Windows backdoor masquerading as VPN app installer

Windows users looking to install a VPN app are in danger of downloading one that’s been bundled with a backdoor, Trend Micro researchers warn.

The trojanized package in this specific case is the Windows installer for Windscribe VPN, and contains the Bladabindi backdoor, which is able to:

  • Execute commands from a remote malicious user (e.g., downloading, executing, and updating files)
  • Log a user’s keystrokes
  • Take screenshots of the user’s screen
  • Collect information about the computer (OS, username, machine name), the running AV product(s), and passwords stored in browsers

The trojanized installer is offered on third-party download sites and users who download and run it are unlikely to notice that something is wrong with it.

“The bundled application drops three components to the user’s system: the legitimate VPN installer, the malicious file (named lscm.exe) that contains the backdoor, and the application that serves as the runner of the malicious file (win.vbs). The user sees an installation window on their screen, which possibly masks the malicious activity that occurs in the background,” the researchers explained.

Windows backdoor VPN

Trojanizing legitimate software

Bundling malware with legitimate apps is a popular technique for compromising computers and mobile devices.

In Bladabindi’s case, there’s even a publicly available hacker tool (NJ Rat) that can help create variants sporting a “benign” icon designed to mislead users into running the file:

Windows backdoor VPN

Users who don’t stick to official download centers and app stores are at greater danger of downloading malware, although attackers have been known to bypass app stores’ protections and compromise official developer sites to deliver malware.

“Enterprises and individual users alike employ VPNs to bolster their system’s protection. However, inadvertently downloading an installer bundled with malicious files does the exact opposite of this as it exposes systems to threats,” the researchers concluded.

A look at the top threats inside malicious emails

Web-phishing targeting various online services almost doubled during the COVID-19 pandemic: it accounted for 46 percent of the total number of fake web pages, Group-IB reveals.

threats inside malicious emails

Ransomware, the headliner of the previous half-year, walked off stage: only 1 percent of emails analyzed contained this kind of malware. Every third email, meanwhile, contained spyware, which is used by threat actors to steal payment data or other sensitive info to then put it on sale in the darknet or blackmail its owner.

Downloaders, intended for the installation of additional malware, and backdoors, granting cybercriminals remote access to victims’ computers, also made it to top-3. They are followed by banking Trojans, whose share in the total amount of malicious attachments showed growth for the first time in a while.

Opened email lets spy in

According to the data, in H1 2020, 43 percent of the malicious mails on the radars of Group-IB Threat Detection System had attachments with spyware or links leading to their downloading.

Another 17 percent contained downloaders, while backdoors and banking Trojans came third with a 16- and 15-percent shares, respectively. Ransomware, which in the second half of 2019 hid in every second malicious email, almost disappeared from the mailboxes in the first six months of this year with a share of less than 1 percent.

These findings confirm adversaries’ growing interest in Big Game Hunting. Ransomware operators have switched from attacks en masse on individuals to corporate networks. Thus, when attacking large companies, instead of infecting the computer of a separate individual immediately after the compromise, attackers use the infected machine to move laterally in the network, escalate the privileges in the system and distribute ransomware on as many hosts as possible.

Top-10 tools used in attacks were banking Trojan RTM (30%); spyware LOKI PWS (24%), AgentTesla (10%), Hawkeye (5%), and Azorult (1%); and backdoors Formbook (12%), Nanocore (7%), Adwind (3%), Emotet (1%), and Netwire (1%).

The new instruments detected in the first half of the year included Quasar, a remote access tool based on the open source; spyware Gomorrah that extracts login credentials of users from various applications; and 404 Keylogger, a software for harvesting user data that is distributed under malware-as-a-service model.

Almost 70 percent of malicious files were delivered to the victim’s computer with the help of archives, another 18% percent of malicious files were masked as office documents (with .doc, .xls and .pdf file extensions), while 14% more were disguised as executable files and scripts.

Secure web-phishing

In the first six months of 2020, a total of 9 304 phishing web resources were blocked, which is an increase of 9 percent compared to the previous year. The main trend of the observed period was the two-fold surge in the number of resources using safe SSL/TLS connection – their amount grew from 33 percent to 69 percent in just half a year.

This is explained by the cybercriminals’ desire to retain their victim pool – the majority of web browsers label websites without SSL/TLS connection as a priori dangerous, which has a negative impact on the effectiveness of phishing campaigns.

Experts predict that the share of web-phishing with insecure connection will continue to decrease, while websites that do not support SSL/TLS will become an exception.

threats inside malicious emails

Pandemic chronicle

Just as it was the case in the second half of 2019, in the first half of this year, online services like ecommerce websites turned out to be the main target of web-phishers. In the light of global pandemic and the businesses’ dive into online world, the share of this phishing category increased to remarkable 46 percent.

The attractiveness of online services is explained by the fact that by stealing user login credentials, threat actors also gain access to the data of bank cards linked to user accounts.

