IT NEWS

Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their dark web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

Lockbit has rebounded from its unusual fall from grace in November, snatching the title of the month’s worst ransomware, back from Royal. Royal has meanwhile still shown itself as a force to be reckoned with, ranking third in number of attacks for December. 

Attacks by Royal may be down 35 percent from their high of 49 in November, but at the same time, there’s good reason to suspect that their attacks are becoming more targeted. 

On December 07, 2022, the Health Sector Cybersecurity Coordination Center (HC3)—an arm of the US Department of Health and Human Services (HHS)—released a threat brief about Royal after observing the group disproportionately targeting the healthcare industry. Their crowning attack for December came late in the month when they breached telecommunications company Intrado.

In terms of progress, the two newcomers that we introduced last month, Play and Project Relic, have vastly different stories to tell. 

Project Relic has fallen off the map while Play has turned up the jets—we recorded a whopping 136 percent increase in attacks from the gang compared to November. Since our last update Play has been seen leveraging a never-before-seen exploit chain, which might be responsible for their sharp uptick in attacks. The new Microsoft Exchange attack, dubbed ‘OWASSRF’, chains exploits for CVE-2022-41082 and CVE-2022-41080 to gain initial access to corporate networks. This was the technique behind a ransomware attack on cloud computing service provider Rackspace in early December, which Play later claimed responsibility for. 

Play’s surge in activity, however, was hardly an anomaly for December. Month-on-month we saw hefty percentage-point increases in attacks across the board.

ALPHV (aka BlackCat), for example, is a ransomware gang that has consistently topped the charts in our ransomware reviews; the number of their attacks in December (33), however, is not only a 70 percent increase from November but also the highest it’s been all 2022. We also saw 25 percent and 116 percent increases from BianLian and BlackBasta, respectively. These upticks are perhaps to be expected, given that attackers famously love the holiday seasons due to the reduction in security staff on deck. Only time will tell if ransomware gangs will sustain their heightened levels of activity into the New Year—or if the increase is indeed simply a gift-wrapped aberration.

Lockbit… apologizes?

Lockbit in December regained the throne as the biggest ransomware gang by attack volume, reversing a three-month downward trend in number of victims.

The prolific ransomware group claimed on December 12 to have stolen up to 75GB of confidential data from California’s Department of Finance, or over 246,000 files in more than 114,000 folders. Not even SickKids (a hospital for sick children) was spared from LockBit’s avarice in December. A ransomware attack using LockBit impacted the hospital’s internal and corporate systems, hospital phone lines, and website.

While we’re not surprised to see a gang stoop to such lows, we don’t find many issuing apologies after the fact. Two days later LockBit apologized for the attack, which it blamed on a rogue affiliate, and released a decryptor for free. 

LockBit’s operation’s policy states “It is forbidden to encrypt institutions where damage to the files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals and the like, that is, those institutions where surgical procedures on high-tech equipment using computers may be performed.”

Of course the apology doesn’t turn LockBit in to some kind of Robin Hood. Its business model is to inflict so much harm that people are willing to pay a fortune to make it stop.

New ransomware gangs

Unsafe

In December, we saw a group emerge that makes its cash by riding on the coattails of real ransomware gangs. 

The new player, Unsafe, seems to recycle leaks from other ransomware groups. Unsafe provides security blogs for cybercriminals to post victims and leaked data as well as consultation services for a fee. It currently lists eight victims. 

Endurance

We call them ransomware gangs for a reason: These are groups of cybercriminals working together in a hierarchical organization. Rarely do we ever see lone wolf attacks, and if we do it’s even more unusual for them to make as big of a splash in so short of a time as Endurance has.

This cybercriminal, known on dark web forums as IntelBroker, tends to make individual posts about data on sale.

In less than 30 days since its inception, Endurance appears to have successfully infiltrated some big corporations and breached several US government entities. After posting some high-value victims, Endurance has removed them from its dark web site, which is “undergoing development”.

The European Commission has been looking at retail websites to see if they’re misleading consumers with “dark patterns”. Spoiler: Yes, they are.

The Commission, along with the national consumer protection authorities of 23 EU member states, plus Norway and Iceland, have released the results of their screening of online shops. In a sweep of 399 sites the investigation discovered that 148 of them contained at least one of the three dark patterns they were checked for.

Dark patterns

Dark patterns, also known as deceptive design patterns, occur when a user interface has been carefully crafted to nudge or trick users into doing things they didn’t set out to do.

Dark patterns are not subliminal messagaging, visual or auditory stimuli that the conscious mind cannot perceive, although advertisers have been accused of using that as well.

The investigation focused on three manipulative practices that can push consumers into making choices that may not be in their best interests:

• Fake countdown timers, which create a sense of false urgency
• Interfaces designed to lead consumers to certain purchases, subscriptions or other choices.
• Hidden information.

Numbers

Frankly, the numbers are surprising, if not disappointing. The investigation found that “nearly 40% of the online shopping websites rely on manipulative practices to exploit consumers’ vulnerabilities or trick them.”

The sweep found 42 websites that used fake countdown timers with deadlines for purchasing specific products. 54 websites directed consumers towards certain choices–from subscriptions to more expensive products or delivery options–either through their visual design or choice of language.

At least 70 websites hid important information or made it less visible for consumers. For example, this included information related to delivery costs, the composition of products, or on the availability of a cheaper option.

23 websites hid information with the aim of manipulating consumers into entering into a subscription.

Follow-up

The offending vendors will be contacted by their national authorities and ordered to rectify their websites. If necessary, further action will be taken. The Commissioner for Justice has called on all national authorities to make use of their enforcement capacities to take relevant action and fight these practices.

Tthe Commission is gathering feedback to analyze whether additional action is needed to ensure an equal level of fairness online and offline. The evaluation will look at three pieces of European Union consumer protection legislation to determine whether they ensure a high enough level of protection in the digital environment.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

We have recently written about malvertising campaigns that leverage Google paid advertisements to try and trick people into downloading malware instead of the software they were looking for. This malware then stole login credentials from the affected system.

Now, our researchers found that the malvertising campaigns via Google Ads are not just about software downloads and scams. They also include a  much more direct way to get at your login credentials by phishing for users of popular password managers such as 1Password.

Below is a screenshot of what we found:

Searching for “1password” we noticed two different sponsored advertisements as the top results. The first one leads to the legitimate domain 1password[.]com, but the second one points to start1password[.]com. Both claim to be for 1Password and both are https sites. Which makes it very hard for someone who is unfamiliar with the brand to determine which one to follow.

The following order in the search results is based on a metric called “Ad Rank.”

Google says (emphasis by me):

“Ad Rank is a value that’s used to determine where ads are shown on a page relative to other ads, and whether your ads will show at all. Your Ad Rank is recalculated each time your ad is eligible to appear. It competes in an auction, which could result in it changing each time depending on your competition, the context of the person’s search, and your ad quality at that moment.”

Just to point out that going for the top result is not always a sure fire way to get to the right one.

Next phase

So where does the fake URL take us? To a very convincing phishing site. We have posted a comparison between the two login forms below.

The differences are so subtle, most people will fall for it. The only real difference is that following the legitimate link will keep you in the same domain because it goes to my.1password[.]com and the phishing link will take you to my1password[.]com, where the missing dot is the only real difference in the URLs.

Secret key

The real difference is that phishing site will always have to ask for your secret key, because, well that’s what they are after. The legitimate 1Password will be able to retrieve it from your browser’s database and only ask for it if it has been deleted or if you are using 1Password on a new device or in a new browser. Deletion of the secret key can happen if you haven’t used the password manager for an extended period or if you have cleaned your browser’s cache. In which case you will have to retrieve it.

So, any attacker will not be satisfied with just your email address and password. They will need the secret key as well. But with that they would have access to all the login credentials in your vault.

While the sites used in this particular example have been taken offline, there is always the danger of new attempts, so be careful out there. Don’t give away the secret key to your password manager to any phishers.

Real URLs:

https://my[.]1password.com/signin

https://www[.]1password.com

Phishing URLs:

https://my1pasword[.]com/signin

https://www[.]start1password.com

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

It’s time for a reminder to ensure all of your WordPress plugins are fully up to date (or removed, if you don’t need them). Bleeping Computer reports that as many as 75,000 WordPress sites may be open to several flaws in a plugin called LearnPress. Worse, the update tally for users of the plugin isn’t doing particularly well, with a big slice of site owners still to update.

If you own or operate a website there is a very good chance it uses WordPress. More than 40 precent of websites use a version of it, and it’s used on more websites that all other website Content Management Systems (CMS) combined. One of the reasons it’s so popular is that it can be easily extended by adding plugins, of which there are tens of thousands.

Provided it is kept up to date and protected by two-factor authentication, WordPress itself is quite secure. Because of that, in recent years threat actors have focussed on exploiting it via vulnerabilities in plugins rather than attacking it directly.

LearnPress is a WordPress plugin used for creating and selling courses online, with extra paid options available for additional features. This is something which would no doubt have been popular over the pandemic, and indeed up to the present day, as companies continue to lean heavily on online and remote services only.

A ripe target, then, for exploitation and targeted attacks.

Somewhere in the region of 100,000 sites make use of the LearnPress plugin, all of which will need to upgrade to LearnPress 4.2.0 if they haven’t already.

The vulnerabilities are:

• CVE-2022-47615, an unauthenticated Local File Inclusion vulnerability that allows remote viewing of local files on a web server, which could lead to API keys, credentials, and other secrets being exposed.
• CVE-2022-45808 and CVE-2022-45820, a pair of SQL injection vulnerabilities that could result in data modification, code execution, and more.

Patchstack discovered the three issues between the November 30, 2022 and December 4, 2022, with initial outreach on the same day as the first discovery, and subsequent details passed on over the following days. The issues were patched on December 20.

This is a fairly speedy turnaround compared to some of the other timeline notifications we’ve seen for plugins. Indeed, it’s not uncommon to not hear back from a developer at all and discover the plugin has been abandoned. (If you ever find yourself dealing with an abandoned plugin, you’ll need to untangle your site from it, which can cause additional complications and headaches for the site admin.)

Just to reiterate, upgrading your LearnPress install to version 4.2.0 is the way to lock these particular vulnerabilities down. With this done, you shouldn’t have any more concerns.

As for your plugins generally, this may be the perfect time to have a quick spring clean of your site and see which plugins you need and which ones you don’t:

• Update existing plugins. If you use WordPress you can check if you have any plugins that need updating by logging in to your site and going to Dashboard > Updates. (The Themes and Plugins menu items will also have red circles next to them if any need updating.) Update everything.
• Turn on automatic updates for plugins. By default, WordPress does not update plugins automatically. You can enable this on a per-plugin basis by going to the Plugins screen and clicking Enable auto-updates next to each plugin.
• Remove unsupported plugins. Go to the Plugins screen and click View details for each plugin. This screen shows you the last version of WordPress the plugin was tested with, and when it was last updated. It will also display an alert if it thinks the plugin is no longer supported.
• Remove unnecessary plugins. Check out how many plugins and themes you have installed on your site. Do you need them all? Can any of them be removed or replaced? Generally, fewer is better.

If you can’t make enough time available to keep on top of theme and plugins, don’t let not doing it become an option: Pay somebody to do it for you.

