Archives for 

Malware

ESET security researchers Dissect the Backdoor Used by NotPetya Operators

What was first considered a ransomware attack turned into a much more complicated situation as researchers at the Slovakian security software firm ESET found a backdoor written into some software updates the Ukrainian M.E.Doc, the main source of infection breakout unleashed last week in Ukraine.

According to a post by Security Week, ESET researchers had performed an exhaustive analysis of the infected software and found out that the malware identified as NotPetya was intended to remove data not withhold it encrypted for money. Reuters had reported earlier, but could not confirm, an announcement allegedly by the people behind the attack demanding 256,000$ in bitcoins in return for decryption of all infected devices.

However, researchers linked the attack with TeleBots, a persistent threat group previously known as BlackEnergy and Sandworm. The cybercriminals in questions had made several attempts to compromise Ukrainian establishments before. Their choice of M.E.Doc is rather interesting. The tax accounting software is used by 80 percent of the Ukranian companies and is installed on around 1 million computers across the country.

Researchers confirmed that had the attackers not had access to the source code, the backdoor installation in the software would not have been possible. They estimated that the attackers had the source code since the beginning of the year. Infectious updates were distributed at least three times: as early as April 14th as a test, on May 15th to drop the XData ransomware which comprised the smokescreen attack to distract attention and on June 22nd to drop NotPetya.

These updates occurred without alarming the M.E.Docs developers as several other clean updates were released during that time.

The 5 megabytes backdoor written in .NET framework was injected in one of the application modules and then pushed as an update. The methods of the backdoor class which is called MeCom are invoked by the request for updates called periodically by the legitimate code to check for updates. Therefore, attackers were able to send the harvested information in cookies files without generating alarmingly excessive network traffic.

The backdoor also features code that gives cybercriminals the chance to control infected machines through a binary blob the analysis of which revealed it to be “an XML file that could contain several commands at once.”

The commands include but are not limited to: RunCmd, DumpData, MinInfo, GetFile, Payload and AutoPayload.

According to ESET notes, this makes the backdoor a “fully-featured cyberespionage and cybersabotage platform at the same time” since using this commands will allow attackers to run shell command, gather system and user information such as proxies, emails and passwords, collects files and execute payloads.

The malicious backdoor allows the attackers to know exactly which organisation were infected using EDRPOU a unique legal entity identifier all companies in Ukraine have and thus target specific companies with customised strategies.

The backdoor kept the harvested data waiting to be sent in the Windows registry under the HKEY_CURRENT_USER\SOFTWARE\WC key. According to ESET, this will allow investigators to distinguish compromised machines. Although malware fingerprints were found on network-connected devices that didn’t even have the infected software installed, which means that the size of the attack is yet unknown and other backdoors are probably still out there waiting for a signal.

Due to security reasons, M.E.Doc servers were seized by the police and experts could not perform a forensic analysis. However, ESET researchers are sure the servers were compromised.

As the servers remain offline, further updates to resolve the backdoor are still not possible and many unanswered questions will keep everyone working on the matter awake at night until they know for sure: for how long the backdoor had been activated and whether or not it was used to distribute other malware.

What we might view as worthy discoveries, the Ukrainian police views as a national security threat as major companies across Ukraine were compromised. The M.E.Doc servers were seized by the police pending investigations, the Russian government was initially accused of the attack and now Ukraine’s security service is teaming with NATO to  better deal with future cyber threats.

The preparation and patience the attackers behind the NotPetya demonstrated are both admirable and disturbing; many researchers agree that we have not yet seen the end of this well-planned attack. Hopefully, any other backdoors will be detected and contained before the attackers’ next move.

Share Button

OceanLotus, an evolved version of backdoor seen on MacOS by Wildfire

A new variant of the OceanLotus backdoor was detected by researchers in Palo Alto Networks in their recent WildFire cloud analysis platform. Paloalto’s Unit 42 reported that this new variant is developed by the same Vietnamese group who released its precedent in 2015 and is one of the most sophisticated backdoors seen in macOS to […]
Share Button
Continue reading →

Petya Or NotPetya Ransomware creates a havoc all over the world – A step ahead of WanaCry with no kill switch

Petya has impacted all over the world starting from pharmaceutical companies, oil gaints, airports, hospitals, ports and many banks. The method of infection is similar to Wannacry with leaked NSA EthernalBlue, (MS17-010) infected thousands of people including hospital networks. Petya differs from typical ransomware as it also overwrites and encrypts the master boot record (MBR) […]
Share Button
Continue reading →

More than 800 Android Apps on Google Play potentially infected with Xavier Trojan – Trend

Trend micro researchers have discovered a Android Trojan ad library named Xavier that steals user’s information without user knowledge. More than 800 Android apps which embedded the ad library appears to have infected with the malware. Xavier has self-protect mechanism that allows it to escape both static and dynamic analysis making it harder to detect. […]
Share Button
Continue reading →

PLATINUM malware steals data using Intel’s Active Management Technology ( AMT) bpassing Windows Firewall

Microsoft published an article about the exploitation of Intel’s AMT tools stealing government data for espionage purposes. The hack works independently of the Operating system which can bypass any windows firewall at the moment. The malware has been active since at least 2009 primarily responsible for spear phishing attacks on ISPs, government organizations, intelligence agencies, […]
Share Button
Continue reading →

“Doxware”- Evolution of Ransomware, a new form of malware threat for 2017

As security controls and defense measures for computer systems become more sophisticated, cyber criminals have taken one step ahead in the world of Ransomware. The most profitable ransomware attacks has taken a leap with doxing. What is Doxware ? “Ransomware is the art of encrypting data on a network, users PC or Mac and asking for […]
Share Button
Continue reading →

Gooligan malware campaign steals more than 1 Million Google Accounts using Android phones – Checkpoint

Researchers from Checkpoint have identified that a dubbed malware Gooligan has infected more than 1.3 million Android users globally. Android targeted malware campaign infects devices and steals authentication tokens which is then used to access data from Google apps such as Google play, Gmail, google photos google docs, google drive and many others. The malware […]
Share Button
Continue reading →

An exploit can completely bypasses Mac’s malware Gatekeeper

Gatekeeper is the security feature of Mac OS X that protects users from malicious applications and code execution on their Mac computers. It warns Mac users from installing unsigned apps or the ones downloaded through an unencrypted connection. Gatekeeper does an efficient job of preventing the installation of Trojans and applications with malicious codes. However, […]
Share Button
Continue reading →

Smartphone browsers can deliver powerful DDoS attack with 4.5billion requests causing Flood Attack

One of the most malicious attacks that can ever be launched on a website is being flooded with multiple requests that it cannot handle, otherwise known as DDoS’es. According to internet security researchers, this nightmare may have recently become a reality after one site was targeted in such a manner with an aim of overwhelming […]
Share Button
Continue reading →

Two new Point of Sale malware targeted on Small and Medium Business in the United States

Two new malwares that affect point of sale (PoS) machines have been detected by the researchers at Trend Micro. The malware have been affecting small and medium sized businesses or SMBs, primarily in the United States. These two malwares have been named Katrina and CenterPoS by their developers. Trend Micro researchers had earlier reported PoS […]
Share Button
Continue reading →