Some Russian campaign running over leaked emails spreads different kinds of malware. Today some fresh Ursnif with 0 detections arrived on Yahoo mail.

The domain used in my email was inactive and there was no file to download, but I found it somewhere else. In the pictures below you will find the research steps. It was easy to find a sample of the malware by searching Google for its SHA256 (d6c0ca87f712c0633eab5ac020ceaad2e256cd3251808ce7c7b45faf4042123e). The .zip file is detected, and this may be an advantage for users IF they are using an antivirus that has this sample in its database… but this is another discussion… At this moment VirusTotal says 18/57, so it is going to get better in a few hours. Now, extracting them one by one, we have a well-encrypted malware sample named Ursnif (GOZI/ISFB). This malware tries to steal banking credentials from its victims, and the hacker may gain access to the system. I will not explain the whole process at this time, but you will find how to do that in the recent post I’ve made: https://www.prodefence.org/malware-analysis-gozi-ifsb-bank-trojan-aka-ursnif/

Useful links: Urlscan with samples, VirusTotal .zip, VirusTotal .js, VirusTotal .bin
A new phishing campaign targeting fans of free iPhones. The campaign targets the victims’ credit cards with a wonderful promise to win an iPhone. Everything is visually prepared and it only remains for the victims to add their personal data.
Domains involved:
uploadocean.com/ – adverts campaign
adminlady.info – redirection
awarded.pw – promoter
radiuniverse.com – hacked domain hosting the phishing page (or just owned by the hacker)
A new software test.
Something announced as free… but it’s not really free. Today I wanted to see what level of browser hijacking is running out there. Browser hijack: “A program changes your home page, redirects browser typos to a search engine you have never heard of or to other sites. This is annoying, popping up ads and displaying unwanted sites.”
So. I have seen a lot of ”good” things like: a Java ”update”, winning iPhones, free apps, casino offers, games, some redirections… etc.
This code was injected in my browser.
”xxxx.rsc.cdn77.org installs malicious extensions, plug-ins, ads, banner ads, pop-up ads, etc. and creates a mess on your browsers. Even if you mistakenly click on any ads or link, it also redirects you to some other websites. It also uses cookies and keeps spying on your online activities like browsing history, most visited websites, login, password details, etc. The redirect virus has the ability to disable the anti-virus and other security programs without your knowledge.” Source: removemalwarevirus.com
Here you can see some of the domains I visited in this journey:
People still want to believe that money is made easily with some application and without doing anything.
Click a button and you get money.
This weakness is exploited every day.
Here is a program that promises to double the profit by pressing that magic button.
To become credible, a demonstration video is a good way. To become super credible, you make some fake accounts and comment on your own post. This is a part of social engineering, and it works.
At one point, he changed his name, seeing he had potential victims in many countries.
Let’s see the application.
MD5: 19d6d6f312ec00998d379eec9fe21aa9
SHA-1: a5d27b1cf43cb5dcd7feeea279b70588c5910e12
*the -1 is mine! lol
It has a certain detection, but insignificant.
The application does not steal, has no backdoor… It is created by: …looks like it’s his real name.. (his first name in the account is another… it seems to start with an M.) As the application configuration looks, it seems that the users who use it are sending the bitcoin to an address added by the programmer. After sending, they still expect someone to send them double the amount, but they will wait a long time and without success. And let’s not forget… this is version 6.1!?! We could continue, because he still has some programs with such schemes, but time is limited! In conclusion… I hope that Internet users will be more careful and not believe in the wonders promised by the unknown!
Remember: when something is free, you are not the customer but the product!
Hello.
Today we will investigate a phishing case.
Usually an attack of this type comes by email.
An email in which there is a text, a problem or a win, and a link.
The text is made to make you go to the prepared website.
The link is usually hidden so you cannot figure out where you are going, and the hoax is easier. Let’s start with the email I received, so you can understand how you can protect yourself.
Re: to what? Is this a response to an email that I sent to Apple? NO!… It’s a trick used to make you open the email, believing it’s a response to an email sent by you.
Apple support…. It caught your attention.
Yandex?!? Yandex Browser is a freeware web browser. But it is still important. The Apple CEO sent you an email after he hired Yandex… that’s why he’s CEO… to send emails to users…
A link is hidden behind the button.
t.co is Twitter’s URL shortener, and behind this link is the true address we reach.
The good part is that when you are redirected …Twitter and Firefox warn you about the link you want to reach.
Let’s ignore everything this time …
What you see is a clone of the Apple website.
I’m not on some cyber unit… yet….
Data entered on the fake page will be stored in the server.
So the hacker will know I’ve been around here.
Even if you log in with real data you will receive the same message to move on.
It will ask you to enter bank details to unlock your account and an identification document.
After all, it redirects you to the real Apple website and you’ll sign in to your unlocked account.
At this point you will be glad you did not lose your account, but in reality you gave the hacker all your banking data + identification documents. Still, let’s see what’s in the main domain: h**ps://rin5de.center. “Index of /” … apple.com.confirmation.account.centre: here is the clone page that was created (old and still online, 24.02.2017).
A cPanel and a hint to recover the password. 153.92.209.145:2083 Username: admin Password: ? Email: m—d@m—v.com Name servers: ns7.wixdns.net ns6.wixdns.net
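The two checks this walkthrough does by hand, expanding the t.co link to see the real destination before opening it and noticing that the clone lives under a name like apple.com.confirmation.account.centre rather than apple.com, can be scripted. The block below is an added example, not code from the original post: it follows redirects one HEAD request at a time so every hop is recorded, then flags a final URL whose hostname or path contains a brand name while the registrable domain is something else. The redirect chain embedded in the block is constructed for the demo (the t.co code is a placeholder, and the hop into rin5de.center is assumed), and the brand list is an assumption; the registrable-domain helper deliberately ignores the Public Suffix List.

```python
"""Trace a shortened link hop by hop without fetching the final page, then
flag a URL that carries a brand name (e.g. apple.com) somewhere other than
its registrable domain. Added example, not code from the original post."""
import http.client
import re
from urllib.parse import urlsplit, urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}
# Brands we want to protect; extend as needed (assumption for this demo).
BRANDS = ("apple.com", "icloud.com")


def head_fetch(url, timeout=5):
    """Live fetcher: one HEAD request, no body, no automatic redirects.
    Returns (status, Location header or None)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request("HEAD", target, headers={"User-Agent": "link-tracer/0.1"})
    resp = conn.getresponse()
    conn.close()
    return resp.status, resp.getheader("Location")


def trace_redirects(url, fetch=head_fetch, max_hops=10):
    """Follow Location headers manually so every hop is recorded.
    Raises if the chain exceeds max_hops (loops, endless bouncers)."""
    hops = [url]
    for _ in range(max_hops):
        status, location = fetch(hops[-1])
        if status not in REDIRECT_CODES or not location:
            return hops
        hops.append(urljoin(hops[-1], location))  # Location may be relative
    raise RuntimeError("more than %d redirects from %s" % (max_hops, url))


def registrable_domain(host):
    """Last two labels of the hostname. Deliberately naive: a real tool
    should consult the Public Suffix List (co.uk, com.au, ...)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_outside_domain(url, brands=BRANDS):
    """Return the brand whose labels appear, in order, in the hostname or
    path of `url` while the registrable domain is something else.
    apple.com.confirmation.account.centre and /apple.com.confirmation/ both
    trip this; appleid.apple.com and pineapple.com do not."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if registrable_domain(host) in brands:
        return None
    tokens = [t for t in re.split(r"[./]", host + parts.path.lower()) if t]
    for brand in brands:
        want = brand.split(".")
        for i in range(len(tokens) - len(want) + 1):
            if tokens[i:i + len(want)] == want:
                return brand
    return None


# Constructed offline chain standing in for the t.co link in the email;
# the short-link code is a placeholder, not the one from the post.
SAMPLE_CHAIN = {
    "https://t.co/PLACEHOLDER": (301, "https://rin5de.center/go"),
    "https://rin5de.center/go": (302, "/apple.com.confirmation.account.centre/"),
}


def sample_fetch(url):
    """Dict-backed stand-in for head_fetch so the demo runs offline."""
    return SAMPLE_CHAIN.get(url, (200, None))


def analyse(url, fetch=head_fetch):
    """Trace the chain and report the final URL plus any brand spoof."""
    hops = trace_redirects(url, fetch=fetch)
    return {"hops": hops, "final": hops[-1],
            "brand_spoof": brand_outside_domain(hops[-1])}


if __name__ == "__main__":
    report = analyse("https://t.co/PLACEHOLDER", fetch=sample_fetch)
    for i, hop in enumerate(report["hops"]):
        print(i, hop)
    print("final:", report["final"], "brand spoof:", report["brand_spoof"])
```

HEAD requests keep the tracer from rendering the phishing page, and recording every hop matters because the warning Twitter and Firefox showed here is attached to the intermediate link, not the final one. The spoof check is token based rather than a substring match, so a legitimate subdomain of the brand passes and unrelated names that merely contain the letters do not trip it.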
And today…after 10 months online…
The cPanel (153.92.209.145:2083)
I think the data I’ve entered was also convincing (Insider, cyberunit)
Hello. I have some free time and I try to deal with internet safety. I’m just a small drop of the ocean, but I’m here!
Today I will introduce you something different.
As usual, I downloaded a few pieces of software and started the analysis.
I have a ”great offer”:
Hotspot Shield VPN 7.20.8.Elite Cracked
Woooow!!!(just kidding)
We have 3 important files. Setup.exe and Update.exe appear to be archived files, and from previous posts we know what this means, but today our target is the HSS v.2.exe file.
It is noticeable that it is the most recently created file. Also, the installation method requires using this file.
OK. Let’s scan this time! VirusTotal report: 20/68 detections?!?
I mean, only 20 of the antivirus engines will see this file as a virus.
OK.
It’s normal to be seen by antivirus. It’s just a crack, a patch, etc.
You have to disable the antivirus to install it; it’s just pirated software.
Let’s get started. It looks like this .exe is actually a .rar archive. After opening, it does a lot of work in the background. We let it do its job to find out what it is doing! When everything is quiet, we see that something is left running.
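The observation that the .exe is really a .rar archive, together with the hash lookups earlier on this page (the Ursnif .zip SHA256 and the bitcoin doubler’s MD5/SHA-1), can be turned into a small offline triage step that runs before anything is executed. The block below is an added example, not code from the original posts: it reads a file’s leading bytes to determine the real container type from well-known magic values, computes MD5/SHA-1/SHA-256, and compares the digests against the hashes quoted on this page. The RAR sample bytes are constructed for the demo; the file name HSS v.2.exe is taken from the post.

```python
"""Offline triage of a downloaded file: real container type from magic
bytes, MD5/SHA-1/SHA-256 digests, and a match against a small IoC list.
Added example, not code from the original posts."""
import hashlib
import json
import sys
from pathlib import Path

# Well-known magic values; the RAR prefix covers both RAR4 and RAR5 headers.
MAGIC = [
    (b"Rar!\x1a\x07", "rar"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "pe"),          # Windows PE (.exe/.dll) starts with the DOS stub
    (b"\x7fELF", "elf"),
]

# What each claimed extension should really contain.
EXPECTED_TYPE = {"exe": "pe", "dll": "pe", "zip": "zip", "rar": "rar"}

# Hashes quoted in the posts above, lowercase hex.
IOC_HASHES = {
    "d6c0ca87f712c0633eab5ac020ceaad2e256cd3251808ce7c7b45faf4042123e",  # Ursnif .zip, SHA-256
    "19d6d6f312ec00998d379eec9fe21aa9",                                  # bitcoin "doubler", MD5
    "a5d27b1cf43cb5dcd7feeea279b70588c5910e12",                          # bitcoin "doubler", SHA-1
}


def detect_type(data):
    """Return the container type implied by the leading bytes."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def digests(data):
    """MD5, SHA-1 and SHA-256 of the whole buffer as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def triage_bytes(data, claimed_name, iocs=IOC_HASHES):
    """Combine type detection, extension check and IoC match."""
    kind = detect_type(data)
    ext = Path(claimed_name).suffix.lower().lstrip(".")
    expected = EXPECTED_TYPE.get(ext)
    hashes = digests(data)
    return {
        "name": claimed_name,
        "type": kind,
        # True when the extension promises one format and the bytes say another
        "extension_mismatch": expected is not None and expected != kind,
        "ioc_match": sorted(h for h in hashes.values() if h in iocs),
        **hashes,
    }


def triage_file(path, iocs=IOC_HASHES):
    """Triage a file on disk by path."""
    p = Path(path)
    return triage_bytes(p.read_bytes(), p.name, iocs)


# Constructed sample: a RAR5 signature followed by padding, saved under an
# .exe name as in the cracked-VPN download above.
SAMPLE_FAKE_EXE = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(json.dumps(triage_file(sys.argv[1]), indent=2))
    else:
        print(json.dumps(triage_bytes(SAMPLE_FAKE_EXE, "HSS v.2.exe"), indent=2))
```

Run it with a path argument (for example `python triage.py some_download.exe`, an assumed file name) or import `triage_file`. The `extension_mismatch` flag is what catches the renamed archive in this post, and `ioc_match` lists any digest already present in the IoC set, so a VirusTotal lookup is only needed for hashes that are not already known.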