Search This Blog

Showing posts with label malware. Show all posts

TrickBot Added New Stealthy Backdoor for High-Value Targets



The authors behind the infamous TrickBot malware – a modular banking trojan that targets sensitive financial information and also acts as a dropper for other malware–have developed a stealthy custom backdoor, circulating by the name 'PowerTrick', to monitor high-value targets and infiltrate them accordingly.

Statistics demonstrate that TrickBot is one of the top crimeware codes and cyberattack groups in existence currently. Developers behind TrickBot have made frequent upgradations in order to evade detection even fluently, empower its stealth, make it hard to research and let it bypass security configurations on user devices.

PowerTrick has been primarily created as an attempt to keep up with the fast paced era of constantly evolving defense mechanisms by effectively bypassing some of the most sophisticated security controls and highly secured networks of high value. Referencing from the statements given by SentinelLabs security researchers, Vitali Kremez, Joshua Platt and Jason Reaves on Thursday, "The end-goal of the PowerTrick backdoor and its approach is to bypass restrictions and security controls to adapt to the new age of security controls and exploit the most protected and secure air-gapped high-value networks."

According to the analysis, PowerTrick is configured to carry out commands and send back the results in the Base64 format. It is injected as a follow-up module after the victim's system has been infected by the TrickBot.

How does it work?

During the examinations, researchers discovered an initial backdoor script being sent out, at times draped as a Powershell task, it goes on to establish contact with command-and-control (C2) server. Once the contact has been successfully established, the authors send their very first command which leads to the downloading of the main PowerTrick backdoor. After the installation of the same, the malware starts executing common backdoor functions, it carries out check-in and then awaits further commands to act upon. Once received, it acts upon these commands and returns the results/errors.

“Once the system and network have been profiled, the actors either stealthily clean up and move on to a different target of choice, or perform lateral movement inside the environment to high-value systems such as financial gateways,” as per the SentinelLab analysis.

"TrickBot has shifted focus to enterprise environments over the years to incorporate many techniques from network profiling, mass data collection, incorporation of lateral traversal exploits,” researchers concluded.

“This focus shift is also prevalent in their incorporation of malware and techniques in their tertiary deliveries that are targeting enterprise environments, it is similar to a company where the focus will shift depending on what generates the best revenue.”

Sodinokibi Ransomware threats Travelex to release data, if ransom not paid.



The Sodinokibi Ransomware attackers are pressuring Travelex, a foreign exchange company to pay a 6 million dollar ransom amount or risk going their data public, the attackers warn that they will either release or sell the stolen data that contains users' personal information. 


Travelex was attacked on 31st by New Year's Eve ransomware Sodinokibi Ransomware, the operators stole 5 GB un-encrypted data and later encrypted the company's whole network. 

The Sodinokibi Ransomware operators in conversation with BleepingComputer stated that they are demanding 3 million dollars ransom or they would release the data containing "DOB SSN CC" and other. The ransom was later doubled to 6 million dollars. 

Meanwhile, the exchange company Travelex is still stating that no evidence of any stolen data exists. 

"Whilst the investigation is still ongoing, Travelex has confirmed that the software virus is ransomware known as Sodinokibi, also commonly referred to as REvil. Travelex has proactively taken steps to contain the spread of the ransomware, which has been successful. To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted. Whist Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated."

In further conversations with BleepingComputer, the operators said even if the company is denying that any data was stolen they are negotiating the ransom price and would benefit even if the ransom is not paid. 

"If this were true, they would not bargain with us now. On the other hand, we do not care. We will still benefit if they do not pay. Just the damage to them will be more serious."

And the Sodinokibi operators are right, they would benefit either way if Travelex does pay the ransom and if it doesn't then they'll simply sell the data. As for Travelex, it will inevitably suffer damage - by paying the ransom, public release of data or if the data is sold to other actors. 

Malware Against Crypto-Currency Businesses; Microsoft and Apple are Targets Alike


“AppleJeus” operation was the first time “macOS” users were made victims by Lazarus. Herein, a manipulated application was used to target potential victims. Apparently, Lazarus used customized malware, especially for macOS users.

Per leading sources, the malware had been so fabricated that it released the current and the next-stage payload automatically without any manual actions required. For attacking Windows users a multi-stage infection procedure was fabricated.

Reportedly, compromising “crypto-currency” related business was the major objective of “AppleJeus” and Lazarus at large. The macOS malware employed the source course only to structure “macOS” installers. Allegedly, “QtBitcoinTrader” was used.

However, the hackers at Lazarus altered the macOS malware. For starters, it no more has an encryption/decryption network communication routine as per reports.

In another case, the .NET malware was disguised as Wallet updaters like “wfcwallet.com” and “www.chainfun365.com”. Herein, the multi-stage infection took place but in a different way.

Later on files of the likes of “rasext,dll” and “msctfp.dat” are uploaded onto the target’s system. Allegedly, the Remote Access Connection Manager was also into play.

