RawGit CDN is Abused by CryptoLoot Cryptominers

Recently, we came across another way to use files from GitHub repositories in malware infections.

This time the infections weren’t via GitHub.io, raw.githubusercontent.com, or github.com/<user>/<repository>/raw/ URLs. The new trick involved a third-party service called RawGit that provides a CDN for GitHub files.

This is the script that we found injected into .js and theme files on infected Drupal and WordPress sites.

Some of the infections were clearly buggy.

Continue reading RawGit CDN is Abused by CryptoLoot Cryptominers at Sucuri Blog.

Source: Sucuri check

Switching to HTTPS Before It’s Too Late

Google, Mozilla, and other web authorities are pushing website owners to adopt HTTPS. Soon, Google Chrome will start flagging sites by displaying a warning that the site is “Not secure”.

Chrome 68 is already in Beta. Before long, everyone will be able to update their browsers to Chrome 68 and see “Not Secure” warnings on websites without SSL.

Reasons Behind the HTTPS Movement

It is a fact that websites with HTTPS are ranked higher in the Google search results.

Continue reading Switching to HTTPS Before It’s Too Late at Sucuri Blog.

Source: Sucuri check

Browser Extension Bug Leads to Post Injection

A few years ago, we saw how a browser extension introduced a threat that served unwanted ads. Today, the number of browser extensions available to users has grown, along with the risk of this kind of behavior occurring again.

We recently came across a similar case where several completely different websites contained what appeared to be a base64-encoded image, only visible from source-code view.

Base64 Encoded Images

There are a variety of approaches to displaying images on websites.

Continue reading Browser Extension Bug Leads to Post Injection at Sucuri Blog.

Source: Sucuri check

Hiding Malware Inside Images on GoogleUserContent

If you have been following our blog for a long time, you might remember us writing about malware that used EXIF data to hide its code.

This technique is still in use. Let us show you a recent example.

Contaminated Pac-Man

This code was found at the beginning of a malicious script that steals PayPal security tokens.

As you can see, it reads “EXIF data” from a pacman.jpg image hosted on Google’s servers, probably uploaded using a Blogger or Google+ account.

Continue reading Hiding Malware Inside Images on GoogleUserContent at Sucuri Blog.

Source: Sucuri check

Persistent Malicious Redirect Variants

It’s always nice to meet an old friend or someone you used to know well. You have news to share and talk about, stories to tell, etc. But what if your “old friend” was on the criminal side of things and you are meeting him more often than you actually like? Moreover, when you see him, he keeps changing his appearance with different sunglasses, haircuts, beards, and mustaches. But you know it’s still him. And you know he’s still a criminal…

This exactly describes the case of a family of malicious injectors and redirects we have been seeing for several years.

Continue reading Persistent Malicious Redirect Variants at Sucuri Blog.

Source: Sucuri check

Ask Sucuri: How Do You Find Website Backdoors?

In a previous post, we explained what website backdoors are and what they look like. Today, we want to focus on the ways we identify and remove backdoors to prevent reinfection.

Techniques to Find Backdoors

Finding a website backdoor is not an easy task, because the main function of a backdoor is to stay hidden from the website owner. However, at Sucuri we recommend the following techniques:

We know what good files look like.

Continue reading Ask Sucuri: How Do You Find Website Backdoors? at Sucuri Blog.

Source: Sucuri check

WordPress Update – 4.9.7 Security & Maintenance Release

The WordPress team has just released a critical security and maintenance update to resolve a number of bugs and security issues.

Included in this release is a patch that protects against a vulnerability allowing bad actors to delete files from your site. If certain circumstances are met, this vulnerability may be enough for an attacker to completely take control of your website.

Are You at Risk?

If you don’t have automatic updates enabled or are using WordPress version 4.9.6 or earlier, your site may be vulnerable to this security issue originally reported by Slavco.

Continue reading WordPress Update – 4.9.7 Security & Maintenance Release at Sucuri Blog.

Source: Sucuri check

CoinImp Cryptominer and Fully Qualified Domain Names

We are all familiar with the conventional domain name notation, where different levels are concatenated with the full stop character (period).

For example, in “www.example.com”, “www” is a subdomain, “example” is a second-level domain, and “com” is a top-level domain.

However, very few know that there is also a DNS root domain, and that it can be specified explicitly in a fully qualified domain name.

