate any issue that may be identified.”

KrebsOnSecurity further notes that the stolen data may have included customer card numbers, their expiration dates, names, addresses, and card verification values (CVV2)—the three numbers on the back of the card beside the signature strip that are typically not recorded in the systems of online merchants. Stolen CVV2s suggest that malware may have been present on GameStop’s transaction site.

If you, dear Reader, have used your debit or credit card on GameStop’s website between mid-September of 2016 and early February of this year, it’s advisable that you check your statements (including older ones, if you can) for questionable charges against your card. If you see any, give your bank a call and report those charges.

Lastly, when purchasing online, it is best to use a credit card over a debit card as the former usually has better overall fraud protection than the latter.

The post GameStop customer data allegedly siphoned in possible breach appeared first on Malwarebytes Labs.

ShadowBrokers fails to collect 1M bitcoins – releases stolen information

Malwarebytes - Mon, 04/10/2017 - 17:49

ShadowBrokers finally made good on their promise to release the decryption key to unlock the stolen ‘auction’ file purportedly filled with NSA hacking tools.

Over the weekend, the hacking group ShadowBrokers released the decryption key for the ‘auction’ file that was included in the dump of information from last summer that the group claimed they acquired from Equation Group – reportedly a well-known hacking team responsible for highly sophisticated malware campaigns such as Flame and Stuxnet and possibly associated with certain 3-letter government agencies.

While the group’s get-rich-quick plan to sell the auction file for the astronomical asking price of 1M bitcoins (roughly $1,186,510,000.00 US dollars as of today) may have ended in spectacular failure, the team has made good on their promise to ultimately release the stolen information should the requested payoff not be received. It’s difficult, if not impossible, for us to verify the claims from the hackers or to attribute the material to the appropriate group, but there are interesting bits of information contained within the archive, and we will document some of the early discoveries here.

The release of the key came in a highly politicized tirade directed at President Donald Trump, touching on everything from Obamacare and Goldman Sachs to Syria, Steven Bannon, and John McCain. The epic rant discusses the Alien and Sedition Act of 1798, Social Collectivism, White Privilege, Russia, and even Magog (I had to look it up too. It seems most applicable to the Islamic interpretation of the word. Courtesy of Wikipedia). For writers implying they are American citizens, and in the eyes of any high school English teacher, it’s a cringe-worthy read filled with grammatical, spelling, and punctuation errors (although, good use of the Oxford comma), and it seems to use a variety of written dialects and cultural references throughout. All of these appear to be deliberate false flags to help conceal the identity of the person/group associated with the original attack.



There are a number of tools in the dump with notes and code that indicate possible exploits against various software and products. A majority of the files seem to target Linux and Solaris-based servers. Though many of the exploits date from many years ago, some as far back as 2003, it’s possible they are still usable on legacy systems. While we can’t confirm the authenticity of the following exploits, we will provide a small snippet from the collection below.

ElatedMonkey is a local privilege escalation exploit against the cPanel Remote Management Web interface current through at least version 24:


ElginGamble is a ‘public’ vulnerability affecting Linux 2.6.13 – to create a cron script capable of spawning a root shell:


PTrace/ForkPTY is a kernel exploit affecting Linux 2.2 – 2.4:


EngageNaughty is an Apache and SSL exploit:


EasyStreet appears to be some sort of UDP exploit utilizing sendmail:


EBBSHAVE is a vulnerability affecting Solaris RPC services version 2.10:


EXCELBERWICK is a remote exploit against xmlrpc.php on Unix based systems:



Aside from the partial selection of exploits posted above, the dump also contains a number of tools, utilities, and scripts to deploy once successful exploitation of the system occurs.


Strifeworld is a TCP session recorder that dates from 2001:


EndlessDonut helps deploy monitoring agents and maintain a clean record: is an encompassing script that assists with the deployment of various RATs and system monitors. It’s a curious footnote that the Ford Motor Company IP address appears within a number of files under the ‘example’ section: is a Perl script that, as pointed out by x0rz, impersonates a Chinese browser with a fake accept-language:


A number of documents reference the deployment of RATs (Remote Access Trojans) to compromised machines. The vast majority of these files appear to target various Solaris, Linux, and FreeBSD clients – just based off their naming conventions. Additional analysis of these files will surely be published in coming days:


There also appear to be a number of tools, documents, or scripts that reference cell phone information. is a script that takes CDR records and makes them pretty. CDRs (call detail records) are data records that are created when call information or other telecommunications transactions (text messages) pass through a processing facility or device. These are accompanied by ‘definition’ files which, to the best of my understanding, help parse the collected data for specific phones:


Within the file, there are strings and IP addresses relating to the Russian division of Sprint Telecom:


The information contained in this dump is extensive, and it will take security researchers some time to digest. While many of the exploits appear to be public and quite old, it’s not out of the realm of possibility that these vulnerabilities are still useful on legacy systems.

But after spending ample time on a weekend poring over the data, I fail to find the value in ShadowBrokers’ initial asking price of 1M bitcoins for an archive filled with publicly known (and probably patched) vulnerabilities dating as far back as 2003. Nothing appears to be more recent than 2013, so the information is likely obsolete and possibly not even used. This appears to be either a massive failure on the part of ShadowBrokers or a giant prank done for the lulz, as there is no way they could have possibly thought this sort of information was worth anywhere near what was being asked. But there is still a lot of information to be analyzed, so time may prove otherwise to this initial assessment. We will continue to analyze the included information and Windows-based files and update this post if new information becomes available.

Regardless, another public disclosure of valuable information reminds us once again the value in OPSEC and secure data retention.

The post ShadowBrokers fails to collect 1M bitcoins – releases stolen information appeared first on Malwarebytes Labs.

USPS-themed malspam now delivering 1-2-3 knock-out

Malwarebytes - Mon, 04/10/2017 - 15:00

We’ve detected an uptick in USPS-themed malspam walloping users with a 1-2-3 knock-out of nasty malware designed to infiltrate your system and steal all your most valuable information. This malware-laced email is actively being distributed with various Subject and Body messages containing references to missing and/or late USPS parcels.

Example of USPS-themed malspam

Should receivers of this mail be convinced of the content and validity of the enclosed message, and thus be inclined to unpack the included file titled “” and then proceed, against all better judgement, to launch the included JavaScript file titled Delivery-Details.js, they will be subjected to a slew of malware designed to commandeer their PC and steal their most valuable financial information.

Deobfuscated Javascript showing server addresses


This particular downloader, known by some as JS/Nemucod or simply JS/Downloader by others, is a well-known JavaScript downloader that is sent out via spam email. Historically this downloader will install 1 or 2 different malware families to infected machines, but the most recent campaign has upped that to 3 different malware families being installed post-detonation.

Shows installed payloads

The 3 malware families are all different in their design but make no mistake about it, all 3 will compromise your security and put your financials at risk.

Trojan.Nymaim is first to come down the line, using the filename exe1[1].exe. This Trojan provides attackers with remote access to infected machines, allowing for everything from the collection of banking credentials to backdoor functionality giving attackers full use of the machine.

Trojan.Nymaim at execution

Trojan.Kovter comes down next in the form of exe2[1].exe, using a fancy WinAmp icon and a NullSoft description. Trojan.Kovter is known as fileless malware for its ability to execute code directly through the registry. This Trojan also has the ability to steal personal information, download additional malware, or grant attackers full use of the machine. The image below shows how Trojan.Kovter manages its ‘fileless’ capabilities with the use of JavaScript commands embedded within the Windows registry.
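As an added example, not code from the Malwarebytes post: a small scanner over a Windows registry export (.reg text) that flags string values carrying JavaScript tokens, the registry-resident persistence the post attributes to Trojan.Kovter, and reports whether the value sits under an autorun key. The .reg sample, the value names and the token list are constructed assumptions for illustration, not Kovter’s actual artifacts.

```python
"""Added example, not from the post: scan a .reg export for string values that look
like embedded JavaScript (the 'fileless' registry technique described for Kovter).
The sample registry export below is constructed and inert."""
from __future__ import annotations
import re
from typing import Iterator

# Tokens that rarely belong in a legitimate REG_SZ value (assumed heuristic list).
SCRIPT_TOKENS = ("javascript:", "eval(", "activexobject", "wscript.shell",
                 "unescape(", "string.fromcharcode")
# Key fragments (lower case) where a script value means persistence, not just storage.
AUTORUN_KEYS = (r"\currentversion\run", r"\currentversion\runonce")

# "name"=data  or  @=data  (the default value); data is examined separately.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

# Constructed sample: one benign autorun entry, one script-bearing autorun entry,
# and a second key holding script plus a binary blob with a continuation line.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"7f3a1c"="javascript:eval(unescape(\"%63%6f%6e%73%74%72%75%63%74%65%64\"))"

[HKEY_CURRENT_USER\Software\7f3a1c]
"shell"="var sh=new ActiveXObject(\"WScript.Shell\"); /* constructed, inert */"
"blob"=hex:00,01,02,\
  03,04
"note"="A harmless string value that mentions nothing scripted."
'''


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " (any backslash-escaped char)."""
    return re.sub(r"\\(.)", lambda m: m.group(1), s)


def parse_reg(text: str) -> Iterator[tuple[str, str, str]]:
    """Yield (key, value_name, string_value) for REG_SZ entries in a .reg export.
    dword:/hex: values and their continuation lines are skipped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue  # hex continuation lines land here
        name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            yield key, name, _unescape(data[1:-1])


def scan_reg(text: str) -> list[dict]:
    """Return findings for string values that contain script tokens, plus oversized
    autorun values that carry no recognisable token (a weaker signal)."""
    findings = []
    for key, name, value in parse_reg(text):
        low = value.lower()
        hits = [t for t in SCRIPT_TOKENS if t in low]
        autorun = any(k in key.lower() for k in AUTORUN_KEYS)
        if hits:
            findings.append({"key": key, "name": name, "autorun": autorun,
                             "reason": "script-tokens:" + ",".join(hits)})
        elif autorun and len(value) > 512:
            findings.append({"key": key, "name": name, "autorun": True,
                             "reason": "oversized-autorun-value"})
    return findings


if __name__ == "__main__":
    for f in scan_reg(SAMPLE_REG):
        flag = "PERSISTENCE" if f["autorun"] else "storage"
        print(f"[{flag}] {f['key']} :: {f['name']} -> {f['reason']}")
```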

Finally, exe3[1].exe is identified as Trojan.Boaxxe, which as you may guess is also a Trojan with backdoor and stealing capabilities. This Trojan scans the PC for any trace of information deemed valuable by the creators and transmits this information to the attacker’s server for use in further attacks. Information is saved in the form of encrypted registry strings that are continuously updated by the malware.

Information harvesting


Taken together, these 3 malware families will take hold of your machine, drain your bank accounts, and leave you high and dry. So just be wary of suspicious looking shipping notices arriving via email and never install files received in email without certainty of their origin.

But should you find yourself curious about the contents of this email message and tempted to run the included JavaScript file in an attempt to find that lost USPS package, then have no worries, because you can rest assured that Malwarebytes has your back.



Delivery-Details.js  –  877480DBDE4FCFF9E21E294EF6B64E50

Exe1[1].exe – F22807784588C2117457634494943729

Exe2[1].exe – B10A08A1ACB1B42CA91032EBED613A2A

Exe3[1].exe – 423213BD6A167D4B7DEEC18E7B18E13E

The post USPS-themed malspam now delivering 1-2-3 knock-out appeared first on Malwarebytes Labs.

A week in security (Apr 03 – Apr 09)

Malwarebytes - Mon, 04/10/2017 - 14:59

Last week, we gave an overview of what might happen once the bill the US Congress passed in late March takes effect; familiarized readers with the “3-2-1 rule”, which is very helpful in protecting valuable data against ransomware; and pushed out a follow-up post on Diamond Fox, a bot used by the Nebula exploit kit. In case you want a refresher of part 1, click here.

Lead analyst Jérôme Segura documented a malvertising campaign affecting users of iOS, a notable deviation in potential targets. Users were enticed to download a ‘free’ VPN app called My Mobile Secure via rogue ads on torrent sites.

Finally, our experts dished out a list of the five dumbest cyber threats that (unfortunately) work.

Below are notable news stories and security-related happenings:

  • Facebook Turns To Image Recognition to Thwart Revenge Porn. “Revenge porn is the province of the jilted and the jealous, the malicious and the envious. Typically it happens when two people in a relationship share intimate or sexual pictures or videos via text or email; post-break-up, or in the hands of ‘frenemies,’ this content may be posted publicly as payback for heartbreak or other perceived transgressions. It can be enormously damaging for victims, especially younger teen girls.” (Source: InfoSecurity Magazine)
  • IoT Malware Starts Showing Destructive Behavior. “Hackers have started adding data-wiping routines to malware that’s designed to infect internet-of-things and other embedded devices. Two attacks observed recently displayed this behavior but likely for different purposes.” (Source: CSO)
  • New Malware Deliberately Destroys Unsecured IoT Devices. “Cybersecurity experts are warning of a new type of malware strain that uses known default user credentials to attack unsecured Internet of Things (IoT) devices and destroy them, reports Bleeping Computer. Discovered by cybersecurity firm Radware, BrickerBot has two versions – BrickerBot.1 and BrickerBot.2 – and was found to be active since March 20, targeting only Linux BusyBox-based devices with Telnet ports left open.” (Source: Dark Reading)
  • 20,000-bots-strong Sathurbot Botnet Grows By Compromising WordPress Sites. “A 20,000-bots-strong botnet is probing WordPress sites, trying to compromise them and spread a backdoor downloader Trojan called Sathurbot as far and as wide as possible.” (Source: Help Net Security)
  • “iCloud Mail” Phishing Emails Doing Rounds. “The latest email phishing campaign targeting Apple users is aimed at gathering as much information as possible from unfortunate victims. The email, made to look like it comes from Apple, bids targets welcome to iCloud Mail, but warns that the company has been unable to confirm their account information, and that their account has, therefore, been suspended.” (Source: Help Net Security)
  • Matrix Ransomware Spreads To Other PCs Using Malicious Shortcuts. “Brad Duncan, a Threat Intelligence Analyst for Palo Alto Networks Unit 42, has recently started seeing the EITest campaign use the RIG exploit kit to distribute the Matrix ransomware. While Matrix has been out for quite some time, it was never a major player in terms of wide spread distribution.” (Source: Bleeping Computer)
  • Hackers Empty ATMs By Drilling One Small Hole. “Hackers are using a combination of low and high-tech attacks to make ATMs spit out cash, according to Kaspersky researcher Igor Soumenkov, who presented this novel attack at this year’s Security Analyst Summit, taking place in St. Maarten this week.” (Source: Bleeping Computer)
  • Hackers Steal $30M from IRS Via Student Loan Tool. “Hackers managed to breach the IRS’s Data Retrieval Tool, which is used by parents to transfer financial information for their kids using the Free Application for Federal Student Aid. The system has been shut down until the IRS can figure out which of the requests were made by legitimate students, and which were made by criminals.” (Source: Softpedia)
  • Update Your iPhone To Avoid Being Hacked Over Wi-Fi. “It’s only been five days since Apple’s last security update for iOS, when dozens of serious security vulnerabilities were patched. As we mentioned last week, the recent iOS 10.3 and Mac OS 10.12.4 updates included numerous fixes dealing with ‘arbitrary code execution with kernel privileges’.” (Source: Sophos’ Naked Security Blog)
  • Wonga Data Breach Puts Up To 245,000 UK Current And Former Customers At Risk. “If you are one of those affected, my advice is to be very wary of unsolicited phone calls and emails that might be from scammers attempting to exploit the information. You would also be wise to keep a close eye on your finances for any unexpected transactions.” (Source: Graham Cluley’s Blog)

Safe surfing, everyone!

The Malwarebytes Labs Team

The top 5 dumbest cyber threats that work anyway

Malwarebytes - Sat, 04/08/2017 - 15:00

The common conception of cyber attacks is that they are kind of like bad weather: ranging from irritating to catastrophic, but always unpredictable. Hackers, the thinking goes, are simply too sophisticated to draw any reliable conclusions about, so we shouldn’t try. As it turns out, some hackers are fairly predictable in their successful use of really dumb attacks. Here are a few.

1. The Browser Locker

The browser locker, better known as the fake blue screen of death, sprays gibberish errors at the user and implores them to call an Indian boiler room, where they are scammed out of an average of $500. Feature tweaks by the major browsers have pushed tech support scammers into more creative iterations, including registry hacks that replace the Windows shell itself with a locker. But the browser locker still exists in bulk and still draws victims. Some lockers show some ingenuity, such as manipulating the browser’s history function, but most are some variation of:


// loop “a lot” of times, each pass throwing up a modal alert the user cannot dismiss for long
for (let i = 0; i < 1000000; i++) {
    alert("You have a virus, please call Scam Number");
}



It’s a piece of novice-level code that has caused hundreds of millions in losses. Mitigations are wide-ranging, including ad blockers (most browser lockers are delivered via malvertising), turning off JavaScript in the browser, not downloading software from third-party app stores, and simply force-quitting a locked browser.

2. DDOS Extortion

With DDoS bots for sale, sometimes on the clearnet, denial of service itself is not the most sophisticated of attacks. DDoS extortion is one notch lazier: an attacker simply sends an email to a company’s security staff threatening massive attacks if a Bitcoin ransom isn’t paid immediately. Given that the ransom in question has tended to be relatively low, companies in industries requiring continuous uptime have sometimes shrugged their shoulders and paid. If this happens to you, talk to your service provider to work out mitigations; don’t talk to the attacker.

3. SQL Injection

SQL injection takes a modicum of technical skill to pull off, from finding the vulnerable site to executing the attack and safely exfiltrating dumped files or data. So why is this a dumb attack? Because it was first publicly discussed in 1998. It was in the OWASP Top 10 in 2007 and 2010. It was #1 on the OWASP Top 10 in 2013. This is a known, predictable attack with extensive mitigations, so continuing to see it so frequently is profoundly dumb.

4. Business Email Compromise

Sometimes, bosses are jerks. Sometimes when a boss is a jerk, their subordinates are too frightened to question an order from the boss, regardless of how out of character it might be. Attackers have weaponized this cliché of the business world by posing as the aforementioned jerk boss and demanding that large amounts of money be wired to overseas accounts as soon as possible. This scam, which is not much more complicated than shouting “Give me money!”, is called Business Email Compromise and has cost US victims $960,708,616 since 2013. There is a reasonably simple mitigation against business email compromise: if you are a boss, don’t be a jerk. Environments where individual contributors are comfortable asking the boss for clarification when given an unusual order stand a much better chance of defending against this attack.

5. Macro Malware

In the old days, MS Office had macros enabled by default. This made for a great malware delivery vector, with malicious attachments that would run all sorts of arbitrary code when opened. Eventually, Microsoft had enough and switched Office macro support to off by default. Criminals have gotten around this restriction by simply asking the user to enable macros, and thereby the malicious code. Here’s the technique cropping up in 2014, and here it is again last month. The defense against macro malware is to not enable macros, no matter how politely an attacker asks. More broadly, a collaborative document editing environment that eliminates the need to pass files around the office can defend against a wide variety of malicious attachments.

In summary, a great many cyber threats are not sophisticated nation-state level, well thought out attacks. The bulk, in fact, tends to be the least effort required for success, which sometimes turns out to be not very much effort at all.

Malvertising on iOS pushes eyebrow-raising VPN app

Malwarebytes - Thu, 04/06/2017 - 17:10

There is a preconceived idea that malvertising mostly affects the Windows platform. Certainly, when it comes to malicious adverts, Internet Explorer is a prime target for malware infections. However, malvertising can produce different outcomes adapted to the device the user is running.

Case in point, we discovered this scareware campaign that pushes a ‘free’ VPN app called My Mobile Secure to iOS users via rogue ads on popular Torrent sites. The page plays an ear-piercing beeping sound and claims your device is infected with viruses.

“We have detected that your Mobile Safari is (45.4%) DAMAGED by BROWSER TROJAN VIRUSES picked up while surfing recent corrupted sites.”

Such alerts on mobile devices are not new and are sadly commonplace via many ad networks these days. Usually, aggressive affiliates paid per lead will use these kinds of tactics to drive traffic to game apps or even tech support scams.

Thankfully for the latter, Apple has released an update to their mobile operating system (iOS 10.3.1) to avoid so-called “browser lockers” via incessant JavaScript popups that prevented users from closing the offending page. Having said that, social engineering attacks such as the one above are still active and prey on the surprise effect or culpability someone may experience after browsing sites with pirated material.

Network traffic

This malvertising chain starts off with an ad call from Propeller Ads Media, goes through Real Time Bidding (RTB) via AdMetix, is redirected to RevenueHits, and finishes off with scammy advertisers.

‘Free’ VPN app

This fake website advertises the MyMobileSecure VPN to remove “infected applications and files”. Tapping on ‘Remove Virus’ opens up the App Store to download this app.

The MyMobileSecure developer, VoiceFive, is a comScore, Inc. company, “a leading global market research company that studies and reports on Internet trends and behavior.” In order to activate the free VPN app, users must join the MobileXpression research community, and this is where things get interesting.

From “The MobileXpression email account is a part of the software download package for iPhones and iPads. The email account is there to provide you with a better way to stay in touch with MobileXpression and also make sure our software works correctly.”

If the product is free, you are the product

According to their website, MobileXpression is a market research panel designed to understand the trends and behaviors of people using the mobile Internet. This seems a bit peculiar when applied to a VPN product, whose goal is precisely to anonymize your online activity by encrypting your data from your ISP, government, bad guys, etc.

As an aside, the topic of VPNs is particularly hot at the moment, on the heels of an upcoming bill (S.J. Res. 34) that would allow Internet Service Providers (ISPs) to sell data about your online habits to advertisers. Many people are rushing into installing the first VPN they can get their hands on, which is a terrible idea considering many companies out there are very shady and far worse than your own ISP.

Free does not mean Open Source or risk-free for that matter. But the fact of the matter is that people tend to gravitate towards free products, especially if those are pushed aggressively via hungry advertisers. For this reason, users should pay even more attention before installing a free app.

If the reason you want to install a VPN is because you are truly worried about your online privacy, then you really ought to read the fine print. This particular VPN app has some concerning statements:

If you shop around for other VPN providers, you will see the exact opposite when it comes to data collection and logging. Here are some examples:

  • [VPN x] never logs where you go on the Internet. If anyone asks, the best we can do is shrug our shoulders.
  • [VPN y] makes it impossible to identify the type of traffic or protocol you are using, even for your ISP.
  • [VPN z] doesn’t store any connection logs whatsoever. In addition, we do not log bandwidth usage, session data or requests to our DNS servers.

Some even provide Bitcoin as a mode of payment to completely anonymize the registration process, via a throwaway email address for example.

VPN providers and trust

Oftentimes, affiliates are not properly policed and we observe scare tactics used to force the installation of various pieces of software. It’s important to note that those affiliates are normally distinct from the software vendors themselves, but scammy behaviors end up reflecting poorly on everyone.

In this particular case, one cannot help but feel that this VPN application comes with some serious baggage and unfortunately the average user will not take the time to review the fine details. If the intent is to use a VPN to anonymize your online activities, this does almost the opposite.

One statement from mobileXpression is particularly striking:

We make commercially viable efforts to automatically filter confidential personal information such as UserID, password, credit card numbers, and account numbers. Inadvertently, we may collect personal information about our panelists; and when this happens, we make commercially viable efforts to purge our database of such information.

This summarizes the issue quite clearly: said data should never be collected in the first place because some very unfortunate things can happen once it is logged in a database. Haven’t there been enough data breaches lately to be seriously concerned with what kind of data a company may collect (inadvertently or not)?

Choosing the right VPN application these days has become very challenging due to the renewed interest in online privacy (there are other reasons people buy VPNs as well, such as to bypass geo-restrictions from services like Netflix, the BBC, etc). It’s important to take the time to review the companies behind those products, their policies, and real reviews, not fake or sponsored ones. At the end of the day, you are placing your data and trust in someone else’s hands.

Kudos to CloudFlare for terminating the scareware domain in less than five minutes.


Diamond Fox – part 2: let’s dive in the code

Malwarebytes - Thu, 04/06/2017 - 15:00

In a previous post we made an initial analysis of a Diamond Fox bot delivered by the Nebula Exploit Kit (more about the campaign can be found here). We described the way to unpack the protection layer in order to get the core, written in Visual Basic, that can be decompiled. In this second part of the series, we will take a deeper look into the code and analyze the bot’s features and code design.

Analyzed samples

988e9fa903cc2fbb80e7221072fb2221 – Diamond Fox Crystal (final VB payload)

3ef960da3e4bc4bc7c05d02fbf121d4e – old Diamond Fox (final VB payload)


In the release that is sold on the black market, the authors included a changelog describing all versions up to the current one (codenamed Crystal). Below, you can see the related fragment:

Crystal Version
[+] Loader core recoded
[+] Improved Size: 17.5 kb
[+] Added unlimited panel list
[+] Added domain generation algorithm
[+] Added RunOne startup
[+] Added Polices startup
[+] Added auto-screenshots
[+] added Install redirects
[+] Added Anti-WinPcap
[+] Added Anti-Virustotal VM
[+] Added Anti-Emulation
[-] Removed Anti-Wine
[-] Moved Startup Persistance to Persistance
[+] Added Botkiller
[+] Added Anti-Avast Sandbox
[+] Added PE configuration storage
[+] Improved Configuration preview
[+] Added optional usb spread on lite bot
[+] Added RDP plugin
[+] Added VNC Grabber
[+] Added remote shell
[+] Added Close bot command
[+] Added Shutdown PC command
[+] Improved web panel installer
[+] Added Restart PC command
[+] Added more bot selection options on tasks
[+] Improved task manager
[+] Added search on reports
[+] Improved panel settings
[+] Added Layer7 DDoS
[+] Added reports bars statistics
[+] Added New/dead bots per week statistics
[+] Updated Geodata
[+] Added Bot remover tool
[+] Added DGA tool
[+] Improved real-time notifications on panel
[+] Added Desktop/Laptop Detection
[+] Added administrator detection
[+] Improved bot full information
[+] Added mark as favorite
[-] removed %PROGRAMFILES% installation path
[+] added %USERPROFILE% installation path
[-] removed %WINDIR% installation path
[+] added %LOCALAPPDATA% installation path
[-] Removed winlogon startup
[+] Added schtaks startup
[-] Removed Anti-apateDNS
[-] Removed Anti-Norman
[-] Removed Anti-wiresshark
[-] Removed Xor Encryption
[+] Added captcha on web panel login
[+] Added antibruter forcer on web panel login
[+] Added new panel logo
[+] Improved Crypto wallet stealer (+24)
[+] Improved Homepage changer (added internet explorer)
[+] Improved Keylogger(added clipboard detector and window title trigger)
[+] Improved bot speed
[+] Improved bot compatibility
[+] Improved bot stability
[-] Removed Services tab on web panel
[+] Added protected folder on installation
[+] Now the webpanel can be installed on windows without errors

Decompiling

As we mentioned in the previous post, Diamond Fox is written in Visual Basic and after unpacking it can be decompiled by VB Decompiler. Unfortunately, the results of the decompilation are not fully accurate and some parts of the code are difficult to analyze. However, we can still figure out the most important actions performed by the malware.

We provided a partially cleaned version of the decompiled code:

Execution flow

Diamond Fox starts its execution by decrypting and parsing the configuration – in this edition, it is stored in the section “L!NK”. Then, depending on the configuration, some further features are enabled or disabled. For example, it may deploy defensive checks against sandboxes and virtual machines.

The stored parameters are encrypted and they are decrypted at runtime – however, the decryption function is no longer a simple XOR known from the previous versions:

(see a partially cleaned version of this function: )

Along with the features that can be enabled or disabled depending on the configuration, Diamond Fox offers features that are controlled from the CnC.

Reading response from the CnC:

Parsing commands and executing appropriate actions (commands are identified by numbers – from 0 to 25):


Let’s have a look inside the code and follow the features mentioned by the authors.

[+] Loader core recoded

The code of the malware has been reorganized and big portions of it have been rewritten. This can be noticed at first sight if we decompile the new version and compare it with the old one. In the current version everything is in one module, while in the previous versions the code was subdivided into various modules.

Old Diamond Fox decompiled (fragment):

We can see the code subdivided into modules with descriptive names, making analysis easier. In the new version, we will not find this familiar layout.

Decompiled code of Diamond Fox Crystal (the new one):

The new version introduced a different way of storing the configuration. Now, the encrypted configuration is in the dedicated section named “L!NK“.

[+] Added domain generation algorithm

In the analyzed sample this feature was not enabled and the CnC address was static. However, looking at the code we can find a domain generation algorithm (DGA) that is based on the current date:

(see a partially cleaned version of this function: )

[+] Added Anti-Emulation

Checking whether the sample is running in a VM or sandbox by attempting to load DLLs associated with the virtual environment:

  • vboxmrxnp
  • SbieDll
  • snxhk
  • pthreadVC

It also comes with a set of blacklisted volume serial numbers, identifying popular sandboxes:

  • AC79B241
  • 70144646
  • 6C78A9C3

[+] Added Desktop/Laptop Detection

Checking whether it is running on a laptop by testing for the presence of a battery:

[+] Added PE configuration storage

The section L!NK is used not only to store initial configuration, but also some fetched data.

The random ID of the bot is generated and stored:
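
As an added example (not code from this post or from the Diamond Fox author), here is a small standard-library Python triage script that walks a PE file’s section table and flags the non-standard “L!NK” section described above, so a sample can be tagged without being executed. The PE image it inspects is constructed inline for the demo, and the function names are my own.

```python
"""Minimal PE section-table triage for the Diamond Fox "L!NK" section.

Added example; not code from the Malwarebytes post or the Diamond Fox author.
It walks a PE file's section table with only the standard library and flags
sections whose name is on a watch list (here "L!NK", the section the post
says holds the encrypted configuration) or is simply non-standard, so a
responder can triage a sample without running it. Function names are my own.
"""
import struct

# Section name the Diamond Fox Crystal analysis associates with its config.
WATCHED_SECTION_NAMES = {b"L!NK"}

# Names a normal MSVC/VB6 build is expected to carry; anything else is noted.
STANDARD_SECTION_NAMES = {
    b".text", b".rdata", b".data", b".rsrc", b".reloc",
    b".idata", b".edata", b".tls", b".bss", b".CRT",
}

IMAGE_FILE_HEADER = "<HHIIIHH"          # 20 bytes, follows the "PE\0\0" signature
IMAGE_SECTION_HEADER = "<8sIIIIIIHHI"   # 40 bytes per section


def parse_sections(pe_bytes):
    """Return one dict per section header; raise ValueError on a malformed file."""
    if len(pe_bytes) < 0x40 or pe_bytes[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe_bytes, 0x3C)
    if e_lfanew + 24 > len(pe_bytes) or pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    (_machine, n_sections, _stamp, _symtab, _nsyms,
     size_of_optional, _chars) = struct.unpack_from(IMAGE_FILE_HEADER, pe_bytes, e_lfanew + 4)
    table_off = e_lfanew + 4 + 20 + size_of_optional
    if table_off + 40 * n_sections > len(pe_bytes):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(n_sections):
        (raw_name, vsize, vaddr, raw_size, raw_ptr,
         _preloc, _plines, _nreloc, _nlines, chars) = struct.unpack_from(
            IMAGE_SECTION_HEADER, pe_bytes, table_off + 40 * i)
        sections.append({
            "name": raw_name.rstrip(b"\0"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": raw_size,
            "raw_pointer": raw_ptr,
            "characteristics": chars,
            # A section whose raw data lies outside the file is itself suspicious.
            "raw_data_in_file": raw_ptr + raw_size <= len(pe_bytes),
        })
    return sections


def flag_sections(pe_bytes):
    """Split section names into watch-list hits and merely non-standard names."""
    names = [s["name"] for s in parse_sections(pe_bytes)]
    return {
        "watched": [n for n in names if n in WATCHED_SECTION_NAMES],
        "nonstandard": [n for n in names if n not in STANDARD_SECTION_NAMES],
    }


def build_test_pe(section_names, raw_size=0x200):
    """Construct a minimal PE32 image with the given section names.

    Constructed only to exercise the parser: the optional header is zeroed
    and the section bodies are empty, so the result is not executable.
    """
    size_of_optional = 0xE0                     # PE32 optional header size
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew: NT headers right after DOS header
    file_header = struct.pack(IMAGE_FILE_HEADER, 0x14C, len(section_names),
                              0, 0, 0, size_of_optional, 0x0102)
    headers_len = 0x40 + 4 + 20 + size_of_optional + 40 * len(section_names)
    table, raw_ptr, vaddr = b"", headers_len, 0x1000
    for name in section_names:
        table += struct.pack(IMAGE_SECTION_HEADER, name.ljust(8, b"\0"), raw_size,
                             vaddr, raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
        raw_ptr += raw_size
        vaddr += 0x1000
    body = bytes(raw_ptr - headers_len)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(size_of_optional) + table + body


if __name__ == "__main__":
    sample = build_test_pe([b".text", b".data", b"L!NK", b".rsrc"])
    for sec in parse_sections(sample):
        print(f"{sec['name'].decode('latin-1'):8} raw={sec['raw_size']:#x} "
              f"chars={sec['characteristics']:#010x} in_file={sec['raw_data_in_file']}")
    print(flag_sections(sample))
```

To triage a real file, read it with `open(path, "rb").read()` and pass the bytes to `flag_sections`; a hit on “L!NK” is a reason to look closer, not proof on its own.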

[+] Improved Crypto wallet stealer (+24)

We can find in the code strings used to search several crypto wallets:

MultiBit, Armory, Electrum, digital, -LTC, MultiDoge, BitcoinDark, Unobtanium, Dash, Bit, Lite, Name, PP, Feather, Nova, Prime, Terra, Dev, Anon, Pay, World, Quark, Infinite, Doge, Asic, Lotto, Dark, Mona

Analyzing the code deeper, we find that first the .wallet files are searched:

The found data is grabbed and passed into another function:

That function is responsible for posting the grabbed content to the CnC server:

[+] Added captcha on web panel login

We can observe it if we try to follow the address of the CnC captured during the behavioral analysis. Indeed, near to the credential fields we can see a very simple captcha:

[+] Added new panel logo

The authors of Diamond Fox put a lot of effort into making the graphic design attractive for the user. This time, the panel comes with a set of logos that change randomly on page refresh. This feature may seem fancy and redundant in malware; however, it shows the effort put into the user experience.

[+] Improved Keylogger(added clipboard detector and window title trigger)

As we saw during behavioral analysis, Diamond Fox generates neatly formatted reports about captured users’ activities. They include Clipboard content and the title of the main window, where the particular text was typed:


Diamond Fox Crystal has been solidly refactored in comparison to the older versions. Removing the descriptive module names made analysis more difficult. Due to the change in the method of encrypting the configuration, retrieving its content is no longer as trivial.

Overall, Diamond Fox comes with the typical features we can expect from a stealer. In spite of some improvements, the code quality is still nothing impressive.

Appendix – about an older version of Diamond Fox

This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going into detail about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog:

3, 2, 1, GO! Make backups of your data!

Malwarebytes - Wed, 04/05/2017 - 15:00

With the recent proliferation of ransomware, a type of malware that encrypts your data and holds it hostage until payment is received, what should be done to protect valuable data?

One of the best defences against this threat is having a good backup strategy, which protects your data against all sorts of unpleasant mishaps. How frequently you make backups, what media you make them to, where they are stored, and the automation required to maintain the regimen are all crucial. We should all be familiar with making backups, but there is a useful rule of thumb called the “3-2-1 rule”.

A good backup regimen could mean the difference between surviving a catastrophic event such as ransomware and shutting down the business. Let’s use an example file called “Important_stuff.txt” to explain how this all works.

3 Different copies!

For an effective backup plan, you should have at least 3 different copies of this file. A good example would be:

  • One on a workstation, stored locally for editing or on a local server, for ease of access.
  • One stored on a cloud backup solution.
  • One stored on a long-term storage such as a drive array, replicated offsite, or even an old school tape drive.

This diversity of backups is there to ensure your documents are available with added redundancy. If the hard drive on your workstation fails, you have a backup on the server. Server down? The cloud copy is still an option.

If the ransomware did its thing while the server share was mounted to your workstation, it might also be encrypted. Here the cloud copy would save the day.

This is the reason why having 3 different copies is a good idea.


2 Different forms of media!

In the example given above, we had 3 copies of our file. The type of media this file is saved to is also important. The hard drive of the workstation and the external share are fundamentally the same, but the cloud storage is different, as are the tape drive and the disk array.

The different-media rule most probably harks back to the days of tape backups. If your backup regimen lacked diversity and consisted only of tapes, it was vulnerable to a failure of the tape drive reader.

This is the scenario where the main hard drive fails and the tape drive reader ALSO fails. As tape was a long-term storage option, it wasn’t uncommon for a replacement tape drive reader to become hard to source. Finding a new or working reader could become difficult, leaving your backups inaccessible.

The takeaway is that media diversity is equally important. You could store “Important_stuff.txt” on multiple different media, just as long as all your eggs aren’t in the same technological basket.

Having a diversity of media helps reduce the chances that all possible avenues of recovery will be inaccessible through equipment failure.

1 Copy stored offsite!

One copy of the backup should be stored offsite. If the head office burns down, it won’t matter how many backups you had. In our example, storing “Important_stuff.txt” on a tape drive and having it in a safety deposit box at your bank would negate the “office-burning-down” scenario as well as the perfect storm of ransomware encrypting everything.

Offsite copies will help mitigate a localized event.


A word on security.

You should make every effort to secure these backups. For an attacker, “Important_stuff.txt” is immediately identified as a high-value item. Remember that if you store your backup in the cloud, the stewards of that cloud could have access to it. Portable drives are, well… portable, and by this I mean they can be portable in someone else’s pocket!

  • Use strong passwords on that offsite cloud service. Select cloud backup solutions that are zero-knowledge. (The stewards of the cloud don’t have access to your data in unencrypted form!)
  • Encrypt the data backed up to external solutions.
  • Store these backups in a safe place, preferably under lock and key.

The examples above show encryption being used for your benefit, as opposed to the way ransomware authors use it.


Good automation and discipline!

The single greatest obstacle to a proper 3-2-1 backup regimen is the discipline required to maintain it. A good way to mitigate this is to automate the backup process. The backing up of “Important_stuff.txt” should be transparent to its owner.

Having backups gives you the option to deny ransomware authors by choosing the painful option and restoring from backups…

You could also install our product to mitigate ransomware attacks. (This should not be thought of as a replacement for a good backup strategy!)


Payment must be the absolute last resort.

Any option other than paying the cybercriminals for a decryption key is preferable. This is why when we see news reports recommending paying the ransom we collectively shake our heads. Encouraging familiarity with the Bitcoin ecosystem isn’t bad at all. Crypto-currencies are fascinating. Having some stored on hand for a quick payment, however, implies a fundamental failure.

Remember, when you pay the bad guys, you reinforce the viability of these types of attacks. You are teaching them that ransomware works.


Your ISP, browsing history, and what to do about it

Malwarebytes - Tue, 04/04/2017 - 17:17

In late March, Congress approved a bill lifting restrictions imposed on ISPs last year concerning what they could do with information such as customer browsing habits, app usage history, location data, and Social Security numbers. They additionally absolved ISPs of the need to strengthen their existing customer data holdings against hackers and thieves. For more on the particulars of the bill, you can see reports on the Washington Post and Ars Technica. Given that the repealed restrictions hadn’t yet come into effect, the immediate impact of the new bill is somewhat unclear. But given what typically happens with massive stores of aggregated, location-specific customer data, the prognosis is not good.

So what’s the worst that can happen? Let’s run through a few probable outcomes:

Ad retargeting

We all might be familiar with this: we buy a product online and then see ads for it relentlessly for a couple of weeks thereafter. But with increased granularity of metadata, ad retargeting can be significantly more ‘effective.’ As an example, certain tech support scam companies prefer to draw their staff directly from complicit drug detoxes and rehabs, largely in order to ensure a compliant, desperate employee base. So the next time someone searches for help with an intractable heroin addiction, they might get targeted ads for unlicensed rehabs that come with a new job opportunity of scamming the elderly. Perhaps if my browser history correlates with those of low-income or unemployed people, my ads would fill with work-from-home scams. Or low-literacy search phrasing, in conjunction with low income, could get me directed to multi-level marketing scams. There is a cornucopia of ways to target the weak and vulnerable via metadata, and it’s both legal and profitable.



As we can see with many domestic violence cases, abusers have no compunction against using technology to stalk and harass their victims. A 2014 article by NPR surveyed a series of domestic violence shelters and found 75% of their clients had dealt with abusers monitoring them remotely using hidden mobile apps. Some ill-conceived apps have linked multiple sets of user data together, to create inadvertent ‘stalking apps’. Once search metadata is openly sold, a person suffering domestic abuse would have a hard time searching for a local shelter without their partner knowing about it. Even with new homes and new identities, a victim would have to live with the fear of their search patterns combined with IP address identifying them, permanently. Stalking via metadata has been seen as an issue before and it will most likely happen again.


Browser History Ransom

We’ve seen doxware in the wild before. But when the barrier to entry is lowered to simply having enough money to purchase the incriminating data in question, why wouldn’t more criminals get in on the game? As seen with ransomware and tech support scams, when technical limitations to a crime are removed, people willing to try it multiply exponentially. Ransoming a victim’s browser history would seem to be easy money.


Time to Breach

Essentially, once this data begins to be collected, stored, and prepared for sale, there is a stopwatch set for time to breach and dissemination of your data to the highest bidder on the dark web. Think that’s hyperbolic? In 2015 Comcast published the personal data of almost 75,000 California customers due to operator error. In a separate incident in the same year, 200,000 Comcast customers had their data sold on the dark web. In 2014, Comcast hadn’t patched their mail servers adequately and hackers made off with extensive credentials. Not to be outdone, Time Warner had their customers breached in incidents here and here. Cox Communications paid the FCC a $595,000 fine for breach of its customer data. Given the track record of handling customer data thus far, how long until the next breach?

But this is bad and I don’t want this?

Although options are limited and sometimes frustrating, there are some things you can do. To combat ad retargeting, an ad blocker works quite well. It’s awfully tough to be taken in by deceptive, fraudulent, or just too intrusive advertising if you can’t see it. However, many of the most reputable news sites rely on advertising for revenue, so they ask users to disable ad blockers in order to access content. This doesn’t really address the issue of shadowy third parties doing untoward things with your data, which brings us to…

Virtual Private Networks (VPNs)

Here be dragons, though, because many VPN providers are no more trustworthy than the ISPs that we all love so dearly. If you go to a VPN review site you can see the latest VPNs and how they stack up on quality criteria, which generally include, but are not limited to:

  • Do they keep logs of your activity?
  • How much identifiable data do they keep on you?
  • Do they have physical control over their own VPN servers?
  • What countries are their servers located in?

Check out some reviews of popular VPNs based on answers to these questions here. Another question that you should be asking is how much a VPN costs. Free ones generally find some unsavory ways to monetize your traffic, which is what you’re trying to avoid to begin with.

HTTPS Everywhere

This is a browser extension published by the Electronic Frontier Foundation (EFF). It rewrites your requests to use HTTPS whenever the website supports it. Encrypting traffic this way does not hide which websites you visit from your ISP, since the hostname is still visible in your DNS lookups and in the TLS handshake, but it does hide the specific pages and content you access on those sites. And as a browser extension, it’s easy to install, and probably falls under the category of things you should be doing anyway. If you want to find out more about HTTPS Everywhere, check out their FAQ here.

Calling your congressman

Privacy is a developing issue. As technology advances, its ability to infringe on our privacy in irritating and sometimes dangerous ways can increase. Letting your representatives know that this is a concern can help prevent worse legislation in the future. If you’d like to make your opinion on online privacy known, you can find your representatives here and here.

In conclusion, strong online privacy can sometimes be an inconvenience for those of us trying to catch cybercriminals. But its loss hurts all of us. Whether you have ‘something to hide’ or not, your data and your identity belong to you. Why shouldn’t you control how it’s used?

The post Your ISP, browsing history, and what to do about it appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (Mar 27 – Apr 02)

Malwarebytes - Mon, 04/03/2017 - 15:00

Do we have blogs for you! Last week, we cracked open a big book of definitions on what packers, crypters, and protectors are, dug into preinstalled mobile Adware, and warned of World of Warcraft phishing involving “free” pets. Elsewhere, we explained what exploits actually are and why they’re a big deal, explained the workings of Sage ransomware, took a deep dive into a website compromise campaign, the money problems of tech support scammers, and advised you to avoid a night at the movies.

Below are notable news stories and security-related happenings:

Safe surfing, everyone!

The Malwarebytes Labs Team

The post A week in security (Mar 27 – Apr 02) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Steam spammers have a night at the movies

Malwarebytes - Fri, 03/31/2017 - 15:00

Users of gaming platform Steam have the ability to upload images from games, post messages, and more besides, into their social network stream. They also have the option to upload game-related artwork. Spammers occasionally make use of this feature to sling some spam at the gaming masses.

We’ve spotted one such example in the wild, in the form of a profile claiming to be IMDB offering up free movies. Below you can see they’ve uploaded six decidedly non-game related images, all of which claim a movie is but a click away.

There’s also some spam text accompanying the various pictures in an attempt to gain some search engine juice and also to provide a link for would-be movie watchers to click on.

Some of the links are in the flavor text, a few are only viewable if you enlarge the image, and more still are posted as standalone comments underneath the original picture.

As for where they go, it’s worth noting that Steam’s link filter will warn people that they’re about to move away from Steam (generally, this is there to try and help deter phishing but also serves as fair warning for any other scam you can think of).

Should they continue on with their journey, they’ll end up in a variety of locations.

We looked at three links, which were:


Of the three links, all of them initially land on a “Watch this movie” page with what appears to be a movie player embedded and various pieces of movie-related text scattered about the place.

After that, though:

1. One of our links took us to a survey page, which asks the visitor to fill in personal info on offers in return for “something”. It’s fair to say we’d be very cautious about doing this, as more often than not you never receive the desired prize(s) after handing over a bunch of PII.

2. Another link took us to a movie site which says “sign up for free”, but also wants you to pay a monthly billing fee to continue membership (we looked at the Terms & Conditions, but we couldn’t pin down an exact number).

3. Possibly the worst of the bunch, this one suggests Finding Dory is available to watch.

Clicking the box, however, takes visitors to an Ad rotator URL which drops us off at a variety of non-child friendly links. Various adult webcams, surveys, and related sites all lie in wait.

So, you know, whoops.

Accounts such as the one pushing the above links tend to get deleted or cleaned up (if it’s been hijacked) fairly quickly. Don’t make life easier for the spammers – ignore all of their attempts to give you a night at the movies and report them to Steam. With any luck, they’ll be ejected from the cinema before the trailers are over.


Christopher Boyd

The post Steam spammers have a night at the movies appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Tech support scammers and their banking woes

Malwarebytes - Thu, 03/30/2017 - 15:00

We all know about tech support scams by this point. We know how they cold call, lie their way into your computer, and steal your money. Unfortunately for the scammers, banks know this as well, making it quite difficult at times to maintain an account to store the criminal’s ill-gotten gains. So how does the enterprising criminal cash out with your money? Let’s take a look.

High-risk payment processors

When a business owner is involved with a line of work that traditional payment processors don’t want to be involved with—typically pornography, pharma, and gambling—they use high-risk processors. In exchange for the perceived higher risk of processing payments in industries known for fraudulent activity, the processor takes a higher fee. The traditional tech support scam model used to rely heavily on these companies, typically through an Indian intermediary to offer an extra layer of anonymity.


However, as the spotlight on tech support scams grew brighter and victims increasingly initiated chargebacks, high-risk processors have increasingly dropped overseas tech support companies in order to protect their relationships with more legitimate businesses, as well as the credit card companies who monitor customer chargeback rates. The processors that haven’t given up tech support yet tend to levy extra restrictions against overseas customers in their contractual agreements, as demonstrated in the example contract below.



So barred from traditional banks and losing access to high-risk processors, tech support scammers have gotten a little creative. An increasingly common method we’ve seen for payment is Apple or iTunes gift cards. The idea being the scammer gets a commodity that is easily laundered on the dark web and the victim sees Apple on their credit card statement, rather than FAKE COMPANY XYZ. This has the added benefit of making it extra tough for the victim to produce evidence that ties back to the scammer.

Apple has some pretty good advice on the subject here.

Suffice it to say, legitimate tech support companies do not do this. Malwarebytes has observed tech support scammers using Apple/iTunes gift cards, Amazon gift cards, Bitcoin, and even sending a FedEx guy to physically pick up a check. Non-standard payment methods like these are usually a pretty good signal that the tech support business in question has a hard time getting access to a credit card processor and you probably shouldn’t do business with them.

Lastly, scammers might collect payment using direct bank transfers via Automated Clearing House (ACH). Criminals love this method because it only requires two pieces of information to work: your account number and a routing number. Also, non-business victims only have 60 days to report losses in order to recover funds. More on ACH fraud here.

So if you’re ever on the phone with a support company that is insistent that you pay with third party gift cards, ask the operator, “Why can’t I use my credit card?” You might get some very creative answers. But the best defense when encountering this is to simply hang up the phone. If you’ve allowed the scammer remote access to your computer, close the window as well, or just disconnect your internet. For more on how to stay safe from tech support scams or find out more on what to do if you’ve had a run-in with them, check out our post here.

The post Tech support scammers and their banking woes appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Websites compromised in ‘Decimal IP’ campaign

Malwarebytes - Wed, 03/29/2017 - 23:00

When looking at malicious traffic, one of the things we are interested in is the hosts involved in a particular attack. For example, we check the hostnames or IP addresses that were serving up malicious code.

Before getting further, let’s define a few concepts to better understand the topic we are discussing today. A host name can be:

  • A domain name (i.e.
  • A fully qualified domain name (i.e.
  • An IP address (i.e.

It is less common, but an IP address can indeed be used directly as the host in a URL, and when that happens it is called an IP-literal hostname (see Eric Lawrence’s post on this subject).

IPv4 addresses are normally written in dot-decimal notation: four numbers, each ranging from 0 to 255, separated by dots. But then, to make things a little more complicated, browsers also accept non-dotted IP literals, where the whole 32-bit address is written as a single number in decimal (http://2130706433/) or octal (http://017700000001/) form; both of those examples are 127.0.0.1.

This takes us to a recent infection chain for the RIG exploit kit where we came across such an occurrence. The host was:


While for us humans it makes little sense that this could even resolve, Internet Explorer and Chrome (Edge doesn’t seem to) can handle it just fine and convert that into a proper IP address (

We observed websites that had been hacked and were pushing this unorthodox URL via 302 redirects (the HTTP response code for a temporary redirect, which tells the browser to fetch the URL given in the Location header instead):

HTTP/1.1 302 Found
Server: nginx/1.10.1
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.23
Access-Control-Allow-Origin: *
Location: http://1760468715/
Vary: Accept-Encoding

This in turn leads to another redirector performing the final call to the RIG EK landing page and infecting the user with the Smoke Loader malware, as shown below:

Upon Googling for that particular string (1760468715), we can find many sites that have been injected with the Decimal IP redirect:

There is a thread on StackExchange about a website owner dealing with such an infection and trying to find out how to locate it. Some folks suggest grepping the entire server for the incriminating string, while others recommend a complete wipe and reinstall.

Perhaps the malicious actors are trying to avoid some IP filters or maybe make identification harder by using a less common URL format. In any case, Malwarebytes users are protected from accessing this rogue server, no matter how the URL is formatted.
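As an added example (this is not code from the original post), here is a small Python normaliser for the IPv4 literal forms browsers accept, together with a check that flags 3xx responses whose Location points at a non-dotted literal like the one in the redirect above. It assumes the inet_aton-style grammar that Chrome and IE follow (one to four dot-separated parts, each decimal, octal with a leading 0, or hex with 0x, the last part filling the remaining bytes); the sample response is the one quoted above, reassembled with CRLF line endings.

```python
import re
import struct
from typing import Optional, Tuple
from urllib.parse import urlsplit

# inet_aton-style grammar: 1..4 dot-separated parts, each decimal, octal
# (leading 0) or hex (0x); the last part fills the remaining address bytes.
_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]+")
_DEC = re.compile(r"[0-9]+")


def parse_ip_literal(host: str) -> Optional[str]:
    """Return the dotted-decimal form of an IPv4 literal, or None when host
    is not one (a domain name, an invalid digit, an out-of-range part)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if _HEX.fullmatch(p):
            values.append(int(p[2:], 16))
        elif len(p) > 1 and p[0] == "0":
            if not _OCT.fullmatch(p):          # "08" is not valid octal
                return None
            values.append(int(p, 8))
        elif _DEC.fullmatch(p):                # a bare "0" lands here too
            values.append(int(p, 10))
        else:
            return None
    # every part but the last is one byte; the last covers the rest
    last_bytes = 5 - len(values)
    if any(v > 0xFF for v in values[:-1]) or values[-1] >> (8 * last_bytes):
        return None
    n = 0
    for v in values[:-1]:
        n = (n << 8) | v
    n = (n << (8 * last_bytes)) | values[-1]
    return ".".join(str(b) for b in struct.pack(">I", n))


def flag_nondotted_redirect(raw_response: str) -> Optional[Tuple[str, str]]:
    """For a 3xx response, return (Location value, normalised host) when the
    Location host is an IPv4 literal in a non-dotted form; otherwise None."""
    lines = raw_response.splitlines()
    if not lines:
        return None
    status = lines[0].split()
    if len(status) < 2 or not status[1].startswith("3"):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "location":
            continue
        target = value.strip()
        host = urlsplit(target).hostname or ""
        dotted = parse_ip_literal(host)
        if dotted is not None and dotted != host:
            return target, dotted
    return None


# The redirect quoted in the post, reassembled with CRLF line endings.
SAMPLE_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Server: nginx/1.10.1\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "Connection: keep-alive\r\n"
    "X-Powered-By: PHP/5.3.10-1ubuntu3.23\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Location: http://1760468715/\r\n"
    "Vary: Accept-Encoding\r\n"
)

if __name__ == "__main__":
    print(flag_nondotted_redirect(SAMPLE_302))
```

Run it against proxy logs or a packet capture’s Location headers and you get the dotted address back for every decimal, octal or hex literal, which is the form your blocklists and threat-intel lookups actually expect.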

And if you wonder about real life purposes of these non-dotted IP-literal URLs and want to participate in the debate, feel free to join this 16 year old thread:



Decimal IP:1760468715 IPv4 dot-decimal:

Payload (Smoke Loader):


The post Websites compromised in ‘Decimal IP’ campaign appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Explained: Sage ransomware

Malwarebytes - Wed, 03/29/2017 - 15:00

Sage is yet another ransomware family that has become a common threat. Like Spora, it can encrypt files offline. The malware is actively developed, and we are currently facing an outbreak of version 2.2.

Analyzed samples

Distribution method

Most often, Sage is dropped by downloader scripts distributed via phishing e-mails (office documents with malicious macros or standalone JS files). In the analyzed case, the sample was dropped via a JavaScript file.

Behavioral analysis

After being deployed, Sage deletes the original sample and runs another copy, dropped in %APPDATA% (the names of the dropped files differ between machines; they are probably generated based on a GUID):

The dropped copy deploys itself once again, with a parameter ‘g’. Example:

"C:\Users\tester\AppData\Roaming\FkGtk5ju.exe" g

After finishing its work, the dropped copy is also deleted, with the help of a batch script dropped in the %TEMP% folder.

The content dropped in %TEMP% is shown in the picture below. We can see the batch scripts and the BMP that is set as the wallpaper:

Sample contents of the batch scripts are given below. As we can see, the ping command is used as a delay.

In case the system is restarted before encryption finishes, Sage sets a link in the Startup folder so that it can continue after the reboot:

However, if the ransomware completes the encryption process and deletes itself, the link is left behind, pointing at a file that no longer exists.

After finishing, the wallpaper is changed. In version 2.2 the wallpaper looks very similar to 2.0, except the font is green instead of red:

At the end of the execution, the ransom note !HELP_SOS.hta opens automatically:

In addition to the written information, Sage 2.2 plays a voice message informing the victim about the infection. It is played via WScript using the default Microsoft text-to-speech service, just like in the case of Cerber.

Some content is left in %APPDATA%:

Encrypted files are given the .sage extension and their icons are changed:

Visualization of a file – before and after encryption:

Files with the same plaintext produce different ciphertexts, which leads to the conclusion that each file is encrypted with a new key.

Sage works fine without an internet connection; however, if connected, it sends data via UDP (similarly to Cerber):

The traffic is encrypted:

Page for the victim

The ransom note contains a link to the page for the victim. The victim’s encrypted and Base64-encoded key is passed to the attackers’ server via the URL. Example: http://7gie6ffnkrjykggd.onion/login/AQAAAAAAAAAAv4NRzsVPkfwPPWixq2mqtFwGWlZTeCDpL_BGPyeJFhDA

The key can be also pasted via field on the website:

Keep in mind that the first login on the victim page starts the timer. From that moment, the countdown to the price increase is running.

The website is protected by a simple captcha and allows some simple customization: the victim can choose one of the supported languages (currently 17):

The page contains typical information, such as the amount of ransom to be paid and further instructions:

The malware allows the victim to test the decryption capabilities by uploading some encrypted files (the file size must be less than 15 KB):

However, the result is not available instantly:

After some hours, the decrypted version of the uploaded file is indeed available to download:


Sage is delivered packed by various crypters. After defeating the first layer we obtain a second PE file: the malicious core, which is not further obfuscated.

At the beginning of its execution, Sage generates the Victim ID/key and saves it in a .tmp file dropped in the %APPDATA% folder. Then it removes backups from the system:

Executed commands:

vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

Sage enumerates the files, and those matching the defined criteria are encrypted. First, the malware creates a file with the same name as the attacked one, but with three dots at the end.

Both files coexist in the system until the encrypting is finished.

Then the original file is deleted and the newly created one is renamed with the extension .sage:

At the end, only the .sage file is left:

What is attacked?

Sage comes with a long list of targeted extensions, hard-coded in the binary:

dat mx0 cd pdb xqx old cnt rtp qss qst fx0 fx1 ipg ert pic img cur fxr slk m4u mpe mov wmv mpg vob mpeg 3g2 m4v avi mp4 flv mkv 3gp asf m3u m3u8 wav mp3 m4a m rm flac mp2 mpa aac wma djv pdf djvu jpeg jpg bmp png jp2 lz rz zipx gz bz2 s7z tar 7z tgz rar ziparc paq bak set back std vmx vmdk vdi qcow ini accd db sqli sdf mdf myd frm odb myi dbf indb mdb ibd sql cgn dcr fpx pcx rif tga wpg wi wmf tif xcf tiff xpm nef orf ra bay pcd dng ptx r3d raf rw2 rwl kdc yuv sr2 srf dip x3f mef raw log odg uop potx potm pptx rss pptm aaf xla sxd pot eps as3 pns wpd wps msg pps xlam xll ost sti sxi otp odp wks vcf xltx xltm xlsx xlsm xlsb cntk xlw xlt xlm xlc dif sxc vsd ots prn ods hwp dotm dotx docm docx dot cal shw sldm txt csv mac met wk3 wk4 uot rtf sldx xls ppt stw sxw dtd eml ott odt doc odm ppsm xlr odc xlk ppsx obi ppam text docb wb2 mda wk1 sxm otg oab cmd bat h asx lua pl as hpp clas js fla py rb jsp cs c jar java asp vb vbs asm pas cpp xml php plb asc lay6 pp4 pp5 ppf pat sct ms11 lay iff ldf tbk swf brd css dxf dds efx sch dch ses mml fon gif psd html ico ipe dwg jng cdr aep aepx 123 prel prpr aet fim pfb ppj indd mhtm cmx cpt csl indl dsf ds4 drw indt pdd per lcd pct prf pst inx plt idml pmd psp ttf 3dm ai 3ds ps cpx str cgm clk cdx xhtm cdt fmv aes gem max svg mid iif nd 2017 tt20 qsm 2015 2014 2013 aif qbw qbb qbm ptb qbi qbr 2012 des v30 qbo stc lgb qwc qbp qba tlg qbx qby 1pa ach qpd gdb tax qif t14 qdf ofx qfx t13 ebc ebq 2016 tax2 mye myox ets tt14 epb 500 txf t15 t11 gpc qtx itf tt13 t10 qsd iban ofc bc9 mny 13t qxf amj m14 _vc tbp qbk aci npc qbmb sba cfp nv2 tfx n43 let tt12 210 dac slp qb20 saj zdb tt15 ssg t09 epa qch pd6 rdy sic ta1 lmr pr5 op sdy brw vnd esv kd3 vmb qph t08 qel m12 pvc q43 etq u12 hsr ati t00 mmw bd2 ac2 qpb tt11 zix ec8 nv lid qmtf hif lld quic mbsb nl2 qml wac cf8 vbpf m10 qix t04 qpg quo ptdb gto pr0 vdf q01 fcr gnc ldc t05 t06 tom tt10 qb1 t01 rpf t02 tax1 1pe skg pls t03 xaa dgc mnp qdt mn8 ptk t07 chg #vc qfi acc m11 kb7 q09 esk 
09i cpw sbf mql dxi kmo md u11 oet ta8 efs h12 mne ebd fef qpi mn5 exp m16 09t 00c qmt cfdi u10 s12 qme int? cf9 ta5 u08 mmb qnx q07 tb2 say ab4 pma defx tkr q06 tpl ta2 qob m15 fca eqb q00 mn4 lhr t99 mn9 qem scd mwi mrq q98 i2b mn6 q08 kmy bk2 stm mn1 bc8 pfd bgt hts tax0 cb resx mn7 08i mn3 ch meta 07i rcs dtl ta9 mem seam btif 11t efsl $ac emp imp fxw sbc bpw mlb 10t fa1 saf trm fa2 pr2 xeq sbd fcpa ta6 tdr acm lin dsb vyp emd pr1 mn2 bpf mws h11 pr3 gsb mlc nni cus ldr ta4 inv omf reb qdfx pg coa rec rda ffd ml2 ddd ess qbmd afm d07 vyr acr dtau ml9 bd3 pcif cat h10 ent fyc p08 jsd zka hbk bkf mone pr4 qw5 cdf gfi cht por qbz ens 3pe pxa intu trn 3me 07g jsda 2011 fcpr qwmo t12 pfx p7b der nap p12 p7c crt csr pem gpg key

In order to access all the files without interference, Sage searches for and terminates associated processes (database servers, mail clients and the like, which would otherwise hold the files open). Processes are identified by name:

msftesql.exe sqlagent.exe sqlbrowser.exe sqlservr.exe sqlwriter.exe oracle.exe ocssd.exe dbsnmp.exe synctime.exe mydesktopqos.exe agntsvc.exe isqlplussvc.exe xfssvccon.exe mydesktopservice.exe ocautoupds.exe encsvc.exe firefoxconfig.exe tbirdconfig.exe ocomm.exe mysqld.exe mysqld-nt.exe mysqld-opt.exe dbeng50.exe sqbcoreservice.exe

As is common in ransomware, some paths are excluded from the attack. In this case, not only system directories are blacklisted, but also others related to popular games, such as “League of Legends”, “steamapps” and “GOG Games”:

tmp Temp winnt 'Application Data' AppData ProgramData 'Program Files (x86)' 'Program Files' '$Recycle Bin' '$RECYCLE BIN' Windows.old $WINDOWS.~BT DRIVER DRIVERS 'System Volume Information' Boot Windows WinSxS DriverStore 'League of Legends' steamapps cache2 httpcache GAC_MSIL GAC_32 'GOG Games' Games 'My Games' Cookies History IE5 Content.IE5 node_modules All Users AppData ApplicationData nvidia intel Microsoft System32 'Sample Music' 'Sample Pictures' 'Sample Videos' 'Sample Media' Templates

Some countries (recognized by keyboard layout) are also excluded from the attack. Below is the function checking whether one of the selected keyboard layouts is present on the system:

Systems with the following keyboard layouts are skipped by Sage 2.2: Belarusian, Kazakh, Ukrainian, Uzbek, Sakha, Russian, Latvian.

How does the encryption work?

Sage uses two cryptographic algorithms: elliptic-curve cryptography (ECC) and ChaCha20. ChaCha20 is used to encrypt the content of each file, while ECC is used to protect the randomly generated keys.

Each random key is obtained from a cryptographically secure generator (SystemFunction036, better known as RtlGenRandom). The filled buffer is then preprocessed by a simple algorithm:

Victim ID

At the beginning of its execution, Sage creates a random buffer and encrypts it using ECC. We will refer to the output of the first round of encryption as the Victim ID, and to the output of the subsequent rounds as the Encrypted Victim ID.

In the first round, the random value is encrypted using ECC, producing the Victim ID.

In the second round, the same random value is encrypted using ECC along with another buffer that is hard-coded in the binary. The output is processed in a similar way to the random buffer:

In the third round, the resulting buffer is encrypted by ECC once more, producing the Encrypted Victim ID.

Both output buffers are kept in the memory of the application and used later (they are also saved in the TMP file dropped in the %APPDATA% folder).

The part highlighted on the screenshot is the Victim ID (the next 32 bytes after it are the Encrypted Victim ID):

The Victim ID is also saved in the ransom note, in a Base64*-encoded version:

*The character set is slightly modified in comparison to classic Base64: it is the URL-safe alphabet from RFC 4648, with ‘-’ in place of ‘+’ and ‘_’ in place of ‘/’. To decode it with a standard Base64 decoder, replace ‘-’ with ‘+’ and ‘_’ with ‘/’. For example the ID: AQAAAAAAAAAAGwsZ-IAO5_pntzI3UnC8VweSZXaKQ0gTJ9PRS8AkiAnA is, in standard Base64: AQAAAAAAAAAAGwsZ+IAO5/pntzI3UnC8VweSZXaKQ0gTJ9PRS8AkiAnA

In addition, the Victim ID is saved in each and every encrypted file:

The Encrypted Victim ID takes part in encrypting the file’s content (as a key unique per victim).

File encryption

At the beginning of the file-encrypting function, a new 32-byte key is generated (unique to each file).

The random number is encrypted with the help of ECC twice:

  • On its own, producing key1, which is stored in the file
  • Together with the Encrypted Victim ID, producing key2, which is used by ChaCha20

As we can see, key2 is used to initialize the cipher context. ChaCha20 can be recognized by the typical constants used in its initialization function:

The file is encrypted chunk by chunk (the maximum chunk size is 0x20000 bytes) with ChaCha20:

At the end of the file, the first derived key (key1) and some additional data are appended:

The appended data is separated from the encrypted content by two hard-coded markers: 0x5A9EDEAD and 0x5A9EBABE.

Markers at the end of the encrypted file:

After the first marker, Sage stores the following information: Victim ID, key1, and the size of the original file.
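Added example (not the author’s tooling): an incident-response helper that decodes the URL-safe Base64 Victim ID from the note or victim URL, and locates the marker-delimited trailer in a file so the Victim ID can be pulled out and correlated across encrypted files and hosts. Since the post only gives the field order after the first marker, the widths are assumptions of this example: the markers are tried as little-endian and then big-endian DWORDs, the Victim ID and key1 are taken as 32 bytes each, and the original size as a 64-bit integer. The sample file is constructed here, not a real Sage sample.

```python
import base64
import struct
from typing import Any, Dict, Optional, Tuple

MARKER_START = 0x5A9EDEAD   # end of ciphertext / start of metadata
MARKER_END = 0x5A9EBABE     # end of metadata

# Field widths are assumptions for this example; the post gives only the
# order (Victim ID, key1, original size) after the first marker.
VICTIM_ID_LEN = 32
KEY1_LEN = 32
SIZE_LEN = 8


def decode_victim_id(note_id: str) -> bytes:
    """The ID in the note and in the victim URL is RFC 4648 URL-safe Base64
    ('-' and '_' instead of '+' and '/'); restore padding before decoding."""
    return base64.urlsafe_b64decode(note_id + "=" * (-len(note_id) % 4))


def find_trailer(blob: bytes) -> Optional[Tuple[str, int, int]]:
    """Return (byte_order, start_offset, end_offset) of the marker pair, or
    None. Little-endian is tried first, then big-endian, because the post
    does not say how the DWORD markers are stored on disk."""
    for order in ("<", ">"):
        start = struct.pack(order + "I", MARKER_START)
        end = struct.pack(order + "I", MARKER_END)
        i = blob.rfind(start)
        if i == -1:
            continue
        j = blob.find(end, i + 4)
        if j == -1:
            continue
        return order, i, j
    return None


def parse_sage_file(blob: bytes) -> Optional[Dict[str, Any]]:
    """Split a suspected .sage file into ciphertext and trailer fields."""
    found = find_trailer(blob)
    if found is None:
        return None
    order, i, j = found
    trailer = blob[i + 4:j]
    need = VICTIM_ID_LEN + KEY1_LEN + SIZE_LEN
    if len(trailer) < need:
        return None
    victim_id = trailer[:VICTIM_ID_LEN]
    key1 = trailer[VICTIM_ID_LEN:VICTIM_ID_LEN + KEY1_LEN]
    (orig_size,) = struct.unpack(order + "Q", trailer[VICTIM_ID_LEN + KEY1_LEN:need])
    return {
        "byte_order": order,
        "ciphertext": blob[:i],
        "victim_id": victim_id,
        "key1": key1,
        "original_size": orig_size,
        "extra": trailer[need:],      # anything else stored before the end marker
    }


def build_sample(ciphertext: bytes, victim_id: bytes, key1: bytes,
                 original_size: int, order: str = "<") -> bytes:
    """Constructed test file following the assumed layout; not a real sample."""
    return (ciphertext
            + struct.pack(order + "I", MARKER_START)
            + victim_id + key1
            + struct.pack(order + "Q", original_size)
            + struct.pack(order + "I", MARKER_END))


if __name__ == "__main__":
    print(decode_victim_id("AQAAAAAAAAAAGwsZ-IAO5_pntzI3UnC8VweSZXaKQ0gTJ9PRS8AkiAnA").hex())
    demo = build_sample(b"\xaa" * 100, bytes(range(32)), b"k" * 32, 1234)
    print(parse_sage_file(demo))
```

Across a compromised fileserver, grouping .sage files by the extracted victim_id tells you whether you are looking at one infected host or several, which is worth knowing before you decide how far to scope the response.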

Network communication

Sage does not need any data from the CnC in order to work. However, as mentioned before, it may generate some UDP traffic, because it is able to send some data about the attacked system. Depending on the configuration, the data may be sent either via UDP or via an HTTP POST request. The data is encrypted before being sent, also with ChaCha20. In the observed case, the ChaCha20 key was a buffer filled with zero bytes, which makes this encryption little more than obfuscation for anyone who has analyzed the sample.

Examples of the data sent to the CnC

Sage sends the generated keys to the CnC, i.e.:

Compare with the buffer before encryption:

The same data is also formatted into a human-readable form, as shown below. However, so far we have not observed any use of this data. It may be an unfinished feature that will be developed further in new versions of this product. Formatted equivalent of the above buffer:

[bin(33) 01CB3B94D965A389978A16035ED700C87A780088730989C24C581325340A866C4B, 4, {
  "v": 1,
  "gpk": bin(32) CB3B94D965A389978A16035ED700C87A780088730989C24C581325340A866C4B,
  "pk": bin(32) 2BB7BD5394B845629C90BB2B43D9655DC9C86347C4C695AB18150D7031B9E41F,
}]

Other examples: collected information about the attacked machine (the "v" array holds the Windows version, here 6.1 build 7601, and "k" appears to hold the installed keyboard layout handles, which fits the layout check described above):

[bin(33) 01CB3B94D965A389978A16035ED700C87A780088730989C24C581325340A866C4B, 3, {
  "s": {
    "w": {
      "v": [6, 1, false, false, 7601, 1, 0],
      "u": "tester",
      "p": "TESTMACHINE",
    },
    "c": " Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz",
    "m": 232,
    "k": [68486165, 4026598409, 4026991637],
  },
  "i": 12288,
  "w": null,
}]

Adding icons

An interesting and uncommon feature of Sage is that it changes the icons of the file types it uses. A padlock icon is set for encrypted files with the .sage extension, and a key icon for .hta files (used for the ransom notes). The icon change is implemented by setting the appropriate registry keys:


Sage, like Spora, uses a complex way of deriving keys. So far there is no solution that would allow recovering files without paying the ransom, which is why we recommend focusing on prevention instead. Malwarebytes 3.0 Premium users are protected from Sage ransomware as long as it is installed prior to infection.

Appendix – Fortinet about Sage 2.0

This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going in details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog:

The post Explained: Sage ransomware appeared first on Malwarebytes Labs.

Categories: Techie Feeds

What are exploits? (And why you should care)

Malwarebytes - Wed, 03/29/2017 - 14:00

Exploits: they’re not your mama’s cyberthreats. At one point in the not-so-distant past, exploits were responsible for delivering 80 percent of malware to people’s systems. But exploits seem to be experiencing a lull today. Does this mean they’re gone for good and we can all let down our guard? Or is this simply the calm before the storm? Let’s break down this stealthy threat so you can not only know your enemy, but also be appropriately prepared should the exploit attacks return.


What is an exploit?

An exploit is a program or piece of code that finds and takes advantage of a security flaw in an application or system so that cybercriminals can use it for their benefit, i.e., exploit it.

Cybercriminals frequently deliver exploits to computers as part of a kit, or a collection of exploits, that is hosted on websites or hidden on invisible landing pages. When you land on one of these sites, the exploit kit automatically fingerprints your computer to see which operating system you are on, which programs you have running, and most importantly, whether any of these have security flaws, called vulnerabilities. It is basically looking at your computer for weaknesses to exploit—not unlike the Trojans did with Achilles’ heel.

After discovering vulnerabilities, the exploit kit uses its pre-built code to essentially force the gaps open and deliver malware, bypassing many security programs.

So are exploits a form of malware? Technically, no. Exploits are not malware themselves, but rather methods for delivering the malware. An exploit kit doesn’t infect your computer. But it opens the door to let the malware in.


How do exploits attack?

People most often come across exploit kits from booby-trapped high-trafficked websites. Cybercriminals typically choose popular, reputable sites in order to reap the highest return on their investment. This means the news sites you read, the website you use to browse real estate, or the online store where you buy your books are all possible candidates. Sites such as,, and have been compromised in the past.

So you’re surfing the web, stopping by a website you love, and the compromised site redirects you in the background, without opening any new browser windows or alerting you in any other way, so that you can be scanned for suitability for infection. Based on this, you are either selected for exploitation or discarded.

How is your favorite website compromised? In one of two ways:

1. A piece of malicious code is hidden in plain sight on the website (via good old-fashioned hacking).
2. An advertisement that is displayed on the website has been infected.

These malicious ads, known as malvertising, are especially dangerous, as users don’t even need to click on the ad in order to be exposed to the threat. Both methods, hacked sites or malvertising, immediately redirect you (point your web browser) to an invisible landing page that is hosting the exploit kit. Once there, if you have vulnerabilities on your computer, it’s game over.

The exploit kit identifies vulnerabilities and launches the appropriate exploits in order to drop malicious payloads. These payloads (the malware) can then execute and infect your computer with all kinds of bad juju. Ransomware is a particular favorite payload of exploit kits these days.


Which software is vulnerable?

In theory, given enough time, every piece of software is potentially vulnerable. Specialist criminal teams spend lots of time pulling apart programs so they can find vulnerabilities. However, they typically focus on the applications with the highest user-base, as they present the richest targets. As with all forms of cybercrime, it’s a numbers game. Top application targets include Internet Explorer, Flash, Java, Adobe Reader, and Microsoft Office.


How security folks fight it

Software companies understand that the programs they develop may contain vulnerabilities. As incremental updates are made to the programs in order to improve functionality, looks, and experience, so too are security fixes made to close vulnerabilities. These fixes are called patches, and they are often released on a regular schedule. For example, Microsoft releases a cluster of patches for their programs on the second Tuesday of each month, known as Patch Tuesday.

Companies may also release patches for their programs ad-hoc when a critical vulnerability is discovered. These patches essentially sew up the hole so exploit kits can’t find their way in and drop off their malicious packages.

The problem with patches is they often aren’t released immediately after a vulnerability is discovered, so criminals have time to act and exploit. The other problem is that they rely on users downloading those “annoying” updates as soon as they come out. Most exploit kits target vulnerabilities that have already been patched for a long time because they know most people don’t update regularly.

For software vulnerabilities that have not yet been patched by the company who makes them, there are technologies and programs developed by cybersecurity companies that shield programs and systems known to be favorites for exploitation. These technologies essentially act as barriers against vulnerable programs and stop exploits in multiple stages of attack, that way, they never have a chance to drop off their malicious payload.


Types of exploits

Exploits can be grouped into two categories: known and unknown, also called zero-day exploits.

Known exploits are exploits that security researchers have already discovered and documented. These exploits take advantage of the known vulnerabilities in software programs and systems (that perhaps users haven’t updated in a long time). Security professionals and software developers have already created patches for these vulnerabilities, but it can be difficult to keep up with all the required patches for every piece of software—hence why these known exploits are still so successful.

Unknown exploits, or zero-days, target vulnerabilities that have not yet been reported to the general public. This means that cybercriminals have either spotted the flaw before the developers noticed it, or they’ve created an exploit before developers got a chance to fix the flaw. In some cases, developers may not find the vulnerability in their program that led to an exploit for months, if not years! Zero-days are particularly dangerous because even if users have their software fully updated, they can still be exploited and their security can be breached.


Biggest exploit offenders

The three exploit kits most active in the wild right now are named RIG, Neutrino, and Magnitude. RIG remains the most popular kit, and it’s being used in both malvertising and compromised-website campaigns to infect people’s machines with ransomware. Neutrino is a Russian-made kit that’s been used in malvertising campaigns against top publishers, and it preys on Java vulnerabilities (also to deliver ransomware). Magnitude is using malvertising to launch its attacks as well, though it’s strictly focused on countries in Asia.

Two lesser-known exploit campaigns, Pseudo-Darkleech and EITest, are currently the most popular redirection vehicles using compromised websites. These offenders inject code into sites built on WordPress, Joomla, or Drupal, and automatically redirect visitors to an exploit kit landing page.

As with all forms of cyberthreats, exploits, their methods of delivery, and the malware they drop are constantly evolving. It’s a good idea to stay on top of the most common forms to make sure the programs they target are patched on your computer.


Current exploit kit landscape

Right now, the exploit scene is pretty bleak, which is a good thing for those in the security industry and, essentially, for anyone using a computer. This is because in June 2016, Angler, a sophisticated exploit kit that was responsible for nearly 60 percent of all exploit attacks the year before, was shut down. There hasn’t been any other exploit kit that’s built up the same level of market share since.

Threat actors have been a bit gun-shy about running back to exploit kits, for fear of another Angler takedown. Once Angler was dismantled, cybercriminals turned their focus back to more traditional forms of attack, including phishing and emails with malicious attachments (malspam). But rest assured, they’ll be back once a new, more reliable exploit kit proves effective on the black market.


How to protect against exploits

The instinct may be to take little to no action to protect against exploits, since there’s not a lot of exploit-related cybercriminal activity right now. But that would be like choosing not to lock your doors since there hasn’t been a robbery in your neighborhood in a year. A couple of simple security practices can help you stay ahead of the game.

First, make sure you keep your software programs, plugins, and operating systems updated at all times. This is done by simply following instructions when reminded by those programs that updates are ready. You can also check settings from time to time to see if there are patch notifications that may have fallen off your radar.

Second, invest in cybersecurity that protects against both known and unknown exploits. Several next-generation cybersecurity companies, including Malwarebytes, have started integrating anti-exploit technology into their products.

So you can either kick back and pray that we’ve seen the last of exploits. Or, you can keep your shields up by consistently updating your programs and operating systems, and using top-notch anti-exploit security programs. The smart money says exploits will be back. And when they return, you won’t have a weak heel to expose to them.

The post What are exploits? (And why you should care) appeared first on Malwarebytes Labs.
