The popular investigator Brian Krebs published the details of his investigation on the identity of the Mirai author Anna-Senpai.

In the last months, the Mirai bot monopolized the attention of the media, it was used to power the massive DDoS attack against the Dyn DNS service causing an extended Internet outage.

A large portion of Internet users was not able to reach most important web services, many websites like including Twitter, GitHub, PayPal, Amazon, Reddit, Netflix, and Spotify were down for netizens in the US.

The same IoT botnet was used to launch a massive Distributed Denial of Service (DDoS) attack against the website of the popular cyber security investigator Brian Krebs who decided to investigate about the author of the dangerous malware.

In October a hacker released the source code of the Mirai malware, a reference to the malicious code was spotted by Brian Krebs on the popular criminal hacker forum Hackforum. The Hackforum user with moniker “Anna-senpai” shared the link to the source code of the malware “Mirai.”

“The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed ‘Mirai’ spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.” reported Krebs.

mirai author botnet

The Mirai malware was specifically designed to infect Internet of Things (IoT) devices using the credential factory settings, a circumstance that is quite common in the wild.

Brian Krebs believes to have discovered the real identity of the mysterious Anna-senpai, his name is Paras Jha, the owner of a distributed denial-of-service (DDoS) attack mitigation company ProTraf Solutions.

“After months of gathering information about the apparent authors of Mirai, I heard from Ammar Zuberi, once a co-worker of ProTraf President Paras Jha.

Zuberi told KrebsOnSecurity that Jha admitted he was responsible for both Mirai and the Rutgers DDoS attacks. Zuberi said when he visited Jha at his Rutgers University dorm in October 2015, Paras bragged to him about launching the DDoS attacks against Rutgers.” wrote Krebs.

“He was laughing and bragging about how he was going to get a security guy at the school fired, and how they raised school fees because of him,” Zuberi recalled.  “He didn’t really say why he did it, but I think he was just sort of experimenting with how far he could go with these attacks.””

The man alleged created the Mirai botnet and spread it to recruit the largest number of IoT devices.

Krebs reported that in 2014, an earlier variant of the Mirai botnet was used to launch DDoS attacks against Minecraft servers which can generate up to US$50,000 a month.

Krebs discovered that Jha along with other players developed the Mirai bot and used it to power an attack against the Minecraft servers to lure disgruntled customers. The providers that ignored Jha’s requests were hit by massive DDoS attacks.

Krebs explained that Jha contacted upstream providers to request the shutdown of rival IoT firms, then he developed the Mirai bot to attack rival Qbot botnets.

Krebs cited a Webinar presented on December 16, by the experts at the firm Digital Shadows that exposed the findings on the investigation about the Mirai author’s real life identity. According to Digital Shadows, the person behind the Anna-Senpai moniker also used the nickname “Ogmemes123123” and the email address He also discovered that the Mirai author has used another nickname, “OG_Richard_Stallman,” a clear reference to the founder of the Free Software Foundation. The account was also used to register a Facebook account in the name of OG_Richard Stallman.

That Facebook account reports that OG_Richard_Stallman began studying computer engineering at New Brunswick, NJ-based Rutgers University in 2015., the same University attended by Paras Jha. The Rutgers University suffered a series of DDoS attacks on its systems since 2015, the attacker suggested the school purchase a DDoS mitigation service.

Krebs also highlighted that the skills listed on Jha’s LinkedIn page are the same of the Mirai author Anna-senpai ‘s HackForums.

The Krebs’s analysis is very intriguing and full of details … enjoy it!

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs – Anna-senpai, Mirai Author)

The post Which is the real identity of the Mirai Author Anna-Senpai? appeared first on Security Affairs.

