
This ransomware-spreading botnet will now screengrab your desktop too

October 18, 2017

New payload bundled within Necurs botnet attacks allows those carrying out malicious campaigns to check if they’re working and improve updates.

Attackers behind one of the world’s most notorious botnets have added another string to their bow, allowing them to take screenshots of the desktops of victims infected with malware.

Having previously been inactive for much of the first half of the year, the Necurs botnet has recently undergone a resurgence, distributing millions of malicious emails – large swathes of which have most recently been spreading Locky ransomware.

It’s also been known to deliver the Trickbot banking trojan, indicating the attackers behind it have their fingers in many pies.

But not content with just that, those behind Necurs – a zombie army of over five million hacked devices – are now also attaching a downloader with the functionality to gather telemetry from infected victims.

Uncovered by researchers at Symantec, the Necurs downloader can take screengrabs of infected machines and send them back to a remote server. It also contains an error-reporting feature which sends information back to the attackers on any issues the downloader encounters when performing its activities.

This functionality suggests the attackers are actively attempting to gather operational intelligence about the performance of their campaigns in much the same way legitimate software vendors collect crash reports in order to improve their products. However, in this case, the reports are designed to help the attackers spot problems and improve the chances of the malicious payload doing its job.

“After all, you can’t count on the victims to report back errors and issues,” note the researchers.

Like other Necurs campaigns, these attacks begin with a phishing email – this time using the lure of a phony invoice. If this attachment is opened, it’ll download a JavaScript which will in turn download a Locky or Trickbot payload, depending on the particular campaign.

Once loaded onto the system, the downloader also runs a PowerShell script that takes a screen grab, saves it to a file named ‘generalpd.jpg’ and uploads that file to a remote server for further analysis by the attackers.
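As an added example (not from the article or from Symantec), here is a small detector for the chain described above, run over constructed endpoint telemetry: a script host running a .js from a user directory, PowerShell spawned by that script host, and PowerShell writing the ‘generalpd.jpg’ screenshot file. The event schema, field names and sample paths are assumptions made for this example.

```python
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCREENSHOT_NAME = "generalpd.jpg"  # file name reported in the article

# Constructed sample telemetry (Sysmon-like event ids: 1 = process create,
# 11 = file create). Paths, pids and command lines are made up for this example.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 410, "ppid": 300, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\a\AppData\Local\Temp\invoice_4471.js"'},
    {"id": 1, "pid": 412, "ppid": 410,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand QQBBAEEAQQA="},
    {"id": 11, "pid": 412,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\a\AppData\Local\Temp\generalpd.jpg"},
    {"id": 1, "pid": 500, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
]


def _name(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return one alert per matching rule. Events are processed in arrival order,
    so a parent process is already known when its child event is seen."""
    by_pid = {}   # pid -> image name, used to join a child to its parent
    alerts = []
    for ev in events:
        name = _name(ev["image"])
        if ev["id"] == 1:
            by_pid[ev["pid"]] = name
            parent = by_pid.get(ev["ppid"], "")
            cmd = ev["cmdline"].lower()
            # Rule 1: the JavaScript downloader launched from a temp/downloads folder
            if name in SCRIPT_HOSTS and ".js" in cmd and ("\\temp\\" in cmd or "\\downloads\\" in cmd):
                alerts.append({"rule": "script_host_runs_js_from_user_dir", "pid": ev["pid"]})
            # Rule 2: the downloader's PowerShell stage, parented by the script host
            if name in POWERSHELL and parent in SCRIPT_HOSTS:
                alerts.append({"rule": "powershell_spawned_by_script_host", "pid": ev["pid"]})
        elif ev["id"] == 11:
            # Rule 3: PowerShell writing the screenshot file named in the article
            if name in POWERSHELL and _name(ev["target"]) == SCREENSHOT_NAME:
                alerts.append({"rule": "powershell_writes_generalpd_jpg", "pid": ev["pid"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rules 1 and 3 fire on their own; rule 2 depends on the parent event having been seen first, which is why the detector keeps the pid-to-image map rather than matching each event in isolation.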

The last month or so has seen Necurs more active than at any point this year, with a high focus on distributing Locky, to such an extent that it’s almost reclaimed its crown as the king of ransomware.

To stay as well protected as possible against threats distributed by the Necurs botnet, Symantec recommends keeping security software, operating systems and other applications up to date, and being extremely suspicious of unsolicited emails – especially if they contain links or attachments.



Chinese backdoor malware resurfaces after more than a decade

October 17, 2017

The malware affects Windows 7 and up to Windows 8.1, the researchers confirmed.

Security researchers found a sophisticated remote access trojan that has resurfaced after more than a decade since it was first released.

The new malware, dubbed “Hacker’s Door” by researchers at Cylance, is operated by what’s thought to be a Chinese advanced persistent threat hacker group known as Winnti.

The malware has many similarities to a remote access trojan (RAT) of the same name that first debuted in 2004 but was updated with new features in 2005.

The research, published Tuesday, found the new malware is largely based on the decade-old malware, but it has been adapted and modified to infect newer 64-bit systems.

The new version comprises a backdoor and a rootkit, giving the malware access to the operating system’s core, which lets the attacker gather system information, list processes, and run commands.
The researchers also found the malware can grab screenshots and files, covertly download additional tools, and open telnet and remote access ports.
The tool can also extract the Windows user’s credentials from the current session and grab system information.

The new version looks to support Windows 7 and up to Windows 8.1, said the researchers.
The researchers are looking into whether Windows 10 is affected, but they could not confirm it at the time of writing.

It’s not known what kind of operation the Winnti APT group is using the malware for, but historically the hackers have focused on using remote access trojans for financial fraud.

The group is known to focus on large pharmaceutical companies and the video game industry, but Cylance senior threat researcher Tom Bonner said Hacker’s Door was detected in the aerospace industry this time around.

As in previous cases, the malware was sold by the author and signed with a stolen certificate, making it easier to infect machines by bypassing protections designed to detect unsigned code.

“It is highly likely that this tool will continue to be uncovered as part of targeted attacks for some time, as the ease of use and advanced functionality makes ‘Hacker’s Door’ the perfect RAT for any adversary’s arsenal,” the researchers said.


New Adobe Flash Vulnerability Lets Hackers Plant Malicious Software on Your PC

October 16, 2017

Affects all unpatched Linux, Mac, Chrome OS and Windows PCs

As long as Adobe’s Flash Player plugin is still alive and installed on your personal computer, it will only cause damage to it.
Adobe Flash is often described as a security vulnerability in itself, as it’s full of security flaws and Adobe doesn’t patch them as fast as it should.

The latest, as reported by Reuters, is said to let hackers plant malicious software on your personal computer.
The malware was discovered by security firm Kaspersky Lab and it’s called FinSpy or FinFisher, which is usually used for surveillance by law enforcement agencies.

According to the report, Kaspersky Lab was actively tracking a hacker group called BlackOasis, which apparently managed to install malicious software on computers using the security vulnerability in the Adobe Flash Player plugin, before connecting those computers back to servers in the Netherlands, Switzerland, or Bulgaria.

The BlackOasis group is using FinSpy to target UN (United Nations) officials and Middle Eastern politicians, as well as regional news correspondents, activists, and opposition bloggers, but victims were also reported in the United Kingdom, Russia, Africa, Iraq, Iran, and Afghanistan.

Adobe Flash will die in 2020

Adobe Systems said earlier this year that it would retire its vulnerable and buggy Flash Player plugin for good in 2020, more than two years from now. Until then, people remain vulnerable to attacks and malware like FinSpy, so Adobe needs to do a better job of keeping its software up to date at all times.

Adobe has already released a security update to fix the issue that allowed hackers to plant malicious software, which affected the popular Google Chrome, Microsoft Edge, and Internet Explorer web browsers.
However, users also need to make sure they always keep their apps and operating systems up to date if they don’t want hackers to hold their data for ransom.


WPA2 Going the Way of WEP After Wi-Fi Researchers Find Critical Flaw

October 16, 2017

It’s a massive problem that’s going to get bigger

The WPA2 (Wi-Fi Protected Access II) protocol that’s used by most Wi-Fi networks today has been compromised, and a way to intercept traffic between computers, phones, and access points has been found.

Today’s Internet and network connections rely on specific tools that are taken for granted, most of the time.
From time to time, a way to compromise these protocols sends everybody running for the fences.
Let’s just remember the OpenSSL problem, for just a moment.

Now, a similar problem has been identified in the WPA2 protocol that’s used by Wi-Fi networks.
Whenever you connect your device to a Wi-Fi network, you are probably using the WPA2 security protocols, and you feel safe.
Well, you shouldn’t feel safe at all.
It turns out that the protocol is vulnerable and that communications between client and host can be intercepted.

WPA2 has been KRACKed

Security researchers have discovered a way to compromise the communications between a host and client that’s using the WPA2 protocol.
According to a notification from US-CERT, reported via Ars Technica, “the impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others.”

The moniker for the attack is currently “KRACK,” although it’s not official just yet.
And, as usual, there is good news and bad news, and the bad outweighs the rest.
The following vulnerabilities have been noted: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, and CVE-2017-13088.

This means that we should start to see patches for these problems soon, but it’s important to know that many of the devices we’re using today, like routers, for example, won’t get these patches.

How to protect yourself

If you’re worried about your router, there is not much you can really do about it.
Check whether you get an update, and if not, be prepared to get a new one that’s protected.

The same goes for phones, tablets, PCs, and all the rest.
If you have an old device that’s not receiving updates anymore, you’re going to be exposed to this issue as well.

It’s important to mention that if you’re using a Wi-Fi network to browse an HTTPS-secured website, you should be fine, but anything else is problematic.

Please keep in mind that this new KRACK attack is a major one and that, from now on, you need to keep an eye on patches and security for the devices you own that use the WPA2 protocol.


More details have surfaced regarding the newly discovered vulnerabilities, and researchers have published all the details and proof of concept on what is now the official website.


Yahoo: All Our 3 Billion Users Were Hacked

October 4, 2017

Company admits that more users were actually hacked in 2013

The Yahoo hack saga continues, this time with more information provided by the company itself, which acknowledged in a statement that more users were actually hacked in 2013 than it previously revealed.

Yahoo said in September 2016 that 500 million accounts got hacked in 2013 as part of what it described as a state-sponsored attack, albeit absolutely no specifics on the hacking group or the country behind the breach were provided.

Yahoo, however, released an updated statement in December to bump the figure to 1 billion, saying that it discovered evidence that twice as many accounts were hacked than it initially thought.

3 billion accounts compromised

And now the company returns with another statement, revealing that its original investigation actually pointed to a wrong number.
So the hack didn’t affect 500 million or 1 billion accounts, but 3 billion records, which represented the entire userbase of Yahoo at that time.
This means that all Yahoo users in 2013 were exposed following the breach.

“Based on an analysis of the information with the assistance of outside forensic experts, Yahoo has determined that all accounts that existed at the time of the August 2013 theft were likely affected,” Yahoo said in the latest statement.

It is important to note that, in connection with Yahoo’s December 2016 announcement of the August 2013 theft, Yahoo took action to protect all accounts.
The company required all users who had not changed their passwords since the time of the theft to do so.

The only good thing here is that the breach didn’t expose information like bank accounts, credit card data, or passwords, with hackers managing to compromise accounts using stolen Yahoo source code.

If there still are any Yahoo users out there, it goes without saying that they must change their passwords as soon as possible, even though it’s pretty clear that this advice comes far too late given the hack happened in 2013. Judging from its statement, Yahoo believes that it reacted well by “taking action to protect accounts” and confirming the breach three years after it happened.


Not sure which ransomware has infected your PC? This free tool could help you find the right decryption package

September 27, 2017

A new tool analyses the ransom note and the encrypted file in order to offer the appropriate decryption tool – if it exists.

The success of ransomware means the number of cyber criminals looking to cash in on the file-encrypting malware appears to be ever increasing, whether they build it themselves or buy it from distributors in underground online marketplaces.

With new ransomware variants appearing all the time – recent new discoveries include PrincessLocker and Defray – and malicious developers continually updating tried and tested ransomware families such as Locky, it can be difficult for the average user to understand what they’ve been infected with should they fall victim to an attack.

Especially, as one recent report claims, there’s been a 750 percent increase in ransomware families since 2015.

In order to help victims, Bitdefender has released a free software suite that identifies which family and sub-version of ransomware has locked the victim’s data and leads them to the appropriate decryption tool – if it exists.

The Bitdefender Ransomware Recognition Tool analyses the ransom note and the encrypted file samples to identify the strain of ransomware and suggest a decryption tool based on indicators of confidence.
If the ransomware has an associated decryption tool, the platform provides a link to it in order to allow the victim to retrieve the files for free.

“Ransomware has become one of the most prolific criminal businesses to date. The immediate payoff and the huge amounts of money have made ransomware a very common occurrence,” Bogdan Botezatu, Senior e-Threat Analyst at Bitdefender, told ZDNet.

“Our new tool aims at helping as many people as possible get back their data without paying the ransom, in order to minimise the impact on the user, as well as to minimise the profitability of such businesses.”

While also involved with No More Ransom – the collaborative partnership involving law enforcement and cyber security firms coming together to provide a decryption tool portal for ransomware families – Bitdefender wants to reduce the number of steps victims need to take before getting their hands on a decryption tool.

“Bitdefender Ransomware Recognition wants to be a standalone tool that does the identification and then automatically downloads the proper decryption tool, if one is available. We plan to release more decryption utilities in the near future in order to cover all potentially decryptable infection cases,” said Botezatu.

However, one of the reasons ransomware is so successful is that the cryptography behind the more sophisticated families is hard to crack – which means researchers aren’t able to break them down and reverse engineer them to create a decryption tool.


This malware just got more powerful by adding the WannaCry trick to its arsenal

September 25, 2017

The Retefe banking trojan is now using the EternalBlue exploit that helped spread WannaCry to make attacks more effective.

A banking trojan malware campaign has returned, and now it’s leveraging EternalBlue, the leaked NSA surveillance exploit, to target Swiss financial institutions.

Developed by the NSA but revealed to the world by a hacking group, EternalBlue exploits a flaw in a version of Windows’ Server Message Block (SMB) networking protocol, giving malware worm-like capabilities to spread across an infected network.

It was by using the EternalBlue exploit that May’s WannaCry ransomware attack was able to spread so quickly.
The tool was soon adopted by cybercriminal groups looking to make their malware more powerful — and now it’s being used to steal credentials and cash from Swiss banks by the group behind the Retefe malware.

Active since 2013, the Retefe banking trojan isn’t as notorious as the likes of Dridex, but targets banks in the UK, Switzerland, Austria, Sweden, and Japan.
It has also been known to target Mac users.

Unlike other banking trojans, which rely on webinjects to hijack online banking sessions, Retefe routes traffic to and from the target banks through proxy servers hosted on the TOR network.
These proxy sites host phishing pages designed to look like the targeted bank’s login page in order to steal credentials from victims, providing access to accounts for theft and fraud.

Retefe is typically delivered via phishing emails containing malicious Microsoft Office documents containing embedded Package Shell Objects — although some contain malicious macros instead.
If the user runs the file, a PowerShell command will run the malicious payload and install the code.

Now researchers at Proofpoint have discovered that the payload contains the configuration for EternalBlue, with code taken from a publicly available proof-of-concept for the exploit posted in a dump on GitHub.
The tool is now used to download the PowerShell script which installs Retefe.

With the addition of EternalBlue, the malware can spread across networks.
This particular installation of the exploit lacks the module responsible for infinitely spreading the malware as WannaCry did.

However, researchers note that the attackers behind Retefe could be merely experimenting with EternalBlue for now — and that they could roll out the leaked exploit in full force in future.

“It is possible that the addition of limited network propagation capabilities may represent an emerging trend for the threat landscape as 2018 approaches,” wrote Proofpoint researchers.

Indeed, those behind Retefe aren’t the only threat actors looking to leverage EternalBlue to make malware more powerful.
The attack group behind the Trickbot malware has also been experimenting with deploying the exploit.

Following the public release of the leaked NSA hacking tools, Microsoft released patches designed to protect users from falling victim to attacks using EternalBlue.

However, as demonstrated by the extent to which WannaCry spread, many organisations simply aren’t applying the critical updates released to prevent them from becoming victims of attacks leveraging the tools.