Per sources, there was another case where a highly altered form of the macOS malware was at work. Similar to other cases, the fake website and application were being called by the attacker. The apparent differences as per reports in the attack are as follows:
o The malicious application was hosted via “GitHub”.
o The post-installation script of the macOS malware was different as well.
o This version used “ADVobfuscator” to hide its code.
o The author of this modified macOS malware utilized “Object-C” and not QT framework.


In a different attack, the post-install script was the same as the previous attack; the author here had used “SWIFT” for the development of the malware. The method of data collection was changed and then the conduct authentication began. According to sources, the “auth_signature and auth_timestamp” parameters were used to deliver the second payload. The current system time of the device is acquired by the malware and then it’s combined with the “12GWAPCT1F011S14” hard-coded string and an “MD5 hash” is created. The hash is used as the “auth_signature” parameter and the time is used as the value of the “auth_timestamp” parameter. These values can be reproduced as well and finally, the second payload is uploaded.

Apart from all the macOS cases, there was a Windows incident as well. Per sources, a version of the “UnionCryptoTrader” was found. Allegedly, the “Telegram messenger” was at play. The infection procedure was pretty much the same as one of the previous cases with an add-on. A final backdoor payload was done. This version showed numerous exchange rates for crypto-currency.

Reportedly, the Windows malware uploads the encrypted “msctfp.dat file” and loads all the configuration values. Later an extra command is executed as per the contents of the file. Finally, the malware communicates with the C2 server, a post request is sent.

Several parameters are sent and according to the response code from the C2 server, the “POST” request is sent through along with the encrypted data and a random value that could be used to identify individual victims.

Innumerable fake websites were found still in action. The fake websites were crypto-currency oriented but could easily be identified as fake if looked at with a keen eye.

Part 2 of the “AppleJeus” had its victims spread across, Poland, China, Russia, and the US with most of them related to businesses involving crypto-currency.

Lazarus group has been quite a matter of talk for a very long time. It especially continues to be a matter of concern for the cyber-world.

The AppleJeus and other malware that exist and would exist in the future are evolving by the hour. Crypto-currency associated businesses are the key and foremost objects of Lazarus and other threat actors and hence need to be more vigilant than ever.


Clop Ransomware Upgraded, Now can Terminate 663 Windows Processes


In February 2019, Michael Gillespie from MalwareHunter Team founded Clop ransomware that has been evolving to reach its full potential and now a variant of the same can terminate a total of 663 Windows processes.

While it was first discovered, it did not demonstrate any unique quality which made it stand out amid other ransomware variants, it was merely another likewise addition in the ransomware ecosystem like others that existed since 2017. However, it has continued to take various forms since its discovery and is emerging with all new and integrated process killer that affects several processes of Windows 10 apps, office applications, programming IDEs, languages and text editors.

As per the sources, it was noted in March 2019, that the attackers behind Clop Ransomware started to target entire networks instead of individual systems, they changed the ransom note to imply the same. The same year also witnessed a sudden disruption in the services of Clop Ransomware wherein they abruptly changed and disabled services for Microsoft SQL Server, MySQL, Microsoft Exchange, BackupExec and other enterprise software.

In 2019, while warning the organizations and businesses regarding app-killing malware, the Federal Bureau of Investigation (FBI) reported that the ransomware threat now is even amplified as the attackers are continually upgrading themselves, they have devised ways to bypass detection and be more effective in their operations. Organizations are being warned by investigative agencies to keep abreast of such potential threats and build a security net to guard their systems.

While commenting on the matter, Abrams, editor-in-chief for Bleeping Computer said, "It is not known why some of these processes are terminated," Bleeping Computer editor-in-chief, Abrams, said, "especially ones like Calculator, Snagit, and SecureCRT, but it’s possible they want to encrypt configuration files used by some of these tools."

Meanwhile, in a conversation with SC Media UK, Javvad Malik, security awareness advocate at KnowBe4, told "Clop is a variant of the CryptoMix ransomware family, but has been evolving rapidly in the last year to disable an increasingly large number of windows processes,"

"The main goal of Clop is to encrypt all files in an enterprise and request a payment to receive a decryptor to decrypt all the affected files," read the McAfee report in August.

"To achieve this, we observed some new techniques being used by the author that we have not seen before. Clearly, over the last few months, we have seen more innovative techniques appearing in ransomware."

DeathRansom, started as a mere joke is now encrypting files!


A ransomware strain named DeathRansom, which was considered a joke earlier, evolved and is now capable of encrypting files, cyber-security firm Fortinet reports. This DeathRansom after becoming an actual malware, was backed by a solid distribution campaign and has been taking victims daily in the last two months.

 Initially considered a joke - didn't encrypt anything 

 When it was first reported in Nov 2019, the DeathRansom version didn't encrypt anything and was deemed a mere joke. The infection left a simple ransom note and even though some people fell for the scam and paid the ransom demand, it didn't do much anything else. All the user had to do was to remove the second extension from the file to regain access.

