Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Malware

Zeus, Cryptolocker and more, malware evolution according TrendMicro

A rapid look to last trends in malware development observed by security experts at TrendMicro, old threat including new improvements. Security experts have observed during last months an increase in the use of AutoIt coding language To Spread Malware and Toolsets. AutoIt is a very flexible scripting language used since 1999 in Windows environments. The […]

Zeus, Cryptolocker and more, malware evolution according TrendMicro

A rapid look to last trends in malware development observed by security experts at TrendMicro, old threat including new improvements.

Security experts have observed during last months an increase in the use of AutoIt coding language To Spread Malware and Toolsets. AutoIt is a very flexible scripting language used since 1999 in Windows environments. The language was used to perform simple operations like text file editing but allows also the creation of more complex scripts that perform mass downloads with complex GUIs.

AutoIt is an easy-to-learn language that allows for quick development,due this reason it was chosen by numerous malware author.

In 2013 security firm have detected an alarming increase for infostealer malware and banking trojans, there were observed new variants of the popular ZeuS designed for 64bit systems and able to exploit Tor networks to hide C&C servers.  The new variant for 64 bit architecture includes a malicious AutoIt file and garbage files, it is spread via email message and the unpacked file it recognized as as TSPY_ZBOT.SMIG.  Exactly like other ZeuS malware version it drops a configuration file that contains a list of its targets (e.g. Banks, Financial organizations).

But malware is even more complex, new instances are also able to steal data from different FTP sites and personal certificates from the infected host.

Malware analysts at Trend Micro spotted other malicious code with same packer, TSPY_CHISBURG.A and TSPY_EUPUDS.A, while the first one steals user names and passwords from Yahoo, Hotmail, Pidgin, FileZilla, and VPN/ISP credentials once is loaded in memory, the second one collect victim’s info (e.g. User ID, browser and version, OS version) and user’s credentials.

Infostealers are privileged tools for cybercriminals to collect tools information to sell in the underground cybercrime, these info are used for fraud arrangement or to organize targeted attacks.

Returning to AutoIt packer, a new code was found online to implement propagation mechanism via removable drives. The code is able to checks installed antivirus software on the system and it includes obfuscated  functions to make it harder the detection.

Thanks to improved AutoIt packer also old malware could be effective as explained by TrendMicro experts.

“With the incorporation of malware to a scripting language such as AutoIt, it makes analysis arduous especially if there is no decompiler that can aid in the analysis.  AutoIt is also used by normal applications, thus there is need for malware which are compressed to be unpacked so as to get only the malicious routines/behavior.”

Infostealers aren’t unique malware to menace user’s security, the 2013 was considere also the year of ransomware, Cryptolocker for example has infected about 250,000 PCs mainly from US, UK and Australia.

Cryptolocker malware infection data

 

Last variant of CryptoLocker detected by TrendMicro includes a new notable propagation feature, the instance WORM_CRILOCK.A has the capability to spread via removable drives.

“Aside from its propagation technique, the new malware bears numerous differences from known CryptoLocker variants. Rather than relying on a downloader malware—often UPATRE— to infect systems, this malware pretends to be an activator for various software such as Adobe Photoshop and Microsoft Office in peer-to-peer (P2P) file sharing sites. Uploading the malware in P2P sites allows bad guys to easily infect systems without the need to create (and send) spammed messages.” states TrendMicro post.

The example provided show the continuous improvement of the cybercrime ecosystem to malicious tools like infostealer and ransomware, cybercrime menace is becoming even more insidious and sophisticated.

 

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  malware, TrendMicro)

[adrotate banner=”5″]

[adrotate banner=”13″]