The Hacker News — Cyber Security, Hacking, Technology News

Security researchers have discovered a custom-built piece of malware that's wreaking havoc in Asia for past several months and is capable of performing nasty tasks, like password stealing, bitcoin mining, and providing hackers complete remote access to compromised systems.

Dubbed Operation PZChao, the attack campaign discovered by the security researchers at Bitdefender have been targeting organizations in the government, technology, education, and telecommunications sectors in Asia and the United States.

Researchers believe nature, infrastructure, and payloads, including variants of the Gh0stRAT trojan, used in the PZChao attacks are reminiscent of the notorious Chinese hacker group—Iron Tiger.

However, this campaign has evolved its payloads to drop trojan, conduct cyber espionage and mine Bitcoin cryptocurrency.

The PZChao campaign is attacking targets across Asia and the U.S. by using similar attack tactics as of Iron Tiger, which, according to the researchers, signifies the possible return of the notorious Chinese APT group.

Since at least July last year, the PZChao campaign has been targeting organizations with a malicious VBS file attachment that delivers via highly-targeted phishing emails.

If executed, the VBS script downloads additional payloads to an affected Windows machine from a distribution server hosting "down.pzchao.com," which resolved to an IP address (125.7.152.55) in South Korea at the time of the investigation.

The threat actors behind the attack campaign have control over at least five malicious subdomains of the "pzchao.com" domain, and each one is used to serve specific tasks, like download, upload, RAT related actions, malware DLL delivery.

The payloads deployed by the threat actors are "diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system," researchers noted.

The first payload dropped on the compromised machines is a Bitcoin miner, disguised as a 'java.exe' file, that mines cryptocurrency every three weeks at 3 AM, when most people are not in front of their systems.

For password stealing, the malware also deploys one of two versions of the Mimikatz password-scraping utility (depending on the operating architecture of the affected machine) to harvest passwords and upload them to the command and control server.

PZChao's final payload includes a slightly modified version of Gh0st remote access trojan (RAT) which is designed to act as a backdoor implant and behaves very similar to the versions detected in cyber attacks associated with the Iron Tiger APT group.

The Gh0st RAT is equipped with massive cyber-espionage capabilities, including:

• Real-time and offline remote keystroke logging
• Listing of all active processes and opened windows
• Listening in on conversations via microphone
• Eavesdropping on webcams' live video feed
• Allowing for remote shutdown and reboot of the system
• Downloading binaries from the Internet to remote host
• Modifying and stealing files and more.

While the tools used in the PZChao campaign are a few years old, "they are battle-tested and more than suitable for future attacks," researchers say.

Active since 2010, Iron Tiger, also known as "Emissary Panda" or "Threat Group-3390," is a Chinese advanced persistent threat (APT) group that was behind previous campaigns resulting in the theft of massive amounts of data from the directors and managers of US-based defense contractors.

Similar to the PZChao campaign, the group also carried out attacks against entities in China, the Philippines, and Tibet, besides attacking targets in the U.S.

For further insights, you can read the detailed technical paper [PDF] published by Bitdefender.

Are you using Linux or Mac OS? If you think your system is not prone to viruses, then you should read this.

Wide-range of cybercriminals are now using a new piece of 'undetectable' spying malware that targets Windows, macOS, Solaris and Linux systems.

Just last week we published a detailed article on the report from EFF/Lookout that revealed a new advanced persistent threat (APT) group, called Dark Caracal, engaged in global mobile espionage campaigns.

Although the report revealed about the group's successful large-scale hacking operations against mobile phones rather than computers, it also shed light on a new piece of cross-platform malware called CrossRAT (version 0.1), which is believed to be developed by, or for, the Dark Caracal group.

CrossRAT is a cross-platform remote access Trojan that can target all four popular desktop operating systems, Windows, Solaris, Linux, and macOS, enabling remote attackers to manipulate the file system, take screenshots, run arbitrary executables, and gain persistence on the infected systems.

According to researchers, Dark Caracal hackers do not rely on any "zero-day exploits" to distribute its malware; instead, it uses basic social engineering via posts on Facebook groups and WhatsApp messages, encouraging users to visit hackers-controlled fake websites and download malicious applications.

