Search This Blog

Showing posts with label Kaspersky. Show all posts

Kaspersky detected a new method of cyber attacks on corporate data

Kaspersky Lab noted that the new attacks differ from cyberattacks using encryption viruses in that the scammers do not use specially created malware, but the standard BitLocker Drive Encryption technology included in the Windows operating system. Several Russian companies have been hit by ransomware attacks that have blocked access to corporate data and demanded a ransom.

The company explained that scammers get into the corporate network with the help of phishing emails that are sent on behalf of different companies in order to obtain user data or vulnerabilities in the system. After that, they find the BitLocker function in the control panel, perform encryption, and assign themselves the keys, usernames, and passwords that this program generates.

As the company said, as soon as the scammers get access to the server, which contains information about all corporate devices, they can completely encrypt the IT infrastructure of the organization.

Sergey Golovanov, the chief expert at Kaspersky Lab, explained that it is now difficult to estimate the actual number of attacks since the attackers use standard operating system tools.

"At this stage, we can assume that this is not a targeted campaign: the attacked companies are not similar both in size and in areas of activity," the expert said. According to Mr. Golovanov, scammers make phishing emails without taking into account the specifics of the enterprise and are widespread.

Earlier, Kaspersky Lab recorded hacker attacks on ten Russian financial and transport companies using a previously unknown Quoter ransomware program, as well as phishing emails with a banking Trojan program. The hackers sent out phishing emails with topics such as "Request for refund" or "Copies of Last Month's documents". As soon as the recipient clicked on the link or opened the attachment, a malicious RTM Trojan was downloaded to their device.

Kaspersky Discovered Purple Lambert to be a Part of the CIA

 

Kaspersky Lab, a cybersecurity company, has uncovered a new malware that analysts believe is linked to the US Central Intelligence Agency. Multiple antivirus providers obtained a series of malware samples in February 2019, according to Kaspersky experts, some of which cannot be linked to the operation of established APT classes. There were no parallels between these malware strains and malware affiliated with other APT classes.

Although an initial investigation revealed no common code with any previously-known malware samples, Kaspersky recently re-analyzed the files and discovered that “the samples have intersections with coding patterns, style, and techniques that have been used in different Lambert families,” according to the company. Lamberts is Kaspersky's internal codename for tracking CIA hacking operations.

Kasperksy has dubbed this new malware cluster Purple Lambert due to the shared similarity between these recently found samples and previous CIA malware. The malware samples seem to have been collected seven years earlier, in 2014, according to Purple Lambert metadata. Although Kaspersky has not seen any of these samples in the wild, it believes Purple Lambert samples were “most certainly deployed in 2014 and probably as late as 2015.”

“Although we have not found any shared code with any other known malware, the samples have intersections of coding patterns, style and techniques that have been seen in various Lambert families. We therefore named this malware Purple Lambert.” states the APT trends report Q1 2021 published by Kaspersky. “Purple Lambert is composed of several modules, with its network module passively listening for a magic packet. It is capable of providing an attacker with basic information about the infected system and executing a received payload. Its functionality reminds us of Gray Lambert, another user-mode passive listener. Gray Lambert turned out to be a replacement of the kernel-mode passive-listener White Lambert implant in multiple incidents. In addition, Purple Lambert implements functionality similar to, but in different ways, both Gray Lambert and White Lambert.” 

While the Lambert APT (also known as the Longhorn APT) has been present since at least 2008, the first samples were discovered in 2014. The group is extremely advanced, and it has penetrated organisations all over the world with a sophisticated cyberattack network that can hack both Windows and Mac systems. The researchers discovered and studied numerous backdoors and hacking methods that make up the cyberespionage group's arsenal over the years.

APKPure Compromised to Deliver Malware

 

APKPure, one of the biggest alternative application stores outside of the Google Play Store, was tainted with malware this week, permitting threat actors to disseminate Trojans to Android gadgets. In an incident that is like that of German telecommunications equipment manufacturer Gigaset, the APKPure customer variant 3.17.18 is said to have been altered trying to trick unsuspecting clients into downloading and installing noxious applications linked to the malevolent code incorporated into the APKpure application. The development was reported by researchers from Doctor Web and Kaspersky. 

