Archive for author: makoadmin

Decades ago, the promise of the Internet was clear: No one, depending on their age, gender, race, income, or place of birth, would be unwelcome from expressing their thoughts and ideas.

Today, that promise has been largely unfulfilled. As Malwarebytes discovered earlier this year, the Internet is a deeply unequal place for women, teenagers, and Black communities, Indigenous populations, and people of color. Women, above all demographics, told us that they felt both the least safe and the least private online, and when we looked at why that might be, the answers were obvious. Women face higher rates of cyberstalking. Women are almost singularly targeted by nonconsensual pornography. Women who are stuck in situations of domestic abuse are also reportedly more frequently impacted by the threats of stalkerware. Women also, as we learned, reported higher rates of receiving text messages from unknown phone numbers, and having their social media accounts hacked.

These are all the outcomes of an unfair Internet. On today’s Lock and Code podcast, with host David Ruiz, we dig into why so many real-life problems have followed women onto the Internet today.

Part of the problem, according to our guest Sue Krautbauer, is that the Internet has created tremendous latitude for bad actors to commit harms and then get away without a trace.

“It almost feels a bit like online guerilla warfare, right? Where they come in, and they lob something into the internet, and then they disappear again. And that can just have such an emotional and a mental toll on the victims because they can’t point to them and say it’s that person or that thing.”

Sue Krautbauer, senior director of strategy and development for Digitunity

Today, on the Lock and Code podcast, we speak with Sue Krautbauer, senior director of strategy and development for Digitunity, about the different—often worse—experiences that women face online, how pervasive such treatment can be, and why our Internet so often mirrors our real-life situations.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post The Internet is not safe enough for women, and Sue Krautbauer has some ideas about why: Lock and Code S02E22 appeared first on Malwarebytes Labs.

On October 29 we published our third CrackMe Challenge and announced two parallel tracks for the contest: “The fastest solve” , and “The best write-up“.

In the first category (“The fastest solve” ), we got three winners already the first weekend following publication. Big congratulations to:

@nazywam

Suvaditya Sur (@x0r19x91)

@evandrix

Yet, even those of you who are not as fast could still join in the fun, and get a chance to win a prize in the second category. Submissions for the best writeup closed November 12 (two weeks after the Crackme publication). In this post we will summarize the writeups that we received, and announce the winner for the best writeup!

Hall of fame

The submissions were treated as valid if they contained the following flag:

flag{you_got_this_best_of_luck_in_reversing_and_beware_of_red_herrings}

We received them in the following order:

1. @nazywam
2. Suvaditya Sur (@x0r19x91)
3. @evandrix
4. Alex Skalozub (@pieceofsummer)
5. @JLeow00
6. rainbowpigeon
7. arm4nd0
8. Matthieu Walter (@matth_walter)
9. Bahlai Vladyslav (@BaglaiVlad) & Alex Shevchuk
10. @kasua02
11. @zvikam

Congratulations to all the solvers!

CrackMe 3 challenge

Before we present you with the writeups, let’s have a quick look at the task itself.

The CrackMe was composed of multiple components:

• The GUI application (written in .NET): responsible for taking the input, and verifying it / passing it to the further layers. It was accepting 3 passwords for the consecutive levels.
• The server: a native application, packed. Responsible for verifying the input of the passwords for the stages 2 and 3. Communicating with the GUI application with the help of a named pipe, and a local TCP server.
• The DLL injector (written in .NET, loaded into the main application with the help of .NET Reflection)
• The hooking DLL: a native application, injected into the server and hooking some of the used APIs, changing the password verification function.

It is worth to note that each level of the CrackMe depends on the previous one, so the passwords have to be provided in the right order.

To make the analysis easier, and more approachable for beginners, the code (apart from the loader part) was not obfuscated. Some components were based on public code, or contained debug strings making it easier to follow.

Level 1:

In the first level, the user was supposed to input the password that would let the second stage get properly decoded and run as a new process. The second stage of the crackme was a PE, steganographically hidden in the image that was displayed in the GUI, and obfuscated by XOR with a static key. The key could be cracked with the help of plaintext attack.

Level 2:

The second password inserted by the user was sent over the pipe to the previously deployed server. The user was supposed to unpack the core of the server, and analyze it. First, it was required to notice that the presence of certain analysis tools cause the crackme to exit. Then, the user needed to find out that the expected password is in reality the name of one of those analysis tools. The next step was finding a public list of suspected tools, and cracking the password by a dictionary attack.

The correct password was not only clearing the level, but also triggering the decryption of the hooking DLL, that was injected in the server.

Level 3:

The third password inserted by the user was sent over the local TCP connection to the previously deployed server.

The user was supposed to notice that the hooking DLL alters the behavior of the verification function. With this information, the actual flow of the verification function should be reconstructed. Then it was possible to crack the final password.

