
Banking Trojan rises as the Top Security Concern


According to new research by Blueliv, banking trojans have risen as the biggest threat to the financial sector, second only to mobile malware. A Twitter poll of 11,000 users conducted by the cyberthreat intelligence provider revealed that a third of respondents were concerned about the impact banking Trojans (31 percent) and mobile malware (28 percent) will have on financial services organizations and their customers in 2020. Tracking these financial threats, Blueliv researchers observed an increase in the TrickBot banking trojan (283%) and a 130% increase in Dridex botnets. These Q2 and Q3 botnets are believed to be distributing banking trojans and malware to the financial sector and its customers.


Skill shortage and lack of threat visibility present a security challenge-

According to the poll, the financial sector is suffering from a major skill shortage in building security programs and identifying security threats. Blueliv found the most pressing challenge to be a shortage of skills (28 percent), followed by the high volume of threats and alerts (26 percent) and a lack of visibility into cyber threats (20 percent). Realwire quotes, "This is hardly surprising: as financial services institutions (FSIs) embrace digital processes and new customer interaction channels, so their attack surface grows, making it harder to keep on top of threats ranging from Point-of-Sale (PoS) to ATM malware, mobile apps malware to card skimmers."

Recent data from (ISC)2 shows that the global skills shortage has crossed 4 million. In Europe alone, the shortage has surpassed 100 percent. Daniel Solís, CEO and founder of Blueliv, says, “Organizations in the financial sector face a constantly changing threat landscape. Business priorities have shifted and digital risk management is now central. Because they are such high-value targets for cybercriminal activity, it is imperative that financial services organizations monitor what is happening both inside and outside their networks in real-time to create effective mitigation strategies before, during and after an attack.”

He further commented, “FSI (financial services institutions) security teams can be easily overwhelmed by the number of threat alerts they receive which can very quickly result in alert fatigue and desensitization to real, preventable threats. Threat intelligence can address the cyber skills gap through continuous automated monitoring combined with the human resource to provide context, helping FSIs develop highly-targeted threat detection, prevention, and investigation capabilities.”

Financial organizations are prime targets for attacks. Even with the most sophisticated cyber defense strategies, weak spots remain, and they are exploited by trojans and malware that fraud risk assessment teams overlook because of the skills shortage and poor threat visibility.

Alert! TrickBot Trojan and Ryuk Ransomware spread through Japan as the holiday season approaches


TrickBot, the most dangerous and active banking trojan family according to IBM X-Force data, has been modifying its malware's modules lately as the threat group launches campaigns in the wild. As the infection campaign spreads around the globe, Japan has become its new growing target ahead of the holiday season. Around the holidays, TrickBot campaigns usually target European and Western countries and other parts of the world, but this is the first time they have focused on Japan.


The timing coincides with the holidays, when consumers will be shopping extensively. Japanese consumers should therefore be wary of these infections, which target banks, online shopping payment cards, telecommerce, a bitcoin exchange, e-wallets, and others. TrickBot has been loaded with hundreds of targeted URLs belonging to banks and other retailers. The Emotet botnet is also dropping TrickBot onto other devices.

The most common attack involves web injections on bank websites, leading to banking fraud. The on-the-fly injections used by TrickBot lure the victim into revealing personally identifiable information (PII), payment card details and PIN codes. This is not the first time Eastern European gangs have attacked the country; other trojans such as URLZone and Gozi (Ursnif) have been prevalent in Japan for years. Japanese businesses should also beware: Ryuk ransomware is spreading through the region as well, and TrickBot, already a worrisome banking plague, is not limited to banking fraud.

Japanese companies should also be wary of the growing number of ransomware attacks, because TrickBot can usher in Ryuk ransomware attacks along with it. The kill chain starts with Emotet and TrickBot and leads to a Ryuk attack, ransomware that locks the system and demands millions of dollars. If a Ryuk or TrickBot attack is suspected, immediately launch response plans and contain the infection, or contact security companies without wasting precious time, as these infections spread fast and wide.

Vulnerability found in Android Phones exploited by bank thieves through malicious apps


Researchers from security firm Promon found a vulnerability in millions of fully patched Android phones that is being exploited by malicious apps designed to drain the user's bank account. The vulnerability is exploited by 36 apps, including bank trojans. These apps masquerade as legitimate apps already installed by the user, posing on top of or inside them, say the researchers. Because the user already trusts the legitimate apps, the malicious apps can then ask for permissions such as recording audio or video, taking photos, and reading text messages, or phish login credentials.



Victims who click yes fall prey to the scam. Researchers from Lookout and Promon reported on Monday that they found 36 apps exploiting the spoofing vulnerability. These include the BankBot banking trojan, which has been active since 2017; apps from this malware family have been caught on Google Play repeatedly. The only way users can protect themselves is by clicking 'no' to the permissions. The vulnerability lies in TaskAffinity, the Android feature that lets an app disguise itself as another app in the multitasking environment. Using it, the malicious app is placed inside or on top of the target. "Thus the malicious activity hijacks the target's task," Promon researchers wrote.

"The next time the target app is launched from Launcher, the hijacked task will be brought to the front and the malicious activity will be visible. The malicious app then only needs to appear like the target app to successfully launch sophisticated attacks against the user. It is possible to hijack such a task before the target app has even been installed." Promon is calling the vulnerability "StrandHogg." Neither Promon nor Lookout has revealed the apps, but Google has removed them from its market.

Still, the vulnerability remains a problem in Android. Google representatives said, "We appreciate the researchers['] work, and have suspended the potentially harmful apps they identified. Google Play Protect detects and blocks malicious apps, including ones using this technique. Additionally, we're continuing to investigate to improve Google Play Protect's ability to protect users against similar issues."
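
A defensive check based on the TaskAffinity behaviour described above, as an added example that is not from Promon, Lookout or the original post: it reads a decoded AndroidManifest.xml and reports activities whose task affinity names another app's package. The manifest, the package names and the `protected_packages` list are constructed for illustration; treating an empty `taskAffinity` as the hardened setting is an assumption drawn from common Android hardening guidance, not from the post.

```python
import xml.etree.ElementTree as ET

# Attribute names in the manifest live in the Android XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: decoded manifest text of a hypothetical app under review.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application android:label="Flashlight">
    <activity android:name=".MainActivity" />
    <activity android:name=".PromoActivity"
        android:taskAffinity="com.example.bank" />
    <activity android:name=".HelpActivity"
        android:taskAffinity="org.sample.other" />
    <activity android:name=".WidgetActivity"
        android:taskAffinity="com.example.flashlight.widget" />
    <activity android:name=".LoginActivity" android:taskAffinity="" />
  </application>
</manifest>
"""


def effective_affinities(manifest_xml):
    """Return (package, [(activity_name, affinity), ...]).

    An activity without its own taskAffinity inherits the application's
    value, which in turn defaults to the package name.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return package, []
    app_affinity = app.get(ANDROID_NS + "taskAffinity", package)
    pairs = []
    for node in app:
        if node.tag != "activity":
            continue
        name = node.get(ANDROID_NS + "name", "<unnamed>")
        pairs.append((name, node.get(ANDROID_NS + "taskAffinity", app_affinity)))
    return package, pairs


def audit_foreign_affinity(manifest_xml, protected_packages=()):
    """Flag activities whose task affinity points outside the app's own namespace.

    'high'   : the affinity equals a package the reviewer wants protected
               (for example the organisation's banking app).
    'review' : the affinity belongs to some other namespace and needs a
               human decision.
    """
    package, pairs = effective_affinities(manifest_xml)
    findings = []
    for name, affinity in pairs:
        own = affinity == package or affinity.startswith(package + ".")
        if affinity == "" or own:
            continue
        severity = "high" if affinity in protected_packages else "review"
        findings.append(
            {"activity": name, "affinity": affinity, "severity": severity}
        )
    return findings


def activities_sharing_named_task(manifest_xml):
    """Hardening view for your own app: activities that still have a named
    affinity (assumption: an empty taskAffinity is the hardened setting)."""
    _, pairs = effective_affinities(manifest_xml)
    return [name for name, affinity in pairs if affinity != ""]


if __name__ == "__main__":
    for finding in audit_foreign_affinity(SAMPLE_MANIFEST, {"com.example.bank"}):
        print(finding)
    print("named-task activities:", activities_sharing_named_task(SAMPLE_MANIFEST))
```

Packaged APKs store the manifest in binary form, so the input here is assumed to be the decoded XML text.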

Russian banks discovered a new virus to steal money


From this year, hackers began to use new viruses that can enter the bank’s application on a mobile device and withdraw money from the victim’s account. Two Russian banks have already reported on this type of fraud.

Hackers use a new type of attack against the Android operating system. Fraudsters disguise viruses as applications or distribute them as links. After such a file is downloaded and installed, the virus begins to perform its functions without the user's knowledge. The programs are able to automatically transfer money from the victim's account to cybercriminals through the available mobile banking application.

Group-IB specialists first discovered such an attack in the spring of 2019. At that time a modified version appeared of the mobile Trojan Gustuff, which had emerged in December 2018 and was created by a Russian-speaking hacker. This type of virus, experts noted, threatened only 100 foreign banks.

A new type of Trojan attacked at least two Russian banks in 2019 - Moscow Credit Bank and Post Bank. Representatives of the first noted that there are few cases of theft. The second confirmed one-time problems and talked about preventing fraud.

"From July 2018 to June 2019, hackers were able to steal 110 million rubles ($1.7 million) with the help of Trojans for Android," reported Group-IB.

However, compared to the same period last year, the figure fell by 43%. Hackers have reportedly now mainly switched to the international market and only in rare cases continue to modify applications to attack Russians.

According to the representative of Group-IB, the activity of Trojans in Russia decreased after the detention of the owners of the largest Android botnets, as a result of which hackers switched to the international market.

"However, some attackers modify applications and sell Trojans for subsequent attacks on users in Russia. This is a rare practice."

Earlier, the head of the Computer Security Association, Roman Romachev, said that data leaks will continue until banks become responsible for this.

Three Common Forms of Ransomware Infecting 1,800 businesses, Warns Dutch Govt



Around 1,800 companies across the globe are affected by ransomware, according to a confidential report by the National Cyber Security Centre (NCSC) in the Netherlands. The report does not name the affected organizations but indicates that the targets are big players from different industries including chemical, health, construction, food, entertainment, and automobile. Most of these companies have revenue streams in the millions and billions.

In the recent past, ransomware attacks have been on a rise and are being widely publicized as well, but due to the rapid increase in the number of ransomware attacks, many of these go unnoticed and hence unreported. As a result, the number of affected companies as per the NCSC report is likely conservative. Reportedly, the affected organizations are on their own as they recuperate from the attack by either being forced to pay the ransom or resorting to untainted backups to restore files.

NCSC's report lists three pieces of file-encrypting malware, namely LockerGoga, MegaCortex, and Ryuk, as responsible for the infections. These pieces of malware use a similar digital infrastructure and are "common forms of ransomware." Among its other inferences, NCSC reckons that zero-day vulnerabilities were used for the infections. The dependence on the same digital infrastructure implies that the attackers setting up the attacks delivered the threat onto the victims' networks via a single network intruder.

Specialists in intruding into corporate networks tend to partner with those involved in ransomware. The ransomware operators look for the most capable intruders and gladly pay them a monthly salary in return for proficient penetration testers who can move through infected networks without being detected. The level of access provided determines how high the price can go.

Cybercriminals are not likely to stop spreading ransomware as long as there are victims who pay the ransom because they have no other option to fall back on. NCSC strongly recommends that organizations strengthen their security to avoid falling prey to the ransomware attacks that are now carried out so frequently.

New Chrome Password Stealer, 'CStealer' Sends Stolen Data to a MongoDB Database


The information stored by the Chrome browser, including passwords, usernames, and other user credentials, is being exposed to heavy risk as a new trojan known as CStealer attempts to steal the confidential data stored in Google's Chrome browser.

Password-stealer trojans are applications that run in the background and silently gather sensitive information about the system, such as connected users and network activity. They attempt to steal confidential information stored on the system and in browsers, such as usernames, passwords and other credentials, which once stolen are sent to a destination specified by the attacker.

The idea behind this info-stealing trojan is the same as many others: to steal user credentials saved in the browser's password manager. However, the fact that CStealer uses a remote MongoDB database to store the stolen data is what makes this case unprecedented and interesting.

According to the findings, the malware, which was discovered by MalwareHunterTeam and later analyzed by James, does not compile the stolen data and send it to a C2 under the author's command. Rather, it is programmed to connect directly to a remote MongoDB database and use it to store the stolen passwords.

As soon as the passwords are stolen, the malware connects to the database and stores the stolen data, as shown by the network traffic James examined. To do this, the malware carries hardcoded MongoDB credentials and uses the MongoDB C Driver as the client library to connect to the database.

The approach is a bit more sophisticated and less mainstream, but it ultimately serves its purpose of stealing the credentials. In doing so, it also indirectly gives other attackers a free invitation to access the victim's confidential information, since the privacy layers have already been stripped away. For example, anyone who examines the malware afterward, from law enforcers to security officers, will be able to retrieve the hardcoded passwords and use them to get to the stolen data.

An IT contractor accidentally takes down NYPD's high-tech fingerprint database with a ransom malware!


The New York Police Department's fingerprint unit, much in the news for keeping juveniles' fingerprint data, has again gained attention after it was shut down for hours because of ransomware.


The NYPD was hit by the ransomware when it hired a third-party IT contractor to set up a digital display at the police academy in Queens on October 5 last year. When he connected his tainted NUC mini-PC to the police network, the virus attached itself to the system. It immediately spread to 23 machines linked to the department's LiveScan fingerprint tracking system.

Deputy Commissioner for Information Technology Jessica Tisch said officers discovered the malware within hours and contacted the cyber command and the joint terrorism task force to address the potential threat. 'We wanted to get to the bottom of this,' Tisch said. 'Was this plugged in maliciously was really important for us to get to the bottom of this.'

The ransomware was not executed, but the fingerprint system was shut down for hours and switched back on the next morning. As a precaution, 200 computers throughout the city were reinstalled.

The NYPD said 0.1 percent of its computers were affected by the breach, but the threat potential was large: once inside the system, attackers could access case files and privileged data. Ransomware locks the data unless a 'ransom' is paid; fortunately, it could not execute, and the system was shut down.

The IT contractor who accidentally brought in the malware was questioned but not arrested.

Experts told the New York Post that breaches in public databases pose a serious security issue. Adam Scott Wandt, a professor of cybersecurity at John Jay College of Criminal Justice in Manhattan, said any breach put information at risk of being stolen. 'It's a fairly complex world that we live in,' he added. 'Everything is linked together. The government normally does a fairly good job of keeping hackers out, but every now and then there is a breach.'

Thousands of Russians became victims of the Cryptominer


International antivirus company ESET reported that hundreds of thousands of users in Russia, Belarus, Ukraine and Kazakhstan became victims of a miner virus. For years, specialists had been unable to find its dedicated cryptocurrency-mining module.

According to the company ESET, the mining module is distributed by the Stantinko botnet. This is a complex threat, active at least since 2012. The botnet has self-defense mechanisms that allow operators to remain undetected.

Stantinko is most often distributed through torrents and can disguise itself as pirated software. Previously, it was used for advertising fraud schemes: security experts said that over the past five years, the botnet infected more than 500 thousand computers in Russia (46%) and Ukraine (33%).

According to ESET, the crypto-mining module is CoinMiner. Stantinko is carefully compiled for each new victim, so it is difficult to detect on the device. It can also contact the mining pool through a proxy whose IP addresses are listed in the descriptions of YouTube videos.

It is almost impossible to detect the module on a computer without special security checks. CoinMiner.Stantinko constantly scans the processes running on the PC and shuts down when anti-virus activity is registered.

In the process of mining, a significant part of computer resources is spent. In order not to cause suspicion, the module analyzes the activity and pauses its work, for example, if the device is running on battery power.

The main goal of Stantinko is financial gain. Operators provide false clicks on advertising links: the virus installs two browser extensions (the Safe Surfing and Teddy Protection) for the unauthorized display of advertising, which brings income to operators.

Analysts note that Stantinko allows operators not only to simulate click-throughs on advertising but also to steal data from a computer, to hack control panels with password-guessing attacks in order to resell them, to create fake accounts, to generate likes on pages and photos, and to fill up friend lists on Facebook.

Technology Company Hit by Ransomware Attack, Prevented Access to Crucial Patient Records


Virtual Care Provider Inc, a Wisconsin-based technology company that provides cloud data hosting, security, and access management to more than 100 nursing homes, was hit by a ransomware attack carried out by Russian hackers. Encryption by Ryuk prevented access to crucial patient medical records and administrative data related to medication. After encrypting all the data the company hosts for its patients and clients, the attackers demanded a $14 million ransom in bitcoin in return for a digital key that would unlock access to the data. Unable to afford the ransom, the company's owner said she fears the consequences of the incident, which could lead to the premature death of certain patients and the shutdown of her business.

Reportedly, the ransomware was spread via a virus known as 'TrickBot'. The company said it is 'feverishly working' to regain access to crucial data. Officials estimated that about 20% of the company's servers were compromised during the attack.

In a letter addressed to the company's clients, obtained via the Milwaukee Journal Sentinel, Christianson and Koch said that VCPI is "prioritizing servers that provide Active Directory access, email, eMAR, and EHR applications. We will be communicating status updates often and transparently, and, in preparation for service restoration, recommending to you the most efficient manner for your users to regain authenticated access."

Operated by WIZARD SPIDER (eCrime group), Ryuk is a targeted, well-planned and sophisticated ransomware that has targeted large organizations, primarily those that supply services to other businesses. It is employed to target the enterprise ecosystem and has mainly focused on wire fraud in the recent past. Despite having relatively low technical abilities and being under constant development since its release in August 2018, Ryuk has successfully encrypted hundreds of systems, storage and data centers in all the companies it attacked.

VCPI chief executive and owner Karen Christianson said, “We have employees asking when we’re going to make payroll. But right now all we’re dealing with is getting electronic medical records back up and life-threatening situations handled first.”

“We’ve got some facilities where the nurses can’t get the drugs updated and the order put in so the drugs can arrive on time,” she added. “In another case, we have this one small assisted living place that is just a single unit that connects to billing. And if they don’t get their billing into Medicaid by December 5, they close their doors. Seniors that don’t have a family to go to are then done. We have a lot of [clients] right now who are like, ‘Just give me my data,’ but we can’t.”

A Trojan that Steals User's Banking Information via Fake McDonald's Coupons


Spread via malvertising attacks, the banking trojan fools its victims using fake McDonald's coupons as bait. It came to notice through attempts to steal the banking details of Latin American buyers. The trojan, discovered by experts at ESET, is known as Mispadu, and it is similar to other trojans found in Latin America such as Casbaneiro and Amavaldo. The trojan uses a remote crypto key to conceal its original language. Mispadu targets users from Mexico and Brazil.


False McDonald’s tokens are used to lure the customers- 

The process uses bogus McDonald's offer tokens as bait. These discount vouchers are sent through spam e-mails or Facebook ads which, when clicked, take the user to the main coupon site. When the user clicks the button to get the coupon, they are presented with an MSI installer. The attacker uses this MSI installer to start a command that deciphers and runs an initialization routine, which allows them to connect to a remote server. "The trojan was also detected when working on a harmful Chrome version. It's built to shield the Google Chrome network to instead affect its victims' devices through the support of JavaScript," confirms ESET's inquiry.

Loots banking and personal information- 

Once the malware has successfully invaded a system, Mispadu uses fake popup notifications to convince targets to share personal data. The primary aim of the trojan is to obtain critical system information, such as the list of commonly used Latin American banking apps and installed security products. The trojan also steals information from several web browsers and e-mail clients, including Google Chrome, Mozilla Firefox, Outlook, Internet Explorer, and many more.

"Mispadu can also steal crypto funds like Bitcoins using a technique like a clipboard hijacking. But fortunately, no such case has appeared to date," says ESET. The elements of the Google Chrome extension that the trojan uses for sharing can also collect users' transaction information and debit card data through various sites by scouring the information from data application lists. "For securing a backdoor entry in your device, Mispadu can automatically capture a screenshot, regulate your keyboard and mouse controls, and recover commands," say the experts.

Windows Security Warning- Ransomware is Rapidly Growing and Getting Harder to Guard Against




Security experts are predicting an unusual rise in ransomware attacks and a strategic change in the cybercrime ecosystem aimed at evading detection and defeating existing defense mechanisms. As ransomware attacks expand in scale and influence, the few dominant players currently present are expected to disperse into multiple smaller ones.

Ransomware infects the victim's computer, locking down the hard drive and encrypting the data on the system. The attacker then asks the victim to pay the demanded ransom within a set time; if the victim fails to do so, the data is gone forever. The virus spreads across infected networks via a worm and encrypts several machines in a row.

After an in-depth analysis of various 'Windows security threats' such as coin miners, file-less malware, ransomware, PUAs and banking Trojans, global cybersecurity company Bitdefender concluded that, of all of them, the threat posed by ransomware is growing rapidly. Reportedly, it has grown 74 percent year on year. GandCrab had been one of the most prevalent and sophisticated ransomware families since its arrival in 2018; it kept strengthening its defenses and upgrading its delivery methods to bypass detection. After its demise, ransomware experienced its first, and indeed steep, fall in the cybercrime ecosystem in terms of the severity of a particular threat. However, this opening means several new players will enter the scene and might hit security layers even harder than GandCrab; experts have the potential candidates on their radar. One such threat is anticipated from 'Sodinokibi (aka REvil or Sodin)'.

The upsurge in ransomware attacks in 2019 led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to declare that it was close to qualifying as a "large-scale cyber event." According to an August 2019 publication, ransomware "has rapidly emerged as the most visible cybersecurity risk playing out across our nation's networks."

"The fall of GandCrab, which dominated the ransomware market with a share of over 50 percent, has left a power vacuum that various spinoffs are quickly filling. This fragmentation can only mean the ransomware market will become more powerful and more resilient against combined efforts by law enforcement and the cybersecurity industry to dismantle it," the report reads.

New Hacking Group Deploying Backdoors and Ransomware in Windows via Word docs


Researchers from Proofpoint have detected a series of malware campaigns from a new hacking group called TA2101 that is targeting various organizations in Germany and Italy and planting backdoor malware in their systems. The attackers also trick people by impersonating the United States Postal Service and tax entities, distributing 'Maze Ransomware' as well as banking Trojans. The research group noted that the attackers use legal and licensed penetration tools like Cobalt Strike and Metasploit after entering the network. These tools are used by organizations to secure their networks by analyzing loopholes and vulnerabilities; meanwhile, adversaries like Cobalt Group, APT32, and APT19 abuse the same software to install backdoors.

Deploying Backdoors in Windows via Word Docs

These malicious actors trick victims into clicking through phishing emails that carry ransomware and even banking trojans. The emails are alerts that demand immediate action, purporting to come from the German Federal Ministry of Finance, the United States Postal Service, law enforcement and finance firms. Behind the scenes, however, they deploy ransomware on the victim's Windows system via a Word document that opens when the attachment is opened.

Proofpoint researchers observed these impersonation campaigns from October 16 until November 12, 2019. The collected data gave a clear view of the attackers' targets and of how they operate, sending spam to companies and IT units in Germany, Italy, and the United States. “Researchers also observed a consistent set of TTP (Tactics, Techniques, and Procedures) that allows attribution of these campaigns to a single actor with high confidence. These include the use of .icu domains, as well as identical email addresses for the Start of Authority (SOA) resource records stored for the DNS entries for the domains used in these campaigns,” Proofpoint said.

In the samples, the emails carried weaponized Word documents which, when opened, made the system run a series of commands: launching a PowerShell script that eventually downloads and installs the Maze ransomware. For targets in the healthcare vertical and companies, the emails and Word documents installed the IcedID trojan payload on the system.

A New Malware that steals Personal Information via Discord App


Hey there, all the gamers and tech freaks. Beware! A new malware is coming right at you. Dubbed 'Spidey Bot' by its researchers, this malware is quite dangerous, as it can take all your personal information such as passwords, IP addresses, emails, contacts, and Discord usernames. The Windows malware does this by inserting itself into the Discord app's code.


As if this wasn't enough, the malware can also gain a backdoor into your device by copying the first 50 letters typed on your keyboard, which may contain critical information such as recently used passwords. This is done in order to get more malware installed on your device. Discord is an application designed specifically for the video gaming community. It is also a digital platform where PC gamers from across the world can connect and form communities of their own.

Lately, Discord has also become a favored platform for users who have been thrown off Twitter and Reddit for their peculiarly offensive comments; hence they are free to express their thoughts here. Sadly, you won't be able to tell whether your Discord files are affected, and even if you do, you can't do much about it. The best you can do is remove the software and then reinstall it to confirm that you are safe. Therefore, having the best antivirus is the only solution to prevent malware threats on your computer. Even Discord, the company behind the software, is unable to counter the problem for its users.

"Unluckily, there's nothing Discord can do to anticipate threats here. Still, the user should be careful while clicking on unknown links and should be critical of downloading unfamiliar software. Doing so can invite malware to your system. Installing an untrusted program can alter your Discord on your PC," tweeted Discord in response to user complaints. This is not a problem with the language; it lies on the user's end. The only alternative is for users to access the Discord app via their phones and gaming consoles instead of their computers.

17 Trojan infested apps you need to delete from your iPhone right now!


Just as in the ancient Greek story where soldiers sneak through the gates of Troy by hiding inside a wooden horse, Trojans sneak into your phone in the guise of harmless apps that you voluntarily install. According to a report by Wandera, Apple users are being warned about such apps and advised to check their devices against a list of malware apps and delete them.

The research team at Wandera, a software-as-a-service firm, has identified 17 apps that install a malicious Trojan module on iOS devices. Apple says that the infected apps have been removed from the App Store, but that after examination it found the apps did not contain the claimed Trojan malware. Instead, the apps were removed for being adware, specifically what is called "clicker Trojan malware": they included code that enabled artificial click-through of ads, making it seem as if you had viewed an advertisement, which is against the App Store's guidelines. Apple further said that the App Store's protective tools have been updated to detect such apps.

Below is the list of infected apps:

RTO Vehicle Information
EMI Calculator & Loan Planner
File Manager - Documents
Smart GPS Speedometer
CrickOne - Live Cricket Scores
Daily Fitness - Yoga Poses
FM Radio PRO - Internet Radio
My Train Info - IRCTC & PNR (not listed under developer profile)
Around Me Place Finder
Easy Contacts Backup Manager
Ramadan Times 2019
Pro Restaurant Finder - Find Food
BMI Calculator PRO - BMR Calc
Dual Accounts Pro
Video Editor - Mute Video
Islamic World PRO - Qibla
Smart Video Compressor

The developer of these apps is AppAspect Technologies, an Indian company with apps for iOS as well as Android. Wandera said that, on examination, these apps didn't contain the clicker Trojan malware but that they used to. Covington thinks it is possible that they used to contain the Trojan but were pulled from the store and republished after the Trojan module was removed; perhaps the bust on the Play Store made the developer retreat and focus its attention on iOS.

According to Wandera, the Trojan could not only act as adware but also steal information and data and send it to an external command-and-control server, create backdoors, and cause performance degradation, battery drain and heavy bandwidth use. The fact that the apps were published on the App Store and remained undetected is alone a matter of concern. “We were amazed with this one,” Wandera VP Michael Covington said in a statement to Forbes. “We've seen a couple of issues creep into the Apple App Store over the last few months—and it always seems to be the network element.”

Apple stands its ground that no such Trojan malware existed, saying there was no danger beyond ad click-through fraud. The good news is that deleting the apps solves the problem, and nothing is left behind. “There is no access to special frameworks that might have left something behind,” Covington explained.

Russian Companies infected by a virus masquerading as accounting documents


In September, Russian companies faced the problem of malicious software disguised as accounting documents. Launching the virus led to leaks of users' personal data and connected their computers to a botnet. Check Point claims that 15.3% of Russian Internet users received such emails in just one month.

According to Check Point, the Pony malware has been active since the beginning of the business season, in September, and was in second place on the list of the most active malware by the end of the month.

The company said that Pony was distributed via email through malicious EXE files simulating accounting requests. The subject lines of such emails were along the lines of "Closing documents Tuesday" and "Documents September". Pony is able to steal user credentials, monitor system and network operations, install additional malware and turn devices into a botnet.

Specialists at Rostelecom-Solar also recorded phishing emails with similar titles in September, confirms Igor Zalevsky, the head of the Solar JSOC incident investigation department.

"The simplest and most effective defense against such attacks is content filtering on the mail gateway. It is necessary to stop sending executable files of any format by e-mail," emphasizes Mr. Zalevsky.

Attacks like Pony are standard practice, said Vladimir Ulyanov, the head of the Zecurion analytical center. According to him, such malware is easier to monetize because accountants work with important data, but are not always well aware of information security risks.

"All companies work with closing documents, but not all employees know what these documents look like," explains Mr. Ulyanov.

The expert is sure that it is necessary both to deal with such attacks and to raise staff awareness.

Pony is classed as spyware, one of the top three types of malicious software used by cybercriminals. According to the rating, Cryptoloot, which uses other people's computers and their resources to mine cryptocurrencies, is in first place among the most aggressive malware in Russia. The XMRig malware, which is also used for mining, is in third place.
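The mail-gateway content filtering recommended in this article can be sketched as below. This is an added example, not code from the article or from any vendor it names; the extension blocklist, function names and the sample message are assumptions constructed for illustration. It checks leading magic bytes as well as file names, so an executable renamed to look like a document or placed inside a ZIP archive is still flagged.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist for this example; tune it to the gateway's own policy.
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".dll", ".cpl", ".msi", ".bat", ".cmd")
EXEC_MAGIC = (b"MZ", b"\x7fELF")  # Windows PE/DOS and Linux ELF headers

def is_executable(name, head):
    """Flag by extension or leading magic bytes, so a renamed file is still caught."""
    return name.lower().rstrip(" .").endswith(EXEC_EXTENSIONS) or head.startswith(EXEC_MAGIC)

def scan_zip(name, data):
    """Inspect ZIP members one level deep; archives that cannot be read are flagged."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as fh:  # raises RuntimeError if the member is encrypted
                    if is_executable(info.filename, fh.read(4)):
                        hits.append(f"{name}!{info.filename}")
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        hits.append(f"{name} (unreadable archive)")
    return hits

def find_executable_attachments(raw_message):
    """Return the attachments a gateway should block, in message order."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if is_executable(name, data[:4]):
            hits.append(name)
        elif data.startswith(b"PK\x03\x04"):
            hits.extend(scan_zip(name, data))
    return hits

def build_sample():
    """Constructed message; every attachment holds harmless placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = "Documents September"
    msg.set_content("Closing documents attached.")
    def attach(data, subtype, filename):
        msg.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    attach(b"MZ" + bytes(62), "pdf", "closing_documents.pdf")  # PE header behind a .pdf name
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.scr", b"placeholder")
    attach(buf.getvalue(), "zip", "documents_september.zip")
    attach(b"%PDF-1.4 placeholder", "pdf", "report.pdf")  # benign control
    return msg.as_bytes()
```

Archives that cannot be opened, including password-protected ones, are reported rather than passed through, since the filter cannot vouch for their contents.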

Pos Malaysia: Malware Attack Disrupts Internal Systems and Online Services



The IT infrastructure of Pos Malaysia, the postal delivery service in Malaysia, took a major hit from ransomware that rendered some of its online services inaccessible. After detecting the attack on Sunday, the company took immediate measures to shut down internal systems and parts of its online systems; it also lodged a police report with the Royal Malaysia Police for an attempted malware attack and reached out to the authorities concerned to ensure the safety of its systems and database.

During the downtime, the company's website displayed an error message that said, “Sorry, we are under maintenance.” The attack was discovered during a system update on October 20, and since then the company has released three statements insisting on the safety of customers’ personal data and sensitive information. It gave assurances that no user data was compromised and that the issues are being rectified. Several of Pos Malaysia’s online services have gradually been made accessible, while over-the-counter services remain available at the company’s branches nationwide. However, officials refrained from providing a specific timeline for the full restoration of the halted services.

Seemingly, it was a major attempt that disrupted the company’s internal systems and online services for the past few days and subsequently affected the company’s overall operations.

In a statement on Facebook, Pos Malaysia said, “Our team has managed to rectify and restore several of the system and online services. We assure our customers that their data and personal information are safe.”

“We extend our apologies for the inconvenience caused and thank our customers for their kind understanding, patience and support during this period. We will provide regular updates from time to time,” it added.

Announcing that the services will be restored and made fully accessible gradually, a spokesperson told The Star, "Customers and business partners may now gradually access our services. Over the counter services at all branches remain available."

"Currently, proactive steps are being taken by our IT recovery team to ensure minimal impact to our customers and business partners. While contingency plans are being considered to rectify and restore online operations, the majority of our services at all Pos Malaysia branches are still available," he added.

For people who have made shipments via Pos Malaysia, or have pending shipments, that required them to share sensitive data with the postal delivery company, odds are that the data would have been compromised in the attempted malware attack; they are therefore advised to check their private credentials where necessary.

A new malware that makes ATMs dispense all their cash is causing a stir; here's everything you need to know.


Malware isn't new, as we are all aware, but it changes over time, and so do the threat levels it poses. Malware may attempt to swipe your password, infiltrate your system, or quietly monitor your browsing activity. However, the most threatening malware is the kind that tries to steal all that you have earned. This is known as jackpotting, and it targets only ATMs. The name comes from the fact that jackpotting forces an ATM to give out all the cash it holds. This can be a concern for the general public, as cases of jackpotting are rising every day.


"Hackers throughout the globe are apprehending this is a low-cost and simple way to get some easy money. The ATMs with old software are targeted using black market code software, and the hackers are strolling off with millions in their pockets," says a collaborative study of Motherboard and German newsroom Bayerischer Rundfunk.

When jackpotting occurs, it doesn't matter how tech-savvy your ATM or bank is, because it all depends on the software. If the ATMs run insecure and antiquated software, hackers can effortlessly steal all your money. A few of the prominent jackpotting attacks happened in Germany in 2017. Earlier studies claimed that cases of jackpotting had decreased in number, but a new study reveals that it has become very common. "Survey conducted in 2019 shows that the crimes are rising," says David Tente of the ATM Industry Association. Other unnamed sources said the same. "Crimes are happening, but mostly it's not announced," said one.

The crimes in countries like Russia and Germany, and in many other places in Europe, are mostly carried out with Russian software named Cutlet. The software can be purchased for a mere $1,000. In the U.S., Ploutus D is a popular software for jackpotting. "The wicked fellows are trading this malware to anybody," says David Sancho, a jackpotting expert at cybersecurity firm Trend Micro. "Probably this can stir any nation around the globe."

Cybersecurity Researchers Discovered Attack Which Uses WAV Audio Files to Hide Malicious Code


We live in an age in which breaches of user security are among the most familiar headlines in the cybersecurity sphere; attackers have continued to discover unprecedented ways to compromise user data and have strengthened the older ones.

A widely used technique that allows hackers to break into computers and extract user data without being noticed is resurfacing, this time making detection even more complex by embedding the malware inside audio files resembling the regular WAV format audio files on the computer, according to cybersecurity researchers at Cylance, a California-based software company that develops antivirus programs and other software to prevent malware.

Hackers employed a method known as ‘steganography’ to hide and deliver malware; it involves hiding a file, video or message inside some other file. Researchers at Cylance discovered the malicious code embedded inside the WAV audio files, with each file containing a ‘loader component’ that decodes and executes the malware. The threat actors carry out these malicious activities using a crypto-mining application known as XMRig Monero CPU Miner.

Although hackers have previously used viruses and spyware to infect files and break into computers, this is the first time a file has been explicitly used to deliver crypto-mining software into a system. Cybercriminals are always looking to undo the measures taken by security officials. This is evident from the more sophisticated strategies they now employ: earlier, the only way to deliver crypto-mining malware was through malicious scripts in browsers, on websites or in software programs that came with malware.

Josh Lemos, VP of Research and Intelligence at BlackBerry Cylance, told Help Net Security: “One WAV file contained music with no indication of distortion or corruption and the others contained white noise. One of the WAV files contained Meterpreter to establish a reverse-shell to have remote access into the infected machine. The other WAV files contain the XMRig Monero crypto-miner.”

“Attackers are creative in their approach to executing code, including the use of multiple files of different file formats. We discovered several loaders in the wild that extract and execute malicious code from WAV audio files. Analysis revealed that the malware authors used a combination of steganography and other encoding techniques to deobfuscate and execute code,” the researchers at Cylance pointed out.

“The similarities between these methods and known threat actor TTPs may indicate an association or willingness to emulate adversary activity, perhaps to avoid direct attribution,” the researchers further remarked.

In order to stay guarded, users are advised to have proper anti-virus tools installed on their computers and stay alert while downloading any kind of file from the internet.

HP Patches a Critical Vulnerability Targeting Windows PCs


Security research firm SafeBreach recently discovered a critical vulnerability that uses unmonitored privilege escalation in the Open Hardware Monitor tool to infect Windows PCs running software that depends on it.

HP has already issued a patch fixing the said flaw after it came to their notice.

One of the most commonly found bundled software packages that uses Open Hardware Monitor is HP TouchPoint Analytics, a tool that runs on many HP laptops and desktops around the world, putting a similar number of customers at risk.
Tools such as HP TouchPoint Analytics are loaded as signed services and are accordingly whitelisted by numerous anti-malware tools, which is most likely one of the main reasons the flaw is said to be a 'potentially critical' one.

HP's laptops and desktop systems, besides being used for personal purposes, are also widely used in enterprises that manage potentially very sensitive data. This makes the disclosure considerably more sensitive, since through this privilege escalation attackers could target IT administrator setups, enter specific terminals, introduce 'arbitrary and malicious' DLL files into the system, access the machines in question, and thereby gain access to highly sensitive data.

In this case, the HP TouchPoint Analytics tool had high, root-level system access and, being a whitelisted tool, enabled attackers to escalate to 'system privilege' to access critical parts of the system. Potential use cases for hackers here include "data theft, undetected tracking of users and critical surveillance activities."

"These types of vulnerabilities are alarming because they indicate the ease with which malicious hackers could mount supply-chain attacks targeting and breaching highly trusted elements of our software ecosystem. This should be a clear signal to security teams that they need to increase their frequency of testing and analysis of their security envelope, in order to match the pace of criminals who are constantly innovating ways to hack into the most vulnerable parts of IT systems," said Itzik Kotler, co-founder and chief technology officer of SafeBreach.

The flaw has since been patched by HP, although SafeBreach warns that any other organization using the Open Hardware Monitor tool may still be at risk.


Smominru Botnet Affecting Over 4,000 Windows Systems Every Day


Smominru, which affects Windows machines across the globe, has been labeled one of the most rapidly spreading pieces of botnet malware, as per a report by data center and cloud security company Guardicore Labs. The infection rate of this malware has been detected to be up to 47,000 machines per day, and in the month of August alone it compromised almost 90,000 computers, according to the report.

When attacking, Smominru compromises Windows PCs by using the NSA exploit EternalBlue and brute-force attacks on various services such as RDP, TELNET, MS-SQL, and others. The malware is configured to steal the target's credentials and then install a cryptominer and Trojan module to compromise the network. After establishing a foothold, the malware moves laterally to affect as many systems as it can inside the targeted organization.

Reportedly, the US, Russia, China, Taiwan, and Brazil witnessed the largest number of attacks; however, other countries remain equally vulnerable to the malware, which has seen an upsurge in recent times. As an example, the largest network compromised by Smominru belonged to a healthcare provider in Italy, where a total of 65 hosts were affected.

The indiscriminate, untargeted nature of the attacks was notable: the compromised networks ranged from medical firms to higher-education institutions, and the victims infected by the malware included cybersecurity companies as well.

It has been discovered that around 85% of the attacks are carried out on Windows 7 and Windows Server 2008 systems, while others have been observed on Windows XP, Windows Server 2012, and Windows Server 2003.

Seemingly, the failure of company administrators to patch their networks and servers in time is one of the primary reasons the networks were compromised. For many organizations this failure results from a lack of logistical resources; for others, it is simply due to negligence and not keeping up to date with the requirements of the sector.