Online services are followed by email service providers (24%), whose share, after a decline in 2019, resumed growth in 2020, and financial organizations (11%). Main web-phishing target categories also included payment services, cloud storages, social networks, and dating websites.

The leadership in terms of the number of phishing resources registered has persistently been held by .com domain zone – it accounts for nearly a half (44%) of detected phishing resources in the review period. Other domain zones popular among the phishers included .ru (9%), .br (6%), .net (3%) and .org (2%).

“The beginning of this year was marked by changes in the top of urgent threats that are hiding in malicious emails,” comments CERT-GIB deputy head Yaroslav Kargalev.

“Ransomware operators have focused on targeted attacks, choosing large victims with a higher payment capacity. The precise elaboration of these separate attacks affected the ransomware share in the top threats distributed via email en masse.

“Their place was taken by backdoors and spyware, with the help of which threat actors first steal sensitive information and then blackmail the victim, demanding a ransom, and, in case the demand is refused, releasing the info publicly.

“The ransomware operators’ desire to make a good score is likely to result in the increase of the number of targeted attacks. As email phishing remains the main channel of their distribution, the urgency of securing mail communication is more relevant than ever.”

Analysis of 92 billion rejected emails uncovers threat actors’ motivations

Mimecast released the Threat Intelligence Report: Black Hat U.S.A. Edition 2020, which presents insights gleaned from the analysis of 195 billion emails processed by Mimecast for its customers from January through June 2020. Of those, 92 billion (47%) were flagged as malicious or spam and rejected.

malicious emails analysis

Blocked impersonation attacks

Main trends

Two main trends ran throughout the analysis: the desire for attacker’s monetary gain and a continued reliance on COVID-19-related campaigns, especially within certain vertical industries.

One of the most significant observations was that threat actors are launching opportunistic and malware-based campaigns across multiple verticals at volumes at an alarming rate. The report also forecasts what types of attacks will likely spike in the next six months.

Attacks and malware-centric campaigns

The majority of attacks seen by Mimecast during this period were simple, high volume forms of attacks, such as spam and phishing that is likely a reflection of the ease of access to tools and kits available online. As the attacks progressed, exploits evolved to more potent forms of malware and ransomware with the attacker’s goal appearing to be monetary gain.

In addition, malware-centric campaigns have been a fixture of 2020 and have become increasingly sophisticated. 42 significant campaigns were identified during the six-month period that the report covers. The campaigns showed a significant uptick in the use of short-lived, high volume, targeted and hybridized attacks against many sectors of the U.S. economy.

Researchers believe it is highly likely a consequence of threat actors targeting industries that remained opened during the ‘stay at home’ period in the U.S., as well as those essential to the nation’s recovery from the current pandemic. Interestingly, the media and publishing sectors suffered high volumes of impersonation attacks, potentially as a vehicle for cybercriminals to spread disinformation across the U.S.

“If one thing is for certain, the pandemic we’re living in today has caused significant challenges. We’ve continued to see threat actors tap into the vulnerabilities of humans and launch campaign after campaign with a COVID-19 hook, in attempt to get users to click harmful links or open malicious files,” said Josh Douglas, VP of product management, threat intelligence at Mimecast.

malicious emails analysis

Mimecast signature detections

Understanding the modern threat landscape

Threat actors go where the money flows. The attacks from January-June 2020 incorporated a vast array of threats, including Azorult, Barys, Cryxos, Emotet, Hawkeye, Lokibot, Nanocore, Nemucod, Netwired, Remcos, Strictor, and ZLoader, and involved a combination of mass generic Trojan delivery with phishing campaigns with the goal of monetary gain.

Industries that remained opened during the pandemic where the hardest hit. The top sectors for attacks in the U.S. were: manufacturing, retail/wholesale, finance and insurance. In addition, the media and publishing sector suffered high volumes of impersonation attacks (48.4 million detections), potentially was a vehicle to spread disinformation across the U.S.

Organizations are at a higher risk of being attacked by ransomware. Researchers found that it is highly likely that U.S. businesses are at risk of ransomware attacks, due to threat actors’ efforts towards the high volume, opportunistic attack of multiple verticals. The circumstances of the pandemic make organizations more vulnerable to ransomware, so it will likely remain a significant threat for the second half of 2020.

Impersonation attacks continue to accelerate. The volume of sender impersonation attacks increased by 24% between January and June to nearly 46 million per month.

Most malware in Q1 2020 was delivered via encrypted HTTPS connections

67% of all malware in Q1 2020 was delivered via encrypted HTTPS connections and 72% of encrypted malware was classified as zero day, so would have evaded signature-based antivirus protection, according to WatchGuard.

encrypted malware

These findings show that without HTTPS inspection of encrypted traffic and advanced behavior-based threat detection and response, organizations are missing up to two-thirds of incoming threats. The report also highlights that the UK was a top target for cyber criminals in Q1, earning a spot in the top three countries for the five most widespread network attacks.

