Exploit Brokers

Malware Textbooks, Marriott Data breach, COVID-19 IRS Scams, And Mage-cart Malware Anatomy Lesson

Podcasts / by / Leave a Comment

Hey Guys It’s your host Lauro with Exploit Brokers. I’m happy to say the Show Will Go On!

So let’s start with a quick intro! Malware is being disguised as Textbooks, the Marriott Hotels had a data breach which means more than just a mint on your pillow, we discuss the top 10 application vulnerabilities for 2019, and we wrap up this episode by going over the anatomy of Magecart malware. Some of you may remember Magecart as previously mentioned in another episode. This time we’ll be covering a general anatomy of it, so let’s login.

 

Malware Ridden Textbooks and Educational Related Content

So in an article by kaspersky.com titled as “Student surprise: Malware masked as textbooks and essays”, Kaspersky shares their findings of Malware being disguised as educational content such as essays, books, and more. So let’s break that down here.

So the article opens up by pointing out that malware can come as TV Shows, and game sheets. Now for some of my listeners who have come across malicious file hidden as some other file, I would like to give a quick explanation as to why. Windows will generally identify a file not by the contents but by the ending file type, the dot jpg for example. Windows by default doesn’t show the file type ending so you may see something.jpg but you won’t see it’s really something.jpg.exe and the .exe means windows will try to execute it. So with this in mind let’s keep going.

Here is a breakdown of the numbers. It’s important to note the numbers and articles only represent the individuals who used Kaspersky as their AntiVirus. The numbers reflect data gathered by Kaspersky using their Anti Virus Software.

Kaspersky noted 356,000 attacks on users. 74,000 users attempted to downloaded 233,000 malware ridden essays but the malware was blocked by kaspersky. If these numbers reflect the users correctly  then each user on average attempted to download a malware disguised as an essay roughly 3 times.

Furthermore, 30,000 users attempted to download malware disguised as textbooks about 122,000 times. Which comes out roughly to 4 malicious textbook download attempts per user.

So now that we know the textbook attempts we can break down the textbook subjects. The highest infection attempts were primarily English textbooks at around 2,000 attempted downloads. This is followed by around 1,200 attempted downloads of Math textbooks. Lastly Literature is the 3rd highest download attempt at around 870 attacks. There were also 18 Natural Science and an undisclosed amount in foreign language textbooks.

We’ve covered the numbers but we haven’t covered the types of malware that was found in Kaspersky’s finding. Let’s go over that.

So the 4th most found malware in their study is the MediaGet torrent application. This download a torrent client instead of the file they were originally looking for. You can find this on download sites usually hidden as another Download button.

Next, the 3rd most found malware is WinLNK.Agen.gen. The malware hides itself in a compressed file like a RAR or ZIP Archive. When you unzip the malware and open it then the malware displays the document and begins executing the malicious code that came with the payload. This is sometimes accomplished with a LNK, Shortcut, file that pretends to be another file like an image or pdf but is really just code to display and execute malicious actions. The trojan can download various malicious software like Adware, cryptominers, botnet software, you name it.

Furthermore, the second most found malware is Win32.Agent.ifdx. This malware acts very similarly to WinLink.Agen.gen and is primarily a downloader for other malware such as cryptominers. This malware does spoof itself as a PDF, DOC, or DOCX document but is just a trojan to download other malware.

Lastly, the most found malware was the Stalk worm. The stalk worm, also known as Worm.Win32 Stalk.a, has the highest number of victims and is primarily used to infect educational related users and networks. The Stalk worm infects devices and distributes itself via email found on the victim computer.

So if any system, network, or admin of any kind is listening remember to keep your network and devices as up to date as possible.

src: https://www.kaspersky.com/blog/back-to-school-malware-2019/28316/

Magecart Attack Toolkit: Anatomy of Skimming-as-a-Service

So some of you may remember Magecart from a previous episode. For those of you who don’t let me explain. MageCart is a hacker group that creates malicious software to infect checkout carts and skim, also known as stealing the information by sniffing it during a transaction, credit cards from victims. The PerimeterX research team published an article titled as “Skimming-as-a-Service: Anatomy of a Magecart Attack Toolkit”, that goes into their findings, dissects part of how the Inter toolkit works,  and their conversation with one of the Toolkit developers.

So let’s dive into the toolkit first. The Inter toolkit was originally found in 2018 and was being marketed as an easier way for hackers, who had access to compromised shopping carts, to steal credit cards. At the time in 2018, paying $1,300 meant you had a way to take data from your compromised sites, no coding skills needed. The PerimeterX research later found a post in another public forum that hinted the Inter developers were still building and maintaining the toolkit.

So what did the researchers actually find?

The Inter toolkit has an easy to recognize control panel login with a logo of a red square in a blue circle. The PerimeterX team note this made it easier to track the control panels as they found them in the wild. The server they came upon showed not the panel but the directory tree of the app. This essentially means when they went to the site they could see how everything was organized and access the files of the app instead of the actual app contents. This is very useful because you can see the source files instead of the output generated when you go to a URL.

The PerimeterX team found what appeared to be a staging site with open login and found a text file that the developer left on by accident used for debugging.

The Inter toolkit has functionality as follows:

  • An admin panel with CAPTCHA
  • A Command and Control drop zone url, used to collection the stolen card data
  • A Pipeline for the stolen credit card numbers to add geolocation data of the victim IP and adjusting names for an easy way to aggregate the data
  • Filter and export functions for the credit card data
  • Creation of a loader and a skimmer script (great for non-developer oriented hackers)
  • The skimmer fields can be adjusted to customize for the need of every checkout page.
  • The loader has Obfuscation to evade Anti-Malware scanners.

