New Point-of-Sale Malware Steals Credit Card Data via DNS Queries

pos-malware-dns

Cybercriminals are becoming more adept, innovative, and stealthy with each passing day. They are now adopting more clandestine techniques that come with limitless attack vectors and are harder to detect.

A new strain of malware has now been discovered that relies on a unique technique to steal payment card information from point-of-sale (PoS) systems.

Since the new POS malware relies upon User Datagram Protocol (UDP) DNS traffic for the exfiltration of credit card information, security researchers at Forcepoint Labs, who have uncovered the malware, dubbed it UDPoS.

Yes, UDPoS uses Domain Name System (DNS) queries to exfiltrate stolen data, instead of HTTP that has been used by most POS malware in the past. This malware is also thought to be first of its kind.

Besides using ‘unusual’ DNS requests to exfiltrate data, the UDPoS malware disguises itself as an update from LogMeIn—a legitimate remote desktop control service used to manage computers and other systems remotely—in an attempt to avoid detection while transferring stolen payment card data pass firewalls and other security controls.

“We recently came across a sample apparently disguised as a LogMeIn service pack which generated notable amounts of ‘unusual’ DNS requests,” Forcepoint researchers said in a blogpost published Thursday.

“Deeper investigation revealed something of a flawed gem, ultimately designed to steal magnetic stripe payment card data: a hallmark of PoS malware.”

The malware sample analyzed by the researchers links to a command and control (C&C) server hosted in Switzerland rather than the usual suspects of the United States, China, Korea, Turkey or Russia. The server hosts a dropper file, which is a self-extracting archive containing the actual malware.

It should be noted that the UDPoS malware can only target older POS systems that use LogMeIn.

Like most malware, UDPoS also actively searches for antivirus software and virtual machines and disable if find any. The researchers say it’s unclear “at present whether this is a reflection of the malware still being in a relatively early stage of development/testing.”

Although there is no evidence of the UDPoS malware currently being in use to steal credit or debit card data, the Forcepoint’s tests have shown that the malware is indeed capable of doing so successfully.

Moreover, one of the C&C servers with which the UDPoS malware sample communicates was active and responsive during the investigation of the threat, suggesting the authors were at least prepared to deploy this malware in the wild.

It should be noted that the attackers behind the malware have not been compromised the LogMeIn service itself—it’s just impersonated. LogMeIn itself published a blogpost this week, warning its customers not to fall for the scam.

“According to our investigation, the malware is intended to deceive an unsuspecting user into executing a malicious email, link or file, possibly containing the LogMeIn name,” LogMeIn noted.

“This link, file or executable isn’t provided by LogMeIn and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product. You’ll never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update.”

According to Forcepoint researchers, protecting against such threat could be a tricky proposition, as “nearly all companies have firewalls and other protections in place to monitor and filter TCP- and UDP-based communications,” but DNS is still often treated differently, providing a golden opportunity for hackers to leak data.

Last year, we came across a Remote Access Trojan (RAT), dubbed DNSMessenger, that uses DNS queries to conduct malicious PowerShell commands on compromised computers, making the malware difficult to detect onto targeted systems.

Go to Source

Watch Out! New Cryptocurrency-Mining Android Malware is Spreading Rapidly

Due to the recent surge in cryptocurrency prices, threat actors are increasingly targeting every platform, including IoT, Android, and Windows, with malware that leverages the CPU power of victims’ devices to mine cryptocurrency.

Just last month, Kaspersky researchers spotted fake antivirus and porn Android apps infected with malwarethat mines Monero cryptocurrency, launches DDoS attacks, and performs several other malicious tasks, causing the phone’s battery to bulge out of its cover.

Now, security researchers at Chinese IT security firm Qihoo 360 Netlab discovered a new piece of wormable Android malware, dubbed ADB.Miner, that scans wide-range of IP addresses to find vulnerable devices and infect them to mine digital cryptocurrency.

