Reportedly, over a million accounts on the Supercell community forum have been compromised after a data breach occurred in 2016.

The firm Supercell, the authors of the notorious “The Clash of Clans” mobile game admitted that accounts on Supercell community forum have been hacked. Supercell is the creator of popular games such as Clash of Clans, Hay Day, Clash Royale, and Boom Beach.

According to an official statement issued by the company, hackers compromised more than 1 million accounts in a data breach occurred in September 2016.

LeakBase confirmed that the number of affected user account is 1 million.

The cyber attack affected the Supercell community forum said in an official statement that the breach happened in September 2016 and that the site’s forums were affected. According to the company,  hackers exploited a vulnerability in the Vbulletin CMS used by Supercell for its forums.

The company confirmed that game accounts weren’t affected by the data breach.

“As we’ve said before, to provide our forum service we use software from vbulletin.com. We’re currently looking into report that a vulnerability allowed third-party hackers to gain illegal access to some forum user information, including a number of emails and encrypted passwords.” reads the official statement from the company. “Our preliminary investigation suggests that the breach happened in September 2016 and it has since been fixed. ” 

Supercell

Supercell urges users to change the password they are using on the affected forum as soon as possible. You can reset your password here:

Users can reset their password here: https://forum.supercell.com/login.php?do=lostpw

As usual, let me suggest users change the password in any other web service they are using with the same login credentials. As a general guideline, matching credentials should not be used on multiple sites.

“We take any such breaches very seriously and we follow very strict policies when it comes to security. Please note that this breach only affects our Forum service. Game accounts have not been affected.” the company added.

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs – Clash of Clans, Data breach)

The post Supercell, Clash of Clans authors, hacked. 1 Million accounts compromised appeared first on Security Affairs.

Source: securityaffairs

The popular investigator Brian Krebs published the details of his investigation on the identity of the Mirai author Anna-Senpai.

In the last months, the Mirai bot monopolized the attention of the media, it was used to power the massive DDoS attack against the Dyn DNS service causing an extended Internet outage.

A large portion of Internet users was not able to reach most important web services, many websites like including Twitter, GitHub, PayPal, Amazon, Reddit, Netflix, and Spotify were down for netizens in the US.

The same IoT botnet was used to launch a massive Distributed Denial of Service (DDoS) attack against the website of the popular cyber security investigator Brian Krebs who decided to investigate about the author of the dangerous malware.

In October a hacker released the source code of the Mirai malware, a reference to the malicious code was spotted by Brian Krebs on the popular criminal hacker forum Hackforum. The Hackforum user with moniker “Anna-senpai” shared the link to the source code of the malware “Mirai.”

“The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed ‘Mirai’ spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.” reported Krebs.

mirai author botnet

The Mirai malware was specifically designed to infect Internet of Things (IoT) devices using the credential factory settings, a circumstance that is quite common in the wild.

Brian Krebs believes to have discovered the real identity of the mysterious Anna-senpai, his name is Paras Jha, the owner of a distributed denial-of-service (DDoS) attack mitigation company ProTraf Solutions.

“After months of gathering information about the apparent authors of Mirai, I heard from Ammar Zuberi, once a co-worker of ProTraf President Paras Jha.

Zuberi told KrebsOnSecurity that Jha admitted he was responsible for both Mirai and the Rutgers DDoS attacks. Zuberi said when he visited Jha at his Rutgers University dorm in October 2015, Paras bragged to him about launching the DDoS attacks against Rutgers.” wrote Krebs.

“He was laughing and bragging about how he was going to get a security guy at the school fired, and how they raised school fees because of him,” Zuberi recalled.  “He didn’t really say why he did it, but I think he was just sort of experimenting with how far he could go with these attacks.””

The man alleged created the Mirai botnet and spread it to recruit the largest number of IoT devices.

Krebs reported that in 2014, an earlier variant of the Mirai botnet was used to launch DDoS attacks against Minecraft servers which can generate up to US$50,000 a month.

Krebs discovered that Jha along with other players developed the Mirai bot and used it to power an attack against the Minecraft servers to lure disgruntled customers. The providers that ignored Jha’s requests were hit by massive DDoS attacks.

Krebs explained that Jha contacted upstream providers to request the shutdown of rival IoT firms, then he developed the Mirai bot to attack rival Qbot botnets.