 Now, a new version is released that actually works and will encrypt your files! 

 The developers seems to have evolved the malware further with a solid encryption scheme that works as an actual ransomware. According to Fortinet, "the new DeathRansom strains use a complex combination of Curve25519 algorithm for the Elliptic Curve Diffie-Hellman (ECDH) key exchange scheme, Salsa20, RSA-2048, AES-256 ECB, and a simple block XOR algorithm to encrypt files."

 Researchers and security experts are searching leek ways and implementation faults in the ransomware.

 The DeathRansom Author

 Fortinet examined the DeathRansom source code and the websites distributing the malware payloads and were able to track down the ransomware author and developer. The developer is a malware operator linked to various cyber crimes campaigns over the past few years. Prior to DeathRansom, the malware operator used to infect users with multiple password stealers (Vidar, Azorult, Evrial, 1ms0rryStealer) and cryptocurrency miners (SupremeMiner).

 Fortinet linked these crimes to young Russian named Egor Nedugov, living in Aksay, a small Russian town near Rostov-on-Don. Fortinet said,"They are very confident they found the right man behind DeathRansom, and that they found even more online profiles from the same actor which they didn't include in their report."

 As of now, DeathRansom is being distributed through phishing emails. Fortinet says it's working on finding any faults in the encryption scheme of the ransomware and creating a free decrypter to help victims.

Alert! USB Flash Drive Malware: Threats Decoded!


The cybercriminals have gotten all the savvier when it comes to finding out new ways of administering malware into the victims’ devices.

The next in the list happens to be “Malicious USB sticks”. These are employed whenever an attacker needs a “physical” entrance to a computer or any device for that matter.

The first related incident goes back a decade when the highly malicious, “Stuxnet” worm was disseminated to attack Iranian networks by means of USB sticks.

An “unattended” USB flash drive might as well cause an equally malicious problem if plugged into a host network or system. These drives could be carrying viruses or even ransomware.

The ultimate motive of these drives could range from easy-going hacking into systems to disrupting major businesses and their operations.

These USB sticks are extremely malicious and could lead to major setbacks and cyber harm for victim organizations and their clients and other individuals at large.

Reportedly, there are several other malware that are carried and transmitted through USB flash drives and per sources they encompass of:

1. The “Flame” modular computer malware
2. The “Duqu” collection of computer malware


There are numerous things, threats, and risks that a malicious USB flash drive poses to its users. Backdoors, Trojans, ransomware attacks and information stealing are common endeavors.


As per sources, browser hijackers could also be installed to mislead the users to the hackers’ website where adware, grey ware, malware or spyware could be injected in the device.

The users could follow the following safety and protection mechanisms to steer clear of the contingencies of the aforementioned attacks:

1. Updating the computer and other device software on a regular basis is a must. All the essential patches must be downloaded to clear the vulnerabilities.
2. Enable all the security features on the devices. Fingerprint authentication is a good option in such cases.
3. Keep all your USB flash drives absolutely secure and safe and prepared against hackers.
4. Never plug in unauthorized or unknown USB flash drives in your business devices especially those at your workplace.
5. Keep separate drives for work and home devices.

Company Behind Orcus Malware Fined by Canadian Broadcasting Agency


Orcus Technologies, an organization that sold a remote access trojan (RAT) Orcus has been fined with 115,000 Canadian dollars (Approximately 87,000 US dollars). The fine was imposed by one of Canada's broadcasting agency, Canadian Radio-Television and Telecommunications Commission (CRTC).

Orcus Technologies was established in March 2016 by founders John Paul Revesz (also known by the names, Ciriis McGraw, Armada Angelis, among other aliases) and a Germany-based man, Vincent Leo Griebel (also known as Sorzus). Griebel was responsible for developing the malware while Revesz looked after the marketing, sales and support section for the software. The idea behind the operations was to deliver a remote management tool just like widely used TeamViewer and various other remote management applications, as per the investigation carried out by the CRTC in association with the cybercrime division of the Royal Canadian Mounted Police (RCMP).

"Proof got for the duration of the investigation allowed the Leader Compliance and Enforcement Officer (CEO) to conclude that the Orcus RAT was once now not the everyday management instrument Griebel and Revesz claimed, however, was once, if truth be told, a Far-flung Get right of entry to Trojan (RAT), an identified form of malware," as per the CRTC's findings.

The findings further claimed that the duo not only sold and promoted the malware but also assisted malicious actors in getting Orcus RAT installed on users' computers without their consent or knowledge.

In a similar context, last month, Revesz faced criminal charges against him, filed by the RCMP. Earlier in March, this year, the RCMP came up with an arrest warrant at Revesz apartment, meanwhile, there were separate arrest warrants aimed at Orcus RAT customers by Australian Police.

