Author Archives: Hacker Medic

Apple IDs Compromised: iPhones, iPads, and Macs Locked, Held for Ransom

      No Comments on Apple IDs Compromised: iPhones, iPads, and Macs Locked, Held for Ransom

Many users in Australia and New Zealand have had their Apple IDs compromised. We are seeing reports on Apple’s support community and social networks that their Apple devices are being remotely locked and held for ransom by someone claiming to be Oleg Pliss, a software engineer at Oracle, who the attackers randomly chose to pin this attack on.

Apple ID 1 edit.png

Figure 1. Locked iPhone ransom message

What happened to my Apple device?

Based on initial feedback, a number of Apple IDs have been compromised and used to lock iPhones, iPads, and Macs. It remains unclear exactly how the Apple IDs were compromised, but possible explanations include phishing attempts, weak passwords, or password reuse. A separate breach involving emails and passwords used to login to Apple and iCloud could have facilitated the compromise of the Apple IDs.

Once an Apple ID is compromised, attackers can access the Find My iPhone feature in iCloud. This feature is used to locate your devices if they have an internet connection and turn on the Lost Mode feature. Once Lost Mode is turned on, the attacker can remotely play a sound, lock the device, and display a ransom message.

Whatever you do, do NOT pay the ransom. There is no guarantee that the criminals responsible will unlock your device.

How to deal with a compromised Apple ID

While your devices have been locked, the root issue is the compromise of your Apple ID. First, you should login to your Apple ID account and confirm that your password has not been changed. If it has not, you should immediately secure the account by changing your password. Once changed, make sure you login to your iCloud account and sign out of all browsers just to be safe.

How to deal with a locked device

If you had set a passcode on your device prior to the compromise, you can simply unlock it by inputting your passcode.

However, if you did not set a passcode on your device, then your phone will remain locked. This is because the attacker is required to set a passcode for your device when enabling the Lost Mode feature. In this scenario, you should call Apple support for further assistance. However, most users are reporting that the only option to recover the device is to wipe the device and restore it from a backup.

How to secure your Apple ID and devices

Even if this did not impact you directly, it is a good time to review and implement the following security measures to protect your Apple ID and devices.

  1. Set a passcode on your phone or tablet. We cannot stress this one enough. Although it may be annoying to have to input a passcode to unlock your device, it is a basic security measure to prevent unauthorized physical access to your device. And in this case, it could save you the trouble of having to perform a factory reset on your device.
  2. Use a strong, unique password for your Apple ID. If you need help creating a strong password, use a password generator and consider using a password manager, such as LastPass, 1Pass, KePass, or Norton Identity Safe.
  3. Set up two step verification for your Apple ID. While it is labeled as an optional security feature, enabling two step verification will make it that much harder for an attacker to access your account without having physical access to your phone or other trusted device.
  4. Back up your devices. In the event that you have to perform a factory reset, having a backup will ensure you do not lose your settings, messages, photos and documents.

Spam Campaign Spreading Malware Disguised as HeartBleed Bug Virus Removal Tool

      No Comments on Spam Campaign Spreading Malware Disguised as HeartBleed Bug Virus Removal Tool

At the beginning of April, a vulnerability in the OpenSSL cryptography library, also known as the Heartbleed bug, made headlines around the world. If you haven’t heard of the Heartbleed Bug, Symantec has published a security advisory and a blog detailing how the Heartbleed bug works.

As with any major news, it is only a matter of time before cybercriminals take advantage of the public’s interest in the story. Symantec recently uncovered a spam campaign using Heartbleed as a way to scare users into installing malware onto their computers. The email warns users that while they may have done what they can by changing their passwords on the websites they use, their computer may still be “infected” with the Heartbleed bug. The spam requests that the user run the Heartbleed bug removal tool that is attached to the email in order to “clean” their computer from the infection.

This type of social engineering targets users who may not have enough technical knowledge to know that the Heartbleed bug is not malware and that there is no possibility of it infecting computers. The email uses social and scare tactics to lure users into opening the attached file.

One warning sign that should raise suspicion is that the subject line, “Looking for Investment Opportunities from Syria,” is totally unrelated to the body of the email.  

Heartbleed Bug 1.png

Figure 1. Heartbleed bug removal tool spam email

The email tries to gain credibility by pretending to come from a well-known password management company. The email provides details on how to run the removal tool and what to do if antivirus software blocks it. The attached file is a docx file which may seem safer than an executable file to users. However, once the docx file is opened the user is presented with an encrypted zip file. Once the user extracts the zip file, they will find the malicious heartbleedbugremovaltool.exe file inside.