CrossRAT is written in Java programming language, making it easy for reverse engineers and researchers to decompile it.

Since at the time of writing only two out of 58 popular antivirus solutions (according to VirusTotal) can detect CrossRAT, ex-NSA hacker Patrick Wardle decided to analyse the malware and provide a comprehensive technical overview including its persistence mechanism, command and control communication as well as its capabilities.

CrossRAT 0.1 — Cross-Platform Persistent Surveillance Malware

Once executed on the targeted system, the implant (hmar6.jar) first checks the operating system it's running on and then installs itself accordingly.

Besides this, the CrossRAT implant also attempts to gather information about the infected system, including the installed OS version, kernel build and architecture.

Moreover, for Linux systems, the malware also attempts to query systemd files to determine its distribution, like Arch Linux, Centos, Debian, Kali Linux, Fedora, and Linux Mint, among many more.

CrossRAT then implements OS specific persistence mechanisms to automatically (re)executes whenever the infected system is rebooted and register itself to the C&C server, allowing remote attackers to send command and exfiltrate data.

As reported by Lookout researchers, CrossRAT variant distributed by Dark Caracal hacking group connects to 'flexberry(dot)com' on port 2223, whose information is hardcoded in the 'crossrat/k.class' file.

CrossRAT Includes Inactive Keylogger Module

The malware has been designed with some basic surveillance capabilities, which get triggered only when received respective predefined commands from the C&C server.

Interestingly, Patrick noticed that the CrossRAT has also been programmed to use 'jnativehook,' an open-source Java library to listen to keyboard and mouse events, but the malware does not have any predefined command to activate this keylogger.

"However, I didn’t see any code within that implant that referenced the jnativehook package—so at this point it appears that this functionality is not leveraged? There may be a good explanation for this. As noted in the report, the malware identifies it’s version as 0.1, perhaps indicating it’s still a work in progress and thus not feature complete," Patrick said.

How to Check If You're Infected with CrossRAT?

Since CrossRAT persists in an OS-specific manner, detecting the malware will depend on what operating system you are running.

For Windows:

• Check the 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\' registry key.
• If infected it will contain a command that includes, java, -jar and mediamgrs.jar.

For macOS:

• Check for jar file, mediamgrs.jar, in ~/Library.
• Also look for launch agent in /Library/LaunchAgents or ~/Library/LaunchAgents named mediamgrs.plist.

For Linux:

• Check for jar file, mediamgrs.jar, in /usr/var.
• Also look for an 'autostart' file in the ~/.config/autostart likely named mediamgrs.desktop.

How to Protect Against CrossRAT Trojan?

Only 2 out of 58 antivirus products detect CrossRAT at the time of writing, which means that your AV would hardly protect you from this threat.

"As CrossRAT is written in Java, it requires Java to be installed. Luckily recent versions of macOS do not ship with Java," Patrick said.

"Thus, most macOS users should be safe! Of course, if a Mac user already has Java installed, or the attacker is able to coerce a naive user to install Java first, CrossRAT will run just dandy, even on the latest version of macOS (High Sierra)."

Users are advised to install behaviour-based threat detection software. Mac users can use BlockBlock, a simple utility developed by Patrick that alerts users whenever anything is persistently installed.

Refuting allegations that its anti-virus product helped Russian spies steal classified files from an NSA employee's laptop, Kaspersky Lab has released more findings that suggest the computer in question may have been infected with malware.

Moscow-based cyber security firm Kaspersky Lab on Thursday published the results of its own internal investigation claiming the NSA worker who took classified documents home had a personal home computer overwhelmed with malware.

According to the latest Kaspersky report, the telemetry data its antivirus collected from the NSA staffer's home computer contained large amounts of malware files which acted as a backdoor to the PC.

The report also provided more details about the malicious backdoor that infected the NSA worker's computer when he installed a pirated version of Microsoft Office 2013 .ISO containing the Mokes backdoor, also known as Smoke Loader.

