Multi-Stage Malware Loader Hits Europeans via Signed Malspam

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmrjDKffNtOT802AuAJrLLSSXnZH_IrCmH7XuGuZ0b_7-y-K2e_sXeb79AqIntkQGOkpST-kcH6oB_fg1Q_Mj8FrWJdeFg1kzjQCWU6SbQ2uhVCpqCxxEMKo6T7CrTVbQz77f81UHJ1upH/s1600/Malspam.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="480" data-original-width="1200" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmrjDKffNtOT802AuAJrLLSSXnZH_IrCmH7XuGuZ0b_7-y-K2e_sXeb79AqIntkQGOkpST-kcH6oB_fg1Q_Mj8FrWJdeFg1kzjQCWU6SbQ2uhVCpqCxxEMKo6T7CrTVbQz77f81UHJ1upH/s640/Malspam.jpg" width="640" /></a></div> Multiple malicious spam campaigns using signed emails have been observed while distributing the GootKit (aka talalpek or Xswkit) banking Trojan with the help of a multi-stage malware loader dubbed JasperLoader over the past few months.<br /> <br /> This loader is the third one detected by Cisco Talos' research team since July 2018, with Smoke Loader (aka Dofoil) being employed by threat actors to drop ransomware or cryptocurrency miner payloads last year, while <a href="https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html">Brushaloader</a> was identified during early 2019 and seen while making use of Living-of-the-Land (LotL) tools such as PowerShell scripts to remain undetected on compromised systems.<br /> <br /> <blockquote class="tr_bq"> “Specifically, we’re tracking a loader known as “JasperLoader,” which has been increasingly active over the past few months and is currently being distributed via malicious spam campaigns primarily targeting central European countries with a particular focus on Germany and Italy.” reads the<a href="https://blogs.cisco.com/security/talos/jasperloader-emerges-targets-italy-with-gootkit-banking-trojan"> analysis published </a>by Cisco Talos. “JasperLoader employs a multi-stage infection process that features several obfuscation techniques that make analysis more difficult.”</blockquote> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGi30kQTjzXBpfzjPEzBjIpTv1N_a_3WzP2ac00W2nE3spRf0dm-_BQ8VhecIHCS0wkIj_7xbcx3Er7sBlzunjeswyasogyL7g2yRzdqOxDMhUdrqeXGb7ZZaQemgWs911JebbGSu8R5EJ/s1600/Malspam+email+samples.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="Malspam email samples" border="0" data-original-height="428" data-original-width="1288" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGi30kQTjzXBpfzjPEzBjIpTv1N_a_3WzP2ac00W2nE3spRf0dm-_BQ8VhecIHCS0wkIj_7xbcx3Er7sBlzunjeswyasogyL7g2yRzdqOxDMhUdrqeXGb7ZZaQemgWs911JebbGSu8R5EJ/s640/Malspam+email+samples.png" title="Malspam email samples" width="640" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">Malspam email samples</td></tr> </tbody></table> The various malicious campaigns <a href="https://blogs.cisco.com/security/talos/jasperloader-emerges-targets-italy-with-gootkit-banking-trojan">detected by Cisco Talos</a> are localized to match the European country they are targeting, while the attachments employed to start the JasperLoader infection contain either a Visual Basic for Applications (VBS) script or a DOCM documents with VBA macros, both of them used to initiate the payload download process.<br /> <br /> What makes some of these malspam campaigns very dangerous is the fact that the attackers use legitimate certified email services such as Posta Elettronica Certificata (PEC) used in Italy, Switzerland and Hong Kong to send signed emails "to maximize the likelihood that they can convince potential victims to open their malicious emails."<br /> <br /> After the JasperLoader malware loader successfully infects its targets, it will check its geolocation and terminate itself if the compromised machine is from Russia, Ukraine, Belarus, or People's Republic of China.<br /> <br /> Next, it gains persistence by adding an LNK shortcut to itself to the infected system's Startup folder to get launched each time the machine is rebooted.<br /> <br /> It will also generate a bot identifier which gets sent to the command-and-control (C2) server allowing it to register the machine to the operators' botnet and it goes in standby, waiting for commands from the C2 server.<br /> <br /> JasperLoader allows the attackers to update the loader, to run Powershell-based arbitrary system commands, and, more importantly, to download the final Gootkit malware payload. (pic)<br /> <br /> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiO-_ZxE6-9_K5w2U8z9KkzK9kFF1B9Ld9EDeEj9lGCR6gG26uiY2ZIXUFl3NLz_N6hCwMWyFhhuEHjZfBJoxEqT2huvjfOYHmxOD75j8Q2qhwq6KvyiAuATz7kEDIYqjuS8bk8fXkcS6po/s1600/Downloading+the+final+malware+payload.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="188" data-original-width="640" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiO-_ZxE6-9_K5w2U8z9KkzK9kFF1B9Ld9EDeEj9lGCR6gG26uiY2ZIXUFl3NLz_N6hCwMWyFhhuEHjZfBJoxEqT2huvjfOYHmxOD75j8Q2qhwq6KvyiAuATz7kEDIYqjuS8bk8fXkcS6po/s640/Downloading+the+final+malware+payload.png" width="640" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">Downloading the final malware payload</td></tr> </tbody></table> <br /> Signing the malspam messages before sending them to their victims using valid certificates made it possible for the attackers behind JasperLoader malicious email campaigns to confirm their authenticity "as only those with access to the private keys should be able to sign the message."<br /> <br /> <blockquote class="tr_bq"> In addition, "abusing a legitimate email service allowed them to deliver their malicious emails in a way that would maximize the likelihood that a potential victim would open the attachments and infect themselves with JasperLoader," concluded Cisco Talos.</blockquote> <br /> Indicators of compromise (IOCs) are also provided by the Cisco Talos' research team in the form of <a href="https://alln-extcloud-storage.cisco.com/ciscoblogs/5cc1be63b4832.txt">SHA256</a> attachment hashes, list of used domains and IP addresses. <a href="https://www.bleepingcomputer.com/news/security/europeans-hit-with-multi-stage-malware-loader-via-signed-malspam/"><span style="font-size: xx-small;">Source</span></a></div>

Europe GootKit Hacking News JasperLoader Malspam Malwares Spam Multi-Stage Malware Loader Hits Europeans via Signed Malspam

Multiple malicious spam campaigns using signed emails have been observed while distributing the GootKit (aka talalpek or Xswkit) banking ...

Read more »

18.5 Million Websites Infected With Malware

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX7tz1gHmgqsrr-J_aVIopZgZubXEunrBTNrAq0HQtwzYyAXdSGnrxqAKJ8MdV_UnVTh0u8FWcayQlOibNEOIrGlRrWEzi-F5NSjTd1q6BdRC4z45xNLyFKVRYsZsOWKLNynTKk5o8XcE/s1600/website-malware-attack.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="website-malware-attack" border="0" data-original-height="438" data-original-width="1339" height="208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX7tz1gHmgqsrr-J_aVIopZgZubXEunrBTNrAq0HQtwzYyAXdSGnrxqAKJ8MdV_UnVTh0u8FWcayQlOibNEOIrGlRrWEzi-F5NSjTd1q6BdRC4z45xNLyFKVRYsZsOWKLNynTKk5o8XcE/s640/website-malware-attack.PNG" title="website-malware-attack" width="640" /></a></div>On the internet, there are more than 1.86 billion websites. Around 1% of these -- something like 18,500,000 -- are infected with malware at a given time each week; while the average website is attacked 44 times every day.<br /> <br /> Sitelock has published its Q4 2017 Website Security Insider analysis of malware and websites based on statistics from 6 million of its 12 million customers. All these customers use at least one of Sitelock's malware scanners, while a smaller subset also use the firm's cloud-based web application firewall (WAF). <b>The WAF provides insight into <a href="http://www.hackerschronicle.com/search/label/DDoS">DDoS </a>attacks against websites,</b> while the scanners provide insight into the state of malware in websites.<br /> <br /> The analysis shows an increase of <b>around 20% in the number of infected websites over Q3 2017</b>. <b>"We went from about 0.8% of our user base in Q3 to a little over 1% in Q4," Sitelock research analyst Jessica Ortega told SecurityWeek</b>. A 0.2% increase seems a small number, but it implies that up to 18.5 million websites worldwide may be infected with malware at any given time.<br /> <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi96ShNSJGwhEKKtBYEvxe-DCuwC_l6Ik61yW8duVvKOJ-jjGYp_YboO2RGKwmZmZtP49uzQxRbj6hTRZifQ00legX-H3iuO0w0ooUzTnqxgGvoNsUBTp21NdsOWadOk6BgyvgTPOD-oPo/s1600/website-attack.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="200" data-original-width="800" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi96ShNSJGwhEKKtBYEvxe-DCuwC_l6Ik61yW8duVvKOJ-jjGYp_YboO2RGKwmZmZtP49uzQxRbj6hTRZifQ00legX-H3iuO0w0ooUzTnqxgGvoNsUBTp21NdsOWadOk6BgyvgTPOD-oPo/s640/website-attack.png" width="640" /></a></div><br /> Despite the increase in infected sites, continued Ortega, "The total number of attacks or attempted attacks actually decreased by about 20% -- so what we're seeing is that it takes fewer attack attempts to compromise the websites. Attackers are becoming sneakier, and more difficult-to-decode malware is coming through."<br /> <br /> The majority of Sitelock's customers are typically small businesses and blogs. "<b>Many website owners remain unaware that website security is their responsibility and rely too heavily </b>on popular search engines and other <b>third parties to notify them when they've been compromised</b>," <b>said Ortega.</b> This doesn't work -- less than 1 in 5 infected websites are blacklisted by the search engines.<br /> <br /> Other owners rely on their CMS software provider to keep them secure with security updates. But according to Sitelock, 46% of <a href="http://www.hackerschronicle.com/search/label/Wordpress">WordPress</a> sites infected with malware were up to date with the latest core updates. Those also using plug-ins were twice as likely to be compromised.<br /> <br /> It is the sheer volume of both threats and compromises that is most surprising. During Q4 2017, <b>Sitelock cleaned an average of 672,655 <a href="http://www.hackerschronicle.com/search/label/Malwares">malici<span id="goog_234162612"></span><span id="goog_234162613"></span>ous </a>files every week. </b>It found an average of 309 infected files per site. Sixteen percent of malware results in site defacements, while more than 12% are backdoors facilitating the upload of thousands of other malicious files including exploit kits and phishing pages.<br /> <br /> <b>Jessica Ortega, a research analyst at Sitelock, comments that the malicious files are often stored on websites in zip files.</b> Even if active files are removed, the site can be compromised again, and the zip file extracted for the attacker to continue precisely as before.<br /> <br /> One of the problems is that the average website is very easy to compromise. <b>Sitelock's analysis in Q4 found an average of 414 pages per site containing cross-site scripting (XSS)</b> vulnerabilities; 959 pages per site containing SQL injection (SQLi) vulnerabilities; and 414 pages per site containing cross-site request forgery (CSRF) vulnerabilities.<br /> <br /> <blockquote class="tr_bq">Even CSM security updates can be used against the website if they are not immediately installed. <b>"Attackers can see what vulnerabilities have been patched in the latest update, and develop an exploit for those <a href="http://www.hackerschronicle.com/search/label/Vulnerability">vulnerabilities</a>.</b> They then scan the internet for, for example, WordPress sites that haven't yet been updated, and compromise them."</blockquote><br /> Understanding the attackers' motives is key to understanding the threat to small business websites. "A lot of attackers go for the low-hanging fruit, and small business websites are among the softest and easiest targets because so many owners don't even realize they need security," e<b>xplains Ortega</b>. One of the primary motivations is to improve the search engine rankings of the attackers' own customers, by inserting backlinks to the customer website.<br /> <br /> "Or they use it to attack the website's visitors -- for example, by phishing credentials," she continued; "and <b>obviously the longer that a phishing site stays up, the greater the number of credentials it can potentially steal.</b> Or they're just trying to further spread their malware to visitors via exploit kits."<br /> <br /> Compromising small business websites is a numbers game for the criminals. Each site has a relatively small reach in the volume of visitors that can be exploited, but the sheer number of sites combined with the ease of compromise makes it worthwhile. And it is complicated by being perhaps the last refuge of the skiddie. As large companies improve their own security, small companies increasingly attract low-skilled skiddies who hack for personal aggrandizement -- those who do it because they can, and then boast about it.<br /> <br /> <b>Sixteen percent of infected sites were subsequently defaced,</b> often with a political or religious message, often <b>by script skiddies</b>.<br /> For a list of best Android Mobile Hacking Apps: <a href="https://joyofandroid.com/best-hacking-apps-for-android/">Refer Here</a><br /> </div>

DDoS Hacking News Malwares sitelock Vulnerability 18.5 Million Websites Infected With Malware

On the internet, there are more than 1.86 billion websites. Around 1% of these -- something like 18,500,000 -- are infected with malware at ...

