IT NEWS

Hello folks! If you have not heard yet, the security firm FireEye has had a breach of many red team assessment tools used for identification of vulnerabilities to help protect customers.

While it is not known exactly who was behind this attack, a big concern is the sharing and use of these stolen red team tools by both sophisticated and non-sophisticated actors, similar to what we saw in 2017 with the ShadowBrokers group breach of the NSA’s Equation Group.

As soon as we at Malwarebytes found out, we started investigating. However, FireEye has been incredibly transparent and released detection rules and code for the stolen tools, so that vendors across the world can protect their customers from these tools.

So, thanks to the diligence of our own threat research team, as well as the transparency and assistance of FireEye, we’ve been able to incorporate these tools into our detection databases so if they show up on your endpoints, we’ll stop them.

Security firms are a huge target for cyber criminals, from FireEye to even us at Malwarebytes.  Often our software is the first, or last line of defense against sophisticated cybercriminal efforts and even state-sponsored attacks.  Being able to compromise one of these organizations has great value for both nation states as well as commercial cybercriminals.

To that end we commend FireEye for their efforts at quickly recovering and reducing the fallout from this breach and support them in protecting both their internal data and customers moving forward, at the end of the day, we are on the same side and have to deal with the same threats.

Thanks for reading, safe surfing.

The post Malwarebytes detects leaked tools from FireEye breach appeared first on Malwarebytes Labs.

Hello Folks! In this Videobyte, we’re talking about why hospitals are being targeted by the Ryuk ransomware, what tricks they are using to pull this off and what their motivations might be.

Ryuk ransomware is being spread to hospitals using targeted phishing emails that infect systems with the BazarLoader malware, which in turn deploys the Cobalt Strike pen-testing platform, giving attackers greater ability to compromise the network before launching the Ryuk ransomware.

The group has also been observed using the ZeroLogon vulnerability, which allows an attacker to compromise a domain controller server within seconds. That makes lateral infection of corporate endpoints very easy.

According to various law enforcement agencies, attacks are increasing against healthcare organizations:

“‘CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats,” the advisory states.’”

At the same time, ransomware attacks have been increasing more in the second half of 2020 than the first half, according to a report by Check Point.

The United States saw nearly a 100% increase in ransomware attacks in Q3 compared to Q2.

Overall, this makes for an alarming trend of targeted ransomware attacks that utilize high sophistication and professional tools for attack.  We need to all be on our guard right now.

Links:

• Global Surges in Ransomware Attacks – CheckPoint
• Ransomware threat surge, Ryuk attacks about 20 orgs per week – BleepingComputer
• BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware – BleepingComputer
• Hacking group is targeting US hospitals with Ryuk ransomware – BleepingComputer

The post VideoBytes: Ryuk Ransomware Targeting US Hospitals appeared first on Malwarebytes Labs.

It may not be tax season in your part of the world right now but you’ll no doubt be pleased to know a prolific tax scammer is on their way to jail for 20 years. If you’re annoyed by tax scam missives, or had the misfortune to hand money over, this is probably satisfying news.

Between 2013 and 2016, Hitesh Patel ran a particularly sophisticated operation. His tax ring called from centers in India, splitting their time between pretending to be the IRS and the US Immigration Services.

Breaking down the scam

Tax scammers typically threaten to revoke a victim’s visa status unless fictitious amounts of money are paid. The scams can range from crude cons, to sophisticated techniques where documents or devices are stolen, and fake websites created.  Those websites then claim to be official Government pages with all the victim’s (stolen) data on them. If the victim doesn’t pay the fake “fine”, they’re threatened with false deportation and imprisonment.

We can assume the fictional USCIS officers would’ve made similar, tax-centric immigration style threats to potential victims. However they did it, money from victims found its way into an elaborate fraud network. Victims are told to wire funds or purchase reloadable cards. US based “runners” then set about liquidating/laundering the money in its newfound forms. Reloadable cards are popular, and a great target for scammers generally. See endnote 50 on this article about how workers get paid for more details.

Between 2013 and 2016, the people at the heart of this scam made millions from their victims. 24 of 60 people charged involved in the scam have been found guilty. The guy at the top pleaded guilty to a wide variety of crimes, including access device fraud, money laundering, impersonation of a federal officer/employee, general conspiracy to commit identification fraud, and wire fraud conspiracy.

Avoiding the tax scammers

As above, be very cautious around claims of immigration fraud or money owed no matter what reasons are given. Contact relevant immigration authorities directly using known/trusted details or go through your immigration adviser, should you have one.

• For more general tax tips related to 2020, we’ve got you covered.
• If you need examples of tax scam mails, you’re in luck.
• Tax scams also wrap themselves in fake tech support calls, of which we have an example.

