CoinVault: Caught red-handed

Way back in 2015, Kaspersky Lab helped Dutch cyberpolice catch the creators of one of the very first pieces of ransomware, CoinVault. The decryptor we developed for it inspired the NoRansom portal, where we upload tools for unlocking files after various encryption attacks. Although CoinVault’s creators were caught a while ago, the first court hearing took place recently, and our expert Jornt van der Wiel attended.

CoinVault ran riot in 2014 and 2015 through dozens of countries around the world. Our experts estimate the number of victims at more than 10,000. Behind the attacks were two Dutch brothers, aged 21 and 25, who developed and distributed the Trojan. Every victim received a ransom demand for 1 bitcoin, which at the time was worth about 200 euros. The pair snagged about 20,000 euros as a result.

CoinVault was ahead of its time. In addition to encryption, it had features that we still see in ransomware Trojans today. For example, the victim was allowed to decrypt one file free. Mentally, this plays into the hands of the cybercriminals: When victims realize they are one click away from recovering their vital data, the temptation to pay up becomes stronger. The on-screen timer is another of CoinVault’s psychological teasers, inexorably counting down to a higher ransom demand.


Double Dutch

We studied CoinVault and described its structure in detail in late 2014. The malware authors took great pains to hide it from security solutions and hinder its analysis. The ransomware can determine, for example, whether it is being run in a sandbox, and its code is heavily obfuscated.

Nevertheless, our experts were able to get to the source code and find a clue that ultimately led to the criminals’ arrest: It contained some comments in Dutch. It was fairly likely that the malware hailed from the Netherlands.

We passed the information to the Dutch cyberpolice, and within a few months they reported the successful capture of the campaign masterminds. Thanks to our cooperation with the Dutch police, we managed to obtain the keys from the C&C server and develop a data decryption tool.


Lady Justice weighs the evidence

The police collected almost 1,300 statements from victims of the ransomware. Some of them appeared in court personally to demand compensation. One victim, for example, had their vacation ruined by the ransomware. They estimated the damage at 5,000 euros, saying that this sum would enable them to pay for another trip.

Another victim asked for the ransom to be paid back in the same coin — bitcoin. Since the attack, the cryptocurrency exchange rate has risen almost thirtyfold, so if the court satisfies the claim, it will be the first time that an injured party has earned money from a ransomware attack.

At the recent hearing, the prosecutors demanded punishment in the form of three months’ imprisonment, followed by a nine-month suspended sentence and 240 hours’ community service. The defense asked the court not to put the brothers behind bars, arguing that the defendants had cooperated with the investigation, plus one is irreplaceable in his current job and the other is in college. The verdict will be delivered at the next hearing, on July 26.


Trespassers will be prosecuted

We always say that giving in to criminals only encourages them. The trial of the CoinVault creators shows that even seemingly anonymous cybercriminals cannot escape punishment. But instead of waiting three years for justice, it’s better to protect yourself in advance. Remember our standard tips:

  • Don’t click on suspicious links and don’t open suspicious e-mail attachments.
  • Make regular backups of important files.
  • Use a reliable security solution.

Go to Source
Author: Anna Markovskaya

Rakhni Trojan: To encrypt and to mine

We recently posted that ransomware is giving way to miners at the top of the online threat rankings. In line with this trend, the Trojan ransomware Rakhni, which we’ve been watching since 2013, has added a cryptocurrency mining module to its arsenal. What’s interesting is that the malware loader is able to choose which component to install depending on the device. Our researchers figured out how the updated malware works and where the danger lies.

Our products spotted Rakhni in Russia, Kazakhstan, Ukraine, Germany, and India. The malware is distributed mainly through spam mailings with malicious attachments. The sample that our experts studied, for example, was disguised as a financial document. This suggests that the cybercriminals behind it are primarily interested in corporate “clients.”

A DOCX attachment in a spam e-mail contains a PDF document. If the user allows editing and tries to open the PDF, the system requests permission to run an executable file from an unknown publisher. With the user’s permission, Rakhni swings into action.


Like a thief in the night

When it’s started, the malicious PDF file appears to be a document viewer. First, the malware shows the victim an error message explaining why nothing has opened. Next, it disables Windows Defender and installs forged digital certificates. Only when the coast seems clear does it decide what to do with the infected device — encrypt files and demand ransom or install a miner.