Backdoor On NSA Worker's PC May Have Helped Other Hackers Steal Classified Documents

This backdoor could have allowed other hackers to steal classified documents and hacking tools belonging to the NSA from the machine of the employee, who worked for the Tailored Access Operations (TAO) group of hackers at the agency.

For those unaware, United States has banned Kaspersky antivirus software from all of its government computers over suspicion of Kaspersky's involvement with the Russian intelligence agency and spying fears.

Though there's no substantial evidence yet available, an article published by US news agency WSJ last month claimed that Kaspersky Antivirus helped Russian government hackers steal highly classified documents and hacking tools belonging to the NSA in 2015 from a staffer's home PC.

However, the article, which quoted multiple anonymous sources, failed to provide any solid evidence to prove if Kaspersky was intentionally involved with the Russian spies or some hackers simply exploited some zero-day bug in the Antivirus product.

Kaspersky lives up to its claims that its antivirus software detected and collected the NSA classified files as part of its normal functionality, and has rigorously denied allegations it passed those documents onto the Russian government.

Now, in the recent report published by the anti-virus firm said between September 11, 2014, and November 17, 2014, Kaspersky Lab servers received confidential NSA materials multiple times from a poorly secured computer located in the United States.

The company's antivirus software, which was installed on the employee's PC, discovered that the files contained malware used by Equation Group, a 14-year-old NSA's elite hacking group that was exposed by Kaspersky in 2015.

Kaspersky Claims it Deleted All NSA Classified Files

Besides confidential material, the software also collected 121 separate malware samples (including a backdoor) which were not related to the Equation Group.

The report also insists that the company deleted all classified documents once one of its analysts realized that the antivirus had collected more than malicious binaries. Also, the company then created a special software tweak, preventing those files from being downloaded again.

"The reason we deleted those files and will delete similar ones in the future is two-fold; we do not need anything other than malware binaries to improve protection of our customers and secondly, because of concerns regarding the handling of potential classified materials," Kaspersky Lab report reads. 

"Assuming that the markings were real, such information cannot and will not [be] consumed even to produce detection signatures based on descriptions."

Trojan Discovered on NSA Worker's Computer

The backdoor discovered on the NSA staffer's PC was actually a Trojan, which was later identified as "Smoke Bot" or "Smoke Loader" and allegedly created by a Russian criminal hacker in 2011. It had also been advertised on Russian underground forums.

Interestingly, this Trojan communicated with the command and control servers apparently set up by a Chinese individual going by the name "Zhou Lou," using the e-mail address "zhoulu823@gmail.com."

Since executing the malware would not have been possible with the Kaspersky antivirus enabled, the staffer must have disabled the antivirus software to do so.

"Given that system owner's potential clearance level, the user could have been a prime target of nation states," the Kaspersky report reads. 

"Adding the user's apparent need for cracked versions of Windows and Office, poor security practices, and improper handling of what appeared to be classified materials, it is possible that the user could have leaked information to many hands."

More details on the backdoor can be found here.

For now, the Kaspersky anti-virus software has been banned by the U.S. Department of Homeland Security (DHS) from all of its government computers.

In the wake of this incident, Kaspersky Lab has recently launched a new transparency initiative that involves giving partners access to its antivirus source code and paying large bug bounties for security issues discovered in its products.

A few months back we reported how opening a simple MS Word file could compromise your computer using a critical vulnerability in Microsoft Office.

The Microsoft Office remote code execution vulnerability (CVE-2017-0199) resided in the Windows Object Linking and Embedding (OLE) interface for which a patch was issued in April this year, but threat actors are still abusing the flaw through the different mediums.

Security researchers have spotted a new malware campaign that is leveraging the same exploit, but for the first time, hidden behind a specially crafted PowerPoint (PPSX) Presentation file.

According to the researchers at Trend Micro, who spotted the malware campaign, the targeted attack starts with a convincing spear-phishing email attachment, purportedly from a cable manufacturing provider and mainly targets companies involved in the electronics manufacturing industry.

Researchers believe this attack involves the use of a sender address disguised as a legitimate email sent by a sales and billing department.

Here's How the Attack Works:

The complete attack scenario is listed below:
Step 1: The attack begins with an email that contains a malicious PowerPoint (PPSX) file in the attachment, pretending to be shipping information about an order request.

