News 1, News 2

Fans of free cryptocurrency seem preoccupied with the question of where to hide a miner so that it stays undetected for longer. As is well known, once everything banal has been tried, room opens up for creativity. So some craftsmen found a source of inspiration in the beautiful face of Hollywood star Scarlett Johansson.
The Monero hunters embedded the miner's code directly in a PNG photo of the star. This allowed the fraudsters not only to express themselves, but also to use the legitimate photo hosting service imagehousing.com to store the malware, and at the same time to fool some antivirus products.
The cybercriminals chose PostgreSQL database servers as the target of the attack. Before deploying the miner on a server, the discerning Johansson fans checked its computing power so as not to mine just anywhere (more precisely, where it would be unprofitable).
Having made sure that the server was suitable, the fraudsters downloaded the photo from the photo hosting service onto it, and then extracted the malicious code from it using the standard Linux utility dd. Next, the file was given full permissions, and when it was launched, it created the miner program itself.
When the campaign was discovered, this particular work of art was removed from the hosting service, but no one knows how many more shady photos contain the same (or other) code.
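A defensive check for the hiding technique described above, added here as an example and not taken from the original article: it walks a PNG's chunks, verifies each CRC, and reports any bytes that follow the IEND chunk. That the payload sits after the image data is an assumption (the article only says the code was inside the PNG and extracted with dd); the function names and the sample image are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def trailing_data(blob):
    """Return the bytes that follow the IEND chunk; raise ValueError if malformed."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(blob):
        # Chunk layout: 4-byte length, 4-byte type, body, 4-byte CRC.
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError("truncated chunk")
        body = blob[pos + 8:end - 4]
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        if zlib.crc32(ctype + body) != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        pos = end
        if ctype == b"IEND":
            return blob[pos:]  # a well-formed PNG has nothing here
    raise ValueError("no IEND chunk")

def classify(blob):
    """Label a PNG as clean or as carrying data after the image."""
    extra = trailing_data(blob)
    if not extra:
        return "clean"
    if extra.startswith(b"\x7fELF"):
        return "trailing ELF executable"
    return "trailing data (%d bytes)" % len(extra)

def _chunk(ctype, body=b""):
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def sample_png():
    """Constructed sample: a valid 1x1 grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND")

if __name__ == "__main__":
    print(classify(sample_png()))
    print(classify(sample_png() + b"\x7fELF" + b"\x00" * 12))  # constructed stub
```

Image viewers stop reading at IEND, so a file flagged here still displays normally; that is why a check like this belongs at the download or upload boundary rather than relying on visual inspection.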
The authors of another Monero miner found a way to hide their creation conveniently, one might say, in plain sight. To store the installer, the cryptocurrency hunters decided to use GitHub. Where else to hide malicious code, if not among other code?
For greater reliability, the cryptocurrency hunters created a mass of forks of publicly accessible projects and put an installer in each one: you can never have too many. At the same time, they were not original in how they spread the malware, choosing time-tested fake Adobe Flash Player updates.
In response to an attempt to clean the infection off GitHub, the criminals used the tactics of the Lernaean Hydra: while some infected pages were deleted, the miner appeared on others. As the greats said, the key to success is the ability to keep going toward your goal despite failures.
Black marketing among cybercriminals
News
But cybercriminals do not live on miners alone. Since the beginning of the year, at least three campaigns involving the Qrypter trojan have been recorded; its authors prefer to rent out their software for other people's attacks. Malware-as-a-Service, so to speak. And, like the other heroes of our roundup, they put their soul into the work.
The malware merchants have relied on active marketing: they advertise their creation, offer favorable rates to those who wish to resell it, and provide customer support through the Black & White Guys forum.
Among the advantages of the Trojan, colorfully described by the authors, are remote control over the infected device, including access to webcams, unrestricted manipulation of files and programs, and the ability to control the task manager. In addition, the malware monitors the firewalls and antiviruses running on the computer.
However, in advertising their services they did not limit themselves to describing the merits of the “product”. To finally convince potential customers of the exclusivity of their program, the craftsmen vividly demonstrate the shortcomings of competing solutions. And not in theory, but in practice: the developers periodically post cracked versions of other Trojans on the darknet.
So the malware specialists not only spread their own malware, but also give complete outsiders the opportunity to use the work of their competitors. A spectacular breeding ground for infection.
Antiquities
Yanshort Family

Viruses of this family infect EXE files in all directories of the current disk in the standard way. Not dangerous. Infected files contain the string "motherfucker", by which the virus distinguishes infected files from non-infected ones. The “Yanshort-1961” virus manifests itself by playing the melody “Yankee Doodle Dandy” when an infected program is launched. Under some conditions, programs affected by the Yanshort-1624 virus freeze at startup.
Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not. It depends on luck.