Continue reading CoinImp Cryptominer and Fully Qualified Domain Names at Sucuri Blog.

Source: Sucuri check

Google and Facebook Used in Phishing Campaigns

We’ve all seen sketchy-looking emails or texts with malicious links to click on. Some people still fall for these more obvious scams, but phishing messages are designed to deceive: they use methods that appear legitimate or urgent, encouraging the victim to hand over their data.

Phishing Campaigns

Phishing attempts happen in many ways, such as:

  • deceptive email campaigns,
  • suspicious SMS alerts (called smishing),
  • fake websites designed to look and sound authentic, and more.

Continue reading Google and Facebook Used in Phishing Campaigns at Sucuri Blog.

Source: Sucuri check

Sucuri Enhances Security by Disabling TLS Version 1.0 and 1.1

Protecting our users’ information and privacy is extremely important to us. As a cloud-based security service, we are fully committed to complying with the PCI Data Security Standard (PCI DSS) requirements. That is why Sucuri disabled support for TLS versions 1.0 and 1.1 on our WAF/CDN edge nodes on June 28, 2018.

What Is TLS?

Transport Layer Security (TLS) is a cryptographic protocol used to enhance the security of a communication channel by encrypting the traffic between the parties involved.

Continue reading Sucuri Enhances Security by Disabling TLS Version 1.0 and 1.1 at Sucuri Blog.

Source: Sucuri check

What are Website Backdoors?

When a site gets compromised, the attackers will often leave some piece of malware behind to allow them access back to the site. Hackers want to leave a door open to retain control of the website and to reinfect it continuously. This type of malware is called a backdoor.

What Are Backdoors?

Backdoors are a type of malware that allows remote control of a compromised website by bypassing the normal authentication methods.

Continue reading What are Website Backdoors? at Sucuri Blog.

Source: Sucuri check

Why You Should Care about Website Security on Your Small Site

Most people assume that if their website has been compromised, an attacker must have evaluated their site and looked for a specific vulnerability to exploit. Under most circumstances, however, bad actors don’t manually hand-pick websites to attack, since that is a tedious and time-consuming process. Instead, they rely on automation to identify vulnerable websites and execute their attacks. The unfortunate reality is that websites big or small are targeted daily, and the majority of these attacks are automated.

Continue reading Why You Should Care about Website Security on Your Small Site at Sucuri Blog.

Source: Sucuri check

Magento Credit Card Stealer Reinfector

In the past few months, we have frequently seen attackers infecting Magento installations to scrape confidential information such as credit cards, logins, and PayPal credentials. That is why we reported on a credit card stealer reinfector of Magento websites in one of our recent Labs Notes.

In this post, we describe one of the methods hackers use to ensure that their malicious code is added back to a website after it has been removed.

Continue reading Magento Credit Card Stealer Reinfector at Sucuri Blog.

Source: Sucuri check

Launching VirusTotal Monitor, a service to mitigate false positives

One of VirusTotal’s core missions is to empower our antivirus partners. By building better tools to detect and study malware, VirusTotal gets to make a dent in the security of billions of users (all those that use the products of our partners). Until now we have focused on helping the antivirus industry flag malicious files, and now we also want to help it fix mistaken detections of legit files, i.e. false positives. At the same time, we want to fix an endemic problem for software developers.

False positives impact antivirus vendors, software developers and end-users. For example, let us imagine a popular streaming service app that allows in-app digital content purchases. We will call it Filmorrific.

Filmorrific happens to be so popular that when an antivirus vendor mistakenly flags it as malware, the AV vendor gets terrible press as major online news sites, computer magazines and blogs report on the issue. This leads to big reputation damage for the AV vendor.

The detection of Filmorrific leads to the software being quarantined and blocked from running on end-user machines. End-users are now unable to access their favourite streaming service, and they are also confused, thinking that Filmorrific has trojanized their machines.

For Filmorrific, the software publisher, this immediately translates to a blackout across the entire user base of the detecting AV vendor. Suddenly, they not only lose revenue from the installed base, but also the trust of less technical users who do not really understand what is going on, and they get overloaded with support tickets accusing them of infecting user machines. Filmorrific in turn decides to sue the detecting antivirus company for the damage, and we have now come full circle.

Note that in this context, a software developer is not only a company creating an app or program distributed to thousands of machines and including some kind of monetisation strategy. Today, almost every organization builds internal tools that their finance, accounts payable, HR, etc. teams use. All of these tools are prone to false positives, and while this might not have a revenue impact, it certainly has a cost in terms of productivity hours lost because the workforce can’t access a given app.

