June 14, 2021

SMS fraud malware now targets OS X users

(LiveHacking.Com) – SMS fraud is nothing new and is one of the preferred methods of generating income for malware writers on Android and on Windows. The Russian security firm Dr. Web has discovered a piece of malware which attempts to perpetrate SMS fraud on unsuspecting OS X users. Dubbed Trojan.SMSSend.3666, it is the first program of its kind that targets Mac OS X.

With SMS fraud the malware writers attempt to subscribe victims to premium-rate SMS services which charge high fees for useless messages. The Android variant causes the phone to send a message to one of these premium-rate numbers.

The new Mac malware is a fake installer which can be downloaded under the guise of useful software. In this case, the Trojan pretends to be an installer for a program called VKMusic 4, a program meant for use on the VK social network. VK claims it is the largest European social network with more than 100 million active users.

“In order to continue the ‘installation’ fraudsters ask that the victim enter their cellphone number into an appropriate field and then specify the code found in a reply SMS. By performing these actions the user agrees to terms of a chargeable subscription and a fee will be debited from their mobile phone account on a regular basis,” wrote Dr. Web.

Recent outbreaks of OS X malware have used vulnerabilities in Java; this Trojan, however, doesn’t use a known or unknown vulnerability. Rather, it is a simple social engineering ploy to trick the user into subscribing to a costly phone service. A relatively small number of OS X users will be affected: first, it targets users of VK; second, the OS X user needs to download the fake version of VKMusic from an underground web site.

It is anticipated that Apple’s XProtect malware utility will be updated to identify this new Trojan in due course.

Banking Trojan tries to hide from security researchers

Shylock from Shakespeare’s Merchant of Venice. Engraving by G. Greatbach after a painting by John Gilbert.

(LiveHacking.Com) – In the never-ending cat and mouse chase between malware writers and security researchers a twist has been observed by the security company Trusteer. Recent analysis of a piece of banking and financial malware called Shylock has shown that the authors are trying to add methods which stop the malware from being analyzed. Malware researchers often use virtual machines or remote computers in an operations center or “lab” to perform research on malware. To connect to the machines in the lab, researchers use remote desktop connections. Knowing this, Shylock has been altered to identify and avoid remote desktop environments.

“Like most malware strains, Shylock continues to evolve in order to bypass new defensive technologies put in place by financial institutions and enterprises,” Gal Frishman wrote in a blog post. According to Gal, Shylock tries to detect a remote desktop environment by feeding invalid data into a certain Windows function call and then observing the error code returned. It uses this return code to spot remote desktops. If it recognizes a remote desktop session it won’t install. It is also possible to use this method to identify other known or proprietary virtual/sandbox environments as well.

“This is good, general purpose financial malware that we see along with Zeus, SpyEye and a host of other malware families that target these institutions,” George Tubin told SC Magazine. “We do see malware doing more things to avoid so-called virtual environments. For instance, sometimes malware has a sleep function, so once it gets in, it won’t start for a time. We see an increasing trend in malware being able to evade virtual environments.”

To find out if it is running in a remote desktop environment Shylock makes a call to the SCardForgetReaderGroup() function in Windows. This innocent function is designed to remove a previously introduced smart card reader group from the smart card subsystem. However, it turns out that if the function is called on a normal desktop machine the return values differ from those returned when it is called on a PC being used over a remote connection. Based on the return code Shylock decides whether or not to install.

ENISA tells banks to assume that all customer PCs are infected with malware

(LiveHacking.Com) – The EU’s cyber security agency ENISA (European Network and Information Security Agency) has released a report in response to the “High Roller” cyber-attacks. These attacks targeted corporate bank accounts and, according to a report recently published by McAfee and Guardian Analytics, are responsible for the loss of tens of millions of dollars.

As part of the recommendations, ENISA has told the banking industry to assume that all PCs are infected with malware. The “High Roller” cyber-attacks used the infamous Zeus malware, which isn’t universally detected by anti-malware programs, and as such it is safer for banks to assume that all of their customers’ PCs are infected.

The report also mentions that basic two-factor authentication does not prevent man-in-the-middle attacks on transactions. Therefore, ENISA recommends that banks cross-check the details of certain types of transactions with their customers. These cross-checks can be performed via SMS or a telephone call.
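The reason a plain one-time code does not stop a man-in-the-middle on an infected PC is that the code confirms "a transaction", not "this transaction": malware that rewrites the beneficiary in the browser still gets a valid code from the customer. The added example below (illustrative code written for this article, not ENISA's recommendation text or any bank's implementation) shows the cross-check ENISA describes carried out over an out-of-band channel: the SMS repeats the details the bank actually received, and the confirmation code is an HMAC bound to those details and a one-shot nonce, so an altered transaction shows up in the message and a captured code cannot be replayed against a different transfer. The `Bank` class, the `Transfer` record, the IBANs and amounts are all constructed for the example; it assumes the bank holds a server-side secret and that the customer's phone is not compromised along with the PC.

```python
"""Out-of-band transaction confirmation (illustrative; not ENISA's or any bank's code).

Assumptions (constructed for this example): the bank holds a server-side secret,
the SMS channel is independent of the compromised web session, and the customer
compares the SMS text against what they intended to send.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Transfer:
    beneficiary_iban: str
    amount_cents: int
    currency: str


def _canonical(transfer: Transfer, nonce: str) -> bytes:
    # Fixed field order, so the code is bound to exactly these details and this nonce.
    return f"{transfer.beneficiary_iban}|{transfer.amount_cents}|{transfer.currency}|{nonce}".encode()


def confirmation_code(bank_secret: bytes, transfer: Transfer, nonce: str) -> str:
    digest = hmac.new(bank_secret, _canonical(transfer, nonce), hashlib.sha256).digest()
    # Six decimal digits are enough for a one-shot code that dies with its nonce.
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def _describe(transfer: Transfer) -> str:
    major, minor = divmod(transfer.amount_cents, 100)
    return f"Confirm transfer of {major}.{minor:02d} {transfer.currency} to {transfer.beneficiary_iban}."


def build_sms(transfer: Transfer, code: str) -> str:
    # The SMS repeats the details the bank received, so a transaction altered
    # in the browser is visible to the customer on the out-of-band channel.
    return f"{_describe(transfer)} Code: {code}"


class Bank:
    """Server side: issues a detail-bound code and verifies it once."""

    def __init__(self) -> None:
        self._secret = secrets.token_bytes(32)
        self._pending: Dict[str, Transfer] = {}  # nonce -> transfer as received

    def request_transfer(self, received: Transfer) -> Tuple[str, str]:
        nonce = secrets.token_hex(8)
        self._pending[nonce] = received
        return nonce, build_sms(received, confirmation_code(self._secret, received, nonce))

    def confirm(self, nonce: str, code_typed: str) -> bool:
        transfer = self._pending.pop(nonce, None)  # one attempt per nonce
        if transfer is None:
            return False
        expected = confirmation_code(self._secret, transfer, nonce)
        return hmac.compare_digest(expected, code_typed)


def customer_reads_sms(intended: Transfer, sms: str) -> Optional[str]:
    """The cross-check: hand over the code only if the SMS matches the intended transfer."""
    if not sms.startswith(_describe(intended)):
        return None  # beneficiary or amount differs: customer refuses to confirm
    return sms.rsplit("Code: ", 1)[1]


def run_scenario(pc_is_infected: bool) -> bool:
    """Returns True if the bank ends up executing the transfer."""
    bank = Bank()
    intended = Transfer("DE00 0000 0000 0000 0000 00", 125_000, "EUR")  # constructed
    # A Zeus-style man-in-the-browser rewrites the beneficiary before the request leaves the PC.
    sent = Transfer("LV00 ATTK 0000 0000 0000 0", 125_000, "EUR") if pc_is_infected else intended
    nonce, sms = bank.request_transfer(sent)
    code = customer_reads_sms(intended, sms)
    return code is not None and bank.confirm(nonce, code)


def replay_is_rejected() -> bool:
    """A code issued for one transfer does not confirm another, even at the same amount."""
    bank = Bank()
    genuine = Transfer("DE00 0000 0000 0000 0000 00", 10_000, "EUR")
    nonce_a, sms_a = bank.request_transfer(genuine)
    captured = customer_reads_sms(genuine, sms_a) or ""
    fraudulent = Transfer("LV00 ATTK 0000 0000 0000 0", 10_000, "EUR")
    nonce_b, _ = bank.request_transfer(fraudulent)
    return not bank.confirm(nonce_b, captured)


if __name__ == "__main__":
    print("clean PC, transfer executed:", run_scenario(False))
    print("infected PC, transfer executed:", run_scenario(True))
    print("replayed code rejected:", replay_is_rejected())
```

The same binding works for a telephone call: the agent reads back the beneficiary and amount the bank holds, and the customer only approves if they match. What matters is that the details travel on a channel the PC malware cannot rewrite, and that the approval is tied to those details rather than to the session.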

ENISA also calls on the different national Computer Emergency Response Teams (CERTs) and law enforcement agencies to cooperate closer to help bring down the command and control servers used by the criminals.

The recommendations have been published due to the nature of the “High Roller” attacks. First, these attacks are highly automated, which makes them fast and easy to miss. Second, the attacks are sophisticated, with the ability to bypass two-factor authentication and fraud detection. Third, the attacks are highly targeted: only PCs belonging to users with correspondingly high balances were targeted.

Hacked Skype accounts used to spread Trojan that spies on Syrian activists

(Credit: EFF)

A new remote access trojan (RAT), known as BlackShades, has been found targeting Syrian activists. The Trojan, which is being distributed via instant messages from within hacked Skype accounts, contains surveillance capabilities which are being used to spy on anti-regime activists in Syria.

According to the Electronic Frontier Foundation, BlackShades is part of an ongoing campaign which uses social engineering to install surveillance software to spy on Syrian opposition activists. The campaign also includes numerous phishing attacks which attempt to steal YouTube and Facebook login information.

Previous attacks installed versions of the remote access tool DarkComet RAT, which the EFF says sends information back to an IP address in Syria. The BlackShades RAT, used in the latest attacks, has keystroke logging and remote screenshot capabilities. The malware is distributed via Skype as a “.pif” file.

The conversation shown in the picture comes from the compromised Skype account of an officer of the Free Syrian Army. The sender claims that the link is for an important new video, but in fact it is the Trojan. Later, a friend of the officer asked if his account was safe, and he replied that his account had been compromised.

“EFF urges Syrian activists to be especially cautious when downloading files over the internet, even in links that are purportedly sent by friends,” EFF’s Eva Galperin and Morgan Marquis-Boire wrote. “As members of the Syrian opposition become more savvy in using encryption, satellite networks, and other tools to evade the Assad regime’s extensive internet surveillance capabilities, pro-Syrian-government malware campaigns have increased in frequency and sophistication.”

A more detailed analysis of the Trojan can be found here.

New Variants of Flashback Trojan for OS X Found

(LiveHacking.Com) – New variants of the Flashback trojan for OS X have been spotted by security researchers from Intego. Flashback.G does not use an installer (unlike the previous incarnations), meaning that if a user visits a web page and has not applied Apple’s Java updates, the installation will occur without any user interaction. For those with up-to-date Java installations the trojan will trigger a certificate alert, but they won’t be asked for the user password.

The trojan horse uses three methods to infect Macs. First it tries to install via one of two known Java vulnerabilities, one from way back in 2008, the other from last year. Successful exploitation of these vulnerabilities means the machine becomes infected without any user intervention. Those running Macs with the latest Java updates will not be affected by these first two attempts. However, if the Java exploits fail then the trojan tries again with a social engineering trick: the applet displays a self-signed certificate claiming to be issued by Apple. Users who click on “Continue” will open the machine to infection.

Once installed, the trojan patches applications like Safari and Skype to sniff out usernames and passwords, especially for sites like Google, Yahoo!, CNN and PayPal. A possible clue that a Mac has become infected is that applications like Safari start to crash, as the trojan code makes the programs unstable.

“I don’t want to give [the hackers] more credit than they deserve, but [Flashback.G] is particularly sophisticated,” said Peter James, a spokesman for Intego, who spoke to ComputerWorld. “The Java vulnerability [approach] doesn’t require user interaction, and they’re putting victims into a strainer,” he added, referring to the social engineered-style fake certificate tactic that’s employed only if the Mac is invulnerable to the Java exploits.

Apple Updates XProtect to Include Revir PDF Trojan

(LiveHacking.Com) – Apple has updated the minimalistic antivirus solution included with Mac OS X to detect the PDF Revir Trojan horse. The Trojan, which hides in a PDF file, infects OS X machines with multiple pieces of malicious code, including a backdoor.

The PDF document itself is taken from a Chinese article that was circulating late last year and contains text related to political issues, which some readers could find offensive. The malware installs the backdoor Imuler.A.

Apple added a signature for Revir on Friday to the detection engine called XProtect included with Mac OS X 10.6 and Mac OS X 10.7.

If you do accidentally get infected by this Trojan horse, F-Secure has put up manual instructions for removing the backdoor.

Popureb.E Rootkit Stops MBR From Being Restored

The Microsoft Malware Protection Center has posted a blog entry about a variant of the Win32/Popureb.B Trojan, tagged Popureb.E, which has a driver to protect its malicious MBR and other data it stores on disk from being changed.

The result of these changes is that if your system becomes infected the MBR will need to be fixed from the System Recovery Console with the “fixmbr” command. Then the PC needs to be restored to a pre-infected state using a recovery CD.

The way Popureb.E protects itself on the MBR is by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys). The hooked DriverStartIo routine monitors disk write operations: if it finds that a write operation is trying to overwrite the MBR or the disk sectors containing malicious code, it simply replaces the write operation with a read operation. The operation still reports success; however, the data is never actually written to the disk.

To find out how to use your system’s recovery options, please read the following Microsoft articles:


BlackHole RAT – New Mac Trojan

Security researchers from Sophos have spotted a new piece of malware, which in itself isn’t unusual; what is unusual is that this one targets Mac OS X and not Windows.

According to the client end of the malware, used by the attacker to send commands to the remote machine, the software is still beta quality and not yet finished. The implication is that development is on-going and a more sophisticated version of the software is planned.

Known as BlackHole RAT, the software seems to be a port of the well-known Remote Access Tool/Trojan (RAT) for Windows known as darkComet. SophosLabs has dubbed the trojan OSX/MusMinim-A.

At the moment there are no reports of this tool spreading in the wild, and it doesn’t come with a delivery mechanism, meaning that attackers wishing to use it need to find a way to infect the remote Mac with the server component, for example via a vulnerability in a browser or plugin.

The functionality of the so-called beta is fairly limited and currently only allows the attacker to do the following:

  • Placing text files on the desktop
  • Sending restart, shutdown or sleep commands
  • Running arbitrary shell commands
  • Placing a full screen window with a message that only allows you to click reboot
  • Sending URLs to the client to open a website
  • Popping up a fake “Administrator Password” window to try and solicit the administration credentials from the victim

However, this is enough to cause damage to the remote machine and has the potential for online fraud.

http://ithreats.net has posted a YouTube video of BlackHole RAT in action.

New Variant of GpCode Back – Still Demanding Ransom Money to Free Your Data

A new variant of the troublesome and harmful GpCode trojan has been detected by Kaspersky Lab. Tagged as Trojan-Ransom.Win32.GpCode.ax, this trojan, which spreads via malicious websites and P2P networks, encrypts files on the infected computer and then asks for money in order to decrypt the files. Such trojans are known as ransomware, or cryptovirology.

The original version of this trojan, called Trojan.PGPCoder or Virus.Win32.Gpcode, was isolated back in 2005 and variations have been appearing almost yearly. However, this new manifestation has some troubling improvements.

In the past some of the variants had a weakness where the encrypted file was written to a new location on the disk (as a new file) and the old file deleted. This meant that the old (unencrypted) version of the file could be recovered using an undelete tool. However, this new variant directly overwrites the data in the file, which makes it impossible to use data-recovery tools.

The program uses either RSA-1024 or AES-256 encryption and then demands $120, to be paid by direct bank transfer, to decrypt the files. As with all blackmailers there is a warning not to tell the police or other authorities: “And remember: any harmful or bad words to our side will be a reason for ignoring your message and nothing will be done”.

Since the trojan searches your hard disk and encrypts the files sequentially, it is suggested that if you know your computer is infected, resetting it immediately might stop the encryption before too much data has been made unrecoverable.

On top of up-to-date anti-virus software and a firewall, the best defence against this type of malware is to have good and frequent backups of your data.

Stuxnet: Super Trojan For Cyber Terrorists

The trojan that was used to disrupt Iran’s nuclear programme has been traded on the black market and could be used by terrorists, according to Sky News sources.

Senior cyber-security figures have said the Stuxnet worm – the first to have been used to damage targets in the real world – could be used to attack any physical target which relies on computers.

The list of vulnerable installations is almost endless – they include power stations, food distribution networks, hospitals, traffic lights and even dams.

Read the full story here.
