IT NEWS

Don’t miss our upcoming webinar on EDR vs. MDR!

In the webinar, Marcin Kleczynski, CEO and co-founder of Malwarebytes, and guest speaker Joseph Blankenship, Vice President and research director at Forrester, discuss topic such as: 

• The difference between EDR and MDR, how EDR solutions can be challenging for businesses without dedicated security teams, and why building an in-house SOC can be expensive and difficult.
• The limitations of Endpoint Protection and EDR, specifically when it comes to advanced threats like ransomware that use Living off the Land (LOTL) attacks and fileless malware. 
• How MDR providers work with clients to understand their security technology stack, make recommendations, and agree on response actions to take.
• If EDR or MDR is better for your business based on the resources you have available and the level of security you require. 

Want to learn more about EDR and MDR and which is right for your business? Be sure to catch the full webinar on Wednesday, May 10, 2023 at 10 am PT / 1 pm ET and get valuable insights from industry experts on how to improve your security operations and protect against ransomware and fileless malware.

Register now!

Read also:

How to choose an MDR vendor: 6 questions to ask

Is an outsourced SOC worth it? Looking at the ROI of MDR

Cyber threat hunting for SMBs: How MDR can help

Website owners are once again at war with tools designed to scrape content from their sites.  An AI scraper called img2dataset is scouring the Internet for pictures that can be used to train image-generating AI tools.

These generators are increasingly popular text-to-image services, where you enter a suggestion (“A superhero in the ocean, in the style of Van Gogh”) and it produces a visual to match. Since the system’s “understanding” of images is a direct result of what it was trained on, there is an argument that what it produces consists of bits and pieces of all that training data, There’s a good chance there may be legal issues to consider, too. This is a major point of contention for artists and creators of online content generally. Visual artists don’t want their work being sucked up by AI tools (that make someone else money) without permission.

Unfortunately for the French creator of img2datset, website owners are very much dissatisfied with his approach to harvesting images. 

The free program “turns large sets of image URLs into an image dataset”. Its claimed the tool can “download, resize, and package 100 million URLs in 20 hours on one machine”. That’s a lot of URLs.

What’s aggravating site owners is that the tool is ignoring assumed good netiquette rules. Way back in 1994, “robots.txt” was created as a polite way to let crawlers know which bits of a website they were allowed to pay a visit to. Search engines could be told “Yes please”. Other kinds of crawlers could be told “No thank you”. Many rogues would simply ignore a site’s robots.txt file, and end up with a bad reputation as a result.

This is one of the main complaints where img2dataset is concerned. Website owners contend that it’s not physically possible to have to tell every tool in existence that they wish to opt-out. Rather, the tool should be opt-in. This is a reasonable concern, especially as site owners would essentially be responsible for adding ever more entries to their code on a daily basis.

One site owner had this to say, in a mail sent to Motherboard:

I had to pay to scale up my server, pay extra for export traffic, and spent part of my weekend blocking the abuse caused by this specific bot.

Elsewhere, you can see a deluge of complaints from site owners on the tool’s “Issues” discussion page. Issues of consent, custom headers, even talk of the creator being sued: It’s chaos over there.

If you’re a site owner who isn’t keen on img2dataser paying a visit, there are a number of ways you can tell it to keep a respectful distance. From the opt-out directives section:

Websites can use these http headers:” X-Robots-Tag: noai”, “X-Robots-Tag: noindex” , “X-Robots-Tag: noimageai”, and “X-Robots-Tag: noimageindex”. By default, img2dataset will ignore images with such headers.

However, the FAQ also says this for users of the img2dataset tool:

To disable this behaviour and download all images, you may pass “–disallowed_header_directives ‘[]’”

This does exactly what it suggests, ignoring the “please leave me alone” warning and grabbing all available images. It’s no wonder, then, that website owners are currently so hot and bothered by this latest slice of website scraping action. With little apparent interest in robots.txt from the creator, and workarounds to ensure users can grab whatever they like, this is sure to rumble on.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

When Alvin Staffin received an email from his boss, he didn’t question it. In the email, Gary Bragg, then-president of Pennsylvania law firm O’Neill, Bragg & Staffin, asked Staffin to wire $580,000 to a Bank of China account. Staffin, who was VP and in charge of banking, sent the money through as asked. An hour later, he realized the request was fraudulent—he hadn’t been contacted by Bragg at all.

