Search This Blog

Showing posts with label Windows. Show all posts

Winja (VirusTotal Uploader)- The Malware Detector!


Cyber-security is an important concern for everyone working from these days, amid the lock-down due to the current Coronavirus pandemic. There are several security measures one can employ to stay on top of all the cyber-hazards that hackers could be brewing.

Winja is one such free application and passive analysis tool that is designed for Microsoft Windows that helps the user find any potential malware on their system. By way of using the scanning engine of the anti-virus products, the application gives forth very specific details as to which file is hazardous in which way.

Whenever we download something from the internet our first step is to ensure that it’s safe for our device. With Winja, all you have to do is to drag the file in question on the mal window and Voila! The results apparently will show on the desktop.

In case you have a sneaking suspicion about your device being infected, you could scan all services and processes for malware and the application will help you.

Reportedly, Winja initially uses the “VirusTotal” public API to insert the fingerprint of a file. If the fingerprint is present, Winja sends the current analysis report and if it is not then Winja sends the “unknown file” to the VirusTotal servers for scanning. You can also analyze files any time you want to enhance the chances of detection.

As has been recognized by researchers over these years, hackers tend to have their places of choice in their victim’s devices to first sneak in and then hide the malware. With Winja it becomes extremely easy to locate any suspicious files in those places. Per sources, Services, Task Scheduler, Active Processes, Applications beginning with Windows and Actions that require network resources and internet are few to be mentioned.

All you need to do to scan any file that you have a suspicion on is to drag it and drop in onto the main window of the Winja application.

Plus, you can make use of an extension for the Windows Explorer that would aid you to request a scan by means of a right-click on any file of your choice from the file browser.

Per sources, all the subsequent versions after the sixth one are available in French making it a huge hit in the French-versed population. VirusTotal, which is an arm of Google, strongly suggests Winja as a substitute for their Windows desktop application.

This application goes hand in hand with the anti-virus software that you love to use for your devices. It is not a substitute for anti-virus software but it fits with them like a puzzle piece and does not intend to endanger their publicity in any way.

Hackers Attack Amazon Web Services Server


A group of sophisticated hackers slammed Amazon Web Services (AWS) servers. The hackers established a rootkit that let them manually command the servers and directed sensitive stolen corporate date to its home servers C2 (command and control). The attackers breached a variety of Windows and Linux OS within the AWS data center. A recent report published by Sophos (from Britain) last week has raised doubts and suspicions among the cybersecurity industry.


According to Sophos reports, the hackers were able to avoid Amazon Web Services SG (security groups) easily. Security Groups are supposed to work as a security check to ensure that no malicious actor ever breaches the EC2 instance (it is a virtual server used by AWS to run the application). The anonymous victim of this attack had already set up a perfectly tuned SG. But due to the rootkit installed in AWS servers, the hackers obtained remote access meanwhile the Linux OS was still looking for inbound connections, and that is when Sophos intervened. Sophos said that the victim could have been anyone, not just the AWS.

The problem was not with AWS, this piggybacking method could have breached any firewall, if not all. According to cybersecurity experts' conclusion, the hackers are likely to be state-sponsored. The incident is named as "Cloud Snooper." A cybersecurity expert even termed it as a beautiful piece of work (from a technical POV). These things happen all the time, it only came to notice because it happened with a fancy organization, he says. There are still unanswered questions about the hack, but the most important one that how the hackers were able to manage this attack is cleared.

About the attack 

“An analysis of this system revealed the presence of a rootkit that granted the malware’s operators the ability to remotely control the server through the AWS SGs. But this rootkit’s capabilities are not limited to doing this in the Amazon cloud: It also could be used to communicate with, and remotely control, malware on any server behind any boundary firewall, even an on-premises server. By unwinding other elements of this attack, we further identified other Linux hosts, infected with the same or a similar rootkit," said Sophos.

Windows Devices in Hospitals Vulnerable to Potential Exploits


Windows Devices in Hospitals Vulnerable to Potential Exploits According to recent reports, hackers can exploit the vulnerabilities present in health devices, and it can prove dangerous to the health of the patients at the hospital. But, the problem could be avoided by following some simple steps. The health devices have a more likable chance to the Bluekeep exploit than any other devices connected in the hospitals. Health devices can be exploited up to 2 times, using the Bluekeep exploit. This puts both the patients and the hospital staff in danger as witnessing the current scenario, the health sector has recently been one of the primary targets of the hackers.


