from Understanding Java Code and Malware | Malwarebytes Unpacked
Last week, we discussed about another 419 scam, itemized 12 steps for secure online banking, differentiated two “intentional security holes”, spotlighted on an Instagram PlayStation scam and a compromise of NASA Kepler’s Twitter feed, and finally, we profiled Eleanor, a new Mac backdoor malware.
Senior Security Researcher Jérôme Segura revealed that malvertising is slowing down, but not entirely out. This observation followed the disappearance of the Angler exploit kit not so long ago. Segura spotted the latest campaign wherein it used fingerprinting techniques, which makes sure that it infects true targets and avoid security researchers. Nowadays, we’re seeing more infections via drive-by download from compromised sites rather than malicious ads.
For our PUP Friday post, we talked about OneClickDownloader, one of the top PUPs of the last quarter. You can read more about it on “One Click, Many Downloads”.
Notable news stories and security related happenings:
- Spam Campaign Distributing Locky Variant Zepto Ransomware. “According to Warren Mercer, security researcher for Cisco Talos, the newly spotted campaign started on Monday, June 27, when around 4,000 spam emails were caught by the security firm’s defenses. However, the campaign ramped up fast over the next couple of days, reaching as many as 137,731 emails in as little as 4 days, the researcher explains.” (Source: Security Week)
- UN Seeking Solutions To Stopping Drug Trade On Dark Web. “The issues is further exacerbated as users, both buyers and sellers are typically obfuscating their locations by using the TOR network. Although not a completely anonymizing solution, it does prove to be an additional hindrance for many unprepared law enforcement agencies throughout the globe. Even when particular users seem to be given them a helping hand from time to time.” (Source: Security Affairs)
- Researcher Pops Locks On Keylogger, Finds Admin’s Email Inbox. “Trustwave researcher Rodel Mendrez has gained access to the inbox of the criminal behind a commercial keylogger used to attack industries including finance, cloud services, logistics, foreign trade, and government. Mendrez’s reverse engineering effort found credentials buried within the Hawkeye keylogger that lead through redirection to the author’s inbox.” (Source: The Register)
- EU Looks To Protect Europe With £1.5bn Cybersecurity Programme. “The European Commission (EC) is trying to better equip Europe against cyberattacks by launching a public-private partnership on cybersecurity worth €1.8 billion (£1.5bn). The investment, which should be completed by 2020, is hoped to strengthen the competitiveness of Europe’s cybersecurity sector.” (Source: Tech Week Europe)
- A Double-Edged Sword: IAM Meets IoT. “Historically, the IAM relationship has been between a human and a device. More recently this has evolved to include smart objects such as cars and even houses. Devices, objects and services are now abundant in many forms within the enterprise IT ecosystem. As such, all IoT entities — such as people, applications, services and devices — within a given enterprise ecosystem need an identity.” (Source: Security Intelligence)
- Could Bitcoin Hold The Key To Stopping Ransomware? “All bitcoin transactions are stored on a public ledger called the blockchain, where anyone can view transactions between bitcoin users. Though the blockchain users preserve their anonymity by using screen names, the public websites where payments are logged can serve as clues for investigators trying to track down ransomware criminals.” (Source: Christian Science Monitor)
- Confusion Reigns Around Data Protection Requirements. “A further 42 per cent in the UK have looked into some aspects of the GDPR but not into the psuedonymisation tools that the legislation recommends. Approximately, one in five of those that have studied the psuedonymisation requirements in the GDPR admit that they are having trouble understanding it.” (Source: Help Net Security)
- Lenovo ThinkPad Zero-day Bypasses Windows Security. “Last week, Dmytro Oleksiuk, also known as cr4sh, released the code for his ThnkPwn proof of concept on Github, showing how it can be used to exploit a flaw in the unified extensible firmware interface (UEFI) driver for privilege escalation. This lets attackers remove the write protection for system flash memory, and allows them to run arbitrary code with full access to the entire victim system.” (Source: IT News Australia)
- ‘Mind-blowingly Awesome’ Telstra Phishing Scam Detected. “The email, which convincingly mimics the branding of the telco, informs the recipient that their bill has been paid twice by mistake. To receive their ‘charge back’ people are ‘requested to visit your account immediately and complete the claim’. It is signed by ‘Telstra executive Gerd Schenkel, Executive Director, Digital Sales and Service’.” (Source: CSO)
- Security Alert: Adwind RAT Spotted In Targeted Attacks With Zero AV Detection. “The RAT was last seen a few months ago, after having been apparently taken down in 2015. It infected almost half a million people and organizations worldwide. Now it has surfaced again, proving that cyber criminals are not ready to give up on using it. A zero percent detection rate associated with these attacks in bound to make potential targets anxious about the effectiveness of their current defenses.” (Source: Heimdal Security’s Blog)
- Lack Of Role Models Keeps Women Out Of Cyber Security. “Cyber security is mainly discussed in terms of passwords and hacking, she notes. ‘But there is a cultural aspect that involves psychological engagement, organisational psychology and is not just about security breaches.’ While clearly the jobs are rooted in technology, professionals working in the field do not necessarily need engineering or coding backgrounds. ‘Too frequently the specs are too technical’, says Ms Reid. ‘It might put women off.'” (Source: Financial Times)
