jRAT Adwind Malware

Large Phishing Campaign seen to be delivering jRAT (Adwind) Malware

Target: Global threat

Attack Vector: A phishing campaign dropping the malware

Summary: A large phishing campaign is spreading the jRAT Trojan, also known as Adwind, under the guise of a well-crafted UPS tracking email. The unknown actors attempt to trick victims into downloading the Java-based malware with the aim of remotely accessing their devices. The malware has historically hit more than 1,500 organizations in over 100 countries.

Risk assessment summary: The threat is assessed as 3d MODERATE. It is still a live, wide-reaching campaign, and it is a realistic possibility that several companies will be affected. The threat from information stealers is directly financial, and loss of intellectual property is likely where an infection takes place. The precise risk depends on the type of information held by the company, whether that is customer Personally Identifiable Information or the data of the individual whose device is infected.

 

Targeting SWIFT

City Union Bank publicly announced that malicious actors had gained access to its systems and transferred approximately 1.3m in three transactions over the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network. In a separate case, a reported 6 million was stolen by hackers using the SWIFT system. Despite enhanced security around SWIFT, which launched a scanning service designed to spot fraudulent transactions in April 2017, fraudulent activity continues to make headlines.

Last week, a report by the Russian central bank made brief mention of an attack against an unnamed Russian bank. The most likely subject of this reference is the attack against Globex in December 2017, but it could also refer to a suspected attack by the MoneyTaker group on a Russian interbank transfer system that performs a similar service to SWIFT. As attacks against these networks, often dubbed cyberheists, have come back to the fore, a historical analysis of previous attacks demonstrates the sophistication of actors that are willing and able to target such a high-profile system.

It is important to note that SWIFT, the member-owned organization that provides secure financial messaging over a standardized proprietary communications platform, says its own systems have never been compromised by hackers. Although SWIFT offers no further official commentary, and detailed accounts of individual cases are rare, there have been several known instances where the network has been used to send fraudulent wire-transfer requests. In the cases identified, the attackers compromised devices that were owned by the targeted bank and connected to the network, rather than SWIFT's own infrastructure.

In addition to the Russian and Indian examples described this week, $81m was taken from Bangladesh Bank (the country's central bank), 43m from Taiwan's Far Eastern International Bank and $3.1m from Nepal's NIC Asia Bank in separate attacks during 2016 and 2017. The Bangladesh attack gained the most notoriety, both because of speculation about Advanced Persistent Threat (APT) involvement, specifically North Korean actors, and because the subsequent investigation identified a spelling error in one of the transfer requests as the reason the attackers obtained only $81m of an attempted $1bn.

Open source reporting on the attacks indicates that sophisticated, often bespoke, malware is the main threat vector. How that malware initially reached the end device, however, remains unclear in most cases.

According to researchers at McAfee and BAE Systems, the Hermes ransomware was used as a diversion in the Taiwanese attack. The ransomware is thought to have originated from the Lazarus group, a threat actor known to be affiliated with North Korea and linked to the Bangladesh attack. In a similar vein, Symantec identified the Carbanak APT group using the Odinaff Trojan to target SWIFT users in October 2016. If genuine, the tools leaked from the NSA-affiliated Equation Group by the Shadow Brokers suggest that this group had also penetrated the SWIFT network via Middle East banks.

Open source trends show that over the last four years a SWIFT network attack has been reported on average every 10 months. This figure is skewed by the lag between the time of an attack and the time it is reported, which varies enormously. The frequency and publicity of public disclosures, however, are increasing. This means that in the mid to long term, SWIFT attacks are highly likely to dominate headlines and cybersecurity attention.

Ransomware

Ransomware is software that encrypts the victim's files, and in some cases the whole disk, and then extorts payment, usually in bitcoin, for the decryption key. When the ransom is paid, the key is supposed to be given to the victim, who can then recover the encrypted data; there is no guarantee that it will be. Some ransomware also encrypts any attached backup drives, so a backup that is permanently mounted offers little protection. Ransomware has been used against many individuals and was recently used against several hospitals. It is a very lucrative area for the bad actors (the offensive team). Some have capitalized even further on their investment by running ransomware help desks that walk victims through payment. To pay or not to pay: that will be the dilemma when ransomware strikes you or your company.
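Two of the cheapest signals that a ransomware run is in progress follow directly from the description above: the files being written suddenly have the near-uniform byte distribution of ciphertext, and many files are renamed to a new extension in a short burst. The following is an added example, not code from the original page, that implements both heuristics in Python. The entropy threshold, the extension list and the sample document and rename events are all constructed for the example, and the SHA-256 counter-mode keystream is only a stand-in for a real cipher so the demonstration runs offline and reproducibly.

```python
import hashlib
import math
import os
from collections import Counter

# Files whose byte distribution is near-uniform (close to 8 bits/byte) are
# either encrypted or already compressed. The threshold is an assumption made
# for this example; tune it against your own file population.
ENCRYPTED_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated value, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> bool:
    """Heuristic: high entropy suggests ciphertext. Caveat: zip, jpeg and video
    files are also high-entropy, so pair this with the rename-burst check."""
    return shannon_entropy(data) >= threshold


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic pseudo-random stream (SHA-256 in counter mode). Stand-in
    for a real cipher's keystream so the example is reproducible; NOT secure."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def simulate_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR the file with the keystream: a toy model of what ransomware does per file."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


def extension_burst(events, window_seconds=60.0, min_count=10):
    """Flag new extensions that appear on >= min_count renames within any
    window_seconds span. events: iterable of (timestamp, old_path, new_path).
    Dozens of documents becoming *.locked within seconds is the classic signal."""
    by_ext = {}
    for ts, old, new in events:
        old_ext = os.path.splitext(old)[1].lower()
        new_ext = os.path.splitext(new)[1].lower()
        if new_ext and new_ext != old_ext:
            by_ext.setdefault(new_ext, []).append(float(ts))
    flagged = set()
    for ext, times in by_ext.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_seconds:
                start += 1
            if end - start + 1 >= min_count:
                flagged.add(ext)
                break
    return flagged


# Constructed sample data (not captured from a real incident).
SAMPLE_DOCUMENT = (
    b"Quarterly revenue summary. Sales grew in all regions; costs were flat. "
    b"Headcount rose by twelve. Board review scheduled for the third week. "
) * 20

SAMPLE_RENAMES = (
    [(1000.0 + i * 1.5, f"/srv/share/report{i}.docx", f"/srv/share/report{i}.docx.locked")
     for i in range(12)]
    + [(1000.0, "/srv/share/draft.txt", "/srv/share/final.txt"),
       (1200.0, "/srv/share/old.xlsx", "/srv/share/old.xlsx.bak")]
)


def demo() -> dict:
    """Run both heuristics over the constructed samples and return the verdicts."""
    ciphertext = simulate_encrypt(SAMPLE_DOCUMENT, b"demo-key")
    return {
        "plain_entropy": round(shannon_entropy(SAMPLE_DOCUMENT), 2),
        "cipher_entropy": round(shannon_entropy(ciphertext), 2),
        "plain_flagged": looks_encrypted(SAMPLE_DOCUMENT),
        "cipher_flagged": looks_encrypted(ciphertext),
        "burst_extensions": extension_burst(SAMPLE_RENAMES),
    }


if __name__ == "__main__":
    print(demo())
```

In practice the rename events come from a file-system audit source (Sysmon, auditd, or a file server's change log) and the entropy check is run on the newly written bytes; either signal alone produces false positives (archives, legitimate bulk renames), so the useful alert is the two together from one process.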

Viruses

Introduction to Virus

Computer viruses are a threat to both businesses and individuals. A virus is a self-replicating program that propagates by inserting copies of its own code into other executable code, and it operates without the knowledge or consent of the computer user.

Characteristics of a Virus

A virus is loaded into memory when the program it is attached to runs, and it replicates while that program is executing. A direct-action virus does not remain in memory after its host program exits; a memory-resident virus stays active and infects other programs as they are run. Many viruses can transform themselves by changing their code so that each copy appears different.

It hides itself from detection in three ways.

  • It encrypts its own body, so that the code on disk appears as meaningless bytes and a fixed signature cannot be matched.
  • It alters the disk directory data so that the infected file's recorded size does not reveal the added virus bytes.
  • It uses stealth techniques to intercept disk reads and return the original, uninfected data to any program that examines the file.

Working of virus

Trigger events and direct attack are the common modes that cause a virus to "go off" on a target machine.

Most viruses operate in two phases.

 1. Infection phase

  • The virus author decides when the host system's programs are infected.
  • Some infect every time the host program is run and executed, e.g. direct-action viruses.
  • Some infect only when a trigger condition set by the author is met, such as a particular day, time or event, e.g. TSR (terminate-and-stay-resident) viruses.

 2. Attack phase

  • Some viruses have trigger events that activate them and corrupt the system.
  • Some viruses have no deliberate payload but contain bugs that still cause damage, such as deleting files or slowing the system.
  • They typically corrupt the target only after spreading as widely as their developers intended.
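The infection phase described above changes the bytes of existing executables and the stealth tricks are aimed at the directory metadata and read path, so the defender's check is a content-hash baseline rather than a size or timestamp comparison. The following is an added example in Python, not code from the original notes: it baselines the executables under a directory by SHA-256, then simulates an appending infector and a dropped binary in a throwaway directory and reports what changed. The set of executable suffixes and the fake files are assumptions made for the example; the infection is simulated by appending a placeholder string, not by real malware.

```python
import hashlib
import tempfile
from pathlib import Path

# Suffixes treated as executable for this example (an assumption; extend for
# your own estate, e.g. scripts and suffix-less ELF binaries).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".com", ".sys", ".so"}


def sha256_file(path: Path) -> str:
    """Hash file contents in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each executable under root (relative POSIX path) to (size, sha256).
    The hash is what matters: a virus that patches directory entries to hide
    its added bytes fools a size comparison but not a content hash."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            rel = path.relative_to(root).as_posix()
            baseline[rel] = (path.stat().st_size, sha256_file(path))
    return baseline


def compare(baseline: dict, root: Path) -> dict:
    """Diff the current tree against a stored baseline. Caveat: a memory-resident
    stealth virus can intercept reads and hand back the clean image, so run the
    comparison from a clean boot medium, not from the suspect system itself."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p][1] != current[p][1]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Build a throwaway tree of fake executables, baseline it, simulate an
    infection (constructed, not real malware) and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "editor.exe").write_bytes(b"MZ" + b"\x90" * 200)
        (root / "bin" / "helper.dll").write_bytes(b"MZ" + b"\xcc" * 100)
        (root / "notes.txt").write_bytes(b"not an executable")
        baseline = build_baseline(root)

        # Simulated infection phase: an appending infector adds its body to a
        # host program, and the attack drops a new executable alongside it.
        with open(root / "bin" / "editor.exe", "ab") as f:
            f.write(b"VIRUS-BODY-PLACEHOLDER")
        (root / "bin" / "dropper.exe").write_bytes(b"MZ" + b"\x00" * 50)
        # Non-executable churn should not appear in the report.
        (root / "notes.txt").write_bytes(b"changed but ignored")

        return compare(baseline, root)


if __name__ == "__main__":
    print(demo())
```

For real use, store the baseline somewhere the monitored host cannot write to (signed, or on a separate system) and rebuild it only after a trusted software update; an attacker who can rewrite the baseline alongside the binaries has defeated the check.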

Bitcoin Cryptocurrency

What is Bitcoin?

Bitcoin is a so-called virtual currency that has been devised for pseudonymous payments made entirely independently of governments and banks (addresses are not tied to identities, but every transaction is publicly recorded). In recent years, Bitcoin has generated a great deal of attention on several fronts. Bitcoin payments are based on a new and interesting technical solution and function differently from traditional payments. In certain payment situations, Bitcoin can offer advantages over traditional payment methods in the form of lower costs, speed, pseudonymity and so on. However, usage can also be more risky because Bitcoin is not directly covered by the laws that govern other payment intermediation. Weak consumer protection is also a reason why it may be difficult for Bitcoin to become generally accepted and viable as a means of payment. Use of Bitcoin for payments is low today, and although Bitcoin's future is uncertain, it is an interesting innovation worthy of description. This article explains what a virtual currency is and how Bitcoin works. Bitcoin use in Sweden, which is very limited, is also described. Finally, the future of Bitcoin and other virtual currencies is discussed.

Virtual currency

Bitcoin is what is known as a virtual currency. A virtual currency is a means of payment; that is, units of the virtual currency represent a value. It is intended for use in payments within a specific virtual community, such as a particular website, or in a network of users with special software for managing the virtual currency and making payments. This type of virtual community can thus be said to resemble a voluntary agreement to use a specific item as a means of payment. This is an important difference from national currencies, such as the Swedish krona. For the latter, it has been established in law that the monetary unit in Sweden shall be called the Swedish krona. The virtual currency thus has a different unit of account from national currencies. For Bitcoin, the unit of account is the bitcoin itself. The issuer of a virtual currency can be a non-financial company or even a private individual, and such an issuer is not under the supervision of a government authority. The issuance of virtual currency is thus not a government-regulated activity. However, each virtual currency has some rules of its own governing where and how it may be used, and some form of technical infrastructure in which the payments are carried out. The virtual currency, its set of rules and the technical infrastructure combined form a small payment system, hereinafter referred to as a virtual currency scheme.

A large number of virtual currency schemes have been built up, and they function in different ways. They can be broken down into categories depending on the extent to which it is possible to buy and sell the virtual currency. Here, we divide them into virtual currency schemes that are closed, that have a unidirectional flow, and that have bidirectional flows. In closed virtual currency schemes, the virtual currency can be neither bought nor sold, but only earned and used on certain websites (such as World of Warcraft gold). If the virtual currency can be bought for national currency but not exchanged back, the scheme has a unidirectional flow (such as Amazon Coins). When the virtual currency can both be bought and sold and used outside of a certain website, the scheme has bidirectional flows. As explained below, Bitcoin is an example of a scheme with bidirectional flows. However, these categories can overlap.