Techniques covered:

1. Steganography
2. Packed executable (loader with self-injection of the payload)
3. Shellcodified PE
4. Loading functions by hashes (API hashing)
5. Basic anti-analysis tricks
6. Vectored Exception Handling (VEH)
7. Inline hooking
8. Inter-process communication
9. .NET Reflection
10. Classic DLL injection

List of writeups

We received 6 writeups in total, from the following contestants:

• Suvaditya Sur (@x0r19x91) [ writeup ]
• Alex Skalozub (@pieceofsummer) [ writeup ]
• @JLeow00 [ writeup ]
• rainbowpigeon [ writeup ]
• Matthieu Walter (@matth_walter) [ writeup ]
• Bahlai Vladyslav (@BaglaiVlad) & Alex Shevchuk [ writeup ]

Scoring the writeups

As we mentioned in the contest opening:

The write-up will be judged by its educational value, clarity, and accuracy. The author should show their method of solving the CrackMe, as well as provide the explanation of the techniques used in the challenge

Just like in the previous edition, in order to introduce some objective measures, several categories were used to assign points.

• The quality of the solution:

There are no wrong solutions if they lead to the goal. However, some approaches are faster and more elegant than others. We ranked higher the solutions that are straight to the point and not over-engineered. If multiple solutions were presented in a single writeup, we appreciated if the author stated which of them is the most optimal, and why.

• An in-depth explanation of the inner workings of the CrackMe, guiding through the process of solving. This means writers should have:

1. Explained how to approach the CrackMe: presented an overview of the task as a whole
2. Explained each stage of the CrackMe: the main logic, relationship to the other levels
3. Identified and described each executable layer the stage was composed of (loaders, shellcodes, etc.)
4. Identified each algorithm used (i.e. CRC32, RC4)
5. Identified and explained each technique used (from the list “techniques covered”)
6. Explained the third verification function before and after hooking, presented what each hook is responsible for, and how it changes the logic

An educational value of the writeup. Writers should have:

1. Introduced tools before they were used, showing the environment setup
2. Provided detailed explanation of the used techniques, reaching beyond the CrackMe itself. For example, providing links where the reader can learn more.
3. Described the solution in a comprehensive way, that can be followed by a beginner
4. If applicable, presented different approaches, and explanation which of them is the recommended one and why
5. Provided graphical illustrations making the provided explanation easier to follow. Diagrams, GIFs, videos, etc.
6. Been especially clear and had a pleasant writing style

You could also get some bonus points for OSINT if you found:

1. The header of the payload in the stage 2 was shellcodified with the help of pe_to_shellcode
2. The hashes in the stage 2 were based on the list from the Al-Khasher project
3. The function checking the processes was copied from the repo: antianalysis_demos
4. The hooking DLL was created with the help of MS Detours, and based on the following template

The writeup contest results

All 6 solutions turn out to be of very high quality, so it was extremely hard to select winners. Even trying to introduce some objective criteria for judging writeups, all authors covered most of the points that we would like to see described, and the margin between the scores was small. That’s why we decided to reward all of them with Malwarebytes swag.

Additionally, we decided to distinct three, most comprehensive solutions, that will be rewarded with the main prize (an IT-related book of contestant’s choice):

• rainbowpigeon [ writeup ] – clear explanation of the stages, elegance and simplicity of the taken approaches
• Matthieu Walter (@matth_walter) [ writeup ] – detailed explanation of each level, easy to follow even for a person who didn’t solve the crackme themselves
• Leow00 [ writeup ] – for the efforts to provide an educational value: detailed explanations, diagrams

All the authors will be contacted soon!

Once again thank you for participation, and hopefully see you again next year!

The post Malwarebytes CrackMe – contest summary appeared first on Malwarebytes Labs.

Netgear has released a fix for a vulnerability on several of their product models. The affected product models include extenders, routers, air cards, and modems.

The vulnerability was discovered by researchers at GRIMM, but prior to the planned disclosure date, Netgear released a patch that fixed the underlying bug in one of the affected devices.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed under CVE-2021-34991 and described as a vulnerability that allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6400v2 1.0.4.106_10.0.80 routers. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the UPnP service, which listens on TCP port 5000 by default. When parsing the universally unique identifier (uuid) request header, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.

The vulnerability received a CVSS score of 8.8 out of 10 because of some limiting factors. One consolation in the above is that the attacker already has to be inside the LAN to perform this attack. But once they are, the attacker can send a specially crafted header to the UPnP daemon and can remotely run code with root privileges on the affected device.

Another limiting factor for the attacker lies in the fact that the copy function which overflows the stack is a string copy. As such, it will stop copying characters when it encounters a NULL character. Thus, the exploit cannot include gadgets with NULL bytes. All of the addresses within the UPnPd daemon contain a NULL character as the Most Significant Byte (MSB). But, the researchers that discovered this vulnerability created a Proof-of-Concept (PoC) which bypasses this limitation by omitting the gadget’s MSB in the payload, and then immediately ends the payload. The string copy which overflows the stack will automatically NULL terminate the string, and thus write a single NULL byte. However, this technique has the disadvantage that it can only write a single NULL byte at the end of the payload. As such, the exploit can only run a single gadget via this technique.

