Jul 05

Controversial Malware Targets MacOS Users Through Slack and Discord

Security researchers have revealed that a controversial malware is targeting MacOS users talking about cryptocurrencies on Slack and Discord.

“Dumb” MacOS Attack

The malware was first reported by Remco Verhoef of SANS. He explained that the attacks would impersonate “key people” in chats which are related to cryptocurrencies and then share malicious scripts.

The wrongdoers would try to encourage users to paste the script into the Terminal window of their Macs. The script would download a 34MB file and execute it. In turn, this would establish a remote connection which would act as a backdoor for the hackers.

The obvious flaws in the plan of the attackers caught the attention of Patrick Wardle, a Mac malware expert. In a more detailed blog post, he noted that:

  • the infection method is dumb
  • the massive size of the binary is dumb
  • the persistence mechanism is lame (and thus also dumb)
  • the capabilities are rather limited (and thus rather dumb)
  • it’s trivial to detect at every step (that dumb)
  • … and finally, the malware saves the user’s password to dumpdummy

Common Sense is the Only Protection You Need

The binary bundles a set of libraries, including OpenSSL, which encrypts its communications back to the server. Remco Verhoef managed to establish that the bash script attempts to connect to a system which belongs to CrownCloud, a German hosting provider.

Once the binary is executed, it would provide the attacker with the ability to run commands as if they were the root user of the infected Mac.

In order for this to happen, however, the owner of the Mac needs to enter a password, allowing the script to go on. Ironically, the script would store said password in a temporary file which is named “dumpdummy,” as noted by Wardle.

In other words, all you have to do to prevent this malware from causing any damage is refrain from pasting a script provided to you by someone on Slack or Discord into your Terminal window.

What do you think of this malware targeting MacOS users? Don’t hesitate to let us know in the comments below.

Aug 20

New Malware Sneaking Onto Mac Computers, Bitcoinists Be Warned

Some tricky new malware is infecting Mac users by imitating legitimate software. The “Advanced Mac Cleaner” professes to be an anti-malware tool in order to sneak onto Mac computers.

New Malware Targeting Mac Users

Bitcoinists who use Macs ought to be especially concerned, as the malware specifically targets Mac users by mimicking an anti-malware tool designed for Macs. Malware can be used to steal private keys and wallet passwords, allowing malicious actors to gain access to your funds.

The malware was first discovered by Thomas Reed, lead researcher at the anti-malware firm Malwarebytes. Its method of infection is very simple: it tricks people into visiting its website and downloading the program. This sounds like your normal phishing tactic, but the program itself does not act like normal malware once installed.

In fact, once the malware is installed, the user wouldn’t even know that anything was wrong at first. However, if one were to look deeper, they would discover a file within the software claiming ownership of different kinds of file types. Additionally, if you were to open these files, they would display a message that you needed new, specialized software in order to view them.

This is troubling because it looks like a normal technical problem, as the error message that appears is the same as the one that would regularly appear when trying to open an unknown file type — making it difficult for users to even realize there is something suspicious happening.

If users fall for that, then they will be led to a site that begins downloading a bunch of other useless software, like Mac Adware Remover and Mac Space Reviver. This software is unlikely to benefit the system in any way, and will pass through undetected with a Mac certificate of approval.

Considering that security breaches are the number one cause of bitcoin theft, this news could be significant for some. If the malware were to gain access to a Bitcoinist’s system, they could be left helpless, unable to access their wallet, or end up with their funds stolen.

The insidious nature of the malware is its ability to elude detection, so bitcoin-using Mac fans need to exercise extreme caution and avoid downloading apps that are not available on the official App Store.

What do you think of this new malware infecting Mac users? Let us know in the comments below!