“Some organizations are reluctant to set up HTTPS inspection due to the extra work involved, but our threat data clearly shows that a majority of malware is delivered through encrypted connections and that letting traffic go uninspected is simply no longer an option,” said Corey Nachreiner, CTO at WatchGuard.

“As malware continues to become more advanced and evasive, the only reliable approach to defense is implementing a set of layered security services, including advanced threat detection methods and HTTPS inspection.”

Monero cryptominers surge in popularity

Five of the top ten domains distributing malware in Q1 either hosted or controlled Monero cryptominers. This sudden jump in cryptominer popularity could simply be due to its utility; adding a cryptomining module to malware is an easy way for online criminals to generate passive income.

Flawed-Ammyy and Cryxos malware variants join top lists

The Cryxos trojan was third on a top-five encrypted malware list and also third on its top-five most widespread malware detections list, primarily targeting Hong Kong. It is delivered as an email attachment disguised as an invoice and will ask the user to enter their email and password, which it then stores.

Flawed-Ammyy is a support scam where the attacker uses the Ammyy Admin support software to gain remote access to the victim’s computer.

Three-year-old Adobe vulnerability appears in top network attacks

An Adobe Acrobat Reader exploit that was patched in August 2017 appeared in a top network attacks list for the first time in Q1. This vulnerability resurfacing several years after being discovered and resolved illustrates the importance of regularly patching and updating systems.

Mapp Engage, AT&T and Bet365 targeted with spear phishing campaigns

Three new domains hosting phishing campaigns appeared on a top-ten list in Q1 2020. They impersonated digital marketing and analytics product Mapp Engage, online betting platform Bet365 (this campaign was in Chinese) and an AT&T login page (this campaign is no longer active at the time of the report’s publication).

COVID-19 impact

Q1 2020 was only the start of the massive changes to the cyber threat landscape brought on by the COVID-19 pandemic. Even in these first three months of 2020, we still saw a massive rise in remote workers and attacks targeting individuals.

Malware hits and network attacks decline. Overall, there were 6.9% fewer malware hits and 11.6% fewer network attacks in Q1, despite a 9% increase in the number of Fireboxes contributing data. This could be attributed to fewer potential targets operating within the traditional network perimeter with worldwide work-from-home policies in full force during the pandemic.

The FBI expects a surge of mobile banking threats

The increased use of mobile banking apps due to the COVID-19 pandemic is sure to be followed by an increased prevalence of mobile banking threats: fake banking apps and banking Trojans disguised as those apps, the FBI has warned.

mobile banking threats

The problem

The pandemic and the resulting social distancing brought about many changes. Among them is a preference for using payment cards and electronic funds transfers instead of cash and an increased use of mobile devices to conduct banking activities.

“Studies of US financial data indicate a 50 percent surge in mobile banking since the beginning of 2020. Additionally, studies indicate 36 percent of Americans plan to use mobile tools to conduct banking activities, and 20 percent plan to visit branch locations less often,” the FBI pointed out.

Cyber criminals go where the money goes, so the agency expects them to increase their efforts to surreptitiously deliver information-stealing apps and banking Trojans to mobile users.

Banking Trojans are usually disguised as other popular apps – mobile games, utility apps, contact-tracing apps, etc. – while fake banking apps are apps that are made to look like the real deal. Both will harvest login credentials and, increasingly, second authentication factors (one-time passcodes) delivered via SMS or authenticator apps.

Risk mitigation

The FBI advises users to be careful when installing new apps. Third-party app stores should be avoided, but even official ones like Google Play can harbor malicious apps that have made it through the vetting process by employing different tricks to hide their malicious nature.

If you want to be sure that you’ll download the right mobile banking app, your best bet is to visit you bank’s website and download the app from there or follow the link they provide to the official app store where it’s hosted.

When downloading any new app, users should check the reviews and the provided developer info. They should also critically evaluate the permissions the app requests and ditch it if it asks for permissions it shouldn’t have (e.g., a wallpaper app that wants to access the user’s contacts or SMS messages).

If enabled, services like Google Play Protect may catch malicious apps before they do harm, and so can anti-malware apps – just be sure to download an effective one.

The FBI also advises users to choose unique, strong passwords for banking apps, a password manager or password management service to “remember” them, and to enable two-factor or multi-factor authentication on devices and accounts where possible.

“Use strong two-factor authentication if possible via biometrics, hardware tokens, or authentication apps,” the agency urged, and warned not to give two-factor passcodes to anyone over the phone or via text.

“If you encounter an app that appears suspicious, exercise caution and contact that financial institution. Major financial institutions may ask for a banking PIN number, but will never ask for your username and password over the phone,” the FBI added.

“Check your bank’s policies regarding online and app account security. If the phone call seems suspicious, hang up and call the bank back at the customer service number posted on their website.”

