Νέα phishing εκστρατεία μολύνει τα θύματα με info-stealer και ransomware

 ByDigital Fortress 4 Μαΐου 2020, 13:33



Μια νέα phishing εκστρατεία διανέμει το LokiBot (malware που κλέβει πληροφορίες–info-stealer) και ένα δεύτερο payload με τη μορφή του Jigsaw Ransomware.

Με αυτό το συνδυασμό malware, οι εισβολείς κλέβουν, αρχικά, ονόματα χρηστών και κωδικούς πρόσβασης που είναι αποθηκευμένα σε διάφορες εφαρμογές και στη συνέχεια εγκαθιστούν το Jigsaw Ransomware για ζητήσουν λύτρα από τα θύματα.

Κακόβουλα Υπολογιστικά φύλλα Excel


Τα ακριβή emails που αποστέλλονται στο πλαίσιο αυτής της phishing εκστρατείας δεν έχουν βρεθεί, αλλά τα συνημμένα εμφανίζονται ως τιμολόγια, τραπεζικές μεταφορές, παραγγελίες κλπ.

Η phishing εκστρατεία χρησιμοποιεί συνημμένα Excel αρχεία, με ονόματα όπως Swift.xlsx, orders.xlsx, Invoice For Payment.xlsx, Inquiry.xlsx.

Σε αντίθεση με πολλά phishing έγγραφα, τα συγκεκριμένα φαίνονται νόμιμα ή έστω προσεκτικά φτιαγμένα, ώστε να φαίνονται αξιόπιστα.



Σύμφωνα με τον ερευνητή ασφαλείας James, που ανακάλυψε αυτήν τη phishing εκστρατεία, σε αυτά τα συνημμένα έχει χρησιμοποιηθεί το LCG Kit, που τους επιτρέπει να εκμεταλλεύονται μια παλιά Microsoft Office ευπάθεια εκτέλεσης κώδικα απομακρυσμένα (CVE-2017-11882) στο Equation Editor.

Εάν η ευπάθεια χρησιμοποιηθεί επιτυχώς, θα γίνει λήψη του malware από ένα απομακρυσμένο site και θα ξεκινήσει η εκτέλεσή του.


Σύμφωνα με τον ερευνητή, το cjjjjjjjjjjjjjjjjjjj.exe είναι το LokiBot.


Το LokiBot info-stealer έχει τη δυνατότητα να κλέβει αποθηκευμένα credentials από διάφορους browsers, FTP, mail, και terminal προγράμματα. Στη συνέχεια, στέλνει τα δεδομένα στον command and control server, που ελέγχει ο επιτιθέμενος.

Πρόσθετο ransomware payload

Επιπλέον, η παραλλαγή LokiBot που διανέμεται μέσω της phishing εκστρατείας, έχει ρυθμιστεί ώστε να εγκαθιστά μια παραλλαγή του Jigsaw Ransomware που κρυπτογραφεί τα αρχεία ενός θύματος και προσθέτει την επέκταση .zemblax στα ονόματα των αρχείων.



Τα καλά νέα είναι ότι το Jigsaw αποκρυπτογραφείται εύκολα, οπότε αν μολυνθείτε μπορείτε εύκολα να βρείτε τη λύση.

Τα κακά νέα είναι ότι το Jigsaw Ransomware θα διαγράψει για λίγο τα αρχεία σας μέχρι να πληρώσετε.

Επομένως, εάν μολυνθείτε, φροντίστε να τερματίσετε τη διαδικασία drpbx.exe χρησιμοποιώντας το Task Manager. Αν το κάνετε, το Jigsaw Ransomware θα σταματήσει και δεν θα διαγράψει τα αρχεία σας.

Καθώς αυτή η phishing εκστρατεία χρησιμοποιεί κακόβουλα υπολογιστικά φύλλα Excel, βεβαιωθείτε ότι χρησιμοποιείτε τις πιο πρόσφατες ενημερώσεις ασφαλείας για τις εγκατεστημένες εφαρμογές του Office, ώστε να παραμείνετε προστατευμένοι.

New phishing campaign packs an info-stealer, ransomware punch!!

By Lawrence Abrams May 1, 2020 01:00 PM 0



A new phishing campaign is distributing a double-punch of a LokiBot information-stealing malware along with a second payload in the form of the Jigsaw Ransomware.

By using this malware combo, the attackers first steal saved user names and passwords stored in a variety of applications and then deploy the Jigsaw Ransomware to try and get a small ransom to sweeten the attack.
Weaponized Excel spreadsheets

The exact emails sent as part of this campaign have not been found, but the attachments impersonate invoices, bank transfers, orders, and business inquiries.