Avoid missives in your mailbox mentioning mystery refunds, late payments, or “unlock fees” to re-access your online account. Take a similar approach should the tax organisation you deal with be suddenly asking for your login details. There’s no good reason at all why they’d be asking for these details.

Additional lockdowns

Many government tax services offer online portals, and a fair few of those permit additional security protocols. UKGOV’s HMRC portal, for example, is happy for you to use 2FA to keep details secure. Scammers tend to know this and will rely on potential victims using text-based 2FA. This method is vulnerable to “SIM swap” attacks, where scammers trick support staff into porting your mobile number to their own SIM. This means the next time a 2FA code is sent, it’ll go to the fraudster and not the potential victim.

If you’re using an authentication app instead of text codes, this is no longer a problem. Even if someone has grabbed your logins by some other method, they won’t be able to do anything with them. You can go change everything without the imminent threat of someone checking out the nitty-gritty of your account.

If 2FA isn’t available at all, then you’ll need to follow the usual best practices regarding passwords. Perhaps ask the relevant organisation when 2FA may be implemented. Not ideal, but it’s something proactive to get on with while you wait for them to fill the 2FA void.

Forewarned is forearmed

As you may be aware, tax season is almost upon us in many places. Whether it begins in January, April, or another month altogether? It’s worth digging into the online portion of your tax services. See what’s secure, what isn’t, and where the organisation you deal with could perhaps stand to make some improvements.

Scammers are out there making big bucks, and they don’t care who gets crushed in their dash for cash. It’s inevitable that plenty more groups are gearing up for tax time in the few weeks’ quiet before the storm. Start laying down some plans and ground-rules now.

It’s just possible you may help keep both yourself and others safe when the scam wave breaks.

The post Get a head start on defending against tax scams appeared first on Malwarebytes Labs.

Education in the United States faced a crisis this year. The looming threat of the coronavirus—which spreads easily in highly-populated, enclosed rooms—forced schools across the country to develop new strategies for education.

The dramatic stress of this transition is known. Teachers are working more hours than ever and parents are pulled between their jobs and 24/7 childcare. But perhaps for the first time, Malwarebytes has revealed how this transition has stressed the cybersecurity posture of schools and school districts.

Our full report, “Lessons in cybersecurity: How education coped in the shift to distance learning,” shows how schools across the United States are suffering, sometimes through inaction of their own.

Nearly half of all schools did not change anything about their cybersecurity preparations in transitioning to distance learning. The end result is that schools have faced a number of cybersecurity and IT issues that are dramatically increasing IT workload and putting undue strain on teachers’ lives. Some schools have even suffered cyberattacks that have delayed their distance learning plans for a day. More individuals learned that a colleague suffered a malware attack on a school-owned device.

Our report also reveals that cyberattacks do not just threaten the safety of teachers, students, and administrators, though—they also dramatically impact students’ perceptions of schools. Malwarebytes found that many students themselves said a cyberattack would significantly impact their decision to either apply to a school or transfer to that school. Cyberattacks also significantly impacted these students’ trust in their own schools.

Crucially, our report shows that the more cybersecurity best practices that a school put into place, the fewer cybersecurity and IT issues they suffered.

For all of these findings, we went straight to the source.

We conducted two, parallel surveys, the first of which targeted IT decision-makers at schools across the United States. The second survey targeted students enrolled in K–12; students working on obtaining a bachelor’s degree, associate’s degree, or attending trade school; and students enrolled in any post-graduate program.

Key takeaways

• 50.7 percent of IT decision-makers said that no one—not students, teachers, staff, or guests (including parents)—were required to enroll in cybersecurity training before the new school year began
• 46.7 percent of IT decision-makers said their schools developed “no additional requirements”—no distanced learning policy read-throughs, no cybersecurity training, no antivirus tool installations—for the students, faculty, or staff who connected to the school’s network
• 46.2 percentof students said their schools suffered a cyberattack
• 61 percent of students said a cyberattack resulted in a significant or strong impact on their trust in their school
• Schools that engaged in a variety of cybersecurity best practices before transitioning to a distance learning model reported zero school-wide cyberattacks, and zero instruction days lost because of a cyberattack
  • 63.6 percent of these schools said they suffered “sustained, excess IT workload” compared to the 72.0 percent of all respondents
  • 18.2 percent of these schools said “teachers or students have suffered a Zoom-bombing attack” compared to the 29.3 percent of all respondents
• With distance learning in full swing, concerns remain with device shortages:
  • 28 percent of IT respondents said their schools are missing laptops, computers or tablets for teachers
  • 40 percent are missing those tools for parents and students
  • 38.7 percent worry that teachers or students are too quickly using up the data on school-provided WiFi hotspots

Study hard

Though we’re halfway through the school year, it is never too late to improve a school’s cybersecurity. In fact, there are several best practices that a school can implement to protect itself from a cybersecurity incident. Not only that, but some of those same practices can help a school’s faculty focus on what matters most—educating students.

