Showing posts with label Trojan.

Friday, 29 September 2017

Internet providers may have spread the FinFisher spyware kit


Resultado de imagem para FinFisher

Researchers at Eset, a cybersecurity company, have identified in recent activity of FinFisher (a spyware kit created by a hacker identified as Phineas Fisher) a link to internet providers that would facilitate its deployment.

Also known as FinSpy, FinFisher is software with broad spying capabilities, such as real-time surveillance via webcams and microphones, keylogging and file exfiltration. What sets it apart from other tools of this kind, however, are the controversies surrounding its deployments. FinFisher is sold to governments that want to monitor their population online in some way, or to agencies and authorities with specific targets in mind; it includes malicious software for carrying out mass monitoring, and it is believed to have also been used by dictatorial regimes.

In addition, its most recent version includes improvements intended to expand its spying capabilities, stay unnoticed and evade analysis. The most important innovation, however, is the way the surveillance tool reaches the target computer.

What is new in these campaigns, in terms of distribution, is the use of an attack in which the communications of potential victims are intercepted, with an internet service provider (ISP) most likely acting as the intermediary. This vector was used in two of the countries where Eset systems detected the latest FinFisher spyware; in the remaining five countries, the campaigns used traditional infection vectors.

"In two of the campaigns, the spyware was spread through a man-in-the-middle attack, and we believe that internet providers played that role," explains Filip Kafka, the ESET malware analyst who led the research.

The attack begins with an alteration on the official download site of WhatsApp, Skype or VLC Player. After the user clicks the download link, the browser receives a modified link and is redirected to a trojanized installation package hosted on the attacker's server. When the user downloads and runs the program, they install not only the legitimate application they expected but also the FinFisher spyware.

Infection mechanism of the latest FinFisher versions

"During our research, we found a series of indicators suggesting that the redirection is taking place through the service of a major internet provider," says Filip Kafka, without revealing the name. According to him, this is the first time the probable involvement of a major internet provider in the spread of malware has become public knowledge. "These FinFisher campaigns are sophisticated and stealthy surveillance projects, unprecedented in their combination of methods and reach," the analyst adds.
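The two defensive checks that matter against the download-swap described above are whether any hop of the download runs over plaintext HTTP or leaves the vendor's domain, and whether the bytes that arrive match a hash the vendor published out of band. The script below is an added example written for this post, not code from ESET or from the article; the redirect chain, the `.test` hostnames and the trusted-host set are constructed placeholders.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample: the hops a browser would follow when a vendor's download
# link is rewritten in transit and lands on a third-party server. Both hostnames
# are placeholders (.test TLD), not real infrastructure.
SAMPLE_CHAIN = [
    "https://download.example-vendor.test/installer.exe",
    "http://cdn-mirror.example-attacker.test/installer.exe",
]
# Assumed set of domains the vendor legitimately serves installers from.
SAMPLE_TRUSTED_HOSTS = {"example-vendor.test"}


def host_is_trusted(url, trusted_hosts):
    """True when the URL's host equals a trusted host or is a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def check_redirect_chain(chain, trusted_hosts):
    """Return one finding per hop that is served over plaintext HTTP (rewritable
    by anyone on the path, an ISP included) or that leaves the trusted domains."""
    findings = []
    for hop, url in enumerate(chain):
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"hop {hop}: {parts.scheme}:// URL can be rewritten in transit: {url}")
        if not host_is_trusted(url, trusted_hosts):
            findings.append(f"hop {hop}: host {parts.hostname!r} is outside the trusted domains")
    return findings


def verify_package(data, published_sha256):
    """Compare the downloaded bytes with the SHA-256 the vendor publishes out of
    band; a redirected, trojanized package will not match. Returns (ok, actual)."""
    actual = hashlib.sha256(data).hexdigest()
    return actual == published_sha256.lower(), actual


if __name__ == "__main__":
    for line in check_redirect_chain(SAMPLE_CHAIN, SAMPLE_TRUSTED_HOSTS):
        print(line)
    ok, digest = verify_package(b"constructed installer bytes", "00" * 32)
    print("hash matches vendor value:", ok, digest)
```

The hash check only helps if the reference value comes from somewhere the same intermediary cannot rewrite (a signed release note, a second network, a printed value); fetching it from the same HTTP page defeats the purpose.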

Friday, 1 September 2017

Trojan Using Infected USBs to Help Spread Fileless Malware

By David Bisson, 31/08/2017, on the site The State of Security


A trojan is leveraging infected USB flash disks to help spread fileless malware that abuses legitimate functions on a compromised system.
The baddy, which Trend Micro detects as “TROJ_ANDROM.SVN,” conceals itself within two malicious files on an infected USB. These files are called “addddddadadaaddaaddaaaadadddddaddadaaaaadaddaa.addddddadadaaddaaddaaaadadddddadda” and “IndexerVolumeGuid.” Alternatively, the trojan may use shortcut files, detected as “LNK_GAMARUE.YYMN,” that appear to have the same name as the USB flash disk and thereby trick a user into clicking on them.
In either case, clicking TROJ_ANDROM.SVN's malicious files decrypts some code, loads the result into memory, and runs it. This process, in turn, creates the autostart registry key responsible for loading JS_POWMET.DE, malware which ultimately installs a backdoor known as BKDR_ANDROM.
Infection chain. (Source: Trend Micro)
Trend Micro first detected JS_POWMET.DE back in early August 2017. At the time, its researchers had no idea how the malware arrived on a machine. They reasoned it relied on malicious sites or other malware infections for distribution.
Now the researchers know that an infected USB device is involved. But as pointed out by Trend Micro’s Byron Gelera, it’s not that simple. He explains there’s more to this initial attack sequence than meets the eye:
“Two things are worth noting here. First, the process differs slightly based on the version of Windows installed. The process is relatively straightforward for Windows 10—the registry entry is created, eventually leading to the download and execution of a backdoor onto the affected system. On earlier versions of Windows, however, there is an additional step: a second backdoor (detected as BKDR_ANDROM.SMRA) is also dropped in the %AppData% folder, with the filename ee{8 random characters}.exe. A shortcut to it is also created in the user startup folder, ensuring that this second backdoor is automatically executed.”
Gelera feels this additional step of installing a second backdoor via less sophisticated means could be designed to divert a researcher’s attention away from the fileless malware.
To protect against JS_POWMET.DE, users should not plug in any suspicious USB drives to their computers. If for some reason they need to connect an unknown flash disk, they should make sure to install an anti-virus solution onto their machines and use that software to scan the USB drive’s files for malware before clicking on anything.
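Scanning an untrusted drive before clicking anything, as the article advises, can be partly automated from the artefacts it names: the two indicator file names, a shortcut that borrows the drive's own volume label, and (on pre-Windows-10 hosts) the `ee{8 random characters}.exe` dropper with its Startup-folder shortcut. The script below is an added example for this post, not Trend Micro's or the article author's code; it builds a constructed directory tree of empty placeholder files to run against, and the assumption that the eight random characters are alphanumeric is marked in the code.

```python
import re
import tempfile
from pathlib import Path

# File names the article lists on the infected USB (known indicators).
KNOWN_USB_NAMES = {
    "addddddadadaaddaaddaaaadadddddaddadaaaaadaddaa.addddddadadaaddaaddaaaadadddddadda",
    "IndexerVolumeGuid",
}
# Second-stage dropper name from the article: ee{8 random characters}.exe.
# Treating the 8 characters as alphanumeric is an assumption.
DROPPER_NAME = re.compile(r"^ee[A-Za-z0-9]{8}\.exe$", re.IGNORECASE)


def scan_usb_root(usb_root, volume_label):
    """Triage the root of a removable drive: known indicator names, a .lnk that
    borrows the drive's own label (the LNK_GAMARUE disguise), and files with
    implausibly long extensions. Returns sorted (reason, filename) pairs."""
    findings = []
    for p in Path(usb_root).iterdir():
        if not p.is_file():
            continue
        if p.name in KNOWN_USB_NAMES:
            findings.append(("known-indicator", p.name))
        elif p.suffix.lower() == ".lnk" and p.stem.lower() == volume_label.lower():
            findings.append(("lnk-named-as-volume", p.name))
        elif len(p.suffix) > 12:
            findings.append(("odd-extension", p.name))
    return sorted(findings)


def scan_persistence(appdata_dir, startup_dir):
    """Look for the pre-Windows-10 second backdoor the article describes: an
    ee????????.exe in %AppData% and any shortcut in the user's Startup folder
    (shortcuts there deserve a manual look on a machine that touched the USB)."""
    findings = []
    for p in Path(appdata_dir).iterdir():
        if p.is_file() and DROPPER_NAME.match(p.name):
            findings.append(("dropper-name", p.name))
    for p in Path(startup_dir).iterdir():
        if p.is_file() and p.suffix.lower() == ".lnk":
            findings.append(("startup-shortcut", p.name))
    return sorted(findings)


def build_demo_tree(base):
    """Constructed layout that reproduces the artefacts from the article next to
    benign files; every file is an empty placeholder, nothing executable."""
    base = Path(base)
    usb = base / "usb"
    appdata = base / "AppData" / "Roaming"   # stands in for %AppData% (assumption)
    startup = base / "Startup"               # stands in for the user Startup folder
    for d in (usb, appdata, startup):
        d.mkdir(parents=True)
    for name in list(KNOWN_USB_NAMES) + ["MYUSB.lnk", "holiday.jpg"]:
        (usb / name).write_bytes(b"")
    (appdata / "eeAb12Cd34.exe").write_bytes(b"")   # matches the dropper pattern
    (appdata / "notes.txt").write_bytes(b"")
    (startup / "eeAb12Cd34.lnk").write_bytes(b"")
    return usb, appdata, startup


def run_demo():
    """Build the constructed tree in a temp dir and return both scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        usb, appdata, startup = build_demo_tree(tmp)
        return scan_usb_root(usb, "MYUSB"), scan_persistence(appdata, startup)


if __name__ == "__main__":
    usb_hits, persistence_hits = run_demo()
    print("USB root:", usb_hits)
    print("Persistence:", persistence_hits)
```

To run it against a real drive, call `scan_usb_root` with the mount point and the volume label shown in Explorer; the name checks are cheap heuristics that complement, not replace, the anti-virus scan the article recommends.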

Monday, 28 August 2017

Android Ransomware Development Made a Cinch by TDK Mobile Apps

On 25/08/2017 on the site The State of Security

Wannabe computer criminals can now easily create Android ransomware thanks to what are known as trojan development kits (TDKs).
TDKs automate the process of developing new mobile malware by leveraging a version of the computer-aided software engineering (CASE) tool model. These device-aided malware engineering (DAME) utilities enable an actor to quickly create a ransomware variant on their devices. All they need to do is install an application containing a TDK.
Unfortunately, such programs aren’t hard to find.
Symantec Security Response detected one such app advertised on hacking forums and a popular Chinese social media platform. It leads a wannabe malware developer through the process of specifying the new ransomware’s display message on a victim’s locked screen, the key needed to unlock the device, an icon displayed by the malware, algorithms used to randomize the program’s code, and animation that will display on the infected device. With an easy-to-use interface, computer criminals with low levels of technical expertise would have no problem filling out the on-screen customization form.
The malware generator app. (Source: Security Response)
Dinesh Venkatesan of Security Response explains what happens after a user finishes setting the ransomware’s parameters:
“… [T]he user hits the “create” button and, if they haven’t already done so, is asked to subscribe to the service. The app allows the user to start an online chat with the app’s developer where they can arrange a one-time payment. Once the user has subscribed, they can continue with the process, making as many ransomware variants as they desire.”
All that remains then is for the user to decide how they’d like to distribute their ransomware to unsuspecting users. For those who fall victim to the attack campaign, the malware locks their device and demands a ransom payment in exchange for the unlock key.
The ransomware created using the Trojan Development Kit in action. (Source: Security Response)
At this time, it appears the app discovered by Venkatesan and his colleagues targets Chinese users mainly. The TDK also creates only lockers and not encrypters. But none of that is set in stone. The app’s creators could modify their program with expanded language support and built-in encryption capabilities. Not to mention how other malicious app developers might be spending their time.
Given these threats, it’s imperative that mobile users follow some simple steps to prevent a ransomware infection. They should, for instance, update their devices on a regular basis and install a mobile anti-virus solution onto their phones. They should also back up their mobile data on a regular basis.

Thursday, 24 August 2017

Android Trojans imitate taxi-hailing apps

Alex Drozhzhin
On 28/08/2017 on the site Kaspersky Lab

You are in a hurry, trying to get to work, a business meeting, a date. So you decide to use your favorite taxi app as usual, but this time something seems different: your credit card details are being requested. Suspicious? Maybe not; apps forget information sometimes, and all you have to do is add it and wait for the driver.
However, after a while, you notice that money has been disappearing from your account. What happened? You may have been rewarded with a mobile Trojan. This type of malware was recently used to steal banking data by overlaying taxi-hailing apps.
The Faketoken Trojan has been around for quite some time, and it has been updated over the years. Our experts named the current version "Faketoken.q", and at the moment it knows several tricks.
From the moment it gets onto a smartphone (judging by the malware's icon, Faketoken gets onto the smartphone via SMS messages prompting the user to download some photo) and installs the necessary modules, the Trojan hides its shortcut and starts working in the background.
First, the Trojan is interested in the user's calls. As soon as one starts, recording begins. When the call ends, Faketoken forwards the audio file to the criminal's server. It also checks which apps the smartphone owner uses.
When Faketoken detects the launch of an app whose interface it can imitate, it immediately overlays it. To do this it uses standard Android functions that allow screens to be displayed over other apps. Many legitimate apps, such as messengers and tab managers, use this function.
The overlay window uses the same color scheme as the real app's interface. In that window, the Trojan makes the user enter their credit card number, including the verification code.
In fact, Faketoken.q follows a huge variety of apps that have one thing in common: in them, a request to enter payment details does not look out of the ordinary. Among the targeted apps are several banking ones: Android Pay, the Google Play Store, flight and hotel booking, and parking ticket payment, as well as taxi booking.
At the moment of stealing the user's money, Faketoken has one more subterfuge: it intercepts SMS messages, hiding them from the user. The virus forwards them to the criminal's server, from which one-time transaction confirmation passwords are extracted.
Judging by the small number of recorded attacks and the UI artifacts, we would say that our lab's researchers got their hands on a test version of the Trojan, not the final one.
We cannot underestimate the diligent creators of Faketoken. Most likely they will improve the Trojan, and a wave of attacks may result from the "commercial" version of the virus at some point.
At the moment, the Trojan focuses on Russia, but it would not be the first time cybercriminals steal ideas from each other, so it should not take long for others to adopt the same trick in other countries. Many city dwellers use taxi-hailing apps frequently, so the trick represents an excellent opportunity for malware creators.
Below are several tips to protect yourself from Faketoken and similar Trojans that can steal credit card information and intercept SMS messages with one-time passwords for payment confirmation.
  • It is essential to go into Android's settings and prohibit the installation of apps from unknown sources. To block it, go to Settings -> Security and uncheck Unknown Sources.

Wednesday, 16 August 2017

SPAM DOMAINS IMITATING POPULAR BANKS SPREADING TRICKBOT BANKING TROJAN


On 15/08/2017 on the site Threatpost


Santander Bank customers should be aware of an effective spam campaign spreading the Trickbot banking Trojan that is coming from domains similar to those used by the financial institution.
Researchers at My Online Security and the SANS Institute’s Internet Storm Center say that Santander is not the only bank domain being leveraged, and call the malicious domains “extremely plausible imitations.”
All of the domains, the researchers say, were registered with GoDaddy. Some of them are down, but it's unknown if GoDaddy took action. A sample of the phony domains sending Trickbot includes: hsbcdocs.co.uk, hmrccommunication.co.uk, lloydsbacs.co.uk, nationwidesecure.co.uk, natwestdocuments6.ml, santanderdocs.co.uk, santandersecuremessage.com, and securenatwest.co.uk.
“Almost all of these domains were registered through GoDaddy using various names or privacy services,” said Brad Duncan, a SANS ISC handler. “And these domains were implemented on servers using full email authentication and HTTPS. Many recipients could easily be tricked into opening the associated attachments.”
One of the messages purporting to be from Santander arrives with a subject line “You have a Santander Secure Email,” and an attachment called “SecureDoc.html,” My Online Security said. The attachments are also sometimes Office documents that require the enablement of macros in order to view the content. The macro instead downloads Trickbot. The HTML files are a twist seen only in the last week, and they download Office documents from the attacker's server using HTTPS to avoid scanning, Duncan said.
“HTML attachments to download Office documents, eh?  It’s not a new trick,” Duncan said. “But using this method, poorly managed Windows hosts (or Windows computers using a default configuration) are susceptible to infection.”
Trickbot is generally considered the successor to the Dyre (or Dyreza) banking malware. Recently, IBM’s X-Force research team along with researchers from Flashpoint spotted spam messages spreading Trickbot through the Necurs botnet. A customized redirection method was introduced in recent versions; Trickbot is known for carrying out man-in-the-browser attacks, using webinjects tailored for a number of banking institutions in an attempt to steal log-in credentials. Newer versions of Trickbot included webinjects for U.S.-based banks.
“They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment,” My Online Security said. “A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.” Researchers added that victims who prefer to bank via mobile phones or tablets are especially at risk given they often only see the sender's name rather than the complete domain address.
One sample analyzed by the SANS ISC was disguised as coming from Santander and contained an HTML attachment that downloaded a Word document from the same server that sent the email. The Word document contains an image of a phony Santander login page with instructions on what to do if the victim cannot log in, which includes the enablement of macros through the “Enable Content” button.
Duncan said the Word document he analyzed makes an HTTP request to centromiosalud[.]es and a PNG image that is actually a Windows executable. Sometimes the malware is downloaded from the same domain, or cfigueras[.]com.
“A scheduled task was implemented to keep the malware persistent,” Duncan said. “The persistent malware was located in a folder named winapp under the user’s AppData\Roaming directory.”
SANS ISC published a number of indicators of compromise, while My Online Security urges users, especially those running older versions of Office to be wary of these emails, and to under no circumstances “Enable content,” or “Enable macros” in order to view content.
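Because the sending domains passed full email authentication, SPF and DKIM will not catch this campaign; what does stand out is a bank brand in the sender domain or display name that is not on an allowlist of the institution's verified domains, combined with HTML or macro-capable Office attachments. The triage script below is an added example for this post, not code from SANS ISC or My Online Security. The phony domains and the `SecureDoc.html` name are taken from the article; the display names, the third benign message and the allowlist entry are constructed placeholders, and the allowlist must be populated from your own verified records.

```python
from email.utils import parseaddr

# Brand words that appear in the phony domains the article lists.
BRAND_KEYWORDS = ("santander", "hsbc", "lloyds", "natwest", "nationwide", "hmrc")
# Attachment types the campaign used: HTML droppers and macro-bearing Office files.
RISKY_EXTENSIONS = (".html", ".htm", ".doc", ".docm", ".xls", ".xlsm")
# Assumed allowlist: the domains your organisation has verified the real
# institutions send from. The single entry is a placeholder showing the mechanism.
ALLOWLIST = {"santander.co.uk"}

# Constructed messages: the From domains and the attachment name come from the
# article; display names, subjects and the benign third message are made up.
SAMPLE_MESSAGES = [
    {"from": "Santander Secure Email <secure@santanderdocs.co.uk>",
     "subject": "You have a Santander Secure Email",
     "attachments": ["SecureDoc.html"]},
    {"from": "NatWest Documents <documents@natwestdocuments6.ml>",
     "subject": "Your statement is ready",
     "attachments": ["Statement.doc"]},
    {"from": "Jo Bloggs <jo@example-partner.test>",
     "subject": "Lunch on Friday?",
     "attachments": []},
]


def sender_domain(from_header):
    """Domain of the address part, lower-cased; the display name is ignored here
    because it is the one thing a phone mail client is guaranteed to show."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(message, allowlist=ALLOWLIST):
    """Return findings for one message: a bank brand in the sender domain or the
    display name while the domain is not approved, plus risky attachment types."""
    findings = []
    display_name, _ = parseaddr(message["from"])
    domain = sender_domain(message["from"])
    brand = next((b for b in BRAND_KEYWORDS
                  if b in domain or b in display_name.lower()), None)
    if brand and domain not in allowlist:
        findings.append(f"lookalike sender: '{domain}' invokes '{brand}' but is not an approved domain")
    for att in message["attachments"]:
        if att.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {att}")
    return findings


def triage_all(messages=SAMPLE_MESSAGES, allowlist=ALLOWLIST):
    """Map each message subject to its findings; an empty list means nothing flagged."""
    return {m["subject"]: triage(m, allowlist) for m in messages}


if __name__ == "__main__":
    for subject, findings in triage_all().items():
        print(subject, "->", findings or "clean")
```

In a mail gateway this logic sits after authentication checks, not instead of them: the brand-without-allowlist rule is what catches a correctly authenticated lookalike domain, and the attachment rule is what justifies quarantining the HTML dropper before a user can open it.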

How Just Opening A Malicious PowerPoint File Could Compromise Your PC

Mohit Kumar
On 14/08/2017 on the site The Hacker News

A few months back we reported how opening a simple MS Word file could compromise your computer using a critical vulnerability in Microsoft Office.

The Microsoft Office remote code execution vulnerability (CVE-2017-0199) resided in the Windows Object Linking and Embedding (OLE) interface for which a patch was issued in April this year, but threat actors are still abusing the flaw through the different mediums.

Security researchers have spotted a new malware campaign that is leveraging the same exploit, but for the first time, hidden behind a specially crafted PowerPoint (PPSX) Presentation file.

According to the researchers at Trend Micro, who spotted the malware campaign, the targeted attack starts with a convincing spear-phishing email attachment, purportedly from a cable manufacturing provider and mainly targets companies involved in the electronics manufacturing industry.

Researchers believe this attack involves the use of a sender address disguised as a legitimate email sent by a sales and billing department.


Here's How the Attack Works:


The complete attack scenario is listed below:
Step 1: The attack begins with an email that contains a malicious PowerPoint (PPSX) file in the attachment, pretending to be shipping information about an order request.

Step 2: Once executed, the PPSX file calls an XML file programmed in it to download "logo.doc" file from a remote location and runs it via the PowerPoint Show animations feature.

Step 3: The malformed Logo.doc file then triggers the CVE-2017-0199 vulnerability, which downloads and executes RATMAN.exe on the targeted system.

Step 4: RATMAN.exe is a Trojanized version of the Remcos Remote Control tool, which when installed, allows attackers to control infected computers from its command-and-control server remotely.
Remcos is a legitimate and customizable remote access tool that lets users control their system from anywhere in the world, with capabilities such as download-and-execute commands, a keylogger, a screen logger, and recorders for both webcam and microphone.

Since the exploit has so far been used to deliver infected Rich Text File (.RTF) documents, most detection methods for CVE-2017-0199 focus on RTF. So the use of PPSX files also allows attackers to evade antivirus detection.
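A detection that does not depend on the RTF container can look at what a PPSX actually is: a zip of XML parts whose `*.rels` files declare relationships, and a relationship marked `TargetMode="External"` with a URL target is how a slide can reach out to a remote document like the `logo.doc` described above. The scanner below is an added example for this post, not Trend Micro's or The Hacker News' code; it builds a constructed minimal package (one hyperlink, one `oleObject` relationship pointing at a placeholder URL) to run against, which illustrates the relationship shape and is not an exploit.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def external_relationships(ooxml_bytes):
    """Walk every *.rels part in an OOXML package (ppsx, pptx, docx, xlsx) and
    return (part, Id, short Type, Target) for relationships with TargetMode="External"."""
    out = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    out.append((name, rel.get("Id"), short_type, rel.get("Target", "")))
    return out


def triage(ooxml_bytes):
    """Rate each external URL target: an ordinary hyperlink is 'info'; any other
    relationship type that pulls content from a remote server is 'review'."""
    findings = []
    for part, rid, short_type, target in external_relationships(ooxml_bytes):
        if "://" not in target:
            continue   # relative link to a local file; out of scope for this check
        severity = "info" if short_type == "hyperlink" else "review"
        findings.append({"severity": severity, "part": part, "id": rid,
                         "type": short_type, "target": target})
    return findings


def build_sample_ppsx():
    """Constructed sample: a minimal package whose one slide carries a normal
    hyperlink plus an oleObject relationship pointing at a remote logo.doc,
    the shape a scanner must notice. The URL is a placeholder (.invalid TLD)."""
    slide_rels = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" Target="https://www.example.com/" TargetMode="External"/>
  <Relationship Id="rId3" Type="{OFFICE_REL}oleObject" Target="http://example.invalid/logo.doc" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("_rels/.rels", f'<Relationships xmlns="{REL_NS}"/>')
        z.writestr("ppt/slides/slide1.xml",
                   "<p:sld xmlns:p='http://schemas.openxmlformats.org/presentationml/2006/main'/>")
        z.writestr("ppt/slides/_rels/slide1.xml.rels", slide_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage(build_sample_ppsx()):
        print(f["severity"], f["part"], f["type"], f["target"])
```

Run `triage` over attachments at the mail gateway regardless of extension: the same relationship walk covers `.docx` and `.xlsx`, so a campaign that switches container again does not automatically slip past it.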

The easiest way to protect yourself completely from this attack is to download and apply the patches Microsoft released in April that address the CVE-2017-0199 vulnerability.