North Korea’s Lazarus APT targets Russian Entities

Security researchers at Check Point have uncovered a cyber espionage campaign conducted by Lazarus APT group aimed at Russian targets.

Security experts at Check Point have uncovered a cyber espionage campaign carried out by Lazarus aimed at Russian targets.

If the attribution is correct, this is the first time that North Korean cyber spies have been observed targeting Russian entities.

“For the first time we were observing what seemed to be a coordinated North Korean attack against Russian entities. While attributing attacks to a certain threat group or another is problematic, the analysis below reveals intrinsic connections to the tactics, techniques and tools used by the North Korean APT group – Lazarus.” reads the analysis published by Check Point.

The experts believe the attacks were carried out by the Bluenoroff threat actor, a financially motivated division of the dreaded Lazarus APT group.

Bluenoroff is one of the most active groups in terms of attacks against financial institutions and actively tries to infect victims in several regions; it has been linked to attacks on trading companies in Bangladesh in 2014 and to the now famous $81 million cyber heist of the Bangladesh central bank’s account at the Federal Reserve Bank of New York.

The final payload used in this campaign is the KEYMARBLE backdoor that is downloaded from a compromised server in the form of a CAB file disguised as a JPEG image. (http://37.238.135[.]70/img/anan.jpg).

The compromised server used by the threat actors hosts an unconvincing website for the “Information Department” of the “South Oil Company”. The server is hosted by EarthLink Ltd. Communications & Internet Services and is located in Iraq.

The infection chain used in this campaign comprises three primary steps:

  • The first is an attached ZIP file containing a benign decoy PDF and a weaponized Word document with malicious macros. One of the decoy documents observed in this campaign contains an NDA for StarForce Technologies, a Russia-based firm that provides copy-protection solutions.
  • The macros in the Word document download a VBS script from a Dropbox URL and execute it.
  • The VBS script downloads and executes a CAB file from a compromised server, extracts the payload and runs it.
At some point during the campaign, the attackers changed tactics and started skipping the second stage, using Word macros that download and execute the backdoor directly.

Why should North Korea spy on Russian entities?

It is difficult to say, considering the good relationship between the two countries; in any case, we cannot exclude that a third-party actor used false flags to disguise itself.

Pierluigi Paganini

(SecurityAffairs – Lazarus, hacking)

The post North Korea’s Lazarus APT targets Russian Entities appeared first on Security Affairs.

Security breach at North Country PoS firm hits hundreds of US restaurants and Hotels

North Country Business Products POS (point-of-sale) and security solutions provider announced a data breach that affected hundreds of U.S. restaurants and hotels.

North Country Business Products, a point-of-sale and security solutions provider, announced a data breach; the company currently serves 6,500 customers around the Midwest.

“North Country Business Products, Inc. (“North Country”), today announced that a recent data security incident may have resulted in unauthorized access to payment information of some consumers who used credit and debit cards at its business partner restaurants between January 3, 2019, and January 24, 2019. North Country engaged professionals who have corrected the issue.” reads the data breach notification published by the company.

The security breach exposed payment information for clients who used their credit and debit cards at 137 restaurants.

Most of the affected locations are in Arizona and Minnesota; others were in Louisiana, Iowa, Missouri, North Dakota, South Dakota, Texas, Wisconsin, Tennessee, Oregon, and Ohio.

The PoS firm learned of suspicious activity in certain customer networks on January 4 and immediately launched an investigation with the help of a cyber forensics firm. The investigators found a piece of malware in the systems of some of its customers; the infections occurred between January 3 and January 24, 2019.

The crooks used the malware to siphon payment card data (cardholder names, card numbers, expiration dates, and CVV codes) belonging to individuals who used their payment cards at one of the impacted North Country customers.

The list of affected locations is available on a website published by North Country.

“North Country takes this incident and the security of our customers’ information very seriously. The company has updated processes to further strengthen its systems to protect its business partners’ customer debit or credit card information and will continue to work with third-party experts to help ensure the highest levels of security,” continues the data breach notification.

The company set up a specific assistance line to support impacted consumers.

Pierluigi Paganini

(SecurityAffairs – cybercrime, data breach)

Experts found a Remote Code Execution flaw in WordPress 5.0.0

Security experts disclosed a critical remote code execution vulnerability in versions of WordPress prior to 5.0.3 that remained undetected for 6 years.

Security experts at RIPS Technologies GmbH disclosed a critical remote code execution vulnerability in versions of WordPress prior to 5.0.3 that remained undetected for 6 years.

The experts discovered that the flaw could be exploited by an attacker who gains access to an account with at least ‘author‘ privileges on a WordPress install to execute arbitrary PHP code on the underlying server.

The flaw is a chain of a Path Traversal and a Local File Inclusion vulnerability that leads to Remote Code Execution in the WordPress core and full remote takeover.

The experts reported the issue to WordPress developers, but the bug is still unpatched.

“An attacker who gains access to an account with at least author privileges on a target WordPress site can execute arbitrary PHP code on the underlying server, leading to a full remote takeover,” reads the analysis published by the researchers.

“We sent the WordPress security team details about another vulnerability in the WordPress core that can give attackers exactly such access to any WordPress site, which is currently unfixed.”

According to the WordPress download page, 33% of all websites online use the vulnerable software.

The attack relies on the way the WordPress image management system handles Post Meta entries, which store information such as the description, size, creator, and other metadata of uploaded images.

Experts also published a video PoC of the attack:

The experts discovered that an attacker with at least ‘author‘ privileges on a WordPress install can modify entries associated with an image to trigger the Path Traversal vulnerability.

“The idea is to set _wp_attached_file to evil.jpg?shell.php, which would lead to a HTTP request being made to the following URL: https://targetserver.com/wp-content/uploads/evil.jpg?shell.php. This request would return a valid image file, since everything after the ? is ignored in this context. The resulting filename would be evil.jpg?shell.php.” continues the analysis.

“However, it is still possible to plant the resulting image into any directory by using a payload such as evil.jpg?/../../evil.jpg.”

Chaining the Path Traversal vulnerability with a Local File Inclusion flaw in the theme directory could allow the attacker to execute arbitrary code on the targeted server.

The implementation of a security measure in WordPress versions 5.0.1 and 4.9.9 prevented the exploitation of the flaw because it made it impossible for unauthorized users to set arbitrary Post Meta entries.

Experts pointed out that the Path Traversal issue is still unpatched even in the latest WordPress version; it can also be exploited in the presence of installed third-party plugins that incorrectly handle Post Meta entries.

“However, the Path Traversal is still possible and can be exploited if a plugin is installed that still allows overwriting of arbitrary Post Data. Since certain authentication to a target WordPress site is needed for exploitation, we decided to make the vulnerability public after 4 months of initially reporting the vulnerabilities.” conclude the experts.

WordPress is expected to address the vulnerability in the next release.
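One defensive use of the details above is to audit stored Post Meta for the two ingredients of the chain: a query string left in the filename and a '..' segment that walks out of the uploads directory. The block below is an added example in Python, not RIPS' or WordPress' code; the uploads path and the wp_postmeta rows it checks are assumed and constructed inline.

```python
import posixpath
import re

# Assumed absolute path of wp-content/uploads on the server (not from the page).
UPLOADS_DIR = "/var/www/html/wp-content/uploads"

# A path segment WordPress would normally write: letters, digits, dot, dash, underscore.
ALLOWED_SEGMENT = re.compile(r"^[A-Za-z0-9._-]+$")


def classify_attached_file(value):
    """Return (is_safe, detail) for one _wp_attached_file meta value.

    detail is the reason the value was rejected, or the resolved path if safe.
    """
    if not value:
        return False, "empty value"
    # Stage 1 of the chain: '?' makes the image fetch ignore the tail while
    # the stored filename keeps it (evil.jpg?shell.php).
    if "?" in value or "#" in value:
        return False, "query/fragment characters in filename"
    if "\x00" in value:
        return False, "NUL byte in filename"
    if value.startswith("/") or "\\" in value:
        return False, "absolute or backslash path"
    # Stage 2: '..' segments move the written file out of the uploads
    # directory (evil.jpg?/../../evil.jpg).
    segments = value.split("/")
    if any(seg in ("", ".", "..") for seg in segments):
        return False, "empty, '.' or '..' path segment"
    if not all(ALLOWED_SEGMENT.match(seg) for seg in segments):
        return False, "disallowed characters in a path segment"
    # Belt and braces: the normalised path must still sit under UPLOADS_DIR.
    resolved = posixpath.normpath(posixpath.join(UPLOADS_DIR, value))
    if not resolved.startswith(UPLOADS_DIR + "/"):
        return False, "resolves outside the uploads directory"
    return True, resolved


def audit_postmeta(rows):
    """Flag suspicious _wp_attached_file rows.

    rows: iterable of (post_id, meta_key, meta_value), e.g. from a SELECT on
    wp_postmeta. Returns a list of (post_id, meta_value, reason).
    """
    flagged = []
    for post_id, meta_key, meta_value in rows:
        if meta_key != "_wp_attached_file":
            continue
        ok, detail = classify_attached_file(meta_value)
        if not ok:
            flagged.append((post_id, meta_value, detail))
    return flagged


# Constructed sample rows (not real site data), mirroring the payloads quoted
# in the analysis above plus one benign upload and one unrelated meta key.
SAMPLE_ROWS = [
    (10, "_wp_attached_file", "2019/02/photo.jpg"),
    (11, "_wp_attached_file", "evil.jpg?shell.php"),
    (12, "_wp_attached_file", "evil.jpg?/../../evil.jpg"),
    (13, "_wp_attached_file", "../../themes/twentyseventeen/evil.jpg"),
    (13, "_wp_attachment_metadata", 'a:1:{s:5:"width";i:1;}'),
]

if __name__ == "__main__":
    for post_id, value, reason in audit_postmeta(SAMPLE_ROWS):
        print("post %d: %r (%s)" % (post_id, value, reason))
```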

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress 5.0.0.)

Exposed MongoDB revealed facial recognition abuse for tracking the Uyghur Muslim minority in China.

A security expert discovered an exposed MongoDB database that reveals facial recognition abuse for tracking the Uyghur Muslim minority in China.

We have long discussed the surveillance campaigns conducted by the Chinese government; the news of the day is the discovery of a misconfigured database containing facial recognition data allegedly collected by China.

The database was discovered by the popular Dutch security researcher Victor Gevers; it contained details about surveillance activities conducted by the Chinese government aimed at tracking people of the Uyghur Muslim minority in China.

The archive is a MongoDB operated by the Chinese firm SenseNets that also provides facial recognition solutions.

The Beijing government has been using facial recognition databases for months to monitor Uyghur people in the Xinjiang region.

According to Gevers, the exposed archive contains data of about 2,565,724 users, including names, ID card numbers, sex, nationality, ID card’s issue and expiration dates, home addresses, photographs, date-of-birth, and employment information as well as GPS coordinates.

The expert also found GPS coordinates associated with the people under surveillance and a list of trackers for the locations of the public cameras from which the footage was obtained.

The surveillance cameras are located in public places such as mosques, hotels, police stations, internet cafés and restaurants. Gevers also revealed that the database was being updated regularly: within 24 hours he noticed that 6.7 million GPS coordinates were added to the archive.

Gevers’s discovery confirmed the concerns about the abuse of facial recognition for surveillance purposes, even though Chinese authorities have always denied accusations of violating minority rights.

Pierluigi Paganini

(SecurityAffairs – China, facial recognition)

Critical Flaw Uncovered In WordPress That Remained Unpatched for 6 Years

Exclusive — If you have not updated your website to the latest WordPress version 5.0.3, it’s a brilliant idea to upgrade the content management software of your site now. From now, I mean immediately. Cybersecurity researchers at RIPS Technologies GmbH today shared their latest research with The Hacker News, revealing the existence of a critical remote code execution vulnerability that

The Muncy malware is on the rise

Over the last few days, a phishing campaign impersonating DHL and entitled “DHL Shipment Notification” has been targeting users worldwide, distributing the Muncy malware.

Muncy is the name given by SI-LAB, which analyzed this threat. The malware is now targeting users worldwide and is being spread via phishing campaigns.

Malicious actors are abusing badly configured SMTP servers. An email spoofing technique is used to impersonate DHL, the popular logistics firm, sending a shipment notification to the user’s email inbox.

The email used to carry out this campaign is: <support@dhl[.]com>.

This technique is not novel; many servers available online lack the security configurations needed to prevent attacks of this kind.

Users who access the email need to extract the malicious attachment. The malware is an .exe file that scans users’ computers and collects information, including FTP data.

The process flow diagram below shows how the malware works.

The malware is packed; after the initial execution, a new process (the unpacked malware) is created and executed. That process runs a mass scan of the user’s C:\ drive, collecting sensitive information that is sent to a domain managed by crooks, sameerd[.]net.

No persistence was identified on the user’s device during the malware infection life-cycle.

Users who receive emails of this nature should be aware that they may be part of a social engineering campaign. If you are not expecting any shipment, ignore it.

SI-LAB has already notified DHL, but no public comment has been observed so far.

For more details, see below.

Technical Analysis

———————————————————————————————————————————————————
Threat name: DHL Original Receipt_PDF.exe
Original name: Muncy.exe
MD5: 4df6d097671e0f12b74e8db080b66519
SHA-1: 568035f0e96b9e065049491004ccee5a4cd180c7
Imphash: 8a6e3bc29ee49f829483143f1dc39442
———————————————————————————————————————————————————

During the last week, Segurança Informática (SI) Lab identified infection attempts aimed at installing the Muncy malware through fake DHL shipment notifications. The malicious email messages carried a trojan that is spreading via phishing campaigns tailored to lure victims.

The phishing campaign trying to impersonate DHL

Leveraging bad SMTP server configurations, malicious actors are sending phishing emails trying to impersonate DHL (see Figure 1).

Figure 1: Email body and malicious attachment.

A preliminary analysis of the malicious email shows a domain (duntonintlsrc.com) used in the EHLO greeting to the target SMTP server. SMTP servers with bad configurations are a major vector for spreading malicious campaigns.

Figure 2: Email spoofing and DHL impersonation.

In detail, the first wave observed was on February 12th, 2019. This is an important indicator to remember later.

The email body is not a plain-text message; instead, a PNG image is embedded in it. We can observe that the image was attached from the local path C:/Users/Administrator/Desktop/DHL.png.

Figure 3: Email message body.

Muncy malware – The recent threat is on the rise

Muncy malware is one of the most active trojans now. SI-LAB dubbed it Muncy because of the original name hardcoded in the executable file. The step-by-step behaviour of the Muncy malware is presented in Figure 4.

Figure 4: How Muncy malware works.

The malware is packed, and during the analysis we could not unpack it. After the first execution, it is unpacked into the PE file’s .data section, which is empty at the start. The threat then scans the whole C:\ drive trying to find sensitive data and files (mainly FTP files), which are sent to a final endpoint managed by crooks (sameerd.net).

Diving a little more

At first glance, it appears as a PDF file — an old technique to deceive the most careless users.

Figure 5: Muncy is masked with a PDF icon.

Muncy is the name attributed to this threat because of its original name. Note that English is the principal language detected and used by the crooks to develop this malware.

Other interesting strings are CompanyName: Somers2 and ProductName: HARPALUS8.

Well, in fact, very interesting. Let’s investigate.

Somers2: nothing interesting.
Harpalus: Harpalus luteicornis is a species of ground beetle native to the Palearctic. Nice finding!

Let’s look at the next figure where the information discussed above can be found.

Figure 6: Muncy origin.

The FileVersion is also interesting (1.01.0005) — this threat seems to be something still in development.

Let’s look closer. The file has high entropy, and two offsets (0x71000 and 0x7F400) with rising entropy can be noted.

Figure 7: Muncy entropy offsets.

It’s interesting to observe the offsets where entropy increases. In order to confirm our findings, let’s look at the entropy curve depicted in Figure 8.

Figure 8: File entropy curve.

In detail, it’s important to highlight two interesting points:

  • .text section entropy (7.47): something is packed here.
  • .data section size (zero). This section will be used to unpack something.

Furthermore, the digital certificate present within this executable also contributes to the high entropy in the .text section. We can easily observe that in the file overlay offsets presented below.

Figure 9: Executable overlay, digital certificate creation date, name, and organization.

In addition, we need to observe the following three important points:

  1. The phishing email was received on February 12th.
  2. The certificate creation date is February 11th (one day before).
  3. We will discuss this point later.

–Brief–

Note that the phishing campaign was noticed on February 12th, and the certificate associated with malware was created on 11th, the day before.

Let’s continue with Muncy analysis

The PE file has three sections: .text, .data and .rsrc; and two of them are suspicious. Why? Pay attention.

The .text section is packed and has high entropy. High entropy usually indicates data with no correlation; an encrypted snippet of code, for instance, has high entropy.

The second note concerns the .data section: its raw size is zero (it is empty on disk), but it has an associated virtual size (0xbb4). The malware will be injected here after unpacking. It’s a runtime packer!

Figure 10: Malware entropy and suspicious sections.
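The two indicators the analysis relies on, a high-entropy .text section and a .data section with zero raw size but a non-zero virtual size, can be turned into a simple triage check. The block below is an added example in Python, not SI-LAB’s tooling; the section list is constructed inline (the bytes are not Muncy’s), and for a real sample the tuples would be filled from a PE parser such as pefile.

```python
import math
import random
from collections import Counter

# Entropy threshold for "looks packed or encrypted"; Muncy's .text scores 7.47.
HIGH_ENTROPY = 7.0


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_sections(sections):
    """Apply the two indicators from the analysis to a list of PE sections.

    sections: iterable of (name, raw_size, virtual_size, raw_bytes).
    Returns a list of (section_name, finding) where finding starts with
      'packed-code'    : code section whose entropy is >= HIGH_ENTROPY
      'runtime-unpack' : zero raw size but non-zero virtual size, i.e. memory
                         reserved for code that only exists after unpacking
    """
    findings = []
    for name, raw_size, virtual_size, data in sections:
        entropy = shannon_entropy(data)
        if name == ".text" and entropy >= HIGH_ENTROPY:
            findings.append((name, "packed-code entropy=%.2f" % entropy))
        if raw_size == 0 and virtual_size > 0:
            findings.append((name, "runtime-unpack virtual_size=0x%x" % virtual_size))
    return findings


def is_probably_runtime_packed(sections):
    """True when both indicators are present together, as in the Muncy sample."""
    kinds = {finding.split(" ")[0] for _, finding in triage_sections(sections)}
    return {"packed-code", "runtime-unpack"} <= kinds


# Constructed sample (these are NOT Muncy's bytes): a random-looking .text,
# a .data section that is empty on disk but 0xbb4 bytes in memory, and a
# repetitive, low-entropy .rsrc.
_rng = random.Random(1)
_text_bytes = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_SECTIONS = [
    (".text", len(_text_bytes), len(_text_bytes), _text_bytes),
    (".data", 0, 0xbb4, b""),
    (".rsrc", 1024, 1024, b"A" * 900 + b"B" * 124),
]

if __name__ == "__main__":
    for name, finding in triage_sections(SAMPLE_SECTIONS):
        print("%-6s %s" % (name, finding))
    print("runtime packer suspected:", is_probably_runtime_packed(SAMPLE_SECTIONS))
```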

The next image confirms that a great part of the binary data is packed (see the entropy – middle).

Figure 11: Binary data overview.

Muncy malware was developed in Visual Basic 6.0 and is compiled to p-code, as shown below.

Figure 12: Compiler used to develop Muncy malware.

Bonus: Why is VB 5.0/6.0 used by malware?

Performing analysis on a Visual Basic (VB) script is hard. Unfortunately, when Visual Basic is compiled to a Windows Portable Executable (PE) file it can become a nightmare for many malware analysts and reverse engineers.

Visual Basic binaries have a reputation for making an analyst’s job difficult due to the many aspects of their compilation that differ from standard C/C++ binaries. To analyze a VB PE binary it helps to be familiar with the VB scripting syntax and semantics, since their constructs will appear throughout the binary’s disassembly. VB binaries have their own API interpreted by Microsoft’s VB virtual machine (VB 6.0 uses msvbvm60.dll). Many of the APIs are wrappers for more commonly used Win32 APIs leveraged from other system DLLs.

Reverse engineering VB binaries will often involve reverse engineering VB internals for various VB APIs, a task dreaded by many. 

VB5/6 can be compiled to either native code or p-code. Even when native, the program flow is not linear from the entry point but is based on form, module and class structures passed into the VB runtime at startup.

In detail, the malware imports MSVBVM60.DLL (the Microsoft Visual Basic virtual machine, comparable to the JVM, the Java Virtual Machine). Another important DLL present in the IAT is shell32.dll, which will be used to perform several actions such as opening, creating and deleting files, opening a Windows PowerShell, etc.

Figure 13: Malware IAT.

Many imported functions from MSVBVM60.DLL are now classified as malicious by AV engines (see Figure 14).

Figure 14: Malware IAT blacklisted.

But keep in mind that benign software can also use those blacklisted functions legitimately. In this sense, the information extracted from Figure 14 may be a false positive.

Muncy – Malware decompiling

By analyzing the malware, it’s possible to disassemble its p-code. That seems the right way to dissect this threat.

We can see that four sub-routines are declared in the API declarations: inconforming5, farfel3 and ondascop9, imported from shell32.dll, and finally waterbed, imported from kernel32.dll.

Figure 15: API declarations in source-code.

In detail, the malware has a form with some objects declared (passagang). Nonetheless, the disassembled code did not add much detail to our analysis, as the source code of the sub-routines presented in Figure 15 and discussed above is not loaded (they are API sub-routines). That happens because the malware is packed and is evading reverse engineering.

Figure 16: Malware decompiling.

Of course, in the case of a program compiled to p-code (as here), the decompilation success rate is lower, and no additional insight was obtained.

The code is very hard to read, and it is packed.

Figure 17: Packed malware.

However, some strings hardcoded in the malware were found; they are used to compare the result of one of the packed APIs from Figure 15. We cannot get more detail about that, but we suspect that they are used to perform brute-force attacks on FTP services.

Figure 18: Strings hardcoded in the malware.

To confirm our suspicions, we performed a memory dump during malware execution. As shown, other strings were found; they are probably hidden at the start and hardcoded in the packed malware.

Figure 19: Strings extracted from memory and malicious endpoint detected.

Here, an interesting point needs to be analyzed. The endpoint managed by the crooks was found (http://sameerd[.]net/grace/panelnew/gate.php). Additional analysis of it is provided later.

Deep inside Muncy – Dynamic Analysis 

An important aspect of VB6 is that its internals lack any sort of official documentation. The inner workings of the VB6 virtual machine and the functionality of its exported functions are literally a mystery to anyone who has not taken an in-depth look at msvbvm60.dll.

Loading the malware into the debugger, we can see the following.

Figure 19: Muncy initial entry-point.

We are sitting at the very first instruction of the executable, which pushes an address to the stack (arg1) before calling MSVBVM60.ThunRTMain.

Looking up the ThunRTMain function, we find that it takes a single argument (The address 0x4763BC being pushed to the stack) and that argument is a pointer to a VBHeader Structure that tells the application how to start. This VBHeader Structure appears in memory, like so (Figure 20):

Figure 20: Muncy VBHeader Structure.

Of these values, the address assigned to aSubMain (0x00000000) is the most important as it is the address for the main function that will be called once the executable’s environment has been set up.

Nonetheless, as shown in Figure 20 below, that address is empty. If the aSubMain value is 0000 0000 then it’s a load form call.

Figure 21: Muncy — Original entry point (OEP); it’s a load form call.

During the analysis, the OEP was not found. When the malware is executed inside a debugger it crashes and an EXCEPTION_ACCESS_VIOLATION is triggered. Thus, the debugger is useless for analyzing this threat.

Figure 22: EXCEPTION_ACCESS_VIOLATION happens when the malware is debugged.

According to the literature, if the EXCEPTION_ACCESS_VIOLATION (0xC0000005) or EXCEPTION_GUARD_PAGE (0x80000001) exception is seen and is not within the bounds of a memory breakpoint, then the hook returns a status that the event was not handled. This hides debuggers from the guard page detection method.

Next, several techniques against the anti-VM and anti-debug checks were used in order to unpack the malware, but they proved ineffective.

Keep going

Returning to the dynamic analysis, when the malware is executed, it spikes the CPU; in fact, the unpacking process is initiated.

Figure 23: CPU spikes when malware is unpacked.

As shown in the malware main process illustrated in Figure 4, two processes are created during the malware life-cycle.

The first one (PID 580) handles the unpacking task, and the second one (PID 1256) carries out the malware behavior itself; all malicious activity happens there.

Figure 24: Two processes created during the malware execution.

One of the things the malware does after unpacking (second process, PID 1256) is a mass scan of the machine trying to collect sensitive information from FTP files.

Figure 25: Malware trying to collect information from FTP files.

In addition, the malware creates a temporary file (DFF90D.tmp) in the Windows Temp folder. It was not possible to extract sensitive information from that file.

Figure 26: Malware creates a file in the Windows temp folder.

In addition, a .bat file is also created in the temporary folder and then executed via a Windows PowerShell process (PID 2552).

Figure 27: .bat file created by malware.

That file is created by the malware (parent PID 1256) and receives a parameter in the argv vector, a target file, which is then deleted. Moreover, all the files created during malware execution are deleted. This PowerShell process runs the code inside the .bat file.

The .bat file deletes itself and the other files passed via the argv array. Let’s look at the source code present within the file.

  :ktk
  rem delete the file passed as the first argument, looping until it is gone
  del %1
  if exist %1 goto ktk
  rem finally delete the batch file itself
  del %0

All network traffic on the machine was monitored, but no connections to the Internet were made.

The next stage — Install target software 

To get more details on the malware, we ran it again on a new machine with the Firefox browser, CutePDF and FileZilla installed and running.

In this stage, we find that the malware found some target folders and files! 

Figure 27: Some target files were found.

At this moment, and after the malware execution, communications to a specific domain were observed.

The malware tries to resolve the domain name sameerd.net.

Figure 28: Malware invokes the domain: sameerd.net.

We had set up a simulated Internet beforehand, so the malicious request was received.

Figure 29: POST request performed by Muncy malware.

The malware is trying to send a POST request to /grace/panelnew/gate.php, on port 80.

Figure 30: POST request content.

The POST body is binary-encoded and it was not possible to decode its content. The decompression attempted by Wireshark produced an error as well.

To check whether the domain replies on port 80, a telnet connection was attempted. As shown, the domain name could not be resolved.

  [ptavares@ ~]$ telnet sameerd.net 80
  telnet: could not resolve sameerd.net/80: Name or service not known

The domain seems to be offline, but it was possible to get some indicators about it on Shodan, with the last update on 2019-02-12.

Figure 31: Available ports of the malicious DNS.

According to VirusTotal, this domain is associated with three detections in recent days, namely the malware under analysis.

The malware was submitted first time by SI-LAB on February 12th (its first occurrence on VT).

Figure 32: VT malware detections.

As shown, the domain was created on February 12th.

Figure 33: Domain creation date.

Do you remember that?

In addition, we need to observe the following three points:

  1. The phishing email was received on February 12th.
  2. The creation date of the malware’s certificate is February 11th (one day before).
  3. We will discuss this point later
    => Yes, the domain was created on February 12th, the same day that users were targeted with the phishing campaign.

In addition, other passive DNS records were created between February 4th and 12th (complete list at the end of the article).

Figure 3: Passive DNS replication.

Conclusion

Muncy malware shows how malicious actors may quickly vary attack techniques and artifact characteristics. Because of that, detecting its intent is very difficult, which makes the malware analyst’s work much harder!

As shown, static code analysis and even the use of a debugger proved ineffective; when a debugger is running, the malware simply triggers an error, evading analysis.

Despite these obstacles, indicators about this threat were collected via dynamic analysis. Some interesting behaviors, such as scanning for FTP files, were observed.

Further details, including Indicators of Compromise (IoCs), are reported in the analysis published by Pedro Tavares.

About the author Pedro Tavares 

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and Security Evangelist. He is also a founding member and Pentester at CSIRT.UBI and founder of the computer security blog segurancainformatica.pt.

Pierluigi Paganini

(SecurityAffairs – Muncy malware, hacking)

These Are the Countries With the Best and Worst Cybersecurity

Cybersecurity is a growing concern among governments, businesses and individuals around the world. Cyberattacks can have severe impacts on everyone.

A recent report from researchers at the University of Oxford identified 57 different impacts that cyber incidents can have. They ranged from regulatory fines to depression to damaged relationships with customers. According to a report by Cisco, more than half of organizations face public scrutiny after a cyberattack and 22 percent lose customers.

Like with any threat, some countries are better at dealing with cyberattacks than others. A recent study from technology research company Comparitech looked at cybersecurity around the world and scored 60 countries on their cybersecurity practices.

The study found significant differences in how well nations are protecting themselves. The results revealed that every country had room for improvement, however.

The Study’s Methodology

The study looked at seven criteria, giving each equal weight. The criteria were:

  • The percentage of mobile devices affected by malware
  • The percentage of computers affected by malware
  • The number of financial attacks using malware
  • The percentage of telnet attacks on IoT devices by originating country
  • The percentage of cryptomining attacks
  • The countries best prepared for cyberattacks
  • The countries with the best legislation

The researchers based scores for all but the last two items on the percentage of attacks that occurred during 2018. To determine the best-prepared countries, researchers used the Global Cybersecurity Index (GCI) scores.

The researchers also looked at existing and drafted legislation related to privacy, content, national strategy, critical infrastructure, commerce, crime and military. Countries received one point for each piece of existing legislation and half a point for each draft.

The study’s authors then ranked each country for each criterion. Nations with the least secure scores received 100 points, while those with the best scores received zero points. Those in between received a score on a percentile basis. The researchers then averaged the rating for each country across all seven categories.

Comparitech noted that it used the most recent available data for all the countries and only included those that had data available for all the criteria.

The Least Secure Countries

So, which countries received the worst rankings? The 10 worst-performing nations were Algeria, Indonesia, Vietnam, Tanzania, Uzbekistan, Bangladesh, Pakistan, Belarus, Iran and Ukraine. Let’s take a closer look at the first three.

Algeria

Algeria was the overall worst-ranked nation. It received the lowest marks for legislation and computer malware, and it also scored poorly for mobile malware and cyberattack preparation. Here are its score breakdowns:

  • Overall score: 55.75
  • Percentage of mobile devices infected by malware: 22.88
  • Percentage of users impacted by financial malware attacks: 0.9
  • Percentage of computers infected by malware: 32.41
  • Percentage of telnet attacks on IoT devices: 0.01
  • Percentage of cryptomining attacks: 5.14
  • Preparation for cyberattacks: 0.432
  • Up-to-date legislation: 1

Indonesia

Indonesia scored across the seven criteria as follows:

  • Overall score: 54.89
  • Percentage of mobile devices infected by malware: 25.02
  • Percentage of users impacted by financial malware attacks: 1.8
  • Percentage of computers infected by malware: 24.7
  • Percentage of telnet attacks on IoT devices: 1.51
  • Percentage of cryptomining attacks: 8.8
  • Preparation for cyberattacks: 0.424
  • Up-to-date legislation: 4

Vietnam

Vietnam was ranked as the least prepared for cyberattacks. Here’s how it ranked across all categories:

  • Overall score: 52.44
  • Percentage of mobile devices infected by malware: 9.62
  • Percentage of users impacted by financial malware attacks: 1.2
  • Percentage of computers infected by malware: 21.5
  • Percentage of telnet attacks on IoT devices: 1.73
  • Percentage of cryptomining attacks: 8.96
  • Preparation for cyberattacks: 0.245
  • Up-to-date legislation: 2

The Most Secure Countries

Which of the 60 studied scored the best? The 10 top-performing countries were Japan, France, Canada, Denmark, the United States, Ireland, Sweden, the United Kingdom, the Netherlands and Singapore. The top three countries ranked as follows across all seven categories.

Japan

Japan scored extremely well across most criteria. It has the most room for improvement in the cyberattack preparation and legislation areas. It received the best score for mobile device malware infection.

  • Overall score: 8.81
  • Percentage of mobile devices infected by malware: 1.34
  • Percentage of users impacted by financial malware attacks: 0.5
  • Percentage of computers infected by malware: 8.3
  • Percentage of telnet attacks on IoT devices: 1.23
  • Percentage of cryptomining attacks: 1.1
  • Preparation for cyberattacks: 0.786
  • Up-to-date legislation: 6

France

Here’s how France, the second best-performing country, scored across all seven categories.

  • Overall score: 10.58
  • Percentage of mobile devices infected by malware: 4.72
  • Percentage of users impacted by financial malware attacks: 0.4
  • Percentage of computers infected by malware: 16.2
  • Percentage of telnet attacks on IoT devices: 0.67
  • Percentage of cryptomining attacks: 1.12
  • Preparation for cyberattacks: 0.819
  • Up-to-date legislation: 7

Canada

Canada was number three. Here’s how it scored:

  • Overall score: 11.19
  • Percentage of mobile devices infected by malware: 3.91
  • Percentage of users impacted by financial malware attacks: 0.4
  • Percentage of computers infected by malware: 14.3
  • Percentage of telnet attacks on IoT devices: 0.47
  • Percentage of cryptomining attacks: 0.81
  • Preparation for cyberattacks: 0.818
  • Up-to-date legislation: 6

Cyberattacks are a serious issue that impacts countries around the world. Some nations, though, are better protected from cyber threats than others. Every country, businesses and individual can do more, however, to protect themselves and should take a look at their cyber

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her re

Pierluigi Paganini

(Security Affairs – Cybersecurity)

The post These Are the Countries With the Best and Worst Cybersecurity appeared first on Security Affairs.

Quick and Dirty BurpSuite Tutorial (2019 Update)

Introduction In this article we look at BurpSuite, a framework of tools that can be used during penetration testing. We’ll cover the latest release of BurpSuite, version 2.0, getting our hands dirty with the OWASP Juice Shop vulnerable Web application. Overview This article is intended for penetration testers and bug bounty hunters as well as […]

The post Quick and Dirty BurpSuite Tutorial (2019 Update) appeared first on InfoSec Resources.


Quick and Dirty BurpSuite Tutorial (2019 Update) was first posted on February 19, 2019 at 10:00 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

The Long Run of Shade Ransomware

Since the beginning of the year, security firms observed a new intense ransomware campaign spreading the Shade ransomware.

Between January and February, a new, intense ransomware campaign was observed by many security firms. It spreads Shade/Treshold variants, one of the most dangerous threats in the cybercrime landscape: known since its massive infection wave in Russia back in 2015, its expansion has been tracked by several CSIRTs and CERTs across the world. As stated in a recent ESET report, Shade infections increased during October 2018, kept a constant trend until the second half of December 2018, paused around Christmas, and then resumed in mid-January 2019 at double the size (shown in Figure 1).

Figure 1. Trend of malicious JavaScript downloading Shade ransomware (source: ESET).

The latest attack wave was pretty interesting because the criminals tried to impersonate Russian oil and gas companies, in particular “PAO NGK Slavneft”, probably to hit a portion of this industry segment. Cybaze-Yoroi ZLab analyzed some recent samples spreading during the last week.

Technical analysis

The chosen infection vector is email, as usual and effective. The phishing email contains a .zip file named “slavneft.zakaz.zip”, which means something like “slavneft order” in English, showing a direct reference to “Slavneft”. It contains a JavaScript file with a Russian name, “«ПАО «НГК «Славнефть» подробности заказа”, which again corresponds to “PAO NGK Slavneft order details”.

Figure 2. References to an Oil-Gas company

This file acts as the downloader in the infection chain, using a series of hard-coded server addresses. It relies heavily on obfuscation and encryption to avoid antimalware detection.

Figure 3. JavaScript decryption routine

A few rounds of debugging and decryption reveal its inner, cleartext code:

Figure 4. Main of the JS script.

The figure above highlights some interesting details: if the first HTTP request fails, the second one is not sent, but the variable “qF” is initialized with the other malicious URL. The payload is run several times, but only if the first server could be reached.

The JavaScript is probably still under development, so the attacker could add further code lines later in order to retrieve the sample from other sources.

All the resources loaded by the JavaScript downloader point to compromised websites, mostly running the WordPress and Joomla CMSs. According to other firms, Treshold is able to leverage a “worm” module designed to search for and brute-force the login pages of several known CMS applications, such as WordPress and Joomla; an odd coincidence.

Once it gets into a website, it uploads a copy of the executable code: with this approach the malware keeps creating backup copies to increase its resilience to takedowns. However, the sample delivered in the last intercepted campaign is not configured to use this feature.

  • Hash: bf32e333d663fe20ab1c77d2f3f3af946fb159c51b1cd3b4b2afd6fc3e1897bb
  • Threat: Shade ransomware
  • Description: Fake image containing Shade ransomware malware
  • Ssdeep: 24576:kcDD3THmsmB7K1k52fzgtv0HqIYG3yC3Q1KbeRho7KWU8RKDyAlAY:bTHmsq72zgtv0HYG37bD7KWU8UhV

Table 1: Shade ransomware information.

Despite its popularity, the Shade payload did not show a high detection rate at analysis time: only about a third of antimalware engines detected it (24/69), even though the threat's behaviour is as disruptive as it is recognizable. Shade encrypts all the user's files using an AES encryption scheme, appends the “.crypted000007” suffix to them and creates the ransom note in every folder on the system; the note is written in both English and Russian.

Figure 5. VirusTotal view reporting the malware’s detection rate.
Figure 6. Background of the infected machine, after encryption phase.
Figure 7. Content of README.txt file.

Visiting the darknet website specified in the note shows a page with a form for contacting the attacker, where the victim enters the code from the ransom note and an email address:

Figure 8. Ransomware Onion website.

Analyzing other threat reports from 2017, we noticed that the onion address did not change over time, whereas the email address did.

Figure 9. Comparison between the ransom note of Shade 2019 (up) and Shade 2017 (down, source: SonicWall).

Shade connects to its C2 server using embedded TOR libraries and downloads additional modules, such as the aforementioned “CMSBrute” or the “ZCash miner”. The behavioural analysis session recorded the execution of the ZCash miner, stored in the “C:\ProgramData\SoftwareDistribution\” folder.

Figure 10. Information about miner executable.

A quick review of the launching parameters shows interesting information:

  • the type and version of the mining client used by the attacker, an “NHEQ Miner” developed by NiceHash;
  • the mining pool abused by the criminal;
  • and the wallet ID (t1L9iBXyRgaYrQ5JSTSdstopV6pHtZ2Xdep).

Despite this important information, it is difficult to identify the real cashed-out amount because attackers typically use mixing techniques to thwart investigations. However, the mining pool dashboard gives a clue about the current number of infected machines.
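A defender-side detection sketch, added here and not part of the Cybaze-Yoroi analysis, that turns three host indicators from the analysis above into rules run over a few constructed file and process events: the “.crypted000007” suffix, the README.txt note appearing across multiple folders, and a process starting from C:\ProgramData\SoftwareDistribution\. The event format, the sample lines, the miner file name and the folder threshold are assumptions made for the example.

```python
import re

# Indicators taken from the analysis above; the event format, sample lines,
# file names and threshold are constructed for this example.
SHADE_EXT = ".crypted000007"
NOTE_NAME = "README.txt"
MINER_DIR = "C:\\ProgramData\\SoftwareDistribution\\"
NOTE_FOLDER_THRESHOLD = 3   # distinct folders holding the note before alerting

# Constructed event format: "<timestamp> <FILE_CREATE|PROCESS_START> <path>",
# loosely modelled on Sysmon file-create and process-create events.
EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<event>FILE_CREATE|PROCESS_START) (?P<path>.+)$")


def parse(line):
    """Return the event fields as a dict, or None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_shade(lines):
    """Run the three rules over event lines; returns a list of (rule, detail)."""
    alerts, note_dirs = [], set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        path = ev["path"]
        folder, _, name = path.rpartition("\\")
        if ev["event"] == "FILE_CREATE":
            if name.lower().endswith(SHADE_EXT):        # renamed, encrypted file
                alerts.append(("shade_extension", path))
            elif name == NOTE_NAME:                      # one ransom note per folder
                note_dirs.add(folder)
        elif ev["event"] == "PROCESS_START":
            if path.lower().startswith(MINER_DIR.lower()):   # miner drop location
                alerts.append(("miner_in_programdata", path))
    if len(note_dirs) >= NOTE_FOLDER_THRESHOLD:
        alerts.append(("ransom_note_spray", f"{len(note_dirs)} folders"))
    return alerts


# Constructed sample of host events during a Shade infection.
SAMPLE_LOG = """\
2019-02-18T10:01:02Z FILE_CREATE C:\\Users\\alice\\Documents\\report.docx.crypted000007
2019-02-18T10:01:03Z FILE_CREATE C:\\Users\\alice\\Documents\\README.txt
2019-02-18T10:01:05Z FILE_CREATE C:\\Users\\alice\\Pictures\\README.txt
2019-02-18T10:01:06Z FILE_CREATE C:\\Users\\alice\\Desktop\\README.txt
2019-02-18T10:01:09Z PROCESS_START C:\\ProgramData\\SoftwareDistribution\\nheqminer.exe
2019-02-18T10:02:00Z FILE_CREATE C:\\Users\\alice\\Documents\\notes.txt
""".splitlines()
```

The note-spray rule is the one worth tuning: a single README.txt is normal, the same file name landing in many folders within seconds is not.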

Figure 11. Flypool dashboard reporting info about attacker’s wallet.

Conclusions

The OSINT information available places the origin of the Treshold threat in mid-2017, showing that the attackers did not change their modus operandi and infrastructure much: the same wallet ID has been maintained over the years, and propagation techniques and patterns are quite constant too.

Moreover, the huge list of compromised sites, reported in the IoC section, demonstrates once again how such threat actors leverage weak credentials to run profitable, years-long malicious campaigns without deep and costly changes to their TTPs.

Further technical details, including IoCs, are reported in the analysis published on the Yoroi blog.

Pierluigi Paganini

(SecurityAffairs – Shade Ransomware, malware)

The post The Long Run of Shade Ransomware appeared first on Security Affairs.

Top 5 Free Learning Resources for Cyber-Security Beginners [Updated 2019]

Today, the obligation of strong cyber-security measures is self-evident. A large number of cyber-attacks are causing escalating damage to companies, governments, and individuals. Yahoo’s disclosure of a massive breach is still making headlines. Organizations need to respond to this increased threat by adopting strict cyber-security measures. To overcome this devastating gap in cyber-security skills in […]

The post Top 5 Free Learning Resources for Cyber-Security Beginners [Updated 2019] appeared first on InfoSec Resources.


Top 5 Free Learning Resources for Cyber-Security Beginners [Updated 2019] was first posted on February 19, 2019 at 8:33 am.