
Sunday, April 5, 2020

New Coronavirus-Themed Malware Locks You Out of Windows, but there's a simple fix


By Lawrence Abrams April 2, 2020 04:46 PM



With school closed due to the Coronavirus pandemic, some kids are creating malware to keep themselves occupied. Such is the case with a variety of new MBRLocker variants being released, including one with a Coronavirus theme.

MBRLockers are programs that replace the 'master boot record' of a computer so that it prevents the operating system from starting and displays a ransom note or other message instead.

Some MBRLockers such as Petya and GoldenEye also encrypt the table that contains the partition information for your drives, thus making it impossible to access your files or rebuild the MBR without entering a code or paying a ransom.
Petya Ransomware
First MBRLocker with a Coronavirus theme

Last week, MalwareHunterTeam discovered the installer for a new malware with the name of "Coronavirus" being distributed as the COVID-19.exe file.



When installed, the malware extracts numerous files to a folder under %Temp% and then executes a batch file named Coronavirus.bat. This batch file moves the extracted files to a C:\COVID-19 folder, configures various programs to start automatically on login, and then restarts Windows.
Coronavirus.bat file

After Windows is restarted, a picture of the Coronavirus will be displayed along with a message stating "coronavirus has infected your PC!"
The Coronavirus image shown after the first reboot

Analysis by both SonicWall and Avast states that another program will also be executed that backs up the boot drive's Master Boot Record (MBR) to another location and then replaces it with a custom MBR.
MBR being backed up and overwritten
Source: SonicWall

On reboot, the custom Master Boot Record will display a message stating "Your Computer Has Been Trashed" and Windows will not start.
MBRLock lock screen

Thankfully, the analysis by Avast shows that a bypass has been added to the custom MBR code that allows you to restore your original Master Boot Record so that you can boot normally. This can be done by pressing the CTRL+ALT+ESC keys at the same time.

Further research by BleepingComputer has discovered another variant from the same developer called 'RedMist'. When installed, instead of showing the Coronavirus image, it shows an image of Squidward stating "Squidward is watching you".

Like the Coronavirus version, this variant will warn you that after rebooting you will not be able to gain access to Windows again.
Squidward/RedMist version

This variant also supports the CTRL+ALT+ESC bypass so that you can restore the original MBR.

It should be noted that these infections do not delete your data or destroy the partition table. Simply restoring the MBR from the backup location will allow you to start Windows and access your data again.
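The distinction drawn above (boot code replaced, partition table untouched) is exactly what a defender can verify. The following Python is an added example, not code from the article or from the SonicWall or Avast analyses it cites. It parses a 512-byte MBR into its boot code, four partition entries and the 0x55AA signature, then compares a freshly read sector with a known-good baseline and reports whether only the boot code changed. The sample sectors, the partition layout and the boot-code bytes are constructed for the demonstration; `read_first_sector` assumes a Windows host with administrative rights and is not called during the demo.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot loader code
PARTITION_ENTRY_LEN = 16     # four 16-byte entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, non-empty partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    table = sector[BOOT_CODE_LEN:BOOT_CODE_LEN + 4 * PARTITION_ENTRY_LEN]
    partitions = []
    for i in range(4):
        entry = table[i * PARTITION_ENTRY_LEN:(i + 1) * PARTITION_ENTRY_LEN]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": boot_code, "partitions": partitions, "signature": sector[510:512]}


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the boot code only, so a baseline can be stored as a short string."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(current: bytes, baseline: bytes) -> dict:
    """Compare a freshly read MBR against a known-good copy of the same disk."""
    cur = parse_mbr(current)
    base = parse_mbr(baseline)
    return {
        "signature_ok": cur["signature"] == BOOT_SIGNATURE,
        "boot_code_changed": boot_code_digest(current) != boot_code_digest(baseline),
        "partition_table_intact": cur["partitions"] == base["partitions"],
    }


def read_first_sector(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the live MBR. Assumes Windows and an elevated process (not run in the demo)."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: given boot code, one active NTFS partition, valid signature."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    # Constructed layout: bootable (0x80), type 0x07 (NTFS), starting at LBA 2048, 204800 sectors
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_LEN)
    return boot + table + BOOT_SIGNATURE


# Constructed baseline: a short x86 boot stub prefix stands in for real loader code.
GOOD_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
# Constructed "locked" sector: different boot code, same partition table, same signature.
LOCKED_MBR = build_sample_mbr(b"constructed stand-in for lock-screen boot code")

if __name__ == "__main__":
    print(check_mbr(LOCKED_MBR, GOOD_MBR))
```

The useful signal is the combination: `boot_code_changed` true with `partition_table_intact` true matches the behaviour described in the article, where data and partitions survive and only the boot code needs to be put back. A baseline digest captured on a known-clean machine is enough to run this check from a scheduled task or an EDR script; restoring the sector is a write to the raw disk and is better left to a recovery tool or the backup copy the article mentions than to an ad-hoc script.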
A steady stream of MBRLockers being made

BleepingComputer has been able to find numerous MBRLocker variants being released over the past week using different messages, memes, and inside jokes.

All of these MBRLocker variants are being made with a publicly available tool that was released on YouTube and Discord. BleepingComputer will not be publishing the name of the tool to prevent further variants from being released.

Below is a small sample of the various MBRLockers released this week and created using this utility.

BleepingComputer believes that all of these MBRLockers are being created for 'fun' or as part of 'pranks' to be played on people.

While it is not known if they are being distributed maliciously, users should still be especially careful of running any programs shared by other people, especially on Discord, without first scanning them using VirusTotal.

Saturday, April 4, 2020

Microsoft: Emotet Took Down a Network by Overheating All Computers


By Sergiu Gatlan April 3, 2020 03:25 PM



Microsoft says that an Emotet infection was able to take down an organization's entire network by maxing out CPUs on Windows devices and bringing its Internet connection down to a crawl after one employee was tricked into opening a phishing email attachment.

"After a phishing email delivered Emotet, a polymorphic virus that propagates via network shares and legacy protocols, the virus shut down the organization’s core services," DART said.

"The virus avoided detection by antivirus solutions through regular updates from an attacker-controlled command-and-control (C2) infrastructure, and spread through the company’s systems, causing network outages and shutting down essential services for nearly a week."
All systems down within a week

The Emotet payload was delivered and executed on the systems of Fabrikam — a fake name Microsoft gave the victim in their case study — five days after the employee's user credentials were exfiltrated to the attacker's command and control (C&C) server.

Before this, the threat actors used the stolen credentials to deliver phishing emails to other Fabrikam employees, as well as to their external contacts, with more and more systems getting infected and downloading additional malware payloads.

The malware spread further through the network without raising any red flags by stealing admin account credentials and using them to authenticate on new systems, which were later used as stepping stones to compromise other devices.

Within 8 days of that first booby-trapped attachment being opened, Fabrikam's entire network was brought to its knees despite the IT department's efforts, with PCs overheating, freezing, and rebooting because of blue screens, and Internet connections slowing down to a crawl because of Emotet devouring all the bandwidth.
Emotet attack flow (Microsoft DART)

"When the last of their machines overheated, Fabrikam knew the problem had officially spun out of control. 'We want to stop this hemorrhaging,' an official would later say," DART's case study report reads.

"He’d been told the organization had an extensive system to prevent cyberattacks, but this new virus evaded all their firewalls and antivirus software. Now, as they watched their computers blue-screen one by one, they didn’t have any idea what to do next."

Based on what the official said following the incident, although not officially confirmed, the attack described by Microsoft's Detection and Response Team (DART) matches a malware attack that impacted the city of Allentown, Pennsylvania in February 2018, as ZDNet first noticed.

At the time, Mayor Ed Pawlowski said that the city had to pay nearly $1 million to Microsoft to clean out their systems, with an initial $185,000 emergency-response fee to contain the malware and up to $900,000 in additional recovery costs, as first reported by The Morning Call.
Emotet infection aftermath and containment procedures

"Officials announced that the virus threatened all of Fabrikam’s systems, even its 185-surveillance camera network," DART's report says.

"Its finance department couldn’t complete any external banking transactions, and partner organizations couldn’t access any databases controlled by Fabrikam. It was chaos.

"They couldn’t tell whether an external cyberattack from a hacker caused the shutdown or if they were dealing with an internal virus. It would have helped if they could have even accessed their network accounts.

"Emotet consumed the network’s bandwidth until using it for anything became practically impossible. Even emails couldn’t wriggle through."

Microsoft's DART — a remote team and one that would deal with the attack on site — was called in eight days after the first device on Fabrikam's network was compromised.

DART contained the Emotet infection using asset controls and buffer zones designed to isolate assets with admin privileges.

They eventually were able to completely eradicate the Emotet infection after uploading new antivirus signatures and deploying Microsoft Defender ATP and Azure ATP trials to detect and remove the malware.

Microsoft recommends using email filtering tools to automatically detect and stop phishing emails that spread the Emotet infection, as well as the adoption of multi-factor authentication (MFA) to stop the attackers from taking advantage of stolen credentials.
Emotet infection chain (CISA)
Emotet infections can lead to severe outcomes

Emotet, originally spotted as a banking Trojan in 2014, has evolved into a malware loader used by threat actors to install other malware families including but not limited to the Trickbot banking Trojan (a known vector used in the delivery of Ryuk ransomware payloads).

Emotet was recently upgraded with a Wi-Fi worm module designed to help it spread to new victims via nearby insecure wireless networks.

Recently, in January 2020, the Cybersecurity and Infrastructure Security Agency (CISA) warned government and private organizations, as well as home users, of increasing activity around targeted Emotet attacks.

In November 2019, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) also warned of the dangers behind Emotet attacks, saying at the time that the malware "provides an attacker with a foothold in a network from which additional attacks can be performed, often leading to further compromise through the deployment of ransomware."

Emotet ranked first in a 'Top 10 most prevalent threats' ranking published by interactive malware analysis platform Any.Run at the end of December 2019, with triple the number of sample uploads submitted for analysis when compared to the next malware in the ranking, the Agent Tesla info-stealer.

CISA provides general best practices to limit the effect of Emotet attacks and to contain network infections within an Emotet Malware alert published two years ago and updated earlier this year.

Discord Turned Into an Account Stealer by Updated Malware


By Lawrence Abrams April 3, 2020 06:07 PM



A new version of the popular AnarchyGrabber Discord malware has been released that modifies the Discord client files so that it can evade detection and steal user accounts every time someone logs into the chat service.

AnarchyGrabber is a popular malware distributed on hacking forums and in YouTube videos that steals user tokens for a logged-in Discord user when the malware is executed.

These user tokens are then uploaded back to a Discord channel under the attacker's control where they can be collected and used by the threat actor to log in as their victims.

The original version of the malware is in the form of an executable that is easily detected by security software and only steals tokens while it is running.
Modify Discord client files to evade detection

To make it harder to detect by antivirus software and to offer persistence, a threat actor has updated the AnarchyGrabber malware so it modifies the JavaScript files used by the Discord client to inject its code every time it runs.

This new version is given the very original name of AnarchyGrabber2 and when executed will modify the %AppData%\Discord\[version]\modules\discord_desktop_core\index.js file to inject JavaScript created by the malware developer.

For example, the index.js file normally looks like the following image for an unmodified Discord client.
Unmodified index.js file

When AnarchyGrabber2 is executed, the index.js file will be modified to inject additional JavaScript files from a 4n4rchy subfolder as shown below.
AnarchyGrabber2 modified index.js file

With these changes, when Discord is started the additional malicious JavaScript files will be loaded as well.

Now, when a user logs into Discord, the scripts will use a webhook to post the victim's user token to a threat actor's Discord channel with the message "Brought to you by The Anarchy Token Grabber".
Stealing a Discord user token

MalwareHunterTeam, who found this new variant and shared it with us, told BleepingComputer that "skids are sharing them everywhere."

What makes these Discord client modifications such a problem is that even if the original malware executable is detected, the client files will be modified already.

As security software does such a poor job detecting these client modifications, the code will stay resident on the machine without the user even knowing their accounts are being stolen.
Discord needs to do client integrity checks

This is not the first time a Discord malware has modified the client's JavaScript files.

In October 2019, BleepingComputer broke the news that a Discord malware was modifying the client files to turn the client into an information-stealing Trojan.

At the time, Discord had stated that they would look into ways to prevent this from happening again, but unfortunately, those plans never happened.

The proper way these modifications can be detected is for Discord to create a hash of each client file when a new version is released. If a file is modified, then the hash for that particular file will change.

Discord can then perform a file integrity check on startup and, if a modified file is detected, display a message like the one below, which was mocked up by BleepingComputer.
Discord File Check Mockup
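One way to implement the release-time hash plus startup check proposed above, as an added example in Python rather than anything Discord ships or BleepingComputer wrote: `build_manifest` hashes every file under the client's install directory and `verify_install` reports files that were modified, removed or added since the manifest was produced. The `demo` function constructs a stand-in install in a temporary directory with placeholder `index.js` and `core.asar` contents, then alters `index.js` and drops a placeholder file into a `4n4rchy` subfolder to mirror the change the article describes; those file contents are invented for the test and are not the real client files.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every file under root, keyed by its POSIX-style relative path.

    A vendor would generate this once per release and sign it; at startup the
    client only needs the manifest, not a second copy of the files."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_install(root: Path, manifest: dict) -> dict:
    """Compare the live install tree against the manifest and classify every difference."""
    current = build_manifest(root)
    modified = sorted(f for f in manifest if f in current and current[f] != manifest[f])
    missing = sorted(f for f in manifest if f not in current)
    added = sorted(f for f in current if f not in manifest)  # e.g. a dropped subfolder
    return {"ok": not (modified or missing or added),
            "modified": modified, "missing": missing, "added": added}


def demo() -> dict:
    """Constructed scenario: clean install, manifest taken, then index.js altered and a file added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        core = root / "modules" / "discord_desktop_core"
        core.mkdir(parents=True)
        # Placeholder contents standing in for the real client files (constructed, not Discord's).
        (core / "index.js").write_text("module.exports = require('./core.asar');\n")
        (core / "core.asar").write_bytes(b"constructed-archive-bytes")
        manifest = build_manifest(root)          # what the vendor would ship with the release

        # Stand-in for the tampering the article describes: index.js changed, 4n4rchy folder dropped.
        original = (core / "index.js").read_text()
        (core / "index.js").write_text("// constructed stand-in for an injected line\n" + original)
        (core / "4n4rchy").mkdir()
        (core / "4n4rchy" / "inject.js").write_text("// placeholder file, no real content\n")

        return verify_install(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two details matter in practice. The manifest has to be trusted more than the files it covers: if it lives in the same user-writable %AppData% tree, malware running as that user can simply rehash after tampering, so it should be signed by the vendor or fetched from a location the client can verify. And the check has to run before any module is loaded, otherwise the injected script has already executed by the time the warning appears.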

Until Discord adds client integrity into their client's startup, Discord accounts will continue to be at risk from malware that modifies the client files.

BleepingComputer has contacted Discord about this malware and the file integrity checks but has not heard back as of yet.

Friday, April 3, 2020

Zoom's Web Client is Down, Users Report 403 Forbidden Errors

By Sergiu Gatlan April 3, 2020 11:20 AM



Zoom users are currently reporting that they are unable to use the Zoom web client or start and attend webinars, with reports saying that the web client is throwing '403 Forbidden' errors.

Other reports mention time out errors saying that "Your connection has timed out and you cannot join the meetings. Verify your network connectivity and try again."

Based on user reports on DownDetector, Zoom users from the US East Coast and Western Europe are most affected by these ongoing issues.

According to the platform's status page, the Zoom web client is under maintenance and, as detailed on the company's dev forum, Zoom is "working to get the Zoom Web Client and Zoom Web SDK back online."
Zoom outage map (DownDetector)

A Zoom spokesperson confirmed the web client outage, and advised users to download and install the desktop application until the issues are resolved.

"Our team is currently aware of issues with users joining Zoom meetings and webinars using Zoom’s web client," a statement from a Zoom spokesperson says.

"In the interim, we recommend downloading and installing Zoom from zoom.us/download to connect to your meeting. We are working on it and will post further information and updates on status.zoom.us shortly.

"Sorry for the inconvenience. Thank you very much for your patience."
Zoom timeout error (aleksandr.borovsky)

Software company Zoom provides users with a cloud-based communication platform that can be used for video conferencing, online meetings, and chat and collaboration via mobile, desktop, and telephone systems.

Zoom has seen a quick increase of new monthly active users since the start of 2020, with millions of employees and students who are now working and learning from home using the platform.

Zoom has gained around 2.22 million new users this year alone, while only 1.99 million were added last year. In total, it now has over 12.9 million monthly active users, with Bernstein Research analysts saying last month that Zoom saw a user growth of about 21% since the end of 2019 as reported by CNBC.

Facebook Messenger: The desktop app is now available!


By Pohackontas, 3 April 2020, 15:50

Facebook Messenger has just released a desktop app for MacOS and Windows, which gives users the ability to video chat from their computer, keeping them in touch with friends, family and others in every corner of the planet.

In this period, people need and use technology more than ever, both for their work and to communicate with people from their professional and personal circles, even if they cannot leave their homes. As an indication, last month there was a more than 100% increase in users making voice and video calls on Messenger from their desktop browser. Now that there are apps for MacOS and Windows, the best version of Facebook Messenger is coming to your desktop, offering unlimited and free group video calls.

At this point, it is worth mentioning some highlights of the new Messenger app:

Group video calls on a bigger screen: You can connect with family and friends, join a workout, or be entertained.

Easy connection: You don't need to know someone's email or phone number, since your Facebook friends already have Messenger.

Multitasking: You can easily access your conversations while switching in and out of the app, doing other things on your computer at the same time.

Notifications: You can receive notifications for new messages, so you can go straight to the conversation you are looking for. You can choose to mute or snooze notifications.

Conversations sync across your phone and computer: This way, you will never miss a call or a message, regardless of the device you use.

Everything you love about Messenger will be on a bigger screen, including the GIFs and dark mode available in chat.


You can download the app from the Microsoft Store or the Mac App Store. This Facebook Messenger desktop app promises to make your daily communication with family and others easier, so you can keep socialising even during the “social distancing” imposed by current circumstances.