Fake Voicemail Messages Tricking People Into Opening Malicious Content

Office 365 has been the target of an increasing number of ongoing phishing scams.

The latest scam involves using fake voicemail messages to convince targets that they need to log in to hear the full recording.

Researchers at McAfee Labs had this to say about the matter:

“Over the past few weeks McAfee Labs has been observing a new phishing campaign using a fake voicemail message to lure victims into entering their Office 365 email credentials.  At first, we believed that only one phishing kit was being used to harvest the user’s credentials.  However, during our investigation, we found three different malicious kits and evidence of several high-profile companies being targeted.”

Recipients receive an email message informing them that they missed a call.  A partial recording is available and embedded in the email, but the recipient gets little more than a "hello," so there's no real indication of what the message might be about.

Then, if the recipient clicks the link provided to "log in and hear the message," they will, of course, be sent to a page that looks like an Office 365 login screen.  All they're really doing at that point is handing their credentials over to whoever sent the message.

As we said at the start, Office 365 has become an increasingly popular target.  There's another scam making the rounds that tries to get a user's login credentials by making the message appear to come from the recipient's HR department and announcing an upcoming raise.

Both are powerful approaches that have been yielding better results than usual for the scammers.  Be sure your IT staff and all of your employees are aware of and on their guard against these scams.

Some iOS Apps Found To Have Clicker Trojan Malware

Recently, a survey of Apple’s App Store by Wandera Threat Lab discovered more than a dozen iOS apps that have been infected with the ‘Clicker’ Trojan malware.  As malware goes, this variant isn’t especially dangerous to those who wind up infected with it, but it’s still problematic.

A spokesman for Wandera had this to say about the recent discovery:

“The objective of most clicker trojans is to generate revenue for the attacker on a pay-per-click basis by inflating website traffic.  They can also be used to drain the budget of a competitor by artificially inflating the balance owed to the ad network.”

All of the infected apps come from AppAspect Technologies Pvt. Ltd., a company based in India with more than fifty different apps available on Apple's App Store and more than two dozen available on Google's Play Store.  What can't be determined is whether the malicious code was injected into these apps unintentionally through a compromised third-party framework, or whether it was an intentional decision.

Again, from the researchers at Wandera:

“This discovery is the latest in a series of bad apps being surfaced on an official mobile app store and another proof point that malware does impact the iOS ecosystem.  Mobile malware is still one of the less frequently seen threats in the wild, but we are seeing it used more in targeted attack scenarios.”

The Wandera researchers concluded their report with a recommendation. They suggest that all mobile users (whether they are in the Android or iOS ecosystems) make use of mobile security solutions that keep malicious apps from communicating with their command and control servers. This serves as a means of protecting their data from being stolen.  It’s good advice, and these types of threats are certainly something to keep a watchful eye out for.

Backdoor Could Be Used On Microsoft SQL Without Detection

If you haven’t heard of Skip-2.0 yet, prepare to be dismayed.

Security researchers have recently discovered an undocumented (until now) backdoor designed for Microsoft SQL servers.

It will allow a hacker working remotely to stealthily take control of a previously compromised system.

Worse, this is not theory or conjecture.  Researchers have found malware strains in the wild that take advantage of the backdoor, allowing attackers to remotely connect to any account on the server running MSSQL version 11 or 12 by using a “magic password.”

As bad as that sounds, it gets worse.  The Skip-2.0 malware contains code that disables the compromised machine’s logging functions, audit mechanisms and event publishing every time the “magic password” is used so that it leaves no trace, which is why it’s so difficult to detect.

This gives the malware the freedom and flexibility to move seamlessly through the target system, where it can copy, change, or delete any content stored on it, all while keeping the system's owner or user in the dark as to what's happening. In its most recently published cybersecurity report, the security firm ESET attributed the Skip-2.0 backdoor to an organization known as the Winnti Group, a state-sponsored threat actor with Chinese backing.

As evidence in support of this conclusion, the researchers involved with drafting the report point to numerous similarities between Skip-2.0 and other tools developed and used by the Winnti Group, including PortReuse and ShadowPad.

In addition to that, Skip-2.0 utilizes an encrypted VMProtect-packed launcher, an ‘Inner-Loader’ injector and hooking framework, and a custom packer to install its payload, which, again, is identical to the structure of other Winnti Group tools.

In basic terms, this is just another malware threat to emerge in the tech world. If there’s a silver lining in all of this, it is the fact that MSSQL 11 and 12 are not the most recent versions, so the fix is fairly simple.  Just upgrade to a version beyond 12 and you can avoid the risks associated with this new threat.
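Two things an administrator can verify from the description above are the version line of each instance and whether SQL Server's own audit logging is defined, enabled and actually running. The script below is an added example (not from the article or ESET) that reports both. It assumes the SqlServer PowerShell module (for `Invoke-Sqlcmd`), a Windows-authenticated connection, and a placeholder instance name in `$Instance`.

```powershell
# Added example (not from the article or ESET): report the SQL Server version and the
# state of server-level auditing for one instance. MSSQL 11.x is SQL Server 2012 and
# 12.x is SQL Server 2014, the range the article describes as affected.
# Assumes the SqlServer module (Invoke-Sqlcmd) and Windows authentication.
param(
    [string]$Instance = 'SQLHOST\INSTANCE'   # placeholder instance name, replace before use
)

$ver = Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128)) AS ProductVersion,
       CAST(SERVERPROPERTY('Edition') AS nvarchar(128)) AS Edition;
"@
$major = [int]($ver.ProductVersion.Split('.')[0])
if ($major -le 12) {
    Write-Warning "$Instance runs MSSQL major version $major ($($ver.ProductVersion)), within the version range the article describes as affected."
} else {
    Write-Host "$Instance runs MSSQL major version $major ($($ver.ProductVersion))."
}

# List every server audit with its configured state and its live status. An audit that
# is defined but disabled, or defined but not running, records no logins at all, so a
# backdoor that silences auditing would leave exactly this picture.
$audits = Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT a.name,
       a.is_state_enabled,
       a.type_desc,
       s.status_desc,
       s.audit_file_path
FROM sys.server_audits AS a
LEFT JOIN sys.dm_server_audit_status AS s ON a.audit_id = s.audit_id;
"@
if (-not $audits) {
    Write-Warning "No server audits are defined on $Instance; SQL Server Audit is recording nothing."
}
foreach ($a in $audits) {
    $state = if ($a.is_state_enabled) { 'enabled' } else { 'DISABLED' }
    Write-Host ("{0,-30} {1,-10} {2,-18} {3}" -f $a.name, $state, $a.type_desc, $a.status_desc)
    if (-not $a.is_state_enabled -or $a.status_desc -ne 'STARTED') {
        Write-Warning "Audit '$($a.name)' on $Instance is not both enabled and started."
    }
}
```

Run it once per instance from a management host and keep the output; a later run that shows an audit flipping from enabled/STARTED to anything else, with no change ticket behind it, is worth investigating.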

New Exploit Discovered That Adds Malware To Advertisements

Hackers and scammers have a new tool in their toolbox, and they're making rapid use of it.  Recently, researchers from Confiant discovered a new campaign involving a Chrome for iOS exploit. They found an unknown group of attackers getting around the browser's built-in pop-up blocker to deliver fake ads. This happened to half a billion users from the US and Europe in less than a week.

The group has been named ‘eGobbler’ and they’re not picky.  Since Confiant began tracking their activities, they’ve targeted iOS devices as well as Windows, Linux and macOS desktops in one of the most far-reaching malvertising attacks we’ve ever seen.

The researchers had this to say about the matter:

“This time around…we were in fact experiencing redirections on WebKit browsers upon the ‘onkeydown’ event.  The nature of the bug is that a cross-origin nested iframe is able to ‘autofocus’ which bypasses the ‘allow-top-navigation-by-user-activation’ sandbox directive on the parent frame. Also noteworthy is that the campaign behind this payload had specifically targeted some web applications with text areas and search forms in order to maximize the chances of hijacking these keypresses.”

The long and the short of it is that this represents a new attack vector.  Hackers can now inject malware into completely innocuous ads, hijacking them for their own purposes.

Both Google and Apple have taken swift, decisive action to address the issue. Google addressed it in a WebKit patch that was released on August 12. Apple addressed the matter in their release of iOS 13 on September 19, and via Safari 13.0.1 on September 24. The bad news is there’s no guarantee that the hackers won’t find yet another workaround to exploit, so this is probably not the last we’ve seen of the issue.

In any case, if it’s been a while since you updated your browser, given the above, now is a great time to do so.

New Ransomware Called TFlower Hacks Into Company Networks

Over the last two years, ransomware attacks have become increasingly common against businesses of all shapes and sizes.

While the attack vector saw a dip in popularity last year, this year it has come roaring back to the fore with several new strains of ransomware being developed and enjoying widespread use by hackers around the world.

One of the most recent entrants into the ransomware family is a new strain called “TFlower”, which made its first appearance in August of this year (2019).  Since that time, it has begun seeing increasingly widespread use, so if this is the first time you’re hearing about it, know that it likely won’t be the last.

TFlower is introduced into company networks when hackers take advantage of exposed Remote Desktop services.  Once the hackers have a toehold inside a company's network, they'll use that machine to connect to and infect as many other machines on the network as possible. Like many similar forms of malware, TFlower attempts to distract infected users while it's encrypting their files.  In this case, it displays a PowerShell window that makes it appear that some harmless software is being deployed.

While it's encrypting a victim's files, it connects to its Command and Control server to keep its operators apprised of its activities. It then attempts to clear the Volume Shadow Copies and to disable the Windows 10 repair environment, which makes it difficult, if not impossible, to recover files via conventional means.  Note that it also attempts to terminate the Outlook.exe process so that Outlook's data files can be encrypted.

When the software has done as much damage as it can do, it will litter the infected computer with a file named “!_Notice_!.txt” which explains that the computer’s files have been encrypted and in order to get them back, you’ll need to contact the malware owners at the email address provided for additional details.

Be sure your IT staff is aware, and given how this one is spread, check the security of your Remote Desktop services.
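The points above translate into a short host check: is Remote Desktop enabled, is Network Level Authentication required for it, is it reachable through the firewall, do Volume Shadow Copies and the Windows Recovery Environment still exist, and is the ransom note file name present. The script below is an added example (not from the article or the TFlower researchers) that performs that check locally. It assumes it runs elevated on a Windows 10 or Windows Server host with the NetSecurity module available; the registry values, WMI class and `reagentc` command it uses are standard Windows ones.

```powershell
# Added example (not from the article): local audit for the conditions the article
# raises around TFlower. Run elevated. Findings are collected in $findings so the
# output can feed a ticket or an inventory job rather than only the console.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Remote Desktop state. fDenyTSConnections = 0 means RDP is switched on.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -eq 0) {
    $findings.Add('Remote Desktop is enabled on this host.')

    # UserAuthentication = 1 requires NLA: the client must authenticate before a session exists.
    $rdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    if ($rdp.UserAuthentication -ne 1) {
        $findings.Add('Network Level Authentication is NOT required for RDP.')
    }

    # Any enabled inbound rule that allows local port 3389 makes the service reachable from the network.
    $open = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' }
    if ($open) {
        $findings.Add("Inbound firewall rules allow TCP 3389: $($open.DisplayName -join ', ')")
    }
}

# 2. Recovery options the article says TFlower tries to remove.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if (-not $shadows) {
    $findings.Add('No Volume Shadow Copies exist; recovery via Previous Versions is unavailable.')
}
$reagent = reagentc /info 2>$null
if ($reagent -match 'Windows RE status:\s+Disabled') {
    $findings.Add('Windows Recovery Environment is disabled.')
}

# 3. Indicator from the article: the ransom note name. Fixed drives only; this walk is slow.
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
foreach ($d in $drives) {
    $note = Get-ChildItem -Path $d.Root -Filter '!_Notice_!.txt' -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($note) {
        $findings.Add("Ransom note found: $($note.FullName)")
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No findings.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

The first block is the one that matters for prevention: a host where RDP is on, NLA is off and 3389 is allowed inbound is exactly the exposed service the article describes as TFlower's way in. The second and third blocks are for response, since a missing shadow copy set or a present note means the machine should be isolated rather than "cleaned" in place.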