Week in security with Tony Anscombe

ESET researchers detail how the operators of the Stantinko botnet have expanded their toolset with a new means of profiting from computers under their control

ESET researchers detail how the operators of the Stantinko botnet have expanded their toolset with a new means of profiting from computers under their control. ESET security researcher Cameron Camp looks back at the key theme of the CyberwarCon conference in Washington, D.C. Top five scams to be on the lookout for this Black Friday and the entire holiday shopping season. All this – and more – on WeLiveSecurity.com.

Smartwatch exposes locations and other data on thousands of children

A device that is supposed to help parents keep track of their children and give them peace of mind can be turned into a surveillance device

Researchers at the AV-Test Institute have uncovered gaping privacy and security holes in the SMA-WATCH-M2 smartwatch that is designed to keep children safe and their parents feeling secure about their offspring.

The security lapses were so severe that the researchers were able to piece together a snapshot of the life and daily habits of a randomly selected 10-year-old child named Anna from Germany. Among other data, the Chinese-made device exposed the girl’s age, place of residence, where she spends most of her day, and the routes she takes. The researchers could even access the voice messages that were transmitted to her device. And that’s still not all – they were even able to monitor Anna’s real-time GPS position.

Obviously, the security shortcomings did not affect just that single device. The team said it could gain access to the location, phone number, photos and conversations of well over 5,000 children, and was quick to note the number of affected users might, in fact, be far higher.

How was this possible, I hear you ask? Communication with the manufacturer’s server was unencrypted, and the server’s online interface was completely unsecured, leaving it open to unauthorized external access. Although an authorization token is generated to prevent unauthorized access, the server never checks it, which means anyone with modest technical skill can enumerate user IDs and obtain exactly the access a parent would have.
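The access-control failure described above, reduced to a minimal backend handler, as an added example that is not code from this page or from the smartwatch vendor. The server shape, the token format (an HMAC over the parent’s account id), the signing key and the child records are all constructed for illustration; the unencrypted transport is not modelled. The point the example makes is that a handler must both verify the token and check that it is bound to the child record being requested; a token that is merely present on the wire proves nothing.

```python
import hashlib
import hmac
import secrets

# Constructed sample backend state for this example (not the real vendor API).
# A real deployment keeps the signing key in a secrets store and the records in
# a database; only the logic of the two handlers matters here.
SIGNING_KEY = secrets.token_bytes(32)
CHILDREN = {
    "child-1001": {"name": "Anna", "parent": "parent-42", "last_fix": (52.52, 13.405)},
    "child-1002": {"name": "Ben",  "parent": "parent-77", "last_fix": (41.39, 2.17)},
}


def issue_token(parent_id: str) -> str:
    """Session token handed to the parent app after login: id plus an HMAC over it."""
    mac = hmac.new(SIGNING_KEY, parent_id.encode(), hashlib.sha256).hexdigest()
    return f"{parent_id}.{mac}"


def parent_from_token(token: str):
    """Return the parent id a token was issued to, or None if the MAC does not verify."""
    parent_id, _, mac = token.rpartition(".")
    if not parent_id:
        return None
    expected = hmac.new(SIGNING_KEY, parent_id.encode(), hashlib.sha256).hexdigest()
    return parent_id if hmac.compare_digest(mac.encode(), expected.encode()) else None


def get_location_unchecked(child_id: str, token: str):
    """The flaw the article describes: a token is required on the wire but never
    verified, so anyone who guesses or enumerates a child id gets the parent's view."""
    child = CHILDREN.get(child_id)          # `token` is ignored entirely
    return child["last_fix"] if child else None


def get_location_checked(child_id: str, token: str):
    """Hardened handler: verify the token, then enforce that it is bound to this child."""
    parent_id = parent_from_token(token)
    if parent_id is None:
        return None                         # HTTP 401: no valid session
    child = CHILDREN.get(child_id)
    if child is None or child["parent"] != parent_id:
        return None                         # HTTP 404: not this parent's child (do not reveal the id exists)
    return child["last_fix"]


if __name__ == "__main__":
    bogus = "parent-42.0000deadbeef"
    print("unchecked, bogus token:", get_location_unchecked("child-1001", bogus))
    print("checked,   bogus token:", get_location_checked("child-1001", bogus))
    print("checked,   real token: ", get_location_checked("child-1001", issue_token("parent-42")))
```

Note that the hardened handler returns the same "not found" result for a forged token, a child that does not exist and a child belonging to another parent, so an attacker cannot use the responses to enumerate valid child ids.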

To sum it up, a device that is supposed to help parents keep track of their children and give them peace of mind can be turned into a surveillance tool for bad actors. The lapse was found to affect users in Germany, Turkey, Poland, Mexico, Belgium, Hong Kong, Spain, the Netherlands, and China, and the number of affected people may well exceed the estimated 5,000.

As much as this case might look like a one-off security lapse, it is far from it: we covered a similar case earlier this year. It is therefore always worth weighing the pros and cons before putting such a device on a child’s wrist.

29 Nov 2019 – 03:47PM

5 scams to watch out for this shopping season

Black Friday and Cyber Monday are just around the corner and scammers are gearing up to flood you with bogus offers

According to Adobe, consumers in the US are predicted to spend a staggering US$143.7 billion this shopping holiday season. Unsurprisingly, smartphones are expected to account for a significant part of the purchases made.

Shopping platforms will be dropping prices and offering deals aiming to unseat the competition. Far too often, what looks too good to be true will, in fact, be a scam designed to separate you from your hard-earned cash. For scammers ’tis the season to be jolly, since unaware shoppers are ripe to be ripped off. Honestly, if that shiny, new iPhone at half its regular price seems too cheap, it probably is. Here are some of the most common types of online shopping scams you should watch out for.

Scam ads

These are an evergreen classic not reserved just for the holidays. You can encounter them all year round, but during shopping holidays they come out in force. Fraudulent ads are usually spread through social media, often via hacked accounts. Clicking on such an ad will usually redirect you to a fraudulent site, which may be advertising fake goods; in the worst case, you might download a malware payload to your device. Refrain from clicking on anything that seems even remotely suspicious and always check for signs of a scam, such as ridiculous prices, grammar mistakes or weird surveys.

Figure 1. Brazilian website promising to include you in a raffle if you fill out a survey

Fake websites

Fake websites come in many shapes and sizes, and during this part of the year con artists will try to leverage seasonal shopping. For example, it might appear that a reputable e-shop has launched a separate domain to house its Black Friday or Cyber Monday offerings, when in fact it’s just a scam. Or you might get hit with a homograph attack. It might sound like somebody is going to hit you in the face with a dictionary, but a homograph attack is what happens when adversaries register domains that look like the originals but use visually ambiguous characters, for instance a Cyrillic letter in place of the Latin one it resembles. And these fake sites can often have their own valid TLS certificates, so the padlock in the browser tells you only that the connection is encrypted, not that you are talking to the retailer you think you are.

Figure 2. An example of a fake website
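The homograph and lookalike-domain tricks described above, turned into a check a practitioner can run on a hostname before trusting it, as an added example that is not code from this page or from ESET. The confusables table is a deliberately small subset constructed for the example (real tooling should load the Unicode consortium’s confusables.txt), the trusted-domain list and the sample hostnames are constructed, and only the standard library is used. It goes slightly beyond the text by also flagging the "separate Black Friday domain" pattern, where a trusted brand name is embedded in some unrelated domain.

```python
import unicodedata

# Partial lookalike table, constructed for this example. Production code should
# use the Unicode consortium's confusables.txt, which is far larger.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic a, ie, o, er
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",   # Cyrillic es, ha, u, i
    "\u04cf": "l",                                                # Cyrillic palochka
    "\u03bf": "o", "\u03b1": "a",                                 # Greek omicron, alpha
    "\u0131": "i",                                                # Latin dotless i
    "0": "o", "1": "l",                                           # digit look-alikes
}


def decode_host(host: str) -> str:
    """Unicode form of a hostname whose labels may be punycode ("xn--...")."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed label: keep the raw form so it stays visible
        labels.append(label)
    return ".".join(labels)


def scripts_in(label: str) -> set:
    """Writing systems used by the letters of one label, taken from the first
    word of each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(host: str) -> str:
    """Fold visually similar characters onto ASCII so that lookalikes compare equal."""
    folded = []
    for ch in unicodedata.normalize("NFKD", host):
        if unicodedata.combining(ch):
            continue                      # drop accents and other combining marks
        folded.append(CONFUSABLES.get(ch, ch))
    return "".join(folded).replace("rn", "m")   # "rn" renders like "m" in many fonts


def assess(host: str, trusted: list) -> dict:
    """Report (a) mixed scripts inside one label, (b) a confusable-skeleton match
    with a trusted domain, (c) a trusted brand name embedded in some other domain."""
    uni = decode_host(host)

    def is_own(t: str) -> bool:           # the trusted domain itself or a subdomain of it
        return uni == t or uni.endswith("." + t)

    mixed = any(len(scripts_in(lbl)) > 1 for lbl in uni.split("."))
    sk = skeleton(uni)
    lookalike = next((t for t in trusted if not is_own(t) and sk == skeleton(t)), None)
    brand_abuse = next((t for t in trusted if not is_own(t) and sk != skeleton(t)
                        and t.split(".")[0] in sk), None)
    return {"unicode": uni, "mixed_script": mixed,
            "lookalike_of": lookalike, "brand_in_other_domain": brand_abuse}


if __name__ == "__main__":
    trusted = ["apple.com", "google.com", "paypal.com"]          # constructed allow-list
    for h in ["apple.com", "xn--pple-43d.com", "\u0430\u0440\u0440\u04cf\u0435.com",
              "g00gle.com", "paypal-blackfriday-deals.com"]:
        print(h, "->", assess(h, trusted))
```

The second and third sample hosts illustrate why a mixed-script check alone is not enough: "xn--pple-43d.com" mixes a Cyrillic "а" into an otherwise Latin label and is caught by both checks, but an all-Cyrillic lookalike is single-script and is only caught by comparing skeletons against the list of domains you actually trust.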

Bogus gift cards and coupons

Apart from jaw-dropping discounts, coupons are a popular way to reel customers in, which makes them a popular lure for bad actors as well. If you get enticed by a fake coupon and click on it, an installer can be downloaded to your device, which might install a banking trojan; a similar case was uncovered recently involving fraudulent McDonald’s coupons. Coupons and gift cards are usually distributed through the official channels of the company, such as its app, so it’s best to stick to those. Any unsolicited coupon should set your spidey sense tingling.

Figure 3. A fake gift card example

Illicit discount or coupon apps

Alternatively, instead of receiving coupons by email, you may stumble upon Black Friday- or Cyber Monday-themed apps that are likely to appear on unofficial app repositories. These have the same aim as all the aforementioned scams: prey on your trust and entice you with the promise of a great deal. Your best course of action is to stick to Google Play or the App Store. Most retailers tend to have official apps, but imposters have been known to sneak past the sentries into the walled gardens of the platforms’ storefronts. So always pay attention to the app’s description, negative reviews and the permissions it requests.

Phishing attacks

Phishing attacks are one of the most widespread scams out there. For example, a criminal might send you an email posing as Amazon and telling you there was an issue with your order. To proceed, they will ask you to provide personal information, which may include your credit card number and home address; you shouldn’t do this under any circumstances. If you ever receive such a message, don’t follow its links; instead, use the company’s official channels (its app, or an address you type in yourself) to check whether there really is a problem. So, keep your eyes peeled for thematic promotional emails that ask you to fill in your personal information to claim your ‘prize’.

Figure 4. Have you ever seen a Louis Vuitton bag at such a steep discount?

According to ESET telemetry recorded a week before the Black Friday craze begins, an average of 11% of the Black Friday-related emails you receive in a day are spam, which can very often be more than merely annoying. So, be sure to read anything that piques your interest extra thoroughly and don’t let your guard down while you’re on the hunt for that perfect deal. Happy hunting!

28 Nov 2019 – 11:30AM

Cryptocurrency exchange loses US$50 million in apparent hack

UPbit has announced that, as a precaution, all transactions will remain suspended for at least two weeks

Cryptocurrency exchange UPbit announced today that it lost almost US$50 million worth of ether (ETH) in an apparent security breach.

According to a statement by Lee Seok-woo, the CEO of the exchange’s operator Dunamu, around 342,000 ETH were moved from the platform’s hot wallet to an unrecognized wallet shortly after 1 p.m. local time today. Client funds were not affected, said the South Korea-based cryptocurrency exchange.

The incident was also noted on Twitter by Whale Alert, a service that tracks major cryptocurrency transactions.

🚨 🚨 🚨 🚨 342,000 #ETH (49,848,273 USD) transferred from #Upbit to unknown wallet

Tx: https://t.co/HairAS3gee

— Whale Alert (@whale_alert) November 27, 2019

UPbit said that, in the wake of the incident, it moved all virtual coins to cold wallets. Cold storage keeps the keys controlling cryptocurrency offline for long-term holding, which reduces the likelihood of funds being stolen. By contrast, hot wallets are connected to the internet and are used to carry out transactions.

The exchange has also halted all deposits and withdrawals and said that, in order to protect its clients’ virtual funds, the transactions will remain suspended for two weeks. The exchange said that it will cover the loss from its own funds. Additional details are scarce; notably, there’s no word on how the theft is thought to have taken place.

Launched two years ago, UPbit went on to become one of South Korea’s largest cryptocurrency exchanges. Just months ago, its users were targeted in a phishing campaign that used a fake giveaway as the pretext. Weeks earlier, another major South Korean cryptocurrency exchange, Bithumb, lost up to US$20 million worth of digital money in a suspected inside job.

Indeed, recent years have seen a string of cyberattacks against providers of infrastructure that caters to virtual currencies and their users, including high-profile thefts of people’s virtual money. Recent ESET research, too, discovered a range of mobile apps aimed at parting people from their cryptocurrency assets.

27 Nov 2019 – 05:06PM

Stantinko botnet adds cryptomining to its pool of criminal activities

ESET researchers have discovered that the criminals behind the Stantinko botnet are distributing a cryptomining module to the computers they control

The operators of the Stantinko botnet have expanded their toolset with a new means of profiting from the computers under their control. The roughly half-million-strong botnet – known to have been active since at least 2012 and mainly targeting users in Russia, Ukraine, Belarus and Kazakhstan – now distributes a cryptomining module. Mining Monero, a cryptocurrency whose exchange rate has oscillated between US$50 and US$110 in 2019, has been the botnet’s monetizing functionality since at least August 2018. Before that, the botnet performed click fraud, ad injection, social network fraud and password stealing attacks.

In this article, we describe Stantinko’s cryptomining module and provide an analysis of its functionality.

This module’s most notable feature is the way it is obfuscated to thwart analysis and avoid detection. Because the obfuscation is applied at source level with a grain of randomness, and because Stantinko’s operators compile this module afresh for each new victim, each sample of the module is unique.

We will describe the module’s obfuscation techniques and offer, in a separate article for fellow malware analysts, a possible approach to deal with some of them.

Since Stantinko constantly develops new custom obfuscators and modules and improves existing ones, all heavily obfuscated, tracking every minor change it introduces would be backbreaking. We therefore describe the module as it currently is and mention only those adjustments we consider significant relative to earlier samples.

Modified open-source cryptominer

Stantinko’s cryptomining module, which exhausts most of the resources of the compromised machine by mining a cryptocurrency, is a highly modified version of the xmr-stak open-source cryptominer. All unnecessary strings and even whole functionalities were removed in attempts to evade detection. The remaining strings and functions are heavily obfuscated. ESET security products detect this malware as Win{32,64}/CoinMiner.Stantinko.

Use of mining proxies

CoinMiner.Stantinko doesn’t communicate with its mining pool directly, but via proxies whose IP addresses are acquired from the description text of YouTube videos. A similar technique to hide data in descriptions of YouTube videos is used by the banking malware Casbaneiro. Casbaneiro uses much more legitimate-looking channels and descriptions, but for much the same purpose: storing encrypted C&Cs.

The description of such a video consists of a string of mining proxy IP addresses in hexadecimal format. For example, the YouTube video seen in Figure 1 has the description "03101f1712dec626", which encodes two IP addresses, eight hex digits each: 03101f17 is 3.16.31[.]23 in dotted-quad notation, and 12dec626 is 18.222.198[.]38. As of the time of writing, the format has been slightly adjusted: the IP addresses are now enclosed in "!!!!", which simplifies parsing and prevents changes to the YouTube page’s HTML structure from breaking the parser.

Figure 1. Example YouTube video whose description provides an IP address for the module’s communication with the mining pool
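A parser for the description format described above, written as an added example; it is neither Stantinko’s code nor ESET’s tooling. The only sample input taken from the page is the Figure 1 description "03101f1712dec626". The page fragment in the newer "!!!!" layout is constructed, and because the article does not show exactly how the delimiters surround several addresses, the parser accepts any run of hex digits fenced by "!!!!" on both sides, including runs that share a delimiter; that tolerance is an assumption.

```python
import ipaddress
import re

# Newer layout from the article: the hex run is fenced by "!!!!". Lookarounds
# rather than a capturing pair let adjacent addresses share one delimiter
# (an assumption about the exact layout, which the article does not show).
MARKED_RUN = re.compile(r"(?<=!!!!)[0-9a-fA-F]+(?=!!!!)")
# Original layout: the whole description is one run of hex digits.
BARE_RUN = re.compile(r"^[0-9a-fA-F]+$")


def hex_to_ipv4(chunk: str) -> str:
    """'03101f17' -> '3.16.31.23': four bytes, most significant first."""
    if len(chunk) != 8:
        raise ValueError(f"expected 8 hex digits, got {chunk!r}")
    return str(ipaddress.IPv4Address(int(chunk, 16)))


def proxies_from_description(description: str) -> list:
    """Mining-proxy addresses encoded in a video description, in the order the
    module would try them (it connects to the first proxy it finds alive)."""
    runs = MARKED_RUN.findall(description)
    if not runs:
        text = description.strip()
        runs = [text] if BARE_RUN.match(text) else []
    addrs = []
    for run in runs:
        if len(run) % 8:
            raise ValueError(f"hex run {run!r} is not a whole number of IPv4 addresses")
        addrs.extend(hex_to_ipv4(run[i:i + 8]) for i in range(0, len(run), 8))
    return addrs


if __name__ == "__main__":
    # Figure 1 description, then a constructed page fragment in the newer layout.
    print(proxies_from_description("03101f1712dec626"))
    print(proxies_from_description('<div id="description">Deals !!!!03101f1712dec626!!!!</div>'))
```

Pointing the same function at descriptions pulled from a channel’s videos is also a cheap way to hunt for similar abuse: a legitimate description is essentially never a bare run of hex digits or a hex run fenced by exclamation marks.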

In earlier versions, the YouTube URL was hardcoded in the CoinMiner.Stantinko binary. Currently the module receives a video identifier as a command line parameter instead. This parameter is then used to construct the YouTube URL, in the form https://www.youtube.com/watch?v=%PARAM%. The cryptomining module is executed either by Stantinko’s BEDS component or by rundll32.exe via a batch file that we have not captured, with the module loaded from a local file system location of the form %TEMP%\%RANDOM%\%RANDOM_GUID%.dll.

We informed YouTube of this abuse; all the channels containing these videos were taken down.

Cryptomining capabilities

We have divided the cryptomining module into four logical parts, which represent distinct sets of capabilities. The main part performs the actual cryptomining; the other parts of the module are responsible for additional functions:

- suspending other (i.e. competing) cryptomining applications
- detecting security software
- suspending the cryptomining function if the PC is on battery power or when a task manager is detected, to prevent being revealed by the user

Cryptomining

At the very core of the cryptomining function lies the process of hashing, and communication with the proxy. The method of obtaining the list of mining proxies is described above; CoinMiner.Stantinko sets the communication with the first mining proxy it finds alive.

Its communication takes place over TCP and is encrypted by RC4 with a key consisting of the first 26 characters of the number pi (including the decimal separator, hardcoded in the string "3,141592653589793238462643") and then base64 encoded; the same key is used in all samples we have seen.

The code of the hashing algorithm is downloaded from the mining proxy at the beginning of the communication and loaded into memory – either directly or, in earlier versions, from the library libcr64.dll that is first dropped onto the disk.

Downloading the hashing code with each execution enables the Stantinko group to change this code on the fly. This makes it possible, for example, to adapt to algorithm changes in existing currencies and to switch to mining other cryptocurrencies, perhaps whichever is most profitable at the moment of execution. The main benefit of downloading the core part of the module from a remote server and loading it directly into memory is that this part of the code is never stored on disk. This additional adjustment, which is not present in earlier versions, is aimed at complicating detection, because the patterns in these hashing algorithms are trivial for security products to detect.

All instances of Stantinko’s cryptomining module we’ve analyzed mine Monero. We deduced this from the jobs provided by the mining proxy and the hashing algorithm. For example, Figure 2 is a job sent by one of the proxies.

{"error":null,"result":{"status":"OK"}}
{"method":"job","params":{"blob":"0b0bbfdee1e50567042dcfdfe96018227f25672544521f8ee2564cf8b4c3139a6a88c5f0b32664000000a1c8ee5c185ed2661daab9d0c454fd40e9f53f0267fe391bdb4eb4690395deb36018","job_id":"281980000000000a10","target":"67d81500","height":1815711}}

Figure 2. Example mining job received from a mining pool proxy
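The proxy transport (RC4 under the fixed pi-derived key) and the job from Figure 2, worked through together as an added example that is neither the module’s code nor ESET’s tooling. It derives the key as the article describes, decrypts a message, computes the pool difficulty from the job’s target and splits the 76-byte hashing blob into its fields; the blob layout and the 32-bit little-endian target convention are facts of the Monero pool protocol, not something taken from the article. Two assumptions are mine: that the base64 step in the article applies to the key rather than to the ciphertext, and the ciphertext itself, which is the Figure 2 job re-encrypted under that key rather than a real capture.

```python
import base64
import json

# Key derivation as described in the article: the first 26 characters of pi with
# a comma as decimal separator, then base64. This example reads the sentence as
# "the key is base64(pi-string)" (an assumption); if the base64 step instead
# applies to the ciphertext, use PI_STRING as the key and base64-decode the
# wire bytes before calling rc4().
PI_STRING = b"3,141592653589793238462643"
RC4_KEY = base64.b64encode(PI_STRING)           # 36 ASCII bytes


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def read_varint(buf: bytes, pos: int):
    """Monero-style LEB128 varint: 7 bits per byte, high bit set means 'continue'."""
    value = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def parse_hashing_blob(blob_hex: str) -> dict:
    """Split a Monero block hashing blob into its fields:
    major/minor version, timestamp (varints), prev hash, 4-byte nonce,
    transaction merkle root, transaction count (varint)."""
    blob = bytes.fromhex(blob_hex)
    major, pos = read_varint(blob, 0)
    minor, pos = read_varint(blob, pos)
    timestamp, pos = read_varint(blob, pos)
    prev_hash, pos = blob[pos:pos + 32].hex(), pos + 32
    nonce_offset = pos                                   # where the miner writes its nonce
    nonce, pos = int.from_bytes(blob[pos:pos + 4], "little"), pos + 4
    merkle_root, pos = blob[pos:pos + 32].hex(), pos + 32
    tx_count, pos = read_varint(blob, pos)
    if pos != len(blob):
        raise ValueError(f"unexpected blob length {len(blob)} (parsed {pos} bytes)")
    return {"major_version": major, "minor_version": minor, "timestamp": timestamp,
            "prev_hash": prev_hash, "nonce_offset": nonce_offset, "nonce": nonce,
            "merkle_root": merkle_root, "tx_count": tx_count}


def difficulty_from_target(target_hex: str) -> int:
    """Pool job targets are 32-bit little-endian; difficulty = 0xFFFFFFFF / target."""
    return 0xFFFFFFFF // int.from_bytes(bytes.fromhex(target_hex), "little")


def decode_proxy_message(wire: bytes) -> dict:
    """Decrypt one proxy-to-miner message and, for a job, parse its blob and target."""
    msg = json.loads(rc4(RC4_KEY, wire))
    if msg.get("method") == "job":
        p = msg["params"]
        msg["decoded"] = {"blob": parse_hashing_blob(p["blob"]),
                          "difficulty": difficulty_from_target(p["target"])}
    return msg


# The job from Figure 2, re-encrypted here with the same key so the example is
# self-contained (constructed ciphertext, not a capture).
JOB_PLAINTEXT = ('{"method":"job","params":{"blob":"0b0bbfdee1e50567042dcfdfe96018227f25672544521f8e'
                 'e2564cf8b4c3139a6a88c5f0b32664000000a1c8ee5c185ed2661daab9d0c454fd40e9f53f0267fe'
                 '391bdb4eb4690395deb36018","job_id":"281980000000000a10","target":"67d81500",'
                 '"height":1815711}}')
SAMPLE_WIRE = rc4(RC4_KEY, JOB_PLAINTEXT.encode())

if __name__ == "__main__":
    print(json.dumps(decode_proxy_message(SAMPLE_WIRE)["decoded"], indent=2))
```

Two things fall out of running this. The Figure 2 target decodes to a pool difficulty of 3000, and the blob’s two leading version bytes are both 0x0b, which is consistent with the CryptoNight R finding discussed below. More importantly for defenders, RC4 under one fixed key shared by every sample is obfuscation, not confidentiality: anyone holding a sample can decrypt all proxy traffic, and because the keystream never changes, whatever fixed JSON prefix a session starts with produces the same ciphertext bytes every time, which is exactly the kind of constant a network signature can key on.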

We analyzed the hashing algorithm used and found that it was CryptoNight R. Since there are multiple cryptocurrencies that use this algorithm, its

CyberwarCon – the future of nation‑state nastiness

How the field of play has changed and why endpoint protection still often comes down to doing the basics, even in the face of increasingly complex threats

The news cycle is awash with coverage of campaigns that have nation-state fingerprints all over them. Now, here at CyberwarCon in Washington, D.C., there’s a deluge of energy surrounding the subject from all corners of the globe.

From information campaigns of all kinds to serious hacking attempts, the new field of play involves big, well‑financed players. Hacking used to be about pranks, money grabs or disgruntled digital natives getting revenge; now it’s about settling national scores.

From a research perspective, it’s still about keeping computer systems safe, regardless of the intended target or the source. And while we don’t get into picking sides, it looks like this trend is rising sharply (the conference doubled in size since last year) and will continue to grow in importance.

From talks about budding, would-be digital forces being stood up by up-and-coming states embroiled in operational growing pains, to the tried-and-true worthy adversaries, the subject is no longer a secret; it’s something the world has to deal with.

It’s interesting to note the extent to which nation states engage in combined campaigns, including disinformation, active hacking, false flags, and A/B testing of new techniques to judge their effectiveness. Defenders, conversely, are having to stand up new techniques to combat the tactics in a sort of cat-and-mouse exercise that promises to span the years to come.

We are here, presenting our recent research on the Dukes family of campaigns, trying to share with the research community the natural evolution of tactics of a family of threat actors that have been adapting techniques to suit their changing targets and dodge detection for years.

Being in D.C. means the lawmaker crowd is also here, trying to grapple with what may be appropriate engagement both tactically and legally, depending on the context. Is it appropriate to strike back kinetically in response to a pervasive, impactful attack leveled against your country? While some are ready to quick-launch in retaliation, others take a wait-and-see approach in which a certain level of thoughtfulness about the appropriate response seems wise. Both approaches will be debated for years.

Meanwhile, it’s interesting to note how many of the super-expensive tactics with the latest tools start by someone clicking on a malicious email. Alarming, actually…

So, protection often comes back to operational security and doing the basics, something we’ve been preaching for years here at WeLiveSecurity. And while we’d like to think we’re making a difference, there’s still a lot of work to do, especially keeping folks safe against increasingly complex threats launched by well-heeled adversaries.

25 Nov 2019 – 11:30AM