Search This Blog

Showing posts with label Check Point. Show all posts

Phorpiex Malware has Shut Down their Botnet and Put its Source Code for Sale

 

The Phorpiex malware's creators have shut down their botnet and are selling the source code on a dark web cybercrime forum. The ad states that none of the malware's two original authors are participating in maintaining the botnet, which is why they opted to sell its source code. It was posted on 27th August by an individual previously associated with the botnet's operation. 

Phorpiex, a long-running botnet notorious for extortion schemes and old-school worms delivered via removable USB drives and instant messaging programmes, has been broadening its architecture in recent years in order to become more durable and deliver more deadly payloads. 

These operations had extended to encompass bitcoin mining, which had previously included extortion and spamming. Researchers have noticed an upsurge in data exfiltration and ransomware delivery since 2018, with the bot installer releasing malware such as Avaddon, Knot, BitRansomware (DSoftCrypt/ReadMe), Nemty, GandCrab, and Pony, among others. 

“As I no longer work and my friend has left the biz, I’m here to offer Trik (name from coder) / Phorpiex (name fomr AV firms) source for sell [sic],” the individual said on Friday in a forum post spotted by British security firm Cyjax. 

The ad's legitimacy was confirmed by Alexey Bukhteyev, a malware reverse engineer for security firm Check Point. “The description of the malware is very similar to what we saw in the code,” Bukhteyev said. The malware's command and control (C&C) servers have been inactive for approximately two months, according to the researcher, who previously researched the Phorpiex virus in 2019. 

The last command the bot received from the Phorpiex C&C servers was on July 6, 2021, according to Bukhteyev, who has been running a phoney Phorpiex bot in order to spy on its operations. The command was a self-explanatory "SelfDeletion" instruction. The botnet appears to have vanished from open-source reports since then. 

"As we know, the source code is private and hasn’t been sold before. Therefore, this [forum ad] looks really believable,” Bukhteyev said. “However, we can be totally sure if we buy it. The binaries are quite straightforward, and we can easily confirm that the source code is for this bot indeed, if we get it."

Even if the botnet C&C servers are down, Bukhteyev warns that if someone buys the code, they can set up new ones and hijack all the already infected systems.

Snake Keylogger: Enters Top 10 List for the Most Prominent Malwares

 

Check Point Research reveals that for straight three months the Trickbot is by far the most common malware, whereas, for the very first time, the Snake Keylogger is the second most prevalent malware.
 
The Snake Keylogger, first spotted in November 2020  is a modular.NET keylogger and credential stealer. Snake Keylogger has advanced to the position of second-most frequent malware variant in the world and has become increasingly popular in recent weeks as per the Check Point’s Global Threat Index for July 2021. 

The main function of the malware is to capture keystrokes of users on computers or mobile devices and then to pass over the collected information to the rogue software's cyber thieves and hackers. 

Infections with Snake Keylogger are indeed a huge threat to the data privacy of any user and internet security because spyware can stole nearly everything. It is also usually considered to be an especially deceptive and persistent keylogger. After a spur of effective phishing attacks, Snake Keylogger has become extremely prevalent. The malware is currently purchasable at a variety of underground sites, with purchasers being able to buy the malware for only $25. 

Check Point researchers have shown that Snake Keylogger attacks are typically very efficient because of the human tendency to use the same password and username on many accounts. Thereby, after an infringement of a certain login credential, malicious hackers get access to all accounts using the same password. 

Maya Horowitz, VP of Check Point Research, recommended that users must employ a "unique option" for each of the many profiles to stop such cyberattacks. “When it comes to password policies, choosing a strong, unique password for each service is the best advice, then even if the bad guys do get hold of one of your passwords, it won’t immediately grant them access to multiple sites and services,” she further explained. 

“Where possible, users should reduce the reliance on passwords alone, for example by implementing Multi-Factor Authentication (MFA) or Single-Sign-On (SSO) technologies,” Horowitz added. Keeping vigilance whenever visiting the web or checking emails is highly encouraged by Horowitz. 