Therefore, the issue of cybersecurity among the health sector is one of the main concerns of the digital age. Bluekeep was first discovered in 2019, and it is a vulnerability in Microsoft RDP (Remote Desktop Protocol). The vulnerability affects Windows7, Windows8, Windows Server2008, and Windows Server2008 R2. When the news of Bluekeep vulnerability surfaced, Microsoft immediately released a security patch to resolve the issue. Various intelligence agencies, including the US NSA (National Security Advisory) and Britain's NCSC (National Cyber Security Centre), immediately informed Microsoft to fix all the security patches related to the vulnerability.

The matter of concern was that Bluekeep could be used as malware to do the same damage that EternalBlue had caused, the exploit that triggered Wannacry. In this incident, various high profile organizations were taken the victim, but the greatest attack happened on the National Health Service of UK, in which the entire networks of the hospitals were shut down. But despite various warnings, health devices that run on Windows are still vulnerable to a potential Bluekeep exploit.

According to researchers at CyberMDX, a healthcare cybersecurity company, a newly made report's data suggests that more than 20% of healthcare devices (that run on Windows) in hospitals are vulnerable to the blue keep exploit, as they have still not configured to the latest security patches. The healthcare devices include x-ray machines, anesthesia machines, ultrasound devices, and radiology equipment. If these devices are not fixed to the latest security patch, chances are that hackers could exploit them using the blue keep vulnerability. This can risk the lives of the patients and the healthcare staff.

Apple Doubles Microsoft by 2:1 in Cybersecurity Threats


According to a fresh report on malware that further sinks deep into the debate of cyberattacks, research company Malwarebytes has used data from various fields to analyze the cybersecurity attacks that effected either the consumers or the business in 2019. But the most surprising thing is the platforms on which these attacks happened: Apple vs Microsoft. Surprisingly, the report tells us that the cybersecurity threats had a larger effect on Apple than that of Microsoft.


An insight into State of Malware Reports- 

The 2020 Malwarebytes research looked into the following fields for the potential cybersecurity threats: macOS and Windows, iOS and Android users, attacks based on web browsers, and attacks that happened on Windows or Mac PCs. After calculating the cybersecurity threats and analyzing the data, the 'State of Malwares' report revealed that cybersecurity threats against Apple increased by 400% in the year 2019. It also concludes that Apple outnumbers Microsoft by 2:1 in terms of cybersecurity threats.

The ratio shouldn't be ignored as Malwarebyte's Apple has a larger user base than Microsoft. Further, the report reveals that Mac files tend to have more malicious behavior (front and center) throughout the years, allowing more space for hackers to deploy evading techniques to escape iOS discovery. As the malware signs of progress keep affecting the iOS, users should rethink if they should install antivirus in their phones or not, as it opens up the space for cyber attacks.

Does it raise concern over Mac Security- 

If you look back in the past media coverage on cybersecurity, the reports would suggest that there were more attacks to Microsoft or Windows users than to Apple or iOS. But simply having fewer reports than Microsoft doesn't mean that Apple has better cybersecurity. There have been a few prominent incidents that raised suspicion over Apple's commitment to security. For instance, the iPhone specific threats, or the Siri feature that left encrypted emails encrypted, or the apps that could tell if "your iPhone was hacked," or to ensure the security of the Apple Smartwatch 5. The Malwarebytes report suggests that one shouldn't ignore this while moving into 2020, as 2019 showed it was a bad year for Apple.

Modified TrickBot Trojan can now Steal Windows Active Directory Credentials


TrickBot trojan, a strain of malware that has been around affecting users since 2016 - is now evolved to steal Windows Active Directory credentials. Today, in the cybersecurity ecosystem it is considered as one of the top threats abusing businesses, experts estimate that TrickBot is responsible for compromising more than 250 million email accounts till date. Earlier, TrickBot went a step further while targeting Windows 10 users by disabling Windows defender onto their systems rather than just bypassing the protection. Fundamentally, TrickBot is a banking Trojan and is generally deployed through spearphishing emails like invoices mailed to the accounts department. Typically, it is attached as infected Microsoft Excel or Word documents. The malware can be spread across an organization in a number of ways, one of them is via exploiting vulnerabilities in a protocol called SMB which makes the process of sharing and accessing files on other systems easy for Windows computers.

First identified by Sandor Nemes, a security researcher from Virus Total, this new module of TrickBot dubbed as "ADII" further amplifies the threat it possesses for security, it steals Windows Active Directory information by executing a set of commands.

An Active Directory database is being created and stored into the default C:\Windows\NTDS folder on the domain controller, a server here is acting as the domain controller. Now, all the information including passwords, computers, users, and groups of Windows Active Directory are saved in a file by the name "ntds.dit" in the database. As all the aforementioned information is sensitive in nature, Windows resort to a BootKey that is located in the system component of the Registry and encrypts the information with the help of it. Admins who are responsible for database maintenance use a special tool known as "ntdsutil" to work with that database. Reportedly, standard file operations cannot access the BootKey.