Finally, the malicious program tries to spread to other computers inside the local network. If company employees have shared access to the Users folder on their devices, the malware copies itself onto them.


Mine or encrypt?

The selection criterion is simple: If the malware finds a service folder called Bitcoin on the victim’s computer, it runs a piece of ransomware that encrypts files (including Office docs, PDFs, images, and backups) and demands a ransom payment within three days. Details of the ransom, including how much, the cybercriminals kindly promise to send by e-mail.

If there are no Bitcoin-related folders on the device, and the malware believes it has enough power to handle cryptocurrency mining, it downloads a miner that surreptitiously generates Monero, Monero Original, or Dashcoin tokens in the background.


Go to Source
Author: Julia Glazova

Data-thieving Chrome extension

Owners of software stores (Google, Apple, Amazon, et al.) have to fight malware just as intensely as security solution vendors do. Like any circle, the process is never-ending: Cybercriminals write malware that worms its way into online stores, whereupon it gets named and shamed (not to mention deleted), the security policy is updated to avoid repeat incidents, and the cybercriminals contrive a way to sneak their creation past the new policy into the store.


We always recommend installing apps from official sources only, but that doesn’t mean that such sites are malware-free, just that there’s less of it than elsewhere. And although Google Play is fairly safe, the Chrome Web Store is a different kettle of piranha. In it, our experts recently discovered a malicious extension that targets users’ bank data.

A Trojan banker in your browser

The culprit was an extension named “Desbloquear Conteúdo” (Portuguese for “Unblock contents”), which essentially carried out a man-in-the-middle attack. When the user visited their bank’s website, a malicious script redirected the traffic through a proxy server belonging to the cybercriminals, allowing them to analyze it and pick out what they wanted.

The malware also contained scripts designed to extract certain information entered by users online. For example, when a user signed visited the bank’s login web-page, the malware used a screen overlay perfectly matching the bank’s interface but replacing the login, password, and one-time confirmation code fields with its own. When the user pressed the login button, the malware copied the data for itself.

The domain on which the crooked C&C server was located used the same IP address as other domains previously exposed as malicious, which was one of the reasons the scheme caught our researchers’ attention. Once they’d confirmed their suspicions, the researchers contacted Google, and the malware was quickly removed from the Chrome Web Store.

Remember that during installation, Chrome extensions request access permissions that often give them near-limitless powers on your computer. Most malicious programs need just one permission: “Read and change all your data on the websites you visit” — which is pretty powerful.

So, handle extensions with extreme caution — they’re not necessarily benign, although they’re so easy to install, it’s easy to assume they can’t be powerful or do any harm.

Protecting against malicious browser extensions

Here are some tips that will help fend off malware masquerading as a handy browser extension:

  • Install only extensions that you trust completely. There is no one perfect test for trust, unfortunately, but at least stick to extensions supplied by reputable developers.
  • Don’t add extra extensions if you have no real need for them.
  • If an extension is no longer necessary, remove it. You can always install it again if need be.
  • Use a tried-and-tested security solution such as Kaspersky Internet Security. All new Chrome extensions are automatically sent to us for analysis, so even in the very latest extensions, malware has no place to hide.

Go to Source
Author: Marvin the Robot

Cryakl/Fantomas victims rescued by new decryptor

The No More Ransom project for assisting victims of ransomware has good news to report: The Belgian police, in cooperation with Kaspersky Lab, managed to obtain keys for recovering files encrypted with new versions of Cryakl ransomware, also known as Fantomas. The updated decryption tool is already available on the project’s website.

How to decrypt files encrypted by the Shade ransomware

What is Cryakl?

The Trojan ransomware Cryakl (Trojan-Ransom.Win32.Cryakl) has been . At first, it was distributed through attached archives in e-mails that appeared to come from an arbitration court in connection with some alleged wrongdoing. There is something about such messages that sets nerves to jangling, and even those who know better might be inclined to click on the attachment. Later, the e-mails diversified, looking like messages from other organizations, such as a local homeowners’ association.

When encrypting files on a victim’s computer, Cryakl creates a long key that it sends to a command-and-control C&C server. Without this key, it is nearly impossible to recover files impacted by the malware. After that, Cryakl replaces the desktop wallpaper with contact details for its creators together with a ransom demand. Cryakl also displays an image of the mask of the 1964 French movie villain Fantomas, hence its alternative name. Cryakl mostly targeted users in Russia, so information about it is mostly available in Russian.

Ransomware’s history and evolution in facts and figures

Success story

As we already said, the joint efforts of our experts and Belgian police resulted in obtaining the master keys. The investigation began when the computer crime unit learned about victims of the ransomware in Belgium, and then they discovered a C&C server in a neighboring country. An operation led by the Belgian federal prosecutor neutralized the server, along with several other C&C servers that received master keys from infected machines. Then Kaspersky Lab stepped in to assist the law enforcement agencies, not for the first time. As before, the results were first-class: Our experts helped analyze the data found and extract the decryption keys.

The keys have already been added to the RakhniDecryptor tool on the No More Ransom website, and the Belgian federal police is now an official partner of the project. No More Ransom, which has been running since July 2016, has to date provided free help to tens of thousands of people in decrypting files rendered unusable by ransomware, and deprived cyberblackmailers of at least 10 million euros of potential booty.

No More Ransom: A very productive year

How to rescue files encrypted by Cryakl ransomware

The No More Ransom site offers two tools for decrypting files corrupted by Cryakl. One, named RannohDecryptor and around since 2016, is for older versions of Cryakl. You can download it at, and get decryption instructions here.

We recently updated the second tool, RakhniDecryptor, by adding the master keys from the servers seized by the Belgian police. It can be downloaded from the same site; instructions are available here. RakhniDecryptor is needed to decrypt files hit by newer versions of Cryakl. Either one of the tools should restore Cryakl-infected files to full health.

How to stay safe in the future

When dealing with cryptoransomware, prevention is far cheaper and simpler than a cure. In other words, it’s better to secure yourself now and sleep easy than to mess around with file decryption. We’d like to share a few preemptive file protection tips:

1. Always keep a copy of your most important files somewhere else: in the cloud, on another drive, on a memory stick, or on another computer. More details about backup options are available here.

2. Use reliable AV software. Some security solutions — for example, Kaspersky Total Security — can also assist with file backup.

3. Don’t download programs from suspicious sources. Their installers might contain something you’d rather not have on your computer.

4. Don’t open attachments in e-mails from unknown senders, even if they look important and credible. If in doubt, look up the phone number on the organization’s official website and call to check.

Go to Source
Author: Anna Markovskaya

Skygofree — a Hollywood-style mobile spy

Most Trojans are basically the same: Having penetrated a device, they steal the owner’s payment information, mine cryptocurrency for the attackers, or encrypt data and demand a ransom. But some display capabilities more reminiscent of Hollywood spy movies.

We recently discovered one such cinematic Trojan by the name of Skygofree (it doesn’t have anything to do with the television service Sky Go; it was named after one of the domains it used). Skygofree is overflowing with functions, some of which we haven’t encountered elsewhere. For example, it can track the location of a device it is installed on and turn on audio recording when the owner is in a certain place. In practice, this means that attackers can start listening in on victims when, say, they enter the office or visit the CEO’s home.

Another interesting technique Skygofree employs is surreptitiously connecting an infected smartphone or tablet to a Wi-Fi network controlled by the attackers — even if the owner of the device has disabled all Wi-Fi connections on the device. This lets the victim’s traffic be collected and analyzed. In other words, someone somewhere will know exactly what sites were looked at and what logins, passwords, and card numbers were entered.

The malware also has a couple of functions that help it operate in standby mode. For example, the latest version of Android can automatically stop inactive processes to save battery power, but Skygofree is able to bypass this by periodically sending system notifications. And on smartphones made by one of the tech majors, where all apps except for favorites are stopped when the screen is turned off, Skygofree adds itself automatically to the favorites list.

The malware can also monitor popular apps such as Facebook Messenger, Skype, Viber, and WhatsApp. In the latter case, the developers again showed savvy — the Trojan reads WhatsApp messages through Accessibility Services. We have already explained how this tool for visually or aurally impaired users can be used by intruders to control an infected device. It’s a kind of “digital eye” that reads what’s displayed on the screen, and in the case of Skygofree, it collects messages from WhatsApp. Using Accessibility Services requires the user’s permission, but the malware hides the request for permission behind some other, seemingly innocent, request.

Last but not least, Skygofree can secretly turn on the front-facing camera and take a shot when the user unlocks the device — one can only guess how the criminals will use these photos.

