A Trojan targeting US healthcare organizations attempts to avoid detection by going to sleep for prolonged periods after initial infection, security researchers warn.

Symantec estimates that thousands of organizations have been hit by the Gatak Trojan since 2012. The malware is programmed to spread aggressively across an organization’s network once it gets a foothold.

The healthcare sector in particular has been disproportionately targeted – of the top 20 most affected organizations with the highest number of infected computers, 40 per cent were in the healthcare sector, Symantec reports.

Selling healthcare records is a growing trade on cybercrime forums. This could explain the attackers’ heavy focus on the healthcare sector.

Gatak reels in victims through websites promising product licensing keys for pirated enterprise software packages (backup, 3D scanning software, etc). These supposed software license key generators (keygens) actually come packed with malicious code.

The software nasty also spreads to a lesser extent using watering hole attacks (where the instigator infects websites that members of the group are known to visit).

The malware creates a backdoor on compromised machines before stealing information. Hackers are known for leveraging the malware to break into machines on associated networks, probably using weak passwords and poor security in file shares and network drives.

“In some cases, the attackers have infected computers with other malware, including various ransomware variants and the Shylock financial Trojan,” Symantec reports. “In the case of Shylock, these appear to be older versions of the threat and might even be 'false flag' infections.

“They may be used by the group when they believe their attack has been uncovered, in order to throw investigators off the scent,” it adds.

The malware downloads instructions from pre-programmed URLs. These instructions are hidden in image files using steganography, a technique for hiding data within image files. ®


The Register - Security

Fortinet researcher Kai Lu warns of a fake email app that is capable of stealing login credentials from 15 different mobile banking apps for German banks.


“Once this malicious app is installed and device administrator rights are granted, when the user first launches a targeted banking app the malicious app sends a request via HTTPS to its C2 server to get the payload. The C2 server then responds with a fake customized login webpage, and the malicious app displays this fake customized login screen overlay on top of the legitimate banking app to collect entered banking credentials,” he explains.

“There is a different customized login screen for each bank targeted by this malware.”

Once the malware is up and running it hides its icon from the launcher, so victims may be tricked into believing that they somehow failed to install the app.

But, in the background, the malware tries to prevent some 30 different anti-virus mobile apps from launching, collects information about the device (as well as the “installed app” list) and sends it to the C&C server, and waits for further instructions.

It can be made to intercept incoming SMS messages, send out mass text messages, update the targeted app list, set a new password for the device, and more.

At the moment, it does not pop overlays to steal credit card info (e.g. when the Google Play or PayPal app is started), but that could soon change.

The researcher says that to remove the app, victims must first disable the malware’s device administrator rights in Settings > Security > Device administrators > Device Admin > Deactivate, then uninstall the malware via ADB (Android Debug Bridge) by using the command ‘adb uninstall [packagename]’. Tech-unsavvy users might want to ask for help with that last step from friends and family who know how to do that.

Lu also recently analyzed another piece of malware that masquerades as an unnamed German mobile banking app. This one also targets five banks in Austria, as well as Google Play (it asks users to input credit card info when they start the Google Play app).

This particular malware also comes in the form of a fake Flash Player app, and is after credit card info of users of several popular social media apps (Instagram, Skype, WhatsApp, Facebook, etc.).

Help Net Security

AirLink cellular gateway devices by Sierra Wireless are being infected by the infamous Mirai malware.


Sierra Wireless AirLink models LS300, GX400, GX/ES440, GX/ES450, and RV50 are listed as vulnerable.

“The malware is able to gain access to the gateway by logging into ACEmanager with the default password and using the firmware update function to download and run a copy of itself,” the company noted in a security advisory.

“Based on currently available information, once the malware is running on the gateway it deletes itself and resides only in memory. The malware will then proceed to scan for vulnerable devices and report its findings back to a command and control server. The command and control server may also instruct the malware to participate in a Distributed Denial of Service (DDoS) attack on specified targets.”

ICS-CERT pointed out that the malware does not exploit a software or hardware vulnerability in the gateway devices.

“The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices. Because many IoT devices are unsecured or weakly secured, this short dictionary allows the bot to access hundreds of thousands of devices,” they explained, and added that with the recent release of the Mirai source code on the Internet, more IoT botnets are likely to be created.

Sierra Wireless has advised administrators of these devices to reboot the gateway to eliminate the malware (it resides in memory, so it will be automatically deleted), then immediately change the ACEmanager password to a unique, strong (complex and long) one.

Other attack mitigation options, such as disabling remote access on the devices and IP whitelisting, have been noted.

Help Net Security

Mac malware could piggy-back on your legitimate webcam sessions - yep, the ones you've initiated - to locally record you without detection, a leading security researcher warns.

Patrick Wardle, a former NSA staffer who heads up research at infosec biz Synack, outlined the vulnerability together with counter-measures he’s developed during a keynote presentation at the Virus Bulletin conference. Peeping Tom-style malware that abuses the video capabilities of an infected computer to record an unwitting user is a threat to both Windows and Mac users. Mac malware such as Eleanor, Crisis, Mokes and others all attempt to spy on Mac OS X users via their webcam.

Luckily, modern Macs contain a hardware-based LED indicator that can alert users when the camera is in use. And physically covering the built-in camera - a la Mark Zuckerberg - also provides a low-tech approach to locking out snoopers, with the downside that it also prevents legitimate use.

Wardle has uncovered a fresh dimension to the problem. After examining various "webcam-aware" OS X malware samples, Wardle identified a new "capability" that would permit this type of malware to stealthily monitor the system for legitimate user-initiated video sessions and then surreptitiously piggyback on those conversations in order to covertly record the user. Because there are no visible indications of this malicious activity (the LED light is already on), the malware can record both audio and video without fear of detection.

During his presentation, titled Getting Duped: Piggybacking on Webcam Streams for Surreptitious Recordings, Wardle outlined the threat together with techniques geared towards detecting "secondary" processes that attempt to access an existing video session on OS X.

“I have not seen any malware using this technique at this time [but] this is something that would be trivial for malware to do, and there aren’t any tools to detect this capability,” Wardle explained, adding there “may be malware already (ab)using this technique that we just haven’t detected”.

Malware along the lines Wardle discussed would be able to record both sides of a conversation once it detects the webcam being used.

Wardle has released a free tool, OverSight, that he says can detect and identify any process that accesses the webcam, giving users the ability to either block or allow that process. All these notifications/alerts are logged, so a system admin (say, on a corporate network) could also look through the logs after the fact to see what was using the webcam. ®


The Register - Security

The RIG exploit kit recently stopped distributing Tofsee and cybercriminals have decided to use the botnet’s own spamming capabilities to deliver the malware, Cisco’s Talos team reported on Thursday.

Tofsee, a multi-purpose malware that has been around since 2013, allows cybercriminals to conduct various activities, including click fraud, cryptocurrency mining, DDoS attacks and sending spam.

Up until June 2016, cybercriminals distributed the malware using the RIG exploit kit and malvertising campaigns. Then, after the notorious Angler exploit kit disappeared from the scene, cybercriminals started leveraging RIG to deliver other payloads, which experts believe might have been more profitable.

After RIG stopped delivering Tofsee, cybercriminals turned to email spam campaigns to infect computers. Typically, the Tofsee botnet has been used to send spam emails advertising adult dating and pharmaceutical websites. However, in August, researchers noticed that the spam messages had changed and started delivering Tofsee malware downloaders.

The volume of these spam emails has gradually increased since mid-August, reaching more than 2,000 messages on some days in September, Cisco Talos reported.

The spammy emails are adult-themed and they purport to come from women in Russia and Ukraine. Recipients are instructed to download and open the ZIP archive attached to the messages as it allegedly contains pictures of the sender.

Instead of pictures, the archive contains an obfuscated JavaScript file that includes a WScript downloader designed to fetch and run an executable from a remote server controlled by the attacker. Once the file is executed, the system becomes infected with Tofsee.

The malware connects to various SMTP relays, which it uses to send spam emails. The threat also initiates HTTP connections as it simulates clicking on ads as part of its click fraud mechanism.

Since the demise of Angler, the RIG exploit kit has been used to deliver the SmokeLoader (aka Dofoil) backdoor and other malware. Its developers have been working on improving the kit with new exploits and command and control (C&C) patterns that could help it evade detection.

Earlier this week, researchers reported that RIG had taken the place of Neutrino in a massive malvertising campaign that delivered CryptMIC ransomware. The campaign had previously used Neutrino, which took the leading position after Angler disappeared.

Related: Cisco Targets RIG Exploit Kit

Related: Kaspersky Confirms Lurk Gang Developed Angler Exploit Kit

SecurityWeek RSS Feed

Android malware is becoming more resilient courtesy of newly adopted techniques that also allow malicious programs to avoid detection, Symantec reveals.

The mobile ecosystem is constantly expanding and becoming more feature-rich, and so is the mobile threat landscape. Most recently, a large number of malware families targeting the Android operating system were observed incorporating new techniques that allow them to both evade detection and maintain their presence on infected devices even after being discovered.

One of these techniques is packing, which Android malware has been leveraging more frequently in recent months, Symantec’s security researchers explain. According to the security firm, the share of packed Android malware has increased from 10% to 25% in the nine months between December 2015 and August 2016.

Another trending technique among Android malware authors is the use of MultiDex malicious applications, which are programs that use two Dalvik Executable (DEX) files to deliver the final payload. Android apps usually contain executable code within DEX files, but typical Android programs have a single DEX file. Detection focuses on a single DEX file as well, and splitting the payload between two DEX files allows malware authors to evade detection in one simple move.

According to Symantec, malware authors are also creating Instant Run-based malware, or malicious programs that leverage the Instant Run feature released with Android Studio 2.0. The feature was designed to help developers quickly deploy updates to a debug application, all through simply pushing these updates in the form of .zip files.

To leverage this technique, malware authors are packing the malware payload portion of their app in code fragments that are hidden in the .zip file. The good news is that this technique can be used only on Android Lollipop and later SDK levels, and that it applies only to debug-version apps installed via sideloading. Applications distributed via Google Play are safe from it.

Recently, Android malware families also began using “strange” values in the application manifest file (AndroidManifest.xml) and in the compiled resources file (resources.arsc), yet another attempt to hide the malicious code from scanners. The use of inaccurate size values and magic values in headers can fool detection tools. Malware authors might also insert junk data into the string pool and at the end of files, or mismatch XML namespaces to hinder detection.
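A static triage check for the two tricks just described (a split payload across several DEX files, and "strange" values in the top-level chunk headers of AndroidManifest.xml and resources.arsc). This is an added example, not Symantec's tooling; it relies only on the ResChunk_header layout from Android's ResourceTypes.h, and the APK it inspects is constructed in build_sample_apk() rather than taken from any real sample.

```python
"""Triage an APK for MultiDex layout and tampered resource chunk headers.
Added example; the APK bytes are synthetic (see build_sample_apk)."""
import io
import struct
import zipfile

# Chunk types from Android's ResourceTypes.h: binary XML (AndroidManifest.xml)
# and the resource table (resources.arsc). Every chunk starts with
# ResChunk_header { uint16 type; uint16 headerSize; uint32 size }.
RES_TABLE_TYPE = 0x0002
RES_XML_TYPE = 0x0003
EXPECTED_HEADER_SIZE = {RES_XML_TYPE: 8, RES_TABLE_TYPE: 12}


def check_chunk_header(data, expected_type):
    """Compare the top-level chunk header with what a well-formed file carries.

    A wrong type or header size, or a chunk size that does not equal the zip
    entry size (e.g. junk appended after the chunk), is the kind of "strange
    value" that misleads tools which trust the header over the entry."""
    findings = []
    if len(data) < 8:
        return ["shorter than a chunk header"]
    chunk_type, header_size, chunk_size = struct.unpack_from("<HHI", data, 0)
    if chunk_type != expected_type:
        findings.append("chunk type 0x%04x, expected 0x%04x" % (chunk_type, expected_type))
    if header_size != EXPECTED_HEADER_SIZE[expected_type]:
        findings.append("header size %d, expected %d"
                        % (header_size, EXPECTED_HEADER_SIZE[expected_type]))
    if chunk_size != len(data):
        findings.append("chunk size %d but entry is %d bytes" % (chunk_size, len(data)))
    return findings


def triage_apk(apk_bytes):
    """Report the DEX layout and any header anomalies for an APK given as bytes."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        # classes.dex, classes2.dex, ... at the zip root are what the runtime loads.
        dex_files = sorted(n for n in names
                           if n.startswith("classes") and n.endswith(".dex") and "/" not in n)
        result = {"dex_files": dex_files, "multidex": len(dex_files) > 1, "findings": []}
        for name, rtype in (("AndroidManifest.xml", RES_XML_TYPE),
                            ("resources.arsc", RES_TABLE_TYPE)):
            if name not in names:
                result["findings"].append(name + ": missing")
                continue
            for finding in check_chunk_header(z.read(name), rtype):
                result["findings"].append(name + ": " + finding)
    return result


def build_sample_apk(multidex=False, tamper=False):
    """Construct a synthetic APK: real zip layout, minimal chunk headers, dummy bodies."""
    manifest_body = b"\x00" * 24
    # Tampered variant: bogus header size plus junk appended after the chunk.
    header_size = 0xFFFF if tamper else 8
    manifest = struct.pack("<HHI", RES_XML_TYPE, header_size, 8 + len(manifest_body))
    manifest += manifest_body
    if tamper:
        manifest += b"JUNK" * 8
    arsc_body = struct.pack("<I", 1) + b"\x00" * 16    # packageCount, then filler
    arsc = struct.pack("<HHI", RES_TABLE_TYPE, 12, 8 + len(arsc_body)) + arsc_body
    dex_stub = b"dex\n035\x00" + b"\x00" * 8           # DEX magic only, no real code
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("resources.arsc", arsc)
        z.writestr("classes.dex", dex_stub)
        if multidex:
            z.writestr("classes2.dex", dex_stub)
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("clean", build_sample_apk()),
                       ("multidex+tampered", build_sample_apk(multidex=True, tamper=True))):
        print(label, triage_apk(apk))
```

The tampered sample yields two findings on AndroidManifest.xml (bad header size, chunk size shorter than the entry) and a two-file DEX list; a clean sample yields none.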

Symantec’s researchers also explain that, while malware that gains root privileges on the infected device is typically difficult to remove, a newly employed technique is being used to further lock the malware installation. The method leverages Android’s Linux roots in the process, in particular the chattr Linux command, which makes files immutable.

Basically, when the command is used on a file, it prevents the file from being deleted, even with root privileges. Now, malware authors have included the chattr utility, encrypted, into their malicious application, and are leveraging it “to copy and lock the payload APK into the system folder, further confusing attempts at removal,” Symantec explains.
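A removal-side check for the chattr trick, as an added example (not Symantec's code). It parses the output of lsattr run over the system partition of a rooted device (assumed available, e.g. via toybox; the sample output below is constructed) and emits the commands in the only order that works: clear the immutable bit, then delete.

```python
"""Find immutable files in lsattr output and build the unlock-then-delete steps.
Added example; SAMPLE_LSATTR_OUTPUT is constructed, not captured from a device."""
import re

# Constructed sample of `lsattr -R /system` output (paths are invented).
SAMPLE_LSATTR_OUTPUT = """\
----i--------e-- /system/app/Updater/Updater.apk
-------------e-- /system/app/Calendar/Calendar.apk
----i--------e-- /system/priv-app/Svc/Svc.apk
"""

# lsattr prints the attribute flag string, whitespace, then the absolute path.
LSATTR_LINE = re.compile(r"^(?P<flags>[-A-Za-z]+)\s+(?P<path>/\S.*)$")


def immutable_files(lsattr_output):
    """Return the paths whose flag string carries 'i' (immutable).

    An immutable file cannot be deleted or renamed even by root, which is why
    a plain rm of the locked payload fails until the attribute is cleared."""
    found = []
    for line in lsattr_output.splitlines():
        m = LSATTR_LINE.match(line.strip())
        if m and "i" in m.group("flags"):
            found.append(m.group("path"))
    return found


def removal_commands(paths):
    """Shell commands per path: chattr -i first, then rm."""
    cmds = []
    for p in paths:
        cmds.append("chattr -i " + p)
        cmds.append("rm -f " + p)
    return cmds


if __name__ == "__main__":
    for cmd in removal_commands(immutable_files(SAMPLE_LSATTR_OUTPUT)):
        print(cmd)
```

On Android the system partition is normally mounted read-only, so it must be remounted read-write before either command takes effect.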

To stay protected from these types of threats, users are advised to keep their apps and operating system updated at all times and to install programs only from trusted sources, such as Google Play. Moreover, users should install a mobile security application and should back up important data frequently, to ensure they don’t lose valuable information in the event of malware compromise.

Related: Xiny Android Trojans Can Infect System Processes

Related: Android Botnet Uses Twitter for Receiving Commands


Ionut Arghire is an international correspondent for SecurityWeek.

SecurityWeek RSS Feed

A security researcher unveiled a new iOS attack technique called SandJacking, which allows someone with physical access to an unlocked iPhone to load malicious apps on the device. The SandJacking attack uses a flaw in Xcode 7 regarding certificates. How does the attack exploit this flaw, and how dangerous is SandJacking compared to other iOS threats?

To keep its ecosystem malware free, Apple requires all apps to be distributed via its official App Store. Each app is reviewed to ensure it is reliable, performs as expected and is free of offensive or malicious features; it also runs in a sandbox to prevent other processes from accessing it and its associated data. Each app has to be signed with an Apple Developer ID certificate. These are only available to members of Apple's Developer Program, who have to go through a verification process, which can include having to provide government-issued photo identification like a driver's license or passport. On the whole, these security controls work very well, though there have been some notable cases where malware has still managed to infect numerous iOS devices: WireLurker, XcodeGhost and AceDeceiver. SandJacking is now another example.

Before the release of iOS 8.3, one attack technique was to replace a legitimate app with a rogue version by simply assigning the malicious app a similar identifier, known as a bundle ID, and overwriting the original application. iOS 8.3 now prevents the installation of an app that has an ID similar to an existing one. However, while this check prevents a legitimate app from being overwritten and replaced during the installation process, it doesn't provide any safeguard during the restore process.

Chilik Tamir from Mi3 Security recently demonstrated how an attacker with physical access to an unlocked iPhone can create a backup, remove the legitimate app, install his rogue version of the deleted app and then restore the backup. This SandJacking attack works on non-jailbroken iPhones and gives the attacker access to the sandbox data of the app it replaces. The malicious app still has to be signed, but in Xcode version 7 -- a suite of software development tools created by Apple -- programmers are allowed to create iOS apps using unvalidated certificates that can be obtained by simply providing an Apple ID and then distributing them directly, avoiding Apple's application review and store restrictions. Creating an Apple ID is a simple process requiring only a name and an email address.

Although apps created with these unvalidated certificates have limited capabilities compared to regular apps where the developer has been through the formal verification process to obtain a certificate -- they can't access Apple Pay or in-app purchase features for example -- they can still access personal data such as the victim's address book and calendar. They're also likely to go undetected by the user, who would have to check the app's certificate and the device's provisioning settings to verify the developer's identity.

The SandJacking attack itself is not as dangerous a threat as other iOS threats, such as YiSpecter, XcodeGhost and Backdoor.MAC.Eleanor, which offer the attacker full control of the compromised device, because the attacker would need physical access to the device to pull a SandJacking attack off. It could be used while a phone is being repaired, or by a family member or law enforcement agency who has access to the device. But any type of smartphone that is unlocked and in the possession of someone other than the owner has to be regarded as potentially compromised. What the attack shows is how reliant the internet and technology as a whole is becoming on digital certificates when deciding whether something or someone should be trusted or not. Those who issue digital certificates need to ensure the internet and security systems can actually trust them.


This was first published in September 2016

SearchSecurity: Security Wire Daily News

A new report from McAfee Labs shows that while malware overall continues to increase, web-based threats and Mac OS malware have declined in recent months.

McAfee Labs Threat Report: September 2016, published (PDF) today, comprises three special studies together with the usual current malware statistics. The studies are an analysis of information theft (methods and prevention); an analysis of the ransomware threat to hospitals, and "A crash course in security data science, analytics, and machine learning."

According to statistics from McAfee, new malware samples in Q2 2016 totaled more than 40 million, which is the second highest quarterly figure ever recorded. The total number of samples in the McAfee 'zoo' now stands at more than 600 million.

New samples of mobile malware detected in Q2 stand at just under 2 million, which is the highest ever quarterly number. The zoo now contains around 11 million samples of mobile malware.

Ransomware continues to accelerate. New samples in Q2 were in excess of 1.3 million, while the total number of ransomware is around 7.25 million and is increasing by an average of 128% year on year. 

New malicious signed binaries declined throughout 2015, but are now increasing again. About 1.5 million were detected in Q2 2016, and the total number of samples now stands at around 22 million.

The most dramatic growth, however, is the return of macro malware. In Q3 2014, fewer than 10,000 new samples were detected. By Q1 2016 this had grown to more than 50,000 new samples, and in Q2 2016 it jumped to just under 180,000 new samples. The total number of macro samples now stands at more than 600,000, with growth of 39% in the last quarter alone.

Only Mac OS X malware bucks the trend, with new samples falling back to around 7,500 samples in Q2 from more than 25,000 in Q1. McAfee Labs believes this drop is caused by dramatically reduced activity from a single adware family, OSX.Trojan.Gen. Nevertheless, the total number of Mac OS samples in the zoo now stands at just under 90,000.

Web threats, however, are continuing to decline, with the number of new suspect URLs having now dropped for five successive quarters. New phishing URLs have declined from around 1.4 million in Q4 2015 to just over 500,000 in Q2 2016. New spam URLs have fallen from 2 million in Q3 2015 to around 400,000 in Q2 2016. Global spam volumes, however, have now been increasing over the last three quarters.

The report's study into information theft is based on the Intel Security 2016 Data Protection Benchmark Study, commissioned by Intel Security and undertaken by Ponemon. It finds that the retail and financial services sectors have the best defenses against data loss, and attributes this to the frequency of attacks and the high value of the data held. Conversely, healthcare and manufacturing are the least prepared sectors, which McAfee attributes to historically fewer attacks. However, the shift of criminal attacks away from replaceable payment card numbers towards less replaceable PII, PHI and intellectual property now makes these sectors mainstream targets.

"Industry sectors such as healthcare and manufacturing present both opportunity and motive for cybercriminals," explains Vincent Weafer, Vice President for Intel Security's McAfee Labs. "Their relatively weak defensive capabilities coupled with highly complex environments simplify breaches and subsequent data exfiltration. The cybercriminals' motive is ease of monetization, with less risk." 

The overall picture of breach prevention is not reassuring. Contrary to some reports, the time to detection is still increasing. "Breaches happen to far too many companies," says the report. "Worse, they are not discovered nearly often enough by internal security teams, leading to a long gap between detection and remediation. And if the internal team is not detecting the breaches, it is also not preventing them."

Other problem areas include a lack of visibility into the cloud (only 12% of companies are confident); weak monitoring of physical devices such as thumb drives (involved in 40% of breaches, while only 37% of companies monitor physical connections to endpoints); and inconsistent monitoring of access to, or sharing of, sensitive information.

The report's 'crash course in security data science, analytics, and machine learning' is in part a response to the attacks against 1st generation anti-malware companies (such as McAfee) by the new generation of endpoint security companies that primarily use machine learning to detect malware presence. The report states very clearly that McAfee understands the science behind machine learning (as most 1st gen vendors do, because they have been using machine learning to one degree or another for the last 10 years).

The report describes the use of analytics as evolving in three distinct phases, described as versions 1 to 3. The anti-malware industry has used Analytics 1.0 for years in a descriptive and diagnostic manner. Analytics 2.0 is emerging today, and is what is now used by the new generation companies. (1st gen anti-malware companies are also beginning to move into this area, as demonstrated by Symantec's new SEPC product launch).

Analytics 3.0 "moves the focus to predictive and prescriptive analytics." It will be possible with the combination of big data, deep learning, and cognitive computing. "We expect that most security vendors will deploy Analytics 3.0 by 2020," concludes McAfee.

The report's analysis of the ransomware threat explains its value to the criminal extortionists. In one underground forum, Intel researchers monitored a ransomware developer advertising his wares. "Intel Security," notes the report, "learned the ransomware author and distributor received BTC189,813 during the campaigns, which translates to almost $121 million. Of course, there are costs associated with these crimes such as renting botnets and purchasing exploit kits. Nonetheless, the current balance is around $94 million, which the developer claims to have earned in only six months."

At this time ransomware is particularly targeting the healthcare sector. "As targets, hospitals represent an attractive combination of relatively weak data security, complex environments, and the urgent need for access to data sources, sometimes in life or death situations," comments Weafer. Nevertheless, says the report, "McAfee Labs expects a growing number of new industry sectors to be targeted by the extensive networks launching such attacks."

Last week, Intel announced that it would spin off its security division as an independent company under the name McAfee.


Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

SecurityWeek RSS Feed

Macro-based malware is growing into full-featured malware capable of detecting and bypassing traditional security tools, Barkly researchers have discovered.

Macro-based malware: The past

Malware peddlers have been misusing Word macros to deliver malware for nearly fifteen years.

The approach, which takes advantage of the macros’ capability to automatically execute a series of instructions as a single command, was first used in the early 2000s.

As users became accustomed to it, this malware delivery tactic was abandoned, only to resurface again in late 2014, allowing criminals to prey on newer generations of computer users.

In the last two years, they have cycled through many different approaches for tricking users into enabling Word macros, but the malicious Word documents usually contained just scripts that would be triggered to download a dropper, which would then download the final malicious payload from a C&C server.

Macro-based malware: The future?

Barkly researchers have recently spotted a new wave of phishing emails that deliver booby-trapped Word documents posing as invoices and asking users to enable macros in order to view the content.


But this run was unlike many others before it, because the criminals have decided to leverage a second-stage executable payload embedded directly into the Word document.

“One thing that makes this latest version of [well-known downloader] Hancitor stand out is that its payload is already bundled as a binary object directly in the Word doc. It’s this payload that pings the C2 server. What it receives are pointers back to two additional binary objects (one executable and one DLL), which it downloads and executes,” the researchers explained. The calls made by the executed dynamic link library (DLL) are what give the attackers access to operating system resources and let them grab additional payloads.

The change in approach is an attempt to throw traditional security tools off the malware’s scent.

In this particular spam campaign, Hancitor attempts to drop the Pony and Vawtrak information-stealing Trojans, but it could just as easily be any other type of malware.

Protecting users against macro-based malware

In enterprise setups, employees can be protected through a combination of AV and behavioral-based protection, email filtering, and event monitoring, the researchers advised. Educating users on how to spot malicious emails and phishing attempts, and making sure that they can report incidents easily and without fear of negative repercussions, is also a must.

In Office 2016, Microsoft has added a new feature that allows enterprise administrators to block all macros from running in Office documents that come from the Internet.

Non-enterprise users must still rely on their own capabilities to spot these attempts, but endpoint security solutions and spam filters used by popular email providers can be of great help.

Help Net Security

Crafty GovRAT malware is found targeting U.S. government employees


A tough-to-detect malware that attacks government and corporate computers has been upgraded, making it more aggressive in its mission to steal sensitive files, according to security firm InfoArmor.

Last November, InfoArmor published details on GovRAT, a sophisticated piece of malware that’s designed to bypass antivirus tools. It does this by using stolen digital certificates to avoid detection.


Through GovRAT, hackers can potentially steal files from a victim’s computer, remotely execute commands, or upload other malware to the system.

Earlier this year, however, the makers of GovRAT came out with a second version, according to a new report from InfoArmor. The malware features an additional function to secretly monitor network traffic over the victim’s computer -- something with scary consequences.

“If you’re downloading something from a particular resource, the hackers can intercept the download and replace it with malware,” said InfoArmor CIO Andrew Komarov on Friday.

Last year, InfoArmor said that earlier versions of GovRAT had attacked more than 15 governments around the world, in addition to seven financial institutions and over 100 corporations.

The number of GovRAT victims, however, is growing, according to InfoArmor. That’s partly because the maker behind the malware has been selling it to other hackers on Hell Forum, a black market website, Komarov said.

Buyers of GovRAT have also been supplied with a stolen database of 33,000 Internet accounts, some of which belong to U.S. government employees, InfoArmor said. It includes email addresses, hashed passwords, full names, and addresses.

Hackers can use the contact information to carry out GovRAT attacks on U.S. government targets, Komarov said. That can be done through phishing emails or
InfoWorld Security