Tag Archives: Malware

New Rapidly-Growing IoT Botnet Threatens to Take Down the Internet

Barely a year after Mirai, the IoT malware whose massive DDoS attacks caused vast Internet outages, security researchers are warning of a brand new and rapidly growing IoT botnet.

Dubbed ‘IoT_reaper’ and first spotted in September by researchers at Qihoo 360, the new malware no longer depends on cracking weak passwords; instead, it exploits known vulnerabilities in various IoT devices and enlists them into a botnet.

IoT_reaper currently carries exploits for nine previously disclosed vulnerabilities in IoT devices from the following manufacturers:

  • D-Link (routers)
  • Netgear (routers)
  • Linksys (routers)
  • GoAhead (cameras)
  • JAWS (cameras)
  • AVTECH (cameras)
  • Vacron (NVR)

Researchers believe IoT_reaper has already infected nearly two million devices and is growing at an extraordinary rate of about 10,000 new devices per day.

This is worrying because it took only about 100,000 infected devices for Mirai to take down DNS provider Dyn last year with a massive DDoS attack.

Besides this, researchers noted that the malware also embeds a list of more than 100 open DNS resolvers, which would let it launch DNS amplification attacks.

“Currently, this botnet is still in its early stages of expansion. But the author is actively modifying the code, which deserves our vigilance,” Qihoo 360 researchers say.

Meanwhile, researchers at Check Point are warning of what is probably the same IoT botnet, which they call “IoTroop” and which has already infected hundreds of thousands of organisations.

“It is too early to guess the intentions of the threat actors behind it, but with previous botnet DDoS attacks essentially taking down the Internet, it is vital that organisations make proper preparations and that defence mechanisms are put in place before an attack strikes,” the researchers said.

According to Check Point, IoTroop exploits vulnerabilities in wireless IP cameras and other devices from GoAhead, D-Link, TP-Link, AVTECH, Linksys, Synology and others.

At this time it is not known who created the botnet or why, but the DDoS threat landscape is growing fast, and attacks could reach tens of terabits per second.

“Our research suggests we are now experiencing the calm before an even more powerful storm. The next cyber hurricane is about to come,” Check Point researchers warned.

You need to be more vigilant about the security of your smart devices. In our previous article we provided some essential, practical steps to protect your IoT devices.


Hackers Use New Flash Zero-Day Exploit to Distribute FinFisher Spyware


FinSpy, the infamous surveillance malware, is back and infecting high-profile targets using a new Adobe Flash zero-day exploit delivered through Microsoft Office documents.

Security researchers from Kaspersky Lab have discovered a new zero-day remote code execution vulnerability in Adobe Flash Player that was being actively exploited in the wild by an advanced persistent threat group known as BlackOasis.

The critical type-confusion vulnerability, tracked as CVE-2017-11292, can lead to code execution and affects Flash Player on all major operating systems, including Windows, macOS, Linux and Chrome OS.

Researchers say BlackOasis is the same group that was also responsible for exploiting another zero-day vulnerability (CVE-2017-8759), discovered by FireEye researchers in September 2017.

Also, the final FinSpy payload in the current attacks exploiting the Flash zero-day (CVE-2017-11292) shares the same command-and-control (C&C) server as the payload used with CVE-2017-8759, a remote code execution vulnerability in the Windows .NET Framework.

So far BlackOasis has targeted victims in various countries, including Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, the Netherlands, Bahrain, the United Kingdom and Angola.

The newly reported Flash zero-day is at least the fifth zero-day the BlackOasis group has exploited since June 2015.

The exploit is delivered through a Microsoft Office document, specifically a Word file, attached to a spam email; the Word file embeds an ActiveX object that contains the Flash exploit.

The exploit deploys the FinSpy commercial malware as the attack’s final payload.

“The Flash object contains an ActionScript which is responsible for extracting the exploit using a custom packer seen in other FinSpy exploits,” the Kaspersky Labs researchers say.

FinSpy is a highly secretive surveillance tool that has previously been associated with Gamma Group, a British company that legally sells surveillance and espionage software to government agencies around the world.

FinSpy, also known as FinFisher, has extensive spying capabilities on an infected system, including conducting live surveillance by secretly turning on the webcam and microphone, recording everything the victim types on the keyboard, intercepting Skype calls and exfiltrating files.

To get onto a target’s system, FinSpy uses various attack vectors, including spear phishing, manual installation with physical access to the device, zero-day exploits and watering-hole attacks.

“The attack using the recently discovered zero-day exploit is the third time this year we have seen FinSpy distribution through exploits to zero-day vulnerabilities,” said Anton Ivanov, lead malware analyst at Kaspersky Lab.

“Previously, actors deploying this malware abused critical issues in Microsoft Word and Adobe products. We believe the number of attacks relying on FinSpy software, supported by zero day exploits such as the one described here, will continue to grow.”

Kaspersky Lab reported the vulnerability to Adobe, and the company has addressed the vulnerability with the release of Adobe Flash Player versions and

Just last month, ESET researchers found that legitimate downloads of several popular applications, including WhatsApp, Skype, VLC Player and WinRAR (reportedly compromised at the ISP level), were also distributing FinSpy.

Businesses and government organizations around the world are therefore strongly advised to install the Adobe update as soon as possible.

Microsoft will also likely be releasing a security update to patch the Flash Player components used by its products.


Hackers demand nude images instead of money

We thought we had seen everything, but hackers have managed to hit a new low. Last month, news about a new ransomware that demands nude photos instead of the usual cryptocurrency started circulating online. The new ransomware is called nRansomware and, like Locky, is malicious software that infects your device and holds it hostage. Luckily, the new threat is not state-of-the-art malware: while Locky encrypts your data, nRansomware is known only to lock your screen. That is unfortunate enough, but not devastating.

Until now, when a PC was infected with ransomware, the cybercriminals behind it were after immediate monetary gain. However, hackers’ shady techniques are continually evolving. Online troublemakers are starting to realize that Bitcoin and most other cryptocurrencies are not as anonymous and untraceable as they initially thought: payments can be tracked on the public ledger. So they have got creative, releasing ransomware that demands ten nude photos from the victim to “unlock” the computer.

The new ransomware feels like yet another episode of the modern-day nightmares in the hit TV series Black Mirror. When infected, your computer displays the text below instead of your desktop. The ruthless message from the hackers sits on a background containing offensive language and multiple images of Thomas the Tank Engine.

Your computer has been locked. You can only unlock it with the special unlock code. Go to protonmail.com and create an account. Send an email to 1_****_yourself_1@protonmail.com. We will respond immediately. After we reply, you must send at least ten nude pictures of you. After that, we will have to verify that the nudes belong to you. Once you are verified, we will give you your unlock code and sell your nudes on the deep web.

It does sound gross, doesn’t it? The last thing you want is perverts bidding over imagery of your naked body. Hackers have been stealing intimate images from celebrities for a long time. Sadly, now they are starting to realize that they can make a buck by extorting regular people too. You no longer have to be rich or famous to attract hackers’ attention.

Is it a prank or a sign of a new way hackers will make money from the innocent? Time will tell. One thing is for sure: cryptocurrencies are not untraceable, and cyber bullies with twisted minds are out there, unafraid to prey on the weak and continually finding new ways to avoid being caught. The chances of falling victim to such ransomware are slim to none if you are protected and follow our tips for staying out of trouble.

The post Hackers demand nude images instead of money appeared first on Panda Security Mediacenter.


Dridex, the Latest Version of the Credential Theft Malware

At the beginning of the year we wrote about a new evolution of cyber theft in the banking sector, and today we are pleased to share a report, painstakingly prepared by the Panda Security malware laboratory, on the latest version of Dridex, a famous banking Trojan known for its sophistication and its ability to go undetected on infected computers.

What is Dridex?

This document presents an analysis of a new variant of the malicious code known as “Dridex”, specifically its fourth version.

Dridex is a banking Trojan famous for its sophistication and its ability to go undetected on the devices it infects. Once infected, these devices are incorporated into a modular botnet, at which point malicious capabilities, whether external or the Trojan’s own, can be freely added to them via modules or libraries (sold separately).


The first version appeared toward the end of 2014. At the beginning of 2015 an important update gave way to a second version. Of the earlier versions, the most stable and resilient was the third, launched in April 2015 and used in well-known cyberattacks until the fourth version, the latest known version and the subject of this report, was found in February 2017.

No major update to Dridex had been seen since government agencies dismantled important components of the botnet in 2015.

This new variant of the banking Trojan incorporates new functionality. One addition is AtomBombing, a code-injection technique that avoids the API calls monitoring systems watch for (it stages the payload in the Windows global atom table and uses asynchronous procedure calls to make the target process copy it into its own memory). It also uses DLL hijacking to achieve persistence. Finally, various cryptographic routines were optimised and used to obtain the configuration.

Characteristics of the Trojan

The following are some static properties of the analysed file.

The hashes of the Trojan:

MD5:    001fcf14529ac92a458836f7cec03896
SHA256: a6db7759c737cbf6335b6d77d43110044ec049e8d4cbf7fa9bd4087fa7e415c7


The internal creation timestamp of the analysed sample is 16 May 2017. The file was compiled for 64-bit environments and, at the same time, masquerades as a legitimate Microsoft DLL.

Figure 1. File properties

Additionally, it is packed with a custom encryption scheme to evade antivirus detection.

The executable has a fairly high number of sections, 11 in total, as seen in Figure 2:

Figure 2. Static information of the analyzed binary

In the .DATA section the entropy is 7.799 (the maximum possible is 8, so the contents are effectively indistinguishable from random data), and the section is fairly large. This is where the heavily encrypted, packed binary (which, once decrypted, becomes the real malicious code) is stored.

In the first decryption layer, the executable allocates memory in its own process, copies the decrypted code into it and finally jumps to it, as shown in Figure 3:

Figure 3. Jump to shellcode

The first thing the shellcode does is obtain the addresses of the functions it will need. It does so by searching dynamically through the libraries already loaded into the process rather than importing them, so nothing appears in an import table.

To do this, it walks the PEB_LDR_DATA structure and the linked list of LDR_MODULE entries to locate the base address of each loaded DLL. It then reads the export table at the offset given in that module’s headers, iterating over all the functions the DLL exports until it finds the in-memory address of the function it is looking for.

Figure 4. Enumeration of loaded modules
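As an added example (not code from the Panda Security report or from Dridex itself), the following Python script builds a small, constructed PE32+ image in memory and then does two things the preceding paragraphs describe: it computes the Shannon entropy of each section, which is how an analyst arrives at a figure like 7.799 and why a large section near 8.0 points at a packed payload, and it resolves a function’s RVA by walking the export directory (AddressOfNames, AddressOfNameOrdinals, AddressOfFunctions) the way the shellcode does once it has a module base. Only the on-disk side is shown: the PEB/LDR_MODULE walk that yields the base address is a Windows-only, in-process step, so the example starts from the image bytes instead. The section names, export names and RVAs are assumptions chosen for the demonstration.

```python
"""Added example (not from the Panda report): build a tiny PE32+ image, then compute
per-section Shannon entropy (the check behind the 7.799 figure) and resolve an export by
name the way the Dridex shellcode does, by walking the export directory."""
import hashlib
import math
import struct
from collections import Counter

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)
EXPORT_DIR = "<IIHHIIIIIII"    # IMAGE_EXPORT_DIRECTORY (40 bytes)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_headers(image: bytes):
    """Return (export_dir_rva, [section dicts]) from the DOS/NT headers."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    assert image[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                  # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    datadir = opt + (112 if magic == 0x20B else 96)      # DataDirectory[0] = exports
    export_rva = struct.unpack_from("<I", image, datadir)[0]
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(SECTION_HDR, image, opt + opt_size + 40 * i)[:5]
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawptr": rawptr, "raw": image[rawptr:rawptr + rawsize]})
    return export_rva, sections


def rva_to_offset(sections, rva: int) -> int:
    """Translate an RVA to a file offset via the section table (on disk, RVA != offset)."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], len(s["raw"])):
            return s["rawptr"] + (rva - s["va"])
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def section_entropies(image: bytes) -> dict:
    """{section name: entropy}; anything above ~7.0 is a packed/encrypted payload candidate."""
    return {s["name"]: shannon_entropy(s["raw"]) for s in parse_headers(image)[1]}


def resolve_export(image: bytes, wanted: str):
    """Walk AddressOfNames -> AddressOfNameOrdinals -> AddressOfFunctions; return the RVA or None."""
    export_rva, sections = parse_headers(image)
    if not export_rva:
        return None
    off = lambda rva: rva_to_offset(sections, rva)
    nnames, funcs, names, ords = struct.unpack_from(EXPORT_DIR, image, off(export_rva))[7:]
    for i in range(nnames):
        name_off = off(struct.unpack_from("<I", image, off(names) + 4 * i)[0])
        if image[name_off:image.index(b"\0", name_off)] != wanted.encode():
            continue
        idx = struct.unpack_from("<H", image, off(ords) + 2 * i)[0]   # unbiased index, not an ordinal
        return struct.unpack_from("<I", image, off(funcs) + 4 * idx)[0]
    return None


def build_sample_image() -> bytes:
    """Constructed sample: .rdata with three exports, a near-empty .text, a random-looking .data."""
    exports = [("NtCreateFile", 0x2000), ("NtOpenFile", 0x2010), ("LdrLoadDll", 0x2020)]
    by_name = sorted(exports)                      # loaders expect the name table sorted
    strings, name_rvas = b"", []
    for n, _ in by_name:
        name_rvas.append(0x1048 + len(strings))    # string pool starts right after the tables
        strings += n.encode() + b"\0"
    rdata = struct.pack(EXPORT_DIR, 0, 0, 0, 0, 0x1048 + len(strings), 1, 3, 3, 0x1028, 0x1034, 0x1040)
    rdata += b"".join(struct.pack("<I", rva) for _, rva in exports)          # AddressOfFunctions
    rdata += b"".join(struct.pack("<I", r) for r in name_rvas)               # AddressOfNames
    rdata += b"".join(struct.pack("<H", exports.index(e)) for e in by_name)  # AddressOfNameOrdinals
    rdata = (rdata + b"\0\0" + strings + b"sample.dll\0").ljust(0x200, b"\0")
    text = bytearray(0x200)
    text[0x00] = text[0x10] = text[0x20] = 0xC3                              # three 'ret' stubs
    data = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(32))
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, 0x200, 0x600, 0, 0x2000,
                      0x2000, 0x180000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x4000, 0x200, 0,
                      3, 0x160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += struct.pack("<II", 0x1000, 0x48) + b"\0" * (8 * 15)               # export DataDirectory
    sec = lambda name, va, vsize, rawptr, rawsize, flags: struct.pack(
        SECTION_HDR, name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)
    headers = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
               + struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, len(opt), 0x2022) + opt
               + sec(b".rdata", 0x1000, 0x200, 0x200, 0x200, 0x40000040)
               + sec(b".text", 0x2000, 0x200, 0x400, 0x200, 0x60000020)
               + sec(b".data", 0x3000, 0x400, 0x600, 0x400, 0xC0000040)).ljust(0x200, b"\0")
    return headers + rdata + bytes(text) + data


if __name__ == "__main__":
    img = build_sample_image()
    for name, h in section_entropies(img).items():
        print(f"{name:7} entropy={h:.3f}{'  <- packed/encrypted?' if h > 7.0 else ''}")
    print("LdrLoadDll RVA:", hex(resolve_export(img, "LdrLoadDll")))
```

Running it prints the three sections’ entropies (only .data exceeds 7.0) and 0x2020 for LdrLoadDll. Note that the name is at index 0 of the name table but its code is at index 2 of the function table, which is why the ordinal table must be consulted rather than assuming the two tables line up.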

The shellcode then checks whether the undocumented LdrLoadDll function has been hooked: it takes the function’s address and checks whether the first byte is 0xE9, the opcode of a near jmp instruction.

Figure 5. Hook Verification
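The hook check above, as an added example (not from the report), applied to constructed prologue bytes: the shellcode’s test is just “first byte equals 0xE9”, but a detection or anti-evasion routine usually wants the jump decoded so the target can be attributed to a module, and a check for 0xE9 alone misses detours written as jmp [rip+disp32] or mov rax, imm64 / jmp rax. The module base, function offsets and prologue bytes are assumptions for the demonstration.

```python
"""Added example (not from the Panda report): the prologue check the shellcode performs on
LdrLoadDll, generalised to the other detour encodings a hooking engine might use.
Addresses and prologue bytes below are constructed for the demonstration."""
import struct

MASK64 = (1 << 64) - 1


def hook_target(func_addr: int, prologue: bytes):
    """Return where an inline hook at func_addr redirects to, or None if it looks clean.

    E9 rel32            jmp rel32          (the single byte Dridex checks for)
    FF 25 disp32        jmp [rip+disp32]   (pointer lives in memory; we return the slot address)
    48 B8 imm64 FF E0   mov rax, imm64 / jmp rax (absolute, 12 bytes)
    """
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return (func_addr + 5 + rel) & MASK64
    if len(prologue) >= 6 and prologue[:2] == b"\xff\x25":
        disp = struct.unpack_from("<i", prologue, 2)[0]
        return (func_addr + 6 + disp) & MASK64
    if len(prologue) >= 12 and prologue[:2] == b"\x48\xb8" and prologue[10:12] == b"\xff\xe0":
        return struct.unpack_from("<Q", prologue, 2)[0]
    return None


def find_hooked(exports: dict) -> dict:
    """exports: {name: (address, first bytes)} -> {name: target} for every hooked entry."""
    found = {}
    for name, (addr, prologue) in exports.items():
        target = hook_target(addr, prologue)
        if target is not None:
            found[name] = target
    return found


def jmp_rel32(at: int, to: int) -> bytes:
    """Encode 'jmp rel32' placed at address `at` and landing on `to` (what a hooking engine writes)."""
    return b"\xe9" + struct.pack("<i", to - (at + 5))


# Constructed sample: ntdll at a made-up base, two functions patched by a sandbox/AV hook.
NTDLL_BASE = 0x7FFA_1234_0000
TRAMPOLINE = 0x7FFA_0000_1000
SAMPLE_EXPORTS = {
    "LdrLoadDll":   (NTDLL_BASE + 0x2020, jmp_rel32(NTDLL_BASE + 0x2020, TRAMPOLINE) + b"\x90" * 3),
    "NtCreateFile": (NTDLL_BASE + 0x2000, b"\x4c\x8b\xd1\xb8\x55\x00\x00\x00"),  # mov r10,rcx; mov eax,55h
    "NtOpenFile":   (NTDLL_BASE + 0x2010, b"\x48\xb8" + struct.pack("<Q", TRAMPOLINE) + b"\xff\xe0"),
}

if __name__ == "__main__":
    for name, target in find_hooked(SAMPLE_EXPORTS).items():
        print(f"{name} is hooked -> {target:#x}")
```

With these inputs, LdrLoadDll and NtOpenFile are reported as hooked and both resolve to the same trampoline, while the clean syscall stub for NtCreateFile is not. The 0xE9-only check the shellcode uses would have missed the NtOpenFile detour entirely.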

If that check succeeds, it unmaps from the process the module named “snxhk.dll”, an Avast and AVG library that installs hooks to monitor processes running in the sandbox.

Figure 6. Library: snxhk.dll

Finally, the shellcode decrypts the executable stored in the .DATA section in memory, copies it over the base image address and runs the resulting executable.

Figure 7. Decrypted executable

In summary, the full unpacking process of the sample is shown schematically in Figure 8.

Figure 8. Complete unpacking process

Make sure to use advanced cybersecurity solutions like Adaptive Defense 360 that monitor the organization’s systems in real time, detecting and stopping any suspicious behavior that could be harmful to your business.

For more information, download the full report.

The post Dridex, the Latest Version of the Credential Theft Malware appeared first on Panda Security Mediacenter.


Decoding pickpockets and malware

Decoding pickpockets and malware - the most dangerous online threats of 2017

Malware attacks can seem as random as a pickpocket cleaning out your pocket in the city center: these things happen and you just happened to be there. While pickpockets are a great metaphor for cybersecurity, neither pickpockets nor malware are completely random events. Pickpockets aren’t just taking a random walk in the park […]

The post Decoding pickpockets and malware appeared first on Avira Blog.
