Industry Intel

In a cybercrime ecosystem, dominated by client-side exploits serving Web malware exploitation kits, cybercriminals continue relying on good old fashioned social engineering tricks in an attempt to trick gullible end users into knowingly/unknowingly installing malware. In a series of blog posts, we’ve been highlighting the existence of DIY (do-it-yourself), social engineeringdriven, Java drive-by type of Web based platforms, further enhancing the current efficient state of social engineering driven campaigns.

Let’s take a peek inside yet another Web based DIY Java applet distribution platform, discuss its features, and directly connect to the Rodecap botnet, whose connections with related malicious campaigns have been established in several previously published posts.

More details:

read more…

Recently, a new Android threat named Android.Koler has begun popping up in the news.  According to an article by ARS Technica, it reacts similar to other pieces of ransomware often found on Windows machines.  A popup will appear and state “Your Android phone viewed illegal porn. To unlock it, pay a $300 fine”.  This nasty little piece of malware is infecting people who visit certain adult websites on their phone. The site claims you need to install a video player to view the adult content. Although I can’t say for sure since I haven’t seen the malicious sites, I’m guessing there is a nice walk through on how to allow the installation of apps from unknown sources, or anything not in the Google Play store.

If you have Webroot SecureAnywhere® Mobile installed, it will detect Android.Koler on the internal storage if you run a scan before installing or after you open the app to install it. If you didn’t have SecureAnywhere Mobile installed, things are going to get a bit trickier. The app will open itself very often, so when you press the home button and try to install WSA, or do anything else, it’s near impossible before the screen of shame pops back up. The app claims you are viewing banned/illegal adult content. It then demands you pay a fine of $300 to unblock your device, or it will remain blocked on top of facing felony charges; which, of course, is false. A researcher at BitDefender claims he was able to quickly uninstall the app before it popped back up, but I was unsuccessful with this myself. This is the screen that keeps popping up, and icon you should be looking for:

There is a legitimate “BaDoink” app, which uses the same icon however. This will make it tricky if you’re hoping to get the real version.

What should you do if this happens to you? Many manufacturers have a built-in “safe mode” on their devices’ version of Android. With a little bit of searching on the internet using your device’s model and “safe mode”, you may be able to find instructions on how to get there on that particular device. For example, “Motorola Droid 4 Safe Mode” was all it took to find instructions for the Droid 4 phone.

Once booted into safe mode, you will able to uninstall the malicious app easily because safe mode stops any non system apps from starting on boot up. Once this is done, power off the phone and power it back on to get out of safe mode.

To ensure preventative protection, installing security software such as Webroot SecureAnywhere® Mobile will prevent these issues before they even happen.

With millions of Android users continuing to acquire new apps through Google Play, cybercriminals continue looking for efficient and profitable ways to infiltrate Android’s marketplace using a variety of TTPs (tactics, techniques and procedures). Largely relying on the ubiquitous for the cybercrime ecosystem, affiliate network based revenue sharing scheme, segmented cybercrime-friendly underground traffic exchanges, as well as mass and efficient compromise of legitimate Web sites, for the purpose of hijacking legitimate traffic, the market segment for Android malware continues flourishing.

We’ve recently spotted, yet another, commercially available DIY cybercrime-friendly (legitimate) APK injecting/decompiling app. The tool is capable of facilitating premium-rate SMS fraud on a large scale through the direct modification of legitimate apps to be later on embedded on Google Play through compromised/data mined publisher accounts.

Let’s take a peek at the tool, discuss its features, and relevance in an Android malware market segment which is largely dominated by DIY mobile malware generating revenue sharing affiliate based networks.

read more…

Recently we’ve seen a big change in the encrypting ransomware family and we’re going to shed light on some of the newest variants and the stages of evolution that have led the high profile malware to where it is today. For those that aren’t aware of what encrypting ransomware is, its a crypto virus that encrypts all your data from local hard drives, network shared drives, removable hard drives and USB. The encryption is done using an RSA -2048 asymmetric public key which makes decryption without the key impossible. Paying the ransom will net you the key which in turn leads to getting your data back.

