
New Spider ransomware threatens to delete your files if you don’t pay within 96 hours

December 12, 2017

Attackers behind new ransomware campaign are offering a “really easy” tutorial video in order to ensure they make money from their criminal activities.

A new form of ransomware has emerged and is being distributed through malicious Office documents, infecting victims with file-encrypting malware.

Uncovered by researchers at Netskope, the ‘Spider Virus’ ransomware campaign was first detected on December 10 and is ongoing.

Like many ransomware schemes, the attack begins with malicious emails to potential victims.
The email subjects and the lure documents indicate the attackers are keen on targeting victims in the Balkans.
It’s currently unknown where the attackers are operating from.

The malicious Microsoft Office attachment contains obfuscated macro code which — if macros are enabled — allows a PowerShell script to download the first stage of the ransomware payload from a host website.

Following this, the PowerShell script decodes the Base64 string and performs further operations to decode the final payload into an .exe file — which contains the Spider ransomware encryptor.

PowerShell then launches the encryptor, encrypting the user’s files, adding a ‘.spider’ extension to them and then displaying a ransom note.

The note tells the victim they’ve been infected with the Spider Virus and that they need to make a bitcoin payment for “the right key” in order to get their files back.

The attackers also issue a threat that if the payment isn’t received within 96 hours, their files will be deleted permanently.
They add victims shouldn’t “try anything stupid” as the ransomware has “security measures” which delete the files if the victim tries to retrieve them without paying the ransom.

The Spider ransomware note is available in two languages.

An additional note provides the victim with instructions on how to download the Tor browser required to access the payment site, how to generate a decryption tool, and how to purchase bitcoin.

“This may seem complicated to you, actually it’s really easy,” the note says — adding that there’s also a video tutorial inside a ‘help section’.
It’s common for ransomware distributors to provide this sort of ‘service’ to victims, because if the victims can’t pay the ransom, the criminals won’t make money from their campaign.

The attackers behind Spider offer a tutorial video to victims to ensure that they can buy bitcoin to pay the ransom.

The Spider ransomware is still being distributed in what researchers refer to as a “mid-scale campaign”.

As well as educating employees about the danger of ransomware and backing up critical files, businesses can protect themselves from becoming infected by Spider — and many other forms of file-encrypting malware — by removing macros, which are used as an attack vector.

“In addition to disabling macros by default, users must also be cautious of documents that only contain a message to enable macros to view the contents and also not to execute unsigned macros and macros from untrusted sources,” said Netskope’s Amit Malik.

Because Spider is a brand new form of ransomware, there’s currently no free decryption tool available for victims to retrieve files.



Keylogger uncovered on hundreds of HP PCs

December 11, 2017

For the second time this year, HP has been forced to issue an emergency fix for pre-installed keylogger software.

Hewlett Packard has issued an emergency patch to resolve a driver-level keylogger discovered on hundreds of HP laptops.

The bug was discovered by Michael Myng, also known as “ZwClose.”
The security researcher was exploring the Synaptics Touchpad SynTP.sys keyboard driver and how laptop keyboards were backlit and stumbled across code which looked suspiciously like a keylogger.

In a blog post, ZwClose said the keylogger, which saved scan codes to a WPP trace, was found in the driver.

While logging was disabled by default, it could be enabled, given the right permissions, by changing registry values. Should a laptop be compromised by malware, malicious code — including Trojans — could take advantage of the keylogging system to spy on users.

“I messaged HP about the finding,” Myng said. “They replied terrifically fast, confirmed the presence of the keylogger (which actually was a debug trace) and released an update that removes the trace.”

HP has acknowledged the issue.
In a security advisory, HP said:

“A potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impacts all Synaptics OEM partners.

A party would need administrative privileges in order to take advantage of the vulnerability.
Neither Synaptics nor HP has access to customer data as a result of this issue.”

A CVSS score of 6.1 has been issued, together with updated firmware and drivers for hundreds of laptops, both commercial and consumer.

Affected products include HP G2 Notebooks, the HP Elite x2 1011 G1 tablet, HP EliteBooks, HP ProBooks, and HP ZBook models, among others.

The researcher said that a fix will also be included in Windows Update.

Back in May, security firm Modzero discovered a keylogger in the Conexant HD audio driver package, installed in dozens of HP devices.
HP quickly rolled out a patch that resolved the issue, which could have been used to collect data including passwords, website addresses, and private messages.


Android security: Sneaky three-stage malware found in Google Play store

November 15, 2017

Tens of thousands of users have downloaded two newly uncovered forms of malware.

Another crop of Android apps hiding malware has been discovered in – and removed from – the Google Play store.

Researchers at ESET discovered eight apps available to download via Google Play which all carried Trojan Dropper, a form of malware which allows attackers to drop additional malicious payloads ranging from banking trojans to spyware.

Disguised as apps including news aggregators and system cleaners, the apps looked legitimate but hid their malicious properties with the help of obfuscation and by delaying the installation of the payload.

Some of the malicious apps identified by ESET.

Following the initial download, the app doesn’t request the suspicious permissions associated with malware and initially mimics the activity the user expects – an increasingly common tactic among malicious software developers.

However, alongside this user-facing activity, the app secretly decrypts and executes payloads in a multi-step process.
The malicious app decrypts and executes a first-stage payload, which in turn decrypts and executes a second-stage payload.
This second-stage payload contains a hardcoded URL which the malware uses to download a third-stage payload containing another malicious app.

All of this is going on in the background without the user’s knowledge until, after a five minute wait, they’re prompted to install or update an app.
This is disguised to look as if it is a form of legitimate software, such as an update for Adobe Flash Player or for the Android system itself, when it is in fact the third stage of the malware’s dropping process.

The installation request asks for permission for intrusive activities such as reading contacts, sending and receiving calls and text messages, and the ability to modify and delete the contents of storage.
If permission is given to install this ‘update’, Trojan Dropper delivers the third-stage payload which decrypts and executes the final payload in the form of the malware itself.

Once installed on the device, Trojan Dropper is used to install other forms of malware – the malware has been spotted attempting to deliver the MazarBot banking trojan and various forms of spyware, but researchers note it can be used to deliver any malicious payload of the criminals’ choice.

Researchers analysed the URL used to deliver the final download and found that almost 3,000 users – mostly based in The Netherlands – reached this stage of the infection. ESET has informed Google of the apps, which have now been removed from the store.

ESET’s report comes at the same time as researchers at Malwarebytes have uncovered a new form of Android trojan malware masquerading as multiple apps in the Play Store.

Disguised as innocuous-looking apps such as an alarm clock, a QR code reader, a photo editor and a compass, thousands of users have downloaded AsiaHitGroup malware from the Google Play store.

“Based on data from Google Play, the apps present in the Play store that are infected with Android/Trojan.AsiaHitGroup have been installed 10,700 to 22,000 times,” Nathan Collier, Senior Malware Intelligence Analyst, told ZDNet.

Like other forms of malware, AsiaHitGroup appears to look legitimate, even coming with the advertised function.
However, in this instance, the user only gets one chance to use the app, because after it is closed the icon disappears.

But rather than becoming inactive, AsiaHitGroup disguises itself as the phone’s ‘download manager’ among the downloaded apps and continues to carry out its malicious activity – which in this case involves tracking the user’s location and distributing adware in order to generate money. Researchers say the geolocation tools ensure that the malware only targets users in Asia.

Like Trojan Dropper, AsiaHitGroup uses obfuscation techniques to hide itself within the Google Play store.

In both cases, users with Google Play Protect enabled would have been protected from the malicious apps, but these are just the latest instances of malware finding its way into the official application marketplace for Android users – BankBot banking data stealing malware was recently found in the store for the third time.

Google says it has a stringent security process for stopping malicious software getting into the Play store and that it keeps the vast majority of its 1.4 billion Android users safe from malware.


Fileless attacks surge in 2017, security solutions are not stopping them

November 15, 2017

By 2018, they are expected to account for 35 percent of all cyberattacks.

Fileless attacks are on the rise and are predicted to comprise 35 percent of all attacks next year, according to the Ponemon Institute.

A new national survey conducted by Barkly and the Ponemon Institute titled “2017 State of Endpoint Security Risk,” released on Wednesday, suggests that this method of cyberattack is becoming more popular — and traditional antivirus solutions are doing little to stop the trend.

After surveying 665 IT security professionals in the enterprise, the organizations discovered that faith in traditional file-scanning and antivirus software has become ashes in the wake of new, more innovative methods of compromising PCs and computer networks.

“We are in the midst of a significant shift in endpoint security,” Barkly and Ponemon say in the report.
The majority of organizations are replacing or augmenting these solutions with new security tools designed to stop fileless attacks, though many remain skeptical such attacks can be stopped at all.”

Fileless attacks dismiss traditional methods of compromise, such as downloading and executing malicious files on a victim’s system, as they can be detected by security solutions.

Instead, these attacks leverage exploits or launch scripts from memory, which can infect endpoints without leaving a trail behind.

According to the report, 70 percent of those surveyed said that the security risk to their organization has increased in the past 12 months, and as fileless attacks often exploit gaps between traditional security solutions and next-generation alternatives, much of the risk can be blamed on an increase in this type of attack.

The survey results estimate that 29 percent of attacks the enterprise faced this year were fileless, up 20 percent year-on-year, and this rate is expected to rise to 35 percent in 2018.

When asked what respondents think is the biggest challenge or problem with current enterprise endpoint security solutions, a lack of adequate protection was cited as the top concern.

In addition, high numbers of false-positive alerts, as well as deployment & management complexity, were also considered problems that impact on security and productivity.

Less than a third of those who participated in the survey said they believe current security setups can prevent the new waves of threats that are being launched at companies.

In total, respondents said they believe the average cost of a successful attack is over $5 million, and when attackers do manage to get through endpoint security, the amount of damage caused equates to roughly $300 per employee — and endpoint security is becoming harder to manage.

According to the research, existing endpoint solutions are placing a strain on staff, resources, and productivity.
The average enterprise company utilizes around seven types of different endpoint solutions, which can make management difficult.

In total, 73 percent of respondents said it has become “more difficult” for enterprise companies to manage endpoint risk, and only a third said they have the resources to do so.

Endpoint security is undergoing a shift as traditional security systems are no longer enough in the face of fileless attacks, sophisticated ransomware, phishing campaigns, and compromise through supply chains.

While the enterprise is gradually moving away from relying only on traditional antivirus, the report suggests that this is not enough — as many businesses are simply supplementing with damage-limitation solutions rather than tackling attack vectors themselves.

“Organizations can clearly benefit from endpoint security solutions designed to block new threats like fileless attacks, which are responsible for the majority of today’s endpoint compromises,” the organizations say.
To restore their faith in endpoint security’s effectiveness, new solutions need to address this crucial gap in protection without adding unnecessary complexity to endpoint management.”


Windows 10 tip: Turn on the new anti-ransomware features in the Fall Creators Update

October 25, 2017

A well-hidden feature in Windows 10 version 1709 prevents “unfriendly” apps (including most known strains of ransomware) from modifying files in protected folders.
Here’s how it works.

One of the most intriguing new features in Windows 10 version 1709 is a security setting that prevents unauthorized apps from gaining access to Windows system files and your personal data files.

With the Controlled Folder Access feature turned on, malicious and suspicious apps are blocked from changing files in known locations.
That’s a major roadblock for most known strains of ransomware, which do their dirty work by encrypting your personal files and demanding payment for the decryption key.

If you want to use this feature, you have to jump through a few hoops to turn it on. It’s available in all Windows 10 editions but is off by default.

First, make sure you’re running the Fall Creators Update, version 1709.

In addition, you must have Windows Defender real-time protection enabled.
In this release, the Controlled Folder Access feature does not work with third-party antivirus software.

With those prerequisites out of the way, open Windows Defender Security Center.
Click Virus & threat protection >> Virus & threat protection settings and toggle the switch under Controlled folder access to On.

That’s all the configuration that’s required. But you can adjust the default settings using the two links beneath that:

  • Click Protected folders to display a list of the folders whose contents are currently being protected from tampering by a malicious or suspicious app.
    The default list includes data folders from the current user profile and from the Public profile.
  • Click Allow an app through Controlled folder access to manage a list of whitelisted apps.
    Most well-known apps are already whitelisted, but you can add a program to the list if you see a Controlled Folder Access error message from that app and know that it’s safe and trustworthy.
  • At any time, you can turn the feature off by going back to Windows Defender Security Center and toggling the Controlled folder access switch to the Off position.
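The same Controlled Folder Access setup done from an elevated PowerShell prompt instead of the Security Center GUI, as an added example that is not part of the original article. It assumes Windows 10 version 1709 with Windows Defender real-time protection on, uses a constructed folder path and a placeholder application path, and goes a step beyond the article by starting in audit mode and showing where the block events are logged.

```powershell
# Added example (not from the article): Controlled Folder Access via the
# Windows Defender cmdlets. Run from an elevated PowerShell prompt on
# Windows 10 version 1709 with Defender real-time protection enabled.

# Prerequisite check: the feature requires Defender real-time protection.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    throw "Windows Defender real-time protection is off; Controlled Folder Access cannot be enabled."
}

# Show the current state. "Disabled" is the out-of-the-box default.
(Get-MpPreference).EnableControlledFolderAccess

# Weak (default) setting, shown for contrast: the feature is off, so any
# process, ransomware included, may modify files in the user's data folders.
# Set-MpPreference -EnableControlledFolderAccess Disabled

# Step 1: run in audit mode first. Nothing is blocked, but each write that
# would have been blocked is logged, which surfaces legitimate apps that
# need to be allowed before enforcement is switched on.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Step 2: protect folders beyond the default user-profile and Public folders.
# 'D:\Finance' is a constructed example; substitute the folder you care about.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'

# Step 3: allow a trusted application that audit mode showed being flagged.
# The executable path is a placeholder; use the app's real full path.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleVendor\ExampleApp.exe'

# Step 4: switch to enforcement once the audit log is clean.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Verify the final configuration.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications

# Review block (event ID 1123) and audit (event ID 1124) records from the
# Defender operational log to see which process was stopped from touching
# which protected file.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Leave the feature in audit mode for a few days on a representative machine before enforcing it, so that backup agents and line-of-business apps that write into the protected folders can be allowed through first.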


This ransomware-spreading botnet will now screengrab your desktop too

October 18, 2017

New payload bundled within Necurs botnet attacks allows those carrying out malicious campaigns to check if they’re working and improve updates.

Attackers behind one of the world’s most notorious botnets have added another string to their bow, allowing them to take screenshots of the desktops of victims infected with malware.

Having previously been inactive for much of the first half of the year, the Necurs botnet has recently undergone a resurgence, distributing millions of malicious emails – large swathes of which have most recently been spreading Locky ransomware.

It’s also been known to deliver the Trickbot banking trojan, indicating the attackers behind it have their fingers in many pies.

But not happy with just that, now those behind Necurs – a zombie army of over five million hacked devices – are also attaching a downloader with the functionality to gather telemetry from infected victims.

Uncovered by researchers at Symantec, the Necurs downloader can take screengrabs of infected machines and send them back to a remote server. It also contains an error-reporting feature which sends information back to the attackers on any issues the downloader encounters when performing its activities.

This functionality suggests the attackers are actively attempting to gather operational intelligence about the performance of their campaigns in much the same way legitimate software vendors collect crash reports in order to improve their products. However, in this case, the reports are designed to help the attackers spot problems and improve the chances of the malicious payload doing its job.

“After all, you can’t count on the victims to report back errors and issues,” note the researchers.

Like other Necurs campaigns, these attacks begin with a phishing email – this time using the lure of a phony invoice. If this attachment is opened, it’ll download a JavaScript which will in turn download a Locky or Trickbot payload, depending on the particular campaign.

Once loaded onto the system, the downloader also runs a PowerShell script that takes a screen grab and saves it to a file named ‘generalpd.jpg’, which is then uploaded to a remote server for further analysis by the attackers.

The last month or so has seen Necurs more active than at any point this year, with a high focus on distributing Locky, to such an extent that it’s almost reclaimed its crown as the king of ransomware.

In order to remain as protected as possible against threats distributed by the Necurs botnet, Symantec recommends that security software, operating systems and other applications are always kept up to date, and that users be extremely suspicious of unsolicited emails – especially if they contain links or attachments.


Chinese backdoor malware resurfaces after more than a decade

October 17, 2017

The malware affects Windows 7 and up to Windows 8.1, the researchers confirmed.

Security researchers found a sophisticated remote access trojan that has resurfaced more than a decade after it was first released.

The new malware, dubbed “Hacker’s Door” by researchers at Cylance, is operated by what’s thought to be a Chinese advanced persistent threat hacker group known as Winnti.

The malware has many similarities to a remote access trojan (RAT) of the same name that first debuted in 2004 but was updated with new features in 2005.

The research, published Tuesday, found the new malware is largely based on the decade-old malware, but it has been adapted and modified to infect newer 64-bit systems.

The new version comprises a backdoor and a rootkit, allowing the malware access to the operating system’s core, which gives the attacker access to system information, listing processes, and running commands.
The researchers also found the malware can grab screenshots and files, covertly download additional tools, and open telnet and remote access ports.
The tool can also extract the Windows user’s credentials from the current session and grab system information.

The new version looks to support Windows 7 and up to Windows 8.1, said the researchers.
The researchers are looking to see if Windows 10 is affected, but they can’t confirm at the time of writing.

It’s not known what kind of operation the Winnti APT group is using the malware for, but historically the hackers have focused on using remote access trojans for financial fraud.

The group is known to focus on large pharmaceutical companies and the video game industry, but Cylance senior threat researcher Tom Bonner said Hacker’s Door was detected in the aerospace industry this time around.

As in previous cases, the malware was sold by the author and signed with a stolen certificate — making it easier to infect machines by bypassing protections designed to detect unsigned code.

“It is highly likely that this tool will continue to be uncovered as part of targeted attacks for some time, as the ease of use and advanced functionality makes ‘Hacker’s Door’ the perfect RAT for any adversary’s arsenal,” the researchers said.