Being forewarned is being forearmed; and, if organizations keep up-to-date with the latest malware alerts, they have the opportunity to take measures to prevent their network systems becoming infected with the latest malware strains.
Many malware alerts originate not from reports of malware infections themselves, but from vulnerabilities being identified in everyday software that a hacker could use to install an exploit kit. Our malware alerts explain what the vulnerabilities are, how they can be used to deliver malware and what patches exist to eliminate the vulnerability.
Of course, the best way to block exploit kits from downloading malware onto your organization´s network systems is to ensure that Internet users never visit a website harboring an exploit kit. This can be achieved by a simple adjustment of your web filtering solution. If your organization does not yet have a web filtering solution, speak with WebTitan today.
As one ransomware-as-a-service operation shuts down, another is vying to take its place. Sodinokibi ransomware attacks are increasing and affiliates are trying to carve out their own niche in the ransomware-as-a-service operation.
Developing ransomware and staying one step ahead of security researchers is important, but what made the GandCrab operation so successful were the affiliates conducting the campaigns that generated the ransom payments. The GandCrab developers have now shut down their operation and that has left many affiliates looking for an alternative ransomware variant to push.
Sodinokibi ransomware could well fill the gap. Like GandCrab, the developers are offering their creation under the ransomware-as-a-service model. They already have a network of affiliates conducting campaigns, and attacks are on the increase.
As is the case with most ransomware-as-a-service operations, spam email is one of the most common methods of ransomware delivery. One Sodinokibi ransomware campaign has been detected that uses spoofed Booking.com notifications to lure recipients into opening a Word document and enabling macros. Doing so triggers the download and execution of the Sodinokibi payload.
Download websites are also being targeted. Access is gained the websites and legitimate software installers are replaced with ransomware installers. Managed Service Providers (MSPs) have also been targeted. The MSP attacks have exploited vulnerabilities in RDP to gain access to MSP management consoles.
Two cases have been reported where an MSP was compromised and malicious software was pushed to its clients through the client management console. In one case, the Webroot Management Console and the Kaseya VSA console in the other.
Recently, another attack method has been detected. Sodinokibi ransomware is being distributed through the RIG exploit kit. Malvertising campaigns are directing traffic to domains hosting RIG, which is loaded with exploits for several vulnerabilities.
With so many affiliates pushing Sodinokibi ransomware and the wide range of tactics being used, no single cybersecurity solution will provide full protection against attacks. The key to preventing attacks is defense in depth.
TitanHQ can help SMBs and MSPs secure the email and web channels and block the main attack vectors. Along with security awareness training and good cybersecurity best practices, it is possible to mount a formidable defense against ransomware, malware, and phishing attacks.
For many people, Game of Thrones Season 8 is the TV highlight of the past 12 months, but not all fans of the series are keen to pay for the channel to watch the latest installments of this hugely popular series.
Some fans are turning to P2P file sharing sites to download the latest episodes, but hackers are ready and waiting. Many illegal video files of Game of Thrones episodes have been embedded with malware, most commonly adware and Trojans.
Research from Kaspersky Lab revealed Trojans to be the most common form of malware to be embedded in rogue video files. A third of all fake TV show downloads that have been impregnated with malware include a Trojan.
When one of these infected files is opened after it has been downloaded, the Trojan is launched and silently runs in the background on the infected device.
Many of the Trojans embedded into video files are brand new. These zero-day malware variants are not detected by traditional AV solutions as their signatures are not present in malware definition lists. That means malware infections are likely to go undetected. When signatures are updated, the malware may continue to run until a full system scan is completed. Either way, during the time that the malware is active it could be collecting a range of sensitive data including usernames and passwords.
Malware can also be installed that gives the attacker access to an infected device and the ability to run commands, change programs, download further malware variants, and add the infected device to a botnet.
File sharing websites offer an easy way of distributing malware. Users of the platforms voluntarily download the files onto their computers. However, only a small percentage of internet users visit P2P file sharing sites. Hackers therefore have turned to other methods to get users to execute their infected video files.
Prior to the release date of Game of Thrones Season 8, offers of free access to the TV show were being distributed via email. Campaigns were also detected offering episodes in advance of the release date to tempt GOT fans into installing malicious software or visiting malicious websites.
It is no surprise that fake Game of Thrones video files have been embedded with malware, given the huge popularity of the show. However, Game of Thrones fans are not the only people targeted using this tactic of malware distribution. In the past few months, malware has been detected in fake videos files claiming to be the latest episodes of the Walking Dead, Suits, and the Vikings to name but a few.
Some people feel the risk of a malware infection from downloading pirated video files to be low, or they do not even consider the risks. That is bad news for businesses. When employees ignore the risks and download illegal files at work, they risk infecting their network with malware.
The easiest solution to prevent illegal downloads at work and the visiting of other malicious websites is to use a web filtering solution. A web filter – WebTitan for instance – can be configured to prevent users from accessing file sharing and torrents websites. WebTitan uses a continuous stream of ActiveWeb URLs from over 550 million end users, which provides important threat intelligence to TitanHQ’s machine learning technology. This allows new, malicious URLs to be identified, and users are then prevented from visiting those malicious URLs.
Blocking email attacks is simple with SpamTitan. SpamTitan blocks 99.97% of spam emails to prevent malicious messages from reaching end users, including messages offering free access to Game of Thrones and other TV shows. In addition to dual AV engines to protect against known malware, SpamTitan also now has a sandboxing feature. Suspicious attachments can be safely executed and analyzed in the sandbox to identify potentially malicious actions. The sandboxing feature provides superior protection against zero-day malware which AV software does not block.
With both of these solutions in place, businesses will be well protected against malware, ransomware, botnets, viruses, and phishing attacks.
Each solution is available with a range of different deployment options to suit the needs of all businesses. For a product demonstration and further information, contact the TitanHQ team today.
Anatova ransomware is a new cryptoransomware variant that appears to have been released on January 1, 2019. It is stealthy, can infect network shares, has already been used in attacks in many countries around the world. It could well prove to become a major ransomware threat in 2019.
Ransomware has somewhat fallen out of favor with cybercriminals as cryptocurrency mining malware offers greater potential for profit. The development of new ransomware variants has slowed, but new variants are still emerging and the threat from ransomware is not going away any time soon. Ransomware attacks are still profitable for cybercriminals and as long as that remains the case the attacks will continue.
Anatova ransomware was identified and named by security researchers at McAfee. The name was taken from the name on the ransomware note. The previously unknown ransomware variant has been used in at least 10 countries, with over 100 Anatova ransomware attacks identified in the United States, more than 65 in Belgium, and over 40 in France and Germany.
Not only does the ransomware variant employ a range of techniques to avoid detection, infection can cause major damage and widespread file encryption. Further, the modular design allows the developers to easily add new functionality in the future.
Most of the strings in Anatova ransomware have been encrypted and different keys are required to decrypt them. Those keys have been embedded in the executable. 90% of calls are dynamic and use non-suspicious Windows APIs and standard C-programming language.
Once downloaded and executed, the ransomware performs a check of the name of the logged in user against a list of encrypted names and will exit if there is a match. Names that prompt an exit include tester, lab, malware, and analyst. These names are commonly used on virtual machines and sandboxes. A check will also be performed to determine the country in which the device is located. The ransomware will exit if the device is in any CIS country, Egypt, Syria, Morocco, Iraq, or India.
Anatova ransomware scans for files smaller than 1MB and checks for network shares, although care is taken not to disrupt the operating system during this process and raise a flag before files are encrypted. Once files have been identified, the encryption routine starts. The ransomware uses its own key, so each victim requires a separate key to unlock the encryption.
Once the encryption process has run, the ransom note is dropped on the desktop, the memory is cleaned, and volume shadow copies are overwritten 10 times to ensure files cannot be recovered from local backup files.
The ransom demand is relatively high – Around $700 (10 DASH) per infected machine. Since multiple devices can be infected with a single installation, the total ransom demand could well be considerable.
What is not 100% certain is how the ransomware is being distributed. McAfee detected one sample on a P2P file sharing network which masquerades as a free software program complete with game/application icon to encourage users to download and run the installer. Other attack vectors may also be used. Based on the current distribution vector, a web filter will offer protection against attacks if P2P file sharing/torrents sites are blocked.
The researchers believe Anatova ransomware has been created by highly skilled malware authors who are currently distributing a prototype of the ransomware. More widespread attacks are to be expected once this testing phase has been completed.
A new form of MongoLock ransomware is actively being used in a global campaign. A 0.1 BTC ransom is demanded, although file recovery may not be possible. The ransomware immediately deletes files and formats backup drives and a recoverable copy may not be retained by the attackers.
MongoLock ransomware was first detected in January 2017. A major campaign involving the ransomware was detected in September 2018 with the latest attacks having been ongoing since December 2018. The attackers are gaining access to unprotected or poorly protected MongoDB databases and are deleting data and replacing the databases with a new database. Inside the database is a file called readme that contains the ransom demand.
The attackers claim to have exported the database before encrypting it. Victims are required to make a 0.1 BTC payment to a supplied Bitcoin wallet or contact the attackers via email. Many victims have chosen to pay the ransom; however, there is no guarantee that data can be recovered. It is unclear whether the attackers are making a copy of the database or are simply deleting it.
The attacks are automated and scripts are used to delete the database and create the ransomware note, but the scripts are not always effective. Even if it is the intention of the attackers to obtain a copy of the database, that may not always happen.
The latest version of MongoLock ransomware also conducts a scan of local drives and deletes important data, including files saved to the Desktop, My Documents folder, Recent files, favorites, and any backup files that can be located. The drives are then formatted. This makes payment of the ransom all the more likely. Users are advised they have just 24 hours to make payment before the database is permanently deleted.
The file deletion routine is executed after the files have been uploaded to the attackers’ C2 server, so they can potentially be recovered if the ransom payment is made. However, if the computer is taken offline, file deletion continues but no copy of the file will be obtained by the attackers.
These attacks are primarily conducted on exposed MongoDB databases, which can easily be found using the Shodan search engine. Any businesses that uses MongoDB should ensure that the databases are properly secured, and that authentication is required to gain access. It is also important to ensure the databases cannot be accessed remotely over the Internet.
It is also essential to adopt a good backup strategy. The 3.2.1 approach is recommended. Make three backups, stored on two separate devices, with one copy stored securely off site on a non-networked device.
A malvertising campaign has been detected that delivers two forms of malware: The new, previously unknown Vidar information stealer and subsequently, the latest version of GandCrab ransomware.
The packaging of multiple malware variants is nothing new of course, but it has become increasingly common for ransomware to be paired with information stealers. RAA ransomware has been paired with the Pony stealer, njRAT and Lime ransomware were used together, and Reveton ransomware is used in conjunction with password stealers.
These double-whammy attacks help threat actors increase profits. Not everyone pays a ransom, so infecting them with an information stealer can make all infections profitable. In many cases, information can be obtained and sold on or misused and a ransom payment can also be obtained.
The latest campaign uses the Vidar information stealer to steal sensitive information from a victim’s device. The Vidar information stealer is used to obtain system information, documents, browser histories, cookies, and coins from cryptocurrency wallets. Vidar can also obtain data from 2FA software, intercept text messages, take screenshots, and steal passwords and credit/debit card information stored in browsers. The information is then packaged into a zip file and sent back to the attackers’ C2 server.
The Vidar information stealer is customizable and allows threat actors to specify the types of data they are interested in. It can be purchased on darknet sites for around $700 and is supplied with an easy to use interface that allows the attacker to keep track of victims, identify those of most interest, find out the types of data extracted, and send further commands.
Vidar also acts as a malware dropper and has been used to deliver GandCrab ransomware v5.04 – The latest version of the ransomware for which no free decryptor exists.
While many ransomware variants are delivered via spam email or are installed after access to systems is gained using brute force tactics on RDP, this campaign delivers the malicious payload through malvertising that directs traffic to a websites hosting the Fallout or GrandSoft exploit kits. Those EKs exploits unpatched vulnerabilities in Internet Explorer and Flash Player. The campaign targets users of P2P file sharing sites and streaming sites that attract large amounts of traffic.
Infection with the Vidar information stealer may go undetected. New malware variants such as this may be installed before AV software malware signatures are updated, by which time highly sensitive information may have been stolen, sold on, and misused. If GandCrab ransomware executes, files will be permanently encrypted unless a ransom is paid or files can be recovered from backups.
Businesses can protect against attacks such as these by ensuring that all operating systems and software are promptly patched. Drive-by downloads will not occur if the exploits for vulnerabilities used by the exploit kit are not present.
An additional, important protection is a web filter. Web filters prevent users from visiting websites known to host exploit kits and also sites that commonly host malicious adverts – torrents sites for instance. By carefully controlling the sites that employees can access, businesses can add an extra layer of protection while avoiding legal liability from illegal file downloads and improving productivity by blocking access to non-work-related websites.
For further information on web filters for businesses and MSPs, contact the TitanHQ team today.
New figures released by anti-virus firms McAfee and Symantec have shown the extent to which hackers are using cryptocurrency mining malware in attacks on consumers and businesses.
