Archive for author: makoadmin

A week in security (January 6 – 12)

Last week on Malwarebytes Labs, we told readers how to check the safety of websites and their related files, explored the shady behavior taking place within the billion-dollar search industry, broke down the top six ways that hackers target retail businesses, and put a spotlight on the ransomware family Phobos.

We also broke a major new story when we discovered that a government-subsidized mobile phone is being shipped with pre-installed, unremovable malware.  

Other cybersecurity news

Stay safe, everyone!

The post A week in security (January 6 – 12) appeared first on Malwarebytes Labs.

Dubious downloads: How to check if a website and its files are malicious

A significant amount of malware infections and potentially unwanted program (PUP) irritants are the result of downloads from unreliable sources. There are a multitude of websites that specialize in distributing malicious payloads by offering them up as something legitimate or by bundling the desired installer with additional programs.

In November 2019, we learned that Intel removed old drivers, BIOS updates, and other legacy software from their site. While this software relates to products released in the last century and early years of the 2000s, many users still rely on old Intel products and have been left scrambling for specific downloads.

Users that follow older links to certain drivers and updates will find this instead:

Intel Removed

Following the links to search the site or the download center only leads users around in circles—those downloads are gone. While some might argue that it is Intel’s right to remove drivers and updates after a decade, others understand that whenever legacy software is abandoned, a security nightmare ensues.

When users can no longer download files from official sources, desperate people will roam the Internet for a place where they can find the file they need. And what they usually find instead are malicious websites and downloads.

Malvertising using popular downloads

Habitually, threat actors find out which search terms are gaining in popularity as users seek out terminated software downloads and try to lure searchers to their site. They will use SEO techniques to rank high in the search results or may even spend some dollars to show up in the sponsored results for certain keywords. They can hide their malware in malvertising in the form of downloads or even drive-by-downloads, in which users needn’t install a single file, only visit the site, to be infected.

After all, a victim that is desperately looking for a file he needs to get a system up and running again is really all a malware peddler could wish for. All they have to do is make the user of the site believe they have found the file they are looking for. Once they are convinced, they will download and install the alleged driver all by themselves.

All the threat actor has to do is upload the malware under some convincing filename and attract visitors to the site. This is basically the same modus operandi that you will find in use when people go looking for cracks and keygens.

So, what can users do to avoid falling victim to such a scam? A couple of things, as it happens. We will provide you with some checks you can do before you visit the download site. And there are some checks you can perform before you run the downloaded file, too.

Checks you can perform to assess the website

When you have found a site that offers a file for download, there are a few actions you can take to check whether the site is trustworthy. They are:

  • Check for the green padlock
  • Read third-party reviews of the website
  • Use a trusted antivirus or browser extension, such as Browser Guard

Checking for the presence of the green padlock is a good start to ensure a site has purchased a security certificate, but it’s also not a guarantee that the website is safe. SSL certificates are cheap, and your neighborhood cybercriminal knows where to get them practically for free. If you click on the green padlock, you can find out who issued the certificate and for which site.


Recommended reading: Explained: security certificates


There are many websites that offer reviews of download sites and domains, and while many of these sites are reputable, they tend to fall a little bit behind in adding Internet newcomers. Our cybercriminal can afford to dump a domain like a hot potato once it has racked up too many bad reviews, then purchase a new site from which to run his scheme.

In short, you can trust reviews about sites that have been around for a while, but the lack of reviews for a site could mean they only started or they may be up to no good.

Some cybercriminals are brilliant programmers. Most are not. But all the successful ones have one skill in common: They are well-versed in tricking people. So, don’t accept a website as trustworthy just because it features logos of other trustworthy companies on its pages. Logo images are easily found in online searches, and they could be planted on the site for exactly that reason: to gain the visitors’ trust. Logos could also be stolen, unauthorized, or handed out for different reasons than you might expect.

Some browsers and some free applications warn you about shady sites—especially sites they know to be the home of malware and scammers. Malwarebytes Browser Guard, for example, can be installed on Chrome and Firefox, adding to the browsers’ own capabilities to recognize malicious domains and sites.

How do I filter possible malware from the downloaded files

There are some methods you can use to weed
out the bad boys in your download folder:

  • Compare the checksum to the original file
  • Look at the file’s digital signature
  • Run a malware scan

A checksum is a sequence of numbers and
letters used to check data for errors. If you know the checksum of the original
file, you can compare it to the one you have downloaded. Windows,
macOS, and Linux have built-in options
to calculate the checksum of a file.

The digital signature of a Windows
executable file (a file with an .exe extension) can be verified after the file
has been downloaded and saved. In your Downloads folder, right-click the
downloaded .exe file and click Properties. Here you can click on the Digital
Signatures tab to check whether the downloaded file is signed by the expected
party.