UPnP

Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points, and mobile devices to seamlessly discover each other’s presence on the network and establish functional network services. By design, the daemon accepts unauthorized requests of clients that want to receive updates when the UPnP configuration of the network changes. For example, the Xbox One uses UPnP to configure port forwarding necessary for gameplay.

The eternal dilemma

UPnP is a convenient way of allowing gadgets to find other devices on your network and, if necessary, modify your router to allow for device access from outside of your network. A UPnP client can obtain the external IP address of your network and add new port forwarding mappings as part of its setup process.

This is extremely convenient from a consumer perspective as it makes it a lot easier to set up new devices. Unfortunately, with this convenience have come multiple vulnerabilities and large-scale attacks which have exploited UPnP.

Very often, security issues arise from the developers’ inclination to make things easier for their users. It seems there is an impossible to find balance between security and ease of use. It should not be so hard to make secure the default, and if the user wants to increase the ease of use then there should be an option to do so temporarily. Why would you have to open the floodgates permanently just to let one boat in?

Affected devices

This list will not be inclusive because some organizations, and ISPs in particular, have a habit of rebranding routers and other network equipment. But a list of product models and the required firmware version can be found in the Netgear security advisory.

How to make sure you are safe

Netgear strongly recommends that you download the latest firmware as soon as possible.

1. Visit Netgear Support.
2. Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears. If you do not see a drop-down menu, make sure that you enter your model number correctly, or select a product category to browse for your product model.
3. Click Downloads.
4. Under Current Versions, select the first download that begins with Firmware Version.
5. Click Release Notes.
6. Follow the instructions in the firmware release notes to download and install the new firmware.

For cable products, new firmware is released by your Internet service provider after NETGEAR releases it to them. Firmware fixes for the following cable products have been released to all service providers:

• CAX80

Stay safe, everyone!

The post Update now! Netgear vulnerability patched appeared first on Malwarebytes Labs.

Influencers on TikTok are feeling the pinch of scams and phishing thanks to targeted campaigns hungry for fresh logins.

The phishing campaigns make use of much older tactics seen across multiple platforms down the years. It’s a one-two combo of “Do this quickly, or else something bad will happen”, combined with the the lure of increased social status for someone’s social media accounts. Shall we take a look?

“Support – copyright” mails go for the panic approach

People don’t want to lose their account due to accidental (or even deliberate) copyright infringement. Social media has a weird knife-edge of appearing to be a free for all, while routinely dinging accounts for copyright. Most platforms operate a sort of “three strikes and you’re out” policy. In this case, the scammers (who include a special kind of phishing link in the mail – more on this later) don’t waste any time:

Hi dear user,

Your account violates our copyright. Your account will be deleted from copyright within 48 hours, will not be re-entered if you think this is an error and you do not want your account deleted please reply to this email with “Confirm my account”. Copyright is very important to us. If necessary actions are not taken from our connection, you will be removed from our servers within 48 hours. Please do not change your password while your account is being examined.

There’s a veritable word salad bulging out of every other sentence. I’ve highlighted the important part in bold. They don’t want victims changing logins until they’ve taken full control of the account. This is a well worn tactic in 419 style scams, where the perpetrator warns the victim that whatever they’ve promised them will take a few days to happen. Definitely don’t tell anyone, or change details, or do anything else. They claim they’re taking care of it behind the scenes. In reality, they’re just stealing the account safe in the knowledge the victim is busy doing nothing to prevent this happening.

Verification woes

Getting a verification stamp on your social media profile is seen as a “special” form of status. We’ve seen years of scams along these lines for Twitter, where the promise of getting a checkmark results in account theft or even monetary loss.

It’s much the same thing here:

Hi dear user,

The account caught our attention and we examined the account. We saw that he shared his own original content. We offer the right to receive a verified badge for your account.

To get a verified badge for your account, you must identify that you are the real owner of the account. We will give you a form to verify that you are the true owner of the account.

To receive the verification form for your account, reply to this email by typing “verify my account”.

This is even more of a word salad than the original mail, but people still fall for it. You’re probably wondering what the “special kind of phishing link in the mail” is all about, right? Well, I’m glad you asked…

The special kind of phishing link in the mail

Scams like this typically send you to a phishing page. It might be well designed, it could be a mess, but a phishing page you shall have.

Not this one, however. They’re trying something a little fresher.

Scammers are wising up to the fact that folks may be using additional forms of authentication to protect their accounts. An easy way for them to combat this is to direct victims to WhatsApp chat rooms instead. From there, they can start asking for phone numbers, email addresses and (importantly) the 6 digit 2FA code sent to the mobile.