Read more »

Intel processors will use hardware-based protections against Meltdown and Spectre 2

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9EtGh1NAW69qca9ByY_y1QdHET3Iwt7bxUc37EhPSlTaJJFQNiy49abJzlV0iIx62d7Ni21AFBKVob3eeDXqBb5jdZeAvaLOseuAkgrXcRP0n-2GjKGTMrF-lz5cEyFGKR21uYXhsOnee/s1600/intel-meltdown-spectre-patch.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9EtGh1NAW69qca9ByY_y1QdHET3Iwt7bxUc37EhPSlTaJJFQNiy49abJzlV0iIx62d7Ni21AFBKVob3eeDXqBb5jdZeAvaLOseuAkgrXcRP0n-2GjKGTMrF-lz5cEyFGKR21uYXhsOnee/s640/intel-meltdown-spectre-patch.png" width="640" /></a></div> <br /> Intel has officially pushed out microcode updates with Spectre and Meltdown mitigations for all of the processors it launched in the past five years.<br /> <br /> In addition to this, the company’s CEO announced new, redesigned processor lines that will start shipping later this year and will include hardware-based protection for Meltdown (exploiting CVE-2017-5754, a rogue cata cache load flaw) and variant 2 of Spectre (exploiting CVE-2017-5715, a branch target injection <a href="http://www.hackerschronicle.com/search/label/Vulnerability">vulnerability</a>).<br /> <blockquote class="tr_bq"> “While [Spectre] Variant 1 will continue to be addressed via software mitigations, we are making changes to our hardware design to further address the other two,” Intel CEO Brian Krzanich <a href="https://newsroom.intel.com/editorials/advancing-security-silicon-level/">said</a>.</blockquote> “We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both Variants 2 [<a href="http://www.hackerschronicle.com/search/label/spectre">Spectre</a>] and 3 [<a href="http://www.hackerschronicle.com/search/label/meltdown">Meltdown</a>]. Think of this partitioning as additional ‘protective walls’ between applications and user privilege levels to create an obstacle for bad actors. These changes will begin with our next-generation Intel Xeon Scalable processors (code-named Cascade Lake) as well as 8th Generation Intel Core processors expected to ship in the second half of 2018. ”<br /> <br /> He did not offer more details about these protections, but the video included in the announcement says that the Spectre variant 2 fixes will make it so that attackers can’t influence the path the speculative execution process and use misdirections to gain access to sensitive data. The solution, Intel says, “retains the many benefits of speculative execution, while addressing the threat of variant 2.”<br /> <br /> Organizations and users who don’t want to spend money on new processors will have to make do with the firmware updates for the old ones – and suffer some performance impacts.<br /> <br /> <blockquote class="tr_bq"> “We have now released <a href="https://newsroom.intel.com/wp-content/uploads/sites/11/2018/03/microcode-update-guidance.pdf">microcode updates</a> for 100 percent of Intel products launched in the past five years that require protection against the side-channel method vulnerabilities discovered by Google,” Krzanich noted.</blockquote> <br /> It is on industry partners like Microsoft to implement them via firmware and software updates.<br /> <br /> Krzanich, of course, advised everyone to implement the updates as they are made available.</div>

CVE-2017-5715 Hacking News intel Malwares meltdown spectre Intel processors will use hardware-based protections against Meltdown and Spectre 2

Intel has officially pushed out microcode updates with Spectre and Meltdown mitigations for all of the processors it launched in the pas...

Read more »

5 Million Popular Android Phones found with pre-installed malwares

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZTEE4Eu0Mm9uTy7XH2DIQs9OMuUpOneSwROHzMWaEAGRIQyz4cPiGfLnxYIBUUTRU4_h37MkHB8YdM0X6eIXS6AyFdq7hlUqzphIauQLEFd_jTmyLPnzfjmAti3ZuBbXAqyktg5xU5IQL/s1600/android-botnet-malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Millions of Android infected with RoyyenSys Malware" border="0" data-original-height="380" data-original-width="728" height="334" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZTEE4Eu0Mm9uTy7XH2DIQs9OMuUpOneSwROHzMWaEAGRIQyz4cPiGfLnxYIBUUTRU4_h37MkHB8YdM0X6eIXS6AyFdq7hlUqzphIauQLEFd_jTmyLPnzfjmAti3ZuBbXAqyktg5xU5IQL/s640/android-botnet-malware.png" title="Millions of Android infected with RoyyenSys Malware" width="640" /></a></div> <br /> Security researchers at CheckPoint have discovered that Chinese Cyber Criminals are using a malware named as RottenSys to attack android phones all over the world; almost 5 million android devices in their botnet network.<br /> <br /> <blockquote class="tr_bq"> "The Check Point Mobile Security Team has discovered a new widespread malware family targeting nearly 5 million users for fraudulent ad-revenues. They have named it ‘RottenSys’ for in the sample we encountered it was initially disguised as a System Wi-Fi service." according to checkpoint analysis report.</blockquote> <br /> Experts found an unusual self-proclaimed system Wi-Fi service (<b>系统WIFI服务</b>) on a Xiaomi Redmi phone ans started their investigation. They found that the application does not provide any secure Wi-Fi related service to users. Instead, it asks for many sensitive Android permissions such as accessibility service permission, user calendar read access and silent download permission, which are not related to Wi-Fi service. Their key findings were: <br /> <ul style="text-align: left;"> <li>RottenSys, a mobile adware, has infected nearly 5 million devices since 2016.</li> <li>Indications show the malware could have entered earlier in the supplier chain.</li> <li>The attackers have been testing a new botnet campaign via the same C&C server.</li> </ul> <br /> The RottenSys malware implements two evasion techniques:<br /> <br /> <ul style="text-align: left;"> <li>The first technique consists of postponing operations for a set time.</li> </ul> <ul style="text-align: left;"> <li>The second technique uses a dropper which does not display any malicious activity at first. Once the device is active and the dropper contacts the Command and Control (C&C) server which sends it a list of additional components required for its activity.</li> </ul> <br /> The malicious code relies on two open-source projects:<br /> <br /> <ul style="text-align: left;"> <li>The <a href="https://github.com/wequick/small">Small virtualization</a> framework. RottenSys uses Small to create virtualized containers for its components, with this trick the malware could run parallel tasks, overwhelming Android OS limitations.</li> </ul> <ul style="text-align: left;"> <li>The <a href="https://github.com/Marswin/MarsDaemon">MarsDaemon library</a> that keeps apps “undead.” MarsDaemon is used to keep processes alive, even after users close them. Using it the malware is always able to inject ad.</li> </ul> <blockquote class="tr_bq"> “This botnet will have extensive capabilities including silently installing additional apps and UI automation. Interestingly, a part of the controlling mechanism of the botnet is implemented in Lua scripts. Without intervention, the attackers could re-use their existing malware distribution channel and soon grasp control over millions of devices.” according to the same the analysis.</blockquote> <br /> According to the findings, the RottenSys malware began propagating in September 2016. By 12 March 2018; 49,64,460 devices were infected by RottenSys. The <b>top impacted mobile devices brands are Honor, Huawei, and Xiaomi</b>.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxXBJHEKCJ1oz9o8PufOTzv_xLou6yIZ9Q0vRJOArfc7r6bT8zbO2SqNS5Zs9VwU197EzHf4eet2quIs8LrENggDTEp67S8-WS-PtW_ez_YDXKdCr9TSnTRshxADpPqIxJ9cwq7KgGg3bm/s1600/android-phones-infected-with-rottebsys-malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="316" data-original-width="747" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxXBJHEKCJ1oz9o8PufOTzv_xLou6yIZ9Q0vRJOArfc7r6bT8zbO2SqNS5Zs9VwU197EzHf4eet2quIs8LrENggDTEp67S8-WS-PtW_ez_YDXKdCr9TSnTRshxADpPqIxJ9cwq7KgGg3bm/s640/android-phones-infected-with-rottebsys-malware.png" width="640" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZGg8FdzCwQIbAYcRIVctfEi3NM0An11IvuJ5860GPeAoiBxnyNdHtvisEk5BNmpRPtkff5ru3uhhJMSm7s3wdeVie4TX4k7bfzwxxVDSH4RD6fA2H_rut6fv4dy9iFvq5o1vSlOoWIjb5/s1600/chinese-phones-infected-with-malwares.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="329" data-original-width="543" height="386" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZGg8FdzCwQIbAYcRIVctfEi3NM0An11IvuJ5860GPeAoiBxnyNdHtvisEk5BNmpRPtkff5ru3uhhJMSm7s3wdeVie4TX4k7bfzwxxVDSH4RD6fA2H_rut6fv4dy9iFvq5o1vSlOoWIjb5/s640/chinese-phones-infected-with-malwares.png" width="640" /></a></div> <br /> <br /> RottenSys is totally focusing on aggressive ad network for making huge profits. In the past 10 days alone, it displayed ads 13,250,756 times (commonly called impressions) and out of which 548,822 were converted into ad clicks. We tried to roughly calculate the revenue from these impressions and clicks according to the conservative estimation of 20 cents for each click and 40 cents for each thousand impressions. According to these calculations, <b>the attackers earned over $1,15,000 from their malicious operation in the last ten days alone!</b></div>

Botnet Chinese Hackers Hacking News honor huawei Malwares rottensys xiomi 5 Million Popular Android Phones found with pre-installed malwares

Security researchers at CheckPoint have discovered that Chinese Cyber Criminals are using a malware named as RottenSys to attack android...