Cryptolocker

In it’s first evolution of what we know as “Cryptolocker” the encryption key was actually stored on the computer and the victim, with enough effort could retrieve said key. Then you could use tools submitted on forums to put in your key and decrypt all your data without paying the ransom. In future improvements malware authors made sure that the only place the key was stored was on a secure server so that you were forced to pay. However, more often than not the malicious dropper didn’t delete the VSS (Volume Shadow Service) and victims still had the option to manually restore files from a previous date using programs like Shadow explorer (OS drive only). For those that don’t know what the VSS is it’s a restorative feature that is included in XP sp2 and later versions of windows. Essentially it is a technology that allows taking manual or automatic backup copies of data and is related to system restore. In newer variants of Cryptolocker the VSS is almost always deleted at deployment. Malware authors also give the victim a special extended period of time to get their files they waited past the deadline, but the price usually doubles of triples.

CryptoDefense

In one of the more recent variants of encryption ransomware dubbed “CryptoDefense” it no longer has a graphical user interface (GUI). Instead the malware will just open a webpage after encryption and leave a text file at every directory that was encrypted. The instructions to get the key to decrypt your files have you install anonymous tor or other layered encryption browsers so you can pay them directly and securely. this enables malware authors to circumvent a portion of the Zeus fraud avoid the need for money mules (middle man) and increasing the percentage of profit.

DirCrypt

In this most recent change in encrypting ransomware. Instead of going after various file extensions, all files are encrypted into RTF documents with a *.enc.rtf extension. This one really blind sides the victim as you’ll get no pop up GUI or web page once encryption completes; you have to open one of your documents to find that it was encrypted. All documents will have the same content similar to what is shown. One big improvement that is quite nasty for victims is the encryption is no longer a static one time deal. This variant will actively seek out and encrypt any new or modified files written to drives. We noticed while testing a collected sample that when we attempted to save screenshots, that it immediately encrypted them. We expect future encrypting ransomware variants to include these tactics as the evolution continues.

Webroot SecureAnywhere users are proactively protected from the variants shown. We are constantly working with the evolving threat landscape to protect against the newest variants as they progress.

Webroot support is always more than happy to help with removal and any questions regarding infections.

Deceptive vendors of PUAs (Potentially Unwanted Applications) continue relying on a multitude of traffic acquisition tactics, which in combination with the ubiquitous for the market segment ‘visual social engineering‘, continue tricking tens of thousands of users into installing the privacy-violating applications. With the majority of PUA campaigns, utilizing legitimately looking Web sites, as well as deceptive EULAs (End User License Agreements), in 2014, the risk-forwarding practice for the actual privacy-violation, continues getting forwarded to the socially engineered end user.

We’ve recently intercepted a rogue portfolio consisting of hundreds of thousands of blackhat SEO friendly, legitimate applications, successfully exposing users to the Sevas-S PUA, through a layered monetization relying on OpenCandy/Conduit affiliate based revenue sharing networks.

More details:

read more…

*Editors Notes:  The purpose of this research was to see exactly how this scam is carried out, and the extent to which it is done.  DO NOT TRY THIS AT HOME. We used a clean machine, off network, to monitor the activity of the scammer.

Have you ever received a phone call from a tech support person claiming to be from Microsoft, and that your Windows based machine has been found to have a virus on it?  These cold calls typically come from loud call centers, and are targeting the uninformed and naïve in hopes of gaining access to their individual machines, and ultimately the victim’s credit cards

While there are many variants of this kind of scam, we recently received one of these phone calls and we decided to see just what happened.  The company that called us, which we later found out to be called Arjun Inc, called claiming they have received notifications that there are errors on the PC and they are calling to help correct those errors.

After playing along, we followed the directions of the agent.  The agent asked us to open the Event Viewer (which typically shows errors) and claims that those errors could cause the computer to crash and they need to fix the issues.  These are not actually critical errors, and as this scam is aimed at less tech savvy users, it can be seen how this is believed.

