BREAKING NEWS!
In this Breaking News! Edition, we take a look at two potential threats.
Cryptowall ransomware makes a comeback
Yes, this advisory has talked about Cryptowall, an advance version of Cryptolocker, in previous editions. The cyber crooks have found another way to spread this ransomware – through spam. How are they doing it this time? They have resorted to spreading the ransomware with a malicious .chm attachment.
Cyrptowall is known for disguising its payload as a non-threatening application or file. It will encrypt the files of infected computers and demand money in return for a decryption key.
Bitdefender Labs found that these malicious emails targeted users from around the world, including UK, US, Netherlands, Denmark and Australia. From their analysis, Bitdefender Labs found that the spam originated from servers In Vietnam, India, Australia, US, Romania and Spain.
Chm extension is an extension for the Compiled HTML file format. This type of file is used to deliver user manuals along with software applications. CHM files are highly interactive and run a series of technologies including JavaScript. It will redirect a user toward an external URL after opening the CHM. Cybercriminals then exploit CHM files to automatically run malicious payloads.
In this case the fake email report claim to be from a machine in the users’ domain. Once the content of the .chm file is accessed, the malicious code is downloaded and saved. It then executes the malware. In the process, a command prompt window is opened.
Whatever you do, it is always good practice to not open any attachment until you are sure of its contents. It is always best to verify with the sender (if the sender is known to you) or delete the email if it unsolicited.
Password-stealing Trojan
If the Crytowall isn’t enough to threaten us, now there is a password-stealing Trojan (see Definition) in the guise of Flash Player Pro update. This new malware delivery campaign is aimed at spreading Fareit, a Trojan that steals password, but download additional malware.
The target: users whose DNS server settings have been changed to redirect them to malicious sites without their knowledge. The change could have possibly come about as a result of a previous compromise of their routers via malware.
F-Secure reported that when the DNS server settings have been changed to point to a malicious server used by Fareit, the unsuspecting user visiting a common websites will get a warning, “WARNING! Your Flash Player may be out of date. Please update to continue”.
The legitimate-looking image below appears, but is actually a malicious download page. For your information, Flash Player Pro doesn’t exist. For those who are unaware of this fact, could be tricked into downloading and running the setup.exe file.
Users are advised to restore the router’s DNS server settings to what it should be or face the prospect of being hit with infection attempts in the future.
You are advice to take the carry out the following: disconnect the router from the internet & resetting it; changing the router password; disable its remote administration feature; updating its firmware (see Definition); rebooting the computer the DNS cache; scanning the computer with an up-to-date antivirus solution.
Definition
Trojan – a type of malware containing malicious code, that when executed, performs illicit activity such locating password information, make the system more vulnerable or cause theft or loss.
Firmware – a software program or a set of instructions programmed on a hardware device. It provides the necessary information on how the device communicates with other computer hardware. It’s typically stored in the flash ROM of the device and thought of ‘semi-permanent).
Source
Help Net Security