- Just 47% Of Corporations Have Cyber Security Strategy To Combat Employee Blackmail, Bribes To Gain Access To Corporate Information: Report. “Specifically, the report found that while 94% of polled IT decision-makers are aware that criminal entrepreneurs are blackmailing and bribing employees to gain access to organizations, less than half (47%) admit that they do not have a strategy in place to prevent it. Results suggest the industrialization of cyber crime is disrupting digital enterprises, with BT and KPMG citing emerging threats from profit-orientated and highly organized cyber criminal enterprises.” (Source: Canadian Underwriter)
- Facebook Trojan Hits 10,000 Victims In 48 Hours. “Between June 24 – 27, cyber criminals used Facebook spam messages to distribute malware. For 48 hours the virus hijacked user accounts to perform various operations, such as giving likes and sharing unwanted content. A Kaspersky Lab security expert found out that the malware campaign was spreading among Facebook accounts in the form of a spam message received from a friend, informing users about being mentioned in a comment.” (Source: Virus Guides)
- Chinese Ad Firm Raking In $300K A Month Through Adfraud, Android Malware. “The same group of cybercriminals behind a strain of iOS malware uncovered last year have apparently diversified and now dabble in Android malware. The group, dubbed Yingmob, has been running a malware campaign named HummingBad that controls 10 million Android devices globally and rakes in $300,000 a month, researchers said on Friday.” (Source: Kaspersky’s ThreatPost)
- EasyDoc Malware Adds Tor Backdoor To Macs For Botnet Control. “Security firm Bitdefender has issued an alert about a malicious app that hands over control of Macs to criminals via Tor. Security firm Bitdefender has issued an alert about a malicious app that hands over control of Macs to criminals via Tor.” (Source: The Register)
- 20 Million Iranian Mobile Users’ Data Leaked But Operator Denies Being Hacked. “Iran’s second largest mobile operator, Irancell, lost the personal information of 20 million customers in a data leak last week – almost one-fourth of the country population – in the biggest known data breach in Iran’s cyber-history. A few days later, Iran’s cyber-police announced that they had arrested a 19 year-old computer student, accused of being responsible for disseminating the data.” (Source: SC Magazine)
- Facebook ‘Fake Friend’ Phishing Attack Uncovered – Here’s How To Spot It. “Facebook users have been receiving rogue messages from ‘friends’ who appear to have mentioned them in posts on the social network. Compromised devices were then used to hijack Facebook accounts and spread the infection through the victim’s own Facebook friends, Kaspersky Lab security experts say.” (Source: Telegraph)
- How Your Smartwatch Or Fitness Tracker Could Reveal Your ATM PIN. “Quick question – are you right or left handed? That’s a harmless enough question, but here’s the follow-up: do you wear a smartwatch or fitness tracker on that same wrist? If you do, then you may want to rethink whether that was a sensible choice after you’ve read about some fascinating research done by a group of scientists from Binghamton University.” (Source: Tripwire’s The State of Security Blog)
- Here’s How Secret Voice Commands Could Hijack Your Smartphone. “Voice recognition has taken off quickly on phones, thanks to services like Google Now and Apple’s Siri, but voice software can also make it easier to hack devices, warned Micah Sherr, a Georgetown University professor and one of the paper’s authors. The team found that they could mangle voice commands so that humans can barely recognize the words but software still can. The result condenses the words into a demonic growl.” (Source: CSO)
Safe surfing, everyone!
The Malwarebytes Labs Team
RELATED ARTICLES
July 26, 2012 - That’s right, this week some of the Malwarebytes gang will be out in Las Vegas for the hacker convention: DefCon 20! Who is going? Marcin Kleczynski – CEO Rebecca Kline – Director of Marketing Josh Hall-Bachner – Web Developer Doug Swanson – VP of Development Adam Kujawa – Me! What are we doing there? DefCon...
July 30, 2012 - As mentioned last week, the Malwarebytes crew made it out to DefCon this year to check out all of the interesting talks and presentations given by various members of the computer/intelligence security community. This blog is meant to summarize most of what we saw, giving a brief explanation of which talks we thought were the...
August 8, 2012 - My colleague Adam Kujawa recently wrote a great post about the Malwarebytes experience at the hacker convention DefCon this year. By popular demand, here’s a round-up of my top four favorite DefCon talks from a development perspective: 1. “Stiltwalker”, by “DC949” (http://ift.tt/28JOru2) I am sure everyone is familiar with reCAPTCHA. You have likely wasted hours...
August 24, 2012 - BitCoin is a new-ish form of digital currency. It allows people to perform financial transactions without the need for a bank or central authority and allows for a large amount of privacy. Transactions are currently limited to ones performed online and only by individuals and organizations that accept BitCoin as payment. However, in the next...
September 18, 2012 - In war, there are always two sides: the attackers and the defenders. A less focused on group is the researchers and developers. While soldiers are fighting a war on the front lines, scientists and engineers are researching and developing new weapons, defenses and tools; things that give their side an advantage. If one of these...
