Fake Evernote Extension found in Google Chrome store

Security researchers at Malwarebytes are warning of a new fake Evernote application that infects users and installs a trojan on the operating system. The plugin adds a web extension to the Google Chrome, Torch and Comodo Dragon browsers. Normally any user can search the Chrome store for extensions and find the application they need to add more functionality to the web browser.

The plugin claims to be the legitimate Evernote.com extension but is called “Evernote Web” to make it look like the real one. Clicking on the plugin does not take the user to the Evernote login page; instead it runs malicious JavaScript that shows the user several annoying advertisements and pushes the victim to install malicious programs.

Image: fake Evernote extension in the Chrome store (source: Malwarebytes)

37 out of 54 security programs identify the extension as adware, but the problem is not only the advertising: many malicious plugins are used to spy on users' browsing so that the victim's browser history can be collected and then sold on the black market. The best way to protect your system is to install all security patches that fix vulnerabilities on your system, use security software with up-to-date signature definitions, and make sure the security software scans your web browsing to stop any threat at an early stage.

Image: VirusTotal detection results for the extension

New release: YARA 3.0

This week a new version of YARA has been released. YARA is a tool aimed at (but not limited to) helping malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a boolean expression which determines its logic.

The new features include the following:

  • Support for modules
  • PE module
  • Cuckoo module
  • Some improvements in the C API
  • More comprehensive documentation
  • BUGFIX: Start anchor (^) not working properly with the “matches” operator
  • BUGFIX: False negative with certain regular expressions
  • BUGFIX: Improper handling of nested includes with relative paths
  • BUGFIX: \s character class not recognizing \n, \r, \v and \f as spaces
  • BUGFIX: YARA for Win64 scanning only the first 4GB of files
  • BUGFIX: Segmentation fault when using nested loops
  • BUGFIX: Segmentation fault caused by invalid characters in regular expressions
  • BUGFIX: Segmentation fault while scanning some processes in Windows
  • BUGFIX: Segmentation fault caused by regexp code spanning over non-contiguous memory pages

YARA is used by VirusTotal Malware Intelligence Services, and you can install YARA by following this link: https://github.com/plusvic/yara/releases/tag/v3.0.0
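An added example (not code from the original post or from the YARA project) showing what a rule built from the pieces described above looks like in YARA 3.0: textual, regular-expression and hex strings, a boolean condition, and the new pe and cuckoo modules. The section name, URL pattern, mutex name and byte pattern are constructed sample values, not indicators from any real sample; the pe and cuckoo fields used are assumed to be those documented for the 3.0 modules.

```yara
// Added example, not from the original post or the YARA project.
// All patterns below are constructed sample values.
import "pe"
import "cuckoo"

rule Sample_Dropper_PE
{
    meta:
        description = "Constructed example: 32-bit PE with a scripted download routine"
        author = "example"
    strings:
        // Text pattern, matched in ASCII and UTF-16, case-insensitive
        $cmd = "cmd.exe /c" ascii wide nocase
        // Regular expression; \s now also matches \n, \r, \v and \f (3.0 bugfix)
        $url = /https?:\/\/[a-z0-9.-]+\/update\s*\.php/ nocase
        // Hex pattern with a wildcard byte (??) and a 2-to-4 byte jump
        $stub = { 55 8B EC ?? [2-4] E8 }
    condition:
        // pe module field: only consider 32-bit PE files
        pe.machine == pe.MACHINE_I386 and
        // Iterate over section headers exposed by the pe module
        for any i in (0..pe.number_of_sections - 1) :
            ( pe.sections[i].name == ".pack" ) and
        // Boolean logic over the string set: at least two must match
        2 of ($cmd, $url, $stub)
}

rule Sample_Dropper_Behaviour
{
    meta:
        description = "Constructed example: match on a Cuckoo sandbox report"
    condition:
        // cuckoo module: conditions on observed behaviour, not on file bytes
        cuckoo.network.http_request(/\/update\.php/) and
        cuckoo.sync.mutex(/Global\\Sample_Dropper_Mutex/)
}
```

The second rule only fires when the sample and its Cuckoo JSON report are scanned together (yara -x cuckoo=report.json), so the two rules can be kept in one file and used for both static and sandbox classification.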


“Suspicious sign in prevented” Spam That Links to Malware

A new spoofed email was spotted this week by Trend Micro; it claims to come from Gmail and alerts users that suspicious activity has been detected on their email accounts. The email claims a login to the Gmail account from an unrecognized device, gives the time of the login and Chicago as its source, and invites the user to follow a malicious link.

The spam includes links pointing to Google Drive, a cloud service that is hosting an HTML file used to gather information about the victim's machine, including the type of browser and operating system. This classifies the victim's machine so the cybercriminal can deliver the malicious payload matching the system in use.

The malicious payload installs a backdoor which steals email credentials, user names and passwords. It also allows the attacker to have a keylogger installed on the victim's machine to capture all activity on the infected system. According to the blog post, the attackers change the files hosted on Google Drive within a few days; this keeps them updated according to their needs and avoids detection by security programs.

Image: spoofed email screenshot (source: Trend Micro)

Cloud hosting has been a good way to distribute malware because the links are not going to be blacklisted by spam filters, which lets the link reach the targeted users, and the hosted content can be changed at any time without the attackers' source being traced. If you receive a similar message make sure to ignore and delete the spam; it is also possible to report the case to Google so they remove the malicious files.


Viproy – VoIP Penetration Testing Kit

VoIP security testing is important to verify the quality of your system before it is moved into production. One of the tools you can consider for VoIP pentesting is Viproy. This tool has been presented at DEF CON and includes the following:

  1. Finding and Identifying SIP Services
  2. Identifying SIP Software and Vulnerabilities
  3. Identifying Valid Target Numbers, Users, Realm
  4. Unauthenticated Registration (Trunk, VAS, Gateway)
  5. Brute Forcing Valid Accounts and Passwords
  6. Invite Without Registration
  7. Invite Spoofing (After or Before Registration, Via Trunk)
  8. Testing DDoS attacks to verify that the system is resilient

You can use the tool with Kali via an installation script included with the package, or by copying the contents of the “lib” and “modules” folders into the Metasploit root directory. To find more information about this tool follow this link: http://www.viproy.com/


Phishing spam targeting American Express accounts

A new email phishing campaign has been spotted by Dynamoo's Blog targeting American Express customers. The fake message notifies the user that there is a security problem with their account and invites them to decline new charges by opening the phishing web page, which is http://**-**.com/americanexpress/, and logging in with their credentials.

Image: phishing website screenshot imitating American Express (browser title “American Express Credit Cards, Rewards, Travel and Business Services”)

The page looks like the official American Express website, and each time the victim types in their credentials it displays that the User ID and password are incorrect. At the moment there are several similar phishing websites, with IPs belonging to ISPs in Ukraine and Romania.

If you receive a similar fake message make sure to delete/ignore the email and report it to your bank. Usually the bank will never send an email asking for account changes; they will call the customer to make any update.


“Payroll Received by Intuit”: A spam that brings Cryptowall to your system

A new spam message has been spotted by Dynamoo's Blog that carries the Cryptowall malware as an attachment. The virus is a Trojan horse that infects the Windows operating system and uses RSA-2048 encryption to encrypt the victim's data; this prevents users from opening their files and gives the cybercriminal control over the infected system. If the victim does not make an online payment, the files are going to be destroyed.

The email claims to be about a successful payment that the user made, attaching a copy of the victim's remittance. Obviously the email is attaching a zipped copy of Cryptowall in executable form. Only 9 antivirus engines on VirusTotal identify the file as malicious.

Images: VirusTotal analysis results for the attachment (Remittance___Copy) and the Cryptowall decrypt instructions left by the cybercriminal

In the decrypt instructions the attackers ask victims to use the Tor network and Bitcoin, which better protects the compromised systems, money and encryption keys from law enforcement. Tor complicates tracking the cybercriminals, while Bitcoin makes it hard to track the money transfer.

To protect your system be sure never to open attachments or emails from untrusted sources, update your security software, and make sure you have a backup of your important files stored in a safe place.


Nasty Snifula Trojan starts targeting users in Japan

A new Snifula Trojan variant has been spotted by the Symantec Security Response team in Japan. The malware has compromised more than 30 financial entities, with 12 regional agencies across the country. The malware was first discovered in 2006 and was used to steal victims' financial accounts using man-in-the-browser (MITB) techniques.

According to Symantec the malware's configuration file lists 20 credit card sites and 17 online banking services in Japan. 20% of the malicious activity monitored comes from hosts in Japan, placing it in second place together with Germany, while the UK has the highest number of infected hosts with 24% of the global infected systems.

Image: chart of Snifula distribution (source: Symantec)

This type of threat is hard to detect because it is customizable and can be adapted to certain regions, it is easy to distribute over the internet through infected web servers, and strong authentication does not help because the infected user performs a covert transaction using the same steps and validation required, without noticing the actions performed by the malware.

To protect your system make sure you have the latest updates for your antivirus and use only hardened software that provides protection against MITB attacks.