However, the authors of the innovative Trojan did not dispense with more mundane features. Skygofree can also to intercept calls, SMS messages, calendar entries, and other user data.

The promise of fast Internet

We discovered Skygofree recently, in late 2017, but our analysis shows the attackers have been using it — and constantly enhancing it — since 2014. Over the past three years, it has grown from a rather simple piece of malware into full-fledged, multifunctional spyware.

The malware is distributed through fake mobile operator websites, where Skygofree is disguised as an update to improve mobile Internet speed. If a user swallows the bait and downloads the Trojan, it displays a notification that setup is supposedly in progress, conceals itself from the user, and requests further instructions from the command server. Depending on the response, it can download a variety of payloads — the attackers have solutions for almost every occasion.

Forewarned is forearmed

To date, our cloud protection service has logged only a few infections, all in Italy. But that doesn’t mean that users in other countries can let their guard down; malware distributers can change their target audience at any moment. The good news is that you can protect yourself against this advanced Trojan just like any other infection:

  1. Install apps only from official stores. It’s wise to disable installation of apps from third-party sources, which you can do in your smartphone settings.
  2. If in doubt, don’t download. Pay attention to misspelled app names, small numbers of downloads, or dubious requests for permissions — any of these things should raise flags.
  3. Install a reliable security solution — for example, Kaspersky Internet Security for Android. This will protect your device from most malicious apps and files, suspicious websites, and dangerous links. In the free version scans must be run manually; the paid version scans automatically.

  1. We recommend that business users deploy Kaspersky Security for Mobile — a component of Kaspersky Endpoint Security for Business — to protect the phones and tablets employees use at work.

Go to Source
Author: Anna Markovskaya

Loapi — this Trojan is hot!

Virus writers are creating all sorts of unpleasantness for Android device owners. We all know about the theft of personal data that later turns up on the black market. And about money leaking out of credit cards. But what about a Trojan that can make your device literally go up in smoke? Well, it’s here.

How does jack-of-all-trades Loapi operate

Users pick up the Loapi Trojan by clicking on an ad banner and downloading a fake AV or adult-content app (the most likely vehicles for this Trojan). After installation, Loapi demands administrator rights — and it doesn’t take no for an answer; notification after notification appears on the screen until the desperate user finally gives in and taps OK.

If the smartphone owner later tries to deprive the app of administrator rights, the Trojan locks the screen and closes the settings window. And if the user tries to download apps that genuinely protect the device (for example, a real AV, not a fake one), Loapi declares them to be malware and demands their removal. Another notification to that effect pops up endlessly, until the user throws in the towel.

Icons of fake apps in which Loapi conceals itself

Because of Loapi’s modular structure, it can switch functions on the fly at a remote server’s command, downloading and installing the necessary add-ons all by itself. Let’s take a look at some consequences of an encounter with the new Trojan.

1. Unwanted ads

Loapi relentlessly plagues the owner of the infected smartphone with banner and video ads. This module of the Trojan can also download and install other apps, visit links, and open pages in Facebook, Instagram, and VKontakte — apparently to drive up various ratings.

2. Paid subscriptions

Another module of the Trojan can sign up users to paid services. Such subscriptions usually need to be confirmed by SMS — but that doesn’t stop Loapi either. It has yet another special module that sends a text message to the required number, and does so secretly. What’s more, all messages (both outgoing and incoming) are immediately deleted.

3. DDoS attacks

The Trojan can turn your phone into a zombie and hijack it to use in DDoS attacks against Web resources. To do so, it uses a built-in proxy server and sends HTTP requests from the infected device.

4. Cryptomining

Loapi also uses smartphones to mine Monero tokens. It is this activity that can overheat your device as a result of the prolonged operation of the processor at maximum load. During our research, the battery of the test smartphone overcooked 48 hours after the device was infected.

5. Downloading new modules

Now for the most interesting bit. At the command of a remote center, the malware can download new modules — that is, adapt to any new cash-out strategy its creators develop. For example, one day it might transform into ransomware, spyware, or a banking Trojan. In the code of the current version, our experts discovered functions that have yet to be deployed and are clearly intended for use further down the line.

How to protect yourself from the Loapi Trojan

As is often the case, prevention is better than cure. To avoid swallowing the malware bait, observe some simple rules.

  • Install apps only from official stores. Google Play has a dedicated team responsible for catching mobile malware. Trojans do occasionally infiltrate official stores, but the chances of encountering one there are far lower than on dubious sites.
  • Disable the installation of apps from unknown sources for added security. To do so, in Settings go to Security and ensure that the Unknown sources check box is not selected.

  • Don’t install what you don’t really need. As a general rule, the fewer applications you install, the more secure your device is.
  • Get a reliable and proven AV for Android and regularly scan your device with it. Even free applications, such as the basic version of Kaspersky Internet Security for Android, offer good protection.

Go to Source
Author: Anna Markovskaya

Silence like a cancer grows

In September 2017, we discovered a new targeted attack on financial institutions. Victims are mostly Russian banks but we also found infected organizations in Malaysia and Armenia. The attackers were using a known but still very effective technique for cybercriminals looking to make money: gaining persistent access to an internal banking network for a long period of time, making video recordings of the day to day activity on bank employees’ PCs, learning how things works in their target banks, what software is being used, and then using that knowledge to steal as much money as possible when ready.

We saw that technique before in Carbanak, and other similar cases worldwide. The infection vector is a spear-phishing email with a malicious attachment. An interesting point in the Silence attack is that the cybercriminals had already compromised banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees and look as unsuspicious as possible to future victims.

The attacks are currently still ongoing.

Technical details

The cybercriminals using Silence send spear-phishing emails as initial infection vectors, often using the addresses of employees of an already infected financial institution, with a request to open an account in the attacked bank. The message looks like a routine request. Using this social engineering trick, it looks unsuspicious to the receiver:

Spear-phishing email in Russian.

Malicious .chm attachment

md5 dde658eb388512ee9f4f31f0f027a7df
Type Windows help .chm file

The attachment we detected in this new wave is a “Microsoft Compiled HTML Help” file. This is a Microsoft proprietary online help format that consists of a collection of HTML pages, indexing and other navigation tools. These files are compressed and deployed in a binary format with the .CHM (compiled HTML) extension. These files are highly interactive and can run a series of technologies including JavaScript, which can redirect a victim towards an external URL after simply opening the CHM. Attackers began exploiting CHM files to automatically run malicious payloads once the file is accessed. Once the attachment is opened by the victim, the embedded .htm content file (“start.htm”) is executed. This file contains JavaScript, and its goal is to download and execute another stage from a hardcoded URL:

Part of start.htm embedded file

The goal of the script is to download and execute an obfuscated .VBS script which again downloads and executes the final dropper

Obfuscated VBS script that downloads binary dropper


md5 404D69C8B74D375522B9AFE90072A1F4
Compilation Thu Oct 12 02:53:12 2017
Type Win32 executable

The dropper is a win32 executable binary file, and its main goal is to communicate with the command and control (C&C) server, send the ID of the infected machine and download and execute malicious payloads.

After executing, the dropper connects to the C&C using a GET request, sends the generated victim ID, downloads the payloads and executes them using the CreateProcess function.

C&C connect request string with ID

C&C connect procedure


The payloads are a number of modules executed on the infected system for various tasks like screen recording, data uploading etc.

All the payload modules we were able to identify are registered as Windows services.

Monitoring and control module

md5 242b471bae5ef9b4de8019781e553b85
Compilation Tue Jul 19 15:35:17 2016
Type Windows service executable

The main task for this module is to monitor the activity of the victim. In order to do so it takes multiple screenshots of the victim´s active screen, providing a real-time pseudo-video stream with all the victim´s activity. A very similar technique was used in the Carbanak case, where this monitoring was used to understand the victim´s day to day activity.

The module is registered and started by a Windows service named “Default monitor”.

Malicious service module name

After the initial startup, it creates a Windows named pipe with a hardcoded value – “\\.\pipe\{73F7975A-A4A2-4AB6-9121-AECAE68AABBB}”. This pipe is used for sharing data in malicious inter-process communications between modules.

Named pipe creation

The malware decrypts a block of data and saves it as a binary file with the hardcoded name “mss.exe” in a Windows temporary location, and later executes it using the CreateProcessAsUserA function. This dropped binary is the module responsible for the real-time screen activity recording.

Then, the monitoring module waits for a new dropped module to start in order to share the recorded data with other modules using the named pipe.

Screen activity gathering module

md5 242b471bae5ef9b4de8019781e553b85
Compilation Tue Jul 19 15:35:17 2016
Type Windows 32 executable

This module uses both the Windows Graphics Device Interface (GDI) and the Windows API to record victim screen activity. This is done using the CreateCompatibleBitmap and GdipCreateBitmapFromHBITMAP functions. Then the module connects to the named pipe created by the previously described module and writes the data in there. This technique allows for the creation of a pseudo-video stream of the victim’s activity by putting together all the collected bitmaps.

Writing bitmaps to pipe

C&C communication module with console backconnect

md5 6A246FA30BC8CD092DE3806AE3D7FC49
Compilation Thu Jun 08 03:28:44 2017
Type Windows service executable

The C&C communication module is a Windows service, as are all the other modules. Its main functionality is to provide backconnect access to the victim machine using console command execution. After the service initialization, it decrypts the needed Windows API function names, loads them with LoadLibrary and resolves with GetProcAddress functions.

WinAPI resolving

After successful loading of the WinAPI functions, the malware tries to connect to the C&C server using a hardcoded IP address (185.161.209[.]81).


The malware sends a special request to the command server with its ID and then waits for a response, which consists of a string providing the code of what operation to execute. The options are:

  • “htrjyytrn” which is the transliteration of “reconnect” (“реконнект” in russian layout).
  • “htcnfhn” which is the transliteration of “restart” (“рестарт” in russian layout).
  • “ytnpflfybq” which is the transliteration of “нет заданий” meaning “no tasks”

Finally the malware receives instructions on what console commands to execute, which it does using a new cmd.exe process with a parameter command.

Instruction check

The described procedure allows attackers to install any other malicious modules. That can be easily done using the “sc create” console command.

Winexecsvc tool

md5 0B67E662D2FD348B5360ECAC6943D69C
Compilation Wed May 18 03:58:26
Type Windows 64 executable

Also, on some infected computers we found a tool called the Winexesvc tool. This tool basically provides the same functionality as the well-known “psexec” tool. The main difference is that the Winexesvc tool enables the execution of remote commands from Linux-based operating system. When the Linux binary “winexe” is run against a Windows server, the winexesvc.exe executable is created and installed as a service.


Attacks on financial organization remain a very effective way for cybercriminals to make money. The analysis of this case provides us with a new Trojan, apparently being used in multiple international locations, which suggests it is an expanding activity of the group. The Trojan provides monitoring capabilities similar to the ones used by the Carbanak group.

The group uses legitimate administration tools to fly under the radar in their post-exploitation phase, which makes detection of malicious activity, as well as attribution more complicated. This kind of attack has become widespread in recent years, which is a very worrisome trend as it demonstrates that criminals are successful in their attacks. We will continue monitoring the activity for this new campaign.

The spear-phishing infection vector is still the most popular way to initiate targeted campaigns. When used with already compromised infrastructure, and combined with .chm attachments, it seems to be a really effective way of spreading, at least among financial organizations.


The effective way of protection from targeted attacks focused on financial organizations are preventive advanced detection capabilities such as a solution that can detect all types of anomalies and scrutinize suspicious files at a deeper level, be present on users’ systems. The Kaspersky Anti Targeted Attack solution (KATA) matches events coming from different infrastructure levels, discerns anomalies and aggregates them into incidents, while also studying related artifacts in a safe environment of a sandbox. As with most Kaspersky products, KATA is powered by HuMachine Intelligence, which is backed by on premise and in lab-running machine learning processes coupled with real-time analyst expertise and our understanding of threat intelligence big data.

The best way to prevent attackers from finding and leveraging security holes, is to eliminate the holes altogether, including those involving improper system configurations or errors in proprietary applications. For this, Kaspersky Penetration Testing and Application Security Assessment services can become a convenient and highly effective solution, providing not only data on found vulnerabilities, but also advising on how to fix it, further strengthening corporate security.


Kaspersky lab products detects the Silence trojan with the following verdicts:

Full IOC’s and YARA rules delivered with private report subscription.





CryptoShuffler: Trojan stole $140,000 in Bitcoin

Imagine that one day you decide to use Bitcoin to pay for, say, a pizza. You copy the wallet address from the pizzeria’s website, enter the required amount, and click the Send button. The transfer goes through, but the pizza doesn’t arrives. The pizzeria owners say they never received the payment. What’s going on? Don’t get mad at the pizza guys — it’s all down to CryptoShuffler.

