New variant of Java RAT can use your Android device to mine Litecoin

A new variant of the old Java RAT "UNRECOM" is being distributed via spam emails, Trend Micro reports.

One such spam email pretends to come from American Express and informs recipients that their account has been suspended due to suspicious activity.

"Attached to this mail is your statement with the irregular activities highlighted. Please fill in the required information in the form also attached, this is required for us to continue to offer you service in a safe and risk free environment," the spam mail reads.

The attachment is not a statement at all but the Java Remote Access Trojan itself.


So, what is new?
We already knew this Java RAT can run on multiple platforms. Now it is also capable of running on Android devices, and it comes with a Litecoin-mining plugin. Beyond that, it can capture screenshots and display messages on the infected device.

In addition, the malware has an APK binder component, which means it can take legitimate Android apps and repackage them with the RAT inside, turning them into malware.

Android malware iBanking helps attackers to hack Facebook account

An attacker cannot log into a Facebook account that has two-step verification enabled just by knowing the username and password; the one-time code sent by SMS is also needed. But if you think two-step verification alone keeps your Facebook account safe from hackers, think again.

Cyber criminals have started using the Android banking Trojan "iBanking" to bypass Facebook's two-factor verification.

iBanking is a malicious Android application capable of intercepting SMS messages, forwarding incoming voice calls to any number and recording the victim's surroundings through the microphone.

Recently, RSA noted that the source code of the iBanking Trojan had been leaked. The leak allows other cyber criminals to customise the Trojan to their own needs.

ESET reports that a customised iBanking build targeting Facebook users is being delivered through a new variant of the Windows banking Trojan Qadars.

When a PC is infected with Qadars, the Trojan shows a message during the Facebook login telling the user that "Facebook introduces new extra safety protection system" and instructs them to install an Android app. That app gives the cybercriminals the SMS interception they need to read the verification codes: with the password captured on the PC and the code captured on the phone, they have everything required to bypass Facebook's two-factor verification.

"The way iBanking is installed on the user’s mobile is quite common, but it is the first time we have seen such a mobile application targeting Facebook users for account fraud." Researchers said.

Android malware steals money from QIWI Wallets

Cyber criminals are continually finding new ways to make money from infected devices. We already know SMS Trojans that earn money by sending premium-rate messages from infected Android devices.

Experts at Kaspersky have recently spotted a new Android Trojan that not only sends SMS to premium-rate numbers but also steals money from QIWI electronic wallets.

Visa QIWI Wallet is an electronic payment service that can be used to pay for goods and services around the world, receive payments and transfer money.

Once installed on a device, the malware, dubbed 'Waller', attempts to contact its command-and-control (C&C) server at playerhome.info and awaits further commands.

The malware can check the balance of the infected phone's account by sending an SMS to the mobile network operator and intercepting the reply, send SMS, open web pages, download and install other malware, update itself and send SMS to everyone in the victim's contact list.

The Trojan also checks the balance of the QIWI Wallet by sending an SMS to the service's short code, 7494. The reply is intercepted by the Trojan (so the victim never sees it) and forwarded to the cyber criminals. If there is money in the wallet, the malware sends another message to 7494 containing the attacker's wallet number and the amount to transfer, and the funds leave the victim's account.

The Trojan is distributed via SMS spam and through sites run by the cybercriminals, where it is disguised as various applications.
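The SMS behaviour above leaves a recognisable trace in the device's message log: sends to a short code, and a short-code reply that is re-sent verbatim to a number the user never talks to. The following triage script is an added example (not Kaspersky's analysis code) that looks for exactly that. The record layout is a constructed stand-in for whatever an analyst exports from the SMS content provider; the short code 7494 comes from the write-up, every other number and message body is made up, and the exact command syntax the Trojan sends to 7494 is not known from the write-up.

```python
"""SMS-log triage for short-code abuse (added example; constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Sms:
    direction: str  # "out" = sent from the phone, "in" = received
    peer: str       # other party: subscriber number or short code
    body: str
    ts: int         # unix seconds


def is_short_code(number: str) -> bool:
    """Short codes are all-digit and far shorter than a subscriber number."""
    digits = number.lstrip("+")
    return digits.isdigit() and len(digits) <= 6


def outgoing_to_short_codes(log):
    """Count messages the phone itself sent to each short code (premium SMS
    fraud and wallet commands both show up here)."""
    counts = defaultdict(int)
    for msg in log:
        if msg.direction == "out" and is_short_code(msg.peer):
            counts[msg.peer] += 1
    return dict(counts)


def find_forwarded_replies(log, window=120):
    """Return (short_code, forwarded_to) for every reply from a short code that
    was re-sent verbatim to a different number within `window` seconds.  A
    user has no reason to do that; a Trojan relaying an intercepted balance
    reply to its operator does exactly this."""
    findings = []
    ordered = sorted(log, key=lambda s: s.ts)
    for i, msg in enumerate(ordered):
        if msg.direction != "in" or not is_short_code(msg.peer):
            continue
        for later in ordered[i + 1:]:
            if later.ts - msg.ts > window:
                break
            if (later.direction == "out" and later.peer != msg.peer
                    and later.body.strip() == msg.body.strip()):
                findings.append((msg.peer, later.peer))
    return findings


# Constructed log: a balance query to 7494, the intercepted reply relayed to
# the operator's number, a transfer command, then normal chatter.
SAMPLE_LOG = [
    Sms("out", "7494", "balance query (syntax not in write-up)", 1000),
    Sms("in", "7494", "Balance: 1500 RUB", 1010),
    Sms("out", "+79990001122", "Balance: 1500 RUB", 1020),  # relay to operator
    Sms("out", "7494", "transfer 1500 to wallet 79995556677", 1030),
    Sms("in", "+79161234567", "see you tonight?", 1500),
    Sms("out", "+79161234567", "ok", 1510),
]

if __name__ == "__main__":
    print("sends to short codes:", outgoing_to_short_codes(SAMPLE_LOG))
    print("relayed short-code replies:", find_forwarded_replies(SAMPLE_LOG))
```

The forwarding check is the stronger of the two signals: legitimate apps send to short codes all the time, but an incoming reply being mirrored to a third number within seconds is the interception-and-relay step that both the QIWI theft and ordinary SMS-code theft depend on.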

Malware uses Your Phone to generate virtual currency for cybercriminals


Is your Android phone often overheating, or is its battery draining faster than normal? There is a chance that it is infected with malware that uses your phone to generate money for cyber criminals.

Researchers at Lookout have spotted a new piece of malware targeting Android devices, distributed on Spanish forums that share pirated software.

The malware, referred to as 'CoinKrypt', is not designed to steal any information from infected devices. That doesn't mean it is harmless: it uses as much of the device's computing power as it can to mine virtual currencies.

The result is an overheating device and a battery that drains quickly.

The malware appears to target only newer virtual currencies such as Litecoin, Dogecoin and Casinocoin. Mining the most popular and valuable currency, Bitcoin, needs far more computing power than a phone can offer, so the cyber criminals left Bitcoin mining out.

At this time it is almost a million times easier to mine Litecoin than Bitcoin, and over 3.5 million times easier to mine Dogecoin. Even though these newer coins are not as valuable as Bitcoin (1 BTC is around $650, 1 LTC is approaching $20), the cyber criminals are probably hoping they will one day reach Bitcoin-like values.

Variant of Zbot makes money for cybercriminals via pay-per-click ads


Zeus (ZBot), the notorious Trojan known for stealing online banking login credentials, continues to evolve.

A new variant spotted by Trend Micro researchers does something quite different from the others: it displays websites that carry advertisements.

Whenever the user tries to do anything on the infected machine, these websites take over the entire screen, preventing the user from reaching other windows or files.

The victim can get to the desktop by pressing the 'show desktop' shortcut (Win+D), but the websites keep running in the background.

"It should be noted that the sites being displayed are all legitimate – running from gaming sites, ticketing sites, music sites to search engines," the researcher said.

"Users can actually navigate these displayed sites. One curious feature of this malware is that it also performs various mouse movements and scrolling when the mouse is idle."

Interestingly, this variant has no module for stealing banking credentials. It still serves the purpose behind credential theft, making money for the cyber criminals; here the money comes from pay-per-click ad traffic that the simulated mouse movements and scrolling make look like a real visitor.

Dendroid, a new Android malware toolkit

The number of malware families for the Android platform is increasing day by day, and cybercriminals are now selling Android malware toolkits to other criminals. The first Android remote administration tool, AndroRAT, is believed to have come with the first ever malware APK binder, a tool that injects the RAT into a legitimate app.

Symantec researchers have found another Android malware toolkit, called "Dendroid", being sold on underground forums.

A cybercriminal using the online handle "soccer" is selling this HTTP-based RAT, which is said to have many malicious features.

The toolkit creates malicious APK files capable of deleting call logs, calling any number, opening web pages, recording calls, intercepting SMS, taking and uploading photos and videos, and launching DoS attacks.

Researchers say the seller also offers 24/7 support for the RAT. The toolkit costs $300, payable in crypto currencies such as Bitcoin and Litecoin.

Experts also note a link between this RAT and AndroRAT: "the author of the Dendroid APK binder included with this package had assistance writing this APK binder from the author of the original AndroRAT APK binder."

YouTube ads serve Banking Trojan Caphaw


The number of malvertising attacks appears to be increasing day by day, and even top websites fall victim to them. YouTube is the latest popular site to be hit by malicious ads.

Security experts at Bromium discovered that cyber criminals were distributing malware through YouTube ads.

According to the researchers, the malicious ads attempt to exploit vulnerabilities in outdated Java installations. The kit serves a different malicious JAR file depending on the installed Java version, so that the exploit matches it.

The exploit kit used in this attack is the "Styx Exploit Kit", the same one cybercriminals used to infect visitors of toy maker Hasbro's website, hasbro.com.

If the user's machine has a vulnerable plugin, the kit exploits it and drops a banking Trojan known as "Caphaw". The researchers say they are working with Google's security team.

Android SMS malware hosted on Google Play infects 1.2 Million users


Experts often suggest downloading Android apps only from Google Play to avoid malware infections. That doesn't mean every app hosted on Google Play can be trusted.

Security researchers from Panda Security have found more than five malicious apps hosted on Google Play.

The apps appear to target users in Spain; their names are in Spanish: “Peinados Fáciles” (Easy Hairdos), “Dietas para Reducir el Abdomen” (Abs Diets), “Rutinas Ejercicios para el Gym” (Workout Routines) and “Cupcakes Recetas” (Cupcake Recipes).

The apps obtain the phone number of the infected device from WhatsApp and use it to sign the victim up to premium-rate SMS subscription services.

The researchers say each of these apps was downloaded by between 50,000 and 100,000 users, which means between 300,000 and 1.2 million users may be affected.

“The truth is that fraudsters are making insane amounts of money from these premium services. A conservative estimate of, let’s say, €20 paid by each user would result in a huge sum of 6 to 24 million euros stolen from victims”, said Luis Corrons, Technical Director of PandaLabs.

Bitcoin stealing Mac malware found to be hosted on Download.com and MacUpdate.com

Image Credits: ThreatPost.
Another variant of the recently discovered Mac Trojan "OSX/CoinThief" has been found hosted on two popular download sites, Download.com and MacUpdate.com.

CoinThief is designed to steal the victim's Bitcoin service login credentials as well as the Mac's username and UUID (unique identifier); it also collects the list of Bitcoin-related apps installed on the system.

A few days earlier, SecureMac had spotted this Trojan hosted on GitHub under the name "StealthBit", where it was downloaded by hundreds of users. A Reddit user also pointed out the similarity between StealthBit and a year-old fake Bitcoin app, "BitVanity".

Now SecureMac has spotted another variant hosted on the popular download sites under the names "Bitcoin Ticker TTM" and "Litecoin Ticker". The names appear to have been taken from legitimate apps in the Mac App Store.

This version also installs a fake browser extension called "Pop-up Blocker" in Chrome, Safari and Firefox. The extension sniffs web traffic for Bitcoin login credentials and passes what it collects to a background process, which sends the data to a remote server.

SecureMac has published instructions for checking whether CoinThief is installed on your system and for removing it.

The developer of the legitimate Bitcoin Ticker TTM app said he has no connection with the Download.com and MacUpdate.com listings and recommends downloading the app only from the Mac App Store.

JackPos, a new Point of Sale malware stole thousands of Credit card data

Cyber criminals keep targeting point-of-sale (POS) systems with malware in order to steal credit card data. A new piece of POS malware has been uncovered by security researchers.

According to cyber intelligence firm IntelCrawler, the new POS malware, dubbed "JackPos", is distributed through drive-by download attacks. It disguises itself as a Java Standard Edition binary and replaces the legitimate Java Update Scheduler file on the infected system.

The loaders used in the drive-by attack are written in obfuscated, compiled AutoIt script. The researchers say this is done to evade AV detection; the loader unpacks additional malicious code, which then receives instructions from the C&C server.

"The Cybercriminals have used some sophisticated scanning, loading, and propagating techniques to attack these vectors to look to get into the merchants system through external perimeters and then move to card processing areas, which were possibly not separated in compliance with PCI policies," IntelCrawler said.


At least 4,000 credit cards appear to have been compromised across several countries, including Canada, Brazil, India, France, Spain, the United States, Argentina, Korea and others.

According to The Globe and Mail, more than 400 cards were stolen in Bangalore, India, 3,000 in São Paulo, Brazil, 700 in Canada and 230 in Madrid.

Corkow, a Banking Trojan which has interest in Bitcoins and Android developers

Security researchers at ESET have found that infections by the lesser-known Russian banking Trojan "Corkow" are increasing.

According to WeLiveSecurity, Corkow lets the attackers load different plug-ins to extend its capabilities.

Like other banking Trojans, it can log keystrokes, grab screenshots, and use web injection and form grabbing to trick victims into handing over their financial data.

On top of the usual banking features, it gives the attackers remote access to the infected machine and installs Pony, a universal password stealer.

The malware can also collect the browser history, the list of installed applications and the processes running on the infected machine.

It appears to take a particular interest in websites and software related to Bitcoin, and in the systems of Android developers who publish apps on Google Play.

Once a system is infected, the malware's payload is encrypted with a key derived from the volume serial number of the C: drive. Run on any computer other than the one it originally infected, the sample cannot decrypt its payload and behaves innocuously, which makes analysis in a sandbox difficult unless the original host's serial number is replicated there.

ESET says it will publish a more detailed technical examination of this malware next week.
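The host-binding trick described above is easy to reproduce, and doing so makes the analyst's problem concrete: the blob only decrypts on the machine whose volume serial produced the key, so a copied sample looks harmless. The following is an added illustration, not ESET's code and not Corkow's actual cipher; the toy SHA-256 keystream XOR, the "corkow-demo" label, the MAGIC header and the serial numbers are all made up. The only real API in it is GetVolumeInformationW, which is how the serial is read on Windows.

```python
"""Host-bound payload encryption keyed on the C: volume serial (added example)."""
import hashlib
import struct

MAGIC = b"PAYLOAD1"  # lets the decryptor recognise a correct key (made up)


def key_from_volume_serial(serial: int) -> bytes:
    """32-byte key from the 32-bit volume serial (what GetVolumeInformationW
    returns, and what `vol C:` prints)."""
    return hashlib.sha256(b"corkow-demo" + struct.pack("<I", serial)).digest()


def keystream(key: bytes, n: int) -> bytes:
    """Toy counter-mode keystream over SHA-256; demo only, not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("<Q", counter)).digest()
        counter += 1
    return bytes(out[:n])


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def bind_payload(payload: bytes, serial: int) -> bytes:
    """What the dropper does once on the victim: encrypt for this host only."""
    return xor(MAGIC + payload, key_from_volume_serial(serial))


def unbind_payload(blob: bytes, serial: int):
    """What the sample does on every start.  Returns the payload on the
    original host and None elsewhere, which is the 'innocuous behaviour' an
    analyst sees after moving the sample to a sandbox."""
    plain = xor(blob, key_from_volume_serial(serial))
    if not plain.startswith(MAGIC):
        return None
    return plain[len(MAGIC):]


def windows_volume_serial(root: str = "C:\\") -> int:
    """Read the real serial on a Windows box so a sandbox can be given the
    victim's value.  Windows only; not exercised by the offline demo."""
    import ctypes
    serial = ctypes.c_uint32(0)
    ok = ctypes.windll.kernel32.GetVolumeInformationW(
        root, None, 0, ctypes.byref(serial), None, None, None, 0)
    if not ok:
        raise OSError("GetVolumeInformationW failed")
    return serial.value


if __name__ == "__main__":
    blob = bind_payload(b"<second stage>", 0x1234ABCD)
    print(unbind_payload(blob, 0x1234ABCD))  # b'<second stage>'
    print(unbind_payload(blob, 0x1234ABCE))  # None
```

The practical consequence for incident responders: when a Corkow-style sample is pulled off a victim machine, record that machine's C: volume serial along with the sample, or the payload may never be recovered in the lab.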

StealthBit: New malware targeting Apple Mac OS X steals Bitcoins

A new Trojan horse targeting Apple Mac OS X spies on users' web traffic and attempts to steal Bitcoins. SecureMac says the malware, referred to as "OSX/CoinThief.A", is in the wild, and several users have reported that their Bitcoins were stolen.

The malware was hosted on GitHub under the name "StealthBit", disguised as an app for sending and receiving payments to Bitcoin stealth addresses. A link to the project was also posted on Reddit, inviting users to download the app, and was upvoted by around 100 people.

The project offered source code as well as a pre-compiled binary. Researchers say the binary did not match a build generated from the source code, so those who installed the pre-compiled version are likely infected.

One Reddit user reported that 20 Bitcoins (currently worth around $10,000) were stolen by the malicious app.

"I foolishly installed 'StealthBit' Anyone else find this to be a virus? The Post is still online.. I found 1 comment suggesting the possibility. https://pay.reddit.com/r/Bitcoin/comments/1wqljr/i_was_bored_so_i_made_bitcoin_stealth_addresses/" The user posted in the reddit.

When run for the first time, the app installs browser extensions for Safari and Google Chrome and keeps a program running in the background that looks for Bitcoin wallet login credentials. The malware then steals those credentials together with the username and unique identifier of the infected Mac.

At the time of writing, the malicious project has been removed from GitHub.

This is not the first time Mac users have been fooled by this kind of malicious app. One user shared that he was scammed by a similar app called "BitVanity", also hosted on GitHub, which stole 20 BTC from his account.

The user also pointed out an interesting detail about the two projects: "StealthBit" was hosted by "Thomas Revor" and "BitVanity" by "Trevorscool".

Thousands of websites using MadAdsMedia ads blocked by Google Safe Browsing

Thousands of website owners using the MadAdsMedia ad service got mad after Google Safe Browsing (GSB) blocked their websites.

A number of users reported on Google's product forums and on the Digital Point forums that their websites were blocked by GSB with the warning "This web page at [site] has been reported as an attack page and has been blocked based on your security preferences."

Even after removing the MadAdsMedia script from their websites, the malware warning kept appearing.

"In my webmaster tools it lists the suspicious snippets as the links to madads. As I said before I removed them, then I tried to request a review in my webmaster tools but when I submit it I get: 'Your request can't be processed at this time because your site isn't currently flagged for malware. If you see a malware warning in your browser, it is likely a cross-site warning.' " One of the user posted in DigitalPoint forums.

It is not yet clear whether Google blocked these websites by mistake or whether MadAdsMedia was hacked to serve malicious ads. We are also not sure how many websites are affected.

*Update:
According to fz6-forum, the server of one of MadAdsMedia's advertising vendors was hacked and a few ads were injected with malicious code.

"This message is regarding the recent malware notifications that some of our publishers may have experienced. Just before noon today, our engineers discovered that one of our ad serving locations had been hacked."
 
"Since this attack was discovered, our engineering team worked diligently until 3:45pm EST to ensure that the appropriate action was taken to secure our ad server. Unfortunately during that time, this attack affected 7.8% of our publishers' domains," the mail from MadAdsMedia reads.

Malvertising on Aftonbladet news site targets IE users with Fake Antivirus

Aftonbladet, the website of Sweden's largest newspaper, was found serving malicious ads that redirected users to a website pushing fake antivirus software.

A security researcher at Kaspersky said the site was spreading malware not because it had been hacked, but because cybercriminals had compromised a third-party ad feed running on the site.

The malicious script used in the malvertising attack checks whether the visitor's browser is Internet Explorer; only IE users are redirected to the malware site.

The malware page does not exploit any vulnerability. It displays a fake virus alert, styled as a Microsoft Security Essentials warning, claiming that threats were detected on the user's computer and urging the user to clean them.

Clicking the picture cleans nothing; it downloads a malicious, obfuscated Visual Basic executable.

"Large websites often include content from other websites, and if the bad guys compromise any of those websites they can also manipulate the content which is getting included by the large website." researcher said.

Android malware delivered via windows, when debugging-mode enabled

Be careful when connecting your Android device to other people's computers!
A new Windows-based malware installs a malicious application on Android devices that have USB debugging enabled.

Usually, malicious apps can only be installed on your device if you have changed the default security settings to allow apps from outside Google Play ("Unknown sources"). But malware analysts at Sophos say malware can still reach your device even if you have not enabled such "off-market" apps.

When USB debugging is enabled, apps can be installed on the device directly from a connected Windows machine, and a new Windows-based malware takes advantage of exactly this.

The malware first registers itself as a system service and downloads a configuration file, "iconfig.txt", which lists the files to be downloaded to the infected machine.

The files downloaded are "Samsung.exe, LG.exe, AdbWinApi.dll, AdbWinUsbApi.dll, aadpt.exe, adb.exe, AV-cdk.apk, ok.bat". Note that adb.exe, AdbWinApi.dll and AdbWinUsbApi.dll are the genuine Android Debug Bridge client and its support DLLs from the Android SDK; the malware simply brings its own copy of the official tooling.

The "ok.bat" batch file runs "C:\Users\Yourname> adb install AV-cdk.apk" from the command prompt, which installs the malicious APK on any connected Android device that has USB debugging enabled.

The APK's name suggests an antivirus, but once installed the app disguises itself as the "Google Play Store".

Researchers suggest turning off the Android USB debugging option whenever you don't need it. Note also that since Android 4.2.2 adb only talks to computers whose RSA key the user has explicitly accepted in the "Allow USB debugging?" prompt, so on such devices the attack only works from a computer that has already been authorised.
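A device that was plugged into an infected PC can be checked with the same adb tooling the malware used. The script below is an added example, not part of the Sophos analysis: it parses the text of `adb shell pm list packages -3 -i` (third-party packages with the installer that put them there; anything that arrived through `adb install` shows installer=null) and `adb shell settings get global adb_enabled`. The sample output is constructed and every package name in it is made up except com.android.vending, the real Play Store. The visible label the write-up says is spoofed ("Google Play Store") is not in this output; `aapt dump badging` on the pulled APK shows it, so a look-alike package name is only a hint and the installer=null list is the one to work through.

```python
"""Triage of third-party packages on an Android device after an adb exposure
(added example; constructed `pm list packages` output)."""
import re
import subprocess

LEGIT_PLAY_STORE = "com.android.vending"
PKG_LINE = re.compile(r"^package:(?P<name>\S+)\s+installer=(?P<installer>\S+)$")
LOOKALIKE = re.compile(r"vending|play.?store|google.?play", re.IGNORECASE)


def parse_installers(pm_output: str) -> dict:
    """Map package name -> installer package ('null' when sideloaded)."""
    pkgs = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            pkgs[m.group("name")] = m.group("installer")
    return pkgs


def sideloaded(pkgs: dict) -> list:
    """Third-party packages with no installer: adb install, a file manager or
    a browser download, never Google Play."""
    return sorted(name for name, inst in pkgs.items() if inst == "null")


def play_store_lookalikes(pkgs: dict) -> list:
    """Names that borrow Play Store branding but are not the real thing."""
    return sorted(name for name in pkgs
                  if name != LEGIT_PLAY_STORE and LOOKALIKE.search(name))


def triage(pm_output: str, adb_setting: str) -> dict:
    """adb_setting is the output of `settings get global adb_enabled`."""
    pkgs = parse_installers(pm_output)
    side = set(sideloaded(pkgs))
    look = set(play_store_lookalikes(pkgs))
    return {
        "usb_debugging_on": adb_setting.strip() == "1",
        "sideloaded": sorted(side),
        "sideloaded_lookalikes": sorted(side & look),  # strongest signal
    }


def triage_connected_device() -> dict:
    """Live version: needs adb on PATH and a device that has authorised this PC."""
    def run(*args):
        return subprocess.run(["adb", "shell", *args], capture_output=True,
                              text=True, check=True).stdout
    return triage(run("pm", "list", "packages", "-3", "-i"),
                  run("settings", "get", "global", "adb_enabled"))


# Constructed `pm list packages -3 -i` output.
SAMPLE_PM = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.googleplaystore.update  installer=null
package:org.mozilla.firefox  installer=com.android.vending
package:com.example.flashlight  installer=null
"""

if __name__ == "__main__":
    print(triage(SAMPLE_PM, "1"))
```

Anything on the sideloaded list that the owner does not recognise is a candidate for `adb pull` and a proper look; on the device, Settings > Developer options > "Revoke USB debugging authorizations" removes the trust that lets an already-authorised PC keep installing.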

Java Bot, a cross-platform malware capable of running on Windows, Mac and Linux


Security researchers at Kaspersky have come across a cross-platform malware that runs on Windows, Mac and Linux.

The malware is written entirely in Java. Even the exploit used to deliver it is a well-known Java exploit (CVE-2013-2465), which makes the whole campaign cross-platform.

Once the bot has infected a system, it copies itself into the user's home directory and adds itself to the list of autostart programs so that it runs every time the user reboots.

Once configured, the malware generates a unique identifier and reports it to its master. The cyber criminals then communicate with the bot over IRC.

The bot's main purpose appears to be taking part in distributed denial-of-service (DDoS) attacks: the attacker can instruct it to attack a specific address for a specified duration.

The malware uses a few techniques to make analysis and detection harder. It is processed with the Zelix KlassMaster obfuscator, which not only obfuscates the bytecode but also encrypts string constants.

All machines running Java 7 Update 21 or earlier are likely to be vulnerable; the flaw was fixed in Java 7 Update 25 (June 2013), so anything older should be updated.
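Both this campaign and the YouTube malvertising above hinge on an outdated Java, so the first thing to check on a fleet is the installed update level. The following is an added example, not Kaspersky's or Bromium's tooling: it parses the banner `java -version` prints (to stderr) and compares the update number with the first fixed release for that line. The Java 7 threshold (7u25, i.e. "7u21 and earlier" from the write-up) is the one the page gives; the 6u51 and 5.0u51 thresholds come from Oracle's June 2013 Critical Patch Update. The banners below are constructed test inputs.

```python
"""Is this `java -version` banner still exposed to CVE-2013-2465? (added example)"""
import re
import subprocess

# First update that contains the fix, per major version line.
FIRST_FIXED = {7: 25, 6: 51, 5: 51}

VERSION_RE = re.compile(r'version "(\d+)(?:\.(\d+))?(?:\.\d+)?(?:_(\d+))?')


def parse_java_version(banner: str):
    """Return (major, update) from a `java -version` banner, or None.
    Legacy numbering '1.7.0_21' -> (7, 21); modern '11.0.2' -> (11, 0)."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    first, second, update = m.group(1), m.group(2), m.group(3)
    major = int(second) if first == "1" and second else int(first)
    return major, int(update) if update else 0


def vulnerable_to_cve_2013_2465(major: int, update: int) -> bool:
    """True when the runtime predates the fix for its line.  Java 8 and later
    shipped after the fix; lines missing from FIRST_FIXED (4 and older) are
    long out of support and treated as vulnerable."""
    if major >= 8:
        return False
    fixed = FIRST_FIXED.get(major)
    return fixed is None or update < fixed


def check_installed_java() -> bool:
    """Live check on this machine; not exercised by the offline tests.
    Raises FileNotFoundError when no `java` is on PATH."""
    out = subprocess.run(["java", "-version"], capture_output=True, text=True)
    ver = parse_java_version(out.stderr + out.stdout)
    return ver is not None and vulnerable_to_cve_2013_2465(*ver)


# Constructed banners.
BANNER_OLD = 'java version "1.7.0_21"\nJava(TM) SE Runtime Environment (build 1.7.0_21-b11)\n'
BANNER_FIXED = 'java version "1.7.0_25"\nJava(TM) SE Runtime Environment (build 1.7.0_25-b15)\n'
BANNER_MODERN = 'openjdk version "11.0.2" 2019-01-15\nOpenJDK Runtime Environment 18.9\n'

if __name__ == "__main__":
    for banner in (BANNER_OLD, BANNER_FIXED, BANNER_MODERN):
        ver = parse_java_version(banner)
        print(ver, "vulnerable" if vulnerable_to_cve_2013_2465(*ver) else "ok")
```

Remember that the browser plugin and a standalone JRE can be different installations; a check of `java` on PATH says nothing about the version the browser will hand to an exploit kit, which is what Styx probes for.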

First Android Bootkit virus found to have infected 350,000 mobile devices

A new Android Trojan, said to be the first Android bootkit, has been discovered by the Russian security firm Doctor Web.

The malware resides in a protected area of the device's flash storage and launches itself early in the OS boot process, which makes it hard to remove.

The Trojan, identified as Android.Oldboot.1.origin, installs one of its components into the boot partition of the file system. It also modifies the init script, the program that initialises the Android system at startup.

When the device is turned on, the script executes and installs the other malware components as an ordinary application.

An Android virus your antivirus can't remove:
This malware is considered one of the most dangerous Android threats because even if you remove the application, the component residing in the boot partition re-infects the device on the next reboot.

Researchers believe the threat gets onto devices when users reflash their smartphones with modified firmware that contains the Trojan.

The malware has reportedly infected more than 350,000 mobile devices; 92% of them appear to be in China.

To avoid this kind of threat, make sure you do not install firmware from unreliable sources. Users are also advised not to buy devices of unknown origin.

No, Your fridge is not sending spam emails - They are innocent

A recent report from security firm Proofpoint claiming that "Internet-connected refrigerators are participating in a massive cyber attack" has been one of the hot topics in information security.

The report said that a massive global attack involving more than 750,000 malicious emails relied on more than 100,000 consumer gadgets such as routers, multimedia systems, TVs and a refrigerator.

However, a more recent report from Symantec says that "Internet of Things" devices, the Internet-connected fridge included, were not the source of this spam campaign.

Symantec traced the spam to several Windows-based computers; none of it originated from non-Windows systems.

"If your refrigerator uses a feature known as port forwarding and someone contacts the IP address on port 80, that traffic is allowed to reach your smart refrigerator," Symantec's report reads.


"Viewed from outside, all you will see is the refrigerator and you may not even realize there is a router with potentially many other devices behind it, such as an infected computer." In other words, the spam came from the public IP address of a home router that also forwards port 80 to the fridge, while the real sender was an infected PC behind the same router; Symantec's experts explained that this is likely why the researchers mistook the IoT devices for the source of the spam.

Even though the fridge and its IoT siblings are innocent this time, experts say we can expect cyber criminals to exploit such devices in the future. Researchers also pointed out that malware targeting Linux-based IoT devices already exists.

Brazil Government website hacked, redirected to malicious website

Image: the malicious JavaScript

A security researcher at F-Secure has spotted malicious code injected into the official website of the city of Franca in the state of São Paulo, Brazil (franca.sp.gov.br).

The attackers managed to place malicious JavaScript code in one of the site's JavaScript files. The injected code loads a malicious Flash object, which redirects visitors to a malicious domain.

The researcher did not specify what the malicious domain serves.

The website runs an outdated Joomla version (1.5), which is no longer maintained, so the cybercriminals probably exploited one of its known vulnerabilities. According to the researchers, this is not the only Brazilian government website running an outdated CMS.

F-Secure has contacted Brazil's government computer security incident response team, CTIR Gov, and informed it of the incident.
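In both the MadAdsMedia case above and this one, the first question for the site owner is the same: which script, frame or plugin object on my page is fetched from somebody else's host? The script below is an added example, not F-Secure's or Google's tooling, that answers it with the standard library alone, for a rendered page and for a raw JavaScript file (an injected loader that writes an `<object>` tag for a Flash file elsewhere has to name that host somewhere). The HTML and JavaScript are constructed: madadsmedia.com is the ad network named above, the page host is the Franca site's, and bad-example.invalid stands in for the unnamed malicious domain.

```python
"""Third-party active content in a page or script (added example; constructed input)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs through which a page loads code or plugin content.
ACTIVE_ATTRS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
# Absolute or protocol-relative URL literals inside JavaScript.
JS_URL = re.compile(r"""["'](?:https?:)?//([^/"'\s]+)[^"'\s]*["']""")


class ActiveContentParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, url) in document order

    def handle_starttag(self, tag, attrs):
        wanted = ACTIVE_ATTRS.get(tag)
        if wanted:
            for name, value in attrs:
                if name == wanted and value:
                    self.refs.append((tag, value))


def host_of(url: str):
    """Hostname of an absolute or protocol-relative URL; None for a relative one."""
    return urlparse(url).hostname


def is_first_party(host: str, page_host: str) -> bool:
    return host == page_host or host.endswith("." + page_host)


def third_party_refs(html: str, page_host: str):
    """(tag, host, url) for every active reference served from another origin."""
    parser = ActiveContentParser()
    parser.feed(html)
    out = []
    for tag, url in parser.refs:
        host = host_of(url)
        if host and not is_first_party(host, page_host):
            out.append((tag, host, url))
    return out


def hosts_in_js(js: str):
    """Hosts named by URL literals in a script file.  A site's own JS rarely
    embeds absolute URLs to strangers; an injected loader does."""
    return sorted({m.group(1) for m in JS_URL.finditer(js)})


SAMPLE_HTML = """<html><head>
<script src="/templates/js/mootools.js"></script>
<script src="//static.franca.sp.gov.br/site.js"></script>
<script src="//ads.madadsmedia.com/show.js"></script>
</head><body>
<object data="http://bad-example.invalid/l.swf" type="application/x-shockwave-flash"></object>
</body></html>"""

SAMPLE_JS = """function init(){ /* legitimate code */ }
document.write('<object data="http://bad-example.invalid/l.swf" width="1" height="1"></object>');"""

if __name__ == "__main__":
    for tag, host, url in third_party_refs(SAMPLE_HTML, "franca.sp.gov.br"):
        print(f"{tag:7} {host:24} {url}")
    print(hosts_in_js(SAMPLE_JS))
```

Run it against the page as the server actually delivers it, not against the template in the repository: the Franca injection lived in a served JavaScript file, and the MadAdsMedia snippet that Safe Browsing listed was only visible in the live page. A host that appears in the output and is not one the site deliberately includes is where to start looking.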

Android Malware HeHe steals messages and Intercepts phone calls


Security researchers at FireEye Labs have discovered six variants of a new Android malware family dubbed "Android.HeHe", which can steal SMS messages and intercept phone calls.

The malware is distributed as a security update for the Android OS. Once it infects a device, it contacts its command-and-control (C&C) server and starts monitoring incoming SMS.

Phone details including the IMEI, IMSI (International Mobile Subscriber Identity), phone number, OS version and phone model are sent to the C&C server.

It also checks whether the IMSI is null, a common anti-analysis check that it uses to tell an emulator from a real device (the malware assumes emulators have no IMSI).

The C&C server responds with a list of phone numbers. If the infected device receives an SMS or a phone call from one of those numbers, the malware intercepts it.

Text messages from those numbers are captured and stored on the attacker's server, and calls from them are silenced and rejected, so the victim never sees them.