According to the researchers, ADB.Miner is the first Android worm to reuse the scanning code programmed in Mirai—the infamous IoT botnet malware that knocked major Internet companies offline last year by launching massive DDoS attacks against Dyndns.

ADB.Miner scans for Android devices—including smartphones, smart TVs, and TV set-top boxes—with publicly accessible ADB debug interface running over port 5555 and then infects them with a malware that mines Monero cryptocurrency for its operators.

Android Debug Bridge (ADB) is a command-line tool that helps developers debug Android code on the emulator and grants access to some of the operating system’s most sensitive features.

It should be noted that almost all Android devices by default come with the ADB port disabled, so botnet would target only those devices that have manually been configured to enable port 5555.

Besides mining Monero cryptocurrency, ADB.Miner installed on an infected device also attempts to propagate itself by scanning for more targets on the Internet.

Researchers did not reveal exactly how or by exploiting which ADB flaw hackers are installing malware onto Android devices.

However, the researchers believed hackers are not exploiting any vulnerability that targets any specific device vendor since they found devices from a wide range of manufacturers impacted.

According to the researchers, the infection started on January 21, and the number of attacks has increased recently. As of Sunday, the researchers detected 7,400 unique IP addresses using the Monero mining code—that’s more than 5,000 impacted devices in just 24 hours.

Based on the scanning IP addresses, the highest number of infection has been noticed in China (40%) and South Korea (31%), the researchers estimated.

In order to fight against such malware Android users are advised not to install unnecessary and untrusted applications from the app store, even from Google Play Store, and keep your devices behind a firewall or a VPN.

Go to Source

Cryptocurrency Mining Malware Infected Over Half-Million PCs Using NSA Exploit

cryptocurrency-mining-malware

2017 was the year of high profile data breaches and ransomware attacks, but from the beginning of this year, we are noticing a faster-paced shift in the cyber threat landscape, as cryptocurrency-related malware is becoming a popular and profitable choice of cyber criminals.

Several cybersecurity firms are reporting of new cryptocurrency mining viruses that are being spread using EternalBlue—the same NSA exploit that was leaked by the hacking group Shadow Brokers and responsible for the devastating widespread ransomware threat WannaCry.

Researchers from Proofpoint discovered a massive global botnet dubbed “Smominru,” a.k.a Ismo, that is using EternalBlue SMB exploit (CVE-2017-0144) to infect Windows computers to secretly mine Monero cryptocurrency, worth millions of dollars, for its master.

Active since at least May 2017, Smominru botnet has already infected more than 526,000 Windows computers, most of which are believed to be servers running unpatched versions of Windows, according to the researchers.

“Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz,” the researchers said.

The botnet operators have already mined approximately 8,900 Monero, valued at up to $3.6 million, at the rate of roughly 24 Monero per day ($8,500) by stealing computing resources of millions of systems.

monero-cryptocurrency-mining-malware

The highest number of Smominru infection has been observed in Russia, India, and Taiwan, the researchers said.

The command and control infrastructure of Smominru botnet is hosted on DDoS protection service SharkTech, which was notified of the abuse but the firm reportedly ignored the abuse notifications.

According to the Proofpoint researchers, cybercriminals are using at least 25 machines to scan the internet to find vulnerable Windows computers and also using leaked NSA’s RDP protocol exploit, EsteemAudit (CVE-2017-0176), for infection.

“As Bitcoin has become prohibitively resource-intensive to mine outside of dedicated mining farms, interest in Monero has increased dramatically. While Monero can no longer be mined effectively on desktop computers, a distributed botnet like that described here can prove quite lucrative for its operators,” the researchers concluded.

“The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations. Given the significant profits available to the botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impacts on infected nodes.”

Another security firm CrowdStrike recently published a blog post, reporting another widespread cryptocurrency fileless malware, dubbed WannaMine, using EternalBlue exploit to infect computers to mine Monero cryptocurrency.