How TrickBot Goes About Stealing Active Directory Credentials?


Administrators use the command "install from media", also known as "ifm", to create a dump of Active Directory. The command leads to the creation of an installation media for setting up new Domain Controllers. The new module "ADII" exploits the ifm command to produce a copy of the Windows Active Directory database; after the database is dumped into the %Temp% folder, the bot collects the information and transfers it to the admin. The collected data can be effective in infecting more systems in the same network and could also be employed by various other malware in search of similar vulnerabilities.

SNAKE Ransomware Targets Entire Corporate Systems?


The new Snake Ransomware family sets out to target the organizations’' corporate networks in all their entirety, written in Golang and containing a significant level of obfuscation, the observations and disclosure for the attacks were made by a group of security specialists from the MalwareHunterTeam.

The Ransomware upon successful infection subsequently erases the machine's Shadow Volume Copies before ending different processes related to SCADA frameworks, network management solutions, virtual machines, and various other tools.

After that, it continues to encrypt the machine's files while skirting significant Windows folders and system files. As a feature of this procedure, it affixes "EKANS" as a file marker alongside a five-character string to the file extension of each file it encrypts. The threat wraps up its encryption routine by dropping a ransom note entitled "Fix-Your-Files.txt" in the C:\Users\Public\Desktop folder, which instructs victims to contact "bapcocrypt@ctemplar.com" so as to purchase a decryption tool.

The ransom note of SNAKE ransomware (Source: Bleeping Computer)

“It is clearly evident from the language in the ransom note, that this Ransomware specifically targets the entire network rather than individual workstations. Further indicating that any decryptor that is purchased will be for the network and not individual machines, but it is too soon to tell if they would make an exception.”
 - This is what Bleeping Computer said in a blog post on SNAKE. 

Nonetheless, the rise of SNAKE Ransomware highlights the critical requirement for organizations to defend themselves against a Ransomware infection.

While making effective use of the suggestions to forestall a Ransomware infection in the first place, they ought to likewise consider 'investing' into a solution like Tripwire File Analyzer for the purpose of distinguishing suspicious documents and conduct on the network.

Cyber Attack Alert! Microsoft Gives Inside Revelations About RDP Brute Force Attacks


Microsoft conducted a long-term study, which majorly focused on RDP brute-force attacks, their success and the duration they last for.

Per sources, according to the reports of the study, over 0.8% of the RDP brute force attacks on an average last for about “2-3 days”. The study also revolved around the effect of such attacks on various business organizations.

Data from over 45,000 devices and workstations that ran “Microsoft Defender Advanced Threat Protection” (commercial version of the free Defender anti-virus app) was acquired in terms of RDP login related acts.

According to reports, both failed and successful attempts at RDP login was part of the data collected for the detailed study that spread across numerous months of dedication.

Reportedly, the aforementioned successful and failed events include Windows events with ID 4264 and 4265, correspondingly. The usernames that the attackers or users may have used were also collected.


Per sources, RDP, Remote Desktop Protocol happens to be a feature of the Windows operating system that enables the users to log into a “remote computer” or device by way of an interface that looks much like a desktop, by means of the computer’s public IP address and port 3389.

Businesses and organizations usually make use of RDP and its provisions to manage servers, workstations and other connected devices in remote areas. It’s easier for the administrators and employees alike to work that way.

Brute force attacks have been pretty common on Windows devices especially via open RDP ports. Automated tools that the hackers use help them to create various combinations of passwords and usernames to figure out the target computer’s RDP login details.

Simple and basic combinations stand at the top of the hit list. The password and usernames combinations that have previously been leaked on the dark web are also used the most.

Where on an average these brute force attacks last for 2 to 3 days, in 90% of the cases, as the reports have found out, the attacks last for around a week.

According to the study reports the attacks spread across days because the hackers were trying out selected combos per hour rather than blindly shooting combos.

This clearly helped the attackers dodge the chances of their attack Internet Protocols getting banned by the firewalls.

Microsoft, according to sources, also mentioned that “0.8% of the devices that were attacked by the brute-force attacks were compromised. Also, that on an average a machine was expected to have a high probability of being compromised leading to an RDP brute force attack every 3-4 days”.

Per sources it’s imperative to look for the following things in a sign-in attempt:
 Event ID 4625 login type
 number of other devices with RDP inbound connections from one or more of the same IP
 number of failed sign-ins
 Event ID 4625 failure reason
 The number count of a username and the times it failed to log in
 number of RDP inbound external IP
 an hour and the day of the failed sign-in
 RDP connections
 Timing of successful sign-in attempts

To secure your device from such attacks, it’s supremely essential to monitor unknown connections and failed sign-in attempts.