Source: securityaffairs

Western Union has agreed to forfeit $586 million and enter into agreements with the Federal Trade Commission, the Justice Department, and several U.S. Attorneys’ Offices. Western Union admits to criminal violations including willfully failing to maintain an effective anti-money laundering program and aiding and abetting wire fraud. “As this case shows, wiring money can be the fastest way to send it – directly into the pockets of criminals and scam artists,” said Acting Assistant Attorney … More
Source: helpnetsecurity

A new ransomware campaign has targeted the not-for-profit cancer services organisation “Little Red Door” requesting a US$44,000 ransom.

A new ransomware campaign has targeted a not-for-profit cancer services organisation, the Little Red Door. The organization provides a number of cancer support services, including diagnostics and treatment.

The system at the agency was infected by a ransomware last Wednesday, January 11, 2017, at around 10:00 PM.

According to the Associated Press a ransomware infected its server and demanded a 50 bitcoin ransom (roughly US$44,000) in order to decrypt the files.


“A ransomware group has infected the computers of an Indiana-based cancer agency and have asked for a large payment of 50 Bitcoin ($44,800).” reported

“The victim is Cancer Services of East Central Indiana-Little Red Door, an organization that helps “reduce the financial and emotional burdens of those dealing with a cancer diagnosis.“”

The Little Red Door Executive director, Aimee Fant, confirmed that data of the organization was stored in unspecified cloud storage.

The singularity of this specific ransomware attack it the fact crooks demanding the ransom directly to the cancer agency’s staff via phone and email.

“First, they sent text messages to the agency’s Executive Director, President, and Vice President phones, and then they sent a standardized “form letter” via email. The emails contained detailed payment instructions, but also several threats.” added

According to the cancer agency’s Executive Director Aimee Fant, the group threatened to contact family members of living and deceased cancer clients, donors and community partners.

The organization, of course, will not pay the ransom because its money has to be used to provide the necessary services to cancer patients and their families.

“The agency will not raise money to pay the criminals’ ransom,” Fant said.

This is really a sad story, the organization has no choice, it has to replace the infected server and store the old one in the hope a security firm or law enforcement will find decryption keys during their operations.

The agency plans to replace the server with a “secure cloud-based” platform and hopes to be restored operations within the week.

The attack was reported by the organization to the FBI.

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs –  ransomware, cybercrime)

The post US cancer agency targeted by a singular ransomware attack appeared first on Security Affairs.

Source: securityaffairs

The infamous Carbanak cybercrime gang is back and is leveraging Google services for command-and-control of its malicious codes.

The dreaded Carbanak cybercrime gang is back and is adopting a new tactic for its attacks, it is leveraging Google services for command-and-control of its malware.

The criminal organization is named Carbanak cybergang because of the name of the malware they used to compromise computers at banks and other financial institutions, experts estimated that the hackers swiped over $1 Billion from their victims.

 The majority of financial institutions victims of the gang are located in Russia, but many other attacks have been detected in other countries, including Japan, Europe and in the United States.

Carbanak targets

Figure 1 – Map of Infections, 2015 Attacks against financial Institutions (Kaspersky Lab)

The investigators discovered that the “Carbanak cybergang” hit more than 100 financial institutions in 30 countries, it has been active at least since 2013 and there are strong indications that it may still be ongoing.

Now researchers from Forcepoint Security Labs have spotted a new campaign conducted by the Carbanak gang that exploits Google’s Apps Script, Sheets, and Forms cloud-based services to control their malicious code.

The attack vector is a trojanized RTF document with an encoded Visual Basic script that is spread via email.

Forcepoint Security Labs™ recently investigated a trojanized RTF document which we tied to the Carbank criminal gang. The document contains an encoded Visual Basic Script (VBScript) typical of previous Carbanak malware. Recent samples of the malware have now included the ability to use Google services for command-and-control (C&C) communication. We have notified Google of the abuse and are working with them to share additional information.” reads the analysis published by Forcepoint.

“For each infected user a unique Google Sheets spreadsheet is dynamically created in order to manage each victim. The use of a legitimate third party service like this one gives the attacker the ability to hide in plain sight,” Forcepoint wrote in a blog post today.




The crooks used the “ggldr” script to send and receive commands to and from Google Apps Script, Google Sheets, and Google Forms services.

Hackers used to create a unique Google Sheets spreadsheet for each infected user, in this way they attempted to avoid detection.

“The use of a legitimate third party service like this one gives the attacker the ability to hide in plain sight. It is unlikely that these hosted Google services are blocked by default in an organization, so it is more likely that the attacker will establish a C&C channel successfully.” states the report.

The following diagram describes the way the Carbanak cybercrime gang exploited the Google Services as C&C.


Once infected the victim’s machine, the malware first attempt to contact the hard-coded Google Apps Script URL with the user’s unique infection ID. Because no spreadsheet currently exists for the specific victim, the malware will then send two requests to another hard-coded Google Forms URL which will result in the creation of unique Google Sheets spreadsheet and Google Form IDs for the victim.

The second time the Google Apps Script is requested by the malicious code, the C&C will return the unique Google Sheet and Google Form ID values.

“The “entry” value is also a unique ID which is sent with each subsequent Google Forms C&C request.” 

Let me suggest to read the report that also includes the IoCs for this specific threat.

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs –  bank hacking, Carbanak cybergang)

The post The Carbanak gang is with a new modus operandi, Google services as C&C appeared first on Security Affairs.

Source: securityaffairs

Malware researchers from the MalwareHunterTeam have discovered a new strain of ransomware dubbed Popcorn Time on the Dark Web.

Malware researchers from MalwareHunterTeam have spotted a new ransomware, dubbed Popcorn Time, that appears to be still under development.

The researchers at MalwareHunterTeam found the Popcorn Time ransomware code on the Dark Web.

This ransomware comes with a singular feature, it allows victims to either pay up or they can opt to infect two others using a referral link. Then is the two other potential victims pay the ransom the original target receives a free key to unlock his encrypted files.

“Time that intends to give victim‘s a very unusual, and criminal, way of getting a free decryption key for their files.  With Popcorn Time, not only can a victim pay a ransom to get their files back, but they can also try to infect two other people and have them pay the ransom in order to get a free key.” wrote Lawrence Abrams from

The researchers noticed that the ransom note offers two options, pay up the ransom or spread the infections.

“We are sorry to say that your computer and your files have been encrypted, but wait, don’t worry. There is a way you can restore your computer and all of your files… Send the link below to other people, if two or more people will install the file and pay, we will decrypt your files for free.” states the ransom note.

Popcorn Time ransomware

Lawrence explained that it is the first ransomware ever seen with this characteristic.

Abrams, who analyzed the code of the ransomware, said it is incomplete, some of the command and control servers are not working and there are many features that still have to be developed.

The ransom note demands 1 bitcoin, victims have a limited number of attempts to provide a decryption key.

“To make matters worse, there is unfinished code in the ransomware that may indicate that if a user enters the wrong decryption key 4 times, the ransomware will start deleting files.” added Abrams.

The Popcorn Time ransomware is able to encrypt more than 500 file types using AES-256 encryption. The malware appends the .filock extension to the encrypted files.

The ransom note reveals that the authors of the Popcorn Time ransomware developers claim to be “a group of computer science students from Syria.”

Another interesting aspect of this ransomware is the content of the note who promises that ransomware proceeds will go to food, medicine, and shelter for the victims of the civil war in Syria.

“We are extremely sorry that we are forcing you to pay,” states the note.

More info on the threat are available on

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs – Popcorn Time ransomware, cybercrime)

The post Popcorn Time ransomware, pay up the ransom or spread it to decrypt the files appeared first on Security Affairs.

Source: securityaffairs

Cyber criminals are exploiting the capability of the Mirai botnet to use the STOMP Protocol to launch massive DDoS attacks.

The Linux Mirai IoT malware is one of the most popular cyber threats in the moment, its botnet was used to power the massive attacks against the Dyn DNS service, OVH, Brian Krebs’ blog, and likely against the Liberia.

The source code of the Mirai botnet was leaked online on the Hackforum by the user with moniker “Anna-senpai.”

Experts from FlashPoint spotted more than 500,000 vulnerable devices in the wild, the countries with the highest number of vulnerable devices are Vietnam (80,000), Brazil (62,000) and Turkey (40,000).


The Mirai botnet implements various attack vectors, including the STOMP flooding method.

STOMP is a simple application layer, text-based protocol that allows clients communicate with other message brokers. It implements a communication method among for applications developed using different programming languages.

According to experts from Imperva firm , the bot is able to flood the targets with junk STOMP packets.

“In our analysis of Mirai, the malware that recently brought down KrebsOnSecurity and the Dyn DNS service, we described different attack vectors its botnet is programmed to use. Of these, STOMP (Simple Text Oriented Messaging Protocol) floods stood out, largely because this protocol isn’t often used in DDoS assaults.” reads the analysis published by Imperva.

“We decided we should further explain how Mirai uses floods of junk STOMP packets to bring down targeted websites.”

A typical STOMP request is data structure composed of a command, followed by headers in the form <key>: <value> (one per line), and of course a body content ending in a null character.

“A typical STOMP request is a “frame” consisting of a number of lines. The first line contains a command, followed by headers in the form <key>: <value> (one per line). This is followed by body content ending in a null character.” states the analysis.

“Servers use a similar format of headers and body content to respond to the client through a MESSAGE, RECEIPT or ERROR frame.”

Experts from Imperva explained that a TCP STOMP flood is a variation of the common ACK flood attack.

Below the steps of the DDoS STOMP attack:

  • A botnet device uses STOMP to open an authenticated TCP handshake with a targeted application.
  • Once authenticated, junk data disguised as a STOMP TCP request is sent to the target.
  • The flood of fake STOMP requests leads to network saturation.
  • If the target is programmed to parse STOMP requests, the attack may also exhaust server resources. Even if the system drops the junk packets, resources are still used to determine if the message is corrupted.

“Interestingly, the recent attacks shared some similarities with the TCP POST flood we warned about several months ago. Both are attempts at targeting an architectural soft spot in hybrid mitigation deployments.” continues the analysis.

“In these setups, network layer attacks are filtered off-premise, while application layer assaults are mitigated on-premise. This creates a bottleneck that application layer instances can exploit to clog network pipes (explained in more detail here).”

The analysis of the botnet source code reveals that each STOMP attack request is set by default at 768 bytes. Attackers can leverage on a botnet composed of over 100,000 devices that is able to shut down target networks with a 5–10Gbps burst uplink.

A method to mitigate TCP STOMP attack consists in the identification and filtering of malicious requests and filtering them out before they’re able to travel through the network.

Identifying requests is quite simple, the real problem is to discover where such requests are dropped.

“Currently, STOMP assaults are rare. But as the use of Mirai malware becomes increasingly more common, it’s likely we’ll see more of them in the near future. Their existence highlights the importance of off-prem filtering,” Imperva concludes.

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs –  Mirai botnet , STOMP)

The post Mirai botnet leverages STOMP Protocol to power DDoS attacks appeared first on Security Affairs.

Source: securityaffairs

Three UK, a telecom and ISP operating in the United Kingdom, has suffered a data breach. According to Three’s status report on the investigation, the attackers were able to access the company’s customer upgrade system by using login credentials of an employee, and their goal was to steal high-end smartphones. “Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of … More
Source: helpnetsecurity

The amount of phishing emails containing a form of ransomware grew to 97.25 percent during the third quarter of 2016 up from 92 percent in Q1. PhishMe’s Q3 2016 Malware Review identified three major trends previously recorded throughout 2016, but have come to full fruition in the last few months: Locky continues to dominate: While numerous encryption ransomware varieties have been identified in 2016, Locky has demonstrated adaptability and longevity. Ransomware encryption: The proportion of … More
Source: helpnetsecurity