Archive for the ‘malware’ Category
A new piece of advanced espionage malware, possibly developed by a nation-supported attacker, targeted three US companies in the utilities industry last month, researchers from security firm Proofpoint reported on Thursday.
Employees of the three unnamed companies, Proofpoint reported, received emails purporting to come from the National Council of Examiners for Engineering and Surveying. This non-profit group develops, administers, and scores the examinations used in granting licenses to US engineers. Using the official NCEES logo and the lookalike domain nceess[.]com, the emails told recipients that they had failed to achieve a passing score on a recent exam. The attached Word document was titled Result Notice.doc.
Malicious macros embedded in the document attempted to install a package of full-featured malware that Proofpoint calls LookBack. Components included a remote-access trojan written in C++ and a proxy tool for communicating with a command-and-control server. Once LookBack is installed, it gives attackers a full range of capabilities that include:
Researchers have discovered some of the most advanced and full-featured mobile surveillanceware ever seen. Dubbed Monokle and used in the wild since at least March 2016, the Android-based application was developed by a Russian defense contractor that was sanctioned in 2016 for helping that country’s Main Intelligence Directorate meddle in the 2016 US presidential election.
Monokle uses several novel tools, including the ability to modify the Android trusted-certificate store and a command-and-control network that can communicate over Internet TCP ports, email, text messages, or phone calls. The result: Monokle provides a host of surveillance capabilities that work even when an Internet connection is unavailable. According to a report published by Lookout, the mobile security provider that found it, Monokle is able to:
- Retrieve calendar information including name of event, when and where it is taking place, and description
- Perform man-in-the-middle attacks against HTTPS traffic and other types of TLS-protected communications
- Collect account information and retrieve messages for WhatsApp, Instagram, VK, Skype, imo
- Receive out-of-band messages via keywords (control phrases) delivered via SMS or from designated control phones
- Send text messages to an attacker-specified number
- Reset a user’s pincode
- Record environmental audio (and specify high, medium, or low quality)
- Make outgoing calls
- Record calls
- Interact with popular office applications to retrieve document text
- Take photos, videos, and screenshots
- Log passwords, including phone unlock PINs and key presses
- Retrieve cryptographic salts to aid in obtaining PINs and passwords stored on the device
- Accept commands from a set of specified phone numbers
- Retrieve contacts, emails, call histories, browsing histories, accounts and corresponding passwords
- Get device information including make, model, power levels, whether connections are over Wi-Fi or mobile data, and whether screen is on or off
- Execute arbitrary shell commands, as root, if root access is available
- Track device location
- Get nearby cell tower info
- List installed applications
- Get nearby Wi-Fi details
- Delete arbitrary files
- Download attacker-specified files
- Reboot a device
- Uninstall itself and remove all traces from an infected phone
Commands in some of the Monokle samples Lookout researchers analyzed led them to believe that there may be versions of Monokle developed for devices running Apple's iOS. Unused in the Android samples, the commands were likely included unintentionally. They controlled iOS functions for the keychain, iCloud connections, iWatch accelerometer data, iOS permissions, and other iOS features or services. Lookout researchers didn't find any iOS samples, but they believe iOS versions may be under development. Monokle gets its name from a malware component a developer titled "monokle-agent."
Researchers have exposed a network of Facebook accounts that used Libya-themed news and topics to push malware to tens of thousands of people over a five-year span.
Links to the Windows and Android-based malware first came to researchers’ attention when the researchers found them included in Facebook postings impersonating Field Marshal Khalifa Haftar, commander of Libya’s National Army. The fake account, which was created in early April and had more than 11,000 followers, purported to publish documents showing countries such as Qatar and Turkey conspiring against Libya and photos of a captured pilot that tried to bomb the capital city of Tripoli. Other posts promised to offer mobile applications that Libyan citizens could use to join the country’s armed forces.
According to a post published on Monday by security firm Check Point, most of the links instead led to VBScripts, Windows Script Files, and Android apps known to be malicious. The wares included variants of open source remote-administration tools with names including Houdini, Remcos, and SpyNote. The tools were mostly stored on file-hosting services such as Google Drive, Dropbox, and Box.
Yesterday on Twitter, Samsung's US support team reminded everyone to regularly—and manually—virus-scan their televisions.
Samsung's team followed this up with a short video showing someone in a conference room going 16 button-presses deep into the system menu of a Samsung QLED TV to activate the television's built-in virus-scan, which is apparently "McAfee Security for TV."
Unsurprisingly, Samsung got immediate pushback on these tweets and almost as immediately deleted them.