Gozi Banking Trojan Campaigns Target Global Brands

Gozi, one of the oldest banking Trojans around, is using highly elaborate webinjects together with behavioral biometrics to bypass fraud protection in new campaigns targeting global brands, buguroo researchers warn.

Discovered in 2007, Gozi has had its source code leaked twice, which has led to the creation of new variants, including the newly discovered GozNym, which also borrows capabilities from the Nymaim Trojan. GozNym has already been spotted in various campaigns, initially targeting users in the United States and Canada and then migrating to Europe.

The new Gozi campaigns are focused mainly on banks and financial services in Spain, Poland, and Japan, but some target users in Canada, Italy, and Australia. According to researchers, Gozi’s operators are using new techniques that haven’t been perfected. As soon as that happens, however, the infection campaigns will spread to the United States and Western Europe.

In Spain, the malware was being distributed via malicious links leveraging URL shortening services, which led to compromised WordPress sites. The number of affected Spanish companies is relatively low, at least when compared to those in Poland and Japan, researchers say. The servers used for the distribution of configurations and webinjects for campaigns in Canada, Italy and Australia were inactive or disabled at the time of the research.

Some of the brands impacted in these campaigns include PayPal, CitiDirect BE, ING Bank, Société Générale, BNP Paribas, the Bank of Tokyo and many more, buguroo reveals in a report. These attacks reveal that Gozi continues to evolve, as it is now using dynamic web injection. It uses a high degree of automation to optimize the selection of mules after profiling the victim: the most important targets might even see the live intervention of operators, researchers say.

Gozi’s web injection is very elaborate and optimized to avoid detection, which allows it to go virtually undetected. Furthermore, its operators refine the code immediately after an attack has been discovered, so the updated code renders useless the defensive measures taken by the institutions under attack.

When the infected user attempts a transaction, the malware’s command and control (C&C) server is notified in real time and immediately serves the user the false information needed to carry out a fraudulent transfer. The user sees a deposit-pending alert requesting the security key to complete the transfer, while the real transfer page submitted to the bank is hidden beneath it. Thus the unsuspecting user inadvertently enters the requested key and sends money to a “mule.”

The security researchers observed that Gozi delivers both automated and manually customized responses from the control panel. Some users are assigned to a specific mule in a particular country, and the operator decides how much money will be transferred. Other users are assigned to a random mule and a fixed amount is transferred. In the end, it all depends on the value of the target, as operators assign larger operations to more reliable mules, researchers say.

The new campaigns also revealed that, for certain versions of the webinjects, the Trojan would send a kind of biometric information to the control panel, including details on how long the user takes to move from an input field to the next or the time between keystrokes. Based on these values, the malware then attempts to bypass protection systems that leverage user behavior and fills the necessary fields to perform fraudulent transfers.

The webinjects used in these campaigns show similarities to those of a malware family called Gootkit, but this is not surprising, since Gozi has shared webinjects with other malware in the past. The similarities between the Gozi and Gootkit webinjects, however, were not limited to code and techniques: the dates and times of updates to the corresponding automatic transfer system (ATS) panels also matched once the impacted companies made changes to hinder the Trojan’s operations.

“These facts—the complexity of these webinjects, their detailed elaboration and the fast updates once they stop functioning properly—once again point to the trend toward professionalization of malware services. These are probably sold by independent underground businesses that specialize in delivering malicious code for use by different organizations and made available, for a price, for multiple families of malware and campaigns,” the report reads.


Hacker wins $5,000 for Chrome, Firefox address bar spoofing flaw

The “omnibox” vulnerability makes it easier to phish or steal users’ data.

1.4 Billion Android Devices Affected by Linux TCP Flaw

The security bug discovered in the Linux kernel’s implementation of the TCP protocol also affects a large portion of the Android ecosystem, mobile security vendor Lookout reports.

According to researchers, CVE-2016-5696, the Linux TCP bug, affects around 80 percent of all Android devices in use today, which is around 1.4 billion devices. This is because the Android OS is built on a modified version of the Linux kernel.

The Linux Foundation has already taken all the steps to mitigate this security flaw, having patched the Linux kernel on July 11, 2016.

All Android versions 4.4 or higher affected

The security bug, CVE-2016-5696, allows an attacker who is not in a man-in-the-middle position to probe servers or users for active connections and then guess the TCP sequence numbers of those connections.

This enables the attacker to inject packets into the flow between two parties, sniff unencrypted traffic, or shut down encrypted connections. All Linux kernel versions from v3.6 up to v4.7 are vulnerable.

The first vulnerable version that featured this TCP implementation flaw, version 3.6, was released in 2012 and was also used to create the Android OS 4.4 (KitKat).

Using a VPN will protect Android users

Since security researchers disclosed the flaw last week, Google has not yet released any security patches. Google usually releases security patches at the start of each month, but it is highly unlikely that a fix for a component as large as the TCP stack would be ready after only a few weeks.

Even though security vendors have not discovered any weaponized exploit using this flaw, Lookout recommends that all users protect themselves by encrypting their traffic.

Users can do this by using encrypted apps, navigating sites via their HTTPS versions, or by employing a VPN. For more technical users, the Lookout team recommends the following steps:

“If you have a rooted Android device you can make this attack harder by using the sysctl tool and changing the value for net.ipv4.tcp_challenge_ack_limit to something very large, e.g. net.ipv4.tcp_challenge_ack_limit = 999999999”
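As an added illustration, not part of the article or of Lookout's guidance, the following POSIX shell script checks the two facts the article gives for a Linux host: whether the running kernel's major.minor version falls in the 3.6 to 4.7 range named above, and whether net.ipv4.tcp_challenge_ack_limit has already been raised. The function names and the use of 999999999 (the value quoted from Lookout) as the "very large" threshold are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the article or Lookout): a read-only check for the
# two facts the article gives. It only compares major.minor, so it does not
# know about distribution backports; a kernel "in range" here may already
# carry the upstream fix and must be verified against the vendor's patch level.

# Threshold taken from the quoted Lookout advice (assumption: anything at or
# above this value counts as "very large").
HIGH_LIMIT=999999999

# kernel_in_range VERSION: succeed if 3.6 <= major.minor <= 4.7, the range the
# article lists. Extra components are ignored: "4.4.0-131-generic" -> 4 and 4.
kernel_in_range() {
    major=$(printf '%s\n' "$1" | cut -d. -f1)
    minor=$(printf '%s\n' "$1" | cut -d. -f2 | sed 's/[^0-9].*$//')
    minor=${minor:-0}
    case "$major" in
        3) [ "$minor" -ge 6 ] ;;
        4) [ "$minor" -le 7 ] ;;
        *) return 1 ;;
    esac
}

# challenge_ack_limit_ok [FILE] [MIN]: succeed if the sysctl value in FILE
# (default: the live /proc entry) is at least MIN (default: HIGH_LIMIT).
# Returns 2 when the file cannot be read (not Linux, or no permission).
challenge_ack_limit_ok() {
    f="${1:-/proc/sys/net/ipv4/tcp_challenge_ack_limit}"
    min="${2:-$HIGH_LIMIT}"
    [ -r "$f" ] || return 2
    cur=$(tr -d '[:space:]' < "$f")
    [ "$cur" -ge "$min" ]
}

# check_host: print a short report for the machine the script runs on.
check_host() {
    kv=$(uname -r)
    if kernel_in_range "$kv"; then
        echo "kernel $kv: inside the 3.6-4.7 range named for CVE-2016-5696; verify the patch level"
    else
        echo "kernel $kv: outside the 3.6-4.7 range"
    fi
    if challenge_ack_limit_ok; then
        echo "net.ipv4.tcp_challenge_ack_limit is at least $HIGH_LIMIT"
    else
        echo "net.ipv4.tcp_challenge_ack_limit is low or unreadable; raise it with:"
        echo "  sysctl -w net.ipv4.tcp_challenge_ack_limit=$HIGH_LIMIT"
    fi
}

# Run the report only when asked, so the functions can also be sourced.
if [ "${RUN_CHECK:-0}" = "1" ]; then check_host; fi
```

Run it with RUN_CHECK=1 on the host; on a rooted Android device the same sysctl path applies, but the sysctl change does not persist across a reboot unless reapplied.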

Shade Ransomware Adds RAT Features to Spy on High-Value Victims

Crooks use the RAT to assess the financial status of infected victims and decide how much money to ask for.

The crooks behind the most recent versions of Shade have added an interesting new tidbit to their malware, installing a modified version of TeamViewer on infected systems so they can spy on their targets and adjust the ransom note accordingly.

This new Shade version only targets Russian companies that are running accounting software on their computers.

New Shade version delivers a RAT, but only to Russian businesses

Kaspersky researchers say that, during its installation routine and before infecting the target, this new Shade version actively scans the computer name for strings such as “BUH,” “BUGAL,” “БУХ,” and “БУГАЛ.” These strings are likely to be found on computers used by the accounting departments of Russian-speaking companies.

If Shade finds any of these strings, it stops the ransomware installation process and delivers another trojan called Teamspy, also known as TVSPY, TVRAT, or SpY-Agent.

The trojan contains a modified version of TeamViewer 6 that the malware authors have altered to hide its GUI. The trojan also includes the legitimate 7Zip archiving tool and the NirCmd command-line utility.

Furthermore, the crooks are also installing the TeamViewer VPN driver and the RDP Wrapper Library, used to open VPN connections and interact with the RDP protocol.

All of these utilities delivered inside Teamspy allow the crooks to modify OS settings on infected systems, open an RDP connection, and use TeamViewer to connect to the infected system.

Crooks using Teamspy to determine the proper ransom sum

Kaspersky suggests that the crooks are using Teamspy’s RAT (Remote Access Trojan) features to gather intelligence on the infected computer, to determine the appropriate ransom sum.

“The option of remote access to an infected accounting system allows the malefactor to secretly keep an eye on the victim’s activities and collect detailed information on the victim’s solvency in order to use the most efficient way of getting cash,” suggests Kaspersky’s Fedor Sinitsyn.

Teamspy is quite a powerful RAT and allows a crook to record audio from infected systems, record the victim’s desktop, run terminal commands, and download and install other executables.

Crooks are delivering the Shade ransomware at a later point

This last feature is most likely used to deliver the Shade ransomware at a later point in time, after the crooks have deemed the target important and decided on the ransom amount.

Shade is one of today’s most popular ransomware families, but Kaspersky researchers cracked its encryption and have provided a free decrypter via the No More Ransom initiative. Another name for the Shade ransomware is Troldesh.

This is not the first time malware has specifically targeted Russian businesses. In late June, Dr.Web discovered a trojan coded in 1C, a programming language used mostly in Russia. This trojan was delivering ransomware to companies using 1C:Enterprise, a popular accounting software in Russia.

Shade ransomware website

Australia Online Census Shutdown After Cyber Attacks

Cyber Attack Hits Australia Online Census Service

Australia was forced to reassure its citizens that their personal data was secure Wednesday, after malicious attacks by overseas hackers prompted an embarrassing shutdown of the online census.

Australians are required to complete the census every five years or face fines, and this was the first time there had been a major push for people to fill in the survey online.

But as thousands of people headed to the official website Tuesday evening, a series of denial-of-service attacks — attempts to overwhelm an online system to prevent people accessing it — prompted authorities to take the site offline.

“It was an attack, and we believe from overseas,” said David Kalisch from the Australian Bureau of Statistics, which organises the census.

“The scale of the attack, it was quite clear it was malicious,” he told the Australian Broadcasting Corporation.

The census website was not back online Wednesday.

The attacks are an embarrassment for the government, which earlier this year confirmed that the weather bureau, which reportedly owns one of the nation’s largest supercomputers, suffered a “cyber intrusion” in 2015.

The Labor opposition jumped on the incident, labelling it “the worst-run census in Australian history” and “one of the worst IT debacles Australia has ever seen”.

But Prime Minister Malcolm Turnbull insisted that no data had been compromised.

The ABS had acted with “an abundance of caution” in shutting down the site after a large-scale denial of service attempt followed by a hardware failure when a router became overloaded, he said.

“The site has not been hacked, it has not been interfered with,” he told reporters in Sydney.

The statistics bureau reassured Australians that their data was secure, with Kalisch saying the shutdown “actually confirms the strong position that the ABS has taken in terms of security”.

Some 2.33 million online forms were submitted before the outage and safely stored.

“The data that comes to ABS is encrypted and it was secured and received safely at the ABS… we have it at the ABS, no-one else has it,” Kalisch said.

On its Twitter account, the ABS Census insisted that no fines would be imposed on the thousands of people unable to complete the survey, provoking even more anger.

“Fine yourselves for the completely incompetent way this was handled,” wrote one respondent to @ABSCensus.

Australians officially have until September 23 to complete the census, with some two-thirds of respondents expected to use the internet rather than paper to complete the survey this year.


Researchers hack into software with malware threat

New York: A team of researchers has dissected how unwanted software, bundled with downloads and disguised as lucrative advertisements, opens computers and other devices to hijacking.

A team of researchers from Google and the New York University Tandon School of Engineering next week will offer the first public view into shady practices that deliver unwanted advertising and software bundled with legitimate downloads — a problem that occurs far more often than malware attempts.

Their research material, provided by New York University, suggests that some of the affiliates distributing such software may be complicit in the scheme, which gives them layers of deniability about installing unwanted software.

Generally, when a person goes to the “legitimate software update or download”, a barrage of advertisements overruns the screen. Sometimes flashing pop-ups warn of the presence of malware, demanding the purchase of what is often fraudulent antivirus software.

On other occasions, the system’s default browser is hijacked, redirecting to ad-laden pages.

The researchers conducted the first analysis of the link between commercial pay-per-install (PPI) practices and the distribution of unwanted software.

Kurt Thomas, a research scientist at Google, and Damon McCoy, an Assistant Professor of Computer Science and Engineering at NYU Tandon and their colleagues cite reports indicating that commercial PPI is a highly lucrative global business, with one outfit reporting $460 million in revenue in 2014 alone.

“If you have ever downloaded a screen saver or other similar feature for your laptop, you have seen a ‘terms and conditions’ page pop up where you consent to the installation,” McCoy explained.

“Buried in the text that nobody reads is information about the bundle of unwanted software programmes in the package you are about to download,” McCoy added.

The report explains that PPI businesses operate through a network of affiliates — brokers who forge the deals that bundle advertisements (often unwanted software) with popular software applications, then place download offers on well-trafficked sites where they are likely to be clicked on.

Parties are paid separately — meaning some legitimate developers do not know their products are being bundled with unwanted software — and they are paid as much as two dollars per install.


Hackers detail the blood and guts of the 2016 Pwn2Own exploit expo

Kernel carnage bashes browsers and punishes plug-ins. Black Hat Zero Day Initiative researchers have detailed the winning hacks of this year’s Pwn2Own competition, painting a picture of broken browsers and owned systems.

The quartet of Matt Molinyawe, Abdul-aziz Hariri, Jasiel Spelman, and Jason Smith of Trend Micro’s Zero Day Initiative vulnerability clearing house detailed and demonstrated the devastating white hat hacks during their presentations at the Black Hat conference in Las Vegas.

They walked delegates through the exploitation steps of the eight successful hacks pulled off at the Pwn2Own competition in March, recapping the steps and the 21 vulnerabilities that led to the digital goring of Chrome, Safari, Microsoft Edge, Apple OS X, and Adobe Flash.

“The winning submissions to Pwn2Own 2016 provided unprecedented insight into the state-of-the-art techniques in software exploitation” the quartet says in a 65-page technical paper [PDF] published after the talk.

“Every successful submission provided remote code execution as the super user (SYSTEM/root) via the browser or a default browser plug-in … attained through the exploitation of the Microsoft Windows or Apple OS X kernel.”

The attacks, detailed in a bid to improve the hacking chops of delegates, use different attack paths to achieve remote code execution, but similar kernel exploitation methods for attaining read and write primitives.

Exploitation methods using browsers as the first vector were rare in previous Pwn2Own contests.

Molinyawe, Hariri, Spelman, and Smith say application sandboxing improvements have helped, but did not shutter the attacks used at the contest.

“Application sandboxing is a step in the right direction, but the kernel attack surface remains expansive and exposed,” they say. “Each of the winning entries was able to avoid the sandboxing mitigations by leveraging vulnerabilities in the underlying OSs.”

Mitigations that isolate access to kernel APIs from sandboxed processes will add hurdles to frustrate future attempts to pop god-mode shells, they say.