Cybersecurity, it turns out, is a lot like school. You’ve got to do your homework. 

To learn more about the increasing risks uncovered in today’s distance learning environment, and about tips and advice that all schools can act on during 2021, read our full report:

Lessons in cybersecurity: How education coped in the shift to distance learning

The post 50 percent of schools did not prepare for secure distance learning, Labs report reveals appeared first on Malwarebytes Labs.

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to Doug Levin, founder of the K12 cybersecurity resource center and advisor to the K12 Security Information Exchange, about how schools can plan for a cybersecure 2021.

Education faced a crisis in the US this year, as the looming threat of the coronavirus forced schools across the country to develop new strategies for teaching. At Malwarebytes, we wanted to discover how these shifts impacted education cybersecurity.

Revealed for the first time in our newest report published today, “Lessons in cybersecurity: How schools coped in the shift to distance learning,” what we found concerned us.

Tune in to hear about how schools fared in transitioning to distance learning models, what cybersecurity precautions they did not adopt, and how they can prepare for the second half of the school year, on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, Google Play Music, and Spotify, plus whatever preferred podcast platform you use.

We cover our own research on:

• Spam roundup for November
• Germans targeted by return of banking Trojan
• Baltimore schools struck by Ransomware
• Deep learning: what the future holds
• Facebook scams, and how to avoid them
• VideoBytes: is it goodbye for Maze Ransomware?

Other cybersecurity news

• Investment fund leaves files wide open to all (Source: The Register)
• Three years jail time for hacker told to leave Nintendo alone (Source: Justice(dot)Gov)
• How to keep healthcare safe from Ransomware (Source: Help Net Security)
• MacOS users under fire from updated malware (Source: ZDnet)
• Hunger relief org scammed out of close to a million dollars (Source: The Non Profit Times)

Stay safe, everyone!

The post Lock and Code S1Ep21: Lesson planning your school’s cybersecurity with Doug Levin appeared first on Malwarebytes Labs.

There it is again—that annoying message that pops up when your email client informs you that a file is too big to attach. Those of us that are confronted with this problem on a regular basis—and those of us that want to attach files that could get picked up by anti-malware scanners along the way—have probably resorted to using file-sharing sites to help solve this issue. But is file-sharing secure?

How do file-sharing sites work?

The procedure for such file-sharing sites is simple enough. You upload the file, copy the download link, and send that link to the person you want to have the file. Some sites offer you a range of options to prevent your files from falling in the wrong hands like encryption, password protection, and others.

Closely related and more than a few times used for the same purpose are cloud storage sites. These could be ideal to backup those files you can’t do without should your hard-drive fail. Personally, I prefer a physical hard drive to backup my more personal files, but I would have no reservations about storing my installers and configuration files online.

Follow the money

It’s not hard to imagine that it will cost money to run such a site. So, when this service is provided to you for free you would be wise to ask yourself how they pay the bills. As in many other online services, when they are offered for free there is a good chance that your data are used to pay the bills.

But there are other means for these sites to earn revenue:

• Advertising: Sometimes it’s easy to see how the bills are paid. It is hard to find the controls between the advertisements, though.

• Web push notifications: A special form of advertising that can be very annoying. Often used in conjunction with regular advertising. Depending on the advertising network these can vary from slightly annoying to downright malicious.

• Altered files: The file you download is not the same as the file that was uploaded. This can be very embarrassing. You don’t want to send your business relations a link that gets them infected with adware or some potentially unwanted program.
• Not the requested file at all: Some file-sharing sites simply replace the requested files with malware. This often happens on sites that are notorious for sharing cracks and keygens. Sometimes they don’t replace all the files to give the visitor the idea that he could “get lucky.”
• Some sites require you to register and provide an email address, social media account, or to install a program that enables the usage of the site. All these options could result in additional advertising.

• Some file sharing sites offer free accounts for small files but will ask a fee if you want to store bigger files. Or they will offer an improved user experience for paid users, for example higher speeds, simultaneous uploads, or an ad-free site. This seems like a fair deal and a good alternative for the users that only need this occasionally.

Inform yourself beforehand

To keep your data and computer secure, before you decide on which site to use for sharing files or storing online for yourself, follow these pointers:

• Look at reviews about the site and skip the ones that are all good

Even with an outstanding product people will find flaws and complain about them. If you can’t find any negative reviews, there is a good chance these will be barred or removed, or in some cases buried by good reviews posted by the people running the site.

• Check out the security options you can use as a free user.

The more the better, obviously. Look for encryption, limited number of downloads, password protection, or anything else you would like to see. There are many providers out there and it’s worth looking for the one that is ideal for you.

