Glupteba was first spotted in 2018. Now, almost two years later, the malware is still a serious threat. This is not just malware – it’s also a rootkit, security suppressor, virus, router attack tool, browser stealer, and cryptojacker…
Glupteba, a highly self-defending malware, uses just about every trick you’ve heard of
Glupteba is a threat that offers an easy means of distributing other malware. But there is much more. The malware also uses the Bitcoin blockchain as a communication channel for receiving updated configuration information. Neat.
Glupteba is what’s known as a zombie or bot (software robot) that can be controlled from afar by the cybercriminals who wrote it. A backdoor providing full access to compromised Windows PCs while adding them to a growing botnet, it has developed some unusual measures for staying undetected.
It’s distributed through pirated software, including cracked versions of commercial applications, as well as illegal video games. The malware is dropped gradually, bit by bit, onto the system to avoid detection by anti-virus software. The malware also uses the EternalBlue SMB vulnerability to help it spread across networks.
Glupteba uses a number of software exploits for privilege escalation, primarily so it can install a kernel driver the bot uses as a rootkit, and make other changes that weaken the security posture of an infected host. The rootkit renders filesystem behaviour invisible to the computer’s end user and also protects any other file the malware decides to store in its application directory. A watcher process then monitors the rootkit and other components for any sign of failure or a crash and can reinitialize the rootkit driver or restart a buggy component. The attackers also covered up updates to command-and-control server addresses neatly: they are sent as encrypted data tied to transactions in the bitcoin blockchain.
The way in which the operators regularly fix bugs also indicates that we are dealing with a malware-delivery-as-a-service provider that is still growing. How can users avoid falling victim to Glupteba? First, by ensuring all critical security updates are applied, especially the patch against the EternalBlue exploit. Secondly, users should be extremely wary of downloading cracked and pirated applications.
Hackers use Google Analytics to steal credit card data
Hackers are using Google’s servers and the Google Analytics platform to steal credit card information submitted by customers of e-commerce sites.
A new tactic allows attackers to bypass a Content Security Policy (CSP) by abusing the Google Analytics API. Attackers take advantage of the fact that many online stores which use Google’s web analytics service for tracking visitors whitelist Google Analytics domains in their CSP configuration.
Vulnerability in the core functionality of CSP
The CSP rule system isn’t granular enough. Attackers inject a web skimmer script that is specifically designed to encode stolen data and deliver it to the attacker’s GA dashboard in an encrypted form. The attackers only have to use their own Account / Tag ID number, e.g. UA-#######-#. Once loaded, the script monitors the compromised site for user input; it grabs any entered credit card information, encrypts it, and automatically delivers it to the attackers’ GA dashboard. The attackers can then decrypt the stolen data using an XOR encryption key.
There is also a very similar campaign active since March 17 (info: Sansec’s Threat Research Team). Attackers are abusing the exact same issue to bypass CSP on several dozen e-commerce sites. But the threat actors went a step further by making sure that all the campaign components use Google Firebase servers. Another smart move? Yes. Typically, the Magecart Group uses dodgy servers in tax havens. Such suspicious locations reveal their nefarious intent. But when a skimming campaign runs entirely on trusted Google servers, very few security systems will flag it as ‘dangerous’.
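The gap described above is that a CSP host allow-list cannot tell the store's own Google Analytics account from an attacker's, because both report to the same hosts. The script below is an added example written for this write-up, not code from the page or from Sansec: it parses a CSP header and flags the data-sending directives that admit GA hosts, then checks captured outbound beacons for a tracking ID (the `tid` query parameter) that is not the site's own. The site's tracking ID `UA-1234567-1`, the sample policy and the sample beacon URLs are all constructed for illustration.

```python
"""Audit a Content-Security-Policy for the Google Analytics allow-list gap and
check outbound GA beacons against the site's own tracking ID.

Added example for this write-up, not code from the page or from any research
team it cites. Assumptions: the site's own tracking ID 'UA-1234567-1', the
sample policy and the sample beacon URLs are all constructed for illustration.
"""
from urllib.parse import parse_qs, urlsplit

# Hosts any GA deployment must allow. The same hosts accept beacons for
# *every* GA account, which is exactly why a host allow-list cannot help here.
GA_HOSTS = {"www.google-analytics.com", "google-analytics.com", "*.google-analytics.com"}

# Directives that govern where a page may *send* data: fetch/XHR/sendBeacon fall
# under connect-src, image beacons under img-src, default-src is the fallback.
EXFIL_DIRECTIVES = ("default-src", "connect-src", "img-src")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_of(source: str) -> str:
    """Reduce a source expression ('https://www.example.com/') to its host."""
    src = source.lower()
    if "://" in src:
        src = src.split("://", 1)[1]
    return src.split("/", 1)[0]


def audit_csp(header: str) -> list:
    """Return the data-sending directives whose allow-list admits GA hosts."""
    policy = parse_csp(header)
    return [d for d in EXFIL_DIRECTIVES
            if any(_host_of(s) in GA_HOSTS for s in policy.get(d, []))]


def foreign_tracking_ids(beacon_urls, own_tid: str) -> list:
    """Return (url, tid) for GA collect beacons whose tracking ID is not the
    site's own. A skimmer has to report to the attacker's account, so the
    tracking ID is the one field a network log can check that the CSP cannot."""
    suspicious = []
    for url in beacon_urls:
        parts = urlsplit(url)
        if (parts.hostname or "") not in GA_HOSTS:
            continue
        tid = parse_qs(parts.query).get("tid", [None])[0]
        if tid and tid.upper() != own_tid.upper():
            suspicious.append((url, tid))
    return suspicious


# Constructed sample input: a typical store CSP and three outbound requests
# captured from the checkout page (the second carries a foreign tracking ID).
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://www.google-analytics.com; "
    "img-src 'self' https://www.google-analytics.com; "
    "connect-src 'self' https://www.google-analytics.com"
)
OWN_TID = "UA-1234567-1"
SAMPLE_BEACONS = [
    "https://www.google-analytics.com/collect?v=1&tid=UA-1234567-1&t=pageview&dp=%2Fcheckout",
    "https://www.google-analytics.com/collect?v=1&tid=UA-7654321-9&t=event&ea=cc&el=ZXhmaWw",
    "https://cdn.example.com/static/app.js",
]

if __name__ == "__main__":
    print("directives that admit GA hosts:", audit_csp(SAMPLE_CSP))
    for url, tid in foreign_tracking_ids(SAMPLE_BEACONS, OWN_TID):
        print("foreign tracking ID", tid, "in", url)
```

Running it against the sample reports `connect-src` and `img-src` as the directives that let the page deliver data to GA, and singles out the second beacon because its `tid` belongs to someone else. The point is not that the policy is wrong (GA needs those hosts) but that the compensating control has to live outside CSP: compare the tracking ID in outbound `/collect` requests, from proxy or browser-side telemetry, against the one the store actually owns.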
WastedLocker Ransomware uses fake update notifications to infect new victims
After the indictment of some prominent members, Evil Corp started working on a new tactic, which means nothing more and nothing less than… a new cyberthreat. The newest ransomware, called WastedLocker, is used in targeted attacks against businesses. The group has always been selective in terms of the infrastructure it targets. Typically, they hit file servers, database services, virtual machines and cloud environments.
To deliver the new ransomware, Evil Corp is hacking into sites to insert malicious code that displays fake software update alerts from the SocGholish fake update framework.
One of the payloads sent in these attacks is the Cobalt Strike penetration testing and post-exploitation toolkit, which Evil Corp uses to gain access to the infected device. The threat actors then use this access to compromise the network further and deploy the WastedLocker ransomware. Once executed, the ransomware attempts to encrypt all drives on the computer, skipping files in specific folders or with certain extensions. Files smaller than 10 bytes are ignored, and large files are encrypted in blocks of 64 MB.
For every file that is encrypted, the ransomware also creates an accompanying ransom note ending with _info. Interestingly, WastedLocker does not appear to steal data before encrypting files. And the ransom? BleepingComputer reported that the ransom demands range from $500,000 to millions of dollars.
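The one-note-per-file behaviour described above is a usable detection signal: a single process creating many files that end in `_info`, each beside a file it has just written, looks like nothing a legitimate program does. The detector below is an added example for this write-up, not code from the page or from any vendor report on WastedLocker. It assumes file-create events in a constructed, Sysmon-like shape (UTC timestamp, creating process image, created path); the `_info` suffix comes from the text, while the process name, the `.enc` extension and every path in the sample are made up.

```python
"""Spot a process that drops a ransom note next to every file it rewrites.

Added example for this write-up, not code from the page or from any vendor
report on WastedLocker. It assumes file-create events in a constructed,
Sysmon-like shape (UTC timestamp, creating process image, created path).
The '_info' note suffix comes from the write-up; the process name, the
'.enc' extension and every path are made up for the sample.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NOTE_SUFFIX = "_info"


def detect_ransom_note_bursts(events, threshold=3, window_seconds=60):
    """Return one alert per process that creates at least `threshold` files
    ending in NOTE_SUFFIX within `window_seconds`, counting how many of those
    notes sit beside a file the same process also created (note = file + suffix)."""
    notes_by_proc = defaultdict(list)
    created_by_proc = defaultdict(set)
    for ts, image, path in events:
        created_by_proc[image].add(path)
        if path.endswith(NOTE_SUFFIX):
            notes_by_proc[image].append((datetime.fromisoformat(ts), path))

    alerts = []
    window = timedelta(seconds=window_seconds)
    for image, notes in notes_by_proc.items():
        notes.sort()
        # Sliding window over note creation times; the first burst that
        # crosses the threshold raises the alert for this process.
        start = 0
        for end in range(len(notes)):
            while notes[end][0] - notes[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = notes[start:end + 1]
                paired = sum(1 for _, p in burst
                             if p[:-len(NOTE_SUFFIX)] in created_by_proc[image])
                alerts.append({"image": image, "notes": len(burst),
                               "paired_with_rewritten_file": paired,
                               "first_note": burst[0][1]})
                break
    return alerts


# Constructed sample: a benign service writes one temp file, a backup agent
# writes one '*_info' config file, and an unknown binary rewrites three
# documents and drops a note beside each within a few seconds.
SAMPLE_EVENTS = [
    ("2020-06-25T10:00:01", r"C:\Windows\System32\svchost.exe", r"C:\Windows\Temp\cab1234.tmp"),
    ("2020-06-25T10:00:01", r"C:\Program Files\Backup\agent.exe", r"C:\ProgramData\Backup\agent_info"),
    ("2020-06-25T10:00:02", r"C:\Users\Public\update.exe", r"C:\Share\Finance\q2.xlsx.enc"),
    ("2020-06-25T10:00:02", r"C:\Users\Public\update.exe", r"C:\Share\Finance\q2.xlsx.enc_info"),
    ("2020-06-25T10:00:03", r"C:\Users\Public\update.exe", r"C:\Share\Finance\budget.docx.enc"),
    ("2020-06-25T10:00:03", r"C:\Users\Public\update.exe", r"C:\Share\Finance\budget.docx.enc_info"),
    ("2020-06-25T10:00:05", r"C:\Users\Public\update.exe", r"C:\Share\HR\payroll.csv.enc"),
    ("2020-06-25T10:00:05", r"C:\Users\Public\update.exe", r"C:\Share\HR\payroll.csv.enc_info"),
]

if __name__ == "__main__":
    for alert in detect_ransom_note_bursts(SAMPLE_EVENTS):
        print(alert)
```

On the sample the backup agent's single `agent_info` never reaches the threshold, while `update.exe` is reported with three notes, all three paired with a file it created moments earlier. The pairing count is what separates this pattern from a program that merely writes files with an `_info` name; tune `threshold` and `window_seconds` to the volume of your own file-create telemetry.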
Malware from hell: Lucifer targets Windows Systems
Security experts have identified a self-propagating malware, dubbed Lucifer, that targets Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks.
The never-before-seen malware initially tries to infect PCs by bombarding them with exploits in hopes of taking advantage of an “exhaustive” list of unpatched vulnerabilities. While patches for all the critical and high-severity bugs exist, the various companies impacted by the malware had not applied the fixes.
The vulnerabilities targeted by Lucifer include Rejetto HTTP File Server (CVE-2014-6287), Oracle Weblogic (CVE-2017-10271), ThinkPHP RCE (CVE-2018-20062), Apache Struts (CVE-2017-9791), Laravel framework (CVE-2019-9081), and Microsoft Windows (CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464).
After successfully exploiting these flaws, the attacker connects to the command-and-control (C2) server and executes arbitrary commands on the vulnerable device. These commands include performing a TCP, UDP or HTTP DoS attack. Other commands allow the malware to drop an XMRig miner and launch cryptojacking attacks, as well as to collect interface info and send the miner status to the C2. The malware is also capable of self-propagation through various methods. If the Server Message Block (SMB) protocol (a network file sharing protocol) is open, Lucifer executes several backdoors. These include the EternalBlue, EternalRomance, and DoublePulsar exploits.
Lucifer has been discovered in a series of recent attacks that are still ongoing.
How to protect a company? Enterprises can protect themselves with simple security measures such as applying patches and strengthening passwords.
Do you have a thirst for knowledge? There are ten more cybersecurity stories below
1. 80,000 printers are exposing their IPP port online (ZDNet)
2. REvil ransomware scans victim’s network for Point of Sale systems (Bleeping Computer)
3. BlueLeaks Exposes Police Files Dating Back 24 Years (InfoSecurity)
4. XORDDoS, Kaiji DDoS Botnets Target Docker Servers (Security Week)
5. Scam uses Elon Musk’s name to trick people out of US$2 million in bitcoin (WeLiveSecurity)
6. Office 365 now checks docs for known threats before editing (Bleeping Computer)
7. IndigoDrop spreads via military-themed lures to deliver Cobalt Strike (Talos Intelligence)
8. European victims refuse to bow to Thanos ransomware (Bleeping Computer)
9. Three words you do not want to hear regarding a ‘secure browser’ called SafePay: Remote. Code. Execution (The Register)
10. NVIDIA warns Windows Gamers of serious graphic bugs (ThreatPost)