Week in security with Tony Anscombe

ESET researchers detail how the operators of the Stantinko botnet have expanded their toolset with a new means of profiting from computers under their control

ESET researchers detail how the operators of the Stantinko botnet have expanded their toolset with a new means of profiting from computers under their control. ESET security researcher Cameron Camp looks back at the key theme of the CyberwarCon conference in Washington, D.C. Top five scams to be on the lookout for this Black Friday and the entire holiday shopping season. All this – and more – on WeLiveSecurity.com.

Smartwatch exposes locations and other data on thousands of children

A device that is supposed to help parents keep track of their children and give them a peace of mind can be turned into a surveillance device

Researchers at the AV-Test Institute have uncovered gaping privacy and security holes in the SMA-WATCH-M2 smartwatch that is designed to keep children safe and their parents feeling secure about their offspring.

The security lapses were so severe that the researchers were able to piece together a snapshot of the life and daily habits of a randomly selected 10-year-old child named Anna from Germany. Among other data, the Chinese-made device exposed the girl’s age, place of residence, where she spends most of her day, and the routes she takes. The researchers could even access the sound messages that were transmitted to her device. And that’s still not all – they were even able to monitor Anna’s real-time GPS position.

Obviously, the security shortcomings did not affect just that single device. The team said it could gain access to the location, phone number, photos and conversations of well over 5,000 children, and was quick to note the number of affected users might, in fact, be far higher.

How was this possible, I hear you ask? Communication with the manufacturer’s server was unencrypted, and the online interface of the manufacturer’s server was completely unsecured, leaving it open to unauthorized external access. Although an authorization token is generated to prevent unauthorized access, the server never checks it, so anyone with modest technical skills can access user IDs and obtain the same access that a parent would have.
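The failure described above is easy to reproduce in miniature: the client sends a token, the server ignores it and serves whatever user ID was asked for. The following added example (not code from AV-Test or from the watch’s backend; the record store, session store and user IDs are hypothetical) puts the broken handler next to a hardened one that binds the token to the user ID it was issued for, which also closes the “change the user ID and read someone else’s child” hole.

```python
import hmac
import secrets
from typing import Dict

# Constructed sample data: two parent accounts and the records of their children.
RECORDS: Dict[str, dict] = {
    "user-1": {"child": "A", "position": "(constructed)"},
    "user-2": {"child": "B", "position": "(constructed)"},
}
# Hypothetical server-side session store: user_id -> token issued at login.
SESSIONS: Dict[str, str] = {}


def login(user_id: str) -> str:
    """Issue a fresh random bearer token for user_id and remember who owns it."""
    token = secrets.token_urlsafe(32)
    SESSIONS[user_id] = token
    return token


def get_child_data_vulnerable(user_id: str, token: str) -> dict:
    """Mirrors the lapse above: a token travels with the request but is never checked,
    so knowing (or guessing) a user ID is enough to read that user's data."""
    return RECORDS[user_id]


def get_child_data_hardened(user_id: str, token: str) -> dict:
    """Check that the presented token is the one issued to *this* user_id.
    compare_digest avoids leaking the position of the first mismatching byte."""
    expected = SESSIONS.get(user_id)
    if expected is None or not hmac.compare_digest(expected, token):
        raise PermissionError("token missing, invalid or issued to a different user")
    return RECORDS[user_id]


if __name__ == "__main__":
    t1 = login("user-1")
    print("vulnerable, no valid token:", get_child_data_vulnerable("user-2", "junk"))
    print("hardened, own record:", get_child_data_hardened("user-1", t1))
    try:
        get_child_data_hardened("user-2", t1)  # valid token, wrong user
    except PermissionError as e:
        print("hardened, other user's record:", e)
```

The hardened handler only fixes the authorization check; it assumes the token cannot be sniffed, which on this device it could, since traffic to the server was unencrypted. Server-side token validation and TLS on the wire are both required.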

To sum it up, a device that is supposed to help parents keep track of their children and give them a peace of mind can be turned into a surveillance device for bad actors. This lapse in security was found to affect users in Germany, Turkey, Poland, Mexico, Belgium, Hong Kong, Spain, the Netherlands, and China. There is a possibility that the number of affected people may be well over the previously estimated 5,000.

As much as this case might look like a one-off security lapse, the reality is far from it: we covered a similar incident earlier this year. It is therefore always worth weighing the pros and cons before using such a device.

29 Nov 2019 – 03:47PM

5 scams to watch out for this shopping season

Black Friday and Cyber Monday are just around the corner and scammers are gearing up to flood you with bogus offers

According to Adobe, consumers in the US are predicted to spend a staggering US$143.7 billion this shopping holiday season. Unsurprisingly, smartphones are expected to account for a significant part of the purchases made.

Shopping platforms will be dropping prices and offering deals aiming to unseat the competition. Far too often, what looks too good to be true will, in fact, be a scam designed to separate you from your hard-earned cash. For scammers ’tis the season to be jolly, since unaware shoppers are ripe to be ripped off. Honestly, if that shiny, new iPhone at half its regular price seems too cheap, it probably is. Here are some of the most common types of online shopping scams you should watch out for.

Scam ads

These are an evergreen classic not reserved just for the holidays. You can encounter them all year round, but during shopping holidays they come out in force. Fraudulent ads are usually spread through social media and, unfortunately, often come from hacked accounts. Usually clicking on such an ad will redirect you to a fraud site, which may be advertising fake goods. In the worst-case scenario, you might just download a malware payload to your device. Refrain from clicking on anything that seems even remotely suspicious and always check for signs of a scam, such as ridiculous prices, grammar mistakes or weird surveys.

Figure 1. Brazilian website promising to include you in a raffle if you fill out a survey

Fake websites

Fake websites come in many shapes and sizes, and during this part of the year con artists will try to leverage seasonal shopping. For example, it might appear that a reputable e-shop launched a separate domain to house its Black Friday or Cyber Monday offerings, but in fact, it’s just a scam. Or, you might just get hit with a homograph attack. It might sound like somebody is going to hit you in the face with a dictionary, but a homograph attack is what happens when adversaries register domains that are similar to the originals but use visually ambiguous characters. And, of course, these fake sites can often have their own, valid certificates that might further misdirect their victims.
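A homograph domain is trivial to spot once it is converted to the form the resolver sees (punycode, the xn-- labels) and once its characters are classified by script. The following added example (not from the original article; the lookalike table is a small hand-picked subset and the brand list is constructed) flags a host name either because one label mixes scripts, or because mapping each lookalike character to its Latin twin produces a known brand domain that the host is not.

```python
import unicodedata
from typing import List, Optional

# Hand-picked lookalike table (assumption: a small subset; Unicode TR39's
# confusables.txt is the authoritative, much larger list).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
}

SCRIPTS = {"LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC"}


def script_of(ch: str) -> str:
    """Crude script classification taken from the first word of the Unicode name."""
    name = unicodedata.name(ch, "")
    head = name.split(" ", 1)[0] if name else ""
    return head if head in SCRIPTS else "COMMON"


def mixed_script_labels(host: str) -> List[str]:
    """Labels that mix two or more scripts, e.g. a Cyrillic 'a' inside 'amazon'."""
    flagged = []
    for label in host.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            flagged.append(label)
    return flagged


def skeleton(host: str) -> str:
    """Strip accents, then map each lookalike character to the ASCII letter it resembles."""
    decomposed = unicodedata.normalize("NFKD", host)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in base)


def to_punycode(host: str) -> str:
    """The form that is actually resolved (and that most browsers show in the address bar)."""
    return host.encode("idna").decode("ascii")


def check_domain(host: str, brands: List[str]) -> Optional[str]:
    """Return a reason if host looks like an impersonation of a brand domain, else None."""
    host = host.lower().rstrip(".")
    mixed = mixed_script_labels(host)
    if mixed:
        return f"mixed-script label(s) {mixed}; resolves as {to_punycode(host)}"
    sk = skeleton(host)
    if sk in brands and sk != host:
        return f"looks like {sk} but resolves as {to_punycode(host)}"
    return None


if __name__ == "__main__":
    brands = ["amazon.com", "cisco.com"]  # constructed watch list
    for h in ["amazon.com", "\u0430mazon.com", "\u0441\u0456\u0455\u0441\u043e.com"]:
        print(h, "->", check_domain(h, brands))
```

The second check matters because an all-Cyrillic label such as the last sample never trips a mixed-script rule; only the skeleton comparison catches it. Modern browsers apply similar rules before deciding whether to display a label in Unicode or as xn--, which is why the punycode form is the one worth logging in a proxy.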

Figure 2. An example of a fake website

Bogus gift cards and coupons

Apart from jaw-dropping discounts, coupons are a popular way to reel customers in. That makes it a popular method for bad actors to bamboozle you. If you get enticed by the fake coupon and click on it, an installer can be downloaded to your device, which might install a banking trojan. A similar case was uncovered recently involving fraudulent McDonald’s coupons. Coupons and gift cards are usually distributed through the official channels of the company such as an app, so it’s best to stick to those. Any unsolicited coupons should set your spidey sense tingling.

Figure 3. A fake gift card example

Illicit discount or coupon apps

Alternatively, instead of receiving coupons by email, you may stumble upon Black Friday- or Cyber Monday-themed apps that are likely to appear on unofficial app repositories. These will have the same aim as all the aforementioned scams: prey on your trust and entice you with the promise of a great deal. Your best course of action is to stick to Google Play or the App Store. Most retailers tend to have official apps, but imposters have been known to sneak past the sentries into the walled gardens of platforms’ storefronts. So always pay attention to the app’s description, negative reviews and the permissions it requests.

Phishing attacks

Phishing attacks are one of the most widespread scams out there. For example, a criminal might send you an email posing as Amazon and telling you that there was an issue with your order. To proceed they will ask you to provide your personal information, which may include your credit card number and home address, and which you shouldn’t hand over under any circumstances. If you ever receive such a message, contact the company through its official channels to verify whether the message is genuine. So, keep your eyes peeled for thematic promotional emails that may ask you to fill out your personal information to claim your ‘prize’.

Figure 4. Have you ever seen a Louis Vuitton bag at such a steep discount?

According to ESET telemetry, an average of 11% of the Black Friday-related emails you receive in one day are spam, which can often be much more than merely annoying. These statistics were recorded a week before the Black Friday craze begins. So, be sure to read anything that piques your interest extra thoroughly and don’t let your guard down while you’re on the hunt for that perfect deal. Happy hunting!

28 Nov 2019 – 11:30AM

Cryptocurrency exchange loses US$50 million in apparent hack

UPbit has announced that, as a precaution, all transactions will remain suspended for at least two weeks

Cryptocurrency exchange UPbit announced today that it lost almost US$50 million worth of ether (ETH) in an apparent security breach.

According to this statement by Lee Seok-woo, the CEO of the exchange’s operator Dunamu, around 342,000 ETH were moved from the platform’s ‘hot wallet’ to this unrecognized wallet today shortly after 1 p.m. local time. Client funds were not affected, said the South Korea-based cryptocurrency exchange.

The incident was also noted on Twitter by Whale Alert, a service that tracks major cryptocurrency transactions.

🚨 🚨 🚨 🚨 342,000 #ETH (49,848,273 USD) transferred from #Upbit to unknown wallet

Tx: https://t.co/HairAS3gee

— Whale Alert (@whale_alert) November 27, 2019

UPbit said that, in the wake of the incident, it moved all virtual coins to cold wallets. Cold storage keeps cryptocurrency offline for the long term in order to reduce the likelihood of funds being stolen. By contrast, hot wallets are connected to the internet and used to carry out transactions.

The exchange has also halted all deposits and withdrawals and said that, in order to protect its clients’ virtual funds, the transactions will remain suspended for two weeks. The exchange said that it will cover the loss from its own funds. Additional details are scarce; notably, there’s no word on how the theft is thought to have taken place.

Launched two years ago, UPbit went on to become one of South Korea’s largest cryptocurrency exchanges. Just months ago, its users were targeted in a phishing campaign with a fake giveaway used as the pretense. Weeks earlier, another major South Korean cryptocurrency exchange, Bithumb, lost up to US$20 million worth of digital money in a suspected inside job.

Indeed, recent years have seen a string of cyberattacks against providers of infrastructure that caters to virtual currencies and their users, including high-profile thefts of people’s virtual money. Recent ESET research, too, discovered a range of mobile apps aimed at parting people from their cryptocurrency assets.

27 Nov 2019 – 05:06PM

Stantinko botnet adds cryptomining to its pool of criminal activities

ESET researchers have discovered that the criminals behind the Stantinko botnet are distributing a cryptomining module to the computers they control

The operators of the Stantinko botnet have expanded their toolset with a new means of profiting from the computers under their control. The roughly half-million-strong botnet – known to have been active since at least 2012 and mainly targeting users in Russia, Ukraine, Belarus and Kazakhstan – now distributes a cryptomining module. Mining Monero, a cryptocurrency whose exchange rate oscillates in 2019 between US$50 and US$110, has been the botnet’s monetizing functionality since at least August 2018. Before that, the botnet performed click fraud, ad injection, social network fraud and password stealing attacks.

In this article, we describe Stantinko’s cryptomining module and provide an analysis of its functionality.

This module’s most notable feature is the way it is obfuscated to thwart analysis and avoid detection. Due to the use of source level obfuscations with a grain of randomness and the fact that Stantinko’s operators compile this module for each new victim, each sample of the module is unique.

We will describe the module’s obfuscation techniques and offer, in a separate article for fellow malware analysts, a possible approach to deal with some of them.

Since Stantinko is constantly developing new custom obfuscators and modules and improving existing ones, all of them heavily obfuscated, it would be backbreaking to track each minor change it introduces. Therefore, we describe only the adjustments we consider significant in comparison with earlier samples, and otherwise describe the module as it currently is.

Modified open-source cryptominer

Stantinko’s cryptomining module, which exhausts most of the resources of the compromised machine by mining a cryptocurrency, is a highly modified version of the xmr-stak open-source cryptominer. All unnecessary strings and even whole functionalities were removed in attempts to evade detection. The remaining strings and functions are heavily obfuscated. ESET security products detect this malware as Win{32,64}/CoinMiner.Stantinko.

Use of mining proxies

CoinMiner.Stantinko doesn’t communicate with its mining pool directly, but via proxies whose IP addresses are acquired from the description text of YouTube videos. A similar technique to hide data in descriptions of YouTube videos is used by the banking malware Casbaneiro. Casbaneiro uses much more legitimate-looking channels and descriptions, but for much the same purpose: storing encrypted C&Cs.

The description of such a video is a string of mining proxy IP addresses in hexadecimal format. For example, the YouTube video seen in Figure 1 has the description “03101f1712dec626”, which encodes two IP addresses – 03101f17 corresponds to 3.16.31[.]23 in dotted-quad notation, and 12dec626 is 18.222.198[.]38. As of the time of writing, the format has been slightly adjusted: the IP addresses are now enclosed in “!!!!”, which simplifies parsing and makes the parser robust against changes in the HTML structure of the YouTube video page.
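The decoding is mechanical: every eight hex digits are one IPv4 address, most significant octet first. The following added example (not ESET’s code or the module’s own parser) turns a description string into a proxy list, handling both the bare form quoted above and the newer “!!!!”-delimited form; exactly how the delimiters surround the hex run is an assumption, so the code simply keeps any hex run found between “!!!!” markers. The defanging helper is there so the output can be pasted into a report without creating live links.

```python
import ipaddress
import re
from typing import List


def hex_to_ipv4(h: str) -> str:
    """'03101f17' -> '3.16.31.23' (each hex pair is one octet, most significant first)."""
    if len(h) != 8:
        raise ValueError(f"expected 8 hex digits, got {h!r}")
    return str(ipaddress.IPv4Address(int(h, 16)))


def extract_proxy_ips(description: str) -> List[str]:
    """Return the mining-proxy IPs encoded in a YouTube video description."""
    if "!!!!" in description:
        # Newer format (assumption: hex run(s) sit between "!!!!" markers).
        runs = [p for p in description.split("!!!!") if re.fullmatch(r"[0-9a-fA-F]{8,}", p)]
    else:
        # Older format: the description is the bare hex string.
        runs = re.findall(r"[0-9a-fA-F]{8,}", description)
    ips: List[str] = []
    for run in runs:
        if len(run) % 8:
            raise ValueError(f"hex run {run!r} is not a whole number of IPv4 addresses")
        ips.extend(hex_to_ipv4(run[i:i + 8]) for i in range(0, len(run), 8))
    return ips


def defang(ip: str) -> str:
    """'3.16.31.23' -> '3.16.31[.]23', the notation used in the analysis above."""
    head, _, last = ip.rpartition(".")
    return f"{head}[.]{last}"


def video_url(video_id: str) -> str:
    """Rebuild the URL the module constructs from its command line parameter."""
    return f"https://www.youtube.com/watch?v={video_id}"


if __name__ == "__main__":
    for desc in ["03101f1712dec626", "new upload !!!!03101f1712dec626!!!! thanks"]:
        print(desc, "->", [defang(ip) for ip in extract_proxy_ips(desc)])
```

Run against a captured description, the list gives you the proxy addresses to block or to pivot on; note that the first sample IP above falls in a cloud provider range, so block by address only after checking what else lives there.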

Figure 1. Example YouTube video whose description provides an IP address for the module’s communication with the mining pool

In earlier versions, the YouTube URL was hardcoded in the CoinMiner.Stantinko binary. Currently the module receives a video identifier as a command line parameter instead. This parameter is then used to construct the YouTube URL, in the form https://www.youtube.com/watch?v=%PARAM%. The cryptomining module is executed either by Stantinko’s BEDS component or by rundll32.exe via a batch file that we have not captured, with the module loaded from a local file system location of the form %TEMP%\%RANDOM%\%RANDOM_GUID%.dll.

We informed YouTube of this abuse; all the channels containing these videos were taken down.

Cryptomining capabilities

We have divided the cryptomining module into four logical parts, which represent distinct sets of capabilities. The main part performs the actual cryptomining; the other parts of the module are responsible for additional functions:

- suspending other (i.e. competing) cryptomining applications
- detecting security software
- suspending the cryptomining function if the PC is on battery power or when a task manager is detected, to prevent being revealed by the user

Cryptomining

At the core of the cryptomining function lie the hashing process and the communication with the proxy. The method of obtaining the list of mining proxies is described above; CoinMiner.Stantinko communicates with the first mining proxy it finds alive.

Its communication takes place over TCP and is encrypted by RC4 with a key consisting of the first 26 characters of the number pi (including the decimal separator, hardcoded in the string “3,141592653589793238462643“) and then base64 encoded; the same key is used in all samples we have seen.
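The sentence above reads as RC4 with the pi string as key, followed by base64 of the ciphertext; the following added example (not the module’s code, and that reading of the framing is an assumption) implements exactly that so a captured proxy message can be unwrapped, using the job from Figure 2 as sample plaintext. It also shows the detection consequence of a fixed RC4 key: the keystream is identical for every message, so any two messages that begin with the same plaintext produce the same ciphertext prefix, which is enough for a network signature.

```python
import base64
import json

# Hardcoded key string quoted in the analysis: the first 26 characters of pi with a
# comma as decimal separator. The same key was seen in every sample.
PI_KEY = b"3,141592653589793238462643"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wrap(message: bytes, key: bytes = PI_KEY) -> bytes:
    """RC4-encrypt, then base64-encode (assumed order of the module's framing)."""
    return base64.b64encode(rc4(key, message))


def unwrap(blob: bytes, key: bytes = PI_KEY) -> bytes:
    """Inverse of wrap: base64-decode, then RC4."""
    return rc4(key, base64.b64decode(blob))


def decode_proxy_message(blob: bytes) -> dict:
    """Unwrap a captured proxy message and parse the JSON inside."""
    return json.loads(unwrap(blob))


# Job message from Figure 2 of the analysis, used here as sample plaintext.
SAMPLE_JOB = {
    "method": "job",
    "params": {
        "blob": "0b0bbfdee1e50567042dcfdfe96018227f25672544521f8ee2564cf8b4c3139a6a88c5f0b3266"
                "4000000a1c8ee5c185ed2661daab9d0c454fd40e9f53f0267fe391bdb4eb4690395deb36018",
        "job_id": "281980000000000a10",
        "target": "67d81500",
        "height": 1815711,
    },
}

if __name__ == "__main__":
    on_the_wire = wrap(json.dumps(SAMPLE_JOB).encode())
    print(on_the_wire[:60], "...")
    print(decode_proxy_message(on_the_wire)["params"]["job_id"])
    # Same key, same keystream: identical plaintext prefixes give identical ciphertext prefixes.
    print(wrap(b"hello world")[:8] == wrap(b"hello there")[:8])
```

Because the key never changes, the first message of every session encrypts to the same bytes; a signature on the base64 prefix of that message is a cheaper detector than decrypting traffic, and it survives until the operators change the key.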

The code of the hashing algorithm is downloaded from the mining proxy at the beginning of the communication and loaded into memory – either directly or, in earlier versions, from the library libcr64.dll that is first dropped onto the disk.

Downloading the hashing code with each execution enables the Stantinko group to change this code on the fly. This makes it possible, for example, to adapt to algorithm adjustments in existing currencies and to switch to mining other cryptocurrencies, perhaps to mine whichever is most profitable at the moment of execution. The main benefit of downloading the core part of the module from a remote server and loading it directly into memory is that this part of the code is never stored on disk. This additional adjustment, which is not present in earlier versions, is aimed at complicating detection, because patterns in these algorithms are trivial for security products to detect.

All instances of Stantinko’s cryptomining module we’ve analyzed mine Monero. We deduced this from the jobs provided by the mining proxy and the hashing algorithm. For example, Figure 2 is a job sent by one of the proxies.

{"error":null,"result":{"status":"OK"}}
{"method":"job","params":{"blob":"0b0bbfdee1e50567042dcfdfe96018227f25672544521f8ee2564cf8b4c3139a6a88c5f0b32664000000a1c8ee5c185ed2661daab9d0c454fd40e9f53f0267fe391bdb4eb4690395deb36018","job_id":"281980000000000a10","target":"67d81500","height":1815711}}

Figure 2. Example mining job received from a mining pool proxy

We analyzed the hashing algorithm used and found that it was CryptoNight R. Since there are multiple cryptocurrencies that use this algorithm, its

CyberwarCon – the future of nation‑state nastiness

How the field of play has changed and why endpoint protection still often comes down to doing the basics, even in the face of increasingly complex threats

The news cycle is awash with coverage of campaigns that have nation-state fingerprints all over them. Now, here at CyberwarCon in Washington, D.C., there’s a deluge of energy surrounding the subject from all corners of the globe.

From information campaigns of all kinds to serious hacking attempts, the new field of play involves big, well‑financed players. Hacking used to be about pranks, money grabs or disgruntled digital natives getting revenge; now it’s about settling national scores.

From a research perspective, it’s still about keeping computer systems safe, regardless of the intended target or the source. And while we don’t get into picking sides, it looks like this trend is rising sharply (the conference doubled in size since last year) and will continue to grow in importance.

From talks about budding, would-be digital forces being stood up by up-and-coming states embroiled in operational growing pains, to the tried-and-true worthy adversaries, the subject is no longer a secret; it’s something the world has to deal with.

It’s interesting to note the extent to which nation states engage in combined campaigns, including disinformation, active hacking, false flags, and A/B testing of new techniques to judge their effectiveness. Defenders, conversely, are having to stand up new techniques to combat the tactics in a sort of cat-and-mouse exercise that promises to span the years to come.

We are here, presenting our recent research on the Dukes family of campaigns, trying to share with the research community the natural evolution of tactics of a family of threat actors that have been adapting techniques to suit their changing targets and dodge detection for years.

Being in D.C. means the lawmaker crowd is also here, trying to grapple with what may be appropriate engagement both tactically and legally, depending on the context. Is it appropriate to strike back kinetically to a pervasive, impactful exploit leveled against your country? While some are ready to quick-launch in retaliation, others take a wait-and-see approach where a certain level of thoughtfulness about appropriate response seems wise. Both approaches will be debated for years.

Meanwhile, it’s interesting to note how many of the super-expensive tactics with the latest tools start by someone clicking on a malicious email. Alarming, actually…

So, protection often comes back to operational security and doing the basics, something we’ve been preaching for years here at WeLiveSecurity. And while we’d like to think we’re making a difference, there’s still a lot of work to do, especially keeping folks safe against increasingly complex threats launched by well-heeled adversaries.

25 Nov 2019 – 11:30AM

Week in security with Tony Anscombe

ESET researchers publish their findings on Mispadu, a banking trojan targeting Brazil and Mexico, and on DePriMon, a downloader with a unique installation technique

ESET researchers uncover Mispadu, an ambitious Latin American banking trojan that utilizes McDonald’s malvertising and extends its attack surface to web browsers. In another research effort, ESET experts dissect DePriMon, a malicious downloader with an installation technique that has not been observed in the wild before. As cyberattackers hijacked the accounts of many users of the newly-launched Disney+ streaming service, we offer advice to prevent having your accounts on streaming subscriptions hacked. For more information, go to WeLiveSecurity.com.

Should cybersecurity be taught in schools?

Experts weigh in on whether schools should teach kids the skills they need to safely reap the benefits of the online world

With education being one of the key factors in everyone’s life, the education system of any country seeks to provide children not only with elementary competencies, but also to equip them with at least some of the skills that they’ll need to successfully navigate their daily lives. In our technology-infused era, then, there’s a strong argument for also including basic cybersecurity skills among the kinds of skills that help people thrive in life.

Besides parents, schools, too, clearly have a role to play here. Hence, this installment in our series of articles marking this year’s Antimalware Day will attempt to answer several questions that revolve around the importance of cybersecurity education in the classroom. In so doing, we will also rely on input from several organizations, mainly from Latin America, that have an active role in educating future generations.

Do children and young people finish primary and secondary education with sufficient skills to stay safe online?

It is safe to say that young people are too often unaware of the risks involved in excessive sharing of photos and posting of sensitive information on social media, and do not associate such habits with the problems that may ensue, such as grooming, sexting, cyberbullying and phishing. This is confirmed by findings from a project called “Promoting information security in the school environment” (only available in Spanish), prepared by the National University of Córdoba, Argentina. As the project’s creators explain, the proliferation of such poor cyber-habits has created the need for parents and educational institutions to actively seek information about privacy and security, notably about data protection, cryptography, and the prevention of identity and information theft and web-based cyberattacks.

Meanwhile, the Computer Emergency Response Team of the National Autonomous University of Mexico (UNAM-CERT) echoes the view that children and teens don’t have sufficient cybersecurity skills when they complete primary and secondary education. While computing classes do sometimes include aspects of good cyber-hygiene practices, online behavior isn’t thoroughly addressed. “Just as children are taught about earthquake prevention, they should be educated about the responsible use of information technologies,” said UNAM-CERT.

According to Argentina Cibersegura, an NGO that carries out security awareness projects in Argentina, the poor cyber-hygiene skills of young people are due to several reasons. They include the fact that every school gets to decide whether or not it will include cybersecurity basics in its curricula and that teachers themselves are often unable to teach digital skills and specifically cybersecurity.

The United Kingdom, for one, has unveiled new statutory guidance that, among other things, imposes the obligation on elementary schools to implement cybersecurity education into their curricula as of 2020. To aid the process, the schools can even rely on detailed guidelines that should help them prepare pupils for the modern challenges of the online world.

That said, many experts note that curricular changes are unlikely to be enough. “[W]hilst the forthcoming changes to the curriculum are to be welcomed – they need to be funded appropriately – with the right level of teacher training. Unless something changes to provide funding and training, perhaps as part of the election campaign, it’s hard to see how these changes on their own will be sufficient,” Claire Levens, Policy Director of the NGO Internet Matters, told WLS.

Is there enough awareness about the importance of cybersecurity education?

It’s common for people to deal with a problem only when it ‘hits close to home’. As a result, according to UNAM-CERT, many people use technology without giving much thought to the risks of having their personal information stolen until they themselves or their relatives become the victims of cybercrime.

“Information security is often seen as merely a cost, rather than an investment. This results in the failure to allocate resources towards cyber-preparedness, even though investing in education, for example, could bring savings thanks to avoiding cyberattacks and their impacts,” said UNAM-CERT.

Additionally, teaching kids about cybersecurity from an early age could actually help many of them discover this dynamic field and ultimately contribute to closing the talent gap that plagues the industry.

Should cybersecurity education be part of formal education?

Spain, for one, has also considered the idea of adopting official guidelines to ensure that children are taught about online risk and safety behaviors from an early age. Beside adapting Spain’s law to the European Union’s General Data Protection Regulation (GDPR), the country’s Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights also contains a section on the need for increasing the role of cybersecurity education in school curricula. By extension, the section stipulates that the education system guarantees the opportunity for all children to learn to use technology in a responsible and respectful way, as well as in a manner that protects their personal data.

Drawing on this example, Argentina Cibersegura believes that cybersecurity education should be a mandatory part of curricula, not least because “the purpose of schools is to educate citizens – and digital technology cannot be left behind”.

UNAM-CERT echoes this view, noting that “cybersecurity education must be compulsory in primary- and secondary education because we live in a digital world and it’s important to ensure that pupils and students can protect themselves by understanding how technologies work and what kinds of risks they involve”.

Are teachers prepared?

Although many teachers may be well-versed in modern technology and may have integrated, for example, collaborative and other tools into their classes, this doesn’t mean that they’re prepared to provide guidance on safe cybersecurity habits.

Indeed, when asked about whether teachers are prepared to teach kids about cybersecurity, Levens of Internet Matters had this to say: “Not at all. We should also be mindful that schools are being asked to do so many things and online safety and security will only ever be a low priority.”

There’s not much cause for optimism

Registers as “Default Print Monitor”, but is a malicious downloader. Meet DePriMon

ESET researchers have discovered a new downloader with a novel installation technique not previously seen in the wild

DePriMon is a malicious downloader with several stages that uses many non-traditional techniques. To achieve persistence, the malware registers a new local port monitor – a trick falling under the “Port Monitors” technique in the MITRE ATT&CK knowledgebase. For that, the malware uses the name “Windows Default Print Monitor”, which is why we have named it DePriMon. Due to its complexity and modular architecture, we consider it to be a framework.

According to our telemetry, DePriMon has been active since at least March 2017. DePriMon was detected in a private company, based in Central Europe, and at dozens of computers in the Middle East.

Some of the domain names used as C&C servers contain Arabic words, which gives an indication of a region‑specific campaign. However, DePriMon deserves attention beyond its targets’ geographical distribution: it is carefully written malware, with lots of encryption that is used properly.

To help defenders stay safe from this threat, we’ve thoroughly analyzed this newly discovered malware, focusing on the downloader itself. Because we’re missing initial stage(s), which we will refer to here as “the first stage”, we don’t know the initial distribution and compromise vector. What kind of final payload is used in the attacks is another question that remains to be answered.

However, it should be noted that, in a few cases, DePriMon was detected with ColoredLambert malware on the same computers within a short time frame. ColoredLambert is used by the Lamberts (aka Longhorn) cyberespionage group and linked to the Vault 7 leak of CIA capabilities. Our colleagues from Symantec and Kaspersky published their analyses in April 2017.

Technical analysis

Stage two

Both DePriMon’s second and third stages are delivered to the victim’s disk in the first stage. The second stage installs itself and loads the third stage using an encrypted, hardcoded path. One of the possible explanations is that it was configured after the first stage of the attack occurred.

The described installation technique is unique. In principle, it is described in the MITRE ATT&CK taxonomy as “Port Monitors”, under both Persistence and Privilege Escalation tactics. We believe DePriMon is the first example of malware using this technique ever publicly described.

The second stage registers the third-stage DLL as a port monitor by creating the following registry key and value:

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Windows Default Print Monitor
Driver = %PathToThirdStageDLL%

Administrator rights are required for creating this registry key.

At system startup, the registered DLL will be loaded by spoolsv.exe with SYSTEM privileges, which, combined with the uniqueness of this method, makes this technique very effective for attackers.
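Because the persistence lives in one well-known registry key, it is cheap to audit. The following added example (not ESET’s tooling, and not a DePriMon indicator: the monitor entry and DLL name in the sample export are constructed placeholders) parses a `reg export` of the Monitors key, compares each monitor against a baseline of the ones Windows ships, and additionally flags a Driver value that is a full path rather than a bare DLL name, since the built-in monitors are all registered by file name and loaded from System32. The baseline list is an assumption to be adjusted to your own image. On a Windows host the same function reads the live hive through winreg.

```python
import os
import re
import sys
from typing import Dict, List, Tuple

MONITORS_KEY = r"SYSTEM\CurrentControlSet\Control\Print\Monitors"

# Baseline port monitors shipped with Windows (assumption: trim or extend for your build).
BASELINE_MONITORS = {
    "Local Port": "localspl.dll",
    "Standard TCP/IP Port": "tcpmon.dll",
    "USB Monitor": "usbmon.dll",
    "WSD Port": "WSDMon.dll",
    "LPR Port": "lprmon.dll",
    "Appmon": "AppMon.dll",
}

# Constructed sample: what `reg export` of the key could look like on a compromised host.
# The last entry mirrors the key DePriMon creates; the DLL file name is a placeholder.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port]
"Driver"="localspl.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port]
"Driver"="tcpmon.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Windows Default Print Monitor]
"Driver"="C:\\Windows\\System32\\placeholder_stage3.dll"
"""


def parse_reg_export(text: str) -> Dict[str, str]:
    """Return {monitor name: Driver value} from a .reg export of the Monitors key."""
    key_re = re.compile(r"^\[HKEY_LOCAL_MACHINE\\" + re.escape(MONITORS_KEY) + r"\\(.+)\]$")
    driver_re = re.compile(r'^"Driver"="(.*)"$')
    monitors: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = key_re.match(line)
        if m:
            current = m.group(1)
            continue
        m = driver_re.match(line)
        if m and current is not None:
            monitors[current] = m.group(1).replace("\\\\", "\\")  # undo .reg escaping
    return monitors


def read_live_monitors() -> Dict[str, str]:
    """Same data straight from the registry; Windows only (winreg)."""
    import winreg
    result: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, MONITORS_KEY) as root:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            with winreg.OpenKey(root, name) as sub:
                try:
                    result[name] = winreg.QueryValueEx(sub, "Driver")[0]
                except FileNotFoundError:
                    result[name] = ""
    return result


def suspicious_monitors(monitors: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(name, driver, reason) for every entry that deviates from the baseline."""
    findings = []
    for name, driver in monitors.items():
        base = os.path.basename(driver.replace("\\", "/"))
        if name not in BASELINE_MONITORS:
            findings.append((name, driver, "monitor name not in baseline"))
        elif base.lower() != BASELINE_MONITORS[name].lower():
            findings.append((name, driver, "unexpected DLL for a baseline monitor"))
        if base != driver:
            findings.append((name, driver, "Driver is a path rather than a bare DLL name"))
    return findings


if __name__ == "__main__":
    data = read_live_monitors() if sys.platform == "win32" else parse_reg_export(SAMPLE_REG_EXPORT)
    for name, driver, reason in suspicious_monitors(data):
        print(f"{name!r}: {driver} ({reason})")
```

For continuous monitoring rather than a one-off audit, the equivalent signals are a registry value set under that key (Sysmon event 13) and an image load into spoolsv.exe of a DLL that is unsigned or outside System32 (Sysmon event 7).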

The second stage checks regularly whether there is a file in the %system32% folder with the same name as the third stage DLL file but without the “.dll” extension. This file serves as an uninstallation trigger – should DePriMon find it, it removes both this file and its own components in a secure way by overwriting the binaries and then deleting them.

Stage three

The third stage, responsible for downloading the main payload(s) from DePriMon’s operators, also implements some interesting techniques.

For C&C communication, it uses the Microsoft implementation of SSL/TLS, Secure Channel, instead of common APIs like WinHTTP or WinInet. Its configuration is very complex, as is the way the malware handles it. Finally, the authors have put significant effort into encryption, making the DePriMon malware more difficult to analyze.

C&C communication

DePriMon communicates over TLS, but unlike the typical malware scenario it does not rely on a high-level API. The connection is initialized with a Windows socket and may continue with initialization of an authenticated Security Support Provider Interface (SSPI) session with the Negotiate / NTLM SSP. After that, DePriMon uses Schannel.

Whether SSPI is used depends on a particular flag in the configuration file; when it is, the connection can use the machine’s local proxy settings. The implementation is similar to this example provided by Microsoft.

The malware’s implementation of TLS via Schannel is similar to this example by Coast Research & Development. It includes creating credentials, performing the client handshake and verifying the server certificate.

Figure 1. Part of the SSPI implementation as output by the Hex-Rays decompiler

After the communication is established, the third stage encrypts and decrypts messages manually each time.

Configuration

The configuration data for DePriMon’s third stage has 27 members, which is an unusually large number for a downloader. It is encrypted with AES-256 and embedded in the binary.

During the first run, DePriMon’s third stage (the downloader itself) decrypts the configuration data with Key 2 (see the IoCs section), re-encrypts it with Key 3 and stores the encrypted configuration file in a temporary folder. The filename of the configuration file is derived as follows: starting with its second byte, the value of Key 2 is converted into a base-36 number written with the custom alphabet “abc…xyz012…789” (lowercase letters followed by digits). The extension of the configuration file is “.tmp”.

An example of a configuration file path: %temp%\rb1us0wm99sslpa1vx.tmp.
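The naming scheme above is deterministic, so a hunter who has the key can predict the configuration file name and compare it with what is sitting in a user's %temp% folder. Below is an added example that implements the scheme as described (letters-first base-36 alphabet, second byte onward, ".tmp" extension); it is not ESET's code. Two details are assumptions because the page does not state them: the bytes are read as a big-endian unsigned integer, and the number of key bytes taking part is left as a parameter, since the page's own sample name (18 characters) can only hold about 12 bytes, not the 31 that would remain of a 256-bit key. The key used in the demo is a constructed placeholder, not the real Key 2.

```python
"""Derive and check DePriMon-style configuration file names.

Added example; not ESET's code. It implements the naming scheme described
above: the key bytes from the second byte onward are treated as one number,
written in base 36 with the alphabet "abcdefghijklmnopqrstuvwxyz0123456789"
and given a ".tmp" extension. Assumptions not stated on the page: the bytes
are read as a big-endian unsigned integer, and the caller chooses how many
bytes after the first take part (`length`), because the page's sample name is
too short to have used all 31 remaining bytes of a 256-bit key.
"""
from __future__ import annotations

import ntpath
import re

# Custom digit set from the page: letters first, then digits (standard base 36 is the reverse).
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
NAME_RE = re.compile(r"^[a-z0-9]+\.tmp$")


def encode_base36(data: bytes) -> str:
    """Encode a byte string as a base-36 number written with the custom alphabet."""
    n = int.from_bytes(data, "big")  # assumption: big-endian interpretation
    if n == 0:
        return ALPHABET[0]
    digits = []
    while n:
        n, rem = divmod(n, 36)
        digits.append(ALPHABET[rem])
    return "".join(reversed(digits))


def decode_base36(text: str) -> int:
    """Inverse of encode_base36: the integer value a file name stem encodes."""
    n = 0
    for ch in text:
        n = n * 36 + ALPHABET.index(ch)
    return n


def decoded_byte_length(stem: str) -> int:
    """Minimum number of bytes needed to hold the value a stem encodes."""
    return (decode_base36(stem).bit_length() + 7) // 8


def config_filename(key: bytes, length: int | None = None) -> str:
    """File name the downloader would use for `key`: skip byte 0, encode `length` bytes, add .tmp."""
    end = None if length is None else 1 + length
    return encode_base36(key[1:end]) + ".tmp"


def matches_key(path: str, key: bytes, length: int | None = None) -> bool:
    """Hunting check: does an observed %temp% path correspond to this key?"""
    # ntpath handles Windows separators regardless of the analyst's own platform.
    return ntpath.basename(path).lower() == config_filename(key, length)


def candidate_names(listing) -> list:
    """Filter a %temp% listing down to names shaped like the scheme (a-z, 0-9, .tmp)."""
    return [name for name in listing if NAME_RE.match(name)]


if __name__ == "__main__":
    # Constructed key: a placeholder, not the real Key 2 (which is in the IoCs section).
    placeholder_key = bytes(range(1, 33))
    print(config_filename(placeholder_key, length=12))
    # The page's sample name encodes about 12 bytes, not 31.
    print(decoded_byte_length("rb1us0wm99sslpa1vx"))
```

`candidate_names` narrows a directory listing to the shape the scheme produces; `matches_key` then confirms a specific candidate against a key recovered from a sample, which is the check worth automating across a fleet.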

During the second run, the downloader reads the configuration data from the file, not from itself – this way, the attacker can easily update the configuration.

Thanks to its secure design, the configuration is not left in memory in unencrypted form. Every time the downloader needs to use some element of the configuration file, it decrypts the configuration file, retrieves the member and encrypts the file again.

This design protects the malware’s primary function – C&C communication – against memory forensics.

Figure 2. Part of the code as seen by the Hex-Rays decompiler, which illustrates how the DePriMon malware decrypts the configuration file, saves a few members to local variables and encrypts it again

Of interest in the configuration file are:

Two entries for usernames and two members for passwords – for the proxy server if it is set on the machine. It means attackers are preparing to further their attack via a proxy with credentials. However, we haven’t seen functionality for

What does it take to attract top cybersecurity talent?

From professional backgrounds to competitive salaries – a study delves into what it takes to build strong cybersecurity teams

Cybersecurity professionals are in high demand but in short supply, the 2019 (ISC)2 Cybersecurity Workforce Study finds. In fact, the supply is so low that the workforce needs to grow by an estimated 145 percent to fill the estimated gap of 4.07 million. The United States alone needs growth of 62% to meet the needs of its businesses.

Most participants of the study work in the IT services industry, followed by financial services and government. These professionals come from diverse backgrounds, since cybersecurity is a young specialization, but most are likely to have a bachelor’s degree. A majority have degrees in computer science, but one in five has an engineering background, while a small number has a business degree. There are many paths into cybersecurity, and not all of them require a university specialization; some professionals are self-taught.

As cybersecurity professionals tend to be male, this leaves a rather large talent pool that organizations could use to bolster their ranks. This is underlined by the fact that one-third of the survey’s respondents were women.

Most cybersecurity professionals tend to be experienced and remain a steady part of their organizations. On average they spend six years with their employer and hold four security certifications. Salaries tend to be competitive, with a global average of US$69,000, and certification plays a role in how high a salary is. The highest salaries are offered in the United States: US$93,000 with certifications, otherwise dropping to US$76,500. Salaries offered in the Asia Pacific region are also highly dependent on certification; without any, the expected salary can drop by 41%.

Eight out of ten respondents are where they expected to be in their careers based on their expertise while more than half responded that they are very close. They also achieved success in their fields, becoming the go-to source of knowledge for their colleagues and even taking the lead in major security projects.

On the flip side, there are hurdles they have to overcome in their careers. The most frequent obstacle they face is the price of cybersecurity certification. More than half of respondents have to pay some part of it from their own pocket. With that in mind, organizations that pick up the tab for their employees can keep them satisfied. In fact, almost three-quarters of respondents in organizations that do so say they are either very or somewhat satisfied in their jobs.

This may not be a comprehensive blueprint for how organizations should hire and retain cybersecurity talent, but it should provide them with good insight into the market. Organizations all over the world have been victims of cyberattacks, so investing in experienced cybersecurity professionals should be a top-tier priority, especially since attackers don’t discriminate and target private companies and municipalities alike.

20 Nov 2019 – 04:48PM