Category: Security News

AZORult Trojan Uses Signed Certificate to Appear Legitimate

Post author By Brian Tigges
Post date January 28, 2019

A variation of a trojan by the name of AZORult was recently discovered by Minerva Labs to be using a self-signed certificate (that did not belong to Google) to appear as a legitimate update service signed by Google. When installing a program or running an executable on your computer, usually there will be a box or a little green shield (Windows) somewhere saying that the program is legitimate and has a signed certificate by the company to prove so. In this case AZORult used a real signed certificate to make the malware appear as a legitimate program on people’s machines, however the signer was NOT Google. This trojan’s purpose is to phish and steal as much information from a computer as it can. Some of the things AZORult will look for include: saved passwords (in browsers or otherwise), browser cookies, Skype chat history and files in Skype chat history, files on the desktop of the pc, files with specific extensions on the pc, a list of installed programs, a list of running currently processes, the username, computer name, and operating system type. In order for a person to encounter AZORult, they must first get infected by the first stage of the malware — a delivery service. AZORult is delivered onto one’s computer through another malware such as Seamless, which utilizes iframe exploits to deliver its payload. Once Seamless is on the computer, another payload is dropped called Ramnit. Ramnit once again collects some information from the computer and then finally drops AZORult. AZORult itself isn’t extremely dangerous and can be easily removed using tools provided by Symantec. The purpose of AZORult is to collect information from someone’s computer, and open a gateway for other payloads to be executed. What makes AZORult potentially dangerous is that it can act as a delivery service for other payloads.

The way that Minerva detected the fake certificate being used by the malware was through a report sent in by one of their customers. The customer went to run GoogleUpdate.exe on their computer, and Minerva’s Anti-Evasion Platform prevented the executable from running. Although the program did have a signed certificate, this does not mean that the program is safe.

This is the signature on the fake GoogleUpdate.exe
(Image provided by Minerva)

What makes this variant of AZORult stand out from others commonly found on people’s computers is that not only does it trick people into thinking it’s a legitimate Google program that is signed for, but it also will go and replace the regular GoogleUpdate.exe (located in: C:\Program Files\Google\Update\GoogleUpdate.exe.) with the malicious version. This allows the malware to gain administrative permissions easily and remain on the system with a much lesser chance of being detected. To protect yourself from trojans like so, always be wary of what you are downloading and where you are downloading from and be extra cautious of links. If you receive a suspicious link do some research about the link before clicking on it. Something as simple as clicking on a link could allow an iframe exploit to do something to your computer.

For those interested more in iframe exploits, a new blog will be posted tomorrow explaining exactly what they are, how they work, and how potentially damaging they can be. To read more about the technical workings of AZORult click here.

Tags malware

Security News

How North Korea Used Skype to Hack Chile’s ATM Network

Post author By Brian Tigges
Post date January 16, 2019

Ever sent or received a file through Skype? One Chilean employee (a supposedly trusted IT professional) working for the company Redbanc messed up big time when he decided to go job searching — on company time – and took part in a staged “job interview” via Skype. An employee (who’s name, as far as I am aware, has not been disclosed to the public) was looking around at jobs back in December while he was at work for Redbanc. Redbanc is the company in charge of ATM processing services for the majority of ATM machines in the country of Chile, and has connections with every single Chilean bank as well. This employee found a position on LinkedIn that looked promising to them and they contacted the “company” thinking they were going to take part in a virtual job interview via Skype. The hackers behind the fake LinkedIn replied, and the employee then took place in the staged interview. The interview started out as a fake conversation between the employee and the hacker(s), and then turned to a point in which the hacker(s) asked the employee to fill out a fake application. The way that the hackers delivered said application to the employee was via Skype’s file transfer system. Without hesitation, the employee downloaded the file (ApplicationPDF.exe) onto their Windows 7 work computer through Skype and opened it. A fake pdf was brought up for the employee to fill out, as malicious code executed in the background, giving the hackers access to the entire network and processing system of every single ATM machine in Chile.

The hacker group that claimed responsibility for this attack is known as the Lazarus Group (AKA Hidden Cobra, or Kimsuky). The Lazarus Group is the hacker group that claimed responsibility for the Sony hack back in 2014, and the WannaCry ransomware that infected an estimated 230,000 computers in 2017. The security firm Flashpoint confirmed that the attack carried out by the Lazarus Group utilized a toolkit called “PowerRatankba” which has supposed links to North Korean hackers known as “Bureau 121” (121국). The program is written in Visual Basic, and when opened, resembles a legitimate-looking application for a user to fill out. The malware itself actually has a second payload. After the user downloads the malicious file and runs it, the malware will create a connection to a server to call to the second payload and download a Powershell reconnaissance tool. This allows the hackers to basically control the compromised computer system at their will. The next task for the malware is to call to the server and ensure a connection is made, (in this case via HTTPS) and then delete the Powershell script afterwards. Then PowerRatankba will scrape the PC for as much information as it can obtain, including; which user is currently logged into Windows on the machine and their UAC level, the processlist, proxy settings on the machine, checks for open file shares and Remote Desktop Protocol ports in an attempt to find open ports. If the user logged into the computer does have admin rights, PowerRatankba will attempt to download yet another payload from their server which allows the hackers more leverage over the system.

Below is a picture of the GUI that is shown to the user when the executable is open (provided by Flashpoint):

The infiltration itself actually took place in December, but was not publicized until Chilean Senator Felipe Harboe blasted the company Redbanc on Twitter for not disclosing their breach to the public. Redbanc then acknowledged the infiltration, but did not disclose more information to the public. This attack would not have happened if there had not been an incompetent employee who decided to download a suspicious file via Skype onto their work computer to partake in a “job interview”.

(For more information on the virus itself visit here or here.)

Tags atm, malware, money

Security News

How Malicious Apps on the Google Play Store Compromised User Data from 196 Countries.

Post author By Brian Tigges
Post date January 10, 2019
No Comments on How Malicious Apps on the Google Play Store Compromised User Data from 196 Countries.

At the start of this year, new spyware was discovered within a few apps on the Android Google Play store. This spyware, labelled “MobSTSPY” was intended to scrape information from the user’s device and steal while being the least susceptible. A user would unknowingly download a totally legitimate-looking application from the Google Play store with the spyware in it, and upon launching the application they would be prompted with a Facebook or Google login screen. Without even entering any information, in the background the application has already compromised the device and given the hacker the ability to connect to the device and upload files from the device. “MobSTSPY” is capable of dumping contacts, stealing SMS conversations, reading clipboard items, finding the location of the device, take text documents, pictures, audio files, and upload them to the perpetrator’s system.

Today, it is pretty common to have an app ask you to sign into Facebook or Google when first launching it. The reason for this is because a lot of games will allow you to record your progress in the game, collect badges, earn points, and share your progress with others easily by using the linked social media account to do so. The spyware would bring up a promising, yet false login screen for Facebook or Google and once the user enters their info they’ve been compromised. The malicious applications had the most downloads in India and Russia, but still managed to find their way onto people’s devices from about 196 different countries.

The spyware was hidden in an array of applications on the Google Play store. The most common applications the spyware was hidden in were apps such as: a Flappy Bird look-a-like, a flashlight app, a Windows 7 emulator for Android, and other various applications. The way the spyware would retrieve your information is through a C&C server. “MobSTSPY” specifically uses Firebase Cloud Messaging to transfer compromised data to it’s server, then the hacker could access and do as he or she pleased with the stolen information.

Originally Reported by TrendMicro.