Source: DigitalTrends.com

Jul 02

Worrisome Locky Ransomware Variant Zepto is Making The Rounds

There is now a new form of Bitcoin ransomware on the block, going by the name of Zepto. At its core, this is a different variant of the Locky malware, which has been making the rounds for quite some time now. Security researchers detected a spike in the distribution of this new ransomware. As one would expect, Internet criminals are using spam emails to distribute this payload.

Bitcoin ransomware has proven to be a very lucrative business, assuming one can distribute the malware on a large scale. Spam emails are a preferred method of distribution, as they allow criminals to reach a lot of potential targets with little effort. Security researchers detected a spike in Zepto distribution as of June 27.

Zepto Ransomware Arrives On The Scene

What makes Zepto so interesting is how it shares similarities with Locky. The latter malware has been causing a lot of headaches for individuals and enterprises around the world. While there are obvious similarities between the two strains, there is something different about Zepto. Security researchers are trying to figure out how to classify this new type of malware.

On June 27, over 137,000 spam messages were sent out, all of which contain the Zepto payload. Malicious attachments in emails are an effective manner to distribute malicious code. Even though there have been plenty of warnings regarding downloading email attachments, the potential for infection remains very high.

Specific aspects of this ransomware make it appear very similar to Locky. Both types use the same type of RSA encryption keys, they leave similar file types behind, and the ransom text is nearly identical. These similarities do not make the new kind of ransomware any less effective, though.

Cisco Talos Sr Technical Leader Craig Williams explained the threat as follows:

“If Zepto sticks with this attack vector it may never become a serious threat. However, it’s very likely Zepto moves into exploit kits as time goes on. A move by Zepto to malvertising, for example, could get bad very fast.”

Ransomware developers have stepped up their game in recent months, by continuously improving their malicious software. Security researchers are concerned Zepto has the potential to infect thousands of users in the coming weeks. So far, over 3,300 unique samples of the malware have been identified, which is a rather staggering number.

What are your thoughts on yet another new form of ransomware? Let us know in the comments below!

Source: Cisco Talos

Jun 18

Symantec Report Indicates End of Locky Ransomware Threat

Although malware threats and exploit kits are a significant threat to our society, various types are showing a decrease in activity. Angler, Locky, and Dridex are the three top categories which all of a sudden see less interest. For now, it remains unclear why this decrease is taking place, although it is possible criminals are turning toward new solutions.

Ransomware and malware have been the top two threats since 2015. Many institutions and consumers have fallen victim to these threats, but it looks like Dridex and Locky are slowing down regarding usage. Moreover, the Angler exploit kit, which is often used to deliver these two types of malicious software, is losing popularity as well.

Locky Ransomware On The Way Out

According to a recent survey by Symantec, all three of these groups have all but ceased operating. Some of the other significant threats affecting customers and enterprises are also scaling back their activity. That being said, it is not unlikely that other types of malware and ransomware will start seeing an increase in popularity over the next few months.

The decrease in Locky activity is quite noteworthy, as the ransomware was showing significant success a few weeks ago. However, over the past two weeks, nearly no activity has been noted by Symantec. Whether this is due to a disruption in their operations, or just a business decision to scale back, is unknown at this time.

Dridex and Angler Are Losing Ground

Dridex, one of the leading types of financial fraud Trojans, has seen its presence drop to near zero over the past month. That being said, the malware is still roaming in the wild, albeit far less frequently than ever before. Moreover, some of the botnets associated with spreading the Dridex banking malware are still in operation to this very day. It also appears as if Word macro downloaders are still delivering Dridex through email spam campaigns.

But the biggest shock comes in the form of the Angler exploit kit showing a significant decrease in usage. For quite some time, this toolset has been a fan favorite among internet criminals. It is worth noting that, ever since CryptXXX started showing a decrease in activity, so did the Angler exploit kit. Other types of exploit kits are showing similar results, which may indicate internet criminals will look for different tools to wreak havoc on computers and networks.

What are your thoughts on this Symantec report? Let us know in the comments below!