Stay safe out there!

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

After confirming threat actors were able to steal some of its code, Riot Games has also revealed that it received a ransom email from its attacker. The attackers demanding $10 million to stop them leaking source code from League of Legend’s and other games. Riot’s reply?

Today, we received a ransom email. Needless to say, we won’t pay.

While this attack disrupted our build environment and could cause issues in the future, most importantly we remain confident that no player data or player personal information was compromised.

2/7

— Riot Games (@riotgames) January 24, 2023

The company says it is already looking into countering the negative effects of stolen code falling into the wrong hands.

Motherboard was able to obtain a copy of the ransom email and partially shared the content with its readers, which we have replicated below:

Dear Riot Games,

We have obtained your valuable data, including the precious anti-cheat source code and the entire game code for League of Legends and its tools, as well as Packman, your usermode anti-cheat. We understand the significance of these artifacts and the impact their release to the public would have on your major titles, Valorant and League of Legends. In light of this, we are making a small request for an exchange of $10,000,000.

According to the ransom note, if paid, the attackers promised to scrub the stolen code from their servers of and “provide insight into how the breach occurred and offer advice on preventing future breaches.” The attackers also opened a Telegram chat the company can use to reach out to them. 

“We do not wish to harm your reputation or cause public disturbance. Our sole motivation is financial gain,” the note further said, giving Riot Games a deadline of 12 hours. “Failure to do so will result in the hack being made public and the extent of the breach being known to more individuals.”

Last week, Riot Games revealed in a series of tweets that it had been compromised via a “social engineering attack”. The attackers siphoned out code for the company’s flagship games, League of Legends, Teamfight Tactics, and Pacman, its anti-cheat software for Valorant and League of Legends. The company said it has been working with law enforcement in investigating the hack and expects its systems to be fully restored by the end of the week.

Epic isn’t the only games company to find itself in the sights of attackers. The help desk of 2K Games was breached in September 2022, and then used to infect its customers with malware. A month later, 2K had alerted its users that some of their information had been stolen and was now up for sale.

Also in September last year, Rockstar Games experienced a messy leak after posts of a then-alleged sequel to its Grand Theft Auto franchise appeared online, shocking many. In a tweet, the company revealed someone illegally accessed its network and downloaded confidential information, including video clips containing concept content for the anticipated sequel. Eight days later, a British teen was arrested in London.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

A couple of weeks ago, security news outlets made their rounds reporting on an Android TV box available on Amazon that came pre-installed with malware. The findings came from a Canadian developer, Daniel Milisic, who posted on his GitHub. What Daniel found was an Android T95 TV box infected with malware right out of the box!

Immediately, I recognized some of the apps that put up red flags, such as Adups. Under those circumstances, there’s only one logical thing a curious mobile malware researcher can do—I put in an IT Helpdesk request to buy a malware infested TV box! (For the record, I do not recommend putting in such a request at a non-information security company.)

The following is my analysis after days of obsessing over this little black box.

Toolset

Before we continue with my analysis, let me explain some of the tools I used so when they are referenced it makes more sense. This is for the average reader who is not a tech nerd like myself. If you are technically inclined and want to skip to the good stuff, head down to header Getting to the Core(java) of the case.

• Android Debug Bridge (adb)—I have referenced this command line tool many times in the past. It is your best friend into easily sending commands to an Android device via Windows, Mac, or Linux environments. It’s part of Android Studio, but unless you plan to develop an Android app, I recommend just grabbing the Android SDK Platform Tools. I have a great writeup on the Malwarebytes Forum on how to install adb and use it to remediate preinstalled malware.
• Telerik Fiddler Classic—Fiddler is an Internet traffic monitor with powerful HTTPS capturing capabilities. Most other internet traffic monitors can’t show details of HTTPS connections, because it is encrypted.  The powers of Fiddler can capture that traffic by installing a special certificate onto the device. Then by proxying internet traffic through a Windows machine, you can see otherwise private HTTPS traffic. The best part is it doesn’t require root access. That is unless you have a stubborn TV Box with no place in Settings to install certificates. Although more painful, there is a workaround to install with root access.
• NoRoot Firewall—This handy app allows or denies network traffic based on each individual app. More importantly, it also logs the traffic from each app, giving you a good baseline of what to look for in Internet traffic monitors. Although noisy at first, becasue you have to initially allow or deny every app that connects to the Internet, it’s worth it if your goal is to stop unwanted Internet traffic from particular apps in their tracks.
• Logcat —Good old Logcat! Another tool referenced quite often. This command line tool outputs logs of just about everything going on with an Android device.

Rooted in evil 

The first sign that something was not right with this TV box was the fact that it has a toggle switch for root access. (Hint: If you buy a TV box from Amazon Prime and it has a “Root switch” toggle, use the Prime free return policy right away.)

Whether the toggle switch is on or off, I am pretty sure it doesn’t matter because the box is rooted regardless.

To clarify, rooting in the context of Android devices means attaining the highest level of access—known as “root”. Among other things, this gives you the ability to modify system level directories and files, something regular Android users can’t do. This heightened access is made available mainly for developers who need access to test in a pre-production environment.

Once in production, Android devices are not rooted. In fact, if you run the command adb root on a production Android device, you get an error message stating adbd cannot run as root in production builds. On a rooted device, the message is restarting adbd as root or adbd is already running as root.

Important Warning: Rooting an Android device that is in production and thus does not have root access is very dangerous and can result in bricking the device, leaving it forever broken. In addition, allowing root access gives every app on the phone root access, including malware! We highly recommend you do not root your Android device. However, since the T95 TV box was already rooted, I used root for analysis and remediation.

