Categories
General Learning

What are iframes?

An iframe, also known as an inline frame, is an HTML element used to embed another document (page) within the current HTML document on a website. A web developer can choose the size of the iframe to suit the application: it can be as large as the page, or as small as a 1×1 pixel box that is effectively invisible to the human eye. Within an iframe, a person with malicious intent could embed a harmful website or use XSS (cross-site scripting) to execute scripts in the background while you browse the site. For example, someone could host a website whose landing page looks completely normal, while somewhere in the background there is an iframe with malicious code embedded. The site could then bring up an actual, legitimate login screen for a service like Google or Facebook while the embedded code records every keystroke you type. Concretely, a person could be on a website reading an article and then be asked to sign in to “share” what they are reading with others. Although the login process the site presents is itself legitimate, an iframe with malicious code somewhere on the website could record everything they typed in.
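The hidden-iframe case described above is something a defender can look for directly. The following is an added example (not code from the original post) that parses an HTML document with Python's standard-library parser and flags iframes that are sized 1×1, hidden with CSS, or positioned off-screen, and records whether each one points at a different origin than the page. The HTML and the page URL are constructed samples; the size thresholds and CSS patterns are a heuristic chosen for this example.

```python
"""Audit a page for hidden or cross-origin iframes (added example, constructed input)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one visible embed, one 1x1 tracker, one CSS-hidden
# same-origin frame, and one off-screen frame pointing at a login host.
SAMPLE_HTML = """
<html><body>
<h1>An article</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="https://tracker.example-cdn.net/pixel" width="1" height="1"></iframe>
<iframe src="/local/widget" style="display: none"></iframe>
<iframe src="https://accounts.example.com/login" style="position:absolute; left:-9999px"></iframe>
</body></html>
"""


def _px(value):
    """Parse a width/height attribute such as '1' or '1px' into a number; None if not pixels."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+(?:\.\d+)?)\s*(px)?\s*$", value)
    return float(m.group(1)) if m else None


def _hidden_reasons(attrs):
    """Return the list of reasons an iframe would be invisible to a user."""
    reasons = []
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        reasons.append("tiny-size")
    style = (attrs.get("style") or "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("css-hidden")
    if re.search(r"(left|top):-\d+", style):
        reasons.append("offscreen")
    if re.search(r"opacity:0(?:\.0+)?(?:;|$)", style):
        reasons.append("transparent")
    return reasons


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def audit_iframes(html, page_url):
    """Return one finding per iframe: its src, hiding reasons, origin check and verdict."""
    page_host = urlparse(page_url).hostname
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname  # None for relative URLs (same origin as the page)
        reasons = _hidden_reasons(attrs)
        findings.append({
            "src": src,
            "reasons": reasons,
            "cross_origin": host is not None and host != page_host,
            "suspicious": bool(reasons),  # hidden frames are the ones a user never sees
        })
    return findings


if __name__ == "__main__":
    for f in audit_iframes(SAMPLE_HTML, "https://news.example.org/article"):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} cross_origin={f['cross_origin']!s:5} {f['src']} {f['reasons']}")
```

A visible cross-origin embed (the video) is reported but not flagged, while the three hidden frames are. On the other side of the problem, a site that serves login pages can refuse to be framed at all by sending an `X-Frame-Options: DENY` header or a Content Security Policy with `frame-ancestors 'none'`; that is the operator-side control the post's "not much you can do" does not cover.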

A security flaw in Microsoft’s Internet Explorer 5 back in 2002, and again in 2015 in Internet Explorer 11, allowed attackers to use XSS and iframes to their advantage and steal information quite easily. Usually, for someone to take advantage of an iframe and its code, they would first have to get people onto their own website in order to execute the bad code and listen in. This bug in IE5 and IE11, however, allowed the hackers to listen in on their own site AND on the other site they had placed within their iframe. The attack was widespread and very serious, and was quickly addressed by Microsoft.

As far as protecting yourself from iframe exploits goes, there is not much you can do. Inline frames are NOT always used for malicious purposes and are in fact quite common on most sites. The best thing you can do is be extra cautious about signing into anything on a website that is not directly associated with that website, and keep up with your browser updates.

Categories
Security News

AZORult Trojan Uses Signed Certificate to Appear Legitimate

A variant of a trojan by the name of AZORult was recently discovered by Minerva Labs to be using a self-signed certificate (one that did not belong to Google) to appear as a legitimate update service signed by Google. When installing a program or running an executable on your computer, there is usually a box or a little green shield (on Windows) somewhere saying that the program is legitimate and carries a certificate signed by the company to prove it. In this case AZORult used a real signed certificate to make the malware appear as a legitimate program on people’s machines; however, the signer was NOT Google. This trojan’s purpose is to phish and steal as much information from a computer as it can. Some of the things AZORult will look for include: saved passwords (in browsers or otherwise), browser cookies, Skype chat history and the files in it, files on the desktop of the PC, files with specific extensions on the PC, a list of installed programs, a list of currently running processes, the username, the computer name, and the operating system type. For a person to encounter AZORult, they must first be infected by the first stage of the malware — a delivery service. AZORult is delivered onto one’s computer by another piece of malware such as Seamless, which uses iframe exploits to deliver its payload. Once Seamless is on the computer, another payload called Ramnit is dropped. Ramnit in turn collects some information from the computer and finally drops AZORult. AZORult itself isn’t extremely dangerous and can be removed easily using tools provided by Symantec. Its purpose is to collect information from someone’s computer and open a gateway for other payloads to be executed. What makes AZORult potentially dangerous is that it can act as a delivery service for those other payloads.

The way that Minerva detected the fake certificate being used by the malware was through a report sent in by one of their customers. The customer went to run GoogleUpdate.exe on their computer, and Minerva’s Anti-Evasion Platform prevented the executable from running. Although the program did have a signed certificate, this does not mean that the program is safe.


This is the signature on the fake GoogleUpdate.exe
(Image provided by Minerva)

What makes this variant of AZORult stand out from others commonly found on people’s computers is that it not only tricks people into thinking it’s a legitimate, signed Google program, but it also replaces the regular GoogleUpdate.exe (located at C:\Program Files\Google\Update\GoogleUpdate.exe) with the malicious version. This allows the malware to gain administrative permissions easily and remain on the system with a much lower chance of being detected. To protect yourself from trojans like this, always be wary of what you are downloading and where you are downloading it from, and be extra cautious with links. If you receive a suspicious link, do some research about it before clicking on it. Something as simple as clicking on a link could allow an iframe exploit to do something to your computer.
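The lesson of the two paragraphs above is that "has a valid signature" is not the same as "signed by the publisher you expect", and that a binary living at a well-known path should be held to a per-file expectation. The following added example (not code from Minerva or from the original post) encodes that as a small policy check: it parses the signer's X.509 subject distinguished name and compares the organisation against the publisher expected for that file name. The signature records are constructed in the shape a signature-inspection tool might produce; the subject names, the `Contoso` organisation and the `EXPECTED_PUBLISHER` table are assumptions for illustration and should be populated from your own known-good binaries.

```python
"""Check a signed binary's signer against the publisher expected for that file (added example)."""
import re

# Assumed policy: which organisation(s) are allowed to sign a given executable name.
# Populate from golden copies of the binaries you actually deploy.
EXPECTED_PUBLISHER = {
    "googleupdate.exe": {"Google LLC"},
}

# Constructed signature records (subject DNs are made up; none is a real certificate).
SAMPLE_RECORDS = [
    {"path": r"C:\Program Files\Google\Update\GoogleUpdate.exe",
     "status": "Valid",
     "subject": "CN=Google LLC, O=Google LLC, L=Mountain View, S=California, C=US"},
    {"path": r"C:\Program Files\Google\Update\GoogleUpdate.exe",
     "status": "Valid",  # valid chain, but the organisation is not the expected publisher
     "subject": "CN=Google Update Service, O=Contoso Software Ltd\\, Inc, L=Anytown, C=XX"},
    {"path": r"C:\Users\Alice\Downloads\GoogleUpdate.exe",
     "status": "NotSigned",
     "subject": ""},
]


def parse_dn(dn):
    """Split an RFC 4514-style DN into a {attribute: value} dict, honouring '\\,' escapes."""
    parts = {}
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            parts[key.strip().upper()] = value.strip().replace("\\,", ",")
    return parts


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_signer(record):
    """Return 'ok', 'signer-mismatch', 'unsigned-or-invalid' or 'no-policy' for one record."""
    expected = EXPECTED_PUBLISHER.get(_basename(record["path"]))
    if expected is None:
        return "no-policy"
    if record["status"] != "Valid":
        return "unsigned-or-invalid"
    organisation = parse_dn(record["subject"]).get("O", "")
    return "ok" if organisation in expected else "signer-mismatch"


def audit(records):
    """Evaluate every record and return (path, verdict) pairs."""
    return [(r["path"], check_signer(r)) for r in records]


if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_RECORDS):
        print(f"{verdict:20} {path}")
```

The second record is the interesting one: its signature would validate and the common name even mentions Google, yet the organisation field does not match, so the verdict is `signer-mismatch`. Matching on the parsed `O` attribute rather than a substring search over the whole DN is what keeps a lookalike common name from passing.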


For those interested more in iframe exploits, a new blog will be posted tomorrow explaining exactly what they are, how they work, and how potentially damaging they can be. To read more about the technical workings of AZORult click here.

Categories
Security News

How North Korea Used Skype to Hack Chile’s ATM Network

Ever sent or received a file through Skype? One Chilean employee (a supposedly trusted IT professional) working for the company Redbanc messed up big time when he decided to go job searching, on company time, and took part in a staged “job interview” via Skype. The employee (whose name, as far as I am aware, has not been disclosed to the public) was looking around at jobs back in December while he was at work for Redbanc. Redbanc is the company in charge of ATM processing services for the majority of ATM machines in Chile, and has connections with every single Chilean bank as well. This employee found a position on LinkedIn that looked promising and contacted the “company”, thinking they were going to take part in a virtual job interview via Skype. The hackers behind the fake LinkedIn posting replied, and the employee then took part in the staged interview. The interview started out as a fake conversation between the employee and the hacker(s), and then reached a point at which the hacker(s) asked the employee to fill out a fake application. The hackers delivered that application to the employee via Skype’s file transfer system. Without hesitation, the employee downloaded the file (ApplicationPDF.exe) onto their Windows 7 work computer through Skype and opened it. A fake PDF was brought up for the employee to fill out while malicious code executed in the background, giving the hackers access to the entire network and processing system of every single ATM machine in Chile.

The hacker group that claimed responsibility for this attack is known as the Lazarus Group (AKA Hidden Cobra, or Kimsuky). The Lazarus Group is the group that claimed responsibility for the Sony hack back in 2014 and for the WannaCry ransomware that infected an estimated 230,000 computers in 2017. The security firm Flashpoint confirmed that the attack carried out by the Lazarus Group used a toolkit called “PowerRatankba”, which has supposed links to North Korean hackers known as “Bureau 121” (121국). The program is written in Visual Basic and, when opened, resembles a legitimate-looking application form for the user to fill out. The malware actually has a second payload. After the user downloads the malicious file and runs it, the malware creates a connection to a server to fetch the second payload and downloads a PowerShell reconnaissance tool. This allows the hackers to control the compromised computer essentially at will. The malware’s next task is to call the server and ensure a connection is made (in this case via HTTPS), and then delete the PowerShell script afterwards. PowerRatankba then scrapes the PC for as much information as it can obtain, including: which user is currently logged into Windows on the machine and their UAC level, the process list, the proxy settings on the machine, and any open file shares and Remote Desktop Protocol ports, in an attempt to find open ports. If the user logged into the computer does have admin rights, PowerRatankba will attempt to download yet another payload from the server, giving the hackers more leverage over the system.
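The chain described in the two paragraphs above (a file delivered by a messaging client, named to look like a document but actually an executable, which then launches PowerShell that connects out over HTTPS) is well suited to a process-tree detection. The following is an added example, not code from Flashpoint or the original post, that runs three such rules over constructed Sysmon-style process and network events: a document-lookalike executable launched by Skype, PowerShell spawned underneath it, and that PowerShell making an outbound HTTPS connection. The events, process IDs, paths and the `203.0.113.7` address are all constructed sample data; the set of messaging clients and the document-keyword heuristic are assumptions to tune for your environment.

```python
"""Process-tree detection for a messenger-delivered executable chain (added example, constructed events)."""
import re

MESSAGING_CLIENTS = {"skype.exe"}  # assumed list; extend for other chat clients
# Executable names that try to look like a document (e.g. ApplicationPDF.exe).
DOC_LOOKALIKE = re.compile(r"(pdf|docx?|xlsx?)[^\\/]*\.exe$", re.IGNORECASE)

# Constructed, time-ordered events. The first branch mirrors the chain in the post;
# the second branch is benign activity that must not alert.
EVENTS = [
    {"type": "process", "pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 4100, "ppid": 900, "image": r"C:\Program Files\Skype\Skype.exe"},
    {"type": "process", "pid": 4200, "ppid": 4100, "image": r"C:\Users\jdoe\Downloads\ApplicationPDF.exe"},
    {"type": "process", "pid": 4300, "ppid": 4200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "network", "pid": 4300, "dst_host": "203.0.113.7", "dst_port": 443},
    # Benign: Word opened from Explorer, and an admin's PowerShell from Explorer using HTTPS.
    {"type": "process", "pid": 5000, "ppid": 900, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"type": "process", "pid": 5100, "ppid": 900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "network", "pid": 5100, "dst_host": "updates.example.net", "dst_port": 443},
]


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (pid, reason) alerts for the delivery chain; benign trees produce none."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}

    def ancestors(pid, max_depth=5):
        """Walk parent links upward, bounded so PID reuse cannot loop forever."""
        chain = []
        while pid in procs and len(chain) < max_depth:
            chain.append(procs[pid])
            pid = procs[pid]["ppid"]
        return chain

    alerts = []
    flagged = set()  # PIDs already tied to the suspicious chain
    for e in events:
        if e["type"] == "process":
            name = _basename(e["image"])
            parent = procs.get(e["ppid"])
            if DOC_LOOKALIKE.search(name) and parent and _basename(parent["image"]) in MESSAGING_CLIENTS:
                flagged.add(e["pid"])
                alerts.append((e["pid"], f"document-lookalike executable {name} launched from messaging client"))
            elif name == "powershell.exe" and any(a["pid"] in flagged for a in ancestors(e["ppid"])):
                flagged.add(e["pid"])
                alerts.append((e["pid"], "powershell spawned under a flagged executable"))
        elif e["type"] == "network" and e["pid"] in flagged and e["dst_port"] == 443:
            alerts.append((e["pid"], f"flagged process connecting out over HTTPS to {e['dst_host']}"))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(f"pid {pid}: {reason}")
```

The second PowerShell instance (pid 5100) also talks HTTPS, but nothing in its ancestry was flagged, so it stays quiet; the chain is what makes the alert, not any single event. In real telemetry the same three rules map onto Sysmon event ID 1 (process creation, which carries the parent image) and event ID 3 (network connection).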

Below is a picture of the GUI that is shown to the user when the executable is open (provided by Flashpoint):

The infiltration itself actually took place in December, but was not publicized until Chilean Senator Felipe Harboe blasted the company Redbanc on Twitter for not disclosing the breach to the public. Redbanc then acknowledged the infiltration, but did not disclose any further information to the public. This attack would not have happened if an incompetent employee had not decided to download a suspicious file via Skype onto their work computer to take part in a “job interview”.

(For more information on the virus itself visit here or here.)