• Try the service out yourself before sending someone else a file.

Upload a file and then download it again, preferably from a different computer and other IP address. Sites may treat the uploader different from other downloaders. Don’t embarrass yourself by using an untested service and getting someone you know infected.

Finally, when you download something uploaded by another user, there are some pointers to minimize the privacy and security risks involved:

• Make sure to click the correct button on the site. PUPs love using those big green buttons that tell you to “start here” when in fact that’s not where you want to go at all.
• Check the file extension, does the filetype match with what you are expecting? When you were promised an mp3 and get a file with the .exe extension that should raise all kinds of alarms? In fact, executable files are best avoided entirely unless you know and trust the sender.
• Check the file size. A movie with a size of 8 MB is not likely to be what it claims to be.
• Scan the downloaded file with a trusted antimalware solution before running it.
• Should you decide to run a file, read the installation or download screens carefully. Sometimes there are additional surprises announced in small print.

So, what’s the end verdict on file-sharing?

We feel it’s not our place to make recommendations about which ones are the best, but we feel it is our duty to make you aware of the risks and pitfalls that are very common in this area, most of which you can spot easily by doing a test round or two.

Basic services for limited use are available for free if you are willing to look for them. With an ad blocker or Browser Guard you can navigate the sites that would normally be full of advertisements a lot easier.

Further, web push notifications can easily be controlled and managed form within the browser. If you want to know how, you should read our blogpost about web push notifications.

Also, a quick inspection of the downloaded file can save you some occasional grief as well.

All in all, we think it is possible to share files or use online storage for non-professional purposes without paying for these services. For more regular and professional usage there are many paid options available. The only thing we do want to warn about is downloading desirable files from “unknown” sources. Sites offering cracks, keygens, movies, music, and other desirable files do have a bad reputation for a reason.

Stay safe everyone!

The post File-sharing and cloud storage sites: How safe are they? appeared first on Malwarebytes Labs.

Hello Folks! In this Videobyte we’re talking about Maze ransomware and whether or not its shutting down, and what that means for the cybercrime world.

The notorious Maze ransomware group, known for its corporate targeting and data leaking extortion schemes is, apparently, shutting down operations.

Rumors began months ago that Maze was shutting down, as many affiliates who helped distribute Maze have been spotted switching to a different, new ransomware family called Egregor.

Then, on November 1, the group behind Maze released a statement claiming that it was closing its doors. The author also went on a rant about how the future will entirely be lived online and Maze ransomware attacks were meant to help prepare companies by forcing them to increase their security.

Typical rhetoric among delusional criminals who want to see their effort as beneficial rather than something which hurts lives.

We will have to wait and see if Maze is truly gone. After all, we thought Ryuk had vanished earlier this year, only to see it return. At the same time, the affiliate shift to Egregor ransomware is somewhat like the shift away from GandCrab to Sodinokibi in 2018-2019.

Unfortunately, history has shown us that when a crime group decides to close their doors, it’s rarely because they have seen the error in their ways and it’s more often due to a new, more powerful threat that these actors would prefer to use.

Links:

• Maze ransomware is shutting down its cybercrime operation – BleepingComputer
• Maze ransomware shuts down operations, denies creating cartel – BleepingComputer

The post VideoBytes: Is it goodbye forever to Maze ransomware? appeared first on Malwarebytes Labs.

Scams can be found anywhere, and Facebook is no exception. And, with the holiday season just around the corner, and the world still weathering a pandemic, it pays to know what Facebook scams you, those close to you, and those you have professional relationships with could potentially encounter.

We’ll look at those that pose a notable risk to either your banking account or your personal information in this two-part series.

“How do I scam thee, let me count the ways“

Plain, ol’ data mining schemes

According to Vade Secure, a company specializing in email defense, Facebook ranks second in its list of most impersonated brands in phishing campaigns, which it details more in its annual Phishers’ Favorites Q1 2020 report.

Facebook phishing campaigns can take many forms—including Facebook apps and SMS messages—and can come via many avenues. It could be a link on Messenger from a connection or stranger, an email asking you to verify your “legal ownership” of your Facebook account, or a simple public post designed to either entice or scare recipients to act, which usually involves the handing over of data.

Take, for example, a campaign where recipients are told their account has been reported for abuse, thus in violation of Facebook’s standards. This is then coupled with a link to a page that tells users to enter their credentials to prove that the account in question is theirs.

One thing to keep in mind is that when it comes to phishing campaigns on Facebook, it doesn’t matter whether it first appeared 10 years ago or 10 days ago. We see similarities in past and present campaigns because phishers find them effective against users as they continue to fall for the same tricks.