Read more »

ISRO computers infected with Malwares, Could be Hacked

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtAoCP4N_b7bZzZsDPujcRd4jTlXUpqHy2oQBMrNtsCQ68UOoIJwYgYhb-Mf3QFHpBMeM12af-3wFRZrJNX_TVnHPr9xC9UpPyIjz6fcK9Nt4KB7csDCkPXfhbwwt1AFVohsoWD4oK9MQx/s1600/ISRO-infected-with-trojan.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Malware-attack-on-ISRO" border="0" data-original-height="338" data-original-width="666" height="324" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtAoCP4N_b7bZzZsDPujcRd4jTlXUpqHy2oQBMrNtsCQ68UOoIJwYgYhb-Mf3QFHpBMeM12af-3wFRZrJNX_TVnHPr9xC9UpPyIjz6fcK9Nt4KB7csDCkPXfhbwwt1AFVohsoWD4oK9MQx/s640/ISRO-infected-with-trojan.jpg" title="Malware-attack-on-ISRO" width="640" /></a></div> <br /> Security researchers have claimed that a malware has infected computer systems of India’s premier space research agency, <a href="http://www.hackerschronicle.com/search/label/isro">Indian Space and Research Organization</a> (ISRO).<br /> <br /> Indian and French security experts believe that using the <a href="http://www.hackerschronicle.com/search/label/Vulnerability">vulnerability</a>, hackers could have easily taken control of ISRO’s command rocket launches.<br /> <br /> On December 2017, the researchers detected a trojan malware, known as <a href="http://www.hackerschronicle.com/search/label/xtremerat">XtremeRAT</a>, in ISRO servers and they immediately reported to the agency by an Indian researcher. However, ISRO responded and resolved the issue only after French researcher Robert Baptiste reached out to the agency on Twitter.<br /> <br /> “ISRO in their conversation with me informed that that investigated and found a UTM login port that was not mapped internally to any systems.They claimed to have disabled that port for now,” said Baptiste quoting ISRO’s communication.<br /> <br /> The <a href="http://www.hackerschronicle.com/search/label/Malwares">malware </a>had infected the ISRO’s Telemetry, Tracking and Command Networks (ISTRAC) whose main function is to provide tracking support for all the satellite and launch vehicle missions of ISRO.<br /> <br /> “The malware was probably infected on a computer that had access to servers used for Tracking and Command (TTC) services that help launch vehicle lift-off till injection of a satellite. A computer which was probably used to command rocket launches and separation of a satellite. I say ‘probably infected’ because no one knows which computer was used,” said the Indian researcher.<br /> <br /> <b>XtremeRAT </b>is a commercially available <a href="http://www.hackerschronicle.com/search/label/rat">remote access Trojan</a> (RATs) used by hackers to conduct cyber espionage. There are a number of RATs that are available for free and can be purchased online. It allows the hacker to hack specific target’s servers and databases.<br /> <br /> "If infected with a <a href="http://www.hackerschronicle.com/search/label/Trojan">trojan</a>, the attacker owns the computer. The hacker can command the computer to do absolutely anything he wants. He just has to use the Remote Desktop Protocol (RDP) to access a computer. Has there been a data loss? most likely yes,” says the Indian researcher. </div>

Hacking News isro Malwares rat Trojan xtremerat ISRO computers infected with Malwares, Could be Hacked

Security researchers have claimed that a malware has infected computer systems of India’s premier space research agency, Indian Space a...

Read more »

Saposhi a new malware to take down all IoT devices is out

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ8p7qWG1DwmBPgKLhzzWdUqUSRexWf70vpudaCzjinTSUdHMKaE0_AZwb1d8bUoIhdL-tpGAdYEPROknhA8DhDrAq9wy5caeaAv26qLpkHmmO5kzkSKNxBtR4vv5R83lUiTNqHsbbyYy9/s1600/Saposhi-DDoS-Malware.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Saposhi a new malware to take down all IoT devices is out" border="0" data-original-height="750" data-original-width="1000" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ8p7qWG1DwmBPgKLhzzWdUqUSRexWf70vpudaCzjinTSUdHMKaE0_AZwb1d8bUoIhdL-tpGAdYEPROknhA8DhDrAq9wy5caeaAv26qLpkHmmO5kzkSKNxBtR4vv5R83lUiTNqHsbbyYy9/s640/Saposhi-DDoS-Malware.jpg" title="Saposhi a new malware to take down all IoT devices is out" width="640" /></a></div> <br /> Cybersecurity agencies detected a new malware <b>Saposhi</b> , which can cripple the entire industries by taking over electronic devices and turning them into 'bots', which can be used for <a href="http://www.hackerschronicle.com/search/label/DDoS">Distributed Denial of Service</a> (DDoS) attacks .<br /> <br /> The <b>new malware Saposhi was detected around 15 days ago</b> according to a report of the Hindu, and is currently being watched and studied.<br /> <br /> <b>“Saposhi is similar in its intensity to Reaper, which was taking over millions of devices at the rate of 10,000 devices per day.</b> Various cybersecurity agencies are currently keeping tabs on it to get a better idea of what it is capable of,” he said.<br /> <br /> A Central Government organisation <b>'the Computer Emergency Response Team (CERT)', had issued an alert about malwares </b>Mirai, and Reaper, but has not yet issued any alert regarding the new malware.<br /> <br /> <b>“We need to first ensure that the information we have is indeed substantiated before raising alarm bells.</b> Right now, what we know for sure is that Saposhi exists, and is highly capable. Factors like whether it is aimed at any particular kind of device, or has a specific purpose are still being verified,” a officer said.<br /> <br /> <a href="http://www.hackerschronicle.com/search/label/Malwares">Malwares </a>which are primarily aimed at DDoS attacks first creates a 'botnet,'network of bots, these botnet are used to ping a server at the same time. If the<b> number of pings increases beyond the server’s capacity, the server crashes and denies service.</b> Saposhi, Reaper and Mirai are DDoS attack malwares.<br /> <br /> In July 2016, small and medium internet service providers in Maharashtra fell prey to a DDoS attack, which caused disruption in the services of several Internet Service Providers (ISP) in the State.<br /> <br /> In 2016, Mirai, using a botnet of 5 lakh devices, had caused the servers of Dyn, a leading domain name service provider, to crash, affecting services of popular websites like Twitter, Netflix and Reddit.<br /> <br /></div>

Botnet CyberSecurity DDoS Malwares Mirai News Reaper Saposhi Saposhi a new malware to take down all IoT devices is out

Cybersecurity agencies detected a new malware Saposhi , which can cripple the entire industries by taking over electronic devices and t...

Read more »

Chinese Firm selling Smartphones with pre-installed Banking Malwares

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWokGpvxoy8oZjI0OOsnHmsDJZF42nU3B2PxFze5HaOa9uatC4LEkVg6JPnXiv6LK5yg0JGyZjpvyd3JgOk3TNKrvx_vJDxS5UWTw4GiOwILGCCyX7he3Pua0OTE6aDE_PpfX0qkCaaIb0/s1600/triada-trojan-preinstalled-on-brand-new-smartphones.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Triada Trojan pre-installed brand new Smartphones" border="0" data-original-height="840" data-original-width="1280" height="420" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWokGpvxoy8oZjI0OOsnHmsDJZF42nU3B2PxFze5HaOa9uatC4LEkVg6JPnXiv6LK5yg0JGyZjpvyd3JgOk3TNKrvx_vJDxS5UWTw4GiOwILGCCyX7he3Pua0OTE6aDE_PpfX0qkCaaIb0/s640/triada-trojan-preinstalled-on-brand-new-smartphones.jpg" title="Triada Trojan pre-installed brand new Smartphones" width="640" /></a></div> <br /> More than 40 models of low-cost Android smartphones are sold already infected with the Triada banking trojan, says Dr.Web, a Russia-based antivirus vendor. The security vendor published today a list of 42 Android models its researchers analyzed and found to be infected with the Android.Triada.231 trojan.<br /> <br /> <a href="http://www.hackerschronicle.com/search/label/Triada" target="_blank">Triada </a>is a very powerful Android banking trojan discovered in early 2016. It can root devices and then infect Zygote, a core <a href="http://www.hackerschronicle.com/search/label/Android" target="_blank">Android operating system</a> process, where it's almost impossible to remove without wiping the entire device and reinstalling the OS. Dr.Web says <b>it found the trojan on newly shipped devices from</b> lesser-known brands —mostly based in <b>China</b>— such as Leagoo, Doogee. Vertex, Advan, Cherry Mobile, and others.<br /> <br /> <br /> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCB5gEGCxF-NDcRb8zROpOkYNcfqXWrJuWu5nGZ7-WKEfCP56LQWC_pGRKufzMaaE1kdwqnC7yqDCV_RXJoF38NysnwpRwrV6AX9zqdeI-2twH-AP21yv4X4I5g-g81ZbGbh-Dc1_dzjTM/s1600/how-triada-works.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1600" data-original-width="1229" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCB5gEGCxF-NDcRb8zROpOkYNcfqXWrJuWu5nGZ7-WKEfCP56LQWC_pGRKufzMaaE1kdwqnC7yqDCV_RXJoF38NysnwpRwrV6AX9zqdeI-2twH-AP21yv4X4I5g-g81ZbGbh-Dc1_dzjTM/s400/how-triada-works.png" width="306" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">How Triada Works</td></tr> </tbody></table> <br /> <br /> "<b>The <a href="http://www.hackerschronicle.com/search/label/Malwares" target="_blank">malware </a>is present in the devices which are sold not only in Russia but globally</b>," a Dr.Web spokesperson told <b>Bleeping Computer</b> earlier today via email. "For instance, in Poland, Indonesia, China, the Checz Republic, Mexico, Kazakhstan and Serbia."<br /> <br /> Dr.Web's recent discovery isn't new, but it's a continuation of previous research. Back in July 2017, researchers found the same Triada trojan on four low-cost Android smartphone models —Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20. Researchers continued to look into the matter and eventually discovered 42 smartphone models that were coming with malware pre-installed out of the box.<br /> <br /> Experts say that their discovery over the summer didn't deter whoever was behind this action to stop. For example, they found Triada pre-installed on Leagoo M9 phones, a model launched in December 2017.<br /> <br /> The antivirus vendor says it contacted all affected vendors, believing one of their shared resellers was injecting the trojan before shipping devices forward. Instead, researchers figured out that a <b>software developer from Shanghai was most likely the source of the Triada infection</b>.<br /> <br /> "This company provided Leagoo with one of its applications to be included into an image of the mobile operating system, as well as with an instruction to add third-party code into the system libraries before their compilation," researchers say. "Unfortunately, this controversial request did not evoke any suspicions from the manufacturer. Ultimately, Android.Triada.231 got to the smartphones without any obstacles."<br /> <br /> Researchers say this Triada-infected application developed by the Shanghai company was signed with the same certificate that was seen in another malware infection, in November 2016 —an Android app with over 1 million downloads on the Google Play Store that was infecting users with the Android.MulDrop adware.<br /> <br /> In the end, this is just another case when users suffer the consequences of companies that fail to validate their software supply chain.<br /> <br /> The list of Android smartphone models that Dr.Web found infected with the Triada trojan right out of the box is below:<br /> <div class="content shadow-radial"> Leagoo M5<br /> Leagoo M5 Plus<br /> Leagoo M5 Edge<br /> Leagoo M8<br /> Leagoo M8 Pro<br /> Leagoo Z5C<br /> Leagoo T1 Plus<br /> Leagoo Z3C<br /> Leagoo Z1C<br /> Leagoo M9<br /> ARK Benefit M8<br /> Zopo Speed 7 Plus<br /> UHANS A101<br /> Doogee X5 Max<br /> Doogee X5 Max Pro<br /> Doogee Shoot 1<br /> Doogee Shoot 2<br /> Tecno W2<br /> Homtom HT16<br /> Umi London<br /> Kiano Elegance 5.1<br /> iLife Fivo Lite<br /> Mito A39<br /> Vertex Impress InTouch 4G<br /> Vertex Impress Genius<br /> myPhone Hammer Energy<br /> Advan S5E NXT<br /> Advan S4Z<br /> Advan i5E<br /> STF AERIAL PLUS<br /> STF JOY PRO<br /> Tesla SP6.2<br /> Cubot Rainbow<br /> EXTREME 7<br /> Haier T51<br /> Cherry Mobile Flare S5<br /> Cherry Mobile Flare J2S<br /> Cherry Mobile Flare P1<br /> NOA H6<br /> Pelitt T1 PLUS<br /> Prestigio Grace M5 LTE<br /> BQ 5510</div> </div>

Android Malwares News Triada Trojan Chinese Firm selling Smartphones with pre-installed Banking Malwares

More than 40 models of low-cost Android smartphones are sold already infected with the Triada banking trojan, says Dr.Web, a Russia-base...