From this point, our agent asks to Remote Control the PC and instructed us on how to set up the Remote session.  The agent then logged in, looked at a few things, and installs the programs CCCleaner and Advanced Windows Care by Iobit. After this, we were advised that the installed programs will always run and protect the computer.  However, this is not the case as the programs installed don’t have ‘shields’ and thus, no real-time protections. He also says they will protect me from porn sites and potentially dangerous websites, but of course they do not.

At this point, the agent turns into a sales person.  He tells us how much the estimated costs of repairs will be and then proceeds to try and process the transaction through their spicywebtech.com login.  He told me that he had corrected the issues with my PC already via the Advanced Windows Care program, however, it’s plain as day that he never actually clicked the ‘repair’ button and thus never performed the ‘repairs’.

During the call, the agent informs us that their company (Windows Help and Support) is “part of Microsoft”, and I’m also advised that I won’t need to purchase antivirus for my PC any longer.

While the software loaded onto the machine were not malicious, they would not work as advertised by our agent, and could be consider unwanted programming.  By letting a stranger into your machine without verifying beyond reasonable doubt to their identity, you put yourself, your data, and your network at risk.  Never trust cold calls from strangers, and remember, Microsoft will never call you.

We have a full recording of the conversation up and live. If you’re interested in all the steps and how these scammers sound, give it a listen.

Here at Webroot, we are constantly on the lookout for malevolent Android apps. In most cases, you do something malicious with your app and you get marked accordingly, but it’s not always that simple.

Two weeks ago an app called “Virus Shield” popped up on the Google Play store. Within days, Virus Shield became Google Play’s #1 paid app. With thousands of reviews and a 4.7 star rating, who would question it?  Well, a few people did, the code was looked at, and Google pulled it from the store.  They have even gone as far as to make amends with those scammed in the process.

Here’s the app description previously seen on Virus Shield’s Google Play page:

Virus Shield is an Antivirus that protects you and your personal information from harmful viruses, malware, and spyware.

Improve the speed of your phone with just one click. This app was designed so that anyone can use and protect their phone.

• Prevents harmful apps from being installed on your device.
• Scans apps, settings, files, and media in real time
• Protects your personal information
• Strong antivirus signature detection
• Very low impact on battery life
• Runs in the background
• No, ZERO pesky advertisements

Too bad it doesn’t actually do any of these things. So what about the malicious things it does instead? Well, it doesn’t do anything malicious either. In fact, it has hardly any code at all.

Let’s take a step back to those reviews. How did an app get such a huge amount of good reviews in such a short period? I think that’s where the real deception was happening.

Here are some stipulations for writing reviews on Google Play:

• You must install an app to be able to review it.
• Reviews are tied to your Google Account.
• You can only review any app once per account.

I’m not clear on the exact process, but it seems the author created automation to use fake accounts to install the app, write a review, and then repeat the process continually in order to bust review ratings and download counts.

Suddenly, a no-name app has become Google Play’s top paid app. Other users now see it at the top of the charts, install it for themselves for $3.99, and the author makes a profit.

Although the app itself didn’t have malicious code, there was definitely malicious intent. For this reason, we’ve marked this app as Android.FakeApp in case it ends up on any other Android marketplaces.

With WordPress continuing to lead the CMS market segment, with the biggest proportion of market share, cybercriminals are actively capitalizing on the monocultural insecurities posed by this trend, in an attempt to monetize the ubiquitous (for the cybercrime ecosystem) TTPs (tactics, techniques and procedures). Despite actively seeking new and ‘innovative’ ways to abuse this trend, cybercriminals are also relying on good old fashioned reconnaissance and ‘hitlist’ building tactics, in an attempt to achieve an efficiency-oriented ‘malicious economies of scale’ type of fraudulent/malicious process.

We’ve recently spotted a managed WordPress installations-targeting, XML-RPC API abusing type of DDos (Denial of Service) attack service, whose discovery intersects with a recently launched mass widespread WordPress platform targeting campaign.

read more…

Cybercriminals continue actively abusing/mixing legitimate and purely malicious infrastructure, on their way to take advantage of clean IP reputation, for the purpose of achieving a positive ROI (return on investment) out of their fraudulent/malicious activities, in terms of attribution and increasing the average lifetime for their campaigns. Acting as intermediaries within the exploitation/social engineering/malware-serving chain, the market segment for this type of cybercrime-friendly services continues flourishing, with more vendors joining it, aiming to differentiate their UVP (unique value proposition) through a variety of ‘value-added’ services.