Since it does not download any application to an infected computer, WannaMine infections are harder to detect by antivirus programs. CrowdStrike researchers observed the malware has rendered “some companies unable to operate for days and weeks at a time.”

Besides infecting systems, cybercriminals are also widely adopting cryptojacking attacks, wherein browser-based JavaScript miners utilise website visitors’ CPUs power to mine cryptocurrencies for monetisation.

Since recently observed cryptocurrency mining malware attacks have been found leveraging EternalBlue, which had already been patched by Microsoft last year, users are advised to keep their systems and software updated to avoid being a victim of such threats.

Go to Source

Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

crossrat-spying-malware

Are you using Linux or Mac OS? If you think your system is not prone to viruses, then you should read this.

Wide-range of cybercriminals are now using a new piece of ‘undetectable’ spying malware that targets Windows, macOS, Solaris and Linux systems.

Just last week we published a detailed article on the report from EFF/Lookout that revealed a new advanced persistent threat (APT) group, called Dark Caracal, engaged in global mobile espionage campaigns.

Although the report revealed about the group’s successful large-scale hacking operations against mobile phones rather than computers, it also shed light on a new piece of cross-platform malware called CrossRAT (version 0.1), which is believed to be developed by, or for, the Dark Caracal group.

CrossRAT is a cross-platform remote access Trojan that can target all four popular desktop operating systems, Windows, Solaris, Linux, and macOS, enabling remote attackers to manipulate the file system, take screenshots, run arbitrary executables, and gain persistence on the infected systems.

According to researchers, Dark Caracal hackers do not rely on any “zero-day exploits” to distribute its malware; instead, it uses basic social engineering via posts on Facebook groups and WhatsApp messages, encouraging users to visit hackers-controlled fake websites and download malicious applications.

CrossRAT is written in Java programming language, making it easy for reverse engineers and researchers to decompile it.

crossrat-malware

Since at the time of writing only two out of 58 popular antivirus solutions (according to VirusTotal) can detect CrossRAT, ex-NSA hacker Patrick Wardle decided to analyse the malware and provide a comprehensive technical overview including its persistence mechanism, command and control communication as well as its capabilities.

CrossRAT 0.1 — Cross-Platform Persistent Surveillance Malware

Once executed on the targeted system, the implant (hmar6.jar) first checks the operating system it’s running on and then installs itself accordingly.

Besides this, the CrossRAT implant also attempts to gather information about the infected system, including the installed OS version, kernel build and architecture.

Moreover, for Linux systems, the malware also attempts to query systemd files to determine its distribution, like Arch Linux, Centos, Debian, Kali Linux, Fedora, and Linux Mint, among many more.

CrossRAT then implements OS specific persistence mechanisms to automatically (re)executes whenever the infected system is rebooted and register itself to the C&C server, allowing remote attackers to send command and exfiltrate data.

As reported by Lookout researchers, CrossRAT variant distributed by Dark Caracal hacking group connects to ‘flexberry(dot)com‘ on port 2223, whose information is hardcoded in the ‘crossrat/k.class’ file.

CrossRAT Includes Inactive Keylogger Module

crossrat-commands

The malware has been designed with some basic surveillance capabilities, which get triggered only when received respective predefined commands from the C&C server.

Interestingly, Patrick noticed that the CrossRAT has also been programmed to use ‘jnativehook,’ an open-source Java library to listen to keyboard and mouse events, but the malware does not have any predefined command to activate this keylogger.

“However, I didn’t see any code within that implant that referenced the jnativehook package—so at this point it appears that this functionality is not leveraged? There may be a good explanation for this. As noted in the report, the malware identifies it’s version as 0.1, perhaps indicating it’s still a work in progress and thus not feature complete,” Patrick said.

How to Check If You’re Infected with CrossRAT?

Since CrossRAT persists in an OS-specific manner, detecting the malware will depend on what operating system you are running.

For Windows:

  • Check the ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Run\’ registry key.
  • If infected it will contain a command that includes, java, -jar and mediamgrs.jar.

