Too many Websites hacked, ransom demanded
Today is a very sunny day, but cloudy online. After the hack of the webpage of the Ukranian ministry of Energy as shown in figure 1 below.
http://www.mev.gov.ua was displaying this ransomware message before, but later the site was taken down now displaying that it is running an Apache HTTP server on a CentOS server as in the figure 2 below. Meaning the administrator took it offline.
As an investigator, I decided to run a secure search with the terms ”ooops, your website have been encrypted ” using DuckDuckgo as a search engine, and all the sites hacked were indexed as show in figure 3 below.
Too many websites , victims as of today of the ransomware attack. All those live websites displaying the same message, the attackers even included music this time. The clock showing the time left to pay the ransom.The currency accepted is Bitcoin because it wont be possible to know who received the money.
The only way to bypass this it to make sure that the vulnerability used by the software and third party applications have been patched.
Stay Secured.
Searching inside a PDF document
I have received a PDF document from a fake Paypal address. The PDF name is Paypal_EmailID_JK… To be sure whether the document is malicious or not I used the pdfid.py tool as in the screenshot below .
It is clear that there are 25 objects and 4 URLs in the document, /JS pointing to 0 meaning there is no javascript in this document. Also /OpenAction is 0 meaning there is no malicious action.But let use the pdfid.py with -e option for more information as in the figure below
We see the nothing apended After last %%EOF and the Total entropy.Finally I use
pdf-parser.py to extract those URLs as in the picture below
The PDF appears to be from Paypal but in fact will redirect the victim to the
https://www.hasanacademy.com/buy.php
Happy Hunting.
Bitcoin Phishing Ring CoinHoarder
Cisco’s Talos Group has published their findings on a Bitcoin theft campaign they have been tracking in the Ukraine. By purchasing Google AdWords, the attackers were able to target specific search terms, such as “blockchain” or “bitcoin wallet”. Potential victims, searching for these terms, would see the cybercriminals’ links in the search results as a featured ad. Clicking on the fake ad would send the victim’s browser to a landing page in their native language that attempted to garner credential information. These phishing pages were hosted on blockchalna.info and, except for the URL, appear quite similar to the real site. Using results from DNS queries and WHOIS data, Talos was not only able to track where the victims resided (Nigeria, Ghana, Estonia, and others), but were able to identify other potentially malicious sites as well. During the time Talos was watching this campaign, they noticed it evolving, the phishing pages began to look more like the real ones as well as the use of secure websites (HTTPS). The secure sites made use of certificates issued by Cloudflare and Let’s Encrypt. Another tactic observed was the use of internationalized domain names, referred to as homograph attacks. This is where an international character closely resembles an English character and could be mistaken by a casual viewer for the real URL.
Reference
5000 websites hacked to serve cryptomining malware
Five thousand websites in the US, UK and Australia have been hacked to serve cryptomining malware. Cryptomining malware is when cybercriminals infect your computer to do the calculations needed to generate a cryptocurrency like Bitcoin, Monero or Euthereum. The crooks use your electricity and processing power but keeps any cryptocoins proceed for themselves. The infection is coming from browseraloud.com , a site that serves Javascript to your website to convert the page into voice reading to assist blind people. Of course, governments sites are meant to help out visitors even those who are not good at reading English. The browseraloud.com server was hacked , obfuscated javascript was added to download the code from coinhive.com and start mining cryptocurrency.
The only way to bypass this is to shut down your browser.
References
Underground Malware Economy
you can view the presentation here showing you how Cybercrooks are making money from malware.
Cryptominer RubyMiner Targets web servers
According to a Check Point Research finding, a new malware package designed to mine cryptocurrency is attacking web servers in an effort to infect them. The malware uses a variation of an open-source Monero miner (XMRig), possibly because the software required does not require an extremely powerful server to operate. According to the article, the attack uses vulnerabilities from 2012 and 2013. Systems targeted included those running PHP, Ruby on Rails, and Microsoft IIS. The vulnerability in Ruby on Rails is CVE-2013-0156. This vulnerability provides the attacker a means to inject objects into the system that can execute arbitrary code. The malware flushes the crontab (on a Unix system) and then installs its own crontab entry. This entry runs one minute past the hour, every hour. The command downloads a robots.txt file from a web server under the control of the attackers. This downloaded file is then executed each time crontab executes the command. The article postulates this could be so that the attackers could execute a kill switch if desired or possibly to update the malware. The open-source package XMRig normally donates five percent of the earnings to XMRig’s author. Apparently, the individual(s) behind this attack were not inclined to lose any potential gains and removed the donating code from the version used in the infection.
Indicators of Compromise:
- 761f5cfd0a3cddb48c73bc341a4d07a9
- 91d31ed8e569c0089fa070ed125e1fc5
- a6a57e6a216dff346a22f51639c4b99c
- 203.24.188.242
- Internetresearch.is
- dgnfd564sdf.com
- lochjol.com
It is recommended to patch the operating system,patch the applications and check crontab for unusual entry.
References
https://research.checkpoint.com/rubyminer-cryptominer-affects-30-ww-networks/
