Wednesday, January 22, 2020

WOOF locker: Unmasking the browser locker behind a stealthy tech support scam operation

WOOF locker: Unmasking the browser locker behind a stealthy tech support scam operation

Posted: January 22, 2020 by Jérôme Segura

In the early days, practically all tech support scammers would get their own leads by doing some amateur SEO poisoning and keyword stuffing on YouTube and other social media sites. They’d then leverage their boiler room to answer incoming calls from victims.

Today, these practices continue, but we are seeing more advanced operations with a clear separation between lead generation and actual call fulfillment. Malvertising campaigns and redirections from compromised sites to browser locker pages are owned and operated by experienced purveyors of web traffic.

There is one particular browser locker (browlock) campaign that had been eluding us for some time. It stands apart from the others, striking repeatedly on high-profile sites, such as the Microsoft Edge Start page, and yet, eluding capture. In addition, and a first to our knowledge, the browser locker pages were built to be ephemeral with unique, time-sensitive session tokens.

In November 2019, we started dedicating more time to investigating this campaign, but it wasn’t until December that we were finally able to understand its propagation mechanism. In this blog, we share our findings by documenting how threat actors used targeted traffic-filtering coupled with steganography to create the most elaborate browser locker traffic scheme to date. More: Malwarebytes Labs

World's Biggest Data Breaches & Hacks

Great presentacion !

informationisbeautiful.net

Safely check if your details have been compromised in any recent data breaches: https://haveibeenpwned.com/

Tuesday, January 21, 2020

Malwarebytes has discovered a strain of malware on the Unimax (UMX) U686CL, a low-end smartphone sold by Virgin Mobile Group subsidiary Assurance Wireless.

Jimmy Aki

Jan 13, 2020 @ 22:10 UTC

Low-end smartphones across the United States have a new problem to deal with, malware. Malwarebytes has discovered a strain of malware on the Unimax (UMX) U686CL, a low-end smartphone sold by Virgin Mobile Group subsidiary Assurance Wireless.

The phones, which are made in China, are sold through a U.S. government program that subsidizes phone services to low-income families, called Lifeline.

As Malwarebytes reported, there have been several reports concerning the phones since late 2019, with multiple users complaining that some of the pre-installed apps are malicious. Researchers went on to purchase the phone, only to find that the complaints were true.

Adups and HiddenAds

To begin with, they discovered that one of the apps on the phones- named Wireless Update- contained a malware known as Adups. The malware was created by a Chinese company bearing the same name, and was billed as a means of allowing firmware vendors to update their code.

However, researchers at Kryptowire found in 2017 that its manufacturers were able to ship updates to the software without getting permission from the devices’ vendors and users. Malwarebytes explained that the software still does the same thing to this day.

“From the moment you log into the mobile device [the UMX U686CL], Wireless Update starts auto-installing apps. To repeat: There is no user consent collected to do so, no buttons to click to accept the installs, it just installs apps on its own,” researchers explained.

Although they pointed out that the apps were initially free of any malware, the fact that they’re installed without consent means that Adups (the software manufacturers) could just as well do the same thing at any time.

That’s not all. They also found suspicious code in the Settings app. As they explained, the app was filled with a heavily obfuscated malware strain,’ and from the set of characters used in writing its code, they opined that it was of Chinese origin.

They explained that it was meant to act as a dropped for HiddenAds; a popular second-stage malware payload.
Difficult to Uninstall

The company explained that they couldn’t confirm if the malware was installed by the device manufacturers. They might as well have been installed by any of the third parties that had access to the devices while in transit. But, that’s unlikely.What’s troublesome is the fact that the two malware were said to be non-removable, thanks to their strategic location. Adups is hidden in the Wireless Update app, and any user that uninstalls or disables that will miss out on critical updates going forward.

On the flip side, the Settings app, as we all know, is non-removable. Taking it out will make the device effectively unusable, leaving users stuck with the malware it houses

Monday, January 20, 2020

Microsoft Issues Windows Security Update for 0Day Vulnerability

Microsoft released two out of band security updates today for remote code execution (RCE) and denial of service (DoS) security vulnerabilities impacting Internet Explorer and Windows Defender, respectively.

The first one is a zero-day RCE vulnerability tracked as CVE-2019-1367 and disclosed by Clément Lecigne of Google’s Threat Analysis Group.

The CVE-2019-1367 scripting engine memory corruption vulnerability is known to have been exploited in the wild and it "exists in the way that the scripting engine handles objects in memory in Internet Explorer."

"The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user" says Microsoft. More: bleepingcomputer.com

Malware Must Die!: MMD-0065-2020 - Linux/Mirai-Fbot's new encryption ...

Malware Must Die!: MMD-0065-2020 - Linux/Mirai-Fbot's new encryption ...: Prologue I setup a local brand new ARM base router I bought online around this new year 2020 to replace my old pots, and yesterday, it wa...

Stelios-DASOS PC Security Info