While the victim waits in chat, the scammers are busy punching in the login and 2FA code to hijack their account in real time. At the moment, it seems nobody knows for sure if the idea here is eventual extortion, a bit of “fun” trolling, selling the accounts on, or something else altogether. But whether your account is geared towards influencing or you just use TikTok for fun, it pays to lock things down and make use of TikTok’s security settings.

TikTok users are popular targets for people up to no good. You don’t want the hassle of trying to recover stolen accounts via customer support, especially as many organisations continue to be impacted thanks to the pandemic. Be cautious, have fun, and keep those accounts free from harm.

The post Phishers target TikTok influencers with verification promises and copyright threats appeared first on Malwarebytes Labs.

According to its marketing team, a FatPipe MPVPN can make your VPN “900% more secure.” Well, I don’t know about that, but I do know a way to make your MPVPN admin console 100% more secure, and that you should do so right away, by installing the latest version of its software.

Why? Because older versions of the device software used by FatPipe’s MPVPN, WARP, and IPVPN products, are all vunerable to a serious zero-day exploit that has been actively exploited in the wild for at least six months. FatPipe advises that versions 10.1.2r60p93 and 10.2.2r44p1 of its software, or later, are the ones you need.

If you are unable to update immediately, FatPipe recommends you cut off access to your admin console from the Internet at large: “disable UI access on all the WAN interfaces or configure Access Lists on the interface page to allow access only from trusted sources.”

The vulnerability

Like a lot of security and administration software, FatPipe’s MPVPN is configured and controlled through a web-based administration portal, which is just another way of saying “website”.

FatPipe describes the vulnerability in its software’s administration website as a “lack of input and validation checking mechanisms for certain HTTP requests”. It goes on to say “an attacker could exploit this vulnerability by sending a modified HTTP request to the affected device”.

That simple POST request could “allow a remote attacker to upload a file to any location on the filesystem on an affected device.” But FatPipe says could, and the FBI says did. According to the agency, a recent forensic analysis has revealed that Advanced Persistent Threat (APT) actors (plural) have been abusing the flaw since May 2021.

Input validation is website security 101, and the attack as described by the FBI is very simple. The Persistent Threat groups that carried out the attacks may have been be Advanced, but the exploit they used was not.

The exploitation

The FBI says that “The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity.”

There’s a lot going on in that one sentence. Let’s break down what it means:

The FBI says the APT groups gained access to an “unrestricted file upload function,” meaning that the attackers were able to add files to a server running the admin console for some FatPipe software. Attackers should obviously not be able to simply add their files to your servers.

For this attack to work, the APT actors only needed to add one file: A web shell, at /fpui/img/1.jsp. A web shell is a type of malicious script that turns an attacker’s ability to add a file to your server into an ability to do whatever they want on your server. The attackers simply send the web shell the commands they’d like your machine to run, and it runs them.

The shell can only run with whatever restricted permissions it inherits from the web server it’s added to, but in this case it seems as if there were no restrictions. The FBI’s description suggests that the web shell enjoyed root-level (administrator) access from the get go.

Free to do whatever they wanted with their web shells, the attackers opted to overwrite the machines’ Secure Shell (SSH) configuration, so they could use the same method of remote access as the machine’s legitimate administrators. The FBI says the APT groups then used the compromised FatPipe servers as bridgeheads to “route malicious traffic through the device and target additional U.S. infrastructure”.

If you want to check your system for signs of exploitation, the FBI alert contains a full list of Indicators of Compromise (IoCs). It also notes that the APT actors were careful to clean up after themselves, and so the agency would love to hear from you if you can add anything to its understanding of these attacks.

What is going on with security admin software?

It is a shock, but not a surprise, to read about an easily exploited flaw in an Internet-facing administration console for a security product in 2021. A shock because the whys and wherefores of securing websites—and the central importance of treating any kind of input as hostile unless proven otherwise—has been very well understood for decades. But it’s not a surprise because criminals exploiting basic flaws like authentication bypasses or input validation errors in security products like VPNs has been a running theme for several years now.

In a recent episode of Malwarebyte’s Lock and Code podcast, host David Ruiz interviewed Victor Gevers, chair of the Dutch Institute for Vulnerability Disclosure (DIVD), about July’s enormous Kaseya ransomware attack. Gevers explains that his team had been racing against time to get several zero-day vulnerabilities in Kaseya VSA fixed at the time of the attack, and that one of those zero-days was in fact used by the ransomware gang.

Gevers also revealed that the problems his team discovered in Kaseya VSA were not unusual. The vulnerabilities were uncovered during a much broader investigation which revealed a worrying trend—that Internet-facing remote administration tools are rife with flaws.

You can learn more about what Gevers and his team discovered in the podcast episode below.

The post Patch now! FatPipe VPN zero-day actively exploited appeared first on Malwarebytes Labs.

A ransomware warning has appeared out of nowhere and started taking over WordPress sites.