“Doctor Web specialists have discovered a malicious functionality in APKPure—an official client application of popular third-party Android app store. The trojan built into it downloads and installs various apps, including other malware, without users’ permission.” reads a post published by Doctor Web. "This trojan belongs to the dangerous Android.Triada malware family capable of downloading, installing, and uninstalling software without users' permission," Doctor Web researchers added.

Triada was designed with the particular purpose to carry out financial frauds, typically hijacking financial SMS transactions. The most intriguing trait of the Triada Trojan is its modular architecture, which gives it theoretically a wide range of abilities. 

As per Kaspersky, the APKPure rendition 3.17.18 was altered to incorporate an advertisement SDK that goes about as a Trojan dropper intended to convey other malware to a victim's gadget. "This component can do several things: show ads on the lock screen; open browser tabs; collect information about the device; and, most unpleasant of all, download other malware," Kaspersky's Igor Golovin said. In light of the discoveries, APKPure has released another rendition of the application (form 3.17.19) on April 9 that eliminates the malevolent part. "Fixed a potential security problem, making APKPure safer to use," the developers behind the app distribution platform said in the release notes.

“If the user has a relatively recent version of the operating system, meaning Android 8 or higher, which doesn’t hand out root permissions willy-nilly, then it loads additional modules for the Triada Trojan. These modules, among other things, can buy premium subscriptions and download other malware. If the device is older, running Android 6 or 7, and without security updates installed (or in some cases not even released by the vendor), and thus more easily rootable, it could be the xHelper Trojan.” states Kaspersky.

Cring Ransomware Attacks Exploited Fortinet Flaw

 

Ransomware operators shut down two production facilities having a place with a European manufacturer in the wake of conveying a relatively new strain that encrypted servers that control a manufacturer's industrial processes, a researcher from Kaspersky Lab said on Wednesday. Threat actors are abusing a Fortinet vulnerability flagged by the feds a week ago that conveys a new ransomware strain, named Cring, that is targeting industrial enterprises across Europe. 

Researchers say the attackers are misusing an unpatched path-reversal flaw, followed as CVE-2018-13379, in Fortinet's FortiOS. The objective is to access the victim's enterprise networks and eventually convey ransomware, as indicated by a report by Kaspersky Lab. “In at least in one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted,” Kaspersky senior security researcher Vyacheslav Kopeytsev wrote in the report. 

Cring is relatively new to the ransomware threat scene—which as of now incorporates prevailing strains REvil, Ryuk, Maze, and Conti. Cring was first noticed and revealed by the analyst who goes by Amigo_A and Swisscom's CSIRT team in January. The ransomware is one of a kind in that it utilizes two types of encryption and annihilates backup files to threaten victims and keep them from retrieving backup files without paying the ransom. A week ago, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) cautioned that nation-state advanced persistent threat (APT) groups were effectively abusing known security vulnerabilities in the Fortinet FortiOS operating system, influencing the organization's SSL VPN items. 

In its report, Kaspersky echoed the feds cautioning adding attackers are first scanning connections with Fortinet VPNs to check whether the software utilized on the gadget is the vulnerable version. The objective is to crack open affected hardware, give adversaries admittance to network credentials, and build up traction in the targeted network, Kopeytsev clarified. “A directory-traversal attack allows an attacker to access system files on the Fortigate SSL VPN appliance,” he wrote. “Specifically, an unauthenticated attacker can connect to the appliance through the internet and remotely access the file ‘sslvpn_websession,’ which contains the username and password stored in cleartext.”

Kaspersky detected new ransomware attack on Russian companies

Kaspersky Lab has recorded a series of targeted attacks targeting Russian financial and transport companies. Hackers used a previously unknown ransomware virus

According to a statement from Kaspersky Lab, since December 2020, ten Russian financial and transport companies have been subjected to hacker attacks using the previously unknown Quoter ransomware. Experts believe that the Russian-speaking group RTM is engaged in this.