It was around 2016's summer, Orcus RAT starting making headlines in the cybersecurity ecosystem, the RCMP revealed that it started investigating the company behind the malware since July 2016 and have kept a continuous track of the activities revolving around Orcus Technologies since then. Before finally distributing the malware via malspam campaigns, the team behind Orcus announced the malware in a piracy forum in 2016 itself. Then same year also witnessed the publication of an article on the subject reporting the malicious intent of the authors in the month of July. In the wake of the publication which presented enough evidence against the malware, Revesz took to Twitter to defend the Orcus RAT, wherein he claimed that his tool amounts to nothing more than a remote administration application.

As an aftermath of Revenz's weak arguments and the disputes that followed on Twitter, various cybersecurity professionals and organizations filed complaints against the authors of Orcus RAT with corresponding Canadian authorities.

Although the duo is responsible for the creation of the malware and initiating its distribution, the buyers who extended the malicious operations by infecting the victims are equally responsible as the two.

Rise of the Ransomware Attacks Leads to an Increase Extortion Demands of Cyber Criminals


As there happens a rise in the number of ransomware attacks doubled is the number of organizations surrendering to the extortion demands of cybercriminals in the wake of succumbing to such attacks particularly this year in contrast with the previous one.

As indicated by figures in the recently released 2019 CrowdStrike Global; Security Attitude Security, the total number of organizations around the globe that pay the ransom subsequent to succumbing to a supply-chain attack has dramatically increased from 14% of victims to 39% of those influenced.

While cybersecurity suppliers and law enforcements suggest that victims don't fund crime by surrendering to the blackmail requests/ extortion demands, at times organizations see it as the fastest and easiest method for re-establishing their networks.

In the UK explicitly, the number of organizations that have encountered a ransomware attack and followed through on the demanded price for the decryption key stands at 28% – twofold the 14% figure of the previous year.

Be that as it may, on the grounds that the victims are as yet paying the ransom – which normally amounts up to six-figure sum – cybercriminals will keep on directing ransomware campaigns and likely broaden them further, particularly as the possibility of them getting captured is low.

In any case, notwithstanding the accomplishment of ransomware attacks – particularly those that have undermined the whole infrastructure of entire organizations – there are some generally straightforward and simple methods for averting the attacks doing any harm.

In the event that organizations guarantee that every one of the frameworks and programming on the network is fixed with the most recent security updates, it goes 'a long way' to preventing ransomware attacks from being effective the same number of campaigns depend on the abuse of the known vulnerabilities.

Organizations ought to likewise guarantee that default passwords aren't utilized on the system and, where conceivable, two-factor verification ought to be applied as this will counteract any hacker who figures out how to break the system from moving around and causing more damage.

However, in case of a ransomware attack being effective, organizations can guarantee they don't have to make the payment by normally creating a backup of their system and guaranteeing that the backup is stored offline.

Hackers using government websites of Russian Federation for mining


Cybercriminals used to generate cryptocurrencies not only computers of ordinary Internet users but also the resources of large companies, as well as the websites of government agencies of the Russian Federation. This was announced at a press conference on Monday by Nikolai Murashov, the Deputy Director of the National Coordination Center for Computer Incidents (NCCCI).

"Cases of cryptocurrency mining with the help of infected information resources of state organizations have been identified. In this case, attackers infect web pages, and mining is carried out at the moment they are viewed pages in the browser,” said Murashov.

He noted that the cost of most virtual coins is very high, so there are a lot of people who want to earn money easily. "Up to 80% of the free power of a computer can be used to generate virtual coins, and the legal user may not even know about it," said the Deputy head of the NCCCI. He noted that the seizure of servers of large companies for mining purposes threatens to significantly reduce their productivity and significant damage to the business.

Murashov at a press conference also said that in 2019, about 12 thousand "foreign information resources were blocked, which were used by attackers to damage our country."  In addition, according to him, in the Russian Federation at the request of foreign partners in the current year, the activities of more than 6 thousand malicious resources were stopped.

According to Murashov, users should pay attention to the security of their computers to counter such attacks. The fact of infection with malicious software should serve as a signal that the computer is poorly protected and can become a victim of any attackers.

Murashov noted that two Russian citizens were prosecuted for mining cryptocurrencies through infected computers of organizations.

"In Russia recently there were two cases of criminal prosecution of persons who used seized computers for mining cryptocurrencies," said he.

One of them is a resident of Kurgan, who used almost an entire bot network in various regions of the country. In the second case, a criminal case was initiated on the fact of using the site of company Rostovvodokanal for mining.

State Bank of India Issues Warning of Juice Jacking


In recent months there has been a rise in cyber-frauds with people losing money on online payment or digital transactions. As digital transactions increase so do hackers get more and more creative in their ways of siphoning money. Cons where people accidentally reveal OTP and pins have become quite common but now a new malware has shown up. As such, the country's prominent bank State Bank Of India issued a warning against Juice Jacking also known as USB charging scam.