Read more »

Hundreds of WordPress & Joomla websites infected by ionCube Malware

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCISRo1hVEm5OFH1EX19PrnmdBIUzNSp6gAAdsBSrLx5s5IaAAgkIQAr0prPNAVrgGoobG6Ffa2swbhS559R1Ho20Z1KVrXHE_G4Ke8WQH-K_8pQ3Fg3bwrEVSvnKMoZtlvlZlp57xHcUT/s1600/Wordpress-ionCube-Malware.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Joomla infected by malware" border="0" data-original-height="330" data-original-width="680" height="308" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCISRo1hVEm5OFH1EX19PrnmdBIUzNSp6gAAdsBSrLx5s5IaAAgkIQAr0prPNAVrgGoobG6Ffa2swbhS559R1Ho20Z1KVrXHE_G4Ke8WQH-K_8pQ3Fg3bwrEVSvnKMoZtlvlZlp57xHcUT/s640/Wordpress-ionCube-Malware.jpg" title="Wordpress infected by malware" width="640" /></a></div> <br /> Security researchers at SiteLock have discovered that hundreds of websites based on WordPress, Joomla and CodeIgniter have been infected with <a href="http://www.hackerschronicle.com/search/label/Malwares" target="_blank">malware </a>that masquerades as legitimate ionCube-encoded files.<br /> <br /> ionCube is an encoding technology used to protect PHP software from being viewed, changed, and run on unlicensed computers.<br /> <br /> The experts were analyzing an infected <a href="http://www.hackerschronicle.com/search/label/Wordpress" target="_blank">WordPress </a>website when discovered a number of suspicious obfuscated files – such as “<b>diff98.php</b>” and “<b>wrgcduzk.php</b>” – appearing almost identical to legitimate ionCube-encoded files. Further analysis conducted revealed that hundreds of websites were infected by the same ionCube Malware.<br /> <br /> “While reviewing an infected site, the SiteLock Research team found a number of suspiciously named, obfuscated files that appear almost identical to legitimate ionCube-encoded files. We determined the suspicious ionCube files were malicious, and found that hundreds of sites and thousands of files were affected.” reads the analysis published by SiteLock.<br /> <br /> “<b>Overall, our investigation found over 700 infected sites, totalling over 7,000 infected files.</b>”<br /> <br /> Further analysis revealed that attackers also compromised <a href="http://www.hackerschronicle.com/search/label/Joomla" target="_blank">Joomla </a>and <a href="http://www.hackerschronicle.com/search/label/CodeIgniter" target="_blank">CodeIgniter </a>websites. Threat actors packed their malware in a manner that appears ionCube-encoded files.<br /> <br /> The malicious code could theoretically infect any website based on a web server running PHP, once decoded, the fake ionCube files compose the ionCube malware.<br /> <br /> “While there’s still some degree of obfuscation, the presence of the <b>$_POST and $_COOKIE </b>superglobals and the eval request at the end of the file reveal its true purpose: to accept and execute remotely supplied code.” continues the analysis. “It looks like the remote code supplied to this file is further obfuscated and there may be some sort of access control implemented, judging by the GUID-formatted string present.” <br /> <br /> <br /> The researchers also provided recommendations to mitigate the ionCube Malware, they suggest administrators check the presence of ionCube-encoded files as an indicator of compromise.<br /> <br /> If an infection is detected, the scanning of the entire site is recommended, to completely eliminate the threat, the researchers also suggest the adoption of a web application <a href="http://www.hackerschronicle.com/search/label/Firewall" target="_blank">firewall </a>(WAF).<br /> <br /> “If you find indicators of this infection, we strongly recommend having your site scanned for malware as soon as possible, as this malware seldom appears on its own.” concluded the analysis.<br /> <br /> “This is especially important if you are using an ionCube-encoded application, as manually differentiating the malicious files from the legitimate ones is difficult, and <b>it is common to see up to 100 slightly different variants of this malware on a single site.</b> “<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjG2L3QHgleFLiGBwrwUF9mAtKK6KMFj1qG1bwIDIBEqOjGYAeNF0kz2JPqNiiS_RdFwXk7-WnV885oD1wfunLLE6tQ_692BaUArItvSegjDxj7phn5zy7BLYBBRSD4WaimFw9PlUpFhiG0/s1600/ionCube-Malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="ionCube Malware" border="0" data-original-height="516" data-original-width="940" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjG2L3QHgleFLiGBwrwUF9mAtKK6KMFj1qG1bwIDIBEqOjGYAeNF0kz2JPqNiiS_RdFwXk7-WnV885oD1wfunLLE6tQ_692BaUArItvSegjDxj7phn5zy7BLYBBRSD4WaimFw9PlUpFhiG0/s640/ionCube-Malware.png" title="ionCube Malware" width="640" /></a></div> </div>

CodeIgniter ionCube Joomla Malwares News Wordpress Hundreds of WordPress & Joomla websites infected by ionCube Malware

Security researchers at SiteLock have discovered that hundreds of websites based on WordPress, Joomla and CodeIgniter have been infected...

Read more »

Thousands of Jenkins Servers Hacked to mine Monero

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi30dKMYj2OqNHjon8iwHK-B2-NX3L8DMpuxaf4Uz35m9U95sYLWh6_RvDzVGhuVrhQBYPWzbBpLejYYk90VBl9AMWNMvPogHpX7d3VRjqIr5V0IUmp6dSy7nu3y_d2rB5N5Vmkbf9Pebv8/s1600/JenkinsMinerMalware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Jenkins-Hacked-to-Mine-Monero" border="0" data-original-height="455" data-original-width="1250" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi30dKMYj2OqNHjon8iwHK-B2-NX3L8DMpuxaf4Uz35m9U95sYLWh6_RvDzVGhuVrhQBYPWzbBpLejYYk90VBl9AMWNMvPogHpX7d3VRjqIr5V0IUmp6dSy7nu3y_d2rB5N5Vmkbf9Pebv8/s640/JenkinsMinerMalware.png" title="Jenkins-Hacked-to-Mine-Monero" width="640" /></a></div> A hacker group has made over $3 million by breaking into Jenkins servers and installing malware that mines the Monero cryptocurrency.<br /> <br /> Hackers are targeting <a href="http://www.hackerschronicle.com/search/label/Jenkins" target="_blank">Jenkins</a>, a continuous integration/deployment web application built in Java that allows dev teams to run automated tests and execute various operations based on test results, including deploying new code to production servers. Because of this, Jenkins servers are extremely popular with both freelance web developers, but also with large enterprises.<br /> <br /> A cyber security research firm announced it uncovered the footprint of a large hacking operation targeting Jenkins servers left connected to the Internet.<br /> <br /> <b>Hackers using Jenkins RCE flaw</b><br /> Attackers were leveraging <a href="https://jenkins.io/security/advisory/2017-04-26/" target="_blank">CVE-2017-1000353</a>, a vulnerability in the Jenkins Java deserialization implementation that allows attackers to run malicious code remotely without needing to authenticate first. Hackers used this vulnerability to make Jenkins servers download and install a <a href="http://www.hackerschronicle.com/search/label/Monero" target="_blank">Monero </a>miner (minerxmr.exe).<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGiJBIbSv3T6AcNnIggGFU6KI9Fa7h_RMAkL2X178JZtCNr18o3UaL6pDbIrFHphdQhExL1qczWJZima4L3odaVMSPBcfBENnzYP2UvBu0xMYyf3g12jVpeh5-tHTLbcfz8CFuWHiG5EZ3/s1600/Jenkins-Servers-Hacked.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Jenkins-Servers-Hacked" border="0" data-original-height="438" data-original-width="894" height="312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGiJBIbSv3T6AcNnIggGFU6KI9Fa7h_RMAkL2X178JZtCNr18o3UaL6pDbIrFHphdQhExL1qczWJZima4L3odaVMSPBcfBENnzYP2UvBu0xMYyf3g12jVpeh5-tHTLbcfz8CFuWHiG5EZ3/s640/Jenkins-Servers-Hacked.png" title="Jenkins-Servers-Hacked" width="640" /></a></div> The miner was being downloaded from an IP address located in <a href="http://www.hackerschronicle.com/search/label/Chinese%20Hackers" target="_blank">China </a>and assigned to the Huaian government network. It is unclear if this is the attacker's server, or a compromised server used to host the miner on behalf of the hackers.<br /> <br /> The attackers have been active for months. This has allowed them to mine and already <b>cash out over 10,800 Monero, which is over $3.4 million</b>, at the time of writing.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAqpuzY6xKEdjtbSmFtVncj31DDAvoeEG1EWeQhjXtUuETPrbwk2kSmDGOM-LnQyGWO_h9yvUBMqsK8YJ89JXXivyRoJryex7oY0lESJFLvrzSy6GjANkgpdJ_SN23HSFr9OMHvLoQy1vc/s1600/Monero-Mining-Malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Monero-Mining-Malware" border="0" data-original-height="475" data-original-width="1175" height="257" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAqpuzY6xKEdjtbSmFtVncj31DDAvoeEG1EWeQhjXtUuETPrbwk2kSmDGOM-LnQyGWO_h9yvUBMqsK8YJ89JXXivyRoJryex7oY0lESJFLvrzSy6GjANkgpdJ_SN23HSFr9OMHvLoQy1vc/s640/Monero-Mining-Malware.png" title="Monero-Mining-Malware" width="640" /></a></div> Researchers say the group appears to have compromised mostly Jenkins instances running on Windows operating systems.<br /> <br /> <b>Over 25,000 Jenkins servers left exposed online</b><br /> Attackers aren't the only ones who've noticed the large number of Jenkins servers available online. In mid-January, security researcher Mikail Tunç published <a href="https://emtunc.org/blog/01/2018/research-misconfigured-jenkins-servers/" target="_blank">research</a> highlighting that there were over 25,000 Jenkins servers left exposed to Internet connections at the time of his research.<br /> <br /> Also on Friday, Researchers released new research on other hackers leveraging the <b>CVE-2017-10271</b> flaw to infect Oracle WebLogic servers with malware. This vulnerability has been under active exploitation <b>since early December 2017</b>, and one group has already made <b>more than $226,000</b>.<br /> <br /> Besides Jenkins and <b>Oracle WebLogic</b> servers, hackers are also targeting <b>Ruby on Rails, PHP, and IIS </b>servers, also deploying Monero-mining malware.<br /> <br /> Monero-mining malware is already this year's biggest <a href="http://www.hackerschronicle.com/search/label/Malwares" target="_blank">malware trend/problem</a>, with numerous malware distribution campaigns spreading such payloads on any unsecured computer/server crooks can get their hands on.</div>

Cryptocurrency Hacking News Jenkins Malwares Miner Monero News Thousands of Jenkins Servers Hacked to mine Monero

A hacker group has made over $3 million by breaking into Jenkins servers and installing malware that mines the Monero cryptocurrency. H...