Here’s a tip: If you find it difficult to spot a phishing attempt, a password manager could help you by not automatically pre-filling credentials on sites you know it’s supposed to pre-fill. Once this happens, report this to your password manager support team so they can investigate. Meanwhile, avoid manually entering information to the site that your password manager refuses to pre-fill, as it might likely be a phishing page.

Scam ad campaigns

Although this may sound new to the average consumer, those who have established an online business presence on Facebook are quite familiar with scam ad campaigns.

Scam ads are, essentially, false or fake ads designed to reel people in to con them out of their money. This type of campaign has made Facebook their home by hijacking business, community, or “public figure” accounts and buying ad campaigns to run.

Hackers and fraudsters particularly target Facebook accounts that can run ads as everything is already set up for them to use and abuse. And while some cybercriminals deliberately create and leave Facebook accounts to “mature” over time—we’re talking about years here—before they get sold, most scammers just couldn’t wait that long.

Why do they do this? Because Facebook’s system is on the lookout for scammery involving new accounts. Leaving accounts to mature is a way to circumvent the system.

Running scam ads can net fraudsters huge sums of money, even if they only run for a few hours before getting shut down. In fact, a few hours are all they need to see a return on their investment of time and effort.

Last year, Henry Lau, co-founder of Privolta, a company that specializes in privacy focused ads, had his Facebook ads account compromised by hackers via a third-party, who then used it to run a 13-second video campaign of a red toy wagon that was seen by Facebook users in Australia, North America, and Mexico. Interested users who clicked it were taken to a sale site with card skimmer code embedded in it.

Although Facebook had raised a red flag on his account when the fraudsters set a campaign budget of 10,000 USD, the social network didn’t notify Lau and allowed the campaign to play out anyway. Wilson said that Facebook’s model is “approve first, ask questions later”.

---

On the radar: After compromising and installing ransomware on the systems of Campari Group, a well-known Italian beverage maker, the Ragnar Locker ransomware group took to Facebook’s ad campaigns to further pressure the company. The account the group used to run the ad campaign belongs to a deejay based in Chicago. Read more about it in this KrebsOnSecurity post.

---

Live stream and music festival scam

The current pandemic has pretty much made every form of contact with the outside world virtual—including attending concerts. Yes, live stream concerts are indeed a thing today, but unfortunately, concert tickets scams that have plagued such music gatherings have evolved with the times, too.

There are several types of this scam that have been observed in the wild. According to Celebrity Access, fraudsters have set up several Facebook pages with a list of fake live streaming events to come. This, apparently, is a front for a phishing campaign as those who are interested in attending these streams would have to register with their PII.

Another flavor of the live stream scam involves fake donation links. Since local musicians have migrated their live performance events online, cybercriminals have bombarded their official pages with fraudulent links in the hope of directing stream attendees to a site where fans are asked for “donations”. This was what happened to Steve Lucky & the Rhumba Bums featuring Carmen Getit, popular mainstays in the Bay Area music scene, when they announced a Saturday live stream in April.

Several music festivals in the UK were also victims of scammers who employ similar tactics. Kevin Tate, the Festival & Events UK editor, has uncovered nearly a hundred fraudulent links to legitimate events, such as the Reading and Leeds Festivals, the Love Saves the Day Festival in Bristol, and the Noisily Festival. These links, Tate said, were created a few days before the event, and charges interested parties with varying amounts to view content that is, essentially, free.

Fake concert ads are also pushed out via ad campaigns on Facebook.

PayPal fund transfer scam

Facebook Messenger is no stranger to messages containing a copious level of fakery. From across the pond, county police in North West England issued a warning in August about a spate of messages sent via Facebook from accounts that were believed to have been hijacked by hackers.

According to detectives, once scammers take over a legitimate Facebook account, they then proceed to contact friends and family of the account owner, asking them to receive payment from a buyer for an item—usually a camera, based on collected reports—they have purportedly sold on eBay.

They then claim they couldn’t receive the payment themselves because their PayPal account isn’t working, or they don’t have one. They instruct the family or friend that once they receive the cash into their own PayPal account, they are to transfer it to their own bank account before forwarding it to an account controlled by the fraudster.

After the family member or friend arranges a money transfer from their bank account to the scammer’s, the scammer then reverses the PayPal transaction. So no money reaches the family member or friend’s PayPal account, and they have just knowingly given part of their savings to fraudsters.

---

In part 2, we’ll be moving forward with our list and include tips on how to keep yourself and your loved ones safe from these Facebook scams, too. Until then: eyes open, and stay safe!

The post The many ways you can be scammed on Facebook, part I appeared first on Malwarebytes Labs.

Deep learning is one of the most advanced forms of machine learning, and is showing new developments in many industries. In this article, we’ll explain the concept and give some examples of the latest and greatest ways it’s being used.

What is deep learning?

There have been many attempts at creating a definition of deep learning.

