
New Lampion Trojan Found Attacking Portuguese Users


There's a new Trojan in town: the "Lampion" Trojan. According to the security researchers who discovered it, the malware is distributed via phishing emails that target Portuguese users and appear to come from the Portuguese Government Finance & Tax authority.


How does it attack?

  • The Segurança-Informática Lab (SI-Lab) reports that the phishing email distributing the Trojan impersonates government mail, this time from the Portuguese Government Finance & Tax authority.
  • The email tells users that they have a debt from the year 2018.
  • It then asks the user to click on a link to clear the issue and avoid being scammed.
  • As soon as the victim clicks on the link in the body of the email, the Trojan is downloaded onto the system from an online server.
  • The downloaded file is a compressed archive called FacturaNovembro-4492154-2019-10_8.zip. When the user unzips it, they will see three files: a PDF, a VBS script, and a text file.


The file

  • The file FacturaNovembro-4492154-2019-10_8.zip is only the first stage of the Trojan's infection chain. It acts as a dropper and a downloader.
  • The dropper then downloads the next set of files from the online server. When executed, it downloads two more files: P-19-2.dll and 0.zip. P-19-2.dll is the actual Lampion Trojan.
  • The DLL file contains a name in Chinese and a message for the victim.


The Lampion Trojan

The Lampion Trojan is an improved variant of the Trojan-Banker.Win32Chierro family, developed in Delphi. It has both anti-debug and anti-VM techniques that make its removal quite difficult, whether in a sandbox environment or manually. Security researchers analysed the captured samples of the Trojan and found that it can perform the following actions: Remote Connection; Startup Network; Resources Retrieval; Network Resources Manipulations and Redirect Folder Path; Retrieval Messages Communications; Communications Parameters Changes; Custom Functions; Dialog Box; Spawning Code and Logic Storage.

Cyware Social reports that "Lampion trojan is involved in capturing data belonging to both the users and infected systems. The collected information includes system information pages, installed software, web browser history, clipboard, details of the file system, etc."

It can also give hackers access to perform functions on the infected machine through a web interface.

GetCrypt Ransomware: Modus Operandi and Solutions




A new ransomware on the dark market encrypts all the files on the device. It is installed via "malvertising" campaigns that redirect victims to the RIG exploit kit.


Security researchers found it while it was being installed by way of the RIG exploit kit in the "Popcash" malvertising campaigns.

First the victim is redirected to a page hosting the exploit kit, and then the malicious scripts on that page try to exploit vulnerabilities on the device.

If all goes well, the exploit kit downloads and installs GetCrypt on Windows.

How GetCrypt Works
Reportedly, when the exploit kit executes the ransomware, GetCrypt checks whether the Windows language is set to Russian, Ukrainian, Kazakh or Belarusian.

If so, the ransomware immediately terminates and no encryption happens. If not, the ransomware reads the CPUID of the computer.

The ID is used to create a 4-character string, which is used as the extension for encrypted files.

This four-character extension is appended to each file's name as the file is encrypted, so the files' names change after encryption.

Later on, the Shadow Volume Copies are cleared by running the command vssadmin.exe delete shadows /all /quiet.

Then the ransomware starts scanning the computer for files to encrypt. No particular file types are targeted; all files are encrypted except those located under the following folders:
  • :\$Recycle.Bin
  • :\ProgramData
  • :\Users\All Users
  • :\Program Files
  • :\Local Settings
  • :\Windows
  • :\Boot
  • :\System Volume Information
  • :\Recovery
  • AppData

According to the sources, GetCrypt uses the Salsa20 and RSA-4096 algorithms for encryption.

GetCrypt also creates a ransom note, named #decrypt my files#.txt, in each folder as it encrypts the files.

The aforementioned ransom note commands the victim to contact getcrypt@cook.li for payment instructions.

GetCrypt also changes the victim's desktop background to an image with the ransom note written all over it, which is stored at %LocalAppData%\Tempdesk.bmp.

In addition to everything else it does, GetCrypt also tries to encrypt files on network shares, and while doing so it attempts to brute force the network account credentials.

It uses an embedded list of usernames and passwords to connect to the network shares, using the WNetEnumResourceW function.

It can also try to brute force the credentials and mount the shares using the WNetAddConnection2W function.
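As an added defender-side example (not code from the original post or from any vendor), the following Python checks process- and file-creation records for the host artifacts described above: the vssadmin shadow-copy deletion command, the #decrypt my files#.txt ransom note, and the extra four-character extension appended to encrypted files. The record format, field names and sample events are constructed for this illustration.

```python
import re

# Constructed sample events loosely modelled on Sysmon process-create and
# file-create records (not taken from the original post).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "file", "path": r"C:\Users\alice\Documents\#decrypt my files#.txt"},
    {"type": "file", "path": r"C:\Users\alice\Documents\report.docx.a1b2"},
    {"type": "file", "path": r"C:\Users\alice\Documents\notes.txt"},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},   # benign, must not fire
]

# Shadow-copy deletion as the post describes it: "delete shadows" with both
# /all and /quiet present, in either order (lookaheads), case-insensitive.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows\b(?=.*\s/all\b)(?=.*\s/quiet\b)", re.I)
RANSOM_NOTE = "#decrypt my files#.txt"
# Original extension followed by the 4-character CPUID-derived suffix.
# This is a weak, noisy heuristic on its own; treat it as corroboration only.
APPENDED_EXT = re.compile(r"\.[A-Za-z0-9]{1,5}\.[A-Za-z0-9]{4}$")


def classify(event):
    """Return an indicator name for a single event, or None if it is benign."""
    if event["type"] == "process":
        return "shadow_copy_deletion" if SHADOW_DELETE.search(event["cmdline"]) else None
    name = event["path"].rsplit("\\", 1)[-1]
    if name.lower() == RANSOM_NOTE:
        return "ransom_note"
    if APPENDED_EXT.search(name):
        return "double_extension"
    return None


def summarize(events):
    """Count how many events matched each indicator."""
    counts = {}
    for ev in events:
        verdict = classify(ev)
        if verdict:
            counts[verdict] = counts.get(verdict, 0) + 1
    return counts


def likely_ransomware(events):
    """High-confidence indicators alone, or shadow deletion plus renamed files."""
    c = summarize(events)
    return "ransom_note" in c or ("shadow_copy_deletion" in c and "double_extension" in c)
```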

Solution
All you need to get your files decrypted for free is an unencrypted copy of one of your encrypted files.

Simply download the decrypt_GetCrypt.exe program from the following link and save it on your desktop:

Once downloaded, run the decryptor and select an encrypted file you wish to decrypt together with its unencrypted version.

Click on the Start button. The decryptor will now brute force your decryption key and VOILA! Your files will get decrypted.

"Narcos" helping users to potentially curb cybercrime




The dark web isn't only a market for illicit drugs and stolen Visa or credit card numbers; rising beneath the surface of this already murky marketplace is a growing economy built on stolen identities.

There is growing demand for privileged user logins on the dark web, and the consequences could be devastating for organizations and businesses around the world.
It is comparable to the famous Netflix original series "Narcos", which recounts the story of former drug kingpin Pablo Escobar, who in his prime made as much profit trafficking cocaine in a year as the entire gross national output of Colombia. And while there were many factors that led to the rise of Escobar, the most critical was growing worldwide demand.

Amid all this, a simple formula applies, from consumer credit card logins to iOS administrator credentials:

The more access someone has to a system, the more valuable their identity is on the dark web.

Experts estimate that AlphaBay, which was taken down in July, took in a stunning $800,000 a day, demonstrating that the money made on the black market can overshadow what many of the top security organizations, who are in charge of protecting these identities, earn every year.

Today almost 80 per cent of all cyber security breaches involve privileged login credentials, according to Forrester Research.

In the wrong hands, those privileged logins can wreak havoc on a business, either through an orchestrated insider attack or by shutting a system down for ransom.
In a recent example highlighted in a report from BAE Systems and PwC, a group called APT10 focused solely on the privileged credentials of managed IT service providers (MSPs), which gave the attackers unprecedented potential access to the intellectual property and sensitive information of those MSPs and their customers worldwide.

The dark web is so lucrative that anybody with software engineering skills and a wayward moral compass can attempt to cash in; therefore one cannot ward off every attempt to break into their system.

Understanding that, we must ensure that no user has full, uncontrolled and unregulated access to our networks and systems. It becomes clear that the best way to deter hackers hoping to sell your privileged credentials on the dark web is to devalue those credentials as much as possible.

To bring this back to "Narcos": if cocaine users during Escobar's reign as a narco-trafficker had suddenly become immune to the effects of the drug, the market demand, and the fortune Pablo Escobar was hoarding, would have quickly dried up.

Similarly, if we could curb the ease with which criminals can use privileged credentials, we could potentially control cybercrime. The same is true for offering and selling credentials and certifications alike on the dark web.


Sensors existing in smartphones themselves present a gateway to hackers.

According to a study led by Indian-origin scientist Shivam Bhasin (NTU Senior Research), data from your smartphone's sensors can reveal PINs and passwords to hackers and allow them to unlock your mobile devices. Researchers from Nanyang Technological University (NTU) in Singapore used the sensors in a smartphone to model which number had been pressed by its user, based on how the phone was tilted and how much light was blocked by the thumb or fingers.

Instruments in smartphones such as the gyroscope and proximity sensor represent a potential security vulnerability, the researchers said.

Using machine learning algorithms and a combination of data gathered from six different sensors found in smartphones, the researchers succeeded in unlocking Android smartphones with 99.5 per cent accuracy within three tries, when attacking a phone that used one of the 50 most common PIN numbers.

The team of specialists took Android phones and installed a custom application which gathered information from six sensors: accelerometer, gyroscope, magnetometer, proximity sensor, barometer, and ambient light sensor.

"When you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9, is very different. Likewise, pressing 1 with your right thumb will block more light than if you pressed 9," said Bhasin.

Although every individual enters the security PIN on their phone differently, the researchers demonstrated that as data from more individuals is fed to the algorithm over time, the success rate improves.

So while a malicious application is unlikely to correctly guess a PIN immediately after installation, by using machine learning it could gather data from a huge number of users over time, learn each user's PIN entry pattern, and then launch an attack later when the success rate is substantially higher.

The study demonstrates how devices with apparently strong security can be attacked through a side channel, as sensor data could be diverted by malicious applications to spy on user behaviour and help recover PIN and password data, said Professor Gan Chee Lip from NTU.

To keep mobile phones secure, Dr Bhasin encourages users to choose PINs with more than four digits, combined with other authentication methods such as one-time passwords, two-factor authentication, and fingerprint or facial recognition.