Proton malware spreading through supply-chain attack, victims should wipe their Macs

The dreaded Proton malware is spreading through a new supply-chain attack involving the Elmedia apps; victims should wipe their Macs.

Bad news for Mac users: a new malware infection leaves them facing a complete system wipe and reinstall.

Crooks distributed the malware inside legitimate applications, the popular Elmedia Player and the download manager Folx, both developed by Eltima, which confirmed the threat. The latest versions of both apps came bundled with the OSX.Proton malware.

The Proton malware is a remote access tool (RAT) sold on cybercrime forums; it first appeared in the threat landscape last year. Its features include executing console commands, accessing the user’s webcam, logging keystrokes, capturing screenshots and opening SSH/VNC remote connections. The malware can also inject code into the user’s browser to display popups that ask victims for information such as credit card numbers and login credentials.

The Proton malware can hack into a victim’s iCloud account even when two-factor authentication is in use; in March it was offered for sale at $50,000.

Experts at security firm ESET discovered that the Proton malware is spreading through a supply chain attack: hackers injected the malicious code into the downloads of the applications.

“During the last hours, ESET researchers noticed that Eltima, the makers of the Elmedia Player software, have been distributing a version of their application trojanized with the OSX/Proton malware on their official website. ESET contacted Eltima as soon as the situation was confirmed. Eltima was very responsive and maintained an excellent communication with us throughout the incident.” reported ESET.

ESET promptly alerted Eltima: hackers had compromised the developer’s servers and implanted the Proton malware into the download files.

Below is the timeline of the attack:

  • 2017-10-19 : Trojanized package confirmed
  • 2017-10-19 10:35am EDT: Eltima informed via email
  • 2017-10-19 2:25pm EDT: Eltima acknowledged the issue and initiated remediation efforts
  • 2017-10-19 3:10pm EDT: Eltima confirms their infrastructure is cleaned up and serving the legitimate applications again
  • 2017-10-19 10:12am EDT: Eltima publishes an announcement about the event
  • 2017-10-20 12:15pm EDT: Added references to Folx that was also distributed with the Proton malware

To check your installation, look for the following file and directories:

/tmp/Updater.app/
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand/
/Library/.rand/updateragent.app/

“The presence of any of the files above is an indication that your system may have been infected by the trojanized Elmedia Player or Folx application which means your OSX/Proton is most likely running. If you downloaded Elmedia Player or Folx on the 19th of October 2017, your system is likely affected.” reads the security advisory published by Eltima.

If any of those files or directories exist, the Proton malware has already infected the computer. Even when antivirus software recognizes the malware, it is difficult to remove.
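A defender's check for the indicators listed above, as an added example that is not Eltima's or ESET's tooling; the `root` parameter (so the scan can run against a copied or mounted volume) and the constructed sample volume used in the demo are assumptions:

```python
"""Scan a macOS volume for the OSX/Proton file indicators published after the
Elmedia Player / Folx supply-chain compromise.  Added example, not Eltima's or
ESET's code.  `root` is an assumption: it lets the check run against a mounted
or copied volume and defaults to the live system."""
import os
import sys
import tempfile
from typing import List

# Indicator paths exactly as listed in the Eltima / ESET advisory.
PROTON_INDICATORS = [
    "/tmp/Updater.app/",
    "/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist",
    "/Library/.rand/",
    "/Library/.rand/updateragent.app/",
]


def find_proton_indicators(root: str = "/") -> List[str]:
    """Return the advisory indicators that exist under `root`, in advisory order."""
    found = []
    for indicator in PROTON_INDICATORS:
        # os.path.join would discard `root` because the indicator is absolute,
        # so join it relative to the volume being inspected.
        path = os.path.join(root, indicator.lstrip("/"))
        # lexists also reports dangling symlinks: a half-cleaned artifact still matters.
        if os.path.lexists(path):
            found.append(indicator)
    return found


def assess(root: str = "/") -> str:
    """Report in the advisory's terms: any hit means the trojanized installer most
    likely ran, and the stated remediation is a full OS reinstall plus credential
    rotation, not deleting the files."""
    found = find_proton_indicators(root)
    if not found:
        return "clean: none of the published OSX/Proton indicators are present"
    report = ["COMPROMISED: OSX/Proton indicators present:"] + [f"  {p}" for p in found]
    report.append("Remediation per ESET/Eltima: full OS reinstall; treat all credentials as compromised.")
    return "\n".join(report)


def demo_on_constructed_volume() -> List[str]:
    """Plant the LaunchAgent plist and the hidden updater bundle in a throwaway
    directory (constructed sample, no real malware) and return what the scan finds."""
    with tempfile.TemporaryDirectory() as vol:
        os.makedirs(os.path.join(vol, "Library", ".rand", "updateragent.app"))
        os.makedirs(os.path.join(vol, "Library", "LaunchAgents"))
        open(os.path.join(vol, "Library", "LaunchAgents", "com.Eltima.UpdaterAgent.plist"), "w").close()
        return find_proton_indicators(vol)


if __name__ == "__main__":
    print(assess(sys.argv[1] if len(sys.argv) > 1 else "/"))
```

Run it with no argument to check the live system, or pass the mount point of a copied volume.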

“If you have downloaded that software on October 19th before 3:15pm EDT and run it, you are likely compromised.” states ESET.

“As with any compromission with an administrator account, a full OS reinstall is the only sure way to get rid of the malware. Victims should also assume at least all the secrets outlined in the previous section are compromised and take appropriate measures to invalidate them.”

The company Eltima is also suggesting a total system OS reinstall to rid the infected systems of this malware.

“A total system OS reinstall is the only guaranteed way to totally rid your system of this Malware,” it warned. “This is a standard procedure for any system compromise with the affection of administrator account.”

Pierluigi Paganini

(Security Affairs – supply chain attack, Proton malware)

The post Proton malware spreading through supply-chain attack, victims should wipe their Macs appeared first on Security Affairs.

Assemblyline – Canada’s CSE intelligence Agency releases its malware analysis tool

Canada’s Communications Security Establishment (CSE) intel agency has released the source code for one of its malware analysis tools dubbed Assemblyline.

Canada’s Communications Security Establishment (CSE) intelligence agency has released the source code for one of its malware detection and analysis tools, dubbed Assemblyline.

The Assemblyline tool is written in Python and was developed under the CSE’s Cyber Defence program.

“This tool was developed within CSE’s Cyber Defence program to detect and analyse malicious files as they are received. As the Government of Canada’s centre of excellence in cybersecurity, CSE protects and defends the computer networks and electronic information of greatest importance to the Government of Canada,” states the Communications Security Establishment. “Our highly skilled staff works every day to protect Canada and Canadians from the most advanced cyber threats. Assemblyline is one of the tools we use.”

The Canadian intelligence agency describes the analysis process as a conveyor belt: files arrive in the system and are triaged in a sequence composed of the following phases:

  • Assemblyline generates information about each file and assigns a unique identifier that travels with the file as it flows through the system.
  • Users can add their own analytics, which we refer to as services, to Assemblyline. The services selected by the user in Assemblyline then analyze the files, looking for an indication of maliciousness and/or extracting features for further analysis.
  • The system can generate alerts about a malicious file at any point during the analysis and assigns the file a score.
  • The system can also trigger automated defensive systems to kick in. Malicious indicators generated by the system can be distributed to other defence systems.
  • Assemblyline recognizes when a file has been previously analysed.

The CSE decided to release Assemblyline so that anyone can customize the tool and deploy their own analytics into it.

The tool allows users to focus their efforts on the most harmful files, reducing the number of non-malicious files that experts have to inspect.

“The strength of Assemblyline is the ability of users to scale the system to their needs and the way that Assemblyline automatically rebalances its workload depending on the volume of files,” CSE added. “It reduces the number of non-malicious files that security analysts have to inspect, and permits users to focus their time and attention on the most harmful files, allowing them to spend time researching new cyber defence techniques.”

The Assemblyline source code is available on BitBucket; users can modify it according to their needs.

Other intelligence agencies have also released open source tools in the past: in November 2016, peers at the GCHQ released the CyberChef tool to analyze encryption, compression and decompression, and data formats.

Pierluigi Paganini

(Security Affairs – Assemblyline, malware analysis tool)

New Rapidly-Growing IoT Botnet Threatens to Take Down the Internet

Just a year after Mirai—biggest IoT-based malware that caused vast Internet outages by launching massive DDoS attacks—completed its first anniversary, security researchers are now warning of a brand new rapidly growing IoT botnet. Dubbed 'IoT_reaper,' first spotted in September by researchers at firm Qihoo 360, the new malware no longer depends on cracking weak passwords; instead, it exploits

Necurs botnet now spreading the Locky Ransomware via DDE Attacks

Operators behind Locky ransomware campaigns have switched to new attack techniques to evade detection leveraging the DDE protocol.

Security experts are continuing to observe the Locky ransomware spreading via spam campaigns that rely on the Necurs botnet. Now operators behind Locky ransomware campaigns have switched to new attack techniques to evade detection.

One of the new techniques adopted by the crooks is the use of the Dynamic Data Exchange (DDE) protocol, which is designed to allow data transfer between applications.

“The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available.” states Microsoft.

According to experts at the security firm Sensepost, attackers have devised a method to execute malicious code embedded in Office documents without user interaction by using DDE.

The DDE protocol allows an Office application to load data from another Office application; Microsoft replaced it with Object Linking and Embedding (OLE), but it is still supported.

The technique was implemented by several threat actors such as the FIN7 APT group in DNSMessenger malware attacks, and the operators behind the Hancitor malware campaign spotted earlier this week and detailed by Internet Storm Center (ISC) handler Brad Duncan.

According to Duncan, the recent Locky campaign used spam messages with Office documents posing as invoices. The threat actors delivered the spam messages through the Necurs botnet.

The Necurs botnet malspam pushes Locky using the DDE technique: in the first stage of the attack the malware achieves persistence on the compromised system, and in the second stage the Locky ransomware infects the system.

“I opened one of the Word documents in my lab environment and found a 1st stage malware (presumably a downloader) and a 2nd stage malware (Locky) during the infection. Today’s diary reviews the traffic and malware.” wrote Duncan.

The use of DDE for infection, however, is only one of the methods Locky employs. As Trend Micro points out, Necurs also distributed the ransomware through HTML attachments posing as invoices, Word documents embedded with malicious macro code or Visual Basic scripts (VBS), malicious URLs in spam emails, and VBS, JS, and JSE files archived via RAR, ZIP or 7ZIP.

Some of the recent lures observed by the experts at Trend Micro are:

  • Fake voice message notifications (vishing, or the use of voice-related systems in phishing attacks)
  • HTML attachments posing as invoices
  • Archive files masquerading as business missives from multinationals, e.g., audit and budget reports
  • Fraudulent emails that involve monetary transactions such as bills, parcel/delivery confirmations, and payment receipts

Pierluigi Paganini 

(Security Affairs – Locky ransomware, malware)

Security+ Domain #6: Cryptography

Cryptography falls into the sixth and last domain of CompTIA’s Security+ exam (SYO-401) and contributes 12% to the exam score. The Security+ exam tests the candidate’s knowledge of cryptography and how it relates to the security of networked and stand-alone systems in organizations. To pass the Security+ exam, the candidates must understand both symmetric and […]

The post Security+ Domain #6: Cryptography appeared first on InfoSec Resources.


Security+ Domain #6: Cryptography was first posted on October 20, 2017 at 4:04 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Security+ Domain #5: Access control and Identity Management

Introduction The “access control and identity management” domain is aimed at teaching and testing on industry-accepted practices, such as determining and implementing good password policies, mitigating issues associated with users who have multiple or shared accounts, and granting and terminating access rights when necessary, among many others. Before taking the test, it is important to […]


Security+ Domain #5: Access control and Identity Management was first posted on October 20, 2017 at 3:47 pm.

Security+ Domain #4: Application, Data, and Host Security

Application, data, and host Security falls into the fourth domain of CompTIA’s Security+ exam (SYO-401) and contributes 15% to the exam score. To pass the Security+ exam, candidates must understand the topics under this domain, which includes the following. Importance of Application Security Controls and Techniques If an application is not correctly programmed, then a […]


Security+ Domain #4: Application, Data, and Host Security was first posted on October 20, 2017 at 3:10 pm.

Security+ Domain #2: Compliance and Operational Security

Compliance and operations security falls into the second domain of CompTIA’s Security+ exam (SYO-401) and contributes 18% to the exam objectives. To pass the Security+ test and learn how to implement security, candidates must understand the basic concepts and terminologies related to compliance and operations security as discussed below. Explain the Importance of Risk-Related […]


Security+ Domain #2: Compliance and Operational Security was first posted on October 20, 2017 at 2:47 pm.

CCFE Exam Overview: What To Expect

The Certified Computer Forensics Examiner (CCFE) is the most prestigious certification for computer forensics professionals. It will test your fundamental knowledge of the computer forensics evidence recovery and analysis process, including your knowledge of both hard and soft skills. Hard skills will be tested through a practical examination, but you must first pass the online […]


CCFE Exam Overview: What To Expect was first posted on October 20, 2017 at 1:59 pm.

A new Mirai-Like IoT Botnet is growing in a new mysterious campaign

Malware researchers at Check Point have uncovered a new massive IoT botnet that presents many similarities with the dreaded Mirai.

The new thingbot emerged at the end of September and appears much more sophisticated; according to the experts, the malware has already infected more than one million organizations worldwide.

The malicious code tries to exploit many known vulnerabilities in various IP camera models, including GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, and Synology.

The experts speculate that, once the malware compromises a device, it uses that device to spread itself.

“With each passing day the malware was evolving to exploit an increasing number of vulnerabilities in Wireless IP Camera devices such as GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, Synology and others. It soon became apparent that the attempted attacks were coming from many different sources and a variety of IoT devices, meaning the attack was being spread by the IoT devices themselves.” reads the report published by Check Point.

“So far we estimate over a million organizations have already been affected worldwide, including the US, Australia and everywhere in between, and the number is only increasing,” continues Check Point.

While investigating the compromise of a GoAhead device, the experts noticed that the attackers had accessed the System.ini file. This file normally contains the user’s credentials, but on the compromised IoT device it contained a ‘Netcat’ command that opened a reverse shell to the attacker’s IP.

The attackers exploited CVE-2017-8225 to hack into the IoT device. The experts verified that the botnet relies on compromised bots to send out the infection.

“These attacks were coming from many different types of devices and many different countries, totaling approximately 60% of the corporate networks which are part of the ThreatCloud global network,” Check Point notes.

The security researchers provided a list of IoT devices targeted by the malware; although the attackers’ motivation is unclear, experts speculate the botnet could be used to power DDoS attacks.

Pierluigi Paganini

(Security Affairs – IoT botnet, IoT)
