Thursday, June 30, 2016

Feedly:Threats RSS Feed - Symantec Corp.. JS.Downloader!gen21



from Threats RSS Feed - Symantec Corp.

Risk Level: Very Low. Type: Trojan.

Feedly:SANS Internet Storm Center, InfoCON: green. ISC Stormcast For Friday, July 1st 2016 http://ift.tt/294lbtv, (Fri, Jul 1st)



from SANS Internet Storm Center, InfoCON: green

...

Feedly:Threats RSS Feed - Symantec Corp.. EXP.CVE-2016-2208



from Threats RSS Feed - Symantec Corp.

Risk Level: Very Low. Type: Trojan.

Feedly:We Live Security. ‘Fansmitter’ malware can extract data from air-gapped computers



from We Live Security

Fansmitter, a new malware with the capability to extract data from air-gapped computers, has been developed by scientists in Israel.

The post ‘Fansmitter’ malware can extract data from air-gapped computers appeared first on We Live Security.

Feedly:Publications - The Citizen Lab. Release: DIY Transparency Report Tool



from Publications - The Citizen Lab

Release: DIY Transparency Report Tool

June 30, 2016

Tagged: , , , ,

Categories:

Christopher Parsons

,

Reports and Briefings

,

Research News

The Telecommunications Transparency Project is happy to announce the release of the DIY Transparency Report Tool, which is designed the help small- and medium-sized organizations produce holistic transparency reports. The Project is associated with the Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs, University of Toronto, and the project was funded through the Canadian Internet Registration Authorities’s .CA Community Investment Program.

The DIY Transparency Report tool helps smaller organizations produce holistic transparency reports. Such reports comprehensively explain to customers, citizens, and government agencies alike how an organization retains data, its policies for disclosing information to government agencies, and the regularity at which it does disclose information to such agencies. The tool is designed to guide organizations through the process of developing their own holistic report, while empowering them to customize their reports to reflect their organizational profile. And, critically, the tool is entirely open source and operates where the organization decides, so sensitive information is never disclosed to another party until the organization makes that decision.

Using this tool, organizations can create data retention guides, government requests handbooks, and government requests reports.

  • A data retention guide can help companies rapidly identify to third-parties, including users and government agencies, whether they possess information of interest to those parties. Moreover, evaluating the data under an organization’s control can clarify whether data is being retained for a clear, and overtly stated, business purpose for an appropriate period of time. Principle 8 of Canada’s federal commercial privacy legislation, the Personal Information and Protection of Electronic Data Act (PIPEDA), asserts that “personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.” Consequently, developing a data retention guide can dovetail with an organization’s efforts to ensure it is complying with Canadian privacy law.
  • A government requests handbook details how an organization responds to requests from government agencies for information which may be controlled or accessible to the organization. Such handbooks help organizations professionally respond to such requests and assist government agencies format and communicate requests in a manner that will be quickly addressed by an organization. These handbooks might explain a little about an organization, whether the organization responds to voluntary (i.e. non-court ordered) disclosure requests, how requests from foreign government agencies are handled, whether costs might be sought for providing lawful assistance, and whether the organization will seek to notify its users of any requests. Such handbooks will also clearly identify to whom, and how, government requests should be made and how the organization requires requesters to prove they are genuinely government agents.
  • Government requests reports summarize the number, and kind, of requests that an organization has received over the period of time covered by the holistic transparency report. Such reports list different kinds of request-types, such as voluntary types of requests, court-ordered types of requests, as well as foreign requests as well as preservation requests, along with how organizations responded to such requests. Responses might include fully, partially, or refusing/being unable to provide responses, and might also note the number of affected persons/accounts which were notified of the government agencies’ request and possible subsequent disclosures.

Download DIY Transparency Report Documentation || Download DIY Transparency Report Application Code

Project Support

CIP-Logo

This project was funded through the Canadian Internet Registration Authority’s .CA Community Investment Program. Through the Community Investment Program, .CA funds projects that demonstrate the capacity to improve the Internet for all Canadians. The .CA team manages Canada’s country code top-level domain on behalf of all Canadians. A Member-driven organization, .CA represents the interests of Canada’s Internet community internationally.

Feedly:Fortinet Blog | News and Threat Research - All Posts. Cracking Locky’s New Anti-Sandbox Technique



from Fortinet Blog | News and Threat Research - All Posts

The last few weeks saw new variants of the Locky ransomware that employs a new anti-sandbox technique. In these new variants, Locky’s loader code uses a seed parameter from its JavaScript downloader in order to decrypt embedded malicious code and execute it properly. For example, the downloaded Locky executable is executed by the JavaScript in the following manner: sample.exe 123 Below is a screenshot of it in action: This new trick may pose challenges for automated Locky tracking systems that utilize sandboxing due to the following...