Clop Ransomware Upgraded, Now can Terminate 663 Windows Processes


In February 2019, Michael Gillespie from MalwareHunter Team founded Clop ransomware that has been evolving to reach its full potential and now a variant of the same can terminate a total of 663 Windows processes.

While it was first discovered, it did not demonstrate any unique quality which made it stand out amid other ransomware variants, it was merely another likewise addition in the ransomware ecosystem like others that existed since 2017. However, it has continued to take various forms since its discovery and is emerging with all new and integrated process killer that affects several processes of Windows 10 apps, office applications, programming IDEs, languages and text editors.

As per the sources, it was noted in March 2019, that the attackers behind Clop Ransomware started to target entire networks instead of individual systems, they changed the ransom note to imply the same. The same year also witnessed a sudden disruption in the services of Clop Ransomware wherein they abruptly changed and disabled services for Microsoft SQL Server, MySQL, Microsoft Exchange, BackupExec and other enterprise software.

In 2019, while warning the organizations and businesses regarding app-killing malware, the Federal Bureau of Investigation (FBI) reported that the ransomware threat now is even amplified as the attackers are continually upgrading themselves, they have devised ways to bypass detection and be more effective in their operations. Organizations are being warned by investigative agencies to keep abreast of such potential threats and build a security net to guard their systems.

While commenting on the matter, Abrams, editor-in-chief for Bleeping Computer said, "It is not known why some of these processes are terminated," Bleeping Computer editor-in-chief, Abrams, said, "especially ones like Calculator, Snagit, and SecureCRT, but it’s possible they want to encrypt configuration files used by some of these tools."

Meanwhile, in a conversation with SC Media UK, Javvad Malik, security awareness advocate at KnowBe4, told "Clop is a variant of the CryptoMix ransomware family, but has been evolving rapidly in the last year to disable an increasingly large number of windows processes,"

"The main goal of Clop is to encrypt all files in an enterprise and request a payment to receive a decryptor to decrypt all the affected files," read the McAfee report in August.

"To achieve this, we observed some new techniques being used by the author that we have not seen before. Clearly, over the last few months, we have seen more innovative techniques appearing in ransomware."

Smominru Botnet Affecting Over 4,000 Windows Systems Every Day


Affecting Windows machines across the globe, Smominru has been labeled as one of the most rapidly spreading botnet malware, as per a report by data center and cloud security company, Guardicore Labs. The infection rate of this computer malware has been detected to be up to 47,000 machines per day and in the month of August alone, it compromised almost 90,000 computers, according to the report.

While attacking, Smominru compromises Windows PCs by using the NSA exploit, EternalBlue and brute-force on various services like RDP, TELNET, MS-SQL, and others. The malware is configured to steal the target's credentials and then install a cryptominer and Trojan module to compromise the network. After establishing a foothold, the malware moves laterally to affect as many systems as it potentially can inside the targeted organization.

Reportedly, the US, Russia, China, Taiwan, and Brazil witnessed the maximum number of attacks, however, other countries remain equally vulnerable to the computer malware which saw an upsurge in recent times. To exemplify, we can look at the largest network targeted and hence compromised by Smominru, which was a healthcare provider in Italy, it left a total of 65 hosts affected.

The unspecified and non-targeted nature of the attacks was notable as the compromised networks ranged from medical firms to higher-education institutions, the victims infected by the malware included cybersecurity companies as well.

It has been discovered that around 85% of the attacks are carried out on Windows 7 and Windows Server 2008 systems, while, some others are observed to be taking place on Windows XP, Windows Server 2012, and Windows Server 2003.

Seemingly, the failure of company administrators to timely patch their computer networks and servers is one of the primary reasons for the networks being compromised, although for a lot of organizations, the inability is a result of logistical scarcity, for others, it's simply due to negligence and not being regularly updated with the requirements of the sector.

Windows Users Beware of the “Complete Control” Hack Attack; Update Imperative!





The hardware device drivers of Microsoft Windows due to a common design flaw left the entire systems of users compromised giving it to a recently resuscitated Remote Tojan Access (RAT).

The RAT brought about a hack attack tool with a modified format which as it turns out is absolutely free of cost.

The NanoCore RAT as it’s called, has been hovering around the dark web for quite some time now. It was sold initially for $25 which is a minimal amount for a hacking tool for Windows OS.

NanoCore’s cracked version, as soon as it appeared caused quite a commotion amongst researchers and hackers.