A hacker had gained access to Bragg’s email account and used it, along with information they’d learned about an ongoing loan transaction, to pose as Staffin’s boss. Nothing in the exchange made Staffin suspect that something was off until he called Bragg, who was out of town at the time, to discuss the transfer.

Both Staffin and his employer were victims of business email compromise (BEC), also known as CEO fraud, a type of social engineering attack. Social engineering attacks are cyberattacks where a criminal tricks a victim into doing something against their interests, such as revealing sensitive information of making a bank transfer.

BEC is one of the most damaging forms of social engineering attacks faced by small businesses. In the 2022 Internet Crime Report, the FBI ranked it as the second most damaging fraud, in terms of financial losses, after investment fraud.

The common forms of social engineering used by criminals are pretexting, phishing, baiting, and tailgating. Pretexting involves creating a false identity and situation to trick victims into providing information or access (BEC is a form of pretexting). Phishing attacks try to trick victims into giving away sensitive information, such as login credentials, using emails and websites designed to look like they belong to a person or business the victim trusts, such as their bank. Baiting is when malware-infected devices, such as USB sticks, are left in public places, in the hope that victims will take them and use them. Lastly, tailgating is when a fraudster follows an authorized person into a restricted area without proper authorization.

Protecting your business from social engineering

Securing a small business from social engineering attacks is an ongoing effort that requires constant vigilance. Because social engineering relies on a criminal’s powers of persuasion, your staff’s vigilance is your first line of defence. Security software forms a vital second line, protecting your business from some social engineers’ tools, such as phishing sites, and from social engineering attacks designed to deliver malware.

Your first priority should be to empower employees to be confident in identifying and effectively responding to social engineering tactics.

• Run regular training to help employees understand how to properly recognize and respond to social engineering. Consider testing your staff, too, and follow up with further education for anyone who fails the test.
• Use at least two people for financial transactions. Social engineering attacks try to isolate and hurry staff so they act without thinking. Create checks in your processes to prevent that.
• Create an intentional culture of security so that security practices come naturally to your staff. Encourage people to report suspicious activity sooner rather than later, avoid punishing staff who fall for social engineering so that others are not afraid to be accountable, and lead by example.
• Use endpoint security to protect against the effects of baiting attacks, to block phishing sites, and to detect malware delivered by social engineering.
• Monitor threat intelligence to understand current and emerging threats that could affect your business.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Microsoft issued a client roadmap update on Thursday to remind us once again that Windows 10 support is slowly coming to an end. In less than three years, all Windows 10 users will need to have moved to Windows 11. While moving to Windows 11 should be a win for security, some Windows 10 fans may be a little nervous. Upgrading isn’t always straightforward, and exacting hardware requirements weigh heavily on Windows 11.

According to the update, the company intends the current version of Windows 10, version 22H2, to be the last edition of the operating system (OS). That meant no more new and significant features for Windows 10. Instead, interesting changes and enhancements will be incorporated into Windows 11. PCMag highlighted that this process is already underway.

Microsoft will continue to release monthly security updates for Windows 10 until October 14, 2025. After that, it will officially pull the plug for consumer users but not for organizations signed up to the Long Term Servicing Channel. Support for them will extend beyond the deadline for up to 10 years. From Microsoft’s description:

The Long-Term Servicing Channel (LTSC) is designed for Windows 10 devices and use cases where the key requirement is that functionality and features don’t change over time. Examples include medical systems (such as those used for MRI and CAT scans), industrial process controllers, and air traffic control devices. We designed the LTSC with these types of use cases in mind, offering the promise that we will support each LTSC release for 10 years–and that features, and functionality will not change over the course of that 10-year lifecycle.

Microsoft recommends Windows 10 users switch to Windows 11 if they haven’t already done so. Despite that, Windows 10 remains hugely popular, with a 69 percent share of Windows desktops, globally. Windows 11 trails significantly with just 18 percent, not far off Windows 7, which still accounts for nine percent.

Windows 11’s low numbers may soon change as the sunset date approaches, which would be good news for security. Microsoft’s latest OS makes multiple improvements over what’s available in Windows 10. Microsoft’s approach has been to create a chain of trust that ensures the integrity of the entire hardware and software stack, from the ground up. Many of the links in that chain rely on Virtualization Based Security (VBS), a technology that creates secure sandboxes isolated from the main OS. Doing that requires hardware-based virtualization features, which is why Windows 11 has such stringent hardware requirements.

