Posts Tagged ‘Trojan’
Friday, April 24, 2015 @ 02:04 PM gHale
A Trojan called Janicab, which targets both Windows and Mac systems, uses an undocumented feature of the Windows LNK shortcut file format to pass command line arguments that Windows Explorer does not display.
Janicab, in existence since 2013, relies on Python and VBScript to infect machines.
The malware uses the RLO (right-to-left override) technique, which abuses a Unicode control character, U+202E, intended for languages written from right to left. Inserted anywhere in a text string, it reverses the display order of everything that follows it.
Applied to a file name with a double extension, the trick makes an executable appear to be a harmless DOC or PDF file: the characters after the override are drawn reversed, so the real extension is pushed into the middle of the displayed name and the decoy extension appears at the end.
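The following is an added example, not code from the article or from F-Secure, that shows the trick and the check for it in Python: it renders what a user would see for a name containing the override, recovers the stored extension, and flags names where the two disagree. The sample file names are constructed, and the rendering is a simplification of the Unicode bidi algorithm that handles only the override characters, which is enough for the file-name case.

```python
import os

# Unicode bidirectional control characters. U+202E (RLO) is the one the article
# describes; the others are flagged too because they can be abused the same way.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF", "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
# Extensions Windows executes on double-click; a name that *displays* as a
# document but *stores* one of these is the pattern to catch.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".hta", ".msi", ".lnk"}


def displayed_name(name: str) -> str:
    """Approximate what a user sees in a bidi-aware file manager: after an RLO the
    characters are drawn right-to-left (reversed) until a PDF (U+202C) or the end
    of the string. Simplified bidi handling, sufficient for the file-name trick."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202E":
            end = name.find("\u202C", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:        # other controls are invisible; drop them
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def analyse_filename(name: str) -> dict:
    """Report the stored extension, the extension the user is shown, and whether
    the two disagree because of bidi control characters."""
    controls = [(pos, BIDI_CONTROLS[ch]) for pos, ch in enumerate(name) if ch in BIDI_CONTROLS]
    shown = displayed_name(name)
    real_ext = os.path.splitext(name)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "stored": name,
        "displayed_as": shown,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "bidi_controls": controls,
        "suspicious": bool(controls) and real_ext in EXECUTABLE_EXTS and shown_ext != real_ext,
    }


def scan_names(names):
    """Run the check over a directory listing or attachment list and return the hits."""
    return [r for r in (analyse_filename(n) for n in names) if r["suspicious"]]


if __name__ == "__main__":
    # Constructed sample names: the first two use the RLO trick, the rest are benign,
    # including a genuine right-to-left (Hebrew) name that contains no control characters.
    SAMPLE = ["report\u202Ecod.exe", "Q2 results\u202Efdp.scr", "photo.jpg",
              "\u05D3\u05D5\u05D7.pdf"]
    for hit in scan_names(SAMPLE):
        print(f"{hit['stored']!r} displays as {hit['displayed_as']!r} but is really {hit['real_extension']}")
```

The check deliberately does not flag right-to-left text as such; legitimate Arabic or Hebrew file names carry no override characters, so the presence of a bidi control combined with an executable stored extension is the signal, not the script of the name.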
Janicab also hides its command and control (C&C) infrastructure by fetching the server addresses from third-party online sources.
The addresses are obfuscated: the malware looks for text matching the pattern “our (.*)th psy anniversary” and runs the seemingly random number it captures through an algorithm that turns it into the IP address. Earlier versions of the malware used the same tactic.
A Windows variant of Janicab delivered as an LNK file carries invisible shell commands chained into a single string with the “&” operator, the command separator of cmd.exe, F-Secure researchers said in a blog post.
In one case the shortcut poses as a JPG image, but its target points to the Command Prompt (cmd.exe), which executes the malicious commands, the researchers said.
A malicious script encoded with Microsoft Script Encoder is appended to the end of the LNK file; it holds the instructions for dropping decoy files so the user notices nothing unusual when the shortcut is launched.
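As an added example, not from the article or from F-Secure's analysis, the Python below parses the MS-SHLLINK structure far enough to pull out the target and argument strings and to find any bytes left after the ExtraData terminal block, which is where an appended encoded script would sit, then applies the triage checks a responder would want on a suspicious shortcut: the target is a script interpreter or shell, the arguments chain commands with “&”, the window is minimised, and data trails the structure. The sample shortcut is built by the script itself (only a relative path and arguments, no IDList or LinkInfo); the Script Encoder signature “#@~^” is real, but the bytes that follow it here are a constructed placeholder, not a real encoded script.

```python
import re
import struct

# Constants from the MS-SHLLINK ShellLinkHeader.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]

SCRIPT_ENCODER_MAGIC = b"#@~^"      # first bytes of a Microsoft Script Encoder (.vbe/.jse) stream
INTERPRETERS = re.compile(r"(?:^|[\\/])(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?$", re.I)


def parse_lnk(data: bytes) -> dict:
    """Walk the shell link structure and return its string fields plus whatever
    bytes remain after the ExtraData terminal block (the 'overlay')."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("bad HeaderSize: not a shell link")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID: not a shell link")
    flags, = struct.unpack_from("<I", data, 20)
    show_cmd, = struct.unpack_from("<I", data, 60)
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (u16) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, key in STRING_FIELDS:                # CountCharacters (u16) + characters, no terminator
        if flags & flag:
            count, = struct.unpack_from("<H", data, pos)
            pos += 2
            raw = data[pos:pos + (count * 2 if unicode else count)]
            pos += len(raw)
            fields[key] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    while pos + 4 <= len(data):                    # ExtraData: blocks with BlockSize >= 4, ended by a size < 4
        size, = struct.unpack_from("<I", data, pos)
        if size < 4:                               # TerminalBlock
            pos += 4
            break
        pos += size
    return {"flags": flags, "show_command": show_cmd, **fields, "overlay": data[pos:]}


def triage_lnk(data: bytes) -> dict:
    """The checks a responder wants on a shortcut from an email or a removable drive."""
    info = parse_lnk(data)
    target = info.get("relative_path", "")         # note: a real LNK may carry the target only in the IDList/LinkInfo
    args = info.get("arguments", "")
    overlay = info["overlay"]
    return {
        "target": target,
        "arguments": args,
        "argument_length": len(args),              # long argument strings run past what Explorer's Properties dialog shows
        "target_is_interpreter": bool(INTERPRETERS.search(target)),
        "chained_commands": bool(re.search(r"[&|]", args)),   # cmd.exe '&' / '|' separators
        "runs_minimised": info["show_command"] == SW_SHOWMINNOACTIVE,
        "overlay_bytes": len(overlay),
        "script_encoder_overlay": overlay.startswith(SCRIPT_ENCODER_MAGIC),
    }


def build_sample_lnk(relative_path: str, arguments: str, overlay: bytes = b"") -> bytes:
    """Constructed test input: a minimal shell link with only RELATIVE_PATH and
    COMMAND_LINE_ARGUMENTS string data, an empty ExtraData section and optional
    trailing bytes. Not a real Janicab sample."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * 36                         # FileAttributes, three FILETIMEs, FileSize, IconIndex
    header += struct.pack("<I", SW_SHOWMINNOACTIVE)  # ShowCommand: start minimised
    header += b"\x00" * 12                         # HotKey + reserved fields
    assert len(header) == LNK_HEADER_SIZE

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments) + struct.pack("<I", 0) + overlay


if __name__ == "__main__":
    sample = build_sample_lnk(r"..\..\..\Windows\System32\cmd.exe",
                              '/c start "" photo.jpg & echo hidden commands run here',
                              overlay=b"#@~^DAAAAA==" + b"<constructed placeholder, not an encoded script>" + b"^#~@")
    for key, value in triage_lnk(sample).items():
        print(f"{key}: {value!r}")
```

The shell stops reading at the terminal block, so anything appended after it is carried along untouched; that is what makes the overlay a reliable place to look, and any non-zero overlay on a shortcut that arrived by email is worth extracting on its own.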
Janicab’s evolution also shows in its use of “snapIt.exe,” an application for capturing desktop screenshots.
The variant includes anti-analysis routines that check whether it is running in a virtual machine (VirtualBox, Parallels or VMware) or on a system built for analyzing threats, by looking for processes belonging to process managers, network analyzers, debuggers and startup tools, F-Secure researchers said.
Tuesday, April 7, 2015 @ 04:04 PM gHale
Reconnaissance operations are ongoing against companies related to the energy sector across the world, researchers said.
A Trojan, dubbed Laziok by Symantec, has been used in campaigns running between January and February, in attacks focused mostly on targets in the Middle East.
Its purpose is to collect information about the infected systems; those details help the attacker decide the best course for the operation, Symantec researchers said.
In the initial stage of infection, Laziok gathers configuration data to determine whether the compromised computer is of interest to the attacker.
If the system is not attractive, the infection stops. Otherwise, Laziok delivers additional malware (custom variants of Cyberat and Zbot) with different functionality, downloaded from servers in the U.S., UK and Bulgaria.
The data initially collected includes the computer name, installed software, RAM and hard disk size, GPU and CPU details and the antivirus product present.
“During the course of our research, we found that the majority of the targets were linked to the petroleum, gas and helium industries, suggesting that whoever is behind these attacks may have a strategic interest in the affairs of the companies affected,” Symantec security response manager Christian Tripputi said in a blog post.
According to telemetry from the security company, the most affected country is the United Arab Emirates, with 25 percent of the infections.
Other countries of apparent interest to the attacker, judging by the number of detections, are Pakistan, Saudi Arabia and Kuwait, each accounting for 10 percent of the total.
Laziok has also been found on systems in Qatar, Oman, the U.S., the UK, India, Indonesia, Colombia, Cameroon and Uganda.
The initial attack vector is an email purporting to come from the moneytrans[.]eu domain, which functions as the outgoing (SMTP) server, Tripputi said.
The messages carry a malicious Excel attachment with an exploit for CVE-2012-0158, a buffer overflow in the ListView/TreeView ActiveX controls of the MSCOMCTL.OCX library that allows remote code execution. Microsoft patched the flaw in April 2012 (bulletin MS12-027).
Although the attacker relies on unsophisticated methods and tools available on the underground market, researchers said the risk is not negligible: systems often remain unpatched against old flaws, which leaves them open to unsophisticated attacks.
Friday, March 14, 2014 @ 06:03 PM gHale
A Trojan that breaks into WiFi routers is now being used to spread the Sality malware family.
Sality is one of the oldest malware families still active, and its spreading and communication capabilities are part of why it has survived so long. It can terminate AV software and firewalls, steal information from the infected computer and use it to spam other users, download additional malware, and more, said researchers from Russian AV company Dr. Web.
It also has rootkit capabilities and spreads via removable drives and network shares; in the latest approach spotted, it works in conjunction with the router-hacking Trojan Rbrute to propagate itself.
“When launched on a Windows computer, Trojan.Rbrute establishes a connection with the remote server and stands by for instructions. One of them provides the Trojan with a range of IP addresses to scan,” the researchers said.
In addition, Rbrute mounts a dictionary attack against the router’s administrative login. If it succeeds, it reports back to the remote server, which then has the Trojan change the DNS server addresses stored in the router’s settings.
“As a result, when a user tries to visit a website, they can be redirected to another site that has been crafted by intruders. This scheme is currently being used by cybercriminals to expand the botnet created using the malware Win32.Sector,” the researchers said. Win32.Sector is just another name for Sality.
Because the router is compromised, every machine that uses it can ultimately end up infected. Currently the malware redirects targeted users to a spoofed Google Chrome download site, where the file offered is actually a Sality variant.
Once on the computer, Sality downloads Rbrute, and so the infection cycle continues.
The Rbrute Trojan can currently crack passwords on a number of router models, the researchers said, including the D-Link DSL-2520U and DSL-2600U; the TP-Link TD-W8901G, TD-W8901G 3.0, TD-W8901GB, TD-W8951ND, TD-W8961ND, TD-8840T, TD-8840T 2.0, TD-8816, TD-8817 2.0, TD-8817, TD-W8151N and TD-W8101G; and the ZTE ZXV10 W300 and ZXDSL 831CII.
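The practitioner’s question after a report like this is whether one’s own router has already been changed. The Python below is an added example, not Dr. Web’s code: it checks the DNS servers a router currently hands out against the ones that were configured, and compares answers for a few domains between that resolver and a trusted reference resolver, which is how a silent DNS change of the kind described above shows itself. The addresses and answer tables are constructed placeholders from the RFC 5737 documentation ranges, and the lookups are passed in as functions so the check runs offline here.

```python
import ipaddress

# All addresses below are constructed placeholders from the RFC 5737 documentation
# ranges; they are not resolver or hijack addresses from the Dr. Web report.
EXPECTED_RESOLVERS = {"203.0.113.53", "203.0.113.54"}   # what the ISP/admin configured on the router

# Constructed answer tables standing in for live resolvers: the first is what a
# hijacked router's DNS setting would return, the second a trusted reference resolver.
HIJACKED_ANSWERS = {
    "dl.google.com": ["198.51.100.7"],     # sent to the attacker's fake Chrome download site
    "www.google.com": ["198.51.100.7"],
    "example.com": ["192.0.2.10"],         # untouched: only the names the lure needs are hijacked
}
REFERENCE_ANSWERS = {
    "dl.google.com": ["192.0.2.44", "192.0.2.45"],
    "www.google.com": ["192.0.2.46"],
    "example.com": ["192.0.2.10"],
}


def check_resolver_settings(configured, expected=EXPECTED_RESOLVERS):
    """Flag any DNS server the router (or its DHCP lease) now hands out that is not
    one of the configured ones. Rbrute's payload is exactly such a silent change."""
    findings = []
    for addr in configured:
        ip = ipaddress.ip_address(addr)      # raises ValueError on garbage input
        if str(ip) not in expected:
            findings.append(f"unexpected DNS server {ip}")
    return findings


def compare_answers(domains, lookup_configured, lookup_reference):
    """Resolve each domain through the router-supplied resolver and through a trusted
    reference. Disjoint answer sets are the hijack indicator; overlap rather than
    equality is required because CDN-hosted names legitimately vary by resolver."""
    mismatches = {}
    for name in domains:
        configured = set(lookup_configured(name))
        reference = set(lookup_reference(name))
        if not (configured & reference):
            mismatches[name] = {"configured": sorted(configured), "reference": sorted(reference)}
    return mismatches


def dns_hijack_audit(configured_resolvers, domains, lookup_configured, lookup_reference):
    """Combine both checks into one report; either finding is enough to investigate."""
    settings = check_resolver_settings(configured_resolvers)
    answers = compare_answers(domains, lookup_configured, lookup_reference)
    return {"resolver_findings": settings,
            "answer_mismatches": answers,
            "hijack_suspected": bool(settings) or bool(answers)}


if __name__ == "__main__":
    # Simulate a router whose DNS setting was changed to an attacker-controlled server.
    report = dns_hijack_audit(["198.51.100.53"], list(REFERENCE_ANSWERS),
                              lambda n: HIJACKED_ANSWERS[n], lambda n: REFERENCE_ANSWERS[n])
    for key, value in report.items():
        print(f"{key}: {value}")
```

For live use, the configured-path lookup is whatever the operating system resolves through the router (for example `socket.getaddrinfo`), and the reference lookup should go to a resolver the router cannot influence, such as a query sent directly to a known public resolver with a library like dnspython. A DNS redirect on its own cannot defeat a correctly validated HTTPS download, so the fake Chrome site only works for users who accept an unverified download; a mismatched answer for a software-download domain is the cue to check the router’s settings and its admin password.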
Monday, March 10, 2014 @ 06:03 PM gHale
A new HTTPS RAT for Android-based mobile devices is now for sale on underground marketplaces, researchers said.
The remote administration tool (RAT), called Dendroid, costs $300 and includes an APK binder package that lets attackers lace legitimate apps with malicious code and turn them into malware, according to a blog post by Symantec researcher Peter Coogan.
One intended use is to take a well-known legitimate Android app, trojanize it and get it onto Android marketplaces; once a victim downloads it, the attacker is off to the races.
Dendroid’s feature set is robust, Coogan said: once a device is infected, the attacker can perform almost any action, including calling phone numbers, recording audio, intercepting texts, opening apps and websites, and even taking and uploading photos.
“This holds the potential for stealing lots of personally identifiable information from the victim and even the victim’s contacts,” Coogan said. “It can be used for financial gain by sending text messages or using it to dial premium rate numbers.”
Norton Mobile Security detects Dendroid, but users can prevent infection altogether by not blindly accepting the permissions an app requests, Coogan said, adding that users should also watch their service bills for irregular charges.
“Google is doing what it can to mitigate these types of threats,” Coogan said. “One of the biggest problems we see is that when improvements are implemented, they don’t get rolled out to all users as it is dependent on the individual’s service carrier to push out said updates.”
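To make the advice about permissions concrete, the Python below is an added example (not Symantec’s or Dendroid’s code): it parses the output of `aapt dump permissions`, maps the requested permissions onto the capabilities listed above, and reports everything beyond what the app’s stated purpose needs, which is the question a user should ask before accepting. The aapt output and the “photo editor” baseline are constructed for the example; the permission names are the real android.permission.* identifiers, and the grouping into capabilities is the example’s own.

```python
import re

# Real android.permission.* identifiers grouped into the capabilities the article
# attributes to Dendroid; the grouping is this example's own.
CAPABILITIES = {
    "dial numbers / send texts (premium-rate fraud)": {
        "android.permission.CALL_PHONE", "android.permission.SEND_SMS"},
    "intercept texts": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "record audio": {"android.permission.RECORD_AUDIO"},
    "take photos": {"android.permission.CAMERA"},
    "harvest contacts and call history": {
        "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG"},
    "reach a remote server": {"android.permission.INTERNET"},
}
DIRECT_COST = CAPABILITIES["dial numbers / send texts (premium-rate fraud)"]
SURVEILLANCE = (CAPABILITIES["intercept texts"] | CAPABILITIES["record audio"]
                | CAPABILITIES["take photos"] | CAPABILITIES["harvest contacts and call history"])

# Matches both `uses-permission: NAME` (older aapt) and `uses-permission: name='NAME'` (newer aapt).
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)'?", re.M)

# Constructed `aapt dump permissions` output for a hypothetical trojanized photo
# editor; not taken from a real Dendroid sample.
SAMPLE_AAPT_OUTPUT = """\
package: com.example.photoeditor
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_CONTACTS'
"""

# What a photo editor plausibly needs (assumed baseline for the example); anything
# beyond it is the "why does it want that?" question to ask before accepting.
PHOTO_EDITOR_BASELINE = frozenset({
    "android.permission.CAMERA", "android.permission.INTERNET",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE"})


def parse_permissions(aapt_output: str) -> set:
    """Pull the requested permission names out of `aapt dump permissions` output."""
    return set(PERM_RE.findall(aapt_output))


def assess(permissions, baseline=frozenset()) -> dict:
    """Map requested permissions onto RAT capabilities and compare them with the
    baseline for the app's stated purpose."""
    present = {cap: sorted(perms & permissions)
               for cap, perms in CAPABILITIES.items() if perms & permissions}
    direct_cost = bool(DIRECT_COST & permissions)      # can run up the phone bill on its own
    surveillance = bool(SURVEILLANCE & permissions)
    network = "android.permission.INTERNET" in permissions
    return {
        "capabilities": present,
        "direct_cost": direct_cost,
        "surveillance": surveillance,
        "full_rat_profile": network and direct_cost and surveillance,   # exfiltration + fraud + spying
        "beyond_baseline": sorted(permissions - baseline),
    }


if __name__ == "__main__":
    result = assess(parse_permissions(SAMPLE_AAPT_OUTPUT), PHOTO_EDITOR_BASELINE)
    for cap, perms in result["capabilities"].items():
        print(f"{cap}: {', '.join(perms)}")
    print("beyond baseline:", result["beyond_baseline"])
    print("full RAT profile:", result["full_rat_profile"])
```

Run against a real APK with `aapt dump permissions app.apk | python3 this_script.py` after replacing the constructed sample with `sys.stdin.read()`; the baseline has to come from the reviewer, since what is reasonable for a messaging app is alarming for a photo editor, and that judgement is exactly what the blind tap on “Accept” skips.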