Fake Apex Legends App Spreads Malware

As the popularity of the latest free-to-play battle royale pushes ever higher, malicious Apex Legends apps have been spotted in the Google Play store with upwards of 100,000 downloads. The fake apps typically offer free in-game currency, or free downloads for an already free game, while installing malware onto devices and directing users to enter phishing domains to further compromise themselves.  

Cryptocurrency Wallet Bug Checks User Passwords with Spellchecker

A new bug has been found within the Coinomi cryptocurrency wallet app that quietly submits each user password to Google’s spellchecker without encryption, leaving user accounts vulnerable to attacks if someone is monitoring the web traffic of the application. The bug was discovered by a researcher who noticed that a majority of his funds had gone missing from his Coinomi-stored cryptocurrencies, leading him to investigate the app more extensively. 

Bangladeshi Embassy Site Compromised

Researchers have found that the web site for the Bangladesh Embassy in Cairo has been compromised and was pushing malicious word document downloads to any user who visited the site. Once the download is confirmed, it installs to an innocuous location within ProgramData and begins attempting to contact the command & control server to pull down additional malware. It’s likely that this issue is linked to an earlier attack on the site that left a cryptominer operating for several days and is affecting users who accessed the site during that time. 

Botnet Controls Browsers Even After Being Closed

A new type of cyber attack has been found that uses normal JavaScript and HTML5 functionality to take control of a user’s browser for a number of malicious activities and can even continue operating and commandeering resources after the browser or website has closed. Through these normal capabilities, this type of attack could affect both desktop and mobile browsers and, due to its nature, can be exceedingly persistent on the system once active. 

Multi-OS Ransomware Demands High Payment

The latest ransomware variant to make its rounds, Borontok, has already been spotted encrypting Linux servers and commercial websites, leaving a .rontok extension at the end of the filename. To make matters worse, the demanded ransom payment is 20 Bitcoins, or roughly $75,000, and gives directions to an actual payment site, though it does later offer the user a chance to negotiate for a lower payment. 

This is the third of a three-part report on the state of three malware categories: miners, ransomware and information stealers.

Ransomware is any malware that holds your data ransom. These days it usually involves encrypting a victim’s data before asking for cash (typically cryptocurrency) to decrypt it. Ransomware ruled the malware world since late 2013, but finally saw a decline last year. The general drop in malware numbers, along with defensive improvements by the IT world in general (such as more widespread backup adoption), were factors, but have also led this threat to become more targeted and ruthless.

Delivery methods

When ransomware first appeared, it was typically distributed via huge email and exploit kit campaigns. Consumer and business users alike were struck without much discretion. 

Today, many ransomware criminals prefer to select their targets to maximise their payouts. There’s a cost to doing business when it comes to infecting people, and the larger the group of people you are trying to hit, the more it costs. 

Exploit kits

Simply visiting some websites can get you infected, even if you don’t try to download anything. This is usually done by exploiting weaknesses in the software used to browse the web such as your browser, Java, or Flash. Content management and development tools like WordPress and Microsoft Silverlight, respectively, are also common sources of vulnerabilities. But there’s a lot of software and web trickery involved in delivering infections this way, so the bulk of this work is packaged into an exploit kit which can be rented out to criminals to help them spread their malware. 

Renting an exploit kit can cost $1,000 a month, so this method of delivery isn’t for everyone. Only those cybercriminals who’re sufficiently motivated and funded. 

“Because the cost of exploitation has risen so dramatically over the course of the last decade, we’ll continue to see a drop in the use of 0-days in the wild (as well as associated private exploit leaks). Without a doubt, state actors will continue to hoard these for use on the highest-value targets, but expect to see a stop to Shadowbrokers-esque occurrences. The mentioned leaks probably served as a powerful wake-up call internally with regards to who has access to these utilities (or, perhaps, where they’re left behind).” – Eric Klonowski, Webroot Principal Threat Research Analyst

Exploits for use in both malware and web threats are harder to come by these days and, accordingly, we are seeing a drop in the number of exploit kits and a rise in the cost of exploits in the wild. This threat isn’t going anywhere, but it is declining.

