Search This Blog

Showing posts with label Malware Attack. Show all posts

Smishing Campaign: Roaming Mantis Attacks OS Android Systems With Malware

A smishing campaign which goes by the name Roaming Mantis is imitating a logistics firm to hack SMS messages and contact list of Android users from Asia since 2018. Last year, Roaming Mantis advanced its campaign impact by sending phishing URL messages and dynamic DNS services that attacked targets with duplicate Chrome extension "MoqHao." From the start of 2021, Mcafee Mobile Research Team has confirmed that the group is attacking users from Japan with the latest malware named SmsSpy. 

The corrupted code infects Android users that use either one of the two versions that depend upon variants of operating systems used by attacked systems. The phishing technique incorporated here shares similarities with earlier campaigns, still, the Roaming Mantis URL has the title "post" in composition. A different phishing message impersonates to be a Bitcoin handler and then takes the target to a malicious site (phishing) where the victim is requested to allow an unauthorized login attempt. 

McAfee reports, "During our investigation, we observed the phishing website hxxps://bitfiye[.]com redirect to hxxps://post.hygvv[.]com. The redirected URL contains the word “post” as well and follows the same format as the first screenshot. In this way, the actors behind the attack attempt to expand the variation of the SMS phishing campaign by redirecting from a domain that resembles a target company and service." Different malware, as a characteristic of the Malware distribution program, is sent which depends upon the Android OS variant that gained login to the phishing site. In Android OS 10 and later variants, malicious Google Play applications will get downloaded. In Android OS 9 and earlier variants, malicious Chrome applications will get downloaded. 

Because the infected code needs to be updated with each Android OS update, the malware actor targets more systems by spreading the malware that finds OS, instead of just trying to gain a small set with a single malware type. "The main purpose of this malware is to steal phone numbers and SMS messages from infected devices. After it runs, the malware pretends to be a Chrome or Google Play app that then requests the default messaging application to read the victim’s contacts and SMS messages," said McAfee.

Everthing You Need to Know About Ongoing TrickBot Attacks, US Agencies Warn

 

The Cybersecurity and Infrastructure Security Agency (CISA) in unison with the Federal Bureau of Investigation (FBI) published an advisory on Wednesday to warn organizations of ongoing TrickBot attacks despite in October multiple security firms dismantled their C2 infrastructure in a joint operation.

In their joint advisory, two agencies disclosed that a sophisticated group of cybercrime actors is leveraging a traffic infringement phishing scheme to lure victims into installing the Trickbot malware.

TrickBot was initially observed in 2016, it is believed to be designed by the threat actors behind the Dyre Trojan. TrickBot has become one of the most prevalent families out there, entrapping machines into a botnet that was being offered under a malware-as-a-service model to both nation-states and cybercrime groups.

“The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spear phishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot,” the joint advisory reads.

In October 2020, Microsoft revealed that it had disrupted the infrastructure behind TrickBot, taking most of it down. However, the malware survived the takedown attempt and came back stronger, with several new updates that protected against similar attempts. The recent attacks come as a confirmation to the same, that TrickBot’s operators were able to restore their malicious operations. 

“CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation. In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with the malicious actor’s command and control (C2) server to download Trickbot to the victim’s system,” the advisory further stated. 

Kaspersky detected new ransomware attack on Russian companies

Kaspersky Lab has recorded a series of targeted attacks targeting Russian financial and transport companies. Hackers used a previously unknown ransomware virus

According to a statement from Kaspersky Lab, since December 2020, ten Russian financial and transport companies have been subjected to hacker attacks using the previously unknown Quoter ransomware. Experts believe that the Russian-speaking group RTM is engaged in this.

The hackers sent out phishing emails, choosing topics that they calculated should force the recipient to open the message, for example, "Request for refund", "Copies of documents from the last month" and so on. As soon as the recipient clicked on the link or opened the attachment, the RTM Trojan was downloaded to their device.

