Hackers in China are using Datper Trojan

A China-linked cyber espionage group known as Tick was observed using the Datper malware in a recent campaign, Cisco Talos security researchers reveal.

Also referred to as Redbaldknight and Bronze Butler, Tick has been launching various cyber-attacks against entities in South Korea and Japan over the past couple of years. The campaign Talos analyzed also used compromised websites located in the two countries as command and control (C&C) servers.

Although Tick has been using custom tools in each campaign, the researchers observed a series of recurring patterns in the use of infrastructures, such as overlaps in hijacked C&C domains or the use of the same IP.

Based on these infrastructure patterns, the experts discovered similarities between the Datper, xxmm backdoor, and Emdivi malware families that the threat actor has used in attacks.

Datper, the malware used in the campaign Talos analyzed, can execute shell commands on the victim machine, while also obtaining hostnames and drive information. The used infection vector, however, is unknown, Talos says.

The analyzed Datper variant used the compromised website of a legitimate Korean laundry service to host their C&C. Located at whitepia[.]co.kr, the site does not use SSL encryption or certificates, which rendered it vulnerable to attacks.

The security researchers observed other compromised websites as well being used as C&C servers as part of the attack. This led to the hypothesis that the malware could be delivered via web-based assaults, such as drive-by downloads or watering hole attacks.

Talos also discovered hosts that were being used as C&C servers although they were not connected to compromised websites. This would suggest that the hackers initially deployed the C&C infrastructure on legitimately obtained (and potentially purchased) hosts.

“The actor behind this campaign deployed and managed their C&X infrastructure mainly in South Korea and Japan. We confirmed that the actor periodically changed their C&C infrastructure and appears to have a history of identifying and penetrating vulnerable websites located in these countries,” Talos says.

Once on the infected machine, Datper would create a mutex object and retrieve several pieces of information from the victim machine, including system information and keyboard layout. Next, the malware attempts to issue an HTTP GET request to the C&C server (which was unavailable during the investigation).

Some of the compromised websites were also used as C&C domains for the xxmm backdoor, also known as Murim or Wrim, which was previously associated with the threat actor, and which allows attackers to install additional malicious tools onto the infected machines. The two samples also use similar GET request URI paths.

Password and Credit Card-Stealing Azorult Malware Updated: More Weaponized



Exponentially increasing the potency of the Azorult, its operators configured a new update for the malware which has been stealing passwords, bank card main points, and cryptocurrency since its origination in 2016.
The Azorult malware, more weaponized than ever, leave victims unarmed against the cyber attack which allows fraudsters to steal their credentials including passwords, browsing histories, bank card main point and contents of their cryptocurrency wallets.
Well summarized by the researchers at tech safety corporate Test Level, “Considerably up to date”, is the phrase unanimously devised attempting to describe the degree of update the new model undertook.
“Substantially updated” is how the Check Point viewed it, the tech company says that the updated version is being marketed in an underground forum.
The updated model is equipped with novel features to rob the victims’ wallet off additional forms of cryptocurrency – BitcoinGold, electrumG, btcprivate (electrum-btcp), bitcore and Exodus Eden are the probable targets.
Azorult’s developer boats further enhancements to the cryptocurrency wallet stealer parts and improvements to the loader, this reflects the meteoric emergence of the gray sphere of malware advancements.
As noted by the researchers, the inclusion of a new encryption method to obscure the domain name coupled with a new key for connecting to the command and regulation server makes the malware comparatively deadlier and distinct from the earlier versions.
Azorult made its debut appearance in the market on 4th of the October; it was followed by the online leaks of source code for Azorult versions 3.1 and 3.2.  Check Point noticed, Gazorp (a malware builder that lets users generate a previous model of Azorult at zero expenses) being powered by using free tools.
Remarking the addition as worthwhile, Israel Gubi, a malware researcher at Check Point says "It is plausible that the Azorult's author would like to introduce new features to the malware and make it worthy as a product in the underground market,"
The updated version of Azorult is made to penetrate via the RIG exploit kit, it exploits the vulnerabilities in Internet Explorer and Flash Player to launch JavaScript, Flash, and VBScript-based attacks to deliver malware to users.
 On the protection front, users are advised to ensure that they have all the relevant software updates installed as Azorult is reportedly reliant on vulnerabilities that aren’t the first of their kind.





Over-Hyped libssh vulnerability




A four-year-old vulnerability in libssh, a library used to implement the Secure Shell (SSH) authentication protocol, could allow malicious actors an easy access to servers with full administrative control.