Email campaigns

Spam emails are a great way of spreading malware. They’re advantageous for criminals, as they can hit millions of victims at a time. Beating email filters, creating a convincing phishing message, crafting a dropper, and beating security in general is tough to do on a large scale, however. Running these big campaigns requires work and expertise so, much like an exploit kit, they are expensive to rent. 

Targeted attacks

The likelihood of a target paying a ransom and how much that ransom is likely to be is subject to a number of factors, including:

• The country of the victim. The GDP of the victim’s home nation is correlated to a campaign’s success, as victims in richer countries are more likely to shell out for ransoms 
• The importance of the data encrypted
• The costs associated with downtime
• The operating system in use. Windows 7 users are twice as likely to be hit by malware as those with Windows 10, according to Webroot data
• Whether the target is a business or a private citizen. Business customers are more likely to pay, and pay big

Since the probability of success varies based on the target’s circumstances, it’s important to note that there are ways of narrowing target selection using exploit kits or email campaigns, but they are more scattershot than other, more targeted attacks.

RDP

Remote Desktop Protocol, or RDP, is a popular Microsoft system used mainly by admins to connect remotely to servers and other endpoints. When enabled by poor setups and poor password policies, cybercriminals can easily hack them. RDP breaches are nothing new, but sadly the business world (and particularly the small business sector) has been ignoring the threat for years. Recently, government agencies in the U.S. and UK have issued warnings about this completely preventable attack. Less sophisticated cybercriminals can buy RDP access to already hacked machines on the dark web. Access to machines in major airports has been spotted on dark web marketplaces for just a few dollars.

Spear phishing

If you know your target, you can tailor an email specifically to fool them. This is known as spear phishing, and it’s an extremely effective technique that’s used in a lot of headline ransomware cases.

Modular malware

Modular malware attacks a system in different stages. After running on a machine, some reconnaissance is done before the malware reinitiates its communications with its base and additional payloads are downloaded. 

Trickbot

The modular banking Trojan Trickbot has also been seen dropping ransomware like Bitpaymer onto machines. Recently it’s been used to test a company’s worth before allowing attackers to deploy remote access tools and Ryuk (ransomware) to encrypt the most valuable information they have. The actors behind this Trickbot/Ryuk campaign only pursue large, lucrative targets they know they can cripple.

Trickbot itself is often dropped by another piece of modular malware, Emotet. 

What are the current trends?

As we’ve noted, ransomware use may be on the decline due to heightened defences and greater awareness of the threat, but the broader, more noteworthy trend is to pursue more carefully selected targets. RDP breaches have been the largest source of ransomware calls to our support teams in the last 2 years. They are totally devastating to those hit, so ransoms are often paid.

Modular malware involves researching a target before deciding if or how to execute and, as noted in our last blog on information stealers,they have been surging as a threat for the last six months. 

Automation

When we talk about selecting targets, you might be inclined to assume that there is a human involved. But, wherever practical, the attack will be coded to free up manpower. Malware routinely will decide not to run if it is in a virtualised environment or if there are analysis tools installed on machines. Slick automation is used by Trickbot and Emotet to keep botnets running and to spread using stolen credentials. RDP breaches are easier than ever due to automated processes scouring the internet for targets to exploit. Expect more and more intelligent automation from ransomware and other malware in future.

What can I do?

• Secure your RDP
• Use proper password policy. This ties in with RDP ransomware threats and especially applies to admins.
• Update everything
• Back up everything. Is this backup physically connected to your environment (as in USB storage)? If so, it can easily be encrypted by malware and malicious actors. Make sure to air gap backups or back up to the cloud.
• If you feel you have been the victim of a breach, it’s possible there are decryption tools available. Despite the brilliant efforts of the researchers in decryption, this is only the case in some instances.

What can Webroot do?