Source: Symantec

Jun 14

Cerber Bitcoin Ransomware Now Includes Malware Factory Automation

As the summer draws ever closer, the chances of getting a computer infected with malicious software seem to increase exponentially. The latest version of Cerber ransomware is introducing new challenges for security experts. A “malware factory” has been introduced, which creates different versions of Cerber every 15 seconds.

Cerber Becomes Completely Random

To this very date, Cerber is the most feared and destructive type of Bitcoin ransomware in circulation. Developers of this malware threat are becoming more crafty than ever before, and they keep updating the source code as well. In the latest version of this malware, disconcerting new features have been added.

Popular types of Bitcoin ransomware attract attention from security experts, as they want to beat the malicious code. Ever since the first version of Cerber came around, experts have been trying to remain one step ahead of this malware. But the battle is long and tough, as the ransomware developers continue to step up their game as well.

The latest iteration of Cerber includes a feature called “malware factory”, which creates different versions of this ransomware every 15 seconds. Doing so effectively bypasses the security programs installed by potential victims. It is the first time such a critical feature has been introduced to ransomware, and it makes the job of security experts even more challenging.

The file hash associated with Cerber binaries is being changed by the command & control service every 15 minutes. Moreover, this process is fully automated, and it significantly increases the chances of infecting computers and networks. Evading detection is the biggest concern for security experts, and they will have to come up with a new way to remove the threat presented by Cerber.

This news is just the latest form of innovation hitting the world of Bitcoin ransomware. As if encrypting files alone is not enough to deal with, certain types of malware will execute DDoS attacks using the computers held hostage. Consumers are advised to keep backups of their filesystem at all times, and ensure their security software and operating system are up-to-date.

What are your thoughts on this new Cerber development? Let us know in the comments below!

Source: Deep Dot Web

Jun 07

Ransomware Infections Set To Spike Due To Angler Bypassing EMET

Ransomware remains a threat looming over every Internet user in the world today. Protecting one’s computer from this type of malware is becoming harder once again, thanks to the EMET-evading exploit. Security experts feel the number of ransomware infections will ramp up exponentially once again.

EMET protection is found on the Windows operating system, as Microsoft designed this tool to block Windows-based exploits. However, internet criminals have come up with a way to bypass this protection. Moreover, they bundled the instruments in the Angler exploit kit, which remains one of the most popular choices for hackers to this very day.

EMET Is Not Impenetrable

Up until this point, many security experts felt that EMET was the most efficient way to prevent Windows computers from being attacked or infected. Moreover, it had never been possible to bypass this layer of protection entirely. FireEye researchers discovered the new code in the Angler exploit kit on Monday, June 6.

TeslaCrypt used to be a favorite among Internet criminals looking to execute drive-by attacks. This particular type of ransomware has caused a lot of havoc in the past, although the creators unveiled the master decryption key not too long ago. Spreading ransomware through an exploit kit that can evade security measures opens up a whole can of worrisome opportunities.

FireEye security experts explained the significance of this news as follows:

“The ability of Angler EK to evade EMET mitigations and successfully exploit Flash and Silverlight is fairly sophisticated in our opinion. These exploits do not utilize the usual return oriented programming to evade DEP. Data Execution Prevention (DEP) is a mitigation developed to prevent the execution of code in certain parts of memory. The Angler EK uses exploits that do not utilize common return oriented programming (ROP) techniques to evade DEP. Instead, they use Flash.ocx and Coreclr.dll’s inbuilt routines to call VirtualProtect and VirtualAlloc, respectively, with PAGE_EXECUTE_READWRITE, thus evading DEP and evading return address validation-based heuristics.”

That being said, it is important to note there are limitations as to what internet criminals can do. For the time being, it appears this method only works on Windows 7. Additionally, targeted computers need either Flash or Silverlight installed to execute the attack. But at the same time, there is nothing stopping hackers using the Angler exploit kit from installing malicious applications and ransomware.