A new technique that infects mobile phones with malware when they are connected to public charging ports and steal their personal information. What is Juice Jacking? Juice Jacking is stealing your personal information via a USB port. Hackers have developed a simple benign-looking USB port like a gadget that is attached to charging sockets at public places. Once the user connects his phone to this charging device the USB port infects the phone with malware. Then this malware gets active and sends personal information like contact details, emails, messages, photos, private videos, and sensitive financial credentials to the hacker. The miscreant then uses this information to siphon user's money.

The media reports, "Hackers adjust ports on these charging stations with sophisticated USB-like widgets that don’t look unusual for most. Once a user connects to one of these malicious ports, the device bypasses the phone’s security to steal the contents of the phone, including bank details, emails, messages, photos, and private videos, by injecting malicious software." Weeks earlier California Los Angeles County District Attorney department also issued a similar warning of Juice Jacking to locals and travelers.

Now, SBI also warns people to not charge their phones and other devices from public charging portals at station and airports.

How to protect your phone? 
Don't ever plug your phone to USB charging ports.
Always use two pins AC electrical outlets.
Better bring your charger or power bank as prevention is better than cure.
Avoid charging your phone at a public place like a metro station.

Banking Trojen rises as the Top Security Concern


According to a new research by Blueliv, banking trojans have risen as the biggest threat to the Financial sector second only to mobile malware. A twitter poll conducted by cyberthreat intelligence provider Blueliv, from 11,000 users revealed that a third of respondents were concerned about the impact banking Trojans (31 percent) and mobile malware (28 percent) will have on financial services organizations and their customers in 2020. Tracking these financial threats, Blueliv researchers observed an increase in Trickbot banking trojan (283%) and a 130% increase in Dridex botnets. These Q2 and Q3 botnets are believed to be distributing banking trojans and malware in the financial sector and their customers.


Skill shortage and lack of visibility of threats present as security challenge- According to the poll, the financial sector is suffering from a major skill shortage in building security programs and identifying security threats - the most pressing being a shortage of skills (28 percent), followed by the high volume of threats and alerts (26 percent) and a lack of visibility into cyber threats (20 percent) (by Blueliv). Realwire quotes, "This is hardly surprising: as financial services institutions (FSIs) embrace digital processes and new customer interaction channels, so their attack surface grows, making it harder to keep on top of threats ranging from Point-of-Sale (PoS) to ATM malware, mobile apps malware to card skimmers."

A recent data by (ISC)2 shows that the global skills shortage has crossed 4 million. In Europe alone, the shortage has bypassed 100 percent. Daniel Solís, CEO and founder, Blueliv says, “Organizations in the financial sector face a constantly changing threat landscape. Business priorities have shifted and digital risk management is now central. Because they are such high-value targets for cybercriminal activity, it is imperative that financial services organizations monitor what is happening both inside and outside their networks in real-time to create effective mitigation strategies before, during and after an attack.”

He further commented, “FSI (financial services institutions) security teams can be easily overwhelmed by the number of threat alerts they receive which can very quickly result in alert fatigue and desensitization to real, preventable threats. Threat intelligence can address the cyber skills gap through continuous automated monitoring combined with the human resource to provide context, helping FSIs develop highly-targeted threat detection, prevention, and investigation capabilities.”

Financial organizations are prime suspects for attacks, even after having the most sophisticated cyber defense strategies, weak spots do remain and are being exploited by trojans and malware overlooked by fraud risk assessment teams due to skills shortage and poor threat visibility.

Alert! TrickBot Trojan and Ryuk Ransomware spreads through Japan, as the holiday season approaches


The most dangerous and active banking trojan family according to IBM X-Force data, TrickBot has been modifying it's malware’s modules lately, as the threat group launches in the wild. As the infection campaign spreads around the globe - Japan has become its new growing target ahead of the holiday season. Just ahead of the holiday's TrickBot campaigns usually target European and western countries and other parts of the world but this is the first time they have focused on Japan.


And also, just in time for the holidays when they'll be shopping extensively. Thus, the Japanese consumers should be wary of these infections as they target banks, online shopping payment cards, telecommerce, a bitcoin exchange, e-wallets, and others. TrickBot has been loaded with hundreds of targeted URLs belonging to banks and other retailers. Emotet botnet is also dropping TrickBot to other devices.

The most common attack includes web injections on bank websites leading to banking frauds. On-the-fly injections, used by TrickBot lures the victim into revealing personally identifiable information (PII), payment card details and PIN codes. This is not the first time Eastern European gangs attacked the country, other trojans like URLZone and Gozi (Ursnif) have been prevalent in Japan for years now. For Japanese Businessmen - Beware! Not only TrickBot but Ryuk Ransomware is also spreading through the region TrickBot, being already a worrisome banking plague is not only limited to that.

The Japanese companies should also be wary of the growing ransomware attacks because the TrickBot can usher in Ryuk Ransomware Attacks along with it. It's a kill chain that starts with Emotet and TrickBot and leads to Ryuk attack, ransomware that locks the system demanding millions of dollars. If such Ryuk or TrickBot attack is suspected, then you should immediately launch response plans and contain the infection or contact security companies without wasting precious time as these infections spread fast and wide.

Vulnerability found in Android Phones exploited by bank thieves through malicious apps


Researchers from security firm Promon, found a vulnerability in millions of fully patched Android phones, that's being exploited by malware through malicious apps designed to drain the user's bank account. The vulnerability is exploited by 36 apps, including bank trojans. These apps masquerade as legitimate apps already installed by the user posing on it or inside it, say the researchers. As the user already trusts these apps, after installing these then ask for permissions like recording audio or video, taking photos, reading text messages or phishing login credentials.



Victims who click yes, fall prey to the scam. Lookout and Promon, researchers reported on Monday that they found 36 apps exploiting the spoofing vulnerability. This includes BankBot banking trojan, which's been active since 2017 and apps from this malware have been caught on Google Play repeatedly. And the only way the users can protect themselves is by clicking 'no' to the permissions. TaskAffinity is the function in Android where this vulnerability occurs that lets the app disguise as other app and work in the multitasking environment. Using this the malicious app is placed inside or top of the target. "Thus the malicious activity hijacks the target's task," Promon researchers wrote.

"The next time the target app is launched from Launcher, the hijacked task will be brought to the front and the malicious activity will be visible. The malicious app then only needs to appear like the target app to successfully launch sophisticated attacks against the user. It is possible to hijack such a task before the target app has even been installed." Promon is calling the vulnerability, "StrandHogg," neither promon nor lookout has revealed the apps but Google has removed these apps from their market.

Still, the vulnerability remains a problem in Android. Google representatives said, "We appreciate the researchers['] work, and have suspended the potentially harmful apps they identified. Google Play Protect detects and blocks malicious apps, including ones using this technique. Additionally, we're continuing to investigate to improve Google Play Protect's ability to protect users against similar issues."

Russian banks discovered a new virus to steal money


From this year, hackers began to use new viruses that can enter the bank’s application on a mobile device and withdraw money from the victim’s account. Two Russian banks have already reported on this type of fraud.

Hackers use a new type of attack for the Android operating system. Fraudsters disguise viruses as applications or distribute them as links. After downloading and installing such a file, the virus begins to perform its functions without the user's knowledge. The programs are able to automatically transfer money from the victim's account to cybercriminals through the available mobile banking application.
Group-IB specialists first discovered such an attack in the spring of 2019. Then the new mobile Trojan Gustuff was modified, which appeared in December 2018 and created by a Russian-speaking hacker. This type of virus, experts noted, threatened only 100 foreign banks.

A new type of Trojan attacked at least two Russian banks in 2019 - Moscow Credit Bank and Post Bank. Representatives of the first noted that there are few cases of theft. The second confirmed one-time problems and talked about preventing fraud.

"From July 2018 to June 2019, hackers were able to steal 110 million rubles (1,7 million $) with the help of Trojans for Android," reported Group-IB.
However, compared to the same period last year, the indicator fell by 43%. It is reported that now hackers have mainly switched to the international market and only in rare cases continue to modify the application to attack the Russians.

According to the representative of Group-IB, the activity of Trojans in Russia decreased after the detention of the owners of the largest Android botnets, as a result of which hackers switched to the international market.

"However, some attackers modify applications and sell Trojans for subsequent attacks on users in Russia. This is a rare practice."

Earlier, the head of the Computer Security Association, Roman Romachev, said that data leaks will continue until banks become responsible for this.

Three Common Forms of Ransomware Infecting 1,800 businesses, Warns Dutch Govt



Around 1,800 companies are being affected by ransomware across the globe, according to a confidential report by the National Cyber Security Centre (NCSC) in the Netherlands. The report does not specify the names of the affected organizations but indicates that the targeted are the big players from different industries including chemical, health, construction, food, entertainment, and automobile. Most of these companies deal with revenue streams of millions and billions.

In the recent past, ransomware attacks have been on a rise and are being widely publicized as well, but due to the rapid increase in the number of ransomware attacks, many of these go unnoticed and hence unreported. As a result, the number of affected companies as per the NCSC report is likely conservative. Reportedly, the affected organizations are on their own as they recuperate from the attack by either being forced to pay the ransom or resorting to untainted backups to restore files.

NCSC's report enlists three file-encrypting malware pieces namely LockerGoga, MegaCortex, and Ryuk that are to be blamed for the malware penetration, these pieces of malware use a similar digital infrastructure and are "common forms of ransomware." While drawing other inferences, NCSC reckons the utilization of zero-day vulnerabilities for the infection. The dependence upon the same digital infrastructure implies that the attackers setting-up the attacks transferred the threat onto the victim's network via a single network intruder.

