
QakBot (QBot) Campaign: A Thorough Analysis

Trojan-Banker QakBot, also known as QBot, QuackBot and Pinkslipbot, is a modular information stealer that has been active for almost 14 years. Its key agenda is stealing banking credentials, and it employs various tools to evade detection and hamper manual analysis. The authors have developed the trojan with an aggressive sophistication that allows its variants to deploy additional malware, open a backdoor into infected systems, and log user keystrokes.

Typically, QakBot attacks involve MS Office Word documents delivered via phishing emails constructed to trick the user into opening them. In 2020, however, some QakBot campaigns featured ZIP attachments enclosing a Word document that carried the macros. These macros are configured to trigger a PowerShell script that then downloads the QBot payload from selected internet addresses.

Deceiving the Victim: Opening the QBot-Infected Word Doc

The Word document carrying the malicious macro, once opened by the victim, loads in Word on the victim's system, where a yellow "Security Warning" bar right below the ribbon asks the user to click "Enable Content". Once the user clicks it, a gray dialog box appears reading "Loading data. Please wait...", deceiving the user into believing the document is simply taking its time to load.

Behind the scenes, however, the malicious macro is executing. As part of the process, the macro creates a folder and attempts to download the QakBot payload into it; the payload is hosted in five different places. From the five corresponding URLs it can easily be concluded that they were all built with the same website builder, which possibly has a flaw that lets EXE files be uploaded with a PNG extension.
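The ZIP-enclosed macro document and the EXE-as-PNG hosting trick both leave signs that a mail gateway or an analyst can check before anything runs. The following Python block is an added example, not code from the QakBot analysis this post summarises: it unpacks a ZIP attachment in memory, flags any OOXML document that carries a vbaProject.bin (where VBA macros are stored) and flags any member whose leading bytes (an MZ header, i.e. a Windows executable) contradict its declared .png extension. The sample attachment, the member names and the macro bytes are constructed for the example, and the magic-byte table covers only the types this check needs.

```python
import io
import zipfile

# Magic bytes for the few types this check needs (constructed table, not exhaustive).
PE_MAGIC = b"MZ"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"  # also the container format of OOXML Office files


def sniff(data: bytes) -> str:
    """Identify a file by its leading bytes rather than by its name."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the declared extension and the real content disagree,
    e.g. a Windows executable (MZ header) delivered under a .png name."""
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    kind = sniff(data)
    if ext == "png":
        return kind != "png"
    if ext == "exe":
        return kind != "pe"
    return False  # only the extensions this post mentions are covered


def office_has_macro(data: bytes) -> bool:
    """OOXML documents are ZIP containers; VBA macros live in vbaProject.bin."""
    if sniff(data) != "zip":
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())


def triage_zip_attachment(zip_bytes: bytes) -> list:
    """Walk a ZIP attachment and return (member, finding) pairs worth a look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue
            member = zf.read(name)
            if office_has_macro(member):
                findings.append((name, "office document contains VBA macro"))
            if extension_mismatch(name, member):
                findings.append((name, f"extension does not match content ({sniff(member)})"))
    return findings


def _build_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sample_attachment() -> bytes:
    """Constructed sample: a macro-bearing Word doc, a clean one, and a PE named .png."""
    macro_doc = _build_zip({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0fake-vba",  # OLE header plus filler
    })
    clean_doc = _build_zip({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
    })
    fake_png = b"MZ\x90\x00" + b"\x00" * 60  # PE header bytes under a .png name
    return _build_zip({"invoice.docm": macro_doc, "notes.docx": clean_doc, "logo.png": fake_png})


if __name__ == "__main__":
    for member, finding in triage_zip_attachment(sample_attachment()):
        print(f"{member}: {finding}")
```

The content check deliberately ignores what the name claims: a gateway that trusts `.png` would wave the payload through, while the MZ header gives it away in two bytes.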

In one of its previous campaigns, upon running, QBot replaced the original binary with a duplicate of the Windows Calculator app, calc.exe. It then scanned the installed programs, compared process names against a blacklist, examined registry entries, and inspected hardware details to look for virtualization software such as VMware or VirtualBox. If QBot fails to detect any virtualization software, it copies the legitimate executable into a folder, disguising itself with a valid-looking signed certificate. After setting the executable in place, QBot schedules a task to run it every 5 hours. Once that execution completes, QBot launches an explorer.exe process and injects its code into the process's memory. QBot can also execute additional processes using a double-process mechanism.

To safeguard against the ever-evolving QakBot threat, experts recommend that organizations train their employees, who can act as a fallback when automated intrusion detection fails.

Turkey Dog Activity Continues to Use COVID Lures

A year into the pandemic, Turkey Dog-related activity is ongoing, with campaigns that keep using the "free internet" lures. The current campaigns use lure pages that promise cash payments of thousands of Turkish lira, purporting to be affiliated with the Turkish government. For instance, according to Google Translate, one page states, "Final Phase Pandemic Support Application - 3,000TL State Support for All Applicants!" Another features a picture of the Turkish Minister of Health, Dr. Fahrettin Koca, and promises 1,000 lira for "everybody applying!"

A portion of the lure pages use scripts for tracking purposes. RiskIQ's Internet Intelligence Graph uses the unique identifiers associated with these scripts to link numerous Turkey Dog domains. For example, a RiskIQ crawl of pandemidesteklerim[.]com observed a tracking ID loaded on the page that had been seen on 431 hosts since April 26, 2020. They additionally found a Google Analytics tracking ID associated with 52 Turkey Dog domains since October 25, 2020.
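RiskIQ's pivot on script identifiers is easy to reproduce at small scale. The following is an added Python example, not RiskIQ's code or a description of how the Internet Intelligence Graph works: it pulls Google Analytics style tracking IDs out of crawled page bodies and groups the hostnames that load the same ID, so one known lure host leads to its siblings. The hostnames, page bodies and tracking IDs are constructed placeholders, and the regex is an assumption about the UA-<account>-<property> format.

```python
import re
from collections import defaultdict

# Google Analytics tracking IDs take the form UA-<account>-<property>; treating
# that as the pattern is an assumption for this example, not a detail from the post.
GA_ID = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")


def extract_tracking_ids(html: str) -> set:
    """Pull every tracking ID loaded by a page body."""
    return set(GA_ID.findall(html))


def cluster_by_tracker(pages: dict) -> dict:
    """Map each tracking ID to the set of hostnames whose pages load it."""
    clusters = defaultdict(set)
    for host, html in pages.items():
        for tid in extract_tracking_ids(html):
            clusters[tid].add(host)
    return dict(clusters)


def related_hosts(pages: dict, seed_host: str) -> set:
    """Pivot from one known lure host to every host sharing a tracker with it."""
    clusters = cluster_by_tracker(pages)
    related = set()
    for tid in extract_tracking_ids(pages[seed_host]):
        related |= clusters.get(tid, set())
    related.discard(seed_host)
    return related


# Constructed crawl results: hostnames, page bodies and IDs are placeholders, not real IoCs.
SAMPLE_PAGES = {
    "lure-one.example": "<script>ga('create', 'UA-12345678-1', 'auto');</script><h1>Pandemi Destek</h1>",
    "lure-two.example": "<script async src='https://www.googletagmanager.com/gtag/js?id=UA-12345678-1'></script>",
    "other-site.example": "<script>ga('create', 'UA-99999999-2', 'auto');</script>",
    "no-tracker.example": "<html><body>plain page</body></html>",
}

if __name__ == "__main__":
    for tid, hosts in sorted(cluster_by_tracker(SAMPLE_PAGES).items()):
        print(tid, sorted(hosts))
    print("pivot from lure-one.example:", sorted(related_hosts(SAMPLE_PAGES, "lure-one.example")))
```

A shared tracking ID is a strong but not conclusive link, since legitimate sites built by the same agency can share one too; in practice the pivot is combined with registration, hosting and content overlap before a host is blocked.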

In May 2020, threat researcher BushidoToken published a blog post pulling together multiple indicators, some dating back as early as April 2020, from researchers following Cerberus and Anubis activity targeting Turkish speakers. These two remote access Trojans (RATs), which follow a malware-as-a-service model, steal client credentials to access bank accounts. Highly deceptive, they can overlay other applications (dynamic overlays), capture keystrokes, harvest and send SMS messages, forward calls, and access other sensitive information on the device.

Because RiskIQ regularly crawls malicious app-distribution URLs drawn from various internal and external feeds, it can directly observe the lure pages used by malicious Android applications. The mobile application landscape is likely overflowing with Turkey Dog mobile applications. A quick search for blacklisted samples of one known Turkey Dog APK, "edestek.apk", yields 90 results from as many unique Turkey Dog URLs. All 90 of these samples can read, receive, and send SMS messages, allowing them to circumvent SMS two-factor authentication. Many of them can also record audio, perform full-screen overlays to present a bogus login page for harvesting banking credentials, and download additional software packages.

A year on, cybercriminals continue to use the COVID-19 pandemic as a lure for victims. Turkey Dog activity has gone on unabated for a long time, likely ensnaring a large number of victims and separating them from their banking login credentials and other sensitive information.

Cybercriminals Spreading Node.js Trojan Promising Relief from the Outbreak of COVID-19

A Java downloader with the filename “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar” has recently been detected. Drawing inferences from its name, researchers suspected it to be associated with COVID-19-themed phishing attacks.

Running this file led to the download of an undetected malware sample written in Node.js. Node.js is an open-source, cross-platform JavaScript runtime environment that executes JavaScript code outside of a browser; since it is primarily designed for web server development, there is little probability of it already being installed on end-user systems.

The trojan that is suspected of employing the unconventional platform for bypassing detection has been labeled as 'QNodeService'. The malware has been designed to perform a number of malicious functions including uploading, downloading, and executing files.

It is also configured to steal credentials stored in web browsers and to perform file management. Currently, the malware appears to be targeting Windows systems only; however, the code signals a potential for 'cross-platform compatibility', and researchers concluded that this is likely a 'future goal' for the cybercriminals.

Cybercriminals are devising new methods all the time to design malware such as trojans to infect as many machines as possible without getting noticed.

To stay on the safer side, users are advised to block malware at all the possible entry points, such as endpoints, networks, and email.

Malware Campaigns Attacking Asian Targets Using EternalBlue and Mimikatz

Asian targets are falling prey to a cryptojacking campaign that takes advantage of 'Living off the Land' (LotL) obfuscated PowerShell-based scripts and uses the EternalBlue exploit to land a Monero coinminer and Trojans on targeted machines.

At the beginning of this year, a similar malware campaign was identified by the research team of Qihoo 360; reportedly, that campaign targeted China at the time. Open source tools such as PowerDump and Invoke-SMBClient were employed to dump password hashes and carry out pass-the-hash attacks.

The campaign relies on an exploit against the SMBv1 protocol that was brought into the public domain by the Shadow Brokers a couple of years ago; it has since become one of the standard tools used by the majority of malware developers.

According to Trend Micro's initial findings, the cryptojacking campaign was at first targeting only Japanese computers, but the targets eventually multiplied and now encompass Taiwan, India, Hong Kong, and Australia.

Trend Micro's research also stated that the EternalBlue exploit, developed by the NSA, is a new addition to the malware; alongside, they drew a correlation between the exploit and the 2017 ransomware attacks.

How does the malware compromise computers?

With the aid of "pass the hash" attacks, it inserts various infectious components into the targeted computer, trying multiple weak credentials in an attempt to log in to other devices connected to that particular network.

Upon a successful login, it changes the compromised machine's firewall and port-forwarding settings; meanwhile, it configures a scheduled task that updates the malware on its own.

Once the malware has successfully compromised the targeted computer, it downloads a PowerShell dropper script from the C&C server, then retrieves the device's MAC address and terminates all the antimalware software present on the system. Immediately after that, it drops a Trojan strain configured to gather machine information such as the name, OS version, graphics details, GUID and MAC address.

“We found the malware sample to be sophisticated, designed specifically to infect as many machines as possible and to operate without immediate detection. It leverages weak passwords in computer systems and databases targets legacy software that companies may still be using,” said Trend Micro.

Trend Micro advises users and enterprises to, “use complicated passwords, and authorize layered authentication whenever possible. Enterprises are also advised to enable multi-layered protection the system that can actively block these threats and malicious URLs from the gateway to the endpoint.”
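The infection chain described above (NTLM network logons fanning out from one source, a hidden or encoded PowerShell dropper, netsh firewall or port-forwarding changes, and a scheduled task for self-update) maps onto a few host-log detections. The block below is an added example, not Trend Micro's or Qihoo 360's tooling: it runs simple rules over constructed event records modelled loosely on Windows Security 4624 (logon) and 4688 (process creation) events. The field names are simplified, the three-target threshold and the command-line patterns are assumptions, and every IP, hostname and command line is invented.

```python
import re
from collections import defaultdict

# Constructed event records, loosely modelled on Windows Security 4624 (logon)
# and 4688 (process creation). Field names are simplified; all values are invented.
EVENTS = [
    {"id": 4624, "host": "ws01", "src_ip": "10.0.0.5", "logon_type": 3, "auth": "NTLM", "user": "admin"},
    {"id": 4624, "host": "ws02", "src_ip": "10.0.0.5", "logon_type": 3, "auth": "NTLM", "user": "admin"},
    {"id": 4624, "host": "ws03", "src_ip": "10.0.0.5", "logon_type": 3, "auth": "NTLM", "user": "admin"},
    {"id": 4624, "host": "ws04", "src_ip": "10.0.0.9", "logon_type": 3, "auth": "Kerberos", "user": "jane"},
    {"id": 4688, "host": "ws02", "cmd": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"id": 4688, "host": "ws02", "cmd": "netsh interface portproxy add v4tov4 listenport=65533 connectaddress=10.0.0.5"},
    {"id": 4688, "host": "ws02", "cmd": "schtasks /create /sc hourly /tn Updater /tr C:\\ProgramData\\u.ps1"},
    {"id": 4688, "host": "ws05", "cmd": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

# Command-line markers of a hidden or encoded PowerShell launch (assumed patterns).
SUSPICIOUS_PS = re.compile(
    r"-(enc|encodedcommand|e)\b|downloadstring|\biex\b|-w(indowstyle)?\s+hidden", re.I
)


def detect_ntlm_fanout(events, threshold=3):
    """One source address performing NTLM network logons (type 3) to many hosts
    is the shape pass-the-hash lateral movement takes in the logon log."""
    targets = defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 3 and e.get("auth") == "NTLM":
            targets[e["src_ip"]].add(e["host"])
    return [("ntlm_fanout", src, sorted(hosts))
            for src, hosts in sorted(targets.items()) if len(hosts) >= threshold]


def detect_process_rules(events):
    """Per-process rules for the dropper, the firewall/portproxy change and the task."""
    alerts = []
    for e in events:
        if e["id"] != 4688:
            continue
        cmd = e["cmd"]
        low = cmd.lower()
        if low.startswith("powershell") and SUSPICIOUS_PS.search(cmd):
            alerts.append(("suspicious_powershell", e["host"], cmd))
        if low.startswith("netsh") and ("portproxy" in low or "advfirewall" in low):
            alerts.append(("firewall_or_portproxy_change", e["host"], cmd))
        if low.startswith("schtasks") and "/create" in low:
            alerts.append(("scheduled_task_created", e["host"], cmd))
    return alerts


def run_detections(events):
    """Run every rule and return (rule, where, detail) tuples."""
    return detect_ntlm_fanout(events) + detect_process_rules(events)


if __name__ == "__main__":
    for rule, where, detail in run_detections(EVENTS):
        print(f"[{rule}] {where}: {detail}")
```

Each rule on its own will fire on legitimate administration (a Kerberos-less jump host, a packaging script, an IT-created task); the value is in the sequence, so an alert that correlates the fan-out source with the host that then launched the encoded PowerShell is what an analyst should expect from this campaign.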

The Return Of Trojan Poses Substantial Hacking Threat To Businesses!

Trojan malware has returned with infectious ransomware attacks aimed at harvesting banking credentials and personal and property-related data.

Business organizations have become the latest targets of this malware.

With long-term and insidious operations as its ambition, the Trojan poses a serious threat even to intellectual property.

A recent report from a reputed security company noted that backdoor attacks against businesses, powered by Trojans, have increased significantly.

According to the same security lab, “Trojans” and “Backdoors” are distinct.

A Trojan is a program that is supposed to perform one function but ends up performing another; a Backdoor is a type of Trojan that enables a threat actor to access a system by bypassing its security.

“Spyware” attacks have also risen as a consequence. Spyware is malware that gathers information from a device and stealthily sends it to a third party.

The spyware concept is old, but it remains as effective as any other powerful malware and is aimed squarely at data exfiltration.

The “Emotet Trojan” is considered to be behind the information-stealing campaigns throughout last year and at the beginning of this month too.

This Trojan can move through networks, harvest data, and monitor networks. It can also easily infect systems by replicating itself with no substantial effort at all.

Emotet is a self-sufficient threat that tends to spread across compromised systems in addition to installing other malware on them.

The report also touched on the menacing behavior of TrickBot, one of the by-products of Emotet.

The constantly evolving TrickBot is updated daily with new abilities, a few of which are stealing passwords and browser histories and harvesting sensitive data.

Consultancy firms seem to be the primary targets of the Trojan, which is inclined to harvest more than just banking details and personal information.

Intellectual property is another major point of concern now that cybercriminals have resorted to breaching defenses using Trojans.

These tactics were thought to be dated and dull, but they have taken serious twists and turns and evolved into something genuinely perilous.

Businesses should stop underestimating these attacks and keep a keen eye on any potential for them.

Trojan Neloweg operates similar to Zeus and steals Bank details

Symantec researchers are currently tracking a banking Trojan called Trojan.Neloweg. According to their research, the threat has been localized to Europe. This Trojan steals infected users' login credentials, including banking data.

Neloweg operates much like the notorious banking Trojan Zeus. Like Zeus, Trojan.Neloweg can detect which site it is on and add custom JavaScript. But while Zeus uses an included configuration file, Trojan.Neloweg stores this on a malicious web server.

Once a particular banking page has been matched, Trojan.Neloweg covers part of the page in white using a hidden DIV tag and executes custom JavaScript located on the malicious server.

Neloweg infection

The infected system's browser can function like a bot and accept commands. It can process the content of the current page it is on, redirect the user, halt the loading of particular pages, steal passwords, run executables, and even kill itself. Unfortunately, the kill function is rather excessive: it deletes critical system files, which in turn prevents users from logging in properly.

A Mac Trojan "DevilRobber" Upgraded to v3 and Masquerades as PixelMator

DevilRobber (Backdoor:OSX/DevilRobber) is the latest malware targeting Mac OS X users; it has now been upgraded and masquerades as PixelMator. Based on the malware's dump.txt file, this latest backdoor is identified as Version 3 (v3).

"The main point of difference in DevilRobberV3 is that it has a different distribution method — the 'traditional' downloader method." F-Secure researchers say.

The previous versions of this Trojan masqueraded as other legitimate Mac applications; this time it is the PixelMator application.

Previously, this Trojan logged the number of files matching a certain set of criteria, and also stole the Terminal command history and the Bitcoin wallet. It also performed the following:
  •  Opens a port where it listens for commands from a remote user.
  •  Installs a web proxy which can be used by remote users as a staging point for other attacks.
  •  Steals information from the infected machine and uploads the details to an FTP server for later retrieval.

Changelog for this upgraded Trojan (this is the first time we are posting a changelog for a virus):
  • It no longer captures a screenshot
  • It no longer checks for the existence of LittleSnitch (a firewall application)
  • It uses a different launch point name
  • It harvests the shell command history
  • It harvests 1Password contents (a password manager from AgileBits)
  • It now also harvests the system log file

Unfortunately, it still attempts to steal Bitcoin wallet contents.

Tsunami backdoor Trojan Horse for Mac OS X, port of Troj/Kaiten

Sophos researchers discovered a new Trojan horse named "Tsunami" that infects Mac OS X. Researchers said it appears to be a port of Troj/Kaiten, a Linux backdoor Trojan horse that, once embedded on a computer system, listens to an IRC channel for further instructions.

An attacker can gain access to the infected system and launch DDoS (Distributed Denial of Service) attacks from it.

Sophos Anti-Virus includes OSX/Tsunami-A in its virus definitions, so it can detect this malware. Don't forget to update your antivirus.

Backdoor R2D2 ~ Government Trojan Discovered by Chaos Computer Club

The famous European hacker club, the Chaos Computer Club (CCC), discovered a backdoor Trojan horse capable of spying on online activity and recording Skype internet calls which, it says, is used by the German police force.

For some years, German courts have allowed the police to deploy a Trojan known colloquially as "Bundestrojaner" ("State Trojan") to record Skype conversations, if they have legal permission for a wiretap.

But the CCC's claim is controversial, as the Trojan they have uncovered has more snooping capabilities than that. For instance, it includes functionality to download updates from the internet, to run code remotely and even to allow remote access to the computer, something specifically in violation of Germany's laws.

The malware has the following functionality, according to Sophos's analysis:
* The Trojan can eavesdrop on several communication applications - including Skype, MSN Messenger and Yahoo Messenger.
* The Trojan can log keystrokes in Firefox, Opera, Internet Explorer and SeaMonkey.
* The Trojan can take JPEG screenshots of what appears on users' screens and record Skype audio calls.
* The Trojan attempts to communicate with a remote website.

A CCC spokesperson expressed the group's concern at the discovery:

"This refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown trojan is possible in practice – or even desired. Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system."

Was the Trojan horse really written by the German authorities?
We have no way of knowing if the Trojan was written by the German state - and so far, the German authorities aren't confirming any involvement.

The comments in the Trojan's binary code could just as easily have been planted by someone mischievously wanting the Trojan to be misidentified as the infamous Bundestrojaner.

What we can say is that the phrase "0zapftis" has raised some eyebrows amongst the German speakers at SophosLabs. It's a play on a Bavarian phrase "The barrel is open", said by the mayor of Munich when he opens the first barrel of beer at the Oktoberfest.

But there certainly have been claims of German state-sponsored cyber-spying in the past. For instance, in 2008, there were claims that the BND - Germany's foreign intelligence service - deployed spyware to monitor the Ministry of Commerce and Industry in Afghanistan.

BMW Virus ~ A New BIOS-Based Virus Discovered by Chinese Antivirus Firm

The Chinese antivirus firm 360 discovered a new Trojan, the BMW virus, that infects the BIOS (the motherboard chip's firmware) and the MBR (Master Boot Record). Formatting the whole hard disk or installing a new OS won't help you at all, because the BIOS is firmware that resides in a chip on the motherboard and works without the hard disk. Since this virus infects the BIOS, how could formatting the hard disk help?

Virus transmission
Bundled with a game plug-in, it tricks users into turning off their security software before attacking.

Symptoms of infection

First, before Windows starts, the words "Find it OK!" appear on the computer screen;
Second, anti-virus software repeatedly reports a "Hard disk boot sector virus" that cannot be completely cleaned;
Third, the browser home page was altered to

Technical Analysis of the BMW virus:
The BMW virus body is divided into three parts, BIOS, MBR and Windows; the attack process is shown below:

Prevention and Virus Removal
If you are a 360 user, your system is protected against the BMW virus: it cannot infect the motherboard BIOS chip or the hard disk MBR.

If you turned off your security software and have been infected by BMW, you can download the 360 "BMW virus Zhuanshagongju" (dedicated removal tool), which can detect the virus in the BIOS and prevent the virus code from being written back to the MBR, and then use the 360 First Aid Kit to repair the system, which effectively prevents the virus from recurring.
They explained clearly on the above page how to remove the virus.

SpyEye Trojan stole $3.2 million from U.S. victims ~ Discovered by TrendMicro

A Russian cybergang headed by a mysterious ringleader called 'Soldier' was able to steal $3.2 million from U.S. citizens earlier this year using the SpyEye-Zeus data-stealing Trojan, security company Trend Micro has reported.

Trend Micro researchers recently uncovered a cybercriminal operation involving SpyEye that began as early as January 2011. The said operation was orchestrated by “Soldier” (the cybercriminal’s handle), who is currently based in Russia. Trend Micro researchers had been monitoring Soldier and his activities since March 2011.

Based on investigation, this attack mainly targeted US users and some of those affected were large enterprises and institutions such as the US government and military. In fact, 97% of the affected corporations are based in the US. However, we have also observed affected organizations located in other countries such as the United Kingdom, Mexico, Canada, and India.

The SpyEye variant used in this attack is detected by Trend Micro as TSPY_SPYEYE.EXEI.

How much money was stolen?

According to Trend Micro research, the cybercriminal behind this attack was able to get more than $3.2 million, or $17,000 per day, over the last 6 months with the help of accomplices and money mules. Money mules were recruited to transfer the money to the cybercriminals. To launder the money, the cybercriminal passes the stolen money to accomplices situated in various locations, then to the money mules, and finally back to the cybercriminal. This is done so the cybercriminal won't be easily tracked down by security researchers and law enforcement.

Once a system is infected, what does TSPY_SPYEYE.EXEI do?

Once installed, TSPY_SPYEYE.EXEI downloads a configuration file, which contains the websites that it monitors. Once users visit any of these monitored sites, it performs web injection and logs keystrokes to steal information from users. It also connects to specific URLs to send and receive information from a remote user. Once connected to these sites, it sends specific information such as operating system information, Internet Explorer (IE) version, account type, language ID, time zone etc.

What is SpyEye and how can I encounter this?

SpyEye is a commercially sold toolkit that first emerged in 2009. Users may encounter SpyEye variants via various infection vectors such as blackhat search engine optimization (SEO), spam, and other malware that infects users' systems. Its main routine is information, identity, and financial theft.

Trend Micro detects the binary files generated by SpyEye as TSPY_SPYEYE variants. When SpyEye first came out in the wild, it was thought of as the rival of another prevalent crimeware toolkit, ZeuS.

How does SpyEye malware steal information?

SpyEye downloads a configuration file onto the infected system. This configuration file contains the list of monitored websites. When users access any of the monitored websites, SpyEye performs Web injection to steal the data entered by the users. It is also capable of capturing screenshots from the infected system.

What is a web injection and how does it work?

In Web injection, SpyEye injects HTML code into the webpage to add form fields for other data that the cybercriminals want to steal. When users visit one of the monitored websites, they see additional field(s) on the site asking for specific information beyond logon credentials, such as an ATM or credit card number, email address, etc.
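Both the Neloweg technique described in the earlier post (a white overlay DIV plus custom JavaScript pulled from the attacker's server) and SpyEye's web injection of extra form fields leave traces in the page the browser actually renders, which is what a bank's fraud team or a support analyst can compare against a known-good copy. The following Python block is an added example, not code from Symantec's or Trend Micro's analyses: it parses a captured login page, compares the input field names against a baseline, flags script sources outside the bank's own hosts, and flags inline-styled DIVs that look like full-page overlays. The bank hostname, field names, overlay heuristic and both sample pages are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def _looks_like_overlay(style: str) -> bool:
    """Heuristic (an assumption for this example): an absolutely or fixed
    positioned DIV that paints its own background is what a 'cover the page
    in white' inject looks like in the rendered markup."""
    s = style.replace(" ", "").lower()
    positioned = "position:absolute" in s or "position:fixed" in s
    return positioned and "background" in s


class FormAudit(HTMLParser):
    """Collect input names, script sources and overlay-like DIV styles from a page."""

    def __init__(self):
        super().__init__()
        self.inputs = set()
        self.script_srcs = []
        self.overlay_styles = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            name = a.get("name") or a.get("id")
            if name:
                self.inputs.add(name)
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "div" and _looks_like_overlay(a.get("style", "")):
            self.overlay_styles.append(a["style"])


def audit_page(html: str, expected_inputs, trusted_hosts) -> list:
    """Return (finding, detail) pairs; an empty list means the page matched the baseline."""
    parser = FormAudit()
    parser.feed(html)
    findings = []
    extra = parser.inputs - set(expected_inputs)
    if extra:
        findings.append(("unexpected_form_fields", sorted(extra)))
    for src in parser.script_srcs:
        host = urlparse(src).hostname
        if host and host not in trusted_hosts:
            findings.append(("untrusted_script", src))
    for style in parser.overlay_styles:
        findings.append(("overlay_div", style))
    return findings


# Constructed sample pages: a clean login page and the same page with an inject applied.
BASELINE_INPUTS = {"username", "password", "csrf"}
TRUSTED_HOSTS = {"bank.example"}

CLEAN_PAGE = """<html><body>
<form action="/login" method="post">
  <input type="hidden" name="csrf" value="t0k3n">
  <input name="username"><input type="password" name="password">
</form>
<script src="https://bank.example/static/app.js"></script>
</body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</form>",
    '  <input name="atm_pin" placeholder="ATM PIN">\n</form>'
).replace(
    "</body>",
    '<div style="position:absolute; top:0; left:0; width:100%; height:320px; background:#fff"></div>\n'
    '<script src="https://inject.untrusted.example/x.js"></script>\n</body>'
)

if __name__ == "__main__":
    for page_name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(page_name, audit_page(page, BASELINE_INPUTS, TRUSTED_HOSTS))
```

The baseline comparison is the part that generalises: a bank that knows exactly which fields and script origins its login page should carry can have customers' browsers (or a support tool fed a saved copy of the page) report any deviation, which catches injects regardless of which Trojan family applied them.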

What kind of information do SpyEye variants steal?

Although SpyEye steals banking credentials, it is capable of stealing credentials related to different websites, such as Facebook, Twitter, Yahoo!, Google, eBay, and Amazon. It also gathers system information such as installed operating system, Internet Explorer version, timezone, and others. Furthermore, it is capable of capturing screenshots. This routine enables SpyEye to bypass authentication means and to gather data apart from online banking information. The stolen data are either used for other fraudulent activities or sold in the underground.

Why should I be concerned about SpyEye?

As an information stealer, SpyEye variants steal logon credentials and use them to initiate unauthorized transactions, such as online fund transfers. Because of the web injection routine, users are also at risk of unwittingly giving out sensitive information, which is sold on the underground market and used for malicious purposes. In addition, SpyEye remains one of the most prevalent malware families to date. It is sold commercially, making it available to anyone who intends to steal users' information and hard-earned money.

SpyEye is known for targeting consumers as well as small and medium businesses. However, large organizations are affected in this particular attack. It is possible that employees of large enterprises accessed their online bank accounts, and may have engaged in other online activities, while using the work/business network, thus compromising its security. Furthermore, the stolen information from these large enterprises may be used to stage targeted attacks.

Are Trend Micro users protected from this attack?

Yes. Trend Micro provides multi-layered protection via the Trend Micro™ Smart Protection Network™. Its Web reputation technology blocks all the malicious URLs from which SpyEye variants may be downloaded, and also prevents access to the URLs from which the malware may download its configuration files. The File reputation service detects and deletes all known SpyEye variants found on the affected system. For SpyEye variants that arrive via spam messages, the Email reputation service promptly blocks such messages even before they arrive in users' inboxes.

Trend Micro’s Threat Discovery Appliance (TDA) also protects users' networks by blocking malicious packets, such as C&C communication and uploads of stolen information.

Home users can use Trend Micro’s HouseCall to scan and clean systems infected with malware components related to this attack. Similarly, Trend Micro’s Genericlean detects and cleans the malware components.

Users are advised to be wary of divulging any personal information online. It is also best not to access online bank accounts using a work network. For businesses, we recommend the use of various security layers such as firewall, gateway, messaging, network, server, endpoint, and mobile security for optimal protection against attacks like this.

As of this writing, Trend Micro researchers and analysts are collaborating with law enforcement agencies regarding the blocking of identified command and control servers related to SpyEye.

Android users will be the next target!