The Hacker News — Cyber Security, Hacking, Technology News

Security researchers have been warning of a new trick that cybercriminals are leveraging to hide their malicious code designed to re-introduce the infection to steal confidential information from Magento based online e-commerce websites.

So, if you have already cleaned up your hacked Magento website, there are chances your website is still leaking login credentials and credit card details of your customers to hackers.

More than 250,000 online stores use open-source Magento e-commerce platform, which makes them an enticing target for hackers, and therefore the security of both your data and your customer data is of the utmost importance.

According to the researchers at Sucuri, who have previously spotted several Magento malware campaigns in the wild, cybercriminals are currently using a simple yet effective method to ensure that their malicious code is added back to a hacked website after it has been removed.

To achieve this, criminals are hiding their 'credit card stealer reinfector' code inside the default configuration file (config.php) of Magento website, which gets included on the main index.php and loads with every page view, eventually re-injecting the stealer code into multiple files of the website.

Since config.php file gets automatically configured while installing Magento CMS, usually it is not recommended for administrators or website owners to change the content of this file directly.

Here's How Magento's Reinfector Code Works

The reinfector code spotted by researchers is quite interesting as it has been written in a way that no security scanner can easily identify and detect it, as well as it hardly looks malicious for an untrained eye.

Hackers have added 54 extra lines of code in the default configuration file. Here below, I have explained the malicious reinfector code line-by-line, shown in the screenshots, written inside the default config.php file.

At line no. 27, attackers set error_reporting() function to false in an attempt to hide errors messages that could reveal the path of the malicious module to site admins.

From line no. 31 to 44, there's a function called patch() that has been programmed to append the malicious code for stealing confidential information into legitimate Magento files.

This patch() function uses 4 arguments, values of which defines the path of a folder, name of a specific file resides in that path needs to be infected, file size required to check if it is necessary to reinfect the given file, a new file name to be created, and a remote URL from where the malicious code will be downloaded in real-time and injected into the targeted file.

From line 50 to 51, attackers have smartly split up the base64_decode() function in multiple parts in order to evade detection from security scanners.

The line 52 includes a base64 encoded value that converts to "http://pastebin.com/raw/" after getting decoded using the function defined in line 50-51.

The next four sets of variables from line 54 to 76 define the four values required to pass arguments to the patch() function mentioned above.

The last line of each set includes a random eight character value that concatenated with the link variable encoded in line 52, which eventually generates the final URL from where the patch() function will download the malicious code hosted on remote Pastebin website.

From line 78 to 81, attacker finally executes patch() function four times with different values defined in line 54-76 to reinfect website with the credit card stealer.

"As a rule of thumb, on every Magento installation where a compromise is suspected to have taken place, the /includes/config.php should be verified quickly," researchers advise.

It should be noted that similar technique can also be used against websites based on other content management system platforms such as Joomla and WordPress to hide malicious code.

Since attackers mostly exploit known vulnerabilities to compromise websites at the very first place, users are always recommended to keep their website software and servers updated with the latest security patches.

Remember the 'Olympic Destroyer' cyber attack?

The group behind it is still alive, kicking and has now been found targeting biological and chemical threat prevention laboratories in Europe and Ukraine, and a few financial organisation in Russia.

Earlier this year, an unknown group of notorious hackers targeted Winter Olympic Games 2018, held in South Korea, using a destructive malware that purposely planted sophisticated false flags to trick researchers into mis-attributing the campaign.

Unfortunately, the destructive malware was successful to some extent, at least for a next few days, as immediately after the attack various security researchers postmortem the Olympic Destroyer malware and started attributing the attack to different nation-state hacking groups from North Korea, Russia, and China.

Later researchers from Russian antivirus vendor Kaspersky Labs uncovered more details about the attack, including the evidence of false attribution artifacts, and concluded that the whole attack was a masterful operation in deception.
Now according to a new report published today by Kaspersky Labs, the same group of hackers, which is still unattributed, has been found targeting organisations in Russia, Ukraine, and several European countries in May and June 2018, specifically those organizations that respond to and protect against biological and chemical threats.

New Attack Shares Similarities With Olympic Destroyer

During their investigation, researchers found that the exploitation and deception tactics used by the newly discovered campaign share many similarities with the Olympic Destroyer attack.

"In May-June 2018 we discovered new spear-phishing documents that closely resembled weaponized documents used by Olympic Destroyer in the past," the researchers said. "They continue to use a non-binary executable infection vector and obfuscated scripts to evade detection."

Just like Olympic Destroyer, the new attack also targets users affiliated with specific organisations using spear-phishing emails that appear as coming from an acquaintance, with an attached document.

If the victims open the malicious document, it leverages macros to download and execute multiple PowerShell scripts in the background and install the final 3rd-stage payload to take remote control over the victims' system.

Researchers found that the technique used to obfuscate and decrypt the malicious code is same as used in the original Olympic Destroyer spear-phishing campaign.

The second-stage script disables Powershell script logging to avoid leaving traces and then downloads the final "Powershell Empire agent" payload, which allows fileless control of the compromised systems over an encrypted communication channel.

Hackers Target Biological and Chemical Threat Prevention Laboratories

According to the researchers, the group has attempted to gain access to computers in countries, including France, Germany, Switzerland, Russia, and Ukraine.
Researchers found evidence of hackers primarily targeting people affiliated with an upcoming biochemical threat conference, called Spiez Convergence, held in Switzerland and organized by Spiez Laboratory.

Spiez Laboratory played an essential role in investigating the poisoning in March of a former Russian spy in the UK. The U.K. and the U.S. both said Russia was behind the poisoning and expelled dozens of Russian diplomats.

Another document targeted Ministry of Health in Ukraine.

It is not yet known that who behind these attacks, but Kaspersky advises all biochemical threat prevention and research organizations to strengthen their IT security and run unscheduled security audits.

Cybersecurity researchers have uncovered an espionage campaign that has targeted a national data center of an unnamed central Asian country in order to conduct watering hole attacks.

The campaign is believed to be active covertly since fall 2017 but was spotted in March by security researchers from Kaspersky Labs, who have attributed these attacks to a Chinese-speaking threat actor group called LuckyMouse.