Professionals in intruding corporate networks tend to find allies who are involved in ransomware dealings and being experts they are always inclined to spot the best amongst all for whom they gladly pay a lump sum amount of money as salaries on a monthly basis in turn for proficient penetration testers that can potentially travel via infected networks without being detected. Here, the level of access provided determines how high the prices can go up to.

Cybercriminals are not likely to stop spreading ransomware as long as there are victims who are paying the ransom as they have no other option to fall back on, NCSC strictly recommends that organizations strengthen their security net to avoid falling prey to ransomware attacks carried out every now and then these days. 

New Chrome Password Stealer, 'CStealer' Sends Stolen Data to a MongoDB Database


The information collected by the Chrome browser including passwords, usernames, and other user credentials is being exposed to heavy risk as a new trojan known as CStealer attempts to steal the confidential data stored onto Google's Chrome browser.

Password stealer trojans include applications that tend to run in the background and silently gather sensitive information about the system such as connected users and network activity. It attempts to steal confidential information stored onto the system and the browsers like usernames, passwords and other credentials which once being stolen are sent to a specified destination by the attacker.

While the idea behind this info-stealing trojan is just like many others- which is to steal user credentials saved onto the browser's password manager, however, the fact that CStealer uses a remote MongoDB database to store the stolen data is what makes this case unprecedented and interesting.

The malware which was discovered by MalwareHunterTeam and was later analyzed by James does not compile and send the stolen data to a C2 under the author's command, rather, it is programmed to directly connect to a remote MongoDB data and utilize it to keep the stolen passwords stored, according to the findings.

As soon as the passwords are successfully stolen, the malware tends to link to the database and store the stolen data as per the network traffic created which was examined by James. In order to carry this out, the malware carries hardcoded MongoDB credentials and to connect to the database, it uses the MongoDB C Driver as the client library.

Notably, the approach is a bit more sophisticated and not as mainstream, however, ultimately it gets the agenda right as it successfully gets the credentials stolen. In doing so, indirectly it also gives a free invitation to other hackers to access the victim's confidential information as it tends to decrypt the privacy layers already. To exemplify, anyone who would examine the malware afterward, from law enforcers to security officers, will be able to retrieve the hardcoded passwords and employ them to get to the stolen data.

An IT contractor accidentally takes down NYPD's high-tech fingerprint database with a ransom malware!


The much-coveted and popular in news for keeping juveniles fingerprints data, the New York Police Department's fingerprint unit yet again gained much attention as it was shut down for hours because of ransomware.


The NYPD was hit by this ransom malware when they hired a third-party IT, contractor, to set up a digital display at the police academy in Queens on October 5 last year. And when he connected his tainted NUC mini-PC to the police network, the virus attached itself to the system. The virus immediately spread to 23 machines linked to the department's LiveScan fingerprint tracking system.

Deputy Commissioner for Information Technology Jessica Tisch said the officers discovered the malware within hours and contacted the cyber command and joint terrorism task force to solve the potential threat. We wanted to get to the bottom of this,' Tisch said. 'Was this plugged in maliciously was really important for us to get to the bottom of this.'

The ransomware was not executed but the fingerprints system was shut down for hours and were switched back on the next morning. Precautionary, 200 computers were reinstalled throughout the city to be safe.

The NYPD said, 0.1 percent of computers were attacked by the breach but the threat potential was large, as once inside the system, they could access case files and privileged data. The virus, ransomware locks the data, unless a 'ransom' is paid, fortunately, it could not execute the command and they shut down the system.

The IT contractor that accidentally bought the malware was questioned but not arrested.

Experts told the New York Post that breaches in public databases pose a serious security issue. Adam Scott Wandt, a professor of cybersecurity at John Jay College of Criminal Justice in Manhattan, said any breach put information at risk of being stolen. 'It's a fairly complex world that we live in,' he added. 'Everything is linked together. The government normally does a fairly good job of keeping hackers out, but every now and then there is a breach.'

Thousands of Russians became victims of the Сryptominer


International antivirus company ESET reported that hundreds of thousands of users in Russia, Belarus, Ukraine and Kazakhstan became victims of the Miner Virus. Specialists could not find a special module for cryptocurrency mining for years.

According to the company ESET, the mining module is distributed by the Stantinko botnet. This is a complex threat, active at least since 2012. The botnet has self-defense mechanisms that allow operators to remain undetected.

Stantinko is most often distributed through torrents and can disguise itself as pirated software. Previously, it was used for advertising fraud schemes: security experts said that over the past five years, the botnet infected more than 500 thousand computers in Russia (46%) and Ukraine (33%).
According to ESET, the crypto mining module is CoinMiner. Stantinko is carefully compiled for the new victim, so it is difficult to detect on the device. It is also able to contact with the mining pool through a proxy, the IP addresses of which are in the description of the videos on YouTube.