Cryptocurrency mining malware hijacks system resources and uses the processing power of infected computers to mine cryptocurrencies – Validating transactions so they can be added to the blockchain public ledger. This is achieved by solving difficult computational problems. The first person to solve the problem is rewarded with a small payment.
For cryptocurrency mining to be profitable, a lot of processing power is required. Using one computer for mining cryptocurrency will generate a few cents to a few dollars a day; however, hackers who infect thousands of computers and use them for cryptocurrency mining can generate significant profits for little work.
The use of cryptocurrency mining malware has increased considerably since Q4, 2017 when the value of Bitcoin and other cryptocurrencies started to soar. The popularity of cryptocurrency mining malware has continued to grow steadily in 2018. Figures from McAfee suggest cryptocurrency mining malware has grown by 4,000% in 2018.
McAfee identified 500,000 new coin mining malware in the final quarter of 2017. In the final quarter of 2018, the figure had increased to 4 million. Figures from Symantec similarly show the scale of the problem. In July 2018, Symantec blocked 5 million cryptojacking events. In December, the firm blocked 8 million.
There are many different ways of infecting end users. Hackers are exploiting unpatched vulnerabilities to silently download the malware. They package coin mining malware with legitimate software, such as the open-source media player Kodi, and upload the software to unofficial repositories.
One of the easiest and most common ways of installing the malware is through email. Spam emails are sent containing a hyperlink which directs users to a website where the malware is silently downloaded. Links are similarly distributed through messaging platforms such as Slack, Discord, and Telegram. One campaign using these messaging platforms included links to a site that offered software that claimed to fix coin mining malware infections. Running the fake software installer executed code on the computer which silently downloaded the malware payload.
Unlike ransomware, which causes immediate disruption, the presence of cryptocurrency mining malware may not be noticed for some time. Computers infected with coin mining malware will slow down considerably. There will be increased energy usage, batteries on portable devices will be quickly drained, and some devices may overheat. Permanent damage to computers is a possibility.
The slowdown of computers can have a major impact for businesses and can result in a significant drop in productivity if large numbers of devices are infected. Businesses that have transitioned to cloud computing that are charged for CPU usage can see their cloud bills soar.
Anti-virus software can detect known coin mining malware, but new malware variants will be unlikely to be detected. With so many new malware variants now being released, AV software alone will not be effective. It is therefore important to block the malware at source. Spam filters, such as SpamTitan, will help to prevent malicious emails from reaching end users’ inboxes. Web filters, such as WebTitan, prevent users from accessing infected websites, unofficial software repositories, and websites with coin-mining code installed that uses CPU power through browser sessions.
A new variant of capitalinstall malware is being used in targeted attacks on a variety of organizations, in particular those in the healthcare and retail industries.
The main purpose of capitalinstall malware is to install an adware package named Linkury that is used to hijack browser sessions on Windows devices. When Linkury adware has been installed, web search results can be altered to display results which would otherwise not be displayed. An infected machine will display unwanted adverts but could also download unwanted programs, some of which may pose a security risk.
Capitalinstall malware has been linked to various malicious websites, although the adware package is actually being hosted on Azure blog storage which is often trusted by organizations and is often whitelisted.
The malware is installed via an executable file that has been packaged inside an ISO file, with the ISO file hosted on websites that offer keys to unlock popular software such as Adobe Creative Cloud.
Upon running the file, a crack for the software claims to be installing and the user is directed to a website where they are urged to install other programs and browser add-ons, such as cryptocurrency miners, with various enticing reasons provided for installing those programs.
This method of distributing unwanted and potentially harmful software is likely to grow in popularity as it offers a way of bypassing security solutions by taking advantage of inherent trust in cloud storage providers.
A web filtering solution can offer protection against downloads of unwanted programs by preventing end users from visiting potentially malicious websites. WebTitan scans and assesses web pages in real time and prevents users from accessing malicious websites and other sites that violate corporate Internet usage policies. With WebTitan in place, users can be prevented from visiting websites that are used for distributing potentially unwanted programs (PUPs) and malware.
In addition to technical controls, it is important to cover the risks of installing unauthorized software in security awareness training, especially the use of software license cracks. These executable files commonly have spyware, adware, and other forms of malware packaged into the installers.
One of the ways that threat actors install malware is through malvertising – The placing of malicious adverts on legitimate websites that direct visitors to websites where malware is downloaded. The HookAds malvertising campaign is one such example and the threat actors behind the campaign have been particularly active of late.
The HookAds malvertising campaign has one purpose. To direct people to a website hosting the Fallout exploit kit. An exploit kit is malicious code that runs when a visitor lands on a web page. The visitor’s computer is probed to determine whether there are any vulnerabilities – unpatched software – that can be exploited to silently install files.
In the case of the Fallout exploit kit, users’ devices are checked for several known Windows vulnerabilities. If one is identified, it is exploited and a malicious payload is downloaded. Several malware variants are currently being delivered via Fallout, including information stealers, banking Trojans, and ransomware.
According to threat analyst nao_sec, two separate HookAds malvertising campaigns have been detected: One is being used to deliver the DanaBot banking Trojan and the other is delivering two malware payloads – The Nocturnal information stealer and GlobeImposter ransomware via the Fallout exploit kit.
Exploit kits can only be used to deliver malware to unpatched devices, so businesses will only be at risk of this web-based attack vector if they are not 100% up to date with their patching. Unfortunately, many businesses are slow to apply patches and exploits for new vulnerabilities are frequently uploaded to EKs such as Fallout. Consequently, a security solution is needed to block this attack vector.
HookAds Malvertising Campaign Highlights Importance of a Web Filter
The threat actors behind the HookAds malvertising campaign are taking advantage of the low prices offered for advertising blocks on websites by low quality ad networks – Those often used by owners of online gaming websites, adult sites, and other types of websites that should not be accessed by employees. While the site owners themselves are not actively engaging with the threat actors behind the campaign, the malicious adverts are still served on their websites along with legitimate ads. Fortunately, there is an easy solution that blocks EK activity: A web filter.
TitanHQ has developed WebTitan to allow businesses to carefully control employee Internet access. Once WebTitan has been installed – a quick and easy process that takes just a few minutes – the solution can be configured to quickly enforce acceptable Internet usage policies. Content can be blocked by category with a click of the mouse.
Access to websites containing adult and other NSFW content can be quickly and easily blocked. If an employee attempts to visit a category of website that is blocked by the filter, they will be redirected to a customizable block screen and will be informed why access has been prohibited.
WebTitan ensures that employees cannot access ‘risky’ websites where malware can be downloaded and blocks access to productivity draining websites, illegal web content, and other sites that have no work purpose.
Key Benefits of WebTitan
Listed below are some of the key benefits of WebTitan
No hardware purchases required to run the web filter
No software downloads are necessary
Internet filtering settings can be configured in minutes
Category-based filters allow acceptable Internet usage policies to be quickly applied
An intuitive, easy-to-use web-based interface requires no technical skill to use
No patching required
WebTitan Cloud can be applied with impact on Internet speed
No restriction on devices or bandwidth
WebTitan is highly scalable
WebTitan protects office staff and remote workers
WebTitan Cloud includes a full suite of pre-configured and customizable reports
Reports can be scheduled and instant email alerts generated
Suitable for use with static and dynamic IP addresses
White label versions can be supplied for use by MSPs
Multiple hosting options are available
WebTitan Cloud can be used to protect wired and wireless networks
For further information on WebTitan, for details of pricing, to book a product demonstration, or register for a free trial, contact the TitanHQ team today.
Further information on WebTitan is provided in the video below:
A new ransomware threat has been detected called FilesLocker which is currently being offered as ransomware-as-a-service (RaaS) on a TOR malware forum. FilesLocker ransomware is not a particularly sophisticated ransomware variant, but it still poses a significant threat.
FilesLocker ransomware is a dual language ransomware variant that displays ransom notes in both Chinese and English. MalwareHunterTeam has identified a Chinese forum on TOR where it is being offered to affiliates to distribute for a cut of the ransom payments.
Unless advertised more widely, the number of affiliates that sign up may be limited, although it may prove popular. There are several features which could see the ransomware variant favored over other RaaS offerings, notably a sliding scale on commissions. The developers are offering a 60% cut of ransoms, which will increase to 75% if sufficiently high numbers of infections can be generated.
While relatively small and simple, FilesLocker ransomware still uses an RSA 2048+AES algorithm to lock files and it deletes Windows shadow copies to hamper attempts to recover files without paying the ransom. FilesLocker is also capable of file encryption in a broken network environment.
No server is required and the ransomware is effective on all Windows versions later than XP plus 32-bit and 64-bit Windows Server. Users are also able to easily monitor infections through a tracking feature which displays infections by country.
There is no free decryptor for FilesLocker ransomware. Recovery will only be possible by restoring files from backups.
While news of a new RaaS offering is never good, there has at least been some good news on the ransomware front this week, at least for some victims.
Free Decryptor Developed for GandCrab Ransomware
GandCrab ransomware is another RaaS offering that has been available since January 2018. It has been widely adopted, with many affiliates signing up to distribute the ransomware over the past 10 months.
A GandCrab ransomware decryptor was developed by Bitdefender in February that was able to unlock files encrypted by version 1.0 and v1.1 of GandCrab ransomware. The decryptor was developed after private keys were leaked online. However, it didn’t take long for v2.0 to be released, for which no free decryptor is available. There have been several further updates to GandCrab ransomware over the past few months, with v5.0 of the ransomware variant released in late September.
This week, Bitdefender has announced that after collaboration with the Romanian Police, Europol and other law enforcement agencies, a new decryption tool has been developed that allows GandCrab ransomware victims to decrypt files for free, provided they have been attacked with version 1, 4, or 5 of the ransomware.
The version can be determined by the extension used on encrypted files. V1=GDCB; v2/3=CRAB; v4=KRAB; and v5 uses a random 10-character extension.
The free GandCrab ransomware decryptor has been uploaded to the NoMoreRansom Project website. Bitdefender is currently working on a free decryptor for v2 and v3 of GandCrab ransomware.
The past few months have seen an increase in new, versatile malware downloaders that gather a significant amount of data about users’ systems before deploying a malicious payload. That payload is determined on the users’ system.
Marap malware and Xbash are two notable recent examples. Marap malware fingerprints a system and is capable of downloading additional modules based on the findings of the initial reconnaissance. XBash also assesses the system, and determines whether it is best suited for cryptocurrency mining or a ransomware attack and deploys its payload accordingly.
Stealthy sLoad Downloader Used in Highly Targeted Attacks
A further versatile and stealthy malware variant, known as the sLoad downloader, can now be added to that list. SLoad first appeared in May 2018, so it predates both of the above malware variants, although its use has been growing.
The primary purpose of sLoad appears to be reconnaissance. Once downloaded onto a system, it will determine the location of the device based on the IP address and performs several checks to ascertain the type of system and the software that is running and will determine whether it is on a real device or in a sandbox environment. It checks the processes running on the system, compares against a hardcoded list, and will exit if certain security software is installed to avoid detection.
Provided the system is suitable, a full scan of all running processes will be performed. The sLoad downloader will search for Microsoft Outlook files, ICA files associated with Citrix, and other system information. sLoad is capable of taking screenshots and searches the browser history looking for specific banking domains. All of this information is then fed back to the attackers’ C2 server.
Once the system has been fingerprinted, further malware variants are downloaded, primarily banking Trojans. Geofencing is used extensively by the threat actors using sLoad which helps to ensure that banking Trojans are only downloaded onto systems where they are likely to be effective – If the victim uses one of the banks that the Trojan is targeting.
In most of the campaigns intercepted to date, the banking Trojan of choice has been Ramnit. The attacks have also been highly focused on specific countries including Canada, and latterly, Italy and the United Kingdom – Locations which are currently being targeted by Ramnit. Other malware variants associated with the sLoad downloader include the remote desktop tool DarkVNC, the Ursnif information stealer, DreamBot, and PsiBot.
The sLoad downloader is almost exclusively delivered via spam email, with the campaigns often containing personal information such as the target’s name and address. While there have been several email subjects used, most commonly the emails relate to purchase orders, shipping notifications, and missed packages.
The emails contain Word documents with malicious macros in ZIP files, or alternatively embedded hyperlinks which will download the ZIP file if clicked.
The sLoad downloader may be stealthy and versatile, but blocking the threat is possible with an advanced spam filter. End user training to condition employees never to click on hyperlinks from unknown senders nor open attachments or enable macros will also help to prevent infection. Web filtering solutions provide an additional layer of protection to block attempts to download malicious files from the Internet.
The U.S. midterm elections have been attracting considerable attention, so it is no surprise that cybercriminals are taking advantage and are running a midterm elections SEO poisoning campaign. It was a similar story in the run up to the 2016 presidential elections and the World Cup. Whenever there is a major newsworthy event, there are always scammers poised to take advantage.
Thousands of midterm elections themed webpages have sprung up and have been indexed by the search engines, some of which are placing very highly in the organic results for high-traffic midterm election keyword phrases.
The aim of the campaign is not to influence the results of the midterm elections, but to take advantage of public interest and the huge number of searches related to the elections and to divert traffic to malicious websites.
What is SEO Poisoning?
The creation of malicious webpages and getting them ranked in the organic search engine results is referred to as search engine poisoning. Search engine optimization (SEO) techniques are used to promote webpages and convince search engine algorithms that the pages are newsworthy and relevant to specific search terms. Suspect SEO practices such as cloaking, keyword stuffing, and backlinking are used to fool search engine spiders into rating the webpages favorably.
The content on the pages appears extremely relevant to the search term to search engine bots that crawl the internet and index the pages; however, these pages do not always display the same content. Search engine spiders and bots see one type of content, human visitors will be displayed something entirely different. The scammers are able to differentiate human and bot visitors through different HTTP headers in the web requests. Real visitors are then either displayed different content or are redirected to malicious websites.
Midterm Elections SEO Poisoning Campaign Targeting 15,000+ Keywords
The midterm elections SEO poisoning campaign is being tracked by Zscaler, which notes that the scammers have managed to get multiple malicious pages ranking in the first page results for high traffic phrases such as “midterm elections.”
However, that is just the tip of the iceberg. The scammers are actually targeting more than 15,000 different midterm election keywords and are using more than 10,000 compromised websites in the campaign. More sites are being compromised and used in the campaign each day.
When a visitor arrives at one of these webpages from a search engine, they are redirected to one of many different webpages. Multiple redirects are often used before the visitor finally arrives at a particular landing page. Those landing pages include phishing forms to obtain sensitive information, host exploit kits that silently download malware, or are used for tech support scams and include various ruses to fool visitors into installing adware, spyware, cryptocurrency miners, ransomware or malicious browser extensions. In addition to scam sites, the campaign is also being used to generate traffic to political, religious and adult websites.
This midterms elections SEO poisoning campaign poses a significant threat to all Internet users, but especially businesses that do not control the content that can be accessed by their employees. In such cases, campaigns such as this can easily result in the theft of credentials or malware/ransomware infections, all of which can prove incredibly costly to resolve.
One easy-to-implement solution is a web filter such as WebTitan. WebTitan can be deployed in minutes and can be used to carefully control the content that can be accessed by employees. Blacklisted websites will be automatically blocked, malware downloads prevented, and malicious redirects to phishing websites and exploit kits stopped before any harm is caused.
For further information on the benefits of web filtering and details of WebTitan, contact the TitanHQ team today.
A new and improved version of Azorult malware has been identified. The latest version of the information stealer and malware downloader has already been used in attacks and is being distributed via the RIG exploit kit.
Azorult malware is primarily an information stealer which is used to obtain usernames and passwords, credit card numbers, and other information such as browser histories. Newer versions of the malware have seen cryptocurrency wallet-stealing capabilities added.
Azorult malware was first identified in 2016 by researchers at Proofpoint and has since been used in a large number of attacks via exploit kits and phishing email campaigns. The latter have used links to malicious sites, or more commonly, malicious Word files containing malware downloaders.
Back in 2016, the malware variant was initially installed alongside the Chthonic banking Trojan, although subsequent campaigns have seen Azorult malware deployed as the primary malware payload. This year has seen multiple threat actors pair the information stealer with a secondary ransomware payload.
Campaigns have been detected using Hermes and Aurora ransomware as secondary payloads. In both campaigns, the initial aim is to steal login credentials to raid bank accounts and cryptocurrency wallets. When all useful information has been obtained, the ransomware is activated, and a ransom payment is demanded to decrypted files.
A new version of the Azorult was released in July 2018 – version 3.2 – which contained significant improvements to both its stealer and downloader functions. Now Proofpoint researchers have identified a new variant – version 3.3 – which has already been added to RIG. The new variant was released shortly after the source code for the previous version was leaked online.
The new variant uses a different method of encryption, has improved cryptocurrency stealing functionality to allow the contents of BitcoinGold, electrumG, btcprivate (electrum-btcp), bitcore, and Exodus Eden wallets to be stolen, a new and improved loader, and an updated admin panel. The latest version has a lower detection rate by AV software ensuring more installations.
If your operating systems and software are kept fully patched and up to date you will be protected against these exploit kit downloads as the vulnerabilities exploited by RIG are not new. However, many companies are slow to apply patches, which need to be extensively tested. It is therefore strongly advisable to also deploy a web filtering solution such as WebTitan to provide additional protection against exploit kit malware downloads. WebTitan prevents end users from visiting malicious websites such as those hosting exploit kits.
The latest version of Azorult malware was first listed for sale on October 4. It is highly probable that other threat actors will purchase the malware and distribute it via phishing emails, as was the case with previous versions. It is therefore strongly advisable to also implement an advanced spam filter and ensure that end users are trained how to recognize potentially malicious emails.
The use of fake software updates to spread malware is nothing new, but a new malware campaign has been detected that is somewhat different. Fake Adobe Flash updates are being pushed that actually do update the user’s Flash version, albeit with an unwanted addition of the XMRig cryptocurrency miner on the side.
The campaign uses pop-up notifications that are an exact replica of the genuine notifications used by Adobe, advising the user that their Flash version needs to be updated. Clicking on the install button, as with the genuine notifications, will update users’ Flash to the latest version. However, in the background, the XMRig cryptocurrency miner is also downloaded and installed. One installed, XMRig will run silently in the background, unbeknown to the user.
The campaign was detected by security researchers at Palo Alto Network’s Unit 42 team. The researchers identified several Windows executable files that started with AdobeFlashPlayer that were hosted on cloud servers not controlled by Adobe.
An analysis of network traffic during the infection process revealed most of the traffic was linked to updating Adobe Flash from an Adobe controlled domain, but that soon changed to traffic through a domain associated with installers known to push cryptocurrency miners. Traffic was later identified over TCP port 14444 that was associated with the XMRig cryptocurrency miner.
Further analysis of the campaign revealed it has been running since mid-August, with activity increasing significantly in September when the fake Adobe Flash updates started to be distributed more heavily.
End users are unlikely to detect the downloading and installation of the XMRig cryptocurrency miner, but there is likely to be a noticeable slowdown in the speed of their computer. The installation of the XMRig cryptocurrency miner may be stealthy, but when it runs it uses almost all of the computer’s CPU for cryptocurrency mining. Any user that checks Task Manager will see Explorer.exe hogging their CPU. As with most cryptocurrency miners, XMRig mines Monero. What is not currently known is which websites are distributing the fake Adobe Flash updates, or how traffic is being generated to those sites.
Any notification about a software update that pops up while browsing the internet should be treated as suspicious. The window should be closed, and the official website of that software provider should be visited to determine if an update is necessary. Software updates should only ever be downloaded from official websites, in the case of Adobe Flash, that is Adobe.com.
The Palo Alto researchers note “Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates.”
In May, security researchers at Proofpoint discovered a spam email campaign that was distributing a new banking Trojan named DanaBot. At the time it was thought that a single threat actor was using the DanaBot Trojan to target organizations in Australia to obtain online banking credentials.
That campaign has continued, but in addition, campaigns have been identified in Europe targeting customers of banks in Italy, Germany, Poland, Austria, and the UK. Then in late September, a further DanaBot Trojan campaign was conducted targeting U.S. banks.
The DanaBot Trojan is a modular malware written in Delphi that is capable of downloading additional components to add various different functions.
The malware is capable of taking screenshots, stealing form data, and logging keystrokes in order to obtain banking credentials. That information is sent back to the attackers’ C2 server and is subsequently used to steal money from corporate bank accounts.
An analysis of the malware and the geographical campaigns shows different IDs are used in the C2 communication headers. This strongly suggests that the campaigns in each region are being conducted by different individuals and that the DanaBot Trojan is being offered as malware-as-a-service. Each threat actor is responsible for running campaigns in a specific country or set of countries. Australia is the only country where there are two affiliates running campaigns. In total, there appears to currently be 9 individuals running distribution campaigns.
The country-specific campaigns are using different methods to distribute the malicious payload, which include the new Fallout exploit kit, web injects, and spam email. The latter is being used to distribute the Trojan in the United States.
The U.S. campaign uses a fax notice lure with the emails appearing to come from the eFax service. The messages look professional and are complete with appropriate formatting and logos. The emails contain a button that must be clicked to download the 3-page fax message.
Clicking on the button will download a Word document with a malicious macro which, if allowed to run, will launch a PowerShell script that downloads the Hancitor downloader. Hancitor will then download the Pony stealer and the DanaBot Trojan.
Proofpoint’s analysis of the malware revealed similarities with the ransomware families Reveton and CryptXXX, which suggests that DanaBot has been developed by the same group responsible for both of those ransomware threats.
The U.S. DanaBot campaign is targeting customers of various U.S. banks, including RBC Royal Bank, Royal Bank, TD Bank, Wells Fargo, Bank of America, and JP Morgan Chase. It is likely that the campaigns will spread to other countries as more threat actors are signed up to use the malware.
Preventing attacks requires defense in depth against each of the attack vectors. An advanced spam filter is required to block malspam. Users of Office 365 should increase protection with a third-party spam filter such as SpamTitan to provide better protection against this threat. To prevent web-based attacks, a web filtering solution should be used. WebTitan can block attempts by end users to visit websites known to contain exploit kits and IPs that have previously been used for malicious purposes.
End users should also trained never to open email attachments or click on hyperlinks in emails from unknown senders, or to enable macros on documents unless they are 100% certain that the files are genuine. Businesses in the United States should also consider warning their employees about fake eFax emails to raise awareness of the threat.
A new version of GandCrab ransomware (GandCrab v5) has been released. GandCrab is a popular ransomware threat that is offered to affiliates under the ransomware-as-a-service distribution model. Affiliates receive a cut of the profits from any ransoms payed by individuals they manage to infect.
GandCrab was first released in January 2018 and fast grew into one of the most widely used ransomware variants. In July it was named the top ransomware threat and is regularly updated by the authors.
There have been several changes made in GandCrab v5, including the change to a random 5-character extension for encrypted files. The ransomware also uses an HTML ransom note rather than dropping a txt file to the desktop.
Bitdefender released free decryptors for early versions of the ransomware, although steps were taken by the authors to improve security for version 2.0. Since version 2.0 was released, no free decryptors for GandCrab ransomware have been developed.
Recovery from a GandCrab v5 infection will only be possible by paying the ransom – approximately $800 in the Dash cryptocurrency – or by restoring files from backups. Victims are only given a limited time for paying the ransom before the price to decrypt doubles. It is therefore essential that backups are created of all data and for those backup files to be checked to make sure files can be recovered in the event of disaster.
Since this ransomware variant is offered under the ransomware-as-a-service model, different vectors are used to distribute the ransomware by different threat actors. Previous versions of the ransomware have been distributed via spam email and through exploit kits such as RIG and GrandSoft. GandCrab v5 has also been confirmed as being distributed via the new Fallout exploit kit.
Traffic is directed to the exploit kit using malvertising – malicious adverts that redirect users to exploit kits and other malicious websites. These malicious adverts are placed on third party advertising networks that are used by many popular websites to provide an extra income stream.
Any user that clicks one of the malicious links in the adverts is redirected to the Fallout exploit kit. The Fallout exploit kit contains exploits for several old vulnerabilities and some relatively recent flaws. Any user that has a vulnerable system will have GandCrab ransomware silently downloaded onto their device. Local files will be encrypted as well as files on all network shares, not just mapped drives.
Whenever a new zero-day vulnerability is discovered it doesn’t take long for an exploit to be incorporated into malware. The publication of proof of concept code for a Task Scheduler ALPC vulnerability was no exception. Within a couple of days, the exploit had already been adopted by cybercriminals and incorporated into malware.
The exploit for the Task Scheduler ALPC vulnerability allows executable files to be run on a vulnerable system with System privileges and has been incorporated into GandCrab v5. The exploit is believed to be used to perform system-level tasks such as deleting Windows Shadow Volume copies to make it harder for victims to recover encrypted files without paying the ransom. Microsoft has now issued a patch to correct the flaw as part of its September Patch Tuesday round of updates, but many companies have yet to apply the patch.
The most important step to take to ensure that recovery from a ransomware attack is possible is to ensure backups are created. Without a viable backup the only way of recovering files is by paying the ransom. In this case, victims can decrypt one file for free to confirm that viable decryption keys exist. However, not all ransomware variants allow file recovery.
Preventing ransomware infections requires software solutions that block the main attack vectors. Spam filtering solutions such as SpamTitan prevent malicious messages from being delivered to inboxes. Web filters such as WebTitan prevent end users from visiting malicious sites known to host exploit kits. Remote desktop services are often exploited to gain system access, so it is important that these are disabled if they are not required, and if they are, they should only be accessible through VPNs.
Patches should be applied promptly to prevent vulnerabilities from being exploited and advanced antimalware solutions should be deployed to detect and quarantine ransomware before files are encrypted.
A new malware threat – named Viro botnet malware – has been detected that combines the file-encrypting capabilities of ransomware, with a keylogger to obtain passwords and a botnet capable of sending spam emails from infected devices.
Viro botnet malware is one of a new breed of malware variants that are highly flexible and have a wide range of capabilities to maximize profit from a successful infection. There have been several recently discovered malware variants that have combined the file-encrypting properties of ransomware with cryptocurrency mining code.
The latest threat was identified by security researchers at Trend Micro who note that this new threat is still in development and appears to have been created from scratch. The code is dissimilar to other known ransomware variants and ransomware families.
Some ransomware variants are capable of self-propagation and can spread from one infected device to other devices on the same network. Viro botnet malware achieves this by hijacking Outlook email accounts and using them to send spam email containing either a copy of itself as an attachment or a downloader to all individuals in the infected user’s contact list.
Viro botnet malware has been used in targeted attacks in the United States via spam email campaigns, although bizarrely, the ransom note dropped on the victims’ desktops is written in French. This is not the only new ransomware threat to include a French ransom note. PyLocky, a recently detected new ransomware threat that masquerades as Locky ransomware, also had a French ransom note. This appears to be a coincidence as there are no indications that the two ransomware threats are related or are being distributed by the same threat group.
With Viro botnet, Infection starts with a spam email containing a malicious attachment. If the attachment is opened and the content is allowed to run, the malicious payload will be downloaded. Viro botnet malware will first check registry keys and product keys to determine whether its encryption routine should run. If those checks are passed, an encryption/decryption key pair will be generated via a cryptographic Random Number Generator, which are then sent back to the attacker’s C2 server. Files are then encrypted via RSA and a ransom note is dropped on the desktop.
Viro botnet malware also contains a basic keylogger which will log all keystrokes on an infected machine and send the data back to the attacker’s C2 server. The malware is also capable of downloading further malicious files from the attacker’s C2.
While the attacker’s C2 server was initially active, it has currently been taken down so any further devices that are infected will not have data encrypted. Connection to the C2 server is necessary for the encryption routine to start. Even though the threat has been neutralized this is expected to only be a brief hiatus. The C2 is expected to be resurrected and larger distribution campaigns can have been predicted.
Protecting against email-based threats such as Viro botnet malware requires an advanced spam filtering solution such as SpamTitan to prevent malicious messages from being delivered to end users. Advanced antimalware software should be installed to detect malicious files should they be downloaded, and end users should receive security awareness training to help them identify security threats and respond appropriately.
Multiple backups should also be created – with one copy stored securely offsite – to ensure files can be recovered in the event of file encryption.
Xbash malware is one of several new malware threats to be detected in recent weeks that incorporate the file-encrypting properties of ransomware with the coin mining functionality of cryptocurrency mining malware.
This year, several cybersecurity and threat intelligence companies have reported that ransomware attacks have plateaued or are in decline. Ransomware attacks are still profitable, although it is possible to make more money through cryptocurrency mining.
The recent Internet Organized Crime Threat Report released by Europol notes that cryptojacking is a new cybercrime trend and is now a regular, low-risk revenue stream for cybercriminals, but that “ransomware remains the key malware threat”. Europol notes in its report that a decline has been seen in random attacks via spam email, instead cybercriminals are concentrating on attacking businesses where greater profits lie. Those attacks are highly targeted.
Another emerging trend offers cybercriminals the best of both worlds – the use of versatile malware that have the properties of both ransomware and cryptocurrency miners. These highly versatile malware variants provide cybercriminals with the opportunity to obtain ransom payments as well as the ability to mine for cryptocurrency. If the malware is installed on a system that is not ideally suited for mining cryptocurrency, the ransomware function is activated and vice versa.
Xbash malware is one such threat, albeit with one major caveat. Xbash malware does not have the ability to restore files. In that respect it is closer to NotPetya than Cerber. As was the case with NotPetya, Xbash malware just masquerades as ransomware and demands a payment to restore files – Currently 0.2 BTC ($127). Payment of the ransom will not result in keys being supplied to unlock encrypted files, as currently files are not encrypted. The malware simply deletes MySQL, PostgreSQL, and MongoDB databases. This function is activated if the malware is installed on a Linux system. If it is installed on Windows devices, the cryptojacking function is activated.
Xbash malware also has the ability to self-propagate. Once installed on a Windows system it will spread throughout the network by exploiting vulnerabilities in Hadoop, ActiveMQ and Redis services.
Currently, infection occurs through the exploitation of unpatched vulnerabilities and brute force attacks on systems with weak passwords and unprotected services. Protection against this threat requires the use of strong, unique non-default passwords, prompt patching, and endpoint security solutions. Blocking access to unknown hosts on the Internet will prevent communication with its C2 if it is installed, and naturally it is essential that multiple backups are regularly made to ensure file recovery is possible.
Kaspersky Lab determined there has been a doubling of these multi-purpose remote access tools over the past 18 months and their popularity is likely to continue to increase. This type of versatile malware could well prove to be the malware of choice for advanced threat actors over the course of the next 12 months.
A new exploit kit has been detected that is being used to deliver Trojans and GandCrab ransomware. The Fallout exploit kit was unknown until August 2018, when it was identified by security researcher Nao_sec. Nao_sec observed the Fallout exploit kit being used to deliver SmokeLoader – a malware variant whose purpose is to download other types of malware.
Nao_sec determined that once SmokeLoader was installed, it downloaded two further malware variants – a previously unknown malware variant and CoalaBot – A HTTP DDoS Bot that is based on August Stealer code. Since the discovery of the Fallout exploit kit in August, it has since been observed downloading GandCrab ransomware on vulnerable Windows devices by researchers at FireEye.
While Windows users are being targeted by the threat group behind Fallout, MacOS users are not ignored. If a MacOS user encounters Fallout, they are redirected to webpages that attempt to fool visitors into downloading a fake Adobe Flash Player update or fake antivirus software. In the case of the former, the user is advised that their version of Adobe Flash Player is out of date and needs updating. In the case of the latter, the user is advised that their Mac may contain viruses, and they are urged to install a fake antivirus program that the website claims will remove all viruses from their device.
The Fallout exploit kit is installed on webpages that have been compromised by the attacker – sites with weak passwords that have been brute-forced and those that have out of date CMS installations or other vulnerabilities which have been exploited to gain access.
The two vulnerabilities exploited by the Fallout exploit kit are the Windows VBScript Engine vulnerability – CVE-2018-8174 – and the Adobe Flash Player vulnerability – CVE-2018-4878, both of which were identified and patched in 2018.
The Fallout exploit kit will attempt to exploit the VBScript vulnerability first, and should that fail, an attempt will be made to exploit the Flash vulnerability. Successful exploitation of either vulnerability will see GandCrab ransomware silently downloaded.
The first stage of the infection process, should either of the two exploits prove successful, is the downloading of a Trojan which checks to see if certain processes are running, namely: filemon.exe, netmon.exe, procmon.exe, regmon.exe, sandboxiedcomlaunch.exe, vboxservice.exe, vboxtray.exe, vmtoolsd.exe, vmwareservice.exe, vmwareuser.exe, and wireshark.exe. If any those processes are running, no further action will be taken.
If those processes are not running, a DLL will be downloaded which will install GandCrab ransomware. Once files are encrypted, a ransom note is dropped on the desktop. A payment of $499 is demanded per device to unlock the encrypted files.
Exploit kits will only work if software is out of date. Patching practices tend to be better in the United States and Europe, so attackers tend to rely on other methods to install their malicious software in these regions. Exploit kit activity is primarily concentrated in the Asia Pacific region where software is more likely to be out of date.
The best protection against the Fallout exploit kit and other EKs is to ensure that operating systems, browsers, browser extensions, and plugins are kept fully patched and all computers are running the latest versions of software. Companies that use web filters, such as WebTitan, will be better protected as end users will be prevented from visiting, or being redirected to, webpages known to host exploit kits.
To ensure that files can be recovered without paying a ransom, it is essential that regular backups are made. A good strategy is to create at least three backup copies, stored on two different media, with one copy stored securely offsite on a device that is not connected to the network or accessible over the Internet.
The CamuBot Trojan is a new malware variant that is being used in vishing campaigns on employees to obtain banking credentials.
Cybercriminals Use Vishing to Convince Employees to Install CamuBot Trojan
Spam email may be the primary method of delivering banking Trojans, but there are other ways of convincing employees to download and run malware on their computers.
In the case of the CamuBot Trojan the method used is vishing. Vishing is the voice equivalent of phishing – The use of the telephone to scam people, either by convincing them to reveal sensitive information or to take some other action such as downloading malware or making fraudulent bank transfers.
Vishing is commonly used in tech support scams where people are convinced to install fake security software to remove fictitious viruses on their computers. The campaign used to install the CamuBot Trojan is a variation on this theme and was uncovered by IBM X-Force researchers.
The attack starts with some reconnaissance. The attackers identify a business that uses a specific bank. Individuals within that organization are then identified that are likely to have access the bank accounts used by the business – payroll staff for example. Those individuals are then contacted by telephone.
The attackers claim that they are calling from the bank and are performing a check of security software on the user’s computer. The user is instructed to visit a webpage where a program will run a scan to find out if they have an up-to-date security module installed on their computer.
The fake scan is completed, and the user is informed that their security module is out of date. The caller then explains that the user must download the latest version of the security module and install it on their computer.
Once the file is downloaded and executed, it runs just like any standard software installer. The user is advised of the minimum system requirements needed for the security module to work and the installer includes the bank’s logo and color scheme to make it appear genuine.
The user is guided through the installation process, which first requires them to stop certain processes that are running on their computer. The installer displays the progress of the fake installation, but in the background, the CamuBot Trojan is being installed. Once the process is completed, it connects to its C2 server.
The user is then directed to what appears to be the login portal for their bank where they are required to enter their login credentials. The portal is a phishing webpage, and the credentials to access the users bank account are captured by the attacker.
Many banks require a second factor for authentication. If such a control is in place, the attackers will instruct the user that a further installation is required for the security module to work. They will be talked through the installation of a driver that allows a hardware-based authentication device to be remotely shared with the attacker. Once that has been installed and approved, the attackers are able to intercept any one-time passwords that are sent by the bank to the user’s device, allowing the attackers to take full control of the bank account and authorize transactions.
The CamuBot Trojan shows that malware does not need to be stealthy to be successful. Social engineering techniques can be just a effective at getting employees to install malware.
The CambuBot Trojan campaign is primarily being conducted in Brazil, but the campaign could be rolled out and used in attacks in other countries. The techniques used in this campaign are not new and have ben used in several malware campaigns in the past.
Consequently, it is important for this type of attack to be covered as part of security awareness training programs. Use of a web filter will also help to prevent these attacks from succeeding by blocking access to the malicious pages where the malware is downloaded.
A massive MagnetoCore malware campaign has been uncovered that has seen thousands of Magneto stores compromised and loaded with a payment card scraper. As visitors pay for their purchases on the checkout pages of compromised websites, their payment card information is sent to the attacker’s in real time.
Once access is gained to a website, the source code is modified to include the MagnetoCore malware, which is hidden among legitimate files in the Magnetocore.net domain.
The hacking campaign was detected by Dutch security researcher Willem de Groot. Over the past six months, the hacker behind the campaign has loaded MagnetoCore malware on at least 7,339 Magneto stores. The number of compromised websites is believed to be increasing at a rate of around 50 or 60 new stores per day.
Site owners have been informed of the MagentoCore malware infections, although currently more than 5,170 Magneto stores still have the script on the site.
The campaign was discovered when de Groot started scanning Magneto stores looking for malware infections and malicious scripts. He claims that around 4.2% of Magneto stores have been compromised and contain malware or a malicious script.
While a high number of small websites have been infected, according to de Groot, the script has also been loaded onto the websites of multi-million-dollar publicly traded companies, suggesting the hacker behind the attack has been able to steal tens, or most likely, hundreds of thousands of payment cards.
With a full set of payment card data selling for between $5 and $30 per card on darknet marketplaces, the individual(s) or hacking group behind the campaign has likely made a substantial profit.
Further information on the threat actor(s) responsible for the attacks has come from RiskIQ, which reports that the MagnetoCore malware campaign is part of much larger payment card scraping campaign known as MageCart. RiskIQ reports that MageCart has been in operation since at least 2015 and says the campaign being run by three groups. One of the groups was responsible for the TicketMaster breach reported in June that affected 5% of its customers.
All three groups are using the same tactics as part of a single campaign. It is likely the MagnetoCore malware campaign is being run by the same individuals responsible for MageCart.
Access to the sites is gained through a simple but time-consuming process – Conducting a brute force attack to guess the password for the administrator account on the website. According to de Groot, it can take months before the password is guessed. Other tactics known to be used are the use of malware such as keyloggers to obtain the login credentials and the exploitation of vulnerabilities in unpatched content management systems.
Preventing website compromises requires the use of very strong passwords and prompt patching to ensure all vulnerabilities are addressed. CMS systems should also be updated as soon as a new version is released.
It is also important for site owners to conduct regular scans of website CMSs to search for malicious scripts or code alterations, and to use a security solution that alerts the webmaster when a code change is detected on a website.
Unfortunately, finding out that a site has been compromised and removing the malicious code will not be sufficient. A painstaking check of the codebase is required as multiple backdoors are often added to compromised websites to ensure access can still be gained should the malicious code be discovered and removed.
A hacking group has succeeded in infecting hundreds of thousands of routers with VPNFilter malware. The scale of the malware campaign is astonishing. So far more than half a million routers are believed to have been infected with the malware, prompting the FBI to issue a warning to all consumers and businesses to power cycle their routers.
Power cycling the router may not totally eradicate the malware, although it will temporarily disrupt communications and will help to identify infected devices, according to a May 25 public service announcement issued by the FBI.
All users have been advised to change the password on their router, install firmware updates if they are available, and disable the router’s remote management feature.
According to the U.S. Department of Justice, the malware campaign is being conducted by the Sofacy Group, also known as Fancy Bear and APT28. The hacking group has ties to the Russian government with some believing the hacking group is directed by Russia’s military intelligence agency.
While most of the infected routers and NAS devices are located in Ukraine, devices in more than 50 countries are known to have been infected with the malware. VPNFilter malware is a modular malware with a range of different functions that include the ability to capture all information that passes through the router, block network traffic and prevent Internet access, and potentially, the malware can totally disable the router. The infected routers could also be used to bring down specific web servers in a DDoS attack.
Many common router models are vulnerable including Linksys routers (E1200, E2500, WRVS4400N), Netgear routers (DGN2200, R6400, R7000, R8000, WNR1000, WNR2000), Mikrotik RouterOS for Cloud Core Routers (V1016, 1036, 1072), TP-Link (R600VPN), QNAP (TS251, TS439 Pro and QNAP NAS devices running QTS software).
The motive behind the malware infections is not known and neither the method being used to install the malware. The exploitation of vulnerabilities on older devices, brute force attacks, and even supply chain attacks have not been ruled out.
The FBI has taken steps to disrupt the malware campaign, having obtained a court order to seize control of a domain that was being used to communicate with the malware. While communications have now been disrupted, if a router has been compromised the malware will remain until it is removed by the router owners.
How to Update Your Router
While each router will be slightly different, they can be accessed by typing in 192.168.1.1 into the browser and entering the account name and password. For many users this will be the default login credentials unless they have been changed during set up.
In the advanced settings on the router it will be possible to change the password and disable remote management, if it is not already disabled. There should also be an option to check the firmware version of the router. If an update is available it should be applied.
You should then either manually power cycle the router – turn it off and unplug it for 20 seconds – or ideally use the reboot settings via the administration panel.
DrayTek Discovers Actively Exploited Zero Day Vulnerability
The Taiwanese broadband equipment manufacturer DrayTek has discovered some of its devices are at risk due to a zero-day vulnerability that is being actively exploited in the wild. More than 800,000 households and businesses are believed to be vulnerable although it is unknown how many of those devices have been attacked to date.
The affected devices are Vigor models 2120; 2133; 2760D; 2762; 2832; 2860; 2862; 2862B; 2912; 2925; 2926; 2952; 3200; 3220 and BX2000, 2830nv2; 2830; 2850; and 2920.
The vulnerability allows the routers to be compromised via a Cross-Site Request Forgery attack, one where a user is forced to execute actions on a web application in which they are currently authenticated. While data theft is possible with this type of attack, the attackers are using this attack to change configuration settings – namely DNS settings. By making that change, the attackers can perform man in the middle attacks, and redirect users from legitimate sites to fake sites where credentials can be stolen.
A firmware update has now been released to correct the vulnerability and all users of vulnerable DrayTek devices are being encouraged to check their DNS settings to make sure they have not been altered, ensure no additional users have been added to the device configuration, and apply the update as soon as possible.
When accessing the router, ensure no other browser windows are open. The only tab that should be open is the one used to access the router. Login, update the firmware and then logout of the router. Do not just close the window. Also ensure that you set a strong password and disable remote access if it is not already disabled.
Many small businesses purchase a router and forget about it unless something goes wrong and Internet access stops. Firmware updates are never installed, and little thought is given to upgrading to a new model. However, older models of router can be vulnerable to attack. These attacks highlight the need to keep abreast of firmware updates issued by your router manufacturer and apply them promptly.
HTTPS phishing websites have increased significantly this year, to the point that more HTTPS phishing websites are now being registered than legitimate websites with SSL certificates, according to a new analysis by PhishLabs.
If a website starts with HTTPS it means that a SSL certificate is held by the site owner, that the connection between your browser and the website is encrypted, and you are protected from man-in-the-middle attacks. It was not long ago that a green padlock next to the URL, along with a web address starting with HTTPS, meant you could be reasonably confident that that the website you were visiting was genuine. That is no longer the case, yet many people still believe that to be true.
According to PhisLabs, a recent survey showed that 80% of respondents felt the green padlock and HTTPS indicated the site was legitimate and/or secure. The truth is that all it means is traffic between the browser and the website is encrypted. That will prevent information being intercepted, but if you are on a phishing website, it doesn’t matter whether it is HTTP or HTTPS. The end result will be the same.
Over the past couple of years there has been a major push to move websites from HTTP to HTTPS, and most businesses have now made the switch. This was in part due to Google and Firefox issuing warnings about websites that lacked SSL certificates, alerting visitors that entering sensitive information on the sites carried a risk. Since October, Google has been labelling websites as Not Secure in the URL via the Chrome browser.
Such warnings are sufficient to see web visitors leave in their droves and visit other sites where they are better protected. It is no surprise that businesses have sat up and taken notice and made the switch. According to Let’s Encrypt, 65% of websites are now on HTTPS, compared to just 45% in 2016.
However, it is not only legitimate businesses that are switching to secure websites. Phishers are taking advantage of the benefits that come from HTTPS websites. Namely trust.
Consumer trust in HTTPS means cybercriminals who register HTTPS sites can easily add legitimacy to their malicious websites. It is therefore no surprise that HTTPS phishing websites are increasing. As more legitimate websites switch to HTTPS, more phishing websites are registered with SSL certificates. If that were not the case, the fact that a website started with HTTP would be a clear indicator that it may be malicious and cybercriminals would be at a distinct disadvantage.
What is a surprise is the extent to which HTTPS is being abused by scammers. The PhishLabs report shows that in the third quarter of 2017, almost a quarter of phishing websites were hosted on HTTPS pages. Twice the number seen in the previous quarter. An analysis of phishing sites spoofing Apple and PayPal showed that three quarters are hosted on HTTPS pages. Figures from 2016 show that less than 3% of phishing sites were using HTTPS. In 2015 it was just 1%.
While checks are frequently performed on websites before a SSL certificate is issued, certification companies do not check all websites, which allows the scammers to obtain SSL certificates. Many websites are registered before any content is uploaded, so even a check of the site would not provide any clues that the site will be used for malicious purposes. Once the certificate is obtained, malicious content is uploaded.
The PhishLabs report also shows there is an approximate 50/50 spread between websites registered by scammers and legitimate websites that have been compromised and loaded with phishing webpages. Just because a site is secure, it does not mean all plugins are kept up to date and neither that the latest version of the CMS is in use. Vulnerabilities exist on many websites and hackers are quick to take advantage.
The rise in HTTPS phishing websites is bad news for consumers and businesses alike. Consumers should be wary that HTTPS is no guarantee that website is legitimate. Businesses that have restricted Internet access to only allow HTTPS websites to be visited may have a false sense of security that they are protected from phishing and other malicious sites, when that is far from being the case.
For the best protection, businesses should consider implementing a web filter that scans the content of webpages to identify malicious sites, and that the solution is capable of decrypting secure sites to perform scans of the content.
For more information on how a web filter can help to protect your organization from phishing and malware downloads, give the TitanHQ sales team a call today.
The Terdot Trojan is a new incarnation of Zeus, a highly successful banking Trojan that first appeared in 2009. While Zeus has been retired, its source code has been available since 2011, allowing hackers to develop a swathe of new banking Trojans based on its sophisticated code.
The Terdot Trojan is not new, having first appeared in the middle of last year, although a new variant of the credential-stealing malware has been developed and is being actively used in widespread attacks, mostly in Canada, the United States, Australia, Germany, and the UK.
The new variant includes several new features. Not only will the Terdot Trojan steal banking credentials, it will also spy on social media activity, and includes the functionality to modify tweets, Facebook posts, and posts on other social media platforms to spread to the victim’s contacts. The Terdot Trojan can also modify emails, targeting Yahoo Mail and Gmail domains, and the Trojan can also inject code into websites to help itself spread.
Further, once installed on a device, Terdot can download other files. As new capabilities are developed, the modular Trojan can be automatically updated.
The latest variant of this nasty malware was identified by security researchers at Bitdefender. Bitdefender researchers note that in addition to modifying social media posts, the Trojan can create posts on most social media platforms, and suspect that the stolen social media credentials are likely sold on to other malicious actors, spelling further misery for victims.
Unfortunately, detecting the Terdot Trojan is difficult. The malware is downloaded using a complex chain of droppers, code injections and downloaders, to reduce the risk of detection. The malware is also downloaded in chunks and assembled on the infected device. Once installed, it can remain undetected and is not currently picked up by many AV solutions.
“Terdot goes above and beyond the capabilities of a Banker Trojan. Its focus on harvesting credentials for other services such as social networks and e-mail services could turn it into an extremely powerful cyber-espionage tool that is extremely difficult to spot and clean,” warns Bitdefender.
Protecting against threats such as banking Trojans requires powerful anti-malware tools to detect and block downloads, although businesses should consider additional protections to block the main attack vectors: Exploit kits and spam email.
Cybercriminals are delivering Smoke Loader malware via a new malvertising campaign that uses health tips and advice to lure end users to a malicious website hosting the Terror Exploit Kit.
Malvertising is the name given to malicious adverts that appear genuine, but redirect users to phishing sites and websites that have been loaded with toolkits – exploit kits – that probe for unpatched vulnerabilities in browsers, plugins, and operating systems.
Spam email is the primary vector used to spread malware, although the threat from exploit kits should not be ignored. Exploit kits were used extensively in 2016 to deliver malware and ransomware, and while EK activity has fallen considerably toward the end of 2016 and has remained fairly low in 2017, attacks are still occurring. The Magnitude Exploit it is still extensively used to spread malware in the Asia Pacific region, and recently there has been an increase in attacks elsewhere using the Rig and Terror exploit kits.
The Smoke Loader malware malvertising campaign has now been running for almost two months. ZScaler first identified the malvertising campaign on September 1, 2017, and it has remained active throughout October.
Exploit kits can be loaded with several exploits for known vulnerabilities, although the Terror EK is currently attempting to exploit two key vulnerabilities: A scripting engine memory corruption vulnerability (CVE-2016-0189) that affects Internet Explorer 9 and 11, and a Windows OLE automation array RCE vulnerability (CVE-2014-6332) affecting unpatched versions of Windows 7 and 8. ZScaler also reports that three Flash exploits are also attempted.
Patches have been released to address these vulnerabilities, but if those patches have not been applied systems will be vulnerable to attack. Since these attacks occur without any user interaction – other than visiting a site hosting the Terror EK – infection is all but guaranteed if users respond to the malicious adverts.
Smoke Loader malware is a backdoor that if installed, will give cybercriminals full access to an infected machine, allowing them to steal data, launch further cyberattacks on the network, and install other malware and ransomware. Smoke Loader malware is not new – it has been around since at least 2011 – but it has recently been upgraded with several anti-analysis mechanisms to prevent detection. Smoke Loader malware has also been associated with the installation of the TrickBot banking Trojan and Globelmposter ransomware.
To protect against attacks, organizations should ensure their systems and browsers are updated to the latest versions and patches are applied promptly. Since there is usually a lag between the release of a new patch and installation, organizations should consider the use of a web filter to block malicious adverts and restrict web access to prevent employees from visiting malicious websites.
For advice on blocking malvertisements, restricting Internet access for employees, and implementing a web filter, contact the TitanHQ team today.
Last year, the Mirai botnet was used in massive DDoS attacks; however, the IoT Reaper botnet could redefine massive. The Mirai botnet, which mostly consisted of IoT devices, was capable of delivering DDoS attacks in excess of 1 terabit per second using just 100,000 malware infected devices.
The IoT Reaper botnet reportedly includes almost 2 million IoT devices, and infections with Reaper malware are growing at an alarming rate. An estimated 10,000 new IoT devices are infected and added to the botnet every day.
Researchers at Qihoo 360, who discovered the new botnet, report that the malware also includes in excess of 100 DNS open resolvers, making DNS amplification – DNS Reflection Denial of Service (DrDoS) – attacks possible.
Check Point has also been tracking a new botnet that includes an estimated 1 million devices, with 60% of the devices the firm tracks infected with the botnet malware. Check Point has called the botnet IoTroop, although it is probable that it is the same botnet as Qihoo 360 has been tracking. Check Point says it is “forming to create a cyber-storm that could take down the Internet.”
While the IoT Reaper botnet has existed for some time, it was not identified until September this year. Previously, the malware used to enslaves IoT devices was installed by taking advantage of default and weak passwords. However, that has now changed, and infections have been growing at an alarming rate as a result.
IoT Reaper is using nine different exploits for known vulnerabilities that have yet to be patched, with routers, cameras, and NVRs being targeted from more than 10 different manufacturers including router manufacturers Netgear, D-Link, Linksys, and surveillance camera manufacturers AvTech, Vacron, and GoAhead.
Unfortunately, while PC users are used to applying patches to keep their computers secure, the same cannot be said for routers and surveillance cameras, which often remain unpatched and vulnerable to infection.
At present the intentions of the actors behind the botnet are not known, but it is highly likely that the botnet will be used to perform DDoS attacks, as has been the case with other IoT botnets. Even though the number of enslaved devices is substantial, researchers believe the botnet is still in the early stages of development and we are currently enjoying the quiet before the storm.
If a botnet involving 100,000 devices can deliver a 1 terabit per second attack, the scale of the DDoS attacks with IoT Reaper could be in the order of tens of terabits per second. Fortunately, for the time being at least, the botnet is not being used for any attacks. The bad news is those attacks could well start soon, and since the malware allows new modules to be added, it could soon be weaponized and used for another purpose.
Popup warnings of missing fonts, specifically the Hoeflertext font, are being used to infect users with malware. The Hoeflertext warnings appear as popups when users visit compromised websites using the Chrome or Firefox browsers. The warnings flash up on screen with the website in the background displaying jumbled or unreadable text.
Hoeflertext is a legitimate font released by Apple in 1991, although popup warnings that the font is missing are likely to be a scam to fool users into downloading Locky Ransomware or other malware.
Visitors to the malicious websites are informed that Hoeflertext was not found, which prevents the website from being displayed. The popup contains an option to “update” the browser with a new font pack, which will allow the website content to be displayed.
This is not the first time the Hoeflertext font scam has been used. NeoSmart Technologies discovered the scam in February this year, although recently both Palo Alto Networks and SANS Internet Storm Center have both report it is being used in a new campaign.
Another version of the campaign is being used to deliver the NetSupport Manager remote access tool (RAT). In this case, the file downloaded is called Font_Chrome.exe, which will install the RAT if it is run. The researchers suggest the RAT is being favored as it offers the attackers a much wider range of capabilities than ransomware. The RAT is commercially available and has been used in several malware campaigns in the past, including last year’s campaign using hacked Steam accounts.
The RAT, once installed, gives the attackers access to the infected computer allowing them to search for and steal sensitive information and download other malware.
The actors behind this campaign have been using spam email to direct users to the malicious websites where the popups are displayed. The SANS Internet Storm Center says one campaign has been identified using emails that appear to have been sent via Dropbox, asking the user to verify their email address to complete the sign-up process.
Clicking on the ‘verify your email’ box will direct the user to a malicious website displaying fake Dropbox pages where the popups appear. Internet Explorer users do not have the popups displayed, instead they are presented with a fake anti-virus alerts linked to a tech support scam.
The latest campaign shows why it is so important for businesses to use an advanced spam filtering solution to block malicious messages. A web filtering solution is also beneficial to prevent end users from visiting malicious websites in case the messages are delivered and opened. Along with security awareness training for employees to alert them to the risks of email and web-based attacks such as this, businesses can protect themselves from attack.
In November last year, the San Francisco Municipal Transportation Agency (Muni) was attacked with Mamba ransomware. The attackers issued a ransom demand of 100 Bitcoin – $73,000 – for the keys to unlock the encryption. Muni refused to pay up, instead opting to recover files from backups. However, the Mamba ransomware attack still proved costly. The attack took its fare system out of action and passengers had to be allowed to travel for free for more than a day. The average take on fares on a weekend day is $120,000.
It has been relatively quiet on the Mamba ransomware front since that attack, although this month has seen several Mamba ransomware attacks, indicating the gang behind the malware is back in action. Those attacks are geographically targeted with businesses in Saudi Arabia and Brazil currently in the firing line, according to Kaspersky Lab researchers who first detected the attacks.
Mamba ransomware uses DiskCryptor for full disk encryption rather than searching for and encrypting certain file types. That means a Mamba ransomware attack will prevent the operating system from running.
Once installed, the malware forces a reboot of the system and modifies the Master Boot Record and encrypts disk partitions and reboots again, this time victims are presented with a warning screen advising data have been encrypted. The attacks share some similarities with the NotPetya (ExPetr) attacks of June.
The algorithms used to encrypt the data are strong and there is no known decryptor for Mamba Ransomware. If the disk is encrypted, victims face permanent file loss if they do not have a viable backup and refuse to pay the ransom demand. However, the latest attacks make no mention of payment of a ransom. Victims are just instructed to email one of two email addresses for the decryption key.
The reason for this approach is it allows ransoms to be set by the attackers on an infection by infection basis. Once the extent of encryption is determined and the victim is identified, the attackers can set the ransom payment accordingly.
It is currently unclear whether the attackers hold the keys to unlock the encryption and whether payment of the ransom will result in file recovery. Kaspersky reports that the group behind this ransomware variant has not been identified. This may be a criminal attack by an organized crime gang or a nation-state sponsored cyberattack where the intention is not to obtain ransoms but to sabotage businesses.
Businesses can enhance their defences against this and other malware variants by implementing WebTitan.
WebTitan is a web filtering solution for the enterprise that allows businesses to prevent end users from visiting malicious websites, such as those used for phishing and for downloading malware and ransomware. By blocking access to malicious sites and carefully controlling access to sites known to carry a high risk of malware delivery – file sharing websites for example – businesses can prevent web-based malware attacks.
2017 has seen a major rise in malware attacks on schools. While cybercriminals have conducted attacks using a variety of different malware, one of the biggest problems is ransomware. Ransomware is malicious code that encrypts files, systems and even master file tables, preventing victims from accessing their data. The attack is accompanied by a ransom demand. Victims are required to pay a ransom amount per infected device. The ransom payments can range from a couple of hundred dollars to more than a thousand dollars per device. Ransom demands of tens of thousands of dollars are now common.
Data can be recovered from a backup, but only if a viable backup of data exists. All too often, backup files are also encrypted, making recovery impossible unless the ransom is paid.
Ransomware attacks can be random, with the malicious code installed via large-scale spam email campaigns involving millions of messages. In other cases, schools are targeted. Cybercriminals are well aware that cybersecurity defenses in schools are often poor and ransoms are more likely to be paid because schools cannot function without access to their data.
Other forms of malware are used to record sensitive information such as login credentials. These are then relayed back to the attackers and are used to gain access to school networks. The attackers search for sensitive personal information such as tax details, Social Security numbers and other information that can be used for identity theft. With ransomware, attacks are discovered immediately as ransom notes are placed on computers and files cannot be accessed. Keyloggers and other forms of information stealing malware often take many months to detect.
Recent malware attacks on schools have resulted in entire networks being sabotaged. The NotPetya attacks involved a form of malware that encrypts the master file table, preventing the computer from locating stored data. In this case, the aim of the attacks was to sabotage critical infrastructure. There was no way of recovering the encrypted MFT apart from with a full system restore.
The implications of malware attacks on schools can be considerable. Malware attacks on schools result in considerable financial losses, data can be lost or stolen, hardware can be rendered useless and educational institutions can face prosecution or law suits as a result of attacks. In some cases, schools have been forced to turn students away while they resolve infections and bring their systems back online.
Major Malware Attacks on Schools in 2017
Listed below are some of the major malware attacks on schools that have been reported in 2017. This is just a very small selection of the large number of malware attacks on schools in the past 6 months.
Minnesota School District Closed for a Day Due to Malware Attack
Malware attacks on schools can have major consequences for students. In March, the Cloquet School District in Minnesota experienced a ransomware attack that resulted in significant amounts of data being encrypted, preventing files from being accessed. The attackers issued a ransom demand of $6,000 for the keys to unlock the encryption. The school district is technology-focused, so without access to its systems, lessons were severely disrupted. The school even had to close for the day while IT support staff restored data. In this case, sensitive data were not compromised, although the disruption caused was severe. The ransomware is understood to have been installed as a result of a member of staff opening a phishing email that installed the ransomware on the network.
Swedesboro-Woolwich School District Suffers Cryptoransomware Attack
The Swedesboro-Woolwich School District in New Jersey comprises four elementary schools and has approximately 2,000 students. It too suffered a crypto-ransomware attack that took its computer systems out of action. The attack occurred on March 22, resulting in documents and spreadsheets being encrypted, although student data were apparently unaffected.
The attack took a significant part of the network out of action, including the District’s internal and external communications systems and even its point-of-sale system used by students to pay for their lunches. The school was forced to resort to pen and paper while the infection was removed. Its network administrator said, “It’s like 1981 again!”
Los Angeles Community College District Pays $28,000 Ransom
Ransomware was installed on the computer network of the Los Angeles County College District, not only taking workstations out of action but also email and its voicemail system. Hundreds of thousands of files were encrypted, with the incident affecting most of the 1,800 staff and 20,000 students. A ransom demand of $28,000 was issued by the attackers. The school had no option but to pay the ransom to unlock the encryption.
Calallen Independent School District Reports Ransomware Attack
The Calallen Independent School District in northwestern Corpus Christi, TX, is one of the latest victims of a ransomware attack. In June, the attack started with a workstation before spreading to other systems. In this case, no student data were compromised or stolen and the IT department was able to act quickly and shut down affected parts of the network, halting its spread. However, the attack still caused considerable disruption while servers and systems were rebuilt. The school district also had to pay for improvements to its security system to prevent similar attacks from occurring.
Preventing Malware and Ransomware Attacks on Schools
Malware attacks on schools can occur via a number of different vectors. The NotPetya attacks took advantage of software vulnerabilities that had not been addressed. In this case, the attackers were able to exploit the vulnerabilities remotely with no user interaction required. A patch to correct the vulnerabilities had been issued by Microsoft two months before the attacks occurred. Prompt patching would have prevented the attacks.
Software vulnerabilities are also exploited via exploit kits – hacking kits loaded on malicious websites that probe for vulnerabilities in browsers and plugins and leverage those vulnerabilities to silently download ransomware and malware. Ensuring browsers and plugins are 100% up to date can prevent these attacks. However, it is not possible to ensure all computers are 100% up to date, 100% of the time. Further, there is usually a delay between an exploit being developed and a patch being released. These web-based malware attacks on schools can be prevented by using a web filtering solution. A web filter can block attempts by end users to access malicious websites that contain exploit kits or malware.
By far the most common method of malware delivery is spam email. Malware – or malware downloaders – are sent as malicious attachments in spam emails. Opening the attachments results in infection. Links to websites that download malware are also sent via spam email. Users can be prevented from visiting those malicious sites if a web filter is employed, while an advanced spam filtering solution can block malware attacks on schools by ensuring malicious emails are not delivered to end users’ inboxes.
TitanHQ Can Help Schools, Colleges and Universities Improve Defenses Against Malware
TitanHQ offers two cybersecurity solutions that can prevent malware attacks on schools. WebTitan is a 100% cloud-based web filter that prevents end users from visiting malicious websites, including phishing sites and those that download malware and ransomware.
WebTitan requires no hardware, involves no software downloads and is quick and easy to install, requiring no technical skill. WebTitan can also be used to block access to inappropriate website content such as pornography, helping schools comply with CIPA.
SpamTitan is an advanced spam filtering solution for schools that blocks more than 99.9% of spam email and prevents malicious messages from being delivered to end users. Used in conjunction with WebTitan, schools will be well protected from malware and ransomware attacks.
To find out more about WebTitan and SpamTitan and for details of pricing, contact the TitanHQ team today. Both solutions are also available on a 30-day no-obligation free trial, allowing you to test both products to find out just how effective they are at blocking cyberthreats.
The RoughTed malvertising campaign was rampant in June, causing problems for 28% of organizations around the world according to Check Point.
Malvertising is the name given to adverts that redirect users to malicious websites – sites hosting exploit kits that download malware and ransomware, phishing kits that gather sensitive information for malicious purposes or are used for a variety of scams.
Malvertising campaigns pose a significant threat because it is not possible to avoid seeing the malicious adverts, even if users are careful about the websites they visit. Malicious adverts are displayed through third party ad networks, which are used on a wide range of websites. Even well known, high traffic websites such as the BBC, New York Times, TMZ and MSN have all been discovered to have displayed malicious adverts. Cybercriminals only need to place their adverts with one advertising network to see their adverts displayed on many thousands of websites.
The RoughTed malvertising campaign was first identified in May, although activity peaked in June. By that time, it had resulted in infections in 150 countries throughout North and South America, Europe, Africa, Asia and Australasia.
It is sometimes possible to block malvertising using ad blockers, which prevent adverts from being displayed; however, the RoughTed malvertising campaign can get around these controls and can bypass ad blockers ensuring adverts are still displayed.
A web filtering solution can be useful at preventing categories of websites from being accessed that commonly host malicious adverts – sites hosting pornography for example – although due to the wide range of websites that display third party adverts, it would not be possible to eradicate risk. That said, an advanced web filtering solution such as WebTitan offers excellent protection by blocking access to the malicious sites rather than the malvertising itself.
Websites are rapidly added to blacklists when they are detected as being used for nefarious purposes. WebTitan supports blacklists and can block these redirects, preventing end users from visiting malicious sites when they click on the ads.
In addition to blacklists, WebTitan URL classification uses a multi-vector approach to deeply analyze websites. The URL classification uses link analysis, content analysis, bot detection and heuristic analysis to identify websites as malicious. These advanced techniques are used to block ad fraud, botnets, C2 servers, sites containing links to malware, phishing websites, spam URLs, compromised websites and malware distribution sites including those hosting exploit kits. The URL classification system used by WebTitan leverages data supplied by 500 million end users with the system continuously updated and optimized.
If you want to protect your organization from the actions of your end users and block the majority of online threats, contact the TitanHQ team today for further information on WebTitan and take a closer look at the web filtering solution in action.
A massive global cyberattack is underway involving Petya ransomware. Ukraine has been hit particularly hard although companies all over Europe have reported that systems have been taken out of action and ransoms demanded. Social media websites are awash with reports of disruption to services across a wide range of industries and countries. The attacks appear to have started in Russia/Ukraine but spread rapidly across Europe, with reports emerging that companies in India have also been affected.
The attacks appear to involve a variant of Petya ransomware – a particularly nasty ransomware variant for which there is no kill switch or free decryptor. Petya ransomware takes the Master File Table (MFT) out of action rather than encrypting individual files. Consequently, the attacks occur faster than with other ransomware variants. Without access to the MFT, computers are unable to locate files stored on the hard drive. Those files remain unencrypted, but cannot be accessed.
The ransom demand to unlock the infection is understood to be approximately $300, although that figure will need to be multiplied by the number of devices affected.
Another WannaCry Style Global Ransomware Attack
The WannaCry ransomware attacks used exploits stolen from the NSA, which were published online by Shadow Brokers. Those exploits worked on unpatched systems, exploiting vulnerabilities to automatically download a network worm and WannaCry ransomware. The attacks spread rapidly – around the world and within organizations.
This wave of attacks appears to be similar. The attacks started happening this morning with the Russian cybersecurity firm Group-IB one of the first to suggest this was a WannaCry-style attack involving an NSA exploit. That has since been confirmed by other cybersecurity firms. Fabian Wosar of Emisoft said he has confirmed that the infection is spreading using the same EternalBlue exploit as WannaCry, as has MalwareHunterTeam.
Organizations that applied the patch issued by Microsoft in March were protected from WannaCry and will likely be protected from this Petya ransomware attack. Following WannaCry, Microsoft issued patches for unsupported operating systems to prevent further attacks from occurring. However, judging by the number of attacks that have already occurred, the WannaCry attacks did not spur some companies into action. Many have still not patched their systems.
Several well-known companies have reported they are under attack and have had servers and computers taken out of action, with companies in Russia, Ukraine, France, Spain, Denmark, India and the UK all understood to have been affected. Companies that have confirmed they have been attacked include:
Russia – Oil company Rosneft and metal maker Evraz
Ukraine – Boryspil Airport, aircraft manufacturer Antonov, two postal services, the Ukraine government, the Ukraine national bank. The Cernobyl nuclear powe plant has also been attacked, as have many other energy companies in the country.
Denmark – Shipping firm A.P. Moller-Maersk, including APM Terminals which runs shipping container ports around the world.
France – Construction firm Saint Gobain
International – Companies reportedly affected include the law firm DLA Piper, advertising firm WPP, food manufacturer Mondalez and U.S pharmaceutical firm Merck.
Time will tell whether this Petya ransomware attack will be on a similar scale to WannaCry. Since it is currently occurring it will likely be a few days before the true scale of the attack becomes known.
The recent ransomware attack on University College London has been discovered to have occurred as a result of an end user visiting a website hosting the Astrim exploit kit. Exploit kits are used to probe for vulnerabilities and exploit flaws to download malware.
Most ransomware attacks occur via email. Phishing emails are sent in the millions with many of those emails reaching end users’ inboxes. Ransomware is downloaded when infected email attachments are opened or malicious links are clicked. Organizations can reduce the threat of ransomware attacks by implementing an advanced spam filtering solution to prevent those malicious emails from being delivered.
However, spam filtering would not have stopped the University College London ransomware attack – one of many ransomware attacks on universities in recent months.
In order for an exploit kit to work, traffic must be sent to malicious websites hosting the kit. While spam email can be used to direct end users to exploit kits, the gang behind this attack was not using spam email.
The gang behind the Astrim exploit kit – AdGholas – has been using malvertising to direct traffic to sites hosting the EK. Malvertising is the name for malicious adverts that have been loaded onto third party ad networks. Those adverts are displayed to web users on sites that sign up with those advertising networks. Many high traffic sites display third party adverts, including some of the most popular sites on the Internet. The risk of employees visiting a website with malicious adverts is therefore considerable.
Exploit kit attacks are far less common than in 2015 and 2016. There was a major decline in the use of exploit kits such as Magnitude, Nuclear and Neutrino last year. However, this year has seen an increase in use of the Rig exploit kit to download malware and the Astrim exploit kit is also attempting to fill the void. Trend Micro reports that the Astrim exploit kit has been updated on numerous occasions in 2017 and is very much active.
The risk of exploit kit attacks is ever present and recent ransomware and malware attacks have shown that defenses need to be augmented to block malicious file downloads.
An exploit kit can only download malware on vulnerable systems. If web browsers, plugins and software are patched promptly, even if employees visit malicious websites, ransomware and malware cannot be downloaded.
However, keeping on top of patching is a difficult task given how many updates are now being released. Along with proactive patching policies, organizations should consider implementing a web filtering solution. A web filter can be configured to block third party adverts as well as preventing employees from visiting sites known to contain exploit kits.
With exploit kit attacks rising once again, now is the time to start augmenting defenses against web-based attacks. In the case of University College London, a fast recovery was possible as data were recoverable from backups, but that may not always be the case. That has been clearly highlighted by a recent ransomware attack on the South Korean hosting firm Nayana. The firm had made backups, but they too were encrypted by ransomware. The firm ended up paying a ransom in excess of $1 million to recover its files.
Over the past few days, a new threat called Fireball malware has been spreading rapidly and has allegedly been installed on more than 250 million computer systems. An estimated 20% of corporate networks have been infected with the malware. 10% of infections are in India, 9.6% in Brazil, 6.4% in Mexico, 5.2% in Indonesia and 2.2% in the United States.
The new malware variant was discovered by security researchers at Check Point, who claim the malware campaign is “possibly the largest infection operation in history.”
Fireball malware targets web browsers and is used to manipulate traffic. Once infected, the end user is redirected to fake search engines, which redirect search queries to Google and Yahoo. Fireball malware is being used to generate fake clicks and boost traffic, installing plugins and new configurations to boost the threat actor’s advertisements.
The malware is also capable of stealing user information using tracking pixels and can easily be turned into a malware downloader. Once installed, Fireball malware can run any code on the victims’ computer, making the infection especially dangerous. While Fireball malware is not believed to be dropping additional malware at this stage, it remains a very real possibility. The malware has a valid certificate, hides the infection and cannot be easily uninstalled.
The malware is being distributed bundled with other software such as the Mustang browser and Deal WiFi, both of which are provided by a large Chinese digital marketing agency called Rafotech. It is Rafotech that is understood to be behind Fireball malware.
Rafotech is not using the malware for distributing other malware, nor for any malicious purposes other than generating traffic to websites and serving end users adverts, but Fireball may not always remain as adware. At any point, Fireball could simultaneously drop malware on all infected systems.
The recent WannaCry ransomware attacks serve as a good comparison. Once the network worm had spread, it was used to deploy WannaCry. More than 300,000 computers were infected the worm, which then dropped the ransomware. If a more advanced form of malware had been used that did not have a kill switch, the WannaCry attacks would have been far more severe. Now imagine a scenario where the same happened on 250 million computers… or even more as Fireball malware spreads further.
Fireball could also drop botnet malware onto those computers. A botnet involving 250 million or more computers would result in absolutely devastating DDoS attacks on a scale never before seen. As a comparison, Mirai is understood to include around 120,000 devices and has wreaked havoc. A botnet comprising 250 million or more devices could be used to take down huge sections of the internet or target critical infrastructure. It would be a virtual nuclear bomb.
The EternalRocks worm is a new threat that comes hot on the heels of WannaCry ransomware. The self-replicating network work uses similar tactics to infect computers and spread to other connected devices; however, in contrast to the worm used to spread WannaCry ransomware, there is no kill switch. In fact, at present, there is also no malicious payload. That is unlikely to be the case for very long.
The WannaCry ransomware attacks were halted when a security researcher discovered a kill switch. Part of the infection process involved checking a nonsense domain that had not been registered. If no connection was made, the ransomware element would proceed and start encrypting files. By registering the domain, the encryption process didn’t start. Had the domain not been registered, the attacks would have been more far reaching, affecting more than the 300,000 computers believed to have been affected by the Friday 12 attacks.
New threats were predicted to be released in the wake of WannaCry, either by the same group or copycats. The EternalRocks worm therefore does not come as a surprise. That said, EternalRocks could be far more dangerous and cause considerably more harm than WannaCry.
The WannaCry ransomware attacks involved just used two exploits developed by the NSA – EternalBlue and DoublePulsar. EternalRocks uses six NSA hacking tools (EternalBlue, DoublePulsar, EternalChampion, EternalRomance, EternalSynergy, ArchiTouch and SMBTouch).
In addition to the Windows Server Message Block (SMBv1) and SMBv2 hacking tools, this threat uses a SMBv3 exploit in addition to a backdoor Trojan, the latter being used to spread infection to other vulnerable computers on a network. Two SMB reconnaissance tools have also been incorporated to scan open ports on the public Internet.
EternalRocks is also capable of hiding on the infected machine after deployment. With the WannaCry attacks, users were alerted that their computers had been compromised when the ransomware encrypted their files and a note was placed on the desktop.
Once on a computer, the EternalRocks worm waits for 24 hours before downloading the Tor browser, contacting the attackers, and replicating and spreading to other devices on the network.
The self-replicating network worm was discovered by security researcher Miroslav Stampar from CERT in Croatia. While the threat has only just been discovered, Stampar says the first evidence of infections dates back to May 3.
At present, the EternalRocks worm does not have any malicious payload. It neither installs malware nor ransomware, but that does not mean it poses no risk. Worms can be weaponized at any point, as was seen on Friday 12 May, when WannaCry ransomware was deployed.
For the time being, it is unclear how many computers have already been infected and how EternalRocks will be weaponized.
Preventing infection with EternalRocks worm and other similar yet to be released – or discovered – threats is possible by ensuring operating systems and software are patched promptly. Older operating systems should also be upgraded as soon as possible. As Kaspersky Lab reported, 95% of the WannaCry attacks affected Windows 7 devices. No Windows 10 devices were reportedly attacked.
A new Uiwix ransomware variant has been detected using EternalBlue to gain access to vulnerable systems. Businesses that have not yet patched they systems are vulnerable to this new attack.
In contrast to the WannaCry ransomware variant that was used in Friday’s massive ransomware campaign, Uiwix ransomware is a fileless form of ransomware that operates in the memory. Fileless ransomware is more difficult to detect as no files are written to the hard drive, which causes problems for many antivirus systems. Uiwix ransomware is also stealthy and will immediately exit if it has been installed in a sandbox or virtual machine.
Trend Micro reports that the new Uiwix ransomware variant also “appears to have routines capable of gathering the infected system’s browser login, File Transfer Protocol (FTP), email, and messenger credentials.”
As with WannaCry ransomware, the ransomware is not being spread via email. Instead the attackers are searching for vulnerable systems and are taking advantage of SMB vulnerabilities and attacking computers over TCP port 445. Infection with Uiwix sees the Uiwix extension added to encrypted files. The ransom demand to supply keys to decrypt locked files is $200.
The threat does not appear to be as severe as WannaCry, as the attackers are manually targeting vulnerable systems. Crucially, the ransomware lacks the wormlike properties of WannaCry. If one machine is infected, the ransomware will not then spread to other networked devices.
Since the WannaCry attacks, many businesses have now implemented the MS17-010 patch and have blocked EternalBlue attacks. Microsoft has also released a patch for Windows XP, Windows Server 2003, and Windows 8, allowing users of older, unsupported Windows versions to secure their systems and prevent attacks.
However, the search engine Shodan shows there are still approximately 400,000 computers that have not yet been patched and are still vulnerable to cyberattacks using the EternalBlue exploit.
Another threat that uses the EternalBlue and DoublePulsar exploits is Adylkuzz; however, the malware does not encrypt data on infected systems. The malware is a cryptocurrency miner than uses the resources of the infected computer to mine the Monero cryptocurrency. Infection is likely to see systems slowed, rather than files encrypted and data stolen.
Other malware and ransomware variants are likely to be released that take advantage of the exploits released by Shadow Brokers. The advice to all businesses is to ensure that software is patched promptly and any outdated operating systems are upgraded. Microsoft has issued a patch for the older unsupported systems in response to the WannaCry attacks, but patches for Windows Server 2003, Windows XP and Windows 8 are unlikely to become a regular response to new threats.
The WannaCry ransomware attacks that crippled hospitals in the United Kingdom on Friday have temporarily halted, although not before infections spread to 150 countries around the globe. The massive ransomware campaign saw 61 NHS Trusts in the UK affected.
As the NHS was cancelling appointments and scrambling to halt the spread of the infection and restore its systems, the WannaCry ransomware attacks were going global. Organizations around the world were waking up to total chaos, with systems taken out of action and data access blocked. Other victims include FedEx, Telefonica, Deutsche Bahn and the Russian Interior Ministry and around 200,000 others.