The hackers sent out phishing emails, choosing topics that they calculated should force the recipient to open the message, for example, "Request for refund", "Copies of documents from the last month" and so on. As soon as the recipient clicked on the link or opened the attachment, the RTM Trojan was downloaded to their device.

Then the attackers tried to transfer money through accounting programs by replacing the details in payment orders or manually using remote access tools. If they failed, they used Quoter, which encrypted the data using the AES cryptographic algorithm and left contacts for communication with hackers. If the recipient did not respond, they threatened to make the stolen personal data publicly available and attached evidence, and demanded about $1 million as a ransom.

Sergey Golovanov, a leading expert at Kaspersky Lab, warned that the attacks pose a serious threat to companies, as hackers use several tools at once: a phishing email with a banking Trojan and an encryption program.

"Among the features of this campaign is that the Russian-speaking RTM attackers changed the tools used for the first time, moreover, now they are attacking Russian companies," said Mr. Golovanov, noting that usually encryption programs are used in attacks on foreign organizations.

Group-IB also warned about hacker attacks from RTM. According to the company, from September to December 2018, they sent more than 11 thousand malicious emails to financial institutions from addresses faked for government agencies. The emails contained a malicious attachment. They had fake PDF icons, and after running the file extracted from the archive, the computer was infected. On average, one successful theft of this type brought the attackers about 1.1 million rubles ($15,000).

Kaspersky has reported hacker attacks on COVID-19 researchers

The hacker group Lazarus attacked the developers of the coronavirus vaccine: the Ministry of Health and a pharmaceutical company in one of the Asian countries

Kaspersky Lab reported that the hacker group Lazarus has launched two attacks on organizations involved in coronavirus research. The targets of the hackers, whose activities were discovered by the company, were the Ministry of Health in one of the Asian countries and a pharmaceutical company.

According to Kaspersky Lab, the attack occurred on September 25. Hackers used the Bookcode virus, as well as phishing techniques and compromising sites. A month later, on October 27, the Ministry of Health servers running on the Windows operating system was attacked. In the attack on the Ministry, according to the IT company, the wAgent virus was used. Similarly, Lazarus previously infected the networks of cryptocurrency companies.

"Two Windows servers of a government agency were compromised on October 27 by a sophisticated malware known to Kaspersky Lab as wAgent. The infection was carried out in the same way that was previously used by the Lazarus group to penetrate the networks of cryptocurrency companies," said Kaspersky Lab.

Both types of malware allow attackers to gain control over an infected device. Kaspersky Lab continues its investigation.

"All companies involved in the development and implementation of the vaccine should be as ready as possible to repel cyber attacks," added Kaspersky Lab.

The Lazarus group is also known as APT38. The US Federal Bureau of Investigation (FBI) reported that their activities are sponsored by the DPRK authorities.

Recall that in July, the National Cyber Security Centre (NCSC) and similar departments of the United States and Canada accused the hacker group APT29, allegedly associated with the Russian special services, in an attempt to steal information about the coronavirus vaccine. Dmitry Peskov, press secretary of the Russian President, denied the Kremlin's involvement in the break-ins.

Kaspersky Lab and Yandex have detected malicious browser extensions

 Kaspersky Lab and Yandex have identified malicious code in browser extensions. Through them, attackers could gain access to the account in social networks and increase views of videos on various sites

Kaspersky Lab and Yandex experts have identified potentially malicious code that pulls more than twenty browser extensions, including Frigate Light, Frigate CDN and SaveFrom.

Through extensions, cybercriminals could, unnoticed by the user, gain access to his VKontakte account, and increase video views on various sites. Extensions received tasks from their own server, generated fraud traffic by playing videos in hidden tabs, and intercepted a token for access to the social network. The code was run only when the browser was actively used, activating the built-in detection protection.

The investigation began after users of Yandex.Browser began to complain about the sounds of advertising, although the video on the screen was not played. Yandex disabled extensions in Yandex. Browser after detecting a hidden traffic flow. Kaspersky lab blocks such activity on devices where the company's products are installed. The results of the investigation were sent to the developers of the social network and the most popular browsers.

