Malware Bytes

A week in security (December 28 – January 3)

Malware Bytes Security - Mon, 01/04/2021 - 10:52am

First off we would like to wish all our readers a happy and secure 2021!

Last week on Malwarebytes Labs we presented an overview of developments in the SearchDimension hijackers, we looked at the most enticing cyberattacks of 2020, and we also looked back at the strangest cybersecurity events of 2020.

Other cybersecurity news:
  • Google patched a bug in its feedback tool that could be exploited by an attacker to potentially steal screenshots of sensitive Google Docs documents. (Source: The Hacker News)
  • Section 230: The social media law that is clogging up stimulus talks. (Source: CNet)
  • Apple has lost its copyright battle against iOS virtualization startup Corellium. (Source: TechSpot)
  • Microsoft confirmed that the suspected Russian hackers behind the SolarWinds security breach also viewed some of the company’s source code. (Source: CNN)
  • Over 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to connected devices. (Source: ZDNet)
  • A data breach broker is selling allegedly stolen user records for 26 companies on a hacker forum. (Source: BleepingComputer)
  • Hackers have livestreamed police raids on innocent households after hijacking their victims’ smart home devices and making a hoax call to the authorities. (Source: BBC News)
  • The US Department of Homeland Security (DHS) has published a guide to the risks that businesses run if they use tech created in China. (Source: The Register)

Stay safe, everyone!

The post A week in security (December 28 – January 3) appeared first on Malwarebytes Labs.

Categories: Malware Bytes

The strangest cybersecurity events of 2020: a look back

Malware Bytes Security - Thu, 12/31/2020 - 11:00am

This year is finally coming to an end, and it only took us about eight consecutive months of March to get here. There is a ton to talk about, and that’s without even discussing the literal global pandemic.

You see, 2020’s news stories were the pressure-cooker product of mania, chaos, and the downright absurd. “Murder hornets” made the journey to the US. Mystery seeds from China arrived in US mailboxes. The Pentagon officially released three videos of “unidentified aerial phenomena”—which many interpreted as three videos of alien spacecraft.

Also, a star vanished. Yes. Brighter than our sun, nestled into the same distant galaxy that cradles the constellation of Aquarius, and glinting a pale, cornflower blue onto its neighbors, the massive star simply disappeared one day. No supernova. No stellar collapse. No black hole.

Honestly? Bravo, star.

So, in a year unbridled in strangeness, it only fits that the cybersecurity events we witnessed produced equally head-scratching responses. The following cybersecurity events of 2020 that we’ve collected for you are not the most destructive or the most shocking, or the most attractive, like we covered earlier this week. They are, instead, the mysteries, the embarrassments, and the face-palms.

They are the events that that made us collectively say: “Wait… seriously?”

A digital vaccine for a physical illness

We hate to start our jovial list with coronavirus news, but this was too incredulous to pass up.

In late March, we found threat actors trying to convince unsuspecting victims to install an alleged digital antivirus tool to protect themselves from the physical coronavirus. In the scheme, scam artists built a malicious website that advertised “Corona Antivirus -World’s best protection.”

The website also claimed:

“Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.”


What threat actors were hiding behind the website was an attempt to install the BlackNET Remote Access Trojan, which can deploy DDoS attacks, take screenshots, execute scripts, implement a keylogger, and steal Firefox cookies, passwords, and Bitcoin wallets.

TikTok: an on-again, off-again relationship

Back in December of 2019, the US Army banned its members from downloading the massively popular video sharing app TikTok on government-issued devices. At the time, Army spokesperson Lieutenant Colonel Robin Ochoa described the app to the outlet as “a cyberthreat.”

Fast forward several months to the start of summer, when TikTok then received the worst kind of attention that any up-and-coming app can receive: that from a devoted Reddit user. The Reddit user claimed to have “reverse-engineered the app,” and said that TikTok was nothing more than “a data collection service that is thinly-veiled as a social network.” The app allegedly collected tons of data about users’ phones, the other apps they’ve installed, their network, and some GPS info.

