Never Going Trip Again

Consider following on social media!

Quick note: if you’re viewing this via email, come to the site for better viewing. Enjoy!

Scriptingthewhy, what do you mean I’ll never vacation again? I can’t do it now.
Photo by Robert Nagy, please support by following @pexel.com

After reading this, you just may never trust writing a review ever again. And you know what, we don’t blame you. It’s getting pricey just to exist. We all enjoy traveling to new places, especially with our partners.

You may have seen or shared photos of yourself or others on a romantic getaway from the kids, the job, or life in general on social media. But let’s say you visited a vacation spot and it left a sour taste in your mouth. Clearly, your next course of action is to fire up your computer and write a review.

However, you may want to hold your horses before letting that Sandals resort owner know how you really feel because not all websites are created equal or with good intentions.

We’re going to go over what kind of attack this is, who is using it, how it functions and what it does once released, and some ways you can prevent it from being the beginning of the end of your vacations.

Oh, would you look at that, someone else filed another complaint. That would hurt my business…if they were complaining on the real website.
Photo by Mikhail Nilov, please support by following @pexel.com

The Attack

We as humans have a common tendency to seek out others who align with our current or pending point of view. Sometimes when we can’t find this we may resort to posting online as a signal for someone to agree or just be wrong in their thought.

But given the growing threats in the internet landscape, it seems those days may be numbered, because malicious actors are using TripAdvisor’s complaint form as an attack vector for cyber-attacks. This may sound absurd, but like Spandau Ballet said, this much is true.

We revamped the malware and made it better. Don’t call it a comeback.
Photo by Cleber wendder Nascimento, please support by following @pexel.com

Who Can It Be Now

So, an old menace brings a new set of challenges. The group behind the Cyclops campaign revamped its malware and, in May 2023, offered Knight ransomware as RaaS (Ransomware-as-a-Service) on the RAMP hacking forum. RaaS is the practice of renting out ransomware to interested parties under different payment plans.

This was done with the intent to invite affiliates to join their scheme and share the profits from extorting victims. We’re not sure as to how many partake in this invite but it’s something to keep an eye out for.

Enjoy the read so far? Why don’t you consider subscribing so you can keep up to date?

I didn’t download a file, did I? How would I remember? I was just trying to get off the computer. 36 hours a day at work is driving me mad.
Photo by Mikhail Nilov, please support by following @pexel.com

That Sinking Feeling

So, how does something like this work? Well, we’re glad you asked. This campaign was spotted by Bleeping Computer, and after analysis they found an HTML (Hypertext Markup Language) file named “TripAdvisor-Complaint-[random].PDF.htm”. When the file is opened, a fake browser window is drawn inside the real one. This window appears to show the TripAdvisor website; however, the domain name and URL (Uniform Resource Locator) it displays are spoofed. This technique is called browser-in-the-browser (BitB).

The aim is to trick users into thinking they are on a trusted site when, in reality, the theft of their credentials is pending. What makes BitB attacks more dangerous than normal phishing, where the user is redirected to a malicious website, is that a BitB attack does not require the victim to click on any link or download a file, because the fake browser window is embedded in the HTML attachment itself. The user may not notice the difference between the real and fake browser windows unless they pay close attention to the details or have security tools in place that detect phishing attempts.

However, the fun doesn’t stop there. This particular BitB page pretends to be a submitted complaint and asks the user to review it. Clicking the “Read Complaint” button downloads an Excel XLL file named “TripAdvisor_Complaint-Possible-Suspension.xll”. This file delivers the malware payload, which encrypts files and appends the “.knight_l” extension to their names; the “l” likely stands for “lite”.

Once encryption is complete, a ransom note named “How to Restore Your Files.txt” is created in every folder on the computer. The note demands a payment of $5,000 to a listed Bitcoin address. Trust us, even if you find the means to pay the ransom, there will be no restoration of your files.
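As an added illustration (not code from the original post or from Bleeping Computer), here is a small Python triage script that applies the two tells described above to an email attachment: a double extension such as “.PDF.htm” or a bare “.xll”, and an HTML body whose displayed address does not match where its links actually go. The sample HTML and the host name lure.example are constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# File-name patterns from the campaign: a double extension that hides an HTML
# or XLL file behind ".PDF", and the XLL add-in itself.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.(html?|xll|js|exe)$", re.IGNORECASE)
RISKY_EXT = (".htm", ".html", ".xll", ".js", ".exe")

def check_name(filename):
    """Return reasons an attachment name looks like this campaign's lures."""
    reasons = []
    if DOUBLE_EXT.search(filename):
        reasons.append("double extension")
    if filename.lower().endswith(RISKY_EXT):
        reasons.append("risky extension")
    return reasons

class _Scanner(HTMLParser):
    """Collect URL-looking plain text (a drawn address bar) and real link targets."""
    def __init__(self):
        super().__init__()
        self.depth = 0          # > 0 while inside <a>...</a>
        self.shown = []         # URLs rendered as text, not as links
        self.targets = []       # hrefs and form actions the page really uses
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.depth += 1
            if a.get("href"):
                self.targets.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.targets.append(a["action"])
    def handle_endtag(self, tag):
        if tag == "a" and self.depth:
            self.depth -= 1
    def handle_data(self, data):
        if not self.depth:
            self.shown += re.findall(r"https?://[^\s\"'<>]+", data)

def check_html(html):
    """Return findings for a BitB-style HTML attachment."""
    s = _Scanner()
    s.feed(html)
    findings = []
    shown_hosts = {urlparse(u).hostname for u in s.shown}
    real_hosts = {urlparse(t).hostname for t in s.targets if t.startswith("http")}
    if shown_hosts and real_hosts - shown_hosts:
        findings.append("displayed address differs from link targets")
    for t in s.targets:
        if t.lower().endswith(".xll"):
            findings.append("link downloads an Excel XLL add-in")
    return findings

# Constructed sample modelled on the post's description; not real campaign HTML.
SAMPLE_HTML = """<html><body>
<div class="titlebar">https://www.tripadvisor.com/Complaint</div>
<p>A complaint was submitted about your listing.</p>
<a href="https://lure.example/TripAdvisor_Complaint-Possible-Suspension.xll">Read Complaint</a>
</body></html>"""

if __name__ == "__main__":
    print(check_name("TripAdvisor-Complaint-k3p9.PDF.htm"))
    print(check_html(SAMPLE_HTML))
```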

They said they revamped it and made it better, but it still looks the same to me.
Photo by Pixabay, please support by following @pexel.com

The Prevention

While reading this you probably think it’s the end of the world and that you may never go on vacation again. We’re here to tell you that is not the case. One way of protecting yourself is to familiarize yourself with the actual website. When visiting a website, make sure you look for “https” and a lock icon in your address bar, as this will ensure that not only is the site secure, but your personal information is encrypted in transit. One caveat worth knowing: a BitB page draws its own fake address bar and lock icon inside the web page, so check the address bar of your real browser window, and try dragging the suspicious window; a genuine browser window can be moved outside the page, while a fake one drawn in HTML cannot leave the page that contains it.

Some fake websites will be harder to spot since scammers are kind of clever, so they’ll be sure to come as close to mimicking the real website as possible, but a bit of mindfulness and staying up to date with your operating system and rising threat trends could safeguard you for your next vacation.

Always remember it’s better to file a complaint with the real TripAdvisor. Sure, they might not listen to you and might take your money, but it’s better than the alternative of scammers holding your data hostage with the intent to sell it for way less than that Sandals resort owner charged you.

They charged me an “existence fee”. How do you charge someone for just being in the area!?
Photo by Mikhail Nilov, please support by following @pexel.com

Made it this far and found this to be entertaining? Then a big thanks to you and please show your support by cracking a like, sharing this with whomever, scripting a comment, or plug-in to follow.

Would like to give sincere thanks to current followers and subscribers, your support and actions mean a lot and has a play in the creation of each script.

Do you feel like there is something I may have missed on Knight ransomware? Script a comment below.

Google’s Banking on More Than Apps


Gina: Why does it seem like I never have any money?
Z-Daddy: Inflation. Politics and inflation will cause that.
Photo by Andrea Piacquadio, please support by following @pexel.com

You know, it seems like everyone wants to be like Capital One and find out what’s in your wallet, and with the recent threat on the Google Play Store, they may have found just that.

Trojans are clearly not a new problem, seeing as they’ve been around since stuffing a wooden horse full of sweaty men ready to murder seemed like a good idea, but lately they have been on the rise, especially when it comes to applications for Android devices. Yes, Android community, again in danger you are.

In an effort to sort this banking madness out, we’re going to look at what kind of attack this is, who used it, how it functions and what it does once released, and some ways you can protect your bank account from shrinking due to threat actor inflation.

You ever get that feeling like your wallet is getting fisted?
Photo by Pixabay, please support by following @pexel.com

The Attack

The Google Play Store is getting hit with banking trojans, but the latest one is racking up some numbers under its belt. Banking trojans, for those who may not be familiar, are malware that tries to steal your credentials in order to gain access to your financial institution.

This one has been around since 2021 and has gone by other names such as TeaBot and Toddler, but its current name is Anatsa. What makes Anatsa interesting is that it was spotted hiding among utility apps like PDF (Portable Document Format) readers and QR (Quick Response) code scanners.

These apps are used to siphon credentials from their users. Anatsa is proving to be a large threat, targeting over 400 financial institutions across the world, which makes it the most prolific banking malware to date.

The best never get caught, kid. Never meet your heroes.
Photo by Connor Danylenko, please support by following @pexel.com

Who Can It Be Now

As with all good threat actors who use malicious software and evade detection, no single person or group has been identified as the operator of the Anatsa malware.

But it has been noted that threat actors are hiding the malware among applications for people to download in hopes of collecting their information.

This was pointed out by ThreatFabric, a firm that provides expertise and security tools to help banks mitigate fraud.


From the sewers to the main street and now into your wallet. We’re all floating to the big time Georgie.
Photo by Wilson Vitorino, please support by following @pexel.com

The Sinking Feeling

Anatsa can perform overlay attacks: it draws what looks like a legitimate window (for example, a fake Google web page) on top of the real app to trick the user into handing over sensitive information. It also steals credentials and logs user activity, and it does all of this by abusing the permissions granted to Android’s accessibility services API (Application Programming Interface).

In the latest activity, the dropper apps (trojan apps), once installed, fetch a GitHub page that points to another GitHub URL (Uniform Resource Locator) hosting the malicious payload. The payload is presented to the victim as an application add-on.

This is thought to be done using sketchy advertisements. Another thing the droppers make use of is the restricted “REQUEST_INSTALL_PACKAGES” permission, which is commonly abused by rogue apps hosted on the Google Play Store.

If you find you have any of the apps listed below, then you may have been infected.

  • All Document Reader & Editor (com.mikjaki.documentspdfreader.xlsx.csv.ppt.docs)
  • All Document Reader and Viewer (com.muchlensoka.pdfcreator)
  • PDF Reader – Edit & View PDF (lsstudio.pdfreder.powerfultool.allinonepdf.goodpdftools)
  • PDF Reader & Editor (com.proderstarler.pdfsignature) / (moh.filemanagerrespdf)

These five apps have been updated since their first publication, most likely in a sneaky attempt to smuggle in the malicious functionality after passing the app review process on first submission.

Google Play Store dropper apps have racked up over 30,000 installations to date, which indicates the official storefront is being used as a distribution channel for Anatsa. Anatsa also has a list of countries of interest, based on the number of financial applications targeted in each.
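As an added example (not ThreatFabric’s or Google’s tooling), here is a Python helper that checks an Android device for the three signals described above: the package names listed in the post, apps requesting REQUEST_INSTALL_PACKAGES, and apps with an enabled accessibility service. It reads the device through adb, which is assumed to be on PATH; the sample outputs at the bottom are constructed, not captured from a real device.

```python
import subprocess

# The five package names the post lists as Anatsa droppers.
ANATSA_PACKAGES = {
    "com.mikjaki.documentspdfreader.xlsx.csv.ppt.docs",
    "com.muchlensoka.pdfcreator",
    "lsstudio.pdfreder.powerfultool.allinonepdf.goodpdftools",
    "com.proderstarler.pdfsignature",
    "moh.filemanagerrespdf",
}
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"

def adb(*args):
    """Run 'adb shell <args>' and return its stdout (adb assumed on PATH)."""
    proc = subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True)
    return proc.stdout

def parse_package_list(text):
    """'pm list packages' prints one 'package:<name>' line per installed app."""
    return {line.split(":", 1)[1].strip() for line in text.splitlines() if line.startswith("package:")}

def known_droppers(installed):
    """Installed packages that match the post's list."""
    return sorted(installed & ANATSA_PACKAGES)

def requests_install_perm(dumpsys_text):
    """'dumpsys package <pkg>' lists requested permissions, one per line."""
    return any(INSTALL_PERM in line for line in dumpsys_text.splitlines())

def parse_accessibility_services(text):
    """The secure setting is 'pkg/Service:pkg2/Service2', or 'null' when none is enabled."""
    text = text.strip()
    if not text or text == "null":
        return []
    return [entry.split("/", 1)[0] for entry in text.split(":") if entry]

def assess(installed, dumpsys_by_pkg, accessibility_pkgs):
    """Combine the three signals into (package, reason) findings for a human to review."""
    findings = [(pkg, "listed Anatsa dropper") for pkg in known_droppers(installed)]
    for pkg, dump in sorted(dumpsys_by_pkg.items()):
        if requests_install_perm(dump):
            findings.append((pkg, "requests REQUEST_INSTALL_PACKAGES"))
    for pkg in accessibility_pkgs:
        if pkg in installed:
            findings.append((pkg, "accessibility service enabled"))
    return findings

# Constructed sample outputs for a dry run; not captured from a real device.
SAMPLE_PM = "package:com.android.chrome\npackage:com.muchlensoka.pdfcreator\n"
SAMPLE_DUMPSYS = {"com.muchlensoka.pdfcreator":
                  "  requested permissions:\n    android.permission.INTERNET\n"
                  "    android.permission.REQUEST_INSTALL_PACKAGES\n"}
SAMPLE_A11Y = "com.muchlensoka.pdfcreator/.AccService:com.android.talkback/.TalkBackService"

if __name__ == "__main__":
    installed = parse_package_list(adb("pm", "list", "packages", "-3"))  # -3: third-party apps only
    dumps = {pkg: adb("dumpsys", "package", pkg) for pkg in installed}
    a11y = parse_accessibility_services(adb("settings", "get", "secure", "enabled_accessibility_services"))
    for pkg, reason in assess(installed, dumps, a11y):
        print(f"{pkg}: {reason}")
```

An accessibility hit is only a lead: legitimate assistive apps use the same API, so the output is a review list, not a verdict.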

This latest campaign shows the threat landscape that banks and financial institutions face in today’s digital world is shaping to be a bit of a problem. Imagine what would happen if we switched to an all-digital currency.

Oh god, I have to edit and rifle through apps too. I HATE THE INTERNET!
Photo by energepic.com, please support by following @pexel.com

The Prevention

The tricky part is that, because the fraudulent transactions are made from the victim’s own device, they are proving very challenging for anti-fraud systems to spot. Some ways that may help in securing your information are reading the comments and digging through past user reviews before opting to download and install.

Be mindful when downloading from third parties that require installing from an unknown source: exercise extreme caution and scan the file before choosing to complete the installation.

Running scans and digging through comments can be a bit of a hassle but trying to quickly recover from having people leave with everything in your wallet could be more of a hassle.

Tish: Okay, so Scriptingthewhy is somewhat informative.
Dave: It’s more than you knew yesterday, I’d say they’re pretty informative.
Photo by Edmond Dantes, please support by following @pexel.com


Do you feel like there is something I may have missed on Anatsa Trojan? Script a comment below.

Hounds & The Morris Worm


What do you mean “it’s illegal to drop a toaster onto Eric’s head”?
It’s not a crime if it was for science.
Photo by Andrea Piacquadio, please support by following @pexel.com

Aside from the longing to conduct social experiments (a popular one being dropping a toaster atop your co-worker’s head to make sure gravity still works), you could say the internet has taken, and can take, us places we never thought possible.

We can go to many locations, stay in touch with people near and far, and get our digital hands on anything provided we have the coin. So, with all the good, what’s the bad? Well, the bad is, again, being able to get your digital hands on certain items, most of them questionable, if you have the coin.

I mean, it shouldn’t be that easy, but here we are. One example: someone mails you a flash drive labelled “Hot Nudes, your spouse will never know. Don’t worry.” You should worry, and never put that flash drive into your system, because your spouse will know when the computer starts acting wonky and a virus begins to run rampant on your machine and, very soon, your network. Again, five minutes of fun could have you rooted, and I’ll go over how.

I know that I am a cute dog. I do know what you want but I want you to know something. I have a particular set of teeth; I will find you… and I will bite you.
Photo by Sedat Ozdemir, please support by following @pexel.com

Capture and Release

Have you ever watched The Simpsons and heard the famous line from Mr. Burns, “Release the hounds”? If you haven’t here’s a brief overview, Mr. Burns is mainly an evil rich guy who employs Homer and a few of his friends, and when the mood strikes, he will tell his assistant Mr. Smithers to release the hounds to chase Homer off.

So, in a sense, it’s what every corporate boss wants to do but legal reasons stop them. I use this phrase because it’s symbolic of what happens after releasing a virus, or, to use its actual name, a worm. Computer worms are a subset of trojan malware that can self-replicate from one computer to another and eventually spread through a network without human intervention.

The original worm was the Morris Worm, named after Robert Tappan Morris. Robert, a student at Cornell University, created this worm with the intention of gauging the size of the internet’s precursor at the time, “ARPANET” (Advanced Research Projects Agency Network), the first public computer network, used mainly for academics and research.

However, this testing resulted in a denial-of-service (DoS) for 60,000 machines back in 1988. But the fun doesn’t stop there: United States v. Morris (1991) resulted in Morris being the first person convicted under the 1986 Computer Fraud and Abuse Act, with a nice price tag of three years in prison, 400 hours of community service, and a fine of $10,000. This may have you thinking twice about trying to view spicy pictures of kittens on your family computer.

I think I caught Covid from this one last time.
Photo by Andrea Piacquadio, please support by following @pexel.com

Vectors of Infection

A worm, how is it different from a virus? Worms, as mentioned earlier, tend to be able to self-replicate and spread throughout linked computers and then onto the network.

Viruses, on the other hand, tend to be attached to files or programs and hide until transferred elsewhere unknowingly. So if you wanted this in nightclub terms, worms are crabs and viruses are herpes.

Some of the vectors used for infection are email, file sharing, instant messaging, smartphones, and flash drives; if it’s connected to the internet in some fashion, “game over, man” could be heard from everyone on your contact list and pretty much around the world. The six degrees of separation would no longer exist if a worm were never quarantined and dealt with.


She said bring protection…girl just you wait. I got all the protection.
Photo by PhotoMIX Company, please support by following @pexel.com

Keeping safe via Updates

So, how would you be able to tell if you have a computer worm running around making its wormy babies on your PC (Personal Computer)? Some signs are files making like a deadbeat parent and just disappearing (I’m not going to single out deadbeat fathers, there are deadbeat mothers too).

Your computer begins to run slower, close to sluggish; this could be caused by the worm taking up memory as it spreads, and by a large amount of free disk space being eaten up. So at this point you may be thinking, “Wow, this sucks. I want to see spicy pictures of kittens, but I don’t want crabs.”

Well, you’re in luck, and don’t let your spouse know that Z-Daddy told you this. Some ways to prevent catching a worm, or “crabs” (Deadliest Catch, anyone?), are staying away from downloads from unknown sources, verifying with your contacts that something really was sent by them, keeping the operating system up to date, and having antivirus software that is kept up to date as well.

Morris may have created a monster that caused a decent amount of chaos, and he was the first person to get freshly smacked with the Computer Fraud and Abuse Act (CFAA), but he went on to cofound the online store Viaweb and later the funding firm Y Combinator. So every cloud has a silver lining.

Mark: So what I got from this script is that I can create a virus and open my own business.
Tina: That’s not what he meant Mark, stop skimming and actually read.
Photo by Anna Shvets, please support by following @pexel.com


Figure there’s some information I missed on computer worms? Script a comment below.