As 'Keyloggers' are frequently spread through phishing emails, users must be aware of subtle anomalies, such as errors in URLs and email addresses. They must avoid clicking on malicious links or downloading any unusual attachments. 

Check Point research also identified some of the world's leading malware families, as well as provided information on rising mobile malware activity. It affirms that Trickbot is indeed the world's most popular malware that has an impact of 4%, trailed by Snake Keylogger and XMRig, each with worldwide impacts of 3%. Trickbot is an ongoing modular Botnet and Banking Trojan with new functions, features, and vectors for propagation. Meanwhile, XMRig which was first seen in the wild in May 2017  is an open-source CPU mining program that is used for Monero cryptocurrency mining. 

Throughout the month of July, xHelper was recognized as one of the most widespread mobile viruses in the world, followed by AlienBot and Hiddad. Studies indicate that xHelper has been around since March 2019. Whereas, Hiddad is an Android trojan that repackages and delivers legitimate programs to a third-party store. The primary purpose of the malware is to show advertisements. 


Kindle's E-book Vulnerability Could Have Been Exploited to Hijack a User's Device

 

Amazon patched a significant vulnerability in its Kindle e-book reader platform earlier this April, which could have been used to gain complete control of a user's device and steal sensitive data by simply deploying a malicious e-book. "By sending Kindle users a single malicious e-book, a threat actor could have stolen any information stored on the device, from Amazon account credentials to billing information," Yaniv Balmas, head of cyber research at Check Point, said in an emailed statement. "The security vulnerabilities allow an attacker to target a very specific audience."

In other words, if a threat actor wanted to target a certain group of individuals or demographic, the adversary could tailor and coordinate a highly targeted cyber-attack using a popular e-book in a language or dialect widely spoken among the group.

Threat actors might readily target speakers of a specific language, according to Balmas. To target Romanians, for example, they would only need to publish a bestselling book in that language as an e-book. Because the majority of people who download that book will almost certainly speak Romanian, a hacker may be confident that nearly all of the victims will be Romanian. 

“That degree of specificity in offensive attack capabilities is very sought after in the cybercrime and cyber-espionage world. In the wrong hands, those offensive capabilities could do some serious damage, which concerned us immensely,” Balmas said. 

Following a responsible disclosure of the problem to Amazon in February 2021, the retail and entertainment behemoth released a patch in April 2021 as part of its 5.13.5 edition of Kindle software. The flaw is exploited by sending a malicious e-book to an intended victim, who, upon opening the book, triggers the infection sequence without any interaction from the user, allowing the threat actor to delete the user's library, gain full access to the Amazon account, or turn the Kindle into a bot for striking other devices in the target's local network. 

The flaw is in the firmware's e-book parsing architecture, notably in the implementation of how PDF documents are opened, which allows a malicious payload to be executed on the device. 

"Kindle, like other IoT devices, are often thought of as innocuous and disregarded as security risks," Balmas said. "These IoT devices are vulnerable to the same attacks as computers. Everyone should be aware of the cyber risks in using anything connected to the computer, especially something as ubiquitous as Amazon's Kindle."

Chinese Hackers Cloned Exploit Tool Belonging to NSA

 

A Chinese hacking group allegedly "cloned" and deployed a zero-day exploit created by the U.S. National Security Agency's Equation Group before Microsoft fixed the Windows vulnerability that was being misused in 2017, as indicated by an analysis published on Monday by Check Point Research. For quite a long while, researchers had presumed the Chinese hacking group known as APT31 or Zirconium had built up an exploit tool to take advantage of a vulnerability tracked as CVE-2017-0005 and found in more seasoned renditions of Windows, like Windows 7 and Windows 8, as indicated by the report. 

The report brings up additional questions about how some of the NSA's most valued cyberweapons have been found or stolen by nation-state hacking groups and then turned on their developers over the years. In May 2019, Symantec published a similar report that found another group of hackers had taken and exploited cyber tools developed by the NSA. Both the Symantec and Check Point research show that the burglary of NSA Equation Group devices by these groups seems to have occurred before the hacking group known as the Shadow Brokers first began publishing the agency's exploits in 2016. 

