TreasureHunter Point-of-Sale Malware and Builder Source Code Leaked

The source code for a longstanding point-of-sale (PoS) malware family called TreasureHunter has been leaked on a top-tier Russian-speaking forum. Compounding the issue is the coinciding leak by the same actor of the source code for the malware’s graphical user interface builder and administrator panel.

The availability of both code bases lowers the barrier for entry for cybercriminals wishing to capitalize on the leaks to build their own variants of the PoS malware.

Point-of-sale malware has been at the root of many breaches, including massive thefts at retailers Target in 2013 and Home Depot in 2014; in each case attackers were able to extract more than 100 million payment card and customer records from point-of-sale terminals by scraping card data before it was encrypted and sent to the payment processor. Both retail giants paid tens of millions of dollars in settlements, and in Target’s case, its chief executive officer resigned his position.

Industry Collaboration on Detection and Prevention

TreasureHunter has been known and investigated since 2014, but until now investigators have had to reverse-engineer its code in order to analyze it. Now with the full code available, analysts have previously unseen insight into the malware’s operation. Flashpoint analysts, who discovered the source code leak in March, proactively collaborated with researchers at Cisco Talos, who reviewed and improved protections, and advanced-detection mechanisms, in an effort to disrupt potential copycats who may have their hands on the source code.

In the meantime, Russian-speaking cybercriminals have been observed on the vetted underground discussing improvements and weaponization of the leaked TreasureHunter source code. Notably, the original developer appears to be a Russian speaker who is proficient in English. Originally, this malware appears to have been developed for the notorious underground shop dump seller “BearsInc,” who maintained presence on various low-tier and mid-tier hacking and carding communities (below is a graphical representation of such an operation on the Deep & Dark Web). It’s unknown why the source code was leaked at this time.

A graphical representation of a typical cybercrime dump shop ecosystem.

Image 1: A graphical representation of a typical cybercrime dump shop ecosystem.

One Leak Can Spawn Many Variants

TreasureHunter behaves like many other point-of-sale malware samples. Once an attacker has access to a Windows-based server and the point-of-sale terminal, the malware is installed and it establishes persistence by creating a registry key that runs the malware at startup. It then enumerates running processes, and scans device memory looking for track data, including primary account numbers (PANs), separators, service codes, and more. It then establishes a connection with the attacker’s command and control server and sends the stolen data to the criminal.

The leak of the builder adds another dimension to the availability of the TreasureHunter payload and configurations. In the past, malware source code leaks such as the Zeus banking Trojan have spawned numerous variants, including Citadel, which cost organizations hundreds of millions in losses. PoS malware leaks have had similar effects, most notably with the 2015 leak of the Alina malware which led to the creation of the ProPoS and Katrina variants. The actor behind the TreasureHunter leak said:

“Besides alina, vskimmer and other sniffers, Treasure Hunter still sniffs ( not at a very high rate, but it still does ) and besides that , since now you have the source code, it can be update anytime for your own needs.”

For researchers, the availability of the source code opens the door into new avenues of analysis and proactive visibility into such activity on the underground. This affords organizations such as Flashpoint the ability to collaborate with others in the industry such as Cisco Talos in this case to improve existing protections and force attackers back to the drawing board.

Source-Code Level Insight

The code project appears to be called internally trhutt34C, and was written in pure C with no C++ features. It was compiled originally in Visual Studio 2013 on Windows XP. Based on analysis, researchers believe the developer intended to improve and redesign various features including anti-debugging, code structure improvement, and gate communication logic. With the goal of additional features to be improved, the developer hoped frustrate malware analysis and subsequent research; the actor left behind a note that said: “We want the malware researchers screamin’!”

A snapshot of the TreasureHunter source code.

Image 2: A snapshot of the TreasureHunter source code.

The unfinished project included continued improvement code snippets, below:

  • TO DO for the next version of the client (0.2 Beta):
    • Replace all Unicode versions of functions with ANSI versions. Now why did I ever go for wide-char in the first place?..
  • Improve the code structure:
    • Replace all the if – else constructs that are rendered needless by return commands;
    • Organize the includes;
    • Give the code proper commenting so that I am able to modify and improve it after not having seen it for some time (if such a thing happens).
    • Make scan exceptions and service codes configurable.
    • Add the following commands to the gate communication logic:
    • Download and execute for updating;
    • Remote CMD command execution;
    • Remote self-removal for emergency cases.
    • Add anti-debugging:
      • Use self-debugging by creating a child process (may be improved later by reversing the tables);
      • Improve the MD5 function and use it to find debuggers by signatures (maybe to be added in future versions);
      • Use GetTickCount to detect parts of code being stepped through (maybe to be added in a “heuristical” joint algorithm with the abovementioned);
      • Upon finding a debugger, destroy the critical section and/or start creating new threads infinitely until the application crashes.
      • Maybe also kill processes and delete debuggers and/or decompilers permanently. We want the malware researchers screamin’!
  • Add better persistency and timeouts to gate communication.
  • Add local saving of data if the gate can’t be reached for a certain period of time.
  • Add the option to run the program as a service on Windows XP.
  • Improve the code structure and add comments to avoid future confusion.
  • Add error handling and backup restart in case of crash or heap overflow (malloc fail).
  • Improve the Clingfish system (so that a clingfish thread doesn’t do the same thing as the main thread right after being spawned).
  • Debug the system information extraction mechanism further (on different OS versions).
  • Improve the track-finding algorithm to make it faster.

