
Security Week 11: Doubtful Banking News, Miner Killer, Bank Imitation

News

And here is a curious fresh find by our colleagues. Some enterprising individuals decided to treat the public to unusual news. The news, however, was so-so: a not-very-fresh Internet Explorer exploit and the Buhtrap Trojan, known since 2014. All of this was planted on a number of Russian news sites, from which it was served to readers. Unnoticed, of course.



The Internet Explorer exploit (CVE-2016-0189), also known as VBScript Godmode, was not written by the attackers themselves; they borrowed it from public sources. The Trojan, too, was only slightly modified. It has, by the way, always been used to steal money from the accounts of legal entities, so apparently this was an attempt to reach the computers of finance staff.



The effectiveness of the whole exercise is doubtful. How many people read the news from desktop computers rather than mobile devices? How many of them still use Internet Explorer, and one that has not been patched since 2016 at that? And how many of those are finance staff? Well, let the authors of this campaign do that analysis.


Miner vs. Miners



News



An attacker developed almost the first fileless "black miner" of its kind, approached the task responsibly and meticulously ... and in three weeks of the campaign earned next to nothing: two hundred dollars. But his code unexpectedly helped create a tool against other miners.



To operate without needing a file on the infected system, this malware uses PowerShell. For its ability to leave no trace, the find was named GhostMiner.



As the analysis showed, the malware is potentially able to infect servers running MSSQL, phpMyAdmin and Oracle WebLogic. However, the specimens caught in the wild only hunted for random WebLogic servers on the network, penetrating them through the vulnerability described last October.



Once inside, the malware launched two PowerShell scripts that loaded two components into memory. One, a slightly modified XMRig, did the actual Monero mining; the other was responsible for spreading the infection further. But the most interesting part: the miner started working only after the malware had eliminated potential competitors, that is, any other cryptocurrency miners that might be on the server. Here the creators of GhostMiner showed exceptional knowledge of their trade: they not only added the ability to kill mining processes using blacklists of known threats, but also taught their creation to look for competitors by command-line arguments and by the TCP ports to which suspicious processes were connected.



The solution turned out to be so simple and effective that researchers at Minerva Labs even decided to turn it into a tool, which they called MinerKiller and uploaded to GitHub with minimal changes. A kind of recognition of the malware authors' involuntary contribution to the field of cybersecurity.
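As an added illustration (not GhostMiner's or MinerKiller's own code), here is a Python sketch of the three competitor-hunting heuristics described above, turned to defensive use: a blacklist of known miner process names, command-line patterns typical of mining software, and connections to TCP ports used by mining pools. The indicator values, the `Proc`/`classify` names and the sample process table are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
# Illustrative indicator lists (assumed values, not MinerKiller's own): known miner
# binary names, mining-software command-line fragments, and common pool TCP ports.
NAME_BLACKLIST = {"xmrig.exe", "xmrig", "minerd.exe", "cpuminer.exe", "nheqminer.exe"}
CMDLINE_PATTERNS = [re.compile(p, re.I) for p in (
    r"stratum\+(tcp|ssl)://",  # stratum mining-protocol URL
    r"--donate-level",         # xmrig-specific option
    r"--algo[= ]",             # hash algorithm selection
)]
POOL_PORTS = {3333, 3334, 4444, 5555, 7777, 8888, 9999, 14444}

@dataclass
class Proc:  # one running process with its established remote TCP ports
    pid: int
    name: str
    cmdline: str
    remote_ports: set = field(default_factory=set)

def miner_indicators(proc):
    """Return the reasons a process looks like a miner (empty list if none)."""
    reasons = []
    if proc.name.lower() in NAME_BLACKLIST:
        reasons.append(f"name:{proc.name.lower()}")
    for pat in CMDLINE_PATTERNS:
        if pat.search(proc.cmdline):
            reasons.append(f"cmdline:{pat.pattern}")
    ports = proc.remote_ports & POOL_PORTS
    if ports:
        reasons.append(f"ports:{sorted(ports)}")
    return reasons

def classify(procs):
    """Map pid -> (verdict, reasons). Name or command-line evidence is 'strong';
    a pool-port connection alone is 'weak' (browsers and other clients can use
    these ports too), so it is reported but should not trigger a kill."""
    verdicts = {}
    for p in procs:
        reasons = miner_indicators(p)
        if reasons:
            strong = any(not r.startswith("ports:") for r in reasons)
            verdicts[p.pid] = ("strong" if strong else "weak", reasons)
    return verdicts

# Constructed sample process table standing in for a live snapshot.
SAMPLE = [
    Proc(1337, "svchost.exe", "svchost.exe -o stratum+tcp://pool.example:3333 -u 4AB -p x --donate-level 1", {3333}),
    Proc(2001, "xmrig.exe", "xmrig.exe --config=c.json"),
    Proc(3002, "java.exe", "java.exe -Dweblogic.Name=AdminServer weblogic.Server", {443}),
    Proc(4003, "chrome.exe", "chrome.exe --type=renderer", {443, 3333}),
]
```

Running `classify(SAMPLE)` flags the renamed miner and the blacklisted binary as strong, reports the browser's pool-port connection only as weak, and leaves the WebLogic process alone.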



Don't call us, we'll call you



News



FakeBank, well known to security experts and distributed through social networks and third-party app stores (not Google Play), has become even more malicious. Previously it only stole financial and near-financial data, intercepted incoming SMS messages from banks and prevented legitimate banking applications from opening.



Now FakeBank has learned to redirect calls to the bank to other numbers and, conversely, to mask the fraudsters' phone number during incoming calls, so that the user gets the impression of being called by the bank. This is done by manipulating the user interface.



Posing as bank employees, the criminals coax out valuable information: card details and even the CVV code. Fortunately, in Android 8.0 Oreo applications are no longer allowed to manage the interface this way, so owners of phones with this OS have nothing to fear from the new version of the malware.



So far all FakeBank 2.0 attacks have taken place only in South Korea, but we should not relax either: the first version of FakeBank targeted Russian banks specifically.



Horoscope



Instead of the traditional legends of olden times, in this issue we decided to talk about a horoscope that will help you survive in the world of cyber threats. Who are you by zodiac sign: a set of end heads or a chamber brass band? Wacky practical advice can be found here.



Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It's a matter of luck.

Source: https://habr.com/ru/post/352484/