Read more »

Russian military involved in NotPetya attacks: UK

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> </div> <br /> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghzYNI6Anca1BCGPLXTKDzKA8JIHruZe9_LhR5xzxe8ZwQXo9WmTcdPFX5m1gDRJ_HRv73E1fkym1SmN75JvW1fkuPTqLa0w4zl0DvFRx01JjU-MYf3BvK9XYJvqNf-aHMNXN5ZMDQwySm/s1600/Russian+military+involved+in+NotPetya+attacks.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="Russian military involved in NotPetya attacks: UK" border="0" data-original-height="450" data-original-width="800" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghzYNI6Anca1BCGPLXTKDzKA8JIHruZe9_LhR5xzxe8ZwQXo9WmTcdPFX5m1gDRJ_HRv73E1fkym1SmN75JvW1fkuPTqLa0w4zl0DvFRx01JjU-MYf3BvK9XYJvqNf-aHMNXN5ZMDQwySm/s640/Russian+military+involved+in+NotPetya+attacks.jpg" title="Russian military involved in NotPetya attacks: UK" width="640" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">Russian military involved in NotPetya attacks: UK</td></tr> </tbody></table> <br /> <div style="background-color: white; color: #080e14; font-family: Raleway, sans-serif; font-size: 18px; line-height: 30px; margin-bottom: 21px;"> The UK government has officially accused the Russian government of June's disruptive and hugely costly NotPetya malware attack.</div> <div style="background-color: white; color: #080e14; font-family: Raleway, sans-serif; font-size: 18px; line-height: 30px; margin-bottom: 21px;"> "The UK Government judges that the Russian government, specifically the <a href="http://www.hackerschronicle.com/search/label/Russian%20Millitary">Russian military</a>, was responsible for the destructive NotPetya cyber-attack of June 2017," Foreign Office minister for Cyber Security, Tariq Ahmad, said in a statement.</div> <div style="background-color: white; color: #080e14; font-family: Raleway, sans-serif; font-size: 18px; line-height: 30px; margin-bottom: 21px;"> "The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organizations across Europe, costing hundreds of millions of pounds."</div> <div style="background-color: white; color: #080e14; font-family: Raleway, sans-serif; font-size: 18px; line-height: 30px; margin-bottom: 21px;"> Initially, NotPetya was thought to be <a href="http://www.hackerschronicle.com/search/label/Ransomeware">ransomware</a>, but security researchers quickly concluded it was more likely to be destructive <a href="http://www.hackerschronicle.com/search/label/Malwares">malware</a> designed to wipe systems.</div> <div style="background-color: white; color: #080e14; font-family: Raleway, sans-serif; font-size: 18px; line-height: 30px; margin-bottom: 21px;"> The UK's National Cyber Security Centre (NCSC) today revealed it came to the same conclusion, noting that the malware was only masquerading as ransomware and its main purpose was to disrupt.</div> <div style="background-color: white; color: #080e14; font-family: Raleway, sans-serif; font-size: 18px; line-height: 30px; margin-bottom: 21px;"> The NCSC said the Russian military was "almost certainly responsible" for the NotPetya attack.</div> <div style="background-color: white; color: #080e14; font-family: Raleway, sans-serif; font-size: 18px; line-height: 30px; margin-bottom: 21px;"> Shipping container firm Maersk, FedEx's Dutch delivery subsidiary TNT Express, and UK firm Reckitt Benckiser were among global firms that suffered severe disruptions and several hundred million dollars in lost revenue. However, the <b>firms</b>, however, <b>were collateral damage in the ongoing conflict between Ukraine and Russia</b>.</div> <div style="background-color: white; color: #080e14; font-family: Raleway, sans-serif; font-size: 18px; line-height: 30px; margin-bottom: 21px;"> Below is the flow of Petya Attack Flow : </div> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfrK5YZfsqC6QuFhNHu1m9yN_VZ7bbK1oGuZ3gdTmJCRxM5MnqajYsWTSdyjs9ViXPqGXr_u29ZWWuvHag9u8MigR588GTZBzHjPW2xZEIGrzqxScUBcTeKBZNaJNzFkswON6w0bYBQ0vx/s1600/petya-attack-flow.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="Russian military involved in NotPetya attacks: UK" border="0" data-original-height="424" data-original-width="800" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfrK5YZfsqC6QuFhNHu1m9yN_VZ7bbK1oGuZ3gdTmJCRxM5MnqajYsWTSdyjs9ViXPqGXr_u29ZWWuvHag9u8MigR588GTZBzHjPW2xZEIGrzqxScUBcTeKBZNaJNzFkswON6w0bYBQ0vx/s640/petya-attack-flow.png" title="Russian military involved in NotPetya attacks: UK" width="640" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">Russian military involved in NotPetya attacks: UK</td></tr> </tbody></table> <div style="background-color: white; color: #080e14; font-family: Raleway, sans-serif; font-size: 18px; line-height: 30px; margin-bottom: 21px;"> <br /></div> <div style="background-color: white; color: #080e14; font-family: Raleway, sans-serif; font-size: 18px; line-height: 30px; margin-bottom: 21px;"> <b>NotPetya employed the NSA <a href="http://www.hackerschronicle.com/search/label/Exploits">exploits </a>for Windows known as EternalBlue and EternalRomance</b> as well as credential-dumping tools to spread internally across networks once one machine was infected. The exploits were leaked in April by The Shadow Brokers.</div> <div style="background-color: white; color: #080e14; font-family: Raleway, sans-serif; font-size: 18px; line-height: 30px; margin-bottom: 21px;"> The malware<b> initially infected organizations via a compromised update from Ukraine</b> accounting software provider MEDoc. Its MEDoc software is one of two accounting packages required for companies doing business in Ukraine and is widely used by Ukraine agencies.</div> <div style="background-color: white; color: #080e14; font-family: Raleway, sans-serif; font-size: 18px; line-height: 30px; margin-bottom: 21px;"> Maersk, which used MEDoc at its Ukraine offices, recently revealed it was forced to reinstall 45,000 PCs, 4,000 servers and 2,000 applications hit by NotPetya. The company reported losses of $300m due to the incident.</div> <div style="background-color: white; color: #080e14; font-family: Raleway, sans-serif; font-size: 18px; line-height: 30px; margin-bottom: 21px;"> NCSC notes that Ukraine's financial, energy and government institutions bore the brunt of NotPetya. However, the "indiscriminate design" of the malware caused it to spread to other European and Russian businesses.</div> <div style="background-color: white; color: #080e14; font-family: Raleway, sans-serif; font-size: 18px; line-height: 30px; margin-bottom: 21px;"> Though it is unusual to officially blame another nation for a cyber attack, the US and Five-Eye partners blamed the WannaCry ransomware attack on North Korea. The idea, in part at least, is to name and shame nation-state attackers for their actions.</div> <div style="background-color: white; color: #080e14; font-family: Raleway, sans-serif; font-size: 18px; line-height: 30px; margin-bottom: 21px;"> <b>Russia and North Korea have consistently denied responsibility for the NotPetya, WannaCry, and other cyber attacks.</b></div> <div style="background-color: white; color: #080e14; font-family: Raleway, sans-serif; font-size: 18px; line-height: 30px; margin-bottom: 21px;"> The UK's Ahmad said the Kremlin has positioned Russia in direct opposition to the West.</div> <div style="background-color: white; color: #080e14; font-family: Raleway, sans-serif; font-size: 18px; line-height: 30px; margin-bottom: 21px;"> "It doesn't have to be that way. We call upon Russia to be the responsible member of the international community it claims to be rather than secretly trying to undermine it," he said.</div> <div style="background-color: white; color: #080e14; font-family: Raleway, sans-serif; font-size: 18px; line-height: 30px; margin-bottom: 21px;"> "The United Kingdom is identifying, pursuing and responding to malicious cyber activity regardless of where it originates, imposing costs on those who would seek to do us harm."</div> </div>

Hacking News Malwares News notPetya Ransomware Russian Hackers Russian Military Russian military involved in NotPetya attacks: UK

Russian military involved in NotPetya attacks: UK The UK government has officially accused the Russian government of June's di...

Read more »

Millions of android devices Hacked

<div dir="ltr" style="text-align: left;" trbidi="on"> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY6e9DfRhBXaB1PX0ZsVaCJn8DW8B-yU7mVYfgw8Tv9t9h0VSn6V5VGc_GzTBD3yEi-Ofhg-8lEj_RnthL73FSM7KnDBpNlpP7yKnmK5-6VxFkOcBn13vLXDEd-c9O6YnpRtUJVzoEM8C8/s1600/Millions-Of-Android-Users-Hacked-By-This-Cryptomining-Attack.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="Millions of android devices Hacked" border="0" data-original-height="420" data-original-width="800" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY6e9DfRhBXaB1PX0ZsVaCJn8DW8B-yU7mVYfgw8Tv9t9h0VSn6V5VGc_GzTBD3yEi-Ofhg-8lEj_RnthL73FSM7KnDBpNlpP7yKnmK5-6VxFkOcBn13vLXDEd-c9O6YnpRtUJVzoEM8C8/s640/Millions-Of-Android-Users-Hacked-By-This-Cryptomining-Attack.png" title="Millions of android devices Hacked" width="640" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">Millions of android devices Hacked</td></tr> </tbody></table> <br /> <div style="background-color: white; border: 0px; color: #222222; font-family: helvetica, arial, sans-serif; font-size: 17px; font-stretch: inherit; line-height: 27px; margin-bottom: 20px; padding: 0px; vertical-align: baseline;"> The Android operating system and its apps are usually more exposed to security problems and the presence of malware of all kinds. With the arrival of the cryptocurrencies, this was the new focus to explore the users.</div> <div style="background-color: white; border: 0px; color: #222222; font-family: helvetica, arial, sans-serif; font-size: 17px; font-stretch: inherit; line-height: 27px; margin-bottom: 20px; padding: 0px; vertical-align: baseline;"> A new campaign was recently detected and was obliging the mining of these crypto-coins.</div> <div style="background-color: white; border: 0px; color: #222222; font-family: helvetica, arial, sans-serif; font-size: 17px; font-stretch: inherit; line-height: 27px; margin-bottom: 20px; padding: 0px; vertical-align: baseline;"> This new campaign is equal to many others that have been known in the past and have affected Android smartphones.<b> By routing users to dedicated sites, they are making a profit for attackers, </b>either through the display of advertising or, as in this case, by offering a processor to mine crypto-coins.</div> <div style="background-color: white; border: 0px; color: #222222; font-family: helvetica, arial, sans-serif; font-size: 17px; font-stretch: inherit; line-height: 27px; margin-bottom: 20px; padding: 0px; vertical-align: baseline;"> In this case, Android users were even alerted to a supposed high processing problem and should put a captcha code in order for the situation to be resolved.</div> <div style="background-color: white; border: 0px; color: #222222; font-family: helvetica, arial, sans-serif; font-size: 17px; font-stretch: inherit; line-height: 27px; margin-bottom: 20px; padding: 0px; vertical-align: baseline;"> While this process was going on, in incognito, they were mining virtual currency for the attackers. It was only a few minutes, but it surrendered to those who set up this scheme.<br /> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVrX4VrCL_lj9LcuMw3XsAWRJS_WnQPskBKOD3euTVO5kR3GLw9iWe_A50_WL4q0aYw0BrqqpQWMYkhdz8MSD1UFFbFhAKMwUa5iHcv967DmHhN39cOAraM8IMQSzqHz_i6wG_qJNSdof4/s1600/IMG-6.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="Millions of android devices Hacked" border="0" data-original-height="664" data-original-width="800" height="530" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVrX4VrCL_lj9LcuMw3XsAWRJS_WnQPskBKOD3euTVO5kR3GLw9iWe_A50_WL4q0aYw0BrqqpQWMYkhdz8MSD1UFFbFhAKMwUa5iHcv967DmHhN39cOAraM8IMQSzqHz_i6wG_qJNSdof4/s640/IMG-6.jpg" title="Millions of android devices Hacked" width="640" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">Millions of android devices Hacked</td></tr> </tbody></table> <br /> <div style="border: 0px; font-stretch: inherit; margin-bottom: 20px; padding: 0px; vertical-align: baseline;"> This form of attack was included and disguised in several apps, which directed users to these sites dedicated to mining, discreetly and without them realizing that they were being used.</div> <div style="border: 0px; font-stretch: inherit; margin-bottom: 20px; padding: 0px; vertical-align: baseline;"> The number of victims is not known but is high. We have identified at least 5 domains using the same captcha and the same keys as the Coinhive site. <b>At least 2 of these sites had more than 30 million hits per month and the 5 combined domains had about 800,000 visits per day,</b> with an average of 4 minutes per visit.</div> <div style="border: 0px; font-stretch: inherit; margin-bottom: 20px; padding: 0px; vertical-align: baseline;"> As with the browser version of this type of attack, the sum of many users makes it profitable for attackers. It is only a few minutes that, accumulated, can revert significantly to who is managing the attack.<br /> <br /></div> </div> </div>