The stolen dump structure is as follows. The structure contains the following key elements used to collect and operate with stolen dumps, such as unique machine information and where scraped data is from:

typedef struct dumpsHolder {
TCHAR *lpFileName;
int lpFileNameLength;
int procID;
char *trackArr;
int trackArrLength;
} dumpsHolder;

The credit card process scan works in exception mode:

char *scanExceptions[SCANEXCEPTIONSNUM] = {“System32”, “SysWOW64”, “\Windows\explorer.exe”};

The malware focuses on scraping credit card track data, focusing on the following service codes:

char *serviceCodes[SERVICECODESNUM] = {“101”, “201”, “121”, “231”, “221”, “110”};

Registry persistence for autostart in HKLMMicrosoftWindowsCurrentVersionRun runs as “jucheck.”

A registry key created by the malware for persistence

Image 3: A registry key created by the malware for persistence.

The source code is consistent with the various samples that have been seen in the wild over the last few years. TreasureHunterconfig.h shows definite signs of modification over the lifespan of the malware. Early samples filled all of the configurable fields with FIELDNAME_PLACEHOLDER to be overwritten by the builder. More recent samples, and the source code, instead writes useful config values directly into the fields. This makes the samples slightly smaller and uses fresh compiles to create reconfigured files.

The post TreasureHunter Point-of-Sale Malware and Builder Source Code Leaked appeared first on Flashpoint.

Go to Source
Author: Flashpoint

RAT Gone Rogue: Meet ARS VBS Loader

Malicious VBScript has long been a fixture of spam and phishing campaigns, but until recently its functionality has been limited to downloading malware from an attacker-controlled server and executing it on a compromised computer.

Researchers at Flashpoint have seen and analyzed a unique departure from this norm in ARS VBS Loader, a spin-off of a popular downloader called SafeLoader VBS that was sold and eventually leaked in 2015 on Russian crimeware forums.

ARS VBS Loader not only downloads and executes malicious code, but also includes a command and control application written in PHP that allows a botmaster to issue commands to a victim’s machine. This behavior likens ARS VBS Loader to a remote access Trojan (RAT), giving it behavior and capabilities rarely seen in malicious “loaders”, i.e. initial infection vector malware families used to install subsequent payloads.

Image 1: ARS VBS Loader's administrative login portal.

Image 1: ARS VBS Loader’s administrative login portal.

The new loader has been spammed out in email attachments enticing victims with lures in subject lines related to personal banking, package shipments, and toll road notifications. Should a victim interact with the attachment and launch it, analysts say numerous types of commodity malware could be installed, including the AZORult information-stealing malware. AZORult was also used in campaigns targeting more than 1,000 Magento admin panels; in those attacks, the malware was used to scrape payment card information from sites running the popular free and open source ecommerce platform.

ARS VBS Loader targets only Windows machines and supports Windows 10, according to posts to a Russian-speaking forum going back to December. Previously, another loader called FUD ASPC Loader, first advertised in May 2017, contained similar functionality but not Windows 10 support.

The loader is also likely to side-step detection by signature-based antivirus and intrusion detection systems because of the relative ease in which attackers can obfuscate VBScript, Flashpoint analysts said. Obfuscation through a variety of means allows attackers to hide malware; if the malware is obfuscated with encryption or packing, it’s exponentially more difficult for antivirus to sniff out malicious code, for example.

Once the ARS VBS Loader executes on a victim’s computer, it immediately creates a number of entries in nearly a dozen autorun locations, including registry, scheduled tasks, and the startup folder, ensuring persistence through reboots. ARS VBS Loader will connect to the attacker’s server, sending it system information such as the operating system version name, computer user name, RAM, processor and graphics card information, a randomly generated ID for infection tracking, and machine architecture information.

Image 2: ARS VBS Loader submits check in information to the C2 in GET and POST parameters.

Image 2: ARS VBS Loader submits check in information to the C2 in GET and POST parameters.

The botmaster, meanwhile, can remotely administer commands to bots through the PHP command-and-control application. Communication with the command-and-control server is carried out in plaintext over HTTP, making it easy to spot, Flashpoint analysts said.
The malicious code that runs on the victim’s machine is written entirely in VBScript and contains functionality for updating and deleting itself, and deploying plugins such as a credentials stealer, or launching application-layer denial-of-service (DoS) attacks against websites, and loading additional malware from external websites.

The most common command spotted by analysts is download, which instructs bots to download and execute malware from a supplied URL. There is also the plugin command where plugins that steal passwords or capture desktop screenshots can be pushed to compromised computers.

The DDoS command is also noteworthy because it’s a unique capability; analysts said they have not seen this command used in the wild. The command tells bots to send a specified amount of HTTP POST requests to a particular URL. Since this is a simple application layer flooding attack, it is currently unknown how successful this attack would be against targets in the wild, analysts said, adding that it would be easy to spot such traffic because the same hardcoded POST values are sent in the HTTP flood.

Image 3: Example DDoS HTTP flooding traffic from an infected bot.

Image 3: Example DDoS HTTP flooding traffic from an infected bot.

Analysts caution that users should be vigilant about not opening email attachments from unknown sources, and that it’s likely ARS VBS Loader will continue to be an effective initial infection vector for spam campaigns.

To download the indicators of compromise (IOCs) for the ARS VBS Loader, click here.

To download the Yara rule for the ARS VBS Loader, click here.

The post RAT Gone Rogue: Meet ARS VBS Loader appeared first on Flashpoint.

Go to Source
Author: Flashpoint

Mobile Menace Monday: Fake WhatsApp can steal info from your phone

Last month, a blogger at My Online Security reported receiving a spam comment containing WhatsApp Plus. Going through the process, they downloaded an APK of this so-called WhatsApp Plus. Where they ended was as stated,

I am not certain exactly what this does, but from the sandbox reports it looks like it has the potential to steal information, photos, phone numbers etc from your mobile phone.  

