This Malware Generated $2 Million After Abusing 222,000 Windows Systems


Avast researchers published a report on Thursday regarding the discovery of a cryptocurrency mining malware that abuses Windows Safe mode and has likely generated more than 9,000 Monero coins (estimated today at around $2 million) after exploiting more than 222,000 Windows systems since 2018.

The latest version of Crackonosh, as Avast dubbed it, spreads through illegal and cracked copies of popular software, also known as "warez", which is distributed on various torrent sites and forums.

The malware continues to infect systems worldwide, affecting 222,000 unique devices in more than a dozen countries since December 2020. As of May, the malware was still getting about 1,000 hits a day. The researchers have already spotted 30 different versions of the malware, the latest of which was published in November 2020.

According to Daniel Beneš, a malware analyst for antivirus maker Avast, the worst-hit region is the Philippines, with 18,448 victims; followed by Brazil (16,584); India (13,779); Poland (12,727); the United States (11,856); and the United Kingdom (8,946).

The researchers started investigating the threat after they received reports that Crackonosh was disabling and uninstalling Avast's antivirus from infected devices. The company later discovered that Crackonosh was also disabling many other popular antivirus products, as well as Windows Defender and Windows Update, as part of an advanced set of anti-detection and anti-forensics tactics meant to keep the malware undetected on infected hosts.

Once Crackonosh has weakened an infected host, it runs XMRig, a cryptocurrency miner that lets the attackers mine Monero on the victim's hardware and profit from the infected computers. Earlier this month, the company identified another crypto-miner named DirtyMoe, which infected more than 100,000 systems. The difference between the two is that DirtyMoe was primarily spread using an SMB worm and that its developer appears to be based in China rather than Europe.

“As long as people continue to download cracked software, attacks like these will continue and continue to be profitable for attackers. The key take-away from this is that you really can’t get something for nothing and when you try to steal software, odds are someone is trying to steal from you,” Beneš said.

DirtyMoe Botnet has Infected over 100,000 Windows Systems


More than 100,000 Windows systems have been infected with the DirtyMoe malware. According to cyber-security firm Avast, a Windows malware botnet thought to be managed out of China has surged this year, growing from 10,000 infected systems in 2020 to more than 100,000 in the first half of 2021. The malware, which goes by the names DirtyMoe, PurpleFox, Perkiler, and NuggetPhantom, has been circulating since late 2017.

Its main goal has been to infect Windows systems and mine cryptocurrency behind the users' backs, although functionality to execute DDoS attacks was discovered in 2018. The botnet was a small-scale operation for the majority of its existence. Its authors mostly used email spam to lure people to malicious websites that hosted the PurpleFox exploit kit.

This web-based attack tool exploited browser vulnerabilities, most commonly in Internet Explorer, to install a rootkit component on unpatched Windows computers, giving the malware complete control over the affected host, which is then used for crypto-mining. This rootkit, also known as DirtyMoe, PurpleFox, Perkiler, and NuggetPhantom, was well-known in the cyber-security field, but it was only considered a minor threat.

According to Avast, the DirtyMoe botnet had an annual average of a few hundred to a few thousand infected systems for the majority of its life from 2017 to 2020. Things changed dramatically near the end of 2021, when the DirtyMoe gang released an update to their operation that included a worm module allowing the malware to spread across the internet to other Windows systems. "Recently, a new infection vector that cracks Windows machines through SMB password brute force is on the rise," reads the analysis published by Avast. This module scoured the internet for remote Windows machines that had left their SMB port exposed online and launched password brute-force attacks against them.

The malware's SMB propagation module allowed infections to explode on a logarithmic scale, with over 100,000 systems affected this year alone, according to Avast. However, this figure is based solely on Avast's visibility, that is, PCs with the antivirus software installed. The true magnitude of the DirtyMoe botnet is thought to be far larger.
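An SMB password brute-force campaign of the kind described above leaves a recognisable trace on the target: a burst of failed network logons (Windows Security event 4625, logon type 3) from a single source address, sometimes followed by a successful logon (event 4624) from that same address. The following script, an added example that is not part of Avast's report or the blog post, implements that detection over a handful of constructed audit events in a simplified "timestamp event_id logon_type account source_ip" format (the field layout, threshold and window size are assumptions chosen for the example, not values from the page). It flags any source exceeding the failure threshold inside a sliding window, records which accounts were tried, and notes whether a success followed the burst, which is the case that most warrants investigation.

```python
"""Detect SMB-style password brute forcing from Windows logon audit events.

Windows records failed network logons (which SMB authentication produces)
as Security event 4625 with logon type 3, and successful ones as 4624.
A burst of 4625s from one source address, optionally followed by a 4624
from the same address, is the pattern an SMB brute-force worm leaves.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. Simplified field layout
# (an assumption of this example): timestamp event_id logon_type account source_ip
SAMPLE_EVENTS = [
    "2021-06-10T03:14:01 4625 3 administrator 203.0.113.45",
    "2021-06-10T03:14:02 4625 3 admin 203.0.113.45",
    "2021-06-10T03:14:03 4625 3 guest 203.0.113.45",
    "2021-06-10T03:14:04 4625 3 root 203.0.113.45",
    "2021-06-10T03:14:05 4625 3 test 203.0.113.45",
    "2021-06-10T03:14:06 4625 3 user 203.0.113.45",
    "2021-06-10T03:15:30 4624 3 administrator 203.0.113.45",  # success after the burst
    "2021-06-10T03:20:00 4625 3 jsmith 198.51.100.7",         # a user mistyping twice
    "2021-06-10T03:20:15 4625 3 jsmith 198.51.100.7",
    "2021-06-10T03:20:40 4624 3 jsmith 198.51.100.7",
    "2021-06-10T03:30:00 4625 2 jsmith 10.0.0.5",             # interactive logon, not SMB
    "2021-06-10T03:40:00 4625 3 svc_backup 10.0.0.5",         # slow failures, below threshold
    "2021-06-10T03:45:00 4625 3 svc_backup 10.0.0.5",
    "2021-06-10T03:50:00 4625 3 svc_backup 10.0.0.5",
]


@dataclass
class LogonEvent:
    ts: datetime
    event_id: int
    logon_type: int
    account: str
    source_ip: str


def parse_event(line: str) -> LogonEvent:
    """Parse one simplified audit line into a LogonEvent."""
    ts, event_id, logon_type, account, source_ip = line.split()
    return LogonEvent(datetime.fromisoformat(ts), int(event_id), int(logon_type),
                      account, source_ip)


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: finding} for sources with >= `threshold` failed
    network logons inside any `window`. Each finding records the total number
    of network logon failures from that source, the distinct accounts tried,
    and the (account, timestamp) of a successful logon after the burst, if any.
    """
    recent = defaultdict(deque)   # source_ip -> failures still inside the window
    total_failures = Counter()    # source_ip -> all network logon failures seen
    findings = {}
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e.ts):
        if ev.logon_type != 3:    # only network logons can come from SMB
            continue
        if ev.event_id == 4625:
            total_failures[ev.source_ip] += 1
            q = recent[ev.source_ip]
            q.append(ev)
            while q and ev.ts - q[0].ts > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                finding = findings.setdefault(ev.source_ip, {
                    "failures": 0, "accounts": set(), "success_after_burst": None})
                finding["accounts"].update(e.account for e in q)
        elif ev.event_id == 4624 and ev.source_ip in findings:
            # Events are time-sorted, so this success post-dates the flagged burst.
            findings[ev.source_ip]["success_after_burst"] = (ev.account, ev.ts)
    for ip, finding in findings.items():
        finding["failures"] = total_failures[ip]
    return findings


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE_EVENTS).items():
        print(ip, finding)
```

In a real deployment the parser would read the XML or JSON form of event 4625 and use the Source Network Address and Logon Type fields; the sliding-window logic and the "success after burst" escalation stay the same.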

A report from Tencent, a Chinese security firm, detected an increase in DirtyMoe/PurpleFox infections in China over the course of 2021, mirroring the explosion in infection numbers reported by Avast in Europe, Asia, and America at the start of the month.

100 Italian Banks Hit by Ursnif Trojan

The Ursnif Trojan has been traced to attacks on at least 100 Italian banks. In Avast's view, the malware operators have a strong interest in Italian targets, and their attacks against these banks have resulted in the loss of credentials and financial information.

Avast researchers have discovered usernames, passwords, credit card details, and bank and payment data which the Ursnif banking Trojan operators appear to have seized from banking customers. They did not pinpoint the source of the details; payment card details, however, are also sold on the dark web. In just one instance, over 1,700 credentials were stolen from an undisclosed payment processor.

Ursnif is malware that was originally discovered in 2007 as a banking Trojan and has evolved over the years. It has targeted consumers in several countries across the world, mostly using native-language e-mail lures. Ursnif is typically distributed via phishing emails, such as invoice demands, and attempts to steal financial details and account credentials. Italy has been a major target among the countries hit by Ursnif, a fact demonstrated by the information obtained by the researchers.

Referring to the Italian financial CERT, Avast says, "Our research teams have taken this information and shared it with the payment processors and banks we could identify. We've also shared this with financial services information sharing groups such as CERTFin Italy."

According to Fortinet, the Italian Ursnif campaign used phishing emails carrying malicious attachments that download the malware when opened. The company adds that Ursnif is sometimes delivered by a separate malware loader.

Ursnif gathers system information such as the username, device name, and system uptime. According to Avast security researchers, these data are packaged into packets and forwarded to the gang's command and control server. The Ursnif Trojan also acts as spyware: it monitors traffic, takes screenshots, logs keystrokes, and obtains login credentials saved in browsers and mail applications.

Researchers from Darktrace have reported on the 2020 malware campaign in an attack on a US bank. An employee received a phishing email, opened a malicious link, and inadvertently installed an executable disguised as a .cab file. This file called out to command-and-control (C2) servers registered in Russia just one day before the campaign launched, so at the time of infection the IPs were not yet blocked.

"With this information, these companies and institutions are taking steps to protect their customers and help them recover from the impact of Ursnif," concludes Avast.

Avast Antivirus Harvested Users' Data and Sold it to Google, Microsoft, IBM and Others

Avast, a popular maker of free anti-virus software used on almost 435 million mobile, Windows, and Mac devices, harvested its users' sensitive data via browser plugins and sold it to third parties such as Microsoft, Google, Pepsi, IBM, Home Depot, and many others, according to the findings of an investigation jointly carried out by PCMag and Motherboard.

According to the sources, the investigation relied mainly on leaked data; the documents used belonged to Jumpshot, a subsidiary of Avast. The data was collected by the Avast anti-virus software itself and then repackaged by Jumpshot into various products sold to big companies. As the report specified, "Potential clients include Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Conde Nast, Intuit, and many others."

"The sale of this data is both highly sensitive and is, in many cases, supposed to remain confidential between the company selling the data and the clients purchasing it," according to other company documents.

Allegedly, Avast has been tracking personal details such as the exact time and date when a user starts visiting a website, the digital content being viewed, and the user's browsing and search history. According to the findings, the information sold by Jumpshot includes Google Maps searches, Google search engine searches, YouTube videos viewed by users, activity on companies' LinkedIn pages, and porn websites visited by people. The data contained no personal information such as names or email addresses; however, the investigators at Vice pointed out that access to such precise browsing data can potentially lead back to the identification of the user anyway.

When the investigation reports were made public, Avast terminated the operation and Jumpshot stopped receiving any browsing data harvested by the extensions; however, the popular anti-virus maker is currently being investigated for collecting user data by means other than browser plug-ins.

While Google denied commenting on the matter, IBM told Vice that they have no record of dealing with Avast's subsidiary, Jumpshot. Meanwhile, Microsoft made it clear that at present they are not having any relationship with Jumpshot.

40.8% Smart Homes vulnerable to attacks

Security researchers have found that 40.8% of smart homes have at least one device that could be easily breached by hackers: one-third of these devices run outdated software with unpatched security issues, while two-thirds are exposed because of weak credentials.

The team of researchers at Avast said that all these vulnerable devices are connected directly to the internet, and routers are the ones most targeted.

"59.7% of routers have weak credentials or some vulnerabilities" and "59.1% of users worldwide have never logged into their router or have never updated its firmware," says Avast.

In their report, Avast says that "a router that is vulnerable to attack poses a risk for the whole home, much like leaving your front door unlocked. Cybercriminals can redirect compromised routers to access exactly what they want, including phones, computers or any other connected device."

Printers lead the list of device types most vulnerable to attack. In the US, the vulnerability percentage for printers is 43.8%, while NAS devices and security cameras are in second and third place with 17.7% and 14.7% respectively.

"It only takes one weak device to let in a bad hacker and once they are on the network, they can access other devices, and the personal data they stream or store, including live videos and voice recordings," said Avast President Ondrej Vlcek. "Simple security steps like setting strong, unique passwords and two-factor authentication for all device access, and ensuring software patches and firmware updates are applied when available, will significantly improve digital home integrity."

Avast's 2019 Smart Home Security Report includes data from 16 million different homes around the world; a total of 56 million devices were scanned to gather the data.

Users Making Themselves Vulnerable To Hackers; Keeping Outdated Versions of Popular Applications on Their PCs

Users and their personal information are increasingly exposed to security risks, according to yet another piece of research from the global security company Avast, which has released its PC Trends Report 2019.

According to the report, users are making themselves defenseless against hackers by not applying security patches and by keeping outdated versions of well-known applications on their PCs, including Adobe Shockwave, VLC Media Player and Skype.

This is a matter of grave concern, as outdated software is becoming one of the greatest cyber-attack risks: it gives hackers unauthorised access to the system through known vulnerabilities with which they can easily exploit the user in question.

"While most of us replace our smartphone regularly, the same cannot be said for our PCs. With the average age of a PC now reaching six years, we need to be doing more to ensure our devices are not putting us at unnecessary risk, but with the right amount of care, such as cleaning our hardware's insides using cleaners, optimisation and security products, PCs will be safe and reliable for even longer," says Ondrej Vlcek, President, Avast.

The report is said to have gathered information from approximately 163 million devices around the globe, and covers the most popular PCs, software, and hardware in use worldwide today. Among the installed applications, 55% are not the latest version; such applications contain known vulnerabilities and, for security reasons, ought to be updated as soon as possible.

The most installed software of 2018 included Google Chrome, Adobe Reader, WinRAR, Microsoft Office, and Mozilla Firefox.

Android Devices with Pre-Installed Malware

Avast Threat Labs has recently discovered pre-installed adware on a few hundred different Android device models and versions, including devices from manufacturers such as ZTE and Archos.
The adware analyzed was previously described by Dr. Web, which gave it the name "Cosiloon."

The adware has been active for at least three years and is hard to remove, as it is installed at the firmware level and uses strong obfuscation. Thousands of users are said to have been affected; in the previous month alone, the latest version of the adware was observed on around 18,000 devices belonging to Avast users in more than 100 countries, including Russia, Italy, Germany, the UK, and a few users in the U.S.

The adware creates an overlay to display an advertisement over a webpage within the user's browser, as shown in the screenshots below:

[Screenshots of the advertisement overlay in the browser]
Google is working on fixing the malware's application variants on Android smartphones using internally developed techniques. Despite the existence of Google Play Protect, the malware comes pre-installed, which makes it harder to address. Google is currently contacting various firmware developers to raise awareness of these concerns and encourage them to take effective steps as well.

However, it is unclear how the adware got onto the devices, and the malware authors kept updating the control server with new payloads. Meanwhile, manufacturers also continued to ship new devices with the pre-installed dropper.

The payload was updated again on April 8th, 2018, and the name in the application launcher changed to "Google Download"; some class names in the code also changed, likely in an attempt to avoid detection. The malware is part of the chipset platform bundle, which is reused across different brands; the chipset in question is from MediaTek, running Android versions ranging from 4.2 to 6.0.

Avast says that some anti-virus applications detect the payloads, but the dropper immediately installs them again, and the dropper itself cannot be removed that way, so the device will always host a mechanism that allows an unknown party to install any application they want on it.

Avast announced the acquisition of Mobile Virtualization Company 'Remotium'

Avast Software, maker of the most trusted mobile and PC security products in the world, on July 8 announced the acquisition of Remotium, a leader in virtual enterprise mobility whose technology enables enterprises to extend access securely, simply, and cost-effectively to business-critical applications in a bring-your-own-device (BYOD) environment.

According to a press statement posted by the company, the acquisition of the Silicon-Valley-based start-up will allow Avast to expand its offering of mobile security applications to the enterprise space.

The entire Remotium team has joined the global organization of more than 600 Avast employees.

Like Avast, Remotium, which won "Most Innovative Company" at RSA Conference 2013, solves the challenges of delivering corporate applications to employees’ mobile devices by creating a smooth user experience, while assuring data security and compliance.

The company said that its product, Virtual Mobile Platform (VMP), which enables access to enterprise applications from any mobile or desktop device, allows users to work from anywhere in the office, remotely from their home office or while on business trips.

It is said that users can connect to their VMP from any device they are using, whether smartphones, tablets, or desktops, in order to access their corporate tools, apps and data.

Vince Steckler, CEO at Avast, said that Remotium's mobile solutions address the needs of modern enterprises.

"As more and more companies support BYOD policies, the question of how to implement these policies efficiently and securely is top of mind for everyone. With Remotium's technology, companies have visibility and security needed to ensure data integrity and corporate compliance. At the same time, users enjoy increased privacy, as well as apps that look and feel consistent across mobile and desktop platforms. We are pleased to add the Remotium staff to our team; together we will further accelerate Remotium's growth and expand its capabilities across enterprise mobility platforms," he added.

Stephanie Fohn, CEO at Remotium, said, "The Remotium team and I are very excited about joining Avast Software. Avast has a long history in creating innovative, best-in-class security for personal and commercial use. We look forward to extending our technology leadership position and continuing to deliver groundbreaking enterprise mobility solutions to meet the needs of the enterprise."