According to Anton Mityagin, head of Yandex's Internet Security and Anti-Fraud Department, the traffic generated by extensions is very difficult to detect, as it is mixed with real user actions. He recalled that browser extensions are very popular and the total number of their installations has long been estimated in the tens or even hundreds of millions.

The leading expert of Kaspersky Lab Sergey Golovanov noted that more than 1 million users could become potential victims of the scheme. "The code from the browser extensions not only increased video views but also gained access to social network accounts, which could later be used, for example, to increase likes," added he.

Kaspersky announced the creation of the new smartphones with protection from hackers

A smartphone with a secure Kaspersky will have minimal functionality, said the head of Kaspersky Lab, Eugene Kaspersky. According to him, it will have its own basic applications and browser, but the smartphone has other tasks, it's security.

"There will be minimal functionality, but don't wait for beauty, both Android and iOS, this smartphone will perform other special tasks," said Mr. Kaspersky. "The device can call and send SMS, of course, there will be an office suite, its own browser with minimal functionality and a standard set of applications, such as an alarm clock, calculator, and so on,” added he.

So far, Kaspersky Lab does not plan to have an App store on its OS, but this is possible in the future. "Most likely, first we will make our own, and then we will be ready to attract other app stores," said Eugene Kaspersky.

At the same time, he said that smartphones on the Kaspersky operating system may appear next year. The company agreed with a Chinese smartphone manufacturer to install a new OS. 

He noted that the company does not plan to enter the platforms Google and Apple and try to replace them. "Our task is to create a secure phone that is almost impossible to hack, for processing secret and confidential information of both government officials and enterprises, and infrastructure management," said the head of Kaspersky Lab.

It’s interesting to note that Kaspersky Lab has been creating an operating system designed for maximum protection of equipment and operating on the principle of "everything is forbidden that is not allowed" for several years.

The Covid-19 Pandemic Forces Businesses To Prioritise Investment In Cybersecurity Despite The Overall IT Budget Cuts

 


As per a Kaspersky report on ‘Investment adjustment: aligning IT budgets with changing security priorities’ organizations and businesses have focused around 'prioritizing investment' in cybersecurity in spite of the general IT budget cuts in the midst of the Coronavirus pandemic. 
The report said that “Cybersecurity remains a priority for investment among businesses. This is despite overall IT budgets decreasing in both segments amid the Covid-19 pandemic, and cybersecurity cuts affecting the most economically hit SMBs,”

And further included that, “external conditions and events can influence IT priorities for businesses. As a result of the Covid-19 lockdown, organisations have had to adjust plans to meet changing business needs – from emergency digitalisation to cost optimisation.” 

The current share of cybersecurity in IT spending has gone up from 23 percent in 2019 to 26 percent in 2020 for especially small and medium businesses (SMBs). For enterprises though, cybersecurity's offer in spending has expanded to 29 percent in 2020 from 26 percent a year ago. 

By and large, 10% of associations agree and implement the fact that they will spend less on IT security. The principle purpose behind the decreased spending on security in the endeavour was supposed to be a conscious choice by the top management to reduce spending, seeing no reason for investing “so much money in cybersecurity in the future.” 

Alexander Moiseev, Chief Business Officer at Kaspersky, nonetheless stresses on the fact that, “2020 has put many companies in situations where they needed to respond, so they wisely concentrated all their resources and efforts on staying afloat…” 

He included later, “even though budgets get revised, it doesn’t mean cybersecurity needs to go down on the priority list. We recommend that businesses who have to spend less on cybersecurity in the coming years, get smart about it and use every available option to bolster their defences – by turning to free security solutions available on the market and by introducing security awareness programmes across the organisation. Those are small steps that can make a difference, especially for SMBs…”


Kaspersky Lab detected a new threat to user data

 Kaspersky Lab experts discovered a targeted cyber espionage campaign, where attackers infect computers with malware that collects all recent documents on the victim's device, archives them and passes them back to them.