Indeed, they are correct, as this is a variant of Android/PUP.Riskware.Wtaspin.GB, a Fake WhatsApp riskware that dates back to mid-2017.  But what makes this variant unique is where it leads us.

Whats in a Fake WhatsApp?

As our dear My Online Security blogger did, I too went through the process and downloaded/installed the APK aforementioned in the linked blog. Upon opening the app is the following greeting:

Of special interest is the gold logo in the middle with a URL and handle. Onward, I clicked on AGREE AND CONTINUE to find, oh no, I was out of date!

The message states, Please go to Google Play Store to download latest version — nah, I’d rather click the DOWNLOAD button. Where I was redirected was intriguing.

Into another realm of Fake WhatsApp

Where I landed was on the above URL from the shiny gold logo. Everything on the webpage is written in Arabic.

Here I was on the official website to download Watts Plus Plus WhatsApp—that unusual name could very well be an awkward Google translate, by the way.  Among numerous ads (a developer needs to make some ad revenue after all) was text explaining this developer’s WhatsApp version. Below is the (very) rough translation, with minor condensing to the most pertinent information:

What is Watts Plus Plus Whatsapp Plus?

Is a copy of WattsPlus developed by Abu, there may be no confidence in some users in the download of Whatsapp Plus, but this version has been checked files Wats through special programs and the result is positive is safe , and the version of Watts Plus is updated Abu periodically for the  last issue is a special version of the fans of Watts AP Plus:

Secure:  The antivirus software code has been checked, the Watsp files are encrypted in the Watspec servers and cannot be decrypted and can only be decrypted by Wattsp itself.

Updated to the latest version:  Watts August the company issued almost every two days a simple update, and is almost updated copies of our own every two months periodically until the copies contain only critical updates.

Four numbers in the same phone: In this version you can run up to four numbers in the same phone without a routine or any difficulty

Features

Hide the last appearance of friends completely with the property of hiding the reading and reception, and the disappearance of the current writing and running and hide that you have played a clip and your voice. And hide that you watched the case of your friend (Alasturi).

The possibility of changing the program line completely to many of the ready lines

Provides the security feature of the application by placing a secret number cannot open the application without it.

Provides security for conversations by placing a secret number cannot open the conversation without him.

You can send more than 100 photos at once to your friends.

And many other features

Hide what you saw the situation:  You can in the latest version of WhatsApp + WhatsApp Plus WhatSapp Plus AbuSamad AlRifa’i Hide that you watched the status of friends from privacy options from the top menu.

What is the best feature in WhatsApp Plus WhatsApp Plus What isApp Plus Abu Sadam Rifai  If we activate this option, no one will be able to see you online forever and will not show the date of your last appearance and no one will know you are online even while you are on the wattage .

Hide the second health:  The sender of the messages will not be able to tell you that you received the message.

Hides the blue ones:  The sender cannot tell you that you read the message but in return you know that he has read the messages and only shows you the blue ones.

Hide the current writing:  You can also in the new version and the latest version of WhatsApp + WhatsApp Plus whatsapp plus Abu Saddam Al – Rifai  hide hiding or typing on the other end of the conversation.

Hides recording:  When recording a track.

Hide playback signal:  ie, the sender cannot tell you have listened to the audio track.

Two-way operation:  You can run two versions of Wattsp on one device without a router by downloading Watts 1 and Watts 2.

See the status of people without entering the conversation:  You can see the status of people connected or last seen from the main screen of the program.

What stood out to me was all the abilities to hide oneself in various ways—very spy-like behavior.

Onward to the next version

Sifting through all the ads stating they were the download button, I finally came across the true download link. After updating, I once again came to the same screen shown above with the gold logo. This time, after pressing the AGREE AND CONTINUE button, the next screen asked to verify a phone number.

After doing so, a changelog appeared with fixes to the app’s hiding features.

Click to view slideshow.

Clicking OK to the changelog, what appears to be a functioning version of WhatsApp opens.

Click to view slideshow.

WhatsCode…ur…what’s in the code

The incriminating code of Android/PUP.Riskware.Wtaspin.GB is within receivers, services, and activities starting with com.gb.atnfas. This code is in various fake WhatsApp APKs. The only difference of the aforementioned version from above is the code points to the Arabic webpage to update.

After analyzing several different versions of PUP.Riskware.Wtaspin.GB, it appears all have different URLs from which to update. Thus, everyone is just copy catting the original source code and adding their own “update” website. So, who is the original author of this riskware? Is the Arabic developer, Abu, the originating author?

The code of this riskware is complex. The webpage of the developer claiming to be owner—not so complex. Although I won’t completely rule out the possibility, let’s just say I am skeptical.

No matter the true author or origin of this fake Whatsapp, I suggest sticking with the real WhatsApp on Google Play. Although Google Play has its faults, it’s tremendously safer than some of the sources I came across researching this riskware. Stay safe out there!

The post Mobile Menace Monday: Fake WhatsApp can steal info from your phone appeared first on Malwarebytes Labs.

Go to Source
Author: Nathan Collier

Compromised Magento Sites Delivering Malware

Ecommerce websites running on the popular open-source Magento platform are being targeted by attackers who are using brute-force password attacks to access administration panels to scrape credit card numbers and install malware that mines cryptocurrency.

Researchers at Flashpoint are aware of the compromise of at least 1,000 Magento admin panels, and said that interest in the platform has continued unabated on entry-level and top-tier Deep & Dark Web forums since 2016. Attackers have also demonstrated continued interest in other popular ecommerce-processing content management systems such as Powerfront CMS and OpenCart.

