Being forewarned is being forearmed; and, if organizations keep up-to-date with the latest malware alerts, they have the opportunity to take measures to prevent their network systems becoming infected with the latest malware strains.
Many malware alerts originate not from reports of malware infections themselves, but from vulnerabilities being identified in everyday software that a hacker could use to install an exploit kit. Our malware alerts explain what the vulnerabilities are, how they can be used to deliver malware and what patches exist to eliminate the vulnerability.
Of course, the best way to block exploit kits from downloading malware onto your organization's network systems is to ensure that Internet users never visit a website harboring an exploit kit. This can be achieved by a simple adjustment of your web filtering solution. If your organization does not yet have a web filtering solution, speak with WebTitan today.
Over the past few days, a new threat called Fireball malware has been spreading rapidly and has allegedly been installed on more than 250 million computer systems. An estimated 20% of corporate networks have been infected with the malware. 10% of infections are in India, 9.6% in Brazil, 6.4% in Mexico, 5.2% in Indonesia and 2.2% in the United States.
The new malware variant was discovered by security researchers at Check Point, who claim the malware campaign is “possibly the largest infection operation in history.”
Fireball malware targets web browsers and is used to manipulate traffic. Once infected, the end user is redirected to fake search engines, which redirect search queries to Google and Yahoo. Fireball malware is being used to generate fake clicks and boost traffic, installing plugins and new configurations to boost the threat actor’s advertisements.
The malware is also capable of stealing user information using tracking pixels and can easily be turned into a malware downloader. Once installed, Fireball malware can run any code on the victims’ computer, making the infection especially dangerous. While Fireball malware is not believed to be dropping additional malware at this stage, it remains a very real possibility. The malware has a valid certificate, hides the infection and cannot be easily uninstalled.
The malware is being distributed bundled with other software such as the Mustang browser and Deal WiFi, both of which are provided by a large Chinese digital marketing agency called Rafotech. It is Rafotech that is understood to be behind Fireball malware.
Rafotech is not using the malware for distributing other malware, nor for any malicious purposes other than generating traffic to websites and serving end users adverts, but Fireball may not always remain as adware. At any point, Fireball could simultaneously drop malware on all infected systems.
The recent WannaCry ransomware attacks serve as a good comparison. Once the network worm had spread, it was used to deploy WannaCry. More than 300,000 computers were infected by the worm, which then dropped the ransomware. If a more advanced form of malware had been used that did not have a kill switch, the WannaCry attacks would have been far more severe. Now imagine a scenario where the same happened on 250 million computers… or even more as Fireball malware spreads further.
Fireball could also drop botnet malware onto those computers. A botnet involving 250 million or more computers would result in absolutely devastating DDoS attacks on a scale never before seen. As a comparison, Mirai is understood to include around 120,000 devices and has wreaked havoc. A botnet comprising 250 million or more devices could be used to take down huge sections of the internet or target critical infrastructure. It would be a virtual nuclear bomb.
The EternalRocks worm is a new threat that comes hot on the heels of WannaCry ransomware. The self-replicating network worm uses similar tactics to infect computers and spread to other connected devices; however, in contrast to the worm used to spread WannaCry ransomware, there is no kill switch. In fact, at present, there is also no malicious payload. That is unlikely to be the case for very long.
The WannaCry ransomware attacks were halted when a security researcher discovered a kill switch. Part of the infection process involved checking a nonsense domain that had not been registered. If no connection was made, the ransomware element would proceed and start encrypting files. By registering the domain, the encryption process didn’t start. Had the domain not been registered, the attacks would have been more far reaching, affecting more than the 300,000 computers believed to have been affected by the Friday 12 attacks.
New threats were predicted to be released in the wake of WannaCry, either by the same group or copycats. The EternalRocks worm therefore does not come as a surprise. That said, EternalRocks could be far more dangerous and cause considerably more harm than WannaCry.
The WannaCry ransomware attacks used just two exploits developed by the NSA – EternalBlue and DoublePulsar. EternalRocks uses six NSA hacking tools (EternalBlue, DoublePulsar, EternalChampion, EternalRomance, EternalSynergy, ArchiTouch and SMBTouch).
In addition to the Windows Server Message Block (SMBv1) and SMBv2 hacking tools, this threat uses an SMBv3 exploit together with a backdoor Trojan, the latter being used to spread the infection to other vulnerable computers on a network. Two SMB reconnaissance tools have also been incorporated to scan for open ports on the public Internet.
EternalRocks is also capable of hiding on the infected machine after deployment. With the WannaCry attacks, users were alerted that their computers had been compromised when the ransomware encrypted their files and a note was placed on the desktop.
Once on a computer, the EternalRocks worm waits for 24 hours before downloading the Tor browser, contacting the attackers, and replicating and spreading to other devices on the network.
The self-replicating network worm was discovered by security researcher Miroslav Stampar from CERT in Croatia. While the threat has only just been discovered, Stampar says the first evidence of infections dates back to May 3.
At present, the EternalRocks worm does not have any malicious payload. It neither installs malware nor ransomware, but that does not mean it poses no risk. Worms can be weaponized at any point, as was seen on Friday 12 May, when WannaCry ransomware was deployed.
For the time being, it is unclear how many computers have already been infected and how EternalRocks will be weaponized.
Preventing infection with EternalRocks worm and other similar yet to be released – or discovered – threats is possible by ensuring operating systems and software are patched promptly. Older operating systems should also be upgraded as soon as possible. As Kaspersky Lab reported, 95% of the WannaCry attacks affected Windows 7 devices. No Windows 10 devices were reportedly attacked.
A new Uiwix ransomware variant has been detected using EternalBlue to gain access to vulnerable systems. Businesses that have not yet patched their systems are vulnerable to this new attack.
In contrast to the WannaCry ransomware variant that was used in Friday’s massive ransomware campaign, Uiwix ransomware is a fileless form of ransomware that operates in the memory. Fileless ransomware is more difficult to detect as no files are written to the hard drive, which causes problems for many antivirus systems. Uiwix ransomware is also stealthy and will immediately exit if it has been installed in a sandbox or virtual machine.
Trend Micro reports that the new Uiwix ransomware variant also “appears to have routines capable of gathering the infected system’s browser login, File Transfer Protocol (FTP), email, and messenger credentials.”
As with WannaCry ransomware, the ransomware is not being spread via email. Instead the attackers are searching for vulnerable systems and are taking advantage of SMB vulnerabilities and attacking computers over TCP port 445. Infection with Uiwix sees the Uiwix extension added to encrypted files. The ransom demand to supply keys to decrypt locked files is $200.
The threat does not appear to be as severe as WannaCry, as the attackers are manually targeting vulnerable systems. Crucially, the ransomware lacks the wormlike properties of WannaCry. If one machine is infected, the ransomware will not then spread to other networked devices.
Since the WannaCry attacks, many businesses have now implemented the MS17-010 patch and have blocked EternalBlue attacks. Microsoft has also released a patch for Windows XP, Windows Server 2003, and Windows 8, allowing users of older, unsupported Windows versions to secure their systems and prevent attacks.
However, the search engine Shodan shows there are still approximately 400,000 computers that have not yet been patched and are still vulnerable to cyberattacks using the EternalBlue exploit.
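The exposure described above (SMB on TCP port 445 reachable from the Internet) is something a defender can check from their own perimeter firewall logs rather than waiting for Shodan to index it. The following is an added example, not code from the article or from any vendor named on this page: it parses firewall log lines in a constructed, iptables-style layout (an assumption made for this example) and reports every accepted TCP/445 connection whose source lies outside the RFC 1918, loopback and link-local ranges.

```python
"""Flag SMB (TCP/445) reachable from outside the internal address space.

Added example (not from the article): scans firewall log lines for ACCEPTed
TCP/445 connections whose source lies outside RFC 1918 / loopback /
link-local space. The log layout is a constructed, iptables-style format
assumed only for this example.
"""
import ipaddress
import re

SMB_PORT = 445

# Ranges treated as "internal"; any other source is considered Internet-sourced.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) IN=(?P<iface>\S+) SRC=(?P<src>\S+) "
    r"DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)$"
)

# Constructed sample lines; TEST-NET addresses stand in for Internet hosts.
SAMPLE_LOG = [
    "2017-05-15T10:01:02Z ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.168.1.20 PROTO=TCP SPT=51532 DPT=445",
    "2017-05-15T10:01:05Z ACCEPT IN=eth1 SRC=192.168.1.33 DST=192.168.1.20 PROTO=TCP SPT=49210 DPT=445",
    "2017-05-15T10:01:09Z DROP IN=eth0 SRC=203.0.113.9 DST=192.168.1.20 PROTO=TCP SPT=40000 DPT=445",
    "2017-05-15T10:01:11Z ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.168.1.20 PROTO=TCP SPT=51533 DPT=443",
    "2017-05-15T10:01:12Z ACCEPT IN=eth0 SRC=198.51.100.8 DST=192.168.1.25 PROTO=UDP SPT=1234 DPT=445",
    "garbage line that does not parse",
]


def parse_line(line):
    """Return a dict of fields, or None when the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def is_internal(ip_text):
    """True for addresses inside INTERNAL_NETS. Unparsable addresses count as
    internal so that a malformed field never produces a false alarm."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return any(ip in net for net in INTERNAL_NETS)


def find_exposed_smb(lines):
    """(src, dst) pairs for accepted TCP/445 connections from non-internal sources."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["proto"] != "TCP":
            continue
        if rec["dpt"] != SMB_PORT or is_internal(rec["src"]):
            continue
        hits.append((rec["src"], rec["dst"]))
    return hits


def exposed_hosts(lines):
    """Sorted list of internal hosts that accepted SMB from the Internet."""
    return sorted({dst for _, dst in find_exposed_smb(lines)})


if __name__ == "__main__":
    for src, dst in find_exposed_smb(SAMPLE_LOG):
        print(f"SMB reachable from {src} on {dst}")
```

Dropped packets are deliberately ignored: the interesting signal is an accepted connection, which means the host behind it is reachable and must be patched (MS17-010) or have SMB removed from the edge. The explicit list of internal networks is used rather than the `ipaddress` module's `is_private` flag, because that flag also covers the TEST-NET documentation ranges used in the sample data.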
Another threat that uses the EternalBlue and DoublePulsar exploits is Adylkuzz; however, this malware does not encrypt data on infected systems. Adylkuzz is a cryptocurrency miner that uses the resources of the infected computer to mine the Monero cryptocurrency. Infection is likely to see systems slowed, rather than files encrypted and data stolen.
Other malware and ransomware variants are likely to be released that take advantage of the exploits released by Shadow Brokers. The advice to all businesses is to ensure that software is patched promptly and any outdated operating systems are upgraded. Microsoft has issued a patch for the older unsupported systems in response to the WannaCry attacks, but patches for Windows Server 2003, Windows XP and Windows 8 are unlikely to become a regular response to new threats.
The WannaCry ransomware attacks that crippled hospitals in the United Kingdom on Friday have temporarily halted, although not before infections spread to 150 countries around the globe. The massive ransomware campaign saw 61 NHS Trusts in the UK affected.
As the NHS was cancelling appointments and scrambling to halt the spread of the infection and restore its systems, the WannaCry ransomware attacks were going global. Organizations around the world were waking up to total chaos, with systems taken out of action and data access blocked. Other victims include FedEx, Telefonica, Deutsche Bahn and the Russian Interior Ministry and around 200,000 others.
The victim count rose considerably throughout Friday and Saturday morning, before a security researcher in the UK accidentally flicked the ransomware’s kill switch, preventing further WannaCry ransomware attacks. Had it not been for that researcher’s actions, the victim count would have been considerably higher.
The researcher in question prefers to remain anonymous, although he tweets under the Twitter account @MalwareTechBlog. While analyzing the ransomware, he discovered a reference to a nonsense web domain. He checked to see who owned the domain and discovered it had not been registered. He bought it and realized that his actions had stopped the ransomware in its tracks. If the domain could be contacted, encryption would not take place. If contact was not possible, the ransomware would proceed and encrypt files on the infected device.
This kill switch could have been put in place by the authors as a way to stop infections getting out of control. However, far more likely is the domain check was performed to determine if the ransomware was running in a test environment.
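Because the malware has to look up the kill-switch domain before deciding whether to encrypt, the lookup itself is a reliable indicator of an infected host, whether or not the domain is registered. The following is an added example and not code from the article: it reads DNS query-log lines in a constructed, BIND-style format (an assumption for this example) and lists every client that queried a watched domain. The article does not name the domain, so `KILLSWITCH_DOMAINS` holds a placeholder to be replaced with the real one.

```python
"""Spot hosts performing the WannaCry-style kill-switch domain lookup.

Added example, not from the article. The domain is a placeholder (the article
does not name it) and the log layout is a constructed, BIND-style query-log
line assumed only for this example.
"""
import re

# Placeholder (assumption): replace with the real kill-switch domain(s).
KILLSWITCH_DOMAINS = {"killswitch-domain.example"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)

# Constructed sample query log: two hosts hit the domain, one of them twice.
SAMPLE_LOG = [
    "12-May-2017T13:02:11 client 192.168.1.20#53211: query: killswitch-domain.example IN A +",
    "12-May-2017T13:02:11 client 192.168.1.20#53212: query: www.example.com IN A +",
    "12-May-2017T13:03:40 client 10.0.0.5#49152: query: KillSwitch-Domain.example. IN A +",
    "12-May-2017T13:05:02 client 192.168.1.20#53220: query: killswitch-domain.example IN AAAA +",
    "not a query line",
]


def normalize(qname):
    """Lower-case the name and drop the trailing root dot so variants compare equal."""
    return qname.lower().rstrip(".")


def killswitch_lookups(lines, watch=KILLSWITCH_DOMAINS):
    """Map client IP -> {'first_seen', 'count'} for queries to a watched domain."""
    watch = {normalize(d) for d in watch}
    seen = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or normalize(m["qname"]) not in watch:
            continue
        entry = seen.setdefault(m["client"], {"first_seen": m["ts"], "count": 0})
        entry["count"] += 1
    return seen


def hosts_to_isolate(lines, watch=KILLSWITCH_DOMAINS):
    """Clients ordered by first sighting; each is a candidate for isolation
    and for the MS17-010 patch before it is reconnected."""
    seen = killswitch_lookups(lines, watch)
    return sorted(seen, key=lambda c: seen[c]["first_seen"])


if __name__ == "__main__":
    for client, info in killswitch_lookups(SAMPLE_LOG).items():
        print(f"{client}: {info['count']} lookup(s), first at {info['first_seen']}")
```

One caveat worth stating plainly: the kill switch only holds while the malware's request to the domain succeeds. A web filter that blocks the name outright, or a proxy the malware does not use, turns the check into a failed connection and encryption goes ahead, so the right response to a hit is to isolate and patch the host rather than to add the domain to a blocklist.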
For now at least, the WannaCry ransomware attacks have stopped, although that does not mean they will not continue. New versions of the ransomware – without the kill switch – will almost certainly be released. In the meantime, IT security professionals have some time to plug the vulnerability that was exploited.
The exploit takes advantage of a vulnerability in Windows Server Message Block (SMB) that allows the attackers to download files onto a vulnerable machine. Microsoft issued a patch to plug the vulnerability on March 13 (MS17-010). Even though this was a high priority patch for which an exploit had been developed (ETERNALBLUE) and released online, many companies failed to update Windows leaving them vulnerable to attack.
Of course, any organization using an unsupported version of Windows – Windows XP for example – would not be able to apply the patch. Many NHS Trusts in the UK still use the unsupported version of Windows even though it is vulnerable to this and other exploits.
The attackers have reportedly made around $50,000 so far from the WannaCry ransomware attacks. That figure will rise, as victims are given 7 days to pay before the decryption keys held by the attackers will be permanently deleted. If payment is not made within 3 days, the $300 ransom doubles.
There are no clues as to who was behind the attack, although it was made possible by the actions of the hacking group Shadow Brokers, who published the exploit used in the WannaCry ransomware attacks in April. The exploit was not developed by Shadow Brokers however. That appears to have been developed by the National Security Agency in the USA. Shadow Brokers allegedly stole the exploit.
Microsoft has responded to the WannaCry ransomware attacks saying they should serve as a “wake-up call.” That’s not just the need to apply patches promptly to prevent cyberattacks, but also a wake up call for governments not to secretly stockpile exploits.
A Mac malware warning has been issued for any individual who recently downloaded Handbrake for Mac. A server was compromised and a remote access Trojan was bundled with the Handbrake Apple Disk Image file.
A credential-stealing Remote Access Trojan was discovered to have been bundled with the Handbrake video transcoder app for the MacOS, with Handbrake for Mac downloads between May 2 and May 6, 2017 potentially also installing the MacOS Proton RAT.
A Mac malware warning has been issued for all users who recently downloaded the app. It is strongly recommended that any individual who downloaded the app between the above dates verifies that they have not been infected. According to a statement issued by the developers of the app, individuals have a 50/50 chance of infection if they downloaded the app between the above dates.
Cybercriminals were able to compromise a server and bundle the malware with the app, with all users who used the download.handbrake.fr mirror potentially infected.
Apple has now updated OS X's XProtect to detect and remove the infection, although individuals at risk should check to see if their device has been infected. Infection can be detected by looking for the Activity_agent process in the OS X Activity Monitor. If the process is running, the device has been infected with the Trojan.
Any user infected with the malware will need to change all passwords stored in the MacOS keychain. Any password stored in a browser will also need to be changed, as it is probable it has also been compromised.
The Trojan can be easily removed by opening the Terminal and entering the following commands before removing all instances of the Handbrake app:
- launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
- rm -rf ~/Library/RenderFiles/activity_agent.app
- if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder
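The process name and file paths above are the whole indicator set the article gives, so they can be checked in one pass rather than by hand. The following is an added example, not code from the article or from the HandBrake project: it tests a home directory for the three paths, looks for the Activity_agent process via `ps`, and returns the matching clean-up commands from the list above without executing them. The `exists` and `process_names` parameters are injection points (an addition for this example) so the check can be exercised without touching a real system.

```python
"""Check a macOS home directory for the Proton RAT indicators listed above.

Added example, not part of the article or the HandBrake project. The paths and
process name come from the article; `exists` and `process_names` are injection
points so the logic can be tested without a real system.
"""
import os
import subprocess

# Indicators named in the article, relative to the user's home directory.
INDICATOR_PATHS = {
    "launch_agent": "Library/LaunchAgents/fr.handbrake.activity_agent.plist",
    "agent_app": "Library/RenderFiles/activity_agent.app",
    "proton_zip": "Library/VideoFrameworks/proton.zip",
}
PROCESS_NAME = "Activity_agent"


def running_process_names():
    """Basenames of running processes via `ps -eo comm=` (macOS and Linux)."""
    try:
        out = subprocess.run(["ps", "-eo", "comm="], capture_output=True,
                             text=True, check=False).stdout
    except OSError:
        return []
    return [os.path.basename(line.strip()) for line in out.splitlines() if line.strip()]


def activity_agent_running(process_names=None):
    """True when a process named Activity_agent is present (case-insensitive)."""
    names = running_process_names() if process_names is None else process_names
    return any(os.path.basename(n).lower() == PROCESS_NAME.lower() for n in names)


def proton_indicators(home, exists=os.path.exists):
    """Return [(label, absolute_path)] for each indicator present under `home`."""
    found = []
    for label, rel in INDICATOR_PATHS.items():
        path = os.path.join(home, rel)
        if exists(path):
            found.append((label, path))
    return found


def remediation_steps(findings):
    """Commands from the article that apply to what was found; returned, not run."""
    steps = []
    for label, path in findings:
        if label == "launch_agent":
            steps.append(f"launchctl unload {path}")
        elif label == "agent_app":
            steps.append(f"rm -rf {path}")
        elif label == "proton_zip":
            # The article says to remove the whole VideoFrameworks folder.
            steps.append(f"rm -rf {os.path.dirname(path)}")
    return steps


if __name__ == "__main__":
    home = os.path.expanduser("~")
    hits = proton_indicators(home)
    print("Activity_agent running:", activity_agent_running())
    for label, path in hits:
        print("indicator present:", label, path)
    for cmd in remediation_steps(hits):
        print("  suggested:", cmd)
```

Run it as the affected user, since every path is relative to that user's home directory. A hit on any indicator is also the trigger for the password rotation the article calls for, because the Trojan will have had access to the keychain and to browser-stored credentials for as long as it was installed.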
The MacOS Proton RAT was first identified earlier this year. It is capable of logging keystrokes to steal passwords, can execute shell commands as root, steal files, take screenshots of the desktop and access the webcam. Once installed, it will run every time the user logs on.
Only Handbrake for Mac downloads were affected. Any user who recently upgraded through the Handbrake update mechanism will not be affected, as checks are performed to prevent the downloading of malicious files.
The compromised server has now been shut down to prevent any further malware downloads. At this stage it is unclear how access to the server was gained and how the Handbrake Apple Disk Image file was replaced with a malicious version.
A patch has been rushed and released to address a serious Microsoft Malware Protection Engine bug, termed ‘Crazy Bad’ by the researchers who discovered the flaw. If exploited, the vulnerability would allow threat actors to turn the malware protection software against itself.
If the Microsoft Malware Protection Engine bug is exploited, Microsoft’s malware protection engine could be used to install malware rather than remove it. Instead of searching for infected files that have been downloaded, the system would be downloading malware and infecting end users.
The Microsoft Malware Protection Engine bug affects a number of anti-malware software products including Windows Defender, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, Windows Intune Endpoint Protection and Microsoft Forefront Endpoint Protection.
The remotely exploitable bug could allow a system to be completely compromised, giving attackers full access to an infected computer or server, since the software and all associated processes run at LocalSystem privilege level.
The flaw was discovered by Natalie Silvanovich and Tavis Ormandy of Google Project Zero who alerted Microsoft three days ago. Ormandy said the flaw was “The worst in recent memory.” Microsoft worked fast to patch the flaw and an update was pushed out yesterday.
While extremely serious, Microsoft does not believe any malicious actors have taken advantage of the flaw, although all unpatched systems are at risk. Threat actors could take advantage of the Microsoft Malware Protection Engine bug in a number of ways, including sending specially crafted email messages. The Project Zero researchers note that simply sending a malicious email would be enough to allow the bug to be exploited. It would not be necessary for the user to open the email or an infected email attachment. The researchers explained that “writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine.” Alternatively, the flaw could be exploited by visiting a malicious website if a link was sent via email or through instant messaging.
The patch for the vulnerability (CVE-2017-0290) will be installed automatically if users have auto-update turned on. System administrators who have set updates to manual should ensure the patch is applied as soon as possible to prevent the flaw from being exploited. The current, patched Malware Protection Engine is version 1.1.13704.0.
A sophisticated new malware threat has been discovered that is being used to target a wide range of industry sectors and infect systems with RAT/malware.
The campaign is being used to spread multiple malware variants and gain full access to systems and data. While many organizations have been attacked, the threat actors have been targeting IT service providers, where credential compromises can be leveraged to gain access to their clients’ environments.
The threat actors are able to evade detection by conventional antivirus solutions and operate virtually undetected.
The campaign has been running since at least May 2016 according to a recent alert issued by the National Cybersecurity Communications Integration Center (NCCIC) of the U.S. Department of Homeland Security.
The campaign is still being investigated, but due to the risk of attack, information has now been released to allow organizations to take steps to block the threat and mitigate risk. NCCIC categorizes the threat level as medium.
While threat detection systems are capable of identifying intrusions, this campaign is unlikely to be detected. The attack methods used by the threat actors involve impersonating end users leveraging stolen credentials. Communications with the C2 are encrypted, typically occurring over port 443 with the domains frequently changing IP address. Domains are also spoofed to appear as legitimate traffic, including Windows update sites.
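Two of the traits described above are still visible in ordinary proxy or DNS logs even when the payload is encrypted: a C2 domain dressed up to look like a Windows update host, and a domain whose IP address keeps changing. The following is an added example and not code from the alert or from NCCIC: it reads proxy log lines in a constructed format (an assumption for this example), flags hostnames that carry an update-related token but do not end in an allowlisted Microsoft suffix, and flags any host contacted on port 443 that resolved to three or more distinct addresses. The allowlist, the tokens and the threshold are all assumptions to be tuned for a real environment.

```python
"""Two cheap checks for the C2 traits described in the NCCIC alert.

Added example, not from the alert. Log layout, allowlist, lookalike tokens and
the churn threshold are assumptions made for this example.
"""
import re
from collections import defaultdict

# Assumption: suffixes that legitimately host Windows update traffic.
LEGIT_SUFFIXES = ("microsoft.com", "windowsupdate.com")
# Tokens that, in a non-allowlisted name, suggest impersonation of update traffic.
LOOKALIKE_TOKENS = ("windowsupdate", "microsoft")
# Distinct destination IPs per hostname before we call it churn.
IP_CHURN_THRESHOLD = 3

# Constructed layout: "<ts> <client_ip> <hostname> <dst_ip> <dst_port>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>[\d.]+) (?P<host>\S+) (?P<dst>[\d.]+) (?P<port>\d+)$")

# Constructed sample proxy log.
SAMPLE_LOG = [
    "2017-04-27T09:00:01Z 192.168.1.20 windowsupdate.microsoft.com 203.0.113.50 443",
    "2017-04-27T09:00:05Z 192.168.1.20 update.windowsupdate-cdn.example 198.51.100.10 443",
    "2017-04-27T09:30:05Z 192.168.1.20 update.windowsupdate-cdn.example 198.51.100.11 443",
    "2017-04-27T10:00:07Z 192.168.1.21 UPDATE.windowsupdate-cdn.example. 203.0.113.4 443",
    "2017-04-27T10:01:00Z 192.168.1.22 microsoft-update.example 203.0.113.70 443",
    "2017-04-27T10:02:00Z 192.168.1.22 www.example.org 203.0.113.80 443",
    "2017-04-27T10:02:30Z 192.168.1.22 www.example.org 203.0.113.81 443",
    "malformed line",
]


def canonical(host):
    """Lower-case and strip the trailing root dot so variants collapse together."""
    return host.lower().rstrip(".")


def is_legit(host):
    """True when the name is an allowlisted suffix or a subdomain of one.
    Simplification: no public-suffix handling, plain suffix match only."""
    h = canonical(host)
    return any(h == s or h.endswith("." + s) for s in LEGIT_SUFFIXES)


def is_lookalike(host):
    """Update-related token in a name that is not under an allowlisted suffix."""
    h = canonical(host)
    return any(t in h for t in LOOKALIKE_TOKENS) and not is_legit(h)


def analyze(lines):
    """Return {'lookalike_domains': [...], 'ip_churn': {host: [ips]}}."""
    ips_per_host = defaultdict(set)
    lookalikes = set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host = canonical(m["host"])
        if m["port"] == "443":
            ips_per_host[host].add(m["dst"])
        if is_lookalike(host):
            lookalikes.add(host)
    churn = {h: sorted(ips) for h, ips in ips_per_host.items()
             if len(ips) >= IP_CHURN_THRESHOLD}
    return {"lookalike_domains": sorted(lookalikes), "ip_churn": churn}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("lookalike domains:", result["lookalike_domains"])
    for host, ips in result["ip_churn"].items():
        print(f"{host} resolved to {len(ips)} addresses: {', '.join(ips)}")
```

Neither check is proof of compromise on its own; content delivery networks also rotate addresses, which is why the two signals are reported separately and a host appearing in both lists is the one to look at first. The alert's point stands that antivirus will not catch this traffic, so a check like this belongs in the proxy or SIEM layer rather than on the endpoint.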
Two main malware variants are being used in this campaign – the remote administration Trojan (RAT) REDLEAVES and the PLUGX/SOGU Remote Access Tool. PLUGX malware has been around since 2012, although various modifications have been made to the malware to prevent detection.
PLUGX allows the threat actors to perform a range of malicious activities such as setting connections, terminating processes, logging off the current user and modifying files. It also gives the threat actors full control of the compromised system and allows the downloading of files. REDLEAVES offers the threat actors a typical range of RAT functions including system enumeration.
NCCIC has released Indicators of Compromise (IOCs) to allow organizations to conduct scans to determine whether they have been infected and further information will be published when it becomes available.
While anti-virus solutions should be used, they are unlikely to offer protection against this malware campaign. NCCIC warns organizations that there is no single security solution that can prevent infection, therefore a multi-layered defense is required. The aim of organizations should be to make it as difficult as possible for the attackers to gain access to their systems and install malware and operate undetected.
NCCIC offers several suggestions to help organizations improve their defenses against attack. Since phishing emails are used to fool end users into revealing their credentials, anti-phishing solutions should be employed to prevent the emails from reaching end users’ inboxes.
Other mitigations are detailed in NCCIC’s recent report, which can be downloaded from US-CERT on this link.
Locky is back. The latest Locky ransomware attacks leverage an infection technique used in Dridex malware campaigns.
It has been all quiet on the western front, with Locky ransomware attacks dropping off to a tiny fraction of the number seen in 2016. In the first quarter of 2017, Locky ransomware campaigns all but stopped, with Cerber becoming the biggest ransomware threat.
That could be about to change. Locky has returned, its delivery mechanism has changed, and the crypto ransomware is now even harder to detect.
The latest campaign was detected by Cisco Talos and PhishMe. The Talos team identified a campaign involving around 35,000 spam emails spread over just a few hours. The researchers suggest the emails are being delivered using the Necurs botnet, which has until recently been used to send out stock-related email spam.
New Infection Method Used in Latest Locky Ransomware Attacks
The latest Locky campaign uses a different method of infection. Previous Locky campaigns have used malicious Word macros attached to spam emails. If the email attachment is opened, end users are requested to enable macros to view the content of the document. Enabling macros will allow a script to run that downloads the payload. For the latest campaign, spam emails are used to deliver PDF files.
The change in infection method can be easily explained. Over the past few months, Word macros have been extensively used to infect end users with ransomware. Awareness of the danger of Word macros has been widely reported and companies have been warning their staff about malicious Word documents containing macros.
If an end user is fooled into opening an email attachment that asks them to enable macros, they are now more likely to close the document and raise the alarm. To increase the probability of the end user taking the desired action, the authors have made a change. Macros are still involved, but later in the infection process.
The emails contain little in the way of text, but inform the recipient that the PDF file contains a scanned image or document, a purchase order, or a receipt. PDF files are more trusted and are more likely to be opened. Opening the PDF file will see the user prompted to allow the PDF reader to download an additional file. The second file is a Word document containing a macro that the end user will be prompted to enable.
The rest of the infection process proceeds in a similar fashion to previous Locky ransomware attacks. Enabling the macros will see a Dridex payload downloaded which will then download Locky. Locky will proceed to encrypt a similarly wide range of file types on the infected computer, connected storage devices and mapped network drives.
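The lure described above has a recognizable static shape: a PDF that carries an embedded file and an action that fires when the document opens. The following is an added example, not code from the article or from Talos or PhishMe: a first-pass triage routine that decodes `#xx` escapes in PDF name objects (so `/Embedded#46iles` is still seen as `/EmbeddedFiles`), inflates any Flate-compressed streams it can, counts the names of interest, and returns a verdict. The two sample PDFs are constructed inline; no real Locky sample is used, and the indicator list is an assumption to be extended.

```python
"""Static triage of a PDF for the embedded-file-plus-open-action lure.

Added example, not from the article. Both sample PDFs are constructed here;
the indicator list is an assumption and deliberately short.
"""
import re
import zlib

# PDF name objects whose presence warrants a closer look (assumption).
SUSPICIOUS_NAMES = {
    "EmbeddedFile", "EmbeddedFiles", "JavaScript", "JS",
    "Launch", "OpenAction", "AA", "RichMedia", "SubmitForm",
}

NAME_RE = re.compile(rb"/([A-Za-z0-9_.\-]+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_names(data):
    """Resolve #xx escapes in name objects, e.g. /Embedded#46iles -> /EmbeddedFiles."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Bodies of every stream that inflates cleanly with zlib; others are skipped."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue
    return bodies


def pdf_indicators(data):
    """Map suspicious name -> occurrence count across the raw file and inflated streams."""
    counts = {}
    for chunk in [data] + inflate_streams(data):
        for m in NAME_RE.finditer(decode_names(chunk)):
            name = m.group(1).decode("latin-1")
            if name in SUSPICIOUS_NAMES:
                counts[name] = counts.get(name, 0) + 1
    return counts


def verdict(data):
    """'quarantine' for embedded file + trigger, 'review' for any indicator, else 'clean'."""
    ind = pdf_indicators(data)
    has_embedded = "EmbeddedFile" in ind or "EmbeddedFiles" in ind
    has_trigger = any(k in ind for k in ("OpenAction", "AA", "Launch", "JavaScript", "JS"))
    if has_embedded and has_trigger:
        return "quarantine"
    return "review" if ind else "clean"


def build_lure_pdf():
    """Constructed sample: hex-escaped /EmbeddedFiles, an /OpenAction, and a
    harmless JavaScript action hidden inside a Flate stream."""
    js = zlib.compress(b"<< /S /JavaScript /JS (app.alert('constructed sample');) >>")
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /Embedded#46iles 4 0 R >> "
        b"/OpenAction 5 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
        b"4 0 obj << /Names [(doc.docm) 6 0 R] >> endobj\n"
        b"5 0 obj << /Length " + str(len(js)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + js + b"\nendstream\nendobj\n"
        b"6 0 obj << /Type /Filespec /F (doc.docm) /EF << /F 7 0 R >> >> endobj\n"
        b"7 0 obj << /Type /EmbeddedFile /Length 0 >>\nstream\n\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


def build_clean_pdf():
    """Constructed sample: a one-page document with no actions or attachments."""
    return (
        b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


LURE_PDF = build_lure_pdf()
CLEAN_PDF = build_clean_pdf()

if __name__ == "__main__":
    for label, pdf in (("lure", LURE_PDF), ("clean", CLEAN_PDF)):
        print(label, verdict(pdf), pdf_indicators(pdf))
```

This is a mail-gateway or sandbox pre-filter, not a parser: it does not follow object references, handle encrypted documents or streams with filters other than Flate, and a determined author can split names across object streams. Its value is that the combination the campaign depends on (an attachment plus something that fires on open) is cheap to spot and rare in legitimate invoices and scans, which is exactly the pretext the emails use.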
The ransom payment demanded is 1 Bitcoin – currently around $1,200. This is considerably more than the ransom payments demanded when Locky first arrived on the scene just over a year ago.
One slight change for this campaign is the user is required to install the Tor browser in order to visit the payment site. This change is believed to be due to Tor proxy services being blocked.
Adding the extra step in the infection process is expected to result in more infections. Many users who would not open a Word attachment may be fooled into opening the PDF.
Businesses should raise the alarm and send out warning emails to staff alerting them to the new campaign and advising them to be wary of PDF files in emails.
Exploit kits have been one of the attack vectors of choice for cybercriminals, although research from Trustwave shows exploit kit activity has been in decline over the past 12 months. Trustwave reports exploit kit activity fell by around 300% over the course of 2016.
Exploit kits are used to probe for vulnerabilities in web browsers and web browser plugins. When a user visits a website hosting an exploit kit, their browser is probed for flaws. If a flaw is found, it is exploited to silently download malware and ransomware.
However, as the middle of the year approached, exploit kit activity started to fall. There are many possible reasons why exploit kit activity has declined. Efforts have increased to make browsers more secure and defenses against exploit kits have certainly been improved.
Adobe Flash vulnerabilities were the most exploited, but last year Adobe started issuing patches faster, limiting the opportunity for the attackers to exploit flaws. The fall in exploit kit activity has also been attributed to the takedown of cybercriminal gangs that extensively used and developed exploit kits. In 2016, the Russian outfit Lurk was broken up and a number of high profile arrests were made. Lurk was the outfit behind the infamous Angler exploit kit. Angler, along with Neutrino, Nuclear and Magnitude were extensively used to download malware and ransomware.
The recently published 2017 IBM X-Force Threat Intelligence Index shows spam email volume increased around the middle of 2016 and there was a marked increase in malicious email attachments. Spam email has now become the attack vector of choice, but that doesn’t mean exploit kits have died. Exploit kits are still being used in attacks, but at a much-reduced level.
Exploit kits are now being used in smaller, more targeted attacks on specific geographical regions, rather than the global attacks using Angler, Nuclear and Magnitude.
Over the past few months, exploit kit activity has started to rise and new exploit kits have been discovered. Late last year, the DNSChanger exploit kit was discovered. While most exploit kits target vulnerabilities in browsers, the DNSChanger exploit kit targets vulnerabilities in routers.
Researchers from Zscaler’s ThreatLabz report there has been an increase in exploit kit activity in the first quarter of 2017. The researchers have noticed a new KaiXin campaign and Neutrino activity has increased. The researchers also detected a new exploit kit called Terror. The Terror exploit kit has been compiled from other exploit kits such as Sundown. The RIG EK continues to be one of the most commonly used kits and has been found to be delivering the ransomware variants Cerber and Locky.
Malicious email attachments may still be the attack vector of choice for spreading ransomware and malware payloads, but the threat from exploit kits is still significant and should not be ignored.
To find out how you can improve your defenses against exploit kits, contact the TitanHQ team today.
The source code for the NukeBot Trojan has been published online on a source-code management platform. The code for NukeBot – or Nuclear Bot as it is also known – appears to have been released by the author, rather than being leaked.
To date, the NukeBot Trojan has not been detected in the wild, even though it was first seen in December 2016. The NukeBot Trojan was developed by a hacker by the name of Gosya. The modular malware has a dual purpose. In addition to it functioning like a classic virus, it also works like an anti-virus program and is capable of detecting and eradicating other installed malware. The modular design means additional components and functionality can easily be added. When attempting to sell the malware in December last year, the author said further modules would be developed.
The release of the code for the NukeBot Trojan is understood to be an effort by the author to regain trust within the hacking community. IBM says Gosya is a relatively new name in hacking circles, having joined cybercrime forums in late 2016.
While newcomers need to build trust and gain the respect of other hacking community members, Gosya almost immediately listed the malware for sale soon after joining underground communities and failed to follow the usual steps taken by other new members.
Gosya may have developed a new malware from scratch, but he failed to have the malware tested and certified. No test versions of the malware were provided and underground forum members discovered Gosya was using different monikers on different forums in an attempt to sell his creation. Gosya’s actions were treated as suspicious and he was banned from forums where he was trying to sell his malware.
While other hackers may have been extremely dubious, they incorrectly assumed that Gosya was attempting to sell a ripped malware. The NukeBot Trojan was not only real, it was fully functional. There was nothing wrong with the malware, the problem was the actions taken by Gosya while attempting to sell his Trojan.
While many new malware variants are developed using sections of code from other malware – Zeus being one of the most popular – the NukeBot Trojan appears to be entirely new. Back in December, when the malware was first detected and analyzed, researchers from Arbor Networks and IBM X-Force verified that the malware was fully functional and had viable code which did not appear to have been taken from any other malware variant. The malware even included an admin control panel that can be used to control infected computers.
Now that the source code has been released it is likely that Gosya will be accepted back in the forums. The source code will almost certainly be used by other malware developers and real-world NukeBot attacks may now start.
A flaw in the mobile Safari browser has been exploited by cybercriminals and used to extort money from individuals who have previously used their mobile device to view pornography or other illegal content. The Safari scareware prevents the user from accessing the Internet on their device by loading a series of pop-up messages.
A popup is displayed advising the user that Safari cannot open the requested page. Clicking on OK to close the message triggers another popup warning. Safari is then locked in an endless loop of popup messages that cannot be closed.
A message is displayed in the background claiming the device has been locked because the user has been discovered to have viewed illegal web content. Some users have reported messages containing Interpol banners, which are intended to make the user think the lock has been put on their phone by law enforcement. The only way of unlocking the device, according to the messages, is to pay a fine.
One of the domains used by the attackers is police-pay.com; however, few users would likely be fooled into thinking the browser lock was implemented by a police department as the fine had to be paid in the form of an iTunes gift card.
Other messages threaten the user with police action if payment is not made. The attackers claim they will send the user’s browsing history and downloaded files to the Metropolitan Police if the ransom is not paid.
The Safari scareware campaign was recently uncovered by Lookout, which passed details of the exploit on to Apple last month. Apple has now released an update to its browser which prevents the attack from taking place. Users can protect their devices against attack by updating their device to iOS version 10.3.
Scareware is different from ransomware, although both are used to extort money. In the case of ransomware, the attacker gains access to a device and malicious file-encrypting malware is downloaded. That malware then locks users’ files with powerful encryption. If no backup of the encrypted files exists, the user faces loss of data if they do not pay the attackers for the key to decrypt their locked files.
Scareware may involve malware, although more commonly – as was the case with this Safari scareware campaign – it involves malicious code on websites. The code is run when a user with a vulnerable browser visits an infected webpage. The idea behind scareware is to scare the end user into paying the ransom demand to unlock their device. In contrast to ransomware, which cannot be unlocked without a decryption key, it is usually possible to unlock scareware-locked browsers with a little computer know-how. In this case, control of the phone could be regained by clearing the Safari cache of all data.
A new form of PoS malware – called MajikPOS malware – has recently been discovered by security researchers at Trend Micro. The new malware has been used in targeted attacks on businesses in the United States, Canada, and Australia.
The researchers first identified MajikPOS malware in late January, by which time the malware had been used in numerous attacks on retailers. Further investigation revealed attacks had been conducted as early as August 2016.
MajikPOS malware has a modular design and has been written in .NET, a common software framework used for PoS malware. The design of MajikPOS malware supports a number of features that can be used to gather information on networks and identify PoS systems and other computers that handle financial data.
The attackers are infecting computers by exploiting weak credentials. Brute force attacks are conducted on open Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP) ports. A variety of techniques are used to install the MajikPOS malware and evade detection, in some cases leveraging RATs that have previously been installed on retailers’ systems. The malware includes a RAM scraping component to identify credit card data and uses an encrypted channel to communicate with its C&C and exfiltrate data undetected.
MajikPOS malware is being used by a well-organized cybercriminal organization and credit card details are being stolen on a grand scale. The stolen information is then sold on darknet ‘dump shops’. The stolen credit card numbers, which the researchers estimate to number at least 23,400, are being sold individually for between $9 and $39. The gang also sells the credit card numbers in batches of 25, 50, or 100. The majority of credit cards belong to individuals in the United States or Canada.
PoS Malware Infections Can Be Devastating
A number of different attack vectors can be used to install PoS malware. Malware can be installed as a result of employees falling for spear phishing emails. Cybercriminals commonly gain a foothold in retailers’ networks as a result of employees divulging login credentials when they respond to phishing emails.
While exploit kit activity has fallen in recent months, the threat has not disappeared, and malvertising campaigns and malicious links sent via email are still used in targeted attacks on U.S. retailers.
Brute force attacks are also common, highlighting how important it is to change default credentials and set strong passwords.
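The brute force attacks on exposed RDP and VNC services described above leave a clear trace in authentication logs. The following Python script is an added example written for this article (it is not code from Trend Micro's research or from any of the products mentioned); it counts failed remote-desktop logons per source address inside a short window and notes whether a successful logon followed the burst, which is the signature of a credential-guessing attack that has worked. The log lines are constructed to resemble Windows Security events 4625 (an account failed to log on) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP); the whitespace-separated layout is an assumption made for the example, not a real export format.

```python
"""Flag RDP credential-guessing from Windows-style logon events.

Added example (not from the original article or from Trend Micro's research).
The log lines are constructed to resemble Windows Security events 4625 (an
account failed to log on) and 4624 (successful logon) with logon type 10
(RemoteInteractive, i.e. RDP). The whitespace-separated layout is an
assumption made for this example, not a real export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, event id, logon type, account name, source IP
SAMPLE_LOG = """\
2017-03-10T02:00:01 4625 10 administrator 203.0.113.5
2017-03-10T02:00:03 4625 10 admin 203.0.113.5
2017-03-10T02:00:04 4625 10 pos 203.0.113.5
2017-03-10T02:00:06 4625 10 administrator 203.0.113.5
2017-03-10T02:00:08 4625 10 guest 203.0.113.5
2017-03-10T02:00:09 4625 10 root 203.0.113.5
2017-03-10T02:00:11 4625 10 administrator 203.0.113.5
2017-03-10T02:00:12 4624 10 administrator 203.0.113.5
2017-03-10T09:15:00 4625 10 jsmith 198.51.100.7
2017-03-10T09:15:40 4624 10 jsmith 198.51.100.7
"""

EVENT_FAILED = 4625
EVENT_SUCCESS = 4624
LOGON_REMOTE_INTERACTIVE = 10

def parse(log_text):
    """Turn the sample text into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "src": src,
        })
    return events

def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for sources with at least `threshold` failed
    RDP logons inside any `window`, and whether a success followed the failures."""
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == LOGON_REMOTE_INTERACTIVE:
            by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["event_id"] == EVENT_FAILED]
        # Sliding window over the sorted failures: does any window hold >= threshold?
        start, burst = 0, False
        for end in range(len(failures)):
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        last_failure = failures[-1]["time"]
        success_after = any(e["event_id"] == EVENT_SUCCESS and e["time"] >= last_failure
                            for e in evs)
        findings[src] = {
            "failures": len(failures),
            "accounts_tried": sorted({e["account"] for e in failures}),
            # A success right after a burst of failures means a password was guessed.
            "success_after_failures": success_after,
        }
    return findings

if __name__ == "__main__":
    for src, summary in find_bruteforce(parse(SAMPLE_LOG)).items():
        print(src, summary)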
PoS malware infections can prove incredibly costly for retailers. Just ask Home Depot. A PoS malware infection has cost the retailer more than $179 million to resolve, with the cost of the security breach continuing to rise. That figure does not include the loss of business as a result of the breach. Consumers have opted to shop elsewhere in their droves following the 2014 PoS malware attack.
This latest threat should serve as a warning for all retailers. Security vulnerabilities can – and are – exploited by cybercriminals. If inadequate protections are put in place to keep consumers’ data secure, it will only be a matter of time before systems are attacked.
There is a new ransomware threat that businesses should be aware of, but PetrWrap ransomware is not exactly new. It is actually a form of ransomware that was first discovered in May last year. PetrWrap ransomware is, to all intents and purposes, almost exactly the same as the third incarnation of Petya ransomware. There is one key difference though. PetrWrap ransomware has been hijacked by a criminal gang and its decryption keys have been changed.
The criminal organization behind PetrWrap ransomware has taken Petya ransomware, for which there is no free decryptor, and has exploited a vulnerability that allowed them to steal it and use it for their own gain. The attackers have simply added an additional module to the ransomware that modifies it on the fly. After all, why bother going to all the trouble of developing your own ransomware variant when a perfectly good one already exists!
Petya ransomware is being offered to spammers and scammers under an affiliate model. The ransomware authors are loaning the ransomware to others and take a percentage of the profits gained from ransoms that are paid. This is a common tactic to increase overall profits, just as retailers pay affiliate marketers to sell their products for a commission. In the case of ransomware-as-a-service, this allows the authors to infect more computers by letting others do the hard work of infecting computers.
Yet the gang behind PetrWrap has chosen not to give up a percentage of the profits. They are keeping all of the ransom payments for themselves. The module modifies and repurposes the malware code meaning even the Petya ransomware authors are unable to decrypt PetrWrap ransomware infections.
Kaspersky Lab researcher Anton Ivanov says “We are now seeing that threat actors are starting to devour each other and from our perspective, this is a sign of growing competition between ransomware gangs.” He pointed out the significance of this, saying “the more time criminal actors spend on fighting and fooling each other, the less organized they will be, and the less effective their malicious campaigns will be.”
Petya – and PetrWrap ransomware – is not a typical ransomware variant in that no files are encrypted. While Locky, CryptXXX, and Samsa search for a wide range of file types and encrypt them to prevent users from accessing their data, Petya uses a different approach. Petya modifies the master boot record that launches the operating system. The ransomware then encrypts the master file table. This prevents an infected computer from being able to locate files stored on the hard drive and stops the operating system from running. Essentially, the entire computer is taken out of action. The effect, however, is the same: users are prevented from accessing their data unless a ransom is paid. Petya and PetrWrap ransomware can spread laterally and infect all endpoint computers and servers on the network. Rapid detection of an infection is therefore critical to limit the harm caused.
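Because Petya-style ransomware works by replacing the master boot record rather than encrypting individual files, one cheap detective control is to compare the first sector of each system disk against a known-good baseline. The Python below is an added example written for this article, not code from Kaspersky Lab or from any product: it hashes the bootstrap-code area of a 512-byte sector, verifies the 0x55AA boot signature, and checks that the partition table has not been wiped. The sectors are constructed in memory so the script runs offline; on a real host the bytes would be read from the raw disk device with administrative rights, and the baseline hash would be recorded when the machine is known to be clean.

```python
"""Check a boot sector (first 512 bytes of a disk) against a known-good baseline.

Added example, not from the original article. Petya-style malware replaces the
master boot record, so periodically comparing sector 0 against a baseline is a
cheap way to notice the change. The sector bytes below are constructed; on a
real host they would be read from the raw disk device (for example
\\.\PhysicalDrive0 on Windows, /dev/sda on Linux) with administrative rights.
"""
import hashlib

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511 of a valid MBR
MBR_CODE_SIZE = 440              # bootstrap code; disk signature and reserved bytes follow
PARTITION_TABLE_OFFSET = 446     # four 16-byte partition entries

def build_sample_mbr(code, partition_entry):
    """Construct a 512-byte sector: bootstrap code, one partition entry, signature."""
    code = code[:MBR_CODE_SIZE]
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = partition_entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

def fingerprint(sector):
    """SHA-256 over the bootstrap code only, so a legitimate partition-table edit
    (resizing or adding a partition) does not by itself raise an alert."""
    return hashlib.sha256(sector[:MBR_CODE_SIZE]).hexdigest()

def check_mbr(sector, baseline_fingerprint):
    """Return {'ok': bool, 'problems': [...]} for one sector against its baseline."""
    problems = []
    if len(sector) != SECTOR_SIZE:
        problems.append("sector is not 512 bytes")
    elif sector[510:512] != BOOT_SIGNATURE:
        problems.append("boot signature 0x55AA missing")
    table = sector[PARTITION_TABLE_OFFSET:510]
    if len(sector) == SECTOR_SIZE and all(b == 0 for b in table):
        problems.append("partition table is empty")
    if fingerprint(sector) != baseline_fingerprint:
        problems.append("bootstrap code differs from baseline")
    return {"ok": not problems, "problems": problems}

# Constructed "known good" bootstrap code (the first bytes mirror a standard
# Windows MBR prologue) and a typical bootable NTFS partition entry.
GOOD_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100
NTFS_ENTRY = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xfe, 0xff, 0xff,
                    0x00, 0x08, 0x00, 0x00, 0x00, 0xf8, 0x7f, 0x00])
GOOD_MBR = build_sample_mbr(GOOD_CODE, NTFS_ENTRY)
BASELINE = fingerprint(GOOD_MBR)   # would be stored when the machine is known clean

# Constructed tampered sector: foreign bootstrap code and a wiped partition table.
TAMPERED_MBR = build_sample_mbr(b"\xfa\x31\xc0" + b"\xcc" * 200, bytes(16))

if __name__ == "__main__":
    print("good:", check_mbr(GOOD_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

The check deliberately hashes only the first 440 bytes: the disk signature and partition table change during ordinary administration, whereas the bootstrap code should never change outside a planned bootloader update, so any difference there deserves an immediate look.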
Consumers and businesses need to take steps to protect their computers from malware infections, but should there be more malware protection at the ISP level?
Businesses and personal computer users are being infected with malware at an alarming rate, yet those infections often go unnoticed. All too often malware is silently downloaded onto computers as a result of visiting a malicious website.
Websites containing exploit kits probe for vulnerabilities in browsers and plugins. If a vulnerability is discovered it is exploited and malware is downloaded. Malware can also easily be installed as a result of receiving a spam email – if a link is clicked that directs the email recipient to a malicious website or if an infected email attachment is opened.
Cybercriminals have got much better at silently installing malware. The techniques now being used see attackers install malware without triggering any alerts from anti-virus software. In the case of exploit kits, zero-day vulnerabilities are often exploited before anti-virus vendors have discovered the flaws.
While malware infections may not be detected by end users or system administrators, that does not necessarily mean that those infections are not detected. Internet Service Providers – ISPs – are in a good position to identify malware infections from Internet traffic and an increasing number are now scanning for potential malware infections.
ISPs are able to detect computers that are being used for malicious activities such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, and doing so is a relatively easy process.
Malware Protection at the ISP Level
Malware protection at the ISP level involves implementing controls to prevent malware infections and notifying consumers when malicious activity is detected.
ISPs can easily check for potential malicious activity on IP addresses, although blocking those IP addresses is not the answer. While some computers are undoubtedly knowingly used for malicious purposes, in many cases the users of the computers are unaware that their device has been compromised.
ISPs can however alert individuals to a potential malware infection when suspicious activity is identified. Warning emails can be sent to end users to advise them that their computer is potentially infected with malware. Those individuals can be sent a standard email template that contains instructions on how to check for a malware infection.
An increasing number of ISPs are now performing these checks and are notifying their customers of suspicious activity. Many ISPs in Europe provide this cybersecurity checking service and Level 3 Communications is one such ISP that is taking the lead.
The ISP is assessing Internet traffic and is identifying potentially malicious activity associated with certain IP addresses. So far, the ISP has created a database containing around 178 million IP addresses that are likely being used for malicious activity. Many of those IP addresses are static and are part of a botnet. Level 3 Communications has estimated that around 60% of those IP addresses have been added to a botnet and 22% of the suspicious IP addresses are believed to be used to send out phishing email campaigns.
The content of Internet traffic is not investigated, although the ISP has been able to determine the IP addresses being used and those which are being sent messages and Internet traffic. While the IP addresses are known, the individuals that use those IP addresses are not. In order to notify individuals of potential infections, Level 3 Communications is working with hosting providers. Once the individuals are identified, they are contacted and advised of a potential malware infection.
The war on cybercrime requires a collaborative effort between law enforcement, governments, ISPs, and consumers. Only when all of those parties are involved will it be possible to curb cybercrime. Consumers can take steps to prevent infection, as can businesses, but when those measures are bypassed, ISPs can play their part.
If all ISPs were to conduct these checks and send out alerts, malware infections could be tackled and life would be made much harder for cybercriminals.
ISP Web Filtering for WiFi Networks – Protecting Consumers from Malware Infections
Notifying consumers about malware infections is one thing that should be considered, but malware protection at the ISP level should be implemented to prevent consumers and businesses from being infected in the first place.
ISPs can implement web filtering controls to block the accessing of illegal website content such as child pornography. The same technology can also be used to block websites known to contain malware. Broadband providers can implement these controls to protect consumers, and providers of public Internet can use web filtering for WiFi networks.
WiFi filters have already been implemented on the London Underground to prevent users from accessing pornography. Those controls can be extended to block websites known to be malicious. In the UK, Sky WiFi networks use filtering controls to block certain malicious and inappropriate website content from being accessed to better protect consumers. Effective malware protection at the ISP level not only keeps consumers protected, it is also a great selling point in a highly competitive market.
If you are an ISP and are not yet using filtering controls to protect your customers, speak to TitanHQ today and find out more about malware protection at the ISP level and how low-cost web filtering controls can be implemented to keep customers better protected.
A restaurant malware attack has resulted in the theft of the credit and debit card numbers of more than 355,000 customers, according to Krebs on Security. A breach was suspected to have occurred when credit unions and banks started to notice a flurry of fraudulent purchases. The breach was traced to the fast food restaurant chain Arby’s.
While there have been numerous instances of credit card fraud reported in the past few days, the Arby’s data breach was first identified in January. Industry partners contacted Arby’s regarding a potential breach of credit/debit card numbers. At that point, the incident was only thought to have affected a handful of its restaurants.
The malware infection was soon uncovered and the FBI was notified, although the agency requested that Arby’s did not go public so as not to impede the criminal investigation. However, a statement has recently been released confirming that Arby’s is investigating a breach of its payment card systems.
Upon discovery of the breach, Arby’s retained the services of cybersecurity firm Mandiant to conduct a forensic analysis. The Mandiant investigation is continuing, although rapid action was taken to contain the incident and remove the malware from Arby’s payment card systems. The investigation revealed that the incident only impacted certain corporate-owned stores. None of the franchised stores were infected with malware. Arby’s has more than 3,300 stores across the United States, more than 1,000 of which are corporate-owned.
PSCU, an organization serving credit unions, was the first to identify a potential breach after receiving a list of 355,000 stolen credit card/debit card numbers from its member banks. It is currently unclear when the restaurant malware attack first occurred, although the malware is currently thought to have been actively stealing data from October 25, 2016 until January 19, 2017, when the malware was identified and removed.
This is of course not the first restaurant malware attack to have been reported in recent months. The restaurant chain Wendy’s suffered a similar malware attack last year. That incident also resulted in the theft of hundreds of thousands of payment card details before the malware was discovered and removed. Similar payment card system malware infections were also discovered by Target and Home Depot and resulted in huge numbers of card details being stolen.
Details of how the malware was installed have not been released, although malware is typically installed when employees respond to spear phishing campaigns. Malware is also commonly installed as a result of employees clicking on malicious links contained in spam emails or being redirected to malicious sites by malvertising. In some cases, malware is installed by hackers who take advantage of unaddressed security vulnerabilities.
Once malware has been installed it can be difficult to identify, even when anti-virus and anti-malware solutions are in use. As was the case with the latest restaurant malware attack, data theft was only identified when cybercriminals started using the stolen payment card information to make fraudulent purchases.
Protecting against malware attacks requires multi-layered cybersecurity defenses. Good patch management policies are also essential to ensure that any security vulnerabilities are remediated promptly. Anti-spam and anti-phishing solutions can greatly reduce the volume of messages that make it through to employees’ inboxes, while malicious links and redirects can be blocked with a web filtering solution. A little training also goes a long way. All staff members with computer access should receive anti-phishing training and should be instructed on security best practices.
Regular scans should be performed on all systems to search for malware that may have evaded anti-virus and anti-malware solutions. Since a restaurant malware attack will target payment card systems, those should be frequently scanned for malware. Rapid detection of malware will greatly reduce the damage caused.
This month, security researchers have discovered cybercriminals are conducting social media ransomware attacks using Facebook Messenger and LinkedIn. Social media posts have long been used by cybercriminals to direct people to malicious websites containing exploit kits that download malware; however, the latest social media ransomware attacks are different.
According to researchers at Check Point, the social media ransomware attacks take advantage of vulnerabilities in Facebook Messenger. Files with double extensions are being sent through Facebook Messenger. They appear to be JPEG or SVG images but are actually HTA or JS files, and they have the ability to download malicious files including ransomware.
Check Point says “The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file.” The report goes on to say “This results in infection of the users’ device as soon as the end-user clicks on the downloaded file.” No technical details have been released as Check Point claims the vulnerability has yet to be fixed by Facebook.
Facebook responded to Blaze’s claim saying the problem was not related to Messenger, but involved bad Chrome extensions. Facebook said the problem had been reported to the appropriate parties.
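The double-extension trick described above (an image-looking name such as photo.jpg.hta that Windows actually hands to a script host) is easy to catch at a download gateway or in an endpoint policy. The Python below is an added example written for this article, not code from Check Point or from WebTitan: it splits a filename into its chain of extensions, blocks any file whose final extension is executable while an earlier one is an image type, and queues bare executables and SVG files (which are XML and may embed script) for review. The filenames are constructed.

```python
"""Flag downloads whose names hide a script behind an image extension.

Added example, not from the original article or from Check Point's report.
The filenames below are constructed. A file is blocked when its final
extension is one Windows hands to a script host or loader on double-click
and an earlier extension in the chain is an image type, which is the
double-extension pattern described above; bare executables and SVG files
are queued for review rather than blocked outright.
"""

# Extensions that Windows executes directly or via a script host.
EXECUTABLE_EXTS = {"hta", "js", "jse", "vbs", "vbe", "wsf", "wsh", "exe",
                   "scr", "pif", "com", "bat", "cmd", "ps1", "lnk"}
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "svg", "webp"}

def extension_chain(filename):
    """'selfie.jpg.hta' -> ['jpg', 'hta']. Directory parts and a leading dot are ignored."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lstrip(".")
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []

def classify(filename):
    """Return a verdict of allow, review or block with the reason and extension chain."""
    chain = extension_chain(filename)
    final = chain[-1] if chain else ""
    verdict, reason = "allow", "no executable extension"
    if final in EXECUTABLE_EXTS:
        if any(ext in IMAGE_EXTS for ext in chain[:-1]):
            verdict, reason = "block", f"image extension masking a .{final} file"
        else:
            verdict, reason = "review", f"executable extension .{final}"
    elif final == "svg":
        # SVG is XML and may embed script, so it is not treated as a plain image.
        verdict, reason = "review", "SVG can embed script; inspect before opening"
    return {"file": filename, "chain": chain, "verdict": verdict, "reason": reason}

def scan(filenames):
    return [classify(f) for f in filenames]

SAMPLE_FILENAMES = [  # constructed for the example
    "photo_0142.jpg.hta",
    "holiday.png.js",
    "report.pdf",
    "funny.svg",
    "setup.exe",
    "cat.gif",
    "C:\\Users\\alice\\Downloads\\IMG_2201.jpeg.vbs",
]

if __name__ == "__main__":
    for r in scan(SAMPLE_FILENAMES):
        print(f"{r['verdict']:6} {r['file']}  ({r['reason']})")
```

A name check like this is only the first layer: the same gateway should also compare the declared type against the file's actual content, because an attacker controls the filename completely.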
Ransomware Attacks on the Rise
According to the Kaspersky Security Network, ransomware attacks on SMBs have increased eightfold in the past 12 months. The problem is also getting worse. More than 200 ransomware families have now been discovered by security researchers, and new forms of the malicious file-encrypting software are being released on a daily basis.
Any business that is not prepared for a ransomware attack, and has not implemented security software to protect computers and networks, is at risk of being attacked. A recent survey conducted by Vanson Bourne on behalf of SentinelOne showed that 48% of organizations had been attacked with ransomware in the past 12 months. Those companies had been attacked an average of 6 times.
How to Prevent Social Media Ransomware Attacks
Social media ransomware attacks are a concern for businesses that do not block access to social media platforms in the workplace. It is possible to prevent employees from accessing social media websites using WebTitan, although many businesses prefer to allow employees some time to access the sites. Instead of blocking access to Facebook, businesses can manage risk by blocking Facebook Messenger. With WebTitan, it is possible to block Facebook Messenger without blocking the Facebook website.
If WebTitan is installed, webpages that are known to contain malware or ransomware downloaders will be blocked. When individuals link to these malicious websites in social media posts, employees will be prevented from visiting those sites. If a link is clicked, the filtering controls will prevent the webpage from being accessed.
To find out more about how WebTitan can protect your organization from web-borne threats such as ransomware and to register for a free trial of WebTitan, contact the Sales Team today.
It doesn’t matter which security report you read; one thing is clear. The ransomware problem is becoming worse and the threat greater than ever.
While ransomware attacks in 2015 were few and far between, 2016 has seen an explosion of ransomware variants and record numbers of attacks across all industry sectors. For every ransomware variant that is cracked and decryption software developed, there are plenty more to take its place.
200 Ransomware Families Now Discovered
As if there were not enough ransomware milestones reached this year, there is news of another. The total number of detected ransomware families has now surpassed 200. That’s families, not ransomware variants.
The ransomware families have been catalogued by the ID Ransomware service, part of the Malware Hunter Team. The current count, which may well be out of date by the time this article is finished, stands at 210.
Not only are new ransomware variants being developed at an unprecedented rate, the latest variants are even sneakier and have new capabilities to avoid detection. They are also more virulent and capable of encrypting a far wider array of data, and can delete backup files and quickly spread across networks and storage devices.
More people are getting in on the act. Ransomware is being rented out as a service to affiliates who receive a cut of the ransoms they collect. Campaigns can now be run with little to no skill. Unsurprisingly there are plenty of takers.
Massive Campaign Spreading New Locky Ransomware Variant
One of the biggest threats is Locky, a particularly nasty ransomware variant that first appeared in February 2016. Even though Locky has not been cracked, new variants continue to be released at an alarming rate. This week yet another variant has been discovered. The developers and distributors are also using a variety of techniques to evade detection.
Three separate campaigns have been detected this week after a two-week period of relative quiet. The ransomware is now back with a vengeance, with one of the campaigns reportedly involving an incredible 14 million emails on October 24 alone; 6 million of which were sent in a single hour.
There have been some successes in the fight against ransomware. Earlier this year the No More Ransom project was launched. The No More Ransom Project is a joint initiative of Europol and the Dutch National Police, although a number of security firms have now collaborated and have supplied decryptors to unlock files encrypted by several ransomware strains. So far, decryptors have been uploaded to the site that can unlock several ransomware variants: Chimera, CoinVault, Rannoh, Rakhni, Shade, TeslaCrypt, and WildFire.
Ransomware Problem Unlikely to Be Solved Soon
Despite the sterling efforts of security researchers, many of the most widely used ransomware strains have so far proved impossible to crack. The authors are also constantly developing new strains and using new methods to avoid detection. The ransomware problem is not going to be resolved any time soon. In fact, the problem is likely to get a lot worse before it gets better.
Last year, an incredible 113 million healthcare records were exposed or stolen. This year looks like it will be a record-breaking year for breaches if incidents continue at the current rate. The sheer number of healthcare records now available to cybercriminals has had a knock-on effect on the selling price. Whereas it was possible to buy a complete set of health data for $75 to $100 last year, the average price for healthcare records has now fallen to between $20 and $50.
Cybercriminals are unlikely to simply accept a lower price for data. That means more attacks are likely to take place or profits will have to be made up by other means. The glut of stolen data is seeing an increasing number of cybercriminals turn to ransomware.
Are you Prepared for a Ransomware Attack?
With the threat from ransomware increasing, organizations need to prepare for an attack and improve defenses against ransomware. Policies should be developed for a ransomware attack so rapid action can be taken if devices are infected. A fast response to an attack can limit the spread of the infection and reduce the cost of mitigation, which can be considerable.
Defending against ransomware attacks is a challenge. Organizations must defend against malicious websites, malvertising, drive-by downloads, malicious spam emails, and network intrusions. Hackers are not only stealing data. Once a foothold has been gained in a network and data are stolen, ransomware is then deployed.
An appropriate defense strategy includes next generation firewalls, intrusion detection systems, web filtering solutions, spam filters, anti-malware tools, and traditional AV products. It is also essential to provide regular security awareness training to staff to ensure all employees are alert to the threat.
Even with these defenses attacks may still prove successful. Unless a viable backup of data exists, organizations will be left with two options: Accept data loss or pay the ransom. Unfortunately, even the latter does not guarantee data can be recovered. It may not be possible for attackers to supply valid keys to unlock the encryption and there is no guarantee that even if the keys are available that they will be sent through.
Since Windows Shadow copies can be deleted and many ransomware variants will also encrypt backup files on connected storage devices, backup devices should be air-gapped and multiple backups should be performed.
With attacks increasing, there is no time to wait. Now is the time to get prepared.
Another day passes and another ransomware variant emerges, although the recently discovered Ranscam ransomware takes nastiness to another level. Ranscam ransomware may not be particularly sophisticated, but what it lacks in complexity it more than makes up for in maliciousness.
The typical crypto-ransomware infection involves the encryption of a victim’s files, which is accompanied by a ransom note – often placed on the desktop. The ransomware note explains that the victim’s files have been encrypted and that in order to recover those files a ransom must be paid, usually in Bitcoin.
Since many victims will be unaware how to obtain Bitcoin, instructions are provided about how to do this and all the necessary information is given to allow the victim to make the payment and obtain the decryption key to unlock their files.
There is usually a time-frame for making payment. Usually the actors behind the campaign threaten to permanently delete the decryption key if payment is not received within a specific time frame. Sometimes the ransom payment increases if payment is delayed.
Ranscam Ransomware will not Allow Victims to Recover Their Files
Rather than encrypting files and deleting the decryption key, Ranscam ransomware threatens to delete the victim’s files.
The ransom note claims the victim’s files have been encrypted and moved to a hidden partition on their hard drive, which prevents the files from being located or accessed. The payment requested by the actors behind this scam is 0.2 Bitcoin – around $133 at today’s exchange rate.
While the ransom note claims that the victim’s files will be moved back to their original location and will be decrypted instantly once payment is received, this is not the case.
Unfortunately for the victims, by the time the ransom note is displayed, the victim’s files have already been deleted. Paying the ransom will not result in the encrypted files being recovered. A decryption key will not be provided because there isn’t one.
Researchers at Talos – who discovered the Ranscam ransomware variant – noted that the ransomware authors have no way of verifying if payment has been made. The ransomware only simulates the verification process. There is also no process built into the ransomware that will allow a victim’s files to be recovered.
Backup Your Files or Be Prepared to Lose Them
Many ransomware authors have a vested interest in ensuring that a victim’s files can be recovered. If word spreads that there is no chance of recovering encrypted files, any individual who has had their computer infected will not pay the ransom demand. Locky, CryptoWall, and Samsa ransomware may be malicious, but at least the thieves are honorable and make good on their promise. If they didn’t, discovering that files had a .locky extension would be a guarantee that those files would be permanently lost.
There are new ransomware variants being released on an almost daily basis. Many of the new variants are simplistic and lack the complexity to even allow files to be recovered. The discovery of Ranscam ransomware clearly shows why it is essential to make sure that critical files are regularly backed up. Without a viable backup, there is no guarantee that files can be recovered and you – or your organization – will be at the mercy of attackers. Not all attackers will be willing – or able – to recover encrypted files.
The developers of CryptXXX ransomware have made some updates to the malicious software recently. A new campaign has also been launched which is seeing an increasing number of Joomla and WordPress websites compromised with malicious code that directs visitors to sites containing the Neutrino exploit kit.
The latest CryptXXX crypto-ransomware variant no longer changes the extension of files that have been encrypted; the filenames are left unchanged. This makes it more difficult for system administrators to resolve an infection by restoring files from backups, as it is much harder to determine exactly which files have been encrypted.
The ransomware developers have also changed the ransom note that is presented to victims and the Tor address for payment has also been changed. The payment site has been changed frequently, having used names such as Google Decryptor and Ultra Decryptor in the past. The authors have now changed the site to Microsoft Decryptor. This is the second time the payment site has been renamed since June 1. Unfortunately for victims that experience difficulties making the payment, there is no method of contacting the attackers to explain about payment issues.
CryptXXX crypto-ransomware has previously been spread using the Angler exploit kit, although the ransomware is now being distributed using Neutrino. Neutrino is primarily used to exploit vulnerabilities in PDF reader and Adobe Flash to download CryptXXX.
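When a variant leaves filenames untouched, as described above, administrators lose the obvious clue for deciding which files to restore, but encrypted files still give themselves away in two ways: their first bytes no longer match the magic number their extension promises, and their byte distribution is close to uniform (Shannon entropy near 8 bits per byte). The Python below is an added example written for this article, not code from Sucuri, Palo Alto Networks or any product; it applies both tests to a set of files constructed in memory, and it treats compressed formats (JPEG, DOCX, ZIP) carefully, since those are high-entropy by design and must not be mistaken for ciphertext when their header is intact. On a real system the same function would be applied to each file while walking the affected directory tree.

```python
"""Find files that are probably ransomware-encrypted when the extension was not changed.

Added example, not from the original article. Two clues survive an unchanged
filename: the header no longer matches the extension's magic number, and the
Shannon entropy is close to 8 bits/byte. The sample files are constructed in
memory so the script runs offline.
"""
import hashlib
import math
import os
from collections import Counter

# Well-known magic numbers for a few common types.
MAGIC = {
    ".pdf": [b"%PDF-"],
    ".docx": [b"PK\x03\x04"],
    ".xlsx": [b"PK\x03\x04"],
    ".zip": [b"PK\x03\x04"],
    ".jpg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
}
# Plain-text types with no header: entropy alone has to decide.
TEXT_TYPES = {".txt", ".csv", ".log", ".xml", ".html"}

def shannon_entropy(data):
    """Bits per byte; 8.0 means uniformly random, which is what ciphertext looks like."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def assess(filename, data, entropy_threshold=7.5):
    """Classify one file as clean, likely encrypted, header mismatch or unknown type."""
    ext = os.path.splitext(filename)[1].lower()
    entropy = shannon_entropy(data[:4096])   # the first 4 KiB is enough to decide
    expected = MAGIC.get(ext)
    if expected is not None:
        if any(data.startswith(m) for m in expected):
            verdict = "clean"            # header intact; compressed types are high-entropy anyway
        elif entropy >= entropy_threshold:
            verdict = "likely encrypted" # wrong header AND ciphertext-like bytes
        else:
            verdict = "header mismatch"  # wrong extension or corruption, not ciphertext-like
    elif ext in TEXT_TYPES:
        verdict = "likely encrypted" if entropy >= entropy_threshold else "clean"
    else:
        verdict = "unknown type"
    return {"file": filename, "entropy": round(entropy, 2), "verdict": verdict}

def triage(files):
    """files: {name: bytes} -> {name: assessment}."""
    return {name: assess(name, data) for name, data in files.items()}

def pseudo_random(n, seed):
    """Deterministic high-entropy bytes standing in for ciphertext (SHA-256 counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])

# Constructed sample files: intact documents beside "encrypted" copies with the same names.
SAMPLE_FILES = {
    "invoice.pdf": b"%PDF-1.4\n" + b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n" * 60,
    "invoice_enc.pdf": pseudo_random(4096, b"ciphertext-1"),
    "notes.txt": b"Meeting notes: review backup rotation and patch schedule.\n" * 60,
    "notes_enc.txt": pseudo_random(4096, b"ciphertext-2"),
    "photo.jpg": b"\xff\xd8\xff\xe0" + pseudo_random(4092, b"jpeg-body"),
    "photo_enc.jpg": pseudo_random(4096, b"ciphertext-3"),
}

if __name__ == "__main__":
    for name, result in triage(SAMPLE_FILES).items():
        print(f"{result['verdict']:17} entropy={result['entropy']:.2f}  {name}")
```

The entropy threshold of 7.5 bits per byte is a working value chosen for this example; compressed or already-encrypted legitimate data (archives, media, password-protected documents) will also score high, which is why the header test decides first and entropy is only consulted when the header is wrong or the type has none.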
CryptXXX Crypto-Ransomware and CryptoBit Distributed in RealStatistics Campaign
WordPress and Joomla sites are being infected at a high rate, with 2,000 sites currently infected as part of the latest campaign according to Sucuri. The company’s researchers have suggested that the actual figure may be closer to 10,000 websites due to the limited range of sites that they have been observing.
It is unclear how the websites are being infected, although it has been suggested that outdated Joomla and WordPress installations are the most likely way that the attackers are gaining access to the sites, although outdated plugins on the websites could also be used to inject malicious Analytics code. The campaign is being referred to as “Realstatistics” due to the URL that is placed into the PHP template of infected sites.
The latest campaign has also been used to push other ransomware variants on unsuspecting website visitors. Palo Alto Networks researchers discovered eight separate CryptoBit variants that were being pushed as part of the latest Realstatistics campaign. The attackers now appear to be using CryptoBit less and have switched to CryptXXX crypto-ransomware in recent days.
Security researchers at ESET have discovered a dangerous new Mac backdoor that allows attackers to gain full control of an infected Mac. Mac malware may be relatively rare compared with malware targeting Windows PCs, but the latest discovery clearly demonstrates that Mac users are not immune to cyberattacks. ESET has dubbed the new OS X malware OSX/Keydnap. It is the second Mac backdoor to be discovered in the past few days.
OSX/Keydnap is distributed as a zip file containing an executable disguised as a text file or image. If the file is opened, it downloads the icloudsyncd backdoor, which communicates with the attackers' command-and-control (C&C) server over the Tor network. The malware attempts to gain root privileges by displaying a prompt for the user's credentials when an application is launched; if root access is obtained, the malware is set to run each time the device boots.
The backdoor can download files and scripts, run shell commands and send the output back to the attackers. It is also able to update itself, and it exfiltrates the contents of the OS X keychain.
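To make the disguise concrete, here is an added Python example (not ESET's code or anything from the original article) that inspects a zip archive for members whose content is a Mach-O executable but whose name ends in a document or image extension, and for names padded with trailing whitespace so that the visible extension is not the real one. It assumes the disguised payload is a native Mach-O binary, as a Mac executable would be; the archive contents are constructed for the example and contain no real malware.

```python
import io
import os
import zipfile

# Magic numbers that begin a Mach-O image, as the first four bytes appear on
# disk: 32- and 64-bit, both byte orders, plus the fat (universal) header.
# Note 0xCAFEBABE is also the Java class-file magic, so a .class member would
# be a false positive here.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",   # FAT_MAGIC / FAT_CIGAM
}

# Extensions a user expects to open in a viewer or editor, never in a shell.
BENIGN_EXTENSIONS = {".txt", ".rtf", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc"}


def looks_like_macho(head):
    """True if the first bytes of a file are a Mach-O or fat-binary header."""
    return head[:4] in MACHO_MAGICS


def classify_entry(name, head):
    """Return the reasons an archive member is suspicious (empty if none)."""
    reasons = []
    base = os.path.basename(name.rstrip("/"))
    trimmed = base.rstrip(" ")
    if trimmed != base:
        # "report.txt " has no .txt extension as far as the OS is concerned;
        # the padding exists only to fool the person looking at the name.
        reasons.append("trailing whitespace in filename")
    _stem, ext = os.path.splitext(trimmed)
    if looks_like_macho(head):
        if ext.lower() in BENIGN_EXTENSIONS:
            reasons.append("Mach-O executable with document/image extension %s" % ext)
        elif not ext:
            reasons.append("Mach-O executable with no extension")
    return reasons


def scan_zip(zip_bytes):
    """Map each suspicious member name to its reasons, reading only 4 bytes each."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def make_sample_zip():
    """Constructed sample: a 64-bit Mach-O header stub named like a screenshot
    with a trailing space, a genuine text note and a genuine JPEG header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("screenshot.jpg ", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
        zf.writestr("README.txt", b"Quarterly figures attached.\n")
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(make_sample_zip()).items():
        print(repr(name), "->", "; ".join(reasons))
```

The check is deliberately content-based: the name is what the attacker controls, the magic bytes are what the loader actually honours, and the two disagreeing is the whole trick. Run it on attachments at a mail gateway or on downloads before a user double-clicks them.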
Second Mac Backdoor Discovery in Days
The news of OSX/Keydnap comes just hours after security researchers at Bitdefender announced the discovery of another Mac backdoor, called Eleanor. The attackers had managed to get the Backdoor.MAC.Eleanor malware listed on MacUpdate, hidden inside a free downloadable app called EasyDoc Converter.
EasyDoc Converter purported to let Mac users quickly and easily convert files into Word document format; rather than doing so, the app installed a backdoor on the user's system. Infections with Eleanor are likely to be limited because the app is not signed with a certificate issued to an Apple Developer ID, so Gatekeeper in its default configuration refuses to open it. This will make it harder for many individuals to run the app.
However, if a user does install the app, a shell script runs that checks whether the malware is already installed and whether the Little Snitch network monitor is present on the device. If Little Snitch is not installed, the malware installs three LaunchAgents together with a hidden folder full of executable files used by the malware. The files are named to make them look like Dropbox files.
The LaunchAgents start a Tor hidden service through which the attackers communicate with a web service component, which is also started by the LaunchAgents. A further agent uploads the Mac's Tor address to Pastebin, where the attackers can retrieve it. The backdoor can reportedly be used for remote code execution, to access the file system, and to gain access to the webcam.
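As an added example (not Bitdefender's code or the article's), the Python below assesses a LaunchAgent plist the way a responder hunting for an Eleanor-style install would: it flags a program that lives in a hidden directory, a Dropbox-branded label or path that does not sit under a normal vendor install location, and RunAtLoad/KeepAlive persistence on top of either. The vendor-location list and the two sample plists are assumptions constructed for the example; Dropbox is named only because the article says the dropped files mimic Dropbox.

```python
import plistlib
from pathlib import Path

# Where legitimately installed software normally keeps the binaries its
# agents launch. This list is an assumption for the example; tune it to
# the fleet you are hunting on.
VENDOR_ROOTS = ("/Applications/", "/Library/", "/System/", "/usr/")

# Brand names that malware borrows to blend in with real agents.
IMPERSONATED_BRANDS = ("dropbox",)


def launch_agent_program(plist):
    """The executable launchd will run: Program wins, else ProgramArguments[0]."""
    args = plist.get("ProgramArguments") or []
    return plist.get("Program") or (args[0] if args else None)


def hidden_components(path):
    """Directory names beginning with '.', which Finder hides by default."""
    return [c for c in path.split("/") if c.startswith(".") and c not in (".", "..")]


def assess_launch_agent(plist_bytes):
    """Return a list of reasons this LaunchAgent deserves a closer look."""
    plist = plistlib.loads(plist_bytes)
    prog = launch_agent_program(plist)
    if not prog:
        return ["no Program or ProgramArguments"]
    label = str(plist.get("Label", "")).lower()
    reasons = []
    hidden = hidden_components(prog)
    if hidden:
        reasons.append("program lives in hidden directory %s" % hidden[0])
    for brand in IMPERSONATED_BRANDS:
        if (brand in label or brand in prog.lower()) and not prog.startswith(VENDOR_ROOTS):
            reasons.append("%s-branded agent outside vendor install locations" % brand)
    # Persistence flags are normal on their own; they matter once something
    # else about the agent already looks wrong.
    if reasons and plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad and KeepAlive make it persistent and self-restarting")
    return reasons


def scan_launch_agents(directory=Path.home() / "Library" / "LaunchAgents"):
    """Assess every plist in a LaunchAgents folder; returns {path: reasons}."""
    report = {}
    for path in Path(directory).glob("*.plist"):
        reasons = assess_launch_agent(path.read_bytes())
        if reasons:
            report[str(path)] = reasons
    return report


# Constructed sample resembling the behaviour described above: a Dropbox-
# looking label whose binary sits in a hidden folder under the user's home.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.dropbox.sync</string>
  <key>ProgramArguments</key><array><string>/Users/alice/Library/.dropbox/sync</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

# Constructed benign sample: an agent launching a binary inside an app bundle.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backupagent</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example Backup.app/Contents/MacOS/backup-agent</string>
    <string>--quiet</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    print("suspect:", assess_launch_agent(SUSPECT_PLIST))
    print("benign: ", assess_launch_agent(BENIGN_PLIST))
```

On a live machine, `scan_launch_agents()` covers the current user's agents; pass `/Library/LaunchAgents` and `/Library/LaunchDaemons` as well to cover system-wide persistence. Anything flagged should be paired with a look at the directory the program lives in, since a hidden folder full of executables is the other half of the pattern described above.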