The UEFI program is loaded before the operating system and controls all processes at an "early start". Using it, an attacker can gain full control over the computer: change the memory, disk contents, or force the operating system to run a malicious file. Neither replacing the hard drive nor reinstalling the OS will help get rid of it.

"This file is a bootloader, it communicates with the control server, collects all recent documents on the computer, archives them, and sends them back to the server. In fact, this is just espionage. Now there is information about two victims of the UEFI bootkit, as well as several victims of the campaign who encountered targeted phishing. All of them are diplomats or members of nonprofit organizations, and their activities are related to North Korea," commented Igor Kuznetsov, a leading anti-virus expert at Kaspersky Lab.

The experts also found out that the components of the UEFI bootkit are based on the Vector-EDK code - a special constructor that was created by the cyber group Hacking Team and contains instructions for creating a module for flashing UEFI. In 2015, as a result of a leak, these and other sources of the Hacking Team were freely available, which allowed attackers to create their own software.

"Be that as it may, we are dealing with a powerful, advanced tool for cyber attacks, far from every attacker can do this. However, with the appearance of ready-made working examples, there is a danger of reusing the technology, especially since the instructions for it can still be downloaded by anyone,” added Kuznetsov.

Interestingly, five years ago, Kaspersky Lab already found undetectable viruses. Then the control servers and traces of attacks of the Equation hacker group were discovered, it was associated with the American special services.

Experts found targeted attacks by hackers from North Korea on Russia


Kaspersky Lab revealed that the well-known North Korean hacker group Lazarus has become active in Russia. The attackers attack through applications for cryptocurrency traders in order to steal data for access to the wallets and exchanges. In addition, the group collects research and industrial data.

Experts believe that hackers are particularly interested in the military-space sphere, energy and IT, and the interest in bitcoin can be explained by the need for North Korea  to bypass sanctions

The first cases of Lazarus targeted attacks on Russia appeared at the beginning of last year. According to Kaspersky Lab,  since at least spring 2018 Lazarus has been carrying out attacks using the advanced MATA framework. Its peculiarity is that it can hack a device regardless of what operating system it runs on — Windows, Linux or macOS.

According to Kaspersky Lab, the victims of MATA include organizations located in Poland, Germany, Turkey, South Korea, Japan and India, including a software manufacturer, a trading company and an Internet service provider.

Several waves of attacks have been detected this year. So, this month, Lazarus attacks were discovered in Russia, during which the backdoor Manuscrypt was used. This tool has similarities to MATA in the logic of working with the command server and the internal naming of components.

"After studying this series of attacks, we conclude that the Lazarus group is ready to invest seriously in the development of tools and that it is looking for victims around the world," said Yuri Namestnikov, head of the Russian research center Kaspersky Lab.

According to Andrey Arsentiev, head of Analytics and Special Projects at InfoWatch Group, Lazarus is one of the politically motivated groups. It is supported by the North Korean authorities and is necessary for this state: cybercrimes are committed to obtain funds for developing weapons, buying fuel and other resources. He explained that the anonymous nature of the cryptocurrency market makes it possible to hide transactions, that is, by paying for various goods with bitcoin, North Korea can bypass the sanctions,

Kaspersky Lab noted that data from organizations involved in research related to the coronavirus vaccine is currently in high demand in the shadow market.

Kaspersky Lab recorded an increase in attacks by Russian hackers on banks in Africa


Kaspersky Lab recorded a wave of targeted attacks on major banks in several Tropical African countries in 2020. It is assumed that the attacks are made by the Russian-speaking hacker group Silence.

According to the company's leading anti-virus expert, Sergey Golovanov, "hundreds and sometimes thousands of attempts to attack the infrastructure of banks in Africa are blocked every day."
According to Kaspersky Lab, the hacker group Silence has already penetrated the internal network of

African financial organizations, and the attacks are "in the final stages".
During the attack, hackers could gain access to a large amount of confidential data that can be used in the future, said Golovanov.

