Cerber 5.0 Ransomware Uses New IP Ranges

The cyber criminals behind the notorious Cerber ransomware family have released three new versions of the malware this week, with the most notable change being the addition of new IP ranges in Cerber 5.0.

Initially spotted in early March, Cerber took a different approach to informing users that they have been infected: it included a .vbs file with a VBScript that caused the compromised machine to speak to the victim. Adding the .CERBER extension to encrypted files, the threat was also observed scanning all accessible network shares for files to encrypt.

Used in massive campaigns worldwide, including one targeting Office 365 users, Cerber has seen numerous upgrades since March, with the second major release observed in early August. Available to other cybercriminals via the ransomware-as-a-service model, Cerber was estimated in August to generate $2.3 million in annual revenue.

Cerber 4.0, the latest major variant of the malware, was released about a month and a half ago, roughly one week after the threat was observed killing database processes on the infected machines and just over a month after Cerber 3.0 emerged.

On Thursday, security researchers observed version 5.0 of the ransomware being distributed, less than 24 hours after version 4.1.6 had been released. Several hours later, version 5.0.1 also emerged, showing that the malware’s developers are aggressively updating their software.

While analyzing Cerber 5.0, Check Point security researchers noticed that it uses new IP ranges for command and control (C&C) communication. One of the ranges had already been seen in version 4.1.6, but the rest appear to be brand new. As before, the researchers explain, the malware sends UDP messages to every address in those ranges.

Other changes in the new variant include the fact that it skips 640 bytes when encrypting a file (compared to 512 bytes before), and that it doesn’t encrypt files smaller than 2,560 bytes (compared to 1,024 bytes before). Moreover, the ransomware now also targets files that feature the .secret extension.

At the moment, the ransomware is being distributed via spam emails and exploit kits, specifically the Rig-V exploit kit. As with the previous variants, the malware appends a randomly generated extension of four alphabetic characters to each encrypted file.

The malware continues to search for databases and files related to them, and can encrypt various database file types, Check Point says. It drops a ransom note on the desktop to inform users of the infection, and also drops an interactive .hta file with information in several languages. The rest of the features are unchanged from previous releases.

By Ionut Arghire

Source http://www.securityweek.com/cerber-50-ransomware-uses-new-ip-ranges

Terror groups likely to be first to unleash cyber weapons

Terror groups, not nation states, are the most likely to unleash devastating cyber weapons, according to Eugene Kaspersky, chief executive and co-founder of security firm Kaspersky Lab.

“I am 99.99% sure some nation states have developed top secret cyber weapons,” he told attendees of IPExpo at ExCeL in London. Unlike traditional weapons, cyber weapons can be reverse engineered, improved and used against those who developed them, so nation states are unlikely to use them on each other.

“But I am really afraid some terrorist group will pay cyber criminals to develop and deploy such weapons on their behalf,” he said, noting that some cyber criminals work like mercenaries, providing cyber crime services to anyone who is willing to pay.

Kaspersky said cyber weapons are likely to fall into one of three categories: those aimed at causing physical damage, those that destroy critical data, and those that take down telecommunications.

He cited Stuxnet and attacks on power suppliers in Ukraine as examples of the first, the attack on Saudi Aramco an example of the second, and the telecommunication blackout in Estonia in 2007 an example of the third.

“We are living in a dangerous world, where we can’t trust anything. Cyber is now just about everywhere, and it is vulnerable. Everything can be stolen and is open to compromise,” said Kaspersky.

Critical infrastructure is the most “problematic” and probably the “scariest” area, he said, because cyber criminals are well-resourced and can attack even well-protected networks.

“Cyber criminal groups are very professional and have shown that they can get past the security of well-known companies that typically invest a lot in cyber defence,” said Kaspersky.

He warned that all operating systems are under attack. “It is not only Microsoft Windows, but also Android, Mac OS, Linux and iOS,” he said.

According to Kaspersky, the vast majority (384 million) of malicious files detected are aimed at Windows, compared with Android (18 million) and Mac OS (30,000).

There are still only around 600 aimed at iOS, but Kaspersky believes nation states are behind most of those. He also attributed the scarcity of Mac OS threats to a shortage of good Mac OS engineers.

“We struggle to find good Mac OS engineers to work for us, and I am guessing that cyber criminals have the same problem.”

Despite painting a gloomy picture, Kaspersky said the situation was far from hopeless because there are things that can be done to reduce the likelihood and impact of cyber attacks.

According to Kaspersky, essential practices for enterprises for protecting critical data include regular security audits and sound cyber security strategies, minimising all network connections by allowing only those that are absolutely necessary for the business to function, and allowing only trusted applications and processes because “endpoint security controls are not enough on their own”.

Essential practices for operators of industrial control systems, particularly operators of critical infrastructure, include air-gapping critical systems, continually monitoring trusted processes using a secure operating system, and putting all new equipment onto secure operating systems.

In support of this approach, Kaspersky Lab has developed a secure operating system and paired it with its process monitoring system, a combination critical infrastructure operators can use until they are able to migrate all systems to a secure operating system.

“This migration process will take years, but the sooner we start, the sooner we will be in a position that is much more secure,” he said.

By Warwick Ashford

Source http://www.computerweekly.com/news/450400518

Release of Mirai IoT botnet malware highlights bad password security

The malware code behind the IoT botnet responsible for the recent, massive DDoS attacks has been released. And although there are lessons to be learned from it, experts suspect the release will cause more harm than good.

The Mirai botnet malware was released on the hacking-community website Hack Forums by a user named Anna-senpai, who claims to be the author of the code. Mirai was the botnet malware used in the distributed denial-of-service (DDoS) attack that took down the site of infosec journalist Brian Krebs and was clocked at 620 Gbps. Both names, Anna and Mirai, reference Japanese anime. Anna-senpai adopted the honorific senpai because the hacker sees himself or herself as a teacher for those wanting to use the Mirai malware, although the Japanese word for teacher is sensei, not senpai.

Anna-senpai did not take responsibility for that attack and said it was time to leave the game. In the forum post, Anna-senpai wrote, when he or she first got into the DDoS industry, “I wasn’t planning on staying in it long. I made my money,” and now it’s time to get out. “So, today, I have an amazing release for you. With Mirai, I usually pull max 380k [380,000] bots from Telnet alone. However, after the Kreb [sic] DDoS, ISPs [have] been slowly shutting down and cleaning up their act. Today, max pull is about 300k [300,000] bots and dropping.”

Anna-senpai went on to describe the system requirements for running the malware and tips for configuring the Mirai botnet malware. Anna-senpai claimed someone should be able to set up a working botnet in under one hour with the scripts and code provided.

Experts said the malware does take skill to implement properly, but Rick Holland, vice president of strategy for San Francisco-based Digital Shadows Ltd., said the “code release is particularly dangerous, since it once again lowers the barrier to entry for threat actors.”

“This release will cause more harm than good. The good that will come out of it is that it will raise awareness around denial-of-service attacks,” Holland told SearchSecurity. “Of course, awareness isn’t a security control and won’t be able to prevent DDoS attacks. Organizations will need to move from awareness to actual mitigation.” MalwareTech said on Twitter it might not be so easy for threat actors to get started with the code.

Jean-Philippe Taggart, senior security researcher at Malwarebytes, based in Santa Clara, Calif., said this opens the possibility of more large botnets, as well as the possibility that “a less experienced attacker might accidentally damage these IoT [internet of things] devices through poor coding and lack of experience.”

“Mitigating against an IoT DDoS is difficult, as these machines can have legitimate IP addresses, making filtering bona fide traffic difficult,” Taggart told SearchSecurity. “A more advanced threat actor could also patch these IoT devices in such a way as to only allow them to be accessible by them.”

Gunter Ollmann, CSO of Vectra Inc., based in San Jose, Calif., said the Mirai IoT botnet malware could be modified in unknown ways in the future.

“The botnet agent is particularly versatile and has a number of precoded install packages for a wide variety of common system-on-chip platforms,” Ollmann told SearchSecurity. “This means that copycat botnet operators will not need to learn or understand the differences of the platforms, but can target them anyway; in essence, dumbing down the skill level needed to launch such attacks going forward.”

Anna-senpai said the Mirai malware propagated by brute-forcing IoT device passwords via Telnet in a way that is 80 times faster and 20 times less resource-intensive than traditional botnet malware Qbot.

Ollmann said one impressive feature of the malware was its ability to spread outbound connections across multiple source IP addresses to sidestep ephemeral port exhaustion in Linux.

“The purpose here is to increase the total number of outbound connections that can be created and to overload the receiving device by exhausting their number of inbound connections, which will likely be maxed out at 65k [65,000] for a single port or protocol,” Ollmann said. “DDoS caused by connection saturation is often preferred as an attack vector because it doesn’t require high volumes of traffic. Therefore, a DDoS state can be achieved using a smaller number of attacking devices and requires less bandwidth to achieve the desired goals.”

Jerry Gamblin, lead security analyst at CARFAX, based in Centreville, Va., said the Mirai code highlighted troubles with users leaving the default passwords on IoT devices.

“The fact that devices are still running Telnet should be shocking, but, unfortunately, it isn’t,” Holland said. “The same is true for admin:admin credentials. All too often, we see nonexistent or poor security on these types of devices.”

Ollmann said this is a design flaw that IoT makers will have to consider in the future.

“All such devices need to ship with some kind of default credentials, so that the purchaser can configure the device for their own network environment. The real problem is that the owners are negligent in not changing these accounts after installation,” Ollmann said. “Future vendors of products like this should perhaps adopt practices which force the owner of the device to change the default password before they’re allowed to proceed further with configuration — and also to do some basic password integrity checking to prevent common or reused passwords. This would be pretty easy to do.”
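The first-boot policy Ollmann describes, forcing a credential change before configuration and rejecting weak replacements, is straightforward to implement. The following Python is an added example written for this digest, not code from any of the vendors quoted above. The factory credential pair, the small common-credential dictionary (a few of whose pairs, such as admin/admin and root/xc3511, are known to appear in the leaked Mirai scanner's list) and the DeviceSetup state machine are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import List

# Constructed defaults for this example; a real device would read them from firmware.
FACTORY_DEFAULT = ("admin", "admin")
MIN_LENGTH = 10
PBKDF2_ROUNDS = 100_000

# Constructed dictionary of the pairs a Telnet brute-forcer tries first. A few of these
# (admin/admin, root/xc3511, root/vizxv, support/support) are known to be in the leaked
# Mirai scanner's list; the rest are generic. A production list would be far longer.
COMMON_PAIRS = {
    ("admin", "admin"), ("root", "xc3511"), ("root", "vizxv"),
    ("support", "support"), ("root", "root"), ("user", "user"),
    ("admin", "password"), ("admin", "1234"), ("root", "12345"),
}
COMMON_PASSWORDS = {pw for _, pw in COMMON_PAIRS} | {
    "password", "123456", "12345678", "qwerty", "1111", "default",
}


def password_problems(username: str, password: str) -> List[str]:
    """Return every policy violation for a proposed pair; an empty list means accepted."""
    problems = []
    lowered = password.lower()
    if (username, password) == FACTORY_DEFAULT or password == FACTORY_DEFAULT[1]:
        problems.append("password is the factory default")
    if (username, password) in COMMON_PAIRS or lowered in COMMON_PASSWORDS:
        problems.append("password is on the common-credential list")
    if len(password) < MIN_LENGTH:
        problems.append(f"password is shorter than {MIN_LENGTH} characters")
    if username.lower() in lowered or lowered in username.lower():
        problems.append("password contains or equals the username")
    if lowered and lowered.isdigit():
        problems.append("password is all digits")
    return problems


class DeviceSetup:
    """Setup state machine: no network service can be enabled while the
    factory credentials are still in place."""

    def __init__(self) -> None:
        self.credentials_changed = False
        self.services = {"http": False, "ssh": False}
        self._store(*FACTORY_DEFAULT)

    def _store(self, username: str, password: str) -> None:
        # Salted PBKDF2 so that a dumped config file does not expose the password.
        self.user = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    def set_credentials(self, username: str, password: str) -> List[str]:
        """Apply the new pair if it passes policy; return the violations otherwise."""
        problems = password_problems(username, password)
        if not problems:
            self._store(username, password)
            self.credentials_changed = True
        return problems

    def enable_service(self, name: str) -> bool:
        """Refuse to expose anything until the default credentials are gone."""
        if not self.credentials_changed or name not in self.services:
            return False
        self.services[name] = True
        return True

    def verify_login(self, username: str, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        return username == self.user and hmac.compare_digest(candidate, self.pw_hash)
```

Telnet is deliberately absent from the service table: Holland's point is that it should not be offered at all, so the policy gate applies to the services that remain.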

Ollmann suggested a few basic security procedures to mitigate risk.

“The obvious advice for reducing the probability of compromise today is change the default admin credentials on the IoT device, or change or remove any other nonadmin credentials on the device,” Ollmann said. “And ensure that the IoT device sits behind a firewall and that the firewall is configured to drop by default all protocols not absolutely required for the operation of the IoT device.”

Holland said the first step toward mitigating the risk of having your IoT devices used in a DDoS botnet is to be aware of your IoT footprint.

“Far too often, organizations aren’t aware of the actual IoT inventory within their environments. The next step is to understand the available configuration settings of the devices that are deployed. These could be quite limited, given the lack of security practices within IoT,” Holland said. “Ultimately, we will need to apply pressure to IoT vendors that security must be built into the devices, because unlike many traditional IT assets — like endpoints or servers — bolting on security isn’t an option.”

by Michael Heller

Source http://searchsecurity.techtarget.com/news/450400369

HDDCryptor Leverages Open Source Tools to Encrypt MBR

Malware that uses open source tools for malicious purposes isn’t new, yet ransomware leveraging such tools to encrypt the entire hard drive and rewrite the MBR (Master Boot Record) is, researchers warn.

The new malicious program that combines the two is called HDDCryptor, but is also known as HDD Cryptor or Mamba ransomware. The threat was first spotted at the beginning of this year, although it only caught researchers’ attention in the past several weeks, after it was featured in a larger campaign.

Earlier this year, researchers detailed disk-level ransomware variants such as Petya, which emerged in March and manipulated the MBR to take over the boot process but did not encrypt the user’s individual files. To encrypt user files too, Petya started dropping an additional ransomware, called Mischa, and this modus operandi was later adopted by a ransomware variant called Satana.

HDDCryptor, however, leverages the DiskCryptor open source tool to strongly encrypt user’s data and to overwrite the MBR, Renato Marinho, Director at Morphus Segurança da Informação, explains.

According to Trend Micro researchers, the new piece of ransomware targets resources in network shares such as drives, folders, files, printers, and serial ports via Server Message Block (SMB), while also locking the drive. Because of its damaging routine, the ransomware should be treated as a “very serious and credible threat not only to home users but also to enterprises,” Trend Micro says.

HDDCryptor is being distributed via files downloaded from malicious websites, and is installed by dropping multiple components to the system’s root folder. These components include dcapi.dll (detected as Ransom_HDDCRYPTOR.A), dccon.exe (to encrypt the disk drive), dcrypt.exe, dcrypt.sys, log_file.txt, Mount.exe (scans mapped drives and encrypts files stored on them), netpass.exe (to scan for previously accessed network folders), netuse.txt (to store information about mapped network drives), and netpass.txt (to store user passwords).

To gain persistence, the malware adds a new service called DefragmentService and starts it from the command line. Some of the analyzed samples, researchers say, also showed network-encrypting behavior, though others had no propagation routines. The Mount.exe component, however, was clearly meant to enumerate mounted drives and encrypt their files, as well as to discover previously connected drives or cached, disconnected network paths and reconnect to them using all the credentials captured with netpass.exe.

In addition to using DiskCryptor (which supports AES, Twofish and Serpent, including cascades of them, in XTS mode) for disk and network file-level encryption, the ransomware abuses the same open source software to overwrite the Master Boot Record (MBR). It installs a modified bootloader that displays the ransom note at boot time, in place of the system’s normal log-in screen.

The security researchers also observed that the ransomware would forcefully reboot the compromised system after two hours of full disk activity (no user interaction needed), and that it would reboot the machine twice in some cases. Moreover, they reveal that the copy of the DiskCryptor dropped by the malware was the same file available on the open source tool’s download page (the software hasn’t been updated since September 7, 2014, it appears), but that a modified version of netpass.exe was used.
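An added example, not part of the Trend Micro or Morphus analysis, of the check a defender can run against the bootloader replacement described above: parse a 512-byte MBR and compare its boot code and partition table against a copy captured from the same disk at provisioning time. The sample sectors below are constructed with a placeholder boot stub and a single partition entry; they are not real Windows or DiskCryptor boot code.

```python
import hashlib
import struct
from typing import Dict, List, Sequence, Tuple

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the bootstrap code
TABLE_OFFSET = 446            # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FORMAT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> Dict[str, object]:
    """Split a raw MBR into the fields an integrity check cares about."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FORMAT, sector, TABLE_OFFSET + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(current: bytes, baseline: bytes) -> List[str]:
    """Compare the live sector with the provisioning-time copy; return findings."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is no longer a valid MBR")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code differs from baseline: bootloader replaced or modified")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def make_sample_mbr(boot_stub: bytes, partitions: Sequence[Tuple[int, int, int, int]]) -> bytes:
    """Build a constructed MBR for testing; the boot stub is a placeholder, not real code."""
    code = boot_stub.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(ENTRY_FORMAT, *entry) for entry in partitions)
    return code + table.ljust(64, b"\x00") + BOOT_SIGNATURE


# Constructed sectors: one bootable NTFS-type (0x07) partition starting at LBA 2048.
PARTITIONS = [(0x80, 0x07, 2048, 1_048_576)]
BASELINE_MBR = make_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"ORIGINAL-STUB", PARTITIONS)
TAMPERED_MBR = make_sample_mbr(b"\xfa\xfc" + b"REPLACED-BOOTLOADER", PARTITIONS)
NO_SIGNATURE_MBR = TAMPERED_MBR[:510] + b"\x00\x00"
```

The baseline has to be refreshed after any legitimate bootloader change (an OS upgrade, or deploying a full-disk encryption product, which rewrites the MBR in exactly the way HDDCryptor does), which is the ambiguity this kind of malware exploits. On GPT disks the MBR is only a protective stub, so the same comparison should be applied to the EFI system partition's boot files instead.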

“HDDCryptor, like ransomware as a service (RaaS), embodies how little effort can go a long way. At the crux of it is how HDDCryptor utilizes commercially available software to do its nefarious bidding, and ultimately how affected end users and businesses foot the bill for these cybercriminals,” Trend Micro researchers note.

According to Marinho, the password used to encrypt the disk is passed to the encryption tool as a parameter. The researcher also notes that the same password may be used on all compromised machines, or that the password may be “something related to the victims’ environment, like the hostname, or something like that.” He adds that the ransomware’s authors appear to be focused on servers and have already received payment from at least four victims.

By Ionut Arghire

Source http://www.securityweek.com/hddcryptor-leverages-open-source-tools-encrypt-mbr

Version 3 of Qadars Trojan Targets UK Banks

The customers of 18 banks in the United Kingdom have been targeted by cybercriminals in a campaign leveraging the latest major version of the Qadars banking Trojan.

Qadars has been around since 2013, but IBM X-Force researchers said the third major version of the malware was only released in the first quarter of 2016. Since 2015, cybercriminals have been using the malware in attacks aimed at Australia, Canada, the United States and the Netherlands, but the latest variant has been set up to target the U.K. as well.

The malware has a modular architecture and provides all the features needed by cybercriminals to steal money from bank accounts, including web injections fetched in real time from a remote server, systems for monitoring and manipulating browser activity, SMS hijacking apps for bypassing 2FA, and automated transfer system (ATS) panels that make it easier to manage operations.

In addition to banks, the Trojan has been used to steal credentials for social networks, sports betting websites, e-commerce platforms and payment services.

Qadars v3 variants bring improved performance for web injection mechanisms, and they are better at evading detection and preventing researchers from analyzing them. Obfuscation has been enhanced, and the Tor network is used for downloading modules and for C&C communications.

In order to gain administrator rights on the targeted machine, the Trojan displays a fake Windows security update, which triggers a user account control (UAC) dialog that keeps popping up until the victim clicks “Yes” and grants Qadars elevated privileges.

“Qadars attack volumes, compared to Trojans like Neverquest or Dridex, are more humble. While it is not one of the top 10 financial malware threats on the global list, however, this Trojan has been flying under the radar for over three years, attacking banks in different regions using advanced features and capabilities,” explained IBM’s Limor Kessem and Hanan Natan. “It’s possible that Qadars attack volumes remain limited because its operators choose to focus on specific countries in each of their infection sprees, likely to keep their operation focused and less visible.”

Based on the Qadars v3 release notes published in May 2016, researchers believe the malware’s author is most likely a Russian-speaking black hat.

Qadars is not the only banking Trojan spotted recently in attacks aimed at the U.K. The list of threats configured to target the country also includes Panda Banker, Marcher and Ramnit.

By Eduard Kovacs

Source http://www.securityweek.com/version-3-qadars-trojan-targets-uk-banks

Ursnif Banking Trojan Uses New Sandbox Evasion Techniques

The actor behind the Ursnif banking Trojan has been using new evasive macros in their latest infection campaign, demonstrating continuous evolution of tools and techniques, Proofpoint researchers reveal.

In the latest observed distribution campaign, the Trojan is dropped onto the victim’s computer via weaponized Word documents. Before the infection takes place, however, the malicious macros in these documents check the machine to ensure that the Trojan can successfully evade detection and hinder analysis.

Previously, the threat would check for the public IP address of the infected machine and for the number of accessed Microsoft Word files to determine whether it was running inside a virtual environment. Now, the actor behind it, known as TA530, decided to add new sandbox evasion checks to the malicious macros, to better tailor the threat for evasion, researchers explain.

Following the recent update, the macro checks whether the document’s filename consists only of hexadecimal characters before the extension, and requires at least 50 running processes with a graphical interface, counted via Application.Tasks.Count. It also walks Application.Tasks against a process blacklist, and has expanded the list of strings it looks for in the MaxMind geolocation response.

In the newly spotted campaign, the threat actor also used an ActiveX image control’s Painted event (observed as Img_Painted) to execute the macro when the user opened the document. Malicious documents usually rely on auto-run handlers such as Document_Open(); the Ursnif actor adopted the ActiveX control instead.

This week, a highly personalized spam campaign associated with this threat has been observed utilizing company names, personal names, titles, etc., to deliver the malicious Word documents. To lure the unsuspecting user to enable the macro, the document claims to be protected against unauthorized use. Once the user allows the macro to run, Ursnif ID “30030” is dropped, targeting Australian banking sites with web injects.

Following the update, the malicious macro checks whether the Word filename consists only of hexadecimal characters, because files submitted to sandboxes are often named after their SHA256 or MD5 hash. The payload is therefore dropped onto the target system only if the filename contains characters outside the hexadecimal set, such as letters after “f”, underscores or spaces, and only if an extension is present.

The macro also checks the number of running processes with a graphical interface, because real systems usually have more than 50 tasks, while sandboxes have as few as possible. Next, the macro performs a case-insensitive check against a blacklist of processes that could be present in a sandboxed environment, such as “fiddler”, “vxstream”, “vbox”, “tcpview”, “vmware”, “process explorer”, “vmtools”, “autoit”, “wireshark”, “visual basic”, and “process monitor”.

The macro also abuses the well-known geo-location service MaxMind to check whether the target machine is located in Australia, because it is targeting only this country in the latest campaign. More specifically, the macro checks that the results returned by MaxMind include “OCEANIA,” the region of the tropical Pacific Ocean that includes Australia.

The results are checked against an expanded list of blacklisted networks and the infection process is dropped if the target machine is located in one of these networks. Interestingly, in addition to security vendors, the list also includes networks belonging to “hospital”, “university”, “school”, “science”, “army”, “veterans”, “government”, and “nuclear.” Most probably, this check was included to minimize exposure to researchers and military or government entities, researchers say.
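The checks Proofpoint describes double as a yardstick for a sandbox operator: if the analysis environment trips any of them, this macro never detonates. The Python below is an added example written for this digest, not Proofpoint’s code or the macro itself; it re-implements the heuristics from the paragraphs above (hash-like filename or missing extension, fewer than 50 GUI tasks, blacklisted process names, a MaxMind region other than OCEANIA, and the network-name terms quoted above) so that a sandbox configuration can be scored against them. The two sample configurations are constructed, and the real network blacklist also contains security-vendor names that the article does not reproduce.

```python
import re
from typing import Iterable, List

MIN_GUI_TASKS = 50
TARGET_REGION = "OCEANIA"
# Process-name substrings quoted in the write-up (matched case-insensitively).
PROCESS_BLACKLIST = ["fiddler", "vxstream", "vbox", "tcpview", "vmware", "process explorer",
                     "vmtools", "autoit", "wireshark", "visual basic", "process monitor"]
# Network/organisation terms quoted in the write-up; the vendor names are omitted here.
NETWORK_BLACKLIST = ["hospital", "university", "school", "science", "army",
                     "veterans", "government", "nuclear"]

_HEX_ONLY = re.compile(r"[0-9a-fA-F]+")


def name_looks_submitted(filename: str) -> bool:
    """True when the macro would abort on the document name: the stem is pure
    hexadecimal (a SHA256/MD5-style name) or there is no extension at all."""
    base = re.split(r"[\\/]", filename)[-1]   # handle Windows and POSIX paths alike
    stem, dot, ext = base.rpartition(".")
    if not dot or not ext:
        return True
    return _HEX_ONLY.fullmatch(stem) is not None


def sandbox_findings(filename: str, gui_task_count: int, processes: Iterable[str],
                     geo_region: str, geo_network: str) -> List[str]:
    """List every heuristic this environment would trip; empty means the macro proceeds."""
    findings = []
    if name_looks_submitted(filename):
        findings.append("document name is hash-like or lacks an extension")
    if gui_task_count < MIN_GUI_TASKS:
        findings.append(f"only {gui_task_count} GUI tasks, macro requires {MIN_GUI_TASKS}")
    hits = sorted({p for p in processes if any(b in p.lower() for b in PROCESS_BLACKLIST)})
    if hits:
        findings.append("blacklisted processes running: " + ", ".join(hits))
    if geo_region.strip().upper() != TARGET_REGION:
        findings.append(f"geolocation region {geo_region!r} is not {TARGET_REGION}")
    terms = [t for t in NETWORK_BLACKLIST if t in geo_network.lower()]
    if terms:
        findings.append("network name matches blacklist terms: " + ", ".join(terms))
    return findings


# Constructed configurations: a stock sandbox and one tuned to look like a victim desktop.
DEFAULT_SANDBOX = dict(filename="3f2a91e1c0d4b7a6.docm", gui_task_count=12,
                       processes=["VBoxService.exe", "Wireshark.exe", "WINWORD.EXE"],
                       geo_region="EUROPE", geo_network="Example University Security Lab")
TUNED_SANDBOX = dict(filename="Invoice_Q3_2016.docm", gui_task_count=64,
                     processes=["explorer.exe", "OUTLOOK.EXE", "WINWORD.EXE"],
                     geo_region="Oceania", geo_network="Example Pty Ltd Broadband")
```

The geolocation inputs stand in for what the macro reads back from MaxMind; in a real sandbox they are determined by the egress IP the analysis VM uses, so region and network name are properties of the network, not of the VM image.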

The actor behind this Ursnif campaign is also responsible for various other large-scale personalized attacks and is constantly adding new evasion techniques to the malicious macros used in infection campaigns. At the moment, the actor appears focused on preventing the execution of its malware on sandbox systems and on avoiding networks associated with security vendors and other entities.

“Over the last few years, malware sandboxes have become a more common component of the defenses that organizations and enterprises deploy to protect their users and their data. As the examples from this analysis demonstrate, threat actors are concentrating their research and innovation of malware sandbox evasion in an effort to remain ahead of their victims’ defenses,” Proofpoint researchers concluded.

By Ionut Arghire

Source http://www.securityweek.com/ursnif-banking-trojan-uses-new-sandbox-evasion-techniques

Windows Trojan Targets Android, iOS Devices via USB Connection

A relatively new Windows Trojan is capable of loading malicious applications onto Android and iOS devices connected to the infected machine via USB.

The threat, dubbed “DualToy” by Palo Alto Networks, has been around since January 2015. While the malware has mainly targeted users in China, the security firm reported that individuals and organizations in the United States, United Kingdom, Thailand, Spain and Ireland were also impacted.

Researchers discovered more than 8,000 unique DualToy samples. Earlier variants were only capable of infecting Android devices, but the Trojan’s developers added iOS capabilities within six months after the threat was first spotted.

On infected Windows PCs, DualToy injects processes, modifies browser settings and displays ads. When an Android or iOS device is connected to the infected PC via USB, the malware starts conducting various activities.

The malware’s developers are counting on the fact that when a user connects a mobile device to the infected computer, that device is likely already authorized, making it easier to use existing pairing records to interact with it in the background.

“Although this attack vector’s capability can be further limited by additional mechanisms (e.g., ADB enabling, iOS sandbox) which make this threat not so severe, DualToy reminds us again how attackers can use USB sideloading against mobile devices and how malware can be spread between platforms,” Palo Alto Networks researcher Claud Xiao explained in a blog post.

In order to infect Android and iOS devices, the Trojan checks for the presence of the Android Debug Bridge (ADB) and iTunes on the compromised Windows machine. If these applications are not found, the malware downloads and installs them.

ADB and iTunes are used by DualToy to install various applications on Android and iOS devices connected via USB to the infected computer. In the case of Android, several Chinese-language games were downloaded from a third-party app store.

On iOS phones and tablets, the malware collects system information and sends it back to its command and control (C&C) server. The data includes the device’s name, type, version, model number, serial number, IMEI, IMSI, firmware, and phone number.

DualToy also downloads several .ipa files (iOS application archives), including one that asks users to provide their Apple ID and password. The harvested credentials are encrypted and sent to a remote server.

This app, named Kuaiyong, is a third-party iOS app store, similar to ZergHelper, which in February managed to slip through Apple’s review process and made it onto the official App Store.

Palo Alto Networks has compared DualToy to AceDeceiver and WireLurker, both of which target iOS devices when they are connected to an infected computer.

By Eduard Kovacs

Source http://www.securityweek.com/windows-trojan-targets-android-ios-devices-usb-connection

Bitcoin.org Warns of Possible State-Sponsored Attacks

Bitcoin.org, the organization that oversees the development of the Bitcoin software, has warned users that state-sponsored attackers will likely target the upcoming release.

Bitcoin Core, the open source client for Bitcoin, validates the blockchain and all transactions. Bitcoin Core 0.12.1 was released in April and developers will soon make available version 0.13.0.

In a security notice published on Wednesday, Bitcoin.org said it has reason to believe that the Bitcoin Core 0.13.0 binaries will be targeted by state-sponsored threat actors. Users have been given a PGP key with which the signatures on Bitcoin Core binaries can be verified.

“We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website,” the security notice reads.

“In such a situation, not being careful before you download binaries could cause you to lose all your coins. This malicious software might also cause your computer to participate in attacks against the Bitcoin network. We believe Chinese services such as pools and exchanges are most at risk here due to the origin of the attackers,” Bitcoin.org warned.

Experts pointed out that the Bitcoin.org website does not use HTTP Public Key Pinning (HPKP), so a government that controls a certificate authority (CA) could issue its own certificate for the site. Such an attacker could then hijack the website’s IP address and replace the key published by Bitcoin.org with one of their own.

China, which appears to be the main suspect in this case, does control a CA, namely the China Internet Network Information Center (CNNIC). CNNIC’s new certificates were banned last year by Mozilla and Google after one of the organization’s intermediate certificates was used to issue fake Google certificates.

Bitcoin’s popularity and high value has made it a tempting target for various types of threat actors. Several Bitcoin exchanges have been attacked over the past months and some of them were even forced to shut down their operations due to the breaches they suffered.

The latest victim is Hong Kong-based Bitfinex, one of the world’s largest digital currency exchanges. The company had tens of millions of dollars worth of Bitcoin stolen as a result of a hack that is still being investigated.

By Eduard Kovacs

Source: Security Week

Locky Targets Hospitals in Massive Wave of Ransomware Attacks

A massive Locky ransomware campaign spotted this month targets primarily the healthcare sector and is delivered in phishing campaigns.

The payload, researchers at FireEye said, is dropped via .DOCM attachments, which are macro-enabled Office 2007 Word documents. Especially hard hit are hospitals in the United States followed by Japan, Korea and Thailand, according to research published Wednesday by FireEye.

Researcher Ronghwa Chong said this blitz of macro-based Locky ransomware is a new tactic for cybercriminals who in March primarily distributed Locky ransomware via spam campaigns with the payload delivered via JavaScript attachments.

“These detection spikes and change in tactics suggest that the cybercriminals are investing more to infect systems and maximize their profits,” Chong wrote. “Additionally, we have observed that the delivery of Dridex via this distribution channel seems to have stopped, or nearly so, which could explain why we are seeing the Locky uptick.”

It was just this June that researchers at Proofpoint observed an uptick in the distribution of the Dridex banking Trojan and a new version of the Locky ransomware being distributed via a resurgence of the Necurs botnet. By taking a closer look at the spoofed Locky emails, the ransomware’s network pattern and the DOCM attachment, researchers were able to find a distinct connection between the major waves of spam pushed out by attackers this month, indicating coordinated efforts by a single attacker or several.

“Each email campaign has a specific ‘one-off’ campaign code that is used to download the Locky ransomware payload from the malicious malware server,” Chong noted. Researchers also noted a malicious URL embedded within the Locky macro code that is encoded using an identical encoding function that varies by a specific key for each campaign. Along with the healthcare sector, also hit hard this month by Locky are the telecom, transportation and manufacturing industries. Locky ransomware is best known for a high-profile infection at Hollywood Presbyterian Medical Center in California in February; the hospital paid a $17,000 ransom to recover its files.

According to security experts, the healthcare sector has been singled out by attackers who view the industry as low-hanging fruit, given its reliance on outdated security procedures coupled with high-value assets. Locky, meanwhile, has made notable gains over the last several months and now ranks as a top malware threat, according to a recent Proofpoint report (PDF). The research said that among email attacks observed in Q2 that used malicious document attachments, 69 percent featured Locky ransomware.

“This is a 45 percent increase over Q1 for Locky alone,” Proofpoint said. “The volume of Locky ransomware downloaders is increasing and the tools and techniques being used in campaigns are constantly changing. In this instance, we are seeing a shift from using a JavaScript based downloader to infect victims to using the DOCM format. On top of that, cybercrime trends have shown that attackers are distributing more ransomware these days than banking trojans, as the former appears to be more lucrative,” Chong wrote.

By

Source: Threat Post


Adwind RAT Rebrands Yet Again, This Time as JBifrost

The criminal group behind the Adwind RAT, one of the most actively deployed remote access trojans, has re-branded its product once again, this time returning to the malware market with the name of JBifrost.

This particular malware appeared in January 2012, under the name of Frutas RAT, and the following year, in January 2013, it rebranded as the Adwind RAT, a moniker that would stick with all security vendors.

As malware campaigns and the RAT’s activity were exposed across the years, the crooks would always change the malware’s name time and time again. Adwind rebranded as the Unrecom RAT in February 2014, as AlienSpy in October 2014, and as JSocket RAT in June 2015.

JSocket shuts down, and JBifrost appears three months later

Following a scorching in-depth report published by Kaspersky in February 2016, JSocket, the latest incarnation of this RAT, shut down soon after.

According to researchers from security vendor Fortinet, the people behind Adwind have gone through the old motions of rebranding their product once again, which, three months later, reappeared on the market on May 15, 2016, as the JBifrost RAT.

Fortinet researchers are 100 percent positive this is a rebranded Adwind RAT, with a new GUI and only a small set of new features when compared with its previous incarnation, JSocket.

The Adwind (JBifrost) website is now a closed community

The JBifrost website is no longer open to everyone: unlike previous instances where anyone could buy the RAT, users now need an invitation code to register on the JBifrost website and purchase the RAT.

Crooks are selling JBifrost as a monthly subscription, $45 for the first month and $40 for a subscription renewal.

Another big change in how the crooks operate is in how they collect their money. Previously, they accepted payments via PerfectMoney, CoinPayments, Advcash, EntroMoney, and Bitcoin.

This time around, they only take Bitcoin, most likely because the other payment methods are not anonymous and may lead law enforcement back to the crooks.

Taking into account Kaspersky’s long-standing cooperation with law enforcement agencies around the world, the Adwind gang seems genuinely scared and has taken precautions to hide its operations like never before.

JBifrost comes with minimal changes compared to Adwind

As for the JBifrost changes compared to JSocket, Fortinet said it detected only minor changes that include a new column that shows an infected victim’s keyboard status (in use or not), and a new column that shows the title of the victim’s current window.

There is also a new tab called Misc that allows users to configure additional JBifrost servers, as well as a new feature that lets attackers grab data from web forms displayed inside the Google Chrome browser.

At the time of its analysis, Fortinet says the JBifrost malware had been downloaded from the homepage 1,566 times, and that it has been detected in live malware distribution campaigns.

“Based on our findings, it is clear that Adwind perpetrators intend to stay in business by simply re-branding their RAT whenever they appear in the news. They do so by migrating their current subscribers’ accounts to a new website,” Fortinet’s Rommel Joven and Roland Dela Paz note. “As of this writing, we can confirm that JBifrost RAT is currently being utilized in active attacks, including attacks related to business email compromise (BEC) schemes.”

By Catalin Cimpanu

Source: Softpedia