The warning, with its black background and red writing, says:

“SITE ENCRYPTED

{ Countdown }

FOR RESTORE SEND 0.1 BITCOIN:

[address redacted]

(create file on site /unlock.txt with transaction key inside)”

But there’s just one thing… the warning is a fake. There is no ransomware.

The ransomware that isn’t what it claims to be

The warning is clearly intended to scare the site owner into paying the 0.1 Bitcoin ransom amount, which amounts to roughly $6,000 at the time of writing. The countdown clock adds to the intimidation.

Researchers at Sucuri found and analyzed the fake ransomware. When they performed an on-site scan for a file that contained the bitcoin address, they found that the ransomware alert was merely an HTML page that displays the notice and a PHP script that accounts for the timer.

WordPress

WordPress is one of the, if not the most popular content management system (CMS). Of course, this also makes it a primary target for anyone looking to compromise websites. WordPress is an open-source CMS, meaning its source code is public so that anyone can inspect, modify, and enhance. This has resulted in a great many available plugins to add to sites that perform all kinds of tasks, from stopping spammers to incorporating special smileys. You name it, there is a plugin for it.

Unfortunately, not all these plugins have the same level of security, and some even have an ulterior, malicious motive. In this case, it looks as if files were added into the directory of an already present plugin.

Removing the infection

Once the infection was found, it turned out to be easy to remove. All victims had to do is find the file with the bitcoin address in it and delete it. In this case it was the file /wp-content/plugins/directorist/directorist-base.php. Directorist is the name of a legitimate plugin intended to create lists of directories based on location, category, and other interests.

By backtracking changes and looking at the access logs, the researchers found that it is very likely the legitimate plugin was already installed on the website and later tampered with by the attackers. While it was clear that the attacker must have had administrator level access, it is unclear whether they had brute forced the admin password or had acquired the already-compromised login from the black market.

Restoring the website

Deleting the file removed the ransom notice but it also left the researchers with a lot of 404 Not Found responses to internal links on the website. As it turned out, our fake ransomware included a basic SQL command which finds any posts and pages with the “publish” status and changes them to “null“. All the content was still in the database, just unable to be viewed!

Website administrators can undo this effect by using another simple SQL command.

UPDATE `wp_posts` SET `post_status` = 'publish' WHERE `post_status` = 'null';

Please note that this command will also bring back some content that you may have removed yourself, but at least it will bring back all the content that the plugin made invisible.

Under development?

The researchers found indications for the presence of a file called azz_encrypt.php in the directorist directory, but were unable to find the file actually present on any of the infected websites they looked at. So this CMS hijack may be a work in progress that aims to do some actual encryption at one point.

How to protect your WordPress site

If you are running a website, you do not need scares like this one. Besides a possible loss of revenue, it brings in extra work. So what can you do to keep your WordPress site safe?

• When using a CMS, and especially a popular one, you need to keep an eye out for updates—for both the CMS itself and any plugins you have installed. Speed is important, so patch as soon as you are able. Attackers are always aware of the latest vulnerabilities and will scan the Internet for unpatched sites to hijack, sometimes within hours of a patch being made available.
• Create backups regularly (there are plugins for that). If you find out an intruder made changes to your website, it makes things a lot easier for you if you have a recent backup that you can restore without losing too much work, and without having to comb through every piece of code to check if anything else has been tampered with.
• Choose your plug-ins wisely.
• Think about access management. Consider who you allow to make changes to your site, and to what level.
• Use secure passwords (and preferably 2FA) .
• Be wary of SQL injection.
• If you allow uploads, limit the type of files to non-executables and monitor them closely.
• For websites that require even more security, there are specialized vulnerability scanners and application firewalls that you may want to look into. This is especially true if you are a popular target for people that would love to deface or abuse your website.
• If the CMS is hosted on your own servers, be aware of the dangers that this setup brings. Remember that you are relying on open-source code. Running it on your own servers should be met with special precautions to keep it separated from other work servers.

Stay safe, everyone!

The post Fake ransomware warnings hit WordPress sites: How to stay safe appeared first on Malwarebytes Labs.

If your kids play Roblox, you may wish to warn them of ransomware perils snapping at their heels. A very smart, and determined attack has been taking place for a little while now. Although initially dismissed as a form of prank, the developers under fire now disagree. Whether prank or malicious campaign, the end results are still bad for everyone involved. Shall we take a look?

What is Roblox?

If you have younger kids and they play games, they may well have dabbled in Roblox. If so, you’ll have experienced howls of outrage for a few days in October when the entire system came crashing down.

It’s a game, but also much more than that. It’s a place where other users can make their own games inside the Roblox landscape. It’s been around since 2006, and has millions of users. Kids love it because every time they log in, there’ll be something different to do. If they start making content, there’s even the possibility of making money from it.

As you can imagine, this makes it a popular target for scammers and malware authors. As they’re primarily targeting kids, it’s probably a bit easier to go on the offensive than tackling more cautious adults.