A closer look at the global threat landscape

60% of initial entries into victims’ networks leveraged either previously stolen credentials or known software vulnerabilities, allowing attackers to rely less on deception to gain access, according to a new IBM report exploring the global threat landscape.

global threat landscape

The top three initial attack vectors

  • Phishing was a successful initial infection vector in less than one-third of incidents (31%) observed, compared to half in 2018.
  • Scanning and exploitation of vulnerabilities resulted in 30% of observed incidents, compared to just 8% in 2018. In fact, older, known vulnerabilities in Microsoft Office and Windows Server Message Block were still finding high rates of exploitation in 2019.
  • The use of previously stolen credentials is also gaining ground as a preferred point-of-entry 29% of the time in observed incidents. Just in 2019, the report states more than 8.5 billion records were compromised— resulting in a 200% increase in exposed data reported year over year, adding to the growing number of stolen credentials that cybercriminals can use as their source material.

“The amount of exposed records that we’re seeing today means that cybercriminals are getting their hands on more keys to our homes and businesses. Attackers won’t need to invest time to devise sophisticated ways into a business; they can deploy their attacks simply by using known entities, such as logging in with stolen credentials,” said Wendi Whitmore, Vice President, IBM X-Force Threat Intelligence.

“Protection measures, such as multi-factor authentication and single sign-on, are important for the cyber resilience of organizations and the protection and privacy of user data.”

Configure it out

Of the more than 8.5 billion breached records reported in 2019, seven billion of those, or over 85%, were due to misconfigured cloud servers and other improperly configured systems — a stark departure from 2018 when these records made up less than half of total records.

Banking on ransomware

Some of the most active banking trojans found in this year’s report, such as TrickBot, were increasingly observed to set the stage for full-on ransomware attacks. In fact, novel code used by banking trojans and ransomware topped the charts compared to other malware variants discussed in the report.

Tech trust takeover for phishing

Tech, social media and content streaming household brands make up the “Top 10” spoofed brands that cyber attackers are impersonating in phishing attempts.

This shift could demonstrate the increasing trust put in technology providers over historically trusted retail and financial brands. Top brands used in squatting schemes include Google, YouTube and Apple.

Ransomware attacks evolve

The report revealed trends in ransomware attacks worldwide, targeting both the public and private sectors.

While over 100 U.S. government entities were impacted by ransomware attacks last year, there were also significant attacks against retail, manufacturing and transportation —which are known to either hold a surplus of monetizable data or rely on outdated technology and, thus, face the vulnerability sprawl.

In fact, in 80% of observed ransomware attempts, attackers were exploiting Windows Server Message Block vulnerabilities, the same tactic used to propagate WannaCry, an attack that crippled businesses across 150 countries in 2017.

With ransomware attacks costing organizations over $7.5 billion in 2019, adversaries are reaping the rewards and have no incentive to slow down in 2020. New malware code was observed in 45% of banking trojans and 36% of ransomware. This suggests that by creating new code attackers are continuing to invest in efforts to avoid detection.

Concurrently, a strong relationship between ransomware and banking trojans has been observed, with the latter being used to open the door for targeted, high-stakes ransomware attacks, diversifying how ransomware is being deployed.

For example, the most active financial malware according to the report, TrickBot, is suspected of deploying Ryuk on enterprise networks, while various other banking trojans, such as QakBot, GootKit and Dridex are also diversifying to ransomware variants.

Adversaries spoof tech and social media companies in phishing schemes

As consumers become more aware of phishing emails, phishing tactics themselves are becoming more targeted. There has been a squatting trend in phishing campaigns, wherein attackers are impersonating consumer tech brands with tempting links – using tech, social media and content streaming companies to trick users into clicking malicious links in phishing attempts.

Nearly 60% of the top 10 spoofed brands identified were Google and YouTube domains, while Apple (15%) and Amazon (12%) domains were also spoofed by attackers looking to steal users’ monetizable data. IBM X-Force assesses that these brands were targeted primarily due to the monetizable data they hold.

Facebook, Instagram and Netflix also made the list of top 10 spoofed brands observed but at a significantly lower use rate. This may be due to the fact that these services don’t typically hold directly monetizable data.

As attackers often bet on credential reuse to gain access to accounts with more lucrative payouts, frequent password reuse may be what potentially made these brands targets. In fact, 41% of millennials surveyed reuse the same password multiple times and Generation Z averages use of only five passwords, indicating a heavier reuse rate.

Discerning spoofed domains can be extremely difficult, which is exactly what attackers bet on. With nearly 10 billion accounts combined , the top 10 spoofed brands listed in the report offer attackers a wide target pool, increasing the likelihood that an unsuspecting user clicks an innocent-seeming link from a spoofed brand.

