
This malware delivers either ransomware or cryptocurrency mining software to your PC

July 6, 2018

Rakhni Trojan has evolved to examine the infected PC to determine which form of malware will be best to install.

An ever-evolving form of malware has added a new tactic which sees it choose to deliver ransomware or a cryptojacker depending on the circumstances of the infected victim.

If an infected computer contains a bitcoin wallet, the malware will install file-encrypting ransomware — if there’s no pre-existing cryptocurrency folder and the computer is capable of mining cryptocurrency, a miner will be downloaded and installed for the purposes of exploiting the PC’s power to generate cryptocurrency.

The cryptocurrency miner is the latest addition to Rakhni Trojan, a malware family that has existed since 2013 and has continually evolved over its five-year existence.
It appears that those behind the malware are looking to cash in on the rise of cryptocurrency-mining malware while keeping their traditional ransomware attacks in play.

“It’s just another example of the cynical attitude of criminals to their victim.
They will in any case try to benefit from the victim: by direct extortion of money or by unauthorized use of user resources in their own needs,” Orkhan Mamedov, malware analyst at Kaspersky Lab, told ZDNet.

Researchers at Kaspersky Lab have been analysing Rakhni since it first emerged and have detailed its recent addition of a cryptocurrency miner.

Like many cyber attacks, the Rakhni campaign begins with a phishing email sent out to potential victims.
This particular campaign focuses on Russia, with over 95 percent of victims in the country and the spam emails written in Russian.

In this instance, the emails are designed to look like messages concerning financial documents and come with a Microsoft Word attachment in which the malicious payload is waiting.
The user is encouraged to enable editing, which in turn allows the macros the payload relies on to run.

The victim is then prompted to open an embedded PDF. No PDF is launched; instead a malicious executable runs and the computer is infected with the malware. An error message is displayed so that the user does not become suspicious about the missing PDF.

Once installed, Rakhni checks the environment of the compromised computer to decide whether to install ransomware or a miner.

If a cryptocurrency wallet is already on the computer, ransomware will be downloaded and executed on the machine — but only after the system has been idle for two minutes — resulting in files being encrypted with a ‘.neitrino’ extension.

Victims are presented with a ransom note written in Russian which demands payment within three days and gives an email address for contacting the attacker.

“The ransom note warns the victim that using third-party decryptors can corrupt files and even the original decryptor would not be able to decrypt them.
The last sentence of the ransom note informs the victim that all requests will be processed by an automatic system,” said Mamedov.

However, despite this threat, decryption tools for Rakhni are available.

If no wallet is on the machine, a miner is downloaded instead. It uses the victim’s processor to mine either Monero or Dashcoin for the attackers; both are far simpler to mine on ordinary hardware than bitcoin and offer the attackers additional anonymity.

To disguise the miner as a trusted process, the attacker signs it with a fake certificate that claims to be issued by Microsoft Corporation. Such a signature does not chain to a trusted root and fails validation, so the useful check is whether a binary’s signature actually verifies, not merely whether it carries one.

In the event that conditions on the compromised machine aren’t deemed acceptable for either installing ransomware or a miner, Rakhni has another trick up its sleeve: it uses a worm-like function in an effort to copy itself onto other machines on the network and unleash its malicious operations from there.

Despite a downturn in infections, ransomware is still a successful means for cyber criminals to make money — but the addition of the miner demonstrates that those behind Rakhni are open to new attack techniques, especially when they are as subtle as mining.



This new Windows malware wants to add your PC to a botnet – or worse

June 20, 2018

The intentions behind Mylobot and its delivery method are unknown, but it appears to be the work of a sophisticated attacker who could deliver trojans, ransomware and more.

A new malware campaign is roping systems into a botnet and providing the attackers with complete control over infected victims, plus the ability to deliver additional payloads, putting the victims’ devices at risk of Trojans, keyloggers, DDoS attacks and other malicious schemes.

The malware comes equipped with three different layers of evasion techniques which have been described by the researchers at Deep Instinct who uncovered the malware as complex, rare and “never seen in the wild before”.

Dubbed Mylobot after a researcher’s pet dog, the malware’s origins and delivery method are currently unknown, but it appears to have a connection to Locky ransomware, one of the most prolific forms of malware last year.

The sophisticated nature of the botnet suggests that those behind it aren’t amateurs, with Mylobot incorporating various techniques to avoid detection.

They include anti-sandboxing, anti-debugging, encrypted files and reflective EXE, which is the ability to execute EXE files directly from memory without having them on the disk.
The technique is not common and was only uncovered in 2016, and makes the malware ever harder to detect and trace.

On top of this, Mylobot incorporates a delaying mechanism which waits for two weeks before making contact with the attacker’s command and control servers — another means of avoiding detection.

“The reason to do 14 days of sleep is to avoid any network and malicious activity, thus bypassing cyber security solutions like endpoint detection and response, threat hunting and sandboxing,” Tom Nipravsky, Deep Instinct security researcher, told ZDNet.

Once installed on a system Mylobot shuts down Windows Defender and Windows Update, while also blocking additional ports on the firewall — all tactics to ensure that its malicious activity can operate without being impeded.

In addition to this, it actively targets and deletes any other instances of malware which have previously been installed on the machine, even specifically aiming for other botnets.

The thinking behind this is simple: eliminate the competition so that the attackers control the largest possible network of infected computers and make as much profit as possible from abusing them.

Once a computer is part of the botnet, the attacker can take complete control of the system and further payloads and instructions can be delivered from the command and control server.

“The expected damage here depends on the payload the attacker decides to distribute.
It can vary from downloading and executing ransomware and banking trojans, among others,” said Nipravsky.

“This can result in the loss of a tremendous amount of data, the need to shut down computers for recovery purposes, which can lead to disasters in the enterprise.”

Researchers haven’t detailed what additional payloads are being downloaded, but analysis of the command and control domains related to Mylobot uncovered connections to Locky ransomware and other malware.

“According to our research, the IP of the C&C server was first seen on November 2015, and is linked to DorkBot, Locky and Ramdo,” Nipravsky said.

With the C&C having been active for two and a half years, it indicates those behind Mylobot have been active for some time — and they use tactics which suggest a well-resourced operation.

“The botnet is trying to connect to 1,404 different domains — at the time of writing this research, only one was alive.
This is an indication for big resources in order to register all those domains,” said Nipravsky.
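Nipravsky’s figures describe a host that queries a long list of names of which almost all fail to resolve. The following Python is an added example, not code from Deep Instinct or from this article: detection logic run over a constructed resolver log that flags any client querying many distinct names with a high NXDOMAIN ratio. The log format, the client names, the thresholds and the assumption that unregistered domains answer NXDOMAIN are all mine. Note the 14-day sleep described above: this only fires once the bot starts beaconing, so it complements host-based detection rather than replacing it.

```python
from collections import defaultdict

# Constructed sample resolver log (not from the Deep Instinct research):
# "<timestamp> <client> <queried name> <response code>", one query per line.
# ws-17 behaves like a bot walking a list of mostly unregistered domains;
# ws-22 is an ordinary workstation with a single typo.
SAMPLE_DNS_LOG = """\
2018-06-01T10:00:01 ws-17 update.microsoft.com NOERROR
2018-06-01T10:00:02 ws-17 a8f1kz.example NXDOMAIN
2018-06-01T10:00:02 ws-17 x0pq9d.example NXDOMAIN
2018-06-01T10:00:03 ws-17 m4rtv2.example NXDOMAIN
2018-06-01T10:00:03 ws-17 a8f1kz.example NXDOMAIN
2018-06-01T10:00:04 ws-17 zz71lo.example NXDOMAIN
2018-06-01T10:00:04 ws-17 q9ec3b.example NXDOMAIN
2018-06-01T10:00:05 ws-17 h2wn8k.example NXDOMAIN
2018-06-01T10:00:05 ws-17 vb5ty0.example NXDOMAIN
2018-06-01T10:00:06 ws-17 vb5ty0.example NXDOMAIN
2018-06-01T10:00:07 ws-22 www.google.com NOERROR
2018-06-01T10:00:08 ws-22 mail.example.com NOERROR
2018-06-01T10:00:09 ws-22 typo.exmaple.com NXDOMAIN
2018-06-01T10:00:10 ws-22 cdn.example.net NOERROR
2018-06-01T10:00:11 ws-22 login.example.com NOERROR
"""

# Thresholds are assumptions for the demo; tune them against your own baseline.
MIN_UNIQUE_NAMES = 5
MIN_NXDOMAIN_RATIO = 0.8


def parse_dns_log(text):
    """Parse the four-column format above into (timestamp, client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append((ts, client, qname.lower().rstrip("."), rcode.upper()))
    return records


def find_domain_walkers(records, min_unique=MIN_UNIQUE_NAMES, min_nx_ratio=MIN_NXDOMAIN_RATIO):
    """Flag clients that query many distinct names of which most fail to resolve.

    Repeated queries for the same name are counted once, so a retry storm for
    one unreachable host does not trip the detector.
    """
    per_client = defaultdict(lambda: {"unique": set(), "nxdomain": set()})
    for _, client, qname, rcode in records:
        stats = per_client[client]
        stats["unique"].add(qname)
        if rcode == "NXDOMAIN":
            stats["nxdomain"].add(qname)

    flagged = {}
    for client, stats in per_client.items():
        unique, nx = len(stats["unique"]), len(stats["nxdomain"])
        ratio = nx / unique
        if unique >= min_unique and ratio >= min_nx_ratio:
            flagged[client] = {
                "unique_names": unique,
                "nxdomain_names": nx,
                "nxdomain_ratio": round(ratio, 3),
                # the few names that did resolve are the live C&C candidates
                "resolved": sorted(stats["unique"] - stats["nxdomain"]),
            }
    return flagged


if __name__ == "__main__":
    for client, stats in find_domain_walkers(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(client, stats)
```

The names that did resolve for a flagged client are reported separately because, as in the Mylobot case, the one live domain among hundreds of dead ones is the C&C worth blocking and pivoting on.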

The malware isn’t widespread and it still remains unclear who the attacker behind Mylobot is, how the malware is delivered or even what their ultimate goal is — but one thing researchers have concluded from the complexity of the scheme is that it isn’t an amateur operation.

“We haven’t found any indication about who the author is, but based on the code, this is someone who knows what they’re doing,” said Nipravsky.


This new Android malware delivers banking trojan, keylogger and ransomware

June 17, 2018

Researchers uncover a form of malware that’s still in development – but it has the potential to become a nasty threat.

An experimental form of Android malware delivers a banking trojan, a keylogger and ransomware to those unfortunate enough to fall victim to it.

Uncovered by researchers at security company ThreatFabric, the malware was first thought to be an updated version of LokiBot, but as it contains various new features researchers are labelling it a new form of malware: MysteryBot.

However, MysteryBot and LokiBot share the same command and control server, indicating a strong link between the two forms of malware and the possibility that they have been developed by the same attacker.

The trojan component is potent in its own right, capable of controlling functions of the infected device, including reading messages, gathering contact information and more.

There are also commands for stealing emails and remotely starting applications, but these particular tools don’t appear to be active yet, suggesting that this malware is still in the development phase.

While many Android malware families concentrate on attacking older versions of the Google operating system, MysteryBot has the capability to actively target Android versions 7 and 8 using overlay screens designed to look like real bank websites, but are in fact run by the attackers, the researchers said.

Fake websites of a wide variety of banks across the world are able to be displayed to the victim, ensuring that the attackers can cast a wide net for stealing entered credentials.

Once active on the device, the malware poses as a version of Adobe Flash Player.
However, researchers haven’t detailed how the payload is initially delivered onto the device.

Researchers say the malware logs keystrokes in an innovative way: it works out which key was pressed from the location of the touch on the screen relative to the other keys, and it can do so whether the device is held horizontally or vertically, the researchers explain in a blog post.

However, as with other features of the malware, the keylogger still appears to be in development as there’s currently no way for the logged keys to be stored on the command server.

On top of the ability to infect victims with a trojan and a keylogger, those behind MysteryBot have also been experimenting with a ransomware tool.
The embedded ransomware feature enables the malware to individually encrypt files and store them in a password-protected ZIP archive.

When the encryption is complete, a message accuses the victim of having watched adult content and demands that an email address be contacted to gain a password – and presumably pay for the privilege.

However, the ransomware element of MysteryBot doesn’t appear to be sophisticated. Not only does it require contact via email, but the password is only eight characters long, which in theory could be recovered by brute force.

Secondly, victims are assigned an ID between 0 and 9999 and, since there is no check for existing IDs, the attackers could hand out duplicate IDs and make it impossible for those victims to retrieve their files.

But despite some of the capabilities of MysteryBot currently being underdeveloped, the malware is still a potential threat.

“The enhanced overlay attacks also running on the latest Android versions combined with advanced keylogging and the potential under-development features will allow MysteryBot to harvest a broad set of personal identifiable information in order to perform fraud,” wrote researchers.

MysteryBot isn’t currently widespread and is still under development, but users should be wary of any applications they download which ask for an excessive number of permissions.


Google in court over ‘clandestine tracking’ of 4.4m iPhone users

May 23, 2018

Google’s in trouble again over the “Safari Workaround”: the iPhone shakedown for personal information from millions of iPhone users.

In 2012, the workaround got the search giant fined by the US Federal Trade Commission (FTC) for $22.5m, fined again a year later for $17m after it got sued by dozens of states, and now has the UK’s Google You Owe Us campaign out for its own pound of flesh.

Make that a few pounds of flesh: The Google You Owe Us campaign has started the process of getting its own comeuppance, and the US fines pale in comparison to what the British group is after.

Monday marked day one in London’s high court, where the collective action is suing the company for what could be as much as £3.2bn (USD $4.3b), according to court filings.

It alleges “clandestine tracking and collation” of information that included race, physical and mental health, political leanings, sexuality, social class, financial data, shopping habits and location data.
On the campaign’s site, it alleges that Google’s Safari Workaround tracked iPhone users’ internet browsing history, which Google then used to sell a targeted advertising service.

Google You Owe Us first launched a “representative action” (similar to a class action in the US) in November 2017.
The action alleges that the search giant:

Took our data by bypassing default privacy settings on the iPhone Safari browser which existed to protect our data, allowing it to collect browsing data without our consent.

On Monday, Google You Owe Us lawyers told the high court that Google collected personal information from 4.4 million iPhone users in the UK.

Richard Lloyd, former director of the UK consumer champion Which?, is heading up the collective action.
His lawyer, Hugh Tomlinson QC, told the court that Google bypassed the privacy settings of Apple’s Safari browser on iPhones between August 2011 and February 2012 in order to divide people into categories so as to target marketing at them.

For this purpose, Google allegedly aggregated the data and shuffled users into groups for targeted marketing that included categories such as “football lovers” or “current affairs enthusiasts.”

Bloomberg reports that if the group action has its way in court, each affected iPhone user could receive £750 (approx. $1,000).

Google You Owe Us says don’t worry about whether you’re part of the claim: just sit back and let Richard Lloyd and the lawyers take care of the case.
To see if you were affected by Google’s actions, or if you don’t want to be part of the claim, you can read more on the group’s FAQ page.

Google has said that there’s no evidence that the Safari Workaround resulted in any information being disclosed to third parties; that it’s impossible to identify those who may have been affected; that the claim’s got no chance of success; and that the claim relates to events that are six years old and which have already been addressed.


Twitter Urges Users to Change Passwords Due to Glitch

May 4, 2018

Twitter said Thursday that a glitch caused account passwords to be stored in plain text on an internal log, sending users across the platform scrambling to change their passwords.

The social media company said that it found and has fixed the glitch, and its investigation shows no indication of a breach or misuse by anyone.
While the company did not specify how many passwords were impacted, a Reuters report pegged the number at more than 330 million.

“I’d emphasize that this is not a leak and our investigation has shown no signs of misuse,” a Twitter spokesperson told Threatpost.
“We’re sharing this information so everyone can make an informed decision on the security of their account.”

The spokesperson declined to comment on the timeframe of the glitch and how many users were impacted.

“Due to a bug, passwords were written to an internal log before completing the hashing process,” said Parag Agrawal, CTO of Twitter, in a blog post.
“We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.”

Users who opened their accounts Thursday evening received a prompt from Twitter asking them to consider changing their password on all services where they used the password.

Twitter said that it protects passwords by hashing them with bcrypt, which replaces each password with a salted, one-way hash from which the original cannot be recovered, and stores only that hash.
However, the bug caused passwords to be written to the company’s internal log before the hashing step ran.
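The class of bug Agrawal describes is easy to reproduce: a login handler that logs the request before the password has been hashed. The following Python is an added example, not code from Twitter or Threatpost. It shows the vulnerable handler beside one that scrubs sensitive fields from every log record before any handler formats them, so even a careless log call cannot leak the plaintext. The standard library has no bcrypt, so PBKDF2-HMAC stands in for it here; the field names, iteration count and sample form are assumptions.

```python
import hashlib
import hmac
import io
import logging
import os
from typing import Optional

# Constructed sample login form, not real user data.
SAMPLE_FORM = {"username": "alice", "password": "correct horse battery staple"}

# Keys whose values must never reach a log line (assumed names).
SENSITIVE_FIELDS = {"password", "new_password", "token"}

PBKDF2_ITERATIONS = 200_000  # assumption; bcrypt's cost factor plays the same role


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow, one-way hash. PBKDF2-HMAC stands in for bcrypt here."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2-sha256${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def _scrub(value):
    """Recursively replace the values of sensitive keys inside dicts, lists and tuples."""
    if isinstance(value, dict):
        return {
            k: ("[REDACTED]" if k in SENSITIVE_FIELDS else _scrub(v))
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return type(value)(_scrub(v) for v in value)
    return value


class RedactSensitiveFields(logging.Filter):
    """Logger-level filter: scrub record arguments before any handler formats them."""

    def filter(self, record: logging.LogRecord) -> bool:
        # logging stores a lone dict argument as the dict itself, otherwise a tuple
        record.args = _scrub(record.args)
        return True


def _logger_to_buffer(name: str, redact: bool):
    """Fresh logger writing to an in-memory buffer so the output can be inspected."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    buffer = io.StringIO()
    handler = logging.StreamHandler(buffer)
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s: %(message)s"))
    logger.addHandler(handler)
    if redact:
        logger.addFilter(RedactSensitiveFields())
    return logger, buffer


def login_vulnerable(form: dict):
    """The bug: the whole request is logged before the password is hashed."""
    logger, buffer = _logger_to_buffer("auth.vulnerable", redact=False)
    logger.info("login request: %s", form)  # plaintext password lands in the log
    stored = hash_password(form["password"])
    return stored, buffer.getvalue()


def login_fixed(form: dict):
    """The fix: the filter scrubs sensitive fields from every record, so the same
    careless log call now records password=[REDACTED]."""
    logger, buffer = _logger_to_buffer("auth.fixed", redact=True)
    stored = hash_password(form["password"])
    logger.info("login request: %s", form)
    return stored, buffer.getvalue()


if __name__ == "__main__":
    _, bad_log = login_vulnerable(SAMPLE_FORM)
    stored, good_log = login_fixed(SAMPLE_FORM)
    print(bad_log.strip())
    print(good_log.strip())
    print(verify_password(SAMPLE_FORM["password"], stored))
```

Putting the redaction on the logger rather than in each call site is the point: the developer who adds a debugging line six months later gets the same protection, and a review of the logging configuration is enough to show what can and cannot appear in the logs.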

Agrawal said in a tweet that Twitter is sharing the information about the glitch to help users “make an informed decision about their account security.”

Security researcher Troy Hunt told Threatpost that the real world risk of the glitch to users is likely very low:
“I can see how it would happen – logs are often largely automated – but clearly it’s a massive oversight,” he said.
“By the same token, if the extent of the issue is that the passwords were captured to internal logs, the logs weren’t exposed and they’ve subsequently cleaned that up, the real world risk is likely very low.”

The news parallels another incident earlier this week, in which GitHub disclosed that it had discovered a recently introduced bug exposing a small number of users’ passwords in plain text.
GitHub also uses bcrypt to hash passwords.

Twitter found itself in hot water earlier in the week after disclosing that it sold data access to a Cambridge Analytica-linked researcher.
This added to already heightened concerns in the security community about how social media companies protect private user data.


This password-stealing malware uses Facebook Messenger to spread further

May 2, 2018

A spike in infections follows an update to the password- and cryptocurrency-stealing malware.

A form of malware which uses fake Facebook Messenger messages to spread has suddenly surged back into life and has developed new tricks to steal passwords, steal cryptocurrency and engage in cryptojacking.

First uncovered in August last year, the malware used phishing messages over Facebook Messenger to direct victims to fake versions of websites like YouTube, at which point they are encouraged to download a malicious Chrome extension.

The malware has remained under the radar since then, at least until April when it appears to have suddenly spiked in activity, targeting Facebook users around the world.

Analysis by researchers at security company Trend Micro – which has dubbed the malware FacexWorm – said that while the malicious software is still spread via Facebook and exploits Google Chrome, many of its capabilities have been completely reworked.

New abilities include the capability to steal account credentials from selected websites, such as Google as well as cryptocurrency websites.
It also pushes cryptocurrency scams of its own and mines infected systems for additional currency.

But in order to conduct any of this activity, the malware needs to be installed on the system of a victim.
Victims receive a link out of the blue from a Facebook contact which directs them to a fake YouTube page.

This page asks the victim to install a codec extension to play the video.
If run, this extension will install FacexWorm, which asks for permissions to access the site and change data.

Once installed, the extension contacts the command and control server and uses the victim’s logged-in Facebook session to send more fake YouTube links to their contacts, continuing the spread of the malware.

Researchers note that if the link is sent to a user who isn’t using Google Chrome, the link diverts to a random advert – perhaps a remnant of the original function of the malware.

FacexWorm itself is a clone of a normal Google Chrome extension, but injected with malicious code.
This is delivered by downloading additional JavaScript code each time the browser is opened and whenever a new website is opened.

If the malware is coded to retrieve credentials from that site, it fetches additional JavaScript to carry out further behaviours, including stealing login credentials.

In addition to this, the malware targets those using cryptocurrency trading platforms by searching for keywords like ‘blockchain’ and ‘etherium’ in the URL.

If this is detected, FacexWorm sends users to a scam webpage which asks the user to send anywhere between 0.5 and 10 of the Ether cryptocurrency for ‘wallet address verification’ with a promise it will send more back.
Obviously, if a user does this, they’ll get nothing back at all – fortunately, researchers say nobody has sent money to the address.

However, the attackers also attempt to maliciously earn cryptocurrency via other means, including the use of attacker-controlled referral links which provide them with some income each time users buy currency via the link.

FacexWorm also injects a cryptocurrency miner into the victim’s browser.
Researchers say the miner uses just 20 percent of the infected system’s CPU, a tactic likely adopted to ensure the miner isn’t discovered.

The malware also contains a mechanism to keep itself hidden: if the extension management tab is opened, FacexWorm immediately closes it, a protection method also used by malicious extensions such as DroidClub.

While Trend Micro says malicious extensions are quickly removed from the Chrome Web Store, the attackers are quick to re-upload them.
ZDNet has contacted Google, but hadn’t received a response at the time of writing.

Facebook is aware of the malware and said that Messenger can stop the spread of malicious links.

“We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger.
If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners,” the company said in a statement.

In order to avoid becoming infected in the first place, Trend Micro warns users to: “Think before sharing, be more prudent against unsolicited or suspicious messages, and enable tighter privacy settings for your social media accounts.”


This malware targets Facebook log-in details, infects over 45,000 in just days

April 20, 2018

StressPaint malware is “developed professionally” and could be harvesting accounts for anything from credential selling and identity theft to malvertising and propaganda campaigns, warn researchers.

Users who download a painting software advertised as a tool for stress relief might soon find themselves stressed out because the program is actually a front for malware which steals their Facebook credentials and payment information.

StressPaint‘ first appeared a few days ago and at the time of writing has infected over 45,000 Facebook users.
The attacks appear to specifically target users who operate Facebook pages and have configured a payment method into the account.

Uncovered by Radware, the malware has quickly spread around the world with a high infection rate, which researchers say “indicates this malware was developed professionally”.

It’s also suggested that the attackers could go after Amazon users in a future campaign, given that the control panel used in the campaign, which researchers have analysed, has a dedicated Amazon section.

The infection campaign is carried out via phishing emails, and users are socially engineered into believing they are visiting a real website; AOL is used as a hook in many of the attacks.
However, the website they’re being driven to is in fact a front for the malicious activity.

The site promotes software called ‘Relieve Stress Paint‘ and urges the user to download it for free.
If they download and run the file, a window opens showing a basic painting program, giving the impression that nothing suspicious is happening while the malware runs in the background.

However, once ‘Relieve Stress Paint‘ is launched, the malware immediately runs and drops files onto the system and it will look to steal information from that moment – then subsequently each time the computer is restarted.

StressPaint steals information by copying Chrome’s cookie and Login Data files, the browser’s saved-credential store, and reading the copies.
If saved Facebook credentials are found, they’re sent to a C2 server.

Once the stolen credentials are validated, additional information is collected on the compromised account, including the number of friends, whether the account manages a page or not, or if a payment method is connected to the account.

“Security tools, like anti-virus or endpoint detection and response, always look for suspicious active processes on the system and general credential stealing methods like key logging or hooking,” Adi Raff, security research team leader at Radware, told ZDNet.

“We believe that the process of the malware is only active on the system for less than a minute on specific occasions (like first run, computer restart and Stress Paint tool rerun) and that the data theft is done from a copy of Chrome files (cookies/login data) which helps the malware stay undetected.”

Currently, the attacks only appear to be collecting data, but researchers suggest the stolen information could be used for profit in a number of ways.
They include selling the credentials on underground forums, extorting victims by threatening to reveal personal information, espionage, profit from stolen payment information and identity theft.

However, it’s suggested the fact the attackers are looking for accounts with pages and users with large amounts of friends means those behind the campaign – who’ve not been identified – are playing a long game.

“With the stolen credentials, access to web pages and payment details, the group can launch malicious advertisement campaigns, whether to make profit or spread more malware.
They can use small amounts from each user without raising suspicion and collect a critical mass to launch any activity,” warn researchers, who say the same applies to propaganda.

“With the same information, instead of advertising a product or a service, they can run a campaign to promote their agenda and reveal people/personal identities.”

Radware has disclosed the research to Facebook. “We are investigating these malware findings and we are taking steps to help protect and notify those who are impacted,” Pete Voss, Facebook communications manager told ZDNet.

In order to avoid falling victim to a StressPaint attack, Radware urges users to be careful what they click.

“To stay protected, people need to make sure that they are downloading applications from legitimate sites and always double check the site in the browser before downloading,” said Raff.