Krebs cited a Webinar presented on December 16, by the experts at the firm Digital Shadows that exposed the findings on the investigation about the Mirai author’s real life identity. According to Digital Shadows, the person behind the Anna-Senpai moniker also used the nickname “Ogmemes123123” and the email address ogmemes123123@gmail.com. He also discovered that the Mirai author has used another nickname, “OG_Richard_Stallman,” a clear reference to the founder of the Free Software Foundation. The ogmemes123123@gmail.com account was also used to register a Facebook account in the name of OG_Richard Stallman.

That Facebook account reports that OG_Richard_Stallman began studying computer engineering at New Brunswick, NJ-based Rutgers University in 2015., the same University attended by Paras Jha. The Rutgers University suffered a series of DDoS attacks on its systems since 2015, the attacker suggested the school purchase a DDoS mitigation service.

Krebs also highlighted that the skills listed on Jha’s LinkedIn page are the same of the Mirai author Anna-senpai ‘s HackForums.

The Krebs’s analysis is very intriguing and full of details … enjoy it!

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs – Anna-senpai, Mirai Author)

The post Which is the real identity of the Mirai Author Anna-Senpai? appeared first on Security Affairs.

Source: securityaffairs

The popular encrypted email provider ProtonMail has launched the Tor Hidden Service to provide further protection to its users.

ProtonMail is the world’s largest encrypted email provider with over 2 million users worldwide. Its popularity exploded just after the US presidential election, its users include journalists, activists, businesses, and normal people that want to protect their security and privacy. The service is a free and open source, featuring strong end-to-end encryption and protected by Swiss privacy laws.

Implementing a Tor hidden service for ProtonMail Tor has numerous advantages for end-users, communications are protected by supplementary layers of encryption, user’ IP address is masqueraded by the anonymizing network, and such kind of service is able to bypass government censorship.

“There are several reasons why you might want to use ProtonMail over Tor. First, routing your traffic to ProtonMail through the Tor network makes it difficult for an adversary wiretapping your internet connection to know that you are using ProtonMail. Tor applies extra encryption layers on top of your connection, making it more difficult for an advanced attacker to perform a man-in-the-middle attack on your connection to us. Tor also makes your connections to ProtonMail anonymous as we will not be able to see the true IP address of your connection to ProtonMail.”  a onion site,” ProtonMail explained in a blog post.

“Tor can also help with ProtonMail accessibility. If ProtonMail becomes blocked in your country, it may be possible to reach ProtonMail by going to our onion site. Furthermore, onion sites are “hidden” services in the sense that an adversary cannot easily determine their physical location. Thus, while protonmail.com could be attacked by DDoS attacks, protonirockerxow.onion cannot be attacked in the same way because an attacker will not be able to find a public IP address.”

The onion address for the ProtonMail Tor service:

https://protonirockerxow.onion

Just for curiosity, the above address was generated by the company used spare CPU capacity to generate millions of encryption keys and then hashed them aiming to generate a more human readable hash. The address it can be easily remembered as:

proton i rocker xow

ProtonMail

ProtonMail published detailed instructions on how to setup Tor and how to access the service over Tor. For example, in order to use the ProtonMail hidden service is it necessary to enable Javascript.Tor Browser disables Javascript by default, but you will need it for our onion site. You can do this by clicking the “NoScript” button and selecting “Temporarily allow all this page”:

“Tor Browser disables Javascript by default, but you will need it for our onion site. You can do this by clicking the “NoScript” button and selecting “Temporarily allow all this page”” reads the ProtonMail page.

The ProtonMail hidden service only accepts HTTPS connections, it uses a digital certificate issued by Digicert, the same CA used by Facebook for its Tor hidden service.

The ProtonMail hidden service could be reached via a desktop web browser and both iOS and Android apps.

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs – ProtonMail, Tor)

The post ProtonMail announced that its Tor Hidden Service is online appeared first on Security Affairs.

Source: securityaffairs

The independent malware research @Xylit0l discovered the Satan ransomware, a malware belonging to the Gen:Trojan.Heur2.FU family.

Yesterday the independent malware research @Xylit0l discovered the Satan ransomware, a malware belonging to the Gen:Trojan.Heur2.FU family. Satan is provided as a RaaS (Ransomware-as-a-Service).