The negative attention piled onto TikTok until, in August, President Donald Trump said he would ban the app from the US market.

With deadlines pressing, TikTok entered a flurry of sales talks, meeting with Microsoft, Oracle, and even Wal-Mart. A deal was initially struck with Oracle and Wal-Mart, with sign-off from the President granted partly in September. But the deal at the time still needed approval from a committee here in the US called the Committee on Foreign Investment in the United States, or CFIUS.

The way TikTok tells the story, that committee ghosted the company for months. As the company told the outlet The Verge:

“In the nearly two months since the President gave his preliminary approval to our proposal to satisfy those concerns, we have offered detailed solutions to finalize that agreement – but have received no substantive feedback on our extensive data privacy and security framework.”

So, did the administration claim a national security threat and then just… forget about it?

Data leakers suffer leaked data

In January, the FBI seized the domain of the website, which claimed to have more than 12 billion records that contained personal information that was pilfered from more than 10,000 data breaches. The website offered a “subscription” service, letting users buy access to the database for months at a time.

It was a pretty nefarious service and after the FBI seized the domain, the saga actually continued in May.

You see, an older database of itself actually leaked online, including information belonging to countless users who bought WeLeakData’s subscription services. Now, the tables had turned—login names, email addresses, hashed passwords, IP addresses, and even private messages between users were being sold and purchased online.

Shade ransomware operators turn to the light

In April, a group that claimed to have developed the Troldesh ransomware—also known as the Shade ransomware—publicly published all of its remaining decryption keys for anyone still suffering from an earlier attack.

Posting on GitHub, the group said:

“We are the team which created a trojan-encryptor mostly known as Shade, Troldesh or Encoder.858. In fact, we stopped its distribution in the end of 2019. Now we made a decision to put the last point in this story and to publish all the decryption keys we have (over 750 thousands at all). We are also publishing our decryption soft; we also hope that, having the keys, antivirus companies will issue their own more user-friendly decryption tools. All other data related to our activity (including the source codes of the trojan) was irrevocably destroyed. We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data.”

The decryption keys were real, and were even used by Kaspersky to help develop a decryption tool, which, in time, would be used by the No More Ransom initiative which helps victims of ransomware retrieve encrypted data without having to pay a ransom.

So, what changed these threat actors into threat solvers? A sudden clarity of the conscience? Or was it that Troldesh wasn’t really paying out anymore, so it wasn’t worth the trouble of keeping it running?

We don’t know, but we’re happy either way.

One password to ruin them all

Earlier this month, Florida police raided the home of former government data scientist Rebekah Jones who, after being fired in May, had continued to post statistics about the state’s COVID-19 cases and deaths. The police said they investigated Jones because she had allegedly gained unauthorized access into the state’s emergency-responder system to send a wide alert to government employees.

But, according to Jones, that’s not true. Jones told CNN that she did not access the state’s emergency-responder system, and that she did not author the widely sent message.

When The Tampa Bay Times followed up with the Florida police to ask what measures they had implemented to safeguard the system, the police were tight-lipped.

According to Ars Technica, that stonewalling might be because the actual truth was far too embarrassing: Every single employee who logs into the system uses the same username and password, both of which are available to the public online.

Source: Ars Technica

Where’s the face-palm emoji?

Of printers and problems

This Fall, we started getting reports about a new type of malware that we were allegedly not detecting, which was instead being reported by the built-in anti-malware features on macOS.

When we investigated further, though, we found that most of these “malware” reports were related to Hewlett-Packard (HP) printing drivers, and that many of the messages that users received generally popped up whenever those users had tried to print something on their HP printers. Curious, no?

The problem, we found, lied within certificates. What’s that? Allow us to explain.