Retail rebounds in targeted industry rankings

Retail has jumped to the second most attacked industry in this year’s report, in a very close race with financial services which remained at the top for the fourth year in a row. Magecart attacks are among the most prominent attacks observed against retail, impacting a reported 80 e-commerce sites in the summer of 2019.

Cybercriminals seem to have set their sights on consumers’ PII, payment card data and even valuable loyalty program information. Retailers also experienced a large amount of ransomware attacks based on insights from IBM’s incident response engagements.

global threat landscape

ICS and OT attacks soar

In 2019, OT targeting increased 2000% year over year with more attacks on ICS and OT infrastructure than any of the prior three years. Most observed attacks involved a combination of known vulnerabilities within SCADA and ICS hardware as well as password-spraying.

North America and Asia: Most targeted regions

These regions experienced the highest number of observed attacks as well as suffered the largest reported data losses over the past year, over 5 billion and 2 billion records exposed respectively.

Mac threats are growing faster than their Windows counterparts

Mac threats growing faster than their Windows counterparts for the first time ever, with nearly twice as many Mac threats detected per endpoint as Windows threats, according to Malwarebytes.

mac threats growing

In addition, cybercriminals continue to focus on business targets with a diversification of threat types and attack strategies in 2019.

Emotet and TrickBot were back in 2019

Trojan-turned-botnets Emotet and TrickBot made a return in 2019 to target organizations alongside new ransomware families, such as Ryuk, Sodinokibi and Phobos.

In addition, a wave of new hack tools and registry key disablers made a splashy debut, reflecting greater sophistication used by today’s business-focused attackers.

Threat actors are becoming more creative

Adware was particularly problematic for consumers and businesses on Windows, Mac and Android devices, deploying aggressive techniques for serving up advertisements, hijacking browsers, redirecting web traffic and proving extremely difficult to uninstall.

“A rise in pre-installed malware, adware and multi-vector attacks signals that threat actors are becoming more creative and increasingly persistent with their campaigns,” said Marcin Kleczynski, CEO of Malwarebytes.

“It is imperative that, as an industry, we continue to raise the bar in defending against these sophisticated attacks, actively protecting both users and businesses by flagging and blocking all programs that may violate their privacy, infect their devices, or even turn the infrastructure they depend on against them.”

Mac threats are growing, other threats in the spotlight

Mac threats significantly ramp up – An average of 11 threats per Mac endpoint were detected in 2019—nearly double the average of 5.8 threats per endpoint on Windows. Overall Mac threats increased by more than 400 percent, year-over-year.

Business detections continued to rise – In 2019, global business threats rose 13 percent to about 9.6 million detections.

HackTools triumph – With consumer detections of HackTools up 42 percent, this is a threat to watch in 2020, bolstered by families such as MimiKatz, which also targeted businesses.

Dynamic duo does damage – TrickBot and Emotet once again reigned globally, targeting businesses heavily in the last year. Emotet was second-most detected threat against businesses in 2019.

mac threats growing

Meanwhile, TrickBot saw enormous growth, with business detections on-the-rise by 52 percent, year-over-year.

Ransomware is rampantRansomware targeted cities, schools and healthcare organizations with increased vigor in 2019. Newer ransomware families saw the highest growth, with Ryuk business detections up by 543 percent, year-over-year, and Sodinokibi increasing by 820 percent since its introduction in May 2019.

Beware of adware – Adware increased 13 percent, year-over-year, for consumers and 463 percent for businesses. Seven of the 10 top consumer threat families were adware variants, as well as five of the top 10 business threat families.

Pre-installed malware became pervasive – Top-rated mobile threat in 2019 was a team of pre-installed potentially unwanted program (PUP) variants that combined for 321,103 detections.

These auto installers ship with Android devices and are used to update the phone’s firmware—but they also take and sell personal information.

Just keep skimming – Credit card skimmers, or Magecart, were one of the most prevalent web threats in 2019. Magecart activity will continue in 2020 with more e-commerce platforms targeted.

Key targets shift – The services sector leapfrogged over education and retail, snagging the top spot for industries impacted by threats in 2019. Notably this includes managed service providers (MSPs), which are being leveraged to take advantage of their network of clients.

Emotet can spread to poorly secured Wi-Fi networks and computers on them

Here’s yet another reason to secure Wi-Fi networks and Windows user accounts with a strong enough password: researchers have spotted and analyzed a malware program that is able to spread the Emotet Trojan to nearby wireless networks and compromise computers on them.

emotet spread Wi-Fi networks

Emotet: An old threat

Emotet is one of the most versatile malware threats out there.

Its ability to download additional malware (more often than not the Trickbot Trojan – another huge enterprise threat) is just one of the things it’s capable of due to its modular nature.

Until now, Emotet was known to be able to deliver itself to other computers on the same network thanks to its propagation component, which spreads the malware via mounted shares or the use of exploits.

But, according to Binary Defense researchers, it now has another, even more dangerous propagation trick that allows it to “hop” onto other Wi-Fi networks and try to compromise computers on it.