Unlike cryptoransomware, this Trojan avoids flashy effects, instead doing its best to slip under the radar. It resides quietly in the computer’s memory and monitors the clipboard — the temporary storage area for cut/paste operations.

As soon as CryptoShuffler spots the address of a cryptocurrency wallet on the clipboard (it’s quite easy to distinguish these addresses by line length and specific characters), it replaces the address with another. As a result, the cryptocurrency transfer does indeed go through, and in the amount specified by the payer, only the recipient is not the pizzeria, but the intruders behind CryptoShuffler.

Having studied the Trojan, Kaspersky Lab discovered that the malware targets not only Bitcoin, but also Ethereum, Zcash, Monero, Dash, Dogecoin (yes, it’s real), and other cryptocurrencies as well. Substituting Bitcoin wallets is the Trojan’s most lucrative activity — at the time of publication the attackers had snagged slightly more than 23 BTC (about $140,000 at the current exchange rate).

The other cryptocurrency wallets belonging to CryptoShuffler’s creators were found to contain sums ranging from tens to thousands of dollars.

It took the Trojan a little more than a year to collect that money. Peak activity in late 2016 was followed by a slump, but then in June 2017, CryptoShuffler reawakened.

This Trojan clearly demonstrates that an infected computer or smartphone will not necessarily slow down or display ransom messages. On the contrary, many kinds of malware try to keep a low profile and to operate as stealthily as possible; the longer they remain undetected, the more money they will make for their creators.

So our advice to all cryptocurrency users is to remain vigilant and get protected. Our products detect CryptoShuffler as Trojan-Banker.Win32.CryptoShuffler.gen, and, needless to say, block all its actions.

Go to Source
Author: Marvin the Robot

Taxi Trojans are on the way

You’re in a hurry, trying to get to work, a business meeting, a date. So you launch your favorite app for booking a taxi as usual, but this time, it prompts you to enter your credit card number. Does that seem suspicious? It may not — apps forget information, and all you have to do is add your card number again.

However, after some time you notice money disappearing from your account. What happened? You may be the unlucky winner of a mobile Trojan. This kind of malware has been caught recently stealing bank data by impersonating the interfaces of taxi-booking apps.

The Faketoken Trojan has existed for a long time, and it has been upgraded for many years. Our experts named the current version “Faketoken.q,” and by now it has learned a significant number of tricks.

After getting onto a smartphone (judging by the malware icon, Faketoken infiltrates smartphones through bulk SMS messages with a prompt to download some picture) and installing the necessary modules, the Trojan hides its shortcut icon and starts background monitoring of everything that happens in the system.

The icon of the installed Faketoken Trojan

First, the Trojan is interested in the user’s calls. As soon as it detects a call, it starts recording. When the call is finished, Faketoken sends the recording to the criminal’s server. Second, the Trojan also checks which apps the smartphone’s owner uses.

When Faketoken detects the launch of an app whose interface it can simulate, the Trojan immediately overlays the app with its own screen. To achieve that, it uses a standard Android feature that supports showing screen overlays on top of all other apps. A whole bunch of legitimate apps, such as messengers, window managers, and so on, use this feature.

The overlaying window matches the colors of the original app’s interface. In this window, the Trojan prompts the user to enter the number of his or her credit card, including the verification code from the back of the card.

The Faketoken.q Trojan impersonates taxi-booking apps popular in Russia

Actually, Faketoken.q is after a huge variety of apps that have one thing in common: in them, a request to enter payment data looks normal enough not to arouse suspicion. Among the attacked apps are a number of mobile banking apps, Android Pay, the Google Play Store, apps for booking flights and hotel rooms, and apps for paying traffic tickets — as well as apps for booking taxis.

During the very stage of stealing money from the user, Faketoken resorts to another ruse, intercepting all incoming SMS messages, hiding them from the user, and forwarding them to the criminals’ server, where one-time passwords for payment confirmation from those messages are extracted.

How banking Trojans bypass two-factor authentication

Judging by the small number of attacks that we have registered and the UI artifacts, which you can see in one of the screenshots above, we’d say the researchers at our antivirus laboratory got their hands on one of the test versions of the Trojan, not the final one.

