Viruses and Worms

HPE warns of impending SSD disk doom

Sophos Naked Security - 28 November 2019 - 12:16
The company has revealed that many of its SSDs are set to permanently fail by default after 32,768 hours of operation.

Twitter says it won’t delete tweets from those who have died

Sophos Naked Security - 28 November 2019 - 12:11
It "was a miss on our part", Twitter said.

RevengeHotels: cybercrime targeting hotel front desks worldwide

Kaspersky Securelist - 28 November 2019 - 11:00

RevengeHotels is a targeted cybercrime malware campaign against hotels, hostels, hospitality and tourism companies, mainly, but not exclusively, located in Brazil. We have confirmed more than 20 hotels that are victims of the group, located in eight states in Brazil, but also in other countries such as Argentina, Bolivia, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey. The goal of the campaign is to capture credit card data from guests and travelers stored in hotel systems, as well as credit card data received from popular online travel agencies (OTAs) such as

The main attack vector is via email with crafted Word, Excel or PDF documents attached. Some of them exploit CVE-2017-0199, loading it using VBS and PowerShell scripts and then installing customized versions of RevengeRAT, NjRAT, NanoCoreRAT, 888 RAT and other custom malware such as ProCC on the victim’s machine. The group has been active since 2015, but increased its attacks in 2019.

In our research, we were also able to track two groups targeting the hospitality sector, using separate but similar infrastructure, tools and techniques. Palo Alto has already written about one of them. We named the first group RevengeHotels, and the second ProCC. These groups use a lot of social engineering in their attacks, asking for a quote from what appears to be a government entity or private company wanting to make a reservation for a large number of people. Their infrastructure also relies on the use of dynamic DNS services pointing to commercial hosting and self-hosted servers. They also sell credentials from the affected systems, allowing other cybercriminals to have remote access to hotel front desks infected by the campaign.

We monitored the activities of these groups and the new malware they are creating for over a year. With a high degree of confidence, we can confirm that at least two distinct groups are focused on attacking this sector; there is also a third group, though it is unclear if its focus is solely on this sector or if it carries out other types of attacks.

Not the quotation you’re expecting

One of the tactics used in operations by these groups is highly targeted spear-phishing messages. They register typo-squatting domains, impersonating legitimate companies. The emails are well written, with an abundance of detail. They explain why the company has chosen to book that particular hotel. By checking the sender information, it’s possible to determine whether the company actually exists. However, there is a small difference between the domain used to send the email and the real one.
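The sender-domain check described above (the "small difference between the domain used to send the email and the real one") is something a mail gateway or a SOC triage script can automate. The following is an added example, not code from Kaspersky or from the article: it extracts the sender domain from a From: header, folds common look-alike character sequences, and measures the edit distance to an allow-list of domains the hotel genuinely deals with. The allow-list entries, the confusable table and the sample headers are all constructed placeholders.

```python
import unicodedata
from email.utils import parseaddr

# Constructed allow-list: domains of organisations that really do send booking
# requests to this hotel. These names are hypothetical placeholders.
LEGIT_DOMAINS = {"exampleadvogados.com.br", "example-gov.gov.br"}

# Minimal, hypothetical confusable table: sequences that look alike in common
# fonts. A production scanner would use a full Unicode confusables list.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    """Lower-case, strip accents (IDN look-alikes) and fold confusable sequences."""
    d = unicodedata.normalize("NFKD", domain.strip().lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for lookalike, canonical in CONFUSABLES:
        d = d.replace(lookalike, canonical)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; keeping one row of the DP table is enough."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain part of an RFC 5322 From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify(domain: str, legit_domains=LEGIT_DOMAINS, max_distance: int = 2):
    """Return (verdict, closest allow-listed domain, edit distance after folding).

    An exact allow-list hit is 'legitimate'; a domain that is *not* on the list
    but sits within max_distance of one after folding is a 'lookalike' and
    deserves a second look before anyone opens the attachment."""
    domain = domain.lower()
    if domain in legit_domains:
        return ("legitimate", domain, 0)
    dist, match = min((levenshtein(normalize(domain), normalize(legit)), legit)
                      for legit in legit_domains)
    if dist <= max_distance:
        return ("lookalike", match, dist)
    return ("unrelated", match, dist)


if __name__ == "__main__":
    # Constructed From: headers; the first uses a digit zero in place of the letter o.
    for header in ('"Example Advogados" <contato@exampleadv0gados.com.br>',
                   '"Example Gov" <reservas@exarnple-gov.gov.br>',
                   '"Example Advogados" <contato@exampleadvogados.com.br>'):
        dom = sender_domain(header)
        print(dom, "->", classify(dom))
```

The distance threshold is deliberately small: at two edits a 20-character domain is still a convincing impersonation, while anything further away is more likely an unrelated sender than a typo-squat of a known partner.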

An email sent to a hotel supposedly from an attorney’s office

This spear-phishing message, written in Portuguese, has a malicious file attached that misuses the name of a real attorney’s office, while the sender domain of the message had been registered one day before, using a typo-squatting domain. The group goes further in its social engineering effort: to convince the hotel personnel of the legitimacy of their request, a copy of the National Registry of Legal Entities card (CNPJ) is attached to the quotation.

The attached file, Reserva Advogados Associados.docx (Attorneys Associates Reservation.docx), is a malicious Word file that drops a remote OLE object via template injection to execute macro code. The macro code inside the remote OLE document contains PowerShell commands that download and execute the final payload.
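Template injection of the kind described above leaves a structural trace: the .docx package carries a relationship whose target is external rather than a part inside the archive. The scanner below is an added example (not the article's or Kaspersky's code) that opens an OOXML package, parses every `.rels` part and reports external relationships other than ordinary hyperlinks, such as an `attachedTemplate` pointing at a URL. The `build_sample_docx` helper constructs a minimal document in memory so the check runs offline; the template URL it uses is a placeholder, not an indicator from the report.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
HYPERLINK = OFFICE_REL + "hyperlink"
ATTACHED_TEMPLATE = OFFICE_REL + "attachedTemplate"


def find_remote_relationships(docx_bytes):
    """Scan every .rels part of an OOXML package for external relationships
    that are not plain hyperlinks (attachedTemplate, oleObject, ...)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                # A relationships part that does not parse is itself worth a look.
                findings.append({"part": name, "type": "unparseable", "target": None})
                continue
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                rtype = rel.get("Type", "")
                if rtype == HYPERLINK:
                    continue  # clickable links are expected to point outside the package
                findings.append({
                    "part": name,
                    "type": rtype.rsplit("/", 1)[-1],   # e.g. 'attachedTemplate'
                    "target": rel.get("Target"),
                })
    return findings


def build_sample_docx(remote_template=None):
    """Build a constructed, minimal .docx in memory (not a real sample).
    When remote_template is given, word/_rels/settings.xml.rels carries an
    external attachedTemplate relationship, the structure template injection uses."""
    def rels_xml(rels):
        return ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<Relationships xmlns="%s">%s</Relationships>' % (REL_NS, "".join(rels)))

    doc_rels = ['<Relationship Id="rId1" Type="%s" Target="https://example.org/" '
                'TargetMode="External"/>' % HYPERLINK]          # benign external link
    settings_rels = []
    if remote_template:
        settings_rels.append('<Relationship Id="rId1" Type="%s" Target="%s" '
                             'TargetMode="External"/>' % (ATTACHED_TEMPLATE, remote_template))

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<?xml version="1.0" encoding="UTF-8"?><Types xmlns='
                     '"http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels_xml(doc_rels))
        pkg.writestr("word/settings.xml", "<settings/>")
        pkg.writestr("word/_rels/settings.xml.rels", rels_xml(settings_rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL; a real sample would carry the attacker's template location here.
    for label, sample in (("benign", build_sample_docx()),
                          ("remote template", build_sample_docx("http://template.invalid/quote.dotm"))):
        print(label, find_remote_relationships(sample))
```

Because the check works on package structure rather than on macro content, it fires before any macro is parsed and catches the remote-template trick regardless of what the fetched template eventually contains.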

PowerShell commands executed by the embedded macro

In the RevengeHotels campaign, the downloaded files are .NET binaries protected with the Yoda Obfuscator. After unpacking them, the code is recognizable as the commercial RAT RevengeRAT. An additional module written by the group called ScreenBooking is used to capture credit card data. It monitors whether the user is browsing the web page. In the initial versions, back in 2016, the downloaded files from RevengeHotels campaigns were divided into two modules: a backdoor and a module to capture screenshots. Recently we noticed that these modules had been merged into a single backdoor module able to collect data from clipboard and capture screenshots.

In this example, the webpage that the attacker is monitoring is (more specifically, the page containing the card details). The code is specifically looking for data in Portuguese and English, allowing the attackers to steal credit card data from web pages written in these languages.

Title searched by the malware in order to capture the screen contents

In the ProCC campaigns, the downloaded files are Delphi binaries. The backdoor installed in the machine is more customized than that used by RevengeHotels: it’s developed from scratch and is able to collect data from the clipboard and printer spooler, and capture screenshots. Because the personnel in charge of confirming reservations usually need to pull credit card data from OTA websites, it’s possible to collect card numbers by monitoring the clipboard and the documents sent to the printer.

Screenshot is captured when the user copies something to the clipboard or makes a print request

A bad guy’s concierge

According to the relevant underground forums and messaging groups, these criminals also infect front desk machines in order to capture credentials from the hotel administration software; they can then steal credit card details from it too. Some criminals also sell remote access to these systems, acting as a concierge for other cybercriminals by giving them permanent access to steal new data by themselves.

Access to hotel booking systems containing credit card details is sold by criminals as a service

Some Brazilian criminals tout credit card data extracted from a hotel’s system as high quality and reliable because it was extracted from a trusted source, i.e., a hotel administration system.

Message sent to an underground channel selling data extracted from hotel systems

Guests and victims

The majority of the victims are associated with the hospitality sector. Based on the routines used, we estimate that this attack has a global reach. However, based on our telemetry data, we can only confirm victims in the following countries:

Victims confirmed in Argentina, Bolivia, Brazil, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey

Based on data extracted from statistics, we can see that potential victims from many other countries have at least accessed the malicious link. This data suggests that the number of countries with potential victims is higher than our telemetry has registered.

Victims per country based on data from a malicious link from the RevengeHotels campaign

A safe stay

RevengeHotels is a campaign that has been active since at least 2015, revealing different groups using traditional RAT malware to infect businesses in the hospitality sector. While there is a marked interest in Brazilian victims, our telemetry shows that their reach has extended to other countries in Latin America and beyond.

The use of spear-phishing emails, malicious documents and RAT malware is yielding significant results for at least two groups we have identified in this campaign. Other threat actors may also be part of this wave of attacks, though there is no confirmation at the current time.

If you want to be a savvy and safe traveler, it’s highly recommended to use a virtual payment card for reservations made via OTAs, as these cards normally expire after one charge. While paying for your reservation or checking out at a hotel, it’s a good idea to use a virtual wallet such as Apple Pay, Google Pay, etc. If this is not possible, use a secondary or less important credit card, as you never know if the system at the hotel is clean, even if the rooms are…

All Kaspersky products detect this threat as:

  • HEUR:Backdoor.MSIL.Revenge.gen
  • HEUR:Trojan-Downloader.MSIL.RevengeHotels.gen
  • HEUR:Trojan.MSIL.RevengeHotels.gen
  • HEUR:Trojan.Win32.RevengeHotels.gen
  • HEUR:Trojan.Script.RevengeHotels.gen

Indicators of compromise (IoCs)

Reference hashes:
  • 74440d5d0e6ae9b9a03d06dd61718f66
  • e675bdf6557350a02f15c14f386fcc47
  • df632e25c32e8f8ad75ed3c50dd1cd47
  • a089efd7dd9180f9b726594bb6cf81ae
  • 81701c891a1766c51c74bcfaf285854b

For a full list of IoCs as well as the YARA rules and intelligence report for this campaign, please visit the Kaspersky Threat Intelligence Portal:
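To turn the reference hashes above into a quick host sweep, the added example below (not Kaspersky's tooling) normalises a pasted IoC list, infers the algorithm from each hash's length (the five reference hashes are 32 hex characters, which is MD5 length; treating them as MD5 is an assumption), streams every file under a directory through md5/sha1/sha256 once, and reports any match. The `make_sample_dir` helper and its file contents are constructed so the sweep can be exercised offline; no real sample is involved.

```python
import hashlib
import os
import tempfile

# Reference hashes from the write-up above.
REVENGEHOTELS_HASHES = [
    "74440d5d0e6ae9b9a03d06dd61718f66",
    "e675bdf6557350a02f15c14f386fcc47",
    "df632e25c32e8f8ad75ed3c50dd1cd47",
    "a089efd7dd9180f9b726594bb6cf81ae",
    "81701c891a1766c51c74bcfaf285854b",
]

# Assumption: hash algorithm is inferred from hex length.
ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def load_iocs(lines):
    """Normalise hash strings into {algorithm: set_of_lowercase_hex}.
    Blank lines, '#' comments and values that are not hex of a known length
    are ignored, so a pasted IoC list can be fed in as-is."""
    iocs = {}
    for raw in lines:
        value = raw.strip().lower()
        if not value or value.startswith("#"):
            continue
        algo = ALGO_BY_LENGTH.get(len(value))
        if algo is None or any(c not in "0123456789abcdef" for c in value):
            continue
        iocs.setdefault(algo, set()).add(value)
    return iocs


def digests(path, chunk_size=1 << 20):
    """Read a file once and return its md5/sha1/sha256 hex digests."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def sweep(root, iocs):
    """Walk a directory tree and report every file whose digest is in the IoC set."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                d = digests(path)
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
            for algo, values in iocs.items():
                if d[algo] in values:
                    hits.append({"name": os.path.relpath(path, root),
                                 "algorithm": algo, "digest": d[algo]})
    return sorted(hits, key=lambda h: h["name"])


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def make_sample_dir(files):
    """Create a temp directory of constructed files {relative_name: bytes}; return its path."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    for name, content in files.items():
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = make_sample_dir({"downloads/quote.docx": b"constructed sample content"})
    # Empty unless a file matching one of the published hashes is present.
    print(sweep(root, load_iocs(REVENGEHOTELS_HASHES)))
```

Hash matching only finds the exact binaries listed; repacked or re-obfuscated builds (the report mentions Yoda-protected .NET droppers) will not match, which is why the full IoC set and YARA rules from the portal are the better basis for an investigation.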

Cloudy biz Datrix locks down phishing attack in 15 mins after fat thumb triggers email badness

The Register - Anti-Virus - 28 November 2019 - 10:15
You can be fast but they're always faster

Cloud-'n'-comms biz Datrix has suffered a phishing attack that resulted in some customers' contact details being compromised – though the company reckons it contained the attack within 15 minutes.…

Category: Viruses and Worms

This week, we give thanks to Fortinet for reminding us what awful crypto with hardcoded keys looks like

The Register - Anti-Virus - 28 November 2019 - 01:42
Plus more from the world of infosec

Roundup: Here's a summary of recent infosec news beyond what we've already covered – earlier than usual because some of us have Thanksgiving to get through in the US. By the way, watch out for hackers taking advantage of IT teams suffering turkey comas.…

Category: Viruses and Worms

NSO Group President Defends Controversial Tactics - 27 November 2019 - 20:41
Firm defends controversial business offerings, claims it should be considered a force of good.
Category: Viruses and Worms

SDKs Misused to Scrape Twitter, Facebook Account Info - 27 November 2019 - 18:44
Malicious mobile apps could be created to scrape and share profile information, email addresses and more.
Category: Viruses and Worms

IoT Smartwatch Exposes Kids’ Personal, GPS Data - 27 November 2019 - 16:28
Yet another connected smartwatch for children has been discovered exposing personal and location data of kids - opening the door for various insidious threats.
Category: Viruses and Worms

Federal Data Privacy Bill Takes Aim at Tech Giants - 27 November 2019 - 16:26
The COPRA legislation would provide GDPR-like data protections, and create a new FTC enforcement bureau.
Category: Viruses and Worms

Dexphot Malware Hijacked 80K+ Devices to Mine Cryptocurrency - 27 November 2019 - 15:00
A cryptomining malware has infected at least 80k devices and uses various tactics to evade detection.
Category: Viruses and Worms

Facebook, Twitter profiles slurped by mobile apps using malicious SDKs

Sophos Naked Security - 27 November 2019 - 13:49
Hundreds of users gave permission to these third-party apps to access their social media accounts, but the apps got more handsy than that.

Splunk customers should update now to dodge Y2K-style bug

Sophos Naked Security - 27 November 2019 - 13:37
Splunk has issued a critical warning regarding a showstopping Y2K-style date bug in one of the platform’s configuration files.

EU raises eyebrows at possible US encryption ban

Sophos Naked Security - 27 November 2019 - 13:26
EU officials have warned that they may not take kindly to a US encryption ban or insertion of crypto backdoor technology.

'Ethical' hackers say: It's just hacker. To be one is no longer a bad thing

The Register - Anti-Virus - 27 November 2019 - 13:00
Great and good of pentesting chew the fat with El Reg

Ethical hacking is a "redundant term" but to be a "hacker" is no longer a bad thing, according to proponents of the cybersecurity art form known as "penetration testing".…

Category: Viruses and Worms

Police arrest alleged Chuckling Squad member who hijacked @Jack Dorsey

Sophos Naked Security - 27 November 2019 - 12:58
Debug, another Chuckling Squadder, told Motherboard that the kid was weird, "Swatting celebrities for a follow back."

Firefox gets tough on tracking tricks that sneakily sap your privacy

Sophos Naked Security - 27 November 2019 - 12:25
Firefox is getting ready to turn on its automatic anti-snooping tools to stop web 'fingerprinting' tricks.

Austin Man Indicted for Stealing Unreleased Music from Artists - 26 November 2019 - 21:34
He and co-conspirators stole 50 gigs of music and leaked some of it onto the internet.
Category: Viruses and Worms

Magecart Group Switches Up Tactics with MiTM, Phishing - 26 November 2019 - 20:44
This new skimming/phishing hybrid threat tactic means that even stores that send customers to external payment processors are vulnerable.
Category: Viruses and Worms

Managing the Human Security Factor in the Age of Ransomware - 26 November 2019 - 17:12
Convincing employees to take security seriously takes more than awareness campaigns.
Category: Viruses and Worms

Naked Security needs an intern! Here’s how to apply

Sophos Naked Security - 26 November 2019 - 14:46
Naked Security is looking for a content marketing intern to join the team for 12 months in 2020.