Heartbleed Bug 2.png

Figure 2. Encrypted zip file

Once heartbleedbugremovaltool.exe is executed, it downloads a keylogger in the background while a popup message appears on the screen with a progress bar. Once the progress bar completes, a message states that the Heartbleed bug was not found and that the computer is clean.

Heartbleed Bug 3.png

Figure 3. Popup message

After the fake removal tool gives a clean bill of health users may feel relieved that their computers are not infected; however, this couldn’t be further from the truth as they now have a keylogger recording keystrokes and taking screen shots and sending confidential information to a free hosted email provider.

As detailed in the official Symantec Heartbleed Advisory, Symantec warns users to be cautious of any email that requests new or updated personal information, and emails asking users to run files to remove the Heartbleed bug. Users should also avoid clicking on links in suspicious messages.

Symantec detects this malware as Trojan.Dropper and detects the downloaded malicious file as Infostealer.

Symantec.cloud Skeptic heuristics engine is blocking this campaign and detecting it as Trojan.Gen.

Blackshades – ?????????????

      No Comments on Blackshades – ?????????????

FBI、欧州警察組織、その他複数の法執行機関は、Blackshades(別名 W32.Shadesrat)として知られるクリープウェアに関連するサイバー犯罪活動の疑いで数十名を逮捕しました。今回の一斉摘発において、シマンテックは FBI と緊密に連携し、関与した容疑者たちを追跡するための情報を提供しました。今回の摘発作戦により、Blackshades を販売する Web サイトが閉鎖されたため、このマルウェアに関連する活動は大幅に減少すると予想されます。

Blackshades は、初心者レベルのハッカーから高度なサイバー犯罪グループにいたるまで、さまざまな攻撃者によって使用されている有名かつ強力なリモートアクセス型のトロイの木馬(RAT)です。Blackshades は、専用の Web サイト bshades.eu 上で 40 ~ 50 米ドルで販売されていました。手頃な価格で豊富な機能を備えており、攻撃者はこれを使って、侵入先のコンピュータを完全に制御することができます。クリックするだけの簡単なインターフェースから、データを盗み取る、ファイルシステムを閲覧する、スクリーンショットを撮影する、動画を録画する、インスタントメッセージアプリケーションやソーシャルネットワークを操作する、といった処理を実行することができます。

shadesrat_screenshot-650px.png
1. Blackshades のコマンド & コントロールパネル

今回の逮捕の数日前、FBI は、米国市民を標的とするサイバー犯罪に厳しく対処していくことを宣言し、近日中に捜索、逮捕、起訴を行うという約束を発表したところでした。

 blackshades_figure1.png
2. Blackshades の感染件数(2013 年~2014 年)

blackshades_figure2.png
3. Blackshades による被害の上位 5 カ国(2013 年~2014 年)

今回のおとり捜査の一環として、販売元である bshades.eu が閉鎖されたことで、Blackshades の販売と流通には大きな影響があるでしょう。2014 年の Blackshades の活動は大幅に減少すると予想されます。クラック版のビルダーやソースコードは Web 上のいくつかのフォーラムに残ってはいますが、サイバー犯罪者は他のトロイの木馬に移行し始めると予想されます。

Blackshades に対する摘発活動はこれが初めてではありません。FBI は 2012 年、Blackshades プロジェクトへ関与した疑いで、他の 20 名以上と共にマイケル・ホーグ(Michael Hogue)容疑者(別名 xVisceral)を逮捕しました。しかし、その後も販売は継続され、2013 年も Blackshades の活動は増加を続けました。

サイバー犯罪グループは、高度に組織化された攻撃によって数百万ユーロを獲得し、Blackshades に感染したコンピュータを使って巨額の資金移動を行っています。Francophone と呼ばれる最近の活動では、フランスの企業を標的とする金銭の詐取を狙った攻撃で、高度なソーシャルエンジニアリングの手口の一環として Blackshades が使われました。Blackshades 活動に関連する損害の総額を正確に算出するのは困難ですが、個々の事例から推測すると莫大な損失が出ていると考えられます。また、アラブの春においては、政治的な動機による攻撃でも Blackshades が確認されています。騒乱中にリビアとシリアでは、政治活動家を標的として Blackshades の亜種(W32.Shadesrat.C)による攻撃が行われました。