What tactics are used to scam Roblox users?

Glad you asked! We covered one such scam last year. Robux is the in-game currency used by players. It can be bought with real money, or earned via creating content (assuming the child is over 13 years of age).

As a result, Robux cash generators are rife and will send gamers off to bogus surveys, malware installs, phish attempts…the usual collection of awfulness.

Outside of Robux generators, phishing and malware generally are popular with scammers everywhere. You can read about typical Roblox experiences here. Not everything is scam central; some of it is just weird, or baffling. Even so, it pays to be on your guard. This is especially applicable in this case. We don’t “just” have scammers targeting the kids directly. What we have here is people trying to place bogus files in locations the players wouldn’t necessarily expect to find them.

We now turn our attention to Noblox, the stepping-stone for scammers to reach their goal of the end users.

Roblox and Noblox

Noblox is a popular way to automate certain in-game Roblox functions. As per its description:

This NPM package enables operations froms the Roblox website to be executed via NodeJS; many individuals leverage noblox.js along side Roblox’s HTTPService to create in-game scripts that interact with the website, i.e. promote users, shout events, and so on, or to create Discord utiltiies to manage their community.

Malicious packages containing ransomware were found to be emulating the real thing.

Noblox.js-proxy imitated noblox.js, deliberately using a name as similar as possible. Meanwhile, Noblox.js-proxies did the same thing to the legitimate noblox.js-proxied. The bad packages had a few hundred downloads between them before being shut down.

The scammers reused certain portions of the real thing, and then dropped dubious code into places users wouldn’t suspect. A little bit of obfuscated code later, and the end result is Trojans dropped onto the target PC, alterations to the Windows registry, and a dash of ransomware to round the whole sorry enterprise off.

When “pranks” start to get serious

This one was arguably well beyond the prank point and had at least one foot in serious territory. A feeling now compounded as the Noblox devs flag at least 6 different libraries aiming to confuse and trap unsuspecting victims.

Although the bogus libraries are being taken offline, the people behind this are making use of Discord to cause additional headaches. Multiple servers exist and are being used to trick younger users into downloading the rogue files. Regular readers will be familiar with the type of Discord messages used for these sorts of antics.

What can Roblox gamers do to avoid these attacks?

As many of the bogus files are being sent in Discord, gamers should be very cautious around anything sent their way. These rogue messages may be sent via DM or posted publicly in a Discord server. They could also arrive via other methods. It’s a tricky one to address, because we’re dealing with younger users who may not be massively tech savvy, versus a confusing selection of package repositories and somewhat technical file names.

If you’re a parent and unsure about your kid’s activity in Roblox, and want to know more about it generally, a good place to start is the Roblox Parents’ Guide. If your kids are making their own games and want to branch out into the kind of package assistance seen above, it may be worth reading the FAQs from the developers. This isn’t a problem that’s likely to go away overnight, and that’s what the scammers and malware authors are banking on.

The post Bogus JS libraries become sustained ransomware threat for Roblox gamers appeared first on Malwarebytes Labs.

Apple’s reputation on security has been taking a beating lately. As mentioned in some of our previous coverage, security researcher Joshua Long recently shone a light on problems with Apple’s security patching strategy. His findings showed a shocking number of cases where Apple patched a vulnerability, but did not do so in all of the vulnerable system versions. Often, systems older than the most current one were left in vulnerable states.

In theory, this could lead to attacks on those vulnerable systems. And new Mac malware that was disclosed on Thursday provides a concrete example of why this is not just theory.

Watering hole campaign discovered by Google

Google’s Threat Analysis Group (TAG) discovered a watering hole campaign in Hong Kong, targeting journalists and pro-democracy political groups. This campaign was using two macOS vulnerabilities to infect Macs that simply visited the wrong web page.

A watering hole attack is one that’s deployed through a website that the desired target is likely to visit, so named because of the way predators will hide near a watering hole that is frequented by their prey.

The vulnerabilities were used to drop malware onto the computer silently, without the user needing to click on anything or even being aware that anything has happened. The malware itself is a pretty full-featured backdoor, but what is most remarkable about it is not its capabilities. This malware has been in the wild, with very few changes, since at least 2019. Back then, it was distributed as a trojan, in an installer disguised as – you’ll never guess – an Adobe Flash Player installer!

Some of the executable files dropped by this installer from 2019 are nearly the same as the ones currently in distribution, but were (as of Thursday) still undetected by any antivirus software.

The vulnerabilities had been fixed… sort of

The first vulnerability used by the malware was CVE-2021-1789, which was a remote code execution (RCE) vulnerability in WebKit. This means that it allowed an attacker to trick WebKit – the foundation of Safari and a number of other browsers – into executing arbitrary code, which is not supposed to be possible.

The second vulnerability, CVE-2021-30869, was a privilege escalation bug. This means that it could be used to run arbitrary code with the highest level of permissions possible when it should not actually have that level of access.

