Rockingham School District Loses $314,000 to Emotet Malware Infection

The Rockingham school district in North Carolina identified that Emotet malware had been downloaded to its network in late November. The cost of tackling the infection was a massive $314,000.

The malware was sent using spam emails, which arrived in multiple users’ inboxes. The attack incorporated a ploy commonly used by cybercriminals to get users to download malware.

The emails appeared to have been sent by the anti-virus vendor used by the school district, with the subject line ‘incorrect invoice’ and the correct invoice included as an attached file. The emails looked genuine and were similar to many other legitimate emails received every day.

The emails requested that the recipient open and review the attached invoice; however, doing so would see malware downloaded and installed on the email recipient’s computer.

Soon after those emails were received and opened, staff started to experience problems. Internet access appeared to have been blocked for some users, and reports began to arrive from Google saying that email accounts had been shut down for spamming. The school district investigated and discovered that several devices and servers had been infected with malware.

Emotet malware is a network worm: infection of one machine sees the malware sent on to other vulnerable devices on the same network. The worm installs a type of banking malware on infected devices that is used to steal victims’ credentials, such as online banking details.

Emotet is a very advanced malware variant that is hard to detect and erase. The Rockingham school district discovered just how troublesome Emotet malware infections can be when efforts were made to remove the worm. The school district was able to successfully clean some infected machines by re-imaging the devices; however, the malware simply re-infected those devices.

Resolving the attack required assistance from security specialists, but even with expert help the recovery process is expected to take up to four weeks. 10 ProLogic ITS engineers will spend around 1,200 hours on site re-imaging machines. 12 servers and possibly up to 3,000 endpoints must be re-imaged to remove the malware and stop reinfection. The cost of the cleanup will be as high as $314,000.

Attacks such as this are far from rare. Cybercriminals target a wide range of flaws to install malware on business computers and servers. In this case the attack used gaps in email defenses and a lack of security awareness of staff. Malware can similarly be downloaded by exploiting unpatched flaws in software, or by drive-by downloads using the Internet.

To safeguard against Emotet malware and other viruses and worms, layered defenses are necessary. An advanced spam filtering solution can ensure malicious emails are not delivered, endpoint detection systems can identify atypical user behavior, antivirus solutions can possibly detect and prevent infections, and web filters can block web-based attacks and drive-by downloads. End users are the last line of defense and should therefore be trained to identify malicious emails and websites.

Only a combination of these and other cybersecurity defenses can keep companies secure. Luckily, with layered defenses, it is possible to avoid expensive malware and phishing attacks such as the one suffered by the Rockingham school district.

Dating and Valentine’s Day Email Scams Pose Problems for Businesses

Dating scams rose significantly in January and the trend has continued into February. Most people will have noticed a significant increase in the number of such emails arriving in their inboxes on a daily basis.

The emails appear to have been sent by Russian women looking for a romantic interest. Unsolicited emails from attractive women who attach suggestive pictures and state that the recipient is particularly attractive are certain to be spam, yet the emails are quite effective. The FBI’s figures show that around $230 million is lost to these scams alone on an annual basis. In 2016, the FBI received almost 15,000 complaints relating to financial losses from dating and romance cyber scams.

There were two major increases in spam email volume, between January 15 and 17 and between January 29 and February 2, when around 35 million dating spam messages were broadcast using the Necurs botnet. Over 230 million messages were sent in a two-week-long campaign in January. The chief focus of the campaign is to obtain credit card details and payments for airplane flights to bring the women over to the US, but in many cases the purpose is to trick the email recipient into downloading malware.

Criminals use all manner of tactics to entice users to open files. Another effective technique, emphasized by security awareness training firms KnowBe4 and PhishMe, is the use of eCards, particularly on Valentine’s Day. Links are sent that appear to be from authentic eCard sites that ask users to click the link to view a Valentine’s day card from a secret admirer. The aim is to deliver malware.

Valentine’s Day email hacking campaigns in 2016 also included messages alerting the recipient to the failed delivery of flowers from Interflora, and email attachments purporting to be delivery receipts.

It is the likelihood that these emails will be opened that makes defending against them a significant security worry for businesses. A single click is all it takes for malware to be downloaded, and since many malware variants can quickly spread laterally, one click could be all it takes to compromise an entire database.

Rockingham School District Pays $314,000 to Resolve Emotet Malware Infection

In November 2017 the Rockingham school district in North Carolina discovered Emotet malware had been installed on its network, resulting in a payment of $314,000 to resolve the infection.

The malware was sent via spam emails, which landed in multiple users’ inboxes. The attack involved a ploy regularly used by cybercriminals to get users to download malware.

The emails seemed to have been sent by the anti-virus vendor used by the school district, with the subject line ‘incorrect invoice’ and the correct invoice included as an attachment. The emails appeared genuine and were similar to many other legitimate emails received on a regular basis.

The emails requested the recipient to open and check the attached invoice; however, doing so would see malware installed on the email recipient’s computer.

Not long after those emails were received and opened, staff started to experience issues. Internet access appeared to have been disabled for some users, and reports began to arrive from Google saying that email accounts had been shut down for spamming. The school district investigated and found that several devices and servers had been infected with malware.

Emotet malware is a network worm: infection of one machine alone will see the malware transmitted to other vulnerable devices on the network. The worm installs a type of banking malware on infected devices that is used to obtain victims’ credentials, including online banking details.

Emotet is a very advanced malware variant that is difficult to identify and hard to delete. The Rockingham school district noticed just how problematic Emotet malware infections can be when efforts were made to remove the worm. The school district was able to properly clean some infected machines by reimaging the devices; however, the malware then easily re-infected those computers.

Tackling the attack required assistance from security specialists, but even with expert help the recovery is expected to take up to a month. 10 ProLogic ITS engineers will spend around 1,200 hours on site reimaging machines. 12 servers and potentially up to 3,000 endpoints must be reimaged to remove the malware and stop reinfection. The estimated cost of the cleanup is $314,000.

Attacks such as this are quite common. Cybercriminals exploit a wide range of vulnerabilities to install malware on business computers and servers. In this instance the attack took advantage of gaps in email defenses and a lack of security awareness among staff. Malware can similarly be downloaded by exploiting unpatched flaws in software, or by drive-by downloads over the Internet.

To safeguard against Emotet malware and other viruses and worms, layered defenses are needed. An advanced spam filtering solution can make sure malicious emails are not delivered, endpoint detection systems can detect atypical user behavior, antivirus solutions can possibly detect and prevent infections, and web filters can prevent web-based attacks and drive-by downloads. End users are the last line of defense and should therefore be trained to spot malicious emails and websites.

Only a combination of these and other cybersecurity measures can keep organizations well safeguarded. Luckily, with layered defenses, costly malware and phishing attacks such as the one experienced by the Rockingham school district can be avoided.

RedBoot Malware Encrypts Files and Replaces MFT

RedBoot, a new malware threat, has been identified by cyber security researchers. The threat is not unlike NotPetya in that it appears to be a form of ransomware when in fact it is really a wiper.

RedBoot malware encrypts files, making them inaccessible, and gives them the .locked extension. Once the encryption process is finished, a ‘ransom’ note is displayed to the user, providing an email address to contact to find out how to unlock the encrypted files. Like NotPetya, RedBoot malware also alters the master boot record.

RedBoot incorporates a module that overwrites the current master boot record, and it also appears that changes are made to the partition table, but there is currently no mechanism for undoing those changes. There is also no command and control server, and even though an email address is given, no ransom demand appears to be made. RedBoot is therefore a wiper, not ransomware.

In its current form the malware causes permanent damage, even if the developer’s intention is to use it to extort money from victims. It is strange that an incomplete version of the malware has been released and that advance notice has been given of a new version about to be made public, but it does give businesses time to ready themselves.

The attack vector has yet to be identified, so it is not possible to give specific instructions on how to prevent RedBoot malware attacks. The security measures that should be put in place are therefore the same as for stopping any malware variant.

A spam filtering solution should be put in place to block malicious emails; users should be warned of the threat of phishing emails, shown how to identify malicious emails, and told never to open attachments or click on hyperlinks sent by unknown people.

IT teams should make sure all computers and servers are fully patched, that SMBv1 has been turned off or its vulnerabilities have been addressed, and that antivirus software is installed on all computers.

It is also important to back up all systems to ensure that in the event of an attack, systems can be restored and data rescued.

AdultSwine Malware Leads to Google App Store Deletions

Over 60 apps have now been taken down from the Google Play Store as they were loaded with AdultSwine malware, a malware variant that displays pornographic advertisements on users’ devices. Most of the apps that contained the malware were targeted at children, including Drawing Lessons Lego Star Wars, Mcqueen Car Racing Game, and Spinner Toy for Slither. The applications had been installed by between 3.5 and 7 million users before they were discovered and deleted.

While the malicious apps have been deleted, users who have already downloaded the infected apps onto their devices must remove the apps to delete the malware. Deleting the apps from the Play Store only stops more users from being infected. Google has revealed that it will show warnings on Android phones that have the malicious apps installed to warn users of the malware infection. It will be up to users to then uninstall those apps to remove the AdultSwine malware infection.

Applications Being Targeted by AdultSwine Malware

  • Addon GTA for Minecraft PE
  • Addon Pixelmon for MCPE
  • Addon Sponge Bob for MCPE
  • AnimePictures
  • Blockcraft 3D
  • CoolCraft PE
  • DiadelosMuertos
  • Dragon Shell for Super Slither
  • Draw Kawaii
  • Draw X-Men
  • Drawing Lessons Angry Birds
  • Drawing Lessons Chibi
  • Drawing Lessons Lego Chima
  • Drawing Lessons Lego Ninjago
  • Drawing Lessons Lego Star Wars
  • Drawing Lessons Subway Surfers
  • Easy Draw Octonauts
  • Exploration Lite: Wintercraft
  • Exploration Pro WorldCraft
  • fidgetspinnerforminecraft
  • Fire Skin for Slither IO app
  • Five Nights Survival Craft
  • Flash Skin for Slither IO app
  • Flash Slither Skin IO
  • Girls Exploration Lite
  • Guide Clash IO
  • Guide Vikings Hunters
  • HalloweenMakeUp
  • halloweenskinsforminecraft
  • How to Draw Animal World of The Nut Job 2
  • How to Draw Batman Legends in Lego Style
  • How to Draw Coco and The Land of the Dead
  • How to Draw Dangerous Snakes and Lizards Species
  • How to Draw Real Monster Trucks and Cars
  • Invisible Skin for Slither IO app
  • Invisible Slither Skin IO
  • Jungle Survival Craft 1.0
  • Jurassic Survival Craft Game
  • Mcqueen Car Racing Game
  • Mine Craft Slither Skin IO
  • Moviesskinsforminecraft
  • Pack of Super Skins for Slither
  • Paw Puppy Run Subway Surf
  • Pixel Survival – Zombie Apocalypse
  • Players Unknown Battle Ground
  • San Andreas City Craft
  • San Andreas Gangster Crime
  • Shin Hero Boy Adventure Game
  • skinsyoutubersmineworld
  • Spinner Toy for Slither
  • Stickman Fighter 2018
  • Subway Banana Run Surf
  • Subway Bendy Ink Machine Game
  • Subway Run Surf
  • Temple Bandicoot Jungle Run
  • Temple Crash Jungle Bandicoot
  • Temple Runner Castle Rush
  • ThanksgivingDay
  • ThanksgivingDay2
  • Virtual Family – Baby Craft
  • Woody Pecker
  • youtubersskins
  • Zombie Island Craft Survival

AdultSwine malware, and the apps that infect users, were discovered and analyzed by security experts at Check Point. The researchers note that once installed on a device, the malware sends data about the user to its command and control server and carries out three malicious activities: displaying advertisements, registering users for premium services, and installing scareware to trick victims into paying for security software that is not required. Information is also obtained from the infected device that could be used for a variety of malicious purposes.

The advertisements are shown when users are playing games or browsing the Internet, with the adverts coming from genuine ad networks and the AdultSwine library. The AdultSwine malware library uses extreme adverts containing hardcore pornographic images. Those images are displayed on screen without warning.

The scareware says the victim’s device has been infected with a virus that can only be removed by downloading an anti-malware app from the Google Play Store, although the virus removal tool is a fake application. Users are warned that their phone will be rendered unusable if the app is not installed, with a countdown timer used to add urgency.

Subscribing for premium services requires the user to supply further details, which is done through pop-up phishing adverts. The user is informed they have won a prize, but that they must answer four questions to claim their prize. The details they supply are used to register for premium services.

Users can often reduce the risk of a malware infection by only downloading apps from official app stores, although this most recent malware campaign has shown that even official stores can be infiltrated and have malicious apps uploaded.

Google does review all apps for malware, but new varieties of malware can be sneaked into the Google Play Store from time to time. Google has revealed that from the end of January it will be rolling out a new service called Google Play Protect that is capable of scanning previously installed apps to ensure they are still safe to use.

Google advises only downloading apps for children that have been approved by Google as being ‘Designed for Families’. Those apps may include adverts, but they have been vetted and strict rules apply covering the advertisements that can be shown.

It is also vital to download some form of anti-malware solution – from a reputable and well-known company – that will review installed content and apps for malware.

Malware Attack at Forever 21 POS Continued for 7 Months

A recently identified Forever 21 POS malware attack has resulted in customers’ credit card data being accessed. While malware attacks on retail POS systems are now a regular occurrence, in the case of the Forever 21 POS malware attack the security breach is significant due to the length of time the malware was active on its systems. Hackers first obtained access to its POS system seven months before the infection was noticed.

The Forever 21 POS malware infections were first discovered in October, when a third-party connected credit card fraud to customers who had previously visited Forever 21 stores. The possible malware infections were reviewed and a third-party cybersecurity firm was called in to help.

Forever 21 first made a public announcement about a data breach in November, although the investigation has been ongoing and new details about the attack have now been released.

The investigation has shown that the attack was extensive and impacted many POS devices used in its U.S. stores. The Forever 21 POS malware attack began on April 3, 2017, with further devices infiltrated over the following 7 months until action was taken to safeguard its systems on November 18, 2017. Forever 21 reports that some POS devices in its stores were only accessed for a few days, others for a few weeks, while some were compromised for the entire seven months.

Reacting to the increased threat of cyber attacks on retailers, Forever 21 started deploying encryption technology on its payment processing systems in 2015; however, the investigation showed the encryption technology was not always enabled.

When the encryption technology was enabled, the hackers would have been unable to obtain customers’ credit card details, but the information could be stolen at times when the encryption technology was switched off.

Additionally, some devices that were compromised by the malware maintained logs of completed credit card transactions. When the encryption technology was not enabled, details of completed transactions were stored in the logs and could therefore be read by the hackers. Since those logs included details of transactions prior to the malware infections, it is possible that customers who visited affected Forever 21 stores before April 3, 2017 may also have had their credit card details obtained.

Each store uses many POS devices to take payments from customers, and in most cases only one device per store was infiltrated. The attackers focused their efforts on stores where POS devices did not have encryption turned on. Additionally, the hackers’ main aim appeared to be to find and infect devices that kept logs of transactions.

On the majority of POS devices, the hackers searched for track data read from payment cards, and in most instances, while the number, expiry date and CVV code were obtained, the name of the card holder was not.
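The two passages above describe the data at risk when POS encryption is switched off: card numbers and track data written into transaction logs in the clear. The following scanner, an added example and not code from the original article or from Forever 21, shows how a defender can audit such logs for that exposure. It finds candidate primary account numbers, keeps only those that pass the Luhn checksum (so timestamps and reference numbers do not trigger it), flags magnetic-stripe track-2 layout, and produces a redacted copy of each offending line. The log format and the log lines are constructed for this example; the card numbers are publicly known test numbers.

```python
import re

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run (so timestamps and long IDs do not match).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Magnetic-stripe track-2 layout: ';' PAN '=' YYMM expiry ... '?'
TRACK2 = re.compile(r";\d{13,19}=\d{4}")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(line):
    """Return the Luhn-valid card numbers (digits only) appearing in a log line."""
    pans = []
    for match in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def redact(line):
    """Mask every Luhn-valid PAN in the line, keeping only the last four digits."""
    def mask(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE.sub(mask, line)


def scan_log(lines):
    """Return (line_index, pans, track2_seen) for each line that exposes card data."""
    hits = []
    for index, line in enumerate(lines):
        pans = find_pans(line)
        track2 = TRACK2.search(line) is not None
        if pans or track2:
            hits.append((index, pans, track2))
    return hits


# Constructed sample POS log lines (format is an assumption for this example).
LOG_LINES = [
    # encryption on: only a token reaches the log
    "2017-04-03 10:12:01 store=0412 lane=2 auth=OK token=tok_9f3a7c21 amount=54.99",
    # encryption off: the PAN is written in the clear
    "2017-04-03 10:14:37 store=0412 lane=2 auth=OK pan=4111111111111111 exp=0420 amount=19.50",
    # raw track-2 data written by a lane with encryption off
    "2017-04-03 10:15:02 store=0412 lane=5 raw=;5555555555554444=20041011000012340000? amount=7.25",
    # a 16-digit reference number that fails the Luhn check (not a card)
    "2017-04-03 10:16:44 store=0412 lane=1 ref=1234567890123456 amount=3.00",
]

if __name__ == "__main__":
    for index, pans, track2 in scan_log(LOG_LINES):
        print(f"line {index}: pans={pans} track2={track2}")
        print("  redacted:", redact(LOG_LINES[index]))
```

Run against a log directory, a non-empty result from `scan_log` is the signal that a lane is writing cleartext card data, which is exactly the condition the investigation found; the `redact` output is what should be retained if the lines have to be kept at all.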

The review into the Forever 21 POS malware attack is still active, and currently it is unclear exactly how many of the company’s 700+ stores have been impacted, how many devices were infected, and how many customers have had their credit and debit card details obtained. However, it is reasonable to expect that an attack of this duration will have impacted many thousands of customers.

The exact type of malware used in the attack is not known, and no reports have been issued that indicate how the hackers obtained access to its systems. It is not yet known if stores outside the US have been impacted.

Osiris Ransomware: New Locky Variant Being Spread

Hackers use a variety of methods and attack vectors to spread malicious files including ransomware and malware. Exploit kits are commonly used as they can be placed on websites and used to silently probe visitors’ browsers for flaws in plugins such as Adobe Flash, Microsoft Silverlight, and Oracle Java. Those weaknesses are used to download malware. Malvertising – malicious web adverts – is often used to direct users to these malicious webpages; however, all too often, links to these websites are sent in spam email.

The increase in malware and ransomware attacks over the past few years has led many organizations to start providing security awareness training to staff. Workers are instructed never to click a link in an email unless they are sure it is authentic.

However, even with security awareness guidance, a great many workers inadvertently infect their computers with malware or mistakenly install ransomware. One of the biggest issues is not malicious links in spam email but malicious attachments. Hackers have increased their use of malicious file attachments in the past 12 months, especially to infect end users with ransomware.

One of the largest ransomware threats in the past year has been Locky. Locky has been spread using exploit kits in the past, although spam email is now mainly used to infect users.

The group responsible for Locky frequently updates the ransomware, as well as the tactics used to fool end users into downloading the malicious file-encryptor. The most recent Locky variant – Osiris ransomware – encrypts files and adds the .osiris extension to encrypted files.

Locky is often spread via malicious macros in Word documents. Usually, the malicious Word documents claim to be invoices, purchase orders, or alerts of missed parcel deliveries.

However, a recent campaign used to spread the Osiris ransomware variant switches from .DOC files to Excel spreadsheets (.XLS). Recipients of the emails are told the Excel spreadsheet is an invoice. Opening the attached Excel spreadsheet will not automatically lead to an Osiris ransomware infection if macros have not been set to run automatically. The user is shown a blank spreadsheet and a prompt to enable macros to view the content of the file.

Clicking on ‘Enable Content’ will initiate a VBA script that downloads a Dynamic Link Library (DLL) file, which is automatically run using the Windows file Rundll32.exe. That DLL file is used to install Osiris ransomware. Osiris ransomware encrypts a wide variety of file types and deletes Windows Shadow Volume Copies, stopping the user from restoring the computer to the configuration it had before the ransomware was downloaded. The only methods of recovery from an Osiris ransomware infection are to pay the ransom demand or to wipe the system and restore files from backups.
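The chain just described (Excel macro, DLL dropped into a user-writable folder, Rundll32.exe, then deletion of shadow copies) is visible in endpoint process-creation telemetry, and each step is a detection opportunity. The following detection logic is an added example, not code from the original article: it classifies individual process events and then correlates a shadow-copy deletion back up the process tree to an Office-spawned loader, which is what separates this chain from an administrator running vssadmin by hand. The event fields (`pid`, `ppid`, `parent_image`, `image`, `command_line`) are an assumption modelled on Sysmon-style process-creation records, and the sample events, paths, PIDs and DLL name are constructed.

```python
import re

# Office applications whose macros launch the loader in the chain above.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Signed Windows binaries commonly used to run a dropped payload.
LOADER_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                   "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}

# Commands that remove Volume Shadow Copies, blocking rollback before encryption.
SHADOW_DELETE = re.compile(
    r"(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE)

# rundll32 loading a DLL from a user-writable directory (where a macro drops it).
USER_WRITABLE_DLL = re.compile(
    r'rundll32(?:\.exe)?\s+"?[^"]*\\(?:temp|appdata|downloads|public)\\[^"]*\.dll',
    re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return the list of rule names a single process-creation event matches."""
    findings = []
    if (basename(event["parent_image"]) in OFFICE_APPS
            and basename(event["image"]) in LOADER_BINARIES):
        findings.append("office-spawned-loader")
    if USER_WRITABLE_DLL.search(event["command_line"]):
        findings.append("rundll32-user-writable-dll")
    if SHADOW_DELETE.search(event["command_line"]):
        findings.append("shadow-copy-deletion")
    return findings


def scan(events):
    """Map pid -> findings for every event that matches at least one rule."""
    hits = {}
    for event in events:
        findings = classify(event)
        if findings:
            hits[event["pid"]] = findings
    return hits


def chain_alert(events):
    """True when a shadow-copy deletion descends from an Office-spawned loader."""
    by_pid = {event["pid"]: event for event in events}
    hits = scan(events)
    for pid, findings in hits.items():
        if "shadow-copy-deletion" not in findings:
            continue
        parent = by_pid.get(by_pid[pid]["ppid"])
        while parent is not None:            # walk up the process tree
            if "office-spawned-loader" in hits.get(parent["pid"], []):
                return True
            parent = by_pid.get(parent["ppid"])
    return False


# Constructed sample telemetry; paths, PIDs and the DLL name are made up.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 1200, "parent_image": r"C:\Windows\explorer.exe",
     "image": OFFICE,
     "command_line": '"%s" "C:\\Users\\jsmith\\Downloads\\invoice_2284.xls"' % OFFICE},
    {"pid": 4188, "ppid": 4100, "parent_image": OFFICE,
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\jsmith\AppData\Local\Temp\a8f3.dll,EntryPoint"},
    {"pid": 4210, "ppid": 4188, "parent_image": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    # routine rundll32 started by a service host: must not alert
    {"pid": 3020, "ppid": 880, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"pid": 5002, "ppid": 1200, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        print(pid, findings)
    print("infection chain detected:", chain_alert(SAMPLE_EVENTS))
```

The per-event rules are deliberately broad (any Office application spawning any of the listed binaries), and the parent-chain correlation is what keeps the alert rate usable: the svchost-started rundll32 in the sample matches nothing, and a lone vssadmin command without an Office ancestor is reported as a finding but does not raise the chain alert.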

An advanced spam filtering solution like SpamTitan can be used to guard against the vast majority of email-borne threats. SpamTitan carries out a wide range of front line tests to rapidly discover spam email and prevent it from being delivered, including RBL, SPF, Greylisting and SMTP measures.

SpamTitan deploys two enterprise-class anti-virus engines to scan for malicious files – Bitdefender and ClamAV – to increase detection rates.

SpamTitan can also be set up to block specific file attachment types typically used by cybercriminals to infect end users, EXE files and JavaScript files for example. The contents of compressed files are also automatically reviewed by SpamTitan.

Host-based tests are carried out to examine mail headers, while the contents of messages are subjected to Bayesian analysis to identify common spam signatures and spam-like content. Messages are also searched for malicious links.

These extensive reviews ensure SpamTitan spots 99.97% of spam emails, stopping malicious messages from being sent to end users. SpamTitan has also been independently tested and shown to have an exceptionally low false positive rate of just 0.03%.

If you want to keep your network secured from malicious spam emails and lessen reliance on employees’ spam detection abilities, get in touch with the TitanHQ team today. SpamTitan is available on a 30-day free trial, allowing you to fully test the product and find out the difference SpamTitan makes at your organization before committing to buy it.

Million Email a Month Campaign Distributing Adwind RAT

Antivirus software vendor Symantec has discovered a huge spam email campaign that is distributing Adwind RAT variants. While the Adwind RAT may appear to be relatively harmless adware, this is not the case.

The most recent Adwind RAT variants have a wide variety of malicious functions, and act as keyloggers that can record login credentials and monitor user activity, capture screenshots, hijack the microphone and webcam to record audio and video, and as if that was not sufficient, the Adwind RAT allows the hacker to install further malicious files.

As is now common, the emails spreading Adwind RAT variants are realistic and appear to be authentic communications from actual firms. At a time when parcels are likely to arrive in the mail, the hackers have chosen a particularly relevant tactic to maximize the chance of emails being opened: alerts about parcels that could not be delivered.

Companies are also being targeted with malicious attachments claiming to be account statements, invoices, purchase order details, and payment receipts. The emails are well articulated and appear to have been sent from legitimate firms.

The spam emails have two malicious email attachments, a JAR file and what seems to be a PDF file. In the case of the latter, it has a double file extension, which will look like a PDF file if file extensions are not displayed. It is actually another JAR file. The files include layers of obfuscation in an attempt to bypass antivirus controls.

If the JAR files are run, they drop a further JAR file and run VBS scripts which initiate legitimate Windows tools to review the environment, discover the firewall in use, and identify other security products installed on the device. They then set about turning off monitoring controls.

The scheduling of this Adwind RAT campaign is perfect to catch out as many people as possible. The festive period is a particularly busy time, and the rush to identify bargains and purchase gifts online sees many Internet users let their guard down. Further, as many companies close over the festive period it gives the hackers more time to explore networks.

Infection with the Adwind RAT can result in sensitive data being stolen, login credentials being captured, email accounts being pilfered and abused, and access being gained to corporate bank accounts. A single successful download of the Adwind RAT can be lethal.

Massive Email Campaign Sees Adwind RAT Spreading Quickly

Antivirus software provider Symantec has discovered a huge spam email campaign that is sharing Adwind RAT variants. While the Adwind RAT may sound like seemingly harmless adware, that is simply not the case.

The most recent Adwind RAT variants have a wide range of malicious functions, and act as keyloggers that can save login details and monitor user activity, capture screenshots, hijack the microphone and webcam to record audio and video, and as if that was not enough, the Adwind RAT allows the hacker to download additional malicious files.

As is now common, the emails spreading Adwind RAT variants are realistic and seem to be genuine communications from legitimate firms. At a time when parcels are expected to arrive in the mail, the hackers have chosen a very relevant ploy to increase the chance of emails being opened: alerts about parcels that could not be delivered.

Companies are also being targeted with malicious attachments claiming to be account statements, invoices, purchase orders, and payment receipts. The emails are well articulated and seem to have been sent from actual firms.

The spam emails incorporate two malicious email attachments, a JAR file and what seems to be a PDF file. In the case of the latter, it includes a double file extension, which will look like a PDF file if file extensions are not displayed. In reality, it is another JAR file. The files have layers of obfuscation in an effort to bypass antivirus controls.
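The attachment tricks described in both Adwind write-ups above (a JAR masquerading as a PDF through a double extension that the mail client hides), together with the attachment-type blocking and archive inspection mentioned in the Osiris article, can be checked mechanically at the mail gateway. The following triage routine is an added example, not Symantec's or any vendor's code. It goes a little beyond the article: besides the name-based double-extension and blocked-type checks, it looks at the bytes, opens ZIP-format attachments (a JAR is a ZIP with a manifest), reports a JAR wearing a PDF name even without a double extension, applies the name checks to archive members, and flags password-protected archives whose contents cannot be scanned. The attachment names, the hand-built archives and the `build_zip` helper (needed because Python's `zipfile` cannot write encrypted archives) are all constructed for this example.

```python
import io
import struct
import zipfile
import zlib

# Extensions that should never arrive as email attachments.
BLOCKED_EXTENSIONS = {"exe", "js", "jar", "vbs", "wsf", "scr", "hta", "ps1", "bat", "cmd"}
# Extensions a recipient would consider harmless; used to spot "invoice.pdf.jar".
BENIGN_LOOKING = {"pdf", "doc", "xls", "txt", "jpg", "png"}
ZIP_ENCRYPTED_FLAG = 0x1   # general-purpose bit 0 in the ZIP headers


def extensions(filename):
    """All extensions of a file name, lower-cased: 'A.pdf.jar' -> ['pdf', 'jar']."""
    return filename.rsplit("/", 1)[-1].lower().split(".")[1:]


def check_name(filename):
    """Findings based on the name alone (what the user sees in the mail client)."""
    exts = extensions(filename)
    findings = []
    if exts and exts[-1] in BLOCKED_EXTENSIONS:
        findings.append("blocked-extension:" + exts[-1])
    if len(exts) >= 2 and exts[-2] in BENIGN_LOOKING and exts[-1] in BLOCKED_EXTENSIONS:
        findings.append("double-extension")
    return findings


def check_attachment(filename, data):
    """Findings from the name plus the content of ZIP-format archives (JARs included)."""
    findings = check_name(filename)
    exts = extensions(filename)
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            members = archive.infolist()
            if any(m.flag_bits & ZIP_ENCRYPTED_FLAG for m in members):
                findings.append("encrypted-archive")      # contents cannot be scanned
            names = [m.filename for m in members]
            if "META-INF/MANIFEST.MF" in names:
                findings.append("jar-archive")
                if exts and exts[-1] in BENIGN_LOOKING:
                    findings.append("content-mismatch")  # a JAR wearing a PDF name
            for name in names:                            # name rules on each member
                for finding in check_name(name):
                    findings.append("inner:" + name + ":" + finding)
    return findings


def triage(attachments):
    """Map attachment name -> findings for a dict of {name: bytes}."""
    return {name: check_attachment(name, data) for name, data in attachments.items()}


def build_zip(entries, encrypted=False):
    """Build a minimal stored ZIP in memory. With encrypted=True only the
    'encrypted' flag is set and a dummy 12-byte header prepended, which is what a
    scanner sees on a password-protected archive; the data is not really encrypted."""
    local, central, offset = b"", b"", 0
    flag = ZIP_ENCRYPTED_FLAG if encrypted else 0
    for name, data in entries:
        raw_name = name.encode("ascii")
        payload = (b"\x00" * 12 + data) if encrypted else data
        crc = zlib.crc32(data) & 0xFFFFFFFF
        local_header = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag, 0, 0, 0,
                                   crc, len(payload), len(data), len(raw_name), 0) + raw_name
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag, 0, 0, 0,
                               crc, len(payload), len(data), len(raw_name),
                               0, 0, 0, 0, 0, offset) + raw_name
        local += local_header + payload
        offset += len(local_header) + len(payload)
    end = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                      len(central), len(local), 0)
    return local + central + end


# Constructed attachments: one JAR under three names, a real-looking PDF, and a
# password-protected archive. File, class and attachment names are made up.
JAR_ENTRIES = [("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\nMain-Class: Loader\n"),
               ("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 8)]
SAMPLE_ATTACHMENTS = {
    "Parcel_Notice.jar": build_zip(JAR_ENTRIES),
    "Parcel_Notice.pdf.jar": build_zip(JAR_ENTRIES),   # shows as "Parcel_Notice.pdf"
    "Invoice_4471.pdf": build_zip(JAR_ENTRIES),        # JAR simply renamed
    "Statement.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n",
    "payWave_update.zip": build_zip([("update.rtf", b"{\\rtf1 hello}")], encrypted=True),
}

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_ATTACHMENTS).items():
        print(name, findings or "clean")
```

The name rules alone catch the double-extension case the article describes; the content rules are what catch the same JAR once an attacker drops the tell-tale second extension, and the encrypted-archive finding is the honest answer for a password-protected ZIP: it cannot be cleared by scanning, so policy has to decide whether such attachments are held or delivered.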

If the JAR files are activated, they drop another JAR file and run VBS scripts which initiate legitimate Windows tools to investigate the environment, identify the firewall in use, and other security products downloaded on the device. They then set about turning off monitoring controls.

The timing of this Adwind RAT campaign is perfect to catch out as many people as possible. The festive period is an extremely busy period, and the rush to spot bargains and purchase presents online sees many Internet users let their guard down. Additionally, as many companies close over the festive period it gives the hackers more time to explore networks.

Infection with the Adwind RAT can result in sensitive data being stolen, login credentials being taken, email accounts being pilfered and abused, and access being obtained to company bank accounts.

Recent MS Office Patch Vulnerability Exploited by Cobalt Malware

A spam email campaign has been discovered that is distributing a variety of Cobalt malware. The hackers use the Cobalt Strike penetration testing tool to take full control of an infected device. The attack uses an exploit for a recently patched Microsoft Office flaw.

The spam emails seem to have been sent by Visa, advising the recipient about recent changes to its payWave service. The emails include a compressed file attachment that is password-secured. The password required to extract the contents of the zip file is included in the body of the email.

This is an apparent attempt to trick email recipients into thinking Visa had included security controls to stop unauthorized individuals from viewing the information in the email, a reasonable security measure for a financial communication. Also included in the email is an RTF file that is not password protected. Opening that file will initiate a PowerShell script that installs a Cobalt Strike client, which ultimately gives the hackers full control of the infected device.

The hackers leverage a flaw in Microsoft Office – CVE-2017-11882 – which was patched by Microsoft earlier this month. The hackers use legitimate Windows tools to execute a wide range of commands and spread laterally through a network.

The campaign was discovered by researchers at Fortinet, who report that by exploiting the Office flaw, the hackers download a Cobalt Strike client and multiple stages of scripts which are then used to install the main malware payload.

The vulnerability has existed in Office products for 17 years, although it was only recently discovered by Microsoft. Within a few days of the weakness being detected, Microsoft issued a patch to correct the flaw. Within a few days of the patch being released, threat actors started exploiting the vulnerability. Any device that has a vulnerable version of Office installed is susceptible to attack.

This campaign shows just how important it is for patches to be applied quickly. As soon as a vulnerability is made public, malicious actors will use it in attacks. When patches are released, malicious actors get straight to work reverse engineering the patch to identify and exploit the flaw it fixes. As these attacks indicate, it may only take a few hours or days before vulnerabilities are attacked.

The recent WannaCry and NotPetya malware attacks indicated just how easy it is for vulnerable systems to be attacked. Both of those attacks targeted a vulnerability in Windows Server Message Block to obtain access to systems. A patch had been issued to address the flaw eight weeks before the WannaCry ransomware attacks happened. Had patches been applied swiftly, it would not have been possible to download the ransomware.

 

Smoke Loader Malware Malvertising Campaign Using Health Tips as Bait

Cybercriminals are distributing Smoke Loader malware through a new malvertising campaign that uses health tips and advice to lure end users to a malicious website hosting the Terror Exploit Kit.

Malvertising is the term for malicious adverts that appear genuine but redirect users to phishing sites or to websites hosting exploit kits – toolkits that probe for unpatched flaws in browsers, plugins, and operating systems.

Spam email is the main vector used to spread malware, but the threat from exploit kits should not be disregarded. Exploit kits were used widely in 2016 to deliver malware and ransomware, and while EK activity fell significantly toward the end of 2016 and has remained fairly low in 2017, attacks are still taking place. The Magnitude Exploit Kit is still extensively used to deliver malware in the Asia Pacific region, and there has recently been a spike in attacks elsewhere using the Rig and Terror exploit kits.

The Smoke Loader malvertising campaign has now been running for almost two months. Zscaler first observed it on September 1, 2017, and it has remained active throughout October.

Fake advertisements are often used to lure users to malicious sites; this campaign uses weight-loss promises and help to quit smoking to attract clicks. Obfuscated JavaScript embedded in the adverts redirects users to malicious websites hosting the Terror exploit kit.

Exploit kits can be loaded with exploits for several known flaws, but the Terror EK is currently attempting to exploit two in particular: a scripting engine memory corruption vulnerability (CVE-2016-0189) that affects Internet Explorer 9 to 11, and a Windows OLE automation array remote code execution vulnerability (CVE-2014-6332) affecting unpatched versions of Windows 7 and 8. Zscaler also reports that three Flash exploits are deployed.

Patches have been released for these vulnerabilities, but systems that have not been patched remain susceptible. Since the exploits run without any user interaction beyond visiting a site hosting the Terror EK, infection is all but guaranteed if a user on an unpatched system clicks the malicious advert.

Smoke Loader is a backdoor that, once installed, gives cybercriminals full access to the infected device, allowing them to steal data, launch further attacks on the network, and install other malware, including ransomware. Smoke Loader is not new – it has been around since at least 2011 – but it has recently been upgraded with several anti-analysis mechanisms to evade detection. It has also been linked to the installation of the TrickBot banking Trojan and GlobeImposter ransomware.

To protect against these attacks, organizations should ensure systems and browsers are kept up to date and patches are applied promptly. Since there is usually a lag between a patch's release and its installation, organizations should also consider a web filter to block malicious adverts and prevent staff from visiting known malicious websites.

Scarab Ransomware being Spread with Massive Spam Email Campaign

Millions of spam emails delivering Scarab ransomware have been seen over the past few days. The campaign is being run on the Necurs botnet – one of the largest botnets currently in operation.

The Necurs botnet has been running for at least five years and now comprises over 6 million zombie computers used to send vast quantities of spam. Necurs has previously been used to distribute banking Trojans and many other types of malware, although recently its operators have switched to spreading ransomware, including Locky.

The latest campaign saw Necurs send spam emails to more than 12.5 million email accounts in the space of just six hours, targeting recipients in the United States, France, Germany, Australia, and the UK.

The emails are similar to other phishing campaigns seen in recent months. They appear to have been sent by well-known, trusted brands to increase the likelihood of the malicious attachments being opened; this campaign spoofs printer manufacturers such as HP, Canon, Lexmark and Epson.

The emails carry a 7-Zip archive attachment that claims to be a scanned document, with the subject line "Scanned from [Printer company]". The archive contains a VBScript which, if run, downloads and installs Scarab ransomware.

Scarab is a comparatively new ransomware variant, first seen over the summer. Whereas most ransomware sets a fixed price for the decryption key, Scarab's authors do not specify an amount; the ransom depends on how quickly the victim makes contact.

As with the NotPetya wiper, victims are told to contact the attackers by email. This has caused problems for victims in the past: if the email domain is taken down, there is no way to reach the attackers. In this case an alternative is offered – victims can also contact the attackers via BitMessage.

Although Scarab is not sophisticated, it is effective. No free decryptor is available for files encrypted by Scarab. Recovery without paying the ransom is only possible if backups of the encrypted files exist and the backups have not also been encrypted.

Scarab is believed to be the work of relatively small players in the ransomware arena. However, the scale of the campaign and the speed at which the emails are being sent show that even small players can run massive, global ransomware campaigns by teaming up with botnet operators.

With ransomware-as-a-service, almost anyone can run a ransomware campaign. Ransomware can be bought on darknet forums for next to nothing and used to extort businesses. More players mean more attacks, and the ease of running campaigns, together with the fact that many victims pay, mean ransomware remains highly profitable.

Security specialists predict that 2018 will bring even more ransomware attacks. AV firm McAfee has predicted that cybercriminal gangs will step up their attacks in 2018, targeting high-net-worth individuals and small companies, and that campaigns will become more sophisticated.

With the threat expected to grow, companies need solutions in place that stop ransomware from reaching end users. An advanced spam filtering solution keeps phishing and spam emails out of users' inboxes, mitigating the threat from ransomware. Failing to block malicious emails leaves it to an employee to open an infected attachment and download ransomware onto the network.

 

Shadow Brokers Release UNITEDRAKE Malware

The Shadow Brokers are selling a new National Security Agency (NSA) hacking tool – UNITEDRAKE – making good on their promise to release NSA exploits monthly. The latest tool is one of several allegedly stolen from the NSA last year.

The Shadow Brokers previously released the ETERNALBLUE exploit used in the WannaCry ransomware attacks in May that hit thousands of businesses around the world. There is no reason to doubt that this new tool is exactly what they claim.

UNITEDRAKE is a modular remote access and control tool that can record microphone and webcam output, log keystrokes, and access external drives. The Shadow Brokers describe it as a 'fully extensible remote collection system' with a variety of plugins offering functions that allow attackers to perform surveillance and gather information for use in further attacks. It gives attackers full control of an infected device.

Plugins include CAPTIVATEDAUDIENCE, which captures conversations through the infected computer's microphone; GUMFISH, which gives the attackers control of the webcam to record video and capture images; FOGGYBOTTOM, which steals data such as login details, browsing histories and passwords; SALVAGERABBIT, which accesses data on external drives such as flash drives and portable hard disks when they are connected; and GROK, a keylogger. The malware can also self-destruct once its tasks are complete.

The malware works on older Windows versions including Windows XP, Vista, 7 and 8, and Windows Server 2012.

According to documents published by Edward Snowden in 2014, the NSA has used the malware to infect millions of computers around the globe. The tool will soon be in the hands of any cybercriminal willing to pay the asking price of 500 Zcash – around $124,000. The Shadow Brokers have published a manual for the malware explaining how it works and its various functions.

Trend Micro said in a recent blog post that there is currently no way of blocking or stopping the malware. When attacks occur, they will be analyzed by security researchers for clues as to how the malware works, which should eventually lead to tools that block it.

In the meantime, organizations should strengthen their security posture by ensuring all systems are patched and operating systems are upgraded to the latest versions. An incident response plan should also be in place so that it can be executed quickly in the event of an attack.

A further NSA exploit is expected to be released later this month, with more monthly dumps scheduled over the next two months.

New Tactic from Ursnif Banking Trojan Speeding Up Distribution

A new strain of the Ursnif banking Trojan has been discovered, and the actors behind the latest campaign have adopted a new tactic to spread the malware more quickly.

Ransomware attacks make the news, but banking Trojans can cause considerably more harm. The $60 million theft from a Taiwanese bank last month shows how serious a banking Trojan infection can be. The Dridex Trojan netted more than $40 million in 2015.

Ursnif is one of the most commonly seen banking Trojans. Like other banking Trojans, it aims to steal information such as logins to banking websites, corporate bank details, and credit card numbers, which is then used for fraudulent transactions. Accounts are often emptied before the transactions are noticed, by which time the funds have cleared, been withdrawn, and the criminal's account closed. Recovering stolen funds is often a lost cause.

Once installed, the malware captures a wide range of sensitive data as it is entered in the browser. Ursnif also takes screenshots of the infected device and logs keystrokes. All of that information is silently sent to the attacker's C2 server.

Banking Trojans are distributed in a number of ways. They are often hosted on websites and downloaded in drive-by attacks, with traffic sent to the malicious sites via malvertising campaigns or spam emails containing hyperlinks. Legitimate websites are compromised using brute-force attacks and loaded with exploit kits that prey on visitors who have not kept their software up to date. Often, the malware is delivered by spam email, hidden in attachments.

Spam email has been used before to spread Ursnif, and the latest campaign is no different in that respect. However, it uses a new process to maximize the chance of infection and spread infections more quickly and widely. Financial institutions have been the primary target of this banking Trojan, but with this latest method the attacks are far more widespread.

Once a device is infected, the user's contact list is harvested and spear phishing emails are sent to each contact. Since the emails come from a trusted account, the chance of them being opened is significantly higher. Simply opening the email will not lead to infection; the recipient must open the attachment. Again, because it comes from a trusted sender, that is more likely.

The actors behind this campaign have another trick to build trust and ensure their payload is delivered. The spear phishing emails include message threads from past conversations, so the email appears to be a reply to an earlier message and contains details of previous exchanges.

A short line of text prompts the recipient to open the attachment – a Word document containing a malicious macro. Unless macros are set to run automatically, the user must enable the macro, and even then it does not fire until the Word document is closed. When the macro runs, it launches PowerShell commands that install the Ursnif Trojan, which then starts logging activity on the infected device and sends more spear phishing emails to the new victim's contacts.

This is not a brand-new tactic, but it is new to Ursnif, and it is likely to make infections spread much more quickly. The malware also uses a range of techniques to hamper detection, allowing data to be stolen and bank accounts emptied before the infection is discovered – the Trojan even deletes itself once it has run.

Malware is always evolving, and new tactics are constantly devised to increase the chance of infection. This campaign shows how important it is to block email threats before they reach end users' inboxes.

With an advanced spam filter such as SpamTitan in place, malicious emails can be blocked before they reach end users' inboxes, greatly reducing the risk of malware infection.

Social Media Accounts Hijacked by the Terdot Banking Trojan

The Terdot Trojan is a variant of Zeus, a highly successful banking Trojan first seen in 2009. While Zeus itself is no longer circulating, its source code has been available since 2011, allowing cybercriminals to build new banking Trojans on its sophisticated code.

Terdot is not brand new, having first been seen in mid-2016, but a new variant of the credential-stealing malware has been produced and is being actively used in attacks, mostly in Canada, the United States, Australia, Germany, and the United Kingdom.

The new variant has many new features. Not only does it steal banking details, it also spies on social media activity and can modify tweets, Facebook posts, and posts on other social media platforms to reach the victim's contacts. It can also alter emails, targeting Yahoo Mail and Gmail, and inject code into websites.

Once installed, Terdot can download additional files, and as new strains are produced the modular Trojan can update itself automatically.

The latest incarnation was discovered by security researchers at Bitdefender. They report that, in addition to modifying social media posts, the Trojan can create posts on most social media platforms, and they expect the stolen social media credentials to be sold on to other malicious actors, spelling further misery for those affected.

Apart from spreading via social media, the Trojan is distributed using phishing emails. One spam campaign uses buttons that appear to be PDF files; clicking one runs JavaScript that starts the infection process. However, Bitdefender researchers state that the primary infection vector appears to be the Sundown exploit kit, which exploits flaws in web browsers.

Unfortunately, detecting Terdot is difficult. It is installed through a complex chain of droppers, code injections and downloaders to minimize the risk of detection, and it is delivered in chunks that are assembled on the infected device. Once installed it can remain undetected and is not currently picked up by many AV solutions.

Bitdefender said: “Terdot goes above and beyond the capabilities of a Banker Trojan. Its focus on harvesting credentials for other services such as social networks and e-mail services could turn it into an extremely powerful cyber-espionage tool that is extremely difficult to spot and clean.”

Protecting against banking Trojans requires strong anti-malware tools to detect and block downloads, but businesses should also consider extra measures to block the main attack vectors: exploit kits and spam email.

Spam filtering software should be deployed to block phishing emails containing JavaScript and Visual Basic downloaders. A web filter is also strongly recommended to block access to web pages known to host malware and exploit kits. Even with strong anti-virus, web filters, and spam filters, staff should be trained to be security aware. Regular training and cybersecurity updates can help eliminate the risky behavior that leads to malware infections.

New Ordinypt Malware Wiper Disguised as Ransomware Discovered

Ordinypt malware is currently being used in targeted attacks on businesses in Germany. Although at first sight Ordinypt looks like ransomware, it is really a wiper.

Once the wiper has run, files on the infected device are rendered inaccessible and a ransom demand is displayed. The attackers ask for 0.12 Bitcoin – around $836 – to restore files.

Ordinypt does not encrypt files. It simply replaces the original file name with a random string of letters and numbers, and replaces the file contents with random letters and numbers too.

Even if the ransom is paid, the attackers have no mechanism to restore the original files. The only sure way to recover files is to restore them from an external backup. Unlike many ransomware variants, which hinder recovery by deleting Windows Volume Shadow Copies, Ordinypt leaves shadow copies intact, so it may be possible for users to recover some files from them.

Ordinypt – or HSDFSDCrypt as it was first known – was discovered by Michael Gillespie. A sample was obtained and analyzed by German security researcher Karsten Hahn of G Data, who renamed the malware Ordinypt.

Hahn says Ordinypt is badly written with a poor coding style, suggesting it is not the work of a skilled developer. Hahn commented: “A stupid malware that destroy information of enterprises and innocent people and try steal money.”

The attackers are using a common technique to maximize infections. The malware is disguised as PDF files distributed via spam email. The messages claim to be applications in response to job adverts, and a zip attachment contains two files that look like a resume and a CV.

While the files look like PDFs and display a PDF icon, they actually have a double extension. If file extensions are hidden (the Windows default), all that is displayed is filename.pdf, when the file is actually filename.pdf.exe. Opening either file runs the executable and launches Ordinypt.

Recently, several wiper variants have been detected that masquerade as ransomware. The attackers exploit the media coverage of ransomware attacks to trick victims into paying, when there is no way of recovering the files. It is not clear whether the motive is financial; these attacks may simply be aimed at disrupting businesses, as was the case with the NotPetya wiper campaign.

However badly written the malware is, it is still effective and can cause major disruption to businesses. Protecting against it, and other email-based malware threats, requires a combination of end-user training and technology.

End users should be aware of the danger of opening attachments from unknown senders and should treat all such emails as potentially harmful. In this case the malware is poorly written but the emails are not: they are written in perfect German and appear authentic, and HR staff could easily be fooled.

The best defense against threats such as these is an advanced spam filter such as SpamTitan; stopping the emails from reaching inboxes is the strongest protection.

With the spam filter configured to block executable attachments, the messages are sent to quarantine rather than delivered, neutralizing the threat.
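The Ordinypt lure above (an executable hiding behind a .pdf.exe double extension inside a zip) and the Scarab campaign described earlier (a VBScript inside an archive) are both caught by the same gateway check: inspect every archive member's extension and its first bytes rather than trusting the displayed name. The following Python is an added example, not part of the original page or of SpamTitan; the policy lists and the sample archive (dummy bytes, not real malware) are constructed for illustration.

```python
import io
import zipfile

# Extensions a mail gateway should never let through inside an archive
# (executables, scripts and installers). Constructed policy list.
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".jar", ".msi",
}
# Innocuous-looking extensions used as the visible half of a double extension.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".png", ".txt"}


def inspect_member(name, head):
    """Return policy findings for one archive member given its name and first bytes."""
    findings = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    exts = ["." + p for p in parts[1:]]          # every extension after the base name
    if exts and exts[-1] in EXECUTABLE_EXTS:
        findings.append(f"{name}: executable/script extension {exts[-1]}")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and exts[-1] in EXECUTABLE_EXTS:
        findings.append(
            f"{name}: double extension {exts[-2]}{exts[-1]} "
            f"(shown as {exts[-2]} when extensions are hidden)")
    # Content check: a Windows PE starts with 'MZ' whatever the name claims.
    if head.startswith(b"MZ") and (not exts or exts[-1] not in EXECUTABLE_EXTS):
        claimed = exts[-1] if exts else "(none)"
        findings.append(f"{name}: PE header (MZ) but extension {claimed}")
    return findings


def scan_archive(data):
    """Scan a zip attachment (bytes); an empty list means no policy violation."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)                # only the magic bytes are needed
            findings.extend(inspect_member(info.filename, head))
    return findings


def build_sample():
    """Constructed sample mimicking the Ordinypt lure (two 'PDFs' that are really
    PE files) plus a Scarab-style VBScript and one harmless image. Dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Bewerbung/Lebenslauf.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("Bewerbung/Anschreiben.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("scan_0001.vbs", b'Set o = CreateObject("WScript.Shell")\r\n')
        zf.writestr("Bewerbung/foto.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample()):
        print(finding)
```

The magic-byte check matters as much as the extension check: renaming the payload to plain filename.pdf defeats extension-only filtering, but the MZ header still gives it away, and the same idea extends to checking that a .pdf actually begins with %PDF.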

 

New Wave of Cyberattacks on Financial Institutions with Silence Trojan

A new wave of cyberattacks on financial institutions using malware known as the Silence Trojan has been discovered. Unlike many attacks on banks, which target bank customers, this campaign targets the banks themselves. The attack method has a number of similarities to attacks carried out by the Eastern European hacking group Carbanak.

The Silence Trojan is being used to target banks and other financial institutions in several countries, although so far most victims are in Russia. The similarity to Carbanak suggests these attacks could be the work of Carbanak or a spinoff of that group, although that has yet to be proven.

The attacks begin with the actors gaining access to banks' networks via spear phishing. Spear phishing emails are sent to bank employees asking them to open an account. The emails are well written and the premise is believable, especially since in many cases they are sent from within the bank using email accounts compromised in earlier attacks. When the emails come from internal addresses, the requests appear perfectly credible.

Some of these emails were seen by Kaspersky Lab. Researchers report that they carry a Microsoft Compiled HTML Help file with the extension .chm.

These files contain JavaScript that runs when the file is opened, fetching a malicious payload from a hardcoded URL. That initial payload is a VBS script, which in turn installs the dropper – a Win32 executable that establishes contact between the infected machine and the attackers' C2 server. Additional malicious files, including the Silence Trojan, are then installed.

The attackers gain persistent access to an infected computer and spend a long time gathering data. Screen activity is recorded and sent to the C2, with the captured bitmaps stitched together into a stream of activity from the infected device, allowing the attackers to monitor day-to-day activity on the bank's network.

This is not a quick smash-and-grab, but an operation that takes place over an extended period. The aim is to gather as much information as possible to maximize the opportunity to steal money from the bank.

Since the attackers use legitimate administration tools to gather intelligence, spotting the attacks in progress is difficult. Deploying solutions to detect and block phishing attacks can help keep banks protected.

Since security flaws are often exploited, organizations should ensure all vulnerabilities are identified and remediated. Kaspersky Lab recommends penetration testing to find vulnerabilities before cybercriminals exploit them.

Kaspersky Lab notes that once an organization has been compromised, the use of .chm attachments together with spear phishing emails sent from within the organization has proved a highly effective method of attacking financial institutions.


Russia, Ukraine and Europe Experience Bad Rabbit Ransomware Attacks

Bad Rabbit ransomware attacks have recently been seen across Russia, Ukraine, and Eastern Europe. New ransomware variants appear constantly, but Bad Rabbit stands out for the speed at which attacks are taking place, its ability to spread within a network, and its similarity to the NotPetya attacks of June 2017.

While Bad Rabbit has been compared to NotPetya, the initial infection method is different. Rather than exploiting the Windows Server Message Block flaw, the attacks use drive-by downloads triggered when users respond to an alert about an urgent Flash Player update. The fake update warnings have been displayed on prominent news and media websites.

The malicious payload is an executable called install_flash_player.exe. It drops and executes C:\Windows\infpub.dat, which begins the encryption process. The ransomware uses the open-source encryption software DiskCryptor to encrypt files with AES, with the keys then encrypted using an RSA-2048 public key. The extension of encrypted files is not changed; instead, the string 'encrypted' is appended to the end of each encrypted file.

Once installed, it spreads laterally via SMB. Security researchers at ESET do not believe Bad Rabbit uses the ETERNALBLUE exploit built into WannaCry and NotPetya. Instead, the ransomware tries a hardcoded list of commonly used login credentials against network shares, supplemented by credentials extracted from the compromised computer using the Mimikatz tool.

Like NotPetya, Bad Rabbit overwrites the Master Boot Record (MBR). Once the MBR has been replaced, a reboot is triggered and the ransom note is displayed.

Victims are asked to pay 0.05 Bitcoin (about $280) via a Tor site. If the ransom is not paid within 40 hours of infection, the price rises. It is currently unclear whether paying results in a working key being handed over.

Victims so far include the Russian news agencies Interfax and Fontanka, the Ministry of Infrastructure of Ukraine, Odessa International Airport, and the Kiev Metro. Overall there are believed to have been over 200 attacks in Russia, Ukraine, Turkey, Bulgaria, Japan, and Germany.
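The lateral movement described above (a fixed credential list tried against SMB shares, plus credentials dumped with Mimikatz) leaves a distinctive trace in Windows Security logs: one source host generating failed network logons for many different accounts against several machines within seconds, sometimes followed by a success once a credential works. The following Python is an added example, not code from the Bad Rabbit analyses or from this page, showing that detection over a constructed, simplified logon-event sample; the event format, hosts, accounts and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one simplified Windows Security event per line:
# "<timestamp> <event_id> <target_host> <account> <source_ip>"
# 4625 = failed logon, 4624 = successful logon. Not a real log export.
SAMPLE_EVENTS = """\
2017-10-24T11:02:01 4625 FS01 administrator 10.0.5.23
2017-10-24T11:02:01 4625 FS01 admin 10.0.5.23
2017-10-24T11:02:02 4625 FS01 user 10.0.5.23
2017-10-24T11:02:02 4625 FS01 guest 10.0.5.23
2017-10-24T11:02:03 4625 WS07 administrator 10.0.5.23
2017-10-24T11:02:03 4625 WS07 admin 10.0.5.23
2017-10-24T11:02:04 4625 WS07 root 10.0.5.23
2017-10-24T11:02:05 4625 WS08 administrator 10.0.5.23
2017-10-24T11:02:05 4624 WS08 backup 10.0.5.23
2017-10-24T11:05:00 4625 FS01 jsmith 10.0.9.4
2017-10-24T11:05:30 4625 FS01 jsmith 10.0.9.4
2017-10-24T11:06:10 4624 FS01 jsmith 10.0.9.4
"""


def parse_events(text):
    """Parse the sample format into (timestamp, event_id, host, account, source) tuples."""
    events = []
    for line in text.splitlines():
        ts, eid, host, account, src = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), host, account.lower(), src))
    return events


def detect_credential_sweep(events, window=timedelta(minutes=2),
                            min_accounts=4, min_hosts=2):
    """Flag source IPs whose failed logons inside `window` span at least `min_accounts`
    distinct accounts and `min_hosts` distinct targets. A user mistyping one password
    (one account, one host) never trips this; a credential list tried across the
    network does. Returns {source_ip: details}."""
    by_src = defaultdict(list)
    for ts, eid, host, account, src in events:
        if eid == 4625:
            by_src[src].append((ts, host, account))

    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        best = None
        for i, (t0, _, _) in enumerate(fails):
            span = [f for f in fails[i:] if f[0] - t0 <= window]
            accounts = {a for _, _, a in span}
            hosts = {h for _, h, _ in span}
            if len(accounts) >= min_accounts and len(hosts) >= min_hosts:
                if best is None or len(accounts) > len(best["accounts"]):
                    best = {"accounts": sorted(accounts), "hosts": sorted(hosts),
                            "failures": len(span), "first_seen": t0}
        if best:
            # Successful logons from the same source after the sweep began are the
            # signal that a listed credential (or one dumped with Mimikatz) worked.
            best["successes_after"] = sorted(
                {(h, a) for ts, e, h, a, s in events
                 if e == 4624 and s == src and ts >= best["first_seen"]})
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, details in detect_credential_sweep(parse_events(SAMPLE_EVENTS)).items():
        print(src, details)
```

Note that 10.0.9.4 is not flagged even though it fails twice and then succeeds: one account on one host is ordinary user behaviour, and the thresholds are what separate that from a sweep. Tune them to the environment and feed the detector real 4625/4624 events (logon type 3 for SMB) from the security log.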

Microsoft Office Attacks Without Macros

Microsoft Office documents containing malicious macros are commonly used to distribute malware and ransomware. However, security researchers have now demonstrated Microsoft Office attacks that need no macros at all, and the technique is harder to block.

You can set macros not to run automatically, or disable them entirely, but that will not protect you from this attack method, which abuses a legacy Office feature called Dynamic Data Exchange (DDE), according to researchers at SensePost. DDE is a built-in Windows inter-process communication mechanism that lets two applications share data, for example so that a Word document can pull figures from an Excel workbook. It supports both a one-time exchange of data and a continuous link that updates as the source changes.

Attackers can use this feature to make a document launch an arbitrary application, without macros, as the first stage of a multi-stage attack. Unlike macros, which are blocked by default and show a prominent security warning before they run, a DDE field produces only generic dialog boxes that do not look like a security prompt.

Opening the file shows the user a message saying "This document contains links that may refer to other files. Do you want to open this document with the data from the linked files?" Users who routinely work with documents that pull in linked data are likely to click Yes without thinking.

A second dialog then asks the user to confirm that they want to start the application named in the command, but the researchers explain that it is possible to suppress that warning.

The technique has already been used by at least one group in spear phishing campaigns, with the emails and documents made to look as though they came from the Securities and Exchange Commission (SEC). In that case the DDE field was used to infect users with the fileless DNSMessenger malware.

Unlike macros, DDE could not simply be switched off from the Office Trust Center at the time, which makes a blanket block problematic. (Microsoft later published security advisory ADV170021 with registry settings that disable automatic DDE updates in Word, Excel and Outlook; where those settings can be deployed they are the most direct control.) Documents can be inspected for DDE fields, but because the attack still depends on the user clicking through two prompts, the most effective defenses remain blocking the malicious emails at the spam filter and training staff to verify the source of an email before opening attachments, and to treat an unexpected "update links" prompt as a warning sign.
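As a concrete check for the DDE technique described above, here is an added Python example written for this page (it is not SensePost's code or anything from the campaigns described). It unzips a .docx, reassembles every field code in each WordprocessingML part, and flags DDE/DDEAUTO fields; reassembly matters because a DDEAUTO keyword split across several w:instrText runs, or wrapped in a QUOTE field, defeats a naive string search of the raw XML. It also flags embedded OLE "Package" objects, the other macro-free way to carry an executable inside a Word document. The sample documents are constructed in memory, and the cmd.exe /c calc.exe payload in the fixture is the harmless proof-of-concept command, not an exploit.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
O_NS = "urn:schemas-microsoft-com:office:office"
W, O = "{%s}" % W_NS, "{%s}" % O_NS

# A DDE or DDEAUTO field code starts the DDE client. Real lures split the keyword across
# several runs or nest it inside a QUOTE field, so each field is reassembled before matching.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)
# OLE "Package" objects embed an arbitrary file (script or executable) the user can double-click.
RISKY_PROGIDS = {"package"}


def field_codes(root):
    """Return every complete field instruction in a WordprocessingML part, whitespace-normalised.

    Handles simple fields (w:fldSimple) and complex fields spread over runs
    (w:fldChar begin ... w:instrText ... w:fldChar end), including nested fields.
    """
    codes, current, depth = [], None, 0
    for el in root.iter():
        if el.tag == W + "fldSimple":
            codes.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                if depth == 0:
                    current = []
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    codes.append("".join(current))
                    current = None
        elif el.tag == W + "instrText" and current is not None:
            current.append(el.text or "")
    return [" ".join(code.split()) for code in codes]


def scan_docx(data):
    """Scan an in-memory .docx; returns (part, kind, detail) tuples for each suspicious construct."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue  # fields and objects live in document.xml, headers, footers, footnotes
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                findings.append((name, "unparseable", ""))
                continue
            for code in field_codes(root):
                if DDE_RE.search(code):
                    findings.append((name, "dde_field", code))
            for obj in root.iter(O + "OLEObject"):
                progid = obj.get("ProgID", "")
                if progid.lower() in RISKY_PROGIDS:
                    findings.append((name, "ole_package", progid))
    return findings


# --- constructed fixtures for this example; none of this is a real document ---
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/></Types>'
)


def build_sample_docx(body_xml):
    """Assemble a minimal .docx zip in memory around the given w:body content."""
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="%s" xmlns:o="%s"><w:body>%s</w:body></w:document>'
        % (W_NS, O_NS, body_xml)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


# Field split across runs, as in real lures; cmd.exe /c calc.exe is the harmless PoC payload.
DDE_BODY = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO c:\\\\Windows\\\\System32\\\\cmd.exe "/c calc.exe" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Loading document...</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)
OLE_BODY = (
    '<w:p><w:r><w:object><o:OLEObject Type="Embed" ProgID="Package" ShapeID="_x0000_i1025" '
    'DrawAspect="Icon" ObjectID="_1"/></w:object></w:r></w:p>'
)
BENIGN_BODY = (
    '<w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; ">'
    '<w:r><w:t>1 January 2017</w:t></w:r></w:fldSimple></w:p>'
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("dde", DDE_BODY), ("ole", OLE_BODY)):
        print(label, scan_docx(build_sample_docx(body)))
```

Run against a mail gateway's attachment queue, a "dde_field" or "ole_package" finding is a quarantine signal rather than a verdict: legitimate documents do use linked data, so the finding should be reviewed with the sender and the reassembled field code (which shows exactly which program the document would start) in hand.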

Manufacturing and Aerospace Sectors Targeted by FormBook Malware

FormBook malware is being used in targeted attacks on the manufacturing and aerospace sectors, according to researchers at FireEye, although the attacks are not confined to those industries.

So far the attacks have mostly hit organizations in the United States and South Korea, but attacks in other regions are highly likely given the low cost of this malware-as-a-service, how easy it is to use, and its wide range of functionality.

FormBook is advertised on underground forums and can be rented for $29 per month. Executables are generated from an online control panel, a process that requires next to no skill, so the malware-as-a-service is likely to be picked up by many attackers.

FormBook is an information stealer that logs keystrokes, extracts data from HTTP sessions and captures clipboard content. Over the connection to its C2 server it can receive and run commands and download further files, including other malware; the NanoCore RAT has already been observed being dropped this way.

FireEye researchers also note that the malware can harvest passwords and cookies, start and stop Windows processes, and force a reboot of an infected machine.

In South Korea FormBook is being distributed by spam email with compressed attachments (.zip, .rar) as well as .iso and .ace files, while the campaigns in the United States have mostly used .doc, .xls and .pdf attachments. Large-scale spam campaigns have been run in both countries.

The U.S. campaigns identified by FireEye used spam emails about shipments sent via DHL and FedEx, a common lure. The shipping labels, which the emails say must be printed to collect the package, come as PDF files. Hidden in the document is a tny.im shortened URL that sends victims to a staging server from which the malware is downloaded. The campaigns using Office documents deliver the malware via malicious macros. The South Korean campaigns typically carry the executable directly inside the archive attachment.

While manufacturers and aerospace/defense contractors are the main focus, attacks have hit a wide range of sectors, including education, services/consulting, energy and utilities, and financial services. Organizations in every sector should be aware of the threat.

Organizations can protect against FormBook with standard best practices: a spam filtering solution that blocks malicious messages and quarantines file types such as ISO and ACE attachments before they reach end users, warning staff about the campaign and training them to recognize these lures, and disabling macros on all devices where they are not needed for everyday work. At a minimum, macros should be set so that a user has to enable them explicitly each time, combined with a standing rule that nobody enables content in a document they were not expecting.

New Android Ransomware Threat Called DoubleLocker

DoubleLocker ransomware is a newly discovered Android threat which, as the name implies, uses two methods to lock the device and prevent victims from accessing their files and using the handset.

Like Windows ransomware, DoubleLocker encrypts files on the device so they cannot be accessed. It uses AES to encrypt stored data and changes the file extension to .cryeye.

While new ransomware variants sometimes have a badly implemented encryption process with weaknesses that allow decryptors to be developed, DoubleLocker victims are not so lucky.

Victims can restore their files from backups, but first they must deal with the second lock. Rather than pairing the encryption with a screen locker, DoubleLocker changes the device PIN. Without the PIN, the device cannot be unlocked.

Researchers at ESET, who first detected the variant, report that the new PIN is a randomly generated number that is neither stored on the device nor sent to the attackers' C&C server. The attackers claim they can remotely reset the PIN and supply a valid key to decrypt the data once the ransom is paid.

The ransom is much smaller than is typical for Windows ransomware, reflecting the smaller amount of data users keep on their phones: 0.0130 Bitcoin, around $54. Payment must be made within 24 hours of infection, otherwise the attackers claim the device will be permanently locked. The malware registers itself as the default home (launcher) application, so the ransom note is shown whenever the home button is pressed, and the attackers contend that any attempt to block or remove DoubleLocker will also lock the device permanently.

ESET's analysis found that DoubleLocker is based on an existing Android banking Trojan, Android.BankBot.211.origin, although the ransomware variant does not include the functionality to steal banking credentials from the device.

While many Android ransomware variants arrive via bogus or compromised applications, particularly from unofficial app stores, DoubleLocker is spread through fake Adobe Flash Player updates on compromised websites.

Although this variant is well engineered, files can be recovered if they were backed up before infection, and the device itself can be recovered with a factory reset. If no backup exists and the ransom is not paid, the encrypted files are lost. The one way around the PIN lock without a factory reset is a device that was rooted with debugging (ADB) enabled before infection: in that case the file holding the PIN can be removed over ADB, which bypasses the lock but does not decrypt the files.

The threat underlines how important it is to back up files on mobile devices, just as on a PC or Mac, and to think before installing any software update offered by a website.

Mobile Accounts Being Targeted with Xafecopy Malware

Xafecopy malware is a new Trojan that steals money from victims through their smartphones. It is hidden inside apps that pose as useful utilities and do work as advertised, while carrying out their malicious function in the background.

Installing one of these apps activates Xafecopy, which silently subscribes the infected phone to a range of online services through websites that use WAP billing. Instead of a credit card, WAP billing charges the purchase to the user's mobile phone bill, so it can take up to a month before the victim notices they have been defrauded.

Many apps are used to deliver the malware, including BatteryMaster, an app that kills processes to extend battery life. Once installed, Xafecopy looks for websites that offer WAP billing and subscribes to their services. These sites often use a CAPTCHA to confirm the user is human, but the malware uses JavaScript to bypass that control.

Xafecopy can also send text messages from the device to premium rate numbers and delete incoming text messages, such as confirmations of the services the victim has been subscribed to and alerts from the network operator about possible fraud.

To date there are more than 4,800 victims in 47 countries, although most of the WAP billing attacks have been seen in India, Mexico, Turkey and Russia, with India accounting for 37.5% of them. The attacks concentrate on countries where WAP billing is most popular.

Kaspersky Lab senior malware analyst Roman Unuchek stated, “WAP billing can be particularly vulnerable to so-called ‘clickjacking’ as it has a one-click feature that requires no user authorization. Our research suggests WAP billing attacks are on the rise.”

Most PC users have antivirus software installed, but the same cannot be said of Android users. Many still run no security software on their mobile devices, even though they use their phones to sign up and pay for online services and to log in to their bank accounts.

Installing antivirus software can help prevent Xafecopy infections. It is also important not to install apps from unofficial stores and to leave Google's Verify Apps feature enabled so that installed apps are checked.

Two Million CCleaner Users Possibly Impacted by Malware

CCleaner malware infections continued for a month before the compromised binary was discovered and the backdoor removed.

Avast, which acquired Piriform over the summer, revealed that between August 15 and September 15 a trojanized version of the application was hosted on the official download server and was being installed by users. Piriform estimates that around 3% of users of the PC cleaning software were infected during that time.

Cisco Talos, which independently identified that the CCleaner build contained malware, noted that around 5 million users install the program each week, so potentially up to 20 million users could have been affected. Piriform's figure is that around 2.27 million users downloaded the backdoored build alongside the legitimate application. As of last Monday, around 730,000 users had still not updated to the most recent, clean version.

Anyone who installed the application on a 32-bit system between August 15 and September 15 received the CCleaner malware, which could gather information about the user's system. The implant was the Floxif Trojan, which had been inserted into the build; the intrusion into Piriform's environment is believed to predate the Avast acquisition.

The CCleaner malware collected users' IP addresses, computer names, lists of installed software and the MAC addresses of network adapters, and exfiltrated them to the attackers' C2 server. The backdoored application was only part of the story: Avast says the attack included a second-stage payload, although it appears the additional malware never executed.

The affected versions were CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191. The malware reportedly did not run on 64-bit systems and the Android app was not affected. The malware was detected on September 13, 2017, but no announcement was made immediately because Avast and Piriform were working with law enforcement and did not want to tip off the attackers.

The binary was signed with a valid Piriform code-signing certificate issued by Symantec, so it passed signature checks, and the backdoor used a domain generation algorithm so that new domains could be brought up to receive exfiltrated data if the primary C2 domain was taken down. A valid signature only proves that the signer held the key; it says nothing about whether the build environment that produced the binary was clean.

Now that the malware has been identified, users simply need to install version 5.34 of the application, which removes the backdoor. Users of the Cloud version need not take action, as the application has been updated automatically to a clean version. While updating should address the issue, users are advised to run a full antivirus scan to make sure no additional malware has been placed on their system.

It is currently unclear who was responsible for this supply chain attack or how the Floxif Trojan was introduced. External attackers may have gained access to the development or build environment, or the Trojan may have been introduced from within.

Supply chain attacks such as this can infect many millions of users, because downloads from an application's own developer are trusted. In this case the malware was built into the binary hosted on Piriform's own server, not on an external site.

A similar supply chain attack compromised a software update for the Ukrainian accounting package M.E.Doc. That attack led to the installation of the NotPetya wiper, which caused billions of dollars in losses for businesses.

RedBoot Malware Encrypts Files and Replaces the MBR

A new form of malware called RedBoot has been identified that has some similarities to NotPetya. Like NotPetya, RedBoot appears to be ransomware but, in its current form, is really a wiper.

RedBoot encrypts files, making them inaccessible, and gives them the .locked extension. Once encryption is finished a "ransom" note is displayed giving an email address to contact to find out how to unlock the files. Like NotPetya, RedBoot also modifies the master boot record.

RedBoot includes a module that overwrites the existing master boot record, and it also appears to alter the partition table, but there is currently no mechanism for reversing those changes. There is no command and control server either, and although an email address is given, no ransom demand appears to be sent. In practice, then, RedBoot is a wiper rather than ransomware.

Lawrence Abrams at BleepingComputer, who obtained a sample and analyzed it, says RedBoot is most likely a poorly designed ransomware variant in the early stages of development. Abrams said he has heard from the malware's developer, who claimed the version reviewed was a development build and that an updated version would be released in October. How that version will be distributed is not yet known.

Even if the developer intends to use this malware to extort money, at present it causes permanent damage. That may change, although it is equally possible that the variant will remain a wiper and be used purely to sabotage computers.

It is unusual for an unfinished version of a malware family to be released along with advance notice of a new version, but it does give organizations time to prepare.

The attack vector is not yet known, so no RedBoot-specific instructions can be given; the security measures to put in place are the same as for blocking any malware variant.

A spam filtering solution should be in place to block malicious emails, and users should be made aware of the threat from phishing, trained to identify malicious emails, and told never to open attachments or click links sent by unknown people.

IT teams should ensure that all devices and servers are fully patched, that SMBv1 has been disabled or its known flaws have been addressed, and that antivirus software is installed on all computers.

It is also essential to back up all systems so that, in the event of an attack, systems can be restored and data recovered.

Two New Locky Ransomware Spam Campaigns Detected

Two new Locky ransomware spam campaigns have been discovered this month, each being used to spread a new variant of the crypto-ransomware. The campaigns follow a relatively quiet period for ransomware attacks, but they show that the threat is never far away.

Previous Locky spam campaigns have been run through the Necurs botnet, one of the largest botnets currently in existence. One of the new campaigns, spreading the Lukitus variant, is still being sent via Necurs. The other, which distributes the Diablo6 variant, is being sent through a new botnet of more than 11,000 infected devices in 133 countries, according to Comodo Threat Research Labs. The botnet appears to have been built quickly and is understood to be growing, with most infected devices in Vietnam, India, Mexico, Turkey and Indonesia.

Failing to back up files is likely to prove expensive. The ransom demand ranges from 0.5 to 1 Bitcoin per infected device, around $2,150 to $4,300 per machine, and there is still no free decryptor for Locky. Victims face file loss if they do not have a viable backup. Locky variants also delete Volume Shadow Copies to hamper recovery without paying the ransom.

The Diablo variant renames encrypted files with a unique 16-character name and adds the .diablo6 extension, while the Lukitus variant appends the .lukitus extension.

The two campaigns differ in their delivery mechanism, although both use spam email. The Diablo campaign, which began on August 9, uses a variety of attachments including PDF, DOC and DOCX files, with infection occurring via malicious macros.

Opening the document shows the user unreadable content and asks them to enable macros to view it. Enabling macros saves a binary to disk and runs it, and that binary downloads the Locky payload.

The email subjects vary, but in many of the messages the attackers claim the attachment is a missed invoice or a purchase order.

The Lukitus campaign was first seen on August 16 and has mostly been used in attacks in the United States, the UK and Austria, although there have also been successful campaigns in Italy, Sweden, China, Russia, Botswana, the Netherlands and Latvia.

This campaign uses compressed (zip and rar) attachments. The archives contain JavaScript files which, if run, download and install the Lukitus variant.

As with all ransomware distributed by spam, the best defense is an advanced spam filter that stops the emails reaching end users. Staff should already have been trained on the ransomware threat; now would be a good time to send a reminder to all employees about the current campaigns.
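The attachment controls recommended for the FormBook campaign above (quarantining ISO and ACE files, inspecting archives) and for the Lukitus campaign (JavaScript inside zip attachments) come down to one check: look at what an attachment actually is, not what it is named. The Python script below is an added example written for this page, not code from any vendor or from the campaigns described. The blocked extension list is an assumed policy, the messages and archives are constructed fixtures, and because the standard library has no RAR or ACE parser those containers are flagged for quarantine rather than opened.

```python
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed policy for this example: types never delivered, and containers we open (zip) or flag (rar).
BLOCKED_EXT = {".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".iso", ".ace"}
CONTAINER_EXT = {".zip", ".rar", ".iso", ".ace"}
MAX_DEPTH = 3                 # archives nested deeper than this are refused unopened
MAX_MEMBER_BYTES = 20 << 20   # never inflate a member larger than 20 MiB (zip-bomb guard)


def classify_bytes(data):
    """Identify executables and containers from magic bytes, ignoring the claimed filename."""
    if data.startswith(b"MZ"):
        return ".exe"
    if data.startswith(b"PK\x03\x04"):
        return ".zip"
    if data.startswith(b"Rar!\x1a\x07"):
        return ".rar"
    if data[7:14] == b"**ACE**":          # ACE signature sits at offset 7
        return ".ace"
    if data[0x8001:0x8006] == b"CD001":   # ISO 9660 primary volume descriptor
        return ".iso"
    return None


def inspect_payload(name, data, depth=0, findings=None):
    """Evaluate one attachment (recursing into zips); returns a list of findings, empty if clean."""
    findings = [] if findings is None else findings
    ext = os.path.splitext(name.lower())[1]   # "label.pdf.exe" -> ".exe", so double extensions are caught
    real = classify_bytes(data)
    if ext in BLOCKED_EXT:
        findings.append("%s: blocked extension %s" % (name, ext))
    if real and real != ext and real in BLOCKED_EXT | CONTAINER_EXT:
        findings.append("%s: content is %s but name says %s" % (name, real, ext or "(none)"))
    if real == ".rar":
        findings.append("%s: RAR archive cannot be opened here, quarantine for review" % name)
    if real == ".zip":
        if depth >= MAX_DEPTH:
            findings.append("%s: archive nested too deeply" % name)
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = "%s!%s" % (name, info.filename)
                    if info.flag_bits & 0x1:      # encrypted member: common in ransomware spam
                        findings.append("%s: encrypted archive member, cannot inspect" % member)
                    elif info.file_size > MAX_MEMBER_BYTES:
                        findings.append("%s: member too large to inflate" % member)
                    else:
                        inspect_payload(member, zf.read(info), depth + 1, findings)
        except zipfile.BadZipFile:
            findings.append("%s: looks like a zip but cannot be parsed" % name)
    return findings


def scan_message(raw):
    """Parse a raw RFC 5322 message and inspect every attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        inspect_payload(name, part.get_payload(decode=True) or b"", findings=findings)
    return findings


# --- constructed fixtures; addresses and contents are placeholders, not real campaign data ---
def build_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


def build_sample_message(filename, payload, subtype="octet-stream"):
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    js_in_zip = build_zip({"invoice_8821.js": b"// constructed placeholder, not a real dropper\n"})
    print(scan_message(build_sample_message("invoice_8821.zip", js_in_zip)))
    print(scan_message(build_sample_message("label.pdf", b"MZ\x90\x00" + b"\x00" * 60)))
    print(scan_message(build_sample_message("report.pdf", b"%PDF-1.4\n%%EOF\n", subtype="pdf")))
```

The design point is that every decision is made on content plus name, never name alone: a zip is opened because its bytes say it is a zip, an executable renamed to .pdf is caught by its MZ header, and anything the gateway cannot look inside (encrypted members, RAR, oversized members) is reported rather than silently passed.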

Recovery without paying the ransom depends on viable backups. Because Locky can encrypt backup files on connected drives and shares, backup devices should be disconnected once a backup has completed. Organizations should also keep three copies of their data on two different media with one copy stored off site, the 3-2-1 approach to backing up.

SMB Exploit Leads to Upgraded Retefe Banking Trojan

Ransomware actors have already leveraged the EternalBlue exploit; now the cybercriminals behind the Retefe banking Trojan have added the NSA exploit to their arsenal.

The EternalBlue exploit was released in April by the Shadow Brokers group and was used in the global WannaCry ransomware attacks. It was also used, alongside other attack vectors, to spread the NotPetya wiper and, more recently, has been incorporated into the TrickBot banking Trojan.

Retefe is distributed through malicious Microsoft Office documents sent by spam email. For the Trojan to be installed, the email and attachment must be opened and the embedded code must be triggered. The attackers usually use Office documents with embedded objects that run malicious PowerShell code when clicked; macros have also been used in some campaigns to deliver the payload.

Researchers at Proofpoint have now obtained a Retefe sample that includes the EternalBlue SMBv1 exploit. The EternalBlue module drops a PowerShell script and an executable; the script runs the executable, which downloads the Trojan.

The researchers noted that the module used in the WannaCry attacks to enable rapid propagation across networks, Pseb, was missing from Retefe, although it may be added in the future. It appears the criminals behind the campaign are only beginning to experiment with EternalBlue.

Other banking Trojans such as Zeus have been used in widespread attacks, but so far Retefe attacks have mainly been confined to a small number of countries: Austria, Sweden, Switzerland, Japan and the United Kingdom.

Companies in those countries are most at risk from Retefe, but given the number of malware families now using EternalBlue, every organization should address the threat. Other malware variants will almost certainly be upgraded to incorporate it.

Defending against EternalBlue (CVE-2017-0144) means applying the MS17-010 patch, disabling SMBv1 where it is not needed, and blocking the associated traffic at the IDS and firewall. Even where systems have been patched, a scan for vulnerable hosts should still be carried out to make sure no devices have been missed.

As the Retefe Trojan is mainly being shared using spam email, a spam filter should be put in place to stop malicious messages from reaching end users. By using SpamTitan, companies can protect their networks against this and other malware threats delivered using spam email.

Double Ransomware Campaign Using Locky & FakeGlobe Ransomware

A new spam campaign has begun that can infect unsuspecting users twice, with both Locky and FakeGlobe ransomware.

The campaign, which started earlier this month, sees the attackers alternate the payload between Locky and FakeGlobe. The researchers who discovered it report that the payload switches roughly every hour.

This distribution method can leave victims infected twice, first with their files encrypted by Locky and then re-encrypted by FakeGlobe, or the other way around. In that case two ransoms would have to be paid if files could not be restored from backups.

Using two malware variants in one spam campaign is not new, but it is far more common for the two to be different kinds of malware, such as a keylogger delivered alongside ransomware. In that scenario, even if the ransom is paid to recover the data, the keylogger remains and keeps harvesting credentials for use in later attacks.

As with previous Locky campaigns, this one uses fake invoices, one of the most effective lures for getting corporate users to open attachments. The attachment is presented as the latest invoice and takes the form of a zip file; extracting it and opening the file inside runs a script that downloads the malicious payload.

The emails also contain a hyperlink with the text "View Your Bill Online", which downloads a PDF containing the same script as the attachment, although the PDF points to different URLs.

The campaign is widespread: the spam has been sent to more than 70 countries and involves hundreds of thousands of messages.

Infections with Locky and FakeGlobe encrypt a wide range of file types, and there is no free decryptor for either. Victims must either restore their files from backups or pay the ransom to recover their data.

When corporations are targeted, several users can easily fall for the campaign, leaving multiple computers to be decrypted. And because ransomware also encrypts mapped drives and network shares, it only takes one user being tricked into running the ransomware for entire systems to be taken down. If data cannot be restored from backups, multiple ransom payments will need to be made.

Sound backup policies protect companies against file loss and spare them from paying ransoms; even with backups in place, however, organizations can suffer considerable downtime while the malware is removed, files are restored, and networks are checked for other malware infections and backdoors.

Spam email remains the weapon of choice for distributing ransomware. Organizations can reduce the risk by implementing an advanced spam filter such as SpamTitan, which blocks over 99.9% of spam emails and stops malicious messages reaching end users' inboxes.

While most organizations now use spam filtering software, a recent PhishMe study suggests 15% of companies still have no email gateway filtering, leaving them at high risk from ransomware campaigns. Given the volume of phishing and ransomware emails now being sent, email filtering is essential.

Shadow Brokers Release UNITEDRAKE Malware

The Shadow Brokers have released another National Security Agency (NSA) hacking tool, the UNITEDRAKE malware, following through on their promise to publish NSA exploits monthly. The tool is one of many allegedly stolen from the NSA in 2016.

The Shadow Brokers previously released the ETERNALBLUE exploit, which was used in the WannaCry ransomware attacks in May that hit thousands of businesses around the world. There is no reason to believe this latest tool is not exactly what they say it is.

UNITEDRAKE is a modular remote access and management tool that can record microphone and webcam output, log keystrokes and access external drives. The Shadow Brokers describe it as a "fully extensive remote collection system" with a range of plugins that let an operator carry out surveillance and gather data for use in further attacks. It gives the operator full control of an infected device.

Plugins include CAPTIVATEDAUDIENCE, which captures conversations through the infected computer's microphone; GUMFISH, which takes over the webcam to record video and capture images; FOGGYBOTTOM, which harvests data such as login credentials, browsing histories and passwords; SALVAGERABBIT, which copies data from external drives such as flash drives and portable hard disks when they are connected; and GROK, a keylogger. The malware can also self-destruct once its tasks are complete.

The malware runs on older Windows versions including Windows XP, Vista, Windows 7 and 8, and Windows Server 2012.

Documents released by Edward Snowden in 2014 state that the NSA used the malware to infect millions of computers worldwide. It is now being offered to any cybercriminal willing to pay the asking price of 500 Zcash, around $124,000. The Shadow Brokers have also published a manual describing how it works and its various functions.

Trend Micro said in a recent blog post that there is currently no known way of blocking the malware or preventing it from being installed. As attacks occur they will be analyzed by security researchers looking for clues about how the malware operates, which should eventually lead to tools that block it.

Until then, organizations need to strengthen their security posture by ensuring all systems are patched and operating systems upgraded to the latest supported versions. An incident response plan should also be prepared so that it can be put into action promptly after an attack.

A further NSA exploit is due to be released later in September, and the monthly dumps are expected to continue for at least the next eight weeks.

Healthcare and Education Sectors hit by Defray Ransomware

Defray ransomware is being used in targeted attacks on organizations in the healthcare and education sectors. The new variant is delivered by email but, in contrast to most ransomware campaigns, the messages are not sent in the millions. Rather than the spray-and-pray approach, small campaigns of just a handful of emails are being run.

To improve the chances of infection, the attackers behind Defray carefully craft messages for specific victims within an organization. Researchers at Proofpoint have captured emails from two small campaigns, one of which uses hospital logos and purports to have been sent by the Director of Information Management & Technology at the hospital.

The emails carry a Microsoft Word attachment presented as a report for patients, relatives and carers. The document contains an embedded OLE packager shell object; if the user double-clicks it, the embedded executable runs and downloads Defray ransomware, saving it under the name of a legitimate Windows file.

The ransom demand is large: victims are told to pay $5,000 per infected device for the decryption keys, although the ransom note implies the attackers are prepared to negotiate. The attackers even suggest victims should keep backups to avoid having to pay ransoms in future.

There is currently no known decryptor for Defray. Files are encrypted with AES-256, the AES key is protected with RSA-2048, and SHA-2 is used to verify file integrity. Besides encrypting files, the ransomware causes other disruption and deletes Volume Shadow Copies to prevent restoration of files without paying the ransom.
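Both Locky (described earlier on this page) and Defray delete Volume Shadow Copies so that files cannot be restored without paying, and that deletion is one of the few reliably generic ransomware signals: ordinary users never run it, and the commands involved are short and recognizable. The detector below is an added Python example written for this page, not a rule set from any vendor or from the researchers cited. The JSON log lines are constructed to resemble process-creation telemetry (Sysmon event 1 or Windows event 4688), and the field names are an assumption; map them to whatever your collector emits.

```python
import json
import re
from collections import namedtuple

Alert = namedtuple("Alert", "rule host user parent image command_line")

# Each rule: name, tool stem, regex over the normalised command line. The tool may be the logged
# image itself or appear inside a wrapper such as "cmd.exe /c vssadmin ...".
RULES = [
    ("vssadmin_delete_shadows", "vssadmin", re.compile(r"\bdelete\s+shadows\b")),
    ("vssadmin_resize_shadowstorage", "vssadmin", re.compile(r"\bresize\s+shadowstorage\b")),
    ("wmic_shadowcopy_delete", "wmic", re.compile(r"\bshadowcopy\b.*\bdelete\b")),
    ("bcdedit_disable_recovery", "bcdedit",
     re.compile(r"recoveryenabled\s+no\b|bootstatuspolicy\s+ignoreallfailures\b")),
    ("wbadmin_delete_catalog", "wbadmin", re.compile(r"\bdelete\s+catalog\b")),
    ("powershell_shadowcopy_delete", "powershell", re.compile(r"win32_shadowcopy.*\bdelete\b")),
]
TOOL_RE = {tool: re.compile(r"\b%s(?:\.exe)?\b" % tool) for _, tool, _ in RULES}


def image_stem(path):
    """'C:\\Windows\\System32\\vssadmin.exe' -> 'vssadmin' (case-insensitive, path-agnostic)."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def evaluate(event):
    """Apply every rule to one process-creation event; returns the matching Alerts."""
    stem = image_stem(event.get("image", ""))
    parent = image_stem(event.get("parent_image", ""))
    cmd = " ".join(event.get("command_line", "").lower().split())  # fold case and padded whitespace
    return [
        Alert(name, event.get("host"), event.get("user"), parent, stem, cmd)
        for name, tool, pattern in RULES
        if (stem == tool or TOOL_RE[tool].search(cmd)) and pattern.search(cmd)
    ]


def scan_log(lines):
    """Run the rules over JSON-lines telemetry, skipping blank or malformed records."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alerts.extend(evaluate(event))
    return alerts


# Constructed sample telemetry (field names are an assumption): a user opens a lure document,
# a script host then runs the shadow-copy and recovery-disabling commands, and a backup
# service later runs the benign "vssadmin list shadows", which must not fire.
SAMPLE_LOG = r"""
{"ts":"2017-08-16T09:11:58Z","host":"WS-0142","user":"CORP\\jdoe","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE","command_line":"\"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE\" /n invoice_8821.doc"}
{"ts":"2017-08-16T09:12:03Z","host":"WS-0142","user":"CORP\\jdoe","parent_image":"C:\\Windows\\System32\\wscript.exe","image":"C:\\Windows\\System32\\vssadmin.exe","command_line":"vssadmin.exe  Delete Shadows /All /Quiet"}
{"ts":"2017-08-16T09:12:04Z","host":"WS-0142","user":"CORP\\jdoe","parent_image":"C:\\Windows\\System32\\wscript.exe","image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd.exe /c \"wmic shadowcopy delete\""}
{"ts":"2017-08-16T09:12:05Z","host":"WS-0142","user":"CORP\\jdoe","parent_image":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\bcdedit.exe","command_line":"bcdedit /set {default} recoveryenabled No"}
{"ts":"2017-08-16T14:30:11Z","host":"SRV-BKP01","user":"CORP\\svc_backup","parent_image":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\vssadmin.exe","command_line":"vssadmin list shadows"}
not json at all
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(alert.rule, alert.host, alert.user, alert.parent, "->", alert.command_line)
```

Matching on the reassembled command line rather than on the image alone is what catches the wrapped form (cmd.exe /c "wmic shadowcopy delete"), and the parent process is carried in the alert because a script host or an Office application spawning these commands is the context that separates ransomware from a storage administrator's maintenance job.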

The developers of the ransomware have not given their malicious code a name and, in contrast to most ransomware variants, the extensions of encrypted files are not changed. Proofpoint named the variant Defray ransomware after the C2 server used by the hackers.

A second campaign has been discovered targeting the manufacturing and technology sectors. In this case, the emails appear to have been sent by a UK aquarium (Sea Life) with facilities around the world. The emails and attachments differ, although the same OLE packager shell object is used to infect end users.

The hackers have been sending these malicious emails to individuals, user groups and distribution lists. Attacks have occurred in both the United States and the United Kingdom and are likely to continue.

Defending against these targeted attacks requires a combination of spam filtering software and end user training. Healthcare, education, technology and manufacturing companies should consider sending an email alert to end users warning of the dangers of ransomware attacks, advising them to exercise caution, not to open email attachments from unknown senders and never to enable content in email attachments.
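The lure described above hinges on an embedded OLE packager object inside a Word document, which is something a mail gateway or an incident responder can check for before anyone double-clicks it. The following is an added example written for this page (not Proofpoint's or any vendor's tooling): it sniffs the container from its magic bytes rather than trusting the file extension, looks for the OLE Packager ProgID ("Package") in the XML parts of a .docx, and for `\objclass Package` / `\objdata` in an RTF file, which is the other container such objects commonly arrive in. The sample documents are constructed inline and the object payloads are placeholder bytes, not real samples.

```python
"""Triage of Word attachments for embedded OLE Package objects (added example)."""
from __future__ import annotations

import io
import re
import zipfile

# <o:OLEObject ... ProgID="Package" .../> is how document.xml references an
# object handled by the OLE Packager, i.e. an arbitrary embedded file.
OLE_OBJECT_RE = re.compile(r'<o:OLEObject\b[^>]*\bProgID="([^"]+)"')
# {\*\objclass Package} is the RTF equivalent; \objdata carries the payload.
RTF_OBJCLASS_RE = re.compile(r"\\objclass\s+([A-Za-z0-9._]+)")


def scan_docx(data: bytes) -> list[str]:
    """Return findings for an OOXML (.docx/.docm) container."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        parts = [n for n in names if n.startswith("word/embeddings/")]
        if parts:
            findings.append("embedded object parts: " + ", ".join(parts))
        for name in names:
            if not name.endswith(".xml"):
                continue
            xml = z.read(name).decode("utf-8", "replace")
            for progid in OLE_OBJECT_RE.findall(xml):
                if progid.split(".")[0].lower() == "package":
                    findings.append(f"OLE Packager object in {name} (ProgID={progid})")
    return findings


def scan_rtf(data: bytes) -> list[str]:
    """Return findings for an RTF document (often mailed under a .doc name)."""
    text = data.decode("latin-1")
    findings = []
    for cls in RTF_OBJCLASS_RE.findall(text):
        if cls.lower() == "package":
            findings.append("RTF object of class Package (OLE Packager)")
    if "\\objdata" in text:
        findings.append("RTF \\objdata payload present")
    return findings


def scan_attachment(data: bytes) -> list[str]:
    """Dispatch on magic bytes: the file name's extension is attacker-controlled."""
    if data.startswith(b"PK\x03\x04"):
        return scan_docx(data)
    if data.startswith(b"{\\rtf"):
        return scan_rtf(data)
    return []


def build_sample_docx(with_package: bool) -> bytes:
    """Constructed minimal .docx for the demo; not a real Defray sample."""
    body = "<w:p><w:r><w:t>Patient report</w:t></w:r></w:p>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        if with_package:
            body += ('<w:object><o:OLEObject Type="Embed" ProgID="Package" '
                     'ShapeID="_x0000_i1025" DrawAspect="Icon" r:id="rId5"/>'
                     "</w:object>")
            # Placeholder for the OLE compound-file blob (constructed bytes).
            z.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
        z.writestr("word/document.xml", f"<w:document><w:body>{body}</w:body></w:document>")
    return buf.getvalue()


# Constructed RTF carrying a Package object; the hex blob is a placeholder.
SAMPLE_RTF = (b"{\\rtf1\\ansi Catering order attached."
              b"{\\object\\objemb{\\*\\objclass Package}"
              b"{\\*\\objdata 0105000002000000}}}")


if __name__ == "__main__":
    for label, blob in [("report.docx (packager)", build_sample_docx(True)),
                        ("report.docx (clean)", build_sample_docx(False)),
                        ("menu.doc (RTF)", SAMPLE_RTF)]:
        print(label, "->", scan_attachment(blob) or "no embedded objects")
```

A hit from `scan_attachment` is a reason to quarantine for detonation rather than a verdict: legitimate documents do embed files, but a "Package" object in an unsolicited invoice or patient report is exactly the pattern these campaigns rely on.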

Reyptson Ransomware Spreads Itself by Emailing Itself to Contacts

Reyptson ransomware is a new cybercriminal campaign that has been identified recently. The ransomware variant is currently being used in attacks in Spain, with detected activity rising sharply in the days since its discovery.

There is no free decryptor for Reyptson ransomware at this time. The ransomware encrypts a wide range of file types, including MS Office files and images, using AES-128 encryption. Encrypted files have the extension .Reyptson appended to the file name.

Following infection, files must be restored from backups, or, if no backup exists and victims do not want permanent file loss, the ransom must be paid. Victims are told they must pay a ransom of €200 to unlock the encryption, although the payment increases to €500 after 72 hours.

New cryptoransomware variants are being released on an almost daily basis, with the majority spread via spam email. What makes this variant different is its ability to spread itself following infection. Reyptson is capable of running its own email campaigns and spreading itself to a victim’s contacts.

The spam email campaigns are conducted through the Thunderbird email client. Reyptson ransomware searches for contacts, creates new spam email messages and sends them to all contacts using the victim’s details.

The emails claim to be invoices and include a link for the recipient to download the invoice. Visiting the link downloads a compressed .rar file containing an executable that appears to be a PDF file. If that executable is run, the user is infected with the ransomware and the process repeats. According to an analysis by MalwareHunterTeam, the emails have the subject line Folcan S.L. Facturación.

Recently, worldwide ransomware campaigns have been conducted using exploits obtained from the NSA. Those exploits take advantage of software flaws that have not been patched. Even though patches have been released to correct those flaws, many companies have yet to update their operating systems. A free scanner called Eternal Blues has been developed that has revealed more than 50,000 computers around the world are still unpatched and at risk.

Prompt patching has always been important, but now even more so. Delaying software updates can see organizations infected, and the damage can be significant. In the case of NotPetya, computers are rendered useless and even payment of the ransom cannot repair the damage.

However, spam email remains the most common vector for spreading ransomware. Preventing Reyptson ransomware attacks and other cryptoransomware variants requires an up-to-date spam filter. A spam filter such as SpamTitan can block these messages and stop them from being delivered to end users. If the spam emails are not delivered, they cannot be opened by end users.

Prompt patching, user awareness training and spam and web filtering can help organizations reduce the risk of attack. However, it is also vital to ensure multiple backups of data are made so that data can be recovered in the event of infection. Organizations should implement the 3-2-1 approach to backups: ensure there are three copies of data, on two different media, with one copy stored off site.

One backup copy can be stored locally, on a removable device that is unplugged when backups are complete or the device is not in use. One copy should be stored in the cloud and one on a backup drive or tape kept in a secure location off site that can be used in the event of a disaster.

Disdain Exploit Kit Available for Hire on Darknet Forums

Exploit kit activity has dropped considerably since 2017, but new variants are still being developed, one of the latest being the Disdain exploit kit.

An exploit kit is a web-based toolkit that probes web users’ browsers for vulnerabilities. If flaws are found, they are exploited to silently download ransomware and malware.

All that is necessary for an attack to take place is for web users to be directed to the domain hosting the exploit kit and for them to have a vulnerable browser or an outdated plugin. At present, the author of the Disdain exploit kit claims the toolkit can exploit more than a dozen separate vulnerabilities in Firefox, IE, Edge, Flash and Cisco WebEx, namely CVE-2017-5375, CVE-2016-9078, CVE-2014-8636, CVE-2014-1510, CVE-2013-1710, CVE-2017-0037, CVE-2016-7200, CVE-2016-0189, CVE-2015-2419, CVE-2014-6332, CVE-2013-2551, CVE-2016-4117, CVE-2016-1019, CVE-2015-5119, and CVE-2017-3823. Many of those exploits are recent and would have a high probability of success.

No malware distribution campaigns have so far been discovered using the Disdain exploit kit, although it is likely to be only a matter of time before attacks occur. The Disdain exploit kit has only just started being offered on underground forums.

Fortunately, the developer does not have a particularly good reputation on the dark web forums, which is likely to slow adoption of the exploit kit. However, it is being sold at a low price, which may tempt some malware distributors to start conducting campaigns. The EK can be rented for as little as $80 a day, with discounts offered for weekly and monthly use. The Disdain exploit kit is being sold for considerably less than some of the other exploit kits currently on offer on the forums, including the Nebula EK.

All that is needed is for someone to rent the kit, add a malicious payload, and send traffic to the domain hosting the Disdain exploit kit, for example through a malvertising campaign or botnet. The price and capabilities of the EK mean it could become a major threat.

Mamba Ransomware Attacks Seen Again

In November 2016, Mamba ransomware was used in an attack on the San Francisco Municipal Transportation Agency (Muni). The hackers issued a ransom demand of 100 Bitcoin ($73,000) for the keys to unlock the encryption. Muni refused to pay, instead choosing to recover files from backups. However, the Mamba ransomware attack still proved costly. The attack took the fare system out of action and passengers were allowed to travel for free for more than a day; a normal weekend day’s takings would be around $120,000.

Since then, Mamba ransomware has been seen only rarely. However, this month has seen several Mamba ransomware attacks, suggesting that the gang behind the malware is active again. Those attacks are geographically focused, with companies in Saudi Arabia and Brazil currently in the firing line, according to the Kaspersky Lab researchers who first noticed the attacks.

Mamba ransomware uses DiskCryptor for full disk encryption rather than searching for and encrypting specific file types. That means a Mamba ransomware attack prevents the operating system from running.

Once installed, the malware forces a reboot of the system, modifies the Master Boot Record, encrypts the disk partitions and reboots again; this time victims are shown a warning screen advising that their data have been encrypted. The attacks share some commonalities with the NotPetya (ExPetr) attacks in June.

The algorithms used to encrypt the data are strong and there is no known decryptor for Mamba ransomware. If the disk is encrypted, victims face complete data loss if they do not have a viable backup and refuse to pay the ransom. However, the most recent attacks make no mention of a ransom payment. Victims are simply told to email one of two email addresses for the decryption key.

The reason for this approach is that it allows the hackers to set the ransom on an infection-by-infection basis. Once the extent of the encryption is known and the victim has been identified, the hackers can set the ransom accordingly.

It is not yet known whether the hackers hold the keys to unlock the encryption or whether payment of the ransom will result in file recovery. Kaspersky reports that the group responsible for this ransomware variant has not been identified. This may be a criminal attack by an organized crime gang or a nation-state sponsored cyberattack in which the aim is not to obtain ransoms but to sabotage companies.

Worrying New RaaS Satan Ransomware Discovered

A new hacking campaign using Satan ransomware is being offered to any would-be hacker or cybercriminal free of charge under an affiliate model known as ransomware-as-a-service (RaaS). The idea behind RaaS is simple. Ransomware developers can infect more computers and networks if they recruit others to help distribute their malicious software. Anyone willing to spend a little time distributing the ransomware receives a share of the profits.

Ransomware authors usually charge a nominal fee for individuals to take part in these RaaS schemes, in addition to taking a percentage of any ransom payments generated. In the case of Satan ransomware, the developers offer RaaS completely free of charge. Anyone who wants to distribute the malware is free to do so. In exchange for their efforts they keep 70% of the ransom payments they generate; the other 30% goes to the ransomware authors. The group behind the RaaS also offers higher percentages as infection counts rise, as a reward for effort. All that is required to get started is to create a username and password, after which access to the ransomware kit is granted.

What is worrying is how easy it is to take part in this RaaS scheme and customize the malware. The gang behind the campaign has developed an affiliate console that allows the malware to be modified. The ransom amount can easily be set, as can the time frame for payment and how much the ransom rises if the payment deadline is missed.

Help is also given with distributing the malware. Assistance is provided to build droppers that install the malware on victims’ systems, to create malicious Word macros and CHM installers for use in spam email campaigns, and to encrypt the ransomware to evade detection. Even multi-language support is available: any would-be hacker can craft ransom demands in multiple languages via the RaaS affiliate console.

Satan ransomware checks whether it is running on a virtual machine. If it is, the ransomware disables itself. If not, it runs and searches for over 350 different file types. Those files are locked with strong encryption. File extensions are changed to .stn and file names are scrambled to make it harder for victims to identify individual files. The ransomware also wipes all free space on the hard drive before the ransom demand is placed on the desktop.

There is no decryptor available for Satan ransomware. Recovery without paying the ransom depends on organizations being able to restore files from backups. Since the ransomware also encrypts backup files, those backups must be stored in the cloud or on isolated devices.

Free Ransomware-as-a-Service Called ‘MacRansom’ Targeting Mac Users

Mac users are better protected from ransomware than Windows users, although they now face a new threat: MacRansom. The new ransomware variant may not be particularly advanced, but it can encrypt files.

MacRansom is offered under a ransomware-as-a-service (RaaS) model, with the RaaS advertised to hackers on a Tor portal. In contrast to many RaaS offerings that require payment before the RaaS can be used, the threat actors behind MacRansom offer it free of charge.

Any would-be hacker looking to conduct ransomware attacks can email the creators of the ransomware via a secure Protonmail address, and a version of MacRansom will be built to the user’s specifications.

The creators of MacRansom claim they are professional engineers and security experts with extensive experience in software development and a complete understanding of macOS. They claim they have previously been employed at Yahoo and Facebook.

The authors say that MacRansom can be downloaded and will remain hidden from the victim until the scheduled execution time, when it will complete its encryption routine in under a minute. The ransomware uses a 128-bit industry-standard encryption algorithm that cannot be overcome unless the ransom is paid. The authors claim the ransomware leaves no digital traces and that it can be timed to run at a specific time set by the user. It can even be triggered when an individual plugs an external drive into an infected machine, to maximize the number of files encrypted. However, the ransomware can only encrypt a maximum of 128 files.

The ransomware checks whether it is running in a virtual environment, whether it is being debugged or whether it has been run in a non-Mac environment, in which case it exits.

Security experts at Fortinet, Rommel Joven and Wayne Chin Low, registered for the RaaS and obtained a sample, but noted that in some cases it may not be possible to decrypt encrypted files even if the ransom demand is met. They stated, “A remarkable thing we observed when reverse-engineering the encryption/decryption algorithm is that the TargetFileKey is permuted with a random generated number. In other words, the encrypted files can no longer be decrypted once the malware has terminated.” However, to find out, victims will be required to pay a ransom of 0.25 Bitcoin, almost $700.

Fortunately, infection requires the victim to run a file from an unidentified developer. They will therefore need to confirm that they want to do so before the file runs. This alert should be sufficient to stop many end users from proceeding.

IRS Instructed to Implement an Enterprise Email Archiving Solution by TIGTA

The Treasury Inspector General for Tax Administration (TIGTA) has recently called for the IRS to implement an enterprise email archiving solution, according to reports. An enterprise email archiving solution allows emails to be retrieved on demand and ensures messages remain usable. Companies must be able to produce emails in the event of an audit and during the legal discovery process. An email archive is searchable and allows emails to be quickly and easily located and accessed when required.

Recovering emails from backups can be a long and complicated process for businesses. Because of this, many companies simplify the process by using an enterprise email archiving solution such as ArcTitan. ArcTitan makes archiving emails quick and easy and frees up valuable storage space on mail servers. Recovering emails is also quick and straightforward, as the archive is searchable. While recovering multiple emails from backups can take several days, with ArcTitan even large numbers of emails from multiple email accounts can be recovered in minutes.

Currently, federal law requires emails to be produced on demand. The IRS has recently been found to have failed to comply with federal regulations on email storage. It is becoming evident that many organizations have yet to switch to an email archive, and the IRS is not setting a good example in this regard.

In a recent audit of the Internal Revenue Service by the Treasury Inspector General for Tax Administration (TIGTA), it was found that IRS policies on email storage do not allow it to consistently ensure records are retained. Additionally, in several cases, the IRS was unable to produce emails on request.

The Chairman of the Senate Committee on Finance and the Chairman of the House Committee on Ways and Means requested the audit after the IRS reported that it was unable to produce some documents in response to Freedom of Information requests. The IRS discovered that the documents had been accidentally deleted when it searched for them on its system.

The auditors also found that emails are not automatically archived for all employees, and that some employees had been instructed to manually store emails on their hard drives or network drives. Some emails and documents were consequently permanently lost when hard drives were damaged or destroyed.

Additionally, the audit showed that even though a new executive e-mail retention policy had been introduced that should have resulted in emails being automatically archived, that did not occur because some executives failed to turn on the automatic archiving feature.

The IRS also failed to apply its policies on email archiving consistently. In fact, it was found to have failed to follow its own policies on email archiving in more than half of the 30 Freedom of Information requests assessed by the auditors. All documents and emails would have been recoverable and could have been quickly located had an enterprise email archiving solution been used.

Following the audit’s findings, TIGTA has instructed the IRS to implement an enterprise email archiving solution. This is something all organizations in the United States should consider. In the event of a Freedom of Information request, an audit or a lawsuit, all relevant emails can be quickly produced and regulatory fines avoided.

How an Enterprise Archiving Solution can Help IRS’ Compliance with GDPR

The EU’s General Data Protection Regulation (GDPR) comes into force in May 2018. Under the new Regulation, the IRS, and any other US organization holding the personal data of EU citizens, has a duty to protect that data from theft, loss or unauthorized disclosure. Implementing an enterprise email archiving solution will help the IRS comply with these new regulations.

EU citizens also now have the right to request access to personal data held by the IRS. In addition, they hold a “right to be forgotten” if the IRS no longer has a lawful basis for retaining the data. TIGTA’s audit of email practices within the IRS came at the right time, as should the IRS be unable to produce an email on request or fail to respond to a data access request within thirty days, the Service could be liable for a fine of up to 4% of global turnover. The IRS collected $3.3 trillion in taxes in 2015, making the potential fine a substantial figure.

Pros & Cons of BYOD

Many workers want to use their personal devices for work. Personally owned devices are often faster than the desktops supplied by employers. Staff members know how to use the operating system, already have the software they need installed, and it gives them more flexibility over when and where they work.

These are all great advantages for staff members. The power of new technology can be used with minimal expense, and productivity can rise.

There is also a perception that technology vendors are the main champions of BYOD. It is true that vendors have pushed the BYOD movement and are urging that their new devices be used in the workplace. However, it is workers who are really driving the push for change. They want to use their own devices at work because it makes their lives less complicated.

Unfortunately for IT security professionals, keeping control of the devices is thought to be practically impossible. The risks introduced by personal tablets, smartphones and laptops are many. BYOD is seen as a data security risk and a security breach waiting to happen.

But what are the risks introduced by the devices? Are they as problematic as security professionals think?

What are the issues with Bring Your Own Device (BYOD) policies?

  • Many IT workers dislike BYOD, and not only for data security reasons. Managing BYOD calls for a considerable amount of planning and time. IT staff are usually short of time as it is, even without having to manage personally owned networked devices. Budget increases to account for BYOD are rarely sufficient, and extra staff are often not hired to cope with the additional workload.
  • Devices owned by workers must be given access to corporate networks. They are also used to hold sensitive corporate data, yet those devices are taken outside the control and security of the company, used at home, taken to social events, and are often misplaced or stolen.
  • The devices can cause compliance issues, especially in highly regulated sectors.
  • IT workers must ensure data can be remotely deleted, and that protections are in place to stop the devices from being infected with malware.
  • Another issue is how to make sure data can be deleted from the device when an employee leaves the company. Controls must therefore be put in place so that data can be wiped remotely, and access to corporate networks and data must be revoked.
  • If data is stored on the device, it must be set up to store personal data and work data separately. The IT department cannot remotely erase all data on the device, since some of it belongs to the owner of the device.

There are solutions that make BYOD work properly. Work data can be stored in the cloud instead of on the device itself, which makes data management much easier. Policies can be designed to ensure security gaps are not allowed to develop. Management may be difficult, but software is available to make the process much more straightforward and less labor intensive. Many security software solutions have been designed specifically for BYOD.

Self-Replicating Worm Module Included with Trickbot Malware

Trickbot malware is a banking Trojan that has been active for a few years now, although its authors have recently added a WannaCry-style worm module that allows it to spread much more quickly.

The recent NotPetya attacks also had a similar module allowing the malware to be used in devastating attacks that erased entire systems.

This new method of speeding up the spread of the malware uses a vulnerability in Windows Server Message Block (SMB), with the Lightweight Directory Access Protocol (LDAP) used to identify vulnerable computers on the network.

Since the exploit is publicly available, hackers can use it in tandem with malware to spread infections more effectively and quickly. Worms were once common, although their use had died out. The use of worm-like components in the WannaCry and NotPetya attacks has shown just how effective they can be, and served as a reminder of why they were popular in the first place.

Far from being isolated malware variants, we could be about to see an increase in the use of worm-like modules. Fortunately, for the time being at least, the worm module in Trickbot malware does not appear to be fully operational. That said, the malware is constantly being redeveloped, so it is likely the bugs will be fixed soon.

The malware can gain access to online banking accounts, enabling the hackers to empty them. It is quickly becoming one of the main banking Trojans, according to IBM X-Force. It is currently being used in targeted attacks on organizations in the financial sector around the world, with recent campaigns hitting banks in the UK and United States. The ability to spread quickly throughout a network will make it far more dangerous.

Apart from the new worm-like module, another change has been observed. PhishMe reports that it has identified a change to how the Trojan is distributed. Attacks have taken place via malvertising campaigns this year that send web users to sites hosting the Rig exploit kit, although Trickbot is mainly distributed via spam email sent through the Necurs botnet.

The latest change to the Trickbot malware campaign is helping the threat actors evade anti-virus solutions. Previously, the Trojan was downloaded via macro scripts in specially crafted Office documents. The most recent campaign sees the hackers use a Windows Script Component (WSC) containing XML-format scripts. The same delivery method has also been used to distribute GlobeImposter ransomware.
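A Windows Script Component is plain XML, so a filter that only keys on the .wsc extension is easy to sidestep by renaming the file; inspecting the content is the more robust check. The following is an added example, not PhishMe's or any vendor's detection code: it parses a scriptlet (a `<component>` or `<scriptlet>` root with a `<registration>` element and `<script language="...">` blocks), reports which script languages it carries, whether it registers a COM object, and which Windows Script Host objects the script body references. The sample scriptlet is constructed with a do-nothing body and a placeholder class id.

```python
"""Content-based triage of Windows Script Component (.wsc) attachments (added example)."""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Well-known host objects a script needs in order to touch the file system,
# the network or a shell; listed here as detection indicators only.
HOST_OBJECT_INDICATORS = (
    "ActiveXObject", "WScript.Shell", "XMLHTTP", "ADODB.Stream",
    "Scripting.FileSystemObject", ".Run(", ".Exec(",
)


def looks_like_scriptlet(data: bytes) -> bool:
    """Cheap pre-check so ordinary XML attachments are not fully parsed."""
    head = data[:512].lower()
    return b"<component" in head or b"<scriptlet" in head or b"<package" in head


def triage_wsc(data: bytes) -> dict:
    """Summarise why a scriptlet should (or should not) be held at the gateway."""
    result = {"is_scriptlet": False, "languages": [], "registers_com": False,
              "indicators": [], "risk": "none"}
    if not looks_like_scriptlet(data):
        return result
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Malformed XML with scriptlet markers still deserves a look: the
        # scriptlet engine is more lenient than a strict XML parser.
        result.update(is_scriptlet=True, risk="medium",
                      indicators=["unparseable XML with scriptlet markers"])
        return result
    result["is_scriptlet"] = root.tag.lower() in ("component", "scriptlet", "package")
    for el in root.iter():
        tag = el.tag.lower()
        if tag == "registration":
            result["registers_com"] = True
        elif tag == "script":
            result["languages"].append(el.get("language", "unspecified"))
            body = (el.text or "").lower()
            for indicator in HOST_OBJECT_INDICATORS:
                if indicator.lower() in body and indicator not in result["indicators"]:
                    result["indicators"].append(indicator)
    if result["indicators"]:
        result["risk"] = "high"
    elif result["languages"]:
        result["risk"] = "medium"
    return result


# Constructed scriptlet: the script body instantiates a host object and
# otherwise does nothing; the classid is a placeholder, not a real GUID.
SAMPLE_WSC = b"""<?xml version="1.0"?>
<component>
  <registration progid="Sample.Component" classid="{00000000-0000-0000-0000-000000000000}"/>
  <public><method name="run"/></public>
  <script language="JScript"><![CDATA[
    var shell = new ActiveXObject("WScript.Shell");  // placeholder body
    function run() { return 0; }
  ]]></script>
</component>
"""

# Constructed benign XML attachment for comparison.
SAMPLE_BENIGN_XML = b'<?xml version="1.0"?><invoice><total>12.50</total></invoice>'


if __name__ == "__main__":
    print("scriptlet:", triage_wsc(SAMPLE_WSC))
    print("benign   :", triage_wsc(SAMPLE_BENIGN_XML))
```

Any scriptlet arriving by email is unusual enough to quarantine on `is_scriptlet` alone; the indicator list is there to prioritise analyst attention, not to decide whether a script is safe.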

New Locky Ransomware Campaign Using Fake Invoices

The WannaCry ransomware campaign may have attracted a lot of media attention, but Locky ransomware presents a bigger threat to organizations, with a new Locky ransomware campaign now a regular event. The ransomware was first seen in February last year and quickly became the biggest ransomware threat. Recently, Cerber has been extensively distributed, but Locky is still being used in widespread attacks on organizations.

Those responsible for Locky ransomware are constantly changing tactics to trick end users into installing the malware and encrypting their files.

The Necurs botnet has recently been used to distribute Jaff ransomware, although now that a decryptor has been produced for that variant, the actors behind Necurs have switched back to Locky. The new Locky ransomware campaign involves millions of spam messages being sent via the Necurs botnet, with some reports suggesting that around 7% of global email volume at the start of the campaign came from the Necurs botnet and was spreading Locky.

The new Locky ransomware campaign deploys a new variant of the ransomware that does not encrypt files on Windows operating systems newer than XP. This appears to be a mistake, and a new, updated version of the ransomware is expected to be released soon. As with previous campaigns, the latest batch of emails uses fake invoices to trick end users into downloading the ransomware.

Fake invoices are typically used to distribute ransomware because they are highly effective. Even though these campaigns often include scant detail in the email body, many end users open the attachments and enable macros. By doing so, users download Locky. There is still no free decryptor available to recover Locky-encrypted files. Infections can only be mitigated by paying a sizeable ransom or restoring files from backups.

Training end users to be more security aware will help organizations reduce their susceptibility to ransomware attacks, although the best defense against email-based ransomware attacks is an advanced spam filtering solution that stops the messages from reaching end users’ inboxes. If the emails are blocked, there is little chance of end users opening malicious attachments and downloading the ransomware.

Fileless Malware Phishing Attacks Targeting Restaurants

Hackers have been conducting fileless malware phishing attacks, and restaurants are being targeted. Restaurants are being targeted because they tend to have relatively weak cybersecurity defenses and criminals can easily gain access to the credit card details of thousands of customers.

The phishing attacks are used to download fileless malware, that is, malware that resides in memory and does not involve any files being written to the hard drive. Because of this, fileless malware is particularly difficult to detect. By switching to fileless malware, which most static antivirus solutions do not detect, the criminals can operate undetected.

While fileless malware can be short-lived, remaining in memory only until the computer is rebooted, the latest variants are also persistent. The aim of the malware is to allow the attackers to install a backdoor that gives access to restaurants’ computer systems. They can then obtain customers’ financial information undetected.

The most recent fileless malware phishing attacks involve RTF files. Researchers at Morphisec detected the campaign, which has been attributed to the hacking group FIN7, a group with close associations to the Carbanak group.

The attacks start with a well-crafted phishing email, with social engineering techniques used to encourage end users to open the attached RTF file. Restaurant-themed RTF files have been seen, named menu.rtf and relating to orders. Some emails appear to have been written to target specific restaurant groups.

One intercepted phishing email purported to be a catering order, with the attachment containing a list of the items required. The email gave short instructions outlining when the order was needed and how to view the list of ordered items. The email was short, but particularly realistic. Many restaurants are likely to be fooled by these fileless malware phishing attacks, with access to systems granted for long periods before being discovered.

As with other phishing campaigns, the user is asked to enable content in the attached file. Opening the RTF file displays a large image that the user must click in order to view the contents of the document. The document is expertly designed, appears professional and implies that its contents are protected. Double clicking on the image and confirming with a click on OK initiates the infection process, running JavaScript code.

FIN7 has recently been carrying out attacks on financial institutions, but Morphisec reports that the methodology has changed for the malware attacks on restaurants. DNS queries are used to deliver the shellcode stage of the infection, but unlike previous attacks, the DNS queries are issued from memory rather than via PowerShell commands. Since the attack does not involve files being written to the hard drive, it is hard to detect.

Furthermore, the researchers checked the RTF file against VirusTotal and found that none of the 56 AV vendors were, at the time, detecting the file as malicious.
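When the shellcode stage is pulled over DNS from memory there is no file for antivirus to scan, so the query pattern in resolver logs is what remains to detect. The following is an added example, not Morphisec's detection logic: it groups queries by client and registered domain and flags a group that has many distinct, high-entropy leftmost labels and a high share of TXT lookups. The log format, the use of TXT records and the domain names (`payload-cdn.invalid`, `corp.example`) are assumptions, since the page does not state the record type used, and the log lines are constructed. The thresholds should be tuned against your own baseline.

```python
"""Spotting DNS-based payload delivery in resolver logs (added example)."""
from __future__ import annotations

import math
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client> <qname> <qtype>".
# 10.0.5.21 is ordinary traffic; 10.0.5.44 shows the delivery pattern.
SAMPLE_DNS_LOG = """\
2017-06-12T10:01:02 10.0.5.21 www.corp.example A
2017-06-12T10:01:05 10.0.5.21 mail.corp.example MX
2017-06-12T10:01:07 10.0.5.21 www.corp.example A
2017-06-12T10:02:11 10.0.5.44 3f9a1c2b7e4d6a8b.stage.payload-cdn.invalid TXT
2017-06-12T10:02:12 10.0.5.44 b7e2d9c4a1f60e38.stage.payload-cdn.invalid TXT
2017-06-12T10:02:12 10.0.5.44 5c0d8e2f9a4b7c16.stage.payload-cdn.invalid TXT
2017-06-12T10:02:13 10.0.5.44 e1a9c3b7d2f4068a.stage.payload-cdn.invalid TXT
2017-06-12T10:02:13 10.0.5.44 9d4f7a2e6c1b3580.stage.payload-cdn.invalid TXT
2017-06-12T10:02:14 10.0.5.44 7b3e5a9c1d2f8e46.stage.payload-cdn.invalid TXT
2017-06-12T10:02:20 10.0.5.44 www.corp.example A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; hex-encoded chunks score far higher than host names."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def registered_domain(qname: str) -> str:
    """Naive: last two labels. Production code should use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_dns_log(log: str) -> list[tuple[str, str, str, str]]:
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append((ts, client, qname.rstrip(".").lower(), qtype.upper()))
    return records


def find_dns_delivery(log: str, min_unique: int = 6, min_entropy: float = 3.0,
                      min_txt_ratio: float = 0.5) -> list[dict]:
    """Return (client, domain) groups whose query pattern looks like staged delivery."""
    groups: dict[tuple[str, str], list[tuple[str, str]]] = defaultdict(list)
    for _, client, qname, qtype in parse_dns_log(log):
        groups[(client, registered_domain(qname))].append((qname, qtype))
    findings = []
    for (client, domain), queries in groups.items():
        unique = {q for q, _ in queries}
        if len(unique) < min_unique:
            continue
        mean_entropy = sum(shannon_entropy(q.split(".")[0]) for q in unique) / len(unique)
        txt_ratio = sum(1 for _, t in queries if t == "TXT") / len(queries)
        if mean_entropy >= min_entropy and txt_ratio >= min_txt_ratio:
            findings.append({"client": client, "domain": domain,
                             "unique_names": len(unique),
                             "mean_label_entropy": round(mean_entropy, 2),
                             "txt_ratio": round(txt_ratio, 2)})
    return findings


if __name__ == "__main__":
    for finding in find_dns_delivery(SAMPLE_DNS_LOG):
        print(finding)
```

Content-delivery networks and some security products also generate long random-looking labels, so the registered domain in a hit should be checked against an allow list before it is escalated; the value of the rule is that it works even when the endpoint shows nothing on disk.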

Hotels.com Breach Phishing Attacks Likely to Result in More Hacks

The Texas-based online hotel booking portal Hotels.com is alerting customers that some of their sensitive data has been accessed. The Hotels.com breach may have involved usernames and passwords, email addresses, and the last four digits of users’ credit card numbers.

Users’ accounts were accessed between May 22 and May 29, although at this stage it is unclear exactly how many people have been affected. While full credit card numbers were not obtained, the Hotels.com breach will leave users at an elevated risk of phishing campaigns.

Phishing emails come in many forms, although it is common for users of a site that has suffered a data breach or security incident to receive warning emails about the attack. The emails correctly claim that a user’s sensitive data has been compromised; however, the emails do not come from the company that suffered the breach. Instead, it is the hackers who conducted the attack, or individuals who have bought stolen data from them, who send the emails.

A typical phishing scenario sees people informed that their usernames and passwords have been obtained. A link is included in the emails to permit the user to reset their password or activate additional security controls on their account.

That link sends the user to a phishing website where further information is harvested, such as the missing digits of their credit card number or other personal data. Alternatively, the link could direct the user to a malicious website hosting an exploit kit that downloads malware onto their computer.

Hotels.com customers were targeted in a 2015 phishing campaign which led to many site users divulging information such as names, phone numbers, email addresses and travel details. That information could be used in further scams, or even for burglaries when victims are known to be away on vacation.

The Hotels.com breach is the latest in a series of attacks on online companies. While it is currently unclear how access to customers’ accounts was obtained, a letter emailed to affected users implies the attack could be linked to breaches at other websites: credentials exposed elsewhere and reused on Hotels.com would have allowed the attackers to log in to those accounts.

Reusing passwords across online platforms is a bad idea. While it is easier to remember a single password, a breach at any one website means the attackers can access accounts on every site where the same password is used.

To limit the damage, a strong, unique password should be set for each online account. While these are difficult to remember, a password manager can store them, and most password managers will also generate strong, unique passwords. Users should also enable two-factor authentication wherever a site supports it, so that a stolen password alone is not enough to log in.

Since employees of many companies use hotel booking websites such as Hotels.com, organizations should be particularly alert to phishing emails over the coming weeks, especially any referring to Hotels.com. To safeguard against phishing attacks, we recommend using SpamTitan. SpamTitan blocks more than 99.9% of phishing and other spam emails, minimizing the chance of those messages reaching end users. Combined with security awareness training and phishing simulation exercises, companies can successfully defend against phishing campaigns.

Cerber is the Main Ransomware Threat

Locky ransomware first arrived on the scene in February 2016 and quickly became the largest ransomware threat. Locky infections rose rapidly following its release and continued to climb through the first six months of the year. The ransomware was initially delivered by exploit kits, although as exploit kit activity fell, its developers switched to spam email as the main attack vector.

As 2016 went on, Locky activity dropped. While Locky infections persist, it is no longer the largest ransomware threat: Locky now accounts for just 2% of infections. A new report from Malwarebytes shows that the biggest ransomware threat is now Cerber.

Cerber ransomware is now responsible for 90% of all ransomware infections worldwide, with those attacks carried out using many different strains of the ransomware. Cerber has even overtaken TeslaCrypt, a previously highly prevalent ransomware family that dominated attacks in 2015 and early 2016. At the start of 2017, Cerber’s ‘market share’ was 70%; by the end of the quarter it had grown to 90%.

The secret of Cerber’s growth lies not only in the sophistication of the ransomware but in how it is used and shared. Cerber has become the largest ransomware threat because it is not only its authors who use it to attack organizations. There is now an army of affiliates deploying the ransomware. Those affiliates need neither programming experience nor much technical skill. Their role is simple: they distribute the ransomware and take a cut of the profits from any ransoms they manage to collect.

Ransom payments are likely with Cerber infections. There is no free decryptor for the ransomware because no weakness in its encryption has been found. Files locked by Cerber cannot be unlocked without the decryption keys, and only the attackers have access to those. The encryption used is of military grade, says Malwarebytes. Furthermore, a computer does not even need to be connected to the Internet for files to be encrypted. The most recent variants also include a host of new defenses to prevent detection and analysis.

The main attack vector is email. Cerber is spread in spam email, with infection occurring when a user opens a malicious email attachment. The attachment then downloads Cerber from an attacker-controlled Dropbox account.

With the new security measures put in place by its authors and no shortage of affiliates signing up to use the ransomware-as-a-service, Cerber looks set to be the main ransomware threat throughout Q2. Attacks will continue and likely grow, and new variants will almost certainly be issued.

All organizations can do is enhance their defenses against attack. Email security solutions should be used to prevent spam emails from being delivered to end users. Employees should be trained how to identify malicious emails and not to open email attachments from unknown senders. Organizations should also use endpoint security tools to detect infections.

Since even with advanced security defenses infections can still happen, it is vital that all data are backed up and those backups tested to ensure they will allow encrypted data to be retrieved.

Millions of Account Details Stolen in Edmodo Data Breach

A data breach at Edmodo has been reported that has affected tens of millions of users of the education platform, among them teachers, students and parents.

Edmodo is a platform used for K-12 school lesson planning, homework assignments, grading and school reports. There are over 78 million registered users of the platform. The cybercriminal responsible for the Edmodo data breach claims to have obtained the credentials of 77 million users.

This claim has been partially verified by Motherboard, which was given a sample of 2 million records for verification purposes. While the full 77 million-record data set has not been reviewed, the claim appears to be genuine.

The hacker, nclay, has placed the data for sale on the darknet marketplace Hansa and is asking $1,000 for the complete list. The data includes usernames, hashed passwords and email addresses. Email addresses for approximately 40 million users are thought to have been obtained.

The passwords were salted and hashed with the bcrypt algorithm. Hashes cannot be reversed, so the attackers would have to guess passwords and test each guess against the hashes; bcrypt is deliberately slow, which makes that a long and painstaking process, although weak or common passwords will still fall first. Edmodo users have therefore been given some time to reset their passwords and safeguard their accounts.

The Edmodo data breach is now being looked into and third party cybersecurity experts have been hired to complete a full analysis to determine how access to its system was obtained. All users of the platform have been emailed and advised to change their passwords.

Even if access to the accounts cannot be obtained, 40 million email addresses would be valuable to online spammers. Users of the platform are likely to face a heightened danger of phishing and other spam emails, should nclay find a buyer for the stolen information.

This is not the only large-scale data breach to hit the education sector this year. Schoolzilla, a data warehousing service for K-12 schools, also suffered a serious cyberattack. The breach was discovered last month and is believed to have resulted in the theft of 1.3 million students’ data. In the case of Schoolzilla, the attacker exploited a configuration error that left a backup file exposed.

New Variant from the Distributors of Locky Called Jaff Ransomware Discovered

A new encryptor called Jaff ransomware is being distributed by the hackers responsible for spreading the Dridex banking Trojan and Locky ransomware. The group has also previously used Bart ransomware to encrypt files in an effort to extort money from companies.

Unlike Locky and many other ransomware variants, the individuals behind Jaff ransomware are demanding a very large ransom to unlock files, suggesting the new variant will be used to target companies rather than individuals. The ransom demand per infected machine is 1.79 Bitcoin, around $3,300. By comparison, WannaCry asked for only $300 per infected machine.

The distributors have used exploit kits previously to spread infections, although spam email is used for the most recent campaign. Whether that will remain the only distribution mechanism is unclear. Millions of spam email messages have already been transmitted using the Necurs botnet, according to Proofpoint researchers who discovered the new encryptor.

The emails have a PDF file attachment instead of a Word document. Those PDF files include embedded Word documents with macros that will install the malicious payload. This method of distribution has been seen with Locky ransomware in recent times.

The change in attachment type is thought to be an effort to get users to open the attached files. There has been a lot of publicity about malicious Word documents attached to emails from unknown senders, so a PDF may see more end users open the attachment and infect their computers.

Opening the PDF presents the user with a message stating that the contents of the document are protected. They are told to ‘enable editing’ by dismissing the security warning and enabling macros. Enabling macros triggers the infection. Jaff ransomware then finds and encrypts a wide range of file types, including images and multimedia files, databases, office documents and backups.

There is no known decryptor for Jaff ransomware. Recovery depends on a viable backup that has not itself been encrypted by the ransomware. The only other options are to pay the large ransom or to lose the files permanently.

To safeguard against the threat, an advanced spam filtering solution should be put in place to stop the emails reaching end users’ inboxes. As a failsafe, staff should be warned about the threat of ransomware and told not to open file attachments from unknown senders. They should also be warned specifically about PDF files containing embedded Word documents, and about any document that asks them to enable macros or editing.

Employees’ Wages Stolen in Denver Public Schools Phishing Scam

The importance of anti-phishing training for employees has been emphasised this week after a major incident in Denver. A targeted Denver Public Schools phishing scam saw at least 30 workers provide their usernames and passwords to scammers.

The Denver Public Schools phishing scam gave the attackers access to those employees’ accounts, which were then used to reach the school district’s payroll system. The attackers changed the direct deposit routing numbers for employee payments and diverted the money to their own accounts. More than $40,000 that had been set aside to pay staff wages was taken.

Workers have now been paid and efforts are continuing to recover the stolen funds. At least 14 direct deposits were diverted and have not been recovered. The school district believes the losses will be covered by an insurance policy. The incident has been reported to the Colorado Bureau of Investigation, which is investigating to try to identify the individuals behind the attack.

The Denver Public Schools phishing scam was highly realistic; however, questions will be asked about how so many workers fell for the scam and disclosed their login details. The school district has confirmed that its employees had been trained on the risk of phishing before the attack took place.

Denver Public Schools employs 13,991 workers. The proportion who responded was therefore small, but it takes only one individual to reply to such a scam for serious financial harm to be caused.

A Bad 12 Months for Phishing Attacks on Schools

Phishing attacks on schools are common, but this year attacks have soared even more than usual. In 2017 alone there have been 141 reported W-2 phishing scams, 33 of which affected schools, colleges and universities.

While phishing scams used to be fairly easy to spot, they are becoming far more sophisticated. It is no longer easy to tell a phishing email from a legitimate request. Attackers use spoofing techniques to make emails appear to have been sent from within the organization. Genuine email accounts may even be compromised and used for phishing attacks. Last month, the Digital Citizens Alliance reported finding millions of .edu email addresses listed for sale on the dark web. Those addresses are attractive for phishing scams because they are trusted.

Phishing emails are often free from the spelling and grammatical mistakes that were commonly seen in spam emails in previous years. The emails often include lifted branding, images and formatting, which makes them highly realistic. The requests for details may also seem reasonable.

How to Stop Phishing Attacks

Providing anti-phishing training for staff is now an essential cybersecurity defense; however, it is also vital to check that the training has had the desired effect. Schools should therefore run simulated phishing exercises to measure the effectiveness of their training programs. Research has shown that with practice, employees get much better at spotting phishing scams.

Technological solutions should also be put in place to stop spam emails reaching end users’ inboxes. Advanced anti-spam solutions like SpamTitan do not rely solely on blacklists to label emails as spam. Blacklists are used alongside a host of front-end controls, and emails are subjected to Bayesian analysis to identify the token patterns that characterize spam. Rules can also be configured to reduce the risk of email spoofing.

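To show what the Bayesian analysis mentioned above actually does, here is an added example (written for this page, not code from SpamTitan or any other product): a small naive Bayes filter trained on a constructed corpus of invoice and credential lures versus legitimate school messages. The training messages, the token regex and the 0.9 block threshold are all assumptions chosen for the illustration; a production filter trains on far more mail and also tokenizes headers, URLs and attachment names.

```python
import math
import re
from collections import Counter

# Constructed training corpus (not real mail traffic): a few invoice and
# credential lures of the kind described above, and a few legitimate messages.
SPAM_TRAINING = [
    "urgent invoice attached please review and pay the outstanding invoice today",
    "your account has been suspended click the link to verify your password now",
    "final notice pay invoice immediately or face legal action",
    "you have won a prize claim your reward by clicking here",
]
HAM_TRAINING = [
    "agenda for the staff meeting on thursday is attached",
    "can you review the lesson plan for next week",
    "reminder the parent teacher conference is on friday",
    "thanks for sending the grades report see you tomorrow",
]

TOKEN_RE = re.compile(r"[a-z0-9']+")


def tokenize(text):
    """Lower-case word tokens; real filters also tokenize headers and URLs."""
    return TOKEN_RE.findall(text.lower())


class NaiveBayesSpamFilter:
    """Simplified naive Bayes: each token present in a message is a signature,
    scored by how often it appeared in spam versus legitimate training mail.
    Absent tokens are ignored, which keeps the scoring easy to follow."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha        # Laplace smoothing so unseen tokens are not fatal
        self.spam_df = Counter()  # number of spam messages containing each token
        self.ham_df = Counter()   # number of ham messages containing each token
        self.spam_docs = 0
        self.ham_docs = 0

    def train(self, spam_messages, ham_messages):
        for msg in spam_messages:
            self.spam_df.update(set(tokenize(msg)))
            self.spam_docs += 1
        for msg in ham_messages:
            self.ham_df.update(set(tokenize(msg)))
            self.ham_docs += 1

    def _log_likelihood(self, tokens, df, docs):
        # sum over tokens of log P(token present | class), smoothed
        total = 0.0
        for tok in tokens:
            total += math.log((df[tok] + self.alpha) / (docs + 2 * self.alpha))
        return total

    def spam_probability(self, text):
        tokens = set(tokenize(text))
        n = self.spam_docs + self.ham_docs
        log_spam = math.log(self.spam_docs / n) + self._log_likelihood(tokens, self.spam_df, self.spam_docs)
        log_ham = math.log(self.ham_docs / n) + self._log_likelihood(tokens, self.ham_df, self.ham_docs)
        # P(spam | tokens) from the log-odds, computed without overflow
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def is_spam(self, text, threshold=0.9):
        return self.spam_probability(text) >= threshold


def build_filter():
    """Train a filter on the constructed corpus above."""
    nb = NaiveBayesSpamFilter()
    nb.train(SPAM_TRAINING, HAM_TRAINING)
    return nb


if __name__ == "__main__":
    nb = build_filter()
    for sample in ["please pay the attached invoice immediately to avoid legal action",
                   "the lesson plan for thursday is attached please review"]:
        verdict = "SPAM" if nb.is_spam(sample) else "ham"
        print(f"{nb.spam_probability(sample):.3f}  {verdict:4}  {sample}")
```

Note how a single shared token such as "attached" or "please" does not decide the outcome: the verdict comes from the whole set of tokens, which is why spam authors who copy legitimate branding and wording still tend to leak a few high-ratio tokens ("invoice", "immediately", "legal action") that the filter has learned.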
Spam King Arrested In Connection with Kelihos Botnet

The US Department of Justice yesterday revealed that one of the leading email spammers has been apprehended as part of an operation to disrupt and take down the infamous Kelihos botnet.

The Kelihos botnet is a network of tens of thousands of computers that are used to run massive spam campaigns involving millions of emails. Those spam emails are used for a range of illegal purposes, including the distribution of ransomware and other malware. The botnet has been widely used to push fake antivirus software and spread credential-stealing malware.

Computers are added to the Kelihos botnet by malware. Once in place, the Kelihos malware runs silently and users are unaware that their computers have been compromised. The botnet can be swiftly weaponized for a range of malicious purposes. On previous occasions it has been used for spam campaigns that artificially inflate stock prices, promote counterfeit drugs and recruit people for fraudulent work-at-home schemes.

Pyotr Levashov is thought to be the main user of the botnet along with conducting a wide range of cybercriminal activities out of Russia. In what turned out to be an ill-advised move, Levashov departed from the relative safety of his home country and travelled to Barcelona, Spain on holiday. Levashov was arrested on Sunday, April 9 by Spanish authorities acting on a U.S. issued international arrest warrant.

Levashov has been alleged by some to have played a role in Russian interference in the 2016 U.S. presidential election, although he is best known for his spamming, click fraud and DDoS attacks.

Levashov, also known as Peter Severa, is heavily involved in distributing virus spamming software and is believed to have developed numerous viruses and Trojans. Spamhaus lists Levashov in seventh place on its list of the 10 worst spammers.

Levashov is thought to have been responsible for multiple operations connecting virus developers with spamming networks, and is also a main suspect in the running of the Kelihos botnet, the Waledac botnet, which was shut down in 2010, and the Storm botnet. Levashov was charged in the United States for his role in the latter in 2009, although he managed to avoid extradition. At the time, Storm was the largest spamming botnet in operation and was used to broadcast millions of emails every day. Levashov also moderates a number of spamming forums and is well known in that community. He is thought to have been extensively involved in spamming and other cybercriminal activities for the past 20 years, although to date he has not had to answer for his crimes.

A statement issued by the U.S. Department of Justice states: “The operation announced today targeted an ongoing international scheme that was distributing hundreds of millions of fraudulent e-mails per year, intercepting the credentials to online and financial accounts belonging to thousands of Americans, and spreading ransomware throughout our networks.”

The DOJ operation also included the takedown of domains linked with the Kelihos botnet beginning on April 8, 2017. The DOJ says closing down those domains was “an extraordinary task.”

While it is obviously good news that such a high-profile and prolific spammer has been caught and the Kelihos botnet has been severely disrupted, other spammers are likely to fill the gap. Vitali Kremez, director of research at Flashpoint, said his firm had seen chatter on underground forums suggesting that well-known spammers are responding to news of the arrest by taking action to safeguard their own operations. There may be a brief dip in email spam volume, but that lull is likely to be short-lived.

Tax-Related Email Spam up 6,000% According to IBM

IBM X-Force has recently released a report which highlighted the massive growth in tax-related email spam during 2017. From December 2016 to February 2017, tax-related email spam rose by an incredible 6,000%.

An increase in tax-related email spam is normal during tax season. It is the time of year when tax returns are filed and criminals can make massive profits. If tax details are stolen and a fraudulent tax return is filed before the individual submits their own, thousands of dollars in refunds can be stolen. With such high returns from each set of tax information, it is no surprise that tax-related scams are so common.

In 2017 many different scams have been detected, although one of the most successful is the W-2 phishing scam. In this scam a fraudster impersonates the CEO, CFO or another executive and emails a request for W-2 Forms to members of the payroll department.

As we have seen on many occasions this year, the emailed lists can include thousands of staff members’ sensitive information, typically every employee who had taxable earnings in the previous fiscal year. To date, there have been 141 reports of successful W-2 scams. The biggest breach was reported by American Senior Communities, where the tax data of more than 17,000 members of staff were sent to scammers.

The IRS said it was one of the most dangerous email phishing scams seen in recent times. It is too soon to tell how much in fraudulent refunds has been paid out by the IRS, although in 2016 the total was around $5.8 billion. This year that total is expected to increase.

W-2 form phishing scams may be the most common tax-related email scam seen this year, but there are many others. Most are delivered via email, although website-based phishing attacks have also been highly prevalent.

Cybercriminals have been pretending to be tax software companies and have been issuing fake marketing emails encouraging consumers to visit spoofed websites. They then have their personal information stolen. Information recorded via the online forms allow fraudsters to steal identity details and file fraudulent tax returns in the victims’ names.

Tax season is also a time when malware infections rise. Tax-related email spam carries malicious email attachments, and opening those attachments installs malware or ransomware on the victim’s computer.

Cybercriminals use a wide variety of techniques to steal details. Social engineering is used to trick email recipients into thinking that requests for information are genuine. Attackers use typosquatting and URL hijacking to make their malicious websites appear authentic. The phishing templates used by some cybercriminals are so realistic that it is almost impossible to distinguish them from genuine emails: the correct branding is present, links are masked, and the sites even support uploading tax-related documentation. In many instances the emails carry the IRS logo and victims are tricked into supplying their credentials. The scams often succeed, even though the IRS does not initiate contact with taxpayers by email.

To safeguard against fraud, consumers can request an IRS Identity Protection PIN (IP PIN) for their account. That PIN must be entered to file a tax return, so provided it is not shared, the individual is protected from fraudulent filings in their name.

Many US citizens leave submitting their tax returns to the last minute; however, this year the scammers started sending tax-related email spam early. Filing late gives criminals plenty of time to submit a fake return first. Tax returns should be submitted as soon as a W-2 Form is received to reduce the chance of becoming a victim of fraud.

Companies can safeguard themselves against W-2 phishing scams by putting in place an advanced spam filtering solution to block spam emails. In addition, staff should be given anti-phishing training, and policies should require that any emailed request for W-2 Forms be verified with the purported sender by telephone before anything is sent.

Companies are still being targeted by scammers and should remain vigilant. They should also ensure they are prepared, well in advance, for the wave of tax-related email spam that will start to arrive soon.

Malicious Spam Emails Sent After MailChimp Account Hack

MailChimp puts in place security controls to ensure that its customers do not use the service to share spam; yet, this week malicious spam emails were sent from a number of accounts after a MailChimp account hack.

Customer accounts that were compromised included Business News Australia, Brisbane’s The Sit Down Comedy Club, and gardening and home services company Jim’s Group.

MailChimp accounts are valuable to hackers as subscribers to company newsletters are more likely to believe the emails than they would an email from an unknown sender. The hijacked accounts were used to share spam emails demanding an invoice be paid. Hackers often target companies with malicious emails that spread malware. If malware such as a keylogger can be installed, the hackers can obtain access to corporate email accounts or gain network access. Corporate bank account details can be stolen and fraudulent transfers completed.

A fake invoice is a common trick used to fool email recipients into opening an infected email attachment or clicking on a malicious link. A sense of urgency is often incorporated to scare the recipient into opening the attachment. A threat of legal action if the outstanding invoice is not paid quickly is a common tactic.

In this instance, a number of different variants were sent. Some emails contained an image with an embedded hyperlink that recipients could click to view the invoice. The attackers also included the logo of the accounting software QuickBooks for added credibility.

Other emails included an attached zip file which included a malicious JavaScript file. If run, the JavaScript installed malware onto the email recipient’s computer.
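
The two lures described on this page, a zip archive carrying a JavaScript file (above) and, in the Jaff campaign, a PDF with an embedded Word document, can both be caught before delivery by inspecting attachment content rather than trusting the file name. The following is an added example written for this page, not code from MailChimp, Proofpoint or any spam filtering product. The PDF skeleton and the archives it builds are constructed inline and carry no payload; the extension list and the name-object list are assumptions that a real gateway would tune. Note the caveat in the PDF scanner: PDF names can be hex-escaped or hidden in compressed object streams, so raw byte matching is a first pass, not a complete parser.

```python
import io
import re
import zipfile

# Extensions that should never arrive as an inbound mail attachment, loose or
# inside an archive: Windows runs all of these directly on double-click.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".exe", ".scr", ".cmd", ".bat", ".ps1")

# PDF name objects that indicate embedded files or automatic actions.
PDF_RISKY_NAMES = [
    (re.compile(rb"/EmbeddedFiles?"), "EmbeddedFile"),
    (re.compile(rb"/JavaScript"), "JavaScript"),
    (re.compile(rb"/JS(?![A-Za-z])"), "JS"),
    (re.compile(rb"/OpenAction"), "OpenAction"),
    (re.compile(rb"/Launch"), "Launch"),
]

# Constructed PDF skeleton carrying an embedded Word document, as in the Jaff
# campaign. It is not a real sample and contains no payload.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R"
    b" /Names << /EmbeddedFiles << /Names [(invoice.docm) 4 0 R] >> >> >> endobj\n"
    b"4 0 obj << /Type /Filespec /F (invoice.docm) /EF << /F 5 0 R >> >> endobj\n"
    b"5 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
    b"%%EOF\n"
)


def pdf_indicators(data):
    """Scan raw PDF bytes for risky name objects and embedded file names.

    Caveat: names can be hex-escaped (/Embedded#46ile) or sit inside
    compressed object streams, so a production filter must decode those
    before scanning."""
    found = []
    for pattern, label in PDF_RISKY_NAMES:
        if pattern.search(data):
            found.append("pdf:" + label)
    # A Filespec names the embedded payload, e.g. /F (invoice.docm)
    for m in re.finditer(rb"/F\s*\(([^)]*)\)", data):
        found.append("pdf:embedded-name=" + m.group(1).decode("latin-1"))
    return found


def zip_indicators(data):
    """List archive members with script/executable extensions, plus encrypted
    members (password-protected archives are a common way to smuggle a
    payload past scanners)."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(SCRIPT_EXTS):
                    found.append("zip:script-member=" + info.filename)
                if info.flag_bits & 0x1:
                    found.append("zip:encrypted-member=" + info.filename)
    except zipfile.BadZipFile:
        found.append("zip:malformed")
    return found


def triage_attachment(filename, data):
    """Return a verdict for one attachment based on both its name and content."""
    lower = filename.lower()
    if lower.endswith(SCRIPT_EXTS):
        indicators = ["attachment:script-extension=" + filename]
    elif lower.endswith(".pdf") or data.startswith(b"%PDF"):
        indicators = pdf_indicators(data)
    elif lower.endswith(".zip") or data.startswith(b"PK\x03\x04"):
        indicators = zip_indicators(data)
    else:
        indicators = []
    return {"filename": filename, "indicators": indicators,
            "verdict": "block" if indicators else "allow"}


def build_sample_zip():
    """Constructed archive with a .js member, like the MailChimp lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_4821.js", "// placeholder text, not a real dropper\n")
    return buf.getvalue()


def build_clean_zip():
    """Constructed archive with only a harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "agenda for thursday\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.pdf", SAMPLE_PDF),
                       ("Invoice_4821.zip", build_sample_zip()),
                       ("notes.zip", build_clean_zip())]:
        print(triage_attachment(name, blob))
```

The content checks matter because the file name is attacker-controlled: a renamed archive still starts with the zip magic bytes, and a PDF that looks like an ordinary invoice still has to declare its embedded file somewhere in the object tree.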

At first it appeared that MailChimp itself had suffered a security breach that allowed spammers to access the accounts; however, the company issued a statement saying that its investigation found no evidence of an internal breach.

MailChimp said “MailChimp’s normal compliance processes identified and disabled a small number of individual accounts sending fake invoices. We have investigated the situation and have found no evidence that MailChimp has been breached. The affected accounts have been disabled, and fraudulent activity has stopped.”

Locky Ransomware Downloaded in Dropbox Phishing Attacks

Dropbox phishing campaigns are common and often fool employees into revealing their credentials or installing malware.

Dropbox is widely used for sharing files, and employees are used to receiving links telling them that files have been shared with them by colleagues and contacts. Phishers take advantage of that familiarity with the service.

There are two main types of Dropbox phishing attack. One involves sending a link that asks users to verify their email address. Clicking the link takes them to a spoofed Dropbox website that mimics the official site, where they are asked to enter their login details as part of the ‘confirmation’ process.

Dropbox phishing attacks are also used to deliver malware such as banking Trojans and ransomware. Users are sent a link relating to a supposedly shared file; instead of opening a document, clicking the link results in malware being installed.

Over the past few days, there has been a huge campaign using both of these techniques, involving millions of spam email messages. Last week, more than 23 million messages were sent in a single day.

Most of the emails were spreading Locky ransomware, with a smaller percentage distributing Shade ransomware. There is no free decryptor for files encrypted by Locky or Shade. If files cannot be recovered from backups, victims face a large bill.

With the recent rise in the value of Bitcoin, the cost of recovery is substantial. The attackers are demanding 0.5 Bitcoin per infected device, around $2,400.

According to F-Secure, the majority of malware-related spam messages discovered recently – 90% – are being used to distribute Locky. Other security experts have issued similar reports of a surge in Locky infections and spam email campaigns.

To stop Locky ransomware attacks, companies should deploy an advanced spam filtering solution to keep malicious emails out of end users’ inboxes. Occasional emails will still get past spam filtering defenses, so it is important that all users receive security awareness training to help them identify malicious emails.

A web filter can be highly effective at blocking attempts to visit malicious websites where malware is installed, while up-to-date antivirus and anti-malware solutions can detect and quarantine malicious files before they are opened.

Backups should also be made of all data and systems, and those backups should be stored on an air-gapped device. Ransomware variants like Locky delete Windows Shadow Volume Copies, and if a backup device remains connected, it is likely the backup files will be encrypted as well.

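Because the deletion of Shadow Volume Copies happens before files are encrypted, it is one of the earliest host-level signals of a ransomware run (MITRE ATT&CK calls the behaviour Inhibit System Recovery). The script below is an added example written for this page, not code from the original post or from any vendor: it runs a few command-line patterns over constructed Sysmon-style process-creation events and raises the severity when the parent process is an Office application or a script host, which is how an email lure typically spawns the command. The event format, the field names and the parent-process list are assumptions for the illustration; a real deployment reads the same fields from Sysmon Event ID 1 or Windows Event ID 4688 with command-line logging enabled.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 fields flattened to one
# key=value line each). Not real telemetry.
SAMPLE_EVENTS = [
    r'UtcTime="2017-08-29 09:12:01" Image=C:\Windows\System32\vssadmin.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="vssadmin.exe Delete Shadows /All /Quiet"',
    r'UtcTime="2017-08-29 09:12:03" Image=C:\Windows\System32\wbem\WMIC.exe ParentImage=C:\Windows\System32\wscript.exe CommandLine="wmic shadowcopy delete"',
    r'UtcTime="2017-08-29 09:15:40" Image=C:\Windows\System32\vssadmin.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="vssadmin list shadows"',
    r'UtcTime="2017-08-29 10:00:00" Image=C:\Windows\System32\vssadmin.exe ParentImage="C:\Program Files\Backup\agent.exe" CommandLine="vssadmin create shadow /for=C:"',
    r'UtcTime="2017-08-29 10:02:11" Image=C:\Windows\System32\bcdedit.exe ParentImage="C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" CommandLine="bcdedit /set {default} recoveryenabled No"',
]

# Command lines that destroy or disable recovery data. Listing or creating
# shadow copies is normal backup behaviour and deliberately not matched.
SHADOW_TAMPER_PATTERNS = [
    (re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I), "vssadmin resize shadowstorage"),
    (re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I), "wmic shadowcopy delete"),
    (re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I), "wbadmin delete catalog"),
    (re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I), "bcdedit recoveryenabled no"),
]

# Parents that should never be deleting shadow copies: an Office document or a
# script dropped by email is the usual path from lure to ransomware.
SUSPICIOUS_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe", "acrord32.exe")

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def detect_shadow_copy_tampering(lines):
    """Return one alert per event whose command line matches a tamper pattern."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        cmd = event.get("CommandLine", "")
        for pattern, technique in SHADOW_TAMPER_PATTERNS:
            if pattern.search(cmd):
                parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
                alerts.append({
                    "time": event.get("UtcTime"),
                    "technique": technique,
                    "parent": parent,
                    "severity": "high" if parent in SUSPICIOUS_PARENTS else "medium",
                    "command": cmd,
                })
                break  # one alert per event is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_copy_tampering(SAMPLE_EVENTS):
        print(f"{alert['time']}  {alert['severity']:6}  {alert['technique']:28}  parent={alert['parent']}")
```

Medium-severity hits from an administrative shell still deserve a look, because backup agents normally create or list shadow copies rather than delete them all with /Quiet; the high-severity hits are the ones to act on immediately, since by the time the first encrypted file appears the copies are already gone.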
Best practices for backing up data follow the 3-2-1 rule: three copies of the data, on two different media, with one copy stored offsite and offline. Backups should also be tested regularly to make sure files can actually be recovered in the event of a disaster.

The rise in ransomware attacks has led the National Institute of Standards and Technology (NIST) to create new guidance (NIST Special Publication 1800-11) on recovering from ransomware attacks and other destructive events.