Website of Chelyabinsk court hit by data-encrypting malware

Attackers compromised the website of the Arbitration Court of Chelyabinsk (a federal subject of Russia on the border of Europe and Asia) and infected the server with data-encrypting malware.

The malware encrypted the information and files on the server. The incident took place on 4 October. By 10 October, experts had managed to restore the website from a previously saved backup.

However, the court lost all the information published on its website this year, because the last backup had been taken in January. Online resources including news, charts, video of conferences, and information about the bureau and judicial appointments were irretrievably lost.

According to the local report, the court is still trying to recover the information from its own sources. There is no detailed information about the malware variant used in the attack.

- Christina

Over 6 million computers in Moscow are infected with cryptocurrency-mining malware

In Moscow, about 30 percent of all computers are infected with malware that covertly mines cryptocurrency.

Herman Klimenko, adviser to the Russian President on Internet development, said that this is currently the most common and most dangerous type of malware. There are about 20 million computers in Moscow, of which 20-30 percent are infected.

Klimenko noted that the organizers of such schemes earn money by "renting out" the capacity of infected computers for processing cryptocurrency transactions.

As a reminder, on July 21 researchers discovered the Stantinko adware botnet, which had a large number of victims in Russia and Ukraine. At the beginning of the month, specialists at Kaspersky Lab spotted the wide spread of the Xafekopy malware, which sent subscription requests for paid services from the victim's phone.

"We do not have information about all computers in Moscow and Russia; we can only talk about our users, 6% of whom were attacked in 2017 with the goal of installing cryptocurrency 'miners', which makes it quite a common type of malicious program," Antonov Ivanov, an antivirus expert at Kaspersky Lab, was quoted as saying by the local press.

- Christina

Guardian's Article on Cyber Crime spreads Malware

A 2011 article titled "Cybercrime: is it out of control?" on the Guardian's website has been found to be serving up the Angler Exploit Kit.

The Angler Exploit Kit is a web-based toolkit that attackers use to probe a visitor's browser and plugins for unpatched vulnerabilities and to deliver exploits for the ones it finds.

The problem was discovered by FireEye Labs on 1 December, which noticed that this Angler infection did not come from a tainted ad but from simply visiting the Guardian's article about cybercrime.

Visiting the page would execute an embedded script that redirected the reader's browser to an Angler Exploit Kit landing page.
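The injected redirect described above is the part a site owner can look for. The following is an added example, not FireEye's or the Guardian's code: it walks a saved copy of a page and flags the usual injection patterns (inline scripts that reassign the location, hidden or off-site iframes, meta refreshes, scripts loaded from foreign hosts). The sample page and the hostnames in it are constructed placeholders, not real exploit-kit domains.

```python
"""Flag injected redirect code in a saved HTML page (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline JavaScript that sends the browser elsewhere or writes a frame into the page.
REDIRECT_JS = re.compile(
    r"(?:window|top|document|self)\.location(?:\.href)?\s*=|"
    r"location\.replace\s*\(|document\.write\s*\(.*<iframe",
    re.IGNORECASE | re.DOTALL,
)


class RedirectFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host   # the site's own domain; anything else is off-site
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            src = a.get("src")
            if src and self._offsite(src):
                self.findings.append(("external-script", src))
        elif tag == "iframe":
            src = a.get("src", "")
            if self._is_hidden(a):
                self.findings.append(("hidden-iframe", src))
            elif self._offsite(src):
                self.findings.append(("offsite-iframe", src))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data; check them for redirects.
        if self._in_script and REDIRECT_JS.search(data):
            self.findings.append(("inline-redirect", data.strip()[:80]))

    def _offsite(self, url):
        host = urlparse(url).hostname
        return bool(host) and not host.endswith(self.site_host)

    @staticmethod
    def _is_hidden(attrs):
        # Exploit-kit frames are typically 0x0 or 1x1 and/or styled invisible.
        def px(value):
            try:
                return int(str(value).rstrip("px"))
            except ValueError:
                return None
        w, h = px(attrs.get("width")), px(attrs.get("height"))
        style = (attrs.get("style") or "").replace(" ", "").lower()
        return ((w is not None and w <= 1) or (h is not None and h <= 1)
                or "display:none" in style or "visibility:hidden" in style)


def find_redirects(html, site_host):
    """Return a list of (kind, detail) findings for one page."""
    parser = RedirectFinder(site_host)
    parser.feed(html)
    return parser.findings


# Constructed sample page: a legitimate local script, then an injected redirect
# and a hidden frame pointing at a placeholder landing page (not a real domain).
SAMPLE_PAGE = """<html><head><title>Cybercrime: is it out of control?</title>
<script src="/static/analytics.js"></script></head>
<body><p>Article text ...</p>
<script>var t=0; if(!t){ top.location.href = "http://landing.invalid/ek/"; }</script>
<iframe src="http://landing.invalid/ek/" width="1" height="1" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in find_redirects(SAMPLE_PAGE, "news.example"):
        print(f"{kind:16} {detail}")
```

Run it over the HTML as served to a real visitor (fetch with a browser-like User-Agent, since compromised pages often serve clean content to crawlers), and treat any `inline-redirect` or `hidden-iframe` hit on a page that should contain neither as a reason to pull the page and check the CMS for the injection point.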

The kit's primary exploit targets a Windows OLE vulnerability that enables a so-called "God Mode" on infected PCs, giving attackers control over every facet of the user's machine.

Angler also probes for the Flash vulnerabilities CVE-2015-5122, CVE-2015-5560 and CVE-2015-7645, which are less powerful than the Windows OLE one but dangerous nevertheless.

All of these vulnerabilities have been fixed by Microsoft and Adobe, so users who keep Windows and Flash fully patched are protected against the exploits this instance of Angler delivers when reading the article.

Meanwhile, the Guardian has said it will fix the contaminated links on its website.

The news came days after Angler was found serving malvertising to visitors of the video site DailyMotion.

Malware detected in Martel cameras used by police departments

iPower Technologies, a U.S. security company and network integrator, has discovered copies of the Conficker worm on the Martel Frontline Camera with GPS, a product of Martel Electronics, one of the largest manufacturers of police in-car video systems in America. The device is sold and marketed as a body camera for police departments.

The Florida-based company, which is currently developing a cloud-based video storage system that lets government agencies and police departments store and search camera video, said that cameras it received from the supplier Martel Electronics were loaded with Conficker, one of the most notorious worms of 2009.

Conficker itself is not new: it was first identified in late 2008, and researchers found that the worm, which had by then already infected millions of PCs, had been set to perform an unspecified update activity on April 1, 2009.

Jarrett Pavao and Charles Auchinleck, researchers at the security company, found that when the cameras were connected to a computer, they tried to execute the worm variant Win32/Conficker.B!inf.

"When the camera was connected to a computer, iPower's antivirus software immediately caught the virus and quarantined it. However, if the computer did not have antivirus actively protecting it, the virus would automatically run and start propagating itself through the network and internet," iPower said in a post.

"In the iPower virtual lab environment, packet captures were also run on the infected PC to view the virus's network activity using Wireshark. The virus, classified as a worm, immediately started to attempt to spread to other machines on the iPower lab network, and also attempted several phone-home calls to internet sites," the post added.
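The "automatically run" behaviour above is what the `.B!inf` detection name refers to: the worm plants an autorun.inf on removable media so that Windows AutoRun launches it on insertion. The following is an added example, not iPower's analysis code: a small inspector for autorun.inf that tolerates the binary padding Conficker is documented to interleave between directives (which trips naive INI parsers while Windows simply skips it) and reports any directive that launches code. The sample file is constructed; the RECYCLER path and DLL name in it are placeholders, not the real worm's filenames.

```python
"""Inspect an autorun.inf for directives that execute code on insertion (added example)."""
import re

LAUNCH_KEYS = ("open", "shellexecute")                       # run a program directly
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)  # shell\<verb>\command=
PRINTABLE = re.compile(rb"^[\x20-\x7e\t]*$")                 # lines made only of printable ASCII


def inspect_autorun(raw: bytes) -> dict:
    """Return a report for the raw bytes of an autorun.inf."""
    report = {"launch": [], "junk_lines": 0, "uses_rundll32": False}
    in_autorun = False
    for line in raw.splitlines():
        if not PRINTABLE.match(line):
            # Binary garbage: Windows ignores it, but its presence is itself a signal.
            report["junk_lines"] += 1
            continue
        text = line.decode("ascii").strip()
        if not text or text.startswith(";"):
            continue
        if text.startswith("[") and text.endswith("]"):
            in_autorun = text[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in text:
            continue
        key, value = (part.strip() for part in text.split("=", 1))
        if key.lower() in LAUNCH_KEYS or SHELL_COMMAND.match(key):
            report["launch"].append((key.lower(), value))
            if "rundll32" in value.lower():
                # Loading a DLL via rundll32 from a hidden folder is the Conficker pattern.
                report["uses_rundll32"] = True
    report["suspicious"] = bool(report["launch"])
    return report


# Constructed sample: the "Open folder to view files" action mimics Windows' own
# AutoPlay entry; the binary lines are padding; the shellexecute value is a placeholder.
SAMPLE_AUTORUN = (
    b"[autorun]\r\n"
    b";\x8f\x12\xd3 junk comment\r\n"
    b"\x00\x01\xfe\xff\x9a binary padding\r\n"
    b"Action=Open folder to view files\r\n"
    b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    b"shellexecute=RunDLL32.EXE .\\RECYCLER\\S-1-5-21-0\\payload.dll,entry\r\n"
    b"UseAutoPlay=1\r\n"
)

if __name__ == "__main__":
    print(inspect_autorun(SAMPLE_AUTORUN))
```

Two practitioner checks belong next to this: hosts that handle evidence media should have AutoRun disabled for all drive types (the `NoDriveTypeAutoRun` policy value set to `0xFF` under `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`), and they must carry the MS08-067 fix, since once Conficker is running it spreads across the network through that vulnerability rather than through autorun.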

After the findings, iPower said it tried to contact Martel to report the problem, but the company has yet to respond.

Researchers find new POS malware

Researchers have discovered two new and distinct strains of point-of-sale (POS) malware, including one that has gone largely undetected for the past five years.

Researchers have described Cherry Picker, a family of POS malware which, in one form or another, has been targeting food and beverage businesses since 2011.

The malware is reported to have been used in a recent breach at an unidentified U.S. restaurant chain.

This form of memory-scraping POS malware has become a threat to retailers.

The Federal Bureau of Investigation (FBI) has released a warning to guard against the malware, as it can infect any Windows-based POS network and encrypt the stolen data, making detection difficult.

Researchers at Trustwave noticed some basic elements of the malware back in 2011, but it has gone through three iterations since then, adding new configuration files, new ways to scrape memory, and new persistence mechanisms.

The malware has managed to stay hidden for many years by using a combination of configuration files, encryption, obfuscation, and command-line arguments.

During his research, Eric Merritt, the primary researcher who analyzed the malware, also found a file on a system infected by Cherry Picker that had helped cover the malware's tracks all these years. The file contains hardcoded paths to the malware, its exfiltration files, and legitimate files on the system. A custom "shredder function" in the code overwrites each file multiple times with 00s, FFs, and "cryptographic junk" before moving on to shred a list of malware and exfiltration file locations, and finally the executable itself. From there, the code removes any remaining traces of the POS malware.

Researchers have also discovered another type of POS malware, known as AbaddonPOS, which is much newer than Cherry Picker.

In the observed infection chain, the Vawtrak banking Trojan downloaded TinyLoader, a downloader which in turn fetched another downloader, which downloaded shellcode that unpacked into AbaddonPOS.

"AbaddonPOS appears to have features for anti-analysis, code obfuscation, persistence, location of credit card data, and a custom protocol for exfiltrating data. Much like malware as a general category, the sophistication of this new malware over prior malware continues to increase," said Kevin Epstein, Vice President of Threat Operations at Proofpoint, the firm that analyzed it.

In addition, security firm Trend Micro is warning of new malware called MalumPOS, which targets the Oracle MICROS POS system.

Attackers will have several choices when it comes to POS malware this season.

18,000 Android apps found with malicious code that steals messages

Researchers from Palo Alto Networks have confirmed that Taomike, a Chinese mobile advertising company, has been distributing a malicious software development kit (SDK) that lets Android developers implement in-app purchases (IAPs) in their apps.

The SDK, which can be downloaded for free from Taomike, copies all SMS messages on infected phones and sends them to a Taomike-controlled server.

Taomike offers the SDK as a free download, and Android developers use it to build mobile apps that sell in-app purchases via SMS messages.

In a blog post, Palo Alto Networks stated that since August 1 its WildFire service has captured over 18,000 Android apps that contain the library. These apps are not hosted in the Google Play store but are distributed via third-party distribution channels in China.

Taomike provides the SDK and services to help developers display rich advertisements with a high pay rate. Although it had not previously been associated with malicious activity, a recent update to its software added SMS theft functionality.

According to a report published in MNR Daily, there has been an increase in the number of cases of Chinese advertising companies developing malicious SDKs and APIs that developers then build into their own apps.

These apps built with the malicious SDKs and APIs have been found to steal private information and data from the handsets on which they are installed.

They have been sending that data, including device login and password details, to the companies that developed the SDKs and APIs.

“Among these malware, we have found many that are created by “mobile monetization” companies who distribute apps that provide little value but have a high cost to the user. These apps are often installed by tricking users into clicking a pop-up, only to find later that a charge has appeared on their phone bill,” they added.

The researchers suggested that when developers incorporate third-party libraries into their apps, they need to test them carefully and monitor for any abnormal activity.

"Identifying monetization and advertising platforms that behave poorly and abuse their users is something that our industry must do to ensure the safety of all mobile devices and their users," they concluded.
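A concrete first step in the testing the researchers recommend is to look at what an app's manifest grants to the libraries bundled into it. The following is an added example, not Palo Alto Networks' code: it triages a decoded AndroidManifest.xml for the capability the Taomike SDK abused, that is SMS read/receive permissions combined with network access, plus broadcast receivers registered for incoming SMS and components whose package differs from the app's own (the footprint of a third-party SDK). It assumes the manifest has already been decoded to plain XML (for instance with apktool); the manifest below and the package names in it are constructed placeholders, not Taomike's identifiers.

```python
"""Triage a decoded AndroidManifest.xml for SMS-exfiltration capability (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PRIORITY = f"{{{ANDROID_NS}}}priority"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
NET_PERMS = {"android.permission.INTERNET"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
COMPONENTS = ("activity", "service", "receiver")


def _full_name(name: str, pkg: str) -> str:
    """Expand the shorthand '.Foo' component name to 'pkg.Foo'."""
    return pkg + name if name.startswith(".") else name


def triage_manifest(xml_text: str) -> list:
    """Return human-readable findings for one manifest (empty list = nothing notable)."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    findings = []

    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    if perms & SMS_PERMS and perms & NET_PERMS:
        findings.append("SMS read/receive combined with INTERNET: app can exfiltrate messages")

    # A receiver for SMS_RECEIVED sees every incoming message; a maximal priority
    # lets it act before the stock messaging app (and, on old Android, abort the broadcast).
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {a.get(NAME) for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                findings.append(
                    f"SMS receiver {_full_name(recv.get(NAME, '?'), pkg)} "
                    f"(priority {flt.get(PRIORITY, 'default')})")

    # Components living outside the app's own package are bundled SDK code.
    foreign = sorted({
        _full_name(c.get(NAME), pkg).rsplit(".", 1)[0]
        for c in root.iter() if c.tag in COMPONENTS and c.get(NAME)
        if not _full_name(c.get(NAME), pkg).startswith(pkg + ".")
    })
    if foreign:
        findings.append("third-party components from: " + ", ".join(foreign))
    return findings


# Constructed manifest: a game that bundles a placeholder ad SDK which registers an
# SMS receiver at maximum priority and an upload service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name="com.adsdk.example.SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name="com.adsdk.example.UploadService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for line in triage_manifest(SAMPLE_MANIFEST):
        print("-", line)
```

A manifest hit is only the starting point: the permission set tells you what the bundled code could do, so the next step is to run the app under a proxy or on an instrumented device and watch whether SMS content actually leaves the phone, which is the behaviour that distinguished the updated Taomike SDK from the earlier, merely aggressive, version.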