シマンテックは、今回の FBI による摘発を歓迎するとともに、今後も法執行機関および民間のパートナーと協力して、ますます高度化するサイバー犯罪活動に対処いたします。

保護対策
シマンテック製品をお使いのお客様は、以下の検出定義によって Blackshades から保護されています。

ウイルス対策検出定義

侵入防止シグネチャ

シマンテック製品をお使いでない場合に Blackshades として知られるクリープウェアに感染した疑いがあるときは、無償のノートン パワーイレイサーを使ってシステムから除去することができます。

 

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

iBanking: Exploiting the Full Potential of Android Malware

      No Comments on iBanking: Exploiting the Full Potential of Android Malware

3509155_-_mobile_device_iBanking.png

Powerful Russian cybercrime gangs have begun to use premium Android malware to broaden their attacks on financial institutions. The tool, known as iBanking, is one of the most expensive pieces of malware Symantec has seen on the underground market and its creator has a polished, Software-as-a-Service business model. 

Operating under the handle GFF, its owner sells subscriptions to the software, complete with updates and technical support for up to US$5,000. For attackers unable to raise the subscription fee, GFF is also prepared to strike a deal, offering leases in exchange for a share of the profits. 

iBanking often masquerades as legitimate social networking, banking or security applications and is mainly being used to defeat out-of-band security measures employed by banks, intercepting one-time passwords sent through SMS. It can also be used to construct mobile botnets and conduct covert surveillance on victims. iBanking has a number of advanced features, such as allowing attackers to toggle between HTTP and SMS control, depending on the availability of an Internet connection. 

Its high price tag meant that use was initially confined mainly to well-resourced cybercrime gangs but, with the recent leak of its source code, Symantec has seen a significant increase in activity around iBanking and attacks are likely to grow further in the near future.

How it works
Attackers use social engineering tactics to lure their victims into downloading and installing iBanking on their Android devices. The victim is usually already infected with a financial Trojan on their PC, which will generate a pop up message when they visit a banking or social networking website, asking them to install a mobile app as an additional security measure. 

iBanking_infection_diagram.png
Figure 1. How an iBanking victim is infected

The user is prompted for their phone number and the device operating system and will then be sent a download link for the fake software by SMS. If the user fails to receive the message for any reason, the attackers also provide a direct link and QR code as alternatives for installing the software. In some cases, the malware is hosted on the attackers’ servers. In other cases, it is hosted on reputable third-party marketplaces. 

iBanking can be configured to look like official software from a range of different banks and social networks. Once it is installed on the phone, the attacker has almost complete access to the handset and can intercept voice and SMS communications. 

History
iBanking has evolved from a simple SMS stealer into a powerful Android Trojan, capable of stealing a wide range of information from an infected handset, intercepting voice and text communications, and even recording audio through the phone’s microphone.

Early, pre-sale versions were seen in August 2013. They had limited functionality and could simply redirect calls and steal SMS messages. iBanking’s owner, who operates under the handle GFF, has continually refined the malware. By September 2013, it had gone on sale on a major Eastern European underground forum and was already replete with a broad range of functionality. 

iBanking can be controlled through both SMS and HTTP. This effectively provides online and offline options for command and control. By default, the malware checks for a valid Internet connection. If one is found, it can be controlled over the Web through HTTP. If no Internet connection is present, it switches to SMS.

iBanking’s main features now include:

  • Stealing phone information –phone number, ICCID, IMEI, IMSI, model, operating system
  • Intercepting incoming/outgoing SMS messages and uploading them to the control server 
  • Intercepting incoming/outgoing calls and uploading them to the control server in real time
  • Forwarding/redirecting calls to an attacker-controlled number 
  • Uploading contacts information to the control server
  • Recording audio on the microphone and uploading it to the control server 
  • Sending SMS messages
  • Getting the geolocation of the device 
  • Access to the file system 
  • Access to the program listing 
  • Preventing the removal of the application if administrator rights are enabled 
  • Wiping/restoring phone to the factory settings if administrator rights are enabled 
  • Obfuscated application code  

While iBanking was initially only available from GFF at a premium price of US$5,000, the source code for the malware was leaked in February. Not surprisingly, this resulted in an immediate increase in bot activity relating to iBanking. Symantec predicts that this upsurge in activity will continue as news of the leaked source code spreads through the underground. 

However, we believe that the more professional cybercrime groups will continue to pay for the product, allowing them to avail of updates, technical support and new features. The leaked version of iBanking is unsupported and contains an unpatched vulnerability.