• Detect and stop ransomware. Prevention is always best, and it’s what we’re best at.
• Block malicious URLs and web traffic.
• Rollback changes made by some ransomware.
• Offer support. Our support is excellent and easy to reach. As well as helping to tackle any possible ransomware attack, our team will investigate the root cause and help you secure your organisation against future attacks. Specialised security hardening tools that can be deployed from your console to your machines in a few clicks.
• For more technical details see our Ransomware Prevention Guide.

I’m excited to share that Webroot has entered into an agreement to be acquired by Carbonite, a leader in cloud-based data protection for consumers and businesses.

Why do I think this is such good news for customers, partners and our employees?  

For customers and partners, the combined Webroot and Carbonite will create an integrated solution for their top security needs today and a platform for us to build upon in the future. When surveyed, SMBs and MSPs consistently name endpoint security and backup and data recovery services among their top priorities.

For our threat intelligence partners, the addition of new data sources will make our threat intelligence services even more powerful.

We see great opportunities ahead building on the solutions you trust—endpoint and network protection, security awareness training and threat intelligence services—and extending them to backup and data recovery and beyond.

For employees, we see a great future of growth for a team with a shared culture. Both Webroot and Carbonite have tremendously talented team members who together will bring even more innovative solutions to market. But, just as important, both companies have a culture of customer focus, where customer success is the ultimate proof of company success. 

Until the transaction closes, we must operate as separate companies. After close, which we expect to happen in the first calendar quarter of 2019, I look forward to sharing more information about our plans.

In the meantime, customers and partners can expect:  

• The same commitment to customer care and support. You will have access to your same account reps and award-winning customer support team.
• Future solutions that combine Webroot’s threat intelligence driven portfolio with Carbonite’s data protection solutions.
• Extended sales channels and partner ecosystems. Carbonite partners will provide additional channels for Webroot to reach new customers and partners worldwide.

The most important point I want to underline is that our commitment to you will not change, and we are just expanding the family of people dedicated to building great solutions to protect you and your customers. 

Mike Potts
President & CEO, Webroot

In my blog, Password Constraints and Their Unintended Security Consequences, I advocate for the use of passphrases. Embedded in the comments section, one of our readers Ben makes a very astute observation:

What happens when attackers start guessing by the word instead of by the letter? Then a four-word passphrase effectively becomes a four-character password.

What Ben is describing is called a “passphrase token attack,” and it’s real. With a good passphrase, the attack is not much of a threat though. First, a definition, then I’ll explain why.

What’s a token?

In the context of a passphrase token attack, a token is a grouping of letters, AKA a word. The passphrase made famous by the comic xkcd, “correct horse battery staple,” is 28 characters long. But, in a passphrase token attack, I wouldn’t try to guess all possible combinations of 28 letters. I would guess combinations of entire words, or tokens, each representing a group of characters.

The math behind passphrases

One might assume, as Ben did, that a four-word password is the same as a four-character password. But that’s a math error. Specifically, 95≠1,000,000. 

Here’s why: There are 95 letters, numbers, and symbols that can be used for each character in a password. However, there are over a million words in the English language. For simplicity’s sake, let’s call it an even million words. If I’m thinking of a single character, then at most you have to try 95 characters to guess it. But if I ask you to guess which word I am thinking of, then you may need to guess a million words before you have guessed the word that I am thinking of. 

So while there are 95^4 possible combinations of characters for a four-character password, there are over 1,000,000^4 combinations of words for a four-word password. 

You might be thinking “But nobody knows a million words,” and you are correct. According to some research, the average person uses no more than 10,000. So, as an attacker, I’d try combinations of only the most common words. Actually, I may be able to get by with a dictionary as small as 5,000 words. But 5,000^4 is still a whole lot more combinations than 95^4.

Here is one list of 5,000 of the most commonly used words in the English language, and another of the 10,000 most commonly used words. Choosing an uncommon word is great, but even words in the top 5,000 are still far better than a complex nine-character password.