Then the attackers tried to transfer money through accounting programs by replacing the details in payment orders or manually using remote access tools. If they failed, they used Quoter, which encrypted the data using the AES cryptographic algorithm and left contacts for communication with hackers. If the recipient did not respond, they threatened to make the stolen personal data publicly available and attached evidence, and demanded about $1 million as a ransom.

Sergey Golovanov, a leading expert at Kaspersky Lab, warned that the attacks pose a serious threat to companies, as hackers use several tools at once: a phishing email with a banking Trojan and an encryption program.

"Among the features of this campaign is that the Russian-speaking RTM attackers changed the tools used for the first time, moreover, now they are attacking Russian companies," said Mr. Golovanov, noting that usually encryption programs are used in attacks on foreign organizations.

Group-IB also warned about hacker attacks from RTM. According to the company, from September to December 2018, they sent more than 11 thousand malicious emails to financial institutions from addresses faked for government agencies. The emails contained a malicious attachment. They had fake PDF icons, and after running the file extracted from the archive, the computer was infected. On average, one successful theft of this type brought the attackers about 1.1 million rubles ($15,000).

Factories have become a major target for malware attacks

In the third quarter, the industry was attacked by various hacker groups - including RTM and TinyScouts, as well as ransomware operators. For example, according to Positive Technologies, the operators of the Maze ransomware program conducted a successful attack on Hoa Sen Group, the largest manufacturer of steel sheets in Vietnam. During the attack, personal data of employees, internal correspondence and other confidential information were stolen.

"This year, the vast majority of criminal groups switched to working with encryption programs since attackers realized that they can earn no less than in the case of a successful attack on a Bank, and technical execution is much easier," explained Anastasiya Tikhonova, head of APT Research at Group-IB.

According to her, more groups and partner programs have joined the "big game hunt”. 

"The size of the ransom has also increased significantly: cryptolocker operators often ask for several million dollars, and sometimes even several tens of millions. For example, the OldGremlin group, consisting of Russian-speaking hackers, actively attacks exclusively Russian companies: banks, industrial enterprises, medical organizations and software developers," explained Tikhonova.

The expert believes that one of the weakest links in the information security chain is still a person. "There are examples when an operator of a large industrial enterprise got bored, wanted to listen to music, and plugged a 3G modem directly into the USB port of the SCADA control and monitoring system.. And how many "trusted laptops” were there that employees brought from a business trip", concluded Tikhonova.

The expert believes that the danger of using Internet of things devices (IoT) is that it is problematic for advanced engineers to determine the fact of compromise. Target systems are assembled from a fairly large number of devices, and it is almost impossible to monitor and respond to possible security events and threats without additional solutions and human resources.

ESET has revealed a new series of Lazarus attacks

Experts of the antivirus company ESET have discovered a series of attacks, behind which is one of the most famous North Korean groups, Lazarus. The hackers targeted users of government and banking websites in South Korea. The cybercriminals used an unusual mechanism to deliver the malware, disguising themselves as stolen security software and digital certificates.

The spread of the Lazarus virus was facilitated by the fact that South Korean Internet users are often asked to install additional security programs when visiting government websites or Internet banking websites, explained the head of the investigation, Anton Cherepanov.

"The WIZVERA VeraPort integration installation program is widespread in South Korea. After installation, users can download the necessary software for a specific website. This scheme is usually used by the South Korean government and banking websites. For some of these sites, the presence of WIZVERA VeraPort is mandatory,” said Mr. Cherepanov.

Attackers used illegally obtained code signing certificates to inject malware samples. And one of these certificates was issued to a firm specializing in security - the American branch of a South Korean security company.

"Hackers disguised Lazarus malware samples as legitimate programs. These samples have the same file names, icons and resources as legitimate South Korean software," said Peter Kalnai, who was involved in the investigation of the attack.

ESET's analysis once again demonstrated the non-standard nature of the methods of intrusion, encryption and configuration of the network infrastructure, which has become the business card of Lazarus hackers.

