
Tag: password-protected

Web exposed MongoDB installs wiped by bitcoin ransoming script scum

Patch or perish

Some 2,000 MongoDB installations have been compromised by an attacker demanding administrators pay 0.2 bitcoins (US$206) to have lost data returned. Victor Gevers (@0xDUDE), penetration tester and chairman of the GDI.foundation, noticed the attacks while reporting exposed, non-password-protected MongoDB installations to their owners. One open server contained a ransom warning message in place of the database content Gevers expected. Rather than encrypting the data, the attacker, "harak1r1", ran a script that replaced the database's content with the ransom message. So far 16 organisations appear to have paid harak1r1. John Matherly, the brains behind the security search engine Shodan, where many exposed MongoDBs can be found, has warned since 2015 of the dangers of exposed installations. Back then he warned of some 30,000 MongoDB instances open to the internet without access controls, a number that has since fallen to about 25,000, with version 2.4.9 being the most popular install. Gevers told BleepingComputer that old MongoDB instances were being deployed to cloud services, saying a whopping 78 percent of Amazon Web Services hosts were running known-vulnerable versions of the platform. Those old versions exposed databases to the internet, a problem that is fixed in the current releases. Gevers says he is receiving requests for assistance from ransomed and exposed organisations, and recommends MongoDB administrators check logs and ensure unauthorised accounts have not been added.

Microsoft Finds Cerber Ransomware Activity Increased During Holidays

Microsoft security researchers warn that after a brief quiet period, the Cerber ransomware family has re-emerged with a vengeance to target holiday shoppers and enterprise business data files. The holidays are no time to drop one's guard when it comes to cyber-security. After tracking the popular Cerber ransomware family and noticing a decline in activity earlier this month, the Microsoft Malware Protection Center warns that attackers have ratcheted up their efforts during what is considered a slow period at many businesses, but a prime shopping time for online bargain hunters. Microsoft's security researchers have uncovered a pair of new campaigns, including a flood of new spam that exploits the uptick in ecommerce transactions during the season. The Cerber ransomware is constantly evolving. Not content with encrypting user files and holding them for ransom, last month Cerber's authors expanded into databases and files associated with critical business applications. Version 4.1.5 of the ransomware was coded to seek out Microsoft Access, MySQL and Oracle database files.
In some cases Cerber shuts down running databases so that the malware can encrypt files that are in use. In the latest wave, attackers are spamming inboxes with malicious attachments that download and install the ransomware.

The malware masquerades as password-protected zip files.

The passcode is typically provided in the body of the email, which purportedly contains online order and delivery details; a passcode handed over in the message itself is another red flag for potential malware. Attackers are also using an exploit kit to spread Cerber over malicious and compromised websites.
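The two red flags just described (an encrypted ZIP attachment, and the passcode for it delivered in the same message) can be checked mechanically at the mail gateway. The following is an added example, not code from Microsoft or from the article: it inspects the ZIP's general-purpose flag bit for the traditional "encrypted" marker using Python's standard zipfile module and looks for a passcode pattern in the body. Because zipfile cannot write encrypted archives, the sample archive is constructed in memory and its flag bit is set by hand; the attachment name, body text and regular expression are assumptions for the demonstration.

```python
import io
import re
import zipfile
from typing import List, Tuple


def build_constructed_zip(password_protected: bool) -> bytes:
    """Build a small in-memory ZIP for the demonstration (constructed sample).
    The entry content is a harmless placeholder. When asked for a protected
    archive, bit 0 of the general-purpose flag ("encrypted") is set by hand in
    both the local file header (offset 6) and the central directory entry
    (offset 8), which is what a password-protected ZIP carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("order_12345_details.js", "placeholder text, constructed for this example")
    data = bytearray(buf.getvalue())
    if password_protected:
        local_hdr = data.find(b"PK\x03\x04")
        central_hdr = data.find(b"PK\x01\x02")
        data[local_hdr + 6] |= 0x01
        data[central_hdr + 8] |= 0x01
    return bytes(data)


def zip_is_password_protected(blob: bytes) -> bool:
    """True if any entry in the archive has the encryption flag set.
    Listing entries does not need the password, so this works on the raw blob."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return any(info.flag_bits & 0x01 for info in zf.infolist())


# Assumed pattern: "password: 1234", "passcode is abcd", "pass code=xyz" and similar.
PASSCODE_IN_BODY = re.compile(
    r"\b(?:password|passcode|pass\s*code)\b\s*(?:is|[:=])?\s*\S+", re.IGNORECASE)


def assess_message(body: str, attachments: List[Tuple[str, bytes]]) -> List[str]:
    """Return the red flags found in one mail: an encrypted ZIP attachment, and a
    passcode for it supplied in the message body. Attachments are recognised by
    content (ZIP magic), not by file extension."""
    findings: List[str] = []
    protected = [name for name, blob in attachments
                 if zipfile.is_zipfile(io.BytesIO(blob)) and zip_is_password_protected(blob)]
    if protected:
        findings.append("password-protected ZIP attachment: " + ", ".join(protected))
        if PASSCODE_IN_BODY.search(body):
            findings.append("archive passcode supplied in the message body")
    return findings


if __name__ == "__main__":
    lure = build_constructed_zip(password_protected=True)
    for flag in assess_message("Your order has shipped. Archive password: 1234",
                               [("details.zip", lure)]):
        print("flag:", flag)
```

The combination matters more than either signal alone: legitimate encrypted archives exist, but a message that both carries one and volunteers the passcode inline is the pattern the Cerber spam relies on, so a gateway rule would typically quarantine on the pair and only score the first finding on its own.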

The sites use vulnerabilities like those found in older versions of Adobe Flash to download and execute the latest version of Cerber on a victim's machine.

This tactic is proving particularly effective in Asia and Europe, telemetry data from Microsoft's Windows Defender anti-malware software shows. Adding a new wrinkle in Cerber's development, version information has been removed from the ransomware's configuration data, making it somewhat tougher to track its evolution, observed Microsoft security specialists Rodel Finones and Francis Tan Seng in their exhaustive analysis of the threat. Cerber is also casting a wider net, targeting an additional 50 file types while excluding .cmd, .exe and .msi, a first for this type of ransomware. Cerber also now prioritizes Office folders containing critical files, suggesting that attackers are targeting enterprise environments.

Corporate networks are overflowing with sensitive information and business-critical software, adding urgency to efforts to protect against ransomware and its damaging effects. Behind the scenes, two sets of additional IP address ranges have been added to the command-and-control server setup used by the malware to communicate with attackers.

Finally, a Tor proxy site has replaced the three proxy sites that formerly provided a payment site.

The privacy-enhancing Tor (The Onion Router) network employs encryption and relays to conceal an Internet user's location. "For cyber-criminals, releasing a new version of malware not only increases [the] likelihood of evading antivirus detection; it's also a way of increasing the complexity of malware," the Microsoft security researchers noted. "Cerber's long list of updated behavior indicates that the cyber-criminals are highly motivated to continue improving the malware and the campaigns that deliver it."

Research on unsecured Wi-Fi networks across the world

The very nature of wireless Wi-Fi networks means that hackers or criminals simply need to be located near an access point in order to eavesdrop and intercept network traffic. Poorly configured access point encryption or services that allow data to be sent without any encryption pose a serious threat to user data. Confidential data can be protected by encrypting traffic at wireless access points.
In fact, this method of protection is now considered essential for all Wi-Fi networks.

But what actually happens in practice? Is traffic always encrypted on public Wi-Fi networks? How does the situation differ from country to country? Kaspersky Security Network statistics can answer all these questions. We compared the situation with Wi-Fi traffic encryption in different countries using data from our threat database. We counted the number of reliable and unreliable networks in each country that has more than 10 thousand access points known to us (this obviously excludes Antarctica and other regions where there is not enough data to draw any conclusions).

Security of Wireless Networks

Using statistics from Kaspersky Security Network (KSN), we analyzed data from across the world for almost 32 million Wi-Fi hotspots accessed by the wireless adapters of KSN users.

[Chart: Encryption type used in public Wi-Fi hotspots across the world]

Approximately 24.7% of Wi-Fi hotspots in the world do not use any encryption at all.

This basically means that by using an antenna capable of sending and receiving data at 2.4 GHz, any individual located near an access point can easily intercept and store all user traffic and then browse it for data they are interested in.

Fortunately, modern online banking systems and messengers do not transfer unencrypted data.

But this is the only thing that prevents users of Wi-Fi networks with unencrypted traffic from revealing their passwords and other essential data when using an unsecure access point. The WEP (Wired Equivalent Privacy) protocol for encryption of data transferred over Wi-Fi is used by approximately 3.1% of all analyzed access points.

The protocol was the first to be created, quite a long time ago, and is now completely unreliable – it would take hackers just a few minutes to crack it.

From a data security point of view, using WEP is not much different from using open networks.

This protocol is being relegated to oblivion everywhere, but as we see from the chart above, it can still be found in use. Around three-quarters of all access points use encryption based on the Wi-Fi Protected Access (WPA) protocol family.

The protocols from this family are currently the most secure.

The effort required to hack WPA depends on its settings, including the complexity of the password set by the hotspot owner.
It is worth noting that an attempt to decipher traffic from “personal” (WPA-Personal, PSK authentication) wireless networks (with public access points) can be made by intercepting the handshakes between the access point and the device at the beginning of the session. “Corporate” versions are protected from this sort of interception because they use internal company authorization. When it comes to “personal” WPA2 attacks, the situation is similar to that of WPA and mostly depends on the strength of the password set by the hotspot owner. It is only fair to note that during a standard attack on a Wi-Fi access point, a personal computer can generate from 50 to 300 keys per second on average.
If the encryption key is strong, it will take years to hack it.
Still, no one can guarantee that the key used at a cafe will be secure and that the attacker will have nothing but a PC at their disposal. Overall, it can be said that today’s WPA/WPA2 “non-enterprise” versions are reasonably, but not absolutely, secure.
In particular, they allow brute-force and dictionary attacks.

There are ready-to-use publicly available tools (aircrack-ng and similar software) for performing such attacks, as well as a large number of manuals.

Geography of Unsecured Wi-Fi Access Points

[Chart: Share of Wi-Fi hotspots that use unreliable WEP or do not encrypt data (by country)]

We would like to note that the five countries with the highest proportion of unsecured connections include Korea (47.9% of unsecured Wi-Fi access points), while France (40.14%) and the US (39.31%) rate 9th and 12th respectively in the list. Germany appears to be the most secure among Western European countries, with 84.91% of access points secured by WPA/WPA2 protocol encryption.

[Chart: Share of Wi-Fi hotspots that use WPA/WPA2 (by country)]

However, even when using an encrypted connection, you should not completely rely upon this security measure.

There are several scenarios that could compromise even well-encrypted network traffic.

These include fake access points with names that duplicate or mimic real ones (for example, TrainStation_Free or TrainStation Free) and compromised routers forwarding traffic without encryption to attackers (malware tools that infect such devices are already “in the wild”).
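Two things from the preceding sections lend themselves to a small inventory check: classifying access points into open / WEP / WPA-Personal / WPA-Enterprise and computing the per-country share of unreliable ones (with a minimum-sample cut-off like the report's 10-thousand-point threshold), and spotting look-alike SSIDs such as TrainStation_Free versus TrainStation Free. The code below is an added example, not Kaspersky's tooling or data: the scan records are constructed, the capability strings follow the wpa_supplicant scan_results convention (e.g. "[WPA2-PSK-CCMP][ESS]"), and the country codes and counts are invented.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed scan records: (country code, SSID, capability flags).
# Every network, country and count here is made up for the example.
SAMPLE_SCAN: List[Tuple[str, str, str]] = [
    ("DE", "Cafe_Mitte", "[WPA2-PSK-CCMP][ESS]"),
    ("DE", "TrainStation_Free", "[ESS]"),
    ("DE", "TrainStation Free", "[ESS]"),          # look-alike of the line above
    ("DE", "Buero", "[WPA2-EAP-CCMP][ESS]"),
    ("DE", "Hotel-Guest", "[WPA-PSK-TKIP][WPA2-PSK-CCMP][ESS]"),
    ("KR", "CoffeeShop", "[ESS]"),
    ("KR", "OldRouter", "[WEP][ESS]"),
    ("KR", "Apt-1203", "[WPA2-PSK-CCMP][ESS]"),
    ("KR", "Airport_Free", "[ESS]"),
    ("AQ", "Station", "[ESS]"),   # a single data point, to show the minimum-sample cut-off
]

# Open and WEP networks are the "unreliable" categories of the report.
UNRELIABLE = {"open", "WEP"}


def classify(flags: str) -> str:
    """Map a wpa_supplicant-style capability string to one security category."""
    if "WEP" in flags:
        return "WEP"
    if "WPA" not in flags:          # no WPA/WPA2 block at all: open network
        return "open"
    return "WPA-Enterprise" if "-EAP" in flags else "WPA-Personal"


def unreliable_share(scan: Iterable[Tuple[str, str, str]], min_points: int = 1) -> Dict[str, float]:
    """Percentage of unreliable (open or WEP) access points per country, skipping
    countries with fewer than min_points observed networks."""
    by_country: Dict[str, Counter] = defaultdict(Counter)
    for country, _ssid, flags in scan:
        by_country[country][classify(flags)] += 1
    shares: Dict[str, float] = {}
    for country, counts in by_country.items():
        total = sum(counts.values())
        if total < min_points:
            continue
        bad = sum(counts[kind] for kind in UNRELIABLE)
        shares[country] = round(100.0 * bad / total, 2)
    return shares


def _normalize(ssid: str) -> str:
    # Case and separator differences are exactly what look-alike names exploit.
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def lookalike_ssids(scan: Iterable[Tuple[str, str, str]], trusted: Iterable[str]) -> List[str]:
    """SSIDs that collapse to the same normalised form as a trusted name but are not it."""
    wanted = {_normalize(name): name for name in trusted}
    return [ssid for _country, ssid, _flags in scan
            if _normalize(ssid) in wanted and ssid != wanted[_normalize(ssid)]]


if __name__ == "__main__":
    print(unreliable_share(SAMPLE_SCAN, min_points=2))
    print(lookalike_ssids(SAMPLE_SCAN, ["TrainStation_Free"]))
```

The normalisation in lookalike_ssids is deliberately aggressive (it drops every non-alphanumeric character); in practice one would also compare against the BSSID of the known-good access point, since an attacker can copy the SSID exactly.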

At any rate, taking care of your own security is a good idea.

Recommendations for Users

There are several simple rules that help protect personal data when using open Wi-Fi networks in cafes, hotels, airports, and other public places. Do not trust networks that are not password-protected. Even if a network requests a password, you should remain vigilant. Fraudsters can find out the network password at a coffee shop, for example, and then create a fake connection with the same password.

This allows them to easily steal personal user data. You should only trust network names and passwords given to you by employees of the establishment. To maximize your protection, turn off your Wi-Fi connection whenever you are not using it.

This will also save your battery life. We recommend disabling automatic connection to existing Wi-Fi networks too. If you are not 100% sure the wireless network you are using is secure, but you still need to connect to the internet, try to limit yourself to basic user actions such as searching for information. You should refrain from entering your login details for social networks or mail services, and definitely not perform any online banking operations or enter your bank card details anywhere. To avoid being a target for cybercriminals, you should enable the “Always use a secure connection” (HTTPS) option in your device settings.
It is recommended to enable this option when visiting any websites you think may lack the necessary protection. If possible, connect via a Virtual Private Network (VPN). With a VPN, encrypted traffic is transmitted over a protected tunnel, meaning criminals won’t be able to read your data, even if they gain access to them. And, of course, you should use dedicated security solutions.

They inform users about any potential dangers when connecting to a suspicious Wi-Fi network and prevent any passwords or other confidential data from being compromised if there is a threat. One example of a dedicated solution is the Secure Connection tool included in the latest versions of Kaspersky Internet Security and Kaspersky Total Security.

This module protects users connected to Wi-Fi networks by providing a secure encrypted connection channel.
Secure Connection can be launched manually or, depending on the settings, activated automatically when connecting to public Wi-Fi networks, when navigating to online banking and payment systems or online stores, and when communicating online (mail services, social networks, etc.).

PoisonTap Hacking Tool Compromises Computers via USB Stick

If you step away from your computer, an attacker could quickly insert a USB stick and take control using a series of vulnerabilities. The device costs only $5. While most people know not to leave their computer alone in a public space, locking the system with a password gives many users a feeling of security. A new hacking tool released this week has shown how illusory that feeling is, demonstrating the danger of leaving any system unsupervised. The tool, known as PoisonTap, can be loaded onto a $5 Raspberry Pi barebones computer and will take over the internet connection of any system to which it is connected. Once plugged in, the program will steal the victim's cookies for the top 1 million Web sites, expose internal routers to the Internet, and allow remote access to the system. The hacker behind the program, Samy Kamkar, a security researcher best known for creating the MySpace worm in 2005, announced the tool on Nov. 16. "When plugged into a locked or password-protected computer, it takes over all internet traffic momentarily," Kamkar said in a video explaining the attack. "The back door and remote access persists even after the device is removed and you walk away." The attack is a bold demonstration that leaving a computer unattended is never a good idea. When PoisonTap is plugged into a computer the device masquerades as an Ethernet device. The computer immediately sends a request to PoisonTap for an IP address, even if it is locked or password-protected. The address that PoisonTap returns makes it seem that "almost all IP addresses on the Internet are part of PoisonTap's LAN," Kamkar said. The result is that the targeted computer will send all its Internet traffic through PoisonTap. PoisonTap will intercept any requests to the Web and steal cookies for the top 1 million Web sites.
The cookies could then be used by an attacker to automatically log into sites without needing a username and password, although the effectiveness of such an attack depends on the site's security requirements. The program can also poison the browser cache and redirect requests for certain Web sites to go to an attacker-owned site, essentially giving control of the browser to the attacker, Kamkar said. "Whenever the Web socket is open, the attacker can remotely send commands to the victim and force their browser to execute JavaScript code," he said. "This allows that attacker to make requests as the user, with the user cookies and view the responses, with no visibility to the user." There is very little a consumer can do to secure against the attack, he said. "To protect a client machine, I suggest adding cement to all your USB ports," he said. The program will not run on computers that have file system encryption, such as FileVault, because the browser does not run in the background. Web sites can protect against parts of the attack by requiring all traffic to use HTTPS. While that seems to be a basic precaution, only 21 percent of the top 100 non-Google sites require HTTPS by default, according to a 2016 analysis by Google. Overall, the attack is able to avoid a laundry list of security protections, including password protected lock screens, same-origin policies in the browser, two-factor authentication and DNS pinning.

Meet PoisonTap, the $5 tool that ransacks password-protected computers

The perils of leaving computers unattended just got worse, thanks to a newly released exploit tool that takes only 30 seconds to install a privacy-invading backdoor, even when the machine is locked with a strong password. PoisonTap, as the tool has been dubbed, runs freely available software on a $5/£4 Raspberry Pi Zero device. Once the payment card-sized computer is plugged into a computer's USB slot, it intercepts all unencrypted Web traffic, including any authentication cookies used to log in to private accounts. PoisonTap then sends that data to a server under the attacker's control.

The hack also installs a backdoor that makes the owner's Web browser and local network remotely controllable by the attacker. PoisonTap is the latest creation of Samy Kamkar, the engineer behind a long line of low-cost hacks, including a password-pilfering keylogger disguised as a USB charger, a key-sized dongle that jimmies open electronically locked cars and garages, and a DIY stalker app that mined Google Streetview. While inspiring for their creativity and elegance, Kamkar's inventions also underscore the security and privacy tradeoffs that arise from an increasingly computerized world. PoisonTap continues this cautionary theme by challenging the practice of password-protecting an unattended computer rather than shutting it off or, a safer bet still, toting it to the restroom or lunch room. Kamkar told Ars: The primary motivation is to demonstrate that even on a password-protected computer running off of a WPA2 Wi-Fi, your system and network can still be attacked quickly and easily.

Existing non-HTTPS website credentials can be stolen, and, in fact, cookies from HTTPS sites that did not properly set the 'secure' flag on the cookie can also be siphoned. Unsecured home or office routers are similarly at risk. Kamkar has published the PoisonTap source code and additional technical details here and has also released the following video demonstration:
[Video: PoisonTap - exploiting locked machines w/ Raspberry Pi Zero]

Once the device is inserted in a locked Mac or PC (Kamkar said he hasn't tested PoisonTap on a Linux machine), it surreptitiously poisons the browser cache with malicious code that lives on well after the tool is removed.

That makes the hack ideal for infecting computers while they are only briefly unattended. Here's how it works. Once the PoisonTap software is installed, the Raspberry Pi device becomes a miniature Linux computer that presents itself as an Ethernet network. Like a router, it's responsible for allocating IP addresses for the local network through the dynamic host configuration protocol.
In the process, the device becomes the gateway for sending and receiving traffic flowing over the local network.
In this sense, PoisonTap is similar to a USB exploit tool demonstrated in September that stole login credentials from locked PCs and Macs. Through a clever hack, however, PoisonTap is able to become the gateway for all Internet traffic as well.
It does this by defining the local network to include the entire IPv4 address space. With that, the device has the ability to monitor and control all unencrypted traffic the locked computer sends or receives over its network connection. PoisonTap then searches the locked computer for a Web browser running in the background with an open page. When it finds one, the device injects HTML iframe tags into the page that connect to the top 1 million sites ranked by Alexa.
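The trick described above, a DHCP lease whose netmask makes the whole IPv4 space look directly attached, is something a host can notice about itself. The following is an added example, not part of PoisonTap or of Kamkar's write-up: it takes interface records (address, netmask, gateway) as a host agent might collect them after a lease is applied and flags any interface whose on-link range covers more than a /8 of IPv4, using only the standard ipaddress module. The lease records, interface names and threshold are constructed for the demonstration.

```python
import ipaddress
from typing import Dict, List

# Constructed interface records, as a host-side agent might read them after a
# DHCP lease is applied. Addresses and interface names are invented.
SAMPLE_LEASES: List[Dict[str, str]] = [
    {"iface": "en0", "address": "192.168.1.23", "netmask": "255.255.255.0", "gateway": "192.168.1.1"},
    {"iface": "en7", "address": "1.0.0.5", "netmask": "0.0.0.0", "gateway": "1.0.0.1"},      # whole IPv4 space on-link
    {"iface": "en8", "address": "10.0.0.9", "netmask": "128.0.0.0", "gateway": "10.0.0.1"},  # half of IPv4 on-link
]

# Anything broader than a /8 (1/256 of the address space) is treated as suspicious;
# a legitimate corporate /8 sits exactly at the boundary and is not flagged.
DEFAULT_THRESHOLD = 1 / 128


def onlink_fraction(address: str, netmask: str) -> float:
    """Fraction of the IPv4 space that this address/netmask pair declares to be
    directly reachable (i.e. routed to the link rather than to the default gateway)."""
    net = ipaddress.IPv4Network((address, netmask), strict=False)
    return net.num_addresses / 2 ** 32


def audit_lease(lease: Dict[str, str], threshold: float = DEFAULT_THRESHOLD) -> Dict[str, object]:
    """Verdict for one interface: how much of IPv4 it claims on-link and whether
    that exceeds the threshold."""
    fraction = onlink_fraction(lease["address"], lease["netmask"])
    return {
        "iface": lease["iface"],
        "onlink_fraction": fraction,
        "suspicious": fraction >= threshold,
    }


def suspicious_interfaces(leases: List[Dict[str, str]], threshold: float = DEFAULT_THRESHOLD) -> List[str]:
    """Names of interfaces whose lease makes an implausibly large part of IPv4 on-link."""
    return [str(r["iface"]) for r in (audit_lease(l, threshold) for l in leases) if r["suspicious"]]


if __name__ == "__main__":
    for lease in SAMPLE_LEASES:
        verdict = audit_lease(lease)
        print(f'{verdict["iface"]}: {verdict["onlink_fraction"]:.6f} of IPv4 on-link, '
              f'suspicious={verdict["suspicious"]}')
```

A check like this only catches the netmask trick; the same agent would also want to alert when a newly attached USB network interface appears while the screen is locked, since that event is the actual precondition for the attack.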

Because PoisonTap masquerades as the HTTP server for each site, the hack is able to receive, store, and upload any non-encrypted authentication cookies the computer uses to log in to any of those sites. Given its highly privileged man-in-the-middle position, PoisonTap can also install backdoors that make both the Web browser and connected router remotely accessible to the attacker.

To expose the browser, the hack leaves a combination of HTML and JavaScript in the browser cache that produces a persistent WebSocket. PoisonTap uses what's known as a DNS rebinding attack to give remote access to a router. That means attackers can use PoisonTap to remotely access a browser as it connects to a website or to gain administrative control over the connected router.

Attackers still must overcome any password protections safeguarding an exposed router.

But given the large number of unpatched authentication bypass vulnerabilities or default credentials that are never changed, such protections often don't pose much of an obstacle. PoisonTap challenges a tradition that can be found in almost any home or office—the age-old practice of briefly leaving a locked computer unattended.

And for that reason, the ease and thoroughness of the hack may be understandably unsettling for some people.
Still, several safeguards can significantly lower the threat posed by the hack.

The first is to, whenever possible, use sites that are protected by HTTPS encryption and the transmission of secure cookies to prevent log-in credentials from being intercepted.

A measure known as HTTP Strict Transport Security is better still, because it prevents attack techniques that attempt to downgrade HTTPS connections to unsecured HTTP. As a result, neither Google nor Facebook pages can be triggered by computers infected by PoisonTap.
Sadly, multi-factor authentication isn't likely to provide much protection because it generally isn't triggered by credentials provided in authentication cookies. End users, meanwhile, should at a minimum close their browsers before locking their computer or, if they're on a Mac, be sure to enable FileVault2 and put their machine to sleep before walking away, since browsers are unable to make requests in such cases. Regularly flushing browser caches is also a sound, albeit imperfect, measure.
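Two of the safeguards mentioned in the PoisonTap coverage are visible in a site's response headers: authentication cookies should carry the Secure flag (Kamkar's point about HTTPS cookies that "did not properly set the 'secure' flag"), and the site should send Strict-Transport-Security so the browser never makes the plain-HTTP requests the device feeds on. The code below is an added example, not from Kamkar or Ars: it audits a captured response's Set-Cookie and HSTS headers and reports what an on-path device like PoisonTap could still harvest. The two sample responses are constructed for the demonstration.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample responses as (header name, value) pairs. "WEAK" is the kind
# of site the article describes; "HARDENED" is the same site with the fixes applied.
WEAK_RESPONSE: List[Tuple[str, str]] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
HARDENED_RESPONSE: List[Tuple[str, str]] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, object]]:
    """Split a Set-Cookie value into the cookie name and its attributes
    (attribute names lower-cased; flag attributes such as Secure map to True)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, attrs


def audit_cookie(header_value: str) -> Tuple[str, List[str]]:
    name, attrs = parse_set_cookie(header_value)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("no Secure flag: the browser will also send it over plain HTTP, "
                        "where a device on the path can read it")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: script injected into a cached page can read it")
    return name, findings


def parse_hsts_max_age(header_value: str) -> Optional[int]:
    """Return the max-age directive of a Strict-Transport-Security value, or None."""
    for directive in header_value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip())
            except ValueError:
                return None
    return None


def audit_response(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Findings keyed by cookie name, plus a "(site)" entry when HSTS is missing
    or disabled. An empty dict means nothing was found."""
    report: Dict[str, List[str]] = {}
    hsts_max_age: Optional[int] = None
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie_name, findings = audit_cookie(value)
            if findings:
                report[cookie_name] = findings
        elif lname == "strict-transport-security":
            hsts_max_age = parse_hsts_max_age(value)
    if hsts_max_age is None or hsts_max_age <= 0:
        report["(site)"] = ["no effective Strict-Transport-Security header: "
                            "a downgrade to plain HTTP is still possible"]
    return report


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response) or "no findings")
```

HSTS only helps once the browser has seen the header over HTTPS at least once (or the domain is on the preload list), which is why the article calls it "better still" rather than sufficient on its own.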

For the truly paranoid, it may make more sense to simply bring laptops along or to turn off machines altogether.

Russia-linked phishing campaign behind the DNC breach also hit Podesta, Powell

[Image: The spear-phishing e-mail received by Clinton campaign staffer William Rinehart matches messages received by both former Secretary of State Colin Powell and Clinton campaign chairman John Podesta. Credit: The Smoking Gun]

The breaches of personal e-mail accounts for Clinton presidential campaign chairman John Podesta and former Secretary of State Colin Powell have now been tied more closely to other breaches involving e-mail accounts for Democratic party political organizations. Podesta and Powell were both the victims of the same form of spear-phishing attack that affected individuals whose data was shared through the "hacktivist" sites of Guccifer 2.0 and DCLeaks. As Ars reported in July, the spear-phishing attack used custom-coded Bit.ly shortened URLs containing the e-mail addresses of their victims.

The URLs appeared in e-mails disguised to look like warnings from Google about the victims’ accounts.

These spear-phishing attacks were tracked by the security firm SecureWorks as part of the firm’s tracking of the “Fancy Bear” threat group (also known as APT28), a hacking operation previously tied to a phishing campaign against military and diplomatic targets known as Operation Pawn Storm. As The Smoking Gun reported in August, one of these e-mails was sent to William Rinehart, a staffer with the Clinton presidential campaign. Rinehart’s e-mails were leaked on the DCLeaks site.

DCLeaks also carried the e-mails of Sarah Hamilton, an employee of a public relations firm that has done work for the Clinton campaign and for the DNC. Hamilton's e-mails were offered to The Smoking Gun by someone claiming to be Guccifer 2.0 via a password-protected link on the DC Leaks site. E-mails with the same crafted Bit.ly Web addresses were found in the e-mails of both Podesta and Powell, as Motherboard’s Lorenzo Franceschi-Bicchierai reports. Podesta’s e-mails were shared by WikiLeaks; Powell’s were posted on DCLeaks.

That would suggest a firm connection between the DC Leaks / Guccifer 2.0 campaign (already linked to Russian intelligence) and the source of the WikiLeaks DNC files.

Second hacking group targets SWIFT-connected banks

Odinaff shares links with Carbanak

A second group of hackers – Odinaff – has broken into the SWIFT system, the fulcrum of the global financial payments system. Odinaff was found to be using the same approach as those who stole $81m from the Bangladesh central bank earlier this year. Attacks involving the Odinaff trojan and associated tools appear to have begun in January 2016.

The attacks have hit a wide range of regions with the US the most frequently targeted, followed by Hong Kong, Australia, the UK, and Ukraine. It’s unclear to what extent these attacks have been successful – much less how much money the hackers have extracted. The targets are mostly banks and other financial institutions. Malware is spread through spear-phishing emails, many of which come with malicious macros. Password-protected RAR archives are another potential lure. Some Odinaff infections have been pushed through botnets onto already-infected machines.
Security firm Symantec has found evidence of tools capable of manipulating SWIFT customers’ transfer logs and wiping computers to hide traces of activity, it claims. “The attacks involving Odinaff share some links to the Carbanak group, whose activities became public in late 2014,” according to its security response team. “Carbanak also specializes in high-value attacks against financial institutions and has been implicated in a string of attacks against banks, in addition to point of sale intrusions.” Three command and control IP addresses connected to previously reported Carbanak campaigns also feature in Odinaff.
It may be that the two groups are cooperating with each other. Kevin Bocek, chief cybersecurity strategist at Venafi, said: “These attacks on SWIFT are like old-school bank robberies for a digital age; the hackers are taking money right from the bank’s safe. This is a shift from previous attacks that have been more focused on stealing from banking customers.

“After the success of the first SWIFT hack, it’s unsurprising to see the headlines doing the rounds again and I’d be shocked if this is the last we see of it.”

Odinaff Trojan Targeting SWIFT Messaging System Used by Banks

Symantec warns of the growing risk from a malware variant that is targeting the SWIFT messaging system that banks use for financial transfers. Symantec issued a warning on Oct. 11 about an emerging malware dubbed Odinaff that is going after the SWIFT m...

Polyglot – the fake CTB-locker

Cryptor malware programs currently pose a very real cybersecurity threat to users and companies.

Clearly, organizing effective security requires the use of security solutions that incorporate a broad range of technologies capable of preventing a cryptor program from landing on a potential victim’s computer or reacting quickly to stop an ongoing data encryption process and roll back any malicious changes. However, what can be done if an infection does occur and important data has been encrypted? (Infection can occur on nodes that, for whatever reason, were not protected by a security solution, or if the solution was disabled by an administrator.) In this case, the victim’s only hope is that the attackers made some mistakes when implementing the cryptographic algorithm, or used a weak encryption algorithm.

A brief description

The cryptor dubbed Polyglot emerged in late August.

According to the information available to us, it is distributed in spam emails that contain a link to a malicious RAR archive.

The archive contains the cryptor’s executable code. Here are some examples of the links used:

hXXp://bank-info.gq/downloads/reshenie_suda.rar
hXXp://bank-info.gq/downloads/dogovor.rar

When the infected file is launched, nothing appears to happen. However, the cryptor copies itself under random names to a dozen or so places, writes itself to the autostart folder and to TaskScheduler. When the installation is complete, file encryption starts.

The user’s files do not appear to change (their names remain the same), but the user is no longer able to open them. When encryption is complete, the cryptor changes the desktop wallpaper (interestingly, the wallpaper image is unique to each victim) and displays the ransom message.

[Screenshot: The cryptor’s main window]
[Screenshot: New desktop wallpaper with the “open key” block unique to each victim computer]

The user is offered the chance to decrypt several files for free.

[Screenshot: The free trial decryption window]

After this, the user is told to pay for file decryption in bitcoins.

The cryptor contacts its C&C, which is located on the Tor network, for the ransom sum and the bitcoin address where it should be sent.

[Screenshot: C&C communication window]

From this moment on, the cryptor allows the user to check the ransom payment status on the C&C.

[Screenshot: Ransom payment details]

If the ransom is not paid on time, the cryptor notifies the user that it’s no longer possible to decrypt their files, and that it is about to ‘self-delete’.

[Screenshot: Last window displayed by Polyglot]

Imitating CTB-Locker

Initially, this cryptor caught our attention because it mimics all the features of another widespread cryptor – CTB-Locker (Trojan-Ransom.Win32.Onion).

The graphical interface window, language switch, the sequence of actions for requesting the encryption key, the payment page, the desktop wallpapers – all of them are very similar to those used by CTB-Locker.

The visual design has been copied very closely, while the messages in Polyglot’s windows have been copied word for word.

[Screenshots, Polyglot beside CTB-Locker in each pair: the main graphical interface windows; the list of encrypted files; the window for the trial decryption of 5 random files; the private key request window; the desktop wallpapers; the ‘connection failed’ error message; the offline decryption instructions]

The similarities do not stop there.

Even the encryption algorithms used by the cybercriminals have clearly been chosen to imitate those used in CTB-Locker.

Comparison of Polyglot and CTB-Locker

Algorithms used for file encryption
  Polyglot: File content is packed into a ZIP archive and then encrypted with AES-256.
  CTB-Locker: File content is compressed with Zlib and then encrypted with AES-256.

Algorithms used while working with the keys
  Polyglot: ECDH (elliptic curve Diffie-Hellman), curve25519, SHA256.
  CTB-Locker: ECDH (elliptic curve Diffie-Hellman), curve25519, SHA256.

Extensions of encrypted files
  Polyglot: File extensions are not changed.
  CTB-Locker: File extensions are changed, depending on version: .ctbl, .ctb2, or 7 random lower-case Latin symbols.

Demo decryption
  Polyglot: 5 files are decrypted for free as a demo. Their decryption keys and file names are saved in the registry.
  CTB-Locker: 5 files are decrypted for free as a demo. Their decryption keys are only stored in RAM while the process is running.

C&C location
  Polyglot: C&C is in the Tor network; communication is via a public tor2web service.
  CTB-Locker: C&C is in the Tor network; communication is via a Tor client integrated into the Trojan, or (in some versions of CTB-Locker) via a public tor2web service.

Traffic protection / obfuscation
  Polyglot: Bitwise NOT operation.
  CTB-Locker: AES encryption.

That said, we should note the following: a detailed analysis has revealed that Polyglot was developed independently from CTB-Locker; in other words, no shared code has been detected in the two Trojans (except the publicly available DLL code). Perhaps the creators of Polyglot wanted to disorient the victims and researchers, and created a near carbon copy of CTB-Locker from scratch to make it look like a CTB-Locker attack and that there was no hope of getting files decrypted for free.

C&C communication

The Trojan contacts the C&C server located on Tor via a public tor2web service, using the HTTP protocol. Prior to each of the data requests below, a POST request is sent with just one parameter: “live=1”. Request 1. At the start of operation, the Trojan reports the successful infection to the C&C.

The following data is sent to the C&C:

{
    "ip": "xxx.xxx.xxx.xxx",                        // IP address of the infected computer
    "method": "register",                           // action type; "register" = Trojan informs C&C of new infection
    "uid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",  // infected computer's ID
    "version": "10f",                               // Trojan version contained in its body
    "info": "Microsoft (build xxxx), 64-bit",       // OS version on the infected computer
    "description": " ",                             // always a whitespace (" ")
    "start_time": "14740xxxxx",                     // Trojan's start time
    "end_time": "0",                                // encryption finish time; 0 = no encryption has run yet
    "user_id": "5"                                  // number hardwired in the sample
}

This data block is passed through a bitwise NOT operation, encoded into Base64 and sent to the C&C in a POST request.

(Figure: Contents of the sent request)

Parameters of the POST request:
- signature: CRC32 from the sent data
- ver: Trojan version
- gcdata: data, with contents as described above

(Figure: Request 1 and the reply received from the C&C)

Request 2. When the Trojan has finished encrypting the user’s data, it sends another request to the C&C.

The content of the request is identical to that of request 1 except for the field “end_time”, which now shows the time encryption was completed.

Request 3. This is sent to the C&C to request the bitcoin address for payment and the ransom sum to be paid.

{
    "method": "getbtcpay",
    "uid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

The C&C replies to this request with the following data:

{
    "code": "0",
    "text": "OK",
    "address": "xxxxxxxx",   // bitcoin address (may vary)
    "btc": 0.7,              // amount to be paid in BTC (may vary)
    "usd": 319.98            // amount to be paid in USD (may vary)
}

Request 4. This is sent to request a file decryption key from the C&C.

{
    "method": "getkeys",
    "key": "",
    "uid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "info": ["DYqbX3m9u0Pk9bE9Rg2Co3empC2M/yrnqgNS3r0AT2vwCw8Zas08bd4BNiO3XuAqi6/5WQ0VBiUkRUToo+YFL/QtPkiRIQ/D9RyKhzpBHlNpf2hPb9eloDzpkonQl7L6cQyJ2FipEG2ggZOdTDBcNAEAAAA="]
}

Request 5. The Trojan reports that data decryption has been completed and states the number of decrypted files to the C&C.

{
    "method": "setend",
    "uid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "decrypted": "1"
}

Description of the encryption algorithm

During our analysis of the malicious code, it became evident that the Trojan encrypts files in three stages, creating intermediate files:

1. First, the original file is placed in a password-protected ZIP archive. The archive has the same name as the original file plus the extension “a19”.
2. Polyglot encrypts the password-protected archive with the AES-256-ECB algorithm. The resulting file again uses the name of the original file, but the extension is now changed to “ap19”.
3. The Trojan deletes the original file and the file with the extension “a19”. The extension of the resulting file is changed from “ap19” to that of the original file.

(Figure: Flowchart of the search and file encryption actions performed by Polyglot)

A separate AES key is generated for each file, and is nothing more than a ‘shared secret’ generated according to the Diffie-Hellman protocol on an elliptic curve. However, first things first. Before encrypting any files, the Trojan generates two random sequences, each 32 bytes long.

The SHA256 digests of each sequence become the private keys s_ec_priv_1 and s_ec_priv_2.

Then, the Bernstein elliptic curve (Curve25519) is used to obtain public keys s_ec_pub_1 and s_ec_pub_2 (respectively) from each private key. The Trojan creates the structure decryption_info and writes the following to it: a random sequence used as the basis for creating the key s_ec_priv_1, the string machine_guid taken from the registry, and a few zero bytes.

struct decryption_info {
    char s_rand_str_1[32];
    char machine_guid[36];
    char zeroes[12];
};

Using the private key s_ec_priv_2 and the cybercriminal’s public key mal_pub_key produces the shared secret mal_shared_secret = ECDH(s_ec_priv_2, mal_pub_key).

The structure decryption_info is encrypted with algorithm AES-256-ECB using a key that is the SHA256 digest of this secret.

For convenience, we shall call the obtained 80 bytes of the encrypted structure encrypted_info. Only when Polyglot obtains the encrypted_info value does it proceed to generate the session AES key for the file. Using the above method, a new pair of keys is generated, f_priv_key and f_pub_key. Using f_priv_key and s_ec_pub_1 produces the shared secret f_shared_secret = ECDH(f_priv_key, s_ec_pub_1). The SHA256 digest of this secret will be the AES key with which the file is encrypted. To specify that the file has already been encrypted and that it’s possible to decrypt the file, the cybercriminals write the structure file_info to the start of each encrypted file:

struct file_info {
    char label[4] = {'H', 'U', 'I', 0x00};
    uint32_t label2 = 1;
    uint64_t archive_size;
    char f_pub_key[32];
    char s_ec_pub_1[32];
    char s_ec_pub_2[32];
    char encrypted_info[80];
};

The elliptic curve, the Diffie-Hellman protocol, AES-256, a password-protected archive – it was almost flawless.

But not quite, because the creator of Polyglot made a few mistakes during implementation.

This gave us the opportunity to help the victims and restore files that had been encrypted by Polyglot.

Mistakes made by the creators

As was mentioned earlier, all the created keys are based on a randomly generated array of characters.

Therefore, the strength of the keys is determined by the generator’s strength.

And we were surprised to see the implementation of this generator:

(Figure: A graphical representation of the random sequence generation procedure)

Let’s convert this function into pseudocode so it’s easier to follow:

Please note that when another random byte is selected, the entire result of the function rand() is not used, just the remainder of dividing the result by 32. Only the cybercriminal knows why they decided to make the random string this much weaker – an exhaustive search of the entire set of the possible keys produced by such a pseudo-random number generator will only take a few minutes on a standard PC. Taking advantage of this mistake, we were able to calculate the AES key for an encrypted file.

Although there was a password-protected archive below the layer of symmetric encryption, we already knew that the cybercriminal had made another mistake. Let’s look at how the archive key is generated:

We can see that the key length is only 4 bytes; moreover, these are specific bytes from the string MachineGuid, the unique ID assigned to the computer by the operating system.

Furthermore, a slightly modified MachineGuid string is displayed in the requirements text shown to the victim; this means that if we know the positions in which the 4 characters of the ZIP archive password are located, we can easily unpack the archive.

(Figure: The MachineGuid string displayed in the requirements screen)

Conclusion

Files that are encrypted by this cryptor can be decrypted using Kaspersky Lab’s free anti-cryptor utility RannohDecryptor Version 1.9.3.0.

All Kaspersky Lab solutions detect this cryptor malware as:
- Trojan-Ransom.Win32.Polyglot
- PDM:Trojan.Win32.Generic

MD5
c8799816d792e0c35f2649fa565e4ecb – Trojan-Ransom.Win32.Polyglot.a
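Two small analyst helpers for the Polyglot artefacts described in the analysis above, added here as an example (this is not Kaspersky's code and not the Trojan's): a decoder for the C&C beacon body (JSON, bitwise NOT, Base64, accompanied by the CRC32 "signature" parameter) and a parser for the file_info header written to the start of each encrypted file. The analysis only says the signature is "CRC32 from the sent data", so computing it over the Base64 text is an assumption, as are the little-endian layout of the header and every sample value used below.

```python
"""Polyglot artefact helpers: C&C beacon decoder and file_info header parser.
Added example; layout/endianness and all sample values are assumptions."""
import base64
import json
import struct
import zlib
from typing import Dict, Optional, Tuple

# ---- C&C beacon: the "gcdata" and "signature" POST parameters -------------

def _invert(data: bytes) -> bytes:
    """Bitwise NOT of every byte (NOT b == b XOR 0xFF for 8-bit values)."""
    return bytes(b ^ 0xFF for b in data)

def encode_gcdata(fields: Dict[str, object]) -> Tuple[str, int]:
    """Serialise the JSON block, invert it, Base64-encode it.
    Returns (gcdata, signature). Assumption: CRC32 is taken over the
    Base64 text that is actually transmitted."""
    raw = json.dumps(fields, separators=(",", ":")).encode()
    gcdata = base64.b64encode(_invert(raw)).decode()
    return gcdata, zlib.crc32(gcdata.encode()) & 0xFFFFFFFF

def decode_gcdata(gcdata: str, signature: Optional[int] = None) -> Dict[str, object]:
    """Reverse the encoding for an intercepted request. When the captured
    signature parameter is supplied it is checked first, so a damaged
    capture is reported instead of being turned into garbage JSON."""
    if signature is not None and (zlib.crc32(gcdata.encode()) & 0xFFFFFFFF) != signature:
        raise ValueError("signature does not match gcdata")
    return json.loads(_invert(base64.b64decode(gcdata)))

# ---- file_info header ------------------------------------------------------
# struct file_info { char label[4]; uint32_t label2; uint64_t archive_size;
#                    char f_pub_key[32]; char s_ec_pub_1[32]; char s_ec_pub_2[32];
#                    char encrypted_info[80]; }  -> 192 bytes, little-endian (assumed)
FILE_INFO = struct.Struct("<4sIQ32s32s32s80s")
LABEL = b"HUI\x00"

def parse_file_info(blob: bytes) -> Optional[Dict[str, object]]:
    """Return the header fields if blob starts with a Polyglot file_info
    structure, else None. Only the fixed label/label2 values are checked,
    which is enough to triage whether a file carries this header."""
    if len(blob) < FILE_INFO.size:
        return None
    label, label2, archive_size, f_pub, s_pub1, s_pub2, enc_info = FILE_INFO.unpack_from(blob)
    if label != LABEL or label2 != 1:
        return None
    return {"archive_size": archive_size, "f_pub_key": f_pub,
            "s_ec_pub_1": s_pub1, "s_ec_pub_2": s_pub2,
            "encrypted_info": enc_info}

def build_sample_file_info(archive_size: int) -> bytes:
    """Constructed sample header; the key fields are dummy bytes, not curve points."""
    return FILE_INFO.pack(LABEL, 1, archive_size, b"\x01" * 32, b"\x02" * 32,
                          b"\x03" * 32, b"\x04" * 80)

if __name__ == "__main__":
    beacon = {"ip": "203.0.113.7", "method": "register", "version": "10f",
              "end_time": "0", "user_id": "5"}          # constructed sample
    gc, sig = encode_gcdata(beacon)
    print(gc, hex(sig), decode_gcdata(gc, sig))
    print(parse_file_info(build_sample_file_info(1234) + b"\xAA" * 16))
```

The 80-byte encrypted_info field is consistent with the decryption_info structure above (32 + 36 + 12 = 80 bytes), which is a multiple of the AES block size, so AES-256-ECB produces no padding; the parser uses that fixed size rather than trying to interpret the ciphertext.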

New batch of leaked Colin Powell e-mails lambasts Trump and Clinton

Add former Secretary of State Colin Powell to the list of high-ranking Washington insiders whose leaked e-mails are rankling their peers with just weeks to go before the US presidential election. DC Leaks, a site that researchers at security firm ThreatConnect have linked to the Russian government, has published 26 months of Powell's e-mails, spanning from June 2014 to last month, news organizations reported Wednesday.

The trove, which contains highly candid comments lambasting presidential candidates Donald Trump and Hillary Clinton, is part of a new batch that's separate from Powell e-mails leaked a few years ago. Powell aides reportedly confirmed the new compromise, telling The New York Times that the leaked messages "are his e-mails." In the e-mails, Powell describes Trump as a "national disgrace" and portrays the candidate as someone who is unfit to be president. As reported by Politico, Powell wrote in a June 23 e-mail to former Secretary of State Condoleezza Rice that "if Donald were to somehow win, by the end of the first week in office he'd be saying 'What the hell did I get myself into?'" The e-mails also castigate Clinton aides for linking Clinton's use of a private e-mail server during her tenure as secretary of state to Powell's use of a private e-mail address while he held the same post. The Clinton campaign’s “email ploy this week didn't work and she once again looks shifty if not a liar,” Powell wrote on August 20 to someone he worked with at the White House. “Trump folks having fun with her.” There are many more highly critical remarks on a range of people and highly charged issues.
It remains unclear how the 26 months of e-mail, which all appear to have been sent to or received from Powell's Gmail account, were compromised. Many of the similar leaks attributed to Russian hackers, including one from Tuesday involving the World Anti-Doping Agency, have stemmed from spear phishing attacks, which use personalized e-mails to trick a target into inadvertently revealing login credentials to the attacker. Another possibility is that Powell used the same password to protect both his Gmail account and a separate account from a server that was compromised in the past.
Indeed, Powell's e-mail address and password hash are contained in the list of 68 million Dropbox accounts compromised in 2012 that was made public two weeks ago, an independent security researcher said. The leak comes a few months after a person or group with the name Guccifer 2.0 published e-mails taken from one or more hacks of the Democratic National Committee.
Some of the contents that appeared to show Democratic officials denigrating former Democratic candidate Bernie Sanders before he was defeated in the primaries led to the resignation of DNC Chair Debra Wasserman Schultz. Powell's e-mails were published on a password-protected portion of DC Leaks that was available only to select news outlets.
So far, there have been no definitive reports on precisely how the messages were obtained by DC Leaks.

A malicious pairing of cryptor and stealer

We have already seen some cryptor attacks where malicious programs with different functions have been used in combination.

For example, one version of the Shade cryptor checks victim computers for signs of accounting activity; if it finds any, it doesn’t encrypt the files, but instead installs remote control tools in the infected system.

The bot can then be used by cybercriminals to steal money, a much more profitable outcome than just receiving a ransom to decrypt some files. The owners of the RAA cryptor, however, took a different tack.

The Trojan is delivered in emails that mostly target corporate users.

After a successful infection, RAA executes its main task, i.e. encrypts the user’s files. However, it doesn’t stop there: some versions of RAA also include a Pony Trojan file, which steals confidential information from the infected computer. Using the stolen data, the cybercriminals can gain access to the victim’s mail clients and other resources. We can assume that the owners of RAA use these resources to carry out targeted attacks – sending out emails with the cryptor malware to the addresses on the victim’s contact list.

This substantially improves the probability of subsequent infections. In this article, we will provide details of how a pair of malicious programs – a new version of the RAA cryptor and the Pony stealer Trojan – work in unison.

The RAA cryptor

The RAA cryptor (Kaspersky Lab verdict: Trojan-Ransom.JS.RaaCrypt) was first detected in June 2016.
It caught the attention of researchers and analysts due to the fact that it was written entirely in JavaScript, which is a rarity when it comes to ransomware cryptor Trojans. We recently detected a new version of this Trojan that has a few differences from earlier known modifications. Let’s have a closer look at this particular sample, which has been assigned the verdict Trojan-Ransom.JS.RaaCrypt.ag.

Propagation

The body of this new version of RAA is a script in JScript (with a .js file extension).

The malicious script is sent to potential victims attached to a spam message in a ZIP file with the password ‘111’. The attack is aimed primarily at corporate users: the message mimics finance-related business correspondence, and the script’s name is similar to those shown below:

- Счета на оплату _ август 2016 согласовано и отправлено контрагенту для проведения оплаты _aytOkOTH.doc.js (Invoice_August 2016 approved and sent to contractor for payment _aytOkOTH.doc.js)
- Счета на оплату _ август 2016 согласовано и отправлено контрагенту для проведения оплаты _EKWT.doc.js (Invoice_August 2016 approved and sent to contractor for payment _EKWT.doc.js)

The message body reads: “Let’s presume we made a concession when we allowed you to postpone your due payment. We understand you may have difficulties, but do we have to wait for another two months? To be honest, we don’t really want to go to court. Please make all the payments in next few days.” The message includes a notice saying: “The company… notifies you that in line with internal security regulations, all outgoing emails are subject to asymmetric encryption. Dear client, your password for this message is 111.”

People who know what ‘asymmetric encryption’ is will probably just smile at this; however, the message is obviously targeting a different audience. It should be noted that sending malicious content in a password-protected archive is a well-known trick used by cybercriminals to prevent anti-malware systems installed on mail servers from unpacking the archive and detecting any malicious content.
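Even when a mail gateway cannot open a password-protected archive, the entry names inside a ZIP are stored in the clear, so a gateway can still flag the combination described above (an encrypted ZIP whose entry is a script with a document-looking double extension such as ".doc.js"). The following triage routine is an added example, not code from the Kaspersky analysis; the list of script extensions and the sample archive are constructed for the demonstration, and because Python's zipfile cannot write encrypted entries the sample sets the "encrypted" flag bit in the headers by hand.

```python
"""Mail-gateway style triage of ZIP attachments without knowing the password.
Added example; SCRIPT_EXTS and the sample archive are constructed."""
import io
import zipfile
from typing import List

SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")  # assumed set of script types to flag
ENCRYPTED_FLAG = 0x1   # bit 0 of the ZIP general-purpose flag field

def triage_zip(data: bytes) -> List[str]:
    """Return findings for an attachment. Only the central directory is read,
    which works even when every entry's content is password-protected."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            base = name.rsplit("/", 1)[-1]
            is_script = base.endswith(SCRIPT_EXTS)
            double_ext = is_script and len(base.split(".")) >= 3   # e.g. "invoice.doc.js"
            if info.flag_bits & ENCRYPTED_FLAG:
                findings.append(f"{info.filename}: content is password-protected (cannot be scanned)")
            if is_script:
                findings.append(f"{info.filename}: script file in attachment")
            if double_ext:
                findings.append(f"{info.filename}: document-looking double extension hides a script")
    return findings

def build_sample_zip(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Constructed sample archive. For the encrypted case the flag bit is set
    in the local header (offset 6) and central directory header (offset 8);
    the payload itself stays in the clear, which is fine because the triage
    never reads entry content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= ENCRYPTED_FLAG
                pos = data.find(sig, pos + 1)
    return bytes(data)

if __name__ == "__main__":
    sample = build_sample_zip("Invoice_August 2016_aytOkOTH.doc.js", b"var x = 1;", True)
    for line in triage_zip(sample):
        print(line)
```

A gateway policy built on this would quarantine on the first finding alone: an attachment the scanner cannot open is exactly the case the trick is designed to create, and the extra findings only raise confidence.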

To unpack an archive like this, the anti-malware product must automatically retrieve the password from the message, which isn’t always possible. For an infection to occur, users have to unpack the archive themselves and launch the .js file.

Script obfuscation

The code of the malicious script was deliberately obfuscated to complicate things for malware analysts.

The content of the script looks like this in the source code:

(Figure: Fragment of the obfuscated code)

If we restore the line breaks and indents, it becomes obvious that the obfuscation involves renamed variables and functions, as well as strings hidden in the global array.

After de-obfuscation and function renaming, the same section of code becomes much easier to read.

(Figure: Fragment of de-obfuscated code)

The script is nearly 3,000 lines long. Most of this is taken up by an implementation of the legitimate CryptoJS library, and an implementation of the RSA encryption procedure, which was also taken from public sources by the cybercriminals.

How the Trojan works

To lull the victim into a false sense of security, the RAA cryptor demonstrates a fake Microsoft Word document immediately after it launches.

This document is in fact an RTF file specially crafted by the cybercriminals. (The document is contained in the Trojan’s body encoded in Base64 format.)

(Figure: The fake document displayed to the victim)

While the user is reading the message about a document that’s supposedly not being displayed properly, the Trojan is doing its dirty work:
- Registers itself to be autostarted with Windows;
- Deletes the registry key associated with the VSS service (to prevent the restoring of files from shadow copies);
- Sends a request to the C&C server (unlike all previous versions of this Trojan, this version doesn’t wait for the delivery of keys from the server – the request is only sent so the cybercriminals can collect statistics);
- Proceeds to search for files and encrypts them.

Key generation

Unlike earlier RAA modifications, this version of the cryptor does not request an encryption key from the C&C.
Instead, the Trojan generates a session key on the client.

To do so, it calls the WinAPI function RtlGenRandom which is considered a cryptographically secure generator of pseudorandom numbers. To ensure it can call WinAPI functions from JS code, the Trojan uses a legitimate third-party OCX component called DynamicWrapperX.

The Trojan stores it in its body in a Base64-encoded format, and installs it in the infected system. RAA has both 32-bit and 64-bit versions of DynamicWrapperX so it can attack systems running under both Windows architectures. The Trojan encrypts the generated session key with an RSA algorithm (the public RSA-2048 key is contained within the script) and saves it to a file with the name “KEY-…”, where the multiple periods stand for a unique 36-character infection ID.

File encryption

RAA searches for and encrypts files with the extensions .doc, .xls, .rtf, .pdf, .dbf, .jpg, .dwg, .cdr, .psd, .cd, .mdb, .png, .lcd, .zip, .rar, .csv whose names do not contain the substrings “.locked”, “~”, “$”. When searching for files, the Trojan skips folders named “WINDOWS”, “RECYCLER”, “Program Files”, “Program Files (x86)”, “Windows”, “Recycle.Bin”, “RECYCLE.BIN”, “Recycler”, “TEMP”, “APPDATA”, “AppData”, “Temp”, “ProgramData”, and “Microsoft”. When processing each file, RAA uses the session key to generate a file key and initialization vector (IV).

The contents of the files are encrypted in different ways depending on the file size:
- 0 to 6,122 bytes: the file is encrypted in full.
- 6,123 to 4,999,999 bytes: three fragments are selected for encryption in different sections of the file. The first, 2000- to 2040-byte fragment is selected at the beginning of the file; the location and size of the two other fragments depend on the size of the first fragment and the overall size of the file.
- 5,000,001 to 500,000,000 bytes: two fragments of 90,000-125,000 bytes are selected for encryption (from the beginning and end of the file).
- 500,000,001 bytes and larger: not encrypted.

A string is added at the end of the encrypted file that contains “IDNUM” (infection ID), “KEY_LOGIC” (indexes to construct the file key from the session key), “IV_LOGIC” (indexes to construct the IV from the session key), and “LOGIC_ID” (possible values are “1”, “2” or “3” – the selected encryption method depending on the file size).

The encrypted file is given the additional extension .locked.

(Figure: The string added to the end of the encrypted file)

Ransom demand

When the files are encrypted, RAA displays a file with the cybercriminals’ demands and contacts in WordPad.

The Trojan fills the text template with a 36-character ID which is unique for each case.

(Figure: The file containing the cybercriminals’ demands)

The cybercriminals suggest that the victims purchase a file decryption key and software from them.

Two methods of communication are available: email and the Bitmessage service.

The victim is expected to pay for the decryption key in bitcoins.

Plus a stealer Trojan

The damage caused by the Trojan is not limited to encrypting files. Like some of the earlier versions of RAA, the version we are examining has some added features.

The Trojan contains an executable file encoded in Base64, which it writes to the hard drive at ‘C:\Users\<username>\Documents\ii.exe’ and launches after it has finished encrypting files.

Analysis revealed that ‘ii.exe’ is none other than Pony, a known password-stealing Trojan (detection verdict: Trojan-PSW.Win32.Tepfer.gen). Pony has proved to be an unusually long-lived Trojan.
Its early versions supposedly emerged back in 2011, while in December 2013, as reported by the mass media, it stole the credentials of over 2 million users. Naturally, after all that time Pony’s source code appeared on the web at some point.

Analysis showed that the executable file we are analyzing here was constructed using Pony source code.

Pony: confidential data theft

To recap, Pony’s main task is to collect confidential information from an infected computer and then send it to the cybercriminals.

Step 1. Stealing information

Below is a short list of the information that Pony hunts for.

Passwords stored in web browsers: Microsoft Internet Explorer, Google Chrome, Opera, Mozilla Firefox, K-Meleon, Яндекс.Браузер (Yandex Browser), Flock.

Credentials to dozens of the most popular FTP clients: CuteFTP 6\7\8\9\Pro\Lite, FTP Navigator, FlashFXP 3\4, FileZilla, FTP Commander, Bullet Proof FTP Client, SmartFTP, TurboFTP, FFFTP, COREFTP, FTP Explorer, ClassicFTP, SoftX.org FTPClient, LeapFTP, FTP CONTROL, FTPVoyager, LeechFTP, WinFTP, FTPGetter, ALFTP, BlazeFtp, Robo-FTP 3.7, NovaFTP, FTP Surfer, LinasFTP, Cyberduck, WiseFTP.

Accounts with the most widespread mail clients: Microsoft Outlook, Mozilla Thunderbird, The Bat!, Windows Live Mail, Becky! Internet Mail, Pocomail, IncrediMail.

Various cryptocurrency wallet files: PPCoin, Primecoin, Feathercoin, ProtoShares, Quarkcoin, Worldcoin, Infinitecoin, Fastcoin, Phoenixcoin, Craftcoin.

The Trojan also has the following capabilities:
- Pony steals the user’s digital certificates.
- Pony stores a list of the most widespread combinations that users use as passwords. Using this list, it attempts to gain access to the accounts on an infected computer.

Step 2. Data encryption and sending

Before sending the collected information to the cybercriminals, Pony encrypts it using the RC4 algorithm. When doing so, the Trojan keeps records of the checksums for the obtained data (slightly modified results of the CRC32 algorithm are used). The sequence is as follows:
1. Calculate the checksum of the non-encrypted data.
2. Write the obtained value next to the input data.
3. Encrypt the input data with the RC4 algorithm using the key that the cybercriminals specified when they compiled the Trojan.
4. Calculate the checksum of the encrypted data.
5. Write the obtained value next to the input data.
6. Generate a random 4-byte key.
7. Encrypt the input data with the RC4 algorithm using the generated key.
8. Generate a data package ready for sending that can be described with a ToSend structure (see below).

struct ToSend {
    dword random_key;
    byte* double_encrypted_data;
};

(Figure: A non-encrypted fragment of the generated report)

(Figure: Fragment of the report that is ready for sending. The encryption key is highlighted in red)

When the data is brought up to the required form, Pony sends it to the cybercriminals.

MD5
Trojan-Ransom.JS.RaaCrypt.ag: 68288a9f7a6bc41c9550a417d1721321
Trojan-PSW.Win32.Tepfer.gen (Pony): 1de05ee1437d412cd328a6b3bd45fffc
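The eight-step packaging sequence above, as an added example that is not Pony's code and not part of the Kaspersky analysis: a plain RC4 plus CRC32 re-implementation of the ToSend layout, with an unpack routine of the kind an analyst holding the build-time key would use on an intercepted upload. Assumptions: the "slightly modified" CRC32 the analysis mentions is not documented on the page, so standard CRC32 is used; each checksum is appended after the data it covers; the random 4-byte key is transmitted in front of the data, as the ToSend structure suggests. The build key and report content are constructed samples.

```python
"""Pony-style report packaging (added example, not the Trojan's code).
Assumptions: standard CRC32, checksum appended after its data,
4-byte random key sent in front of the double-encrypted body."""
import os
import struct
import zlib
from typing import Optional

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def crc32_le(data: bytes) -> bytes:
    """CRC32 as 4 little-endian bytes (assumption: standard, unmodified CRC32)."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def pack_report(report: bytes, build_key: bytes, random_key: Optional[bytes] = None) -> bytes:
    """Produce the ToSend blob: random_key (4 bytes) || double_encrypted_data."""
    if random_key is None:
        random_key = os.urandom(4)                      # step 6
    stage1 = rc4(build_key, report + crc32_le(report))   # steps 1-3: checksum, append, RC4 with build key
    stage2 = rc4(random_key, stage1 + crc32_le(stage1))  # steps 4-7: checksum, append, RC4 with random key
    return random_key + stage2                           # step 8

def unpack_report(blob: bytes, build_key: bytes) -> bytes:
    """Reverse the packaging. Both checksums are verified on the way in, so a
    wrong build key or a damaged capture is reported rather than decoded."""
    if len(blob) < 4 + 8:
        raise ValueError("blob too short to hold a key and two checksums")
    random_key, body = blob[:4], blob[4:]
    stage1_with_crc = rc4(random_key, body)
    stage1, crc_outer = stage1_with_crc[:-4], stage1_with_crc[-4:]
    if crc32_le(stage1) != crc_outer:
        raise ValueError("outer checksum mismatch: damaged data")
    plain_with_crc = rc4(build_key, stage1)
    report, crc_inner = plain_with_crc[:-4], plain_with_crc[-4:]
    if crc32_le(report) != crc_inner:
        raise ValueError("inner checksum mismatch: wrong build key")
    return report

if __name__ == "__main__":
    BUILD_KEY = b"constructed-build-key"                 # constructed, not a real Pony key
    sample_report = b"MOD:ftp\nHOST:ftp.example.invalid\nUSER:demo\nPASS:demo\n"  # constructed
    blob = pack_report(sample_report, BUILD_KEY)
    print(blob.hex())
    print(unpack_report(blob, BUILD_KEY).decode())
```

Note that the outer layer adds no secrecy at all: its key travels in the clear in the first four bytes, so anyone with the traffic can strip it, and only the compiled-in build key protects the report. That is why a network detection for this family does not need to break anything; it needs the build key or simply the shape of the upload.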

Shade: not by encryption alone

Malefactors continue to expand the features of ransomware as they try to extract maximum benefit from the compromise of infected computers. We recently found an interesting example of such an “upgrade”: new logic in the latest version of the Shade encryptor currently being spread widely within the territories of Russia and CIS. On the basis of this logic, the ransomware checks the computer for any involvement in accounting activities and, if the check is successful, installs remote control tools into the compromised system instead of encrypting the victim’s files.

Accountant, my sweet accountant

For the initial check, the updated Trojan (verdict Trojan-Ransom.Win32.Shade.yb) searches the list of installed applications and looks for strings associated with bank software.

After that the ransomware looks for “BUH”, “BUGAL”, “БУХ”, “БУГАЛ” (accounting) in the names of the computer and its user.
If a match is found, the Trojan skips the standard file search and encryption procedure and instead downloads and executes a file from the URL stored in the Trojan’s configuration, and then exits. Technically the new features look like this: there is a block of base64-encoded data in the body of the ransomware (which was not present in earlier versions of Shade):

(Figure: Base64-encoded data block in the body of the ransomware)

We can see the following configuration block when decoding is completed:

(Figure: Decoded configuration block)

Shade initiates the check of an infected system in accordance with this configuration block directly after it starts. The executable that the Shade.yb Trojan downloads to the user’s computer turned out to be a bot known as Teamspy.

This bot uses the legitimate TeamViewer 6 remote control utility for communication with its command-and-control (C&C) server and modifies it on the fly for the purpose of discreet execution. Plugins (in our case installvpn.pg, rdw.pg, scankey.pg) propagate along with the bot; they are stored in encrypted form and are decrypted in RAM only.

A decrypted plugin is basically a DLL with an export named InitPg which is called by the main module of the bot.

There are two plugins which, when executed, provide malefactors with remote access to an infected machine through the Remote Desktop Protocol (RDP):
- installvpn.pg: covertly installs the TeamViewer VPN driver; and
- rdw.pg: covertly installs the “RDP Wrapper Library” application and changes system settings in order to enable the RDP connection.

The bot does not connect automatically to the VPN, so it is quite possible that the malefactors keep this opportunity for some specific cases.

System infection

The downloaded Teamspy executable file is basically an NSIS installer.
It includes:
- NSIS script script.bin (the script that controls the unpacking process);
- Standard NSIS plugins: nsExec.dll, StdUtils.dll, System.dll;
- Legitimate utility NirCmd (file 6kzi6c94h2oeu4);
- Legitimate utility 7zip (file vuoup3teqcux6q);
- Image 2b6zfhf3ui7e03iv6.jpg; and
- Image 6nmxxselb250du8c.jpg with an embedded password-protected 7z archive.

When the installer is started, it executes script.bin.

The script calculates the BLAKE2-512 hash of the 2b6zfhf3ui7e03iv6.jpg content by means of StdUtils.dll and uses the resulting string as the password to the 7z archive hidden inside 6nmxxselb250du8c.jpg. The following files from the password-protected 7z are extracted to the hidden folder “%APPDATA%\Div”:
- x64 subfolder containing install64.exe, teamviewervpn.cat, TeamViewerVPN.inf and teamviewervpn.sys files (legitimate components of TeamViewer);
- x86 subfolder containing install86.exe, teamviewervpn.cat, TeamViewerVPN.inf and teamviewervpn.sys files (legitimate components of TeamViewer);
- avicap32.dll (the bot body);
- cfmon.exe (legitimate executable file of TeamViewer);
- installvpn.pg, rdw.pg, scankey.pg (encrypted bot plugins);
- tv.cfg (encrypted bot config); and
- Legitimate components of TeamViewer: TeamViewer_Desktop.exe, TeamViewer_Resource_en.dll, tv_w32.dll, tv_w32.exe, tv_x64.dll, tv_x64.exe.

The installer starts up cfmon.exe upon unpacking. When this process begins, the malicious library avicap32.dll (which is the body of the bot) is automatically loaded and executed.

This technique of overriding a legitimate DLL with a malicious one is well-known under the name ‘DLL hijack’.
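The drop layout above leaves a simple host-side footprint: a file carrying the name of a Windows system DLL (avicap32.dll) sitting beside a legitimate executable in a user-writable folder such as %APPDATA%\Div. The scanner below is an added example, not code from the Kaspersky analysis; it walks a directory tree and reports exactly that pattern. The set of DLL names is seeded only with the one the page documents and is meant to be extended; the directory tree it is demonstrated on is constructed in a temporary folder.

```python
"""Scan for DLL search-order hijack footprints: a known system DLL name next
to an executable in a user-writable tree. Added example; SYSTEM_DLL_NAMES is
seeded only with the name from the analysis and the sample tree is constructed."""
import os
import shutil
import tempfile
from typing import Dict, List

# Name(s) of system DLLs to look for beside executables. Only avicap32.dll is
# taken from the analysis above; extend with the names your environment cares about.
SYSTEM_DLL_NAMES = {"avicap32.dll"}

def find_sideloaded_dlls(root: str) -> List[Dict[str, str]]:
    """Walk root; for every directory that holds at least one .exe, report
    any file whose name matches a known system DLL name (case-insensitive).
    A match is not proof by itself but is exactly the Teamspy drop pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        lowered = {f.lower(): f for f in files}
        exes = sorted(lowered[f] for f in lowered if f.endswith(".exe"))
        if not exes:
            continue
        for name in lowered:
            if name in SYSTEM_DLL_NAMES:
                hits.append({"dir": dirpath, "dll": lowered[name],
                             "loaded_by": ", ".join(exes)})
    return hits

def build_sample_tree() -> str:
    """Constructed layout mirroring the drop folder: Div with cfmon.exe and
    avicap32.dll, plus a clean folder (exe + ordinary DLL) that must not fire."""
    root = tempfile.mkdtemp(prefix="teamspy-demo-")
    div = os.path.join(root, "Div")
    os.makedirs(div)
    for fname in ("cfmon.exe", "avicap32.dll", "tv.cfg", "installvpn.pg"):
        open(os.path.join(div, fname), "wb").close()
    clean = os.path.join(root, "Clean")
    os.makedirs(clean)
    for fname in ("notepad-clone.exe", "helper.dll"):
        open(os.path.join(clean, fname), "wb").close()
    return root

if __name__ == "__main__":
    demo_root = build_sample_tree()
    try:
        for hit in find_sideloaded_dlls(demo_root):
            print(f"{hit['dir']}: {hit['dll']} beside {hit['loaded_by']}")
    finally:
        shutil.rmtree(demo_root)
```

On a real host the natural root is each user's %APPDATA% and %LOCALAPPDATA%, where a legitimate installation of TeamViewer would not normally place a system DLL of its own; the hit list then feeds the usual triage (hash the DLL, compare with the copy in System32, check what spawned the executable).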

The body of the bot contains several layers of encryption and is obfuscated in order to complicate analysis.

Modus operandi of the bot

During execution the malicious avicap32.dll modifies the functionality of the running TeamViewer process by intercepting some system calls as well as TeamViewer’s internal procedures. Hiding the software window and its icon in the notification area is one result of such modifications.

The user of the infected computer cannot see the software’s graphical user interface (GUI) and may not suspect its presence unless they check the list of running processes.

(Figure: Fragment of the hook installation procedure pseudocode)

In addition to hiding the TeamViewer interface, avicap32.dll decrypts and uses the data of the tv.cfg configuration file.

(Figure: Decrypted content of tv.cfg)

The szadminhost field value is the address of the C&C server that communicates with the bot.

Communication is based on the HTTP protocol.

(Figure: Example of intercepted traffic)

In the first request, the bot informs the C&C of its existence.

The C&C responds with a command (in this case “lexec” means file downloading and execution, for information on other commands see below).
In the third request, the bot informs the server of the command execution results: “cmd=1” – success, “cmd=2” – error. The server’s commands are processed in a separate thread started from the procedure installed for the interception of the API function SetWindowTextW.

(Figure: General view of the execution graph of the function that processes and executes server commands)

(Figure: Fragment of the execution graph of the function that processes and executes server commands)

(Figure: List of strings including commands received by the bot)

We would like to underline the most interesting commands received by the bot:
- startaudio / stopaudio: start/stop audio recording;
- startvideo / stopvideo: start/stop video recording of the screen;
- lexec: download and execute a file from a URL provided by the C&C server; and
- cmd: provide malefactors with a remote control console.

Other commands involve updating the configuration file and some of its fields, updating or deleting plugins, controlling PC power (shutdown, restart), restarting the bot’s own process, or self-deleting.

Conclusion

The use of bots offers malefactors a wide range of possibilities to enrich themselves, and even a single successful infection can bring in substantial cash flows.

Essentially the Trojan encryptors pass the initiative to the user (and it’s up to the user to decide whether to pay for their files or not) and the owners take into consideration the average financial solvency of the victim in assigning the ransom sum.

The option of remote access to an infected accounting system allows the malefactor to secretly keep an eye on the victim’s activities and collect detailed information on the victim’s solvency in order to use the most efficient way of getting cash. Kaspersky Lab products detect the bot’s body as Trojan-Spy.Win32.Teamspy.gl; this malware is also known as TVSPY, TVRAT and SpY-Agent. Victims infected with Shade versions 1 and 2 have a chance to retrieve their data without paying the cybercriminals. IT security companies joined forces with law enforcement agencies to create a decryption tool, which is available on the NoMoreRansom webpage.

MD5
Trojan-Ransom.Win32.Shade.yb: 21f4bbcd65d0bff651fa45d442e33877
Trojan-Spy.Win32.Teamspy.gl: 4235f3730bbd303d9b3956f489ff240d