It is almost impossible to detect the module on a computer without special security checks. CoinMiner.Stantinko constantly scans the processes running on the PC and shuts down when anti-virus activity is registered.

In the process of mining, a significant part of computer resources is spent. In order not to cause suspicion, the module analyzes the activity and pauses its work, for example, if the device is running on battery power.

The main goal of Stantinko is financial gain. Operators provide false clicks on advertising links: the virus installs two browser extensions (the Safe Surfing and Teddy Protection) for the unauthorized display of advertising, which brings income to operators.

Analysts note that Stantinko allows operators to not only simulate click-throughs on advertising but also to steal data from a computer, to hack control panels using password-guessing attacks for reselling, to create fake accounts, likes on pages and a photo, to fill up the list of friends on Facebook.

Technology Company Hit by Ransomware Attack, Prevented Access to Crucial Patient Records


Virtual Care Provider Inc, a Wisconsin based technology company that provides cloud data hosting, security, and access management to more than 100 nursing homes was hit by a ransomware attack carried out by Russian hackers. The involvement of Ryuk encryption prevented access to crucial medical records of the patients and administration data related to the medication. After encrypting all the data hosted by the company for its patients and clients, attackers demanded a $14 million ransom in bitcoin in turn for a digital key that would unlock access to the data. Unable to afford the ransom, the company owner said that she is fearful of the consequences of the incident which could lead to the premature death of certain patients and the shutdown of her business.

Reportedly, the ransomware was spread via a virus known as 'TrickBot', the company told that it is 'feverishly working' to regain access to crucial data. The officials estimated that about 20% of the company's servers were compromised during the attack.

In a letter addressed to the company's clients, obtained via the Milwaukee Journal Sentinel, Christianson and Koch said that VCPI is "prioritizing servers that provide Active Directory access, email, eMAR, and EHR applications. We will be communicating status updates often and transparently, and, in preparation for service restoration, recommending to you the most efficient manner for your users to regain authenticated access."

Operated by WIZARD SPIDER (eCrime group), Ryuk is a targeted, well-planned and sophisticated ransomware that has targeted large organizations, primarily those that supply services to other businesses. It is employed to target the enterprise ecosystem and has mainly focused on wire fraud in the recent past. Despite having relatively low technical abilities and being under constant development since its release in August 2018, Ryuk has successfully encrypted hundreds of systems, storage and data centers in all the companies it attacked.

VCPI chief executive and owner Karen Christianson said, “We have employees asking when we’re going to make payroll,” “But right now all we’re dealing with is getting electronic medical records back up and life-threatening situations handled first.”

“We’ve got some facilities where the nurses can’t get the drugs updated and the order put in so the drugs can arrive on time,” she further told. “In another case, we have this one small assisted living place that is just a single unit that connects to billing. And if they don’t get their billing into Medicaid by December 5, they close their doors. Seniors that don’t have a family to go to are then done. We have a lot of [clients] right now who are like, ‘Just give me my data,’ but we can’t.”

A Trojan that Steals User's Banking Information via Fake McDonald Coupons


Spread via malvertising attacks, the banking trojan fools its victims through fake McDonald's coupons as a bait. This came into notice when banking details of Latin American buyers were tried to steal. The trojan discovered by experts at ESET is known as Mispadu, and it is similar to other trojans like Casbaneiro and Amavaldo that are found in Latin America. The trojan uses a remote crypto key for covering its original language. Mispadu targets users from Mexico and Brazil.


False McDonald’s tokens are used to lure the customers- 

The process consists of using bogus McD offer tokens as bait. These discount vouchers are either sent through spam e-mails or facebook ads which when clicked, takes the user to the primary site of the coupon. When the user clicks the button to get the coupon, they are displayed with an MSI option. The hacker uses this MSI installer to start a command that deciphers and performs an initializing course which allows them to connect to a remote server. "The trojan was also detected when working on a harmful Chrome version. It's built to shield the Google Chrome network to instead affect its victims' devices through the support of JavaScript," confirms ESET's inquiry.

Loots banking and personal information- 

Once the malware successfully invades a system, Mispadu uses false popup notifications to convince possible targets to share personal data. The primary aim of the trojan is to obtain critical system knowledge like- commonly used Latin American banking apps menu and downloaded safety products. The trojan also steals information from several network browsers and e-mail consumers. This includes Google Chrome, Mozilla Firefox, Outlook, Internet Explorer, and many more.

"Mispadu can also steal crypto funds like Bitcoins using a technique like a clipboard hijacking. But fortunately, no such case has appeared to date," says ESET. The elements of the Google Chrome expansion that the trojan uses for sharing can also collect users' transaction information and debit card data through various sites by scouring the information from data application lists. "For securing a backdoor entry in your device, Mispadu can automatically capture a screenshot, regulate your keyboard and mouse controls, and recover commands," say the experts.