Monthly Archives: July 2017

Hackers are making their malware more powerful by copying WannaCry and Petya ransomware tricks

Hackers responsible for one of the most common forms of banking Trojans have learned lessons from the global WannaCry ransomware outbreak and the Petya cyberattack, and have equipped their malware with a worm propagation module to help it spread more efficiently.

The credential-stealing Trickbot has been hitting the financial sector since last year and more recently it has added a long list of UK and US banks to its targets. The attacks are few in number but highly targeted. The malware is spread via emails that claim to be from an international financial institution, which then lead the victim to a fake login page used to steal credentials.


Now the gang behind Trickbot is testing additional techniques with a new version of the malware — known as 1000029 — and researchers at Flashpoint who’ve been watching it say it can spread via Server Message Block (SMB), crudely replicating the technique that allowed WannaCry and Petya to spread around the world so quickly.

A Windows security flaw known as EternalBlue was one of many allegedly known to US intelligence services and used to carry out surveillance before being leaked by the Shadow Brokers hacking group. The exploit leverages a version of Windows’ Server Message Block (SMB) networking protocol to spread itself across an infected network using wormlike capabilities.

Using SMB, Trickbot can now scan domains for lists of servers via the NetServerEnum Windows API and establish the number of computers on the network using Lightweight Directory Access Protocol (LDAP) enumeration.

The malware can also leverage inter-process communication to propagate and execute a PowerShell script as a final payload, which downloads an additional copy of Trickbot — this time disguised as ‘setup.exe’ — onto the shared drive.

Crucially, this test version of Trickbot doesn’t appear to be fully implemented by the hacking gang behind the malware, nor does it have the ability to randomly scan external IPs for SMB connections, unlike the worm behind the WannaCry ransomware.
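As an added illustration that is not part of the article or Flashpoint’s research, the Python below shows a defender-side check for the behaviour described above: one host opening SMB (TCP 445) connections to many distinct internal peers within a short window, which is the fan-out that in-network worm propagation produces. The log format, addresses and timestamps are constructed for the example, and external destinations are deliberately ignored since the described module does not scan outside the network.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample flow records (not real telemetry): 10.0.0.5 fans out over
# SMB (TCP 445) to six internal peers in a few seconds; 10.0.0.9 is normal.
SAMPLE_LOG = """\
2017-07-27T10:02:11Z src=10.0.0.5 dst=10.0.0.17 dport=445 proto=tcp
2017-07-27T10:02:12Z src=10.0.0.5 dst=10.0.0.18 dport=445 proto=tcp
2017-07-27T10:02:12Z src=10.0.0.5 dst=10.0.0.19 dport=445 proto=tcp
2017-07-27T10:02:13Z src=10.0.0.5 dst=10.0.0.20 dport=445 proto=tcp
2017-07-27T10:02:14Z src=10.0.0.5 dst=10.0.0.21 dport=445 proto=tcp
2017-07-27T10:02:15Z src=10.0.0.5 dst=10.0.0.22 dport=445 proto=tcp
2017-07-27T10:02:40Z src=10.0.0.9 dst=10.0.0.2 dport=445 proto=tcp
2017-07-27T10:03:05Z src=10.0.0.9 dst=10.0.0.2 dport=445 proto=tcp
2017-07-27T10:03:09Z src=10.0.0.9 dst=93.184.216.34 dport=443 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def parse(log_text):
    """Yield (timestamp, src, dst, dport); lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group("src"), m.group("dst"), int(m.group("dport"))

def smb_fanout_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {src: peers} for sources that reached >= threshold distinct
    private-range hosts on TCP 445 within any window-long interval."""
    events = defaultdict(list)  # src -> [(ts, dst)] for internal SMB flows only
    for ts, src, dst, dport in parse(log_text):
        if dport == 445 and ip_address(dst).is_private:
            events[src].append((ts, dst))
    hits = {}
    for src, items in events.items():
        items.sort()
        best, start = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # slide window
                start += 1
            best = max(best, len({d for _, d in items[start:end + 1]}))
        if best >= threshold:
            hits[src] = best
    return hits

if __name__ == "__main__":
    print(smb_fanout_sources(SAMPLE_LOG))  # {'10.0.0.5': 6}
```

The threshold and window are tuning knobs; legitimate file servers and backup hosts reach many peers on 445 too, so an allow-list of known SMB clients belongs in front of this check in production.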

Nonetheless, researchers warn that this development once again demonstrates the evolving, professional work of the cybercrime gang behind Trickbot as they examine further ways to steal financial data from banks and private wealth management firms.

Ultimately, if successfully deployed, the worm could allow Trickbot to infect other computers on the same network as the machine initially compromised by a phishing email, either for further credential theft and account takeover, or even to rope them into a botnet for further spread of malware.

“Even though the worm module appears to be rather crude in its present state, it is evident that the Trickbot gang learned from the global ransomware worm-like outbreaks of WannaCry and NotPetya and is attempting to replicate their methodology,” said Vitali Kremez, director of Research at Flashpoint.

While Trickbot isn’t as prolific as the likes of Zeus, Gozi, Ramnit, and Dridex, researchers warn that Trickbot will continue to be a “formidable force” in future, as its authors look to add more potent capabilities to this dangerous malware.

Ransomware: This free tool lets you decrypt files locked by a common version of the malware

Emsisoft has released a free decryption tool for the latest version of Nemucod ransomware — meaning you can get your files back for free.


Victims of the latest version of one of the most common forms of ransomware could now be able to get their files back without giving in to cybercriminals’ demands — thanks to the release of a new decryption tool.

The Nemucod ransomware family has been active since at least 2015 and has remained one of the most common ransomware threats for much of the time since. Researchers have cracked previous versions of Nemucod, but the group behind the ransomware doesn’t give up and continually releases new versions in an effort to stay one step ahead of security companies.

Indeed, those behind Nemucod released a new version of their ransomware — NemucodAES — delivering the malicious component via a PHP script and PHP interpreter in order to encrypt the victim’s files.

Like previous versions of the ransomware, NemucodAES dupes victims into clicking on a malicious link that delivers the malware through emails that claim to contain information about an undelivered package.

However, one key difference from previous incarnations is that it has changed the encryption from RC4 to a mix of AES-128 in ECB mode and RSA encryption, with a randomly generated 128-bit per-file key, in order to make the files more difficult to decrypt.

Those infected with NemucodAES are presented with a ransom note demanding a Bitcoin ransom of $300 in exchange for the return of their files.

However, those who fall foul of this latest version of Nemucod may not have to pay the ransom in order to regain access to their system, as researchers at Emsisoft have released a free decryption tool for NemucodAES.

“Not to be outplayed by cybercriminals, our lab promptly went to work and produced a new version of our decrypter to handle NemucodAES and free victim’s files,” the company said in a blog post.

Emsisoft is part of the No More Ransom initiative, a partnership between law enforcement and cybersecurity firms which provides free keys for unlocking encrypted files and information on how to avoid getting infected with ransomware in the first place.

India’s Reliance Jio suffers data breach

A database containing information on over 120 million Reliance Jio customers has been leaked, according to reports from local media in India.

Fonearena first reported on Monday that sensitive details such as names, mobile numbers, email addresses, and Aadhaar Number — a 12-digit random number issued to residents by the Unique Identification Authority of India — had been leaked and made available on a now-pulled website, magicapk.com, which was shared via social media sites in India.

The website reportedly asked visitors to enter a Reliance Jio mobile number to get access to SIM details.

“We have come across the unverified and unsubstantiated claims of the website and are investigating it. Prima facie, the data appears to be unauthentic,” a Jio spokesperson told the publication.

“We want to assure our subscribers that their data is safe and maintained with highest security. Data is only shared with authorities as per their requirement.”

Jio, which shook the Indian telecom market with cheap data and free calls last year, also said it has informed law enforcement agencies about the reported breach and will “follow through to ensure strict action is taken”.

Fonearena stands by its claims, however, with the article’s writer confirming he had found valid information on the magicapk.com website.

Reliance Jio is an LTE mobile network operator in India and a wholly-owned subsidiary of Reliance Industries, based in Mumbai, India.

Jio is planning nationwide domination, banking on its “future proof” IP network to bring transformational changes to the Indian digital services space.