Thread: Malware & other nasty IT / cyber things

  1. #1
    Council Member

    The Russian group Turla has continued to improve its Carbon backdoor, experts from ESET detected new versions released on a regular basis.

    The Russian APT group known as Turla (also known as Waterbug, KRYPTON and Venomous Bear) has continued to improve its Carbon backdoor, experts from ESET detected new versions released on a regular basis.

    Carbon is a second-stage backdoor that is used after an initial reconnaissance phase of an attack, it involves malware such as Tavdig.

    The Turla’s arsenal is composed of sophisticated hacking tools and malware tracked as Turla (Snake and Uroburos rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla. In June 2016, researchers from Kaspersky reported that the Turla APT had started using Icedcoffee, a JavaScript payload delivered via macro-enabled Office documents.

    The last time the researchers reported on Turla‘s activities was February 2017, when experts at Kaspersky Lab discovered a new piece of JavaScript malware linked to the group targeting organizations in Greece, Qatar, and Romania.

    Turla has been active since at least 2007, the hackers launched several high-profile attacks against targets worldwide, including the ones aimed at Swiss defense firm RUAG and the U.S. Central Command.

    Carbon, aka Pfinet, is one of the tools in the arsenal of the hacking crew; researchers from ESET described it as a lite version of Uroburos.

    Carbon is a second-stage backdoor that is typically deployed after the reconnaissance phase of an attack, it has several components, including a dropper, a command and control (C&C) communications element, an orchestrator, and a loader that executes the orchestrator.

    The orchestrator is used to inject the C&C communications library into a legitimate process, and dispatch the tasks received via the C&C library to other bots that are located on the network.

    Turla

    ESET has identified several versions of Carbon compiled last year; the most recent one was compiled on October 21, 2016. The newer versions of the Carbon malware make massive use of encryption.

    Almost every component is a DLL file, except for the loader, which is an EXE file.

    “The Turla group is known to be painstaking and work in stages, first doing reconnaissance on their victims’ systems before deploying their most sophisticated tools such as Carbon.

    A classic Carbon compromise chain starts with a user receiving a spearphishing email or visiting a previously compromised website, typically one that the user visits regularly — a technique known as a watering hole attack.” reads the analysis shared by ESET.

    “After a successful attack, a first stage backdoor — such as Tavdig or Skipper — is installed on the user machine. Once the reconnaissance phase is over, a second stage backdoor, like Carbon, is installed on key systems.”

    The threat actors behind Turla have modified their tools every time they were detected in the wild. Researchers observed that in the case of Carbon, the hackers changed file names and mutexes in version 3.8, released in the summer of 2016.

    Experts noticed that before the malware starts communicating with the C&C, it checks the infected system for the presence of packet capture software, such as Wireshark and Tcpdump.

    “Before communicating with the C&C server or with other computers, the malware ensures that none of the most common packet capture software is running on the system:

    • TCPdump.exe
    • windump.exe
    • ethereal.exe
    • wireshark.exe
    • ettercap.exe
    • snoop.exe
    • dsniff.exe”

  2. #2
    Council Member

    Over 20 million Gmail and 5 million Yahoo accounts available for sale on the Dark Web

    A vendor with the online moniker “SunTzu583” is reportedly selling millions of login credentials for Gmail and Yahoo accounts on a black market in the dark web. Over 20 million Gmail accounts and 5 million Yahoo accounts are available for sale; the huge trove of data is the result of previous massive data breaches.

    SunTzu583 is known to security experts; he specializes in the sale of stolen login credentials.

    A couple of weeks ago the colleagues at HackRead reported the sale of more than 1 million Gmail and Yahoo accounts by the same seller and a few days later, SunTzu583 started selling PlayStation accounts.

    Dark web Playstation accounts

    SunTzu583 offered 640,000 PlayStation accounts for USD 35.71 (0.0292 BTC); the dump includes emails and clear-text passwords.

    SunTzu583 confirmed that the archive was not directly stolen from the PlayStation network, but it does contain unique accounts of PlayStation users. The seller added that even if the accounts may work for other web services, they are first of all PlayStation accounts.

    Back to the present, the seller SunTzu583 is offering in separate listings millions of Gmail accounts.

    In three different listings, he is offering 4,928,888 accounts.

    “The total number of Gmail accounts being sold are 4,928,888 which have been divided into three different listings. All three listings contain 2,262,444 accounts including emails and their clear text passwords.” reports the analysis published by HackRead. “In the description of these listings, SunTzu583 has mentioned that “Not all these combinations work directly on Gmail, so don’t expect that all these email and passwords combinations work on Gmail.””

    The researchers at HackRead who have compared the listings with Hacked-DB and Have I been pwned repositories confirmed that the sources of the data are past data breaches including LinkedIn (117 million accounts), Adobe (153 million accounts) and Bitcoin Security Forum (5 million Gmail passwords).

  3. #3
    Council Member

    Experts from security firm Sixgill have discovered a new strain of the macOS Proton RAT that is offered for sale on the Russian cybercrime underground.

    The Dark Web is the right place to find any kind of illegal products and services; malware such as banking trojans and spyware is very popular in the cyber criminal underground.

    A new remote access tool (RAT) specifically designed to infect macOS systems is currently being advertised on the Russian cybercrime underground. The researchers at security firm Sixgill discovered the advertising on crime forums and on a custom website; this threat is also described in videos published on YouTube.

    https://youtu.be/JA7sfDc9Ad0

    The Proton homepage went down just after the experts at Sixgill published the report.

    “Sixgill researchers have encountered a post in one of the leading, closed Russian cybercrime message boards. The author of the thread announced a RAT dubbed Proton, intended for installation exclusively on MAC OS devices. The author offered this product in one of the leading underground cybercrime markets.” reads a report published by Sixgill.

    The Proton RAT first appeared in the threat landscape last year; the variant recently advertised on hacking forums includes many features such as the ability to execute console commands, access the user’s webcam, log keystrokes, capture screenshots and open SSH/VNC remote connections. The malicious code is also able to inject code into the user’s browser to display popups asking victims for information such as credit card numbers, login credentials, and more.

    “The malware includes root-access privileges and features allowing an attacker to obtain full control of the victim’s computer. Its capabilities include: running real-time console commands and file-manager, keylogging, SSH/VNC connectivity, screenshots, webcam operation and the ability to present a custom native window requesting information such as a credit-card, driver’s license and more. The malware also boasts the capability of iCloud access, even when two-factor authentication is enabled.” continues the report.

    According to the author, macOS Proton RAT is written in native Objective-C and is fully undetected by any existing MAC OS antivirus solution.

    Below the list of features described in the ad:

    macOS Proton RAT

    The Proton RAT has root access and is able to elude standard macOS security features; it is also able to bypass two-factor authentication on iCloud accounts.

    Researchers speculate that macOS Proton RAT leverages a zero-day vulnerability in macOS, but the most interesting characteristic of the threat is that the malicious code is signed with genuine Apple code-signing certificates. It is likely the author has managed to falsify registration to the Apple Developer ID Program or has stolen the credentials of an Apple developer.

    “The real threat behind the software is this: The malware is shipped with genuine Apple code-signing signatures. This means the author of Proton RAT somehow got through the rigorous filtration process Apple places on MAC OS developers of third-party software, and obtained genuine certifications for his program. Sixgill evaluates that the malware developer has managed to falsify registration to the Apple Developer ID Program or used stolen developer credentials for the purpose.” reads the report.

    The price for the macOS Proton RAT ranged from $1,200 to $830,000 for the entire project (an absurd price). Below are the versions advertised on the Proton website:

    Standard Edition

    I) License to control only ONE remote machine
       1) 1 BTC — unsigned
       2) 2 BTC — signed
    II) License to control 20 remote machines
       1) 10 BTC — unsigned
       2) 11 BTC — signed
    III) License to control infinite remote machines
       1) 66 BTC — unsigned
       2) 76 BTC — signed

    Extended edition

    I) License to control infinite remote machines
       1) 166 BTC — unsigned
       2) 200 BTC — signed
    II) License to control infinite remote machines on your own server
       1) 366 BTC — without source code
       2) 666 BTC — with full source code

    Researchers noticed that the authors of the malware try to disguise their spyware as legitimate surveillance software.

  4. #4
    Council Member

    The Sundown EK has been inactive since early this year, while the Terror EK is becoming very popular in the cybercriminal ecosystem.

    One year ago the Angler EK and Nuclear EK disappeared from the threat landscape, while the Sundown EK was conquering the criminal underground.

    What’s happening now?

    The Sundown EK has been inactive since early this year, while the Terror EK is becoming very popular in the cybercriminal ecosystem.

    Last week, Cisco Talos published an analysis of Sundown EK; the experts detailed the improvements of the EK, which presented many similarities with the RIG exploit kit.

    “Sundown is an exploit kit in transition, it has stopped using calling cards and other easily ways to identify its activity. It is one of the few exploit kits adding any new exploits to their arsenal, albeit stolen. At the same time they consistently steal exploits and technologies from other people and competitors.” reads the analysis of the Talos group. “The exploit kit landscape has been struggling to find its footing since the major players have left. It still appears to be in transition with RIG and Sundown being the primary players left as an option for those looking to compromise random victims while browsing the web.”

    The Sundown EK was not as sophisticated as other large exploit kits.

    Security experts at Talos noticed a long period of inactivity of the Sundown EK; variants of the kit also disappeared from the scene, including Bizarro and Greenflash.

    This silence led the experts to believe that the threat actor ceased operations.

    “Many security researchers tracking exploit kits have noted the lack of Sundown EK activity for several weeks now. A post from Cisco’s Talos team came off as a bit of a surprise at the end of March (Threat Spotlight: Sundown Matures), but any doubts were squashed by this tweet on April 8th (Sundown (Beps) and Nebula out ? More than one month since last hits).” reads a blog post published by MalwareBytes.

    “Also, whatever happened to Bizarro and Greenflash Sundown EKs? Whether this is a temporary break or yet another dead EK, time will tell.”

    Recently, experts observed a significant increase in hacking campaigns leveraging the Terror EK.

    Because of similarities with Sundown EK, experts at MalwareBytes initially thought that the Terror EK was simply a new variant of Sundown, but further investigation revealed that it was actually from a different actor (so-called Terror EK by Trustwave).

    The Terror EK was advertised on various underground forums by a hacker with the online moniker @666_KingCobra, who is offering it for sale under different names (i.e. Blaze, Neptune, and Eris).

    Experts at Malwarebytes Labs said that the Terror EK was used in a malvertising campaign distributing the Smoke Loader by exploiting Internet Explorer, Flash, and Silverlight exploits.

    The Terror EK was also involved in a newer campaign using a different landing page that distributes the Andromeda malware.

    The compromised websites are leveraged to redirect visitors to the exploit kit landing page via a server 302 redirect, done via script injection.

    Terror EK

    “Sundown EK was notorious for stealing exploits from others and the tradition continues with more copy/paste from the ashes of dead exploit kits. If this harvesting was done on higher grade EKs, we would have a more potent threat but this isn’t the case here,” Malwarebytes concludes.
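    The redirect mechanism described above (a compromised site answering with a 302 to an exploit kit landing page that then serves Flash/Silverlight objects) can be hunted for in proxy logs. The following is an added illustration, not code from Malwarebytes, Talos or any vendor; it assumes a simple space-separated log format with the Location header recorded, and the sample lines and domain names are constructed.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample lines (not real traffic). Field order, space separated:
# time client status url referer location   ('-' when a field is absent)
SAMPLE_LOG = """\
10:00:01 10.0.0.5 200 http://news-site.example/index.html - -
10:00:02 10.0.0.5 302 http://news-site.example/inj.php http://news-site.example/index.html http://gate.example.net/land?x=1
10:00:02 10.0.0.5 200 http://gate.example.net/land?x=1 http://news-site.example/index.html -
10:00:03 10.0.0.5 200 http://gate.example.net/a.swf http://gate.example.net/land?x=1 -
10:00:04 10.0.0.7 200 http://news-site.example/index.html - -
10:00:05 10.0.0.7 302 http://news-site.example/go http://news-site.example/index.html http://cdn.news-site.example/logo.png
10:00:05 10.0.0.7 200 http://cdn.news-site.example/logo.png http://news-site.example/index.html -
"""

PAYLOAD_EXTS = (".swf", ".xap", ".jar")   # Flash, Silverlight, Java objects


def parse_line(line):
    time, client, status, url, referer, location = line.split()
    return {"time": time, "client": client, "status": int(status),
            "url": url, "referer": referer, "location": location}


def host(url):
    return (urlparse(url).hostname or "").lower()


def find_redirect_chains(log_text):
    """Return (client, origin_host, landing_url, payload_urls) tuples.

    A chain is: a 302 from host A whose Location points to a foreign host B,
    followed by the same client fetching that Location, plus any plugin
    payloads whose referer is the landing URL.
    """
    by_client = defaultdict(list)
    for line in log_text.strip().splitlines():
        e = parse_line(line)
        by_client[e["client"]].append(e)
    chains = []
    for client, events in by_client.items():
        for i, e in enumerate(events):
            if e["status"] != 302 or e["location"] == "-":
                continue
            origin, target = host(e["url"]), host(e["location"])
            # redirects staying on the site or its subdomains are treated as benign
            if target == origin or target.endswith("." + origin):
                continue
            later = events[i + 1:]
            if not any(x["url"] == e["location"] for x in later):
                continue
            payloads = [x["url"] for x in later
                        if x["referer"] == e["location"]
                        and x["url"].lower().endswith(PAYLOAD_EXTS)]
            chains.append((client, origin, e["location"], payloads))
    return chains


if __name__ == "__main__":
    for client, origin, landing, payloads in find_redirect_chains(SAMPLE_LOG):
        print(f"{client}: {origin} -> {landing} payloads={payloads}")
```

A cross-site 302 alone is common (ad networks, CDNs); the plugin payload fetch referred by the landing page is the part worth alerting on.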

  5. #5
    Council Member

    Lawyers, malware, and money: The antivirus market’s nasty fight over Cylance

    On the front lines of the antivirus industry's "testing wars."

    Sean Gallagher - 4/17/2017, 1:00 PM

    https://arstechnica.com/information-...re-that-wasnt/

  6. #6
    Council Member

    Quote Originally Posted by OUTLAW 09
    IoT malware clashes in a botnet territory battle
    http://www.cio.com/article/3190179/s...y-battle.html#
    … via @CIOonline
    Hajime IoT malware, is it the work of vigilante hacker?

    Mirai -- a notorious malware that's been enslaving IoT devices -- has competition.
    A rival piece of programming has been infecting some of the same easy-to-hack internet-of-things products, with a resiliency that surpasses Mirai, according to security researchers.
    "You can almost call it Mirai on steroids," said Marshal Webb, CTO at BackConnect, a provider of services to protect against distributed denial-of-service (DDoS) attacks.
    Security researchers have dubbed the rival IoT malware Hajime, and since it was discovered more than six months ago, it's been spreading unabated and creating a botnet. Webb estimates it's infected about 100,000 devices across the globe.

    These botnets, or networks of enslaved computers, can be problematic. They're often used to launch massive DDoS attacks that can take down websites or even disrupt the internet’s infrastructure.
    That’s how the Mirai malware grabbed headlines last October. A DDoS attack from a Mirai-created botnet targeted DNS provider Dyn, which shut down and slowed internet traffic across the U.S.
    Hajime was first discovered in the same month, when security researchers at Rapidity Networks were on the lookout for Mirai activity. What they found instead was something similar, but also more tenacious.
    Like Mirai, Hajime also scans the internet for poorly secured IoT devices like cameras, DVRs, and routers. It compromises them by trying different username and password combinations and then transferring a malicious program.

    However, Hajime doesn’t take orders from a command-and-control server like Mirai-infected devices do. Instead, it communicates over a peer-to-peer network built off protocols used in BitTorrent, resulting in a botnet that's more decentralized -- and harder to stop.
    "Hajime is much, much more advanced than Mirai," Webb said. "It has a more effective way to do command and control."
    Broadband providers have been chipping away at Mirai-created botnets, by blocking internet traffic to the command servers they communicate with. In the meantime, Hajime has continued to grow 24/7, enslaving some of the same devices. Its peer-to-peer nature means many of the infected devices can relay files or instructions to the rest of the botnet, making it more resilient against any blocking efforts.

    Who's behind Hajime? Security researchers aren’t sure. Strangely, they haven't observed the Hajime botnet launching any DDoS attacks -- which is good news. A botnet of Hajime’s scope is probably capable of launching a massive one similar to what Mirai has done.
    "There’s been no attribution. Nobody has claimed it," said Pascal Geenens, a security researcher at security vendor Radware.
    However, Hajime does continue to search the internet for vulnerable devices. Geenens' own honeypot, a system that tracks botnet activity, has been inundated with infection attempts from Hajime-controlled devices, he said.
    So the ultimate purpose of this botnet remains unknown. But one scenario is it'll be used for cybercrime to launch DDoS attacks for extortion purposes or to engage in financial fraud.
    "It's a big threat forming," Geenens said. "At some point, it can be used for something dangerous."
    It’s also possible Hajime might be a research project. Or in a possible twist, maybe it's a vigilante security expert out to disrupt Mirai.
    So far, Hajime appears to be more widespread than Mirai, said Vesselin Bontchev, a security expert at Bulgaria's National Laboratory of Computer Virology.
    However, there's another key difference between the two malware. Hajime has been found infecting a smaller pool of IoT devices using ARM chip architecture.
    That contrasts from Mirai, which saw its source code publicly released in late September. Since then, copycat hackers have taken the code and upgraded the malware. Vesselin has found Mirai strains infecting IoT products that use ARM, MIPS, x86, and six other platforms.
    That means the clash between the two malware doesn’t completely overlap. Nevertheless, Hajime has stifled some of Mirai’s expansion.
    "There's definitely an ongoing territorial conflict," said Allison Nixon, director of security research at Flashpoint.
    To stop the malware, security researchers say it's best to tackle the problem at its root, by patching the vulnerable IoT devices. But that will take time and, in other cases, it might not even be possible. Some IoT vendors have released security patches for their products to prevent malware infections, but many others have not, Nixon said.
    That means Hajime and Mirai will probably stick around for a long time, unless those devices are retired.
    "It will keep going," Nixon said. "Even if there's a power outage, [the malware] will just be back and re-infect the devices. It's never going to stop."