GFF continues to develop iBanking and add new features. They have also claimed that they are developing a version for BlackBerry, although this has yet to go on sale. 

How one hacker’s search for stolen Bitcoins led to an attack on the BBC and the leak of iBanking’s source code
The source code for iBanking was leaked following a bizarre series of events in which a hacker went on an attacking spree as part of a quest to retrieve 65,000 stolen Bitcoins. 

3509155_-_ReVOLVeR_Twitter_1.png
Figure 2. ReVOLVeR uses Twitter to brag about attacking the BBC

It began in December 2013 when hacker ReVOLVeR began investigating the theft of 65,000 Bitcoins from a friend. ReVOLVeR traced the theft to the friend’s mobile phone and found an iBanking infection which they believed had leaked the username and password for their Bitcoin wallet. At the time, one Bitcoin was worth approximately US$1,000, which means that ReVOLVeR’s friend had lost over US$70 million. 

ReVOLVeR discovered that the infected phone was communicating with a C&C server, myredskins.net, which they went on to compromise. On this server, they discovered leaked FTP credentials for the BBC’s website. The credentials may have been stolen from an SMS sent to a mobile phone owned by a BBC staff member infected with iBanking. Alternatively, they may have been taken from a third party who had been given access to the server. 

ReVOLVeR then used these credentials to log into the BBC server, root the account and begin cracking additional credentials. He posted about his progress on Twitter, updating his followers with screenshots and dumps on SendSpace. 

Once finished with the BBC, ReVOLVeR then turned his attention to iBanking and attempted to sell the malware as his own on an underground forum. He did little to cover up the origin of the malware, simply reusing the post GFF had originally used to advertise iBanking on a different forum. Not surprisingly, ReVOLVeR was promptly banned from the forum. 

Not long after this, in February, another hacker who uses the handle Rome0 posted the source code to iBanking on a carding forum along with a simple script which could re-configure the iBanking application. Instead of charging for the malware, this version was made available for free. It is unclear whether Rome0 acquired the source code from ReVOLVeR or simply read about his attack on the C&C server and imitated it, but the two incidents appear to be linked. 

The release of the source code coincided with a significant uptick in iBanking activity. Despite the availability of a free version, our research suggests that most of the large cybercrime actors are continuing to opt for the paid-for version. They appear to be willing to pay a premium for the updates and support provided by GFF.

The gangs using iBanking
One of the most active iBanking users is the Neverquest crew, a prolific cybercrime group that has infected thousands of victims with a customized version of Trojan.Snifula. This financial Trojan can perform Man-in-the-Middle (MITM) attacks against a range of international banks. The Neverquest crew utilizes iBanking to augment its Snifula attacks, capturing one-time passwords sent to mobile devices for out-of-band authentication and transaction verification. Control numbers (the mobile numbers that the bots can receive instructions from) indicate that the Neverquest crew is likely operating out of Eastern Europe. 

Another threat actor utilizing iBanking is Zerafik, who also appears to operate from Eastern Europe. Zerafik operated a command-and-control (C&C) server located in the Netherlands which was subsequently hacked, with details posted publicly on ProtectYourNet. The leak revealed that iBanking installations controlled by this C&C server were configured to target customers of Dutch bank ING, with the app disguised to look like an official app from the company. The iBanking campaigns uncovered by this breach involved multiple segregated botnets that could be controlled through a single panel, allowing for the attacker to control multiple campaigns from a single user interface. 

One of the first users of iBanking was an actor known as Ctouma, who has a history of involvement with scam websites and trading in stolen credit card data. Their email address (Ctouma2@googlemail.com) had been used to set up a service which sells stolen credit card information. 

Ctouma employed one of the earliest versions of the malware, which wasn’t even for sale at the time. It was disguised as a mobile application for a Thai bank. While Thailand itself is not typically associated with financial fraud attacks, it is possible that these attacks may have served as a test bed for early versions of the malware, in order to test its effectiveness. 

Protection
Symantec detects this threat as Android.iBanking

Since iBanking victims are usually tricked into installing the app by a desktop financial Trojan, keeping your desktop antivirus software up to date will help avoid infection. 

You should be wary of any SMS messages which contain links to download APKs (Android application package files), especially from non-reputable sources. IT administrators should consider blocking all messages which contain a link to install an APK. 

Some iBanking APKs have been seeded onto trusted marketplaces and users should be aware of this as a potential avenue of infection

Users should be aware of sharing sensitive data through SMS, or at least be aware that malicious programs are sniffing this data.