Windows 11 also includes a more efficient way of warding off phishing attacks; warnings when users type passwords into notepad files and other programs; and a default account lockout policy to combat the dangers of Remote Desktop Protocol (RDP) brute force attacks, an automated attack wherein hackers try to guess a users’ passwords remotely, over RDP.

And, soon, Windows 11 will allow app developers to tap into its built-in human presence detection (HPD) capabilities to create and share unique experiences. HPD is a new feature that allows touch-free logins of laptops. It also automatically locks the device when a user walks away from it, giving them much-needed privacy. Of course, this feature can only be used if your laptop has the hardware to support it.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Last week on Malwarebytes Labs:

• LockBit and Cl0p ransomware gangs actively exploiting Papercut vulnerabilities
• Update now: Critical flaw in VMWare Fusion and VMWare Workstation
• Magecart threat actor rolls out convincing modal forms
• Fileless attacks: How attackers evade traditional AV and how to stop them
• ChatGPT writes insecure code
• Update your PaperCut application servers now: Exploits in the wild
• APC warns about critical vulnerabilities in online UPS monitoring software
• Decoy dog toolkit plays the long game with Pupy RAT
• GuLoader returns with a rotten shipment
• Black Basta ransomware attacks Yellow Pages Canada
• Removing the human: When should AI be used in emotional crisis? Lock and Code S03E09
• Fake Flipper Zero sellers are after your money
• Adult content malvertising scheme leads to clickjacking

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Four vulnerabilities in virtualisation software have been fixed by VMware, including two which were exploited at the 20223 Pwn2Own contest. Three have been given the severity rating “Important”, with the last (CVE-2023-20869) is classed as “Critical”.

Success! @starlabs_sg used an uninitialized variable and UAF against VMWare Workstation. They earn $80,000 and 8 Master of Pwn points, pushing the prize total for #P2OVancouver past $1,000,000. #Pwn2Own pic.twitter.com/DEjgYcmphH

— Zero Day Initiative (@thezdi) March 24, 2023

The four vulnerabilities are:

• CVE-2023-20869 is “Critical” flaw that affects Fusion and Workstation. It is a stack-based buffer overflow issue in the functionality for sharing host Bluetooth devices with the virtual machine. As per the advisory, “A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.” Needless to say, guest VMs are not supposed to be able to make the host machines they’re running on do things.
• CVE-2023-20870 is an “Important” flaw that affects Fusion and Workstation. It’s another issue in the functionality for sharing host Bluetooth devices, but with this one an attacker can potentially read privileged information stored in the virtual machine’s hypervisor memory.
• CVE-2023-20871 is an “Important” flaw that only affects Fusion. It allows an attacker who has read / write access to the host operating system to elevate their privileges to gain root access to the host operating system.
• CVE-2023-20872 is an “Important” flaw that affects Fusion and Workstation. It allows virtual machines with a physical CD/DVD drive attached to execute code on the hypervisor, if the drive is configured to use a virtual SCSI controller.

Workarounds and updates

All four issues can be addressed by updating to the latest version of the affected software. At the time of writing these are VMware Fusion 13.0.2 and VMware Workstation 17.0.2. Workarounds are available for CVE-2023-20869, CVE-2023-20870, and CVE-2023-20872.

CVE-2023-20869 and CVE-2023-20870 can be mitigated by turning off Bluetooth support by unchecking the “Share Bluetooth devices with the virtual machine” option. The relevant support documents for each product are VMware Workstation Pro, VMware Workstation Player, and VMware Fusion.

CVE-2023-20872 can be mitigated by removing the CD/DVD device from the virtual machine. Alternatively, you can configure the virtual machine so that it does not use a virtual SCSI controller. After shutting down the virtual machine, the steps are:

To remove the CD/DVD device in VMWare Workstation:

• Select VM > Settings
• Click the Hardware tab
• Select the CD/DVD and click Remove

To remove the CD/DVD device in VMWare Fusion:

• Select a virtual machine in the Virtual Machine Library window
• Click on Virtual Machine menu
• Click Settings
• Under Removable Devices in the Settings window, select CD/DVD > Advanced Options > Remove CD/DVD Drive.