For macOS:

  • Check for jar file, mediamgrs.jar, in ~/Library.
  • Also look for launch agent in /Library/LaunchAgents or ~/Library/LaunchAgents named mediamgrs.plist.

For Linux:

  • Check for jar file, mediamgrs.jar, in /usr/var.
  • Also look for an ‘autostart’ file in the ~/.config/autostart likely named mediamgrs.desktop.

How to Protect Against CrossRAT Trojan?

malware-crossrat-windows-linux-mac

Only 2 out of 58 antivirus products detect CrossRAT at the time of writing, which means that your AV would hardly protect you from this threat.

“As CrossRAT is written in Java, it requires Java to be installed. Luckily recent versions of macOS do not ship with Java,” Patrick said.

“Thus, most macOS users should be safe! Of course, if a Mac user already has Java installed, or the attacker is able to coerce a naive user to install Java first, CrossRAT will run just dandy, even on the latest version of macOS (High Sierra).”

Users are advised to install behaviour-based threat detection software. Mac users can use BlockBlock, a simple utility developed by Patrick that alerts users whenever anything is persistently installed.

Go to Source

Critical Flaw in All Blizzard Games Could Let Hackers Hijack Millions of PCs

dns-rebinding-attack-hacking-exploit

A Google security researcher has discovered a severe vulnerability in Blizzard games that could allow remote attackers to run malicious code on gamers’ computers.

Played every month by half a billion users—World of Warcraft, Overwatch, Diablo III, Hearthstone and Starcraft II are popular online games created by Blizzard Entertainment.

To play Blizzard games online using web browsers, users need to install a game client application, called ‘Blizzard Update Agent,’ onto their systems that run JSON-RPC server over HTTP protocol on port 1120, and “accepts commands to install, uninstall, change settings, update and other maintenance related options.

Google’s Project Zero team researcher Tavis Ormandy discovered that the Blizzard Update Agent is vulnerable to a hacking technique called the “DNS Rebinding” attack that allows any website to act as a bridge between the external server and your localhost.

Just last week, Ormandy revealed a similar vulnerability in a popular Transmission BitTorrent app that could allow hackers to remotely execute malicious code on BitTorrent users’ computers and take control of them.

By simply creating a DNS entry to bind any attacker-controlled web page with localhost (127.0.0.1) and tricking users into visiting it, hackers can easily send privileged commands to the Blizzard Update Agent using JavaScript code.

Although a random website running in a web browser usually cannot make requests to a hostname other than its own, the local Blizzard updater service does not validate what hostname the client was requesting and responds to such requests.

Blizzard DNS Rebinding Attack — Proof of Concept Exploit

Ormandy has also published a proof-of-concept exploit that executes DNS rebinding attack against Blizzard clients and could be modified to allow exploitation using network drives, or setting destination to “downloads” and making the browser install malicious DLLs, data files, etc.

Ormandy responsibly reported Blizzard of the issue in December to get it patched before hackers could take advantage of it to target hundreds of millions of gamers.

However, after initially communication, Blizzard inappropriately stopped responding to Ormandy’s emails and silently applied partial mitigation in the client version 5996.

“Blizzard was replying to emails but stopped communicating on December 22nd. Blizzard is no longer replying to any enquiries, and it looks like in version 5996 the Agent now has been silently patched with a bizarre solution,” Ormandy says.

“Their solution appears to be to query the client command line, get the 32-bit FNV-1a string hash of the exename and then check if it’s in a blacklist. I proposed they whitelist Hostnames, but apparently, that solution was too elegant and simple. I’m not pleased that Blizzard pushed this patch without notifying me, or consulted me on this.”

After the Ormandy’s report went public, Blizzard contacted and informed him that a more robust Host header whitelist fix to address the issue entirely is currently being developed for deployment.

Ormandy is also checking other big games vendors with a user base of over 100 Million to see if the problem can be replicated.