LuckyMouse, also known as Iron Tiger, EmissaryPanda, APT 27 and Threat Group-3390, is the same group of Chinese hackers who was found targeting Asian countries with Bitcoin mining malware early this year.

The group has been active since at least 2010 and was behind many previous attack campaigns resulting in the theft of massive amounts of data from the directors and managers of US-based defense contractors.

This time the group chose a national data center as its target from an unnamed country in Central Asia in an attempt to gain "access to a wide range of government resources at one fell swoop."

According to the researchers, the group injected malicious JavaScript code into the official government websites associated with the data center in order to conduct watering hole attacks.
Although LuckyMouse has been spotted using a widely used Microsoft Office vulnerability (CVE-2017-11882) to weaponize Office documents in the past, researchers have no proofs of this technique being used in this particular attack against the data center.

The initial attack vector used in the attack against the data center is unclear, but researchers believe LuckyMouse possibly had conducted watering hole or phishing attacks to compromise accounts belonging to employees at the national data center.

The attack against the data center eventually infected the targeted system with a piece of malware called HyperBro, a Remote Access Trojan (RAT) deployed to maintain persistence in the targeted system and for remote administration.

"There were traces of HyperBro in the infected data center from mid-November 2017. Shortly after that different users in the country started being redirected to the malicious domain update.iaacstudio[.]com as a result of the waterholing of government websites," the researchers said in a blog post published today.

"These events suggest that the data center infected with HyperBro and the waterholing campaign are connected."

As a result of the waterholing attack, the compromised government websites redirected the country's visitors to either penetration testing suite Browser Exploitation Framework (BeEF) that focuses on the web browser, or the ScanBox reconnaissance framework, which perform the same tasks as a keylogger.

The main command and control (C&C) server used in this attack is hosted on an IP address which belongs to a Ukrainian ISP, specifically to a MikroTik router running a firmware version released in March 2016.

Researchers believe the Mikrotik router was explicitly hacked for the campaign in order to process the HyperBro malware's HTTP requests without detection.

It turns out that the threat of the massive VPNFilter botnet malware that was discovered late last month is beyond what we initially thought.

Security researchers from Cisco's Talos cyber intelligence have today uncovered more details about VPNFilter malware, an advanced piece of IoT botnet malware that infected more than 500,000 routers in at least 54 countries, allowing attackers to spy on users, as well as conduct destructive cyber operations.

Initially, it was believed that the malware targets routers and network-attached storage from Linksys, MikroTik, NETGEAR, and TP-Link, but a more in-depth analysis conducted by researchers reveals that the VPNFilter also hacks devices manufactured by ASUS, D-Link, Huawei, Ubiquiti, QNAP, UPVEL, and ZTE.

"First, we have determined that are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are. New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Lin," the researchers say.

To hijack devices manufactured by above listed affected vendors, the malware simply relies on publicly-known vulnerabilities or use default credentials, instead of exploiting zero-day vulnerabilities.

VPNFilter 'ssler' — Man-in-the-Middle Attack Module

Besides this, the researchers primarily shared technical details on a new stage 3 module, named "ssler," which is an advanced network packet sniffer that, if installed, allows hackers to intercept network traffic passing through an infected router and deliver malicious payloads using man-in-the-middle attacks.

"Ssler module provides data exfiltration and JavaScript injection capabilities by intercepting all traffic passing through the device destined for port 80," the researchers say.

This 3rd-stage module also makes the malware capable of maintaining a persistent presence on an infected device, even after a reboot.

The ssler module has been designed to deliver custom malicious payloads for specific devices connected to the infected network using a parameter list, which defines the module's behavior and which websites should be targeted.

These parameters include settings to define the location of a folder on the device where stolen data should be stored, the source and destination IP address for creating iptable rules, as well as the targeted URL of the JavaScript injection.

To setup packet sniffing for all outgoing web requests on port 80, the module configures the device's iptables immediately after its installation to redirect all network traffic destined for port 80 to its local service listening on port 8888.

"To ensure that these rules do not get removed, ssler deletes them and then adds them back approximately every four minutes," the researchers explain.

To target HTTPS requests, the ssler module also performs SSLStrip attack, i.e., it downgrades HTTPS connections to HTTP, forcing victim web browsers into communicating over plaintext HTTP.

VPNFilter 'dstr' — Device Destruction Module

As briefed in our previous article, VPNFilter also has a destructive capability (dstr module) that can be used to render an infected device unusable by deleting files necessary for normal device operation.

The malware triggers a killswitch for routers, where it first deliberately kills itself, before deleting the rest of the files on the system [named vpnfilter, security, and tor], possibly in an attempt to hide its presence during the forensic analysis.

This capability can be triggered on individual victim machines or en masse, potentially cutting off internet access for hundreds of thousands of victims worldwide.

Simply Rebooting Your Router is Not Enough

Despite the FBI seizure of a key command and control server right after the discovery of VPNFilter, the botnet still remains active, due to its versatile, multi-stage design.

Stage 1 of the malware can survive a reboot, gaining a persistent foothold on the infected device and enabling the deployment of stages 2 and 3 malware. So, each time an infected device is restarted, stages 2 and 3 are re-installed on the device.

This means, even after the FBI seized the key C&C server of VPNFilter, hundreds of thousands of devices already infected with the malware, likely remain infected with stage 1, which later installs stages 2 and 3.

Therefore, rebooting alone is not enough to completely remove the VPNFilter malware from infected devices, and owners of consumer-grade routers, switches, and network-attached storage devices need to take additional measures, which vary from model to model. For this, router owners are advised to contact their manufacturer.

For some devices, resetting routers to factory default could remove the potentially destructive malware, along with removing stage 1, while some devices can be cleaned up with a simple reboot, followed by updating the device firmware.

And as I said earlier, mark these words again: if your router cannot be updated, throw it away and buy a new one. Your security and privacy is more than worth a router's price.

Good news, we bring an amazing deal of this month for our readers, where you can get hacking courses for as little as you want to pay and if you beat the average price you will receive the fully upgraded hacking bundle!

Despite the continual emergence of new cyber attacks because of misconfigured servers and applications, people continue to ignore security warnings.

A massive malware campaign designed to target open Redis servers, about which researchers warned almost two months ago, has now grown and already hijacked at least 75% of the total servers running publicly accessible Redis instances.