Initially the “premium plugins” were especially paid for privileges but the latest cracked version has it all for free.

The NanoCore coder had to be arrested given the rising familiarity of the product and the fact that he was a part cybercrime!
Despite that, NanoCore thrived and generated other tool variants RAT, Surprise Ransomware, LuminosityLink and of course the free “highly modified” latest version.

The NanoCore RAT, per researchers is controlled by way of easy security measures, no particular entry troubles and a really uncomplicated interface to aid even the novice hackers.

There was an outburst of campaigns using the very malware including:
·       Remote shutdown and restart of Windows systems
·       Remote file browsing on the infected system
·       Access and control of Task Manager, mouse and Registry editor
·       Disabling webcam lights to spy
·       Taking over open webpages
·       Recovering passwords and obtaining credentials
·       Remotely operated “locker” for encryption

Owing it to the long presence of NanoCore the techniques it uses are well known to the researchers. Scripting, registry keys and malicious attachments are the three main categories that the researchers found out.


The scripting threat’s basic solution is to check Microsoft office files for macro code and “anomalous execution” of legitimate scripting programs like PowerShell or Wscript.

The registry keys should be monitored for updates and patch cycles and rigorous security implementations should be made for behavioural detection.

Windows users should immediately go ahead and get their systems updated and make sure all their applications are running the way they actually should.

Additionally, Windows 10, 8.1 and 7 users should especially keep a keen check on regular updates and patching!

Ransomware found exploiting former Windows flaw

Researchers at cybersecurity firm Kaspersky have uncovered new encryption ransomware named Sodin (Sodinokibi or REvil) that exploits a recently discovered Windows vulnerability to get elevated privileges in an infected system. The ransomware takes advantage of the architecture of the central processing unit (CPU) to avoid detection - functionality that is not often seen in ransomware.

"Ransomware is a very popular type of malware, yet it's not often that we see such an elaborate and sophisticated version: using the CPU architecture to fly under the radar is not a common practice for encryptors," said Fedor Sinitsyn, a security researcher at Kaspersky.

"We expect a rise in the number of attacks involving the Sodin encryptor, since the amount of resources that are required to build such malware is significant. Those who invested in the malware's development definitely expect if to pay off handsomely," Sinitsyn added.

The researchers found that most targets of Sodin ransomware were found in the Asian region: 17.6 percent of attacks have been detected in Taiwan, 9.8 percent in Hong Kong and 8.8 percent in the Republic of Korea.

However, attacks have also been observed in Europe, North America and Latin America, Kaspersky said, adding that the ransomware note left on infected PCs demands $2500 worth of Bitcoin from each victim.

The vulnerability CVE-2018-8453 that the ransomware uses was earlier found to be exploited by the FruityArmor hacking group. The vulnerability was patched on October 10, 2018, Kaspersky said.

To avoid falling victim to Sodin threats, make sure that the software used in your company is regularly updated to the most recent versions, said Kaspersky researchers.

Security products with vulnerability assessment and patch management capabilities may help to automate these processes, they added.

Firefox Now Set To Utilize BITS for Downloading New Software Updates


Mozilla Firefox is all set to utilize the Windows Background Intelligent Transfer Service, or BITS, to download the software updates in the background, this initial phase in the possible release of a standalone "Update Agent" that will perform updates despite when the browser's closed.
Presently Firefox will look for the new updates when the user opens the browser and either show a notification that an update is available or automatically install it.

Mozilla developers are likewise taking a shot at an independent application written in Rust called "Update Agent" which will discreetly run while checking for new browser updates notwithstanding when Firefox isn't open. For the users who don't run Firefox every now and again, it'll make it simpler for them to receive the new updates.

The purpose behind the Update Agent being planned as a 'background process’ which will remain running even after the browser is closed to download and apply updates is to make updating progressively helpful for everybody and lessen the time to get the new updates for users who aren't all around bolstered by the present update process since they don't run Firefox very much or they do not have an access to a proper internet connection.

This technique makes Firefox progressively secure, as regardless of whether a user immediately installs the update when prompted to do so, despite everything it comes up with an open door for a vulnerability which could be exploited before the update as well as its security fixes, can be installed.

For Windows users, Mozilla will utilize the Windows Background Intelligent Transfer Service, or BITS, since it enables updates to be downloaded in a manner that can be recovered if a download ends or is paused for reasons unknown. This enables the update to keep downloading where it left off when it can and spare time completing the update.

As the Update Agent application isn't prepared as of yet and requires a few different bugs to be settled with first, Mozilla is empowering BITS in Firefox with the goal that the browser can start utilizing the support and service of download browser updates.


