Researchers find out New Linux Backdoor

Security researchers from Doctor Web, a Russian Anti-malware company, have detected a new backdoor dubbed Linux.BackDoor.Dklkt.1 that targets Linux operating systems.

However, the signature of the backdoor has been added to Dr.Web virus databases. So, its Linux users are under reliable protection.

“It clear that creators of this malicious program planned to equip it with wide variety of powerful features, but bringing all their intentions to life proved rather problematic at the moment, not all of the program's components work as they should,” the researchers wrote in a blog.

The researchers have claimed that backdoor is supposedly of Chinese origin. They have said that the virus makers tried to create a multi-component malicious program encompassing a large number of functional properties.

“For example, they wanted to equip it with functions typical of file managers, DDoS Trojans, proxy servers, and so on,” they added. “However, not all of these plans were destined to see the light. Moreover, virus makers attempted to make a cross-platform program out of their creation; so that the executable file could be assembled both for Linux and Windows architectures. However, due to carelessness of cybercriminals, the disassembled code contains some strange constructions that have absolutely nothing to do with Linux.”

According to the researchers, the backdoor checks the folder from which it is run for the configuration file containing all operating settings. The file has three addresses of command and control servers. One of them is used by the backdoor, while the other two are stored for backup purposes. The configuration file is encrypted with Base64.

Once the backdoor gets activated, it tries to register itself in the system as a domain (system service). If the attempt fails, the backdoor terminates its work.

“Once the malicious program is successfully run, it sends the server information on the infected system; at that, the transmitted data is compressed with LZO and encrypted with the Blowfish algorithm. In addition to that, every packet contains a checksum, so that the recipient could verify data integrity,” the researchers explained.

Researchers have said that then Linux.BackDoor.Dklkt.1 waits for incoming commands that can include launching a DDoS attack, starting SOCKS proxy server, running a specified application, rebooting the computer or turning it off.

‘Android games on Google Play steal Facebook credentials,’ say researchers


This may come as a shock to many of the game lovers that Cowboy Adventure, a popular Android game on Google Play store, because researchers, from ESET, have revealed that the game has compromised the Facebook login credentials of over a million users who downloaded that Android game.

According to a post by the researcher on July 9, the Cowboy Adventure app on the Google Play store was able to steal personal information of the users.

With 500,000 – 1,000,000 installs, the developer of the Cowboy Adventure app also used it as a tool to harvest Facebook credentials.

However, the Google has taken down both of the apps from their app store and also warns against their installation on Android devices.

“It was one of two games spotted by ESET malware researchers that contained this malicious functionality, the other one being Jump Chess,” according to a report on Welivesecurity.

The report said that unlike some other Android malware, these apps did contain legitimate functionality (they actually were real games) in addition to the fraud. The problem lies in the fact that when the app is launched, a fake Facebook login window is displayed to the user. If victims fell for the scam, their Facebook credentials would be sent to the attackers’ server.

It is said that the latest version of the app at the time Google took it down from their official market last week was 1.3. This trojanized game had been available for download from Google Play since at least April 16, 2015, when the app was updated.

“We are not sure how many users had their Facebook credentials compromised,” the report read.

 “Our analysis of these malicious games has shown that the applications were written in C# using the Mono Framework. The phishing code is located inside TinkerAccountLibrary.dll. The app communicates with its C&C server through HTTPS and the address to which to send the harvested credentials (also known as the ‘drop zone’) is loaded from the server dynamically,” the report read.

The researchers have said always download apps from the official Google Play store than from alternative app stores or other unknown sources and always check the ratings and user comments.  

“Even though Google Play is not 100% malware free, they do have strong security mechanisms to keep trojans out,” the researchers added.

Researchers detect a threat that abuses Android accessibility feature to steal data

Researchers from LookOut, a San Francisco-based mobile security company that provides security to both private and business mobile devices, have detected a malware dubbed “AndroRATIntern” that abuses the accessibility service in Android to steal sensitive data from infected smartphones.

