Cryakl/Fantomas victims rescued by new decryptor

The No More Ransom project for assisting victims of ransomware has good news to report: The Belgian police, in cooperation with Kaspersky Lab, managed to obtain keys for recovering files encrypted with new versions of Cryakl ransomware, also known as Fantomas. The updated decryption tool is already available on the project’s website.

What is Cryakl?

The Trojan ransomware Cryakl (Trojan-Ransom.Win32.Cryakl) has been . At first, it was distributed through attached archives in e-mails that appeared to come from an arbitration court in connection with some alleged wrongdoing. There is something about such messages that sets nerves to jangling, and even those who know better might be inclined to click on the attachment. Later, the e-mails diversified, looking like messages from other organizations, such as a local homeowners’ association.

When encrypting files on a victim’s computer, Cryakl creates a long key that it sends to a command-and-control (C&C) server. Without this key, it is nearly impossible to recover files impacted by the malware. After that, Cryakl replaces the desktop wallpaper with contact details for its creators together with a ransom demand. Cryakl also displays an image of the mask of the 1964 French movie villain Fantomas, hence its alternative name. Cryakl mostly targeted users in Russia, so information about it is mostly available in Russian.

Success story

As we already said, the joint efforts of our experts and Belgian police resulted in obtaining the master keys. The investigation began when the computer crime unit learned about victims of the ransomware in Belgium, and then they discovered a C&C server in a neighboring country. An operation led by the Belgian federal prosecutor neutralized the server, along with several other C&C servers that received master keys from infected machines. Then Kaspersky Lab stepped in to assist the law enforcement agencies, not for the first time. As before, the results were first-class: Our experts helped analyze the data found and extract the decryption keys.

The keys have already been added to the RakhniDecryptor tool on the No More Ransom website, and the Belgian federal police is now an official partner of the project. No More Ransom, which has been running since July 2016, has to date provided free help to tens of thousands of people in decrypting files rendered unusable by ransomware, and deprived cyberblackmailers of at least 10 million euros of potential booty.

How to rescue files encrypted by Cryakl ransomware

The No More Ransom site offers two tools for decrypting files corrupted by Cryakl. One, named RannohDecryptor and around since 2016, is for older versions of Cryakl. You can download it at NoMoreRansom.org, and get decryption instructions here.

We recently updated the second tool, RakhniDecryptor, by adding the master keys from the servers seized by the Belgian police. It can be downloaded from the same site; instructions are available here. RakhniDecryptor is needed to decrypt files hit by newer versions of Cryakl. Either one of the tools should restore Cryakl-infected files to full health.

How to stay safe in the future

When dealing with cryptoransomware, prevention is far cheaper and simpler than a cure. In other words, it’s better to secure yourself now and sleep easy than to mess around with file decryption. We’d like to share a few preemptive file protection tips:

1. Always keep a copy of your most important files somewhere else: in the cloud, on another drive, on a memory stick, or on another computer. More details about backup options are available here.

2. Use reliable AV software. Some security solutions — for example, Kaspersky Total Security — can also assist with file backup.

3. Don’t download programs from suspicious sources. Their installers might contain something you’d rather not have on your computer.

4. Don’t open attachments in e-mails from unknown senders, even if they look important and credible. If in doubt, look up the phone number on the organization’s official website and call to check.

Go to Source
Author: Anna Markovskaya

Skygofree — a Hollywood-style mobile spy

Most Trojans are basically the same: Having penetrated a device, they steal the owner’s payment information, mine cryptocurrency for the attackers, or encrypt data and demand a ransom. But some display capabilities more reminiscent of Hollywood spy movies.

We recently discovered one such cinematic Trojan by the name of Skygofree (it doesn’t have anything to do with the television service Sky Go; it was named after one of the domains it used). Skygofree is overflowing with functions, some of which we haven’t encountered elsewhere. For example, it can track the location of a device it is installed on and turn on audio recording when the owner is in a certain place. In practice, this means that attackers can start listening in on victims when, say, they enter the office or visit the CEO’s home.

Another interesting technique Skygofree employs is surreptitiously connecting an infected smartphone or tablet to a Wi-Fi network controlled by the attackers — even if the owner of the device has disabled all Wi-Fi connections on the device. This lets the victim’s traffic be collected and analyzed. In other words, someone somewhere will know exactly what sites were looked at and what logins, passwords, and card numbers were entered.

The malware also has a couple of functions that help it operate in standby mode. For example, the latest version of Android can automatically stop inactive processes to save battery power, but Skygofree is able to bypass this by periodically sending system notifications. And on smartphones made by one of the tech majors, where all apps except for favorites are stopped when the screen is turned off, Skygofree adds itself automatically to the favorites list.

The malware can also monitor popular apps such as Facebook Messenger, Skype, Viber, and WhatsApp. In the latter case, the developers again showed savvy — the Trojan reads WhatsApp messages through Accessibility Services. We have already explained how this tool for visually or aurally impaired users can be used by intruders to control an infected device. It’s a kind of “digital eye” that reads what’s displayed on the screen, and in the case of Skygofree, it collects messages from WhatsApp. Using Accessibility Services requires the user’s permission, but the malware hides the request for permission behind some other, seemingly innocent, request.

Last but not least, Skygofree can secretly turn on the front-facing camera and take a shot when the user unlocks the device — one can only guess how the criminals will use these photos.

However, the authors of the innovative Trojan did not dispense with more mundane features. Skygofree can also intercept calls, SMS messages, calendar entries, and other user data.

The promise of fast Internet

We discovered Skygofree recently, in late 2017, but our analysis shows the attackers have been using it — and constantly enhancing it — since 2014. Over the past three years, it has grown from a rather simple piece of malware into full-fledged, multifunctional spyware.

The malware is distributed through fake mobile operator websites, where Skygofree is disguised as an update to improve mobile Internet speed. If a user swallows the bait and downloads the Trojan, it displays a notification that setup is supposedly in progress, conceals itself from the user, and requests further instructions from the command server. Depending on the response, it can download a variety of payloads — the attackers have solutions for almost every occasion.

Forewarned is forearmed

To date, our cloud protection service has logged only a few infections, all in Italy. But that doesn’t mean that users in other countries can let their guard down; malware distributers can change their target audience at any moment. The good news is that you can protect yourself against this advanced Trojan just like any other infection:

  1. Install apps only from official stores. It’s wise to disable installation of apps from third-party sources, which you can do in your smartphone settings.
  2. If in doubt, don’t download. Pay attention to misspelled app names, small numbers of downloads, or dubious requests for permissions — any of these things should raise flags.
  3. Install a reliable security solution — for example, Kaspersky Internet Security for Android. This will protect your device from most malicious apps and files, suspicious websites, and dangerous links. In the free version scans must be run manually; the paid version scans automatically.

  4. We recommend that business users deploy Kaspersky Security for Mobile — a component of Kaspersky Endpoint Security for Business — to protect the phones and tablets employees use at work.

Go to Source
Author: Anna Markovskaya

Loapi — this Trojan is hot!

Virus writers are creating all sorts of unpleasantness for Android device owners. We all know about the theft of personal data that later turns up on the black market. And about money leaking out of credit cards. But what about a Trojan that can make your device literally go up in smoke? Well, it’s here.

How does jack-of-all-trades Loapi operate

Users pick up the Loapi Trojan by clicking on an ad banner and downloading a fake AV or adult-content app (the most likely vehicles for this Trojan). After installation, Loapi demands administrator rights — and it doesn’t take no for an answer; notification after notification appears on the screen until the desperate user finally gives in and taps OK.

If the smartphone owner later tries to deprive the app of administrator rights, the Trojan locks the screen and closes the settings window. And if the user tries to download apps that genuinely protect the device (for example, a real AV, not a fake one), Loapi declares them to be malware and demands their removal. Another notification to that effect pops up endlessly, until the user throws in the towel.

Icons of fake apps in which Loapi conceals itself

Because of Loapi’s modular structure, it can switch functions on the fly at a remote server’s command, downloading and installing the necessary add-ons all by itself. Let’s take a look at some consequences of an encounter with the new Trojan.

1. Unwanted ads

Loapi relentlessly plagues the owner of the infected smartphone with banner and video ads. This module of the Trojan can also download and install other apps, visit links, and open pages in Facebook, Instagram, and VKontakte — apparently to drive up various ratings.

2. Paid subscriptions

Another module of the Trojan can sign up users to paid services. Such subscriptions usually need to be confirmed by SMS — but that doesn’t stop Loapi either. It has yet another special module that sends a text message to the required number, and does so secretly. What’s more, all messages (both outgoing and incoming) are immediately deleted.

3. DDoS attacks

The Trojan can turn your phone into a zombie and hijack it to use in DDoS attacks against Web resources. To do so, it uses a built-in proxy server and sends HTTP requests from the infected device.

4. Cryptomining

Loapi also uses smartphones to mine Monero tokens. It is this activity that can overheat your device as a result of the prolonged operation of the processor at maximum load. During our research, the battery of the test smartphone overcooked 48 hours after the device was infected.

5. Downloading new modules

Now for the most interesting bit. At the command of a remote center, the malware can download new modules — that is, adapt to any new cash-out strategy its creators develop. For example, one day it might transform into ransomware, spyware, or a banking Trojan. In the code of the current version, our experts discovered functions that have yet to be deployed and are clearly intended for use further down the line.

How to protect yourself from the Loapi Trojan

As is often the case, prevention is better than cure. To avoid swallowing the malware bait, observe some simple rules.

  • Install apps only from official stores. Google Play has a dedicated team responsible for catching mobile malware. Trojans do occasionally infiltrate official stores, but the chances of encountering one there are far lower than on dubious sites.
  • Disable the installation of apps from unknown sources for added security. To do so, in Settings go to Security and ensure that the Unknown sources check box is not selected.

  • Don’t install what you don’t really need. As a general rule, the fewer applications you install, the more secure your device is.
  • Get a reliable and proven AV for Android and regularly scan your device with it. Even free applications, such as the basic version of Kaspersky Internet Security for Android, offer good protection.

Go to Source
Author: Anna Markovskaya

Silence like a cancer grows

In September 2017, we discovered a new targeted attack on financial institutions. Victims are mostly Russian banks, but we also found infected organizations in Malaysia and Armenia. The attackers were using a known but still very effective technique for cybercriminals looking to make money: gaining persistent access to an internal banking network for a long period of time, making video recordings of the day-to-day activity on bank employees’ PCs, learning how things work in their target banks and what software is being used, and then using that knowledge to steal as much money as possible when ready.

We saw that technique before in Carbanak, and other similar cases worldwide. The infection vector is a spear-phishing email with a malicious attachment. An interesting point in the Silence attack is that the cybercriminals had already compromised banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees and look as unsuspicious as possible to future victims.

The attacks are currently still ongoing.

Technical details

The cybercriminals using Silence send spear-phishing emails as initial infection vectors, often using the addresses of employees of an already infected financial institution, with a request to open an account in the attacked bank. The message looks like a routine request. Using this social engineering trick, it looks unsuspicious to the receiver:

Spear-phishing email in Russian.

Malicious .chm attachment

md5 dde658eb388512ee9f4f31f0f027a7df
Type Windows help .chm file

The attachment we detected in this new wave is a “Microsoft Compiled HTML Help” file. This is a Microsoft proprietary online help format that consists of a collection of HTML pages, indexing and other navigation tools. These files are compressed and deployed in a binary format with the .CHM (compiled HTML) extension. These files are highly interactive and can run a series of technologies including JavaScript, which can redirect a victim towards an external URL after simply opening the CHM. Attackers began exploiting CHM files to automatically run malicious payloads once the file is accessed. Once the attachment is opened by the victim, the embedded .htm content file (“start.htm”) is executed. This file contains JavaScript, and its goal is to download and execute another stage from a hardcoded URL:

Part of start.htm embedded file

The goal of the script is to download and execute an obfuscated .VBS script, which in turn downloads and executes the final dropper.

Obfuscated VBS script that downloads binary dropper

Dropper

md5 404D69C8B74D375522B9AFE90072A1F4
Compilation Thu Oct 12 02:53:12 2017
Type Win32 executable

The dropper is a Win32 executable binary file, and its main goal is to communicate with the command and control (C&C) server, send the ID of the infected machine, and download and execute malicious payloads.

After executing, the dropper connects to the C&C using a GET request, sends the generated victim ID, downloads the payloads and executes them using the CreateProcess function.

C&C connect request string with ID

C&C connect procedure

Payloads

The payloads are a number of modules executed on the infected system for various tasks like screen recording, data uploading etc.

All the payload modules we were able to identify are registered as Windows services.

Monitoring and control module

md5 242b471bae5ef9b4de8019781e553b85
Compilation Tue Jul 19 15:35:17 2016
Type Windows service executable

The main task for this module is to monitor the activity of the victim. In order to do so it takes multiple screenshots of the victim’s active screen, providing a real-time pseudo-video stream with all the victim’s activity. A very similar technique was used in the Carbanak case, where this monitoring was used to understand the victim’s day-to-day activity.

The module is registered and started by a Windows service named “Default monitor”.

Malicious service module name

After the initial startup, it creates a Windows named pipe with a hardcoded value – “\\.\pipe\{73F7975A-A4A2-4AB6-9121-AECAE68AABBB}”. This pipe is used for sharing data in malicious inter-process communications between modules.

Named pipe creation

The malware decrypts a block of data and saves it as a binary file with the hardcoded name “mss.exe” in a Windows temporary location, and later executes it using the CreateProcessAsUserA function. This dropped binary is the module responsible for the real-time screen activity recording.

Then, the monitoring module waits for a new dropped module to start in order to share the recorded data with other modules using the named pipe.

Screen activity gathering module

md5 242b471bae5ef9b4de8019781e553b85
Compilation Tue Jul 19 15:35:17 2016
Type Windows 32 executable

This module uses both the Windows Graphics Device Interface (GDI) and the Windows API to record victim screen activity. This is done using the CreateCompatibleBitmap and GdipCreateBitmapFromHBITMAP functions. Then the module connects to the named pipe created by the previously described module and writes the data in there. This technique allows for the creation of a pseudo-video stream of the victim’s activity by putting together all the collected bitmaps.

Writing bitmaps to pipe

C&C communication module with console backconnect

md5 6A246FA30BC8CD092DE3806AE3D7FC49
Compilation Thu Jun 08 03:28:44 2017
Type Windows service executable

The C&C communication module is a Windows service, as are all the other modules. Its main functionality is to provide backconnect access to the victim machine using console command execution. After the service initialization, it decrypts the needed Windows API function names, loads them with LoadLibrary and resolves with GetProcAddress functions.

WinAPI resolving

After successful loading of the WinAPI functions, the malware tries to connect to the C&C server using a hardcoded IP address (185.161.209[.]81).

C&C IP

The malware sends a special request to the command server with its ID and then waits for a response, which consists of a string providing the code of what operation to execute. The options are:

  • “htrjyytrn”, which is the transliteration of “reconnect” (“реконнект” typed in the Russian keyboard layout).
  • “htcnfhn”, which is the transliteration of “restart” (“рестарт” typed in the Russian keyboard layout).
  • “ytnpflfybq”, which is the transliteration of “нет заданий”, meaning “no tasks”.

Finally, the malware receives instructions on what console commands to execute, which it does by spawning a new cmd.exe process with the command passed as a parameter.
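The three response codes above are Russian words typed with the English keyboard layout active, which is why they look like gibberish in captured traffic. The following added example (not code from the original report) maps each QWERTY key position to the letter it produces under the Russian ЙЦУКЕН layout, decodes the codes back to Cyrillic, and classifies constructed sample responses the way an analyst triaging proxy logs would; the sample responses are constructed, not taken from real traffic.

```python
"""
Decode Silence C&C response codes typed on a Russian keyboard with the
English (QWERTY) layout active, and classify them as the reconnect /
restart / no-tasks codes described in the report.
"""

# Physical key position -> letter produced under the Russian ЙЦУКЕН layout.
QWERTY_TO_JCUKEN = {
    "q": "й", "w": "ц", "e": "у", "r": "к", "t": "е", "y": "н", "u": "г",
    "i": "ш", "o": "щ", "p": "з", "[": "х", "]": "ъ",
    "a": "ф", "s": "ы", "d": "в", "f": "а", "g": "п", "h": "р", "j": "о",
    "k": "л", "l": "д", ";": "ж", "'": "э",
    "z": "я", "x": "ч", "c": "с", "v": "м", "b": "и", "n": "т", "m": "ь",
    ",": "б", ".": "ю",
}

# Decoded word -> meaning, for the three codes listed in the report.
# "нет заданий" loses its space when typed as one token, hence "нетзаданий".
KNOWN_COMMANDS = {
    "реконнект": "reconnect",
    "рестарт": "restart",
    "нетзаданий": "no tasks",
}


def layout_decode(text: str) -> str:
    """Re-map each character as if it had been typed on the Russian layout.

    Characters without a mapping (digits, spaces, slashes) are kept as-is.
    """
    return "".join(QWERTY_TO_JCUKEN.get(ch.lower(), ch) for ch in text)


def classify_response(response: str) -> str:
    """Return the meaning of a C&C response code, or 'unknown' if it is not one.

    Per the report, anything that is not one of the three codes is treated by
    the malware as a console command to run, so 'unknown' is the interesting case.
    """
    return KNOWN_COMMANDS.get(layout_decode(response.strip()), "unknown")


def scan_responses(lines):
    """Classify every non-empty response line; returns (raw, decoded, meaning) tuples."""
    results = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        decoded = layout_decode(raw)
        results.append((raw, decoded, KNOWN_COMMANDS.get(decoded, "unknown")))
    return results


# Constructed sample of response bodies, as a proxy log might have captured them.
SAMPLE_RESPONSES = [
    "htrjyytrn",
    "htcnfhn",
    "ytnpflfybq",
    "ipconfig /all",   # constructed: not a code, so it would be run as a command
]

if __name__ == "__main__":
    for raw, decoded, meaning in scan_responses(SAMPLE_RESPONSES):
        print(f"{raw!r:18} -> {decoded!r:14} {meaning}")
```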

Instruction check

The described procedure allows attackers to install any other malicious modules. That can be easily done using the “sc create” console command.

Winexesvc tool

md5 0B67E662D2FD348B5360ECAC6943D69C
Compilation Wed May 18 03:58:26
Type Windows 64 executable

Also, on some infected computers we found a tool called Winexesvc. It provides basically the same functionality as the well-known psexec tool; the main difference is that Winexesvc enables the execution of remote commands from Linux-based operating systems. When the Linux binary “winexe” is run against a Windows server, the winexesvc.exe executable is created and installed as a service.

Conclusion

Attacks on financial organizations remain a very effective way for cybercriminals to make money. The analysis of this case provides us with a new Trojan, apparently being used in multiple international locations, which suggests the group’s activity is expanding. The Trojan provides monitoring capabilities similar to the ones used by the Carbanak group.

The group uses legitimate administration tools to fly under the radar in its post-exploitation phase, which makes detection of malicious activity, as well as attribution, more complicated. This kind of attack has become widespread in recent years, which is a very worrisome trend, as it demonstrates that criminals are successful in their attacks. We will continue monitoring the activity of this new campaign.

The spear-phishing infection vector is still the most popular way to initiate targeted campaigns. When used with already compromised infrastructure, and combined with .chm attachments, it seems to be a really effective way of spreading, at least among financial organizations.

Recommendations

The effective way to protect against targeted attacks on financial organizations is to have preventive, advanced detection capabilities present on users’ systems: a solution that can detect all types of anomalies and scrutinize suspicious files at a deeper level. The Kaspersky Anti Targeted Attack solution (KATA) matches events coming from different infrastructure levels, discerns anomalies and aggregates them into incidents, while also studying related artifacts in the safe environment of a sandbox. As with most Kaspersky products, KATA is powered by HuMachine Intelligence, which is backed by on-premise and in-lab machine learning processes coupled with real-time analyst expertise and our understanding of threat intelligence big data.

The best way to prevent attackers from finding and leveraging security holes is to eliminate the holes altogether, including those involving improper system configurations or errors in proprietary applications. For this, Kaspersky Penetration Testing and Application Security Assessment services can be a convenient and highly effective solution, providing not only data on found vulnerabilities but also advice on how to fix them, further strengthening corporate security.

IOCs

Kaspersky Lab products detect the Silence Trojan with the following verdicts:

Backdoor.Win32.Agent.dpke
Backdoor.Win32.Agent.dpiz
Trojan.Win32.Agentb.bwnk
Trojan.Win32.Agentb.bwni
Trojan-Downloader.JS.Agent.ocr
HEUR:Trojan.Win32.Generic
Full IOCs and YARA rules are delivered with a private report subscription.


Source: https://securelist.com/the-silence/83009/

CryptoShuffler: Trojan stole $140,000 in Bitcoin

Imagine that one day you decide to use Bitcoin to pay for, say, a pizza. You copy the wallet address from the pizzeria’s website, enter the required amount, and click the Send button. The transfer goes through, but the pizza doesn’t arrive. The pizzeria owners say they never received the payment. What’s going on? Don’t get mad at the pizza guys — it’s all down to CryptoShuffler.

Unlike cryptoransomware, this Trojan avoids flashy effects, instead doing its best to slip under the radar. It resides quietly in the computer’s memory and monitors the clipboard — the temporary storage area for cut/paste operations.

As soon as CryptoShuffler spots the address of a cryptocurrency wallet on the clipboard (it’s quite easy to distinguish these addresses by line length and specific characters), it replaces the address with another. As a result, the cryptocurrency transfer does indeed go through, and in the amount specified by the payer, only the recipient is not the pizzeria, but the intruders behind CryptoShuffler.
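The defensive counterpart of that trick is to check, before confirming a payment, that the address in the Send field is still the one you copied and that it is a well-formed address at all. The following added example (not code from the original post) applies the same length-and-character heuristic the Trojan uses to spot an address, validates the Base58Check checksum of legacy Bitcoin addresses, and flags a copy/paste pair where both halves look like addresses but differ. The valid sample is the public Bitcoin genesis-block address; the attacker-looking address is constructed.

```python
import hashlib
import re

# Base58 alphabet used by Bitcoin addresses (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Cheap shape check: legacy (P2PKH/P2SH) addresses are 26-35 Base58 chars
# starting with 1 or 3. This is the same "line length and specific characters"
# heuristic a clipboard-swapping Trojan relies on.
BTC_ADDRESS_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")


def b58decode(s: str) -> bytes:
    """Decode a Base58 string; each leading '1' stands for one leading zero byte."""
    num = 0
    for ch in s:
        num = num * 58 + B58_ALPHABET.index(ch)  # raises ValueError on bad chars
    raw = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + raw


def is_valid_btc_address(addr: str) -> bool:
    """True if addr is 25 bytes (version + hash160 + 4-byte checksum) with a
    correct double-SHA-256 checksum."""
    if not BTC_ADDRESS_RE.match(addr):
        return False
    try:
        data = b58decode(addr)
    except ValueError:
        return False
    if len(data) != 25:
        return False
    payload, checksum = data[:-4], data[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def check_paste(copied: str, pasted: str) -> str:
    """Classify what happened between copying an address and pasting it.

    'ok'             - same, well-formed address on both sides
    'swapped'        - both look like addresses but differ (CryptoShuffler pattern)
    'invalid'        - the pasted value fails the checksum or is not an address
    'not-an-address' - the copied text was never a wallet address
    """
    if not BTC_ADDRESS_RE.match(copied):
        return "not-an-address"
    if copied == pasted:
        return "ok" if is_valid_btc_address(pasted) else "invalid"
    if BTC_ADDRESS_RE.match(pasted):
        return "swapped"
    return "invalid"


# Well-known public address (Bitcoin genesis block), used as the legitimate payee.
GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
# Constructed stand-in for the address a Trojan might substitute.
CONSTRUCTED_SWAP_ADDRESS = "1AttackerConstructedAddress"

if __name__ == "__main__":
    print(check_paste(GENESIS_ADDRESS, GENESIS_ADDRESS))           # ok
    print(check_paste(GENESIS_ADDRESS, CONSTRUCTED_SWAP_ADDRESS))  # swapped
```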

Having studied the Trojan, Kaspersky Lab discovered that the malware targets not only Bitcoin, but also Ethereum, Zcash, Monero, Dash, Dogecoin (yes, it’s real), and other cryptocurrencies as well. Substituting Bitcoin wallets is the Trojan’s most lucrative activity — at the time of publication the attackers had snagged slightly more than 23 BTC (about $140,000 at the current exchange rate).

The other cryptocurrency wallets belonging to CryptoShuffler’s creators were found to contain sums ranging from tens to thousands of dollars.

It took the Trojan a little more than a year to collect that money. Peak activity in late 2016 was followed by a slump, but then in June 2017, CryptoShuffler reawakened.

This Trojan clearly demonstrates that an infected computer or smartphone will not necessarily slow down or display ransom messages. On the contrary, many kinds of malware try to keep a low profile and to operate as stealthily as possible; the longer they remain undetected, the more money they will make for their creators.

So our advice to all cryptocurrency users is to remain vigilant and get protected. Our products detect CryptoShuffler as Trojan-Banker.Win32.CryptoShuffler.gen, and, needless to say, block all its actions.

Go to Source
Author: Marvin the Robot

Taxi Trojans are on the way

You’re in a hurry, trying to get to work, a business meeting, a date. So you launch your favorite app for booking a taxi as usual, but this time, it prompts you to enter your credit card number. Does that seem suspicious? It may not — apps forget information, and all you have to do is add your card number again.

However, after some time you notice money disappearing from your account. What happened? You may be the unlucky winner of a mobile Trojan. This kind of malware has been caught recently stealing bank data by impersonating the interfaces of taxi-booking apps.

The Faketoken Trojan has existed for a long time, and it has been upgraded for many years. Our experts named the current version “Faketoken.q,” and by now it has learned a significant number of tricks.

After getting onto a smartphone (judging by the malware icon, Faketoken infiltrates smartphones through bulk SMS messages with a prompt to download some picture) and installing the necessary modules, the Trojan hides its shortcut icon and starts background monitoring of everything that happens in the system.

The icon of the installed Faketoken Trojan

First, the Trojan is interested in the user’s calls. As soon as it detects a call, it starts recording. When the call is finished, Faketoken sends the recording to the criminal’s server. Second, the Trojan also checks which apps the smartphone’s owner uses.

When Faketoken detects the launch of an app whose interface it can simulate, the Trojan immediately overlays the app with its own screen. To achieve that, it uses a standard Android feature that supports showing screen overlays on top of all other apps. A whole bunch of legitimate apps, such as messengers, window managers, and so on, use this feature.

The overlaying window matches the colors of the original app’s interface. In this window, the Trojan prompts the user to enter the number of his or her credit card, including the verification code from the back of the card.

The Faketoken.q Trojan impersonates taxi-booking apps popular in Russia

Actually, Faketoken.q is after a huge variety of apps that have one thing in common: in them, a request to enter payment data looks normal enough not to arouse suspicion. Among the attacked apps are a number of mobile banking apps, Android Pay, the Google Play Store, apps for booking flights and hotel rooms, and apps for paying traffic tickets — as well as apps for booking taxis.

At the actual stage of stealing money from the user, Faketoken resorts to another ruse: intercepting all incoming SMS messages, hiding them from the user, and forwarding them to the criminals’ server, where the one-time passwords for payment confirmation are extracted from those messages.

Judging by the small number of attacks that we have registered and the UI artifacts, which you can see in one of the screenshots above, we’d say the researchers at our antivirus laboratory got their hands on one of the test versions of the Trojan, not the final one.

We must give the assiduous creators of Faketoken their due. They will most likely improve the Trojan, and a wave of infection incidents may sprout from the “commercial” version at some point.

Currently the Trojan is focused on users in Russia, but as we’ve seen many times in the past, cybercriminals constantly steal ideas from each other, so it won’t take long for them to adopt the same trick in other countries. A lot of city dwellers have taxi-booking apps installed these days, so this trick represents a good opportunity for malware creators.

Below you can find several pieces of advice on how to protect yourself against Faketoken and similar mobile Trojans that steal card numbers and intercept SMS messages with one-time passwords used to confirm payments.

  • It is imperative that you go into Android’s settings and prohibit the installation of apps from unknown sources. To block installation from unknown sources, go to Settings -> Security and uncheck Unknown sources.

  • Always pay attention to what access permissions an app requests during installation, even if you downloaded it from Google Play (there might be Trojans in the official app store as well). You can learn more about Android permissions in this article.

Go to Source
Author: Alex Drozhzhin

Ztorg Trojan: Infect yourself for 5 cents

A lot of ads on the Internet promote easy ways to earn money. They tend to lead to fishy places — say, a post from an alleged mother of three who stays at home, earning several thousand dollars a day, and says you can do the same. But there are other ways to earn some easy money, too, that may seem much more plausible.

For example, some services offer to pay you for installing apps. The money amounts to pocket change — about 5 cents per app — but the work is pretty effortless, so some people find it attractive nonetheless. This kind of scheme is especially popular among children — install 50 apps and get $2.50 to buy some gear for your favorite character in an online game.

The Google Play app store has quite a few applications that are in fact app exchanges. You download one of those, install it, see a list of apps for which you can get paid, download a couple of those on the list, install them, play a couple of minutes — and profit!

That looks rather mundane — even legitimate. Indeed, many software developers place a high value on the number of app downloads, and such a scheme increases that number, even if it isn’t exactly honest. No wonder developers are willing to pay for it. There doesn’t seem to be a catch — or is there?

Money for nothing, malware for free

Of course there is — otherwise, why would we write about it? It turns out that, among other things, such app exchanges may urge you to download malware, in particular the infamous Ztorg Trojan. That’s the Trojan downloaded from Google Play 500,000 times disguised as a guide for the popular game Pokémon Go.

Guide for Pokémon Go is not the only app containing Ztorg. Roman Unuchek, the Kaspersky Lab expert who discovered Ztorg in the app, explored the applications distributed via these exchanges for several months. He found out that every month new apps appeared that were in fact just a disguise for Ztorg.

What Ztorg actually does

All of these applications have two things in common. First, their download numbers increase rapidly — by tens of thousands per day. Second, if you look at their user reviews in the Google Play store, many mention that people downloaded those apps for money, credits, bonuses, or something like that.

One of the Ztorg-infected apps in Google Play

The Ztorg Trojan hasn’t changed. After installation, it collects information about the system and the device and sends it to the command-and-control (C&C) server. The server responds with files that enable the malware to gain root access to the device, after which crooks have the freedom to do whatever they want: show ads, download other Trojans, whatever.

Ztorg also spreads through ads. You click on a banner and download the app, install it, and get infected. Very easy!

What’s interesting is that Ztorg shows its victims ads from the very same networks through which it spreads itself. The networks are legitimate; many other applications use them to try to monetize themselves. It’s just that the networks’ security guys missed the important point that they were advertising malware.

To be fair, Ztorg’s developers hid the malicious functionality, and it is not evident when studying the app. For example, Ztorg evaluates its environment and won’t run in a sandbox (a test environment).

Most malvertising banners do not link directly to the app download page but rather take users to a page that redirects to another page, which redirects to another page, and then to another page. Unuchek counted up to 27 such redirects before finally getting to the download. Moreover, the app can delay downloading malicious files from the C&C server for up to 90 minutes — by that time a tester would probably have decided that the app wasn’t doing anything malicious.
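The redirect chains described above are something an analyst wants to see hop by hop rather than let a browser follow silently. The following PowerShell function is an added example, not code from the post or from Kaspersky Lab: it walks a chain one HTTP hop at a time, records each status code and Location header, refuses to follow a URL it has already visited, and stops at a hop cap set above the 27 hops Unuchek observed. The URL in the commented usage line and the Android-style user agent string are constructed assumptions; such chains frequently branch on device type, so the user agent is a parameter.

```powershell
# Added example (not from the post): trace a malvertising redirect chain the way
# an analyst would, without following it automatically or executing anything.
# ASSUMPTION: -Url comes from your own capture; the default user agent is a
# constructed Android-style string, since these chains often branch on device.
function Trace-RedirectChain {
    param(
        [Parameter(Mandatory)] [string]$Url,
        [int]$MaxHops = 40,   # above the 27 hops reported for Ztorg
        [string]$UserAgent = "Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36 Mobile Safari/537.36"
    )
    $seen    = New-Object System.Collections.Generic.HashSet[string]
    $current = [Uri]$Url
    for ($hop = 0; $hop -lt $MaxHops; $hop++) {
        if (-not $seen.Add($current.AbsoluteUri)) {
            Write-Warning "Redirect loop: $($current.AbsoluteUri) was already visited"
            break
        }
        $req = [System.Net.HttpWebRequest]::Create($current)
        $req.AllowAutoRedirect = $false      # we want to see every hop ourselves
        $req.UserAgent         = $UserAgent
        $req.Timeout           = 15000       # milliseconds
        try {
            $resp = $req.GetResponse()
        } catch [System.Net.WebException] {
            # 4xx/5xx arrive as exceptions; the response object is still attached
            $resp = $_.Exception.Response
            if (-not $resp) { Write-Warning "No response: $($_.Exception.Message)"; break }
        }
        $code = [int]$resp.StatusCode
        $loc  = $resp.Headers["Location"]
        $resp.Close()
        [pscustomobject]@{ Hop = $hop; Status = $code; Url = $current.AbsoluteUri; Location = $loc }
        # Anything that is not a 3xx with a Location header ends the chain
        if ($code -lt 300 -or $code -ge 400 -or -not $loc) { break }
        # Resolve a relative Location against the current URL
        $current = New-Object System.Uri($current, $loc)
    }
    if ($hop -ge $MaxHops) { Write-Warning "Stopped after $MaxHops hops without reaching a final page" }
}

# Usage (constructed URL): Trace-RedirectChain -Url "https://example.test/ad-click" | Format-Table -AutoSize
```

This only sees HTTP-level redirects. Chains that hop via JavaScript or meta-refresh pages need an instrumented browser to enumerate, and the 90-minute delay mentioned in the post means a sandbox run of a few minutes tells you nothing about what the app fetches later; keep the sample alive and the network capture running for longer than the delay you suspect.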

Actually, obfuscation is exactly the trick that was getting the malicious applications into the official Google Play store for a year and a half. Other Trojans lurk in there as well, so you should not blindly trust all applications from this or any store.

The moral

How can you avoid becoming a victim of such attacks and letting scammers into your phone? We have two tips for you:

  • Download applications only from trustworthy developers or, better, from official app stores. You still may encounter Trojans, but they are far less prevalent in official stores.

Author: John Snow

WannaCry: On screens everywhere!

The outbreak of Trojan ransomware WannaCry has already caused a heap of trouble to all kinds of businesses. However, we expect that companies whose infrastructures employ embedded systems are feeling particularly unhappy with the authors of this malware.


Theoretically, embedded systems should not be interesting to ransomware actors — it’s doubtful that anyone would pay ransom for a purely utilitarian system that holds no valuable data and whose hard drive is routinely reformatted anyway. But WannaCry does not choose its targets. As a result of the peculiar nature of the vulnerability it exploits, WannaCry has spread itself widely across local networks and infected all unpatched and unprotected machines.

Out of the blue

It would be unfair to say that this plague has been an eye-opener: The problem of insufficient security of embedded systems is not new, and it’s long been known that they traditionally have less (if any) protection than workstations and servers. But WannaCry brought the issue into the spotlight.

When embedded systems come up, ATMs and POS terminals are what usually spring to mind. And indeed, some of them got infected, although they tend to have some protection installed because of regulations and because they are frequently seen in threat models. The infection of such systems as information panels, medical equipment, and vending machines looked like a bigger deal — to say the least.

The owners of infected embedded systems don’t feel any better knowing they didn’t pay ransom to criminals; they still suffered noticeable damage.

  • Inoperable vending machines, ATMs, or automated ticket kiosks mean cash shortfalls.
  • A ransom note on a publicly accessible screen tells customers “Our security is bad.” It’s hard to assess the damage such a message does to a company’s reputation. Will a client who sees that message come back?
  • Infected terminals require repairs. If you use hundreds of terminals, you can count how much money you’re going to spend, especially given the geographical distribution and urgency with which your personnel have to reinstall operating systems and make changes in security settings. And some devices may use outdated software that is challenging or even impossible to reinstall.

Going by the trolling in social networks, these screens did not go unnoticed.

How to solve the problem

Why do embedded systems lack protection? There are two reasons. First, until now their security was often overlooked. Second, they tend to run on old hardware and use low-bandwidth Internet channels and outdated operating systems. They seem simply unfit to run security solutions on top of their hardware resources.

We have to admit that in a way, WannaCry has helped the world by highlighting the first problem. And it’s true that protecting embedded systems with traditional antimalware solutions may not be the most effective approach. That is exactly why we developed Kaspersky Embedded Systems Security specifically for a broad range of embedded systems. It’s less resource-intensive than a desktop security solution, but it prevents infection by employing a number of desktop-class security features.

In the case of a cryptomalware attack (including WannaCry), the solution works as follows:

  • Default Deny mode is the core technology of the product. It precludes execution of any code, including scripts, if they haven’t been whitelisted. So even if cryptomalware has been able to penetrate a system, for example, by hiding in a legitimate software package, it won’t be able to execute itself.
  • The Process Memory Protection component analyzes the integrity of processes in memory and prevents attempts to exploit vulnerabilities both known and unknown.
  • Kaspersky Embedded Systems Security includes a centrally controlled firewall, which allows for quick disabling of the port used by a vulnerability once it is discovered.
  • Technology that controls USB devices when they are attached further enhances the solution. This prevents infection by an untrusted USB device, for example, something that may happen during maintenance.
  • The antimalware module, available as an option, cleans the system of any infected files.
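The first bullet, Default Deny, is a general technique rather than something specific to one product: once an allowlist exists, anything not on it does not run. The following PowerShell script is an added example and is not Kaspersky's code; it shows the same idea built from the AppLocker cmdlets that ship with Windows, where a rule collection enforces an implicit deny as soon as it contains at least one allow rule. The folder C:\Kiosk\App, the policy file path and the candidate file path are assumptions standing in for a terminal's approved software.

```powershell
#Requires -RunAsAdministrator
# Added example (not the product's code): "Default Deny" expressed as an
# AppLocker allowlist. ASSUMPTION: C:\Kiosk\App holds the terminal's approved
# binaries and scripts; the other paths are placeholders for a dry run.
param(
    [string]$TrustedDir = "C:\Kiosk\App",
    [string]$PolicyXml  = "$env:TEMP\kiosk-allowlist.xml",
    [string]$Candidate  = "$env:TEMP\unknown.exe",
    [switch]$Enforce
)

# 1. Inventory the executables and scripts we actually want to run.
$files = Get-AppLockerFileInformation -Directory $TrustedDir -Recurse -FileType Exe, Script

# 2. Turn the inventory into allow rules: a publisher rule where a file is
#    signed, a hash rule otherwise (-RuleType lists the preference order).
#    -Optimize collapses files from one signer into a single rule.
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
              -User Everyone -RuleNamePrefix Kiosk -Optimize
$policy.ToXml() | Set-Content -Path $PolicyXml -Encoding UTF8
"Allowlist written to $PolicyXml"

# 3. Dry run: ask AppLocker what it WOULD decide for an arbitrary file under
#    this policy. A file matched by no rule comes back as Denied, which is the
#    "default deny" behaviour the text describes.
if (Test-Path $Candidate) {
    Test-AppLockerPolicy -PolicyObject $policy -Path $Candidate -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# 4. Enforcement needs the Application Identity service and is merged into the
#    existing local policy so rules already allowing %WINDIR% are kept.
if ($Enforce) {
    Start-Service AppIDSvc
    Set-AppLockerPolicy -PolicyObject $policy -Merge
}
```

Run it without -Enforce first and test a few files you expect to be denied and a few you expect to be allowed. The script deliberately merges rather than replaces the local policy: a policy that allows only the kiosk folder and nothing under the Windows directory would deny the operating system's own binaries, which is the classic way a Default Deny rollout takes a terminal offline.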

According to our records, none of the devices protected by Kaspersky Embedded Systems Security has been affected by the WannaCry plague. This solution currently protects hundreds of thousands of embedded systems around the world, so it’s fair to say that it has passed this serious real-life test. Therefore, if your network infrastructure includes embedded systems running Windows Embedded, we strongly recommend trying our solution.

Author: Dmitry Zveginets

Powered by WPeMatico

How to properly update Windows to protect your computer from WannaCry

By now, everyone has heard about the WannaCry ransomware attack. So far we have two posts about it: one with a general overview of what happened, and another with advice for businesses. But it’s become clear that not everyone understands how to patch the Windows vulnerability that is exploited by WannaCry, which allows it to travel from one PC to another. So here, we’ll explain what to do and where to find the necessary patches.


1. Find out what version of Windows is running on your computer

First of all, it is important to note that WannaCry can infect only devices running Windows. If your device runs macOS, iOS, Android, Linux, or any other operating system, then the malware can’t harm it.

Yet, it does pose a serious threat to devices running Windows. But different Windows versions require different patches. So, before installing something, you have to figure out what version of Windows you are running.

To do this:

  • Press the Windows key + R on your keyboard;
  • In the “Run” box that appears on your screen, type winver and click “OK.”

A window showing your Windows version will open.

2. Install the MS17-010 update that patches the vulnerability in Windows

Done with finding out the version? Here are the links to the updates for all of the Windows versions for which it has been released. Note that if you aren’t sure whether you use a 32-bit or 64-bit version of Windows, you can simply download both patches — one of them will work for you; trying to run the wrong one will bring up an error box but will do no harm.

When you click on the corresponding link, your system will download an executable file with an MSU extension. This is the required update. Simply double-click on the file to run it and follow the instructions of the set-up wizard. After the installation is done, reboot your system. That’s it: The vulnerability will be closed, and WannaCry will not be able to find its way onto your computer that easily.

3. Scan your computer for viruses

It is possible that WannaCry crawled into your computer before you patched the vulnerability. So, just in case, run a virus scan.

If you do not have an antivirus, then you can download a free 30-day trial version of Kaspersky Internet Security. If you already have it, then take the following steps:

  • Make sure the System Watcher module is enabled. To do that, go into the security solution’s settings, select Protection, and ensure that System Watcher is turned on.
  • Run a quick virus scan on your computer. To do that, click Scan in your antivirus solution interface. Then select Quick scan and then Run scan.
  • If the antivirus detects something with Trojan.Win64.EquationDrug.gen in the name, delete the detected file and reboot your computer.

That’s it: You are now protected from WannaCry. Now it’s time to take care of your relatives and friends who do not know how to protect their devices.

Author: Marvin the Robot


WannaCry: What you need to know

The unprecedented outbreak of Trojan ransomware WannaCry has created a worldwide plague affecting home users and businesses. We have already posted some basics about WannaCry, and in this post we will provide further advice particularly for businesses. It is urgent and critical to know what WannaCry is, how it spreads, what dangers it poses, and how to stop it.


What should I do right now?

One of the key reasons the Trojan erupted so quickly is that it transmits itself using an exploit, entering through a known Windows vulnerability with no user intervention (mistakes) needed. And once one computer is infected, the malware attempts to spread itself to all other systems in the local network.

Therefore, the very first action to take is to repair the vulnerability. System administrators need to take the following steps:

  • Install the Microsoft patch. It’s available not only for Windows 10, but for earlier versions as well: Windows 8, 7, Vista, even Windows XP and Server 2003. This patch closes the vulnerability that the ransomware uses to infect the systems within the local network.
  • If, for whatever reason, installing the patch is not possible, close port 445 using the firewall. That will block the worm’s network attack to prevent the infection. However, this measure should be viewed strictly as a stopgap. Closing this port will stop a number of important network services, so it isn’t a true solution.
  • Make sure that all systems in your network are protected. This point is vital: If you haven’t patched every system or closed port 445, one infected computer may infect all the others.
  • You may also use the free Kaspersky Anti-Ransomware Tool, which reliably protects from cryptomalware. It can also be used along with other antimalware solutions; it’s compatible with most known security solutions and does not interfere with their operation.
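The steps in the home-user post (find the Windows version with winver, install the MS17-010 .msu, reboot) and the administrator steps above (install the patch, otherwise block port 445 as a stopgap, verify every system) are the same procedure at two scales. The PowerShell script below is an added example, not from either post and not Kaspersky's code; it does what an administrator would do on each host: report the OS version and architecture, check whether an MS17-010 update is already installed, install a downloaded .msu with the stock wusa.exe if one is supplied, report whether SMBv1 is still enabled, and optionally add the port 445 firewall block. The KB list is an assumption to be verified against Microsoft's MS17-010 bulletin for each OS build, and the -MsuPath value is whatever file you downloaded.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the posts): per-host MS17-010 check with the port 445
# stopgap. ASSUMPTION: the KB IDs below are the commonly cited MS17-010 updates;
# confirm them against Microsoft's bulletin for your exact OS build.
param(
    [string]$MsuPath = "",     # the downloaded MS17-010 .msu for this OS, if any
    [switch]$BlockPort445      # apply the firewall stopgap described in the post
)

# 1. Which Windows is this? (script equivalent of Win+R, winver)
$os = Get-CimInstance -ClassName Win32_OperatingSystem
"OS: {0}  version {1}  build {2}  {3}" -f $os.Caption, $os.Version, $os.BuildNumber, $os.OSArchitecture

# 2. Is one of the MS17-010 updates already installed?
$ms17010 = @("KB4012598", "KB4012212", "KB4012215", "KB4012213", "KB4012216",
             "KB4012214", "KB4012217", "KB4012606", "KB4013198", "KB4013429")
$installed = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($installed) {
    "MS17-010 present: " + ($installed.HotFixID -join ", ")
} elseif ($MsuPath -and (Test-Path $MsuPath)) {
    # wusa.exe is the stock .msu installer; exit 3010 means a reboot is pending
    $p = Start-Process -FilePath wusa.exe -ArgumentList "`"$MsuPath`" /quiet /norestart" -Wait -PassThru
    "wusa exit code: $($p.ExitCode)  (0 = installed, 3010 = reboot required)"
} else {
    "MS17-010 NOT found; download the .msu for this OS and re-run with -MsuPath"
}
# Caveat: later cumulative updates supersede these KBs, so a fully patched
# Windows 10 host may show none of the IDs above. Treat "not found" as "check
# the build number against the bulletin", not as proof the host is vulnerable.

# 3. SMBv1 is the protocol the worm abuses; report whether the server side is on.
try {
    $smb = Get-SmbServerConfiguration -ErrorAction Stop
    "SMBv1 server enabled: $($smb.EnableSMB1Protocol)"
} catch {
    "Get-SmbServerConfiguration unavailable on this Windows version"
}

# 4. Stopgap from the post: block inbound TCP 445. This also breaks file and
#    print sharing and anything else that rides on SMB, so keep it temporary.
if ($BlockPort445) {
    # netsh works on every Windows version the post lists, unlike New-NetFirewallRule
    netsh advfirewall firewall add rule name="Block SMB 445 (WannaCry stopgap)" dir=in action=block protocol=TCP localport=445
    netsh advfirewall firewall show rule name="Block SMB 445 (WannaCry stopgap)"
}
```

Run it from an elevated prompt on each host; the third bullet above, "make sure that all systems are protected", is the part that matters, so collect the output centrally rather than reading it on one machine. Remove the 445 rule once the patch is confirmed, because the post is right that it is a stopgap and not a fix.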


If you already use Kaspersky Lab solutions

Current users are already protected from ransomware, including WannaCry. However, we recommend that you take a few extra preventive measures.

  • Confirm that you have Microsoft’s patch installed.
  • Make sure your security solution includes the System Watcher proactive behavior detection module, and confirm that it’s enabled. Instructions are here.
  • If there have been cases of infection in your local network, start a critical scan. This task will be launched automatically, but the sooner you act the better. In theory, the malware could have installed itself in the system but not started encrypting the files yet.
  • If the threat MEM:Trojan.Win64.EquationDrug.gen is detected during the scan, remove it and restart the system.

If there are embedded systems in your networks

Embedded systems are particularly vulnerable to WannaCry, mainly because they tend to be less well protected. And although ATMs and POS systems are usually protected using specialized solutions, the protection of such systems as information terminals is overlooked. However, bringing such systems back on track may cost a fortune, especially if your company operates hundreds of them.

We highly recommend using solutions that employ Default Deny mode. Kaspersky Embedded Systems Security was developed specifically for embedded systems, and it is an effective and resource-efficient protection solution.

Author: Nikolay Pankov
