Malvertising: The most popular way to spread Malware

Malvertising, short for malicious advertising, is one of the most popular ways in which attackers and people with malicious intent spread malware to targeted systems. In fact, 1 in every 100 advertisements you see online is a malicious advertisement injected by malware.

Attackers use the online advertisements on the websites you visit to deliver different kinds of malware to your system. The worst part about this method of spreading malware is that it requires almost no interaction from the user to affect their system.

How Malvertising works:

Malvertising attacks generally begin with the attackers submitting some kind of malicious advertisement, in the form of text, an image or a video, to an advertising network. This malicious advertisement is then delivered to users visiting the websites associated with that advertising network, and it usually looks like a legitimate advertisement.

Most malvertisements come in the form of pop-up ads or flashy warnings and alerts that attract or scare users into clicking them immediately. Ironically, one might even be a warning that your browser has been infected by malware, telling you to click here to remove it. So, in a way, these attackers also rely heavily on social engineering to spread their malware; however, some malvertisements do not need any interaction from the user at all to get malware downloaded to the system.

So, once you click on a malvertisement on the website you just visited, or sometimes as soon as you load a webpage that contains a malicious advertisement, one of the following things happens.

  1. The malicious code embedded in the malvertisement is executed and malware is installed on the target system.
  2. The user is redirected to a malicious website that hosts the malware.
  3. The user is redirected to a fake version of an official website designed to trick them into handing over personal and confidential information.
  4. The malvertisement tries to exploit existing vulnerabilities in the browser to install toolbars or malicious extensions.

Tips to protect yourself from Malvertising:

In general, a proactive attitude is essential to protect yourself from a malware infection and its consequences. The following are some tips you can follow to save yourself from a malware attack.

  • The most common way malvertising attacks occur is through your web browser. So, it is important that you keep all your browsers, and any other software that connects to the internet, updated to the latest version at all times.
  • Use an ad blocker on unknown sites to prevent pop-up and redirect ads.
  • Use an antivirus program, and its corresponding browser extension, to scan for and eliminate malicious files and to block malware downloads to your system.
  • Resist clicking on suspicious ads or links, and do not open links or emails sent to you by unknown or untrusted sources.
  • Check your list of installed programs and browser extensions regularly and uninstall any you do not need.

Worst comes to worst, even after taking all these precautions you might still fall victim to a malvertising attack. So, it is always better to keep a local backup copy of all your important files.

This lets you restore all your data after a malware attack: you can simply format the entire system, restore your data and start fresh, hoping to be safer this time.

Let us know in the comments below what you know about malvertising, and if you have any other tips to prevent malware from infecting your device.

Cyborg Ransomware spreading via fake Windows update

Cyborg Ransomware is the latest ransomware that researchers have identified targeting Windows-based systems. It is currently spreading through fake emails about a Windows update with a subject line that reads “Critical Microsoft Windows Update!”.

The email, which poses as one sent by Microsoft, is clearly fake: this can be easily identified from the improper formatting, the lack of official headers or logos, and the fact that Microsoft never sends critical updates to its users over email.

The ransomware is embedded in the fake update attachment included in the email, which is actually an executable file with a .jpg extension. The file has a randomly generated name and is approximately 28KB in size. The executable's purpose is to deliver malware to the target system, which according to the code of the Cyborg Ransomware is another executable file downloaded from GitHub.

How the Cyborg Ransomware Works:

As mentioned earlier, the main part of the Cyborg Ransomware is the attachment sent in the fake Windows update email. Once the victim clicks on or opens the attachment, it downloads an executable file containing the malware from GitHub. The downloaded file was named bitcoingenerator.exe and was supposedly downloaded from the account misterbtc2020, which has since been removed from GitHub.

Once the Cyborg Ransomware embedded in bitcoingenerator.exe has been downloaded to the targeted system, it starts encrypting all the data files on the victim's system and adds the extension .777 to the encrypted files. The memory dump of the ransomware file with the list of file extensions to encrypt is given below.

Once all the data files on the target system have been encrypted, the Cyborg Ransomware leaves a ransom note in the form of a text file named Cyborg_DECRPT.txt on the desktop. The ransom note instructs the victim to send a ransom of $500 in bitcoin to the provided wallet and to send an email to the provided address in order to get the decryption key for all the files encrypted by the ransomware.
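
The two artefacts this article attributes to Cyborg, a Windows executable disguised with a .jpg extension and a set of encrypted files carrying the .777 extension next to a Cyborg_DECRPT.txt note, are both things a defender can check for mechanically rather than by eye. The following Python is an added example written for this page, not code from the article or from any analysis of the sample: it classifies attachments by their leading bytes instead of their extension, and looks for the post-encryption artefacts in a directory listing. The attachment names, file headers and desktop listing are constructed, and the threshold of five .777 files is an assumption, not a figure from the article.

```python
"""Defender-side checks for the Cyborg artefacts described above.

Added example for this page, not code from the original article. All
sample attachments and directory listings are constructed.
"""

# Magic-byte prefixes for the file types this check understands. Every
# Windows PE executable starts with the two bytes "MZ".
MAGIC_PREFIXES = {
    b"MZ": "windows-executable",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png"}

# Artefacts named in the article.
ENCRYPTED_EXTENSION = ".777"
RANSOM_NOTE_NAME = "cyborg_decrpt.txt"


def sniff_type(header: bytes) -> str:
    """Classify a file by its leading bytes instead of trusting its name."""
    for prefix, kind in MAGIC_PREFIXES.items():
        if header.startswith(prefix):
            return kind
    return "unknown"


def extension_of(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def is_disguised_executable(name: str, header: bytes) -> bool:
    """True when a file named like an image actually starts with a PE header."""
    return (extension_of(name) in IMAGE_EXTENSIONS
            and sniff_type(header) == "windows-executable")


def scan_attachments(attachments):
    """Return the names of attachments whose content contradicts their extension."""
    return [name for name, header in attachments
            if is_disguised_executable(name, header)]


def ransomware_indicators(listing, threshold=5):
    """Look for the post-encryption artefacts in a directory listing.

    `threshold` (an assumption, not from the article) is how many .777 files
    it takes to treat the listing as suspicious even without the note.
    """
    basenames = [path.replace("\\", "/").rsplit("/", 1)[-1].lower()
                 for path in listing]
    encrypted = sum(1 for n in basenames if n.endswith(ENCRYPTED_EXTENSION))
    note_present = RANSOM_NOTE_NAME in basenames
    return {
        "encrypted_files": encrypted,
        "ransom_note": note_present,
        "suspicious": note_present or encrypted >= threshold,
    }


# Constructed sample data: one disguised executable (PE header only, no
# payload), one genuine JPEG and one plain text file.
SAMPLE_ATTACHMENTS = [
    ("Windows_Update_a8f3.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("notes.txt", b"meeting at 10"),
]

# Constructed listing of a desktop after the encryption step.
SAMPLE_DESKTOP = [
    r"C:\Users\victim\Desktop\budget.xlsx.777",
    r"C:\Users\victim\Desktop\thesis.docx.777",
    r"C:\Users\victim\Desktop\family.jpg.777",
    r"C:\Users\victim\Desktop\Cyborg_DECRPT.txt",
    r"C:\Users\victim\Desktop\shortcut.lnk",
]

if __name__ == "__main__":
    print("disguised attachments:", scan_attachments(SAMPLE_ATTACHMENTS))
    print("desktop indicators:", ransomware_indicators(SAMPLE_DESKTOP))
```

The first check is the one a mail gateway or endpoint agent would apply on arrival; the second is what a file-integrity or backup job can run periodically, since a sudden crop of .777 files is visible long before anyone reads the note.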

How to protect yourself:

While the most common way the Cyborg Ransomware is currently spreading across Windows systems is through a fake email that prompts the targeted user to install a critical Windows update from an attachment, there are other ways in which it might make its way to your system.

Basically, anyone who gains access to the ransomware builder file, from the GitHub repository or by other means, could build their own version of the Cyborg Ransomware and then either embed it in an attachment and send it to you in an email with different contents, or attach it to a link and attempt to spread it through malvertising.

Either way, it is important that you protect yourself from this kind of ransomware, and it is always recommended that you regularly back up all your important files and keep both a local copy and one stored in the cloud. Also, do not open attachments or emails from suspicious senders, or visit shady websites that might carry malvertising.

Microsoft has also released an official set of guidelines and preventive measures you can take to stay away from ransomware. You can view those guidelines here.

Purelocker Ransomware: Working and evasion

Purelocker Ransomware is the latest ransomware in town, and it seems designed to specifically target production servers at the enterprise level. It was detected last week by researchers at Intezer and IBM X-Force.

Upon analysis, they identified that the ransomware has been used by the Cobalt Gang and FIN6, among other threat groups, mainly targeting Windows and Linux based servers. The name Purelocker was assigned to this ransomware because it was written entirely in a programming language called PureBasic.

PureBasic is a fairly uncommon programming language, but the attackers' choice of this particular language has to do with the fact that code written in PureBasic can be compiled for multiple platforms such as Windows, Linux and macOS, making it easier for the attackers to target multiple operating systems at once.

Also, since PureBasic is not a common or popular language, antivirus companies are finding it difficult to produce reliable and accurate detection engines and signatures for the Purelocker Ransomware. This is also part of the reason why the ransomware went undetected despite having been active for several months.

Detection process:

According to the researchers, the initial analysis involved a Windows sample of the Purelocker Ransomware, which they identified as a 32-bit DLL posing as the C++ cryptography library Crypto++. The researchers became suspicious because some of the functions in the library were related to music playback and controls.

Evasion Techniques:

As mentioned earlier, the Purelocker Ransomware managed to stay undetected by popular antivirus engines for the first few weeks after its attack. The attackers stayed under the radar by writing the ransomware in PureBasic instead of a widely popular programming language for which several detection signatures are already available.

Also, the attackers behind the Purelocker Ransomware have programmed it so that it only begins execution on the target system after ensuring that it is not being analyzed or debugged by anyone. If that check fails, the ransomware automatically exits, without even deleting itself.

The ransomware is also meant to be executed via regsvr32.exe, so it verifies that it was indeed launched by that process, that the current year on the target system is 2019, and that it has administrator rights on the system. If any of these checks fail, the ransomware immediately exits, as mentioned above, so as not to leave any trace of its functionality.
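
The evasion checks listed above also describe what a defender should be watching for: a DLL that insists on being launched by regsvr32.exe while holding administrator rights. The following Python is an added example for this page, not code from the article or from Intezer and IBM X-Force. It runs a simple process-telemetry rule over constructed process-creation events, flagging regsvr32.exe whenever it registers a DLL from outside the Windows directory and noting when it does so elevated. The event field layout and integrity labels are assumptions loosely modelled on generic endpoint logging, and the Crypto++ look-alike file name in the sample is invented.

```python
"""Process-telemetry rule for the regsvr32.exe behaviour described above.

Added example for this page, not code from the article. The events below
are constructed; the field layout is an assumption modelled on generic
endpoint process-creation logging.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    command_line: str   # its command line as logged
    integrity: str      # "Low", "Medium", "High" or "System" (assumed labels)


# Directories from which a DLL registration is routine. Anything else,
# including a bare relative path, is treated as out of place.
TRUSTED_DIRS = ("c:\\windows\\",)

# First argument ending in .dll, quoted or not.
DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)


def dll_argument(command_line: str):
    """Return the DLL path passed to regsvr32, or None if there is none."""
    match = DLL_ARG.search(command_line)
    if match is None:
        return None
    return match.group(1) or match.group(2)


def assess(event: ProcessEvent) -> List[str]:
    """Reasons this event is suspicious; an empty list means nothing to report."""
    if not event.image.lower().endswith("\\regsvr32.exe"):
        return []
    dll = dll_argument(event.command_line)
    if dll is None or dll.lower().startswith(TRUSTED_DIRS):
        return []
    reasons = [f"regsvr32 registering a DLL outside the Windows directory: {dll}"]
    # Purelocker only proceeds with administrator rights, so an elevated
    # regsvr32 loading a stray DLL is the variant worth escalating.
    if event.integrity in ("High", "System"):
        reasons.append("regsvr32 is running elevated")
    return reasons


def detect(events: List[ProcessEvent]):
    """Map each flagged command line to the reasons it was flagged."""
    return {e.command_line: assess(e) for e in events if assess(e)}


# Constructed events: a routine system DLL registration, an unrelated
# process, and an elevated regsvr32 loading a DLL from a user-writable folder.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r'regsvr32.exe /s "C:\Windows\System32\example.dll"', "High"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 r'notepad.exe "C:\Users\ops\Desktop\runbook.txt"', "Medium"),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r'regsvr32.exe /s "C:\Users\Public\cryptopp_x86.dll"', "High"),
]

if __name__ == "__main__":
    for cmd, reasons in detect(SAMPLE_EVENTS).items():
        print(cmd)
        for reason in reasons:
            print("  -", reason)
```

The rule is deliberately narrow: regsvr32.exe registering DLLs under C:\Windows is everyday behaviour and is left alone, so the alert volume stays low enough for someone to actually read. The same logic maps directly onto a SIEM query over real process-creation events.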

Working of Purelocker Ransomware:

Once the ransomware has performed all the verification checks on the target system and gets the desired results, it starts working by encrypting all the files on the target system with an AES+RSA combination, using a hardcoded RSA key.

The ransomware mainly encrypts the data files on the system, giving them a .CR1 extension, and mostly ignores the executable files on the target system. It then proceeds to delete the originals of the files it has encrypted to prevent the user from performing file recovery. Finally, it leaves a ransom note as a text file on the user's desktop named YOUR_FILES.txt.

While a traditional ransom note includes the amount the attackers want the victims to send and the means to send it, typically a bitcoin transaction, the attackers behind the Purelocker Ransomware instead instruct the victims to contact them via email.

They also seem to use an anonymous, encrypted email service provider for this purpose, with a different email address for each victim. Once the attackers have communicated with a victim and received the desired ransom amount, they send the decryption keys to the victim from the same email address they provided for contact.

Unconventional ways of Purelocker Ransomware:

Right from the use of an unconventional programming language like PureBasic to code the ransomware, to its evasion techniques and even the way it functions and collects the ransom from victims, it is clearly evident that this ransomware differs in a lot of ways from the ransomware usually talked about in the news.

This clearly shows that the attackers behind this ransomware are rapidly improving and innovating in the ways they perform targeted attacks. Therefore, it is important, now more than ever, to focus on the security of our systems and to be as careful as possible with our data and devices.

Top 4 Dangerous Android Malware discovered in 2019

Android, as we all know, is currently the most popular mobile operating system in the world, with over 2.5 billion active devices. While this is good news, as more users mean more device models, quicker updates, more apps, more developer support and so on, the sheer popularity of the OS also makes it a popular target among hackers and cybercriminals.

This is mainly because once they develop a single piece of malware, they could potentially use it to target and attack millions, even billions, of Android devices at once.

Even though Google has taken a lot of steps towards improving the security of Android devices, with features such as Google Play Protect, instant security updates via the Google Play Store, more control over app permissions and so on, Android apps and games filled with malware somehow still find their way onto the Google Play Store and ultimately onto the Android smartphones of potentially millions of users.

This post covers some of the most dangerous Android malware discovered this year, in 2019: what kind of apps they affected, the impact they had on your smartphone, and how they work.

Android Clicker Trojan

A Trojan is a type of malware that disguises itself as genuine, legitimate software or an application and tricks the user into downloading it, so that it can execute malicious actions in the background without the user's knowledge.

This Android Clicker Trojan, which was discovered earlier this August, comes in two variants, namely Android.Click.312.origin and Android.Click.313.origin, and is already suspected to have affected over 100 million Android devices.

The malware was found embedded in normal, legitimate-looking popular Android apps such as dictionary apps, music players and photo editors, and it affects the user's device once they install these apps.

The Android Clicker Trojan works by randomly clicking through advertisements on the internet to generate revenue for its developers. The malware is designed to start working only 8 hours after it has infected your device, reducing the chances of being detected and of the user suspecting that a background process is running and performing these malicious activities.

Once in action, the malware sends details about your device, including the model number, your location and carrier details, to the developer's command and control server. This enables the developers to perform malicious actions such as clicking on advertisements and even subscribing to expensive online services without the knowledge or consent of the victim.

This affects not only the users but also the advertisers, who end up paying for ghost clicks generated by malware instead of by an actual user. With over 100 million devices affected and about 34 apps on the Google Play Store infected, it is probably one of the most dangerous Android malware discovered this year.

Agent Smith Android Malware

The Agent Smith Android malware has affected over 25 million Android smartphones, and it is quite difficult to detect its presence on your Android device even after you are infected.

This is because once the malware infects your Android device, it automatically replaces a genuine app installed on your phone with a version that serves malicious advertisements, tricking users into clicking on these ads.

According to researchers, the malware replaces popular apps like WhatsApp or the Opera browser, and even some manufacturer apps such as Samsung or Google apps, and then hides on your phone by removing the app icon from the home screen and app drawer.

From there, the app does all its work in the background, making it difficult to identify which app is responsible for the malicious activity.

One good thing about this Android malware is that it has not yet reached the Google Play Store; it is currently spreading through the 9apps.com app store and is only targeting developing markets.

However, researchers reveal that they found pieces of code belonging to the Agent Smith malware in some apps on the Google Play Store; these were dormant at the time, and Google immediately removed the apps from the Play Store.

CamScanner Android Malware

CamScanner is one of the most popular Android apps, with over 100 million downloads on the Google Play Store and a pretty good rating as well.

The app is used for scanning photos and images of documents so they can be stored and edited digitally on your mobile device. While the app was seemingly genuine and useful all these years, this June security researchers at Kaspersky discovered malware in the app that showed intrusive and malicious ads to its users and even attempted to subscribe them to expensive paid online services.

The app became infected when CamScanner started using a third-party advertising module that contained a Trojan dropper in its code.

This incident clearly shows that not even apps with a good reputation and millions of downloads can be trusted blindly, and that the necessary steps should be taken to ensure that all the apps are safe and free from malware every time you download or update them on your device.

Joker Android Malware

The Joker Android malware, discovered just a couple of weeks ago, has reportedly affected over 24 Android apps with a combined download count of about half a million.

This malware signs the users of affected devices up to paid subscription services by stealing their device details and even their SMS messages, in order to obtain the OTP or confirmation messages from the bank or subscription service.

Most of the apps infected by the Joker malware were wallpaper or customization apps, and there was even an antivirus app among them. Upon analysis of the malware code, researchers reported that some of the code was written in Chinese, which gives them a hint about the developers behind this malware.

The malware seems to mainly target users in the European and Asian regions. While Google has already removed the affected apps from the Play Store, it is advisable to uninstall them from your device in case you have downloaded and installed any of them. Below is the list of the apps that were affected by the Joker Android malware.