Feedly:Fortinet Blog | News and Threat Research - All Posts. Wrapping Financial Services in a Security Blanket: How the Fortinet Security Fabric enhances the security of Financial Services organizations.



from Fortinet Blog | News and Threat Research - All Posts

The Enterprise security market has grown extremely complicated over the past decade. This complexity is being compounded as the business of Financial Services moves from person-to-person transactions to automated high-speed machine-to-machine operations and workflows. We originally designed security systems that protect people from other people – vaults, teller cages, guards, armored cars, alarms, and security cameras. These tools allowed us to trust people as business partners.  This has all changed. Financial Services is moving to...

Feedly:Threats RSS Feed - Symantec Corp.. Trojan.Scarcruft!g1



from Threats RSS Feed - Symantec Corp.

Risk Level: Very Low. Type: Trojan.

Feedly:Threats RSS Feed - Symantec Corp.. Trojan.Scarcruft



from Threats RSS Feed - Symantec Corp.

Risk Level: Very Low. Type: Trojan.

Feedly:Security News - Software vulnerabilities, data leaks, malware, viruses. Study finds new tool to measure homeland security risks



from Security News - Software vulnerabilities, data leaks, malware, viruses

Researchers have validated a new risk assessment tool that can be used by the Department of Homeland Security to help evaluate decisions and priorities in natural disasters, terrorist events, and major accidents.

Feedly:Threats RSS Feed - Symantec Corp.. Trojan.Cryptolocker.AV



from Threats RSS Feed - Symantec Corp.

Risk Level: Very Low. Type: Trojan.

Feedly:Security Intelligence | TrendLab.... Brazilians Migrate to Telegram, Cybercriminals Follow Suit



from Security Intelligence | TrendLab...

Staple product offerings like online banking Trojans and tutorials for aspiring cybercriminals are still being peddled in the Brazilian underground market. While old crimeware remain the same, we observed that these young and brazen cybercriminals (two words that aptly describe the Brazilian cybercriminals of today), have switched communication platforms. After the temporary shutdown on WhatsApp last December, cybercriminals changed messaging tools to avoid unwanted attention from law enforcement agencies. Although this shift may be coincidental, the secure messaging features of Telegram, a cloud-based messenger similar to WhatsApp, may make it ripe for abuse.

Brazilian courts required WhatsApp to provide information in relation to criminal investigations at the end of 2015. A court order was issued to telecom providers to block access to WhatsApp, due to failure to abide, forcing users (including cybercriminals) to look for new means to communicate with others. Prior to enforcing the order, WhatsApp had 93 million users in Brazil. This has since dwindled when users moved to  Telegram.

From WhatsApp to Telegram: Why?

Popularity sometimes comes with a price. Such was WhatApp’s and is now Telegram’s case in Brazil. Cybercriminals have long been abusing WhatsApp and similar chat apps for illicit business transactions. So what made Telegram a likely substitute?

Users find Telegram appealing due to features such as seamless multi-device access, “secret chats” with a self-destruct timer wherein you can indicate when the messages will be deleted, file-sharing of different file types of up to 1.5 GB, and “chat groups and channels.” We believe cybercriminals opted for Telegram because, like WhatsApp, it encrypts the messages sent over its network. That said, law enforcement agencies can’t easily prove the illicit nature of cybercriminal transactions conducted via the service. Users can also create and chat with large groups of people at the same time, much like forum pages, where a lot of cybercriminal deals and communications occur.

Telegram can host groups with up to 5,000 members. The only thing users had to do is create a nickname (without ties to an email address) to join a group. In the course of doing research, we found two Telegram groups, with around 10,000 users in total, engaging in suspicious activities such as selling hacked accounts and credit card details, among others. Nicknames don’t necessarily make for easy identification compared with email addresses.

Fig1_telegram_group

Fig2_telegram_group

Figures 1 and 2. Telegram groups engaged in suspicious activities

Telegram lets users create “channels” where they can choose to hide their phone numbers even to other members. For bad guys, this translates to “anonymity.” Members who want to buy any of the product offerings in these “channels” can just send the administrator (most likely the seller) a private message to avail of crimeware.

What products are offered on Telegram channels?

The product offerings sold in the channels we’ve seen include stolen credit cards and credentials to hacked Netflix accounts. What’s interesting though is that these wares are available for free. Peddlers may just be trying to build a reputation of notoriety, hoping to be recognized as the best hackers.

Fig3_stolencc

Figure 3. Stolen credit/debit card data, including proof of validity, posted on a Telegram channel

In some channels, cybercriminals even encouraged group participation, asking successful users of stolen credentials to show proof via screenshots. We also saw a “personal” channel whose solo owner complained about how other groups copied his materials.

