Hiding Malware in Social Media Buttons

Clever tactic:

This new malware was discovered by researchers at Dutch cyber-security company Sansec, which focuses on defending e-commerce websites from digital skimming (also known as Magecart) attacks.

The payment skimmer malware pulls its sleight of hand trick with the help of a double payload structure where the source code of the skimmer script that steals customers’ credit cards will be concealed in a social sharing icon loaded as an HTML ‘svg’ element with a ‘path’ element as a container.

The syntax for hiding the skimmer’s source code as a social media button perfectly mimics an ‘svg’ element named using social media platform names (e.g., facebook_full, twitter_full, instagram_full, youtube_full, pinterest_full, and google_full).

A separate decoder deployed separately somewhere on the e-commerce site’s server is used to extract and execute the code of the hidden credit card stealer.

This tactic increases the chances of avoiding detection even if one of the two malware components is found since the malware loader is not necessarily stored within the same location as the skimmer payload and their true purpose might evade superficial analysis.
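A defender-side check for the hiding technique described above, added here as an example and not code from the article or from Sansec: it parses a page with Python's html.parser and flags any path element inside an svg whose d attribute or element body is not valid SVG path data, noting whether the icon carries one of the social-platform names listed. The character-class heuristic and the sample markup are assumptions of this example, not Sansec's detection logic.

```python
import re
from html.parser import HTMLParser

# Platform names the article says the malicious <svg> elements were named after.
SOCIAL_NAMES = ("facebook", "twitter", "instagram", "youtube", "pinterest", "google")
# Assumed heuristic: genuine SVG path data is only path commands, numbers and separators.
PATH_DATA_RE = re.compile(r"^[MmZzLlHhVvCcSsQqTtAa0-9eE.,+\-\s]*$")


class SvgPathAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self._svg_names = []  # id/class of the currently open <svg> elements
        self._path = None     # (svg name, text chunks) while inside a <path>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "svg":
            self._svg_names.append(a.get("id") or a.get("class") or "")
        elif tag == "path" and self._svg_names:
            self._check(self._svg_names[-1], "d attribute", a.get("d") or "")
            self._path = (self._svg_names[-1], [])

    def handle_data(self, data):
        if self._path is not None:
            self._path[1].append(data)

    def handle_endtag(self, tag):
        if tag == "path" and self._path is not None:
            svg_name, chunks = self._path
            self._check(svg_name, "element body", "".join(chunks))
            self._path = None
        elif tag == "svg" and self._svg_names:
            self._svg_names.pop()

    def _check(self, svg_name, where, payload):
        # Anything that is not path data inside a <path> is worth a human look.
        payload = payload.strip()
        if payload and not PATH_DATA_RE.match(payload):
            self.findings.append({"svg": svg_name, "where": where, "length": len(payload),
                                  "social_name": any(n in svg_name.lower() for n in SOCIAL_NAMES)})


def audit_html(html):
    """Return one finding per <path> whose d attribute or body is not path data."""
    auditor = SvgPathAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: a genuine icon, then one whose <path> body carries a base64 blob.
SAMPLE_HTML = """
<svg id="twitter_full" viewBox="0 0 24 24"><path d="M12 2 L22 22 H2 Z"/></svg>
<svg id="facebook_full" viewBox="0 0 24 24"><path d="M0 0h24v24H0z">aGVsbG8gd29ybGQ=</path></svg>
"""
```

Run it over the rendered checkout page rather than the server-side template, since the article notes the decoder that assembles the payload lives elsewhere on the site.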

Symantec Reports on Cicada APT Attacks against Japan

Symantec is reporting on an APT group linked to China, named Cicada. They have been attacking organizations in Japan and elsewhere.

Cicada has historically been known to target Japan-linked organizations, and has also targeted MSPs in the past. The group is using living-off-the-land tools as well as custom malware in this attack campaign, including a custom malware — Backdoor.Hartip — that Symantec has not seen being used by the group before. Among the machines compromised during this attack campaign were domain controllers and file servers, and there was evidence of files being exfiltrated from some of the compromised machines.

The attackers extensively use DLL side-loading in this campaign, and were also seen leveraging the ZeroLogon vulnerability that was patched in August 2020.

Interesting details about the group’s tactics.

News article.

Sidebar photo of Bruce Schneier by Joe MacInnis.

Interview with the Author of the 2000 Love Bug Virus

No real surprises, but we finally have the story.

The story he went on to tell is strikingly straightforward. De Guzman was poor, and internet access was expensive. He felt that getting online was almost akin to a human right (a view that was ahead of its time). Getting access required a password, so his solution was to steal the passwords from those who’d paid for them. Not that de Guzman regarded this as stealing: He argued that the password holder would get no less access as a result of having their password unknowingly “shared.” (Of course, his logic conveniently ignored the fact that the internet access provider would have to serve two people for the price of one.)

De Guzman came up with a solution: a password-stealing program. In hindsight, perhaps his guilt should have been obvious, because this was almost exactly the scheme he’d mapped out in a thesis proposal that had been rejected by his college the previous year.

North Korea ATM Hack

The US Cybersecurity and Infrastructure Security Agency (CISA) published a long and technical alert describing a North Korea hacking scheme against ATMs in a bunch of countries worldwide:

This joint advisory is the result of analytic efforts among the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI) and U.S. Cyber Command (USCYBERCOM). Working with U.S. government partners, CISA, Treasury, FBI, and USCYBERCOM identified malware and indicators of compromise (IOCs) used by the North Korean government in an automated teller machine (ATM) cash-out scheme — referred to by the U.S. Government as “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks.”

The level of detail is impressive, as seems to be common in CISA’s alerts and analysis reports.

Newly discovered Mac malware uses “fileless” technique to remain stealthy

Hackers believed to be working for the North Korean government have upped their game with a recently discovered Mac trojan that uses in-memory execution to remain stealthy.

In-memory execution, also known as fileless infection, never writes anything to a computer hard drive. Instead, it loads malicious code directly into memory and executes it from there. The technique is an effective way to evade antivirus protection because there’s no file to be analyzed or flagged as suspicious.

In-memory infections were once the sole province of state-sponsored attackers. By 2017, more advanced financially motivated hackers had adopted the technique. It has become increasingly common since then.

The malware isn’t entirely fileless. The first stage poses as a cryptocurrency app with the file name UnionCryptoTrader.dmg. When it first came to light earlier this week, only two out of 57 antivirus products detected it as suspicious. On Friday, according to VirusTotal, detection had only modestly improved, with 17 of 57 products flagging it.

Once executed, the file uses a post-installation binary that, according to a detailed analysis by Patrick Wardle, a Mac security expert at enterprise Mac software provider Jamf, can do the following:

  • move a hidden plist (.vip.unioncrypto.plist) from the application’s Resources directory into /Library/LaunchDaemons
  • set it to be owned by root
  • create a /Library/UnionCrypto directory
  • move a hidden binary (.unioncryptoupdater) from the application’s Resources directory into /Library/UnionCrypto/
  • set it to be executable
  • execute this binary (/Library/UnionCrypto/unioncryptoupdater)

The result is a malicious binary named unioncryptoupdater that runs as root and has “persistence,” meaning it survives reboots to ensure it runs constantly.

Wardle said that the installation of a launch daemon whose plist and binary are stored hidden in an application’s resource directory is a technique that matches Lazarus, the name many researchers and intelligence officers use for a North Korean hacking group. Another piece of Mac malware, dubbed AppleJeus, did the same thing.

Another trait that’s consistent with North Korean involvement is the interest in cryptocurrencies. As the US Department of Treasury reported in September, industry groups have unearthed evidence that North Korean hackers have siphoned hundreds of millions of dollars’ worth of cryptocurrencies from exchanges in an attempt to fund the country’s nuclear weapons development programs.

Begin in-memory infection

It is around this point in the infection chain that the fileless execution starts. The infected Mac begins contacting a server at hxxps://unioncrypto[.]vip/update to check for a second-stage payload. If one is available, the malware downloads and decrypts it and then uses macOS programming interfaces to create what’s known as an object file image. The image allows the malicious payload to run in memory without ever touching the hard drive of the infected Mac.

“As the layout of an in-memory process image is different from its on-disk image, one cannot simply copy a file into memory and directly execute it,” Wardle wrote. “Instead, one must invoke APIs such as NSCreateObjectFileImageFromMemory and NSLinkModule (which take care of preparing the in-memory mapping and linking).”

Wardle was unable to obtain a copy of the second-stage payload, so it’s not clear what it does. Given the theme of cryptocurrency in the file and domain names—and North Korean hackers’ preoccupation with stealing digital coin—it’s a decent bet the follow-on infection is used to access wallets or similar assets.

When Wardle analyzed the malware earlier this week, the control server at hxxps://unioncrypto[.]vip/ was still online, but it was responding with a 0, which signaled to infected computers that no additional payload was available. By Friday, the domain was no longer responding to pings.

[Screenshot: the macOS warning displayed for the unsigned app; image credit Patrick Wardle]

While fileless infections are a further indication that Lazarus is growing increasingly adept at developing stealthy malware, AppleJeus.c, as Wardle has dubbed the recently discovered malware, is still easy for alert users to detect. That’s because it’s not signed by an Apple-trusted developer, a shortcoming that causes macOS to display the warning to the right.

As is typical when applications are installed, macOS also requires users to enter their Mac password. This isn’t automatically a tip-off that something suspicious is happening, but it does prevent the first stage from being installed through drive-bys or other surreptitious methods.

It’s unlikely anyone outside of a cryptocurrency exchange would be targeted by this malware. Those who want to check can look for the existence of (1) /Library/LaunchDaemons/vip.unioncrypto.plist and (2) the running process or binary /Library/UnionCrypto/unioncryptoupdater.
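The manual check in the paragraph above, as an added Python example that is not part of the article or of Wardle's analysis: it tests for the two file paths, parses the launch daemon plist with plistlib to confirm it starts the binary at load, and can audit a constructed temporary tree so the logic is exercised without the malware present. The plist keys used in the fixture are an assumption about how such a daemon would be configured.

```python
import os
import plistlib
import tempfile

# The two indicators the article tells readers to look for.
PLIST_PATH = "/Library/LaunchDaemons/vip.unioncrypto.plist"
BINARY_PATH = "/Library/UnionCrypto/unioncryptoupdater"

def inspect_launch_daemon(plist_path):
    """Parse a launchd plist and summarise what it starts; None if unreadable."""
    try:
        with open(plist_path, "rb") as fh:
            plist = plistlib.load(fh)
    except (OSError, ValueError, plistlib.InvalidFileException):
        return None
    args = plist.get("ProgramArguments") or []
    return {
        "program": plist.get("Program") or (args[0] if args else None),
        "run_at_load": bool(plist.get("RunAtLoad", False)),
        "keep_alive": bool(plist.get("KeepAlive", False)),
    }

def check_unioncrypto(root="/"):
    """Look for both indicators under root; root="/" audits the live system."""
    plist_path = os.path.join(root, PLIST_PATH.lstrip("/"))
    binary_path = os.path.join(root, BINARY_PATH.lstrip("/"))
    daemon = inspect_launch_daemon(plist_path) if os.path.isfile(plist_path) else None
    return {
        "plist_present": os.path.isfile(plist_path),
        "binary_present": os.path.isfile(binary_path),
        "daemon": daemon,
        # A daemon that starts the binary at load is the root persistence the article describes.
        "persistence": bool(daemon and daemon["program"] == BINARY_PATH and daemon["run_at_load"]),
        "suspicious": os.path.isfile(plist_path) or os.path.isfile(binary_path),
    }

def build_sample_tree(root):
    """Constructed fixture: a look-alike plist and a harmless stand-in binary, not the real files."""
    plist_path = os.path.join(root, PLIST_PATH.lstrip("/"))
    binary_path = os.path.join(root, BINARY_PATH.lstrip("/"))
    os.makedirs(os.path.dirname(plist_path), exist_ok=True)
    os.makedirs(os.path.dirname(binary_path), exist_ok=True)
    with open(plist_path, "wb") as fh:  # keys are an assumption about the daemon's configuration
        plistlib.dump({"Label": "vip.unioncrypto", "ProgramArguments": [BINARY_PATH],
                       "RunAtLoad": True, "KeepAlive": True}, fh)
    with open(binary_path, "wb") as fh:
        fh.write(b"#!/bin/sh\nexit 0\n")

def run_demo():
    """Audit an empty temporary tree, then the same tree seeded with the fixture."""
    with tempfile.TemporaryDirectory() as root:
        clean = check_unioncrypto(root)
        build_sample_tree(root)
        seeded = check_unioncrypto(root)
    return clean, seeded
```

Checking for a running unioncryptoupdater process, the other indicator the article names, is left to `ps` or `launchctl list` on the host.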

Security Awareness - Phishing Responses

Any organisation comprises three essential elements: people, process and technology. In recent times most cyber-attacks have materialised because of weaknesses in people. Humans, blamed as the weakest part of information security, do not get enough controls to protect them from cyber-crime. Security awareness training is emphasised as the only effective control, yet it is not implemented with the same zeal and vigour as firewalls or antivirus solutions.

Any security control is implemented to achieve its control objectives. However, security awareness is limited to annual sessions, posters and some weekly security news emails. The results of security awareness are not collected or analysed to verify whether the control objectives are met. Like any other control that is tested and evaluated, an awareness programme must be subject to testing: evaluate the awareness levels and compare them with the business objectives.

Tools that verify the security awareness programme provide insights and effective performance indicators. Organisations can evaluate the results to identify their weak and strong areas. This allows for risk mitigation in weaker areas by using resources in a cost-effective manner. You can seek our services regarding phishing responses. We can assist you in developing your weakest link into your strongest.

Catching the phish

There are various tools to evaluate users’ readiness for phishing attacks. Users are tested with phishing emails and phone calls to check their awareness level.

A security aware workforce will:

Awareness is key

Phishing is one of the major causes of massive breaches. Phishing exploits human trust to gain unauthorised information, install malware, bypass authentication mechanisms and steal sensitive data. It uses emails or phone calls. Emails with malicious attachments, with links to fake websites, or spoofed to look legitimate, are sent to the recipients. If users are not properly trained to identify phishing emails, they fall prey to attackers. One unaware employee can cause damage to the entire organisation, since they open a door for the attacker.

© Copyright ITSecurity.Org Ltd 2015-2019 All Rights Reserved. Company Registration Number:11208508. Registered office address: 27 Old Gloucester Street, Holborn, London, United Kingdom, WC1N 3AX. VAT Reg.299747227

Black Friday, Cyber Monday scams are on the loose, businesses need to prepare

stumbling to the couch in a turkey-induced coma with their laptop or phone in hand ready to hit the cyber-holiday sales are not alone in being targeted by

Retailers and businesses also may be affected by the dramatic increase in malicious threats that target shoppers looking for buys on Black Friday and Cyber Monday. This can include being hit with ransomware and having to make the decision whether or not to pay up or risk losing sales during the busiest shopping period of the

retailers much of the damage done may be to their reputation as malicious actors generate hundreds of brand and website-specific email scams and fake websites designed to confuse and entice anxious shoppers.

A study by Zerofox’s Alpha Team has already identified 61,305 potential scams spread across 26 brands. Brick and mortar retailers are the primary focus with 92 percent of the campaigns spotted using a store brand in some manner.

likely target brick and mortar retailers in such high quantities because these kinds of scams will be attractive to a larger pool of consumers and thereby potential victims. Fewer consumers are in the market for luxury goods and high-end jewelry than are shopping at large brick and mortar stores that appeal to multiple price points. Brick and mortar stores also carry a wide range of goods, from electronics to jewelry, versus stores that only sell one kind of good,” the report

The threats are generally centered on email campaigns that use the one lure every shopper is interested in, something for nothing. This is usually in the form of a gift card or coupon, but to obtain these items the shopper/victim is required to enter some level of information, at the very least an email or physical

permanent members of Santa’s naughty list also use social media to attract victims. This is done by creating fake accounts and then loading posts with hashtags designed to catch a shopper’s eye, such as #blackfriday or #cybermonday.

Some of the more technical threats involve typosquatting, or creating domains based on popular shopping sites like Amazon, Apple and Target.

Alpha Team found 124,000 domains that contain the brand name out of the list of 26 selected for this report. The team filtered the 124,000 domains by Certificate Issuer for legitimate domains,” the security company said.

Source: Zerofox

The massive uptick in internet traffic also presents an opportunity for attackers and a danger to corporate entities whose workers may use either company equipment or its network to make purchases. Tim Erlin, vice president of product management and strategy at Tripwire, cited a recent Tripwire Twitter survey that found 84 percent of security professionals are concerned there is not enough security awareness for consumers to keep them safe online during the holiday shopping season.

businesses, there are two ways to look at cyber risks around Black Friday. The first is that, simply because it’s a busier time and more money is flowing through their systems, attackers will be more likely to target them, hoping for the busyness to serve as a diversion. The second way to look at it is from an employee perspective: staff may be shopping online from business-owned assets, thus potentially opening them up to Black Friday scams. For this reason, it would be worth it for businesses to focus on education and training on how to recognize scams and phishing attempts,” Erlin said.

Then there are the direct threats to business. A retailer, delivery company or distributor’s worst fear is not being able to operate during this time.

and other types of malware are also a concern for businesses around this time of the year. Those that are targeting the business itself ultimately just want the organization to pay the ransom, which can be avoided by having good incident response measures in place and secure, up-to-date backups,” Erlin

In addition to being shut down, another huge potential headache is discovering credit card skimming malware like Magecart residing in a chain’s POS system, noted a Sucuri study. It could also mean a retailer could be held liable for any fraudulent charges made on a customer’s card in cases where the card was not present for the

consumer habits, such as buy online, pick up in store (BOPIS), now allow customers to pick up products at physical locations after purchasing them on the retailer’s website – so these transactions become classified as card-not-present. Unfortunately, there are still retail merchants that have little to no authentication process for in-person pickups, making them likely targets for abuse due to a lack of security controls,” Sucuri said.

There are steps e-commerce sites and retailers with an online presence can take to protect themselves not only during the holiday season, but all year long, said Kaspersky.

  • Use a reputable payment service and keep your online trading and payment platform software up to date. Every new update may contain critical patches to make the system less vulnerable to cybercriminals.
  • Use a tailored IT and cybersecurity solution to protect your business and customers.
  • Pay attention to the personal information used by customers who buy from you. Use a fraud prevention solution that you can adjust to your company profile and the profile of your customers.

The post Black Friday, Cyber Monday scams are on the loose, businesses need to prepare appeared first on SC Media.