The first of these was patched on February 1, with the release of macOS Big Sur 11.2 and Safari 14.0.3. The latter would have fixed the problem on macOS Catalina (10.15) and macOS Mojave (10.14), if users had upgraded to Safari 14.

The second was apparently also fixed in Big Sur 11.2, on February 1, although it was not originally mentioned in the release notes. Mention of the fix was added on September 23, after Google alerted Apple to the issue and on the same day Apple released Security Update 2021-006 Catalina, to fix the issue in macOS Catalina.

Catalina wasn’t fixed for more than seven months?!

Yes, you heard that right. Apple knew about the vulnerability long before, and fixed it in macOS Big Sur, after the team who found it, Pangu, alerted Apple of the issue. Pangu went on to present their findings in April at the Zer0con security conference.

However, the same bug apparently existed in Catalina, which remained unpatched seven months after Apple released the patch for Big Sur, and more than five months after the details had been released at Zer0con. This allowed attackers to target individuals running Catalina and Safari 13 without detection. (According to TAG, more than 200 machines may have been targeted for infection at the time it discovered the campaign.)

There’s a lot that’s unclear about why this might have happened. Did Apple know that the bug affected Catalina, but chose not to patch it? Was the bug superficially different in Catalina, and thus was missed in a cursory investigation? Or was the bug completely different, but resulted in the same vulnerability? Only Apple could say.

I do find it highly suspicious that mention of this fix was left off of the Big Sur 11.2 release notes, and then added at the end at the same time the bug was fixed in Catalina. That would seem to suggest that it’s something that Apple already knew should have been fixed, or very quickly identified as being the same as the Big Sur bug.

Takeaways

There are a couple things that this incident illustrates quite plainly. First, this throws further weight behind what Joshua Long has taught us; that Apple can only be relied on to patch the absolute latest version of macOS, which is currently macOS Monterey (12). If you are using an older system, you do so at your own risk.

I personally have an older machine still on macOS Mojave, because upgrading to anything newer means I’d lose access to all my old 32-bit Steam games. However, since I’m aware that that system can no longer be considered secure, I limit what I do with it. Any web browsing and other online activities are done with my up-to-date devices, and since I’ve recently migrated to a newer machine, I’ll soon remove my personal data from the Mojave machine.

Second, the fact that this malware went undetected since at least 2019 is, unfortunately, a repeating pattern. There has been a lot of very tightly targeted nation state malware affecting Mac users, and because of the very limited number of victims, it’s hard to detect. Those managing business environments would do well to use some kind of EDR or other monitoring software, but what is an average person to do with their personal Macs?

Some steps you can take to avoid this kind of malware would include:

• Keeping your system and all your software fully up to date
• Be conscious of everything you open on your computer, and be sure you know exactly what it is before you do so
• Never install Adobe Flash Player, whether you think it’s legitimate or not!
• Use an ad blocker (malicious ads can be a source of malware) and some kind of protection against malicious sites, such as the free Malwarebytes Browser Guard
• If you engage in any “risky” activities, consider doing them from a burner device with no access to your data, such as a cheap Chromebook
• If you are a potential target of a hostile nation-state – such as a journalist or human rights activists critical of an oppressive regime, or a member of a group persecuted by a government (such as the Uyghur people in China) – consider consulting with a security professional

Malwarebytes for Mac detects this malware as OSX.CDDS.

The post New Mac malware raises more questions about Apple’s security patching appeared first on Malwarebytes Labs.

Researchers have discovered and analyzed a new Android banking Trojan that allows attackers to steal sensitive banking information such as user credentials, personal information, current balance, and even to perform gestures on the infected device.

According to the researchers, SharkBot demonstrates:

“…how mobile malwares are quickly finding new ways to perform fraud, trying to bypass behavioural detection countermeasures put in place by multiple banks and financial services during the last years.”

Type and source of the infection

A banking Trojan is a type of Trojan specifically created to harvest credentials and other sensitive financial and personal information stored and processed through online banking systems. This particular one, dubbed SharkBot by the researchers, goes beyond that, and uses uses an Automatic Transfer System (ATS) technique to automate the process of stealing funds from users’ accounts.

ATS allows attackers to automatically fill in fields on an infected device with minimal human input. It launches an autofill service to facilitate fraudulent money transfers through legitimate financial service apps. SharkBot uses this technique to bypass behavioral analytics, biometric checks, and multi-factor authentication (MFA).

SharkBot isn’t available in the Google Play Store, so the threat actors would have to convince victims to sideload the app on their device. Sideloading refers to installing an app onto the device by copying the APK installer onto the device and manually installing it on the system, i.e. bypassing the app store. On many devices, in order to sideload apps you would need to obtain root access on the phone, something that often results in users ‘bricking’ their phone or turning it into a $800 paper weight.

Apps like these are often offered for download masquerading as a media player, live TV, or data recovery apps.