Redis, or REmote DIctionary Server, is an open source, widely popular data structure tool that can be used as an in-memory distributed database, message broker or cache. Since it is designed to be accessed inside trusted environments, it should not be exposed on the Internet.

Dubbed RedisWannaMine, a similar malware leveraging same loophole was discovered in late March by data center security vendor Imperva and designed to drop a cryptocurrency mining script on the targeted servers—both database and application.

According to Imperva's March blog post, this cryptojacking threat was "more complex in terms of evasion techniques and capabilities. It demonstrates a worm-like behavior combined with advanced exploits to increase the attackers' infection rate and fatten their wallets."

A newly published report from the same security firm has now revealed that three-quarters of the open Redis servers accessible from the Internet (over port 6379) contain malicious sets of a key-value pair in the memory, indicating despite multiple warnings administrators continue to leave their servers vulnerable to hackers.

Out of total compromised servers, 68 percent systems were found infected using similar keys, named "backup1, backup2, backup3," which were attacked from a medium-sized botnet located at China (86% of IPs), according to the data Imperva collected from their self-set-up publicly available Redis servers to serve as a honeypot.

Moreover, the attackers have now found using the compromised servers as a proxy to scan and find vulnerabilities, including SQL injection, cross-site scripting, malicious file uploads, and remote code executions, in other websites.

The new attack works by setting a malicious key-value pair in the memory and saving it as a file in the /etc/crontabs folder that forces the server to execute the file.

"Attackers usually set values that include commands to download external remote resource and run it. Another popular type of command is adding SSH keys, so the attacker can remotely access the machine and take it over," Nadav Avital, security research team leader at Imperva, explains in a blog post.

To protect Redis servers from falling victim to such attacks, administrators are advised never to expose their servers to the Internet, but if required, apply authentication mechanism to prevent unauthorized access.

Also, since Redis doesn't use encryption and stores data in plain text, you should never store any sensitive data on these servers.

"Security issues commonly arise when people don’t read the documentation and migrate services to the cloud, without being aware of the consequences or the adequate measures that are needed to do so," Avital said.

Shortly after Cisco's released its early report on a large-scale hacking campaign that infected over half a million routers and network storage devices worldwide, the United States government announced the takedown of a key internet domain used for the attack.

Yesterday we reported about a piece of highly sophisticated IoT botnet malware that infected over 500,000 devices in 54 countries and likely been designed by Russia-baked state-sponsored group in a possible effort to cause havoc in Ukraine, according to an early report published by Cisco's Talos cyber intelligence unit on Wednesday.

Dubbed VPNFilter by the Talos researchers, the malware is a multi-stage, modular platform that targets small and home offices (SOHO) routers and storage devices from Linksys, MikroTik, NETGEAR, and TP-Link, as well as network-access storage (NAS) devices.

Meanwhile, the court documents unsealed in Pittsburgh on the same day indicate that the FBI has seized a key web domain communicating with a massive global botnet of hundreds of thousands of infected SOHO routers and other NAS devices.

The court documents said the hacking group behind the massive malware campaign is Fancy Bear, a Russian government-aligned hacking group also known as APT28, Sofacy, X-agent, Sednit, Sandworm, and Pawn Storm.

The hacking group has been in operation since at least 2007 and has been credited with a long list of attacks over the past years, including the 2016 hack of the Democratic National Committee (DNC) and Clinton Campaign to influence the U.S. presidential election.

"This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities," John Demers, the Assistant Attorney General for National Security, said in a statement.

Among other, Talos researchers also found evidence that the VPNFilter source code share code with versions of BlackEnergy—the malware responsible for multiple large-scale attacks targeting devices in Ukraine that the U.S. government has attributed to Russia.

VPNFilter has been designed in a way that it could be used to secretly conduct surveillance on its targets and gather intelligence, interfere with internet communications, monitor industrial control or SCADA systems, such as those used in electric grids, other infrastructure and factories, as well as conduct destructive cyber attack operations.

The seizure of the domain that is part of VPNFilter's command-and-control infrastructure allows the FBI to redirect attempts by stage one of the malware (in an attempt to reinfect the device) to an FBI-controlled server, which will capture the IP address of infected devices and pass on to authorities around the globe who can remove the malware.

Users of SOHO and NAS devices that are infected with VPNFilter are advised to reboot their devices as soon as possible, which eliminates the non-persistent second stage malware, causing the persistent first-stage malware on their infected device to call out for instructions.

"Although devices will remain vulnerable to reinfection with the second stage malware while connected to the Internet, these efforts maximize opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure," the DoJ said.

Since VPNFilter does not exploit any zero-day vulnerability to infect its victims and instead searches for devices still exposed to known vulnerabilities or having default credentials, users are strongly recommended to change default credentials for their devices to prevent against the malware.

Moreover, always put your routers behind a firewall, and turn off remote administration until and unless you really need it.

If your router is by default vulnerable and can't be updated, it is time you buy a new one. You need to be more vigilant about the security of your smart IoT devices.

More than half a million routers and storage devices in dozens of countries have been infected with a piece of highly sophisticated IoT botnet malware, likely designed by Russia-baked state-sponsored group.

Cisco's Talos cyber intelligence unit have discovered an advanced piece of IoT botnet malware, dubbed VPNFilter, that has been designed with versatile capabilities to gather intelligence, interfere with internet communications, as well as conduct destructive cyber attack operations.

The malware has already infected over 500,000 devices in at least 54 countries, most of which are small and home offices routers and internet-connected storage devices from Linksys, MikroTik, NETGEAR, and TP-Link. Some network-attached storage (NAS) devices known to have been targeted as well.

VPNFilter is a multi-stage, modular malware that can steal website credentials and monitor industrial controls or SCADA systems, such as those used in electric grids, other infrastructure and factories.

The malware communicates over Tor anonymizing network and even contains a killswitch for routers, where the malware deliberately kills itself.

Unlike most other malware that targets internet-of-things (IoT) devices, the first stage of VPNFilter persists through a reboot, gaining a persistent foothold on the infected device and enabling the deployment of the second stage malware.

VPNFilter is named after a directory (/var/run/vpnfilterw) the malware creates to hide its files on an infected device.