Security research previously noted that a zero-day exploit was created for CVE-2017-0005, called "Jian," in 2014 and initially deployed it in 2015. The exploit was utilized for a very long time before Microsoft at last issued a patch for it in 2017. Whenever exploited, this bug could permit an attacker to escalate privileges inside an undermined device and afterward acquire full control, the researchers note. Microsoft published its fix for CVE-2017-0005 in March 2017, when the company was forced to issue multiple fixes for the exploits related to the Shadow Brokers "Lost in Translation" leak, Check Point notes. 

A further investigation by Check Point found that Jian was not an original creation, but rather a clone of a zero-day exploit for more seasoned renditions of Windows created by the NSA Equation Group in 2013 and initially called "EpMe" by the agency, as per the new report. 

 In another case documented by Symantec in 2019, APT3 "Buckeye" was connected to assaults utilizing Equation Group tools in 2016, before the Shadow Brokers leak.

Domestic Kitten - An Iranian Surveillance Operation

 

Check Point researchers as of late revealed the full degree of Domestic Kitten's broad surveillance operation against Iranian residents that could pose a threat to the security of the Iranian system. The actual operation is linked to the Iranian government and executed by APT-C-50. Started in 2017, this operation comprised 10 unique campaigns, targeted more than 1,200 people with more than 600 effective infections. It incorporates 4 currently active campaigns, the latest of which started in November 2020. In these campaigns, victims are tricked to install a malicious application by various vectors, including an Iranian blog website, Telegram channels, and even by SMS with a link to the noxious application. 

The victims incorporate prominent scholastics, activists and business pioneers in Iran and elsewhere, and government authorities in the United States and Europe, researchers at Israeli cybersecurity firm Check Point said in a couple of reports released on Monday. 

The APT uses versatile malware called FurBall. The malware depends on commercially-available monitoring software called KidLogger, and as indicated by the researchers, "it seems that the developers either obtained the KidLogger source code or reverse-engineered a sample and stripped all extraneous parts, then added more capabilities." FurBall is spread through an assortment of assault vectors including phishing, Iranian sites, Telegram channels, and employing SMS messages containing a link to the malware. The malware uses an assortment of disguises to attempt to fool a victim into the installation, for example, being packaged as "VIPRE" mobile security, masquerading as a news outlet app, acting as repackaged legitimate mobile games found on Google Play, app stores, restaurant services, and wallpaper applications. 

When installed on a target device, FurBall can intercept SMS messages, get call logs, gather device information, record communication, steal media and stored files, monitor device GPS coordinates and so track their target's movements, and more. At the point when data has been accumulated from the compromised device, it very well may be sent to command-and-control (C2) servers that have been utilized by Domestic Kitten since 2018. Linked IP addresses were found in Iran, in both Tehran and Karaj.  

On Monday, Check Point researchers, along with SafeBreach, additionally uncovered the activities of a subsequent danger group that is effectively focusing on Iranian dissidents but rather than focus on their smartphones, their PCs are at risk.

Check Point: What to expect from hackers in 2021

The pandemic has made its own adjustments in all areas of modern life. The attackers changed the targets of their attacks, choosing new priority areas of hacking, including focusing on the medical industry. Founder and CEO of information security company Check Point Software Technologies Gil Shwed told how hacker attacks have changed in the pandemic and what to expect from cybercrime in the future.

Gil Shwed suggested that in 2021, first, since the coronavirus and the fight against it will continue to bother humanity, then pharmaceutical companies working on the development of vaccines and medicines will most likely be attacked.

Secondly, while schoolchildren and students study from home, most likely, hackers will be interested in distance learning systems as well.

Third, it can be expected that botnets will increasingly be used in attacks. Hackers have already transformed many existing malicious applications into botnets to create entire armies of infected computers for cyber attacks.

The fourth expected point is that cyberwarfare will be at the global level.

Mr. Shwed noted that attacks on hospitals, research laboratories, especially during the period of COVID-19 are an opportunity for attackers to get ransom or attention.

