Apple susceptible to malware and ransomware
Mar 11th, 2016 by aperio

On March 4, 2015, Palo Alto Networks researchers determined that the OS X installer for the Transmission BitTorrent client was infected with previously undetected ransomware, which the researchers are calling KeRanger.

This is only the second ransomware targeting Mac OS X to be uncovered, following Kaspersky Lab’s discovery of the FileCoder ransomware in 2014. Still, the researchers noted, “As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform.”

“This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,” Palo Alto Networks threat intelligence director Ryan Olson told Reuters.

Two installers of Transmission version 2.90 were infected with KeRanger on the morning of March 4. “Transmission is an open source project,” the researchers wrote. “It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred.”

The malware was signed with a valid Mac app development certificate, allowing it to bypass Apple’s Gatekeeper protection. When the app is installed, an embedded executable file is run, and the malware waits for three days before connecting with command and control servers via Tor, then begins encrypting documents and files on the infected system.

Once the encryption process is complete, the ransomware demands that victims pay one bitcoin (approximately $410) to decrypt their files. “Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their backup data,” the researchers noted.

In a blog post, Thomas Reed, director of Mac offerings at Malwarebytes, suggested it’s an extremely bad idea to pay any ransom to decrypt files. “In the Windows world, paying the ransom sometimes results in getting a key that can successfully unlock the files,” he wrote. “However, it also can result in sending money to the hackers and getting nothing in return, or receiving a key that doesn’t actually work properly because the ransomware was poorly written.”

After the researchers notified the Transmission Project and Apple, the malicious installers were removed from Transmission’s website, and Apple revoked the app development certificate.

Tripwire director of IT security and risk management Tim Erlin told eSecurity Planet by email that the malware marketplace is ultimately driven by the population of targets, making Windows much more attractive to attackers than OS X. “It may have taken a little longer for ransomware to come to the Mac, but that shouldn’t be interpreted in terms of [relative] security, but in terms of target density,” he said. “There are fewer Mac users, especially fewer corporate Mac users, available to pay the ransoms. Apple is, however, growing faster in the PC market than Windows vendors. Any increase in Apple’s user base makes the systems a more attractive target for cybercriminals.”

And LogMeOnce CEO Kevin Shahbazi suggested by email that IT departments take the following steps to protect enterprise systems from attacks like these:

  • In controlled environments, IT teams should test and validate patches before they deploy them to user desktops.
  • IT departments should take adequate time to test software patches based on their organization’s policy. In some organizations, patches are tested for 30 days before being applied. If such a test had been conducted, this malware issue would simply have been avoided.
  • IT departments should perform a controlled roll-out by dispatching patches to select groups first, as part of patch roll-out and validation.
  • IT departments should ensure that software patches have an authentic digital signature.
  • Antivirus software must be up to date on all servers and desktops.
  • IT departments should ensure that they have regular backups of their critical systems and data.
  • Network devices need to have a firewall to fend off such attacks destined for firewalls.
  • A SaaS-based password manager with proper backup.

“The first step is prevention, which needs to be planned in advance by deploying software and implementing security policies and procedures,” Shahbazi added. “Please keep in mind that security should be treated as a layered system, so your security posture should include defensive layers.”

By Jeff Goldman

Energy Companies Being Bombarded By Vicious Malware
Jun 10th, 2015 by aperio

A new malware program is being used to do reconnaissance for targeted attacks against companies in the energy sector.

The program, dubbed Trojan.Laziok by researchers from antivirus vendor Symantec, was used in spear-phishing attacks earlier this year against companies from the petroleum, gas and helium industries.

The attacks targeted companies from many countries in the Middle East, but also from the U.S., India, the U.K., and others, according to malware researchers from Symantec.

The Trojan is spread via emails with malicious documents that exploit a Microsoft Office vulnerability for which a patch has existed since April 2012.

“If the user opens the email attachment, which is typically an Excel file, then the exploit code is executed,” the Symantec researchers said Monday in a blog post. “If the exploit succeeds, it drops Trojan.Laziok, kicking off the infection process.”

Trojan.Laziok is mainly used to determine if a compromised system is worth further attention from the attackers. It collects information like the computer’s name, RAM size, hard disk size, GPU and CPU type, as well as a list of installed software, including running antivirus programs.

The information is sent back to the attackers, who then decide if they want to deploy additional malware that can provide them with remote access to the infected system. For this second stage of the attack they use customized versions of Backdoor.Cyberat and Trojan.Zbot, two well-known malware threats.

“The group behind the attack does not seem to be particularly advanced, as they exploited an old vulnerability and used their attack to distribute well-known threats that are available in the underground market,” the Symantec researchers said. “However, many people still fail to apply patches for vulnerabilities that are several years old, leaving themselves open to attacks of this kind.”

In a report released earlier this month, the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said that almost 80 percent of the 245 cyber incidents it handled last year involved companies from the energy sector.

“Of the total number of incidents reported to ICS-CERT, roughly 55 percent involved advanced persistent threats (APT) or sophisticated actors,” the organization said. “Other actor types included hacktivists, insider threats, and criminals.”

Original Article: http://www.computerworld.com/article/2904020/new-malware-used-to-attack-energy-companies.html

Photo Source: http://albumarium.com/

Phishing, Scamming and Learning when not to open Infected Emails in your inbox
Feb 16th, 2015 by aperio

Your email is a nexus point for user interaction and for potential vulnerability from scammers. It is the door to your data home and the place where many users are most likely to compromise their information.

As you know, the internet is rife with scammers who are always looking for the next way to take advantage of the public. They use ever-improving techniques and changing tool-sets to come up with the next way to get your information and create vulnerabilities in your network.

In most cases this is as easy as convincing users to click on links and attachments that they should not.

Recently we have seen a growing malware/phishing/virus threat being spread through legitimate-looking voicemail attachments in user emails.

In almost all cases, email scammers convince users to click on or open attachments by including just enough information that could be perceived as correct and accurate for it to seem appropriate to be receiving the attached information. In the case of the voicemail attachment, users may see an “Email ID” that appears to come from an internal email address at the recipient’s organization, as well as a “Download Message” link that appears to host the fake audio file on the recipient’s organization’s domain. These details work together to throw off recipients’ better judgment and convince them to trust the email enough to click on the download link.

This phishing attempt fools users by appearing to be a legitimate, automated email from Outlook. The scam targets Outlook users, who are sent official-looking emails with the subject line “You have received a voice mail.” The body of the email contains the Microsoft Office Outlook logo, fake data about the voicemail and caller, and a link to download the voice message. Although the download link appears to be a .wav audio file, it is actually an HTML link to a website that tries to install a Trojan. If your antivirus and anti-malware protection is current, the software should stop the Trojan from installing; however, we have had users who manually overrode these protections and allowed the blocked content to install.

Another version users are seeing with increasing frequency is a “voice message” which appears to come from the “admin” of your organization. This email includes a zipped attachment which, when downloaded, will install malware on your computer.
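To make the two tells in this lure concrete, here is an added example (not from the original post, and not a real capture): it parses a constructed message with Python’s standard library and flags a link whose visible text claims a .wav file on the organization’s domain while its real target is an HTML page elsewhere, plus a From domain that differs from the Return-Path domain. The message text, domains and header values are all invented for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above; not a real capture.
SAMPLE = b"""From: Voicemail System <voicemail@example-corp.test>
Return-Path: <bounce@mail-relay.invalid>
Subject: You have received a voice mail
Content-Type: text/html; charset=utf-8

<html><body><p>Caller: +1 555 0100, duration 0:42</p>
<p><a href="http://cdn-host.invalid/play.html">https://example-corp.test/voicemail/msg_0042.wav</a></p>
</body></html>
"""
AUDIO_EXT = (".wav", ".mp3", ".m4a")
class _Links(HTMLParser):  # collects (visible text, href) for every <a> in the body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def analyse(raw: bytes) -> list[str]:
    # Returns the lure indicators found in one raw RFC 822 message.
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = msg["From"].addresses[0].domain.lower()
    rp = str(msg["Return-Path"] or "").strip("<> ")
    if rp and rp.rsplit("@", 1)[-1].lower() != from_dom:  # "internal" sender, external bounce path
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp.rsplit('@', 1)[-1]}")
    body = msg.get_body(preferencelist=("html",))
    parser = _Links()
    parser.feed(body.get_content() if body else "")
    for text, href in parser.links:
        target = urlparse(href)
        if text.lower().endswith(AUDIO_EXT) and not target.path.lower().endswith(AUDIO_EXT):
            findings.append(f"link text claims an audio file but target path is {target.path}")
        shown = urlparse(text) if "://" in text else None  # only compare when the text itself is a URL
        if shown and shown.hostname and target.hostname and shown.hostname != target.hostname:
            findings.append(f"link shows {shown.hostname} but points to {target.hostname}")
    return findings
```

A mail gateway or triage script can run the same checks over a quarantined message; a link whose displayed name and real destination disagree is the signal the post describes.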

Deleting the email should be enough to avoid downloading any malware, but accessing, downloading, or even opening it and allowing it to load any embedded images may be enough to confirm the validity of your email address and open your system up to potential vulnerability.

If you do click on the download link, or believe that your system has been compromised as a result, you should take steps to quickly mitigate the damage.

The best strategy is to exercise additional diligence when opening email. If you cannot confirm the authenticity of an email or sender, it is always best to avoid opening it.

Photo Source: Viktor Hanacek