Fig4_stolennetflix

Figure 4. Sample stolen Netflix credentials

Fig5_proofstolenCC

Figure 5. Proof that the stolen credentials work

Fig6_listofstolen

Figure 6. List of stolen credit card credentials

Another staple find were phishing pages, one of which spoofed a popular online store in Brazil. We also saw ads for fake pages.

fig10_fakeamericas

Figure 7.  A post advertising a fake page of Americas, an online shopping store

(Translation: Americas Fake Page
For those whose requested me
There is)

fig11_code

fig12_code

Figures 8 and 9. Codes of a sample phishing page pertaining to an online store in Brazil

Going mobile

With the growing number of smartphone users in Brazil, it’s not surprising that the people behind the suspicious Telegram channels target mobile users, too. We’ve seen various rogue apps with different capabilities offered in these channels. Some of these malicious apps are premium abusers and have capability of generating credit card information.

Fig7_apks

Fig8_fakeapps

Figures 10 and 11. Fake apps that offer free streaming services

(Translation: Soon I’ll share few accounts with you. Let’s start your cracked Spotify downloads.
– Image –
Cracked Spotify APP to use limitless, you can unlimited hear musics with no ads! Your just have to login with a new created credential. Or login with a Facebook account. )

Fig9_ccability

Figure 12. Sample app with credit-card-credential-generating capability

What’s in it for young, bold  cybercriminals?

Based on some posts we found, the sellers of stolen credentials are still in high school, most likely younger than 20 years old. We’re not sure if they work alone or in groups. But most are certainly self-taught/self-starters, obtaining knowledge and skills by joining and participating in forums–judging by the number of hacking/carding tutorials and how-to guides they share with other group members.

fig13_proofofage

Figure 13. Proof of a Brazilian cybercriminal’s age

(Translation: Folks, I’m going to school, at 6:30 PM I’ll send more ccs, tks)

Brazilian underground players considered cybercrime as their lucrative job due to the quick monetary gains. It doesn’t help that any aspiring cybercriminal can easily learn the ropes through a myriad of cybercrime training manuals shared or sold underground or available in the Deep Web.

Conclusion

The use of the Surface web and popular messaging tools shows how unfazed these Brazilian cybercriminals are to go against law enforcement. We believe this may change in the future especially if there is collaboration between Brazilian law enforcement and security researchers. In the same manner, we have notified Telegram about the abuse in their service.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Brazilians Migrate to Telegram, Cybercriminals Follow Suit

Feedly:Threats RSS Feed - Symantec Corp.. Trojan.Cryptolocker.AU



from Threats RSS Feed - Symantec Corp.

Risk Level: Very Low. Type: Trojan.

Feedly:Securelist / All Updates. Facebook malware: tag me if you can



from Securelist / All Updates

On the morning of 26th June, news of a phishing campaign hit the Israeli media. Thousands of Facebook users complained that they had been infected by a virus through their accounts after they received a message from a Facebook friend claiming they had mentioned them in a comment.

Kaspersky Lab decided to investigate. We quickly discovered that the message had in fact been initiated by attackers and unleashed a two-stage attack on recipients. We also found that the attack was not confined to Israel, but was hitting targets worldwide.

The first stage of the attack started when the user clicked on the “mention”. A malicious file seized control of their browsers, terminating their legitimate browser session and replacing it with a malicious one that included a tab to the legitimate Facebook login page. This was designed to lure the victim back into the social network site.

Upon logging back into Facebook the victim’s session was hijacked in the background and a new file was downloaded. This represented the second stage of the attack, as embedded in this file was an account-takeover script that included a privacy-settings changer, account-data extractor and other tools that could be used for further malicious activity, such as spam, identity theft and generating fraudulent ‘likes’ and ‘shares’. Further, the malware infection loop began again as malicious notifications were sent to all the victim’s Facebook friends.

The Kaspersky Security Network (KSN) recorded almost ten thousand infection attempts around the globe in the space of just 48 hours.

Facebook Malware: Tag Me If You Can

Malicious JavaScript file spike hits thousands of victims

Facebook has now mitigated this threat and is blocking techniques used to spread malware from infected computers. It says that it has not observed any further infection attempts. Google has also removed at least one of the culprit extensions from the Chrome Web Store.

Top targets

The most affected countries were Brazil, Poland, Peru, Colombia, Mexico, Ecuador, Greece, Portugal, Tunisia, Venezuela, Germany and, finally, Israel.

On a pie chart we can more easily see how the infection spread around the globe:

Facebook Malware: Tag Me If You Can

It’s worth mentioning that people using Windows-based computers to access Facebook were at the greatest risk. Those using Windows OS phones could have been at risk too, although this is less likely. Users of Android and iOS mobile devices were completely immune since the malware uses libraries which are not compatible with these mobile operating systems.

Facebook Malware: Tag Me If You Can

Malware downloaded from an Android device with invalid format error

The infection process

The infection seemed to begin when victims received a notification of a Facebook “mention” that appeared to come from a friend:

Facebook Malware: Tag Me If You Can

This provided the attackers with a rabbit hole through which they could hijack the user’s Facebook session and permissions and send out malicious notifications to the victim’s Facebook friends. During our investigation we found the script that was responsible for the delivery of the malicious notification. This script was triggered when the user of a compromised machine attempted to login to Facebook via a malicious Chrome shortcut.