A new spreading capability

“We retrieved this malware sample from an Emotet bot used for research and reverse-engineered the malware code using IDA Pro to determine how it operates,” Randy Pargman, senior director of threat hunting and counterintelligence at Binary Defense, told Help Net Security.

After the malware infects a computer that has Wi-Fi capability, it uses the wlanAPI interface to discover any Wi-Fi networks in the area: a neighbor’s Wi-Fi network, a free Wi-Fi network at a café, or a Wi-Fi network of a nearby business.

“Even if those networks are protected with a password required to join, the malware tries a list of possible passwords and if one of the guessed passwords works to connect to the Wi-Fi network, it will join the infected computer to that network,” Pargman explained.

“Once it is on the network, the malware scans all other computers connected to the same network for any Windows computers that have file sharing enabled. It then retrieves the list of all user accounts on those computers and attempts to guess the passwords to those accounts as well as the Administrator account. If any of the guessed passwords are correct, the malware copies itself to that computer and installs itself by running a remote command on the other computer.”

Lastly, is reports back to the command and control server to confirm the installation.

Some interesting details

One interesting thing discovered during the analysis is that the main executable file the malware uses for wireless spreading has a timestamp that dates back to April 2018 and was first submitted to VirusTotal a month later.

“The executable with this timestamp contained a hard-coded IP address of a Command and Control (C2) server that was used by Emotet. This hints that this Wi-Fi spreading behavior has been running unnoticed for close to two years,” noted James Quinn, a threat researcher at Binary Defense.

“This may be in part due to how infrequently the binary is dropped. Based on our records, 01/23/2020 was the first time that Binary Defense observed this file being delivered by Emotet, despite having data going back to when Emotet first came back in late August of 2019.”

Another thing that might explain the low profile of this malware is that its exploitation of the wlanAPI for network profiling will not be triggered if researchers run it in VMs/automated sandboxes with no Wi-Fi adapter.

Wuhan coronavirus exploited to deliver malware, phishing, hoaxes

The Wuhan coronavirus continues to spread and create anxiety across the globe, allowing malicious individuals and groups to exploit the situation to spread fake news, malware and phishing emails.

coronavirus phishing

Malicious coronavirus-themed campaings

IBM X-Force says that Japanese users have been receiving fake notifications about the coronavirus spreading in several prefectures, purportedly sent by a disability welfare service provider and a public health center.

The emails contains legitimate information taken from those services’ official websites and carries an attached .doc file that ostensibly contains more information.

“The content of the document itself is just an Office 365 message, instructing the viewer to enable the content (which is malicious), in case the document has been opened in protected view,” the researchers explained. The delivered malware is the Emotet downloader.

“We expect to see more malicious email traffic based on the coronavirus in the future, as the infection spreads. This will probably include other languages too, depending on the impact the coronavirus outbreak has on the native speakers. In these first samples, Japanese victims were probably targeted due to their proximity to China. Unfortunately, it is quite common for threat actors to exploit basic human emotions such as fear – especially if a global event has already caused terror and panic,” IBM X-Force researchers added.

Mimecast researchers spotted similar emails targeting English-speaking users, purportedly sent by a virologist from Singapore, carrying a malicious .pdf attachment.

KnowBe4 specialists warn about phishing emails that look like they’ve been sent by the US Centers for Disease Control and Prevention (CDC), linking to a web page that supposedly contains updated lists of new coronavirus infection cases in the US:

coronavirus phishing

Be careful, be aware

Cyber crooks and other malicious individuals are expected to continue to impersonate official notifications by legitimate institutions to spread malware or hoaxes (and panic).

Cybercriminals are known for using high-profile, global news stories to target users and trick them into doing something they otherwise wouldn’t do, but situations like this latest coronavirus outbreak are a gift that keeps on giving since each day comes with a new update and everybody is expecting official alerts.

KnowBe4’s CEO noted that users should be careful when it comes to anything related to the coronavirus – emails, attachments, social media posts, text messages.

As malware and network attacks increase in 2019, zero day malware accounts for 50% of detections

Amid significant increases in both malware and network attacks, multiple Apache Struts vulnerabilities – including one used in the devastating Equifax data breach – appeared for the first time on WatchGuard’s list of most popular network attacks in Q3 2019.

network attacks 2019

Massive fallout from the Equifax breach

The report also highlights a major rise in zero day malware detections and, increasing use of Microsoft Office exploits and legitimate penetration testing tools.

Apache Struts 2 Remote Code Execution enables attackers to install Python or make a custom HTTP request to exploit the vulnerability with just a few lines of code and obtain shell access to an exposed system. This threat was accompanied by two additional Apache Struts vulnerabilities on the top ten network attacks list in Q3 2019, as overall network attacks increased in volume by 8%.

The massive fallout from the Equifax breach put the severity of this vulnerability on full display and should serve as a reminder of how important it is for web admins to patch known flaws as soon as possible.