Firefox BITS preferences


While the Mozilla developers are effectively taking a shot at this venture, with the goal that they can positively finish it sooner rather than later, then again in the Firefox Nightly build, Mozilla has included two new flags that can be utilized to test downloading software updates through BITS. Users can thus enable this test by setting the app.update.BITSenabled and app.update.BITS.inTrialgroup preferences to true in about:config.

New China-Based Campaign Targets Windows MS-SQL and Phpmyadmin Servers Worldwide


A china based attack campaign has primarily targeted on servers having a place with the healthcare, telecommunications, media, and IT segments. The campaign named as Nansh0u is known to target Windows MS-SQL and PHPMyAdmin servers around the world.

Despite the fact that the campaign was detected towards the start of April, however the attacks were observed to go back to February 26. All through the campaign the threat actors used 20 unique payloads, and continued making at least one payload a week and utilized them right away.


More than 50,000 servers were reported to be breached in this campaign, when the targeted servers compromised they were infected with a rather pernicious payload, which thusly drops a crypto-miner that mines TurtleCoin and sophisticated kernel-mode rootkit.

The hackers behind this campaign utilize propelled systems pursued by APTS groups, like the 'fake certificates and privilege escalation exploits' so to state the Nansh0u campaign isn't only a crypto-miner attack.

The attack begins with a serious of login endeavors targeting MS-SQL servers in order to gain administrator privileges. Attacker’s infrastructure consolidates the following modules to dispatch an attack on MS-SQL servers.
  • Port scanner
  • MS-SQL brute-force tool
  • Remote Code Executor


And by analysing the 20 payload samples from the attacker’s servers and Guardicore Global Sensor Network, each payload is a wrapper and has several functionalities.

The reasons being why the researchers are quite confident in accessing that Chinese attackers have operated this campaign are:
  •  The attacker choosing to write their tools with EPL, a Chinese-based programming language.
  • Some of the file servers deployed for this campaign are HFSs in Chinese.
  • Many log files and binaries on the servers included Chinese strings, such as (“duplicates removed”) in logs containing breached machines, or (“start”) in the name of the script initiating port scans.

A2 Hosting finds 'restore' the hardest word as Windows outage slips into May

The great A2 Hosting Windows TITSUP has entered its second week as the company continues to struggle to recover from a security breach that forced its System Operations team to shut down all its Windows services.

To recap, things went south on 23 April as malware spread over the company's Windows operation, causing a problem so severe that the A2 Hosting team decided the only way to recover was to restore data from backups. The company told furious customers last week that "Restores continue to progress at a steady pace".

Except, alas, things have not gone smoothly.

As some services gradually tottered into life, users made the horrifying discovery that the backups being restored from were less than minty fresh.

A "day or two" is bad enough for an ecommerce site, but the loss of several months' worth of data is an altogether angrier bag of monkeys. To make matters worse, the company has left it to users to work out just how whiffy those backups are.

Register reader David Sapery, who was lucky enough to see his services stagger back to life after a five-day liedown, was then somewhat embarrassed when his customers, finally able to access his sites, told him things looked a tad outdated.

Sapery told us: "Anything on any of my websites that was updated over the past 2+ months is gone."

Still, Sapery was at least able to recover. Another reader was not so lucky, describing his experience as "an unmitigated disaster."

Having spent eight months and "thousands of dollars", the unfortunate A2 Hosting customer told us that "my business and all my hard work has been gutted within seven days by a hosting company that clearly did not have robust security in place."

A2 Hosting will, of course, point to its Terms of Service where it makes it quite clear that it is not responsible for any data loss and that users are responsible for their own backups.

StealthWorker: Manipulates Compromised E-Commerce Websites To Attack Windows and Linux Platforms




A new brute-force malware which goes by the name of StealthWorker was recently uncovered. This malware allegedly uses compromised e-commerce websites to steal personal data.

The platforms that have majorly been affected by this malware are Linux and windows.

Personal information and payment data are the basic motivations behind these malware attacks.

The malware is written in a very unique and rarely used language “Golang” which is already being used by the Mirai botnet development module.

To make all this happen the e-commerce websites are first compromised by employing an embedded skimmer.

The vulnerabilities of the websites are manipulated by either battering the plugin vulnerabilities or making use of a Content Management System (CMS).

The malware emerged while the researchers were analyzing the command and control server (5.45.69[.]149).

That’s where they found the storage directory with samples intending to brute force a source admin tool.

There have been previous versions of this malware which had only windows on their radar.

But the latest version happens to have server payload binaries to get into Linux as well.

One of the samples that the researchers were working on is “PhpMyAdminBrut_Windows_x86.exe” where an IP was found which led to a web panel login with an array of new samples.

