
Tag: cat

Bludgeoned by orcs: What it’s like to die repeatedly in Shadow...

To win this game, combat mastery won’t be enough.

But will pre-battle prep be fun?

In the grey area between espionage and cyberwar

Understanding the intentions in the cat-and-mouse online battle is getting harder.

Mysterious cat-and-mouse-themed Trojan RAT is potentially dangerous, but its creators and...

The highly skilled nature of the threat actors behind Felismus, and their ability to cover their tracks, means that no-one knows their identity or their target.

BrandPost: Letting the Cat Out of the Bag: Public Cloud has...

By Gary Thome, VP and chief engineer at HPE, Software-defined and Cloud Group

Technology, like everything else, has trends or cycles.

Cloud started more than 10 years ago and was the hot, new tech trend.

But now…are things starting to shift again? Are organizations thinking twice before automatically moving essential workloads to the public cloud? The answer is yes – and for a variety of reasons.

A few born-in-the-cloud companies have now moved from the public cloud back to on-premises data centers – DropBox is a high-profile example.

And the public cloud performance (or lack thereof) was a big reason why.

One-third of Americans are willing to eat lab-grown meat regularly

They're also more willing to eat dog, cat, and horse meat if it's grown in a lab.

Google Play faces cat and mouse game with sneaky Android malware

What’s the best way to avoid Android malware? Downloading all your apps from the Google Play store – where software is vetted – is perhaps the best advice. But that doesn’t mean Google Play is perfect. Security researchers do find new Android malware lurking on Google’s official app store.

That’s because hackers are coming up with sneaky ways to infiltrate the platform, despite the vetting processes that protect it.

Cheerleading company can get copyrights, pursue competitors, Supreme Court says

The high court ponders copyrighted uniforms, Van Gogh, and cat-shaped lamps.

I had my cats’ poop sequenced—for science

A study is looking at the microbiome of our pets, and my cats are taking part.

Biden leads government call at SXSW for more (select) data transparency

Moonshot hopes, medical data sharing, and a “Cyber National Guard.”

Squid, eyes, and blood, oh my! 2017’s best biology images

Bird blood, cat fur, early brains, and the cutest baby squid.

Fileless attacks against enterprise networks

This threat was originally discovered by a bank’s security team, after detecting Meterpreter code inside the physical memory of a domain controller (DC). Kaspersky Lab participated in the forensic analysis, discovering the use of PowerShell scripts within the Windows registry.

Additionally, it was discovered that the NETSH utility was used for tunnelling traffic from the victim’s host to the attacker’s C2.

The banker that encrypted files

Many mobile bankers can block a device in order to extort money from its user.

But we have discovered a modification of the mobile banking Trojan Trojan-Banker.AndroidOS.Faketoken that went even further – it can encrypt user data.
In addition to that, this modification is attacking more than 2,000 financial apps around the world. We have managed to detect several thousand Faketoken installation packages capable of encrypting data, the earliest of which dates back to July 2016.

According to our information, the number of this banker’s victims exceeds 16,000 users in 27 countries, with most located in Russia, Ukraine, Germany and Thailand. Trojan-Banker.AndroidOS.Faketoken is distributed under the guise of various programs and games, often imitating Adobe Flash Player.

Preparing the groundwork

The Trojan is capable of interacting with protection mechanisms in the operating system.

For example, it requests rights to overlay other apps or the right to be a default SMS application.

This allows Faketoken to steal user data even in the latest versions of Android. Once the Trojan becomes active, it requests administrator rights.
If the user denies the request, Faketoken repeatedly refreshes the window asking for these rights, which leaves the victim with little choice.

Figure: The Trojan imitating “Yandex.Navigator” to request administrator rights

Once it has received administrator rights, Faketoken starts requesting the necessary permissions: to access the user’s text messages, files and contacts, to send text messages and make calls.

These requests will also be repeatedly displayed until the user agrees to provide access. The Trojan then requests the right to display its windows on top of other applications.

This is necessary to block the device and steal user data by displaying phishing pages.

