Financial Organizations Beware Of Documents Asking To Enable Content

If you work in the financial sector, be advised that there’s a large-scale, botnet-driven malware campaign underway. It has been targeting firms in both the US and the UK.

The malware at the heart of the campaign is Emotet, which began life as a banking trojan, but it has morphed into something quite different in recent times.

It’s now a full-fledged botnet and its creators are leasing it out to anyone who can pay.

Make no mistake, the latest configuration of Emotet isn’t a threat to be taken lightly. Last year, it accounted for almost two-thirds of malicious payloads delivered via phishing attacks. The malware was heavily used throughout much of 2019, suffered a marked decline during December, and then came roaring back to the fore in January of 2020.

While the major thrust of this latest campaign is aimed at financial institutions, a small number of attacks have been made against companies in the media, transportation, and food industries.

The campaign is being conducted largely through phishing emails that carry a Microsoft Word document posing as an invoice for a service recently rendered. The subject line varies, but in every case it references the invoice and/or bank details, so that it matches the attachment.

Naturally, when a recipient opens the invoice, he or she sees a banner or popup claiming that macros must be enabled in order to view it properly. If the recipient clicks the button to enable content, the embedded macro runs and installs the malicious payload. The document is harmless until that click; the macro is the whole attack.
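A triage check a mail gateway or analyst can run before anyone is asked to click "Enable Content", as an added example that is not code from the article or from any vendor: modern Word files (.docx/.docm) are zip containers, and a document that carries macros has a word/vbaProject.bin part and declares it in [Content_Types].xml. The two documents the script inspects are constructed in memory as placeholders, not real Emotet lures, and the filenames are made up; legacy binary .doc files (OLE2) are flagged as unhandled rather than inspected.

```python
"""Triage an Office Open XML attachment for an embedded VBA project.

Added example, not code from the article or any vendor. OOXML files
(.docx/.docm) are zip containers; a document that carries macros holds a
word/vbaProject.bin part and declares its content type in [Content_Types].xml.
The sample documents are constructed in memory so this runs offline; they are
placeholders, not real Emotet lures.
"""
import io
import zipfile
from typing import Dict

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".ppsm"}
OOXML_NS = "http://schemas.openxmlformats.org/package/2006/content-types"


def inspect_ooxml(data: bytes) -> Dict[str, object]:
    """Return macro indicators for a document supplied as bytes."""
    findings: Dict[str, object] = {"is_zip": False, "vba_part": False,
                                   "vba_content_type": False, "parts": []}
    if not data.startswith(b"PK\x03\x04"):
        # Legacy binary .doc (OLE2, starts with D0 CF 11 E0) needs an OLE
        # stream parser such as oletools; this function does not handle it.
        return findings
    findings["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["parts"] = names
        findings["vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            findings["vba_content_type"] = VBA_CONTENT_TYPE in types_xml
    return findings


def has_macros(data: bytes) -> bool:
    """True when either indicator of a VBA project is present."""
    f = inspect_ooxml(data)
    return bool(f["vba_part"] or f["vba_content_type"])


def verdict(filename: str, data: bytes) -> str:
    """Combine the extension hint with what the container actually holds."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if not has_macros(data):
        return "CLEAN: no VBA project found"
    if ext not in MACRO_EXTENSIONS:
        return "SUSPICIOUS: VBA project inside a non-macro extension (%s)" % (ext or "none")
    return "REVIEW: document carries a VBA project; verify the sender before enabling content"


def build_sample(with_vba: bool) -> bytes:
    """Construct a minimal OOXML container in memory (sample data, not a real lure)."""
    overrides = ['<Override PartName="/word/document.xml" '
                 'ContentType="application/vnd.openxmlformats-officedocument'
                 '.wordprocessingml.document.main+xml"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if with_vba:
            overrides.append('<Override PartName="/word/vbaProject.bin" '
                             'ContentType="%s"/>' % VBA_CONTENT_TYPE)
            # Placeholder bytes carrying an OLE2 signature; a real part holds VBA streams.
            zf.writestr("word/vbaProject.bin",
                        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?><Types xmlns="%s">%s</Types>'
                    % (OOXML_NS, "".join(overrides)))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical attachment names; the blobs are the constructed samples above.
    for name, blob in (("sample-invoice.docm", build_sample(True)),
                       ("sample-invoice.docx", build_sample(True)),
                       ("sample-invoice.docx", build_sample(False))):
        print(name, "->", verdict(name, blob))
```

The check is deliberately cheap: it never parses or runs the VBA, it only answers whether there is any to run, which is enough to route an "invoice" to quarantine or a sandbox instead of a user's inbox.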

This is a time-tested and reliable method of getting malicious code onto target machines. It’s been around for years, but it’s still in use because it’s so effective. Make sure your employees are aware of the threat and stay vigilant. If the early indications mean anything, 2020 is going to be a very trying year.

New Malware Uses This Year’s Top Movies To Get Clicks

It’s easy to get caught up in the hype of popular movies. Hackers know this and are beginning to incorporate Oscar-nominated movies into their strategies. They’re using enticing images to bait unsuspecting users into installing malware and to lure them to phishing sites designed to steal credit card and other sensitive information. After all, wouldn’t you be willing to pay a small sum for a sneak preview of the next blockbuster hit? There are a lot of people who would.

Researchers at Kaspersky Lab have tracked the rise of this trend over the last several months. They have discovered more than twenty different phishing sites and nearly a thousand malicious files presented as free ‘sneak peek’ versions of popular movies. These fake movies are actually malware in disguise.

The Kaspersky researchers said:

“The uncovered phishing websites and Twitter accounts gather users’ data and prompt them to carry out a variety of tasks in order to gain access to the desired film.

These can vary from taking a survey and sharing personal details, to installing adware or even giving up credit card details. Needless to say, at the end of the process, the user does not get the content.”

If you’re a movie buff, and therefore more likely to be taken in by such scams, there are a few basic things you can do to minimize your risk. First, if it sounds too good to be true, then it probably is. Don’t get sucked in based on hype alone.

Second, pay attention to the release dates of the film in question. Hackers often don’t pay much attention to that and they’re hoping you won’t either. It may be the case that you’re being offered an ‘exclusive sneak peek’ at a movie that’s already out.

Third, pay attention to the URL and to the extension of the file you’re downloading, if you get that far. Both are often giveaways that something is amiss. Be careful and be safe!

Active Directory Being Targeted By Malware Called TrickBot

The malware named TrickBot has some new tricks up its sleeves. Recently, a new strain of the malware was spotted in the wild with new capabilities that allow it to target the Active Directory database stored on compromised Windows domain controllers.

While TrickBot has never been seen as one of the most dire threats in the malware universe, this new functionality does make it dangerous.

Domain administrators need to be aware of the dangers associated with hackers gaining access to and exploiting Active Directory. The directory stores user names, password hashes, computer names, groups, and a variety of other sensitive data.

To understand how TrickBot manages this feat, it’s important to dig into a few technical details. When a server is promoted to a domain controller, the Active Directory database is created and saved on that machine in the C:\Windows\NTDS folder. One of the files in this folder is ntds.dit, which is the file that holds all of the Active Directory Domain Services data, including every account’s password hashes.

Given the sensitivity of this information, Windows encrypts the password hashes inside ntds.dit with a key that is itself protected by the BootKey, which is stored in the SYSTEM hive of the Registry. Because ntds.dit is held open by the directory service while the domain controller is running, other processes can’t simply copy the file. Domain controllers do, however, ship with a tool called ntdsutil that lets administrators perform maintenance on the database, including taking a consistent copy of it.

TrickBot gets around this by abusing ntdsutil’s “Install from Media” (IFM) function, which is intended to produce a snapshot of the database (together with the SYSTEM hive that holds the BootKey) for standing up a new domain controller. The malware points that snapshot at the %Temp% folder, where the output can be compressed and sent to a command and control server run by the hackers. Once they’ve got their hands on the file itself, it’s easy enough to decrypt it offline and extract the password hashes. That, of course, spells trouble for the organization that owns the server.
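Because the dump is produced by a legitimate, signed administration tool, the thing to watch for is the invocation itself. The following is an added example, not code from the article or from any vendor: a small detector run over constructed process-creation events (the Image, ParentImage and CommandLine fields as Sysmon Event ID 1 or Security Event ID 4688 would record them; none of these lines are real TrickBot telemetry). ntdsutil accepts unambiguous prefixes of its commands, so “ac i ntds” means “activate instance ntds” and “cr fu” means “create full”; the patterns account for those abbreviations, which a naive string match on “create full” would miss.

```python
"""Flag ntdsutil "Install from Media" dumps in process-creation telemetry.

Added example; not code from the article or from any vendor. The events are
constructed to resemble the Image, ParentImage and CommandLine fields of
Sysmon Event ID 1 / Security 4688 and are not real TrickBot telemetry.
"""
import re
from typing import Dict, List, Optional, Tuple


def prefix_pattern(word: str, min_len: int = 2) -> str:
    """Regex alternation matching any prefix of `word` of at least min_len chars.

    ntdsutil accepts unambiguous command prefixes, so "cr fu" == "create full".
    Longest alternative first so the trailing \\b in the caller still matches.
    """
    alts = [re.escape(word[:i]) for i in range(len(word), min_len - 1, -1)]
    return "(?:%s)" % "|".join(alts)


ACTIVATE = re.compile(r"\b%s\s+%s\s+ntds\b"
                      % (prefix_pattern("activate"), prefix_pattern("instance", 1)), re.I)
IFM = re.compile(r"\bifm\b", re.I)
CREATE_FULL = re.compile(r"\b%s\s+(?:sysvol\s+)?%s\b"
                         % (prefix_pattern("create"), prefix_pattern("full")), re.I)
# Output locations an unprivileged-looking process can write to; an admin
# building a new DC would normally use a dedicated folder, not %Temp%.
USER_WRITABLE = re.compile(r"\\(?:temp|appdata|users|programdata|public)\\", re.I)

# Constructed sample events (tab-separated key=value fields).
SAMPLE_EVENTS: List[str] = [
    "\t".join([r"Image=C:\Windows\System32\ntdsutil.exe",
               r"ParentImage=C:\Windows\System32\cmd.exe",
               r'CommandLine=ntdsutil "ac i ntds" "ifm" "create full C:\Users\svc\AppData\Local\Temp\x" q q']),
    "\t".join([r"Image=C:\Windows\System32\ntdsutil.exe",
               r"ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r'CommandLine=ntdsutil.exe "ac i ntds" ifm "cr fu C:\Users\Public\out" q q']),
    "\t".join([r"Image=C:\Windows\System32\ntdsutil.exe",
               r"ParentImage=C:\Windows\System32\cmd.exe",
               r'CommandLine=ntdsutil "metadata cleanup" q']),
    "\t".join([r"Image=C:\Windows\System32\cmd.exe",
               r"ParentImage=C:\Windows\explorer.exe",
               r"CommandLine=cmd.exe /c dir C:\ifm"]),
    "\t".join([r"Image=C:\Windows\System32\ntdsutil.exe",
               r"ParentImage=C:\Windows\System32\cmd.exe",
               r'CommandLine=ntdsutil "activate instance ntds" ifm "create full C:\IFM" q q']),
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one tab-separated key=value event line into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("\t"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert for an IFM-style database export, else None."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if not image.lower().endswith("\\ntdsutil.exe"):
        return None
    hits = [name for name, pat in (("activate_instance", ACTIVATE),
                                   ("ifm", IFM),
                                   ("create_full", CREATE_FULL)) if pat.search(cmd)]
    if "ifm" not in hits and "create_full" not in hits:
        return None  # ntdsutil used for other maintenance, e.g. metadata cleanup
    severity = "high" if USER_WRITABLE.search(cmd) else "medium"
    return {"severity": severity, "hits": hits,
            "parent": event.get("ParentImage", ""), "cmdline": cmd}


def scan(lines: List[str]) -> List[Tuple[int, Dict[str, object]]]:
    """Run classify() over every line; return (index, alert) for the hits."""
    alerts = []
    for idx, line in enumerate(lines):
        result = classify(parse_event(line))
        if result is not None:
            alerts.append((idx, result))
    return alerts


if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print("event %d [%s] hits=%s parent=%s" % (idx, alert["severity"],
                                                   ",".join(alert["hits"]), alert["parent"]))
```

Even the "medium" case deserves a ticket: an IFM export is a rare, planned event on most domains, so anything not matching a change record is worth a phone call to whoever is logged on to that domain controller.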

All that to say, if TrickBot isn’t currently on your radar, it deserves a spot there. Its new capabilities make the malware significantly more dangerous.

New Malware Sends Offensive Texts From Your Phone

Malware tends to be at its most effective when it operates in secret, under the radar. This is what allows malicious code to burrow deep into an infected system and capture a wide range of data. It’s what allows cryptojacking software to quietly siphon off computing power to mine various forms of cryptocurrency, making money for the malicious code’s owners. Secrecy is typically seen as a very big deal.

Then there’s the malware called Faketoken, which has recently been upgraded with enhanced capabilities that throw all that out the window. The latest version of the malware adds insult to injury by sending out offensive, expensive, or overseas text messages after milking as much money out of an infected device as it can. It’s such a departure from hacking norms that it caught researchers at Kaspersky Lab by surprise when they saw it.

Researchers have been tracking Faketoken’s ongoing development since it first made the “Top 20 Most Dangerous Banking Trojans” list in 2014.

Since that time, the code’s owners have added a raft of capabilities to the malware, including:

  • The ability to steal funds directly, rather than relying on other Trojans bundled with it to do the heavy lifting
  • Using phishing login screens and overlaid windows designed to dupe mobile users into entering their account credentials, handing them straight to the hackers
  • The ability to act as ransomware, encrypting files and demanding payment

Sending out offensive texts is an oddly amusing addition to malicious code like this. However, there may be a method to the apparent madness of the people behind the code. It is, after all, a fantastic way to advertise the code’s effectiveness.

Ultimately, the only people who know the true purpose behind this new functionality are the hackers themselves, but we may well be looking at the leading edge of a new trend in malware. Stay tuned.

New Updates To This Malware Made It More Dangerous

If you haven’t yet heard of a malware strain called ‘Predator the Thief’, it’s something that belongs on your radar.

It first emerged as a threat in July of 2018, when it was used in conjunction with an extensive phishing campaign.

In its original incarnation, it proved more than capable of stealing passwords, browser data, user names and the contents of cryptocurrency wallets. In addition, it was able to access the infected victim’s webcam and take pictures with it, sending everything to a command and control server.

Unfortunately, the group behind the malware has been busy updating it. It’s recently been spotted in the wild with a new set of enhanced capabilities that make it more difficult for antivirus programs to detect its presence.

In addition to that, the hackers have upped their game on the phishing campaign front. This included adding new documents to use as lures to hook the victim into inadvertently installing the malicious code.

The new and improved version of the malware was discovered by FortiGuard Labs, and apparently version 3.3.4 was released on Christmas Eve, 2019.

Although there’s no clear indication as to who is behind the code, analysis of the malware suggests a Russian origin. FortiGuard’s researchers reached this conclusion based on the fact that the malware is specifically designed not to operate in Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine or Uzbekistan. Those are countries that Russian hackers tend not to target as a rule.

In terms of minimizing the threat that Predator the Thief poses, FortiGuard’s researchers recommend ensuring that Office macros are disabled by default and that all software (including the operating system) is fully patched and up to date. These are, of course, sensible precautions to take against any threat, so it makes for good advice in general. Stay on your guard. It’s dangerous out there.