
Most antivirus programs fail to detect this cryptocurrency-stealing malware

November 17, 2018

Traditional antivirus software has a tough time detecting malware used in the campaign.

A new, active campaign is using malware capable of dancing around traditional antivirus solutions in order to empty cryptocurrency wallets.

The malware is being used in the DarkGate campaign, a previously undetected hacking operation uncovered this week by enSilo security researchers.

According to the team, DarkGate is currently underway in Spain and France, targeting Microsoft Windows PCs by way of torrent files.

Torrent files are most commonly associated with pirated content, but the technology itself is not illegal and can be used by consumers and businesses alike to share files of large sizes.
In this case, however, the malicious .torrent files masquerade as pirated versions of popular television shows and films, including The Walking Dead.

The DarkGate malware uses a variety of obfuscation techniques to circumvent traditional antivirus solutions.
The malware’s command-and-control (C2) structure, which allows operators to send commands remotely and for the malware to transfer stolen data, is cloaked in DNS records from legitimate services including Akamai CDN and AWS.

Hiding the C2 behind DNS entries for reputable services lets the malware pass the reputation checks that would flag the shady services or bulletproof hosting platforms associated with malware and criminal campaigns.

In addition, DarkGate uses vendor-specific checks and actions, including a method known as “process hollowing”, to avoid detection by AV software.
This technique starts a legitimate program in a suspended state, replaces its in-memory image with the malicious code, and then resumes it, so the malicious code runs under the name and identity of the trustworthy program.

DarkGate will also perform a number of checks in an attempt to ascertain whether or not it has landed in a sandbox environment — used by researchers to analyze and unpack malicious software — and will perform a scan for common AV systems, such as Avast, Bitdefender, Trend Micro, and Kaspersky.

The malware also makes use of recovery tools to prevent files critical to its operation from being deleted.

enSilo says that the malware author “invested significant time and effort into remaining undetected,” and during testing, it was found that “most AV vendors failed to detect it.”

When executed, DarkGate implements two User Account Control (UAC) bypass techniques in order to gain elevated privileges, then downloads and executes a range of additional malware payloads.

These packages give DarkGate the ability to steal credentials associated with a victim’s cryptocurrency wallets, execute ransomware payloads, create a remote access tunnel for operators to hijack the system, and also implement covert cryptocurrency mining operations.

According to enSilo, the C2 is overseen by human operators who act when they are alerted to new infections related to cryptocurrency wallets by installing the remote access tools necessary to compromise virtual coin funds.



Meet the malware which hijacks your browser and redirects you to fake pages

August 29, 2018

The malware is currently being distributed through the RIG exploit kit.

The RIG exploit kit, which at its peak infected an average of 27,000 machines per day, has been grafted with a new tool designed to hijack browsing sessions.

The malware in question, a rootkit called CEIDPageLock, has been distributed through the exploit kit in recent weeks.

According to researchers from Check Point, the rootkit was first discovered in the wild several months ago.

CEIDPageLock was detected when it attempted to tamper with a victim’s browser. The malware was attempting to replace their homepage with a legitimate Chinese directory for weather forecasts, TV listings, and more.

The researchers say that CEIDPageLock is sophisticated for a browser hijacker and that, now bundled with RIG, it has received “noticeable” improvements.

Among the new additions is functionality which permits user browsing activities to be monitored, alongside the power to change a number of websites with fake home pages.

The malware targets Microsoft Windows systems.
The dropper extracts a 32-bit kernel-mode driver, which is saved in the Windows temporary directory under the name “houzi.sys”.
The driver is signed, but the issuer has since revoked the certificate.
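A driver dropped into a temp directory and signed with a certificate that has since been revoked is a pattern worth alerting on. The following added example (not Check Point’s tooling) runs that check over constructed records shaped like Sysmon Event ID 6 (DriverLoad) fields; the file names, signer name and the list of user-writable paths are assumptions for the illustration.

```python
"""Flag suspicious kernel-driver loads from Sysmon-style DriverLoad (Event ID 6) records.

Added example, not code from the original article or from Check Point. The events are
constructed samples using Sysmon's ImageLoaded / Signed / Signature / SignatureStatus
fields; the paths, signer names and thresholds are assumptions for this illustration.
"""
import re
from dataclasses import dataclass

# Locations a legitimate kernel driver should never be loaded from (assumed list).
# Patterns are matched case-insensitively against the full ImageLoaded path.
USER_WRITABLE_PATTERNS = [
    r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\",
    r"\\Windows\\Temp\\",
    r"\\ProgramData\\",
    r"\\Users\\Public\\",
]


@dataclass
class DriverLoad:
    image: str
    signed: bool
    signer: str
    signature_status: str  # Sysmon reports values such as "Valid", "Revoked", "Expired"


def parse_event(line: str) -> DriverLoad:
    """Parse one flattened 'Key=Value|Key=Value' record (constructed format)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return DriverLoad(
        image=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signer=fields.get("Signature", ""),
        signature_status=fields.get("SignatureStatus", "Unavailable"),
    )


def suspicious_reasons(ev: DriverLoad) -> list:
    """Return the list of reasons this driver load deserves a look (empty if none)."""
    reasons = []
    if any(re.search(p, ev.image, re.IGNORECASE) for p in USER_WRITABLE_PATTERNS):
        reasons.append("loaded from user-writable/temp path")
    if not ev.signed:
        reasons.append("unsigned")
    elif ev.signature_status.lower() != "valid":
        # A revoked or expired certificate still loads on an unpatched box; treat it as unsigned.
        reasons.append(f"signature status {ev.signature_status}")
    return reasons


def triage(lines) -> dict:
    """Map each suspicious driver path to its reasons."""
    findings = {}
    for line in lines:
        ev = parse_event(line)
        reasons = suspicious_reasons(ev)
        if reasons:
            findings[ev.image] = reasons
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"ImageLoaded=C:\Windows\System32\drivers\tcpip.sys|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    r"ImageLoaded=C:\Users\alice\AppData\Local\Temp\houzi.sys|Signed=true|Signature=Example Signer Ltd|SignatureStatus=Revoked",
    r"ImageLoaded=C:\Windows\Temp\drv.sys|Signed=false|Signature=|SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(reasons)}")
```

In production the same logic would read Sysmon events from the Windows event log or a SIEM rather than a flat string, and a revocation status only appears in telemetry after the revocation is published, so the path check is the part that fires on day one.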

Once the driver is running, hidden among the standard drivers loaded during setup, the dropper sends the victim PC’s MAC address and user ID to a command-and-control (C&C) domain.
This information is then used when a victim begins browsing in order to download the desired malicious homepage configuration.

If victims are redirected from legitimate services to fraudulent ones, this can lead to threat actors obtaining account credentials, victims being issued malicious payloads, as well as the gathering of data without consent.

“They then either use the information themselves to target their ad campaigns or sell it to other companies that use the data to focus their marketing content,” the team says.

The latest version of the rootkit is also packed with VMProtect, which Check Point says makes an analysis of the malware more difficult to achieve.
In addition, the malware prevents browsers from accessing antivirus solutions’ files.

CEIDPageLock appears to focus on Chinese victims.
Infection rates number in the thousands for the country, and while Check Point has recorded 40 infections in the United States, the spread of the malware is considered “negligible” outside of China.

“At first glance, writing a rootkit that functions as a browser hijacker and employing sophisticated protections such as VMProtect might seem like overkill,” Check Point says.
“While CEIDPageLock might seem merely bothersome and hardly dangerous, the ability to execute code on an infected device while operating from the kernel, coupled with the persistence of the malware, makes it a potentially perfect backdoor.”

According to Trend Micro, exploit kits are still making inroads in the cybersecurity landscape. RIG remains the most active, followed by GrandSoft and Magnitude.


This malware delivers either ransomware or cryptocurrency mining software to your PC

July 6, 2018

Rakhni Trojan has evolved to examine the infected PC to determine which form of malware will be best to install.

An ever-evolving form of malware has added a new tactic which sees it choose to deliver ransomware or a cryptojacker depending on the circumstances of the infected victim.

If an infected computer contains a bitcoin wallet, the malware will install file-encrypting ransomware — if there’s no pre-existing cryptocurrency folder and the computer is capable of mining cryptocurrency, a miner will be downloaded and installed for the purposes of exploiting the PC’s power to generate cryptocurrency.

The cryptocurrency miner is the latest addition to Rakhni Trojan, a malware family that has existed since 2013 and has continually evolved over its five-year existence.
It appears that those behind the malware are looking to exploit the rise of cryptocurrency mining malware while combining it with their traditional attacks.

“It’s just another example of the cynical attitude of criminals to their victim.
They will in any case try to benefit from the victim: by direct extortion of money or by unauthorized use of user resources in their own needs,” Orkhan Mamedov, malware analyst at Kaspersky Lab, told ZDNet.

Researchers at Kaspersky Lab have been analysing Rakhni since it first emerged and have detailed its recent addition of a cryptocurrency miner.

Like many cyber attacks, the Rakhni campaign begins with a phishing email sent out to potential victims.
This particular campaign focuses on Russia, with over 95 percent of victims in the country and the spam emails written in Russian.

In this instance, the emails are designed to look like messages concerning financial documents and come with a Microsoft Word attachment in which a malicious payload is waiting.
The user is encouraged to enable editing so that the document’s macros, which the payload depends on, are allowed to run.

The victim is then encouraged to open an embedded PDF, which isn’t launched — with a malicious executable being launched instead and the user’s computer becoming infected with the malware. An error message is displayed in order to avoid the user becoming suspicious about the lack of a PDF being opened.

Once installed, Rakhni performs environmental checks on the compromised computer in order to aid it coming to the decision over whether to install ransomware or a miner.

If a cryptocurrency wallet is already on the computer, ransomware will be downloaded and executed on the machine — but only after the system has been idle for two minutes — resulting in files being encrypted with a ‘.neitrino’ extension.

Victims are presented with a ransom note written in Russian which demands payment in three days and an email contact address for the attacker.

“The ransom note warns the victim that using third-party decryptors can corrupt files and even the original decryptor would not be able to decrypt them.
The last sentence of the ransom note informs the victim that all requests will be processed by an automatic system,” said Mamedov.

However, despite this threat, decryption tools for Rakhni are available.

If no wallet is on the machine, a miner is downloaded instead — and it appears to be able to exploit the power of the victim’s processor to provide the attackers with either Monero or Dashcoin cryptocurrency — as they’re much simpler to mine than bitcoin is, along with providing additional anonymity.

In order to disguise the miner as a trusted process, the attacker signs it with a fake Microsoft Corporation certificate.

In the event that conditions on the compromised machine aren’t deemed acceptable for either installing ransomware or a miner, Rakhni has another trick up its sleeve: it uses a worm-like function in an effort to copy itself onto other machines on the network and unleash its malicious operations from there.

Despite a downturn in infections, ransomware is still a successful means for cyber criminals to make money — but the addition of the miner demonstrates that those behind Rakhni are open to new attack techniques, especially when they are as subtle as mining.


This new Windows malware wants to add your PC to a botnet – or worse

June 20, 2018

The intentions of and delivery method of Mylobot are unknown – but it appears to be the work of a sophisticated attacker who could deliver trojans, ransomware and more.

A new malware campaign is roping systems into a botnet and providing the attackers with complete control over infected victims, plus the ability to deliver additional payloads, putting the victims’ devices at risk of Trojans, keyloggers, DDoS attacks and other malicious schemes.

The malware comes equipped with three different layers of evasion techniques which have been described by the researchers at Deep Instinct who uncovered the malware as complex, rare and “never seen in the wild before“.

Dubbed Mylobot after a researcher’s pet dog, the origins of the malware and its delivery method are currently unknown, but it appears to have a connection to Locky ransomware, one of the most prolific forms of malware of last year.

The sophisticated nature of the botnet suggests that those behind it aren’t amateurs, with Mylobot incorporating various techniques to avoid detection.

They include anti-sandboxing, anti-debugging, encrypted files and reflective EXE loading, which is the ability to execute EXE files directly from memory without ever writing them to disk.
The technique is not common and, according to the researchers, was only first observed in 2016; it makes the malware even harder to detect and trace.

On top of this, Mylobot incorporates a delaying mechanism which waits for two weeks before making contact with the attacker’s command and control servers — another means of avoiding detection.

“The reason to do 14 days of sleep is to avoid any network and malicious activity, thus bypassing cyber security solutions like endpoint detection and response, threat hunting and sandboxing,” Tom Nipravsky, Deep Instinct security researcher, told ZDNet.

Once installed on a system Mylobot shuts down Windows Defender and Windows Update, while also blocking additional ports on the firewall — all tactics to ensure that its malicious activity can operate without being impeded.

In addition to this, it actively targets and deletes any other instances of malware which have previously been installed on the machine, even specifically aiming for other botnets.

The thinking behind this is simple — eliminating the competition in order to ensure the attackers gain control over the largest network of infected computers to make the most profit from abusing the compromised machines as possible.

Once a computer is part of the botnet, the attacker can take complete control of the system and further payloads and instructions can be delivered from the command and control server.

“The expected damage here depends on the payload the attacker decides to distribute.
It can vary from downloading and executing ransomware and banking trojans, among others,” said Nipravsky.

“This can result in the loss of a tremendous amount of data, the need to shut down computers for recovery purposes, which can lead to disasters in the enterprise.”

Researchers haven’t detailed what additional payloads are being downloaded, but analysis of the command and control domains related to Mylobot uncovered connections to Locky ransomware and other malware.

“According to our research, the IP of the C&C server was first seen in November 2015, and is linked to DorkBot, Locky and Ramdo,” Nipravsky said.

With the C&C having been active for two and a half years, it indicates those behind Mylobot have been active for some time — and they use tactics which suggest a well-resourced operation.

“The botnet is trying to connect to 1,404 different domains. At the time of writing this research, only one was alive.
This is an indication for big resources in order to register all those domains,” said Nipravsky.
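A bot that walks a list of 1,404 candidate domains of which one resolves leaves a distinctive footprint in DNS logs: one client, a flood of NXDOMAIN answers for names nobody else asks about. The following added example (not Deep Instinct’s code) scores clients by that ratio over constructed resolver log lines; the log format, thresholds and host addresses are assumptions for the illustration.

```python
"""Flag clients whose DNS traffic is dominated by NXDOMAIN answers for many distinct names.

Added example, not code from the original article or from Deep Instinct. The log lines
are constructed in a simple '<timestamp> <client_ip> <qname> <rcode>' shape; the
thresholds below are assumptions a defender would tune to their own environment.
"""
from collections import defaultdict

MIN_QUERIES = 20       # ignore clients with too little traffic to judge (assumed)
NXDOMAIN_RATIO = 0.9   # share of failed lookups that triggers an alert (assumed)
MIN_DISTINCT = 20      # distinct dead names, so one retried typo does not alert (assumed)


def parse_line(line: str):
    """Return (client_ip, qname, rcode) from one constructed log line."""
    _ts, client, qname, rcode = line.split()
    return client, qname.lower().rstrip("."), rcode


def analyse(lines) -> dict:
    """Return {client_ip: stats} for every client that crosses all three thresholds."""
    total = defaultdict(int)
    nx_count = defaultdict(int)
    nx_names = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        client, qname, rcode = parse_line(line)
        total[client] += 1
        if rcode == "NXDOMAIN":
            nx_count[client] += 1
            nx_names[client].add(qname)

    alerts = {}
    for client, n in total.items():
        if n < MIN_QUERIES:
            continue
        ratio = nx_count[client] / n
        distinct = len(nx_names[client])
        if ratio >= NXDOMAIN_RATIO and distinct >= MIN_DISTINCT:
            alerts[client] = {"queries": n, "nxdomain": nx_count[client],
                              "distinct_dead": distinct, "ratio": round(ratio, 3)}
    return alerts


# Constructed sample log: one client cycling through a candidate list where a single
# name is alive, and one ordinary client with a lone typo. Not real traffic.
SAMPLE_LOG = (
    [f"2018-06-20T10:00:{i:02d} 10.0.0.5 cand-{i:03d}.example. NXDOMAIN" for i in range(30)]
    + ["2018-06-20T10:00:31 10.0.0.5 cand-live.example. NOERROR"]
    + [f"2018-06-20T10:01:{i:02d} 10.0.0.7 www.example.org. NOERROR" for i in range(25)]
    + ["2018-06-20T10:01:26 10.0.0.7 wwww.example.org. NXDOMAIN"]
)

if __name__ == "__main__":
    for client, stats in analyse(SAMPLE_LOG).items():
        print(f"{client}: {stats}")
```

The 14-day sleep described above means this signal only appears once the bot starts beaconing, and the one live domain will show up as a NOERROR answer in the same client’s traffic, which is the name to pivot on next.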

The malware isn’t widespread and it still remains unclear who the attacker behind Mylobot is, how the malware is delivered or even what their ultimate goal is — but one thing researchers have concluded from the complexity of the scheme is that it isn’t an amateur operation.

“We haven’t found any indication about who the author is, but based on the code, this is someone who knows what they’re doing,” said Nipravsky.


This new Android malware delivers banking trojan, keylogger and ransomware

June 17, 2018

Researchers uncover a form of malware that’s still in development – but it has the potential to become a nasty threat.

An experimental form of Android malware delivers a banking trojan, a keylogger and ransomware to those unfortunate to fall victim to it.

Uncovered by researchers at security company ThreatFabric, the malware was first thought to be an updated version of LokiBot, but as it contains various new features, the researchers are labelling it a new family: MysteryBot.

However, MysteryBot and LokiBot share the same command and control server, indicating a strong link between the two forms of malware and the possibility that they were developed by the same attacker.

The malware is also potentially potent, with the trojan capable of controlling the functionality of the infected devices, including the ability to read messages, gather contact information and more.

There are also commands for stealing emails and remotely starting applications, but these particular tools don’t appear to be active yet, suggesting that this malware is still in the development phase.

While many Android malware families concentrate on attacking older versions of the Google operating system, MysteryBot has the capability to actively target Android versions 7 and 8 using overlay screens designed to look like real bank websites, but are in fact run by the attackers, the researchers said.

Fake websites of a wide variety of banks across the world are able to be displayed to the victim, ensuring that the attackers can cast a wide net for stealing entered credentials.

Once active on the device, the malware is listed as a fake version of Adobe Flash Player.
However, researchers haven’t detailed how the payload is initially delivered onto the device.

The researchers explain in a blog post that the malware logs keystrokes in a novel way: rather than hooking the keyboard, it infers which key was pressed from the touch location on the screen relative to the others, and it can do so whether the device is held horizontally or vertically.

However, as with other features of the malware, the keylogger still appears to be in development as there’s currently no way for the logged keys to be stored on the command server.

On top of the ability to infect victims with a trojan and a keylogger, those behind MysteryBot have also been experimenting with a ransomware tool.
The embedded ransomware feature enables the malware to individually encrypt files and store them in a passworded ZIP archive.

When the encryption is complete, a message accuses the victim of having watched adult content and demands that an email address be contacted to gain a password – and presumably pay for the privilege.

However, the ransomware element of MysteryBot doesn’t appear to be sophisticated: it requires contact via email, and the password is only eight characters long, which in theory could be recovered by brute force.

Secondly, victims are assigned an ID between 0 and 9999, and since there is no check for an existing ID, the attackers could issue duplicate IDs and make it impossible for some victims to retrieve their files.

But despite some of the capabilities of MysteryBot currently being underdeveloped, the malware is still a potential threat.

“The enhanced overlay attacks also running on the latest Android versions combined with advanced keylogging and the potential under-development features will allow MysteryBot to harvest a broad set of personal identifiable information in order to perform fraud,” wrote the researchers.

MysteryBot isn’t currently widespread and is still under development, but users should be wary of any applications they download which ask for an excessive number of permissions.


Google in court over ‘clandestine tracking’ of 4.4m iPhone users

May 23, 2018

Google’s in trouble again over the “Safari Workaround”: the iPhone shakedown for personal information from millions of iPhone users.

In 2012, the workaround got the search giant fined by the US Federal Trade Commission (FTC) for $22.5m, fined again a year later for $17m after it got sued by dozens of states, and now has the UK’s Google You Owe Us campaign out for its own pound of flesh.

Make that a few pounds of flesh: The Google You Owe Us campaign has started the process of getting its own comeuppance, and the US fines pale in comparison to what the British group is after.

Monday marked day one in London’s high court, where the collective action is suing the company for what could be as much as £3.2bn (USD $4.3b), according to court filings.

It alleges “clandestine tracking and collation” of information that included race, physical and mental health, political leanings, sexuality, social class, financial data, shopping habits and location data.
On the campaign’s site, it alleges that Google’s Safari Workaround tracked iPhone users’ internet browsing history, which Google then used to sell a targeted advertising service.

Google You Owe Us first launched a “representative action” (similar to a class action in the US) in November 2017.
The action alleges that the search giant:

Took our data by bypassing default privacy settings on the iPhone Safari browser which existed to protect our data, allowing it to collect browsing data without our consent.

On Monday, Google You Owe Us lawyers told the high court that Google collected personal information from 4.4 million iPhone users in the UK.

Richard Lloyd, former director of the UK consumer champion Which?, is heading up the collective action.
His lawyer, Hugh Tomlinson QC, told the court that Google bypassed the privacy settings of Apple’s Safari browser on iPhones between August 2011 and February 2012 in order to divide people into categories so as to target marketing at them.

For this purpose, Google allegedly aggregated the data and shuffled users into groups for targeted marketing that included categories such as “football lovers” or “current affairs enthusiasts.”

Bloomberg reports that if the group action has its way in court, each affected iPhone user could receive £750 (approx. $1,000).

Google You Owe Us says don’t worry about whether you’re part of the claim: just sit back and let Richard Lloyd and the lawyers take care of the case.
To see if you were affected by Google’s actions, or if you don’t want to be part of the claim, you can read more on the group’s FAQ page.

Google has said that there’s no evidence that the Safari Workaround resulted in any information being disclosed to third parties; that it’s impossible to identify those who may have been affected; that the claim’s got no chance of success; and that the claim relates to events that are six years old and which have already been addressed.


Twitter Urges Users to Change Passwords Due to Glitch

May 4, 2018

Twitter said Thursday that a glitch caused account passwords to be stored in plain text on an internal log, sending users across the platform scrambling to change their passwords.

The social media company said that it found and has fixed the glitch, and its investigation shows no indication of a breach or misuse by anyone.
While the company did not specify how many passwords were impacted, a Reuters report pegged the number at more than 330 million.

“I’d emphasize that this is not a leak and our investigation has shown no signs of misuse,” a Twitter spokesperson told Threatpost.
“We’re sharing this information so everyone can make an informed decision on the security of their account.”

The spokesperson declined to comment on the timeframe of the glitch and how many users were impacted.

“Due to a bug, passwords were written to an internal log before completing the hashing process,” said Parag Agrawal, CTO of Twitter, in a blog post.
“We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.”

Users who opened their accounts Thursday evening received a prompt from Twitter asking them to consider changing their password on all services where they used the password.

Twitter said that it protects stored passwords by hashing them with bcrypt, a salted, deliberately slow one-way function that replaces the actual password with a string of letters and digits from which the original cannot be recovered.
However, the bug caused passwords to be written to an internal log before that hashing step had run.
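The failure mode here is the ordering of two ordinary operations: a request is logged in full, and only then is the password hashed. The following added example (not Twitter’s code) shows the buggy order beside a version in which the log never receives the secret, plus a logging filter as a second line of defence. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the block runs without third-party packages; the iteration count, log format and sample credentials are assumptions for the illustration.

```python
"""Hash before you log: the plaintext-in-the-log bug pattern beside a fixed version.

Added example, not code from the original article or from Twitter. PBKDF2-HMAC-SHA256
stands in for bcrypt (same role: salted, slow, one-way); the parameters are assumptions.
"""
import hashlib
import hmac
import logging
import os
import re

ITERATIONS = 200_000          # assumed work factor; tune to your hardware budget
LOG_RECORDS = []              # stand-in for the "internal log", inspectable afterwards


class ListHandler(logging.Handler):
    """Collect formatted records in memory so the example can check what was logged."""
    def emit(self, record):
        LOG_RECORDS.append(self.format(record))


log = logging.getLogger("signup-example")
log.setLevel(logging.INFO)
log.propagate = False
log.addHandler(ListHandler())


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>' with a fresh random salt."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def register_buggy(username: str, password: str) -> str:
    # Bug: the whole request is logged before hashing, so the plaintext lands in the log.
    log.info("signup request: %r", {"username": username, "password": password})
    return hash_password(password)


def register_fixed(username: str, password: str) -> str:
    # Fix: hash first, and log only fields that are safe to keep (never the secret).
    stored = hash_password(password)
    log.info("signup request: %r", {"username": username, "password_algo": stored.split("$")[0]})
    return stored


class RedactSecrets(logging.Filter):
    """Defence in depth: scrub any password-like value that still reaches the logger."""
    PATTERN = re.compile(r"('(?:password|passwd|secret)'\s*:\s*)'[^']*'")

    def filter(self, record):
        record.msg = self.PATTERN.sub(r"\1'[REDACTED]'", record.getMessage())
        record.args = ()
        return True


def run_scenario(register_fn, with_filter: bool):
    """Run one registration and report (stored hash, whether the plaintext hit the log)."""
    LOG_RECORDS.clear()
    log.filters.clear()
    if with_filter:
        log.addFilter(RedactSecrets())
    secret = "correct horse battery staple"          # constructed sample credential
    stored = register_fn("alice", secret)
    leaked = any(secret in rec for rec in LOG_RECORDS)
    return stored, leaked


if __name__ == "__main__":
    for fn, flt in ((register_buggy, False), (register_fixed, False), (register_buggy, True)):
        stored, leaked = run_scenario(fn, flt)
        print(f"{fn.__name__:15s} filter={flt!s:5s} plaintext in log: {leaked}")
```

The filter is a backstop, not the fix: it only catches values that look like a password field in a repr, so the real control is that `register_fixed` never hands the secret to the logging layer at all.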

Agrawal said in a tweet that Twitter is sharing the information about the glitch to help users “make an informed decision about their account security.”

Security researcher Troy Hunt told Threatpost that the real-world risk of the glitch to users is likely very low.
“I can see how it would happen – logs are often largely automated – but clearly it’s a massive oversight,” he said.
“By the same token, if the extent of the issue is that the passwords were captured to internal logs, the logs weren’t exposed and they’ve subsequently cleaned that up, the real world risk is likely very low.”

The news parallels another incident earlier this week, in which GitHub disclosed that it had discovered a recently introduced bug that exposed a small number of users’ passwords in plain text in internal logs.
GitHub also uses bcrypt to hash passwords.

Twitter found itself in hot water earlier in the week after disclosing that it sold data access to a Cambridge Analytica-linked researcher.
This added to the security community’s already growing concern about how social media companies protect private user data.