GuLoader returns with a rotten shipment

GuLoader, a perennial favourite of email-based malware campaigns since 2019, has been seen in the wild once again. GuLoader is a downloader with a chequered history, dating back to somewhere around 2011 in various forms. Two years ago it was one of our most seen malspam attachments.

[Chart: most popular attachments by tags in Malwarebytes email telemetry, 2020]

We also saw it during the pandemic, masquerading as a health e-book sent from the World Health Organisation.

GuLoader is typically used to load in the payload for the campaign in question. It often arrives in a ZIP file, and once opened and the file inside is executed the malicious activity begins. It may attempt to download data stealers, trojans, generic forms of malware…whatever is required. On top of this, GuLoader is designed to evade network detection and sneak past sandbox technology. For example, it may recognise being loaded up inside a virtual testing machine and refuse to load.

In this case, we have a bogus shipping notification written in Italian.

[Screenshot: the shipment notification email, detected as GuLoader]

This is somewhat humorous given GuLoader’s Italian origins. The mail, titled “Shipment Notification”, reads as follows:

Dear Customer,

We are pleased to inform you that the shipment to you by Mastrotto Express has begun. For shipping details, please see the attached file. For convenience, we summarise the details of the shipment:

Shipping number:

Delivery note number:

Number of packages:

Weight:

Volume:

We inform you that the email was automatically generated by a server, please do not reply, thanks for your cooperation.

In this example, GuLoader is not hidden inside a Zip file. Instead, the attachment is an .ISO file. An .ISO is designed to be a copy of a DVD, a CD, and other related forms of media. If you ever spent some time backing up your CD collection to a computer, you probably have a lot of these in a folder somewhere.

The file (or image, as they’re also sometimes called) would then be mounted as a virtual drive to gain access to the content. You could also just use a program like WinZip to open the files. However you do it, in this case the only thing waiting inside is GuLoader taking the form of a fake .JPG file. Note the .EXE (executable) extension in the below screenshot. Pretending that an executable is an image by giving it a double extension is an incredibly old trick. On the other hand, it works!

[Screenshot: the double-extension file inside the ISO]

How to avoid fake parcel scams

  • Check your orders. The email isn’t going anywhere, and neither is your order. You have plenty of time to see if you recognise parcel details, and also the delivery network. 
  • Avoid attachments. So-called invoices or shipping details enclosed in a ZIP file should be treated with suspicion.
  • Watch out for a sense of urgency. Be wary of anything applying pressure to make you perform a task. A missing payment and only 24 hours to make it? A time-sensitive refund? Mysterious shipping charges? All are designed to hurry you into making a decision.
  • If in doubt, make contact with the company directly via official channels.

Thanks to Jerome for sending over.


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

A week in security (April 17 – 23)

Last week on Malwarebytes Labs:


Adult content malvertising scheme leads to clickjacking

Malwarebytes’ researchers have found a malvertising scheme that leads to clickjacking.

Clickjacking is a form of ad fraud which is also referred to as click fraud or click spam. It is a practice performed by certain dubious advertising networks, where they sometimes use automated programs—from simple to sophisticated bots and botnets—to interact with advertisements online. But it can also be done by tricking legitimate users into clicking ads, visiting pages, and (in some cases) creating fake form submissions.

Ad fraud means that the advertiser pays the referrer or the advertising network to show their ads to interested visitors. In reality, the criminal doesn’t care who actually clicks or whether they are interested, as long as the money keeps coming their way.

The campaign

To start things up, visitors are lured to several fake blogs about topics they might find interesting.

[Screenshot: this is how the actual blog looks]

The original blog, however, is hidden by an overlay showing blurred explicit content and a button asking the visitor to confirm they are 18+ and whether they want to enter the website. We have seen a few different overlays on the same website, so there could be some fingerprinting involved. Below are a few examples:

[Screenshot: example of overlay 1]

[Screenshot: overlay button, version 2]

Whichever one the visitor sees, clicking the button does nothing other than registering a click on an advertisement. However, that does help the cybercriminals set up this clickjacking scheme. 

[Screenshot: advertisement targeting a Dutch audience]

Above is an example of an advertisement shown to a Dutch IP and, below, a screenshot of the Google ad that was presented to a Canadian IP address.

[Screenshot: full link to the advertisement shown to a Canadian visitor]

This is the link behind the version you can see here:

[Screenshot: overlay version 3. Dragging the button allows the visitor to see where the click will take them]

The code behind these attacks is obfuscated.

[Screenshot: the obfuscated JavaScript]

In this case there is no imminent danger for the website visitor. It is just wasted money for the advertiser. So, if you run into one of these, don’t make them any richer by clicking that 18+ button.

If you are spending money on advertising, it is worth looking at what you get for the money you are spending. According to research carried out by BusinessOfApps, the total cost of ad fraud in 2022 was around $81 billion, and it is predicted to increase to $100 billion by 2023.

If the spending and return on investment are non-transparent, advertisers can also look at solutions that can significantly reduce their advertising costs. You can try some for free for up to 5,000 paid clicks per month on the Google Ads platform.


Removing the human: When should AI be used in emotional crisis? Lock and Code S03E09

In January, a mental health nonprofit admitted that it had used Artificial Intelligence to help talk to people in distress. 

Prompted first by a user’s longing for personal improvement—and the difficulties involved in that journey—the AI tool generated a reply, which, with human intervention, could be sent verbatim in a chat box, or edited and fine-tuned to better fit the situation. The AI said:

“I hear you. You’re trying to become a better person and it’s not easy. It’s hard to make changes in our lives, especially when we’re trying to do it alone. But you’re not alone. There are people here who care about you and want to help you. I’m proud of you for making the decision to try to improve your life. It takes a lot of courage and strength. I send you love and support as you go through this journey.”

This was experimental work from Koko, a mental health nonprofit that integrated the GPT-3 large language model into its product for a short period of time that is now over. In a video demonstration posted on Twitter earlier this year, Koko co-founder Rob Morris revealed that the nonprofit had used AI to provide “mental health support to about 4,000 people” across “about 30,000 messages.” Though Koko pulled GPT-3 from its system after a reportedly short period of time, Morris said on Twitter that there are several questions left from the experience. 

“The implications here are poorly understood,” Morris said. “Would people eventually seek emotional support from machines, rather than friends and family?”

Today, on the Lock and Code podcast with host David Ruiz, we speak with Courtney Brown, a social services administrator with a history in research and suicidology, to dig into the ethics, feasibility, and potential consequences of relying increasingly on AI tools to help people in distress. For Brown, the immediate implications draw up several concerns. 

“It disturbed me to see AI using ‘I care about you,’ or ‘I’m concerned,’ or ‘I’m proud of you.’ That made me feel sick to my stomach. And I think it was partially because these are the things that I say, and it’s partially because I think that they’re going to lose power as a form of connecting to another human.”

But, importantly, Brown is not the only voice in today’s podcast with experience in crisis support. For six years and across 1,000 hours, Ruiz volunteered on his local suicide prevention hotline. He, too, has a background to share. 

Tune in today as Ruiz and Brown explore the boundaries for deploying AI on people suffering from emotional distress, whether the “support” offered by any AI will be as helpful and genuine as that of a human, and, importantly, whether they are simply afraid of having AI encroach on the most human experiences. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Update now, there’s a Chrome zero-day in the wild

Google has announced an important update for Chrome to help fend off a zero-day. The update fixes several issues, and readers are advised to ensure they’re using the latest version of the browser.

Mitigation

If you’re using Chrome on Mac, Windows, or Linux, you need to update as soon as you possibly can. If you’re using a standard Chrome setup then updates should be applied automatically. However, this won’t happen if you never close your browser, or if the update is blocked by something like a fault in an installed extension.

It’s always good to check, especially when something bad is floating around potentially helping to compromise devices. One easy way to do this is to navigate to chrome://settings/help or to click Settings > About Chrome.

Chrome will tell you which version you’re on and whether there’s an update available. Once you’ve downloaded the update, relaunch the browser and everything should be good to go. If everything has worked as it should, you should now be running the latest version. At the time of writing, the most recent update being offered is 112.0.5615.138.

[Screenshot: the Chrome update screen]

This will fix eight vulnerabilities, although the update is currently only available for Mac and Windows. The Linux version is still being worked on.

Vulnerability

The exploit page for CVE-2023-2136 has few details available, as is the usual pattern followed by Google when something like this happens. Details are generally held back to give people time to patch, without offering any clues to cybercriminals about how they might exploit the vulnerability. So far, the only information we have is:

Integer overflow in Skia in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

An integer overflow is a programming error that allows an attacker to manipulate a number the program uses in a way that might be harmful. If the number is used to set the length of a data buffer (an area of memory used to hold data), an integer overflow can lead to a buffer overflow, a vulnerability that allows an attacker to overload a buffer with more data than it’s expecting, which creates a route for the attacker to manipulate the program.
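To make the chain from integer overflow to buffer overflow concrete, here is an added C example; it is not Chromium or Skia code, and the pixel-buffer arithmetic, function names and sample dimensions are assumed for illustration. It shows a naive 32-bit size calculation silently wrapping to a small value, and an overflow-checked version that refuses the allocation instead of handing back the wrapped size.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical image-buffer sizing, written for illustration only.
 * A graphics library typically computes width * height * bytes_per_pixel
 * to size a pixel buffer. In 32-bit unsigned arithmetic that product
 * silently wraps around, so untrusted dimensions can yield a tiny size
 * while the drawing code still believes the image is huge. */

/* Naive version: wraps on overflow and returns a misleadingly small size. */
uint32_t naive_pixel_buffer_size(uint32_t width, uint32_t height,
                                 uint32_t bytes_per_pixel)
{
    return width * height * bytes_per_pixel;
}

/* The number of bytes a row-by-row fill loop would actually write,
 * computed in 64 bits (no wrap) so it can be compared with the naive size. */
uint64_t bytes_actually_needed(uint32_t width, uint32_t height,
                               uint32_t bytes_per_pixel)
{
    return (uint64_t)width * height * bytes_per_pixel;
}

/* Checked version: detects overflow at each multiplication and refuses
 * to return a size rather than returning a wrapped one. */
bool checked_pixel_buffer_size(uint32_t width, uint32_t height,
                               uint32_t bytes_per_pixel, uint32_t *out)
{
    uint32_t area, bytes;
    if (__builtin_mul_overflow(width, height, &area)) return false;
    if (__builtin_mul_overflow(area, bytes_per_pixel, &bytes)) return false;
    if (bytes == 0) return false;  /* reject degenerate images too */
    *out = bytes;
    return true;
}

/* Allocates and clears a pixel buffer only when the size is sound.
 * With the naive size, the same memset would run past the allocation
 * whenever the product wrapped; here the checked size always matches
 * what the image really needs. */
bool allocate_and_clear(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t size;
    if (!checked_pixel_buffer_size(width, height, bpp, &size)) return false;
    unsigned char *buf = malloc(size);
    if (buf == NULL) return false;
    memset(buf, 0, size);
    free(buf);
    return true;
}

int main(void)
{
    /* Constructed sample dimensions: one ordinary image, two that wrap. */
    struct { uint32_t w, h, bpp; } cases[] = {
        { 640, 480, 4 },        /* ordinary image: 1228800 bytes */
        { 65536, 65536, 4 },    /* 2^32 pixels: naive size wraps to 0 */
        { 65536, 65537, 1 },    /* naive size wraps to 65536, needs ~4 GiB */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t w = cases[i].w, h = cases[i].h, bpp = cases[i].bpp;
        uint32_t checked = 0;
        bool ok = checked_pixel_buffer_size(w, h, bpp, &checked);
        printf("%u x %u x %u: naive=%u needed=%llu checked=%s\n",
               w, h, bpp, naive_pixel_buffer_size(w, h, bpp),
               (unsigned long long)bytes_actually_needed(w, h, bpp),
               ok ? "ok" : "rejected");
    }
    return 0;
}
```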

Skia is a graphics library (a set of reusable code) used by Google Chrome. In this case the error allows an attacker to escape the shackles of Chrome’s “sandbox”, a security feature that should prevent malicious code from affecting the system that Chrome is running on.


Would-be hitman busted after being fooled by parody website

A member of the Air National Guard is facing federal charges after applying for a job online as an assassin. According to a Justice Department press release, Josiah Ernesto Garcia from Hermitage, Tennessee, was arrested by an undercover federal agent at a park on April 12, 2023.

The FBI affidavit says Garcia was looking for a good-paying job to support his family. He reportedly told the undercover agent:

“Im [sic] looking for a job, that pays well, related to my military experience (Shooting and Killing the marked target) so I can support my kid on the way. What can I say, I enjoy doing what I do, so if I can find a job that is similar to it, (such as this one) put me in coach!”

He is alleged to have started looking for “contract mercenary jobs” in mid-February, eventually coming across RentAHitman.com, a website for a cybersecurity startup that later turned into a parody site, after receiving inquiries about murder-for-hire services. The site contains false testimonials, a form where people can request hit services, and a career inquiry page for anyone wanting to apply as a hired killer.

Completely missing numerous red flags, Garcia reportedly applied to become a hitman. He then made several follow-up messages to the site’s administrator, and provided his identification documents and a resume that indicated he had been in the Air National Guard since 2021, where he reportedly earned the nickname “Reaper” for his excellent marksmanship.

The FBI eventually intervened and set up a sting to capture Garcia. An undercover agent posing as a recruiter offered Garcia a hit on an individual for $5,000. They met at a park, and the agent handed Garcia information about a fictitious target that included photographs, fake information, and a down payment of $2,500.

“Defendant met with an FBI undercover agent and participated in detailed discussions expressing his interest in torturing and killing people for money,” the affidavit says. “After being offered many opportunities to withdraw from the employment offer, [D]efendant accepted payment to kill a person.”

After receiving the packet and the money, Garcia asked the agent if he needed to provide a photo of the dead body. He was swiftly arrested and charged with “the use of interstate facilities in the commission of murder-for-hire.” Subsequently, the FBI searched Garcia’s home and recovered his AR-15 rifle.

After waiving his Miranda rights, Garcia reportedly told investigators “he had second thoughts about the hitman job and changed his mind,” after getting a job offer from Vanderbilt University Medical Center. The affidavit says that “Garcia stated that he was meeting the UCE [undercover employee] to tell him he had changed his mind and did not want to do this kind of work. Garcia stated that he was going to call the UCE when he got to his car and leave the money on the curb for the UCE to pick up.”

According to the charge, Garcia faces up to 10 years in prison if convicted.


US Facebook users can now claim Cambridge Analytica settlement cash

US-based Facebook users can now claim a piece of the enormous settlement payment by Meta, Facebook’s parent company, over the Cambridge Analytica scandal. This news follows Meta agreeing to pay $725 million in December 2022 to settle the longstanding class action lawsuit filed by Lauren Price in 2018.

Price accused the company of unlawful business practices concerning its use and distribution of users’ personal data. Price was a Facebook user for eight years before the scandal happened. Her lawsuit asked for $500 million.

As part of the settlement, US Facebook users—those still active and those who have already deleted their accounts—will be compensated financially. CNN points potentially affected and eligible users to this claim form.

It takes only a few minutes to complete. Although the form asks for personal information, it clarifies that what users provide “will be processed only for purposes of effectuating the settlement.”

[Screenshot: the settlement claim form]

Because of the amounts of money involved, and the personal information required to make a claim, readers are advised to be careful of imposter claim forms and websites asking for their details.

Furthermore, claimants are advised to whitelist the email address, confirmation@facebookuserprivacysettlement.com, to ensure they receive future correspondence from the settlement administrator should they need to get in touch.

As to how much each claimant might get, it depends on the number of submitted valid claims and how long claimants were Facebook users.

“We pursued a settlement as it’s in the best interest of our community and shareholders,” said Dina Luce, Meta spokesperson, in a statement following the settlement agreement in December. “Over the last three years we revamped our approach to privacy and implemented a comprehensive privacy program. We look forward to continuing to build services people love and trust with privacy at the forefront.”


Fancy Bear known to be exploiting vulnerability in Cisco routers

In a joint advisory, the UK National Cyber Security Centre (NCSC), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released information about APT28’s exploitation of Cisco routers in 2021.

Now please don’t stop reading because you think this is old news. If you think 2021 is long ago, maybe you will be surprised to learn that the vulnerability used in these attacks was actually discovered in 2017.

Cisco published workarounds and updates for this vulnerability in June of 2017. Nevertheless, the advisory says that the mentioned tactics, techniques, and procedures (TTPs) may still be being used against vulnerable Cisco devices.

APT28 (also known as Sofacy and Fancy Bear) is the name for an advanced group of cybercriminals of Russian origin that is commonly believed to be part of the Russian Staff Main Intelligence Directorate (GRU). Previous activities include cyberattacks against the German parliament in 2015, and an attempted attack against the Organization for the Prohibition of Chemical Weapons (OPCW) in April 2018, intended to disrupt independent analysis of chemicals weaponized by the GRU in the UK.

The Simple Network Management Protocol (SNMP) is an application-layer protocol that provides a standardized framework and a common language for monitoring and managing devices in a network. SNMP is designed to allow network administrators to monitor and configure network devices remotely, but it can also be abused to obtain sensitive network information and, if vulnerable, exploit devices to penetrate a network. In 2021, APT28 used infrastructure to masquerade SNMP access into Cisco routers worldwide.

This was possible because the SNMP subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to execute code on an affected system or cause an affected system to reload. These vulnerabilities affect all releases of Cisco IOS and IOS XE Software prior to the first fixed release, and they affect all versions of SNMP (versions 1, 2c, and 3). An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6.

Enter Jaguar Tooth, the name of the malware that APT28 used to obtain further device information and to enable unauthenticated access via a backdoor. The actor obtained this device information by executing a number of commands via the malware and sending the output out over Trivial File Transfer Protocol (TFTP). The information includes discovery of other devices on the network.

Discovery and countermeasures

Should you be worried about this threat? That depends on your threat model. If there is a reason for state actors to be interested in you in some way, then the answer is yes. This is the type of threat that the UK’s Minister and Secretary of State for National Investment Security, Mr Dowden, is referring to when he talks about groups that are ideologically motivated, rather than financially motivated.

If you suspect your router has been compromised, you can follow Cisco’s advice for verifying the Cisco IOS image. If that does not take away your suspicion, you should:

  • Revoke all keys associated with that router. When replacing the router configuration be sure to create new keys rather than pasting from the old configuration.
  • Replace both the ROMMON and Cisco IOS image with an image that has been sourced directly from the Cisco website, in case third party and internal repositories have been compromised.

To prevent falling victim to this specific threat there are some steps you should take:

  • Patch devices as advised by Cisco.
  • Do not use SNMP if you are not required to configure or manage devices remotely. If you do need it, use a limiting allow list for SNMP messages to prevent unauthorized users from accessing your router.
  • Review your password policy and adapt it where necessary.
  • Use logging tools to record commands executed on your network devices.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

FTC tackles tech support scams by chasing payment processor firms

A multinational payment processing company and two of its executives are facing a potential $650k fine as a result of allegedly processing credit card payments for tech support scammers. While this fine isn’t exactly massive in comparison to some of the privacy breaches and other incidents seen down the years, the original fine the company was handed was an eye-watering $49.5m. The fine was reduced alongside an agreement to court orders which involve close monitoring of “high-risk clients”.

From the FTC release:

The Federal Trade Commission has acted to stop Nexway, a multinational payment processing company, along with its CEO and chief strategy officer, from serving as a facilitator for the tech support scammers through credit card laundering.

The FTC’s complaint against Nexway (and several of its subsidiaries and an associated company known as Asknet), its CEO Victor Iezuitov, and its chief strategy officer Casey Potenzone charges that the defendants were at the center of several offshore tech support scams, processing tens of millions of dollars in charges and giving the scammers access to the US credit card network.

A big part of the complaint is in relation to the so-called “premium tech support” customers using the Nexway system for credit card payment processing. The FTC alleges that a Nexway leadership meeting indicated that it was “strongly dependent” on its premium tech support clients, which represented 25% of Nexway’s revenue.

Additionally, complaints related to the individual tech support scammers were in great supply, and so were chargebacks (a way for people to dispute charges they feel to be wrong, such as after realising they’ve been hit by a tech support scam) and cancellations. From the complaint, in relation to one support scam outfit using Nexway for payment processing:

…on February 10, 2017, the Senior Key Account Manager at Nexway sent Potenzone an email titled “Nexway/TechLiveConnect: Chargeback & Cancellation rates”. The February 10, 2017 email included a table showing Tech Live Connect had (1) chargeback rates of 2.2% in November 2016, 2.6% in December 2016, and 1.5% in January 2017; and (2) cancelation rates of 23.2% in November 2016, 27% in December 2016, and 21.8% in January 2017.

Credit card companies keep a sharp lookout for signs of repeated dubious transactions happening via fraud monitoring programs. From the complaint:

Nexway had such high chargebacks that Visa placed the company in its Chargeback Monitoring Program in December 2017.

Something was clearly amiss here, and complaints from consumers about pop-ups, screens locking up while a siren plays, and bogus virus warnings, made to the Better Business Bureau and elsewhere, lead us to where we are today.

Tech support scams have been around forever, and often ride on the coattails of established brands to sell their wares. This kind of scammer has imitated everything from Microsoft to genuine security firms down the years. If you’re an organisation unfortunate enough to be imitated, you can also expect to field support calls from understandably annoyed people who think that you’ve ripped them off, as opposed to the genuine culprits.

Tips for avoiding tech support scams

There’s a huge amount to cover with this style of attack, but here are a few of the basics to get you up to speed:

  • Beware the lock up. If your browser or mobile device “locks up”, as in you’re no longer able to navigate away from a virus warning, you’re on a tech support scam. If something claims to show the files and folders from inside of your browser, this is another signal that you’re on a fake page. Close the browser if possible (for example, by pressing CTRL+ALT+DEL on a Windows PC) or restart your device if this doesn’t work.
  • Screenlocker issues. These are typically fake Windows Blue Screen of Death error pages, except they come with the tech support scammer’s phone number included. You may need one of our removal self-help guides to resolve this.
  • Beware of someone wanting to connect to your computer remotely. One of the tech support scammer’s biggest weapons is their ability to connect remotely to their victims. If they do this, they essentially have total access to all of your files and folders. 
  • Did you already pay? Contact your credit card company or bank and let them know what’s happened. You may also need to file a complaint with the FTC, or contact your local law enforcement agency depending on your region.

For a very detailed breakdown of tech support scams, how they operate, and more suggestions to keep yourself safe from harm, please check out our dedicated tech support scams page.


QBot changes tactic, remains a menace to business networks

QBot, an infostealer-turned-dropper that aids criminal gangs in their malicious campaigns, is now being distributed as part of a phishing campaign using PDFs and Windows Script Files (WSF), according to recent discoveries by malware hunter Proxylife (@pr0xylife) and the Cryptolaemus group (@Cryptolaemus1).

The last time QBot (aka QakBot) changed its modus operandi was in November. Campaign operators adopted tactics from Magniber’s playbook to exploit a Mark of the Web (MotW) zero-day flaw in order to run a JavaScript (JS) file that executed QBot.

The latest QBot phishing campaign is illustrated simply in the diagram below:

[Diagram: the QBot campaign illustrated (Source: Jerome Segura | Malwarebytes Labs)]

The attack starts with a reply-chain phishing email, when threat actors reply to a chain of emails with a malicious link or attachment. BleepingComputer has noted that these phishing emails use a variety of languages. This means the language barrier is absent in such an attack, so any business from any part of the world could be affected.

[Screenshot: a sample reply-chain phishing email in French, carrying a PDF attachment disguised as a cancellation letter (Source: BleepingComputer)]

Once someone in the email chain opens the attached PDF, they see a message saying, “This document contains protected files, to display them, click on the ‘open’ button.” Clicking the button downloads a ZIP file containing the WSF script.

[Screenshot: the PDF attachment prompting the reader to click the ‘open’ button]

The heavily obfuscated script contains a mix of JS and VBScript code that, when run, triggers a PowerShell command that then downloads the QBot DLL from a list of hardcoded URLs. The script tries each URL in turn until a file is downloaded to the Windows Temp folder (%TEMP%) and executed.

Once QBot runs, it issues a PING command to check for an internet connection. It then injects itself into wermgr.exe, a legitimate Windows Error Manager program, to run quietly in the background.

Because QBot is said to be used by operators of ransomware-as-a-service (RaaS) offerings, its presence in company systems could be disastrous. Therefore, any organization must take its QBot-infected systems offline as soon as possible and thoroughly scan and review network logs for unusual behavior.

The DFIR Report in February 2022 showed QBot collecting data from a compromised system 30 minutes after infecting it. Within an hour, QBot can be spread to adjacent systems.

Malwarebytes detects the malicious DLL (QBot).

[Screenshot: Malwarebytes detection of the QBot DLL]
