Information Security News (Sep-22-2016)
--RAUM weaponizes torrents to deliver malware--(Sep-21-2016)
A new and sophisticated tool dubbed RAUM has been uncovered that targets naïve torrent users who download popular software or media content and then replaces the desired content with malware.
The internet security company InfoArmor reported that RAUM has been used to essentially “weaponize” torrents to spread a variety of ransomware families, including CryptXXX, CTB-Locker and Cerber, the online-banking Trojan Dridex and the password-stealing spyware Pony. It does this through a two-pronged attack.
“RAUM is a special system developed by the owners of the identified underground malicious network, used for two things - analysis of trending torrent files on torrent trackers with a high number of downloads, and further repacking of these files with malware for further distribution. The system uploads the final weaponized torrent file to the same trackers under various stolen user accounts, having good reputation there,” Andrew Komarov, InfoArmor's CIO, told SCMagazine.com in an email.
Once the most popular content being downloaded at that time is identified, say a pirated version of Microsoft Windows or Office, the legitimate files are extracted and replaced with malware. The Pirate Bay and Extra Torrent are among the trackers being used, InfoArmor said.
“Later, they upload them to the same trackers, and other trackers, using stolen credentials of ‘seeders', having good reputations on them, as it helps their files to be distributed better. In such a way, they infect a big number of users systematically,” Komarov added.
RAUM stands out as a malicious tool as it goes after those least likely to understand the dangers of using torrents.
“This is a pretty unique, but very efficient, model of ransomware and malware delivery, as the people downloading torrents are not very experienced from a security perspective, and it is really big. The bad actors optimize costs on malware delivery, and in such cases they don't need to spend resources on acquisition of new exploits and "loads" services,” he said.
RAUM, and similar tools, also pose a threat to corporations as their employees may use personal devices to access torrent content, which are then connected to the company network.
“It bypasses firewalls and perimeter defenses, entering via BYOD and corporate assets used offline (off of the corporate domain) for downloading, etc.; completely blocking all software downloads on corporate assets is no longer pragmatic for many companies. This underscores that organizational security defenses must include the ability to identify malware by the behaviors it exhibits within the network and at endpoints. Signature solutions are wholly insufficient,” said Lastline CMO Bert Rankin to SCMagazine.com in an email.
There is no direct defense against RAUM other than not using torrent services, Komarov said.
--Nullbyte ransomware going after Pokemon Go players--(Sep-02-2016)
Two very disparate pieces of news focused on the popular mobile game Pokemon Go broke today: a new version of ransomware leveraging the game has been discovered, and Sen. Al Franken (D-Minn.) plans to continue investigating privacy issues with the game.
Bleeping Computer is reporting that a variant of DetoxCrypto ransomware called Nullbyte is on the loose, pulling in victims by pretending to be the NecroBot Pokemon Go bot app. Bleeping Computer is crediting a researcher who goes by the Twitter name xXToffeeXx with the initial discovery of Nullbyte.
“This ransomware is distributed from a Github project that pretends to be a rebuilt version of the NecroBot application in the hopes that people will download it thinking it was the legitimate application,” wrote Bleeping Computer's Lawrence Abrams.
Once the ransomware is downloaded and the files are encrypted, the screen is locked and a ransom note demanding 0.1 bitcoin, or about $57, is displayed. Abrams said a decryptor is available from cybersecurity researcher Michael Gillespie.
On the privacy front, Franken and Pokemon Go creator Niantic exchanged letters with the senator stating in a written response dated September 1 that he appreciates Niantic's response, but added “I intend to work further with the company in the future to ensure that we're doing everything possible to protect the privacy of Americans—particularly American children—who play Pokémon GO.”
Niantic's seven-page letter, dated August 26, gave Franken a quick primer on the game's genesis, how it is played and what permissions are asked of its players. In the letter, Niantic's General Counsel Courtney Greene-Power attempts to answer several questions posed by Franken in a letter he sent to the company on July 12. This included an explanation of why cookies and beacons are collected and how younger children are protected.
--Pokemon GO CEO linked to Google 'Wi-Spy' privacy scandal--(Aug-10-2016)
Even after quelling the initial privacy issues that arose with the launch of Pokemon Go, Niantic Labs CEO John Hanke has a checkered history when it comes to privacy that may leave some users uneasy.
Hanke was the head of Google's Geo division during the “Wi-Spy” scandal, in which Google was found to have illegally collected digital traffic from unencrypted home networks, including passwords, email messages, medical records, financial information, and audio and video files, according to The Intercept.
The division was in charge of the vehicles used to collect the data for what would become Google's Street View feature.
When Niantic broke away from Google, it reportedly brought with it a patent that discusses how a game such as Pokemon Go could be used to collect real-world data from a user without their knowledge, the publication said.
Last month, the Electronic Privacy Information Center wrote a letter asking the FTC to investigate the privacy risks of the game, citing the game's collection of detailed location history and its camera access.
--Incomplete version of 'Hitler-Ransonware' discovered--(Aug-10-2016)
A security analyst discovered an unfinished version of a new strain of ransomware. The malware, dubbed Hitler-Ransomware – or actually “Hitler-Ransonware” – appears to be under development.
The malware does not encrypt any files and is likely a test variant, according to BleepingComputer's founder, Lawrence Abrams. In a blog post, Abrams noted that the batch file removes the extensions of all files under common user-profile folders, including Pictures, Documents, Downloads, Music, Videos, Contacts, Links, Desktop, Sample Pictures, Sample Music, and Sample Videos.
“While the ransomware is running it will constantly look for any processes that have the names taskmgr, utilman, sethc, or cmd,” Abrams wrote. “If one of these processes is detected, it will terminate them.”
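A defender-side check suggested by the extension-stripping behaviour described above, added here as an example and not code from the article or from any of the researchers quoted: it compares a baseline file listing of a user profile with a current one and flags the targeted folders where files have lost their extensions wholesale. The folder list comes from the article; the profile paths and the two snapshot listings are constructed.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Folders the article says the batch file targets; everything else is ignored.
TARGET_FOLDERS = {"Pictures", "Documents", "Downloads", "Music", "Videos",
                  "Contacts", "Links", "Desktop", "Sample Pictures",
                  "Sample Music", "Sample Videos"}

def folder_of(path):
    """Return the first targeted profile folder in the path, or None."""
    for part in PureWindowsPath(path).parts:
        if part in TARGET_FOLDERS:
            return part
    return None

def detect_extension_stripping(baseline, current, threshold=0.5):
    """Report folders where at least `threshold` of the files that had an
    extension in `baseline` now exist only as the same name without it.
    Returns {folder: (files_stripped, files_checked)}."""
    present = set(current)
    lost, total = defaultdict(int), defaultdict(int)
    for path in baseline:
        folder, p = folder_of(path), PureWindowsPath(path)
        if folder is None or not p.suffix:
            continue  # outside the watched folders, or had no extension anyway
        total[folder] += 1
        if path not in present and str(p.with_suffix("")) in present:
            lost[folder] += 1  # "cat.jpg" vanished and "cat" appeared in its place
    return {f: (lost[f], total[f]) for f in total
            if lost[f] / total[f] >= threshold}

# Constructed sample listings (not from the article): snapshots of one profile
# before and after a run that stripped every file under Pictures.
BASELINE = [r"C:\Users\alice\Pictures\cat.jpg",
            r"C:\Users\alice\Pictures\dog.png",
            r"C:\Users\alice\Documents\notes.docx",
            r"C:\Users\alice\Documents\budget.xlsx",
            r"C:\Users\alice\Documents\cv.pdf",
            r"C:\Users\alice\AppData\Local\app.log"]
CURRENT = [r"C:\Users\alice\Pictures\cat",
           r"C:\Users\alice\Pictures\dog",
           r"C:\Users\alice\Documents\notes.docx",
           r"C:\Users\alice\Documents\budget",
           r"C:\Users\alice\Documents\cv.pdf",
           r"C:\Users\alice\AppData\Local\app.log"]

if __name__ == "__main__":
    print(detect_extension_stripping(BASELINE, CURRENT))  # {'Pictures': (2, 2)}
```

A single renamed file in Documents stays below the threshold, so only the folder that was stripped wholesale is reported.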
The ransomware lock screen displays a photo of Adolf Hitler giving the Nazi salute, accompanied by the message “Your Files was encrypted!” AVG malware analyst Jakub Kroustek announced his discovery with a snarky tweet mocking the developer's grammar: *sigh* #Hitler #Ransomware. #GrammarNazi.
Plixer Director of IT and Services Thomas Pore said in email correspondence with SCMagazine.com that the string of German text in the batch file as well as other indicators suggested that “we will likely see a more mature version popping up shortly.”