Why and how to use a passphrase

There are two major strengths of passphrases: 

1. Passphrases allow for longer, more secure passwords. It’s length that makes a passphrase a killer password. A password/passphrase that’s 20 lowercase characters long is stronger than a 14 character password that uses uppercase letters, lowercase letters, numbers, and symbols. 
2. Passphrases can be easy to remember, making creating and using passwords a lot less painful. “Aardvarks eat at the diner” is easy to remember and, at 26 characters long and including uppercase and lowercase letters, is more than 9 trillion times stronger than the password “eR$48tx!53&(oPZe”, or any other complex, 16-character password, and potentially uncrackable.

Why potentially uncrackable? Because “aardvark” is not one of the 10,000 most frequently used words and, if a word is not in the attacker’s dictionary, then you win. This is why it helps to use foreign-language words. Even common foreign words require an attacker to increase the size of their dictionary, the very factor that makes passphrase token attacks impractical. Learning a word in an obscure foreign language can be fun and pretty much assures a passphrase won’t be cracked.

As we’ve seen, cracking a passphrase can be far more difficult than cracking a password, unless you make one of two common mistakes. The first is choosing a combination of words without enough characters. “I am a cat,” for example. Although it’s four words, it’s only 10 characters long and an attacker can use a conventional brute force attack, even for a passphrase. Spaces between words can be used to increase the length and complexity of passphrases.

The second most common mistake is using a common phrase as a passphrase. I can create a dictionary of the top 1,000,000 common phrases and, if you’re using one, then it only takes at most 1,000,000 guesses to crack (about the same as a complex three-character password). 

So create your own unique passphrases and you’re all set. Most experts recommend passphrases be at least 20 characters long. But if you only go from eight characters to 16 upper and lower case letters, you’ll already be 430 trillion times better off. And if you’re creating a passphrase for a site requiring a number or symbol, it’s fine to add the same number and symbol to the end of your phrase, provided the passphrase is long to begin with.

As a side note, according to math, a five word passphrase is generally stronger than a four word passphrase, but don’t get too hung up on that.

So Ben, you are 100% right about the reality of passphrase token attacks. But, with a strong passphrase, the math says it doesn’t matter. Note: If this stuff fascinates you, or you suffer from insomnia, you might enjoy “Linguistic Cracking of Passphrases using Markov Chains.” You can download the PDF or watch this riveting thriller on YouTube. Sweet dreams.

This is the second of a three-part report on the state of three malware categories: miners, ransomware, and information stealers. 

As noted in the last blog, mining malware is on a decline, partly due to turmoil affecting cryptocurrencies. Ransomware is also on a decline (albeit a slower one). These dips are at least partly the result of the current criminal focus on information theft.

Banking Trojans, hacks, leaks, and data-dealing are huge criminal enterprises. In addition to suffering a breach, companies might now be contravening regulations like GDPR if they didn’t take the proper precautions to secure their data. The ways in which stolen data is being used is seeing constant innovation. 

Motivations for data theft

Currency

The most obvious way to profit from data theft is by stealing data directly related to money. Examples of malware that accomplishes this could include:

• Banking Trojans. These steal online banking credentials, cryptocurrency private keys, credit card details, etc. Originally for bank theft specialists, this malware group now encompasses all manner of data theft. Current examples include Trickbot, Ursnif, Dridex.
• Point of Sale (POS). These attacks scrape or skim card information from sales terminals and devices.
• Information stealing malware for hijacking other valuables including Steam keys, microtransactional or in-game items

Trade

Data that isn’t instantly lucrative to a thief can be fenced on the dark web and elsewhere. Medical records can be worth ten times more than credit cards on dark web marketplaces. A credit card can be cancelled and changed, but that’s not so easy with identity. Examples of currently traded information include:

• Credit cards. When cards are skimmed or stolen, they’re usually taken by the thousands. It’s easier to sell these on at a reduced cost and leave the actual fraud to other crooks.
• Personal information. It can be used for identity theft or extortion, including credentials, children’s data, social security information, passport details, medical records that can be used to order drugs and for identity theft, and sensitive government (or police) data

Espionage

Classified trade, research, military, and political information are constant targets of hacks and malware, for obvious reasons. The criminal, political, and intelligence worlds sometimes collide in clandestine ways in cybercrime. 