Some open directories were also found which comprised of new file names which indicated towards IoT devices with ARM and Mips structures.

StealthWorker works on a routine execution to ensure that the malware stays even after the system’s rebooted.

The researchers also used the IDA python script to look for other f malicious functions.

Out of research it was also found out that other platforms and services are also on the target list namely, FTP, Joomla, cpanel, Mysql, SSH and others.

Furthermore, other major moves are also being made on the part of the cyber-cons towards infecting an extensive variety of platforms.

Telegram Messenger Leaks IP Addresses of Users



Dhiraj Mishra, a security researcher from Mumbai, India found that under specific conditions, the Telegram desktop clients for Windows, Mac, and Linux would uncover users' IP address, notwithstanding when the user was configured to protect this data.

Despite the fact that the program describes itself similar to a protected and private correspondence application, yet the researcher has demonstrated that in its default design it would permit a user's IP address to be leaked when making call.

The leak, happening just amid voice calls, happened notwithstanding when the "Peer-to-Peer" connection choice was set to "Nobody." A Peer-to-Peer connection isn't private by outline, as it directly exposes the two participants.

P2P Settings in Telegram for iOS

When utilizing Peer-to-Peer to begin Telegram calls, however, the IP address of the person you are conversing with will show up in the Telegram console logs. Not all forms incorporate a console log. For instance, Windows does not show a console log in their tests, while the Linux variant does.

The Telegram application indicates that users can keep their IP address from being disclosed by changing the setting as doing it will make the user's calls to be steered through Telegram's servers, which would then shroud the IP address, however at the expense of having a slight abatement in sound quality.

Dhiraj, the researcher even shared a Proof of Concept video to BleepingComputer that showed how the IP addresses were leaked. Where he explained about the 3 IP's that leak:

1. Telegram server IP (That's Ok)

2. Your own IP (Even that's okay too)

 3. End user IP (That's not okay)

IP address leak in Telegram console log

The issue since its revelation has been a matter of deep concern that was patched by telegram with the release of Telegram for Desktop v1.4.0 and v1.3.17 beta.

Nevertheless telegram clients who particularly utilize the application for its obscurity highlights are advised to update their desktop clients at the earliest opportunity to patch the bug that has the ability to very easily leak their IP address.

Over 145 Malicious Android Apps Discovered On the Google Play Store




Researchers from the security software company Palo Alto Network made an alarming disclosure in regards to certain applications accessible on the Google Play Store esteeming them to be defected with malware for stealing information from the Windows Computers.

These 145 applications, with names, "Gymnastics Training Tutorial ", "Modification Trail" and " Learn to Draw Clothing” were uploaded to Google Play between October 2017 and November 2017 and remained there until the point when Palo Alto Networks made Google aware of this issue.

Many of these applications have been downloaded over a thousand times and even 4-star ratings purportedly from individuals who utilized them.

"We have reported our findings to Google Security Team and all infected apps have been removed from Google Play,"

In any case, the fact that these infected applications are very easily accessible on the official Google Play Store is for sure concerning. Additionally, it demonstrates that the software developer ‘odieapps’ isn't sufficiently paying enough consideration to the security part of the applications.

 This by a long shot though isn't the first run through Google has needed to expel the malware-loaded applications from Play, which is by and large thought about as the most secure hotspot for Android applications.

 “These embedded Windows executable binaries can only run on Windows systems: they are inert and ineffective on the Android platform. The fact that these APK files are infected indicates that the developers are creating the software on compromised Windows systems that are infected with malware.”  - Palo Alto Networks said in a blog post.

Also in the most recent two years alone, various security vendors have discovered a huge number of Android applications released to Google Play corrupted with adware, spyware and different vindictive payloads and much like for this situation where these applications were downloaded countless of times before being hailed as hazardous and finally expelled from the Play store.

An analysis of the malware code proposes that the developers of the compromised applications may have built up the applications on infected Windows machines and incidentally exchanged the pernicious code in their Android applications to the Play store.

Had the malware apparatuses functioned as proposed they would have been equipped for recording the mobile device user's keystrokes and thusly steal information, like the passwords, social security numbers, payment card data as well as other important and significant information, says the Palo Alto Networks.

Nevertheless the capacity of enemies just to get their malware past the Play store's defenses poses a tough challenge for Google indeed and as well for the countless users that download their applications from it.

Malware that hijacks clipboard monitoring over 2.3 million bitcoin addresses


Bleeping Computer today revealed that they discovered a type of “clipboard hijacker” malware that monitors over 2.3 million bitcoin addresses.