Since the research is still ongoing, Talos researchers "do not have definitive proof on how the threat actor is exploiting the affected devices," but they strongly believe that VPNFilter does not exploit any zero-day vulnerability to infect its victims.

Instead, the malware targets devices still exposed to well-known, public vulnerabilities or have default credentials, making compromise relatively straightforward.

Talos researchers have high confidence that the Russian government is behind VPNFilter because the malware code overlaps with versions of BlackEnergy—the malware responsible for multiple large-scale attacks targeting devices in Ukraine that the U.S. government has attributed to Russia.

Although devices infected with VPNFilter have been found across 54 countries, researchers believe the hackers are targeting specifically Ukraine, following a surge in the malware infections in the country on May 8.

"The malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide," Talos researcher William Largent said in a blog post.

The researchers said they released their findings prior to the completion of their research, due to concern over a potential upcoming attack against Ukraine, which has repeatedly been the victim of Russian cyber attacks, including large-scale power outage and NotPetya.

If you are already infected with the malware, reset your router to factory default to remove the potentially destructive malware and update the firmware of your device as soon as possible.

You need to be more vigilant about the security of your smart IoT devices. To prevent yourself against such malware attacks, you are recommended to change default credentials for your device.

If your router is by default vulnerable and cannot be updated, throw it away and buy a new one, it's that simple. Your security and privacy is more than worth a router's price.

Moreover, always put your routers behind a firewall, and turn off remote administration until and unless you really need it.

Luring users on social media to visit lookalike version of popular websites that pop-up a legitimate-looking Chrome extension installation window is one of the most common modus operandi of cybercriminals to spread malware.

Security researchers are again warning users of a new malware campaign that has been active since at least March this year and has already infected more than 100,000 users worldwide.

Dubbed Nigelthorn, the malware is rapidly spreading through socially engineered links on Facebook and infecting victims’ systems with malicious browser extensions that steal their social media credentials, install cryptocurrency miners, and engage them in click fraud.

The malware was pushed through at least seven different Chrome browser extensions—all were hosted on Google's official Chrome Web Store.

These malicious Chrome browser extensions were first discovered by researchers at cybersecurity firm Radware, after a "well-protected network" of one of its customers, an unnamed global manufacturing firm, got compromised.
According to a report published by Radware, the malware operators are using copies of legitimate Google Chrome extensions and injecting a short obfuscated malicious script into them to bypass Google's extension validation checks.

Researchers named the malware "Nigelthorn" after one of the malicious extensions which was the copy of popular 'Nigelify' extension designed to replace all pictures on a web page with gifs of 'Nigel Thornberry.'

Nigelthorn Propagates Through Links Sent Over Facebook

Nigelthorn is spreading through socially engineered links on Facebook, which if clicked redirects victims to fake YouTube page, asking them to download a malicious Chrome extension, to continue playing the video.

Once installed, the extension executes a malicious JavaScript code that makes victims' computers part of a botnet.

A similar malware, dubbed Digimine, emerged last year that also worked by sending socially engineered links over Facebook Messenger and installed a malicious extension, allowing attackers to access the victims' Facebook profile and spread the same malware to their friends' list via Messenger.

We recently wrote about another similar malware campaign, dubbed FacexWorm, that was also distributed by sending socially engineered links over Facebook Messenger and redirected users to fake YouTube page, asking them to install a malicious Chrome extension.

NigelThorn Steals Password for Facebook/Instagram Accounts

The new malware majorly focuses on stealing credentials for victims' Facebook and Instagram accounts and collecting details from their Facebook accounts.

This stolen information is then used to send malicious links to friends of the infected person in an effort to push the same malicious extensions further. If any of those friends click on the link, the whole infection process starts over again.

NigelThorn also downloads a publicly available, browser-based cryptocurrency mining tool as a plugin to trigger the infected systems to start mining cryptocurrencies, including Monero, Bytecoin or Electroneum.

Over the period of just 6 days, the attackers appeared to generate approximately $1,000 in cryptocurrencies, mostly Monero.

Nigelthorn is also persistent as to prevent users from removing the malicious extensions, it automatically closes the malicious extension tab each time the user opens it prevents removal.

The malware also blacklists a variety of clean-up tools offered by Facebook and Google and even prevents users from making edits, deleting posts and making comments.

List of Malicious Chrome Extensions

Here's the name of all seven extensions masquerading as legitimate extensions:

• Nigelify
• PwnerLike
• Alt-j
• Fix-case
• Divinity 2 Original Sin: Wiki Skill Popup
• Keeprivate
• iHabno

Although Google has removed all of the above-listed extensions, if you have installed any of them, you are advised to immediately uninstall it and change passwords for your Facebook, Instagram and as well as for other accounts where you are using the same credentials.

Since Facebook Spam campaigns are quite common, users are advised to be vigilant when clicking on links and files provided via the social media site platform.

If you receive a link for a video, even if it looks exciting, sent by someone (or your friend) on Facebook messenger—just don't click on it without taking a second thought.

Cybersecurity researchers from Trend Micro are warning users of a malicious Chrome extension which is spreading through Facebook Messenger and targeting users of cryptocurrency trading platforms to steal their accounts’ credentials.

Dubbed FacexWorm, the attack technique used by the malicious extension first emerged in August last year, but researchers noticed the malware re-packed a few new malicious capabilities earlier this month.

New capabilities include stealing account credentials from websites, like Google and cryptocurrency sites, redirecting victims to cryptocurrency scams, injecting miners on the web page for mining cryptocurrency, and redirecting victims to the attacker's referral link for cryptocurrency-related referral programs.

It is not the first malware to abuse Facebook Messenger to spread itself like a worm.

Late last year, Trend Micro researchers discovered a Monero-cryptocurrency mining bot, dubbed Digmine, that spreads through Facebook messenger and targets Windows computers, as well as Google Chrome for cryptocurrency mining.
Just like Digmine, FacexWorm also works by sending socially engineered links over Facebook Messenger to the friends of an affected Facebook account to redirect victims to fake versions of popular video streaming websites, like, YouTube.

It should be noted that FacexWorm extension has only been designed to target Chrome users. If the malware detects any other web browser on the victim's computer, it redirects the user to an innocuous-looking advertisement.