As we’ve explained in the past, machine learning can be considered as a sort of offspring of artificial intelligence. In the same way, you can view deep learning as a further evaluated type of machine learning.

According to Wikipedia:  Deep learning (also known as deep structured learning) is part of a broader family of machine learning methods based on artificial neural networks with representation learning. Learning can be supervised, semi-supervised or unsupervised.

While that definition does give us some clues on what we are looking at, it deserves an explanation of some of the terms used.

Artificial neural networks (ANNs) are computerized networks that mimic the behavior of biological communication nodes. What makes biological neural networks different from other artificial networks is that they are dynamic and analog. That not only makes them more flexible, but it also makes them harder to mimic in an artificial neural network.

Representation learning or feature learning is a set of techniques that allows a system to automatically discover the representations needed for feature detection or classification from raw data. In other words, representation learning is a way to extract features from unlabeled data by training a neural network

How is deep learning more advanced?

Basic machine learning methods are becoming better at what they were designed for at an impressive speed. But they still need human guidance from time to time. For example, when users notice that the algorithm has accepted a false statement as true. In such a case, the predictions made by the algorithm become worthless and the situation needs to be corrected.

Deep learning uses multiple layers which allows an algorithm to determine on its own if a prediction is accurate or not. As we all know, you can sometimes reach an accurate conclusion based on false facts. A deep learning model will typically be designed to analyze data with a logic structure and do that in a way that’s very similar to how a human would draw conclusions. This layered approach results in a method that is far more capable of self-regulated learning, much like the human brain.

The obvious warning here is that not every human brain is capable of following the rules of logic and while we perfect the mimicry, we may introduce the same weaknesses that exist in biological brains. Of course, deep learning machines are capable of processing a lot more input than humans can at this point, which is why big data and deep learning often go hand in hand.

Examples of deep learning

Machine learning and, more specifically, deep learning already have proven their worth in some use cases and we can expect more improvements in these fields.

Optimizing

Traffic analysis: Predictions about which roads and motorways are acting as a bottleneck and how the flow can be optimized with a minimum of investments. For example, whether it will prove to be useful to add an extra lane to that highway or whether it will just create the same problem a few miles further ahead.

Transportation automation: In transport, the shortest route is not always the fastest. A delivery route can be optimized by time of arrival at certain delivery addresses, which is something that can be done by deep learning.

Finding cures: Deep learning neural networks can help in structuring and speeding up drug design. Researchers have enhanced deep learning for drug discovery by combining data from a variety of sources.

Market analysis: Combining machine learning with your data can provide insight into which leads prove to give you the highest success rate. However, given that you need a relatively big dataset, this may not be interesting for smaller organizations lest it may lead to self-fulfilling prophecies.

Recognizing

Speech recognition: Apps that listen to voice commands can learn to understand their user better over time. This can help to overcome the returning annoyance about voice assistants that misunderstand or not understand the user at all.

Gesture recognition: One of the latest additions in the area of machine learning deals with recognizing gestures. The signals that are emitted from sensors are able to detect emotions by energy, time delay, and frequency shift.

Deepfakes: For good or bad, further analysis of facial expressions and voice patterns can provide the data for the next step in creating more convincing deepfakes. By better understanding human behavior, it will become easier to mimic and provide more convincing results.

Specializing

Smartphone cameras: These small cameras have to make up for the limitations set by their size in order to come close to the picture quality made by dedicated cameras. Machine learning algorithms do several things to improve and enhance the smartphone’s picture quality.

Targeted advertising: To minimize the number of advertisements the public have to watch, and to optimize the effectiveness of those advertisements, deep learning can be used to provide targeted advertising and make sure the aim is at the most suitable demographic for your product.

These are just some examples. You can probably come up with more if you look around you and see how software has taken over a lot of tasks that required human brains in the past.

The use of machine learning has also made things possible that were impossible before. For example, Google built a system to guard the rainforest. The company built a solution based on an open source platform for machine learning that uses audio to detect sounds of chainsaws and logging trucks to understand if any if an illegal activity is occurring. The machine learning solution takes into account various artificial intelligence techniques to ensure it is correctly detecting any destruction taking place.

The cybersecurity industry

We’ve already talked at length in another blog about how artificial intelligence and machine learning may impact cybersecurity. Some of these changes are already taking form and others are well on their way to being developed, but as we move forward there are bound to be changes. Especially in an industry that is involved in an arms race that entices both sides to stay one step ahead of the other.

The post Deep learning: An explanation and a peek into the future appeared first on Malwarebytes Labs.

This blog post was authored by Hasherezade and Jérôme Segura

On November 23, we received an alert from a partner about a resurgence of Gootkit infections in Germany. Gootkit is a very capable banking Trojan that has been around since 2014 and possesses a number of functionalities such as keystroke or video recording designed to steal financially-related information.

