Nov 14, 2017

New Android Trojan malware discovered in Google Play

A new piece of mobile malware has been discovered in Google Play masquerading as multiple apps: an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app. According to Google Play data, all were last updated between October and November 2017. These dates are likely when they were added to Google Play, based on their low version numbers (e.g. 1.0, 1.0.1).

We named this new malware variant Android/Trojan.AsiaHitGroup based on a URL found within the code of these malicious APKs.


For the sake of discussion as we analyze this malware, let’s concentrate on just one of its associated apps, since they all share the same behavior. We will focus on a malicious QR scanner app named Qr code generator – Qr scanner.

Surface analysis of Trojan AsiaHitGroup

AsiaHitGroup has several layers of maliciousness. It starts innocently enough with an icon created on the mobile device after install. Click on the icon, and it opens a functioning QR scanner, as promised.


However, this QR scanner is short lived. You only get one chance to use the app, because after clicking out of it, the icon disappears! Out of frustration, you may immediately go to your apps list to uninstall this bizarre-behaving QR scanner, but good luck finding it. If you are looking under the Q’s for Qr code generator or Qr scanner, it’s not there. It’s not even under the icon’s name, Barcode reader, which is shown briefly before vanishing. Instead, this deceiving app is called Download Manager in the app list. Unless you know all the apps on your mobile device exceptionally well, it’s near impossible to discover this app name.

Diving deeper into Trojan AsiaHitGroup

If the behaviors listed above weren’t enough to conclude this QR app is malicious, it gets worse. The first step performed by the malicious app in the background is checking the location of the mobile device. This is done by querying a website that provides geolocation by IP address. If the location is in an area that satisfies rules within the code, then it proceeds to the next step: downloading an APK by visiting a website that contains download instructions.

Code from http://[hidden_domain]/api/custom/dynamic-fragment with instructions to download an APK

{
  "id": "duy.van.dao.dynamicduy.20171005.16",
  "files": [
    {
      "id": "duy.van.dao.dynamicduy.20171005.16",
      "md5": "4662e8537751c49beb06309a989796fc",
      "url": "https://[hidden_domain]/hoanghai27/dynamic-fragment/raw/master/dynamic-plugin-v22.apk"
    }
  ],
  "version": "20171005.16",
  "fragments": [
    {
      "code": "duy.van.dao.dynamicduy.20171005.16",
      "name": "duy.van.dao.dynamicduy.MainFragment",
      "host": "dynamicfragment"
    }
  ]
}

Unfortunately during testing, the APK could not be downloaded via the malicious QR app—most likely due to my location. However, I was able to manually download the APK using the URL provided within the download instructions. The behavior of this downloaded APK was that of a Trojan SMS (which is why I subsequently named it Android/Trojan.SMS.AsiaHitGroup). Based on all the references to Asia within the code, my assumption is you must be in Asia for this malware to fully function.

Add some adware into the mix

Even if the malicious Trojan SMS fails to download, there is yet another layer to the malevolence. Hidden within the malicious QR app is another APK waiting to do its bidding. However, this hidden APK is a less threatening, adware-pushing app.

The hidden adware app comes with an unusual service name: vn.solarjsc.fakeads.ShowAdsService. Within this service, there is a reference to the same domain that was used to obtain the download instructions for the Trojan SMS. Although I was unable to verify it, this domain may also host the “fakeads” referenced in the service name. Regardless, rest assured we are detecting this hidden adware app as well, as Android/Adware.AsiaHitGroup.

Google Play: not quite flawless

Even with the introduction of Google Play Protect, there appears to be no fail-proof way to stop malware from entering the Play store. This is where a second layer of protection is strongly recommended. By using a quality mobile anti-malware scanner, you can stay safe even when Google Play Protect fails. We (obviously) recommend Malwarebytes for Android. Stay safe out there!


Malicious APK samples: use at own risk



The post New Android Trojan malware discovered in Google Play appeared first on Malwarebytes Labs.


Nov 14, 2017

Explained: the cloud

Even if you are reading this post because you have no idea what the cloud is, you might be using it more often than you realize. Twitter, LinkedIn, Dropbox, Google Drive, and Microsoft Office 365 are some of the most well-known cloud apps.

Let’s start with a definition of the cloud to get a grip on things:

Cloud computing, often referred to as simply “the cloud,” is the delivery of on-demand computing resources—everything from applications to data centers—over the Internet.

Cloud resources are often split up in three different ways:

  • Public: cloud services are delivered over the Internet and sold on demand, which provides customers with a great amount of flexibility. You only pay for what you need.
  • Private: cloud services are delivered over the business network from the owner’s data center. You have control over the hardware, as well as the management and related costs.
  • Hybrid: a mix of the above. Businesses can choose to keep control over their most sensitive data or their average user, and use public services to cover the rest of their needs.

Multi-cloud is another expression you may have come across. This means that companies use more than one public cloud provider, maybe for specific applications or as a method to cover outages. When using hybrid and multi-cloud solutions, it is important to spread the workload in a cost-effective manner.

Perceptions of the cloud

There are a few expressions about saving your data in the cloud that are not completely true, but will give you an idea of people’s perception of the cloud and what risks might be involved.

  • Your data is on someone else’s computer.
  • Your data is in a huge server farm.
  • You can’t be sure where your data is right now.

As you can probably tell from these statements, the main concern about the cloud is a lack of control over the data. This is not surprising, given the number of breaches that have occurred in recent times. According to an article on CSO, more data records were lost or stolen in the first half of 2017 than in all of 2016.

So what we really want to know is: Who actually has access to our data? This is not only relevant with regards to cybercriminals that can gain access through breaches. The Patriot Act gives the US government a lot of freedom to access and investigate data that is stored in cloud infrastructures. And of course, the cloud provider who stores that data can see it. Depending on the provider, they can even advertise to you based on your data, as is the case with most social media platforms.

And in case of a breach? Is your data stored and sent encrypted? What if someone manages to intercept the traffic? These questions may not all be relevant in your case, but they are worth thinking about.

Pros and cons

As with all technology, there are pros and cons to using the cloud. Here are a few:

Pros:
  • scalable and flexible, so you can quickly react to ups and downs
  • cost effective—you pay for what you use
  • off-site backup, so no need to worry about losing it all in a fire or other catastrophe
  • access to data in any location

Cons:
  • less direct control
  • potential for privacy and security violations (breaches)
  • different security measures from what you may be used to
  • access dependent on access to the Internet, which means services outages could lock you out of your data


Choosing the right cloud service

First and foremost, when looking for a cloud service provider, you should consider one that not only suits your data storage needs, but also is a reliable partner. Look at their track record and ask for references. With public cloud solutions, you need to consider the possibilities of traffic being intercepted, maybe even being altered, and data being stolen. And always look for providers that offer encryption and multi-factor authentication.

Because running cloud applications requires more attention than straightforward data storage, it’s helpful to distinguish Infrastructure-as-a-Service (IaaS) from Platform-as-a-Service (PaaS) when you are talking about cloud security.

  • IaaS is when your systems are running on virtual servers in the cloud.
  • PaaS is when your applications are running on cloud environments.

For IaaS situations, the security problems that are left up to you to take care of are not that different from the ones in your regular environment. You should be able to treat the servers as if they were in your own network. They require the same security solutions as your own, which could be anything from anti-malware software to a firewall.

For a PaaS environment, application hardening will be different as it may require a web-application firewall. As the applications are not running from the systems within your intranet, they will very likely be using different Internet connections to send and receive traffic. This is something to determine with the cloud service provider. Who takes care of what?

One other thing to consider when choosing your cloud service provider is the physical location of your data. It is your responsibility to make sure you remain compliant with laws and industry regulations. This can also be an important consideration when you are about to decide which data you will move to the cloud and which should be kept in-house.


The cloud is in essence a method to use other resources than your own to run applications or store any kind of data. It offers users flexibility, scalability and puts the care of systems in other hands than yours. The price, besides the fees, is a loss of control over the resources and data. For businesses, compliance is another factor to weigh. When talking to potential cloud service providers, security should always be a point on the agenda. It has to be clear who takes care of which aspects of cloud security, otherwise it could slip through the cracks.

The post Explained: the cloud appeared first on Malwarebytes Labs.


Nov 13, 2017

A week in security (November 6 – November 12)

After coming out victorious in a case against PUPs, Malwarebytes CEO Marcin Kleczynski has this to say:

We fought for our users and we won.

— Marcin Kleczynski (@mkleczynski) November 9, 2017

And my, do we feel like champions!

You can read more about this here.

Last week, we looked into the cryptocurrency mining phenomenon, rising digital crimes that target businesses (the final installment of a two-part series), a bogus WhatsApp app that got through the Google Play store because the actor behind it used Unicode, and puppy scams. We also revealed a Bitcoin multiplier scam that the actors behind the Magnitude EK were banking on, and the return of the Disdain EK, this time delivering a Neutrino bot.

Lastly, we put out word about potential fakeries from cybercriminals targeting those shopping on Singles’ Day, and a little exercise for the talented guys and gals who like to tinker with code, which we followed with a step-by-step tutorial on how to solve it.

Other news

  • Paradise lost? Breach of law firm, Appleby, exposes information of the rich. And so are their tax schemes. (Source: Quartz)
  • There’s a flaw in Tor that allows user IP address to leak. This affects macOS and Linux users. (Source: Computing)
  • Proofpoint reveals a multi-pronged attack against Android users, in which users are first faced with a phishing campaign, then convinced to install malware, which finally attempts to steal card details. (Source: InfoSecurity Magazine)
  • To hack back or not to hack back: this has been a longstanding debate from within and without the security industry. Keith Alexander, ex-NSA Director, weighed in on the debate, advising companies to never hack back as this might start wars. (Source: Motherboard)
  • According to DHS testing, the Boeing 757 aircraft was found to be vulnerable to hackers. (Source: Aviation Today)
  • Companies granting a lot of admin rights to employees can actually leave them vulnerable to cyber attacks. (Source: TEISS)
  • Mozilla’s “Privacy Not Included” guide reveals gadgets and devices one might not want to acquire for loved ones, as they can spy on them. (Source: CSO)
  • No, your Netflix account has not been suspended. If you see an email saying otherwise, watch out! It’s a phishing campaign. (Source: Wired)

Safe surfing, everyone!

The post A week in security (November 6 – November 12) appeared first on Malwarebytes Labs.


Nov 13, 2017

Augmented Reality games and real-world trolling

Augmented Reality games—where you wave a device around and the digital collides with reality—have been booming in popularity ever since Pokemon GO! rolled into mobile storefronts. However, many AR games haven’t really been designed with the possible consequences for real-world safety in mind. Take this hurricane howler, for example.

Even games that aren’t AR often include some sort of real-world activity. Black Watchmen is an Alternate Reality Game that involves solving puzzles both online and off, and depending on how much personal information you volunteer, you’ll gain access to more involved gameplay aspects.

At the absolute other end of the scale are games which (by accident or design) don’t include enough information ingame to explain how to achieve certain goals or tasks. In those cases, you’ll find a whole boatload of third-party tools, services, and community-driven sites that help keep the game fully functional from a “How do I do this?” perspective. Elite: Dangerous, for example [1], [2], [3]. This could also bring risks in the shape of fake/malicious downloadable programs.

In all of this, the potential for people to abuse tools outside of the game itself is high. And that’s exactly what happened to players of Ingress, the AR sci-fi game about aliens and capturing portals. The game relies on lots of player data, including location, which is a big part of how it works. And despite the data being anonymous (and stacked alongside piles of other player information), there are limits.

Geolocation is a huge driver for the game, and when a third-party tool designed to prevent players spoofing location was put to use by cheaters, it resulted in players finding themselves blocked into their property by vehicles, notes left on their doorstep, and even players on the other team knowing the “victim” was going out of town on holiday.

Many AR games are dead in the water without geolocation, as without it you may as well be sitting at home. The challenge for developers is to ensure games where players are in competition aren’t abused and turned into weird cases of real-world harassment. For now, these (hopefully isolated) stalker cases will likely put some folks off taking the plunge into competitive AR titles, and that’s a shame.

At a time when games are becoming more sociable, it’s ironic that a tool designed to stop cheaters has ended up becoming another sneaky way to grief people both online and off. “Be mindful of the information you post online and reveal in games” doesn’t really help much when the culprit is data being scraped outside of your control. So unless the games you play can prevent this kind of activity, you may wish to simply leave some mobile titles on the shelf for the time being.

The post Augmented Reality games and real-world trolling appeared first on Malwarebytes Labs.


Nov 10, 2017

How to solve the Malwarebytes CrackMe: a step-by-step tutorial

The topic of this post is a Malwarebytes CrackMe—an exercise in malware analysis that I recently created. The challenge was first created to serve internal purposes, but it was then released to the community on Twitter and triggered a lot of positive response. Thanks to all of you who sent in your write-ups! Some of the links are included in the appendix.

I got several questions from people who were stuck and needed some more explanation/guidance. So I promised to present my own solution to the CrackMe in a step-by-step tutorial. I am going to go into detail so that even someone with little experience in reverse engineering will not feel lost. But if you still find something unclear, please don’t hesitate to ask in the comments.

The CrackMe was intended to be simple, yet to demonstrate various techniques commonly used by malware—that’s why we hoped it would be a good learning experience for the beginner malware analyst. Like always, the demonstrated solution is just one of many possible approaches.

Techniques demonstrated

The techniques/skills that we wanted to exercise in the CrackMe are:

  • Noticing common evasion tricks (antidebug, anti-vm, etc.) and bypassing the checks
  • Detecting XOR-obfuscated payload and decoding it
  • Basic understanding of the RunPE technique
  • Finding a way to debug/load shellcode

Environment and tools used

For the analysis environment, I used Windows 7 32bit on Virtual Box, with an Internet connection.

During the analysis, I used the following tools:

Stage 1

When we run the CrackMe, the first thing we see is the following banner:

So far, we know that the CrackMe is finished when we get a flag in the following format:


There is no password prompt whatsoever—we just see the failure message on the screen. The only way to understand it more is by looking inside. For this purpose, I am going to use IDA.

Finding the decisive variable

The code is not obfuscated, and we can easily see that this message comes after the check:

The success of the check depends on the value of the AL register (AL=0 leads to failure). This value is set in the function above, sub_4014F0. Let’s go inside the function and see where exactly it is set:

So there is some variable (IDA automatically named it szUrl, suggesting that it will be used somewhere as a URL) that is passed to the function sub_403380. The output of this function (at this point we can guess that it is some checksum) is compared with a hardcoded one. If it matches, AL is set. So, our goal is to have szUrl filled in such a way that it gives us the valid checksum: 0x3B47B2E6.

Finding references

First, let’s have a look at the cross-references (xrefs) of the variable szUrl to find out how it is used and where it is set. We can view them by pressing CTRL+X in IDA:

As you can see, it is referenced from three places in the code. The second (highlighted) one is the place where we came from (szUrl being passed to the checksum calculation).

How is the variable used?

The third xref will probably refer to the usage of this variable. So, let’s see it:

Entering the function sub_4033D0, we can see some API calls related to reading content from the given URL, such as:


At this point, we can be sure that the content of the szUrl, if filled correctly, will be used to download some content from the Internet.

How is the variable filled?

Now let’s have a look at the first reference and find out where the value of szUrl comes from:

We can see it is one of the parameters passed to the function sub_4031C0. This function also takes an array of DWORDs. Let’s look inside the function. We can see that the Windows Crypto API is being used:

The passed content is decrypted with the help of the Windows API, using the AES algorithm.

Following the order of the passed parameters, it is easy to guess that this function is going to decrypt the passed buffer (the array of DWORDs) and the szUrl will be used to store the output. So the only thing that we need to take care of is a valid key for the decryption. Then we will get the proper URL that has the defined checksum 0x3B47B2E6.

Finding the decryption key

The key is derived from the hash of another buffer, passed as one of the function’s parameters. We can see that the Windows Crypto API is used to derive the hash. The hashing function used is SHA256 (algorithm ID: 0x800C = CALG_SHA_256):

This hash is used to derive the AES128 key (algorithm ID: 0x660E = CALG_AES_128):

We find that the buffer used as the base of the key is passed as the fourth parameter to the function:

Let’s name it key_buf and find out where it is passed to the function:

Again, xrefs can tell us more about where it is set:

We find out that the full buffer consists of pieces that are set DWORD by DWORD in various functions. Let’s have a look at each of those functions.

At this point, things are getting easy: We have various environment checks that malware often uses for recognizing if it is run in a controlled environment or not. For example, checking if it runs under the debugger:

While malware that detects a debugger often terminates execution, in this case the conditions are reversed. Each check that passes (each item detected) adds one more piece of data to the buffer. We need to catch them all!

We may achieve it by following each check and patching it out (removing the conditional jump) so that the chunk will be added to the buffer unconditionally. You can use IDA for patching, but IMHO it is not convenient, so I usually do it with the help of some other tools (debuggers like OllyDbg, or PE-bear), and use IDA just to find the branches.

Example: removing conditional checks in PE-bear:

Follow the offset of the check (CTRL+R):

Select the bytes on the hex view and modify them:


After following and removing all the checks, we can save the patched file:

If we deploy the patched version, we see some progress! The message “You are on the right track!” is printed on the screen. We can also see a hint that something is being uncompressed.

Examining the traffic

We already know that something was downloaded from the Internet (using the decrypted URL), so it may be helpful to have a closer look at the network traffic. There are many ways of checking the URL that was queried. We can do it with the help of Wireshark or Fiddler:

Request and response:

We see that the content was downloaded from pastebin, from the URL:

The content is in Base64, but decoding it with a Base64 decoder does not give us any sensible result. (We guess that the reason is that the content is compressed and/or further encrypted.) So, let’s go inside the application again!

Understanding the payload

First, let’s do some static analysis to understand what exactly this payload is supposed to be and how it is going to be used. Let’s first search for where the “Nope :(” message box is shown. We see that before it there is a check whether the buffer starts with “MZ”, the well-known magic number that begins DOS applications and also Windows executables (PE files).

Taking a closer look at this function, we find out that the downloaded file is processed by a few functions.

First, it is base64 decoded. Then, the output is uncompressed:

We understand that this function is responsible for decompression by looking inside and finding the relevant API calls, such as RtlDecompressBuffer:

Then, we notice a function that reads something from the clipboard:

Going inside it, we can also easily find relevant API calls, such as:

We find that the format being read from the clipboard is plain text (CF_TEXT).

Then, we find that the content that was read from the clipboard is being used by another function. It becomes an XOR key to decrypt the downloaded content:

After all this, the result starts with the “MZ” magic number. It is then injected into rundll32.

Following inside the function sub_4011F0, we see exactly how the injection was made. It is a classic RunPE technique. The new process is created as suspended. The payload is being written into its memory space, linked to its PEB and resumed:

A more detailed explanation of this well-known technique is out of the scope of this article (you can find it here). However, unpacking it is very easy—we just need to dump the payload after it is decrypted but before it is converted into the virtual format and written to the remote process. I will show some of the possible unpacking methods next.

Decrypting the payload

During the static analysis, we found out the following information:

  • The payload is downloaded from the decrypted URL
  • It is Base64-decoded
  • It is decompressed with RtlDecompressBuffer
  • It is XOR-decrypted with the help of some key that is read from the clipboard

To pass this level, we must find the XOR key. It will not be difficult, knowing that the XOR operation is self-reversible. But first, let’s dump the payload after it is decompressed so that we can get the material for further analysis.

I will run the patched version of the CrackMe under the debugger (e.g. ImmunityDbg) and go to the API call RtlDecompressBuffer:

I am setting the breakpoint at the end of the decompression function and then running the CrackMe.

We can see on the stack the variable that was passed to the function. Let’s follow the buffer that was uncompressed:

We can see some repetitive patterns and the string “malwarebytes”. It is easy to guess that this is the XOR key passed via the clipboard. At this point, we can choose various approaches to unpacking it. I will demonstrate just one of them.

Decoding the XOR-obfuscated payload

After the buffer is decompressed, we dump it to a file and decode it with our external tool.

First, we dump the buffer:

Then, we have to trim it so that it starts from the proper offset. We can do so by opening the dumped memory page in the XVI32 hex editor, navigating to the beginning of our buffer, and choosing:

Edit->Dump to cursor

Then, we can easily decode it with the script, supplying the XOR key. In this case, we could easily guess that the key is “malwarebytes” because this string repeats multiple times in the dumped buffer (the XOR key is visible in those fragments of the file where it was applied to NULL bytes):

--file dump.bin --key "malwarebytes"
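To make the XOR step concrete, here is an added Python example (not the CrackMe’s code and not the author’s decoding script) that recovers a repeating XOR key from a dump in which the NULL-heavy PE padding leaks the key, then decodes the buffer and applies the same “MZ” sanity check the CrackMe does. The PE-like buffer it works on is constructed inline, and the key-length guess assumes 0x00 is the most common plaintext byte.

```python
"""Recover a repeating XOR key from a dumped, XOR-encrypted PE and decode it.

Added example, not code from the CrackMe. It models the last step of the
payload pipeline described above: the decompressed buffer XORed with the
clipboard key "malwarebytes". The sample buffer is constructed here; it is
not the real Stage 2 payload.
"""
from collections import Counter
from typing import Tuple

KEY = b"malwarebytes"  # the clipboard key from the CrackMe


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. The operation is its own inverse."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_plaintext() -> bytes:
    """Constructed stand-in for a dumped PE image.

    Real PE headers and section padding are mostly 0x00 bytes; those are the
    positions where the key shows up verbatim once the buffer is encrypted.
    """
    return (b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
            + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 200
            + b"PE\x00\x00" + b".text\x00\x00\x00" + b"\x00" * 300
            + b"kernel32.dll\x00" + b"\x00" * 100)


def _columns(data: bytes, length: int) -> list:
    """Byte i goes to column i % length; each column saw one key byte."""
    cols = [Counter() for _ in range(length)]
    for i, b in enumerate(data):
        cols[i % length][b] += 1
    return cols


def column_score(data: bytes, length: int) -> float:
    """Fraction of bytes explained by the most common byte of each column.

    Assuming the plaintext is dominated by 0x00 (assumption, true for PE
    dumps), the score peaks when `length` is the key length or a multiple.
    """
    cols = _columns(data, length)
    return sum(c.most_common(1)[0][1] for c in cols) / len(data)


def guess_key_length(data: bytes, max_len: int = 40) -> int:
    """Smallest column count whose score is (almost) the best: the key length."""
    scores = {n: column_score(data, n) for n in range(1, max_len + 1)}
    best = max(scores.values())
    return min(n for n, s in scores.items() if s >= best - 0.01)


def recover_key(data: bytes, length: int) -> bytes:
    """Most common byte of each column is key[c] XOR 0x00, i.e. the key itself."""
    return bytes(c.most_common(1)[0][0] for c in _columns(data, length))


def decode_dump(data: bytes) -> Tuple[bytes, bytes]:
    """Recover the key, decrypt, and check for the PE magic like the CrackMe."""
    key = recover_key(data, guess_key_length(data))
    plain = xor_with_key(data, key)
    if plain[:2] != b"MZ":
        raise ValueError("decoded buffer is not a PE file; wrong key?")
    return key, plain


# Constructed input: what the dump looks like before the XOR step is undone.
ENCRYPTED = xor_with_key(build_sample_plaintext(), KEY)

if __name__ == "__main__":
    key, plain = decode_dump(ENCRYPTED)
    print(f"key={key!r} header={plain[:2]!r} size={len(plain)}")
```

The same approach works on a real dump once the preceding Base64 and RtlDecompressBuffer steps have been undone; if the key cannot be guessed from the repeating pattern, recover_key derives it from the zero padding instead.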

You can see the steps taken on the video below:

As we expected, based on the earlier findings, the decoded output is a new PE file.

Stage 2

Stage 2 is inside the new executable. After we dumped it, we can run it as a fully independent module. We see that it pops up the following message:

Let’s open it in IDA and have a look. It is not obfuscated and the structure is pretty simple.

Understanding the checked conditions

First of all, we can see why the “Fail” message was displayed. The first thing that is checked is the module path, compared with the path to rundll32.exe. The check is not done by direct comparison of the strings, but instead, the checksums of the paths are calculated and compared:

In short, if the current PE is not injected into the rundll32.exe, the check should fail and lead to the mentioned message box. At the moment, we want to run this PE file as an independent unit, not via rundll32. So we need to get rid of this check. We can do it by simply patching out the conditional jump (the same way as we patched out the conditional jumps in Stage 1).

Alternatively, we can load the executable under a debugger, set the breakpoint on the check, and change the flag to bypass it.

In order for the final flag to pop up, two more conditions have to be met:

1. A process with a window of given class has to be running in the system.

First, the EnumWindows function is called. The searched checksum is given in the parameter to the callback:

Inside the callback function, each window’s class name is compared to the checksum. If it matches, the particular process is being opened for further injection:

Someone may notice that this check is implemented similarly to this one. The searched window class belongs to Process Explorer.

2. The application must be loaded under the debugger.

The presence of the debugger is checked, and this sets a flag that later influences the value of the XOR key.

If we run the executable under the debugger and if we have a ProcessExplorer (32-bit) running, the MessageBox with the flag will be injected there and we will get the solution instantly. Example:

Dumping and running the shellcode

If we are lucky, we may get it very quickly. But in real life, finding the proper process that has to be injected could be problematic. Also, people running the CrackMe on a 64-bit version of Windows will encounter problems, because the shellcode is 32-bit and can only be injected into the 32-bit version of Process Explorer. However, to solve it, knowing the process name is not required at all. We can just dump the shellcode before it is injected and load it with our own loader.

First, we have a look in IDA and find the part of the code where the injection is made. Just before it, the checksum of the shellcode is calculated:

So at this point we already have the valid shellcode stored in the buffer. We don’t really care where it is injected—we can just dump it and run it on our own. To reach this place, we only need to bypass the search of the window with the given checksum. We can do it by simply patching the condition (or changing the flag under debugger). This is the condition that must be patched out:

On the attached video we can see the full solution: dumping the shellcode and running it independently. In the given example, the shellcode was added as a new section to the original CrackMe with the help of PE-bear:

That’s how we got the final flag:


In this tutorial, I tried to explain step by step one of the possible solutions to the CrackMe. I recommend having a look at the write-ups below to see different perspectives and learn more. And of course, I encourage you to try it on your own and describe your own solution, because this is the best way to learn.


Received write-ups:

  • by @FraMauronz
  • by @JR0driguezB
  • by @ShAd0wHuNt3r_0
  • by @ValthekOn

The post How to solve the Malwarebytes CrackMe: a step-by-step tutorial appeared first on Malwarebytes Labs.


Nov 9, 2017

Singles’ Day deal seekers beware

Originally a day set aside for singles in China to be proud of their singlehood, Singles’ Day has been transformed into what is arguably the world’s single largest e-commerce festival, thanks to the involvement of The Alibaba Group. In fact, the Alibaba Group alone reported $17.8 billion in sales; six times higher than what was spent on Black Friday (around $3 billion).

Today, Singles’ Day has evolved into a shopping phenomenon that has gained traction beyond the shores of China, with shoppers across Southeast Asia eagerly awaiting previews, hoping to make a killing on the deals set to land on November 11.

However, also waiting to make a killing are cybercriminals, who see e-commerce festivals and heavy shopping holidays such as Singles’ Day, Black Friday, and Christmas as huge opportunities to dupe unsuspecting deal seekers and steal their hard-earned cash. Traditionally, cybercrime activity tends to pick up during festive periods, especially those that involve increased online shopping.

As we await Singles’ Day, many retailers will be sharing promotional links via email, social media, or mobile. Based on past experience, cybercriminals will also be ready to disseminate their own versions of fake promotional links through these channels. These emails from hackers, known as “phishing emails,” could be so well designed as to accurately mimic an email from legitimate and renowned retailers.

Phishing emails would likely contain links to fake promotions, which, instead of giving shoppers a great deal, would instead link directly to malware or ask users to provide personal details that can be abused for nefarious purposes later.

Taking it one step further, entire web pages built to look like legitimate online shopping sites are often built by cybercriminals to take advantage of shoppers. Sometimes hackers even build random e-commerce sites from scratch. These sites are used to steal personal data and even credit card information. And with many deals being time-based in the form of “flash” deals, shoppers sometimes fail to stop and consider the authenticity of a site before rushing to make a purchase.

A quick guide to safe online shopping during Singles’ Day

To ensure you can celebrate Singles’ Day safely and smoothly, here are some basic guidelines to protect yourself from becoming a victim on Singles’ Day.

1. Beware of spoofed links

Don’t simply click on a link if you can’t be a hundred percent sure it is indeed from the retailer, even if you know the “sender.” To make sure the link is legit, check the sender’s email header and message context. Display the full email address and reply-to address instead of looking at the sender’s name alone. An additional step you can take is to hover over the link to ensure it directs to a legitimate site. Also, be doubly wary of social media posts and texts that offer deals that are too good to be true.

2. Shop at retail websites directly

Instead of keying personal details into a coupon link in direct emailers or on social media posts, it is wiser to go directly to a retailer’s main website. If the offers are legitimate, chances are more often than not you would be able to find them on the website itself.

3. Check the validity of retailers’ websites

Choosing to shop directly at a retailer’s website is a great first step, but always remember to ensure you are, in fact, on the right website before beginning to shop. Check the URL of the website. If it ends in an unexpected top-level domain such as “.net,” or the domain name differs from the retailer’s, there is a good chance the site is not legitimate. Also, make sure the site’s URL begins with “https.” This indicates your data is encrypted whilst browsing or purchasing. Furthermore, check the website copy. If there are numerous grammatical errors and typos, this might not be the website you’re looking for.

4. Install the latest antivirus software

Aside from laptops, shopping through smartphones and tablets has become commonplace nowadays. Therefore, make sure to have next-generation antivirus software installed, preferably one that offers multi-layered protection. While having antivirus solutions installed on desktops is relatively common, many of us are guilty of failing to do the same for our mobile devices. Maintaining a multi-layered security solution across all devices will help protect you from all sorts of malware such as worms, Trojans, spyware, ransomware, and more.

While consumers should stay alert to potential cyberattacks when shopping online throughout the year, one should pay extra attention during festive shopping periods such as Singles’ Day. Cybercriminals are ramping up their attempts to target hungry shoppers, who are rushing for deep discounts that are only available for a limited number of hours. So stay calm and think twice before taking any action. Don’t just rush for the best deals and forget the basic concepts of Internet safety. If you keep your head, you can protect yourself from being a victim of cybercriminals during Singles’ Day.


Singles' Day Infographic

The post Singles’ Day deal seekers beware appeared first on Malwarebytes Labs.

Nov 9, 2017

Disdain exploit kit and a side of social engineering deliver Neutrino Bot

Today we picked up new activity from an exploit kit that was first discovered back in August of this year. The Disdain exploit kit, simply identified by a string of the same name found in its source code, is being distributed again after a short interruption via malvertising chains.

Disdain EK relies on older vulnerabilities that have long been patched and some that do not appear to be working properly. From a traffic to infection point of view, this means that the conversion rates are going to be lower than, say, RIG EK, the other most common exploit kit at the moment.

This may explain why we are seeing Disdain being used as a drive-by download alongside a social engineering attack to increase the likelihood of infections. Case in point, the following site was compromised to serve Disdain EK while also distributing a fake Flash Player update:

What’s interesting is that both payloads (Disdain’s malware drop and the so-called Flash update) are actually the same malicious binary, just delivered by different methods. The former is loaded via an iframe injected into the page which triggers the exploit kit and delivers the payload automatically, while the latter is a regular download that requires user interaction to download and run it.

Disdain’s landing page exploits older Internet Explorer vulnerabilities and attempts to load Flash exploits as well, although in our tests these did not work.

That payload is Neutrino Bot, which we have documented on this blog before when it was served in malicious spam campaigns as well as via the now defunct Neutrino exploit kit. Neutrino Bot, AKA Kasidet, is a multi-purpose piece of malware famous for its information stealing abilities.

In the past few weeks, there have been a few developments in the exploit kit scene beyond the long running RIG exploit kit, where threat actors are attempting new tricks both from an evasion and distribution point of view. Despite this, there remains a lack of innovation in what really matters at the end of the day: the exploits being used to deliver drive-by infections.

While some groups have switched to pure social engineering-based attacks, others are attempting either or both methods at once. In the current threat landscape, the campaigns that have the most success are those that can draw a lot of traffic and use clever techniques to fool users.

Systems that have been patched regularly would not be affected by this exploit kit, but at the same time users should beware of non-legitimate software updates. Many of the so-called “Flash Player” or “Video Player” updates typically push adware and, as we saw recently with the BadRabbit outbreak, even ransomware.

Malwarebytes users are protected from the Disdain exploit kit and Neutrino Bot malware.

The post Disdain exploit kit and a side of social engineering deliver Neutrino Bot appeared first on Malwarebytes Labs.

Nov 9, 2017

Winning the battle against PUPs on your computer and in court

I know very few people, other than lawyers, that get excited about corporate court cases. But, I want to share with you a recent decision that I believe is cause for every computer user to celebrate.

This week, a United States District Court judge ruled in Malwarebytes’ favor, dismissing a lawsuit brought against us by Enigma Software Group USA LLC (“Enigma”). Essentially, they sued us because we classified two of their software programs as Potentially Unwanted Programs (PUPs).

Sounds mundane, but the reality is that this is not only a critical win for Malwarebytes, but for all security providers who will continue to have legal protection to do what is right for their users. This decision affirms our right to enable users by giving them a choice on what belongs on their machines and what doesn’t.

Those of you that follow this blog know that for years, we have taken an aggressive stance against PUPs. We continue to monitor all known software against Malwarebytes’ PUP criteria to give our users the choice to select which programs they want to keep or remove from their computers. We strongly believe that you should be allowed to make this choice, and we will continue to defend your right to do so.

This company was founded on a real problem I experienced and a dream that everyone at Malwarebytes still affirms: that computer users have a right to choose what’s on their computers. As PUPs became more prevalent and problematic, we began offering protection against them too, a choice that is now backed by the United States District Court.

If you are interested in the brief news release we shared today, it can be found here.

A copy of the US District Court Clerk’s filing (Case 5:17-cv-02915-EJD Document 105) can be found online here.

The post Winning the battle against PUPs on your computer and in court appeared first on Malwarebytes Labs.

Nov 8, 2017

Of scammers and cute puppies

We’ve followed tech support scammers for quite a while at Malwarebytes. They’ve been of particular interest because of their preference for scamming the poor, the elderly, and the developmentally disabled.  But there’s a diverse spectrum of online scams a criminal can profit from, and today we’re going to take a look at one of the more despicable ones: puppy scams.

The basic gist of the scam is that the crook will find photos of beautiful purebred dogs, put them up on Craigslist or a private website, and advertise them for adoption. Once a buyer is found, they’re on the hook for fees including fake vet bills, registration, kennel fees, and transport to the victim’s location. Suffice it to say: there is no dog. Average losses for this scam run from US$800 to $5,000.

Shopping for a fake dog

For our investigation, we started with pomeranianhouse[.]com. Clicking on puppies for sale, we get Paulie, an unbelievably cute dog that looks happy to see us.

This dog is not actually for sale.

The “About us” page has extensive copy on the care and upkeep of these beautiful dogs designed to make your heart melt. But when we reverse image search on Paulie, we get another site entirely:

This site has the same dog:

It includes the same copy, but contains identifying details of the breeder, along with a lengthy diatribe against scammers who steal her photos.

Having confirmed that the first site is a huge scam, we decided to give them a call and see what happens.


Unsurprisingly, instead of a woman from Oklahoma, we get a man with a South Asian accent requesting a Walmart-2-Walmart money transfer. If you’re unfamiliar, Walmart-2-Walmart is a money transfer that allows a recipient to collect funds with an ID and a reference number. Most commonly, scammers will recruit money mules to do the collections as part of a work-from-home scheme. This particular scammer wanted to take us for $850 for the non-existent dog, but that probably would have gone up over time with assorted “unforeseen” costs.

So what about the perpetrator? The domain is WHOIS protected, with no significant pDNS, but the email they used with us, dydydav849@gmail[.]com, was partially reused on their last scam iteration in July, as seen below on a scam information website:

Once pomeranianhouse[.]com is taken down for fraud, the scammer will most likely set up a new site with fresh stolen pictures in another three months.

How to stay safe

Please do not use unconventional payment methods with people you do not know, or cannot find a reputable history on. Money wire, ACH transfer, and any sort of gift card should all be enormous red flags for “maybe I should not do business with this person.” You can also decrease your chances of getting scammed by buying pets locally from shelters or breeders who allow you to meet the dog first (to make sure it exists). Stay safe, and stay suspicious—no matter how cute the puppy is.

The post Of scammers and cute puppies appeared first on Malwarebytes Labs.

Nov 8, 2017

Phony WhatsApp used Unicode to slip under Google’s radar

After a troubling week for Google not so long ago, the company is under the spotlight once more for missing another app that, after further investigations by several members of Reddit, was found laden with adware.

This app, which was called “Update WhatsApp Messenger,” used the logo and developer name of the real WhatsApp app—two elements that a user familiar with the app expects to see. However, the developer name for this bogus app had an extra space at the end, so it looked like this:

WhatsApp, Inc.{space}

To aid users in realizing this deception, Redditor Megared17 posted snapshots of a code section belonging to the real WhatsApp and the fake app to compare the two. We have reproduced the shots below for your convenience.

That bit in the box is the percent-encoded equivalent of a blank space, which decodes to U+00A0, the Unicode code point of a no-break space. Although this is something our normal eyes may have a difficult time spotting, many decried that Google’s scanner should have quickly picked this up.
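As an added example (not code from the original post or from Malwarebytes), here is a Python check that a reviewer or automated store scanner could run to flag a developer name that differs from a known publisher only by invisible or whitespace-like Unicode characters such as the no-break space above; the reference name and the percent-encoded sample are constructed for this example.

```python
import unicodedata
from typing import List, Tuple
from urllib.parse import unquote

# Reference developer name as shown on the page (constructed for this example).
REAL_DEVELOPER = "WhatsApp, Inc."

# General categories that render as nothing or as ordinary whitespace:
# Zs = space separators (U+00A0 NO-BREAK SPACE lives here),
# Cf = format characters (zero-width space/joiner, bidi marks, ...),
# Cc = control characters.
INVISIBLE_CATEGORIES = {"Zs", "Cf", "Cc"}


def invisible_chars(name: str) -> List[Tuple[int, str, str]]:
    """List (index, U+XXXX, Unicode name) for every whitespace-like or
    invisible character in `name` other than a plain ASCII space."""
    found = []
    for i, ch in enumerate(name):
        if ch != " " and unicodedata.category(ch) in INVISIBLE_CATEGORIES:
            found.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return found


def canonical(name: str) -> str:
    """Comparison key: NFKC folds compatibility spaces such as U+00A0 to
    U+0020, invisible format/control characters are dropped, and runs of
    whitespace (including leading/trailing) are collapsed."""
    nfkc = unicodedata.normalize("NFKC", name)
    kept = "".join(ch for ch in nfkc if unicodedata.category(ch) not in {"Cf", "Cc"})
    return " ".join(kept.split())


def classify_developer(displayed: str, legit: str = REAL_DEVELOPER) -> str:
    """'match' if identical to the real name, 'lookalike' if it differs only
    by invisible or compatibility characters, 'different' otherwise."""
    if displayed == legit:
        return "match"
    if canonical(displayed) == canonical(legit):
        return "lookalike"
    return "different"


def decode_store_name(percent_encoded: str) -> str:
    """Decode a developer name as it would appear percent-encoded in a store
    URL or page source (UTF-8 %C2%A0 is the no-break space)."""
    return unquote(percent_encoded, encoding="utf-8")


if __name__ == "__main__":
    fake = decode_store_name("WhatsApp%2C%20Inc.%C2%A0")  # constructed sample
    print(classify_developer(fake), invisible_chars(fake))
```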

Read: Out of character: Homograph attacks explained

Redditor Dextersgenius pointed out that, once downloaded and installed, “Update WhatsApp Messenger” hid from users by “not having a title and having a blank icon,” which he then supplemented with screenshots that we also reproduced below.

From Dextersgenius’s testing, they also pointed to a piece of code indicating that this bogus app accesses a hardcoded shortened URL that presumably downloads an update APK named whatsapp.apk. Upon closer inspection, however, the URL led to another shortened URL—this time Google’s URL shortener—that then led to a Google search result for a WhatsApp Messenger APK file.

Essentially, users are told to “Look for the APK file from these search results. It’s got to be in one of them!” No updates are sent to the phones at all, so they’re just left with a PUP app.

“Users need to be more vigilant,” advised Armando Orozco, Lead for the Mobile Protection Team at Malwarebytes. “If they want to update WhatsApp, they need to use the update mechanism in the Play Store app, not a secondary app.”

Apart from reading app reviews for any reports of questionable behavior, it also pays for users to check the link to the developer of the app, which might have helped catch “Update WhatsApp Messenger” and possibly lessen the number of affected devices.

Stay safe!


The post Phony WhatsApp used Unicode to slip under Google’s radar appeared first on Malwarebytes Labs.
