Gatak Trojan Delivered Through Fake Software Offering

The five-year-old Gatak Trojan (Trojan.Gatak) is being distributed through offers of pirated software to lure its victims. The malware is spread through online adverts offering pirated software keys which, if they were genuine, would allow use of premium software at a discount.

Once the ad is clicked, a fake key generator page launches and Gatak is delivered to the victim at the same time. Much is known about the Gatak Trojan, but how its developers profit from the malware is still unclear. One theory is that the malware is used to exfiltrate data which is then sold on the dark web.

Some of the premium software for which keys are offered includes:

  • SketchList3D (woodworking design software)
  • Native Instruments Drumlab (sound engineering software)
  • BobCAD-CAM (metalworking/manufacturing software)
  • BarTender Enterprise Automation (label and barcode creation software)
  • HDClone (hard disk cloning utility)
  • Siemens SIMATIC STEP 7 (industrial automation software)

FedEx Delivery Notices Dropping Zeus and Fareit Trojans

Not all FedEx deliveries contain packages that users expect.

Security researchers at AppRiver have observed an uptick in spam messages that appear to be shipping notifications from FedEx, but in fact contain Fareit malware, an information stealer that targets email passwords and browser-stored passwords, as well as FTP credentials.

During AppRiver’s analysis, the malware also downloaded a copy of the ever-popular Zeus Trojan onto the infected machine.

According to Troy Gill, manager of security research, the messages appear to contain a shipping receipt for a package that the courier was unable to deliver. The attached file, although its name contains .PDF, is actually an archive created with the open source file archiver 7-Zip. Inside the compressed archive is an executable file (.exe) that contains the Fareit malware.
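The mismatch described above, a 7-Zip archive carrying an executable but named to look like a PDF receipt, is something a mail gateway or endpoint script can catch by comparing the bytes of an attachment with what its file name claims. The following PowerShell is an added example, not code from AppRiver or the article; the file names and byte samples at the bottom are constructed for the example, and the signature table is deliberately limited to the types involved in this campaign.

```powershell
# Added example (not from the AppRiver write-up): flag attachments whose bytes do not match
# the document type their name claims. Samples at the bottom are constructed for this example.

# Magic numbers for the types involved in this campaign.
$script:Signatures = [ordered]@{
    'pdf' = [byte[]](0x25, 0x50, 0x44, 0x46, 0x2D)          # "%PDF-"
    '7z'  = [byte[]](0x37, 0x7A, 0xBC, 0xAF, 0x27, 0x1C)    # 7-Zip archive
    'zip' = [byte[]](0x50, 0x4B, 0x03, 0x04)                # PKZIP
    'exe' = [byte[]](0x4D, 0x5A)                            # "MZ", PE executable
}

function Get-ContentType {
    # Returns the type name whose magic bytes open the buffer, or 'unknown'.
    param([byte[]]$Bytes)
    foreach ($entry in $script:Signatures.GetEnumerator()) {
        $sig = $entry.Value
        if ($Bytes.Length -lt $sig.Length) { continue }
        $match = $true
        for ($i = 0; $i -lt $sig.Length; $i++) {
            if ($Bytes[$i] -ne $sig[$i]) { $match = $false; break }
        }
        if ($match) { return $entry.Key }
    }
    return 'unknown'
}

function Test-AttachmentMasquerade {
    # Compares the claimed (outermost) extension with the detected content type, and also
    # flags "Receipt.PDF.7z"-style names that hide an archive or executable behind a document name.
    param([string]$FileName, [byte[]]$Bytes)
    $claimed = [System.IO.Path]::GetExtension($FileName).TrimStart('.').ToLower()
    $actual  = Get-ContentType -Bytes $Bytes
    $docName = $FileName -match '\.(pdf|docx?|xlsx?)\.'
    $payload = $actual -in @('7z', 'zip', 'exe')
    [pscustomobject]@{
        FileName   = $FileName
        Claimed    = $claimed
        Actual     = $actual
        Suspicious = (($actual -ne 'unknown') -and ($actual -ne $claimed)) -or ($docName -and $payload)
    }
}

# Constructed samples: a genuine PDF header, and the campaign's pattern of a 7-Zip archive
# (or a bare executable) named to look like a PDF receipt.
$pdfBytes = [System.Text.Encoding]::ASCII.GetBytes('%PDF-1.4')
$sevenZip = [byte[]](0x37, 0x7A, 0xBC, 0xAF, 0x27, 0x1C, 0x00, 0x04)
$exeBytes = [byte[]](0x4D, 0x5A, 0x90, 0x00)

@(
    Test-AttachmentMasquerade -FileName 'Invoice.pdf'           -Bytes $pdfBytes
    Test-AttachmentMasquerade -FileName 'FedEx_Receipt.PDF'     -Bytes $sevenZip
    Test-AttachmentMasquerade -FileName 'FedEx_Receipt.PDF.7z'  -Bytes $sevenZip
    Test-AttachmentMasquerade -FileName 'FedEx_Receipt.PDF.exe' -Bytes $exeBytes
) | Format-Table -AutoSize
```

Only the first sample passes; the other three are flagged either because the detected type disagrees with the outermost extension or because a document-looking name is wrapped around an archive or executable. To use it on real mail, feed the function the attachment name and the first few bytes of the attachment body rather than the constructed samples.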


Malvertising Develops Advanced Fingerprinting to ID Victims

Malvertising continues to increase in prominence and sophistication. One of the newest techniques being used is fingerprinting, a way to check potential victims’ computers with snippets of code injected directly into the ad banner.

According to a Malwarebytes report entitled Operation Fingerprint, exploit kit authors are using advanced “fingerprinting” to preselect and pursue specific victims without any user interaction. The code can quickly rule out non-viable targets, such as honeypots set up by malware researchers, or security companies performing ad validation checks.

The approach means exploit kit authors no longer have to wait for victims: they can actively chase targets while avoiding detection by researchers and anti-malware companies. And it’s cheap: it costs only 19 cents per 1,000 impressions (CPM).

Spam Volume Falls in 2015

There’s no question that the threat landscape continues to widen when it comes to cybersecurity, but at least one arena has seen some improvement: the volume of spam email in 2015 actually decreased.

According to a Kaspersky Lab Security Bulletin, spam volume fell last year to 55.28% of overall email traffic—a decline of 11.48% on the previous year.

Further, more than three-quarters (79%) of all spam emails sent were less than 2 KB in size, continuing a steady decrease in the size of spam campaign emails over the past few years.

Simple Tips for Safe Holiday Shopping

According to security firm ESET, consumers can educate themselves to be aware when shopping online, and they should be following a basic set of best practices.

“As we enter the heart of the holiday shopping season, it’s extremely important to be a smart and safe shopper—especially online,” the company noted. “Cybercriminals prey on consumers who are unaware of the potential risks associated with shopping online.”

ESET’s tips included the following:

  • Don’t be phished – Pay close attention to any spelling and grammatical errors in the body of the email, and also look at the sender’s email address. If you don’t recognize the sender, or didn’t sign up for emails from that address, do not respond.
  • Keep an eye out for vishing – Never provide personal details over the phone; instead, call the supposed supplier back on a number you trust and make sure you are speaking with a genuine customer representative.
  • Pay attention to HTTPS – Always ensure sites are using web encryption (HTTPS) rather than plain HTTP. Also look for other signs of secure payment options, such as Verified by VISA and other forms of two-factor authentication (2FA).
  • Say NO to search engine ads – Ad servers are regularly compromised by criminals, who redirect people who click on the ads to malicious sites that try to steal credentials or infect visitors through a drive-by download.
  • Be wary of fake coupons – If there’s any doubt over a coupon’s authenticity, check official retail store websites or their social channels.

Also, consumers should always be careful about which links they click and where they buy products.

“Pay particular attention to tweeted deals that look too good to be true with shortened links (as they might be trying to lure you to a malicious website),” the company said. “If you’ve never heard of the seller before, look into them online and study their terms and conditions carefully because, as mentioned above, you need to be careful who you are buying from.”

Malicious Adware Uses Certificates to Disable Security Products

A piece of malicious adware dubbed “Vonteera” tricks the operating system into thinking that digital certificates from security companies are untrusted in an effort to prevent anti-malware products from blocking it.

Anti-malware firm Malwarebytes initially detected the threat as a piece of adware that installs potentially unwanted programs (PUPs), but it has now decided to classify it as a Trojan (Trojan.Vonteera) due to the modifications it makes on an infected system. Other security companies have also classified Vonteera as a piece of malware.

When it infects a system, Vonteera creates several tasks in the Windows Task Scheduler. These tasks are used to display ads at regular intervals by opening new tabs in the web browser. The threat also creates a new service called “appinf.exe” and modifies desktop, taskbar and start menu shortcuts for Internet Explorer, Firefox, Chrome, Opera and Safari.

By modifying the shortcuts, Vonteera ensures that whenever one of these browsers is launched, it loads a script that randomizes where the user is redirected when the browser opens.

In the case of Internet Explorer, the threat adds a new Browser Helper Object (BHO). If Chrome is present, it abuses the ExtensionInstallForcelist policy key, which specifies a list of apps and extensions that are installed silently and granted all the permissions they request. These apps and extensions cannot be uninstalled by the user.
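Each of the changes described in this article (vendor certificates marked untrusted, scheduled tasks, the “appinf.exe” service, rewritten browser shortcuts and force-installed Chrome extensions) leaves a trace that can be read back from the host. The PowerShell below is an added example of such an audit and is not Malwarebytes’ code or detection logic. It assumes the standard Windows locations: the Disallowed certificate store is where Windows keeps explicitly distrusted certificates, and `HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist` is the policy key the article names. The `$vendorHints` list is an assumption to adapt to the products you actually run; the article does not say which vendors’ certificates Vonteera targets.

```powershell
# Added example (not Malwarebytes' code): audit a Windows host for the tampering points
# named in the article. Registry and certificate-store paths are standard Windows locations;
# the vendor-name list is an assumption to adapt to the products you run.

$vendorHints = @('Malwarebytes', 'ESET', 'Kaspersky', 'Symantec', 'Bitdefender', 'Avast', 'Sophos', 'McAfee')  # assumed

function Get-UntrustedVendorCerts {
    # Windows keeps explicitly distrusted certificates in the Disallowed store; a security
    # vendor's certificate has no business being there.
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed, Cert:\CurrentUser\Disallowed -ErrorAction SilentlyContinue |
        Where-Object { $subject = $_.Subject; [bool]($vendorHints | Where-Object { $subject -like "*$_*" }) } |
        Select-Object PSParentPath, Subject, Thumbprint, NotAfter
}

function Get-ForcedChromeExtensions {
    # ExtensionInstallForcelist entries are installed silently and cannot be removed by the user.
    $key = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    if (-not (Test-Path $key)) { return }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Select-Object @{ n = 'Index'; e = { $_.Name } }, @{ n = 'Extension'; e = { $_.Value } }
}

function Get-OffPathTaskActions {
    # Scheduled tasks whose action executes something outside the Windows and Program Files trees.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        $task.Actions |
            Where-Object { $_.Execute -and ($_.Execute -notmatch '^(%SystemRoot%|%windir%|C:\\Windows|C:\\Program Files)') } |
            Select-Object @{ n = 'Task'; e = { $task.TaskPath + $task.TaskName } }, Execute, Arguments
    }
}

function Get-AppinfService {
    # The service the article names; match on the binary path rather than the display name.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match 'appinf\.exe' } |
        Select-Object Name, State, StartMode, PathName
}

function Get-TamperedBrowserShortcuts {
    # Browser shortcuts whose target is not the browser binary, or whose arguments pull in a script.
    $shell = New-Object -ComObject WScript.Shell
    $roots = @("$env:USERPROFILE\Desktop", "$env:PUBLIC\Desktop",
               "$env:APPDATA\Microsoft\Windows\Start Menu",
               "$env:ProgramData\Microsoft\Windows\Start Menu",
               "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch")   # includes the pinned taskbar folder
    Get-ChildItem -Path $roots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match 'Internet Explorer|Firefox|Chrome|Opera|Safari' } |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            [pscustomobject]@{ Shortcut = $_.FullName; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
        } |
        Where-Object { $_.Target -notmatch '(iexplore|firefox|chrome|opera|launcher|safari)\.exe$' -or
                       $_.Arguments -match '\.(js|vbs|bat|cmd|ps1|hta|html?)(\s|$)' }
}

'== Vendor certificates in the Disallowed store =='; Get-UntrustedVendorCerts | Format-Table -AutoSize
'== Force-installed Chrome extensions ==';           Get-ForcedChromeExtensions | Format-Table -AutoSize
'== Scheduled task actions outside system paths =='; Get-OffPathTaskActions | Format-Table -AutoSize
'== Services running appinf.exe ==';                 Get-AppinfService | Format-Table -AutoSize
'== Modified browser shortcuts ==';                  Get-TamperedBrowserShortcuts | Format-Table -AutoSize
```

Run it from an elevated prompt so the LocalMachine stores and all scheduled tasks are readable. An empty result in every section is the expected output on a clean host; a vendor certificate in a Disallowed store, or a browser shortcut whose arguments reference a script file, is worth investigating on its own even if the other checks are quiet, since a legitimately force-installed extension or a vendor's own scheduled task can appear in the remaining sections.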