The Satan ransomware used RSA-2048 and AES-256 cryptography, it appends the names of encrypted files with the “.stn” extension.

Satan

“As mentioned above, Satan’s developers provide a service allowing prospective cyber criminals to make money by distributing this ransomware. In exchange, developers receive 30% of revenues generated by users.” Reads the analysis published on pcrisk.com.

“The Satan platform has a user-friendly interface, it is really simple to use to create your own ransomware. Users just need to have a Bitcoin wallet to use for ransom payment. Wannabe criminals must specify the ransom amount in Bitcoin and furthermore they can decide to increase the amount of money to pay after a specific deadline.”

“Now, the most important part: the bitcoin paid by the victim will be credited to your account. We will keep a 30% fee of the income, so, if you specified a 1 BTC ransom, you will get 0.7 BTC and we will get 0.3 BTC. The fee will become lower depending on the number of infections and payments you have.” Reads the adv for the Satan Platform.

The Satan platform implements multiple services, including a dropper builder that is able to obfuscate malware code to avoid detection by virus scanners.

Satan

The RaaS solutions also allows used to choose a language different from English or Portuguese. The platform also allows crooks to update their ransomware.

Satan

Satan, while crypt,  changes files’ extension in .stn for example myfile.txt in myfile.txt.stn.

Satan, once encrypted the files, creates an HTML file (HELP_DECRYPT_FILES.html) on desktop containing the ransomware note and instructions for the payment.

Crooks encourage victims to pay ransom to receive the private key for decrypt files. But never pay any ransom or attempt to contact these cyber criminals, because there is no guarantee that your files will be decrypted!.

Satan uses several anti-evasion and anti-debugging techniques, for example, it doesn’t run on a virtual machine making it difficult to analyze.

In a couple of days, crooks already released two version of the Satan platform.

Written by: @GranetMan

Granet is a young and Junior IT Security Researcher, he is passionate in Linux, Arduino, Digital Forensics, Cyber Security, Free software and Malware Analysis

 

 

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs – Satan ransomware, RaaS)

The post Satan, the ransomware-as-a-service surfaced in the dark web appeared first on Security Affairs.

Source: securityaffairs

Ukrenergo confirmed that preliminary results of its investigation showed that the Ukraine power outage occurred in December was caused by hackers.

In December 2016, the Government Ukraine energy company Ukrenergo suffered a severe power outage that affected the ”North” substation at Pivnichna. The incident caused blackouts in the city of Kiev and neighboring regions.

The head of the NEC “Ukrenergo” Vsevolod Kovalchuk explained in a message posted on Facebook that experts at the company were able to restore power in 30 minutes with a manual procedure. According to Kovalchuk, the operations were fully restored after just over an hour.

Kovalchuk pointed out that an equipment malfunction or a cyber attack can be the cause of the problem. According to Kovalchuk, an “external interference through the data network” could have caused the power outage.

Ukraine power outage

 

In a statement sent via email to SecurityWeek on this, Ukrenergo confirmed that preliminary results of its investigation showed that the normal operation of workstations and SCADA systems had been disrupted due to “external influences.”

Once broken in the target network, attackers used a malware to gain a remote control of systems at the power plant. Experts are still investigating to establish a timeline of events and identify the entry point of the hackers. They don’t exclude that the threat could still be inside the target network in a dormant state.

The company is working to secure its system by implementing organizational and technological measures that would make its systems resilient to further attacks.

“The cyber-security company Information Systems Security Partners (ISSP) has linked the incident to a hack and blackout in 2015 that affected 225,000.” reported the BBC. “ISSP, a Ukrainian company investigating the incidents on behalf of Ukrenergo, now appears to be suggesting a firmer link.

It said that both the 2015 and 2016 attacks were connected, along with a series of hacks on other state institutions this December, including the national railway system, several government ministries and a national pension fund.

Oleksii Yasnskiy, head of ISSP labs, said: “The attacks in 2016 and 2015 were not much different – the only distinction was that the attacks of 2016 became more complex and were much better organised.“”

Who is behind the power outage?

Intelligence experts suspect blames the Russia one again.

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs – Ukrenergo, hacking)

The post 2016 Christmas Ukraine power outage was caused by hackers appeared first on Security Affairs.

Source: securityaffairs

A simple sequence of three character-long text message containing Emoji can cause the block and the reboot os iPhones and iPads running iOS 10.1 or below.

A new Apple’s iOS bug was discovered in the community of mobile tech experts, it can be exploited to crash iPhone or iPad devices by just sending an Emoji text message.

Several users are already reporting the issue and the popular YouTube EverythingApplePro published a video proof-of-concept for the bug. In the video is reported an example of the sequence of characters that temporarily freeze an iPhone causing the device restarting.

The sequence is composed of a white Flag emoji, the digit “0” and a Rainbow emoji. The issue is linked to the way that iOS creates the rainbow flag emoji that is not an official emoji, Apple creates the rainbow flag Emoji by combining the code behind the two white flag and rainbow emoji. Apple iOS joins them by using a hidden character known as a VS16. The iPhone attempts to combine the two emoji, but is unable to because of the zero in the middle.

Emoji Text message crash

Source http://www.magazine49.com/archives/48106

There are also other ways to crash the Apple mobile device, another hack leverages the same characters used in a contact file that is sent to an iMessage contact via the iCloud’s sharing feature.

“Both the methods mentioned above will crash and iPhone or iPad to varying degrees, although the simple text string sent via a standard iMessage appears to affect iPhones and iPads running iOS 10.1 or below.” reported The Hacker News. “However, the boobytrapped contact card affects all versions of iOS 10, including Apple’s latest iOS 10.2 operating system.”

Users have to upgrade their version to the last one in order to prevent such kind of attacks.

Emoji text iPhone-freezing video

In November the EverythingApplePro reported that most of the Apple devices were crashing when the owners play a video. An iPhone-freezing video circulated online, when users played it in the Safari browser the iPhones slow down until they stop working altogether.

The iPhone-freezing video was first discovered by EverythingApplePro, it is a short .mp4 clip of someone standing by a bed with the words “Honey” written across the screen.

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs – iPhone-freezing Emoji text message, hacking)

The post Crashing iPhone Or iPad with a simple Emoji text message appeared first on Security Affairs.

Source: securityaffairs

The US-CERT has issued a warning after the Shadow Brokers hackers have offered to sell what it claims to be an SMB Zero-Day exploit.

The United States Computer Emergency Readiness Team (US-CERT) has issued a warning after the Shadow Brokers hacker group has offered to sell what it claims to be an SMB Zero-Day exploit.

The Shadow Brokers is the hacker crew that leaked a portion of the arsenal of the NSA-Linked Equation Group, a database containing hacking tools and exploits.

A few days ago the notorious hacker group Shadow Brokers announced the sale of an archive of  Windows exploits and hacking tools stolen from the Equation group.

The mysterious hacking group has apparently decided to put an end to their failed attempts to sell exploits and hacking tools they claimed to have stolen from the NSA-linked Equation Group.

While the group claims to have decided to retire, the stolen exploits are still up for sale for the price of 10,000 bitcoins (roughly $8.7 million at the current exchange).

The precious archive seems to include also a zero-day exploit targeting the Server Message Block (SMB) network file sharing protocol.

“In response to public reporting of a potential Server Message Block (SMB) vulnerability, US-CERT is providing known best practices related to SMB. This service is universally available for Windows systems, and legacy versions of SMB protocols could allow a remote attacker to obtain sensitive information from affected systems,” US-CERT said.

Giving a close look at the list published by Shadow Brokers team it is possible to note a tool that claims to be an SMB Zero-Day exploit that goes for 250 bitcoins. The hackers describe the exploit as a remote code execution zero-day targeting SMB. The group is offering it under the name “SMB cloaked backdoor” for 50 bitcoins, but the complete package includes IIS, RDP RPC and SMB exploits for 250 bitcoins.

SMB Zero-Day Shadow Brokers

The US-CERT has advised users and administrators to consider disabling SMB v1, and block all versions of SMB at the network boundary. SMB typically uses port 445 (TCP/UDP), ports 137 and 138 (UDP), and port 139 (TCP).

The US-CERT provided the following recommendations to users and administrators:

  • disabling SMB v1 and
  • blocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.

Anyway, it is important to consider that disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices.