Shell games

Another thing I should mention before moving on is a word about shell. Shell refers to interacting with the Linux command line. Since all Android devices are based on Linux, you can access the shell to run common Linux commands, along with other Android-specific commands installed on the device.

You can do this via the adb command shell. For example, if you want to list all packages on an Android device, you could run pm list packages -f on the shell. You can do this in two ways. More commonly, you might tunnel the command using adb shell pm list packages -f. Or you can first go to the shell by using command adb shell, and then run pm list packages -f.

In this instance, the name of the shell on the T95 TV Box is walleye. The name of the shell changes based on the Android device’s manufacturer and model. Note that this is another oddity with the T95 TV Box. As a matter of fact, the shell name walleye is stolen from a Pixel 2 with the same name. (This information comes in handy later on.)

Okay, know that we went through the tedious details, lets get to the good stuff!

Getting to the Core(java) of the case

Daniel references in his GitHub the existence of a directory /data/system/Corejava. Testing with other Android devices I have sitting around confirms this directory should not exist—Including on a Pixel 2 (the box has the same shell name as a Pixel 2: Walleye).

If /data/system/Corejava was a common directory, surely the Pixel 2 with the same shell name as the T95 TV box would have this directory? Daniel also provides the contents of /data/system/Corejava from his T95 TV box. Within it contains an infected classes.dex file. Looking at my own T95 TV box, it in fact contains the same malicious directories and files:

The classes.dex is a DEX file that contains the machine code for an app to run. Every app, which is called an Android Package Kit (APK) on Android, contains a classes.dex file, along with other directories and files required for the classes.dex to load and run.

Therefore, there must be an APK installed for this classes.dex to work.

My next step was to analyze this malicious DEX file found in Corejava, or Corejava classes.dex—I will call it Corejava classes.dex for clarity.

Corejava classes.dex’s code contained a lot of references to using internet traffic: GET commands, POST commands, HTTP, HTTPS, etc. Looking at the VirusTotal results of the Corejava classes.dex found in my own T95 TV box aligned with it being a Trojan Downloader. The clearest evidence of this were URLs in the code. One of them was a malicious URL associated with other malicious DEX files and APKs:

hxxps://dy.kr.wildpettykiwi.info/dykr/update

With this evidence, I moved on to collecting network traffic.

Exploring the network traffic

When I am looking into network traffic, my very first step is installing NoRoot Firewall, as referenced in the Toolset section above. Looking at the logs of NoRoot, it appeared the T95 TV box had quite a bit of traffic coming from DGBLuancher.

This was of interest considering DGBLuancher, package name com.swe.dgbluancher, does not contain any references to using Internet traffic in the code.

Much of the traffic from DGBLuancher used port 443, which is for HTTPS traffic. Per the Toolset section, I think the best choice of network traffic monitors is Telerik Fiddler Classic. Capturing only an hour of traffic using Fiddler produced a massive list of entries!

The majority of the traffic came from random non-malicious news sites and ad sites. All of this was happening in the background, unseen, until you capture the Internet traffic! To be clear, this is malicious clicker activity, which generates revenue from pay-per-click ads.

But wait, there was more!

There was also a sprinkling of malicious URLs, including but not limited to malicious URLs from the code of Corejava classes.dex.

Tying it all together

Backing up, let’s look at the evidence so far. We have DGBLuancher with no evidence within the code of using Internet traffic capabilities, and we have Corejava classes.dex with lots of evidence within the code of using Internet traffic capabilities. And yet capturing Internet traffic shows a correlation to DGBLuancher, but with URLs from Corejava classes.dex.

My hypothesis was that DGBLuancher was the culprit APK loading and running Corejava classes.dex, but more testing needed to be done.

So, I first uninstalled DGBLuancher, but kept Corejava classes.dex. The result? Malicious Internet traffic stopped. Ergo, Corejava classes.dex cannnot run without DGBLuancher.

Next, I reinstalled DGBLuancher and removed Corejava classes.dex. Again, Malicious Internet traffic stopped. DGBLuancher could not produce malicious Internet traffic on its own. It needed Corejava classes.dex.

The obvious conclusion was that DGBLuancher was indeed the APK loading and running Corejava classes.dex!

If that wasn’t enough evidence, there was even more. If I deleted Corejava classes.dex from the /data/system/Corejava, it magically reappeared. This happened immediately after a reboot or if I simply waited long enough.  But, if I uninstalled DGBLuancher, Corejava classes.dex stops reappearing. With all the evidence, I had DGBLuancher dead to rights. It was the culprit loading and running Corejava classes.dex. 

The malicious behavior of DGBLuancher lands it with the classification of Android/Trojan.Downloader.CoreJava.T95. Despite this detection, Malwarebytes for Android cannot remediate due to DGBLuancher being a system app. For steps to remediate, see the Remediation section below.

The mystery of Corejava

Once I had established that DGBLuancher creates Corejava classes.dex, the next mystery was: What was creating /data/system/Corejava and the rest of its contents? You see, even when DGBLuancher was uninstalled, after removing /data/system/Corejava, it would appear again. Everything except for the Corejava classes.dex file, of course.

Looking at what process was creating /data/system/Corejava, it appeared to be a process called system_server. (Note that depending on where you look, it can also be called system_process.)

By using command logcat | grep system_server in shell, I confirmed that system_server did a lot more than just create /data/system/Corejava. In fact, it seemed to run many of the most important tasks. You can really see how important system_server is by terminating it which results in the device crashing—I do not recommend.

The obvious conclusion was that system_server was a generic system process used by many other elements to run commands in the background. As a matter fact, DGBLuancher uses system_server to create Corejava classes.dex. Anything from a script to another app could be using system_server to create /data/system/Corejava—system_server  is not the culprit itself, just a conduit.