“Our latest threat intelligence showcases the variability and sophistication of cybercriminals’ growing playbook. Not only are they leveraging notorious attacks, but they’re launching evasive malware campaigns and hijacking products, tools and domains we use every day,” said Corey Nachreiner, CTO, WatchGuard Technologies.

“As threat actors continue to modify their tactics, organizations of every size must protect themselves, their customers and their partners with a set of layered security services that cover everything from the core network to endpoints, to the users themselves.”

Attackers continue to favor Microsoft Office exploits

Two malware variants affecting Microsoft Office products made WatchGuard’s top ten list of malware by volume, as well as the top ten most-widespread malware list last quarter. This indicates that threat actors are doubling down on both the frequency with which they leverage Office-based attacks, as well as the number of victims they’re targeting.

Both attacks were primarily delivered via email, which highlights why organizations should increasingly focus on user training and education to help them identify phishing attempts and other attacks leveraging malicious attachments.

Zero day malware instances spike to 50%, as overall malware detections rise

After stabilizing at around 38% of all malware detections over the past several quarters, zero day malware accounted for half of all detections in Q3. The overall volume of malware detected increased by 4% compared to Q2 2019, with a massive 60% increase over Q3 2018.

The fact that half of malware attacks in Q3 were capable of bypassing traditional signature-based solutions illustrates the need for layered security services that can protect against advanced, ever-evolving threats.

Cybercriminals may be leveraging legitimate pentesting tools for attacks

Two new malware variants involving Kali Linux penetration testing tools debuted on WatchGuard’s top ten list of malware by volume in Q3. The first was Boxter, a PowerShell trojan used to download and install potentially unwanted programs onto a victim’s device without consent.

The second was Hacktool.JQ, which represents the only other authentication attack tool besides Mimikatz (which dropped in prevalence by 48% compared to Q2, and 16% compared to Q3 2018) to make the list.

It’s unclear whether the rise in these detections comes from legitimate pentesting activities or malicious attackers leveraging readily available open source tools. Organizations must continue to leverage anti-malware services to prevent data theft.

Malware attacks targeting the Americas increase drastically

More than 42% of all malware attacks in Q3 2019 were aimed at North, Central and South America; up from just 27% in Q2. This represents a significant geographic shift in focus for attackers compared to last quarter, as EMEA and APAC (which were tied for the top regional malware target in Q2) accounted for 30% and 28% of all malware attacks in Q3, respectively.

Although the specific motivations are unclear, this trend indicates attackers are bringing new malware campaigns online that specifically target users in the Americas region.

Key security priorities for financial services: Preventing fraud and data leaks

The banking and financial services sector is struggling with a skills shortage along with the sheer volume of threats and alerts as it continues its ongoing battle against cybercrime, according to Blueliv.

security priorities financial services

With financial organizations a prime target for attacks, preventing fraud and data leakages is key to the sector’s security strategies – but it is getting harder as cyberthreats become increasingly diverse, sophisticated and malicious.

Rise in banking Trojans

Roughly a third of respondents are concerned about the impact banking Trojans (31 percent) and mobile malware (28 percent) will have on financial services organizations and their customers in 2020.

Tracking the latest evolving threats, researchers observed a 283 percent increase in botnets relating to Trickbot as well as a 130 percent increase in Dridex botnets. These botnets are linked to the distribution of banking Trojans and other malware families targeting the financial services sector.

The report also highlights that malware targeting mobile apps is one of the most rapidly developing threats to the financial services sector, with functionalities that allow criminals to gather user credentials as well as steal funds from mobile users’ bank accounts.

This is partly driven by the fact that cybercriminals can now easily buy malware builders in underground forums, and that these often include advanced evasion techniques so the malware remains undetected on infected devices.

Key security priorities for financial services include fraud prevention

While the financial services sector – by its very nature – has some of the most mature cyberdefense strategies and is ahead of many other industries in detecting and preventing economic crime, weak spots remain in some organizations’ fraud risk assessments. This is underlined by the fact that 35 percent of poll respondents named fraud prevention the most crucial element to an ongoing cybersecurity strategy.

Unauthorized transmission of data from within an organization to external recipients is another key concern, with 31 percent of respondents considering the prevention of data leaks the most important.

Just under a quarter (24 percent) would focus their security strategy around regulation and compliance requirements such as GDPR. In contrast to this, the same number of respondents (25 percent) named regulatory issues as the biggest challenge for financial services institutions developing ongoing security programs.

Visibility of threats is a challenge

According to the poll, financial services organizations encounter a range of issues as they build their security programs – the most pressing being a shortage of skills (28 percent), followed by the high volume of threats and alerts (26 percent) and a lack of visibility into cyberthreats (20 percent).

This is hardly surprising: as financial services institutions (FSIs) embrace digital processes and new customer interaction channels, so their attack surface grows, making it harder to keep on top of threats ranging from Point-of-Sale (PoS) to ATM malware, mobile apps malware to card skimmers.