“After discovering this threat, Lookout notified both LINE and Google. None of LINE’s systems were breached. All Lookout users are protected against this threat,” the researchers wrote in the blog.

According to the researchers, AndroRATIntern is surveillanceware developed from the AndroRAT malware toolkit. It is sold commercially as “AndroidAnalyzer”.

“The threat is notably the first piece of malware we’ve ever seen abusing the Android accessibility service to steal data,” the blog read.

According to them, the malware targets the Japanese market. It can collect a broad amount of data from infected devices, including LINE’s, which allows users to make voice and video calls and send messages and most popular communications apps in Japan, messages, contact data, call logs, SMS, audio, video, photos, SD card changes, and GPS location.

The researchers said that the AndroRATIntern must be locally installed which requires a malicious actor to have physical, unmonitored access to the target device, making it a much more targeted threat that cannot be spread by drive-by-download campaigns.

It steals SMS messages, contact data, and other files are not uncommon. However, it is difficult to steal messages from LINE as the application runs in a sandbox.

The malware bypasses the security mechanism by abusing the text-to-speech accessibility feature in Android. This feature is designed to aid visually impaired users, but the malware developers are leveraging it to capture LINE messages when they are opened by the victim.

The researcher pointed out some tips which can keep people safe:

-         - Keep a pass-code on your device. it will be significantly harder for someone to download and install anything to your phone if it’s locked
-          -Download security software that can tell you if malicious software is running on your device
  

New Trojan that hides in PNG images affects healthcare organizatons

A new Trojan named the Stegoloader Trojan has been reported. The most victims claimed by this trojan are based in healthcare organizations in the US.

This new Trojan hides itself in PNG imaged to infiltrate personal computers of people and collect information. The malware hides in the pixels of the images.

The trojan hides in PNG images so it is able to circumvent security measures like network firewalls and personal antivirus software.

This malware was first spotted in 2013, but since then it has been reworked many times and multiple versions of Stegoloader now exist. Dell was the first company to report this malware.

Out of all the Stegoloader victims, 42 percent are in the healthcare industry.

Dangerous Android malware steals money from Your Bank


Researchers from Doctor web security have identified a banking trojan called Android.BankBot.65.origin which has been specially created for Android devices.

Cyber criminals are adding the malicious code with the legitimate online banking applications and planting them in various third-party android markets and other websites.

"Due to the fact that a compromised application looks and operates as a legitimate one, potential victims are very likely to install it on their mobile devices."  After that the Trojan starts accessing the system information and do nasty stuff.

After the installation of malicious software Android.BankBot.65.origin generates special kind of configuration file containing operating parameters for the Trojan. The trojan usually receive commands from host server and then exploit all the device vulnerability causing cyber criminals to steal money by intercepting and modifying SMS.

It may intercept incoming SMS messages and send texts to numbers listed by cyber criminals. It can add various texts to the list of incoming SMS messages. Using these methods, cyber criminals steal money from users' bank accounts by sending messages to transfer money from the victim's account to the account of cyber criminals or by intercepting messages containing verification codes or by implementing other fraudulent methods .

Messages like “pre-approved Credit card asking personal information” are example of fraudulent schemes which may lead user to fall into trap and they may share their banking credentials which leads to online banking stealing . And Thus its important to download mobile banking applications from authentic sources only .

Think twice before you open email attachments from unknown senders


Security researchers of Checkpoint have discovered a new ransom threat dubbed Troldesh, which is also known as Encoder.858 and Shade.

The Troldesh, which was created in Russia, has already affected numerous users across the world. The Troldesh ransomware typically encrypts the user’s personal files and extorts money for their decryption.

“Troldesh is based on so-called encryptors that encrypt all of the user’s personal data and extort money to decrypt the files. Troldesh encrypts a user’s files with an “.xtbl” extension. It is spread initially via e-mail spam,” Natalia Kolesova, anti-bot analyst at the Check Point, wrote in a blog.

