Security Weekly 31: Telegram and the Rat King, More Miners, a Large-Scale Brute-Force Attack on the WordPress Platform
A new piece of malware from the remote access Trojan family has been identified; the researchers who found it named it TelegramRAT. What sets it apart from the rest of the rat population is its heavy use of public cloud services: the Telegram Bot API as a command channel over HTTPS, and Dropbox as storage for the payload.
The beast, it must be said, turned out to be astonishingly quick and clever: living proof that something witty can be assembled from off-the-shelf bricks. It spreads in entirely standard fashion: the authors rely on banal phishing and the ever-memorable CVE-2017-11882, the one Microsoft patched in November. After that, things get more interesting: the Trojan downloads its payload from Dropbox via a link disguised with a URL-shortening service. The file (which Dropbox's administrators have since removed) is a 16-megabyte binary bundling the code itself, every library it needs to run, and even the Python interpreter. The large file size lulls some antivirus products, which wave it through without complaint.
Then the rat magic begins. To turn a respectable computer into a Nutcracker, the attacker used the publicly available RAT-via-Telegram code with minor changes. Before the attack began, the hacker created a Telegram bot and embedded its token in the RAT's configuration file. Once the TelegramRAT client is deployed, you can play the Rat King, conversing with the infected machines over the bot channel and sending them your august will in the form of simple commands. Because the malicious traffic travels over TLS, courtesy of Telegram, most antivirus products never notice the rodent. The flip side for defenders: every command and every reply still goes to Telegram's Bot API endpoint, api.telegram.org, so a workstation with no business running Telegram bots that talks to that host stands out in proxy logs.
The commands let the attacker sink its teeth into various parts of the system: take screenshots, execute malicious files, record audio from the microphone, shut the computer down... Strong witchcraft, in short.
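As an added example (not code from the original post, nor from the TelegramRAT or RAT-via-Telegram projects), here is a small detector for the traffic pattern described above: a non-browser client on the internal network talking to api.telegram.org and, where the proxy terminates TLS, a bot token visible in the request path. The log format, the client addresses and the bot token are all constructed for the demo; that the implant polls getUpdates for commands and answers with sendDocument is an assumption about how a Bot API driven RAT typically behaves, not something the post states.

```python
"""Spot Telegram Bot API command-and-control traffic in a proxy log.

Added example, not code from the post or from the RAT it describes.
Assumes a Squid-style access log with one request per line:
    <timestamp> <client ip> <method> <url> <status> "<user agent>"
For plain CONNECT tunnels only host:port is visible; if the proxy
terminates TLS, the full URL (and therefore the bot token) is logged.
"""
import re
from collections import defaultdict

BOT_API_HOST = "api.telegram.org"

# Bot API URLs look like https://api.telegram.org/bot<id>:<secret>/<method>,
# where <id> is numeric and <secret> is 35 characters of [A-Za-z0-9_-].
BOT_TOKEN_RE = re.compile(r"/bot(\d{8,12}:[A-Za-z0-9_-]{35})/(\w+)")

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample log: addresses, token and timestamps are invented.
# 10.1.1.15 behaves like the implant (non-browser agent, bot token in the
# URL, payload fetched from Dropbox); 10.1.1.30 is a person using a bot
# from Chrome; 10.1.1.22 only uses the Telegram web client.
SAMPLE_LOG = """\
2017-12-20T10:00:01Z 10.1.1.15 CONNECT dl.dropboxusercontent.com:443 200 "python-requests/2.18.4"
2017-12-20T10:00:02Z 10.1.1.15 CONNECT api.telegram.org:443 200 "python-requests/2.18.4"
2017-12-20T10:00:03Z 10.1.1.15 GET https://api.telegram.org/bot123456789:AAHw6qWdJbKxQzSh1cXMMJsbMk4P8eYrJLE/getUpdates 200 "python-requests/2.18.4"
2017-12-20T10:00:04Z 10.1.1.22 CONNECT web.telegram.org:443 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/63.0"
2017-12-20T10:00:05Z 10.1.1.15 GET https://api.telegram.org/bot123456789:AAHw6qWdJbKxQzSh1cXMMJsbMk4P8eYrJLE/sendDocument 200 "python-requests/2.18.4"
2017-12-20T10:00:06Z 10.1.1.30 CONNECT api.telegram.org:443 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/63.0"
"""


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def host_of(method, url):
    """Host part of a CONNECT target ("host:port") or of a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1) if m else url


def analyse(log_text):
    """Return {client: finding} for every client that touched the Bot API.

    Severity: "low" for any contact at all (legitimate bots exist, so this
    is only a lead), "medium" when the client is not a browser, "high" when
    a bot token is visible in the request path: a token in outbound traffic
    from a workstation means that machine *is* the bot, i.e. it is being
    driven by whoever holds the other end of the channel.
    """
    per_client = defaultdict(lambda: {
        "bot_api_requests": 0, "non_browser_ua": False,
        "tokens": set(), "methods": set(), "other_hosts": set(),
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = per_client[rec["client"]]
        host = host_of(rec["method"], rec["url"])
        if host != BOT_API_HOST:
            f["other_hosts"].add(host)
            continue
        f["bot_api_requests"] += 1
        if not rec["ua"].startswith("Mozilla/"):
            f["non_browser_ua"] = True
        m = BOT_TOKEN_RE.search(rec["url"])
        if m:
            f["tokens"].add(m.group(1))
            f["methods"].add(m.group(2))

    findings = {}
    for client, f in per_client.items():
        if f["bot_api_requests"] == 0:
            continue
        severity = ("high" if f["tokens"]
                    else "medium" if f["non_browser_ua"] else "low")
        findings[client] = dict(f, severity=severity)
    return findings


if __name__ == "__main__":
    for client, f in sorted(analyse(SAMPLE_LOG).items()):
        print(f"{client}: {f['severity']} ({f['bot_api_requests']} Bot API "
              f"requests, methods={sorted(f['methods'])}, "
              f"tokens={len(f['tokens'])})")
```

Two caveats for real use: without TLS interception you only ever see the CONNECT to api.telegram.org, so the "high" tier never fires and you are left with the host plus user agent; and plenty of legitimate automation uses the Bot API, so treat the hit list as an allowlist exercise rather than a verdict. A harvested token is also actionable: it identifies the bot, and Telegram lets the bot's owner (and an incident responder with the token) revoke it.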
New malware spreading through Facebook
Telegram is not the only instant messaging service that can be pressed into the service of cybercriminals: Facebook Messenger has once again become a carrier of contagion.
The Trojan hides, unoriginally, in an archive named video_xxxx.zip, where xxxx is not a hint at adult content but a four-digit number. If a distracted user launches the file stored in the archive, Digmine settles in on the computer: a rather primitive piece of malware that can do no more than talk to its command server and follow its instructions. So far the C&C has been sending Digmine a package that installs a Monero cryptocurrency miner and a malicious extension for Chrome.
Once installed, the extension sends private messages to the victim's contacts carrying the same infected archive. That said, the attack does not work if the user has not saved their Facebook login in the browser. The epidemic is harmless to users of any other browser, including the mobile versions of the same Chrome, and users of platforms other than Windows are of course safe as well.
As soon as the researchers who found the malware contacted Facebook, its administrators removed the malicious links from all user messages; nothing, however, stops the attackers from changing the link and starting over. In addition, Facebook offered a free virus scan to anyone who suspects their computer is infected. A sad gift, but a New Year's gift nonetheless.
Large-Scale Brute-Force Attack on the WordPress Platform
The target this time is WordPress sites: since last Monday they have been turned into miners one after another, broken into by simply guessing admin passwords. The attack appears to come from a single botnet, but a large and toothy one: more than 10 thousand IP addresses, more than 14 million password attempts per hour, against more than 190 thousand target sites.
The cracked WordPress sites are loaded with a variation on the theme of the Kaiten malware, also known as Tsunami, which hides on the servers by creating copies of itself under names borrowed from an arbitrary file on the server.
The malware receives its commands over unencrypted IRC channels. As a rule they are not very varied: download a script from somewhere, then run it as one of the background processes. The "higher authorities" tell infected machines either to join the brute-forcing or to mine with some version of XMRig.
From time to time the workload is redistributed, but no single server brute-forces and mines at the same time. This means the botnet is in fact much larger than the 10,000 machines taking part in the attack at any given moment. When guessing passwords, the bots use publicly available username and password lists as well as heuristics that take the domain name and content of the attacked site into account.
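As an added example (not code from the post or from Wordfence), here is detection logic for the two faces of the attack described above: a single noisy source hammering wp-login.php, and the distributed case where thousands of bots each make only a handful of attempts, which a per-IP threshold alone will miss. It reads Apache combined-format access log lines; the addresses, timestamps and thresholds are constructed for the demo. It relies on one piece of WordPress behaviour: a failed wp-login.php POST gets a 200 (the form is re-rendered with an error) while a successful one is a 302 redirect to wp-admin; xmlrpc.php answers 200 either way, so every POST to it is counted as an attempt.

```python
"""Flag WordPress credential brute-forcing in an Apache access log.

Added example, not code from the post or from Wordfence. Reads Apache
combined-format lines and looks for (a) single sources exceeding a per-IP
rate and (b) a distributed burst where many sources share the load so
that no single one trips the per-IP rule.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_failed_login(rec):
    """True for a request that looks like an unsuccessful login attempt.

    WordPress answers a failed wp-login.php POST with 200 (form re-rendered
    with an error) and a successful one with a 302 to wp-admin. xmlrpc.php
    returns 200 whether or not the credentials were right, so every POST
    to it is counted as an attempt.
    """
    if rec["method"] != "POST":
        return False
    path = rec["path"].split("?", 1)[0]
    if path == "/wp-login.php":
        return rec["status"] == 200
    return path == "/xmlrpc.php"


def bursts(timestamps, window):
    """Largest number of events inside any interval of length `window`."""
    ts = sorted(timestamps)
    best = j = 0
    for i in range(len(ts)):
        while ts[i] - ts[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def detect(lines, window=timedelta(seconds=60), per_ip=5,
           global_attempts=10, global_ips=4):
    events = sorted((r for r in map(parse, lines) if r and is_failed_login(r)),
                    key=lambda r: r["ts"])
    by_ip = defaultdict(list)
    for r in events:
        by_ip[r["ip"]].append(r["ts"])
    noisy = {}
    for ip, ts in by_ip.items():
        n = bursts(ts, window)
        if n >= per_ip:
            noisy[ip] = n

    # Distributed case: slide one window over all failures regardless of
    # source and report the busiest one if it mixes enough distinct sources.
    distributed = None
    in_window = Counter()
    j = 0
    for i, r in enumerate(events):
        in_window[r["ip"]] += 1
        while r["ts"] - events[j]["ts"] > window:
            in_window[events[j]["ip"]] -= 1
            if in_window[events[j]["ip"]] == 0:
                del in_window[events[j]["ip"]]
            j += 1
        total = i - j + 1
        if total >= global_attempts and len(in_window) >= global_ips:
            if distributed is None or total > distributed["attempts"]:
                distributed = {"attempts": total, "distinct_ips": len(in_window)}
    return {"noisy_ips": noisy, "distributed": distributed}


def _entry(ip, hhmmss, method="POST", path="/wp-login.php", status=200):
    """Build one constructed combined-format log line (not real traffic)."""
    return (f'{ip} - - [20/Dec/2017:{hhmmss} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 3421 "-" "Mozilla/5.0"')


SAMPLE_LOG = (
    # one noisy source: six failed logins in 25 seconds
    [_entry("203.0.113.7", f"10:00:{s:02d}") for s in range(0, 30, 5)]
    # a distributed burst: five sources, two attempts each, none noisy alone
    + [_entry(f"198.51.100.{11 + k % 5}", f"10:02:{s:02d}")
       for k, s in enumerate(range(0, 50, 5))]
    + [_entry("198.51.100.11", "10:02:50", path="/xmlrpc.php")]
    # legitimate traffic: page view, successful login (302), dashboard
    + [_entry("192.0.2.50", "10:03:00", method="GET"),
       _entry("192.0.2.50", "10:03:05", status=302),
       _entry("192.0.2.50", "10:03:06", method="GET", path="/wp-admin/")]
)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

On the sample log this reports 203.0.113.7 as a noisy source (six attempts in one window) and a distributed burst of eleven attempts from five sources, although no one of those five exceeds the per-IP limit. One thing a log counter cannot see: XML-RPC's system.multicall lets a single POST to xmlrpc.php carry many login attempts, so one line may hide hundreds of guesses; if you do not need XML-RPC, disabling it removes that blind spot along with the attack surface.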
The folks at Wordfence spotted eight command servers (four of them at IP addresses belonging to the French cloud provider OVH). They also managed to trace two crypto wallets holding more than 100 thousand dollars' worth of Monero. Almost certainly that is not all of it: in most cases the wallet addresses were encrypted.
Brute-force attacks on WordPress have historically not been very successful, but this time the stars seem to have aligned: on the one hand, the Monero exchange rate has doubled; on the other, on December 1 a fresh database of 1.4 billion plaintext username and password combinations was published.