New variant of Dridex banking Trojan implements polymorphism

Posted: 01 Jul 2019 12:41 PM PDT

Security researchers at eSentire tracked a new campaign spreading a variant of the Dridex banking Trojan that shows polymorphism.

Security experts at eSentire observed a new campaign spreading a variant of the Dridex banking Trojan that implements polymorphism.

The Dridex banking Trojan has been around since 2014; it was involved in numerous campaigns against financial institutions over the years, and crooks have continuously improved it.

Even though Dridex activity decreased in the last couple of years, crooks continued to update it, adding new features such as support for XML scripts, hashing algorithms, peer-to-peer encryption, and peer-to-command-and-control encryption.

Malware researcher Brad Duncan first observed a new variant of Dridex on June 17 that leverages an Application Whitelisting bypass technique, which sidesteps the common mitigation of disabling or blocking Windows Script Host.

On June 26, 2019, experts at eSentire Threat Intelligence discovered C2 infrastructure pointing to a similar Dridex variant that went undetected by most of the antivirus engines on VirusTotal.

“On June 26, 2019, eSentire Threat Intelligence discovered new infrastructure pointing to a similar Dridex variant (see IOCs below).  At the time of discovery, using data from VirusTotal, only six antivirus solutions of about 60 detected suspicious behavior [2].  About 12 hours later, on the morning of June 27, 16 antivirus solutions could identify the behavior.” reads the analysis published by eSentire.

Experts noticed that the threat actors continuously change up indicators throughout the current campaign, making it hard for signature-based defense solutions to detect the threat.

"Given the same-day deployment and implementation of the ssl-pert[.]com domain on June 26th and a tendency to utilize randomly generated variables and URL directories, it is probable the actors behind this variant of Dridex will continue to change up indicators throughout the current campaign," eSentire notes.

In the attacks observed on June 17, the malware used 64-bit DLLs loaded by legitimate Windows system executables. Duncan pointed out that the file paths, file names, and associated hashes changed at every login, so a hash-based indicator collected today is stale by the next session.
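Because the DLL path, name and hash change at each login, any detection for this behaviour has to ignore hashes and key on what stays constant: a trusted Windows system binary loading an unsigned DLL from a user-writable location. The following is an added example, not eSentire's or Brad Duncan's code. It runs that rule over constructed Sysmon-style "Image loaded" (Event ID 7) records; the field names follow Sysmon's, but the values, the directory lists and the loader `mstsc.exe` are assumptions chosen for illustration.

```python
"""Hash-agnostic detection of DLL side-loading by Windows system binaries.

Added example: the rule flags a process image under a Windows system
directory that loads an unsigned DLL from a user-writable path. Hashes in
the sample events are placeholders and deliberately unused.
"""
from pathlib import PureWindowsPath

# Directories a legitimate system binary is expected to load DLLs from.
TRUSTED_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# Directories a standard user can write to. Assumption: these prefixes
# cover the deployment; extend them for non-default profile locations.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive prefix checks."""
    return str(PureWindowsPath(path)).lower()


def is_system_binary(image: str) -> bool:
    """True when the loading process lives under a Windows system directory."""
    image = _norm(image)
    return any(image.startswith(d + "\\") for d in TRUSTED_DLL_DIRS)


def is_suspicious_load(event: dict) -> bool:
    """Flag a system binary loading an unsigned DLL from a user-writable path."""
    if not is_system_binary(event["Image"]):
        return False
    loaded = _norm(event["ImageLoaded"])
    if any(loaded.startswith(d + "\\") for d in TRUSTED_DLL_DIRS):
        return False  # system DLL from a system directory: normal
    in_writable = any(loaded.startswith(p) for p in USER_WRITABLE_PREFIXES)
    unsigned = event.get("Signed", "false").lower() != "true"
    return in_writable and unsigned


def find_side_loads(events) -> list:
    """Return (process, dll) pairs for every suspicious load."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_suspicious_load(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # legitimate: system binary loading a system DLL
        "Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "Hashes": "SHA256=0000...",
    },
    {   # suspicious: system binary (assumed loader) loading an unsigned DLL
        # from a randomly named directory in the user profile
        "Image": r"C:\Windows\System32\mstsc.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Qx7kLm\aaaa.dll",
        "Signed": "false", "Hashes": "SHA256=1111...",
    },
    {   # benign: a user application loading its own unsigned DLL
        "Image": r"C:\Users\alice\AppData\Local\Programs\editor\editor.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Programs\editor\plugin.dll",
        "Signed": "false", "Hashes": "SHA256=2222...",
    },
]

if __name__ == "__main__":
    for image, dll in find_side_loads(SAMPLE_EVENTS):
        print(f"suspicious side-load: {image} -> {dll}")
```

The rule produces one hit for the second event and ignores the third, where an unsigned DLL is loaded by a user application rather than a system binary; that distinction is what keeps the false-positive rate tolerable on developer workstations.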

Attacks begin with spam emails carrying weaponized documents. Once a victim enables the embedded macros, the malicious code connects to the ssl-pert[.]com domain to download the Dridex installer.


"Given email as the initial access point, employees are the first line of defense against this threat. Expect financial departments to be targeted by unsolicited invoices carrying malicious macros within. Some antivirus engines were able to detect (but not specify) the suspicious behavior," eSentire concludes.

Pierluigi Paganini

(SecurityAffairs – Dridex, hacking)

The post New variant of Dridex banking Trojan implements polymorphism appeared first on Security Affairs.

Israel blamed Russia for jamming at Israeli Ben Gurion airport

Posted: 01 Jul 2019 07:13 AM PDT

Israel blamed Russia for jamming at Israeli Ben Gurion airport that disrupted GPS signals, but the Kremlin denies its involvement in the attacks.

Starting in early June, significant jamming activity has interfered with GPS signals at Israel's Ben Gurion airport, causing severe problems for pilots and aircraft.

Israel’s Airports Authority confirmed that the disruption of GPS signals had a “significant impact” on the operations at the airport.

At the time of writing, Israeli authorities are still investigating the source of the jamming activity.

Fortunately, the attacks did not cause any accidents at the airport, explained the Airports Authority. Pilots were forced to use the alternative Instrument Landing System when approaching and landing at the airport.

Russia denied having carried out the jamming attacks; Russia's ambassador to Israel called the accusation "fake news" that could not be "taken seriously".

Experts pointed out that the interference only affected aircraft in the sky over the airport; ground-based receivers were not impacted. Note that the pilots' association described the incident as spoofing, which feeds receivers a false position, rather than jamming, which merely denies the signal.

“The Israeli Airline Pilots Association said the GPS problems were a “spoofing” attack that produces incorrect location data.” reported the BBC. “This can mean receivers on planes sometimes reporting their location as miles away from where they actually are. BBC Monitoring said Israeli IDF radio had quoted “high-ranking” sources as blaming Russia for the continuing disruption.”

According to the BBC, the disruption could be linked to systems used by the Russian army to protect its planes at the Hmeimim airbase in Syria. The Russian military base is located about 350km north of Ben Gurion.

Russia is operating in Syria because of its political and commercial interests in the country, and it has deployed airbases and a naval base on Syrian territory.

The sky over Syria is crowded: aircraft belonging to the US-led coalition were often involved in operations against the Islamic State.

Russia has been involved in jamming attacks before; jamming systems are an essential component of the Russian military strategy aimed at preventing attacks against its troops in the area.


In November 2015, Russia announced the deployment of jamming systems in Syria to protect its air forces and prevent attacks against its aircraft.

“It documented more than 10,000 separate incidents of GPS disruption and said Russia was “pioneering” the technique to “protect and promote its strategic interests”.” concludes the BBC.

“Some of the disruption helped to keep drones away from Russian airports, said the report, but it was also used to project a bubble around senior government figures when they visited sensitive locations.”

Pierluigi Paganini

(Security Affairs – jamming systems, electronic warfare)


City Council of Somerville bans facial recognition technology

Posted: 01 Jul 2019 05:51 AM PDT

City Council of Somerville, a Boston suburb, has voted to ban the use of facial recognition system by police and other city offices.

The City Council of Somerville, Massachusetts, a Boston suburb, has decided to ban the use of facial recognition system by police and other city departments.

Last week, the Somerville City Council voted unanimously (11-0) to prohibit the use of facial recognition technology, which it regards as a serious threat to citizens' privacy.

“Councilor Ben Ewen-Campen, the sponsor of the measure, said its passage is a "reminder that we are in charge of our own society."” reported the AP press agency.

“Ewen-Campen worked on the issue with the American Civil Liberties Union of Massachusetts.”


Mayor Joseph Curtatone also announced that he will support the measure to prevent the abuse of facial recognition systems.

According to Kade Crockford, director of the Technology for Liberty Program at the ACLU of Massachusetts, Somerville is the first city on the US East Coast to ban facial recognition technology.

“In Massachusetts, a bill in the State Legislature would put a moratorium on facial recognition and other remote biometric surveillance systems.” reported the NYT.

In May, San Francisco was the first city in the US to ban facial recognition technology.

“San Francisco, long at the heart of the technology revolution, took a stand against potential abuse on Tuesday by banning the use of facial recognition software by the police and other agencies.” reported the NYT.

“The action, which came in an 8-to-1 vote by the Board of Supervisors, makes San Francisco the first major American city to block a tool that many police forces are turning to in the search for both small-time criminal suspects and perpetrators of mass carnage.”

Pierluigi Paganini

(SecurityAffairs – facial recognition, hacking)


Singapore Government will run its third bug bounty program

Posted: 01 Jul 2019 02:03 AM PDT

Singapore has announced the third bug bounty program aimed at assessing the security of government systems exposed online.

The government of Singapore has announced its third bug bounty program aimed at assessing the level of security implemented for government systems exposed online.

The bug bounty program sees the involvement of the Cyber Security Agency of Singapore (CSA) and the Government Technology Agency of Singapore (GovTech).

Like the previous programs, this bug bounty program will be operated through the HackerOne platform.

The bug bounty program will run from July to August with the participation of 200 international hackers and 100 local hackers. Payouts range from $250 to $10,000 per vulnerability reported.

The Government will present the results of the program in September.

“The Singapore Government's latest bug bounty program is part of a strategic initiative and commitment to build a secure and resilient Smart Nation by strengthening collaboration with the cybersecurity industry and community.” reads the press release. “GovTech's bug bounty program will run from July to August 2019 and will cover nine Internet-facing government digital services and information and communication technology systems with high user interaction.”


In December 2017, Singapore's Ministry of Defence (MINDEF) invited roughly 300 white hat hackers from around the world to participate in its first bug bounty program. The hackers found 35 vulnerabilities and were paid a total of about $15,000.

The second program ran earlier in 2019 and resulted in the discovery of 26 security flaws, for which a total of about $12,000 was paid.

Pierluigi Paganini

(SecurityAffairs – Singapore, bug bounty)


ViceLeaker Android spyware targets users in the Middle East

Posted: 01 Jul 2019 01:06 AM PDT

Experts at Kaspersky have uncovered a spyware campaign dubbed ViceLeaker that spreads in the Middle East to spy on Android users. 

Kaspersky spotted a spyware campaign, tracked as ViceLeaker, that spreads in the Middle East to steal device and communications data from Android users. 

The ViceLeaker campaign has been active at least since May 2018 when it targeted dozens of mobile Android devices belonging to Israeli citizens.

The same campaign was also monitored by researchers at Bitdefender that dubbed the malware Triout.

The attack chain starts with malicious Telegram and WhatsApp messages containing links to Trojanized apps, one of which was a fake application named “Sex Game For Adults.”

Once a device is compromised, the attackers backdoor legitimate applications for persistent access using an unusual technique, Smali injection: the app's Dalvik bytecode is disassembled, malicious code is added, and the app is reassembled and repackaged.

“To backdoor legitimate applications, attackers used a Smali injection technique – a type of injection that allows attackers to disassemble the code of original app with the Baksmali tool, add their malicious code, and assemble it with Smali.” reads the analysis published by Kaspersky. “As a result, due to such an unusual compilation process, there were signs in the dex file that point to dexlib, a library used by the Smali tool to assemble dex files.”
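A reassembled dex file carries a freshly computed Adler-32 checksum and SHA-1 signature in its header, so it passes an integrity check while still being a different file from the store build. The following is an added example, not Kaspersky's or Bitdefender's code, that shows the triage a practitioner would do on a suspect classes.dex: parse the header laid out in Android's dex-format specification, recompute the stored checksum and signature, and compare the suspect against a known-good copy of the same app. The dex images are constructed in-script (a valid header over an opaque data section); the class and method counts are made-up values chosen to show a backdoor class being added.

```python
"""Triage helper for repackaged Android DEX files (added example).

Verifies the header checksum/signature of a dex file and diffs a suspect
dex against a reference build. Integrity alone does not prove an app is
clean: a baksmali -> edit -> smali round trip produces internally
consistent headers. Only comparison with the original catches that.
"""
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\0"
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678

# uint32 header fields in file order, after magic (8), checksum (4) and
# signature (20 bytes).
_HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off",
    "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
    "type_ids_off", "proto_ids_size", "proto_ids_off", "field_ids_size",
    "field_ids_off", "method_ids_size", "method_ids_off", "class_defs_size",
    "class_defs_off", "data_size", "data_off",
)


def parse_dex_header(data: bytes) -> dict:
    """Return the header fields; raise ValueError if this is not a dex."""
    if len(data) < HEADER_SIZE or data[:8] != DEX_MAGIC:
        raise ValueError("not a dex file (bad magic or truncated)")
    (checksum,) = struct.unpack_from("<I", data, 8)
    header = dict(zip(_HEADER_FIELDS, struct.unpack_from("<20I", data, 32)))
    header["checksum"] = checksum
    header["signature"] = data[12:32].hex()
    if header["endian_tag"] != ENDIAN_CONSTANT:
        raise ValueError("big-endian dex files are not supported here")
    return header


def verify_dex_integrity(data: bytes) -> dict:
    """Recompute the Adler-32 checksum (over offset 12..end) and the SHA-1
    signature (over offset 32..end) and compare them with the stored ones."""
    header = parse_dex_header(data)
    return {
        "checksum_ok": (zlib.adler32(data[12:]) & 0xFFFFFFFF) == header["checksum"],
        "signature_ok": hashlib.sha1(data[32:]).hexdigest() == header["signature"],
        "size_ok": header["file_size"] == len(data),
    }


def compare_with_reference(reference: bytes, suspect: bytes) -> dict:
    """Diff a suspect dex against the known-good build of the same app."""
    ref, sus = parse_dex_header(reference), parse_dex_header(suspect)
    return {
        "same_signature": ref["signature"] == sus["signature"],
        "method_count_delta": sus["method_ids_size"] - ref["method_ids_size"],
        "class_count_delta": sus["class_defs_size"] - ref["class_defs_size"],
        "size_delta": sus["file_size"] - ref["file_size"],
    }


def build_dex(payload: bytes, class_defs: int, method_ids: int) -> bytes:
    """Construct a minimal dex image: a valid header over an opaque data
    section. Only the fields this example reads carry meaningful values."""
    fields = {name: 0 for name in _HEADER_FIELDS}
    fields.update(file_size=HEADER_SIZE + len(payload), header_size=HEADER_SIZE,
                  endian_tag=ENDIAN_CONSTANT, map_off=HEADER_SIZE,
                  method_ids_size=method_ids, class_defs_size=class_defs,
                  data_size=len(payload), data_off=HEADER_SIZE)
    body = struct.pack("<20I", *(fields[n] for n in _HEADER_FIELDS)) + payload
    signature = hashlib.sha1(body).digest()           # covers offset 32..end
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF  # offset 12..end
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + body


# Constructed stand-ins: the store build, the same dex reassembled after a
# Smali injection added one class with seven methods, and a copy with a
# byte flipped and no header fix-up (what a raw hex edit looks like).
ORIGINAL_DEX = build_dex(b"original code" * 4, class_defs=12, method_ids=90)
BACKDOORED_DEX = build_dex(b"original code" * 4 + b"backdoor class",
                           class_defs=13, method_ids=97)
_tampered = bytearray(ORIGINAL_DEX)
_tampered[HEADER_SIZE + 3] ^= 0xFF
TAMPERED_DEX = bytes(_tampered)

if __name__ == "__main__":
    print("backdoored integrity:", verify_dex_integrity(BACKDOORED_DEX))
    print("tampered integrity:  ", verify_dex_integrity(TAMPERED_DEX))
    print("backdoored vs original:", compare_with_reference(ORIGINAL_DEX, BACKDOORED_DEX))
```

The reassembled sample passes both integrity checks, which is exactly why an APK's own checksums are not evidence of authenticity; the byte-flipped copy fails them, and only the diff against the reference build reveals the extra class and methods in the backdoored file.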


The ViceLeaker APK implements very common spyware features (exfiltration of SMS messages, call logs, and device information) along with backdoor capabilities (upload, download, delete files, camera takeover, and record surrounding audio).

ViceLeaker leverages HTTP for C&C communications and to transfer exfiltrated data.

During the investigation, Kaspersky also spotted a modified version of the open-source Jabber/XMPP client Conversations. The version used by the ViceLeaker group sends the device's geographical coordinates to the C2 server every time a message is sent via the app.

The modified Conversations app mimics Telegram messenger, but experts did not find any malicious activity implemented by this specific app.

“Even when we originally thought this was a backdoored version of the Conversations app, used to infect victims, we didn’t discover anything malicious in it,” continues Kaspersky. “This brought to us the hypothesis that this might be a version used by the group behind ViceLeaker for internal communication or for other, unclear purposes.” 

The experts considered the possibility that the threat actors were using a compromised email account; investigating it, they found a personal page and a GitHub account containing a forked Conversations repository.

According to Kaspersky, the ViceLeaker campaign is still ongoing, but currently, attackers have taken down their communication channels.

“The operation of ViceLeaker is still ongoing, as is our research,” Kaspersky concludes. “The attackers have taken down their communication channels and are probably looking for ways to assemble their tools in a different manner.”

Pierluigi Paganini

(SecurityAffairs – ViceLeaker, hacking)


Iran-linked APT33 updates infrastructure following its public disclosure

Posted: 30 Jun 2019 11:49 PM PDT

The Iran-linked cyberespionage group APT33 has updated its infrastructure after the publication of a report detailing its activities.

In March, Symantec published a report detailing the activities of Iran-linked cyberespionage group APT33 that was targeting organizations in Saudi Arabia and the United States.

The APT33 group has been around since at least 2013. Since mid-2016, it has targeted the aviation industry and energy companies with connections to petrochemical production. Most of the targets were in the Middle East; others were in the U.S., South Korea, and Europe.

Now, according to researchers from Recorded Future, since the publishing of the report, APT33 (aka Elfin) has updated its infrastructure.

Most of the exposed domains no longer resolve to a real IPv4 address, while others moved to new providers. Four domains used in the past were updated the day after publication of the report and now resolve to the same IP, which is registered to the Swiss dedicated-hosting provider Solar Communications GmbH.
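The observation above (domains going dark, moving provider, or converging on one IP right after a report) is what a passive-DNS resolution history yields when it is split at the publication date. The following is an added example, not Recorded Future's code or data: it classifies each domain's behaviour in the days after a report and groups rehosted domains by the address they moved to. All records, domain names, IPs and provider names are constructed placeholders, and the report date is taken from the quoted figure of March 28, 2019.

```python
"""Post-publication infrastructure rotation from DNS resolution history.

Added example. Input is a list of (domain, day, ip, hosting_provider)
observations of the kind a passive-DNS feed returns; ip=None records a
day on which the name returned no A record.
"""
from collections import defaultdict
from datetime import date, timedelta

REPORT_DATE = date(2019, 3, 28)  # date the public report is assumed to have landed

# Constructed resolution history (not real infrastructure).
RESOLUTIONS = [
    ("mail-update.example", date(2019, 3, 27), "198.51.100.10", "Provider-A"),
    ("mail-update.example", date(2019, 3, 28), "203.0.113.5", "Provider-B"),
    ("cdn-sync.example", date(2019, 3, 27), "198.51.100.11", "Provider-A"),
    ("cdn-sync.example", date(2019, 3, 28), "203.0.113.5", "Provider-B"),
    ("old-c2.example", date(2019, 3, 27), "198.51.100.12", "Provider-A"),
    ("old-c2.example", date(2019, 3, 29), None, None),
    ("stable.example", date(2019, 3, 27), "198.51.100.13", "Provider-A"),
    ("stable.example", date(2019, 4, 2), "198.51.100.13", "Provider-A"),
]


def _history(records):
    """Group observations per domain, ordered by day."""
    by_domain = defaultdict(list)
    for domain, day, ip, provider in sorted(records, key=lambda r: r[1]):
        by_domain[domain].append((day, ip, provider))
    return by_domain


def classify_after(records, published: date, window_days: int = 7) -> dict:
    """Map each domain to 'went_dark', 'rehosted', 'unchanged' or 'no_data',
    comparing its last pre-publication resolution with the first one seen
    within window_days after publication."""
    verdicts = {}
    deadline = published + timedelta(days=window_days)
    for domain, hist in _history(records).items():
        before = [h for h in hist if h[0] < published]
        after = [h for h in hist if published <= h[0] <= deadline]
        if not before or not after:
            verdicts[domain] = "no_data"
            continue
        _, ip_before, prov_before = before[-1]
        _, ip_after, prov_after = after[0]
        if ip_after is None:
            verdicts[domain] = "went_dark"
        elif ip_after != ip_before or prov_after != prov_before:
            verdicts[domain] = "rehosted"
        else:
            verdicts[domain] = "unchanged"
    return verdicts


def cohosted_after(records, published: date, window_days: int = 7) -> dict:
    """Group rehosted domains by the IP they moved to. An address that
    collects several domains right after publication is a pivot to watch."""
    verdicts = classify_after(records, published, window_days)
    deadline = published + timedelta(days=window_days)
    groups = defaultdict(list)
    for domain, hist in _history(records).items():
        if verdicts[domain] != "rehosted":
            continue
        first_after = next(h for h in hist if published <= h[0] <= deadline)
        groups[first_after[1]].append(domain)
    return {ip: sorted(ds) for ip, ds in groups.items() if len(ds) > 1}


if __name__ == "__main__":
    for domain, verdict in sorted(classify_after(RESOLUTIONS, REPORT_DATE).items()):
        print(f"{domain}: {verdict}")
    print("co-hosted after publication:", cohosted_after(RESOLUTIONS, REPORT_DATE))
```

On the constructed data two domains are rehosted to the same new address on the day of publication, one stops resolving, and one is unchanged; the co-hosting view is what turns four independent domain changes into a single new IP worth blocking and monitoring.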

The actions show that threat actors quickly reacted to the publication of the report, but continued to focus on Saudi Arabian organizations.

“In response to the publication of operations in late March 2019, domains associated with suspected APT33 activity were parked or changed to new hosting providers.” reads the report.

“APT33, or a closely aligned threat actor, continues to control C2 domains in bulk.

  • Over 1,200 domains have been in use since March 28, 2019 alone.
  • 728 of these were identified communicating with infected hosts.
  • 575 of the 728 domains were observed communicating with hosts infected by one of 19 mostly publicly available RATs.”

Since March, operations associated with the APT33 group have involved over 1,200 domains; 728 of them were identified communicating with infected hosts, and 575 of those with hosts infected by one of 19 mostly publicly available RATs.

Most of the domains (60%) were associated with njRAT infections, a malware family not previously associated with APT33. Other commodity RATs involved in the attacks and associated with the domains are AdwindRAT and RevengeRAT.


The list of targeted entities includes:

  • A conglomerate headquartered in Saudi Arabia, with businesses in the engineering and construction, utilities, technology, retail, aviation, and finance sectors
  • Two Saudi healthcare organizations
  • A Saudi company in the metals industry
  • An Indian mass media company
  • A delegation from a diplomatic institution

The experts at Recorded Future speculate that one APT33 actor, the Nasr Institute, is part of the tiered structure of the Iranian government's cyber operations apparatus, which also includes APT35 and MUDDYWATER.

“These technical and persona overlaps among Iranian threat actors are not unexpected given the tiered structure of Iranian state management of cyber operations.” concludes the report.

"Within this structure, we assessed that managers are running multiple teams, some of which are associated with government organizations (such as the Nasr Institute), and others that are contracted private companies (such as ITSec Team)."

Pierluigi Paganini

(SecurityAffairs – APT33, hacking)