A clipboard hijacker malware works by tricking users by switching the bitcoin address from their clipboard to another address that the attacker control. Since bitcoin addresses are long and hard to remember, this method works easily for hackers since users simply copy paste addresses from one application to another when sending cryptocoins.

The malware reportedly comes as a part of the All-Radio 4.27 Portable malware affecting Windows computers and monitors the Windows clipboard for a bitcoin address. Unless the user double-checks the address after pasting it, the bitcoin will go to the attackers’ address.

“While we have covered cryptocurrency clipboard hijackers in the past and they are not new, most of the previous samples monitored for 400-600 thousand cryptocurrency addresses,” their report on the malware read. They also posted a video showing how the malware works: 


Bitcoin users are advised to always double-check the address before making a transaction and to have a trusted antivirus program installed on their device.

Mylobot Turns your PC into a Zombie system



Tom Nipravsky, a security researcher at Deep Instinct, discovered another 'never seen before' malware that could transform a Windows PC into a botnet. Named as 'Mylobot', this malware has developed from the 'Dark Web'. It was finished up in the wake of following its server that was additionally utilized by other malware from the dark web.

The powerful botnet is said to consolidate various noxious systems, generally including:

·       Anti-VM techniques
·       Anti-sandbox techniques
·       Anti-debugging techniques
·       Wrapping internal parts with an encrypted resource file
·       Code injection
·       Process hollowing (a technique where an attacker creates a new process in a suspended state and replaces its image with the one that is to be hidden)
·       Reflective EXE (executing EXE files directly from memory, without having them on disk)
·       A 14-day delay before accessing its C&C servers.

"On a daily basis we come across dozens of highly sophisticated samples, but this one is a unique collection of highly advanced techniques," says Arik Solomon, vice president of R&D at Deep Instinct. "Each of the techniques is known and used by a few malicious samples, but the combination is unique."

As indicated by the researcher, Mylobot likewise bears contrary to the botnet property. The reason, as indicated by the researcher, for this conduct being is, possibly to prevail upon the "opposition" on the dark web.

 “Part of this malware process is terminating and deleting instances of other malware. It checks for known folders that malware “lives” in (“Application Data” folder), and if a certain file is running – it immediately terminates it and deletes its file. It even aims for specific folders of other botnets such as DorkBot.”

The researchers say it's vital to take note that Mylobot was found in the wild, at a Level 1 communication and telecommunication equipment manufacturer and not in a proof-of-idea show.

Also, in conclusion the one thing they are extremely sure about is the modernity of the malware's creators as, according to ZDNet, the real author(s) of this malware are yet obscure, be that as it may, the malware utilizes a similar server which is connected to the scandalous Locky ransomware, Ramdo, and DorkBot.

Zacinlo Malware; Yet another Threat for All Windows 10 Users


Researchers at Bitdefender have recently discovered a powerful malware that takes control over the PC and spams with advertisements. They have named it 'Zacinlo' after the last and final payload, looking at this as a transitory name for an intricate code. In any case, the Zacinlo malware has been around for almost six years extremely contaminating various Windows users.

The researchers at the Cyber Threat Intelligence Lab, following a year of research have published a rather detailed paper about this malware. Despite the fact that the malware has been around since 2012, it became the most active in late the 2017, state the researchers while clarifying about their work.

Zacinlo is said to be so powerful to the point that it has the capability of deactivating the most anti- malware directly accessible. Well known targets of Zacinlo incorporate Bitdefender, Kingsoft, Symantec, Microsoft, Avast, and various different programs.

Once installed, it altogether takes control over the user's framework for noxious exercises. These incorporate controlling the OS, forestalling against malware activities, at last accomplishing its fundamental objective – to display ads and generate income. This is accomplished by infusing contents in webpages.

 “The infection chain starts with a downloader that installs an alleged VPN application. Once executed, it downloads several other components, as well as a dropper or a downloader that will install the adware and rootkit components.”

Zacinlo effectively keeps running on most commonly utilized programs, including Chrome, Firefox, Internet Explorer, Edge, Safari, and Opera. As this adware starts working, it wipes out some other adware exhibit in the victim's PC to accomplish its main objectives. It at that point shows advertisements in order to produce income by getting the snaps.

The advancement of this malware makes its detection extremely hard. However, there is one route through which you can detect the presence of Zacinlo in the victim's PC. As stated by Bogdan Botezatu, the senior e-Threat Analyst at Bitdefender.

“Since the rootkit driver can tamper with both the operating system and the anti-malware solution, it is better to run a scan in this rescue mode rather than running it normally.”

Regardless of this all the windows users are thus instructed to stay wary while downloading any outsider applications or applications from untrusted sources to shield themselves from any malware attacks.