A new piece of malware has been identified and assigned to the Remote Access Trojan family; the experts who found it named it Telegram-RAT. What sets it apart from the rest of the rat pack is its active use of public cloud services: the Telegram Bot API as an HTTPS communication channel and Dropbox for storing the payload.
That said, the creature turned out to be surprisingly nimble and clever: living proof that something witty can be assembled even from ready-made bricks. It is distributed in an entirely standard way: the authors rely on banal phishing and the memorable vulnerability CVE-2017-11882, the one Microsoft patched back in November. After that, events take a more interesting turn: the Trojan downloads its payload from Dropbox via a link disguised with a URL-shortening service. The file (which Dropbox administrators have since removed) is a 16-megabyte binary into which the code itself, all the libraries it needs to run, and even a Python interpreter are crammed. The large file size lulls the suspicions of some antivirus products, and they let it through without complaint.
And then the rat magic begins. To turn a respectable computer into a Nutcracker, the attacker took the publicly available code of the RAT-via-Telegram malware with minor modifications. Before the attack, the hacker created his own Telegram bot and embedded its token in the RAT configuration file. Once the TelegramRAT client is deployed, you can play the rat king: communicate with infected machines through the bot channel and send them your august will in a simple command format. Because the malicious traffic travels over SSL, courtesy of Telegram, most antivirus tools never catch the rodent.
The commands let the attacker gnaw at various parts of the system: take screenshots, execute malicious files, record audio from the microphone, shut down the computer... Strong witchcraft, in short.
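From the defender's side, the two cloud services the rat leans on are also what gives it away. The Bot API is called at api.telegram.org with the bot token embedded in the URL path (/bot<id>:<secret>/<method>), so an HTTPS proxy or EDR that logs the requested URL sees the beacon even though the content is encrypted, and a multi-megabyte executable pulled from Dropbox by an Office helper process is not normal behaviour. The script below is an added example, not code from the article or from any of the products it mentions: it runs two such checks over a constructed log in an invented "timestamp host process method url bytes" format. The host names, process names, bot ids and token strings are all made up; the allow-list of hosts permitted to talk to the Bot API (developer machines) is an assumption you would fill in for your own environment.

```python
import re
from collections import Counter, defaultdict

# Constructed proxy/EDR-style log: "<timestamp> <host> <process> <method> <url> <bytes>".
# Every line is made up for this example; none comes from the incident in the article.
# eqnedt32.exe is the Office Equation Editor that CVE-2017-11882 affects.
SAMPLE_LOG = """\
2017-12-20T10:00:01Z WS-017 eqnedt32.exe GET https://example-shortener.invalid/abc123 0
2017-12-20T10:00:02Z WS-017 eqnedt32.exe GET https://dl.dropboxusercontent.com/s/CONSTRUCTED/loader.exe 16777216
2017-12-20T10:00:30Z WS-017 loader.exe GET https://api.telegram.org/bot123456789:EXAMPLE_TOKEN/getUpdates 412
2017-12-20T10:00:31Z WS-017 loader.exe GET https://api.telegram.org/bot123456789:EXAMPLE_TOKEN/getUpdates 412
2017-12-20T10:00:32Z WS-017 loader.exe POST https://api.telegram.org/bot123456789:EXAMPLE_TOKEN/sendDocument 209715
2017-12-20T10:05:00Z DEV-02 python.exe GET https://api.telegram.org/bot987654321:DEVBOT_TOKEN/getUpdates 300
2017-12-20T10:06:00Z WS-018 chrome.exe GET https://www.dropbox.com/home 5120
2017-12-20T10:07:00Z WS-018 chrome.exe GET https://dl.dropboxusercontent.com/s/CONSTRUCTED/report.pdf 204800
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<method>GET|POST) (?P<url>\S+) (?P<size>\d+)$"
)
# Bot API URLs carry the bot token in the path: /bot<numeric id>:<secret>/<method>
BOT_API_RE = re.compile(
    r"^https://api\.telegram\.org/bot(?P<bot_id>\d+):[A-Za-z0-9_-]+/(?P<method>\w+)"
)
DROPBOX_HOSTS = {"dl.dropboxusercontent.com", "dl.dropbox.com", "www.dropbox.com"}
EXECUTABLE_EXT = (".exe", ".dll", ".scr")
LARGE_PAYLOAD = 10 * 1024 * 1024  # 10 MiB threshold; the article's payload was 16 MB


def parse_log(text):
    """Parse the constructed log text into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            records.append(rec)
    return records


def bot_api_beacons(records, allowed_hosts=frozenset()):
    """Group Telegram Bot API calls by (host, process, bot id), ignoring hosts that are
    allowed to run bots. Returns {(host, proc, bot_id): Counter of API methods}.
    A loop of getUpdates calls plus sendDocument/sendMessage is the long-polling RAT pattern."""
    calls = defaultdict(Counter)
    for rec in records:
        if rec["host"] in allowed_hosts:
            continue
        m = BOT_API_RE.match(rec["url"])
        if m:
            calls[(rec["host"], rec["proc"], m.group("bot_id"))][m.group("method")] += 1
    return dict(calls)


def large_dropbox_binaries(records, min_size=LARGE_PAYLOAD):
    """Return (host, proc, url) for executables of at least min_size fetched from Dropbox."""
    hits = []
    for rec in records:
        url_host = rec["url"].split("/")[2] if "://" in rec["url"] else ""
        path = rec["url"].split("?")[0].lower()
        if url_host in DROPBOX_HOSTS and path.endswith(EXECUTABLE_EXT) and rec["size"] >= min_size:
            hits.append((rec["host"], rec["proc"], rec["url"]))
    return hits


def report(text, allowed_hosts=frozenset({"DEV-02"})):
    """Run both checks over a log; DEV-02 is an assumed developer host that may run bots."""
    records = parse_log(text)
    return {
        "beacons": bot_api_beacons(records, allowed_hosts),
        "payloads": large_dropbox_binaries(records),
    }


if __name__ == "__main__":
    for kind, hits in report(SAMPLE_LOG).items():
        print(kind, hits)
```

On the sample, the only beacon left after the allow-list is WS-017's loader.exe polling one bot id, and the only payload hit is the 16 MiB loader.exe fetched by the Equation Editor process. The token-shaped path is the useful part: blocking api.telegram.org outright is rarely acceptable, but a per-host alert on Bot API calls from anything other than known bot runners costs nothing and fires before the first command arrives.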
New infection through Facebook
Telegram is not the only instant messaging service that can be put to work for attackers: Facebook Messenger has once again become a carrier of infection.
The Trojan is unoriginally hidden in an archive named video_xxxx.zip, where xxxx is not a hint at adult content but a four-digit number. If the user absent-mindedly launches the executable stored in the archive, Digmine lands on his computer: a rather primitive piece of malware that can only talk to its command server and follow its instructions. So far, the C&C sends Digmine a package that installs a Monero cryptocurrency miner and a malicious Chrome extension.
Once installed, the extension sends private messages containing the same infected archive to all of the victim's contacts. The attack will not work, however, if the user does not keep Facebook credentials stored in the browser. Users of any other browser, including the mobile version of the same Chrome, are also safe from the epidemic, as are, of course, users of platforms other than Windows.
As soon as the researchers who discovered the malware contacted Facebook, its administrators removed the malicious links from all users' messages; nothing, however, stops the attackers from changing the link and starting over. In addition, Facebook offered a free virus scan to anyone who suspects their computer has been infected. Sad, but a New Year's gift nonetheless.
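The lure itself is mechanical enough to check for at a mail or messenger gateway: an archive named video_ plus four digits that contains something Windows will execute. The following is an added example, not code from the article or from the researchers who found Digmine. It inspects a zip in memory and reports members that are executables either by extension or by the MZ magic bytes, so a binary renamed to look like a video is still caught. The extension list and the size guard are my assumptions; the article says only that the archive holds "an executable". The sample archives are built inside the script from a fake two-byte MZ stub, not from any real program.

```python
import io
import re
import zipfile

# The lure naming scheme described above: video_<four digits>.zip
LURE_NAME_RE = re.compile(r"^video_\d{4}\.zip$", re.IGNORECASE)
# Extensions Windows runs on double-click (assumed list; the article names none).
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
MAX_MEMBER_SIZE = 50 * 1024 * 1024  # skip oversized members (decompression-bomb guard)


def executable_members(zip_bytes):
    """Names of archive members that are executables, judged by extension or by the
    PE/MZ magic in the first two bytes (catches binaries renamed to .mp4 and the like)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_SIZE:
                continue
            with zf.open(info) as member:
                magic = member.read(2)  # only two bytes are read, never the whole member
            if info.filename.lower().endswith(EXECUTABLE_EXT) or magic == b"MZ":
                found.append(info.filename)
    return found


def is_lure_archive(filename, zip_bytes):
    """True when the file is named like the Digmine lure and carries an executable."""
    return bool(LURE_NAME_RE.match(filename)) and bool(executable_members(zip_bytes))


def build_zip(members):
    """Construct an in-memory zip from {name: bytes}; used only to make sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a fake MZ stub (not a real program) under two disguises,
# and a benign archive whose "video" starts with an MP4 ftyp box.
FAKE_MZ = b"MZ" + b"\x00" * 62
LURE_ZIP = build_zip({"video_1234.exe": FAKE_MZ, "clip.mp4": FAKE_MZ, "readme.txt": b"watch me"})
BENIGN_ZIP = build_zip({"holiday.mp4": b"\x00\x00\x00\x18ftypmp42", "notes.txt": b"text"})

if __name__ == "__main__":
    for name, data in (("video_4821.zip", LURE_ZIP),
                       ("video_4821.zip", BENIGN_ZIP),
                       ("photos.zip", LURE_ZIP)):
        print(name, executable_members(data), is_lure_archive(name, data))
```

The name match on its own is a weak signal (a legitimate camera export could be called video_0001.zip), which is why the rule requires both the name and an executable member. The magic-byte check is what matters against the next variant, since renaming the archive is the first thing the attackers will do once the current links are dead.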
Tsunami drowns WordPress sites
A cryptocurrency miner can be planted on a computer, or better yet on a victim's server, in a variety of ways, and the soaring Monero exchange rate tempts attackers of every stripe. Evidently, our next heroes of the week decided that all that social engineering business is not serious. What about good old brute force!
This time WordPress sites became the target: since last Monday they have been turned into miners one after another by simply brute-forcing the admin passwords. The attack apparently comes from a single botnet, but a large and toothy one: more than 10 thousand IP addresses, more than 14 million password attempts per hour against more than 190 thousand target sites.
On the hacked WordPress sites, a variation on the theme of the Kaiten malware, aka Tsunami, is dropped; it hides on the servers, creating copies of itself with names taken from an arbitrary file on the server. The malware receives its commands through unencrypted IRC channels. As a rule, they do not shine with variety: download a script from somewhere, then run it as one of the background processes. "Senior management" tells the infected machines either to join the brute-force effort or to mine cryptocurrency using some version of XMRig. From time to time the workload is redistributed, but no server brute-forces and mines at the same time. This means the botnet is actually much larger than the 10 thousand machines involved in the attack. When guessing passwords, publicly available login-password lists are used, as well as heuristic algorithms that take into account the domain name and the contents of the attacked site.
The guys from Wordfence spotted eight command servers (four of them with IP addresses belonging to the French cloud service provider OVH). They also managed to trace two cryptocurrency wallets holding more than 100 thousand dollars' worth of Monero. Almost certainly that is not all: in most cases the wallets were encrypted.
Brute-force attacks on WordPress have historically not been very successful, but here the stars apparently aligned: on the one hand, the Monero rate doubled; on the other, on December 5 a fresh database of 1.4 billion username-and-password combinations in plain text was published. How could one not try one's luck?
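The numbers above (14 million attempts an hour spread over 10 thousand addresses) work out to roughly 1,400 attempts per source per hour, or about one every two or three seconds, which is slow enough to slip under a naive "100 failures a minute" rule but far too fast for a human. The script below is an added example, not code from the article or from Wordfence: it reads Apache combined-format access log lines, isolates POSTs to the login endpoints, and reports three things a WordPress operator would want: sources whose failed attempts exceed a threshold inside a sliding window, sources that finally got a 302 after a run of failures (a guessed password, which calls for a reset rather than a mere block), and the peak number of distinct IPs posting credentials in any one minute, the signature of a distributed botnet. The log lines are constructed inside the script; the thresholds, the inclusion of xmlrpc.php as a login endpoint, and the convention that WordPress answers a failed login with 200 and a successful one with a 302 redirect are my assumptions, not claims from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Endpoints that accept WordPress credentials (xmlrpc.php is my addition, not in the article).
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def make_line(ip, ts, method, path, status):
    """Build one constructed Apache combined-format line for the sample data."""
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S +0000")}] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


BASE = datetime(2017, 12, 18, 10, 0, 0)
# Constructed sample: one noisy guesser; one source that fails three times and then gets a 302
# (assumed convention: WordPress redirects on success and re-shows the form with 200 on failure).
SAMPLE_LINES = (
    [make_line("203.0.113.10", BASE + timedelta(seconds=2 * i), "POST", "/wp-login.php", 200) for i in range(25)]
    + [make_line("198.51.100.7", BASE + timedelta(seconds=10 * i), "POST", "/wp-login.php", 200) for i in range(3)]
    + [make_line("198.51.100.7", BASE + timedelta(seconds=35), "POST", "/wp-login.php", 302)]
    + [make_line("192.0.2.5", BASE + timedelta(seconds=5), "GET", "/", 200)]
)


def parse(lines):
    """Yield (ip, timestamp, method, path, status) for lines matching the combined format."""
    for line in lines:
        m = APACHE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0], int(m.group("status"))


def login_posts(lines):
    """Group credential POSTs per IP as time-sorted lists of (timestamp, status)."""
    per_ip = defaultdict(list)
    for ip, ts, method, path, status in parse(lines):
        if method == "POST" and path in LOGIN_PATHS:
            per_ip[ip].append((ts, status))
    for events in per_ip.values():
        events.sort()
    return per_ip


def max_in_window(times, window):
    """Largest number of timestamps falling inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for i, t in enumerate(times):
        while times[start] < t - window:
            start += 1
        best = max(best, i - start + 1)
    return best


def brute_force_sources(lines, window=timedelta(minutes=1), threshold=20):
    """IPs whose failed login POSTs exceed `threshold` inside one `window` -> {ip: peak}."""
    flagged = {}
    for ip, events in login_posts(lines).items():
        failures = [ts for ts, status in events if status != 302]
        peak = max_in_window(failures, window) if failures else 0
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def success_after_failures(lines, min_failures=3):
    """IPs that logged in (302) after at least `min_failures` failed attempts."""
    hits = []
    for ip, events in login_posts(lines).items():
        failures = 0
        for _, status in events:
            if status == 302:
                if failures >= min_failures:
                    hits.append(ip)
                break
            failures += 1
    return hits


def distinct_login_sources(lines, bucket=timedelta(minutes=1)):
    """Peak number of distinct IPs posting credentials within one time bucket."""
    buckets = defaultdict(set)
    for ip, events in login_posts(lines).items():
        for ts, _ in events:
            buckets[ts.timestamp() // bucket.total_seconds()].add(ip)
    return max((len(ips) for ips in buckets.values()), default=0)


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_LINES))
    print("guessed passwords:", success_after_failures(SAMPLE_LINES))
    print("peak distinct sources per minute:", distinct_login_sources(SAMPLE_LINES))
```

For a botnet of this shape the per-IP threshold alone would miss most of the traffic, which is why the distinct-source count is worth a separate alert: a thousand addresses each trying a handful of passwords a minute against one site is obvious in aggregate and invisible per source. Whatever the logs say, the cheap mitigation the article implies is the same: admin passwords that do not appear in any published dump, and a lockout or second factor on wp-login.php and xmlrpc.php.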
Antiquities
Liberty
Dangerous resident virus. It infects COM and EXE files when they are executed. EXE files are infected in the standard way. When a COM file is infected, the virus is written to its end and 78h bytes of code (the decryptor of the virus body and a jump to it) are written at the beginning; the old beginning of the file is encrypted and stored inside the virus body. If there is not enough free space when infecting a file located on a diskette, the virus infects the boot sector of the diskette. The old boot sector and the virus body are written to the 40th track of the floppy disk (non-standard formatting is used), which can destroy information on 1M floppies.
Memory is infected either when an infected COM file is run or when the machine is booted from an infected floppy disk.
Some time after booting from a floppy disk, the virus decrypts and outputs the string "MAGIC MAGIC MAGIC MAGIC ...." to the screen, the printer and the serial ports. On the 10th boot from the floppy disk it disinfects it. Intercepts interrupts 8, 10h, 13h, 14h, 17h, 1Ch, 21h. Contains the strings: "Liberty", "-MYSTIC - COPYRIGHT © 1989-2000, by SsAsMsUsEsL".
Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. Depends on your luck.