Beware: Fake “The Interview” movie download app is in the wild

“The Interview” is undeniably the hottest movie of the year: a comedy about a plan to kill North Korea’s leader, Kim Jong-un. It has also been the most controversial, accompanied by hackers threatening physical violence against theaters that planned to show it and by demands to pull the film, which delayed its release. The movie did reach theaters, albeit in a limited release, and the internet, via YouTube, Xbox Video and similar video streaming services.

With all the racket and commotion, the Rogen-Franco movie has also been a big hit on torrent websites, downloaded illegally countless times. Apparently, this has been the cue for cybercriminals to trick unsuspecting users, yet again, into infecting their smartphones and tablets with malware.

According to a recent blog post by security blogger Graham Cluley, an Android app claiming to be a client for downloading the movie is circulating widely. Citing Irfan Asrar, a McAfee security expert, the app is distributed as part of a torrent and is exclusive to South Korea. Cluley states:

“Researchers at McAfee – in a joint investigation with the Technische Universität Darmstadt and the Centre for Advanced Security Research Darmstadt (CASED) – have identified that a threat campaign has been active in South Korea in the last few days, attempting to exploit the media frenzy surrounding The Interview’s release.”

The app looks like an innocent application that will help you pirate the movie. In reality, it contains an Android Trojan named “Android/Badaccents”, which was hosted on Amazon Web Services. It is a banking Trojan that targets a number of Korean banks, including Citi Bank, and is designed to steal your personal information and drain your bank cards. The collected data is then apparently sent to a Chinese mail server. Cluley mentions in his post that at least 20,000 devices have been infected by the Trojan.

One peculiar thing Cluley observed: the malware checks the device’s manufacturer information, and if it is set to “Samjiyon” or “Arirang,” which indicates the handset was purchased in North Korea, the malware does not infect the device and instead displays an error message stating “an attempt to connect to the server failed.”

Pondering on whether this was a politics related attack, Cluley quotes Asrar:

“Asrar says that he does not currently believe the limiting of infections to non-North Korean made devices was politically motivated, but instead a commercial decision not to waste bandwidth on users who were outside the targeted region (as North Koreans were unlikely to be customers of the targeted banks).”

Cluley has mentioned that McAfee has notified Amazon of the issue, so further infections can be prevented. Also, he has warned people that there is a possibility of the Trojan being hosted on other websites, wearing different disguises.

via Beware: Fake “The Interview” movie download app is in the wild – Neowin.

Facebook users targeted by iBanking Android trojan app

Cybercriminals have started using a sophisticated Android Trojan app designed for e-banking fraud to target Facebook users, possibly in an attempt to bypass the two-factor authentication protection on the social network.

Security researchers from antivirus vendor ESET have identified a new variant of a computer banking Trojan called Qadars that injects rogue JavaScript code into Facebook pages when opened in a browser from an infected system. The injected code generates a message instructing users to download and install Android malware that can steal authentication codes sent to their phones via SMS.

These man-in-the-browser attacks are known as webinjects and have long been used by computer Trojans to display rogue Web forms on online banking websites with the goal of collecting log-in credentials and other sensitive financial information from users.

Webinjects are also commonly used to display messages that instruct users to download and install malicious applications on their mobile phones by presenting them as security apps required by financial institutions. In reality those rogue mobile apps are designed to steal mobile transaction authorization numbers (mTANs) and other one-time passwords sent by banks via SMS.

In February security researchers from RSA, the security division of EMC, reported that the source code for an advanced Android Trojan called iBanking was released on an underground forum and warned that this development will allow more cybercriminals to incorporate this mobile threat in their future operations.

Once installed on an Android phone, iBanking can capture incoming and outgoing text messages; can redirect calls to a pre-defined phone number; can capture audio from the surrounding environment using the device’s microphone and can steal the call history log and the phone book.

The authors of the Qadars computer Trojan were quick to adopt iBanking, according to a new report by researchers from ESET, but instead of using it against online banking users they appear to be targeting accounts on Facebook.

“Through our monitoring of the banking Trojan Win32/Qadars […] we have witnessed a type of webinject that was totally new for us: it uses JavaScript, meant to be injected into Facebook webpages, which tries to lure the user into installing an Android application,” ESET malware researcher Jean-Ian Boutin said Wednesday in a blog post.

What to expect if you’re infected

When users log into Facebook from a computer infected with Qadars they will see a rogue message informing them that “due to a rising number of attempts in order to gain unlawful access to the personal information of our users and to prevent corrupted page data to spread Facebook administration introduces new extra safety protection system.”

This alleged protection system is presented as a mobile application that generates unique authentication codes that can be used instead of regular passwords. In order to obtain the application, users are asked to specify the OS of their mobile phone and their phone number. They are then directed to a page with a download link and a corresponding QR code.

The application being offered to Android device owners is a version of the iBanking Trojan app that has been modified to look like a Facebook application for generating one-time passwords. During installation, users are instructed to enable the Android setting that allows the installation of apps obtained from unknown sources and are asked to give the app device administrator permissions.

“The way iBanking is installed on the user’s mobile is quite common, but it is the first time we have seen such a mobile application targeting Facebook users for account fraud,” Boutin said.

It’s possible that the attackers are using iBanking to steal security codes sent via SMS by Facebook’s legitimate two-factor authentication system. It may be that there’s a growing number of people using this protection feature on Facebook, making accounts harder to compromise through traditional credential theft attacks, Boutin said.

However, it’s also possible that attackers have chosen to use webinjects on Facebook because it’s an efficient way to distribute the malware to a lot of users without worrying which particular banking sites they regularly interact with.

“Now that mainstream web services such as Facebook are also targeted by mobile malware, it will be interesting to see whether other types of malware will start using webinjects,” Boutin said. “Time will tell, but because of the commoditization of mobile malware and the associated code source leaks, this is a distinct possibility.”

via Facebook users targeted by iBanking Android trojan app | PCWorld.

Trojan horse malware destroys delivery files to hide its tactics

Microsoft has discovered an unusually stealthy Trojan capable of deleting the files it downloads in order to keep them away from forensics investigators and researchers.

The Trojan downloader, called Win32/Nemim.gen!A, is the latest example of how malware writers are using sophisticated techniques to protect their own trade secrets. The Trojan essentially makes downloaded component files irrecoverable, so they cannot be isolated and analyzed.

“During analysis of the downloader, we may not easily find any downloaded component files on the system,” Jonathan San Jose, a member of Microsoft’s Malware Protection Center, said in a blog post. “Even when using file recovery tools, we may see somewhat suspicious deleted file names but we may be unable to recover the correct content of the file.”

Microsoft managed to grab some components as they were being downloaded from a remote server. The malware’s two purposes were to infect executable files on removable drives, and to unleash a password stealer that snatches credentials from email accounts, Windows Messenger/Live Messenger, Gmail Notifier, Google Desktop, and Google Talk.

Typically, a downloader’s only job is to deliver the core malware. In this case, the downloader delivered the malware and continued to be an integral part of the operation.

Malware gets sneakier

In general, malware has become better at staying under the radar. Some of the stealthiest malware is used in advanced persistent threats targeted at specific organizations.

“Malware that covers its tracks to prevent the security community from developing quick defensive signatures is the norm today,” said Paul Henry, a forensic analyst for Lumension.

For some time, criminals have developed malware that can sense when it is running in a virtualized workstation of the kind researchers commonly use to isolate and study malicious code. In such an environment, the malware enters a dormant state so it cannot be easily discovered.

Other malware inserts its malicious code into system memory, never leaving a trail in the infected computer’s registry or on its hard drive, Henry said.

“Your grandfather’s security solutions will leave you utterly defenseless against today’s evolving threats,” he said.

via Trojan horse malware destroys delivery files to hide its tactics | PCWorld.

Sneaky malware hides behind mouse movement, experts say

Researchers from security vendor FireEye have uncovered a new advanced persistent threat (APT) that uses multiple detection evasion techniques, including the monitoring of mouse clicks, to determine whether a human is actively interacting with the infected computer.

Called Trojan.APT.BaneChant, the malware is distributed via a Word document rigged with an exploit and sent in targeted email attacks. The name of the document translates to “Islamic Jihad.doc.”

“We suspect that this weaponized document was used to target the governments of Middle East and Central Asia,” FireEye researcher Chong Rong Hwa said Monday in a blog post.

Multistage attack

The attack works in multiple stages. The malicious document downloads and executes a component that attempts to determine whether the operating environment is a virtualized one, like an antivirus sandbox or an automated malware analysis system, by waiting to see whether there is any mouse activity before initiating the second attack stage.

Mouse click monitoring is not a new detection evasion technique, but malware using it in the past generally checked for a single mouse click, Rong Hwa said. BaneChant waits for at least three mouse clicks before proceeding to decrypt a URL and download a backdoor program that masquerades as a .JPG image file, he said.

The malware also employs other detection evasion methods. For example, during the first stage of the attack, the malicious document downloads the dropper component from an ow.ly URL. Ow.ly is not a malicious domain; it is a URL shortening service.

The rationale behind using this service is to bypass URL blacklisting services active on the targeted computer or its network, Rong Hwa said. (See also “Spammers abuse .gov URL shortener service in work-at-home scams.”)

Similarly, during the second stage of the attack, the malicious .JPG file is downloaded from a URL generated with the No-IP dynamic Domain Name System (DNS) service.

After being loaded by the first component, the .JPG file drops a copy of itself called GoogleUpdate.exe in the “C:\ProgramData\Google2\” folder. It also creates a link to the file in the user’s start-up folder in order to ensure its execution after every computer reboot.

This is an attempt to trick users into believing that the file is part of the Google update service, a legitimate program that’s normally installed under “C:\Program Files\Google\Update\”, Rong Hwa said.
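The persistence artifact described above (a look-alike GoogleUpdate.exe started from a shortcut in the start-up folder) is the kind of thing a defender can triage with a simple allowlist check: a start-up entry whose target file name matches a well-known binary but lives outside that binary's expected directory is flagged. The example below is added here and is not code from FireEye or from the article; the legitimate-location table, the sample start-up entries and the "(x86)" path variant are constructed for the example, and the code assumes each .lnk in the start-up folder has already been resolved to its target path (shortcut parsing is out of scope).

```python
"""Triage start-up folder entries for look-alike binaries (added example, not the article's code).

Assumes each .lnk in the start-up folder has already been resolved to its target path;
parsing .lnk files themselves needs a shortcut parser and is not shown here.
"""
from pathlib import PureWindowsPath

# Hypothetical allowlist: lower-cased binary name -> directories it legitimately lives in.
LEGIT_LOCATIONS = {
    "googleupdate.exe": {
        r"c:\program files\google\update",
        r"c:\program files (x86)\google\update",  # assumed 32-bit-on-64-bit location
    },
}

# Roots a standard user can write to; anything auto-started from here deserves a second look.
USER_WRITABLE_ROOTS = (r"c:\programdata", r"c:\users")


def classify_target(target: str) -> str:
    """Return 'expected', 'masquerade', 'suspicious' or 'unknown' for one resolved target path."""
    path = PureWindowsPath(target)
    name = path.name.lower()
    parent = str(path.parent).lower()
    if name in LEGIT_LOCATIONS:
        # A well-known name is only acceptable in its known home directory.
        return "expected" if parent in LEGIT_LOCATIONS[name] else "masquerade"
    if parent.startswith(USER_WRITABLE_ROOTS):
        return "suspicious"
    return "unknown"


def triage_startup_entries(entries):
    """entries: iterable of (shortcut name, resolved target). Returns every non-'expected' finding."""
    findings = []
    for shortcut, target in entries:
        verdict = classify_target(target)
        if verdict != "expected":
            findings.append((shortcut, target, verdict))
    return findings


# Constructed sample: the article's C:\ProgramData\Google2\ artifact beside a legitimate entry.
SAMPLE_ENTRIES = [
    ("GoogleUpdate.lnk", r"C:\ProgramData\Google2\GoogleUpdate.exe"),
    ("Google Update.lnk", r"C:\Program Files\Google\Update\GoogleUpdate.exe"),
    ("helper.lnk", r"C:\Users\alice\AppData\Roaming\helper.exe"),
]

if __name__ == "__main__":
    for shortcut, target, verdict in triage_startup_entries(SAMPLE_ENTRIES):
        print(f"{verdict:10} {shortcut} -> {target}")
```

On a real host the entries would come from the per-user and all-users start-up folders, and the allowlist would be built from a known-good software inventory rather than a single hand-written row.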
The backdoor program gathers system information and uploads it to a command-and-control server. It also supports several commands, including one to download and execute additional files on the infected computer.

As defense technologies advance, malware evolves with them, Rong Hwa said. In this instance the malware used a number of tricks: evading sandbox analysis by detecting human behavior, evading network-level binary extraction by applying multibyte XOR encryption to executable files, masquerading as a legitimate process, evading forensic analysis by using fileless malicious code loaded directly into memory, and defeating automated domain blacklisting through redirection via URL shortening and dynamic DNS services, he said.
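The “multibyte XOR encryption of executable files” mentioned above defeats naive network-level extraction because the transferred file no longer begins with the MZ signature a carver looks for. As an added analyst-side illustration (not FireEye’s code and not from the article), the following known-plaintext check recovers a short repeating XOR key from the two fixed strings every standard PE carries, the “MZ” signature and the DOS stub text, and confirms the result by checking that the decoded header’s e_lfanew field points at a “PE\0\0” signature. The sample “executable” is a constructed minimal header rather than a real binary, and the stub-text offset 0x4E is an assumption that holds for typical linker output but not for every file.

```python
"""Recover a short repeating XOR key from an obfuscated PE using known plaintext.

Added example, not the article's or FireEye's code. Assumes the standard DOS stub text
sits at offset 0x4E, which is typical but not guaranteed for every executable.
"""
import struct

DOS_STUB = b"This program cannot be run in DOS mode."
STUB_OFFSET = 0x4E  # assumed position of the stub text in a typical PE


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR (the operation is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_key(blob: bytes, max_key_len: int = 16):
    """Try key lengths 1..max_key_len (must be <= len(DOS_STUB)); return the key or None.

    A returned key of b"\\x00" means the blob was not obfuscated at all.
    """
    if len(blob) < STUB_OFFSET + len(DOS_STUB):
        return None
    known = [(0, b"MZ"), (STUB_OFFSET, DOS_STUB)]  # (offset, expected plaintext)
    for klen in range(1, max_key_len + 1):
        key = [None] * klen
        consistent = True
        for off, plain in known:
            for i, p in enumerate(plain):
                slot = (off + i) % klen
                kb = blob[off + i] ^ p
                if key[slot] is None:
                    key[slot] = kb
                elif key[slot] != kb:
                    consistent = False  # this key length contradicts the known plaintext
                    break
            if not consistent:
                break
        if not consistent or any(k is None for k in key):
            continue
        candidate = bytes(key)
        # Known plaintext alone could match by chance; confirm the PE signature lines up.
        if looks_like_pe(xor_bytes(blob, candidate)):
            return candidate
    return None


def build_sample_pe() -> bytes:
    """Constructed stand-in for an executable: MZ header, e_lfanew, DOS stub text, PE signature."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew -> PE signature right after the header
    hdr[STUB_OFFSET:STUB_OFFSET + len(DOS_STUB)] = DOS_STUB
    return bytes(hdr) + b"PE\0\0" + bytes(20)


if __name__ == "__main__":
    sample_key = b"\x5a\x13\xc4\x07"  # constructed 4-byte key
    hidden = xor_bytes(build_sample_pe(), sample_key)
    found = recover_key(hidden)
    print("recovered key:", found.hex() if found else None)
    print("decoded looks like PE:", found is not None and looks_like_pe(xor_bytes(hidden, found)))
```

The check is deliberately limited to short keys and to the header region, which is enough to flag a transfer worth extracting and decoding for further analysis; it is not a general unpacker.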
via Sneaky malware hides behind mouse movement, experts say | PCWorld.