<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:dc="http://purl.org/dc/elements/1.1/"
     xmlns:dcterms="http://purl.org/dc/terms/"
     xmlns:media="http://search.yahoo.com/mrss/"
     xmlns:atom="http://www.w3.org/2005/Atom"
>
    <channel>
                    <atom:link rel="alternate" hreflang="en-GB"
                       href="https://www.itpro.com/uk/feeds/tag/trojans"
                       type="application/rss+xml"/>
                            <title><![CDATA[ Latest from ITPro UK in Trojans ]]></title>
                <link>https://www.itpro.com/uk/tag/trojans</link>
        <description><![CDATA[ All the latest trojans content from the ITPro  UK team ]]></description>
                                    <lastBuildDate>Fri, 26 Nov 2021 13:58:49 +0000</lastBuildDate>
                            <language>en</language>
                                <item>
                                                            <title><![CDATA[ CronRat Magecart malware uses 31st February date to remain undetected ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/malware/361673/cronrat-malware-31-february-evade-detection</link>
                                                                            <description>
                            <![CDATA[ The malware allows for server-side payment skimming that bypasses browser security ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">iHkAyBF4mFWyXthHjwzd3Q</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/mHZVoNc7GrXX8vf9oVhPuD-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 26 Nov 2021 13:58:49 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/mHZVoNc7GrXX8vf9oVhPuD-1280-80.jpg">
                                                                                                                                                                                                                                    <media:description><![CDATA[Cronrat strikes Linux]]></media:description>                                                            <media:text><![CDATA[Cronrat strikes Linux]]></media:text>
                                <media:title type="plain"><![CDATA[Cronrat strikes Linux]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/mHZVoNc7GrXX8vf9oVhPuD-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
<p><a href="https://www.itpro.com/security" data-original-url="https://www.itpro.com/security">Security</a> researchers have discovered a Linux-based remote access <a href="https://www.itpro.com/security/30081/what-is-a-trojan-virus" data-original-url="https://www.itpro.com/security/30081/what-is-a-trojan-virus">trojan</a> (RAT) that uses an unusual stealth technique to stay out of sight of security products.</p>
<p>The malware, dubbed CronRat, hides in the cron job scheduler of <a href="https://www.itpro.com/software/linux" data-original-url="https://www.itpro.com/search/linux">Linux</a> servers, in entries scheduled for a day that does not exist, 31 February, according to a <a href="https://sansec.io/research/cronrat">blog post</a> by security researchers at Sansec.</p>
<div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/trojans/361444/mekotio-trojan-continues-to-spread-despite-its-operators-arrests" data-original-url="/security/trojans/361444/mekotio-trojan-continues-to-spread-despite-its-operators-arrests">Mekotio trojan continues to spread despite its operators’ arrests</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/trojans/361068/android-trojan-charges-millions-of-victims-eu36-per-month" data-original-url="/security/trojans/361068/android-trojan-charges-millions-of-victims-eu36-per-month">Android Trojan charges millions of victims €36 per month</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/30081/what-is-a-trojan-virus" data-original-url="/security/30081/what-is-a-trojan-virus">What is a Trojan?</a></p></div></div>
<p>The researchers said that CronRat “enables server-side Magecart data theft which bypasses browser-based security solutions”. The malware was discovered on several e-commerce websites, where it injected Magecart payment skimmers into server-side code.</p>
<p>Sansec director of threat research Willem de Groot said that digital skimming is moving from the browser to the server, and this is yet another example.</p>
<p>“Most online stores have only implemented browser-based defenses, and criminals capitalize on the unprotected back-end. Security professionals should really consider the full attack surface,” he added.</p>
<p>The malware uses Linux’s cron job scheduler to avoid discovery. It adds several tasks to the crontab with a curious date specification: 52 23 31 2 3, that is minute 52, hour 23, day 31 of month 2 (February), weekday 3. These lines are syntactically valid, and would produce a runtime error if they were ever executed.</p>
<p>“However, this will never happen as they are scheduled to run on February 31st. Instead, the actual malware code is hidden in the task names and is constructed using several layers of compression and base64 decoding,” said researchers.</p>
<p>According to researchers, the malware is a sophisticated Bash program that features self-destruction, timing modulation, and a custom binary protocol to communicate with a remote control server. Upon launch, it contacts the control server using an exotic feature of the Linux kernel that enables TCP communication via a file, presenting a fake banner for the Dropbear SSH service. This also helps to keep the malware hidden.</p>
<p>It also contacts a server hosted on Alibaba in China, and uses a custom binary protocol with random checksums to avoid detection by firewalls and packet inspectors.</p>
<p>Once contact with a C2 server is established, it drops its disguise, sends and receives numerous commands, and downloads a malicious dynamic library. After that, the malware is ready to run any command on the compromised system.</p>
<p>While investigating this RAT, the researchers wrote a specially crafted RAT client of their own to intercept commands. This led to the discovery of yet another RAT that the researchers hope to study in depth later.</p>
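<p>As a worked check for the tell described above (an added example, not code from Sansec or from ITPro), the Python below parses a crontab, flags entries scheduled for a calendar date that can never occur, such as day 31 of month 2, and unwraps nested base64 in the command part of the entry, which is where Sansec says the real payload lives; the compression layers Sansec mentions would need a further step, only the base64 layers are peeled here. The sample crontab and all helper names are constructed for this example and are not the real CronRAT crontab. One caveat a practitioner should keep in mind: crontab(5) documents that when both the day-of-month and day-of-week fields are restricted, Vixie-style cron runs the job when either matches, so an entry with a weekday of 3 could still fire on a Wednesday in February. The check therefore treats the impossible date as an indicator in its own right rather than relying on the scheduler never firing.</p>

```python
import base64
import binascii
import re

# Days per month; February gets 29 so a legitimate leap-day job is not flagged.
MAX_DAYS = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,
            7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}

# A run of at least 40 base64-alphabet characters with optional padding.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def expand_field(field, lo, hi):
    """Expand one numeric cron field ('*', lists, ranges, steps) into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values


def impossible_dates(dom_field, month_field):
    """(day, month) pairs in a schedule that exist on no calendar, e.g. (31, 2).
    A wildcard or step day field ('*', '*/10') is a normal idiom and is never flagged."""
    if dom_field.startswith("*"):
        return []
    days = expand_field(dom_field, 1, 31)
    months = expand_field(month_field, 1, 12)
    return sorted((d, m) for m in months for d in days if d > MAX_DAYS[m])


def decode_layers(blob, max_layers=5):
    """Peel nested base64 layers off a blob; returns (innermost bytes, layers removed)."""
    data = blob.encode()
    for depth in range(max_layers):
        try:
            data = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            return data, depth  # stop at the first layer that is not base64
    return data, max_layers


def analyse_crontab(text):
    """One finding per crontab entry whose schedule can never fire or whose command
    carries a long base64 blob (the two CronRAT tells reported by Sansec)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # comments and VAR=value assignments are not jobs
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        minute, hour, dom, month, dow, command = fields
        try:
            dead = impossible_dates(dom, month)
        except ValueError:
            continue  # named months/weekdays (jan, mon) are out of scope here
        blobs = B64_BLOB.findall(command)
        if not dead and not blobs:
            continue
        finding = {"line": lineno, "impossible_dates": dead, "blobs": []}
        for blob in blobs:
            inner, depth = decode_layers(blob)
            finding["blobs"].append({"layers": depth, "preview": inner[:40]})
        findings.append(finding)
    return findings


# Constructed sample crontab (not the real CronRAT crontab): one ordinary job and
# one CronRAT-style entry whose payload is wrapped in two layers of base64.
INNER_COMMAND = b'echo "stage-two placeholder"'
WRAPPED = base64.b64encode(base64.b64encode(INNER_COMMAND)).decode()
SAMPLE_CRONTAB = f"""# m h dom mon dow command
MAILTO=root
0 2 * * * /usr/bin/certbot renew --quiet
52 23 31 2 3 /bin/sh -c "$(echo {WRAPPED} | base64 -d | base64 -d)"
"""

if __name__ == "__main__":
    for f in analyse_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: never-occurring dates {f['impossible_dates']}")
        for b in f["blobs"]:
            print(f"  base64 x{b['layers']} -> {b['preview']!r}")
```

<p>Feed it the output of <code>crontab -l</code> for every user as well as the files under /etc/cron.d. Decoding stops at the first layer that is not valid base64, so the preview shows what the outermost wrapping hides without executing anything.</p>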
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Mekotio trojan continues to spread despite its operators’ arrests ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/trojans/361444/mekotio-trojan-continues-to-spread-despite-its-operators-arrests</link>
                                                                            <description>
                            <![CDATA[ Hackers have used it in 100 more attacks since arrests ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">iYeQUL37WsZTZctMrZYF5</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/MmmXXcLzgWnhkLwWDA5LzF-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 04 Nov 2021 13:35:55 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/MmmXXcLzgWnhkLwWDA5LzF-1280-80.jpg">
                                                                                                                                                                                                                                    <media:description><![CDATA[Red horse image imposed atop a circuitboard]]></media:description>                                                            <media:text><![CDATA[Red horse image imposed atop a circuitboard]]></media:text>
                                <media:title type="plain"><![CDATA[Red horse image imposed atop a circuitboard]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/MmmXXcLzgWnhkLwWDA5LzF-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
<p>The Mekotio banking <a href="https://www.itpro.com/security/30081/what-is-a-trojan-virus" data-original-url="https://www.itpro.com/security/30081/what-is-a-trojan-virus">trojan</a> continues to be used in new attacks, despite the arrests of people associated with its distribution, according to a new report.</p>
<p><a href="https://www.itpro.com/security" data-original-url="https://www.itpro.com/security">Security</a> researchers at Check Point Research <a href="https://research.checkpoint.com/2021/mekotio-banker-returns-with-improved-stealth-and-ancient-encryption">found the malware</a> in new attacks and discovered that it now uses new tactics to avoid detection.</p>
<div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/357160/android-users-warned-after-cerberus-leaks-to-dark-web" data-original-url="/security/357160/android-users-warned-after-cerberus-leaks-to-dark-web">Android users told to be on high alert after Cerberus banking Trojan leaks to the dark web</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/trojans/356583/blackrock-banking-trojan-targets-android-apps" data-original-url="/security/trojans/356583/blackrock-banking-trojan-targets-android-apps">BlackRock banking Trojan targets Android apps</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/hacking/356478/researchers-detail-tetrade-family-of-brazilian-banking-trojans" data-original-url="/security/hacking/356478/researchers-detail-tetrade-family-of-brazilian-banking-trojans">Researchers detail Tetrade family of Brazilian banking trojans</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/355493/new-android-trojan-targets-mobile-banking-apps" data-original-url="/security/malware/355493/new-android-trojan-targets-mobile-banking-apps">New Android banking trojan is able to bypass two-factor authentication</a></p></div></div>
<p>“The new campaign started right after the Spanish Civil Guard announced the arrest of 16 people involved with Mekotio distribution in July,” according to Check Point Research (CPR). “It appears that the gang behind the malware were able to narrow the gap quickly and change tactics to avoid detection.”</p>
<p>As soon as the arrests were announced, the Mekotio developers, believed to be based in Brazil, updated their malware with new features designed to evade detection.</p>
<p>Mekotio continues to be distributed through <a href="https://www.itpro.com/security/scams/355013/10-quick-tips-for-identifying-phishing-emails" data-original-url="https://www.itpro.com/security/scams/355013/10-quick-tips-for-identifying-phishing-emails">phishing emails</a> that carry malicious links or malicious .ZIP attachments.</p>
<p>The phishing email sent to victims claims that a digital tax receipt is pending submission. When the victim clicks the link in the email, a malicious .ZIP archive is downloaded from a malicious website.</p>
<p>An analysis of more than 100 attacks in recent months revealed the use of a simple obfuscation method and a substitution cipher to bypass detection by security products.</p>
<p>The developers have also reworked the batch file used in the infection chain with several layers of obfuscation and added a new PowerShell script to the chain. The final trojan payload is packed with Themida, a legitimate commercial protector that hinders cracking and reverse engineering.</p>
<p>Once installed on a victim’s machine, the Mekotio trojan attempts to steal credentials for banks and financial services and transfer them to a criminal-controlled command-and-control (C2) server.</p>
<p>Researchers said that banking trojans are commonplace in Latin America.</p>
<p>“One of the characteristics of those bankers, such as Mekotio, is the modular attack which gives the attackers the ability to change only a small part of the whole in order to avoid detection,” researchers said.</p>
<p>“Our analysis of this campaign highlights the efforts that attackers make to conceal their malicious intentions, bypass security filtering, and trick users. To protect yourself against this type of attack, be suspicious of any email or communication from a familiar brand or organization that asks you to click on a link or open an attached document.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ “Trojan Source” hides flaws in source code from humans ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/trojans/361425/trojan-source-hides-flaws-in-source-code-from-humans</link>
                                                                            <description>
                            <![CDATA[ Organizations urged to take action to combat the new threat that could result in SolarWinds-style attacks ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">uaU66eD7TmYAtKYTKRTfwV</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/4x8LJKuPeaTUDqefPN5aAD-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 02 Nov 2021 15:55:23 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/4x8LJKuPeaTUDqefPN5aAD-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Toy horse on a digital screen to symbolise the attack of the Trojan virus]]></media:description>                                                            <media:text><![CDATA[Toy horse on a digital screen to symbolise the attack of the Trojan virus]]></media:text>
                                <media:title type="plain"><![CDATA[Toy horse on a digital screen to symbolise the attack of the Trojan virus]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/4x8LJKuPeaTUDqefPN5aAD-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
<p><a href="https://www.itpro.com/security" data-original-url="https://www.itpro.com/security">Security</a> researchers have revealed a way of encoding source code so that the logic a human reviewer sees differs from the logic a compiler or interpreter actually builds, allowing vulnerabilities to be slipped into open source projects. Dubbed Trojan Source, the technique is especially potent in the context of software supply chains, the researchers said, pointing to the <a href="https://www.itpro.com/security/358288/solarwinds-hackers-breached-systems-september-2019" data-original-url="https://www.itpro.com/security/358288/solarwinds-hackers-breached-systems-september-2019">SolarWinds attacks</a>.</p>
<p>“If an adversary successfully commits targeted vulnerabilities into open-source code by deceiving human reviewers, downstream software will likely inherit the vulnerability,” <a href="https://trojansource.codes">said researchers</a>.</p>
<div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/trojans/361068/android-trojan-charges-millions-of-victims-eu36-per-month" data-original-url="/security/trojans/361068/android-trojan-charges-millions-of-victims-eu36-per-month">Android Trojan charges millions of victims €36 per month</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/359549/hackers-use-open-source-microsoft-dev-platform-to-deliver-trojans" data-original-url="/security/359549/hackers-use-open-source-microsoft-dev-platform-to-deliver-trojans">Hackers use open source Microsoft dev platform to deliver trojans</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/357160/android-users-warned-after-cerberus-leaks-to-dark-web" data-original-url="/security/357160/android-users-warned-after-cerberus-leaks-to-dark-web">Android users told to be on high alert after Cerberus banking Trojan leaks to the dark web</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/trojans/356583/blackrock-banking-trojan-targets-android-apps" data-original-url="/security/trojans/356583/blackrock-banking-trojan-targets-android-apps">BlackRock banking Trojan targets Android apps</a></p></div></div>
<p><a href="https://www.trojansource.codes/trojan-source.pdf">Researchers said</a> the attack exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are stored in a different order from the order in which they are displayed, and that difference is what introduces the vulnerability.</p>
<p>“These visually reordered tokens can be used to display logic that, while semantically correct, diverges from the logic presented by the logical ordering of source code tokens,” said researchers.</p>
<p>They added that compilers and interpreters follow the logical ordering of source code, not the visual order.</p>
<p>Attackers can use several techniques to exploit the visual reordering of source code tokens, according to researchers.</p>
<p>The first is “Early Returns”, in which a function is short-circuited by a return statement that visually appears to sit inside a comment.</p>
<p>The second is “Commenting-Out”, in which text that is really a comment is displayed as code, so code the reviewer believes will run is never executed.</p>
<p>Lastly, there are “Stretched Strings”, in which part of a string literal is displayed as code. This has the same effect as commenting-out and also causes string comparisons to fail.</p>
<p>There is also a variant that uses homoglyphs, distinct characters that render almost identically, so that two identifiers which look the same to a reviewer are different names to the compiler.</p>
<p>“An attacker can define such homoglyph functions in an upstream package imported into the global namespace of the target, which they then call from the victim code,” said researchers.</p>
<p>This attack variant is tracked as CVE-2021-42694.</p>
<p>To defend against such attacks, researchers said, compilers, interpreters, and build pipelines supporting Unicode should throw errors or warnings for unterminated bidirectional control characters in comments or string literals, and for identifiers with mixed-script confusable characters.</p>
<p>“Language specifications should formally disallow unterminated bidirectional control characters in comments and string literals,” they added. “Code editors and repository frontends should make bidirectional control characters and mixed-script confusable characters perceptible with visual symbols or warnings.”</p>
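<p>To make the Early Returns technique and the recommended defences concrete, here is an added Python example (not code from the paper or from ITPro; the source samples and helper names are constructed for it). It builds a small source file in which a RIGHT-TO-LEFT ISOLATE character (U+2067) sits inside a docstring so that a bidi-aware editor renders the <code>;return</code> that follows as though it were part of the docstring, runs that file to show that the interpreter follows the logical order and returns before the balance is touched, and then implements the two checks the researchers ask compilers and repository front-ends for: a scan for unterminated bidirectional control characters, and a scan for identifiers that mix ASCII with non-ASCII characters, using a Cyrillic letter as the homoglyph.</p>

```python
import io
import tokenize
import unicodedata

# Unicode bidi controls. Embeddings/overrides (U+202A, U+202B, U+202D, U+202E)
# are closed by PDF (U+202C); isolates (U+2066-U+2068) are closed by PDI (U+2069).
BIDI_OPEN = {"\u202a", "\u202b", "\u202d", "\u202e", "\u2066", "\u2067", "\u2068"}
BIDI_CLOSE = {"\u202c", "\u2069"}


def scan_bidi_controls(source):
    """Report every line containing bidi control characters and whether the opens
    and closes on that line balance. An unpaired open is the Trojan Source signature
    the paper says compilers should reject; a paired one is still worth a look."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        opens = [c for c in line if c in BIDI_OPEN]
        closes = [c for c in line if c in BIDI_CLOSE]
        if opens or closes:
            findings.append({
                "line": lineno,
                "controls": [unicodedata.name(c) for c in opens + closes],
                "unpaired": len(opens) != len(closes),
            })
    return findings


def mixed_script_identifiers(source):
    """Identifiers that mix ASCII letters with non-ASCII characters: the homoglyph
    variant, where e.g. Cyrillic U+0430 impersonates Latin 'a'. The stdlib has no
    Unicode script property, so 'non-ASCII inside an otherwise ASCII name' is the
    confusable heuristic used here (an assumption of this example)."""
    suspects = set()
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.NAME:
            has_ascii = any(c.isascii() and c.isalpha() for c in tok.string)
            has_other = any(not c.isascii() for c in tok.string)
            if has_ascii and has_other:
                suspects.add(tok.string)
    return sorted(suspects)


# Constructed "Early Return" sample. U+2067 inside the docstring makes a bidi-aware
# editor render the rest of the line reversed, so `;return` looks like docstring
# text. The interpreter sees the logical order: docstring, then an unconditional
# return, so the subtraction on the next line is never reached.
EARLY_RETURN_SAMPLE = (
    "bank = {'alice': 100}\n"
    "\n"
    "def subtract_funds(account, amount):\n"
    "    ''' Subtract funds from bank account then \u2067''' ;return\n"
    "    bank[account] -= amount\n"
    "\n"
    "subtract_funds('alice', 50)\n"
)

# Constructed homoglyph sample: the second function name uses Cyrillic U+0430.
HOMOGLYPH_SAMPLE = (
    "def sayHello():\n"
    "    return 'hello'\n"
    "\n"
    "def s\u0430yHello():\n"
    "    return 'not the function you reviewed'\n"
)


def run_early_return_sample():
    """Execute the sample as the interpreter parses it and return alice's balance."""
    namespace = {}
    exec(EARLY_RETURN_SAMPLE, namespace)
    return namespace["bank"]["alice"]


if __name__ == "__main__":
    print("balance after 'subtracting' 50:", run_early_return_sample())
    for f in scan_bidi_controls(EARLY_RETURN_SAMPLE):
        print(f"line {f['line']}: {f['controls']} unpaired={f['unpaired']}")
    print("mixed-script identifiers:", mixed_script_identifiers(HOMOGLYPH_SAMPLE))
```

<p>The balance stays at 100 because the interpreter executed the hidden return, which is exactly the gap between what a reviewer reads and what the machine runs. Both scanners work on raw text before any parsing, so the same approach fits a pre-commit hook or a repository front-end regardless of language.</p>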
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ What is Emotet? ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/hacking/361340/what-is-emotet</link>
                                                                            <description>
                            <![CDATA[ A deep dive into one of the most infamous and prolific strains of malware ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">nRvJzsSpJroiVED5bYyNR5</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/88W9bgZPVu3XjcyUQw8eLn-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 29 Oct 2021 12:00:07 +0000</pubDate>                                                                                                                                <updated>Tue, 16 Nov 2021 10:55:00 +0000</updated>
                                                                                                                                            <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Praharsha Anand ]]></dc:creator>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/88W9bgZPVu3XjcyUQw8eLn-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Trojan horse on a red laptop screen with blind justice in front of it]]></media:description>                                                            <media:text><![CDATA[Trojan horse on a red laptop screen with blind justice in front of it]]></media:text>
                                <media:title type="plain"><![CDATA[Trojan horse on a red laptop screen with blind justice in front of it]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/88W9bgZPVu3XjcyUQw8eLn-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Emotet, a notoriously stealthy <a href="https://www.itpro.com/malware/28076/what-is-malware" data-original-url="https://www.itpro.com/malware/28076/what-is-malware">malware</a>, was first discovered in 2014. An early version of the banking trojan intercepted internet traffic to steal credentials.</p><p>Between 2016 and 2017, hackers reprogrammed Emotet to function as a loader, allowing its operators to download payloads or executable <a href="https://www.itpro.com/business-strategy/careers-training/357247/should-you-learn-to-code" data-original-url="https://www.itpro.com/business-strategy/careers-training/357247/should-you-learn-to-code">code</a> onto infected hosts.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/358450/europol-takes-down-dangerous-emotet-botnet" data-original-url="/security/malware/358450/europol-takes-down-dangerous-emotet-botnet">Europol takes down 'dangerous' Emotet botnet</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/358252/updated-emotet-toolkit-ends-2020-as-most-dangerous-malware" data-original-url="/security/malware/358252/updated-emotet-toolkit-ends-2020-as-most-dangerous-malware">Updated Emotet toolkit ends 2020 as most dangerous malware</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/hacking/361282/iranian-hacking-group-continues-to-target-us-citizens" data-original-url="/security/hacking/361282/iranian-hacking-group-continues-to-target-us-citizens">Iranian hacking group continues to target US citizens</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/361246/hackers-used-mshtml-exploit-a-week-before-patches-were-ready" data-original-url="/security/zero-day-exploit/361246/hackers-used-mshtml-exploit-a-week-before-patches-were-ready">Hackers used 
MSHTML exploit a week before patches were ready</a></p></div></div><p>In 2020, Emotet’s attacks became global with its authors resorting to Trickbot and Qbot - Windows-based trojans - to infiltrate banking networks. A <a href="https://www.itpro.com/botnets/1644/what-is-a-botnet" data-original-url="https://www.itpro.com/botnets/1644/what-is-a-botnet">botnet</a> of compromised machines was also set up to sustain the attacks. </p><p>What's more, access to hijacked computers and devices was sold in an infrastructure-as-a-service offering, a practice more commonly known as malware-as-a-service in the <a href="https://www.itpro.com/security/28133/what-is-cyber-security" data-original-url="https://www.itpro.com/security/28133/what-is-cyber-security">cyber security</a> industry.</p><p>Although <a href="https://www.itpro.com/security/malware/358450/europol-takes-down-dangerous-emotet-botnet" target="_blank" data-original-url="https://www.itpro.com/security/malware/358450/europol-takes-down-dangerous-emotet-botnet">the Emotet botnet was disrupted by Europol in January 2021</a>, which saw investigators seize control of several hundred servers that comprised Emotet’s infrastructure, it has since made a surprise return. </p><h2 id="how-does-emotet-spread">How does Emotet spread?</h2><p>As of 2021, Emotet can bypass signature-based detection and propagate through five known installers: NetPass.exe, Outlook scraper, credential enumerator, Mail PassView, and WebBrowserPassView. </p><p>Here’s a run-down of each spreader module. </p><p><strong>1. NetPass.exe:</strong> Captures network passwords stored on a system or external drives</p><p><strong>2. Outlook scraper:</strong> Harvests email addresses and names from victims' Outlook accounts to send phishing emails from compromised accounts</p><p><strong>3. Credential enumerator:</strong> Combines bypass and service modules into one self-extracting RAR file. 
The bypass component identifies network resources by locating writable share drives through the server message block (SMB) protocol or by brute-forcing an administrator's account. Upon finding the target system, the service component writes Emotet onto the disk.</p><p><strong>4. Mail PassView:</strong> Forwards passwords and account details of email clients including Mozilla Thunderbird, Hotmail, Yahoo, and Gmail to the credential enumerator module</p><p><strong>5. WebBrowserPassView:</strong> Gathers passwords stored in browsers, including Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera, for use by the credential enumerator module</p><h2 id="how-stealthy-is-emotet">How stealthy is Emotet?</h2><p>By and large, hackers inject Emotet through malspam (emails with malicious attachments or links) that mimics legitimate business communications and marketing campaigns.</p><p>For instance, a July 2018 Emotet malspam campaign masqueraded as PayPal receipts, shipping notifications, and outstanding Multi-State Information Sharing and Analysis Center (MS-ISAC) invoices. After an unsuspecting user opens or clicks a malspam attachment, Emotet penetrates local networks through its built-in spreader modules. 
</p><p>Among Emotet's defining traits are tenacity and endurance. Several applications share dynamic link libraries (DLLs), allowing Emotet to adapt and renew its capabilities constantly. Additionally, Emotet generates random files that emulate Windows services in the system root directory. 
Execution of these services propagates the malware throughout the network.</p><p>Attacks via Emotet can also result in permanent loss of confidential or proprietary information, service interruptions, high replacement costs, and negative publicity for an organization.</p><h2 id="what-are-some-ways-to-combat-emotet">What are some ways to combat Emotet?</h2><p>MS-ISAC and the National <a href="https://www.itpro.com/security/28133/what-is-cyber-security" data-original-url="https://www.itpro.com/security/28133/what-is-cyber-security">Cybersecurity</a> and Communications Integration Center (NCCIC) recommend the following countermeasures against Emotet:</p><p><strong>1. Revisit Group Policy settings</strong></p><p>Windows’ Group Policy feature lets administrators configure and update operating systems, applications, and users' settings from a centralized location. A Group Policy Object (GPO) refers to settings configured using the Group Policy editor in the Microsoft Management Console (MMC). </p><p>GPOs may also be used to create a Windows Firewall policy that restricts one of Emotet's access points: inbound SMB traffic. The protocol allows shared access to files, printers, and serial ports across a network.</p><p><strong>2. Enable automatic antivirus updates</strong></p><p>Keep your antivirus programs up to date by enabling auto-updates for the <a href="https://www.itpro.com/software" data-original-url="https://www.itpro.com/software">software</a>. A good precaution is to block file attachments commonly associated with malware, such as .exe and .dll files, and those that antivirus software cannot scan, such as .zip files.</p><p><strong>3. 
Implement filters for emails</strong></p><p>A malspam filter on the email gateway can help shield against spam messages with malicious content and block potentially rogue <a href="https://www.itpro.com/infrastructure/network-internet/358606/static-ip-vs-dynamic-ip-whats-the-difference" data-original-url="https://www.itpro.com/infrastructure/network-internet/358606/static-ip-vs-dynamic-ip-whats-the-difference">IP addresses</a>. Organizations may also mark external emails with a banner or icon to indicate their origin.</p><p>Businesses can also deploy Domain-based Message Authentication, Reporting, and Conformance (DMARC), a security system that uses Domain Name System (DNS) records and digital signatures to detect email spoofing.</p><p><strong>4. Train employees</strong></p><p>Employee education goes a long way toward preventing targeted Emotet attacks. Cyber security experts recommend companies instruct their employees not to open suspicious emails, post sensitive data online, or respond to unsolicited emails requesting personal information.</p><h2 id="how-do-you-respond-to-an-emotet-attack">How do you respond to an Emotet attack?</h2><p>Malware variations can complicate security, reducing its effectiveness over time. If your system or network has been compromised, NCCIC and MS-ISAC recommend the following measures.</p><p>Using an antivirus program, assess system vulnerabilities and isolate the infected workstation. Avoid logging into the infected system using domain or local administrator credentials. 
</p><p>If multiple workstations are infected, the following steps are advised:</p><ol><li>Disconnect infected machines from the network</li><li>Temporarily disable the network to prevent the malware from spreading</li><li>Re-examine existing systems for Emotet indicators and move those unaffected to a separate local area network</li><li>Reset passwords for domain and local accounts, including any applications stored on the compromised machines</li></ol><p>After an attack, Emotet resets Outlook’s default settings to auto-forward all emails to an external address, leaving your data vulnerable. It is, therefore, crucial to review log files and Outlook settings to determine the initial access point or malware source. </p><h2 id="recent-emotet-developments">Recent Emotet developments</h2><p>A coordinated global action dubbed "Operation Lady Bird" brought down Emotet in January 2021. A total of eight countries contributed to the mission, including France, Lithuania, the Netherlands, and the United States. With support from the European Union Agency for Criminal Justice Cooperation (Eurojust) and the European Union Agency for Law Enforcement Cooperation (Europol), global police forces in Germany and Ukraine shut down Emotet's servers, which led to arrests. </p><p>While the threat has been neutralized, it is advisable to take precautions to counter variants and replicas.</p><p>“A combination of both updated cybersecurity tools (antivirus and operating systems) and cybersecurity awareness is essential to avoid falling victim to sophisticated botnets like EMOTET,” explained Europol in a <a href="https://www.europol.europa.eu/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action">press release</a>.</p><p>“Users should carefully check their email and avoid opening messages and especially attachments from unknown senders. 
If a message seems too good to be true, it likely is, and emails that implore a sense of urgency should be avoided at all costs.”</p><p>However, in November 2021, multiple security researchers observed that <a href="https://www.itpro.com/security/malware/361551/emotet-returns-spreading-quickly-help-of-trickbot" target="_blank" data-original-url="https://www.itpro.com/security/malware/361551/emotet-returns-spreading-quickly-help-of-trickbot">the notorious malware strain is back in the wild and infecting systems</a>. The researchers claimed that the new version of Emotet is being distributed by TrickBot; while in the past Emotet installed TrickBot, the threat actors are now using a method dubbed "Operation Reacharound" to rebuild the Emotet botnet using TrickBot's existing infrastructure.</p><p>"It appears that Emotet is now delivered in systems already compromised by TrickBot," said Nikos Mantas, incident response expert at Obrela Security Industries. "This change in the delivery of the payload displays a new mindset by the attackers themselves. Instead of sending malicious emails and risking triggering any defence mechanisms, Emotet now is opting for stealthier delivery inside already infected systems. If TrickBot has gone unnoticed, then Emotet should be as well."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Android Trojan charges millions of victims €36 per month ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/trojans/361068/android-trojan-charges-millions-of-victims-eu36-per-month</link>
                                                                            <description>
                            <![CDATA[ Up to 10 million users across 70 countries are thought to have been affected ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">fh12mXUg5MTFUQWNgrsVrN</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/6N5RJ4tHV7eipdAo82wZsd-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 30 Sep 2021 12:53:57 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Android]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                    <category><![CDATA[Google]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sabina Weston ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/6N5RJ4tHV7eipdAo82wZsd-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The Google Play Store application as shown on a smartphone display]]></media:description>                                                            <media:text><![CDATA[The Google Play Store application as shown on a smartphone display]]></media:text>
                                <media:title type="plain"><![CDATA[The Google Play Store application as shown on a smartphone display]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/6N5RJ4tHV7eipdAo82wZsd-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>An Android Trojan campaign has been charging unsuspecting victims around €36 (£31) per month since at least November 2020, researchers have found.</p><p>Known as GriftHorse, the <a href="https://www.itpro.com/security/30081/what-is-a-trojan-virus" data-original-url="https://www.itpro.com/security/30081/what-is-a-trojan-virus">Trojan</a> masquerades under seemingly innocent Android applications such as puzzle games, educational software, dating apps, as well as a translator that had garnered more than 500,000 downloads alone.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/357160/android-users-warned-after-cerberus-leaks-to-dark-web" data-original-url="/security/357160/android-users-warned-after-cerberus-leaks-to-dark-web">Android users told to be on high alert after Cerberus banking Trojan leaks to the dark web</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/trojans/356583/blackrock-banking-trojan-targets-android-apps" data-original-url="/security/trojans/356583/blackrock-banking-trojan-targets-android-apps">BlackRock banking Trojan targets Android apps</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/trojans/354242/national-crime-agency-brings-down-prolific-trojan-marketplace" data-original-url="/security/trojans/354242/national-crime-agency-brings-down-prolific-trojan-marketplace">National Crime Agency brings down prolific Trojan marketplace</a></p></div></div><p>The GriftHorse campaign was developed using the Apache Cordova mobile application development framework, which allows developers to use HTML5, CSS3, and <a href="https://www.itpro.com/business-strategy/careers-training/356608/how-to-become-a-senior-javascript-developer" 
data-original-url="https://www.itpro.com/business-strategy/careers-training/356608/how-to-become-a-senior-javascript-developer">JavaScript</a> for cross-platform mobile development. However, the technology also makes it possible for the developers to deploy updates to apps without requiring users to update the app manually.</p><p>Although oftentimes useful for quick fixes, this capability can also be abused to host malicious code on the server as well as execute it in real time.</p><p>Once an app was downloaded, victims were asked to verify their identity using an SMS code which, in reality, subscribed them to being charged around €36 (£31) per month through their phone bill. Many of the affected users failed to notice the theft for the first few months, and were only able to stop the unsolicited payments by contacting their mobile network provider.</p><p>This means that, as of today, some 10 million victims from over 70 countries, including the UK, could have lost €360 (£310) each to cyber criminals.</p><p>Researchers from mobile security company <a href="https://blog.zimperium.com/grifthorse-android-trojan-steals-millions-from-over-10-million-victims-globally">Zimperium zLabs</a> reported the Trojan to Google earlier this year, which in turn removed the malicious applications from the Google Play store. It's likely that the last payment will have been taken in April 2021, when the campaign was last reported active.</p><p>Zimperium’s researchers believe that the malicious apps “are still available on unsecured third-party app repositories” and continue to place Android users at risk.</p><p>The campaign also highlights “the risk of sideloading applications to mobile endpoints and user data”, as well as the need for “advanced on-device <a href="https://www.itpro.com/security" data-original-url="https://www.itpro.com/security">security</a>”, according to Zimperium researchers Aazim Yaswant and Nipun Gupta. </p><p>Android users should verify the identity of the apps they wish to download and conduct an <a href="https://www.zimperium.com/z3a-advanced-app-analysis">assessment</a> provided by Zimperium, the researchers have warned.</p><p>“[The] GriftHorse Android Trojan takes advantage of small screens, local trust, and misinformation to trick users into downloading and installing these Android Trojans, as well as frustration or curiosity when accepting the fake free prize spammed into their notification screens,” said Yaswant and Gupta.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Fake AnyDesk Google ads deliver malware ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/malware/359716/fake-anydesk-ads-on-google-are-serving-malware</link>
                                                                            <description>
                            <![CDATA[ Malware pushed through Google search results ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">dFJzhYHHMCLEWUbkufQPw5</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Yq7K6GpcaqC9RfbMAbLFDQ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 28 May 2021 12:52:24 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Yq7K6GpcaqC9RfbMAbLFDQ-1280-80.jpg">
                                                            <media:credit><![CDATA[Bigstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Malware under a magnifying glass]]></media:description>                                                            <media:text><![CDATA[Malware under a magnifying glass]]></media:text>
                                <media:title type="plain"><![CDATA[Malware under a magnifying glass]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Yq7K6GpcaqC9RfbMAbLFDQ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Hackers are pushing a bogus version of a remote desktop app AnyDesk through search results on Google. The fake app contains a <a href="https://www.itpro.com/security/30081/what-is-a-trojan-virus" data-original-url="https://www.itpro.com/security/30081/what-is-a-trojan-virus">trojan</a> that is part of a new campaign designed to control a victim's computer.</p><p><a href="https://www.crowdstrike.com/blog/falcon-complete-disrupts-malvertising-campaign-targeting-anydesk">Researchers at CrowdStrike</a> first spotted the malware last month. Researchers said the suspicious file masquerading as AnyDesk called "AnyDeskSetup.exe" was being written to disk and exhibiting suspicious behavior.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/359549/hackers-use-open-source-microsoft-dev-platform-to-deliver-trojans" data-original-url="/security/359549/hackers-use-open-source-microsoft-dev-platform-to-deliver-trojans">Hackers use open source Microsoft dev platform to deliver trojans</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/357160/android-users-warned-after-cerberus-leaks-to-dark-web" data-original-url="/security/357160/android-users-warned-after-cerberus-leaks-to-dark-web">Android users told to be on high alert after Cerberus banking Trojan leaks to the dark web</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/trojans/356583/blackrock-banking-trojan-targets-android-apps" data-original-url="/security/trojans/356583/blackrock-banking-trojan-targets-android-apps">BlackRock banking Trojan targets Android apps</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/hacking/356478/researchers-detail-tetrade-family-of-brazilian-banking-trojans" 
data-original-url="/security/hacking/356478/researchers-detail-tetrade-family-of-brazilian-banking-trojans">Researchers detail Tetrade family of Brazilian banking trojans</a></p></div></div><p>The executable wasn't a legitimate version but had been weaponized with additional capabilities. To evade Google's advert security checks, the malware attempted to launch a PowerShell script that had been renamed rexc.exe.</p><p>Researchers reviewed the process and found "AnydeskSetup.exe" running from the user's Downloads directory. They said this wasn't the normal version of the application, as it was signed by Digital IT Consultants Plus Inc. instead of AnyDesk's creators, philandro Software GmbH. The network activity generated by the application was to a domain (anydeskstat[.]com) registered on April 9, 2021 and hosted at a Russian <a href="https://www.itpro.com/infrastructure/network-internet/358606/static-ip-vs-dynamic-ip-whats-the-difference" data-original-url="https://www.itpro.com/infrastructure/network-internet/358606/static-ip-vs-dynamic-ip-whats-the-difference">IP address</a>.</p><p>When executed, a PowerShell implant was written to %TEMP/v.ps1 and executed with a command-line switch of "-W 1" to hide the PowerShell window. 
At this point, researchers launched a thorough investigation and found the PowerShell script the hackers used was similar to another piece of malware hiding as a Zoom installer in April.</p><p>"The logic we observed is very similar to logic observed and <a href="http://www.inde.nz/blog/different-kind-of-zoombomb">published by Inde</a>, where a masqueraded Zoom installer dropped a similar PowerShell script from an external resource," said researchers.</p><p>The malvertising campaign itself sends victims to a URL clone of the legitimate AnyDesk website and provides a download link for the trojan installer. 
Researchers found three intermediary websites used in this campaign.</p><p>Researchers said the hackers are spending $1.75 per click, but this doesn't equate to getting a shell on a target they're interested in.</p><p>"While it is unknown what percentage of Google searches for AnyDesk resulted in clicks on the ad, a 40% Trojan installation rate from an ad click shows that this is an extremely successful method of gaining remote access across a wide range of potential targets," said researchers.</p><p>Researchers notified customers and alerted Google to the malvertising campaign. "It appears that Google expeditiously took appropriate action because, at the time of this blog, the ad was no longer being served," researchers said.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Hackers use open source Microsoft dev platform to deliver trojans ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/359549/hackers-use-open-source-microsoft-dev-platform-to-deliver-trojans</link>
                                                                            <description>
                            <![CDATA[ Microsoft's Build Engine is being used to deploy Remcos password-stealing malware ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">8gD36uX2jXuvC9sERT3E5Q</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/aQBxg93uKFvFETex9DPMQf-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 14 May 2021 13:14:26 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/aQBxg93uKFvFETex9DPMQf-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Trojan virus within binary code]]></media:description>                                                            <media:text><![CDATA[Trojan virus within binary code]]></media:text>
                                <media:title type="plain"><![CDATA[Trojan virus within binary code]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/aQBxg93uKFvFETex9DPMQf-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Hackers have abused an <a href="https://www.itpro.com/software/28109/what-is-open-source" data-original-url="https://www.itpro.com/software/28109/what-is-open-source">open source</a> development tool provided by Microsoft to deliver password-stealing <a href="https://www.itpro.com/security/30081/what-is-a-trojan-virus" data-original-url="https://www.itpro.com/security/30081/what-is-a-trojan-virus">trojans</a> to unsuspecting victims.</p><p><a href="https://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly">Security researchers at Anomali Threat Research</a> observed a new campaign whereby threat actors used Microsoft Build Engine (MSBuild) to filelessly deliver the Remcos remote access tool (RAT) and password-stealing malware commonly known as RedLine Stealer.</p><p>Researchers said the campaign appeared to have begun in April this year and was ongoing. Hackers used MSBuild, a tool for building apps that gives users an XML schema “that controls how the build platform processes and builds software”, to deliver Remcos RAT and RedLine Stealer using callbacks.</p><p>The files delivered contained encoded executables and shellcode; some were hosted on the Russian image-hosting site “joxi[.]net”. While researchers couldn’t determine how the .proj files were distributed, their objective was to execute either Remcos or RedLine Stealer. Most of the malware analyzed delivered Remcos as the final payload.</p><p>Once installed on the victim’s computer, the Remcos trojan gives hackers remote control, remote administration, remote anti-theft, remote support, and pentesting capabilities on the machine.</p><p>While Remcos is commercial software created by Breaking Security, hackers often use it for malicious purposes. Researchers said the software enables full access to the infected machine with features like anti-AV, credential harvesting, gathering system information, keylogging, persistence, screen capture, script execution, and more.</p><p>The other malware observed in the campaign is RedLine Stealer. This malware is written in .NET and, when installed on a victim’s system, it can steal multiple types of data, such as cookies, credentials, crypto wallets, NordVPN credentials, stored web browser information, and system information. It will also search for multiple products, including <a href="https://www.itpro.com/technology/cryptocurrencies" data-original-url="https://www.itpro.com/technology/cryptocurrencies">cryptocurrency</a> software, messaging apps, VPNs, and web browsers.</p><p>Using MSBuild allows hackers to evade detection while installing malicious payloads directly to a targeted computer's memory.</p><p>"The threat actors behind this campaign used fileless delivery as a way to bypass security measures, and this technique is used by actors for a variety of objectives and motivations," said researchers.</p><p>"This campaign highlights that reliance on antivirus software alone is insufficient for cyber defense, and the use of legitimate code to hide malware from antivirus technology is effective and growing exponentially."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Android users told to be on high alert after Cerberus banking Trojan leaks to the dark web ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/357160/android-users-warned-after-cerberus-leaks-to-dark-web</link>
                                                                            <description>
                            <![CDATA[ The source code for the authenticator-breaking malware is available for free on underground forums ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">h7AyNtuTTyWdLjKUxTAfUz</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/oYR9j29t6uVrrfgXKAbNKD-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 18 Sep 2020 11:44:27 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sabina Weston ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/oYR9j29t6uVrrfgXKAbNKD-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/oYR9j29t6uVrrfgXKAbNKD-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The full source code for the Cerberus banking malware has been released online after being leaked by one of its developers, cyber security company <a href="https://www.itpro.com/tag/kaspersky" data-original-url="https://www.itpro.com/search/kaspersky">Kaspersky</a> has found.</p><p>Kaspersky experts have been monitoring Cerberus since July 2020, although the <a href="https://www.itpro.com/security/30081/what-is-a-trojan-virus" data-original-url="https://www.itpro.com/security/30081/what-is-a-trojan-virus">Trojan</a> virus was originally tracked in the summer of 2019.</p><p>In late February 2020, <a href="https://www.itpro.com/security/cyber-attacks/354868/android-cerberus-malware-can-hack-google-authenticator" data-original-url="https://www.itpro.com/security/cyber-attacks/354868/android-cerberus-malware-can-hack-google-authenticator">ThreatFabric researchers published a report</a> claiming 
that Cerberus had been restructured and enhanced with RAT (Remote Access Trojan) abilities and was capable of stealing multi-factor authentication (<a href="https://www.itpro.com/security/29982/what-is-two-factor-authentication" data-original-url="https://www.itpro.com/security/29982/what-is-two-factor-authentication">2FA</a>) tokens from Google Authenticator.</p><p>Although at the time Cerberus was still in its test phase, ThreatFabric warned users that the malware could be released “soon”.</p><p>Their predictions were proven right in late July, when the Cerberus source code went up for auction after the breakup of its development team.</p><p>Kaspersky researchers have found that one of the authors made the decision to publish the project source code on a popular Russian-speaking underground forum, most likely intending it to be accessed only by premium users.</p><p>However, cyber criminals are now able to acquire Cerberus for free, resulting in a rapid increase in cyber attacks on mobile banking in Russia as well as other European countries.</p><p>Kaspersky security researcher Dmitry Galov said that the “findings regarding Cerberus v2 are a warning to everyone implicated by Android security and Android banking security in particular”. </p><p>“We’re already seeing an increase in attacks on users since the source code was published. 
It’s not the first time we’ve seen something like this happen, but this boom of activity since the developers abandoned the project is the biggest developing story we’ve tracked for a while,” he added.</p><p>“We continue to investigate all found artefacts associated with the code, and will track related activity. 
But, in the meantime, the best form of defence that users can adopt involves aspects of security hygiene that they should be practicing already across their mobile devices and banking security.”</p><p>Kaspersky has warned Android users to only download and install applications from the <a href="https://www.itpro.com/software/google" data-original-url="https://www.itpro.com/search/google%20play">Google Play</a> store, as well as deactivate the function in smartphone settings for installing programmes from unknown sources.</p><p>Back in February, ThreatFabric reported that Cerberus was able to target communication applications such as <a href="https://www.itpro.com/tag/gmail" data-original-url="https://www.itpro.com/search/gmail">Gmail</a>, <a href="https://www.itpro.com/email-providers/34638/the-best-outlook-tips-for-increasing-productivity" data-original-url="https://www.itpro.com/email-providers/34638/the-best-outlook-tips-for-increasing-productivity">Outlook</a>, and Telegram, as well as numerous banking applications, including Lloyds Bank Mobile Banking, Wells Fargo Mobile, and Santander.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Qbot malware surges into the top-ten most common business threats ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/trojans/357036/qbot-malware-surges-into-the-top-ten-most-common-business-threats</link>
                                                                            <description>
                            <![CDATA[ An evolved form of the banking Trojan was distributed by number one-ranking Emotet in a campaign that hit 5% of businesses globally ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">wAec8dfPXerAgc8mXCcgVU</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/aQBxg93uKFvFETex9DPMQf-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 09 Sep 2020 08:35:45 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/aQBxg93uKFvFETex9DPMQf-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Trojan virus within binary code]]></media:description>                                                            <media:text><![CDATA[Trojan virus within binary code]]></media:text>
                                <media:title type="plain"><![CDATA[Trojan virus within binary code]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/aQBxg93uKFvFETex9DPMQf-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>An evolved form of the Qbot <a href="https://www.itpro.com/malware/28076/what-is-malware" target="_blank" data-original-url="https://www.itpro.com/malware/28076/what-is-malware">malware</a> entered the top-ten index of the most prevalent security threats for the first time last month, with the banking Trojan ranking as the tenth most pertinent risk.</p><p>The Trojan has undergone several changes since it was first active in 2008, with researchers most recently discovering in June that hackers have <a href="https://www.f5.com/labs/articles/threat-intelligence/qbot-banking-trojan-still-up-to-its-old-tricks" target="_blank">bolstered Qbot with new functions and stealth capabilities</a>. </p><p>Its prevalence has, as a result, surged to see it enter the Check Point Research top-ten malware index for the first time, with the company <a href="https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods" target="_blank">discovering several campaigns using Qbot’s new strain</a> between March and August 2020.</p><p>These campaigns include Qbot being distributed by the Emotet Trojan, which itself ranked as the number one most prevalent threat to businesses during August. 
The campaign alone <a href="https://www.checkpoint.com/press/2020/july-2020s-most-wanted-malware-emotet-strikes-again-after-five-month-absence">affected 5% of organisations globally</a> in July.</p><p>"Threat actors are always looking at ways to update existing, proven forms of malware and they have clearly been investing heavily in Qbot’s development to enable data theft on a massive scale from organizations and individuals," said Maya Horowitz, director of threat intelligence and research products at Check Point.</p><p>"We have seen active malspam campaigns distributing Qbot directly, as well as the use of third-party infection infrastructures like Emotet's to spread the threat even further," she added. "Businesses should look at deploying anti-malware solutions that can prevent such content reaching end-users and advise employees to be cautious when opening emails, even when they appear to be from a trusted source."</p><p>While Qbot represents a more pertinent threat than ever before, Emotet <a href="https://www.itpro.com/security/32818/trojans-lead-siege-on-businesses-for-second-year-running" target="_blank" data-original-url="https://www.itpro.com/security/32818/trojans-lead-siege-on-businesses-for-second-year-running">remains at the summit</a> of the index for the second month in a row, with the advanced and self-propagating Trojan affecting 14% of organisations globally.</p><p>Once a fully-fledged banking Trojan, Emotet has more recently been used as a distributor of other malware strains, for example in the campaign in which it spread Qbot. Emotet uses multiple methods to stay persistent and deploys evasion techniques to avoid detection. 
This threat is also commonly spread through phishing campaigns.</p><p>The threats that followed Emotet include Agent Tesla, an advanced RAT functioning as a keylogger and information stealer, as well as Formbook, an information stealer that harvests credentials from web browsers, collects screenshots, and monitors keystrokes. Both malware types affected 3% of organisations each during August.</p><p>Check Point Research also published information about the most commonly exploited vulnerabilities during August, as part of its indexing, with the “Web Server Exposed Git Repository Information Disclosure” vulnerability ranking number one and affecting 47% of organisations globally. This information disclosure vulnerability could be successfully exploited to allow the unintentional disclosure of user account information.</p><p>This exploit was followed by the MVPower DVR remote code execution flaw, exploited to execute arbitrary code in affected routers, as well as the Dasan GPON router authentication bypass, which can allow remote attackers to obtain sensitive information.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ BlackRock banking Trojan targets Android apps ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/trojans/356583/blackrock-banking-trojan-targets-android-apps</link>
                                                                            <description>
                            <![CDATA[ Trojan steals login credentials and credit card information and has targeted more than 300 apps ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">7zdPJ83EuhzZUyR5fwNExp</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/4x8LJKuPeaTUDqefPN5aAD-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 27 Jul 2020 17:06:41 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sarah Brennan ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/4x8LJKuPeaTUDqefPN5aAD-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Toy horse on a digital screen to symbolise the attack of the Trojan virus]]></media:description>                                                            <media:text><![CDATA[Toy horse on a digital screen to symbolise the attack of the Trojan virus]]></media:text>
                                <media:title type="plain"><![CDATA[Toy horse on a digital screen to symbolise the attack of the Trojan virus]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/4x8LJKuPeaTUDqefPN5aAD-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
<p>Researchers at <a href="https://www.threatfabric.com/blogs/blackrock_the_trojan_that_wanted_to_get_them_all.html"><em>ThreatFabric</em></a> have released a report detailing their findings on BlackRock, the Android banking <a href="https://www.itpro.com/security/30081/what-is-a-trojan-virus" data-original-url="https://www.itpro.com/security/30081/what-is-a-trojan-virus">Trojan</a>. Discovered in May, BlackRock steals login credentials and credit card information and has targeted 337 financial, communication, dating and social networking apps.</p><p>According to ThreatFabric, BlackRock poses as a fake Google Update and requests accessibility privileges. Once the Trojan gets the needed privileges, it grants itself additional permissions so it can function without requiring any further interaction with the device’s user. </p><p>BlackRock can collect device information, perform overlay attacks, act as a keylogger, push system notifications to the C2 server, curb <a href="https://www.itpro.com/software/linux/354831/microsoft-to-add-defender-antivirus-software-to-linux-ios-and-android" 
data-original-url="https://www.itpro.com/software/linux/354831/microsoft-to-add-defender-antivirus-software-to-linux-ios-and-android">antivirus</a> use and even prevent uninstallation.</p><p>ThreatFabric says BlackRock is based on Xerxes banking malware code, which was a strain of the <a href="https://www.itpro.com/security/malware/355868/hackers-revive-years-old-malware-to-exploit-mass-remote-working" data-original-url="https://www.itpro.com/security/malware/355868/hackers-revive-years-old-malware-to-exploit-mass-remote-working">LokiBot</a> Android banking Trojan discovered in 2019. </p><p>LokiBot was observed as rented malware between 2016 and 2017. The Trojan’s source code was later leaked. </p><p>In 2018, MysteryBot, which included upgrades to the LokiBot Trojan so it worked on newer Android devices, was observed to be active. Parasite, MysteryBot’s successor, was also based on LokiBot, though it ultimately disappeared from the threat landscape, and Xerxes replaced it in 2019. Fast-forward to May 2020, and BlackRock emerged.</p><p>“After investigation, it became clear that this newcomer is derived from the code of the Xerxes banking malware, which itself is a strain of the LokiBot Android banking Trojan. 
The source code of the Xerxes malware was made public by its author around May 2019, which means that it is accessible to any threat actor,” the report says.</p><p>“When source code of malware is leaked or made publicly accessible it is pretty common to see the threat landscape being supplemented with new malware variants or families based on the said code,” the report continued.</p><p>Thus far, BlackRock’s targets for credential theft have included the following apps: </p><ul><li>Gmail</li><li><a href="https://www.itpro.com/software/microsoft-office/355740/microsoft-announces-lists-a-new-app-for-teams-sharepoint-and" data-original-url="https://www.itpro.com/software/microsoft-office/355740/microsoft-announces-lists-a-new-app-for-teams-sharepoint-and">Microsoft Outlook</a></li><li>Google Play</li><li><a href="https://www.itpro.com/marketing-comms/communications/356511/uber-launches-contact-tracing-service-for-public-health" data-original-url="https://www.itpro.com/marketing-comms/communications/356511/uber-launches-contact-tracing-service-for-public-health">Uber</a></li><li><a href="https://www.itpro.com/cloud/amazon-web-services-aws/356557/amazon-contact-lens-gives-call-center-managers-real-time-call" data-original-url="https://www.itpro.com/cloud/amazon-web-services-aws/356557/amazon-contact-lens-gives-call-center-managers-real-time-call">Amazon</a></li><li>eBay</li><li>Netflix</li><li>Cash App</li><li><a href="https://www.itpro.com/technology/cryptocurrencies/355818/coinbase-announces-the-acquisition-of-tagomi" data-original-url="https://www.itpro.com/technology/cryptocurrencies/355818/coinbase-announces-the-acquisition-of-tagomi">Coinbase</a></li><li>Binance</li></ul><p>It’s also targeted various banking apps in an effort to steal credentials, including: </p><ul><li>Barclays</li><li>Santander</li><li>Royal Bank of Scotland</li><li>Lloyds</li><li>ING</li><li>Wells Fargo.</li></ul><p>To steal credit card information, BlackRock has targeted a wide range of apps, 
including: </p><ul><li><a href="https://www.itpro.com/security/data-breaches/356547/direct-messages-of-36-users-accessed-in-twitter-hack" data-original-url="https://www.itpro.com/security/data-breaches/356547/direct-messages-of-36-users-accessed-in-twitter-hack">Twitter</a></li><li>Skype</li><li>Snapchat</li><li>Telegram</li><li>WhatsApp</li><li>Instagram</li><li><a href="https://www.itpro.com/marketing-comms/facebook-at-work/356544/facebook-messenger-now-features-its-own-lock" data-original-url="https://www.itpro.com/marketing-comms/facebook-at-work/356544/facebook-messenger-now-features-its-own-lock">Facebook</a></li><li>YouTube</li><li><a href="https://www.itpro.com/business-strategy/chief-executive-officer-ceo/356008/michael-seibel-to-replace-alexis-ohanian-on" data-original-url="https://www.itpro.com/business-strategy/chief-executive-officer-ceo/356008/michael-seibel-to-replace-alexis-ohanian-on">Reddit</a></li><li>TikTok</li><li>Tinder</li><li>Grindr</li></ul>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Researchers detail Tetrade family of Brazilian banking trojans ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/hacking/356478/researchers-detail-tetrade-family-of-brazilian-banking-trojans</link>
                                                                            <description>
                            <![CDATA[ Researchers predict banking trojans will continue to evolve and take on new targets ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">stguwibYs7wGKP9rb1y2Bj</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/4x8LJKuPeaTUDqefPN5aAD-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 16 Jul 2020 14:57:14 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sarah Brennan ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/4x8LJKuPeaTUDqefPN5aAD-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Toy horse on a digital screen to symbolise the attack of the Trojan virus]]></media:description>                                                            <media:text><![CDATA[Toy horse on a digital screen to symbolise the attack of the Trojan virus]]></media:text>
                                <media:title type="plain"><![CDATA[Toy horse on a digital screen to symbolise the attack of the Trojan virus]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/4x8LJKuPeaTUDqefPN5aAD-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Cybersecurity researchers from Kaspersky detailed four Brazilian <a href="https://www.itpro.com/security/30081/what-is-a-trojan-virus" data-original-url="https://www.itpro.com/security/30081/what-is-a-trojan-virus">banking trojans</a> targeting financial institutions in Brazil, Latin America and Europe. Dubbed the Tetrade by researchers, the malware family includes Guildma, Javali, Melcoz and Grandoreiro banking trojans. </p><p>Per the report, Guildma has added a host of new features to its campaigns since its inception in 2015. By using phishing emails with compressed email attachments, Guildma can hide malicious payloads and HTML files designed to execute <a href="https://www.itpro.com/development/30202/what-is-javascript-and-why-should-i-learn-it" data-original-url="https://www.itpro.com/development/30202/what-is-javascript-and-why-should-i-learn-it">JavaScript</a> code. </p><p>Once executed, Guildma downloads the HTML file and uses a legitimate command-line tool such as BITSAdmin to retrieve modules. Guildma also uses NTFS alternate data streams to conceal downloaded payloads and DLL search order hijacking to launch the malware. </p><p>Once installed, the final payload monitors for specific bank websites. When the victim opens a specific bank website, threat actors can then execute financial transactions using the victim's computer. Though Guildma has targeted banking users in Brazil in the past, the campaign has since broadened its reach by attacking banking users in Latin America.</p><p>Much like Guildma, Javali uses a multi-stage malware deployment process to dupe its victims. 
Using <a href="https://www.itpro.com/security/phishing/355296/it-pros-air-their-opinions-on-phishing-employees" data-original-url="https://www.itpro.com/security/phishing/355296/it-pros-air-their-opinions-on-phishing-employees">phishing emails</a> to distribute its initial payload, Javali emails include a file for a Microsoft installer along with an embedded Visual Basic script that downloads the final malicious payload from a remote C2. By using DLL sideloading and obfuscation techniques, Javali can hide its malicious activities.</p><p>Melcoz, another trojan app within the Tetrade family, has been linked to a string of attacks in Chile and Mexico since 2018. A variant of the open-source Remote Access PC RAT, Melcoz uses VBS scripts in installer package files to download the malware and can steal passwords from a user’s memory and browser. It can also steal a user’s Bitcoin wallet and replace the user’s wallet information with the hacker’s banking information.</p><p>Kaspersky researchers also identified Grandoreiro campaigns targeting Brazil, Mexico, Portugal and Spain since 2016. 
Hosted on Google Sites pages, Grandoreiro is delivered via compromised websites, Google ads or by using spear-phishing methods. Grandoreiro also uses a domain generation algorithm to hide the C2 address used during the attack.</p><p>“Just like Melcoz and Javali, Grandoreiro started to expand its attacks in Latin American and later in Europe with great success, focusing its efforts on evading detection by using modular installers,” said researchers. </p><p>“Among the four families we described, Grandoreiro is the most widespread globally. The malware enables attackers to perform fraudulent banking transactions by using the victims’ computers for bypassing security measures used by banking institutions,” they continued.</p><p>Guildma, Javali, Melcoz and Grandoreiro are all examples of Brazilian banking operations targeting users in multiple countries. Unfortunately, researchers predict these threats will continue to evolve and take on new targets in additional countries.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Four steps to exterminating RATs controlling your computer ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/trojans/355479/four-steps-to-exterminating-rats-controlling-your-computer</link>
                                                                            <description>
                            <![CDATA[ Unless actively pursued, damaging remote access trojans have the ability to live years undetected ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">mYbU5Znwzznts9k2sDXgQ4</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/MmmXXcLzgWnhkLwWDA5LzF-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 29 Apr 2020 11:10:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Zach Cooper ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/MmmXXcLzgWnhkLwWDA5LzF-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Red horse image imposed atop a circuitboard]]></media:description>                                                            <media:text><![CDATA[Red horse image imposed atop a circuitboard]]></media:text>
                                <media:title type="plain"><![CDATA[Red horse image imposed atop a circuitboard]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/MmmXXcLzgWnhkLwWDA5LzF-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
<p>With <a href="https://resources.malwarebytes.com/files/2019/01/Malwarebytes-Labs-2019-State-of-Malware-Report-2.pdf" target="_blank">trojan detection numbers on the rise</a>, the attention of security professionals is turning towards the packages which facilitate them.</p><p>Remote access <a href="https://www.itpro.com/security/30081/what-is-a-trojan-virus" target="_blank" data-original-url="https://www.itpro.com/security/30081/what-is-a-trojan-virus">trojans</a> (RATs) are a type of malware program that allows hackers to covertly gain administrative control over a victim’s computer. Malicious RAT programs work by infiltrating the computer then connecting back to the hacker, giving them unauthorised access from a remote location.</p><p>RATs can be as damaging as they sound. 
Once scurrying around your computer, RATs enable hackers to use your microphone and camera, record on-screen activity, alter personal files, and distribute further malware to other networks. If left unopposed, RAT infections will only worsen.</p><p>Fortunately, there are a series of techniques which can be employed to prevent and remove RATs. Read on to learn how to safeguard your computer and keep RATs in the cage.</p><h3 class="article-body__section" id="section-individual-awareness"><span>Individual awareness</span></h3><p>Rather obviously, the best way to remove RATs from a computer is to avoid getting them in the first place. The most common route a RAT takes into a computer is through downloaded files, typically sent as attachments in emails.</p><p>For organisations with large hubs of administrative staff, meaning a greater number of email addresses to target and a larger risk-surface, <a href="https://www.itpro.com/security/33974/our-5-minute-guide-to-security-awareness-training" target="_blank" data-original-url="https://www.itpro.com/security/33974/our-5-minute-guide-to-security-awareness-training">employee-awareness</a> of phishing practices must be heightened through comprehensive and recurring training; <a href="https://www.itpro.com/security/28744/4-giveaways-that-show-an-email-is-a-phishing-attack" target="_blank" data-original-url="https://www.itpro.com/security/28744/4-giveaways-that-show-an-email-is-a-phishing-attack">phishing</a> tactics evolve and so blanket one-day training isn’t sufficient. </p><p>Knowing not to open email attachments from unfamiliar addresses, or even the email itself, is a vital step to curtailing malware. 
Files should not be downloaded from untrustworthy sources on the web either; both practices help organisations remain vigilant and clear of any RATs.</p><h3 class="article-body__section" id="section-patch-management"><span>Patch management </span></h3><p>The second preventative measure is to ensure <a href="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management" target="_blank" data-original-url="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management">patch management</a> is constantly up-to-date. Updates are deployed for good reasons, and so it’s essential they are promptly downloaded for both operating systems and browsers alike.</p><p>Any time updates are avoided, whether because employees are unaware an update is available or because patches are viewed as irritating disruptions to workload, a window of opportunity for hackers is created. For those struggling to keep on top of patch management, it may be time to invest in a patch management tool.</p><h3 class="article-body__section" id="section-follow-the-trail-of-crumbs"><span>Follow the trail of crumbs</span></h3><p>If the worst comes to pass and efforts of prevention are undermined, it’s time to move into the location and removal phases. However, RATs can only be removed once they have first been detected. 
Therefore it’s vital to know and recognise the signs to look for: the trail of crumbs left by the RAT.</p><p>One of the less obvious signs is a slower network connection. Because a slow connection is a symptom of many ailments, even seasoned IT professionals can be forgiven for experiencing connection issues and not immediately suspecting an invisible RAT. However, a slower operating speed will usually prompt an investigation, and that investigation is likely to turn up an unexpectedly open network port. This is a clear giveaway that there could be a RAT lurking in the shadows. Also look out for altered or deleted files, and unknown programs installed onto the device.</p><p>When suspicions are raised, it’s then time to install security software from a trusted and reliable source - here, <a href="https://www.itpro.com/security/malware/355434/threat-groups-relying-on-trojanized-apps-to-spread-surveillanceware" target="_blank" data-original-url="https://www.itpro.com/security/malware/355434/threat-groups-relying-on-trojanized-apps-to-spread-surveillanceware">exercise caution</a>. 
Ideally, the computer would be disconnected from the internet to ensure the security probe can itself work undetected. After a <a href="https://www.itpro.com/internet-security/31517/seven-ways-to-test-your-online-security" target="_blank" data-original-url="https://www.itpro.com/internet-security/31517/seven-ways-to-test-your-online-security">full security scan</a>, follow the recommended steps listed by the security software to remove the threat. Once the infection has been successfully removed, all details should be considered compromised. Passwords should be changed and accounts explored to scope out the damage. </p><h3 class="article-body__section" id="section-trojan-removal-tools"><span>Trojan removal tools</span></h3><p>Ordinary antivirus scanners aren’t likely to detect encrypted RATs, as demonstrated by their ability to live undetected in computers for years. Utilising reputable <a href="https://www.itpro.com/malware/28153/whats-the-difference-between-antimalware-and-antivirus" target="_blank" data-original-url="https://www.itpro.com/malware/28153/whats-the-difference-between-antimalware-and-antivirus">antivirus and anti-malware</a> solutions does help ensure RATs are unable to function properly and assists in mitigating any data-collection activities; however, the best way to target and remove RATs is through investing in an intrusion detection tool.</p><p>Intrusion detection tools are efficient and able to automate much of the removal process. They can contain signatures that can detect trojan packets within network traffic and, if properly configured, can even reliably detect encrypted traffic. Security administrators continue to rely on trojan-specific scanners as they are the only pieces of software that can consistently stamp out a RAT. </p><p>Here, the saving grace is that RATs take a lot of time to construct. 
Typically those employed by hackers are acquired rather than built, meaning that trojan scanners or even more general anti-virus software are able to pull them up. As they are a time-consuming method of attack, they are also generally saved for larger corporations where they provide hackers with a decent ROI. However, since any computer is a target, it pays to be prepared.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Decade of the RATs - remote access trojans ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/trojans/355446/decade-of-the-rats-remote-access-trojans</link>
                                                                            <description>
                            <![CDATA[ Cross-platform APT espionage attacks targeting Linux, Windows and Android ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">oYshzRjjEyWHtWRFQfJVk3</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Qq5QCuuuKemB9gcxYDbT54-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Mon, 27 Apr 2020 10:38:03 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ itpro@futurenet.com (ITPro) ]]></author>                    <dc:creator><![CDATA[ ITPro ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/Qq5QCuuuKemB9gcxYDbT54-1280-80.png">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Qq5QCuuuKemB9gcxYDbT54-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
<p>For the corporations, government agencies and other organisations around the world who continue to be the targets of Advanced Persistent Threat (APT) groups, recent years could aptly be described as the Decade of the RATs - remote access trojans.</p><p>This whitepaper examines the activities of five adversarial groups who have spent the better part of the last decade successfully targeting organisations in cross-platform attacks while operating relatively, if not entirely, undetected in multiple strategic and economic espionage operations.</p><p>Download it now for a threat intelligence assessment of the strategic and tactical use of novel malware and attack techniques employed by threat actors.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Threat groups relying on trojanized apps to spread surveillanceware ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/malware/355434/threat-groups-relying-on-trojanized-apps-to-spread-surveillanceware</link>
                                                                            <description>
                            <![CDATA[ Apurva Kumar shows how Monokle is spreading its surveillanceware ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">rY965Q1HCDJRiudzA3d6HY</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/dWcahSZtnApD7fG8DQ4aGU-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 24 Apr 2020 15:49:11 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sarah Brennan ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/dWcahSZtnApD7fG8DQ4aGU-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/dWcahSZtnApD7fG8DQ4aGU-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.itpro.com/ransomware/34808/ransomware-as-a-service-threat-targeting-enterprise-servers" data-original-url="https://www.itpro.com/ransomware/34808/ransomware-as-a-service-threat-targeting-enterprise-servers">Threat groups</a> are increasingly relying on trojanized apps posing as legitimate versions. Instead of getting the <a href="https://www.itpro.com/android/28189/how-to-build-android-apps" data-original-url="https://www.itpro.com/android/28189/how-to-build-android-apps">app</a> you’re looking for, your device gets a dose of surveillanceware. In an <a href="https://www.youtube.com/watch?v=5rjOf54RmI8">interview with Threatpost</a>, Apurva Kumar, a security intelligence engineer at Lookout, shared how surveillanceware group Monokle is already employing this tactic.</p><p>Kumar first spoke about Monokle at this year’s <a href="https://www.rsaconference.com/usa/agenda/monokle-mobile-surveillanceware-with-a-russian-connection">RSA Conference</a>. 
During the session, he gave attendees an inside look at the highly targeted Monokle surveillanceware and tied it to nation-states.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/108791/surveillance-society-must-be-managed" data-original-url="/108791/surveillance-society-must-be-managed">Surveillance society must be managed</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/613852/pirate-party-looks-to-change-copyright-surveillance" data-original-url="/613852/pirate-party-looks-to-change-copyright-surveillance">Pirate Party looks to change copyright, surveillance</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/96757/trojan-uses-hacked-antivirus-code" data-original-url="/96757/trojan-uses-hacked-antivirus-code">Trojan uses hacked antivirus code</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/103304/trojans-found-on-tomtom-sat-navs" data-original-url="/103304/trojans-found-on-tomtom-sat-navs">Trojans found on TomTom sat navs</a></p></div></div><p>Kumar explained in the <a href="https://www.youtube.com/watch?v=5rjOf54RmI8">Threatpost interview</a>, “We found after quite a bit of investigation, and after looking at Monokle for a couple of times, we found that the developer of Monokle is almost certainly a Russian defense contractor by the name of Special Technology Center or STC. And this developer appears to have a very good or very advanced Android development pipeline, they are most likely producing a number of different applications, Android apps, both on the defensive side and the offensive side. 
So they produce some defensive security solutions that are like basically an antivirus, as well, as a surveillanceware which we found called Monokle.”</p><p>Kumar continued, detailing how <a href="https://www.itpro.com/spyware/34082/russian-linked-spyware-among-most-sophisticated-ever-discovered" data-original-url="https://www.itpro.com/spyware/34082/russian-linked-spyware-among-most-sophisticated-ever-discovered">Monokle</a> distributes its surveillanceware. By mimicking well-known applications, such as <a href="https://www.itpro.com/business/business-operations/355230/skype-launches-meet-now-calls-which-dont-require-sign-up-or" data-original-url="https://www.itpro.com/business/business-operations/355230/skype-launches-meet-now-calls-which-dont-require-sign-up-or?amp">Skype</a> or <a href="https://www.itpro.com/security/encryption/355294/messaging-app-signal-may-pull-out-of-us-if-encryption-bill-passes" data-original-url="https://www.itpro.com/security/encryption/355294/messaging-app-signal-may-pull-out-of-us-if-encryption-bill-passes">Signal</a>, Monokle convinces users to trust the <a href="https://www.itpro.com/security/30081/what-is-a-trojan-virus" data-original-url="https://www.itpro.com/security/30081/what-is-a-trojan-virus">trojanized app</a> enough to install it. Once installed, Monokle distributes malware across the unsuspecting users’ devices.</p><p>While it’s concerning that threat groups are using booby-trapped versions of popular apps to distribute surveillanceware, Kumar noted, “Threats are starting to move away from [the] simple installation of applications and starting to move more onto the device and device exploitation side. So definitely, as always, there will always be an increase in sophistication and complexity of these actors as they try to find new and novel ways of getting onto their targets’ device.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ National Crime Agency brings down prolific Trojan marketplace ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/trojans/354242/national-crime-agency-brings-down-prolific-trojan-marketplace</link>
                                                                            <description>
                            <![CDATA[ Imminent Methods sold IM-RAT malware for as little as $25 ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">pAnNvCjBWdG8zA3n1WvA8s</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/WvrmEn6AND54YXBcVpUwn6-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 02 Dec 2019 09:54:26 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/WvrmEn6AND54YXBcVpUwn6-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Trojan]]></media:description>                                                            <media:text><![CDATA[Trojan]]></media:text>
                                <media:title type="plain"><![CDATA[Trojan]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/WvrmEn6AND54YXBcVpUwn6-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A website that sold hacking tools responsible for infecting thousands of machines has been seized following an internationally coordinated effort from law enforcement agencies.</p><p>Imminent Methods was a 'clearnet' site that provided hackers with tools such as the Imminent Monitor Remote Access <a href="https://www.itpro.com/security/30081/what-is-a-trojan-virus" target="_blank" data-original-url="https://www.itpro.com/security/30081/what-is-a-trojan-virus">Trojan</a> (IM-RAT) for as little as $25 (£19), according to the National Crime Agency (NCA).</p><p>Search warrants were drafted across nine different countries, resulting in the search and seizure of articles related to the running of the website. Out of the 85 total warrants, 21 were executed in cities and regions across the UK, including London, Manchester, Leeds, Somerset, Essex and Merseyside.</p><p>Nine arrests were made in the UK, 14 globally, and more than 400 items were seized in total.</p><p>"The IM-RAT was used by individuals and organised crime groups in the UK to commit a range of offences beyond just the <a href="https://www.itpro.com/it-legislation/28174/what-is-the-computer-misuse-act" target="_blank" data-original-url="https://www.itpro.com/it-legislation/28174/what-is-the-computer-misuse-act">Computer Misuse Act</a>, including fraud, theft and voyeurism," said Phil Larratt, NCA's National Cyber Crime Unit.</p><p>"Cyber criminals who bought this tool for as little as US$25 were able to commit serious criminality, remotely invading the privacy of unsuspecting victims and stealing sensitive data".</p><p>RATs are a type of <a href="https://www.itpro.com/malware/28076/what-is-malware" target="_blank" data-original-url="https://www.itpro.com/malware/28076/what-is-malware">malware</a> that are often downloaded invisibly and usually include a backdoor that can be later exploited by the author to gain unauthorised access to a machine. 
 Once installed, RATs can spread between machines, gradually forming a botnet to increase the amount of data the malware's distributor has access to.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/30081/what-is-a-trojan-virus" data-original-url="/security/30081/what-is-a-trojan-virus">What is a Trojan?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/34521/bulletproof-dark-web-data-centre-seized-by-german-police" data-original-url="/security/34521/bulletproof-dark-web-data-centre-seized-by-german-police">“Bulletproof” dark web data centre seized by German police</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/ransomware/34808/ransomware-as-a-service-threat-targeting-enterprise-servers" data-original-url="/ransomware/34808/ransomware-as-a-service-threat-targeting-enterprise-servers">‘Ransomware as a service’ threat targeting enterprise servers</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/botnets/1644/what-is-a-botnet" data-original-url="/botnets/1644/what-is-a-botnet">What is a botnet?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/29391/interpol-dark-web-hacking-tools-are-fuelling-cybercrime" data-original-url="/security/29391/interpol-dark-web-hacking-tools-are-fuelling-cybercrime">Interpol: Dark web hacking tools are fuelling cybercrime</a></p></div></div><p>Notable victims of IM-RAT include <a href="https://www.fortinet.com/blog/threat-research/non-russion-matryoshka-russian-service-centers-under-attack.html" target="_blank">Russia-based IT service providers</a> and an assortment of <a href="https://www.symantec.com/blogs/threat-intelligence/african-financial-attacks" target="_blank">West African banks</a>.</p><p>The total number of victims is unknown; however, it's believed at least tens of thousands of machines may have
 been exposed to the malware. Evidence suggests that personal details, passwords, private photographs, video footage and other sensitive data have been harvested as a result.</p><p>Law enforcement agencies were originally tipped off by the FBI, which was working alongside cyber security outfit Unit 42 from Palo Alto Networks in 2017.</p><p>It's important to note that simply owning a licence for the malware isn't illegal, and there are uses for it beyond criminal activity. Only when it's used to break into computers and violate computer misuse laws does it become a criminal offence.</p><p>"The offences enabled by IM-RAT are often a precursor to more insidious forms of data theft and victim manipulation, which can have far-reaching privacy and safety consequences for those affected. These are real crimes with real victims," said Chris Goldsmid, acting commander cybercrime operations at the AFP.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="P54nypqdSwH9cscc7dTLkW" name="P54nypqdSwH9cscc7dTLkW.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/P54nypqdSwH9cscc7dTLkW.png" mos="https://cdn.mos.cms.futurecdn.net/P54nypqdSwH9cscc7dTLkW.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>6 best practices for escaping ransomware</strong></p><p class="fancy-box__body-text">A complete guide to tackling ransomware attacks</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/ransomware/354133/6-best-practices-for-escaping-ransomware" data-original-url="/security/ransomware/354133/6-best-practices-for-escaping-ransomware">FREE
DOWNLOAD</a></p></div></div><p>"We now live in a world where, for just US$25, a cybercriminal halfway across the world can, with just a click of the mouse, access your personal details or photographs of loved ones or even spy on you," said Steven Wilson, head of the European Cybercrime Centre.</p><p>Unusually, Imminent Methods operated in the 'clearnet', which means it could be freely accessed by anyone using normal search engines. It's more common for cyber criminals to head to the dark web to buy and sell malware such as RATs where the seizure of the site is less likely to take place.</p><p>Interpol has long maintained that the hacking tools available to buy on the dark web are fuelling cyber crime, being one of the primary contributors to the rise of <a href="https://www.itpro.com/ransomware/34808/ransomware-as-a-service-threat-targeting-enterprise-servers" target="_blank" data-original-url="https://www.itpro.com/ransomware/34808/ransomware-as-a-service-threat-targeting-enterprise-servers">'as a service'</a> models.</p><p>More recently, the trend of <a href="https://www.itpro.com/security/29332/the-rise-of-ransomware-as-a-service" target="_blank" data-original-url="https://www.itpro.com/security/29332/the-rise-of-ransomware-as-a-service">ransomware as a service (RaaS)</a> has been the tool of choice for cyber criminals due to the inexpensive price and high chance of profit.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ StealthFalcon malware spread through the Windows update mechanism ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/trojans/34368/stealthfalcon-malware-spread-through-the-windows-update-mechanism</link>
                                                                            <description>
                            <![CDATA[ By using the Windows update delivery system, the malicious traffic of this trojan can evade firewalls ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">2PMTLSdmYLbMqfdpDvtVhx</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/WvrmEn6AND54YXBcVpUwn6-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 10 Sep 2019 11:08:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/WvrmEn6AND54YXBcVpUwn6-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Trojan]]></media:description>                                                            <media:text><![CDATA[Trojan]]></media:text>
                                <media:title type="plain"><![CDATA[Trojan]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/WvrmEn6AND54YXBcVpUwn6-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Windows Background Intelligent Transfer Service (BITS) is being exploited again, with a malware strain using it to spread between computers.</p><p>Windows BITS is the default mechanism the operating system (OS) uses to deliver Windows updates to systems all over the world, and attackers are now using it to hide the traffic sent by the backdoor to and from their command and control (C&C) server.</p><p>Slovakian cyber security outfit <a href="https://www.welivesecurity.com/2019/09/09/backdoor-stealth-falcon-group" target="_blank">ESET discovered the trojan</a> and named it Win32/StealthFalcon, after the group to which it's attributed.</p><p>The StealthFalcon group has been around since 2012, according to the <a href="https://citizenlab.ca/2016/05/stealth-falcon" target="_blank">limited reports</a> there are on the organisation, and is believed to be a state-sponsored group which originally targeted United Arab Emirates (UAE) dissidents.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/30081/what-is-a-trojan-virus" data-original-url="/security/30081/what-is-a-trojan-virus">What is a Trojan?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/operating-systems/27717/how-to-fix-a-stuck-windows-10-update" data-original-url="/operating-systems/27717/how-to-fix-a-stuck-windows-10-update">How to fix a stuck Windows 10 update</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/malware/28076/what-is-malware" data-original-url="/malware/28076/what-is-malware">What is malware?</a></p></div></div><p>Instead of sending <a href="https://www.itpro.com/network-internet/30416/http-vs-https-what-difference-does-it-make-to-security" target="_blank" data-original-url="https://www.itpro.com/network-internet/30416/http-vs-https-what-difference-does-it-make-to-security">HTTP or 
HTTPS traffic</a> back to the C&C server, the trojan masks this traffic by routing it through BITS, a method the researchers believe will more easily evade firewalls.</p><p>This is because BITS isn't just used for Windows updates; other programs use it to distribute their own updates, and even Mozilla is working on pushing Firefox's improvements through BITS.</p><p>Because BITS is known by firewalls to carry traffic from legitimate sources, such as necessary updates, they often don't inspect it when scanning for cyber threats, making it a perfect fit to carry malicious code.</p><p>The researchers said the method of the <a href="https://www.itpro.com/security/30081/what-is-a-trojan-virus" target="_blank" data-original-url="https://www.itpro.com/security/30081/what-is-a-trojan-virus">trojan's delivery</a> was "beyond the scope of this investigation", but targets have been observed in the UAE, Saudi Arabia, Thailand and the Netherlands.</p><p>Links have been made between StealthFalcon and Project Raven, two groups previously thought to be independent of one another, after details in the reports, such as their file naming structure, were found to be too similar to belong to different parties.</p><p>Amnesty International's Senior Technologist, Claudio Guarnieri, has concluded that Stealth Falcon and Project Raven actually are the same group.</p><p>Details of Project Raven were unearthed in a <a href="https://www.reuters.com/investigates/special-report/usa-spying-raven" target="_blank">January <em>Reuters</em> investigation</a> which allegedly found evidence that former NSA experts were helping UAE authorities track and hack dissidents, journalists and human rights activists.</p><p>Although leveraging BITS to hide malicious traffic is an unusual method, it has certainly been done before. 
Chinese state-sponsored hacking groups <a href="https://www.itpro.com/security/33155/chinese-hackers-target-maritime-military-secrets-and-blitz-other-global-companies" target="_blank" data-original-url="https://www.itpro.com/security/33155/chinese-hackers-target-maritime-military-secrets-and-blitz-other-global-companies">Periscope</a> and Tropic Trooper are both believed to have launched similar attacks.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ What is a Trojan? ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/30081/what-is-a-trojan-virus</link>
                                                                            <description>
                            <![CDATA[ The malware lurks behind legitimate software to invade your computer ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">69Yg8H3x8QGy1FLg1Eo1gD</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/4x8LJKuPeaTUDqefPN5aAD-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 14 Aug 2019 11:20:00 +0000</pubDate>                                                                                                                                <updated>Sat, 07 Sep 2024 12:11:53 +0000</updated>
                                                                                                                                            <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nicholas Fearn ]]></dc:creator>                                                                                                                                                                                                                                                                    <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/4x8LJKuPeaTUDqefPN5aAD-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Toy horse on a digital screen to symbolise the attack of the Trojan virus]]></media:description>                                                            <media:text><![CDATA[Toy horse on a digital screen to symbolise the attack of the Trojan virus]]></media:text>
                                <media:title type="plain"><![CDATA[Toy horse on a digital screen to symbolise the attack of the Trojan virus]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/4x8LJKuPeaTUDqefPN5aAD-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Not everything is what it seems in computing; sometimes a simple download can actually be <a href="https://www.itpro.com/malware/28076/what-is-malware" data-original-url="https://www.itpro.com/malware/28076/what-is-malware">malware</a> in disguise - a hacking method known as a 'Trojan'.</p><p>This is the digital version of the famous tactic the Greek army used to infiltrate the city of Troy. The payload for the modern equivalent is your data, be it personal or financial, which might be found on your hard drive. </p><p>Once it is downloaded, a Trojan virus will lay low, simply gathering information for its creator - often people have no idea their machine is compromised. It has been known to block access to data and even drain resources while hiding in a victim's machine. </p><p>Trojans are widely available and relatively inexpensive, often used in <a href="https://www.itpro.com/security/28026/what-is-a-ddos-attack" data-original-url="https://www.itpro.com/security/28026/what-is-a-ddos-attack">DDoS</a> attacks and also as vehicles for other viruses, such as ransomware. A 2019 <a href="https://www.itpro.com/security/trojans/354242/national-crime-agency-brings-down-prolific-trojan-marketplace" data-original-url="https://www.itpro.com/security/trojans/354242/national-crime-agency-brings-down-prolific-trojan-marketplace">NCA investigation</a> found that remote access Trojans - known as 'RATs' - were available for as little as $25 (£19), which is part of the reason they're so popular. </p><p>Aside from price and availability, Trojans are also seen as some of the most effective tools available for hacking, especially considering that in most cases, victims only realise one is on their machine at the last minute. 
</p><div class="youtube-video" data-nosnippet ><div class="video-aspect-box"><iframe data-lazy-priority="high" data-lazy-src="https://www.youtube-nocookie.com/embed/EiyiaUoQvOU" allowfullscreen></iframe></div></div><h2 id="how-trojans-work">How Trojans work</h2><p>Unlike computer viruses and worms, Trojans cannot self-replicate to spread across computers on their own. Instead, leverage social engineering tactics and prey on people with poor cyber awareness to make their Trojan campaigns successful. These typically trick users into downloading what appear to be legitimate applications or files, which in fact contain malicious code.</p><p>Such apps are particularly potent in third-party application stores, where they can sit among other legitimate software. In fact, cyber security researchers at Zscaler ThreatLabz recently <a href="https://www.zscaler.com/blogs/security-research/technical-analysis-anatsa-campaigns-android-banking-malware-active-google" target="_blank"><u>found</u></a> 90 malicious apps on the Google Play Store, which had collectively amassed more than 5.5 million downloads. Hackers also spread trojans by attaching them to emails and spamming large numbers of people. Trojans may appear in pop-up adverts, too.</p><p>As soon as a victim installs a malicious app, opens a spam email attachment or clicks an unwanted advert containing a Trojan, the malware will download onto their computer from the cyber criminal’s server. The Trojan then runs in the background whenever the device is on.</p><p>Although Trojans don’t have the ability to manifest by themselves, cyber criminals can remotely control an infected computer to spread the Trojan to other devices. Once a cybercriminal has successfully installed their Trojan on a victim’s device, they can conduct a range of nefarious activities. 
Hackers may steal personal data, delete or modify files, create backdoors for remotely controlling devices, and take screenshots or access webcams to spy on victims, explains Jake Moore, global cyber security advisor at ESET.</p><h2 id="trojan-types">Trojan types</h2><p>What is important to remember is that the term “Trojan” is actually just an umbrella term for a wide variety of malware types, from RATs to <a href="https://www.itpro.com/technology/cryptocurrencies" target="_blank" data-original-url="https://www.itpro.com/technology/cryptocurrencies">cryptocurrency</a> miners. In fact, Trojans are usually named after the way they behave once they gain access to a system.</p><p><a href="https://www.itpro.com/security/33804/fresh-spam-campaign-targeting-microsoft-office-with-old-malware" data-original-url="https://www.itpro.com/security/33804/fresh-spam-campaign-targeting-microsoft-office-with-old-malware">Backdoor Trojans</a>, sometimes referred to as <a href="https://www.itpro.com/security/trojans/355446/decade-of-the-rats-remote-access-trojans" data-original-url="https://www.itpro.com/security/trojans/355446/decade-of-the-rats-remote-access-trojans">remote access Trojans</a> (RATs), are built with the intention to allow cyber criminals to grasp full control over a system. They achieve this by creating a so-called backdoor that lets them come and go as they please for as long as the Trojan goes undetected, and can be used for an array of illegal activities, from spying on users to implementing larger cyber attacks.</p><p><a href="https://www.itpro.com/hacking/30868/hiddenminer-cryptocurrency-mining-malware-can-push-android-devices-to-breaking-point" data-original-url="https://www.itpro.com/hacking/30868/hiddenminer-cryptocurrency-mining-malware-can-push-android-devices-to-breaking-point">Download Trojans</a>, as their name suggests, are capable of downloading other malicious programmes once they gain access to a system. 
The most common tools are keyloggers, which harvest any usernames and passwords entered into the system, or <a href="https://www.itpro.com/digital-currency/30249/what-is-cryptocurrency-mining" data-original-url="https://www.itpro.com/digital-currency/30249/what-is-cryptocurrency-mining">cryptocurrency miners</a>, which take advantage of a system’s processing power in order to subtly mine for Bitcoin as well as other digital tokens.</p><p><a href="https://www.itpro.com/malware/32337/trickbot-now-uses-microsoft-excel-to-steal-passwords-and-web-browser-data" data-original-url="https://www.itpro.com/malware/32337/trickbot-now-uses-microsoft-excel-to-steal-passwords-and-web-browser-data">Banking Trojans</a>, otherwise known as 'Trojan bankers', focus primarily on financial gain. They are able to conceal themselves within a system, waiting for the moment when the user decides to access a financial service such as an online bank account. They then intercept this traffic and redirect their victim to a fraudulent website which usually contains data capture forms used to steal the victim’s information.</p><p>Banking Trojans have enjoyed considerable success in the past, with some famous examples including <a href="https://www.itpro.com/197247/user-friendly-zeus-trojan-threatening-world-banks" data-original-url="https://www.itpro.com/197247/user-friendly-zeus-trojan-threatening-world-banks">Zeus</a>, <a href="https://www.itpro.com/malware/23819/dridex-malware-targets-15000-uk-bank-accounts-daily" data-original-url="https://www.itpro.com/malware/23819/dridex-malware-targets-15000-uk-bank-accounts-daily">Dridex</a>, and <a href="https://www.itpro.com/security/29172/marcus-hutchins-wannacry-kronos-charges" data-original-url="https://www.itpro.com/security/29172/marcus-hutchins-wannacry-kronos-charges">Kronos</a>. 
However, with today's heightened security measures as well as proactive efforts to prevent this style of attack, banking Trojans aren't as common as they used to be.</p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="Hd3Tyr3jrpmwiwUjf9LNM7" name="" alt="Hands of man holding a smartphone and using a laptop computer to make an online purchase" src="https://cdn.mos.cms.futurecdn.net/Hd3Tyr3jrpmwiwUjf9LNM7.jpg" mos="https://cdn.mos.cms.futurecdn.net/Hd3Tyr3jrpmwiwUjf9LNM7.jpg" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Shutterstock)</span></figcaption></figure><h2 id="how-to-remove-a-trojan">How to remove a Trojan</h2><p>It isn’t easy removing Trojans from an infected device. Typically, they hide in files and can be hard for users to spot. But that doesn’t mean removing them is impossible.</p><p>The first step in eradicating a Trojan infection is downloading a <a href="https://www.itpro.com/security/antivirus/367785/best-business-antivirus">competent antivirus app</a> onto your device. A trusted antivirus solution should enable you to conduct a system scan to identify malicious software and may also provide other features for dealing with Trojans.</p><p>Once you know the malicious file&apos;s identity, you can then remove it from your system. When doing so, it’s generally advisable to disable the device&apos;s Wi-Fi connection and put it into its recovery mode so that the Trojan cannot interfere with the removal process.</p><h2 id="how-to-protect-against-trojans">How to protect against Trojans</h2><p>While <a href="https://www.itpro.com/hacking/29949/us-blames-north-korea-for-fallchill-trojan" data-original-url="https://www.itpro.com/hacking/29949/us-blames-north-korea-for-fallchill-trojan">Trojans can cause significant damage</a> if loaded on someone&apos;s system, there are ways to prevent malware from causing problems.</p><p>Simple steps such as avoiding unsafe websites and keeping accounts safe with secure passwords and firewalls can help prevent malware attacks. Updating a device&apos;s operating system as soon as possible will also help prevent Trojans from causing damage, as malware tends to exploit the problems in outdated software.</p><p>It&apos;s also advisable to back up your files regularly so that, if a Trojan infects your computer, you can easily restore your data.</p><p>However, perhaps the most effective way of preventing this kind of malware attack is by installing anti-malware software on devices and running diagnostic scans with this software periodically.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Trickbot now uses Microsoft Excel to steal passwords and web browser data ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/malware/32337/trickbot-now-uses-microsoft-excel-to-steal-passwords-and-web-browser-data</link>
                                                                            <description>
                            <![CDATA[ The banking trojan has pivoted from stealing victims’ financial details to credentials and web history ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">cqxbxDfQLgU7ZfMg27cvef</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/bn6qaJXZEF94SzDrdRD8tX-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 12 Nov 2018 10:34:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/bn6qaJXZEF94SzDrdRD8tX-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The Microsoft Excel app on a mobile phone with headphones plugged in]]></media:description>                                                            <media:text><![CDATA[The Microsoft Excel app on a mobile phone with headphones plugged in]]></media:text>
                                <media:title type="plain"><![CDATA[The Microsoft Excel app on a mobile phone with headphones plugged in]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/bn6qaJXZEF94SzDrdRD8tX-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Trickbot malware, which has conventionally sought banking details, is now using a Microsoft Excel file riddled with malicious code to steal user credentials from web browsers.</p><p>Its new module, dubbed pwgrab32, is attempting to steal autofill data, web history as well as usernames and passwords from browsers and several applications through a malicious Microsoft Excel file, researchers claim.</p><p>The attackers are spreading a file named Sep_report.xls containing malicious code written in the Macro VBS programming language, which is executed when victims open the document. When Sep_report is opened, users are prompted to "enable content" on the embedded Macro, which activates and runs the malicious script.</p><p>After the malware downloads and runs the pwgrab32 module, it launches three threads to grab credentials from Internet Explorer, Firefox and Chrome, said <a href="https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html" target="_blank">Fortinet security researcher Xiaopeng Zhang</a>. In Zhang's version, a fourth thread for Edge was present but disabled.</p><p>Pwgrab32 then executes functions to steal autofill information from the web browser, credit card information, as well as credentials such as email address, country, company, street address, full name and phone number.</p><p>It steals stored usernames and passwords, internet cookies, browsing history, and HTTP posts. It is not capable of stealing passwords from third-party password manager applications such as Dashlane or LastPass, however, according to Trend Micro's security researchers Noel Anthony Llimos and Carl Maverick Pascual, who <a href="https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module" target="_blank">also analysed Trickbot</a>.</p><p>Once the malware has completed this process, it moves on to harvest passwords from mail client Outlook, as well as File Transfer Protocol apps FileZilla and WinSCP.</p><p>The malware's new functionality came to researchers' attention last month, with Fortinet's Zhang capturing his sample on 19 October.</p><p>"Malware authors continue to cash in on Trickbot's modular structure - its ability to continually update itself by downloading new modules from a C&C server and change its configuration make for a malware that's ripe for updating," said Trend Micro's Noel Anthony Llimos and Carl Maverick Pascual.</p><p>"Users and enterprises can benefit from protection that uses a multi-layered approach to mitigate the risks brought by threats like banking trojans."</p><p>Conventionally targeting victims' financial details, Trickbot has been alive and active since 2016 and is <a href="https://www.itpro.com/security/27426/dyre-malware-resurfaces-targets-australian-banks" target="_blank" data-original-url="https://www.itpro.com/security/27426/dyre-malware-resurfaces-targets-australian-banks">believed to be the reincarnation of the 'Dyre' attacks earlier this decade</a>.</p><p>The modular nature of the malware means the attackers behind it have been able to expand into several areas beyond its original narrow focus as a banking trojan.</p><p>Other notable modules it has developed in the last couple of years include systeminfo32, which gathers data on a victim's OS, CPU and memory, and networkDll32, an encrypted module which scans a network and steals network information.</p><p>Trickbot has even pivoted to Bitcoin wallet theft in recent months, with a Trickbot variant spotted last year that <a href="https://www.itpro.com/digital-currency/30516/cryptocurrency-miners-the-latest-tool-for-cyber-criminals" target="_blank" data-original-url="https://www.itpro.com/digital-currency/30516/cryptocurrency-miners-the-latest-tool-for-cyber-criminals">targets the Coinbase cryptocurrency exchange platform</a> to steal user credentials and funds.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Malware hiding Android apps return to Google Play after a simple name change ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/malware/31106/malware-hiding-android-apps-return-to-google-play-after-a-simple-name-change</link>
                                                                            <description>
                            <![CDATA[ Symantec discovers seven malicious apps sneaked back onto Google Play with different names ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">7ujm4rGQ2bQ3bgfcHDPov6</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/iLsCtPzkhPvM4FhARntwdJ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 14 May 2018 09:57:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/iLsCtPzkhPvM4FhARntwdJ-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A red Android mascot]]></media:description>                                                            <media:text><![CDATA[A red Android mascot]]></media:text>
                                <media:title type="plain"><![CDATA[A red Android mascot]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/iLsCtPzkhPvM4FhARntwdJ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Researchers have discovered a set of malicious apps on the Google Play Store that are reappearing after being removed by simply changing their names.</p><p>Malware identified as Android.Reputation.1, a Trojan <a href="https://www.symantec.com/security-center/writeup/2014-022612-2619-99" target="_blank">first encountered in 2014</a>, has been found in new iterations of at least seven apps on the Play Store after Google was previously alerted to them.</p><p>These new apps, featuring under a different publisher, carry the same code but are listed under an altered name, according to researchers from security company Symantec. The apps offer an array of features including emoji keyboard add-ons, calculators, call recorders, and storage space cleaners.</p><p>"The Google Play app store has a reputation as the safest place online to get Android apps," wrote Symantec's Martin Zhang, principal software engineer, and Shaun Aimoto, technical product owner, in a <a href="https://www.symantec.com/blogs/threat-intelligence/persistent-malicious-apps-google-play" target="_blank">blog post</a>, adding: "And Google does a good job of advising users to limit exposure to malware and other risks by configuring their phones to forbid side-loading and alternative app markets in the Android Settings.</p><p>"We've encountered several apps in the past, however, that manage to gain access to this walled garden. The latest of these discoveries is a set of apps that has managed to reappear in the Play store even after we alerted Google and the original app was removed."</p><p>The apps, once installed, take measures to stay on the device, disappear and wipe their tracks, including waiting for hours before launching malicious activity to avoid arousing suspicion and requesting admin privileges - using the Google Play icon when doing so to feign legitimacy.</p><p>The apps also retain the ability to change the launcher icon and their "running apps" icon in the system settings once installed, again using well-known icons such as Google Play or Google Maps to avoid suspicion, as well as pushing content such as ads or scams to the device.</p><p>Earlier this month Symantec discovered <a href="https://www.symantec.com/blogs/threat-intelligence/hidden-app-malware-google-play" target="_blank">38 malicious apps</a> carrying the Android.Reputation.1 Trojan on the Play Store disguised as game and education apps - hiding their existence from users by removing their icons from the home screen.</p><p>The company previously discovered a set of eight apps hiding a "highly prevalent" type of malware, dubbed <a href="https://www.symantec.com/connect/blogs/android-malware-google-play-adds-devices-botnet-and-performs-ddos-attacks" target="_blank">Android.Sockbot</a>, in late 2017, which operated by adding compromised devices into a botnet to potentially perform DDoS attacks. The apps boasted an install base of between 600,000 and 2.6 million devices.</p><p>"Of course, the most foolproof way to identify malware involves a balanced combination of data gathering, machine learning, and human expertise, all with a focus on app behaviour," Symantec's post continued.</p><p>The researchers provided the standard recommendations for users to avoid falling foul of sophisticated malware such as this, including keeping software up to date, avoiding downloading apps from unfamiliar sites, only installing apps from trusted publishers, reviewing permission requests, and installing a mobile security app.</p><p><em>IT Pro</em> contacted Symantec and Google but neither was able to comment at the time of writing.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Cryptocurrency miners: the latest tool for cyber criminals ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/digital-currency/30516/cryptocurrency-miners-the-latest-tool-for-cyber-criminals</link>
                                                                            <description>
                            <![CDATA[ Learn more about the new form of cyber crime that is being driven by cryptocurrency fever ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">6drvxWAVutGyTidWKeoE67</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/qU9iNG5RKZj3yFgnmYq2Nc-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 13 Feb 2018 10:00:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Esther Kezia Thorpe ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPPgWan5PqHyFNtSS9gnbR.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/qU9iNG5RKZj3yFgnmYq2Nc-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/qU9iNG5RKZj3yFgnmYq2Nc-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Due to the growing popularity and market value (at the time of writing!) of cryptocurrencies, it is no surprise that there has been a surge in the number of malicious attacks using cryptominers.</p><p>In its latest report into <a href="https://dennistrk.cvtr.io/click?pid=87&lid=4522&sid=&utm_content=30516-top">Cybercrime tactics and techniques: 2017 state of malware'</a>, Malwarebytes claims to have blocked an average of 8 million drive-by mining attempts from websites and visitors all over the world.</p><p>Drive-by mining is a revival of an old concept of browser-based mining using JavaScript. A new venture called Coinhive revived this method late last year, providing a simple API for webmasters to add to their website, which would turn any visitor into a miner for the Monero digital currency.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/29204/how-can-you-protect-your-business-from-crypto-ransomware" data-original-url="/security/29204/how-can-you-protect-your-business-from-crypto-ransomware">How can you protect your business from crypto-ransomware?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/28170/what-is-cyber-warfare" data-original-url="/security/28170/what-is-cyber-warfare">What is cyber warfare?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/digital-currency/30249/what-is-cryptocurrency-mining" data-original-url="/digital-currency/30249/what-is-cryptocurrency-mining">What is cryptocurrency mining?</a></p></div></div><p>Predictably, this technology was immediately abused by webmasters that ran it silently, therefore exploiting the visitor's CPU for their own gain. Eventually, criminals also took note and started compromising websites with cryptomining code. 
This means that the system resources of unsuspecting victims can be harnessed without authorisation in order to mine cryptocurrency.</p><p>The most popular currency for drive-by mining in 2017 is Monero, most likely due to the higher speed with which transactions are processed, even of small amounts. Criminals also benefit from the anonymity automatically incorporated into the Monero blockchain, and the fact that the mining algorithm doesn't favour specialised chips.</p><h2 id="popular-attack-methods">Popular attack methods</h2><p><strong>PUP wrappers:</strong> Several bundlers and PUP wrappers have been found to install miners, and they appear to be replacing adware as a payment method. IStartSurf, a PUP well known for its browser hijackers, has started to include miners in its silent installs.</p><p><strong>Exploit kits and malvertising:</strong> The payload of the RIG exploit kit now includes cryptominers. Even the EternalBlue exploit (of WannaCry fame) was used to spread a miner that used Windows Management Instrumentation for a fileless, persistent infection.</p><p><strong>Malicious spam:</strong> Cryptocurrencies are easy pickings for spammers. They often use Bitcoin value fluctuations as a means for phishing, while sending out cryptominers or installers for these miners as malspam.</p><p><strong>Social engineering:</strong> This is an increasingly popular method of attack used for drive-by mining. Some campaigns are run by convincing people they need to install a new font, when in fact they are being served a cryptominer. Some miners are also being offered as cracked versions of popular software.</p><p><strong>Bitcoin wallet theft:</strong> Banking Trojans have expanded their working field into stealing cryptocurrencies right out of people's virtual wallets. Coinbase is a cryptowallet that trades in several cryptocurrencies, including Bitcoin. 
A Trickbot variant was spotted that has added the Coinbase exchange to the list of sites it monitors for credential theft.</p><p>Other Trojans have been spotted that steal cryptocurrencies on the fly, including one that monitors a user's clipboard. As soon as it spots the address of a cryptocurrency wallet on the clipboard, it replaces the address with that of the threat actor.</p><p>Attacks like this can be virtually impossible to detect, and few people would expect something they had just copied to change before being pasted into an address bar.</p><p>It is likely that as cryptocurrency fever continues, drive-by mining will evolve as new mining platforms are utilised - such as Android and IoT devices - and new forms of malware are developed to mine and steal cryptocurrency.</p><p><em>Picture: Shutterstock</em></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 76% of local government organisations suffered a cyber attack in the past year ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cyber-attacks/30487/76-of-local-government-organisations-suffered-a-cyber-attack-in-the-past-year</link>
                                                                            <description>
                            <![CDATA[ Many IT professionals are unsure how to combat the rise in attacks ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">aY7EGYN3jovrCfWhwoJYQk</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/jxurWJCRFCVQTgWzgpYjCh-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 08 Feb 2018 11:22:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Phishing]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Esther Kezia Thorpe ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPPgWan5PqHyFNtSS9gnbR.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/jxurWJCRFCVQTgWzgpYjCh-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/jxurWJCRFCVQTgWzgpYjCh-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A total of 87% of local government organisations have experienced a phishing attack in the past 12 months, closely followed by 76% who have experienced a malware, virus or Trojan attack, according to Malwarebytes research into threats and opportunities across local government.</p><p>Half of respondents also reported being the victim of a ransomware attack in the past year, further underlining the scale of the challenge faced by local government.</p><p>Several organisations have experienced repeated ransomware attacks, including Barnsley Metropolitan Borough Council, which suffered 13 incidents over the last three years, and Stockport NHS Foundation Trust, which saw six attacks between 2014 and 2016.</p><p>The research surveyed senior professionals in a wide range of roles across local government. 
Public sector organisations in the UK are prime targets for cyber-criminals, due to the wide array of personal data they hold.</p><p>Many still use legacy IT and software solutions, meaning they can be infiltrated more easily by criminal gangs than similar-sized private sector companies.</p><h2 id="confidence-in-security-is-lacking">Confidence in security is lacking</h2><p>Many senior figures have admitted a lack of understanding about how to combat the rise in attacks. They are also unsure what technology is best suited to them and what exactly it's designed to counteract.</p><p>This in turn has led to a lack of confidence in a number of the solutions currently employed by local government. One-third of all respondents said they lacked confidence in their current solution's ability to protect against zero-day threats, as well as identify and remove suspicious activity.</p><p>42% of the organisations surveyed expect their current security budget to increase in 2018, indicating how seriously risk mitigation is being taken.</p><p>Although all of the organisations surveyed stated no data was stolen and no ransoms were paid, it's vital that local government seeks to adopt robust solutions to mitigate cyber security risks both before and after impact.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Free Trojan kit includes a backdoor that spies on hackers ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/29376/free-trojan-kit-includes-a-backdoor-that-spies-on-hackers</link>
                                                                            <description>
                            <![CDATA[ The flaw allows a single author to wrestle control of infected systems away from hackers ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">m9868Q7FeRLY3iWjENM6ta</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/52MGWveLAmDFkQEzycm9NC-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 01 Sep 2017 13:06:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Dale Walker ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/YhUVp3rWtcZPM5XznPeTmX.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/52MGWveLAmDFkQEzycm9NC-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/52MGWveLAmDFkQEzycm9NC-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A free remote access Trojan currently circulating on the dark web has been found to contain a backdoor that allows its original author to spy on the criminals operating it.</p><p>Security researchers at Zscaler discovered a remote access Trojan (RAT) family known as Cobian RAT in February, and have since been monitoring its activity. It first caught their eye because the RAT, a type of malware that is normally bought and sold, was being advertised for free on hacking forums.</p><p>On the surface it appeared to be a standard Trojan kit, including a keylogger, camera hijacker, voice recorder, install and uninstall functions, and the ability to run bespoke code.</p><p>However, upon inspection it was found that the builder kit behind the RAT is injected with a backdoor, an access route that allows its author to retrieve information on its users, and remotely control any systems that criminals have targeted with the Trojan.</p><p>Essentially, the original author is relying on other criminals to unknowingly do the work of hacking into computer systems, and then, once they are in, using the backdoor to wrestle control away from them.</p><p>"It is ironic to see that the second level operators, who are using this kit to spread malware and steal from the end user, are getting duped themselves by the original author," the Zscaler research team explained.</p><p>"The original author is essentially 
using a crowdsourced model for building a mega Botnet that leverages the second level operators Botnet."</p><p>A demonstration of the RAT kit in action showed an executable payload hidden inside a zip file masquerading as a Microsoft Excel spreadsheet. Once the malware is delivered to an infected system, the RAT silently communicates with a Pastebin address to get the most recent command and control (C&C) server details of the original writer.</p><p>What's more, in order to operate undetected by a hacker, the kit will check to see if the second level operator is currently online before communicating with the original author.</p><p>The research goes some way to explaining the ease with which botnets can be created and controlled under a single command server, and highlights the impossible task of identifying those behind them.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Cardinal RAT went unnoticed for two years ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/trojan/28535/cardinal-rat-went-unnoticed-for-two-years</link>
                                                                            <description>
                            <![CDATA[ Remote access Trojan used malicious Excel macros to infect systems ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">52aDoTCWvzBbfAAZdziqiw</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Yq7K6GpcaqC9RfbMAbLFDQ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 21 Apr 2017 10:04:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Yq7K6GpcaqC9RfbMAbLFDQ-1280-80.jpg">
                                                            <media:credit><![CDATA[Bigstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Malware under a magnifying glass]]></media:description>                                                            <media:text><![CDATA[Malware under a magnifying glass]]></media:text>
                                <media:title type="plain"><![CDATA[Malware under a magnifying glass]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Yq7K6GpcaqC9RfbMAbLFDQ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Security researchers have discovered a remote access Trojan that used malicious Excel macros to download and run the malware.</p><p>Called Cardinal RAT, the malware was found by researchers at Palo Alto Networks. The Trojan has been lying low, with only 27 samples collected over a two-year period.</p><p>According to a <a href="http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years">blog post</a>, the malware is delivered via a downloader, dubbed Carp, that uses malicious macros in Microsoft Excel documents to compile embedded C# source code into an executable, which in turn is run to deploy the Cardinal RAT malware family. </p><p>The Excel files sport a variety of lures to entice victims into running the malware. The downloader evades detection by compiling and executing C# source code with the csc.exe compiler built into Microsoft Windows.</p><p>The downloader pulls the malware from secure.dropinbox[.]pw over plain HTTP on port 443 (not HTTPS), decrypts it using AES-128 and then executes it. While the downloader is not tied to this particular malware, researchers said that it has so far been seen delivering only Cardinal RAT.</p><p>According to Josh Grunzweig, malware researcher with Unit 42, Palo Alto Networks, the majority of these lures are financial-related, describing various fake customer lists for various organisations. "Based on the similarities witnessed in some of these lures, it appears that the attackers use some sort of template, where they simply swap specific cells with the pertinent images or information," he said.</p><p>He added that the name Cardinal RAT comes from internal names used by the author within the observed Microsoft .NET Framework executables. </p><p>"To date, 27 unique samples of Cardinal RAT have been observed, dating back to December 2015. 
It is likely that the low volume of samples seen in the wild is partly responsible for the fact that this malware family has remained under the radar for so long," he said.</p><p>When the Trojan is initially executed, the malware will check its current working directory. Should it not match the expected path, Cardinal will enter its installation routine. Cardinal RAT will copy itself to a randomly named executable in the specified directory. It will then compile and execute embedded source code that contains watchdog functionality. </p><p>"This watchdog process also ensures that the Cardinal RAT process is always running, as well as ensures that the executable is located in the correct path. Should either of these conditions not be met, the watchdog process will spawn a new instance of Cardinal RAT, or write Cardinal RAT to the correct location, respectively," said Grunzweig. </p><p>The malware then sends information such as the username, hostname, Windows version and processor architecture to a command and control server. It can also harvest passwords, log keystrokes and capture screenshots.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Wi-Fi hijacker Trojan masquerades as Android apps ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/android/27855/wi-fi-hijacker-trojan-masquerades-as-android-apps</link>
                                                                            <description>
                            <![CDATA[ Switcher Trojan can hack your router's DNS requests ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">sAhtrv7J2sdiUq7zgzMchz</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/7GvRgVNDgexq7MZ4z2vfVh-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 04 Jan 2017 14:19:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Dale Walker ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/YhUVp3rWtcZPM5XznPeTmX.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/7GvRgVNDgexq7MZ4z2vfVh-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Hackers]]></media:description>                                                            <media:text><![CDATA[Hackers]]></media:text>
                                <media:title type="plain"><![CDATA[Hackers]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/7GvRgVNDgexq7MZ4z2vfVh-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A Trojan posing as a number of Android apps has been discovered in the wild, capable of hacking Wi-Fi routers and hijacking DNS requests, according to security firm Kaspersky.</p><p>Disguised as legitimate Android apps, the <a href="https://usblog.kaspersky.com/switcher-trojan-attacks-routers/10628" target="_blank">Switcher Trojan</a> is able to trick users into submitting personal details by displaying fake webpages masquerading as regular sites.</p><p>This new technique involves intercepting everyday internet navigation requests by targeting vulnerable Wi-Fi routers, instead of hacking a device directly.</p><p>Once a malicious app is downloaded to a device, the Trojan can redirect users to malicious websites by intervening between the user typing a website's domain name and the domain name server returning the actual address.</p><p>Kaspersky explains: "When you enter google.com, the respective DNS server returns the IP address 87.245.200.153 that is where you are effectively being directed. The thing is, malefactors can create their own DNS server that returns <em>another</em> IP address (say, 6.6.6.6) in response to your "google.com" request, and <em>that</em> address might host a malicious website. 
This method is called DNS hijacking."</p><p>Here's how a normal DNS request would work:</p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="zsJ5A6ppXHLjvh6nQFL5ND" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/zsJ5A6ppXHLjvh6nQFL5ND.png" mos="https://cdn.mos.cms.futurecdn.net/zsJ5A6ppXHLjvh6nQFL5ND.png" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div></figure><p>And this is what a DNS request looks like after a Switcher hijack:</p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="bFUG7MLe8ntdsKkTwoRYgX" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/bFUG7MLe8ntdsKkTwoRYgX.png" mos="https://cdn.mos.cms.futurecdn.net/bFUG7MLe8ntdsKkTwoRYgX.png" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div></figure><p>So how does it get onto your device in the first place? 
Switcher's developers created a couple of Android apps, one of which imitates Chinese web search app Baidu, while another pretends to be a public Wi-Fi password search app; both are popular in China.</p><p>Anybody downloading these apps installs the Switcher Trojan, which then confirms its installation to a command and control server, before brute forcing the victim's Wi-Fi router.</p><p>Gaining access to a router allows the Trojan to change the default DNS settings to a malicious address, meaning users searching for Google will instead be directed to a rogue site.</p><p>As a final flourish, a legitimate secondary default DNS address is set so that if the rogue server goes down, users will have no idea that any settings were changed.</p><p>Kaspersky security experts were able to access Switcher Trojan statistics, which were accidentally left open on a public section of the server website. If correct, the Trojan has infected 1,280 networks in less than four months, granting snoopers access to all user traffic and any details entered into malicious websites.</p><p>The security firm recommends that, as always, changing the default settings of routers is the most reliable way of preventing these kinds of attacks. 
Default credentials supplied with every network router are often left unchanged by the user, something that has been exploited by hackers creating IoT botnets for <a href="https://www.itpro.com/hacking/26835/hackers-turn-iot-devices-into-massive-botnet-with-lizard-squad-code" target="_blank" data-original-url="https://www.itpro.com/hacking/26835/hackers-turn-iot-devices-into-massive-botnet-with-lizard-squad-code">massive DDoS attacks</a> in 2016.</p><p>Kaspersky has also warned users to steer clear of suspicious apps on mobile devices and install reputable antivirus software for added protection.</p><p><em>Pictures courtesy of Kaspersky Lab</em></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Dropper RealShell shows malware devs are getting smarter ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/24803/dropper-realshell-shows-malware-devs-are-getting-smarter</link>
                                                                            <description>
                            <![CDATA[ The Android Trojan dropper can avoid existing defences to install malicious files on Android devices ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">sFnDB9edefzpSahD7egZBu</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/hGEAfwCpv6dAvxxRRzuv25-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 16 Jun 2015 08:15:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Android]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                    <category><![CDATA[Google]]></category>
                                                                                                                    <dc:creator><![CDATA[ Clare Hopping ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/hGEAfwCpv6dAvxxRRzuv25-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[RATDispenser evades nine in ten anti-virus engines ]]></media:description>                                                            <media:text><![CDATA[RATDispenser evades nine in ten anti-virus engines ]]></media:text>
                                <media:title type="plain"><![CDATA[RATDispenser evades nine in ten anti-virus engines ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/hGEAfwCpv6dAvxxRRzuv25-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A malware intelligence analyst has uncovered a sophisticated Android Trojan dropper that can install malware onto devices, bypassing any traditional defences.</p><p><a href="https://blog.malwarebytes.org/mobile-2/2015/06/complex-method-of-obfuscation-found-in-dropper-realshell">Malwarebytes</a> senior malware intelligence analyst Nathan Collier said the dropper can install malicious files into either the raw or the assets folder in the Android Application Package (APK) of a device.</p><p>"Trojan.Dropper.RealShell uses several files stored in the Assets folder to build another APK. It accomplishes this by reading from the files found in the Assets folder and then writing them into a single file with the extension .lock," Collier wrote on his blog.</p><p>"The .lock file is an Android RandomAccessFile which means it has the ability to read lines from one file, and then write them in a random or manually assigned sequence to another file."</p><p>When the process is complete, a new APK file is produced. But this new file is different to a normal APK file because it doesn't have a manifest file or anything else that helps it run. It uses the manifest file and resources from the parent APK that built it to run, with the help of DexClassLoader so it can work without using code installed on the device.</p><p>This newly built app then creates another APK containing PUP.RiskPay.Skymobi, an untrustworthy SMS payment SDK, which is dropped into libraries stored in the parent APK so it can build a new PUP.RiskPay.Skymobi app, complete with its own manifest files and resources to make it run.</p><p>Collier said: "Obfuscation in mobile malware is nothing new, but the tactics are becoming more complex. This just shows that there is becoming more of a focus on mobile in the malware industry.</p><p>"As more people replace PCs with tablets, smartphones, and other Android devices we fully expect this trend of more complex obfuscation on mobile malware to continue."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Energy companies targeted by Laziok Trojan ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/24338/energy-companies-targeted-by-laziok-trojan</link>
                                                                            <description>
                            <![CDATA[ Malware enters infrastructure, then sends in more advanced viruses to carry out attacks ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">rt7VBqzi179Z6ZjJjcjafm</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/gfdqWUKwUuPZ3Dip2R3zMf-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 02 Apr 2015 14:16:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/gfdqWUKwUuPZ3Dip2R3zMf-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Hacker]]></media:description>                                                            <media:text><![CDATA[Hacker]]></media:text>
                                <media:title type="plain"><![CDATA[Hacker]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/gfdqWUKwUuPZ3Dip2R3zMf-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A Trojan is targeting firms in the energy industry, infiltrating systems in a bid to gather information about a company's operations.</p><p>Researchers at Symantec, who discovered the malware, found that most of the attacks involved victims in the petroleum, gas and helium industries, especially those based in the United Arab Emirates, which accounted for one in four attacks.</p><p>According to a <a href="http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector">blog post</a> by Christian Tripputi, security response manager at Symantec, Saudi Arabia, Kuwait, and Pakistan each accounted for 10 per cent of the attacks, while firms in the UK and US accounted for five per cent each.</p><p>Tripputi said the attacks were detected in the first couple of months this year and the Trojan looks to create a beachhead on energy firms before sending in further malware to gather further information about the victims.</p><p>The initial infection vector involves the use of spam emails coming from the moneytrans[.]eu domain, which acts as an open relay Simple Mail Transfer Protocol (SMTP) server, according to Tripputi.</p><p>"These emails include a malicious attachment packed with an exploit for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158)," he said. "This vulnerability has been exploited in many different attack campaigns in the past, such as Red October."</p><p>Tripputi added that the stolen data "enables the attacker to make crucial decisions about how to proceed further with the attack, or to halt the attack".</p><p>If the victim organisation is deemed to be interesting, additional Trojans and backdoors would then be installed.</p><p>"The attackers distributed customised copies of Backdoor.Cyberat and Trojan.Zbot which are specifically tailored for the compromised computer's profile," said Tripputi.</p><p>He said that threats were downloaded from a few servers operating in the US, UK, and Bulgaria.</p><p>The security researcher said the group behind the attack does not seem to be particularly advanced, as they exploited an old vulnerability and used their attack to distribute well-known threats that are available in the underground market.</p><p>"However, many people still fail to apply patches for vulnerabilities that are several years old, leaving themselves open to attacks of this kind. From the attacker's perspective, they don't always need to have the latest tools at their disposal to succeed," he said. "All they need is a bit of help from the user and a lapse in security operations through the failure to patch."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Regin malware used in attacks since 2008, Symantec research finds ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/23587/regin-malware-used-in-attacks-since-2008-symantec-research-finds</link>
                                                                            <description>
                            <![CDATA[ Newly-discovered complex malware could be state-sponsored, researchers claim ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">gToQrvEusY8XdbeHpG3VmA</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/KmfvTN8TCMdTvb2L3JRJQU-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 24 Nov 2014 11:41:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/KmfvTN8TCMdTvb2L3JRJQU-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Malware]]></media:description>                                                            <media:text><![CDATA[Malware]]></media:text>
                                <media:title type="plain"><![CDATA[Malware]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/KmfvTN8TCMdTvb2L3JRJQU-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Symantec fears the Regin malware it's uncovered could have been created by an overseas government for the purpose of carrying out state-sponsored attacks against infrastructure providers and large enterprises.</p><p>The Regin malware has been picked up attacking firms across the globe and is described as one of the most sophisticated examples of malicious software ever seen.</p><p>At present, the majority of attacks are said to have taken place in Russia, Saudi Arabia and Mexico against telecommunications, energy and health companies, with Symantec describing the malware in a <a href="http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance">blog post</a> as a backdoor-type Trojan with "a degree of technical competence rarely seen".</p><p>It added that Regin has been used against a range of international targets since 2008, and can be used to spy on governments, infrastructure providers, businesses, research teams and individuals.</p><p>"It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyber-espionage tools used by a nation state," the firm said.</p><p>Symantec did not name the likely geographical source of the attacks, but the victim nations suggest the source could be a Western country with sufficient development resources.</p><p>Around half the total attacks were aimed at Russian and Saudi firms at 28 per cent and 24 per cent, respectively. Mexico and Ireland accounted for nine per cent each.</p><p>"Its design makes it highly suited for persistent, long term surveillance operations against targets," the researchers said.</p><p>In 2011 early versions of the malware were abruptly removed before it reappeared in a new form in 2013. This indicates an adversary had detected the software or was beginning analysis, causing its effectiveness to be reduced.</p><p>Symantec said "many components of Regin remain undiscovered and additional functionality and versions may exist." The firm said its investigations will continue and it will provide updates as discoveries about the malware are made.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Fake WHO email about Ebola spreads malware ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/23358/fake-who-email-about-ebola-spreads-malware</link>
                                                                            <description>
                            <![CDATA[ Advice email from “World Health Organization” harbours its own virus ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">dupTuaRzoATi5sf2sRbzid</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/SRcyAeMpkrrL5kawjGXtuX-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 24 Oct 2014 08:54:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/SRcyAeMpkrrL5kawjGXtuX-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Click here for malware]]></media:description>                                                            <media:text><![CDATA[Click here for malware]]></media:text>
                                <media:title type="plain"><![CDATA[Click here for malware]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/SRcyAeMpkrrL5kawjGXtuX-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>An IT security company has uncovered a malware-laden email, claiming to come from the World Health Organisation, that is designed to prey on fears over the Ebola virus.</p><p>According to researchers at Trustwave, the malware threat disguises itself in an email from the World Health Organization (WHO), complete with an attached file.</p><p>The message claims the attached file contains information on how to prevent the spread of Ebola. However, the file is in fact an executable that installs the DarkComet Remote Access Trojan (RAT).</p><p>The Trojan makes use of its heavily obfuscated script to run undetected by antivirus software. This then creates a randomly named folder in the Windows Application Data drive and copies all of its component files into that folder. </p><p>As well as keylogging, the Trojan can capture webcam images and sounds. It can remotely access the desktop as well as uploading and executing other files.</p><p>The malware also gathers system information, modifies system host files, executes shell commands, steals passwords and torrent files, lists processes and runs remote scripts. </p><p>The Trojan then sends all this information to a remote server. At present, researchers said they have only seen one sample from the campaign so far.</p><p>"At this time we don't have reason to believe it is a widespread campaign. The address it was sent to was an old honeypot address, so it's not exactly targeted either," the researchers said in a <a href="http://blog.spiderlabs.com/2014/10/spam-campaign-taking-advantage-of-ebola-scare-may-lead-to-malware-infections.html">blog post</a>.</p><p>"These facts taken together suggest a low volume campaign (sent to whatever address list the spammer is using) in an attempt to infect random users in the hope of gaining some data that can be used or sold."</p><p>The firm said another campaign pretended to be from the Mexican Government with an advisory on the Ebola situation in Mexico. Trustwave said just last week the United States Computer Emergency Readiness Team (US-CERT) published an <a href="https://www.us-cert.gov/ncas/current-activity/2014/10/16/Ebola-Phishing-Scams-and-Malware-Campaigns">advisory</a> warning users of scams and spam campaigns using the Ebola virus as a social engineering theme.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Android Trojan poses as game of noughts and crosses ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/malware/23289/android-trojan-poses-as-game-of-noughts-and-crosses</link>
                                                                            <description>
                            <![CDATA[ Goaml malware steals text messages and emails ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">5q5RaihGCUN72JtetsRnvh</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/bubpZnmYjLn4XdnHuHp6cC-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 14 Oct 2014 08:31:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/bubpZnmYjLn4XdnHuHp6cC-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/bubpZnmYjLn4XdnHuHp6cC-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A new Trojan that targets Android devices while pretending to be a game of noughts and crosses has been uncovered by security researchers.</p><p>According to Anton Kivva, antivirus analyst at Kaspersky Lab, the Gomal Trojan sports all of the usual spyware functionality, including the ability to record sounds, process calls and steal SMS messages. </p><p>The Tic-Tac-Toe malware also uses tools that provide access to various Linux services by attacking the Android operating system and can also read the device's process memory, which, according to Kivva, can jeopardise many communication applications.</p><p>Gomal also steals data from logcat, the logging service built into Android that is used for application debugging. "Developers very often have their applications outputting critically important data to Logcat even after the apps have been released. This enables the Trojan to steal even more confidential data from other programs," said the security researcher.</p><p>The malware is capable of stealing emails from Good for Enterprise, a secure email client for corporate use, the researcher added. Data theft in this situation could lead to serious issues for the company where the device owner works.</p><p>"In order to attack Good for Enterprise, the Trojan uses the console to get the ID of the relevant process (ps command) and reads virtual file /proc//maps. The file contains information about memory blocks allocated to the application," said Kivva in a <a href="https://securelist.com/blog/research/67004/tic-tac-toe-with-a-twist">blog post</a>.</p><p>The techniques used by Gomal were originally implemented in Windows Trojans, but have now progressed to Android malware.</p><p>"What's more alarming is that this technique can adapt to steal data from other applications as well as Good for Enterprise; it is likely that a range of mobile malware designed to attack popular email clients, messengers and other programs will appear in the near future," he said.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Selfmite Android malware returns, bigger & badder ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/malware/23268/selfmite-android-malware-returns-bigger-badder</link>
                                                                            <description>
                            <![CDATA[ Sending out more text messages and making more money for hackers ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">dWpqe4h8yiDPjDDSPx9Mf3</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/SfyG6pkZbohJe2YvJZvsNE-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 10 Oct 2014 09:50:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/SfyG6pkZbohJe2YvJZvsNE-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Mobile malware]]></media:description>                                                            <media:text><![CDATA[Mobile malware]]></media:text>
                                <media:title type="plain"><![CDATA[Mobile malware]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/SfyG6pkZbohJe2YvJZvsNE-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Selfmite worm that attacks Android phones and sends out text messages has made a reappearance, prompting security researchers to warn the new version is more dangerous and widespread this time.</p><p>According to IT security firm AdaptiveMobile, the worm first surfaced in June. This latest version, Selfmite.b, has infected many more users, uses several techniques to extract money from victims and is "difficult to stop".</p><p>Around 150,000 messages have been tracked as being sent by the worm over the last ten days in 16 countries, a hundred times the number of messages generated by the previous version of the malware.</p><p>As in the previous version, Selfmite infects a user's phone if they click on a link in a text message reading "Hi buddy, try this, its amazing u know," and "Hey, try it, its very fine." Following the link downloads and installs an APK file, which is a trojanised Google Plus app infected with the worm.</p><p>The worm then connects with a remote server and downloads a configuration file containing data that is used to spread the infection.</p><p>Whereas the previous version just spammed 20 contacts in a user's address book, this latest version sends a message to all contacts in a loop until the mobile operator detects a problem and blocks messages.</p><p>The worm uses multiple "touch points" to encourage the victim to do things that make money for the hacker.</p><p>Users are either directed to an application in Google Play after clicking on the installed worm icon, or they click on icons that Selfmite.b has placed on their desktops and are therefore redirected to unsolicited subscription websites. The worm also varies content according to IP addresses, meaning users in different countries will be redirected to different websites.</p><p>While iPhone users aren't at risk of infection, clicking on the link will redirect them to a fitness app in the Apple App Store.</p><p>"This is Selfmite returning on steroids," said Denis Maslennikov, security analyst at AdaptiveMobile.</p><p>"Its more aggressive self-propagating capabilities mean more victims. In addition, it uses multiple links to engage with users, increasing its monetisation potential. This additional level of complexity makes Selfmite.b a real concern for both mobile carriers and users."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ESET uncovers first Android file-encrypting piece of ransomware ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/malware/22407/eset-uncovers-first-android-file-encrypting-piece-of-ransomware</link>
                                                                            <description>
                            <![CDATA[ Android/Simplocker malware allows hackers to hold users' devices to ransom ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">paspXFrwWZD3SNQ8iZC7J1</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/nUbukTT8DTtqBiTqibNp7N-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Thu, 05 Jun 2014 10:32:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Caroline Donnelly ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/nUbukTT8DTtqBiTqibNp7N-1280-80.png">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/nUbukTT8DTtqBiTqibNp7N-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Malware researchers at security vendor ESET claim to have uncovered the first example of a malicious file-encrypting piece of ransomware aimed at Android users.</p><p>In a blog post <a href="http://www.welivesecurity.com/2014/06/04/simplocker/?utm_source=dlvr.it&utm_medium=twitter">announcing the finding</a>, the company said the Android/Simplocker malware works by scanning a user's smartphone or tablet for files to encrypt, before demanding a ransom to unlock them.</p><p>The file types targeted by the malware include jpeg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp and mp4.</p><div><blockquote><p>We strongly recommend against paying up because that will only motivate other malware authors to continue these kinds of filthy operations.</p></blockquote></div><p>Affected users are usually notified about the fact their device has come under attack by a ransom message that's written in Russian and demands payment in Ukrainian hryvnias.</p><p>Robert Lipovsky, an ESET malware researcher, wrote in the blog: "It's fair to assume that the threat is targeted against this region.</p><p>"This is not surprising, the very first Android SMS Trojans back in 2010 also originated in Russia and Ukraine," he added.</p><p>The message accuses the device user of accessing and distributing child abuse images, as well as information about "other perversions", before issuing instructions about how to pay the ransom.</p><p>"After payment your device will be unlocked within 24 hours," the message states.</p><p>"In case of no payment, you will lose all data on your devices."</p><p>The researchers also discovered the malware keeps in contact with a Command & Control server, and sends identifiable information from the device back to it.</p><p>This server is also thought to notify the device once payment has been received, so that it can be unlocked.</p><p>"Our analysis of the Android/Simplock... 
revealed that we are most likely dealing with a proof-of-concept or a work in progress for example," Lipovsky continued.</p><p>"Nevertheless, the malware is fully capable of encrypting the user's files, which may be lost if the encryption key is not retrieved.</p><p>"While the malware does contain functionality to decrypt the files, we strongly recommend against paying up, not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them," he added.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Malwarebytes warns users of ‘certified’ banking Trojan ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/645544/malwarebytes-warns-users-of-certified-banking-trojan</link>
                                                                            <description>
                            <![CDATA[ Security vendor sounds alarm over emergence of new password-stealing Trojan. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">m9BQUioejTnPX91dM595Fb</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Qx8Lv5sKP9icDt2FiBzxtV-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 06 Feb 2013 15:21:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Jane McCallion ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Qx8Lv5sKP9icDt2FiBzxtV-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Malwarebytes logo]]></media:description>                                                            <media:text><![CDATA[Malwarebytes logo]]></media:text>
                                <media:title type="plain"><![CDATA[Malwarebytes logo]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Qx8Lv5sKP9icDt2FiBzxtV-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Security software vendor Malwarebytes has issued an alert over the emergence of a new 'certified Trojan'.</p><p>The malware is a Brazilian banking and password stealer that has been signed with a valid digital certificate issued by DigiCert.</p><p>Clearly, if digital certificates can be abused so easily, we have a big problem on our hands</p><p>"The purpose of a digital signature is to guarantee the authenticity of a file from a particular vendor and is provided by one of a few certificate authorities," said senior security researcher Jerome Segura <a href="http://blog.malwarebytes.org/intelligence/2013/02/digital-certificates-and-malware-a-dangerous-mix" target="blank">in a blog post</a>.</p><p>"[However], this certificate is issued to a company called 'Buster Paper Comercial Ltda', a Brazilian company that actually does not exist and was registered with bogus data," Segura added.</p><p>The malware is disguised as a PDF and, when opened, appears to show a genuine invoice. 
However, in the background, it downloads a banking Trojan.</p><p>As Segura points out, the theft or mis-signing of digital certificates is not new, and this particular banking Trojan has used this method of infection before.</p><p>"What we have here is a total abuse of hosting services, digital certificates and repeated offenses from the same people.</p><p>"Clearly, if digital certificates can be abused so easily, we have a big problem on our hands," said Segura.</p><p>Malwarebytes said that, even in the face of more sophisticated and underhand threats such as this, "the same old tips still hold very true".</p><p>The company advises users not to open an attachment, even from someone they know, without first doing a thorough check on it.</p><p>It added that even if a file is digitally signed, this does not guarantee it is safe to use.</p><p>"A lot of potentially unwanted applications can use a digital certificate and, of course, malware can too," said Segura.</p><p>"Always check the file extension... [and] never trust file icons. Just because it looks like a Word document or PDF file does not mean it is. With that in mind, stay safe," Segura concluded.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Malware prototype exposes smartcard security flaws ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/644242/malware-prototype-exposes-smartcard-security-flaws</link>
                                                                            <description>
                            <![CDATA[ Proof-of-concept trojan gives cybercriminals access to sensitive data with just an internet connection ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">8DoPBHa5ASbguxVfNHGKWg</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/E95pHecjpEsz9C9mRmDgqR-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 20 Nov 2012 16:20:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Jane McCallion ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/E95pHecjpEsz9C9mRmDgqR-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Hand coming out of screen stealing credit card]]></media:description>                                                            <media:text><![CDATA[Hand coming out of screen stealing credit card]]></media:text>
                                <media:title type="plain"><![CDATA[Hand coming out of screen stealing credit card]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/E95pHecjpEsz9C9mRmDgqR-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A research team from IT security consultancy itrust has created a proof-of-concept malware that lets attackers gain access to smartcard readers attached to infected Windows PCs via the internet.</p><p>The attack happens when a smartcard reader is connected to the affected computer via USB.</p><p>The malware installs a driver onto the USB device that allows the attacker to access information on the victim's smartcard as if it were attached to their own PC.</p><p>The researchers, led by IT security consultant Paul Rascagneres, used the Belgian eID national electronic identity card and a selection of smartcards used by Belgian banks to test drive the malware prototype.</p><p>As with the British Chip and PIN credit and debit cards, most smartcards use a PIN or password as a secondary authentication method to enhance security.</p><p>However, the malware developed by the itrust team also contains a keylogger that can steal these credentials as unwitting users type them on their keyboard.</p><p>Victims are unlikely to be aware they have been attacked until they suffer some kind of identity or financial fraud.</p><p>Rascagneres claims the attack is completely transparent to the user, as they will not be prevented from using their card reader in the usual way.</p><p>Marcin Kleczynski, CEO of Malwarebytes, told <em>IT Pro</em>: "The research is another clear indicator of the fact that intelligent malware can breach even the most seemingly watertight counter-measure."</p><p>"There has been a massive increase in the value of sensitive business data amongst the criminal underground, so breaches such as this, using new attack vectors, will only increase," Kleczynski added.</p><p>A full exposition of the development of the prototype and the threat this kind of malware poses will be delivered in a presentation by Rascagneres, entitled 'Smartcards Reloaded Remotely!', at the upcoming MalCon security conference in New Delhi on 24 November.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Trusteer hails discovery of ‘Son of Silon’ financial malware ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/642223/trusteer-hails-discovery-of-son-of-silon-financial-malware</link>
                                                                            <description>
                            <![CDATA[ New Trojan uses decoys and monitoring to evade detection and fight deletion. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">qbMn8EKMoTKpT74mf15n6H</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/wkgtgpxQ9fGDcs4hF22ikc-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 10 Aug 2012 12:51:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Jane McCallion ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/wkgtgpxQ9fGDcs4hF22ikc-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[frenta - Fotolia.com]]></media:description>                                                            <media:text><![CDATA[frenta - Fotolia.com]]></media:text>
                                <media:title type="plain"><![CDATA[frenta - Fotolia.com]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/wkgtgpxQ9fGDcs4hF22ikc-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Security vendor Trusteer has uncovered a type of financial malware that it claims is capable of avoiding detection by most types of anti-virus software.</p><p>The Trojan, dubbed Tilon, uses the so-called 'Man in the Browser' (MitB) technique: the malware injects itself into the browser software and is then in full control of the traffic travelling between the browser and the web server.</p><p>"[Tilon] has an impressive list of supported browsers: Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and probably others," said Amit Klein, chief technology officer at Trusteer.</p><p>According to Klein, Tilon, which is related to the Silon malware Trusteer detected in 2009, is specifically targeted at online banking customers protected by two-factor authentication systems.</p><p>It is able to gain access to all login credentials and transactions, the company said, by capturing all form submissions and sending them to its command and control server.</p><p>What is most impressive about Tilon is the breadth of evasion techniques it employs</p><p>"More interestingly perhaps, it controls the traffic (web pages) from the web server to the browser, and through a sophisticated 'search and replace' mechanism it targets specific URLs and replaces parts (small and large) of the pages with its own text," Klein added.</p><p>The firm claims Tilon shares similarities with other financial malware, such as Zeus, SpyEye and Shylock, but it is its evasion mechanisms that make it stand out.</p><p>"What is most impressive about Tilon is the breadth of evasion techniques it employs to avoid detection and scrutiny and to survive 'attacks' by security products," Klein said.</p><p>Evasion techniques detected so far by Trusteer include starting a 'watchdog' thread that prevents its removal by many security products, and the installation of two executable files, one with a genuine-looking name and the other with a random name, also designed to prevent 
detection.</p><p>The malware will also not install properly on a virtual machine, making it hard for researchers to study. Additionally, if an installation on a virtual machine is attempted, Tilon will deploy fake 'system tool' scamware as a decoy, which will cause researchers to overlook the real threat.</p><p>The company discovered Tilon in July and, according to Klein, it has already mutated once.</p><p>Security and fraud professionals from the banking industry who want to know if their bank has been targeted are encouraged to contact the company using <a href="http://buildingtrust.trusteer.com/Info" target="blank">this link</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Security industry criticises Apple over Flashback malware ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/640057/security-industry-criticises-apple-over-flashback-malware</link>
                                                                            <description>
                            <![CDATA[ Cupertino company slammed over slow response to fix Trojan problem. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">nvYXkmx4yUcLS3eGE9tGS2</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/fZp6QvkqiUmJQ5iviEotuK-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 12 Apr 2012 15:31:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/fZp6QvkqiUmJQ5iviEotuK-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[criticism]]></media:description>                                                            <media:text><![CDATA[criticism]]></media:text>
                                <media:title type="plain"><![CDATA[criticism]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/fZp6QvkqiUmJQ5iviEotuK-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Apple has been hauled over the coals by the security industry and accused of being slow to eradicate malware that left upwards of 600,000 Macs infected with the Flashback Trojan.</p><p>While the iPhone maker has released two specific patches to deal with a flaw in the OS X Java Virtual Machine, it is still working on a tool to remove existing infections present on victims' machines. Security experts have attacked the iPad manufacturer's complacency.</p><p>The threat to Apple machines first surfaced in September last year, giving cyber criminals time to amass infected Macs into a huge botnet capable of causing massive damage to networks worldwide.</p><p>Kaspersky Lab's chief security expert, Alexander Gostev, blamed Apple for not taking action sooner.</p><p>Gostev said Apple knew about the threat "for months" but did little to protect OS X users from the Java flaw. The same flaw in Windows and Linux machines had been patched months ago.</p><p>The infection makes it one of the largest in Apple's history. Kaspersky said around 98 per cent of the 600,000 machines infected with the Flashback malware run OS X. Of those, around 47,000 are based in the UK.</p><p>While Oracle, which develops Java, issued a patch for Windows and Linux machines around three months ago, Apple patches the Java implementation on OS X itself and only issued a fix earlier this month. This meant Mac users were left exposed to the infection for much longer than users of other operating systems.</p><p>"The three-month delay in sending a security update was a bad decision on Apple's part," said Gostev. 
"Apple knew about this Java vulnerability for three months, and yet neglected to push through an update in all that time."</p><p>He added that the problem was exacerbated by the "myth" of Apple computers being "malware free".</p><p>"Too many users are unaware that their computers have been infected, or that there is a real threat to Mac security," said Gostev.</p><p>Apple said that while the vulnerability had been patched, it is still "developing software that will detect and remove the Flashback malware". At the time of writing the Cupertino-based company was yet to release the malware removal tool.</p><p>In the meantime, Apple has advised users to disable Java in their browser preferences and is said to be liaising with ISPs around the world to deactivate the botnet's command and control network.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Trojan targets Mac OS X Lion anti-malware ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/636847/trojan-targets-mac-os-x-lion-anti-malware</link>
                                                                            <description>
                            <![CDATA[ F-Secure finds a nasty piece of malware that disables Lion OS defences. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">bdSVTmZfXkvpRSCKZa2wnx</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/RVGfgmtdyvgw9HGuQBjibh-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 20 Oct 2011 11:00:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Miya Knights ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/RVGfgmtdyvgw9HGuQBjibh-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Mac OS X Lion]]></media:description>                                                            <media:text><![CDATA[Mac OS X Lion]]></media:text>
                                <media:title type="plain"><![CDATA[Mac OS X Lion]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/RVGfgmtdyvgw9HGuQBjibh-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A mutated version of a Trojan designed to incapacitate Mac OS X Lion anti-malware has been found, <a href="http://www.f-secure.com" target="_blank" rel="nofollow">F-Secure Security Labs</a> revealed yesterday.</p><p>Its recent analysis found Trojan-Downloader:OSX/Flashback.C can disable the automatic updater component of XProtect, the built-in OS X anti-malware application Apple provides in its operating system.</p><p>The research lab first discovered Trojan-Downloader:OSX/Flashback.A in September, posing as a Flash Player installer.</p><p>But the latest iteration of the Trojan also targets the update facility of XProtect that enables the automatic update of malware definitions, rendering it useless and the OS vulnerable to new, undefined attack vectors.</p><p>"Attempting to disable system defences is a very common tactic for malware and built-in defences are naturally going to be the first target on any computing platform," wrote F-Secure researchers in a <a href="http://www.f-secure.com/weblog/archives/00002256.html" target="_blank" rel="nofollow">blog post</a>.</p><p>Flashback.C works by decrypting the .plist file and binary paths of XProtectUpdater hardcoded in its body. The malware then drops the XProtectUpdater daemon, enabling the malware to overwrite both files with a specified character.</p><p>F-Secure found these actions wipe out certain key files required by XProtect to automatically receive future updates.</p><p>The security firm advised users to run virus and malware scans to find the particular infected files and eliminate Flashback.C. It also detailed the way to remove a specific entry from two files located within Safari and Firefox .plist files.</p><p>Flashback.B, <a href="http://www.f-secure.com/weblog/archives/00002251.html" target="_blank" rel="nofollow">discovered last week</a>, performs a "vmcheck" and aborts itself if virtualised instances of OS X are found. 
Apple introduced its virtual client capability with the release of Lion <a href="https://www.itpro.com/633994/apple-launches-mac-os-x-lion" target="_blank" data-original-url="https://www.itpro.com/633994/apple-launches-mac-os-x-lion">earlier this year</a>.</p><p>The security firm said at the time that the move was designed to anticipate and hamper researchers' efforts to use virtualised environments during analysis as the <a href="https://www.itpro.com/627904/mac-os-vulnerabilities-skyrocket" target="_blank" data-original-url="https://www.itpro.com/627904/mac-os-vulnerabilities-skyrocket">number of Mac-targeted threats continues to grow</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Super smart social threats running wild ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/635230/super-smart-social-threats-running-wild</link>
                                                                            <description>
                            <![CDATA[ In one week, a very clever piece of social engineering is spotted, it emerges Facebook phishing is rising and thousands of Twitter users are hacked. Just what's going on? ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">7mJH1XSP32RTbnNZx3WpAM</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/voh9dvnUCwtzcra3pebkvX-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 27 Jul 2011 14:39:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Tom Brewster ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/voh9dvnUCwtzcra3pebkvX-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Social network]]></media:description>                                                            <media:text><![CDATA[Social network]]></media:text>
                                <media:title type="plain"><![CDATA[Social network]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/voh9dvnUCwtzcra3pebkvX-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>ANALYSIS A number of developments this week have not only confirmed scams on social sites are massively widespread, they've established the cyber criminals behind them are getting awfully clever.</p><p>As almost every security expert under the sun predicted towards the end of last year, social networks are getting cluttered with scammers looking to make an easy buck.</p><p>Those experts may not have banked on such sophistication, however. Today, BitDefender released info on what may be the smartest piece of social engineering seen yet.</p><p>It leverages two Web 2.0 services, YouTube and <a href="https://www.itpro.com/635131/pfizers-facebook-hacked-in-antisec-hit" target="_blank" data-original-url="https://www.itpro.com/635131/pfizers-facebook-hacked-in-antisec-hit">Facebook</a>, to trick users into downloading <a href="https://www.itpro.com/635194/aggressive-polymorphic-malware-doubles-in-july" target="_blank" data-original-url="https://www.itpro.com/635194/aggressive-polymorphic-malware-doubles-in-july">malware</a>.</p><p>Known as Trojan.FakeAV.LVT, it attempts to trick Facebook users into believing a video about them has been posted on YouTube.</p><p>Simple, no? But here's where the cyber criminals get cunning, as they've managed to add comments to supplement the video which appear to be from the target's Facebook buddies.</p><p>The video itself even has the target's full name in the title, as spelt on their Facebook profile.</p><p>Once the target tries to watch the video, they are prompted to install what is purportedly an 'updated version' of Flash. 
Of course, the download contains nothing of the sort: it carries fake anti-virus software containing both a malware downloader and botnet capabilities to further the propagation of the threat.</p><p>The criminals' guile doesn't stop there. The fake anti-virus can impersonate the look and feel of 16 different legitimate security solutions currently on the market. Once installed, the fake AV removes the real product and the victim is infected. Cunning stuff.</p><p>"Trojan.FakeAV.LVT takes social engineering to a whole new level by presenting the user with extremely convincing scenarios at each stage of the process," said Catalin Cosoi, head of the BitDefender Online Threats Lab.</p><p>"Trojan.FakeAV.LVT is deceptively clever as it is capable of replicating almost any anti-virus or online security software on the market today. To guard against these cunning new threats, BitDefender recommends downloading Flash-related updates through the Adobe website, instead of through a redirect link. If you're unsure whether the video is legitimate, it's best to go directly to YouTube and search for the video's existence."</p><p>Facebook phishing frenzy and terrible tweets</p><p>Malicious hackers have been filling Facebook with their illicit ideas as well.</p><p>There was a significant rise in phishing attacks on Facebook in June, with a 4.07 per cent increase, Kaspersky pointed out this week. Facebook is now the third most phished website.</p><p>Twitter, meanwhile, has seen thousands of users compromised, with hackers trying to spread the word about a weight loss supplement. 
The old Acai Berry diet scam is still doing the rounds, it seems, with typical tweets reading: "Get the beach body you've always wanted, now you can with this weight loss supplement."</p><p>Sophos said it was unclear how the accounts had actually been compromised, but nonetheless advised affected users to change their passwords immediately.</p><p>Google+ looks set to be yet another playground for hackers too.</p><p>"We expect an increase in unsolicited emails exploiting the new Google social network," said Maria Namestnikova, senior spam analyst at Kaspersky Lab.</p><p>"They will most likely contain both phishing links and malicious code."</p><p>If cyber criminals continue to get ever more convincing in their scams, as in the YouTube fake AV exploit above, a lot of users could be in trouble.</p><p>How should users counter these threats? The only real answer at the minute is to have decent levels of security, not just rely on heuristics-based anti-virus products, and to be aware of the kinds of tricks online crooks are capable of. There's little else that can help.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Gordon Brown claims malware used in NOTW hacking ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/634912/gordon-brown-claims-malware-used-in-notw-hacking</link>
                                                                            <description>
                            <![CDATA[ The former Prime Minister says Trojans were used by the now deceased tabloid as the hacking scandal rages on. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">6TMbWuXoAxBgGWSegzf5Kc</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/GGJ4rVbwFVdy3xnnVNC7gm-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 14 Jul 2011 11:19:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Tom Brewster ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/GGJ4rVbwFVdy3xnnVNC7gm-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Gordon Brown]]></media:description>                                                            <media:text><![CDATA[Gordon Brown]]></media:text>
                                <media:title type="plain"><![CDATA[Gordon Brown]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/GGJ4rVbwFVdy3xnnVNC7gm-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Former Prime Minister Gordon Brown claimed yesterday the News of the World not only <a href="https://www.itpro.com/634798/week-in-review-phone-hacking-and-police-snooper-sackings" target="_blank" data-original-url="https://www.itpro.com/634798/week-in-review-phone-hacking-and-police-snooper-sackings">hacked phones</a>, but used <a href="https://www.itpro.com/634888/android-malware-threat-getting-real" target="_blank" data-original-url="https://www.itpro.com/634888/android-malware-threat-getting-real">malware</a> to steal information too.</p><p>During a <a href="http://www.youtube.com/watch?v=s05Yo4uY_rQ" target="_blank">House of Commons debate</a>, Brown said the News of the World had committed "new crimes with new names," including using "Trojans to break into computers and not just phones."</p><p>"It was not the misconduct of a few rogues or a few freelancers but, I have to say, lawbreaking often on an industrial scale - at its worst dependent on links with the British criminal underworld," Brown claimed.</p><p>"Amassed against these guiltless victims and against a succession of other victims of crime, whose names I know about and have seen and have yet to be made public, was the systematic use of base and unlawful methods."</p><p>Prime Minister David Cameron confirmed the criminal investigation into the News of the World phone hacking was fully underway, with a different team to the one which carried out the original investigation.</p><p>The police probe is being led by Deputy Assistant Commissioner Sue Akers, whose team is looking through 11,000 pages containing 3,870 names, and around 4,000 mobile and 5,000 landline phone numbers, Cameron said. There was no mention of investigations into computer hacking.</p><p>Eight arrests have been made so far, with "numerous interviews" undertaken as well.</p><p>"Clearly there are two pieces of work that have to be done. 
First, we need a full investigation into wrongdoing in the press and the police, including the failure of the first police investigation," the Prime Minister added.</p><p>"Secondly, we need a review of regulation of the press. We would like to get on with both those elements as quickly as possible, while being mindful of the ongoing criminal investigations."</p><p>A single inquiry into the hacking scandal will consist of two strands, Cameron confirmed.</p><p>Lord Justice Leveson will lead that inquiry, reporting to both the Home Secretary, Theresa May, and the Secretary of State for Culture, Media and Sport, Jeremy Hunt.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ SOCA and Virgin partner in SpyEye fight ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/634276/soca-and-virgin-partner-in-spyeye-fight</link>
                                                                            <description>
                            <![CDATA[ The troublesome SpyEye Trojan is being tackled head on by the Government body and the ISP. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">kzB9SnGPjGwWPSoeXdNiQh</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ycXts3vaFwuhQH3RqvAGSm-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 16 Jun 2011 15:54:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Tom Brewster ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ycXts3vaFwuhQH3RqvAGSm-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Malware]]></media:description>                                                            <media:text><![CDATA[Malware]]></media:text>
                                <media:title type="plain"><![CDATA[Malware]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ycXts3vaFwuhQH3RqvAGSm-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Serious Organised Crime Agency (SOCA) has joined forces with Virgin Media to help stop the spread of the dangerous SpyEye <a href="https://www.itpro.com/633976/android-droiddream-nightmare-continues" target="_blank" data-original-url="https://www.itpro.com/633976/android-droiddream-nightmare-continues">Trojan</a>.</p><p>As part of the campaign, SOCA has identified around 1,500 <a href="https://www.itpro.com/634231/westminster-council-establishes-pan-london-procurement-platform" target="_blank" data-original-url="https://www.itpro.com/634231/westminster-council-establishes-pan-london-procurement-platform">Virgin Media</a> customers infected with the SpyEye Trojan, which could place them at risk of identity theft or bank fraud.</p><p>Virgin has written to affected customers, offering them advice on how to remove the Trojan and help if they feel unable to take care of SpyEye themselves.</p><p>"SOCA works with a range of private sector partners to help prevent cyber criminals from exploiting legitimate businesses and their customers," said Lee Miles, SOCA head of cyber.</p><p>"We welcome steps taken within industry to utilise the information and resources provided by law enforcement and raise awareness of online safety."</p><p>SpyEye in the sky</p><p>Trusteer today revealed it had uncovered a SpyEye variant which targeted two leading European airline travel websites, Air Berlin and Airplus.</p><p>The former is the second biggest airline in Germany, the latter a business travel service.</p><p>"In the case of the Air Berlin attack, SpyEye is attempting to harvest confidential user information including username and password, and other data that is entered in the targeted web page," said Amit Klein, chief technology officer of Trusteer, in a <a href="http://www.trusteer.com/blog/spyeye-trojan-targets-airline-website-accepts-bank-debit-card-payments" target="_blank">blog post</a>.</p><p>"The injection code of SpyEye captures the 
information on username and password details."</p><p>In the AirPlus case, SpyEye targets users of the Lufthansa Miles & More Visa credit card, which offers travel bonuses.</p><p>"In this instance, SpyEye injects code into the users' web browser that claims to be an anti-fraud enhancement to the online," Klein added.</p><p>"In reality, of course, this is a cleverly-disguised attempt to phish user credentials from the unsuspecting customer of the AirPlus Web portal."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Android DroidDream nightmare continues ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/633976/android-droiddream-nightmare-continues</link>
                                                                            <description>
                            <![CDATA[ Android security fears escalate again thanks to researchers spotting more trojanised apps. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">b9fV6GqADbXfALum56w7Mu</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Ed43bUEE7NkpvFY2bExNhc-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 06 Jun 2011 12:28:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Tom Brewster ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Ed43bUEE7NkpvFY2bExNhc-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Android]]></media:description>                                                            <media:text><![CDATA[Android]]></media:text>
                                <media:title type="plain"><![CDATA[Android]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Ed43bUEE7NkpvFY2bExNhc-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A week after Google had to remove a host of apps infected with DroidDream malware, two major security firms have spotted further issues affecting <a href="https://www.itpro.com/633868/android-leads-market-share-and-data-use" target="_blank" data-original-url="https://www.itpro.com/633868/android-leads-market-share-and-data-use">Android</a>.</p><p>When the Lookout Security Team discovered 50 applications on the Android market infected with a "stripped down" version of DroidDream, they were delivered across five developer accounts.</p><p>Lookout estimated between 30,000 and 120,000 users were hit by DroidDreamLight when it reported on the situation in May.</p><p>Symantec said today it had found additional publisher accounts pushing out apps containing the so-called DroidDreamLight malware.</p><p>Those accounts have now been disabled, however, and Symantec said the actual threat from DroidDreamLight was not as significant as its predecessor.</p><p>"The key point to note is that even though the news of the return of 'Droid Dreams' has created a bit of a stir with approximate high download rates being quoted - due to the fact that the threat was available through official channels - unlike its predecessor, this threat does not carry out any system level exploits and does not require the infected user to carry out any complex steps to restore the device back to the pre-infection state," Symantec explained in a <a href="http://www.symantec.com/connect/blogs/droid-dreams-reoccurring-nightmare-android-users" target="_blank">blog post</a>.</p><p>"At its core, Android.Lightdd is a downloader Trojan, but with certain caveats. 
The threat is subject to the Android security model, therefore any download attempts will not work, as long as the user does not consent to the installation of the suggested app."</p><p>In March, Google promised to up its security game after <a href="https://www.itpro.com/631657/google-promises-better-android-security-after-droiddream" target="_blank" data-original-url="https://www.itpro.com/631657/google-promises-better-android-security-after-droiddream">over 50 DroidDream infected apps</a> were found on the Android Market and subsequently removed.</p><p>Kung Fu Droid</p><p>But security fears surrounding Android have not subsided this week.</p><p>F-Secure discovered another piece of Android malware using a root exploit and delivered inside an application, which it detected as Trojan:Android/DroidKungFu.A.</p><p>The malware could delete specific files on infected devices, or even run certain apps on a phone or tablet, F-Secure said in a <a href="http://www.f-secure.com/weblog/archives/00002177.html" target="_blank">blog post</a> today.</p><p>It could also harvest information, including users' mobile number, phone model and IMEI number.</p><p>Researchers at North Carolina University also spotted DroidKungFu on more than eight third-party Android app stores and forums based in China.</p><p>The researchers claimed the malware could avoid detection by mobile anti-virus software, whilst doing some "nasty" things.</p><p>"In Android versions 2.2 (Froyo) and earlier, DroidKungFu takes advantage of two vulnerabilities in the platform software to install a backdoor that gives hackers full control of your phone," a <a href="http://web.ncsu.edu/abstract/technology/wms-droidkungfu" target="_blank">post</a> on the university's website read.</p><p>"Not only do they have access to all of your user data, but they can turn your phone into a bot and basically make your smartphone do anything they want."</p><p>Trojanised apps featuring DroidKungFu have not been spotted on the official 
Android Market.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Over 150 French Government systems hacked ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/631687/over-150-french-government-systems-hacked</link>
                                                                            <description>
                            <![CDATA[ Hackers use a Trojan to compromise more than 150 French Ministry of Finance computers. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">o6LU5s4ic7K1i9xtbZFWQY</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/XeSMyFTP69nCUcpqntq5TJ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 07 Mar 2011 16:24:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Tom Brewster ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/XeSMyFTP69nCUcpqntq5TJ-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[France]]></media:description>                                                            <media:text><![CDATA[France]]></media:text>
                                <media:title type="plain"><![CDATA[France]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/XeSMyFTP69nCUcpqntq5TJ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The French Ministry of Finance was hit by an unprecedented cyber attack in December, with over 150 computers compromised, according to reports.</p><p>Hackers got their hands on documents related to the current French presidency of the G20 and international economic affairs, <a href="http://www.parismatch.com/Actu-Match/Societe/Actu/Affaire-d-espionnage-a-Bercy-par-des-hackers-et-des-sites-chinois-258213" target="_blank">Paris Match</a> reported.</p><p>Patrick Pailloux, the executive director of l'ANSSI (Agence Nationale de la Securite des Systemes d'Information), said it was the first time the French state had been targeted by an attack of this scale.</p><p>Pailloux also revealed other French Government departments had been targeted.</p><p>The hackers used a Trojan to infiltrate systems, having sent emails to French Government workers, using what appeared to be standard social engineering tactics.</p><p>Pailloux said an operation had been carried out to improve defences at the Government department.</p><p>There have been rumblings the attack came from China, although no solid proof has emerged.</p><p>"I can say that we know of hacker groups in China specialising in this sort of attack and claiming to be funded directly or indirectly by the military and/or government," David Harley, senior research fellow at ESET, told <em>IT PRO</em>.</p><p>"Hopefully, the French Finance Ministry has technical measures in place to counter malicious software, whether it's AV or a more multi-layered approach."</p><p>Other experts said the hack proved targeted attacks against Government organisations have become more commonplace in recent times.</p><p>"Often designed to sneak access to sensitive files, the cyber perpetrators are often professionals seeking access to specific pieces of information," said Mark Darvill, director of security firm AEP Networks, which works with Governments, as well as the military and businesses.</p><p>"Without a 
scaled-up approach to cyber defence, national security is left open to compromise and sensitive information is at the mercy of those who have the technical knowledge to launch these targeted attacks," he said.</p><p>Last month, Foreign Secretary William Hague said the <a href="https://www.itpro.com/630757/uk-government-hit-by-trojan" target="_blank" data-original-url="https://www.itpro.com/630757/uk-government-hit-by-trojan">UK Government had been hit by the infamous Zeus Trojan</a>.</p><p>Targets were also sent emails containing a link to the Trojan, indicating the attack techniques used against the French and UK Governments were almost identical.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Sneaky Android threats still rising ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/631480/sneaky-android-threats-still-rising</link>
                                                                            <description>
                            <![CDATA[ Android threats are becoming increasingly prevalent, Symantec warns, with one notable piece of malware hiding in a Steamy Window app. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">vypXmZHYbi9dmhNWQt7AxW</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/hFAakwM9vVV6eRaz9qzZ6K-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 01 Mar 2011 12:07:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Tom Brewster ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/hFAakwM9vVV6eRaz9qzZ6K-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Android]]></media:description>                                                            <media:text><![CDATA[Android]]></media:text>
                                <media:title type="plain"><![CDATA[Android]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/hFAakwM9vVV6eRaz9qzZ6K-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Android malware is still on the rise as hidden threats become an increasing concern, according to security giant Symantec.</p><p>There are some particularly nasty new threats emerging within apps, in particular a Trojan known as Android.Pjapps, which has been propagating through compromised versions of legitimate applications.</p><p>One application where the Android.Pjapps code has been seen hiding is known as Steamy Window.</p><p>"Similar to other compromised Android applications, it is difficult to differentiate the legitimate version from the malicious one once it is installed," explained Mario Ballano, a Symantec researcher, in a <a href="http://www.symantec.com/connect/blogs/android-threats-getting-steamy" target="_blank">blog</a> post.</p><p>In the illegitimate version, permissions included access to both SMS messages and personal data, Ballano explained.</p><p>Both the legitimate and malicious versions of the app mimic a steam effect on the Android device's screen, but the latter can install applications, navigate to websites, add bookmarks to the user's browser, send SMS messages and block text message responses.</p><p>"The aim of Android.Pjapps is to build a botnet controlled by a number of different Command and Control (C&C) servers," Ballano continued.</p><p>"The threat registers its own service to operate in the background without the user noticing. The service will be started whenever the signal strength of the infected mobile changes."</p><p>Android.Pjapps then attempts to connect to a C&C server to register the infection.</p><p>"It then awaits a response, and if commanded it will send a message with the infected device's IMEI number to a mobile number," the researcher explained.</p><p>"This mobile number is meant to be controlled by the attacker. By using this technique the attacker hides his identity within the cloud."</p><p>Once an attacker has control, they can send commands to the phone. 
One appears to be able to force the user's phone to send text messages to premium rate numbers, whilst another carries out SMS spamming.</p><p>"Looking at the threat's capabilities we believe it has been designed to push advertisement campaigns and to reap the benefits from compromised devices using third-party, premium-rate services," Ballano added.</p><p>Towards the end of last year, research found malware aimed at Google's Android mobile operating system <a href="https://www.itpro.com/629452/malware-targeting-google-android-quadruples-in-2010" target="_blank" data-original-url="https://www.itpro.com/629452/malware-targeting-google-android-quadruples-in-2010">rose fourfold in 2010</a>, compared to 2009.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ OddJob Trojan hijacking banking sessions ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/631315/oddjob-trojan-hijacking-banking-sessions</link>
                                                                            <description>
                            <![CDATA[ The OddJob Trojan has been seen hijacking banking sessions and stealing funds across the globe. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">51suoYQqDx5hRrfHiwVVr2</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/yo8NbymjZ5XhN48YHNvxVm-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 22 Feb 2011 16:25:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Tom Brewster ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/yo8NbymjZ5XhN48YHNvxVm-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Bond]]></media:description>                                                            <media:text><![CDATA[Bond]]></media:text>
                                <media:title type="plain"><![CDATA[Bond]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/yo8NbymjZ5XhN48YHNvxVm-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A financial Trojan able to hijack online banking sessions has been spotted.</p><p>Trusteer named the new piece of malware OddJob, noting how it could keep banking sessions going even after customers believed they had logged off.</p><p>OddJob was used to log requests, grab full pages, terminate connections and inject data into web pages, with all activity relayed to a command and control server.</p><p>The malware was able to get hold of session ID tokens, which were used by banks to identify legitimate users, giving cyber criminals the cover they needed.</p><p>According to Trusteer, the most significant difference between OddJob and standard pieces of malicious software is that the former only requires the hacker to ride on an existing session, rather than logging into specific online banking computers.</p><p>The hackers, based in Eastern Europe, hit financial institutions in the US, Poland and Denmark.</p><p>However, the malware could easily be used to acquire funds from any country, explained Amit Klein, Trusteer's chief technology officer, who described OddJob as "fairly exceptional."</p><p>"We definitely expect it to spread across Europe, into the UK etc," he said.</p><p>Klein said the most impressive aspect of OddJob was its speed of evolution, telling <em>IT PRO</em> it will definitely improve as time goes on.</p><p>"The malware is still under development. [In the future] we don't expect to see what we see right now," Klein added.</p><p>OddJob has been seen spreading via drive-by downloads, where users head to a booby-trapped website and have malware installed on their systems without any knowledge of it.</p><p>Klein said Trusteer had been unable to report on OddJob until now due to ongoing investigations, although these have now come to a close.</p><p>The most well-known financial Trojan in the security industry is Zeus. 
Foreign Secretary William Hague recently admitted the UK Government <a href="https://www.itpro.com/630757/uk-government-hit-by-trojan" target="_blank" data-original-url="https://www.itpro.com/630757/uk-government-hit-by-trojan">had been targeted by the notorious malware</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Adobe targeted malware spikes ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/630763/adobe-targeted-malware-spikes</link>
                                                                            <description>
                            <![CDATA[ Malware targeting Adobe Reader surges in January, GFI says. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">t1VUveETn48KqvQqk8BroZ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/HfYFEncWM9uHp9FQ5xJLE8-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 07 Feb 2011 15:19:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Tom Brewster ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/HfYFEncWM9uHp9FQ5xJLE8-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Adobe Reader]]></media:description>                                                            <media:text><![CDATA[Adobe Reader]]></media:text>
                                <media:title type="plain"><![CDATA[Adobe Reader]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/HfYFEncWM9uHp9FQ5xJLE8-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>There has been a spike in malware taking aim at vulnerabilities in Adobe Reader and the .pdf file format, a report has indicated.</p><p>In GFI Software rankings, two of the top 10 detections for January were aimed at exploiting holes within Adobe software.</p><p>Adobe has had to <a href="https://www.itpro.com/627946/adobe-zero-day-flaw-code-published" target="_blank" data-original-url="https://www.itpro.com/627946/adobe-zero-day-flaw-code-published">deal with a wide range of threats</a> in recent times, although 2011 appeared to have been fairly quiet so far.</p><p>At the time of publication, Adobe had not responded to a request for comment on the findings.</p><p>Adobe pushed out an <a href="http://www.adobe.com/support/security/bulletins/apsb11-03.html" target="_blank">advisory</a> earlier this month for updates covering a number of critical flaws.</p><p>The software affected included Reader X, or 10.0, for Windows and Macintosh, Reader 9.4.1 and earlier versions for Windows, Macintosh and UNIX, Adobe Acrobat X, or 10.0, for Windows and Mac, as well as Acrobat 9.4.1 and earlier versions for Windows and Macintosh.</p><p>The company said it expects to push out the updates for Windows and Mac users tomorrow, the same day as Patch Tuesday.</p><p>Elsewhere in GFI's top 10 malware list, Trojans yet again dominated with seven entries, representing nearly 34 per cent of all malware detections for the month.</p><p>The security firm also spotted an increase in the prevalence of the FakeVimes family of rogue security products, of which there are around 17 different members.</p><p>The fake antivirus situation was only exacerbated by a scam that spread across Twitter in January.</p><p>Accounts started distributing messages promoting rogue software and it is unknown how many users were duped.</p><p>"Another indicator of increased rogue activity is the fact that we discovered, and blogged about, 22 new rogues on the GFI Rogue Blog in January," 
said Tom Kelchner, communications and research analyst for GFI Software.</p><p>"That's a lot for one month, considering we've seen an average of between 13 and 14 new iterations per month for the last three years."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ UK Government hit by Trojan ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/630757/uk-government-hit-by-trojan</link>
                                                                            <description>
                            <![CDATA[ Foreign Secretary William Hague admits to the attack which took place in December. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">wmFD9bDktt33apsU7Lrkpf</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/r7b94T9ibkbUJaWBpWpKfP-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 07 Feb 2011 14:19:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Public Sector]]></category>
                                                    <category><![CDATA[Business]]></category>
                                                                                                                    <dc:creator><![CDATA[ Alvaro Guzman ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/r7b94T9ibkbUJaWBpWpKfP-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Trojan]]></media:description>                                                            <media:text><![CDATA[Trojan]]></media:text>
                                <media:title type="plain"><![CDATA[Trojan]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/r7b94T9ibkbUJaWBpWpKfP-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The UK Government has become the latest in line to suffer from a <a href="https://www.itpro.com/630688/zeus-spreads-giant-arms-wider" target="_blank" data-original-url="https://www.itpro.com/630688/zeus-spreads-giant-arms-wider">Zeus cyber-attack</a>, Foreign Secretary William Hague has admitted.</p><p>The attack happened in late December, according to Hague, who made his comments at the 47th Munich Security Conference. It was contained in a series of emails that allegedly came from the White House with a link that downloaded a variant of Zeus, Hague said.</p><p>"The UK Government was targeted in this attack and a large number of emails bypassed some of our filters," Hague said. "Our experts were able to clear up the infection, but more sophisticated attacks such as these are becoming more common."</p><p>Hague offered to host a <a href="https://www.itpro.com/630082/cyber-security-challenge-finalists-unveiled" target="_blank" data-original-url="https://www.itpro.com/630082/cyber-security-challenge-finalists-unveiled">cyber security</a> conference in the summer to "explore mechanisms for giving cyber standards real political and diplomatic weight."</p><p>Although Hague praised the internet as having incredible economic potential, he also warned there was a darker side to cyber space that arose from our dependence on it.</p><p>"We believe that the time has come to seek international agreement about norms in cyberspace," Hague said.</p><p>"We believe there is a need for a more comprehensive, structured dialogue to begin to build consensus among like-minded countries and to lay the basis for agreement on a set of standards on how countries should act in cyber space."</p><p>The Foreign Secretary also detailed two other attacks the UK Government had suffered lately. 
One of those was an attempt to steal information concerning the UK's nuclear Trident programme, whilst the other came from a nonexistent Foreign Office employee who was really a hostile state intelligence agency.</p><p>The message, Hague said, "contained computer code embedded in the attached document that would have attacked their machine."</p><p>"Luckily, our systems identified it and stopped it from ever reaching my staff."</p><p>However, Hague couldn't say the same about the Zeus Trojan.</p><p>No further official comments have been made following Hague's words last week.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Third of all malware created in 2010 ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/629794/third-of-all-malware-created-in-2010</link>
                                                                            <description>
                            <![CDATA[ PandaLabs’ annual report claims a third of all malware ever made was created last year. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">eLTUAnjry9UCcYpP8gR7i6</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/YjmPEtjyKHeWHqZxa4ttZB-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 05 Jan 2011 17:33:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Paul Briden ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/YjmPEtjyKHeWHqZxa4ttZB-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cyber crime]]></media:description>                                                            <media:text><![CDATA[Cyber crime]]></media:text>
                                <media:title type="plain"><![CDATA[Cyber crime]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/YjmPEtjyKHeWHqZxa4ttZB-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Last year saw the creation of 34 per cent of all malware which has ever existed, according to online security firm <a href="https://www.itpro.com/623914/fear-and-loathing-in-the-mariposa-aftermath" target="_blank" data-original-url="https://www.itpro.com/623914/fear-and-loathing-in-the-mariposa-aftermath">PandaLabs</a>.</p><p>Statistics released by the company as part of its Annual Security Report 2010 also revealed the biggest threat still comes from Trojans, which comprised 55.91 per cent of the surveyed malware.</p><p>The data from PandaLabs also showed spyware made up less than one per cent of malicious software online, whilst 11.6 per cent was fake antivirus software known as 'rogueware'.</p><p>PandaLabs said <a href="https://www.itpro.com/624202/outbound-spam-a-big-concern-for-users" target="_blank" data-original-url="https://www.itpro.com/624202/outbound-spam-a-big-concern-for-users">email spam</a> had still been a major problem in 2010, forming around 95 per cent of all email traffic globally. However, within the year, the figure dropped to 85 per cent.</p><p>The survey cited proactive measures such as the dismantling of botnets as helpful to the reduction, saying this had reduced the number of computers being used as zombies to send out spam remotely.</p><p>The report noted that, as both social networking sites and smartphones continued to grow in popularity in 2010, hackers had been seen to further exploit them, using fake websites and apps.</p><p>It was also a year in which cyber-terrorism and cyber-activism, or 'hacktivism', emerged as serious concerns. 
Most notably, these included the <a href="https://www.itpro.com/627160/stuxnet-much-more-sophisticated-than-aurora" target="_blank" data-original-url="https://www.itpro.com/627160/stuxnet-much-more-sophisticated-than-aurora">Stuxnet worm</a> attacking nuclear plants in Iran, the Operation Aurora Trojans launched at large multinationals and the various activities of the <a href="https://www.itpro.com/629011/hackers-launch-ddos-attacks-in-pirate-bay-rage" target="_blank" data-original-url="https://www.itpro.com/629011/hackers-launch-ddos-attacks-in-pirate-bay-rage">Anonymous hacker group</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Week in review: Virus hits Iran nuclear power plant, Ballmer bonus woes ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/627373/week-in-review-virus-hits-iran-nuclear-power-plant-ballmer-bonus-woes</link>
                                                                            <description>
                            <![CDATA[ The past week was filled with intrigue, action and big money as a virus hits an Iranian nuclear power plant, the British police crack down on the Zeus online bank thieves and Microsoft CEO Steve Ballmer misses out on a wad of cash. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">iWkBcDUYy9jtQ5NAz4t3rv</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/dULpYeBDgidyMJexJyoeWW-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 01 Oct 2010 15:04:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Antivirus]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Alan Lu ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/dULpYeBDgidyMJexJyoeWW-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Week in review]]></media:description>                                                            <media:text><![CDATA[Week in review]]></media:text>
                                <media:title type="plain"><![CDATA[Week in review]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/dULpYeBDgidyMJexJyoeWW-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Send it to my screen</p><p>In a series of events straight out of an episode of 24, or perhaps a dodgy Tom Clancy potboiler, the Stuxnet worm has apparently <a href="https://www.itpro.com/627223/stuxnet-hits-iran-nuclear-plant" target="_blank" data-original-url="https://www.itpro.com/627223/stuxnet-hits-iran-nuclear-plant">infected several computers</a> at the Bushehr nuclear power plant in Iran. Given the sophistication of the malware attack, speculation is rampant that the infestation may have been secretly orchestrated by Israel in an attempt to derail the Islamic Republic's controversial nuclear program. Security experts worry that this attack could be just the start of more politically-motivated, government-sponsored cyber attacks between rival nations.</p><p>The bank job</p><p><a href="https://www.itpro.com/627286/19-arrested-in-zeus-bank-fraud-bust" target="_blank" data-original-url="https://www.itpro.com/627286/19-arrested-in-zeus-bank-fraud-bust">British police have arrested</a> 19 people suspected of being behind the Zeus Trojan botnet. Thousands of personal computers in the UK were apparently infected with malicious code which stole passwords and compromised online bank accounts, allowing the alleged thieves to steal millions of pounds.</p><p>Aside from panicking Daily Mail readers, the Zeus incident shows just how important it is to take sensible security precautions when using your computer. These include running up-to-date anti-virus software, not clicking on links in dodgy-looking emails, wearing tin foil hats and watching reruns of The Sweeney and The Bill while doing your online banking.</p><p>Ballmer Bonus boo-hoo</p><p>In its latest report to the US Securities and Exchange Commission, the body that regulates the American stock markets among other things, Microsoft has revealed that Steve Ballmer received a bonus of $670,000 for the fiscal year ending 30 June. 
Although this is equal to his basic salary, it's only half of what he could have received.</p><p>Our hearts bleed out in sorrow at the thought of what Ballmer is missing out on as a result of his puny bonus. According to the report, Ballmer missed out on the extra pocket money due to the embarrassing flop that was the Kin smartphone, consumers inexplicably dumping Windows Mobile smartphones for rival devices and the lack of a response to the success of the iPad.</p><p>Perhaps Steve could earn some extra cash with his <a href="http://www.youtube.com/watch?v=wvsboPUjrGc" target="_blank">groovy dancing skills?</a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Zeus targets mobile banking authentication ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/627268/zeus-targets-mobile-banking-authentication</link>
                                                                            <description>
                            <![CDATA[ A new Zeus variant has been seen trying to steal mobile authentication numbers from online bankers. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">oEV7N9oLQSSxn7q7ptwU8v</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/PmTJvFeK5AbYp4s4NVUC36-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 28 Sep 2010 13:14:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Mobile Phones]]></category>
                                                    <category><![CDATA[Hardware]]></category>
                                                                                                                    <dc:creator><![CDATA[ Tom Brewster ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/PmTJvFeK5AbYp4s4NVUC36-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Mobile]]></media:description>                                                            <media:text><![CDATA[Mobile]]></media:text>
                                <media:title type="plain"><![CDATA[Mobile]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/PmTJvFeK5AbYp4s4NVUC36-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A <a href="https://www.itpro.com/622609/new-zeus-trojan-targets-firefox-online-banking-users" target="_blank" data-original-url="https://www.itpro.com/622609/new-zeus-trojan-targets-firefox-online-banking-users">Zeus</a> Trojan has been created that is designed to acquire the authentication numbers sent to mobile phones to complete banking transactions.</p><p>Even if hackers manage to gain access to a bank account by obtaining a username and password, in some cases they will still require an mTAN - a mobile transaction authentication number, sent via SMS.</p><p>In this case, however, a Zeus variant was seen launching a webpage during online banking sessions, where the user was forced to enter information about their mobile phone, including its model and number.</p><p>Then an SMS was sent to the online banker containing a link purporting to be for a security download, when in reality it was for a malicious application.</p><p>Once installed, the app monitored all incoming text messages, including those from a bank, allowing the cyber criminals to get hold of the mTAN.</p><p>The findings were initially made public by <a href="http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html" target="_blank">S21sec</a>, a digital security services company, but now <a href="http://www.f-secure.com/en_UK" target="_blank">F-Secure</a> has backed the research.</p><p>The malicious application can run on BlackBerry and Symbian devices. 
In the latter case, the malicious file is sold as a "Nokia update" and affects S60 3rd Edition mobile phones, F-Secure said.</p><p>S21sec said it has been in contact with mobile providers to help identify infected phones.</p><p>Having analysed the Zeus variant, F-Secure added that it appears to be the work of people with "an excellent understanding" of mobile applications and social engineering.</p><p>Sean Sullivan, F-Secure's chief security advisor, said his firm believes a number of customers will have been infected in Spain, as this is where the Trojan was identified, but he is interested to see if similar attacks hit the UK and elsewhere.</p><p>"I think [S21sec has] found this actually by backtracking from banking customers," Sullivan explained to <em>IT PRO</em>.</p><p>"I think the goal [was to] hit a number of key accounts, target some prime accounts that actually have hundreds of thousands."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Rogue anti-virus crooks hone sales skills ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/626455/rogue-anti-virus-crooks-hone-sales-skills</link>
                                                                            <description>
                            <![CDATA[ Cyber criminals seem to have improved their sales skills as fake anti-virus comparison services have been spotted. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">dxJrfyy3jReVCcRHkc7k8i</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/J5RcA7W6DLV9TM7cbf4Y2V-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 27 Aug 2010 12:19:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Tom Brewster ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/J5RcA7W6DLV9TM7cbf4Y2V-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Fake AV]]></media:description>                                                            <media:text><![CDATA[Fake AV]]></media:text>
                                <media:title type="plain"><![CDATA[Fake AV]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/J5RcA7W6DLV9TM7cbf4Y2V-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Cyber criminals have tried to dupe users into downloading rogue anti-virus software using a fake comparison service.</p><p>A new Trojan has been spotted by <a href="http://www.sunbeltsoftware.com" target="_blank">Sunbelt Software</a>, offering a range of fake security products, rather than just one as is typical with such attacks.</p><p>The Trojan opened a window with the heading "Microsoft Security Essentials Alert" and four buttons to choose from, all of which led to a website offering a comparison service between different products, noted Sunbelt Software researcher Tom Kelchner.</p><p>A selection of security products appeared on the list, with legitimate ones seemingly unable to identify malware supposedly infecting the user's computer.</p><p>Four of the products, all of which were fake, managed to find malicious files and also claimed to be free.</p><p>The names of the fake products included Red Cross Antivirus, Peak Protection 2010, Major Defense Kit and Pest Detector 4.1.</p><p>"You know the drill. 
Although the installs are 'free', they pop up scary warnings that your machine is infected, but don't remove the threats until you pay," Kelchner said in a <a href="http://sunbeltblog.blogspot.com/2010/08/new-trojan-offers-choice-of-rogue.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SunbeltBlog+%28Sunbelt+BLOG%29" target="_blank">blog</a>.</p><p>The rogue products installed themselves on victims' computers as antispy.exe and tmp.exe files.</p><p>"The install reboots your computer, kills Windows Explorer (which is what displays your desktop) and leaves you with no icons on your desktop," Kelchner said.</p><p>It is possible to relaunch Explorer and restore the icons by using Task Manager, he advised.</p><p>Rogue causing ruin</p><p>Fake anti-virus products are still a hit with hackers, and <a href="http://www.sophos.com" target="_blank">Sophos</a> issued a warning yesterday of a major attack.</p><p>The illicit initiative attempted to lure potential victims into opening HTML files attached to a spam email.</p><p>If opened, the file would take users to a website using a malicious iFrame - a frame that allows different HTML documents to load on the same page.</p><p>This would then load scripts from other websites to help launch the fake anti-virus attack.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Malware indicated as Madrid air tragedy cause ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/626278/malware-indicated-as-madrid-air-tragedy-cause</link>
                                                                            <description>
                            <![CDATA[ The tragic Madrid air crash, which took the lives of 154 people, could have been partly caused by malware, a report has claimed. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">k9Wr35vsiukWv31k6SDk3z</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/84aYu4FULaB4ygmCtiXiLi-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 23 Aug 2010 12:28:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Tom Brewster ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/84aYu4FULaB4ygmCtiXiLi-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Virus]]></media:description>                                                            <media:text><![CDATA[Virus]]></media:text>
                                <media:title type="plain"><![CDATA[Virus]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/84aYu4FULaB4ygmCtiXiLi-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Malware could have played a significant part in the horrific 2008 Madrid air disaster that left 154 people dead, according to a Spanish newspaper.</p><p>An internal report by the plane's airline, Spanair, found that a central computer which recorded technical problems was not functioning correctly due to an infection, <a href="http://www.elpais.com/articulo/espana/ordenador/Spanair/anotaba/fallos/aviones/tenia/virus/elpepiesp/20100820elpepinac_11/Tes" target="_blank">El Pais</a> said.</p><p>This meant technical problems with the aircraft had not been picked up, the report claimed.</p><p>Other problems, which would not have been due to malware contamination, also went unnoticed, such as the plane taking off with its flaps and slats retracted.</p><p>However, if the Trojan infection had not been present, the flight may never have attempted to take off in the first place and the tragedy could have been avoided, the report suggested.</p><p>"We cannot confirm whether malware played a part, nor do we know which particular malware it could have been," Mikko Hypponen, F-Secure chief research officer, said.</p><p>"However, over the years, we have seen real-world infrastructure affected by computer problems. 
In most cases, this has been just a side effect; the malware behind the problem wasn't trying to take systems down, it just did," he added in a <a href="http://www.f-secure.com/weblog/archives/00002013.html" target="_blank">blog post</a>.</p><p>Malware, if it was present in the airline systems, was likely to have been just a contributory factor that led to the tragedy, not the main cause, according to Sophos senior technology consultant Graham Cluley.</p><p>"It's very probable that there will be found to be other contributing factors to what was a horrific accident beyond the malware infection by Trojan horses," Cluley added in a <a href="http://www.sophos.com/blogs/gc/g/2010/08/20/trojan-horse-suspected-contributing-2008-madrid-aircrash" target="_blank">blog</a>.</p><p>"However, next time someone tries to convince you that the people who write malware aren't really doing anyone any serious harm - remember this case."</p><p>The final report from crash investigators is due to be presented in December.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
            </channel>
</rss>