What if we could kill these three birds with the same stone? Enter VirusTotal Monitor. VirusTotal already runs a multi-antivirus service that aggregates the verdicts of over 70 antivirus engines to give users a second opinion about the maliciousness of the files that they check. Why not take advantage of this setup not only to try to detect badness, but also to flag mistaken detections of legit software?

VirusTotal Monitor is a new service that allows software developers to upload their creations to a private cloud store in VirusTotal. Files in this private bucket are scanned with all 70+ antivirus vendors in VirusTotal on a daily basis, using the latest detection signature sets. Files also remain absolutely private and are not shared with third parties. Only in the event of a detection is the file shared with the antivirus vendor producing the alert. As soon as the file is detected, both the software developer and the antivirus vendor are notified; the antivirus vendor then has access to the file and its metadata (company behind the file, software developer contact information, etc.) so that it can act on the detection and remediate it if it is indeed considered a false positive. The entire process is automatic.

For antivirus vendors this is a big win, as they now have context about a file: Who is the company behind it? When was it released? In which software suites is it found? What are the main file names with which it is distributed? For software developers it is an equally big win, as they can upload their creations to Monitor at the pre-publish stage to ensure a release without issues. They can also keep their files in the system to automate notification of false positives to antivirus vendors in the future. Software developers no longer have to interact with 70 different vendors, each with its own interface and strenuous process for communicating issues.

In particular, software vendors use a Google-drive like interface where they can upload their software collections and provide details about the files:

Upon upload, the files are immediately scanned with the 70+ antivirus engines in VirusTotal, and then once a day thereafter. At any point in time you can refer to the Analyses view in order to see the health of your collection with respect to false positives:

All of this scanning activity is summarized in the dashboard where users land on subsequent accesses to the platform:

Developers are not forced to use this web interface, as the platform allows email notifications and offers a full REST API that is very useful when automating software release pipelines:

On their end, antivirus vendors also see something similar. They get access to a platform with all items that the particular engine detects and they can integrate with it programmatically via a different API endpoint. This is how certain vendors are able to quickly react and get over 200 false positives from our test bed fixed within minutes:

As previously stated, all files in this flow are private; they are not distributed to third-parties, only to antivirus vendors producing detections. This said, if one of the files in a Monitor collection happens to be uploaded to the standard public VirusTotal service, we will highlight that the file belongs to an organization in Monitor and will display the pertinent detections in orange rather than red:

VirusTotal Monitor is not a free pass to get any file whitelisted; sometimes vendors will indeed decide to keep detections for certain software. However, by having contextual information about the author behind a given file, they can prioritize work and make better decisions, hopefully leading to a world with fewer false positives. The idea is to have a collection of known-source software, so that each antivirus vendor can decide what kind of trust-based relationship it has with each software publisher.

As Marc Andreessen once said, “software is eating the world”, however, there is not much it can eat unless it can actually execute — let’s make sure that legit software can run.

Source: VirusTotal

The Importance of Website Backups

Imagine waking up in the morning to see that a couple of calls were missed and your email is overloaded with messages saying that your website is down. You go to your computer to check your server and it’s working fine – but oh no, all your files are deleted from the database. What would you do?

Backing up everything may seem a boring task, however, website backups can be a life saver.

Continue reading The Importance of Website Backups at Sucuri Blog.

Source: Sucuri check

How to Improve Website Resilience for DDoS Attacks – Part I

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are unforgiving. They test the limits of your web server and application resources by sending spikes of fake traffic to your website. It is also notoriously difficult to conduct forensics on a DDoS attack, which makes the source of the attack a mystery.

DDoS attacks are getting cheaper, more sophisticated and more readily accessible every day. As a result, they have become an instrument of war for both commercial and political purposes.

Continue reading How to Improve Website Resilience for DDoS Attacks – Part I at Sucuri Blog.

Source: Sucuri check

INPS_DE Blacklist Offline

The INPS_DE blacklist, operated out of Germany, recently decided to shut down its blacklist service due to changes in regulations. As such, we have temporarily removed it from our blacklist monitoring services. If the operator decides to reinstate the blacklist database, we will re-evaluate its inclusion in our monitoring.

