xaxam: (Default)
[personal profile] xaxam

A brief summary of Ridley Scott's film epic

I'd bear for the father tsar
A mighty bogatyr,
But something went wrong...
Pushkin brilliantly foresaw it all.
[syndicated profile] incident_handler_feed

1. Introduction

While hunting some phishing emails these days, I came across a malware campaign similar to EngineBox, a banker capable of stealing user credentials from multiple banks [1]. XPCTRA, as I call today’s variant, in addition to banking data, steals online digital wallet users’ credentials from services such as Blockchain.info and PerfectMoney.

The malspams used in the campaign try to induce the victim to open a supposed bank bill link. It actually leads to the download of the XPCTRA dropper, that is, the part of the malware responsible for environment recognition and downloading new components. Once executed, it initiates a connection with an Internet address to download the other malware parts responsible for the later malicious actions.

In this diary, I present the XPCTRA analysis and the indicators of compromise used in this campaign.

2. Threat analysis

Unlike the previous variant, XPCTRA (read it like “expectra”) does not use as many layers of encoding as EngineBox did to try to bypass security controls, which made the analysis simpler.

Look at the diagram shown in Figure 1 and the textual description below to understand the threat flow, from malicious e-mail to data theft:

  • The infection vector (malspam) links to a supposed PDF invoice, which actually leads the victim to download an executable file (the dropper);
  • Once executed, the dropper downloads a “.zip” file, unzips it and executes the malware payload;
  • It then begins a series of actions, including:
    • Persists itself in the OS, in order to survive a system reboot;
    • Changes Firewall policies to allow the malware to communicate unrestrictedly with the Internet;
    • Instantiates “Fiddler”, an HTTP proxy that is used to monitor and intercept the user's access to the financial institutions;
    • Installs the Fiddler root certificate to prevent the user from receiving digital certificate errors;
    • Points the Internet browsers' settings to the local proxy (Fiddler);
    • Monitors and captures user credentials while accessing the websites of two major Brazilian banks and other financial institutions;
    • Sends the stolen credentials to the criminals through an unencrypted C&C channel;
    • Establishes an encrypted channel to allow the victim’s system to be controlled by the attackers (RAT);
    • Monitors and captures user credentials while accessing email services like Microsoft Live, Terra, IG and Hotmail. These accounts are used to spread the malware further.

Figure 1 - XPCTRA Threat Flow

NOTE: The XPCTRA sample analysed here (idfptray.exe) was not yet known by VT (VirusTotal) until my submission.

3. Quasar RAT

After posting the EngineBox malware analysis [1] last month, I learned through community feedback that the threat embedded a framework called Quasar RAT [2], developed in C#. The goal of this framework is to provide a tool for remote access and management of Windows computers, hence the name RAT (Remote Access Tool).

It turns out that the variety of functions the open-source framework offers, such as remote desktop, keylogger, etc., made it quite attractive to cybercriminals, who ended up using it as a RAT (Remote Access Trojan) inside their malware.

Notice in Figure 2 the similarity between the Quasar RAT directory tree on the left and the XPCTRA code on the right.

Figure 2 - Similarity between Quasar RAT and XPCTRA directory trees

In addition to Quasar, XPCTRA incorporates Fiddler to play the role of HTTP proxy and, of course, the code responsible for intercepting communications with financial institutions and for sending SPAM as well.

4. Digital currency wallets

In addition to banking credentials, XPCTRA is able to steal the credentials of digital currency wallets hosted online, such as Blockchain.info, PerfectMoney and Neteller. Look at Figures 3 and 4 for code snippets showing the moments at which user credentials for some of these institutions are captured and sent.

Figure 3 - Capturing user’s PerfectMoney credentials

Figure 4 - Sending data to C&C

5. Final words

The result of this analysis draws our attention to the security of digital currency wallets, especially those “hosted” in the cloud. Just as customers of traditional financial institutions have faced over the years the most diverse fraud attempts and had to protect themselves, so should digital money users. Give preference to services that offer a second authentication factor for transactions and be sure to enable it.

6. Indicators of compromise (IOCs)

MD5 (250920178234282343294329423.exe) = 4fec5a95ba8222979b80c0fc83f81edd
MD5 (idfptray.exe) = 339c48b0ac25a9b187b8e76582580570

coca.cheddarmcmelt.top TCP/8799
coca.cheddarmcmelt.top TCP/222
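As an added example (not part of the diary or of Morphus Labs' tooling), the following PowerShell triage script checks a single Windows host for the behaviours described in the threat flow above and for the indicators listed in this section. It assumes that Fiddler's root certificate keeps its default subject (DO_NOT_TRUST_FiddlerRoot), that the Get-Net* cmdlets are available (Windows 8 / Server 2012 or later), and that it runs from an elevated session; the checks are heuristics, so any hit should be confirmed manually.

```powershell
# Added triage script (not from the ISC diary): checks one Windows host for the
# XPCTRA behaviours and indicators described above. Assumptions: Fiddler's root CA
# keeps its default subject "DO_NOT_TRUST_FiddlerRoot"; the Get-Net* cmdlets exist
# (Windows 8 / Server 2012 or later); run from an elevated PowerShell session.

$KnownBadMd5 = @{                                   # hashes from the diary's IOC section
    '4fec5a95ba8222979b80c0fc83f81edd' = '250920178234282343294329423.exe (dropper)'
    '339c48b0ac25a9b187b8e76582580570' = 'idfptray.exe (payload)'
}
$C2Host  = 'coca.cheddarmcmelt.top'
$C2Ports = 8799, 222
$findings = @()

# 1. Fiddler root certificate installed into a trusted root store (user or machine)
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    Get-ChildItem $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match 'FiddlerRoot' } |
        ForEach-Object { $findings += "Fiddler root CA in ${store}: $($_.Thumbprint)" }
}

# 2. WinINET (IE/Edge/Chrome) proxy pointed at a listener on the local machine
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1 -and $inet.ProxyServer -match '127\.0\.0\.1|localhost') {
    $findings += "User proxy points to a local listener: $($inet.ProxyServer)"
}

# 3. Outbound firewall allow rules tied to the payload's file name
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $app = ($_ | Get-NetFirewallApplicationFilter).Program
        if ($app -match 'idfptray\.exe$') { $findings += "Firewall allow rule '$($_.DisplayName)' for $app" }
    }

# 4. C&C traces: the domain in the DNS client cache, or established sessions to its ports
Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$C2Host*" } |
    ForEach-Object { $findings += "C&C host in DNS cache: $($_.Entry) -> $($_.Data)" }
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $C2Ports -contains $_.RemotePort } |
    ForEach-Object { $findings += "Session to $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess)" }

# 5. Known sample hashes anywhere under the user profile
Get-ChildItem $env:USERPROFILE -Recurse -Include *.exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash $_.FullName -Algorithm MD5).Hash.ToLower()
        if ($KnownBadMd5.ContainsKey($h)) { $findings += "Known sample $($_.FullName) = $($KnownBadMd5[$h])" }
    }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No XPCTRA indicators found.' }
```

The port check on TCP/222 in particular can match unrelated traffic, so treat the session and DNS-cache hits as leads to pivot on (owning process, binary hash) rather than as confirmation by themselves.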

7. References

[1] https://morphuslabs.com/enginebox-malware-amea%C3%A7a-clientes-de-mais-de-10-bancos-brasileiros-a8061c4c3cda
[2] https://github.com/quasar/QuasarRAT

Renato Marinho
Morphus Labs | LinkedIn | Twitter

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Security to all!

Sep. 26th, 2017 07:16 am
scif_yar: (Default)
[personal profile] scif_yar posting in [community profile] ru_sysadmins
October 11 at 9:00 (MSK). Online master class by Paula Januszkiewicz, a professional hacker on the side of good: Security of corporate Windows
[syndicated profile] betanews_feed

Posted by Ian Naylor

Welcome to the exciting world of Progressive Web Apps. You're likely reading this because you've been converted to the PWA cause: a best-of-both-worlds fusion of website reliability and app functionality. Finally, we have a mobile friendly way to combine the speed and directness of websites (no downloads required) with the functionality of apps, like offline browsing, home screen installation and push notifications. With brands from Twitter to the Washington Post and Lancôme (more on that later) embracing the possibilities of PWAs, the question is no longer "Should you have a PWA?" but "What are the implications for my business?" So, before deciding to…


Sep. 25th, 2017 05:53 pm
lxe: (280)
[personal profile] lxe
As I understand it, against the background of Grandpa Cain taking revenge for the 2008 election ("to beat Obama, they have to become him"), the most correct tactic for the forces of counter-revolution would be to leave poor Alaska alone and simply buy off one of the Democrats. Not necessarily a moderate one, just one capable of making a deal. One who understands, so to speak, the full desperation of his position. Don't tell me there are no such people, I read the news: there already are.
lxe: (fall happens)
[personal profile] lxe
(on the parallel discussion at [personal profile] glav)

...but rather by the fact that about the taste of oysters you should ask those who have eaten them, and about freedom, in the words, I think, of Lord Byron, "a prince and a Cherokee Indian"; or, in our time, field commanders and heads of states with a non-competitive political system. They are exactly the ones who perfectly distinguish their personal freedom from the "social contract", "the convictions of the collective" and other courtly statistical aggregates.

The experiment, just in case, is absolutely reproducible; one ordinary person who carried it out is now finishing a master's degree in political science.

And to better understand the meaning of any legislative prohibition, you need to look at the next goal of those who achieved it. Non-trivial, right?
[syndicated profile] betanews_feed

Posted by Brian Fagioli

Today, Apple releases macOS 10.13 High Sierra to the public after a series of beta releases. It has some cool new aspects, but for the most part, it is a very boring release. Don't get me wrong, the new APFS file system and the ability to use an eGPU, for instance, are both very big deals, but let's be honest -- the average user probably won't care. Overall, the apparent differences are few and far between -- mostly in applications such as Safari and Photos -- and you know what? That is a good thing. The fact that High Sierra…

[syndicated profile] betanews_feed

Posted by Sead Fadilpašić

Employees given one of the most popular choices of Android smartphones can now expect their devices to arrive preconfigured, meaning they can use them out of the box without the typical tedious -- albeit necessary -- setup process. A new tool rolled out by Google, called zero-touch enrolment, aims to result in less work for both administrators and end-users. Admins will be sure all corporate policies are always in place, and end users only need to log in to start using their new smartphone. As of today, the deployment method is available from Google’s zero-touch carrier partners, including BT and Deutsche Telekom in Europe, Verizon,…

[syndicated profile] bleeping_computer_feed

Posted by Catalin Cimpanu

Hours before Apple was supposed to launch its new macOS version — codenamed High Sierra (10.13) — Patrick Wardle, a well-known Apple security researcher, former NSA hacker, and Chief Security Researcher at Synack, published a video demonstrating a zero-day exploit in the company's upcoming OS. [...]
[syndicated profile] betanews_feed

Posted by Mihăiță Bamburic

GoPro started a trend when it launched the Hero4 line with 4K video recording. Today, it is pretty much impossible to find a new action camera that does not advertise this feature -- even when, in reality, most are not actually capable of it. The Hawkeye Firefly 8S is different. It is the first action camera that I have tested that offers true 4K video recording. It is also among the most affordable options on the market, which, on paper, makes it great value for money. But how good is it in the real world? I've tested it to find…

[syndicated profile] betanews_feed

Posted by Brian Fagioli

The Kodi media center is facing a lot of scrutiny in the media lately. Some people feel that the negative coverage is "fake news." It is important to remember that Kodi is not illegal. With that said, it can be made so with piracy-related addons. Since Kodi is open source, even if the developers removed the ability to install addons, other people could easily fork the code to add it back. Pandora's box cannot be closed. Many people that use Kodi do so with a dedicated Linux-based operating system, such as the excellent LibreELEC. You see, these distros exist only to run…

[syndicated profile] betanews_feed

Posted by Mark Wycislik-Wilson

Apple is switching from Microsoft Bing to Google search to power Siri and Search in iOS, and Spotlight in macOS. The changeover is taking place right now, and should be complete by the end of the day. The search switch coincides with the launch of macOS High Sierra, but Mac users will find that Bing will still be used for image searches in both Siri and Spotlight. See also: iOS 11 is causing massive battery drain problems Google kills off Google Instant search with immediate effect Warning: Toggles in the iOS 11 Control Center don't let you turn off Bluetooth…

[syndicated profile] betanews_feed

Posted by Brian Fagioli

AMD has been making big moves lately, releasing the Radeon RX Vega graphics cards and its Ryzen 3, 5, 7, and Threadripper desktop processors. The company now has a very diverse portfolio that can meet the needs of many consumers with various budgets. Intel is not content to be out of the spotlight, however. After all, the company has long been the market leader for consumer desktop performance. Today, Intel announces its much-anticipated 8th Gen Intel Core desktop processors. Believe it or not, pricing is quite reasonable. This line ranges from Core i3 to i7, meaning regardless of your budget or needs, there should be…


Sep. 25th, 2017 02:11 pm
yostrov: (Default)
[personal profile] yostrov
This entry was originally posted at http://ymarkov.dreamwidth.org/363258.html. Please comment there using OpenID.
According to USA Today, on Sunday, September 24, 2017, a certain Emanuel Kidega Samson (25 years old) arrived at a small church in the town of Antioch near Nashville, Tennessee, with a pistol. First he shot Melanie Smith (39) in the parking lot, then entered the church through the back door and opened fire on the parishioners, wounding eight people (including the pastor and his wife), two of them seriously. One of the parishioners, Robert Engle (22), who was serving as an usher, attacked the shooter. In the scuffle Samson managed to shoot himself in the left side of the chest, at which point his activity ceased. Then the usher went and got a pistol from his car, came back and held Samson at gunpoint until the police arrived. According to another source, Engle initially believed his pistol was on him. Finding that it was not, he attacked Samson anyway. Here are Samson (under escort) and Engle (with someone's child):
I suppose that nobody will interpret this incident as "at gunpoint, a white oppressor did not let an African express himself."
prof_eug: (Default)
[personal profile] prof_eug
“City-metro”, by optimising its management structure, will cut 25% of officials, starting with the highest, best-paid political level: the elders of the city districts, their deputies, the staff of advisers, assistants, etc. “City-metro” will cut Tallinn's administrative expenses by a third.

Direct link: https://youtu.be/NCCkOLSh1ls

[syndicated profile] betanews_feed

Posted by Alan Buckingham

The Internet of Things, commonly called the IoT, has become a hot topic these days for both the right and wrong reasons. It can be incredibly useful and time saving because of all the things that can be automated around the house, but there are also security risks. Since the very early days of both Amazon Echo (Alexa) and the Wink home automation hub, the two products have worked together. Now that relationship is getting stronger, with the arrival of yet more Alexa compatible Wink products. While some of these new items will integrate straight with Alexa, others require a…

[syndicated profile] betanews_feed

Posted by Chris Wiles

It doesn’t seem that long ago that all website editing was made by hand, coded carefully, put live and tested until the page worked as planned. The advantage of producing web pages in this manner is that it developed coding skills and enabled just about anyone to get a basic website live. Tools such as Dreamweaver came along in the early 00’s and changed everything, offering the ability to create web pages from simple templates, even closing off areas to non-developers so people making site changes could only edit the text components across a site. Adobe Brackets is an old-school code editor produced by…

[syndicated profile] betanews_feed

Posted by Sead Fadilpašić

Five percent of all small and medium-sized companies in the entire world were victims of a ransomware attack in 2016 alone, with the money paid out to reclaim data reaching new highs, new research has revealed. Datto's new State of the Channel Ransomware Report found that an estimated $301 million (£222 million) was paid to ransomware hackers from 2016-2017. The report, which was based on a poll of more than 1,700 managed service providers that work with more than 100,000 SMBs, also found that 99 percent of respondents believe the number of ransomware attacks will increase in the next two years. The financial strain…

Page generated Sep. 26th, 2017 05:23 am
Powered by Dreamwidth Studios