Initial infection

Clicking on the notification redirects the user to an empty post containing a link to Google Docs. This link automatically downloads a JavaScript file called comment_27734045.jse and is a Trojan downloader.

File: comment_27734045.jse
Language: JavaScript
Size: 5.31 KB
MD5: 9D3DF2A89FDB7DA40CEB4DE02D605CFA
SHA1: 6D658331FE6D7F684FEE384A29CE95F561A5C2EA

The malicious file above was involved in the specific attack discussed in this blogpost. A Trojan downloader generator was discovered residing in the following domains:

#1 http://ift.tt/29hGURi
#2 http://ift.tt/297qSNk

Facebook Malware: Tag Me If You Can

A Facebook post that delivered the JSE malware downloader

http://ift.tt/29hGScn

Unbeknown to the victim, the JavaScript file executes a batch file which calls a pre-downloaded utility called “AutoIt.exe”, with one argument – ekl.au3. This file is an AutoIT script and the executable is simply a compiler that runs it.

The malicious code starts after a #NoTrayIcon; initializing variables and immediately starting to send arguments to the decryption routine located at the end of the script. The majority of the payloads are encrypted. However the decryption key is hardcoded and the standard function can be copied outside of the code and automated for safe decryption.

Func YK69395P92380($KS50476D12399,$JF22904R13060)
$KS50476D12399 = BinaryToString($KS50476D12399)
$YK28157F62492 = _Crypt_DecryptData($KS50476D12399, $JF22904R13060, $CALG_AES_256)
$YK28157F62492 = BinaryToString($YK28157F62492)
Return $YK28157F62492
EndFunc

Or in a more simplified way:

Func Decrypt($encrypted_input,$key)
$encrypted_input = BinaryToString($encrypted_input)
$decrypt_output = _Crypt_DecryptData($payload, $key, $CALG_AES_256)
$decrypted_output = BinaryToString($decrypted_output)
Return $decrypted_output
EndFunc

The function takes two arguments. One is a hexadecimal string which represents the encrypted payload and the other is a the key. The encryption algorithm used in _Crypt_DecryptData() is CALG_AES_256, 256 bit AES, which is hardcoded as well.

The code is generally pretty straightforward. Even without decrypting the encrypted content one can spot the stored variables being used: ProcessExists, ProcessClosed, DirCreate, AppDataDir, RegRead, FileDelete, DesktopDir and so on. In addition, the author left comments for the reader which can be very helpful.

The full code snippet can be found here: http://ift.tt/297r2nZ

Background check

The Trojan downloader is not new. It was spotted more than a year ago bearing Turkish variables and comments in its files. The alleged actor in this instance, known also as BePush/Killim, used innovative techniques to spread malware through social networks. It is known to favour multi-layered obfuscation, mainly in JavaScript, and utilize multi-layered URL shorteners, third-party hosting providers and multi-stage payloads.

The group obfuscate their infrastructure using Cloudflare and register domains with WHOIS guard privacy protection. They also monitor each infection using third party analytics scripts.

We have found that this particular threat actor seems to prefer using the following providers: Amazon AWS, Google, WhosAmungUs, TinyURL, Bitly, Cloudflare and more, suggesting that it favours freeware over paid services.

What’s on the menu?

Once executed, the malicious script opens a socket to one of its command and control (C&C) servers, calling up a dozen files and downloading them one after the other from the C&C server, all with the same image extension (.jpg). The script then replaces this extension with the real ones. We’ve documented the following file extensions:

exe – utility to load malicious .au3 scripts.
bat – batch file that executes the binary, appending .au3 scripts as arguments.
au3 – malware code.
zip – empty zip.
json – manifest for Chrome extension configurations.
dat – malware version.
js – additional scripts supporting the Chrome extension and scripts to collect victims’ statistics.

Looking at the JSE file content, the first code segment is an array of strings. These strings are simply appended to the code and are in this form for the sake of code obfuscation.

Facebook Malware: Tag Me If You Can

Strings stored in the JSE file containing the C&C server and malicious files

At the top we see the strings responsible for opening the connection with the remote C&C server, followed by those for reading the files and changing their extension. The %APPDATA%, ExpandEnvironmentStrings and Mozila represent the actual location where the malicious files will be stored.

Looking at the destination folder of the malicious files we see a weird-looking variable name: Mozklasor. This translates to “Purple Folder” in Turkish, and points to Turkish-speaking threat actors, as mentioned above.

Facebook Malware: Tag Me If You Can

Creating %AppData%\Mozila directory to transfer malicious files

After a successful download, we can browse to the Mozila folder in the AppData and examine the changes that have been made in it. In addition to the files residing in our fake Mozila directory, the JavaScript also executes the run.bat file which loads the executable file with one of its scripts as argument.

Facebook Malware: Tag Me If You Can

We notice that a set of files has been added. In addition, a script has been executed in the background, closing our browsers, adding Chrome shortcuts to our desktop and relaunching the browsers in infected mode with a malicious extension embedded in the opened instance, alongside some registry manipulations we were not aware of. This behaviour occurred after the JavaScript file had executed the batch file run.bat, which calls the autoit.exe utility and loads it with ekl.au3.

Facebook Malware: Tag Me If You Can

Browsers closed unexpectedly and new apps were added on the desktop

The malware terminated the Chrome process we were browsing in. In the same situation the most natural behaviour for a victim would be to look for the nearest browser application and execute it. Once the browser shortcut is executed, we notice two suspicious items.

Facebook Malware: Tag Me If You Can

Victim is lured into opening a malicious Chrome shortcut

The browser opens with an additional tab containing the Facebook login page. The threat actor believed that users who (like us) had been browsing through Facebook before encountering the malware, would simply expect the browser to restore the website. An important note for the sharp-eyed is that the restore window is open. This means that the Facebook page has not yet been restored by the user.

The second (tiny) item is an extension that had been silently added to the Chrome extensions list. It appears as an [a-z] one character with grey background in the top right-hand side.

Looking in the Mozila folder again we can identify a Manifest.json file which points to the fact that the infection process involves an extension.

Facebook Malware: Tag Me If You Can

A malicious extension is being added to Chrome

Facebook Malware: Tag Me If You Can

Browser extension permissions in detail

Alongside the permissions that the extension receives, it loads an external script (bg.js). This script is responsible for protecting it from being deleted. It also contains a listener to outgoing DNS-resolving queries sent via the URL bar, and blocks a large number of black-listed web domains.

fbmalware_eng_13

Black-listed domains which are blocked from access

If the user attempts to access one of these websites, the browser will return the following error:

Facebook Malware: Tag Me If You Can

Black-listed domains blocked

When the victim eventually decides to access their account on Facebook, a remote script will be loaded from the C&C and executed on the client-side. It is a rather large JavaScript file (~80KB) which is responsible for taking over the account and spreading the malware to other Facebook users.

Following a successful login attempt, the JavaScript file data.js will load and redirect the user to a page that suggests in Spanish that “Before logging back into your account it is recommended to clear your cookies. It can be done via the Settings menu in Google Chrome, watch this tutorial if don’t know how.” The attackers request this in order to get new user-session identifiers. In the malicious code, the string c_user is mentioned. This cookie, among others, is a session cookie and can potentially offer significant value to attackers.

Facebook Malware: Tag Me If You Can

After logging in, it can be seen that the attack was executed and that the user’s entire Facebook list was notified by the victim about a new URL. Upon clicking on this URL, the user’s friends will also become malware hosts and the infection process will loop again, through their friends.

Facebook Malware: Tag Me If You Can

Lateral Movement

Once the Chrome browser has been opened with the malicious extension, the Facebook page also opens in a new tab, luring a user into a connection. Once connected, a script starts to run in the background. This script iterates through three domains to capture the login attempt and send a malicious script that will regenerate the initial infection through Facebook.

Facebook Malware: Tag Me If You Can

Upon the Facebook login attempt the malware captures the traffic

Once the malware recognizes the Facebook login attempt, it releases a malicious data.js JavaScript file which launches the attack, inviting other Facebook members with a “mention” and a malicious link. In addition, the extension acts as a Man-In-The-Middle and can capture the entire traffic between the victim and the servers he request data from. This allows the actor to steal data and redirect it to his command and control servers or wrap the data in a log file and send it over a different channel.

Facebook Malware: Tag Me If You Can

The data in the JavaScript payload can be decrypted using a web proxy such as Fiddler, allowing for the inspection of the embedded URL, with a ready-to-download Trojan script.

Inspecting the code, a readable string looks very familiar. It is the initial infection link from the beginning of the article. In addition to the infection routine, an account-takeover script has also been also embedded in the same file with a privacy-settings changer, account data extractor and other tools.

fbmalware_eng_19

To sum it up, the delivery of the malware was found to be very efficient and made its way through thousands of users in only 48 hours. The fast reaction from consumers and the media proved to be the core power driving awareness of this campaign. The social media network and service providers were also fast in blocking the attack.

Q&A:

Am I infected?

The easiest way to check if you are infected is to open your Chrome browser and look for the extension named thnudoaitawxjvuGB. For a more thorough check, click Start > Run > copy the following command: %AppData%\Mozila if the folder and files such as “autoit.exe” and “ekl.au3” are in it, the computer is infected.

I was infected, what can I do?

Logout from your Facebook account, close the browser and disconnect the network cable from your computer. It is recommended that you ask an expert to check the computer and clean out any remaining malware. In addition, install an updated anti-virus program.

Kaspersky Lab products detect and block the threat, preventing it from infecting the machine.

