A recently discovered Android banking Trojan that features a narrow target list and two-step overlays is capable of stealing both login credentials and credit card data, ThreatFabric reports.
Dubbed Ginp and identified in October, the malware has been around since June and has seen five major updates since, with the latest bringing pieces of code copied from the Anubis banking Trojan.
Initially, Ginp was masquerading as a “Google Play Verificator” app and was focused on stealing the victim’s SMS messages. In August, it was updated with banking-specific features and started posing as fake “Adobe Flash Player” apps.
By abusing the Accessibility Service, the malware could perform overlay attacks and set itself as the default SMS app. Its generic credit card grabber targeted programs such as Google Play, Facebook, WhatsApp, Chrome, Skype, Instagram and Twitter. A third version added payload obfuscation and Snapchat and Viber to the target list.
The next version introduced code taken from Anubis — the malware’s source code was leaked earlier this year — and switched to a new overlay target list, focused on banks. It now targets 24 apps belonging to seven different Spanish banks: CaixaBank, Bankinter, Bankia, BBVA, EVO Banco, Kutxabank and Santander.
Detected this month, the most recent version of the malware brings only small modifications, including a new endpoint apparently related to downloading a module, likely with new features or configurations.
Once executed on the victim device, the malware removes its icon from the app drawer, then asks for the Accessibility Service privilege. As soon as it receives these privileges, the malware grants itself additional permissions to be able to send messages and make calls.
Based on received commands, Ginp can send or harvest SMS messages, update the command and control (C&C) URL, update the target list, request admin privileges, set itself as the default SMS app, prevent the user from disabling Accessibility Services, enable overlay attacks, get installed apps or contacts, enable call forwarding, and hide itself and prevent removal, among others.
In addition to requesting the victim’s login credentials, the malware’s overlays demand credit card details, claiming they are necessary to validate the user’s identity. Once this second step has been completed, the successfully targeted application will be ignored in future attacks.
Simple but effective, Ginp is expected to evolve, likely adding some more capabilities taken from Anubis. Within 5 months, its authors have proven they can build a Trojan from scratch and pack it with powerful capabilities.
“Ginp’s unusual target selection is not just about its focus on Spanish banks but also the wide selection of targeted apps per bank. The fact that the overlay screens are almost identical to the legitimate banking apps suggests that the actors might be very familiar with the Spanish banking applications and might even be accustomed to the language,” ThreatFabric points out.
Given that the path used in the inject requests contains the country code of the targeted institution, ThreatFabric believes that the malware author is already planning an expansion to additional countries or regions.
A recently discovered technique allows ransomware to encrypt files on Windows-based systems without being detected by existing anti-ransomware products, Nyotron security researchers warn.
Dubbed RIPlace, the technique allows malware to bypass defenses using the legacy file system “rename” operation, and the security researchers say it is effective even against systems that are kept fully patched and run modern antivirus solutions.
RIPlace, the researchers say, can be used to alter files on any computers running Windows XP or newer versions of Microsoft’s operating system.
In a detailed report covering the findings (PDF), the researchers note that most ransomware operates by opening and reading the original file, encrypting its content in memory, and then destroying the original in one of three ways: writing the encrypted content back over it, saving the encrypted file and then erasing the original, or saving the encrypted file and then using Rename to replace the original with it.
When a Rename request is called (IRP_MJ_SET_INFORMATION with FileInformationClass set to FileRenameInformation), the filter driver gets a callback.
What the researchers discovered was that, if DefineDosDevice (a legacy function that creates a symlink), is called before Rename, one could pass an arbitrary name as the device name, along with the original file path as the target to point on.
The issue, they explain, is that the filter driver’s callback function “fails to parse the destination path when using the common routine FltGetDestinationFileNameInformation.” Although an error is returned when a DosDevice path is passed, the Rename call itself still succeeds.
“Using this technique, it is possible to maliciously encrypt files and bypass antivirus/anti-ransomware products that do not properly handle IRP_MJ_SET_INFORMATION callback. We believe that malicious actors may abuse this technique in order to bypass security products that rely on FltGetDestinationFileNameInformation routine as well as avoid any recording of such activity by EDR products,” the researchers explain.
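The security-relevant point in the paragraphs above is not the rename itself but how a filter callback behaves when its destination-path parsing routine returns an error: if the callback falls through and lets the operation continue, the rename is never inspected. The following Python model is an added illustration written for this article; it is not Nyotron’s test tool or any vendor’s driver. The DosDeviceTable, the filter’s parsing behaviour (an error for any DOS-device path), the protected-extension heuristic and the three handler policies are all constructed assumptions, kept only detailed enough to show why a rename callback must fail closed or canonicalize the destination before applying its checks.

```python
"""Model of a file-system filter's rename callback and the RIPlace fail-open defect.

Added illustration written for this article; it is not Nyotron's test tool or
any vendor's driver. The device table, the filter's parsing behaviour, the
protected-extension heuristic and the three policies are constructed.
"""
from enum import Enum

DOS_PREFIX = "\\??\\"


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"


class ParseError(Exception):
    """Stands in for the destination-path parsing routine returning an error."""


class DosDeviceTable:
    """Constructed stand-in for the DOS device namespace that DefineDosDevice populates."""

    def __init__(self):
        self.links = {}

    def define(self, name, target):
        self.links[name.upper()] = target

    def follow(self, path):
        """What the I/O manager does: follow a \\??\\NAME link to its target."""
        if not path.startswith(DOS_PREFIX):
            return path
        name = path[len(DOS_PREFIX):].upper()
        if name not in self.links:
            raise FileNotFoundError(path)
        return self.links[name]


def filter_parse_destination(path):
    """Model of the common routine the article describes: in this model it does
    not handle DOS-device paths and reports an error for them (assumption)."""
    if path.startswith(DOS_PREFIX):
        raise ParseError(path)
    return path


PROTECTED_EXTENSIONS = (".docx", ".xlsx", ".pdf")  # constructed heuristic


def is_protected(path):
    return path.lower().endswith(PROTECTED_EXTENSIONS)


def rename_callback(destination, table, policy):
    """Pre-operation rename callback. Denies a rename that would replace a
    protected document.

    policy = "fail_open":    parsing error -> fall through and allow (the defect)
    policy = "fail_closed":  parsing error -> deny
    policy = "canonicalize": resolve the alias as the I/O manager would,
                             then apply the same check to the real target
    """
    try:
        target = filter_parse_destination(destination)
    except ParseError:
        if policy == "fail_open":
            return Verdict.ALLOW
        if policy == "fail_closed":
            return Verdict.DENY
        if policy == "canonicalize":
            try:
                target = table.follow(destination)
            except FileNotFoundError:
                return Verdict.DENY
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return Verdict.DENY if is_protected(target) else Verdict.ALLOW


def simulate_rename(destination, table, policy):
    """Return (verdict, path actually overwritten or None if denied)."""
    verdict = rename_callback(destination, table, policy)
    if verdict is Verdict.DENY:
        return verdict, None
    return verdict, table.follow(destination)


if __name__ == "__main__":
    table = DosDeviceTable()
    table.define("TMPLINK", "C:\\docs\\report.docx")  # constructed alias
    for policy in ("fail_open", "fail_closed", "canonicalize"):
        print(policy,
              simulate_rename("C:\\docs\\report.docx", table, policy),
              simulate_rename(DOS_PREFIX + "TMPLINK", table, policy))
```

Running the model shows the asymmetry the researchers describe: a direct rename onto the protected document is denied under every policy, while the same rename routed through the alias is allowed under “fail_open” and lands on the document the filter thought it was protecting. Either failing closed on a parsing error or canonicalizing the destination before the check closes that gap; the latter is preferable because it keeps legitimate renames through known aliases working.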
The researchers discovered the technique in spring 2019 and have been in contact with Microsoft, security vendors, and law enforcement and regulatory authorities. Unfortunately, they say only a handful of security vendors have acknowledged a fix, despite dozens being impacted.
Nyotron published two videos demonstrating how RIPlace can bypass Symantec Endpoint Protection (SEP) and Microsoft Defender Antivirus (Defender AV), and also released a free tool that allows anyone to test their system and security products against the RIPlace evasion technique.
An exposed Elasticsearch server was found to contain data on more than 1.2 billion people, Data Viper security researchers report.
The server was accessible without authentication and it contained 4 billion user accounts, spanning more than 4 terabytes of data, security researchers Bob Diachenko and Vinny Troia discovered last month.
Analysis of the data revealed that it pertained to over 1.2 billion unique individuals and that it included names, email addresses, phone numbers, and LinkedIn and Facebook profile information.
Further investigation led the researchers to the conclusion that the data came from two different data enrichment companies. Thus, the leak in fact represents data aggregated from various sources and kept up to date.
Most of the data was stored in 4 separate data indexes, labeled “PDL” and “OXY”, and the researchers discovered that the labels refer to two data aggregator and enrichment companies, namely People Data Labs and OxyData.
Analysis of the nearly 3 billion PDL user records found on the server revealed the presence of data on roughly 1.2 billion unique people, as well as 650 million unique email addresses.
Not only do these numbers fall in line with the statistics the company posted on their website, but the researchers were able to verify that the data on the server was nearly identical to the information returned by the People Data Labs API.
“The only difference being the data returned by the PDL also contained education histories. There was no education information in any of the data downloaded from the server. Everything else was exactly the same, including accounts with multiple email addresses and multiple phone numbers,” the researchers explain.
Vinny Troia also found in the leak information related to a landline phone number he was given roughly 10 years ago as part of an AT&T TV bundle. Although the landline was never used, the information was present on the researcher’s profile and was included in the data set PeopleDataLabs.com had on him.
The company told the researchers that the exposed server, which resided on Google Cloud, did not belong to it. The data, however, was clearly coming from People Data Labs.
Some of the information on the exposed Elasticsearch server, the researchers revealed, came from OxyData, although this company too denied being the owner of that server. After receiving a copy of his own user record from the company, Troia confirmed that the leaked information came from there.
The researchers couldn’t establish who was responsible for leaving the server wide open to the Internet, but suggest that this is a customer of both People Data Labs and OxyData and that the data might have been misused rather than stolen.
“Due to the sheer amount of personal information included, combined with the complexities of identifying the data owner, this has the potential to raise questions on the effectiveness of our current privacy and breach notification laws,” the researchers conclude.
“From the perspective of the people whose information was part of this dump, this doesn’t qualify as a cut-and-dry data breach. The information ‘exposed,’ is already available on LinkedIn, Facebook, GitHub, etc. begging a larger discussion about how we feel about data aggregators who compile this information and sell it, because it’s a standard practice,” Dave Farrow, senior director of information security at Barracuda Networks, told SecurityWeek in an emailed comment.
Jason Kent, hacker at Cequence Security, also commented via email, saying, “Here we see a new and potentially dangerous correlation of data like never before. […] if an attacker has a rich set of data, they can formulate very targeted attacks. The sorts of attacks that can result in knowing password recovery information, financial data, communication patterns, social structures, this is how people in power can be targeted and eventually the attack can work.”
Phoenix Keylogger Attempts to Disable More Than 80 Security Products, Exfiltrates Data Direct from Memory
The Phoenix Keylogger, operating at the cusp of keylogger and infostealer, was launched in July 2019. It is sold as malware-as-a-service (MaaS), and appears to be gaining traction in the criminal underworld.
Nocturnus, the research team from Cybereason, has researched both the Phoenix malware and its source in the dark web. It appears to have been developed by the same team that produced the short-lived Alpha keylogger, which disappeared shortly before Phoenix began to be marketed. Code similarities suggest that the two products are related.
As a MaaS product, its future in the wild will depend on its take-up by the criminal fraternity. This will depend on the efficiency of both the product and its marketing/support services. The latter seems to be progressing well. It is provided as a subscription product, with prices starting at $14.99 for a month, going up to $78.99 for a lifetime subscription.
Chatter on the dark web shows it is well received. Existing reviews include comments such as ‘extremely user friendly’, ‘the best part is the Owner is an actual human being that helps you if needed’, and ‘the best in the market right now, always giving 101% support to customers’. The combination of low cost and good support for a good product is a winning formula for any software, whether legitimate or malware.
In malware terms, Phoenix seems to be a good product. The Nocturnus researchers say it is “packed with a myriad of information-stealing features. These features extend beyond solely logging keystrokes, to the point where we are inclined to classify it as an infostealer. Its main features include a keylogger and clipboard stealer, screen capture, password theft (from various browsers, mail clients, FTP clients and chat clients), data exfiltration via SMTP, FTP or Telegram, a downloader (able to download additional malware), and anti AV, anti-debugging and anti-VM features.”
Most Phoenix infections so far seen by Cybereason have been delivered through phishing using a weaponized rich text file (RTF) or Office document employing the Equation Editor vulnerability CVE-2017-11882, rather than a malicious macro. However, since the malware is provided by the developers as a stub, delivery to the targets and method of infection will vary depending on how many criminals start to use it.
If installation is successful, Phoenix gathers system information and sends it straight back to the attacker. It does not write the data to disk, but sends it direct from memory — apparently in an attempt to maintain stealth.
Stealth and self-protection appear to be important to the Phoenix developers. Most of the critical code strings are encrypted and only decrypted in memory, while the stub is obfuscated, probably via the ConfuserEx .NET obfuscator. The developer, with the handle ‘Illusion’, recommends that his criminal users employ a third-party crypter to ‘make it FUD’ (fully undetectable).
After collecting the basic system information, Phoenix checks to see if it is running in a ‘hostile’ environment. It has a set of features to disable different Windows tools within the admin panel, like disabling CMD, the registry, task manager, system restore, and others. It also attempts to disable more than 80 security products.
Interestingly, the Nocturnus researchers point out that support for a persistence feature is not currently used in the samples it has discovered. This seems reasonable for a basic infostealer — after stealing the required information, there is little need to persist. It may, however, be something to watch in the future. Phoenix has the ability to download additional malware. Since it is a new product, it is reasonable for users to employ the mainstream capabilities of stealing information. As they become more expert in its use, it is possible that they may wish to expand into leaving additional malware via the downloader — perhaps ransomware — where it will be important to persist long enough to deliver the extra payload. In other instances, the pure keylogging capability may be the primary reason for the attack — and again the malware will need to persist long enough to catch the required keyboard entry.
Information stealing occurs from several different modules that search for specific files or registry keys that contain sensitive information. It searches 18 browsers, four mail clients (Outlook, Thunderbird, Seamonkey, and Foxmail), Filezilla (FTP), and Pidgin (chat). Exfiltration is, in current samples, mostly done by email to an attacker-controlled email account using the Phoenix SMTP feature. It could alternatively be done via FTP, or — for increased stealth — via Telegram.
The method of exfiltration is not supplied as a command from a C2 server, but is predefined by the attacker in the configuration file before compilation. “At its current stage of development,” say the researchers, “Phoenix does not seem to use a standard, interactive C2 model. Specifically, it doesn’t expect to receive commands back from the C2 server. Phoenix’s various tasks like infostealing, downloading additional malware, and spreading via USB are predefined by the operators in the configuration file before compilation.”
For now, Phoenix is primarily used as a ‘set it and forget’ type of malware. However, it is an example of malware-as-a-service. One of the advantages of this business model is that continuous development is separated from any concern over existing users and existing infrastructure, and is funded by existing sales. Put simply, MaaS products can evolve with additional capabilities and intentions, dependent only upon the expertise of the developers. Less technical users can employ its basic functions, while more experienced users can already use it as a downloader.
“Moving into 2020,” says Nocturnus, “we expect a proliferation of less-technical cybercriminals to leverage MaaS to target, steal, and harm individuals, particularly as MaaS authors add additional features to their offerings.”
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.