At the end of August 2019, Group IB calculated the amount of theft from banks by the group of Russian-speaking hackers The Silence. From June 2016 to June 2019, the amount of damage amounted to about 272 million rubles ($4.2 million). Hackers infected financial institutions in more than 30 countries in Asia, Europe and the CIS.

According to Kaspersky Lab, Silence attacks financial organizations around the world with phishing emails containing malicious files, often on behalf of real employees of organizations. Viruses use administrative tools, study the internal infrastructure of banks, and then attackers steal money (including through ATMs).

The director of the Positive Technologies security expert center, Alexei Novikov believes that Silence did not increase activity at the beginning of 2020, and attacks outside of Russia and the CIS countries are uncharacteristic for them.

Recall that in October, Group-IB reported five hacker groups that threaten Russian banks: Cobalt, Silence, MoneyTaker, Lazarus and SilentCards. According to the founder of Group-IB, "it is curious that three of the five groups (Cobalt, Silence, MoneyTaker) are Russian-speaking, but over the last year Cobalt and Silence began to attack banks mainly outside Russia".

Russian hacker accused the ex-employee of Kaspersky Lab of forced hacking


Hacker, who has been in the pretrial detention center for the fifth year, made a statement to the head of the Investigative Committee of Russia. He insists that his case was fabricated with the participation of a Kaspersky Lab convicted of high treason along with FSB officers.

Russian hacker Dmitry Popelysh, accused of stealing money from the accounts of Sberbank and VTB together with his twin brother Eugene, said that he sent a complaint to the head of the Russian Investigative Committee. According to the hacker, the criminal case against him and his twin brother was fabricated.

The hacker said that ex-employee of Kaspersky Lab Stoyanov blackmailed and threatened him. Later, he demanded that brothers Popelysh provide technical support to some servers.

It is reported that mentions of an unknown employee who forced the hackers to commit hacks is in the surrender of Popelysh for 2015. However, this information was not verified by the investigation.

Previously, Stoyanov was the head of the computer incident investigation Department at Kaspersky Lab. He also participated in the examination of case of Popelysh.

The representative of Kaspersky Lab told that the company is not aware of Dmitry Popelysh’s appeal to the Investigative Committee.

Recall that in 2012 the brothers Popelysh were convicted of embezzlement of 13 million rubles from customers of banks. In 2015, they were again detained and accused of creating and actively using malware. According to the case, the men stole about 12.5 million rubles ($195,000) in two years. In the summer of 2018, they were sentenced to eight years. In 2019, the sentence was canceled in connection with "violations committed during the preliminary investigation." In total, they have been detained for four years and four months.

It is interesting to note that Dmitry Popelysh is already the second Russian hacker who publicly stated that experts investigating his criminal case forced him to commit hacks. Konstantin Kozlovsky, who has been in a pretrial detention center since May 2016 on charges of organizing a hacker group Lurk, claimed that he was recruited by FSB in 2008 and done various cyber attacks for a long time. He also mentioned that his supervisor was FSB major Dmitry Dokuchaev.

There are tens of thousands of cyber criminals in the world, says kaspersky

Russian experts from Kaspersky Lab, the company, specializing in the development of protection systems against computer viruses, spam, hacker attacks and other cyber threats, revealed the details of hackers. According to them, there are currently tens of thousands of cybercriminals on the Internet, of which at least 14 hacker groups specializing in certain groups of users and organizations are Russians.

According to experts, financial cybercriminals are the largest group. They attack banking infrastructure, business and individuals. There are several schemes giving the opportunity to withdraw funds from corporate accounts and go unpunished.

There are also a number of hacker groups developing phishing and spyware programs. They are the most technically equipped.

The drops, which are responsible for contacts with the physical world, risk more than others. Next in the list are botters, or operators, who remotely control malicious computer software.

"In total, there are several tens of thousands of hackers in the world who must be constantly trained. Inexperienced hackers can simply lose their jobs without new knowledge due to the active development of technology ", — said the experts of Kaspersky Lab.