We’ve recently spotted yet another managed/on demand redirector generating service, that’s empowering potential cybercriminals with the necessary infrastructure for the purpose of launching (layered) fraudulent/malicious (multiple) redirector enabled attacks, capable of bypassing popular Web filtering solutions. Let’s profile the service, discuss its relevance within the cybercrime ecosystem, and provide actionable intelligence on the static redirectors managed by it.

More details:

read more…

Rogue vendors of Potentially Unwanted Applications (PUAs) continue tricking tens of thousands of gullible users into installing deceptive and privacy violating applications. Largely relying on ‘visual social engineering’ tactics and basic branding concepts, the majority of campaigns convincingly present users with legitimately looking ToS (Terms of Service)/EULA (End User License Agreements) which socially engineered users accept, thereby assuming the responsibility for the potential privacy-violating activities taking place on their host.

We’ve recently spotted yet another PUA campaign, relying on deceptive “Download Now” types of ads, enticing users into downloading the bogus GetMyFiles (Adware.Linkular) application, as well as the rogue SpeedUpMyPC (Win32.SpeedUpMyPC.A) PUA. Let’s profile the campaign, and provide actionable intelligence on the infrastructure behind it.

More details:

read more…

For years, cybercriminals have been building ‘hit lists’of potential targets through automated and efficiency-oriented reconnaissance TTPs (tactics, techniques and procedures).  The aim is to fraudulently/maliciously capitalize on these databases consisting of both corporate and government users. Seeking a positive return on their fraudulent/malicious activities, cybercriminals also actively apply basic QA (Quality Assurance) processes, standardization, systematic releasing of DIY (do-it-yourself) cybercrime-friendly applications – all to further ensure a profitable outcome for their campaigns. Thanks to the active implementation of these TTPs, in 2014, the market segments for spam-ready managed services/blackhat SEO (search engine optimization) continue to flourish with experienced vendors starting to ‘vertically integrate’ within the cybercrime ecosystem which is an indication of an understanding of basic business/economic processes/theories.

We’ve recently spotted a cybercrime-friendly service that’s offering commercial access to 50M+ ccTLD zone transfer domains whose availability could lead to a widespread mass abuse. Let’s profile the service and discuss its relevance/potential for abuse in the overall threat landscape.

More details:

read more…

Everyday cybercriminals actively take advantage of basic OPSEC (Operational Security) tactics, aiming to risk-forward their fraudulent/malicious online activity to a third-party, while continuously seeking to launching their malicious/fraudulent campaigns in an anonymous fashion. Having successfully matured from, what was once a largely immature market segment to today’s growing market segment, in terms of active implementation of OPSEC concepts, the blackhat market is prone to continue expanding, further providing malicious and fraudulent adversaries with the necessary capabilities to remain beneath the radar of law enforcement and the security industry.

In a series of blog posts we’ve published throughout 2013, we proactively highlighted the emergence of the TDoS (Telephony Denial of Service) attacks in the context of cybercriminals’ growing non-attributable capabilities to target and exploit (basic) vulnerabilities in telephone/mobile systems internationally. Largely relying on fraudulently obtained SIM cards and compromised accounting data at legitimate VoIP providers, as well as active utilization of purely malicious infrastructure, TDoS vendors constantly seek new tactics to apply to their OPSEC procedures.

Having proactively profiled the TDoS market segment throughout 2013, we’re also keeping eye on value-added services/features, namely, the modification of a mobile device/USB dongle’s International Mobile Station Equipment Identity (IMEI), for the purpose of adding an additional layer of anonymity to the fraudulent/DoS process. Let’s profile several vendors offering IMEI modification services and discuss their relevance within the TDoS market segment.

More details:

read more…