How Does the FacexWorm Malware Work

If the malicious video link is opened using Chrome browser, FacexWorm redirects the victim to a fake YouTube page, where the user is encouraged to download a malicious Chrome extension as a codec extension to continue playing the video.

Once installed, FacexWorm Chrome extension downloads more modules from its command and control server to perform various malicious tasks.

"FacexWorm is a clone of a normal Chrome extension but injected with short code containing its main routine. It downloads additional JavaScript code from the C&C server when the browser is opened," the researchers said.

"Every time a victim opens a new webpage, FacexWorm will query its C&C server to find and retrieve another JavaScript code (hosted on a Github repository) and execute its behaviors on that webpage."

Since the extension takes all the extended permissions at the time of installation, the malware can access or modify data for any websites the user opens.

Here below I have listed a brief outline of what FacexWorm malware can perform:

• To spread itself further like a worm, the malware requests OAuth access token for the Facebook account of the victim, using which it then automatically obtains the victim's friend list and sends that malicious, fake YouTube video link to them as well.
• Steal the user's account credentials for Google, MyMonero, and Coinhive, when the malware detects that the victim has opened the target website’s login page.
• FacexWorm also injects cryptocurrency miner to web pages opened by the victim, which utilizes the victim computer's CPU power to mine Cryptocurrency for attackers.
• FacexWorm even hijacks the user's cryptocurrency-related transactions by locating the address keyed in by the victim and replacing it with the one provided by the attacker.
• When the malware detects the user has accessed one of the 52 cryptocurrency trading platforms or typed keywords like "blockchain," "eth-," or "ethereum" in the URL, FacexWorm will redirect the victim to a cryptocurrency scam webpage to steal user's digital coins. The targeted platforms include Poloniex, HitBTC, Bitfinex, Ethfinex, and Binance, and the wallet Blockchain.info.
• To avoid detection or removal, the FacexWorm extension immediately closes the opened tab when it detects that the user is opening the Chrome extension management page.
• The attacker also gets a referral incentive every time a victim registers an account on Binance, DigitalOcean, FreeBitco.in, FreeDoge.co.in, or HashFlare.

So far, researchers at Trend Micro have found that FacexWorm has compromised at least one Bitcoin transaction (valued at $2.49) until April 19, but they do not know how much the attackers have earned from the malicious web mining.

Cryptocurrencies targeted by FacexWorm include Bitcoin (BTC), Bitcoin Gold (BTG), Bitcoin Cash (BCH), Dash (DASH), ETH, Ethereum Classic (ETC), Ripple (XRP), Litecoin (LTC), Zcash (ZEC), and Monero (XMR).

The FacexWorm malware has been found surfacing in Germany, Tunisia, Japan, Taiwan, South Korea, and Spain. But since Facebook Messenger is used worldwide, there are more chances of the malware being spread globally.

Chrome Web Store had removed many of the malicious extensions before being notified by Trend Micro researchers, but the attackers keep uploading it back to the store.

Facebook Messenger can also detect the malicious, socially engineered links and regularly block the propagation behavior of the affected Facebook accounts, researchers said.

Since Facebook Spam campaigns are quite common, users are advised to be vigilant when clicking on links and files provided via the social media site platform.

Dr. Mordechai Guri, the head of R&D team at Israel's Ben Gurion University, who previously demonstrated various methods to steal data from an air-gapped computer, has now published new research named "BeatCoin."

BeatCoin is not a new hacking technique; instead, it's an experiment wherein the researcher demonstrates how all previously discovered out-of-band communication methods can be used to steal private keys for a cryptocurrency wallet installed on cold storage, preferably an air-gapped computer or Raspberry Pi.

For those unaware, keeping your cryptocurrency protected in a wallet on a device which is entirely offline is called cold storage. Since online digital wallets carry different security risks, some people prefer keeping their private keys offline.

Air-gapped computers are those that are isolated from the Internet, local networks, Bluetooth and therefore, are believed to be the most secure devices and are difficult to infiltrate or exfiltrate.

If you are new to this topic, we recommend reading our previous articles, detailing how highly-motivated attackers can use specially designed malware to exfiltrate data from an air-gapped computer via light, sound, heat, electromagnetic, magnetic, infrared, and ultrasonic waves.
For BeatCoin experiment, Dr. Guri deployed malware on an air-gapped computer that runs a Bitcoin wallet application and then performed each attack vector one-by-one to transmit the wallet keys to a nearby device over covert channels.

"In the adversarial attack model, the attacker infiltrates the offline wallet, infecting it with malicious code," the paper [PDF] reads. "The malware can be pre-installed or pushed in during the initial installation of the wallet, or it can infect the system when removable media (e.g., USB flash drive) is inserted into the wallet’s computer in order to sign a transaction. These attack vectors have repeatedly been proven feasible in the last decade."

Results shown in the above chart suggests AirHopper, MOSQUITO, and Ultrasonic techniques are the fastest way to transmit a 256-bit private key to a remote receiver, whereas, Diskfiltration and Fansmitter methods take minutes.

Guri has also shared two videos. The first one demonstrates exfiltration of private keys from an air-gapped computer, which hardly took a few seconds to transmit data to a nearby smartphone using ultrasonic waves.
In the second video, the researcher transmitted private keys stored on a Raspberry Pi device to the nearby smartphone using the RadIoT attack—a technique to exfiltrate data from air-gapped internet-of-things (IoT) and embedded devices via radio signals.

"The radio signals - generated from various buses and general-purpose input/output (GPIO) pins of the embedded devices - can be modulated with binary data. In this case, the transmissions can be received by an AM or FM receiver located nearby the device."

In the last research published earlier this month, Guri’s team also demonstrated how hackers could use power fluctuations in the current flow "propagated through the power lines" to covertly exfiltrate highly sensitive data out of an air gapped-computer.

CompTIA, a global provider of vendor-neutral IT certifications, offers a wide range of popular certifications such as A+, Network+, Cloud+, Linux+, and Security+ certifications [...]

Security researchers have uncovered a new hacking group that is aggressively targeting healthcare organizations and related sectors across the globe to conduct corporate espionage.

Dubbed "Orangeworm," the hacking group has been found installing a wormable trojan on machines hosting software used for controlling high-tech imaging devices, such as X-Ray and MRI machines, as well as machines used to assist patients in completing consent forms.