To configure VMWare Workstation not to use a virtual SCSI controller:

• Select VM > Settings
• Click the Hardware tab
• Select the CD/DVD > Advanced > CD/DVD Advanced Settings > Virtual device node
• You can configure the Bus type

To configure VMWare Fusion not to use a virtual SCSI controller:

• Select a virtual machine in the Virtual Machine Library window
• Click on Virtual Machine menu
• Click on Settings
• Under Removable Devices in the Settings window, Select CD/DVD > Advanced options > Bus type
• You can configure the Bus type.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

A few days ago we wrote about two vulnerabilities found in PaperCut application servers. As we noted, exploitation was fairly simple so there was some urgency to install the patches. My esteemed colleague Chris Boyd literally wrote:

“Arbitrary code can be deployed, or even ransomware if that’s part of the attacker’s toolkit.”

As it turns out, there are already two flavors of ransomware preying on those that haven’t updated yet.

A Cl0p affiliate, branded as DEV-0950 by Microsoft has already incorporated the PaperCut exploits into its attacks. This affiliate has also been known to use the GoAnywhere zero-day that basically brought Cl0p back from the dead last month.

In a surprising turn of events for the ransomware landscape, Cl0p emerged as the most used ransomware in March 2023, coming out of nowhere to dethrone the usual frontrunner, LockBit.

But don’t rule the habitual frontrunner LockBit out just yet. Microsoft Threat Intelligence said in a tweet that it’s “monitoring other attacks also exploiting these vulnerabilities, including intrusions leading to Lockbit deployment.”

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

When you hear about malware, there’s a good chance you think of sketchy executables or files with extensions like .DOCX or .PDF that, once opened, execute malicious code. These are examples of file-based attacks—and while they can be bad, they’re nothing compared to their fileless cousins.

As the name suggests, fileless attacks don’t rely on traditional executable files to get the job done but rather in-memory execution, which helps them evade detection by conventional security solutions.

In this post, we’ll explore topics like how fileless attacks work, why they’re effective, and what you can do to find and block fileless threats.

Fileless attacks explained

In contrast to file-based attacks that execute the payload in the hard drive, fileless attacks execute the payload in Random Access Memory (RAM). Executing malicious code directly into memory instead of the hard drive has several benefits, such as:

• Evasion of traditional security measures: Fileless attacks bypass antivirus software and file signature detection, making them difficult to identify using conventional security tools.   
• Increased potential for damage: Since fileless attacks can operate more stealthily and with greater access to system resources, they may be able to cause more damage to a compromised system than file-based attacks.

• Memory-based attacks can be difficult to remediate: Since fileless attacks don’t create files, they can be more challenging to remove from a system once they have been detected. This can make it extra difficult for forensics to trace an attack back to the source and restore the system to a secure state.

Fileless attacks vs Living-off-the-land (LOTL) attacks

If you read our article on LOTL attacks, you may be confused: Aren’t fileless attacks and LOTL attacks the same thing? Well, yes and no.

LOTL attacks are anytime an attacker leverages legitimate tools to evade detection, steal data, and more, while fileless attacks refer purely to executing code directly into memory. While both types of attacks often overlap, they are not synonymous.

Think of fileless attacks as an occasional subset of LOTL attacks. Fileless attacks can and often do leverage LOTL techniques to execute payload into memory, but they can also do so without leveraging a legitimate system tool or process at all.

PowerShell script extracted from a Microsoft Word document. If macros are enabled, it would execute the code in memory upon being opened. Source.

For example, an attacker can use PowerShell to download and execute a malicious payload directly in memory, without writing it to the disk. In this case, the attack is both LOTL (since PowerShell is a legitimate tool) and fileless (as the payload is executed in memory).

On the other hand, an attacker injecting malicious JavaScript into a website can exploit browser vulnerabilities and execute payloads in memory. This fileless attack executes code without writing to the hard drive, but doesn’t qualify as LOTL as it doesn’t use a legitimate system tool or process.

5 different ways fileless attacks execute code in memory

Once an attacker gains access through phishing or exploiting vulnerabilities, they can execute malicious code in memory using several methods, some of which may overlap with LOTL techniques.