The Magento sites are being compromised through brute-force attacks using common and known default Magento credentials. Brute-force attacks such as these are simplified when admins fail to change the credentials upon installation of the platform. Attackers, meanwhile, can build simple automated scripts loaded with known credentials to facilitate access of the panels.

Once the attacker has control of the site’s Magento CMS admin panel, they have unfettered access to the site and the ability to add any script they choose. In this case, the attackers were injecting malicious code in the Magento core file, allowing them access to pages where payment data is processed. POST requests to the server containing sensitive data are then intercepted and redirected to the attacker.

Flashpoint analysts said the compromised sites return an exploit in the form of a phony Adobe Flash Player update, which if launched by the user runs malicious JavaScript that downloads malware from attacker-controlled servers on GitHub and other compromised sites onto the victim’s computer.

Analysts said the infection chain begins with the installation of data-stealing malware called AZORult from a binary hosted on GitHub. AZORult then downloads additional malware; in this campaign, the additional malware is the Rarog cryptocurrency miner. The attackers are keen on avoiding detection and update the malicious files daily in order to sidestep signature- and behavior-based detection. Flashpoint said the accounts hosting these files have been active since 2017.

Image 1: Anatomy of the attack.

Image 1: Anatomy of the attack.

Flashpoint said that most of the victims among the 1,000 panels it is aware of are in the education and healthcare industries, and that the IP addresses of the compromised panels map to locations in the United States and Europe.

Analysts assess that this is likely only a set of a larger sample of compromised Magento panels.

Flashpoint is working with law enforcement to notify victims of these compromises.

Image 2: The IP addresses for the compromised panels in the sample set map predominantly to Europe and the United States.

Image 2: The IP addresses for the compromised panels in the sample set map predominantly to Europe and the United States.

In the meantime, the rash of attacks resurrects the epidemic of default credential usage among admins. Default credentials were at the core of the 2016 Mirai attacks where hackers were able to access connected devices such as security cameras, DVRs and routers using known and common default passwords. The compromised IoT devices were corralled into a massive botnet that was pointed at a number of high-value targets including DNS provider Dyn, French webhost OVH, and journalist Brian Krebs’ website in order to carry out crippling distributed denial-of-service attacks. The DDoS attack against Dyn peaked at 1 terabyte-per-second and took a number of popular websites and services offline for the better part of day in October 2016, including Twitter, Spotify and GitHub.

Magento admins are advised to review CMS account logins and mitigate their exposure to brute-force attacks by enforcing the following password-hygiene practices:

  • Enforce organizational password complexity requirements.
  • Restrict users from recycling previously used passwords.
  • Enable two-factor authentication for sensitive systems, applications, databases, and remote access solutions.
  • Supply users with secure password managers to assist with password requirements.

The indicators of compromise (IOCs) for AZORult, Rarog, and the campaign targeting Magento are available for download here. The Yara rule is available for download here.

The post Compromised Magento Sites Delivering Malware appeared first on Flashpoint.

Go to Source
Author: Flashpoint

“Celebrating Stephen Hawking” with a 419 scam

The recently departed Stephen Hawking is apparently back from the dead, now a target for scammers wanting to extract some quick cash from the unwary in the form of a vaguely surreal 419 scam.

The whole thing begins with an email from, er, Stephen Hawking titled “Celebrating Stephen Hawking.”

hawking mail

Click to enlarge

The body text is a slightly mangled swipe job from this AP article over on NYTimes, explaining Hawking’s health condition, a potted biography, and a mention of his famous book, A Brief History of Time. At this point, you may be wondering what the point of this missive is—it appears to be some sort of peculiar In Memoriam-style infodump, with nothing particularly sinister going on.

However, it quickly becomes a little more interesting with this next section of content:

hawking mail second part

Click to enlarge

Celebrating Hawking of his late on age 76yrs.
Awarding to a Person whom answer these questions about Stephen Hawking
will be Rewarded with Sum of $8 Million Dollars

QUESTION AND ANSWER

(A) Who is Stephen Hawking wife?
(B) Where is Stephen Hawking from?
(C) Who is Stephen Hawking?

That’s right. Answer some questions about Stephen Hawking, and win a cash prize—a very large one, in fact, to the tune of a cool $8 million. If you’re thinking something along the lines of, “This is too good to be true,” you most definitely would be onto something.

The email links to a Verge article it says will provide the answers to the three questions. Amazingly, not only are the scammers seemingly willing to provide the answers to this impromptu quiz, but they’re also not providing the answers, because the article does no such thing. So a round of applause for our fake email friend for making me read something needlessly.

It goes on:

Notice: These three question will lead you to Eight Millions Dollars Cash.

Answer………………….

(A)
(B)
(C)

To E-mail:

Be reminded $8m Awaiting to your winning answer of these question.

Your’s Faithfully
Science Space

Thanks, “Science Space,” if that really is your name (because Stephen Hawking certainly isn’t). They will, of course, go on to call themselves “Scientist Space” a little later on in the mail chain because accuracy and consistency don’t appear to be a concern for our Hawking-themed scammers. Bad for them, and good for us, as you now have a few more peculiar aliases to add to the pile of “This is most definitely the fakest thing I’ve seen since last Wednesday.”

Anyway, I sent them a pile of deliberately incorrect answers to see if they actually would refuse to offer me the fake $8 million, or if the questions were utterly meaningless. Imagine my surprise to find that they really wanted me to jump through some research hoops, and were quite happy to send me an answer to get me started:

hawking reply

Click to enlarge

Oops Accurate answers Request…….. ….

