A Mysterious Malware That Holds The Power To Critically Damage One’s Phone

It wouldn't be wrong to state that Hack forums isn't the most "world class"  or elite gathering of cybercriminals as many of  its members as of now appear to be relative novices, and furthermore it's probable that some post about hacking methods they've never really endeavoured. In spite of the fact that experts do state that with the current buyer showcase in cryptocurrencies, even the refined hacking groups are increasingly getting into undercover or in other words clandestine mining, and once in a while running such operations close by more customary and traditional  cybercrime like data theft and dissent of service attacks.

In the same way as many other people, the hackers on the message board Hack Forums are presently exchanging tips on the most proficient method to make profit with cryptocurrencies. Be that as it may, they're not simply hoping to purchase low and offer high they are only swapping approaches to surreptitiously tackle other people's phones and PCs to further generate digital coins for themselves.

A month ago, F5 networks, a Seattle security firm reported a "sophisticated multi-stage attack" hijacking networks of computers to mine cryptocurrencies.

The assailants have been known to utilize the vulnerabilities in common server softwares, combined with Windows exploits leaked from the National security Agency, to effortlessly infiltrate the victim's systems and migrate through their networking systems.

Despite the fact that it's difficult to know how much these current crypto jacking attacks have earned altogether, yet the addresses connected to the malware variations seemed to have gotten a sum of $68,500 in the cryptographic money (cryptocurrency) monero.

In any case, in the previous year, monero-mining malware has been spotted on an extensive variety of sites, mining the currency as people streamed videos from Showtime and Ultimate Fighting Championship or only browsed the web on compromised Wi-Fi systems at Starbucks cafes. Albeit, some program expansions have been found mining the currency while the users do other things, and monero-mining malware has as of late been spotted proliferating through links on Facebook Messenger also.

Hi @Starbucks@StarbucksAr did you know that your in-store wifi provider in Buenos Aires forces a 10 second delay when you first connect to the wifi so it can mine bitcoin using a customer’s laptop? Feels a little off-brand... 

— Noah Dinkin (@imnoah) December 2, 2017

If you remember the IoT botnets, Mirai in the past, we’ve actually seen one variant this year which was mining monero coins on routers and hard disk recorders as well,” says Candid Wueest, principal threat researcher at Symantec and contributing author on a report the security company released on cryptojacking last month.

Creators of some monero-mining software argue that in-program (browser) mining can have a true blue use, letting people intentionally exchange computer power for access to articles, videos, or premium application features, when sites are looking past publicizing or advertising as an income and revenue stream. "I don't agree with anybody's computer being mishandled or abused without their insight," says Spagni, the monero core developer.

"However the technology that is being manhandled presents a completely new approach for monetizing a service on the web." He contends this could empower a "free" version of Netflix or provide another subsidizing stream for journalism.

Coinhive one of the most well-known web miners, even offers a mining-based captcha alternative, aimed at making it less attainable for spammers to play out specific activities on a website, and a version of the software called AuthedMine which requires the users to unequivocally opt in before mining begins. Makers of other mining tools put forth comparable expressions about user consent, maybe with changing degrees of sincerity.

Nevertheless a tool called Monero Quiet Excavator, available for $14, mines in the background on Windows PCs. It doesn't launch a visible window that users can recognize or detect as fast as possible, keeps the gadgets from going into sleep mode, and can "bypass firewalls," as indicated by its website. In any case, its developer states that it is intended just for "legitimate users". Those could incorporate individuals who possess various PCs and need to utilize them to mine monero "transparently for the end user or client of the PC"

The Dyre Wolf of cyber street is after your money


The Dyre malware affecting the corporate banking sector has successfully stolen upwards of million dollars from unsuspecting companies since its inception in mid-2014, according to IBM's Security Intelligence report.

In a span of seven months the global infection rate has shot up from 500 to more than 4000 with North America being the most affected region.

