Alerts

In this age of digital risks, protecting yourself from the constant barrage of cyberthreats is a full-time job. Cybercrime, data breaches and internet attacks are on the rise; one estimate puts the cost of cybercrime to the global economy at around $2 trillion by 2019.

And scammers will never run out of ideas to exploit you. Their tactics evolve as sure as technology advances. It’s like playing a game of cybersecurity whack-a-mole, as criminals think of infinite ways to secretly steal your hard-earned cash.

We have warned repeatedly about how vulnerable your router is if it is not configured properly. Attackers who hijack it can harvest your personal information, commandeer your smart devices, install malware on your computer and redirect your traffic to fake websites.

The newly discovered malware campaign described below does precisely that. If you are not careful, cybercriminals can drain your bank accounts without warning.

The Mantis strikes

The malware in question is a malicious Android app called Roaming Mantis, which combines spyware and adware behaviour. It does not spread through third-party app downloads or phishing emails but through a technique known as DNS hijacking.

DNS hijacking of poorly secured Wi-Fi routers is nothing new; we have covered it before with malware such as Switcher and other malicious DNS changers.

In a DNS hijack, attackers alter your router's DNS settings so that every name lookup made by devices on your network goes to a resolver the attackers control. That resolver answers with the addresses of fake versions of legitimate sites, built to steal your credentials, your banking details and even the codes you use for two-factor authentication.

Once your router hands out the attackers' DNS servers, they can send any hostname your devices look up to a server of their choosing.

It is a serious problem. Once the router is compromised and its DNS settings altered, potentially every computer and gadget on the network can be targeted.

What is DNS?

The Domain Name System (DNS) is often called the phone book of the internet. It translates the human-readable domain names you type into the IP addresses that computers actually connect to (in the example this article uses, google.com resolves to 74.125.239.2), and reverse lookups map addresses back to names.

Every connection your devices make starts with such a lookup, so whoever answers your DNS queries decides where your traffic ends up. That is why swapping the resolver your router hands out is enough to redirect everything behind it.
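To make the mechanism concrete, here is an added example (written for this page, not code from Kaspersky Lab or the original article) that encodes a DNS A query, parses the reply and compares the answers from two resolvers. The response packet is constructed inline, using the google.com / 74.125.239.2 pair from the text, so it runs offline; in practice you would send the same query over UDP port 53 once to the DNS server your router hands out and once to a resolver you trust, and treat an empty overlap across several unrelated domains as a sign the router's DNS has been changed.

```python
import struct

# Constructed sample: a DNS response to an A query for google.com, built
# inline so the example runs offline. The address is the one used above.
SAMPLE_RESPONSE = (
    b"\x12\x34"              # transaction ID
    b"\x81\x80"              # flags: response, recursion desired + available
    b"\x00\x01"              # QDCOUNT = 1
    b"\x00\x01"              # ANCOUNT = 1
    b"\x00\x00\x00\x00"      # NSCOUNT = 0, ARCOUNT = 0
    b"\x06google\x03com\x00" # question name
    b"\x00\x01\x00\x01"      # QTYPE = A, QCLASS = IN
    b"\xc0\x0c"              # answer name: compression pointer to offset 12
    b"\x00\x01\x00\x01"      # TYPE = A, CLASS = IN
    b"\x00\x00\x01\x2c"      # TTL = 300
    b"\x00\x04"              # RDLENGTH = 4
    b"\x4a\x7d\xef\x02"      # RDATA = 74.125.239.2
)


def build_a_query(name, tid=0x1234):
    """Encode a standard recursive A query for `name` (what a resolver receives)."""
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _read_name(pkt, off):
    """Read a (possibly compressed) DNS name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                # the name itself ends after the pointer
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_response(pkt):
    """Return (queried name, [IPv4 strings]) from a raw DNS response packet."""
    _tid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", pkt, 0)
    if not flags & 0x8000:
        raise ValueError("not a response")
    off, qname, ips = 12, None, []
    for _ in range(qd):
        qname, off = _read_name(pkt, off)
        off += 4                             # skip QTYPE + QCLASS
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return qname, ips


def answers_differ(router_answers, trusted_answers):
    """True when the router's resolver returns no address the trusted one does.
    Big sites sit behind CDNs, so a partial overlap is normal; an empty
    intersection for several unrelated domains is the hijacking signal."""
    return not set(router_answers) & set(trusted_answers)


if __name__ == "__main__":
    name, ips = parse_a_response(SAMPLE_RESPONSE)
    print(name, ips, "hijack suspected:", answers_differ(["203.0.113.5"], ips))
```

To run this against a live network, send `build_a_query("google.com")` with `socket.sendto` to the router's DNS address and to a trusted resolver, feed each reply to `parse_a_response`, and call `answers_differ` on the two lists for a handful of well-known domains.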

This Mantis roams to siphon your identity

According to Kaspersky Lab researchers, once a router is compromised the attackers use its altered DNS settings to redirect Android users to fake versions of real sites.

These fake sites then display a pop-up warning that reads “To better experience the browsing, update to the latest chrome version.”

If you take the bait and tap “OK,” your phone downloads and installs a fake Google Chrome browser, which is in fact the Roaming Mantis malware in disguise.

The fake Chrome app then requests a wide range of permissions, including access to the device's account information, management of SMS messages and phone calls, audio recording, storage control, package installation and drawing overlay windows.

Once the permissions are granted and Roaming Mantis is installed, it immediately shows the fake warning “Account No.exists risks, use after certification.”

If you tap “Enter” at this point, the malicious app starts a local web server on the compromised device and opens a fake version of the Google website, which tries to trick you into entering the name and date of birth associated with your configured Gmail account.

Here is the rub: because Roaming Mantis holds SMS permissions, the attackers can read and intercept every two-factor authentication code sent to your phone.

With Roaming Mantis on the phone and the DNS settings under their control, attackers can potentially get into your social media, email and banking accounts without you noticing until it is too late.
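The permission list is the most useful artefact a user or analyst can act on. The following added example (not from the Kaspersky report) triages a decoded AndroidManifest.xml for the combination the text describes: SMS access paired with overlay or package-install rights in an app that claims to be a browser. The mapping from the article's wording to Android permission names is my assumption, and the manifest is a constructed sample standing in for a fake "Chrome".

```python
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Assumed mapping from the capabilities listed above to the Android permission
# names that grant them; not taken from the Roaming Mantis sample itself.
RISKY = {
    "android.permission.GET_ACCOUNTS": "read device account information",
    "android.permission.READ_SMS": "read SMS (2FA codes)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (2FA codes)",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.CALL_PHONE": "place phone calls",
    "android.permission.READ_PHONE_STATE": "read phone and call state",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.WRITE_EXTERNAL_STORAGE": "control storage",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install packages",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlay windows",
}
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
ESCALATION = {"android.permission.SYSTEM_ALERT_WINDOW",
              "android.permission.REQUEST_INSTALL_PACKAGES"}

# Constructed sample manifest for a "browser" that asks for far more than a
# browser needs. Illustrative only; not the real Roaming Mantis manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakechrome">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the sorted list of <uses-permission> names in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(ANDROID_NAME, "") for el in root.iter("uses-permission"))


def triage(manifest_xml):
    """Return (package name, {risky permission: why}, verdict).

    Heuristic: an app that can read SMS *and* overlay other apps or install
    packages has everything needed for the 2FA theft described above."""
    root = ET.fromstring(manifest_xml)
    perms = set(requested_permissions(manifest_xml))
    risky = {p: RISKY[p] for p in sorted(perms) if p in RISKY}
    if perms & SMS and perms & ESCALATION:
        verdict = "suspicious: can intercept 2FA codes and overlay/install"
    elif risky:
        verdict = "review"
    else:
        verdict = "ok"
    return root.get("package"), risky, verdict


if __name__ == "__main__":
    pkg, risky, verdict = triage(SAMPLE_MANIFEST)
    print(pkg, verdict)
    for perm, why in risky.items():
        print("  ", perm, "->", why)
```

The same function runs over any manifest pulled from an APK with `apktool d` or `aapt dump xmltree`; a real browser needs INTERNET and little else, so each entry in the `risky` dictionary is a question to put to the app.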

Where did it come from?

Analysis of the malware code by Kaspersky Lab researchers found references to South Korean mobile banking and gaming applications. The malware also uses one of China's leading social media sites, Sohu.com, for command and control. This suggests that Roaming Mantis has Asian origins.

At the time of writing, Roaming Mantis had been detected more than 6,000 times across over 150 unique users. Kaspersky detects it as Trojan-Banker.AndroidOS.Wroba.

The most affected countries were South Korea, Bangladesh and Japan, but given the nature of the attack the campaign can spread quickly to other regions, including the United States and Europe.

It is still unknown how the attackers hijacked the DNS settings of the vulnerable routers; likely candidates are brute-forcing weak administrator passwords or a malicious app on an already-infected device, as Switcher does.

How to protect yourself from the Roaming Mantis

As usual, avoid downloading and installing Android apps from unknown third-party sources. Install only from official app stores such as Google Play, and check user feedback before installing.

Also shore up the router: change its default administrator username and password, update its firmware regularly, and verify that the DNS servers it hands out are the ones you or your ISP configured rather than addresses you do not recognise.

 

The information contained in this website is for general information purposes only. The information is gathered from Komando. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

An online search engine shows the full plaintext passwords of accounts exposed in several data breaches. Users can pay $10 in Bitcoin or several other cryptocurrencies to have their password removed. At the moment the site claims to be overloaded while it silently runs a cryptomining script.

[Screenshot of the breachedpasswords site; cryptocurrency addresses redacted.]

The website ‘breachedpasswords.website’ claims to search through 1.4 billion passwords. That is plausible: a database of 1.4 billion leaked credentials is widely available on the dark web. Earlier, a ‘white hat’ hacker built a site where users could check whether their password was in that database; it accepts an email address or domain and shows only partial email addresses and the first two characters of each password.

The new search engine shows the entire password, which means anyone can look up other users' passwords. Users can pay $10 in cryptocurrency to be removed from the database. Do not pay: paying finances a criminal and does nothing about the password already being exposed. Instead, change the password of every affected account, and of any other account where the same password was reused.

At the moment the site does not work; the results page appears to load forever. In reality the page runs the Crypto-Loot script, which uses 100% of your CPU to mine the Monero cryptocurrency.

The Bitcoin address shown on the site indicates that the criminal behind it has not received any payment yet.

 

Source: MyCE.

A new phishing campaign targeting Cyprus arrives by email and is designed to trick users into downloading malicious files, using the University of Cyprus as the sender.

If you have received the email below, do not open the attached files: they contain malware.

If the attachments have already been opened, disconnect the computer from the network and contact your system administrator immediately.

 

Analysis of the message's Internet headers shows that it originated from IP address 185.9.147.24, which is allocated in the Russian Federation.
Administrators can block the reported IP address and the hashes (signatures) of the malicious files at their network perimeter.

Malicious file analysis / IoCs: see below.

 

[Related images of the phishing email and its headers were shown here.]

 

 

File information (phishing attachment)

Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size: 1062992 bytes
MD5: 80eb2f4facc593847ce5666635689fa3
SHA1: 9e662e0af45a7fc82b2dd836820d3aa715dfdd77
SHA256: 231c4ad3e3b57abc4e80a9e7aff9ab492dc20295da9daec656095c5b8af5635c
SHA512: beccc2a99dc69d8339a73300db1d9e33c47b881d7c1a422589bc3edc444d07ee3f9ba18eeed8f32213b527f754241c3afe0428565e6067353992337d1c92857c

 

Malware behaviour (automated sandbox report)

  • Checks whether Microsoft Office is installed
  • Submitted file is bigger than most known malware samples
  • Creates files inside the user directory
  • Creates temporary files
  • Disables application error messages (SetErrorMode)
  • May try to detect the Windows Explorer process (often used for injection)
  • PE file has an executable .text section and no other executable section
  • Parts of the application use the VB 6.0 runtime library (probably written in Visual Basic)
  • Performs DNS lookups
  • Posts data to a web server
  • Queries the cryptographic machine GUID
  • Reads software policies
  • Tries to load a library that is not present on the analysis machine; adding it might reveal more behaviour
  • Some HTTP requests failed (404); the sample probably exhibited less behaviour than it would on a live host
  • Spawns processes
  • Tries to download from or post to a non-existent HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
  • URLs found in memory or binary data
  • PE file has an executable .text section that very likely contains packed code (zlib compression ratio < 0.3)
  • Binary may include packed or encrypted code
  • Creates a process in suspended mode (likely to inject code)
  • Creates mutexes
  • Enables debug privileges
  • May sleep (evasive loops) to hinder dynamic analysis
  • PE file contains strange resources
  • Reads the hosts file
  • Sample file name differs from the original file name in its version info
  • Tries to load missing DLLs
  • Uses a known web browser user agent for HTTP communication
  • Antivirus detection for the unpacked file
  • Tries to harvest and steal PuTTY / WinSCP information (sessions, passwords, etc.)
  • Tries to harvest and steal browser information (history, passwords, etc.)
  • Tries to harvest and steal FTP login credentials
  • Tries to steal mail credentials (via file access)
  • Snort IDS alert on network traffic (e.g. based on Emerging Threats rules)

 

Mitigation steps

Locate and delete the files below, which were observed being created by the malware during sandbox analysis. Two caveats for responders: the 9CD990.lck file is a single byte (its hashes are those of the string "1"), so match it by path rather than by hash; and the CryptoAPI key containers under Microsoft\Crypto\RSA and the OneDrive log carry the sandbox machine's SID, user name and run timestamp, so on a real host look for the equivalent files created around the time of infection rather than for these exact names. The directory %APPDATA%\87EAD9 is the most reliable indicator.

File 1: C:\Users\user\AppData\Roaming\87EAD9\9CD990.hdb

Type: Non-ISO extended-ASCII text, with no line terminators
MD5: AE501536B67ACC457C770FA05D5F46F8
SHA1: 1C033FF6A52650B8979FC694A8945E533E74231C
SHA256: 0217208B5F64BAF64C3F9B0EA7831257EA9A0F29A5AF8D67E246645A5865C2BA
SHA512: 76E1190E641F0F38D907F26731CC1E36469D28BEB827F657FDAF7BB47BB775E2189E8DED43D333A47BE5085E7AF57772B66781A1C424C8592985AADE264A45AA

File 2: C:\Users\user\AppData\Roaming\87EAD9\9CD990.lck

Type: very short file (no magic)
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A

File 3: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3227477682-2585267231-2215363254-1001\3135eda23b225cc6165555b12a32949e_600410b4-7d41-4743-bb5e-17120cb8243b

Type: data
MD5: 045E14DBA50BE72C42A6734D537723C8
SHA1: 1E97345AC6A614EAC19A6B7583B5301C316A934C
SHA256: 31E7F079E6918FC6E2759262CFDBC0144BFF329EEE983C6002AB9E2104CDB2C7
SHA512: 72D0751C3410BCA5432277E7724EE682D69C3116ED6BD7C849A539925561F179EFEE03A4A25DAAC85259745D78B3AA00A05F6BD303D02E1DD4C03A106022890E

File 4: C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2019-3-12.163.5652.1.aodl

Type: data
MD5: B0123EEADA56BBB73AA0D70639E6073A
SHA1: 7D3359543B865489E2816459AFFD95D2F88A61D6
SHA256: E280F72D9A5E8569DB398584D569DF1E78F01AA9666004CB679945D467DF97A9
SHA512: E545A3D3926C6EF21136FB73B90F1931BA143F51A043E75B518642E5CEB051909E14C55238FD913F85004D69E3E3CFCB2BE1C95B3D63172D16BB40E2F9C11512

File 5: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3227477682-2585267231-2215363254-1002\90367eee3146d09e4f4b426cc7bd2065_600410b4-7d41-4743-bb5e-17120cb8243b

Type: data
MD5: F0DE693DB21B95A470A6F4F20E9036A0
SHA1: 8E3A13815F99BE424AE0F9237C1CFDD7CFABBE05
SHA256: B3AB0E751D0CE255988690B066D7375B257D1F80CCE4757C17443A87F5421E32
SHA512: 90FA36DB1BA46F9F44B9C9B3461FD698B69B27210EAF748D21B5E2A49F90276EB9B2E5AF06DE7DBF67C8740A6814AFD08112E55C8BEF56EF882CE94798A43951
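To turn the list above into something a responder can run, here is an added example (not part of the CSIRT-CY advisory) that walks a user's Roaming profile, flags anything under the 87EAD9 directory and matches SHA-256 digests against the advisory's hashes. The demo() function builds a throwaway profile with constructed contents so the script runs anywhere; the real .hdb contents are not known here, so for that file only the path is relied on, and the function lck_hash_is_trivial() shows why the .lck hash alone is not evidence.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 IoCs copied from the advisory above (lower-cased for comparison).
IOC_SHA256 = {
    "231c4ad3e3b57abc4e80a9e7aff9ab492dc20295da9daec656095c5b8af5635c": "phishing attachment (PE32)",
    "0217208b5f64baf64c3f9b0ea7831257ea9a0f29a5af8d67e246645a5865c2ba": "9CD990.hdb",
    "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b": "9CD990.lck",
}
# Directory the malware creates under %APPDATA%\Roaming; a path match here is
# the stronger indicator because file contents can change between victims.
IOC_DIR_NAME = "87EAD9"


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files never load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def lck_hash_is_trivial():
    """The .lck IoC is just the hash of the one-byte string "1", so a hash
    match on it proves nothing about the host; match it by path instead."""
    return hashlib.sha256(b"1").hexdigest() in IOC_SHA256


def scan(roaming_dir):
    """Walk a Roaming profile; return [(relative posix path, [reasons])] hits."""
    root = Path(roaming_dir)
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root)
        reasons = []
        if IOC_DIR_NAME in rel.parts:
            reasons.append(f"lives under the malware directory {IOC_DIR_NAME}")
        digest = sha256_of(p)
        if digest in IOC_SHA256:
            reasons.append(f"SHA-256 matches IoC {IOC_SHA256[digest]}")
        if reasons:
            hits.append((rel.as_posix(), reasons))
    return hits


def demo():
    """Build a throwaway profile with constructed files and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / IOC_DIR_NAME).mkdir()
        (base / IOC_DIR_NAME / "9CD990.lck").write_bytes(b"1")   # matches the advisory hash
        (base / IOC_DIR_NAME / "9CD990.hdb").write_bytes(b"constructed placeholder, not the real .hdb")
        (base / "Microsoft").mkdir()
        (base / "Microsoft" / "benign.txt").write_bytes(b"nothing to see")
        return scan(base)


if __name__ == "__main__":
    # On a real host: scan(Path.home() / "AppData" / "Roaming")
    for path, reasons in demo():
        print(path, "->", "; ".join(reasons))
```

On a live host point `scan` at `%APPDATA%` (Path.home() / "AppData" / "Roaming") for each user profile; the OneDrive log and CryptoAPI containers are deliberately not in the IoC table because their names and contents are machine-specific.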

 

A wave of attacks combining phishing, social engineering, exploits and obfuscation is spreading the Quant Loader Trojan, a downloader capable of delivering ransomware and password stealers.

Researchers at Barracuda last month began spotting zipped malicious Microsoft Internet Shortcut files (with a “.url” extension) that claim to be billing documents but in fact point to remote script files.

The files use a variation on the CVE-2016-3353 proof of concept: they contain links to JavaScript files and in some cases Windows Script Files, are heavily obfuscated, and all result in downloading and running Quant Loader when allowed to execute, according to Barracuda's blog post.

The researchers observed the attack as a series of mini-campaigns, each lasting less than a day and each using a single domain serving malicious script files over Samba (SMB) and a single Quant variant distributed from a handful of domains. The campaigns also shared an email content and file-name pattern; some emails had no body text at all, only a subject line.

Rod Soto, security analyst at JASK, said the attack matches current observations of other malicious campaigns in which scripting languages are used to execute exploitation and infection payloads and bypass standard browser protections.

“Scripting languages are perceived as less dangerous than actual files, as they are usually trusted by the operating system and operate under current user rights, so it takes deeper inspection into the actual code in order to assess its maliciousness,” said Soto. “These types of attacks are growing in popularity and are also called fileless malware.”
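Since the lure is a plain INI-style Internet Shortcut, its tell-tale features are easy to check at a mail gateway or in a triage script. The following added example (not Barracuda's code) parses a .url file and flags a URL= value that fetches a script-host file over SMB, whether written as file://host/share/x.js or as a UNC path. The sample shortcut files are constructed, with hosts taken from the 203.0.113.0/24 documentation range.

```python
import configparser
from urllib.parse import urlparse

# Extensions a shortcut should never point at: script hosts and executables
# that Windows will run when the shortcut is followed.
SCRIPT_EXT = (".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta", ".ps1", ".exe", ".scr")

# Constructed samples (not the actual files from the campaign).
MALICIOUS_URL_FILE = "[InternetShortcut]\nURL=file://203.0.113.10/billing/invoice_4471.js\nIconIndex=0\n"
UNC_URL_FILE = "[InternetShortcut]\nURL=\\\\203.0.113.10\\billing\\invoice_4471.wsf\n"
BENIGN_URL_FILE = "[InternetShortcut]\nURL=https://www.example.com/invoices\n"


def shortcut_target(text):
    """Return the URL= value of an Internet Shortcut, or None if it is not one."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def assess_shortcut(text):
    """Classify a .url file as benign / suspicious / malicious, with reasons."""
    target = shortcut_target(text)
    if target is None:
        return "not-a-shortcut", []
    target = target.strip()
    reasons, remote, script = [], False, False

    if target.startswith("\\\\"):                       # \\host\share\file
        host = target[2:].split("\\", 1)[0]
        path = target.replace("\\", "/")
        remote = True
        reasons.append(f"UNC path to {host}: file is fetched over SMB")
    else:
        u = urlparse(target)
        path = u.path
        if u.scheme == "file" and u.netloc:               # file://host/share/file
            remote = True
            reasons.append(f"file:// URL to remote host {u.netloc}: fetched over SMB")

    if path.lower().endswith(SCRIPT_EXT):
        script = True
        reasons.append(f"target is a script or executable (.{path.rsplit('.', 1)[-1].lower()})")

    if remote and script:
        return "malicious", reasons
    if remote or script:
        return "suspicious", reasons
    return "benign", reasons


if __name__ == "__main__":
    for label, sample in (("file://", MALICIOUS_URL_FILE), ("UNC", UNC_URL_FILE), ("https", BENIGN_URL_FILE)):
        print(label, assess_shortcut(sample))
```

Run it over every .url extracted from inbound ZIP attachments; a remote SMB fetch of a script host file is exactly the CVE-2016-3353 pattern the text describes, while an https link to a .js file is worth a second look but not proof on its own.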

 

Source: Security Newspaper.