The goals of cybercriminals who attack medical institutions can be different - both obtaining financial gain, and causing harm, and gaining widespread publicity. For example, medical records are sold in Darkweb for up to $1,000 per record.

In addition, medical devices such as insulin injectors, heart monitors, and pacemakers can be targeted.  

Check Point researchers have demonstrated the ease with which an ultrasound machine running on an old Windows operating system can be hacked, revealing an entire database of patient images. Unsurprisingly, there has been a 75% increase in ransomware attacks on healthcare facilities in recent months.

Microsoft's researchers said that hackers from only three countries carried out 89% of national cyberattacks this year. Attacks were extremely common, and their target was events of various levels, from elections to the Olympic Games. And also in 2021, the active use of deepfakes is expected.

Earlier E Hacking News reported that Russian hackers gained access to the source codes of Microsoft programs and systems. The organization assured that there is no reason to believe that hackers gained access to services for maintenance of its products or to customer data.

Check Point: 56 apps from the Google Play Store hide a new dangerous malware


Check Point experts have identified a new family of malware in the Google Play Store. It was installed in 56 Google Play Store apps that have been downloaded almost a million times by users worldwide. 24 apps among the damaged 56 are children's games, as well as utilities such as calculators, translators, cooking apps and others. As it is specified, applications emulate the behavior of a real user.

Tekya malware uses the MotionEvent mechanism in Android that simulates a click on an ad banner (first discovered in 2019) to simulate user actions and generate clicks.

Imitating the actions of a real person does not allow the program or a third-party observer to understand the presence of fraud. This helps hackers to attack online stores, make fraudulent ads, promote advertising, promote sites in search engine results, and also serve to carry out banking operations and other illegal actions.

During the research, Tekya went unnoticed by the VirusTotal and Google Play Protect programs.
Hackers created copies of official popular apps to attract an audience, mostly children since most apps with Tekya malware are children's games.

However, the good news is that all infected apps have already been removed from the Google Play.
This case shows that malicious app features can still be found in Google Play. Users have access to almost 3 million apps in the Google Play Store, and hundreds of new ones are downloaded daily, making it difficult to check the security of each individual app.

Although Google is taking steps to ensure security and prevent malicious activity on the Google Play Store, hackers are finding ways to access users' devices through the app store. So, in February, the Haken family of malware was installed on more than 50 thousand Android devices through various applications that initially seemed safe.

Check Point: coronavirus has become a tool for hacker attacks on users and businesses


According to Check Point Threat Intelligence, more than 4,000 coronavirus-related domains have been registered worldwide since January 2020. 3% of these sites have already been identified as malicious, and another 5% as suspicious.

According to experts, hackers send spam with a link to a malicious site on behalf of trusted organizations to encourage a potential victim to click on it. When you click the link, malware is automatically installed on the user's device.

So, Check Point discovered a phishing attack allegedly on behalf of the World Health Organization (WHO), which spread in Italy. Experts noted that 10% of organizations in Italy were subjected to this attack.

Moreover, a website registered in Russia in February 2020 was discovered. The attackers offered to buy "the best and fastest test for detecting coronavirus at a fantastic price — 19,000 rubles ($264)".
In addition, a large spam campaign was recorded in Japan. There, attackers send spam on behalf of the Japanese Society for the rehabilitation of disabled persons (JSRD). Emails report the spread of the coronavirus in several cities in Japan, prompting the recipient to open the document.
If the user is interested and opens the attachment, the Emotet Trojan will be downloaded to their computer.

According to experts, as the spread of the coronavirus continues, scammers will continue to use the coronavirus theme to carry out attacks on users and businesses.

Any events that cause mass discussion or are popular, especially negative ones, are an occasion for fraudsters to realize their plans, said Alexey Dankov, head of the information security Department at Cross Technologies. In this case, they use the news as an excuse to get data, and people who are panicked lose their vigilance and, as a result, trust scammers.

"A virus that has become a pandemic is a great reason for cybercriminals to get the desired information on accounts and personal information," added Mr. Dankov.