While such a threat is not new to the banking sector what sets Dyre apart is its wealth of features that combines Spear phishing, malware (initial infection via Upatre), social engineering, complex process injections, the Deep Web and even Distributed Denial of Service (DDoS) alongside the constant updates that makes its detection tough.

The malware works in multiple steps.

Spear phishing: An organization  is as strong as its weakest link. Dyre uses this adage to the full as it targets employees of an organization with mails that contains the malware delivered in a zip file. Unsuspecting employees might download the zip file having a scr or an exe file which is actually the  malware known as Upatre (pronounced like “up a tree”), which begins the initial infection of the target machine.

First Stage Malware: Upatre then establishes contact with the Control and Command servers and downloads and installs Dyre to the system and deletes itself.

Second Stage Malware: Dyre establishes persistence in the system and connects to nodes at Invisible Internet Project that would enable it to communicate information without revealing destination or content.It also sends emails to victim's contact list aiming to increase its list of potential victims.It then hooks to the victim's browsers to intercept log in credentials by routing them to fake pages when the victim tries to visit web sites of the targeted bank.

Advanced Social Engineering: Social engineering is the alarming aspect of Dyre Wolf campaign. In addition to providing fake pages to extract log in data from individuals, it can at times display a message to the consumer asking them to call the bank at a specified number. Dyre wolf operators at the other end of the line act professionally and extract information under the guise of verification. This is done to circumvent bank's two stage authentication processes.

Wire Transfer and DDoS: After obtaining credentials, they log into the accounts and request for wire transfer of large sums. The money is moved from account to account quickly to make tracing and reversal impossible. Following this the affected consumer faces DDoS from the bank pages which hinders detection and investigation.

Dyre is operated by a highly organized and well funded group of cyber criminals in Eastern Europe.

The only way to prevent this seems to be to avoid the first infection of the system arising from a vulnerable employee. Employees need to be trained well on regarding such malwares, spear-phishing campaigns. Other preventive measures include stripping executables from email attachments, preventing installation from temp folders, using updated anti-virus, two factor authentications etc.

Delving into PoSeidon malware

News of data breaches that have been occurring through card usage at infected point of sale (PoS) systems at retailers has become common now-a-days. There being a huge market for stolen credit card information, the companies are being targeted with newer and sophisticated malwares.

How do these malwares exactly work? During investigation of the cases of breaches, CISCO security solutions have discovered the working mechanism a new malware family which has been nicknamed PoSeidon malware.

The infection of the PoS system possibly arises from a keylogger which after getting installed deletes the profile log in information i.e passwords stored on the system. This forces the user to type down the information which gets recorded by the keylogger and sent back to the server which can then access the system remotely to infiltrate it with the Loader malware to steal card information.

What the Loader does is, it tries to get itself installed in the PoS system as a service that is run as Winhost, so that it can survive reboots of the system. This step is called persistence by which it maintains hold on the system. It then connects to the hardcoded command and control servers, which then sends the second executable part of the malware called the FindStr.

It also simultaneously installs another keylogger. FindStr goes through data on the infected system to look for number sequences that start with 6, 5, 4 with a length of 16 digits (Discover, Visa, Mastercard) or 3 with a length of 15 digits (AMEX).

It then runs the Luhn algorithm to verify whether its card information or not and sends the information along with data from keylogger to the exfiltration servers from where it can be harvested for further usage.

The malware can also update itself depending on communication from external server. Further investigation shows that developers are working to use these in other newer projects.Faced with such persistent threats organizations need to be vigilant and adopt a threat-centric approach to provide security during the full attack continuum – before, during, and after an attack.

Crypto currency miner ‘quietly’ bundled with μTorrent, users cry foul


Are you in a hurry to install the newest version of μTorrent? Be careful of what you hit agree to.

Users of μTorrent are fuming after it came to notice that the newest version of the popular file sharing app (version 3.4.2) is coming covertly bundled with Epic Scale which uses a portion of the CPU cycles to mine crypto-currency Litecoin. One Litecoin is worth $1.89.