Go to Source

Nearly Half of the Norway Population Exposed in HealthCare Data Breach

Cybercriminals have stolen a massive trove of Norway’s healthcare data in a recent data breach, which likely impacts more than half of the nation’s population.

An unknown hacker or group of hackers managed to breach the systems of Health South-East Regional Health Authority (RHF) and reportedly stolen personal info and health records of some 2.9 million Norwegians out of the country’s total 5.2 million inhabitants.

Health South-East RHA is a healthcare organisation that manages hospitals in Norway’s southeast region, including Østfold, Akershus, Oslo, Hedmark, Oppland, Buskerud, Vestfold, Telemark, Aust-Agder and Vest-Agder.

The healthcare organisation announced the data breach on Monday after it had been alerted by HelseCERT, the Norwegian CERT department for its healthcare sector, about an “abnormal activity” against computer systems in the region.

HelseCERT also said the culprits behind the data breach are “advanced and professional” hackers, although it is still unknown as to whether they were managed to exfiltrate data successfully and if so, how many people may have been impacted.

So far there’s also no evidence if the stolen data theft has had any consequences for or effects on patients’ safety. However, the healthcare organisation assured that security “measures had been taken to limit the damage caused by the burglary.

“We are in a phase where we try to get an overview. It’s far too early to say how big the attack is. We are working to acquire knowledge of all aspects, ” NorCERT director Kjetil Nilsen told Norwegian publication VG.

“Everything indicates that it is an advanced player who has the tools and ability to perform such an attack. It can be advanced criminals. There is a wide range of possibilities.”

Why Do Hackers Want Your Health Data?

Digital healthcare has been growing to satisfy the demands of connected healthcare technology that provides better treatment and improved patient care.

We know that any organisation with a computer is at risk from cyber-attacks both from criminals wanting to extort money and state-sponsored hackers wanting to cause chaos.

Since the healthcare sector is part of the critical national infrastructure, alongside water, electricity and transport, it becomes an attractive target for hackers.

Believe it or not, your medical records are worth more to hackers than your stolen credit card details on the dark web markets.

Financial data has a finite lifespan, but the information contained in health care records—which includes names, birth dates, policy numbers, diagnosis codes, social security number and billing information—has a much longer shelf life and is rich enough for identity theft.

Fraudsters can use this data to create fake identities to do all illegal kinds of stuff in your name, combine a patient number with a false provider number and file fake claims with insurers, and even file fake tax returns using your stolen addresses, phone numbers and employment history.

How to Protect Yourself After a Data Breach?

If you are a one of those affected by the healthcare breach, you will have to remain vigilant against fraud for the rest of your lives, because the risk of identity theft isn’t short term, unlike in case of credit cards fraud.

You may follow the following steps to protect yourself:

1) Monitor Your Accounts: Watch out if someone using your information do not ever try to take over or transfer money out of your existing accounts. Don’t forget that thieves with stolen details on you can get through your security questions, including the last four digits of your social and street address. Also, watch for any unauthorised activity or transfers on your current financial accounts.

2) File Your Taxes Early: With the stolen information in the hands, cyber thieves could hook your tax refund by filing your taxes early and claiming it for themselves. So, to avoid any such problems, file your taxes as early as possible.

3) Stay Vigilant: The foremost thing to protect against any breach is to stay vigilant, as nobody knows when or where your stolen identities will be used. So, affected consumers will simply have to stay mindful forever.

Go to Source

Flaw in Popular Transmission BitTorrent Client Lets Hackers Control Your PC Remotely

There’s a critical weakness in the widely used Transmission BitTorrent app that allows websites to execute malicious code on some users’ computers. That’s according to a researcher with Google’s Project Zero vulnerability reporting team, who also warns that other BitTorrent clients are likely similarly susceptible.

