New MysteryBot Android Malware

In response to the news that cybercriminals are currently developing a new strain of malware, named MysteryBot, which is targeting Android devices and blends the features of a banking trojan, keylogger and mobile ransomware, Mark James, Security Specialist at ESET commented below.

Is My Mac Secure from Malware and Viruses?

Do you own a Mac? If so, you might have the common perception that they’re more secure from internet threats than Windows PCs. Unfortunately, this isn’t the case. The truth is that Macs have historically not been targeted by hackers as frequently as Windows systems, simply because there were fewer to attack, so it didn’t make financial sense for the bad guys.

The ‘World’s Worst’ Smart Padlock Is Even Worse Than Previously Thought

Last week, cybersecurity company PenTest Partners managed to unlock Tapplock’s smart padlock within two seconds. They “found that the actual code and digital authentication methods for the lock were basically nonexistent,” reports The Verge. “All someone would need to unlock the lock is its Bluetooth Low Energy MAC address, which the lock itself broadcasts.” The company also managed to snap the lock with a pair of 12-inch bolt cutters.

Today, Naked Security reports that it gets much worse: “Tapplock’s cloud-based administration tools were as vulnerable as the lock, as Greek security researcher Vangelis Stykas found out very rapidly.” From the report: Stykas found that once you’d logged into one Tapplock account, you were effectively authenticated to access anyone else’s Tapplock account, as long as you knew their account ID. You could easily sniff out account IDs because Tapplock was too lazy to use HTTPS (secure web connections) for connections back to home base — but you didn’t really need to bother, because account IDs were apparently just incremental IDs anyway, like house numbers on most streets. As a result, Stykas could not only add himself as an authorized user to anyone else’s lock, but also read out personal information from that person’s account, including the last location (if known) where the Tapplock was opened.
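The backend defect described in the report is a missing object-level authorization check combined with enumerable account IDs. The following is an added example, not Tapplock's code: a hypothetical lock-sharing backend written the way the report describes (any logged-in caller can read any account, IDs are sequential) beside a hardened version that issues random IDs and checks that the caller owns the account or the lock before acting. All class, method and user names are invented for the illustration.

```python
"""Added example: object-level authorization for a lock-sharing API.

The vulnerable class models the two defects the report describes; the
hardened class shows the corrected design. Hypothetical code, not Tapplock's.
"""
import secrets


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized for the object."""


class VulnerableBackend:
    """Authentication only, no ownership check, incremental (enumerable) account IDs."""

    def __init__(self):
        self.accounts = {}   # account_id -> record
        self._next_id = 1

    def create_account(self, email):
        account_id = self._next_id          # predictable, like house numbers on a street
        self._next_id += 1
        self.accounts[account_id] = {"email": email, "last_location": None}
        return account_id

    def get_account(self, caller_id, account_id):
        if caller_id not in self.accounts:
            raise Forbidden("not logged in")
        # Defect: the caller is authenticated, but nobody checks that
        # caller_id == account_id, so every account is readable by every user.
        return self.accounts[account_id]


class HardenedBackend:
    """Same API with two fixes: unguessable IDs and per-object authorization."""

    def __init__(self):
        self.accounts = {}
        self.locks = {}      # lock_id -> {"owner": account_id, "authorized": set()}

    def create_account(self, email):
        account_id = secrets.token_urlsafe(16)   # 128 random bits, not enumerable
        self.accounts[account_id] = {"email": email, "last_location": None}
        return account_id

    def get_account(self, caller_id, account_id):
        if caller_id not in self.accounts:
            raise Forbidden("not logged in")
        if caller_id != account_id:              # object-level authorization
            raise Forbidden("caller does not own this account")
        return self.accounts[account_id]

    def register_lock(self, caller_id, lock_id):
        if caller_id not in self.accounts:
            raise Forbidden("not logged in")
        self.locks[lock_id] = {"owner": caller_id, "authorized": {caller_id}}

    def add_authorized_user(self, caller_id, lock_id, new_user_id):
        lock = self.locks[lock_id]
        if lock["owner"] != caller_id:           # only the owner may share the lock
            raise Forbidden("only the lock owner can add users")
        if new_user_id not in self.accounts:
            raise KeyError("unknown account")
        lock["authorized"].add(new_user_id)

    def may_unlock(self, caller_id, lock_id):
        return caller_id in self.locks[lock_id]["authorized"]


def demo():
    """Constructed scenario: a second user tries to read the first user's account."""
    vuln = VulnerableBackend()
    alice = vuln.create_account("alice@example.test")
    mallory = vuln.create_account("mallory@example.test")
    leaked = vuln.get_account(mallory, alice)          # succeeds: the reported defect

    hard = HardenedBackend()
    alice2 = hard.create_account("alice@example.test")
    mallory2 = hard.create_account("mallory@example.test")
    hard.register_lock(alice2, "lock-1")
    blocked = False
    try:
        hard.get_account(mallory2, alice2)
    except Forbidden:
        blocked = True
    return leaked is not None, blocked


if __name__ == "__main__":
    print("vulnerable backend leaked account:", demo()[0], "| hardened blocked it:", demo()[1])
```

Random IDs alone would not have fixed the reported problem, since an ID can still be learned by sniffing unencrypted traffic; the ownership check in `get_account` and `add_authorized_user` is the control that matters, and TLS keeps the IDs from being observed in the first place.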

Bet money on yourself with Proveit, the 1-vs-1 trivia app

Pick a category, wager a few dollars and double your money in 60 seconds if you’re smarter and faster than your opponent. Proveit offers a fresh take on trivia and game show apps by letting you win or lose cash on quick 10-question, multiple choice quizzes. Sick of waiting to battle a million people on HQ for a chance at a fraction of the jackpot? Play one-on-one anytime you want or enter into scheduled tournaments with $1,000 or more in prize money, while Proveit takes around 10 percent to 15 percent of the stakes.

SamSam ransomware: controlled distribution for an elusive malware

Disclaimer: This is only a partial analysis, as there are manual steps in deploying this ransomware. The artifacts we worked with did not include the actual ransomware payload, which can only be launched using the correct parameters, most likely entered manually by the threat actor.

SamSam ransomware has been involved in some high-profile attacks recently, and remains a somewhat elusive malware. In its time being active, SamSam has gone through a slight evolution, adding more features and alterations into the mix. These changes do not necessarily make the ransomware more dangerous, but they make it a bit trickier to detect or track, since it is constantly changing.

When comparing early samples to more recent samples, one thing remains constant: the ransomware payload (the code that actually does disk encryption) is run-time decrypted. This is the most distinguishing trait about this ransomware, the single feature that makes it unique. This encrypted payload scheme explains why it is extremely difficult to find a sample of the actual payload code.

The main differences between the new and old versions of SamSam (which we will cover moving forward) are simply:

  1. The modules used
  2. Their interactions with one another

Rather than covering the old version and then talking about the new one, we will go through the newer SamSam code, and draw some comparisons to the older versions so we can understand its evolution.

Recent SamSam analysis

A SamSam attack has five main components that must be in place for the compromise to take place. Four of them are actual files, and the fifth is direct human involvement.

Component one is a batch file that contains some settings for the ransomware and is the only portion that the actor is actually executing manually. It runs a .NET exe, which eventually decrypts an encrypted stub file. The attacker executes the bat file on the compromised computer with a password as its command-line parameter. This is the password that gets passed down the chain until the .NET file uses it for decryption. On older versions, it seems that this bat file was not in the chain. The attacker possibly executed the .NET component directly.

Details on each portion below:

In this case, mswinupdate is the “runner,” as they call it here. Basically, the “runner” is the loader file. It is a .NET exe that looks in the current folder for the ransomware payload to decrypt.

Next, you see the SET password line, which receives the password via command-line parameter as we spoke about above.

This is the whole reason there is so much difficulty in getting an analysis on the main payload. This password is entered without the use of a file. We may have trouble reconstructing the full manual attack scenario because some files and logs are wiped afterward by the attacker. Because of this, the only way we can theoretically get the password is if it’s intercepted at the time of the attack.

Moving forward to the rest of the contents of the bat file, the remaining parameters are self-explanatory. The next line of interest executes the “runner” and then deletes itself, the runner, and the encryption DLL.

Above is component two, the “runner,” aka the payload decryptor and launcher. This file is not obfuscated and is quite simple in functionality. It searches directories for a file with an extension of .stubbin that will have been placed there by the attacker. The stubbin file is the encrypted ransomware. It immediately reads the bytes from the file and then deletes the file from the disk. The contents of the file are AES encrypted so even having the stubbin file does not help us in analysis unless we obtain the password manually entered by the attacker.

The runner then calls the Assembly.Load function, which loads a .NET assembly dynamically. The function receives a parameter, which is the output of the decryptor method. This means that it decrypts the stub file, turning it into a proper PE, and then loads it dynamically. The password passed in from the bat file is args[0], while Arg_4E_0 is the encrypted byte stream. It then invokes the decrypted file for execution.
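The staging chain described above (a batch file that takes the password as its first argument, passes it to the runner and then deletes itself, the runner and the DLL; a .stubbin blob that is AES ciphertext on disk; a small .NET loader that decrypts and calls Assembly.Load) leaves traits a responder can check for without ever having the password. The following is an added example, not from the original analysis: Python triage helpers that score a batch file against those behaviours, test whether a blob looks like an encrypted stub (no PE header, near-maximal entropy) and list loader-related strings in a binary. The batch text, the DLL name and the indicator list are constructed for the illustration; only "mswinupdate" is taken from the write-up.

```python
"""Added example: triage checks for the SamSam-style staging chain.

Each check mirrors one trait from the analysis; none is a production signature.
Sample inputs are constructed and the "decryptor.dll" name is invented.
"""
import math
import random
import re
from collections import Counter

# Strings the analysis says the runner relies on; hypothetical hit list.
LOADER_INDICATORS = ("stubbin", "Assembly", "Load", "AesManaged", "RijndaelManaged")

# One rule per described behaviour of the batch file.
BATCH_RULES = (
    ("password_from_argument", re.compile(r"^\s*set\s+\w*pass\w*\s*=\s*%1", re.I | re.M)),
    ("runs_exe_with_password", re.compile(r"\.exe\b[^\n]*%\w*pass\w*%", re.I)),
    ("self_delete", re.compile(r"\bdel\b[^\n]*%~?f?0\b", re.I)),
    ("deletes_dll", re.compile(r"\bdel\b[^\n]*\.dll\b", re.I)),
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or random data, far lower for text or code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_encrypted_stub(data: bytes, threshold: float = 7.5) -> bool:
    """A runtime-decrypted payload is ciphertext on disk: no MZ header and
    near-maximal entropy. A plain PE or a script fails one of the two tests."""
    return not data.startswith(b"MZ") and shannon_entropy(data) >= threshold


def loader_indicators(binary: bytes) -> list:
    """Indicator strings present as ASCII or as UTF-16LE (how .NET stores user strings)."""
    return [s for s in LOADER_INDICATORS
            if s.encode("ascii") in binary or s.encode("utf-16-le") in binary]


def batch_indicators(text: str) -> list:
    """Names of BATCH_RULES that match; all four together is the chain described above."""
    return [name for name, rx in BATCH_RULES if rx.search(text)]


# Constructed sample mirroring the described flow (not a real SamSam artifact).
SAMPLE_BATCH = """@echo off
set password=%1
mswinupdate.exe %password%
del mswinupdate.exe
del decryptor.dll
del "%~f0"
"""


def constructed_ciphertext(size: int = 4096) -> bytes:
    """Stand-in for an AES-encrypted .stubbin: deterministic pseudo-random bytes."""
    rng = random.Random(1)
    return bytes(rng.getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    print("batch rules hit:", batch_indicators(SAMPLE_BATCH))
    print("stub looks encrypted:", looks_like_encrypted_stub(constructed_ciphertext()))
    fake_loader = b"MZ\x90\x00 .stubbin " + "Assembly".encode("utf-16-le")
    print("loader indicators:", loader_indicators(fake_loader))
```

The entropy test is the useful one for the situation the analysis describes: an encrypted stub cannot be executed or analysed without the password, but it can still be recognised as an encrypted blob sitting next to a .NET loader, which is enough to raise an alert and preserve the files before the batch script deletes them.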

On to component three. In the recent versions of SamSam, the decryption code is contained in a separate DLL, while in the older versions, it was all contained within the runner EXE. The older versions therefore had only three components, rather than four.

Here is a screenshot of the decryption code:

Throughout the program code you will see the following:

This is something that was also added in the recent version. These arrays are unused, perhaps just garbage code inserted for obfuscation or to throw off signatures.

And finally, component four, the contents of the encrypted malware payload, *.stubbin.

The goal of SamSam: targeted attacks

In this analysis, we spoke a lot about the password and the fact that it was entered manually by the attacker. This is the most important point about this ransomware campaign. As analysts, without knowing the password, we cannot analyze the ransomware code. But what is more important to note is that we cannot even execute the ransomware on a victim or test machine. This means that only the author (or someone who has intercepted the author’s password) can run this attack.

This is a major difference from the vast majority of ransomware, or even malware, out there. SamSam is not the type of ransomware that spreads like wildfire. In fact, this ransomware quite literally cannot spread automatically and naturally.

A victim who accidentally downloads and executes this malware will not be harmed at all because a password is required for the payload to run. It requires the human involvement of the creator, which means it was developed for a single purpose: targeted attacks. The author attacks victims he has specifically chosen. And this is what makes this ransomware so interesting. The author is not just after a quick buck; instead, he prefers to have his payload remain a secret so he can continue to take down only the people he chooses.

Indicators of compromise

BAT file


Elon Musk Is Creating His Own Reality

What planet does Elon Musk live on?

Over the past month, the “real-life Iron Man” has, tweet-by-tweet, constructed a picture of reality that increasingly looks less like the world most of us interact with every day. He’s actually a socialist, he claimed on Twitter recently, although he believes corporations should provide for most of society’s needs and doesn’t think his Tesla factory should unionize. Later that same day, Musk claimed to be a “utopian anarchist” a la the futuristic civilization depicted in science fiction writer Iain M. Banks’ Culture series. This view seems to ignore the fact that in a 1994 essay titled “A Few Notes on the Culture,” Banks himself laid out a “personal conviction” that “a planned economy can be more productive—and more morally desirable—than one left to market forces.” This socialist outlook doesn’t jibe with the worldview Musk has espoused in his recent tweets.

Game Developers Dump ‘Redshell’ Tracking Program After Privacy Backlash

Across Reddit and Steam forums, a few people are getting up in arms about Redshell, a tracking program that game developers use to see how well their advertising is working. To customers, Redshell represents yet another uninvited invasion of digital privacy. And while people on gaming forums being upset isn’t unusual—and Redshell itself seems to be mostly harmless—developers are dumping Redshell with unusual speed.

Cyber Attack Aims to Manipulate Mexican Election

On Wednesday June 13, in the run-up to Mexico’s July 1 presidential election, a website operated by the rightist National Action Party (PAN) was taken off-line for several hours by a DDoS attack. The outage occurred at the time of a televised presidential debate, and just following a point at which the PAN candidate held up a placard with the website address claiming it held proof of potential corruption.