Google Solves Update Issue for Android Apps Installed from Unknown Sources

Wondering how to receive the latest updates for an Android app installed from a third-party source or via peer-to-peer app sharing directly from the Google Play Store? For security reasons, until now apps installed from third-party sources could not be updated automatically over the air: Google did not recognize them as Play Store apps, and they did not show up in your Google account's app list either

Building a malware distribution network is too easy with Kardon Loader

Researchers at Netscout Arbor have discovered a malware downloader advertised on underground forums as a paid open beta product; its name is Kardon Loader.

Researchers from Netscout Arbor have discovered a downloader advertised on underground forums dubbed Kardon Loader; it allows customers to build a malware distribution network or a botshop.

Ads for Kardon Loader were first discovered on April 21, 2018. The author, who goes online by the moniker Yattaze, asks $50 for the application and offers it as a standalone build, charging users for each additional rebuild.

“Kardon Loader is a malware downloader advertised on underground forums as a paid open beta product.” reads a blog post published by Netscout Arbor.

“The actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop in which case any customer can establish their own operation and further sell access to a new customer base.”

Downloader malware and botshops are essential components for the creation of botnets that could be used to distribute a broad range of malware such as ransomware, banking Trojans, and cryptocurrency miners.

Crooks typically offer access to distribution networks as a service on cybercrime underground markets.

Experts believe the Kardon Loader represents a rebrand of the ZeroCool botnet that was built by the same actor.

The advertisement for the Kardon Loader appears very professional: the actor created his own logo and provides a disclaimer claiming that the software should not be used for malicious purposes. He also published a YouTube video that shows the admin panel of the platform.

Below are the bot functionalities advertised by the actor:

  • Bot Functionality
  • Download and Execute Task
  • Update Task
  • Uninstall Task
  • Usermode Rootkit
  • RC4 Encryption (Not Yet Implemented)
  • Debug and Analysis Protection
  • TOR Support
  • Domain Generation Algorithm (DGA)

Researchers from ASERT analyzed some samples of the malicious code and noticed that some features were not implemented: for example, all samples used hard-coded command and control (C&C) URLs instead of a DGA, and neither the “usermode rootkit” nor Tor support was implemented.

The experts determined that the malware downloader checks for handles to a variety of DLLs associated with antivirus, analysis, and virtualization tools, and halts its process if any of the handles are returned.

To avoid execution in a virtualized environment, the Kardon Loader also enumerates the CPUID Vendor ID value and compares it against the following strings:

  • KVMKVMKVM
  • Microsoft Hv
  • VMwareVMware
  • XenVMMXenVMM
  • prl hyperv
  • VBoxVBoxVBox

These are known CPUID Vendor ID values associated with virtual machines. If one of these values is detected, the malware also exits.

The malicious code uses an HTTP-based C&C infrastructure with URL parameters that are base64 encoded.

“Upon execution Kardon Loader will send HTTP POSTs to the C2 with the following fields:

  • ID = Identification Number
  • OS = Operating System
  • PV = User Privilege
  • IP = Initial Payload (Full Path)
  • CN = Computer Name
  • UN = User Name
  • CA = Processor Architecture”

In turn, the server provides instructions to the malware, such as downloading and executing additional payloads, visiting a website, upgrading current payloads, or uninstalling itself.
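As an added example (not code from the Netscout Arbor analysis), a small Python triage helper for a defender reviewing a proxy capture: it parses a POST body, base64-decodes each parameter, and flags a request only when its parameter set matches the seven Kardon Loader fields listed above. The body encoding (application/x-www-form-urlencoded with base64 values) and the sample values are assumptions; the report only states that the parameters are base64 encoded.

```python
import base64
import binascii
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlencode

# The seven check-in fields Netscout Arbor lists for Kardon Loader.
KARDON_FIELDS = {
    "ID": "Identification Number",
    "OS": "Operating System",
    "PV": "User Privilege",
    "IP": "Initial Payload (Full Path)",
    "CN": "Computer Name",
    "UN": "User Name",
    "CA": "Processor Architecture",
}


def decode_b64_field(value: str) -> Optional[str]:
    """Strictly decode one base64 parameter; return None if it is not valid base64 UTF-8 text."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def parse_beacon(body: str) -> Optional[Dict[str, str]]:
    """Return the decoded fields if the POST body matches the Kardon check-in pattern.

    Returns None when the key set differs from the seven documented fields or when any
    value fails to decode, so a benign form post that happens to carry an "ID" is not flagged.
    """
    params = dict(parse_qsl(body, keep_blank_values=True))
    if set(params) != set(KARDON_FIELDS):
        return None
    decoded = {}
    for key, value in params.items():
        text = decode_b64_field(value)
        if text is None:
            return None
        decoded[key] = text
    return decoded


def build_sample_body(fields: Dict[str, str]) -> str:
    """Build a body in the assumed format from plaintext values (constructed test data only)."""
    return urlencode({k: base64.b64encode(v.encode()).decode() for k, v in fields.items()})


# Constructed sample check-in; these values do not come from a real infection.
SAMPLE = build_sample_body({
    "ID": "1234567890", "OS": "Windows 7", "PV": "Admin",
    "IP": r"C:\Users\victim\AppData\Local\Temp\loader.exe",
    "CN": "DESKTOP-TEST", "UN": "victim", "CA": "x64",
})
```

Running `parse_beacon(SAMPLE)` yields the seven plaintext fields, while a form post such as `user=alice&ID=42` returns None.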

The administration panel is very simple: it implements a dashboard that provides information about the bot distribution and statistics about the installations.

“A notable feature of this panel is the bot store functionality allowing the bot admin to generate access keys to customers that would give them the ability to execute tasks based on the predefined parameters,” continues the analysis.

“Although only in public beta stage this malware features bot store functionality allowing purchasers to open up their own botshop with this platform.”

The analysis includes the IoCs that could be used by organizations to block malicious activity associated with Kardon Loader.

Pierluigi Paganini

(Security Affairs – Kardon Loader, botnet)

The post Building a malware distribution network is too easy with Kardon Loader appeared first on Security Affairs.

Chronicle launches VirusTotal Monitor to reduce false positives

Alphabet-owned cybersecurity firm Chronicle announced the launch of a new VirusTotal service that promises to reduce false positives.

The VirusTotal Monitor service allows developers to upload their application files to a private cloud store, where they are scanned every day using the anti-malware solutions of the antivirus vendors in VirusTotal.

Every time the service flags a file as malicious, VirusTotal notifies both the antivirus vendor and the developer.

Of course, files analyzed by the VirusTotal Monitor service remain private and are not shared by the company with third parties.

The service implements a Google Drive-like interface that allows developers to upload their files, and a dashboard to display the scan results. Both developers and AV companies can access the dashboard; the service also provides APIs that let developers and antivirus vendors integrate Monitor with their own tools.

“Enter VirusTotal Monitor. VirusTotal already runs a multi-antivirus service that aggregates the verdicts of over 70 antivirus engines to give users a second opinion about the maliciousness of the files that they check.” reads the announcement published by VirusTotal.

“For antivirus vendors this is a big win, as they can now have context about a file: who is the company behind it? when was it released? in which software suites is it found? What are the main file names with which it is distributed? For software developers it is an equally big win, as they can upload their creations to Monitor at pre-publish stage, to ensure a release without issues.”

VirusTotal pointed out that the Monitor service is not a free pass to get any file whitelisted.

“Sometimes vendors will indeed decide to keep detections for certain software, however, by having contextual information about the author behind a given file, they can prioritize work and take better decisions, hopefully leading to a world with less false positives,” continues the announcement.

“The idea is to have a collection of known source software, then each antivirus can decide what kind of trust-based relationship they have with each software publisher.”

Are you interested in this service? Now you can request a trial period for VirusTotal Monitor.

Pierluigi Paganini

(Security Affairs – VirusTotal Monitor, malware)

The post Chronicle launches VirusTotal Monitor to reduce false positives appeared first on Security Affairs.

Beginner’s guide to Pentesting IoT Architecture/Network and Setting up IoT Pentesting Lab – Part 2

This is the second part of Pentesting and Setting up our own IoT Lab. I hope you have gone through the first part; if not, please go through it. Pentesting and Setting up our own Lab – Instead of creating two separate sections (one for pentesting and the other for the Lab), I will cover both the […]

The post Beginner’s guide to Pentesting IoT Architecture/Network and Setting up IoT Pentesting Lab – Part 2 appeared first on InfoSec Resources.


Beginner’s guide to Pentesting IoT Architecture/Network and Setting up IoT Pentesting Lab – Part 2 was first posted on June 20, 2018 at 9:00 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Beginner’s Guide to Pentesting IoT Architecture/Network and Setting Up IoT Pentesting Lab – Part 1

In this post, I will explain how to pentest an IoT Network/Architecture. I will also explain how to set up an IoT Pentesting lab for getting started with IoT Pentesting. Since the post is too long, to make it digestible it will be split into two parts. Let’s start…. Before setting up an IoT lab […]

The post Beginner’s Guide to Pentesting IoT Architecture/Network and Setting Up IoT Pentesting Lab – Part 1 appeared first on InfoSec Resources.


Beginner’s Guide to Pentesting IoT Architecture/Network and Setting Up IoT Pentesting Lab – Part 1 was first posted on June 20, 2018 at 7:41 pm.

Flight tracking service Flightradar24 suffered a data breach

The popular flight tracking service Flightradar24 has discovered a data breach that affected one of its servers.

The company notified its users of the incident via email and asked them to change their passwords; affected users’ passwords have been reset.

FlightRadar24 promptly reported the incident to the Swedish Data Protection Authority in order to comply with the EU’s General Data Protection Regulation (GDPR).

According to Flightradar24, hackers may have accessed email addresses and password hashes associated with accounts registered prior to March 16, 2016.

At the time, there is no information about the hashing algorithm that was used to protect the passwords.

Initially, many users who received the message believed that the data breach notification was the result of a phishing campaign, because there was no official news from Flightradar24; later the company admitted the incident and confirmed that the emails were legitimate.

A moderator of the Flightradar24.com forum confirmed that no personal or financial information was exposed.

“We can confirm that the email some of our users received in regards to a security breach has been sent by us. The security breach may have compromised the email addresses and hashed passwords for a small subset of Flightradar24 users (those who registered prior to March 16, 2016).

We would like to apologize that this breach occurred and for the inconvenience this may cause. We would also like to stress that we have no indication that any personal information was compromised.” wrote a company spokesman on the official forum.

“The security breach was limited to one server and it was promptly shut down once the intrusion attempt had been ascertained. An email has been sent to users with affected accounts. Please note that no payment information has been compromised. Flightradar24 neither handles nor stores payment information.”

The company added that it has contained the incident: as soon as it discovered that one of its servers was compromised, it shut down the machine.

The bad news is that the company admitted that the passwords were protected by an old hashing algorithm that allows attackers to crack the hashes; Flightradar24 introduced a more secure hashing algorithm only in 2016.

At the time, it is not clear how many users have been affected; the company reported that the incident involved only a “small subset” of users.

FlightRadar24 claims to have more than 40 million users per month, which means that the number of affected users could still be significant.

Pierluigi Paganini

(Security Affairs – hacking, data breach)

The post Flight tracking service Flightradar24 suffered a data breach appeared first on Security Affairs.

Google Developer Discovers a Critical Bug in Modern Web Browsers

A Google researcher has discovered a severe vulnerability in modern web browsers that could have allowed websites you visit to steal the sensitive content of your online accounts from other websites you have logged into in the same browser. Discovered by Jake Archibald, developer advocate for Google Chrome, the vulnerability resides in the way browsers handle cross-origin requests to video and

SCADA Hacking – Industrial Systems Woefully Insecure

It seems like SCADA hacking is still a topic at hacker conferences, and it should be, with SCADA systems still driving power stations, manufacturing plants, refineries and all kinds of other powerful and dangerous things.

The latest talk given on the subject shows that with just 4 lines of code and a small hardware drop device, a SCADA-based facility can be effectively DoSed by sending repeated shutdown commands to susceptible systems.

Read the rest of SCADA Hacking – Industrial Systems Woefully Insecure now! Only available at Darknet.

China-linked Thrip APT group target defense and satellite firms

Symantec tracked a new APT group named Thrip that targeted satellite operators, telco companies and defense contractors in the US and Southeast Asia.

Chinese APT groups are always very active; experts at Symantec have tracked a new APT group named Thrip that has breached the systems of satellite operators, telecommunications companies and defense contractors in the United States and Southeast Asia.

The Thrip group has been active since 2013, but this is the first time Symantec publicly shared details of its activities.

“We’ve been monitoring Thrip since 2013 when we uncovered a spying campaign being orchestrated from systems based in China. Since our initial discovery, the group has changed its tactics and broadened the range of tools it used. Initially, it relied heavily on custom malware, but in this most recent wave of attacks, which began in 2017, the group has switched to a mixture of custom malware and living off the land tools.” reads the analysis published by Symantec.

Thrip APT used a combination of custom malware and legitimate tools in its attacks; the list of victims is long and includes a satellite communications operator.

The hackers targeted devices involved in operations and infected computers running software that monitors and controls satellites; this circumstance suggests the attackers may also be interested in sabotage.

Another victim of the group is a company specializing in geospatial imaging and mapping.

“[Thrip] targeted computers running MapXtreme GIS (Geographic Information System) software which is used for tasks such as developing custom geospatial applications or integrating location-based data into other applications. It also targeted machines running Google Earth Server and Garmin imaging software.” continues the analysis.

“The satellite operator wasn’t the only communications target Thrip was interested in. The group had also targeted three different telecoms operators, all based in Southeast Asia.”

The group also targeted three telecoms firms in Southeast Asia and a defense contractor.

The arsenal of the group includes the data stealer Trojan.Rikamanu and its evolution, Infostealer.Catchamas, which implements more sophisticated data-stealing features and evasion capabilities.

The APT group also used Trojan.Mycicil, a keylogger that is available for sale on Chinese underground marketplaces, as well as the Backdoor.Spedear and Trojan.Syndicasec malware.

The Thrip APT also used many legitimate tools, including the Windows Sysinternals utility PsExec, PowerShell, Mimikatz, and the LogMeIn remote access software.

Further details, including IoCs, are reported in the analysis published by Symantec.

Pierluigi Paganini

(Security Affairs – Thrip APT, cyberespionage)

The post China-linked Thrip APT group target defense and satellite firms appeared first on Security Affairs.

Popular Flight Tracker Flightradar24 Suffers Data Breach

One of the world's most popular flight tracking services, Flightradar24, which shows real-time aircraft flight information on a map, has suffered a massive data breach that may have compromised email addresses and hashed passwords for more than 230,000 customers. Without revealing any information about the breach publicly via its blog or social media accounts, Flightradar24 started sending