Finally, use your anti-malware scanner to double-check that you are not downloading an infected file. You can also use online scanners like VirusTotal, which will also provide you with a SHA-256 hash for the file and save you the trouble of calculating a checksum.

virustotalscan

Much ado about what?

All this may seem like a lot of work to those who habitually download files without a worry in the world. However, even the most practiced downloader eventually has their moment of truth—when that downloaded file wrecks their computer or all those bundled applications are harder to remove than expected.

People who download all the time have better instincts about which sites to trust or not, but that doesn’t mean they can’t be fooled. From experience, they know the sites that offer malware under a different filename from the sites that offer clean files. But sometimes, we reach for the shiny golden delicious and, once we take a bite, discover it has a worm.

We don’t all have the stomach or the knowledge to clean an infected computer. And some systems are not ours to put at risk.

Even if you follow all these pointers to the letter, it is still riskier to download files from unknown sites than it is to download from the company that made them. So we would like to urge companies to keep their “old files” available on their own site, even if the number of downloads has dwindled.

Stay safe, everyone!

The post Dubious downloads: How to check if a website and its files are malicious appeared first on Malwarebytes Labs.

6 ways hackers are targeting retail businesses

Retail hacking is no new phenomenon, although it has increased in frequency over the last few years. In fact, retailers experienced more breaches than any other industry in 2019, and they’ve lost over $30 billion to cybersecurity attacks.

Both brick-and-mortar and online businesses experience retail hacking. Cybercriminals must often work harder to access online stores because these companies’ reputations ride on secure transactions. However, they’re not exempt from the flood of break-ins that happen during high-volume shopping seasons, including back-to-school, Black Friday, and the winter holidays.

Last-minute shoppers become the victims of retail hackers looking for simple ways in. Many consumers rush to buy gifts before the holidays sneak up on them, meaning they’re less diligent about scams and fraudulent sites. Shoppers might be willing to visit stores and webpages they’ve never been to before in search of hard-to-find items. Threat actors know this and take advantage of it with scarily authentic scams.

Even though the holidays have passed, shoppers should remain vigilant about scams and retail attacks—especially as web skimmers up the ante with social engineering tactics and evasion methods. Businesses, too, will benefit from strengthening their security protocols and staying up-to-date on the latest hacking methods.

1. Credential stuffing

Retail hackers frequently use credential stuffing, or the use of stolen usernames and passwords, to break into systems because it’s one of the easiest ways to siphon off data. Many people use the same passwords across multiple sites, which leaves them open to invasion. Hackers collect these credentials via purchase from the dark web or databases of personally identifiable information left online after massive breaches, and use them to hack into retailers and buy products.

Chipotle experienced a breach like this earlier in 2019, where costumers’ credit cards racked up hundreds of dollars in food purchases. However, many customers argued that their passwords were unique to Chipotle, which begs the question of how else cybercriminals could have accessed their accounts.

2. Near field communication (NFC)

Price scanners, cell phones, and card readers are notorious targets for NFC breaches. NFC technology allows customers to use their phones to purchase goods by tapping them against a reader.

Similarly, someone can scan a QR code and gain access to an exclusive app or land on a site where they can purchase items. Though NFC is convenient, retail hackers have little problem intercepting the data from its transactions and stealing information.

Even malware can pass from infected phones to retail systems. NFC technology is prevalent in face-to-face transactions, but more sites are hosting QR codes for users to scan. Hackers generally use several different ways to manipulate data transmitted over a distance:

  • Corruption: They use a third device to intercept a connection between two other electronic devices, which destroys the information being sent.
  • Eavesdropping: Cybercriminals pick up on private information by recording communications between two devices. Using this technique can give someone access to credit cards and other payment information.
  • Modification: The hacker manipulates the data before it reaches its intended source—meaning they can alter important details or inject malware or other harmful components.

3. RAM scraping

RAM scraping is a procedure hackers use to enter point-of-sale software. Every card transaction leaves data in the retailer’s terminal system. This information lasts temporarily as a part of the machine’s RAM, but threat actors can implant POS malware that reads this input before it disappears. By scraping this information, they obtain all the items stored on a card’s tracks—such as the account number, CVN, and expiration date.

The massive Target breach of 2013 is one example of RAM scraping in action. Text strings containing credit card information can remain in a retailer’s database for seconds, minutes, or hours. The longer it stays, the more chances hackers have for grabbing it before it goes.

4. Card readers

The magnetic strips on credit and debit cards make them frequent targets for cybersecurity attacks. Hackers don’t always need to force their way into online accounts—they can glean data from a single card swipe. Card data, which includes PINs and card numbers, remains encrypted until the moment of the swipe. Skilled criminals can take this opportunity to snatch the information and use it for themselves or sell it to others.

Many retailers and card companies have switched to chips instead of magnetic strips. Chips create a unique code that is only used for a single purchase. This form of EMV technology—which stands for Europay, Mastercard, and Visa—makes it harder to duplicate information and use it for subsequent transactions.

5. Web skimming

Web skimmers had quite a year in 2019, helped along by the criminal groups known collectively as Magecart, which were responsible for developing a slew of new techniques for stealing from online retailers and consumers alike.

Web skimmers sneak malware into website codes to glean personal information from customers. All e-commerce sites have a payment page for completing purchases, most of which are securely encrypted. However, those without airtight security are prime targets for web skimmers. This malware is hard to detect—especially for small businesses without advanced tech—and it can affect hundreds of customers at a time, making it a favorite among threat actors.

Skimmers enter sites through a third party, such as plug-in or an e-commerce page. These entryways are easier to get through because they often contain weaker code structure. (First-party entry commonly happens only to those small sites without strong cybersecurity measures in place.) Once the script infects the webpage, it funnels passwords, social security numbers, and credit card numbers back to the cybercriminals’ servers.

6. Social engineering

Social engineering might sound like a term too vague to be real, but this tactic is one of the oldest in the criminal book, useful for preying on emotions. In the pre-Internet days, someone might dress up as an employee of a department store and pretend to work there to access private information. They might ask other employees for information, knowing that some harried workers will readily supply it so they can return to their tasks. Others might loiter in front of a store and scam people out of cash using the old shoeshine technique.

Online, social engineering looks a bit different for retailers and shoppers. Websites might sell counterfeit goods at too-good-to-be-true prices, then snatch the personal information of customers while they’re at it. Watering hole attack strategies target hundreds of users at a time by analyzing their Internet browsing habits then laying siege at sites known to attract particular user groups, such as mommy blogs, gamers, or foodies. Phishing emails might pose as favorite retailers asking for account updates, while delivering malware or ransomware instead.

Beating web threats

With so many ways to steal information, it’s plain to see why retail cybercriminals often see success during the holidays and otherwise. Although retail hacking runs rampant during high shopping seasons, it doesn’t have to deter shoppers from completing their last-minute purchases. The onus is on businesses to secure their data and build trust with their consumers and partners.

Though
no system is entirely unhackable, businesses should follow standard
cybersecurity procedures and aim for the best defenses possible. Prioritizing
user safety will allow them to build trustworthy relationships with their
shoppers.

The post 6 ways hackers are targeting retail businesses appeared first on Malwarebytes Labs.

United States government-funded phones come pre-installed with unremovable malware

UPDATE: January 10, 2020

At time of original publication, we were not yet able to replicate the malware Android./Trojan.HiddenAds being dropped on our test device, though multiple users had reported that a variant of HiddenAds suddenly installed on their UMX mobile phone.

As of today, we are now able to report that our UMX U683CL test phone has become infected with a variant of HiddenAds we detect as Android/Trojan.HiddenAds.WRACT. This variant has been observed in the wild since spring 2019. It runs silently in the background and does not create an app icon. Evidence of its running in the background can be seen in the mobile device’s notifications. A notification box that changes its title name is highlighted below in red.

HiddenAds2
HiddenAds3
The app runs in the background without an icon, though a space remains where it would be.

The notification bar cannot be swiped out in notifications. It stubbornly remains running in the background.

Fortunately, there is a way to find and uninstall this app. If you press and hold the notification, it will give the option to go to MORE SETTINGS.

HiddenAds4

After clicking MORE SETTINGS, it will take you to the app’s notification settings. From there, press the app’s icon at the top.

HiddenAds5

Lastly, it will take you to the app’s App info, where you can uninstall.

HiddenAds6

Of course, Malwarebytes for Android takes care of this as well.

************************************************************************

A United States–funded mobile carrier that offers phones via the Lifeline Assistance program is selling a mobile device pre-installed with not one, but two nefarious applications. Assurance Wireless by Virgin Mobile offers the UMX U683CL phone as their most budget conscious option. At only $35 under the government-funded program, it’s an attractive offering. However, what it comes installed with is appalling.

Not just malicious, but pre-installed

In October 2019, we saw several complaints in our support system from users with a government-issued phone reporting that some of its pre-installed apps were malicious. We purchased a UMX U683CL to better assist our customers and verify their claims.

We informed Assurance Wireless of our findings and asked them point blank why a US-funded mobile carrier is selling a mobile device infected with pre-installed malware? After giving them adequate time to respond, we unfortunately never heard back. Here’s what we discovered.

