Posts Tagged ‘Trojan’
Friday, April 24, 2015 @ 02:04 PM gHale
A Trojan called Janicab, which infects both Windows and Mac systems, uses an undocumented feature of the LNK shortcut file format to pass command line arguments that the Windows file manager does not display.
Janicab, around since 2013, relies on Python and VBScript to infect machines.
The malware uses the RLO (right-to-left override) technique, which abuses a special Unicode character intended for languages written from right to left. The character can be inserted anywhere in a text string and marks the point from which the rest of the string is rendered in reverse.
Combined with a double file extension, the trick makes an executable appear to be a harmless DOC or PDF file, because the reversed tail makes the real extension read as part of the file name.
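The following is an added example, not code from the page or from the Janicab authors. It shows how a stored name such as "Invoice_<RLO>fdp.exe" is rendered as "Invoice_exe.pdf" while the operating system still dispatches on ".exe", and it implements the check a mail gateway or endpoint scanner would run: flag any bidirectional control character in a file name, and flag double extensions that end in an executable type. The sample names are constructed; treating every Unicode bidi control (not only U+202E) as suspicious is an assumption of the example.

```python
# Added example (not from the page or the Janicab authors): how an RLO character
# makes "name_<RLO>fdp.exe" display as "name_exe.pdf", and a check that catches it.
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
# All Unicode bidi control characters; treating any of them in a file name as
# suspicious is an assumption of this example, not a claim from the page.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".vbs", ".vbe", ".js", ".lnk", ".app"}


def displayed_name(stored: str) -> str:
    """Approximate what a bidi-aware file manager shows: the text after the
    first RLO is rendered right-to-left, i.e. reversed (nesting ignored)."""
    head, rlo, tail = stored.partition(RLO)
    return (head + tail[::-1]) if rlo else stored


def real_extension(stored: str) -> str:
    """The extension the OS actually dispatches on: text after the last dot of
    the stored name, with bidi controls stripped."""
    clean = "".join(ch for ch in stored if ch not in BIDI_CONTROLS)
    dot = clean.rfind(".")
    return clean[dot:].lower() if dot != -1 else ""


def check_filename(stored: str) -> dict:
    """Verdict for one stored file name (as read from disk or a mail attachment)."""
    controls = sorted({unicodedata.name(ch) for ch in stored if ch in BIDI_CONTROLS})
    shown = displayed_name(stored)
    ext = real_extension(stored)
    double_ext = shown.count(".") > 1 and ext in EXECUTABLE_EXTENSIONS
    return {
        "stored": stored,
        "displayed": shown,
        "real_extension": ext,
        "bidi_controls": controls,
        "suspicious": bool(controls) or double_ext,
    }


# Constructed sample names, not real Janicab artifacts.
SAMPLES = [
    "Invoice_" + RLO + "fdp.exe",   # shows as Invoice_exe.pdf, runs as .exe
    "report.pdf.exe",               # plain double extension
    "notes.v2.txt",                 # harmless: two dots, non-executable extension
]

if __name__ == "__main__":
    for name in SAMPLES:
        v = check_filename(name)
        print(f"{v['displayed']!r:24} -> really {v['real_extension']} "
              f"suspicious={v['suspicious']} controls={v['bidi_controls']}")
```

The check deliberately works on the stored name rather than the rendered one: a scanner that reads names through a bidi-aware UI layer sees the same lie the user does.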
Janicab’s covert actions also include getting the addresses for the command and control (C&C) servers from third-party online sources.
The IPs are obfuscated: an algorithm translates seemingly random numbers embedded in text matching the pattern “our (.*)th psy anniversary” into the actual addresses. The same tactic appeared in previous versions of the malware.
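As an added illustration (not the page's or F-Secure's code) of this dead-drop resolver technique, the snippet below scans a feed of third-party text for the quoted pattern and turns each captured number into an address. The page does not give Janicab's real arithmetic, so the decoding used here, reading the number as the 32-bit integer form of an IPv4 address, is an assumption; the comment feed is constructed and decodes to RFC 5737 documentation addresses.

```python
# Added example (not the page's or F-Secure's code): pulling a C&C address out of
# third-party text such as video comments. The regex is the pattern quoted above;
# treating the captured number as the 32-bit integer form of an IPv4 address is
# an assumption of this example, as the page does not give the real arithmetic.
import ipaddress
import re
from typing import List, Optional

DEAD_DROP_PATTERN = re.compile(r"our (\d+)th psy anniversary")


def decode_ip(number: int) -> Optional[str]:
    """Assumed decoding: 32-bit integer -> dotted quad. Returns None for values
    outside the IPv4 range so that junk matches are dropped rather than used."""
    try:
        return str(ipaddress.IPv4Address(number))
    except ValueError:          # AddressValueError is a ValueError subclass
        return None


def extract_c2(text: str) -> List[str]:
    """All decodable addresses hidden in `text`, in order of first appearance."""
    found: List[str] = []
    for m in DEAD_DROP_PATTERN.finditer(text):
        ip = decode_ip(int(m.group(1)))
        if ip and ip not in found:
            found.append(ip)
    return found


# Constructed comment feed, not real Janicab traffic. The two valid numbers
# decode to 203.0.113.5 and 198.51.100.23; the third is out of range.
COMMENTS = """
cool video, thanks for sharing
our 3405803781th psy anniversary
happy 2nd anniversary everyone
our 99999999999th psy anniversary
our 3325256727th psy anniversary
"""

if __name__ == "__main__":
    print(extract_c2(COMMENTS))
```

From the defender's side, the useful signal is the combination: a host fetching a public comment page and then opening a connection to an address it never resolved through DNS.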
A variant of Janicab for Windows delivered as a LNK file includes invisible shell commands chained together in a single string with the cmd.exe “&” operator, said researchers at F-Secure in a blog post.
In one case, the malware poses as a shortcut to a JPG image, but the shortcut's target points to the Command Prompt (cmd.exe), which executes the malicious commands, the researchers said.
A malicious script encoded with Microsoft Script Encoder is appended to the end of the LNK file; it contains the instructions for dropping decoy files so that nothing looks amiss when the user launches the shortcut.
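The three paragraphs above describe one artifact: a shortcut whose visible properties look like a picture while its argument string carries a chained command line and its tail carries an encoded script. The following is an added example, not code from the page or from F-Secure, that parses the Shell Link format far enough to recover the StringData fields (including COMMAND_LINE_ARGUMENTS) and any bytes trailing the ExtraData terminal block, then applies the checks an analyst would run. The sample LNK is built in the script itself; that the hiding relies on padding the arguments beyond what the Properties dialog displays (about 260 characters) is an assumption of the example, as is treating "#@~^" as the Script Encoder marker.

```python
# Added example, not code from the page or from F-Secure: a minimal parser for
# the Shell Link (.lnk) format that recovers the command-line arguments Explorer
# does not show, plus the checks an analyst would run on them. The sample LNK is
# constructed here; that the hiding relies on padding the arguments beyond what
# the Properties dialog displays (~260 characters) is an assumption of the example.
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
DISPLAY_LIMIT = 260              # assumption: what the Target box shows
SCRIPT_ENCODER_MAGIC = b"#@~^"   # assumed leading marker of Script Encoder output


def build_lnk(relative_path, arguments, icon_location, overlay=b""):
    """Write a Shell Link carrying only StringData fields (no IDList/LinkInfo)."""
    flags = HAS_RELPATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x80, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(s):          # CountCharacters + UTF-16LE text, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = string_data(relative_path) + string_data(arguments) + string_data(icon_location)
    terminal_block = struct.pack("<I", 0)   # ends the ExtraData section
    return header + body + terminal_block + overlay


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields plus any bytes after the ExtraData terminal block."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & HAS_IDLIST:               # skip LinkTargetIDList
        (n,) = struct.unpack_from("<H", data, pos)
        pos += 2 + n
    if flags & HAS_LINKINFO:             # skip LinkInfo (size includes itself)
        (n,) = struct.unpack_from("<I", data, pos)
        pos += n
    fields = {}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    while pos + 4 <= len(data):          # walk ExtraData blocks to the terminal block
        (n,) = struct.unpack_from("<I", data, pos)
        pos += n if n >= 4 else 4
        if n < 4:
            break
    fields["overlay"] = data[pos:]
    return fields


def assess(fields: dict) -> list:
    """Heuristics for a shortcut that hides a command line behind a harmless look."""
    findings = []
    target = fields.get("relative_path", "").lower()
    args = fields.get("arguments", "")
    if target.endswith(SCRIPT_HOSTS):
        findings.append("target is a script host: " + target.rsplit("\\", 1)[-1])
    if re.search(r"[&|]", args):
        findings.append("arguments chain several commands")
    if len(args) > DISPLAY_LIMIT:
        findings.append(f"arguments ({len(args)} chars) exceed what the Target box shows")
    if re.search(r" {16,}", args):
        findings.append("whitespace padding inside arguments")
    overlay = fields.get("overlay", b"")
    if overlay:
        findings.append(f"{len(overlay)} bytes appended after the ExtraData terminal block")
        if overlay.startswith(SCRIPT_ENCODER_MAGIC):
            findings.append("appended data carries the Script Encoder marker")
    return findings


def build_sample() -> bytes:
    """A constructed LNK in the style the text describes (not a real Janicab sample)."""
    hidden = " " * 300 + "start photo.jpg & cscript //nologo dropped.vbs"
    fake_vbe = SCRIPT_ENCODER_MAGIC + b"placeholder-not-a-real-encoded-script==^#~@"
    return build_lnk(r"..\..\Windows\System32\cmd.exe", "/c" + hidden,
                     r"%SystemRoot%\System32\imageres.dll", overlay=fake_vbe)


if __name__ == "__main__":
    info = parse_lnk(build_sample())
    print("visible start of arguments:", repr(info["arguments"][:20]))
    for finding in assess(info):
        print(" -", finding)
```

Real shortcuts usually carry a LinkTargetIDList rather than a relative path, so a production parser would also decode the IDList to find the true target; the overlay check is the one that needs no such work, because legitimate shortcuts end at the terminal block.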
Janicab's evolution also shows in its use of “snapIt.exe,” an application designed for capturing desktop screenshots.
The variant integrates anti-analysis routines that check whether the malware is running in a virtual machine (VirtualBox, Parallels or VMware) or on a system built for analyzing threats, by looking for processes belonging to process managers, network analyzers, debuggers and startup tools, F-Secure researchers said.
Tuesday, April 7, 2015 @ 04:04 PM gHale
Reconnaissance operations are ongoing against companies related to the energy sector across the world, researchers said.
A Trojan, dubbed Laziok by Symantec, was used in campaigns running in January and February, in attacks that focused mostly on targets in the Middle East.
Its purpose is to collect information about infected systems; the details help the attacker decide how best to proceed with the operation, Symantec researchers said.
In the initial stage of infection, Laziok determines whether the compromised computer is of interest to the attacker by gathering configuration data.
If the system is not attractive, the infection stops. Otherwise, Laziok delivers additional malware (custom variants of Cyberat and Zbot) with different functionality, downloaded from servers in the U.S., the UK and Bulgaria.
The data initially collected by the threat includes the name of the computer, the software installed, RAM and hard disk size, GPU and CPU details and the antivirus solution available.
“During the course of our research, we found that the majority of the targets were linked to the petroleum, gas and helium industries, suggesting that whoever is behind these attacks may have a strategic interest in the affairs of the companies affected,” Symantec security response manager Christian Tripputi said in a blog post.
According to the telemetry data provided by the security company, the most affected country is the United Arab Emirates, which accounted for 25 percent of the infections.
Other countries of evident interest to the attacker, judging by detection counts, are Pakistan, Saudi Arabia and Kuwait, each accounting for 10 percent of total infections.
Laziok has also been found on systems in Qatar, Oman, the U.S., the UK, India, Indonesia, Colombia, Cameroon and Uganda.
The initial attack vector is an email purporting to come from the moneytrans[.]eu domain functioning as an outgoing (SMTP) server, Tripputi said.
The messages have attached a malicious Excel file with an exploit for CVE-2012-0158, a buffer overflow security glitch in the ListView/TreeView ActiveX controls in the MSCOMCTL.OCX library that allows remote code execution.
Although the attacker relies on basic methods and tools available on the underground market, researchers said the risk is not negligible, since systems often remain unpatched against old vulnerabilities and so stay exposed to unsophisticated attacks.
Friday, March 14, 2014 @ 06:03 PM gHale
There is now a Trojan that hacks WiFi routers in order to spread the Sality malware family.
Sality is one of the oldest malware families out there, and it is partly due to its spreading and communication capabilities that it has survived for this long. It is capable of a variety of malicious actions, including terminating AV software and firewalls, stealing information from infected computers and using it to spam other users, downloading additional malware, and so on, said researchers from Russian AV company Dr. Web.
It also has rootkit capabilities and spreads via removable drives and network shares; in the latest approach spotted, it works in conjunction with the WiFi-hacking Trojan Rbrute to propagate itself.
“When launched on a Windows computer, Trojan.Rbrute establishes a connection with the remote server and stands by for instructions. One of them provides the Trojan with a range of IP addresses to scan,” the researchers said.
In addition to this, Rbrute can mount a dictionary attack on the router. If successful, it reports back to the remote server, which then instructs the router to change the DNS addresses stored in its settings.
“As a result, when a user tries to visit a website, they can be redirected to another site that has been crafted by intruders. This scheme is currently being used by cybercriminals to expand the botnet created using the malware Win32.Sector,” the researchers said. Win32.Sector is just another name for Sality.
Rbrute compromises the router so other machines using it could ultimately end up infected. Currently, the malware redirects targeted users to a spoofed Google Chrome download site, where the file offered for download is actually a Sality variant.
Once on the computer, Sality downloads Rbrute, and so the infection cycle continues.
The Rbrute Trojan, the researchers said, can currently crack passwords on a number of different router models, including: D-Link DSL-2520U, DSL-2600U, TP-Link TD-W8901G, TD-W8901G 3.0, TD-W8901GB, TD-W8951ND, TD-W8961ND, TD-8840T, TD-8840T 2.0, TD-8816, TD-8817 2.0, TD-8817, TD-W8151N, TD-W8101G, ZTE ZXV10 W300, ZXDSL 831CII.
Monday, March 10, 2014 @ 06:03 PM gHale
A new HTTPS RAT for Android-based mobile devices is now for sale on underground marketplaces, researchers said.
The remote administration tool (RAT) is called Dendroid, costs $300, and ships with an APK binder package that lets attackers lace legitimate apps with malicious code and turn them into malware, according to a blog post by Peter Coogan, a Symantec researcher.
One expected use of the binder is to trojanize a well-known legitimate Android app and get it placed on Android marketplaces; the victim then only needs to download it.
The feature set of Dendroid is robust, the Symantec researcher said: once a device is infected, an attacker can perform practically any action, including calling phone numbers, recording audio, intercepting texts, opening apps and websites, and even taking and uploading photos.
“This holds the potential for stealing lots of personally identifiable information from the victim and even the victim’s contacts,” the Symantec security researcher said. “It can be used for financial gain by sending text messages or using it to dial premium rate numbers.”
Norton Mobile Security can detect the Dendroid threat, but users can prevent infection altogether by not blindly accepting permissions, the Symantec security researcher said, adding users should also carefully monitor their service bills for any irregular charges.
“Google is doing what it can to mitigate these types of threats,” the Symantec security researcher said. “One of the biggest problems we see is that when improvements are implemented, they don’t get rolled out to all users as it is dependent on the individual’s service carrier to push out said updates.”
Tuesday, March 4, 2014 @ 05:03 PM gHale
A new version of the Gameover malware is able to steal online banking credentials and has a kernel-level rootkit that makes it very hard to remove, researchers said.
Gameover is a computer Trojan based on the Zeus banking malware whose source code leaked over the Internet in 2011. Gameover stands apart from other Zeus-based Trojan programs because it uses peer-to-peer technology for command and control instead of traditional servers, making it more resilient to takedown attempts, according to researchers at Sophos.
At the beginning of February, researchers from security firm Malcovery Security reported that a new variant of Gameover was going out as an encrypted .enc file in order to bypass network-level defenses. The latest move from the Gameover authors is the use of a kernel rootkit called Necurs to protect the malware's process from termination and its files from deletion, Sophos researchers said in a blog post.
The latest Gameover variant is going out through spam emails purporting to come from HSBC France with fake invoices in .zip attachments. These attachments don’t contain the Gameover Trojan program itself, but a malicious downloader program called Upatre which, if run, downloads and installs the banking malware.
If this first stage of the infection is successful, the new Gameover variant attempts to install the Necurs rootkit which operates as a 32-bit or 64-bit driver depending on the Windows version used by the victim. The malware tries to exploit a Windows privilege escalation vulnerability patched by Microsoft in 2010 in order to install the Necurs driver with administrator privileges.
If the system is patched and the exploit fails, the malware triggers a User Account Control (UAC) prompt asking the victim for administrator access. The prompt should look suspicious, given that the user opened what he believed to be an invoice, researchers said.
However, if the user confirms anyway, or if the exploit succeeded in the first place, the rogue driver starts protecting the Gameover components.
“The rootkit greatly increases the difficulty of removing the malware from an infected computer, so you are likely to stay infected for longer, and lose more data to the controllers of the Gameover botnet,” researchers said.
Zeus and its spin-offs remain popular with cybercriminals. A new report from Dell SecureWorks found Zeus variants accounted for almost half of all banking malware seen in 2013.
In addition to stealing online banking credentials and financial information, attackers are increasingly using such malware to collect other types of data. Security firm Adallom just found a Zeus variant designed to steal Salesforce.com credentials and scrape business data from the compromised accounts.