Network computer monitoring

Monthly archives for January, 2017

This phishing email uses an unexpected trick to infect PCs with keylogger malware

Rather than using macros, this malware uses Visual Basic Script to avoid detection

Cybercriminals are targeting a major US financial services provider with malicious emails containing the tools required to install information-collecting keylogging software onto the infected systems.

Keylogging enables hackers to see everything that’s typed on the keyboard of an infected machine, which can be exploited to steal data, personal information, and login credentials.

Cybersecurity researchers at Proofpoint note that the attack is very narrow in scope, targeting users in just a single US-based financial services and insurance organisation with malicious emails. Naturally, banks are a high-profile target for cybercriminals who not only see money as a lucrative target, but also view financial institutions as a treasure trove of data to exploit.

Like many phishing threats, the email contains an attachment in the form of a Microsoft Word document, designed to deliver the payload. However, unlike most phishing emails containing malicious attachments, which use macros to avoid detection, this one uses an embedded object in the form of a Visual Basic Script that acts as a downloader for the malware.

“It is a Packager Shell Object. When content like a script is packaged as a Packager Shell Object, it can be opened and executed from within the Microsoft Office file in which it is embedded,” says Kevin Epstein, VP of the threat operations center at Proofpoint.

In this instance, the emails sent in this cyberattack include a Microsoft Word attachment named “info.doc”, which contains an image requesting that the user click on it to install Microsoft Silverlight in order to view the supposed content of the document.

However, upon closer examination of the image, researchers note that it is not a link at all, but rather an embedded Visual Basic Script file containing the code that installs the keylogging malware, which runs when the image is clicked.
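A defender’s check for the delivery method described above, added here as an example that is not code from the article or from Proofpoint: it builds a minimal .docx in memory (constructed sample data) and scans it for embedded OLE objects whose ProgID is "Package", the Packager Shell Object. The file layout it relies on (raw objects under word/embeddings/, each declared as an o:OLEObject in word/document.xml) is standard Office Open XML; the sample document itself is constructed.

```python
"""Scan a .docx for embedded Packager Shell Objects (added example, not the
article's or Proofpoint's code). Office Open XML stores raw embedded OLE
objects under word/embeddings/ and declares each one in word/document.xml
as an <o:OLEObject>; ProgID="Package" is the Packager Shell Object, which
can wrap any file type, including a script, and launch it from the document."""
import io
import zipfile
import xml.etree.ElementTree as ET

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound-file header
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
O_NS = "urn:schemas-microsoft-com:office:office"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def scan_docx(data: bytes) -> dict:
    """Return the declared OLE ProgIDs, the embedded OLE streams, and whether
    the document carries a Packager Shell Object."""
    findings = {"prog_ids": [], "ole_streams": [], "packager": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            # Raw embeddings; a genuine OLE object starts with the CFB magic.
            if name.startswith("word/embeddings/") and \
                    zf.read(name).startswith(OLE_MAGIC):
                findings["ole_streams"].append(name)
        if "word/document.xml" in names:
            root = ET.fromstring(zf.read("word/document.xml"))
            for obj in root.iter(f"{{{O_NS}}}OLEObject"):
                findings["prog_ids"].append(obj.get("ProgID", ""))
    findings["packager"] = "Package" in findings["prog_ids"]
    return findings


def build_sample_docx(prog_id: str) -> bytes:
    """Constructed sample: a minimal .docx with one embedded OLE object."""
    document_xml = (
        f'<w:document xmlns:w="{W_NS}" xmlns:o="{O_NS}" xmlns:r="{R_NS}" '
        'xmlns:v="urn:schemas-microsoft-com:vml"><w:body><w:p><w:r>'
        '<w:object><v:shape id="_x0000_i1025" style="width:96pt;height:96pt"/>'
        f'<o:OLEObject Type="Embed" ProgID="{prog_id}" ShapeID="_x0000_i1025" '
        'DrawAspect="Icon" ObjectID="_1" r:id="rId1"/></w:object>'
        '</w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document_xml)
        # Stand-in OLE stream: real header, zero-filled body (constructed).
        zf.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    for pid in ("Package", "Excel.Sheet.12"):
        print(pid, scan_docx(build_sample_docx(pid)))
```

A legitimately embedded spreadsheet (ProgID "Excel.Sheet.12") passes, while a Packager object is flagged regardless of the icon or caption shown in the document.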

Once installed on an infected system, the malware logs keystrokes and sends the information to two hard-coded Gmail addresses.

While researchers haven’t been able to specifically identify the keylogger being used in this attack, it’s written in the AutoIt scripting language and uses tools including the LaZagne password recovery utility to help gather credentials.

There’s no indication of who is behind the attacks against the unnamed financial services firm, but researchers indicate the malicious software used was obtained from a public malware repository and uploaded from Estonia. According to Proofpoint, this indicates that the keylogger may have been used in attacks against similar institutions.

Researchers note that while the malware is basic compared to other exploits, the way the keylogger is being delivered to end users represents a shift from the tried and tested method of tricking them into enabling macros.

While Microsoft Office applications can block macros by default, this threat indicates that cyberattackers are very actively developing new ways to deliver their malicious payloads.

From:http://www.zdnet.com/article/this-phishing-email-uses-an-unexpected-trick-to-infect-pcs-with-keylogger-malware/

This phishing scam poses as a charity email, delivers Ramnit banking Trojan malware

Phishing emails contain names and telephone numbers of targets.

Cybercriminals are attempting to infect people with bank data stealing Ramnit malware by using phishing emails pretending to come from a charity.

Migrant Help is a real British charity which offers support to distressed migrants arriving in the UK, but hackers are using its name in an effort to infect victims with the Ramnit banking Trojan, Action Fraud, the UK’s fraud and cybercrime centre has warned.

A phishing email with the subject ‘Thank you for choosing to donate to Migrant helpline’ is sent to the potential victim, claiming that they recently donated money to the charity.

The emails contain a fake receipt which, as noted by My Online Security, lists the target’s first and last name as well as their actual phone number. It is not clear how the scammers obtained this information, but using the target’s real name and phone number makes the email look more authentic.

The message contains a reference number and invites those with questions about their donation – which victims are likely to have if they’ve never given to Migrant Help – to click on a link which has been customised to contain the target’s name, in order to download a document supposedly containing more information.

Those who click on the link are taken to an online Word document which downloads the Ramnit payload onto the victim’s machine.

First appearing in 2010 in the form of a self-replicating computer worm, Ramnit has evolved to become much more dangerous, reaching the point where those behind it have developed it into a banking Trojan designed to steal bank customers’ login credentials for theft and fraud.

Despite being seven years old, Ramnit remains dangerous, and even accounted for the largest increase in malware attacks during November last year, with the number of infections doubling since the previous month.

Advice from Action Fraud on not becoming a victim of phishing scams is to not open attachments in unsolicited emails and to install the latest software security updates.

The police warning about the malware-distributing Migrant Help phishing scam comes shortly after City of London Police warned of a ransomware scheme targeting schools.

From:http://www.zdnet.com/article/this-phishing-scam-poses-as-a-charity-email-delivers-ramnit-banking-trojan-malware/

This ransomware targets HR departments with fake job applications

Campaign targets those who most often need to open attachments from unknown sources.

Cybercriminals are posing as job applicants as part of a new campaign to infect victims in corporate human resources departments with GoldenEye ransomware — and they’re even providing covering letters in an effort to lull targets into a false sense of security.

A variant of the Petya ransomware, GoldenEye targets human resources departments in an effort to exploit the fact that HR employees must often open emails and attachments from unknown sources.

Cybersecurity researchers at Check Point have been monitoring the campaign, which attempts to deliver ransomware to German targets using emails and attachments claiming to be from job applicants. The initial email contains a short message from the fake applicant, directing the victim to two attachments.

The first is a covering letter within a PDF which doesn’t actually contain any malicious software, but is intended to reassure the target that they’re dealing with a standard job application. However, the second attachment is an Excel file supposedly containing an application form but which in fact contains the malicious GoldenEye payload.

Upon opening the Excel attachment, the target is presented with a document which claims to be ‘Loading’ and requires them to enable macros to view the file. When macros are enabled, the GoldenEye code executes and begins encrypting the user’s files before presenting them with a ransom note in yellow text — rather than the red or green used by other Petya variants.

The note demands the victim pays a ransom of 1.3 bitcoins – around $1,000 – in order to retrieve their files. Much like other increasingly professional ransomware and cybercriminal campaigns, the perpetrators detail how the victim can acquire bitcoin on the dark web and even offer the option of exchanging messages with a GoldenEye admin if they’re having trouble with the payment or decryption process.

It’s believed by researchers that the developer behind Petya ransomware is going by the alias Janus — apparently borrowing the name of a cybercriminal group in the 1995 James Bond film GoldenEye.

The cybercriminal operation behind the GoldenEye campaign has also been known to offer ransomware-as-a-service schemes which allow almost any wannabe hacker to cash in on cyber extortion.

One way users can avoid falling victim to GoldenEye and other ransomware variants is by never enabling macros within Microsoft Office documents and being mindful of unexpected or overly generic email messages.

From:http://www.zdnet.com/article/this-ransomware-targets-hr-departments-with-fake-job-applications/

Container management and monitoring dominate Amazon Re:Invent

Third-party solutions for monitoring, managing, and protecting containers on AWS step in to fill the gaps left by Docker or Amazon

What’s hot on AWS these days? If you guessed containers, you’d be right. However, it’s no longer simply about getting containers into Amazon’s infrastructure, but about providing management, introspection, and protection functionality that Amazon can’t — or won’t.

This week at Amazon Re:Invent, various third parties unveiled solutions for container-management issues on AWS. In many cases they’re adding deeper integration with AWS to existing third-party cloud-based monitoring services.

CoreOS

CoreOS, best known for its stripped-down, container-based Linux distribution, has fused its product with Google’s Kubernetes container-management tool to create Tectonic, a full-stack product designed to be used by enterprises with a minimum of fuss. However, getting it to run on AWS hasn’t been easy, so CoreOS is now providing an AWS installer for Tectonic.

CoreOS claims to provide a consistent environment for managing containers, both in the development environment and in production — assuming you use Kubernetes or Tectonic as part of that workflow. What makes this interesting is the integration between Kubernetes and native AWS features like the Elastic Load Balancer and Auto Scaling; Tectonic makes use of what’s already in AWS rather than reinventing the wheel.

Threat Stack

Threat Stack, which offers security monitoring for applications running on AWS, is also adding integration with Docker on AWS, with monitored events logged to AWS CloudTrail. A base rule set for Docker containers is included with the product, but it can be customized as needed.

New Relic

New Relic, which makes analytic tools for applications, is also highlighting closer integration with Amazon’s native feature set. Its New Relic Software Analytics Cloud already harvests a great deal of customer data from AWS instances, but the newest version (currently in private beta) has features that enrich monitored apps with numerous AWS-specific details, such as AWS tags and metadata, or AWS’s Identity and Access Management.

Sysdig

Sysdig also announced a Docker-on-Amazon monitoring system, one of many that offer detailed information about the contents of running containers. Like Threat Stack and New Relic, Sysdig Cloud’s latest release adds support for monitoring AWS-specific metadata and tags.

As long as Docker’s features — including its security model — are seen as incomplete, third parties will step up and fill the gaps. (In CoreOS’s case, the company is offering a substitute for Docker.) And as long as Amazon keeps rolling out AWS features aimed at least-common-denominator uses, there’ll continue to be plenty of room for third parties.

From:http://www.infoworld.com/article/2990115/virtualization/container-management-and-monitoring-dominate-amazon-reinvent.html

Avalanche botnet network struck down in global operation

A concerted effort between law enforcement and cybersecurity firms has resulted in the destruction of a major botnet platform.

After four years of investigation, Europol and other agencies have moved against the prominent Avalanche botnet platform which acted as a hub for malware campaigns worldwide.

Europol publicly disclosed the operation on Thursday, made possible through partnerships with the FBI, the US Department of Justice (DoJ), the German Public Prosecutor’s Office Verden Eurojust, and technology firms including Shadowserver and Symantec.

Law enforcement agencies moved on November 30 in a takedown which disrupted the infrastructure of criminal operations in over 30 countries and US states, across 60 registries worldwide.

Five arrests were made and 37 premises searched, resulting in the seizure of 39 servers. However, a total of 221 servers were taken offline through abuse notices.

It is estimated that Avalanche is responsible for 6 million euros in damages in Germany alone through malware and money mule recruiting campaigns. It is thought that the botnet platform has facilitated the loss of hundreds of millions of euros worldwide, but Europol says “exact calculations are difficult due to the high number of malware families managed through the platform.”

In a blog post, Shadowserver said that Avalanche is a Double Fast Flux content delivery and management platform designed for the so-called “bullet-proof management of botnets.” Sinkholing was used to disrupt the botnet’s activities, which also disrupted malware families including Citadel, VMZeus, the ransomware TeslaCrypt, and Nymaim.

In total, 800,000 malicious and fraudulent domains were also seized, sinkholed, or blocked during the operation.

Avalanche has been in operation since 2009. The platform has been utilized for a variety of malware, spam, and phishing campaigns, and over one million emails have been sent as part of phishing campaigns worldwide to potential victims.

Julian King, European Commissioner for the Security Union, commented:

“Avalanche shows that we can only be successful in combating cybercrime when we work closely together, across sectors and across borders. Cybersecurity and law enforcement authorities need to work hand in hand with the private sector to tackle continuously evolving criminal methods.

The EU helps by ensuring that the right legal frameworks are in place to enable such cooperation on a daily basis.”

From:http://www.zdnet.com/article/customer-relationships-its-all-about-the-data/

System Requirements

Both OsMonitor Server and Client can run on Windows 2000, Windows XP, Windows Server 2003/2008/2012, Windows Server 2012 R2, Vista, Windows 7, Windows 8/8.1, and Windows 10, in both 32-bit and 64-bit editions.

Customer Review

We are now using your monitoring software, OsMonitor. It is great software; we are able to block non-business websites, monitor the activities of our users, websites visited and even snapshots. The majority of our needs are provided by your software.