A friend mentioned me in a post. Should I click on it?

Yes, keep using your social media as you did in the past. Just be aware that files which you do not recognize should not be installed on your computer or mobile phone.

I opened the file through my mobile phone, am I infected?

If you don’t have a Windows phone you cannot be infected through your smartphone. This malware is compatible only with Windows environments.

How can I prevent myself from becoming a victim?

The more we use the Internet, the greater the risk of becoming a target. However, service providers such as cloud storage, social networks and security products work day and night to stay one step ahead of the threats and keep their users safe. If possible, exercise caution when going online and try not to let others lure you into content, however tempting, if you have any concerns about it.

IOCs:

comment_27734045.jse 9D3DF2A89FDB7DA40CEB4DE02D605CFA Trojan-Downloader.Agent.JS.lee
Autoit.exe Legitimate software
Ff.zip Empty zip file
Sabit.au3
Up.au3
Force.au3
88C2B5DC9B7862590B859FC2FCDEAF87 Trojan.Win32.Autoit.fdi
Manifest.json 3C874BA389652FF33E535E5B3373FFDC Trojan.JS.Extension.g
Bg.js B50005F142A547CF8CD579EFAB0139DC Trojan.JS.Agent.diw
Ekl.au3 25C440B66B6C33F4F6A84A992DBB956B Trojan.Win32.Autoit.fdj
Run.bat Autoit.exe loader
Ping.js Used for whos.amungs.us analytics
Ping2.js Used for whos.amungs.us analytics
ver.dat Contains version: 1.5
data.js 1a48f277b8e99d5a9b6526e0b51edad4 Trojan.JS.Agent.diw

Malicious URLs:

http://ift.tt/297r1Qz
http://ift.tt/29hGNoT
http://ift.tt/297qUoa
http://ift.tt/29hGRoE
http://ift.tt/297qYV8
http://ift.tt/29hGzON
http://ift.tt/297qUop
http://ift.tt/29hGU3T
http://ift.tt/29hGNoT
hxxp://corneliuspettus [.]com/fil.php
http://ift.tt/297rbYj
hxxp://corneliuspettus [.]com/data.js
http://ift.tt/29hGIBI
http://ift.tt/297r2Eu

Domains:

Friendsmu[.]com
Appcdn[.]co
Userexperiencestatics[.]net
Corneliuspettus[.]com
lllllllllll[.]top

Feedly:We Live Security. How to bulletproof your social media accounts



from We Live Security

Social media platforms are increasingly being targeted, as Facebook CEO Mark Zuckerberg found out earlier this month. Here, we look at how to keep your accounts secure.

The post How to bulletproof your social media accounts appeared first on We Live Security.

Feedly:Securelist / All Updates. YSTS X: The highlights of the COOLEST security conference in Brazil



from Securelist / All Updates

One day after BSides LatAm, it was the turn of another security conference in Brazil: You Shot The Sheriff, now in its tenth edition. Happening on one of the coolest days in Sao Paulo, the event took place at Villa Bisutti, where the whole event was very well organised.

The welcome coffee was a good opportunity to meet some friends and also make new ones, as the majority of the security professionals from Brazil and also other countries were attending the event.

Luiz, Nelson and Willian opened the event by talking about the difference between the first edition to the tenth, showing that it has become much more mature and professional but is still a challenge to make it happen. They also talked of their work to keep the event the same size, as they believe that increasing the number of attendees could decrease of the quality of the event, something they work hard to improve with each edition.

After that, Anchises Moraes from RSA opened the talks by presenting about the stone age and the computing era, comparing the information gathered from paintings on cave walls that could lead us to an understanding of what happened at that time, to the information that we are storing on internet that will stay visible to the next generation.

blog_shot_the_sheriff_01

Following this, Andrey Plastunov talked about a different attack scenario, where instead of targeting the normal user it targets developers, by infecting source code, attacking source control and continuous integration software in order to steal credentials. He explained that in most cases the developer has too much access, allowing the attackers to steal information that usually is not found on normal users’ computers, like remote desktop connections, FTP accounts and so on.

blog_shot_the_sheriff_02

Our own Dmitry Bestuzhev attracted attention with his talk about the mobile weapons used for cyber-espionage, by explaining in detail the level of information that could be gathered from samples found in the wild targeting Android, Windows Phone and also the almost untouchable iOS. In his talk Dmitry drew attention to the point that nowadays, where there is extensive end-to-end encryption, it is easier to collect the desired information by infecting the device rather than attacking software encryption.

blog_shot_the_sheriff_03

After this talk lunch was available as well as the beer and drinks, and at this time people could take time to talk with the presenters, sponsors and friends. The environment was really cool and next to the bar was the preferred place to get together with other participants.

When the sessions restarted, it was the turn of Emmanuel Goldstein, 2600 hacking magazine editor, to talk about the challenging work of running a hacking magazine without any publicity; he also encouraged people to listen to what young people and hackers have to share, as they have too much to say that will also help us.