She said that they found a distinctive characteristic in Troldesh besides the typical ransom features. 

The inventors of Troldesh directly communicate with the user by providing an email address, which is used to determine the payment method.

According to Kolesova, once a corrupted email is opened, the malicious threat is activated. Then, it will start encrypting the user’s files with the extension .xbtl.

Along with the files, users’ names are also encrypted. Once the encryption process is done, the affected user is displayed a ransom message and is being redirected to a ‘readme’ text for further information.

In a bid to stay safe, users are advised not to open anything suspicious by unknown senders.

“Many cases have been reported by the users paying the ransom without having their files decrypted. In order to avoid ransomware, it is important to back up important data previously on an external storage device or in a cloud,” she wrote.

The researcher said that the affected users have to download a powerful anti-malware tool to scan the system and remove the ransomware.

The researcher said she contacted the hackers via an email and asked for a discount.

“I was very interested to learn more about the ransom and tried to start a correspondence with the attackers. As required, I sent the specified code to the e-mail address provided, one that is registered on the most famous Russian domain,” the researcher wrote.

The crooks had demanded 250 euros to decrypt all of the files.

However, after the researcher asked to reduce the amount, the criminals agreed to lower the ransom to €118 / $131, payable via QIWI money transfer system.

Linux Moose: A new malware which turns routers into social networks bots

Linux/Moose overview

A  new worm, which is capable of spreading past firewalls, is now targeting routers and modems to boost visibility of profiles on various social networking sites including Twitter, Facebook, YouTube, Instagram, Vine and SoundCloud, researchers said.

Olivier Bilodeau and Thomas Dupuy, security researchers at ESET, an IT security company based in Bratislava, Slovakia, said in a technicalpaper, which was issued on 26 May, that new threat, which is called Linux/Moose, targets consumer routers and modems including the hardware provided by Internet Service Providers (ISPs) to consumers.

The researchers said that the new malware is infecting Linux-based routers and other Linux-based devices to commit social networking fraud in order to ‘like’ posts and pages, ‘view’ videos and ‘follow’ other accounts.

“During our analysis we often asked ourselves, “Why so much effort in order to interact with social networks?” Then we realized that there is a market for follows, likes, views and whatnot. It is pretty clear that this is what is going on here,” the researchers wrote in the paper.

“First, there are attempts at stealing cookies from these sites. However, the cookies cannot be stolen if the traffic is HTTPS and now most of these sites are HTTPS-only, so it’s unclear how effective these attacks are in this respect. Second, attempting to commit fraud upon these sites needs a reputable and disposable IP address,” the researchers added.

“If someone tries to register 2000 twitter accounts from his own IP address this will likely draw attention. To a social network site operator, there is probably nothing more reputable than an IP address behind a well-known ISP. Just the type of network where you can expect to find badly configured consumer routers,” said the researchers.

They said that the task of the malware operators is to increase the number of followers, views and likes on social media websites, which the operators target.

According to the researchers, Moose does not exploit any vulnerability to compromise the device and instead accesses them by trying out weak or default login credentials, like other threats targeting routers. Then it starts scanning for other devices to infect, either on the network or on the Internet.

Moreover, it looks for other nefarious process and terminating the devices activity in order to protect those devices.

The technical paper has revealed that the routers are used to drive traffic to certain social network profiles. An infected device would send more than 500 requests in a day.

The researchers have observed one of the Instagram accounts, which maintained the zero-followers numbers but the number of followers increased from three to 40 in one day.

While the researchers were checking the followers, they found out an account with a large number of fans (3,430). Within a week, the number of followers increased to 11,672.

They also observed that devices from Actiontec, Hik Vision, Netgear, Synology, TP-Link, ZyXEL and Zhone were affected by Moose.

Fake Minecraft game apps trick users into activating a premium-rate SMS subscription



Google Play store has over 30 scareware application available for download as a cheat for the Minecraft game, more than 600.000 Android users have installed it.