Researcher Tavis Ormandy published the proof-of-concept attack code last week, along with a detailed description of the underlying vulnerability it exploited. Normally, Project Zero withholds publication of such details for 90 days or until the developer has released a fix. In this case, however, Ormandy’s private report to Transmission included a patch that completely fixed the vulnerability. The researcher went ahead and disclosed the vulnerability last Tuesday—only 40 days after the initial report—because Transmission developers had yet to apply it. Ormandy said the publication would allow Ubuntu and other downstream projects to independently install the fix.

“I’m finding it frustrating that the Transmission developers are not responding on their private security list,” Ormandy wrote in Tuesday’s public report. “I suggested moving this into the open so that distributions can apply the patch independently.”

A Transmission development official told Ars that he expected an official fix to be released “ASAP” but was not specific. He said the vulnerability was present only when users enabled remote access and disabled password protection. He said people who run the unpatched version of Transmission as a daemon should ensure they have enabled password protection.

DNS rebinding strikes again

Ormandy’s proof-of-concept attack exploits a Transmission function that allows users to control the BitTorrent app with their Web browser. The researcher said most people don’t enable password protection because they assume the JSON RPC interface can only be controlled by someone with physical access to the computer running Transmission. Using a hacking technique known as domain name system rebinding, Ormandy devised a way that the Transmission interface can be remotely controlled when a vulnerable user visits a malicious site. He said he confirmed his exploit works on Chrome and Firefox on Windows and Linux and that he expects other platforms and browsers are also affected.

Attackers can exploit the flaw by creating a DNS name they are authorized to communicate with and then making it resolve to the localhost name of the vulnerable computer. In a separate posting publishing the patch, Ormandy wrote:

  1. A user visits http://attacker.com, which has an <iframe> to a subdomain the attacker controls.
  2. The attacker configures their DNS server to respond alternately with 127.0.0.1and 123.123.123.123 (an address they control) with a very low TTL.
  3. When the browser resolves to 123.123.123.123, they serve HTML that waits for the DNS entry to expire (or force it to expire by flooding the cache with lookups), then they have permission to read and set headers.

Among the things an attacker can do is change the Torrent download directory to the user’s home directory. The attacker could then command Transmission to download a Torrent called “.bashrc” which would automatically be executed the next time the user opened a bash shell. Attackers could also remotely reconfigure Transmission to run any command of their choosing after a download has completed. Ormandy said the exploit is of “relatively low complexity, which is why I’m eager to make sure everyone is patched.”

In a tweet, Ormandy said the vulnerability was the “first of a few remote code execution flaws in various popular torrent clients.” He didn’t name the other apps because the 90-day Window hasn’t closed yet.

While last week’s disclosure has the most immediate consequences for Transmission users, its lessons about the dangers of DNS rebinding are broadly applicable to people using a wide range of apps.

“I regularly encounter users who don’t accept that websites can access services on localhost or their intranet,” Ormandy wrote. “These users understand that services bound to localhost are only accessible to software running on the local machine and that their browser is running on the local machine—but somehow believe that accessing a website ‘transfers’ execution somewhere else. It doesn’t work like that, but this is a common source of confusion.”

Go to Source
Author: Dan Goodin

OnePlus Site’s Payment System Reportedly Hacked to Steal Credit Card Details

This year’s first bad news for OnePlus users—a large number of OnePlus customers are reporting of fraudulent credit card transactions after buying products from the Chinese smartphone manufacturer’s official online store.

The claim initially surfaced on the OnePlus support forum over the weekend from a customer who said that two of his credit cards used on the company’s official website was suspected of fraudulent activities.

The only place that both of those credit cards had been used in the last 6 months was on the Oneplus website,” the customer wrote.

Later a good number of users posted similar complaints on OnePlus, Twitter and Reddit forums, saying they also became a victim of credit card fraud.

Many of the customers claimed that their credit cards had been compromised after they bought a new phone or some accessories directly from the OnePlus official website, indicating that the leak might have been through the company itself.

Cybersecurity firm Fidus also published a blog post detailing the alleged issue with the OnePlus website’s on-site payment system. The firm suspected that the servers of the OnePlus website might have been compromised.