Below are five common techniques used in fileless attacks:

• PowerShell: A legitimate scripting that can execute malicious code directly in memory. As mentioned earlier, this technique overlaps with LOTL attacks as it leverages a built-in system tool.
• Process hollowing: Process hollowing is a fileless technique where attackers create a new process in a suspended state, replace its memory content with malicious code, and then resume the process. The malicious code executes in memory without writing to the disk.
• Reflective DLL injection: In this fileless attack, attackers load a malicious Dynamic Link Library (DLL) into a legitimate process’s memory without writing it to the disk. The DLL is executed directly in memory, evading detection by traditional security software.
• JavaScript and VBScript: Fileless attackers can use JavaScript or VBScript to run malicious code directly in memory within a web browser or other applications that support these scripting languages.
• Microsoft Office macros: Fileless attackers can use malicious macros embedded in Microsoft Office documents to execute code in memory when the document is opened. This method takes advantage of the legitimate macro functionality, making it an example of an LOTL technique as well.

Note that fileless attacks often rely on exploiting vulnerabilities in system components in each of these instances (such as Office or web-browsers) to execute their code. 

Preventing and spotting fileless attacks: Quick tips

Malwarebytes EDR and Exploit Protection: Safeguarding against fileless attacks

Malwarebytes Exploit Protection can effectively block many fileless attacks by monitoring and reinforcing application behavior, hardening applications, and ensuring advanced memory protection.

To configure Exploit Protection Advanced settings, follow these steps:

• Go to Configure > Policies in Nebula.

• Select a policy and navigate to Protection settings > Advanced settings > Anti-exploit settings.

Exploit Protection settings in a policy in Malwarebytes EDR.

Here’s an overview of the protection layers offered by Malwarebytes EDR Exploit Protection:

• Application Hardening: By enforcing security measures like DEP and ASLR, and disabling potentially vulnerable components like Internet Explorer VB Scripting, Application Hardening reduces the attack surface and makes it more difficult for fileless malware to exploit weaknesses in applications.
• Advanced Memory Protection: This layer prevents fileless malware from executing payload code in memory by detecting and blocking techniques such as DEP bypass, memory patch hijacking, and stack pivoting, thereby stopping the attack before it can cause harm.
• Application Behavior Protection: This layer also detects and blocks exploits that do not rely on memory corruption, such as Java sandbox escapes or application design abuse exploits. Options include Malicious LoadLibrary Protection, Protection for Internet Explorer VB Scripting, Protection for MessageBox Payload, and protection against various Microsoft Office macro exploits. 
• Java Protection: These settings protect against exploits commonly used in Java programs. By guarding against Java-specific exploits, such as web-based Java command execution and Java Meterpreter payloads, Java Protection can effectively prevent fileless attacks that leverage Java vulnerabilities to infiltrate systems and execute malicious code.

Fighting fileless threats with Malwarebytes EDR: Configuring Suspicious Activity Monitoring in Nebula

Malwarebytes Endpoint Detection and Response (EDR) offers an effective solution to detect and mitigate fileless malware threats by monitoring potentially malicious behavior on endpoints. The Suspicious Activity Monitoring feature in Nebula uses machine learning models and cloud-based analysis to detect questionable activities. In this section, we will outline how to configure Suspicious Activity Monitoring in Nebula.

To enable Suspicious Activity Monitoring in your policy:

• Log in to your Nebula console.
• Navigate to Configure > Policies.
• Click “New” or select an existing policy.
• Choose the “Endpoint Detection and Response” tab.
• Locate “Suspicious Activity Monitoring” and enable it for the desired operating systems.

Suspicious Activity monitoring detections in Nebula showing a possible fileless attack. On the right, we see the command line context for this process in our organization.

Advanced Settings offer additional options for activity monitoring. To configure these settings:

• In the same “Endpoint Detection and Response” tab, find the “Advanced Settings” section.
• Enable “Server operating system monitoring for suspicious activity” to extend monitoring to server operating systems. 
• Enable “Very aggressive detection mode” to apply a tighter threshold for flagging processes as suspicious. 
• Toggle “Collect networking events to include in searching” to ON (default) or OFF, depending on your preference. Turning it OFF decreases traffic sent to the cloud.

Flight Recorder Search

Flight Recorder Search collects all endpoint events within its search functionality. By configuring Suspicious Activity Monitoring in Malwarebytes EDR through the Nebula platform, you can effectively counter fileless malware threats by monitoring processes, registry, file system, and network activity on the endpoint. 