In this latest campaign, threat actors are relying on compromised websites to socially engineer users by using a decoy forum template instructing them to download a malicious file.

While analyzing the complex malware loader we made a surprising discovery. Victims receive Gootkit itself or, in some cases, the REvil (Sodinokibi) ransomware. The decision to serve one or the other payload happens after a check with the criminal infrastructure.

Gootkit attacks observed in Germany

Security researcher TheAnalyst was the first to publicly identify an active campaign in November using a sophisticated loader that was eventually attributed to Gootkit, a banking Trojan not observed in the wild for some time. Germany’s Computer Emergency Response Team DFN-CERT later confirmed that German users were being targeted via compromised websites.

Around the same time, we started receiving reports from some of our partners and their ISPs about Gootkit-related traffic. We were able to confirm Gootkit detections within our telemetry that were all located in Germany.

After a couple of days, we remediated over 600 unique machines that had been compromised.

Fake forum template on hacked websites

The initial loader is spread via hacked websites using an interesting search engine optimization (SEO) technique to customize a fake template that tries to trick users to download a file.

The template mimics a forum thread where a user asks in German for help about a specific topic and receives an answer which appears to be exactly what they were looking for. It’s worth noting that the hacked sites hosting this template are not German (only the template is); they simply happen to be vulnerable and are used as part of the threat actor’s infrastructure.

This fake forum posting is conditionally and dynamically created if the correct victim browses the compromised website. A script removes the legitimate webpage content from the DOM and adds its own content (the template showing a link to a file to download).

There is a server-side check prior to each visit to the page to determine if the user has already been served the fake template or not, in which case the webserver will return legitimate content instead.

Fileless execution and module installation

The infection process starts once the victim executes a malicious script inside the zip archive they just downloaded.

This script is the first of several stages that leads to the execution of the final payload. The following diagram shows a high level overview:

Stage 1 – The first JavaScript

The first JavaScript is the module that has to be manually executed by the victim, and it has been obfuscated in order to hide its real intentions. The obfuscation consists of three layers where one decodes content for the next.

The first stage (a version with cleaned formatting available here) decodes the next element:

The decoded output is a comma-separated array of JavaScript blocks:

There are four elements in the array that are referenced by their indexes. For example, the element with the index 0 means “constructor”, 1 is another block of JavaScript code, 2 is empty, 3 is a wrapper that causes a call to a supplied code.

Block 1 is responsible for reading/writing registry keys under “HKEY_CURRENT_USERSOFTWARE<script-specific name>”. It also deobfuscates and runs another block of code:

This fragment of code is responsible for connecting to the C2. It fetches the domains from the list, and tries them one by one. If it gets a response, it runs it further.

The above downloader script is the first stage of the loading process. Functionality-wise it is almost identical in all the dropped files. The differentiation between the variants starts in the next part, which is another JavaScript fetched from the C2 server.

Stage 2 – The second JavaScript (downloaded from the C2)

The expected response from the server is a decimal string, containing a pseudorandom marker used for validation. It needs to be removed before further processing. The marker consists of “@[request argument]@”.

After conversion to ASCII, the next JavaScript is revealed, and the code is executed. This JavaScript comes with an embedded PE payload which may be either a loader for Gootkit, or for the REvil ransomware. There are also some differences in the algorithm used to deobfuscate it.

Example for the Gootkit variant (commented, full)

The downloaded code chunk is responsible for installing the persistent elements. It also runs a Powershell script that reads the storage, decodes it and runs it further.

Stage 3 – The stored payload and the decoding Powershell

The authors diversified the method of encoding and storing the payload. During our tests we observed two ways of encoding. In one of them, the PE is stored as a Base64 encoded string, and in the other as a hexadecimal string, obfuscated by having certain numbers substituted by a pattern.

The payload is usually stored as a list of registry keys, yet we also observed a variant in which similar content was written into a TXT file.

Example of the payload stored in a file:

The content of the file is an obfuscated Powershell script that runs another Base64 obfuscated layer that finally decodes the .NET payload.

Example of the Powershell script that runs to deobfuscate the file:

"C:WindowsSysWOW64WindowsPowerShellv1.0powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX (([System.IO.File]::ReadAllText('C:Users[username]bkquwxd.txt')).Replace('~',''));"

Below we will study two examples of the loader: One that leads to execution of the REvil ransomware, and another that leads to the execution of Gootkit.

Example 1—Loading REvil ransomware

The example below shows the variant in which a PE file was encoded as an obfuscated hexadecimal string. In the analyzed case, the whole flow led to execution of REvil ransomware. The sandbox analysis presenting this case is available here.

Execution of the second stage JavaScript leads to the payload being written to the registry, as a list of keys. The content is encoded as hexadecimal, and mildly obfuscated.