The malicious applications was discovered by ESET Mobile Security. According to the  security website, “all of the discovered apps were fake, in that they did not contain any of the promised functionality and only displayed banners that tried to trick users into believing that their Android system is infected with a “dangerous virus”. Users were then directed to remove viruses by activating a premium-rate SMS subscription that would cost them 4.80 EUR per week.”

The apps were uploaded by different developer account, but there was no difference in their functionality, the only difference is in the names and icons of the applications.

The app has  only three buttons  – Start, Options, Exit. After installing the app, the whole screen is covered by flashy advertisement , and the language of the advertisements are based on geographic location.

Clicking on any of the buttons or on the numerous banners will lead to an alert window  saying that your device is infected by virus and need attention, and giving you many options to remove it.

Researcher Lukas Stefanko, ESET, wrote “The scareware prepares an SMS in the system default SMS application. The text of the SMS appears as an activation of the antivirus product. The application does not have permissions to send the SMS itself and solely relies tricking the user to do it manually by social engineering. If the user falls for the scam, it will cost him 4.80 € per week.”

To avoid downloading any kind of malicious apps, refrain from downloading apps from unofficial sources and keep security software on your Android up to date.

'Rombertik' malware which destroys the system if detected

Researchers have discovered a new malware ‘Rombertik’ which destroys the system if it realizes that it is being analyzed.

"Security researchers are constantly looking for ways to better detect and evade each other. As researchers have become more adept and efficient at malware analysis, malware authors have made an effort to build more evasive samples,” Ben Baker and Alex Chiu from Cisco Systems' Talos Group wrote in a blog post.

“Better static, dynamic, and automated analysis tools have made it more difficult for attackers to remain undetected. As a result, attackers have been forced to find methods to evade these tools and complicate both static and dynamic analysis,” the blog post added.

Similar to Dyre, Romberik, which has multiple layers of obfuscation and anti-analysis functions, is a complex malware which can be hooked into the user’s browser to read credentials and other sensitive information for ex-filtration.

However, Dyre targets banking information unlike Rombertik which collects information from all websites in an indiscriminate manner.

Researchers said Romberik arrives on any computer through a phishing campaign or through an email attachment. It tries to check to see if it is running within a sandbox. After that, it decrypts itself and launches on the user’s computer. Once this process gets completed, a second copy of itself launches and is overwritten with the spying functionality.

Before Rombertik begins spying on the system, it does a final check to see if it is running in the system’s memory.

It destroys the computer’s master boot record, leaving the system inoperable. If it cannot destroy then it targets all files in the user’s home folder, by encrypting each one with random RC4 keys. It contains plenty of dummy code, which include 75 images and 8,000 functions which is to hide the malware’s functionality.

If the malware is not detected, it checks the browser activities, reading credentials and private information, before sending its findings back to the attacker’s server.


The researchers said that in order to prevent ones’ computer from Rombertik, people have to follow security basics like up-to-date security software, ignore attachments from unknown senders and solid security policies for businesses will all help avoid the malware.

Updated Dyre malware successfully avoiding sandboxing

The Dyre banking trojan, which lead to stealing of over a million from the corporate banks in April has got a new update which renders it undetectatble by anti-sandboxing techniques.

The malware checks how many processor cores the machine has and if it has only one, it terminates. Since sandboxes are configured with only one processor with one core as a way to save resources, this is an effective evasion technique -  most of the computers now come with multiple cores.

Seculert's check for Dyre's evasion of analysis with four commercially available sandboxes revealed that the malware has been successful in fooling the systems.

In addition Dyre has switched user agents to avoid detection by signature-based systems. The Upatre downloader which is working in conjunction with Dyre also has new changes to avoid signature-based detection. Upatre now uses two user agents and different download communication pathway. The communication path naming convention is obscure and not based on identifiable characteristics.

These progress in malware technologies reveal that sandboxing alone cannot be an effective way to deal with vulnerabilities. The ability to detect evasive malware needs to include machine learning and the analysis of outbound traffic over time.

