
Technology

A New Strain Of ‘Houdini’ Malware Is On Sale For $50 Per Month In The Black Market

The new Houdini malware targets financial institutions and their customers.


A new strain of the Houdini malware known as Hworm has been discovered, and it is now on sale in black markets on a $50-per-month subscription.
A new strain of the Houdini malware known as Hworm has been discovered. Photo: Christoph Scholz | Flickr | CC BY-SA 2.0

When someone mentions Houdini, the name almost instantly recalls the world’s greatest magician and escape artist. But cybercriminals have found a way to turn the man’s legacy into something feared and unwanted. A new strain of the Houdini worm has been detected by security researchers, and it has launched a new series of campaigns against financial institutions and their customers.

A few days ago, a report from cybersecurity researchers from Cofense confirmed that a new strain of the Houdini malware – also known as Hworm – was released by its creators on June 2, 2019.

The new Houdini malware took only five days to start wreaking havoc and seeking out victims via malicious phishing campaigns. According to the report, the main goal of the malware is to steal online banking credentials, which the culprits could later use to make fraudulent online purchases. It uses a tool dubbed WSH Remote Access Tool (RAT).

“Houdini Worm (HWorm) – a misleading name because it has more in common with a bot or RAT than a worm – has existed since at least 2013 and shares extreme similarities with what is undoubtedly its malignant siblings: njRAT and njWorm. This new iteration comes ported to JavaScript (JS) from HWorm’s original codebase of Visual Basic. WSH is likely a reference to the legitimate Windows Script Host, which is an application used to execute scripts on Windows machines,” wrote the researchers in a blog post.

How does it work?

The cybercriminals disguised the phishing emails as legitimate messages from various financial institutions and banks; one bank whose branding the attackers used is HSBC. The fraudulent emails carry .MHT web archive attachments, which behave the same way as HTML files.

The phishing email delivering WSH RAT within an attachment. Photo: Cofense

“The email attachment contained an MHT file that is used by threat operators in the same way as HTML files. In this case, the MHT file contained an href link which when opened, directed victims to a .zip archive containing a version of WSH RAT,” they added.

When the MHT file, which contains a web link, is opened, it directs the victim to a .zip archive containing the WSH RAT payload. WSH RAT uses the same configuration structure that Hworm uses for this process.

WSH RAT is a version of HWorm ported to JavaScript from HWorm’s original Visual Basic code base, but it behaves in the same manner as the original malware. The Trojan not only uses the same Base64-encoded data, which Cofense describes as “mangled”, but also the same configuration strings, with default variables named and organized in the same way in both pieces of malicious code.

The Trojan first contacts a command-and-control server run by the cybercriminal and requests three additional .tar.gz files. Despite the extension, these files are PE32 executables that give the Trojan a Windows keylogger, a mail credential viewer, and a browser credential viewer module.
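The delivery chain above (an .MHT attachment whose HTML carries a link to a .zip download) is something a mail-security or incident-response team can triage automatically. The script below is an added example and is not code from the article or from Cofense. An MHT file is a MIME multipart/related container with the page HTML as one part, so Python’s standard library can parse it: the code extracts every anchor href from the HTML parts and flags those whose path ends in an archive extension. The sample MHT, the `example.invalid` domain and the extension list are constructed assumptions, not indicators from the campaign.

```python
"""Triage an .MHT e-mail attachment for links that fetch archive downloads.

Added example (not code from the article or from Cofense): an MHT file is a
MIME multipart/related container with the page's HTML as one part, so the
standard library can parse it. The functions below pull every href out of
the HTML part and flag those whose path ends in an archive extension, the
lure pattern described for the WSH RAT phishing campaign.
"""
from __future__ import annotations

import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions worth flagging in a lure; an assumption, extend as needed.
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".tar.gz", ".iso", ".img")


class _HrefCollector(HTMLParser):
    """Collect href attribute values from anchor tags, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag: str, attrs: list[tuple[str, str | None]]) -> None:
        if tag.lower() != "a":
            return
        for name, value in attrs:
            if name.lower() == "href" and value:
                self.hrefs.append(value.strip())


def extract_links(mht_text: str) -> list[str]:
    """Return every anchor href found in the HTML parts of an MHT file."""
    message = email.message_from_string(mht_text, policy=policy.default)
    collector = _HrefCollector()
    for part in message.walk():
        if part.get_content_type() != "text/html":
            continue
        # get_content() undoes the quoted-printable/base64 transfer encoding
        # and decodes the declared charset, giving plain HTML text.
        collector.feed(part.get_content())
    return collector.hrefs


def is_archive_link(url: str) -> bool:
    """True when the URL path (not the query string) ends in a flagged extension."""
    return urlparse(url).path.lower().endswith(ARCHIVE_EXTENSIONS)


def analyse_mht(mht_text: str) -> dict[str, list[str]]:
    """Summarise an MHT attachment: all links and the archive-fetching subset."""
    links = extract_links(mht_text)
    return {"links": links, "archive_links": [u for u in links if is_archive_link(u)]}


# Constructed sample lure; example.invalid is a reserved placeholder domain,
# not an indicator from the campaign. "=3D" is quoted-printable for "=".
SAMPLE_MHT = """Subject: Payment advice
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_Part_01"

------=_Part_01
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Location: file:///C:/advice.html

<html><body>
<p>Please review the attached payment advice.</p>
<a href=3D"http://example.invalid/downloads/advice.zip">Download notice</a>
<a href=3D"https://www.example.invalid/contact">Contact us</a>
</body></html>
------=_Part_01--
"""

if __name__ == "__main__":
    report = analyse_mht(SAMPLE_MHT)
    for url in report["links"]:
        marker = "ARCHIVE" if url in report["archive_links"] else "ok"
        print(f"{marker:8} {url}")
```

Extension matching is only lure-level triage: the article itself notes that the follow-on downloads arrive as .tar.gz names but are really PE32 executables, so anything the link fetches still needs content inspection (magic bytes, detonation in a sandbox) rather than trust in its file name.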

It is also noteworthy that these modules were developed by other third parties and cannot be attributed to the original creator of the Houdini worm. Furthermore, reports reveal that the malware is being actively sold in underground forums and on the black market, on a subscription basis priced at $50 per month. Sellers market their product by waxing eloquent about WSH RAT’s Windows XP and Windows 10 compatibility, evasion techniques, and credential-stealing capabilities, among other features.

New malware variants are sprouting

Only recently, researchers from Google discovered a Linux-based strain of another prevalent malware, Winnti, which has been linked to a high-value attack by Chinese hackers against a Vietnamese gaming company a few years back.

The discovery was made by Chronicle, Alphabet’s cybersecurity unit. The researchers revealed that they found a Linux variant of the Winnti malware that works as a backdoor on infected hosts, granting attackers access to compromised systems.

According to Chronicle, the malware it discovered comes in two parts: a rootkit that hides the malware on the infected host, and the actual backdoor Trojan. Further analysis showed that the Linux variant of Winnti bears many similarities to the malware’s Windows version, including the similar way in which the Linux variant handles outbound communications with its command-and-control (C&C) server, using a mixture of protocols (ICMP, HTTP, and custom TCP and UDP protocols).

A consumer tech and cybersecurity journalist who does content marketing while daydreaming about having unlimited coffee for life and getting a pet llama.

Technology

Google Hits Back: ‘We Do Not Work With The Chinese Military’

Google denies all allegations made by Peter Thiel.


Photo: Travis Wise | Flickr | CC BY 2.0

When White House Adviser and Facebook Board Member Peter Thiel suggested that Google should be investigated for its “treasonous” behavior, and for working with the Chinese military, President Donald Trump agreed.

But now Google is hitting back at the allegations that the San Francisco-based tech superpower is working with China and its army. “As we have said before, we do not work with the Chinese military,” Google said in a statement shared with The Independent.

Earlier today, President Trump affirmatively responded to Thiel’s suggestion that the Federal Bureau of Investigation (FBI) and the Central Intelligence Agency (CIA) should investigate Google for its refusal to work with the US Department of Defense, and over the accusation that the company has a relationship with its Asian counterpart.

In a Twitter storm, President Trump praised Peter Thiel, saying that he is a “great and brilliant guy who knows this subject better than anyone.” The American chief-of-staff also echoed the sentiments of Thiel and pronounced that the “Trump Administration will investigate.”

The allegations made by Thiel stem from a previous deal that Google backed out of. In 2018, Google decided to withdraw from a contract with the U.S. Department of Defense for the development of artificial intelligence (AI) technology, citing specific ethical issues with the projects that it could not be involved in.

Thiel questions “how many foreign intelligence agencies have infiltrated your Manhattan Project for AI.” Furthermore, he also asked whether or not Google’s senior executives consider the possibility that the company has been infiltrated by foreign intelligence.

The “billionaire and tech businessman,” Thiel further questions if Google chose to work with the Chinese military instead of the US Department of Defense since “they are making the sort of bad, short-term rationalistic [decision] that if the technology doesn’t go out the front door, it gets stolen out the backdoor anyway?”

According to Axios’ report, there are no public documents that stipulate any infiltration by foreign intelligence of Google. However, they said that Thiel owns a company called Palantir, which works with the Trump Administration, and has access to millions worth of government data, including American private information. Nonetheless, it is still unclear if Thiel’s assertions are motivated by any personal and classified knowledge he drew from his relationship with the White House.

Trump vs. Google

Google and the White House having a beef against each other is not new. In fact, only recently, an exposé by the independent investigative journalist group, Project Veritas, alleges that several Google executives and senior employees have a political bias against President Trump and his administration.

A video released by Project Veritas, which has since been removed from the platform by YouTube, shows a senior employee at the company appearing to admit that the company plans to interfere in the next presidential election to stop Donald Trump.

The video is still available on the Project Veritas website and features undercover footage of a top Google employee, Jen Gennai, who argues that Google should not be broken up since it still needs to stop the re-election of the President and only it can prevent the “next Trump situation.”

“Elizabeth Warren is saying we should break up Google. And like, I love her but she’s very misguided, like that will not make it better it will make it worse, because all these smaller companies who don’t have the same resources that we do will be charged with preventing the next Trump situation, it’s like a small company cannot do that,” the video revealed appearing to be said by Gennai.

In the same video, Gennai also appears to declare that Trump’s victory in the 2016 elections “screwed us (Google).”

“We all got screwed over in 2016; again it wasn’t just us, it was, the people got screwed over, the news media got screwed over, like, everybody got screwed over, so we’re rapidly like, happened there and how do we prevent it from happening again,” she added.

“We’re also training our algorithms, like, if 2016 happened again, would we have, would the outcome be different?”


Technology

FCC Commissioner Geoffrey Starks Is Disappointed With How Carriers Are Moving To Block Robocalls By Default


Photo: FCC Website

A month after the Federal Communications Commission voted to allow telecom carriers and service providers to block spam calls and other forms of robocalls by default, the regulating body seems to be very disappointed with how telecom companies responded to the regulation.

In June, FCC Commissioner Geoffrey Starks sent letters to major telecom providers in the US to expedite their implementation of the new ruling and to come up with policies and features that would, once and for all, address the growing problem of robocalls in the U.S.

Today, the disappointed Commissioner published the responses of major telecom carriers to his letters, along with his public reply on how slowly the companies are implementing the necessary improvements to their systems.

“I appreciate the timely responses to my letters. Transparency is critical to good policymaking, so I am publicly releasing the complete responses of the carriers – so that everyone can read their responses in their own words. Despite historically clamoring for new tools, it does not appear that all providers have acted with haste to deploy opt-out robocall blocking services,” said Commissioner Geoffrey Starks.

“The Commission spoke clearly: we expect opt-out call blocking services to be offered to consumers for free. Reviewing the substance of these responses, by and large, carriers’ plans for these services are far from clear,” he lamented.

In June 2019, Commissioner Starks voted on a Declaratory Ruling and Third Further Notice of Proposed Rulemaking that clarified that voice service providers could, without violating Commission rules, deploy call blocking offered to consumers by default on an informed opt-out basis. The action expressed the Commission’s expectation that these services would be offered to consumers for free and, at Commissioner Starks’ request, directed Commission staff to prepare reports on the state of deployment of robocall blocking tools, including whether fees are being charged for the services.

“The reports will be submitted to the Commission no later than 12 months, for the first report, and 24 months, for the second report, after the publication of the item in the Federal Register. Following the delivery of the first report, the Commission will assess whether consumers are being charged and if so, will seek comment on rules requiring providers that offer these services to do so for free,” says the statement from Commissioner Starks.

Furthermore, the Further Notice of Proposed Rulemaking would propose a safe harbor for providers that implement network-wide blocking of calls that fail caller authentication under the SHAKEN/STIR framework once it is implemented.

“Allowing call blocking by default could be a big benefit for consumers who are sick and tired of robocalls. By making it clear that such call blocking is allowed, the FCC will give voice service providers the legal certainty they need to block unwanted calls from the outset so that consumers never have to get them,” said Chairman Pai. “And, if this decision is adopted, I strongly encourage carriers to begin providing these services by default—for free—to their current and future customers. I hope my colleagues will join me in supporting this latest attack on unwanted robocalls and spoofing.”

In response to that order, Commissioner Starks asked 14 telecoms to inform the Commission of their plans to offer free robocall-blocking services by default.

Unwanted calls, including illegal robocalls, are the top consumer complaint at the FCC, with more than 200,000 received annually. Some private analyses estimate that U.S. consumers received approximately 2.4 billion robocalls per month in 2016. Advancements in technology make it cheap and easy to make robocalls and to “spoof” Caller ID information to hide the caller’s true identity.

Last week, telecom giant AT&T announced that it is blocking fraud robocalls by default at no extra charge. However, its more advanced and more accurate blocking features come with a $4 monthly price tag.

The new anti-robocall feature is an expansion of the existing AT&T program called Call Protect. New AT&T Mobility consumer lines will come with the anti-robocall service, and millions of existing AT&T customers will have it automatically added to their accounts over the coming months.

Other telecom companies also said they have made progress on the FCC order, but Commissioner Starks’ message tells us that they are not doing the best that they can.


Technology

Meet ‘Agent Smith’: The New Wave Of Android Malware

It has already affected 25 million Android users globally.


Photo: rick | Flickr | CC BY 2.0

Android is known to be one of the most vulnerable operating systems. Because of its customization features and its wide array of compatible apps, malware and other malicious code can spread through Android devices with relative ease. This is highlighted by reports claiming that a new wave of Android malware is creeping onto Android devices through malicious apps.

The malware, known as Agent Smith, has already affected more than 25 million Android users around the world. The sneaky malware, as explained by IT security company Check Point, is “disguised as a Google-related application, and exploits known Android vulnerabilities and automatically replaces installed apps with malicious versions without users’ knowledge or interaction.”

While the researchers said they found no evidence that Agent Smith collects unauthorized data, the persistence of the malware on a device is enough for other threat actors to exploit the weakness it creates.

According to the researchers, Android users remain unaware that the Agent Smith malware has infected their devices because there is no direct download for it. Instead, the malware arrives after the user downloads games and other apps from a third-party marketplace.

The comprehensive research on the Agent Smith malware was conducted by Aviran Hazum, Feixiang He, Inbal Marom, Bogdan Melnykov, and Andrey Polkovnichenko of Check Point. According to the researchers, the malware strain works in three different phases.

Agent Smith attack flow. Photo: Check Point

The first phase involves a dropper app that lures victims into installing it voluntarily. The initial dropper carries a weaponized Feng Shui Bundle as encrypted asset files. Dropper variants are usually barely functioning photo utilities, games, or adult-content apps. “The dropper automatically decrypts and installs its core malware APK, which later conducts malicious patching and app updates. The core malware is usually disguised as Google Updater, Google Update for U, or “com.google.vending.” The core malware’s icon is hidden,” they said.

“The core malware extracts the device’s installed app list. If it finds apps on its prey list (hard-coded or sent from C&C server), it will extract the base APK of the target innocent app on the device, patch the APK with malicious ads modules, install the APK back and replace the original one as if it is an update,” they added.

The “core” module contacts the C&C server, trying to get a fresh list of applications to search for, or if that fails, use a default app list:

  • WhatsApp
  • lenovo.anyshare.gps
  • mxtech.videoplayer.ad
  • jio.jioplay.tv
  • jio.media.jiobeats
  • jiochat.jiochatapp
  • jio.join
  • good.gamecollection
  • opera.mini.native
  • startv.hotstar
  • meitu.beautyplusme
  • domobile.applock
  • touchtype.swiftkey
  • flipkart.android
  • cn.xender
  • eterno
  • truecaller

According to the researchers, the dropper app is distributed through a third-party app marketplace called 9Apps, a store backed by the UC team and targeted mostly at Indian (Hindi), Arabic, and Indonesian users.

They also revealed that the malware seems to target mainly Indian users. However, reports from the US, Australia, and other regions show that the persistence of the malware is rather global.

“‘Agent Smith’ droppers show a very greedy infection tactic. It’s not enough for this malware family to swap just one innocent application with an infected double. It does so for every app on the device as long as the package names are on its prey list,” the researchers explained.

“Over time, this campaign will also infect the same device, repeatedly, with the latest malicious patches. This leads us to estimate there to be over 2.8 billion infections in total, on around 25 Million unique devices, meaning that on average, each victim would have suffered roughly 112 swaps of innocent applications.”

The researchers said that while Agent Smith primarily exploits users by pushing ads for financial gain, it has a plethora of implications, especially since users are usually unaware that their devices are already infected. In the end, they said that fighting malicious actors in the Android ecosystem is a community effort.

“The “Agent Smith” campaign serves as a sharp reminder that effort from system developers alone is not enough to build a secure Android eco-system. It requires attention and action from system developers, device manufacturers, app developers, and users, so that vulnerability fixes are patched, distributed, adopted and installed in time,” the researchers concluded.