It is worth noting that on November 13, Microsoft representatives reported that, according to their data, in recent months, three APT groups attacked at least seven companies engaged in COVID-19 research and vaccine development. The Russian-speaking group Strontium (Fancy Bear, APT28, and so on), as well as North Korean Zinc (Lazarus) and Cerium, are blamed for these attacks.

Hacker group Zinc (aka Lazarus) mainly relied on targeted phishing campaigns, sending potential victims emails with fictitious job descriptions and posing as recruiters.

Pos Malaysia: Malware Attack Disrupts Internal Systems and Online Services



IT infrastructure of Pos Malaysia, postal delivery service in Malaysia, took a major hit from ransomware which rendered some of its online services inaccessible. After detecting the attack on Sunday, the company took immediate measures to shut down internal systems and parts of its online systems; they also lodged a police report with Royal Malaysia Police for attempted malware attack and reached out to concerned authorities to ensure the safety of their systems and database.

The website of the company was displaying an error message during the downtime, which said, “Sorry, we are under maintenance.” It was discovered during a system update on October 20 and since then, the company released three statements insisting on the safety of customers’ personal data and sensitive information. It assured that no user data was compromised and the issues are being rectified. Gradually, several of Pos Malaysia’s online services have been made accessible while over the counter services remain available at the company’s branches nationwide. However, the officials refrained from providing a specific timeline for the entire restoration of the halted services.

Seemingly, it was a major attempt that caused disruption in the company’s internal systems and online services for the past few days and subsequently affected the overall company’s operations.

In a statement on Facebook, Pos Malaysia told, “Our team has managed to rectify and restore several of the system and online services. We assure our customers that their data and personal information are safe.”

“We extend our apologies for the inconvenience caused and thank our customers for their kind understanding, patience and support during this period. We will provide regular updates from time to time,” it added.

Announcing that the services will be restored and made fully accessible gradually, a spokesperson told The Star, "Customers and business partners may now gradually access our services. Over the counter services at all branches remain available.”

"Currently, proactive steps are being taken by our IT recovery team to ensure minimal impact to our customers and business partners. While contingency plans are being considered to rectify and restore online operations, the majority of our services at all Pos Malaysia branches are still available," he added.

People who have made shipments via Pos Malaysia or have pending shipments and it required them to share any sensitive data with the postal delivery company, odds are it would have been compromised in the attempted malware attack, therefore, they are advised to check their private credentials where necessary.

Ransomware Attack Leaves Johannesburg without Power




A key electricity supplier for the largest South African city, Johannesburg, experienced a massive ransomware attack which led to the shutdown of the city's computer systems on Thursday.

In a series of tweets, City Power announced that the ransomware virus encrypted all their databases, applications and networks; all of which is being reconstructed by their ICT department.

They further told that the customers may not be able to access their website and may not be able to purchase electricity units until the issue has been sorted out by their ICT department.

As the website continued to be offline, the victims resorted to social media in order to report the issues occuring with their electricity supplies.

The type of ransomware employed in the attack is still a matter of question, however, with the magnitude, the power of this cyber power attack can be gauged. Besides, restricting customers from buying pre-paid electricity, it also affected the attempts made by City Power to respond to localized blackouts.

Commenting on the matter, a spokesman for City Power said, for the people affected, "These are the people on the pre-paid system[s] and would at any given day buy electricity,"

"Those people were not able to access the system." he added.




A new virus attacked computers in Russia


Cases of malicious e-mails to Russian companies have become more frequent. Attackers write on behalf of Banks, large air operators, car dealers and mass media. They offer cooperation to companies and advise to open the file in the attachment, where there are details about a good deal. If the user does this, the computer is infected with the so-called Troldesh virus. This malware encrypts files on the infected device and demands a ransom.

Fraudsters claim that they are employees of companies and attach a password-protected archive to the letter, in which, according to them, the details of the order are indicated. But in fact, a malicious virus is attached to this email. When a victim gains access to the archive, important files are blocked in his operating system that can be opened only by paying a ransom to the fraudsters. Of course, the addresses from which the letters were sent are fake.

Group-IB found out that in June more than a thousand such messages were sent to different Russian companies. The number of attacks using Troldesh only in this quarter increased 2.5 times compared to 2018. Yaroslav Kargalev, the Deputy Head of Information Security Incident Monitoring and Response Division of Group-IB, said that it is almost impossible to destroy the virus.

Experts of Group-IB noted that Troldesh was previously sent out mainly on behalf of Banks, however, at the moment, the attackers stopped doing it, as Banks have strengthened measures to counter phishing.

It is interesting to note that Troldesh can be bought or rented at specialized sites on the Darknet. Judging from the latest attacks, Troldesh not only encrypts files but also mines cryptocurrency and generates traffic to websites, thereby increasing their traffic and revenue from online advertising.

Experts of Group-IB also stressed that a fairly large-scale infrastructure is involved in the virus distribution, which includes servers, infected IoT (Internet of Things) devices, for example, routers. Now the virus distribution campaign is still active.

It is worth noting that Troldesh attacks companies not for the first time. Such attacks were first recorded in 2015, and the largest took place in March 2019. Then messages came from well-known retailers, as well as financial and construction companies.

StalinLocker: ransomeware deletes data if correct code is not put in time

A new ransomware has been discovered called StalinLocker, or StalinScreamer, that gives victims of the attack 10 minutes to put in the correct unlock code and if they’re not able to do that, erases all the data on the infected device.

The ransomware does not actually demand any ransom, other than the condition given to unlock the victim’s device.

Named after Joseph Stalin, the late leader of the Soviet Union, the malware pays tribute to him by showing a red screen with a picture of Stalin, along with the USSR anthem playing in the background, when StalinLocker takes over the computer and the 10 minute countdown begins.



The ransomware was discovered by MalwareHunterTeam, which on Twitter explained how the malware worked and how to know the code to unlock your locked device.


According to them, the code can be guessed by subtracting the date the malware was run by 30/12/1922, which is the date that represents the foundation of the USSR.


This ransomware, unlike others, seems to purely focus on destroying user data as it does not demand any ransom in Bitcoin or other ways but simply attempts to erase all data if conditions are not met. If the user correctly enters the code, however, the files are unlocked with no problem.

The malware is similar to a previous one that forced victims to PlayerUnknown’s Battlegrounds game for an hour to get their device unlocked, but unlike StalinLocker, it did not threaten the erasure of the victim’s data.

Currently, StalinLocker is in a testing stage but it could turn out to be a major problem for Windows users once it is out for good.

Cyber attack in Japan : Malware steals 3k confidential documents from farm ministry


In a suspected Cyber attack against the Japan, Foreign hackers might have compromised more than 3000  confidential data from the country's Ministry of Agriculture,Forestry and Fishery by infecting the ministry's system with a malware.

Investigators from the governemnt revealed that malware used in the suspected cyber-attack to be HTran, a connection bouncer program believed to have been developed by a Chinese hacker group around 2003, The report from The Daily Yomiuri says.

HTran is often used in cyber-attacks to steal information, as it can send data secretly.

"The programme was also used to steal data from the Finance Ministry, as HTran data transmissions were discovered to have taken place from October 2010 to November 2011" The report says.

Initially, the ministry did not inform the police, despite the fact that the intrusion fell under the Unauthorized Access Prohibition Law. However, now, the police have launched their own investigation to determine what information has been compromised.

Biggest Cyber attack in India's history, 10k Indian government emails hacked


Indian Government have suffered one of the biggest cyber attack in the country's history. Hackers managed to compromise more than 10,000 email address of top government officials.The attack occurred on July 12 this year.

The cybercriminals managed to steal email IDs belong to official working at the Prime Minister's office, Defence, external affairs, finance ministries and Intelligence agencies.

The attack occurred on July 12 this year, four days after the government was warned by the National Critical Information Infrastructure Protection Centre (NCIIPC).

According to Indian Express, News of the attack was confirmed by officials of intelligence and enforcement agencies at a day-long NCIIPC meeting in New Delhi this week.

#BatchWiper, a new data-wiping virus targets Iranian computers


Recently, The Iranian CERT reported that a new piece of malware targets Iranian computers that capable of wiping the files from the infected computers.

SophosLabs have analyzed the new sample and confirmed that the malware attempt to erase the contents of any files on D, E, F, G, H and I drives.

The malware is distributed as a self-extracting WinRAR archive called GrooveMonitor.exe that drops three executable files: juboot.exe, jucheck.exe and SLEEP.EXE.

The 'justboot.exe' is a DOS BAT file that has been converted to PE format that uses 'SLEEP.exe' to wait for few seconds before it adds a registry entry that ensures that 'jucheck.exe' is executed each time the computer restarted.

The primary function of the malware is wiping the files from hard drive, but it does so only within few specific date ranges, each about two days long.

After deleting the data , the malware runs chkdsk in order to trick the victim into believing that the files have been corrupted because of software or hardware failure.

ACH Bank Transfer Refusal Scam leads to Malware Attack

 MX Labs reports that they recently intercepted a lot of emails that warned internauts of certain banks that didn't accept payroll payments or transfers , this scam comes with malware attachement.

The Email Scam with following subject:
  • ACH debit transfer was hold by Yolo Community Bank
  • ACH payroll payment was not accepted by Central Trust and Savings Bank
  • ACH Transfer was not accepted by Eldorado Bank
  • ACH debit transfer was hold by The Mechanics Bank
  • Funds transfer was hold by our bank
They spoofed the email address and send the following message:
Dear Madam / Sir,

I regret to inform you that ACH payroll payment initiated by you or on your behalf was not accepted by Central Trust and Savings Bank.

Transaction ID: 17036653478735
Current status of transaction: on hold

Please review transaction details as soon as possible.

Theodore Parham
Payments Administration
Central Trust and Savings Bank

"review transaction details" link leads to malicious page.  The malicious site ask you to download the adobe flash player with pop up message.  The file is 233kb and named as "Flash.exe".  if you guessed, yes It is malware.

Kaspersky detect it as Trojan-Spy.Win32.Zbot.coak and McAfee detects it as Artemis!C5D161117328.



Several Windows registry changes will be exectued and the trojan can establish connection with the IP 64.252.17.231 on port 11760.

At the time of writing, only 12 of the 43 AV engines did detect the trojan at Virus Total.

Brazil ISP servers under DNS cache Poisoning attack , spreads Trojan


"Brazil ISP servers under massive DNS cache Poisoning attack"warns Kaspersky Lab expert Fabio Assolini.  When Brazilians try to visit facebook,google,youtube and othe websites, pop message asked to install Google Defence or some java applet in order to access the sites.

Some innocent peoples will install without knowing what problem will occur.  if you are the reader of EHN or Know about Security risks , you know what happen.  Yes, it will spread the banking Trojan. 

"Brazil has some big ISPs. Official statistics suggest the country has 73 million computers connected to the Internet, and the major ISPs average 3 or 4 million customers each. If a cybercriminal can change the DNS cache in just one server, the number of potential victims is huge," he points out.

According to Kaspersky, the same IP address hosted a number of malicious files and several exploits, and targeted users seem to be exclusively from Brazil.
80.XX.XX.198/Google_setup.exe
80.XX.XX.198/google_setup.exe
80.XX.XX.198/Google_Setup.exe
80.XX.XX.198/ad2.html
80.XX.XX.198/flash.jar
80.XX.XX.198/FaceBook_Complemento.exe
80.XX.XX.198/ad.html
134XX69350/AppletX.class
80.XX.XX.198/YouTube_Setup.exe
80.XX.XX.198/FlashPlayer.class
80.XX.XX.198/google2.exe
80.XX.XX.198/crossdomain.xml
80.XX.XX.198/favicon.ico
In fact the file ad.html is an encrypted script, exploiting CVE-2010-4452 and running arbitrary code in an old installation of JRE. The exploit detected by us as Exploit.Java.CVE-2010-4452.a calls up one of the files in this list.

