Security Posts

Mjag dropper: Using decoy documents to drop RATs

Zscaler Research - 29 min 31 sec ago
Mjag dropper

Mjag dropper is compiled in the Microsoft .NET framework, and its original binary is obfuscated using SmartAssembly. The installation path and other details are stored in encrypted form using AES encryption (Fig. 1), and the decryption key is hardcoded.

Fig. 1: AES decryption function

The payload and decoy PDF are encrypted with a custom encryption method and stored in the resource section. The decryption key is hardcoded (Fig. 2).

Fig. 2: Extracting decoy PDF and payload

The decoy document claims to be an Indian Overseas Bank NEFT transaction statement. It lures users to click the “Click here to view full document” link, which points to a malicious website hosting a copy of the Mjag dropper payload (Fig. 3).

Fig. 3: Decoy PDF document

Installation

- Copies itself to “%APPDATA%\FolderN\name.exe”
- Creates a startup key, “HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load”, with the value “%APPDATA%\FolderN\name.exe.lnk”
- Copies “C:\Windows\Microsoft.NET\Framework\\msbuild.exe” to “%TMP%\svhost.exe”
- Starts svhost.exe in suspended mode and injects the final payload (Fig. 4)

Fig. 4: Process injection using Windows APIs

However, the injected payload does not run properly and displays an error message (Fig. 5).

Fig. 5: Unhandled exception popup

This error occurs because the injector code does not inject the overlay part of the payload, the part that contains the command-and-control (C&C) server details. As shown in the injection code snapshot (Fig. 6), it allocates memory in the target process equal to the image size (SizeOfImage) defined in the payload's PE header, so only the headers and sections are copied. This means Mjag cannot properly inject payloads (like Punisher RAT) that keep important data in the overlay.

Fig. 6: Injector code

For the purpose of this blog, we patched the memory mapping issue and continued our analysis of the infection cycle involving Punisher RAT.

Analysis of Punisher RAT

Punisher RAT is packed and written in .NET.
The Punisher RAT builder is publicly available and can be configured with a range of features. In the builder (Fig. 7), you can configure the server IP, name, password, and listening port. The RAT will communicate with the given server IP and send all the information stolen from the victim’s machine. There is also an option to add more functionality to the binary, including anti-VMware, anti-AV, sandbox detection, and USB spreading for further infection, among others.

Fig. 7: Punisher RAT builder

During analysis, we saw various functions of this malware, including:

1. Password stealing module

The malware hunts for various application data and steals the credentials. Here (Fig. 8), it is trying to steal the stored login credentials for the Chrome browser. The stolen information will look like:

|URL| http://facebook.com |USR| username or e-mail |PWD| userpassword

Fig. 8: Stealing module

The Punisher RAT attempts to steal sensitive data from the following applications on the infected system: FileZilla, No-IP Dynamic Update Client, Dyn DNS, Paltalk, Firefox, Chrome, Hotmail, Yahoo, Opera, and Internet Explorer.

2. Anti-task manager

The malware checks for the processes of the following applications and does not allow them to terminate any other processes running on the user's system:

- Process Explorer
- Process Hacker
- Task Manager

This allows the malware author to ensure that the malware processes cannot be terminated. Fig. 9 shows that while attempting to kill the 'a.exe' process using Process Explorer, the “OK” button is replaced by an “Error” button.

Fig. 9: Anti-task manager

3. Keylogging

The malware can capture keystrokes (Fig. 10) and store the data in the %AppData%/{random digits}.log file.

Fig. 10: Capturing keystrokes

4. Persistence

The malware copies itself to the startup folder and creates a run key pointing to this location:

HKCU\software\microsoft\windows\currentversion\run

5. Spreading vector

It looks for removable drives and CD-ROMs to infect and creates an .lnk file. Fig. 11 depicts the spreading mechanism through a USB device.

Fig. 11: USB spread

6. AV checks

The Punisher RAT checks for installed AV software (Fig. 12) and reports it to the server.

Fig. 12: Checking AV

Network activity

The hardcoded C&C information (Fig. 13) is extracted from the payload; the RAT splits this data using the delimiter “abccba”.

Fig. 13: C&C server information

It also collects information about the running processes:

AW|BawaneH|Process Explorernj-q8
AW|BawaneH|Notepadnj-q8

The table consists of the C&C information extracted from the payload. This RAT uses “BawaneH” as a delimiter to split the server response data. It performs various actions based on received commands. A total of 59 commands were used by the server, shown in the following table:

Fig. 14: Received commands

IOCs

Md5: 0a459c18e3b8bdef87a6fb7ea860acdb
Filename: NEFTIOBAN1830369427520181030ABBIdiaLtddt30102018_pdf.exe
Download URL: tenau[.]pw/owa/neftioban1830369427520181030abbidialtddt30102018_pdf.exe
C&C: chris101.ddns.net

Sandbox Report

Fig. 15: Zscaler Sandbox report
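Returning to the injector flaw discussed under Fig. 6: when triaging a dropped payload, an analyst wants to know whether anything lives past the last section, because an injector that allocates SizeOfImage and copies only headers and sections never delivers that region. The Python below is an added example written for this write-up, not Zscaler's tooling or the Mjag code; the single-section PE it builds and the overlay text it appends are constructed placeholders.

```python
"""Report whether a PE payload keeps data in its overlay (bytes after the last
section's raw data). Added example, not Zscaler's or Mjag's code: an injector that
allocates SizeOfImage and copies only headers and sections drops that region, which
in the Punisher RAT case held the C&C configuration. The PE built here is a
constructed, header-only sample; the overlay text is a placeholder."""
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_pe_layout(data: bytes) -> dict:
    """Read SizeOfImage, SizeOfHeaders and each section's raw file extent."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # SizeOfImage and SizeOfHeaders sit at the same offsets in PE32 and PE32+.
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    sections = []
    first = opt + opt_size
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, first + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_start": raw_ptr, "raw_end": raw_ptr + raw_size})
    return {"size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "sections": sections, "file_size": len(data)}


def overlay_info(data: bytes) -> dict:
    """Locate the overlay and flag whether SizeOfImage-bounded injection loses it."""
    layout = parse_pe_layout(data)
    # Everything a loader (or an injector copying headers + sections) maps ends here.
    mapped_end = max([layout["size_of_headers"]] +
                     [s["raw_end"] for s in layout["sections"]])
    overlay = data[mapped_end:]
    return {
        "mapped_end": mapped_end,
        "overlay_size": len(overlay),
        "overlay": overlay,
        # The overlay belongs to no section, so a copy driven by the section
        # table into a SizeOfImage-sized buffer never reaches it.
        "lost_by_sizeofimage_injection": len(overlay) > 0,
    }


def build_minimal_pe(section_payload: bytes, overlay: bytes = b"") -> bytes:
    """Construct a single-section PE32 with valid headers (not runnable) for testing."""
    file_align, sect_align, headers_size = 0x200, 0x1000, 0x200
    raw_size = -(-len(section_payload) // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, sect_align)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)               # ImageBase
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    struct.pack_into("<II", opt, 56, 2 * sect_align, headers_size)  # SizeOfImage, SizeOfHeaders
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_payload), sect_align,
                          raw_size, headers_size, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(headers_size, b"\0")
    return header + section_payload.ljust(raw_size, b"\0") + overlay


if __name__ == "__main__":
    sample = build_minimal_pe(b"\xC3" * 16, b"[placeholder C&C config stored in overlay]")
    info = overlay_info(sample)
    print("overlay bytes:", info["overlay_size"], "->", info["overlay"])
```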
Categories: Security Posts

The Top 10 ThreatLabZ blogs from 2018

Zscaler Research - 29 min 31 sec ago
The Zscaler ThreatLabZ team is continually hunting new threats, analyzing them, and sharing its findings in blogs and reports on the Zscaler site. What follows are the most read and shared blogs of 2018.

Android apps infected with Windows malware reemerge
By Gaurav Shinde
This blog explores apps available on Google Play that were infected with malicious iFrames. Though the malware posed no immediate threat to users, its discovery highlights the fact that infections can propagate across different platforms. This vector can be leveraged by a clever attacker to serve second-level malicious payloads, depending on the type of device platform visiting the URL.

Fake Fortnite apps scamming and spying on Android gamers
By Viral Gandhi
Fortnite is a co-op sandbox survival game and, at the time of the ThreatLabZ report, had 45 million players and more than three million concurrent users. In 2018, its maker, Epic Games, announced a version for iOS. Malware authors, knowing that Android users would be anxious to get Fortnite, created fake Fortnite for Android apps to spread their payloads, including spyware, a coin miner, and some unwanted apps.

CVE-2017-8570 and CVE-2018-0802 exploits being used to spread LokiBot
By Mohd Sadique
This blog provides an overview of the use of malicious RTF documents that leverage exploits for the CVE-2017-8570 and CVE-2018-0802 vulnerabilities to install malicious payloads on victims’ machines. The team shares its analysis of a campaign leveraging these two exploits to deliver LokiBot.

The latest cloud hosting service to serve malware
By Dhanalakshmi
Cloud services are under attack because they enable bad actors to open inexpensive hosting accounts for hiding malicious content in the cloud-based domains of well-known brands. The ThreatLabZ team discovered that a popular managed cloud hosting service provider had been serving phishing attacks and other malware in the wild as far back as February 2018.

Meltdown and Spectre vulnerabilities: What you need to know
By Deepen Desai
With the ability to allow attackers to gain unauthorized access to sensitive information in system memory, Meltdown and Spectre represent a new class of microarchitectural attacks that use processor performance optimization features to bypass built-in security mechanisms. This blog provides an analysis of the vulnerabilities as well as mitigation information.

Cryptominers and stealers – malware edition
By Atinderpal Singh and Rajdeepsinh Dodia
Due to their decentralized nature, cryptocurrencies are impossible to control or censor by any single authority—and that makes them attractive to cybercriminals. With more than 4,000 cryptocurrencies on the market rising in both value and popularity, we’ve seen a rise in the use of malware that targets bitcoins or altcoins for financial gain. This blog provides insight into various cryptominer and stealer variants.

DarkCloud Bootkit
By Nirmal Singh
Following on its report about cryptomining and wallet stealing techniques, this blog provides a technical analysis of yet another type of cryptominer malware that uses a bootkit and other kernel-level shellcode for persistence.

Spam campaigns leveraging .tk domains
By Mohd Sadique
ThreatLabZ identified a campaign using the “.tk” top-level domain, which started with compromised sites that redirect users to either fake blog sites to generate ad revenue or fake tech support sites that claim to remove viruses. We estimated at the time that at least USD 20K per month in revenue was being generated from the fraudulent ad activities alone.

Magecart campaign remains active
By Rubin Azad
Magecart is a notorious hacker group that has been responsible for large-scale attacks on the e-commerce sites of well-known brands. In this blog, we examine the campaign’s recent activity and its methods for skimming credit and debit card information for financial gain.

Ubiquitous SEO poisoning URLs
By Jim Wang
SEO poisoning is an attack method that involves creating web pages packed with trending keywords in an effort to get a higher ranking in search results. SEO poisoning is also a way to redirect users to unwanted applications, phishing, exploit kits and malware, porn, advertisements, and so on. This blog includes examples and analysis of the techniques in use.

Sieren: A new DoS bot

Zscaler Research - 29 min 31 sec ago
Zscaler ThreatLabZ recently discovered a new DoS bot family named Sieren. A denial-of-service (DoS) attack is a cyber-attack in which cybercriminals disrupt the service of a host connected to the internet, either temporarily or indefinitely, for its intended users. In this analysis, we'll describe Sieren's functionality and communication, its 10 DoS methods, its bot commands, and its IoCs.

Functionality

Sieren is capable of performing HTTP, HTTPS, and UDP flooding against any web server location as instructed by the command-and-control (C&C) server:

- HTTP flood
- HTTPS flood
- UDP flood

Network communication

Sieren starts communication with the server by sending system information. Data is separated by the “&” symbol:

- ping
- User Name
- Machine Name
- OS version
- Processor architecture (0 if 32-bit, else 1)
- MD5 of the above data

In response, the C&C server sends a target URL for performing a DoS attack. Data is separated by the “&” symbol:

- pong
- 60: used for sleep (60 * 1000 milliseconds)
- Task_ID = 260
- Method = 2
- Target = https://deti-online.com/
- Type = GET
- Threads = 100
- Sleep = 100
- Port = 0
- Sockets = 0 (number of sockets)
- Size = 0 (size of data sent in each packet during the DoS)
- CreatedAT = Timestamp
- Data = Empty (data sent in each packet during the DoS)

The malware is capable of performing a DoS attack against the target URL using different methods. The variant we analyzed supports 10 flooding methods, and it chooses the method based on data received from the C&C server. In the above instance, we saw that a Russian educational material website (https://deti-online[.]com) was the intended target for this bot. We also identified other locations, such as forum.exlpoit[.]in and x3p0[.]xyz, as DoS targets from the C&C server during our analysis.

The Sieren bot selects the DoS method based on data received from the C&C server. The parameters used by each method are listed below (Task_ID and Target are present for every method):

- Method 1: Type (GET/POST), No. of threads, Sleep
- Method 2: Type (GET/POST), Sleep
- Method 3: Type (GET/POST)
- Method 4: Sleep, Data
- Method 5: Sleep
- Method 6: No. of Sockets, Port
- Method 7: No. of Sockets, Port
- Method 8: No. of Sockets, Port, Size of data
- Method 9: Port, Size of data
- Method 10: Port, Size of data

The C&C server can specify the port, data, sleep time, sockets, and size of packets that will be used during flooding. During flooding, a user agent is selected randomly from a predefined list, as shown below.

DoS methods supported by Sieren

Method 1: In this method, the malware first gets the cookies for the target URL using InternetGetCookieEx and uses them in the HTTP header when generating flood requests. Based on the protocol (HTTP/HTTPS) and method (POST/GET), it starts sending multiple requests to the target URL.

The screenshot below contains the code for generating the header part.

The screenshot below contains the HTTP flooding code.

The screenshot below contains the HTTPS flooding code.

Method 2: The malware creates 50 sockets and sends 50 HTTP requests before executing a sleep command with the value supplied by the C&C server. It repeats this process as long as the taskID is active.

Method 3: This method is similar to Method 2, but the bot does not sleep after every 50 requests.

Method 4: In this method, the bot uses data supplied by the C&C server in the flood requests to the target URL.

Method 5: In this method, the bot also accepts a response while flooding the target URL, after which it sleeps for 100 seconds. It then resumes sending flood requests to the target URL.

Method 6: This method is called when the number of sockets and the port are specified by the C&C server. In this method, the bot does not send HTTP or HTTPS flood requests; instead, it opens multiple sockets to the target URL in an attempt to exhaust server-side resources. It repeatedly closes and opens additional sockets to the target URL as long as the taskID remains active.
Method 7: This method is identical to Method 6 and appears to be a placeholder for a future update.

Method 8: In this method, the bot receives arguments such as the size of random data, the number of sockets, and port information from the C&C server. The bot generates random data of the specified size, opens multiple sockets, and floods the target URL with the randomly generated data.

Method 9: In this method, the C&C server supplies the size of random data and port information. The bot generates random data and floods the target URL on the specified port.

Method 10: This method is used for UDP-based flooding. The bot sends random data using the UDP protocol, and it sets the TTL (time to live) value between 220 and 225 for these packets.

The bot stops performing flood requests once the C&C server stops sending additional commands.

Sieren bot commands

Other than the DoS-related methods, the malware has three additional commands:

- “dlexec”: Download a payload from the URL given by the C&C server and execute it.
- “update”: Download the updated version and execute it. It also deletes itself using the cmd process.
- “Uninstall”: Deletes itself using the cmd process.

Indicators of Compromise

MD5: 320A600147693B3D135ED453FAC42E82
URLs:
cx93835[.]tmweb.ru/rrljw91zqd.exe
burgerkingfanbase[.]net/great.php
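The check-in ("ping") and task ("pong") listings above, together with the per-method parameter table, are enough to write a decoder that a responder can run over captured C&C traffic to see which flood the bot was told to run and which supplied parameters that method actually reads. The following Python is an added example written for this write-up, not Zscaler's or the bot's code; it assumes the listed field order is the wire order and that the MD5 covers the '&'-joined system fields, and the target URL and host names in its sample are constructed.

```python
"""Decoder for Sieren's '&'-delimited check-in ("ping") and task ("pong") messages
as laid out in the analysis above. Added example for this write-up, not Zscaler's
or the bot's code. Assumptions: the field order below is the wire order (the
write-up lists the fields but does not show a raw capture), and the MD5 covers the
'&'-joined system fields. Host names and the target URL in the sample are constructed."""
import hashlib

# Task fields each DoS method consumes, transcribed from the write-up's table
# (Task_ID and Target are present for every method and are omitted here).
METHOD_FIELDS = {
    1: {"type", "threads", "sleep"},
    2: {"type", "sleep"},
    3: {"type"},
    4: {"sleep", "data"},
    5: {"sleep"},
    6: {"sockets", "port"},
    7: {"sockets", "port"},
    8: {"sockets", "port", "size"},
    9: {"port", "size"},
    10: {"port", "size"},
}

# Order of the task fields after "pong&<sleep>" (assumed wire order, see above).
TASK_LAYOUT = ["task_id", "method", "target", "type", "threads", "sleep",
               "port", "sockets", "size", "created_at", "data"]


def _checkin_digest(fields):
    return hashlib.md5("&".join(fields).encode("utf-8")).hexdigest()


def build_ping(user: str, machine: str, os_version: str, is_64bit: bool) -> str:
    """Reconstruct the bot's check-in: ping&<user>&<machine>&<os>&<arch>&<md5>."""
    fields = [user, machine, os_version, "1" if is_64bit else "0"]
    return "&".join(["ping"] + fields + [_checkin_digest(fields)])


def parse_ping(msg: str) -> dict:
    """Split a captured check-in and verify the trailing MD5 against the fields."""
    parts = msg.split("&")
    if len(parts) != 6 or parts[0] != "ping":
        raise ValueError("not a Sieren ping message")
    fields = parts[1:5]
    return {
        "user": fields[0],
        "machine": fields[1],
        "os_version": fields[2],
        "arch": "64-bit" if fields[3] == "1" else "32-bit",
        "md5_ok": parts[5].lower() == _checkin_digest(fields),
    }


def parse_pong(msg: str) -> dict:
    """Decode a task and report which parameters the chosen method actually uses."""
    parts = msg.split("&")
    if len(parts) < 2 + len(TASK_LAYOUT) or parts[0] != "pong":
        raise ValueError("not a Sieren pong message")
    sleep_ms = int(parts[1]) * 1000                  # bot sleeps 60 * 1000 ms for "60"
    values = dict(zip(TASK_LAYOUT, parts[2:]))
    # Data is the last field; rejoin it so an '&' inside the payload survives.
    values["data"] = "&".join(parts[2 + len(TASK_LAYOUT) - 1:])
    method = int(values["method"])
    if method not in METHOD_FIELDS:
        raise ValueError("unknown DoS method %d" % method)
    used = {f: values[f] for f in sorted(METHOD_FIELDS[method])}
    # Parameters carrying a non-default value that this method never reads.
    ignored = sorted(f for f in TASK_LAYOUT
                     if f not in ("task_id", "method", "target", "created_at")
                     and f not in METHOD_FIELDS[method]
                     and values[f] not in ("", "0"))
    return {
        "sleep_ms": sleep_ms,
        "task_id": int(values["task_id"]),
        "method": method,
        "target": values["target"],
        "used": used,
        "ignored": ignored,
    }


if __name__ == "__main__":
    # Constructed sample mirroring the task values shown in the analysis, with a
    # placeholder target instead of the real victim site.
    sample = "pong&60&260&2&https://target.example.invalid/&GET&100&100&0&0&0&1543658400&"
    print(parse_pong(sample))
    print(parse_ping(build_ping("user", "WS01", "Windows 7", False)))
```

Run against the sample task, the decoder shows Method 2 reading only Type and Sleep, so the Threads=100 the server also sent is flagged as ignored, matching the table.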

2019 Will See Cybercriminals Eye Opportunities in Cryptocurrency and IoT to Launch Their Attacks

Zscaler Research - 29 min 31 sec ago
Cybercriminals never take vacations. They’re always scanning the horizon to see which new technologies are being adopted by legitimate enterprises and are therefore ripe to be exploited, or how to utilize trusted protocols to steal the credentials of unsuspecting consumers. The coming year will be no different, but the tools in some cases will change. Here are my predictions for the cybercrime trends that will get our attention in 2019.

Prediction #1: Malware operators will cash in on cryptocurrency

We’ll continue to see more and more malware operators make money on cryptocurrency, either by mining coins using infected systems or by stealing cryptocurrency from the infected systems. This will involve new and existing malware strains that add cryptomining and stealing functionality. The three most common types of crypto-malware are cryptominers, wallet stealers, and clipboard hijackers, and we expect to see an increase in all three types. Here’s how they work:

When downloaded, cryptominer malware works in the background to steal CPU cycles that mine and generate digital currency like bitcoin without users’ knowledge or consent. By spreading their malware across thousands of machines, the miners form a mining pool that can result in big payoffs for the malware author. In 2018, cryptomining surpassed ransomware to become one of the top threats, and that trend is expected to continue.

Wallet stealing will increase, too, in both frequency and sophistication. Wallets don’t store the cryptocurrencies; instead, they store the credentials to access or spend the money, which is stored in the blockchain. Expect to see new variants that contain the functionality to locate and steal wallet.dat files.

Clipboard hijacking is another recent innovation. Because cryptocurrency wallet addresses are long, random-looking sequences of alphanumeric characters, they are difficult to remember. Almost all cryptocurrency owners copy and paste their wallet address when making transactions; on an infected system, malware can monitor for cryptocurrency transactions and dynamically change the wallet address on the clipboard to that of the malware operator, so that future transactions benefit the malware operator.

Prediction #2: SSL/TLS-delivered threats will become more common

We’ve seen steady growth in overall SSL/TLS-encrypted traffic this year, which now accounts for almost 75 percent of total enterprise traffic going through the Zscaler cloud. Cybercriminals are leveraging this encrypted channel at all stages of the cyber kill chain. In particular, there has been a sharp increase in phishing attacks and malware payload delivery over encrypted channels. In the latter half of 2018 alone, we saw that 35 percent of phishing content was delivered over encrypted channels, representing a 300 percent increase since 2016.

Though the volume of SSL/TLS-encrypted traffic has risen sharply, much of it is going uninspected, either because it’s assumed to come from trusted sources or, more likely, because of the impact inspection would have on network performance. Attackers can now hide malware in encrypted traffic knowing it is not likely to be inspected. In 2019, we will continue to see SSL/TLS utilized by cybercriminals to launch attacks, and we anticipate an increase in phishing attacks and malware payload deliveries over these channels, as cybercriminals take advantage of the assumed trust in encryption as well as the ease with which they can obtain digital certificates.

Prediction #3: IoT threats will have a greater impact on enterprises

IoT footprints in the enterprise network have grown rapidly over the past few years, and these internet-connected devices can pose significant risks to enterprise networks. We will continue to see cybercriminals leverage IoT devices as a beachhead for large-scale attacks against enterprise networks. Some of the largest attacks on record are the result of hackers using IoT devices to carry out massive distributed-denial-of-service (DDoS) attacks (you can read about some of them here and here). IoT devices have notoriously poor security, with known default passwords that are rarely ever changed, and manufacturers are slow to patch vulnerabilities. In addition to employee-owned devices coming into the workplace, organizations are adding hundreds or even thousands of IoT devices to their environments, such as cameras, printers, IP phones, televisions, kitchen appliances, thermostats, and more.

Besides the potential for DDoS attacks, IoT vulnerabilities are being used by attackers as an entry point to a network, from which they can hop from one vulnerable device to the next, undetected. Once an attacker gains a toehold in a network through a compromised device, it can be used for spreading malware, stealing credentials, leaking data, and sniffing traffic. Unfortunately, until manufacturers take the threat seriously and bake security into their devices, the attacks will continue to rise in 2019 and beyond. The US-CERT (United States Computer Emergency Readiness Team) has provided security tips for IoT devices here.

Prediction #4: Supply-chain attacks will grow

There has been a steady increase in software supply-chain attacks in recent years. These attacks used to be targeted in nature, singling out a specific industry or organization, such as government. However, we’re seeing software supply-chain attacks used for commodity malware as well, which has the potential to impact larger numbers of users. We will see cybercriminals continue to focus on attacking critical software supply-chain infrastructure to conduct larger attacks.

An example of the fast and massive damage that a software supply-chain attack can inflict is the June 2017 NotPetya attack. The initial infection was through an accounting software website and, by the end, it had wiped data from many thousands of computers around the world at banks, energy firms, governments, and more. Not only is a company’s valuable data and IP at risk, so too is its reputation—which in the end hits its bottom line. NotPetya appeared to be a state-sponsored attack, but most supply-chain attacks are the result of poor security hygiene, which attackers are always prepared to exploit.

Prediction #5: Criminals will turn their attention to cloud service providers

The increase in cloud adoption has shifted a lot of workflows to the cloud. With that shift, we’ll see more attacks aimed at infiltrating cloud service providers in an attempt to gain access to valuable data from the organizations using the cloud services. These attacks may have a far-reaching impact, in light of the volume of data companies are storing in public clouds, and they can pose severe financial consequences.

The cloud service providers themselves have invested heavily in security protections and have large security teams to ensure their systems are sound—they are far more secure than the typical enterprise data center. But most cloud services and their configurations are new and evolving, and mistakes, such as the widely publicized S3 bucket misconfigurations, have led to the exposure of sensitive data at many organizations. But the most common source of errors leading to data leaks or the spread of malware is the end user. While your cloud storage system may be impenetrable, there is always the risk that employees will be careless with their credentials, enabling bad actors to access your valuable data. In 2019, we expect to see an increase in social engineering attacks aimed specifically at employees accessing cloud applications.

Cyber Monday: The biggest day for cyberattacks? Not by a long shot.

Zscaler Research - 29 min 31 sec ago
Last week, the Zscaler ThreatLabZ research team analyzed the phishing attacks we’ve come across in our cloud leading up to Black Friday and Cyber Monday. The team had been seeing an increase in a variety of phishing activities, with targeted attacks and faked login pages designed to steal the credentials of unsuspecting shoppers. (You can read their informative report here.)

With Black Friday and Cyber Monday behind us, we decided to take another look at the data to determine the volume of shopping activity across our cloud and the expected rise in threat activity that coincides with major online events. What we found was that Cyber Monday was, indeed, the biggest shopping day of the year on our cloud and elsewhere. According to the National Retail Federation, 50 million people shopped online in the U.S. alone. Amazon reported that Cyber Monday was its biggest shopping day in history, and over the five days from Thanksgiving through Monday, Amazon customers bought more than 180 million items.

What we saw more than a billion times

We can attest to the high volume of shopping activity. On Cyber Monday, the Zscaler cloud processed 1.35 billion internet requests on shopping sites, with the highest volume by far on Amazon, at 372,824,847 requests. While Monday’s shopping traffic represented only 2.18 percent of traffic overall on our cloud, it was 72 percent higher than shopping traffic on a typical day.

Cyber Monday top five shopping sites on the Zscaler cloud: number of requests we processed on Cyber Monday's top shopping sites.

With so much shopping activity, you might think that Black Friday and Cyber Monday would be the days that cybercriminals would crank up the volume, launching phishing attacks and spreading malware to online shoppers. But the traffic patterns on our cloud show otherwise.

Phishing attacks are planned and executed with precision

On Cyber Monday, we blocked a total of 2,337,537 phishing attempts. That’s significant, but that number was actually down from the days before Black Friday, and this decrease is consistent with patterns we’ve seen. Attacks peak in the days leading up to major events or shopping days. Attackers plan their phishing campaigns for the days when potential victims are looking for deals, aligning their attacks with mainstream advertising campaigns. On the “big day,” when shoppers have already decided which sites to visit, the attacks drop off accordingly.

On the three days before Thanksgiving, we blocked the highest numbers of phishing attempts, with a peak of 4.4 million on Wednesday. By Black Friday, attacks had dropped by nearly 30% from the high. They continued to decrease in volume through Monday, when attacks were down 46% from Wednesday.

November graph shows daily phishing attempts on the Zscaler cloud

Why did attacks drop on Cyber Monday?

It’s been a long time since hackers could be stereotyped as nerds in the basement using their programming skills to bootleg videos. Today’s criminals are sophisticated in their technical execution and in their understanding of market drivers and user behavior. They operate their campaigns like big businesses—because they are. They know when you’re most likely to be online and when you’ll be sifting through the most email (Monday is the most popular day for phishing attacks). They know you’re more likely to open tracking slips or invoices than an unknown attachment. And they exploit the trust you have in brands like Amazon, Kohl’s, Bank of America, and many others, by creating fake websites that look just like the real thing.

Consumers must change their online behavior accordingly, approaching each online interaction with an awareness of its potential risk. You can’t assume that attachments are safe, even if you recognize the name of the sender; spoofing names is practically effortless. You can’t assume that text messages are safe either, due to the rise in SMS phishing. So-called “SMiShing” links can take you to compromised websites, just as infected email attachments can.

E-commerce websites can be compromised in a variety of ways. Hackers can inject JavaScript into a site so that the script sends data collected in the input fields to the hacker’s remote server. A favorite tactic is creating sites that look like legitimate sites but are designed to steal your personal information. Can you tell the difference between these two Amazon login screens?

The screen on the left is a login for a phishing site that will collect your personal information, including your credit card number, and you’ll think you’re on the Amazon site the whole time. The one on the right is a real Amazon login screen. The only difference is in the address bar. Be sure the site you are on matches the URL address.

We also know, as we stated earlier, that today’s cybercriminals plan their campaigns with a marketer’s precision. It’s wise to take extra precautions leading up to and during big events or news days (another day in November when we saw a surge in phishing activity was the sixth, the U.S. election day).

Three things you can do right now to protect yourself from phishing:

- Check the authenticity of the URL or website address before clicking on a link; make sure the address matches the site you're visiting
- Ensure online retailers and banking sites use secure connections; the URL should start with HTTPS
- Inspect the source of emails with enticing shopping deals; be wary of all links and attachments

More resources:

- Read the ThreatLabZ Phishing Roundup blog for an analysis of current phishing trends
- Download the infographic

Black Friday & Cyber Monday Deals: Phishing and Site Skimmers

Zscaler Research - 29 min 31 sec ago
It’s that time of year again! The most glorious of shopping seasons has arrived, and users have commenced their annual tradition of flooding e-stores in search of the best deals that their money can buy. Threat actors, keen to take advantage of increased seasonal shopping activity, are deploying targeted phishing campaigns and site skimmers in the hopes of cashing in. The spectrum of attacks is reaching users in nearly all aspects of their online presence. Email, tweets, and websites are all vehicles of abuse. Zscaler has seen a steady rise in phishing attacks leading up to Black Friday and Cyber Monday, and we'll provide an overview of them here. Fig. 1: Malicious activities from mid-October through mid-November. The turquoise bars represent targeted phishing attacks. Targeted phishing Examining one of the targeted phishing campaigns illustrates the need for caution when shopping online. The faked Amazon screen provides the perfect example, because Amazon is probably the most prolific online shopping site used during the holidays. Aside from the address bar, it's a relatively good knock-off. Fig. 2: Faked Amazon sign-in form. This attack doesn’t stop at compromising your Amazon credentials. This site also wants your credit card information! Fig. 3: Faked Amazon billing page. A closer look at this attack shows that the attackers don’t even have the decency to encrypt your stolen credentials. Fig. 4: Wireshark exposes the packets moving between client and server over HTTP. The best defense is to always be conscious of the address bar. A store like Amazon is never going to ask you for sensitive information away from the Amazon site. Site skimmers Other sophisticated attacks that have proven to be even more insidious are site skimmers like MageCart. MageCart refers to a hacker group that is responsible for large-scale attacks on e-commerce sites. 
MageCart will compromise a well-known or trusted site and inject malicious, obfuscated JavaScript that can tap into purchases. The injected script will add a form to the payment page at runtime using Document Object Model (DOM) properties. Information skimmed from this attack can include all the personal information requested by the compromised e-commerce page. More information about this type of attack is detailed in another blog. Despite several security vendors taking notice, users are still being impacted daily. An updated chart on MageCart hits since our September 28 blog shows that this advanced attack is not stopping anytime soon. Fig. 5: MageCart activity between September 20 and November 15. The best defense against this threat is to have a malware detection tool that is inline with the browser. These tools have the best chance of detecting the malicious JavaScript code on an online store's page. Cryptocurrency Mining The final attack we'll review is the use of cryptojacking. Unlike the other attacks discussed, cryptojacking does not target the user's sensitive information but rather their system resources. A small piece of javascript can be injected into a page which will leverage the user's browser processes to mine cryptocurrency for the attacker. Attackers will leverage user susceptibility to the shopping season to bolster their cryptowallets. Fig. 6: An online shopping aggregator linking to Amazon, but redirecting user's to mine Monero Cryptocurrency Behind the scenes of this shopping site, lies a small piece of javascript that redirects the user's system resources to mine cryptocurrency through the application, CoinHive. Fig. 7: Coinhive injection script will use the user's system resources to mine the cryptocurrency, Monero. The best defense against this kind of attack is to use javascript blocking browser applications like ScriptSafe or NoScript to toggle what sites may execute javascript.  
Conclusion

The ThreatLabZ team at Zscaler works diligently to ensure that customers do not fall victim to the malicious activities described above. Users should be cautious and protect themselves by reviewing our security checklist, particularly during the shopping season:

- Check the authenticity of the URL or website address before clicking on a link
- Ensure online retailers and banking sites use HTTPS/secure connections
- Do not use unsecured public Wi-Fi for shopping
- Inspect the source of emails with enticing shopping deals; be wary of any suspicious attachments
- Steer clear of unofficial mobile application stores
- Use two-factor authentication whenever possible, especially on sensitive accounts such as those used for banking
- Always ensure that your operating system and web browser are up to date and have the latest security patches installed
- Use browser add-ons like Adblock Plus to block popups and potential malvertisements
- Use browser add-ons like No Coin to block a site's attempts to use your computer for cryptocurrency mining
- Back up your documents and media files
- Review the Identity Theft Guide and FAQs from the Federal Trade Commission
- Review the National Cybersecurity and Communications Integration Center's (NCCIC) Holiday Scams and Malware Campaigns warning and recovery actions message

Wishing you all a very happy, healthy, and safe Thanksgiving!

Zscaler™, Zscaler Internet Access™, Zscaler Private Access™, ZIA™ and ZPA™ are either (i) registered trademarks or service marks or (ii) trademarks or service marks of Zscaler, Inc. in the United States and/or other countries. Any other trademarks are the property of their respective owners.
Categories: Security Posts

Zscaler ThreatLabZ Phishing Roundup

Zscaler Research - 29 min 31 sec ago
Phishing is an attempt to steal personally identifiable information, such as Social Security numbers, credit card details, date of birth, and other sensitive data. Typically, phishing targets a user with an email containing a link to a website that imitates a legitimate website the user might visit. As users have become savvier about their online practices, the developers of phishing sites have upped their game, too: many of the sites we see are carefully designed to look like the sites they’re imitating, and clever tactics are used to trick potential victims.

In this blog, we will share some insights from phishing activities blocked across the Zscaler™ cloud. We’ll cover the top brands and categories we are seeing targeted by phishing campaigns, recent examples of campaigns, and some of the tactics threat actors use to be more successful.

Types of phishing

There are different types of phishing activity, including:

- Spear phishing, in which the phishing attempt is targeted against certain organizations or individuals working for specific companies.
- SMiShing, also known as SMS phishing, which involves a message (SMS communication) that targets victims and entices them to click on URLs hosting phishing websites.
- Whaling, in which threat actors target high-profile individuals, such as senior executives in a company, most often to gain internal company information that is not public knowledge.

What brands are being targeted?

While it might be easier to spoof the sites of lesser-known brands, where differences wouldn’t be so apparent, the actors trying to steal personal information need to impersonate popular sites for maximum return, raising the odds of snaring a victim. Their phishing sites often feature the biggest brands, and they use a variety of tricks to evade detection, which we’ll describe in this report. Some of the most commonly targeted brands we’ve seen in recent phishing campaigns can be seen below:

Fig. 1: Top phished brands in the Zscaler Cloud

Microsoft tops the list partly because Microsoft’s multiple enterprise web properties, such as OneDrive, Office 365, and Outlook Web Access, among others, are being targeted by the threat actors. Microsoft was followed by Facebook and PayPal in the list. In addition to the known brands, it was interesting to see phishing campaigns targeting travel visa portals (Canadian Visa and Australian Visa, for example) included in our top five most targeted brands. The attackers in this case were most likely interested in phishing for sensitive immigration information, such as passport details, date of birth and national identification numbers.

The top five most commonly targeted application categories we saw in the recent phishing campaigns include:

- Communications (41.4%)
- Social media (18.3%)
- Finance (16.7%)
- Travel (12.4%)
- Dating (3.4%)

Fig. 2: Top phished site categories in the Zscaler Cloud

Delivery of phishing content

The majority of phishing campaigns start with an email or message containing a link to a site hosting the phishing page. If the user clicks on the link, the phishing page is delivered. We have seen an increasing number of phishing attempts being delivered over an encrypted channel (HTTPS). We believe this increase is most likely due to the availability of domain validated (DV) SSL certificates. These certificates are easy to obtain from free SSL certificate providers like Let's Encrypt as well as from commercial Certificate Authorities. Multiple commercial CAs also offer free DV SSL certificates with shorter validity periods, with the expectation that the client will purchase a paid certificate once those expire. However, these offers provide a safe haven for cybercriminals, who often leverage these short-term certificates to deliver malicious content and then discard them. About 65 percent of all phishing content we’ve seen in the past three months was over HTTP and the remaining 35 percent was over HTTPS.
This represents a 300 percent increase in phishing content being delivered over HTTPS since 2016.

A look at recent phishing examples: Chalbhai campaign

We continue to see a known phishing campaign using the tag chalbhai in its form statements. This campaign has been targeting users with phishing pages that mimic American Express, Microsoft Office, and Adobe; seasonal campaigns like fake IRS and TurboTax webpages during tax season; and, more recently, holiday shopping season pages. A sample of this tag being used on a Wells Fargo phishing page is shown below.

Fig. 3: Chalbhai tag shown in the source code

Usage of compromised sites

Below is an example of a legitimate site that has been compromised, with the attacker hosting multiple phishing sites on the compromised domain. The screenshot shows the open directory found on the compromised web server.

Fig. 4: Compromised web server

The two screenshots that follow are phishing pages designed to look like pages of legitimate websites, including a single sign-on page for Abilene Christian University and a Bank of America page.

Fig. 5: Faked SSO for Abilene Christian University

Fig. 6: Faked Bank of America page

If the user falls for these phishing pages, the credentials are harvested and posted to the attacker-controlled location.

Evasion and Anti-Analysis Techniques

1. Use of images instead of content

Phishing websites are usually cloned copies of the legitimate sites. The difference in the case of Bank of America is that the faked page is almost entirely made up of a single image with a simple credential login form. This helps to evade engines running heuristics on the page source code.

2. Preventing access to page source

A simple anti-analysis technique used by scammers is disabling the right-click functionality to prevent users from checking the page source. This can be seen in the phishing page below, which is pretending to be an Adobe Online document.

Fig. 7: Malicious Adobe Online document

3. Filtering based on user IP address, hostnames, and User-Agent strings involved in the request

We’ve also observed malicious actors trying to fingerprint requests and serve phishing content based on the user’s IP address, hostname, and user agent. We can see an example in the snippet below, where the attacker maintains a list of IP addresses, hostnames, and User-Agent strings known to be used by security researchers and analysts when fetching the phishing page. If any request to the phishing site arrives from one of the known IP addresses or hostnames, or carries one of the listed User-Agent strings, the phishing page will not be served. This tactic helps the attacker keep the phishing page content undetected for a longer duration.

Fig. 8: Banned source IP addresses, hostnames and User-Agent strings

4. Exfiltrating information as an image instead of content

We have also seen multiple instances of phishing attacks that prompt users to verify their identity by asking them to upload a copy of their ID, as shown in the code below.

Fig. 9: Coded to prompt users to upload identification card

The sensitive user information in this case is stolen in the form of an image, which bypasses content-based data loss prevention engines.

5. Encrypted phishing

We have also seen a few phishing pages that use encryption to hide the source code in an attempt to evade detection by security engines. One such example, for a faked PayPal page, is shown below.

Fig. 10: Encrypted source code for a phishing page

6. Punycode-based hostnames

We have also seen attempts to use punycode, in which threat actors use homograph techniques to construct a URL that looks like a legitimate URL but uses characters from non-English character sets to trick the user. (See our Punycode blog for examples of this technique.) This technique makes it difficult for reputation-based engines to keep up.
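One defensive check for the punycode technique above, added here as an example and not code from the Zscaler post: it decodes xn-- labels, flags labels that mix scripts, and reduces Cyrillic look-alike letters to a Latin skeleton so that a label that merely looks like a watched brand is caught. The brand watch-list, the look-alike table and the sample hostnames are constructed for the demonstration.

```python
import unicodedata

# Constructed watch-list of brands the post names as frequently phished.
WATCHED_BRANDS = {"paypal", "amazon", "microsoft", "facebook", "wellsfargo"}

# Small subset of the Unicode confusables table: Cyrillic letters that render
# like Latin ones. Enough for the demonstration, not exhaustive.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04cf": "l",
    "\u0455": "s", "\u04bb": "h", "\u0501": "d",
}


def decode_idna(host: str) -> str:
    """Turn xn-- labels back into Unicode; ASCII labels are returned unchanged."""
    labels = []
    for label in host.strip().lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label so it stays visible
        labels.append(label)
    return ".".join(labels)


def script_of(ch: str) -> str:
    """Coarse script name ('LATIN', 'CYRILLIC', ...); digits and '-' are COMMON."""
    if ch in "-0123456789":
        return "COMMON"
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def skeleton(label: str) -> str:
    """Replace Cyrillic look-alikes with the Latin letters they resemble."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)


def analyze_host(host: str) -> dict:
    """Report why a hostname may be a homograph of a watched brand."""
    unicode_host = decode_idna(host)
    findings = []
    for label in unicode_host.split("."):
        scripts = {script_of(ch) for ch in label} - {"COMMON"}
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
        skel = skeleton(label)
        if skel != label and skel in WATCHED_BRANDS:
            findings.append(f"label {label!r} is a look-alike of {skel!r}")
    return {
        "host": host,
        "unicode": unicode_host,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample hostnames: the well-known PayPal homograph in its
# punycode form, an all-Cyrillic look-alike, and two benign hosts.
SAMPLE_HOSTS = [
    "xn--pypal-4ve.com",                         # decodes to "p\u0430ypal.com"
    "\u0440\u0430\u0443\u0440\u0430\u04cf.com",  # every letter is Cyrillic
    "www.paypal.com",
    "b\u00fccher.example",                       # legitimate non-ASCII label
]

if __name__ == "__main__":
    for sample in SAMPLE_HOSTS:
        report = analyze_host(sample)
        status = "SUSPICIOUS" if report["suspicious"] else "ok"
        print(f"{status:10} {report['host']} -> {report['unicode']}")
        for finding in report["findings"]:
            print(f"           {finding}")
```

The all-Cyrillic sample is the case a mixed-script rule alone misses, which is why the skeleton comparison is there.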
Anatomy of scam page creation

Let’s now take a look at how typical scam web pages are created to perform financial fraud and phish for sensitive information. Attackers copy website templates to create scam websites, making the scam pages look very similar to the original, as seen below:

Fig. 11: Scam websites are built using templates to mimic legitimate sites

Most of the time, the fakes include small changes to evade detection, like changing the names of the doctors on the following page, but the site is otherwise identical.

Fig. 12: Small changes that help attackers evade detection

The scam websites even have live chat support, which responds to queries and guides users through the payment process. The photos of doctors were taken from a royalty-free stock photography database. When checking the source code in the Fig. 11 example, we found that the contents were copied from a legitimate site, santabarbaraherbclinic[.]com, and we can see the timestamp in the screenshot below.

Fig. 13: Source code in scam website shows copied content from a legitimate site

Conclusion

Phishing attacks have been on the rise over the past few years. As end users become more vigilant about clicking suspicious links, attackers have upped the ante by evolving the way in which phishing content is delivered, as well as the tactics used to keep phishing pages undetected for a longer period. While in this blog we focused mainly on commodity phishing and scam pages, some of the tactics mentioned here are also commonly seen in many targeted phishing campaigns (spear phishing, Business Email Compromise, etc.). Zscaler™ ThreatLabZ actively tracks and ensures coverage against phishing campaigns.
Categories: Security Posts

Soulmate: A Dating App That Spies On You

Zscaler Research - 29 min 31 sec ago
During a recent hunt for malware, the Zscaler™ ThreatLabZ team came across a piece of spyware disguised as an Android app and hosted on Google Play, Google’s official Android app store. The app portrays itself as a partner-matching app called Soulmate, designed to help you find (and keep tabs on) your True Love. But the app has capabilities beyond those described by the developer, like snooping on incoming and outgoing calls, intercepting SMS messages, stealing contacts, tracing current and last-known location, and more.

Fig 1: Soulmate app on Google Play

Zscaler notified Google about the presence of this app and it was immediately taken down from Google Play.

App Details

Name: Soulmate
Package Name: com.kikde.soulmate
Hash: 28be1a661e375547df52e7b544c2745b
Size: 8.6M
Installs: 50+
Offered By: Kikde App

Detailed Information

As soon as the app is started, it greets the user with a splash screen and some basic setup activities. It also asks to register itself as the default keyboard. By doing so, it can log every keystroke entered by the user.

Fig 2: Initial activities

During our analysis, we received a 404 error from the app’s command and control (C&C) server, which may have been a ploy or may simply have meant that the services were not available at the time of analysis. We decided to look further and found several permissions being requested that did not align with the name or purported function of the app. The screenshot below shows the list of permissions requested by the app.

Fig 3: Android permissions

Once the setup was done, the app registered and started some services and broadcast receivers. Android services are components that can run in the background without user interaction, and the Android BroadcastReceiver is a component that can be made to trigger when certain system events occur, such as presenting an alert when the battery is low. This spyware registers a broadcast receiver named ReciverHandler.
This receiver is registered to execute upon the following events:

- Outgoing Call
- Connectivity Change
- Change of Phone State
- Package Added/Removed/Installed
- Power Disconnect/Connect
- SMS Received
- SMS Sent
- Boot
- Screen ON/OFF

Depending upon which of the above events occurs, the spyware is designed to trigger particular services. We found that this app used the following Android services:

- Call Record Service
- Record Service
- Geofence Service
- App Location Service
- MyKeyboard Service
- Clipboard Monitor Service
- Basic Info Upload Service
- File Upload Service
- Upload Service

Call Record Service and Record Service are responsible for recording the victim’s calls. The screenshot below shows this functionality.

Fig 4: Call recording

Geofence Service and AppLocation Service are responsible for fetching the victim's location. A snippet from the service can be seen below:

Fig 5: Location tracing

Clipboard Service is responsible for stealing everything that is copied or pasted by the victim. The app creates a file named clipboard.txt in which it stores all copied data. Copied data is also uploaded to the server, as shown in the following screenshot.

Fig 6: Clipboard service

The app also tries to steal the victim's SMS messages, as shown below:

Fig 7: SMS stealing

Once every detail is collected, the data is saved in a local database and then sent to the C&C server. These functions are achieved with the BasicInfoUpload Service, FileUpload Service, and Upload Service.

As we researched package names, app certificates, and statically collected data, we discovered that this spyware had been uploaded to Google Play in the past with the name Soulmate (Beta) and a different package name (com.perfekt.ats.perfektsoulemates). It was taken down immediately. We also came across a lot of advertising for spyware apps that enable users to spy on loved ones. Some of these ads are shown below.
Fig 8: Spyware advertisements

These advertisements took us to the developer's official website, apps[.]kikde[.]com. KikDe promotes itself as a company that provides services to develop websites, Android apps, iOS apps, Windows apps, SEO (Search Engine Optimization), and more. On the KikDe website, we found references to another company called American Transportation System LLC. Tracing this company, we ended up on a third-party website that was still hosting some of its apps. All these apps contained the word “perfekt” in their titles, and it soon became clear that the earlier app named Soulmate was uploaded by this same entity. Other apps by this developer can be seen in the screenshot below, along with comparisons to the same apps with different names on Google Play:

Fig 9: Third-party vs. Google Play apps

Other apps from this developer were also highly suspicious. For example, Kikde OTP Monitor could be used for forwarding an OTP (One Time Password) to another mobile device. Kikde Secure+ Keyboard was more of a keylogger. We are continuing our analysis of these apps and will report our findings.

Conclusion

It is always advisable to stay away from “spying” apps. They do have some legitimate use cases, such as parents keeping track of the whereabouts of their children. But as we’ve seen with Soulmate, users can’t be sure of what is happening under the hood, and the user who is spying may actually be the one who is spied upon. When considering apps to download, users should always exercise caution. Some apps might have good ratings and favorable reviews, but that is not reason enough to trust them, because such ratings and reviews can easily be supplied by the attackers themselves using other identities. Zscaler protects users from spyware and other malicious apps that call out to C&C servers.
Categories: Security Posts

Ubiquitous SEO Poisoning URLs

Zscaler Research - 29 min 31 sec ago
SEO poisoning, also known as search engine poisoning, is an attack method that involves creating web pages packed with trending keywords in an effort to trick search engines into giving them a higher ranking in search results. There are different ways to implement SEO poisoning, such as keyword stuffing, the use of hidden text, and cloaking, among others. In addition to manipulating search ranking, SEO poisoning is widely used to redirect users to unwanted applications, phishing, exploit kits and malware, porn, advertisements, and so on. The ThreatLabZ research team has been actively tracking SEO poisoning campaigns; in this blog, we will share some recent examples and an analysis of the techniques used.

“Midterm elections” campaign

Attackers often use holidays and other timely occasions that are likely to generate a lot of search interest. For this analysis, we chose to focus on the upcoming U.S. election. In the following screenshot, there are three SEO-poisoned URLs in the Google search result for the keyword “midterm elections.”

Fig. 1: SEO poisoned URLs in Google search

After about a month of looking at this “midterm elections” SEO poisoning campaign, we found more than 10,000 compromised websites with more than 15,000 keywords, and we continue to find hundreds of newly compromised sites involved in this activity every day.

Use of multiple redirects

Let’s take a look at some specific URLs generated by the following SEO poisoning campaign:

websitedukkani[.]com/enj0qnh/godev3a.php?snlhpyouf=midterm-elections-2018-polls

The Google cache for the above URL is shown below, and you can see that the Google crawler got a junk page loaded up with many uses of the keyword “midterm elections.”

Fig. 2: Google crawler loaded with keywords

But as we browsed this URL in Chrome, we discovered that it may be redirected to this page:

Figure 3: SEO poisoning landing page example

We say “may” because the redirected website is different each time.
We also noted that it goes through a series of redirects before landing on the final page, as shown in figure 4 below. This is just one of the many measures that cybercriminals are using to deter automated crawlers from adding detection for the landing pages. In our example, the user goes through two redirects via the “302 Found” response code before getting to a real page, as shown in figure 3:

Redirect URL #1 - 5[.]45[.]79[.]15/input/?mark=20180314-landlordpeace.com/0fuq&tpl=9&engkey=how+to+login+to+zscaler
Redirect URL #2 - www[.]hitcpm[.]com/watch?key=027ed88f05536b6c1a41df968c0abb52

Figure 4: The web page content of the last redirect

The final landing page that the user sees will be different every time; in our case the user was served the following web page:

best2017games[.]com/bestgames/playtime/6a6d637637c06de629eb725d6c5c34e1/index.php?country_code=US&p1=http%3A%2F%2Fadsfxs.pro%2Fclick%2F05e45367-502f-4558-8e24-9235a5169358%3Fclickid%3DVjN8MTQyNjk4NDh8MTE0NTYyNXwxNTQ2MzZ8MTUyMTA2NzI3M3wyN2RkMDE5MS0xMThjLTRhNWItYjJiYy1mYWI0Nzk2ZTRjMzJ8NzEuMTk3LjIzMS45NXwzfDIwZTdkNzQ3Mzk3MmU5MTllZDQ2NDY0NTI3ZmE0OTcz%26zoneid%3D14269848

The multiple-redirect model provides a perfect platform for a MaaS (Malware-as-a-Service) infrastructure, as it shields the final landing page from automated security crawlers.

Cloaking technique

The attackers are leveraging cloaking techniques whereby the end user is served different content depending on the HTTP headers involved in the web request. We noticed three distinct responses in some of the recent campaigns:

- Crawler view: The SEO URL will return a web response that is more catered towards poisoning the search engine results for the relevant search term. This will make the URL appear higher in the search result.
- Browser or user view: The SEO URL in this case will lead the user through a series of redirects before a final landing page, dependent upon the campaign.
The attacker distinguishes between user view and crawler view by inspecting the User-Agent HTTP header of the request. If the User-Agent string belongs to a well-known web browser, then user view content is served.
- Referer view: The SEO URL in this case will serve different content to the end user, depending on the URL set in the Referer HTTP header.

Without cloaking

Without the use of cloaking, the content fetched by the search engine crawler (“crawler view”) and by the direct user (“direct view”) will be identical. However, the SEO page will have scripts to detect whether it is an actual user loading the content in a web browser, in which case the user will be redirected to the final landing page containing the malicious content. Here is an example of an SEO campaign where cloaking is not being used:

URL: tucuerposiente[.]cl/forum/070sxjj.php?bbhb=excel-vba-cells-function

The crawler view and direct view for this SEO URL return identical content. The SEO page in this case will redirect to a final landing page based on the user’s actions, such as mouse movement, or on rendering of the page in the web browser. The crawler will not see the landing page redirect, as there is usually no user interaction or browser rendering involved. Below is a view of what happens when a user browses an SEO-poisoned URL that is not leveraging cloaking techniques. The user will see a webpage as well as a busy icon on the browser tab indicating additional background activity. This activity is leading the user to the final landing page in the background, as shown in this screen capture from Fiddler (a free web request debugging tool).

Figure 5: An SEO poisoned URL without cloaking leads user to landing page

The attacker is leveraging specially crafted CSS (Cascading Style Sheets) to perform a redirect from the user’s browser. In CSS, the URL property can be used to set the background. The figure below shows the typical usage of the URL property (taken from w3schools.com).
Figure 6: URL property

But if you don’t give any parameter to the URL property, using url() instead of url(“URL”), it will load the parent page again. During the second loading, however, the Referer HTTP header is set to the parent URL itself. This is the reason there are two requests to the same URL in Fiddler. It is important to note that the malicious content will be served on the second request, in which the Referer HTTP header is set to the expected URL. The figure below shows the CSS code snippet used in the SEO page. The line “background-image: url()” will cause the page to reload.

Figure 7: CSS code snippet in the SEO page

The second request will load the malicious code, as shown in the image below.

Figure 8: Malicious code

SEO URL generation

Let’s take a look at a typical SEO URL structure seen in SEO poisoning campaigns:

SEO URL: sbtechsiteleri[.]com/docs/bmfns7.php?gneo=access-vba-form-load

We can divide this URL into several parts:

Host: www.sbtechsiteleri[.]com
URI path: docs
PHP page file: bmfns7.php
Parameter: gneo
Search keywords: access-vba-form-load

The campaign uses different parameters to generate URLs. We have found hundreds of unique parameters; jtjd and wanh are two examples of parameters shown in the screenshot below. From the search result in the screenshot, we can reasonably guess there are hundreds of millions of SEO URLs generated for these two parameters.
Figure 9: URLs generated

SEO web page generation

Although we don’t have access to the backend code used to generate the SEO webpages, we can draw some insights into the generation process based on our analysis of several pages involved in this activity:

- Pick up the keywords from the “search keywords” part of the URL and search for them in a search engine
- Collect the responses that contain the keywords
- Generate a final response containing specific strings from the collected responses

The Google cache of the webpage www.sbtechsiteleri[.]com/docs/bmfns7.php?gneo=access-vba-form-load:

Figure 10: Example of Google cache

The first sentence, “I am fairly new to Access,” can be found in several URLs. The second sentence, “Programming Microsoft Access with VBA can be a lot easier if you know the keyboard shortcuts for the most common commands and tasks and the” is from this site:

Figure 11: Example of site found

Following that sentence, you can see, “If you want to set the RecordSource of another form, you must ensure the other form is open first,” which is from this website:

Figure 12: Example of sentence found at site

All three of the above examples are for the keyword “access.”

Conclusion

SEO URLs redirect users to different targets. We saw two modes of operation in the pages that we analyzed:

- The users go through a series of redirects to reach the final landing page.
- The users are redirected to a MaaS (Malware-as-a-Service) platform, which starts another redirection chain leading to the final landing page.

Here are the top web categories to which the final landing page sites belonged:

1. Adult and pornographic websites
2. Internet services sites; in this case, the SEO campaign's purpose is advertising
3. Politics and religion, an example of which is shown below
4. Exploit servers leading to adware/malware payloads

On average, we see over 3,000 new and unique SEO-poisoned URLs every day. ThreatLabZ is actively tracking this threat and will continue to ensure coverage for Zscaler customers.
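A small triage helper for the SEO URL structure and the CSS reload trick described above, added here as an example rather than code from the Zscaler post: it splits a (possibly defanged) SEO URL into the parts listed above, looks for an empty url() background in page source, and measures how often the search phrase is repeated in the page text. The heuristics, the sample page and the thresholds are constructed for the demonstration; the sample URL is the one quoted in the post.

```python
import re
from urllib.parse import parse_qs, urlparse

# Matches "background: url()" / "background-image: url('')" with no argument,
# the reload trick the post describes.
EMPTY_URL_RE = re.compile(
    r"background(?:-image)?\s*:\s*url\(\s*(?:[\"']\s*[\"'])?\s*\)", re.I)


def refang(url: str) -> str:
    """Undo the [.] defanging used in the post so the URL can be parsed."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def parse_seo_url(url: str) -> dict:
    """Split a URL into host / path / PHP file / parameter / keywords.

    'seo_pattern' is a constructed heuristic: a .php file, exactly one query
    parameter, and a value made of two or more hyphen-joined words.
    """
    clean = refang(url.strip())
    if "://" not in clean:
        clean = "http://" + clean  # bare host/path form as quoted in the post
    parts = urlparse(clean)
    segments = [s for s in parts.path.split("/") if s]
    page = segments[-1] if segments else ""
    query = parse_qs(parts.query, keep_blank_values=True)
    param, value = next(iter(query.items())) if len(query) == 1 else ("", [""])
    keywords = value[0].split("-") if value and value[0] else []
    seo_pattern = (page.lower().endswith(".php") and len(query) == 1
                   and len(keywords) >= 2 and all(keywords))
    return {
        "host": parts.hostname or "",
        "uri_path": "/".join(segments[:-1]),
        "php_page": page,
        "parameter": param,
        "keywords": keywords,
        "seo_pattern": seo_pattern,
    }


def has_css_reload_trick(html: str) -> bool:
    """True if the page sets a background with an empty url()."""
    return EMPTY_URL_RE.search(html) is not None


def keyword_stuffing(html: str, keywords: list) -> dict:
    """Count repetitions of the search phrase in the visible page text."""
    text = re.sub(r"<(script|style)[^>]*>.*?</\1>", " ", html, flags=re.I | re.S)
    text = re.sub(r"<[^>]+>", " ", text).lower()
    words = re.findall(r"[a-z0-9]+", text)
    phrase = r"\b" + r"\s+".join(re.escape(k.lower()) for k in keywords) + r"\b"
    hits = len(re.findall(phrase, text)) if keywords else 0
    return {"phrase_hits": hits, "total_words": len(words),
            "ratio": (hits * len(keywords) / len(words)) if words else 0.0}


# Constructed sample page (not the real SEO page): the CSS reload trick plus
# a keyword-stuffed paragraph.
SAMPLE_HTML = """<html><head><style>
body { background-image: url(); }
</style></head><body>
<p>midterm elections midterm elections 2018 polls latest midterm elections news</p>
</body></html>"""

SAMPLE_URL = "websitedukkani[.]com/enj0qnh/godev3a.php?snlhpyouf=midterm-elections-2018-polls"


def triage(url: str, html: str) -> dict:
    """Combine the URL structure and page checks into one verdict."""
    info = parse_seo_url(url)
    # The first two keywords form the search phrase the page is stuffed with.
    stuffing = keyword_stuffing(html, info["keywords"][:2])
    info["css_reload_trick"] = has_css_reload_trick(html)
    info["stuffing"] = stuffing
    info["suspicious"] = info["seo_pattern"] and (
        info["css_reload_trick"] or stuffing["phrase_hits"] >= 3)
    return info


if __name__ == "__main__":
    verdict = triage(SAMPLE_URL, SAMPLE_HTML)
    for key, val in verdict.items():
        print(f"{key:18} {val}")
```

Run against a saved copy of a suspect page, the URL check alone is weak evidence; the empty url() and the repeated phrase are what separate the SEO page from an ordinary PHP site.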
Indicators of Compromise

The list of the redirectors used by this campaign and some IOCs for PHP files and ZIP files can be found here. If you find these PHP or ZIP files on your website, it is likely that your website has been compromised.
Categories: Security Posts

Why you shouldn't trust "safe" spying apps!

Zscaler Research - 29 min 31 sec ago
During a recent malware hunt, the Zscaler™ ThreatLabZ research team came across a suspicious Android app on Google Play, the official Google app store, named SPYMIE. SPYMIE portrays itself as an Android-based keylogger designed for parents to track the cell phone activities of their children. Given the popularity of such apps, it has become common practice for app creators to promote spying capabilities as parental control features. However, SPYMIE packs a little something extra with the parental controls.

Basically, SPYMIE is an Android-based keylogger that has the ability to hide itself and start recording everything the user tries to access. Ideally, keystroke logging is best achieved with keyboard-based apps, but this app uses Android's Accessibility Services to perform its functions. The app author also has included their email address in the code of the app, which allows them to receive all the information that the app is collecting, making those using the app vulnerable to having their personal information stolen.

Before the app was removed from Google Play, its description was as follows:

“SPYMIE: Key logger is specially designed for parents to track the cell phones of your children. It will also help you when someone friends ask you for your phone for ten minutes but you don’t trust on it. So what you have to do you only have to on the SPYMIE: Key Logger. So whenever the friends return phone to you, you can check all the activities done by your friend. It records all the activities that are done on your phone. All activates are send to your mobile phone via email.

"For parents what they have to do, you just install the app in your children phone. Hide the icon. Later on you have check all the activities done by your children in the whole day."

Zscaler notified Google about the presence of this app and it was immediately removed from Google Play.
App Details

Name: SPYMIE: Key Logger
Package Name: com.ant.spymie.keylogger
Hash: 8e32ce220e39ba392c9e15671a32854b
Size: 5.5M
Installs: 10,000+

Technical Details

As soon as the app is installed, it shows basic setup activities asking the user for an email ID, as shown in the screenshot below.

Fig. 1: SPYMIE initial activities

Once the introduction is complete, the app asks for runtime permission to manage outgoing calls. The reason for asking for this permission is related to the app's hiding functionality. As shown in the screenshot below, if the user enables the hiding feature, the app then asks for a secret PIN to open the app. The user can then open the app by firing up the phone dialer and entering the PIN. This is the main reason for asking for permission related to phone calls.

Fig. 2: Hiding functionality

After further analysis, we found that the app contains a default PIN as well. Dialing **00## would open this keylogger app. The screenshot below shows the code snippet for this functionality.

Fig. 3: Default hard-coded PIN

Once the basic setup is done, one can turn on the spying feature. To enable spying on a user's activities, this app uses Accessibility Services. This feature was designed to assist users with disabilities in using Android devices and apps. The screenshot below displays the functionality in action:

Fig. 4: Enabling Accessibility Services

Once Accessibility Services is enabled, the app starts logging every activity performed by the user/victim. The snapshot below shows the code responsible for logging user actions along with keystrokes and storing them in a file named SpyLogger.xml.

Fig. 5: Storing user/victim's activities

In order to see the functionality in action, we tried running the app in a controlled environment. At first, we opened Gmail and tried composing a sample email.
As shown in the screenshot below, almost every activity, from opening the Gmail app (left side) to composing the body of the email, was logged (right side).

Fig. 6: Gmail logging

In another test, we fired up Paytm and tried logging in. The right side of the screenshot below shows how every action was logged.

Fig. 7: Paytm login

The above screenshots display the logs visible through Android's logcat command, but behind the scenes, all this data is being written to a file named SpyLogger.xml.

Looking at it from another perspective, the app has a serious vulnerability which, according to OWASP, can be categorized as Insecure Data Storage. Any random app with the READ_LOGS permission can read logs presented by Android. In this scenario, all sensitive data is being written to log entries, and every piece of sensitive data is at risk.

Additionally, this keylogger app can send logged/stolen data to the email ID entered by the user during setup, but we found a code snippet that was designed to send this data to another hard-coded email ID as well. The screenshot below shows both code snippets. The first one is the ideal scenario, in which email is sent to the provided email ID, and the second box shows the app's functionality in which a timer task is run to send email to the hard-coded email ID every 60 seconds.

Fig. 8: Sending stolen data to different email IDs

During our analysis, we did not find any calls made to the second code snippet, where email is sent to the hard-coded email ID, and we believe there are two possible explanations. It is possible that the app's author added this functionality while testing and forgot to remove the dead code. This seems unlikely, because the code snippet to send email to the hard-coded email ID is well designed and placed as a timer task to send email every 60 seconds. The second possibility could be related to the app being "under construction."
This app might still be in development and any calls related to this function may be added in future updates.  Conclusion  We believe there are two likely scenarios in which key logging apps, like SPYMIE, may be used. 1. Parents installing spying apps on their children's devices     - Parents can install such apps in order to track their children's online activities 2. Users willingly install such an app to steal someone else's data.     - Any user can install such apps on their Android devices and might offer their phone to others for use. When a victim enters his/her personal details, it will be logged. User can view this information at a later time. It is always advisable to stay away from spying apps, because a typical user can never be sure of what exactly is happening under the hood. Be cautious if using mobile devices other than your own. Never perform critical actions or enter personal information on borrowed or unknown devices. Zscaler users are safe from such type of threats. ZscalerTM Sandbox detected the app accurately as shown in screenshot below:  Fig. 9: Zscaler Cloud Sandbox detection  
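The abuse of Accessibility Services described above leaves a visible trace in device settings. The following added example (not code from the Zscaler post or from SPYMIE) audits the raw value of Android's enabled_accessibility_services secure setting against an allowlist of expected packages; the sample setting value and the .KeyLoggerService class name are constructed for the example.

```shell
#!/bin/sh
# Added example: flag unexpected Android accessibility services.
# On a real device the raw value comes from:
#   adb shell settings get secure enabled_accessibility_services
# It is a colon-separated list of ComponentName strings ("package/ServiceClass").

# Constructed sample of that setting as an affected device might show it
# (TalkBack is a legitimate service; the SPYMIE class name is hypothetical):
SAMPLE_SETTING='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.ant.spymie.keylogger/.KeyLoggerService'

# Packages whose accessibility services are expected on managed devices.
ALLOWLIST='com.google.android.marvin.talkback com.android.settings'

# flag_accessibility_services RAW_VALUE ALLOWLIST
# Prints one unexpected package per line; returns 1 if any were flagged, else 0.
flag_accessibility_services() {
    raw=$1
    allow=$2
    flagged=0
    # "settings get" prints "null" when nothing is enabled; treat as clean.
    case "$raw" in ""|null) return 0 ;; esac
    old_ifs=$IFS
    IFS=':'
    set -- $raw            # one positional parameter per enabled component
    IFS=$old_ifs
    for component; do
        pkg=${component%%/*}   # strip the service class, keep the package
        case " $allow " in
            *" $pkg "*) ;;                  # expected package, ignore
            *) echo "$pkg"; flagged=1 ;;    # unexpected service: report it
        esac
    done
    return $flagged
}

# Stand-alone run over the constructed sample.
flag_accessibility_services "$SAMPLE_SETTING" "$ALLOWLIST" \
    || echo "unexpected accessibility service(s) enabled; review the packages above"
```

The same function can be fed `adb shell settings get secure enabled_accessibility_services` output from each device in a fleet, and any package it prints is a candidate for the kind of keystroke logging shown in Fig. 5.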
Categories: Security Posts

Infocon: green

CVE-2020-5902: F5 BIG-IP RCE Vulnerability
Categories: Security Posts

New Snort rule addresses critical vulnerability in F5 BIG-IP

Cisco Talos - Mon, 2020/07/06 - 23:19
By Jon Munshaw. Cisco Talos just released Snort coverage for a prominent vulnerability in F5’s BIG-IP. BIG-IP is one of the most popular networking products on the modern market. This product is used to shape web traffic, access gateways, limit rates and much more. F5 disclosed a remote code execution vulnerability over the weekend that was assigned a maximum 10 out of 10 severity score. CVE-2020-5902 is a remote code execution vulnerability in BIG-IP's configuration interface. Users are urged to make...

[[ This is only the beginning! Please visit the blog for the complete entry ]]
Categories: Security Posts

MACsec Hardware Testing—Why Back-to-Back Validation Falls Short

BreakingPoint Labs Blog - Mon, 2020/07/06 - 22:46
MACsec has become an important encryption technology that is shipped with next-generation chips,…
Categories: Security Posts

ATI Adds Maze Ransomware Attack Campaign

BreakingPoint Labs Blog - Mon, 2020/07/06 - 22:46
Last month, the Application and Threat Intelligence (ATI) Team released a new type of cyberattack…
Categories: Security Posts

Monitoring SSL VPN Gateways - A Step-by-Step Guide

BreakingPoint Labs Blog - Mon, 2020/07/06 - 22:46
Virtual private network (VPN) connectivity is one of the most critical services in today’s…
Categories: Security Posts

Assess the Effectiveness of Dynamic NGFW Updates: Palo Alto Security Audit

BreakingPoint Labs Blog - Mon, 2020/07/06 - 22:46
One benefit of breach and attack simulation is continuous assessment, and I set Keysight Threat…
Categories: Security Posts

Assess Cloud-based Web Application Firewalls with Breach and Attack Simulation

BreakingPoint Labs Blog - Mon, 2020/07/06 - 22:46
Securing your web applications is a necessity. As the 2020 Verizon DBIR reports, web application…
Categories: Security Posts

Lessons Learned from Verizon DBiR 2020

BreakingPoint Labs Blog - Mon, 2020/07/06 - 22:46
Verizon has just released its annual Data Breach Incident Report (DBiR) 2020. It analyzes 32,002…
Categories: Security Posts

"Tap if you can, SPAN if you must."

BreakingPoint Labs Blog - Mon, 2020/07/06 - 22:46
If you've ever wondered why that piece of advice is fairly common among IT and security…
Categories: Security Posts

Be Confident Stopping Hancitor, Wannacry Internal, & more

BreakingPoint Labs Blog - Mon, 2020/07/06 - 22:46
Being current is critical in cybersecurity. When attacks spring up you worry if you're protected.…
Categories: Security Posts