After writing the keys, the JavaScript deploys a PowerShell command that is responsible for decoding and running the stored content.

Decoded content of the script:

It reads the content from the registry keys and deobfuscates it by substituting patterns. In the given example, the pattern “!@#” in the hexadecimal string was substituted by “1000”, then the PE was decoded and loaded with the help of .NET Reflection.

The next stage PE file (.NET):

• REvil loader: (0e451125eaebac5760c2f3f24cc8112345013597fb6d1b7b1c167001b17d3f9f)

The .NET loader comes with a hardcoded string that is the next stage PE: the final malicious payload. The Setup function called by the PowerShell script is responsible for decoding and running the next PE:

The loader runs to the next stage with the help of Process Hollowing – one of the classic methods of PE injection.

Example 2 – Loading Gootkit

In an other common variant, the payload is saved as Base64. The registry keys compose a PowerShell script in the following format:

$Command =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("[content]")); Invoke-Expression $Command;Start-Sleep -s 22222;

After decoding the base64-encoded content, we get another PowerShell script:

It comes with yet another Base64-encoded piece that is further decompressed and loaded with the help of Reflection Assembly. It is the .NET binary, similar to the previous one.

• Gootkit loader:(973d0318f9d9aec575db054ac9a99d96ff34121473165b10dfba60552a8beed4)

The script calls a function “Install1” from the .NET module. This function loads another PE, that is embedded inside as a base64 encoded buffer:

This time the loader uses another method of PE injection, manual loading into the parent process.

The revealed payload is a Gootkit first stage binary: 60aef1b657e6c701f88fc1af6f56f93727a8f4af2d1001ddfa23e016258e333f. This PE is written in Delphi. In its resources we can find another PE (327916a876fa7541f8a1aad3c2270c2aec913bc8898273d545dc37a85ef7307f ), obfuscated by XOR with a single byte. It is further loaded by the first one.

Loader like matryoshka dolls with a side of REvil

The threat actors behind this campaign are using a very clever loader that performs a number of steps to evade detection. Given that the payload is stored within the registry under a randomly-named key, many security products will not be able to detect and remove it.

However, the biggest surprise here is to see this loader serve REvil ransomware in some instances. We were able to reproduce this flow in our lab once, but most of the time we saw Gootkit.

The REvil group has very strict rules for new members who must pass the test and verify as Russian. One thing we noticed in the REvil sample we collected is that the ransom note still points to decryptor.top instead of decryptor.cc, indicating that this could be an older sample.

Banking Trojans represent a vastly different business model than ransomware. The latter has really flourished during the past few years and has earned criminals millions of dollars in part thanks to large ransom payments from high profile victims. We’ve seen banking malware (i.e. Emotet) turn into loaders for ransomware where different threat actors can specialize in what they do best. Time will tell what this return of Gootkit really means and how it might evolve.

Detection and protection

Malwarebytes prevents, detects and removes Gootkit and REvil via our different protection layers. As we collect indicators of compromise we are able to block the distribution sites so that users do not download the initial loader.

Our behavior-based anti-exploit layer also blocks the malicious loader without any signatures when the JavaScript is opened via an archiving app such as WinRar or 7-Zip.

If a system is already infected with Gootkit, Malwarebytes can remediate the infection by cleaning up the registry entries where Gootkit hides:

Finally, we also detect and stop the REvil (Sodinokibi) ransomware:

Indicators of Compromise

Compromised websites downloading JavaScript loader:

docs.anscommerce[.]com
ellsweb[.]net
entrepasteles[.]supercurro.net
m-uhde[.]de
games.usc[.]edu
doedlinger-erdbau[.]at

3rd stage JavaScript C2s:

badminton-dillenburg[.]de
alona[.]org[.]cy
aperosaintmartin[.]com

Variant 1 (Gootkit):

1. NET loader [973d0318f9d9aec575db054ac9a99d96ff34121473165b10dfba60552a8beed4]
2. Delphi PE [60aef1b657e6c701f88fc1af6f56f93727a8f4af2d1001ddfa23e016258e333f]
3. PE stored in resources [327916a876fa7541f8a1aad3c2270c2aec913bc8898273d545dc37a85ef7307f]

Variant 2 (REvil):

1. NET loader [0e451125eaebac5760c2f3f24cc8112345013597fb6d1b7b1c167001b17d3f9f]
2. Delphi PE [d0e075a9346acbeca7095df2fc5e7c28909961184078e251f737f09b8ef892b6] – the ransomware
3. PE stored in resources [a7e363887e9a7cc7f8de630b12005813cb83d6e3fc3980f735df35dccf5a1341] – a helper component

The post German users targeted with Gootkit banker or REvil ransomware appeared first on Malwarebytes Labs.