New malware in online banking causes problem in Japan


A new online banking malware, which was found in Operation Emmental, has now been causing problems in Japan.

TROJ_WERDLOD, a new detected malware, has been causing problems in the country since December 2014. More than 400 systems were affected by the new malware.

According to Hitomi Kimura, a security specialist at TrendMicro, the malware can change two settings which allow information theft at the network level.

It does not require a reboot or any memory-resident processes on the affected systems.

Kimura wrote on a blog that one of settings gets modifies in the system’s proxy settings. The attackers controls the way from Internet traffic to a proxy. And the second is the additional malicious root certificate to the system’s trusted root store. It allows malicious site certificates which are added in man-in-the-middle attacks to be used without triggering alerts or error messages.

He wrote that the TROJ_WERDLOD harms users via spam mails with an attached .RTF document. The document said to be an invoice or bill from an online shopping site. If anyone opens the .RTF file, the user gets instruction to double-click the icon in the document in order to execute the TROJ_WERDLOD in the system.
Spam mail which leads to TROJ_WERDLOD. Photo Courtesy:TrendMicro

According to him, the hackers used a fake certificate and proxy in Operation Emmental. They also used fake mobile apps in order to steal SMS messages from online banks. It seems that the same behavior may be seen in the future in Japan, although Japanese banks rarely use SMS authentication.

Kimura suggested that in order to restore an infected PC to its normal condition, the following steps should be taken:
-        1. Remove the proxy automatic setting in Windows and Firefox and if anyone has an option provided by the ISP and/or system administrator, he/she can change it back to the previous setting.
-        
           2. Remove the malicious root certificate installed by TROJ_WERDLOD which was stored in Windows and Firefox. This malicious root certificate has the following signature:
·         A134D31B 881A6C20 02308473 325950EE 928B34CD

Fake adult site infecting your phone with SMS Trojan

People at Zscalar Research have found out that, a chinese porn site has been masquerading, and in reality is making your phone infected with malware.

When you visit the page, and try to play a video, the website asks you to download a piece of software to view the video, which in reality is a trojan.

The trojan installs itself in your phone and becomes a Broadcast Receiver, and intercepts all the SMS communications that happen on your phone. This is used by hackers to do fraudulent transactions on affected phones.

The payload filename is dynamically generated by the website so as no blacklisting of the malicious malware can be done.

Interpol coordinated to take down Simda botnet

The Simda botnet has been taken down on April 9 in a collaborative effort between international law enforcement bodies and private security and technology companies coordinated by Interpol's Global Complex for Innovation.

The botnet, known for spreading banking malware and establishing backdoor for many malware, has exploited more than 770,000 computers in 190 countries. The take down has resulted in seizure of 14 command-and-control servers in the Netherlands, United States, Poland, Luxembourg, and Russia.

According to the researchers, Simda is a mysterious botnet used by cyber criminals for distributing several types of unwanted and malicious software. Due to constant functionality and security updates, it rarely appears on the KSN radars despite a large number of hosts every day.

It uses hardcoded IP addresses to notify the keeper about the various stages of execution. It can modify the system hosts file by downloading and running additional components from its own updated servers, and to point to malicious IP’s, it adds unexpected records for google-analytics.com and connect.facebook.net.

The Kaspersky Lab report says that, “This criminal business model opens up the possibility of exclusive malware distribution. This means that the distributors can guarantee that only the client’s malware is installed on infected machines. And that becomes the case when Simda interprets a response from the C&C server – it can deactivate itself by preventing the bot to start after next reboot, instantly exiting. This deactivation coincides with the modification of the system hosts file. As a farewell touch, Simda replaces the original hosts file with a new one from its own body.”

To analyse the spread of the infection the Digital Crime Centre (IDCC) in Singapore worked with Microsoft, Trend Micro, Kaspersky Lab, and Japan's Cyber Defense. The researcher team also involved officers from the Dutch National High Tech Crime Unit in the Netherlands, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, the Federal Bureau of Investigation in the US, and the Russian Ministry of the Interior's Cybercrime Department "K".

