IT NEWS

Defending online anonymity and speech with Eva Galperin: Lock and Code S02E03

This week on Lock and Code, we discuss the top security headlines generated right here on Labs. In addition, we talk to Eva Galperin, director of cybersecurity for Electronic Frontier Foundation, about the importance of protecting online anonymity and speech.

In January, the New York Times exposed a public harassment campaign likely waged by one woman against the family of her former employer. Decades after being fired, the woman allegedly wrote dozens of fraudulent posts across the Internet, ruining the family’s reputation and often slipping past any repercussions.

Frequently, the websites that hosted this content refused to step in. And, in fact, depending on what anyone posts on major websites today, those types of refusals are entirely within a company’s right.

These stories frequently produce reactionary “solutions” to the Internet—from proposals to change one foundational law to requiring individuals to fully identify themselves for every online conversation. Those solutions, however, can often harm others, including government whistleblowers, human rights activists working against oppressive governments, and domestic abuse survivors.

Tune in to hear about the importance of online anonymity for domestic abuse survivors and why changing one key Internet law will not actually fix the problems we have today, on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

We cover our own research on:

Other cybersecurity news

Stay safe, everyone!

The post Defending online anonymity and speech with Eva Galperin: Lock and Code S02E03 appeared first on Malwarebytes Labs.

To pay, or not to pay? That is the VPN question

VPNs have been a subject of deliberation for a long time.

Is it even important to use one? I think the pandemic has made it clear that, yes, using a VPN is useful, even necessary, most especially for those working remotely.

But should you pay for it? Or would you rather settle for free?

We’re going to take a look at free VPNs and paid VPNs in general. Mind you, we won’t recommend any brands. Instead, we want to help you make an informed choice about which kind to use. Let’s face it, although the security- and privacy-conscious lean heavily towards paid VPN services, free VPN services, if we’re going to be honest, also have their place.

But what exactly is free?

We think there are three kinds of “free” in the context of VPNs:

  • The “free-for-a-while” VPN. These are the VPN products that are free trial versions of paid products. Key features can be used by anyone who is interested in giving the VPN a test run, but only for a while.
  • The honest free VPN. Like “free-for-a-while”, these VPN products are often designed to entice you into paying for a VPN, but they are not time limited and are distributed to the public for free. Genuinely free. Their marketing makes it clear what potential users will get, and what they will not get by not paying. This may include bandwidth throttling, sporadic disconnections—you get the idea.
  • The mystery free VPN. This is perhaps the trickiest of the free ones. It’s tricky because some of the information that users would like to know about a VPN (most importantly, why it’s free) is not there—they are not “visibility friendly”. Just because a VPN provider doesn’t make it clear what the trade offs of using its products are, that doesn’t mean that there aren’t any. As a result, users are hindered from making an informed choice, leaving them trying out a product blind.

Why use a free VPN?

There are several reasons why someone might use a free VPN. And the most obvious one is to save money. Why pay for something when you can get it for free?

Someone can also reason that, although they heard that some free VPNs can be bad, not this VPN, because it was recommended by a friend, a neighbor, or a tech-savvy colleague who knows what they’re talking about.

At times, internet users use free VPNs because they may have no choice. Some institutions, such as universities and non-profit organizations, provide free VPNs for members to use.

The most important thing to remember when choosing a VPN is that it effectively becomes your Internet Service Provider (ISP). You are hiding your traffic from everyone else by pushing it through the VPN. So you had better trust your VPN provider a lot.

Are free VPNs safe?

So, the key questions to ask about a free VPN are: Why is it free, and how is it paid for? And, if somebody else is paying for your VPN, what are they getting in return?

A widespread problem one may encounter with genuinely free VPNs is resource constraints. This may be deliberate, in the hope you’ll upgrade to a paid service, or just a side effect of using an under-funded service.

The problem with mystery free VPNs, is the possibility of your internet activity being monetised, either by recording it for sale, or by tampering with it (by injecting ads, for example). When we took a look at free mobile VPNs last year, we concluded that many of them have problems and they are generally not safe to use.

Speaking of data recording and storage, there’s a population of internet users who have accepted the fact that one way or another, their activity and data are being recorded. This becomes another reason for them to use free VPNs, in the belief that even paid providers cannot guarantee that they won’t keep records about how their users use their service. For many, this is perhaps the make-or-break factor when weighing the odds. Why pay for privacy when it’s not genuinely offered by the VPN providers, free or paid?

If you understand who’s paying for your free VPN and why, we think it’s alright to use a free VPN service. It’s perhaps most suitable for occasional and light VPN users, who may not consider the limitations that come with free VPNs to be problems at all. In fact, they may willingly accept them.

A light VPN user typically would like to protect their data when occasionally using public hotspots, such as in a restaurant, hotel lobby, public park, mall, or coffee shop. They would also like to temporarily visit a website that is normally geo-blocked when accessed in the user’s current location.

Keep in mind that even if you trust your VPN, you should keep your cybersecurity senses about you. A VPN on public Wi-Fi protects your traffic from snooping and manipulation between your device and the VPN server, but it doesn’t protect you from all possible online threats; nothing does. Phishing pages, malicious downloads and booby-trapped websites reach you through the tunnel just the same. So it’s still important to practice good internet safety habits while on the go with your mobile device.

Why pay for your VPN?

To get our money’s worth, we need to know where our money goes.

In the case of VPNs, the really good ones boast of speed, unfettered connections, unlimited data, multiple server connection options, a high level of privacy—factors that a great majority of free VPN service providers can’t compete with.

When it comes to price, free will always come out on top, of course. But contrary to what many people expect, commercial VPNs, most of which are sold as monthly subscriptions, are actually quite affordable. Depending on the package on offer, you can expect to pay as little as $1.99 USD/month (£1.40/month). The most expensive package we’ve seen so far costs $12.99 USD/month (£9.17/month), and it’s still not bad value.


Incidentally, several VPN providers accept cryptocurrency as payment for their services, although this is far from universal. It can be handy for anyone who’d like to take their privacy journey a bit further, with one caveat: paying with cryptocurrency only separates your identity from the subscription if the wallet itself is not tied to you, since most cryptocurrency transactions are recorded on a public ledger.

The cryptocurrencies we have seen accepted so far are Bitcoin, Ethereum, and Ripple.


As you may already know, a paid premium VPN does more than just hide your true location and let you watch Netflix from countries where it’s normally unavailable. Here’s a high-level breakdown of what they offer, so you can judge whether they are, indeed, worth $13 a month:

  • Truly protected data. These are big words, and some of us are used to hearing them without believing them. But premium VPN providers do have the technology and know-how to protect user data. The top-tier ones keep no logs of user activity, encrypt the tunnel between your device and the VPN server with AES-256 (note that this is tunnel encryption, not end-to-end encryption: traffic leaves the VPN server in exactly the form the destination website would otherwise see), support several tunneling protocols, and provide a kill switch that blocks all traffic if the tunnel drops, so your real IP address and DNS queries don’t leak while you are temporarily disconnected from the VPN server.
  • Truly unlimited bandwidth and speed. More big words, but again, these are possible for paid premium VPNs to offer. They have servers optimized for not just bandwidth and speed but also security, privacy, peer-to-peer (P2P) file sharing, media streaming, and video gaming.
  • More server locations to choose from. The more servers a provider offers in different locations, the better your chances of unblocking region-restricted content at a speed you are happy with. Some VPN providers also let paid users pick the server they connect to, a convenience that is sometimes missing from their free trial versions.
  • Added security features. The age of VPNs caring only about privacy is gone; VPNs now also provide security features. Some paid-for VPNs block access to known malicious sites and filter invasive and annoying ads and malvertising.
  • Support availability. This is already a given, but it’s still worth mentioning. Many paid providers offer 24/7 support for their clients in need of technical assistance.

We’ve weighed the odds. Now what?

Running a VPN is an expensive business and we think that “you get what you pay for” is, for the most part, true. But there are exceptions. At the end of the day, it all boils down to how you want to use a VPN and how you want your VPN to work for you.

If you’re looking for free, we recommend you choose a brand that has a freemium model that lets you access a basic service for free in the hope you’ll upgrade—the “free-for-a-while” and honest free options. It’s better to go this route than risk inviting the very thing that threatens your privacy and security.

The post To pay, or not to pay? That is the VPN question appeared first on Malwarebytes Labs.

TikTok pays $92 million to end data theft lawsuit

TikTok, the now widely popular social media platform that allows users to create, share, and discover short video clips, has been enjoying explosive growth since it appeared in 2017. Since then, it hasn’t stopped growing, more so during the current pandemic.

While we can no longer categorize TikTok as a kids’ app, most concerns about the app have been around the privacy of children. You can read more details about its track record in this field in our article Are TikTok’s new settings enough to keep kids safe?

Last year the app escaped a total ban in the US after rumors that it was sharing the data of US citizens with the Chinese government.

Now TikTok has agreed to pay $92 million to settle dozens of lawsuits alleging that it harvested personal data from users, including information using facial recognition technology, without consent, and shared the data with third parties.

What was TikTok accused of?

In fact, there were dozens of lawsuits alleging that the popular video-sharing app used personal data from users improperly. The suits were merged into one multi-district action in the Northern District of Illinois that cited violations of privacy laws in Illinois and California.

One lawsuit accused the social media platform of deploying a complex artificial intelligence (AI) system to scan for facial features in users’ videos, combined with algorithms to identify a user’s age, gender and ethnicity.

Another point brought forward claims that TikTok doesn’t adequately disclose how user data is shared with entities outside the US. Since the owner of the app is the Chinese company ByteDance, this behavior has already prompted some organizations, including Wells Fargo and some branches of the US military, to ask their employees not to use the app on devices that also contain data about them.

According to lawyers representing TikTok users, the app “clandestinely vacuumed up” vast quantities of private and personally identifiable data that could be used to identify and surveil users without permission. Even information from draft videos that were never shared publicly was mined by TikTok for data, the lawyers for the users alleged. TikTok also shared information about users, without their consent, with Facebook, Google and other companies, the suit claims.

Code obfuscation

One of the arguments brought forward to prove their case was that investigators hired by the plaintiffs’ lawyers found that TikTok went to great lengths to obfuscate its data collection and sharing practices. It is worth noting here that obfuscation is not only done to hide illegal practices. Sometimes obfuscation is simply done to keep out the competition.

Did TikTok admit anything?

No. A spokesperson said:

Rather than go through lengthy litigation, we’d like to focus our efforts on building a safe and joyful experience for the TikTok community.

So, they would rather spend their time elsewhere, rather than in court. Understandable, but $92 million is a hefty sum. And maybe, just maybe, they would like to keep their lawyers available for possible future actions against the company. Former President Donald Trump threatened to ban TikTok unless ByteDance sold the app to a US-based owner. The Biden administration has pulled back from that take on TikTok, instead launching a broader review of Americans’ use of Chinese technology.

TikTok has always denied the allegations of sharing data, arguing other competing social networks have similar data collection practices, and insisting the company does not ship American user data to foreign servers.

So, this is settled now?

Well, not completely. This part of the battle has taken the best part of a year. And a federal judge still needs to sign off on the $92 million agreement. If it is approved, the settlement money will be divided up among US-based TikTok users (it’s roughly one dollar per American TikTok user).

The proposed TikTok settlement follows a similar deal struck last year in which Facebook paid $650 million to resolve legal claims over collecting and storing the biometric data of millions of users.

Besides the monetary settlement, TikTok will no longer record users’ biometric information, including facial characteristics, nor track their locations using GPS data. TikTok also committed to stop sending US users’ data overseas, and the app said it would no longer collect data on draft videos before the content is published.

Biometric data

TikTok’s use of facial biometric data is interesting, but unexceptional. All across the world, governments and corporations are developing facial recognition technology. Facebook uses it, Apple Photos uses it, police forces all over the world use it.

There are many concerns, however. Lack of oversight, ethics, failures and false positives, and bias against marginalized groups are all pressing concerns. As a result, a backlash has started and bans or moratoriums on facial recognition are now being implemented or considered in many jurisdictions.

With increased scrutiny on the use of facial recognition, and on the use of Chinese technology, the use of biometrics and other personal data by social media with ties to foreign entities, especially China, is likely to attract a lot of attention from now on. Just ask Clubhouse.

The post TikTok pays $92 million to end data theft lawsuit appeared first on Malwarebytes Labs.

Scammers, profiteers, and shady sites? It must be tax season

US tax season is upon us, a time of the year when a special kind of vermin comes crawling out of the woodwork: tax scammers! Not that their goals are any different from any other scammers. They want your hard-earned dollars in their pockets.

Most of the tax-related attacks follow a few tried and true methods: A phishing email or scam call from someone purporting to be from the IRS, or an accountant offering to help you get a big refund. With all the financial and personal data to be had, it’s a time to keep a close eye on who you give your details to.

Below is a real example you can use as a guide to the things you need to consider if you decide to use an online tax filing service.

Online tax services

This blogpost was triggered by a web push notification I got from a search hijacker from the SearchDimension family I was investigating. Many search hijackers in this family also use notifications, which qualifies them as adware.

web push notification

It’s not that I recognized the form displayed in the notifications, but I knew the notification would likely be aimed at US users of the extension I was investigating since I had set my VPN to New York.

Malwarebytes Privacy

Anyway, the thought of someone providing their financial status and personal data to a website that was advertised in this manner gave me the creeps.

The website

The full URL behind the “Click Here” field was:

https://www.e-file.com/offer.php?utm_medium=affiliate&utm_source=cake&utm_campaign=intango&utm_content=2648&pid=&utm_term=84733016804____&utm_medium=affiliate&lctid=&lcid=

Most of the items after the question mark are utm_* campaign-tracking parameters, the convention popularised by Google Analytics that tells a website where its traffic came from (here utm_source=cake, utm_campaign=intango and utm_medium=affiliate, which even appears twice). The remaining parameters (pid, lctid, lcid) are left blank. In this case the site appears to be using them so it can attribute traffic to different affiliates, presumably so it knows how much to pay them.
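As an added example (not part of the original post), here is how to pull those parameters apart with Python’s standard library and produce a tracking-free version of the link. The URL is the one quoted above; the function names and the report layout are the example’s own.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# The notification link quoted above, copied verbatim.
URL = ("https://www.e-file.com/offer.php?utm_medium=affiliate&utm_source=cake"
       "&utm_campaign=intango&utm_content=2648&pid=&utm_term=84733016804____"
       "&utm_medium=affiliate&lctid=&lcid=")


def tracking_report(url: str) -> dict:
    """Separate campaign (utm_*) parameters from the rest and note oddities."""
    parts = urlsplit(url)
    # keep_blank_values=True so that pid=, lctid= and lcid= are not silently dropped
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    utm, other, duplicates = {}, {}, []
    for key, value in pairs:
        bucket = utm if key.startswith("utm_") else other
        if key in bucket:            # same key sent twice (utm_medium here)
            duplicates.append(key)
        bucket[key] = value
    return {
        "host": parts.hostname,
        "path": parts.path,
        "utm": utm,
        "other": other,
        "duplicates": duplicates,
        "empty": sorted(k for k, v in pairs if v == ""),
    }


def strip_tracking(url: str) -> str:
    """Return the same landing page without utm_* parameters and blank values."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not k.startswith("utm_") and v != ""]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


if __name__ == "__main__":
    for key, value in tracking_report(URL).items():
        print("%-11s %s" % (key + ":", value))
    print("clean link:", strip_tracking(URL))
```

The report makes the affiliate attribution visible at a glance (source, campaign and content identifiers), and the stripped link is the one to use if you want to look at the site without crediting whichever affiliate pushed the notification.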

A click on that link in the notification brought me to this site:

e-file.com website

Note that I went from free to a 30% discount in just one click. A bad start! Some digging revealed that the domain e-file.com originally belonged to a record shop called “Vinyl Junkie.” The internet archive has a first snapshot dating back to October of 2000. In 2005 the domain had switched to an outfit selling software to organize and store files. The first snapshot promoting an online tax filing service shows up in 2010.

Phishing sites tend not to hang around that long, so while the domain’s history is certainly interesting, it is not in itself a bad sign.

Affiliates

Another interesting piece of information can be found in the page about their affiliate program.

e-file.com affiliates program

There is no indication that e-file is using search hijackers itself. In this case it seems as if an affiliate is, and e-file may not know that it has an affiliate doing that. But offering the most aggressive payouts (“double what many of our competitors pay!”), even when the customer does not spend any money, is exactly what attracts the most obnoxious advertisers on the web.

We asked Dr. Fou of FouAnalytics to have a look at the affiliate program details and the notification I clicked on, and this is what he told us:

Anyone running or using affiliate programs to drive more leads and sales should carefully review who is sending the links, leads, and sales. This is clearly an example of scammers taking advantage of an affiliate program and using shady techniques to get paid. They are trading off of your good name, and consumers will think you scammed them. This is just like malvertising that happens on mainstream publishers’ sites; the consumers think the publisher compromised their device because they didn’t realize the malicious code came in through an ad served into the page.

Reviews

One way to find out more information about a company or site is to look for reviews from other users. When we did this for e-file.com we found many complaints that might indicate that their services are not always as free as they claim.

e-file.com review

Other reviews speak of missed opportunities for a refund and a lack of service. Bad reviews aren’t proof of wrongdoing though, and you may say: “OK, what did you expect from a free service?” If a service is offered for free, but it still promises to pay its affiliates high rates, that money is coming from somewhere.

Speaking for myself, I am not sure a free service is how I would try to save money in tax season.

ID theft

We are not accusing e-file of being up to no good, but one of its affiliates is. And they are not the only ones trying to make a quick buck from you in tax season. Chief among them are ID thieves.

Scammers like tax season because people don’t like tax, many are baffled by it, lots of people will be in a hurry or looking for ways to make it easier, and in the end they will have to hand over a lot of personal information.

For those that have no idea what information you do (and don’t) need to provide when you file your taxes, here is a pretty extensive list. Remember that a social security number, birth date, and a bank account number are all the information a cyber-criminal needs to perform identity theft. And the consequences of that theft can be devastating. Identity theft is not to be taken lightly. It can take years to recover from and be very costly. A good resource for information about it is the ITRC.

So, it is wise to do some research before you trust any website with your personal details (and not just those that help with your tax).

And even if a service is legitimate, you should consider how secure your data will be if you entrust it to them. If the data gets exposed in a breach, the result for you is practically the same as if it had been sold anyway.

You can find more general tips to stay safe in tax season in our blogpost Coughing in the face of scammers: security tips for the 2020 tax season.

Stay safe, everyone!

The post Scammers, profiteers, and shady sites? It must be tax season appeared first on Malwarebytes Labs.

LazyScripter: From Empire to double RAT

Malwarebytes’ Threat Intelligence analysts are continually researching and monitoring active malware campaigns and actor groups as the prevalence and sophistication of targeted attacks rapidly evolves. In this paper, we introduce a new APT group we have named LazyScripter, presenting in-depth analysis of the tactics, techniques, procedures, and infrastructure employed by this actor group.

Although the observed TTPs have commonality with known actor groups, there are many notable differences setting LazyScripter apart from these groups; these similarities and differences are discussed in the Attribution section of this paper.

APT groups are traditionally tracked according to specific targets and tools or methodologies they employ. Many actor groups use spam campaigns, attaching weaponized documents to phishing emails themed to target the industry or demographic of interest. In this case, we initially discovered a number of malicious emails specifically targeting individuals seeking employment, which prompted a deeper investigation.

Digging deeper we uncovered a targeted spam campaign dating back as far as 2018 using phishing lures with themes aimed not only at those seeking immigration to Canada for employment, but also at airlines.

In the following analysis, we walk through the timeline of observed TTPs from the initial phishing campaign to the state of the current and ongoing activities of the actor. We take a deep dive into each of the tools used, including the weaponized documents and the multiple variants of malware and exploitation techniques employed. Finally, we detail the infrastructure used and discuss the attribution comparisons with known actor groups such as APT28 and Muddy Water.

This in-depth and detailed analysis has revealed a developing campaign by what we believe to be a previously unidentified APT actor. Not only has this campaign been active for several years, but ongoing tracking shows this actor is still maintaining the infrastructure used and is actively updating toolsets. For this reason, we continue to track this new group LazyScripter as the threat evolves.

Download paper here.

The post LazyScripter: From Empire to double RAT appeared first on Malwarebytes Labs.

Clop targets execs, ransomware tactics get another new twist

Ransomware peddlers have come up with yet another devious twist on the recent trend for data exfiltration. After interviewing several victims of the Clop ransomware, ZDNet discovered that its operators appear to be systematically targeting the workstations of executives. After all, the top managers are more likely to have sensitive information on their machines.

If this tactic works, and it might, it’s likely that other ransomware families will follow suit, just as they’ve copied other successful tactics in the past.

What is Clop ransomware?

Clop was first seen in February 2019 as a new variant in the Cryptomix family, but it has followed its own path of development since then. In October 2020 it became the first ransomware to demand a ransom of over $20 million. The victim, German tech firm Software AG, refused to pay. In response, Clop’s operators published confidential information they had gathered during the attack on a dark web website.

Clop’s Dark Web leak site

Copycat tactics

When we first came across file-encrypting ransomware, we were astounded and horrified at the same time. The simplicity of the idea—even though it took quite a bit of skill to perfect a sturdy encryption routine—was of a kind that you immediately recognize as one that will last.

Since then, ransomware has developed in ways we have seen before in other types of malware, but it has also introduced some completely new techniques. Clop’s targeting of executives is just the latest in a list of innovations we’ve witnessed over the last couple of years.

Let us have a quick look at some of these innovations ranging from technical tricks to advanced social engineering.

Targeted attacks

Most of the successful ransomware families have moved away from spray-and-pray tactics to more targeted attacks. Rather than trying to encrypt lots of individual computers using malicious email campaigns, attackers break into corporate networks manually, and attempt to cripple entire organisations.

An attacker typically accesses a victim’s network using known vulnerabilities or by attempting to brute-force a password on an open RDP port. Once they have gained entry they will likely try to escalate their privileges, map the network, delete backups, and spread their ransomware to as many machines as they can.

Data exfiltration

One of the more recent additions to the ransomware arsenal is data exfiltration. During the process of infiltrating a victim’s network and encrypting its computers, some ransomware gangs also exfiltrate data from the machines they infect. They then threaten to publish the data on a website, or auction it off. This gives the criminals extra leverage against victims who won’t, or don’t need to, pay to decrypt their data.

This extra twist was introduced by Ransom.Maze but is also used by Egregor, and Ransom.Clop as well, as we mentioned above.

Hiding inside Virtual Machines

I warned you about technical innovations. This one stands out among them. As mentioned in our State of Malware 2021 Report, the RagnarLocker ransomware gang found a new way to encrypt files on an endpoint while evading anti-ransomware protection.

The ransomware’s operators download a virtual machine (VM) image, load it silently, and then launch the ransomware inside it, where endpoint protection software can’t see it. The ransomware accesses files on the host system through the guest machine’s “shared folders.”

Encrypting Virtual Hard Disks

Also mentioned in the State of Malware 2021 Report was the RegretLocker ransomware, which found a way to encrypt virtual hard disks (VHDs) efficiently. These files are huge containers that hold the entire disk of a virtual machine. Encrypting a VHD as one file would be a painfully slow process (and every second counts when you’re trying not to get caught) because of how large these files are.

RegretLocker uses a trick to “mount” the virtual hard disks, so that they are as easily accessible as a physical hard disk. Once this is done, the ransomware can access files inside the VHD and encrypt them individually, steal them, or delete them. This is a faster method of encryption than trying to target the entire VHD file.

Thwarting security and detection

Ransomware is also getting better at avoiding detection and disabling existing security software. For example, the Clop ransomware stops 663 Windows processes (a remarkable number) and tries to disable or uninstall several security programs before it starts its encryption routine.

Stopping these processes frees some files that it could not otherwise encrypt, because they would be locked. It also reduces the likelihood of triggering an alert, and it can hinder the production of new backups.
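As an added example, not code from the original post or from any vendor, here is the shape of a detection for this behaviour: a single process terminating an unusual number of other processes or services inside a short window, with extra weight when any of the victims are security or backup components. The event feed format, the actor path, the watchlist of process names and the thresholds are all constructed for this example; in a real deployment they would come from your EDR or Sysmon telemetry and be tuned to the environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative watchlist of security/backup process names an ordinary program has
# no reason to kill. Chosen for this example, not taken from Clop's own list.
SECURITY_AND_BACKUP = {"msmpeng.exe", "vssvc.exe", "sqlservr.exe", "mbamservice.exe"}

# Constructed sample feed (not real telemetry). One event per line:
#   timestamp|actor_pid|actor_image|action|target
ACTOR = "C:\\Users\\ceo\\AppData\\Local\\Temp\\update.exe"
_burst = ["2021-02-24T10:00:%02d|4120|%s|ProcessTerminate|app%d.exe" % (i % 20, ACTOR, i)
          for i in range(40)]
_burst += [
    "2021-02-24T10:00:20|4120|%s|ProcessTerminate|MsMpEng.exe" % ACTOR,
    "2021-02-24T10:00:21|4120|%s|ProcessTerminate|vssvc.exe" % ACTOR,
    "2021-02-24T10:00:22|4120|%s|ServiceStop|WinDefend" % ACTOR,
]
_benign = ["2021-02-24T10:05:00|900|C:\\Windows\\explorer.exe|ProcessTerminate|notepad.exe"]
SAMPLE_EVENTS = "\n".join(_burst + _benign)


def parse_events(text: str) -> list:
    """Parse the pipe-separated feed into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, image, action, target = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "pid": int(pid),
                       "image": image, "action": action, "target": target})
    return sorted(events, key=lambda e: e["time"])


def detect_mass_termination(text: str, window=timedelta(seconds=60), threshold=20) -> list:
    """Alert on any actor that stops at least `threshold` processes/services within `window`."""
    by_actor = defaultdict(list)
    for ev in parse_events(text):
        if ev["action"] in ("ProcessTerminate", "ServiceStop"):
            by_actor[(ev["pid"], ev["image"])].append(ev)
    alerts = []
    for (pid, image), evs in by_actor.items():
        # Sliding window over the actor's time-ordered kill events.
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits = sorted({e["target"] for e in evs if e["target"].lower() in SECURITY_AND_BACKUP})
            alerts.append({"pid": pid, "image": image, "count_in_window": best,
                           "total_kills": len(evs), "security_targets": hits})
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_termination(SAMPLE_EVENTS):
        print(alert)
```

The benign explorer.exe event never trips the rule because the count is kept per actor; the burst from update.exe does, and the alert carries the security-tool victims so an analyst can prioritise it over, say, a legitimate mass logoff script.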

What next?

It remains to be seen if Clop’s new tactic will be copied by other ransomware families or how it might evolve.

It has been speculated that the tactic of threatening to leak exfiltrated data has lowered some victims’ expectations that paying the ransom will be the end of their trouble. Targeting executives’ data specifically may be a way to redress this, by increasing the pressure on victims.

Clop, or a copycat, may also try to use the information found on managers’ machines to spread to other organisations. Consider, for example, the method known as email conversation thread hijacking, which uses existing email conversations (and thus trust relationships) to spread to new victims. Or the information could be sold to threat actors that specialize in business email compromise (BEC).

For those interested, IOCs and other technical details about Clop can be found in the Ransom.Clop detection profile.

The post Clop targets execs, ransomware tactics get another new twist appeared first on Malwarebytes Labs.

The mystery of the Silver Sparrow Mac malware

Cyber security company Red Canary published findings last week about a new piece of Mac malware called Silver Sparrow. This malware is notable in being one of the first to include native code for Apple’s new M1 chips, but what is unknown about this malware is actually more interesting than what is known!

Installation

We know that the malware was installed via Apple installer packages (.pkg files) named update.pkg or updater.pkg. However, we do not know how these files were delivered to the user.

These .pkg files included JavaScript code that the macOS Installer runs during its installation check, at the very beginning, before any files have actually been installed. The user would then be asked if they want to allow a program to run “to determine if the software can be installed.”

Silver Sparrow's installer telling the user, "This package will run a program to determine if the software can be installed."

This means that, if you were to click Continue, but then think better of it and quit the installer, it would be too late. You’d already be infected.

Malware life cycle

The malicious JavaScript code installs a launch agent plist file for the current user, which is designed to launch a script named verx.sh once per hour. This script has several functions.

First, it will contact a command & control server formerly hosted on Amazon AWS. The data it gets back looked something like this at the time of analysis:

{
  "version": 2,
  "label": "verx",
  "args": "upbuchupsf",
  "dls": 4320,
  "run": true,
  "loc": "~/Library/._insu",
  "downloadUrl": ""
}

Next, the malware will check for the file ~/Library/._insu. From Malwarebytes data, it appears that this is a zero-byte file, and the malware simply uses it as a marker to indicate that it should delete itself. In this case, the script does exactly that, then exits.

Finally, it will try to determine whether there is a newer version of the malware (which will always be the case if the final payload is not yet installed), and if so, it will download the payload from the URL provided in the downloadUrl parameter in the data from the command & control server.

However, as can be seen from the data, at the time of analysis, the download URL was blank. Although we know that the script will store the payload at /tmp/verx, we have yet to see any instances of this payload on any infected machines.

If the payload were actually downloaded, it would be launched with the args data as the arguments.

Separate from the files dropped by the JavaScript, the .pkg file also installs an app into the Applications folder. This app is named either “tasker” or “updater,” depending on the version of the .pkg file. Both of these apps appear to be very simplistic placeholder apps that don’t do anything interesting.

Silver Sparrows in the wild

Malwarebytes researchers collaborated with Red Canary researchers on their find, and have collected significant data about the infection at this point. At the time of this writing, we’ve seen 39,080 unique machines with components of Silver Sparrow detected by Malwarebytes.

Those detections are primarily clustered in the US, with more than 25,000 unique machines having Silver Sparrow detections. This, of course, is affected by Malwarebytes’ heavily US-based customer base, but the malware does appear to be quite widespread, with detections in 164 different countries.

Country          Detections
United States        25,331
United Kingdom        2,785
Canada                2,389
France                2,218
Germany                 920
Italy                   636
Australia               509
Spain                   368
India                   306
Mexico                  196
Silver Sparrow detections by country

The paths detected show a rather interesting pattern. The vast majority of “infections” are actually represented by the ._insu file, and machines that have that file present do not have any of the other components (as expected).

Path                                        Detections
~/Library/._insu                                38,869
/Applications/updater.app                        1,627
/Applications/tasker.app                           763
~/Library/Application Support/verx_updater         731
~/Library/LaunchAgents/init_verx.plist             707
/tmp/version.plist                                 649
/tmp/version.json                                  568
/tmp/agent.sh                                       86
Malwarebytes Silver Sparrow detections
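The life cycle above (the C2 reply that verx.sh acts on) and the detection table suggest a simple triage rule for a fleet: a host with only the ._insu marker has already self-deleted, while a host with the launch agent or dropped files still has live components. The following script is an added example written for this post, not Malwarebytes or Red Canary code; the C2 reply and the host inventory are constructed from the values quoted above, and the "Users/<name>" to "~" mapping is an assumption about how the paths appear in real telemetry.

```python
import json
from collections import Counter
from pathlib import PurePosixPath
# Constructed copy of the C2 reply quoted in the write-up (not from a live host).
SAMPLE_C2_REPLY = ('{"version": 2, "label": "verx", "args": "upbuchupsf", "dls": 4320, '
                   '"run": true, "loc": "~/Library/._insu", "downloadUrl": ""}')
# Paths from the Malwarebytes detection table; /tmp/verx is the never-observed payload.
KILL_MARKER = "~/Library/._insu"
PAYLOAD_PATH = "/tmp/verx"
COMPONENT_PATHS = {
    "/Applications/updater.app", "/Applications/tasker.app",
    "~/Library/Application Support/verx_updater", "~/Library/LaunchAgents/init_verx.plist",
    "/tmp/version.plist", "/tmp/version.json", "/tmp/agent.sh",
}
def parse_c2_reply(raw):
    # Extract the fields that decide what verx.sh does on its next hourly run.
    d = json.loads(raw)
    return {
        "kill_marker": d.get("loc"),                  # file whose presence triggers self-delete
        "payload_url": d.get("downloadUrl") or None,  # blank string -> no payload offered
        "run_payload": bool(d.get("run")),
        "payload_args": d.get("args"),                # would be passed to /tmp/verx
    }

def _normalize(path):
    # Assumed mapping: /Users/<name>/... becomes ~/... so table entries match real home dirs.
    parts = PurePosixPath(path).parts
    return "~/" + "/".join(parts[3:]) if parts[:2] == ("/", "Users") and len(parts) > 2 else path

def classify_host(found_paths):
    # Classify one host from the Silver Sparrow paths present on it.
    present = {_normalize(p) for p in found_paths}
    if PAYLOAD_PATH in present:
        return "payload-present"     # would be new: nobody has observed /tmp/verx
    if present & COMPONENT_PATHS:
        return "active-components"   # launch agent or dropped files still on disk
    if KILL_MARKER in present:
        return "formerly-infected"   # marker only: the script has already self-deleted
    return "clean"

def summarize(hosts):
    # Count classifications over a {hostname: [paths found]} inventory.
    return dict(Counter(classify_host(paths) for paths in hosts.values()))

SAMPLE_HOSTS = {  # constructed inventory, not real telemetry
    "mac-01": ["/Users/alice/Library/._insu"],
    "mac-03": ["/Users/carol/Library/LaunchAgents/init_verx.plist", "/tmp/version.json"],
    "mac-04": ["/Users/dave/Documents/notes.txt"],
}
```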

Conclusions

At this time, we have yet to see the /tmp/verx payload. None of the infected machines have it installed. This means that, as Red Canary said, we have little information on what the intent of this malware is.

Yes, Malwarebytes protects your Mac from Silver Sparrow.

The args value in the data from the command and control server (upbuchupsf) looks similar to an affiliate code, often used by adware. However, we can’t make assumptions based on a single ten-character string, as such assumptions could very easily be wrong. After all, malware that is sold to, and used by, multiple people may very well include some kind of “customer code.”

The fact that the ._insu file has been seen in such high numbers is interesting. Since this file signals that the malware should delete itself (though we don’t know how the file gets created), that is a strong indicator that these are probably formerly infected machines.

Thus, it is highly likely that this infection was present at some point in the recent past, and that the operators then sent out a silent “kill” command to cause the malware to delete itself. This could correspond to the first appearance of the newest malicious installer being uploaded to VirusTotal, which would be an indicator to the creator that the malware had been spotted, or it could have been prompted by some other event.

It’s unlikely that these machines were infected for a very long time, as the two command and control server domains were registered in August and December of 2020, per Red Canary findings.

Malwarebytes detects these files as OSX.SilverSparrow.

The post The mystery of the Silver Sparrow Mac malware appeared first on Malwarebytes Labs.

A week in security (February 15 – February 21)

Last week on Malwarebytes Labs, the spotlight fell on the State of Malware 2021 report, wherein we have seen cyberthreats evolve.

We also touched on ransomware, such as Egregor and a tactic known as Remote Desktop Protocol (RDP) brute forcing that has long been part of the ransomware operators’ toolkit; insider threats, such as what Yandex recently experienced with one of its own sysadmins; romance scams; and put social media under scrutiny—looking at you, Clubhouse and Omegle; some wins for the good guys; and, of course, Cyberpunk 2077.

Other cybersecurity news

  • Following the water supply hack in a Florida city, the US government warned critical infrastructure operators to upgrade their Windows 7 operating systems. (Source: Security Week)
  • Baby monitor vulnerabilities are in the spotlight once again after the cybersecurity team at SafetyDetectives, an independent review site, unearthed a flaw that allows miscreants to take over a camera’s video stream. (Source: SafetyDetectives)
  • Phishers used “financial bonus” as lure to deliver the Bazar Trojan. (Source: ZDNet)
  • Speaking of phishing scams, they’re also promising free COVID vaccines. Again. (Source: Infosecurity Magazine)
  • Intelligence officials from South Korea claimed that North Korea is behind the COVID vaccine cyberattack against Pfizer. (Source: Computer Weekly)
  • A flaw in Agora, a voice and video platform, was discovered that could allow attackers to spy on private calls. (Source: CyberScoop)
  • Palo Alto’s Unit42 uncovered a cryptojacking campaign that has been in operation for the last couple of years. (Source: Palo Alto Networks)
  • ScamClub, a malvertising group, was discovered using an iPhone browser bug to push ads. (Source: Confiant)
  • With the introduction of Apple’s M1 computer processors, new malware made for them is starting to emerge. (Source: Motherboard)

Stay safe, everyone!

The post A week in security (February 15 – February 21) appeared first on Malwarebytes Labs.

Omegle investigation raises new concerns for kids’ safety

Social media site Omegle is under fire after an investigation found boys using the platform to expose themselves on camera, and adults exposing themselves to minors.

Omegle users are paired with a random stranger who they can socialize with via text or video chat. An investigation by the British Broadcasting Corporation (BBC) found boys and adults exposing themselves on camera, after its founder, Leif K-Brooks, claimed that he had increased moderation efforts months ago.

Just like TikTok, Omegle’s popularity has exploded during the pandemic. According to data collected by Semrush, an online visibility management platform, Omegle has enjoyed a global growth of 65 million visits from January 2020 to January 2021—a staggering 91 percent growth. Users from the US, the UK, India, and Mexico have helped spark interest.

What contributed to Omegle finding fame is that TikTok users started sharing Omegle videos to their friends and followers. TikTok now has a very active #omegle hashtag, which has been viewed 9.4 billion times as of this writing.

MEL magazine’s Magdalene Taylor theorized that it’s the allure of talking to strangers—or being exposed to what our parents warned us about: “stranger danger”—that is fuelling this growth. “People wanted to experience what the Internet was like when people were still afraid,” Taylor wrote.

Investigators from the BBC, who had monitored Omegle for approximately 10 hours, were paired with dozens of other users who appeared to be under 18 years of age, some as young as seven or eight. Within one two-hour period they were connected with 12 men performing sexual acts (“a common occurrence”, the BBC noted), eight naked males, and a handful of pornographic ads. In instances where BBC investigators were paired with people who appeared to be, or identified themselves as, underage Omegle users performing sexual acts, the broadcaster says, “These instances were not recorded, and we ended both chats swiftly before reporting them to the authorities.”

Keira, a 15-year-old Omegle user from the US told the BBC that “Men being gross is something me and my friends see a lot. It should be better monitored. It’s like the dark web but for everyone.”

Like most popular social media platforms, Omegle has a minimum age limit of 13, and its terms of use say that users under 18 should only use it with a parent or guardian’s permission. Its home page also features a prominent warning: “Video is monitored. Keep it clean!” It does not attempt to verify users’ age, however.

Omegle’s home page asks users to “Keep it clean”

The Internet Watch Foundation (IWF), an international charity based in the UK that works to remove child sexual abuse content from the Internet, expressed concern over what the investigators unearthed but was not surprised, as it follows a trend. According to Chris Hughes, hotline director for IWF, they have found self-abuse material that was recorded from Omegle and distributed by predators online. They also know that such acts happen in households where parents are present, as evidenced by the background conversations they can hear in the videos.

“I’m absolutely appalled. This sort of site has to take its responsibilities seriously,” says Julian Knight MP, the House of Commons Digital, Culture, Media, and Sport Select Committee chairman in an interview with the BBC. “What we need to do is to have a series of fines and even potentially business interruption if necessary, which would involve the blocking of websites which offer no protection at all to children.”

The saga exposes some familiar fault lines. Age verification is fine in theory but it is difficult to do. Even if it’s implemented effectively it can simply replace one set of potential harms with a different one.

The history of social media suggests that if Omegle tried to tackle the problem by increasing the number of human moderators, it’s unlikely it could ever hire enough to police the platform effectively.

Until (and perhaps even if) these intractable problems find a solution, parents who want to protect their children will have to educate themselves, and their children, to the hazards they might face online.

The post Omegle investigation raises new concerns for kids’ safety appeared first on Malwarebytes Labs.

North Korean hackers charged with $1.3 billion of cyberheists

The US Department of Justice recently unsealed indictments detailing North Korea’s involvement in several global cyberattack campaigns against institutions in the financial and entertainment sectors, and money laundering schemes in certain US states.

The first unsealed indictment is for hacking activities done by three computer programmers from North Korea. Prosecutors name Jon Chang Hyok (전창혁; aka “Alex/Quan Jiang”), Kim Il (김일; aka “Julien Kim” and “Tony Walker”), and Park Jin Hyok (박진혁; aka “Pak Jin Hek”, “Pak Kwang Jin”, and “Jin Hyok Park”) as members of the Reconnaissance General Bureau (RGB), a military intelligence arm of the Democratic People’s Republic of Korea (DPRK) that is known for conducting clandestine operations on behalf of its country.

Park was already indicted back in September 2018 for his involvement in multiple destructive cybercrime attacks, which include the creation of WannaCry that made headlines in 2017, the Bangladesh Bank cyber heist in 2016, and the attack on Sony Pictures Entertainment (SPE) in 2015.

According to the Justice Department, the RGB is known by many names in the cybersecurity industry, such as the Lazarus Group and Advanced Persistent Threat 38 (APT38). Other crimes the three North Koreans are charged with include: attempting to hack banks’ networks and sending falsified SWIFT messages; the theft of millions of US dollars worth of cryptocurrency from cryptocurrency companies; conducting ATM cash-out (aka FASTcash) and spear phishing schemes; deploying multiple malicious cryptocurrency applications; and the creation and marketing of the Marine Chain Token, an attempt to gain funds and evade US sanctions. A charge was also unsealed against Ghaleb Alaumary, a Canadian-American described by the FBI as a “prolific money launderer”.

While Jon, Kim, and Park are based in North Korea, their government has stationed them in other countries like Russia and China, the report further claims.

North Korean actors have not only heavily targeted the financial sector but also several cybersecurity professionals. Jérôme Segura, director of threat intelligence at Malwarebytes details, “In one of the most recent campaigns, Lazarus APT has targeted vulnerability researchers and exploit developers to steal new exploits as well as any additional tools they may be able to use in the future. This campaign has been conducted to broaden their capabilities in using zero days in their future attacks.”

“The scope of the criminal conduct by the North Korean hackers was extensive and long-running, and the range of crimes they have committed is staggering,” the report quotes Acting US Attorney for the Central District of California Tracy L. Wilkinson. “The conduct detailed in the indictment are the acts of a criminal nation-state that has stopped at nothing to extract revenge and obtain money to prop up its regime.”

Alaumary is already in custody while Jon, Kim, and Park remain at large.

A copy of the indictment in PDF can be downloaded here.

The post North Korean hackers charged with $1.3 billion of cyberheists appeared first on Malwarebytes Labs.