Industry Intel

Cybercriminals continue diversifying their portfolios of standardized fraudulent services, in an attempt to efficiently monetize their malicious ‘know-how’, further contributing to the growth of the cybercrime ecosystem. In a series of blog posts highlighting the emergence of the boutique cybercrime-friendly E-shops, we’ve been emphasizing on the over-supply of compromised/stolen accounting data, efficiently aggregated through the TTPs (tactics, techniques and procedures) described in our “Cybercrime Trends – 2013” observations.

We’ve recently spotted a newly launched all-in-one cybercrime-friendly E-shop, offering a diversified portfolio of managed/DIY services/products, exposing a malicious infrastructure worth keeping an eye on. Let’s take a peek inside the E-shop’s inventory and expose the fraudulent infrastructure behind it.

More details:

read more…

Relying on the systematic and persistent spamvertising of tens of thousands of fake emails, as well as the impersonation of popular brands for the purpose of socially engineering gullible users into downloading and executing malicious attachments found in these emails, cybercriminals continue populating their botnets.

We’ve recently intercepted a currently circulating malicious campaign, impersonating JJ Black Consultancy.

More details:

read more…

PayPal users, watch what you click on!

We’ve recently intercepted a currently circulating malicious spamvertised campaign which is impersonating PayPal in an attempt to trick socially engineered end users into clicking on the malware-serving links found in the emails.

More details:

Sample screenshot of the spamvertised email:

read more…

Cybercriminals continue to systematically release DIY (do-it-yourself)type of cybercrime-friendly offerings, in an effort to achieve a ‘malicious economies of scale’ type of fraudulent model, which is a concept that directly intersects with our ‘Cybercrime Trends – 2013‘ observations.

We’ve recently spotted yet another subscription-based, DIY keylogging based botnet/malware generating tool. Let’s take a peek inside its Web based interface, and expose the cybercrime-friendly infrastructure behind it.

More details:

read more…

Since the WSJ report was released, endpoint security solutions have received a lot of media attention. As many have started to ask “Is AV really dead?”, I felt it was a good idea to talk about it from my perspective.

Let’s get this out of the way right off the bat: no, AV is not dead. However, what is dead, and has been for many years now, is the traditional, reactive AV protection approach that uses signature-based detection. Within the security industry, it is common knowledge that this approach to threat prevention doesn’t scale to address the tactics used by today’s cybercriminals.

In the realm of providing defenses from an increasingly sophisticated adversary, endpoint protection has never been more important. The endpoint is the primary point of entry in most corporate compromises. To keep up with modern malware, the methods for discovering and addressing new endpoint threats needs to change. AV isn’t dead; it’s evolving.

From our perspective at Webroot, we recognized the inadequacies of traditional AV many years ago, which is why our current endpoint security products are vastly different from traditional technology. When we released our SecureAnywhere™ product family in 2011, we also discontinued our legacy technology offerings as they represented the traditional signature-based security model, which we could see was nearing obsolescence.

Providing defense against today’s cybercriminal tactics required a complete rethink of how to approach the problem. When it comes to defending against an attack, it is crucial to be able to realize when an attack has occurred. The traditional model was not well equipped to handle massive scale distribution of new malware variants at very low volume. The result is very low detection rates due to a lack of awareness. To successfully defend against this tactic, you need visibility into every application on every endpoint. This is a core component to the success of SecureAnywhere solutions: granularity and actionable insight into applications encountered by every Webroot user worldwide.

Beyond rapidly identifying new incidents, our threat intelligence engine resides in the cloud so there is no need for definition updates. All endpoints are always up to date, and as new threats are identified, all users are protected in real time.

There are many other topics I could discuss – remediation, compromise prevention in the face of an active infection, and the impact on system performance – which have undergone complete rethinks for Webroot SecureAnywhere® solutions. The end result speaks for itself. In the third fiscal quarter in 2014 Webroot added 1.4 million new endpoint customers, increasing the contextual awareness of our intelligence network even further and, thereby, improving our capacity to identify never-before-seen attacks as they emerge. Our bookings from new business grew by nearly 200%, and 5,000 businesses trust Webroot technology to secure their networks and endpoints.

Clearly, AV is not dead. In fact, endpoint security has never been more important! The issue at hand is that we can’t let our technology get stagnant. Organizations need a layered protection approach, as well as cloud-based security technology that is designed to grow, learn and continue to evolve to combat the tactics used by today’s cybercriminals. After all, the malware writers don’t rest. Neither should we.

Cybercriminals continue populating their botnets through the persistent spamvertising of tens of thousands of legitimately looking malicious emails, impersonating popular brands, in an attempt to trick socially engineered users into clicking on the malicious links found within the emails.

We’ve recently intercepted an actively circulating spamvertised campaign which is impersonating HM’s Revenue & Customs Department and enticing users into clicking on the malware-serving links found in the emails.

More details:

read more…

In a cybercrime ecosystem, dominated by client-side exploits serving Web malware exploitation kits, cybercriminals continue relying on good old fashioned social engineering tricks in an attempt to trick gullible end users into knowingly/unknowingly installing malware. In a series of blog posts, we’ve been highlighting the existence of DIY (do-it-yourself), social engineeringdriven, Java drive-by type of Web based platforms, further enhancing the current efficient state of social engineering driven campaigns.

Let’s take a peek inside yet another Web based DIY Java applet distribution platform, discuss its features, and directly connect to the Rodecap botnet, whose connections with related malicious campaigns have been established in several previously published posts.

More details:

read more…

Recently, a new Android threat named Android.Koler has begun popping up in the news.  According to an article by ARS Technica, it reacts similar to other pieces of ransomware often found on Windows machines.  A popup will appear and state “Your Android phone viewed illegal porn. To unlock it, pay a $300 fine”.  This nasty little piece of malware is infecting people who visit certain adult websites on their phone. The site claims you need to install a video player to view the adult content. Although I can’t say for sure since I haven’t seen the malicious sites, I’m guessing there is a nice walk through on how to allow the installation of apps from unknown sources, or anything not in the Google Play store.

If you have Webroot SecureAnywhere® Mobile installed, it will detect Android.Koler on the internal storage if you run a scan before installing or after you open the app to install it. If you didn’t have SecureAnywhere Mobile installed, things are going to get a bit trickier. The app will open itself very often, so when you press the home button and try to install WSA, or do anything else, it’s near impossible before the screen of shame pops back up. The app claims you are viewing banned/illegal adult content. It then demands you pay a fine of $300 to unblock your device, or it will remain blocked on top of facing felony charges; which, of course, is false. A researcher at BitDefender claims he was able to quickly uninstall the app before it popped back up, but I was unsuccessful with this myself. This is the screen that keeps popping up, and icon you should be looking for:

There is a legitimate “BaDoink” app, which uses the same icon however. This will make it tricky if you’re hoping to get the real version.

What should you do if this happens to you? Many manufacturers have a built-in “safe mode” on their devices’ version of Android. With a little bit of searching on the internet using your device’s model and “safe mode”, you may be able to find instructions on how to get there on that particular device. For example, “Motorola Droid 4 Safe Mode” was all it took to find instructions for the Droid 4 phone.

Once booted into safe mode, you will able to uninstall the malicious app easily because safe mode stops any non system apps from starting on boot up. Once this is done, power off the phone and power it back on to get out of safe mode.

To ensure preventative protection, installing security software such as Webroot SecureAnywhere® Mobile will prevent these issues before they even happen.

With millions of Android users continuing to acquire new apps through Google Play, cybercriminals continue looking for efficient and profitable ways to infiltrate Android’s marketplace using a variety of TTPs (tactics, techniques and procedures). Largely relying on the ubiquitous for the cybercrime ecosystem, affiliate network based revenue sharing scheme, segmented cybercrime-friendly underground traffic exchanges, as well as mass and efficient compromise of legitimate Web sites, for the purpose of hijacking legitimate traffic, the market segment for Android malware continues flourishing.