According to a new report published by Symantec on Monday, the Orangeworm hacking group has been active since early 2015 and targeting systems of major international corporations based in the United States, Europe, and Asia with a primary focus on the healthcare sector.

"We believe that these industries have also been targeted as part of a larger supply-chain attack in order for Orangeworm to get access to their intended victims related to healthcare," Symantec said.

After getting into the victim's network, attackers install a trojan, dubbed Kwampirs, which opens a backdoor on the compromised computers, allowing attackers to remotely access equipment and steal sensitive data.

While decrypting, the Kwampirs malware inserts a randomly generated string into its main DLL payload in an attempt to evade hash-based detection. The malware also starts a service on the compromised systems to persist and restart after the system reboots.

Kwampirs then collects some basic information about the compromised computers and send it to the attackers to a remote command-and-control server, using which the group determines whether the hacked system is used by a researcher or a high-value target.
If the victim is of interest, the malware then "aggressively" spread itself across open network shares to infect other computers within the same organisation.

To gather additional information about the victim's network and compromised systems, the malware uses system's built-in commands, instead of using third-party reconnaissance and enumeration tools.

Above shown list of commands help attackers to steal information including, "any information pertaining to recently accessed computers, network adapter information, available network shares, mapped drives, and files present on the compromised computer."

Besides health-care providers and pharmaceutical companies that account for nearly 40% of targets, Orangeworm has also launched attacks against other industries including information technology and manufacturing sectors, agriculture, and logistics.

However, these industries also somehow work for healthcare, like manufacturers that make medical devices, technology companies that offer services to clinics, and logistics firms that deliver healthcare products.
Although the exact motive of Orangeworm is not clear and there's no information that could help determine the group's origins, Symantec believes the group is likely conducting espionage for commercial purposes and there's no evidence that it's backed by a nation-state.

"Based on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic hacking," Symantec said. "Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack."

The highest percentage of victims has been detected in the United States, followed by Saudi Arabia, India, Philippines, Hungary, United Kingdom, Turkey, Germany, Poland, Hong Kong, Sweden, Canada, France, and several other countries across the globe.

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

If you have installed any of the below-mentioned Ad blocker extension in your Chrome browser, you could have been hacked.

A security researcher has spotted five malicious ad blockers extension in the Google Chrome Store that had already been installed by at least 20 million users.

Unfortunately, malicious browser extensions are nothing new. They often have access to everything you do online and could allow its creators to steal any information victims enter into any website they visit, including passwords, web browsing history and credit card details.

Discovered by Andrey Meshkov, co-founder of Adguard, these five malicious extensions are copycat versions of some legitimate, well-known Ad Blockers.

Creators of these extensions also used popular keywords in their names and descriptions to rank top in the search results, increasing the possibility of getting more users to download them.

"All the extensions I've highlighted are simple rip-offs with a few lines of code and some analytics code added by the authors," Meshkov says.

After Meshkov reported his findings to Google on Tuesday, the tech giant immediately removed all of the following mentioned malicious ad blockers extension from its Chrome Store:

• AdRemover for Google Chrome™ (10 million+ users)
• uBlock Plus (8 million+ users)
• [Fake] Adblock Pro (2 million+ users)
• HD for YouTube™ (400,000+ users)
• Webutation (30,000+ users)

Also Read: Someone Hijacks A Popular Chrome Extension to Push Malware

The malicious extension then receives commands from the remote server, which are executed in the extension 'background page' and can change your browser's behavior in any way.

To avoid detection, these commands send by the remote server are hidden inside a harmless-looking image.

"These commands are scripts which are then executed in the privileged context (extension's background page) and can change your browser behavior in any way," Meshkov says.

"Basically, this is a botnet composed of browsers infected with the fake Adblock extensions," Meshkov says. "The browser will do whatever the command center server owner orders it to do."

The researcher also analyzed other extensions on the Chrome Store and found four more extensions using similar tactics.

Also Read: Malicious Chrome Extension Hijacks CryptoCurrencies and Wallets

Since browser extension takes permission to access to all the web pages you visit, it can do practically anything.

So, you are advised to install as few extensions as possible and only from companies you trust.

Last year, the popular system cleanup software CCleaner suffered a massive supply-chain malware attack of all times, wherein hackers compromised the company's servers for more than a month and replaced the original version of the software with the malicious one.

The malware attack infected over 2.3 million users who downloaded or updated their CCleaner app between August and September last year from the official website with the backdoored version of the software.

Now, it turns out that the hackers managed to infiltrate the company's network almost five months before they first replaced the official CCleaner build with the backdoored version, revealed Avast executive VP and CTO Ondrej Vlcek at the RSA security conference in San Francisco on Tuesday.

6-Months Timeline of CCleaner Supply Chain Attack

Vlcek shared a brief timeline of the last year's incident that came out to be the worst nightmare for the company, detailing how and when unknown hackers breached Piriform, the company that created CCleaner and was acquired by Avast in July 2017.

March 11, 2017 (5 AM local time)—Attackers first accessed an unattended workstation of one of the CCleaner developers, which was connected to Piriform network, using remote support software TeamViewer.

The company believes attackers reused the developer's credentials obtained from previous data breaches to access the TeamViewer account and managed to install malware using VBScript on the third attempt.

March 12, 2017 (4 AM local time)—Using the first machine, attackers penetrated into the second unattended computer connected to the same network and opened a backdoor through Windows RDP (Remote Desktop Service) protocol.

Using RDP access, the attackers dropped a binary and a malicious payload—a second stage malware (older version) that was later delivered to 40 CCleaner users—on the target computer's registry.

March 14, 2017—Attackers infected the first computer with the older version of the second stage malware as well.

April 4, 2017—Attackers compiled a customised version of ShadowPad, an infamous backdoor that allows attackers to download further malicious modules or steal data, and this payload the company believes was the third stage of the CCleaner attack.

April 12, 2017—A few days later, attackers installed the 3rd stage payload on four computers in the Piriform network (as a mscoree.dll library) and a build server (as a .NET runtime library).

Between mid-April and July—During this period, the attackers prepared the malicious version of CCleaner, and tried to infiltrate other computers in the internal network by installing a keylogger on already compromised systems to steal credentials, and logging in with administrative privileges through RDP.