Android Cryptocurrency Hacking News Malwares News Millions of android devices Hacked

Millions of android devices Hacked The Android operating system and its apps are usually more exposed to security problems and the pr...

Read more »

Zero-day vulnerability found in Telegram

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjA-cNL6Fal2i1LFz43EYL7drbl57ZLgqrdAbHhdmybDGTagsG4C6Qvx_TTS5FgwQx7SMTlAIX-brWQ4pHGnAotzHZDZF_fKnWxDOBkGxr8sFLhQOXyGuoQVR0h06wHrsIZ_FwwcA0hfPX1/s1600/telegram-zeroday-vulnerability.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="466" data-original-width="732" height="404" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjA-cNL6Fal2i1LFz43EYL7drbl57ZLgqrdAbHhdmybDGTagsG4C6Qvx_TTS5FgwQx7SMTlAIX-brWQ4pHGnAotzHZDZF_fKnWxDOBkGxr8sFLhQOXyGuoQVR0h06wHrsIZ_FwwcA0hfPX1/s640/telegram-zeroday-vulnerability.png" width="640" /></a></div> <br /> Research conducted by Kaspersky showed that the zero-day flaw was based on the <a href="https://www.fileformat.info/info/unicode/char/202e/index.htm" target="_blank">RLO </a>(right-to-left override) Unicode method, which is generally used for coding languages written from right to left, such as Arabic and Hebrew. However, it can also be used by hackers to dupe unknowing recipients into downloading malware, for example disguised as images.<br /> <br /> Kaspersky analysts identified “several scenarios of <a href="http://www.hackerschronicle.com/search/label/Zero-Day" target="_blank">zero-day</a> exploitation in the wild by threat actors.” The threats identified were two-fold. First, the exploit was used to deliver mining software, allowing hackers to use the victim’s machine to mine <a href="http://www.hackerschronicle.com/search/label/CryptoCurrency" target="_blank">cryptocurrency </a>including “Monero, Zcash, Fantomcoin and others.”<br /> <br /> Second, a backdoor was installed allowing <a href="http://www.hackerschronicle.com/search/label/Cyber%20Crime" target="_blank">cybercriminals </a>to gain remote access to the victim’s computer after which it started to “operate in a silent mode,” allowing “the threat actor to remain unnoticed in the network and execute different commands, including the further installation of spyware tools.”<br /> <br /> Kaspersky says its analysis suggests the cybercriminals are of <a href="http://www.hackerschronicle.com/search/label/Russian%20Hackers" target="_blank">Russian </a>origin, and the company has offered some tips to protect your PC against attack.  These include not downloading and opening unknown files from untrusted sources, avoiding sharing sensitive personal information in messenger apps and making sure to have reliable antivirus software installed on your machine.<br /> <br /> It appears that only Russian cybercriminals were aware of this <a href="http://www.hackerschronicle.com/search/label/Vulnerability" target="_blank">vulnerability</a>, with all the exploitation cases that we detected occurring in Russia. Also, while conducting a detailed research of these attacks we discovered a lot of artifacts that pointed to involvement by Russian cybercriminals.</div>

Hacking News Malwares News Russian Hackers Telegram Vulnerability Zero-Day Zero-day vulnerability found in Telegram

Research conducted by Kaspersky showed that the zero-day flaw was based on the RLO (right-to-left override) Unicode method, which is gen...

Read more »

New AndroRAT found, exploiting Rooting Vulnerability

<div dir="ltr" style="text-align: left;" trbidi="on"> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQaGho1rE0MYQqEGOAPLEjLxhg3aSXXE0WWpln3Vjy1GTlEcjUDJ9AR4Hwe1Gy-XrSiCg-avCQOt8RYwD6MABqpfekK-k-HBHikdwSv3Kdk1s8kVsu9TgZX4r-m90syf-YyYRwJ_o14zI/s1600/AndroRAT_malware.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="468" data-original-width="888" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQaGho1rE0MYQqEGOAPLEjLxhg3aSXXE0WWpln3Vjy1GTlEcjUDJ9AR4Hwe1Gy-XrSiCg-avCQOt8RYwD6MABqpfekK-k-HBHikdwSv3Kdk1s8kVsu9TgZX4r-m90syf-YyYRwJ_o14zI/s640/AndroRAT_malware.jpg" width="640" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">New AndroRAT found, exploiting Rooting Vulnerability</td></tr> </tbody></table> <br /> <div style="background: rgb(255, 255, 255); border: 0px; color: #666666; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 10px !important; outline: 0px; padding: 0px; vertical-align: baseline;"> Trend Micro detected a new variant of Android Remote Access Tool (AndroRAT) (identified as ANDROIDOS_ANDRORAT.HRXC) that has the ability to inject root exploits to perform malicious tasks such as silent installation, shell command execution, WiFi password collection, and screen capture. This AndroRAT targets <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1805">CVE-2015-1805</a>, a publicly disclosed vulnerability in 2016 that allows attackers to penetrate a number of older Android devices to perform its privilege escalation.</div> <div style="background: rgb(255, 255, 255); border: 0px; color: #666666; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 10px !important; outline: 0px; padding: 0px; vertical-align: baseline;"> RATs have long been a common Windows threat, so <b>it shouldn't be a surprise that it has come to Android</b>. A RAT has to gain root access — usually by exploiting a <a href="http://www.hackerschronicle.com/search/label/Vulnerability">vulnerability </a>— in order to have control over a system.<b> Discovered in 2012, </b>the original authors intended AndroRAT — <a href="https://forum.xda-developers.com/android/apps-games/androrat-remote-administration-tool-t2734932">initially a university project </a>— as an open-source client/server application that can provide remote control of an <a href="http://www.hackerschronicle.com/search/label/Android">Android </a>system, which naturally attracted cybercriminals.</div> <div style="background: rgb(255, 255, 255); border: 0px; color: #666666; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 10px !important; outline: 0px; padding: 0px; vertical-align: baseline;"> This new variant of AndroRAT disguises itself as a malicious utility app called TrashCleaner, which is presumably downloaded from a malicious URL. The first time TrashCleaner runs, it prompts the Android device to install a Chinese-labeled calculator app that resembles a pre-installed system calculator. Simultaneously, the TrashCleaner icon will disappear from the device’s UI and the RAT is activated in the background.</div> <div style="background: rgb(255, 255, 255); border: 0px; color: #666666; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 10px !important; outline: 0px; padding: 0px; vertical-align: baseline;"> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG_dFWhyphenhyphenokqpobyjnG8ynbQ2gJGlFK11zcZUGVZRcQluN7XUjJKE6QJpM4_oZDL2slP-VbLmcPWQauu9k4m40AcPBCGEsahR95UiL8Ah3vKqdsfZryffr1jZCtX67C1F_fL7P398YFAi0/s1600/TrachCleaner.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="139" data-original-width="129" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG_dFWhyphenhyphenokqpobyjnG8ynbQ2gJGlFK11zcZUGVZRcQluN7XUjJKE6QJpM4_oZDL2slP-VbLmcPWQauu9k4m40AcPBCGEsahR95UiL8Ah3vKqdsfZryffr1jZCtX67C1F_fL7P398YFAi0/s1600/TrachCleaner.jpg" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">Icon of the malicious TrashCleaner</td></tr> </tbody></table> <br /> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4YyKssi2ASFC2VtKhwr6OrsRdetN-0OFhEBujZLtuPEGGny5IfUh71z7WEPt08JFrb8zUcBwui-oAZNQRq3XMwXyJXF0DvV4EYLS3duKHxSMFHvtq_lPCEk55mbE13HhuZvkWrdQoE3Q/s1600/AndroRAT_Calculator.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="147" data-original-width="111" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4YyKssi2ASFC2VtKhwr6OrsRdetN-0OFhEBujZLtuPEGGny5IfUh71z7WEPt08JFrb8zUcBwui-oAZNQRq3XMwXyJXF0DvV4EYLS3duKHxSMFHvtq_lPCEk55mbE13HhuZvkWrdQoE3Q/s1600/AndroRAT_Calculator.jpg" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">Icon of the Chinese-labeled calculator app</td></tr> </tbody></table> </div> <div style="background: rgb(255, 255, 255); border: 0px; color: #666666; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 10px !important; outline: 0px; padding: 0px; vertical-align: baseline;"> The configurable RAT service is controlled by a remote server, which could mean that commands may be issued to trigger different actions. The variant activates the embedded root exploit when executing privileged actions. It performs the following malicious actions found in the original AndroRAT:</div> <ul style="background: rgb(255, 255, 255); border: 0px; color: #666666; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin: 0px 0px 0px 30px; outline: 0px; padding: 0px; vertical-align: baseline;"> <li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Record audio</li> <li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Take photos using the device camera</li> <li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of system information such as phone model, number, IMEI, etc.</li> <li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of WiFi names connected to the device</li> <li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of call logs including incoming and outgoing calls</li> <li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of mobile network cell location</li> <li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of GPS location</li> <li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of contacts list</li> <li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of files on the device</li> <li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of list of running apps</li> <li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of SMS from device inbox</li> <li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Monitor incoming and outgoing SMS</li> </ul> <div style="background: rgb(255, 255, 255); border: 0px; color: #666666; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 10px !important; outline: 0px; padding: 0px; vertical-align: baseline;"> Apart from the original features of the <a href="http://www.hackerschronicle.com/search/label/AndroRAT">AndroRAT</a>, it also performs new privileged actions:</div> <ul style="background: rgb(255, 255, 255); border: 0px; color: #666666; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin: 0px 0px 0px 30px; outline: 0px; padding: 0px; vertical-align: baseline;"> <li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of mobile network information, storage capacity, rooted or not</li> <li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of list of installed applications</li> <li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of web browsing history from pre-installed browsers</li> <li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of calendar events</li> <li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Record calls</li> <li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Upload files to victim device</li> <li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Use front camera to capture high resolution photos</li> <li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Delete and send forged SMS</li> <li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Screen capture</li> <li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Shell command execution</li> <li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of WiFi passwords</li> <li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Enabling accessibility services for a key logger silently</li> </ul> <div style="background: rgb(255, 255, 255); border: 0px; color: #666666; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 10px !important; outline: 0px; padding: 0px; vertical-align: baseline;"> <b style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><i style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Targeting CVE-2015-1805</i></b></div> <div style="background: rgb(255, 255, 255); border: 0px; color: #666666; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 10px !important; outline: 0px; padding: 0px; vertical-align: baseline;"> Google already <a href="https://source.android.com/security/advisory/2016-03-18">patched </a>CVE-2015-1805 in March 2016,<b> but devices that no longer receive patches or those with a long rollout period are at risk of being compromised by this new AndroRAT variant. </b> Older versions of Android, which are still being used by a significant number of mobile users, may still be vulnerable.</div> <div style="background: rgb(255, 255, 255); border: 0px; color: #666666; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 10px !important; outline: 0px; padding: 0px; vertical-align: baseline;"> <b style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><i style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Indicators of Compromise (IoCs)</i></b></div> <table style="background: rgb(255, 255, 255); border-collapse: collapse; border-spacing: 0px; border: 1px solid rgb(228, 228, 228); color: #777777; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline; width: 619px;"><tbody style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"> <tr style="background: rgb(241, 241, 241); border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="295"><b style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">SHA256</b></td><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="108"><b style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">App Label</b></td><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="187"><b style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Package Name</b></td></tr> <tr style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="295">2733377c14eba0ed6c3313d5aaa51171f6aef5f1d559fc255db9a03a046f0e8f</td><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="108">TrashCleaner</td><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="187">com.cleaner.trashcleaner</td></tr> <tr style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="295">fde9f84def8925eb2796a7870e9c66aa29ffd1d5bda908b2dd1ddb176302eced</td><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="108">TrashCleaner</td><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="187">com.cleaner.trashcleaner</td></tr> <tr style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="295">2441b5948a316ac76baeb12240ba954e200415cef808b8b0760d11bf70dd3bf7</td><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="108">TrashCleaner</td><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="187">com.cleaner.trashcleaner</td></tr> <tr style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="295">909f5ab547432382f34feaa5cd7d5113dc02cda1ef9162e914219c3de4f98b6e</td><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="108">TrashCleaner</td><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="187">com.cleaner.trashcleaner</td></tr> </tbody></table> <div style="background: rgb(255, 255, 255); border: 0px; color: #666666; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 10px !important; outline: 0px; padding: 0px; vertical-align: baseline;"> <br /></div> </div>

