Too many Websites hacked, ransom demanded

Today is a very sunny day, but cloudy online. After the hack of the webpage of the  Ukranian ministry of Energy as shown in figure 1 below.

329f9cc2-82e8-4ff9-9bfd-b3a14d8089c9-original
Figure 1

http://www.mev.gov.ua was displaying this ransomware message before, but later the site was taken down now displaying that it is running an Apache HTTP server on a CentOS server as in the figure 2 below. Meaning the administrator took it offline.

apache
Figure 2

As an investigator, I decided to run a secure search with the terms ”ooops, your website have been encrypted ” using DuckDuckgo as a search engine, and all the sites hacked were indexed as show in figure 3 below.

website encrypted
Figure 3

Too many websites , victims as of today of the ransomware attack. All those live websites displaying the same  message, the attackers even included music this time. The clock showing the time left to pay the ransom.The currency accepted is Bitcoin because it wont be possible to know who received the money.

The only way to bypass this it to make sure that the vulnerability used by the software and third party applications have been patched.

Stay Secured.

 

Advertisements

Searching inside a PDF document

I have received a PDF document from a fake Paypal address. The PDF name is Paypal_EmailID_JK… To be sure whether  the document is malicious or not I used the pdfid.py tool as in the screenshot below .

PDFid1

It is clear that there are 25 objects and 4 URLs in the document, /JS pointing to 0 meaning there is no javascript in this document. Also /OpenAction is 0 meaning there is no malicious action.But let use the pdfid.py with -e option for more information as in the figure below

Pdfid2

We see the nothing apended After last %%EOF and the Total entropy.Finally I use

pdf-parser.py to extract those URLs as in the picture below

pdf-parder1

The PDF appears to be from Paypal but in fact will redirect the victim to the

https://www.hasanacademy.com/buy.php

Happy Hunting.

Bitcoin Phishing Ring CoinHoarder

Cisco’s Talos Group has published their findings on a Bitcoin theft campaign they have been tracking in the Ukraine. By purchasing Google AdWords, the attackers were able to target specific search terms, such as “blockchain” or “bitcoin wallet”. Potential victims, searching for these terms, would see the cybercriminals’ links in the search results as a featured ad. Clicking on the fake ad would send the victim’s browser to a landing page in their native language that attempted to garner credential information. These phishing pages were hosted on blockchalna.info and, except for the URL, appear quite similar to the real site. Using results from DNS queries and WHOIS data, Talos was not only able to track where the victims resided (Nigeria, Ghana, Estonia, and others), but were able to identify other potentially malicious sites as well. During the time Talos was watching this campaign, they noticed it evolving, the phishing pages began to look more like the real ones as well as the use of secure websites (HTTPS). The secure sites made use of certificates issued by Cloudflare and Let’s Encrypt. Another tactic observed was the use of internationalized domain names, referred to as homograph attacks. This is where an international character closely resembles an English character and could be mistaken by a casual viewer for the real URL.

Reference

https://blog.talosintelligence.com/2018/02/coinhoarder.html

https://s3-us-west-1.amazonaws.com/umbrella-blog-uploads/wp-content/uploads/2017/02/26230545/BTC_IOCs.pdf

https://umbrella.cisco.com/blog/2016/12/22/protecting-bank-pocket-rise-criminal-activity-correlates-bitcoin-price-surge-holidays/

5000 websites hacked to serve cryptomining malware

Five thousand websites in the US, UK and Australia have been hacked to serve cryptomining malware. Cryptomining malware is when cybercriminals infect your computer to do the calculations needed to generate a cryptocurrency like Bitcoin, Monero or Euthereum. The crooks use your electricity and processing power but keeps any cryptocoins proceed for themselves. The infection  is coming from browseraloud.com , a site that serves Javascript to your website to convert the page into voice reading to assist blind people. Of course, governments sites are meant to help out visitors even those who are not good at reading English. The browseraloud.com server was hacked , obfuscated javascript was added to download the code from coinhive.com and start mining cryptocurrency.

The only way to bypass this is to shut down your browser.

References

Sophos

Skynews

Cryptominer RubyMiner Targets web servers

According to a Check Point Research finding, a new malware package designed to mine cryptocurrency is attacking web servers in an effort to infect them. The malware uses a variation of an open-source Monero miner (XMRig), possibly because the software required does not require an extremely powerful server to operate. According to the article, the attack uses vulnerabilities from 2012 and 2013. Systems targeted included those running PHP, Ruby on Rails, and Microsoft IIS. The vulnerability in Ruby on Rails is CVE-2013-0156. This vulnerability provides the attacker a means to inject objects into the system that can execute arbitrary code. The malware flushes the crontab (on a Unix system) and then installs its own crontab entry. This entry runs one minute past the hour, every hour. The command downloads a robots.txt file from a web server under the control of the attackers. This downloaded file is then executed each time crontab executes the command. The article postulates this could be so that the attackers could execute a kill switch if desired or possibly to update the malware. The open-source package XMRig normally donates five percent of the earnings to XMRig’s author. Apparently, the individual(s) behind this attack were not inclined to lose any potential gains and removed the donating code from the version used in the infection.

Indicators of Compromise:

  • 761f5cfd0a3cddb48c73bc341a4d07a9
  • 91d31ed8e569c0089fa070ed125e1fc5
  • a6a57e6a216dff346a22f51639c4b99c
  • 203.24.188.242
  • Internetresearch.is
  • dgnfd564sdf.com
  • lochjol.com

It is recommended to patch the operating system,patch the applications and check crontab for unusual entry.

References 

https://research.checkpoint.com/rubyminer-cryptominer-affects-30-ww-networks/

 

A look at Redline from Mandiant

Redline is a nice tool to investigate a particular host for signs of compromises. It works on Windows and is freely available on the FireEye site .

redline1
Redline Interface

At a glance, we have options to collect data from the host or Analyse an existing data collected file. In our case , I am going to create  a Standard Collector for the sake of this demo.

Redline2
Redline Review Script Configuration

It is clear that the script will run the Collector and save it to a folder named ‘Sessions\AnalysisSession2´ in our case because we run the script twice as in the figure below

redline5
AnalysisSession2.mans file to import in Redline

As said in the Readme.txt file, AnalysisSession2.mans has to be openend in Redline to continue with the investigation. We can go through the System Information,Processes,…

The tool is worth a try.

Happy investigations

redline6
Investigative options after opening the AnalysisSession2.mans file