Sanjay Virmani, Director of the INTERPOL Digital Crime Centre, said “This successful operation highlights the value of, and need for partnerships involving national and international law enforcement and private industry in the fight against the global threat of cyber crime. The operation has dealt a crippling blow to the Simda botnet. INTERPOL will continue its work to assist member countries in protecting their citizens from cybercriminals and to identify other emerging threats.”

‘Trojan.Laziok’ Malware targets energy sector in Middle East

Image Credits: Symantec
Symantec detected a Trojan.Laziok, which acts as a reconnaissance tool allowing the attackers to gather data about the compromised computers.

Between January and February, Symantec observed a ‘multi-staged, targeted attack campaign’ against energy companies around the world, and the focus  was on the Middle East Countries.

According to the blog post of Symantec’s Christian Tripputi, the attack starts  with spam emails from the moneytrans[.]eu domain,  which acts as an open relay Simple Mail Transfer Protocol (SMTP) server. These mails include a  malicious attachment that contain an exploit for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158). The code is executed, If the users opens the attachment, which is Excel file. It leaves Trojan.Laziok on the computer.

To hides itself Trojan creates folder names in the %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle directory, and rename itself with well-known file names such as:

%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\search.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\ati.exe  
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\lsass.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\smss.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\admin.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\key.exe  
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\taskmgr.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\chrome.exe

By collecting system configuration data such as Computer name, Installed software, GPU details, CPU details, Antivirus software, RAM size, Hard disk size, Trojan.Laziok begins its reconnaissance process.


After receiving the system configuration data, attackers infected  the computers with additional malware, and distribute the customized copies of Trojan.Zbot and  Backdoor.Cyberat which are specifically tailored for the compromised computer’s profile.

Symantec and Norton products have protections against this campaign.

Malware infections through spam campaigns can be avoided by not clicking on links in unsolicited, unexpected, or suspicious emails; avoid opening attachments in unsolicited, unexpected, or suspicious emails; use comprehensive security software, such as Symantec Endpoint Protection or Norton Security, to protect yourself from attacks of this kind; take a security layered approach for better protection; keep your security software up to date; apply patches for installed software on a timely basis.

The 64 bit version of NewPosThings malware is here

A new 64 bit version of NewPosThings, a point of sale malware, has come to light. The 32 bit version of NewPos Things was discovered by Arbor systems in September last year.

The recent developments were brought to light by Trend Micro's threat analyst, Jay Yaneza. They found the malware targeting 64 bit and higher systems, rather than the original 32 bit systems that were being affected initially.

According to SC Magazine, Taneza said, “Similar to the previous 32-bit version reported last year, the 64-bit sample is a multifunction Trojan that includes added functionalities and routines,” Yaneza wrote. “These include RAM scraper capabilities, keylogging routines, dumping virtual network computing (VNC) passwords, and information gathering.”

Researchers have noticed recently that the malware has been evolving continuously affecting more and more security based function in a POS machine.

Delving into PoSeidon malware

News of data breaches that have been occurring through card usage at infected point of sale (PoS) systems at retailers has become common now-a-days. There being a huge market for stolen credit card information, the companies are being targeted with newer and sophisticated malwares.

How do these malwares exactly work? During investigation of the cases of breaches, CISCO security solutions have discovered the working mechanism a new malware family which has been nicknamed PoSeidon malware.

The infection of the PoS system possibly arises from a keylogger which after getting installed deletes the profile log in information i.e passwords stored on the system. This forces the user to type down the information which gets recorded by the keylogger and sent back to the server which can then access the system remotely to infiltrate it with the Loader malware to steal card information.

What the Loader does is, it tries to get itself installed in the PoS system as a service that is run as Winhost, so that it can survive reboots of the system. This step is called persistence by which it maintains hold on the system. It then connects to the hardcoded command and control servers, which then sends the second executable part of the malware called the FindStr.