What are your thoughts on internet criminals being able to bypass EMET on Windows machines? Let us know in the comments below!

Source: Ars Technica

Jun 03

Flashpoint Study Shows Spreading Ransomware Is No Cash Cow

For the longest time, people have assumed that ransomware attacks are very lucrative. But a recent study by Flashpoint paints an entirely different picture. While there is still money to be made, the numbers are far lower than most people think they are.

Flashpoint conducted a five-month study of a Russian ransomware operation to see how lucrative this business model is. As it turns out, the operators of this service make far less money than most people anticipated. The “upper brass” makes US$90k per year, which is still a nice amount, but not that high all things considered.

Flashpoint Study Reveals Intriguing Details

The study by Flashpoint investigated a particular group of criminals offering ransomware-as-a-service. Their primary targets seem to be corporations and individual users in the Western world. Organizing these campaigns and hiring partners to ensure the malware is delivered nets criminals US$7,500 per month.

What is noteworthy is how the Flashpoint research indicates these crime rings usually rely on personal relationships. With no central command and control infrastructure, affiliates get carte blanche as to how they distribute ransomware. Moreover, they need to keep tabs on how many and which systems have been infected successfully.

Despite the growing number of reported ransomware infections, the Russian crime group only collected thirty payments of US$300 per month. This goes to show consumers and enterprises are becoming far more vigilant when it comes to malware. Moreover, fewer people are willing to pay the fee and will take a small data loss after restoring file access from a backup.

Ransomware-as-a-service bosses take 60% of the fee paid, whereas affiliates receive 40% for their efforts. Spreading malware is far from a glorious job, to say the least, and the pay is not all that great either. However, there are nearly no entry barriers for anyone willing to venture into the world of internet criminality.

There is also a vast distinction to be made between the widespread ransomware distribution attack, and its more sophisticated and targeted counterpart. This latter approach will net far bigger rewards, albeit it requires a lot more work. Victims have to be carefully selected and vetted before spreading the payload. However, the reward is well worth the effort.

What are your thoughts on the amount of money to be made with ransomware? Let us know in the comments below!

Source: Dark Reading

Jun 01

Six Russian Banks Lose US$25.7m To Hacker Collective

According to Russian news sources, over US$25.7m has been stolen from Russian banks. This has nothing to do with yet another Swift network breach, though. A hacker collective is involved in the creation and distribution of malware, used to steal money from Russian bank accounts.

Earlier today, Russian law enforcement officials arrested fourteen members of an undisclosed hacker collective. All of these people are suspected of being involved in the use of malware to steal funds from Russian bank accounts. Preliminary results indicate more than US$25.7m has been taken. The Russian Federal Security Service has also confiscated a lot of computer equipment, along with financial documents, bank cards, and cash sums.

The Rising Number of Hacker Collective Threats

A total of six banks have been affected by this hacker collective, including the Russian International Bank, Metropol, and Metallinvestbank. The attacks took place between March and April of 2016, although no specific dates were announced. All of these banks suffered from remote access attacks, which were made possible by the distribution of malware.

Kaspersky Labs has indicated the hacker collective made use of the Lurk banking trojan. Doing so allowed the assailants to steal funds from bank accounts in both Russia and other countries. Lurk has been a powerful tool in the hands of the wrong people, as it has been used for over five years by hackers looking to sluice funds to offshore accounts.

It is not the first time these types of attacks have taken place in Russia, though. Damages caused by hackers and internet criminals have exceeded US$45m over the past year. The number of attacks against financial institutions in particular seems to be increasing exponentially. Since mid-2015, law enforcement has tracked 18 different incidents, resulting in over 3 billion rubles being stolen.

At the same time, several attacks have been prevented from causing even more damage. If that had not been the case, there would have been an additional US$30 million in damages, according to TASS. After thorough investigations, over 50 hackers have been arrested, and more than 80 searches have been conducted so far.