July 18, 2017—Security company Avast acquired Piriform, the UK-based software development company behind CCleaner with more than 2 billion downloads.

August 2, 2017—Attackers replaced the original version of CCleaner software from its official website with their backdoored version of CCleaner, which was distributed to millions of users.

September 13, 2017—Researchers at Cisco Talos detected the malicious version of the software, which was being distributed through the company's official website for more than a month, and notified Avast immediately.

The malicious version of CCleaner had a multi-stage malware payload designed to steal data from infected computers and send it back to an attacker-controlled command-and-control server.

Although Avast, with the help of the FBI, was able to shut down the attackers' command-and-control server within three days of being notified of the incident, the malicious CCleaner software had already been downloaded by 2.27 million users.

Moreover, it was found that the attackers were then able to install a second-stage payload on 40 selected computers operated by major international technology companies, including Google, Microsoft, Cisco, Intel, Samsung, Sony, HTC, Linksys, D-Link, Akamai and VMware.

However, the company has no proofs if the third stage payload with ShadowPad was distributed to any of these targets.

"Our investigation revealed that ShadowPad had been previously used in South Korea, and in Russia, where attackers intruded a computer, observing a money transfer." Avast said.

"The oldest malicious executable used in the Russian attack was built in 2014, which means the group behind it might have been spying for years."

Based on their analysis of the ShadowPad executable from the Piriform network, Avast believes that the malicious attackers behind the malware have been active for a long time, spying on institutions and organizations so thoroughly.

Security researchers have been warning about an ongoing malware campaign hijacking Internet routers to distribute Android banking malware that steals users' sensitive information, login credentials and the secret code for two-factor authentication.

In order to trick victims into installing the Android malware, dubbed Roaming Mantis, hackers have been hijacking DNS settings on vulnerable and poorly secured routers.

DNS hijacking attack allows hackers to intercept traffic, inject rogue ads on web-pages and redirect users to phishing pages designed to trick them into sharing their sensitive information like login credentials, bank account details, and more.

Hijacking routers' DNS for a malicious purpose is not new. Previously we reported about widespread DNSChanger and Switcher—both the malware worked by changing the DNS settings of the wireless routers to redirect traffic to malicious websites controlled by attackers.

Discovered by security researchers at Kaspersky Lab, the new malware campaign has primarily been targeting users in Asian countries, including South Korea, China Bangladesh, and Japan, since February this year.

Once modified, the rogue DNS settings configured by hackers redirect victims to fake versions of legitimate websites they try to visit and displays a pop-up warning message, which says—"To better experience the browsing, update to the latest chrome version."
It then downloads the Roaming Mantis malware app masquerading as Chrome browser app for Android, which takes permission to collect device’ account information, manage SMS/MMS and making calls, record audio, control external storage, check packages, work with file systems, draw overlay windows and so on.

"The redirection led to the installation of Trojanized applications named facebook.apk and chrome.apk that contained Android Trojan-Banker."

If installed, the malicious app overlays all other windows immediately to show a fake warning message (in broken English), which reads, "Account No.exists risks, use after certification."

Roaming Mantis then starts a local web server on the device and launches the web browser to open a fake version of Google website, asking users to fill up their names and date of births.
To convince users into believing that they are handing over this information to Google itself, the fake page displays users' Gmail email ID configured on their infected Android device, as shown in the screenshots.

"After the user enters their name and date of birth, the browser is redirected to a blank page at http://127.0.0.1:${random_port}/submit," researchers said. "Just like the distribution page, the malware supports four locales: Korean, Traditional Chinese, Japanese and English."

Since Roaming Mantis malware app has already gained permission to read and write SMS on the device, it allows attackers to steal the secret verification code for the two-factor authentication for victims' accounts.

While analysing the malware code, Researchers found reference to popular South Korean mobile banking and gaming applications, as well as a function that tries to detect if the infected device is rooted.

"For attackers, this may indicate that a device is owned by an advanced Android user (a signal to stop messing with the device) or, alternatively, a chance to leverage root access to gain access to the whole system," the researchers said.

What's interesting about this malware is that it uses one of the leading Chinese social media websites (my.tv.sohu.com) as its command-and-control server and sends commands to infected devices just via updating the attacker-controlled user profiles.
According to Kaspersky's Telemetry data, the Roaming Mantis malware was detected more than 6,000 times, though the reports came from just 150 unique users.

You are advised to ensure your router is running the latest version of the firmware and protected with a strong password.

You should also disable router's remote administration feature and hardcode a trusted DNS server into the operating system network settings.

While performing in-depth analysis of various malware samples, security researchers at Cyberbit found a new code injection technique, dubbed Early Bird, being used by at least three different sophisticated malware that helped attackers evade detection.

As its name suggests, Early Bird is a "simple yet powerful" technique that allows attackers to inject malicious code into a legitimate process before its main thread starts, and thereby avoids detection by Windows hook engines used by most anti-malware products.

The Early Bird code injection technique "loads the malicious code in a very early stage of thread initialization, before many security products place their hooks—which allows the malware to perform its malicious actions without being detected," the researchers said.

The technique is similar to the AtomBombing code injection technique that does not rely on easy-to-detect API calls, allowing malware to inject code into processes in a manner that no anti-malware tools can detect.

How Early Bird Code Injection Works

Early Bird code injection method relies on a Windows built-in APC (Asynchronous Procedure Calls) function that allows applications to execute code asynchronously in the context of a particular thread.

Here's a brief step-by-step explanation of how an attacker can inject malicious code into a legitimate process in a way that it gets executed earlier before an anti-malware program starts scanning.

• Create a suspended process of a legitimate Windows process (e.g., svchost.exe)
• Allocate memory in that process (svchost.exe) and write the malicious code into the allocated memory region,
• Queue an asynchronous procedure call (APC) to the main thread of that process (svchost.exe),
• Since APC can execute a process only when it is in an alertable state, call NtTestAlert function to force kernel into executing the malicious code as soon as the main thread resumes.

According to the researchers, at least three following-mentioned malware were found using Early Bird code injection in the wild.

