Viruses and Worms

Microsoft: The Kremlin's hackers are already sniffing, probing around America's 2018 elections

The Register - Anti-Virus - 20 July 2018 - 23:04
Russia's Fancy Bear crew caught gearing up for mid-terms

Microsoft says it has already uncovered evidence of Russian government-backed hacking gangs attempting to interfere in the 2018 US mid-term elections.…

Category: Viruses and Worms

Massive Malspam Campaign Finds a New Vector for FlawedAmmyy RAT

VirusList.com - 20 July 2018 - 22:57
Hundreds of thousands of emails are delivering weaponized PDFs containing malicious SettingContent-ms files.
Category: Viruses and Worms

D-Link, Dasan Routers Under Attack In Yet Another Assault

VirusList.com - 20 July 2018 - 22:24
Dasan and D-Link routers running GPON firmware are being targeted by hackers in an attempt to create a botnet.
Category: Viruses and Worms

Friday FYI: 9 out of 10 of website login attempts? Yeah, that'll be hackers

The Register - Anti-Virus - 20 July 2018 - 22:18
Credential stuffing is rampant – so try not to reuse the same password on every site, eh?

Up to 90 per cent of the average online retailer's login traffic is generated by cybercriminals trying their luck with credential stuffing attacks, Shape Security estimated in its latest Credential Spill Report.…

Category: Viruses and Worms

Crypto gripes, election security, and mandatory cybersec school: Uncle Sam's cyber task force emits todo list for govt

The Register - Anti-Virus - 20 July 2018 - 21:12
In detail: The threats facing America's computer networks

The US Department of Justice (DOJ) this week released the first report from its Cyber Digital Task Force – which was set up in February to advise the government on strengthening its online defenses.…

Category: Viruses and Worms

Newsmaker Interview: Troy Mursch on Why Cryptojacking Isn’t Going Away

VirusList.com - 20 July 2018 - 20:45
Criminals have found a mischievous way to mine cryptocurrency. Security researcher Troy Mursch sounds off on why this tricky trend isn't going away anytime soon.
Category: Viruses and Worms

Doctor, doctor, I feel like my IoT-enabled vacuum cleaner is spying on me

The Register - Anti-Virus - 20 July 2018 - 18:31
Snooping on the built-in cam? Remotely controlling it? Well, that sucks *ba-dum tsh*

Vulnerabilities in a range of robot vacuum cleaners allow miscreants to access the gadgets' camera, and remote-control the gizmos.…

Category: Viruses and Worms

ThreatList: A Ranking of Airports By Riskiest WiFi Networks

VirusList.com - 20 July 2018 - 18:29
Airport TSA agents don’t check terminals for insecure WiFi networks, so stay on your toes when using hotspots at these airports.
Category: Viruses and Worms

Chinese Hackers Mount Espionage Campaign During Trump-Putin Summit

VirusList.com - 20 July 2018 - 18:05
An uncharacteristic spate of strikes against IoT devices in Finland during the summit was likely an indicator of a coordinated cyberespionage effort, researchers said.
Category: Viruses and Worms

Cybercrooks slurp nearly $1m from Russian bank after pwning router at regional branch

The Register - Anti-Virus - 20 July 2018 - 16:30
MoneyTaker lives up to its name

Hackers stole almost $1m from a Russian bank earlier this month after breaching its network via an outdated router.…

Category: Viruses and Worms

Read from the right, run from the left: they are trying to fool us again! (Čti zprava, spouštěj zleva, aneb zase nás chtějí ošálit!)

VIRY.CZ - 20 July 2018 - 15:54

On welivesecurity.com you can find more information about the Quasar, Sobaken and Vermin espionage malware that operated in Ukraine, but something else caught my attention, something any of us could run into…

This is nothing new, but I have not mentioned it here before, and it is one of the many ways to fool a user. If you open Word, type the keys 2, 0, 2, e in a new document and then press ALT + X, from that moment on Word writes everything from right to left. The character responsible, Unicode U+202E (right-to-left override), does the same thing inside a file name. You, the user, then see a different file name than the one the computer sees (how much differs depends on the particular application). Simply an ideal tool for attackers! You see, for example, the innocent-looking name posledni_varovani_exekuce_rcs.docx, while the computer processes it as posledni_varovani_exekuce_xcod.scr. What matters to the computer is the last extension in the name, which here is SCR, and that is just as executable as EXE. The trick is that after the last underscore the attacker inserted the magic U+202E character and then typed the rest as the keystrokes xcod.scr, which the override displays reversed as rcs.docx. After that it only depends on how each application renders the name. My mail client, for example, shows it as an innocent-looking document, whereas the WinRAR archiver flags the reversal of direction with an arrow.

This is what you see (a .DOCX document), but the computer sees it differently (an executable .SCR file)…


This is how WinRAR "warns" about the direction reversal, i.e. you see the name the same way the computer handles it.
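The check described in the post, as an added example (editor's code, not from VIRY.CZ): it shows the user's view of a file name next to the name the operating system actually uses, lists every Unicode bidi control in it, and flags a mismatch between the displayed and the real extension. The sample names are constructed here; the "rendered" view approximates a viewer that honours the override (text after U+202E is shown reversed until a U+202C pop or the end of the string), which is what the post's mail client does and WinRAR does not.

```python
"""Reveal what a right-to-left override (U+202E) hides in a file name.
Editor's example, not code from the original post; sample names are constructed."""

# Bidi embedding/override/isolate controls that can disguise a file name.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
# Extensions Windows executes directly (SCR, as the post notes, is as good as EXE).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse",
                   "wsf", "hta", "msi", "lnk", "ps1"}


def rendered_name(name):
    """Approximate display of `name` by a viewer that honours bidi controls:
    text after an RLO (U+202E) is shown reversed until a PDF (U+202C) or the
    end of the string; the control characters themselves are invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1                      # other controls do not reorder here
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def extension(name):
    """Last extension of the file name, which is what the OS acts on."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def inspect_filename(name):
    """What the OS executes versus what the user sees, plus a verdict."""
    shown = rendered_name(name)
    controls = [(i, "U+%04X" % ord(c), BIDI_CONTROLS[c])
                for i, c in enumerate(name) if c in BIDI_CONTROLS]
    real_ext, shown_ext = extension(name), extension(shown)
    return {
        "real": name,
        "shown": shown,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "bidi_controls": controls,
        # Any bidi control in a file name is suspicious; a control that also
        # changes the visible extension or hides an executable is the attack.
        "suspicious": bool(controls),
        "disguised_extension": bool(controls) and real_ext != shown_ext,
        "hidden_executable": bool(controls) and real_ext in EXECUTABLE_EXTS,
    }


# Constructed samples: the post's example (typed as "_" + U+202E + "xcod.scr"),
# a classic "invoice" lure, and a benign name.
SAMPLES = [
    "posledni_varovani_exekuce_\u202excod.scr",
    "invoice_\u202efdp.exe",
    "report_2018.docx",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        r = inspect_filename(sample)
        print("shown: %-40s real: %-40s ext %s/%s suspicious=%s"
              % (r["shown"], r["real"].encode("unicode_escape").decode(),
                 r["shown_ext"], r["real_ext"], r["suspicious"]))
```

Run it over a directory listing (or over attachment names pulled from a mail gateway) rather than over the eye: the point is that `extension(name)` is computed on the raw string, exactly as the OS does it, while `rendered_name` reproduces the view that fooled the user.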

Have a nice weekend free of vermin!

The post Čti zprava, spouštěj zleva, aneb zase nás chtějí ošálit! appeared first on VIRY.CZ.

Category: Viruses and Worms

UK's Huawei handler dials back support for Chinese giant's kit in critical infrastructure

The Register - Anti-Virus - 20 July 2018 - 14:17
'Limited assurance' that there is no risk to national security

A UK government-run oversight board has expressed misgivings about the security of telecoms kit from Chinese firm Huawei.…

Category: Viruses and Worms

Hackers hold 80,000 healthcare records to ransom

Sophos Naked Security - 20 July 2018 - 13:50
CarePartners said its forensic investigation identified 1500 affected records - the hackers say they took 80,000.

Roblox says hacker injected code that led to avatar’s gang rape

Sophos Naked Security - 20 July 2018 - 13:29
Roblox was moving some older, user-generated games to a newer, more secure system when the attack took place, it says.

Basic email blunder exposed possible victims of child sexual abuse

Sophos Naked Security - 20 July 2018 - 12:41
The Independent Inquiry into Child Sexual Abuse sent out a mass emailing in which a staffer mistakenly used "To" instead of "Bcc".

Privacy – can you have too much of a good thing? [PODCAST]

Sophos Naked Security - 20 July 2018 - 12:02
Catch up with Day 4 of our Security SOS Week - here's the fourth episode of our week-long online security summit.

Calisto Trojan for macOS

Kaspersky Securelist - 20 July 2018 - 12:00

An interesting aspect of studying a particular piece of malware is tracing its evolution and observing how the creators gradually add new monetization or entrenchment techniques. Also of interest are developmental prototypes that have had limited distribution or not even occurred in the wild. We recently came across one such sample: a macOS backdoor that we named Calisto.

The malware was uploaded to VirusTotal way back in 2016, most likely the same year it was created. But for two whole years, until May 2018, Calisto remained off the radar of antivirus solutions, with the first detections on VT appearing only recently.

Malware for macOS is not that common, and this sample was found to contain some suspiciously familiar features. So we decided to unpick Calisto to see what it is and why its development was stopped (or was it?).

Propagation

We have no reliable information about how the backdoor was distributed. The Calisto installation file is an unsigned DMG image posing as Intego's security solution for Mac. Interestingly, Calisto's authors chose the ninth version of the program as their cover, a version that is still current.

For illustrative purposes, let’s compare the malware file with the version of Mac Internet Security X9 downloaded from the official site.

Backdoor: Unsigned
Intego Mac Internet Security 2018: Signed by Intego

It looks fairly convincing. The user is unlikely to notice the difference, especially if they have not used the app before.

Installation

As soon as it starts, the application presents a sham license agreement. The text differs slightly from Intego's; perhaps the cybercriminals took it from an earlier version of the product.

Next, the “antivirus” asks for the user’s login and password, which is completely normal when installing a program able to make changes to the system on macOS.

But after receiving the credentials, the program pauses briefly before reporting that an error has occurred and advising the user to download a new installation package from the official site of the antivirus developer.

The technique is simple, but effective. The official version of the program will likely be installed with no problems, and the error will soon be forgotten. Meanwhile, in the background, Calisto will be calmly getting on with its mission.

Analysis of the Trojan With SIP enabled

Calisto's activity on a computer with SIP (System Integrity Protection) enabled is rather limited. Announced by Apple in 2015 alongside the release of OS X El Capitan, SIP is designed to protect critical system files from modification, even by a user with root permissions. Calisto was developed in 2016 or earlier, and it seems its creators simply did not take the then-new technology into account. However, many users still disable SIP for various reasons; we categorically advise against doing so.

Calisto's activity can be investigated using its child-process log and decompiled code:

Log of commands executed by the Trojan during its operation

Hardcoded commands inside the Calisto sample

We can see that the Trojan uses a hidden directory named .calisto to store:

  • Keychain storage data
  • Data extracted from the user login/password window
  • Information about the network connection
  • Data from Google Chrome: history, bookmarks, cookies

Recall that Keychain stores passwords/tokens saved by the user, including ones saved in Safari. The encryption key for the storage is the user’s password.

Next, if SIP is enabled, an error occurs when the Trojan attempts to modify system files. This breaks the Trojan's operational logic and it stops.

Error message

With SIP disabled/not available

Observing Calisto with SIP disabled is far more interesting. To begin with, Calisto executes the steps from the previous chapter, but as the Trojan is not interrupted by SIP, it then:

  • Copies itself to the /System/Library/ folder
  • Sets itself to launch automatically on startup
  • Unmounts and uninstalls its DMG image
  • Adds itself to Accessibility
  • Harvests additional information about the system
  • Enables remote access to the system
  • Forwards the harvested data to a C&C server

Let’s take a closer look at the malware’s implementation mechanisms.

Adding itself to startup is a classic technique for macOS, and is done by creating a .plist file in the /Library/LaunchAgents/ folder with a link to the malware:


The DMG image is unmounted and uninstalled via the following command:

To extend its capabilities, Calisto adds itself to Accessibility by directly modifying the TCC.db file, which is bad practice and a clear indicator of malicious activity to antivirus software. On the other hand, this method requires no user interaction.

An important feature of Calisto is getting remote access to the user system. To provide this, it:

  • Enables remote login
  • Enables screen sharing
  • Configures remote login permissions for the user
  • Allows remote login to all
  • Enables a hidden “root” account in macOS and sets the password specified in the Trojan code

The commands used for this are:

Note that although the user "root" exists in macOS, it is disabled by default. Interestingly, after a reboot Calisto again requests user data, but this time waits for the actual root password, which it previously changed itself (root: aGNOStIC7890!!!). This is one indication of the Trojan's unfinished state.
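The persistence, Accessibility tampering and staging-directory behaviour described above, turned into an offline host-triage check. This is an added example by the editor, not Kaspersky's tooling: the LaunchAgents folder, the /System/Library/ copy location, the label string com.proton.calisto, the .calisto directory name and the two MD5s come from the write-up; the placement of .calisto under the user's home, the simplified TCC.db schema (an `access` table with service, client, client_type and allowed columns, as in 2016-era macOS) and every file that build_fixture() creates are constructed assumptions so the script runs on any OS. On a real Mac you would point it at /Library/LaunchAgents and ~/Library/Application Support/com.apple.TCC/TCC.db instead of the fixture.

```python
"""Offline triage for the Calisto indicators: suspicious LaunchAgents,
Accessibility grants in TCC.db, the hidden .calisto directory and the two
published MD5s. Editor's example, not Kaspersky's code; fixture data is constructed."""
import hashlib
import os
import plistlib
import sqlite3
import tempfile

# MD5s published at the end of the write-up.
KNOWN_MD5 = {
    "d7ac1b8113c94567be4a26d214964119",  # DMG image
    "2f38b201f6b368d587323a1bec516e5d",  # Mach-O executable
}
LABEL_TOKENS = ("proton", "calisto")


def suspicious_launch_agents(agents_dir):
    """LaunchAgent plists whose Label mentions Proton/Calisto or whose program
    lives under /System/Library (where Calisto copies itself; with SIP on,
    nothing user-installed should run from there)."""
    hits = []
    for fname in sorted(os.listdir(agents_dir)):
        if not fname.endswith(".plist"):
            continue
        with open(os.path.join(agents_dir, fname), "rb") as fh:
            try:
                data = plistlib.load(fh)
            except plistlib.InvalidFileException:
                hits.append((fname, "unparseable plist"))
                continue
        label = str(data.get("Label", "")).lower()
        args = data.get("ProgramArguments") or []
        program = data.get("Program") or (args[0] if args else "")
        if any(tok in label for tok in LABEL_TOKENS):
            hits.append((fname, "label %r references Proton/Calisto" % label))
        elif str(program).startswith("/System/Library/"):
            hits.append((fname, "launches %s from /System/Library" % program))
    return hits


def accessibility_clients(tcc_db):
    """Clients granted Accessibility. Assumed simplified schema:
    access(service, client, client_type, allowed)."""
    con = sqlite3.connect(tcc_db)
    try:
        rows = con.execute(
            "SELECT client FROM access WHERE service = 'kTCCServiceAccessibility' "
            "AND allowed = 1 ORDER BY rowid").fetchall()
    finally:
        con.close()
    return [r[0] for r in rows]


def matches_known_sample(path):
    """True if the file's MD5 is one of the published Calisto hashes."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest() in KNOWN_MD5


def triage(home, agents_dir, tcc_db, candidate_files=()):
    return {
        "launch_agents": suspicious_launch_agents(agents_dir),
        "accessibility": accessibility_clients(tcc_db),
        "staging_dir": os.path.isdir(os.path.join(home, ".calisto")),  # assumed location
        "known_samples": [p for p in candidate_files if matches_known_sample(p)],
    }


def build_fixture(root):
    """Constructed mock of an infected home directory (contains no real malware)."""
    agents = os.path.join(root, "Library", "LaunchAgents")
    os.makedirs(agents)
    os.makedirs(os.path.join(root, ".calisto"))
    plists = {
        "com.example.updater.plist": {"Label": "com.example.updater",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]},
        "com.proton.calisto.plist": {"Label": "com.proton.calisto",
            "ProgramArguments": ["/System/Library/calisto"]},   # hypothetical path
    }
    for fname, content in plists.items():
        with open(os.path.join(agents, fname), "wb") as fh:
            plistlib.dump(content, fh)
    tcc = os.path.join(root, "TCC.db")
    con = sqlite3.connect(tcc)
    con.execute("CREATE TABLE access(service TEXT, client TEXT, client_type INTEGER, allowed INTEGER)")
    con.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        ("kTCCServiceAccessibility", "com.apple.Terminal", 0, 1),
        ("kTCCServiceAccessibility", "/System/Library/calisto", 1, 1),
        ("kTCCServiceAccessibility", "com.example.denied", 0, 0),
    ])
    con.commit()
    con.close()
    dmg = os.path.join(root, "Intego.dmg")
    with open(dmg, "wb") as fh:
        fh.write(b"placeholder, not the real sample")
    return agents, tcc, dmg


def demo():
    with tempfile.TemporaryDirectory() as home:
        agents, tcc, dmg = build_fixture(home)
        return triage(home, agents, tcc, [dmg])


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The Accessibility query is the part worth keeping in mind: a legitimate grant goes through the system prompt, so any client in that table that the user does not recognise, and in particular anything living under /System/Library/, is the direct trace of the TCC.db tampering the write-up describes.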

At the end, Calisto attempts to transfer all data from the .calisto folder to the cybercriminals’ server. But at the time of our research, the server was no longer responding to requests and seemed to be disabled:



Attempt to contact the C&C server

Extra functions

Static analysis of Calisto revealed unfinished and unused additional functionality:

  • Loading/unloading of kernel extensions for handling USB devices
  • Data theft from user directories
  • Self-destruction together with the OS

Loading/unloading of kernel extensions

Working with user directories

Self-destruction together with the entire system

Connections with Backdoor.OSX.Proton

Conceptually, the Calisto backdoor resembles a member of the Backdoor.OSX.Proton family:

  • The distribution method is similar: it masquerades as a well-known antivirus (a Backdoor.OSX.Proton was previously distributed under the guise of a Symantec antivirus product)
  • The Trojan sample contains the line “com.proton.calisto.plist”
  • Like Backdoor.OSX.Proton, this Trojan is able to steal a great amount of personal data from the user system, including the contents of Keychain

Recall that all known members of the Proton malware family were distributed and discovered in 2017, whereas the Calisto Trojan we detected was created no later than 2016. Assuming the same authors wrote it, it could well be one of the very first versions of Backdoor.OSX.Proton, or even a prototype. The latter hypothesis is supported by the large number of unused and not fully implemented functions, which are absent from later versions of Proton.

To protect against Calisto, Proton, and their analogues:

  • Always update to the current version of the OS
  • Never disable SIP
  • Run only signed software downloaded from trusted sources, such as the App Store
  • Use antivirus software

MD5

DMG image: d7ac1b8113c94567be4a26d214964119
Mach-O executable: 2f38b201f6b368d587323a1bec516e5d

Either my name, my password or my soul is invalid – but which?

The Register - Anti-Virus - 20 July 2018 - 11:46
Devising complex new passwords is character-building

Something for the Weekend, Sir?  Try as I might, it won't go in.…

Category: Viruses and Worms

ThreatList: Sizing Up The Scourge of Credential-Stuffing

VirusList.com - 19 July 2018 - 22:53
Over two billion credentials were stolen in 2017 and contributed to the complex problem of credential spills, credential stuffing and account takeover fraud.
Category: Viruses and Worms

Stealthy Malware Hidden in Images Takes to GoogleUserContent

VirusList.com - 19 July 2018 - 21:29
Hackers are embedding malicious code within compromised, uploaded images on trusted Google sites – weaponizing the website and staying under the radar.
Category: Viruses and Worms