The first questionable app found on the UMX U683CL poses as an updater named Wireless Update. Yes, it is capable of updating the mobile device. In fact, it’s the only way to update the mobile device’s operating system (OS). Conversely, it is also capable of auto-installing apps without user consent.

Thus, we detect this app as Android/PUP.Riskware.Autoins.Fota.fbcvd, a detection name that should sound familiar to Malwarebytes for Android customers. That’s because the app is actually a variant of Adups, a China-based company caught collecting user data, creating backdoors for mobile devices and, yes, developing auto-installers.

1

From the moment you log into the mobile device, Wireless Update starts auto-installing apps. To repeat: There is no user consent collected to do so, no buttons to click to accept the installs, it just installs apps on its own. While the apps it installs are initially clean and free of malware, it’s important to note that these apps are added to the device with zero notification or permission required from the user. This opens the potential for malware to unknowingly be installed in a future update to any of the apps added by Wireless Update at any time. 

Not just pre-installed, but unremovable

It’s with great frustration that I must write about another unremovable pre-installed app found on the UMX U683CL phone: the mobile device’s own Settings app functions as a heavily-obfuscated malware we detect as Android/Trojan.Dropper.Agent.UMX. Because the app serves as the dashboard from which settings are changed, removing it would leave the device unusable.

Android/Trojan.Dropper.Agent.UMX shares characteristics with two other variants of known mobile Trojan droppers. The first characteristic is that it uses the same receiver and service names. The receiver name ends with ALReceiver and the service name ends with ALAJobService. These names alone are too generic to make a solid correlation. But, coupled with the fact that the code is almost identical, and we can confidently confirm a match. 

The only difference between the two codes are their variable names. The more discernible variant of this malware uses Chinese characters for variable names. Therefore, we can assume the origin of this malware is China.

2 2
Variant of malware with Chinese variable names

The second characteristic it shares is containing an encoded string within the code. Decoding this string reveals a hidden library file named com.android.google.bridge.LibImp.

b64 02 edit
Decoded string with
com.android.google.bridge.LibImp

Let’s take some time to look at how the code flows while decoding com.android.google.bridge.LibImp. It first grabs the encoded string and decodes using Base64 decoding.

flow1
Encoded string
flow2
Base64 decoding

It then loads the decoded library into memory using DexClassLoader.

flow3
DexClassLoader loading decoded string

After the library is loaded into memory, it then drops another piece of malware known as Android/Trojan.HiddenAds.

Although we have yet to reproduce the dropping of additional malware ourselves, our users have reported that indeed a variant of HiddenAds suddenly installs on their UMX mobile device.

The malware origin

In addition to the malware being of Chinese origin, it’s noteworthy to mention that this UMX mobile device is made by a Chinese company as well. This could simply be a coincidence rather than explicit malcontent—we cannot confirm if the makers of the device are aware there is Chinese malware pre-installed.

UMX Made 1

No current resolution

Although we do have a way to uninstall pre-installed apps for current Malwarebytes users, doing so on the UMX has consequences. Uninstall Wireless Update, and you could be missing out on critical updates for the OS. We think that’s worth the tradeoff, and suggest doing so. 

But uninstall the Settings app, and you just made yourself a pricey paper weight. We do offer an attempt to remediate such pre-installed malware in our blog: The new landscape of pre-installed mobile malware: malicious code within. See section: Attempting to remediate.

Pre-installed malware getting worse, as foreshadowed

As I have highlighted in this blog and blogs past, pre-installed malware continues to be a scourge for users of mobile devices. But now that there’s a mobile device available for purchase through a US government-funded program, this henceforth raises (or lowers, however you view it) the bar on bad behavior by app development companies.

Budget should not dictate whether a user can remain safe on his or her mobile device. Shell out thousands for an iPhone, and escape pre-installed maliciousness. But use government-assisted funding to purchase a device and pay the price in malware? That’s not the type of malware-free existence we envision at Malwarebytes.

Final words on UMX U683CL

Having an actual UMX U683CL in my hands, I can tell you it is not a bad phone. It feels solid in hand and runs smoothly. Sure, it’s not the fastest mobile device, but it’s a fully capable smart phone. In general, without the malware, this device is a good option for anyone on a budget. 

It’s important to realize that UMX isn’t alone. There are many reports of budget manufactures coming pre-installed with malware, and these reports are increasing in number. Although I don’t have the answer to this widespread issue, I can say that US citizens using the Lifeline Assistance Program and many others on a tight budget deserve more. Stay safe out there.

Correction: An earlier version of this blog listed the UMX model as U686CL. The correct model is UMX U683CL. We apologize for the confusion.

The post United States government-funded phones come pre-installed with unremovable malware appeared first on Malwarebytes Labs.