Figure: The Trojan requesting the right to display its windows on top of other applications

The final request at the preparatory stage is for the right to be the default SMS application – this allows Faketoken to covertly steal text messages on the latest versions of Android.

The Trojan integrates the options necessary for the user to work with SMS. However, on some Android devices and versions when the user attempts to send an SMS via Faketoken it returns an error.

As a result, the user cannot send SMS messages until they manually change the SMS application.

The Trojan doesn’t like that, and will start requesting the right again. Manipulations with application shortcuts can also be added to the preparatory stage.

After launching, Faketoken starts downloading an archive containing file icons of several applications (the version being analyzed here has eight) related to social networks, instant messengers and browsers.

Then it tries to delete the previous shortcuts to these applications and create new ones.

Figure: On the test devices the Trojan failed to remove the previous shortcuts, which eventually led to the appearance of duplicates

It is not clear why it does this, because the shortcuts created by Faketoken lead to the original applications.

Data theft

Once the shortcuts are installed, the next stage of the Trojan’s work begins – the theft of user data.

Faketoken downloads a database from the server containing phrases in 77 languages for different device localizations.

Figure: Screenshot of the database with phrases in different languages

Using these or other phrases from the database, depending on the operating system language, the Trojan will show the user various phishing messages.

Figure: Examples of phishing messages displayed by the Trojan

If the user clicks on the message, the Trojan opens a phishing page designed to steal passwords from Gmail accounts. In addition to that, the Trojan overlays the original Gmail application with this page for the same purpose – to steal the password.

Figure: Phishing page imitating the login page of the Gmail mail service

However, the Trojan doesn’t limit itself to Gmail. Like most modern mobile Trojans, Faketoken overlays the original Google Play app with its phishing window to steal the victim’s bank card details.

Figure: Phishing page used by the Trojan to steal credit card details

The Trojan can also get the list of applications for attack and an HTML template page to generate phishing pages for the attacked applications from the C&C server. In our case, Faketoken received a list of 2,249 financial applications from around the world.

Figure: Example of the Trojan’s phishing pages designed for different applications

It should be noted that the Trojan integrates functionality enabling it to call some of the methods from the HTML page it received from the C&C server.

As a result, in addition to the phishing functionality, the pages described above can get certain information about the device including the address of the Gmail account and, even worse, reset the device to factory settings.

What’s more, Faketoken can perform the following actions upon command from the C&C server:

- Change masks to intercept incoming text messages;
- Send text messages to a specified number with a specified text;
- Send text messages with a specified text to a specified list of recipients;
- Send a specified text message to all contacts;
- Upload all text messages from the device to the malicious server;
- Upload all the contacts from the device to the malicious server;
- Upload the list of installed applications to the malicious server;
- Reset the device to factory settings;
- Make a call to a specified number;
- Download a file to the device following a specified link;
- Remove specified applications;
- Create a notification on the phone to open a specified page or run a specified application;
- Start overlaying specified applications with a specified phishing window;
- Open a specified link in its own window;
- Run an application;
- Block the device in order to extort money for unblocking it.

This command may include an option indicating the need to encrypt files.

Ransomware banker

As mentioned above, the ransomware functionality in mobile banking Trojans is now commonplace, after being pioneered by Svpeng in early 2014. However, the new Faketoken version can not only extort money by blocking the screen but also by encrypting user files.

Figure: Screenshot of the Trojan code that renames and then encrypts files

Once the relevant command is received, the Trojan compiles a list of files located on the device (external memory, memory card) corresponding to the given list of 89 extensions and encrypts them.

The AES symmetric encryption algorithm is used, which leaves the user with a chance of decrypting files without paying a ransom.

The Trojan receives the encryption key and the initialization vector from the C&C server.

The encrypted files include both media files (pictures, music, videos) and documents.

The Trojan changes the extension of the encrypted files to .cat.

In conclusion, we would like to note that file encryption is not that popular with the developers of mobile ransomware (at least currently), which may be because most files stored on a mobile device are copied to the cloud. In other words, demanding a ransom in return for decrypting them is pointless.