Certificates help keep the Internet running. They are a way to verify that the server you connect to is really owned and operated by the business you’re trying to communicate with, like, say, your online bank. But for years now, Apple has increasingly pushed software developers into using certificates to cryptographically sign and verify their own software. Without developer signoff, software users will have a ton of trouble using that software on Apple devices.

Back to the HP printer problem. It turns out that an HP certificate that was used to sign HP drivers had been revoked. By who, you ask?

By HP! Seriously. As the company told The Register:

“We unintentionally revoked credentials on some older versions of Mac drivers. This caused a temporary disruption for those customers and we are working with Apple to restore the drivers.”

Unfortunately, we’re still getting reports of these problems today, and threat actors are jumping on the opportunities, setting up malicious websites that promise to fix the problem.

Dead eye

This is more of a digital surveillance story than a straight cybersecurity tale, but it deserved a place on our list as an honorable mention. This year, Motherboard revealed that a secretive company had been selling stealthy surveillance products to cops.

The products? Cameras hidden within vacuum cleaners, baby car seats, and gravestones.

Source: Motherboard


To a new year

We’re almost in 2021, but a new day doesn’t magically bring new, improved cybersecurity across the globe. Instead, read the news, install antivirus, and protect yourself online. It’s the most clear-headed advice out there.

The post The strangest cybersecurity events of 2020: a look back appeared first on Malwarebytes Labs.

Categories: Malware Bytes

The most enticing cyberattacks of 2020

Malware Bytes Security - Wed, 12/30/2020 - 11:00am

In 2020, we experienced a major shift. Much of the world pitched in to limit the spread of the coronavirus, with people changing their daily routines to include a mixture of working from home, standing in socially-distanced lines, and awaiting local rules about what they could and could not do with members of different households.

It was a stressful and confusing time, and during it, cybercriminals adapted—sometimes a little too well.  

Today, we’re going to talk about some of the most nefarious and shameful tricks we saw online in 2020. What we’re sharing is not a list of the most destructive attacks or the most serious—as that list would certainly be topped by the recent SolarWinds attack. Instead, this is a list of the cyberattacks and cyberattack techniques that surprised us, whether because of their near-imperceptibility, or because of their severe harshness.

These are the most enticing—or the most impossible-to-ignore—cyberattack lures and cyberattack capabilities of 2020.

Coronavirus, coronavirus, coronavirus

Beginning in February, Malwarebytes and many other cybersecurity researchers had already recorded a significant uptick in coronavirus lures being used to trick people into opening malicious emails and visiting dangerous websites.

First up, we found cybercriminals who impersonated the World Health Organization to distribute a fake coronavirus e-book. That attack vector must have worked, because in the same month, cybercriminals again impersonated the World Health Organization to spread the invasive keylogger Agent Tesla.

Other, similar efforts included impersonations of the non-descript “Department of Health” with pleas for donations, and reported Pakistani state-sponsored threat actors spreading a Remote Administration Tool through a coronavirus-themed spearphishing campaign. In fact, even the operators for the most-wanted cyberthreats Emotet and TrickBot switched up their lure language to focus on coronavirus.

One of the many impersonations found online immediately following the pandemic

We see this story during every major crisis: A panicked and confused public look for answers anywhere, including their inboxes. By taking advantage of this fear, threat actors are able to swindle countless victims who only wanted some guidance and clarity in their lives.

Tupperware credit card skimmer just one of many similar attacks

In the earliest days of responding to the coronavirus pandemic, local and state governments across the world began shutting down non-essential storefronts in an effort to limit the spread of COVID-19. While grocery stores and pharmacies remained open, other retail stores were sometimes forced to shift to an entirely online business model, since foot traffic became non-existent. This meant more stores selling more items online, and more people making their purchases on the Internet.

But where online shopping increased, so did attempts to steal online credit card data.

In March, Malwarebytes uncovered an active cyberattack against the food storage product-maker Tupperware. In the attack, threat actors managed to compromise Tupperware’s primary website by inserting a malicious code within an image file that would trigger a fraudulent payment form during the checkout process.