A notable feature is that the Obfuscation provided includes the Caesar obfuscator which is worth around $100 on it’s own but is included as part of the toolkit.

Cleverly, the toolkit generates loaders with obfuscation and anti-forensic features such as preventing loading of the skimmer if the loader detects a debugger is open.If you have devtools or firebug the loader won’t fetch the skimmer so you won’t see it execute the skimming code.

Now we have spoken about the technical aspect of this skimmer but onto why the article refers to it as Skimming-as-a-service. The developers treat this as a commercial software, albeit a malicious software. At the time of the article’s writing the toolkit retails for $1000 and includes 24/7 support. If you need help setting it up the developers offer malicious clients a 30/70 split of revenue. This bring software as a service model to the criminal side as malicious developers bring their skillsets to the blackhat side.The PerimeterX team indicate this article is part of a series so I do encourage you to go check them out. Link is in the shownotes at https://exploitbrokers/podcasts/hn07 .

I can’t agree with the developers writing software for nefarious purposes but as a developer I can understand how code can fill a need, again a malicious need. So it’s interesting that a team of security researchers not only talked to the developers of this malware but shared their research and part of their conversation with the security community and the world.

src: https://www.perimeterx.com/resources/blog/2020/skimming-as-a-service-anatomy-of-a-magecart-attack-toolkit/

COVID-19 IRS Scam

So we’ve gone over Malware Textbooks and Skimming-As-A-Service, but time to give out some good security info on social engineering. In an article by Sophos.com’s NakedSecurity titled “Watch out for the new wave of COVID-19 scams, warns IRS”, Sophos describes a new wave of COVID-19 Scams.

Many American listeners are probably aware that a stimulus bill was passed where most American adults will receive $1,200 , there are conditions of-course.

The article outlies the following IRS warned red flags:

  • If someone emphasizes the words “Stimulus Check” or “Stimulus Payment”, run. Economic Impact Payment is the proper term being used.
  • If someone says they can get your tax refund or economic payment faster by working on your behalf, run.
  • If someone asks for personal banking info or any Personal Identifiable Information (PII) and they say it’s to help receive or speed up the economic payment or stimulus, you guessed it RUN!
  • If you get a check in an odd amount and there are instructions to call a number to verify information online to cash it, run.
  • Lastly, if they ask you to sign over your economic impact payment to them, run.

The IRS will not call, email, or contact you to get information to process your payment faster, that’s just not how they operate.

Although the IRS Criminal Investigation Division is hard at work trying to shut down these scammers there will be many scammers who fall through the cracks.

Here are some important highlights to note.

  • If you have direct deposit setup for your 2019 and/or your 2019 tax return the IRS should be using that.
  • If you don’t have direct deposit they will mail it to you and anyone offering to submit your direct deposit or banking info is not to be believed.
  • Retirees will be receiving their payment automatically and the IRS won’t be reaching out to them. If someone reaches out to a retiree claiming to be IRS and wants to help them, RUN.

There are two things I hope my listeners will do.

  1. Share this information with loved ones and anyone in older age they know. At times like this many non-security oriented people are most vulnerable and it’s important security oriented or security interested people help those they can.
  2. If you or someone you know gets swindled, report it so the IRS can try to stop the scammers in their tracks. If you get any text messages, social media messages, unsolicited emails that seem to be from the IRS or systems like the Electronic Federal Tax Payment System (EFTPS) then forward as much of the info as you can to [email protected].

I know some people like to mess with scammers but I feel I also have to share that it appears the IRS does not want anyone interacting with the potential scammers and prefers people report the scammers to them.

src: https://nakedsecurity.sophos.com/2020/04/03/watch-out-for-the-new-wave-of-covid-19-scams-warns-irs/

Marriott data breach

Moving on, our show is has discussed breaches in the past and this is another breach. This time it appears the large hotel chain Marriott has informed the public that 5.2 million hotel guest’s information has been hacked in a recent data breach. Zdnet.com’s article titled “Marriott discloses new data breach impacting 5.2 million hotel guests”, shares some of the details.

The 5.2 million users affected are hotel guests who used the company’s loyalty app. The hotel discovered the breach late February. Login credentials from two employees from a franchine property had access to the app’s backend system. It’s thought the breach can be dated from mid-January but nothing has been released on how the credentials were swiped.

Here is the information believed to have been pulled:

  • Contact details such as Name, Mailing Address, Email Address, and Phone number.
  • Loyalty Info such as Account Number and Point Balance
  • Personal Details such as Company, Gender, Birth-day, and Birth-month
  • Affiliations such as any linked accounts including airline loyalty programs and their respective account numbers
  • Personal Preferences such as language and room preferences.

Now it does state that Marriott does not believe passwords, pins, payment info, passport info, national id, nor driver’s license info was pulled from their system.

It’s also interesting to note this is the second breach Marriott has had in the past year or so. Back in November they had their Starwood Hotels reservation system compromised and 383 million guest details stolen as well.

We will see how much further this goes and how many more details are disclosed by Marriott

src: https://www.zdnet.com/article/marriott-discloses-new-data-breach-impacting-5-2-million-hotel-guests/

Wrap-Up

So guy’s thank you for tuning in. Remember to stay safe and secure and always keep learning. This has been your host Lauro, signing off!

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *