Search This Blog

Showing posts with label Malware Attack. Show all posts

Pos Malaysia: Malware Attack Disrupts Internal Systems and Online Services



IT infrastructure of Pos Malaysia, postal delivery service in Malaysia, took a major hit from ransomware which rendered some of its online services inaccessible. After detecting the attack on Sunday, the company took immediate measures to shut down internal systems and parts of its online systems; they also lodged a police report with Royal Malaysia Police for attempted malware attack and reached out to concerned authorities to ensure the safety of their systems and database.

The website of the company was displaying an error message during the downtime, which said, “Sorry, we are under maintenance.” It was discovered during a system update on October 20 and since then, the company released three statements insisting on the safety of customers’ personal data and sensitive information. It assured that no user data was compromised and the issues are being rectified. Gradually, several of Pos Malaysia’s online services have been made accessible while over the counter services remain available at the company’s branches nationwide. However, the officials refrained from providing a specific timeline for the entire restoration of the halted services.

Seemingly, it was a major attempt that caused disruption in the company’s internal systems and online services for the past few days and subsequently affected the overall company’s operations.

In a statement on Facebook, Pos Malaysia told, “Our team has managed to rectify and restore several of the system and online services. We assure our customers that their data and personal information are safe.”

“We extend our apologies for the inconvenience caused and thank our customers for their kind understanding, patience and support during this period. We will provide regular updates from time to time,” it added.

Announcing that the services will be restored and made fully accessible gradually, a spokesperson told The Star, "Customers and business partners may now gradually access our services. Over the counter services at all branches remain available.”

"Currently, proactive steps are being taken by our IT recovery team to ensure minimal impact to our customers and business partners. While contingency plans are being considered to rectify and restore online operations, the majority of our services at all Pos Malaysia branches are still available," he added.

People who have made shipments via Pos Malaysia or have pending shipments and it required them to share any sensitive data with the postal delivery company, odds are it would have been compromised in the attempted malware attack, therefore, they are advised to check their private credentials where necessary.

Ransomware Attack Leaves Johannesburg without Power




A key electricity supplier for the largest South African city, Johannesburg, experienced a massive ransomware attack which led to the shutdown of the city's computer systems on Thursday.

In a series of tweets, City Power announced that the ransomware virus encrypted all their databases, applications and networks; all of which is being reconstructed by their ICT department.

They further told that the customers may not be able to access their website and may not be able to purchase electricity units until the issue has been sorted out by their ICT department.

As the website continued to be offline, the victims resorted to social media in order to report the issues occuring with their electricity supplies.

The type of ransomware employed in the attack is still a matter of question, however, with the magnitude, the power of this cyber power attack can be gauged. Besides, restricting customers from buying pre-paid electricity, it also affected the attempts made by City Power to respond to localized blackouts.

Commenting on the matter, a spokesman for City Power said, for the people affected, "These are the people on the pre-paid system[s] and would at any given day buy electricity,"

"Those people were not able to access the system." he added.




A new virus attacked computers in Russia


Cases of malicious e-mails to Russian companies have become more frequent. Attackers write on behalf of Banks, large air operators, car dealers and mass media. They offer cooperation to companies and advise to open the file in the attachment, where there are details about a good deal. If the user does this, the computer is infected with the so-called Troldesh virus. This malware encrypts files on the infected device and demands a ransom.

Fraudsters claim that they are employees of companies and attach a password-protected archive to the letter, in which, according to them, the details of the order are indicated. But in fact, a malicious virus is attached to this email. When a victim gains access to the archive, important files are blocked in his operating system that can be opened only by paying a ransom to the fraudsters. Of course, the addresses from which the letters were sent are fake.

Group-IB found out that in June more than a thousand such messages were sent to different Russian companies. The number of attacks using Troldesh only in this quarter increased 2.5 times compared to 2018. Yaroslav Kargalev, the Deputy Head of Information Security Incident Monitoring and Response Division of Group-IB, said that it is almost impossible to destroy the virus.

Experts of Group-IB noted that Troldesh was previously sent out mainly on behalf of Banks, however, at the moment, the attackers stopped doing it, as Banks have strengthened measures to counter phishing.

It is interesting to note that Troldesh can be bought or rented at specialized sites on the Darknet. Judging from the latest attacks, Troldesh not only encrypts files but also mines cryptocurrency and generates traffic to websites, thereby increasing their traffic and revenue from online advertising.

Experts of Group-IB also stressed that a fairly large-scale infrastructure is involved in the virus distribution, which includes servers, infected IoT (Internet of Things) devices, for example, routers. Now the virus distribution campaign is still active.

It is worth noting that Troldesh attacks companies not for the first time. Such attacks were first recorded in 2015, and the largest took place in March 2019. Then messages came from well-known retailers, as well as financial and construction companies.

StalinLocker: ransomeware deletes data if correct code is not put in time

A new ransomware has been discovered called StalinLocker, or StalinScreamer, that gives victims of the attack 10 minutes to put in the correct unlock code and if they’re not able to do that, erases all the data on the infected device.

The ransomware does not actually demand any ransom, other than the condition given to unlock the victim’s device.

Named after Joseph Stalin, the late leader of the Soviet Union, the malware pays tribute to him by showing a red screen with a picture of Stalin, along with the USSR anthem playing in the background, when StalinLocker takes over the computer and the 10 minute countdown begins.



The ransomware was discovered by MalwareHunterTeam, which on Twitter explained how the malware worked and how to know the code to unlock your locked device.


According to them, the code can be guessed by subtracting the date the malware was run by 30/12/1922, which is the date that represents the foundation of the USSR.


This ransomware, unlike others, seems to purely focus on destroying user data as it does not demand any ransom in Bitcoin or other ways but simply attempts to erase all data if conditions are not met. If the user correctly enters the code, however, the files are unlocked with no problem.

The malware is similar to a previous one that forced victims to PlayerUnknown’s Battlegrounds game for an hour to get their device unlocked, but unlike StalinLocker, it did not threaten the erasure of the victim’s data.

Currently, StalinLocker is in a testing stage but it could turn out to be a major problem for Windows users once it is out for good.

Cyber attack in Japan : Malware steals 3k confidential documents from farm ministry


In a suspected Cyber attack against the Japan, Foreign hackers might have compromised more than 3000  confidential data from the country's Ministry of Agriculture,Forestry and Fishery by infecting the ministry's system with a malware.

Investigators from the governemnt revealed that malware used in the suspected cyber-attack to be HTran, a connection bouncer program believed to have been developed by a Chinese hacker group around 2003, The report from The Daily Yomiuri says.

HTran is often used in cyber-attacks to steal information, as it can send data secretly.

"The programme was also used to steal data from the Finance Ministry, as HTran data transmissions were discovered to have taken place from October 2010 to November 2011" The report says.

Initially, the ministry did not inform the police, despite the fact that the intrusion fell under the Unauthorized Access Prohibition Law. However, now, the police have launched their own investigation to determine what information has been compromised.

Biggest Cyber attack in India's history, 10k Indian government emails hacked


Indian Government have suffered one of the biggest cyber attack in the country's history. Hackers managed to compromise more than 10,000 email address of top government officials.The attack occurred on July 12 this year.

The cybercriminals managed to steal email IDs belong to official working at the Prime Minister's office, Defence, external affairs, finance ministries and Intelligence agencies.

The attack occurred on July 12 this year, four days after the government was warned by the National Critical Information Infrastructure Protection Centre (NCIIPC).

According to Indian Express, News of the attack was confirmed by officials of intelligence and enforcement agencies at a day-long NCIIPC meeting in New Delhi this week.

#BatchWiper, a new data-wiping virus targets Iranian computers


Recently, The Iranian CERT reported that a new piece of malware targets Iranian computers that capable of wiping the files from the infected computers.

SophosLabs have analyzed the new sample and confirmed that the malware attempt to erase the contents of any files on D, E, F, G, H and I drives.

The malware is distributed as a self-extracting WinRAR archive called GrooveMonitor.exe that drops three executable files: juboot.exe, jucheck.exe and SLEEP.EXE.

The 'justboot.exe' is a DOS BAT file that has been converted to PE format that uses 'SLEEP.exe' to wait for few seconds before it adds a registry entry that ensures that 'jucheck.exe' is executed each time the computer restarted.

The primary function of the malware is wiping the files from hard drive, but it does so only within few specific date ranges, each about two days long.

