Android Installer Hijacking Vulnerability Could Expose Android Users to Malware

Executive Summary

We discovered a widespread vulnerability in Google’s Android OS we are calling “Android Installer Hijacking,” estimated to impact 49.5 percent of all current Android users. In detail:

  • Android Installer Hijacking allows an attacker to modify or replace a seemingly benign Android app with malware, without user knowledge. This only affects applications downloaded from third-party app stores.
  • The malicious application can gain full access to a compromised device, including usernames, passwords, and sensitive data.
  • Palo Alto Networks worked with Google and major manufacturers such as Samsung and Amazon to inform them of the vulnerability and issue patches for their devices.

Introduction


FindPOS: New POS Malware Family Discovered

Unit 42 has discovered a new Point of Sale (POS) malware family, which includes multiple variants created as early as November 2014. Over the past few weeks we have been analyzing this malware family, which we have dubbed ‘FindPOS’ due to strings consistently found in each variant.

While this malware doesn’t show strong sophistication, the large number of variants shows prevalence similar to families such as Alina and Backoff. It is clear that FindPOS should be considered a strong threat to Microsoft Windows POS vendors, and measures should be taken to ensure protection.

Workflow


Palo Alto Networks Researcher Identifies Critical Internet Explorer Vulnerability

Palo Alto Networks researcher Bo Qu discovered a new critical Internet Explorer (IE) vulnerability affecting IE versions 8, 9, 10 and 11. This is included in Microsoft’s March 2015 Security Bulletins MS15-018 and MS15-019, and documented in Microsoft Security Bulletin MS15-MAR.

Have You Seen the Latest Threat Intelligence Research from Unit 42?

Unit 42, the Palo Alto Networks threat intelligence team, gathers, researches and analyzes up-to-the-minute threat data, sharing insights with Palo Alto Networks customers, partners and the broader community to better protect enterprises and governments from advanced threats.


Examining the Cybercrime Underground, Part 1: Crypters

This post is the first in a new series titled Examining the Cybercrime Underground. Each post will delve into different aspects of how cybercriminals operate, using current examples of tools and techniques. What are their tools of the trade? How do they get them? How do they overcome challenges posed by security and anti-fraud systems? How do criminals profit from scams and turn stolen data into cash? Answering these questions will help readers better understand one of their primary cyberadversaries and use that knowledge to better protect their networks.

What is a crypter?

Crypters are software tools that use a combination of encryption, obfuscation, and code manipulation of malware to make it FUD (Fully Undetectable) by legacy security products.
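To make the "FUD" claim concrete, here is an added toy example (not code from the original post, and not a real crypter): a byte-signature scanner of the kind legacy products rely on, a payload it catches, and a minimal crypter that XOR-encrypts the payload behind a decryption stub. The payload, the signature, and the "TOYCRYPT" container layout are all constructed for this illustration. The point it demonstrates is that the same signature fires on the plaintext and on the unpacked output, but never on the artifact that is actually written to disk.

```python
"""Toy crypter demonstration (added example, not from the original post).

A crypter wraps a known-bad payload in an encryption layer plus a small
decryption stub. A scanner that only matches static byte signatures sees the
encrypted bytes, not the payload, so the signature never fires until the
stub has run. The payload and the "signature" below are constructed strings,
not real malware or a real AV signature.
"""
import os

# Constructed stand-in for a known-malicious payload and the signature a
# legacy scanner would use to catch it.
PAYLOAD = b"MALWARE_STAGE2: connect c2.example.invalid; steal creds"
SIGNATURE = b"MALWARE_STAGE2"


def signature_scan(blob: bytes, signatures=(SIGNATURE,)) -> list:
    """Return every signature found in blob (the legacy static-AV model)."""
    return [sig for sig in signatures if sig in blob]


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Symmetric XOR with a repeating key: the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_crypted_artifact(payload: bytes, key=None) -> bytes:
    """Produce what a crypter ships: a header, the key, and the encrypted payload.

    Constructed layout: b"TOYCRYPT" | 1-byte key length | key | ciphertext.
    A real crypter hides the key far less obviously and embeds a native stub.
    """
    key = key or os.urandom(16)
    assert 1 <= len(key) <= 255
    return b"TOYCRYPT" + bytes([len(key)]) + key + xor_keystream(payload, key)


def stub_unpack(artifact: bytes) -> bytes:
    """What the crypter's stub does at run time: recover the key and decrypt."""
    if not artifact.startswith(b"TOYCRYPT"):
        raise ValueError("not a toy-crypter artifact")
    key_len = artifact[8]
    key = artifact[9:9 + key_len]
    return xor_keystream(artifact[9 + key_len:], key)


def demo(payload: bytes = PAYLOAD) -> dict:
    """Scan the payload before crypting, the shipped artifact, and the unpacked result."""
    artifact = build_crypted_artifact(payload, key=b"\x5a\xa5\x3c\xc3")
    return {
        "hits_on_plaintext": signature_scan(payload),
        "hits_on_artifact": signature_scan(artifact),
        "hits_after_unpack": signature_scan(stub_unpack(artifact)),
        "roundtrip_ok": stub_unpack(artifact) == payload,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The defensive takeaway is the mirror image: a scanner that only looks at bytes on disk is blind here, while anything that observes the unpacked buffer (emulation, memory scanning, or behaviour of the running process) sees the original payload again.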

Palo Alto Networks Researcher Identifies 3 Critical Internet Explorer Vulnerabilities

Palo Alto Networks researcher Bo Qu discovered three new critical Internet Explorer (IE) vulnerabilities affecting IE versions 9, 10 and 11. All three are included in Microsoft's February 2015 Security Bulletin MS15-009 and documented in Microsoft Security Bulletin MS15-FEB.

Watch Our Researchers Cover Predicting Malicious Domains at VB2014

Malicious domains are commonly used by cyberattackers for command and control communication, hosting malware and phishing attacks. Palo Alto Networks researchers Wei Xu, Kyle Sanders and Yanxin Zhang recently explored ways to predict malicious domains so they can be added to blacklists before they go live. To hear how they went about this, and to see the results they achieved, take a look at the video of their paper presentation at VB2014.

Filmkan: Mysterious Turkish Botnet Grows Through Facebook

On January 31, a security researcher named Mohammad Faghani posted an analysis of malware that was being distributed through Facebook posts. Based on the number of “likes” the malware had generated, Faghani estimated that over 100,000 users had been infected with the malware. We have not been able to identify a common name for this malware and have given it the designation “Filmkan” based on domains it uses for command and control.

Based on our analysis, this malware was most likely created by a Turkish actor. The malware contains many comments written in Turkish, the domains used for command and control were registered through a Turkish company and the social network profiles involved in the attack belong to Turkish speakers.  Filmkan is very flexible, giving it more capability than simple interaction with social networks. The overall motivation of this attack is not clear at this time, but the author of Filmkan has successfully assembled a large botnet in a short amount of time.

Filmkan Functionality

While the initial report only contained sparse details, Faghani followed up with additional analysis on February 2, exposing more functionality related to the malware. Our WildFire analysis cloud first picked up samples of this malware on January 22, and thus far we’ve collected 44 distinct samples that display the behavior described by Faghani.

At a high level, this malware consists of four components:

Analysis: CryptoWall 3.0, Dyre and I2P

For a moment, put yourself in the shoes of a cyber criminal. You’ve collected an array of tools (malware), built up your infrastructure (command and control (C2) servers) and you have a process to make money off your hard work. You wake up on Monday morning and the domains your carefully built malware uses for command and control are shut down. Some security researcher has taken control of them, completely halting your operation. This would certainly be good news to anyone reading this blog, but for the criminal it’s a big setback and source of frustration. These kinds of takedowns are the impetus for some of the most impressive developments in malware technology over the last decade.

Takedown-Resistant Command and Control

Once attackers have infected a PC through some exploit or social engineering, one of their major challenges is keeping control of that system. Antivirus programs running on the PC are trying to eradicate the threat, and the command and control domains and IPs are being added to denylists and blocked by networks around the world. Many malware authors have taken to building complex mechanisms to ensure that their malware is resistant to these kinds of blocks and takedowns. Some of the more innovative mechanisms include:

How To Protect Yourself From the Latest CTB-Locker Campaign

CTB-Locker is a well-known ransomware Trojan used by crimeware groups to encrypt files on the victim’s endpoints and demand ransom payment to decrypt the files back to their original state. Earlier this week we detailed a new CTB-Locker campaign and why legacy security products won’t protect enterprise networks.

In this blog post we will detail how to protect yourself from CTB-Locker, even if you aren’t protected by Palo Alto Networks next-generation enterprise security.

Since our first blog post on the campaign, here are some updates:

Newest CTB-Locker Campaign Bypasses Legacy Security Products

Introduction

CTB-Locker is a well-known ransomware Trojan used by crimeware groups to encrypt files on the victim's endpoints and demand ransom payment to decrypt the files back to their original state, but most antivirus products misdetect it as CryptoLocker (only one vendor correctly detects it as CTB-Locker). The attack vector is very basic and repeats itself: it begins with a spear phishing email carrying an SCR attachment (double zipped). Once the user executes it, the first stage malware downloads and executes the ransomware from a fixed, hardcoded server list.


The Origins

The first known campaign was launched by a crimeware group in November 2014. The first stage downloaded the ransomware from these sites:

  • pubbliemme.com (5.134.122.150)
  • agatecom.fr (213.186.33.19)
  • n23.fr (213.186.33.4)
  • baselineproduction.fr (213.186.33.4)
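The delivery chain above (a double-zipped SCR attachment, then a download from a hardcoded host list) gives a defender two cheap detection points. The following script is an added example, not code from the original post: it opens an attachment in memory, recurses through nested zips looking for executable extensions, and matches proxy log lines against the download hosts and IPs listed above. The attachment, the log lines, and the log line format are all constructed for this example; the indicators are the ones from the list.

```python
"""Added example (not from the original post): triage the CTB-Locker delivery
chain described above.

Two checks:
  1. Look inside a mail attachment for executables (.scr) hidden in nested
     ("double zipped") archives, which is how the first stage arrives.
  2. Match proxy log lines against the hardcoded download hosts and IPs the
     post lists, to spot a first stage fetching the ransomware.

The attachment and log lines are constructed in memory so the script runs offline.
"""
import io
import re
import zipfile

# Executable extensions worth flagging inside an e-mail attachment.
EXEC_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".cpl", ".bat", ".js", ".vbs"}
MAX_DEPTH = 4  # stop recursing into pathological nested archives

# Download hosts and IPs from the post's list (the only indicators used here).
IOC_HOSTS = {"pubbliemme.com", "agatecom.fr", "n23.fr", "baselineproduction.fr"}
IOC_IPS = {"5.134.122.150", "213.186.33.19", "213.186.33.4"}


def find_executables(blob: bytes, path: str = "", depth: int = 0) -> list:
    """Return 'outer.zip/inner.zip/file.scr'-style paths of executables found
    at any nesting depth. Non-zip data at any level is simply skipped."""
    hits = []
    if depth > MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(blob)):
        return hits
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename
            full = f"{path}/{name}" if path else name
            lower = name.lower()
            if any(lower.endswith(ext) for ext in EXEC_EXTENSIONS):
                hits.append(full)
            elif lower.endswith(".zip"):
                hits.extend(find_executables(zf.read(info), full, depth + 1))
    return hits


# Constructed log format: "<timestamp> <src_ip> -> <dst_ip> [host=<hostname>]".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+)(?: host=(?P<host>\S+))?")


def match_iocs(log_lines) -> list:
    """Return (timestamp, source, indicator) for each line touching a listed host or IP.
    Subdomains of a listed host count; a bare IP hit is used when no host is logged."""
    matches = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = (m.group("host") or "").lower().rstrip(".")
        dst = m.group("dst")
        if host in IOC_HOSTS or any(host.endswith("." + h) for h in IOC_HOSTS):
            matches.append((m.group("ts"), m.group("src"), host))
        elif dst in IOC_IPS:
            matches.append((m.group("ts"), m.group("src"), dst))
    return matches


def build_double_zipped_attachment() -> bytes:
    """Constructed attachment: outer.zip -> invoice.zip -> invoice.pdf.scr."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.pdf.scr", b"MZ" + b"\x00" * 16)  # stand-in bytes, not a real PE
        zf.writestr("readme.txt", b"please see attached invoice")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice.zip", inner.getvalue())
    return outer.getvalue()


# Constructed proxy log lines in the format LOG_RE expects.
SAMPLE_LOG = [
    "2015-01-20T09:12:01Z 10.1.2.33 -> 5.134.122.150 host=pubbliemme.com",
    "2015-01-20T09:12:05Z 10.1.2.33 -> 93.184.216.34 host=example.com",
    "2015-01-20T09:13:40Z 10.1.2.57 -> 213.186.33.4",
    "2015-01-20T09:14:02Z 10.1.2.33 -> 213.186.33.19 host=cdn.agatecom.fr",
]

if __name__ == "__main__":
    print("executables in attachment:", find_executables(build_double_zipped_attachment()))
    for hit in match_iocs(SAMPLE_LOG):
        print("IOC hit:", hit)
```

Two of the four listed domains resolve to the same IP, so matching on the IP alone would merge them; the script prefers the logged hostname when one is present and falls back to the destination IP otherwise. Treat the host list as a snapshot: the post notes the servers are hardcoded per campaign, so later campaigns will need their own list.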


Scareware App Downloaded Over a Million Times from Google Play

We have recently been investigating an antivirus app in the Google Play store that was displaying fake virus detection results to scare users into purchasing a premium service. According to the Google Play store statistics, users have downloaded “AntiVirus for Android™” more than one million times and the app was listed in Top 100 free apps in Tools category. Our Wildfire analysis cloud captured the initial app and identified it as Scareware.

On January 20, we reported this issue to Google and two days later, they removed the app from Google Play.

Our Favorite Presentations from ShmooCon 2015

We were fortunate enough to attend this year’s ShmooCon, an annual hacker conference held in Washington, DC. It is organized by The Shmoo Group, which was founded in the late 1990s as an international non-profit security think tank. It invariably sells out every year, with tickets from each of three rounds of sales gone in under a minute. In addition, the maximum number of tickets that can be purchased at one time is limited to two to help more people get tickets. The tickets are highly sought after as the conference:

  1. Remains affordable (just $150 per person; a bargain compared to most industry events)
  2. Limits attendance to what the facility can comfortably hold (we’re looking at you, Defcon)
  3. Focuses on new research or speakers that have not yet been presented at other conferences.


Dridex Banking Trojan Begins 2015 with a Bang

In October, we called out a series of attacks installing the Dridex Trojan using macros in Microsoft Word documents. Those attacks continued over the last few months, and in the first two weeks of the new calendar year we’ve seen another new campaign.

To refresh your memory, Dridex is the latest version of the Bugat/Feodo/Cridex banking Trojan. Its core functionality is to steal credentials of online banking websites and allow a criminal to use those credentials to initiate transfers and steal funds. Dridex is currently being distributed through an e-mail campaign that carries a Word Document attachment, which uses built-in macro code to download and execute a copy of the Trojan.


Don’t Miss A Single Threat Intelligence Update from Unit 42!

Unit 42 is the Palo Alto Networks threat intelligence team. Made up of accomplished cybersecurity researchers and industry experts, Unit 42 gathers, researches, analyzes, and provides insights into the latest cyber threats, then shares them with Palo Alto Networks customers, partners and the broader community to better protect enterprise, service provider, and government computing environments.


You can now have up-to-the-minute threat intelligence updates from Unit 42 delivered right to your inbox, as they’re posted, by subscribing to the blog.

Regular research analysis is posted to the Unit 42 threat intelligence blog. Unit 42 also publishes whitepapers examining, in detail, threats to mobile device ecosystems, APTs, malware attack patterns and other subjects crucial to any security practitioner or business executive’s understanding of the current cyber threat landscape.

Recent Unit 42 whitepapers include: