Security Posts

Mjag dropper: Using decoy documents to drop RATs

Zscaler Research - 1 hour 10 mins ago
Mjag dropper

Mjag dropper is compiled for the Microsoft .NET framework, and its original binary is obfuscated using SmartAssembly. The installation path and other details are stored in AES-encrypted form (Fig. 1), with the decryption key hardcoded in the binary.

Fig. 1: AES decryption function

The payload and the decoy PDF are encrypted with a custom encryption method and stored in the resource section. Here, too, the decryption key is hardcoded (Fig. 2).

Fig. 2: Extracting decoy PDF and payload

The decoy document claims to be an India Overseas Bank NEFT transaction statement. It lures users into clicking the "Click here to view full document" link, which points to a malicious website hosting a copy of the Mjag dropper payload (Fig. 3).

Fig. 3: Decoy PDF document

Installation

- Copies itself to "%APPDATA%\FolderN\name.exe"
- Creates the startup key "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load" with the value "%APPDATA%\FolderN\name.exe.lnk"
- Copies "C:\Windows\Microsoft.NET\Framework\\msbuild.exe" to "%TMP%\svhost.exe"
- Starts svhost.exe in suspended mode and injects the final payload into it (Fig. 4)

Fig. 4: Process injection using Windows APIs

However, the injected payload does not run properly and displays an error message (Fig. 5).

Fig. 5: Unhandled exception popup

The error occurs because the injector cannot inject the overlay part of the payload, which is where the command-and-control (C&C) server details are stored. As the injection code snapshot shows, the injector allocates memory in the target process equal to the image length (SizeOfImage) defined in the payload's PE header (Fig. 6). Bytes appended after the last section are not covered by any section header, so they are never copied into the target. This means Mjag cannot properly inject payloads (such as Punisher RAT) that keep important data in the overlay.

Fig. 6: Injector code

For the purpose of this blog, we patched the memory-mapping issue and continued our analysis of the infection cycle involving Punisher RAT.

Analysis of Punisher RAT

Punisher RAT is packed and written in .NET. The Punisher RAT builder is publicly available and can be configured with a range of features. In the builder (Fig. 7), you can configure the server IP, name, password, and listening port. The RAT communicates with the given server IP and sends it all the information stolen from the victim's machine. The builder can also add more functionality to the binary, including anti-VMware, anti-AV, sandbox detection, and USB spreading for further infection, among others.

Fig. 7: Punisher RAT builder

During analysis, we saw various functions of this malware, including:

1. Password stealing module

The malware hunts for the data of various applications and steals the stored credentials. In Fig. 8 it is trying to steal the saved login credentials of the Chrome browser. The stolen information looks like:

|URL| http://facebook.com |USR| username or e-mail |PWD| userpassword

Fig. 8: Stealing module

The Punisher RAT attempts to steal sensitive data from the following applications on the infected system: FileZilla, No-IP Dynamic Update Client, Dyn DNS, Paltalk, Firefox, Chrome, Hotmail, Yahoo, Opera, and Internet Explorer.

2. Anti-task manager

The malware checks for the processes of the following applications and prevents them from terminating any other process running on the user's system: Process Explorer, Process Hacker, and Task Manager. This lets the malware author ensure that the malware processes cannot be terminated. Fig. 9 shows that when you attempt to kill the 'a.exe' process using Process Explorer, the "OK" button is replaced by an "Error" button.

Fig. 9: Anti-task manager

3. Keylogging

The malware captures keystrokes (Fig. 10) and stores them in the %AppData%/{random digits}.log file.

Fig. 10: Capturing keystrokes

4. Persistence

The malware copies itself into the startup folder and creates a run key pointing at that location under HKCU\software\microsoft\windows\currentversion\run.

5. Spreading vector

The malware looks for removable drives and CD-ROMs to infect and creates an .lnk file on them. Fig. 11 depicts the spreading mechanism through a USB device.

Fig. 11: USB spread

6. AV checks

The Punisher RAT checks for installed AV software (Fig. 12) and reports it to the server.

Fig. 12: Checking AV

Network activity

The hardcoded C&C information (Fig. 13) is extracted from the payload; the RAT splits this data using the delimiter "abccba".

Fig. 13: C&C server information

It also collects information about the running processes, for example:

AW|BawaneH|Process Explorernj-q8
AW|BawaneH|Notepadnj-q8

The table in Fig. 13 lists the C&C information extracted from the payload. The RAT uses "BawaneH" as the delimiter when splitting server response data and performs various actions based on the received commands. We observed a total of 59 commands from the server, shown in the following table:

Fig. 14: Received commands

IOCs

MD5: 0a459c18e3b8bdef87a6fb7ea860acdb
Filename: NEFTIOBAN1830369427520181030ABBIdiaLtddt30102018_pdf.exe
Download URL: tenau[.]pw/owa/neftioban1830369427520181030abbidialtddt30102018_pdf.exe
C&C: chris101.ddns.net

Sandbox Report

Fig. 15: Zscaler Sandbox report
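The overlay problem in the Mjag injector is easy to reproduce from the PE layout alone: the loader sizes its allocation from SizeOfImage and copies the headers and sections, so anything the payload keeps after the last section's raw data is never mapped. The following is an added example (not Zscaler's or the malware's code) that builds a minimal PE32 image in memory, appends a constructed overlay standing in for an embedded C&C configuration, and then computes the overlay exactly as a section-table walk would see it. The overlay bytes and the section layout are constructed for the demo; the real Punisher RAT config format is not reproduced.

```python
import struct

# Constructed stand-in for a configuration blob stored in the overlay.
# This is NOT the real Punisher RAT layout, only sample data for the demo.
SAMPLE_OVERLAY = b"chris101.ddns.net|1177|constructed-config"


def build_sample_pe(overlay: bytes) -> bytes:
    """Build a tiny, non-runnable PE32 file: DOS header, NT headers, one .text
    section whose raw data ends at file offset 0x400, then `overlay` appended."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)            # e_lfanew -> "PE\0\0"
    size_of_opt = 224                                       # PE32 optional header
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_of_opt, 0x102)
    opt = bytearray(size_of_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 56, 0x3000)                 # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)                  # SizeOfHeaders
    raw_ptr, raw_size = 0x200, 0x200
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, reloc/linenumber pointers and counts, Characteristics
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", 0x1000, 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + section).ljust(raw_ptr, b"\0")
    return headers + b"\xCC" * raw_size + overlay


def pe_overlay(data: bytes):
    """Return (SizeOfImage, overlay_bytes). The overlay is everything after the
    highest PointerToRawData + SizeOfRawData in the section table. No section
    describes it, so an injector that allocates SizeOfImage and copies headers
    plus sections leaves it behind on disk."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_of_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    size_of_image = struct.unpack_from("<I", data, e_lfanew + 24 + 56)[0]
    sec_table = e_lfanew + 24 + size_of_opt
    end_of_sections = 0
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    return size_of_image, data[end_of_sections:]


def injection_loses_overlay(data: bytes) -> bool:
    """True when a SizeOfImage-based injector would drop data the payload needs."""
    _, overlay = pe_overlay(data)
    return len(overlay) > 0


if __name__ == "__main__":
    sample = build_sample_pe(SAMPLE_OVERLAY)
    size_of_image, overlay = pe_overlay(sample)
    print(f"SizeOfImage=0x{size_of_image:x} file_size=0x{len(sample):x} overlay={overlay!r}")
    print("injector would drop the overlay:", injection_loses_overlay(sample))
```

Run against a real sample, a non-empty overlay from pe_overlay() is the first thing to check when an injected .NET payload dies with an unhandled exception as in Fig. 5: the code reached memory, but its configuration did not.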
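The string formats quoted in the Punisher RAT analysis (the stolen-credential record, the "abccba"-delimited C&C configuration and the "BawaneH"-delimited server messages) are simple enough to parse with a few lines of regex, which is what an analyst writes first when pulling these artifacts out of memory dumps or keylog files. The following is an added example, not the RAT's code and not Zscaler's tooling. The credential record and the process-report lines follow the formats quoted above; the configuration blob and its field order (host, port, campaign name, password, taken from the builder's options) are constructed assumptions that must be confirmed against a real sample, and treating the leading "AW" token as the command is likewise an assumption.

```python
import re

CONFIG_DELIM = "abccba"     # delimiter in the hardcoded C&C configuration
RESPONSE_DELIM = "BawaneH"  # delimiter in server messages

# Constructed samples. The credential record copies the format quoted in the
# analysis; the config blob and its field order are assumptions for the demo.
SAMPLE_CREDENTIAL = "|URL| http://facebook.com |USR| victim@example.com |PWD| hunter2"
SAMPLE_CONFIG = "chris101.ddns.net" + CONFIG_DELIM + "1177" + CONFIG_DELIM + "HacKed" + CONFIG_DELIM + "a7p9k"
SAMPLE_RESPONSES = [
    "AW|BawaneH|Process Explorernj-q8",   # quoted in the analysis
    "AW|BawaneH|Notepadnj-q8",            # quoted in the analysis
]

CRED_RE = re.compile(r"\|URL\|\s*(?P<url>\S+)\s*\|USR\|\s*(?P<user>.*?)\s*\|PWD\|\s*(?P<pwd>\S+)")
# The delimiter may be surrounded by "|" in observed messages; strip those too.
RESPONSE_RE = re.compile(r"\|?" + re.escape(RESPONSE_DELIM) + r"\|?")


def parse_credential(record: str):
    """Parse one stolen-credential record into url/user/pwd, or None."""
    m = CRED_RE.search(record)
    return m.groupdict() if m else None


def parse_config(blob: str) -> dict:
    """Split the hardcoded config on "abccba". Field order is an assumption."""
    parts = blob.split(CONFIG_DELIM)
    if len(parts) < 4:
        raise ValueError("expected at least 4 config fields, got %d" % len(parts))
    host, port, name, password = parts[:4]
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("port field is not a valid TCP port: %r" % port)
    return {"host": host, "port": int(port), "name": name, "password": password}


def split_response(msg: str):
    """Split a server message on "BawaneH"; returns (command, arguments).
    The trailing "nj-q8" seen on every quoted line is left in place, since the
    analysis does not state its role."""
    parts = RESPONSE_RE.split(msg)
    return parts[0], parts[1:]


if __name__ == "__main__":
    print(parse_credential(SAMPLE_CREDENTIAL))
    print(parse_config(SAMPLE_CONFIG))
    for line in SAMPLE_RESPONSES:
        print(split_response(line))
```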
Categories: Security Posts

The Top 10 ThreatLabZ blogs from 2018

Zscaler Research - 1 hour 10 mins ago
The Zscaler ThreatLabZ team is continually hunting new threats, analyzing them, and sharing its findings in blogs and reports on the Zscaler site. What follows are the most read and shared blogs of 2018.

Android apps infected with Windows malware reemerge
By Gaurav Shinde
This blog explores apps available on Google Play that were infected with malicious iFrames. Though the malware posed no immediate threat to users, its discovery highlights the fact that infections can be propagated across different platforms. A clever attacker can leverage this vector to serve second-stage malicious payloads, depending on the type of device platform visiting the URL.

Fake Fortnite apps scamming and spying on Android gamers
By Viral Gandhi
Fortnite is a co-op sandbox survival game and, at the time of the ThreatLabZ report, had 45 million players and more than three million concurrent users. In 2018, its maker, Epic Games, announced a version for iOS. Malware authors, knowing that Android users would be anxious to get Fortnite, created fake Fortnite for Android apps to spread their payloads, including spyware, a coin miner, and some unwanted apps.

CVE-2017-8570 and CVE-2018-0802 exploits being used to spread LokiBot
By Mohd Sadique
This blog provides an overview of malicious RTF documents that exploit the CVE-2017-8570 and CVE-2018-0802 vulnerabilities to install malicious payloads on victims' machines. The team shares its analysis of a campaign leveraging these two exploits to deliver LokiBot.

The latest cloud hosting service to serve malware
By Dhanalakshmi
Cloud services are under attack because they enable bad actors to open inexpensive hosting accounts and hide malicious content in the cloud-based domains of well-known brands. The ThreatLabZ team discovered that a popular managed cloud hosting service provider had been serving phishing attacks and other malware in the wild as far back as February 2018.

Meltdown and Spectre vulnerabilities: What you need to know
By Deepen Desai
By allowing attackers to gain unauthorized access to sensitive information in system memory, Meltdown and Spectre represent a new class of microarchitectural attacks that use processor performance optimization features (speculative and out-of-order execution) to bypass built-in security mechanisms. This blog provides an analysis of the vulnerabilities as well as mitigation information.

Cryptominers and stealers – malware edition
By Atinderpal Singh and Rajdeepsinh Dodia
Due to their decentralized nature, cryptocurrencies are impossible for any single authority to control or censor, and that makes them attractive to cybercriminals. With more than 4,000 cryptocurrencies on the market rising in both value and popularity, we have seen a rise in malware that targets bitcoins or altcoins for financial gain. This blog provides insight into various cryptominer and stealer variants.

DarkCloud Bootkit
By Nirmal Singh
Following on from the report about cryptomining and wallet-stealing techniques, this blog provides a technical analysis of yet another type of cryptominer malware, one that uses a bootkit and other kernel-level shellcode for persistence.

Spam campaigns leveraging .tk domains
By Mohd Sadique
ThreatLabZ identified a campaign using the ".tk" top-level domain, which started with compromised sites that redirect users either to fake blog sites that generate ad revenue or to fake tech support sites that claim to remove viruses. We estimated at the time that at least USD 20K per month in revenue was being generated from the fraudulent ad activity alone.

Magecart campaign remains active
By Rubin Azad
Magecart is a notorious hacker group that has been responsible for large-scale attacks on the e-commerce sites of well-known brands. In this blog, we examine the campaign's recent activity and its methods for skimming credit and debit card information for financial gain.

Ubiquitous SEO poisoning URLs
By Jim Wang
SEO poisoning is an attack method that involves creating web pages packed with trending keywords in an effort to get a higher ranking in search results. SEO poisoning is also a way to redirect users to unwanted applications, phishing, exploit kits and malware, porn, advertisements, and so on. This blog includes examples and analysis of the techniques in use.
Categories: Security Posts

Sieren: A new DoS bot

Zscaler Research - 1 hour 10 mins ago
Zscaler ThreatLabZ recently discovered a new DoS bot family named Sieren. A denial-of-service (DoS) attack is a cyberattack in which criminals disrupt the service of a host connected to the internet, either temporarily or indefinitely, for its intended users. In this analysis, we describe Sieren's functionality and communication, its 10 DoS methods, its bot commands, and its IoCs.

Functionality

Sieren is capable of HTTP, HTTPS, and UDP flooding against any web server location the command-and-control (C&C) server instructs it to attack.

Network communication

Sieren starts communication with the server by sending system information. The fields are separated by the "&" symbol:

ping
User Name
Machine Name
OS version
Processor architecture (0 if 32-bit, otherwise 1)
MD5 of the above data

In response, the C&C server sends a target URL for the DoS attack. Again the fields are separated by the "&" symbol:

pong
60: used for sleep (60 * 1000 milliseconds)
Task_ID = 260
Method = 2
Target = https://deti-online.com/
Type = GET
Threads = 100
Sleep = 100
Port = 0
Sockets = 0 (number of sockets)
Size = 0 (size of data sent through each packet during the DoS)
CreatedAT = Timestamp
Data = Empty (data sent through each packet during the DoS)

The malware can attack the target URL using different methods. The variant we analyzed supports 10 flooding methods and chooses one based on the data received from the C&C server. In the instance above, a Russian educational material website (https://deti-online[.]com) was the intended target. During our analysis we also saw the C&C server hand out other targets, such as forum.exlpoit[.]in and x3p0[.]xyz.

The parameters each method consumes are listed below ("-" means the method ignores that field):

Method  Task_ID  Target  Type (GET/POST)  Threads  Sleep  Data  Sockets  Port  Size of data
1       Yes      Yes     Yes              Yes      Yes    -     -        -     -
2       Yes      Yes     Yes              -        Yes    -     -        -     -
3       Yes      Yes     Yes              -        -      -     -        -     -
4       Yes      Yes     -                -        Yes    Yes   -        -     -
5       Yes      Yes     -                -        Yes    -     -        -     -
6       Yes      Yes     -                -        -      -     Yes      Yes   -
7       Yes      Yes     -                -        -      -     Yes      Yes   -
8       Yes      Yes     -                -        -      -     Yes      Yes   Yes
9       Yes      Yes     -                -        -      -     -        Yes   Yes
10      Yes      Yes     -                -        -      -     -        Yes   Yes

The C&C server can specify the port, data, sleep time, number of sockets, and packet size to be used during flooding. During flooding, a User-Agent is selected at random from a predefined list, shown below.

DoS methods supported by Sieren

Method 1: The malware first obtains the cookies for the target URL using InternetGetCookieEx and includes them in the HTTP header of the flood requests. Based on the protocol (HTTP/HTTPS) and the request method (POST/GET), it starts sending multiple requests to the target URL. The screenshots below show the code that generates the header, the HTTP flooding code, and the HTTPS flooding code.

Method 2: The malware creates 50 sockets and sends 50 HTTP requests, then sleeps for the value supplied by the C&C server. It repeats this cycle as long as the task ID is active.

Method 3: Similar to method 2, but the bot does not sleep after every 50 requests.

Method 4: The bot includes the data supplied by the C&C server in the flood requests to the target URL.

Method 5: The bot also reads the response while flooding the target URL, after which it sleeps for 100 seconds and then resumes sending flood requests.

Method 6: Used when the C&C server specifies the number of sockets and the port. The bot does not send HTTP or HTTPS flood requests; instead it opens multiple sockets to the target in an attempt to exhaust server-side resources, repeatedly closing and reopening sockets as long as the task ID remains active.

Method 7: Identical to method 6; it appears to be a placeholder for a future update.

Method 8: The bot receives the size of the random data, the number of sockets, and the port from the C&C server. It generates random data of the specified size, opens multiple sockets, and floods the target with that data.

Method 9: The C&C server supplies the size of the random data and the port. The bot generates random data and floods the target on the specified port.

Method 10: UDP flooding. The bot sends random data over UDP and sets the TTL (time to live) of these packets to a value between 220 and 225.

The bot stops flooding once the C&C server stops sending further commands.

Sieren bot commands

Apart from the DoS methods, the malware supports three additional commands:

"dlexec": Download a payload from the URL given by the C&C server and execute it.
"update": Download the updated version and execute it, then delete the old copy using a cmd process.
"Uninstall": Delete itself using a cmd process.

Indicators of Compromise

MD5: 320A600147693B3D135ED453FAC42E82
URLs:
cx93835[.]tmweb.ru/rrljw91zqd.exe
burgerkingfanbase[.]net/great.php
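The check-in and tasking messages above are plain "&"-separated strings, which makes them a good fit for a network detection rule and for a small parser that tells you what a captured task would actually do. The following is an added example, not Sieren's code and not a Zscaler signature. It assumes the check-in fields are positional in the order listed, that the trailing MD5 is computed over the four system-information fields joined with "&" (the post says only "MD5 of the above data"), and that the tasking fields after "pong" and the sleep value are positional in the order listed. The method-to-parameter mapping comes from the table above; the sample messages are constructed.

```python
import hashlib

FIELD_SEP = "&"
TASK_FIELDS = ["task_id", "method", "target", "type", "threads", "sleep",
               "port", "sockets", "size", "created_at", "data"]
# Which tasking fields each DoS method consumes, per the parameter table.
METHOD_PARAMS = {
    1: {"type", "threads", "sleep"}, 2: {"type", "sleep"}, 3: {"type"},
    4: {"sleep", "data"}, 5: {"sleep"}, 6: {"sockets", "port"},
    7: {"sockets", "port"}, 8: {"sockets", "port", "size"},
    9: {"port", "size"}, 10: {"port", "size"},
}

# Constructed tasking message modelled on the pong layout quoted above.
SAMPLE_PONG = FIELD_SEP.join(["pong", "60", "260", "2", "https://deti-online.com/",
                              "GET", "100", "100", "0", "0", "0", "1545000000", ""])


def build_ping(user: str, machine: str, os_version: str, is_64bit: bool) -> str:
    """Produce a check-in as the bot would (assumed hashing input, see lead-in)."""
    info = [user, machine, os_version, "1" if is_64bit else "0"]
    digest = hashlib.md5(FIELD_SEP.join(info).encode()).hexdigest()
    return FIELD_SEP.join(["ping"] + info + [digest])


def looks_like_sieren_ping(msg: str) -> bool:
    """Detection check for a captured request body: six "&"-separated fields,
    "ping" first, a 0/1 architecture flag, and a trailing MD5 that matches the
    preceding system information. The hash check keeps generic "ping&..." text
    from matching."""
    parts = msg.split(FIELD_SEP)
    if len(parts) != 6 or parts[0] != "ping" or parts[4] not in ("0", "1"):
        return False
    expected = hashlib.md5(FIELD_SEP.join(parts[1:5]).encode()).hexdigest()
    return parts[5].lower() == expected


def parse_pong(msg: str) -> dict:
    """Turn a tasking message into a dict; numeric fields become ints and the
    leading sleep value is converted to milliseconds as the bot does."""
    parts = msg.split(FIELD_SEP)
    if parts[0] != "pong" or len(parts) < 2 + len(TASK_FIELDS):
        raise ValueError("not a complete pong message")
    task = dict(zip(TASK_FIELDS, parts[2:2 + len(TASK_FIELDS)]))
    for key in ("task_id", "method", "threads", "sleep", "port", "sockets", "size"):
        task[key] = int(task[key])
    task["sleep_ms"] = int(parts[1]) * 1000
    if task["method"] not in METHOD_PARAMS:
        raise ValueError("unknown method %d" % task["method"])
    return task


def effective_params(task: dict) -> dict:
    """Only the fields the selected flood routine will use; everything else the
    C&C sent is ignored by that method, which matters when triaging a capture."""
    used = METHOD_PARAMS[task["method"]]
    return {k: task[k] for k in TASK_FIELDS if k in used}


if __name__ == "__main__":
    ping = build_ping("bob", "WIN-LAB01", "Windows 7 SP1", False)
    print(ping, "->", looks_like_sieren_ping(ping))
    task = parse_pong(SAMPLE_PONG)
    print("task", task["task_id"], "method", task["method"], "uses", effective_params(task))
```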
Categories: Security Posts

2019 Will See Cybercriminals Eye Opportunities in Cryptocurrency and IoT to Launch Their Attacks

Zscaler Research - 1 hour 10 mins ago
Cybercriminals never take vacations. They are always scanning the horizon to see which new technologies are being adopted by legitimate enterprises and are therefore ripe to be exploited, or how to abuse trusted protocols to steal the credentials of unsuspecting consumers. The coming year will be no different, but in some cases the tools will change. Here are my predictions for the cybercrime trends that will get our attention in 2019.

Prediction #1: Malware operators will cash in on cryptocurrency

We will continue to see more malware operators make money from cryptocurrency, either by mining coins on infected systems or by stealing cryptocurrency from them. This will involve new and existing malware strains adding cryptomining and stealing functionality. The three most common types of crypto-malware are cryptominers, wallet stealers, and clipboard hijackers, and we expect to see an increase in all three. Here is how they work:

Once downloaded, cryptominer malware works in the background, stealing CPU cycles to mine digital currency such as bitcoin without the user's knowledge or consent. By spreading their malware across thousands of machines, the operators effectively form a mining pool that can produce big payoffs for the malware author. In 2018, cryptomining surpassed ransomware to become one of the top threats, and that trend is expected to continue.

Wallet stealing will increase too, in both frequency and sophistication. Wallets do not store the cryptocurrency itself; they store the keys needed to access or spend the funds recorded on the blockchain. Expect to see new variants with functionality to locate and steal wallet.dat files.

Clipboard hijacking is another recent innovation. Because cryptocurrency wallet addresses are long, random-looking sequences of alphanumeric characters, they are difficult to remember, so almost all cryptocurrency owners copy and paste their wallet address when making transactions. On an infected system, malware can watch the clipboard for wallet addresses and silently replace the copied address with one belonging to the malware operator, so that the transaction the user pastes and sends goes to the attacker.

Prediction #2: SSL/TLS-delivered threats will become more common

We have seen steady growth in overall SSL/TLS-encrypted traffic this year, which now accounts for almost 75 percent of total enterprise traffic going through the Zscaler cloud. Cybercriminals are leveraging this encrypted channel at all stages of the cyber kill chain. In particular, there has been a sharp increase in phishing attacks and malware payload delivery over encrypted channels. In the latter half of 2018 alone, 35 percent of the phishing content we saw was delivered over encrypted channels, representing a 300 percent increase since 2016.

Though the volume of SSL/TLS-encrypted traffic has risen sharply, much of it goes uninspected, either because it is assumed to come from trusted sources or, more likely, because of the impact inspection would have on network performance. Attackers can now hide malware in encrypted traffic knowing it is unlikely to be inspected. In 2019, we will continue to see SSL/TLS used by cybercriminals to launch attacks, and we anticipate an increase in phishing attacks and malware payload delivery over these channels, as cybercriminals take advantage of the assumed trust in encryption and the ease with which they can obtain digital certificates.

Prediction #3: IoT threats will have a greater impact on enterprises

IoT footprints in enterprise networks have grown rapidly over the past few years, and these internet-connected devices can pose significant risks to enterprise networks. We will continue to see cybercriminals use IoT devices as a beachhead for large-scale attacks against enterprise networks. Some of the largest attacks on record are the result of attackers using IoT devices to carry out massive distributed denial-of-service (DDoS) attacks. IoT devices have notoriously poor security, with well-known default passwords that are rarely changed, and manufacturers are slow to patch vulnerabilities. In addition to employee-owned devices coming into the workplace, organizations are adding hundreds or even thousands of IoT devices to their environments, such as cameras, printers, IP phones, televisions, kitchen appliances, thermostats, and more.

Besides the potential for DDoS attacks, IoT vulnerabilities are being used by attackers as an entry point into a network, from which they hop from one vulnerable device to the next, undetected. Once an attacker gains a toehold in a network through a compromised device, it can be used for spreading malware, stealing credentials, leaking data, and sniffing traffic. Unfortunately, until manufacturers take the threat seriously and bake security into their devices, these attacks will continue to rise in 2019 and beyond. US-CERT (the United States Computer Emergency Readiness Team) has published security tips for IoT devices.

Prediction #4: Supply-chain attacks will grow

There has been a steady increase in software supply-chain attacks in recent years. These attacks used to be targeted in nature, singling out a specific industry or organization, such as government. However, we are now seeing software supply-chain attacks used to distribute commodity malware as well, which has the potential to affect far larger numbers of users. We will see cybercriminals continue to focus on compromising critical software supply-chain infrastructure to conduct larger attacks. An example of the fast and massive damage a software supply-chain attack can inflict is the June 2017 NotPetya attack. The initial infection came through the update mechanism of an accounting software product and, by the end, it had wiped data from many thousands of computers around the world at banks, energy firms, governments, and more. Not only is a company's valuable data and IP at risk, so too is its reputation, which in the end hits its bottom line. NotPetya appeared to be a state-sponsored attack, but most supply-chain attacks are the result of poor security hygiene, which attackers are always prepared to exploit.

Prediction #5: Criminals will turn their attention to cloud service providers

The increase in cloud adoption has shifted a lot of workflows to the cloud. With that shift, we will see more attacks aimed at infiltrating cloud service providers in an attempt to gain access to valuable data belonging to the organizations using those services. Given the volume of data companies store in public clouds, these attacks may have a far-reaching impact and severe financial consequences.

The cloud service providers themselves have invested heavily in security protections and have large security teams to ensure their systems are sound; they are far more secure than the typical enterprise data center. But many cloud services and their configurations are new and still evolving, and mistakes, such as the widely publicized S3 bucket misconfigurations, have exposed sensitive data at many organizations. The most common source of errors leading to data leaks or the spread of malware, however, is the end user. While your cloud storage system may be well secured, there is always the risk that employees will be careless with their credentials, enabling bad actors to access your data. In 2019, we expect to see an increase in social engineering attacks aimed specifically at employees accessing cloud applications.
Categories: Security Posts

Cyber Monday: The biggest day for cyberattacks? Not by a long shot.

Zscaler Research - 1 hour 10 mins ago
Last week, the Zscaler ThreatLabZ research team published an analysis of the phishing attacks we had seen in our cloud leading up to Black Friday and Cyber Monday. The team had been seeing an increase in a variety of phishing activity, with targeted attacks and faked login pages designed to steal the credentials of unsuspecting shoppers. With Black Friday and Cyber Monday behind us, we decided to take another look at the data to measure the volume of shopping activity across our cloud and the rise in threat activity one would expect to coincide with major online events.

What we found was that Cyber Monday was, indeed, the biggest shopping day of the year on our cloud and elsewhere. According to the National Retail Federation, 50 million people shopped online in the U.S. alone. Amazon reported that Cyber Monday was its biggest shopping day in history, and over the five days from Thanksgiving through Monday, Amazon customers bought more than 180 million items.

What we saw more than a billion times

We can attest to the high volume of shopping activity. On Cyber Monday, the Zscaler cloud processed 1.35 billion internet requests to shopping sites, with by far the highest volume going to Amazon, at 372,824,847 requests. While Monday's shopping traffic represented only 2.18 percent of overall traffic on our cloud, it was 72 percent higher than shopping traffic on a typical day.

Cyber Monday top five shopping sites on the Zscaler cloud: number of requests we processed on Cyber Monday's top shopping sites.

With so much shopping activity, you might think that Black Friday and Cyber Monday would be the days on which cybercriminals crank up the volume, launching phishing attacks and spreading malware to online shoppers. But the traffic patterns on our cloud show otherwise.

Phishing attacks are planned and executed with precision

On Cyber Monday, we blocked a total of 2,337,537 phishing attempts. That is significant, but the number was actually down from the days before Black Friday, and the decrease is consistent with patterns we have seen before. Attacks peak in the days leading up to major events or shopping days. Attackers plan their phishing campaigns for the days when potential victims are looking for deals, aligning their attacks with mainstream advertising campaigns. On the "big day," when shoppers have already decided which sites to visit, the attacks drop off accordingly.

On the three days before Thanksgiving, we blocked the highest numbers of phishing attempts, with a peak of 4.4 million on Wednesday. By Black Friday, attacks had dropped by nearly 30 percent from that high. They continued to decrease in volume through Monday, when attacks were down 46 percent from Wednesday.

November graph: daily phishing attempts blocked on the Zscaler cloud

Why did attacks drop on Cyber Monday?

It has been a long time since hackers could be stereotyped as nerds in a basement using their programming skills to bootleg videos. Today's criminals are sophisticated in their technical execution and in their understanding of market drivers and user behavior. They operate their campaigns like big businesses, because they are. They know when you are most likely to be online and when you will be sifting through the most email (Monday is the most popular day for phishing attacks). They know you are more likely to open tracking slips or invoices than an unknown attachment. And they exploit the trust you have in brands like Amazon, Kohl's, Bank of America, and many others, by creating fake websites that look just like the real thing.

Consumers must change their online behavior accordingly, approaching each online interaction with an awareness of its potential risk. You cannot assume that attachments are safe, even if you recognize the name of the sender; spoofing a sender name is practically effortless. You cannot assume that text messages are safe either, given the rise in SMS phishing: so-called "SMiShing" links can take you to compromised websites just as infected email attachments can.

E-commerce websites can be compromised in a variety of ways. Attackers can inject JavaScript into a site so that the script sends the data entered in input fields to a remote server under their control. Another favorite tactic is creating sites that look like legitimate sites but are designed to steal your personal information. Can you tell the difference between these two Amazon login screens? The screen on the left is the login page of a phishing site that will collect your personal information, including your credit card number, while you think you are on the Amazon site the whole time. The one on the right is the real Amazon login screen. The only visible difference is in the address bar, so be sure the site you are on matches the URL in the address bar.

We also know, as stated above, that today's cybercriminals plan their campaigns with a marketer's precision. It is wise to take extra precautions leading up to and during big events or news days (another November day on which we saw a surge in phishing activity was the sixth, U.S. election day).

Three things you can do right now to protect yourself from phishing:

- Check the authenticity of the URL or website address before clicking a link; make sure the address matches the site you intend to visit
- Ensure online retailers and banking sites use secure connections; the URL should start with HTTPS
- Inspect the source of emails with enticing shopping deals; be wary of all links and attachments

More resources: read the ThreatLabZ Phishing Roundup blog for an analysis of current phishing trends.
Categories: Security Posts

Black Friday & Cyber Monday Deals: Phishing and Site Skimmers

Zscaler Research - 1 hour 10 mins ago
It's that time of year again! The most glorious of shopping seasons has arrived, and users have commenced their annual tradition of flooding e-stores in search of the best deals their money can buy. Threat actors, keen to take advantage of the increased seasonal shopping activity, are deploying targeted phishing campaigns and site skimmers in the hope of cashing in. The spectrum of attacks reaches users in nearly every aspect of their online presence: email, tweets, and websites are all vehicles of abuse. Zscaler has seen a steady rise in phishing attacks leading up to Black Friday and Cyber Monday, and we provide an overview of them here.

Fig. 1: Malicious activity from mid-October through mid-November. The turquoise bars represent targeted phishing attacks.

Targeted phishing

Examining one of the targeted phishing campaigns illustrates the need for caution when shopping online. The faked Amazon sign-in screen is the perfect example, because Amazon is probably the most heavily used online shopping site during the holidays. Aside from the address bar, it is a relatively good knock-off.

Fig. 2: Faked Amazon sign-in form.

This attack does not stop at your Amazon credentials; the site also wants your credit card information.

Fig. 3: Faked Amazon billing page.

A closer look shows that the attackers do not even bother to encrypt the credentials they steal: the form data travels to their server over plain HTTP.

Fig. 4: Wireshark exposes the packets moving between client and server over HTTP.

The best defense is to always be conscious of the address bar. A store like Amazon is never going to ask you for sensitive information away from the Amazon site.

Site skimmers

Other sophisticated attacks that have proven even more insidious are site skimmers such as MageCart. MageCart refers to a hacker group responsible for large-scale attacks on e-commerce sites. MageCart compromises a well-known or trusted site and injects malicious, obfuscated JavaScript that can tap into purchases. The injected script adds a form to the payment page at runtime using Document Object Model (DOM) properties, and the information skimmed can include all the personal information requested by the compromised e-commerce page. This type of attack is detailed in another blog. Despite several security vendors taking notice, users are still being affected daily. An updated chart of MageCart hits since our September 28 blog shows that this attack is not stopping anytime soon.

Fig. 5: MageCart activity between September 20 and November 15.

The best defense against this threat is a malware detection tool that sits inline with the browser. Such tools have the best chance of detecting the malicious JavaScript on an online store's page.

Cryptocurrency mining

The final attack we review is cryptojacking. Unlike the other attacks discussed, cryptojacking does not target the user's sensitive information but rather their system resources. A small piece of JavaScript injected into a page uses the user's browser to mine cryptocurrency for the attacker, and attackers are taking advantage of shopping-season traffic to bolster their crypto wallets.

Fig. 6: An online shopping aggregator linking to Amazon, but redirecting users' systems to mine Monero.

Behind the scenes of this shopping site lies a small piece of JavaScript that redirects the user's system resources to mining cryptocurrency through the CoinHive service.

Fig. 7: CoinHive injection script that uses the user's system resources to mine Monero.

The best defense against this kind of attack is a JavaScript-blocking browser extension such as ScriptSafe or NoScript, which lets you choose which sites may execute JavaScript.

Conclusion

The ThreatLabZ team at Zscaler works diligently to ensure that customers do not fall victim to the malicious activities described above. Users should be cautious and protect themselves by reviewing our security checklist, particularly during the shopping season:

- Check the authenticity of the URL or website address before clicking a link
- Ensure online retailers and banking sites use HTTPS/secure connections
- Do not use unsecured public Wi-Fi for shopping
- Inspect the source of emails with enticing shopping deals; be wary of any suspicious attachments
- Steer clear of unofficial mobile application stores
- Use two-factor authentication whenever possible, especially on sensitive accounts such as those used for banking
- Always ensure that your operating system and web browser are up to date and have the latest security patches installed
- Use browser add-ons like Adblock Plus to block popups and potential malvertising
- Use browser add-ons like No Coin to block a site's attempts to use your computer for cryptocurrency mining
- Back up your documents and media files
- Review the Identity Theft Guide and FAQs from the Federal Trade Commission
- Review the National Cybersecurity and Communications Integration Center's (NCCIC) Holiday Scams and Malware Campaigns warning and recovery actions message

Wishing you all a very happy, healthy, and safe Thanksgiving!

Zscaler™, Zscaler Internet Access™, Zscaler Private Access™, ZIA™ and ZPA™ are either (i) registered trademarks or service marks or (ii) trademarks or service marks of Zscaler, Inc. in the United States and/or other countries. Any other trademarks are the property of their respective owners.
Categories: Security Posts

Zscaler ThreatLabZ Phishing Roundup

Zscaler Research - 1 hour 10 mins ago
Phishing is an attempt to steal personally identifiable information, such as Social Security numbers, credit card details, date of birth, and other sensitive data. Typically, phishing targets a user with an email containing a link to a website that imitates a legitimate website the user might visit. As users have become savvier about their online practices, the developers of phishing sites have upped their game, too: many of the sites we see are carefully designed to look like the sites they’re imitating, and clever tactics are used to trick potential victims.

In this blog, we will share some insights from phishing activities blocked across the Zscaler™ cloud. We’ll cover the top brands and categories we are seeing targeted by phishing campaigns, recent examples of campaigns, and some of the tactics being used by threat actors to be more successful.

Types of phishing

There are different types of phishing activity, including:

Spear phishing, in which the phishing attempt is targeted against certain organizations or individuals working for specific companies.
SMiShing, also known as SMS phishing, which involves a message (SMS communication) that targets victims and entices them to click on URLs hosting phishing websites.
Whaling, in which threat actors target high-profile individuals, such as senior executives in a company, most often to gain internal company information that is not public knowledge.

What brands are being targeted?

While it might be easier to spoof the sites of lesser-known brands, where differences wouldn’t be so apparent, the actors trying to steal personal information need to impersonate popular sites for maximum return, raising the odds of snaring a victim. Their phishing sites often feature the biggest brands, and they use a variety of tricks to evade detection, which we’ll describe in this report. Some of the most commonly targeted brands we’ve seen in the recent phishing campaigns can be seen below:

Fig. 1: Top phished brands in the Zscaler Cloud

Microsoft tops the list partly because Microsoft’s multiple enterprise web properties, such as OneDrive, Office 365, and Outlook Web Access, among others, are being targeted by the threat actors. Microsoft was followed by Facebook and PayPal in the list. In addition to the known brands, it was interesting to see phishing campaigns targeting travel visa portals (Canadian Visa and Australian Visa, for example) included in our top five most targeted brands. The attackers in this case were most likely interested in phishing for sensitive immigration information, such as passport details, date of birth, and national identification numbers.

The top five most commonly targeted application categories we saw in the recent phishing campaigns include:

Communications (41.4%)
Social media (18.3%)
Finance (16.7%)
Travel (12.4%)
Dating (3.4%)

Fig. 2: Top phished site categories in the Zscaler Cloud

Delivery of phishing content

The majority of the phishing campaigns start with an email or message containing a link to a site hosting the phishing page. If the user clicks on the link, the phishing page is delivered. We have seen an increasing number of phishing attempts being delivered over an encrypted channel (HTTPS). We believe this increase is most likely due to the availability of domain validated (DV) SSL certificates. These certificates are easy to obtain from free SSL cert providers like Let's Encrypt as well as commercial Certificate Authorities. Multiple commercial CAs also offer free DV SSL certs with shorter validity periods, with the expectation that the client will purchase a paid certificate once those expire. However, these offers provide a safe haven for cybercriminals, who often leverage these short-term certs to deliver malicious content and then discard them. About 65 percent of all phishing content we’ve seen in the past three months was over HTTP and the remaining 35 percent was over HTTPS. This represents a 300 percent increase in phishing content being delivered over HTTPS since 2016.

A look at recent phishing examples: Chalbhai campaign

We continue to see a known phishing campaign using the tag chalbhai in its form statements. This campaign has been targeting users with phishing pages that mimic American Express, Microsoft Office, and Adobe; seasonal campaigns like fake IRS and TurboTax webpages during tax season; and, more recently, holiday shopping season pages. A sample of this tag being used on a Wells Fargo phishing page is shown below.

Fig. 3: Chalbhai tag shown in the source code

Usage of compromised sites

Below is an example of a legitimate site that has been compromised; the attacker has hosted multiple phishing sites on the compromised domain. The screenshot shows the open directory found on the compromised web server.

Fig. 4: Compromised web server

The two screenshots that follow are phishing pages designed to look like pages of legitimate websites, including a single sign-on page for Abilene Christian University and a Bank of America page.

Fig. 5: Faked SSO for Abilene Christian University

Fig. 6: Faked Bank of America page

If the user falls for these phishing pages, the credentials are harvested and posted to the attacker-controlled location.

Evasion and Anti-Analysis Techniques

1. Use of images instead of content

Phishing websites are usually cloned copies of the legitimate sites. The difference in the case of Bank of America is that the faked page is almost entirely made up of a single image with a simple credential login form. This helps to evade engines running heuristics on the page source code.

2. Preventing access to page source

A simple anti-analysis technique used by scammers is disabling the right-click functionality to prevent users from checking the page source. This can be seen in the phishing page below, which is pretending to be an Adobe Online document.

Fig. 7: Malicious Adobe Online document

3. Filtering based on user IP address, host names, and User-Agent strings involved in the request

We’ve also observed malicious actors trying to fingerprint the requester and serve phishing content based on the user’s IP address, host name, and user agent. We can see an example in the snippet below, where the attacker is maintaining a list of IP addresses, hostnames, and User-Agent strings known to be used by security researchers and analysts while attempting to fetch the phishing page. If any request to the phishing site arrives from one of the known IP addresses or hostnames, or has one of the listed User-Agent strings, then the phishing page will not be served. This tactic helps the attacker keep the phishing page content undetected for a longer duration.

Fig. 8: Banned source IP addresses, hostnames, and User-Agent strings

4. Exfiltrating information as an image instead of content

We have also seen multiple instances of phishing attacks that prompt users to verify their identity by asking them to upload a copy of their ID, as shown in the code below.

Fig. 9: Coded to prompt users to upload identification card

The sensitive user information in this case is being stolen in the form of an image, which will bypass content-based data loss prevention engines.

5. Encrypted phishing

We have also seen a few phishing pages that use encryption to hide the source code in an attempt to evade detection by security engines. One such example, for a faked PayPal page, is shown below.

Fig. 10: Encrypted source code for a phishing page

6. Punycode-based hostnames

We have also seen attempts to use punycode, in which threat actors use homograph techniques to construct a URL that looks like a legitimate URL but uses characters from non-English character sets to trick the user. (See our Punycode blog for examples of this technique.) This technique makes it difficult for reputation-based engines to keep up.
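The punycode technique in point 6 can be checked from the defender's side without any reputation feed: decode each xn-- label, look at which Unicode scripts its letters come from, and fold known look-alike letters back to Latin to see whether the label collapses into a brand name. The following is an added example (it is not code from the Zscaler post); the confusables table is a small constructed subset of the Unicode confusables data, and the watched-brand list is an assumption taken from brands named in this post.

```python
import unicodedata

# Partial, constructed table of non-Latin letters that render like Latin ones
# (Cyrillic and Greek lowercase). A production tool would load the full Unicode
# confusables data; this subset is enough to show the check.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u03bf": "o",
}
# Brands named in the post (assumption); a label that folds to one is interesting
WATCHED_BRANDS = {"paypal", "microsoft", "amazon", "facebook", "apple"}


def decode_hostname(host: str) -> str:
    """Decode every xn-- label of a hostname back to Unicode with the punycode codec."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                labels.append(label[4:].encode("ascii").decode("punycode"))
            except (UnicodeError, ValueError):
                labels.append(label)  # malformed label: keep the raw form
        else:
            labels.append(label)
    return ".".join(labels)


def scripts_in(label: str) -> set:
    """Script family of each letter, taken from the first word of its Unicode name
    (LATIN, CYRILLIC, GREEK, ...). Digits and hyphens are ignored."""
    families = set()
    for ch in label:
        if ch.isalpha():
            try:
                families.add(unicodedata.name(ch).split()[0])
            except ValueError:  # unnamed code point
                families.add("UNKNOWN")
    return families


def fold_confusables(label: str) -> str:
    """Replace look-alike letters with the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def homograph_risk(host: str) -> dict:
    """Report why a hostname may be a homograph of a Latin-script brand."""
    decoded = decode_hostname(host)
    reasons = []
    for label in decoded.split("."):
        families = scripts_in(label)
        if len(families) > 1:  # a real IDN label is normally written in one script
            reasons.append(f"mixed scripts {sorted(families)} in label '{label}'")
        folded = fold_confusables(label)
        if folded != label and folded in WATCHED_BRANDS:
            reasons.append(f"label '{label}' folds to watched brand '{folded}'")
    return {"host": host, "decoded": decoded, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample: 'paypal' with a Cyrillic 'а', encoded as a browser would send it
    sample = "xn--" + "p\u0430ypal".encode("punycode").decode("ascii") + ".com"
    for h in ("www.paypal.com", sample):
        print(homograph_risk(h))
```

A single-script non-Latin label (a genuine Cyrillic domain, for instance) produces no finding, which keeps the check from flagging every internationalized name; only mixed scripts or a fold onto a watched brand are reported.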
Anatomy of scam page creation

Let’s now take a look at how typical scam web pages are created to perform financial fraud and phish for sensitive information. Attackers copy website templates to create scam websites, making the scam pages look very similar to the original, as seen below:

Fig. 11: Scam websites are built using templates to mimic legitimate sites

Most of the time, the fakes include small changes to evade detection, like changing the names of the doctors on the following page, but the site is otherwise identical.

Fig. 12: Small changes that help attackers evade detection

The scam websites even have live chat support, which responds to queries and guides users through the payment process. The photos of doctors were taken from a royalty-free stock photography database. When checking the source code in the Fig. 11 example, we found that the contents were copied from a legitimate site, santabarbaraherbclinic[.]com, and we can see the timestamp in the screenshot below.

Fig. 13: Source code in scam website shows copied content from a legitimate site

Conclusion

Phishing attacks have been on the rise over the past few years. As end users become more vigilant against clicking suspicious links, attackers have also upped the ante by evolving the way in which the phishing content is delivered as well as the tactics leveraged to make the phishing pages stay undetected for a longer period. While in this blog we focused mainly on commodity phishing and scam pages, some of the tactics mentioned here are also commonly seen in many targeted phishing campaigns (spear phishing, Business Email Compromise, etc.). Zscaler™ ThreatLabZ actively tracks and ensures coverage against phishing campaigns.
Categories: Security Posts

Soulmate: A Dating App That Spies On You

Zscaler Research - 1 hour 10 mins ago
During a recent hunt for malware, the Zscaler™ ThreatLabZ team came across a piece of spyware disguised as an Android app and hosted on Google Play, Google’s official Android app store. The app portrays itself as a partner-matching app called Soulmate, designed to help you find (and keep tabs on) your True Love. But the app has capabilities beyond those described by the developer, like snooping on incoming and outgoing calls, intercepting SMS messages, stealing contacts, tracing current and last-known location, and more.

Fig 1: Soulmate app on Google Play

Zscaler notified Google about the presence of this app and it was immediately taken down from Google Play.

App Details

Name : Soulmate
Package Name : com.kikde.soulmate
Hash : 28be1a661e375547df52e7b544c2745b
Size : 8.6M
Installs : 50+
Offered By : Kikde App

Detailed Information

As soon as the app is started, it greets the user with a splash screen and some basic setup activities. It also asks to register itself as the default keyboard. By doing so, it can log every keystroke entered by the user.

Fig 2: Initial activities

During our analysis, we received a 404 error from the app’s command and control (C&C), which may have been a ploy or may have simply meant that the services were not available at the time of analysis. We decided to look further and found several permissions being requested that did not align with the name or purported function of the app. The screenshot below shows the list of permissions asked for by the app.

Fig 3: Android permissions

Once the setup was done, the app registered and started some services and broadcast receivers. Android services are components that can run in the background without user interaction, and the Android BroadcastReceiver is a component that can be made to trigger when certain system events occur, such as presenting an alert when the battery is low. This spyware registers a broadcast receiver named ReciverHandler. This receiver is registered to execute upon the following events:

Outgoing Call
Connectivity Change
Change of Phone State
Package Added/Removed/Installed
Power Disconnect/Connect
SMS Received
SMS Sent
Boot
Screen ON/OFF

Depending upon which of the above events occurs, the spyware is designed to trigger particular services. We found that this app used the following Android services:

Call Record Service
Record Service
Geofence Service
App Location Service
MyKeyboard Service
Clipboard Monitor Service
Basic Info Upload Service
File Upload Service
Upload Service

Call Record Service and Record Service are responsible for recording the victim’s calls. The screenshot below shows this functionality.

Fig 4: Call recording

Geofence Service and AppLocation Service are responsible for fetching the victim's location. A snippet from the service can be seen below:

Fig 5: Location tracing

Clipboard Service is responsible for stealing everything that is copied/pasted by the victim. The app creates a file named clipboard.txt in which it stores all copied data. Copied data is also uploaded to the server, as shown in the following screenshot.

Fig 6: Clipboard service

The app also tries to steal the victim's SMS messages, as shown below:

Fig 7: SMS stealing

Once every detail is collected, the data is saved in a local database and then sent to the C&C. These functions are achieved with the BasicInfoUpload Service, FileUpload Service, and Upload Service.

As we researched package names, app certificates, and statically collected data, we discovered that this spyware had been uploaded to Google Play in the past with the name Soulmate (Beta) and a different package name (com.perfekt.ats.perfektsoulemates). It was taken down immediately. We also came across a lot of advertising for spyware apps that enable users to spy on loved ones. Some of these ads are shown below.

Fig 8: Spyware advertisements

These advertisements took us to the developer's official website, apps[.]kikde[.]com. KikDe promotes itself as a company that provides services to develop websites, Android apps, iOS apps, Windows apps, SEO (Search Engine Optimization), and more. On the KikDe website, we found references to another company called American Transportation System LLC. Tracing this company, we ended up on a third-party website that was still hosting some of its apps. All these apps contained the word “perfekt” in their titles, and it soon became clear that the earlier app named Soulmate was uploaded by this same entity. Other apps by this developer can be seen in the screenshot below, along with comparisons to the same apps with different names on Google Play:

Fig 9: Third-party vs. Google Play apps

Other apps from this developer were also highly suspicious. For example, Kikde OTP Monitor could be used for forwarding an OTP (One Time Password) to another mobile device. Kikde Secure+ Keyboard was more of a keylogger. We are continuing our analysis of these apps and will report our findings.

Conclusion

It is always advisable to stay away from “spying” apps. They do have some legitimate use cases, such as parents keeping track of the whereabouts of their children. But as we’ve seen with Soulmate, users can’t be sure of what is happening under the hood, and the user who is spying may actually be the one who is spied upon. When considering apps to download, users should always exercise caution. Some apps might have good ratings and favorable reviews, but that is not reason enough to trust them, because such ratings and reviews can easily be supplied by the attackers themselves using other identities. Zscaler protects users from spyware and other malicious apps that call out to C&C servers.
Categories: Security Posts

Ubiquitous SEO Poisoning URLs

Zscaler Research - 1 hour 10 mins ago
SEO poisoning, also known as search engine poisoning, is an attack method that involves creating web pages packed with trending keywords in an effort to trick search engines into giving them a higher ranking in search results. There are different ways to implement SEO poisoning, such as keyword stuffing, the use of hidden text, and cloaking, among others. In addition to manipulating search ranking, SEO poisoning is widely used to redirect users to unwanted applications, phishing, exploit kits and malware, porn, advertisements, and so on. The ThreatLabZ research team has been actively tracking SEO poisoning campaigns; in this blog, we will share some recent examples and an analysis of the techniques used.

“Midterm elections” campaign

Attackers often use holidays and other timely occasions that are likely to generate a lot of search interest. For this analysis, we chose to focus on the upcoming U.S. election. In the following screenshot, there are three SEO poisoned URLs in the Google search result for the keyword “midterm elections.”

Fig. 1: SEO poisoned URLs in Google search

After about a month of looking at this “midterm elections” SEO poisoning campaign, we found more than 10,000 compromised websites with more than 15,000 keywords, and we continue to find hundreds of newly compromised sites involved in this activity every day.

Use of multiple redirects

Let’s take a look at some specific URLs generated by the following SEO poisoning campaign:

websitedukkani[.]com/enj0qnh/godev3a.php?snlhpyouf=midterm-elections-2018-polls

The Google cache for the above URL is shown below, and you can see that the Google crawler got a junk page loaded up with many uses of the keyword “midterm elections.”

Fig. 2: Google crawler loaded with keywords

But when we browsed this URL in Chrome, we discovered that it may be redirected to this page:

Figure 3: SEO poisoning landing page example

We say “may” because the redirected website is different each time. We also noted that it goes through a series of redirects before landing on the final page, as shown in figure 4 below. This is just one of the many measures that cybercriminals are using to deter automated crawlers from adding detection for the landing pages. In our example, the user goes through two redirects via the “302 Found” response code before getting to a real page, as shown in figure 3:

Redirect URL #1 - 5[.]45[.]79[.]15/input/?mark=20180314-landlordpeace.com/0fuq&tpl=9&engkey=how+to+login+to+zscaler
Redirect URL #2 - www[.]hitcpm[.]com/watch?key=027ed88f05536b6c1a41df968c0abb52

Figure 4: The web page content of the last redirect

The final landing page that the user sees will be different every time; in our case the user was served the following web page:

best2017games[.]com/bestgames/playtime/6a6d637637c06de629eb725d6c5c34e1/index.php?country_code=US&p1=http%3A%2F%2Fadsfxs.pro%2Fclick%2F05e45367-502f-4558-8e24-9235a5169358%3Fclickid%3DVjN8MTQyNjk4NDh8MTE0NTYyNXwxNTQ2MzZ8MTUyMTA2NzI3M3wyN2RkMDE5MS0xMThjLTRhNWItYjJiYy1mYWI0Nzk2ZTRjMzJ8NzEuMTk3LjIzMS45NXwzfDIwZTdkNzQ3Mzk3MmU5MTllZDQ2NDY0NTI3ZmE0OTcz%26zoneid%3D14269848

The multiple redirect model provides a perfect platform for a MaaS (Malware-as-a-Service) infrastructure, as it shields the final landing page from automated security crawlers.

Cloaking technique

The attackers are leveraging cloaking techniques whereby the end user is served different content depending on the HTTP headers involved in the web request. We noticed three distinct responses in some of the recent campaigns:

Crawler view: The SEO URL will return a web response that is more catered towards poisoning the search engine results for the relevant search term. This will make the URL appear higher in the search result.
Browser or user view: The SEO URL in this case will lead the user through a series of redirects before a final landing page, dependent upon the campaign. The attacker distinguishes between user view and crawler view by inspecting the user-agent HTTP header of the request. If the user-agent string belongs to a well-known web browser, then user view content is served.
Referer view: The SEO URL in this case will serve different content to the end user, depending on the URL set in the referer HTTP header.

Without cloaking

Without the use of cloaking, the content fetched by the search engine crawler (“crawler view”) and by the direct user (“direct view”) will be identical. However, the SEO page will have scripts to detect whether it is an actual user loading the content in a web browser, in which case the user will be redirected to the final landing page containing the malicious content. Here is an example of an SEO campaign where cloaking is not being used:

URL: tucuerposiente[.]cl/forum/070sxjj.php?bbhb=excel-vba-cells-function

The crawler view and direct view for this SEO URL return identical content. The SEO page in this case will redirect to a final landing page based on the user’s action, such as mouse movement or rendering of the page in the web browser. The crawler will not see the landing page redirect, as there is usually no user interaction or browser rendering involved. Below is a view of what happens when a user browses an SEO-poisoned URL that is not leveraging cloaking techniques. The user will see a webpage as well as a busy icon on the browser tab indicating additional background activity. This activity is leading the user to the final landing page in the background, as shown in this screen capture from Fiddler (a free web request debugging tool).

Figure 5: An SEO poisoned URL without cloaking leads user to landing page

The attacker is leveraging specially crafted CSS (Cascading Style Sheet) to perform a redirect from the user’s browser. In CSS, the URL property can be used to set the background. The figure below shows the typical usage of the URL property (taken from w3schools.com).

Figure 6: URL property

But if you don’t give any parameter to the URL property, like url() instead of url(“URL”), it will load the parent page again. During the second loading, however, the referer HTTP header is set to the parent URL itself. This is the reason there are two requests to the same URL in Fiddler. It is important to note that the malicious content will be served on the second request, in which the referer HTTP header is set to the expected URL. The figure below shows the CSS code snippet used in the SEO page. The line “background-image: url()” will cause the page to reload.

Figure 7: CSS code snippet in the SEO page

The second request will load the malicious code, as shown in the image below.

Figure 8: Malicious code

SEO URL generation

Let’s take a look at a typical SEO URL structure seen in SEO poisoning campaigns:

SEO URL: sbtechsiteleri[.]com/docs/bmfns7.php?gneo=access-vba-form-load

We can divide this URL into several parts:

Host: www.sbtechsiteleri[.]com
URI path: docs
PHP page file: bmfns7.php
Parameter: gneo
Search keywords: access-vba-form-load

The campaign uses different parameters to generate URLs. We have found hundreds of unique parameters; jtjd and wanh are two examples of parameters shown in the screenshot below. From the search result in the screenshot, we can reasonably guess there are hundreds of millions of SEO URLs generated for these two parameters.
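Two things in this post can be turned into checks a site owner can run against their own web server logs: the URL shape just described (host, directory, short random .php name, one short parameter, hyphen-joined search keywords) and the "background-image: url()" reload from the "Without cloaking" section, whose fingerprint is a request whose Referer is the request itself. The following added example (it is not code from the post or from the campaign) parses the three SEO URLs quoted in the post into those parts, scores a URL against that shape, and scans constructed combined-format log lines for self-referer requests. The log lines, the seo-host.example name, and the length thresholds in the regexes are constructed assumptions, not values from the post.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Combined-log-format line: client, timestamp, request line, status, size, referer, user agent
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_FILE_RE = re.compile(r"^[a-z0-9]{5,10}\.php$")           # short random script name (assumed bounds)
PARAM_RE = re.compile(r"^[a-z]{3,10}$")                     # short random parameter name (assumed bounds)
KEYWORDS_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+){2,}$")  # three or more hyphen-joined search terms


def refang(url: str) -> str:
    """Turn a defanged URL (host[.]tld, no scheme) back into something urlparse accepts."""
    url = url.replace("[.]", ".")
    return url if "://" in url else "http://" + url


def parse_seo_url(url: str):
    """Split a URL into the parts the post lists: host, URI path, PHP file, parameter, keywords.
    Returns None when the URL does not have the single-parameter PHP shape."""
    u = urlparse(refang(url))
    if not u.path.endswith(".php"):
        return None
    params = parse_qsl(u.query, keep_blank_values=True)
    if len(params) != 1:
        return None
    directory, _, php_file = u.path.rpartition("/")
    return {
        "host": u.hostname or "",
        "uri_path": directory.strip("/"),
        "php_file": php_file,
        "param": params[0][0],
        "keywords": params[0][1],
    }


def looks_like_seo_url(url: str) -> bool:
    """Heuristic: random short .php name containing a digit, one short alphabetic
    parameter, and a value made of three or more hyphen-joined search terms."""
    parts = parse_seo_url(url)
    if parts is None:
        return False
    return bool(
        PHP_FILE_RE.match(parts["php_file"])
        and any(c.isdigit() for c in parts["php_file"])
        and PARAM_RE.match(parts["param"])
        and KEYWORDS_RE.match(parts["keywords"])
    )


def self_referer_requests(log_lines):
    """Requests whose Referer is the requested URL itself: the trace left by the
    'background-image: url()' reload described in the post."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ref = urlparse(m["referer"])
        ref_target = ref.path + ("?" + ref.query if ref.query else "")
        if ref.hostname and ref_target == m["target"]:
            hits.append((m["ip"], m["target"]))
    return hits


# The three SEO URLs quoted in the post (defanged as printed there)
POST_URLS = [
    "websitedukkani[.]com/enj0qnh/godev3a.php?snlhpyouf=midterm-elections-2018-polls",
    "tucuerposiente[.]cl/forum/070sxjj.php?bbhb=excel-vba-cells-function",
    "sbtechsiteleri[.]com/docs/bmfns7.php?gneo=access-vba-form-load",
]

# Constructed log lines: a crawler fetch, a user's first load, and the CSS-triggered reload
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Mar/2018:10:00:01 +0000] "GET /enj0qnh/godev3a.php?snlhpyouf=midterm-elections-2018-polls HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.5 - - [14/Mar/2018:10:05:42 +0000] "GET /enj0qnh/godev3a.php?snlhpyouf=midterm-elections-2018-polls HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0) Chrome/65.0"',
    '203.0.113.5 - - [14/Mar/2018:10:05:43 +0000] "GET /enj0qnh/godev3a.php?snlhpyouf=midterm-elections-2018-polls HTTP/1.1" 200 9870 "http://seo-host.example/enj0qnh/godev3a.php?snlhpyouf=midterm-elections-2018-polls" "Mozilla/5.0 (Windows NT 10.0) Chrome/65.0"',
]

if __name__ == "__main__":
    for u in POST_URLS:
        print(looks_like_seo_url(u), parse_seo_url(u))
    print(self_referer_requests(SAMPLE_LOG))
```

The self-referer check is the cheaper of the two signals: a legitimate page rarely reloads itself with its own URL as Referer, so the hits it produces on a site's own logs point directly at the injected PHP file, which can then be compared against the IOC list at the end of the post.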
Figure 9: URLs generated

SEO web page generation

Although we don’t have access to the backend code used to generate the SEO webpages, we can draw some insights into the generation process based on our analysis of several pages involved in this activity:

Pick up the keywords from the “search keywords” and search for them in a search engine
Collect the responses that contain the keywords
Generate a final response containing specific strings from the collected responses

The Google cache of the webpage www.sbtechsiteleri[.]com/docs/bmfns7.php?gneo=access-vba-form-load:

Figure 10: Example of Google cache

The first sentence, “I am fairly new to Access,” can be found in several URLs. The second sentence, “Programming Microsoft Access with VBA can be a lot easier if you know the keyboard shortcuts for the most common commands and tasks and the” is from this site:

Figure 11: Example of site found

Following that sentence, you can see, “If you want to set the RecordSource of another form, you must ensure the other form is open first,” which is from this website:

Figure 12: Example of sentence found at site

All three of the above examples are for the keyword “access.”

Conclusion

SEO URLs redirect users to different targets. We saw two modes of operation in the pages that we analyzed:

The users go through a series of redirects to reach the final landing page.
The users are redirected to a MaaS (Malware-as-a-Service) platform, which starts another redirection chain leading to the final landing page.

Here are the top web categories to which the final landing page sites belonged:

1. Adult and pornographic websites
2. Internet services sites; in this case, the SEO campaign's purpose is advertising
3. Politics and religion, an example of which is shown below
4. Exploit servers leading to adware/malware payloads

On average, we see over 3,000 new and unique SEO poisoned URLs every day. ThreatLabZ is actively tracking this threat and will continue to ensure coverage for Zscaler customers.

Indicators of Compromise

The list of the redirectors used by this campaign and some IOCs for PHP files and ZIP files can be found here. If you find these PHP or ZIP files on your website, it is likely that your website has been compromised.
Categories: Security Posts

Why you shouldn't trust "safe" spying apps!

Zscaler Research - 1 hour 10 mins ago
During a recent malware hunt, the ZscalerTM ThreatLabZ research team came across a suspicious Android app on Google Play, the official Google app store, named SPYMIE. SPYMIE portrays itself as an Android-based key logger designed for parents to track the cell phone activities of their children. Given the popularity of such apps, it has become common practice for app creators to promote spying capabilities as parental control features. However, SPYMIE packs a little something extra with the parental controls.  Basically, SPYMIE is an Android-based keylogger that has ability to hide itself and start recording everything the user tries to access. Ideally, keystroke logging is best achieved with keyboard-based apps, but this app uses Android's Accessibility Services to perform its functions. The app author also has included their email address in the code of the app, which allows them to receive all the information that the app is collecting, making those using the app vulnerable to having their personal information stolen.  Before the app was removed from Google Play, its description was as follows: “SPYMIE: Key logger is specially designed for parents to track the cell phones of your children. It will also help you when someone friends ask you for your phone for ten minutes but you don’t trust on it. So what you have to do you only have to on the SPYMIE: Key Logger. So whenever the friends return phone to you, you can check all the activities done by your friend. It records all the activities that are done on your phone. All activates are send to your mobile phone via email.  "For parents what they have to do, you just install the app in your children phone. Hide the icon. Later on you have check all the activities done by your children in the whole day." Zscaler notified Google about the presence of this app and it was immediately removed from Google Play.   
App Details

Name: SPYMIE: Key Logger
Package Name: com.ant.spymie.keylogger
Hash: 8e32ce220e39ba392c9e15671a32854b
Size: 5.5M
Installs: 10,000+

Technical Details

As soon as the app is installed, it launches a set of basic setup activities that ask the user for an email ID, as shown in the screenshot below.

Fig. 1: SPYMIE initial activities

Once the introduction is complete, the app asks for the runtime permission to manage outgoing calls. This permission is needed by the app's hiding functionality. As shown in the screenshot below, if the user enables the hiding feature, the app asks for a secret PIN that is later used to open the app: the user brings up the phone dialer and enters the PIN, and the app intercepts the outgoing call to show itself. This is the main reason for requesting the phone-call permission.

Fig. 2: Hiding functionality

Further analysis showed that the app also contains a default PIN. Dialing **00## opens the keylogger app. The screenshot below shows the code snippet for this functionality.

Fig. 3: Default hard-coded PIN

Once the basic setup is done, the spying feature can be turned on. To spy on a user's activities, the app uses Accessibility Services, a feature designed to help users with disabilities use Android devices and apps. The screenshot below shows the functionality in action:

Fig. 4: Enabling Accessibility Services

Once the Accessibility Service is enabled, the app starts logging every activity performed by the user/victim. The snapshot below shows the code responsible for logging user actions, along with keystrokes, and storing them in a file named SpyLogger.xml.

Fig. 5: Storing user/victim's activities

To see the functionality in action, we ran the app in a controlled environment. First, we opened Gmail and composed a sample email. As shown in the screenshot below, almost every activity, from opening the Gmail app (left side) to composing the body of the email, was logged (right side).

Fig. 6: Gmail logging

In another test, we started Paytm and logged in. The right side of the screenshot below shows how every action was logged.

Fig. 7: Paytm login

The above screenshots show the logs as seen through Android's logcat command, but behind the scenes all of this data is also being written to a file named SpyLogger.xml.

Looked at from another angle, the app has a serious vulnerability that OWASP's mobile risk categories classify as Insecure Data Storage: all of the captured sensitive data is written to Android's log, so every piece of that data is at risk. One caveat for anyone assessing the exposure: since Android 4.1 the READ_LOGS permission is no longer granted to ordinary third-party apps, so in practice the log entries are readable by anyone with adb access to the device, by apps running under the same user ID, and by system/privileged apps, rather than by any arbitrary app.

Additionally, this keylogger app can send the logged/stolen data to the email ID entered by the user during setup, but we also found a code snippet designed to send the data to a second, hard-coded email ID. The screenshot below shows both code snippets. The first is the intended scenario, in which the email is sent to the user-provided address; the second box shows a timer task that sends an email to the hard-coded address every 60 seconds.

Fig. 8: Sending stolen data to different email IDs

During our analysis we did not find any calls to the second code snippet, the one that emails the hard-coded address, and we see two possible explanations. One is that the author added this functionality while testing and forgot to remove the dead code. This seems unlikely, because the snippet is well designed and is set up as a timer task to send email every 60 seconds. The other possibility is that the app is still "under construction": it may be in active development, and calls to this function may be added in future updates.

Conclusion

We believe there are two likely scenarios in which keylogging apps like SPYMIE may be used:

1. Parents installing spying apps on their children's devices, in order to track their children's online activities.
2. Users willingly installing such an app to steal someone else's data. Any user can install such an app on their own Android device and then offer the phone to others for use; when the victim enters personal details, they are logged, and the user can view them later.

It is always advisable to stay away from spying apps, because a typical user can never be sure of what exactly is happening under the hood. Be cautious when using mobile devices other than your own, and never perform critical actions or enter personal information on borrowed or unknown devices.

Zscaler users are protected from this type of threat. The Zscaler Sandbox detected the app accurately, as shown in the screenshot below:

Fig. 9: Zscaler Cloud Sandbox detection
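The capability combination described above (an Accessibility Service that receives text-change events, INTERNET to exfiltrate, and the outgoing-call permission used for the dial-a-PIN unhide trick) can be checked statically from a decoded APK. The following is an added example written for this page, not Zscaler's code and not SPYMIE's own source: it parses a constructed AndroidManifest.xml and a constructed accessibility-service config (both samples are made up for the example) and returns the indicators it finds. It assumes the dial-code unhide is implemented as a NEW_OUTGOING_CALL broadcast receiver, which is the usual way that trick is built and matches the permission the post mentions; the package and class names in the samples are placeholders.

```python
"""Static triage for SPYMIE-style Android keyloggers (added example).

Checks a decoded AndroidManifest.xml plus the accessibility-service config it
references for: an Accessibility Service, text-change event capture, INTERNET
(exfiltration path) and PROCESS_OUTGOING_CALLS with a NEW_OUTGOING_CALL
receiver (dial-a-PIN unhide). Both XML documents below are constructed samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(elem, attr):
    """Read an android:-namespaced attribute from an element."""
    return elem.get(f"{{{ANDROID_NS}}}{attr}")


# Constructed sample manifest (placeholder package/class names, not SPYMIE's).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.keylogger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <application>
    <service android:name=".SpyAccessibilityService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
      <meta-data android:name="android.accessibilityservice"
                 android:resource="@xml/spy_service_config"/>
    </service>
    <receiver android:name=".DialReceiver">
      <intent-filter>
        <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample res/xml/spy_service_config.xml.
SAMPLE_SERVICE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeViewTextChanged|typeViewClicked|typeWindowStateChanged"
    android:accessibilityFlags="flagRetrieveInteractiveWindows"
    android:canRetrieveWindowContent="true"/>"""

# Event types that deliver typed text to the service.
TEXT_CAPTURE_EVENTS = {"typeViewTextChanged", "typeAllMask"}


def triage(manifest_xml: str, service_config_xml: str) -> dict:
    """Return the indicators found and a verdict ('keylogger-like' or 'benign')."""
    manifest = ET.fromstring(manifest_xml)
    perms = {_a(p, "name") for p in manifest.iter("uses-permission")}

    accessibility_services = [
        s for s in manifest.iter("service")
        if _a(s, "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
    ]
    outgoing_call_receivers = [
        r for r in manifest.iter("receiver")
        if any(_a(act, "name") == "android.intent.action.NEW_OUTGOING_CALL"
               for act in r.iter("action"))
    ]

    config = ET.fromstring(service_config_xml)
    event_types = set((_a(config, "accessibilityEventTypes") or "").split("|"))

    indicators = {
        "accessibility_service": bool(accessibility_services),
        "captures_text_changes": bool(event_types & TEXT_CAPTURE_EVENTS),
        "reads_window_content": _a(config, "canRetrieveWindowContent") == "true",
        "network_exfil_possible": "android.permission.INTERNET" in perms,
        "dial_code_unhide": ("android.permission.PROCESS_OUTGOING_CALLS" in perms
                             and bool(outgoing_call_receivers)),
    }
    # Keylogging needs a service that sees text changes plus a way to get it out.
    keylogger_like = (indicators["accessibility_service"]
                      and indicators["captures_text_changes"]
                      and indicators["network_exfil_possible"])
    return {"indicators": indicators,
            "verdict": "keylogger-like" if keylogger_like else "benign"}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_SERVICE_CONFIG), indent=2))
```

A legitimate accessibility app (a screen reader, say) will also trip the first two indicators, so the verdict is a triage signal to prioritise manual review, not a detection on its own; the dial-code receiver and the email/network exfiltration are what separate SPYMIE from an assistive tool.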
Categories: Security Posts

Magecart campaign remains active

Zscaler Research - 1 hour 10 mins ago
The Zscaler ThreatLabZ team has been tracking the Magecart campaign for several months. Magecart is a notorious hacker group that has been responsible for large attacks on the e-commerce sites of well-known brands, and we have continued to see its activity during this past month. In this blog, we examine this campaign's recent activity and its methods for skimming credit and debit card information for financial gain.

The e-commerce sites targeted by Magecart are compromised and injected with malicious, obfuscated JavaScript, which in turn tries to tap into purchase transactions. The injected script typically adds a form to the payment page at runtime using Document Object Model (DOM) properties. This form captures information such as the site's domain, credit card details, and the user's personal information, and then makes a POST request that sends all of the stolen information to a remote site.

Magecart compromise sample

As shown in the screenshot below, the attacker compromises the site and injects a script tag in order to dynamically load highly obfuscated JavaScript code hosted remotely.

Figure 1: Magecart compromised site

The obfuscated JavaScript code, as well as its deobfuscated version, can be seen below. Obfuscation is a common technique used by these attackers to evade detection by security crawlers.

Figure 2: Injected JavaScript code for stealing information

As shown in the image below, the script tries to steal financial and personal information from the form input elements of the target site and sends the collected information back to the attacker-controlled site.

Figure 3: POST request with stolen information

The domain used by the attacker to host the malicious scripts and receive the stolen information was registered in early September 2018. This newly registered domain is part of a trend we are seeing that minimizes the attacker's chances of being blocked by reputation engines: the site is too new to have earned a low rating. Fun fact: the attacker also listed this domain for sale.

Figure 4: Attacker's domain registration

Below are the hits we have seen from the Magecart campaign in the past month.

Figure 5: Campaign activity in past month

Although this campaign is not new, we continue to see newer domains being leveraged and additional e-commerce sites being impacted on a regular basis. The scripts used in the new and previous campaigns are similar, and both domains are hosted on AS24936 (Moscow), so the same actor may be involved. Here is a comparison of the deobfuscated JavaScript.

Figure 6: Deobfuscated JavaScript

Sites compromised by Magecart can easily be found in publicly available data (PublicWWW and Censys.io).

Figure 7: Sites infected with Magecart

Although magentocore[.]net is not responding at the moment, infected domains/URLs can still be searched on PublicWWW. Compromised sites seen recently by ThreatLabZ can be found here.

IOCs

83.166.243[.]206
magento[.]name/mage/mage.js
magento[.]name/mage/mail2.php
magentocore[.]net/mage/mage.js
magentocore[.]net/mage/mail2.php

References:

https://gwillem.gitlab.io/2018/08/30/magentocore.net_skimmer_most_aggressive_to_date/
https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/

Conclusion

Attackers are increasingly creative in their methods for generating income, whether through cryptomining, fake tech support scams, or, as in the case of Magecart campaigns, skimming credit and debit card information. Magecart has been responsible for large-scale attacks on well-known brands, and the ThreatLabZ team will continue to monitor its activities to ensure coverage for Zscaler customers.
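The injection pattern described above (a remotely hosted, obfuscated script pulled into the checkout page) lends itself to a simple static check that a site owner can run against their own pages. The following is an added example written for this page, not Zscaler's code: it parses a page's HTML, lists the hosts of every external script, matches them against the IOC list from the post, and flags inline scripts that show the obfuscation traits described (long runs of \xNN or \uNNNN escapes, String.fromCharCode, unescape, eval). The checkout HTML it scans is a constructed sample, not a real compromised page, and the site host "shop.example" is a placeholder.

```python
"""Static check for Magecart-style script injection in a checkout page (added example).

Scans HTML for external <script src> hosts, matches them against the post's IOCs,
and flags inline scripts with obfuscation traits. SAMPLE_CHECKOUT is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# IOCs from the post, kept defanged; refang() restores the dots for matching.
IOC_HOSTS = {"magento[.]name", "magentocore[.]net", "83.166.243[.]206"}

OBFUSCATION_PATTERNS = [
    re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),      # long run of \xNN escapes
    re.compile(r"(\\u[0-9a-fA-F]{4}){8,}"),      # long run of \uNNNN escapes
    re.compile(r"String\.fromCharCode|unescape\(|\beval\("),
]


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")


def _host(src: str):
    """Hostname of a script URL; None for site-relative paths like /js/app.js."""
    if src.startswith("//"):               # protocol-relative URL
        src = "https:" + src
    return urlparse(src).hostname


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self.inline.append("")

    def handle_data(self, data):
        if self._in_inline:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def scan_page(page_html: str, site_host: str) -> dict:
    """Return third-party script hosts, IOC hits and the count of suspicious inline scripts."""
    collector = _ScriptCollector()
    collector.feed(page_html)
    ioc_hosts = {refang(h) for h in IOC_HOSTS}

    third_party, ioc_hits = set(), []
    for src in collector.external:
        host = _host(src)
        if host and host != site_host:
            third_party.add(host)
        if host in ioc_hosts:
            ioc_hits.append(src)

    suspicious = sum(
        1 for body in collector.inline
        if any(pat.search(body) for pat in OBFUSCATION_PATTERNS)
    )
    return {"third_party_hosts": sorted(third_party),
            "ioc_hits": ioc_hits,
            "suspicious_inline": suspicious}


# Constructed sample: a checkout page with one injected remote script and one
# obfuscated inline script. Not a real compromised page.
SAMPLE_CHECKOUT = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://magentocore.net/mage/mage.js"></script>
<script>
var _0x1a=["\\x73\\x65\\x6e\\x64\\x44\\x61\\x74\\x61\\x2e\\x70\\x68\\x70"];
document.forms[0].onsubmit=function(){eval(_0x1a[0])};
</script>
</head><body><form action="/checkout">...</form></body></html>"""

if __name__ == "__main__":
    print(scan_page(SAMPLE_CHECKOUT, "shop.example"))
```

Any third-party host on a payment page deserves a look even when it is not on an IOC list, since the post notes that the actor rotates to freshly registered domains precisely to stay ahead of reputation-based blocking; a Content-Security-Policy with a tight script-src is the durable control.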

Today, 14 years ago, "Un informático en el lado del mal" was born

Un informático en el lado del mal - 1 hour 12 mins ago
Today is this blog's birthday. That makes 14 years of the routine of writing every day, or almost every day. Seen all together they add up to a lot, but I just don't know how to start things and leave them half done. It may be a project that is still unfinished, but until it is complete, really complete, I don't leave things half done. So when I decided I was going to start writing at El lado del mal, I knew it was a project with a start date but no end date.

Figure 1: Today, 14 years ago, "Un informático en el lado del mal" was born

This year, it's true, I may take the liberty of skipping a day's post on some weekends, so as not to put so much pressure on my time, which, I assure you, is the same as yours. No more, no less. This is because the amount of work I have has grown steadily over the last few years, as have my family responsibilities, and both sit at the top of my list of priorities.

Right now my main priority is to make time, no matter what, to take my daughters skating, do homework with them, and make sure Mi Survivor and Mi Hacker keep growing up with a good number of moments with their "papaete" with the beanie, so they can enjoy driving me crazy and fill their backpack with lots of lovely memories. It's funny, because they very rarely see me wearing the beanie, and they love it when I have it on. They take it off me and put it on themselves. And they ask me for it a lot: "Papaete, put the beanie on." But to them, I am the grumpy papaete who says: "Tidy your room." "Do your homework." "Wash your hands properly." You know: a papaete.

On the other hand, the big priority in my professional life is Telefónica. And now, with the new CDCO unit and the changes in the new Telefónica, we are in a moment of brutal transformation. There is a lot to do in the middle of a spectacular transformation of our world. The arrival of 5G, the massive application of AI in every corner, the massive digitalization of the home, the upcoming arrival of WiFi 6.0, the connected, and soon autonomous, car, IoT applied to every corner of our world, the mutation, or disappearance, of all the big companies on the way to Industry 4.0, the new cybersecurity challenges, etc. All of this makes Telefónica's current moment a very special one, and it keeps me hooked on all of it.

It is exciting to see what our world has been over the 14 years I have been writing this blog, and how it has changed. It was in July 2008 that the first iPhone went on sale. It hasn't yet been 12 years since that day, and look at how the whole world and our lives have changed. Now look ahead and imagine what this will be like over the next 5 years.

On top of all this, I also have to share my time between drinking coffee (lots!!!), dinners with good wine and plenty of laughs, going to the cinema to enjoy adventures on the big screen, in 3D, 4D, 4DX and even 5DX if it comes to that, because I'm up for anything, finding moments to get on my skateboard, taking a trip stolen from the calendar, getting on the bike and pedalling among trees only to end up eating dirt, enjoying one of those books that update your software or feed your soul, continuing to read and look after my comics to enjoy graphic novels and heroes with the power to change their world, going to concerts to see live music and jump, shout and laugh, signing up for a talk to learn something, going out to run a few kilometres alone, with a friend to chat, or in a crowd to suffer more seriously, and collapsing on a sofa to recover some energy watching a series about mutants when the world has robbed me of the last of the energy I had stored up.

And if there is any time left, getting into more things. Writing something for 0xWord. Getting my head into it and bringing out a Cálico Electrónico or Evil:One comic, diving headfirst into a project like MyPublicInbox, or continuing to push new ideas with my colleagues on the Ideas Locas team, because if there is nothing to do, everything gets more boring.

Even so, I'll find a little time to bring you a post every day, or almost every day, this year, since before long we'll be celebrating 15 years of this space which, curiously, already has readers younger than itself. That said, if I don't make it one day... don't hold it against me.

Saludos Malignos!

Author: Chema Alonso (Contact Chema Alonso)

Update: format-bytes.py Version 0.0.11

Didier Stevens - 9 hours 56 mins ago
As announced in my previous blog post, this new version of format-bytes.py adds a pack expression (#p#) and other features, as well as (Python 3) bug fixes. A pack expression is another "here filename", like #h# for hexadecimal data (which now accepts spaces too).

When format-bytes.py is given a filename as an argument, the content of that file is read and processed. File arguments that start with the character # have a special meaning. They are not processed as actual files on disk (except when option --literalfilenames is used), but as file arguments that specify how to "generate" the file content: the content is not read from disk but generated in memory based on the characteristics provided via the file argument. For example, file argument #ABCDE specifies a file containing exactly 5 bytes: the ASCII characters A, B, C, D and E.

File arguments that start with #p# are a notational convention for packing a Python expression into data (using Python module struct): a "pack expression". The string after #p# must contain 2 expressions separated by a # character, like #p#I#123456. The first expression (I in this example) is the format string for the Python struct.pack function, and the second expression (123456 in this example) is a Python expression that is packed by struct.pack. In this example, format string I represents an unsigned 32-bit integer in native byte order, which on the usual x86/x64 hosts means little-endian, and thus #p#I#123456 generates the byte sequence 40E20100 (hexadecimal). Use an explicit prefix (<I or >I) when the byte order must not depend on the host.

Remark that the Python expression is evaluated with Python's eval function: this can be abused to achieve arbitrary code execution. Don't use this in a situation where you have no control over the arguments.

I introduced "pack expressions" because I had an IPv4 address represented as a decimal integer, and I needed the dotted-quad representation. format-bytes.py will represent 4 bytes as a dotted quad, but I still had to convert the decimal integer to 4 bytes; hence the introduction of pack expressions (#p#). For example, number 3232235786 is IPv4 address 192.168.1.10. Pack expression #p#>I#3232235786 converts number 3232235786 to 4 bytes: >I is the struct format specifier for a big-endian, unsigned 32-bit integer. Remark that I enclose this pack expression in double quotes ("), as most shells will interpret the character > as file redirection if it is not escaped.

Because of CVE-2020-0601, I also introduced Object Identifier aka OID (DER) decoding. In DER encoding, an OID value starts with tag byte 6 (ignoring the class and constructed bits), followed by the length of the OID bytes (a single byte when the length is below 128; longer values use the multi-byte long form), followed by the bytes representing the OID. The hexadecimal sequence "06 07 2a 86 48 ce 3d 01 01" is the DER value for OID 1.2.840.10045.1.1.

I also added support for the environment variable DSS_DEFAULT_HASH_ALGORITHMS to let you choose your favorite hashing algorithm, in case it is no longer MD5.
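To make the two mechanisms above concrete, here is an added example written for this page, not code from format-bytes.py: a parser for the #p# pack-expression syntax that swaps eval for ast.literal_eval (so the arbitrary-code-execution risk noted above is closed at the cost of accepting only literals), the dotted-quad rendering of the packed bytes, and a DER OBJECT IDENTIFIER decoder that also handles the long-form length and multi-byte sub-identifiers. The expected values are the ones given in the post.

```python
"""Pack expressions and DER OID decoding (added example, not format-bytes.py's code)."""
import ast
import ipaddress
import struct


def pack_expression(arg: str) -> bytes:
    """Turn a '#p#<struct-format>#<python-literal>' file argument into bytes.

    Uses ast.literal_eval instead of eval: numbers, strings and tuples are
    accepted, but calls, names and attribute access raise ValueError, which
    closes the code-execution hole an eval-based implementation has.
    """
    if not arg.startswith("#p#"):
        raise ValueError("not a pack expression")
    fmt, _, literal = arg[3:].partition("#")
    if not fmt or not literal:
        raise ValueError("expected #p#<format>#<expression>")
    value = ast.literal_eval(literal)
    values = value if isinstance(value, tuple) else (value,)
    return struct.pack(fmt, *values)


def dotted_quad(packed: bytes) -> str:
    """Render 4 packed bytes as an IPv4 dotted quad, as format-bytes.py displays them."""
    return str(ipaddress.IPv4Address(packed))


def decode_der_oid(data: bytes) -> str:
    """Decode a DER-encoded OBJECT IDENTIFIER (tag 0x06) to dotted notation.

    Handles the long-form length (0x81 nn, 0x82 nn nn, ...) and base-128
    multi-byte sub-identifiers; the first sub-identifier encodes two arcs.
    """
    if not data or data[0] & 0x1F != 0x06:     # low 5 bits = tag number
        raise ValueError("not an OBJECT IDENTIFIER tag")
    length, pos = data[1], 2
    if length & 0x80:                          # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    body = data[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated OID")

    arcs, acc, pending = [], 0, False
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)               # high bit set: more bytes follow
        if not pending:
            if not arcs:                       # first sub-id is 40 * arc1 + arc2
                first = 2 if acc >= 80 else acc // 40
                arcs += [first, acc - 40 * first]
            else:
                arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("unterminated sub-identifier")
    return ".".join(map(str, arcs))


if __name__ == "__main__":
    print(pack_expression("#p#<I#123456").hex())                     # 40e20100
    print(dotted_quad(pack_expression("#p#>I#3232235786")))          # 192.168.1.10
    print(decode_der_oid(bytes.fromhex("06072a8648ce3d0101")))       # 1.2.840.10045.1.1
```

The test for the native-order case is written with an explicit <I so that it holds on any host; on an x86/x64 machine a bare I produces the same bytes, as the post shows.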

Update: cut-bytes.py Version 0.0.11

Didier Stevens - Sat, 2020/01/25 - 23:59
Some bug fixes and new features (pack expression #p# and spaces allowed for #h#), to be covered in more detail in the next blog post on format-bytes.py. cut-bytes_V0_0_11.zip (https)
MD5: 51F90BBBDE845DEC3EAB94FD30AFCF9B
SHA256: C805CBD23E09D80EB2AF39F8F940CC9188EF7F6B27197D018DA95093AC5D0932

Cyber Range Training Gives the Louisiana Army National Guard—and Other Defenders—a Powerful Edge

BreakingPoint Labs Blog - Sat, 2020/01/25 - 22:46
When we hear the word "training," visions of classrooms and online tutorials come to mind, but for…

Finance and Capital Markets 2020 Predictions

BreakingPoint Labs Blog - Sat, 2020/01/25 - 22:46
Another new year and a new job! Within Keysight I have now moved on to head up the Finance and…

Network Trends to Watch in 2020

BreakingPoint Labs Blog - Sat, 2020/01/25 - 22:46
From our vantage point at Ixia—securing and optimizing the world’s networks—we take stock each new…

What Cost Control Use Cases Are You Using?

BreakingPoint Labs Blog - Sat, 2020/01/25 - 22:46
As networks become larger and more complex, the cost to maintain them increases. However, there are…

$50k Makeover – We Have a Winner!

BreakingPoint Labs Blog - Sat, 2020/01/25 - 22:46
$50k Network Makeover MC Daniel Bogdanoff in Action. For bonus points name the 8 bit computer on…

Edge computing requires a change in performance monitoring

BreakingPoint Labs Blog - Sat, 2020/01/25 - 22:46
Our smart, connected devices are capable of generating and processing more data than ever before…