After deleting the data , the malware runs chkdsk in order to trick the victim into believing that the files have been corrupted because of software or hardware failure.

ACH Bank Transfer Refusal Scam leads to Malware Attack

 MX Labs reports that they recently intercepted a lot of emails that warned internauts of certain banks that didn't accept payroll payments or transfers , this scam comes with malware attachement.

The Email Scam with following subject:
  • ACH debit transfer was hold by Yolo Community Bank
  • ACH payroll payment was not accepted by Central Trust and Savings Bank
  • ACH Transfer was not accepted by Eldorado Bank
  • ACH debit transfer was hold by The Mechanics Bank
  • Funds transfer was hold by our bank
They spoofed the email address and send the following message:
Dear Madam / Sir,

I regret to inform you that ACH payroll payment initiated by you or on your behalf was not accepted by Central Trust and Savings Bank.

Transaction ID: 17036653478735
Current status of transaction: on hold

Please review transaction details as soon as possible.

Theodore Parham
Payments Administration
Central Trust and Savings Bank

"review transaction details" link leads to malicious page.  The malicious site ask you to download the adobe flash player with pop up message.  The file is 233kb and named as "Flash.exe".  if you guessed, yes It is malware.

Kaspersky detect it as Trojan-Spy.Win32.Zbot.coak and McAfee detects it as Artemis!C5D161117328.



Several Windows registry changes will be exectued and the trojan can establish connection with the IP 64.252.17.231 on port 11760.

At the time of writing, only 12 of the 43 AV engines did detect the trojan at Virus Total.

Brazil ISP servers under DNS cache Poisoning attack , spreads Trojan


"Brazil ISP servers under massive DNS cache Poisoning attack"warns Kaspersky Lab expert Fabio Assolini.  When Brazilians try to visit facebook,google,youtube and othe websites, pop message asked to install Google Defence or some java applet in order to access the sites.

Some innocent peoples will install without knowing what problem will occur.  if you are the reader of EHN or Know about Security risks , you know what happen.  Yes, it will spread the banking Trojan. 

"Brazil has some big ISPs. Official statistics suggest the country has 73 million computers connected to the Internet, and the major ISPs average 3 or 4 million customers each. If a cybercriminal can change the DNS cache in just one server, the number of potential victims is huge," he points out.

According to Kaspersky, the same IP address hosted a number of malicious files and several exploits, and targeted users seem to be exclusively from Brazil.
80.XX.XX.198/Google_setup.exe
80.XX.XX.198/google_setup.exe
80.XX.XX.198/Google_Setup.exe
80.XX.XX.198/ad2.html
80.XX.XX.198/flash.jar
80.XX.XX.198/FaceBook_Complemento.exe
80.XX.XX.198/ad.html
134XX69350/AppletX.class
80.XX.XX.198/YouTube_Setup.exe
80.XX.XX.198/FlashPlayer.class
80.XX.XX.198/google2.exe
80.XX.XX.198/crossdomain.xml
80.XX.XX.198/favicon.ico
In fact the file ad.html is an encrypted script, exploiting CVE-2010-4452 and running arbitrary code in an old installation of JRE. The exploit detected by us as Exploit.Java.CVE-2010-4452.a calls up one of the files in this list.

Infecting peoples with DNS Poisoning attack is very easy because users believe their trusted sites. Cyber criminals paid an employee who has access to the DNS records to modify them so that user are redirected to the malicious site.

Assolini notes that last week the Brazilian police has arrested an employee of an ISP located in the south of the country, and that he stands accused of changing his employer's DNS cache and redirecting users to phishing websites - no doubt at the behest of the people running them. "We strongly suspect similar security breaches will be happening in other small and medium ISPs in the country," Assolini commented.

But random Internet users are not the only one who have been targeted by this type of attack. Employees of various companies have also been seeing similar pop-up windows when they tried to access any website. Once again, they were actually offered a banking Trojan for download.

The attack was made possible by flaws in the networking equipment used by their companies. Routers and modems were accessed remotely by attackers who changed the devices' DNS configurations.