“The benefits of mitigation should be weighed against potential disruptions to users. For more information on SMB, please review Microsoft Security Advisories 2696547(link is external) and 204279(link is external).” continues the advisory.

The US-CERT has already issued in the past an alert following a Shadow Brokers initiative, in September it warned organizations after the hacker crew leaked exploitation tools flaws affecting Cisco ASA solutions.

“In August 2016, a group known as “Shadow Brokers” publicly released a large number of files, including exploitation tools for both old and newly exposed vulnerabilities. Cisco ASA devices were found to be vulnerable to the released exploit code. In response, Cisco released an update to address a newly disclosed Cisco ASA Simple Network Management Protocol (SNMP) remote code execution vulnerability (CVE-2016-6366).”

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs – SMB Zero-Day, ShadowBrokers)

The post US-CERT – Warning, Shadow Brokers Hackers are offering an SMB Zero-Day exploit appeared first on Security Affairs.

Source: securityaffairs

Researchers at Malwarebytes have discovered the first Mac malware of 2017, dubbed Quimitchin, that was used against  biomedical research institutions.

Security experts have spotted the first Mac malware of 2017, dubbed Quimitchin,  and it is considered a malicious code not particularly sophisticated and includes some antiquated code.

According to the researchers from Malwarebytes, the code has been in the wild for several years and was used in targeted attacks against biomedical research institutions.

The Quimitchin spyware was discovered by an IT admin who noticed an anomalous traffic from a certain Mac in his network.

The malicious code is composed of two only two files:

  • A .plist file that simply keeps the .client running at all times.
  • A .client file containing the malicious payload, a minified and obfuscated Perl script.

The main features implemented by the payload are the screen captures and webcam access.

“The script also includes some code for taking screen captures via shell commands. Interestingly, it has code to do this both using the Mac “screencapture” command and the Linux “xwd” command. It also has code to get the system’s uptime, using the Mac “uptime” command or the Linux “cat /proc/uptime” command.” reads the analysis published by MalwareBytes.

The ability of the malware to exfiltrate data from anything it can access, and the nature of the targets, biomedical facilities, suggest that threat actors behind the attacks were conducting a cyber espionage campaign.

Quimitchin

The Quimitchin uses antique system calls, and the analysis of its code revealed the use of the open source libjpeg code, which was last updated in 1998.

“These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days. In addition, the binary also includes the open source libjpeg code, which was last updated in 1998.” continues the analysis.

“The Java class appears to be capable of receiving commands to do various tasks, which include yet another method of capturing the screen, getting the screen size and mouse cursor position, changing the mouse position, simulating mouse clicks, and simulating key presses. This component appears to be intended to provide a kind of rudimentary remote control functionality.”

Experts from Malwarebytes suspect that there is also a specific Linux variant in the wild because they have found Linux shell commands in the code of the scripts.

The security firm also found two Windows executable file that communicated with the same C&C server, in one case the Windows code used the same libjpeg library.

Despite the Quimitchin is not so complex, it continues to properly work avoiding the detection, something similar to the EyePyramid code.

Why a code like Quimitchin wasn’t detected for so long time?

Expert believe that is was using in a limited number of targeted attack so he was not spotted before.

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs – Quimitchin spyware, cyber espionage)

The post Quimitchin, a Mac backdoor that includes antiquated code appeared first on Security Affairs.

Source: securityaffairs

A new ransomware campaign has targeted the not-for-profit cancer services organisation “Little Red Door” requesting a US$44,000 ransom.

A new ransomware campaign has targeted a not-for-profit cancer services organisation, the Little Red Door. The organization provides a number of cancer support services, including diagnostics and treatment.

The system at the agency was infected by a ransomware last Wednesday, January 11, 2017, at around 10:00 PM.

According to the Associated Press a ransomware infected its server and demanded a 50 bitcoin ransom (roughly US$44,000) in order to decrypt the files.

ransomware

“A ransomware group has infected the computers of an Indiana-based cancer agency and have asked for a large payment of 50 Bitcoin ($44,800).” reported Bleepingcomputer.com.

“The victim is Cancer Services of East Central Indiana-Little Red Door, an organization that helps “reduce the financial and emotional burdens of those dealing with a cancer diagnosis.“”

The Little Red Door Executive director, Aimee Fant, confirmed that data of the organization was stored in unspecified cloud storage.