Your Answers is incorrect.

Example Number One
A) Stephen William Hawking wife, her Name is……… Jane Beryl Hawking

You still have a chance to win to an accurate answers
to the left of the (2) questions

Terms
Scientist Space

Yes, they’re just straight up giving me the answers, and now I had to do some digging of my own. I sent a reply answering 2 and 3, and…

i'm a hawking winner

Click to enlarge

…………You Just won $8 Million Dollars Portfolio,………

Your Winning is ready to Claimed.
As it’s your readiness of Claiming your portfolio $8M
will need your following information to your Claimed

Your Name……………….
Address…………………..
Cell Phone………………
Age……………….
Height……..
Width……….
A copy of Gorv issue ID Card if any.

This is a hug money that will change your entirely life to your future generation.
Good-luck to your family will never surfer again bringing it to you by Late Dr Stephen William Hawking.
to your answers Award winner.

Terms
Scientist Space

Just like that, I’ve won $8 million. Hooray!

Except, not really. What I’ve actually won is a chance to lose all my money, and possibly become a money mule in the bargain. (Also, who asks for “width”?!) I’m afraid to say that neither Stephen Hawking nor anyone claiming to be representing him will be mailing you about cash prizes anytime soon.

This is just another poor attempt by scammers to make a quick buck off the name of a famous, recently deceased individual. Utterly reprehensible, and entirely fraudulent. Should you receive a mail along the lines of the above, report it, then delete. You won’t land a cool 8 mil, but you will be doing your part to prevent someone else from falling for the same scam.

(Thanks to Tane Piper for sending this over.)

The post “Celebrating Stephen Hawking” with a 419 scam appeared first on Malwarebytes Labs.

Go to Source
Author: Christopher Boyd

Kotlin-based malicious apps penetrate Google market

An open-source programming language, Kotlin is a fully-supported official programming language for Android. Google boasts that Kotlin contains safety features in order to make apps “healthy by default.” Many apps are already built with Kotlin, from the hottest startups to Fortune 500 companies. (Twitter, Uber, Pinterest)

Concise while being expressive, Kotlin reduces the amount of boilerplate code needed to create an app—which makes it much safer. However, as revealed by Trend Micro researchers, the first samples of Android malware created using Kotlin were found on Google Play. Introducing: Swift Cleaner, a utility tool built with Kotlin that claims to clean and optimize Android devices.

This malicious app is capable of remote command execution, can steal personal information, carry out click fraud, and sign users up to premium SMS subscription services without their permission. So much for safe.

Analyze this

Subsequently, after launching Swift Cleaner, the first thing the malware does is call PspManager.initSDK, check the phone number, and send an SMS message to the particular number that is given by the C&C server. The app initiates this to check for a SIM card presence and if mobile carrier services are available.

Upon server interaction, the malicious part of the app launches URL forwarding and click fraud activities. Click fraud is an illegal practice that occurs when individuals click on a website’s advertisements (either banner ads or paid text links) to increase the payable number of clicks to the advertiser. In our case, the app clicks on a URL, which leads you to a survey. At the end of the survey, you are given an opportunity to get some free services if you click on the claim link. By clicking the button, you will then be redirected to another possibly malicious website.

Meanwhile, Swift Cleaner collects personal information from the infected mobile device, such as the International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI), and information about the SIM card. The stolen information is then encrypted and sent to the remote Command and Control (C&C) server.

There are services that run in the background in order to communicate with a C&C server. Swift Cleaner compromises one of these services: the Wireless Application Protocol (WAP). WAP is a technical standard for accessing information over a mobile wireless network.

The app is using WAP in conjunction with JavaScript in order to bolt on CAPTCHA bypass functionality, using mobile data and analyzing the image base64 code. CAPTCHA images are parsed and cracked, and the image data will later be uploaded to the C&C server. This data is needed to train the neural network. Later on, all the image samples will be useful for finding the best match for each character of the new upcoming CAPTCHA.

Premium SMS service

The Swift Cleaner malware also uploads information about the user’s service provider along with login information and similar sensitive data to the C&C server. This can automatically sign users up for a premium SMS service, which will cost money.

Premium rate SMS is a way of mobile billing where user pays for a premium service by either receiving or sending a message. There are two ways this billing service works:

  1. Mobile Originated (MO): where the mobile user pays to send a message (used for once-off services, such as competitions)
  2. Mobile Terminated (MT): where the mobile user pays to receive a message (used for subscription services)

Our example app uses the premium SMS MO service, and redirects users to webpages where they can select to send a message.

Neverending story

As of now, Google has removed the fake Swift Cleaner apps carrying this new malware from the Play Store. However, even if Google states that their protection is on a high level, there appears to be no fail-proof way to stop malware from entering the Play store. By using a quality mobile anti-malware scanner as second layer of protection, you can stay safe even when Google Play Protect fails. We (as always) recommend Malwarebytes for Android. Stay safe out there!

The post Kotlin-based malicious apps penetrate Google market appeared first on Malwarebytes Labs.

Go to Source
Author: Gleb Malygin

Panic attack: Apple scams apply pressure

We’ve seen a number of Apple-related phishes in circulation over the last few days. While most of them already lead to deactivated phishing sites, we thought it was worth highlighting some of the tricks being used to bait people into handing over payment details at the moment.