Top ArticlesShade Ransomware Decryptor can now decrypt over 750K victims

This campaign is using Excel attachments with names such as Swift.xlsx, orders.xlsx, Invoice For Payment.xlsx, Inquiry.xlsx.

Unlike many phishing attachments, the actors appear to be utilizing legitimate or carefully crafted spreadsheets that have been weaponized to seem believable, as shown below.
Click to see a larger version

According to security researcher James, who discovered this campaign, these attachments have been weaponized using LCG Kit so that they exploit an old Microsoft Office CVE-2017-11882 remote code execution vulnerability in Equation Editor.
Weaponized attachment

If successfully exploited, malware will be downloaded from a remote site and executed.
The vulnerability being exploited to download malware

While this malware has since been removed from the site, James told BleepingComputer that the cjjjjjjjjjjjjjjjjjjj.exe file is LokiBot.

LokiBot has the ability to steal saved login credentials from a variety of browsers, FTP, mail, and terminal programs and then sends it back to the command and control server to be collected by the attacker.
Additional ransomware payload

In addition, this LokiBot variant has been configured to download and install a Jigsaw Ransomware variant that uses a Salvadore Dali mask from the popular Money Heist show as its background.
Jigsaw Ransomware

This Jigsaw Ransomware variant will encrypt a victim's files and append the .zemblax extension to encrypted file's names.
Encrypted Files

The good news is that Jigsaw is easily decrypted, so if you become infected with this variant, be sure to let us know so we can help.

The bad news is that the Jigsaw Ransomware will periodically delete your files until you pay.

Therefore, if you become infected, be sure to terminate the drpbx.exe process using Task Manager so that the Jigsaw Ransomware will be shut down and not delete your files.

As this phishing campaign utilizes malicious spreadsheets that exploit an old Excel vulnerability, simply making sure you are using the latest security updates for your installed Office applications will protect you.

New Android malware steals financial information, bypasses 2FA

By Sergiu Gatlan April 30, 2020 02:21 PM 0



A new banking Trojan can steal financial information from Android users across the United States and several European countries, including the UK, Germany, Italy, Spain, Switzerland, and France.

Dubbed EventBot by researchers at Cybereason Nocturnus who discovered it in March 2020, the malware is a mobile banking trojan and infostealer designed to abuse the Android operating system's accessibility features to steal sensitive financial data.

"EventBot targets users of over 200 different financial applications, including banking, money transfer services, and crypto-currency wallets," the Cybereason Nocturnus researchers found.

Top ArticlesBugs in WordPress plugins for online courses let students cheat

READ MORE

"Those targeted include applications like Paypal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase, Paysafecard, and many more." — the full list of targeted Android apps is available here.

At the moment, the malware is not being distributed via the Google Play Store, with its creators most likely using shady APK hosting websites and rogue APK marketplace for distribution to potential victims' devices.
Apps targeted by EventBot (Cybereason Nocturnus)
Permissions for everything

Once the targets download EventBot on their devices and start the installation process, the malware will ask to be granted a large set of permissions including the capability to run in the background, to ignore battery optimizations, and to prevent the processor from sleeping or the device from dimming the screen.

EventBot also asks to get access to Android's accessibility services which allows it to "operate as a keylogger and can retrieve notifications about other installed applications and content of open windows" once the permissions are granted.

The banking trojan also asks for permission to launch itself after system boot as a simple way to gain persistence on infected devices and run in the background as a service.

It will also request permission to read and receive SMS messages malware, thus gaining the ability to read text messages and steal one-time passcodes (OTPs) it later uses to bypass two-factor authentication (2FA) for accounts using SMS-based 2FA — EventBot also uses webinjects to circumvent 2FA.

EventBot collects the list of installed apps on the Android devices it infects, together with device info like OS and model, data that gets sent to its command-and-control server to be later harvested by its operators.
EventBot requesting permissions (Cybereason Nocturnus)
Still in development but already a threat

Although it is currently in its early stages of development, EventBot can become a major Android malware threat since it is already capable of targeting hundreds of financial apps and the developers add more new feature in each version like encryption, dynamic library loading, and automatic adjustment to device models and locales.

Because the threat actor behind this malware updates it every few days, it's just a matter of time until it catches up to other highly dangerous Android trojans like Cerberus, Anubis, and xHelper.

For instance, EventBot's developers added a layer of obfuscation in the latest version, "perhaps taking the malware one step closer to being fully operational," according to the researchers.

To defend against an EventBot infection you should avoid third-party marketplaces if possible and always install apps only from the Google Play Store as they go through a vetting process that makes sure that most potentially malicious apps are rejected.

"Cybereason believes EventBot could be the next influential mobile malware because of the time the developer has already invested into creating the code and the level of sophistication and capabilities is really high," Cybereason Head of Threat Research Assaf Dahan said.