The victim count rose considerably throughout Friday and Saturday morning, before a security researcher in the UK accidentally flicked the ransomware’s kill switch, preventing further WannaCry ransomware attacks. Had it not been for that researcher’s actions, the victim count would have been considerably higher.
The researcher in question prefers to remain anonymous, although he tweets under the Twitter account @MalwareTechBlog. While analyzing the ransomware, he discovered a reference to a nonsense web domain. He checked to see who owned the domain and discovered it had not been registered. He bought it and realized that his actions had stopped the ransomware in its tracks. If the domain could be contacted, encryption would not take place. If contact was not possible, the ransomware would proceed and encrypt files on the infected device.
This kill switch could have been put in place by the authors as a way to stop infections getting out of control. However, far more likely is the domain check was performed to determine if the ransomware was running in a test environment.
For now at least, the WannaCry ransomware attacks have stopped, although that does not mean they will not continue. New versions of the ransomware – without the kill switch – will almost certainly be released. In the meantime, IT security professionals have some time to plug the vulnerability that was exploited.
The exploit takes advantage of a vulnerability in Windows Server Message Block (SMB) that allows the attackers to download files onto a vulnerable machine. Microsoft issued a patch to plug the vulnerability on March 13 (MS17-010). Even though this was a high priority patch for which an exploit had been developed (ETERNALBLUE) and released online, many companies failed to update Windows leaving them vulnerable to attack.
Of course, any organization using an unsupported version of Windows – Windows XP for example – would not be able to apply the patch. Many NHS Trusts in the UK still use the unsupported version of Windows even though it is vulnerable to this and other exploits.
The attackers have reportedly made around $50,000 so far from the WannaCry ransomware attacks. That figure will rise, as victims are given 7 days to pay before the decryption keys held by the attackers will be permanently deleted. If payment is not made within 3 days, the $300 ransom doubles.
There are no clues as to who was behind the attack, although it was made possible by the actions of the hacking group Shadow Brokers, who published the exploit used in the WannaCry ransomware attacks in April. The exploit was not developed by Shadow Brokers however. That appears to have been developed by the National Security Agency in the USA. Shadow Brokers allegedly stole the exploit.
Microsoft has responded to the WannaCry ransomware attacks saying they should serve as a “wake-up call.” That’s not just the need to apply patches promptly to prevent cyberattacks, but also a wake up call for governments not to secretly stockpile exploits.
A Mac malware warning has been issued for any individual who recently downloaded Handbrake for Mac. A server was compromised and a remote access Trojan was bundled with the Handbrake Apple Disk Image file.
A credential-stealing Remote Access Trojan was discovered to have been bundled with the Handbrake video transcoder app for the MacOS, with Handbrake for Mac downloads between May 2 and May 6, 2017 potentially also installing the MacOS Proton RAT.
A Mac malware warning has been issued for all users who recently downloaded the app. It is strongly recommended that any individual who downloaded the app between the above dates verifies that they have not been infected. According to a statement issued by the developers of the app, individuals have a 50/50 change of infection if they downloaded the app between the above dates.
Cybercriminals were able to compromise a server and bundle the malware with the app, with all users who used the download.handbrake.fr mirror potentially infected.
Apple has now updated its OSX’s XProtect to detect and remove the infection although individuals at risk should check to see if their device has been infected. Infection can be detected by looking for the Activity_agent process in the OSX Activity Monitor. If the process is running, the device has been infected with the Trojan.
Any user infected with the malware will need to change all passwords stored in the MacOS keychain. Any password stored in a browser will also need to be changed, as it is probable it has also been compromised.
The Trojan can be easily removed by opening the Terminal and entering the following commands before removing all instances of the Handbrake app:
if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder
The MacOS Proton RAT was first identified earlier this year. It is capable of logging keystrokes to steal passwords, can execute shell commands as root, steal files, take screenshots of the desktop and access the webcam. Once installed, it will run every time the user logs on.
Only Handbrake for Mac downloads were affected. Any user who recently upgraded through the Handbrake update mechanism will not be affected, as checks are performed to prevent the downloading of malicious files.
The compromised server has now been shut down to prevent any further malware downloads. At this stage it is unclear how access to the server was gained and how the Handbrake Apple Disk Image file was replaced with a malicious version.
A patch has been rushed and released to address a serious Microsoft Malware Protection Engine bug, termed ‘Crazy Bad’ by the researchers who discovered the flaw. If exploited, the vulnerability would allow threat actors to turn the malware protection software against itself.
If the Microsoft Malware Protection Engine bug is exploited, Microsoft’s malware protection engine could be used to install malware rather than remove it. Instead of searching for infected files that have been downloaded, the system would be downloading malware and infecting end users.
The Microsoft Malware Protection Engine bug affects a number of anti-malware software products including Windows Defender, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, Windows Intune Endpoint Protection and Microsoft Forefront Endpoint Protection.
The remotely exploitable bug could allow a system to be completely compromised, giving attackers full access to an infected computer or server, since the software and all associated processes run at LocalSystem privilege level.
The flaw was discovered by Natalie Silvanovich and Tavis Ormandy of Google Project Zero who alerted Microsoft three days ago. Ormandy said the flaw was “The worst in recent memory.” Microsoft worked fast to patch the flaw and an update was pushed out yesterday.
While extremely serious, Microsoft does not believe any malicious actors have taken advantage of the flaw, although all unpatched systems are at risk. Threat actors could take advantage of the Microsoft Malware Protection Engine bug in a number of ways, including sending specially crafted email messages. The Project Zero researchers note that simply sending a malicious email would be enough to allow the bug to be exploited. It would not be necessary for the user to open the email or an infected email attachment. The researchers explained that “writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine.” Alternatively, the flaw could be exploited by visiting a malicious website if a link was sent via email or through instant messaging.
The patch for the vulnerability (CVE-2017-0290) will be installed automatically if users have auto-update turned on. System administrators who have set updates to manual should ensure the patch is applied as soon as possible to prevent the flaw from being exploited. The current, patched Malware Protection Engine is version 1.1.13704.0.
A sophisticated new malware threat has been discovered that is being used to target a wide range of industry sectors and infect systems with RAT/malware.
The campaign is being used to spread multiple malware variants and gain full access to systems and data. While many organizations have been attacked, the threat actors have been targeting IT service providers, where credential compromises can be leveraged to gain access to their clients’ environments.
The threat actors are able to evade detection by conventional antivirus solutions and operate virtually undetected.
The campaign has been running since at least May 2016 according to a recent alert issued by the National Cybersecurity Communications Integration Center (NCCIC) of the U.S. Department of Homeland Security.
The campaign is still being investigated, but due to the risk of attack, information has now been released to allow organizations to take steps to block the threat and mitigate risk. NCCIC categorizes the threat level as medium.
While threat detection systems are capable of identifying intrusions, this campaign is unlikely to be detected. The attack methods used by the threat actors involve impersonating end users leveraging stolen credentials. Communications with the C2 are encrypted, typically occurring over port 443 with the domains frequently changing IP address. Domains are also spoofed to appear as legitimate traffic, including Windows update sites.
Two main malware variants are being used in this campaign – the remote administration Trojan (RAT) REDLEAVES and the PLUGX/SOGU Remote Access Tool. PLUGX malware has been around since 2012, although various modifications have been made to the malware to prevent detection.
PLUGX allows the threat actors to perform a range of malicious activities such as setting connections, terminating processes, logging off the current user and modifying files. It also gives the threat actors full control of the compromised system and allows the downloading of files. READLEAVES offers the threat actors a typical range of RAT functions including system enumeration.
NCCIC has released Indicators of Compromise (IOCs) to allow organizations to conduct scans to determine whether they have been infected and further information will be published when it becomes available.
While anti-virus solutions should be used, they are unlikely to offer protection against this malware campaign. NCCIC warns organizations that there is no single security solution that can prevent infection, therefore a multi-layered defense is required. The aim of organizations should be to make it as difficult as possible for the attackers to gain access to their systems and install malware and operate undetected.
NCCIC offers several suggestions to help organizations improve their defenses against attack. Since phishing emails are used to fool end users into revealing their credentials, anti-phishing solutions should be employed to prevent the emails from reaching end users’ inboxes.
Locky is back. The latest Locky ransomware attacks leverage an infection technique used in Dridex malware campaigns.
It has been all quiet on the western front, with Locky ransomware attacks dropping off to a tiny fraction of the number seen in 2016. In the first quarter of 2017, Locky ransomware campaigns all but stopped, with Cerber becoming the biggest ransomware threat.
That could be about to change. Locky has returned, its delivery mechanism has changed, and the crypto ransomware is now even harder to detect.
The latest campaign was detected by Cisco Talos and PhishMe. The Talos team identified a campaign involving around 35,000 spam emails spread over just a few hours. The researchers suggest the emails are being delivered using the Necurs botnet, which has until recently been used to send out stock-related email spam.
New Infection Method Used in Latest Locky Ransomware Attacks
The latest Locky campaign uses a different method of infection. Previous Locky campaigns have used malicious Word macros attached to spam emails. If the email attachment is opened, end users are requested to enable macros to view the content of the document. Enabling macros will allow a script to run that downloads the payload. For the latest campaign, spam emails are used to deliver PDF files.
The change in infection method can be easily explained. Over the past few months, Word macros have been extensively used to infect end users with ransomware. Awareness of the danger of Word macros has been widely reported and companies have been warning their staff about malicious Word documents containing macros.
If an end user is fooled into opening an email attachment that asks them to enable macros, they are now more likely to close the document and raise the alarm. To increase the probability of the end user taking the desired action, the authors have made a change. Macros are still involved, but later in the infection process.
The emails contain little in the way of text, but inform the recipient that the PDF file contains a scanned image or document, a purchase order, or a receipt. PDF files are more trusted and are more likely to be opened. Opening the PDF file will see the user prompted to allow the PDF reader to download an additional file. The second file is a Word document containing a macro that the end user will be prompted to enable.
The rest of the infection process proceeds in a similar fashion to previous Locky ransomware attacks. Enabling the macros will see a Dridex payload downloaded which will then download Locky. Locky will proceed to encrypt a similarly wide range of file types on the infected computer, connected storage devices and mapped network drives.
The ransom payment demanded is 1 Bitcoin – currently around $1,200. This is considerably more that the ransom payments demanded when Locky first arrived on the scene just over a year ago.
One slight change for this campaign is the user is required to install the Tor browser in order to visit the payment site. This change is believed to be due to Tor proxy services being blocked.
Adding the extra step in the infection process is expected to result in more infections. Many users who would not open a Word attachment may be fooled into opening the PDF.
Businesses should raise the alarm and send out warning emails to staff alerting them to the new campaign and advising them to be wary of PDF files in emails.
Exploit kits have been one of the attack vectors of choice for cybercriminals, although research from Trustwave shows exploit kit activity has been in decline over the past 12 months. Trustwave reports exploit kit activity fell by around 300% over the course of 2016.
Exploit kits are used to probe for vulnerabilities in web browsers and web browser plugins. When a user visits a website hosting an exploit kit, their browser is probed for flaws. If a flaw is found, it is exploited to silently download malware and ransomware.
However, as the middle of the year approached, exploit kit activity started to fall. There are many possible reasons why exploit kit activity has declined. Efforts have increased to make browsers more secure and defenses against exploit kits have certainly been improved.
Adobe Flash vulnerabilities were the most exploited, but last year Adobe started issuing patches faster, limiting the opportunity for the attackers to exploit flaws. The fall in exploit kit activity has also been attributed to the takedown of cybercriminal gangs that extensively used and developed exploit kits. In 2016, the Russian outfit Lurk was broken up and a number of high profile arrests were made. Lurk was the outfit behind the infamous Angler exploit kit. Angler, along with Neutrino, Nuclear and Magnitude were extensively used to download malware and ransomware.
The recently published 2017 IBM X-Force Threat Intelligence Index shows spam email volume increased around the middle of 2016 and there was a marked increase in malicious email attachments. Spam email has now become the attack vector of choice, but that doesn’t mean exploit kits have died. Exploit kits are still being used in attacks, but at a much-reduced level.
Exploit kits are now being used in smaller, more targeted attacks on specific geographical regions, rather than the global attacks using Angler, Nuclear and Magnitude.
Over the past few months, exploit kit activity has started to rise and new exploit kits have been discovered. Late last year, the DNSChanger exploit kit was discovered. While most exploit kits target vulnerabilities in browsers, the DNSChanger exploit kit targets vulnerabilities in routers.
Researchers from Zscaler’s ThreatLabz report there has been an increase in exploit kit activity in the first quarter of 2017. The researchers have noticed a new KaiXin campaign and Neutrino activity has increased. The researchers also detected a new exploit kit called Terror. The Terror exploit kit has been compiled from other exploit kits such as Sundown. The RIG EK continues to be one of the most commonly used kits and has been found to be delivering the ransomware variants Cerber and Locky.
Malicious email attachments may still be the attack vector of choice for spreading ransomware and malware payloads, but the threat from exploit kits is still significant and should not be ignored.
To find out how you can improve your defenses against exploit kits, contact the TitanHQ team today.