Android AndroRAT Hacking News Malwares News rat Rooting Trojan Vulnerability New AndroRAT found, exploiting Rooting Vulnerability

New AndroRAT found, exploiting Rooting Vulnerability Trend Micro detected a new variant of Android Remote Access Tool (AndroRAT) (ide...

Read more »

Anti-Virus Killer Android Virus, Detected

<div dir="ltr" style="text-align: left;" trbidi="on"> A new variation of mobile <a href="http://www.hackerschronicle.com/search/label/Malwares">malware</a> that affects <a href="http://www.hackerschronicle.com/search/label/Android">Android</a> based devices has been detected by the <a href="http://quickheal.com/">Quick Heal Labs</a>. An innovative feature of this malware is that it detects certain mobile security applications on the device and modifies their databases in order to avoid detection. <br /> <h3> Quick Heal Detection: Android.AVPasser.A</h3> As all other forms of Android malware, this variant too has the capability to modify certain system files and steal private data and information, and then broadcast the same to remote servers. <br /> <h3> Dynamic Analysis of the Malware</h3> Once the <b>Android.AVPasser.A</b> malware enters an Android device, it creates multiple icons in the Application Tray of the device. The screenshots below show the icons that are created by the malware.<br /> <br /> <div class="separator"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitXv_WA-ZpYVSC7JfArb2scRnmIIUX9EnPZ4o4z2JK8czLJmHTXUJNKjc28rbOZVABW0UDRZGJ4e_4vip3xp5EnoGGlQtBUVuyo244kUupKIwtccDsqvIrGgYyu8xj_foTzqkSKHfKUM9y/s1600/001.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitXv_WA-ZpYVSC7JfArb2scRnmIIUX9EnPZ4o4z2JK8czLJmHTXUJNKjc28rbOZVABW0UDRZGJ4e_4vip3xp5EnoGGlQtBUVuyo244kUupKIwtccDsqvIrGgYyu8xj_foTzqkSKHfKUM9y/s1600/001.png" width="240" /></a></div> <div class="separator"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBjit_c2yjLQx_9UlvppANvdN6OA_n4fcCI9x3VJJdz8n91RMlHbKH_5L4fXI9iwxSNRg49j_G87lL_nRL2MPKq4CtBhjL8v3bP102Et-i3uVpKbg883z3M35AzjTHGPWC7P9LRgZ7gZUs/s1600/002.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBjit_c2yjLQx_9UlvppANvdN6OA_n4fcCI9x3VJJdz8n91RMlHbKH_5L4fXI9iwxSNRg49j_G87lL_nRL2MPKq4CtBhjL8v3bP102Et-i3uVpKbg883z3M35AzjTHGPWC7P9LRgZ7gZUs/s1600/002.png" width="242" /></a></div> <br /> <div dir="ltr" style="text-align: left;" trbidi="on"> If the user clicks on any of these icon shortcuts, the icons vanish from the Application Tray. However, upon viewing the Active Applications window one can still see the <i>SystemService.class</i> running in the background. This can be viewed in the screenshot below.<br /> <br /> <div class="separator"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOIHsstwP4PYwGdOYFAqdW_3nPDyvoIFBdEpDOKwgbsNvE2YAZlsNglJ6SH82MYObs8PJDa0hKsP__TXSvDX7tdtKy_brrN-LqFObP-GvEs9ZtnmP6rKpR-ncJTwyp9XgGpBFb8UwysOPu/s1600/003.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOIHsstwP4PYwGdOYFAqdW_3nPDyvoIFBdEpDOKwgbsNvE2YAZlsNglJ6SH82MYObs8PJDa0hKsP__TXSvDX7tdtKy_brrN-LqFObP-GvEs9ZtnmP6rKpR-ncJTwyp9XgGpBFb8UwysOPu/s1600/003.png" width="192" /></a></div> <br /> <h3> What this Malware Does</h3> Upon installation, this malware has the capability of stealing the following data from the compromised device: <br /> <ul> <li>Photos</li> <li>SMS messages</li> <li>Contacts</li> <li>Call history</li> <li>Videos recorded by the front and rear cameras</li> <li>GPS location and history of the device</li> <li>Device specific data such as:</li> <ul> <li>Build version</li> <li>Device ID</li> <li>IMEI (International Mobile Station Equipment Identity)</li> <li>IMSI (International Mobile Subscriber Identity)</li> <li>MDN (Mobile Directory Number)</li> </ul> <li>Additionally, the application also gains control over the network activity and visits a malicious URL as shown below:</li> </ul> <br /> <div class="separator"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeAH-7znkJo7Dvd-by4_C1NthxOpoiW0b34uiTs9FVKohtntU1bFoWsT8YVDAgIS6sDKXe1gIFABdzGyGBExv-8h2THYaaudS1BBIbRtScqoAuz0l0YUhIbmwxX7Z_y9bqGbhrO-BsRKYj/s1600/004.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="20" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeAH-7znkJo7Dvd-by4_C1NthxOpoiW0b34uiTs9FVKohtntU1bFoWsT8YVDAgIS6sDKXe1gIFABdzGyGBExv-8h2THYaaudS1BBIbRtScqoAuz0l0YUhIbmwxX7Z_y9bqGbhrO-BsRKYj/s1600/004.png" width="400" /></a></div> <br /> <h3> Other Activities by the Malware:</h3> <b>#1</b> Once it enters an Android device, the malware checks for the existence of a config.txt file at a preset location on the device. If found, the malware deletes the file and creates a malicious file of its own.</div> <div class="separator"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQf1PqtGZloPUMHrwrDS5I9tgE9H4P2nmS4exr8cuQ80ZsXFHGyd_oTCIQdgL_BDNPlGFs9mf-4BBV6LtGpjJneUChsRRraszzi1Zq57N6MtoOEn2prc0PSg8aZhahsXCV_WgNz2DeZ3PO/s1600/005.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="78" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQf1PqtGZloPUMHrwrDS5I9tgE9H4P2nmS4exr8cuQ80ZsXFHGyd_oTCIQdgL_BDNPlGFs9mf-4BBV6LtGpjJneUChsRRraszzi1Zq57N6MtoOEn2prc0PSg8aZhahsXCV_WgNz2DeZ3PO/s1600/005.png" width="200" /></a></div> <div class="separator"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguPNcdqpGfFgSpBIiSZyzZaQdgNuLhWGSmtmQpmSGfEu8BTdRDfO9RSZIfp3WY1oNzv6aTLjw-PcYKbrkgDDIOwOF6c7gqFCWVUwbRkVEDFpxnn69byfUJ3W-qhjiIiZkow61Xq8Qu7FZm/s1600/006.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguPNcdqpGfFgSpBIiSZyzZaQdgNuLhWGSmtmQpmSGfEu8BTdRDfO9RSZIfp3WY1oNzv6aTLjw-PcYKbrkgDDIOwOF6c7gqFCWVUwbRkVEDFpxnn69byfUJ3W-qhjiIiZkow61Xq8Qu7FZm/s1600/006.png" width="320" /></a></div> <div dir="ltr" style="text-align: left;" trbidi="on"> <b>#2</b> The malware broadcasts the information that it collects in the following conditions: <br /> <ul> <li>When any SMS is received by the device</li> <li>When any media connection is mounted or unmounted</li> <li>When the device screen goes ON or OFF</li> </ul> <b>#3</b> The malware calls CameraPicService from the SystemService.class and then runs a thread at an interval of 2 minutes to check the number of cameras connected to the device.<br /> <br /> <b>#4</b> Lastly, the malware collects and analyzes all the packages that are installed on the compromised device and matches them to see if any of them is a mobile security application. Once an application is confirmed to be a mobile security application, the malware modifies the database of the security application in order to to avoid detection.<br /> Source: <a href="http://quickheal.com/" target="_blank">Quickheal</a> </div> </div>

Android Malwares Anti-Virus Killer Android Virus, Detected

A new variation of mobile malware that affects Android based devices has been detected by the Quick Heal Labs . An innovative feature of ...

