Information Security Newspaper | Hacking News (https://www.securitynewspaper.com/), feed built Tue, 28 Nov 2017 13:30:38 +0000

Terror exploit kit goes HTTPS all the way
https://www.securitynewspaper.com/2017/11/28/terror-exploit-kit-goes-https-way/ (Tue, 28 Nov 2017 13:30:38 +0000)

The post Terror exploit kit goes HTTPS all the way appeared first on Information Security Newspaper | Hacking News.

We’ve been following the Terror exploit kit during the past few months and observed notable changes in both its redirection mechanism and infrastructure, which have made capturing it in the wild a more challenging task.

Unlike the RIG exploit kit, which uses predictable URI patterns and distribution channels, Terror EK is constantly attempting to evade detection by using malvertising chains without any static upper referrers (at least to our knowledge) combined with multi-step filtering in some cases, as well as HTTPS throughout the delivery sequence.

Traffic redirection

We’ve noticed consistent malvertising incidents via the Propeller Ads Media ad network, followed by the advertiser’s campaign, which we were able to recognize through URI patterns and other identifying creative choices. Ultimately, the ad redirected to the exploit kit’s first check-in page, which acts as both a decoy and launchpad.

Over time, the threat actors behind Terror have been trying to hide the call to the exploit kit. In one example, they created overly long URLs and used obfuscation to mask their iframe. Interestingly, in other sequences, we witnessed an additional type of filtering that uses unique subdomains. The user is first taken to a page whose current theme is cheap flights and hotels, containing what looks like an affiliate link to the travel site expedia.com:

But the main point of focus here is the additional invisible iframe, created with a unique 15-digit subdomain and refreshed for each new visit:

580773189093524.mistake-hexagon.science/haxit.php
319561824482067.mistake-hexagon.science/haxit.php
239878215504660.mistake-hexagon.science/haxit.php
828990124673515.mistake-hexagon.science/haxit.php
...

This iframe is what creates the final call to the exploit kit landing page. We believe this setup may be to prevent replays that attempt to step over the normal redirection flow, although it was only used for a short period of time.
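The per-visit numeric subdomains described above leave a trace a defender can check from hostnames alone (for instance the TLS server name in connection logs, with no interception): group hostnames by parent domain and flag parents under which many distinct long all-digit leftmost labels appear in a short window. The following Python is an added example and not code from the Malwarebytes post; the connection records, client and destination IPs, the 12-digit minimum and the threshold of three distinct labels are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: connection records as a sensor without TLS interception
# would see them (client IP, server name, destination IP). The hostnames mimic
# the per-visit numeric subdomains quoted in the article; every IP is made up
# for this example, and the last three hosts are benign decoys.
SAMPLE_CONNECTIONS = [
    ("10.0.0.15", "580773189093524.mistake-hexagon.science", "203.0.113.7"),
    ("10.0.0.23", "319561824482067.mistake-hexagon.science", "203.0.113.7"),
    ("10.0.0.42", "239878215504660.mistake-hexagon.science", "203.0.113.7"),
    ("10.0.0.15", "828990124673515.mistake-hexagon.science", "203.0.113.7"),
    ("10.0.0.15", "www.expedia.com", "198.51.100.20"),
    ("10.0.0.23", "cdn1.example-news.test", "198.51.100.21"),
    ("10.0.0.42", "2017.archive.example.test", "198.51.100.22"),
]

# Leftmost label made only of digits and at least MIN_DIGITS long. Short
# numeric labels such as "2017." are common on legitimate sites and are ignored.
MIN_DIGITS = 12  # assumption: the article's samples use 15 digits
NUMERIC_LABEL = re.compile(r"^(\d{%d,})\.(.+)$" % MIN_DIGITS)


def split_numeric_subdomain(hostname):
    """Return (numeric_label, parent_domain), or None when the hostname has
    no long all-digit leftmost label."""
    m = NUMERIC_LABEL.match(hostname.lower().rstrip("."))
    return (m.group(1), m.group(2)) if m else None


def find_rotating_subdomains(connections, min_distinct=3):
    """Group hostnames by parent domain and report parents under which at
    least `min_distinct` different long numeric labels were observed.

    Returns {parent: {"labels": [...], "clients": [...]}} with sorted lists,
    so the affected clients can be pulled for triage. This is a heuristic:
    some CDNs also use numeric labels, so treat hits as leads, not verdicts.
    """
    per_parent = defaultdict(lambda: {"labels": set(), "clients": set()})
    for client_ip, server_name, _dst_ip in connections:
        parsed = split_numeric_subdomain(server_name)
        if parsed is None:
            continue
        label, parent = parsed
        per_parent[parent]["labels"].add(label)
        per_parent[parent]["clients"].add(client_ip)
    return {
        parent: {"labels": sorted(v["labels"]), "clients": sorted(v["clients"])}
        for parent, v in per_parent.items()
        if len(v["labels"]) >= min_distinct
    }


if __name__ == "__main__":
    for parent, info in find_rotating_subdomains(SAMPLE_CONNECTIONS).items():
        print(f"{parent}: {len(info['labels'])} distinct numeric subdomains "
              f"from {len(info['clients'])} clients")
```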

HTTPS all the things

In late August 2017, we saw Terror EK make an attempt at HTTPS by using free SSL certificates, although it kept switching back and forth between HTTP and HTTPS. At times, there also seemed to be problems with domains that had the wrong certificate:

However, in recent days we’ve observed a constant use of SSL, not only for the exploit kit itself but also at the upper redirection stage.

This is what the traffic looks like using a customized version of the Fiddler web debugger set up as a man-in-the-middle proxy:

Without using a MITM proxy, network administrators will see the SSL handshake with the corresponding server’s IP address, but not the full URIs or content being sent:

Terror EK is one of the few exploit kits to have used SSL encryption this year, the other well-documented one being Astrum EK, used in large malvertising attacks by the AdGholas group. Also, unlike RIG EK, which appears to have permanently switched to IP literal URIs after operation ShadowFall, Terror is making full use of domains under new or abused TLDs.

As usual, Terror EK is dropping Smoke Loader, which in turn downloads several more payloads, likely to generate a lot of noise on the network:

Conclusion

Despite no significant advances in the vulnerabilities being integrated, exploit kit authors are nonetheless still leveraging malvertising as their primary distribution method and attempting to evade detection by the security community, which they monitor closely.

Source: https://blog.malwarebytes.com/threat-analysis/2017/11/terror-exploit-kit-goes-https-all-the-way/

Disdain exploit kit and a side of social engineering deliver Neutrino Bot
https://www.securitynewspaper.com/2017/11/10/disdain-exploit-kit-side-social-engineering-deliver-neutrino-bot/ (Fri, 10 Nov 2017 16:06:53 +0000)

Today we picked up new activity from an exploit kit that was first discovered back in August of this year. The Disdain exploit kit, simply identified by a string of the same name found in its source code, is being distributed again after a short interruption via malvertising chains.

Disdain EK relies on older vulnerabilities that have long been patched and some that do not appear to be working properly. From a traffic to infection point of view, this means that the conversion rates are going to be lower than, say, RIG EK, the other most common exploit kit at the moment.

This may explain why we are seeing Disdain being used as a drive-by download alongside a social engineering attack to increase the likelihood of infections. Case in point, the following site was compromised to serve Disdain EK while also distributing a fake Flash Player update:

What’s interesting is that both payloads (Disdain’s malware drop and the so-called Flash update) are actually the same malicious binary, just delivered by different methods. The former is loaded via an iframe injected into the page which triggers the exploit kit and delivers the payload automatically, while the latter is a regular download that requires user interaction to download and run it.

Disdain’s landing page exploits older Internet Explorer vulnerabilities and attempts to load Flash exploits as well, although in our tests these did not work.

That payload is Neutrino Bot, which we have documented on this blog before when it was served in malicious spam campaigns as well as via the now defunct Neutrino exploit kit. Neutrino Bot, AKA Kasidet, is a multi-purpose piece of malware famous for its information stealing abilities.

In the past few weeks, there have been a few developments in the exploit kit scene beyond the long running RIG exploit kit, where threat actors are attempting new tricks both from an evasion and distribution point of view. Despite this, there remains a lack of innovation in what really matters at the end of the day: the exploits being used to deliver drive-by infections.

While some groups have switched to pure social engineering-based attacks, others are attempting either or both methods at once. In the current threat landscape, the campaigns that have the most success are those that can draw a lot of traffic and use clever techniques to fool users.

Systems that have been patched regularly would not be affected by this exploit kit, but at the same time users should beware of non-legitimate software updates. Many of the so-called “Flash Player” or “Video Player” updates typically push adware and, as we saw recently with the BadRabbit outbreak, even ransomware.

Source: https://blog.malwarebytes.com/threat-analysis/2017/11/disdain-exploit-kit-served-side-social-engineering/

EXPLOIT KIT ACTIVITY QUIETS, BUT IS FAR FROM SILENT
https://www.securitynewspaper.com/2017/04/15/exploit-kit-activity-quiets-far-silent/ (Sat, 15 Apr 2017 16:27:39 +0000)

Over the past six months, the roar of exploit kits has quieted to a whimper. But that doesn’t mean exploit kit threats are nonexistent. According to security experts, gangs behind them are regrouping, tweaking code and finding fresh software exploits to target.

Here are the exploit kits and exploit kit trends to watch for over the next six months.

Copy-Pasting Sundown Exploit Kit Has Been Offline for More Than a Month
https://www.securitynewspaper.com/2017/04/14/copy-pasting-sundown-exploit-kit-offline-month/ (Fri, 14 Apr 2017 02:59:23 +0000)

King of copy-paste exploits, the Sundown exploit kit has been offline since March 8, and so have most of its variations, according to security researchers Kafeine and Jérôme Segura of Malwarebytes.

While exploit kit operators have taken vacations in the past, they never lasted this long, and these were usually during the winter holidays or the summer months.

It is highly likely that we’ve seen the last of the Sundown exploit kit, which appeared on the market in June 2015 but remained a small-time player until the summer of 2016.

Sundown was an accidental success

Its rise was favored by the shutdowns of the Angler and Nuclear exploit kits, and the Neutrino exploit kit voluntarily entering a private mode, with a smaller number of clients.

All of the above were professionally-coded exploit kits, which are web-based applications that automate the process of exploiting browser and OS vulnerabilities and installing malware on the computers of users.

On the other hand, Sundown was known since its birth only for using old or copy-pasted exploit packages, usually from the bigger market players.

Exploit kits, which are usually rented on the cyber-criminal underground, work based on the trust buyers and EK operators have in each other.

Because of its copy-pasting practices, very few crooks trusted Sundown and its creators, a group known as the Yugoslav Business Network (YBN).

[Image] Sundown EK ad on a German-speaking underground hacking forum [Source: Zscaler]

Sundown – the king of copy-pasted exploits

After the disappearances of Angler, Nuclear, and Neutrino, Sundown rose through the ranks because there were very few exploit kits left alive and kicking during the summer and autumn of 2016.

While RIG established itself as the de-facto leader on the exploit kit market, the Magnitude exploit kit remained a private toolkit, exclusively used by one group. This left the door open for YBN, who heavily invested in expanding its exploit arsenal over the summer.

As usual, the group was neither creative nor technically talented, and simply stole what it could from its competitors, past EKs, and publicly available exploit code, as reports from Trustwave and Zscaler pointed out last fall.

Sundown was going through changes before it disappeared

Since then, several variations of the Sundown exploit kit have appeared, such as Bizarro, Greenflash, Nebula, and Terror, all trying to capitalize on Sundown’s popularity, just as Sundown capitalized on previous EKs.

According to a Cisco Talos report from late March, right before it stopped all activity from known servers, the original Sundown exploit kit had suffered heavy modifications, such as better operational security, the removal of any YBN mentions, and changes to the way it delivered its payloads.

Furthermore, after Cisco and GoDaddy had been hounding its operators with domain takedowns, Sundown started migrating to a new registrar.

Sundown’s fate unsure

After activity from the classic Sundown variant had stopped out of the blue, all we can do is speculate on what happened.

For starters, we cannot say Sundown morphed into a new version, mainly because the exploit kit left too many clues behind for security researchers not to recognize it if it came back, even under a different brand.

We also cannot say that Sundown rebranded as the Terror EK, as Trustwave already proved this was a different exploit kit, based on Sundown, but marketed by a user going by the name of 666_KingCobra, and not by YBN.

Furthermore, while Sundown and the Bizarro, Greenflash, and Nebula variants have gone silent, Terror continued to be available on underground forums, even rebranding a few times as Blaze, Neptune, or Eris. This reinforces the theory that Sundown and Terror’s maintainers aren’t connected.

We’ll probably have to wait a few more months before we find out what happened with Sundown. When Angler and Nuclear disappeared from the market, it took two to three months before researchers discovered what truly happened.

Exploit kit market is a barren place right now

In the meantime, the exploit kit market, which has close ties with spam and malvertising operators, is populated by exploit kits such as RIG, RIG-v, Terror, KaiXin and the closed-circuit Magnitude and Neutrino.

Another exploit kit that appeared and died in the past few months is RIG-E, also known as the Empire exploit kit.

Source: https://www.bleepingcomputer.com/

New, Poorly-Made Terror Exploit Kit Drops Monero Cryptocurrency Miner
https://www.securitynewspaper.com/2017/01/10/new-poorly-made-terror-exploit-kit-drops-monero-cryptocurrency-miner/ (Tue, 10 Jan 2017 15:04:40 +0000)


Security researchers from Trustwave and Malwarebytes have come across a new, poorly assembled exploit kit that appears to be the work of a one-man crew.

Named Terror EK, this exploit kit was first detected at the start of December. From the get-go, Terror got Trustwave’s attention due to the generally poor quality of how the exploit kit had been deployed.

Terror EK author appears to have no experience with exploit kits

Unlike almost all other exploit kits, Terror hosted its landing pages and its exploits on the same server, a big no-no in terms of exploit kit operation security.

Furthermore, Terror used an ancient technique known as “carpet bombing”, delivering all exploit packages to all users arriving on the landing pages. This delivery method is considered deprecated, and all other exploit kits use filters to select only vulnerable users before deploying exploits.

According to Trustwave, this initial version of Terror used eight different exploits, delivered to all users at the same time from the same page:

  • CVE-2014-6332 – Internet Explorer
  • CVE-2016-0189 – Internet Explorer
  • CVE-2015-5119 – Adobe Flash
  • CVE-2015-5122 – Adobe Flash
  • CVE-2013-1670/CVE-2013-1710 – Firefox
  • CVE-2014-1510/CVE-2014-1511 – Firefox
  • CVE-2014-8636 – Firefox
  • CVE-2015-4495 – Firefox

These initial attacks didn’t last long, and towards the end of December, researchers said this initial Terror EK installation was pulled down, as the crook switched to the Sundown EK, which they ran for about a week.

After this week, the crook changed back to the Terror EK once more, but to a new version, one that copied several exploits from the Sundown EK, presumably after testing them first-hand.

In fact, many security researchers mistook Terror for Sundown, due to how much of Sundown’s code the Terror author had copied.


In line with the crook’s general lack of knowledge of exploit kit deployments, he forgot to obfuscate (mask) his payloads, revealing his current exploits to security researchers. These were:

  • CVE-2013-2551 – Internet Explorer
  • CVE-2014-6332 – Internet Explorer
  • CVE-2015-7645 – Adobe Flash
  • CVE-2016-4117 – Adobe Flash

During all this switching around, despite the different exploits used to infect victims, the final malware payload was the same, which was a miner for the Monero cryptocurrency.

Again showing the malware author’s lack of awareness of proper operational security (OpSec) techniques, the crook hosted the configurations for his cryptocurrency mining operation on GitHub and Pastebin, where security researchers could easily take them down. Another piece of good news is that this cryptocurrency miner only works on 64-bit systems.

“After tracking this kit for over a month, we strongly suspect that this is a one-man operation,” said Simon Kenin of Trustwave. “Crypto mining is not that profitable, however for a one-man operation this is a good solution. Once the host is infected and as long as it keeps running the miner, you profit. No hassle whatsoever.”

Source: https://www.bleepingcomputer.com/

INSIDE THE RIG EXPLOIT KIT
https://www.securitynewspaper.com/2016/11/05/inside-rig-exploit-kit/ (Sat, 05 Nov 2016 04:30:12 +0000)

Today’s most prolific exploit kit is RIG, which has filled a void left by the departure of Angler, Neutrino and Nuclear. That has made it public enemy No. 1 when it comes to exploit kits. Now Cisco Talos researchers are hoping to shed new light on the ongoing development of the potent EK in hopes of neutralizing the RIG EK threat.

As with the unraveling of any EK, one of the keys to stopping infections is determining infection routes and how adversaries bypass security software and devices.

In a deep analysis of RIG, the Cisco Talos team recently outlined the unique nature of the exploit kit. In a nutshell, like other exploit kits, the crew behind RIG uses gates to redirect victims to the exploit kit. But what makes RIG unique, according to Cisco Talos researchers, is the way it combines different web technologies, such as DoSWF, JavaScript, Flash and VBScript, to obfuscate the attack.

Making matters worse, each separate attack strategy utilizes “dynamically changing encoding and encryption for all files transmitted.” Talos’ dissection of RIG also reveals that this technique ensures scripts look different every time an attack session is launched. This, Cisco Talos said, “ensures (attackers) can’t be detected by simple string matches or hash values.”

At the heart of the RIG attack, researchers say, is a three-pronged attack strategy that leverages JavaScript-, Flash- or VBScript-based attacks as needed.

With RIG, when it comes to the delivery of malware files, “the same malware file often gets written and executed multiple times on the victim’s PC. If one method doesn’t work or is blocked by an anti-malware solution, they have a couple of backup methods. All stages and methods are obfuscated, some more, some less,” Cisco Talos wrote.

As part of its RIG campaign analysis Cisco Talos noted that most infections were initiated through compromised websites. “These are websites which were hacked and then the adversaries added malicious code into the website which redirected the user to the gate. The gate then redirects the user to the EK landing page,” according to Holger Unterbrink, the author of the blog.

To a lesser extent, Unterbrink said, other RIG campaigns used gates that relied on malvertising techniques, redirecting traffic to the adversary’s infection chain. Here victims are funneled into either a JavaScript-, Flash- or VBScript-based attack. In the end, all of these scripts download and execute the same malware file that the exploit kit wants to install on the victim’s machine.


Stage one of the attack is driving traffic to a compromised website which starts the redirection chain. The compromised website loads a malicious Flash (SWF) file. Next, that Flash file inserts one or two iFrames into the compromised site. Now, the victim’s browser is redirected via the iFrame to the gate.

“The gate – which is nothing else than another web site on another server – does some checks and redirects the user again, but now to the exploit kit landing page – again another web page on another server,” Unterbrink said.

Lastly, the exploit kit landing page includes three JavaScript variables – a JavaScript which loads a Flash (SWF) exploit, a VBscript with an exploit, and a third JavaScript that also contains an exploit. “This is a very complex infection chain with all of these steps using their own obfuscation techniques,” Unterbrink said.

The SWF file is heavily obfuscated by commercial protection software called DoSWF, a professional Flash SWF encryptor. This Flash file itself creates two malicious iFrames, according to Talos, that are served up inside a malicious website. One is generated instantly; the other is generated and placed into the compromised website a bit later, after a timer in the first Flash file expires.

Unterbrink says the reason for the timed delay is unclear, but theorizes it could be as a backup mechanism if the first compromise fails.

Next, depending on vulnerabilities in the victim’s browser, either iFrame, both filled with JavaScript code, redirects the victim to the RIG exploit kit’s landing page. Here the victim’s browser is faced with three embedded scripts hidden inside corresponding JavaScript variables.

One of the scripts hidden inside the RIG EK landing page is a VBscript. “After a couple of tests on the target system, (the VBscript) executes the DoMagic() function, which downloads the main malware payload of the campaign such as ransomware using the URL stored in the script,” according to Talos.

A second script is also present on the RIG EK landing page that inserts random comments such as “/*sw7586sdd*/” in between the JavaScript code, Talos notes. “These comments are changed per session, which means that the Base64 encoded blob looks different in every session,” Talos researchers wrote in a technical write-up outlining their research.
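To see why per-session comment filler defeats hash matching, and how normalising a script before hashing restores it, here is an added Python example (not Talos code or real RIG content): two constructed script fragments that differ only in filler comments hash differently raw but identically once comments are stripped and whitespace is collapsed. The fragments, the Base64 literal and the `run()` call are made up for the example.

```python
import hashlib

# Two constructed landing-page script fragments. They carry the same code;
# only the per-session filler comments, modelled on the "/*sw7586sdd*/" style
# quoted in the Talos write-up, differ. Neither is real RIG code.
SESSION_A = 'var blob = /*sw7586sdd*/ "QUJDREVGRw==";/*k19ss*/ run(blob); // x1'
SESSION_B = 'var blob = /*p00ak3*/ "QUJDREVGRw==";/*zz81qq*//*m2*/ run(blob); // q7'


def strip_js_comments(src):
    """Remove /* ... */ and // comments from JavaScript source while leaving
    string literals intact, so a '/*' inside quotes is not taken for a comment.

    Regex and template literals are not handled: this is a normaliser for
    hashing and clustering, not a full JavaScript lexer.
    """
    out = []
    i, n = 0, len(src)
    quote = None  # current string delimiter, or None when outside a string
    while i < n:
        c = src[i]
        if quote:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped character verbatim
                out.append(src[i + 1])
                i += 1
            elif c == quote:
                quote = None
            i += 1
        elif c in "\"'":
            quote = c
            out.append(c)
            i += 1
        elif src.startswith("/*", i):
            end = src.find("*/", i + 2)
            i = n if end == -1 else end + 2   # unterminated comment eats the rest
        elif src.startswith("//", i):
            end = src.find("\n", i)
            i = n if end == -1 else end      # the newline itself is kept
        else:
            out.append(c)
            i += 1
    return "".join(out)


def normalise(src):
    """Comment-stripped source with runs of whitespace collapsed to one space."""
    return " ".join(strip_js_comments(src).split())


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def compare_sessions(a, b):
    """Return (raw_hashes_match, normalised_hashes_match) for two captures."""
    return (sha256_hex(a) == sha256_hex(b),
            sha256_hex(normalise(a)) == sha256_hex(normalise(b)))


if __name__ == "__main__":
    raw_same, norm_same = compare_sessions(SESSION_A, SESSION_B)
    print("raw hashes match:", raw_same)          # False
    print("normalised hashes match:", norm_same)  # True
```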

This script then executes another malicious Flash (SWF) file that is once again obfuscated by the DoSWF Flash tool. Talos says it is working on de-obfuscating the code, but for now asserts the code “seems to be a type of shellcode payload which gets decoded at runtime, combined with other strings stored in the SWF, and finally executed by an exploit.”

The remaining JavaScript file in the RIG exploit kit landing page, according to Talos, exploits CVE-2013-2551 (aka MS13-037) to download and infect the victim. MS13-037 addresses an integer overflow vulnerability in Internet Explorer, according to a Microsoft security bulletin from May 2013.

“The vulnerability exists in the handling of the dashstyle.array length for vml shapes on the vgx.dll module. The exploit has been built and tested specifically against Windows 7 SP1 with Internet Explorer 8,” according to a technical description of MS13-037 by Rapid7.

According to Talos, the MS13-037 exploit includes code that drives the victim to a URL to download the final EK malware.

In the campaigns tracked by Cisco Talos for this report, payloads included ransomware (mainly CRYPTFILE2, but also Locky and CryptXXX), Trojans (Gamarue and Gootkit) and some broken executables, Unterbrink said.

To protect against RIG, Cisco Talos recommends disabling all unnecessary browser plugins. “Patching and updating is mandatory for all browsers and their plugins. Any browser with an unpatched outdated Flash plugin will get infected, it is just a question of time,” Unterbrink said. That time horizon, he said, will be small. “I would guess something from minutes to a few days, depending on your luck and surfing behavior.”

Source: https://threatpost.com

New PonyForx Infostealer Malware Sold on Russian Hacking Forums
https://www.securitynewspaper.com/2016/09/27/new-ponyforx-infostealer-malware-sold-russian-hacking-forums/ (Tue, 27 Sep 2016 09:21:54 +0000)

PonyForx is a fork of the more popular Pony infostealer. A crook named Cronbot is currently selling a new malware variant on Russian underground hacking forums that appears to be a successful fork of an older and very advanced infostealer called Pony.

Named Fox but currently identified by researchers as PonyForx or Fox Stealer, this new malware is currently at v1.0 and has been up for sale since around August 11 this year.

Its author says this is a fork of the Pony infostealer, with added support for further applications from which PonyForx can extract information and login credentials.

Pony, also known as Fareit, is an old, reputable (among crooks), and reliable information-stealing malware that can get passwords and all sorts of data from a wide range of applications, from browsers to email clients, and from FTP applications to Bitcoin wallets.

Cronbot says PonyForx is Pony updated “for 2016,” with updated support for today’s most popular apps. The crook is offering his malware for rent as an EXE or DLL file for $250 per month. Even if he’s adamant he’s not selling access to the PonyForx source code, he lists a price for it of $2,000.

PonyForx deployed in live attacks

Security researcher Kafeine, who spotted the ad, says PonyForx has been used in live attacks.

The researcher discovered a campaign in September that was using the Neutrino exploit kit to deliver the Godzilla malware loader to users. In turn, Godzilla would download the PonyForx infostealer, and after it was done, it would deliver the Locky ransomware.

Below is Cronbot’s ad, translated from the original Russian to English.

Password stealer and more - Fox v1.0
We are releasing a product for sale. The product is already in its final stage of testing.
About the product:
1. Can do everything Pony can. + New software added.
2. Up to date for 2016.
3. Written in C++ without any additional libraries.
4. Admin panel from Pony.
Conditions:
1. Rent only.
2. Distributed as EXE and DLL.
3. We will not sell the sources.
Rent $250 per month.
Sources $2,000 one-time fee.

Source: https://news.softpedia.com/

Major Exploit Kit Campaign Switches from CryptXXX Ransomware Back to Locky
https://www.securitynewspaper.com/2016/08/01/major-exploit-kit-campaign-switches-cryptxxx-ransomware-back-locky/ (Mon, 01 Aug 2016 09:48:01 +0000)

By mid-July 2016, the Afraidgate campaign stopped distributing CryptXXX ransomware. It is now distributing the “.zepto” variant of Locky. Afraidgate has been using Neutrino exploit kit (EK) to distribute malware after Angler EK disappeared in early June 2016. As we previously reported, this campaign continues to utilize gate domains using name servers from afraid.org.

Changing Payloads

As early as June 29, 2016, we saw the Afraidgate campaign deliver Locky ransomware. This campaign switched between delivering CryptXXX and Locky ransomware during the next two weeks. July 11, 2016, was the last time we saw Afraidgate deliver CryptXXX. Since then, this campaign has been consistently delivering Locky.

Figure 1: Flow chart for an infection from the Afraidgate campaign.

This variant of Locky uses a .zepto file extension for any encrypted files. We started seeing this Zepto variant of Locky after a three-week outage of the Necurs botnet ended on June 21, 2016. Locky had been absent during the outage, but after the botnet returned, Locky also reappeared with new anti-sandboxing and evasion techniques.

Some security vendors have named this new variant Zepto ransomware, but they still highlight its similarities with the previous Locky variant.

Figure 2: Desktop of a Windows host infected with the Zepto variant of Locky.

From Angler EK to Neutrino

Like most campaigns, Afraidgate switched to Neutrino EK after Angler EK disappeared in early June 2016. We have seen two other large-scale campaigns also move from Angler to Neutrino EK: the EITest and pseudo-Darkleech campaigns. For now, Neutrino appears to be distributing the majority of ransomware for EK-based infections. Outliers still exist, like Magnitude EK distributing Cerber ransomware. Rig EK has also been noted for an occasional ransomware infection. But the bulk of EK-based ransomware infections are most often attributed to Neutrino EK.

Example of an Afraidgate Infection

Figure 3: Traffic from an Afraidgate infection filtered in Wireshark.

As noted in our previous post on EK fundamentals, EK-based campaigns start with a compromised website. Pages from the compromised site have injected script that, in this case, leads to an Afraidgate domain behind the scenes.

Figure 4: Injected script in page from a compromised website.

After the victim’s computer connects to the URL on an Afraidgate domain, the server returns more JavaScript with an iframe leading to a Neutrino EK landing page.

Figure 5: Afraidgate domain leading to the Neutrino EK landing page.

Neutrino EK domains for this campaign tend to use .top as the top level domain (TLD). Otherwise, we see no surprises. Neutrino is a well-known EK that has been documented by others.
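The following is an added example, not code from the Palo Alto Networks write-up, that checks a captured page for the two injections described above: a third-party script inserted into the compromised site's page, and the hidden iframe that the gate's JavaScript writes in to pull the Neutrino landing page. The hostnames, paths and sample markup are constructed for the example; the only campaign-specific detail taken from the text is the .top TLD heuristic.

```python
"""Flag injected off-site <script> and <iframe> references in a captured page."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# The write-up notes that this campaign's Neutrino landing domains favour .top;
# add further TLDs here as your own telemetry warrants.
SUSPICIOUS_TLDS = {"top"}


def _is_hidden(attrs):
    """True for 0/1-pixel frames or inline CSS that keeps the frame invisible."""
    def px(value):
        try:
            return int(str(value).rstrip("px"))
        except ValueError:
            return None

    width, height = px(attrs.get("width", "")), px(attrs.get("height", ""))
    if (width is not None and width <= 1) or (height is not None and height <= 1):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return any(k in style for k in ("display:none", "visibility:hidden", "left:-", "top:-"))


class InjectionScanner(HTMLParser):
    """Collect <script src> / <iframe src> whose host differs from the page's own."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        host = (urlparse(src).hostname or "").lower()
        # Relative URLs and same-site (or sub-domain) references are normal.
        if not host or host == self.page_host or host.endswith("." + self.page_host):
            return
        reasons = ["off-site " + tag]
        if tag == "iframe" and _is_hidden(a):
            reasons.append("hidden iframe")
        tld = host.rsplit(".", 1)[-1]
        if tld in SUSPICIOUS_TLDS:
            reasons.append("." + tld + " TLD")
        self.findings.append({"tag": tag, "host": host, "src": src, "reasons": reasons})


def scan_page(page_url, html):
    """Return the list of off-site script/iframe findings for one page body."""
    scanner = InjectionScanner(urlparse(page_url).hostname or "")
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed samples (hostnames and paths are made up). The first is the
# compromised site's page with one injected third-party script; the second is
# the markup that the gate's JavaScript writes into the page, shown already
# written out: a 1x1, off-screen iframe pulling a .top landing page.
COMPROMISED_PAGE = """<html><body>
<script src="/js/site.js"></script>
<h1>Welcome</h1>
<script src="http://gate.example-afraid.net/a/b.js"></script>
</body></html>"""

GATE_INJECTED_MARKUP = """<html><body>
<iframe src="http://xyz.landing.top/neutrino/index.php" width="1" height="1"
        style="position:absolute; left:-9999px"></iframe>
</body></html>"""


def demo():
    """Scan both constructed samples; returns (compromised_findings, gate_findings)."""
    return (scan_page("http://compromised-site.example/index.html", COMPROMISED_PAGE),
            scan_page("http://gate.example-afraid.net/a/b.js", GATE_INJECTED_MARKUP))


if __name__ == "__main__":
    for findings in demo():
        for f in findings:
            print(f"{f['tag']:6} {f['host']:28} {', '.join(f['reasons'])}")
```

The scanner deliberately ignores same-site and relative references, since those are what a legitimate page is full of; what it surfaces is the small set of third-party loads, which on a site you own should be a short, known list. Run it against a page before and after a suspected compromise and diff the findings.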

Conclusion

Domains, IP addresses, and other indicators associated with Neutrino EK and Locky are constantly changing. We continue to investigate this activity for applicable indicators to inform the community and further enhance our threat prevention platform.

Source: https://researchcenter.paloaltonetworks.com/

The post Major Exploit Kit Campaign Switches from CryptXXX Ransomware Back to Locky appeared first on Information Security Newspaper | Hacking News.

Comcast Users Hit by Malvertising, Exploit Kit, Tech Support Scam in One Go
https://www.securitynewspaper.com/2015/12/17/comcast-users-hit-malvertising-exploit-kit-tech-support-scam-one-go/
Thu, 17 Dec 2015 05:50:52 +0000

The post Comcast Users Hit by Malvertising, Exploit Kit, Tech Support Scam in One Go appeared first on Information Security Newspaper | Hacking News.

Trio of threats assaults unsuspecting Comcast Xfinity users. Some users visiting the Comcast Xfinity portal faced a triple threat these past days: a malicious ad took them on a wild ride to a page serving ransomware via an exploit kit, and a follow-up page then tried to trick them into calling a phone number in a classic tech support scam.

Researchers from Malwarebytes have detailed their most recently spotted malware campaign, one that affected users searching for content inside Comcast’s portal for Xfinity customers.

Malicious ad delivered via AdWords on the Xfinity portal

Apparently, in some search results, a malicious ad was displayed via Google’s AdWords service, which read, “DirectTV compared to Comcast TV.”

If users clicked on the ad, they were redirected to the SatTvPro.com website, where the Nuclear Exploit Kit was hosted. This kit, often employed by cyber-criminals, probed the visitor's browser and plugins for exploitable vulnerabilities and infected the machine with malware. Malwarebytes says that, most of the time, the CryptoWall ransomware was dished out.

But things didn’t stop here, as right after the user’s computer was infected, the malicious website would also load another site, designed to look like the real Xfinity portal.

Tech support scam served via a fake Xfinity portal

This second website served its part in a tech support scam, where the user would be shown a warning message that read, “Comcast’s security plugin has detected some suspicious activity from your IP address. Some Spyware may have caused a security breach at your network location. Call Toll Free 1-866-319-[redacted] for technical assistance.”

Malwarebytes contacted both Google and Comcast about the attacks, and Google removed the malicious ad from its service.

The researchers also contacted the owner of SatTvPro.com, who, although he did not reply to Malwarebytes by email, proceeded to upgrade his site from a vulnerable Joomla 2.x CMS to WordPress, effectively removing the infection.

This is not the first time a security vendor has observed tech support scams being combined with malvertising and exploit kits. Symantec reported on a similar incident at the start of December.
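As an added example (not from the Palo Alto Networks or Malwarebytes write-ups), the script below rebuilds an infection chain of the kind shown in the Afraidgate Wireshark capture in Figure 3 and in the Comcast malvertising sequence above, working from exported HTTP request records and walking Referer headers back from the payload download. It also handles the caveat a Referer walk alone misses: the gate's script is fetched by the compromised page itself, so it shows up as a sibling of the landing page rather than as its ancestor. Records, hostnames and paths are constructed; only the .top TLD check comes from the article.

```python
"""Rebuild an exploit-kit infection chain from HTTP request records via Referer."""
from urllib.parse import urlparse

# Constructed records in the shape one exports from Wireshark or a proxy log:
# request order, URL, Referer and the response Content-Type. Hosts and paths
# are made up; the stage order mirrors the chains described in the articles.
RECORDS = [
    {"t": 1, "url": "http://www.compromised-blog.example/post.html",
     "referer": "", "ctype": "text/html"},
    {"t": 2, "url": "http://www.compromised-blog.example/style.css",
     "referer": "http://www.compromised-blog.example/post.html", "ctype": "text/css"},
    {"t": 3, "url": "http://gate.example-afraid.net/a/b.js",
     "referer": "http://www.compromised-blog.example/post.html",
     "ctype": "application/javascript"},
    {"t": 4, "url": "http://xyz.landing.top/neutrino/index.php",
     "referer": "http://www.compromised-blog.example/post.html", "ctype": "text/html"},
    {"t": 5, "url": "http://xyz.landing.top/neutrino/flash.swf",
     "referer": "http://xyz.landing.top/neutrino/index.php",
     "ctype": "application/x-shockwave-flash"},
    {"t": 6, "url": "http://xyz.landing.top/neutrino/payload",
     "referer": "http://xyz.landing.top/neutrino/index.php",
     "ctype": "application/octet-stream"},
]


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _tld(host):
    return host.rsplit(".", 1)[-1]


def referer_chain(records, start):
    """Walk Referer headers back from `start` to the request that had none."""
    by_url = {r["url"]: r for r in records}
    chain, cur, seen = [start], start, {start["url"]}
    while cur["referer"] in by_url and cur["referer"] not in seen:
        cur = by_url[cur["referer"]]
        seen.add(cur["url"])
        chain.append(cur)
    return list(reversed(chain))


def sibling_gates(records, landing):
    """Third-party scripts fetched by the same parent page before the landing
    page was. The gate's script is loaded by the compromised page itself, so a
    pure Referer walk sees it as a sibling of the landing page, not an ancestor."""
    parent_host, landing_host = _host(landing["referer"]), _host(landing["url"])
    return [r for r in records
            if r["referer"] == landing["referer"] and r["t"] < landing["t"]
            and _host(r["url"]) not in (parent_host, landing_host)
            and "javascript" in r["ctype"]]


def analyse(records):
    """One summary per payload download: parent page, gate(s), landing, payload."""
    out = []
    for payload in (r for r in records if r["ctype"] == "application/octet-stream"):
        chain = referer_chain(records, payload)
        landing = chain[-2] if len(chain) >= 2 else None
        out.append({
            "compromised_page": _host(chain[0]["url"]),
            "gates": [_host(r["url"]) for r in sibling_gates(records, landing)] if landing else [],
            "landing": _host(landing["url"]) if landing else None,
            # The Palo Alto write-up notes this campaign's landing domains favour .top.
            "landing_tld_flag": bool(landing) and _tld(_host(landing["url"])) == "top",
            "payload": payload["url"],
        })
    return out


if __name__ == "__main__":
    for r in analyse(RECORDS):
        hops = [r["compromised_page"], *r["gates"], str(r["landing"]), r["payload"]]
        print(" -> ".join(hops), "| .top landing:", r["landing_tld_flag"])
```

For a malvertising chain such as the Comcast case, the first hop is the ad network's click URL rather than a compromised site, and the tech-support-scam page appears as one more text/html request whose Referer is the exploit kit's site; the same walk applies, only the labels change. Keep in mind that Referer can be stripped by referrer policies or by the redirector itself, in which case time ordering and shared client session are the remaining joins.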

Malvertising campaign infection steps

Source: https://news.softpedia.com/

Hackers add exploit kit to article asking ‘Is cyber crime out of control?’
https://www.securitynewspaper.com/2015/12/11/hackers-add-exploit-kit-article-asking-cyber-crime-control/
Fri, 11 Dec 2015 08:41:08 +0000

The post Hackers add exploit kit to article asking ‘Is cyber crime out of control?’ appeared first on Information Security Newspaper | Hacking News.

Net menaces show warped sense of humour in attack on Grauniad story.

Hackers have hosed an article published by The Guardian using the world’s nastiest exploit kit Angler to pop the machines of exposed readers.

The attack firmly answers the article’s headline positing the question ‘is cybercrime out of control’, based on arguments in a book by one Misha Glenny.

Angler is the most capable and prolific exploit kit in use by criminals. It allows attackers to run choice cuts of the latest Flash, Java, and browser exploits through which unpatched users can be targeted.

FireEye research trio J. Gomez, Kenneth Hsu, and Kenneth Johnson found hackers had dropped a gnarly URL into the syndication links portion of the page which loaded in the background and redirected users to Angler.

“When the syndication link is loaded in the background, readers are eventually redirected to Angler’s landing page via injected HTML that crafts the request to the Angler landing page.

“A memory corruption vulnerability (CVE-2014-6332) in Windows Object Linking and Embedding Automation [is] triggered through VBScript with Internet Explorer.

“In this attack the exploit was based on a publicly available proof-of-concept where techniques were used to attempt arbitrary code execution.”

Angler seeks out any active anti-virus and security products and changes behaviour if the tools are found, forcing the attack to silently fail or run a benign script.

The Guardian says it is fixing the hack.

It comes as The Independent found one of its dusty, unloved WordPress sites was hacked through a Flash exploit and was serving shoddy ransomware to a very small number of readers.

Source: https://www.theregister.co.uk/
