Mining cryptocurrency on other people's computers is a fashionable business, but a slow and thankless one, and the unlucky gold diggers will resort to any trick. Last week we described how Coinhive was embedded in a plugin for chatting with an online consultant. The adventures of the popular mining script continue: this time clever minds have found a way to keep it running even after the window with the originating site is closed. The miner is simply opened in a separate browser window that is hidden behind the Windows taskbar.
So far the ninja miner has been found on only one portal (an adult site), and it is a danger only to users of the Chrome browser. The code on the "parent" site calculates the position of the new browser window from the current screen size using the following formula:
Horizontal position = (current screen width) - 100 px
Vertical position = (current screen height) - 40 px
It is not hard to guess that a window opened at these coordinates ends up right under the taskbar. Besides hiding well visually, the miner also tries not to overload the CPU, so as to work covertly in the best ninja tradition: its creators clearly decided to bet not on the power of the miner but on the number of installations.
You can see the extra window only if your taskbar is transparent. But the unauthorized process can be spotted and easily killed in Task Manager.
Cobalt hackers leak their targets via e-mail ... again
Whoever handles the mailings in the Cobalt gang clearly still has a lot to learn about working with e-mail. When sending out spear-phishing messages, the poor fellow put the full list of phishing targets in the "To" field instead of "Bcc". And not for the first time: in March this year a similar open letter exposed 1,880 targets among the financial organizations of Kazakhstan.
The disclosed attack was a mailing to employees' personal addresses of letters warning of changes that had allegedly occurred in the SWIFT system. Or rather, the body of the letter was empty; only the attached RTF document was named "Swift changes". On opening, it exploited CVE-2017-11882, a recently discovered vulnerability in the Microsoft Office Equation Editor (the formula insertion component), which allows arbitrary code to run with no user interaction beyond opening the document. Microsoft shipped the corresponding patch back in November, but as usual not everyone has updated. Those who did not get around to it received Cobalt Strike, a tool that is, in theory, meant for penetration testing. It was Cobalt Strike that connected the infected computer to the attackers' command-and-control server.
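A lure of the kind described above is an RTF file carrying an embedded Equation Editor object. The scanner below is an added example, not code from the column or from Kaspersky Lab: it pulls the hex `\objdata` blobs out of an RTF file, decodes the OLE1 object header, and reports whether the object names the Equation Editor ProgID "Equation.3" (or its CLSID), the component that CVE-2017-11882 lives in. The sample RTF strings are constructed here for illustration; their object payloads are just headers, not exploit data.

```python
import re
import struct

# Public identifiers of the Office Equation Editor component (EQNEDT32.EXE).
# "Equation.3" is the ProgID a document declares for an embedded equation object;
# the CLSID below is {0002CE02-0000-0000-C000-000000000046} in its on-disk
# little-endian byte order. Neither value comes from the article.
EQUATION_PROGID = b"Equation.3"
EQUATION_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\s}\\]+)")


def decode_objdata(rtf: bytes) -> list:
    """Return the raw bytes of every \\objdata hex blob found in an RTF file."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:          # truncated blob: drop the dangling nibble
            hexdata = hexdata[:-1]
        try:
            blobs.append(bytes.fromhex(hexdata.decode("ascii")))
        except ValueError:
            continue                  # not hex at all; skip rather than crash
    return blobs


def equation_editor_indicators(rtf: bytes) -> list:
    """List human-readable reasons why the RTF looks like an Equation Editor lure."""
    reasons = []
    for cls in OBJCLASS_RE.findall(rtf):
        if cls.lower().startswith(b"equation"):
            reasons.append("objclass " + cls.decode("ascii", "replace"))
    if b"\\objupdate" in rtf:
        # heuristic: forces the object to be refreshed as soon as the file opens
        reasons.append("objupdate present (object refreshed on open)")
    for i, blob in enumerate(decode_objdata(rtf)):
        if EQUATION_PROGID.lower() in blob.lower():
            reasons.append(f"objdata[{i}] names {EQUATION_PROGID.decode()}")
        if EQUATION_CLSID_LE in blob:
            reasons.append(f"objdata[{i}] carries the Equation Editor CLSID")
    return reasons


def looks_like_equation_editor_lure(rtf: bytes) -> bool:
    return bool(equation_editor_indicators(rtf))


def _ole1_object(classname: bytes) -> bytes:
    """Constructed OLE1 ObjectHeader: OLEVersion, FormatID, length-prefixed class name."""
    name = classname + b"\x00"
    return b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00" + struct.pack("<I", len(name)) + name


# Constructed samples (not real attachments): a lure-shaped file and a benign one.
LURE_RTF = (b"{\\rtf1\\ansi Swift changes"
            b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + _ole1_object(b"Equation.3").hex().encode() + b"}}}")
BENIGN_RTF = (b"{\\rtf1\\ansi Quarterly report"
              b"{\\object\\objemb{\\*\\objclass Word.Document.8}"
              b"{\\*\\objdata " + _ole1_object(b"Word.Document.8").hex().encode() + b"}}}")

if __name__ == "__main__":
    for label, sample in (("lure", LURE_RTF), ("benign", BENIGN_RTF)):
        print(label, equation_editor_indicators(sample))
```

Run it against a real RTF with `open(path, "rb").read()`; a hit means only that the file embeds an Equation Editor object, which is unusual in mail attachments but not proof of exploitation, so treat it as a triage signal and keep the November patch (or the removal of the component) as the actual fix.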
The recipients of the malicious mailing were mainly financial institutions in Russia and Turkey, but employees of European, Middle Eastern and American banks were among them too.
Password trading service LeakBase shut down
The darknet site LeakBase, which sold passwords from breached MySpace and LinkedIn accounts, suddenly began redirecting its users to a completely legitimate site where you can check whether your password has been compromised. The sudden benevolence has a simple explanation: the LeakBase owners were arrested as the Hansa case unravelled. Hansa was another site, one that sold hard drugs.
It turns out that the Dutch police seized Hansa in the summer and for some time kept the operation quiet, running the resource themselves. They used it to trace the criminals' connections and netted a decent catch, including the dealers in stolen passwords from LeakBase.
It is not yet clear whether the password trading can actually be prosecuted: the data offered on the site had leaked into the public domain much earlier, as a result of mass breaches.
Antiquities
Starship
A resident, non-dangerous "stealth" "ghost" virus. It infects COM and EXE files only on drives A: and B:, at the moment a file is created, and the MBR of the hard disk when an infected file is run. This way the virus secures its presence in the computer's RAM and spreads to other computers with the minimum number of infected objects, which makes it somewhat harder to detect. The design has one more "virtue": when a freshly created file is infected, there is no need to worry about the DOS critical error handler (int 24h).
Files are infected in the standard way, using a "ghost" algorithm.
When infecting a disk, it writes itself to the last sectors of the disk and points the active boot sector address in the partition table at its own beginning. Reads of the modified MBR and of the last sectors of the disk are covered by the "stealth" mechanism.
Depending on its counters, on disk access it "beeps in Morse code" and draws "stars" on the screen. It contains the string "> STARSHIP_1 <". It intercepts int 13h, 20h, 21h, 27h.
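The one part of the Starship description that a modern tool can still check offline is the partition table trick: the active entry's boot sector address is redirected to the virus body in the last sectors of the disk. The script below is an added example, not part of the column or of any Kaspersky tool: it parses the four 16-byte MBR partition entries and flags an active entry whose start sector lies in the tail of the disk or past its end. The `tail_window` size, the sample disk size and the two constructed MBR images are assumptions made here for illustration; the check uses the LBA fields only and ignores the CHS fields a DOS-era virus would also have had to set, so a stealth-infected running system would hide the change from this script, and it is meant for an image taken offline.

```python
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
TABLE_OFFSET = 446


def parse_partition_table(mbr: bytes) -> list:
    """Return the four partition entries of a 512-byte MBR as dicts."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with a 55AA signature")
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        entries.append({"index": i, "active": status == 0x80,
                        "type": ptype, "start": lba, "sectors": count})
    return entries


def suspicious_boot_pointers(mbr: bytes, disk_sectors: int, tail_window: int = 64) -> list:
    """Flag active entries whose boot sector sits in the last `tail_window` sectors
    of the disk (where a Starship-style infection parks its body) or beyond the disk."""
    findings = []
    for e in parse_partition_table(mbr):
        if not e["active"] or e["type"] == 0:
            continue
        if e["start"] >= disk_sectors - tail_window:
            findings.append(f"entry {e['index']} boots from LBA {e['start']}, "
                            f"inside the last {tail_window} sectors of the disk")
        elif e["start"] + e["sectors"] > disk_sectors:
            findings.append(f"entry {e['index']} extends past the end of the disk")
    return findings


def build_mbr(entries) -> bytes:
    """Constructed MBR image: zero boot code, the given (status, type, start, count)
    entries, empty remaining slots, 55AA signature."""
    table = b"".join(struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3,
                                 start, count)
                     for status, ptype, start, count in entries)
    table += b"\x00" * 16 * (4 - len(entries))
    return b"\x00" * TABLE_OFFSET + table + b"\x55\xaa"


# Assumed 1 GiB disk; one FAT16 partition starting at the classic LBA 63.
DISK_SECTORS = 2 * 1024 * 1024
CLEAN_MBR = build_mbr([(0x80, 0x06, 63, DISK_SECTORS - 63)])
# Same entry after an infection that points the boot sector at the disk's tail.
INFECTED_MBR = build_mbr([(0x80, 0x06, DISK_SECTORS - 8, DISK_SECTORS - 63)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(label, suspicious_boot_pointers(image, DISK_SECTORS) or "no findings")
```

On a real image, read the first 512 bytes of the disk and pass the disk's sector count (for example from the image file size divided by 512); the heuristic says nothing about the rest of the boot code, so a hit is a reason to compare the MBR against a known-good copy, not a verdict on its own.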
Disclaimer: this column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It depends on luck.