Categories
Competitive research

Gutstuff malware targets Whatsapp, PayPal and Skype Users!!!

Add Your Heading Text Here

Share it:

Group-IB’s Threat Intelligence system first discovered Gustuff on hacker forums in April 2018. According to its developer, nicknamed Bestoffer, Gustuff became the new, updated version of the AndyBot malware, which since November 2017 has been attacking Android phones and stealing money using web fakes disguised as mobile apps of prominent international banks and payment systems. The price for leasing the «Gustuff Bot» was $800 per month.

The analysis of Gustuff sample revealed that the Trojan is equipped with web fakes designed to potentially target users of mobile Android apps of top international banks including Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, PNC Bank, and crypto services such as Bitcoin Wallet, BitPay, Cryptopay, Coinbase etc. Group-IB specialists discovered that Gustuff could potentially target users of more than 100 banking apps, including 27 in the US, 16 in Poland, 10 in Australia, 9 in Germany, and 8 in India.

Initially designed as a classic banking Trojan, in its current version, Gustuff has significantly expanded the list of potential targets, which now includes, besides banking, crypto services and fintech companies’ Android programs, users of apps of marketplaces, online stores, payment systems and messengers, such as PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut etc.

Gustuff infects Android smartphones through SMS with links to malicious Android Package (APK) file, the package file format used by the Android operating system for distribution and installation of applications. When an Android device is infected with Gustuff, at the server’s command Trojan spreads further through the infected device’s contact list or the server database. Gustuff’s features are aimed at mass infections and maximum profit for its operators — it has a unique feature — ATS (Automatic Transfer Systems), that autofills fields in legitimate mobile banking apps, cryptocurrency wallets and other apps, which both speeds and scales up thefts.

The analysis of the Trojan revealed that the ATS function is implemented with the help of the Accessibility Service, which is intended for people with disabilities. Gustuff is not the first Trojan to successfully bypass security measures against interactions with other apps’ windows using Android Accessibility Service. That being said, the use of the Accessibility Service to perform ATS has so far been a relatively rare occurrence.

After being uploaded to the victim’s phone, the Gustuff uses the Accessibility Service to interact with elements of other apps’ windows including crypto wallets, online banking apps, messengers etc. The Trojan can perform a number of actions, for example, at the server’s command, Gustuff is able to change the values of the text fields in banking apps. Using the Accessibility Service mechanism means that the Trojan is able to bypass security measures used by banks to protect against older generation of mobile Trojans and changes to Google’s security policy introduced in new versions of the Android OS. Moreover, Gustuff knows how to turn off Google Protect; according to the Trojan’s developer, this feature works in 70% of cases.

Gustuff is also able to display fake push notifications with legitimate icons of the apps mentioned above. Clicking on fake push notifications has two possible outcomes: either a web fake downloaded from the server pops up and the user enters the requested personal or payment (card/wallet) details; or the legitimate app that purportedly displayed the push notification opens — and Gustuff at the server’s command and with the help of the Accessibility Service, can automatically fill payment fields for illicit transactions.

The malware is also capable of sending information about the infected device to the C&C server, reading/sending SMS messages, sending USSD requests, launching SOCKS5 Proxy, following links, transferring files (including document scans, screenshots, photos) to the C&C server, and resetting the device to factory settings.

You can check out in-depth technical analysis of Getstuff

Source: Group-IB(Singapore)

Categories
Competitive research

Silence 2.0 takes over Banking Institutions worldwide.

Add Your Heading Text Here

Share it:

Silence APT, a Russian-speaking cybercriminal group, known for targeting financial organizations primarily in former Soviet states and neighboring countries is now aggressively targeting banks in more than 30 countries across America, Europe, Africa, and Asia.

Active since at least September 2016, Silence APT group’s most recent successful campaign was against Bangladesh-based Dutch-Bangla Bank, which lost over $3 million during a string of ATM cash withdrawals over a span of several days

According to a new report Singapore-based cybersecurity firm Group-IB shared with The Hacker News, the hacking group has significantly expanded their geography in recent months, increased the frequency of their attack campaigns, as well as enhanced its arsenal.

The report also describes the evolution of the Silence hacking group from “young and highly motivated hackers” to one of the most sophisticated advanced persistent threat (APT) group that is now posing threats to banks worldwide.

Silence APT hacking group has updated their unique TTP (tactics, techniques, and procedures) and changed their encryption alphabets, string encryption, and commands for the bot and the main module to evade detection by security tools.

