Category : Spyware/Malware

Undetected Hacker Group Spying Since 2011…


Strider hackers reference the all-seeing eye of Sauron in their ‘nation-state level’ malware, which has been used to steal files from organisations across the globe. The previously unknown hacker group, ‘Strider’, has just been discovered by cyber-security researchers at Symantec. Apparently the group has aimed its malware at targets that would be of potential interest to a nation state’s intelligence services. The Remsec malware is mainly targeting organisations in Russia, however the group has also infected airline systems in China, an embassy in Belgium, and a large organisation in Sweden, whose name could not be confirmed. The malware is designed to infect a system and open a backdoor through which it logs keystrokes and steals files.


The malware has been in operation since October 2011, but avoided detection by the majority of antivirus systems for nearly five years. Only 36 infections have been reported in those five years, but the stealth and capability of the malware are rather unsettling. The components that make up Remsec are built as “BLOBs” (Binary Large Objects), collections of binary data that are often difficult for antivirus software to detect. The malware is deployed across a network rather than stored on disk, which makes it even harder to detect.

A deeper look into the modules of the malware found that they are written in the Lua programming language. This embedded scripting language is used to perform various functions and processes. In the case of Remsec, these functions include key logging, and the code contains references to the all-seeing eye of Sauron from The Lord of the Rings. The use of Lua modules leads security researchers to believe that Strider may have connections to the Flamer hacking group, known for using this type of programming in its malware. Another lead could be a connection to the infamous Regin malware: one of the victims of the Remsec malware had also been a victim of Regin. That poor machine!


The nature of the malware, combined with the quality of its coding, leads security researchers to believe that the Strider group is highly proficient technically in the development of malicious software, and could very well escalate to a nation-state level attacker.






If you would like to educate yourself in more detail about the information presented in this blog post please visit :

Ransomware – Never too late to negotiate


Researchers claim that ransomware campaigns are usually willing to negotiate these days.

“Cybersecurity firm F-Secure released a new report, “Evaluating the Customer Journey of Crypto-Ransomware and the Paradox Behind It,” which claims that three out of four ransomware criminal gangs were willing to negotiate the ransom fee.” – Charlie Osborne, writer for ZDNet.

By creating a fake account, researchers were able to negotiate with hackers and even receive up to a 30 percent “discount” from their ransom. This changes what we already know about ransomware. Often when ransomware takes hold, a deadline for payment is put in place, creating a sense of urgency and stress for the victim. Hackers want you to pay as quickly as possible, and often place a lingering threat of further file deletion if payment is not made in a timely fashion. F-Secure states that this is not exactly true, and that ransomware deadlines are more flexible than the average victim is aware of. As the fake account proved, each cyber attacker contacted by the fake victims offered deadline extensions for payment. Remember, this is for payment, not for letting victims off without file deletion.

F-Secure believes hackers are interested in establishing trust between victim and hacker to ensure they receive payment in some form. Hackers don’t necessarily care about the files lost, but are willing to work with you, purely for payment purposes. Begging and pleading still won’t get you much more than that.

As always, taking steps to stay secure is the best practice for avoiding ransomware. Negotiating is now on the table, but the reward is small compared to avoiding the malware altogether.



If you would like to educate yourself in more detail about the information presented in this blog post please visit : 

Webcam Malware aimed at company employees


Many working employees face a new threat, as the newest form of malware is aimed at webcams in the workplace. The new malware is used to record employees’ private moments in order to extort information out of them later. Sounds like everyone’s worst nightmare. The malware is called Delilah, a sweet-sounding name for something so morally compromising. Delilah is the world’s first insider-threat Trojan. It allows operators to capture sensitive and compromising footage of victims, which is then used to pressure them into leaking important company secrets. The malware is being delivered via multiple popular adult and gaming sites. Thus far it is not clear whether any engineering or software vulnerabilities are the source of the installed malware. The bot comes with a social engineering plug-in that connects to the webcam, so you never know you are being filmed. The attackers use encrypted channels to communicate with victims. The bot itself needs a high level of management from a human operator to know who to recruit and who can be scammed effectively. Once installed, the bot seeks to gather as much personal information about the candidate as possible, in order to bully the victim into complying with the attackers’ requests. This can extend to information about family and friends as well. At the moment, not much has been established about how to check for the malware. All that is known is that the bot is still buggy, and that because of the number of screenshots it takes, it often makes the screen freeze momentarily.

As security researchers look into this type of malware, more preventative information should follow.



If you would like to learn more about the information presented in this blog post please visit :

Mac Malware blocked if you fix this simple Setting


In the last week two different types of OS X malware made their debut and it has Mac users biting their nails about the possibility of an unprotected Mac. Backdoor.MAC.Eleanor and OSX/Keydnap, the two newest Mac malware, are both blocked from execution if managed with the appropriate Mac settings.

As MacWorld points out, with some malware there is little that can be blamed on the user. Software that leverages vulnerabilities in the operating system to install without verification, or that has the ability to mask itself as an application it really is not, is usually to blame. But how easy is it to really spot this in the act? Most of us can’t, and have to rely on the operating system or on researchers to find out about the malware, and by that time who knows what’s happening on the device.

Backdoor.MAC.Eleanor is a Trojan horse distributed under the name EasyDoc Converter. Masquerading as a file converter application on reputable websites that offer Mac software, it leads users to think they are downloading useful Mac software when really they are in for a big surprise. This is the time when I advise you, the user, to be careful when downloading software from sites that are not the direct developer’s. Nowadays many download sites package software inside installers that also install adware or other unwanted apps. The distribution vector of the OSX/Keydnap malware is unknown. We do know that it arrives in the form of a ZIP archive that has to be extracted, with the file inside double-clicked.

OK, the goods. Unsigned apps can only launch in one of two ways: either by right-clicking the app after it is downloaded, selecting Open from the contextual menu, and agreeing to launch the app even though it is unsigned; or if the Security & Privacy system preference pane’s General tab has Allow Apps Downloaded From set to Anywhere. This should be changed to Mac App Store and Identified Developers. In the new macOS Sierra, this won’t be a problem, as the Anywhere option has been removed for this very reason. Remember, Backdoor.MAC.Eleanor and OSX/Keydnap will be blocked if these settings are in place, so even if you mess up and don’t take any of my advice to heart, your Mac will still be safe.



If you would like to educate yourself in more detail about the information presented in this post, please visit :

D-Link Security Flaw Leaves 414,949 Devices Totally Exposed


A security vulnerability has come to light in D-Link networked products. This vulnerability allows someone with hacking knowledge to easily overwrite administrator passwords in home Wi-Fi cameras. The remote code execution flaw makes it easy to access devices, add new users with admin access to the interface, download malicious firmware, or reconfigure products. Basically, the owner loses all control without ever knowing it.

The Senrio research team reported that the vulnerability lies within the latest firmware update issued for the D-Link DCS-930L Network Cloud Camera. The flaw is a stack overflow in the DCP service, which listens for commands on port 5978.

“The vulnerable function copies data from an incoming string to a stack buffer, overwriting the return address of the function,” Senrio says.

“This vulnerability can be exploited with a single command which contains custom assembly code and a string crafted to exercise the overflow. The function first copies the assembly code to a hard-set, executable, address. Next, the command triggers the stack overflow and sets the value of the function’s return address to the address of the attacker’s assembly code.”

At the moment 5 of the cameras in the D-Link product line are vulnerable to this flaw. Using the Internet of Things search engine, it is estimated that 414,949 devices are open to attack. Over 120 products are recorded as open, including routers, modems, access points, and storage products. According to Senrio, the vulnerability points toward a larger issue of poorly written firmware components used in cheap Systems on Chips (SoCs).

Senrio goes on to say: “Adoption [of IoT devices] is driven by business rationale but the security exposure is often overlooked. The techniques used to find the WiFi Camera vulnerability are also used to identify vulnerabilities in medical and industrial devices used in hospitals, nuclear power plants, and factories. And often those devices receive just as little security scrutiny as this webcam.”

D-Link said it will be coming up with a patch soon, and that older D-Link models will need to be pulled from the Internet altogether, or the owners of those devices will need to accept the risk.


If you would like to educate yourself in more detail about the information presented in this blog post please visit :

Mobile Ransomware Targeting Androids



Mobile ransomware is somewhat less common than ransomware on networks or machines, but the numbers are starting to climb. Security firm Kaspersky Lab reports four times as many users infected with mobile ransomware this year compared to last. In April 2015, 35,413 users were affected, while in March 2016 that number increased dramatically to 136,532. The largest mobile ransomware family detected is called Fusob, which has been responsible for 56 percent of the attacks during the past year, targeting Android users.

Fusob hides itself as a multimedia player called xxxPlayer…you can guess where this lies on the internet… and once downloaded, Fusob blocks all user access to the device. Users are asked to pay in iTunes gift cards ranging between $100 and $200. Compared to the high demands of ransomware in the enterprise, these amounts sound like pennies. But to the user, that’s a hefty price to pay to regain control of a device you should never have lost control of in the first place.

Interestingly, Kaspersky notes that much of the mobile ransomware out there right now does not actually encrypt any information on the user’s device. As most smartphone users back up to the cloud, there is no real point for hackers to actually encrypt the device. Instead, hackers block access to applications so that users are locked out of the apps and will not be able to use the phone until they pay.

Android users, be extra careful out there!!



To learn more about the information presented in this blog post, please visit :

Millions of stolen health records up for sale….


The seller of these ten million health records goes by ‘thedarkoverlord’ and began listing the data last weekend. The seller claims the data reveals over 9.2 million health insurance records from US patients and is on sale for 750 bitcoins, a rate of $486,000 when released Monday. The data also supposedly includes addresses, names, emails, phone numbers, dates of birth, and, most unnerving, social security numbers.

A little bit of research by ZDNet reports that the seller’s ad could not be authenticated, because the seller did not have any points assigned to his name on the site on which he is selling the $486,000 worth of data. This means that this seller has just popped onto the scene and is most certainly new to the website. Another site, Motherboard, has contacted some of the users, who were able to confirm that the data in a received sample was in fact theirs. The hacker revealed how the data was uncovered, attributing the theft to exploitation of a disclosed zero-day flaw in the remote desktop protocol (RDP). This flaw allows a user to remotely view another user’s desktop, which opens a host of security problems, as you can see, most likely due to poor configuration of remote desktop software. The hacker even said in one of his listings that the data was stored on an “accessible internal network”, in plaintext, which, if true, would be a direct violation of federal healthcare privacy rules. Healthcare providers and hospitals have repeatedly been the target of attack this year, so it is no surprise that the influx of data up for sale by hackers is patient data.



If you would like to learn more about the information presented in this post, please visit :



5 Ways to Spy a Hacker in Your Network


1. Search for the telltale signs of a breach. 

Port scans? Excessive failed log-ins? When hackers infiltrate an unfamiliar network they need to learn its topology, looking for vulnerable points of access on servers. From there they can pinpoint administrative users and data stores.

2. Look for a “normal” user performing administrative tasks. 

By using native tools on computers and servers, hackers can stay under the radar for much longer than if they were to use known attack tools. Anti-virus software should pick up on malware and attack tools, but not on normal administrative tools. Determining who the admins within the organization are can significantly lessen the worry. Active Directory aids in establishing user roles and privileges, which you can then use to see the applications and devices used by administrators or managed by administrators. Awareness of what the administrators within the organization are using should make it easier to spot when an attacker is looming in the background. If a hacker takes control of an administrator machine and begins performing tasks, you’ll be able to identify whether this is normal or suspect activity.

3. Look for a device using multiple accounts and credentials to access network resources. 

Hackers, both internal and external, generally steal user account information or generate fake accounts in order to gain access to the network. In order to spot indicative markers of attack activity, analyze credential usage. Make sure to monitor network traffic and analyze logs from the authentication and authorization infrastructure in your network. Extract the data and look carefully at how many systems each user interacts with, and monitor for abnormalities.

4. Look for an attacker trying to find valuable data in file servers. 

By figuring out which Windows file shares are accessible, attackers hunt for important data such as intellectual property and banking information, or once they find important data they encrypt it and the rest is history. A valuable signal is abnormalities in file share access. This is a preventative measure for spotting both hackers and employees considering insider theft.

5. Look for the command and control activity or persistent access mechanisms. 

Keep an eye on outbound communication. Attackers need to be able to communicate between the Internet and endpoints they control within your network. There could be malware and Remote Access Trojans in your network, so be mindful of indications of malicious software phoning home.
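As an added example (not from the original post or the article it summarises), here is a small Python check that applies signs 1 and 3 above to a constructed authentication log: it flags source hosts with excessive failed log-ins, devices presenting many different accounts, and accounts reaching many systems. The five-field log format, thresholds and host names are assumptions made for this example.

```python
"""Detection checks over an authentication log, covering signs 1 and 3.
Log format is constructed for this example (not a real product format):
"<time> <src_host> <user> <target> <ok|fail>"."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

class AuthEvent(NamedTuple):
    time: str
    src_host: str
    user: str
    target: str
    success: bool

def parse_auth_log(lines: List[str]) -> List[AuthEvent]:
    """Parse the constructed five-field log lines; skip blank or malformed ones."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[4] not in ("ok", "fail"):
            continue  # malformed line: ignore rather than abort the whole run
        events.append(AuthEvent(parts[0], parts[1], parts[2], parts[3], parts[4] == "ok"))
    return events

def excessive_failed_logins(events, threshold=5) -> Dict[str, int]:
    """Sign 1: source hosts with at least `threshold` failed log-ins."""
    fails = defaultdict(int)
    for e in events:
        if not e.success:
            fails[e.src_host] += 1
    return {h: n for h, n in fails.items() if n >= threshold}

def hosts_using_many_accounts(events, threshold=3) -> Dict[str, Set[str]]:
    """Sign 3: one device presenting credentials for several different accounts."""
    accounts = defaultdict(set)
    for e in events:
        accounts[e.src_host].add(e.user)
    return {h: u for h, u in accounts.items() if len(u) >= threshold}

def users_on_many_systems(events, threshold=3) -> Dict[str, Set[str]]:
    """Sign 3: an account that successfully reached an unusual number of systems."""
    systems = defaultdict(set)
    for e in events:
        if e.success:
            systems[e.user].add(e.target)
    return {u: s for u, s in systems.items() if len(s) >= threshold}

# Constructed sample: ordinary activity from ws-12 and ws-40, plus a suspicious
# host ws-77 that fails repeatedly, then cycles through several accounts and
# uses "svc_backup" to reach many servers. One junk line tests the parser.
SAMPLE_LOG = """
09:00:01 ws-12 alice fileserver1 ok
09:01:10 ws-40 bob mail1 ok
09:02:00 ws-77 alice fileserver1 fail
09:02:01 ws-77 alice fileserver1 fail
09:02:02 ws-77 alice fileserver1 fail
09:02:03 ws-77 alice fileserver1 fail
09:02:04 ws-77 alice fileserver1 fail
09:05:00 ws-77 bob fileserver1 ok
09:06:00 ws-77 svc_backup fileserver1 ok
09:06:30 ws-77 svc_backup db1 ok
09:07:00 ws-77 svc_backup dc1 ok
09:08:00 ws-77 carol hr-share ok
garbage line that should be skipped
""".strip().splitlines()

def run_checks(lines=SAMPLE_LOG):
    """Run all three checks and return the findings as one dict."""
    events = parse_auth_log(lines)
    return {
        "failed_logins": excessive_failed_logins(events),
        "multi_account_hosts": hosts_using_many_accounts(events),
        "multi_system_users": users_on_many_systems(events),
    }
```

Calling `run_checks()` on the sample flags ws-77 for both the failed log-ins and the account cycling, and svc_backup for reaching three systems; on a real log the thresholds should be tuned to the organisation's normal baseline.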




If you would like to educate yourself in more detail about the information presented in this blog post please visit: Five signs an attacker is already in your network

U.S. alone has lost $960 million to CEO Fraud



Over the past three years, victims in the United States alone have lost over $960 million to fraudulent email scams. That is nearly a billion dollars! Actually, closer to 3 billion, as FBI figures that include global data from international law enforcement and financial groups show a loss totaling $3.1 billion. Even worse, if you think about the 22,143 victims, that is a pretty hefty chunk of cash demanded of each victim.

Scammers “pretend” to be a business executive at a firm, company, or trusted supplier, and easily fool members of the organization into thinking that their claims are legitimate. I use the word pretend loosely, as not much is needed for hackers to get into character and slide by any suspicion. By hacking into email accounts within an organization, scammers are able to gain control of email and send off as many fake emails as they wish. The email may contain something mentioning a wire transfer of money. We call this type of cybercrime “CEO Fraud” and “The Supplier Swindle”. This type of crime is not limited to internal email access; some hackers choose to create fake email accounts that resemble those of the CEO or suppliers. In other cases scammers pretend to be lawyers handling confidential matters and thereby pressure the victim into giving up the cash. So far such scams have requested wire transfers to over 79 countries, and according to the FBI, the money mostly goes to banks located in China and Hong Kong.

The FBI also noted that occasionally and without warning, hackers will follow up this CEO Fraud with an attack via ransomware. In these cases victims have received emails that contain links or attachments that when clicked, begin the installation of malware on the host. If opened, data becomes unavailable and the hacker has all the power until the ransom is met, if they even decide to let up once that ransom is met.

The FBI has provided a little insight into avoiding such attacks, letting us know that these scams are planned carefully and not every company is a target. Company employees are advised to be extra careful when posting to social media, or otherwise broadcasting information. As we have all heard before, spam should not be opened and any unfamiliar emails/attachments should not be opened. The FBI also warns that any and all wire transfers should be verified with phone calls between parties. Not a

There are ways to ward off the danger, although the advice doesn’t leave us feeling totally secure. The FBI said the scammers study their targets carefully, so company employees should be careful about what professional details they post to social media. Spam should never be opened, and any wire transfers should be verified with telephone calls between the subjects. It has been shown that at least 31 percent of the time the scammers use an account pretending to be the CEO, so keep that in mind.



If you would like to educate yourself in more detail about the information presented in this blog post please visit: Companies pay out billions to fake-CEO email scams

Windows 10 – Taking Tricks from Malware



Microsoft has been long pushing its users to jump aboard the Windows 10 train. But have they crossed the line?

Tech writer for Computer World, Preston Gralla, explains how Windows 10 took over his wife’s computer, installing the Windows 10 update without her permission. Gralla was understandably skeptical when his wife came into his office frustrated with Microsoft and complaining about the new update. How could the largest software platform, installed on PCs and laptops alike, just blatantly ignore a user’s preferences and install new software without permission?

Microsoft has been aggressive in its attempts to get users to upgrade to Windows 10 before July 29th. Pop-ups began to appear on user computers urging them to update, but the action could be easily blocked with a quick click of the X in the pop-up window. Sounds just like any other pop-up, easy enough to understand. It started when Microsoft began quietly downloading the bits needed for the Windows 10 upgrade without telling users. Then this spring, Microsoft took it one step further. Changing everything we users know to be true about the X button in the upper right corner of any pop-up, Microsoft flipped the script. When the upgrade app appeared on user screens, and a user decided to click the X in the top right corner to avoid the installation, Microsoft did the exact opposite of what the user intended, taking a NO for a YES and installing Windows 10 on the user’s PC. Extremely frustrating to anyone thinking they had just avoided that action.

As Computer World’s Gregg Keizer points out, Microsoft violated its own recommended policy by changing this action in its upgrade app. Microsoft advises developers to keep the action of clicking the X to close a dialog box and halt any action the box might take. Microsoft writes on its design guidelines website, “The Close button on the title bar should have the same effect as the Cancel or Close button within the dialog box. Never give it the same effect as OK.” Well, what the bleep, Microsoft. You did exactly what you advise others not to do, giving the action of clicking X the same effect as OK.

Preston Gralla points out the painful resemblance of Microsoft’s shady acts to those of malware. Microsoft’s document “How to prevent and remove viruses and other malware” warns never to click Agree or OK to close a window suspected to be spyware. Instead, Microsoft advises clicking the red X in the corner of the window or pressing Alt+F4 to close it. Hm. Even more ironic, Microsoft defines spyware as follows: “Spyware can install on your computer without your knowledge. These programs can change your computer’s configuration or collect advertising data and personal information.”

Well Microsoft, let’s make a list.

  • The Windows 10 upgrade downloads bits onto a user’s PC without permission or knowledge.
  • Changes a user’s computer configuration to meet the agenda of Microsoft.
  • By default, Windows 10 collects advertising data and personal information.
  • If a user tries to stop the Windows 10 upgrade by doing exactly what Microsoft advises users to do with any other application, clicking the X in the right corner of the dialog box, the upgrade installs anyway!

If these tricks were tried by any other company, especially with malicious intent, I would be writing a blog post about a new form of malware. It appears Microsoft has taken notice of the aggressive push of malware and tailored a few of these features to benefit the push of the latest Windows 10. Not even Microsoft can advise users and developers to do one thing and then employ the complete opposite when it is to their benefit; eventually one of us is going to realize something fishy is going on. Windows 10 is not malware, and upgrading isn’t going to crash your computer or hold your data hostage. However, being upgraded to a new operating system is a lengthy installation that can have significant consequences for the user. Some applications may no longer work with the new OS, the lengthy installation means time taken away from the work day, and learning a new OS is not particularly thrilling to most of the population. Not to mention the violated feeling most will endure when they find out Microsoft ignored their preferences and installed the upgrade anyway.

Take your own advice Microsoft.



If you would like to educate yourself in more detail about the information presented in this blog post please visit: How Windows 10 Became Malware