Hackers mainly communicate among themselves in half-closed or closed forums. They have the opportunity to discuss, group and involve third-party experts to cooperate. Every day several dozens of new topics appear on such forums. An entry ticket to closed forums can be an entrance fee or recommendation from a hacker with a reputation. Top spyware developers usually ignore the forums. According to experts, only several hundred people in the world are in the highest category of hackers.

Hackers used ASUS Software Updates to Install malware on thousands of computers





Researchers at cybersecurity firm Kaspersky Lab found out that recent Asus’ software update system was hacked and used to distribute malware to millions of its customers.

The malware was masked as a  “critical” software update, which was distributed from the Asus’ servers. The malicious malware file was signed with legitimate ASUS digital certificates that made it look an authentic software update from the company, Kaspersky Lab says.

 The report of the hack was first reported by Motherboard, and Kaspersky Lab plans to release more details as soon as possible at an upcoming conference.

The intentions of hackers behind doing this is not clear. However, from the early investigation, it is reported that the hackers seem to target a bunch of specific Asus customers as it contains special instructions for 600 systems, which is identified by specific MAC addresses.

Till now, Asus has not contacted any of its affected customers or taken any step to stop the malware. In an email interview with the Verge, Asus said that they would issue an official statement on the malware tomorrow afternoon.

According to the Motherboard, Asus apparently denied that the malware had come from its servers.

“This attack shows that the trust model we are using based on known vendor names and validation of digital signatures cannot guarantee that you are safe from malware,” said Vitaly Kamluk, Asia-Pacific director of Kaspersky Lab’s Global Research and Analysis Team who led the research.



Skygofree Malware: One of Most Advanced Spyware Ever Seen

Russian cybersecurity lab, Kaspersky, has found out a new advanced Android spyware having “never before seen” features that lets hackers carry out advanced surveillance on Android phones, such as location-based audio recording, WhatsApp message theft, and connecting an infected device to Wi-Fi networks controlled by cybercriminals.

The malware, dubbed as “Skygofree,” was reportedly found on malicious websites in Italy. According to Kaspersky, the malware is most likely an offensive security product sold by an Italy-based IT company that markets various surveillance wares.

More information including, Skygofree's commands, indicators of compromise, domain addresses, and device models targeted, can be found in their blog post on Securelist.

The spyware functions by tricking the “Accessibility” feature present in Android to help users with disabilities access their apps. Using this, the spyware can read the messages displayed on the screen, even those sent by the user.

Skygofree is also capable of taking pictures and video, recording audio and noise according to the location specified by the hacker, record Skype conversations, seizing call records, geolocation data, and other sensitive data.

Kaspersky believes that, just like an earlier hack in 2015 by Hacking Team, an Italy-based spyware developer, Skygofree was also developed by Italians.

Skygofree has allegedly been active since 2014 and has been targeting select individuals, who are all from Italy. The spyware has been undergoing regular development since then and as many as 48 commands were found in the latest version.

UK spymasters suspect Russia is using Kaspersky to spy on people

 

British Intelligence service is reportedly worried that Kaspersky Antivirus offered by Barclays to its customers may be being used by Russian Intelligence agency to spy, according to The Financial Times.

An unnamed official told The Financial Times that GCHQ, British intelligence agency has concerns over widespread distribution of Kaspersky in the UK.

Intelligence officials fear that this might allow Russia to gather intelligence from the computers of Government employees members of the military who are customers of the Bank and have downloaded the software.

The Financial Times added that "No evidence suggests that any data of Barclays customers have been compromised by use of Kaspersky software on their computers."

However, the bank said they were planning to end the deal with Kaspersky for commercial reasons that doesn't have any connection with the GCHQ concerns.

Kaspersky denied the allegations and said the company does not have inappropriate ties with any government.

"No credible evidence has been presented publicly by anyone or any organization. The accusations of any inappropriate ties with the Russian government are based on false allegations and inaccurate assumptions, including the claims about Russian regulations and policies impacting the company." Kaspersky said.

Earlier this year, US Spymasters and FBI chief said that they do not trust software from Russian antivirus company Kaspersky.