EDA is a PowerShell agent, designed to control compromised systems by performing tasks through the command shell and tunneling traffic using the DNS protocol, and is based on the Empire and dnscat2 projects.

Just like most hacking groups, Silence gang also relies on spear-phishing emails with macros Docs or exploits, CHM files, and .LNK shortcuts as malicious attachments to initially compromise their victims.

Once in a victim organization, the group leverages more sophisticated TTPs and deploy additional malware, either TrueBot or a new fileless PowerShell loader called Ivoke, both designed to collect information about an infected system and send it to an intermediate CnC server.

To choose their targets, the group first create an up-to-date “target list” of active email addresses by sending “recon emails,” which usually contain a picture or a link without a malicious payload.

Group-IB has published more detailed findings about Silence APT in its new report titled, “Silence 2.0: Going Global.” You can head on to its report for more information.

Source: TheHackerNews

Categories
Internet Security

Introduction to Linux Malware Analysis (PART 2) : Object File and Executable/Binary file

Add Your Heading Text Here

Share it:

In our previous article, we looked at the different phases of gcc compilation and different type of output generated by gcc compiler .

In this article we will examine the contents of both object and binary/executable file and the difference between static and dynamic libraries.

Object File:

Object file contains machine code/instructions that are executable by the processor.

However there is a bit of work to do before it can be executed by the processor.

One main difference between object and binary file is that reference to both static and dynamic links are resolved or not known.

These references are not resolved because files are compiled independently(by the assembler) from each other.

We can view different sections of on object file using objdump tool.

Usage: objdump<option(s)> <file(s)>
 Display information from object <file(s)>.
Objdump tool can be used to disassemble a binary/executable file as well as extract section from an object file.

This command simply instruct the objdump tool to show read-only section from the object file(in ELF format).

objdump -sj .rodata example.o

example.o:  file format elf64-x86-64
Contents of section .rodata: 

0000 48656c6c 6f2c2077 6f726c64 2100  Hello, world!.

The .rodata section stores only constant values. Inside the .rodata section, we have the string value "Hello, World!"

We can also use the objdump tool to disassemble all the code in an object file in Intel syntax as shown below

objdump -M intel -d example.o

compilation_example.o:  file format elf64-x86-64

Disassembly of section .text:

00 0000 000 000 0000

 

0:55 push rdp 1:48 89 e5 mov rdp, rsp 4:48 83 ec sub rsp, 0x10 8:89 7d fc mov DWORD PTR [rbp-0x4],edi b:48 89 75 mov QWORD PTR [rbp-0x10],rsi f:bf 00 00 mov edi,0x0 14:e8 00 00 call 19<main+0x19> 19:b8 00 00 mov eax,0x0 1e:c9 ret 1f:c3 leave

 

As you can see, it has only one main function. You can check on wikipedia for in-depth information on assembly language.

Binary File:
Linker or the link editor is responsible for relocating or linking all object files to a particular/specific memory address. This process creates a binary executable file.

In a binary file, symbolic references to static libraries are resolved. Whilst references to dynamic libraries are resolved during runtime or when the binary file is loaded into memory.

The following command disassembles a binary file with objdump tool:

objdump -M intel -d a.out

a.out:     file format elf64-x86-64

Disassembly of section .init:

Disassembly of section .init:

0000000000001000 <_init>:

1000:   48 83 ec 08             sub    rsp,0x8
1004:   48 8b 05 dd 2f 00 00    mov    rax,QWORD PTR [rip+0x2fdd]        # 3fe8 <__gmon_start__>
100b:   48 85 c0                test   rax,rax
100e:   74 02                   je     1012 <_init+0x12>
 1010:  ff d0                   call   rax
 1012:  48 83 c4 08             add    rsp,0x8
 1016:  c3                      ret  

Disassembly of section .fini:

0000000011c4 <_fini>:
11c4:   48 83 ec 08             sub    rsp,0x8
11c8:   48 83 c4 08             add    rsp,0x8
11cc:   c3                      ret  

This not the complete content of a disassembled binary file. As you can see there are more sections in a binary file than in an object file.

We will need these sections to do a static analysis of an infection file.

In our next article, we will learn how to examine an infectious file via the static analysis method. 

Categories
Privacy

How malware steals autofill data from browsers

Add Your Heading Text Here

Share it:

Most browsers kindly offer to save your data: account credentials, bank card details for online stores, billing address, name, and passport number for travel sites, and so on. It’s convenient and saves having to fill out the same forms all over again or worry about forgotten passwords. However, there is a catch: All of this autofill data can be scooped up by cybercriminals if your computer gets infected by a stealer — a piece of malware that steals information, including from browsers.