Fake receipt emails

First up, a number of fake “receipt” emails ranging in date from February 2–6. While the content of some of the emails varies slightly, most of them use a subject line similar to the below:

[ New Statement ] Your receipt from Apple [ 02 February 2018 ]

In the cases we’ve seen, the mails claim to be receipts for a payment of $9.99 made out to, er, Mr. Edward Snowden. Apparently, privacy campaigns and 2 terabyte storage plans go together nicely.

fake apple cloud purchase

Click to enlarge

The general rule of thumb is to try and be as inconspicuous as possible, so we’re not really sure why the scammers went with one of the most well-known privacy advocates on the planet to fill in the personal information box. Not only that, but they used a randomly-grabbed address from a property website sporting nine bedrooms and four bathrooms.

Maybe the plan is to hit the potential victim with something so utterly ludicrous, that they’ve already clicked the link before they’ve had time to think about it. For a lot of people, simply seeing a “Thanks for the order of this thing that costs you money” would be enough to have panic set in.

The good news for potential clickers is, the site the scammers are trying to bounce through is already wise to the scam and has effectively killed the one-way street to the phish page.

That link is down

Click to enlarge

The phish link itself is also offline, so we can’t show you what may lay in wait. But we can confirm people won’t be losing money to this one anytime soon.

Someone else logged in

Elsewhere, we have a “Reminder” notification that someone else is logging in on your Apple account with an iPod in Monaco.

ipod login

Click to Enlarge

The email reads as follows:

[Reminder] [Notification Update] Statement new log-in your Apple account with other device

Fοuг уοuг ѕаfеtу, уοuг Αррlе ID hаѕ Ьееn lοсκеd Ьесаuѕе wе fοund ѕοmе ѕuѕрісіοuѕ асtіνіtу οn уοuг ассοunt. Ѕοmеοnе ассеѕѕіng уοuг ассοunt аnd mаκе ѕοmе сhаngе οn уοuг ассοunt іnfοгmаtіοn. This the details :
Country : Monaco
IP Address :
Date and Time : 13:09, 06 Feb 2018
OS : iPod
Browser : Safari

If you did not make these action or you believe an unauthorized person has accessed your account, you should login to your account as soon as possible to verify your information.

Apart from the lazy typos (“Four your safety”) and awful sentence structure, they also make use of some Cyrillic characters in a likely attempt to bypass Beyesian filtering. While the destination site was offline again, it’s worth noting that all of the examples tried to send potential victims to HTTPs websites, instead of the plain old HTTP landing page. All phishers now want to look as “secure” as they possibly can—anything to help pull the wool over your eyes.

Always worth repeating: Just because a website is HTTPs, does not mean it is a legitimate website. Phish pages can lurk anywhere, no matter what security the page you’re on happens to be touting.

Apple care scare

There’s also some dubious texts going around claiming to be from Apple Care:

final notification

It reads as follows:

Final Notification

Your Apple ID is due to expire today. Prevent this by confirming your Apple ID at

appleid-revise(dot)com

Apple Inc

As you can see, there’s a big push to apply pressure to potential victims, and everything falls somewhere between the two extremes of “Payment made, quick do something!” and “So, your account is going to be terminated.” While we’re happy to say this is another one that came to our attention already DOA, even as texts were going out, the sad truth is that for every site taken down there are many more happily accepting credit card details and personal information.

Fake app purchases

We’ve also seen some fake app purchases, and this one rather spookily has an order number attached that was actually of some relevance to the recipient.

While one hopes this is just some horrible coincidence, it could just as easily have prompted the above individual to start visiting rogue links—and that’s all it really takes. Just one fragment of information from an otherwise garbled email missive could be enough to cost someone a small fortune—or even worse, a very large one.

If you’re worried about the pushy tone of a supposed Apple missive, contact them directly to check its validity, and wander over to their help page for more information on securing your Apple account. These are some of the most common scams around, and for as long as Apple IDs are tied to valuable purchases and personal information, criminals will continue target these accounts.

The post Panic attack: Apple scams apply pressure appeared first on Malwarebytes Labs.

Go to Source
Author: Christopher Boyd

Bank robbers 2.0: digital thievery and stolen cryptocoins

Imagine running down the street (and away from law enforcement) with 2,000 pounds of gold bars. Or 1,450 pounds in $100 bills. With both of these physical currencies amounting to roughly US$64 million, you’d be making quite a steal…if you could get away with it.

That’s exactly what the next generation of thieves—bank robbers 2.0—did in December 2017, when they stole more than $60 million in Bitcoin* from the mining marketplace NiceHash. It turns out stealing Bitcoin is a lot less taxing on the body.

*Disclaimer: I used the value of Bitcoins as they were at the time of the robbery. Current values are volatile and change from minute to minute.

Crime these days has gotten a technical upgrade. By going digital, crooks are better able to pull off high-stakes sting operations, using the anonymity of the Internet as their weapon of choice. And their target? Cryptocurrency.

Old-school bank robbers

The amount of money stolen from NiceHash is comparable to arguably the biggest physical heist to date, the theft of nearly $70 million from a Brazilian bank in 2005. Noted in the Guinness Book of World Records, the robbers managed to get away with 7,716 pounds of 50 Brazilian real notes. There were 25 people involved—including experts in mathematics, engineering, and excavation—who fronted a landscaping company near the bank, dug a 78-meter (256-foot) tunnel underneath it, and broke through 1 meter (about 3.5 feet) of steel-reinforced concrete to enter the bank vault.

The largest bank robbery in the United States, meanwhile, was at the United California Bank in 1972. The details of this bank robbery were described by its mastermind, Amil Dinsio, in the book Inside the Vault. A gang of seven, including an alarm expert, explosives expert, and burglary tool designer, broke into the bank’s safe deposit vault and made off with cash and valuables with an estimated value of $30 million US dollars.

What these robberies have in common is that, in order to pull them off, there were large groups of criminals involved with various special skills. Most of the criminals of these robberies were either caught or betrayed—physical theft leaves physical traces behind. Today’s physical robbers run the risk of getting hurt or hurting others, or leaving behind prints or DNA. And they are often tasked with moving large amounts of money or merchandise without being seen.

heavy loot

Bank robbers 2.0

So here comes the bank robbers 2.0. They don’t have to worry about transporting stolen goods, fleeing the crime scene, digging or blowing things up. They are in no—immediate—physical danger. And if they’re smart enough, they work alone or remain anonymous, even to their accessories. Their digital thievery has been proven successful through several methods used to obfuscate their identity, location, and criminal master plan.

Social engineering

One of the most spectacular digital crimes targeted 100 banks and financial institutions in 30 nations with a months-long prolonged attack in 2013, reportedly netting the criminals involved over $300 million. The group responsible for this used social engineering to install malicious programs on bank employees’ systems.

The robbers were looking for employees responsible for bank transfers or ATM remote control. By doing so, they were able to mimic the actions required to transfer money to accounts they controlled without alerting the bank that anything unusual was going on. For example, they were able to show more money on a balance than was actually in the account. An account with $10,000 could be altered to show $100,000 so that hackers could transfer $90,000 to their own accounts without anyone noticing anything.

The alleged group behind this attack, the Carbanak Group, have not yet been apprehended, and variants of their malware are still active in the wild.

Ponzi schemes

Bitcoin Savings & Trust (BST), a large Bitcoin investment firm that was later proved to be a pyramid scheme, offered 7 percent interest per week to investors who parked their Bitcoins there. When the virtual hedge fund shut down in 2012, most of its investors were not refunded. At the time of its closing, BST was sitting on 500,000 BTC, worth an estimated $5.6 million. Its founder, an e-currency banker who went by the pseudonym pirateat40, only paid back a small sum to some beneficiaries before going into default. It was later learned that he misappropriated nearly $150,000 of his clients’ money on “rent, car-related expenses, utilities, retail purchases, casinos, and meals.”

Hacking

Even though details are still unclear, the NiceHash hack was reported as a security breach related to the website of the popular mining marketplace. Roughly 4,732 coins were transferred away from internal NiceHash Bitcoin addresses to a single Bitcoin address controlled by an unknown party. The hackers appear to have entered the NiceHash system using the credentials of one of the company’s engineers. As it stands now, it is unknown how they acquired those, although it’s whispered to be an inside job.

Stolen wallet keys

In September 2011, the MtGox hot wallet private keys were stolen in a case of a simple copied wallet.dat file. This gave the hacker access to not only a sizable number of Bitcoins immediately, but also the ability to redirect the incoming trickle of Bitcoins deposited to any of the addresses contained in the file. This went on for a few years until the theft was discovered in 2014. The damages by then were estimated at $450 million. A suspect was arrested in 2017.

Transaction malleability

When a Bitcoin transaction is made, the account sending the money digitally signs the important information, including the amount of Bitcoin being sent, who it’s coming from, and where it’s going. A transaction ID, a unique name for that transaction, is then generated from that information. But some of the data used to generate the transaction ID comes from the unsigned, insecure part of the transaction.As a result, it’s possible to alter the transaction ID without needing the sender’s permission. This vulnerability in the Bitcoin protocol became known as “transaction malleability.”

Transaction malleability was a hot topic in 2014, as researchers saw how easily criminals could exploit it. For example, a thief could claim that his transactions didn’t show up under the expected ID (because he had edited it), and complain that the transaction had failed. The system would then automatically retry, initiating a second transaction and sending out more Bitcoins.

Silk Road 2.0 blamed this bug for the theft of $2.6 million in Bitcoins in 2014, but it was never proven to be true.

Man-in-the-middle (by design)

In 2018, a Tor proxy was found stealing Bitcoin from both ransomware authors and victims alike. A Tor proxy service is a website that allows users to access .onion domains hosted on the Tor network without having to install the Tor browser. As Tor proxy servers have a man-in-the-middle (MitM) function by design, the thieves were able to replace the Bitcoin address that victims were paying ransom to and insert their own. This left the ransomware authors unpaid, which in turn left the victims without their decryption key.

Cryptojacking

Also known as drive-by mining, cryptojacking is a next-generation, stealthy robbing trick that covers all mining activities completed on third-party systems without the users’ consent. Stealing little amounts from many can amount to large sums. There are so many methods to achieve this that Malwarebytes’ own Jérôme Segura published a whitepaper about it.

Unlike drive-by downloads that push malware, drive-by mining focuses on utilizing the processing power of visitors’ computers to mine cryptocurrency, especially those that were designed to accommodate non-specialized processors. Miners of this kind come to us in advertisements, bundlers, browser extensions, and Trojans. The revenues are hard to guess, but given the number of blocks Malwarebytes records on Coinhive and similar sites daily, criminal profit margins could be potentially record-breaking.

Physical stealing of digital currency

This last one brings us full circle, as someone actually managed to steal Bitcoins the old-fashioned way. In January 2018, three armed men attempted to rob a Bitcoin exchange in Canada, but failed miserably as a hidden employee managed to call the police. However, others have had more success. The Manhattan District attorney is looking for the accomplice of a man that robbed his friend of $1.8 million in Ether at gunpoint. Apparently this “friend” got hold of the physical wallet and forced the victim to surrender the key needed to transfer the cryptocurrency into his own account.

Summary

As we can conclude from the examples above, there are many ways for cybercriminals to get rich quick. With a lot less risk of physical harm and even less hard labor, they can score larger amounts for less risk than the old-fashioned bank robbers. The only pitfall to robbing digital currency is how to turn it into fiat money without raising a lot of suspicion or losing a big chunk to launderers.

While the diminished use of violence is reassuring, it’s still beneficial to think about how we can avoid becoming a victim. Much of it has to do with putting too much trust in the wrong people. We are dealing with a very young industry that doesn’t have a lot of established names. So how can you avoid getting hurt by these modern thieves? Here are a few tips:

  • Don’t put all your eggs in one basket.
  • Use common sense when deciding who to do business with. A little background check into the company and its execs never hurt anyone.
  • Don’t put more money into cryptocurrencies than you can spare.

Additional links

The post Bank robbers 2.0: digital thievery and stolen cryptocoins appeared first on Malwarebytes Labs.

Go to Source
Author: Pieter Arntz

New Flash Player zero-day comes inside Office document

A new Flash Player zero-day has been found in recent targeted attacks, as reported by KrCERT. The flaw, which exists in Flash Player 28.0.0.137 and earlier versions, allows an attacker to remotely execute malicious code. On February 1, Adobe published a security advisory acknowledging this zero-day:

Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.

Threat actors used a decoy Microsoft Excel document to lure their intended target (some South Korea users) in order to infect them with a remote administration tool named ROKRAT. While not obvious at first, an ActiveX object has been embedded into the document and contains the Flash exploit. Highlighting cells reveals a small white rectangle that represents the embedded object:

Upon opening the spreadsheet, one of several South Korean websites will be contacted via a GET request containing the following three parameters:

  • a unique identifier
  • the Flash Player version
  • the Operating System version

This is an important step because it retrieves a key used to decrypt the malicious shell code.

By the time we had access to this sample, the websites hosting it were down, which proved to be a showstopper in the exploitation and payload. Malwarebytes detects the remote administration tool that was dropped, as well as blocks the sites known to have hosted the key and payload.

Adobe has said it will issue a patch for this zero-day sometime during the week of February 5. In the meantime, users are advised to disable or uninstall the Flash Player. We expect that this exploit will be used in larger scale attacks, including via malicious spam. We will keep you updated of any further developments.

Indicators of compromise

1588-2040.co[.]kr/design/m/images/image/image.php?

SWF exploit

FEC71B8479F3A416FA58580AE76A8C731C2294C24663C601A1267E0E5C2678A0

The post New Flash Player zero-day comes inside Office document appeared first on Malwarebytes Labs.

Go to Source
Author: Jérôme Segura

Boomerang spam bombs Malwarebytes forum—not a smart move

Tech support scammers are generally not the best and brightest. As such, they will occasionally post ads for their fake companies in the comment sections here or on the Malwarebytes forums. Last week, however, scammers struggled with configuring their spambots, resulting in spam bombs on the forum lasting roughly 72 hours, with a slow taper down for two more days.

Over six days, 246 spam accounts associated with this activity were banned. We wondered what threat actor group would exercise such phenomenally poor judgment, so we drilled down a bit into who these people are.

As it turns out, the majority of the spam was posted for a threat actor we were already familiar with: Boomerang Tech Solutions. Boomerang scams using an AV theme, so they need to use the Malwarebytes brand to appear properly comprehensive to victims. They will also look to legitimate AV customers for scam targeting. Over the past year, Boomerang has:

  • Posted ads to our forums
  • Posted ads to blog comment sections
  • Maintained Twitter accounts to direct traffic to their domains
  • Monitored the Facebook pages of various AV companies to find customers requesting tech support. They then targeted those customers with linked phone numbers, claiming to be the company in question.
  • Made outbound calls to victims as Malwarebytes, then subsequently deleted MBAM from victim systems

As you can imagine, this behavior has not endeared them to US-based merchant processors, leaving them with pay by check as the primary payment option. (More on why alternative payment options tend to be bad here.)

Indicators

Our counterfraud team has observed the following Indicators of Compromise (IOCs) related to Boomerang activity:

Website Twitter handle
Antivirus-support-number[.]com @Malwrebytes ‏
Boomerangtechnologies[.]info @malwarebytes4 ‏
www.antivirustechnicalhelp[.]com @malwarebytes_ ‏
www.wisdomsquad[.]com @malwarebytetech ‏
www.seccurityexperts[.]com @quickencontact2 ‏
liveantivirushelp[.]com n/a
antivirusconsulting[.]com n/a

www.bluenetworksecurity[.]com

How Boomerang rips us off

When Boomerang first came on our radar about a year ago, we called them up to see precisely how victims are being targeted. As you can see in the video of our call below, there’s nothing at all original here. Boomerang tells us that we are bedeviled by “illegal connections” sending our data overseas. The only slightly unusual parts are the relatively high quality of their website (most of these guys struggle with HTML), and the phone rep who told us that Malwarebytes does not protect from “viruses coming from the Internet.” Check out the video to see the standard Boomerang pitch.

How to stay safe

First and foremost, be a little extra suspicious of any company that is resistant to accept payment with a credit card. If they can’t process credit payments easily, there’s probably a good (bad) reason why. If you’ve had a run-in with these or any other tech support scammer (on our site, forum, or anywhere else), you can find information on what to do next here.

Have you been contacted by someone claiming to be us or our representative? See how to evaluate those claims here. Lastly, if you’ve dealt with anyone from Boomerang yourself, post to the comments below to let others know your experience. Stay suspicious and stay safe.

The post Boomerang spam bombs Malwarebytes forum—not a smart move appeared first on Malwarebytes Labs.

Go to Source
Author: William Tsing