To unsuspecting users, the cyberheist was nearly undetectable. Upon trying to checkout from Tupperware’s online store, victims would first be shown a fraudulent, convincing payment form that asked for their credit card number, expiration date, and three-digit security code.

The rogue payment form that greeted victims of the attack on Tupperware

After victims confirmed their credit card details, they then received a warning notice that the website had timed out, and that they had to enter their credit card details a second time. Though this second payment form was actually legitimate, it was too late—the cyberthieves already had what they wanted.

The Tupperware attack was just one of many similar attacks in 2020. In fact, in March alone, we recorded a 26 percent increase in credit card skimming attacks compared to the month earlier. And February itself wasn’t a quiet month, as we also found threat actors hiding a credit card skimmer within a fake content delivery network.

Emotet blends into the crowd (of email attachments)

In 2020, one of the most devastating cyberthreats seriously improved its camouflage.

For more than two years, a dangerous malware called Emotet has proved to be one of the biggest threats facing businesses across the world. That’s because Emotet, which began as a banking Trojan, has evolved into a sophisticated threat that often serves as a first step into broader and longer-lasting cyber damage.

For most businesses today, an Emotet attack is no longer just an Emotet attack. Instead, a successful Emotet attack can go undetected for days or even weeks. In the meantime, threat actors can use Emotet to download a separate banking Trojan called Trickbot, and yet another ransomware called Ryuk.

Making matters worse is that, over the years, Emotet has become increasingly hard to spot on first read. The banking Trojan is primarily spread through malspam, which are malicious emails that contain dangerous attachments like macro-enabled documents or other dangerous links. While similar malspam efforts are easy to detect, like the one-off billing invoice from a never-seen email address, Emotet is different.

In roughly one year, Emotet found a way to not only insert itself into active email threads, but to also copy and re-send legitimate email attachments so as to hide its own malicious payload amongst a set of documents that an email user may already recognize.

In tandem with implementing these new techniques, Emotet also came roaring back in the summer. Months later, it also received a superficial facelift, lurking within in a fake Microsoft Office update request.

We don’t know when we’ll finally be rid of Emotet, but we know that day can’t come soon enough.

Ransomware grows fond of extortion  

In November of last year, a security staffing firm based in Pennsylvania faced an impossible deadline. They had just been hit with a ransomware attack, and, in one of the first documented cases at the time, they were given an option: pay the ransom, or your confidential files get leaked online for everyone to see.

This was the work of the so-called “Maze Crew,” operators behind the Maze ransomware.

In Pennsylvania, the clock was ticking, and the Maze Crew began to signal that it wasn’t playing around. Using an email address connected to Maze ransomware attacks, someone from the Maze Crew emailed a reporter at Bleeping Computer and basically bragged about their attack. In their email, they wrote:

“I am writing to you because we have breached Allied Universal security firm (, downloaded data and executed Maze ransomware in their network.

They were asked to pay ransom in order to get decryptor and be safe from data leakage, we have also told them that we would write to you about this situation if they dont pay us, because it is a shame for the security firm to get breached and ransomwared.”

We gave them time to think until this day, but it seems they abandoned payment process.”

The security firm refused to pay Maze Crew’s ransom, and, true to its word, Maze Crew released 700 MB of data and stolen files from the attack.

Interestingly, the operators behind Maze ransomware claimed in November that they were retiring. Whether or not they’re to be believed, the damage they’ve done is everlasting. Following that extortion stint they pulled last year, other threat actors followed suit. In fact, according to one report in August, 30 percent of all ransomware attacks now involves extortion threats. In 22 percent of attacks, threat actors actually take the first step in fulfilling those threats, having exfiltrated data from their targets.

If only threat actors didn’t look to other threat actors for inspiration.

Release the Kraken

In October, our threat intelligence team published its findings on a cyberthreat that is as elusive and as slippery as its name: Kraken.