It also simultaneously installs another keylogger. FindStr goes through data on the infected system to look for number sequences that start with 6, 5, 4 with a length of 16 digits (Discover, Visa, Mastercard) or 3 with a length of 15 digits (AMEX).

It then runs the Luhn algorithm to verify whether its card information or not and sends the information along with data from keylogger to the exfiltration servers from where it can be harvested for further usage.

The malware can also update itself depending on communication from external server. Further investigation shows that developers are working to use these in other newer projects.Faced with such persistent threats organizations need to be vigilant and adopt a threat-centric approach to provide security during the full attack continuum – before, during, and after an attack.

Gift from Amazon, beware it can be Malware


In recent times, if you received this message, "Hey [NAME], I am sending you $200 Amazon Gift Card You can Claim it here", on your phone, if yes, then you have became the victim of one of the single largest messaging-initiated mobile malware, as discovered by AdaptiveMobile.

This malware access all your contacts  on the phone and sends a spam message to each of them with the URL that promises an Amazon gift card if you install an APK file hosted on the page.

Thousands of people around the world have installed this malware and been a victim, alone in North America, there is around 4K devices that are infected  by this malware. According to VirusTotal, none of the Anti Virus engines detect this malware, but can be easily removed by using standard Android app uninstall utilities.

The shortened URL account of this malicious URL was actually connected to a FB account, which seems to be owned by a real person. It seems that this spam campaign is not new for the owner of the profile. Previous WhatsApp spam can be related to this, as there was a link which redirects users to a scam page, which shows close link between the author of both the spams.

AdaptiveMobile is the  mobile security protecting  company, that protects all services on both fixed and mobile networks through in-network and cloud solutions.

New Mac OS X Botnet uses Reddit's Search function to get CNC servers list


Security Researchers at Russian Antivirus company Dr.Web have published
details of a new botnet that targets Mac OS X.

What is very interesting is that this malware uses the search function of Reddit to acquire the Command and control(C&C) servers list from comments posted in a 'Mine Craft Server Lists' sub reddit.

The malware calculates MD5 hash of the current date and uses the first 8 bytes of the hash to search in reddit.  The result contains the Server IPs with port numbers.

The malware dubbed as 'iWorm' has reportedly infected more than 17,000 Mac computers - 4,610 of which are in the US.

The reddit account used by the cyber criminals appears to be removed.  However, it is not going to stop the bad guys from controlling their botnet, they either create a new account or use any other online services.

"Xsser mRAT", an Advanced iOS spyware targets Hong Kong protesters


Security researchers from Lacoon Mobile Security company identified an advanced iOS Trojan targeting protesters in Hong Kong.

The trojan dubbed as 'Xsser mRAT", is related to similar Android malware found last month targeting the protesters.

The android version of this malware is distributed via whatsapp messages disguised as an application to help coordinate Occupy Central protest.

"The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it’s first iOS trojan linked to Chinese government cyber activity." the company wrote.

The malware is capable of stealing text messages, contact list, call logs, location information, photos and other information.  It also steals passwords from the iOS keychains.

The good news is that the malware can run only if the user's device is jailbroken.  You can find lot more information and technical information in their blog post.

Malicious Ad Network "Kyle and Stan" serves Windows and Mac Malware


Cyber Criminals have been placing malicious ads on a number of popular websites including YouTube, Yahoo that serves malicious software.  The campaign also targets Mac users.

The malicious network, uncovered by Cisco Researchers comprise of over 700 domains.  They observed nearly 10,000 connections to the malicious domains.

The operation has been dubbed "Kyle and Stan" because most of the domains used in this campaign for distributing malicious software contain "kyle" and "stan" strings in the sub-domain name.

The users website who visit the websites containing malicious ad will be redirected to another website.  Users will then be redirected to another page that will serve mac or windows malware based on their user agent.

"The attackers are purely relying on social engineering techniques, in order to get the user to install the software package. No drive-by exploits are being used thus far" Armin Pelkmann, Cisco researcher, wrote in a blog post.