The complaints in the forum imply that the users had 
no indication of the software being installed, and the reactions ranged from discontent to outraged “good bye μtorrent”.

Users are furious that the processing power of their computers are being utilized without their knowledge.
Bit Torrent has released an official statement that 

Epic Scale is not installed without the consumer’s permission. They further added that like other software companies, they have partner packages in the install path which are strictly optional.
Epic Scale which euphemistically proclaims “Your computer has the power to change the world” denied allegations of the sly installations and said it is included in Bit Torrent clients.
It's website explains,
Epic Scale uses your computer’s idle time to do genomics research, protein folding, image rendering, cryptocurrency mining, and more, then we give a majority of the profits to charities like Watsi (life-changing surgeries), and Immunity Project (HIV vaccine). We do not spy on your browsing behavior or scan your files or anything like that.”

Epic Scale's CEO,Tim Olson stated that they will shift from mining Litecoin to working for full time science research projects.

Philanthropic initiatives aside, the troubling fact remains that it is flagged as a risk and blocked by trackers and firewall. It is difficult to uninstall according to users; in addition to the Removal via Add/Remove Programs, all residual files in the program drive has to be removed manually. Epic  Scale however maintains that it is not a spyware.
It is to be noted that since BitTorrent varies the bundled partner software for each download, not all users will get Epic Scale.
The furore on the forum, prompted Epic Scale to damage control mode. The site has been updated with clear instructions on how to uninstall the code, and the company has promised to display clearer opting out options in the future.
For those who are having troubles uninstalling, can visit Epic Scale's uninstall instructions, or email its support address for help in removing the software.

FBI uses Spear Phishing technique to plant malware in Suspect's system


It's not surprising that FBI uses malware to track the activities and location of suspects. A New article published by Washington Post covers the story about FBI using malware for surveillance to track suspect's movements.

FBI team works much like other hackers, targets suspects with the Spear Phishing technique that will attempt to exploit vulnerability in the target's machine and installs malware. The malware then collects information from the infected machine and send it back to FBI's server. The malware is also capable of covertly activating webcams.

In a bank fraud case, Judge Stephen Smith rejected FBI request to install spyware in the suspect's system in April.

Smith pointed out that using such kind of technologies ran the risk of accidentally capturing information of others who are not involved in any kind of illegal activity.

In another case, another judge approved the FBI's request in December 2012. The malware also successfully gathered enough information from the suspect's system and helped in arresting him.

In another case, July 2012, an unknown person who is calling himself "Mo" from unknown location made a series of threats to detonate bombs at various locations. He wanted to release a man who had been arrested for killing 12 people in a movie theater in the Denver suburb of Aurora, Colo.

After investigation, they found out Mo was using Google Voice to make calls to Sheriff , he also used proxy for hiding his real IP.

After further investigation, FBI found out Mo used IP address located in Tehran when he signed up for the email account in 2009. 

In December 2012, judge approved FBI's request that allowed the FBI to send email containing surveillance software to the suspect's email id. However, the malware failed to perform as intended.  But, Mo's computer sent a request for info to FBI's server from two different IP address.  Both suggested that he was still in Tehran.

Hackers stole ₹2.4 crore from Mumbai Bank in 3 hours

 
Cybercriminals hacked into the Mumbai-based current account of the RPG Group of companies and stole Rs 2.4 crore within 3 hours on May 11, Times of India reported.

The TOI report says money has been transferred to 13 different bank accounts in Chennai, Coimbatore,Tirunelveli, Bangalore,Hyderabad and other places.

The bank blocked those accounts but the gang have already managed to withdraw some funds.

The police has arrested three members of the crew who came to withdraw the money in Coimbatore and Hyderabad.

It appears the Company fell victim when the company officials opened the malware attached mail sent by the gang.  The gang then probably harvested the bank login credentials using the malware.

Earlier this year, cyber criminals stole Rs 1 crore in Mulund from the current account of a cosmetics company.