New point-of-sale malware

Security researchers have found a new memory-scraping malware program that steals payment card data from point-of-sale (PoS) terminals and sends it back to attackers using the Domain Name System (DNS). Dubbed Multigrain, the threat is part of a family of malware programs known as NewPosThings, with which it shares some code. However, this variant was designed to target specific environments.

Because DNS is conventionally used to translate domain names into IP addresses, not to transfer general data, it is often overlooked by security staff when assessing threats to their organizations. While HTTP or FTP traffic might be closely monitored or restricted to prevent unauthorized external connections, DNS “is still necessary to resolve hostnames within the corporate environment and is unlikely to be blocked”. Consequently, DNS remains an open channel for intruders, which makes this tactic especially appealing to stealthy cybercriminals.

Multigrain was designed with stealth in mind. It is digitally signed, it installs itself as a service called Windows Module Extension and, more importantly, it sends data back to attackers via DNS queries.

Stolen payment card data is first encrypted with a 1024-bit RSA key and then passed through a Base32 encoding process. The resulting encoded data is used in a DNS query for log.[encoded_data].evildomain.com, where “evildomain” is a domain name controlled by the attackers. The query arrives at the authoritative DNS server for that domain, which is also controlled by the attackers.

This technique, while not specific to Multigrain, allows attackers to pass data out of restricted environments where other Internet communication protocols are blocked.
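The DNS-as-carrier pattern described above leaves a recognisable trace in resolver logs: long, high-entropy labels drawn from the Base32 alphabet, repeated many times from one client to one attacker-controlled domain. The following detector is an added example, not code from the original article or from any vendor; it runs over a constructed log in a hypothetical "timestamp client qname" format, and the label-length and entropy thresholds are assumptions you would tune against your own traffic.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log in a hypothetical "timestamp client qname"
# format (not the output of any real resolver). The long labels are Base32 with
# the "=" padding stripped, since "=" cannot appear in a hostname.
SAMPLE_DNS_LOG = """\
2016-04-20T10:00:01 10.1.1.5 www.example.com
2016-04-20T10:00:02 10.1.1.5 mail.example.com
2016-04-20T10:00:03 10.1.1.9 log.KRUGKIDROVUWG2ZAMJZG653OEBTG66BANJ2W24DTEBXXMZLSEB2GQZJANRQX.evildomain.com
2016-04-20T10:00:04 10.1.1.9 log.GEZDGNBVGY3TQOJQHAYTEMZUGU3DOOBZGAZTGMRTGQ2TMNZYHEYDCMRTGQ2T.evildomain.com
2016-04-20T10:00:05 10.1.1.5 cdn-static-assets.example.net
2016-04-20T10:00:06 10.1.1.9 log.MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43UOV3HO6DZPI2TGNBVGY3TQOJQ.evildomain.com
"""

# Base32 alphabet is A-Z and 2-7; DNS labels are at most 63 characters.
BASE32_LABEL = re.compile(r"[A-Z2-7]{20,63}")
ENTROPY_THRESHOLD = 3.5  # bits per character (assumed); English-like labels sit below this
LONG_LABEL = 40          # labels this long are rare in legitimate hostnames (assumed)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def label_reason(label: str):
    """Return why a single DNS label looks like an exfiltration carrier, or None."""
    upper = label.upper()
    if len(label) >= LONG_LABEL:
        return "label of %d chars" % len(label)
    if BASE32_LABEL.fullmatch(upper) and shannon_entropy(upper) >= ENTROPY_THRESHOLD:
        return "base32-like label (entropy %.2f)" % shannon_entropy(upper)
    return None


def parse_line(line: str):
    """Split one constructed log line into (timestamp, client, lowercase qname)."""
    ts, client, qname = line.split()
    return ts, client, qname.rstrip(".").lower()


def scan_dns_log(text: str):
    """Return (per-query findings, {(client, domain): count of suspicious queries})."""
    findings = []
    volume = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = parse_line(line)
        labels = qname.split(".")
        # Naive registered-domain guess: the last two labels. A real deployment
        # would use the public suffix list instead (assumption, kept simple here).
        domain = ".".join(labels[-2:])
        for label in labels[:-2]:
            reason = label_reason(label)
            if reason:
                findings.append({"time": ts, "client": client, "qname": qname,
                                 "domain": domain, "reason": reason})
                volume[(client, domain)] += 1
                break
    return findings, dict(volume)


if __name__ == "__main__":
    found, counts = scan_dns_log(SAMPLE_DNS_LOG)
    for f in found:
        print(f["time"], f["client"], f["domain"], "-", f["reason"])
    for (client, domain), n in counts.items():
        print("%s -> %s: %d suspicious queries" % (client, domain, n))
```

The per-query check catches individual carrier labels; the per-client/domain count is what separates a one-off oddity from a steady stream of card data leaving through the resolver, which is the signal worth alerting on.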

Jigsaw Ransomware

A new ransomware program called Jigsaw encrypts users’ files and then progressively deletes them until the victim pays the equivalent of $150 in Bitcoin cryptocurrency.

The ransomware deletes one file after the first hour has passed and then increases the number of files it deletes in each subsequent 60-minute cycle. If no payment has been made within 72 hours, all remaining files are deleted.

A Jigsaw decryptor utility has been developed and is available on the internet for free. While security experts managed to find a way to decrypt files this time, there is no guarantee that they will be able to do the same for future versions. Ransomware creators are typically quick to fix their errors.

When the Jigsaw ransomware is launched it scans your drives for certain file extensions, encrypts the matching files using AES encryption, and appends the .FUN extension to each filename. When encrypting a file it adds the filename to a list of encrypted files located at %UserProfile%\AppData\Roaming\System32Work\EncryptedFileList.txt. It also assigns a bitcoin address and saves it in the %UserProfile%\AppData\Roaming\System32Work\Address.txt file. Finally, Jigsaw sets an autorun that starts the ransomware each time you log in to Windows. Unfortunately, each time the ransomware starts, it also deletes 1,000 of the encrypted files.

Files associated with Jigsaw:

%UserProfile%\AppData\Roaming\Frfx\
%UserProfile%\AppData\Roaming\Frfx\firefox.exe
%UserProfile%\AppData\Local\Drpbx\
%UserProfile%\AppData\Local\Drpbx\drpbx.exe
%UserProfile%\AppData\Roaming\System32Work\
%UserProfile%\AppData\Roaming\System32Work\Address.txt
%UserProfile%\AppData\Roaming\System32Work\dr
%UserProfile%\AppData\Roaming\System32Work\EncryptedFileList.txt

Registry associated with Jigsaw:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe %UserProfile%\AppData\Roaming\Frfx\firefox.exe

New ransomware called CryptoHost


Yet another breed of ransomware has been discovered. It claims to encrypt your data and then demands a ransom of .33 bitcoins, or approximately 140 USD, to get your files back. In reality, though, your data is not encrypted but copied into a password-protected RAR archive. Thankfully, the password created by this infection is easily discovered, so infected users can get their files back.

When CryptoHost infects your computer it moves files with the following extensions into a password-protected archive located in the C:\Users\[username]\AppData\Roaming folder:

jpg, jpeg, png, gif, psd, ppd, tiff, flv, avi, mov, qt, wmv, rm, asf, mp4, mpg, mpeg, m4v, 3gp, 3g2, pdf, docx, pptx, doc, 7z, zip, txt, ppt, pps, wpd, wps, xlr, xls, xlsl

This file has a 41-character name and no extension. An example file is 3854DE6500C05ADAA539579617EA3725BAAE2C57. The password for this archive is the name of the archive followed by the logged-in user name. So, for example, if the user is named Test and the RAR archive is located at C:\Users\Test\AppData\Roaming\3854DE6500C05ADAA539579617EA3725BAAE2C57, the password would be 3854DE6500C05ADAA539579617EA3725BAAE2C57Test.

The first thing you want to do is terminate the cryptohost.exe process from the Task Manager.

Now, to get your archived data back, you need to extract the password-protected RAR archive that contains your files. Install the free 7-Zip, WinRAR or WinZip application. Once it is installed, open the C:\Users\[username]\AppData\Roaming folder and locate the archive file using the information described above. Right-click on it, select the Extract to “foldername” option, enter the password as described above and press Enter. Your data will be extracted into a folder with the same name as the RAR archive. When done, open that folder and copy all of the folders in it to the root of your C: drive. Your data files should now be restored.

Now time to manually remove Cryptohost:

When CryptoHost is installed it creates a file called cryptohost.exe and stores it in the C:\Users\[username]\AppData\Roaming folder. It also creates an autorun called software that executes the ransomware on login. To remove this infection, simply end the cryptohost.exe process using Task Manager and then delete the cryptohost.exe file. To remove the autorun you can delete this registry value:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\software %AppData%\cryptohost.exe

CryptoHost is currently being bundled with a uTorrent installer that, when run, extracts cryptohost.exe to the %AppData% folder and executes it. Once executed, CryptoHost moves all files that match certain extensions into a password-protected RAR archive located in the %AppData% folder. The name of the archive is a SHA1 hash of the following information with any dashes removed.

When the archive has been created, the ransomware lists the files in the archive, saves that list to the %AppData%\Files file and displays the ransom message shown above.

Search and Remove the following Files associated with the CryptoHost Ransomware:

%Temp%\uTorrent.exe
%AppData%\cryptohost.exe
%AppData%\files
%AppData%\processor.exe

Search and Remove the following Registry entries associated with the CryptoHost Ransomware:

HKCU\Software\Classes\FalconBetaAccount
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\software %AppData%\cryptohost.exe
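Both Jigsaw and CryptoHost persist the same way: a value under HKCU\...\CurrentVersion\Run whose data points at an executable dropped into the user's own profile (Roaming\Frfx\firefox.exe and %AppData%\cryptohost.exe). That pattern is worth checking for generically rather than by name. The script below is an added example for this page, not a tool from the original write-up; it applies two heuristics to a constructed list of Run values (executable living in a user-writable directory, and a well-known browser name running from outside Program Files) and the directory lists and impersonated-name set are assumptions to extend from your own environment.

```python
import ntpath

# Constructed Run-key entries modelled on the Jigsaw and CryptoHost persistence
# listed above, plus a benign entry for contrast. Format: (value name, value data).
SAMPLE_RUN_VALUES = [
    ("firefox.exe", r"%UserProfile%\AppData\Roaming\Frfx\firefox.exe"),
    ("software", r"%AppData%\cryptohost.exe"),
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
]

# Locations a standard user can write to (assumed list). An autorun pointing
# into one of these needed no admin rights to install, as user-level malware does.
USER_WRITABLE_PREFIXES = (
    "%appdata%\\", "%localappdata%\\", "%temp%\\",
    "%userprofile%\\appdata\\", "c:\\users\\",
)
# Where genuine product binaries normally live (assumed list).
PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "%programfiles%\\")
# Well-known executable names that malware borrows to look legitimate
# (constructed set; extend it from your own software inventory).
IMPERSONATED_EXES = {"firefox.exe", "chrome.exe", "iexplore.exe"}


def exe_from_command(data: str) -> str:
    """Extract the executable path from a Run value's data, honouring quotes."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def assess_run_value(name: str, data: str) -> list:
    """Return the reasons this autorun looks suspicious (empty list if none)."""
    exe = exe_from_command(data).lower()
    reasons = []
    if exe.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("executable lives in a user-writable profile directory")
    base = ntpath.basename(exe)
    if base in IMPERSONATED_EXES and not exe.startswith(PROGRAM_DIRS):
        reasons.append("%s is outside its normal install location" % base)
    return reasons


def scan_run_values(entries) -> list:
    """Return one finding per suspicious Run value, in input order."""
    findings = []
    for name, data in entries:
        reasons = assess_run_value(name, data)
        if reasons:
            findings.append({"name": name, "exe": exe_from_command(data), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_run_values(SAMPLE_RUN_VALUES):
        print("%s -> %s" % (finding["name"], finding["exe"]))
        for reason in finding["reasons"]:
            print("    ", reason)
```

On a live Windows host the entries would come from the Run key itself (for example via PowerShell's Get-ItemProperty on HKCU:\Software\Microsoft\Windows\CurrentVersion\Run) rather than from the constructed list; the assessment logic is the same either way, and a value name that mimics a browser while its target sits in Roaming is exactly the Jigsaw case.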

Ransomware is the talk of the town lately: Rokku

One of the most recent threats, known as Rokku Ransomware, is among a growing list of clever ransomware that offers alternative means of paying the ransom fee to decrypt files encrypted by the malware. In the case of Rokku, it offers computer users a QR code to quickly and conveniently access a payment site.

As usual, the infection point is spam email with attachments laced with malware. These email attachments, if downloaded and executed, start the Rokku ransomware’s encryption process, which uses a hard-to-break (though not impossible) RSA-512 crypto algorithm.


First and foremost, Rokku makes sure to delete shadow volume copies from your hard drive, so backup software won’t be able to recover non-encrypted versions of your files. If you have backups stored offline, then you can restore them from that source. However, with no shadow volume copies, recovering them from the same hard drive is technically impossible.

When Rokku encrypts a victim’s data it uses the Salsa20 algorithm and encrypts each file with its own unique key. A file’s key is then encrypted using RSA and stored in the last 252 bytes of the associated file. This allows the developers to provide individual decryption keys for test file decryption. This is also the first ransomware that I know of that uses the Salsa20 algorithm, which provides much greater encryption speeds compared to AES. In each folder that is encrypted and in the victim’s Startup folder, Rokku creates two ransom notes titled README_HOW_TO_UNLOCK.HTML and README_HOW_TO_UNLOCK.TXT. These ransom notes contain information on what has happened to the victim’s files and links to Rokku’s Tor payment site.

An interesting feature of Rokku is the use of the Google Website Translator Plugin in the ransom notes. This allows them to create one English ransom note and easily use the translator for those who do not understand English.

Ransomware Petya encrypts not files but whole hard drive

To achieve its goal, the attacker sends out an innocuous-looking email that purports to be from a job applicant, with instructions to download a CV hosted in a Dropbox folder. Following the link downloads an EXE file. When the EXE file is run, the PC crashes with a blue screen and reboots. Before the reboot, the Master Boot Record (MBR) of the system is manipulated in a way that lets Petya control the boot process.

Petya sets itself apart by the volume of data it tries to encrypt. While most ransomware is content with encrypting single files, usually documents that seem important, Petya goes for the entire hard drive instead. After the user unwittingly runs the program carrying the ransomware, Petya takes over the bootloader and restarts the computer. It then displays a screen informing the user that Windows is performing a check disk operation when, in fact, it is already trying to encrypt the entire disk. Once done, it reveals its true colors, literally, directing the victim to browse to a specific website using TOR for anonymity. The website, in turn, contains instructions on how to pay the ransom. The ransom doubles in price after 7 days.


We recommend not paying the requested ransom and as soon as you read this blog, ensure that all your data is backed up. That way, you can just copy that image back across, should the worst happen.

This is by no means the first ransomware online; it is part of a worrying trend that seems to line up businesses as more lucrative victims than individuals – one hospital this year has already paid $17,000 in bitcoins after it was locked out of its network.

As with many of these attacks, Petya relies on computer users clicking links sent in emails before really considering what they are, or the potential implications. One sure-fire way to cut down on these is simply to refuse to open random files from people you don’t know. Be careful: do not open attachments or click on links that you were not expecting or have no reason to trust.

PowerWare uses Windows PowerShell to encrypt files

PowerWare is a crypto-ransomware that differs from other crypto malware in that it is fileless, a tactic also adopted by other malware families pushed by prolific exploit kits such as Angler. A malware family called PowerSniff has behaviour similar to PowerWare, including fileless infection.

The criminal gangs behind PowerWare spread it using spam messages with a Word document attachment purporting to be an invoice. The attackers use an old trick to convince victims to enable macros: the document asks them to enable macros in order to view it correctly.

The macro runs cmd.exe, which launches PowerShell, the native Windows framework that uses a command-line shell to perform several tasks. The program that actually encrypts the files is PowerShell: a script is downloaded and fed to it. This means no ‘traditional’ malware and no additional executable, just a text document (the script).

The use of PowerShell allows the ransomware to avoid writing files to disk, which makes detection harder. It also allows the ransomware to encrypt files on the victim’s PC. The PowerShell ransomware asks victims to pay a $500 ransom to restore the encrypted files. In this case too, the ransom doubles if the victim misses the deadline.
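Fileless or not, the chain described above (Word document with a macro, then cmd.exe, then PowerShell) still shows up in process-creation telemetry, and the parent/child relationship is the durable signal when there is no dropped binary to scan. The following is an added example, not code from the original article or from any product: it walks a constructed set of simplified process-creation records (pid, parent pid, image path, command line, loosely modelled on what an EDR or Sysmon-style event carries) and flags PowerShell instances that either descend from an Office process or carry arguments commonly used to hide or bypass the shell. The argument list is an assumption to tune; the real PowerShell switches it matches (-WindowStyle Hidden, -EncodedCommand, -ExecutionPolicy Bypass) are documented PowerShell options.

```python
import ntpath

# Constructed process-creation records (not real telemetry). The first chain
# mirrors the PowerWare delivery path: Office -> cmd.exe -> powershell.exe.
# The second chain is an interactive admin running PowerShell from a console.
SAMPLE_PROCESS_EVENTS = [
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 512, "ppid": 400, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\user\Downloads\invoice.doc"'},
    {"pid": 640, "ppid": 512, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\\Users\\user\\AppData\\Local\\Temp\\script.ps1"},
    {"pid": 700, "ppid": 640, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\\Users\\user\\AppData\\Local\\Temp\\script.ps1"},
    {"pid": 800, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": 820, "ppid": 800, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-Process"},
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Substrings (lower-cased) that rarely appear in legitimate interactive use.
SUSPICIOUS_ARGS = (
    "-windowstyle hidden", "-w hidden", "-encodedcommand", "-enc ", "-ec ",
    "-executionpolicy bypass", "-ep bypass", "downloadstring", "downloadfile",
    "invoke-expression", "iex ",
)


def ancestry(events_by_pid: dict, pid: int) -> list:
    """Return image basenames from the outermost known ancestor down to pid."""
    chain, seen = [], set()
    while pid in events_by_pid and pid not in seen:
        seen.add(pid)  # guard against pid reuse producing a cycle
        event = events_by_pid[pid]
        chain.append(ntpath.basename(event["image"]).lower())
        pid = event["ppid"]
    chain.reverse()
    return chain


def assess_powershell_events(events: list) -> list:
    """Return one alert per PowerShell process with an Office ancestor or risky arguments."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for event in events:
        image = ntpath.basename(event["image"]).lower()
        if image not in SHELL_IMAGES:
            continue
        chain = ancestry(by_pid, event["pid"])
        reasons = []
        office_parents = [p for p in chain[:-1] if p in OFFICE_IMAGES]
        if office_parents:
            reasons.append("spawned under Office process %s" % office_parents[0])
        cmd = event["cmdline"].lower()
        hits = [a.strip() for a in SUSPICIOUS_ARGS if a in cmd]
        if hits:
            reasons.append("suspicious arguments: " + ", ".join(hits))
        if reasons:
            alerts.append({"pid": event["pid"], "chain": chain, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in assess_powershell_events(SAMPLE_PROCESS_EVENTS):
        print("pid %d: %s" % (alert["pid"], " -> ".join(alert["chain"])))
        for reason in alert["reasons"]:
            print("    ", reason)
```

The Office-ancestor rule is the one that matters most for macro-delivered threats like PowerWare: a word processor has no business starting a shell, so that lineage alone is a strong alert even when the arguments look innocent.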

Who viewed me on Instagram

Recently, a malicious application called “InstaCare – Who cares with me” was released via the Google Play Store and the App Store. This application serves as a hook to lure Instagram users, pretending to let them know who has viewed their profile; in reality it abuses the authentication process used to connect to Instagram. It steals your Instagram password and gains access to your profile.

The app claims to display your friend list ordered by who interacts with your profile most, showing up to the 100 most recent entries for your Instagram profile.


It’s common for many applications to use APIs or authorization protocols such as OAuth to authenticate with third-party applications. This is very convenient for users, as they can use the same credentials to authenticate with different applications and services. The problem is that this feature can be abused by some applications to gain access to the user’s information, such as their profile and contacts, or to steal their credentials.

Last week the InstaAgent developer “Turker Bayram” released a new app for Android and the iOS App Store, after his (malicious) app “InstaAgent” was pulled by Apple and Google from their app stores. It is astonishing that Apple and Google didn’t take a closer look at his new application; one would assume a developer who has already published a malicious app would be watched more closely. His new app is called “Who Viewed Me on Instagram” (Android version, 50K – 100K downloads) and “InstaCare – Who cares with me?” (iOS version, a top-grossing app in Germany in the Entertainment category). The app promises the same functionality as InstaAgent.

iPhones can get infected even if they are not jailbroken

A brand new malware strain has just been discovered: a sneaky attack that has fooled not only Apple’s app review team into allowing malicious apps into the App Store, but that can also quietly install apps on any iOS device without the user’s explicit knowledge or permission. The device does not even need to be jailbroken for the attack to work.

AceDeceiver is the first iOS malware we’ve seen that abuses certain design flaws in Apple’s DRM protection mechanism — namely FairPlay — to install malicious apps on iOS devices regardless of whether they are jailbroken. The attack requires a PC to deploy the software. The malware is currently affecting users in China. Three AceDeceiver apps disguised as wallpaper tools made their way onto the App Store between July 2015 and February 2016.

This is not the first iOS malware seen in recent times. Researchers found a strain of malware called YiSpecter that targeted jailbroken as well as non-jailbroken devices in Taiwan and China. That app, however, leveraged private APIs that were signed with enterprise certificates to look authentic.

As for AceDeceiver, only users in China seem to be affected for now. However, with slight tweaks, users in other regions could also be targeted. Apple normally prides itself on iOS’ security, but has still had to periodically remove App Store titles because of dangerous code.

Chinese App creates another App Store inside Apple’s iOS App Store

An iOS app that provided access to pirated apps successfully got through Apple’s strict approval process. The Chinese developers of an app called Happy Daily English found a way around Apple’s review process: they embedded a fully functional iOS app store inside their application and had it hosted on the official iOS App Store itself.

For non-Chinese users, the app appeared to be a simple educational app that taught Chinese users English, but for Chinese users it transformed itself into an app store that allowed them to install rogue, pirated or cracked apps using various tricks, without requiring users to go through the side-loading process.

The app was approved and added to Apple’s store because the iOS App Store reviewers accessed it from outside China and, seeing its educational interface, noticed nothing strange. On top of this, ZergHelper was coded in Lua, a programming language that allowed the developers to update the app dynamically without going through Apple’s app review process. This technique allowed the developers to change the app’s behavior without the risk of being discovered during subsequent updates.

The malicious store-in-store app existed on the official App Store from October 30, 2015, to February 19, 2016. Apple removed the app after it was reported by its discoverer.

Triada Trojan Exists in memory and uses Zygote process to Hook all Applications on Android

Dubbed Triada (Backdoor.AndroidOS.Triada), this malware family was mainly designed to redirect financial SMS transactions to buy additional content or steal money from the user. The Triada Trojan is able to infiltrate all processes running on the mobile device, gaining persistence. The Android malware is spread through an “advertising botnet” that crooks also used to spread other threats, including Leech, Ztorg, Gorpo and AndroidOS.Iop.

The Triada trojan was clearly developed by cybercriminals who have a clear understanding of how Android functions at a core level; a tremendous amount of research and work went into developing this malware.

It also marks the first time that malware developed for Android has the same complexity as malware written for Windows. Before now, most of the threats encountered on mobile devices were not nearly as well developed and were very primitive in nature.

Users are more at risk of being affected by Triada if they download and install apps from unknown sources rather than from the Google Play Store.