Sofacy APT turns to the East

We at Kaspersky Lab monitor, report, and protect against a lot of threat actors, some of which are known internationally and sometimes featured in the news. It doesn’t matter which language the threat actor speaks, it’s our duty to know about it, investigate it, and protect our customers from it.

One of the most active threat actors is a Russian-speaking APT called Sofacy, also known as APT28, Fancy Bear, and Tsar Team, infamous for its spear phishing campaigns and cyberespionage activities. In 2017, it shifted focus in a way worthy of an update here.

We’ve been watching Sofacy since 2011 and are pretty familiar with the instruments and tactics the threat actor is using. Last year, the main change was that it moved beyond the NATO countries it was actively spear phishing in the beginning of the year and onto countries in the Middle East and Asia — and farther — in Q2 2017. Earlier, Sofacy also targeted the Olympic Games, the World Anti-Doping Agency (WADA), and the Court of Arbitration for Sports (CAS).

Sofacy uses different tools for different target profiles. For example, in early 2017 a campaign called Dealer’s Choice targeted mostly military and diplomatic organizations (mainly in NATO countries and Ukraine); later, the hackers were using two other tools, which we call Zebrocy and SPLM, to target companies of different profiles including science and engineering centers and press services. Both Zebrocy and SPLM were heavily modified last year, with SPLM (which also goes by the name Chopsticks) becoming modular and using encrypted communications.

The usual infection scheme starts with a spear-phishing letter containing a file with a script that downloads the payload. Sofacy is known for finding and exploiting zero-day vulnerabilities and using those exploits to deliver the payload. The threat actor maintains a high level of operational security and really focuses on making its malware harder to detect — which, of course, makes it harder to investigate.

In cases of highly sophisticated targeted campaigns such as Sofacy, thorough incident investigation is vital. It will allow you to figure out what information malefactors were after, understand their motives, and detect the presence of any sleeping implants.

To do that, your security system needs not only advanced protective solutions but also an endpoint detection and response system. Such a system detects threats at early stages, and helps analyze events that predated the incident. Having skilled experts doesn’t hurt, either. As a solution, we offer the Threat Management and Defense platform, which incorporates Kaspersky Anti Targeted Attack, Kaspersky Endpoint Detection and Response, and expert services.

You can find more information on the threat actor’s activity in 2017, including technical details, on Securelist. Further, at the start of this year, our researchers found some interesting shifts in Sofacy’s behavior that we will highlight at the SAS 2018 conference. If you are interested in APTs and building defense against them, don’t forget to get a ticket — or at least visit our blogs frequently during the SAS.

Go to Source
Author: John Snow

Cryakl/Fantomas victims rescued by new decryptor

The No More Ransom project for assisting victims of ransomware has good news to report: The Belgian police, in cooperation with Kaspersky Lab, managed to obtain keys for recovering files encrypted with new versions of Cryakl ransomware, also known as Fantomas. The updated decryption tool is already available on the project’s website.

How to decrypt files encrypted by the Shade ransomware

What is Cryakl?

The Trojan ransomware Cryakl (Trojan-Ransom.Win32.Cryakl) has been . At first, it was distributed through attached archives in e-mails that appeared to come from an arbitration court in connection with some alleged wrongdoing. There is something about such messages that sets nerves to jangling, and even those who know better might be inclined to click on the attachment. Later, the e-mails diversified, looking like messages from other organizations, such as a local homeowners’ association.

When encrypting files on a victim’s computer, Cryakl creates a long key that it sends to a command-and-control (C&C) server. Without this key, it is nearly impossible to recover files impacted by the malware. After that, Cryakl replaces the desktop wallpaper with contact details for its creators together with a ransom demand. Cryakl also displays an image of the mask of the 1964 French movie villain Fantomas, hence its alternative name. Cryakl mostly targeted users in Russia, so information about it is mostly available in Russian.

Ransomware’s history and evolution in facts and figures

Success story

As we already said, the joint efforts of our experts and Belgian police resulted in obtaining the master keys. The investigation began when the computer crime unit learned about victims of the ransomware in Belgium, and then they discovered a C&C server in a neighboring country. An operation led by the Belgian federal prosecutor neutralized the server, along with several other C&C servers that received master keys from infected machines. Then Kaspersky Lab stepped in to assist the law enforcement agencies, not for the first time. As before, the results were first-class: Our experts helped analyze the data found and extract the decryption keys.

The keys have already been added to the RakhniDecryptor tool on the No More Ransom website, and the Belgian federal police is now an official partner of the project. No More Ransom, which has been running since July 2016, has to date provided free help to tens of thousands of people in decrypting files rendered unusable by ransomware, and deprived cyberblackmailers of at least 10 million euros of potential booty.

No More Ransom: A very productive year

How to rescue files encrypted by Cryakl ransomware

The No More Ransom site offers two tools for decrypting files corrupted by Cryakl. One, named RannohDecryptor and around since 2016, is for older versions of Cryakl. You can download it at NoMoreRansom.org, and get decryption instructions here.

We recently updated the second tool, RakhniDecryptor, by adding the master keys from the servers seized by the Belgian police. It can be downloaded from the same site; instructions are available here. RakhniDecryptor is needed to decrypt files hit by newer versions of Cryakl. Either one of the tools should restore Cryakl-infected files to full health.

How to stay safe in the future

When dealing with cryptoransomware, prevention is far cheaper and simpler than a cure. In other words, it’s better to secure yourself now and sleep easy than to mess around with file decryption. We’d like to share a few preemptive file protection tips:

1. Always keep a copy of your most important files somewhere else: in the cloud, on another drive, on a memory stick, or on another computer. More details about backup options are available here.

2. Use reliable AV software. Some security solutions — for example, Kaspersky Total Security — can also assist with file backup.

3. Don’t download programs from suspicious sources. Their installers might contain something you’d rather not have on your computer.

4. Don’t open attachments in e-mails from unknown senders, even if they look important and credible. If in doubt, look up the phone number on the organization’s official website and call to check.

Go to Source
Author: Anna Markovskaya

Skygofree — a Hollywood-style mobile spy

Most Trojans are basically the same: Having penetrated a device, they steal the owner’s payment information, mine cryptocurrency for the attackers, or encrypt data and demand a ransom. But some display capabilities more reminiscent of Hollywood spy movies.

We recently discovered one such cinematic Trojan by the name of Skygofree (it doesn’t have anything to do with the television service Sky Go; it was named after one of the domains it used). Skygofree is overflowing with functions, some of which we haven’t encountered elsewhere. For example, it can track the location of a device it is installed on and turn on audio recording when the owner is in a certain place. In practice, this means that attackers can start listening in on victims when, say, they enter the office or visit the CEO’s home.

Another interesting technique Skygofree employs is surreptitiously connecting an infected smartphone or tablet to a Wi-Fi network controlled by the attackers — even if the owner of the device has disabled all Wi-Fi connections on the device. This lets the victim’s traffic be collected and analyzed. In other words, someone somewhere will know exactly what sites were looked at and what logins, passwords, and card numbers were entered.

The malware also has a couple of functions that help it operate in standby mode. For example, the latest version of Android can automatically stop inactive processes to save battery power, but Skygofree is able to bypass this by periodically sending system notifications. And on smartphones made by one of the tech majors, where all apps except for favorites are stopped when the screen is turned off, Skygofree adds itself automatically to the favorites list.

The malware can also monitor popular apps such as Facebook Messenger, Skype, Viber, and WhatsApp. In the latter case, the developers again showed savvy — the Trojan reads WhatsApp messages through Accessibility Services. We have already explained how this tool for visually or aurally impaired users can be used by intruders to control an infected device. It’s a kind of “digital eye” that reads what’s displayed on the screen, and in the case of Skygofree, it collects messages from WhatsApp. Using Accessibility Services requires the user’s permission, but the malware hides the request for permission behind some other, seemingly innocent, request.

Last but not least, Skygofree can secretly turn on the front-facing camera and take a shot when the user unlocks the device — one can only guess how the criminals will use these photos.

However, the authors of the innovative Trojan did not dispense with more mundane features. Skygofree can also intercept calls, SMS messages, calendar entries, and other user data.

The promise of fast Internet

We discovered Skygofree recently, in late 2017, but our analysis shows the attackers have been using it — and constantly enhancing it — since 2014. Over the past three years, it has grown from a rather simple piece of malware into full-fledged, multifunctional spyware.

The malware is distributed through fake mobile operator websites, where Skygofree is disguised as an update to improve mobile Internet speed. If a user swallows the bait and downloads the Trojan, it displays a notification that setup is supposedly in progress, conceals itself from the user, and requests further instructions from the command server. Depending on the response, it can download a variety of payloads — the attackers have solutions for almost every occasion.

Forewarned is forearmed

To date, our cloud protection service has logged only a few infections, all in Italy. But that doesn’t mean that users in other countries can let their guard down; malware distributors can change their target audience at any moment. The good news is that you can protect yourself against this advanced Trojan just like any other infection:

  1. Install apps only from official stores. It’s wise to disable installation of apps from third-party sources, which you can do in your smartphone settings.
  2. If in doubt, don’t download. Pay attention to misspelled app names, small numbers of downloads, or dubious requests for permissions — any of these things should raise flags.
  3. Install a reliable security solution — for example, Kaspersky Internet Security for Android. This will protect your device from most malicious apps and files, suspicious websites, and dangerous links. In the free version scans must be run manually; the paid version scans automatically.
  4. We recommend that business users deploy Kaspersky Security for Mobile — a component of Kaspersky Endpoint Security for Business — to protect the phones and tablets employees use at work.

Go to Source
Author: Anna Markovskaya

Xiaomi Mi Robot vacuum cleaner hacked

The story of the Internet and its Things may seem as star-crossed a tale as any, but it does not need to be hopeless. Although security researchers Dennis Giese and Daniel Wegemer eventually managed to hack into the Xiaomi Mi Robot vacuum cleaner, their research shows that the device is much more secure than most other smart things are.

In their talk at Chaos Communication Congress 34, which was held in Leipzig recently, the researchers explained how the device’s software works and which vulnerabilities they had to use to finally crack its protection.


Hacking the Mi Robot with tinfoil

When they started their research, Giese and Wegemer were amazed to find that the Xiaomi vacuum cleaner has more powerful hardware than many smartphones do: It is equipped with three ARM processors, one of which is quad core. Sounds pretty promising, right? So, for starters, Giese and Wegemer tried to use several obvious attack vectors to hack the system.

First, they examined a unit to see if there was a way in through the vacuum cleaner’s micro USB port. That was a dead end: Xiaomi has secured this connection with some kind of authentication. After that, the researchers took the Mi Robot apart and tried to find a serial port on its motherboard. This attempt was likewise unsuccessful.

Their second hacking method was network based. The researchers tried to scan the device’s network ports, but all ports were closed. Sniffing network traffic didn’t help, either; the robot’s communications were encrypted. At this point, I’m already rather impressed: Most other IoT devices would have been hacked by now because their creators usually don’t go this far in terms of security. Our recent research on how insecure connected devices are illustrates it perfectly.

However, let’s get back to the Xiaomi Mi Robot. The researchers’ next attempt was to attack the vacuum cleaner’s hardware. Here, they finally succeeded — by using aluminum foil to short-circuit some of the tiny contacts connecting processor to motherboard, causing the processor to enter a special mode that allows reading and even writing to flash memory directly through the USB connection.

That’s how Giese and Wegemer managed to obtain Mi Robot firmware, reverse-engineer it, and, eventually, modify and upload it to the vacuum cleaner, thereby gaining full control over the unit.

Hacking the Mi Robot wirelessly

But cracking stuff open and hacking hardware is not nearly as cool as noninvasive hacks. After reverse-engineering the device’s firmware, the researchers figured out how to hack into it using nothing more than Wi-Fi — and a couple of flaws in the firmware’s updating mechanism.

Xiaomi has implemented a pretty good firmware-update procedure: New software arrives over an encrypted connection, and the firmware package is encrypted as well. However, to encrypt update packages, Xiaomi used a static password — “rockrobo” (don’t use weak passwords, kids). That allowed the researchers to make a properly encrypted package containing their own rigged firmware.

After that, they used the security key they obtained from Xiaomi’s smartphone app to send a request to the vacuum cleaner to download and install new firmware — not from Xiaomi’s cloud but from their own server. And that’s how they hacked the device again, this time wirelessly.

Inside the Mi Robot’s firmware

Examining the firmware, Giese and Wegemer learned a couple of interesting things about Xiaomi smart devices. First, the Mi Robot firmware is basically Ubuntu Linux, which is regularly and quickly patched. Second, it uses a different superuser password for each device; there’s no master password that could be used to mass-hack a whole lot of vacuum cleaners at once. And third, the system runs a firewall that blocks all ports that could be used by hackers. Again, hats off to Xiaomi: By IoT standards, this is surprisingly good protection.

The researchers also learned something disappointing about Mi Robot, however. The device collects and uploads to Xiaomi cloud a lot of data — several megabytes per day. Along with reasonable things such as device operation telemetry, this data includes the names and passwords of the Wi-Fi networks the device connects to, and the maps of rooms it makes with its built-in lidar sensor. Even more disturbing, this data stays in the system forever, even after a factory reset. So if someone buys a used Xiaomi vacuum cleaner on eBay and roots it, they can easily obtain all of that information.

Concluding this post, it’s worth emphasizing that both of the techniques Giese and Wegemer used enabled them to hack only their own devices. The first one required physical access to the vacuum cleaner. As for the second, they had to obtain the security key to make an update request, and those keys are generated every time the device is paired with the mobile app. The security keys are unique, and it’s not that easy to get them if you don’t have access to the smartphone that is paired with the Xiaomi device you’re going to hack.

All in all, it doesn’t look like the Xiaomirai is nigh. Quite the contrary: The research shows that Xiaomi puts much more effort into security than most other smart device manufacturers do, and that is a hopeful sign for our connected future. Almost everything can be hacked, but if something takes a lot of effort to hack, it’s less likely that criminals will bother trying — they are usually after easy money.

Go to Source
Author: Alex Drozhzhin

Loapi — this Trojan is hot!

Virus writers are creating all sorts of unpleasantness for Android device owners. We all know about the theft of personal data that later turns up on the black market. And about money leaking out of credit cards. But what about a Trojan that can make your device literally go up in smoke? Well, it’s here.

How does the jack-of-all-trades Loapi operate?

Users pick up the Loapi Trojan by clicking on an ad banner and downloading a fake AV or adult-content app (the most likely vehicles for this Trojan). After installation, Loapi demands administrator rights — and it doesn’t take no for an answer; notification after notification appears on the screen until the desperate user finally gives in and taps OK.

If the smartphone owner later tries to deprive the app of administrator rights, the Trojan locks the screen and closes the settings window. And if the user tries to download apps that genuinely protect the device (for example, a real AV, not a fake one), Loapi declares them to be malware and demands their removal. Another notification to that effect pops up endlessly, until the user throws in the towel.

Icons of fake apps in which Loapi conceals itself

Because of Loapi’s modular structure, it can switch functions on the fly at a remote server’s command, downloading and installing the necessary add-ons all by itself. Let’s take a look at some consequences of an encounter with the new Trojan.

1. Unwanted ads

Loapi relentlessly plagues the owner of the infected smartphone with banner and video ads. This module of the Trojan can also download and install other apps, visit links, and open pages in Facebook, Instagram, and VKontakte — apparently to drive up various ratings.

2. Paid subscriptions

Another module of the Trojan can sign up users to paid services. Such subscriptions usually need to be confirmed by SMS — but that doesn’t stop Loapi either. It has yet another special module that sends a text message to the required number, and does so secretly. What’s more, all messages (both outgoing and incoming) are immediately deleted.

3. DDoS attacks

The Trojan can turn your phone into a zombie and hijack it to use in DDoS attacks against Web resources. To do so, it uses a built-in proxy server and sends HTTP requests from the infected device.

4. Cryptomining

Loapi also uses smartphones to mine Monero. It is this activity that can overheat the device, because the processor is kept at maximum load for hours on end. During our research, the battery of the test smartphone overcooked 48 hours after the device was infected.

5. Downloading new modules

Now for the most interesting bit. At the command of a remote center, the malware can download new modules — that is, adapt to any new cash-out strategy its creators develop. For example, one day it might transform into ransomware, spyware, or a banking Trojan. In the code of the current version, our experts discovered functions that have yet to be deployed and are clearly intended for use further down the line.

How to protect yourself from the Loapi Trojan

As is often the case, prevention is better than cure. To avoid swallowing the malware bait, observe some simple rules.

  • Install apps only from official stores. Google Play has a dedicated team responsible for catching mobile malware. Trojans do occasionally infiltrate official stores, but the chances of encountering one there are far lower than on dubious sites.
  • Disable the installation of apps from unknown sources for added security. To do so, in Settings go to Security and ensure that the Unknown sources check box is not selected.
  • Don’t install what you don’t really need. As a general rule, the fewer applications you install, the more secure your device is.
  • Get a reliable and proven AV for Android and regularly scan your device with it. Even free applications, such as the basic version of Kaspersky Internet Security for Android, offer good protection.

Go to Source
Author: Anna Markovskaya

LokiBot: If not stealing, then extorting

Remember the Hydra of ancient mythology? The many-headed serpent that grew two heads when one was chopped off? A similarly dangerous beast has appeared in the Android malware zoo.


LokiBot as a banking Trojan

How do ordinary banking Trojans behave? They present the user with a fake screen that simulates the mobile banking interface. Unsuspecting victims enter their login credentials, which the malware redirects to the attackers, giving them access to the accounts.

How does LokiBot behave? Roughly the same way, but it simulates not only a banking app screen, but also WhatsApp, Skype, and Outlook client interfaces, displaying notifications purporting to come from these applications.

This means that a person can receive a fake notification, supposedly from their bank, saying that funds have been transferred to their account, and, seeing the good news, log in to the mobile banking client for confirmation. LokiBot even makes the smartphone vibrate when it displays the notification about the alleged transfer, which helps hoodwink even clued-in users.

But LokiBot has other tricks in store: It can open a browser, navigate to specific pages, and even use an infected device to send spam, which is basically how it distributes itself. Having pinched money from your account, LokiBot keeps going, sending a malicious SMS to all contacts in the phone book to infect as many smartphones and tablets as possible, and even replying to incoming messages if necessary.

If an attempt is made to remove LokiBot, the malware reveals another facet: To steal funds from a bank account, it needs administrator rights; if you try to deny it permission, it mutates from a banking Trojan into ransomware.


LokiBot as ransomware: how to unlock an infected smartphone

In this case, LokiBot locks the screen and displays a message accusing the victim of viewing child pornography and demanding ransom; it also encrypts data on the device. Examining LokiBot’s code, researchers discovered that it uses weak encryption and doesn’t work properly; the attack leaves unencrypted copies of all files on the device, only under different names, so restoring the files is relatively simple.

However, the device screen is still locked, and the malware creators ask for about $100 in Bitcoin to unlock it. But you don’t have to oblige: After rebooting the device in safe mode, you can strip the malware of administrator rights and delete it. To do so, you first need to determine which version of Android you have:

  • Select Settings.
  • Select the General tab.
  • Select About the device.
  • Find the line Android version — the numbers below it indicate your OS version.

To enable safe mode on a device with Version 4.4 to 7.1, do the following:

  • Press and hold the power button until a menu appears with the option Power off or Disconnect power source.
  • Press and hold Power off or Disconnect power source.
  • In the Turn on safe mode menu that appears, click OK.
  • Wait for the phone to reboot.

Owners of devices with other versions of Android should look online for information about how to enable safe mode for their particular phone.

Unfortunately, not everyone knows about this method of killing the malware: LokiBot victims have already coughed up nearly $1.5 million. And with LokiBot available on the black market for a mere $2,000, it is likely that the criminals responsible have repaid their investment many times over.


How to protect against LokiBot

In effect, the measures that can be taken to protect against LokiBot are applicable to any mobile malware. Here’s how to protect yourself:

– Never click on suspicious links — that’s how LokiBot spreads.

– Download apps only via Google Play — but be cautious even in the official store.

– Install a reliable security solution on your smartphone and tablet. Kaspersky Internet Security for Android detects all variants of LokiBot. With the paid version, there’s no need to scan the smartphone after installing each new application.

Go to Source
Author: Alexandra Golovina

CryptoShuffler: Trojan stole $140,000 in Bitcoin

Imagine that one day you decide to use Bitcoin to pay for, say, a pizza. You copy the wallet address from the pizzeria’s website, enter the required amount, and click the Send button. The transfer goes through, but the pizza doesn’t arrive. The pizzeria owners say they never received the payment. What’s going on? Don’t get mad at the pizza guys — it’s all down to CryptoShuffler.

Unlike cryptoransomware, this Trojan avoids flashy effects, instead doing its best to slip under the radar. It resides quietly in the computer’s memory and monitors the clipboard — the temporary storage area for cut/paste operations.

As soon as CryptoShuffler spots the address of a cryptocurrency wallet on the clipboard (it’s quite easy to distinguish these addresses by line length and specific characters), it replaces the address with another. As a result, the cryptocurrency transfer does indeed go through, and in the amount specified by the payer, only the recipient is not the pizzeria, but the intruders behind CryptoShuffler.
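The two points above, that an address is recognizable from its length and character set alone, and that the swapped-in address goes through as a perfectly normal transaction, are worth seeing in code. The following is an added example written for this page, not CryptoShuffler's code or any Kaspersky tool: it classifies clipboard text as a Bitcoin or Ethereum address with the same kind of pattern test the Trojan needs, implements Base58Check validation to show that a checksum catches typos but not a deliberately substituted address, and then does the check that actually helps, comparing what is about to be pasted with what was copied. The addresses it builds are constructed from dummy hashes.

```python
import hashlib
import re

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I, l).
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Coarse "looks like a wallet address" patterns: a length and character-class
# test is all a clipboard hijacker needs. Only legacy Base58 Bitcoin and
# 0x-prefixed Ethereum are covered here; other coins would get their own rows.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str):
    """Return the currency whose address format `text` matches, else None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58[rem] + digits
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + digits  # each leading zero byte becomes a '1'


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def encode_base58check(payload: bytes) -> str:
    """payload = version byte + 20-byte hash; Bitcoin appends a 4-byte checksum."""
    return b58encode(payload + sha256d(payload)[:4])


def is_valid_btc(addr: str) -> bool:
    """Base58Check validation. This catches a mistyped character; it says
    nothing about whether the address is the one the user meant to pay."""
    if not all(ch in B58 for ch in addr):
        return False
    raw = b58decode(addr)
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):  # P2PKH or P2SH version byte
        return False
    return sha256d(raw[:-4])[:4] == raw[-4:]


def detect_substitution(copied: str, about_to_paste: str) -> bool:
    """True when the user copied an address, the clipboard still holds an
    address of the same currency, but the value changed: the CryptoShuffler
    pattern. The comparison is against what was copied, not the checksum,
    because the attacker's address is just as valid as the merchant's."""
    kind = classify(copied)
    if kind is None:
        return False
    return classify(about_to_paste) == kind and copied.strip() != about_to_paste.strip()


if __name__ == "__main__":
    # Constructed addresses: an all-zero hash for the "merchant" and a dummy
    # hash for the "attacker". Both pass Base58Check.
    merchant = encode_base58check(b"\x00" + bytes(20))
    attacker = encode_base58check(b"\x00" + bytes([0x11]) * 20)
    print("merchant", merchant, is_valid_btc(merchant))
    print("attacker", attacker, is_valid_btc(attacker))
    print("substituted:", detect_substitution(merchant, attacker))
```

The practical lesson is the last function: a wallet or payment page cannot tell a swapped address from a real one by looking at the address, so the only reliable check is to compare the pasted value with the one shown on the merchant's page (or the first and last few characters of it) before clicking Send.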

Having studied the Trojan, Kaspersky Lab discovered that the malware targets not only Bitcoin, but also Ethereum, Zcash, Monero, Dash, Dogecoin (yes, it’s real), and other cryptocurrencies as well. Substituting Bitcoin wallets is the Trojan’s most lucrative activity — at the time of publication the attackers had snagged slightly more than 23 BTC (about $140,000 at the current exchange rate).

The other cryptocurrency wallets belonging to CryptoShuffler’s creators were found to contain sums ranging from tens to thousands of dollars.

It took the Trojan a little more than a year to collect that money. Peak activity in late 2016 was followed by a slump, but then in June 2017, CryptoShuffler reawakened.

This Trojan clearly demonstrates that an infected computer or smartphone will not necessarily slow down or display ransom messages. On the contrary, many kinds of malware try to keep a low profile and to operate as stealthily as possible; the longer they remain undetected, the more money they will make for their creators.

So our advice to all cryptocurrency users is to remain vigilant and get protected. Our products detect CryptoShuffler as Trojan-Banker.Win32.CryptoShuffler.gen, and, needless to say, block all its actions.

Go to Source
Author: Marvin the Robot

KRACK: Your Wi-Fi is no longer secure

Most vulnerabilities go unnoticed by the majority of the world’s population even if they affect several million people. But this news, published today, is probably even bigger than the recently disclosed Yahoo breach and affects several billion people all over the world: Researchers have found a bunch of vulnerabilities that make all Wi-Fi networks insecure.

A paper published today describes how virtually any Wi-Fi network that relies on WPA or WPA2 encryption can be compromised. And with WPA being the standard for modern Wi-Fi, that means pretty much every Wi-Fi network in the world is vulnerable.

The research is quite complicated, so we won’t go through it in detail and will just briefly highlight the main findings.

How KRACK works

Researchers have found out that devices based on Android, iOS, Linux, macOS, Windows, and some other operating systems are vulnerable to some variation of this attack, and that means almost any device can be compromised. They called this type of attack a key reinstallation attack, or KRACK for short.

In particular, they describe how an attack on Android 6 devices works. To execute it, the attacker has to set up a Wi-Fi network with the same name (SSID) as that of an existing network and target a specific user. When the attacker detects that the user is about to connect to the original network, they can send special packets that make the device switch to another channel and connect to the fake network with the same name.

After that, using a flaw in the implementation of the encryption protocols they can change the encryption key the user was using to a string of zeroes and thus access all of the information that the user uploads or downloads.
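What "key reinstallation" does to the encryption is easiest to see in a small model. The following is an added example written for this page, not the researchers' code or any real Wi-Fi stack: a toy supplicant that installs the temporal key and resets its packet number when message 3 of the 4-way handshake arrives, exactly as the standard says, and so does it again when an attacker replays message 3. The cipher is a constructed HMAC-based keystream standing in for CCMP's AES-CTR; the property that matters, same key and same nonce giving the same keystream, is the real one. Three client behaviours are modelled: the generic vulnerable one (nonce reuse lets an attacker with one known frame recover another), the Android 6 / wpa_supplicant behaviour described above (the key becomes all zeros, so the attacker needs no known plaintext at all), and a patched client that refuses to reinstall a key already in use.

```python
import hashlib
import hmac

TK_LEN = 16  # CCMP temporal key length


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Constructed stand-in for the CCMP keystream: HMAC-SHA256(key, nonce||counter)
    blocks. Not the real cipher; it only needs to be deterministic in (key, nonce)."""
    out = b""
    counter = 0
    while len(out) < length:
        block_input = nonce.to_bytes(6, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the 4-way handshake, reduced to what KRACK touches.

    mode "vulnerable": reinstalls the key and resets the nonce on a
                       retransmitted message 3 (the generic KRACK condition).
    mode "zero_key":   like "vulnerable", but the TK was wiped from memory
                       after the first install, so the reinstall sets an
                       all-zero key (the Android 6 behaviour described above).
    mode "patched":    ignores message 3 once the key is installed.
    """

    def __init__(self, mode: str):
        self.mode = mode
        self.tk = None
        self.nonce = 0

    def handle_msg3(self, tk: bytes) -> None:
        if self.tk is not None:
            if self.mode == "patched":
                return
            if self.mode == "zero_key":
                tk = bytes(TK_LEN)
        self.tk = tk
        self.nonce = 0  # installing a key restarts the packet number

    def encrypt(self, plaintext: bytes):
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.tk, self.nonce, len(plaintext)))


def recover_from_nonce_reuse(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    """c1 ^ c2 == p1 ^ p2 when both frames used the same key and nonce,
    so one known plaintext gives the other."""
    return xor(xor(c1, c2), known_p1)


def decrypt_with_zero_key(nonce: int, ciphertext: bytes) -> bytes:
    return xor(ciphertext, keystream(bytes(TK_LEN), nonce, len(ciphertext)))


KNOWN = b"GET / HTTP/1.1"   # constructed: a frame whose content is guessable
SECRET = b"pw=hunter2!!!!"  # constructed: the frame the attacker is after


def run(mode: str) -> dict:
    tk = hashlib.sha256(b"constructed pairwise transient key").digest()[:TK_LEN]
    sta = Supplicant(mode)
    sta.handle_msg3(tk)                 # handshake completes normally
    n1, c1 = sta.encrypt(KNOWN)
    sta.handle_msg3(tk)                 # attacker replays message 3
    n2, c2 = sta.encrypt(SECRET)
    return {
        "nonces": (n1, n2),
        "from_nonce_reuse": recover_from_nonce_reuse(c1, KNOWN, c2),
        "from_zero_key": decrypt_with_zero_key(n2, c2),
    }


if __name__ == "__main__":
    for mode in ("vulnerable", "zero_key", "patched"):
        print(mode, run(mode))
```

Running it shows the three outcomes side by side: the vulnerable client encrypts both frames under nonce 1, so the known-plaintext recovery yields the secret; the zero-key client is worse, because the second frame decrypts directly with an all-zero key; the patched client moves on to nonce 2 and neither trick works. The fix in real clients is the same one-line idea as the "patched" branch: never install a key that is already in use.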

One may argue that there’s another layer of security — the encrypted connection to a site, e.g., SSL or HTTPS. However, a simple utility called SSLstrip set up on the fake access point is enough to force the browser to communicate with unencrypted, HTTP versions of websites instead of encrypted, HTTPS versions, in cases where encryption is not correctly implemented on a site (for example, where the site does not use HSTS to tell the browser never to fall back to HTTP) — and that is true for quite a lot of websites, including some very big ones.

So, by using this utility in their fake network, the attacker can access the users’ logins and passwords in plain text, which basically means stealing them.


What can you do to secure your data?

The fact that almost every device in almost every Wi-Fi network is vulnerable to KRACK sounds quite scary, but — like pretty much any other type of attack — this one is not the end of the world. Here are a couple of tips on how to stay safe from KRACK attacks in case anyone decides to use them against you.

  • Always check to make sure there’s a green lock icon in the address bar of your browser. That lock indicates that an HTTPS (encrypted and therefore secure) connection to this particular website is being used. If someone attempts to use SSLstrip against you, the browser will be forced to use HTTP versions of websites, and the lock will disappear. If the lock is in place, your connection is still secure.
  • The researchers warned device and software vendors (and the Wi-Fi Alliance, which certifies Wi-Fi products) in advance of releasing their paper, so most of them should be in the process of issuing updates that fix the key reinstallation. Note that KRACK is mostly a client-side flaw: the update that matters most is the one for your phone, laptop, or other Wi-Fi client, not just the router. So check if there are fresh firmware and operating-system updates for your devices and install them as soon as possible.
  • You can secure your connection using a VPN, which adds another layer of encryption to the data transferred from your device. You can read more on what a VPN is and how to choose one, or grab Kaspersky Secure Connection right away.

Author: Alex Perekalin

NRansom: Ransomware that demands your nudes

Ransomware has been called the scourge of the Internet for quite a while. It’s really one of the twenty-first century’s main cyberthreats, and recently it has taken … quite a turn. Researchers from MalwareHunterTeam have discovered a new strain of ransomware, called nRansom, that blocks victims’ computers, but instead of requiring money to unlock the computer, it demands nude photos.

This ransomware seems to be not a cryptor, but rather a blocker, which means that in case of infection it doesn’t encrypt your files, but simply blocks access to your computer. The ransom note that appears on the screen informs victims that the only way to get back access to their computers is to send the aforementioned pictures: ten of them, nude, and demonstrably of the victims.

They state that they will somehow verify those nudes really belong to the victim before sending the code that unlocks the computer.

At this point, nRansom has been seen only as a file called nRansom.exe, which means it affects only Windows users.

We can only speculate on what the criminals are planning to do with any photos they manage to get. They’ll probably use the pictures to shame the victims and extort either more nudes or money.

As always, we advise you not to pay the ransom if your computer gets infected. The word “pay” in this case is as legitimate as in any other; private information is no less payment than money.

Kaspersky Internet Security detects nRansom as Trojan-Ransom.MSIL.Agent.zz and neutralizes it right away. In case the blocker has somehow sneaked onto your PC, you can unblock the computer by pressing Ctrl + Alt + Shift + F4 simultaneously. It’s necessary to run a full scan of your system after that. You can read more about that here.

That technique is available in all of our flagship security solutions, and it works against all blockers, in case they somehow get onto your computer. However, if you always keep protection running, that scenario is highly unlikely; Kaspersky Internet Security neutralizes almost all ransomware species before they can do anything at all, and any that manage to sneak in under the radar are detected by System Watcher when they attempt to do anything malicious.

Author: John Snow

Bulk messaging malware in Facebook Messenger

Some time ago, an antivirus expert from our Global Research and Analysis Team, David Jacoby, discovered multiplatform malware that was distributed through Facebook Messenger. A few years ago, similar outbreaks were occurring quite often, but none have appeared lately; Facebook was doing a lot to prevent similar attacks.

First a preliminary report was published. At that time, Jacoby still had not had enough time to research many details about how the malware operated, but now he has, and we are ready to share them. From a user’s perspective, here’s how the infection progressed.

  • The user received a message in Facebook Messenger from a friend. The message contained the word “Video,” the name of the sender, a random smiley, and a short link. It might look like this, for example:
  • The link redirected to Google Drive, where the user saw something resembling a video player with a picture of the original sender in the background and what looked like a Play button.
  • If the victim attempted to play back the “video” in Google Chrome, they were redirected to a page that looked much like a YouTube page and offered to install an extension for Chrome.
  • If the user agreed to the installation, then the extension began to send out malicious links to their friends — and the same sequence repeated for each of them.
  • Users of other browsers were persistently reminded to update their Adobe Flash Player instead of being offered the extension. The file they downloaded turned out to be adware — essentially, malefactors used advertisements to earn their money.

Jacoby, along with Frans Rosen, a researcher with whom he has been working on a project called “Hunting bugs for humanity,” have analyzed this malicious campaign and worked out how it operates.

The page that users were redirected to after following the link in Facebook Messenger was basically a PDF file that had been published to Google Drive. It opened as a preview. The file had a picture from a user’s Facebook page — the user whose identity was used to spread the malware — an icon for playing back the video shown over the picture, and the link that the victim opened by trying to click the playback button.

Clicking the link led friends of the victim to this page.

The link caused several redirections, landing the user on one of several websites. Victims using browsers other than Google Chrome ended up on a website offering to download adware masked as an update for Adobe Flash Player.

Browsers other than Google Chrome offered to download adware disguised as Adobe Flash Player.

In the case of Chrome, that was just the beginning: If the victim agreed to install the extension offered on the landing page, it began monitoring what websites the user opened. As soon as the victim navigated to Facebook, the extension stole their login credentials and the access token and sent them to the malefactors’ server.
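An extension can only watch every page a user opens and read site credentials or tokens if it is granted broad host access plus the relevant APIs. The following added example (not code from the article or from Kaspersky; the sample manifest is constructed and the risk labels are my own assessment) flags such permission combinations in an extension's manifest.json before installation:

```python
"""Flag browser-extension manifest permissions that together allow
observing navigation and reading cookies or tokens on arbitrary sites.
Added example, not from the original article; the sample manifest at the
bottom is constructed for illustration."""
import json

# Permissions that become dangerous when paired with broad host access.
# The explanations are this example's own assessment, not from the page.
SENSITIVE = {
    "webRequest": "can observe every request the browser makes",
    "webRequestBlocking": "can intercept or alter requests before they are sent",
    "cookies": "can read session cookies for permitted hosts",
    "tabs": "can see the URL of every open tab",
    "webNavigation": "can watch navigation events across sites",
    "history": "can read browsing history",
}
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def broad_host_access(manifest):
    """True if the extension asks for access to content on any site."""
    scopes = list(manifest.get("permissions", []))
    scopes += list(manifest.get("host_permissions", []))  # MV3 style
    for script in manifest.get("content_scripts", []):
        scopes.extend(script.get("matches", []))
    return any(s in BROAD_HOSTS for s in scopes)


def assess_manifest(manifest_json):
    """Return (risk, findings); risk is 'high', 'medium' or 'low'."""
    manifest = json.loads(manifest_json)
    perms = set(manifest.get("permissions", []))
    sensitive = [f"{p}: {why}" for p, why in SENSITIVE.items() if p in perms]
    broad = broad_host_access(manifest)
    findings = sensitive + (["host access to all sites"] if broad else [])
    if sensitive and broad:   # can both watch navigation and reach every site
        return "high", findings
    if sensitive or broad:
        return "medium", findings
    return "low", findings


SAMPLE_MANIFEST = json.dumps({  # constructed example, not a real extension
    "manifest_version": 2, "name": "Video Player Helper",
    "permissions": ["tabs", "cookies", "webRequest", "<all_urls>"],
    "content_scripts": [{"matches": ["*://*.facebook.com/*"], "js": ["cs.js"]}],
})

if __name__ == "__main__":
    print(assess_manifest(SAMPLE_MANIFEST))
```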

A fake YouTube page offering to install Google Chrome extensions.

The crooks had found an interesting bug in Facebook. As it turned out, the insecure Facebook Query Language (FQL), which was disabled a year ago, was not completely wiped out; it was blocked for applications, but with a few exceptions. For example, Facebook Pages Manager, a macOS application, still uses FQL. Thus, to gain access to the “locked out” feature, the malware simply had to act on behalf of that application.

By using the stolen credentials and accessing the obsolete Facebook feature, the crooks could request that the social network send them the contact list of the victim, cull those who were not currently online, and randomly select 50 new victims from the remainder. Then, those users were bulk-messaged with a new link to Google Drive with a PDF file preview generated with the picture of the person on whose behalf the new messaging wave commenced. All in all, a vicious cycle.

It is worth noting that among other things, the malicious script “liked” a specific Facebook page, apparently to collect statistics for the infection. In the course of the attack, Jacoby and Rosen observed, the malefactors changed several of the specific pages, possibly as Facebook closed the previous ones. Judging by the number of “likes,” there were tens of thousands of victims.

One of the pages that infected users “liked.”

Their analysis of the code revealed that the malefactors were initially planning to use localized messages but then changed their minds and resorted to the short and simple “Video.” The localization function’s code showed that the crooks were primarily interested in Facebook users from several European countries such as Turkey, Italy, Germany, Portugal, France (also, francophone Canada), Poland, Greece, and Sweden, and in all countries with English-speaking users.

The mutual effort of several companies has put an end to the infection’s spread for now. Nonetheless, this story is a great reminder that extensions for browsers are not as harmless as they may seem. To stay safe and not fall victim to similar malicious campaigns, avoid installing browser extensions without absolute confidence that they are safe, that they will not steal your data, and that they won’t track your online activities.

Also, clicking every link, even links that seem to be from someone you know, is out of the question. It is always a good idea to make sure that it is really your friend on the other end of the line, not some criminal who took control of your friend’s account.

Author: Alex Drozhzhin