Respond to fileless attacks quickly and effectively

Managed Detection and Response (MDR) services provide an attractive option for organizations without the expertise to manage EDR solutions. MDR services offer access to experienced security analysts who can monitor and respond to threats 24/7, detect and respond to fileless attacks quickly and effectively, and provide ongoing tuning and optimization of EDR solutions to ensure maximum protection. 

Stop fileless attacks today

To ensnare new victims, criminals will often devise schemes that attempt to look as realistic as possible. Having said that, it is not every day that we see the fraudulent copy exceed the original piece.

While following up on an ongoing Magecart credit card skimmer campaign, we were almost fooled by a payment form that looked so well done we thought it was real. The threat actor used original logos from the compromised store and customized a web element known as a modal to perfectly hijack the checkout page.

While the technique to insert frames or layers is not new, the remarkable thing here is that the skimmer looks more authentic than the original payment page. We were able to observe several more compromised sites with the same pattern of using a custom-made and fraudulent modal.

This skimmer and associated campaigns represent one of the most active Magecart attacks we have been tracking in recent months.

Smooth checkout 

We identified a compromised online website for a Parisian travel accessory store running on the PrestaShop CMS. A skimmer we previously identified as Kritec, was injected and loading malicious JavaScript that altered the checkout process. In the following section, we will compare the checkout process when the skimmer is active and when it is not.

Fraudulent payment form

What we see here is the use of a ‘modal‘ which is a web page element displayed in front of the current active page. The modal disables and grays out the background so that the user can focus on the presented element instead. This is an elegant way for website owners to keep their customers on the same web site and have them interact with another form.

Figure 1: Compromised store loads fake payment modal

The problem is that this modal is entirely fake and designed to steal credit card data. It may sound hard to believe given everything matches to the original brand and feel of the site. Before digging further into why it is fraudulent, we will take a look at the same online store when the skimmer has been disabled.

Actual (real) payment form

In order to view this legitimate sequence, we first had to block the skimmer when requesting the e-commerce page. In our case, we simply blocked the connection to the malicious domain where the skimmer is hosted. As a result, the website will display what the original payment form should be (prior to the compromise).

Figure 2: Legitimate payment form when same store is not compromised

The actual payment flow for this merchant is to redirect users to a third-party processor hosted by Dalenys, now part of Payplug, a French payment solutions company. So rather than display a modal, it loads the webpage for the payment processor to allow the user to enter their banking information. Once that is validated, it will take them back to the merchant page.

Malicious modal

The malicious modal is built very cleanly and contains an animation that displays the store’s logo in the middle and then moves it back up. We have to give credit where credit is due: this is a very well done skimmer that is actually a smoother user experience than the store’s default. We should also note that the malware author is not only well versed in web design, they also use proper language (French) for each form field.

Figure 3: A closer look at the fake modal

However, we noticed a small mistake in the hyperlink for Politique de confidentialité (terms of use). That link redirects to the terms of use for Mercardo Pago, a payment processor used in South America. It is likely the threat actor copied the data from a previous template and did not notice their mistake. This is just a detail, and does not affect the functionality of the skimmer at all.

We can try to look for this erroneous hyperlink within the skimmer source code in order to confirm that the modal was created by the threat actor. The skimmer is rather complex and heavily obfuscated but we can see that HTML content is generated dynamically and goes through a decodeURIComponent routine.

Figure 4: Extracting code from the skimmer to reveal connection with the modal

If we step through the code until the modal is loaded, we can grabbing the Base64 value corresponding to the HTML content. One we have it, we can convert it to plain text and finally see the reference to mercadopago, that is proof that the skimmer is the one rendering this beautiful modal. In fact, we can see the whole thing is an iframe called v.ECPay:

Figure 5: The iframe created by the skimmer to display the modal

Full payment flow

We recreated the payment flow from the perspective of a customer shopping via that compromised store. We can see that upon selecting the credit card payment option, the malicious modal is loaded and will harvest their payment card details.

A fake error is then displayed briefly “votre paiment a été annulé” (your payment was cancelled) before the user is redirected to the real payment URL:

Figure 6: Payment process flow with the skimmer active

On the second attempt, the payment will go through and victims will be unaware of what just happened.

The skimmer will drop a cookie which will serve as an indication that the current session is now marked as completed. If the user was to go back and attempt the payment again, the malicious modal would no longer be displayed (instead the real payment method by the external processor Dalenys will be used).