The singularity of this specific ransomware attack it the fact crooks demanding the ransom directly to the cancer agency’s staff via phone and email.

“First, they sent text messages to the agency’s Executive Director, President, and Vice President phones, and then they sent a standardized “form letter” via email. The emails contained detailed payment instructions, but also several threats.” added bleepingcomputer.com.

According to the cancer agency’s Executive Director Aimee Fant, the group threatened to contact family members of living and deceased cancer clients, donors and community partners.

The organization, of course, will not pay the ransom because its money has to be used to provide the necessary services to cancer patients and their families.

“The agency will not raise money to pay the criminals’ ransom,” Fant said.

This is really a sad story, the organization has no choice, it has to replace the infected server and store the old one in the hope a security firm or law enforcement will find decryption keys during their operations.

The agency plans to replace the server with a “secure cloud-based” platform and hopes to be restored operations within the week.

The attack was reported by the organization to the FBI.

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs –  ransomware, cybercrime)

The post US cancer agency targeted by a singular ransomware attack appeared first on Security Affairs.

Source: securityaffairs

The infamous Carbanak cybercrime gang is back and is leveraging Google services for command-and-control of its malicious codes.

The dreaded Carbanak cybercrime gang is back and is adopting a new tactic for its attacks, it is leveraging Google services for command-and-control of its malware.

The criminal organization is named Carbanak cybergang because of the name of the malware they used to compromise computers at banks and other financial institutions, experts estimated that the hackers swiped over $1 Billion from their victims.

 The majority of financial institutions victims of the gang are located in Russia, but many other attacks have been detected in other countries, including Japan, Europe and in the United States.

Carbanak targets

Figure 1 – Map of Infections, 2015 Attacks against financial Institutions (Kaspersky Lab)

The investigators discovered that the “Carbanak cybergang” hit more than 100 financial institutions in 30 countries, it has been active at least since 2013 and there are strong indications that it may still be ongoing.

Now researchers from Forcepoint Security Labs have spotted a new campaign conducted by the Carbanak gang that exploits Google’s Apps Script, Sheets, and Forms cloud-based services to control their malicious code.

The attack vector is a trojanized RTF document with an encoded Visual Basic script that is spread via email.

Forcepoint Security Labs™ recently investigated a trojanized RTF document which we tied to the Carbank criminal gang. The document contains an encoded Visual Basic Script (VBScript) typical of previous Carbanak malware. Recent samples of the malware have now included the ability to use Google services for command-and-control (C&C) communication. We have notified Google of the abuse and are working with them to share additional information.” reads the analysis published by Forcepoint.

“For each infected user a unique Google Sheets spreadsheet is dynamically created in order to manage each victim. The use of a legitimate third party service like this one gives the attacker the ability to hide in plain sight,” Forcepoint wrote in a blog post today.

 Carbanak

 

 

The crooks used the “ggldr” script to send and receive commands to and from Google Apps Script, Google Sheets, and Google Forms services.

Hackers used to create a unique Google Sheets spreadsheet for each infected user, in this way they attempted to avoid detection.

“The use of a legitimate third party service like this one gives the attacker the ability to hide in plain sight. It is unlikely that these hosted Google services are blocked by default in an organization, so it is more likely that the attacker will establish a C&C channel successfully.” states the report.

The following diagram describes the way the Carbanak cybercrime gang exploited the Google Services as C&C.

 

Once infected the victim’s machine, the malware first attempt to contact the hard-coded Google Apps Script URL with the user’s unique infection ID. Because no spreadsheet currently exists for the specific victim, the malware will then send two requests to another hard-coded Google Forms URL which will result in the creation of unique Google Sheets spreadsheet and Google Form IDs for the victim.

The second time the Google Apps Script is requested by the malicious code, the C&C will return the unique Google Sheet and Google Form ID values.

“The “entry” value is also a unique ID which is sent with each subsequent Google Forms C&C request.” 

Let me suggest to read the report that also includes the IoCs for this specific threat.

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs –  bank hacking, Carbanak cybergang)

The post The Carbanak gang is with a new modus operandi, Google services as C&C appeared first on Security Affairs.

Source: securityaffairs