An Old Trick with a New Twist: Cryptomining Through Disguised URL Shorteners

As we have previously discussed on this blog, surreptitious cryptomining continues to be a problem as new methods emerge both to evade detection and to make mining easier, at the expense of system administrators, website owners, and their visitors.

Another Way Hackers are Tricking Website Visitors into Stealth Cryptomining

The latest of these techniques is really a twist on an old method: disguising a malicious website behind malicious URL shorteners.

Continue reading An Old Trick with a New Twist: Cryptomining Through Disguised URL Shorteners at Sucuri Blog.

Source: Scuri check

Referral Program Update – Now Offering Agency Plan

Referral Program Update – Now Offering Agency PlanSucuri’s main objective is to make the internet a safer place for everyone. With that in mind, we created a Referral Program, which gives you the opportunity to advocate for website security and profit from it.

Our referral partners use their custom link to recommend Sucuri products and receive a starting commission of 25% off the total net purchase when a customer signs up for our Platform and Firewall plans.

Continue reading Referral Program Update – Now Offering Agency Plan at Sucuri Blog.

Source: Scuri check

The Impacts of a Data Breach

Have you ever wondered what happens if your e-commerce site is breached?

Usually, when you think about data breaches, you think about big enterprise websites. Does that mean that big brands are the ones who suffer the most from data breaches? Actually, no.

Recently, Trustwave put out a report that states approximately 90% of breaches impact small merchants.

Here are the top 3 compromised industries:

  • 1. Retail – 45%
  • 2. Food and Beverage – 24%
  • 3. Hospitality – 9%

This graph shows the top 3 compromised industries due to vulnerabilities that allow attackers to steal data; however, bear in mind that any website could become a victim.

Continue reading The Impacts of a Data Breach at Sucuri Blog.

Source: Scuri check

What is PCI Compliance?

Sucuri aims at keeping the internet safe. That is why we are so keen on informing our customers of potential threats. We have posted many articles regarding ecommerce security breaches that steal credit card information, as well as the risks for ecommerce site owners.

There can be many dangers when purchasing through a website, and with so many cyber threats attacking ecommerce platforms and payment gateways, it’s more important than ever to reassure your customers by implementing and maintaining Payment Card Industry (PCI) Compliance.

Continue reading What is PCI Compliance? at Sucuri Blog.

Source: Scuri check

Abuse System Update

On May 9th we updated our abuse system to shut down unauthorized and excessive access to our site and improve service to our free and paying customers. During the update of the abuse management system, all access to the site was shut down for approximately 10 minutes instead of the shorter planned outage.

As of noon Central US time, all access has been restored. We apologize for the inconvenience.

Source: MXtoolbox

Massive localstorage[.]tk Drupal Infection

After a series of critical Drupal vulnerabilities disclosed this spring, it’s not surprising to see a surge of massive Drupal infections like this one:

Massive #Drupal infection that redirects to "Tech Support" scam via "js.localstorage[.]tk" https://t.co/30ZeLIyfza pic.twitter.com/ZCPMepM74k

— Denis (@unmaskparasites) April 24, 2018

… with over a thousand compromised sites that redirect visitors to “Tech support” scam pages.

Malicious Injections

The infected pages contain the following JavaScript code, which is injected into various .tpl.php, .html.twig and .js files.

Continue reading Massive localstorage[.]tk Drupal Infection at Sucuri Blog.

Source: Scuri check

A Puzzling Backdoor Upload

After a successful compromise, backdoors are frequently left behind and function as a point of re-entry into the website environment. These malicious pieces of code are a valuable tool for attackers and allow them to bypass any existing access controls into the web server environment.

To demonstrate just how common this malware is, in 2017 we identified that 71% of all compromises seen by Sucuri had a PHP-based backdoor hidden within the site.

Continue reading A Puzzling Backdoor Upload at Sucuri Blog.

Source: Scuri check

New Firefox Quantum-compatible VirusTotal Browser Extension

In November 2017 Mozilla released a new and improved version of its browser, called Firefox Quantum. Following that step forward, VirusTotal is releasing a major revamp of its browser extension. You may install it at:


Historically VirusTotal had a very simple but popular Firefox extension called VTZilla. It allowed users to send files to scan by adding an option in the Download window and to submit URLs via an input box. We had not updated it since 2012.

At the end of 2017 Firefox decided to discontinue support for old extensions and encourage everyone to update their extensions to the new WebExtensions APIs, a common set of APIs designed to be the new standard in browser extensions. As a result our existing VTZilla v1.0 extension no longer worked. At VirusTotal we decided to face this as an opportunity instead of an inconvenience and we started working on a new and improved version of VTZilla.


VTZilla 2.0 has been designed with various goals in mind. We wanted this new version to be easy to use, transparent to users and as customizable as possible. The first thing users will see when installing the extension is the VirusTotal icon. If you click on it you will see the different configuration options:



This will allow users to customize how files and URLs are sent to VirusTotal and what level of contribution to the security community they want.


Users can then navigate as usual. When the extension detects a download it will show a bubble where you can see the upload progress and the links to file or URL reports.



These reports help users determine whether the file or URL in use is safe, complementing their own risk assessment of the resource. This is a great improvement over the former v1.0 version of VTZilla, which only scanned the URL tied to the file download. You would then have to jump to the file report via the URL report, and this was only possible if VirusTotal’s servers had been able to download the file themselves, leaving room for cloaking and other deception mechanisms.


VTZilla can also send any other URL or hash to VirusTotal. With a right-click, users have access to other VirusTotal functionality:



This is the basis for all future functionality. Feel free to send us any feedback and suggestions. We will be working to improve and add functionality to the extension. Thanks to WebExtensions we will also be able to make this extension compatible with other browsers that support the WebExtensions standard.


Soon after this major revamp we will be announcing new VTZilla features whereby users may further help the security industry in its fight against malware. Even non-techies will be able to contribute, the same way that random individuals can contribute to the search for extraterrestrial life with SETI@home or help cure diseases with BOINC. Stay tuned and help give good the advantage.

Source: VirusTotal

PCI for SMB: Requirement 3 & 4 – Secure Cardholder Data

This is the third post in a series of articles on understanding the Payment Card Industry Data Security Standard – PCI DSS. We want to show how PCI DSS affects small, medium, and large businesses that are going through the compliance process using the PCI SAQs (Self-Assessment Questionnaires). In the previous articles we have written about PCI, we covered requirements 1 and 2:

  • Requirement 1: Build and Maintain a Secure Network – Install and maintain a firewall configuration to protect cardholder data.

Continue reading PCI for SMB: Requirement 3 & 4 – Secure Cardholder Data at Sucuri Blog.

Source: Scuri check

Analysis of a Malicious Blackhat SEO Script

An enormous number of SEO spam infections are handled by us here at Sucuri. In our most recent hacked website trend report, we analyzed more than 34,000 websites and identified that 44% of all website infection cases were misused for SEO spam campaigns.

Once a website has been compromised, attackers often use it to distribute malware, host phishing content, send spam emails, and for a variety of other nefarious purposes. This can be devastating to a website’s reputation, user experience, and credibility.

Continue reading Analysis of a Malicious Blackhat SEO Script at Sucuri Blog.

Source: Scuri check

Steps to Keep Your Site Clean: Updates

This is the second post of a series about Steps to Keep Your Site Clean. In the first post, we talked about Access Points; here we are going to offer more insight on Updates.

Updates

Repeatedly we see websites being infected or reinfected when important security updates are not taken seriously. Most software updates are released because a security flaw has been fixed. Updating to the new version keeps your site safe from vulnerabilities that are very likely to affect it.

Continue reading Steps to Keep Your Site Clean: Updates at Sucuri Blog.

Source: Scuri check

NoSolicitado False Positives

Blacklists operate using the DNS system: a blacklist publishes a set of IP addresses that are blacklisted. We query these lists in real time to give you a consolidated report of the blacklist reputation of an IP address. Sometimes a DNS server at a blacklist operator may get out of sync with the rest of the pool, or the pool may get out of sync with the database. Regardless of the root cause, we always display what we receive when we query the blacklist providers’ DNS servers.

Currently, we are noticing some issues where the Blacklist NoSolicitado is showing some IP addresses blacklisted and then quickly delisting them. These bounces are affecting customers with blacklist monitors and those searching IP addresses. We will update when there is more information.
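The lookup mechanism described above, as an added example that is not MXtoolbox's code: it builds the DNSBL query name for an IPv4 address (reversed octets plus the list's zone, the standard DNSBL convention), interprets the 127.0.0.0/8 answer, and repeats the query to detect the listed-then-delisted bounces the post describes. The zone name is a placeholder, since the post does not give NoSolicitado's zone, and the resolver is injected so the example runs offline.

```python
import ipaddress

# Placeholder zone: the post does not give NoSolicitado's DNSBL zone, so this is a stand-in.
DNSBL_ZONE = "dnsbl.example"
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the lookup name: the IPv4 octets reversed, then the blacklist's zone appended."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on junk input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def interpret_answer(records):
    """A listed IP answers with an A record in 127.0.0.0/8; an empty answer (NXDOMAIN) means not listed."""
    for rec in records:
        if ipaddress.IPv4Address(rec) in LOOPBACK:
            return "listed"
    return "not listed"


def check_with_history(ip, resolve, zone=DNSBL_ZONE, samples=5):
    """Query the same name several times and classify the run as listed, not listed or flapping.

    `resolve(name)` returns the A records for `name` (empty list on NXDOMAIN). It is injected so
    the example runs offline; in production it would wrap a real DNS lookup.
    """
    name = dnsbl_query_name(ip, zone)
    outcomes = {interpret_answer(resolve(name)) for _ in range(samples)}
    return outcomes.pop() if len(outcomes) == 1 else "flapping"


def make_flapping_resolver():
    """Constructed resolver mimicking the bounce described in the post: listed once, then delisted."""
    calls = {"n": 0}

    def resolve(name):
        calls["n"] += 1
        return ["127.0.0.2"] if calls["n"] == 1 else []

    return resolve
```

With dnspython, `resolve` could wrap `dns.resolver.resolve(name, "A")`, returning each record's `.address` and an empty list when `dns.resolver.NXDOMAIN` is raised.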

Source: MXtoolbox

From Baidu to Google’s Open Redirects

Last week, we described how an ongoing massive malware campaign began using Baidu search result links to redirect people to various ad and scam pages.

It didn’t last long. Soon after the publication of that article, the bad actors changed the links to use compromised third-party sites, and a couple of days later they began using Google’s goo.gl URL shortening service.

This is a snippet from their decoded script:

The Redirect Chain

If you check Google’s own information about that shortened URL, it shows that the URL redirects to another Google owned URL maps.app.goo.gl which looks quite benign.

Continue reading From Baidu to Google’s Open Redirects at Sucuri Blog.

Source: Scuri check

Malicious Activities with Google Tag Manager

If I were to ask whether you could trust a script from Google that is loading on your website, the majority of users would say “yes” or even “absolutely”. But when malicious behavior ensues, everything should be double-checked and suspected, even assets that come from “trusted sources” like Google, Facebook, and YouTube.

In the past, we saw how AdSense was abused in a malvertising campaign. More recently, we saw how attackers injected malware that called Google AdSense ads to generate revenue for the attackers. However, there’s an even more troublesome part of the toolkit that Google offers to webmasters – Google Tag Manager.

Continue reading Malicious Activities with Google Tag Manager at Sucuri Blog.

Source: Scuri check

Multisandbox project welcomes Cyber adAPT ApkRecon

Two weeks ago we announced the release of our new VirusTotal Droidy Android sandbox, a virtual environment that executes Android applications in an automated fashion in order to capture all the actions that the given app performs on the operating system.

Today we are excited to announce that Cyber adAPT is becoming a multisandbox project partner and will be contributing data from its ApkRecon product to the fight against malware. Like Droidy, its solution also focuses on the Android environment. In their own words:

ApkRecon is a sandbox environment developed by the research team at Cyber adAPT. Amongst many features, the sandbox boasts a baited Android environment, a decrypted network application level capture, and an attack payload triggering system to gain insight into the true intent of each piece of analyzed malware. ApkRecon is also used to generate detection logic for Cyber adAPT’s Mobile Threat Detection product to keep users safe all around the world.


These are some example reports displaying the data contributed by Cyber adAPT:

It is worth highlighting the usefulness of this kind of data. When facing unknown files for which you have no context, it provides rich contextual information that allows analysts to form an initial judgement of the file before diving into dissecting it. For example, looking at the last example report above, we notice that the file performs an HTTP POST to:

hxxp://85.206.166.7/index.php?action=command

This is a URL that we can look up in VirusTotal Graph, jumping to the host referenced in the URL, i.e. 85.206.166.7. When exploring this host we notice that only the file under consideration has communicated with it; however, expansions are available through the referrer files relationship. This relationship pinpoints files that contain the given host within their body, even if they have not been seen communicating with it. Let’s follow this notion, since something shady seems to be going on:

Badness is much easier to spot when studying the sample characterised in this other report:

In this case the APK reaches out to the URL:

hxxp://zzwx.ru/apkfff?keyword=BBM

From there we can jump to the domain entity, i.e. zzwx.ru, and expand the URLs observed under that domain, as well as the files communicating with it. Just two hops and we already have a preliminary idea that the initial APK that reached out to the aforementioned URL is malicious:

These examples highlight the importance of extracting as many attributes and behavioral details as possible from files, not only because they allow us to better understand a particular threat, but because they connect the dots and reveal entire campaigns. For instance, very often blocking a given network location will render ineffective all malware variants of a given campaign (inability to reach the mothership server), so even when certain variants fly under detection radars, there is still hope that network security measures will stop a given attack.

This kind of approach to block badness is something that we have shaped into a particular paper hosted in our www.virustotal.com/learn space, more specifically the paper entitled VirusTotal Intelligence for banking trojans. In this paper malicious network infrastructure is shut down by contacting the pertinent domain registrars and hosting providers, however, organizations can also blacklist these locations in their network security controls.

Source: VirusTotal

Content Security Policy

As a website owner, it’s a good idea to be aware of the security issues that might affect your site. For example, Cross-site Scripting (XSS) attacks consist of injecting malicious client-side scripts into a website and using the website as a propagation method.

You probably know too that client-side scripts can be programmed to do pretty much anything. They can range from showing an alert message on your website to animating images, mining cryptocurrencies, or showing pop-ups that contain NSFW pharma products.

Continue reading Content Security Policy at Sucuri Blog.

Source: Scuri check

Unwanted Ads via Baidu Links

The malware attack that began as an installation of malicious Injectbody/Injectscr WordPress plugins back in February has evolved since then.

Some of the changes were documented as Updates at the bottom of the original blog post; however, every week we see minor modifications in the way they obfuscate the scripts or the files they inject them into.

Encrypted WordPress JavaScript Files

At this moment, the most common injection targets are core WordPress JavaScript files:

wp-includes/js/jquery/jquery-migrate.min.js
wp-includes/js/jquery/jquery.js
wp-includes/js/wp-embed.min.js

Hackers add the malicious code and then obfuscate the entire file contents along with the original legitimate code so that the only way to clean the files without breaking the site functionality is to replace them with their original clean copies.
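A defender-side way to catch this kind of tampering, as an added example that is not Sucuri's code: hash the three core files named above against a pristine WordPress release, flag any that differ, and restore them from the clean copy, which is the remediation the post recommends. The directory trees and file contents in the demo are constructed stand-ins.

```python
import hashlib
import os
import shutil
import tempfile

# The core WordPress files the post names as the current injection targets.
CORE_JS_TARGETS = [
    "wp-includes/js/jquery/jquery-migrate.min.js",
    "wp-includes/js/jquery/jquery.js",
    "wp-includes/js/wp-embed.min.js",
]

def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(clean_root, rel_paths):
    """Hash known-clean copies, e.g. a pristine WordPress release unpacked at clean_root."""
    return {rel: sha256_of(os.path.join(clean_root, rel)) for rel in rel_paths}

def audit_site(site_root, manifest):
    """Compare the live site against the manifest: 'ok', 'modified' or 'missing' per file."""
    status = {}
    for rel, expected in manifest.items():
        path = os.path.join(site_root, rel)
        if not os.path.exists(path):
            status[rel] = "missing"
        elif sha256_of(path) != expected:
            status[rel] = "modified"
        else:
            status[rel] = "ok"
    return status

def restore_modified(site_root, clean_root, status):
    """Remediate as the post recommends: overwrite modified files with the clean copies."""
    restored = [rel for rel, state in status.items() if state == "modified"]
    for rel in restored:
        shutil.copyfile(os.path.join(clean_root, rel), os.path.join(site_root, rel))
    return restored

def demo():
    """Constructed demo: a clean tree and a site tree whose jquery.js has been obfuscated."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as site:
        for rel in CORE_JS_TARGETS:
            for root in (clean, site):
                full = os.path.join(root, rel)
                os.makedirs(os.path.dirname(full), exist_ok=True)
                with open(full, "w") as fh:
                    fh.write("/* constructed stand-in for %s */\n" % rel)
        # Mimic the infection: the whole original file is re-wrapped in an eval() blob.
        tampered = os.path.join(site, "wp-includes/js/jquery/jquery.js")
        with open(tampered, "r+") as fh:
            original = fh.read()
            fh.seek(0)
            fh.write("eval('/* constructed obfuscated wrapper */ %s')\n" % original.strip())
        manifest = build_manifest(clean, CORE_JS_TARGETS)
        before = audit_site(site, manifest)
        restored = restore_modified(site, clean, before)
        after = audit_site(site, manifest)
        return before, restored, after
```

In practice the manifest would be built once from the WordPress release matching the site's version and kept off the web root, so a compromised site cannot rewrite its own reference hashes.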

Continue reading Unwanted Ads via Baidu Links at Sucuri Blog.

Source: Scuri check

Hacked Website Trend Report – 2017

We are proud to be releasing our latest Hacked Website Trend Report for 2017.

This report is based on data collected and analyzed by the Sucuri Remediation Group (RG), which includes the Incident Response Team (IRT) and the Malware Research Team (MRT).

The data presented stems from the analysis of 34,371 infected websites summarizing the latest trends by bad actors. In this report, we build from data points seen in the 2016/Q3 report to identify the latest tactics, techniques, and procedures (TTPs) detected by the Remediation Group.

Continue reading Hacked Website Trend Report – 2017 at Sucuri Blog.

Source: Scuri check

Meet VirusTotal Droidy, our new Android sandbox

Recently we called out “Additional crispinness on the MacOS box of apples sandbox”. Continuing with our effort to improve our malware behavior analysis infrastructure, we are happy to announce the deployment of a new Android sandbox that replaces the existing system that was developed back in 2013.

This setup characterises the actions that Android APKs perform when installed and opened; it has been baptised as “VirusTotal Droidy”. Droidy has been integrated in the context of the multisandbox project and extracts juicy details such as:
  • Network communications and SMS-related activity.
  • Java reflection calls.
  • Filesystem interactions.
  • SQLite database usage.
  • Services started, stopped, etc.
  • Permissions checked.
  • Registered receivers.
  • Crypto-related activity.
  • Etc.

You may find below a couple of reports showcasing this new functionality. Just select the “VirusTotal Droidy” entry in the multisandbox report selector (whenever there are multiple reports):

Don’t forget to also check the detailed report:

This advanced view allows you to dig into the hooked calls and take a look at the screenshots generated when running the apps:

The multisandbox project is in good shape, and now many samples have reports for multiple sandboxes. For instance, the following report allows you to see the output of Tencent HABO and VirusTotal Droidy:

As you can see, they are pretty complementary, proving the value of having different sandboxing technologies studying the same files.

To understand the extent to which this is an improvement with respect to the 2013 setup, you can take a look at the following report. It displays by default the output of the old sandbox. Use the selector to see the new report with VirusTotal Droidy:

Now, these may seem like minimal features to improve VirusTotal’s “microscope” capabilities for better understanding a particular threat. In fact, the changes go much deeper. All of our sandboxing information nurtures other services such as VirusTotal Intelligence and VirusTotal Graph. The richer the information that we generate for individual data set items, the greater the telescopic capabilities of VirusTotal. This is how we manage to fill in the dots and quickly see all activity tied to certain resources that often show up in malware investigations. For example, let us look at the graph of one of the domains seen in the previous reports:

At a glance you can understand that something shady is going on with wonderf00l.gq and you are able to discover other malicious domains such as flashinglight.tk, checkingupd.tk, flashupdservice.cf, etc. Some of these, for instance checkolimpupd.tk, are not only used as C2 infrastructure for malware but also serve as malware distribution points.

Very often during an investigation, you might not have enough context about an individual threat, and so being able to look at the connected URLs, domains, files, IP addresses, etc. becomes crucial in understanding what is going on. My colleague Evan explains this far better than I can do in just a couple of paragraphs, so make sure you check out his video dissecting a cryptomining attack at https://www.virustotal.com/learn/watch/.
Wrapping up, don’t think of this as just new functionality to dissect individual threats. All of this data contributes to the bigger picture and increases the power of our telescope lens that sheds light into malicious behaviors on the Internet.

Source: VirusTotal

Obfuscation Through Legitimate Appearances

Recently, I analyzed a malware sample provided by our analyst Edward C. Woelke and noticed that it had been placed in a core WordPress folder. This seemed suspicious, since no such core WP file like it exists: ./wp-includes/init.php

Deceiving Appearances

I started with a standard analysis and my first thought was, this has to be a legitimate file! Nicely structured, with very legit-looking function names. It even used Object Oriented PHP, which doesn’t happen very often in the case of malware.

Continue reading Obfuscation Through Legitimate Appearances at Sucuri Blog.

Source: Scuri check