“Organizations in the financial sector face a constantly changing threat landscape,” commented Daniel Solís, CEO and founder, Blueliv.

“Business priorities have shifted and digital risk management is now central. Because they are such high-value targets for cybercriminal activity, it is imperative that financial services organizations enhance their security priorities, and monitor what is happening both inside and outside their networks in real-time to create effective mitigation strategies before, during and after an attack.”

Solís continued, “FSI security teams can be easily overwhelmed by the number of threat alerts they receive which can very quickly result in alert fatigue and desensitization to real, preventable threats.

“Threat intelligence can address the cyber skills gap through continuous automated monitoring combined with human resource to provide context, helping FSIs develop highly-targeted threat detection, prevention and investigation capabilities.”

Healthcare spikes data breach fever, endpoint threat detections grow 60%

The healthcare industry has been overwhelmingly targeted by Trojan malware during the last year, which increased by 82 percent in Q3 2019 over the previous quarter, according to Malwarebytes. The two most dangerous Trojans of 2018–2019 for all industries, Emotet and TrickBot, were the two primary culprits. Emotet detections surged at the beginning of 2019, followed by a wave of TrickBot detections in the second half of the year, becoming the number one threat to … More

The post Healthcare spikes data breach fever, endpoint threat detections grow 60% appeared first on Help Net Security.

Researchers discover massive increase in Emotet activity

Emotet had a 730% increase in activity in September after being in a near dormant state, Nuspire discovered. Emotet, a modular banking Trojan, has added additional features to steal contents of victim’s inboxes and steal credentials for sending outbound emails. Those credentials are sent to the other bots in its botnet which are used to then transmit Emotet attack messages. When Emotet returned in September, it appeared with TrickBot and Ryuk ransomware to cause the … More

The post Researchers discover massive increase in Emotet activity appeared first on Help Net Security.

Will Antivirus Software Always Block Viruses?

Antivirus Detecting Virus

Working in the computer industry for over a dozen years and repairing ten’s of thousands of computers over that time has given me rather good insight into some of the most common mistakes home users make. Almost half of my computer repair business is from clients who are infected with a virus. Removing a virus from a computer can be easy at times with antivirus and other instances it seems like hell on earth.

Continue reading “Will Antivirus Software Always Block Viruses?”

Android Trojan Compromises Credit Card Details and Then Locks Your Mobile

This nasty two-year-old Android trojan has evolved into an all-around threat.

trojan1An Android trojan detected by Russian security firm Dr.Web as Android.SmsSpy.88 evolved in the past two years from simple spyware to banking trojan, and now to a mobile ransomware threat.

First detected in April 2014, the trojan was initially distributed via SMS spam, and once it infected victims, it was capable of intercepting phone calls and SMS messages, usually used for two-factor authentication systems.

As time went by, the Android.SmsSpy trojan evolved and added the ability to phish for credit card details using a Google Play Store-like interface, as well as to show interstitials mimicking popular Russian bank logins.
“Android.SmsSpy came back stronger and more powerful than ever”

The biggest update happened at the end of 2015, when Dr.Web says the trojan gained the ability to phish for credentials from almost any bank around the world, along with the capacity to lock the user’s screen and ask for a ransom.

This increase of functionality also had an effect on its distribution model, which switched from SMS spam to fake apps posing as an Android version of Adobe Flash Player.

Dr.Web also noticed that the trojan started using a very customizable bank phishing popup system, which allows trojan operators to modify the popup’s content much more easily and target any bank or payment processor they’d like.

“Trojan is chock-full of features”

These latest versions of Android.SmsSpy need administrative privileges, a constant Internet connection, and are packed full of dangerous features.

These include the ability to send USSD requests, intercept MMS messages, send SMS spam to all phone contacts, exfiltrate SMS messages and more.

botnet1All of these are managed from C&C servers, and Dr.Web claims it detected over 50 different master servers, commanding as many different botnets.
“Android.SmsSpy is rented from underground cyber-crime forums”

The large number of different botnets is explained by the fact that Android.SmsSpy’s creator is extremely busy with advertising and renting out his infrastructure to other criminals on the Dark Web.

Dr.Web researchers claim that Android.SmsSpy made victims in 200 countries and infected at least 40,000 mobile devices. The hardest-hit country was Turkey, which accounted for nearly one-fifth of all infections, followed by India, Spain, Australia, Germany, and France.

The most targeted Android version was 4.4 (35.71%), but Android.SmsSpy also infected almost all Android version between 2.3 and 5.2.

“Android.SmsSpy.88.origin acts not only as a banking Trojan and a spyware program but also as a ransomware Trojan, allowing attackers to make more money on gullible users,” Dr.Web reported this week.
Geographical distribution of Android.SmsSpy victims

By Catalin Cimpanu