• "TurnedUp" backdoor, developed by an Iranian hacking group (APT33)
• A variant of "Carberp" banking malware
• "DorkBot" malware

Initially discovered by FireEye in September 2017, TurnedUp is a backdoor that is capable of exfiltrating data from the target system, creating reverse shells, taking screenshots as well as gathering system information.
Dates back to 2012, DorBot is botnet malware distributed via links on social media, instant messaging apps or infected removable media and is used to steal users' credentials for online services, including banking services, participate in distributed denial-of-service (DDoS) attacks, send spam and deliver other malware to victims' computers.

Researchers have also provided a video demonstration, which shows the new Early Bird code injection technique in action.

Ransomware has been around for a few years, but it has become an albatross around everyone's neck, targeting big businesses, hospitals, financial institutions and individuals worldwide and extorting millions of dollars.

Last year, we saw some major ransomware outbreaks, including WannaCry and NotPetya, which wreaked havoc across the world, hitting hundreds of thousands of computers and business networks worldwide.

From small to mid-range businesses, Microsoft Office 365 remains the most widely used and fastest-growing work office suite, so it's no surprise that it has become a primary target for viruses, ransomware, and phishing scams.

In fact, most strains of ransomware target Microsoft productivity apps such as Word, Excel and encrypt sensitive data to hold the company hostage until the ransom is paid.

Now, to combat such cyber attacks, Microsoft has announced some new security features for Office 365 that can help users mitigate the damage done by ransomware and other malware infections.

The new features were initially introduced for OneDrive for Business, but that the company is now rolling them out to anyone who has signed up for an Office 365 Home or Personal subscription, Microsoft Office blog says.

Here below I have briefed the list of new features:

File Recovery and Anti-Ransomware

• Files Restore—Microsoft Office 365 now allows users to restore entire OneDrive to a previous point in time within the last 30 days. This feature can be used to recover files from an accidental mass delete, file corruption, ransomware, or any catastrophic event.

• Ransomware detection & recovery—Office 365 had also introduced a new security feature that detects ransomware attacks and alerts you through an email, mobile, or desktop notification while helping you restore your OneDrive to a point before the malware compromised files.

Security and Privacy Features

Office 365 has added three new features to help keep your confidential or personal data (such as tax documents, family budgets, or a new business proposal) secure and private when sharing them online.

• Password protected sharing links—This feature allows you to set a password for your shared file and folders, preventing unauthorized access even if your recipient accidentally forwards protected documents to others.

• Email encryption—This feature allows users to send/receive end-to-end encrypted emails in Outlook over a secure connection, providing additional protection to minimize the threat of being intercepted.

• Prevent forwarding—Microsoft now enables you to restrict your email recipients from forwarding or copying emails you send to them from Outlook. Besides this, any MS Office document attached to your emails will remain encrypted even after downloading, so if the recipient shares your attachment with others, they will not be able to open it.

Advanced Protection from Viruses and Cybercrime

• Advanced link checking in Word, Excel, and PowerPoint—Office 365 also offers built-in real-time web protection, which monitors every link you click in Word, Excel, and PowerPoint and notifies you if it is suspicious.

File Recovery and Anti-Ransomware features began rolling out starting today and will be available to all Office 365 users soon, while features to help keep your information secure and private (including password protected sharing links, email encryption, and prevent forwarding) will start rolling out in the coming weeks.

Advanced link checking and advanced attachment scanning are already available in MS Outlook that protects you from previously unseen viruses and phishing scams in real-time. However, advanced link checking in Word, Excel, and PowerPoint will roll out in the second half of 2018.

Security researchers at Cisco Talos have uncovered variants of a new Android Trojan that are being distributed in the wild disguising as a fake anti-virus application, dubbed "Naver Defender."

Dubbed KevDroid, the malware is a remote administration tool (RAT) designed to steal sensitive information from compromised Android devices, as well as capable of recording phone calls.

Talos researchers published Monday technical details about two recent variants of KevDroid detected in the wild, following the initial discovery of the Trojan by South Korean cybersecurity firm ESTsecurity two weeks ago.

Though researchers haven't attributed the malware to any hacking or state-sponsored group, South Korean media have linked KevDroid with North Korea state-sponsored cyber espionage hacking group "Group 123," primarily known for targeting South Korean targets.

The most recent variant of KevDroid malware, detected in March this year, has the following capabilities:

• record phone calls & audio
• steal web history and files
• gain root access
• steal call logs, SMS, emails
• collect device' location at every 10 seconds
• collect a list of installed applications

Although both malware samples have the same capabilities of stealing information on the compromised device and recording the victim's phone calls, one of the variants even exploits a known Android flaw (CVE-2015-3636) to get root access on the compromised device.

All stolen data is then sent to an attacker-controlled command and control (C2) server, hosted on PubNub global Data Stream Network, using an HTTP POST request.

"If an adversary were successful in obtaining some of the information KevDroid is capable of collecting, it could result in a multitude of issues for the victim," resulting in "the leakage of data, which could lead to a number of things, such as the kidnapping of a loved one, blackmail by using images or information deemed secret, credential harvesting, multi-factor token access (SMS MFA), banking/financial implications and access to privileged information, perhaps via emails/texts," Talos says.

"Many users access their corporate email via mobile devices. This could result in cyber espionage being a potential outcome for KevDroid."

Researchers also discovered another RAT, designed to target Windows users, sharing the same C&C server and also uses PubNub API to send commands to the compromised devices.

How to Keep Your Smartphone Secure

Android users are advised to regularly cross-check apps installed on their devices to find and remove if any malicious/unknown/unnecessary app is there in the list without your knowledge or consent.

Such Android malware can be used to target your devices as well, so you if own an Android device, you are strongly recommended to follow these simple steps to help avoid this happening to you:

• Never install applications from 3rd-party stores.
• Ensure that you have already opted for Google Play Protect.
• Enable 'verify apps' feature from settings.
• Keep "unknown sources" disabled while not using it.
• Install anti-virus and security software from a well-known cybersecurity vendor.
• Regularly back up your phone.
• Always use an encryption application for protecting any sensitive information on your phone.
• Never open documents that you are not expecting, even if it looks like it's from someone you know.
• Protect your devices with pin or password lock so that nobody can gain unauthorized access to your device when remains unattended.
• Keep your device always up-to-date with the latest security patches.