Android Accessibility service

In order to use ATS, the Trojan needs access to the Android Accessibility Service. So once SharkBot is installed, the malware asks the users to grant it access to the Android Accessibility service, a feature designed to help physically impaired users interact with their devices by automating certain tasks. SharkBot uses the access to Accessibility Services to perform tasks such as:

• Overlay attacks against multiple applications to steal login credentials and credit card information. Overlay attacks allow the threat actor to show fake benign pop-ups over dangerous ones. This allows them to deceive a victim user into clicking “through” them, performing a specific action (such as accepting a permission)
• Intercept and/or hide SMS messages. This feature is mostly used by threat actors to get the MFA sent by the bank via text messages
• Keylogging, for example to record and send typed passwords to the attacker
• Obtain full remote control of an Android device
• Bypass Android’s doze component and stay connected to the C2 servers

Once the malicious app has been installed, no icon is displayed on the device and SharkBot is able to get all the permissions needed thanks to the enabled Accessibility Services. This is done by clicking instantly on the popup shown to the user.

Targets

Analysis of the samples revealed 22 different targets, including international banks from the UK and Italy and five different cryptocurrency services. So far, infections have been found in the UK, Italy, and the United States. As the app appeared to be in the development stage, the number of targets is likely to grow over time.

Detection

SharkBot uses different anti-analysis and detection techniques, in particular:

• Obfuscation to slow down the static analysis and “hide” all the commands and important information used by the malware
• Anti-emulator. When the malicious application is installed on the device, it checks if the device is an emulator or a real phone
• Modular in that it uses an external ATS module. Once installed, the malware downloads an additional module from the C2. The external module is a “.jar” file that contains all the functionality used to perform the ATS attacks. So this functionality can not be found when analyzing the apk
• Hide the icon of the app from the device screen
• Anti-delete. Like other malware, SharkBot uses the Accessibility Services to prevent the user from uninstalling the malicious application from in Settings
• Encrypted communication. All the communication between the malware and C2 are encrypted and encoded with Base64. In addition to this, SharkBot uses a Domain Generator Algorithm (DGA).

Malwarebytes detects SharkBot as Android/Trojan.BankBot.SHRK.

Stay safe, everyone!

The post SharkBot Android banking Trojan cleans users out appeared first on Malwarebytes Labs.

If you haven’t heard of SoSafe Chat, you will now.

This Android app, purported as a secure messaging application that uses end-to-end encryption, is the latest ruse cybercriminals put upon smartphone users, particularly those based in India, to infect their devices with GravityRAT, a piece of malicious software that is known to spy on people and steal their data.

According to Cyble Research Labs, the latest version of GravityRAT can now track locations of its targets, exfiltrate cellular network data, and record audio. Below is the complete list of GravityRAT’s malicious behavior:

• Read SMS, call logs, and contacts data
• Change or modify system settings
• Read current cellular network information, the phone number and the serial number of the victim’s phone, the status of any ongoing calls, and a list of any phone accounts registered on the device
• Read or write the files on the device’s external storage
• Record audio
• Get connected network information
• Get the device’s location

The history of GravityRAT

This remote access Trojan (RAT) was first discovered in infected Windows computers in 2017 by the Indian Computer Emergency Response Team (CERT-IN), but it has been active since at least 2015. An advanced persistent threat (APT) group with origins in Pakistan was believed to be behind the creation and initial attacks using the RAT.

CERT-IN had described GravityRAT as “unlike most malware, which are designed to inflict short term damage. It lies hidden in the system that it takes over and keeps penetrating deeper. According to latest inputs, GravityRAT has now become self aware and is capable of evading several commonly used malware detection techniques.”

Knowing India and Pakistan’s longstanding historical and political conflict, it’s no surprise to see GravityRAT coming back to target high profile individuals in India once more. The first time threat actors attempted this was when they homed in on the Indian armed forces in 2018.

SoSafe markets itself as an encrypted message platform that worries about the security of its users.

SoSafe chat is not just another chat application, but an application that encrypts your messages whether it is text,images,voice notes,videos.”SoSafe” is available to talk to your loved ones when all the other applications secretly steal your chat data even when they say they do not. We at “SoSafe” ensure that the security of our customers remain our top priority. Be safe with “SoSafe”.

— SoSafe Chat website marketing blurb

BleepingComputer thinks that the above website “likely played a role in the distribution of the app”, and that users are likely get directed to it via malvertising and other known means like social media and instant messages.

It’s also likely that targeted users were messaged privately, since quick searches on top social media sites turned up empty.

How to stay safe

This is a good time to remind readers to never download apps from sites you haven’t heard about. It’s still much, much safer to download apps from the Google Play Store. Just make sure you enable Google Play Protect before you download apps.

Lastly, if you use an antivirus for your Android device, always make sure you are using the latest version.

Stay safe!

The post SoNot SoSafe: Android malware disguises itself as secure messaging app appeared first on Malwarebytes Labs.