Top IT Security Bloggers

TrendLabs - Malware Blog
  • New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign

    We found a new modular fileless botnet malware, which we named “Novter” (also reported as “Nodersok” and “Divergent”), that the KovCoreG campaign has been distributing since March. We have been actively monitoring this threat since its emergence and early development, and have seen it updated frequently. KovCoreG, active since 2011, is a long-running campaign known for using the Kovter botnet malware, which was distributed mainly through malvertisements and exploit kits. Kovter has been involved in click fraud operations since 2015, using fraudulent ads that have reportedly cost businesses more than US$29 million. The botnet was taken down at the end of 2018 through concerted efforts by law enforcement and cybersecurity experts, including Trend Micro.
  • Gambling Apps Sneak into Top 100: How Hundreds of Fake Apps Spread on iOS App Store and Google Play

    We found hundreds of fake apps on the iOS App Store and Google Play with descriptions that are inconsistent with their content. While the apps’ descriptions varied, they share the same suspicious behavior: they can transform into gambling apps, which may get them banned for violating local government regulations and app store policies.
  • Mac Malware that Spoofs Trading App Steals User Information, Uploads it to Website

    We recently found and analyzed a malware variant that disguises itself as a legitimate Mac-based trading app called Stockfolio. We found two variants of the malware family. The first contains a pair of shell scripts and connects to a remote site to decrypt its encrypted code, while the second sample, despite using a simpler routine involving a single shell script, actually incorporates a persistence mechanism.
  • Fileless Cryptocurrency-Miner GhostMiner Weaponizes WMI Objects, Kills Other Cryptocurrency-Mining Payloads

    By Carl Maverick Pascual (Threats Analyst)
    Cybercriminals continue to use cryptocurrency-mining malware to abuse computing resources for profit. As early as 2017, we observed them applying fileless techniques to make detection and monitoring more difficult. On August 2, we observed a fileless cryptocurrency-mining malware, dubbed GhostMiner, that weaponizes Windows Management Instrumentation...
  • Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites

    We discovered a series of incidents where the credit card skimming attack Magecart was used to hit the booking websites of chain-brand hotels — the second time we’ve seen a Magecart threat actor directly hit ecommerce service providers instead of going for individual stores or third-party supply chains.
  • When PSD2 Opens More Doors: The Risks of Open Banking

    We looked into the security implications of the changing banking paradigm with PSD2 in place. Our research highlights the current and new risks that the financial industry will have to defend against, and predicts how cybercriminals will abuse and attack Open Banking.
  • Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload

    Skidmap, a Linux malware that we recently stumbled upon, demonstrates the increasing complexity of recent cryptocurrency-mining threats. This malware is notable because of the way it loads malicious kernel modules to keep its cryptocurrency mining operations under the radar.
    These kernel-mode rootkits are not only more difficult to detect than their user-mode counterparts — attackers can also use them to gain unfettered access to the affected system. A case in point: Skidmap can also set up a secret master password that gives it access to any user account on the system. Moreover, given that many of Skidmap’s routines require root access, the attack vectors that Skidmap uses — whether exploits, misconfigurations, or exposure to the internet — are most likely the same ones that provide the attacker root or administrative access to the system.
  • Hacking LED Wristbands: A ‘Lightning’ Recap of RF Security Basics

    We’re always eager for new research and learning opportunities, but this time, serendipitously, the opportunity found us. At the closing party of the Hack In The Box Amsterdam conference — where we presented our industrial radio research and ran a CTS contest — we were given LED wristbands to wear. They’re flashing wristbands meant to enhance the experience of an event, party, or show. At the beginning, we were not interested in the security impact; we just wanted to learn. Later on, however, we discovered that the RF link was used to transport an industrial protocol: DMX512 (Digital MultipleX 512), the same protocol used to pilot large light exhibitions.
  • From BinDiff to Zero-Day: A Proof of Concept Exploiting CVE-2019-1208 in Internet Explorer

    Last June, I disclosed a use-after-free (UAF) vulnerability in Internet Explorer (IE) to Microsoft. It was rated as critical, designated as CVE-2019-1208, and then addressed in Microsoft’s September Patch Tuesday. I discovered this flaw through BinDiff (a binary code analysis tool) and wrote a proof of concept (PoC) showing how it can be fully and consistently exploited in Windows 10 RS5.
    A more in-depth analysis of this vulnerability is in this technical brief. As mentioned, CVE-2019-1208 is a UAF vulnerability. This class of security flaws can corrupt valid data, crash a process, and, depending on when it is triggered, can enable an attacker to execute arbitrary or remote code. In the case of CVE-2019-1208, an attacker successfully exploiting this vulnerability could gain the same rights as the current user in the system. If the current user has administrative privileges, the attacker can hijack the affected system — from installing or uninstalling programs and viewing and modifying data to creating user accounts with full privileges.
  • September Patch Tuesday Bears More Remote Desktop Vulnerability Fixes and Two Zero-Days

    Microsoft’s September Patch Tuesday covered 80 CVEs, 17 of which were rated critical, and included patches for Azure DevOps Server, Chakra Scripting engine, and Microsoft SharePoint. Sixty-two were labeled as important and included patches for Microsoft Excel, Microsoft Edge, and Microsoft Exchange. Only one was rated as moderate.