Techie Feeds

7 tips to stay cyber safe this summer

Malwarebytes - Fri, 07/21/2017 - 15:00

You’ve probably already seen the back-to-school ads on TV and rolled your eyes a little bit. We’re with you: There’s still plenty of summer left. That’s why we want to remind you about some of the cybersecurity pitfalls you might encounter during the remainder of the summer season.

Whether you’re home with the kids or heading out on vacation, here are some ways you can tighten up your security profile and avoid spending the rest of the summer reclaiming your identity or filing credit card insurance claims.

1. Monitor your children’s Internet habits during summer break.

Without homework and extracurricular activities for young students, summer days and nights are often spent lounging around on a tablet, cell phone, or laptop, browsing the Internet for funny cat videos or swapping faces on social media platforms. Parents may already enforce safe surfing habits during the school year, but with a more lax schedule may come a more lax attitude.

Be sure to set limits for Internet usage, whether that’s hours spent, sites visited, or apps and video games allowed. It’s also important to discuss online predatory behaviors, from cyberbullying to sexual exploitation (with an age-appropriate audience). Don’t just send your kids off to a room to Internet with abandon. Give them the skills (or possibly the parental controls) to navigate the online world safely.

2. Beware of fraudulent hotel booking sites.

Planning a trip to cap off an incredible summer? Make sure you’re using reputable booking sites for travel. A 2015 study by the American Hotel & Lodging Association found that about 15 million hotel bookings are impacted by rogue travel scams each year. Fraudulent websites or call centers often pretend to have an affiliation with certain hotels, when in fact they have none. This can result in being charged for hidden fees, losing rewards points, incorrect accommodations, fake reservations, and more.

The safest way to avoid being scammed is to book directly through a hotel’s website. Use third-party sites as resources to see available options. If you do want to consider a third-party site, call up the hotel directly to inquire if they are, in fact, affiliated. In addition, be wary of sites that urge you to book one of the last remaining rooms or don’t allow you to see a breakdown of fees.

3. Research hotels’ security policies before you book.

According to cybersecurity expert Matt Suiche, hotels are being targeted more frequently by criminals. Guest credit cards are kept on file for room charges, and opportunities for additional spending at spas, restaurants, bars, and shops on the premises make these properties attractive targets. In April 2017, InterContinental said that 1,200 of its franchise hotels in the United States, including the Holiday Inn and Crowne Plaza, were victims of a three-month cyberattack aimed at stealing customer payment card data. Also this year, 14 Trump hotels were targeted by hackers raiding personal data such as credit card numbers, expiration dates, and security codes, as well as some phone numbers and addresses of hotel customers.

When booking your hotel, you can ask about privacy and security policies in place for protecting customer data. Does the hotel have cybersecurity software? Is data stored in a secure computer/network? Who has access to it? Their policy should cover this information and more.

4. Watch out for public wifi in airports and hotels.

Yes, free wifi is a wonderful thing. How else would you stream Netflix in your hotel room instead of watching the room service menu options on your TV? However, free wifi is also public, which means that any person in the hotel or airport can access that network with (or without) a simple password. Wifi that isn’t password-protected is especially vulnerable. Add thousands of people accessing it daily and you’ve got a recipe for a data breach.

So what to do? Use up your mobile data? That’s one (expensive) way to deal with it. What we recommend, for the layperson, is to avoid sites where you need to log in, sites with sensitive info (banking, healthcare, etc.), and especially to stay away from making purchases over an unsecured connection. If you absolutely need to access sensitive info on this summer trip—perhaps it’s for business rather than pleasure—you’ll want to look into using a virtual private network, or VPN. In fact, if you are traveling for business and staying at a luxury hotel, you might be vulnerable to a spear-phishing campaign called DarkHotel if you use the in-house wifi network. Better get that VPN cracking.

5. Don’t announce to the world that you’ll be away from your house on vacation.

The lead-up to the vacation is almost as good as the vacation itself, no? It’s hard not to get swept up in the excitement and jump on Facebook to tell all your friends about your upcoming trip. Problem is, unless you are ruthlessly private about what you share (and social media platforms are constantly updating their policies, making it easier for people to find information you didn’t intend to share), people who aren’t your friends will see that announcement, too. And really, how well do you know that girl you passed in the hallway in high school 30 years ago?

Discussing your travel plans (specifically the dates you’ll be gone) opens you up to a physical security issue. Criminals are known to watch social media in order to target homes they know will be vacant for robbery. So it’s best to wait until you get back before you start posting those trip photos.

6. Look closely at ATM scanners and gas pumps.

Heading to a concert and need to gas up? Hitting up an ice cream truck at the beach and forgot your cash? Be extra careful when stopping at gas pumps or ATMs, especially those unaffiliated with a bank. ATMs and gas pumps are targets for cybercriminals, who might attach skimmers in order to pilfer bank account or credit card data (and eventually drain those accounts).

Before you swipe your card, give the card reader a good tug. If there’s a skimmer attached, it’ll likely pop right off the top. In addition, take a look around the ATM or gas pump for small cameras (smaller than your typical surveillance camera). They’d be pointing down at the keypad in order to capture your zip code or PIN.

7. Avoid credit card fraud.

Easier said than done, we know. This one is extra tricky when traveling abroad. Pickpockets steal wallets, or credit cards get accidentally left behind, and lo and behold: someone’s charging $2,537.45 worth of train tickets. While many card companies can track fraud and refund you the charges, the hassle of reporting and waiting, especially when overseas, is probably the last thing you want to deal with while sunning yourself in Phuket.

A few ground rules for traveling with credit cards: don’t take them all. Select one or two with high credit limits and low foreign transaction fees. Make copies of the credit cards you’re bringing with you so you can see the numbers and customer service phone number. Leave one copy with a friend and bring another with you. (Just don’t store it in the same place as your credit cards.) And finally, make sure you alert your credit card company of your travel plans so they don’t freeze your account.

Summer is a time to kick back and enjoy. So don’t spend it on the phone with your bank and the IRS. Take these precautions and you can be sure to end this easy-breezy season on a light and carefree note.

The post 7 tips to stay cyber safe this summer appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Hansa Market on Dark Web was controlled by Dutch police

Malwarebytes - Thu, 07/20/2017 - 17:53

In a simultaneous press conference held by the Dutch police and US Attorney General Jeff Sessions, we learned that the Dark Web marketplaces AlphaBay and Hansa Market have been seized and shut down by cooperating international authorities.

As it turned out, Hansa Market had already been under the control of the Dutch police for 27 days. After the take-down of AlphaBay by Canadian, US, and Thai authorities, many of its customers moved to Hansa Market, which at that time was already under the control of the Dutch police. They even had to put a temporary stop on new customers for a while; there were just too many. This was all part of an international plan to gain insight into the trafficking of drugs and guns. The Hansa Market website software had been changed so it would reveal details about the identity of these customers.

This led to the arrest of 4 major drug dealers in the Netherlands alone. Police departments in other countries have also been tipped off about dealers in their countries, but no details were available on how many arrests were made as a result of these tips. The Dutch police stipulated that the criminal activities they were involved in during this time were allowed as part of the infiltration of a criminal organization.

US Attorney general Jeff Sessions warned criminals they are not as safe on the Dark Web as they like to think: “You cannot hide… we will find you.”

Hansa Market was also a marketplace for malware and stolen data, but as of now we have no details of any arrests or discoveries made in these areas.

External links: (Dutch)



Terror EK actor experiments with URL shortener fraud

Malwarebytes - Wed, 07/19/2017 - 21:25

Terror EK is an exploit kit made from a mishmash of stolen code and with very limited distribution. In the past few months, we have seen a few minor updates to its code base which remains largely simplistic in comparison to professional-grade exploit kits of the past such as Angler EK, or modern-day Astrum EK.

We recently observed activity from one actor that appears to be doing some experiments with the toolkit. This post takes a look at a malvertising chain that leads to Terror EK in which the individual had set up his own redirect and bogus fraud page.


This particular infection flow started with malvertising related to adult and file sharing traffic. The final redirection to the exploit landing page was handled via a bogus site acting as a direct referrer to Terror EK.

Exploit Kit

As mentioned by Cisco Talos, Terror EK collects some information about the user such as plugins that are installed, and their version which it then sends back to its server. Compared to earlier versions of Terror EK that loaded multiple Flash files at once, it now uses a single one that can target Flash Player up to version


This campaign dropped the Neurevt bot, which downloaded a secondary payload shortly after. The malware’s purpose is to cycle through a predefined list of URLs and open a new browser window to the next URL every 90 seconds. This list is maintained via a simple user interface hosted on the same IP address as the initial redirector to the exploit kit. This makes us think that the threat actor is managing his own small operation from end to end.

All these URLs are AdFly shortened links for fake-remedy spam. AdFly typically pays you a small amount of money each time a new user clicks your link and visits the final URL. The way this business model works is by showing ads for a few seconds before allowing you to visit the URL you were looking for.

While the malware was running in our sandbox, one such ad pushed a tech support scam:

However, using this piece of malware to generate revenue via AdFly seems like a pretty inefficient method. Indeed, AdFly will very quickly detect the suspicious activity when those links are visited from the same computer at short intervals.
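The same rhythm that gives the bot away to AdFly is visible to anyone reviewing a web proxy log: one shortener link every 90 seconds from a single client, with no human jitter. The following is an added example (not code from the Malwarebytes post) that scores each client's visits to a shortener domain by how regular the gaps between them are. The log format, the `adf.ly` hostname and the sample lines are all constructed for this example.

```python
"""Flag hosts that open URL-shortener links at a fixed, machine-like cadence.

Added example, not from the original post. The log layout, the shortener
hostname and the sample entries are assumptions made for this demonstration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

SHORTENER_HOSTS = {"adf.ly"}  # assumed hostname; extend with your own list

# Constructed proxy log lines: "<timestamp> <client-ip> <url>".
# 10.0.0.5 hits the shortener exactly every 90 seconds (the bot's cadence);
# 10.0.0.9 is an ordinary user who clicked two links an hour apart.
SAMPLE_LOG = """\
2017-07-18T10:00:00 10.0.0.5 http://adf.ly/1aaaa
2017-07-18T10:00:12 10.0.0.9 http://adf.ly/1zzzz
2017-07-18T10:01:30 10.0.0.5 http://adf.ly/1bbbb
2017-07-18T10:02:10 10.0.0.5 http://news.example/story
2017-07-18T10:03:00 10.0.0.5 http://adf.ly/1cccc
2017-07-18T10:04:30 10.0.0.5 http://adf.ly/1dddd
2017-07-18T10:06:00 10.0.0.5 http://adf.ly/1eeee
2017-07-18T11:20:00 10.0.0.9 http://adf.ly/1yyyy
"""


def parse_log(text):
    """Yield (timestamp, client, host) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        host = urlsplit(parts[2]).hostname or ""
        yield ts, parts[1], host.lower()


def shortener_visits(text):
    """Group the timestamps of shortener visits per client address."""
    visits = defaultdict(list)
    for ts, client, host in parse_log(text):
        if host in SHORTENER_HOSTS:
            visits[client].append(ts)
    return visits


def find_periodic_clients(text, min_visits=4, max_jitter=5.0):
    """Return {client: mean gap in seconds} for clients whose shortener visits
    arrive at a near-constant interval (population standard deviation of the
    gaps between consecutive visits no larger than max_jitter seconds)."""
    flagged = {}
    for client, stamps in shortener_visits(text).items():
        if len(stamps) < min_visits:
            continue  # too few visits to judge a rhythm
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:
            flagged[client] = mean(gaps)
    return flagged


if __name__ == "__main__":
    for client, period in find_periodic_clients(SAMPLE_LOG).items():
        print(f"{client}: shortener link every {period:.0f}s")
```

Run against the constructed log, only 10.0.0.5 is flagged, with a 90-second period; the second client has too few visits to form a pattern. In practice you would feed it a day of proxy or DNS logs and tune `min_visits` and `max_jitter` to the noise level of your environment.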

Upon notification, AdFly terminated all the fraudulent shortened links.


Like other exploit kits, Terror EK relies on software vulnerabilities that have already been patched. The distribution we have witnessed so far has mostly been via malvertising but on a small scale.

Malwarebytes blocks Terror EK’s exploits and associated malicious traffic.

Indicators of compromise (IOCs):

Terror EK

188.226.159 .188/e71cac9dd645d92189c49e2b30ec627a/22ba13789663b77e4a7d9e849f42041f
188.226.159 .188/22ba13789663b77e4a7d9e849f42041f/683909/595c2c275d50e
188.226.159 .188/uploads/ufj.swf
188.226.159 .188/d/22ba13789663b77e4a7d9e849f42041f/?q=r4&r=3cd3ad4d7992a73038ad37c07e219138&e=cve20150313

Malware drop



Adware the series, the final: Tools section

Malwarebytes - Wed, 07/19/2017 - 15:00

So far in this series, we have handed you some methods to recognize and remediate adware. We used this diagram as a guideline.


During this journey, we have touched upon several free tools that we used to get some insight on what type of infection we were dealing with and where the adware could be hiding. Our objective has been to give you an idea of how many different types of adware are around for Windows systems. Though most are classified as PUPs, you will also see the occasional Trojan or rootkit.

This, the final part of the series, will provide you with download-locations and a description of the tools. One word of warning: even though all the tools are free for personal use, that doesn’t make them less powerful. If you want to use these tools to remediate a problem, make sure you know what you are doing or have some kind of backup at hand, in case anything goes terribly wrong. If you want to learn more about removing malware, there are several online schools that offer free malware removal training.

The tools

Process Explorer (Microsoft/Sysinternals)


We used Process Explorer to identify the process that belongs to a window and to identify parent/child processes and look at DLLs and handles. An introduction to Process Explorer and some more advanced information can be found on our blog.

Resource Monitor (Microsoft)

Built into Windows since Windows 7.

We explained how to use Resource Monitor to check which processes are connecting where.

FileASSASSIN (Malwarebytes)


FileAssassin is a tool to delete any type of locked file.

Malwarebytes anti-rootkit BETA (Malwarebytes)


Malwarebytes anti-rootkit BETA is the tool of choice when you are dealing with difficult-to-remove and even invisible infections.

FRST (Farbar)


There is a 32-bit and 64-bit version. Make sure you download the correct one for your system.

The Farbar Recovery Scan Tool (FRST) is a very useful diagnostic tool. It can also be used as a manual remediation tool, but I want to focus on reading the scan output it produces and on which sections to look at when we are searching for adware. So unless you have cured the problem using Process Explorer, MBAM, MBAR or FileAssassin, we are now going to have a look at FRST. FRST works equally well in normal or safe mode, and when a machine has boot-up problems it will even work in the Windows Recovery Environment.

The output of the FRST scans is nicely formatted in a way that makes it easy to check most of the problem areas that we have pointed out during the course of this series.

Browser sections

These are divided per installed browser and there is a general section.

==================== Internet (Whitelisted) ====================

This section contains information such as the DNS servers in use, in the format:

Tcpip\Parameters: [DhcpNameServer] {IP address 1} {IP address 2}

Tcpip\..\Interfaces\{CLSID}: [DhcpNameServer] {IP address 1} {IP address 2}

Internet Explorer:


This section has the add-ons for Internet Explorer listed in the format:

BHO: {name} -> {CLSID} -> {path + filename} [{date of install}] [{signed-by-company-name}]

It also lists other items like Startpage, Searchscopes, Handlers, Toolbars, Filters and ActiveX objects.



Firefox:

This section holds the extensions for Firefox in the format:

FF Extension: {name} – {folder to the extension} [{date of install}] [{signed-by-company-name}]

And the Plugins in these format types:

FF Plugin: @{company}/{name} -> {path + filename} [{date of install}] ({signed-by-company-name})

FF Plugin ProgramFiles/Appdata: {path + filename} [{date of install}] ({signed-by-company-name})

It also lists other information about Firefox like the Homepage, the default search engine and the presence of user.js files.



Chrome:

This section holds the extensions for each Chrome profile in these formats:

CHR Extension: ({name}) – {path to the extension folder} [{date of install}]

CHR HKLM\...\Chrome\Extension: [{extension identifier string}] – [{update_url}]

It also lists information about the Homepage and policies that may be active.



Opera:

This section holds the extensions for Opera in the format:

OPR Extension: ({name}) – {path to the extension folder} [{date of install}]

It also shows StartupUrls and StartMenuInternet where applicable.

Loaded modules

You can find some information about loaded modules in the section:

==================== Loaded Modules (Whitelisted) ==============

In the format:

{Date/time on system} - {Date/time created} - {filesize} {permissions} () {path to file}\{filename + extension}

Note: it lists only unsigned files. Even if the files are signed by known malware publishers, they will not be listed.

Scheduled Tasks

Scheduled Tasks are flagged in the Addition log of FRST in the following format:

Task: {CLSID} - System32 or Windows\Tasks\{jobname} => {path to the file}\(unknown) [date] (signature)


Services

Services are reported along with their startup method and whether they are running or not.




The startup type numbers are:







In the format:

{Letter}{number}{name of the service};{path to the file}{byte-size creation-date}{signed by}

LSP hijackers

As the order of the LSP layers is stored in the Winsock Service Provider you will find LSP entries listed in the Winsock section of a FRST log.


Winsock: Catalog5 000000000001\\LibraryPath => restored successfully (%SystemRoot%\system32\NLAapi.dll)

The catalog numbers are important to keep in mind. Whenever you want to remove a Winsock:Catalog9 entry, it is recommended to use “netsh winsock reset”. This is to avoid the user ending up with a broken internet connection. You may have to repeat this after a reboot.

DNS hijackers and proxies

On the victim’s computer there are a few options for DNS hijacks:

  • Alternative or altered hosts file. If the user has a non-standard hosts file, FRST will report in Addition.txt: “There are more than one entries detected in hosts”. This is not necessarily bad. Some security programs use the hosts file as a block-list.
  • The DNS servers are listed in the “Other Areas” section. This also requires additional research, as most DNS servers are legitimate.
  • Proxies are listed in the “Internet” section of the FRST log.

Uninstall list

Programs that are listed in the list of installed Programs and Features can be found in the “Installed Programs” section of the Addition log including “hidden” entries.


Alternate Data Streams have a special section for themselves. Note that this section is white-listed, as are many others.  The format looks like this:

AlternateDataStreams: {Path to the file}:{name of the stream} [number of bytes]


Hijackers using the Windows Management Instrumentation can be spotted in the Addition log. Example:

WMI_ActiveScriptEventConsumer_ASEC: < ===== ATTENTION
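Reading an FRST log by eye works for one machine; for a stack of them it helps to turn the line formats quoted above (BHO, FF and CHR extensions, Task, service, AlternateDataStreams, Winsock and the DhcpNameServer entry) into structured records and apply a few simple triage rules. The following is an added example written for this article, not FRST's own code and not part of the Malwarebytes series. The sample log, its paths, CLSIDs and names are constructed, and real FRST output may differ in spacing or wording, so adjust the patterns against your own logs; the triage rules (untrusted or missing signer, any Winsock entry, any ADS) are this example's own choices.

```python
"""Parse the adware-relevant entries of an FRST log into records and triage them.

Added example, not FRST's own code. Line shapes follow the formats quoted in
the article; the sample log below is constructed and the regexes are a
starting point to tune against real output.
"""
import re

# Constructed FRST-style lines; paths, CLSIDs and names are invented.
SAMPLE_LOG = r"""
==================== Internet (Whitelisted) ====================
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.2
BHO: Search Helper -> {00000000-1111-2222-3333-444444444444} -> C:\Program Files\SrchHelp\srch.dll [2017-06-01] [No File]
FF Extension: Coupon Finder - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\Extensions\coupon@example.com [2017-06-02] [Unsigned]
CHR Extension: (Ad Blocker Plus) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\abcdefghijklmnopabcdefghijklmnop [2017-06-03]
==================== Scheduled Tasks (Whitelisted) =============
Task: {12345678-ABCD-EF00-1234-56789ABCDEF0} - System32\Tasks\Updater => C:\ProgramData\Updater\upd.exe [2017-06-04] (Unknown Publisher)
==================== Services (Whitelisted) ====================
R2 SrchSvc; C:\Program Files\SrchHelp\srchsvc.exe [204800 2017-06-01] (Unknown Publisher)
S3 GoodSvc; C:\Windows\System32\good.exe [102400 2016-01-01] (Microsoft Corporation)
==================== Alternate Data Streams (Whitelisted) ======
AlternateDataStreams: C:\Users\user\Desktop\notes.txt:payload [512]
Winsock: Catalog9 000000000011\\LibraryPath => C:\ProgramData\lsp\lsphook.dll
"""

# One regex per line format described in the article. Both "-" and the
# en dash "–" are accepted as separators because extracted logs show either.
PATTERNS = {
    "dns": re.compile(r"^Tcpip\\Parameters: \[DhcpNameServer\] (?P<servers>.+)$"),
    "bho": re.compile(r"^BHO: (?P<name>.+?) -> (?P<clsid>\{[^}]+\}) -> (?P<path>.+?) \[(?P<date>[^\]]*)\] \[(?P<signer>[^\]]*)\]$"),
    "ff_extension": re.compile(r"^FF Extension: (?P<name>.+?) [-–] (?P<path>.+?) \[(?P<date>[^\]]*)\] \[(?P<signer>[^\]]*)\]$"),
    "chr_extension": re.compile(r"^CHR Extension: \((?P<name>.+?)\) [-–] (?P<path>.+?) \[(?P<date>[^\]]*)\]$"),
    "task": re.compile(r"^Task: (?P<clsid>\{[^}]+\}) - (?P<job>.+?) => (?P<path>.+?) \[(?P<date>[^\]]*)\] \((?P<signer>[^)]*)\)$"),
    # {Letter}{number}{name};{path} [{size} {date}] ({signer}); letter/number meaning as per FRST
    "service": re.compile(r"^(?P<state>[A-Z])(?P<start>\d) (?P<name>[^;]+); (?P<path>.+?) \[(?P<size>\d+) (?P<date>[^\]]*)\] \((?P<signer>[^)]*)\)$"),
    "ads": re.compile(r"^AlternateDataStreams: (?P<path>.+?):(?P<stream>[^:\[]+) \[(?P<size>\d+)\]$"),
    "winsock": re.compile(r"^Winsock: Catalog(?P<catalog>\d+) (?P<entry>\d+)\\\\LibraryPath => (?P<path>.+)$"),
}

# Signer values this example treats as untrusted (example's own choice).
UNTRUSTED_SIGNERS = {"", "No File", "Unsigned", "Unknown Publisher"}


def parse_frst(text):
    """Return a list of (kind, fields) tuples for every recognised line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        for kind, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m:
                records.append((kind, m.groupdict()))
                break
    return records


def suspicious(records):
    """Triage rules: every Winsock (LSP) and ADS entry is worth a look, and so is
    any signed-item record whose signer is missing or untrusted."""
    hits = []
    for kind, f in records:
        if kind in ("winsock", "ads"):
            hits.append((kind, f["path"]))
        elif "signer" in f and f["signer"].strip() in UNTRUSTED_SIGNERS:
            hits.append((kind, f.get("name") or f.get("job")))
    return hits


if __name__ == "__main__":
    for kind, what in suspicious(parse_frst(SAMPLE_LOG)):
        print(f"{kind:14} {what}")
```

On the constructed log this yields six items to review: the "No File" BHO, the unsigned Firefox extension, the scheduled task and service from an unknown publisher, the alternate data stream, and the Winsock catalog entry (which, as noted above, should be removed with `netsh winsock reset` rather than by deleting the entry). The Chrome extension and the Microsoft-signed service are not flagged.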


I really enjoyed sharing some of the knowledge that I gathered over the years, and I’m also glad I now have it in a relatively organized fashion. I hope you, the readers, have found it useful too. Or entertaining at least. Feel free to let us know in the comments.


Part 1

  • Identify the process
  • Clear browser caches
  • Remove browser extensions

Part 2

  • Proxies
  • Winsock hijackers
  • DNS hijackers

Part 3

  • Type of software
  • Uninstall
  • Remove file
  • Replace file

Part 4

  • Scheduled tasks
  • Services

Part 5

  • DLLs
  • Handles
  • Parent process

Part 6

  • ADS
  • Rootkits
  • Fileless infections

Part 7

  • Tools to investigate with


A week in security (July 10 – July 16)

Malwarebytes - Mon, 07/17/2017 - 19:43

Last week, we took a look at some of your malware infection stories, took a stroll through the basics of PowerShell, explored a piece of .NET malware, and shone the spotlight on the Petya ransomware family. Elsewhere, the following stories were taking place:

Latest updates for Consumers

Safe surfing, everyone!

The Malwarebytes Labs Team


Keeping up with the Petyas: Demystifying the malware family

Malwarebytes - Fri, 07/14/2017 - 16:29

On June 27, there was a huge outbreak in Ukraine of Petya-like malware with a WannaCry-style infector.

Since there is still confusion about how exactly this malware is linked to the original Petya, we have prepared this small guide on the background of the Petya family.

The origin of Petya

The first Petya ransomware was released around March 2016 by a person/group calling themselves Janus Cybercrime Solutions. This group was advertising their affiliate program, giving other criminals a chance to distribute their malware. Janus Cybercrime Solutions was also represented on Twitter by appropriate accounts, first by @janussec, and then by @JanusSecretary.

The names “Janus” and “Petya” were inspired by the James Bond movie, GoldenEye. The threat actor was consistent with the chosen theme, too—the profile picture of the linked Twitter account was from one of the characters of the movie, a computer programmer/hacker named Boris Grishenko.

Unique features

From the very beginning, Petya has been a unique ransomware because it has features that are not common for this type of malware. While most ransomware can only encrypt files one by one, Petya denies users access to the full system by attacking low-level structures on the disk.

Petya is always installed by some dropper, which is a Windows executable (on each version of Petya the dropper is replaced with a new one).

During installation, the Petya installer overwrites the disk with Petya’s kernel and boot loader. Because of this, the affected machine boots the malicious kernel instead of the legitimate OS. On the first run, it displays a fake CHKDSK screen:

Instead of checking the disk, in reality it encrypts the Master File Table (MFT) with Salsa20. This way, the ransomware makes the disk inaccessible. When encryption is finished, two screens are displayed: a blinking skull followed by the ransom demand. This is what affected system screens look like in the first version of Petya:

Official releases

So far, there are 4 releases of Petya ransomware by its original author, Janus:

  • 1.0 (Red Petya) – Attacks only MFT
  • 2.0 (Green Petya + Mischa) – Attacks either the MFT or files (which attack is used depends on the privileges with which the sample was deployed)
  • 2.5 (Green Petya + Mischa) – Same as 2.0 but with improvements
  • 3.0 (Goldeneye) – Attacks both the MFT and files, using UAC bypass to auto-elevate its privileges

Recently, Janus released the master key that can unlock all official versions described above. You can read more about it in this blog post.

These Petya releases can be identified by the theme colors. We’ve put together a small gallery below:

Red Petya

Green Petya


GoldenEye was the latest official release of Petya and was last seen around December 2016.

Unofficial releases (pirated versions)

Since Petya is powerful, other cybercriminals have been attracted to use it. However, not all of them want to join the affiliate program and pay its creator. Similar to legitimate software, Petya has pirated versions. So far, we observed two unofficial releases:

  • PetrWrap – uses Petya’s low-level component as well as a patched Petya DLL, wrapped by a new loader. It’s based on Green Petya.
  • EternalPetya – also called NotPetya, ExPetr, etc. Based on GoldenEye and used in the attack on Ukraine. The high-level layer (PE file) has been rewritten.

The pirated versions can be identified by the modified look. In both cases, the original Petya’s skull has been removed.



While PetrWrap was a fully-functional ransomware, EternalPetya seems unfinished or broken on purpose, because the Salsa key that was used to encrypt the MFT cannot be recovered. Once encrypted, data cannot be decrypted, even by the malware authors.

Same as the original GoldenEye, EternalPetya also encrypts files with the selected extensions before attacking the MFT. Files are encrypted using different algorithms and keys than the MFT (RSA + AES, while the MFT is encrypted using Salsa20). On July 4, the distributors of EternalPetya raised the ransom demand and offered to sell the private RSA key that can potentially help in unlocking encrypted files but not the MFT. Below is the message from the attackers [source]:


In addition to malware based on the original Petya, copycats have also started to appear. They have nothing in common with Petya’s code; they only try to imitate its look or some of its features. Some examples are SatanaRansomware or Petya+, a .NET imitation of Petya discovered by @LawrenceAbrams.


Ransomware piracy is becoming common, and this creates more problems for victims. Often, the authors of such pirated malware don’t care to give the data back. They just use the reputation of known ransomware to scam victims into paying. In addition to the described cases, we have also encountered several versions of pirated DMALocker, some variants of which corrupt the data, making recovery hard or even impossible.

Petya is a powerful malware. And to make things worse, it is also very easy to modify and repurpose. Even if the official line of Petya has been discontinued, we can expect the pirated versions to still be around.

This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going into the details of malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog:


A .NET malware abusing legitimate ffmpeg

Malwarebytes - Wed, 07/12/2017 - 15:00

There is a growing trend among malware authors to incorporate legitimate applications into their malicious package. This time, we encountered malware that downloads a legitimate ffmpeg. Thanks to it, this simple spyware written in .NET gained a powerful feature. Most such malware is content with sending screenshots taken periodically on the infected machine. This malware goes a step further and records full videos, spying on user activities. In this post, we will have a look at this and the other capabilities of this sample.

Analyzed samples

Downloaded plugins:

Behavioral analysis

The JS file drops the contained executable inside the %TEMP% folder and then runs it. The executable installs itself under a random name, creating its own folder in %APPDATA%. Persistence is achieved with the help of a Run key. An additional copy of the malware is also dropped in the startup folder:

During its run, the executable creates .tmp files inside its installation folder. The file content is not encrypted, and if we look inside we can notice that it is saving keystrokes and logging the running applications:

Another interesting thing we noted is that the malware downloads legitimate applications: Rar.exe, ffmpeg.exe and related DLLs: DShowNet.dll, DirectX.Capture.dll

The malware has been observed closing and deleting some applications while it is running. During the tests, it removed, for example, Process Explorer and baretail from the attacked machine.

Network communication

The malware communicates with the CnC server over TCP using port 98.

The server sends the client a command, “idjamel”, and the client responds with the basic info collected about the victim machine, such as machine name/username, the operating system installed, and a list of running processes. After the beaconing, the server sends the client the configuration, i.e. the list of targeted banks.

The bot saves the configuration in the registry:

After that, the CnC sends a set of Base64-encoded PE files. The content of each file is prepended by its name. The non-malicious helper binaries can be identified by the keyword “djamelreference”. Malicious plugins are identified by “djamelplugin”.

Downloading DShowNET.dll:

Downloading a plugin – remotedesktop.dll (e907ebeda7d6fd7f0017a6fb048c4d23):
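Because the transfers are only Base64 with a keyword and file name in front, a captured session can be carved back into the individual binaries and sorted into helpers and plugins for hashing and further analysis. The following is an added example written for this article, not code from the Malwarebytes analysis. The post does not give the exact framing between keyword, name and payload, so this example assumes a `|` separator and one transfer per line; the capture and the stand-in "PE" bodies are constructed, not the real plugins.

```python
"""Carve Base64-encoded PE transfers out of a captured CnC session.

Added example, not from the original analysis. The '|'-separated framing and
the line-per-transfer layout are assumptions; the capture is constructed.
"""
import base64
import binascii
import hashlib
import re

# Assumed frame: <tag>|<file name>|<base64 body>
FRAME = re.compile(
    rb"^(?P<tag>djamelreference|djamelplugin)\|(?P<name>[^|]+)\|(?P<b64>[A-Za-z0-9+/=]+)$"
)


def fake_pe(marker):
    """Build a minimal stand-in for a PE image: MZ header plus a marker (constructed)."""
    return b"MZ" + b"\x90" * 58 + marker


# Constructed capture of the traffic on TCP/98 after the "idjamel" beacon.
CAPTURE = b"\n".join([
    b"idjamel",
    b"djamelreference|DShowNET.dll|" + base64.b64encode(fake_pe(b"helper")),
    b"djamelplugin|remotedesktop.dll|" + base64.b64encode(fake_pe(b"plugin")),
    b"djamelplugin|broken.dll|" + base64.b64encode(b"not a pe"),
    b"something else entirely",
])


def carve(stream):
    """Return one record per well-formed transfer: name, kind, PE check, size, md5."""
    files = []
    for line in stream.split(b"\n"):
        m = FRAME.match(line.strip())
        if not m:
            continue  # beacon, config or noise; not a file transfer
        try:
            data = base64.b64decode(m["b64"], validate=True)
        except binascii.Error:
            continue  # truncated or corrupted body
        files.append({
            "name": m["name"].decode("ascii", "replace"),
            "kind": "helper" if m["tag"] == b"djamelreference" else "plugin",
            "is_pe": data[:2] == b"MZ",  # DOS header magic; cheap sanity check
            "size": len(data),
            "md5": hashlib.md5(data).hexdigest(),  # compare against known IOCs
        })
    return files


def plugins(stream):
    """Only the transfers tagged as plugins that actually decode to a PE image."""
    return [f for f in carve(stream) if f["kind"] == "plugin" and f["is_pe"]]


if __name__ == "__main__":
    for f in carve(CAPTURE):
        print(f"{f['kind']:7} {f['name']:20} pe={f['is_pe']} size={f['size']} md5={f['md5']}")
```

On the constructed capture, `carve` recovers three transfers and `plugins` keeps only remotedesktop.dll, since the third body is not a PE image. On a real capture the `md5` field is what you would match against the hash given above for remotedesktop.dll before handing the file to a decompiler.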

The ffmpeg application is downloaded from the URL (pointed by the CnC):

Following the address, we see a dummy page that may be owned by the attackers. The Facebook like button points to the account “AnonymousBr4zil”:

The bot reports to the server about the running applications, e.g. by sending the text from the title bars encoded in Base64:




Process Explorer - Sysinternals: [testmachine\tester]

Inside

Unpacking

The sample is packed with the help of CloudProtector (thanks to @MalwareHunterTeam for the tip). It is the same protector that was used in some other cases that we analyzed earlier (read more here). Just like in the previous case, it decrypts the payload using a custom algorithm and the key supplied in the configuration. Then the decrypted executable is loaded into memory with the help of the RunPE technique (also known as Process Hollowing).

The core

The unpacked payload is the layer containing all the malicious features. It is not further obfuscated, so we can easily decompile it (e.g. using dnSpy) and read the code.

We can see some classes with descriptive names, e.g. ProtectMe, ScreemCapture, SocketClient.

At first sight, we can see the purpose of this malware: spying on the user and backdooring the infected machine.

The class Form1 is the main module, responsible for communicating with the CnC and coordinating actions. It contains hardcoded data used for the malware installation and the address of the CnC server:

The victim name is copied from the binary and saved in the registry key:

If the bot detects software for e-Carte Bleue (a French payment card), it adds the corresponding string to the identifier and also sends additional information to the server:

Each module runs independently, started in a new thread:

Video recording

We can see the fragment of code responsible for downloading the ffmpeg application:

The main goal of the malware authors is to spy on the user’s banking activities. That’s why video recording is triggered when the victim opens a particular site related to online banking. The list of targets is supplied by the CnC and saved in the registry under the key “ve”, for example:

Periodically, a check is made whether a target from the list has been opened in the browser. If one is detected, the malware deploys the video recorder:

The function “VeifyingTime” compares the title bar with the supplied string.

Videos are recorded with the help of the ffmpeg application:

After that they are sent to the CnC, encoded in Base64:

The malware also has a feature of making simple screenshots, saved as JPG. The pictures and the captured logs are periodically compressed by the Rar application, and then also sent to the CnC:


The kyl class name stands for keylogger:

It has also the ability to enumerate opened windows:

This is the class responsible for creating the .tmp file that was mentioned before:

Protect Me

This class is responsible for disabling the applications that may be used to monitor malware’s activity:


The basic functionality of the bot can be extended by additional plugins, downloaded from the CnC:

In the observed case, the bot downloaded two plugins, giving it capabilities typical of a RAT:

processmanager.dll, written in 2015:

and remotedesktop.dll, written in 2016:

Unlike the main module and the previous plugin, the remote desktop plugin is obfuscated: the names of its classes and variables are no longer meaningful:


This malware was prepared by an unsophisticated actor. Neither the binary nor the communication protocol is well obfuscated, and the packer used is well known and easy to defeat. However, the malware is rich in features and appears to be actively maintained. Its capabilities for spying on the victim and backdooring the attacked machine should not be taken lightly: even a simple threat actor can cause a lot of damage when neglected.

This malware is detected by Malwarebytes as Backdoor.DuBled.

The post A .NET malware abusing legitimate ffmpeg appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Learning PowerShell: The basics

Malwarebytes - Tue, 07/11/2017 - 15:00

I bet I went about learning PowerShell the wrong way, so I may need your help, readers of this blog, if only to organize my knowledge and use it in the fight against malware rather than just to figure out how malware used it.

The first serious look I had at PowerShell was when I was trying to figure out what some piece of malware was doing. But the most important lessons I learned back then were that PowerShell is very versatile and that its execution policy hardly stops anyone from performing malicious acts on an infected computer.

Both of these properties make it a powerful weapon in the hands of hackers, pen testers, and malware authors. Given the current tendency to use legitimate tools and programs in an attack, I want to learn more about it and see how we can use it to our advantage. Sort of as white hat hackers would.

Bypassing the execution policy

The PowerShell execution policy is what controls which scripts PowerShell is willing to run on the system at hand. The possible settings can be found in this Technet article about Using the Set-ExecutionPolicy Cmdlet, where “Restricted” is the default setting on Windows client systems (Windows Server 2012 R2 and later default to RemoteSigned).

But one of the first things I noticed was how trivial it is to bypass this restriction. The execution policy is a safety feature meant to stop users from running scripts by accident; it is not a security boundary, and Microsoft does not describe it as one. The easiest way to run your script anyway is to start powershell.exe with the -ExecutionPolicy Bypass switch (or to pipe the script text into powershell.exe on standard input), which runs it without taking the configured execution policy into consideration. If the script is too complex to pass on a command line, you can Base64-encode the entire script (PowerShell expects the UTF-16LE encoding of the text) and pass it with the -EncodedCommand switch. For malware authors, this has the added benefit that it takes the average user a lot longer to figure out what was done.

Basics Cmdlets

But let's start with the basics first. PowerShell uses so-called cmdlets. A cmdlet typically performs one task and returns a .NET object that can be piped to the next command. Cmdlets are NOT standalone executables like some of the commands we used at the command prompt, but rather .NET Framework classes.

Naming convention

Windows PowerShell uses a verb-noun pair for the names of cmdlets. This makes it easy to understand what to expect: if we look at the cmdlet ConvertTo-Xml, it should be clear enough what will happen when you use it. For cmdlets that aren't so clear, or when you'd like to know more about a cmdlet or its syntax, you can use the Get-Help cmdlet (for example, Get-Help ConvertTo-Xml -Examples).


Another important thing to know about in this context, especially when reverse engineering a script, are aliases. Many cmdlets have one or more aliases: short names that invoke the cmdlet without following the verb-noun convention. For example, del is an alias for Remove-Item, and iex is an alias for Invoke-Expression. Get-Alias shows which cmdlet an alias resolves to, and running Get-Command gives you an extensive list of the cmdlets, functions and aliases available in the current session.
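As an added example (not code from the original post), here is a small helper that puts the two points above together: it builds an -EncodedCommand payload the way an attacker or admin would, decodes one the way an analyst reading a suspicious command line from a log would, and expands aliases such as gc, iex and del back to the cmdlet names they resolve to. The sample command line is constructed for this example and the function names are my own, not part of PowerShell. Alias resolution uses the alias table of the session doing the analysis, so del resolves only on Windows (it is not defined in PowerShell on Linux or macOS).

```powershell
# Added example, not from the original post.
# Encode a script the way -EncodedCommand expects it, decode it back,
# and expand aliases so an obfuscated one-liner reads as plain cmdlets.

# Attacker/admin side: -EncodedCommand takes Base64 of the UTF-16LE ("Unicode") text.
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Script)
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}

# Analyst side: reverse the encoding to get the script text back.
function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

# Replace every command token that is an alias (gc, iex, del, ...) with the
# cmdlet it resolves to in this session. Tokens are taken from the built-in
# PowerShell tokenizer, so strings and arguments are left untouched.
function Expand-PSAlias {
    param([Parameter(Mandatory)][string]$Script)
    $parseErrors = $null
    $tokens = [System.Management.Automation.PSParser]::Tokenize($Script, [ref]$parseErrors)
    $sb = [System.Text.StringBuilder]::new($Script)
    # Walk the tokens from the end of the script so the offsets of the
    # earlier tokens stay valid after each replacement.
    foreach ($t in ($tokens | Sort-Object Start -Descending)) {
        if ($t.Type -ne 'Command') { continue }
        $alias = Get-Alias -Name $t.Content -ErrorAction SilentlyContinue
        if ($alias) {
            $null = $sb.Remove($t.Start, $t.Length).Insert($t.Start, $alias.Definition)
        }
    }
    $sb.ToString()
}

# Constructed sample: the kind of one-liner a malicious document might launch.
$sample  = 'gc C:\Users\Public\stage.txt | iex; del C:\Users\Public\stage.txt'
$encoded = ConvertTo-EncodedCommand -Script $sample
"Launch  : powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand $encoded"

# What an analyst does with the Base64 blob found in a log or process listing.
$decoded = ConvertFrom-EncodedCommand -Base64 $encoded
"Decoded : $decoded"
"Expanded: $(Expand-PSAlias -Script $decoded)"
```

Run it in a Windows PowerShell 5.x or PowerShell 7 session; the last line prints the expanded form, Get-Content C:\Users\Public\stage.txt | Invoke-Expression; Remove-Item C:\Users\Public\stage.txt, which is a lot easier to read than the Base64 blob on the command line. Note that this only catches plain alias tokens: scripts that assemble command names at runtime, for instance & ('i'+'ex'), have to be evaluated or stepped through rather than merely re-tokenized.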

This was a quick summary of the working knowledge I have. Together with some de-obfuscation techniques and a lot of “looking stuff up”, it has been enough to serve my purpose of figuring out what others were doing. But I feel it's time to learn some more, and since I learn best using the hands-on method, in the next post we will be doing some basic programming.

See you then!

The post Learning PowerShell: The basics appeared first on Malwarebytes Labs.


Roundup: your malware infection stories

Malwarebytes - Mon, 07/10/2017 - 18:15

You hear the cautionary tales all the time. So-and-so didn’t have an antivirus in place and was infected with malware. Such-and-such business had limited cybersecurity infrastructure and was hit with a ransomware attack. You think: Sure, but it probably won’t happen to me. I’m a safe surfer. I’ve got good computer hygiene.

Turns out, it can happen to anyone—even those who follow cybersecurity news. A couple months ago, we sent out a survey to our newsletter subscribers with the following question:

Have you been infected with malware or ransomware? Tell us your story. How did it happen? How did you respond? What changes, if any, did you make to your cybersecurity habits afterwards?

We asked, and you answered. We want to thank all who participated and agreed to share their malware infection stories. It takes guts to come forward, but each of your contributions helps better inform all of us, whether that's by helping a newbie avoid a rookie mistake or preventing a veteran IT professional from being ensnared by cutting-edge criminal tactics.

While there were so many interesting stories to choose from, we decided to pick just a few to highlight infection methods past and present, various types of malware, and different approaches to solving the problem. [Editor’s note: These responses have been lightly edited for grammar and spelling.] Without further ado.

Cleaning up a floppy mess

This was quite a few years back. A friend of mine worked for a bank as a security officer and the bank gave me this small tower computer for free. I had just started working on computers (had a small floppy disk drive). I could not get it to boot up. I used all my known floppy disks that worked in the past, but still could not get it to boot. So I ran the usual antivirus programs (Norton and McAfee), and lo and behold, they found the virus but could not clean it.

After researching the Internet, I found another program called Trend Micro and followed their instructions, making six boot disks on another computer. I proceeded to boot the infected machine. Well, it found and cleaned the virus, which turned out to be a boot sector virus (memory resident). It infects your memory chips as well as the BIOS. I have never come across another virus like this since. And I hope to never have to deal with these new ransomware infections. That is why I use and pay for Malwarebytes today and the past few years.

Special delivery: ransomware

I was expecting a long-anticipated delivery from Federal Express when a message, ostensibly from FedEx, appeared in my inbox, telling me there was a problem with my delivery. Naturally, I opened it and found that it included a couple attachments. The body of the email informed me that additional information on the status of my delivery would be available in the attachments. Even though both attachments had unusual extensions, I fell for it and clicked on one of the attachments. Too late. The virus encrypted a huge number of files and tagged them with a label called Osiris. Everything was backed up on the cloud so I didn’t pay, but it took days to restore my files. The next day, I purchased Malwarebytes and wiped the virus off my system. I should have made the purchase immediately because it takes hours and hours for the virus to work its way through the computer, encrypting files as it goes. It’s kind of like cancer: If you start treatment early enough, you can save yourself a lot of misery.

Total restore

It started with getting a message every morning that I could not send data. I started researching. My virus software was current and not reflecting any problem. My CCleaner would no longer work, and my computer was password protected. But I had virtually been locked out of using my computer. I no longer could change any settings, could not do a system restore, could not go into safe mode, the computer would not defragment—nothing. I could not change network settings; everything had been overridden, and I did not have permission to change anything. Even my email accounts could not be used. Many nights and weekends were spent [figuring it out]. I had to disconnect the Internet so no one could access.

Finally, Microsoft recommended Malwarebytes. I purchased and downloaded it. It immediately found severe Trojans and viruses. Although it was able to contain and give me a little access to things, after consulting with an IT professional, I ended up having to restore my computer to factory condition. I had to purchase a lot of new software, but thankfully I had an external drive which I did not keep hooked up to the computer where I had saved all my important documents and pictures. Malwarebytes got me back on the road to recovery, so to speak, and I shared my story and recommendations with others.

Navy files for ransom

I was infected with ransomware a number of years ago when I was the national president of a US Navy organization. My whole computer was corrupted, and they sent me a link with instructions on how to recover my files. I notified the FAA about my problem, and they said do not pay. I called Microsoft for help and they wanted my desktop at their shop. They had it for 10 days. I had been backing up my system weekly, but kept my external hard drive on. I lost the files, but hope to recover them someday. I now back up weekly but unplug and turn off my new hard drive. I also purchased Malwarebytes on the recommendation of my computer guru, who has 35 years of computer experience. BTW, the instructions were to purchase bitcoins from Europe.

Rage against the ransomware

Roughly seven years ago, I got hit by ransomware. Everything, even the restore files, refused to load. It was everywhere and was demanding money. I had no idea what to do and neither did anyone else, including a computer expert. It was completely hopeless. My despair, grief, and rage over what had been done to me for no reason was useless against it. My wife at the time had not been hit, and she researched online to discover an answer recommending Malwarebytes. We followed the steps, and Malwarebytes wiped it out in less than one minute. Ever since, I have been a firm believer in Malwarebytes, and every computer I have had since then has used it. The peace of mind knowing I have the most powerful and, in my case, proven cybersecurity money can buy means my computer is one thing I do not have to worry about.

Social media psych-out

I was on Facebook watching a video a friend posted. Then my screen went to a Microsoft page and said you've been infected with the Lazarus virus. At the same time, my phone rang. The web page asked if I wanted to talk to a specialist, and before I could click it, the voice on the phone said, “I'm from Microsoft, and we have taken over your computer. Let us fix your problem.”

I shut down my Facebook and did a free Malwarebytes and Avast scan. But it was too late: They had compromised my tower computer. I then took it to my computer expert. He installed a new hard drive and instructed me to buy Malwarebytes. He installed free Avast. I have no idea how they got my phone number or name. No idea how all this happened, but it wiped out all my sites and financials.

Roku scam

I have a Roku device on one of my TVs, and I installed a second device on the TV that my wife watches most of the time. I was having problems with the installation. (My fault, as I had mistakenly covered the sensor, and the unit was not responding to the remote.) After changing batteries with no results, I decided to call Roku. I got a number from Google on my cell phone, and hit dial. Instead of dialing the number listed, another number was dialed, and I got an operator (with a very hard to understand accent). She directed me to go to my computer, as she said that the problem was not with the Roku device but in my computer network. (I should have known better).

The operator then directed me to let her have control of my computer to see what the problem was, and soon stated that the computer was infected with ransomware. She showed me a screen that supported her claim that ransomware was present. She then told me that it would be $149 to fix the problem, and when I was hesitant, she told me it would be over $1,000 to fix it if I let it go. I hung up the phone and called a person who helps with IT problems, and he told me that it was a scam, and that I needed to run my Malwarebytes program to make sure that nothing was infecting my computer.

Fortunately, nothing was found. I also figured out my problem with the Roku, and it is fine. However, this goes to show how dangerous the environment is and how easily an unsuspecting person can be fooled and taken in by one of the scams that are out there.

Karma chameleon

One time, I got one from an email. Now, I usually am safe from that vector, but I had just installed WhatsApp earlier that day. The email, from everything I could see, seemed to legit come from WhatsApp. They were supposedly testing a new version of the app with video calling, and when I looked through the news, rumors abounded that they were actually doing that, and indeed as time has shown, they were. So, it looked totally legit from every angle I could find. I downloaded the file and installed it. Suddenly, my default search provider changed in all my browsers (Chrome, Firefox, Opera, IE, and Edge) to something I’ve never heard of before or since. I tried to Google search the provider, but all search engines other than them were now blocked. I looked them up on my phone and found out it was part of a virus. Oh boy, what have I done now?

Now the infection was in high gear, popping up error messages through Windows itself, telling me each of the programs I had open was allowing virus traffic through and closing them without my choice. Then it stopped allowing me to open any program. This included Malwarebytes. (Or so they thought.)

Eventually, it really went nuts and restarted the computer to install a rootkit. I got it to start up in safe mode without networking in case it was receiving instructions from somewhere else. This did slow it down for sure. Then I pulled the trump card: Malwarebytes Chameleon mode. It opened as a help file instead of as a program. It found the culprit, including the rootkit. It got the whole infection in one go. I was almost back. This time when I restarted, I did so in safe mode with networking. Then I opened all browsers and removed the new homepage and search engine, setting them back to how they were supposed to be. No trace left of that malware. Thanks, Malwarebytes. You earned my money that day for sure. You saved my bacon.

The post Roundup: your malware infection stories appeared first on Malwarebytes Labs.


A week in security (July 03 – July 09)

Malwarebytes - Mon, 07/10/2017 - 17:18

Last week, we released our second quarter Cybercrime Tactics & Techniques report, where we revealed that ransomware outbreaks were dominant during this quarter. You can read the full report on the post below:

Report: Second quarter dominated by ransomware outbreaks

Our researchers continue to share our findings on EternalPetya, the malware that made headlines across the globe due to its similarities with WanaCryp0r (a.k.a. WannaCry). In case you don't want to read all our blog posts, we made a summary post of what we know so far about EternalPetya and the attack.

Meanwhile, Senior Security Researcher Jérôme Segura revealed that threat actors behind malvertising campaigns may be using such outbreaks as a diversion from their schemes. At least that was what the group called AdGholas was doing. Segura saw a new wave of drive-by download attacks pushing the Astrum exploit kit.

Below are notable news stories and security-related happenings from last week:

Latest updates for Consumers
  • Hackers Find ‘Ideal Testing Ground’ For Attacks: Developing Countries. “Security researchers are increasingly looking in countries outside the West to discover the newest, most creative and potentially most dangerous types of cyberattacks being deployed. As developing economies rush to go online, they provide a fertile testing ground for hackers trying their skills in an environment where they can evade detection before deploying them against a company or state that has more advanced defenses.” (Source: The New York Times)
  • Senators Introduce ‘Cyber Hygiene’ Bill. “The Promoting Good Cyber Hygiene Act, introduced by Hatch and Sen. Ed Markey (D-Mass.), would direct the National Institute of Standards and Technology to establish a set of baseline voluntary best practices for safeguarding against cyber intrusions that would be updated annually.” (Source: The Hill)
  • Windows 10 Will Use Protected Folders To Thwart Crypto Ransomware. “Windows 10 Fall Creators Update (the next major update of Microsoft’s popular OS) is scheduled to be released in September, and will come with major new end-to-end security features. As announced last week, the Enhanced Mitigation Experience Toolkit (EMET) is making a partial comeback, along with new vulnerability mitigations, in a new feature called Windows Defender Exploit Guard.” (Source: Help Net Security)
  • SLocker Mobile Ransomware Starts Mimicking WannaCry. “The SLocker family is one of the oldest mobile lock screen and file-encrypting ransomware and used to impersonate law enforcement agencies to convince victims to pay their ransom. After laying low for a few years, it had a sudden resurgence last May.” (Source: Trend Micro’s TrendLabs Security Intelligence Blog)
  • Now Criminals Are Ringing Up British MPs To Ask Them Their Passwords. “Hot on the heels of reports that the passwords of British politicians and their staff are being sold on the web by criminals, and an attack on the Houses of Parliament’s email system, it has now been revealed that some MPs have been receiving some rather phishy phone calls.” (Source: Graham Cluley’s Blog)
  • ‘Smishing’ Scams Target Your Text Messages. Here’s How To Avoid Them. “While the name of this growing threat might sound funny, being a victim of it is no joke. Similar to a “phishing” scam — where computer users receive an authentic-looking email that appears to be from their bank, Internet Service Provider (ISP), favorite store, or other organization – ‘smishing’ messages are sent to you via SMS (text message) on your mobile phone.” (Source: USA Today)
  • 65% Of Major US Banks Have Failed Web Security Testing. “Websites run by some of the largest banks in the US have scored the poorest in a new security and privacy analysis audit. The non-profit Online Trust Alliance (OTA) Alliance anonymously audited more than 1,000 websites, ranking their security and privacy practices. None of the sites investigated knew about the test.” (Source: IBS Intelligence)
  • Horcrux Is a Password Manager Designed for Security and Paranoid Users. “Two researchers from the University of Virginia have developed a new password manager prototype that works quite differently from existing password manager clients. The research team describes their password manager — which they named Horcrux — as “a password manager for paranoids,” due to its security and privacy-focused features and a unique design used for handling user passwords, both while in transit and at rest.” (Source: Bleeping Computer)
  • Why Kodi Boxes Can Pose A Serious Malware Threat. “When new streaming devices, such as the Amazon Firestick and Apple TV, were first introduced, many were intrigued by the ease by which they could watch ‘over the top’ content from the Internet, such as Netflix or Hulu, on their living room televisions.” (Source: Help Net Security)
  • As World’s Largest Dark Web Market Vanishes, Dodgy Links Promise A Way Back In. “On Wednesday, AlphaBay, the largest market on the dark web disappeared. Since AlphaBay is wholly inaccessible, customers and vendors are locked out of their accounts, and, perhaps more importantly, cut off from any bitcoins they stored on the site. In order to purchase items on AlphaBay, users need to send bitcoins to the site’s own wallets.” (Source: Motherboard)


Latest updates for Businesses
  • U.S. Warns Businesses Of Hacking Campaign Against Nuclear, Energy Firms. “Since at least May, hackers used tainted ‘phishing’ emails to ‘harvest credentials’ so they could gain access to networks of their targets, according to a joint report from the U.S. Department of Homeland Security and Federal Bureau of Investigation.” (Source: Reuters)
  • Basic Cybersecurity Hygiene Tips Are Ransomware Vaccine. “Some companies that were hit told their employees to not use internal information technology systems and shut down email. Although that may be one way to halt the cyberattack’s spread, companies can take other steps to maintain business continuity and help lessen the impact of any future attack, the pros said.” (Source: Bloomberg BNA)
  • Six Things to Do to Secure Your Linux System. “I bring this up only to illustrate that the next malware round can strike at anytime and on any platform. In fact, on Tuesday, at the same time Petya was wreaking havoc on Windows, a patch was made available for a vulnerability in systemd, the default init system in most modern Linux distributions, that could be leveraged by remote attackers to run malicious code by using a specially crafted DNS response.” (Source: Windows IT Pro)
  • Small Businesses ‘Dying’ Because Of Cyber Threat. “The managing director of a major cyber security player has warned small businesses to take the cyber threat more seriously. Paul Harris, managing director of Manchester-based Secarma, says that half of all cyber-attacks are upon small firms which could be destroyed overnight.” (Source: Business Cloud)
  • IoT Fuels Growth Of Linux Malware. “Malware targeting Linux systems is growing, largely due to a proliferation of devices created to connect to the Internet of Things. That is one of the findings in a report WatchGuard Technologies, a maker of network security appliances, released last week.” (Source: Linux Insider)
  • At $30,000 For A Flaw, Bug Bounties Are Big And Getting Bigger. “Hackers are being paid as much as $30,000 for finding a single critical flaw in a company’s systems, and the amount companies are willing to pay is increasing. While the use of such bug hunting programmes is still limited, some large organisations are offering hackers rewards for spotting flaws in their systems.” (Source: ZDNet)
  • Don’t Fear GDPR – It’s The Key To Create A Culture Of Secure IT. “Many organisations are looking to bring their cyber procedures and capabilities up to scratch ahead of its becoming enforceable, May 2018. But, with an evolving IT threat landscape, new technologies introducing new risk, and a cyber-skills deficit, it’s important that CIOs and IT directors not only focus on this critical deadline but also look beyond it.” (Source: SC Magazine UK)


Safe surfing, everyone!

The Malwarebytes Labs Team

The post A week in security (July 03 – July 09) appeared first on Malwarebytes Labs.


Report: Second quarter dominated by ransomware outbreaks

Malwarebytes - Thu, 07/06/2017 - 19:06

The second quarter of 2017 brought ransomware to unprecedented levels, with worldwide outbreaks that went almost out of control. In scenarios reminiscent of yesteryear's worms, WannaCry created global panic as it used a critical vulnerability in the SMBv1 protocol to propagate like wildfire.

Within hours, hundreds of thousands of machines in over 150 countries were infected and as investigations into the attacks went on, it was discovered that other threat actors had also been leveraging the leaked government-created exploits.

Ransomware continued to be the most distributed type of malware, topping 70% of all threats in June with the likes of Cerber, Troldesh, and Jaff. Interestingly, we witnessed other payloads delivered alongside ransomware, infecting users with Cerber, Kovter, Nymaim, and Boaxxe all at once.

In this report, we will provide a quick update on the ransomware that does not want to die off, namely Locky, and also review the latest outbreak with the rebranded Petya that wreaked havoc in Ukraine and affected several multinational companies.

With all this ransomware buzz, we can’t forget about the “other threats” which, as a matter of fact, were also somewhat influenced by the aforementioned events. Malvertising was the major engine behind drive-by download attacks that leveraged various exploit kits, most notably RIG EK, Magnitude EK and Astrum EK.

We noted new and somewhat unexpected tech support scam campaigns, for instance the use of spam and fake Amazon notifications. Typically those come with malicious attachments, but in this instance they contained links that ultimately locked up the user's browser and urged them to dial the so-called Microsoft technicians.

Finally, this report wouldn’t be complete without our usual Researcher Spotlight section, featuring Jean-Philippe ‘Tinfoil Hat’ Taggart.

Download full report here

Thanks for reading and safe surfing!

The post Report: Second quarter dominated by ransomware outbreaks appeared first on Malwarebytes Labs.


All this EternalPetya stuff makes me WannaCry

Malwarebytes - Thu, 07/06/2017 - 18:15

Another week goes by and yet again we have another ransomware family spreading via the leaked NSA toolkit that was published months ago by the notorious hacking group that goes by the name ShadowBrokers.

Security researchers can’t seem to catch a break when it comes to holidays and significant malware variants being unleashed to the wild. While many of us may have been enjoying the nice summer holiday or celebrating American Independence Day by blowing up small pieces of it, @hasherezade was hard at work deconstructing this particular piece of code and filling us in on the technical details and discoveries as they were being made.

We’ll take what we know and what we’ve learned and try to summarize the mind-boggling technical information into a simple structure that even my dear mother will be able to understand (love you, Mom!).


So what happened?

Sometime prior to June 27th, Ukrainian software company M.E.Doc was reportedly infiltrated by an unknown group of hackers. The attackers managed to remain undetected within the company network for an (as of yet) unknown period of time and were able to leverage a number of resources to eventually grant themselves access to the source code and update mechanisms of the widely used M.E.Doc software.

M.E.Doc makes and distributes accounting software that is targeted primarily towards Ukrainian residents and business entities, as well as a few others outside of the national boundaries. There are reports that this software is government mandated within Ukraine, although we can find no factual reference for this claim. Regardless, the software is used by a significant percentage of the Ukrainian population and a number of organizations outside of Ukraine.

Using the systemwide access afforded with the previous breach of the M.E.Doc system, the attackers were able to spend some time to understand the network infrastructure and to become familiar with the M.E.Doc sourcecode.

On June 27th, the attackers used the software update mechanisms of the M.E.Doc software to distribute a newly compiled version of the popular accounting software that contained malicious code which infected systems with a ransomware variant. Any system configured to automatically perform updates would have been infected without any user interaction required.

Once infection occurs, the code is configured to use the same EternalBlue and DoublePulsar modules that were used in the WannaCry incident to spread to other vulnerable systems on the network. This allows the malicious code to infect not only machines utilizing the M.E.Doc software but also any other machine on the network.

In addition to EternalBlue, third-party researchers uncovered the use of another leaked, NSA-derived exploit, EternalRomance, which also targets SMBv1. Separately from these exploits, the malware spreads inside the network with credentials harvested from the infected machine, executing itself on other hosts through a bundled copy of the PsExec tool and through the built-in Windows management interface WMI. In essence, this allows the malware to reach all machines it can authenticate to, even ones patched against the SMB exploits, which would include any home machine connected to the enterprise network via VPN.

After a susceptible machine has been infected with the ransomware, the malware encrypts user files from within Windows, then overwrites the Master Boot Record (MBR) with its own boot code. After the forced reboot, that boot code encrypts the Master File Table (MFT) and displays the ransom note instead of starting Windows.

The MBR holds the first code the PC runs after the power button is pressed, which is what starts the operating system; the MFT is the NTFS index that records where every file is located on disk. With the first replaced and the second encrypted, the computer can neither boot properly nor find its files.


Why the strange name for the malware?

As researchers began understanding the code, all sorts of various names were thrown out as a means to name the malware family. NotPetya, Expetr, EternalPetya, and even simply Petya have all been used to describe the malware. It seems strange that so many researchers came up with a similar naming convention, but here is where this particular infection gets interesting.

This specific methodology of infection is characteristic of the Petya ransomware family. Furthermore, the language of the ransom note, plus information within the decompiled malware code, led researchers to initially suspect that the same malware author had been responsible for both variants. But as researchers further dissected the code, a few key differences began to emerge.

First, EternalPetya differs from the original Petya in that the newly discovered code uses the NSA-derived EternalBlue, DoublePulsar, and EternalRomance modules to spread to connected machines on the network. This would have been a new evolution in the propagation methodology of the original Petya.

Second, the malware appeared to be an edited version of the Petya ransomware rather than a newly compiled version. @hasherezade did a terrific job of breaking this all down in the post titled EternalPetya Yet Another Stolen Piece in the package.

In the post, @hasherezade explains that the original Petya ransomware code has been carefully modified, rather than compiled from scratch, to allow reuse of the previous malware code. This has a number of advantages for the new author, such as a decreased workload compared to writing ransomware from the ground up, and helping to misdirect attribution by (among other things) excluding possible language clues that we have seen with other strains.

Third, the self-proclaimed author of the original Petya ransomware family, @JanusSecretary, posted to a dormant Twitter account, claiming: “we’re back havin a look in “notpetya” maybe it’s crackable with our privkey”



This, along with the information that the original malware had been edited rather than compiled, leads to the conclusion that Janus was not likely involved with the dissemination of the code, but rather merely a scapegoat for the EternalPetya authors.


If not @JanusSecretary, who can we blame?

As is typical with these sorts of malicious malware strains, attribution can be difficult if not impossible. Malware authors take significant steps to cover their tracks and utilize a number of anonymizing services to hide their origin, intent, and methodologies.

Tor, proxies, and VPNs are used to conceal identifying connection information. Bitcoin and other digital currencies are used to conceal payment information. Cryptocurrency tumblers are used to mix up digital currency transactions, thus confusing the trail back to the original source. And in at least this case, a well-known ransomware family was ripped off as a means to confuse attribution with its original author.

While we can’t fully rule out involvement in EternalPetya by @JanusSecretary, the available information suggests this is unlikely. There would have been no need to go through the trouble of modifying the original malware binary when a new variant could more easily have been compiled with the new information.

So who else could it have been?

It’s all the rage these days to blame Russia for anything and everything related to malicious activity, and the Ukrainian government wasted no time in doing so.

On July 1st, the Ukraine State Security Service, SBU, claimed that the same hackers who attacked its power grid in December 2016 were also responsible for the EternalPetya outbreak. The Ukrainian government was quick to blame Russia for the EternalPetya attack, but a spokesman for the Kremlin dismissed the claims as “unfounded blanket accusations”. The Russian government also pointed out that its own companies were impacted by the attack including Russia’s state-owned oil company, Rosneft, and Russian steel maker, Evraz.

Indeed, we have found no indications that EternalPetya was a Russian or state-sponsored attack, and we have seen no Indicators of Compromise (IOCs) suggesting otherwise.

Rather, the most plausible explanation is that a group of sophisticated attackers managed to gain access to a widely used software company and used that access to distribute a modified version of a known ransomware variant as a means to extort payments from infected users.

While this is little more than speculation at this point, all indicators point to this being the most plausible explanation.

unoptimized code is an indicator of re-use


Can the encrypted files be retrieved?

In short, probably not. As with the WannaCry outbreak, the authors of this malware variant made some critical mistakes in the payment and decryption methodologies. As @hasherezade points out in the post titled EternalPetya and the lost Salsa20 key, ‘after being read and used for the encrypting algorithm, the stored Salsa key is erased from the disk’.

In previous Petya versions, the Salsa key, essentially the key that locks or unlocks the contents, was encrypted with the attacker’s public key and converted to a hashed string. This meant that although the Salsa key was erased from disk, as we’ve seen with EternalPetya, the key was still available to the attackers, who held the private key needed to decrypt it.

In essence, the authors of the EternalPetya variant erased the key that was vital in decrypting the files, thus leaving the decryption of files highly unlikely.

This flaw with the decryption key is what caused the initial debate over whether this particular variant should be called a ‘wiper’ or ‘ransomware’. Regardless of the designation, victims are paying a ransom in the hope of recovering their files. There is no guarantee that payment will restore files, and those who pay always gamble on this risk. This is, by definition, the behavior of ransomware.

In addition to that, the email address that the attackers configured the malicious code to display has since been terminated by the email provider. This leaves no ability for infected users to contact the attackers and arrange for the decryption of files.

So unless a future decryptor emerges that utilizes a master key or a flaw in the encryption routine, it remains unlikely that infected users have a means to restore their files.


So then, what’s next?

On July 3rd, the head of Ukraine’s Cyber Police suggested that M.E.Doc is under investigation and will potentially face charges related to the incident. As reported by APNews: Col. Serhiy Demydiuk, the head of Ukraine’s National Cyber Police unit, said in an interview with The Associated Press that Kiev-based M.E. Doc’s employees had blown off repeated warnings about the security of their information technology infrastructure.

“They knew about it,” he told the AP. “They were told many times by various anti-virus firms. … For this neglect, the people in this case will face criminal responsibility.”

On July 4th, Ukrainian federal police seized several computer servers used by M.E.Doc. Video quickly appeared online reportedly showing the Ukrainian federal police storming the M.E.Doc facility and establishing control over the property. While I admittedly don’t speak Ukrainian, and for all I know these guys could be talking about rescuing kittens, I believe this video to accurately depict the raid on the M.E.Doc facility.


Additionally, as of this writing, the M.E.Doc website is offline as are the other domains listed as using the same IP. For all intents and purposes, at least for the time being, M.E.Doc may be done operating as a software entity.

It would be important to note that current M.E.Doc users shouldn’t use or upgrade the software until further notice, but with the developments surrounding the confiscation of the M.E.Doc servers, I’m not sure users should be holding their breath in anticipation.


What did we learn?

Apparently, we learned little from the WannaCry outbreaks of months past. While the crafty infection of the M.E.Doc servers indeed provided a unique distribution method, the successful use of the NSA-derived exploits leaves little excuse for the infection of network-connected machines.

It begins to get difficult to have sympathy for apathetic I.T. admins who have failed to apply available updates to address the vulnerabilities targeted within the EternalBlue, DoublePulsar, and EternalRomance exploits. These issues have been thoroughly discussed and have garnered worldwide attention.

Mitigation techniques exist for all of the exploit-driven distribution methodologies and include everything from applying Microsoft updates to manually disabling SMB functionality.

We could recommend to these I.T. admins that had they been equipped with Malwarebytes Endpoint Protection, which includes anti-exploit and anti-ransomware technologies, they would have protected their users from this sort of attack – but honestly, I’m not sure they would listen even if we did.

So instead, we’ll focus our message on the loyal readers of this blog and on people like my dear mother, who need to understand that malicious attacks can come from any avenue and at any time. Never take the security of the data on your machine for granted, as you may wake up one morning to find all of your most valuable documents either held ransom or, worse, completely unrecoverable no matter how much money is paid.

Ensure that valuable documents are routinely backed up and saved to offline or cloud storage solutions. And ensure that you use a reliable and technically advanced security product such as Malwarebytes to help protect your sensitive information and ensure you don’t fall victim to this sort of devastating attack.

While it may not be the most ideal solution, a strong defensive strategy is best in the current age of highly evolving and sophisticated malware that is capable of destroying all of your most important files in a matter of seconds.

The post All this EternalPetya stuff makes me WannaCry appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The key to old Petya versions has been published by the malware author

Malwarebytes - Thu, 07/06/2017 - 17:06

As research concluded, the original author of Petya, Janus, was not involved in the latest attacks on Ukraine. His original malware was pirated and extended by an unknown actor (read more here). As a result of the recent events, Janus probably decided to shut down the Petya project. Similarly to the authors of TeslaCrypt, he released his private key, allowing all the victims of the previous Petya attacks to get their files back.

(The author of Petya has been known for previously leaking the keys of his rival, Chimera ransomware – details here).

What exactly happened?

Yesterday, Janus made a public announcement on Twitter:

The message contained a link to the file, hosted at service.

The linked file was encrypted and password protected:

After guessing the password and decrypting the package with the help of openssl, I got the following plaintext:

Congratulations! Here is our secp192k1 privkey: 38dd46801ce61883433048d6d8c6ab8be18654a2695b4723 We used ECIES (with AES-256-ECB) Scheme to encrypt the decryption password into the "Personal Code" which is BASE58 encoded.

The verification process will take some time, but so far it seems that this is Janus’ private key for all the previous Petyas.

Can it help in case of EternalPetya/NotPetya?

This key cannot help in case of EternalPetya, since, in this particular case, the Salsa keys are not encrypted with Janus’ public key, but, instead of this, erased and lost forever (read more). It can only help the people who were attacked by Petya/Goldeneye in the past.

What is the value added by having this key?

Just to recall, the first version of Petya, Red Petya, was successfully cracked by leo_and_stone. Based on his work, various decryptors have been released, e.g. the antipetya live CD.

The error in the second version, a.k.a. Green Petya, revealed by me, was not as severe. Yet it allowed for writing a brute-forcer. Thanks to the GPU-based solution implemented by procrash, the process of cracking the Salsa key was reduced to 3 days.

Higher versions fixed the flaws to an extent making cracking of the Salsa key no longer possible.

Thanks to the currently published master key, all the people who have preserved the images of the disks encrypted by the relevant versions of Petya, may get a chance of getting their data back.

Further research related to the verification of the obtained material and the decryptor is in progress. We will keep you updated, please stay tuned!


Goldeneye – the last Petya version released by Janus:

Goldeneye Ransomware – the Petya/Mischa combo rebranded


This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going in details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordp.

The post The key to old Petya versions has been published by the malware author appeared first on Malwarebytes Labs.


AdGholas malvertising thrives in the shadows of ransomware outbreaks

Malwarebytes - Wed, 07/05/2017 - 16:05

The latest wave of ransomware following the WannaCry outbreak has kept everyone very busy and been the topic of many conversations. In the meantime, other threat actors have been quite active and perhaps even enjoyed this complimentary diversion. This is certainly true for the most prolific malvertising gang of the moment, dubbed AdGholas.

Exposed a few times this year by ProofPoint and TrendMicro, AdGholas is playing a whack-a-mole game with the ad industry to distribute malware onto unsuspecting users with the help of the Astrum exploit kit.

A master of disguise, AdGholas has been flying right under the nose of several top ad networks while benefiting from the ‘first to move’ effect. Indeed, the malvertising operators are able to quickly roll out and activate a fake advertising infrastructure for a few days before getting banned.

On June 28 (about ten days after it was last publicly reported), we started seeing a new wave of drive-by download attacks distributed globally pushing the Astrum exploit kit. Sure enough, it was associated with AdGholas activity via a decoy website. Behind the fake ad banners for ‘expert essays’ designed to trick ad agencies lay code to exploit and infect users who simply happened to visit popular websites.

The fraudulent website expert-essays[.]com, which was registered June 22, is using a certificate from Let’s Encrypt, and is a replica from There are only a few minor visual differences between the two, and a cursory review would reveal the copycat. However, it is easier said than done in an industry dominated by automation and volume.

After getting caught, AdGholas came back up again on July 1st and 2nd – perhaps a long holiday week-end in the US may have seemed like the right timing – via a new decoy site, jet-travels[.]com, with the same modus operandi:

From AdGholas to Astrum EK

We collected artifacts that show us the redirection between the AdGholas group and the Astrum exploit kit. This kind of redirect is highly conditional in order to evade the majority of ad scanners. While many malvertising actors do not care about cloaking, it is very important to others such as AdGholas because stealthiness is a strength that contributes to its longevity.

The redirect tag hosted on expert-essays[.]com loads a landing page for the Astrum exploit kit with:

[“javascript:%27<meta http-equiv=refresh content=\\\”0;url=”,”\\\”>%27″,”https:\/\/\/7pkzi\/-fb2j5s48sv4b\/nlo17hdt0cexguqnir\/kqh-xya-c6do32smjwh9mnc0″,”ae0a5bca85a8f0e1″]
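The tag above is a three-piece string that a browser glues into a javascript: URL carrying a zero-delay meta refresh to the exploit-kit landing page. The following Python is an added example, not code from the post or from AdGholas, that rebuilds such a tag and flags the traits a malvertising scanner would look for; the sample tag is constructed and its landing host is a placeholder.

```python
"""Added example (not the post's or AdGholas's code): inspect an ad tag that
assembles a javascript: URL with an embedded <meta http-equiv=refresh>, the
structure quoted in the post. The sample tags below are constructed."""
import json
import re
from urllib.parse import unquote, urlsplit

# Constructed sample modelled on the tag quoted in the post:
# [prefix, suffix, landing URL, token]. The host is a placeholder.
SAMPLE_TAG = json.dumps([
    "javascript:%27<meta http-equiv=refresh content=\"0;url=",
    "\">%27",
    "https://shadowed-host.invalid/7pkzi/-fb2j5s48sv4b/nlo17hdt0cexguqnir/kqh-xya-c6do32smjwh9mnc0",
    "ae0a5bca85a8f0e1",
])
# Constructed benign control: an ordinary creative URL with no redirect trick.
BENIGN_TAG = json.dumps(["https://ads.example.invalid/creative/banner-300x250.html"])

META_REFRESH_RE = re.compile(
    r"<meta\s+http-equiv=['\"]?refresh['\"]?\s+content=['\"]?\s*(\d+)\s*;\s*url=", re.I)


def assemble(parts):
    """Rebuild the URL the tag produces: prefix + landing URL + suffix, with the
    %27 (single quote) escapes decoded the way the browser decodes them."""
    if len(parts) < 3:
        return parts[0]
    prefix, suffix, target = parts[0], parts[1], parts[2]
    return unquote(prefix) + target + unquote(suffix)


def analyse_redirect_tag(tag_json, tag_host):
    """tag_host is the host serving the tag (the decoy site in the post).
    Returns the landing host/path and the reasons the tag looks like a
    conditional exploit-kit redirect rather than an ordinary creative."""
    parts = json.loads(tag_json)
    uri = assemble(parts)
    target = parts[2] if len(parts) >= 3 else parts[0]
    split = urlsplit(target)
    findings = []
    if uri.lower().startswith("javascript:"):
        findings.append("javascript: scheme in ad tag")
    m = META_REFRESH_RE.search(uri)
    if m:
        findings.append("meta refresh embedded in ad tag")
        if int(m.group(1)) == 0:
            findings.append("zero-delay refresh (instant redirect)")
    # A cross-host hop alone is normal for ads; it only counts alongside the others.
    if split.hostname and split.hostname != tag_host:
        findings.append(f"redirect leaves the tag host for {split.hostname}")
    return {
        "landing_host": split.hostname,
        "landing_path": split.path,
        "findings": findings,
        "suspicious": len(findings) >= 2,
    }


if __name__ == "__main__":
    for label, tag, host in (("sample", SAMPLE_TAG, "decoy-site.invalid"),
                             ("benign", BENIGN_TAG, "ads.example.invalid")):
        result = analyse_redirect_tag(tag, host)
        print(label, result["suspicious"], result["findings"])
```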

The group behind Astrum EK is also very sneaky, making good use of SSL, domain shadowing and other server side tricks that render traffic collection and replay a challenge. In the current exploit kit landscape, domain shadowing has been slowed down and the popular RIG EK is mainly resorting (other than for a few exceptions) to IP addresses, in lieu of shadowed domains. As far as serving the content, plain HTTP is the norm, setting Astrum EK apart from the rest.

For a long time banking Trojans were the payload of choice for Astrum EK. This seemed to fit in with the elusive and muffled nature of the exploit kit. However, according to ProofPoint, new AdGholas/Astrum infection chains have recently been dropping ransomware. Although it’s a change from those threat actors’ style, cashing in on the ransomware frenzy makes sense.

Containment and protection

Malvertising continues to affect users on a large scale and is a relied upon infection vector for threat actors. The recent and renewed activity from sophisticated groups like AdGholas is something to watch out for in a drive-by landscape dominated by malvertising-borne attacks more so than from compromised sites.

Ad-blockers are one of several layers end users can rely on, but it is worth noting that even ad-blockers can be bypassed and do not fix the most common underlying issue which is outdated software. In other words, patching machines regularly immediately raises the difficulty level for an attacker to compromise your system. However, knowing that threat actors like AdGholas and Astrum EK are advanced and have employed zero-days, it is also important to use a signature-less and proactive defense to handle those cases.

We’re happy to report that Malwarebytes users were protected against these malvertising campaigns already.

Indicators of compromise (IOCs)


expert-essays[.]com jet-travels[.]com

Astrum Exploit Kit:


The post AdGholas malvertising thrives in the shadows of ransomware outbreaks appeared first on Malwarebytes Labs.


A week in security (June 26 – July 02)

Malwarebytes - Mon, 07/03/2017 - 19:24

Last week, we offered our readers tips on how to detect phishing attempts, gave an overview of Google’s Be Internet Awesome campaign, supplemented an ongoing series on adware, and introduced the Malwarebytes Endpoint Protection to those who aren’t already in the know.

We also pushed out a number of blog posts revolving around the latest ransomware outbreak that hit the EU: EternalPetya. You can read more about it in these posts:

Mobile Menace Monday: Fake WannaCry Scanner

Below are notable news stories and security-related happenings from last week:

  • Cybersecurity Battleground Shifting To Linux And Web Servers. “Despite an overall drop in general malware detection for the quarter, Linux malware made up more than 36 percent of the top threats identified in Q1 2017. This attack pattern demonstrates the urgent need for heightened security measures to protect Linux servers and Linux-dependent IoT devices, according to WatchGuard Technologies.” (Source: Help Net Security)
  • UK Energy Industry Cyber-attack Fears Are ‘Off The Scale’. “He said the danger posed to energy systems was coming to the fore now because of the trend away from well-protected, centralised large power stations and towards decentralised power, such as lots of small, flexible gas power plants and solar panels on homes.” (Source: The Guardian)
  • What It Will Take For Cybersecurity To Become Common Sense. “In March, the Pew Research Center surveyed more than 1,000 American adults on what they knew about cybersecurity. The survey asked what’s two-factor authentication, what is a virtual private network and how secure is public Wi-Fi. On average, people only answered five out of the 13 questions correctly. Only 1 percent of respondents got every question right.” (Source: CNET)
  • Fireball Malware: Ticking Time Bomb Or All Hot Air? “Both Check Point and Microsoft agreed that the malware originated from a Chinese digital marketing agency called Rafotech, which uses the code to infect machines, hijack browsers and steal personal information. The company’s fake search engines rank among the world’s top 10,000 websites and occasionally break the top 1,000. It claims to have around 300 million users worldwide, which is suspiciously close to the 250 million infections reported by Check Point.” (Source: Security Intelligence)
  • Hollywood At Risk Without Better Encryption. “The summer blockbuster season has begun with movies such as Sony Pictures Entertainment Inc.’s Spider-Man: Homecoming set to launch. Summer is no longer re-run land for television with shows such as Home Box Office Inc.’s Game of Thrones beginning its next season soon. However, if the movie and television industries aren’t careful about their data security, hackers and other cybercriminals might pirate these prizes or try to hold them hostage.” (Source: Bloomberg)
  • How Snapchat Shares Your (And Your Kids’) Location. “Snap Map shows that, security- and privacy-wise, Snapchat’s come a long way since its early days, with its infamous ‘disappearing’ photos and video messages that never actually went away at all, either on your phone or on its own servers.” (Source: Sophos’s Naked Security Blog)
  • Criminalization Of DNS For Phishing Continues To Advance. “Cybercriminals have been shifting their tactics markedly, by registering more and more domain names, rather than using web servers and domains they have hacked into. These ‘malicious domain registrations’ accounted for half of all the domain names used for phishing in 2016, according to APWG.” (Source: Help Net Security)

Safe surfing, everyone!

The Malwarebytes Labs Team

The post A week in security (June 26 – July 02) appeared first on Malwarebytes Labs.


EternalPetya – yet another stolen piece in the package?

Malwarebytes - Fri, 06/30/2017 - 16:53

Since June 27th we have been investigating the outbreak of the new Petya-like malware armed with an infector similar to WannaCry. Since day one, various contradictory theories started popping up. Some believed that this malware is a rip-off of the original Petya, while others think that it is another step in Petya’s evolution. However, those were just different opinions, and none of them was backed up with enough evidence to hold up. In this post, we will try to fill this gap by making step-by-step comparisons of the current kernel and the one on which it is based (Goldeneye Petya).

Why is it important to know whether or not the code was recompiled?

Answering this question and collecting enough evidence is crucial for further discussions on attribution. The source code of the original Petya has never been leaked publicly, so if the binary was recompiled, that proves that the original Petya’s author, Janus, is somehow linked to the current outbreak (either this is his work or he has sold the code to another actor).

In this analysis, we hope to identify whether this malware could have been the work of anyone with the appropriate skills to modify the compiled binary. Doing so would not entirely disprove Janus as the creator, but his involvement becomes less likely.

Anyway, let’s take a look at the code.


Looking at the sectors, we can find that the layout of EternalPetya is identical to Goldeneye. Full comparison:

Petya kernel:

  • Petya Goldeneye: sector 1
  • Petya Eternal: sector 1

Data sector:

  • Petya Goldeneye: 32
  • Petya Eternal: 32

Verification sector:

  • Petya Goldeneye: 33
  • Petya Eternal: 33

Original MBR (xored with 7):

  • Petya Goldeneye: 34
  • Petya Eternal: 34

Hexadecimal comparison

Comparing both kernels at hexadecimal level, we can see tiny differences at various points. However, there are big portions of code that are identical in both.

The screenshots below show fragments of the (current) EternalPetya on the left, and Goldeneye on the right.

It’s interesting that, at some point, the layout of the same strings in memory was shifted:

As mentioned, the data sector starts in both cases at the same offset. This sector stores the random Salsa20 key and nonce, which are generated per victim, and this is identical in both cases. However, in Goldeneye the victim ID is much longer, which is not surprising taking into account the fact that in the past it was supposed to be the encrypted backup of the Salsa key, and now it is just an arbitrary string, so its length doesn’t really matter.

The Bootloader

The first thing that struck me as different was the bootloader. Fragment of the hexdump (as before: EternalPetya on the left and Goldeneye on the right):

Functionality-wise, it is the same in both cases. It is supposed to read 32 (0x20) sectors from the disk, starting from sector 1, and load them into memory at the address 0x8000. However, the opcodes that are used in both cases to do the same operations are a bit different.

This is the old bootloader, used in Goldeneye:

And this is the bootloader used in the EternalPetya version:

My first impression upon seeing this was that the code was recompiled with different settings; however, another possibility also exists. The total length of the differing fragments is the same, so we cannot exclude the possibility that someone manually edited them inside the pre-compiled binary.

Optimizations – and why it matters

So far we’ve seen some interesting changes, but they were not enough to prove or disprove whether the code was recompiled. However, the breakthrough in the research may lie in the interesting observation made by David Buchanan.

The Salsa20 Key expansion was modified using a hexeditor, NOT by modifying the source

— David Buchanan (@David3141593) June 29, 2017

His theory was based on a compiler optimization which ensures that the same character constant does not need to be loaded twice. We can see this rule applied in the code responsible for storing a string in memory. Inside Goldeneye’s key expansion function, we can find that this kind of optimization absolutely happens: every character is unique, no character is loaded twice:

But in the corresponding fragment of the current kernel, we can find that this rule is broken. The character ‘d’ repeats and optimization was not applied:

If the same code had been generated by a compiler, this fragment would look the way the other repeated characters do, with the constant loaded once and stored twice:

mov al, 'd'
mov [bp+var_B], al
mov [bp+var_3], al

This is a very strong argument against the theory of the code being recompiled. But anyway, let’s continue the analysis and see if we can find even more evidence.

Closer look at the changes

In a previous post I presented a fast comparison of the current kernel vs. Goldeneye, done with the help of the IDA plugin BinDiff:

We can see that significant modifications have been made only in the functions related to displaying the information screen. Let’s check how exactly these changes have been applied.

main_info_screen (offset 0x8426):

Changes of the main_info_screen pointed out by the BinDiff (left: current, right: Goldeneye):

As we can see, the call to the function at 0x008848E was replaced with NOPs (No Operation). This is a common practice used to remove an unwanted function when patching compiled binaries. Yet sometimes it can also be introduced by #ifdefs. The rest of the code matches the previous version, even using the same offsets. However, the addresses of the displayed strings differ between the two binaries:

The unreferenced function is still present in the current binary:

…and called in some other places of code:

Compared to Goldeneye’s call graph, it lacks one of the references, but the other ones are consistent:

sub_86E0 (offset 0x86E0):

Another change is in the function itself, which is also part of the information screen. It is not referenced from any other place in the code:

As we can see, it is called at the beginning of the function:

In the Goldeneye kernel, the corresponding function was the one responsible for printing the skull:

The first jump leads to the loop responsible for displaying the skull and waiting for the key to be pressed by the user. Fragment of the code:

Looking inside the EternalPetya code, we are almost sure that this function was patched post-compilation, rather than recompiled. The first jump, that was supposed to lead to the loop leads directly to the function end:

The original code is still in the binary, but it is never referenced (dead code).

Are the patches reversible?

I thought as a finishing touch of this research it would be interesting to reverse the changes and bring the dead code back to life. As an input, I used the dumped code of:

My version (reverse patch): (7957520271edf003742db63fc250c231).

Indeed, after applying the patches, we are back to seeing the same blinking screen, only the skull is gone (the corresponding strings have been overwritten):


I think the presented evidence is enough to prove that the code was not recompiled from the original source (contrary to what I initially suspected). Thus, the involvement of the original Petya author, Janus, seems unlikely. It seems that in this case he was just chosen as a scapegoat by some different actor.

The edits made in the code are well crafted – the person doing them was fluent in assembly and knew exactly what to change and why. While the first impression of this malware appeared to be a clear recompilation of the modified Petya source code, after doing a deeper analysis, we have identified numerous nuances that show otherwise.

EternalPetya seems to be a patchwork made of code stolen from various sources. In addition to the modified version of the GoldenEye Petya kernel, we found the leaked NSA exploits from the “Eternal” series as well as legitimate applications, such as PsExec.

It is common practice among unsophisticated actors (script-kiddies) to steal and repurpose someone else’s code. However, in this case, the composition was done well, by a person or team with immense knowledge and careful execution. A possible reason for using so many stolen elements, apart from saving the actor’s time, could have been to throw off any obvious signs of attribution.

There are still many mysteries to solve about this malware, which gives rise to many theories that, until proven true, are nothing more than speculation.


Read also:

EternalPetya and the lost Salsa20 key

This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going in details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordp

The post EternalPetya – yet another stolen piece in the package? appeared first on Malwarebytes Labs.


EternalPetya and the lost Salsa20 key

Malwarebytes - Thu, 06/29/2017 - 16:39

We have recently been facing a huge outbreak of a new Petya-like malware armed with an infector similar to WannaCry. The research is still in progress, and the full report will be published soon.

In this post, we will focus on some new important aspects of the current malware. The low-level attack works in the same style as the first Petya, described here. As before, the beginning of the disk is overwritten by the malicious Petya kernel and bootloader. When the malicious kernel is booted, it encrypts the Master File Table with Salsa20 and in this way, makes the disk inaccessible.

The code from Petya’s kernel didn’t change much, but the new logic implemented in the high-level part (the Windows executable) caused the change in the malware’s mission. In the past, after paying the ransom, the Salsa key from the victim was restored and with its help, the Petya kernel was able to decrypt the Master File Table. Now, the necessary key seems to be lost for eternity. Thus, the malware appears to have only damaging intentions.

Let’s have a look at the implementation and discuss the details.

How is the disk encrypted?

The low-level attack affecting the Master File Table hasn’t changed since Goldeneye. It is executed by the Petya kernel.

The Salsa20 algorithm that was implemented incorrectly in the early versions of Petya and caused it to be cracked has been fixed in version 3 (read more here). Now it looks almost the same as in Goldeneye (that was the 4th step in the evolution) and it does not seem to have any bugs. Thus, once the data is encrypted, having the valid key is the only way to restore it.

Here’s a comparison of the changes in the code between the current version and the Goldeneye one.

Looking inside the code, we can see that the significant changes have been made only to the elements responsible for displaying the screen with information.

How is the Salsa key generated?

Generating the Salsa key and the nonce, as before, is done by the PE file (the higher-level part of the infector), inside the function that prepares the stub to be written to the beginning of the disk.

In all versions of Petya, a secure random generator was used. We can find it in the current version as well—it uses CryptGenRandom.

The generated Salsa key and nonce are stored in the dedicated sector for further use by the kernel during encryption.

Example of the stored data:

The byte at the offset 0x4000 is the flag: 0 means that the disk is not encrypted yet, 1 means encrypted.

From the offset 0x4001, the Salsa20 key starts. It is 32 bytes long. After that, at offset 0x4021 there is the random Salsa20 nonce.

What happens with the Salsa key after the encryption?

After being read and used for the encrypting algorithm, the stored Salsa key is erased from the disk. You can see the comparison of the disk image before and after the encryption phase.

As you can see, after use the key is erased.
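The data-sector layout above (flag at 0x4000, key at 0x4001, nonce at 0x4021), together with the sector table from the kernel comparison post (data sector 32, XOR-7 copy of the original MBR in sector 34), is enough to triage a disk image for recoverability. The following Python is an added example, not code from the post or from Petya; it assumes 512-byte sectors, an 8-byte Salsa20 nonce (the post does not state the nonce length), and a constructed sample image rather than a real dump.

```python
"""Added example (not code from the post or from Petya): triage a disk image
using the sector layout the posts describe. Assumptions: 512-byte sectors,
an 8-byte Salsa20 nonce, and a constructed sample image instead of a dump."""
import os

SECTOR = 512
DATA_SECTOR = 32           # 32 * 512 = 0x4000, the data-sector offset given in the post
MBR_BACKUP_SECTOR = 34     # original MBR, every byte XORed with 7
MBR_XOR = 7
KEY_LEN = 32               # Salsa20 key length stated in the post
NONCE_LEN = 8              # assumption: standard Salsa20 nonce size

FLAG_OFF = DATA_SECTOR * SECTOR   # 0x4000: 0 = not encrypted yet, 1 = encrypted
KEY_OFF = FLAG_OFF + 1            # 0x4001: Salsa20 key
NONCE_OFF = KEY_OFF + KEY_LEN     # 0x4021: Salsa20 nonce


def build_sample_image(key: bytes, nonce: bytes, original_mbr: bytes) -> bytearray:
    """Constructed pre-encryption image: flag 0, key and nonce stored in sector 32,
    original MBR backed up XOR 7 in sector 34. Bootloader and kernel sectors are
    left blank because they play no part in the triage."""
    assert len(key) == KEY_LEN and len(nonce) == NONCE_LEN and len(original_mbr) == SECTOR
    img = bytearray(SECTOR * 40)
    img[FLAG_OFF] = 0
    img[KEY_OFF:KEY_OFF + KEY_LEN] = key
    img[NONCE_OFF:NONCE_OFF + NONCE_LEN] = nonce
    start = MBR_BACKUP_SECTOR * SECTOR
    img[start:start + SECTOR] = bytes(b ^ MBR_XOR for b in original_mbr)
    return img


def simulate_post_encryption(img: bytearray) -> bytearray:
    """Reproduce the data-sector state the post observed after the kernel ran:
    the flag flips to 1 and the stored Salsa key is wiped. The MFT encryption
    itself is not simulated; only the bytes that matter for triage change."""
    after = bytearray(img)
    after[FLAG_OFF] = 1
    after[KEY_OFF:KEY_OFF + KEY_LEN] = bytes(KEY_LEN)
    return after


def triage(img: bytes) -> dict:
    """Parse the data sector and the MBR backup and state what is recoverable."""
    flag = img[FLAG_OFF]
    key = bytes(img[KEY_OFF:KEY_OFF + KEY_LEN])
    nonce = bytes(img[NONCE_OFF:NONCE_OFF + NONCE_LEN])
    start = MBR_BACKUP_SECTOR * SECTOR
    mbr = bytes(b ^ MBR_XOR for b in img[start:start + SECTOR])
    key_on_disk = any(key)
    if flag == 0:
        verdict = "not encrypted yet: MFT intact, key still on disk"
    elif key_on_disk:
        verdict = "encrypted, key still on disk: MFT decryptable"
    else:
        # EternalPetya case: key wiped and, per the post, no encrypted backup
        # in the victim ID, so nothing on the disk allows MFT decryption.
        verdict = "encrypted, key wiped: MFT not decryptable from disk"
    return {
        "encrypted": flag == 1,
        "key_on_disk": key_on_disk,
        "key_hex": key.hex(),
        "nonce_hex": nonce.hex(),
        "original_mbr": mbr,
        "mbr_signature_ok": mbr[510:512] == b"\x55\xaa",
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed MBR: random code area plus the 0x55AA boot signature.
    sample_mbr = os.urandom(510) + b"\x55\xaa"
    before = build_sample_image(os.urandom(KEY_LEN), os.urandom(NONCE_LEN), sample_mbr)
    after = simulate_post_encryption(before)
    for label, image in (("before", before), ("after", after)):
        r = triage(image)
        print(f"{label}: {r['verdict']}; MBR backup valid={r['mbr_signature_ok']}")
```

Even on the wiped image the sector-34 backup still yields a valid original MBR, which is why the boot record can be restored while the MFT cannot.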

What is the relationship between the victim ID and the Salsa key?

In the previous versions of Petya, the victim ID was, in fact, the victim’s Salsa20 key, encrypted with the attacker’s public key and converted to Base58 string. So, although the Salsa key is erased from the disk, a backup was still there, accessible only to the attackers, who had the private key to decrypt it.

Now, this is no longer true. The victim ID is generated randomly, BEFORE the random Salsa key is even made. So, in the current version, there is no relationship between the Salsa key and the victim ID. The victim ID is just trash. You can see the process of generating it on the video.


According to our current knowledge, the malware is intentionally broken in a way that the Salsa key was never meant to be restored. Nevertheless, it is still effective in making people pay the ransom. We have observed that new payments are being made to the bitcoin account. You can see the link to the bitcoin address here:

If you are a victim of this malware and you are thinking about paying the ransom, we warn you: Don’t do this. It is a scam and you will most probably never get your data back.

We will keep you posted with the updates about our findings.


Microsoft’s report about the new version of Petya

About the previous version (Goldeneye):

Goldeneye Ransomware – the Petya/Mischa combo rebranded


This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going in details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog:

The post EternalPetya and the lost Salsa20 key appeared first on Malwarebytes Labs.


Solution Corner: Malwarebytes Endpoint Protection

Malwarebytes - Wed, 06/28/2017 - 15:00

We’ve been busy here at Malwarebytes with several product announcements recently. Malwarebytes Incident Response was released in late April, providing threat detection and remediation via our new cloud-based platform. Right on its heels, leveraging the same platform is Malwarebytes Endpoint Protection, our latest endpoint security solution for business. This latest release unifies a number of technologies onto a single agent on the endpoint and adds a new machine learning detection engine into our layered approach to protection.

Best-Informed Telemetry

As we’ve mentioned before, Malwarebytes threat detection is driven by the industry’s best-informed telemetry. Because Malwarebytes is the gold standard in remediation, we see more than 500,000 consumers and enterprises download Malwarebytes every day when their existing solutions fail them. And every day, more than 3 million remediation events are processed. This telemetry of the malware that is “succeeding” gives us the insight to understand the tactics, techniques, and procedures the attackers are leveraging.

Multi-Vector Protection

To provide the best protection possible, Malwarebytes Endpoint Protection delivers Multi-Vector Protection (MVP) with 7 unique layers of technology. These layers fall into two general categories: rules-based and behavior-based. The rules-based layers address the known threats (and their variants). The malware that is unknown is handled by the behavior-based technologies. The telemetry that we described above validates the effectiveness of our behavior technologies (and ensures we minimize FP issues) while informing our rules-based approaches.

The rules-based layers include Web Protection and Payload Analysis.

  • Web Protection: prevents the endpoint from connecting to malicious websites and downloading malicious payloads. In the event that a malicious payload does make its way onto an endpoint, it prevents the malware from connecting to command and control servers.
  • Payload Analysis: uses heuristic rules to identify entire families of known and relevant malware.

The Behavioral-based layers are “signature-less” technologies that include Application Hardening, Exploit Mitigation, Application Behavior, Ransomware Mitigation, and our new machine learning engine – Anomaly Detection.

  • Application Hardening reduces the vulnerability surface, making the endpoint more resilient. This also proactively detects fingerprinting attempts made by advanced exploit attacks.
  • Exploit Mitigation proactively detects and blocks attempts to compromise application vulnerabilities and remotely execute code on the endpoint.
  • Application Behavior ensures applications behave as intended, preventing them from being leveraged to infect the endpoint.
  • Ransomware Mitigation detects and blocks ransomware from encrypting files by using behavioral monitoring technology.
  • Anomaly Detection is our new machine-learning approach. While traditional machine learning approaches have focused on malware classification (training the machine learning algorithm on known malware in order to identify unknown malware), we’ve taken a different approach by focusing on known good files. The space of known good files is significantly easier to represent well, resulting in a model that performs very well over time. Most importantly, this new engine fits into our layered approach to prevention.

It’s critical to note that our remediation capabilities are included as part of Malwarebytes Endpoint Protection because we know we can’t be 100% effective 100% of the time. So when something does get through, as soon as we know about it, we’ll be able to find and thoroughly remove the infection.

Malwarebytes cloud platform

Malwarebytes Endpoint Protection is the second solution to be offered on our new single, unified endpoint agent and delivered via our cloud-based management platform. This new platform eases deployment of Malwarebytes Endpoint Protection (as well as Malwarebytes Incident Response). Additionally, larger organizations benefit from effortless, unlimited scalability and quick time-to-value.

In addition to managing the deployment, the cloud management console also centrally manages security policy and threat visibility across all endpoints in your organization. The cloud platform also enables endpoint Asset Management by delivering dozens of endpoint system details such as network interfaces, storage devices, memory objects, installed software, software updates, startup programs, and more.

Malwarebytes Endpoint Protection will be available for sale on June 28th. I encourage you all to learn more about this new solution and, more importantly, give it a try!

The post Solution Corner: Malwarebytes Endpoint Protection appeared first on Malwarebytes Labs.


Adware the series, part 6

Malwarebytes - Wed, 06/28/2017 - 15:00

In this series of posts, we will be using the flowchart below to follow the process of determining which adware we are dealing with. Our objective is to give you an idea of how many different types of adware are around for Windows systems. Though most are classified as PUPs, you will also see the occasional Trojan or rootkit, especially for the types that are more difficult to detect and remove.

In this part of the series, we are going to have a look at types of adware that are very hard to find and remove. Luckily these are rare, but there are a few adware authors out there who are not afraid to swat a fly with an elephant gun. These hard-to-find and sometimes hard-to-remove types are malware, because that is what they are: even if their objective is “only” to show you advertisements, the methods they use qualify them as malware, not as potentially unwanted programs.


ADS is short for Alternate Data Streams. It’s a feature of Windows NTFS file systems that lets you append any kind of data to a file using the $DATA attribute of the file. The convenient part for the adware author is that a regular user will not see the ADS attached to a file unless they use special tools or are familiar enough with PowerShell to hunt them down. Another opportunity for the (ab)users of ADS is the wide range of storage options. You can append a complete executable file or just a script that you can execute by feeding it as an argument to the proper program. If alternate data streams were not technically considered files, using an ADS in combination with a registry key for persistence would qualify as a file-less infection. Even so, they are hard to find and can be used in very much the same way.
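Since the whole point of an ADS is that the normal directory listing hides it, the first step in hunting one is to list streams and separate the expected ones from the rest. The script below is an added example, not part of the original post or of any Malwarebytes tool: it parses the output of cmd.exe’s `dir /R` (the switch that lists alternate data streams), drops the Zone.Identifier stream that browsers attach to downloads, and reports the remaining named streams for review. The directory listing, file names, stream names and sizes are all constructed for the illustration.

```python
import re

# Constructed `dir /R` output (cmd.exe lists alternate data streams with /R). Directory, file
# and stream names and the sizes are invented for this illustration.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\Users\\example\\AppData\\Roaming\\ExampleApp

06/28/2017  03:00 PM    <DIR>          .
06/28/2017  03:00 PM    <DIR>          ..
06/28/2017  03:00 PM            12,345 update.exe
                                  8,704 update.exe:payload.exe:$DATA
06/28/2017  03:00 PM               512 notes.txt
                                     26 notes.txt:Zone.Identifier:$DATA
06/28/2017  03:00 PM             1,024 helper.vbs
                                    300 helper.vbs:stage.js:$DATA
               3 File(s)         13,881 bytes
               2 Dir(s)  10,000,000,000 bytes free
"""

# A stream line is indented and carries only a size followed by `file:stream:$DATA`.
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")
DIRECTORY_RE = re.compile(r"^\s*Directory of (.+?)\s*$")

# Zone.Identifier is the mark-of-the-web stream browsers add to downloads; it is expected.
EXPECTED_STREAMS = {"zone.identifier"}
# Stream names that look like code are the ones an adware dropper would park in an ADS.
CODE_SUFFIXES = (".exe", ".dll", ".ps1", ".vbs", ".js", ".bat", ".cmd", ".scr")


def parse_dir_r(output: str) -> list:
    """Return [{'path', 'file', 'stream', 'size'}] for every ADS listed by `dir /R`."""
    entries, current_dir = [], None
    for line in output.splitlines():
        d = DIRECTORY_RE.match(line)
        if d:
            current_dir = d.group(1)
            continue
        m = STREAM_RE.match(line)
        if m:
            size, fname, stream = m.groups()
            entries.append({
                "path": f"{current_dir}\\{fname}" if current_dir else fname,
                "file": fname,
                "stream": stream,
                "size": int(size.replace(",", "")),
            })
    return entries


def suspicious_streams(entries: list) -> list:
    """Drop the expected Zone.Identifier streams and explain why each remaining one needs a look."""
    findings = []
    for e in entries:
        name = e["stream"].lower()
        if name in EXPECTED_STREAMS:
            continue
        if name.endswith(CODE_SUFFIXES):
            reason = "stream named like an executable or script"
        else:
            reason = "unexpected named stream"
        findings.append({**e, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in suspicious_streams(parse_dir_r(SAMPLE_DIR_R)):
        print(f"{f['path']}:{f['stream']} ({f['size']} bytes): {f['reason']}")
```

On a live system you would feed the script the output of `dir /R /S <folder>` captured to a file; PowerShell’s `Get-Item -Path <file> -Stream *` lists the same streams per file and `Get-Content -Stream <name>` reads one out, which is the quickest way to see what a flagged stream actually holds.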


Where Alternate Data Streams are hard to find, rootkits are invisible even to the operating system (Windows in our case). By definition, a rootkit is software that hides itself or another application. The name, however, is derived from the fact that a rootkit has administrator-level access (Unix: root) to the system. While there are many tools around that can detect and remove rootkits, the consensus among experts is that a system that has been infected with a rootkit should never be fully trusted, and that it’s better to reformat the system drive and re-install the operating system. This is harsh, and some rootkits can be fully removed, but it is sound advice in many cases. You can find more information about the types of rootkits in our threat description “Rootkits”.

File-less infections

File-less infections come in different forms and sizes, but the ones we see most of the time in adware are encoded PowerShell commands hidden in the registry. Famous examples are Poweliks and Kovter. Another file-less infection we have seen in use was the WMI hijacker, which used Windows Management Instrumentation to add a site as an argument to each browser shortcut it could find, effectively making sure that the affected user was always redirected to its search site.
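An encoded PowerShell command in an autorun registry value is easy to spot once you know what the encoding is: `-EncodedCommand` takes base64 over the UTF-16LE bytes of the script, and PowerShell accepts abbreviated switches such as `-enc` or `-e`. The script below is an added example, not code from the post or from any Malwarebytes product: it takes a registry value string, looks for a PowerShell launch with an encoded command and the usual hidden-window and no-profile switches, and decodes the command so an analyst can read it. The sample values are constructed, and the encoded script inside them is a harmless `Write-Host`.

```python
import base64
import re

# Constructed registry autorun value of the shape seen in Poweliks/Kovter-style infections.
# The encoded script is harmless; it is built below from plain text.
SAMPLE_SCRIPT = "Write-Host 'constructed sample'"


def encode_powershell(script: str) -> str:
    """-EncodedCommand expects base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_VALUE = "powershell.exe -NoP -NonI -W Hidden -Enc " + encode_powershell(SAMPLE_SCRIPT)
BENIGN_VALUE = r'"C:\Program Files\ExampleVendor\updater.exe" /silent'   # constructed

# PowerShell accepts unambiguous prefixes of its switches, so -e, -ec, -enc and -encoded all
# mean -EncodedCommand. -ExecutionPolicy also starts with -e, hence the explicit list.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")
HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
NOPROFILE_RE = re.compile(r"(?i)-nop(?:rofile)?\b")
NONINTERACTIVE_RE = re.compile(r"(?i)-noni(?:nteractive)?\b")


def decode_encoded_command(b64: str):
    """Decode an -EncodedCommand argument; return None if it is not valid base64/UTF-16LE."""
    try:
        raw = base64.b64decode(b64, validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_autorun_value(value: str) -> dict:
    """Flag a registry autorun value that launches PowerShell with a hidden, encoded command."""
    m = ENC_RE.search(value)
    decoded = decode_encoded_command(m.group(1)) if m else None
    result = {
        "powershell": bool(re.search(r"(?i)powershell(?:\.exe)?", value)),
        "encoded_command": decoded is not None,
        "hidden_window": bool(HIDDEN_RE.search(value)),
        "no_profile": bool(NOPROFILE_RE.search(value)),
        "non_interactive": bool(NONINTERACTIVE_RE.search(value)),
        "decoded": decoded,
    }
    # An encoded command launched hidden from an autorun location is the pattern the post describes.
    result["suspicious"] = result["powershell"] and result["encoded_command"] and (
        result["hidden_window"] or result["no_profile"]
    )
    return result


if __name__ == "__main__":
    for label, value in (("sample", SAMPLE_VALUE), ("benign", BENIGN_VALUE)):
        r = analyze_autorun_value(value)
        print(f"{label}: suspicious={r['suspicious']} decoded={r['decoded']!r}")
```

The decoded text is what you actually want to read: in a real Poweliks-style case it is usually only a loader that pulls a second stage out of another registry value, so the value names referenced in the decoded script tell you where to look next. Reading the Run keys themselves is a one-liner with the `winreg` module on Windows; the analysis function is kept separate so it can also be run over exported `.reg` files offline.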

Malwarebytes Anti-Rootkit (beta)

If you run into any of these hard-to-find and hard-to-remove adware infections and Malwarebytes is unable to remediate them, please download our special tool for these cases, Malwarebytes Anti-Rootkit BETA, or look in the Malware Removal Self-Help Guides section of our forums to see if we have posted a special removal guide for your problem. Malwarebytes Anti-Rootkit BETA will usually be able to install and run when other tools cannot, and it will clear the way for Malwarebytes to help you clean out the rest of the infection(s).


Part 1

  • Identify the process
  • Clear browser caches
  • Remove browser extensions

Part 2

  • Proxies
  • Winsock hijackers
  • DNS hijackers

Part 3

  • Type of software
  • Uninstall
  • Remove file
  • Replace file

Part 4

  • Scheduled tasks
  • Services

Part 5

  • DLLs
  • Handles
  • Parent process

Part 6

  • ADS
  • Rootkits
  • Fileless infections

Up next, part 7

  • Tools to investigate with


Pieter Arntz

The post Adware the series, part 6 appeared first on Malwarebytes Labs.


Petya-esque ransomware is spreading across the world

Malwarebytes - Tue, 06/27/2017 - 20:26

UPDATE 6/27/2017 1653 PST: Based on information released by security researchers, a Ukrainian accounting software company called Me Doc pushed an update at around 10:30 GMT this morning, which installed the malware on the “victim zero” system. Then, using a mix of PSExec, WMI, and EternalBlue, it was able to spread to every other computer on the network. Me Doc has claimed that this isn’t the case, however, so we won’t 100 percent confirm that this was the source of the original infection vector.

You are correct. Here you go, this is not my work. #Petya #NotPetya #CISO #CSO

— John Lockie (@thedefensedude) June 27, 2017

At this point, it would be a good idea (if you are running any Me Doc software) to not update said software until they have announced that their servers are clean.

UPDATE 6/27/2017 1515 PST: Researchers have discovered what might be a “Vaccine” for the current version of the Petya-Esque ransomworm. You can give it a shot and see if it works for you, but keep in mind that basically as soon as the linked article was created, the creators of this attack have likely already modified their source to negate the defense. Good luck!

UPDATE 6/27/2017 1430 PST: If you’re thinking about paying the ransom for this threat–don’t bother. The e-mail service which hosted the address that victims were instructed to send payment to has closed the account. So, at this point, trying to pay the ransom will result in a returned e-mail. Unfortunately, recovering files by paying is therefore not possible at the moment, although the attackers may provide their victims with alternative forms of payment.

Ringing with echoes of WanaCrypt0r, a new strain of ransomware being called Petya/NotPetya is impacting users around the world, shutting down firms in Ukraine, Britain, and Spain.


Petya, created in July 2016, started off as one of the next-generation ransomware strains that utilize an MBR (Master Boot Record) locker. In the early days of ransomware, strains that modified the startup of a system were popular, but they had died off for many years. Today, not long after its one-year anniversary, Petya has come back with a vengeance and a nasty new distribution method.

As to whether or not this malware is the same Petya that we have dealt with in the past, many other researchers, including our own, claim that the malware is heavily influenced and likely developed by the creators of Petya. This malware has indicators and code that matches previous versions of Petya, but with additional functionality.

Kaspersky Lab analysts say new attacks are not a variant of Petya ransomware as publicly reported, but a new ransomware they call NotPetya

— Patrick O'Neill (@HowellONeill) June 27, 2017

We are not going to claim attribution or even confirm what family we are dealing with until more analysis has been completed and more evidence is available. What we can say for sure is that this ransomware uses tactics rarely seen in the wild.

Infection vector

Taking a page out of WannaCry’s book, this new ransomware utilizes the same EternalBlue SMB exploit that was used in the outbreak that occurred more than a month ago. There are also currently reports that this attack uses email spam to distribute infected Office documents in an effort to rapidly spread and distribute the ransomware. This malware also includes the ability to use PSExec on any system it has administrative credentials for, allowing it to execute duplicates of the malware on any system on the network.

However, not all of these reports have been confirmed by Malwarebytes staff, so its true original infection vector beyond SMB exploitation is up in the air. But the combination of the PSExec method with the EternalBlue exploit gives this malware a lot of power in its ability to spread across a network.


After execution, the ransomware infects the system at a low level, modifying the MBR and presenting the user with the following prompt:

After a reboot, instead of loading the operating system installed on the computer, the user is faced with a faux Check Disk operation that, instead of actually checking the hard disk for issues, is encrypting files! We know this is a fake screen based on strings found within the malware itself:


This is done to buy the ransomware more time to encrypt all the relevant files on the system without being stopped by the user.

The MFT (Master File Table) and the MBR are also encrypted. The MBR is overwritten to display the ransom note, which makes it impossible to boot the system without remediation—meaning users must either pay the culprit or be unable to access their system. The computer will then display a menacing black screen with red lettering listing the ransomware’s purpose and its demands. The attack affects users by encrypting anywhere from a single file to the entire system.

While this situation could have been easily avoided by simply keeping all antivirus database and operating system updates current, the now-infected users must pay $300 in Bitcoins to regain access to their files.

An interesting aspect of this attack is the targeted filetypes. The intended victims are rather different from Petya or 'normal' ransomware.

— Yonathan Klijnsma (@ydklijnsma) June 27, 2017

As stated on Twitter by @ydklijnsma, it would appear that the file types being targeted are aimed more toward the programs that developers would use, such as .vbs, .ova, .vbox, and so on. This makes it appear that the targets of these attacks are likely businesses, and especially firms that specialize in software development.

Unfortunately, unlike WannaCry, Petya does not have a “killswitch” readily available or known.  has a “vaccine” that could potentially work to stop the infection, although our own tests have shown that in many cases, it doesn’t. Windows 10 systems seem to have a fighting chance by using this method but based on our tests, Windows 7 gets infected every time.

Zero-hour protection

Malwarebytes detected this ransomware in the zero hour, meaning those that have Malwarebytes Premium or our standalone anti-ransomware technology have been protected from the instant this attack began. Both Malwarebytes business users and consumer users are protected if they are using the latest version of the above products.

We detect this ransomware as either Ransom.Petya or Ransom.Petya.EB.

Full protection from this threat can also be achieved by:

  • Updating and deploying security software with anti-ransomware capabilities
  • Updating and securing operating systems on your network, including checking for any open SMB ports on any Internet-facing systems
  • Locking down user accounts from having administrative powers and possibly even removing/shutting down admin systems that might utilize the PSExec method of spreading the malware
  • If you are a business owner, making sure your users are aware of this current threat
  • Opening emails with a high degree of scrutiny in the near future

We are going to regularly update this post to inform you about new developments with this attack, a deeper look at its spread, and possible motivations/infection methods. In addition, we are currently working on a post that analyzes the malware binary to its core. Expect that shortly.

Thanks for reading and safe surfing!

Special Thanks:

The post Petya-esque ransomware is spreading across the world appeared first on Malwarebytes Labs.