With this information, I did everything from analyzing system level bash scripts on the device, looking for keywords such as Corejava within every file, to uninstalling apps to see if it resolved.

The only thing I neglected doing was uninstalling apps that would compromise the functionality of the device. After all, if the TV box cannot function, what’s the point of remediating? It pains me to say that this one is going to have to remain a mystery for now. This is no matter, since with DGBLuancher uninstalled the malware is neutralized. In addition, Daniel finds a clever way to stop the recreation that we will address below.

Remediation

Factory reset

I strongly recommend restarting the T95 TV box from a fresh factory reset before proceeding to remediation. If you’ve been using the TV box for a while, there’s a good chance other malware could have been downloaded during that time. As a result of resetting to factory, all of this will be removed, but keep in mind this will also erase all non-system related items on the device.

To factory reset the T95:

1. Go to the Gear icon for the settings screen
2. Navigate to More Settings
3. Navigate to Device Preferences
4. Scroll down to bottom and press Reset
   1. Read the warning, and proceed with Reset if you’re willing to go ahead

After the reset, do not connect the T95 TV box to a network just yet. Don’t do this until you have gone through remediating DGBLuancher in the next section. This will prevent any malware being installed via network download. 

Using adb

The first place you should start is installing adb onto a Windows, Mac, or Linux environment. (Check the Toolset section above on how to install.) Next, you will need to put the T95 TV box into Developer Mode and turn on USB0 device mode.

1. Go to the Gear icon for the settings screen
2. Navigate to About
3. Scroll down to Build
1. Press Build several times until it states You are now a Developer!
4. Press the Back button to return to settings screen
5. Navigate to More Settings
6. Navigate to Device Preferences > Developer options
7. Scroll down to Debugging section
1. Ensure these toggle switches are on
1. USB debugging (should be on by default)
2. USB0 device mode enable

Now that we have adb installed, and the T95 TV box in Developer Mode the next step is to test adb.

You will need a cable that can join your computer to the T95, which has a USB-A port. (If you can find USB-A to USB-A cable sitting around your place, congratulations, you have the rarest cable known to myself.)

With your comptuer connected to the T95 TV box, open a terminal (this is Command Prompt on Windows) and type:

adb devices

There should be an ID number followed by the word device under List of devices attached, for example:

List of devices attached

12345c3006c0c721d0e     device

Now you are ready to remediate some nasties!

Removing DGBLuancher

Before we remediate DGBLuancher, be aware that DGBLuancher is the T95 TV box’s launcher app. A launcher app is the app used to launch and run everything on an Android device. For example, all your app icons, widgets, clock, getting to Settings, etc. Which leads me to this warning:

Uninstalling DGBLuancher without first installing another launcher to replace it will render the Android device useless.

The good news is that you can still use adb to send commands even without a launcher. So, make sure to set that up first.

You can use whatever TV launcher you decide. There are many good choices on Google Play to choose from.  Personally, I just chose the first one on the list, which happened to be ATV Launcher. As long as it’s malware-free, anything is better than DGBLuancher!

But before we begin, a disclaimer is necessary:

Proceed at your own risk! Neither I, nor Malwarebyes, can guarantee this will not damage your Android device and we accept no responsibility if it does. By proceeding, you take the risk and responsibility upon yourself.

Now usually, I would highly recommend using Google Play to install apps instead of a third-party app store. It gives you have the added protection of Google Play Protect, and it also ensures the app will work with your make, model, and OS version. However, since this was a preinstalled, malware-infested TV box that was already rooted, that was bought for around $30 on Amazon… you may choose to make an expedient exception this one time.

The options are:

1. Connect the TV box to the Internet to download a TV launcher from Google Play, whilst letting the malware do nasty things in the meantime.
2. Download a TV launcher from a third-party app store, such as ATV Launcher form APKPure, and then drag-drop it to the Downloads folder on the TV Box. Then install it from the FileManager app already on the TV box. All while not opening up the flood gates to malware-riddled network traffic.

Re-read that disclaimer above and make a decision you’re willing to take full responsibility for, then proceed.

Now that you have another TV launcher installed, you can now remove DGBLuancher using the following adb command:

adb shell pm uninstall -k --user 0 com.swe.dgbluancher

If, for whatever reason, you need to revert to DGBLuancher, here’s the command:

adb shell pm install -r --user 0 /system/priv-app/Launcher10/Launcher10.apk

Note that the above pm uninstall  command uses -k to quote “keep the data and cache directories around after package removal”, and --user 0 to only uninstall for the current user. Therefore, it is a safer method to uninstall system level apps because you can reinstall from the APK stored in the system folder.

At this point, it is a good idea to restart the TV box. With DGBLuancher now uninstalled and a new launcher running, Corejava classes.dex is neutralized. You can now use the box safely. But if you’d rather be safe than sorry, you can move on to removing Corejava for good.

Removing Corejava

A big shout out to Daniel for providing this clever method of removing and stopping Corejava from being created again in his cleanup script!

First, you need to gain root access:

adb root

Now, enter shell:

adb shell

From shell, check to confirm that Corejava exists (the output will tell you):

test -d /data/system/Corejava/ && echo "You are infected with Corejava!!!" && cd /data/system/Corejava/ || echo "Corejava does not exist"

If you get output, “You are infected with Corejava!!!”, then move on to the removal process. That starts with removing /data/system/Corejava/ and anything in it:

rm -rf /data/system/Corejava

Now that it’s gone, we need to stop it from every coming back. Using the command touch, create an empty file named Corejava in /data/system:

touch /data/system/Corejava

Next, change the permissions so nothing can modify it:

chmod 000 /data/system/Corejava

This last step is key. It uses the chattr command located under busybox, which holds common legacy Unix commands, to set the attribute to +i. Why? Because “a file with the ‘i’ attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file, most of the file’s metadata cannot be modified, and the file cannot be opened in write mode.” In other words, game over Corejava!:

busybox chattr +i /data/system/Corejava

With these settings in place, whenever the system tries to create /data/system/Corejava, it will be denied as seen in the output from logcat | grep Corejava run in shell:

FileUtils: Failed to chmod(/data/system/Corejava): android.system.ErrnoException: chmod failed: EPERM (Operation not permitted)

Adups

Adups and I have had a fiery relationship. We have crossed paths several times. This time though, I come to Adups’ defense. Not all Adups versions are malicious, and I see no malicious activity from the version on the T95 TV box.

