New Trojan that hides in PNG images affects healthcare organizations

A new Trojan named Stegoloader has been reported. Most of the victims claimed by this Trojan are healthcare organizations in the US.

The Trojan hides itself inside PNG images to infiltrate personal computers and collect information. The malicious code is concealed in the pixel data of the image (steganography), so the file still opens and displays as an ordinary picture.

Because the payload travels as image data rather than as a recognisable executable, it can slip past security measures such as network firewalls and desktop antivirus software that do not inspect the content of images. A loader component on the victim's machine then extracts the hidden code from the pixels and runs it.
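The pixel-level hiding described above, as an added illustration that is not Stegoloader's own encoding and not code from Dell's report: least-significant-bit (LSB) steganography over a raw RGB buffer. Each payload bit replaces the lowest bit of one colour channel byte, so no channel value moves by more than 1 and the picture looks unchanged. The gradient cover image, the payload, the `random_payload` stand-in for an encrypted blob and the `lsb_ones_ratio` heuristic are all constructed for this example; a real PNG would first have to be decoded (for instance with Pillow) to get at the pixel bytes.

```python
"""LSB steganography over raw RGB pixel bytes (added illustration, not
Stegoloader's format). Payload bits replace the least significant bit of
successive colour channel bytes; a 4-byte big-endian length prefix lets the
extractor know where the payload ends."""
import os
import struct


def make_gradient_image(width: int, height: int) -> bytearray:
    """Constructed cover image: R runs left to right, G top to bottom, B fixed.
    Layout is R,G,B per pixel, row-major, with no headers or compression."""
    px = bytearray()
    for y in range(height):
        for x in range(width):
            r = x * 255 // max(width - 1, 1)
            g = y * 255 // max(height - 1, 1)
            px += bytes((r, g, 128))
    return px


def lsb_embed(pixels: bytes, payload: bytes) -> bytearray:
    """Hide payload in the LSBs: 4-byte length, then the payload, MSB first."""
    data = struct.pack(">I", len(payload)) + payload
    needed = len(data) * 8  # one channel byte per payload bit
    if needed > len(pixels):
        raise ValueError(f"cover too small: need {needed} channel bytes, have {len(pixels)}")
    out = bytearray(pixels)
    i = 0
    for byte in data:
        for shift in range(7, -1, -1):
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return out


def lsb_extract(pixels: bytes) -> bytes:
    """Recover the payload written by lsb_embed; rejects an impossible length."""

    def read_bytes(start: int, count: int) -> bytes:
        buf = bytearray()
        for n in range(count):
            v = 0
            for k in range(8):
                v = (v << 1) | (pixels[start + n * 8 + k] & 1)
            buf.append(v)
        return bytes(buf)

    (length,) = struct.unpack(">I", read_bytes(0, 4))
    if 32 + length * 8 > len(pixels):
        raise ValueError("length prefix does not fit the cover: no valid payload")
    return read_bytes(32, length)


def max_channel_delta(cover: bytes, stego: bytes) -> int:
    """Largest change to any channel value; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def lsb_ones_ratio(pixels: bytes, n=None) -> float:
    """Fraction of set LSBs over the first n channel bytes. A smooth image has
    structured LSBs; a region carrying an encrypted or compressed payload
    drifts towards 0.5, which is a cheap first-pass stego indicator."""
    n = len(pixels) if n is None else n
    return sum(p & 1 for p in pixels[:n]) / n


def random_payload(size: int) -> bytes:
    """Stand-in for an encrypted payload (uniform random bytes)."""
    return os.urandom(size)


if __name__ == "__main__":
    cover = make_gradient_image(64, 64)
    secret = b"constructed payload, not a real sample"
    stego = lsb_embed(cover, secret)
    print("round trip ok:", lsb_extract(stego) == secret)
    print("max channel change:", max_channel_delta(cover, stego))
    region = (4 + 400) * 8
    print("LSB ones ratio, cover:", round(lsb_ones_ratio(cover, region), 3))
    print("LSB ones ratio, stego:", round(lsb_ones_ratio(lsb_embed(cover, random_payload(400)), region), 3))
```

The round trip shows why perimeter tools miss this: the stego image is byte-for-byte the same size as the cover and every channel differs by at most one, so signature scanning and visual inspection see an ordinary picture. The `lsb_ones_ratio` check is only a heuristic: it separates a synthetic gradient from a random payload cleanly, but noisy photographs already have near-random LSBs, so in practice it produces false positives and a real loader could also spread bits out or use a different channel order.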

The malware was first spotted in 2013, but it has been reworked many times since and multiple versions of Stegoloader now exist. Dell SecureWorks was the first to report it.

Of all the Stegoloader victims, 42 percent are in the healthcare industry.

Dangerous Android malware steals money from your bank

Researchers from Doctor Web have identified a banking Trojan, Android.BankBot.65.origin, created specifically for Android devices.

The criminals inject the malicious code into legitimate online banking applications and plant the trojanized copies in third-party Android app stores and on other websites.

"Due to the fact that a compromised application looks and operates as a legitimate one, potential victims are very likely to install it on their mobile devices." Once installed, the Trojan gains access to system information and starts its malicious activity.

After installation, Android.BankBot.65.origin generates a configuration file containing its operating parameters. It then receives commands from a remote server and carries them out on the device, which lets the criminals steal money by intercepting and modifying SMS messages.

It can intercept incoming SMS messages, send texts to numbers listed by the criminals, and add arbitrary texts to the list of incoming messages. With these capabilities the criminals drain users' bank accounts: they send SMS banking commands that transfer money from the victim's account to their own, intercept messages containing verification codes, or use other fraudulent methods.
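What a trojanized banking app needs from the platform to do the SMS interception and sending described above is visible in its manifest before it ever runs. The following is an added example, not Doctor Web's detection logic, of a static manifest audit for that capability set; the two manifests are constructed for the example, and the package and receiver names in them are hypothetical.

```python
"""Static audit of an Android manifest for SMS-fraud capabilities (added
example with constructed manifests; not Doctor Web's detection logic)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.WRITE_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# An ordered-broadcast receiver at or above this priority runs before the
# stock SMS app on old Android releases and could abort the broadcast,
# hiding a verification code or a bank notification from the user.
HIGH_PRIORITY = 999


def _attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(manifest_xml: str) -> dict:
    """Return the SMS permissions, SMS_RECEIVED receivers and findings."""
    root = ET.fromstring(manifest_xml)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMISSIONS)

    sms_receivers = []
    for rcv in root.iter("receiver"):
        for filt in rcv.iter("intent-filter"):
            actions = {_attr(a, "name") for a in filt.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                priority = int(_attr(filt, "priority") or 0)
                sms_receivers.append((_attr(rcv, "name"), priority))

    findings = []
    if {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"} <= perms:
        findings.append("can both read and send SMS: SMS banking commands and OTP theft possible")
    for name, priority in sms_receivers:
        if priority >= HIGH_PRIORITY:
            findings.append(f"{name} handles SMS_RECEIVED at priority {priority}: sees messages before the user")
    return {
        "package": root.get("package"),
        "sms_permissions": sms_perms,
        "sms_receivers": sms_receivers,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed manifest of a trojanized banking app (hypothetical names).
TROJANIZED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Example Bank">
    <activity android:name=".LoginActivity"/>
    <receiver android:name="com.example.bank.SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest of the legitimate app it imitates (hypothetical names).
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank.official">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Example Bank">
    <activity android:name=".LoginActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (TROJANIZED_MANIFEST, BENIGN_MANIFEST):
        report = audit_manifest(manifest)
        print(report["package"], "suspicious" if report["suspicious"] else "clean")
        for line in report["findings"]:
            print("  -", line)
```

Run against a decoded manifest (for example the output of apktool), this flags the combination that matters for the fraud described here, the ability to both read and send SMS plus a receiver positioned ahead of the user's SMS app; a lone low-priority SMS_RECEIVED receiver is common in legitimate apps that auto-read one-time codes, so the check deliberately does not count it on its own. Note the limit of a permission-based check: the Minecraft scareware reported further down this page has no SMS permission at all and only hands a pre-filled message to the default SMS app, so it would pass this audit.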

Messages such as a "pre-approved credit card" offer that asks for personal information are another example of the fraud: a user who falls for it hands over banking credentials that are then used to empty the account. It is therefore important to download mobile banking applications only from authentic sources.

Think twice before you open email attachments from unknown senders

Security researchers at Check Point have discovered a new ransomware threat dubbed Troldesh, also known as Encoder.858 and Shade.

Troldesh, which was created in Russia, has already affected numerous users across the world. Like other ransomware, it encrypts the user's personal files and extorts money for their decryption.

“Troldesh is based on so-called encryptors that encrypt all of the user’s personal data and extort money to decrypt the files. Troldesh encrypts a user’s files with an “.xtbl” extension. It is spread initially via e-mail spam,” Natalia Kolesova, anti-bot analyst at Check Point, wrote in a blog post.

She said that they found a distinctive characteristic in Troldesh besides the typical ransomware features.

The authors of Troldesh communicate directly with the victim through an email address, which is used to arrange the payment method.

According to Kolesova, once the malicious email attachment is opened, the threat is activated and starts encrypting the user’s files, renaming them with the .xtbl extension.

File names are encrypted along with the file contents. Once the encryption is done, the victim is shown a ransom message and directed to a ‘readme’ text file for further instructions.

To stay safe, users are advised not to open anything suspicious sent by unknown senders.

“Many cases have been reported by the users paying the ransom without having their files decrypted. In order to avoid ransomware, it is important to back up important data previously on an external storage device or in the cloud,” she wrote.

The researcher said that affected users have to download a powerful anti-malware tool to scan the system and remove the ransomware. Removal stops the infection but does not restore files that have already been encrypted; for those, only an offline backup or the decryption key will help.

The researcher said she contacted the attackers by email and asked for a discount.

“I was very interested to learn more about the ransom and tried to start a correspondence with the attackers. As required, I sent the specified code to the e-mail address provided, one that is registered on the most famous Russian domain,” the researcher wrote.

The crooks demanded 250 euros to decrypt all of the files.

However, after the researcher asked them to reduce the amount, the criminals agreed to lower the ransom to €118 / $131, payable via the QIWI money transfer system.

Linux/Moose: new malware that turns routers into social network bots

Linux/Moose overview

A new worm, which is capable of spreading past firewalls, is targeting routers and modems to boost the visibility of profiles on social networking sites including Twitter, Facebook, YouTube, Instagram, Vine and SoundCloud, researchers said.

Olivier Bilodeau and Thomas Dupuy, security researchers at ESET, an IT security company based in Bratislava, Slovakia, said in a technical paper issued on 26 May that the new threat, called Linux/Moose, targets consumer routers and modems, including the hardware that Internet Service Providers (ISPs) supply to their customers.

The researchers said the malware infects Linux-based routers and other Linux-based devices to commit social networking fraud: ‘liking’ posts and pages, ‘viewing’ videos and ‘following’ other accounts.

“During our analysis we often asked ourselves, “Why so much effort in order to interact with social networks?” Then we realized that there is a market for follows, likes, views and whatnot. It is pretty clear that this is what is going on here,” the researchers wrote in the paper.

“First, there are attempts at stealing cookies from these sites. However, the cookies cannot be stolen if the traffic is HTTPS and now most of these sites are HTTPS-only, so it’s unclear how effective these attacks are in this respect. Second, attempting to commit fraud upon these sites needs a reputable and disposable IP address,” the researchers added.

“If someone tries to register 2000 Twitter accounts from his own IP address this will likely draw attention. To a social network site operator, there is probably nothing more reputable than an IP address behind a well-known ISP. Just the type of network where you can expect to find badly configured consumer routers,” said the researchers.

They said that the malware operators' business is to increase the number of followers, views and likes on the social media profiles they target.

According to the researchers, Moose does not exploit any vulnerability to compromise a device. Like other threats that target routers, it logs in by trying weak or default credentials. Once inside, it scans for other devices to infect, on the local network and on the Internet.

It also looks for other malicious processes on the device and terminates them, keeping the compromised device for itself.

The technical paper reveals that the routers are used to drive traffic to selected social network profiles; an infected device sends more than 500 requests a day.

The researchers monitored one Instagram account that followed no other accounts; its own follower count nonetheless rose from three to 40 in a single day.

While checking those followers, they found an account with a large number of fans (3,430). Within a week, its follower count increased to 11,672.

They also observed that devices from Actiontec, Hikvision, Netgear, Synology, TP-Link, ZyXEL and Zhone were affected by Moose.

Fake Minecraft game apps trick users into activating a premium-rate SMS subscription

Google Play has hosted over 30 scareware applications posing as cheats for the Minecraft game; more than 600,000 Android users have installed them.

The malicious applications were discovered by ESET. According to the company's report, “all of the discovered apps were fake, in that they did not contain any of the promised functionality and only displayed banners that tried to trick users into believing that their Android system is infected with a “dangerous virus”. Users were then directed to remove viruses by activating a premium-rate SMS subscription that would cost them 4.80 EUR per week.”

The apps were uploaded from different developer accounts, but there was no difference in their functionality; the only differences were in the names and icons of the applications.

Each app has only three buttons: Start, Options and Exit. After installation, the whole screen is covered by flashy advertisements, whose language is chosen according to the device's geographic location.

Clicking any of the buttons or any of the numerous banners leads to an alert window saying that the device is infected by a virus and needs attention, and offering several options to remove it.

Researcher Lukas Stefanko of ESET wrote: “The scareware prepares an SMS in the system default SMS application. The text of the SMS appears as an activation of the antivirus product. The application does not have permissions to send the SMS itself and solely relies on tricking the user to do it manually by social engineering. If the user falls for the scam, it will cost him 4.80 € per week.”

To avoid installing malicious apps, refrain from downloading apps from unofficial sources, look at the permissions an app requests before installing it, and keep the security software on your Android device up to date.

'Rombertik' malware destroys the system if it detects analysis

Researchers have discovered new malware, ‘Rombertik’, which destroys the host system if it realizes that it is being analyzed.

"Security researchers are constantly looking for ways to better detect and evade each other. As researchers have become more adept and efficient at malware analysis, malware authors have made an effort to build more evasive samples,” Ben Baker and Alex Chiu from Cisco Systems' Talos Group wrote in a blog post.

“Better static, dynamic, and automated analysis tools have made it more difficult for attackers to remain undetected. As a result, attackers have been forced to find methods to evade these tools and complicate both static and dynamic analysis,” the blog post added.

Like Dyre, Rombertik has multiple layers of obfuscation and anti-analysis functions. It is a complex piece of malware that hooks into the user’s browser to read credentials and other sensitive information for exfiltration.

Unlike Dyre, which targets banking information, Rombertik collects information from all websites indiscriminately.

The researchers said Rombertik arrives on a computer through a phishing campaign, as an email attachment. It first checks whether it is running inside a sandbox; if not, it decrypts itself and launches on the user’s computer. It then launches a second copy of itself and overwrites that copy with the spying functionality.

Before Rombertik begins spying, it performs a final check in memory to see whether it is being analyzed. If that check fails, it destroys the computer’s master boot record (MBR), leaving the system unable to boot. If it cannot overwrite the MBR, it instead encrypts every file in the user’s home folder, each with its own random RC4 key. To further hide its real functionality, the sample contains a large amount of dummy code, including 75 images and some 8,000 functions that are never used.

If it is not detected, it monitors browser activity, reading credentials and private information, and sends its findings back to the attacker’s server.

To protect a computer from Rombertik, the researchers said, the security basics apply: keep security software up to date, ignore attachments from unknown senders and, for businesses, maintain solid security policies.