Another very interesting technical talk was presented by Igor, who did a live demonstration of creating a portable BTS (Base Transceiver Station) in order to perform a main-in-the-middle attack to intercept calls and SMS messages on 2G networks. On the stage he made a call to one of the participants and then reproduced the intercepted content.

In summary, it was an amazing event with excellent organization, a mix of technical and non-technical talks and a very selected group of security professionals, where you had a chance to talk and make connections. Of course I could not forget to mention the party at the end where the participants had another chance to enjoy beer and other good drinks as well as networking.

Feedly:Virus alerts. June 2016 virus activity review from Doctor Web



from Virus alerts

June 30, 2016

The first summer month was quite eventful in terms of information security. At the beginning of June, Doctor Web specialists finished the research of the Bolik banking Trojan and soon after that, they found a fileless advertising Trojan named Trojan.Kovter.297. Besides, the number of Trojans for accounting software has increased: first, a dangerous ransomware Trojan, which was spread by a dropper written in 1C incorporated programming languages, was registered. Then our security researchers found a spyware Trojan—Trojan.PWS.Spy.19338—able to log keystrokes in different applications including accounting ones. In addition, virus makers continued to attack Google Play: our analytics detected Trojans in Android applications twice this month.

PRINCIPAL TRENDS IN JUNE

  • New polymorphic banking Trojan
  • Spread of a Trojan for 1C software
  • New fileless advertising Trojan—Trojan.Kovter
  • Spread of a dangerous spyware Trojan—Trojan.PWS.Spy.19338

Threat of the month

Most of Russian companies choose 1C accounting programs. Virus makers also follow this trend to contrive new threats. Therefore, Doctor Web analytics have already encountered applications written in 1C programming language. Yet, 1C.Drop.1 differs from its counterparts by its architecture and purpose—this Trojan is designed as a fully-featured dropper that saves the Trojan.Encoder.567 ransomware Trojan on disk and runs it.

screen Trojan.Encoder.567 #drweb

The Trojan is distributed via email titled “Our BIC code has been changed” that contains an external data processor for 1C:Enterprise. If the user opens the file in 1C:Enterprise, the Trojan sends out its copy to all contractors whose email addresses are specified in the database. Then it retrieves Trojan.Encoder.567, saves it on disk and runs the ransomware program. This dangerous encoder encrypts files on the computer’s disks and demands a ransom for their decryption. 1C.Drop.1 supports the following 1C databases:

  • Trade Management 11.1
  • Trade Management (basic) 11.1
  • Trade Management 11.2
  • Trade Management (basic) 11.2
  • Accounting 3.0
  • Accounting (basic) 3.0
  • 1C:Comprehensive Automation 2.0

For more information about this incident, refer to the news article.

According to statistics collected by Dr.Web CureIt!

According to statistics collected by Dr.Web CureIt!

  • Trojan.MulDrop

    А Trojan that can install other malicious programs on the computer.
  • Trojan.InstallCore.1903

    A Trojan that can install unwanted and malicious applications.
  • Trojan.Zadved

    This Trojan displays fake search results in the browser window and imitates pop-up messages from social networking sites. In addition to this, the malware can replace advertisements displayed on different Internet resources.
  • Trojan.DownLoader

    A family of malicious programs designed to download other malware to the compromised computer.
  • Trojan.LoadMoney

    A family of downloader programs generated by servers belonging to the LoadMoney affiliate program. These applications download and install unwanted software on the victim's computer.

According to Doctor Web statistics servers

According to Doctor Web statistics servers #drweb

  • JS.Redirector

    A family of malicious scripts that are written in JavaScript and designed to automatically redirect users to another webpages.
  • JS.Downloader

    A family of malicious scripts that are written in JavaScript and designed to download and install other malware programs on the computer.
  • BackDoor.IRC.NgrBot.42

    A fairly common Trojan, which is known to information security researchers since 2011. Malicious programs of this family are able to execute intruder-issued commands on infected machine controlled by cybercriminals via the IRC (Internet Relay Chat) text-messaging protocol.
  • Trojan.InstallCore.1903

    A Trojan that can install unwanted and malicious applications.
  • Trojan.Zadved

    This Trojan displays fake search results in the browser window and imitates pop-up messages from social networking sites.

Statistics concerning malicious programs discovered in email traffic

Statistics concerning malicious programs discovered in email traffic #drweb

  • JS.Redirector

    A family of malicious scripts that are written in JavaScript and designed to automatically redirect users to another webpages.
  • JS.Downloader

    A family of malicious scripts that are written in JavaScript and designed to download and install other malware programs on the computer.

    A malicious program belonging to the family of banking Trojans. This application poses a threat to users of e-banking services (RBS), because it allows cybercriminals to steal confidential information by intercepting data submitted through forms in the browser window and by embedding the malicious code into bank webpages.

  • Trojan.PWS.Turist

    A Trojan designed to steal login credentials and other private information necessary to access online banking applications (including ones that require Smart Cards for authorization)
  • Trojan.Encoder.858

    A malicious program belonging to the family of encryption ransomware Trojans that encrypt files and demand a ransom for decryption of compromised data.

Encryption ransomware

Encryption ransomware #drweb

The most common ransomware programs in June 2016:

In June, Trojan.Encoder.4860, also known as JS.Crypt, has become more popular among attackers. Its key feature lies in the fact that the Trojan is written in JScript. It is distributed under the name of “RAA virus”, and all locked files are appended with the *.locked extension. When Trojan.Encoder.4860 finishes to encrypt all files on the computer, it locates the following RTF document in root folders:

screen <b>Trojan.Encoder.4860</b> #drweb

At present, Doctor Web specialists have not yet developed a new technique that will help to encrypt files corrupted by this malware.

Dr.Web Security Space 11.0 for Windows
protects against encryption ransomware

This feature is not available in Dr.Web Anti-virus for Windows.

Data Loss Prevention
Preventive Protection Data Loss Prevention

Other threats

In June, Doctor Web security researchers examined Trojan.Bolik.1, a dangerous virus targeting Russian bank clients. The virus is designed to steal money from bank accounts and to monitor user activity. It also steals private information and can spy on the user. The Trojan has borrowed a lot of features from its predecessors Zeus (Trojan.PWS.Panda) and Carberp.

Upon cybercriminals’ command, Trojan.Bolik.1 checks open-for-write folders for the presence of executable files in the Windows system or on connected USB devices and then infects them. Dr.Web Anti-virus detects programs infected by this virus as Win32.Bolik.1. Every such program contains Trojan.Bolik.1 in encrypted form and other necessary information.

Trojan.Bolik.1 controls data transmitted by Microsoft Internet Explorer, Chrome, Opera, and Mozilla Firefox to steal information entered into input forms. Besides, the malware program can take screenshots and perform the keylogger functions. Trojan.Bolik.1 is also able to create its own proxy server and web server for file sharing with virus makers. To learn more about this Trojan, read our review.

Yet another Trojan was detected by our specialists—Trojan.Kovter.297. It can run several windows of Microsoft Internet Explorer simultaneously, visits websites specified by virus makers and generates traffic for them by following advertising links and banners. Therefore, attackers make money on affiliate programs and advertisers. Their key feature lies in the fact that their payload is located not in a file but directly in the computer’s memory. Necessary files needed for their operation are stored in the Windows system registry.

screen Trojan.Kovter.297 #drweb

For more details about Trojan.Kovter.297, refer to the article.

In the end of June, Doctor Web specialists discovered a group of malicious programs that included Trojan.PWS.Spy.19338, a spyware Trojan for accounting software. This Trojan is mainly designed to log keystrokes in such applications as 1C of various versions and SBIS++. It also collects information about the system and sends clipboard data to attackers. you can learn more about Trojan.PWS.Spy.19338 in the news article.

In June, our security researchers detected a Trojan for Linux—Linux.BackDoor.Irc.13—which a modification of Linux.BackDoor.Tsunami; yet, it cannot carry out DDoS attacks. This Trojan executes commands recieved via the IRC (Internet Relay Chat) text-messaging protocol.

Virus makers continued to target Apple users in June: Doctor Web specialists discovered new Trojan for OS X—Mac.BackDoor.SynCloud.1. Once launched, it extracts logins and passwords of all users authorized in the system at the moment. Then it sends this information to the server. Mac.BackDoor.SynCloud.1 downloads an executable file or a script written in Python and executes them. It can also perform other functions—for example, update itself. All transmitted information is encrypted.

Dangerous websites

During June 2016, 1,716,920 URLs of non-recommended sites were added to Dr.Web database.

May 2016 June 2016 Dynamics
+550,258 +1,716,920 +212%
Non-recommended websites

Malicious and unwanted programs for mobile devices

In June, Doctor web security researchers detected several malicious applications being spread via Google Play—Android.Valeriy.1.origin is one of them. This Trojan is able to load dubious websites and display them as advertisements in order to get users’ mobile phone number and subscribe them to chargeable services. Then a certain subscription fee is written off from the user’s mobile account every day. The Trojan can also download malicious programs and execute JavaScript scripts.

Yet another malware program—Android.PWS.Vk.3—was discovered on Google Play as well. This Trojan was represented as a media player for VK music. It prompted the user to enter their login and password for the VK user account and then sent this private information to cybercriminals.

Among the most noticeable June events related to mobile malware, we can mention

  • Detection of a Trojan that opens suspicious websites as advertisements on Google Play.
  • Detection of a Trojan that steals logins and passwords from VK user profiles.

Learn more with Dr.Web

Virus statistics Virus descriptions Virus monthly reviews Laboratory-live

Web Analytics