Duqu is an upgraded version of Stars, Spyware that infected Iran


One of Best Antivirus firm ,Kaspersky enabled protection against the infamous Duqu worm.  Now it detects all version of Duqu.  Kaspersky's Developers Successfully updated the kaspersky to detect Trojan.Win32.Duqu and all other Trojans that exploit the CVE-2011-3402 vulnerability.

Recently, the Duqu Trojan became infamous that successfully exploit the Zero-Day Vulnerability. You can get more information about the malware here.

Following that, Organization start to give protection against the Duqu Trojan. NSS Labs released Anti-Duqu tool.

Also Microsoft issued a temporary fix for this vulnerability.

Duqu is Upgraded Version of "Stars" Malware in Iran:
The Research at Kaspersk's Lab unveils additional information about the Duqu worm.  As the result of their investigation, Duqu is first spotted as "Stars" Malware(a malware created to spy on Iran's nuclear system). 

April 2011(this year), Iran announced that they were under cyber attack with Malware named as "Stars" . Kaspersk researchers confirmed that some of the targets of Duqu were hit on April 21, using the same method involving CVE-2011-3402, a kernel level exploit in win32k.sys via embedded True Type Font (TTF) file.

According to analysis by IrCERT (Iran's Computer Emergency Response Team) Duqu is an upgraded version of "Stars".

Anti-Duqu available for free, 100% Accurate detection of Duqu


Duqu(similar to Stuxnet) is notorious worm that exploit Windows Zero-day Vulnerability.  Microsoft released temporary fix yesterday for this vulnerability .  NSS Labs claimed that they developed very accurate Duqu detection tool , available for free .

This tool detects all DuQu drivers installed on a system.  This tool was developed in the hopes that additional drivers can be discovered to allow us to learn more about the functionality, capabilities and ultimate purpose of DuQu.

According to the test, NSS tool Success rate is 100%, zero false positivies. Developers said it is using advanced pattern recognition techniques, it is also capable of detecting new drivers as they are discovered. 

Two new drivers were discovered after the tool was completed, and both were detected by the NSS tool with no updates required.
 

Zero-day Vulnerability in Windows Kernel exploited by Duqu worm


Zero-Day Vulnerability found in Windows Kernel by Researchers at the Cryptography and System Security (CrySyS) Lab, as the result of Analyzing the Duqu malware.  CrySys immediately reported to the Microsoft about the vulnerability.

CrySys discovered the Duqu Binaries and confirmed that it is nearly identical to Stuxnet.Thus far, no-one had been able to find the installer for the threat and therefore no-one had any idea how Duqu was initially infecting systems.

As the result of Research, CrySys found the installer as Microsoft word document file(.doc) that use a previously unknown kernel vulnerability.  When the .doc file is opened, the Duqu infects the system.

W32.Duqu is a worm that opens a back door and downloads more files on to the compromised computer. It also has rootkit functionality and may steal information from the compromised computer.

Duqu Infection:

"The Word document was crafted in such a way as to definitively target the intended receiving organization. Furthermore, the shell-code ensured that Duqu would only be installed during an eight-day window in August. Please note that this installer is the only installer to have been recovered at the time of writing—the attackers may have used other methods of infection in different organizations.", Symantec Report.

Once the system infected by Duqu, the attacker can control the system and infects other organization through the Social Engineering.  In one organization, evidence was found that showed the attackers commanding Duqu to spread across SMB shares.

Even though the system didn't have the ability to connect to the Internet , the Malware  configured such that to communicate with C&C Server using other infected system that has Internet connection.

Consequently, Duqu creates a bridge between the network's internal servers and the C&C server. This allowed the attackers to access Duqu infections in secure zones with the help of computers outside the secure zone being used as proxies.

Several Countries become the victim of this Duqu malware.  According to Symantec report, there are 8 countries infected by this malware.

As the result of Analysis, the researcher discovered that malware contacts a server hosted in India.

"Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware. We are working diligently to address this issue and will release a security update for customers through our security bulletin process," Jerry Bryant, group manager of response communications in Microsoft's Trustworthy Computing group said in a statement

updated whitepaper (version 1.3) from Symantec .

TimThumb vulnerability in Wordpress leads to malware infection

Last month, Thousands of Wordpress  sites infected by malware , discovered by Armorize. Avast Researchers investigate this hack and conclude that Blackhole exploit kit made by Russian Developers and available for $1500 in black market.

The Vulnerability in non-updated TimThumb allows attackers to upload and execute arbitrary PHP code in the TimThumb cache directory which will download other malicious files. But this is not the only way for example they use stolen passwords to direct FTP changes.

In your FTP, alongside other site files, a new file will appear that looks like this: ./wp-content/w3tc/min/a12ed303.925433.js or ./wp-includes/js/l10n.js

These scripts redirects to a new site where the Black Hole exploit kit is located. The victim is then served a JAR file, that will deploy other malicious downloads to the infected system.

source:
Avast

Cyber Criminals jailed 4 years for Stealing £3 million from bank accounts

 The ring leaders of Cyber criminal gang that siphoned nearly £3 million from the bank accounts were yesterday (Monday 31 October) jailed following an investigation by the Met's Police Central E-Crime Unit (PCeU)

Ukrainian nationals Yuriy Konovalenko aka Pavel Klikov (29 ys), and Yevhen Kulibaba (33 ys) were jailed for four years and eight months at Croydon Crown Court after previously pleading guilty to conspiracy to defraud.

This result is the culmination of a complex and protracted investigation by detectives from the Met's Police Central e-Crime Unit which has seen 13 people jailed for their part in a sophisticated international online fraud that attacked the heart of the UK banking industry.

The investigation, codenamed Operation Lath, focussed on the activities of a group responsible for conducting a systematic and highly sophisticated banking fraud which attacked the banking accounts of hundreds of online customers.

The fraud was perpetrated through the use of banking 'Trojans' to infect the personal computers of bank account holders and subsequently secure funds from them. The malicious software programme was able to capture confidential information, such as usernames, passwords and account numbers. These details were then used to access those accounts without the knowledge of the owners. Funds were then transferred to a large number of receiving accounts controlled by the group.

Kulibaba was the principal within this group of conspirators. He was based in the Ukraine and was responsible for obtaining and allocating accounts to be attacked, and organising the UK based conspirators to set up and operate recipient accounts and remove funds from them.

Konovolenko was Kulibaba's right hand man in the UK. He had a co-ordinating role, organising the establishment and operation of recipient accounts and instructing those with responsibility for organising the removal of the money out of the recipient accounts.

During the investigation the PCeU worked closely with UK banks and colleagues from the Crown Prosecution Service, the FBI and the US Department of Justice.

Report from met.police.uk 

Avira Antivirus detects itself as Malware | False Virus Definition File

Avira Antivirus labeled itself as Spyware.  Avira detects AESCRIPT.DLL(one of Avira dll file) as "TR/Spy.463227".
Recent Virus Definition File(VDF version 7.11.16.146 ) Update of Avira mistakenly includes AESCRIPT.DLL  Library file as one of Spyware.  This results in avira detects itself as spyware.   

After they come to know about this issue, Avira updated the Virus Definition File and ask users to update the Antivirus. The posted about this issue in their official Forum


Japanese parliament's computers infected by Virus, an Cyber Attack


Japanese Parliment's computers infected by virus .  This gave access to Hackers. They Steal Confidential Data belonging to 480 lawmakers and their staff, for over a month.

As per the Report their servers are infected after a Trojan Horse was emailed to a a Lower House member in July. This Trojan Horse downloaded malware from Chinese based Server. This malware Spy on Email Communication and Steal confidential Data of Lawmakers and send to the attacker.








Last month, Mistubishi(Japan's Biggest Defense Contractor) server compromised and confidential data stolen such as such as fighter jets, as well as nuclear power plant design and safety plans.

Tsunami backdoor Trojan Horse for Mac OS X, port of Troj/Kaiten


Sophos researchers discovered a new Trojan Horse named as "Tsunami" that infects Mac OS X.  Researchers said it appears to be a port of Troj/Kaiten( a Linux backdoor Trojan horse that once it has embedded itself on a computer system listens to an IRC channel for further instructions)

An attacker can get access to infected system and launch DDOS Attack(Distributed Denial of service).

Sophos Anti virus included this OSX/Tsunami-A in virus Definitions, So it can detect these malwares. Don't forget to update your Antivirus.


Mass Iframe injections used to drive traffic | Traffic Direction System[TDS]


Security Researchers of Sophos noticed the rise in the volume of Mal/Iframe-Gen detections. A Number of sites infected using the Iframe Injection technique. These infected sites are used to drive traffic to another websites(mostly malware sites).


Despite the obfuscation, Sophos products proactively block these malicious scripts as Mal/Iframe-Gen. As suggested from the threat name, the payload of the injected script is to write an iframe to the page:

The iframe points to what appears to be a 'middleman' server, used to bounce the traffic elsewhere. This is commonly known as a Traffic Direction System (TDS). The TDS server is under the control of the attackers, enabling them to configure it to redirect user traffic to wherever required.

At first the Iframe Injection redirects to a freshly registered domain (hosted in Germany). However, the page was unavailable, with all requests getting a 404 error. This was a little surprising given that the attack was new (you expect 404s for old, stale attacks where the compromised sites persist long after the target payload servers have been shut down).

Later the TDS server was updated to redirect the traffic to a new destination. At the time of writing it is redirecting the traffic to a Blackhole exploit pack site, where the victim is bombarded with the usual Flash, Java and PDF exploits.

The illustration below gives an overview of this attack, and the role that the TDS server plays in it.

This attack provides us with a perfect illustration of how user traffic is a commodity. Once they have injected numerous sites to redirect to their TDS, the attacker can essentially sell that user traffic to interested parties, willing to pay for victims to hit their exploit sites.

As ever, protection from this form of attack consists of several components:
  • detection of the malicious redirects injected into the legitimate sites (in this case, proactive detection as Mal/Iframe-Gen).
  • URL filtering to block requests to the TDS. Thus far, a few different servers are being used in these attacks.
  • URL filtering to block requests to the final destination servers.
  • detection of the exploit site itself (Mal/ExpJS-N) and the various malicious files it uses.
  • detection of the final payload (which will vary as the final destination server changes).
  • if all else has failed, runtime protection (HIPs) to catch the malicious payload running on the victim's machine.

Bloody photos of Gaddafi's death, A spam Mail leads to malware infection


Malware Attackers take advantage of The death of Libyan dictator Colonel Gaddafi to spread malwares.They have spammed out an attack posing as pictures of Gaddafi's death, tricking users into believing that they came from the AFP news agency and are being forwarded by a fellow internet user.





Spam Mail:



Subject: Fw: AFP Photo News: Bloody Photos: Libya dictator Moammar Gadhafi's Death

Message body:

Libya dictator Moammar Gadhafi's Death

Libyan dictator Moammar Gadhafi, the most wanted man in the world, has been killed, the country's rebel government claimed Oct. 20. The flamboyant tyrant who terrorized his country and much of the world during his 42 years of despotic rule was cornered by insurgents in the town of Sirte, where Gadhafi had been born and a stronghold of his supporters.

Attached file: Bloody Photos_Gadhafi_Death.rar
If windows users opened the attachement, it will lead to infection of your system.

Sophos anti-virus products detect the malware proactively as Mal/Behav-103.

Symantec AdVantage(Anti-Malvertising): Armorize and Symantec partnered and launched


Armorize Technologies(malware blog) and Symantec joined together to fight against Malvertisement. They launched a AdVantage(Anti-Malvertising) Technology, cloud based scanner to detect the malvertising(malware advertisement) in online.

“Malvertising poses a serious risk to online publishers and their customers, reputation and revenue. Highly publicized malvertising infections can damage the reputation of even the most trusted online sites. Symantec AdVantage will provide ad publishers the tools they need to protect their businesses by fighting back against these threats.”
– Fran Rosch, Vice President, Identity and Authentication Services, Symantec Corp.

 Symantec Advantage will scan, detect and report malvertising on websites by automatically alerting publishers and identifying the location of malicious advertisements so customers can remove malicious ads that may damage their business’ reputation. A real-time performance dashboard complements these automatic reports by providing essential insights. For example, Symantec AdVantage will enable customers to compare safe ads to malicious advertisements and discover how and when malvertising occurred by visually tracing and identifying the path and source of infected advertisements .

Symantec AdVantage is scheduled to be made available to publishers and ad networks through a free early access program beginning in November 2011.

The service will be available here:
http://advantage.symantec.com/

Reference:
Few days back, the famous site " KickAssTorrent(KAT.ph)" served malvertising, detected by Armorize.