Figure 7: Cookie dropped by skimmer once data has been stolen

Ongoing, covert campaigns

We now believe this Kritec skimmer is part of the same compromises with injections into vulnerable websites where malicious code is placed within the Google Tag Manager script. It is possible multiple threat actors are involved in those campaigns and customizing skimmers accordingly.

While many hacked stores had a generic skimmer, it appears the custom modals were developed fairly recently, maybe a month or two ago. The threat actor is using different domains to host the skimmer but names them in a similar way: [name of store]-loader.js.

We crawled several thousand e-commerce sites and found more fraudulent modals, in different languages.

Figure 8: A Dutch e-commerce site with the fake modal

Figure 9: A Finnish e-commerce site with the fake modal

Discerning whether an online store is trustworthy has become very difficult and this case is a good example of a skimmer that would not raise any suspicion.

If you are a Malwarebytes customer, you will get a notification and block when attempting to make a purchase from a store that has been compromised by this skimmer.

Figure 10: Skimmer being blocked by Malwarebytes

Indicators of Compromise

Domain names

genlytec[.]us
shumtech[.]shop
zapolmob[.]sbs
daichetmob[.]sbs
interytec[.]shop
pyatiticdigt[.]shop
stacstocuh[.]quest

IP addresses

195.242.110[.]172
195.242.110[.]83
195.242.111[.]146
45.88.3[.]201
45.88.3[.]63

YARA rule

rule kritecloader
{
 strings:
     $string = "'fetchModul'"
     $string2 = "'setAttribu'"
     $string3 = "'contentWin'"
     $string4 = "'zIndex'"

condition:
    all of them
}

Research by computer scientists associated with the Université du Québec in Canada has found that ChatGPT, OpenAI’s popular chatbot, is prone to generating insecure code.

“How Secure is Code Generated by ChatGPT?” is the work of Raphaël Khoury, Anderson Avila, Jacob Brunelle, and Baba Mamadou Camara. The paper concludes that ChatGPT generates code that isn’t robust, despite claiming awareness of its vulnerabilities. 

“The results were worrisome,” the researchers say in the paper. “We found that, in several cases, the code generated by ChatGPT fell well below minimal security standards applicable in most contexts.”

“In fact, when prodded to whether or not the produced code was secure, ChatGPT was able to recognize that it was not. The chatbot, however, was able to provide a more secure version of the code in many cases if explicitly asked to do so.”

In the experiment, the researchers assumed the role of a novice programmer who doesn’t have security in mind. They asked ChatGPT to generate code, specifying in some cases that the code would be used in a “security-sensitive context.” What they didn’t do, however, was specifically ask the AI chatbot to create secure code or include certain security features.

ChatGPT generated 21 applications written in five programming languages: C, C++, HTML, Java, and Python. The programs are simple, with 97 lines of code at most.

In its first run, ChatGPT produced five secure applications out of 21. When prompted for changes, it made seven more secure applications from the remaining 16.

The authors note that ChatGPT can only create “secure” code when a user requests it. When tasked with creating a simple FTP server for file sharing, it generated code without applying input sanitization (where code is checked for harmful characters and removed where necessary). ChatGPT only added the security feature after the authors prompted it to do so.

“Part of the problem seems to be that ChatGPT simply doesn’t assume an adversarial model of execution,” the authors say, explaining why the AI bot cannot create secure code by default. Despite this, the bot readily admits to errors in its code.

“If asked specifically on this topic, the chatbot will provide the user with a cogent explanation of why the code is potentially exploitable. However, any explanatory benefit would only be available to a user who ‘asks the right questions’. i.e.; a security-conscious programmer who queries ChatGPT about security issues.”

Additionally, the authors point to the chatbot’s ethical inconsistency when it refuses to create attack code but will create insecure code.

It might refuse to create attack code, but there are ways round it. Malwarebytes Security Evangelist Mark Stockley decided to try to create ransomware using ChatGPT. The AI bot refused to create malware code at first, but Stockley found his way around the initial safeguards and managed to get it to create (admittedly quite dubious) ransomware anyway.

In an interview with The Register, one of the Université du Québec researchers said he had concerns about ChatGPT. “We have actually already seen students use this, and programmers will use this in the wild,” Khoury said. “So having a tool that generates insecure code is really dangerous. We need to make students aware that if code is generated with this type of tool, it very well might be insecure.”

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW