Viruses and Worms

FBI called in to investigate 2018 Mountain State mobile voting system hacking

The Register - Anti-Virus - 3 October 2019 - 01:29
'West Virginia, mobile ballots, country votes, nearly pwned'

The state of West Virginia says someone attempted to hack its citizens' votes during the 2018 mid-term elections.…

Category: Viruses and Worms

Google Maps gets Incognito fig leaf: We'll give you vague peace of mind if you hold off those privacy laws

The Register - Anti-Virus - 3 October 2019 - 00:43
Location data is likely to remain accessible to web ads giant, network service providers, apps

After last year acknowledging that Google Maps stores location data even when told not to, the Chocolate Factory plans to give Maps the same misunderstood form of privacy offered by its Chrome browser, otherwise known as Incognito mode.…

Category: Viruses and Worms

Zendesk Exposes 10,000 Accounts to Unknown Third Party

VirusList.com - 2 October 2019 - 22:44
Zendesk says access occurred in 2016 and that only a small percentage of customers were impacted.
Category: Viruses and Worms

Why This New Cybergang is Heralding a New Age For BEC

VirusList.com - 2 October 2019 - 21:58
Cybergang Silent Starling is taking BEC to the next level by targeting suppliers and going after their customers.
Category: Viruses and Worms

Medic! Uncle Sam warns hospitals not to use outdated IPnet freely on their networks

The Register - Anti-Virus - 2 October 2019 - 21:34
Meanwhile ransomware forces Alabama doctors to turn away non-urgent patients

The US Food and Drug Administration is warning hospital IT admins to keep a close eye on their networks following the discovery of security vulnerabilities in a relatively obscure and dated TCP/IP stack – IPnet – used in embedded devices.…

Category: Viruses and Worms

Virus Bulletin 2019: Geost Android Botnet Goes After Millions of Euros

VirusList.com - 2 October 2019 - 19:22
Bad OpSec led to the botnet's discovery -- revealing 800,000 victims in Russia.
Category: Viruses and Worms

Virus Bulletin 2019: Japanese Attacks Highlight Savvy APT Strategy

VirusList.com - 2 October 2019 - 18:47
Multiyear campaigns stretching back to at least 2014 have been seen using zero-days in region-specific software.
Category: Viruses and Worms

Zendesk clocks 10,000 accounts accessed by miscreants before November 2016

The Register - Anti-Virus - 2 October 2019 - 18:07
Helpdesk firm admits TLS certs also affected

Zendesk has admitted to suffering a data snafu – but while it affects 10,000 customers, it only applies to those who were using the firm's helpdesk products before 1 November 2016.…

Category: Viruses and Worms

If you really can't let go of Windows 7, Microsoft will keep things secure for another three years

The Register - Anti-Virus - 2 October 2019 - 17:37
For a fee, of course

Recognising that not everyone has climbed aboard the Windows 10 train, Microsoft has thrown a Windows 7 Extended Support lifeline to more businesses... for a price.…

Category: Viruses and Worms

Google Adds Password Checkup Feature to Chrome Browser

VirusList.com - 2 October 2019 - 16:56
Google's new password checkup tool joins other similar services including Have I Been Pwned and Mozilla's Firefox Monitor.
Category: Viruses and Worms

HQWar: the higher it flies, the harder it drops

Kaspersky Securelist - 2 October 2019 - 16:00

Mobile dropper Trojans are one of today’s most rapidly growing classes of malware. In Q1 2019, droppers held 2nd or 3rd position by share of all detected threats, and in 2018 they occupied nearly half of all Top 20 places. Since a dropper’s main task is to deliver its payload while sidestepping protective barriers, and since its developers are fully bent on countering detection, this is probably one of the most dangerous classes of malware.

One of the most dangerous and widely spread families of Trojan droppers is Trojan-Dropper.AndroidOS.Hqwar. Originally created as a MaaS infrastructure, today Hqwar is used for both small-scale attacks and big ones affecting thousands of users all over the world.

The very first versions of Hqwar saw the light in early 2016 and had become quite popular by the end of the same year. It peaked in Q3 2018, when substantial numbers of financial malware payloads came “packaged” with this dropper. Yet since Q4 2018 we have observed its decline. The likely reason is that the tool is not updated frequently enough by its author, causing an outflow of customers.

Number of Hqwar detections by unique users

The very first Trojan packed with Hqwar was a piece of ransomware targeting Russian users. This is how this disgrace introduced itself to the victims, impersonating the Ministry of Internal Affairs (note that Hqwar was built by a Russian-speaking author, and many of its clients prey on Russian users):

Now one can say that only the lazy did not use Hqwar: Kaspersky’s collection of viruses features over 200,000 Trojans packed using Hqwar. When decrypting and unpacking these malicious objects, we found that almost 80% of them are financial threats, while nearly one third represent the banking Trojan family of Faketoken. In fact, it was the first ever banking Trojan whose authors began using Hqwar.

The Top 10 list of payloads most often bundled with Hqwar features such widely distributed Trojans as Asacub, Marcher and Svpeng. On several occasions, the dropper was carrying Korean bankers of the Wroba family and such famous SMS Trojans as Opfake and Fakeinst. But their authors seem to have used Hqwar just to try things out, so to speak: these “matryoshkas” did not gain much popularity. All in all, we know of 22 families of different Trojans packed with Hqwar, which shows how much interest cybercriminals take in droppers.

 #   Family                                        %*
 1   HEUR:Trojan-Banker.AndroidOS.Faketoken        28.81%
 2   HEUR:Trojan.AndroidOS.Boogr                   14.53%
 3   HEUR:Trojan-Banker.AndroidOS.Asacub           10.10%
 4   HEUR:Trojan-Banker.AndroidOS.Marcher           8.44%
 5   HEUR:Trojan-Banker.AndroidOS.Grapereh          7.67%
 6   HEUR:Trojan-Spy.AndroidOS.SmsThief             7.20%
 7   HEUR:Trojan-Banker.AndroidOS.Gugi              6.18%
 8   HEUR:Trojan-Banker.AndroidOS.Svpeng            5.38%
 9   HEUR:Trojan-Banker.AndroidOS.Agent             5.24%
10   HEUR:Trojan-Banker.AndroidOS.Palp              1.97%

* percentage of all unpacked objects

What’s inside

From the technical viewpoint, the dropper is a wrapper around the payload’s DEX file, which it decrypts and loads; the wrapper itself comprises only two classes.

Decompiled dropper with two classes

If we are to simplify and forget about obfuscation, the dropper’s workflow can be presented as follows:

  • open a file from assets;
  • decrypt it using RC4 and a hardwired key;
  • delegate control to the decrypted code via DexClassLoader and loadClass.

Everything the unpacked Trojan needs to operate is already in the dropper’s APK file: all activity, receiver and service records are written in the manifest, and the pictures are where they should be (with unique names generated for all objects). As Hqwar doesn’t “drop” an APK file but only loads the code, there is no need for an app installation request, which the user could potentially decline (however, this approach is not exactly good for persistence: once the user deletes the dropper, the Trojan is deleted too). The main Trojan’s body is obfuscated, so the original malware cannot be recognized.
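As an added illustration of the workflow described above (this is not code from the Securelist post or from Kaspersky), the following Python script is a defender-side static triage heuristic: it flags an APK that combines high-entropy .dat files under assets/ with bytecode references to DexClassLoader and loadClass, the two traits the text attributes to Hqwar. The sample APK is constructed inside the script, and the marker strings and entropy threshold are assumptions, not values taken from the post.

```python
"""Static triage heuristic for Hqwar-style Android droppers (added example).

Signals (both are assumptions chosen for this illustration):
  (a) an encrypted blob under assets/ with a .dat extension, detected here
      as Shannon entropy close to 8 bits/byte;
  (b) the bytecode references DexClassLoader and loadClass.
Both together suggest an in-memory DEX loader; neither alone is a verdict.
"""
import io
import math
import zipfile
from collections import Counter

# Strings a DEX file contains when it calls DexClassLoader.loadClass (assumption).
LOADER_MARKERS = (b"Ldalvik/system/DexClassLoader;", b"loadClass")
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted/random data is close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Scan an APK (a zip archive) given as bytes and return the indicators found."""
    result = {"encrypted_assets": [], "dex_loader": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.startswith("assets/") and name.lower().endswith(".dat"):
                ent = shannon_entropy(data)
                if ent >= ENTROPY_THRESHOLD:
                    result["encrypted_assets"].append((name, round(ent, 2)))
            elif name.endswith(".dex") and all(m in data for m in LOADER_MARKERS):
                result["dex_loader"] = True
    # Flag only when the encrypted asset AND the runtime loader are both present.
    result["suspicious"] = bool(result["encrypted_assets"]) and result["dex_loader"]
    return result


def build_sample_apk(encrypted_asset: bool) -> bytes:
    """Construct a minimal, fake APK for the demo (not a real Hqwar sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        # A stub "classes.dex": a DEX magic prefix followed by the loader strings.
        zf.writestr("classes.dex",
                    b"dex\n035\0" + b"\0".join(LOADER_MARKERS) + b"\0")
        if encrypted_asset:
            payload = bytes(range(256)) * 16       # uniform bytes: entropy 8.0
        else:
            payload = b"config=1\n" * 512          # plain text: low entropy
        zf.writestr("assets/1.dat", payload)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print("encrypted asset" if flag else "plain asset",
              "->", triage_apk(build_sample_apk(flag)))
```

An unpacked APK on disk can be scanned the same way by passing `open(path, "rb").read()` to `triage_apk`.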

Interesting fact: for some time Hqwar co-existed with a Trojan called Trojan-SMS.AndroidOS.Fakeinst.hq, with which it had quite a few things in common:

  • The two used similar string obfuscation methods (it may be that the authors of both had used a ready-made decryption algorithm).

A portion of string decryption code from Hqwar (left) and Fakeinst.hq (right)

  • Both used a setup in which a portion of code was loaded from AES-encrypted asset files. It is worth noting that in Fakeinst.hq one of the encrypted files was an APK file, while the other was a DEX file used to install a secondary APK (the payload). This made for a triple matryoshka: the original dropper at level one, an encrypted DEX file at level two, and an encrypted APK at level three. This was done to preserve the infection after the dropper itself was deleted. Broadly speaking, the trick is not new, but unlike other similar cases, Hqwar and Fakeinst.hq used encrypted files with the same extension – DAT.

Encrypted files in Fakeinst.hq

Encrypted file from Hqwar

  • In both cases, a similar certificate generation pattern was used:

Certificate from Fakeinst.hq

Certificate from Hqwar

This evidence proves nothing, of course. But it can be assumed that the author of Hqwar began with Russian SMS Trojans while at the same time working on the “wrapper” infrastructure.

Services

Hqwar owes its popularity to convenient infrastructure and pricing policy (as well as the fact that its maker is still at large and has no fear of being called to account for his actions).

Advertisement of the service

An API exists for mass-producing the packed malware. It is likely used by the makers of Trojans like Faketoken, Asacub, Marcher, etc.:

The need for a certificate on every APK file is one place where Hqwar could give analysts “a foothold”, by reconstructing its certificate generation pattern. For that reason the author made it possible to load an arbitrary certificate instead – either a stolen one or one taken from a legitimate application.

Conclusion

Despite all the convenient features the dropper’s author has built into it, we believe Hqwar (and similar wrappers) may soon lose much of their popularity: their counter-detection mechanisms have become obsolete, while the structure of the APK file means there are places that cannot be “littered”, allowing for timely detection of threats (which is exactly what Kaspersky’s protective solutions are for).

IOC

Exim suffers another ‘critical’ remote code execution flaw

Sophos Naked Security - 2 October 2019 - 14:28
This latest Exim flaw could lead to at least a denial of service crash in the software but also the possibility of remote code execution.

O.MG! Evil Lightning cable about to hit mass distribution

Sophos Naked Security - 2 October 2019 - 14:27
This malicious O.MG Lightning cable has come a long way, with extensive work on the kinds of payload it can deliver.

218 million Words With Friends players lose data to hackers

Sophos Naked Security - 2 October 2019 - 14:20
The serial hacker GnosticPlayers is claiming to have ransacked Zynga's user data - including names, emails and passwords.

Have you been Thomas Crooked? Watch out for cybercrims slinging holiday-themed fakes

The Register - Anti-Virus - 2 October 2019 - 12:55
Bed, board and flights of fancy as fraudsters register scam websites

Thomas Cook's former breach detection contractor has warned of a sharp spike in scammers setting up fake websites to lure ex-staff and customers alike.…

Category: Viruses and Worms

Ex-Yahoo engineer pleads guilty to hacking 6,000 accounts

Sophos Naked Security - 2 October 2019 - 12:41
Reyes Daniel Ruiz went after younger women's accounts, including those of his personal friends and work colleagues, he admitted.

Hack Breaks PDF Encryption, Opens Content to Attackers

VirusList.com - 2 October 2019 - 12:21
PDFex can bypass encryption and password protection in most PDF readers and online validation services
Category: Viruses and Worms

The State of Stalkerware in 2019

Kaspersky Securelist - 2 October 2019 - 12:00

Introduction and methodology

Six months ago, we created a special alert that notifies users about commercial spyware (stalkerware) products installed on their phones. This report examines the use of stalkerware and the number of users affected by this software in the first eight months of 2019.

Consumer surveillance technology has evolved rapidly in recent years, and the very purpose of surveillance activity has changed dramatically. The rise of the internet and the subsequent explosion in mobile device usage have led to a thriving type of surveillance software known as stalkerware. The software allows users to spy on other people – for example, to monitor their messages, call information and GPS locations – in complete stealth. It is often used to abuse the privacy of current or former partners and even strangers. This can be done simply by manually installing an application on the targeted victim’s smartphone or tablet. Once in place, the stalker gains access to a range of personal data despite being remote from the victim. It differs greatly from parental control software. While parental control apps aim to restrict access to risky and inappropriate content and persistently notify the user about their requests, stalkerware is about providing the abuser with surveillance to spy on a victim without that individual’s consent.

The vast majority of stalkerware apps are not available on official app stores – like Google Play – and installation requires access to a dedicated website and access to the victim’s device. Those with bad intentions may use it to monitor employee emails, track children’s movements and even spy on what a partner is up to. Such uses may lead to harassment, surveillance without consent, stalking and even domestic violence. However, current laws to regulate the use of stalkerware are not yet strong enough to deter culprits from abusing and taking advantage of other people.

The data in this report has been taken from aggregated threat statistics obtained from the Kaspersky Security Network, to measure how often and how many users encountered stalkerware threats in the first eight months of 2019, compared to what was found last year. The Kaspersky Security Network is the infrastructure dedicated to processing cybersecurity-related data streams from millions of voluntary participants around the world. In this blog, we have explored why stalkerware is being used and where it is implemented most prolifically.

Main findings
  • From January to August 2019, around the world, there were more than 518,223 cases when our protection technologies either registered presence of stalkerware on users’ devices or detected an attempt to install it – a 373% increase in the same period in 2018
  • In the first eight months of 2019, 37,532 users encountered stalkerware at least once. This is a 35% increase from the same period in 2018 when 27,798 users were targeted
  • The number of users targeted by full-throttle spyware detected as Trojan-Spy reached 26,620 in the first eight months of 2019, which makes it a minority compared to the number of users who encountered stalkerware
  • The Russian Federation remains the most prominent region for stalkerware globally, accounting for 25.6% of potentially affected users in the first eight months of 2019. India is in second place with 10.6% of affected users, and Brazil is in third place (10.4%). The United States holds fourth place with 7.1%
  • When it comes to Europe – Germany, Italy and the UK hold the top three places respectively
Rise of the stalkerware problem

This year has seen a sharp rise in the number of detections of stalkerware on Android devices protected by Kaspersky products. One reason for this rise could be the improvement in detecting stalkerware software through cybersecurity solutions. In April, Kaspersky launched functionality in its Android security app – Privacy Alert – that specifically alerts users if a software that can be used for stalking is found on their device. Since then, the number of detections has steadily risen. For instance, 4,315 users encountered stalkerware in March 2019, compared to 7,075 in April – a 64% increase in just one month. This figure rose to 9,251 during August, 94% higher than the month before the functionality was launched.

Fig.1 Number of users who encountered stalkerware in Jan-Aug 2019

These openly-sold consumer surveillance programs are often used for spying on colleagues, family members or partners, and are in great demand. For a relatively modest fee, sometimes as little as $7 per month, these apps stay hidden while keeping their operators informed about the device activity, such as its owner’s location, browser history, text messages, social media chats, and more. Some of them can even make video and voice recordings.

To further examine the extent of the stalkerware problem, Kaspersky has analyzed the last eight months’ worth of activity. Between January and August 2019, 37,533 users encountered stalkerware on their devices at least once. This is a 35% increase from the same period in 2018, when 27,798 users were targeted. Overall, there were 518,223 cases in which Kaspersky products either registered the presence of stalkerware on users’ devices or detected an installation attempt in the period from January to August 2019 – a staggering 373% increase compared to the same period in 2018.

Fig.2 Users targeted by stalkerware 2018 vs 2019

Examples of software used for stalking purposes

The most prolific stalkerware family in 2019 was identified as Monitor.AndroidOS.MobileTracker.a, which affected 6,559 unique users. In second place, Monitor.AndroidOS.Cerberus.a was detected on the devices of 4,370 users, closely followed in third place by Monitor.AndroidOS.Nidb.a (4,047).

Comparing the results from 2018, the top two differ from last year. Monitor.AndroidOS.Nidb.a and Monitor.AndroidOS.PhoneSpy.b were found most on the devices of users in 2018, reaching 4,427 and 2,819 respectively. Monitor.AndroidOS.XoloSale.a was the third most common stalkerware reaching 1,946 users.

In our internal classification system, the Monitor.AndroidOS.MobileTracker.a record identifies the Mobile Tracker Free application, which is positioned as a tool to track the activity of children or employees. In fact, the application allows tracking of the user’s location, their correspondence both in SMS messages and messenger applications (WhatsApp, Hangouts, Skype, Facebook Messenger, Viber, Telegram, etc.), as well as calls. A third party can also access the victim’s photos from the phone and the camera in real time, along with their browser history, files on the device, calendar and contact list. In addition, the application provides the ability to remotely control the device. On top of all this, it can run in hidden mode disguised as a system application.

Fig.3 Screenshots from the Mobile Tracker Free official website

The next application – Cerberus (Monitor.AndroidOS.Cerberus.a) – is positioned as an anti-theft app. However, it also allows a stalker to work in ‘hidden’ mode and to prevent its deletion. Among other things, it provides the ability to track the location of the device, take pictures from the camera and screenshots, as well as record audio from the microphone.

The third-placed Monitor.AndroidOS.Nidb.a is in fact a group of similar applications: iSpyoo/TheTruthSpy/Copy9. Unlike the previous two applications, some representatives of this group openly advertise themselves as a means of spying on a partner and even write articles about it.

Fig.4 Screenshot from the TheTruthSpy official website

The set of functions is quite standard for such programs yet still impressive – website tracing, interception of correspondence in SMS and in messenger applications, call tracing and browser history. Like many other similar applications, they require super-user rights (administration rights) to operate some functions. They can work in ‘hidden’ mode, and their names in the list of installed applications mimic the system processes.

Where is stalkerware found?

There is a global market for legal spyware and stalkerware software, as proven by the diverse range of regions where the most attacks are taking place. The top 10 countries with the largest share of users attacked with stalkerware do not have geopolitical similarities and are not in close proximity.

Fig. 5 Geography of users who encountered stalkerware in 2019

Kaspersky’s findings show that Russia is the region where stalkerware activity is peaking. Persistent activity in India has made the country the second most prominent region for stalkerware-related incidents from January to August, with 10.56% of affected users.

Brazil accounted for 10.39% of attacked users in 2019, while the United States is now fourth (7.11%). There are advocacy groups in the country raising awareness about the dangers of stalkerware and conducting revealing user research. National Public Radio surveyed 72 domestic violence shelters, with 85% of domestic violence workers saying they have assisted victims whose abuser tracked them using GPS. Nearly three-quarters (71%) of domestic abusers monitored survivors’ computer activities, while 54% tracked survivors’ cell phones with stalkerware. The fifth most prevalent country in 2019 was Germany (3.55%).

Stalkerware on the cyberthreat landscape

When comparing stalkerware and spyware to the rest of the attacks mobile users face – such as adware, riskware and malware – it takes up a big share of the less targeted not-a-virus programs. In the first eight months of 2019, Kaspersky detected 2,350,862 users attacked with potentially unwanted threats, and just 1.60% of them were related to stalkerware. However, unlike the majority of mass potential threats (like adware), stalkerware requires a specific stalker to act and carry out its operation. Every target is stalked and chosen on purpose. So, while the numbers are lower, stalkerware takes a more targeted effort to affect a victim and has a disturbing story of abuse behind each case.

To get the big picture when assessing the dynamics of stalkerware development, we’ve compared stalkerware to the full-scale, illegal surveillance malware for PC that we detect as Trojan-Spy. The results show that while illegal spyware is in decline, stalkerware is thriving.

Fig. 6 Users attacked by stalkerware and spyware

Our analysis of the first eight months of 2019 shows that the number of users who encountered stalkerware had, in fact, surpassed the figure for Trojan-Spy attacks. While 2018 saw more than 43,000 spyware targets compared to around 28,000 stalkerware targets, in 2019 the picture changed. The number of users that encountered stalkerware grew by 35% to reach over 37,000, while spyware tools accounted for 26,620 of targets.

There has been a notable rise in the number of stalkerware-related incidents registered by Kaspersky products when compared to all threats in the 2018 figures. Between January and August last year, such software made up just 1.01% of the overall number of users who faced any kind of potentially dangerous software (adware and others from the not-a-virus category), which was 2,740,023. It appears that stalkerware is growing in popularity, while more traditional malware attacks are less prolific than they were 12 months ago.

Conclusion and recommendations

It is clear to see that stalkerware is on the rise and becoming much more prominent in the cybersecurity landscape. In accordance with the overall number of detected riskware, adware and spyware attack fluctuations year-on-year, the percentage of stalkerware-related incidents continues to rise. It may take time to discover the role of stalkers on the cyberthreat landscape, but more incidents are now accounted for. Thanks to improved cybersecurity software, there has been a sharp rise since Kaspersky launched its own solution to notify users about stalkerware in April 2019.

There has also been a level of consistency around which countries are the most likely to experience stalkerware-related incidents, with Russia, India, the United States and Germany amongst the most prominent for the last two years.

The good news for users is that functionality and effective solutions are being put in place so they can protect themselves. Practical ways to solve the problem are coming to the fore. IT security companies and advocacy organizations working with domestic abuse victims should join forces to ensure that cybersecurity companies respond better to stalkerware. Such initiatives would help victims through technology and expertise.

We believe that every person has a right to be privacy-protected. That’s why we deliver security expertise, work closely with international organizations and law enforcement agencies to fight cybercriminals, as well as develop technologies, solutions and services that help you stay safe from the cyberthreats.

Jamf emits mystery security fix for Pro macOS, iOS wrangler, keeps admins in dark by censoring chatter

The Register - Anti-Virus - 1 October 2019 - 23:04
iAdmins steaming over handling of 'critical' patch rollout

MacOS network admins are being advised to update their copies of the Jamf Pro management software following the disclosure of a critical security flaw.…

Category: Viruses and Worms

Ransomware Attacks Leave U.S. Hospitals Turning Away Patients

VirusList.com - 1 October 2019 - 21:22
Ransomware attacks have crippled hospitals worldwide, forcing them to turn away patients and cancel surgeries.
Category: Viruses and Worms