Malware & other nasty IT / cyber things

[OUTLAW 09]

A Security researcher discovered that a Conexant audio driver shipped with dozens HP laptops and tablet PCs logs keystrokes.

Security researcher Thorsten Schroeder of security firm Modzero discovered that a Conexant audio driver shipped with many HP laptops and tablet PCs logs keystrokes. The expert discovered that#MicTray64.exe application, which is installed with the Conexant audio driver package,is registered as a scheduled task in Windows systems and is able to monitor keystrokes to determine if the user has pressed any audio-related keys (e.g. mute/unmute).

The keystrokes are logged to a file in the Users/Public folder Furthermore and are passed on to the OutputDebugString debugging API, allowing a process to access the data via the MapViewOfFile function.

Unfortunately, this feature can be abused to steal user data such as login credentials, a malware could access keystrokes without triggering security solutions monitoring for suspicious activities.

The researcher observed that an earlier version of the MicTray64 app released in December 2015 did not log keystrokes to a file, the dangerous feature was implemented starting from the version 1.0.0.46 released in October 2016.

“Actually, the purpose of the software is to recognize whether a special key has been pressed or released. Instead, however, the developer has introduced a number of diagnostic and debugging features to ensure that all keystrokes are either broadcasted through a debugging interface or written to a log file in a public directory on the hard-drive. This type of debugging turns the audio driver effectively into a keylogging spyware. On the basis of meta-information of the files, this keylogger has already existed on HP computers since at least Christmas 2015.”#Schroeder wrote in a blog post.

“There is no evidence that this keylogger has been intentionally implemented. Obviously, it is a negligence of the developers – which makes the software no less harmful,”

The flaw, tracked as CVE-2017-8360, affects 28 HP laptops and tablet PCs, including EliteBook, Elite X2, ProBook, and ZBook models. The experts at Modzero speculate other devices manufactured by other vendors that use Conexant hardware and drivers could be affected.
Users are invited to delete the MicTray64from \Windows\System32 and the MicTray.log log file from \Users\Public.

HP plans to fix the issue as soon as possible.

[OUTLAW 09]

The latest NCSC (UK) guidance on Ransomware

The NCSC are aware of a ransomware campaign relating to version 2 of the “WannaCry” malware affecting a wide range of organisations globally.# NCSC are working with affected organisations and partners to investigate and coordinate the response in the UK.

From investigations and analysis performed to date, we know that the malware encrypts files, provides the user with a prompt which includes; a ransom demand, a countdown timer and bitcoin wallet to pay the ransom into.

The malware uses the vulnerability MS17-010 to propagate through a network using the SMBv1 protocol. This enables the malware to infect additional devices connected to the same network.

The NCSC advise the following steps be performed in order to contain the propagation of this malware:
Deploy patch MS17-010:
https://technet.microsoft.com/en-us/.../ms17-010.aspx

A new patch has been made available for legacy platforms, and is available here:
https://blogs.technet.microsoft.com/...acrypt-attacks

If it is not possible to apply this patch, disable SMBv1.#There is guidance here:
https://support.microsoft.com/en-us/help/2696547

and/or block SMBv1 ports on network devices [UDP 137, 138#and TCP 139, 445]
If these steps are not possible, propagation can be prevented by shutting down vulnerable systems.

Work done in the security research community has prevented a number of potential compromises. To benefit from this, a system must be able to resolve and connect to the domain below at the point of compromise.
www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

Unlike most malware infections, your IT department should not block this domain.

Anti-virus vendors are increasingly becoming#able to detect and remediate this malware, therefore updating antivirus products will provide additional protection (though this will not recover any data that has already been encrypted).

The NCSC have previously published broader guidance on protecting your organisation from ransomware.

[OUTLAW 09]

Hackers are selling fake diplomas and certifications in the dark web
According to Israeli threat intelligence firm Sixgill, certifications and fake diplomas are very cheap and easy to buy in the dark web. It is quite easy to buy in dark#web marketplaces#any kind of illegal product and service, including#fake#certifications...

[OUTLAW 09]

Karmen Ransomware, a cheap RaaS service that implements anti-analysis features

Security experts from threat intelligence firm#Recorded Future have spotted a new ransomware as a service (RaaS) called Karmen. The service allows customers to easy create their ransomware campaign in a few steps and without specific skills.
Wannabe-crooks also track infected systems via a “Clients” tab, the Dashboard implements an efficient and easy to use cockpit that include various information such as the number of infected machines, earned revenue, and available updates for the malware.
The Karmen RaaS is very cheap, it costs just $175, buyers can decide the ransom#prices and the duration of the period in which the victims can pay the ransom.
The Karmen ransomware is based on the open-source ransomware Hidden Tear, which was released in August 2015 by the#Turkish security researchers Utku Sen for educational purposes.
The first Karmen infections#were reported in December 2016, the malware infected machines in Germany and the United States.
The Karmen ransomware is a multi-threaded and multi-language ransomware that supports .NET 4.0 and uses the AES-256 encryption standard.
The malware is .NET dependent and requires PHP 5.6 and MySQL.
“On March 4, 2017, a member of a top-tier cyber criminal community with the username “Dereck1” mentioned a new ransomware variant called “Karmen.” reported a blog post published by Recorded Future.
“Further investigation revealed that “DevBitox,” a Russian-speaking cyber criminal, was the seller behind the Karmen malware on underground forums in March 2017.”
“However, the first cases of infections with Karmen were reported as early as December 2016 by victims in Germany and the United States.”
Once infected a machine, the ransomware displays a ransom note with payment instructions, unlike similar malware, the Karmen ransomware#automatically deletes the decryptor when detecting a sandbox environment or any other analysis software.
“A notable feature of Karmen is that it automatically deletes its own decryptor if a sandbox environment or analysis software is detected on the victim’s computer.” continues the blog post.
Below the list of ransomware features#provided by DevBitox:
Multi-threaded
Multi-language
Supports .NET 4.0 and newer versions
Encryption algorithm: AES-256
Adaptive admin panel
Encrypts all discs and files
Separate BTC wallet for each victim
Small size
Automatic deletion of loader
Automatic deletion of malware (after payment was received)
Minimal connection with control server
Robust control panel
Almost FUD (1/35)
Automatic file decryption after received payment
T2W compatible
File extensions remain the same
Detection of anti-debugger/analyzers/VM/sandbox
Automatic deletion of decryptor if sandbox environment is detected on victim’s computer*
Light version: obfuscation and autoloader only
Full version: detection of analyzing software
The#ransomware is available for sale in both light and full versions, the light version doesn’t include anti-analysis features.

[OUTLAW 09]

Global ‘Wana’ Ransomware Outbreak Earned Perpetrators $26,000 So Far