Such programs are becoming increasingly popular with online scammers: In the first half of this year alone, Kaspersky’s security products detected more than 940,000 stealer attacks. That is a one-third increase from the same period of 2018.

Strictly speaking, stealers are interested in more than just browsers’ autofill data — they are also looking for cryptocurrency wallets and gaming data, and they steal files from the desktop as well (we hope you don’t store valuable information there, such as password lists).

However, browsers have become a hub of work and play, including shopping, banking and more, and are often a source of far more confidential information than other programs. Let’s take a look at how stealers get their thieving hands-on browser data.

How malware steals data from Chrome

Google Chrome and other browsers based on the Chromium engine (such as Opera and Yandex.Browser) always store user data in the same place, so stealers have no problem finding it. In theory at least, this data is stored in encrypted form. However, if the malware has already penetrated the system, then its actions are done in your name.

Therefore, the malware simply puts in a polite request to the browser’s data encryption tool to decrypt information stored on your computer. With requests seemingly from the user considered safe by default, in response the stealer gets all your passwords and credit card details.

What happens to data stolen by the stealer?

Once the malware has the autofill data in plain text, it sends them back to cybercriminals. From there, either of two scenarios may unfold. The malware’s handlers can use it themselves or, more likely, sell it to other malefactors on the black market, where such products are always highly prized.

Either way, if usernames and passwords were among the stored information, the crooks will likely steal a couple of your accounts and try to finagle money out of your friends. If you saved bank card data in the browser, the losses could be more direct; your money will either be spent or transferred elsewhere

Stolen accounts can be used for many other purposes too, from spamming and promotion of websites or apps, to sending viruses and laundering money stolen from others (and if the police get involved, they may come knocking on your door).

How to protect data from stealers

  • Do not entrust important information such as bank card details to your browser for safekeeping. Instead, enter them manually each time — it takes longer but is safer. You can also store passwords in a password manager.

  • Most important: The best way to safeguard data is to prevent malware from getting onto your computer in the first place. To do so, install a reliable security solution that will keep infections at bay. No malware, no problem!

Source: Kaspersky Lab

Categories
Innovation

Introduction to Linux Malware Analysis

Add Your Heading Text Here

Share it:

In today\\’s era where malware otherwise known as malicious software have affected (and it is still affecting) companies all over the world, it is recommended to have the ability to analysis malware residing on both windows and linux platforms.

However we will focus only on how to analysis malware on linux platforms. You can make use of the same methods discussed here to analysis malware on Windows.

It is necessary as a malware analyst to understand how compilers such as gcc compiles a progam.

So We will look at the following sub-topics:

  • The four stages of binary compilation
  • Difference between an object file and executable file

Prerequisites:

  • gcc compiler
  • linux debian/kali
  • a simple C program to compile

Four Stages of Binary Compilation:

The four stages of c program compilation are as follows:

  • Preprocessing
  • Compilation
  • Assembly
  • Linking

By default, gcc compiler compiles a group of files/files as execuatble program as shown below:

gcc hello.c

The above command emits the following output:

a.out: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=2ae6a46529ec896b291cd7671dc19ee578abf8bf, not stripped

The gcc compiler automatically compiled our simple c program to an executable file.

Preprocessing stage:

In this stage, the c preprocessor which is a a separate program from the compiler reads the content of the system file header and insert it into a file with the .i suffix.

Execute the command below to read the system file headers

cpp hello.c > hello.i

Open the hello.i file to see the output. This is not the complete output.

hello.c # 1 \ # 1 \ # 31 \ # 1 /usr/include/stdc-predef.h 1 3 4 # 32 \ 2 # 1 hello.c # 1 /usr/include/stdio.h 1 3 4 # 27 /usr/include/stdio.h 3 4 # 1 /usr/include/x86_64-linux-gnu/bits/libc-header-start.h 1 3 4 # 33 /usr/include/x86_64-linux-gnu/bits/libc-header-start.h 3 4 # 1 /usr/include/features.h 1 3 4 # 424 /usr/include/features.h 3 4 # 1 /usr/include/x86_64-linux-gnu/sys/cdefs.h 1 3 4 # 442 /usr/include/x86_64-linux-gnu/sys/cdefs.h 3 4 # 1 /usr/include/x86_64-linux-gnu/bits/wordsize.h 1 3 4 # 443 /usr/include/x86_64-linux-gnu/sys/cdefs.h 2 3 4 # 1 /usr/include/x86_64-linux-gnu/bits/long-double.h 1 3 4 # 444 /usr/include/x86_64-linux-gnu/sys/cdefs.h 2 3 4 # 425 /usr/include/features.h 2 3 4 # 448 /usr/include/features.h 3 4 # 1 /usr/include/x86_64-linux-gnu/gnu/stubs.h 1 3 4 # 10 /usr/include/x86_64-linux-gnu/gnu/stubs.h 3 4 typedef unsigned char __u_char; typedef unsigned short int __u_short; typedef unsigned int __u_int; typedef unsigned long int __u_long; typedef signed char __int8_t; typedef unsigned char __uint8_t; typedef signed short int __int16_t; typedef unsigned short int __uint16_t; typedef signed int __int32_t; typedef unsigned int __uint32_t; typedef signed long int __int64_t; typedef unsigned long int __uint64_t;

