Archive for the ‘malware’ Category
Malicious apps hosted in the Google Play market are trying a clever trick to avoid detection—they monitor the motion-sensor input of an infected device before installing a powerful banking trojan to make sure it doesn’t load on emulators researchers use to detect attacks.
The thinking behind the monitoring is that sensors in real end-user devices will record motion as people use them. By contrast, emulators used by security researchers—and possibly Google employees screening apps submitted to Play—are less likely to use sensors. Two Google Play apps recently caught dropping the Anubis banking malware on infected devices would activate the payload only when motion was detected first. Otherwise, the trojan would remain dormant.
Security firm Trend Micro found the motion-activated dropper in two apps—BatterySaverMobi, which had about 5,000 downloads, and Currency Converter, which had an unknown number of downloads. Google removed them once it learned they were malicious.
Last May, researchers published a bombshell report documenting sophisticated malware attributed to the Russian government. The malware, dubbed "LoJax," creates a persistent backdoor that survives operating system reinstalls and hard drive replacements. On Wednesday, researchers published new findings that indicate the campaign remains active.
LoJax in May became the first known case of a real-world attack harnessing the power of the Unified Extensible Firmware Interface boot system found in virtually all modern Windows computers. As software that bridges a PC’s firmware and its operating system, UEFI is essentially a lightweight operating system in its own right. That makes it a handy place to hide rootkits because once there a rootkit will remain in place even after an OS is reinstalled or a hard drive is replaced.
LoJax gets its name from LoJack, an anti-theft product from developer Absolute Software. The rootkit is a modified version of a 2008 release of LoJack (then called Computrace). The anti-theft software achieved persistence by burrowing into the UEFI of the computer it was protecting. The design ensured that even if a thief made major changes to a computer’s hardware or software, a LoJack “small agent” would remain intact and be able to contact Absolute Software servers.
Four months after a mysterious group was outed for a digital espionage operation that used novel techniques to target Mac users, its macOS malware samples continued to go undetected by most antivirus providers, a security researcher reported on Thursday.
Windshift is what researchers refer to as an APT—short for "advanced persistent threat"—that surveils individuals in the Middle East. The group operated in the shadows for two years until August, when Taha Karim, a researcher at security firm DarkMatter, profiled it at the Hack in the Box conference in Singapore. Slides, a brief description, and a report from Forbes are here, here and here, respectively.
A few things make Windshift stand out among APTs, Karim reported in August. One is how rarely the group infects its targets with malware. Instead, it relies on links inside phishing emails and SMS text messages to track the locations, online habits, and other traits of the targets. Another unusual characteristic: in the extremely rare cases Windshift uses Mac malware to steal documents or take screenshots of targets' desktops, it relies on a novel technique to bypass macOS security defenses. (The above-linked Forbes article has more on how this technique, known as a custom URL scheme, allows attacker-controlled sites to automatically install their malware on targeted Macs.)
Posted in computer virus, Cyber Attack, cyber security, data recovery software, data security, data wiping malware, Iranian Hackers, malware, shamoon, shamoon malware, state sponsored attack | Comments (0)
Posted in Cyber Attack, Cyber Criminal, file encryption software, hacker arrested, hacking news, Iranian Hackers, malware, Malware attack, ransomware, ransomware attack, Samsam Ransomware | Comments (0)