Read more »

Russia attacks Ukraine with cyber weapon, Snake

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkufqwMk63tMR0xjp5-I1wm07WieL4DbAf_bk96E2khr9KyudVRIG7ss6m8pp6AECyuICHtMbzZBnTJbC5evBnEdcvHbONe8w43iifpTms1XeWoqt4R9GKYc86CVdIlOg_6VrCfI6cXJ36/s1600/Ukraine-cyber-attack.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Ukraine's Computers attcked with a Virus, Snake similar to Stuxnet" border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkufqwMk63tMR0xjp5-I1wm07WieL4DbAf_bk96E2khr9KyudVRIG7ss6m8pp6AECyuICHtMbzZBnTJbC5evBnEdcvHbONe8w43iifpTms1XeWoqt4R9GKYc86CVdIlOg_6VrCfI6cXJ36/s1600/Ukraine-cyber-attack.jpg" title="Ukraine's Computers attcked with a Virus, Snake similar to Stuxnet" width="320" /></a></div> <br /> Dozens of computer networks in Ukraine have been infected by an aggressive new cyber weapon called <a href="http://www.hackerschronicle.com/search/label/Snake" target="_blank">Snake</a>, according to expert analysis.<br />  The cyber weapon has been increasingly used since the start of this year, even before protests that led to the overthrow of president Viktor Yanukovych, British-based <a href="http://en.wikipedia.org/wiki/BAE_Systems" rel="nofollow" target="_blank">BAE Systems</a> said in a report published Friday.<br />  The complex composition of <a href="http://www.hackerschronicle.com/search/label/Snake" target="_blank">Snake</a> bears similarities with <a href="http://www.hackerschronicle.com/search/label/Stuxnet" target="_blank">Stuxnet</a>, the <a href="http://www.hackerschronicle.com/search/label/Malwares" target="_blank">malware</a> that disrupted Iran's nuclear facilities in 2010.<br /> Snake—also known as Ouroboros after the serpent in Greek mythology—gives remote attackers "full remote access to the compromised system", BAE said.<br /> Because it can stay inactive for a number of days, it is extremely hard to detect. Although its origins are unclear, its developers appear to operate it in the same timezone as Moscow—GMT plus four hours—and some <a href="http://www.hackerschronicle.com/search/label/Russian%20Hackers" target="_blank">Russian</a> text is embedded into the code, BAE says. BAE has identified 14 cases of Snake in Ukraine since the start of 2014, compared to eight cases in the whole of 2013. In all there have been 32 reported cases in <a href="http://www.hackerschronicle.com/search/label/Ukraine" target="_blank">Ukraine</a> since 2010, out of 56 worldwide.<br />  Nigel Inkster, who until 2006 was the head of operations and intelligence at Britain's MI6 foreign intelligence agency, said Russia was most likely behind the cyber-attacks on Ukraine.<br /> "If you look at it in probabilistic terms... then the list of suspects boils down to one, he told the Financial Times. "Until recently the Russians have kept a low profile, but there's no doubt in my mind that they can do the full scope of cyber attacks, from denial of service to the very, very sophisticated."</div>

Hacking News Malwares News Russian Hackers Snake Stuxnet Ukraine Russia attacks Ukraine with cyber weapon, Snake

Dozens of computer networks in Ukraine have been infected by an aggressive new cyber weapon called Snake , according to expert analysis....

Read more »

Vulnerability in Android Jelly Bean and Kitkat

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgB64JLSeKK-sFwz5fG7fHovaSqZY48Pba15HVzbNxSVHCFJ7Q0VhN45sZIUks8aXkdDj31eaKvDVwZSzcAKnxR1hpHGzGiF9LNVVutYHrGx6PcYzWFdBTULGYn8pWzh73_9anxFQ9xZa-z/s1600/android-kitkat-vulnerability.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Vulnerability in Android Jelly Bean and Kitkat" border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgB64JLSeKK-sFwz5fG7fHovaSqZY48Pba15HVzbNxSVHCFJ7Q0VhN45sZIUks8aXkdDj31eaKvDVwZSzcAKnxR1hpHGzGiF9LNVVutYHrGx6PcYzWFdBTULGYn8pWzh73_9anxFQ9xZa-z/s1600/android-kitkat-vulnerability.png" title="Vulnerability in Android Jelly Bean and Kitkat" width="320" /></a></div> <br /> The researchers at <a href="http://en.wikipedia.org/wiki/Indian_Computer_Emergency_Response_Team" target="_blank">CERT-IN</a>, the Indian governments agency that monitors cyber threats, issued the advisory about the <a href="http://en.wikipedia.org/wiki/Vpn" target="_blank">VPN</a> flaw a few days ago.<br /> A critical flaw has been detected in the virtual private network offered by <a href="http://www.hackerschronicle.com/search/label/Android">Android</a> operating systems in the Indian cyberspace leading to hijack of personal data of users.<br /> Internet security sleuths have alerted consumers of this web-based service to guard against the spread of this <a href="http://www.hackerschronicle.com/search/label/Malwares" target="_blank">virus</a> which affects computer systems and mobile phones using the Android system.<br /> The suspicious activity has been noticed in two Android versions: 4.3 known as '<a href="http://en.wikipedia.org/wiki/Android_Jelly_Bean#Android_4.1_Jelly_Bean_.28API_level_16.29" target="_blank">Jelly Bean</a>' and the latest version 4.4 called '<a href="http://en.wikipedia.org/wiki/Android_Jelly_Bean#Android_4.4_KitKat_.28API_level_19.29" target="_blank">KitKat</a>'.<br /> "A critical flaw has been reported in Android's (<a href="http://www.hackerschronicle.com/search/label/VPN" target="_blank">virtual private network</a>) VPN implementation, affecting Android version 4.3 and 4.4 which could allow an attacker to bypass active VPN configuration to redirect secure VPN communications to a third party server or disclose or hijack unencrypted communications", said CERT-In in a latest advisory to users of this network.<br /> VPN technology is used to create an encrypted tunnel into a private network over public Internet. Organisations and group of people use such connections to enable employees or acquaintances to securely connect to enterprise networks from remote locations through multiple kinds of devices like laptops, desktops, mobiles and tablets.<br /> The agency said the current malicious application is capable of diverting the VPN traffic "to a different network address" and successful exploitation of this issue "could allow attackers to capture entire communication originating from affected device".<br /> "It is noted that not all applications are encrypting their network communication. Still there is a possibility that attacker could possibly capture sensitive information from the affected device in plain text like email addresses, IMEI number, SMSes, installed applications", the advisory said.<br /> Cyber experts said that this anomaly could only lead to capture and viewing the data which is in plain text and Android applications directly connecting to the server using SSL will not be affected. Websites which use 'https' in their URL will also be safe. The cyber agency has also suggested some counter measures to beat this threat.<br /> "Apply appropriate updates from original equipment manufacturer, do not download and install application from untrusted sources, maintain updated mobile security solution or <a href="http://www.hackerschronicle.com/search/label/Mobile">mobile</a> <a href="http://www.hackerschronicle.com/search/label/Anti%20Virus" target="_blank">anti-virus</a> solutions on the device, exercise caution while visiting trusted or untrusted URLs and do not click on the URLs received via SMS or email unexpectedly from trusted or received from untrusted users", are some of the combat techniques which have been suggested by the agency.</div>

Android Malwares Mobile VPN Vulnerability Vulnerability in Android Jelly Bean and Kitkat

The researchers at CERT-IN , the Indian governments agency that monitors cyber threats, issued the advisory about the VPN flaw a few da...

Read more »

Millions of Vulnerable Android Devices Exposed

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFSeEUslTWF_FPNY8QRBlfYEWBqI3biHqeSj8sY52EGYd6y7xYKq2qTAzeIEUBBAM1fokSkJ_1dfEr8f7heqeuU0xtODAX1sGX-WoyyxPpsmsG7WFodo7p8TrPe1jk8rYPDN_qgnBENcAs/s1600/android-malware.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFSeEUslTWF_FPNY8QRBlfYEWBqI3biHqeSj8sY52EGYd6y7xYKq2qTAzeIEUBBAM1fokSkJ_1dfEr8f7heqeuU0xtODAX1sGX-WoyyxPpsmsG7WFodo7p8TrPe1jk8rYPDN_qgnBENcAs/s1600/android-malware.jpg" width="400" /></a></div> <br /> Android devices prior to version 4.2.1 of the operating system—70 percent of the phones and tablets in circulation—have been vulnerable to a serious and simple remote code execution vulnerability in the Android browser for more than 93 weeks.<br /><br />Metasploit recently added an exploit module that targets the vulnerability, which was patched in 4.2.2 released one year ago. However, with carriers and device makers reticent to be quick with updates and security patches, close to three-quarters of the Android user base is at risk for attack. For some perspective, Android Central reports that KitKat, the latest version of Android, has yet to hit 2 percent adoption.<br /><br />“I did a quick survey of the phones available today on the no-contract rack at a couple big-box stores, and every one that I saw were vulnerable out of the box,” said Rapid7 senior manager of engineering Tod Beardsley. “And yes, that’s here in the U.S., not some far-away place like Moscow, Russia.”<br /><br />The exploit module, built by contributors Joe Vennix and Joshua Drake, could enable access to the device camera, location data, information stored on a SD card and even the user’s address book. Drake said he was recently able to get code execution on Google Glass using the exploit.<br /><br />The attack exploits a vulnerability that was <a href="http://50.56.33.56/blog/?p=314" target="_blank">disclosed</a> in December 2012. The problem lies with the addJavascriptInterface in WebView. Applications are able to inject Java objects into WebView, including malicious JavaScript which can cause unwanted behavior such as sending expensive SMS messages to premium numbers or giving attackers access to data on the phone. JavaScript can also get around browser security controls, said researcher Neil Bergman, a security consultant who disclosed the vulnerability.<br /><br />Rapid7 said an attacker would need to be man-in-the-middle on a device in order to exploit it, something its new exploit module simplifies. The company demonstrates the exploit in a <a href="https://community.rapid7.com/community/metasploit/blog/2014/02/13/weekly-metasploit-update" target="_blank">video</a>, which is triggered in this case by a malicious QR code the victim scans with their Android smartphone and opens a command shell for the attacker.<br /><br />The best mitigation is to update Android to 4.2.2 or higher, but that isn’t always feasible for users. Device manufacturers and carriers control when updates are rolled out, despite the fact that Google is generally prompt with patches and updates.<br /><br />The carriers and manufacturers have been under fire from privacy and security experts and even the U.S. Federal Trade Commission. Last April, the American Civil Liberties Union asked the FTC to investigate four major carriers, accusing them of deceptive business practices and knowingly selling defective phones to consumers that are shy on security updates and patches. The ACLU requested that the FTC force carriers to warn customers about unpatched vulnerabilities, allow customers with vulnerable phones to escape their contracts without early termination penalties, and provide that customers may exchange at no cost their phones for another that receives regular security updates, or return the phone for a full refund.<br /><br />Last February, the FTC reached a damning settlement with device makers HTC America. The FTC forced HTC to enact expensive security enhancements that included regular security patches for Android devices, establish a security program that focuses on developer security, and submit to security assessments.</div>

Android Malwares Metasploit Vulnerability Millions of Vulnerable Android Devices Exposed

Android devices prior to version 4.2.1 of the operating system—70 percent of the phones and tablets in circulation—have been vulnerable ...

Read more »