More stories

  • Banking Trojan evolves from distribution through porn to phishing schemes

    A banking Trojan focused on Brazilian targets has evolved from using pornography as a distribution model to phishing email models. 

    ESET researchers have named the Trojan Ousaban, a mixture of “boldness” and “banking trojan.” Kaspersky researchers track the malware as Javali, one of four major banking Trojans in Brazil — alongside Guildma, Melcoz, and Grandoreiro. Thought to have been in active circulation since 2018, the malware is written in Delphi, a coding language commonly employed for Trojans in the region.

    The term “boldness” has stemmed from the malware’s roots in using sexual imagery as a lure and distribution vector. According to the researchers, some of the images used could be considered “obscene.” However, Ousaban has moved on since its roots in pornography and has now adopted a more typical approach in distribution. Phishing emails are sent using themes such as messages claiming there were failed package delivery attempts that ask users to open files attached to the email.

    The file contains an MSI Microsoft Windows installer package. If executed, the MSI extracts a JavaScript downloader that fetches a .ZIP archive containing a legitimate application which also installs the Trojan through DLL side-loading.

    A more complicated distribution chain has also been traced, in which the legitimate app has been tampered with to fetch an encrypted injector that obtains a URL containing remote configuration files for a command-and-control (C2) server address and port, as well as another malicious file that changes various settings on a victim’s PC.

    Ousaban contains typical capabilities of a Latin American banking Trojan, including the installation of a backdoor, keylogging, screenshot capabilities, mouse and keyboard simulation, and the theft of user data.

    When victims visit banking institutions, screen overlays are employed to harvest account credentials. However, unusually for malware in the region, Ousaban will also attempt to steal account usernames and passwords from email services by using the same overlay technique.

    ESET says the Trojan’s persistence mechanism includes the creation of either a .LNK file or VBS loader in the Windows startup folder, or alternatively, the malware will modify the registry. In addition, Ousaban uses Themida or Enigma binary obfuscation to hide its executable files and will inflate their sizes to roughly 400MB “to evade detection and automated processing.” Kaspersky says that Javali/Ousaban has expanded beyond its Brazilian base in the past year or so, but ESET has yet to find any links between the Trojan and a suggested presence in Europe.

    Last month, ESET explored Janeleiro, a .NET Trojan operating in Brazil with similarities to Casbaneiro, Grandoreiro, and Mekotio. This banking malware is being used in targeted attacks against enterprise and government entities.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Panda Stealer dropped in Excel files, spreads through Discord to steal user cryptocurrency

    A new cryptocurrency stealer variant is being spread through a global spam campaign and potentially through Discord channels. 

    Dubbed Panda Stealer, Trend Micro researchers said this week that the malware has been found targeting individuals across countries including the US, Australia, Japan, and Germany. The malware begins its infection chain through phishing emails, and samples uploaded to VirusTotal also indicate that victims have been downloading executables from malicious websites via Discord links.

    Panda Stealer’s phishing emails pretend to be business quote requests. So far, two methods have been linked to the campaign: the first of which uses attached .XLSM documents that require victims to enable malicious macros. If macros are permitted, a loader then downloads and executes the main stealer.

    In the second chain, an attached .XLS file contains an Excel formula that hides a PowerShell command. This command attempts to access a paste.ee URL to pull a PowerShell script to the victim’s system and to then grab a fileless payload.

    “The CallByName export function in Visual Basic is used to call the load of a .NET assembly within memory from a paste.ee URL,” Trend Micro says. “The loaded assembly, obfuscated with an Agile.NET obfuscator, hollows a legitimate MSBuild.exe process and replaces it with its payload: the hex-encoded Panda Stealer binary from another paste.ee URL.”

    Once downloaded, Panda Stealer will attempt to detect keys and addresses associated with cryptocurrency wallets holding funds including Ethereum (ETH), Litecoin (LTC), Bytecoin (BCN), and Dash (DASH). In addition, the malware is able to take screenshots, exfiltrate system data, and steal information including browser cookies and credentials for NordVPN, Telegram, Discord, and Steam accounts. While the campaign has not been attributed to specific cyberattackers, Trend Micro says that an examination of the malware’s active command-and-control (C2) servers led the team to IP addresses and a virtual private server (VPS) rented from Shock Hosting. The server has since been suspended.

    Panda Stealer is a variant of Collector Stealer, malware that has been sold in the past on underground forums and through Telegram channels. The stealer has since appeared to have been cracked by Russian threat actors going under the alias NCP/su1c1de. The cracked malware strain is similar but uses different infrastructure elements such as C2 URLs and folders. “Because the cracked Collector Stealer builder is openly accessible online, cybercriminal groups and script kiddies alike can use it to create their own customized version of the stealer and C2 panel,” the researchers note. “Threat actors may also augment their malware campaigns with specific features from Collector Stealer.”

    Trend Micro says there are similarities in the attack chain and fileless distribution method to Phobos ransomware. Specifically, as described by Morphisec, the “Fair” variant of Phobos is similar in its distribution approach and is being constantly updated to reduce its footprint, such as reducing encryption requirements, in order to stay under the radar for as long as possible.

    The researchers also noted correlations between Phobos and LockBit in an April 2021 report.

  • Facebook bans Signal's attempt to run transparent Instagram ad campaign

    Encrypted instant messaging app Signal has tried to run a series of Instagram ads to show the amount of data the social media platform and its parent company Facebook collect about users and how they use the data to push targeted ads. But that attempt was quickly shut down by Facebook, Signal said in a blog post.

    Signal explained how it created some targeted ads featuring its own branding to illustrate that if an ad was being used to target a K-pop fan, it would say so. Or if the user was a teacher, it would also say so.

    “We created a multi-variant targeted ad designed to show you the personal data that Facebook collects about you and sells access to,” Signal said. “The ad would simply display some of the information collected about the viewer which the advertising platform uses.” Facebook was not into that idea.

    “Facebook is more than willing to sell visibility into people’s lives, unless it’s to tell people about how their data is being used. Being transparent about how ads use people’s data is apparently enough to get banned; in Facebook’s world, the only acceptable usage is to hide what you’re doing from your audience.”

    Signal has recently gained a flood of new users after Facebook-owned WhatsApp announced new terms of service that would allow it to share user profile data with Facebook in some circumstances. The new terms are due to take effect on May 15. Signal became the fastest growing app in Q1 2021, according to mobile ad analytics firm App Annie.

    Last month, Signal revealed it was possible to gain arbitrary code execution through Cellebrite tools, which are used to pull data out of phones in the user’s possession. Signal CEO Moxie Marlinspike said that Cellebrite contains “many opportunities for exploitation” and he thought Cellebrite should have been more careful when creating their forensic tools.

  • McAfee, Akamai Q1 reports top expectations on security technology growth

    Security legend McAfee, which is shedding its enterprise business, and bandwidth provider Akamai Technologies, which is transitioning to being more of an enterprise security company, both this afternoon reported Q1 results that topped analysts’ expectations.

    Akamai said its sales of its security software and services rose by 29%, year over year, to $310 million.

    McAfee said its consumer security business, which excludes revenue from the enterprise business that McAfee is selling off, rose by 25%, year over year.

    McAfee and Akamai shares were both unchanged in late trading.

    Akamai CEO Tom Leighton said that the company was “pleased with our excellent start in 2021,” noting that “revenue, margins and earnings all [exceeded] expectations.”

    Added Leighton, “We continued to capitalize on the substantial opportunities for our business, as demonstrated by the very strong growth of our security and edge applications solutions and strong traffic growth on the Akamai Intelligent Edge Platform.”

    Akamai’s total revenue in the three months ended in March rose 10%, year over year, to $843 million, yielding a net profit of $1.38 a share.

    Analysts had been modeling $830 million and $1.30 per share. Akamai did not offer a forecast.

    McAfee’s total revenue in the three months ended in March rose 13%, year over year, to $773 million, yielding a net profit of 44 cents a share. Analysts had been modeling $732 million and 36 cents per share.

    McAfee announced March 8th it would sell its enterprise security business to private equity firm Symphony Technology Group for $4 billion in cash. The enterprise business is categorized as “discontinued operations” within the quarterly results, while the remaining consumer business is continuing operations.

    For the current quarter, McAfee sees revenue from its remaining business, excluding enterprise, of $430 million to $434 million. For the full year, the company sees revenue from continuing operations in a range of $1.77 billion to $1.79 billion.


  • Three new malware families found in global finance phishing campaign

    Researchers have found three new malware families used in a widespread phishing campaign entrenched in financial crime.

    On Tuesday, FireEye’s Mandiant cybersecurity team said the malware strains, dubbed Doubledrag, Doubledrop, and Doubleback, were detected in December 2020. The threat actors behind the malware, described as “experienced and well-resourced,” are being tracked as UNC2529.

    Organizations in the US, EMEA region, Asia, and Australia have, so far, been targeted in two separate waves.

    Phishing messages sent to potential victims were rarely based on the same email addresses and subject lines were tailored to targets; in many cases, threat actors would masquerade as account executives touting services suitable for different industries — including defense, medicine, transport, the military, and electronics.

    Over 50 domains, in total, were used to manage the global phishing scheme. In one successful attack, UNC2529 compromised a domain owned by a US heating and cooling services business, tampered with its DNS records, and used this infrastructure to launch phishing attacks against at least 22 organizations.

    The lure emails contained links to URLs leading to malicious .PDF payloads and an accompanying JavaScript file contained in a .zip archive. The documents, fetched from public sources, were corrupted to render them unreadable — and so it is thought that victims might become annoyed enough to double-click the .js file in an attempt to read the content.

    Mandiant says the .js file, which is heavily obfuscated, contains the Doubledrag downloader. Alternatively, some campaigns have used an Excel document with an embedded macro to deliver the same payload.

    Upon execution, Doubledrag attempts to download a dropper as the second stage of the attack chain. This dropper, Doubledrop, is an obfuscated PowerShell script designed to establish a foothold on an infected machine by loading a backdoor into memory.

    The backdoor, Doubleback, is the final malware component and was created in both 32-bit and 64-bit versions.

    “The backdoor, once it has the execution control, loads its plugins and then enters a communication loop, fetching commands from its [command-and-control] C2 server and dispatching them,” Mandiant notes. “One interesting fact about the whole ecosystem is that only the downloader exists in the file system. The rest of the components are serialized in the registry database, which makes their detection somewhat harder, especially by file-based antivirus engines.”

    There are some indicators that the malware is still under development, as existing functionality will scan for the existence of antivirus products — such as those offered by Kaspersky and BitDefender — but even if one is detected, no action is taken.

    Analysis of the new malware strains is ongoing.

    “Although Mandiant has no evidence about the objectives of this threat actor, their broad targeting across industries and geographies is consistent with a targeting calculus most commonly seen among financially motivated groups,” the researchers say.
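    The remark that only the downloader touches the file system while the later stages are stored in the registry is a detail a detection engineer can act on directly. The PowerShell below is an added hunting example, not code from Mandiant or from the article: it walks the HKCU and HKLM Software hives and lists registry values large enough to hold a serialized script or executable, which a file-based antivirus engine would never inspect. The hives searched, the 20 KB threshold and the value types considered are assumptions chosen for illustration, not values taken from the Mandiant report.

```powershell
# Added hunting example: registry values big enough to carry a serialized payload.
# The hives searched and the size threshold are ASSUMPTIONS, not taken from the Mandiant report.
function Find-LargeRegistryValues {
    [CmdletBinding()]
    param(
        [string[]]$Roots = @('HKCU:\Software', 'HKLM:\Software'),
        [int]$MinBytes = 20KB
    )

    foreach ($root in $Roots) {
        # Recursing a whole hive can take a few minutes; keys we cannot open are skipped.
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            if (-not $key) { continue }
            foreach ($name in $key.GetValueNames()) {
                $kind  = $key.GetValueKind($name)
                $value = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                if ($null -eq $value) { continue }

                # Byte size for the value types that can hold an embedded blob or script text.
                $size = switch ($kind) {
                    'Binary'       { $value.Length }
                    'String'       { [Text.Encoding]::Unicode.GetByteCount($value) }
                    'ExpandString' { [Text.Encoding]::Unicode.GetByteCount($value) }
                    'MultiString'  { [Text.Encoding]::Unicode.GetByteCount(($value -join "`0")) }
                    default        { 0 }
                }
                if ($size -lt $MinBytes) { continue }

                [pscustomobject]@{
                    Key   = $key.Name
                    Value = if ($name) { $name } else { '(Default)' }
                    Kind  = $kind
                    Bytes = $size
                    # First bytes (hex) or first characters so an analyst can triage at a glance.
                    Head  = if ($kind -eq 'Binary') {
                                ($value[0..15] | ForEach-Object { $_.ToString('x2') }) -join ' '
                            } else {
                                $text = [string]$value
                                $text.Substring(0, [Math]::Min(48, $text.Length))
                            }
                }
            }
        }
    }
}

# Usage: run elevated so HKLM values are readable; review the largest hits first.
Find-LargeRegistryValues | Sort-Object -Property Bytes -Descending | Format-Table -AutoSize
```

    Expect legitimate hits (installer caches, certificate blobs, application state), so treat the output as a triage list: values under keys that are also referenced by autorun entries, or whose head bytes decode to script text or a PE header, are the ones worth pulling for analysis.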

  • Patch issued to tackle critical security issues present in Dell driver software since 2009

    Five serious vulnerabilities in a driver used by Dell devices have been disclosed by researchers. 

    On Tuesday, SentinelLabs said the vulnerabilities were discovered by security researcher Kasif Dekel, who explored Dell’s DBUtil BIOS driver — software used in the vendor’s desktop and laptop PCs, notebooks, and tablet products.

    The team says that the driver has been vulnerable since 2009, although there is no evidence, at present, that the bugs have been exploited in the wild.

    The DBUtil BIOS driver comes on many Dell machines running Windows and contains a component, the dbutil_2_3.sys module, which is installed and loaded on demand when the firmware update process is initiated and then unloaded after a system reboot; this module was the subject of Dekel’s scrutiny.

    Dell has assigned one CVE (CVE-2021-21551), CVSS 8.8, to cover the five vulnerabilities disclosed by SentinelLabs. Two are memory corruption issues in the driver, two are security failures caused by a lack of input validation, and one logic issue was found that could be exploited to trigger denial-of-service.

    “These multiple critical vulnerabilities in Dell software could allow attackers to escalate privileges from a non-administrator user to kernel mode privileges,” the researchers say.

    The team notes that the most crucial issue in the driver is that access-control list (ACL) requirements, which set permissions, are not invoked during Input/Output Control (IOCTL) requests. As drivers often operate with high levels of privilege, this means requests can be sent locally by non-privileged users.

    “[This] can be invoked by a non-privileged user,” the researchers say. “Allowing any process to communicate with your driver is often a bad practice since drivers operate with the highest of privileges; thus, some IOCTL functions can be abused ‘by design.’”

    Functions in the driver were also exposed, creating read/write vulnerabilities usable to overwrite tokens and escalate privileges. Another interesting bug was the possibility to use arbitrary operands to run IN/OUT (I/O) instructions in kernel mode.

    “Since IOPL (I/O privilege level) equals to CPL (current privilege level), it is obviously possible to interact with peripheral devices such as the HDD and GPU to either read/write directly to the disk or invoke DMA operations,” the team noted. “For example, we could communicate with ATA port IO for directly writing to the disk, then overwrite a binary that is loaded by a privileged process.”

    SentinelLabs commented: “These critical vulnerabilities, which have been present in Dell devices since 2009, affect millions of devices and millions of users worldwide. As with a previous bug that lay in hiding for 12 years, it is difficult to overstate the impact this could have on users and enterprises that fail to patch.”

    Proof-of-Concept (PoC) code is being withheld until June to allow users time to patch. Dell was made aware of Dekel’s findings on December 1, 2020. Following triage and issues surrounding some fixes for end-of-life products, Dell worked with Microsoft and has now issued a fixed driver for Windows machines. The PC giant has issued an advisory (DSA-2021-088) and a FAQ document containing remediation steps to patch the bugs.

    Dell has described the security flaw as “a driver (dbutil_2_3.sys) packaged with Dell Client firmware update utility packages and software tools [which] contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure.” “Local authenticated user access is first required before this vulnerability can be exploited,” Dell added.

    “We remediated a vulnerability (CVE-2021-21551) in a driver (dbutil_2_3.sys) affecting certain Windows-based Dell computers,” a Dell spokesperson said. “We have seen no evidence this vulnerability has been exploited by malicious actors to date. We appreciate the researchers working directly with us to resolve the issue.”

    Update 18.35 BST: Inclusion and improved clarity of the module’s loading process.
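    Because the module is loaded on demand and unloaded after a reboot, a machine can carry a vulnerable copy of dbutil_2_3.sys on disk without it appearing in the loaded-driver list. The PowerShell below is an added example for administrators, not code from SentinelLabs, Dell or the article: it reports every copy of the file it can find, with hash and signer, and separately lists any driver registered with the Service Control Manager whose image path names the module, so the result can be checked against Dell’s advisory (DSA-2021-088) before the FAQ’s remediation steps are applied. The default search locations (the Windows temp directory and each user profile’s local temp directory) are assumptions about where firmware-update tools leave the module, not something the article states; pass -SearchRoots to look elsewhere.

```powershell
# Added example: locate the Dell DBUtil module (dbutil_2_3.sys) on disk and check whether
# it is registered/loaded. The default search roots are ASSUMED locations, not from the article.
function Find-DbutilDriver {
    [CmdletBinding()]
    param(
        [string[]]$SearchRoots,
        [string]$FileName = 'dbutil_2_3.sys'
    )

    if (-not $SearchRoots) {
        # Assumption: update utilities typically extract the driver into a temp directory.
        $userTemps = Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
            ForEach-Object { Join-Path -Path $_.FullName -ChildPath 'AppData\Local\Temp' }
        $SearchRoots = @("$env:SystemRoot\Temp") + @($userTemps)
    }

    # Copies on disk, with hash and signer, for comparison against the vendor advisory.
    $onDisk = foreach ($root in $SearchRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Filter $FileName -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    SizeBytes = $_.Length
                    SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                    SigStatus = $sig.Status
                    LastWrite = $_.LastWriteTime
                }
            }
    }

    # Kernel drivers known to the Service Control Manager whose image path names this module.
    $registered = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.PathName -and $_.PathName -match [regex]::Escape($FileName) } |
        Select-Object -Property Name, State, StartMode, PathName

    [pscustomobject]@{
        OnDisk     = @($onDisk)
        Registered = @($registered)
    }
}

# Usage: run in an elevated session so every profile and the driver state are readable.
$result = Find-DbutilDriver
$result.OnDisk     | Format-Table -AutoSize
$result.Registered | Format-Table -AutoSize
if ($result.OnDisk.Count -eq 0 -and $result.Registered.Count -eq 0) {
    Write-Output 'No dbutil_2_3.sys found on disk or registered as a driver in the searched locations.'
}
```

    An empty Registered list is not a clean bill of health: as the article notes, the module is only loaded while a firmware update runs, so a copy sitting in a temp directory is the usual finding and is what the FAQ’s remediation steps are about. Fleet-wide, the function’s output object is easy to collect through a remoting session and aggregate by SHA256.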


  • Acronis banks $250M in funds to grow portfolio, partners

    Acronis has shored up $250 million in new funds, with plans to tap the monies to expand its product support and partner network. It also is open to further acquisitions if potential candidates can drive the company’s goal of providing deeper and broader data protection.

    Its latest funding round was led by private equity firm CVC Capital Partners, which dished out some $220 million, with other investors contributing the remaining $30 million, said Acronis’ founder and CEO Serguei Beloussov. He and his partners remain the company’s largest shareholders.

    This marked the Singapore-based data security vendor’s third, and biggest, funding round that involved external investors. It secured $147 million from investors led by Goldman Sachs in 2019, following its first round in 2004 when it raised $11 million.

    Speaking to ZDNet in a video call, Beloussov said the new funds would help support the company’s growth across several areas, including bolstering its partner ecosystem and product portfolio. In particular, Acronis would look to support a larger number of workload types on its flagship offering, Cyber Protect. The data security platform currently is optimised to secure 30 different workload types including Linux, VMware, and Microsoft Hyper-V. “We want to extend [this so] support is deeper and broader, and we can protect our customers’ complete infrastructure,” Beloussov said, adding that the vendor hoped to add application workloads such as NetSuite and Salesforce to its portfolio. The funds injection also would drive research and development efforts to integrate machine learning and artificial intelligence (AI) capabilities with its network and security infrastructure, he said.

    The aim here was to enhance the platform’s ability to detect, predict, and prevent potential system downtime, whether this was due to security attacks, natural disaster, or hardware and software faults, he noted. Machine learning also could be leveraged to help network administrators speed up their decision-making and more quickly resolve problems, he added. In some cases, it could do so without any human intervention and with much faster and better results, he said.

    The technology also could be tapped to improve the quality and speed of Acronis’ product development, Beloussov said. Noting that the company had a product development team of 1,600, including 1,000 engineers, he said this number was not always big enough to support a company of Acronis’ size. Hence, a good way to augment and advance such human resources was through machine-assisted intelligence, he said.

    The CEO also was open to making further acquisitions if potential candidates could help Acronis provide broader and deeper protection as well as better enable its partner ecosystem, which included managed services providers (MSPs), telcos, cloud providers, and cloud services aggregators.

    The vendor currently has 10,000 active MSPs on its network, in addition to another 5,000 that were registered but not actively engaged. The company would be looking to grow this number with the new funds, which also would be used to provide more training and certification programmes for its partners. Here, special focus would go towards Asia-Pacific and Japan, where the service provider markets were growing rapidly but were less developed compared to the US, Beloussov said.

    He also revealed plans to expand in China, where Acronis would soon open its first office, likely in Beijing or Shanghai, and a data centre. The vendor currently operates 26 data centres worldwide and plans to increase this number to 111. Earlier this year, it launched a site in Bhutan and planned to open data centres in India and Indonesia.

    The latest funds, which Acronis said pushed its value to more than $2.5 billion, also would be tapped to grow its engineering team in key markets, including Singapore, Israel, and Bulgaria.

  • This malware has been rewritten in the Rust programming language to make it harder to spot

    Phishing emails claiming to be from a delivery company are being used to deliver a new version of a form of malware which is used to deliver ransomware and other cyber attacks.

    Buer malware first emerged in 2019 and is used by cyber criminals to gain a foothold on networks which they can exploit themselves, or to sell that access on to other attackers to deliver their own malware campaigns, most notably, ransomware attacks.

    Now cybersecurity researchers at Proofpoint have uncovered a new variant of Buer which is written in an entirely different coding language to the original malware. It’s unusual for malware to be completely changed in this way, but it helps the new campaigns remain undetected in attacks against Windows systems.

    The original Buer was written in the C programming language, while the new variant is written in the Rust programming language – leading researchers to name the new variant RustyBuer. “Rewriting the malware in Rust enables the threat actor to better evade existing Buer detection capabilities,” said Proofpoint.

    RustyBuer is commonly delivered via phishing emails designed to look as if they come from delivery company DHL, asking the user to download a Microsoft Word or Excel document which supposedly details information about a scheduled delivery.

    The delivery is in fact fake, but cyber criminals know that the Covid-19 pandemic has resulted in more people ordering more items online, so messages claiming to be from delivery companies have become a common trick to lure people into opening malicious messages and downloading harmful files.

    In this instance, the malicious document asks users to enable macros – by asking them to enable editing – in order to allow the malware to run. The fake delivery notice claims that the user needs to do this because the document is ‘protected’ – even using the logos of several anti-virus providers in an effort to look more legitimate to the victim.

    If macros are enabled, RustyBuer is delivered to the system, providing the attackers with a backdoor into the network and the ability to compromise victims with other attacks, including ransomware.

    The new version of the malware, combined with improvements to email lures, suggests that the authors of Buer are hard at work to make their product as effective as possible, providing those they sell it to on underground forums with both a means of compromising networks themselves, as well as selling on access to infected machines to others.

    “The rewritten malware, and the use of newer lures attempting to appear more legitimate, suggest threat actors leveraging RustyBuer are evolving techniques in multiple ways to both evade detection and attempt to increase successful click rates,” Proofpoint researchers wrote in a blog post. “Based on the frequency of RustyBuer campaigns observed by Proofpoint, researchers anticipate we will continue to see the new variant in the future,” they added.

    One way organisations can help prevent Buer, RustyBuer and other forms of malware from being run from phishing emails is to disable macros in Microsoft Office products for users who don’t need them.
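    The PowerShell below is an added configuration example of that last recommendation; it is not code from Proofpoint or from the article. It writes the per-user Office policy values that disable VBA macros without notification for Word, Excel and PowerPoint, so the “enable editing” lure has nothing to act on, and additionally blocks macros in files that carry the Mark of the Web from the internet. It assumes Office 16.0 registry paths (Office 2016, 2019 and Microsoft 365) and writes the HKCU policy hive, which scopes it to the user it runs as; in a domain the same values are normally deployed through Group Policy rather than a script.

```powershell
# Added example: per-user Office policy that disables VBA macros for users who do not need them.
# Assumes Office 16.0 (2016/2019/Microsoft 365); pass -OfficeVersion for other releases.
$VbaWarningLevels = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed'
    4 = 'Disable all macros without notification'
}

function Set-OfficeMacroPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint'),
        [string]$OfficeVersion = '16.0',
        [ValidateSet(1, 2, 3, 4)][int]$VbaWarnings = 4,
        [bool]$BlockInternetMacros = $true
    )
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $change = "VBAWarnings=$VbaWarnings, blockcontentexecutionfrominternet=$([int]$BlockInternetMacros)"
        if ($PSCmdlet.ShouldProcess($key, $change)) {
            if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
            # VBAWarnings 4 = disabled without notification: the user is never offered an "enable" button.
            Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $VbaWarnings -Type DWord
            # Block macros in documents that carry the Mark of the Web (downloaded from the internet).
            Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value ([int]$BlockInternetMacros) -Type DWord
        }
    }
}

function Get-OfficeMacroPolicy {
    param(
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint'),
        [string]$OfficeVersion = '16.0'
    )
    foreach ($app in $Apps) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $level = $props.VBAWarnings
        [pscustomobject]@{
            App               = $app
            VBAWarnings       = $level
            Meaning           = if ($level) { $VbaWarningLevels[[int]$level] } else { '(not set: user may enable macros)' }
            BlockFromInternet = [bool]$props.blockcontentexecutionfrominternet
        }
    }
}

# Usage: preview with -WhatIf, apply, then read the policy back to confirm.
Set-OfficeMacroPolicy -WhatIf
Set-OfficeMacroPolicy
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

    Level 3 (signed macros only) is the usual compromise for users who genuinely need in-house macros, since it keeps the protected-document lure inert while allowing code signed by an internal certificate; the Get-OfficeMacroPolicy output is what to collect when auditing that the setting has not been reverted.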