- Christina
 

Kaspersky solved the mystery of Duqu Framework : written in OO C

Finally, Researchers around the world helped Kaspersky researchers to solve the 'Mystery of Duqu Framework'. Kaspersky researchers announced that the mystery code was written in the 'C' programming language and compiled with MSVC 2008 .

The mystery began earlier this month, when Kaspersky researchers struggled to determine what programming language had been used to develop the Duqu Trojan. Kaspersky researchers asked the programming community for help in finding out the name of the programming language.

The most popular suggestion were Variants of LISP, Forth,Erlang, Google Go,Delphi, OO C, Old compilers for C++ and other languages

With the help of community's response, researcher cracked the code and identified the code as 'C' code compiled with Microsoft Visual Studio 2008 using the special options “/O1” and “/Ob1”.

Read the full story here.

Duqu Framework written in an unknown Programming language..?!


Kaspersky facing difficulty in identifying the programming language of Duqu Framework. Today, Researcher Igor Soumenkov shared their findings about the Duqu in Kaspersky lab post.

"At first glance, the Payload DLL looks like a regular Windows PE DLL file compiled with Microsoft Visual Studio 2008 (linker version 9.0). The entry point code is absolutely standard, and there is one function exported by ordinal number 1 that also looks like MSVC++. " Researcher wrote in the post.

"This function is called from the PNF DLL and it is actually the “main” function that implements all the logics of contacting C&C servers, receiving additional payload modules and executing them. The most interesting is how this logic was programmed and what tools were used."

After analyzing the Duqu, researcher come to come to conclusion that Duqu Framework have been written in an unknown programming language. The mysterious programming language is definitively NOT C++, Objective C, Java, Python, Ada, Lua and many other languages they have checked.

Compared to Stuxnet (entirely written in MSVC++), this is one of the defining particularities of the Duqu framework.

Kaspersky request programmers to recognize the framework , toolkit or the programming language that can generate similar code constructions.  If anyone find the answer contact them via this email stopduqu@kaspersky.com or post a comment in their official blog.

You can read the full report about the Duqu here.

Kaspersky Lab announced the partnership with TAGHeuer (Swiss luxury watchmaker)


Kaspersky Lab, announced the partnership with TAGHeuer  (Swiss luxury watchmaker).

TAG Heuer has launched its first luxury touchscreen smartphone TAG Heuer LINK, operating on Android. For this unique smartphone Kaspersky Lab has developed TAG Heuer Mobile Security (Powered by Kaspersky). This user-friendly and reliable security software provides complex malware and data protection.

Commenting on the new partnership, Eugene Kaspersky, Chairman and CEO of Kaspersky Lab, said: “We are happy to start our partnership with and to provide protection for users of TAG Heuer smartphones. Kaspersky Lab and TAG Heuer have common core values, such as best-of-breed reliability, cutting edge technology, and constant innovation. TAG Heuer Mobile Security is our first project in the luxury segment, and we are looking forward to further develop our partnership with TAG Heuer.”

The new TAG Heuer LINK phone is the ultimate communication tool. Swiss-engineered, French-built, and equipped with upgradeable Google Android software, it combines elegance, reliability and unparalleled access and connectivity. Luxuriously crafted and detailed, the TAG Heuer LINK incorporates the most prestigious materials and advanced components in the watchmaking and automotive worlds, including black PVD, diamonds and rose gold. The mirror-polished and fine-brushed stainless steel is premium grade surgical 316L, corrosion-resistant and hypoallergenic.

TAG Heuer Mobile Security (Powered by Kaspersky) provides top grade protection from network attacks, malware targeting mobile platforms, and SMS spam. On top of that it allows users to locate a lost or stolen smartphone using the GPS Find function, store all digital assets in encrypted folders, and remotely block or wipe the smartphone if it is lost or stolen. With Kaspersky Lab’s Mobile Security, the owner of a LINK smartphone is able to efficiently manage private contacts, filter out annoying calls and texts by assigning contacts to black lists and white lists, restrict children’s calls and texts, and monitor the phone’s whereabouts using GPS Find