As a means of attack

While gold and gemstones are worth money, the codes to a safe or blueprints to a jewellery store are also worth a lot, despite not having much intrinsic value. Similarly, malware can be used to case an organisation and identify weaknesses in its security setup. This is usually the first step in an attack, before the real damage is done by malware or other means. 

“In late 2013, an A.T.M. in Kiev started dispensing cash at seemingly random times of day. No one had put in a card or touched a button. Cameras showed that the piles of money had been swept up by customers who appeared lucky to be there at the right moment.” –From a story that appeared in the New York Times

Just another day in the Cobalt/Carbanak Heists 

Some examples of “reconnaissance” malware include:

• Carbanak. This was the spear-tip of an attack in an infamous campaign that stole over €1 billion ($1.24 billion) from European banks, particularly in Eastern Europe. The Trojan was emailed to hundreds of bank employees. Once executed, it used keylogging and data theft to learn passwords, personnel details, and bank procedures before the main attacks were carried out, often using remote access tools. ATMs were hacked to spill out cash to waiting gang members and money was transferred to fraudulent accounts.
• Mimikatz, PsExec, and other tools. These tools are freely available and can help admins with legitimate issues like missing product keys or passwords. They can also indicate that a hacker has been on your network snooping. These software capabilities can be baked into other malware.
• Emotet. Probably the most successful botnet malware campaign of the last few years, this modular Trojan steals information to help it spread before dropping other malware. It usually arrives by phishing email before spreading like wildfire through an organisation with stolen/brute-forced credentials and exploits. Once it has delivered its payload (often banking Trojans), it uses stolen email credentials to mail itself to another victim. It’s been exfiltrating the actual contents of millions of emails for unknown purposes, and has been dropping Trickbot recently, but the crew behind the campaign can change the payload depending what’s most profitable. 

“Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.”- An August 2018 warning from the American DHS

• Trickbot/Ryuk. Trickbot is a banking Trojan capable of stealing a huge array of data. In addition to banking details and cryptocurrency, it also steals data that enables other attacks, including detailed information about infected devices and networks, saved online account passwords, cookies, and web histories, and login credentials. Trickbot has been seen dropping ransomware like Bitpaymer onto machines, but recently its stolen data is used to test a company’s worth before allowing attackers to deploy remote access tools and Ryuk (ransomware) to encrypt the most valuable information they have. The people behind this Trickbot/Ryuk campaign are only going after big lucrative targets that they know they can cripple.

What are the current trends?

Emotet is hammering the business world and, according to our data, has surged in the last six months of 2018:

Data recorded between 1 July and December 31, 2018. Webroot SecureAnywhere client data.

Detection of related malware surged alongside these detections. Almost 20% of Webroot support cases since the start of December have been related to this “family” of infections (Emotet, Dridex, Ursnif, Trickbot, Ryuk, Icedid).

What can I do?

• Update everything! The success of infections such as WannaMine proved that updates to many operating systems still lag years behind. Emotet abuses similar SMB exploits to WannMine, which updates can eliminate.
• Make sure all users, and especially admins, adhere to proper password practices.
• Disable autoruns and admin shares, and limit privileges where possible.
• Don’t keep sensitive information in plain text.

What can Webroot do?

• Webroot SecureAnywherehome security products detect and remove information stealers including Emotet, Trickbot, Ursnif, Heodo, and Mimikatz, as well as any other resultant malware.
• Our Identity and Privacy Shield stops keylogging and clipboard theft, even if malware isn’t detected.
• Ongoing cybersecurity education and trainingfor end users is a must for businesses to stay secure. Remember: phishing and email tend to be the top delivery methods for this malware. 
• As well as helping you clean machines, Webroot’s support (in the case of infections such as Emotet) will help you plug security holes. Our specialised security hardening tools can be deployed through our console to all endpoints in a few clicks.

Information theft can be a very complicated business, but to tackle it, the basics have to be done. Criminals will always go for the low hanging fruit, so lifting your organisation’s data out of this category should be your first priority.But proper device protection and knowledge of good cyber hygiene are also essential to protecting your data. Stay tuned to the Webroot blog for the latest information on the newest threats.