
Locky ransomware is back from the dead again – with new ‘Diablo’ variant

August 16, 2017

One of the most successful families of file-encrypting malware is back — again — with a new spam campaign.

One of the most successful families of ransomware has returned once again, with a new email spam campaign designed to infect victims with the file-encrypting malware.

Locky was one of the first major forms of ransomware to become globally successful and at one point was one of the most common forms of malware in its own right.

However, attacks distributing Locky have declined this year, and while it was once the king of ransomware, its title has been usurped — Cerber now dominates the market.

But that doesn’t mean Locky no longer poses a threat.
After going dark for a few months — even to the point where it wasn’t being distributed at all — the ransomware is once again being spread through the Necurs botnet.

But this time it’s being distributed with a new file extension called Diablo6, according to Malwarebytes researchers who’ve observed the new campaign.
The new Diablo variant calls back to a different command and control server than previous Locky campaigns.

Like other ransomware families, Locky is distributed via the use of spam emails; this particular campaign sends them in the form of PDF attachments with embedded .DOCM files.

If the user downloads the attachment and enables macros as the payload requests, they’ll soon find that they’ve lost access to the files on their computer and are told that they need to pay a ransom in order to get the “private key” from the “secret server” of the attackers.
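The delivery chain above (a PDF attachment carrying an embedded .DOCM that asks for macros) can be triaged without opening the document. The following Python scanner is an added example, not code from the article or from Malwarebytes: it pulls /EmbeddedFile streams out of a PDF and flags attachments that are macro-enabled by extension or that contain a VBA project inside the OOXML zip. The sample PDF and the stand-in .docm it scans are constructed inline; the name-to-stream pairing is a heuristic for this illustration, not a full PDF parser.

```python
import io
import re
import zipfile

# Macro-enabled OOXML extensions; the Locky campaign used .docm.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".pptm"}
# /Filespec dictionaries carry the attachment's file name in /F.
FILESPEC_RE = re.compile(rb"/Type\s*/Filespec.*?/F\s*\((.*?)\)", re.DOTALL)
# Direct /Length values only; an indirect "5 0 R" reference is skipped.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
STREAM_RE = re.compile(rb"\bstream\r?\n")

def extract_embedded_files(pdf: bytes):
    """Return (name, payload) pairs for each /EmbeddedFile stream.
    Payloads are cut by /Length, so binary data containing 'endstream'
    cannot truncate them; names are paired with streams in document order."""
    names = [m.group(1).decode("latin-1") for m in FILESPEC_RE.finditer(pdf)]
    payloads = []
    for m in re.finditer(rb"/Type\s*/EmbeddedFile\b", pdf):
        rest = pdf[m.end():]
        length, start = LENGTH_RE.search(rest), STREAM_RE.search(rest)
        if not length or not start:
            continue
        begin = m.end() + start.end()
        payloads.append(pdf[begin:begin + int(length.group(1))])
    return list(zip(names, payloads))

def has_vba_project(payload: bytes) -> bool:
    """True if the payload is an OOXML zip that carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def scan_pdf(pdf: bytes):
    """Flag embedded attachments that are macro-enabled by name or by content."""
    findings = []
    for name, payload in extract_embedded_files(pdf):
        ext = name[name.rfind("."):].lower() if "." in name else ""
        macro_ext, vba = ext in MACRO_EXTENSIONS, has_vba_project(payload)
        if macro_ext or vba:
            findings.append({"name": name, "macro_extension": macro_ext,
                             "vba_project": vba})
    return findings

# Constructed sample input (not a real campaign artefact).
def build_docm_with_macro() -> bytes:
    """A stand-in .docm: OOXML zip with a dummy word/vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

def build_pdf_with_attachment(name: str, payload: bytes) -> bytes:
    """Minimal PDF (no xref table) using real /Filespec and /EmbeddedFile shapes."""
    n = name.encode()
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles << /Names [ ("
            + n + b") 3 0 R ] >> >> >> endobj\n"
            b"3 0 obj << /Type /Filespec /F (" + n + b") /EF << /F 4 0 R >> >> endobj\n"
            b"4 0 obj << /Type /EmbeddedFile /Length " + str(len(payload)).encode()
            + b" >>\nstream\n" + payload + b"\nendstream\nendobj\n%%EOF\n")
```

A renamed attachment (for example a .docx name wrapping a macro-bearing zip) is still caught by the content check, which is the reason both signals are reported separately.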

While Locky is far less prevalent than it has been, it remains a risk to organisations because of its strong cryptography and the fact that those behind it still update and alter the payload and the tactics used to deliver it.

“The ups and downs of Locky remain shrouded in mystery. One thing time has taught us is that we should never assume Locky is gone simply because it’s not active at a particular given time,” said Marcelo Rivero, intelligence analyst at Malwarebytes.

It isn’t the first time Locky has reappeared after seemingly disappearing.
It appeared to cease activity over Christmas 2016, leading researchers to speculate that its developers had taken a break over the holiday season.
Sure enough, it re-emerged in January and infections have been spiking and dropping ever since.

The sudden reappearance of Locky could potentially be attributed to decryption tools for Jaff ransomware being made available for free in June.
Jaff appeared in May and was spread by the same Necurs botnet used to distribute Locky.

Cybercriminals deploy ransomware because it allows them to reap high rewards using little effort.
Therefore, it could be the case that once Jaff — which demanded a ransom of $4,000 and used a decryptor almost identical to that of Locky — was cracked by security professionals, the criminals behind it have simply gone back to using Locky.

While those behind Locky have yet to be identified, researchers have noted that the ransomware will delete itself from the infected machine if the local language is Russian, possibly pointing towards the geographic location of the developers.


Android app stores flooded with 1,000 spyware apps

August 10, 2017

Three fake messaging apps in the Google Play Store discovered to be distributing stealthy data-stealing SonicSpy malware – and that’s just a fraction of the activity by this group.

Hackers have flooded Android app stores – including the official Google Play store – with over one thousand spyware apps which have the capability to monitor almost every action on an infected device.

Dubbed SonicSpy, the malware can silently record calls and audio, take photos, make calls, send text messages to numbers specified by the attackers, monitor calls logs and contacts and monitor information about Wi-Fi access points.

In total, SonicSpy can be ordered to remotely perform 73 different commands, and it’s suspected to be the work of malware developers in Iraq.

Marketed as a messaging application, the malware performs the advertised messaging function in order to avoid users getting suspicious of the download, while all the while stealing their data and transferring it to a command and control server.

SonicSpy has been uncovered by researchers at Lookout after they discovered three versions of it live in the official Google Play app store, each advertised as a messaging service.

Google has since removed the malicious apps – called soniac, hulk messenger and troy chat – from its store, but many other versions remain available on third-party application markets and the malware could’ve been downloaded thousands of times.
At the time of removal from Google Play, soniac had been downloaded between 1,000 and 5,000 times.

When downloaded from Google Play, SonicSpy will hide itself from the victim and remove its launcher icon from the smartphone menu, before connecting to a command and control server and attempting to download and install a modified version of the Telegram app.

This custom app contains the malicious features which allow the attackers to gain significant control over the device.
It’s unclear if the attackers are targeting specific users, or if they’re trying to get hold of any information they can from anyone who downloads the malware.

Researchers analysed samples of SonicSpy and have found that it contains similarities to a spyware called Spynote, which was first uncovered in the middle of last year.

Both SonicSpy and Spynote share code, make use of dynamic DNS services and both run on the non-standard port 2222, leading Lookout to suggest that the two families of malware have been built by the same hacking operation.

Tricking users into using a fully functioning application while it secretly exfiltrates data to the attackers is also noted as a tactic used by the same attack group.
The account behind the malicious apps is called ‘iraqwebservice’, leading researchers to suggest the campaign is of Iraqi origin.

Whoever is behind the malware, “Spoofing an encrypted communications app also shows the actor’s interest in gathering sensitive information,” said Michael Flossman, Security Research Services Tech Lead at Lookout.

And while SonicSpy has been removed from the Google Play Store for now, Flossman warns that it could potentially get into it again.

“The actors behind this family have shown that they’re capable of getting their spyware into the official app store and as it’s actively being developed, and its build process is automated, it’s likely that SonicSpy will surface again in the future,” he said.

Google keeps the vast majority of its 1.4 billion Android users safe from malware, but malicious apps still regularly get through to the official store.


LastPass has moved two previously free features to the paid plan and doubled the price

August 6, 2017

LastPass is one of the most popular password managers on the market, but it’s getting a price hike today.
It’s going to be twice as expensive going forward, but the good news is you’re getting some more features for the money.
The bad news is those features used to be free.
Users of the free account won’t be completely losing out, though.

Before today, LastPass was $12 per year, but now it’s $24.
The free version of LastPass will lose support for emergency access and unlimited sharing, which are heading to the more expensive premium version.
Emergency access lets you designate trusted contacts who can request access to your passwords in the event of an emergency.
Anyone on the free version already using this feature will still have access.
Sharing on the new free account will only be available in one-to-one format, but the premium account lets you share to as many people as you want.
Additionally, premium users retain the shared folder option.

The free account continues to have multi-device support, which was added just last year.
I assume that was one of the big drivers of premium sign ups, so that might have something to do with the price increase.
It would be hard to take that away, so LastPass is upping the price and fiddling with the other features.


Kaspersky Lab hands out free anti-virus

July 26, 2017

In a bid to ‘secure the whole world’, the Russian security firm is offering up free anti-virus protection globally.

Kaspersky Lab has announced that it will be offering free anti-virus protection for everyone by rolling out the base version of its software globally at no charge.

In a blog post authored by the security firm’s chief, Eugene Kaspersky explains that an increase in the number of installations of Kaspersky Free is expected to positively affect the quality of protection of all users, since the “big-data-bases will have more numbers to work with to better hone the machine learning”.

The free version contains the bare essentials, Kaspersky said, which includes file, email, and web antivirus; automatic updates, self-defence; quarantine; and a handful of additional features the blog post does not list.

“This arsenal ensures convenient and safe web surfing … working with USB sticks and other portable storage media, and protection against both phishing and infected files being run,” he wrote. “In short, the indispensable basics that no one on the planet should do without.”

The free antivirus won’t be competing with the security vendor’s paid-for versions, Kaspersky said, which cover additional features such as parental control, online payment protection, and secure VPN connection.

“Though it features just the bare basics, it still packs a punch — a punch we’re no less proud of,” the blog post continues.

Russia, Ukraine, Belorussia, China, Finland, Sweden, Norway, and Denmark already have the free software available after participating in the company’s pilot program.
The “first APAC wave” — including Australia and New Zealand — the US, Canada, the Caribbean, and Kazakhstan are due for rollout this week; Africa, the Middle East, and Turkey can access the free software as of early September; followed shortly by Brazil, LatAm, India, and Hong Kong.

The free-ware will be available come October in the United Kingdom, Ireland, DACH, Italy, France, Spain, Portugal, Israel, Maghreb, Benelux, Eastern Europe, Japan, and South Korea; while Vietnam and Thailand will need to wait until November.

According to Kaspersky, giving the software away in the piloted regions “cranked up” the company’s market share “considerably”.

“Not that increasing market share is our aim; our aim is to raise the overall level of protection on the internet,” the chief explained.

Earlier this month, the Trump administration removed Kaspersky Lab from two lists of approved vendors used by government agencies to purchase technology equipment, Reuters reported, amid concerns the Russian-based company’s products could be used by the Kremlin to gain entry into United States networks.

According to the report, Kaspersky products have been removed from the US General Services Administration’s (GSA) list of vendors for contracts that cover information technology services and digital photographic equipment.

Government agencies will still be able to use Kaspersky products purchased separate from the GSA contract process, the report states.

The removal follows accusations from US intelligence agencies that Russia hacked into Democratic Party emails, thus helping Donald Trump to election victory, despite President Vladimir Putin proclaiming that his country has never engaged in hacking activities, though some “patriotic” individuals may have.


This ransomware lets crooks spot their victim on a map

July 25, 2017

Ransomware has always been sinister – now it’s creepy too.

As if ransomware wasn’t sinister enough, a simple to use and easy to buy form of the file-encrypting malware now provides its users with the ability to track victims on Google Maps.

First appearing on the cybercriminal market in September last year, the Philadelphia ransomware is available for $400, and the developers offer a ‘ransomware-as-a-service’ package which provides support and updates for the malicious software.

The RaaS kit is even promoted to potential customers with adverts complete with slick marketing videos and promotional screenshots boasting of a ‘Full Lifetime License’ from its creators, complete with regular support.

That support includes software for managing attacks, including the ability to list all of the infected machines — not just by displaying the country the victim is in, but their location and IP address as well.

The feature is designed to help give the ransomware’s users an insight to where they’ve made successful attacks — including the set ransom amount for that target and their operating system.

“It’s the operational part of running your ‘hacking business’ in order to manage the machines under control — a critical element of a non-technical person’s ability to leverage this tool and monetise it,” Dan Schiappa, senior vice president of the Sophos Enduser and Network Security Group, told ZDNet.

While it’s certainly a creepy new addition to the scammers’ arsenal, there’s perhaps some level of reassurance in the fact that the vast majority of Philadelphia users aren’t anywhere near this level of sophistication.
The ransomware comes with a ‘mercy’ feature which is designed to give cybercriminals an option if they grow a conscience and feel sympathy for the victim.

“There are rare cases of the bleeding heart hacker who finds out they’ve encrypted photos of someone’s dead relative and they give mercy,” said Schiappa.

But more often it is used by technically-incompetent crooks to decrypt their own systems when they infect them by accident.

“One of the primary reasons we’ve seen is that people — particularly non-sophisticated customers — will infect themselves,” said Schiappa. “They infect themselves, infect their friends, or they’re using machines they want to clean and infect again just as they’re testing things, that’s what that’s about.”

Like the developers’ other product, Stampado — a much cheaper, but far less flexible ransomware — Philadelphia is sold on the dark web, but access to ransomware is advertised on the open web with introduction videos and a how-to guide.

“It’s idiot-proof. It’s taken something that could be very sophisticated and technical and put it in the hands of those with malicious intent. That massively increases the scope of the use of the attacks,” said Schiappa.

Fortunately, there is some good news in that some strains of Philadelphia have been cracked and free decryption tools are available.


New details emerge on Fruitfly, a near-undetectable Mac backdoor

July 24, 2017

The malware went largely undetected for several years and is only detectable on a handful of security products, but the “fully featured” Mac backdoor can take control of an entire computer.

Six months after it was discovered, the first Mac malware of the year is still causing a stir.

The recently discovered Fruitfly malware is a stealthy but highly-invasive malware for Macs that went undetected for years.
The controller of the malware has the capability to remotely take complete control of an infected computer — files, webcam, screen, and keyboard and mouse.

But despite its recent discovery, little is known about the malware.

Given how rare Mac malware is, especially one with all the hallmarks of what could be a nation state attacker, Patrick Wardle, a former NSA hacker who now serves as chief security researcher at Synack, got to work.

Apple released security patches for Fruitfly earlier this year, but variants of the malware have since emerged.
The core of the malware is an obfuscated perl script using antiquated code, with indicators in the code that suggest the malware may go back almost half a decade or more, the security firm said.
Nevertheless, the malware still works well on modern versions of macOS, including Yosemite.
Fruitfly connects and communicates with a command and control server, where an attacker can remotely spy on and control an infected Mac.

But what it does, and why, aren’t widely known.

“It’s not the most sophisticated Mac malware,” said Wardle in a Signal call last week, but he described it as “feature complete.”
Like others, he wasn’t sure what the malware did exactly on first glance.

Instead of reverse-engineering the malware’s code to see what it did, he took a novel approach of creating his own command and control server to interact directly with a sample of the malware in his lab.

“I had to figure out how to create a command and control server that could speak the ‘language’ of the malware,” he said.
That let him fully deconstruct what the malware did simply by “asking” the malware the right questions, giving him an unprecedented view into its capabilities.

He found that he could take complete control of an infected Mac, including its keyboard and mouse, take screenshots of the display, remotely switch on the webcam, and modify files. The malware can also run commands in the background, and even kill the malware’s process altogether — likely in an effort to avoid detection.

“The most interesting feature is that the malware can send an alert when the user is active,” said Wardle, so that the attacker can then avoid interfering with the computer to remain stealthy. “I haven’t seen that before,” he said.
He even found that some commands supported additional parameters.
What he called the “second byte” to each command would offer more granular options. He explained that he could take screenshots of the display of varying quality — a useful feature for low-bandwidth connections or trying to evade network detection.

He noticed that the malware was communicating out to primary servers that were offline.
But some of the backup servers were available.

Armed with his Python-based command and control scripts, he registered some domains, and fired up his servers.
And that’s when his screen began to fill up with victims’ computers connecting to his servers, one after the other.

“I thought — ‘f**k!’ — I have to be responsible here,” he said.
When the malware connects, you get the IP address, name of the user, and the computer name (which is typically the full name of the user).
“I just logged the connections and parsed the computer names, then closed the connection,” he said.

The early analysis was that as many as 90 percent of the victims were in the US, with no obvious connection between the users, he said.
“It was just a general smattering of users.”

But questions remain over where the malware came from, and what purpose it performs.

Wardle said that, based on the target victims, the malware is less likely to be run by a nation state attacker, and more likely operated by a single hacker “with the goal to spy on people for perverse reasons.” He wouldn’t say how many were affected by the malware, but suggested it wasn’t widespread like other forms of malware.

He also wasn’t sure on the exact delivery method of the malware, but suggested it could infect a computer through a malicious email attachment.

Wardle has since informed and is now working with law enforcement on the matter, handing over the list of victims and command and control servers.

“You have to realize that this kind of re-exposes the fact that you can be an ordinary person and still be victim of a really insidious attack,” he said.
“This is just another illustration that Macs are just as vulnerable as any other computer.”

In part for that reason, Wardle spends his spare time developing free-to-download Mac tools to protect against this kind of attack, including Oversight, which notifies users when their microphone or webcam becomes active; essentially protecting against some of the features of this malware.

“It’s not surprising that this malware wasn’t detected for five or more years, because current Mac security software is often rather ineffective,” he said.
“Most don’t even look for this kind of activity.”

Wardle is set to talk about the malware in more detail at the Black Hat conference in Las Vegas on Wednesday.

Apple did not respond to a request for comment.


This Android ransomware threatens to expose your browsing history to all your contacts

July 11, 2017

LeakerLocker forgoes using encryption, instead choosing threats to make money out of victims.

A form of Android ransomware which threatens to send the victim’s private information and web history to all of their contacts has been discovered in the official Google Play app store.

Uncovered by researchers at McAfee, LeakerLocker doesn’t actually encrypt the victims’ files, but instead claims to have made a backup of data stored on the device and threatens to share it with all of the user’s phone and email contacts.

Those behind the malware demand $50 in exchange for not leaking personal data including photos, Facebook messages, web history, emails, location history and more, playing on fears of potential embarrassment rather than any form of cryptography.

Two applications in the Google Play Store contained the malware, Wallpapers Blur HD, which has been downloaded between 5,000 and 10,000 times, and Booster & Cleaner Pro, which has been downloaded between 1,000 and 5,000 times.

The combined number of downloads means that up to 15,000 people have fallen victim to this ransomware, which has been in the Google Play Store since at least April. Both apps have good review scores, suggesting that those behind the scheme have been giving them fake reviews.

Once downloaded, LeakerLocker asks for vast swathes of permissions, including the ability to manage calls, read and send messages, and have access to contacts — overreaching for the apps the malware is claiming to be — before communicating with a receiver, initiating the malicious activity and locking the homescreen of the device with the extortion threat.

It’s true that the malware can gain access to private information — thanks to its victims granting permissions at installation time — but not all the private data LeakerLocker claims to have access to can be seen or leaked.

However, analysis of the code shows it’s capable of at least accessing an email address, some contact information, Chrome browser history, text messages and calls, and photos from the camera.

Snippets of this data are chosen at random to convince the victim that all their data has been copied — although at this point the information hasn’t actually been copied, but it could happen if the control server issues relevant instructions.

This basic form of ransomware demands the ransom via credit card, although researchers advise infected victims not to pay because there is no guarantee that the information will be released or not used to blackmail victims again.

McAfee researchers have reported LeakerLocker to Google, which says it’s “investigating” — and it appears that the two apps including the malware have been removed from the Google Play store.