- New Malware Dubbed LockPos Introduces New Injection Technique To Avoid Detection
- Electrum patches a critical flaw that exposed Bitcoin Wallets to hack since 2016
- Turla APT group’s espionage campaigns now employ Adobe Flash Installer and ingenious social engineering
- January 2018 Patch Tuesday security updates fix a zero-day vulnerability in MS Office
- VirusTotal presents the visualization tool ‘VirusTotal Graph’
Posted: 10 Jan 2018 12:50 PM PST
Security Researchers from Cyberbit have discovered a new malware injection technique being used by a variant of Flokibot malware named LockPoS.
Point of Sale (PoS) malware is a malicious application that steals credit card data from the memory of computers connected to credit card equipment. Once it has infected a system, LockPoS tries to gain access to and read the memory of the running processes, searching for data that matches the pattern of credit card information and sending it to its command and control server.
“Cyberbit malware researchers recently discovered a stealthy new malware injection technique being used by LockPoS that appears to be a new variant of that used by Flokibot.” reads the analysis published by CyberBit.
“LockPoS is a Point-of-Sale (PoS) malware that steals credit card data from the memory of computers attached to point of sale credit card scanners. LockPos reads the memory of currently running processes on the system, searching for data that looks like credit card information and then sends them to the C&C.”
LockPoS is spread by the same botnet associated with the propagation of Flokibot, and its source code has some similarities with it. The malware goes through several unpacking and decryption stages, using injection techniques and API-calling routines related to those of Flokibot.
The PoS malware discovered by CyberBit uses three main routines to inject code into a remote process: NtCreateSection, NtMapViewOfSection, and NtCreateThreadEx. All of them live in ntdll.dll, a core DLL native to Windows; the ntdll routines carrying the “Nt” prefix form the native API layer that separates user space from kernel space. The injection technique creates a section object in the kernel with NtCreateSection, calls NtMapViewOfSection to map a view of that section into another process, copies the code into the section, and finally creates a remote thread with NtCreateThreadEx or CreateRemoteThread to execute it.
When a routine from ntdll is called, the hexadecimal value of the system call number is copied into the EAX register and an instruction is executed that switches the thread into kernel mode. The kernel then runs the routine selected by the value in EAX; the parameters are copied from the user stack to the kernel stack and the routine executes.
To avoid antivirus detection, the malware does not call the routines of the ntdll.dll already loaded in its process; instead it maps ntdll.dll from disk into its own virtual address space. In this way it keeps a clean copy of the DLL, and its calls through that copy are not detected by anti-virus software.
The Cyberbit researchers also noticed that the malware’s call to NtMapViewOfSection targets the explorer.exe process.
“One LockPoS malware injection technique involves creating a section object in the kernel using NtCreateSection, calling NtMapViewOfSection to map a view of that section into another process, copying code into that section and creating a remote thread using NtCreateThreadEx or CreateRemoteThread to execute the mapped code.” continues the analysis.
The researchers also note that improved memory analysis is the only effective way to detect this technique, since on Windows 10 the kernel functions involved cannot be monitored.
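As an added example (not from the Cyberbit analysis), the two memory-analysis checks that follow from the technique above, run over constructed memory-map and thread records in a tool-neutral format of my own: a process holding ntdll.dll at more than one base address, and a thread started inside an executable region that no image file backs.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Region:
    pid: int
    process: str
    base: int      # start address of the region
    size: int
    protect: str   # "RX", "RWX", "RW", ...
    kind: str      # "image" (loaded module), "mapped" (section view), "private"
    path: str      # backing file, "" when the section is anonymous

@dataclass(frozen=True)
class Thread:
    pid: int
    tid: int
    start: int     # thread start address

def duplicate_ntdll(regions):
    """{pid: sorted bases} for processes with ntdll.dll at more than one base:
    the loader's copy plus a second one mapped from disk to dodge hooks."""
    bases = defaultdict(set)
    for r in regions:
        if r.path.lower().endswith("\\ntdll.dll"):
            bases[r.pid].add(r.base)
    return {pid: sorted(b) for pid, b in bases.items() if len(b) > 1}

def threads_in_anonymous_code(regions, threads):
    """Threads whose start address falls in an executable region that is not
    backed by an image file: what a view of an attacker-created section
    executed via NtCreateThreadEx looks like in a memory snapshot."""
    hits = []
    for t in threads:
        for r in regions:
            if (r.pid == t.pid and r.base <= t.start < r.base + r.size
                    and "X" in r.protect and r.kind != "image"):
                hits.append((t.pid, t.tid, hex(t.start), r.kind))
    return hits

# Constructed sample: explorer.exe (pid 1234) received an injected section and
# a remote thread; pid 5678 carries a second ntdll.dll mapped from disk.
SAMPLE_REGIONS = [
    Region(1234, "explorer.exe", 0x7FF800000000, 0x1F0000, "RX", "image",
           r"C:\Windows\System32\ntdll.dll"),
    Region(1234, "explorer.exe", 0x1F0000, 0x10000, "RX", "mapped", ""),
    Region(1234, "explorer.exe", 0x400000, 0x200000, "RX", "image",
           r"C:\Windows\explorer.exe"),
    Region(5678, "svc.exe", 0x7FF800000000, 0x1F0000, "RX", "image",
           r"C:\Windows\System32\ntdll.dll"),
    Region(5678, "svc.exe", 0x2A0000, 0x1F0000, "RW", "mapped",
           r"C:\Windows\System32\ntdll.dll"),
]
SAMPLE_THREADS = [
    Thread(1234, 4321, 0x1F0020),   # remote thread in the anonymous section
    Thread(1234, 4400, 0x401000),   # explorer.exe's own code
]

if __name__ == "__main__":
    print(duplicate_ntdll(SAMPLE_REGIONS))
    print(threads_in_anonymous_code(SAMPLE_REGIONS, SAMPLE_THREADS))
```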
About the author Luis Nakamoto
Luis Nakamoto is a Computer Science student specializing in Cryptology and an information security enthusiast who has participated in groups like Comissão Especial de Direito Digital e Compliance (OAB/SP) and CCBS (Consciência Cibernética Brasil) as a researcher in new technologies related to ethical hacking, forensics and reverse engineering. He is also a prolific and compulsive writer, contributing as a writer to Portal Tic from Sebrae Nacional.
(Security Affairs – PoS malware, cybercrime)
The post New Malware Dubbed LockPos Introduces New Injection Technique To Avoid Detection appeared first on Security Affairs.
Posted: 10 Jan 2018 06:19 AM PST
The development team behind the popular Electrum Bitcoin wallet app has issued an emergency patch for a critical vulnerability in the company bitcoin wallets.
Electrum is a free application that's used by many cryptocurrency sites to store bitcoin. Administrators can run their own Electrum server and the software supports hardware wallets such as Trezor, Ledger and Keepkey.
The vulnerability allowed any website visited by a user running the Electrum wallet to potentially steal the user's cryptocurrency.
The flaw seems to have been present in the software for almost two years; it is related to the exposure of the JSONRPC interface without password protection.
A first security patch issued by the developers failed to address the issue, so Electrum issued a second update on Sunday evening.
The story began in November, when several researchers observed massive scans for Bitcoin and Ethereum wallets aimed at stealing their funds.
The security expert Didier Stevens observed a significant scanning activity over the weekend, just two days before Bitcoin price jumped from $7,000 to over $8,000.
The crooks were of course also exploring the possibility of targeting other cryptocurrencies, such as Ethereum. An interesting analysis by Bleepingcomputer.com reported the discovery made by the researcher Dimitrios Slamaris, who observed Internet-wide scans for Ethereum JSON-RPC interfaces: his honeypot caught JSON-RPC calls from someone making requests to the JSON-RPC interface of Ethereum nodes, an interface that should only be exposed locally.
Access to the interface does not require any authentication, and wallet apps installed on the PC can send commands to the Ethereum client to manage funds. If the interface is exposed online, attackers can send requests to it and issue commands to move funds to a wallet they control.
In early November, Slamaris uncovered another massive scan in which the attacker was able to steal 8 Ether (about $3,200 at the exchange rate of the time).
Slamaris, teaming up with SANS Internet Storm Center expert Johannes Ullrich, also uncovered a second campaign in which two IP addresses were scanning particularly aggressively with these requests:
A user going by the name of “jsmad” noticed that the Electrum wallet app was also exposing a similar JSON RPC interface online.
“The JSONRPC interface is currently completely unprotected, I believe it should be a priority to add at least some form of password protection.” wrote the user.
“Scans for the JSONRPC interface of Ethereum wallets have already started:
Knowledge of the Electrum password would allow attackers to interact with the wallets through the JSON RPC interface.
The Electrum developers were also criticized by the popular Google white hat hacker Tavis Ormandy, who contacted the company.
“Hello, I’m not a bitcoin user, a colleague pointed me at this bug report because localhost RPC servers drive me crazy.” wrote Ormandy.
“I installed Electrum to look, and I’m confused why this isn’t being treated as a critical and urgent vulnerability? If this bug wasn’t already open for months, I would have reported this as a vulnerability, but maybe I misunderstand something.
The JSON RPC server is enabled by default, it does use a random port but a website can simply scan for the right port in seconds.
I made you a demo. It’s very basic, but you get the idea. If you did set a password, some misdirection is required, but it’s still game over, no?
Here is how I reproduced:
(Note: I don't use bitcoin, you can steal my empty wallet if you like)”
In a real attack scenario, hackers could trick Electrum users into visiting a malicious website that scans for Electrum’s random JSON RPC port and empties the wallet by issuing commands.
Below is a video of such an attack shared by a Twitter user.
The Electrum development team released version 3.0.5, which addresses the vulnerability; users are urged to update their wallet app.
According to the developers, the flaw affects versions 2.6 to 3.0.4 of Electrum, on all platforms. It also affects clones of Electrum such as Electron Cash.
“In addition, the vulnerability allows an attacker to modify user settings, the list of contacts in a wallet, and the “payto” and “amount” fields of the user interface while Electrum is running.” reads the analysis published by the Electrum development team.
“Although there is no known occurrence of Bitcoin theft occurring because of this vulnerability, the risk increases substantially now that the vulnerability has been made public.”
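As an added example (not Electrum's code), a localhost JSON-RPC listener hardened against the scenario above: it rejects browser-originated requests, checks the Host header, and requires HTTP Basic credentials before parsing the call. RPC_USER and RPC_PASSWORD are constructed values.

```python
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for this example; a wallet would generate its own.
RPC_USER = "electrum"
RPC_PASSWORD = "constructed-secret"
LOOPBACK_HOSTS = {"127.0.0.1", "localhost"}

def basic_auth_header(user, password):
    """Value of the Authorization header a legitimate local client sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_request(headers, body):
    """Return None if the JSON-RPC request may proceed, else a rejection reason.
    A web page in the user's browser can reach a loopback port, so the listener
    itself has to tell a browser-driven request from a local wallet client."""
    # Browsers attach Origin (or Referer) to cross-site requests; a local
    # client does not.  Reject them before looking at anything else.
    if headers.get("Origin") or headers.get("Referer"):
        return "browser-originated request"
    # The Host header must name the loopback listener (blocks DNS rebinding).
    if headers.get("Host", "").rsplit(":", 1)[0] not in LOOPBACK_HOSTS:
        return "unexpected Host header"
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return "missing credentials"
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return "malformed credentials"
    # Constant-time comparison; evaluate both so timing does not leak which failed.
    user_ok = hmac.compare_digest(user.encode(), RPC_USER.encode())
    pass_ok = hmac.compare_digest(password.encode(), RPC_PASSWORD.encode())
    if not (user_ok and pass_ok):
        return "bad credentials"
    try:
        req = json.loads(body)
    except ValueError:
        return "invalid JSON"
    if not isinstance(req, dict) or req.get("jsonrpc") != "2.0" \
            or not isinstance(req.get("method"), str):
        return "not a JSON-RPC 2.0 request"
    return None

class RpcHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        reason = check_request(self.headers, body)
        self.send_response(403 if reason else 200)
        self.end_headers()
        self.wfile.write(reason.encode() if reason
                         else b'{"jsonrpc":"2.0","result":"ok","id":1}')

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 0), RpcHandler).serve_forever()
```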
(Security Affairs – Electrum wallet, Bitcoin)
The post Electrum patches a critical flaw that exposed Bitcoin Wallets to hack since 2016 appeared first on Security Affairs.
Posted: 10 Jan 2018 02:48 AM PST
Security researchers from ESET who analyzed recent cyber espionage campaigns conducted by the dreaded Turla APT group reported that the hackers rely on malware downloaded from what appear to be legitimate Adobe URLs and IP addresses.
Turla is the name of a Russian cyber espionage APT group (also known as Waterbug, Venomous Bear and KRYPTON) that has been active since at least 2007 targeting government organizations and private businesses.
The list of victims is long and also includes the Swiss defense firm RUAG, the US Department of State, and the US Central Command.
Turla's arsenal is composed of sophisticated hacking tools and malware tracked as Turla (Snake and Uroburos rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla. In June 2016, researchers from Kaspersky reported that the Turla APT had started using
In the most recent attacks, the group is packaging its macOS backdoor with a real Adobe Flash installer, and the malware is downloaded onto victim systems from a remote IP address belonging to Akamai, the Content Delivery Network that Adobe also uses to distribute its software. Legitimate Flash installers are in fact also distributed through the Akamai network.
“In recent months, we have observed a strange, new behavior, leading to compromise by one of Turla's backdoors. Not only is it packaged with the real Flash installer, but it also appears to be downloaded from adobe.com.” reads the report published by ESET.
“From the endpoint's perspective, the remote IP address belongs to Akamai, the official Content Delivery Network (CDN) used by Adobe to distribute their legitimate Flash
Researchers noted that Turla installers had been exfiltrating information to get.adobe.com URLs since at least July 2016; the data were sent to legitimate URLs at adobe.com. The download attempts observed by ESET were made over HTTP rather than HTTPS, and the researchers state with confidence that Adobe was not compromised.
The social engineering technique adopted by the Turla group to trick victims into believing they are downloading legitimate software from an Adobe server is very ingenious.
Data collected by the experts revealed that most of the victims are in the former USSR; targeted entities include embassies and consulates located in Eastern Europe.
At the time of the report, it was still unclear how the Turla APT group distributed the backdoor through adobe.com.
Experts speculate that this could be achieved by compromising a machine on the victim’s network to perform a local man-in-the-middle attack. In this scenario, the threat actors redirect traffic from a target system through the compromised machine and modify it on the fly. Another possibility is a compromised local gateway, which could allow the attackers to intercept and modify traffic for the whole organization.
Other attack scenarios include Turla executing a man-in-the-middle attack at the ISP level, or BGP hijacking.
“We quickly discarded the hypothesis of a rogue DNS server, since the IP address corresponds to the servers used by Adobe to distribute Flash.” continues the report. “Thus, these are the hypotheses that remain: ➊ a Man-in-the-Middle
Researchers believe the most likely scenario sees attackers controlling the router for the traffic hijacking.
Such an attack is in any case possible because the files are downloaded over HTTP; for this reason, it is important to avoid installing any update or software that was downloaded over an unsecured connection.
Administrators must also check that downloaded Flash Player installers are properly signed with a valid Adobe certificate.
Further information, including the IoCs, is included in the report published by ESET.
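As an added example (not part of ESET's report), a proxy-log check for the condition that made the hijack possible: installer downloads over plaintext HTTP, which anyone on the path could swap. The log lines are constructed in a simple space-separated format of my own, not a real proxy's output.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log: "<ts> <client> <method> <url> <status> <content-type>".
# The format and the client addresses are invented for this example.
SAMPLE_LOG = """\
1515570001 10.0.0.5 GET http://get.adobe.com/flashplayer/download/update.exe 200 application/x-msdownload
1515570002 10.0.0.5 GET https://get.adobe.com/flashplayer/ 200 text/html
1515570003 10.0.0.7 GET http://www.example.org/index.html 200 text/html
1515570004 10.0.0.9 GET http://cdn.example.net/tools/setup.dmg 200 application/octet-stream
1515570005 10.0.0.9 GET https://cdn.example.net/tools/setup.pkg 200 application/octet-stream
"""

INSTALLER_EXT = re.compile(r"\.(exe|msi|dmg|pkg|zip)$", re.IGNORECASE)
BINARY_TYPES = {"application/x-msdownload", "application/octet-stream",
                "application/x-apple-diskimage"}

def plaintext_installer_downloads(log_text):
    """Return (client, url) pairs for installer-looking downloads fetched over
    plaintext HTTP.  Either signal (installer extension or binary content type)
    is enough: the point is that nothing on the path could be trusted."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines rather than abort the sweep
        _, client, method, url, _, ctype = fields
        parts = urlsplit(url)
        installer = bool(INSTALLER_EXT.search(parts.path)) or ctype in BINARY_TYPES
        if method == "GET" and parts.scheme == "http" and installer:
            hits.append((client, url))
    return hits

if __name__ == "__main__":
    for client, url in plaintext_installer_downloads(SAMPLE_LOG):
        print(f"{client} fetched an installer over plaintext HTTP: {url}")
```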
(Security Affairs – Turla APT group, cyber espionage)
Posted: 10 Jan 2018 12:05 AM PST
Microsoft has released the January 2018 Patch Tuesday security updates, containing fixes for 56 vulnerabilities including the zero-day vulnerability CVE-2018-0802 in MS Office. 16 security updates are rated critical, 38 important, 1 moderate, and 1 low in severity. The updates fix security vulnerabilities in Windows, Office, Internet Explorer, ChakraCore, Edge, ASP.NET, and the .NET Framework.
The January 2018 Patch Tuesday also includes three special security advisories that address flaws related to Adobe Flash and the Meltdown and Spectre vulnerabilities, plus an update for the Office suite.
The zero-day vulnerability is a memory corruption flaw in Office tracked as CVE-2018-0802; in the past few months it had been actively exploited by multiple attackers in the wild. It can be exploited for remote code execution by tricking the victim into opening a specially crafted malicious Word file in MS Office or WordPad.
The flaw was discovered by several experts from Tencent, Qihoo 360, ACROS Security’s 0Patch Team, and Check Point Software Technologies.
Security firm Check Point has published a detailed analysis of the flaw in a blog post including a video PoC of its exploitation.
The flaw is related to the memory-corruption issue CVE-2017-11882, which affects all versions of Microsoft Office released in the past 17 years; it resides in the Equation Editor component (EQNEDT32.EXE) and was addressed by Microsoft in November.
The analysis of CVE-2017-11882 allowed the researchers at 0Patch to discover CVE-2018-0802, fixed in the January 2018 Patch Tuesday.
Microsoft also addressed nine remote code execution and memory disclosure vulnerabilities in MS Office.
Microsoft also addressed an X.509 certificate validation bypass vulnerability tracked as CVE-2018-0786 in the .NET Framework (and .NET Core) that could be exploited by threat actors to have invalid certificates accepted as valid.
“Microsoft is aware of a security vulnerability in the public versions of .NET Core where an attacker could present a certificate that is marked invalid for a specific use, but a component uses it for that purpose. This action disregards the Enhanced Key Usage tagging.” states Microsoft.
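As an added example (not Microsoft's code), the check that CVE-2018-0786 describes as disregarded: whether a certificate's Enhanced Key Usage extension actually lists the purpose a component wants it for. The minimal DER encoder and decoder below are mine and cover only the short-form encodings the constructed sample needs.

```python
# Extended Key Usage OIDs from RFC 5280, section 4.2.1.12.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
ANY_EKU = "2.5.29.37.0"   # anyExtendedKeyUsage: no restriction on purpose

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER (tag 0x06) for a dotted OID string."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])    # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                       # base-128, high bit = "more"
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def encode_eku(oids):
    """DER ExtKeyUsageSyntax: SEQUENCE OF OID (short-form length only)."""
    inner = b"".join(encode_oid(o) for o in oids)
    assert len(inner) < 128, "sample is small enough for a one-byte length"
    return bytes([0x30, len(inner)]) + inner

def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]  # valid for first arc 0..2, second < 40
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_eku(der):
    """Parse ExtKeyUsageSyntax back into dotted OID strings."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form SEQUENCE")
    oids, i = [], 2
    while i < len(der):
        if i + 1 >= len(der) or der[i] != 0x06 or i + 2 + der[i + 1] > len(der):
            raise ValueError("malformed OID element")
        n = der[i + 1]
        oids.append(decode_oid(der[i + 2:i + 2 + n]))
        i += 2 + n
    return oids

def permits(eku_der, purpose):
    """True only if the EKU extension lists the purpose (or anyExtendedKeyUsage).
    A component that skips this step accepts a certificate for a use it was not
    issued for, which is what the advisory above describes."""
    if eku_der is None:
        return True  # RFC 5280: an absent EKU extension places no restriction
    oids = decode_eku(eku_der)
    return purpose in oids or ANY_EKU in oids
```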
The January 2018 Patch Tuesday also addresses a total of 15 vulnerabilities in the scripting engine used by Microsoft Edge and Internet Explorer; the flaws could be exploited by a remote attacker for code execution by tricking the victim into opening a specially crafted webpage that triggers a memory corruption error.
Finally, Microsoft also patched a flaw in Outlook for Mac (CVE-2018-0819, aka Mailsploit attack) that could be exploited by attackers to send emails with spoofed identities.
The post January 2018 Patch Tuesday security updates fix a zero-day vulnerability in MS Office appeared first on Security Affairs.
Posted: 09 Jan 2018 10:04 PM PST
VirusTotal announced the availability of a visualization tool, dubbed VirusTotal Graph, designed to help with malware analysis.
VirusTotal Graph allows investigators who work with multiple reports at the same time to pivot between multiple data points (files, URLs, domains and IP addresses). Observing the connections across different malware samples could allow investigators to gather more events from different cases.
"VirusTotal receives a large number of files and URLs every day, and each of them is analyzed by AVs and other tools and sandboxes to extract information about them. This information is critical for our ecosystem, as it connects the dots and makes clear the connections between entities.” states VirusTotal.
“It is common to pivot over many data points (files, URLs, domains and IP addresses) to get the full picture of your investigation, and this usually involves looking at multiple reports at the same time. We know this can be complicated when you have many open tabs, therefore, we've developed VirusTotal Graph."
VirusTotal Graph is based on VirusTotal's data set and is designed to visualize, in a single graphical interface, the relationships between files, URLs, domains and IP addresses. The graph is navigable, which makes investigating malicious code easier for malware researchers.
Analysts can build their own network by exploring and expanding each of the nodes in the graph.
The tool includes a search box, a node summary section, a node expansion section that allows correlating information from further entities, a node action menu, a detection dropdown, and a node list.
VirusTotal also allows users to save the graphs they generated, as well as to share their findings with other users. All saved graphs are public and also linked in VirusTotal public reports of files, URLs, IP addresses or domains that appear in the graph.
"We feel the community will benefit from this intelligence. We understand that there are scenarios where a higher degree of privacy is needed, and we are working on a solution — expect to see some news around it soon," VirusTotal concludes.
The complete documentation is available at
VirusTotal also published two videos that show the main features implemented in the tool.
(Security Affairs – VirusTotal Graph, malware)
The post VirusTotal presents the visualization tool ‘VirusTotal Graph’ appeared first on Security Affairs.