More stories


    This banking Trojan abuses YouTube to manage remote settings

    A banking Trojan has been detected that abuses YouTube, Pastebin, and other public platforms in order to spread and control compromised machines. 

    On Friday, ESET wrapped up its series on banking Trojans active in Latin America, a series that has covered Janeleiro, a newer family similar to Casbaneiro, Grandoreiro, and Mekotio. The final entry, Numando, is not confined to that region: campaigns have been detected across Brazil, Mexico, and Spain. In a blog post, the researchers said Numando has been active since 2018. Written in Delphi, it displays fake overlay windows to dupe victims into submitting sensitive data, such as the credentials used to access financial services.

    As is the case for many banking Trojans, Numando is spread almost “exclusively” through spam and phishing campaigns, ESET says. Those campaigns are not especially sophisticated, and at the time of writing no more than a few hundred victims had been traced. Numando therefore appears to be “considerably less successful” than other Latin American Trojans such as Mekotio and Grandoreiro; the operator’s lack of sophistication has likely contributed to the low infection rate.

    In recent campaigns the spam consists of a phishing message with a .ZIP attachment. Opening it downloads a decoy .ZIP together with the real .ZIP, which contains a .CAB archive bundling a legitimate software application, an injector, and the Trojan. The Trojan itself is hidden inside a large .BMP image file, samples of which ESET published:

    [Image: sample .BMP files used to carry the Numando payload. Source: ESET]

    If the legitimate application is executed, it side-loads the injector, which decrypts the Trojan using an XOR algorithm and a key. For defenders, the legitimate binary is only the carrier: the injector it loads and the oversized .BMP that holds the payload are the artefacts worth hunting for. Once installed, Numando creates fake overlay windows when the victim visits financial services; credentials submitted through them are stolen and sent to the malware’s command-and-control (C2) server.

    Numando also abuses public services, including Pastebin and YouTube, to host its remote configuration. “The format is simple — three entries delimited by “:” between the DATA:{ and } markers,” ESET explained. “Each entry is encrypted separately the same way as other strings in Numando — with the key hardcoded in the binary. This makes it difficult to decrypt the configuration without having the corresponding binary, however, Numando does not change its decryption key very often, making decryption possible.” Google was informed of the videos found by the researchers, and those detected have since been taken down.

    [Image: example YouTube remote config upload. Source: ESET]
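The configuration format ESET describes, and the observation that the key is rarely rotated, suggest a small extractor a hunter would keep on hand: find the DATA:{...} block in text scraped from a video description or paste, split it into its three entries, and try each previously recovered key in turn. The following is an added example, not ESET’s code and not Numando’s real scheme. ESET only says the entries are encrypted “the same way as other strings” with a hardcoded key; the hex encoding and repeating-key XOR used here, the key strings, and the hostnames and paste URL are all assumptions made for the example.

```python
import re

# Markers and ':' delimiter as described by ESET.  Everything below about HOW an
# entry is encoded (hex text, repeating-key XOR) is an assumption for this example;
# the key strings, hostnames and paste URL are invented placeholders.
CONFIG_RE = re.compile(r"DATA:\{([^}]*)\}")

OLD_KEY = b"2019_key"          # hypothetical key recovered from an older binary
CURRENT_KEY = b"Numando2021!"  # hypothetical key from the current binary
KNOWN_KEYS = [OLD_KEY, CURRENT_KEY]   # keys are rarely rotated, so keep every one seen
EXAMPLE_ENTRIES = ["c2.numando.invalid", "https://paste.invalid/raw/cfg1", "build-17"]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_config(entries, key: bytes) -> str:
    """Constructed sample: a DATA:{...} block buried in decoy video-description text.
    Hex encoding keeps ':' and '}' out of the ciphertext so the markers stay parseable."""
    body = ":".join(xor_bytes(e.encode(), key).hex() for e in entries)
    return "Subscribe for more!\nDATA:{" + body + "}\nThanks for watching"


def extract_blobs(text: str):
    """Return the raw ':'-delimited entries of every DATA:{...} block found in text."""
    return [m.group(1).split(":") for m in CONFIG_RE.finditer(text)]


def looks_like_plaintext(data: bytes) -> bool:
    """Crude plausibility check: non-empty printable ASCII (hostnames, URLs, version tags)."""
    return bool(data) and all(0x20 <= c < 0x7F for c in data)


def decrypt_config(text: str, candidate_keys):
    """Try every known key against every three-entry DATA:{} block.
    Returns (key, [entry, entry, entry]) for the first key whose output is all
    plausible plaintext, or None if no key fits."""
    for entries in extract_blobs(text):
        if len(entries) != 3:      # ESET: exactly three entries per config
            continue
        for key in candidate_keys:
            try:
                plain = [xor_bytes(bytes.fromhex(e), key) for e in entries]
            except ValueError:     # not hex at all: not this format
                continue
            if all(looks_like_plaintext(p) for p in plain):
                return key, [p.decode("ascii") for p in plain]
    return None


if __name__ == "__main__":
    sample = build_config(EXAMPLE_ENTRIES, CURRENT_KEY)
    print(sample)
    print(decrypt_config(sample, KNOWN_KEYS))
```

The printable-ASCII check is deliberately crude: with a short entry a wrong key can produce printable garbage, so in practice the candidate that decrypts to a resolvable hostname or a reachable paste URL is the one to trust, and any key that works should be added to the known list for the next campaign.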
    Numando can also simulate mouse clicks and keyboard actions, hijack PC shutdown and restart functions, take screenshots, and kill browser processes. “Unlike most of the other Latin American banking trojans covered in this series, Numando does not show signs of continuous development,” ESET says. “There are some minor changes from time to time, but overall the binaries do not tend to change much.”

    In other recent Trojan news, in May Kaspersky unmasked Bizarro, a prolific Trojan detected across Europe. Bizarro has homed in on the customers of at least 70 banks in countries including Brazil, Argentina, and Chile, but now appears to be focused on European victims.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Cyberattacks against the aviation industry linked to Nigerian threat actor

    Researchers have unmasked a lengthy campaign against the aviation sector, beginning with the analysis of a Trojan by Microsoft. 

    On May 11, Microsoft Security Intelligence published a Twitter thread outlining a campaign targeting the “aerospace and travel sectors with spear-phishing emails that distribute an actively developed loader, which then delivers RevengeRAT or AsyncRAT.” The operator spoofed the sender addresses of legitimate organizations in these industries, and the attached .PDF carried an embedded link leading to a malicious VBScript, which then dropped the Trojan payloads on the target machine. According to Microsoft, the malware was used to spy on victims and to exfiltrate data including credentials, screenshots, clipboard contents, and webcam captures.

    Microsoft’s security team has been monitoring the campaign, and now Cisco Talos has contributed its own findings. Talos researchers Tiago Pereira and Vitor Ventura published a blog post on Thursday documenting the scheme, dubbed “Operation Layover,” and linking it to an actor who has been active since at least 2013 and has targeted aviation for at least two years. Beyond the activity Microsoft described, Talos has also connected this threat actor to campaigns against other sectors over the past five years.
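The delivery chain above (a PDF whose embedded link fetches a VBScript) is cheap to triage before anyone clicks: pull every /URI target out of the attachment and flag the ones that point at script or executable content. The following is an added example written for this page, not Microsoft’s or Talos’s tooling. The sample PDF is constructed inline with placeholder hostnames, and the suspicious-extension list is my own choice.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample: a minimal PDF with two link annotations.  The first points at a
# .vbs download (the pattern Microsoft described); the second is a benign control.
# Hostnames are placeholders under the reserved .invalid / example.com names.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]\n"
    b"   /A << /S /URI /URI (http://charter-quotes.invalid/itinerary\\(final\\).vbs) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]\n"
    b"   /A << /S /URI /URI <68747470733a2f2f6578616d706c652e636f6d2f> >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# PDF string literals may escape parentheses; hex strings may contain whitespace.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
RISKY_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/EmbeddedFile")
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".exe", ".scr", ".lnk", ".iso", ".zip")


def _unescape(s: bytes) -> bytes:
    """Undo the PDF literal-string escapes for '(', ')' and backslash."""
    return re.sub(rb"\\([()\\])", rb"\1", s)


def extract_uris(pdf: bytes):
    """All /URI targets: literal strings first, then hex strings, each in document order."""
    uris = [_unescape(m.group(1)).decode("latin-1") for m in URI_LITERAL.finditer(pdf)]
    for m in URI_HEX.finditer(pdf):
        hexstr = re.sub(rb"\s", b"", m.group(1)).decode("ascii")
        if len(hexstr) % 2:          # PDF pads an odd final digit with 0
            hexstr += "0"
        uris.append(bytes.fromhex(hexstr).decode("latin-1"))
    return uris


def classify(uri: str) -> str:
    """'high' for links that fetch or run script/executable content, else 'review'."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme in ("javascript", "vbscript", "file"):
        return "high"
    if unquote(parts.path).lower().endswith(SCRIPT_EXT):
        return "high"
    if scheme not in ("http", "https", "mailto"):
        return "high"
    return "review"


def triage(pdf: bytes) -> dict:
    """Summarise a PDF attachment: every link with a verdict, plus risky action keys present."""
    return {
        "uris": [(u, classify(u)) for u in extract_uris(pdf)],
        "risky_keys": [k.decode() for k in RISKY_KEYS if re.search(re.escape(k) + rb"\b", pdf)],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_PDF)
    for uri, verdict in report["uris"]:
        print(f"{verdict:6} {uri}")
    print("risky keys:", report["risky_keys"])
```

Two caveats for real use: modern PDFs usually keep annotations inside compressed object streams, so run this after inflating the file with a proper parser (the regexes only see what is stored in the clear), and a clean verdict here says nothing about what the linked host serves at click time, so the URL itself still needs sandboxed detonation.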

    The aviation-themed emails with malicious .PDFs that Talos obtained closely resemble those seen by Microsoft: the emails and attachments mention trip itineraries, flight routing, private jets, quotes, charter requests, cargo details, and more. Based on passive DNS telemetry, the team believes the threat actor is located in Nigeria, since 73% of the IP addresses connected to the hosts, domains, and attacks originate from that country. Pseudonyms appear to include the handle “Nassief2018” on hacking forums, as well as the monikers “bodmas” and “kimjoy.” The cybercriminal started out with the off-the-shelf CyberGate malware and does not appear to have gone beyond commercially available code since. The actor has also been linked to crypter purchases on online forums, and to email addresses and phone numbers, although these findings have not been verified.

    CyberGate has since been replaced with AsyncRAT in recent campaigns, with over 50 samples detected communicating with a command-and-control (C2) server used by the threat actor. Eight more domains linked to AsyncRAT deployment have been identified, the majority of them registered during 2021. RevengeRAT and AsyncRAT are not the only malware in use, either: one domain spotted by the team indicates the operator also uses a variant of njRAT.

    “Actors that perform smaller attacks can keep doing them for a long period of time under the radar,” Cisco Talos says. “However, their activities can lead to major incidents at large organizations. These are the actors that feed the underground market of credentials and cookies, which can then be used by larger groups on activities like big game hunting.”


    China formally applies to join CPTPP trade pact

    China has applied to join an Asia-Pacific trade pact whose 11 current members include Australia, New Zealand, and Japan, the country’s Ministry of Commerce (MOFCOM) said on Thursday. The Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) represents about $13.5 trillion in GDP, or 13.4% of global GDP, making it one of the largest trade pacts in the world. Chinese Commerce Minister Wang Wentao submitted the application to New Zealand’s Trade Minister Damien O’Connor in a written letter on Thursday, the ministry said in an online statement, adding that the two officials have also discussed the application by phone. New Zealand acts as the depositary for the CPTPP, the government that handles administrative tasks for the pact such as requests to join. The CPTPP entered into force in 2018 and incorporates the Trans-Pacific Partnership (TPP), which collapsed after then-US President Donald Trump withdrew the US from it in 2017; the TPP could not enter into force without US ratification. To join the CPTPP, China would need the consent of every existing member, which will be tricky given that Australia is among them.

    Tensions between Australia and China have grown steadily over the past 18 months, with Australia, the UK, and the US yesterday announcing a trilateral security pact aimed at addressing the defence and security concerns posed by China within the Indo-Pacific region. Although China was not mentioned when AUKUS was announced, Australian Prime Minister Scott Morrison said the Indo-Pacific region was becoming “more complex”. AUKUS will see the three countries create initiatives that increase cyber capabilities, artificial intelligence, quantum technologies, and undersea capabilities, and promote deeper information and technology sharing between themselves. Australia on Thursday also appealed the World Trade Organization’s decision to allow China to impose tariffs on Australia’s wine exports, Trade Minister Dan Tehan said in a statement.

    Morrison last year did almost everything but name China as the actor responsible for cyber attacks that targeted all levels of government in Australia, as well as the private sector. “Australia doesn’t judge lightly in public attributions, and when and if we choose to do so, it is always done in the context of what we believe to be in our strategic national interest,” Morrison said at the time.

    Current members of the CPTPP are Australia, Brunei, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, and Vietnam. The United Kingdom submitted a formal request to join earlier this year, and a working group for its accession has been established.


    How surveillance capitalism will totally transform the domain name system

    The economics of surveillance capitalism and a world of paranoid apps will transform the domain name system (DNS), says Geoff Huston, chief scientist at APNIC Labs, part of the Asia Pacific Network Information Centre.

    Knowing the domain names of the websites you visit, or servers that apps access on your behalf, is valuable intelligence. DNS traffic is especially valuable because it reflects what users are doing in real time. “The names you asked for, and when you ask for them, say an awful lot about you,” Huston said in his presentation to the APNIC 52 conference on Wednesday. “The network betrays you. You’re leaving big, filthy, muddy footprints on the carpet, mate. We can see where you’re going. And that’s the problem,” he said. “Real-time data, right here, right now. Not last week, not last month. This second. You couldn’t get more valuable.” Others with more noble motives are monitoring DNS traffic too, looking for the telltale signs of malicious activity, such as the rapidly-changing domain names used by botnets. And as Edward Snowden revealed in 2013, the members of the Five Eyes signals intelligence agencies are also keen on sucking up all that DNS traffic.

    “All kinds of folk actually spread DNS information all over the place,” Huston said. “The problem is, it doesn’t matter what your motives are, good or bad. Sniffing is sniffing. An invasion of privacy is invasion of privacy, irrespective of the colour of the hat you’re wearing. And this is not good.”

    Grafting privacy onto decades-old protocols

    The core DNS protocols date back to the 1980s, and they’re based on a domain name structure that was developed in the 1970s. Everything happens out in the open, unencrypted. “How can we stop folk crowding around the digital exhaust pipe sniffing these fumes?” Huston asked. There are methods for preventing third parties from snooping on your DNS traffic, but they haven’t seen wide adoption.

    One way to make DNS surveillance more difficult is to use a public open DNS server, such as Google’s 8.8.8.8, Cloudflare’s 1.1.1.1, OpenDNS, or Quad9, rather than your ISP’s resolvers, because ISPs have been known to sell their DNS logs to advertisers. That can be combined with an encrypted transport to the resolver: DNS over TLS (DoT), DNS over HTTPS (DoH), or DNS over the more lightweight QUIC protocol (DoQ). Be clear about what this does and does not achieve: encryption hides queries from anyone on the path between you and the resolver, but the resolver itself still sees every name you ask for, together with your IP address. If you do that, you’re doing a “tolerably good job” of hiding in the crowd, Huston said. “But that first part of the bargain? I’ve got to trust Google. Yeah right. I’ve got to trust the very folk who are experts in assembling my profile.” To put it another way: if we have to compromise our privacy to a third party, which third party represents the least risk to us, both now and in the future? It’s a difficult choice. But wait. Maybe we don’t have to compromise our privacy at all.

    Enter Oblivious DNS, a cryptographically private DNS name space

    One innovative solution is Oblivious DNS, first written up as a draft engineering standard in 2018 and as a formal paper [PDF] in 2019. “The concept is delightfully simple,” Huston wrote in 2020, although some might argue with his use of the word “simple” once they read his explanation.
    ODNS uses a chain of DNS servers interacting via a pipeline of encrypted transactions. The details will be fascinating for DNS aficionados, but the overall strategy is easy to explain. The DNS server close to you knows who you are, so it can return the answer to you, but not what your query was, because the query is encrypted. The DNS server at the other end knows what query it has to resolve, because you used that server’s public key to encrypt the transaction, but not who asked for it. The privacy guarantee therefore rests on the two servers being run by different parties that do not collude. A similar approach called Oblivious DoH (ODoH), described in a draft standard in 2020, wraps the entire DNS transaction in an encrypted envelope. The advantage of ODoH is that it doesn’t try to cram everything into the existing DNS packet format, so it can be slightly more elegant. The disadvantage is that it requires separate infrastructure from the existing DNS.

    But why would anyone pay for all this?

    Huston’s future of bloated, paranoid apps

    “In terms of economics, the DNS is a wasteland,” Huston told APNIC 52. “I don’t pay for queries, you don’t pay for queries. Who funds all this? Well, my ISP funds a lot of it. And it sort of comes out of what I pay them,” he said. That means there’s no incentive for ISPs to improve DNS privacy. “For ISP fees, the DNS becomes a part of Mr Cost, it’s not Mr Income, and so there’s a lot of resistance to making Mr Cost grow bigger because that’s the way you basically kill your business.” The public servers are there, but who funds them? And how many users will change the DNS settings on their devices anyway? “In some ways, improving the DNS is a labour of love. It’s not a labour for wealth and profit,” Huston said.
    “Most folk just simply use their ISP’s resolver, because that’s the one you’re paying for, and that’s the one person who actually has an obligation to do this for you… So by and large, open DNS resolvers aren’t really going to take the DNS and run away over the hills.”

    Huston thinks there’s one place where the privacy-protecting DNS protocols might take hold, though it won’t be for your benefit: inside the apps on your devices. Facebook’s mobile app, for example, weighs in at more than 200 megabytes because it contains an entire operating system, including an entire network stack. “Facebook is paranoid about a number of things. It’s paranoid about the platform snooping on it. It’s paranoid about other applications on the same platform snooping on the Facebook app,” Huston said. “Facebook is incredibly valuable. It’s spent a lot of time and money understanding me, and assembling a profile of me that it can sell to advertisers. The last thing it wants to do is to give any of that information away to anyone else. It’s their data,” he said. “Applications that divorce themselves from the DNS infrastructure as we know it are an inevitable and near-term future.”

    Huston sees this progression as part of broader, historical waves of change that have “played out right now in front of our very eyes”. The internet has gradually been transforming from network-centric services, to platform-centric services, to application-centric services. “The DNS is being swept up with this, and almost every single part of the DNS changes as soon as the DNS becomes sucked into application space,” he said. “Single coherent namespace? Nah, historical rubbish. Because the entire namespace then becomes application-centric, and different applications will have a different namespace to suit their needs.”
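The two-hop split that Huston describes for ODNS and ODoH (the near server learns who, the far server learns what) is easier to reason about with both sides of the exchange in front of you. The following is an added example, not Huston’s material and not any real ODoH implementation: a client encrypts its question to the target’s public key, a proxy that knows the client’s address relays an opaque blob, and the target answers without ever seeing the client. To run on the Python standard library it uses a toy Diffie-Hellman group and a toy encrypt-then-MAC envelope; real ODoH uses HPKE (X25519, HKDF and an AEAD), and the addresses and zone data below are constructed.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (Mersenne prime 2**127 - 1, generator 3) and a toy
# encrypt-then-MAC envelope, used only so the example runs on the standard library.
# Real ODoH uses HPKE (X25519, HKDF, AES-GCM or ChaCha20-Poly1305); do not reuse this.
P = (1 << 127) - 1
G = 3


def keygen():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive(shared: int, label: bytes, nonce: bytes) -> bytes:
    """Separate keys for the query and the response from one shared secret."""
    return hashlib.sha256(shared.to_bytes(16, "big") + label + nonce).digest()


def _keystream(key: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """ciphertext || 32-byte HMAC tag."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def open_(key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("envelope tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


class Target:
    """Oblivious target: owns the static key and answers queries.
    It learns the question but only ever sees the proxy's address."""

    def __init__(self, zone: dict):
        self.priv, self.pub = keygen()
        self.zone = zone
        self.log = []              # (peer address, plaintext query)

    def handle(self, from_addr: str, msg: bytes) -> bytes:
        eph_pub = int.from_bytes(msg[:16], "big")
        nonce = msg[16:32]
        shared = pow(eph_pub, self.priv, P)
        query = open_(derive(shared, b"query", nonce), msg[32:]).decode()
        self.log.append((from_addr, query))
        answer = self.zone.get(query, "NXDOMAIN")
        return seal(derive(shared, b"response", nonce), answer.encode())


class Proxy:
    """Oblivious proxy: knows the client's address, relays an opaque blob."""

    def __init__(self, target: Target, addr: str = "proxy.invalid"):
        self.target, self.addr = target, addr
        self.log = []              # (client address, bytes as seen on the wire)

    def relay(self, client_addr: str, msg: bytes) -> bytes:
        self.log.append((client_addr, msg))
        return self.target.handle(self.addr, msg)


def client_query(proxy: Proxy, client_addr: str, target_pub: int, query: str) -> str:
    """Client side: fresh ephemeral key per query, answer decrypted locally."""
    eph_priv, eph_pub = keygen()
    shared = pow(target_pub, eph_priv, P)
    nonce = secrets.token_bytes(16)
    msg = eph_pub.to_bytes(16, "big") + nonce + seal(derive(shared, b"query", nonce), query.encode())
    resp = proxy.relay(client_addr, msg)
    return open_(derive(shared, b"response", nonce), resp).decode()


if __name__ == "__main__":
    target = Target({"example.com. A": "192.0.2.1"})   # constructed zone data
    proxy = Proxy(target)
    print(client_query(proxy, "198.51.100.7", target.pub, "example.com. A"))
    print("proxy saw:", [(a, len(m)) for a, m in proxy.log])
    print("target saw:", target.log)
```

The two logs are the point: the proxy’s log holds the client address next to bytes it cannot read, and the target’s log holds the question next to the proxy’s address. Collapse the two roles into one operator and the separation is gone, which is why the practical question in deploying ODoH is who runs the proxy and who runs the target, not the cryptography.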


    NSW to trial geolocation and facial recognition app for home-based quarantine

    The NSW government has announced that the state will trial home-based quarantine for people arriving in Australia, built around a mobile app using geolocation and face recognition. The pilot will be jointly operated by NSW Health and NSW Police and entails a seven-day home-based quarantine program for around 175 people. It will run across a four-week period and commence sometime this month. The app will use geolocation and face recognition technology to monitor whether a person is complying with the state’s quarantine rules, and will also provide a testing schedule and symptom checker. The government added that the app would be supplemented by random in-person checks, and that penalties would be imposed on individuals who breach isolation during home-based quarantine. The app is based on one already being trialled in South Australia, the NSW government said in a statement. “This will build on the evidence that’s been collected through the South Australian trial as part of the national plan where we utilise technology, particularly facial recognition and location-based services apps on your phone, to help police continue to check-in on a person during their home-based quarantine,” NSW Minister for Jobs, Investment, Tourism, and Western Sydney Stuart Ayres said.

    The trial is part of efforts to remove the state’s hotel quarantine system for the majority of people coming into Australia, Ayres said. He added that both the NSW and federal governments hope the findings will inform future quarantine programs and help identify alternatives for people who do not have access to smartphones. In terms of privacy, the app will use the same mechanisms as the current Service NSW check-in regime, the NSW government said. All participants chosen for the pilot will have already had both doses of a government-approved COVID-19 vaccine.

    On the same day, South Australia announced that its trial, which commenced late last month and has had 98 participants to date, will expand in October to allow home-based quarantine for up to 250 people every week. Tasmania also reportedly announced it will begin a 30-day home-based quarantine trial next week for residents returning home from regional New South Wales. The Tasmanian trial will be for eligible travellers who have been fully vaccinated against COVID-19; travellers will also be required to return a negative test and must quarantine in a house with no other residents. Western Australia also has a home quarantine app in place for arrivals into the state, called G2G Now, which has also been used in some cases in the Northern Territory.

    Updated at 3:55pm AEST, 17 September 2021: South Australia announced expansion of its home-based quarantine trial.


    Popular slot machine chain Dotty's reveals data breach exposing SSNs, financial account numbers, biometric data, medical records and more

    Nevada Restaurant Services (NRS), the owner of the popular slot machine parlor chain Dotty’s, has disclosed a data breach that exposed a significant amount of personal and financial information. In a statement, the company confirmed that “certain customers” were affected and said the exposed information includes Social Security numbers, driver’s license or state ID numbers, passport numbers, financial account and routing numbers, health insurance information, treatment information, biometric data, medical records, taxpayer identification numbers, and credit card numbers and expiration dates.

    The Las Vegas-based company has about 600 employees, annual revenue of more than $70 million, and operates about 200 locations across Nevada, Oregon, Montana, and Illinois. It also operates Red Dragon taverns and hotels, Laughlin River Lodge, Bourbon Street Sports Bars, La Villita Casino, and Hoover Dam Lodge.

    “In January 2021, NRS identified the presence of malware on certain computer systems in its environment. NRS immediately commenced an investigation to determine the full nature and scope of the incident and to secure its network,” the company said in a statement. “Through this investigation, NRS determined that it was the target of a cyber-attack and that, in connection with the cyber event, an unauthorized actor was able to copy certain information from the system on or before January 16, 2021.”

    The company added that the information exposed varies from person to person. It plans to send notification letters to victims of the incident, but noted that it will only mail letters where it has “valid mailing addresses.” An assistance line at (833) 909-3914 has been set up for those who may wonder whether they were affected but did not receive a letter.

    Vital Vegas reported in July that Dotty’s has about 300,000 customers in its player database. NRS said that after the attack it took steps to increase security and added “technical safeguards to its environment.” It will provide free identity protection services, as is customary in such cases, but urged victims of the breach to “remain vigilant against incidents of identity theft and fraud,” and to use the one free credit report each year to which they are entitled. It listed other steps victims can take, such as placing fraud alerts on their file and credit freezes on their accounts. “However, you should be aware that using a credit freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit,” the company added.


    Bitdefender releases universal decryptor for REvil/Sodinokibi victims hit before July 13

    Bitdefender has released a universal decryptor for REvil/Sodinokibi victims infected before July 13, 2021. In a statement, the cybersecurity company said it created the tool with “a trusted law enforcement partner” to help the many victims infected with the ransomware. Multiple REvil victims either refused to pay a ransom, or paid but did not receive working decryption keys, before the group went dark on July 13 following its massive July 4 attack on Kaseya, an IT solutions developer for MSPs and enterprise clients. The group has since resurfaced and leaked information about multiple victims, even announcing a new victim on Thursday as Bitdefender rolled out its decryptor.

    Bogdan Botezatu, director of threat research and reporting at Bitdefender, told ZDNet that the company saw dozens of downloads of the decryptor as soon as it was released, and has also been contacted privately by several victims who have been waiting for help since the group emerged. Botezatu noted that it is impossible to estimate how many victims REvil has infected since 2019, because not all victims report infections or reach out for support. Asked why the decryptor only works for victims infected before July 13 and not after, Botezatu said he could not discuss specifics, but explained that the main difference is “related to the decryption keys that we have available from our trusted law enforcement partner.”

    “We have tested the tool against recent attacks and our tool cannot yet decrypt attacks after the July 13 date,” Botezatu said. “We are pleased we are helping victims who have been impacted. Like other industry researchers, we have seen REvil activity start back up. Based on our experience we believe new ransomware attacks are imminent and organizations of all sizes and in all industries should be on high alert.” Botezatu added that the company is working on new versions of the decryptor, as well as on decryptors for the most prominent ransomware families.

    In a longer statement, Bitdefender said victims with encrypted data were left in the lurch when parts of REvil’s infrastructure went offline, and confirmed that it cannot comment on certain details of the case until allowed to by “the lead investigating law enforcement partner.” “Both parties believe it is important to release the universal decryptor before the investigation is completed to help as many victims as possible,” Bitdefender said. “We believe new REvil attacks are imminent after the ransomware gang’s servers and supporting infrastructure recently came back online after a two month hiatus. We urge organizations to be on high alert and to take necessary precautions.” The company noted that REvil’s operators are most likely based in a Commonwealth of Independent States (CIS) country and that the group emerged in 2019 as a derivative of the GandCrab ransomware. REvil has attacked thousands of companies across the world, demanding exorbitant ransoms in return for not leaking data.
    Ransomware expert and Emsisoft threat analyst Brett Callow, who has worked on decryptors for other ransomware strains, said the release will definitely help any pre-July 13 victims who have been unable to fully recover their data by other means in the weeks since. “The fact that the decryptor was ‘created in collaboration with a trusted law enforcement partner’ would imply that that partner had recovered the keys,” Callow added. Callow noted that REvil attacked at least 360 US-based organizations this year. The RansomWhere research site says the group has brought in at least $11 million this year, with high-profile attacks on Acer, JBS, Quanta Computer and more. As with any decryptor, affected organizations should obtain the tool only from the vendor’s own distribution channel and keep a copy of the encrypted files before running it, so that a failed or partial run cannot make recovery harder.


    Aruba partners with MLS franchise for digitized stadium in Cincinnati

    Aruba announced a new partnership with Cincinnati-based Major League Soccer franchise FC Cincinnati that will see the company outfit the team’s 26,000-seat TQL Stadium with its edge services platform network. The facility is fully digitized and designed to be entirely cashless, using a slate of wired and wireless Aruba products. Jeffrey Weaver, director of high-density solutions for Aruba, told ZDNet that the company was proud to help the MLS team deliver immersive fan experiences and called TQL Stadium one of the most ambitious soccer-specific stadiums globally. “From our Wi-Fi 6 access points and mobility controllers to our CX Series switches and ClearPass network access control solution, all of the network elements are working in tandem to ensure that fans and visitors to TQL Stadium have premier and engaging experiences that enhance their enjoyment of the games and special events they attend,” Weaver said. “The network infrastructure also supports more secure and streamlined stadium operations, from the point of sale devices and security cameras to door access solutions.” The digital fan experience starts the moment you arrive at the stadium, with mobile ticketing provided by SeatGeek and paperless entry via Fortress wireless scanners. “Mobile ticketing is also important from a business perspective as it eliminates much of the counterfeit ticketing that is widespread throughout entertainment,” said Dan Lolli, vice president of facilities and stadium general manager for FC Cincinnati.

    TQL Stadium also has two large Daktronics scoreboards and 14,370 feet of SACO V-STICK S to help show replays, live gameplay, stats and other fun stadium graphics. The stadium has about 200 point-of-sale devices run by Appetize, all of which are cloud-enabled.
    There are dozens of other digital tools in use at the stadium, including security cameras, door access devices and business applications. Lolli said the goal of the new stadium was to create a next-generation fan experience. “Working with our IT-as-a-Service partner Atomic Data, we determined Aruba was the leader in stadium deployments that provide fans with superior, high-performance, reliable, and consistent experiences while being efficient and cost-effective to manage,” Lolli said. Aruba explained that the stadium had deployed its Wi-Fi 6 indoor and outdoor access points as well as a number of mobility controllers alongside the company’s access switches at the edge for IP audio and video. Lolli explained that the stadium processed more than 16,000 food and beverage transactions over a few hours, with most completed in less than half a second, on opening day. “Our network enables us to provide the exceptional experiences that help us differentiate ourselves from other sporting and non-sporting entertainment options,” Lolli said. “During stadium construction, Aruba’s robust tools enabled Atomic Data to stage our entire network off-site and ship it to our stadium. This streamlined deployment by four to eight weeks versus the traditional on-site approach, helping us meet our opening day deadlines. Since then, Aruba’s software automation has ensured efficient network management on a day-to-day basis.”