"By accessing and stealing this data, Eventbot has the potential to access key business data, including financial data. Mobile malware is no laughing matter and it is a significant risk for organizations and consumers alike."

EventBot indicators of compromise (IOCs) including malware sample hashes, and IP addresses and domains of its command and control servers, are available at the end of Cybereason Nocturnus' report.

Starting last month, the TrickBot​​​​​ gang has also begun using a malicious Android app dubbed TrickMo that steals transaction authentication numbers (TANs) — including one-time passwords (OTP), mobile TAN (mTAN), and pushTAN authentication codes — to bypass the 2FA protection used by various banks

Threat actors release Troldesh decryption keys

RANSOMWARE


Posted: April 28, 2020 by Pieter Arntz


A GitHub user claiming to represent the authors of the Troldesh Ransomware calling themselves the “Shade team” published this statement last Sunday:


“We are the team which created a trojan-encryptor mostly known as Shade, Troldesh or Encoder.858. In fact, we stopped its distribution in the end of 2019. Now we made a decision to put the last point in this story and to publish all the decryption keys we have (over 750 thousands at all). We are also publishing our decryption soft; we also hope that, having the keys, antivirus companies will issue their own more user-friendly decryption tools. All other data related to our activity (including the source codes of the trojan) was irrevocably destroyed. We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data.”
Are these the real Troldesh decryption keys?

Yes. Since the statement and the keys were published the keys have been verified as our friends at Kaspersky have confirmed the validity of the keys and are working on a decryption tool. That tool will be added to the No More Ransom project. The “No More Ransom” website is an initiative by the National High Tech Crime Unit of the Dutch police, Europol’s European Cybercrime Centre, Kaspersky and McAfee with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.

In the past, a few decryption tools for some of the Troldesh variants have already been published on the “No More Ransom” website. We will update this post when the Kaspersky decryptor is released and would like to warn against following the instructions on GitHub unless you are a very skilled user. The few extra days of waiting shouldn’t hurt that much and a failed attempt may render the files completely useless.
When is it useful to use the Troldesh decryption tool?

Before you go off and run this expected tool on your victimized computer as soon as it comes out, check if your encrypted files have one of these extensions:
xtbl
ytbl
breaking_bad
heisenberg
better_call_saul
los_pollos
da_vinci_code
magic_software_syndicate
windows10
windows8
no_more_ransom
tyson
crypted000007
crypted000078
rsa3072
decrypt_it
dexter
miami_california

If the file extensions from your affected system(s) do not match one on the list above, then your files are outside of the scope of this decryption tool. If you do find a match you should wait for the decryption tool to be published.
Why would this gang publish the Troldesh decryption keys?

The reason for all this is unknown and subject to speculation. We can imagine a few different reasons. From not very likely to credible.
Maybe their conscience caught up with them. After all they do apologize to the victims. But these are only the victims that didn’t pay or were unable to recover their files despite paying the ransom.
The Shade team may suspect that someone has breached their key vault and they were forced or decided on their own accord to publish the keys for that reason. But we have seen no claims to support that possibility.
The profitability of the ransomware had reached its limit. Ransom.Troldesh has been around since 2014 and we saw a steep detection spike once the threat actors ventured outside of Russian targets in February of 2019. But after that initial spike the number of detections gradually faded out. It was still active and generating money though.Number of Malwarebytes detections of Ransom.Troldesh from July 2018 till April 2020
The development of this ransomware has reached its technical limit and the team will focus on a new software project. The team stated to have stopped distribution in the end of 2019, but failed to let on what they are currently working on.
What we know

All we know for sure is that the keys have been verified and a decryption tool is in the works. All the rest are speculations based on a statement made on GitHub by an account by the name of “shade-team” that joined GitHub on April 25th, just prior to the statement.

Victims can keep their eyes peeled for the release of the decryption tool. We’ll keep you posted.

Stay safe!

Windows 10 KB4549951 update fails to install, causes BSODs

By Sergiu Gatlan April 23, 2020 07:11 PM 1




The Windows 10 KB4549951 cumulative update is reportedly failing to install and is causing blue screens of death (BSOD) after installation reboots, among other issues, according to user reports.

KB4549951 is a cumulative update with security fixes released as part of this April 2020 Patch Tuesday for Windows 10, version 1909 and for Windows 10, version 1903.

To install KB4549951, you can either check for updates via Windows Update or manually download it for your Windows version from the Microsoft Update Catalog. Admins can distribute the update to users in their enterprise environments via Windows Server Update Services (WSUS).

For users with automatic updates enabled, installing this cumulative update requires no additional actions.

Microsoft says that they are not currently aware of any issues with the KB4549951 update according to this Windows support entry.