Infecting peoples with DNS Poisoning attack is very easy because users believe their trusted sites. Cyber criminals paid an employee who has access to the DNS records to modify them so that user are redirected to the malicious site.

Assolini notes that last week the Brazilian police has arrested an employee of an ISP located in the south of the country, and that he stands accused of changing his employer's DNS cache and redirecting users to phishing websites - no doubt at the behest of the people running them. "We strongly suspect similar security breaches will be happening in other small and medium ISPs in the country," Assolini commented.

But random Internet users are not the only one who have been targeted by this type of attack. Employees of various companies have also been seeing similar pop-up windows when they tried to access any website. Once again, they were actually offered a banking Trojan for download.

The attack was made possible by flaws in the networking equipment used by their companies. Routers and modems were accessed remotely by attackers who changed the devices' DNS configurations.

Duqu is an upgraded version of Stars, Spyware that infected Iran


One of Best Antivirus firm ,Kaspersky enabled protection against the infamous Duqu worm.  Now it detects all version of Duqu.  Kaspersky's Developers Successfully updated the kaspersky to detect Trojan.Win32.Duqu and all other Trojans that exploit the CVE-2011-3402 vulnerability.

Recently, the Duqu Trojan became infamous that successfully exploit the Zero-Day Vulnerability. You can get more information about the malware here.

Following that, Organization start to give protection against the Duqu Trojan. NSS Labs released Anti-Duqu tool.

Also Microsoft issued a temporary fix for this vulnerability.

Duqu is Upgraded Version of "Stars" Malware in Iran:
The Research at Kaspersk's Lab unveils additional information about the Duqu worm.  As the result of their investigation, Duqu is first spotted as "Stars" Malware(a malware created to spy on Iran's nuclear system). 

April 2011(this year), Iran announced that they were under cyber attack with Malware named as "Stars" . Kaspersk researchers confirmed that some of the targets of Duqu were hit on April 21, using the same method involving CVE-2011-3402, a kernel level exploit in win32k.sys via embedded True Type Font (TTF) file.

According to analysis by IrCERT (Iran's Computer Emergency Response Team) Duqu is an upgraded version of "Stars".

Anti-Duqu available for free, 100% Accurate detection of Duqu


Duqu(similar to Stuxnet) is notorious worm that exploit Windows Zero-day Vulnerability.  Microsoft released temporary fix yesterday for this vulnerability .  NSS Labs claimed that they developed very accurate Duqu detection tool , available for free .

This tool detects all DuQu drivers installed on a system.  This tool was developed in the hopes that additional drivers can be discovered to allow us to learn more about the functionality, capabilities and ultimate purpose of DuQu.

According to the test, NSS tool Success rate is 100%, zero false positivies. Developers said it is using advanced pattern recognition techniques, it is also capable of detecting new drivers as they are discovered. 

Two new drivers were discovered after the tool was completed, and both were detected by the NSS tool with no updates required.
 

Zero-day Vulnerability in Windows Kernel exploited by Duqu worm


Zero-Day Vulnerability found in Windows Kernel by Researchers at the Cryptography and System Security (CrySyS) Lab, as the result of Analyzing the Duqu malware.  CrySys immediately reported to the Microsoft about the vulnerability.

CrySys discovered the Duqu Binaries and confirmed that it is nearly identical to Stuxnet.Thus far, no-one had been able to find the installer for the threat and therefore no-one had any idea how Duqu was initially infecting systems.

As the result of Research, CrySys found the installer as Microsoft word document file(.doc) that use a previously unknown kernel vulnerability.  When the .doc file is opened, the Duqu infects the system.

W32.Duqu is a worm that opens a back door and downloads more files on to the compromised computer. It also has rootkit functionality and may steal information from the compromised computer.

Duqu Infection:

"The Word document was crafted in such a way as to definitively target the intended receiving organization. Furthermore, the shell-code ensured that Duqu would only be installed during an eight-day window in August. Please note that this installer is the only installer to have been recovered at the time of writing—the attackers may have used other methods of infection in different organizations.", Symantec Report.