Step 2: Once executed, the PPSX file calls an XML file programmed in it to download "logo.doc" file from a remote location and runs it via the PowerPoint Show animations feature.

Step 3: The malformed Logo.doc file then triggers the CVE-2017-0199 vulnerability, which downloads and executes RATMAN.exe on the targeted system.

Step 4: RATMAN.exe is a Trojanized version of the Remcos Remote Control tool, which when installed, allows attackers to control infected computers from its command-and-control server remotely.
Remcos is a legitimate and customizable remote access tool that allows users to control their system from anywhere in the world with some capabilities, like a download and execute the command, a keylogger, a screen logger, and recorders for both webcam and microphone.

Since the exploit is used to deliver infected Rich Text File (.RTF) documents, most detection methods for CVE-2017-0199 focuses on the RTF. So, the use of a new PPSX files allows attackers to evade antivirus detection as well.

The easiest way to prevent yourself completely from this attack is to download and apply patches released by Microsoft in April that will address the CVE-2017-0199 vulnerability.

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

Own an Android smartphone?

Hackers can secretly install malicious apps, games, and pop-up adverts on your smartphone remotely in order to make large sums of money.

Security researchers at Cheetah Mobile have uncovered one of the world's largest and most prolific Trojan families, infecting millions of Android devices around the world.

Dubbed Hummer, the notorious mobile trojan stealthily installs malicious apps, games, or even porn apps onto victim's phones and yields its creators more than $500,000 (£375,252) on a daily basis.

First discovered in 2014 by Cheetah Mobile, Hummer gained traction in early 2016 when the Trojan family was infecting "nearly 1.4 Million devices daily at its peak" with 63,000 infections occurring daily in China, according to researchers at Cheetah Mobile Security Research Lab.

"This Trojan continually pops up ads on victims' phones, which is extremely annoying," researchers wrote in a blog post. "It also pushes mobile phone games and silently installs porn applications in the background. Unwanted apps appear on these devices, and they are re-installed shortly after users uninstall them."

Even after the number of phones infected has declined, Hummer is still infecting nearly 1 Million new devices per day, making it the most widespread trojan family in the world.

Every time Hummer installs a new app on the infected devices, it's developers make 50 cents. Therefore, the group behind this Trojan is believed to be making more than half a million dollars (over $500,000) daily.

...and over $15 Million per month.

Here's How Hummer Work:

Once a device is infected with Hummer, the Trojan proceeds to root the phone to gain administrator privileges, which allowed it to discreetly install unwanted apps, games, porn apps as well as malware in the background.

These apps and malware end up consuming large amounts of network traffic, potentially affecting the victims with large bills from their Internet providers.

"In several hours, the trojan accessed the network over 10,000 times and downloaded over 200 APKs, consuming 2 GB of network traffic," the researchers noted.

Hummer is almost Impossible to Uninstall

The bad news for affected Android users is that Hummer is extremely difficult if not impossible to get rid of, because the Trojan takes control of the phone at admin level, making it impossible for traditional antivirus tools to uninstall Hummer.

The dangerous part: It is impossible to delete the Trojan through a factory reset due to the fact Hummer comes equipped with up to 18 different separate rooting exploits that allow it to root itself on a phone, the researchers said.

Recently, Trend Micro researchers also detected a similar threat known as Godless that came with Android rooting exploits, affecting 90 percent of all Android devices available in the market today.

Hummer spreads itself using a different number of domain names and third-party app stores, tricking users into downloading malicious apps or fake versions of popular apps like Facebook or Twitter.

The researchers claim to have traced the source of the Trojan family to an "underground internet industry chain" in China, based on an email address linked to the domain names used by the malware.

India (154,248), Indonesia (92,889), Turkey (63,906), China (63,285) and Mexico (59,192) are the top five countries where Hummer has made most of its victims, but the Trojan is also infecting Android users in the U.S. and Europe.

Google’s Android mobile platform has been a primary target of attackers, so it's better for you to avoid downloading apps from outside of the Google Play Store or untrusted sources. Moreover, always "review the developer" even if downloading apps from official app store.