Although the existence of it prompted me into wanting to analyze the T95 TV box, it was not the culprit this time. That being said, you can follow the Uninstalling Adups and other preinstalled malware via adb command line tool just to make sure you are free and clear of any future malware. With Adups’ shady past, it probably isn’t a bad idea. Just remember, Adups is the app used to update the system including security patches. Luckily, the tutorial will show you how to restore Adups in case you want or need to run an update.

“Budget” should not mean “malware”

Once again, thank you to Daniel Milisic for bringing this to our attention. I’ll end by saying buying “budget” should not mean “malware infested”, as we’ve seen disgustingly in the past. Especially when the device is bought through a reputable online store like Amazon. I hope this analysis will help others remediate this bad actor. Stay safe out there!

Samples

Malicious classes.dex file

MD5: F9802B1168D5832D32C229776CD9B9AA.

Malicious Launcher APK

Package Name: com.swe.dgbluancher
MD5: EB850022E4269BB1DAB9FC5D2B0B734F

In 2020, a photo of a woman sitting on a toilet—her shorts pulled half-way down her thighs—was shared on Facebook, and it was shared by someone whose job it was to look at that photo and, by labeling the objects in it, help train an artificial intelligence system for a vacuum.

Bizarre? Yes. Unique? No. 

In December, MIT Technology Review investigated the data collection and sharing practices of the company iRobot, the developer of the popular self-automated Roomba vacuums. In their reporting, MIT Technology Review discovered a series of 15 images that were all captured by development versions of Roomba vacuums. Those images were eventually shared with third-party contractors in Venezuela who were tasked with the responsibility of “annotation”—the act of labeling photos with identifying information. This work of, say, tagging a cabinet as a cabinet, or a TV as a TV, or a shelf as a shelf, would help the robot vacuums “learn” about their surroundings when inside people’s homes. 

In response to MIT Technology Review’s reporting, iRobot stressed that none of the images found by the outlet came from customers. Instead, the images were “from iRobot development robots used by paid data collectors and employees in 2020.” That meant that the images were from people who agreed to be part of a testing or “beta” program for non-public versions of the Roomba vacuums, and that everyone who participated had signed an agreement as to how iRobot would use their data.

According to the company’s CEO in a post on LinkedIn: “Participants are informed and acknowledge how the data will be collected.”

But after MIT Technology Review published its investigation, people who’d previously participated in iRobot’s testing environments reached out. According to several of them, they felt misled. 

Today, on the Lock and Code podcast with host David Ruiz, we speak with the investigative reporter of the piece, Eileen Guo, about how all of this happened, and about how, she said, this story illuminates a broader problem in data privacy today.

“What this story is ultimately about is that conversations about privacy, protection, and what that actually means, are so lopsided because we just don’t know what it is that we’re consenting to.”

Tune in today.

On January 26, 2023, the United States Department of Justice (DoJ) released details about a disruption campaign against the Hive ransomware group. The disruption campaign has reportedly had access to Hive’s infrastructure since July of 2022. Its access became public on Thursday when Hive’s dark web began showing a notice that “this hidden site has been seized.”

Hive

Hive ransomware has been around since June 2021. It is a ransomware-as-a-service (RaaS) operation which uses the threat to publish exfiltrated data as extra leverage to get the victims to pay. Hive was one of the most widely used RaaS in 2022, according to monitoring of dark web leak sites by Malwarebytes Threat Intelligence.

In August 2021, the FBI published a warning about Hive ransomware, sharing tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and mitigation advice. In February 2022, researchers discovered a way to decrypt files for all versions of Hive ransomware up to and including version four. Hive is also thought to be one of the gangs that welcomed Conti members after the Conti disbandment in April 2022.

According to the DoJ, the Hive ransomware group has targeted over 1,500 victims in over 80 countries, including hospitals, school districts, financial firms, and critical infrastructure, attempting to extort hundreds of millions of dollars from victims in the United States and around the world.

Disruption

US officials credited German and Dutch authorities, and Europol for helping in the case. The German police were able to infiltrate the Hive infrastructure following an investigation of the Polizeipräsidium Reutlingen, which shows the importance of victims filing a report.

As part of the disruption the FBI has helped victims to decrypt their files for months, perhaps contributing to the dip in ransomware revenue over 2022. According to the DoJ this amassed to 336 victim interventions, preventing potentially $130 million in ransom payments.

The authorities also seized the leak site, where the group posted data exfiltrated from victims that were unwilling to pay, and the victim negotiation portal. This is a major setback and will undoubtedly cause affiliates and Initial Access Brokers (IABs) to take their business elsewhere.

Not done yet

But the hunt is far from finished. The US Rewards for Justice is offering a reward up to $10 million for information that links Hive or any other malicious cyber actors targeting US critical infrastructure to a foreign government. And in a press conference about the Hive takedown, FBI Director Christopher Wray acknowledged the FBI had infiltrated other ransomware groups.

