This Android Monero miner demands admin privileges

Description

Crypto miners have been rampant on Android devices for the last few months. Compared to ransomware, miners are believed to be more lucrative because they generate revenue quickly and quietly. The SonicWall Capture Labs Threat Research Team observed yet another malicious Android Monero miner that mines in the background without the victim's knowledge.

Infection Cycle:

The app requests the following permissions in its manifest:

  • Internet (INTERNET)
  • Read phone state (READ_PHONE_STATE)
  • Access network state (ACCESS_NETWORK_STATE)
  • Receive boot completed (RECEIVE_BOOT_COMPLETED), which lets it restart mining after every reboot
  • Wake lock (WAKE_LOCK), which keeps the CPU running while the screen is off
  • Write external storage (WRITE_EXTERNAL_STORAGE)

The app installs without an icon in the app drawer. On first start it requests device administrator privileges. This matters because Android will not uninstall an app while it is an active device administrator, so the victim has to deactivate the administrator before the app can be removed.

If the privileges are not granted, the malware re-opens the request screen in a loop until the victim gives in.

Once the privileges are granted, the app starts mining Monero in the background. Nothing is shown to the victim, but CPU utilization climbs to almost 100%.

The native miner components are bundled in the APK's lib folder.

Smartphones heat up when CPU-intensive work runs for a long time, and mining is exactly that kind of work. We have recently seen a number of Android malware families that use the processing power of infected devices to mine cryptocurrency, and we have covered them in earlier blogs.

This malware is hard to remove once administrator rights have been granted: the uninstall option stays unavailable until the victim finds and deactivates the app on the device administrators screen in Settings, and the malware's repeated admin prompts get in the way. Where USB debugging is available, the device administrator can also be removed from a workstation with adb (dpm remove-active-admin, followed by the app's admin receiver component).

We found the following hardcoded Monero wallet addresses in the samples we analyzed:

  • 49Bq2bFsvJFAe11SgAZQZjZRn6rE2CXHz4tkoomgx4pZhkJVSUmUHT4ixRWdGX8z2cgJeftiyTEK1U1DW7mEZS8E4dF5hkn
  • 43QGgipcHvNLBX3nunZLwVQpF6VbobmGcQKzXzQ5xMfJgzfRBzfXcJHX1tUHcKPm9bcjubrzKqTm69JbQSL4B3f6E3mNCbU

Pool statistics for both wallets can be viewed on supportxmr.com; snippets for each address are shown below:

  • 49Bq2bFsvJFAe11SgAZQZjZRn6rE2CXHz4tkoomgx4pZhkJVSUmUHT4ixRWdGX8z2cgJeftiyTEK1U1DW7mEZS8E4dF5hkn

  • 43QGgipcHvNLBX3nunZLwVQpF6VbobmGcQKzXzQ5xMfJgzfRBzfXcJHX1tUHcKPm9bcjubrzKqTm69JbQSL4B3f6E3mNCbU

Currently Monero (XMR) trades for $167.05 per XMR as of April 10, 2018.
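The wallet addresses above are the most durable indicator in these samples, because the operator cannot change where the pool pays out without shipping a new build. The following Python script is an added example, not code from the original report or from SonicWall: it pulls every 95-character base58 string out of a file (or out of every member of an APK, including the native libraries under lib/), decodes Monero's block-wise base58 and keeps only strings whose network byte marks a mainnet address, and also looks for a short list of assumed pool markers (supportxmr.com comes from the report; stratum+tcp:// and cryptonight are general assumptions about 2018-era Monero miners). The sample bytes at the bottom are constructed for the example, with the two wallets from the report embedded in them.

```python
"""Hunt for hard-coded Monero wallet addresses and mining-pool strings in an APK."""
import re
import zipfile

# Base58 alphabet shared by Bitcoin and Monero (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_INDEX = {c: i for i, c in enumerate(B58_ALPHABET)}

# Monero base58 works on 8-byte blocks (11 chars each); the trailing partial
# block is encoded with this byte-length -> char-length table.
ENCODED_BLOCK_SIZES = [0, 2, 3, 5, 6, 7, 9, 10, 11]
BLOCK_CHARS = 11

# First byte of a decoded Monero mainnet address.
MAINNET_PREFIXES = {18: "standard", 42: "subaddress"}

# A standard address or subaddress is 95 base58 chars = 69 bytes:
# 1 network byte + 32-byte spend key + 32-byte view key + 4-byte checksum.
ADDRESS_RE = re.compile(rb"(?<![1-9A-HJ-NP-Za-km-z])[1-9A-HJ-NP-Za-km-z]{95}(?![1-9A-HJ-NP-Za-km-z])")

# Assumed pool markers: supportxmr.com is named in the report; stratum is the
# protocol Monero pools speak; cryptonight is the PoW family miners of that era used.
MINING_MARKERS = (b"supportxmr.com", b"stratum+tcp://", b"cryptonight")


def monero_b58_decode(text):
    """Decode Monero's block-wise base58; return bytes, or None if malformed."""
    out = bytearray()
    for start in range(0, len(text), BLOCK_CHARS):
        block = text[start:start + BLOCK_CHARS]
        if len(block) not in ENCODED_BLOCK_SIZES:
            return None
        nbytes = ENCODED_BLOCK_SIZES.index(len(block))
        value = 0
        for ch in block:
            if ch not in B58_INDEX:
                return None
            value = value * 58 + B58_INDEX[ch]
        if value >> (8 * nbytes):
            return None  # block does not fit its byte width: not a valid encoding
        out += value.to_bytes(nbytes, "big")
    return bytes(out)


def classify_address(addr):
    """Return 'standard'/'subaddress' for a Monero mainnet address, else None.
    The 4-byte checksum is not verified: it is Keccak-256, which hashlib lacks
    (sha3_256 uses different padding), so treat a hit as a lead to confirm."""
    raw = monero_b58_decode(addr)
    if raw is None or len(raw) != 69:
        return None
    return MAINNET_PREFIXES.get(raw[0])


def find_monero_addresses(data):
    """Return [(address, kind)] for every distinct mainnet address found in data."""
    found = {}
    for match in ADDRESS_RE.finditer(data):
        addr = match.group(0).decode("ascii")
        kind = classify_address(addr)
        if kind is not None:
            found.setdefault(addr, kind)
    return list(found.items())


def scan_blob(data):
    """Addresses plus any pool markers present in one file's bytes."""
    return {
        "addresses": find_monero_addresses(data),
        "markers": [m.decode() for m in MINING_MARKERS if m in data],
    }


def scan_apk(path):
    """Scan every member of an APK (a zip): native libs in lib/, classes.dex, assets."""
    report = {}
    with zipfile.ZipFile(path) as apk:
        for name in apk.namelist():
            result = scan_blob(apk.read(name))
            if result["addresses"] or result["markers"]:
                report[name] = result
    return report


# Constructed sample standing in for the bytes of a native miner library: the two
# wallets from the report, a pool host, and a 95-char decoy that is valid base58
# but decodes to a non-mainnet network byte.
SAMPLE_BLOB = (
    b"\x7fELF\x00\x00pad\x00wallet=49Bq2bFsvJFAe11SgAZQZjZRn6rE2CXHz4tkoomgx4pZhkJVSUmUHT4ixRWdGX8z2cgJeftiyTEK1U1DW7mEZS8E4dF5hkn\x00"
    b"pool=supportxmr.com:3333\x00"
    b"43QGgipcHvNLBX3nunZLwVQpF6VbobmGcQKzXzQ5xMfJgzfRBzfXcJHX1tUHcKPm9bcjubrzKqTm69JbQSL4B3f6E3mNCbU\x00"
    b"5" + b"1" * 94 + b"\x00"
)

if __name__ == "__main__":
    for addr, kind in find_monero_addresses(SAMPLE_BLOB):
        print(kind, addr)
    print("markers:", scan_blob(SAMPLE_BLOB)["markers"])
```

The checksum is deliberately left unverified, so a hit is a lead to confirm on the pool's site rather than proof. Point scan_apk() at an APK to list which members carry addresses or pool strings; in this family the hits land in the native libraries under lib/.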

Any malware on a mobile device is dangerous, but miners carry an extra risk: they can physically damage the device. Modern smartphones pack a lot of hardware into a small package with little room to dissipate heat, and a miner keeps the CPU under sustained full load. A miner that also holds device administrator rights can keep the user locked out while it mines until the phone fails. We urge our readers to be vigilant about the apps they install on their devices.


Sonicwall Capture Labs provides protection against this threat with the following signature:

  • GAV: AndroidOS.Monerominer.MNR_2 (Trojan)

MD5 hashes of a few samples from this threat:

  • 1efa8e98f208a44a6f310c790e112b7e
  • 5177d220030ddf813b5bb05928c86585
  • 73415fbf16952894e0620b40766d9e2f
  • ef161923c7a6f99d134467ca21e34410
  • 530bd6c95c3a79c04f49880a44c348db
  • a765d2829b80d812b321c663d8d8320e
  • 642bef4824d549ac56520657a1868913
  • a13126ed31b3a7982133ff57e6f9676d
  • e24a0d6b17a9dbf0456bbf4bb93adb25
  • a0f776e61cf4ddc55c28051583fbb28e
  • c18f39c4b09e542926d728195b88e418
  • 659909c20269c630372eac4878e679ca
  • fffb8d51838af6bb742e84b8b16239bb


SonicWall Capture Cloud Platform Ushers in New Era of Threat Intelligence, Connectivity and Automation

SonicWall’s mission is to help organizations protect themselves from the growing number of cyber attacks in the fast-moving threat landscape.

There are many schools of thought on how this is best accomplished. And much of this depends on the wares of a particular vendor. But I’ve made it a priority that SonicWall helps defend networks and data in a manner that is automated, layered, intelligent, easy to use and cost-effective.

Today marks a monumental milestone in that focused effort.

This morning we proudly introduced the SonicWall Capture Cloud Platform, which tightly integrates security, management, analytics and real-time threat intelligence across our full portfolio of network, email, mobile and cloud security products. This launch includes:

  • New SonicWall Network Security Virtual (NSv) Firewalls
  • New SonicWall Web Application Firewall (WAF)
  • New SonicWall Capture Client Endpoint Protection
  • Updated SonicWall Network Security Appliance (NSa) Firewalls
  • Updated SonicOS 6.5.1

The significance of the unified and connected Capture Cloud Platform is highlighted by the escalating threat landscape. In the first quarter of 2018 alone, the average SonicWall customer faced 7,739 malware attacks, a year-over-year increase of 151 percent; 335 of these attacks were hidden using SSL/TLS encryption.

The SonicWall Capture Cloud Platform also identified more than 49,800 new attack variants in the first quarter, with the new SonicWall Real-Time Deep Memory Inspection (RTDMI) identifying 3,500 never-before-seen variants. The numbers are alarming. The threats continue to grow. And it's the reason I promise that SonicWall teams around the world are dedicated to ensuring our customers are protected from today's most malicious cyber threats, both known and unknown.

Here’s a helpful rundown of the new products we are proud to announce today under the SonicWall Capture Cloud Platform:

New NSv Virtual Firewalls

SonicWall Network Security virtual (NSv) firewalls protect all critical components of private and public cloud environments. SonicWall NSv virtual firewalls deliver the security advantages of a physical firewall with the operational and economic benefits of virtualization, including system scalability and agility, speed of system provisioning, simple management and cost reduction.

> Go to NSv Virtual Firewalls

New Web Application Firewalls

The new SonicWall Web Application Firewall (WAF) delivers defense-in-depth capabilities to protect web applications running in private, public or hybrid cloud environments.

The SonicWall WAF behavior-based detection engine learns, interrogates and baselines regular web application usage behaviors and identifies anomalies that may be indicative of attempts to compromise the application, steal data and/or cause a denial-of-service.

> Go to SonicWall WAFs

New SonicWall Capture Client

The new SonicWall Capture Client extends an organization’s ability to defend endpoint devices that connect and interact with its networks, applications and data.

Capture Client is a unified client platform that delivers multiple endpoint protection capabilities, including next-generation malware protection and support for visibility into encrypted traffic. It leverages layered protection technologies, comprehensive reporting and enforcement for endpoint protection, and also offers critical ‘rollback’ capabilities via SentinelOne integration.

> Go to Capture Client

New SonicWall NSa Firewalls

The new SonicWall NSa 3650, 4650 and 5650 next-generation firewalls continue the evolution of SonicWall’s vision for a deeper level of network security without a performance penalty.

Built on a multi-core hardware architecture featuring 10-GbE and 2.5-GbE interfaces, the NSa series scales to meet the performance demands of mid-sized networks, branch offices and distributed enterprises.

> Go to NSa Firewalls

Each day this week we'll do an in-depth review of the above and how each can be leveraged to better protect your organization, networks, data and customers.

RTDMI Expanded to Protect Organizations from Malicious PDFs, Office Files

Complementing the major Capture Cloud Platform announcement, we also announced new Real-Time Deep Memory Inspection (RTDMI) capabilities that protect businesses and users from memory-based attacks and zero-day malware, including malicious PDFs and Microsoft Office documents.

Since January 1, 2018, RTDMI has identified more than 3,500 never-before-seen attack variants. First announced in February 2018, RTDMI technology is used by the SonicWall Capture Cloud Platform to identify and mitigate even the most insidious cyber threats, including memory-based attacks.

RTDMI is already operational for SonicWall customers with active subscriptions to SonicWall Capture ATP sandbox service and SonicWall Email Security solutions.

> Read the Press Release

See Real-Time Threat Intelligence

Did you know you can improve your security posture by knowing what attacks are most likely to target your organization? Visit the SonicWall Security Center to see the latest attack trends, types and volume across the world.

SonicWall Named 85th Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA)

SonicWall has recently been named the 85th Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA) by the MITRE Corporation, an international not-for-profit security institute.

What does this mean for SonicWall and the cyber security world at large? SonicWall has a new way to contribute to cyber security education and defense. The purpose of the CVE program is to provide a method and consortium for identifying vulnerabilities in a standardized manner.

SonicWall now has the authority to identify unique vulnerabilities within its products by issuing CVE IDs, publicly disclose vulnerabilities that have been newly identified, assign an ID, release vulnerability information without pre-publishing, and notify customers of other product vulnerabilities within the CNA’s program.

“This program takes us one step closer to reaching the transparency security administrators need in order to make swift and educated decisions when it comes to threat protection,” said SonicWall Chief Operating Officer Atul Dhablania in an official announcement. “SonicWall looks forward to working with MITRE in a collaborative effort to expand the arsenal of information needed to properly equip those who are being targeted or looking to strengthen their security posture.”

On a larger scale, the program is effective because an entire network of certified organizations works together, with the backing of numerous researchers and support personnel, to identify and stay ahead of emerging threats.

CVE Numbering Authorities (CNAs) are organizations that operate under the auspices of the CVE program to assign new CVE IDs to emerging vulnerabilities that affect devices and products within their scope.

The program is voluntary but the benefits are substantial, among them the opportunity to disclose a vulnerability with an already assigned CVE ID, the ability to control disclosure of vulnerability information without pre-publishing, and notification of vulnerabilities in products within the CNA's scope by researchers who request a CVE ID from the CNA.

Becoming a part of the CVE program is a chance to not only connect to a vast network of organizations working to identify cyber threats, but also to contribute to the effort as a whole.

Samba spoolss Service DoS

Description
Samba is a free software re-implementation of the SMB/CIFS networking protocol that provides file and print services to Microsoft Windows clients. A NULL pointer dereference in Samba's print service (spoolss) allows a remote denial of service against Samba 4.0.0 through 4.4.x and against the 4.5, 4.6 and 4.7 branches before 4.5.16, 4.6.14 and 4.7.6 respectively (CVE-2018-1050). The Samba advisory notes that only servers configured to run the spoolss service as an external daemon (rpc_server:spoolss = external) are affected. When the Samba daemon, smbd, handles a print server name, three functions are called in turn: RpcEnumPrinterDrivers() -> _spoolss_EnumPrinterDrivers() -> canon_servername(). The RpcEnumPrinterDrivers request is forwarded to _spoolss_EnumPrinterDrivers() for handling.


Figure 1: pname in the request

canon_servername() is then called to canonicalise pName, the print server name. Because _spoolss_EnumPrinterDrivers() does not check whether this input is NULL before passing it on, a request carrying a NULL server name causes a NULL pointer dereference and crashes the service, as shown in Figure 2. An attacker can send such a request remotely and deny service to the print spooler.


Figure 2: NULL dereference that causes the DoS

The SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13280: Samba spoolss Service DoS


LockCrypt ransomware spotted in the wild

Description

The SonicWall Capture Labs Threat Research Team receives reports of new ransomware strains and versions daily. This week we analyzed a ransomware called LockCrypt.

Infection Cycle:

Upon execution, it opens a window titled “crypt” showing its progress so far.

It sends data to a remote server, which responds with encrypted data.

It creates and executes a batch file that kills every running process not on its whitelist.

This also terminates running antivirus products and disables the Windows Security Center.

Encrypted files get an encrypted file name along with a “.lock” file extension.

It also adds the ransom note text file in every directory where files were encrypted.

It adds the following Run entry in the registry so that Notepad opens the ransom note on every reboot:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    unlock = "c:\Windows\notepad.exe" c:\ReadMe.TxT

A message box also appears with a warning before the user can log on to Windows. The user must click OK in the message box to continue logging on.

This was done by adding LegalNoticeCaption and LegalNoticeText data in the registry.

But forget about rebooting and logging on to Windows: an infected computer is unusable after a reboot, because LockCrypt also encrypts some system files.

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

SonicWall Capture Labs provides protection against this threat with the following signature:

  • GAV: LockCrypt.RSM (Trojan)

Cyber Security News & Trends – 04-06-18

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.


Special Section: 2018 SonicWall Cyber Threat Report

‘Malware-cocktail’ cyber attacks double in one year, shocking report warns — London Evening Standard

The News: The popular UK news publication highlights the shifting behavior of malware authors examined in the 2018 SonicWall Cyber Threat Report.

Quotable: SonicWall CEO Bill Conner described the attacks as a “cyber arms race affecting every government, business, organization and individual.”

Malware Attacks Up, Ransomware Attacks Down in 2017, SonicWall Reports — eWeek

The News: eWeek offers a slideshow that visually explores findings of this year’s SonicWall Cyber Threat Report.

Quotable: “There were a lot of mixed signals in the cyber security attack landscape in 2017 …”

Ransomware decreasing in quantity but increasing in potency — SecurityBrief

The News: SecurityBrief reporter Ashton Young outlines the increase in ransomware variants.

Quotable: “The risks to business, privacy and related data grow by the day — so much so that cybersecurity is outranking some of the more traditional business risks and concerns,” says SonicWall CEO Bill Conner.


Cyber Security News

A New Mirai-style Botnet is Targeting the Financial Sector – ZDNet

  • Three financial sector institutions have become the latest victims of distributed denial-of-service (DDoS) attacks in recent months in what looks like an attack by the IoTroop botnet known to target financial firms.

Cyberattack Shows Vulnerability of Gas Pipeline Network – The New York Times

  • Last week’s attack on four of the nation’s natural-gas pipeline operators that temporarily shut down computer communications with customers shines a light on the potential vulnerability of the nation’s energy system.

Iranian Hackers Breach Singapore Universities to Access Research Data — ZDNET

  • Believed to be part of last month’s attacks against global education institutions, the hackers breached 52 accounts across four Singapore universities, including NTU and NUS, to gain access to research articles.

Equifax Taps Mark Begor as CEO Following Cyber Attack That Exposed Data for 148M Consumers — USA Today

  • New Equifax CEO named. Mark Begor to lead the credit reporting giant’s bid to recover from a cyber breach that exposed the personal data of 148 million consumers.

20 Suspected Hackers Arrested Over Online Banking Fraud – ZDNet

  • On March 28, a series of arrests took place across Europe. In total, the raids resulted in the arrest of nine individuals from Romania and 11 in Italy, all of whom were remanded in custody.

In Case You Missed It


Upcoming Events & Webinars

April 25
Webinar
11 A.M. PDT
Stop Fileless Malware with SonicWall Capture Client
Register Now

April 16-20
RSA Conference
San Francisco
Moscone Center
Booth 4115, North Hall

Hackers Attack Websites with Ransomware – April 2018

Description
SonicWall Threat Research Labs recently received reports of attackers targeting websites with ransomware. The attacker uploads a malicious PHP file onto the website; this file lets the attacker encrypt the site's files and then extort money from the site's owner. Once it is uploaded, the attacker opens the ransomware in a web browser, as follows: The attacker then submits an encryption key to encrypt the site's content, with the following result:

The malware overwrites the .htaccess file with the following contents:

#Bug7sec Team
DirectoryIndex shor7cut.php
ErrorDocument 404 /shor7cut.php

This redirects the website to the file shor7cut.php.

In addition, the ransomware walks the directory tree looking for files to encrypt. Each file's contents are encrypted with PHP's mcrypt extension and the file is renamed with the .shor7cut extension. Note that mcrypt was deprecated in PHP 7.1 and removed from the core distribution in PHP 7.2, so on a current PHP build without the PECL extension the encryption routine fails, although the .htaccess overwrite does not depend on it.

Once the malware is done encrypting, it sends an email to the attacker containing the encryption key used:

Once the site owner pays the ransom, the attacker returns to the ransomware PHP page and chooses the "DeInfection" option:

Entering the appropriate key, the ransomware then restores the files:
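The three artifacts this ransomware leaves behind (the rewritten .htaccess, the shor7cut.php handler and the .shor7cut extension) are enough to sweep a web root for infection. The Python script below is an added example, not code from the original post or from the attackers' tooling: it walks a directory tree, flags .htaccess files whose DirectoryIndex or ErrorDocument directives route requests to a PHP file outside an assumed allowlist of index names (EXPECTED_INDEXES, which you should adjust for your site), and collects handler and encrypted files. build_sample_site() writes a constructed, already-infected web root into a temporary directory so the scan runs offline.

```python
"""Audit a web root for the indicators the shor7cut website ransomware leaves behind."""
import os
import re
import tempfile

# Indicators from the analysed sample.
RANSOM_EXT = ".shor7cut"
RANSOM_HANDLER = "shor7cut.php"
# Assumption: the index files a legitimate site is expected to name; adjust per site.
EXPECTED_INDEXES = {"index.php", "index.html", "index.htm"}

# DirectoryIndex and ErrorDocument lines in .htaccess (Apache directives are case-insensitive).
DIRECTIVE_RE = re.compile(r"^[ \t]*(DirectoryIndex|ErrorDocument)[ \t]+(.+?)[ \t]*$",
                          re.IGNORECASE | re.MULTILINE)


def audit_htaccess(text):
    """Return (directive, target) pairs that route requests to an unexpected PHP file."""
    findings = []
    for directive, rest in DIRECTIVE_RE.findall(text):
        targets = rest.split()
        if directive.lower() == "errordocument":
            targets = targets[1:]  # drop the HTTP status code
        for target in targets:
            if target.lower().endswith(".php") and os.path.basename(target) not in EXPECTED_INDEXES:
                findings.append((directive, target))
    return findings


def scan_webroot(root):
    """Walk a web root and collect the three indicators."""
    report = {"suspicious_htaccess": [], "encrypted_files": [], "handler_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == ".htaccess":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = audit_htaccess(fh.read())
                if findings:
                    report["suspicious_htaccess"].append((path, findings))
            elif name.lower() == RANSOM_HANDLER:
                report["handler_files"].append(path)
            elif name.lower().endswith(RANSOM_EXT):
                report["encrypted_files"].append(path)
    return report


def build_sample_site():
    """Create a constructed, already-infected web root in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    layout = {
        # the .htaccess body is the one quoted in the post
        ".htaccess": "#Bug7sec Team\nDirectoryIndex shor7cut.php\nErrorDocument 404 /shor7cut.php\n",
        "shor7cut.php": "<?php /* constructed stand-in for the ransomware handler */ ?>",
        "index.php.shor7cut": "ciphertext",
        "images/logo.png.shor7cut": "ciphertext",
        # an untouched subdirectory with a benign .htaccess, to show it is not flagged
        "blog/.htaccess": "DirectoryIndex index.php index.html\nErrorDocument 404 /404.html\n",
        "blog/index.php": "<?php echo 'ok'; ?>",
    }
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for key, items in scan_webroot(site).items():
        print(f"{key}: {len(items)}")
```

The .htaccess check is deliberately generic: a different crew will pick a different file name, but a directory index or 404 handler pointing at an unexpected PHP file is suspicious on its own, so the allowlist carries the detection rather than the string shor7cut.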

The SonicWall Threat Research Team has the following signatures to protect its customers from this type of attack:

  • GAV 17970: Ronggolawe.RSM
  • WAF 1669: Ronggolawe.RSM


SonicWall at RSA Conference 2018

The annual trek to the wind-swept hills of San Francisco is a long-standing tradition for many cyber security vendors and the packs of security pros who descend on the bay en masse. Yes, it’s already time for RSA Conference 2018.

SonicWall at RSA
April 16-19
Booth 4115, North Hall
Moscone Center
San Francisco

Not a group to break convention, SonicWall will once again be present at the Moscone Center, April 16-19, to actively discuss today's cyber security challenges and how cyber attacks impact businesses and organizations of all sizes.

We encourage you to visit us at Booth 4115 in the North Expo Hall to explore the latest in security trends, threat intelligence and powerful cyber security solutions that help protect organizations in a fast-moving cyber arms race.

The booth will also feature the new SonicWall Security Center. We’ll show cyber attacks as they happen and illustrate the importance of real-time cyber threat intelligence and how it should empower the modern cyber security strategy.

Featured Presentation — Tuesday, April 17

This year's conference will be highlighted by a presentation from John Gordineer, SonicWall's Director of Product Marketing. His cornerstone session, "The 2018 Threat Landscape: What We Learned in 2017 and What You Need to Know," will go inside SonicWall Capture Labs telemetry data from millions of sensors around the globe to provide insight into the advances being made by both security professionals and cyber criminals.

Be sure to stop into the presentation on Tuesday, April 17, at 3 p.m. PDT, in the North Hall Briefing Center.

Fake bitcoin?

What would RSA Conference be without some sort of spectacle on the expo floor? Each day at Booth 4115 we’ll have exclusive demos (more on those later), giveaways and even a magician. Yes, a magician. And he’s magnificent.

As is custom, we’ll also have SonicWall swag like power banks, webcam covers, pens, notebooks and even fake bitcoin. They do exist.

Expo Hours

Moscone Center, North Expo Hall | Booth 4115

Monday, April 16 5 p.m. – 7 p.m.
Tuesday, April 17 10 a.m. – 6 p.m.
Wednesday, April 18 10 a.m. – 6 p.m.
Thursday, April 19 10 a.m. – 3 p.m.

All Times PDT

Need help finding us? Just head to the North Hall and look for our awe-inspiring orange and black creatures. You can’t miss ‘em.

Helpful resources

Attend RSA Conference 2018 for Free

Want to experience the sights and sounds of RSA Conference 2018 but are short on cash? Use guest promo code X8SSONIC for free admission to the expo — compliments of SonicWall.