Category Archives: (G) Hacking News

This old ransomware has been revamped as Bitcoin-stealing malware

An old form of ransomware has been re-purposed to steal bitcoin by altering the addresses of wallets and redirecting payments into accounts owned by the attacker.

Little of the malicious code has been changed, so a number of security products will still identify it as the file-locking malware despite this version's new role: outright theft of cryptocurrency.

Detailed by researchers at Fortinet, the Bitcoin-stealing campaign has its origins in Jigsaw, a form of ransomware which appeared in April 2016 and is infamous for displaying the face of the horror-film antagonist it is named after.

Jigsaw's source code has been available for a long time and is widely distributed online, so the attack is unlikely to be the work of the original ransomware author: anyone who can read and modify C# could tailor the malware to their own ends.

In this instance, the author is looking to profit from the popularity of bitcoin, which is still by far the most valuable cryptocurrency.

References in the code refer to the malware simply as 'BitcoinStealer', although that string can only be found by reverse-engineering the binary, so victims never see this giveaway of the software's intentions.

The malware's main job is to watch the clipboard for a Bitcoin address copied from a wallet and silently swap it for an attacker-controlled address, so that the payment ends up in the attackers' hands.


Common sense might suggest that users would notice the address has changed, but BitcoinStealer replaces the legitimate address with a forged one that shares the same or similar characters at the beginning and end of the string, which is all most people glance at, in order to trick the user into believing it is the intended address.

Address spoofing used to redirect Bitcoin payments.

Image: Fortinet
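As an added example (not Fortinet's code and not the BitcoinStealer sample itself), the following Python shows the swap from both sides: the attacker's choice of a lookalike from a pool of their own addresses, and the check a user or wallet should apply. The addresses are constructed for the demo, Base58-shaped but not real wallets, and no checksum is verified, because the attacker's replacement is a real, valid address and a checksum would not catch the swap.

```python
# Added example (not Fortinet's code and not the BitcoinStealer sample):
# the clipboard-swap trick from the article, with a lookalike picker on the
# attacker side and the check a user or wallet should apply on the defender side.
import re

# Legacy Base58 address shape (prefix 1 or 3, no 0/O/I/l characters). The
# checksum is deliberately not verified: the attacker's replacement is a real,
# valid address, so checksum validation does not detect the swap.
BTC_ADDRESS_RE = re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}")

# Constructed addresses for the demo; Base58-shaped, not real wallets.
VICTIM_ADDRESS = "1FzWLkAXo4h6Gj6WbV1mXxR1sT6Mwd1DaV"
ATTACKER_POOL = [
    "3PqGxn7eNmQ2kvhtB4yRZcdsWuVYK8jTfS",  # shares nothing with the victim
    "1KpYhR3vT8xWnDmCzEq6Jg2bfLsNuA9cRV",  # shares "1" and "V"
    "1FzW9qKPt2nHcD4ykRjLvBmG8sEuAhxYaV",  # shares "1FzW" and "aV"
    "1FzWLq7Vh2GcXmKyeRt9PnsU8bBoN3kDaV",  # shares "1FzWL" and "DaV"
]


def looks_like_btc_address(text):
    """True if the whole clipboard content has the shape of a legacy address."""
    return BTC_ADDRESS_RE.fullmatch(text.strip()) is not None


def _common_prefix_len(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def pick_lookalike(victim, pool):
    """Attacker side: the pool address sharing the longest head and tail with
    the victim's address, which is exactly what makes a glance check pass."""
    def score(cand):
        head = _common_prefix_len(victim, cand)
        tail = _common_prefix_len(victim[::-1], cand[::-1])
        return head + tail
    return max(pool, key=score)


def hijack_clipboard(clipboard_text, pool):
    """Attacker side: what the clipboard hook does on every clipboard update.
    Non-address content passes through untouched so the victim notices nothing."""
    if not looks_like_btc_address(clipboard_text):
        return clipboard_text
    return pick_lookalike(clipboard_text.strip(), pool)


def glance_check(expected, shown, n=3):
    """The check most people actually do: compare the first and last few chars."""
    return expected[:n] == shown[:n] and expected[-n:] == shown[-n:]


def clipboard_tampered(copied, pasted):
    """Defender side: the address in the payment field must be character for
    character what was copied. Any difference at all is a red flag."""
    return copied.strip() != pasted.strip()


if __name__ == "__main__":
    pasted = hijack_clipboard(VICTIM_ADDRESS, ATTACKER_POOL)
    print("copied :", VICTIM_ADDRESS)
    print("pasted :", pasted)
    print("glance check (3 chars) passes:", glance_check(VICTIM_ADDRESS, pasted))
    print("full comparison flags tampering:", clipboard_tampered(VICTIM_ADDRESS, pasted))
```

Run it and the three-character glance check passes while the full comparison flags the swap. Extending the glance to four characters catches this particular forgery only because the pool is four addresses long; an attacker who pre-generates thousands of keys can match as many leading and trailing characters as the victim is likely to read, which is why the comparison has to cover the whole string.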

Researchers say that these attacks have successfully stolen at least 8.4 Bitcoin, which currently works out at around $62,000 (£48,000). So while the attack is basic, it is seemingly effective.

During the course of the investigation into the malware, Fortinet uncovered similar projects for building and modifying cryptocurrency stealers being advertised on underground forums.

This episode goes to show that even the most basic cyber attacks can result in a big loss for victims. Bitcoin users should always compare the full destination address with the one they intended to pay, not just its first and last few characters, before sending.

Hackers are selling backdoors into PCs for just $10

Cyber criminals are offering remote access to IT systems for just $10 via a dark web hacking store — potentially enabling attackers to steal information, disrupt systems, deploy ransomware and more.

The sale of backdoor access to compromised systems was uncovered by researchers at McAfee Labs looking into the sale of remote desktop protocol (RDP) access to hacked machines on underground forums, some of which are selling access to tens of thousands of compromised systems.

RDP is a standard Windows feature which allows one user to connect to and control another computer over a network. It is commonly used for support and administration, but in the wrong hands RDP can be leveraged with devastating consequences: researchers point to SamSam ransomware campaigns, which begin with RDP access, as an example.

Buying RDP access also spares the attacker the initial-access work, because they no longer need spear-phishing emails or exploit kits to get a foothold.


Systems advertised for sale on the forum range from Windows XP through to Windows 10, with access to Windows 2008 and 2012 Server most common. The store owners also offer tips for how those using the illicit logins can remain undetected.

Examining the IP addresses of compromised machines listed in one online store led researchers to discover that three belonged to a single international airport.

“This is definitely not something you want to discover on a Russian underground RDP shop,” said John Fokker, head of cyber investigations for McAfee Advanced Threat Research.

Further investigation found that two of the IP addresses were presented alongside a screenshot of a login screen, accessible via RDP, showing three user accounts tied to the system, one of them the administrator account.

Perhaps most significantly, McAfee says the accounts are associated with two companies which provide airport security: one in camera surveillance, and one in security and building automation.


But with tens of thousands of RDP logins for sale, the airport wasn't the only sensitive system found up for sale: researchers discovered criminals selling access to systems belonging to government bodies, hospitals and nursing homes.

All of the organisations identified as having access to their systems up for sale have been informed, and McAfee is working with them to establish how the machines were compromised.

To protect against this type of attack, researchers recommend complex passwords and two-factor authentication, and not exposing RDP directly to the internet. System administrators should also watch for logins from unexpected IP addresses and for unusual login attempts, such as bursts of failed logons from a single source.
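Added example, not McAfee's tooling: a small Python detector for the two signals the recommendation above names, RDP logons from outside the organisation's own address space and bursts of failed RDP logons from one source. The records are constructed for the demo; they carry the fields of Windows Security events 4624 (successful logon) and 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP), but were not exported from a real host, and the assumption that internal hosts live in RFC 1918 space is the demo's own.

```python
# Added example (not McAfee's tooling): flag RDP logons from outside the
# organisation's own ranges and brute-force patterns, over constructed records.
# Field names mirror Windows Security events 4624/4625 (LogonType, TargetUserName,
# IpAddress) but the records below are hand-made for the demo, not a real export.
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: EventID,LogonType,TargetUserName,IpAddress,Time
SAMPLE_EVENTS = """\
4624,10,jsmith,10.20.5.17,2018-07-10T08:02:11
4625,10,administrator,198.51.100.23,2018-07-10T08:03:01
4625,10,administrator,198.51.100.23,2018-07-10T08:03:04
4625,10,admin,198.51.100.23,2018-07-10T08:03:07
4625,10,backup,198.51.100.23,2018-07-10T08:03:09
4625,10,scanner,198.51.100.23,2018-07-10T08:03:12
4624,10,administrator,198.51.100.23,2018-07-10T08:03:40
4624,3,svc-files,10.20.7.3,2018-07-10T08:05:00
4624,10,cctv-ops,203.0.113.9,2018-07-10T08:10:22
"""

RDP_LOGON_TYPE = "10"   # LogonType 10 = RemoteInteractive (RDP)
FAILED_THRESHOLD = 5    # failed RDP logons from one source before alerting

# Assumption for the demo: the organisation's own hosts sit in RFC 1918 space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True if the source address belongs to one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_events(text):
    """Turn the CSV-style records into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, logon_type, user, ip, ts = line.split(",")
        events.append({"id": event_id, "type": logon_type,
                       "user": user, "ip": ip, "time": ts})
    return events


def find_rdp_findings(events):
    """Walk the events in order and emit findings as (kind, source_ip, detail).

    - rdp_bruteforce: FAILED_THRESHOLD failed RDP logons from one source,
      with the list of account names tried (spraying shows up as many names).
    - rdp_external_logon: a successful RDP logon from a non-internal address.
    - rdp_external_logon_after_failures: the same, but the source had already
      failed against this host, the classic sign of a guessed password.
    """
    findings = []
    failures = Counter()
    users_tried = defaultdict(set)
    for e in events:
        if e["type"] != RDP_LOGON_TYPE:
            continue  # network/service logons are out of scope here
        if e["id"] == "4625":
            failures[e["ip"]] += 1
            users_tried[e["ip"]].add(e["user"])
            if failures[e["ip"]] == FAILED_THRESHOLD:
                findings.append(("rdp_bruteforce", e["ip"],
                                 sorted(users_tried[e["ip"]])))
        elif e["id"] == "4624" and not is_internal(e["ip"]):
            kind = ("rdp_external_logon_after_failures" if failures[e["ip"]]
                    else "rdp_external_logon")
            findings.append((kind, e["ip"], e["user"]))
    return findings


if __name__ == "__main__":
    for finding in find_rdp_findings(parse_events(SAMPLE_EVENTS)):
        print(*finding)
```

On the sample this yields three findings: a brute-force alert for 198.51.100.23 after five failures across four account names, a successful administrator logon from that same address immediately afterwards, and a successful external logon for cctv-ops from 203.0.113.9 with no prior failures. The last one is the case the airport story illustrates: a valid credential bought from a shop produces no failures at all, so an external successful RDP logon has to be alert-worthy on its own, not only when preceded by a brute force.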

“Even a state-of-the-art solution cannot provide security when the backdoor is left open or carries only a simple padlock. Just as we check the doors and windows when we leave our homes, organizations must regularly check which services are accessible from the outside and how they are secured,” said Fokker.

This sneaky Windows malware delivers adware – and takes screenshots of your desktop

A newly uncovered form of stealthy and persistent malware is distributing adware to victims across the world while also allowing attackers to take screenshots of infected machines’ desktops.

Discovered by researchers at Bitdefender, the malware has been named Zacinlo after its final payload; the campaign that delivers it first appeared in 2012.

The vast majority of Zacinlo victims are in the US, with 90 percent of those infected running Microsoft Windows 10. There are also victims in other regions of the world, including Western Europe, China and India. A small percentage of victims are running Windows 7 or Windows 8.

What makes Zacinlo so unusual is that it is delivered by a rootkit, a form of malicious software which manipulates the operating system and any installed anti-malware so that the machine remains oblivious to the malware's existence. Rootkit-based malware is complex to build and is therefore rare, accounting for less than one percent of all malware.

Android alert: This new type of rowhammer GPU attack can hijack your phone remotely

Researchers have developed a technique dubbed ‘GLitch’, which uses the WebGL JavaScript graphics library, aided by a device’s integrated GPU, to remotely compromise Android smartphone browsers.

The attack lowers the bar to pulling off so-called rowhammer attacks, which flip bits in physical memory to defeat built-in security protections.

The researchers note that most defenses against rowhammer attacks have focused on protecting CPU cores, and show that GPUs that are integrated with CPUs — common on mobile system on chips — are another attack avenue.

With this technique, an attacker could use malicious JavaScript hosted on a website to quickly compromise a smartphone without requiring malware.

A year after rowhammer attacks were first reported in 2014, researchers at Google Project Zero drew attention to vulnerabilities affecting dozens of x86 laptops using bit flips in DRAM to escalate privileges.


The rowhammer problem is the result of ever-smaller DRAM cells, which has made it harder to stop repeated accesses to one memory row from corrupting data stored in neighbouring rows.

The original 2014 research demonstrated that repeated toggling of a DRAM row's wordline (rowhammering) "stresses inter-cell coupling effects that accelerate charge leakage from nearby rows", resulting in 'bit flips' where a cell's value changes from 1 to 0 or vice versa.

The timing side channel and the bit flips are then combined through the WebGL application programming interface (API), which is used for rendering web graphics in browsers. The attack also relies on browser support for precision WebGL timers, which allow the side channel to leak memory addresses.

Meanwhile, the GPU allows for “fast double-sided DRAM access, enabling the rowhammer attack”.

The researchers showed that it was possible to use the technique to bypass the Firefox sandbox on Android.

“The precise timing capabilities provided by WebGL can allow an attacker to determine the difference between cached DRAM accesses and uncached DRAM accesses,” explained CERT researchers Will Dormann and Trent Novelly.

“This can allow an attacker to determine contiguous areas of physical DRAM memory. Knowledge of contiguous memory regions is used in a number of microarchitectural attacks, such as rowhammer.”

Precision timers have been disabled in Chrome and Firefox on Android to mitigate the attacks.

Facebook: We’re not the only ones collecting your data across the web

Following CEO Mark Zuckerberg’s two-day grilling before Congress, Facebook is clarifying to users (some confused congressmen among them) how exactly it collects data from people when they’re not logged into Facebook.

In a blog post published Monday, Facebook Product Management Director David Baser explained the basics of various Facebook tools and products, including social plugins, Facebook Login, Facebook Analytics, Facebook Audience Network and Facebook Pixel.

At the same time, the social media giant took the opportunity to point out that it’s not the only popular technology company collecting information about people from across the web. Baser writes:

Many companies offer these types of services and, like Facebook, they also get information from the apps and sites that use them. Twitter, Pinterest and LinkedIn all have similar Like and Share buttons to help people share things on their services. Google has a popular analytics service. And Amazon, Google and Twitter all offer login features. These companies — and many others — also offer advertising services. In fact, most websites and apps send the same information to multiple companies each time you visit them.

Baser notes that Facebook updated its privacy policy to better explain how it collects data on individuals from across the web and what it does with that information.

He also wrote that Facebook requires websites and apps which use its tools "to tell you they're collecting and sharing your information with us, and to get your permission to do so." Still, while Facebook may be making its own privacy policy easier to read, it's unlikely internet users will be clicking on each site's cookies policy as they browse the web.

Coinsecure, not so secure: Millions in cryptocurrency stolen, CSO blamed

The Indian cryptocurrency exchange Coinsecure has accused Dr. Amitabh Saxena, the firm's Chief Strategy Officer (CSO), of stealing 438 Bitcoins (BTC), worth roughly $3.3 million at the time of writing.

According to a complaint filed with local law enforcement in New Delhi by Coinsecure CEO Mohit Kalra and posted on the firm’s website, Saxena allegedly was the only one — aside from the CEO — to hold the keys to the Coinsecure main wallet.

While extracting Bitcoin Gold (BTG) and the associated private keys for customer trading, Saxena allegedly claimed that 438 Bitcoins were "lost" in the process.

Kalra is not convinced.

According to the police complaint, Saxena told the CEO on the 9th of April that the funds had been lost “due to some attack.”

“As the private keys are kept with Dr. Amitabh Saxena, we feel that he is making a false story to divert our attention and he might have a role to play in this entire incident,” the complaint reads. “The incident […] does not seem convincing to us.”

Bitdefender Releases FREE GandCrab Ransomware Decryption Tool

The latest ransomware kicking everyone's ass is GandCrab, which has infected an estimated 50,000 computers. Fortunately for the victims, Bitdefender has released a free GandCrab ransomware decryption tool as part of the No More Ransom Project.



There's nothing particularly notable about the ransomware itself other than that it combines two existing exploit kits to compromise people and it takes payment in Dash, which is a privacy coin, rather than Bitcoin (which is a first as far as I know).

White hats have released a free decryption tool for GandCrab ransomware, preventing the nasty spreaders of the DIY malware from asking their victims for money.

GandCrab has been spreading since January 2018 via malicious advertisements that lead to the RIG exploit kit landing pages or via crafted email messages impersonating other senders, infecting an estimated 53,000 computers in the process.

In exchange for the decryptor, the crooks behind GandCrab ask for a ransom of anywhere between hundreds and hundreds of thousands of dollars in DASH, a crypto-currency that has just made its debut in cybercrime. The developers of GandCrab use a ransomware-as-a-service business model that allows people with little technical skill to get a piece of the action.


The ransomware itself spreads via malicious adverts and landing pages hosting the RIG exploit kit, combined with phishing-style e-mails copying receipts from popular e-commerce services.

You can find the Gandcrab decryption tool here:

GandCrab Ransomware decryption tool

Ransomware demands tied to GandCrab infections have reached up to an exorbitant $600,000+, orders of magnitude higher than is common in ransomware scams. Ransomware scammers more typically demand between $300 and $500.

The newly developed (free) antidote works for all known versions of the ransomware. The nasty encrypts personal data on victims’ machines.

Security firm Bitdefender developed the GandCrab ransomware decryption tool in collaboration with Europol and Romanian Police. The effort is the latest under the No More Ransom project.

No More Ransom was launched in July 2016, introducing a new level of cooperation between law enforcement and the private sector to fight ransomware.

The last ransomware we wrote about was WannaCry, which someone managed to foil by registering a then-unregistered domain the malware checked for before running, effectively shutting it down:

WannaCry Ransomware Foiled By Domain Killswitch

I think GandCrab is still going to cause a fair amount of damage and honestly, the visibility of these types of decryption tools outside of the tech and specifically infosec community is quite low, so do help share this article and let people know they may have a way out if they have been infected.

Ransomware victims paying up and would do so again: Telstra

Ransomware writers looking for targets to pay up should start looking in the south-west Pacific, according to the third installment of the Telstra Security Report.

Surveying 1,252 people, of whom 40 percent were in Europe, 23 percent in Australia, and 37 percent elsewhere in Asia-Pacific, the report said approximately half of the businesses hit by ransomware paid the ransom.

“47 percent of Australian businesses who found themselves victims of ransomware paid the ransom, which was consistent across APAC,” the report said. “Some 60 percent of ransomware victims in New Zealand and 55 percent in Indonesia paid the ransom, making it the highest for Asia. In Europe, 41 percent of respondent ransomware victims paid up.”

Of those that paid up, 87 percent of Asian businesses got their data back, followed by 86 percent in Australia, and 82 percent in Europe. The report added that in the absence of proper backups, 83 percent of organisations in Australia would pay again, with Europe clocking in at 80 percent, and 76 percent of Asian responders saying they would pay again.

Under Armour’s MyFitnessPal Sees 150 Million Accounts Compromised

The MyFitnessPal virtual health and wellness assistant has copped to a data breach affecting 150 million accounts; hackers made off with user names, email addresses and bcrypt-hashed passwords.

While details of how the attackers got in are still emerging, this appears to be the largest data breach of 2018 to date.

The intrusion occurred in February, but the Under Armour–owned company said in a notice that it wasn’t aware of the breach until March 25. Fortunately, the affected data did not include Social Security numbers or driver’s license numbers, because the app doesn’t collect that information; nor did it affect payment card data, which in another win for network segmentation, is collected and processed separately.

While the event thankfully doesn’t impact financial accounts, John Gunn, CMO at VASCO Data Security, pointed out that there’s an opportunity to up the ante on data security across the board.

“This event, like similar ones where credit-card data is not taken in a breach, demonstrates the value of enforcing security requirements,” he said, via email. “If businesses applied the Payment Card Industry Data Security Standards (PCI DSS) to all data and not just credit-card information, you would see a lot less personal information, such as user names, email addresses and passwords, getting into the hands of hackers.”

MyFitnessPal users are being required to change their passwords. In terms of mitigation, users should of course immediately do that, but they should also be aware that the information taken could be used for phishing attacks, which is where the real danger lies. Any user should avoid clicking on links in emails, social media posts or other messages that seem to have come from Under Armour or MyFitnessPal.

Also, if a user repurposes the MyFitnessPal password on any other websites, especially for banking accounts or similar websites, they should immediately change their passwords on those websites – and choose a different, strong password for each one.

“The reuse of passwords in situations like this may seem like a short lapse in judgment, but this data that aligns names and email addresses with passwords is a potential disaster for anyone who reuses their passwords across multiple sites and accounts,” said Lisa Baergen, marketing director of MasterCard-owned NuData Security, via email.

College Kids Turn to Crypto-Mining, Riddling Higher-Ed Networks

The higher-education landscape has become a fertile field for growing crypto-mining revenue. College students are crypto-mining from their dorm rooms, while outside actors are targeting their online activities for web-based attacks.

According to Vectra’s 2018 RSA Conference Edition of its Attacker Behavior Industry Report, higher education is a prime arena given that students are usually not protected by universities’ open networks. These same students also do their own crypto-mining, because they get free electricity.

“Students are more likely to perform crypto-mining personally as they don’t pay for power, the primary cost of crypto-mining,” said Chris Morales, head of security analytics at Vectra. “Universities also have high-bandwidth capacity networks with a large volume of easy targets, especially as students are more likely to use untrusted sites (like illegal movies, music and software) hosting crypto-mining malware.”

The report, which analyzed traffic and collected metadata from more than 4.5 million devices and workloads from customer cloud, data-center and enterprise environments, found that 60% of cryptocurrency mining detections occurred in higher education, followed by entertainment and leisure (6%), financial services (3%), technology (3%) and healthcare (2%). Mining overall has surged with the rising price of cryptocurrencies like Bitcoin, Monero and Ethereum.

  • Colleges and universities aren’t just over-indexing in crypto-mining. The highest volume of attacker behaviors per industry were in higher education (3,715 detections per 10,000 devices) followed by engineering (2,918 detections per 10,000 devices).
  • This is primarily due to command-and-control (C&C) activity in higher education, according to the report, and internal reconnaissance activity in engineering. To the former point, C&C activity in higher education, with 2,205 detections per 10,000 devices, is four times above the industry average of 460 detections per 10,000 devices.
  • These early threat indicators usually precede other stages of an attack and are often associated with opportunistic botnet behaviors, Vectra said.
  • When a university detects crypto-mining, it can only respond by notifying the student that the activity is occurring. It can help clean an infected machine or, where the student is responsible, issue a cease-and-desist. As such, the problem is likely to persist.
  • “Students are exceedingly intelligent and very enterprising,” said Daniel Basile, executive director of the Security Operations Center (SOC) at Texas A&M University. “This is a time that many of them are working with new technologies, and it is not surprising that they are utilizing their machines for cryptocurrency mining. However, there is also a large increase in websites that will crypto-jack your PC while you are on their website. This new trend of mining Bitcoin for revenue instead of ads can directly affect students. With the increase in online video streaming resources, this creates a large amount of cryptocurrency mining.”