We must give the assiduous creators of Faketoken their due. They will most likely improve the Trojan, and a wave of infection incidents may sprout from the “commercial” version at some point.

Currently the Trojan is focused on users in Russia, but as we’ve seen many times in the past, cybercriminals constantly steal ideas from each other, so it won’t take long for them to adopt the same trick in other countries. A lot of city dwellers have taxi-booking apps installed these days, so this trick represents a good opportunity for malware creators.

Below you can find several pieces of advice on how to protect yourself against Faketoken and similar mobile Trojans that steal card numbers and intercept SMS messages with one-time passwords used to confirm payments.

  • It is imperative that you go into Android’s settings and prohibit the installation of apps from unknown sources. To block installation from unknown sources, go to Settings -> Security and uncheck Unknown sources.

  • Always pay attention to what access permissions an app requests during installation, even if you downloaded it from Google Play (there might be Trojans in the official app store as well). You can learn more about Android permissions in this article.

Go to Source
Author: Alex Drozhzhin

Ztorg Trojan: Infect yourself for 5 cents

A lot of ads on the Internet promote easy ways to earn money. They tend to lead to fishy places — say, a post from an alleged mother of three who stays at home, earning several thousand dollars a day, and says you can do the same. But there are other ways to earn some easy money, too, that may seem much more plausible.


For example, some services offer to pay you for installing apps. The money amounts to pocket change — about 5 cents per app — but the work is pretty effortless, so some people find it attractive nonetheless. This kind of scheme is especially popular among children — install 50 apps and get a $2.50 to buy some gear for your favorite character in an online game.

The Google Play app store has quite a few applications that are in fact app exchanges. You download one of those, install it, see a list of apps for which you can get paid, download a couple of those on the list, install them, play a couple of minutes — and profit!

That looks rather mundane — even legitimate. Indeed, many software developers place a high value on the number of app downloads, and such a scheme increases that number, even if it isn’t exactly honest. No wonder developers are willing to pay for it. There doesn’t seem to be a catch — or is there?

Money for nothing, malware for free

Of course there is — otherwise, why would we write about it? It turns out that, among other things, such app exchanges may urge you to download malware, in particular the infamous Ztorg Trojan. That’s the Trojan downloaded from Google Play 500,000 times disguised as a guide for the popular game Pokémon Go.

Guide for Pokémon Go is not the only app containing Ztorg. Roman Unuchek, the Kaspersky Lab expert who discovered Ztorg in the app, explored the applications distributed via these exchanges for several months. He found out that every month new apps appeared that were in fact just a disguise for Ztorg.

What Ztorg actually does

All of these applications have two things in common. First, their download numbers increase rapidly — by tens of thousands per day. Second, if you look at their user reviews in the Google Play store, many mention that people downloaded those apps for money, credits, bonuses, or something like that.

One of Ztorg infected apps in Google Play

The Ztorg Trojan hasn’t changed. After installation, it collects information about the system and the device and sends it to the command-and-control (C&C) server. The server responds with files that enable the malware to gain root access to the device, after which crooks have the freedom to do whatever they want: show ads, download other Trojans, whatever.

Ztorg also spreads through ads. You click on a banner and download the app, install it, and get infected. Very easy!

What’s interesting is that Ztorg shows its victims ads from the very same networks through which it spreads itself. The networks are legitimate; many other applications use them to try to monetize themselves. It’s just that the networks’ security guys missed the important point that they were advertising malware.

To be fair, Ztorg’s developers hid the malicious functionality, and it is not evident when studying the app. For example, Ztorg evaluates its environment and won’t run in a sandbox (a test environment).

Most malvertising banners do not link directly to the app download page but rather take users to a page that redirects to another page, which redirects to another page, and then to another page. Unuchek counted up to 27 such redirects before finally getting to the download. Moreover, the app can delay downloading malicious files from the C&C server for up to 90 minutes — by that time a tester would probably have decided that the app wasn’t doing anything malicious.

Actually, obfuscation is exactly the trick that was getting the malicious applications into the official Google Play store for a year and a half. Other Trojans lurk in there as well so you should not blindly trust all applications from this or any store.

The moral

How can you avoid becoming a victim of such attacks and letting scammers into your phone? We have two tips for you:

  • Download applications only from trustworthy developers or, better, from official app stores. You still may encounter Trojans, but they are far less prevalent in official stores.

Go to Source
Author: John Snow