What are your thoughts on the rising number of cyber attacks against banks? Let us know in the comments below!

Source: TASS

May 17

Kaspersky Labs Outsmarts CryptXXX Bitcoin Ransomware Developers Again

CryptXXX Ransomware has been on the Kaspersky radar for quite some time now, as they are doing everything they can to let victims restore file access without paying the Bitcoin fee. A similar attempt had been made earlier this year, but the CryptXXX creators quickly patched the flaw allowing for this scenario to take place.

Kaspersky Is Not Giving Up On Fighting CryptXXX

There is hardly anything more annoying than dealing with Bitcoin ransomware these days. Not only does this malware encrypt nearly every file on one’s computer or network, but it is also impossible to restore file access with a backup. This has been a thorn in the side for consumers and enterprises all over the world for several months now.

But there is a silver lining, as Kaspersky Labs is trying to outsmart the CryptXXX creators. Or to be more precise, this is the security firm’s second attempt at doing so, after pointing out how the developers made several critical errors back in April of 2016. The security firm released a decryption tool that would allow victims to restore file access without paying the Bitcoin ransom.

However, the CryptXXX ransomware developers took exception to this attempt by Kaspersky Labs and updated their code shortly afterwards. Once the new version of this malware was released, security experts were back to square one in an attempt to come up with a decryption tool for victims all over the world.

After announcing a new update to the decryption tool, called RannohDecryptor, it appears as if the team has managed to break the revamped CryptXXX encryption. Victims no longer need an unencrypted copy of an original file for RannohDecryptor to find a decryption key.

It will be interesting to see how long this solution will work, as it is doubtful the CryptXXX developers will give up the fight so easily. Bitcoin ransomware distribution has proven to be a very lucrative business model. Computer users all over the world need to be vigilant at all times and ensure their antivirus definitions and operating system are always up-to-date.

What are your thoughts on this new attempt by Kaspersky? Will this be the nail in the coffin for CryptXXX? Let us know in the comments below!

Source: ZDNet

May 10

Bucbi Ransomware Resurfaces Through Targeted Attacks

The topic of ransomware seems to be entwined with Bitcoin these days, and two-year-old malware Bucbi is jumping on the cryptocurrency bandwagon. In its new form, the Bucbi ransomware will target specific victims and demand a five-Bitcoin ransom.

Bucbi Infections Are Not Random

It is not the first time this particular strain of ransomware makes an appearance on the security researchers’ radar, as Bucbi has been around for two years now. In its previous iteration, this malware seemed to infect computers randomly, with no clear plan of attack other than trying to rake in as much money as humanly possible.

To be more precise, Bucbi used to be spread through large campaigns combining email attachments and malicious websites. However, that has changed, as the creators are now going after corporate networks running Remote Desktop Protocol servers. By using the RDP brute force utility called “RDP Brute”, attackers can gain a foothold on these servers with relative ease.

The latest iteration of Bucbi was identified by Palo Alto security researchers a week ago, as a Windows Server was infected by this malware. As part of the attack, the server owner had to pay a fee of five bitcoins to restore file access, worth US$2,320 at the time of infection. Quite a significant amount, but still a lot cheaper than shutting down critical enterprise services for an extended period.

What is even more concerning is how this method of attack can also be used to target point-of-sale systems in the future. However, their brute force approach is not always successful in getting the compromised devices to execute financial transactions. Going after corporate servers seems to be a more lucrative business model for these bad actors, as Bucbi can be used to sniff out sensitive information and encrypt files.

For the time being, there is a lot of speculation as to who is behind the Bucbi ransomware. Some security experts feel the Ukrainian Right Sector is behind these attacks, although that has not been confirmed by official sources at the time of writing. The ransomware business is booming, unfortunately, and the resurgence of Bucbi is a clear example of how grave this threat can be.

What are your thoughts on Bucbi and its potential? Let us know in the comments below!

Source: Threatpost