Mitigation

The Europol statement about the takedown mentions some specific tactics used by Hive affiliates, which include using single factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols. In other cases, Hive actors gained access by exploiting vulnerabilities. Some Hive actors also gained initial access to victim’s networks by distributing phishing emails with malicious attachments.

Which prompts us to repeat, that you should implement measures to keep out IABs, such as employee phishing training, brute force protection, and timely vulnerability and patch management. It also reminds us of the importance of protecting your RDP.  

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Annual reviews of any year’s developments in privacy rarely lend themselves to pithy wrap-ups, but 2022 was different, providing the clearest example yet for so many people—American women in particular—that their privacy was not theirs to determine, and that the often-repeated refrain that privacy doesn’t matter for those who have “nothing to hide” only holds sway until the world around those words decides: “Now you do.”

The US Supreme Court’s decision to overturn Roe v. Wade and the associated Constitutional right to choose to have an abortion redefined personal privacy, as individual states can now treat previously benign health data as possible evidence in a criminal investigation. Where perhaps millions of women previously had “nothing to hide,” now, they do.

The Supreme Court’s decision was also an event that has few modern equivalents, changing the behaviors of three, core parts of society—government, corporate, and public.

In the wake of a leaked draft of the decision, Federal legislators introduced a new, targeted data privacy bill to protect reproductive health data. Immediately following the decision, countless individuals dropped their current period-tracking apps in search for another app that would promise to better protect their data. And months after the decision, companies are still announcing changes to what types of data they will no longer store.

In looking back at 2022, it isn’t that nothing else happened in data privacy—it’s that nothing else like this has happened for a long time.

Here’s a look at what happened in privacy in 2022.

Roe v. Wade overturned

The privacy fallout from the US Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization is both succinct and enormous: It changed what people want to keep private. 

By allowing a state-by-state approach to the legality of obtaining and providing abortion services, the US Supreme Court’s decision introduced a new uncertainty about what types of online activity—be it Google searches, Facebook posts, TikTok videos, or location histories revealing trips to an abortion clinic—could now be considered as potential evidence of a crime.

Would law enforcement, for example, be able to pull Google search requests on someone they suspected of seeking an abortion? Would text messages between friends be brought before an investigator? What about Instagram stories that included offers to pay for the travel and lodging of complete strangers seeking abortion from other states? And what about period-tracking app data? What if cops could see in a person’s data that, for a week or two, they were pregnant, and then soon after, they were not? 

In the absence of immediate best practices, individuals made their own choices. Period-tracking app users scrambled to find the most secure app online, and one period-tracking app maker promised to encrypt user data so that, even if law enforcement made a request for their data, the data would be unintelligible. (Those promises, one investigation found, were shaky.)

But it wasn’t just period-tracking apps that reconsidered data collection and storage policies.

In July, Google announced that it would automatically delete location histories that revealed physical trips to any sensitive locations, which Google defined as “medical facilities like counseling centers, domestic violence shelters, abortion clinics, fertility centers, addiction treatment facilities, weight loss clinics, [and] cosmetic surgery clinics.” Samsung, too, recently announced that it would delete “Women’s health data” collected through Samsung Health.

To address this corporate, piecemeal approach to user privacy, Congressmembers introduced the My Body, My Data Act, which would place new, national restrictions on how companies handle reproductive health data.

Web wins (and one wayward rollout)

When the developers of the privacy-forward browser Brave released their own search engine last year, they touted that, unlike other search engines, “Brave Search” would pull from an entirely separate index of the Internet, only relying on Google’s index when it could not fill in the gaps for user searches. Upon Brave Search’s launch, this “independence score,” as the company put it, was 87 percent.

One year later, that score has reportedly increased to 92 percent for all Brave Search users, and Brave Search itself has exited out of beta. But perhaps the biggest privacy draw of all for the tool is simple: It doesn’t track users or their searches.

Privacy-minded users has another choice in web browsers last year, as well, as Mozilla claimed that a new feature in Firefox made it the “most private and secure major browser available across Windows, Mac, and Linux.”

The feature, called Total Cookie Protection, promises to create “cookie jars” for every website that users visit. This will reportedly put browsing activity into separate silos so that user activity cannot be stitched together across websites, which is often done to help build in-depth profiles of who to target with ads.

But why spend so much time on cookie restrictions when, according to Google’s own words several years ago, it, too, would retire third-party tracking in its browser, Chrome?

Probably because that major rollout was delayed yet again—this time to 2024.

A question of corporate commitment to privacy

If you can believe it, there was a time last year when the biggest thing happening to Twitter had nothing to do with its new owner, Elon Musk.

In August, the company confirmed a data breach that affected 5.4 million users, their email addresses and phone numbers now linked to their accounts in a data dump that could be found for sale on the dark web.

In May, Twitter was also hit with a $150 million fine from the US Federal Trade Commission for violating an earlier consent order that prohibited the company from “misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers.”

But with so broad a description, what, exactly, did Twitter do?

It used phone numbers that were specifically requested for two-factor authentication—a security measure—for targeted advertising.

(At least the company did put its services on Tor last year, a great step for familiarizing users with a more private online experience.)

---

To learn more about privacy and Tor’s security benefits to the Internet, listen to our Lock and Code podcast interview with Alec Muffet here.

---

But privacy blunders—and intentional evasions—have become a guarantee in Silicon Valley, and so Twitter shouldn’t receive all the spotlight.

Facebook, possibly angered by one browser’s decision to remove tracking parameters that Facebook inserted into URLs to help track users across pages, decided to encrypt their URLs so that the browser in question could no longer determine which part of the URL would need to be removed. The company is also facing a lawsuit alleging that it has built a “secret workaround” to safeguards built into the iPhone to prevent the social media giant from tracking users.         

