Archive for the ‘malware’ Category
Malicious apps hosted in the Google Play market are trying a clever trick to avoid detection—they monitor the motion-sensor input of an infected device before installing a powerful banking trojan to make sure it doesn’t load on emulators researchers use to detect attacks.
The thinking behind the monitoring is that sensors in real end-user devices will record motion as people use them. By contrast, emulators used by security researchers—and possibly Google employees screening apps submitted to Play—are less likely to use sensors. Two Google Play apps recently caught dropping the Anubis banking malware on infected devices would activate the payload only when motion was detected first. Otherwise, the trojan would remain dormant.
Security firm Trend Micro found the motion-activated dropper in two apps—BatterySaverMobi, which had about 5,000 downloads, and Currency Converter, which had an unknown number of downloads. Google removed them once it learned they were malicious.
Last May, researchers published a bombshell report documenting sophisticated malware attributed to the Russian government. The malware, dubbed "LoJax," creates a persistent backdoor that survives operating system reinstalls and hard drive replacements. On Wednesday, researchers published new findings that indicate the campaign remains active.
LoJax in May became the first known case of a real-world attack harnessing the power of the Unified Extensible Firmware Interface boot system found in virtually all modern Windows computers. As software that bridges a PC’s firmware and its operating system, UEFI is essentially a lightweight operating system in its own right. That makes it a handy place to hide rootkits because once there a rootkit will remain in place even after an OS is reinstalled or a hard drive is replaced.
LoJax gets its name from LoJack, an anti-theft product from developer Absolute Software. The rootkit is a modified version of a 2008 release of LoJack (then called Computrace). The anti-theft software achieved persistence by burrowing into the UEFI of the computer it was protecting. The design ensured that even if a thief made major changes to a computer’s hardware or software, a LoJack “small agent” would remain intact and be able to contact Absolute Software servers.
Four months after a mysterious group was outed for a digital espionage operation that used novel techniques to target Mac users, its macOS malware samples continued to go undetected by most antivirus providers, a security researcher reported on Thursday.
Windshift is what researchers refer to as an APT—short for "advanced persistent threat"—that surveils individuals in the Middle East. The group operated in the shadows for two years until August, when Taha Karim, a researcher at security firm DarkMatter, profiled it at the Hack in the Box conference in Singapore. Slides, a brief description, and a report from Forbes are here, here and here, respectively.
A few things make Windshift stand out among APTs, Karim reported in August. One is how rarely the group infects its targets with malware. Instead, it relies on links inside phishing emails and SMS text messages to track the locations, online habits, and other traits of the targets. Another unusual characteristic: in the extremely rare cases Windshift uses Mac malware to steal documents or take screenshots of targets' desktops, it relies on a novel technique to bypass macOS security defenses. (The above-linked Forbes article has more on how this technique, known as a custom URL scheme, allows attacker-controlled sites to automatically install their malware on targeted Macs.)
Federal prosecutors on Tuesday unsealed charges that accused two Chinese government intelligence officers and eight alleged co-conspirators of conducting sustained computer intrusions into 13 companies in an attempt to steal designs for a turbofan engine used in commercial jetliners.
A 21-page indictment filed in US District Court in the Southern District of California said the Jiangsu Province Ministry of State Security, an arm of the People’s Republic of China’s Ministry of State Security, directed the five-year campaign. According to the indictment, between January 2010 to May 2015, the team allegedly used a wide range of methods to break into the computer networks of companies involved in aerospace and turbine manufacturing and Internet and technology services. Their primary goal was stealing data that would allow a Chinese government-owned company to design its own jetliner. With the exception of Capstone Turbines, a Los Angeles-based gas turbine maker, other targeted companies weren’t identified by name and were referred to only as companies A through L.
"Members of the conspiracy targeted, among other things, data and information related to a turbofan engine used in commercial jetliners,” prosecutors wrote in the superseding indictment. “At the time of the intrusions, a Chinese state-owned aerospace company was working to develop a comparable engine for use in commercial aircraft manufactured in China and elsewhere.” The indictment continued:
Most of us don’t think twice about installing software or updates from a trusted developer. We scrutinize the source site carefully to make sure it’s legitimate, and then we let the code run on our computers without much more thought. As developers continue to make software and webpages harder to hack, blackhats over the past few years have increasingly exploited this trust to spread malicious wares. Over the past week, two such supply-chain attacks have come to light.
The first involves VestaCP, a control-panel interface that system administrators use to manage servers. This Internet scan performed by Censys shows that there are more than 132,000 unexpired TLS certificates protecting VestaCP users at the moment. According to a post published last Thursday by security firm Eset, unknown attackers compromised VestaCP servers and used their access to make a malicious change to an installer that was available for download.
Poisoning the source
“The VestaCP installation script was altered to report back generated admin credentials to vestacp.com after a successful installation,” Eset Malware Researcher Marc-Étienne M.Léveillé told Ars. “We don’t know exactly when this happened, but the modified installation script was visible in their source code management on GitHub between May 31 and June 13.” VestaCP developer Serghey Rodin told Ars his organization is working with Eset to investigate the breach to better understand the attack.