- Russian hacker Alexander Zhukov extradited by Bulgaria to US
- Security Affairs newsletter Round 197 – News of the week
- DarkHydrus adds Google Drive support to its RogueRobin Trojan
- “Collection #1” Data Breach Analysis – Part 1
Posted: 20 Jan 2019 10:54 AM PST
Bulgaria has extradited to the United States a Russian hacker who was indicted by a US court for running a sophisticated hacking scheme.
According to the Russian embassy in Washington, the Russian hacker Alexander Zhukov was extradited on January 18. The Russian embassy has chosen to disclose the news on the VK social network, the Russian version of Facebook. The hacker is currently held in a jail in Brooklyn, New York.
“Employees of the Consulate General in New York will visit him in jail soon,” the embassy said.
Zhukov is accused of being involved in a sophisticated ad fraud scheme that leverages advertising and malware to compromise computer networks.
In November, law enforcement and private firms such as Google and WhiteOps took down one of the largest and most sophisticated digital ad-fraud
The name 3ve is derived from a set of three distinct sub-operations using unique measures to avoid detection, and each of them was built around different architectures with different components.
3ve has been active since at least 2014, and experts observed a peak in its activity in 2017. It has been estimated that the campaign allowed its operators to earn more than $30 million; the people involved in the ad-fraud campaign are all from Eastern Europe.
The United States Department of Justice indicted 8 individuals from Russia, Kazakhstan, and Ukraine; Zhukov is one of them.
Operators used a broad range of technique to monetize their efforts, they created fake versions of both websites and used their own
The infrastructure involved in the 3ve ad-fraud campaign was enormous: according to the experts, the fraudsters infected 1.7 million computers with malware, used thousands of servers, and set up more than 10,000 counterfeit websites to impersonate legitimate web publishers.
The experts also found that the crooks used over 60,000 accounts selling ad inventory, generating a record 3 to 12 billion ad bid requests per day.
Zhukov, aka Nastra, was arrested in November in Bulgaria, where he had lived since 2010.
“According to Kommersant newspaper, which claims to have spoken with a friend of Zhukov, the hacker stood out on the dark web for the selective way he chose his jobs, staying away from credit-card theft or child pornography.” reported the AFP.
“Zhukov was earning about $20,000 per month on his fake ad-view contracts, but was exposed after a conflict with his US client, Kommersant said.”
(SecurityAffairs – Zhukov, ad fraud)
The post Russian hacker Alexander Zhukov extradited by Bulgaria to US appeared first on Security Affairs.
Posted: 20 Jan 2019 05:32 AM PST
A new round of the weekly SecurityAffairs newsletter arrived!
The best news of the week with Security Affairs.
Let me inform you that my new book, “Digging in the Deep Web”, is online with a special deal.
Once again thank you!
(SecurityAffairs – Microsoft partner portal, data leak)
The post Security Affairs newsletter Round 197 – News of the week appeared first on Security Affairs.
Posted: 19 Jan 2019 11:31 PM PST
Security experts have attributed new malicious campaigns to the DarkHydrus APT group (aka Lazy Meerkat); the threat actors used a new variant of the RogueRobin Trojan and leveraged Google Drive as an alternative C2 channel.
DarkHydrus was first discovered by experts at Palo Alto Networks’ Unit 42 team in July when the group carried out attacks aimed at a government agency in the Middle East.
Threat actors focused their activity in the Middle East, they used
On January 9, experts at 360’s Threat Intelligence Center (360 TIC) first observed attacks leveraging lure Excel documents written in Arabic.
“This malware is a lure Excel document with
The final stage malware is a backdoor written in C#.
According to the analysis made by malware researchers from Palo Alto Networks, the text file includes parts of a Windows Script Component (.SCT) file that once concatenated delivers a version of the RogueRobin trojan.
“The New_Macro function starts by concatenating several strings to create a PowerShell script that it will write to the file %TEMP%\WINDOWSTEMP.ps1. The function builds the contents of a second file by concatenating several strings together, but this second file is a .sct file that the function will write to a file %TEMP%\12-B-366.txt.” reads the analysis published by Palo Alto Networks.
The samples of the RogueRobin Trojan analyzed by Palo Alto Networks implement additional functionality, they include the use of
The main communication channel with the C2 server is DNS tunneling.
“A command that was not available in the original PowerShell variant of RogueRobin but is available with the new C# variant is the x_mode. This command is particularly interesting as it enables an alternative command and control channel that uses the Google Drive API.” continues Palo Alto Networks. “The x_mode command is disabled by default, but when enabled via a command received from the DNS tunneling channel, it allows RogueRobin to receive a unique identifier and to get jobs by using Google Drive API requests.”
Once activated, the malware receives via DNS tunneling from the C2 server a list of settings that allow it to interact with Google Drive.
Commands are exchanged through a file that the Trojan uploads to Google Drive; every change to that file is interpreted as a command.
The RogueRobin Trojan also checks whether it is running in a virtualized environment or a sandbox before triggering the payload.
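Because RogueRobin's primary channel is DNS tunneling, the defensive question is how a resolver log would reveal it. The following is an added example, not code from Security Affairs or Palo Alto Networks, that scores resolver log lines with the usual tunneling heuristics: many unique, long, high-entropy subdomains under one parent domain from a single client, often as TXT queries. The log format (timestamp, client, query name, query type), the parent-domain approximation (last two labels) and the thresholds are assumptions; the log lines themselves are constructed.

```python
"""Heuristic DNS-tunneling detector over constructed resolver log lines."""
import math
from collections import defaultdict

# Constructed sample log lines (not from the page): "timestamp client qname qtype".
# 10.0.0.7 issues many long, hex-looking TXT queries under one domain, which is
# the signature of data being smuggled in query names.
SAMPLE_DNS_LOG = """\
2019-01-19T10:00:01 10.0.0.5 www.example.com A
2019-01-19T10:00:02 10.0.0.5 mail.example.com A
2019-01-19T10:00:03 10.0.0.7 a3f9c2e1b7d4.tunnel-example.net TXT
2019-01-19T10:00:04 10.0.0.7 9e8d7c6b5a4f3e2d1c0b.tunnel-example.net TXT
2019-01-19T10:00:05 10.0.0.7 0f1e2d3c4b5a69788796a5b4.tunnel-example.net TXT
2019-01-19T10:00:06 10.0.0.7 c3d2e1f0a9b8c7d6e5f4a3b2.tunnel-example.net TXT
2019-01-19T10:00:07 10.0.0.5 cdn.example.com A
2019-01-19T10:00:08 10.0.0.7 7a6b5c4d3e2f1a0b9c8d.tunnel-example.net TXT
"""


def shannon_entropy(text):
    """Bits of entropy per character of the string (0 for the empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (subdomain, parent).

    The parent is approximated as the last two labels (an assumption kept
    simple here); a production detector would consult the public suffix list.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect_tunneling(log_text, min_unique=4, min_len=16.0, min_entropy=3.0):
    """Aggregate queries per (client, parent domain) and flag pairs whose
    subdomains look like encoded data: many unique, long, high-entropy labels.

    Thresholds are illustrative assumptions, not values from any vendor report.
    """
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "txt": 0,
                                 "len_sum": 0, "ent_sum": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, client, qname, qtype = parts
        sub, parent = split_name(qname)
        s = stats[(client, parent)]
        s["queries"] += 1
        s["subdomains"].add(sub)
        if qtype.upper() == "TXT":
            s["txt"] += 1
        compact = sub.replace(".", "")  # measure the payload-carrying labels only
        s["len_sum"] += len(compact)
        s["ent_sum"] += shannon_entropy(compact)

    flagged = {}
    for key, s in stats.items():
        n = s["queries"]
        summary = {
            "queries": n,
            "unique_subdomains": len(s["subdomains"]),
            "mean_subdomain_len": s["len_sum"] / n,
            "mean_entropy": s["ent_sum"] / n,
            "txt_fraction": s["txt"] / n,
        }
        if (summary["unique_subdomains"] >= min_unique
                and summary["mean_subdomain_len"] >= min_len
                and summary["mean_entropy"] >= min_entropy):
            flagged[key] = summary
    return flagged


if __name__ == "__main__":
    for (client, domain), summary in detect_tunneling(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {domain}: {summary}")
```

The ordinary traffic to example.com is never flagged, because its subdomains (www, mail, cdn) are short and repetitive; the three thresholds have to be tuned against your own baseline, since CDNs and some anti-spam services legitimately produce long, random-looking labels.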
According to Palo Alto Networks, the malware also checks for common analysis tools running on the system and the presence of a debugger.
“Just like in the sandbox checks, the Trojan checks for an attached debugger each time it issues a DNS query; if it does detect
Experts speculate that the DarkHydrus group continues its operations and has improved its techniques and arsenal. The recent attacks show the group abusing open-source penetration-testing techniques such as the AppLocker bypass.
(SecurityAffairs – hacking, DarkHydrus)
The post DarkHydrus adds Google Drive support to its RogueRobin Trojan appeared first on Security Affairs.
Posted: 19 Jan 2019 10:31 PM PST
Cybersecurity expert Marco Ramilli has analyzed the huge trove of data, called Collection #1, that was first disclosed by Troy Hunt.
One of the first questions I wanted to answer was: "What are the most used passwords?". I am aware that many researchers have written about the most used passwords, but now I have the opportunity to measure it: to get really used passwords and to evaluate the reality. So let's see what the most used passwords out there are!
So far the most used passwords are: "123456", "q1w2e3r4t5y6", "123456789", "1qaz2wsx3edc", followed by most common passwords like "12345678" and "qwerty". By observing the current graph and comparing it to common research on frequently used passwords such as here, here, and here we might appreciate a significant difference: the pattern complexity! In fact, while years ago the most used passwords were about names, dates or simple patterns such as "qwerty", today we observe a significant increase in pattern complexity, but still too easy to be brute-forced.
A second question came by looking at leaked emails: "What are the domain names of the most leaked emails?" Those domains are not the most vulnerable domains but rather the most used ones. So I'm not saying that those domains are or have been vulnerable or Pwned, but I am trying to find what the most leaked email providers are. In other words, if you receive an email from "@gmail.com", what is the probability that it has been leaked and potentially compromised? Again, I cannot answer such a question since I do not have the total amount of "@gmail.com" accounts all around the world, but I think it might be a nice indicator to find out what the most leaked email domain names are.
The most leaked emails come from "yahoo.com", "gmail.com", "aol.com" and "hotmail.com". This is quite interesting since we are mostly facing personal email providers (domains) rather than professional email providers (such as company.com). So apparently, attackers are mostly focused on targeting people rather than companies (maybe attacking non-professional websites and/or distributing malware to people rather than company domain names). Another interesting piece of data is the number of unique leaked email domain names: 4426, so far!
Finally, it would be great to know what sources the data is coming from! At this point I have no evidence for what I am going to write about, but I made some deductions from the structure of the leaked data. The following image shows the collection-1 structure.
Are you interested in Marco Ramilli’s conclusions? Have a look at his post:
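The two measurements described in the post above, the most frequent passwords and the most frequent email domains in a credential dump, reduce to parsing `email:password` lines and counting. The following is an added example and is not Marco Ramilli's code or Security Affairs' code: it parses a small constructed dump (the records are invented, not taken from Collection #1), tolerates the `;` separator and garbage lines that such files usually contain, and reports top passwords, top domains, the number of unique domains, and, as a rough proxy for the "pattern complexity" point, the share of digits-only passwords.

```python
"""Frequency analysis of a credential dump in email:password form."""
import re
from collections import Counter

# Constructed sample records (not real leaked data). Note the mixed-case
# domain, the ';' separator and the garbage line that real dumps contain.
SAMPLE_DUMP = """\
alice@gmail.com:123456
bob@yahoo.com:q1w2e3r4t5y6
carol@aol.com:123456
dave@hotmail.com:qwerty
erin@yahoo.com:123456789
frank@gmail.com:123456
this line is garbage
grace@Yahoo.com;12345678
heidi@example.org:Summer2018!
ivan@yahoo.com:123456
"""

# email, then the first ':' or ';' after it, then the rest of the line as the
# password (passwords may themselves contain ':' so only the first separator counts)
RECORD_RE = re.compile(r"^\s*([^\s:;@]+@[^\s:;]+)[:;](.+?)\s*$")


def parse_records(text):
    """Yield (email, password) pairs; lines not in email<sep>password form are skipped."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            yield m.group(1), m.group(2)


def summarize(text, top_n=5):
    """Count password and domain frequencies over all well-formed records."""
    passwords = Counter()
    domains = Counter()
    digits_only = 0
    total = 0
    for email, pw in parse_records(text):
        total += 1
        passwords[pw] += 1
        # domains are case-insensitive, so normalise before counting
        domains[email.rsplit("@", 1)[1].lower()] += 1
        if pw.isdigit():
            digits_only += 1
    return {
        "records": total,
        "top_passwords": passwords.most_common(top_n),
        "top_domains": domains.most_common(top_n),
        "unique_domains": len(domains),
        "digits_only_share": digits_only / total if total else 0.0,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_DUMP)
    print(f"parsed {report['records']} records, {report['unique_domains']} unique domains")
    print("top passwords:", report["top_passwords"])
    print("top domains:  ", report["top_domains"])
    print(f"digits-only passwords: {report['digits_only_share']:.0%}")
```

On a multi-gigabyte dump the same logic works line by line without loading the file into memory; `Counter` of passwords is the only structure that grows with the number of distinct values, and the domain counter stays small because, as the post observes, the domains are dominated by a handful of providers.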