KB4549951 installation failures


Even though usually there are workarounds to install problematic updates manually when encountering errors, users who had to deal with KB4549951 failing to install have reported via Microsoft's official Feedback Hub, on the Microsoft Community website, and via Reddit that none of them helped.

0x80070bc2, 0x800f0900, 0x80070003, 0x80073701, 0x800f080a, 0x800f0986, and 0x80070002 errors while attempting to install KB4549951 were spotted and reported by multiple users since the cumulative update was released by Microsoft on April 14.

"It downloads and installs. During restart, I get msg that it could not install and it restores my PC back to before the update," one user says on Microsoft's Feedback Hub. "Last failed install attempt on ‎4/‎21/‎2020 - 0x80070003 troubleshooter could not fix the problem."

"Having now spent two hours waiting for these two updates to download and install then on restart it tells me we were unable to install so resetting back to how it was," another report adds.
Some of the KB4549951 issues reported via the Feedback Hub
Also causing BSODs and networking issues


More than a fair share of the user reports we saw since KB4549951 was released more than a week ago are mentioning blue screens of death (BSODs) after the system crashes during the restart that follows the update's installation process. In most of these cases, the device will reboot and will remove the update on its own.

"Windows Update KB4549951, released in the past week, caused a "BLUE SCREEN OF DEATH" on my laptop with the error message "BOOT DRIVE INACCESSIBLE", one report says.

"I came to this conclusion after 3 system restores, uninstalling recent updates sequentially and checking update reviews online. It appears that this specific update causes a system CRITICAL issue. Unfortunately, I can't pause updates for longer than a month so this is a ticking time-bomb if it's not fixed!"

Other users have also reported problems with their Windows 10 devices being unable to boot again after installing the KB4549951 cumulative update.

"My perfectly working PC died while automatically installing KB4549951 (never rebooted). Tried automatic repair, all other repair options including uninstall latest update," one Feedback Hub report says.

"Nothing worked. It was stuck in the BSoD loop, stating 'Critical Process Died'. SrtTrail log stated, 'A recently serviced boot binary is corrupt.' So I decided to clean install the Windows again. Formatted C drive, fresh clean install. Again after automatic update installing KB4549951 the system crashed and is going into 'automatic repair' mode."
Windows 10 BSOD after CRITICAL_PROCESS_DIED error
Display issues and freezes when using streaming services


Other users have experienced combinations of multiple errors ranging from their files being deleted, WiFi networking, and display issues [1, 2] that, in some cases, made their devices unusable.

"Since installing this update I have had a variety of serious issues. BSOD, Wifi connectivity issues, Display adaptor issues and a general system slowdown," a Feedback Hub report details."Streaming has become impossible on any service from Netflix to iTunes. The nastiest one is when the display goes into hibernation, the explorer goes into recovery mode and I have to restart the whole system. Not happy. when will there be a fix?"

Similar issues caused by streaming services are reportedly leading to system freezes according to other reports, with the problems disappearing once the cumulative update is uninstalled.

"Immediately after installing KB4549951 all streaming services (netflix/stan/ect) through both Edge and Chrome caused hard freezing the instant any video began playback (even the previews)," a Feedback Hub reports reads. "This issue was only triggered through playback via browser, gaming, and videos on HDD were unaffected."

"This issue was reproduced consecutively about 10 times while trying various settings to isolate the cause. Immediately after uninstalling KB4549951, postponing updates, and restarting PC, the issue was resolved and playback via browser was normal. Event Viewer shows no critical or unexpected events outside of the PC being terminated incorrectly."

As usual, it's important to understand that these issues are most probably affecting a limited number of users and that rolling back the update will most likely fix any issues you might be experiencing.
Uninstalling KB4549951


Before uninstalling the KB4549951 Cumulative Update, you should know that you would also be removing mitigation for vulnerabilities affecting the Microsoft Scripting Engine, Windows App Platform and Frameworks, Windows Cloud Infrastructure, Windows Virtualization, Microsoft Graphics Component, Windows Kernel, Windows Media, Windows Shell, Windows Management, Windows Fundamentals, Windows Virtualization, Windows Storage and Filesystems, Windows Update Stack, and the Microsoft JET Database Engine.

If the issues you are experiencing after installing this cumulative update are making your Windows device unusable and you are willing to remove the security fixes it comes with, follow the procedure described below to roll back KB4549951.

Microsoft says in the update's details from the Microsoft Update Catalog that it can be removed "by selecting View installed updates in the Programs and Features Control Panel."

The step by step procedure requires you to open Control Panel, go to Programs > Programs and Features, and click on View installed updates in the left sidebar.

Next, right-click on KB4549951's entry in the list and confirm when asked if "Are you sure you want to uninstall this update?". Next, you'll have to click 'Yes' when asked and then restart your device.
Uninstalling the KB4549951 update