We’ve recently spotted, yet another, commercially available DIY cybercrime-friendly (legitimate) APK injecting/decompiling app. The tool is capable of facilitating premium-rate SMS fraud on a large scale through the direct modification of legitimate apps to be later on embedded on Google Play through compromised/data mined publisher accounts.

Let’s take a peek at the tool, discuss its features, and relevance in an Android malware market segment which is largely dominated by DIY mobile malware generating revenue sharing affiliate based networks.

read more…

Recently we’ve seen a big change in the encrypting ransomware family and we’re going to shed light on some of the newest variants and the stages of evolution that have led the high profile malware to where it is today. For those that aren’t aware of what encrypting ransomware is, its a crypto virus that encrypts all your data from local hard drives, network shared drives, removable hard drives and USB. The encryption is done using an RSA -2048 asymmetric public key which makes decryption without the key impossible. Paying the ransom will net you the key which in turn leads to getting your data back.

Cryptolocker

In it’s first evolution of what we know as “Cryptolocker” the encryption key was actually stored on the computer and the victim, with enough effort could retrieve said key. Then you could use tools submitted on forums to put in your key and decrypt all your data without paying the ransom. In future improvements malware authors made sure that the only place the key was stored was on a secure server so that you were forced to pay. However, more often than not the malicious dropper didn’t delete the VSS (Volume Shadow Service) and victims still had the option to manually restore files from a previous date using programs like Shadow explorer (OS drive only). For those that don’t know what the VSS is it’s a restorative feature that is included in XP sp2 and later versions of windows. Essentially it is a technology that allows taking manual or automatic backup copies of data and is related to system restore. In newer variants of Cryptolocker the VSS is almost always deleted at deployment. Malware authors also give the victim a special extended period of time to get their files they waited past the deadline, but the price usually doubles of triples.

CryptoDefense

In one of the more recent variants of encryption ransomware dubbed “CryptoDefense” it no longer has a graphical user interface (GUI). Instead the malware will just open a webpage after encryption and leave a text file at every directory that was encrypted. The instructions to get the key to decrypt your files have you install anonymous tor or other layered encryption browsers so you can pay them directly and securely. this enables malware authors to circumvent a portion of the Zeus fraud avoid the need for money mules (middle man) and increasing the percentage of profit.

DirCrypt

In this most recent change in encrypting ransomware. Instead of going after various file extensions, all files are encrypted into RTF documents with a *.enc.rtf extension. This one really blind sides the victim as you’ll get no pop up GUI or web page once encryption completes; you have to open one of your documents to find that it was encrypted. All documents will have the same content similar to what is shown. One big improvement that is quite nasty for victims is the encryption is no longer a static one time deal. This variant will actively seek out and encrypt any new or modified files written to drives. We noticed while testing a collected sample that when we attempted to save screenshots, that it immediately encrypted them. We expect future encrypting ransomware variants to include these tactics as the evolution continues.

Webroot SecureAnywhere users are proactively protected from the variants shown. We are constantly working with the evolving threat landscape to protect against the newest variants as they progress.

Webroot support is always more than happy to help with removal and any questions regarding infections.

Deceptive vendors of PUAs (Potentially Unwanted Applications) continue relying on a multitude of traffic acquisition tactics, which in combination with the ubiquitous for the market segment ‘visual social engineering‘, continue tricking tens of thousands of users into installing the privacy-violating applications. With the majority of PUA campaigns, utilizing legitimately looking Web sites, as well as deceptive EULAs (End User License Agreements), in 2014, the risk-forwarding practice for the actual privacy-violation, continues getting forwarded to the socially engineered end user.

We’ve recently intercepted a rogue portfolio consisting of hundreds of thousands of blackhat SEO friendly, legitimate applications, successfully exposing users to the Sevas-S PUA, through a layered monetization relying on OpenCandy/Conduit affiliate based revenue sharing networks.

More details:

read more…