Notice of blacklist database termination from the blacklist operator:

For more than 10 years I, Christian Jung, have been working with passion and enthusiasm on the inps.de DNSBL and the inps.de DNSWL. I wanted to work on these projects, which have been very well received, to make the internet a little bit better and to be a small part of it.

The protection of data has always played a significant role in development. However, the entry into force of the General Data Protection Regulation (DSGVO) on 25.05.2018 has created massive uncertainty, and with the means available to me I simply cannot afford, at the present time, the legal advice that would provide the necessary clarity.

For this reason, I have decided with a heavy heart to put the inps.de DNSBL “on ice” for the time being and to offer it to the public again only when there is clarity in this respect. My DNS servers will deliver an empty zone, so that all previously listed IP addresses are no longer reported to the outside. I thank from the bottom of my heart all those who have supported my projects so energetically in past years. Without this support the hit rate would be far from as good.

Source: MXtoolbox

How APIs Can Streamline Your Operations

Day-to-day operations can present many challenges. Whether you’re wearing multiple hats within the same department or a project lead managing dozens, even hundreds of web applications – time is always the concern.

How late do I need to stay up tonight?
How much longer will this take? What did I miss?

I’ve heard this communicated a number of different ways, but the one takeaway is that leveraging APIs is invaluable to your everyday workflow when working with third-party vendors.

Continue reading How APIs Can Streamline Your Operations at Sucuri Blog.

Source: Sucuri check

Sectoor Exitnodes possibly shutting down

Update: We have shut down blacklist monitoring on Sectoor Exitnodes as this blacklist is in fact currently offline.

Earlier today we detected abnormal behavior from the blacklist Sectoor Exitnodes. Its domain registration expired recently, and its blacklist database is now showing signs that it may be going offline.

We are monitoring this situation and will update this post once more details are available.

Source: MXtoolbox

Multisandbox project welcomes Dr.Web vxCube

The multisandbox project keeps growing. Shortly after the integration of Tencent Habo, VirusTotal Droidy and Cyber adAPT ApkRecon, we are now welcoming Dr.Web vxCube. What is most exciting about this integration is that it not only runs executables, but also opens documents with potentially vulnerable software in order to spot exploits and characterize dropped malicious payloads.

In their own words:
Dr.Web vxCube was born inside Doctor Web Anti-Virus Laboratory. It is a hypervisor-based sandbox that uses agentless technology to analyze malware inside the operating system. It works incredibly fast and invisibly to the analyzed sample. Dr.Web vxCube offers comprehensive but intuitive reports containing information about the sample’s behavior, created files and dumps, process graph, API log and network activity map. We are happy to bring our expertise to the VirusTotal community.

The following report examples highlight how useful this new integration is:

The following ones are particularly interesting, as they exemplify how Dr.Web vxCube is able to spot exploitation triggered when opening a document, specifically exploitation of CVE-2017-11882:

Make sure you also open the detailed report:

This will open a far more insightful HTML report capturing fine-grained execution details that are presented in aggregate in the summarized behavior tab, or perhaps not included there at all:

Behavior information is essential when diving into investigations, because it allows analysts to pivot on certain indicators of compromise and discover other malicious files and network infrastructure related to the same campaign or attacker group. For instance, if we focus on the first CVE-2017-11882 file and open it in VirusTotal Graph:

We can immediately get a sense of the file indeed being malicious (due to its connection to malicious items) but we may also easily discover the network infrastructure used by it, and most importantly, we get to see other malware served by that very same network infrastructure, without having to follow a huge amount of report links:

And this is precisely how we discover some of the deception techniques used by the attackers behind this particular threat. The exploiting document communicates with a-dce.com, as do 3 other samples. By investigating these in VirusTotal Intelligence, we see that some of those files were spotted as attachments in spam emails uploaded to VirusTotal; we can read the body of these messages and discover how they trick users into downloading and opening the exploiting document:

Fake purchase orders and invoices remain a common, simple bait that induces users to execute malware. Having reached this point, it would be a good moment to build a YARA rule to detect variants of this malware family and set it up in Malware Hunting, in order to discover new threats created by the very same group and keep expanding the investigation graph.

We hope you find this new sandbox as exciting as we do. We already have more integrations in the pipeline and we are certain this will heavily contribute to identifying new threats and strengthening anti-malware defenses worldwide.

If you have a sandbox setup or develop dynamic malware analysis systems please contact us to join this effort.

Source: VirusTotal