Archives for 

Microsoft Malware

PLATINUM malware steals data using Intel’s Active Management Technology ( AMT) bpassing Windows Firewall

Microsoft published an article about the exploitation of Intel’s AMT tools stealing government data for espionage purposes. The hack works independently of the Operating system which can bypass any windows firewall at the moment.

The malware has been active since at least 2009 primarily responsible for spear phishing attacks on ISPs, government organizations, intelligence agencies, and defense institutes.

The malware is known has been exploiting hot patching feature which allows the installation of updates from Microsoft without system reboot. As per Microsoft Malware protection Center, this is the first time they discovered the exploitation of this vulnerability injecting a backdoor to svchost process which makes it almost invisible.

“As this embedded processor is separate from the primary Intel processor, it can execute even when the main processor is powered off and is, therefore, able to provide out-of-band (OOB) remote administration capabilities such as remote power-cycling and keyboard, video, and mouse control (KVM),” as stated by Microsoft

 

Highlights mentioned in Microsoft Release as follows :

  1. Platinum malware focuses on a small number of campaigns per year, which reduces the risk of detection and helps the group stay unnoticed and focused for a longer period of time.
  2. Platinum malware has focused on targets associated with governments and related organizations in South and Southeast Asia.
  3. Platinum malware has used multiple unpatched vulnerabilities in zeroday exploits against its victims.
    Spear phishing is the group’s main method of infecting targeted users’ computers.
  4. Platinum malware makes a concerted effort to hide their infection tracks, by self-deleting malicious components, or by using server side logic in ‘one shot mode’ where remotely hosted malicious components are only allowed to load once
  5. Platinum malware often spear phishes its targets at their non-official or private email accounts, to use as a stepping stone into the intended organization’s network
  6. Platinum malware uses custom-developed malicious tools and has the resources to update these applications often to avoid being detected.
  7. Platinum malware configures its backdoor malware to restrict its activities to victims’ working hours, in an attempt to disguise post-infection network activity within normal user traffic.
  8. Platinum malware does not conduct its espionage activity to engage in direct financial gain, but instead uses stolen information for indirect economic advantages.
  9. In some cases, the combination of these mechanisms—use of undisclosed zero-day exploits,custom malware that is not used elsewhere, PLATINUM’s skill in covering its tracks, and others—has enabled the group to compromise targets for several years without being detected

Details can be available on the paper published from Microsoft

Share Button

“Doxware”- Evolution of Ransomware, a new form of malware threat for 2017

As security controls and defense measures for computer systems become more sophisticated, cyber criminals have taken one step ahead in the world of Ransomware. The most profitable ransomware attacks has taken a leap with doxing. What is Doxware ? “Ransomware is the art of encrypting data on a network, users PC or Mac and asking for […]
Share Button
Continue reading →

Two new Point of Sale malware targeted on Small and Medium Business in the United States

Two new malwares that affect point of sale (PoS) machines have been detected by the researchers at Trend Micro. The malware have been affecting small and medium sized businesses or SMBs, primarily in the United States. These two malwares have been named Katrina and CenterPoS by their developers. Trend Micro researchers had earlier reported PoS […]
Share Button
Continue reading →

3 Key Take Away’s from RSA Conference 2014 – San Francisco for CISOs and Security Enthusiasts

Author : Arun Hegde , Security Architect @arun25 Here is a quick summary about my experience at RSA Conference 2014 – San Francisco last month  Highlights of RSA 2014 : Some of the highlights at this year at RSA was cloud security, mobile security ( specially for enterprise), more companies providing SIEM solutions  and lot of new […]
Share Button
Continue reading →

Dendroid – Next Generation Crime-ware toolkit targeting Android

Dendroid, the next generation Crimeware toolkit which can  convert apps to malware , is available in underground market for only $300. It also comes with a 24 hour support if you are stuck up on your way.  Symantec mentioned that this is evolution of AndroRAT( first ever malware APK binder). Dendroid is a HTTP RAT that […]
Share Button
Continue reading →

EC-Council, Security Certification Group website hacked and defaced

“Although EC-Council has been respected by corporations and governments, many in the in the security community don’t agree the way they certify and considered it as useless certification ”  Analysts predict that Passports of more than 60,000 US military and government IT professionals at risk Hacker went by the name of Eugene Belford, claims to […]
Share Button
Continue reading →

Syrian Electronic Army hacks Forbes, steals user information

This time Syrian Electronic Army has targeted Forbes for the big hack day. SEA published the hack on Friday, showing several screenshots of the WordPress admin panel backend of the Forbes.com website.                       SEA  said in a tweet that more than one million user e-mails and passwords […]
Share Button
Continue reading →

Mass Exploitation of Linksys routers – E1000 & E1200 by “TheMoon”

Johannes B, a security researcher from the SANS has posted a warning for useres about  a self-replicating malware named “The Moon”has been exploiting authentication bypass and code-execution vulnerabilities on Linksys routers – E1000 & E1200 wireless routers. How does it work ? The malware remotely calls Home Network Administration Protocol (HNAP), allows identification, configuration and management of networking devices.  Malware […]
Share Button
Continue reading →

More than 2000 TESCO customers account hacked and posted online

              TESCO has been targeted by hackers this time and account information of more than 2000 customers have been posted online on pastebin. Tesco.com internet shopping accounts, personal details and Tesco club card details  were  posted last Thursday online by the hackers. As a result ,  Tesco was forced […]
Share Button
Continue reading →

US Veterans of Foreign Wars website compromised by IE Zero day Exploit (CVE-2014-0322)

Recently  a zero day vulnerability in Internet Explorer was discovered(CVE-2014-0322)). Researchers from Fireeye has identified that hackers are using this vulnerability in targeting US military personals. Furthermore they also suspect that this may be a very strategic campaign (Operation Snowman) during the President’s day weekend. FireEye researchers observed  drive-by-download attack which  alters HTML code of the […]
Share Button
Continue reading →