Month: February 2016

A DHS report confirms the use of BlackEnergy in the Ukrainian outage, but its role is still unknown


A report issued by the DHS CERT confirms that the outage in Ukraine was caused by a well-coordinated attack, but the role of BlackEnergy is still unclear.

In December, a major outage hit a region in Ukraine; more than 225,000 customers were affected by the interruption of electricity. Security experts speculate that Russian nation-state actors were involved and that they used BlackEnergy to infect SCADA systems of the Ukrainian grid and critical infrastructure.

According to the Ukrainian media outlet TSN, the power outage was caused by destructive malware that disconnected electrical substations. Experts speculate that the hackers ran a spear-phishing campaign against the Ukrainian power authorities to spread the BlackEnergy malware through malicious Microsoft Office documents.

Now a new report published by the DHS Industrial Control Systems Cyber Emergency Response Team confirms that the outage was caused by a cyber attack.

The report is based on interviews with operations and IT staff at six Ukrainian organizations involved in the attacks. The thesis was first supported by the SANS industrial control systems team, but the real impact of the BlackEnergy malware on the incident is still unclear.


The SANS report stated that the attackers flooded the call centers at the power authorities with phone calls; the intent was to prevent customers from reporting the outage to the companies operating the critical infrastructure.

The DHS report highlights the possibility that the two strains of malware were used by the attackers after the outage in an attempt either to destroy evidence of the intrusion or to make recovery more difficult.

“Following these discussions and interviews, the team assesses that the outages experienced on December 23, 2015, were caused by external cyber-attackers. The team was not able to independently review technical evidence of the cyber-attack; however, a significant number of independent reports from the team’s interviews as well as documentary findings corroborate the events as outlined below.” states the report.

“Through interviews with impacted entities, the team learned that power outages were caused by remote cyber intrusions at three regional electric power distribution companies (Oblenergos) impacting approximately 225,000 customers.”

“The cyber-attack was reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks. According to company personnel, the cyber-attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities. During the cyber-attacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections. The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access.

All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack. The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable. It was further reported that in at least one instance, Windows-based human-machine interfaces (HMIs) embedded in remote terminal units were also overwritten with KillDisk. The actors also rendered Serial-to-Ethernet devices at substations inoperable by corrupting their firmware. In addition, the actors reportedly scheduled disconnects for server Uninterruptable Power Supplies (UPS) via the UPS remote management interface. The team assesses that these actions were done in an attempt to interfere with expected restoration efforts.”

The report confirmed that every company hit by the attack was infected with the BlackEnergy malware, but avoided providing further details on the role played by the malware.

“Each company also reported that they had been infected with BlackEnergy malware; however, we do not know whether the malware played a role in the cyber-attacks. The malware was reportedly delivered via spear phishing emails with malicious Microsoft Office attachments. It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials; however, this information is still being evaluated. It is important to underscore that any remote access Trojan could have been used and none of BlackEnergy’s specific capabilities were reportedly leveraged.”


FighterPOS Malware Can Now Spread on Its Own


Brazilian POS malware gets worm-like features. A POS (Point of Sale) malware family has just taken a dangerous turn in its evolution after Trend Micro researchers observed that it has now gained the ability to replicate itself and spread to other local systems.

Called FighterPOS, this malware family was first seen in April 2015, when Trend Micro researchers discovered it targeting POS terminals in Brazil.

At that time, researchers speculated that FighterPOS was a one-man operation, probably run by a local Brazilian hacker. Trend Micro also reported that the person behind the malware used it to steal 22,000 credit card details and that its author was selling a version of his malware on the Dark Web for around $5,000 (€4,500).

FighterPOS evolves into Floki Intruder

Based on data picked up by their security products, the same Trend Micro experts are now reporting on a new variation of the FighterPOS malware family, which they dubbed Floki Intruder.

According to their investigation, this variant is not developed by the same person that created the original FighterPOS malware. It appears that the source code was sold to someone else, or that the hacker behind the first version might have joined forces with someone else.

File compilation details reveal that a different person put together Floki Intruder, a theory that’s also reinforced by the fact that many source code functions and comments are now in English, not Portuguese as they were in FighterPOS.

Floki Intruder can replicate itself

Floki Intruder appears to be much more dangerous than the old FighterPOS version. The main difference is the presence of a worm-like feature that goes into effect after Floki infects a computer.

This worm-like feature will scan the local network for similar POS terminals, clone itself and infect those devices as well.

“Adding this routine, in a way, makes sense: given that it is quite common for PoS terminals to be connected in one network,” Trend Micro’s Erika Mendoza and Jay Yaneza explain. “A propagation routine will not only enable the attacker to infect as many terminals as possible with the least amount of effort, it will also make this threat more difficult to remove because reinfection will occur as long as at least one terminal is affected.”

Despite the presence of English code in the malware’s source, FighterPOS (Floki Intruder) has not moved outside Brazil. Over 93% of all FighterPOS infections are coming from Brazil while only 6% of infected terminals are located in the US.

Floki Intruder geographical spread




According to Huiqing Wang, the professor of the IICS ethical hacking course, there are other tools for hacking a system, and backdoorme is one of them. Backdoorme is a utility capable of creating a backdoor on Unix machines. Backdoorme uses a Metasploit-like interface with more functionality. Backdoorme uses an existing SSH connection or the victim’s credentials, through which a backdoor is transferred and deployed.

Backdoorme comes with a series of built-in backdoors, modules and auxiliaries. There are backdoors such as the netcat backdoor, the msfvenom backdoor and others. According to the ethical hacking course, modules can be used with any backdoor and serve to make backdoors more powerful, more hidden or easier to install. Auxiliaries are useful operations that can be performed to help with persistence.



git clone <repository URL> <your clone folder name>
cd <your clone folder name>




There are different backdoors available in backdoorme, according to Huiqing Wang, the professor of the ethical hacking course.

remove_ssh backdoor: The remove_ssh backdoor removes the ssh server on the client. It is used at the end of a backdoorme session to remove all traces.

ssh_key/ssh_port backdoor: The ssh_key backdoor creates RSA keys and adds a new ssh port.

setuid backdoor: The setuid backdoor works by setting the setuid bit on a binary while the user has root access, so that when the user later runs the binary without root access, the binary executes with root privileges. Note that root access is initially required to deploy this backdoor.

shell backdoor: The shell backdoor is a privilege escalation backdoor similar to setuid. It duplicates the bash shell to a hidden binary and sets the SUID bit.

keylogger backdoor: Adds a keylogger to the system and emails the results.

simplehttp backdoor: Installs python’s SimpleHTTP server on the client.

user backdoor: Adds a new user on the client.

web backdoor: Installs an Apache server on the client.

bash/bash2 backdoor: Uses a simple bash script to connect to a specific IP and port combination and send the results.

metasploit: Uses msfvenom to create a reverse tcp binary on the target, then runs the binary to connect to a meterpreter shell.

netcat/netcat_traditional backdoor: The netcat backdoor uses netcat to provide the user with an interactive shell.

perl backdoor: The perl backdoor is a script written in perl that redirects its output to bash and renames the process to look less conspicuous.

php backdoor: The php backdoor runs a php backdoor that redirects its output to bash. It does not install a web server automatically, but instead uses the web module.

pupy backdoor: The pupy backdoor uses n1nj4sec’s Pupy backdoor.

python backdoor: The python backdoor uses a python script to execute commands and send the results to the user.

web backdoor: The web backdoor runs a php backdoor that redirects its output to bash and automatically installs a web server.


There are different modules available in backdoorme, according to the ethical hacking course.

Poison module: Performs bin poisoning on the machine and compiles an executable that calls a system utility and an existing backdoor.

Cron module: Adds an existing backdoor to the root user’s crontab so that it runs at a given frequency.

Web module: Sets up a web server and a web page that triggers the backdoor. Simply visit the site and the backdoor will start.

User module: Adds a new user on the machine.

Startup module: Allows backdoors to be spawned from the bashrc and init files.

Whitelist module: Whitelists IPs so that only that IP can connect to the backdoor.

Unix servers are used in many companies, and there are many security vulnerabilities in Unix systems. There are also many security measures that can be implemented to secure a Unix system. You can learn more about Unix security architecture and how to protect against tools like backdoorme during the ethical hacking course of the International Institute of Cyber Security.
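A defender-side counterpart to the list above, as an added example that is not part of the original post or of backdoorme: a Python audit that looks for the artefacts the setuid/shell backdoors and the user, cron and startup modules leave on a host. The expected-SUID directory list, the sample snapshot and the baseline user set are constructed assumptions; on a live host the inputs would come from /etc/passwd, `crontab -l -u root`, `find / -perm -4000` and the root user's ~/.bashrc.

```python
"""Audit a Unix host snapshot for the persistence traces described above.
Added example, not part of backdoorme. All inputs are plain strings or tuples,
so it runs offline on the constructed sample at the bottom of the file."""
import re
from dataclasses import dataclass

# Directories where SUID binaries are normally expected (assumption: a common
# Linux layout; extend for your distribution).
EXPECTED_SUID_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                      "/usr/lib/", "/usr/libexec/")
SHELL_NAMES = {"bash", "sh", "dash", "zsh", "ksh"}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Commands that open a network connection or hand code to an interpreter.
NET_OR_INTERP = re.compile(
    r"(?:^|[\s;|&(])(?:nc|ncat|netcat|socat|perl|python[0-9.]*|php)\b"
    r"|/dev/tcp/|bash -i")


@dataclass(frozen=True)
class Finding:
    kind: str    # one of: suid, user, cron, startup
    detail: str


def check_suid(entries):
    """entries: (path, octal mode) pairs, e.g. from find ... -printf '%p %m\\n'."""
    findings = []
    for path, mode in entries:
        if not int(mode, 8) & 0o4000:
            continue                      # not SUID at all
        name = path.rsplit("/", 1)[-1]
        hidden = "/." in path             # dot-file or dot-directory in the path
        outside = not path.startswith(EXPECTED_SUID_DIRS)
        # A SUID copy of a shell is exactly what the shell/setuid backdoors create.
        if hidden or outside or name in SHELL_NAMES:
            findings.append(Finding("suid", f"{path} (mode {mode})"))
    return findings


def check_passwd(passwd_text, baseline_users):
    """Flag uid-0 accounts other than root and login accounts not in the baseline."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 7:
            continue
        user, uid, shell = fields[0], fields[2], fields[6]
        if uid == "0" and user != "root":
            findings.append(Finding("user", f"extra uid-0 account {user}"))
        elif user not in baseline_users and shell.rsplit("/", 1)[-1] in SHELL_NAMES:
            findings.append(Finding("user", f"unexpected login account {user} ({shell})"))
    return findings


def check_crontab(crontab_text):
    """Flag cron jobs run from hidden or world-writable paths or that spawn network clients."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                      # blank, comment or VAR=value line
        if line.startswith("@"):          # @reboot, @daily, ...
            command = line.split(None, 1)[1] if " " in line else ""
        else:                             # five time fields, then the command
            parts = line.split(None, 5)
            command = parts[5] if len(parts) == 6 else ""
        if ("/." in command or command.startswith(WRITABLE_DIRS)
                or NET_OR_INTERP.search(command)):
            findings.append(Finding("cron", command))
    return findings


def check_startup(rc_text):
    """Flag shell-startup lines (bashrc/profile) that launch interpreters or network clients."""
    return [Finding("startup", line.strip()) for line in rc_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")
            and ("/." in line or NET_OR_INTERP.search(line))]


def audit(snapshot, baseline_users):
    """Run every check over a snapshot dict with keys suid, passwd, crontab, bashrc."""
    return (check_suid(snapshot["suid"])
            + check_passwd(snapshot["passwd"], baseline_users)
            + check_crontab(snapshot["crontab"])
            + check_startup(snapshot["bashrc"]))


# Constructed sample snapshot: benign entries plus one artefact per technique.
SAMPLE_SNAPSHOT = {
    "suid": [("/usr/bin/passwd", "4755"), ("/usr/bin/sudo", "4755"),
             ("/usr/bin/ls", "0755"), ("/usr/local/share/.cache/.sh", "4755")],
    "passwd": ("root:x:0:0:root:/root:/bin/bash\n"
               "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
               "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
               "sysadm:x:0:0::/tmp/.sysadm:/bin/bash\n"),
    "crontab": ("MAILTO=root\n# m h dom mon dow command\n"
                "0 3 * * * /usr/bin/certbot renew --quiet\n"
                "*/5 * * * * /usr/local/share/.cache/.sh\n"
                "@reboot /var/tmp/.agent\n"),
    "bashrc": ("# ~/.bashrc\nexport PATH=$PATH:/usr/local/bin\nalias ll='ls -la'\n"
               "(python3 /root/.cache/.s.py &) 2>/dev/null\n"),
}
BASELINE_USERS = {"root", "daemon", "alice"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SNAPSHOT, BASELINE_USERS):
        print(f"[{finding.kind}] {finding.detail}")
```

Treat the output as a triage list rather than a verdict: compare each hit against a known-good baseline of the host before acting on it.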




Databases can be a treasure trove of sensitive data. Most databases contain sensitive data: confidential data about companies, people, intellectual property, employees or customers. The data can include customer information, employee salaries, employee addresses, patient records, financial data, credit card numbers and much more. From the point of view of a database security company, the database of any company or organization is a system made up of a set of organized data, stored or structured in the cloud or on local servers, whose processing and access require applications that are authorized to modify or use it. According to database audit service consultants, concurrent access by several users without database security solutions carries many risks, such as data loss or theft. According to a survey by a database security company, lost or stolen data, especially sensitive data, can cause brand damage, heavy fines, lawsuits and competitive disadvantage.

These risks force companies to take into account aspects such as database security and the implementation of database security solutions. Alternatively, companies can turn to database security services that include backup and recovery in case of incidents caused by human error, natural disasters and, in many cases, cyber attacks.

Database security services involve protecting databases from improper activities that endanger their structure, availability, consistency and integrity. In addition, personal data protection regulations require the implementation of database security solutions and services in order to comply with personal data protection law. Database security companies must achieve database security through procedures that make it possible to control access and to restructure or update the database according to application requirements without having to modify the data model design much. Companies or organizations can implement a database security solution at the application level, the storage level or the database level, according to experts from database security companies. A database security solution implemented at the storage level (on disk or tape) protects against the risk of storage media being lost. But the same database security solution cannot protect against internal employees or infrastructure infected with malware.

A database security solution implemented at the application level is another option and provides the highest level of control. But the same database security solution cannot protect in the case where the storage media are lost. In addition, implementing a database security solution at the application level requires many changes to the application and is sometimes not a viable approach.

Because of these complexities, many companies or organizations are choosing to get help from experts at database security companies so that they can implement advanced solutions. These database security services provide security at the storage level, the application level and the level of data in transit.



According to experts at IICS – International Institute of Cyber Security, database security solutions and services can add new levels of security to your company and help it protect and manage confidential data effectively. The services should include database audit services and database security courses. Database security services manage the confidentiality, integrity and continuity of business information, thereby increasing the company’s credibility and reliability. The following are some aspects and advantages of database audit services:

  • The database audit service includes penetration testing. This helps you put security controls in place on the databases.
  • The entire database infrastructure undergoes the database audit services. Without the help of database audit services, you cannot know all the risks and vulnerabilities.
  • Database audit services help implement a monitoring system. The system has the capacity to supervise and verify all activities. This system can discover any improper or erroneous activity.
  • Creation of processes to develop and maintain detailed information about the vulnerabilities and business risks of networks and applications.
  • They ensure the implementation of procedures for managing cryptographic controls to safeguard and strengthen the database after the database audit services have ended.
  • Database audit services ensure the implementation and periodic execution of backup processes.
  • Generation of policies and procedures for the effective management of service providers and third parties.
  • They implement the business continuity plan, forensics and data recovery in case of a cyber attack.
  • The database infrastructure is protected against fire, theft and other forms of physical damage. Database security services develop physical security and logical security policies.

With the database security courses you will learn to manage risks, security incidents and existing vulnerabilities, and to reduce the risk of non-compliance with personal data protection legislation. The following are some aspects and advantages of database security training:

  • You can increase effectiveness by reducing the management costs linked to database security in large-scale environments, using the security management architecture taught during the database security training.
  • With the database security course, you can learn database security skills in real time with a lot of hands-on practice.
  • During the database security course you can implement security on real infrastructure and add higher levels of security.
  • They customize database security training and courses so that they integrate easily with deployed database management systems and other security solutions.
  • They teach the implementation of high-assurance database encryption solutions during the database security course.
  • In addition, topics such as simplifying data privacy compliance obligations, how to apply best practices and compliance standards, backups and backup automation are part of the database security course.


Snowden Says FBI can hack San Bernardino terrorist’s iPhone using acid and lasers


Edward Snowden joins the iPhone hack party, says FBI can use acids and lasers to hack it. Amidst the ongoing debate whether or not Apple should unlock the iPhone, or provide backdoor access to the iPhone belonging to one of the shooters of the San Bernardino shootings, Edward Snowden said that the government can gain access to San Bernardino shooter Syed Rizwan Farook’s iPhone 5c by using acid, lasers and other very delicate instruments without the assistance of Apple.


In court filings last week in which the Department of Justice requested a judge compel Apple to assist them in opening the phone, the government said, “The phone may contain critical communications and data prior to and around the time of the shooting that, thus far: (1) has not been accessed; (2) may reside solely on the phone; and (3) cannot be accessed by any other means known to either the government or Apple.”

Former NSA contractor and privacy activist Edward Snowden who appeared in a virtual talk at Johns Hopkins University said the third statement is not totally true.

“The problem is, the FBI has other means… They told the courts they didn’t, but they do. The FBI does not want to do this,” Snowden said during his talk.

Called “de-capping,” this extremely risky hacking method involves removing and de-capsulating the phone’s memory chip to expose it to direct, microscopic scrutiny and exploitation.

According to some security experts, performing the decapping hack should be technically possible. Decapping is a mechanism where the main processor chip of the phone is physically attacked to probe its contents. The process first uses acid to remove the chip’s encapsulation. After that, a laser drills down into the chip in an attempt to expose the portion of the memory that contains the iPhone’s unique ID (UDID) data. From there they would place tiny probes on the spot and read out the UDID bit by bit, as well as the algorithm used to untangle it.

Once the FBI has extracted the targeted data, they could put it on a supercomputer and gear up to recover the missing passcode by simply trying all possible combinations until one unlocks the iPhone data. Since the process is done outside iOS, there is no 10-try limit or self-destruct mechanism that can wipe the data.

The only drawback is that if at any point there’s even a slight mistake in the decapping or attack process, the chip could be destroyed and all access to the phone’s memory lost forever. This may be a major reason the FBI may not be willing to take the risk to recover the data this way and rather rely on a backdoor entry via Apple.

On the other hand, Apple doesn’t seem to be willing to break into that iPhone, and Apple CEO Tim Cook says that, even though “we mourn the loss of life and want justice for all those whose lives were affected,” the fact that the FBI wants to create a backdoor that can be installed on every phone is still a security threat.

“The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control,” Cook pointed out.

By the end of the week, the company is set to file its legal response to the FBI’s court order, though Tim Cook has said he wants the government to drop the order and let a federal commission make the decision.


Hezbollah-Affiliated Hackers Breach Israeli Security Camera System


Hackers tap into feeds from Israel’s Defense Ministry. Qadmon (or Kadimon), one of Hezbollah’s hacking units has revealed it managed to breach many of Israel’s CCTV systems, having had access to camera feeds from various government buildings, Israeli news sites Ynet and Times of Israel report, quoting a news broadcast of Hezbollah-linked al-Manar TV station.

Qadmon, whose name translates from Arabic as “We’re Coming” claims to have accessed live video feeds from cameras inside government buildings in Tel Aviv and Haifa.

The group says its prize target was the Defense Ministry’s Kirya compound in Tel Aviv, from where the hackers also provided screenshots to al-Manar reporters, along with an interview.

Data on the provided screenshots revealed the breach took place on February 14. The news report was also accompanied by a quote from the group’s members who said “We will reach you even if you are in your offices. The next step will be greater.”

Qadmon members also bragged about breaking into over 5,000 Israeli websites during the past year, some of which contained information about Israeli security forces.

Qadmon formed in 2013, has evolved over time

The group, which appeared on the hacking scene in 2013, has grown tremendously in capabilities since its early days. In its beginnings, Qadmon hackers were spotted defacing unimportant Israeli sites and taking over the Facebook accounts of random Israeli citizens.

Most of the attacks were timed to coincide with the death of Lebanese militants, killed by Israeli forces, and had little effect, except to annoy its targets.

Israeli officials have not acknowledged the incident, but Israel rarely does. Hezbollah is a paramilitary group that originates from Lebanon. Some consider it a terrorist group, others consider it a political party. Views depend on each person’s stance on the Israeli-Arab World conflict.

It is no surprise to see Hezbollah developing a cyber-division, especially after ISIS (Daesh) hackers created quite some trouble for US forces in cyber-space.

US School Agrees to Pay $8,500 to Get Rid of Ransomware


Ransomware shuts down school website for a week. Administrators of the Horry County school district (South Carolina, US) have agreed to make an $8,500 / €7,600 payment to get rid of a ransomware infection that has affected the school district’s servers.

The ransomware took root during the past week, on Monday, February 8, and affected 25 servers that stored information for Horry County elementary schools, WBTW reports.

Immediately after school employees noticed problems accessing their data, the district’s IT personnel took down all servers to prevent the ransomware from spreading to more computers. Shutting down the servers affected the school’s online services.

Ransomware asked for 20 Bitcoin

School officials discovered that the ransomware asked for 0.8 Bitcoin per computer, for a total of 20 Bitcoin. The school’s IT staff said the ransomware penetrated their network through an older server running outdated software.

Local South Carolina law enforcement and the FBI were brought in to investigate, but as in many similar cases, they could do little to help.

After spending countless hours trying to find a way around the ransomware’s encryption, and failing, the school’s administration approved, on Monday, February 15, a payment that would cover the ransom demand.

Local newspapers reported that the school initially had trouble making the payment because the sum needed to be converted into Bitcoin, something for which legal paperwork was needed.

Everything is now up and running

At the time of this article, the school’s website is up and running, meaning that the payment went through and the school received the decryption keys that allowed them to recover their files and return their network online.

Coincidentally, when the ransomware incident happened, the school’s administration was looking into hiring an outside security provider.

About the same time this was happening on the East Coast, a similar, more high-profile incident was in full swing on the West Coast. On the same day, February 15, the Hollywood Presbyterian Medical Center in Los Angeles approved a $17,000 payment to free its IT network of a ransomware infection that almost shut its operations in the previous week.

Faulty Update From Microsoft, “KB3126446” Puts Windows 7 /8.1 In A Reboot Loop


Microsoft’s KB3126446 update for Windows 7 /8.1 makes PCs and Laptops go in a reboot loop.

Botching up updates has become a habit for Microsoft and its engineers. The new update, KB3126446, released yesterday as part of the February 2016 Patch Tuesday, seems to be pushing Windows 7 computers into a lengthy reboot loop.

The KB3126446 update was issued by Microsoft to fix security vulnerabilities in Microsoft Windows as part of bulletin MS16-017 and is available for Windows 7/8.1 and Windows Server 2012 R2. However, when users of Windows 7 Service Pack 1 apply the patch, their PC or laptop goes into a reboot loop.


“This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an authenticated attacker uses Remote Desktop Protocol (RDP) to log on to the target system and sends specially crafted data over the connection. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk,” Microsoft says.

Basically, what could happen after installing the update is that your PC reboots several times, though the number of restarts is not yet specified. Once this reboot loop comes to an end, you should be able to start using the computer normally again, with no other issues likely to be caused by this update.

Microsoft has acknowledged the problem and explained that “you may have to restart the computer multiple times after you install this security update on a Windows 7-based computer that is running RDP 8.0.”


LA hospital coughs up $17,000 to free PCs held to ransom by hackers


How to make an infection go away in US healthcare system – throw money at it.

A hospital in Los Angeles, California, has paid a US$17,000 (£11,900, AU$23,800) ransom to hackers who injected its computers with malware that scrambled its files.

It appears PCs at the Hollywood Presbyterian Medical Center were infected and paralyzed by ransomware, which silently encrypts documents and refuses to hand over the decryption key until a sum is paid.

Allen Stefanek, the hospital’s CEO, said in a statement on Wednesday that the 40 Bitcoin ransom was coughed up as it was “the quickest and most efficient way to restore our systems and administrative functions.”

The malware started poisoning the Tinseltown center’s computers on February 5, we’re told, forcing some patients to be treated elsewhere and pushing medics back to the era of fax machines and pen and paper. On Monday, systems were back to full health, and it was stressed that people’s private records were not harmed by the software nasty.

The $17,000, though a decent wedge, is somewhat lower than the earlier reported $3.6m ransom of 9,000 BTC. The infection has been described as “random” rather than targeted, suggesting a staffer opened a dodgy email or visited a malicious website that caused the network to be laid low.


Experiment tracks what happens to stolen credentials


We all know that hackers are looking to steal credentials and get their hands on sensitive data, but exactly how does this process work?

Researchers at data protection company Bitglass carried out their second ‘Where’s Your Data’ experiment, creating a digital identity for an employee of a fictitious retail bank, a functional web portal for the bank, and a Google Drive account, complete with real credit-card data.

The team then leaked ‘phished’ Google Apps credentials to the Dark Web and tracked activity across the fictitious employee’s online accounts. Within the first 24 hours, there were five attempted bank logins and three attempted Google Drive logins. Files were downloaded within 48 hours of the initial leak. Bitglass’ Cloud Access Security Broker (CASB) monitoring showed that over the course of a month, the account was viewed hundreds of times and many hackers successfully accessed the victim’s other online accounts.


Over 1,400 visits were recorded to the Dark Web credentials and the fictitious bank’s web portal and one in ten hackers attempted to log in to Google with the leaked credentials. 94 percent of hackers who accessed the Google Drive uncovered the victim’s other online accounts and attempted to log into the bank’s web portal.

In addition, 12 percent of hackers who successfully accessed the Google Drive attempted to download files with sensitive content. Hackers came from more than 30 countries, and 68 percent of all logins came from Tor-anonymized IP addresses. Of the non-Tor visits to the website, 34.85 percent came from Russia, 15.67 percent from the US and 3.5 percent from China.

“Our second data-tracking experiment reveals the dangers of reusing passwords and shows just how quickly phished credentials can spread, exposing sensitive corporate and personal data,” says Nat Kausik, CEO of Bitglass. “Organizations need a comprehensive solution that provides a more secure means of authenticating users and enables IT to quickly identify breaches and control access to sensitive data”.

More detail of the experiment and its findings is available in the full report which can be downloaded from the Bitglass website.


South Korea raises cyber attack warning amid heightened regional tensions

Posted on Updated on

Following the North Korean long-range missile launch and the subsequent closing of the Kaesong Industrial Complex, South Korean government offices have again raised the InfoCon cyberthreat warning level.

South Korea increased its cyberthreat level for a second time in less than a month on Sunday in response to what it said was a growing danger posed by North Korean cyber attacks.

Three government offices that track cyber threats — the Ministry of Defense; the National Information Service; and the Ministry of Science, ICT and Future Planning — raised the cyberthreat level as tensions on the Korean peninsula ratchet up.

“We believe there’s a larger possibility that North Korea may launch cyber attacks on the South, and recently upgraded our Information Operation Condition (InfoCon),” a defense ministry official was quoted as saying in the local media.

The Defense Ministry raised the InfoCon warning one notch to level three. The five-tier threat level system is used by the military to assess threats to the government’s IT network.

South Korea’s Ministry of Science, ICT and Future Planning (MSIP) also increased its cyberthreat assessment one notch from “moderate” or level one, to “substantial”, the equivalent of level two, following a week of escalating tensions in East Asia after North Korea launched a space rocket on February 7 and put a small weather satellite into orbit.

The Korea Internet & Security Agency (KISA), an arm of the science ministry, said cyberthreats to the nation increased from moderate to substantial for private sector websites, ecommerce sites, and email addresses “because of [the] North Korean long-range missile launch and closing of Kaesong Industrial Complex”.

“In substantial cyberthreat level [to the] private sector, KISA and MSIP recommend that every corporation raise cybersecurity monitoring, people update their PC software, and don’t open unknown emails,” a KISA official said.

South Korea’s National Intelligence Service, its spy agency, could not be reached for comment on its cyberthreat assessment.

On February 11, North and South Korea cut off an emergency “hot line” between the two countries’ militaries as hundreds of staff were repatriated to the South, days after Seoul announced it would withdraw its participation in the Kaesong Industrial Complex, the last remaining inter-Korean economic cooperation project.

Late last month, the science ministry increased the cyberthreat level from normal to “moderate” about one week after computers in South Korea received a barrage of malicious emails, around the same time North Korea tested a nuclear device.

The Defense and Science ministries both said that no new series of cyber attacks have been detected this time around. “We believe North Korea is more likely to launch cyber attacks than before and we’re keeping close tabs on potential signs,” said one Defense ministry official, according to local media reports.

South Korea is the target of many cyber attacks; in particular, its government offices, financial and IT sectors, and the accounts of its personnel are frequently hit by advanced persistent threats (APT), phishing, and smishing attacks.

The last time the cyberthreat level was this high was in 2013, following a wave of attacks that downed scores of government, banking, and media sites including the website of the presidential office. That attack took place on the 63rd anniversary of the start of the Korean War, on June 25.

Malware used in the 2013 attack has been dubbed by cyber professionals as DarkSeoul. The attack was tracked by officials who linked it to a single IP address in China. South Korea blames the North for that attack.

North Korea was also blamed by South Korea and the US for the Sony Pictures hack in November 2014, which forced the company to pull its film, The Interview, from theatrical release. But conclusive evidence that the country was indeed behind the attack remains to this day scant at best. That incident employed a phishing attack.


The security review: Remtasu and Facebook cheat sheet

Posted on

From an outbreak of malicious spyware to the UK’s bill on investigatory powers, here’s our comprehensive breakdown of cybersecurity news from the past week.

Remtasu is disguised in Facebook hacking tool

ESET’s Camilo Gutierrez Amaya reported how Remtasu, a well-known piece of spyware which first surfaced almost four years ago, is now appearing in disguise as an app to hack into Facebook accounts. Whereas previous incarnations of Remtasu were spread in email attachments, this strain is coming from direct download sites and is installed when users download and execute the file themselves after seeing adverts for its capabilities. Mr. Amaya noted that “although having security software can help in detecting malicious content, taking care of what you click on will bring further protection against such threats”.

How to isolate VBS or JScript malware with Visual Studio


ESET’s Diego Perez detailed how you can use Microsoft Visual Studio to isolate and debug script-based malware. “This is one of the methods we use at the ESET Laboratory to analyze a file written in JavaScript,” explains Mr. Perez. “Using these processes and tools, we can study each step in a possible malware infection, understand its goals and grab the original code from samples which are strongly obfuscated.”

Facebook security cheat sheet

Social sharing on networking sites has become commonplace, but many users still aren’t fully utilizing Facebook’s security features, and, furthermore, do not understand the implications of sharing personal information publicly online. ESET released its Facebook cheat sheet to coincide with Safer Internet Day detailing how to customize privacy settings and avoid compromising personal information.

Southwest Airlines flight giveaway scams spread on Facebook


Once again Facebook users have been duped into liking and sharing a Facebook page, in the belief that they might be rewarded with a first class plane ticket. A page purporting to be Southwest Airlines received 23,000 shares and 14,500 likes on one such post. “The end result of all these shenanigans, of course, is to trick Facebook users into poor decisions – whether it be taking online surveys which earn affiliate cash for the scammers, signing up for expensive premium rate mobile services, or spamming the unwary with unwanted (and sometimes malicious) messages,” noted security analyst Graham Cluley.

ISC calls for latest draft investigatory powers bill to go further to protect privacy

The Intelligence and Security Committee (ISC) in the UK deemed the latest Draft Investigatory Powers Bill a “missed opportunity”, according to its latest report. The bill aims to give issues such as mass data collection and hacking by British spies a more comprehensive legal framework, but the ISC stated that it “fails to deliver the clarity so badly needed in this area”.

Cybersecurity e-learning course launches in the UK for HR staff


It was reported that a free online course to help HR professionals effectively deal with cybersecurity issues has been launched in the UK. This comes a year after government statistics found that online security breaches can cost businesses up to $2.1 million. The minister for Culture and the Digital Economy, Ed Vaizey, stated that “HR professionals handle sensitive personal data so it’s crucial they are able to protect this properly”.


Warning: Bug in Adobe Creative Cloud deletes Mac user data without warning

Posted on

Adobe has stopped distribution of an update believed to be triggering the deletions.

Adobe Systems has stopped distributing a recently issued update to its Creative Cloud graphics service amid reports a Mac version can delete important user data without warning or permission.

The deletions happen whenever Mac users log in to the Adobe service after the update has been installed, according to officials from Backblaze, a data backup service whose users are being disproportionately inconvenienced by the bug. Upon sign-in, a script activated by Creative Cloud deletes the contents of the alphabetically first folder in a Mac’s root directory. Backblaze users are hit especially hard by the bug because the backup service relies on data stored in a hidden root folder called .bzvol. Because that folder is the alphabetically top-most hidden folder at the root of so many users’ drives, they are affected more than users of many other software packages.

“This caused a lot of our customers to freak out,” Backblaze Marketing Manager Yev Pusin wrote in an e-mail. “The reason we saw a huge uptick from our customers is because Backblaze’s .bzvol is higher up the alphabet. We tested it again by creating a hidden file with an ‘.a’ name, and the files inside were removed as well.”

Backblaze officials have published three videos that show the deletion bug in action.

On Friday morning, Adobe Creative Cloud users flooded Twitter with complaints about the unauthorized data deletions. Many users who don’t use Backblaze (the reporter of this Ars story included) will find the first folder in their Mac root drive is .DocumentRevisions-V100, a folder that stores data required for Mac autosave and Version history functions to work properly. Deleting its contents could have negative consequences. The Adobe bug could also have dire consequences for users who have important folders with spaces in them, since those also assume a top alphabetically sorted spot on the Mac hard drive (which by default is labeled Macintosh HD).

An Adobe spokeswoman issued a statement that read: “We are aware that some customers have experienced this issue and we are investigating in order to resolve the matter as quickly as possible. We are stopping the distribution of the update until the issue has been resolved.” The version that appears to be causing the deletions is, Pusin said.

Creative Cloud users who have not yet installed the update should hold off doing so until Adobe releases detailed guidance. People who have already installed the update shouldn’t log in for the time being. One work-around for people who have installed the update and want to log in right away is to create a folder that assumes the alphabetically top-most spot in the root folder. A hidden folder with the name “.aaaaa” comes to mind, but the Backblaze guidance, perhaps offering some comic relief for its aggrieved users, suggested creating a folder called “.adobedontdeletemybzvol.”


HummingBad Android Malware Is a Dangerous Rootkit with a Bright Future

Posted on

Android malware comes with rootkit component to show ads. A new Android malware family is targeting users to show unwanted ads and forcibly install dangerous applications, Check Point’s security team has discovered.

Called HummingBad, this threat was first seen packed inside adult-themed applications downloaded from third-party app stores.

The app is part of a trend in the Android malware ecosystem, one that includes malicious applications that were built specifically to show ads and install other apps, for the monetary gain of their creators, who are part of various shady affiliate and referral programs.

HummingBad works just like Brain Test and Ghost Push

Previous Android malware families that employed this tactic include Brain Test and Ghost Push. As with those two, HummingBad is also capable of rooting the device, coming with a special rootkit component that makes sure the malware starts with root privileges every time the device boots.

The rest of HummingBad’s internal structure is split into two parts, each tasked with its own attack routine: showing ads and installing unwanted apps.

HummingBad can be used for much more dangerous attacks

Check Point researchers point out that, by making a few modifications to their code, the authors behind this campaign could find it very easy to perform much more malicious actions, outside just showing ads.

“Moreover, as the malware installs a rootkit on the device, it enables the attacker to cause severe damage if he decides to change his objectives, including installing key-logger, capturing credentials and even bypassing encrypted email containers used by enterprises,” researchers explain.

For now, HummingBad is quite harmless if you think of what it could really be capable of pulling off on its victims.

Security analysts say the malware has been spotted only on a few targets, but that its C&C (command and control) servers are still active, meaning it could still be a large-scale threat, just like Ghost Push and Brain Test, which affected millions of devices, sometimes via the official Google Play Store.

HummingBad attack flow


Poseidon Group, a single actor behind a long series of attacks

Posted on

Experts at Kaspersky Lab have linked a series of cyber attacks starting in 2001 to a single threat actor called the Poseidon Group.

Experts at Kaspersky Lab have identified a single threat actor behind a long-running, financially motivated campaign of cyberattacks.

The group of hackers identified by Kaspersky, dubbed the Poseidon Group, attempts to extort money from corporate victims.

The researchers believe the group has been active since 2001; the hackers developed malicious code to infect systems with English and Portuguese language settings.

“During the latter part of 2015, Kaspersky researchers from GReAT (Global Research and Analysis Team) got hold of the missing pieces of an intricate puzzle that points to the dawn of the first Portuguese-speaking targeted attack group, named “Poseidon.” The group’s campaigns appear to have been active since at least 2005, while the very first sample found points to 2001,” Kaspersky wrote in a post.

The attackers spread the malware through spear-phishing emails, the messages include malicious office documents as an attachment. Once the malware compromises a system in the target network, it tries to map its topology searching for sensitive data to exfiltrate.

In order to map the network and make lateral movements, the malware searches for all administrator accounts on both the local machine and the network.

The Poseidon Group not only steals data from victims, it also tries to use the information gathered to blackmail victims into contracting the hacking crew.

“The information exfiltrated is then leveraged by a company front to blackmail victim companies into contracting the Poseidon Group as a security firm,” continues Kaspersky. “Even when contracted, the Poseidon Group may continue its infection or initiate another infection at a later time, persisting on the network to continue data collection beyond its contractual obligation.”

Experts at Kaspersky revealed that at least 35 companies have been targeted by the Poseidon Group, including organizations in banking, government, telecommunications, manufacturing and energy, and media industries.


This is the first time that a security firm has linked the Poseidon Group’s attacks to a single threat actor.

“We noticed that several security companies and enthusiasts had unwittingly reported on fragments of Poseidon’s campaigns over the years. However, nobody noticed that these fragments actually belonged to the same threat actor,” states the report from Kaspersky.

“By carefully collecting all the evidence and then reconstructing the attacker’s timeline, we found that it was actually a single group operating since at least 2005, and possibly earlier, and still active on the market.”

Kaspersky informed victims of the attacks and disclosed the indicators of compromise to allow firms to identify the threat.


Windows 10 spies on you despite disabling tracking options or installing anti-spying app

Posted on

Analyst reveals that Windows 10 is amassing huge amounts of user data despite the user disabling the three tracking options.

We all know that Windows 10 spies on users. We had reported spying issues associated with Windows 10 even when Microsoft released the Windows 10 Technical Preview in August 2014. Almost a year later the final build of Windows 10 was released, and in November 2015 Microsoft confirmed that Windows 10 spied on users, adding at the time that even it can’t stop Windows 10’s telemetry program from doing so.

However, until this week the extent of Windows 10’s nefarious spying activities was not known. So a Voat user, CheesusCrust, decided to measure the amount of data that Windows 10 reports back to the Redmond-based servers. CheesusCrust published his research on Voat under the title “Windows 10 telemetry network traffic analysis, part 1”.


According to his research, Windows 10 sends data back to Microsoft servers thousands of times per day. The surprising thing is that it was still spying on him even after he chose a custom Windows 10 installation and disabled all three pages of tracking options, which are all enabled by default.

Here is the list of things CheesusCrust used for this analysis:

  1. I have installed DD-WRT on a router connected to the internet and configured remote logging to the Linux Mint laptop in #2.
  2. I have installed Linux Mint on a laptop, and setup rsyslog to accept remote logging from the DD-WRT router.
  3. I have installed Virtualbox on the Linux Mint laptop, and installed Windows 10 Enterprise on Virtualbox. I have chosen the customized installation option where I disabled three pages of tracking options.
  4. I have configured the DD-WRT router to drop and log all connection attempts via iptables through the DD-WRT router by Windows 10 Enterprise.
  5. Aside from installing Windows 10 Enterprise, and verifying the internet connection through ipconfig and ping, I have not used the Windows 10 installation at all (the basis for the first part of this analysis)
  6. Let Windows 10 Enterprise run overnight for about 8 hours (while I slept).
  7. I use perl to parse the data out of syslog files and insert said data into a Mysql database.
  8. I use perl to obtain route data from, as well as nslookup PTR data, and insert that into the Mysql database.
  9. Lastly, I query and format the data for analyzing.
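The aggregation CheesusCrust describes in steps 7 to 9, written here as an added Python example rather than his Perl scripts: it parses iptables LOG lines as DD-WRT forwards them to rsyslog, drops LAN-only traffic, and counts attempts per destination and per destination port. The log lines, hostnames and addresses are constructed placeholders, not data from his thread.

```python
import ipaddress
import socket
from collections import Counter

# Constructed sample of what DD-WRT's iptables LOG target writes to a remote
# rsyslog when every outbound attempt from the VM is dropped and logged. The
# hostname, timestamps, the VM address 192.168.1.105 and the destination
# addresses (TEST-NET ranges 203.0.113.0/24 and 198.51.100.0/24) are
# placeholders, not values from the Voat thread.
SAMPLE_SYSLOG = """\
Feb 10 02:13:44 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.105 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=49213 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 10 02:13:47 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.105 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=2 DF PROTO=TCP SPT=49214 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 10 02:14:01 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.105 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=3 DF PROTO=TCP SPT=49215 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 10 02:14:30 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.105 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4 DF PROTO=TCP SPT=49216 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 10 02:15:12 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.105 DST=198.51.100.22 LEN=71 TOS=0x00 PREC=0x00 TTL=127 ID=5 PROTO=UDP SPT=51000 DPT=53 LEN=51
Feb 10 02:15:13 DD-WRT kernel: DROP IN=br0 OUT=br0 SRC=192.168.1.105 DST=192.168.1.1 LEN=71 TOS=0x00 PREC=0x00 TTL=127 ID=6 PROTO=UDP SPT=51001 DPT=53 LEN=51
Feb 10 02:15:13 DD-WRT dnsmasq[123]: started, version 2.73 cachesize 150
"""

# Ranges that never leave the LAN. They are listed explicitly because Python's
# ipaddress.is_private would also match the TEST-NET ranges used as stand-ins above.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]


def parse_iptables_line(line):
    """Return {'src','dst','proto','dpt'} for a kernel LOG line, else None.

    Everything after 'kernel:' is KEY=VALUE tokens; bare flags such as DF or
    SYN carry no '=' and are skipped.
    """
    if " kernel: " not in line:
        return None
    tokens = line.split(" kernel: ", 1)[1].split()
    fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
    if "SRC" not in fields or "DST" not in fields:
        return None
    return {
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields.get("PROTO", "?"),
        "dpt": int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None,
    }


def is_lan(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETWORKS)


def summarize(lines, include_lan=False):
    """Aggregate dropped attempts per destination and per (destination, proto, port)."""
    by_dst, by_dst_port = Counter(), Counter()
    for line in lines:
        rec = parse_iptables_line(line)
        if rec is None or (is_lan(rec["dst"]) and not include_lan):
            continue
        by_dst[rec["dst"]] += 1
        by_dst_port[(rec["dst"], rec["proto"], rec["dpt"])] += 1
    return {
        "total": sum(by_dst.values()),
        "unique_destinations": len(by_dst),
        "by_destination": by_dst,
        "by_destination_port": by_dst_port,
    }


def reverse_lookup(addr):
    """PTR lookup as in step 8 of the write-up; returns None when offline."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def report(summary, resolve=False):
    print(f"{summary['total']} dropped attempts to "
          f"{summary['unique_destinations']} distinct destinations")
    for dst, n in summary["by_destination"].most_common():
        ptr = f" ({reverse_lookup(dst)})" if resolve else ""
        print(f"  {dst:<16}{ptr} {n:>5}")
    for (dst, proto, dpt), n in summary["by_destination_port"].most_common():
        print(f"  {dst:<16} {proto}/{dpt} {n:>5}")


if __name__ == "__main__":
    report(summarize(SAMPLE_SYSLOG.splitlines()))
```

Pass `resolve=True` to `report` on a connected machine to add the PTR names he inserted alongside the counts.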

Here is what he found. In an eight-hour period Windows 10 tried to send data back to 51 different Microsoft IP addresses over 5500 times. After 30 hours of use, Windows 10 had sent his user data to a whopping 113 IP addresses, which he has listed in the thread.

CheesusCrust has more surprises for us. He then repeated his test on another Windows 10 clean installation with all data tracking options disabled. Only this time he installed a third party tool called DisableWinTracking (available on GitHub), which is supposed to stop Windows 10 spying attempts including the hidden ones.

On this PC with DisableWinTracking installed, CheesusCrust found that at the end of the 30-hour period Windows 10 had still managed to report his data back to Redmond-based servers a whopping 2758 times, to 30 different IP addresses.

This means that even after disabling the telemetry options offered by Microsoft and installing anti-spying software available on the market, Windows 10 goes on its merry way of tracking user data. It would also seem that the ‘disable telemetry’ options Microsoft provided after the huge outcry against Windows 10 spying actually do nothing and are only a showpiece installed to pacify users.

CheesusCrust has plenty more surprises in store for Windows 10 users when he publishes part 2 of his analysis.


Metel Infiltrates Banks with Malware and Robs ATMs via Transaction Rollbacks

Posted on

The group has not been caught yet, still active in Russia.

A group of crafty cyber-criminals is using malware to infect the IT networks of top-grade banks and is stealing funds using ATM rollback operations.

At the Security Analyst Summit (SAS 2016) held in Tenerife, Spain, security researchers from Kaspersky have uncloaked a new cyber-crime ring that’s using a pretty clever and never-before-seen tactic to rob banks.

The group, nicknamed Metel based on the malware family they use (also known as Corkow), relies on well-targeted spear-phishing campaigns to infect the computer network of a desired bank.

Hackers take control of a bank’s IT network responsible for financial transactions

Once on the bank’s IT system, the malware, which was specifically built for this purpose, will spread to nearby workstations until it manages to infect computers tasked with managing the bank’s financial transactions.

Here, using its keylogging and backdoor capabilities, it allows the Metel group to access core financial operations.

Once this level of access is achieved, Metel can move to the second stage of the attack. The group now sends its members to the ATMs of other banks and asks them to remove money from a valid bank account belonging to the infected bank.

Because inter-bank operations take a while to validate, the Metel group uses their access to the infected bank’s financial IT system to cancel these withdrawal operations, but not before the money is pulled out of the ATM.

The group is still active in Russia

This is called a transaction rollback and reverses the bank account’s balance to the previous value, even if money has been withdrawn from an ATM and is now in the group’s possession.

Using this clever technique, Metel can send multiple carriers to different ATMs in one night, all with the same bank account, and steal huge amounts of money before their intrusion is detected. All the hackers need to do is cancel any withdrawal operation associated with their cash-cow bank account.

Kaspersky reports that, in the summer of 2015, the Metel group managed to steal millions of rubles in one single night. Only victims in Russia seem to be targeted, and the security vendor reports that the group is still active. Until now, Kaspersky says it has cleaned Metel’s malware from the computers of over 30 financial institutions in Russia.

Metel group robs ATMs via transaction rollbacks


Posted on Updated on

Recently, Jacob discovered two interesting phishing websites, http://maybankk2u[dot]com and http://maybank2u-my[dot]com. These two websites had identical code and came with malware in them.

The malware that we discovered is a file infector virus. It scans the system for .html files, .exe files and autorun.inf and inserts malicious code into them.

[ Sample used in the analysis ]
MD5: 44A604F9D96368A83DF55E19644321D3
SHA1: CDBF41310DAE6EFF1127BB92A217369FD2F90B37896568D4F34528AC20468B5C
Malware Sample: index page
Password is “infected29A”

[Backdoor Analysis]
A brief high-level overview of the malware infection process flow.

Figure 1 – Infection process

[ Initial Exploitation ]
The backdoor was dropped onto victims’ machines via a malicious VBScript in the phishing home page.


Figure 2 – Maybank Phishing homepage

[ VBScript analysis ]
Scrolling down the HTML source of the webpage, you will come across a large chunk of alphanumeric text. If you look closer at the start of this chunk, you will see the hexadecimal 0x5A4D, which is “MZ” in ASCII. A file that starts with an MZ header is most likely a PE file. You may refer to the following website for more information about PE files.

To extract the payload you may either run the VBScript (which I don’t really recommend) or simply copy the entire hexadecimal wall of text into a hex editor and save it as a .exe file.
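An added example (not part of the original write-up) of doing that carve programmatically instead of by hand in a hex editor: it finds hex runs in the page, keeps only those that decode to an MZ/PE image, and reads the COFF header fields an analyst triages first. The page and the tiny PE-shaped byte string inside it are constructed stand-ins, with the compile timestamp set to the value reported below for the real sample.

```python
import re
import struct
from datetime import datetime, timezone


# Constructed stand-in for the infected page: a 64-byte DOS header whose e_lfanew
# points at a minimal COFF header, hex-encoded the way the phishing page embeds
# its payload. A real page carries the whole executable (hundreds of KB of hex).
def _build_fake_pe():
    dos = bytearray(64)
    dos[0:2] = b"MZ"                          # 0x5A4D when read as a little-endian word
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE signature lives at offset 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH",
                                   0x14C,      # Machine: IMAGE_FILE_MACHINE_I386
                                   2,          # NumberOfSections
                                   1202814140, # TimeDateStamp: 2008-02-12 11:02:20 UTC
                                   0, 0,       # PointerToSymbolTable, NumberOfSymbols
                                   0xE0,       # SizeOfOptionalHeader (PE32)
                                   0x102)      # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    return bytes(dos) + coff + b"\0" * 16


FAKE_PE = _build_fake_pe()
SAMPLE_HTML = (
    "<html><body><form><input name='user'><input name='pass'></form>\n"
    "<!-- integrity: " + "DEADBEEF" * 8 + " -->\n"   # a 64-digit hex run that is not a PE
    '<script language="VBScript">\nDim blob\nblob = "' + FAKE_PE.hex().upper() + '"\n'
    "' the real page decodes blob and writes %TEMP%\\svchost.exe (omitted here)\n"
    "</script></body></html>"
)

HEX_RUN = re.compile(r"[0-9A-Fa-f]{64,}")


def looks_like_pe(blob):
    """True when the bytes carry an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def carve_pe_from_html(html):
    """Return every hex run in the page that decodes to a PE image.

    Assumes the payload is one contiguous hex string, as the write-up describes;
    a page that splits or comma-separates the bytes needs its own normaliser.
    """
    found = []
    for m in HEX_RUN.finditer(html):
        text = m.group(0)
        if len(text) % 2:          # odd-length runs cannot be whole bytes
            continue
        blob = bytes.fromhex(text)
        if looks_like_pe(blob):
            found.append(blob)
    return found


def pe_info(blob):
    """Read the COFF header: machine, section count, compile time, characteristics."""
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", blob, e_lfanew + 4)
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "sections": nsect,
        "compiled": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "optional_header_size": opt_size,
        "characteristics": chars,
    }


if __name__ == "__main__":
    for blob in carve_pe_from_html(SAMPLE_HTML):
        info = pe_info(blob)
        print(f"carved {len(blob)} bytes: machine=0x{info['machine']:X} "
              f"sections={info['sections']} compiled={info['compiled']} UTC")
        # Next step in practice: write blob to disk, hash it, and submit the hash
        # for lookup; left out to keep this sample inert.
```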


Figure 3 – MZ header spotted


Figure 4 – Dropping malware into temporary folder

When the VBScript is executed, it drops an executable into the target’s temp folder. The file name is hard-coded; the malware author is probably trying to hide the malware in plain sight by using a common Windows executable name, svchost.exe.

The details of the malware extracted from the HTML are as follows:
SHA256: FD6C69C345F1E32924F0A5BB7393E191B393A78D58E2C6413B03CED7482F2320
VirusTotal Report: 50/54 (link); 2016-02-03 11:56:14 UTC
Compiled Date/Time: 2008-02-12 11:02:20
Packed: UPX

Let’s unpack the malware using the UPX tool itself.


Figure 5 – Unpacking using upx -d

The details of the unpacked malware are as follows:
VirusTotal Report: 44/54 (link); 2016-02-02 23:21:33 UTC
Compiled Date/Time: 2008:02:12 12:02:20+01:00

The malware camouflages itself as a Bitdefender management console. Another interesting thing to note is that both the product version and the file version seem to be an IP address (


Figure 6 – Possibly IP address

[ Dynamic Analysis ]
Let’s begin our journey of analyzing this piece of malware. The malware author used anti-reversing techniques to deter malware analysts from reversing it, so looking at the binary in IDA Pro isn’t of much use. Running it under Procmon, however, surfaces some interesting things.


Figure 7 – New file dropped

As we can see from Figure 7, the malware writes a new executable to “C:\Program Files\Microsoft\DesktopLayer.exe”. After comparing the hashes of the newly dropped executable, I can conclude that the malware simply copied itself to the new location.


Figure 8 – Executing DesktopLayer.exe

After the file has been copied to the new location, a ProcessCreate call is made to execute the newly dropped executable. The current executable then terminates.


Figure 9 – Executing Default Browser

Analyzing DesktopLayer.exe in OllyDbg shows that the malware is attempting to run the operating system’s default browser; in this case, it is attempting to execute IEXPLORE.EXE. On further examination, we notice that the malware is actually writing into the memory of the suspended IEXPLORE.EXE process. This technique is known as process hollowing. Once the malware has finished writing its code into the IEXPLORE.EXE process, it resumes the suspended thread.


Figure 10 – Mutex

Based on Figure 10, taken from the Process Explorer tool, we can observe that the malware uses a unique string (KyUffThOkYwRRtgPP) as its mutex.

It is also noted that the malware adds the following key into the registry: “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit”. By doing so, it is able to maintain its persistence on the victim’s machine.


Figure 11 – Persistent Registry Key

To get at the actual malware code running inside IEXPLORE.EXE, we need to attach OllyDbg to the running process and dump it out with the OllyDumpEx plugin.

The dumped process contains some interesting strings.


Figure 12 – Script Tags and Autorun?

There are some more interesting strings in the dump that suggest there is an antidote for this virus. The dump also contains the mutex key and a domain name.


Figure 13 – Antidote is available

I am interested in using the antidote. Analyzing the injected process memory dump, we come to this assembly code. To activate the “Antidot”, we just need to add a registry key: “HKLM\Software\WASAntidot\disable”.


Figure 14 – Disable Malware

As shown in Figure 15, we can prevent mass infection by the virus by adding the registry key described earlier. We even get a nice message box telling us that Antidot is activated.


Figure 15 – Antidot Activated

The malware loops through the folders on the victim’s machine and edits every HTML file it comes across, inserting the same malicious code we found on the phishing website. It also attempts to infect suitable .exe files with malicious code. Once an infected executable is run, a copy of the same malware is dropped and executed on the machine.

The malware also infects removable drives by editing the autorun.inf and planting itself in the RECYCLER sub folder. Better unplug your removable drives from the VM before you try analysing this!

The malware attempts to resolve a domain, It also attempts to resolve


Figure 16 – DNS queries in Wireshark


Figure 17 – Spawning Shell

Once the malware reaches the fget-career URL, it can execute a shell on the target machine if commands are given.


Figure 18 – Open port 4678

The malware also attempts to listen on port 4678.


Figure 19 – Port 4678 Opened

One of the common ways to find infected or breached systems, used by most AV companies, is to match indicators of compromise (IOCs): we should be looking for known (or suspicious) command and control (C&C) traffic on the network and for known-bad or suspicious indicators on the hosts.

Based on our dynamic analysis, below are the known IOCs for which we can scan our PCs.

[ Host based Indicator ]

  1. Mutex – KyUffThOkYwRRtgPP
  2. File – C:\Program Files\Microsoft\DesktopLayer.exe
  3. File – temp folder\svchost.exe
  4. Registry Key – HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  5. Process – Default Browser with no parent
  6. C:\Program Files\Internet Explorer\complete.dat (Default browser path)
  7. C:\Program Files\Internet Explorer\dmlconf.dat (Default browser path)
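
The host-based indicators above, turned into a small triage script as an added example (not from the original analysis). It checks the Userinit value for appended entries, looks for a browser process with no living parent, parses `netstat -ano` output for a listener on 4678, and probes the mutex with OpenMutexW when run on Windows; the registry value, process list and netstat output below are constructed, not captures from the infected VM.

```python
import ntpath

# Indicators from the write-up above: mutex, dropped files, Userinit key, listener port.
IOC_MUTEX = "KyUffThOkYwRRtgPP"
IOC_PORT = 4678
IOC_FILES = [
    r"C:\Program Files\Microsoft\DesktopLayer.exe",
    r"C:\Program Files\Internet Explorer\complete.dat",
    r"C:\Program Files\Internet Explorer\dmlconf.dat",
]
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}

# Constructed snapshot of an infected host (not real captures).
SAMPLE_USERINIT = r"C:\Windows\system32\userinit.exe,C:\Program Files\Microsoft\DesktopLayer.exe,"
SAMPLE_PROCS = [                     # (pid, ppid, image name)
    (4, 0, "System"),
    (620, 4, "winlogon.exe"),
    (1300, 620, "explorer.exe"),
    (1840, 2211, "IEXPLORE.EXE"),    # parent 2211 (DesktopLayer.exe) has already exited
    (2000, 1300, "chrome.exe"),
]
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:4678           0.0.0.0:0              LISTENING       1840
  TCP    192.168.56.101:49160   203.0.113.5:80         ESTABLISHED     1840
"""


def check_userinit(value):
    """Return entries of the Winlogon\\Userinit value that are not userinit.exe.

    A clean value is the single comma-terminated path to userinit.exe; anything
    appended is launched at every logon, which is how this sample persists.
    """
    extra = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and ntpath.basename(entry).lower() != "userinit.exe":
            extra.append(entry)
    return extra


def find_orphaned_browsers(processes):
    """Indicator 5: a browser whose parent no longer exists. The hollowed
    IEXPLORE.EXE is left parentless once DesktopLayer.exe terminates."""
    live = {pid for pid, _, _ in processes}
    return [(pid, name) for pid, ppid, name in processes
            if name.lower() in BROWSERS and ppid not in live]


def listeners_on_port(netstat_text, port=IOC_PORT):
    """PIDs holding a TCP LISTENING socket on `port`, parsed from `netstat -ano` output."""
    pids = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if (len(parts) >= 5 and parts[0] == "TCP" and parts[3] == "LISTENING"
                and parts[1].rsplit(":", 1)[-1] == str(port)):
            pids.append(int(parts[4]))
    return pids


def mutex_exists(name=IOC_MUTEX):
    """Ask the kernel for the named mutex (Windows only); None where unsupported."""
    try:
        import ctypes
        k32 = ctypes.windll.kernel32      # AttributeError on non-Windows platforms
    except AttributeError:
        return None
    SYNCHRONIZE = 0x00100000
    handle = k32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        k32.CloseHandle(handle)
        return True
    return False


def triage(userinit_value, processes, netstat_text, file_exists):
    """Combine the host indicators into one verdict. `file_exists` is injected so
    the logic can run against a collected snapshot as well as the live machine."""
    findings = {
        "userinit_extra": check_userinit(userinit_value),
        "orphaned_browsers": find_orphaned_browsers(processes),
        "port_listeners": listeners_on_port(netstat_text),
        "files_present": [p for p in IOC_FILES if file_exists(p)],
    }
    findings["suspicious"] = any(findings.values())
    return findings


if __name__ == "__main__":
    verdict = triage(SAMPLE_USERINIT, SAMPLE_PROCS, SAMPLE_NETSTAT,
                     file_exists=lambda p: p == IOC_FILES[0])
    for key, value in verdict.items():
        print(f"{key}: {value}")
    print(f"mutex present: {mutex_exists()}")
```

On a live Windows host, feed `triage` the Userinit value read with winreg, a process list with parent PIDs, the real `netstat -ano` output and `os.path.exists`.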

[ Network based Indicator ]

  1. (DNS)
  2. User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
  3. Listener on port 4678

[ Whois information ]

Sponsoring Registrar IANA ID: 1556
Whois Server:
Referral URL:
Status: ok
Updated Date: 02-feb-2016
Creation Date: 02-feb-2016
Expiration Date: 02-feb-2017

IP Address:

Sponsoring Registrar IANA ID: 1556
Whois Server:
Referral URL:
Status: ok
Updated Date: 02-feb-2016
Creation Date: 02-feb-2016
Expiration Date: 02-feb-2017

IP Address:


Once again, a network whois on the suspicious IP we got from the product version earlier points back to China.

However, based on the analysis of the malware and on passive DNS and past whois records from VirusTotal and, the IP address we got from the product version earlier could well be a fake to throw us off.

Another thing to note is that seems to be offline at the moment and will expire in March 2016. Therefore, if we are interested in knowing or plotting how widespread this malware’s infection is, or in taking over this malware, we can attempt to buy this domain and host our own C&C server.


University of Central Florida Hacked, 63,000+ Social Security Numbers Stolen

Posted on


2015 was devastating for universities in the United States due to an increase in cyber attacks. Hackers were able to steal massive amounts of personal data from the University of Virginia, Penn State University, the University of Chicago, the University of Maryland and the Uniformed Services University.

It seems like 2016 won’t be any different, because hackers have managed to steal around 63,000 Social Security numbers and names of previous and current University of Central Florida (UCF) students as well as employees, which further establishes the fact that schools and academic institutions are increasingly becoming the targets of cyber security threats.


The stolen data includes that of around 600 current and former student-athletes from the 2014-15 session, student staff managers and related positions. That’s not all: others whose data was stolen are current UCF employees and some previous ones who were employed as far back as the 1980s.

The information was disclosed on Thursday and the FBI’s Jacksonville office is investigating the matter with UCF Police along with other agencies. According to FBI officials, the agency has sent out notifications to colleges all over the US “in an effort to identify other potential victims,” reports Orlando Sentinel.

In January this year, UCF got hints of a problem in its systems but did not publicly announce the hack until a month later, after working with experts and the relevant authorities to determine exactly what had happened, officials stated.

The positions that were targeted include the undergraduate student employees, which also include those doing work-study jobs, graduate assistants, adjunct faculty instructors, housing resident assistants, student government leaders and those faculty members who were being paid by the University for teaching additional classes.

The incident highlights an important point: hackers have become adept at stealing data from schools, government and other institutions, says Von Welch, director of Indiana University's Center for Applied Cybersecurity Research.

Welch further added: “It’s an extremely hard situation for folks like UCF to be in. They have the large databases … All it takes is one mistake for hackers to exploit. If you’re anything less than perfect, these hacks can occur.”

The university's IT department head, Joel Hartman, stated that it is not yet clear who is behind the attack, but that it is apparent the hack was carried out gradually by multiple individuals.

He further stated that the stolen information does not include credit card details or grades, but other information such as student and employee ID numbers was taken. The affected individuals will be notified via letters, which will be mailed by Friday.


Hidden Tear Open-Source Ransomware Spawns 24 Other Ransomware Variants

Posted on

Open source ransomware: the worst idea of all time. The ransomware variant called Hidden Tear, open-sourced as part of an educational project, has been used in at least 24 real-life ransomware strains, as security researchers from Kaspersky discovered in recent days.

The whole story starts with a Turkish security researcher named Utku Sen, who decided last year to create a few test ransomware families and upload them on GitHub.

Utku Sen and his hobby

At first, the researcher created Hidden Tear, in which he deliberately left a hidden encryption flaw. Hidden Tear was later reused in the Cryptear.B and Linux.Encoder ransomware families, both of which were cracked by Utku himself and by various security firms.
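To make that "hidden encryption flaw" concrete: the public write-ups of Hidden Tear describe a file password built character by character from a non-cryptographic PRNG seeded with the machine's millisecond uptime counter, so the whole key space collapses to a few thousand candidates once a responder knows roughly when a file was encrypted. The following is an added example written for this page, not Hidden Tear's own code: it reproduces that pattern in Python and shows the recovery a responder can do from one encrypted file with a known header. The HMAC-SHA256 counter keystream is an assumed stand-in for the original AES routine, and the sample file, tick value and search window are constructed.

```python
import hashlib
import hmac
import random
import struct

# Character set of the kind a string-password generator draws from (constructed).
CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/"
PASSWORD_LEN = 15


def weak_password(tick_ms: int, length: int = PASSWORD_LEN) -> str:
    """The flaw: a password drawn from a non-cryptographic PRNG seeded with an
    uptime tick counter. Anyone who can bound tick_ms can regenerate it."""
    rng = random.Random(tick_ms)
    return "".join(CHARSET[rng.randrange(len(CHARSET))] for _ in range(length))


def keystream_xor(password: str, data: bytes) -> bytes:
    """Stand-in cipher (assumed, not the original's AES): HMAC-SHA256 in
    counter mode. XOR makes encryption and decryption the same operation."""
    key = hashlib.sha256(password.encode()).digest()
    out = bytearray()
    for block_no, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, struct.pack(">Q", block_no), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def recover_password(ciphertext: bytes, known_prefix: bytes,
                     tick_lo: int, tick_hi: int):
    """Brute-force the seed window; a hit is when the decrypted head matches
    the file's known magic bytes. Returns (tick, password) or None."""
    head = ciphertext[:len(known_prefix)]
    for tick in range(tick_lo, tick_hi):
        candidate = weak_password(tick)
        if keystream_xor(candidate, head) == known_prefix:
            return tick, candidate
    return None


# Constructed scenario: a PDF encrypted at a known-ish moment after boot.
SAMPLE_PLAINTEXT = b"%PDF-1.4\n% constructed sample document body\n"
SAMPLE_TICK = 48_213_977  # ms since boot at encryption time (constructed)


def demo(window_ms: int = 5_000):
    """Encrypt the sample, then recover the key knowing only the file type and
    an approximate encryption time. Returns (key_matches, file_restored, tick)."""
    pw = weak_password(SAMPLE_TICK)
    ct = keystream_xor(pw, SAMPLE_PLAINTEXT)
    found = recover_password(ct, b"%PDF-", SAMPLE_TICK - window_ms,
                             SAMPLE_TICK + window_ms)
    if found is None:
        return None
    tick, recovered = found
    return recovered == pw, keystream_xor(recovered, ct) == SAMPLE_PLAINTEXT, tick


if __name__ == "__main__":
    print(demo())
```

The search cost is linear in the uncertainty about the tick counter: a one-hour window is 3.6 million seeds, which is still seconds of work. The fix on the defender's side is irrelevant here; the point for anyone writing "educational" crypto code is that a key must come from the OS CSPRNG, never from a seedable PRNG, because there is no such thing as a flaw only the author can exploit.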

After this happened, ransomware authors moved to abusing EDA2, Utku's second ransomware project. EDA2 didn't include an encryption flaw, but its PHP C&C script was laced with a backdoor. Even so, when the Magic ransomware debacle happened, this backdoor turned out to be useless, and only the malware author's good grace allowed infected victims to recover their files.

To get the encryption keys released for free, Utku was blackmailed by the author of the Magic ransomware into removing both the EDA2 and Hidden Tear projects from GitHub.


24 Hidden Tear variants detected

Unfortunately, removing the ransomware families from GitHub didn't help at all. Jornt van der Wiel, a security researcher at Kaspersky, says they have found 24 other ransomware families that used some of Hidden Tear's code.

One of these families is Trojan-Ransom.MSIL.Tear.c, which was specifically altered to encrypt only files found on the user’s desktop.

Another one, Trojan-Ransom.MSIL.Tear.f, also known as KryptoLocker, was asking users to email the ransomware’s author for their encryption key and was lying about the type of encryption used to lock the files.

Trojan-Ransom.MSIL.Tear.g and Trojan-Ransom.MSIL.Tear.h were a little bit more complex because they used C&C (command and control) servers while Trojan-Ransom.MSIL.Tear.i and Trojan-Ransom.MSIL.Tear.k actually used the same C&C server IP.

There were more, but we won’t mention them all since they all contain small updates to the normal Hidden Tear mode of operation.

Some Hidden Tear variants were destroying user files

A few that do stand out are Trojan-Ransom.MSIL.Tear.n, Trojan-Ransom.MSIL.Tear.o, Trojan-Ransom.MSIL.Tear.p and Trojan-Ransom.MSIL.Tear.q, which encrypted files but never stored the encryption key anywhere, effectively destroying all of the victims' files.

Even worse, all Hidden Tear variants codenamed Trojan-Ransom.MSIL.Tear.r through Trojan-Ransom.MSIL.Tear.v used a C&C server located at “,” sending the encryption keys into thin air and dooming the victims' files as well.

The conclusion of all this is that even if security researchers have the best intentions at heart, this will never stop bad guys from abusing their “educational” work.