A security consultant Peter Winter-Smith at NCC Group is the first one to discover the authentication bypass flaw (CVE-2018-10933) in libSSH.

Using the vulnerability, the attackers can bypass authentication procedures and gain access to a server enabled with an SSH connection without entering the password.

This could be done by sending the SSH server "SSH2_MSG_USERAUTH_SUCCESS" message instead of the "SSH2_MSG_USERAUTH_REQUEST" message.

Due to a coding error, the message "SSH2_MSG_USERAUTH_SUCCESS" is interpreted as the "authentication has already taken place" and it grants access to the server.

On June this year, he informed the libSSH team about the flaw, and the patch for the vulnerability was coded in mid-September and the update was released Oct. 16.

However, until now there are no signs of any major sites being affected by the flaw. While,  it is reported that Github support libssh, but its security team has clarified that their site is unaffected by the vulnerability.

"We use a custom version of libssh; SSH2_MSG_USERAUTH_SUCCESS with libssh server is not relied upon for pubkey-based auth, which is what we use the library for. Patches have been applied out of an abundance of caution, but [GitHub Enterprise] was never vulnerable to CVE-2018-10933," the company said on Twitter.

"I suspect this will end up being a nomination for the most overhyped bug, since half the people on Twitter seem to worry that it affects OpenSSH and the other half (quite correctly!) worry that GitHub uses libssh, when in fact GitHub isn’t vulnerable," Winter-Smith said.

 “Remove GitHub and my guess is you’ll be left with a small handful of random sftp servers or IoT devices and little else!” he further added.

According to the security researcher, the best way to avoid any kind of flaw is to update the libSSH library to version 0.7.6 or higher.

Here are some of the additional details about the bug as provided by  the researcher Winter-Smith

"The issue is basically a bug in the libssh library, not to be confused with the similarly named libssh2 or OpenSSH projects (especially the latter) which results from the fact that the server uses the same state machine to authenticate clients and servers.

The message dispatching code that processes messages either in client mode or server mode (it’s the same function) doesn’t make sure that the message type received is suitable for the mode it’s running in. So, for example, the server will dispatch messages which are only intended by design for processing client side, even when running in server mode.

The SSH2_MSG_USERAUTH_SUCCESS message is used by the server to inform the client that they were authenticated successfully, it updates the internal libssh state machine to mark the client as being authenticated with the server. What I found was that if the exact same message is sent to the server it updates the state machine to tell the server the client is authenticated.

Technically: I would say that it’s surprising how fairly straightforward bugs with serious consequences can still lurk, and sometimes it pays to take a step back from fuzzing to try to understand how a protocol implementation works."


Russians and Vietnamese Hackers detained in the Czech Republic



The Prosecutor's office in Prague reported the detention of eight citizens of Russia and Vietnam. Hackers are accused of cyber attack on computer networks of the Czech Foreign Ministry.

Hackers are suspected of hacking into the servers of the Ministry of Foreign Affairs of the Czech Republic. According to prosecutors, Russian hackers helped Vietnamese citizens to legalize in the Czech Republic for a fee. It does not specify how many Russian citizens among the suspects.

The Ministry clarified that the detainees are suspected of breaking into the system of issuing residence permits. Four detainees were also charged with money laundering.

According to the Police, attackers could earn tens of millions of dollars.

In turn, Russian blogger Rustem Adagamov, who lives in the Czech Republic, wrote on his Twitter that Russian hackers had hacked the servers of the Czech Foreign Ministry in the interests of the Vietnamese, who can legalize their countrymen’s stay in Europe.


Phishing attack stealing login details, pictures of iPhone users



A new phishing email attack has engulfed Apple users to steal their login information.

The users are taken in the trap through a malicious email hyperlink labeled as ''review your subscription' which appears to be from Spotify. The link takes the users to an official-looking site with identical Apple logos.

The hackers have designed the site to dupe people into submitting their Apple login and password so that they can get an unrestricted access to Apple Pay, pictures, videos, and personal information.



A Reddit user named /u/the101maham was the first one to highlight the iPhone scam. "I saw this email today, I thought the sender looked fishy, so I went in to see if I had bought a year of Spotify Premium.

"I was drinking last night so I had a slight panic and clicked the link.

"But when I saw the Apple page with a random address I immediately knew it was a scam."

Tim Sadler, CEO at security firm Tessian, told The Sun: "This is an example of a classic phishing scam.

"Phishing emails, like spam, are bulk in nature but are often farming for a user's credentials by mimicking the identity of a trusted website or service – in this case, Apple and Spotify.

"Like spam, phishing doesn't discriminate. Anyone, individual or business, can be targeted and easily duped."