Finally, Google settled multi-state charges that the company had allegedly misled users as to how their locations were tracked across various services, agreeing to pay a whopping $391.5 million. A separate but similar lawsuit is still active against the company.

Legislation and legal violation

Compared to earlier years, the legislative battle for data privacy cooled off in 2022, but that doesn’t mean it was necessarily less spirited.

In June, a draft of the US Supreme Court’s opinion in Dobbs v. Jackson Women’s Health Organization was leaked, suggesting that the Court was positioned to soon overturn both Roe v. Wade and Planned Parenthood v. Casey, previous decisions that had guaranteed a Constitutional right to choose to have an abortion. 

Before the Supreme Court could issue its final decision, legislators in Washington DC moved fast, introducing the My Body, My Data Act in both the House of Representatives and the Senate. The bill sought to place new restrictions on how companies use “personal reproductive or sexual health information,” allowing for the collection, use, retainment, and disclosure of such data only if a company was delivering a service requested by a user, or if the user gave express consent. The definition of “personal reproductive or sexual health information” in the bill is broad, including any info that could reveal someone’s attempts to “research or obtain” reproductive health service, along with any reproductive or sexual health “conditions,” including pregnancy or menstruation.

The bill has not significantly moved forward since its introduction.

Separately, last year saw the introduction of the American Data and Privacy Protection Act—the latest attempt from Congressmembers to pass a Federal, comprehensive data privacy law for the United States. Like many attempts before, the American Data and Privacy Protection Act would extend the rights to access, correct, and request deletion of the personal data that companies have already collected on them—similar to the rights granted to those living in the European Union through the General Data Protection Regulation (GDPR).

With a new Congress elected, it is unclear whether the bill will progress.

Aside from legislation that has only been introduced, one full-blown law scored its first-ever enforcement action. In California, the state’s attorney general announced a settlement with the makeup company Sephora over allegations that it violated the California Consumer Privacy Act, the state’s privacy law that was first passed in 2018.

According to the Office of the Attorney General, Sephora allegedly “failed to disclose to consumers that it was selling their personal information, … failed to process user requests to opt out of sale via user-enabled global privacy controls in violation of the CCPA, and … it did not cure these violations within the 30-day period currently allowed by the CCPA.”

Per the settlement, Sephora agreed to pay $1.2 million.

Pushing back against stalkerware

Rounding out a turbulent year, there was some good news in the continued fight against stalkerware.

Through a months-long investigation, the technology publication TechCrunch revealed that a network of stalkerware-type apps all shared the same security vulnerability that could allow “near-unfettered remote access” to the data of hundreds of thousands of devices that are already infected with said apps. TechCrunch worked with the Carnegie Mellon University Software Engineering Institute to both report the vulnerability and contact any party that could responsibly address the vulnerability. The investigation provided likely the strongest, global “map” of who is providing cover for these types of apps, and how they seem to skirt any consequences.

But there’s more.

Following questions that TechCrunch sent to a company called 1Byte, which operates the server infrastructure behind several of the apps under investigation, two of the apps “appeared to cease working or shut down.” 

Today, TechCrunch offers a tool that allows people to see if their devices are infected with the apps that the publication previously investigated.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

To help K–12 schools and school districts in their struggle against cybercrime the Cybersecurity & Infrastructure Security Agency (CISA) has released the report, Protecting Our Future: Partnering to Safeguard K–12 organizations from Cybersecurity Threats.

A cybersecurity incident can significantly impact a school or district’s ability to carry out its educational mission. Late last year, CISA warned of ransomware particularly targeting the education sector, and less than two weeks ago we reported on multiple schools being hit by a ransomware attack.

This report gives insight in the particular threats the K–12 community is facing and offers actionable steps school leaders can take to strengthen their cybersecurity efforts.

1. Resource constraints

When resources are limited, it is important to make sure that the measures you choose to take are the most impactful ones. Important recommendations to that effect are:

• Working with technology providers that offer low-cost services and products that are secure by design and default.
• Urgently reducing the security burden by migrating to secure cloud environments and trusted managed services.

CISA also recommends starting with the security controls that have the highest priority, making sure you align near-term investments with pressing goals and compliance regulations. You should also have a long-term cybersecurity plan that leverages the NIST Cybersecurity Framework (CSF), a set of guidelines for mitigating organizational cybersecurity risks.

2. Security measures

Some examples of high-priority measures provided by CISA, which ring true for most organizations, are:

• Deploying multifactor authentication (MFA)
• Mitigating known exploited vulnerabilities
• Implementing and testing backups
• Regularly exercising an incident response plan
• Implementing a strong cybersecurity training program

CISA recommends that K–12 organizations adopt its Cybersecurity Performance Goals (CPGs)—a set of cybersecurity practices that, when implemented, “can meaningfully reduce the likelihood and impact of known risks and adversary techniques”.

3. Help each other

Collaboration and information sharing are both cost-effective and mutually beneficial in order to improve awareness of current threats and how to meet them. CISA provides these suggestions:

• Join relevant information and threat intelligence collaboration groups, such as the MS-ISAC and K12 SIX.
• Work with other information-sharing organizations, such as fusion centers, state school safety centers, other state and regional agencies, and associations.
• Build a strong and enduring relationship with CISA and FBI regional cybersecurity personnel.

Toolkit

CISA has also published a toolkit that aligns resources and materials to each of its three recommendations, along with guidance on how stakeholders can implement each recommendation based on their current needs.

Malwarebytes

Many K–12 organizations operate their own IT systems, known as “on premises” systems. Such systems require time to patch, to monitor, and to respond to potential security events.

Malwarebytes can help K-12 organizations by combining these tasks and taking them to the cloud.

Read also: 5 must haves for K-12 cybersecurity.