OnePlus

According to Fidus, OnePlus is currently conducting the transactions itself on-site, which means that all billing information along with all credit card details entered by its customers flow through the OnePlus official website and can be intercepted by attackers.

“Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted,” Fidus wrote.

Fidus went on to clarify that their findings did not in any way confirm that the OnePlus website was breached; instead, they suggested the attacks might have come from the Magento eCommerce platform—which is used by OnePlus and is “a common platform in which credit card hacking takes place.”

OnePlus has quickly responded to the issue on its forum, confirming that it does not store any credit card information on its website and all payment transactions are carried out through its PCI-DSS-compliant payment processing partner.

Only credit card-related information of users who have enabled the “save this card for future transactions”feature is stored on OnePlus’ official servers, but even they are secured with a token mechanism.

“Our website is HTTPS encrypted, so it’s very difficult to intercept traffic and inject malicious code, however we are conducting a complete audit,” a company’s staffer using the name ‘Mingyu’ wrote.

The Chinese smartphone maker also confirms that purchases involving third-party services like PayPal are not affected.

oneplus-credit-card-hacking

OnePlus does not reveal much information on the incident but confirms that its official website is not affected by any Magento vulnerability.

The company confirms that oneplus.net was indeed built on the Magento eCommerce, but said since 2014, it has entirely been re-built using custom code, adding that “credit card payments were never implemented in Magento’s payment module at all.”

There are almost 100 claims of fraudulent credit card transactions on the OnePlus support forums. OnePlus announces a formal investigation into the matter, and advises affected users to contact their bank to reverse the payment.

Go to Source

Warning: New Undetectable DNS Hijacking Malware Targeting Apple macOS Users

macos-dns-hijacker-malware

A security researcher has revealed details of a new piece of undetectable malware targeting Apple’s Mac computers—reportedly first macOS malware of 2018.

Dubbed OSX/MaMi, an unsigned Mach-O 64-bit executable, the malware is somewhat similar to DNSChanger malware that infected millions of computers across the world in 2012.

DNSChanger malware typically changes DNS server settings on infected computers, allowing attackers to route internet traffic through malicious servers and intercept sensitive information.

First appeared on the Malwarebytes forum, a user posted a query regarding unknown malware that infected his friend’s computer that silently changed DNS settings on infected macOS to 82.163.143.135 and 82.163.142.137 addresses.

After looking at the post, ex-NSA hacker Patrick Wardle analysed the malware and found that it is indeed a ‘DNS Hijacker,‘ which also invokes security tools to install a new root certificate in an attempt to intercept encrypted communications as well.

macos-root-certificate-malware

OSX/MaMi isn’t particularly advanced – but does alter infected systems in rather nasty and persistent ways,” Patrick said.

By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads)” or to insert cryptocurrency mining scripts into web pages.

Besides this, the OSX/MaMi macOS malware, which appears to be in its initial stage, also includes below-mentioned abilities, most of which are not currently activated in its version 1.1.0:

  • Take screenshots
  • Generate simulated mouse events
  • Perhaps persist as a launch item
  • Download and upload files
  • Execute commands
The motive, author(s) behind the malware, and how it is spreading are currently unknown.
However, Patrick believes that the attackers could be using lame methods like malicious emails, web-based fake security alerts/popups, or social-engineering type attacks to target Mac users.

To check if your Mac computer is infected with MaMi malware, go to the terminal via the System Preferences app and check for your DNS settings—particularly look for 82.163.143.135 and 82.163.142.137.

virustotal-dns-changer-mawlare

According to VirusTotal, a multi-engine antivirus scanner, none of 59 popular antivirus software is detecting this malware at this moment, so you are advised to use a 3rd-party tool such as a firewall that can detect and block outgoing traffic.

You can also install a free open-source firewall for macOS named ‘LuLu,’ created by Patrick and available at GitHub, which blocks suspicious traffic and prevents OSX/MaMi’s from stealing your data.

Go to Source