The attack first came through a malicious document—that was likely spread through spearphishing campaigns—that promised information about obtaining workers’ compensation. Opening the document enabling its content will then allow for a connection to “yourrighttocompensation[.]com” and it will result in a separate, downloaded image. Inside, a malicious macro starts a chain of events that loads and executes a payload from memory.

The payload is a .Net DLL that injects an embedded shellcode into the Windows Error Reporting service, WerFault.exe. But before the attack can actually trigger, the DLL performs a few, sly tricks to avoid detection. First, it checks for the presence of a debugger by measuring the time it takes to complete a certain set of instructions. Then, it checks for the presence of VMware or VirtualBox. It then checks for a processor feature, and the shellcode then also checks for a debugger. After one last, final debugging check, it creates its final shellcode in a new thread.

After all that work, the final shellcode in a set of instructions makes an HTTP request to download a malicious payload.

There is a bit of good news here, though. On further investigation, we found that this sneaky threat was not tied to any active APT group, but instead was the work of red team activities testing security.


Imposter syndrome

In April, our team discovered that a group of threat actors had built a malicious website meant to serve as a gate to the Fallout exploit kit, which can distribute the Raccoon information stealer.

The method itself is nothing new, and threat actors build malicious websites all the time for just these types of attacks. What did surprise us, though, is the organization that the threat actors tried to impersonate: It was us, Malwarebytes.

The malicious domain, at malwarebytes-free[.]com, presented users with much of the same information on our own homepage, as that information was simply swiped and reposted.

Scammers created a convincing copy of our site because they copied everything we wrote

The domain was registered on March 29 via REGISTRAR OF DOMAIN NAMES REG.RU LLC and was, at the time, hosted in Russia at 173.192.139[.]27. When we looked closer, we found a short piece of JavaScript on the copycat site that checked a user’s web browser. If the user was visiting the site on Internet Explorer, they would be led to a malicious URL which belonged to the Fallout exploit kit.

If these cyberthieves were trying to flatter us, it didn’t work.

A very long year

In 2020, not only did the coronavirus prove to be one of the most long-running lures to trick people into having their machines infected, but the capabilities of malware increased dramatically.

It isn’t all doom and gloom this year, though. Malwarebytes has done an enormous amount of work to keep you safe, and we’re constantly tracking what goes bump in the night to make sure you’re safe throughout the day.

Also, we shouldn’t get ahead of ourselves and judge all cyberthreats this year by the most alluring ones. In fact, tomorrow, we’re going to take a look at the strangest cyber events of 2020, and, spoiler alert, sometimes threat actors mess up hard.  

The post The most enticing cyberattacks of 2020 appeared first on Malwarebytes Labs.

Categories: Malware Bytes

SearchDimension search hijackers: An overview of developments

Malware Bytes Security - Tue, 12/29/2020 - 11:05am
Background information on SearchDimension

SearchDimension is the name of a family of browser hijackers that makes money from ad clicks and search engine revenues. The family was named after the domain that popped up in 2017, and they still sometimes use the letter combo SD in the names of their browser extensions.

Recent developments in the SearchDimension family

Over the last year we have seen this family evolve and expand into the world of PUPs and adware. Below are some of the latest additions to their arsenal.

  • Web push notifications: together with Adware.Adposhel, SearchDimension was among the first families to make full use of the potential provided by web push notifications for advertising.
  • Your browser is managed: the SearchDimension developers created an installer that not only installed their search hijacking extension but also made the “Remove” button disappear on the extension listing, telling frustrated users their browser was not their own to manage
  • One of their most recent additions is a Chromium-based browser that replaces your default browser when you install it. This new default browser then behaves the same as a normal Chrome browser with one of the search hijacker extensions installed.
  • Another new trick comes with extensions that read your browser history to grab the search term the user looked for. The extension then closes the original search tab and opens a new tab with their own search engine looking for that search term. Basically this comes down to lying about the permissions so users will not notice the extension as a search hijacker.
How can you recognize SearchDimension hijackers?

There are many subfamilies and different versions within those families, but there are some tell-tale signs of the SearchDimension family. First and foremost, they use a few website templates that are very typical. These are the six most common ones.

Depending on the referring websites, you may be asked to accept notifications from the search hijacker’s domain. Every domain I have seen from them recently has this option but the referring URL does not always trigger this behavior. So, anyone directly visiting such a domain will not see the notifications prompt.

Then there is one page that comes up very often after you have installed one of the extensions. It looks like this:

The name of the extension and the “sponsors” will vary but the blue and white fields with the circular logo are very typical for the “Thank you for installing … “ page.

The wording in the entry in the list of installed Chrome extensions also comes from a rather limited set, and will usually have one of these formats:

  • Search by {extension name}. The best way to search. This one is by far the most common.
  • This extension configures your Default Search in Chrome browser to provide these features. Which features remain unsaid.
  • {extension name} is an extension that replaces your default search to Yahoo to provide more features. This one seems very specific for the PUP.Optional.SearchDimension subfamily.

Another weak spot in the development process for new variants seems to be the icon. Although they have come up with a lot of them, there is one that is repeated a lot.

The “A” in a blue field is often used for variants that have a short life span. These variants are often only around for a few days before they get removed from the Webstore.

Some variants, including the WebNavigator browsers, add a table of graphics representing Search Recommendations to the search results. This will look like this:

Different subfamilies of SearchDimension

One could divide this family up into subfamilies, based on their behavior, and at Malwarebytes we detect these subfamilies under different names. Below you will find a short description of the methods these subfamilies use and whether there is a Malwarebytes’ detection name for that subfamily.

  • The web push notifications are a part of all the subfamilies. If the user has accepted web push notifications, Malwarebytes will detect them as PUP.Optional.PushNotifications.Generic.
  • The subfamily that only uses the trick to close and open a new search tab will be detected by Malwarebytes as PUP.Optional.SearchEngineHijack.Generic.
  • The variants that change the default search engine and the ones that show “Search Recommendations” will be detected by Malwarebytes as Adware.SearchEngineHijack.Generic.
  • The subfamily that consists of Chromium-based browsers that replace your default browser is detected by Malwarebytes as PUP.Optional.WebNavigator.

Unfortunately, as some of these subfamilies use more than one method of browser hijacking, it is hard to be consistent. So sometimes detection names do not always completely follow this pattern as it depends on which behavior(s) our engine detects. The big advantage of the generic detections by our engine, however, is that it picks up new variants on their first appearance.

Advice on search hijackers and other adware

Changing your default search provider or installing adware should be done with user consent. Which is something these search hijackers often forget. They try to get installed by making promises they do not intend to keep and “forget to mention” what they actually are up to. We have seen search hijackers promising to be ad blockers, privacy protectors, and even ones that promise to provide antivirus protection. At best, they replaced existing advertisements with their own.

Installing a browser extension just to change your default search provider is something I would advise against. It’s easy enough to change the default search engine in the browser settings, and if the one of your choice is not listed there, I would recommend you only install an extension with a proven track record and one that really adds some value.

It’s an error to think that these search hijackers only bother Windows users. Most of the prevalent search hijackers aim at Chrome/Chromium browsers and sometimes Firefox. As a consequence, most of them can also be installed on macOS systems.

Recommended reading

For those interested in this subject, I have gathered some related links.

Removal methods:

How to remove adware from your PC

Browser push notifications: a feature asking to be abused

Adware the series, part 1


Mac adware is more sophisticated and dangerous than traditional Mac malware

Three million users installed 28 malicious Chrome or Edge extensions

Stay safe, everyone!

The post SearchDimension search hijackers: An overview of developments appeared first on Malwarebytes Labs.

Categories: Malware Bytes