Microsoft IIS Servers Targeted by SessionManager Backdoor

Since March 2021, attacks on Microsoft IIS servers have used a new backdoor called "SessionManager," according to Kaspersky Lab researchers.

Victims of the backdoor

SessionManager, the malicious software that takes advantage of one of the ProxyLogon vulnerabilities in Exchange servers, poses as a module for Internet Information Services (IIS), the web server software built into Windows.

The 24 different targets were spread across Africa, South America, Asia, Europe, Russia, and the Middle East, and included political, military, and industrial institutions. To date, SessionManager variants have compromised 34 servers in total.

Because of the overlapping victims and the use of a common OwlProxy variant, the researchers attribute the attack to the GELSEMIUM threat actor.

Features supported by SessionManager:
  • Reading, writing, and deleting arbitrary files on the hacked server.
  • Remote execution of arbitrary commands and programs on the compromised server.
  • Creating connections to any network endpoint that the hacked server can reach, and reading from and writing to those connections.
The backdoor can also serve as a post-deployment tool, enabling operators to spy on the targeted environment, collect in-memory passwords, and introduce new malicious payloads.

Elements of the command and control code

Since its initial discovery in March 2021, ProxyLogon has drawn the interest of numerous malicious actors, and the most recent attack chain is no exception. The Gelsemium group took advantage of the flaws to drop SessionManager, a backdoor written in C++ that handles HTTP requests submitted to the server.

Once the malicious code receives the carefully constructed HTTP requests from the threat actors, it runs the instructions concealed in the requests before sending them to the server to be handled like any other request.

Additionally, the malware serves as a covert channel for spying, collects passwords stored in memory, and distributes other tools such as Mimikatz and a memory dump utility from Avast.

New Linux Malware Syslogk has a Clever Approach of Staying Undetected

Syslogk, a newfound clever form of Linux malware, installs a backdoor that remains hidden on the target device until its controller sends so-called 'magic packets' from anywhere on the internet. It is mostly based on Adore-Ng, a Chinese open-source kernel rootkit for Linux. 

Adore-Ng, which has been around since 2004, is a free open-source rootkit that gives an attacker complete control over an infected system. Syslogk can force-load its modules into the Linux kernel (versions 3.x are supported), hide folders, spoof files and network traffic, and ultimately load a backdoor named 'Rekoobe.'

How does the malware work?

Syslogk was originally discovered in early 2022, with the sample constructed for a specific kernel version – meaning it could be loaded without being forced – and the payload named PgSD93ql, which disguised it as a PostgreSQL file. 

"Rekoobe is a piece of code that has been placed in genuine servers," according to Avast security researchers. "In this case, it's embedded in a phony SMTP server that, when given a specially designed command, spawns a shell." 

The rootkit was created to hide its files, its processes, and its malicious payload from the list of running services, to deliver the malicious payload when it receives a specially constructed TCP packet, and to halt the payload when the attacker directs it to.

Rekoobe appears to be a harmless SMTP server, but it is built on an open-source project called Tiny SHell, so it contains a backdoor command for spawning a shell that allows it to run arbitrary instructions for data theft. Despite the restricted support for Linux kernel versions, Avast claims that combining Syslogk and Rekoobe in a bogus SMTP server gives an attacker a strong toolkit.

The Syslogk rootkit is yet another piece of highly evasive malware for Linux systems, joining the likes of Symbiote and BPFDoor, which both exploit the BPF system to monitor and dynamically change network traffic. Ransomware campaigns, crypto attacks, and other illicit data-theft activity are increasingly being launched against Linux systems and cloud infrastructure, making them attractive targets.
Syslogk is still in the early stages of development, so it is unclear whether it will become a wide-scale threat. However, given its stealth, its authors will almost certainly continue to release new and improved versions.

Hazardous Redirect Web Server Evokes Malicious Campaigns On Over 16,500 Sites

Parrot is a new traffic direction system (TDS) for online traffic redirection that runs on a few servers hosting over 16,500 sites belonging to government agencies, universities, adult platforms, and personal blogs. The service was reportedly also used in various cyber-attacks to divert victims to phishing sites or to sites that install malware on their systems. Reportedly, the redirection depends on individual user characteristics such as location, language, operating system, and browser.

TDS services are purchased by threat actors running malicious campaigns to filter incoming traffic and route it to a final destination that serves harmful material. Advertisers and marketers use TDS services legitimately, and most TDS services are used routinely by professionals in the marketing industry, which is why there are credible reports documenting how similar campaigns were executed in the recent past.

Avast threat researchers identified Parrot TDS while investigating a campaign called FakeUpdate, which distributes remote access trojans (RATs) through phony browser update alerts. The campaign appears to have begun in February 2022, but there are traces of Parrot activity dating back to October 2021.

"One of the primary differences between Parrot TDS and other TDS is its broad nature and a large number of possible victims," says Avast in the research. "Apart from servers hosting poorly secured CMS sites, such as WordPress sites, the hijacked websites we discovered appear to have nothing in common."

Avast services prevented more than 600,000 of its users from visiting these compromised sites in March 2022 alone, demonstrating the Parrot redirection gateway's huge reach. The majority of the people who were redirected were from Brazil, India, the United States, Singapore, and Indonesia. 

The operators accomplish this by redirecting victims to purpose-built URLs after profiling their network environment and software in detail. While the TDS may be primarily focused on the RAT campaign, security experts believe some of the affected servers also host various phishing sites.

Those landing sites look just like a genuine Microsoft login page and prompt visitors to enter their login credentials. The best strategy for web users to deal with malicious redirections is to keep an up-to-date internet security solution running at all times. Avast advises administrators of possibly compromised web servers to take the following steps:

  • Use an antivirus to scan all files on the webserver.
  • Replace all JavaScript and PHP files on the webserver with clean original copies.
  • Use the most recent CMS and plugin versions.
  • Look for cron jobs or other automatically executing processes on the webserver.
  • Always use unique and strong credentials for all services and accounts, and use two-factor authentication whenever possible.
  • Use some of the security plugins available for WordPress and Joomla.
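As an added illustration of the file-replacement and cron-inspection steps in the checklist above (example code, not Avast's), this script compares the JavaScript and PHP files in a web root against a sha256 manifest taken from a known-clean copy and lists readable cron entries. The manifest format, the directory layout and a Linux host with coreutils are assumptions.

```shell
#!/bin/sh
# Added example (not Avast's code). Assumes Linux with coreutils (sha256sum,
# find, awk, sort) and file paths without whitespace. Manifest format assumed:
# one "<sha256>  <relative path>" line per file, exactly as sha256sum prints it.

# build_manifest DIR OUT: hash every .js/.php file under DIR into OUT.
# Run this against a known-clean copy (fresh CMS install or pre-compromise
# backup), never against the suspect server itself.
build_manifest() {
  ( cd "$1" && find . -type f \( -name '*.js' -o -name '*.php' \) \
      -exec sha256sum {} + ) | LC_ALL=C sort -k2 > "$2"
}

# hash_of MANIFEST PATH: print the recorded hash for PATH, or nothing.
hash_of() {
  awk -v p="$2" '$2 == p { print $1; exit }' "$1"
}

# check_webroot DIR MANIFEST: print one line per deviation ("MODIFIED <path>",
# "ADDED <path>", "MISSING <path>") and return 1 if any JS/PHP file differs
# from the manifest, 0 if the web root matches it exactly.
check_webroot() {
  dir=$1; manifest=$2; status=0
  current=$(mktemp)
  build_manifest "$dir" "$current"
  # Files the clean copy had: are they missing or altered on the live server?
  while read -r h path; do
    cur=$(hash_of "$current" "$path")
    if [ -z "$cur" ]; then
      echo "MISSING $path"; status=1
    elif [ "$cur" != "$h" ]; then
      echo "MODIFIED $path"; status=1
    fi
  done < "$manifest"
  # Files on the live server that the clean copy never had (injected scripts,
  # redirect stubs, dropped PHP files).
  while read -r h path; do
    [ -n "$(hash_of "$manifest" "$path")" ] || { echo "ADDED $path"; status=1; }
  done < "$current"
  rm -f "$current"
  return $status
}

# list_cron_jobs: print every non-comment line from the cron files this user
# can read. Review anything unexpected, especially entries that run or fetch
# code from the web root or from a remote URL.
list_cron_jobs() {
  for f in /etc/crontab /etc/cron.d/* /etc/cron.hourly/* /etc/cron.daily/* \
           /var/spool/cron/crontabs/* /var/spool/cron/*; do
    [ -r "$f" ] || continue
    grep -HEv '^[[:space:]]*(#|$)' "$f" || true
  done
  return 0
}
```

Any MODIFIED or ADDED file should be replaced from the clean copy rather than hand-edited, since injected code is often appended to otherwise legitimate files.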

This Malware Generated $2 Million After Abusing 222,000 Windows Systems


Avast researchers published a report on Thursday regarding the discovery of a cryptocurrency mining malware that abuses Windows Safe mode and has likely generated more than 9,000 Monero coins (estimated today at around $2 million) after exploiting more than 222,000 Windows systems since 2018.

The latest version of Crackonosh, as Avast dubbed it, spreads through illegal and cracked copies of popular software also known as “warez” which is distributed on various torrent sites and forums.

The malware continues to infect systems worldwide, having affected 222,000 unique devices in more than a dozen countries since December 2020. As of May, the malware was still getting about 1,000 hits a day. The researchers have already spotted 30 different versions of the malware, the latest of which was released in November 2020.

According to Daniel Beneš, a malware analyst for antivirus maker Avast, the worst-hit region is the Philippines, with 18,448 victims; followed by Brazil (16,584); India (13,779); Poland (12,727); the United States (11,856); and the United Kingdom (8,946).

The researchers started investigating the threat after receiving reports that Crackonosh was disabling and uninstalling Avast's antivirus from infected devices. The company later discovered that Crackonosh was also disabling many other popular antivirus products, as well as Windows Defender and Windows Update, as part of an advanced set of anti-detection and anti-forensics tactics meant to allow the malware to remain undetected on infected hosts.

Once Crackonosh has weakened an infected host, it runs XMRig, a cryptocurrency miner that lets attackers mine Monero on the victim's hardware, to earn a profit from infected computers. Earlier this month, the company identified another crypto-miner named DirtyMoe, which infected more than 100,000 systems. The difference between the two was that DirtyMoe was primarily spread using an SMB worm and that its developer appears to be based in China rather than Europe.

“As long as people continue to download cracked software, attacks like these will continue and continue to be profitable for attackers. The key take-away from this is that you really can’t get something for nothing and when you try to steal software, odds are someone is trying to steal from you,” Beneš said.

DirtyMoe Botnet has Infected over 100,000 Windows Systems


More than 100,000 Windows systems have been infected with the DirtyMoe malware. According to cyber-security firm Avast, a Windows malware botnet thought to be managed out of China has surged this year, increasing from 10,000 infected systems in 2020 to more than 100,000 in the first half of 2021. The malware, which goes by the names DirtyMoe, PurpleFox, Perkiler, and NuggetPhantom, has been circulating since late 2017. 

Its main goal has been to infect Windows systems and mine cryptocurrency behind the users' backs, although the functionality to execute DDoS assaults was discovered in 2018. The botnet was a small-scale operation for the majority of its existence. Its authors mostly used email spam to get people to malicious websites that hosted the PurpleFox exploit kit. 

This web-based attack tool took advantage of browser vulnerabilities, most commonly in Internet Explorer, to install a rootkit component on unpatched Windows computers, giving the malware complete control over the affected host, which was then used for crypto-mining. This rootkit, also known as DirtyMoe, PurpleFox, Perkiler, and NuggetPhantom, was well known in the cyber-security field but was only considered a minor threat.

According to Avast, the DirtyMoe botnet had an annual average of a few hundred to a few thousand infected systems for the majority of its life from 2017 to 2020. Things changed dramatically near the end of 2021, when the DirtyMoe gang released an update to their operation that included a worm module allowing the malware to spread across the internet to other Windows systems. "Recently, a new infection vector that cracks Windows machines through SMB password brute force is on the rise," reads the analysis published by Avast. This module scoured the internet for remote Windows machines that had left their SMB port exposed online and launched password brute-force attacks against them.

The malware's SMB propagation module allowed infections to explode, with over 100,000 systems affected this year alone, according to Avast. However, this figure is based solely on Avast's visibility—that is, PCs with the antivirus software installed. The true magnitude of the DirtyMoe botnet is thought to be far larger.

A report from Tencent, a Chinese security firm, detected an increase in DirtyMoe/PurpleFox infections in China over the course of 2021, reflecting the comparable explosion in infection numbers reported by Avast in Europe, Asia, and America at the start of the month.

100 Italian Banks Hit by Ursnif Trojan


The Ursnif Trojan has been tracked to attacks on at least 100 Italian banks. In Avast's view, the malware operators have a strong interest in Italian targets, which has resulted in the loss of credentials and financial information through attacks against these banks.

Avast researchers have discovered usernames, passwords, credit card details, and bank and payment data that the Ursnif banking Trojan operators appear to have seized from banking customers. They did not pinpoint the source of the details; however, payment card details are also sold on the dark web. In just one instance, over 1,700 credentials were stolen from an undisclosed payment processor.

Ursnif is malware that was originally discovered in 2007 as a banking trojan and has developed over the years. It has targeted consumers in several countries across the world, mostly using native-language e-mail lures. Ursnif is typically distributed via phishing emails, such as fake invoice requests, and attempts to steal financial details and account credentials. Italy has been a major target of Ursnif, as the information obtained by the researchers demonstrates.

Referring to the Italian Financial CERT Avast says, "Our research teams have taken this information and shared it with the payment processors and banks we could identify. We've also shared this with financial services information sharing groups such as CERTFin Italy.” 

The Italian Ursnif campaign used phishing emails carrying malicious attachments that download the malware when opened, according to Fortinet. Ursnif is sometimes delivered by a malware loader, the company says.

Ursnif gathers confidential information such as the username, device name, and system uptime. According to Avast security researchers, these data are packaged into packets and forwarded to the gang's command and control server. The Ursnif Trojan is spyware that monitors traffic, takes screenshots, logs keystrokes, and obtains login credentials saved in browsers and mail applications.

Researchers from Darktrace have reported on a 2020 malware campaign that attacked a US bank. An employee received a phishing email, opened a malicious link, and inadvertently installed an executable file posing as a .cab archive. This file contacted command-and-control (C2) servers registered in Russia just one day before the campaign launched, so at the time of infection the IPs were not yet blocked.

“With this information, these companies and institutions are taking steps to protect their customers and help them recover from the impact of Ursnif,” concludes Avast.

Avast Antivirus Harvested Users' Data and Sold it to Google, Microsoft, IBM and Others

Avast, a popular maker of free anti-virus software used on almost 435 million mobile, Windows and Mac devices, harvested its users' sensitive data via browser plugins and sold it to third parties such as Microsoft, Google, Pepsi, IBM, Home Depot, and many others, according to the findings of an investigation jointly carried out by PCMag and Motherboard.

According to the sources, the investigation relied largely on leaked data; the documents used to further the investigation belonged to Jumpshot, a subsidiary of Avast. The data was extracted by the Avast anti-virus software itself and then repackaged by Jumpshot into various products that were sold to big companies. As the report specified, "Potential clients include Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Conde Nast, Intuit, and many others."

"The sale of this data is both highly sensitive and is, in many cases, supposed to remain confidential between the company selling the data and the clients purchasing it," other company documents found.

Allegedly, Avast has been keeping track of personal details such as the exact time and date at which a user starts browsing a website, the digital content they viewed, and their browsing and search history. According to the findings, the information sold by Jumpshot includes Google Maps searches, Google search engine searches, YouTube videos viewed by users, activity on companies' LinkedIn pages, and porn websites visited by people. The data contained no direct personal information such as names or email addresses; however, the investigators at Vice pointed out that access to such precise browsing data can potentially lead back to the identification of the user anyway.

When the investigation reports were made public, Avast terminated the operation and Jumpshot stopped receiving any browsing-related data harvested by the extensions; however, the popular anti-virus maker is currently being investigated for collecting user data aside from browser plug-ins.

While Google denied commenting on the matter, IBM told Vice that they have no record of dealing with Avast's subsidiary, Jumpshot. Meanwhile, Microsoft made it clear that at present they are not having any relationship with Jumpshot.

40.8% Smart Homes vulnerable to attacks

Security researchers have found that 40.8% of smart homes have at least one device that could be easily breached by hackers: one-third of those devices run outdated software with unpatched security issues, while two-thirds are exposed because of weak credentials.

The team of researchers at Avast said that all these vulnerable devices are connected to the internet directly, and routers are the ones most targeted.

"59.7% of routers have weak credentials or some vulnerabilities" and "59.1% of users worldwide have never logged into their router or have never updated its firmware," says Avast.

In their report, Avast says that "a router that is vulnerable to attack poses a risk for the whole home, much like leaving your front door unlocked. Cybercriminals can redirect compromised routers to access exactly what they want, including phones, computers or any other connected device."

Printers lead the list of device types most vulnerable to attacks. In the US, the figure for printers is 43.8%, while NAS devices and security cameras take second and third place at 17.7% and 14.7% respectively.

"It only takes one weak device to let in a bad hacker and once they are on the network, they can access other devices, and the personal data they stream or store, including live videos and voice recordings," said Avast President Ondrej Vlcek. "Simple security steps like setting strong, unique passwords and two-factor authentication for all device access, and ensuring software patches and firmware updates are applied when available, will significantly improve digital home integrity."

Avast's 2019 Smart Home Security Report includes data from 16 million homes around the world, with a total of 56 million devices scanned to gather the data.

Users Making Themselves Vulnerable To Hackers; Keeping Outdated Versions of Popular Applications on Their PCs

Users and their personal information are becoming increasingly vulnerable to security risks, according to yet another piece of research from the global security company Avast, which has released its PC Trends Report 2019.

According to the report, users are making themselves defenseless against hackers by not applying security patches and by keeping outdated versions of well-known applications on their PCs, including Adobe Shockwave, VLC Media Player and Skype.

This is a matter of grave concern, as outdated software is becoming one of the greatest cyber-attack risks: it gives hackers unauthorized access to the system through known vulnerabilities that they can easily exploit against the user in question.

“While most of us replace our smartphone regularly, the same cannot be said for our PCs. With the average age of a PC now reaching six years, we need to be doing more to ensure our devices are not putting us at unnecessary risk, but with the right amount of care, such as cleaning our hardware's insides using cleaners, optimisation and security products, PCs will be safe and reliable for even longer," says Ondrej Vlcek, President, Avast.

The report is said to have gathered information from approximately 163 million devices across the globe, and covers the most popular PCs, software and hardware used worldwide today. Of the applications installed, 55% are not the latest version; these outdated applications contain vulnerabilities and should be updated as soon as possible for security reasons.

The most installed software of 2018 includes Google Chrome, Adobe Reader, WinRAR, Microsoft Office, and Mozilla Firefox.

Android Devices with Pre-Installed Malware

Avast Threat Labs has recently discovered pre-installed adware on a few hundred different Android device models and versions, including devices from manufacturers such as ZTE and Archos.
The adware analyzed was previously described by Dr. Web and has been named "Cosiloon."

The adware has been active for at least three years and is hard to remove, as it is installed at the firmware level and uses strong obfuscation. Thousands of users are said to have been affected, and in the previous month alone the latest version of the adware was observed on around 18,000 devices belonging to Avast users in more than 100 countries, including Russia, Italy, Germany, the UK, and a few users in the U.S.

The adware creates an overlay to display an advertisement over a webpage in the user's browser, as can be seen in the screenshots below:

Google is working on mitigating the malware's app variants on Android smartphones using internally developed techniques. Although Google Play Protect exists, the malware comes pre-installed, which makes it harder to address. Google is currently contacting various firmware developers to raise awareness of these concerns and to encourage them to take effective steps as well.

It remains unclear how the adware got onto the devices. The malware authors kept updating the control server with new payloads, and manufacturers likewise kept shipping new devices with the pre-installed dropper.

The payload was updated again on April 8, 2018: the name shown in the application launcher changed to "Google Download," and some class names in the code changed, likely in an attempt to evade detection. The malware is part of the chipset platform package, which is reused across different brands; the chipset in question is from MediaTek, and the affected devices run Android versions ranging from 4.2 to 6.0.

Avast says that some anti-virus applications detect the payloads, but the dropper immediately reinstalls them, and the dropper itself cannot be removed that way, so the device will always contain a mechanism allowing an unknown party to install any application they want on it.

Avast announced the acquisition of Mobile Virtualization Company 'Remotium'

Avast Software, maker of the most trusted mobile and PC security products in the world, on July 8 announced the acquisition of Remotium, a leader in virtual enterprise mobility whose technology enables enterprises to extend access securely, simply, and cost-effectively to business-critical applications in a bring-your-own-device (BYOD) environment.

According to a press statement posted by the company, the acquisition of the Silicon-Valley-based start-up will allow Avast to expand its offering of mobile security applications to the enterprise space.

The entire Remotium team has joined the global organization of more than 600 Avast employees.

Like Avast, Remotium, which won "Most Innovative Company" at RSA Conference 2013, solves the challenges of delivering corporate applications to employees’ mobile devices by creating a smooth user experience, while assuring data security and compliance.

The company said that its product, Virtual Mobile Platform (VMP), which enables access to enterprise applications from any mobile or desktop device, allows users to work from anywhere in the office, remotely from their home office or while on business trips.

Users can connect to their VMP from any device they are using, including smartphones, tablets, and desktops, to access their corporate tools, apps and data.

Vince Steckler, CEO at Avast, said that Remotium's mobile solutions address the needs of modern enterprises.

"As more and more companies support BYOD policies, the question of how to implement these policies efficiently and securely is top of mind for everyone. With Remotium’s technology, companies have the visibility and security needed to ensure data integrity and corporate compliance. At the same time, users enjoy increased privacy, as well as apps that look and feel consistent across mobile and desktop platforms. We are pleased to add the Remotium staff to our team; together we will further accelerate Remotium’s growth and expand its capabilities across enterprise mobility platforms," he added.

Stephanie Fohn, CEO at Remotium, said, "The Remotium team and I are very excited about joining Avast Software. Avast has a long history in creating innovative, best-in-class security for personal and commercial use. We look forward to extending our technology leadership position and continuing to deliver groundbreaking enterprise mobility solutions to meet the needs of the enterprise."