Once the system infected by Duqu, the attacker can control the system and infects other organization through the Social Engineering.  In one organization, evidence was found that showed the attackers commanding Duqu to spread across SMB shares.

Even though the system didn't have the ability to connect to the Internet , the Malware  configured such that to communicate with C&C Server using other infected system that has Internet connection.

Consequently, Duqu creates a bridge between the network's internal servers and the C&C server. This allowed the attackers to access Duqu infections in secure zones with the help of computers outside the secure zone being used as proxies.

Several Countries become the victim of this Duqu malware.  According to Symantec report, there are 8 countries infected by this malware.

As the result of Analysis, the researcher discovered that malware contacts a server hosted in India.

"Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware. We are working diligently to address this issue and will release a security update for customers through our security bulletin process," Jerry Bryant, group manager of response communications in Microsoft's Trustworthy Computing group said in a statement

updated whitepaper (version 1.3) from Symantec .

TimThumb vulnerability in Wordpress leads to malware infection

Last month, Thousands of Wordpress  sites infected by malware , discovered by Armorize. Avast Researchers investigate this hack and conclude that Blackhole exploit kit made by Russian Developers and available for $1500 in black market.

The Vulnerability in non-updated TimThumb allows attackers to upload and execute arbitrary PHP code in the TimThumb cache directory which will download other malicious files. But this is not the only way for example they use stolen passwords to direct FTP changes.

In your FTP, alongside other site files, a new file will appear that looks like this: ./wp-content/w3tc/min/a12ed303.925433.js or ./wp-includes/js/l10n.js

These scripts redirects to a new site where the Black Hole exploit kit is located. The victim is then served a JAR file, that will deploy other malicious downloads to the infected system.

source:
Avast

Cyber Criminals jailed 4 years for Stealing £3 million from bank accounts

 The ring leaders of Cyber criminal gang that siphoned nearly £3 million from the bank accounts were yesterday (Monday 31 October) jailed following an investigation by the Met's Police Central E-Crime Unit (PCeU)

Ukrainian nationals Yuriy Konovalenko aka Pavel Klikov (29 ys), and Yevhen Kulibaba (33 ys) were jailed for four years and eight months at Croydon Crown Court after previously pleading guilty to conspiracy to defraud.

This result is the culmination of a complex and protracted investigation by detectives from the Met's Police Central e-Crime Unit which has seen 13 people jailed for their part in a sophisticated international online fraud that attacked the heart of the UK banking industry.

The investigation, codenamed Operation Lath, focussed on the activities of a group responsible for conducting a systematic and highly sophisticated banking fraud which attacked the banking accounts of hundreds of online customers.

The fraud was perpetrated through the use of banking 'Trojans' to infect the personal computers of bank account holders and subsequently secure funds from them. The malicious software programme was able to capture confidential information, such as usernames, passwords and account numbers. These details were then used to access those accounts without the knowledge of the owners. Funds were then transferred to a large number of receiving accounts controlled by the group.

Kulibaba was the principal within this group of conspirators. He was based in the Ukraine and was responsible for obtaining and allocating accounts to be attacked, and organising the UK based conspirators to set up and operate recipient accounts and remove funds from them.

Konovolenko was Kulibaba's right hand man in the UK. He had a co-ordinating role, organising the establishment and operation of recipient accounts and instructing those with responsibility for organising the removal of the money out of the recipient accounts.

During the investigation the PCeU worked closely with UK banks and colleagues from the Crown Prosecution Service, the FBI and the US Department of Justice.

Report from met.police.uk 

Avira Antivirus detects itself as Malware | False Virus Definition File

Avira Antivirus labeled itself as Spyware.  Avira detects AESCRIPT.DLL(one of Avira dll file) as "TR/Spy.463227".
Recent Virus Definition File(VDF version 7.11.16.146 ) Update of Avira mistakenly includes AESCRIPT.DLL  Library file as one of Spyware.  This results in avira detects itself as spyware.   

After they come to know about this issue, Avira updated the Virus Definition File and ask users to update the Antivirus. The posted about this issue in their official Forum