Catch of the Day


Here’s my catch of the day for you: Friday Jan 6 2017

There’s a New APT in town: BaneChant or “MM Core,” was discovered in April 2013 by FireEye researchers who then noticed some of its interesting features. The Trojan was designed to collect information about the infected computer and set up a backdoor for remote access. New versions have been identified recently in the Middle east, Asia, Africa and US. Targets are media, government, telecommunications and energy. Keynotes: this malware evades sandboxing by detecting mouse clicks. As well, it has a shortened URL to avoid blacklisting. To be expected it has shared certificates, likely stolen. According to Forcepoint’s Nicholas Griffin, “Ultimately this suggests that MM Core may be a part of a larger operation that is yet to be fully uncovered”. What’s also interesting – the name Bane comes from, yes, Bane from Batman, because of where the URL is supposedly tied to.Per Fireeye, the malware attempts to:

  1. Evade sandbox by detecting human behaviors (multiple mouse clicks);
  2. Evade network binary extraction technology by performing multi-byte XOR encryption on executable file;
  3. Social engineer user into thinking that the malware is legitimate;
  4. Avoid forensic and incidence response by using fileless malicious codes; and
  5. Prevent automated domain blacklisting by using redirection via URL shortening and Dynamic DNS services.

FireCrypt Ransomware:  Would you like a side of DDoS with that? This is another recent discovery as ransomware continues to evolve.  This variant launches a DDoS attack against a URL hardcoded in the source code by continuously connecting to the URL and downloading junk from it to fills up the machine’s %Temp% folder.  Features: this code can be disguised under PDF or DOC icons; attackers can slightly modify the binary for a different hash; this can create polymorphic malware that evades AV.  Note that this is very similar to the “deadly with a good purpose” ransomware released in Oct 2016.  The opinion is that this is that variety just rebranded.  DDoS activities appear to currently target Pakistan’s Telco Authority. However, the attack is relatively ineffective in this configuration as DDoS requires massive mobilization.

Ransomware on Android Smart TVs: You can’t change the channel
This is not the added feature you were looking for. Ransomware has been on Android phones for a few years, so this is the extension, and was discovered a year ago in the wild. This Christmas, it was reported when someone downloaded ransomware with a movie-watching app on a three year old TV. And the screen locker does not work the same on TVs as it does on phones and computers. So any attempt to click and comply to free the screen doesn’t work. In this story, LG was able to give the victim a solution that worked, and the ransomware only was a screenlocker, not a file encrypter.  But Smart tv’s have USB ports so folks can load pics and personally valuable files. These can become infected through that connection.

FTC files suit against D-Link – Strike 1 IoT:  There has been much talk about trying to regulate the lack of security released with the ever-growing Internet of Things. Now, we may have a precedent. The US FTC has filed a lawsuit against well-known manufacturer D-Link, whose SOHO devices are in many homes. The charge is that D-Link put “thousands of customers at risk of unauthorized access by failing to secure its IP cameras and routers”. And there have been plenty of security issues written up for their products. The suit claims the company “repeatedly have failed to take reasonable software testing and remediation measures to protect their routers and IP cameras against well-known and easily preventable software security flaws”.

1 thought on “Catch of the Day

  1. Pingback: Week 1 – 2017 – This Week In 4n6

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s