Compilation Stage:

In this stage, we will cause the gcc compiler to emit or produce assembly file preferably Intel assembly syntax because it is more readable than AT&T syntax.

You can do by executing the following command:

gcc -S -masm=intel hello.c

It produces assembly file hello.s. You can open it and view the contents. We will look at the contents later .

vim hello.s

    .file   "hello.c"
    .intel_syntax noprefix
    .text
    .section    .rodata
.LC0:
    .string "Hello, World!"
    .text
    .globl  main
    .type   main, @function
main:
.LFB0:
    .cfi_startproc
    push    rbp
    .cfi_def_cfa_offset 16
    .cfi_offset 6, -16
    mov rbp, rsp
    .cfi_def_cfa_register 6
    lea rdi, .LC0[rip]
    mov eax, 0
    call    printf@PLT
    mov eax, 0
    pop rbp
    .cfi_def_cfa 7, 8
    ret
    .cfi_endproc
.LFE0:
    .size   main, .-main
    .ident  "GCC: (Debian 8.3.0-6) 8.3.0"
    .section    .note.GNU-stack,"",@progbits

As you can see, Intel’s assembly syntax is quite readable than AT&T shown below:

    .file   "hello.c"
    .text
    .section    .rodata
.LC0:
    .string "Hello, World!"
    .text
    .globl  main
    .type   main, @function
main:
.LFB0:
    .cfi_startproc
    pushq   %rbp
    .cfi_def_cfa_offset 16
    .cfi_offset 6, -16
    movq    %rsp, %rbp
    .cfi_def_cfa_register 6
    leaq    .LC0(%rip), %rdi
    movl    $0, %eax
    call    printf@PLT
    movl    $0, %eax
    popq    %rbp
    .cfi_def_cfa 7, 8
    ret
    .cfi_endproc
.LFE0:
    .size   main, .-main
    .ident  "GCC: (Debian 8.3.0-6) 8.3.0"
    .section    .note.GNU-stack,"",@progbits

Assembly Stage

In this stage, the gcc compiler will convert the assembly file into an object file using the command below:

gcc -c hello.c

An object file can be describe as a relocatable file because files are compiled independently from each other.

Also at the time of compilation the assembler can not detect the memory address of files(most legitimate program consist of individual files).

Therefore it is makes it possible for the linker to to bring together all files as an executable

You can check whether a file is an object file by using the file utility described here:

file hello

hello.o: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), not stripped

Again we will look at stripped and non-stripped files in our next articles because these files are essential to a malware analyst.

Linking Stage

Here we will link together all the individual files to create an executable using this command gcc followed by the name of the c program.

At this stage it is possible to resolve symbolic references to static libraries. References to dynamic libraries are not resolved till the program is loaded into memory.

We will discuss symbolic references to static and dynamic libraries in our next article.

gcc hello.c

a.out: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=2ae6a46529ec896b291cd7671dc19ee578abf8bf, not stripped

The main difference between an object file and an executable file is references made to libraries are not resolved in an object file but are resolved in an executable file(except for dynamic libraries)

Now we understand how a gcc compiler compiles a program.

In our next article, we will take a look at contents of both object and executable file, static and dynamic libraries.

Written by: Michael Aboagye

Categories
Uncategorized

Do you want to learn how to analyze binary programs to detect Malware?

Add Your Heading Text Here

Share it:

In the month of August, we will begin a practical course on Linux binary analysis to help system/security engineers  learn how to analyze and detect hidden malware in binary programs running on Linux host.

You will need the following tools and knowledge to benefit greatly. We will add more tools or utilities as we progress:

  • gcc compiler
  • debian linux  (version 9)
  • can interpret basic Intel assembly code syntax
  • Understand basic linux commands
  • Vim friendly

Source:  ISA Security Team