Security Weekly 40

Security Weekly 40 Main Logo

Security Weekly 40: Dubious Banking News, Killer Of Miners, Imitation Of Banks

Security weekly 40 photo 1

But a curious fresh find of our colleagues. Some enterprising comrades decided to provide the public with the unusual news. However, the news was so-so: not very new IE exploit and the Trojan Buhtrap, known since 2014. And all this kindness was posted on a number of Russian news sites, from where they were handed out to readers. Imperceptibly, of course.

  • Exploit for Internet Explorer (CVE-2016-0189), also known as VBScript Godmode, the attackers did not write themselves – they got out of the open source. Troyan, in fact, also only slightly modified. By the way, it was always used to steal money from accounts of legal entities. So, apparently, there was an attempt to get to the computers of financiers.

Some doubt causes the effectiveness of this whole event. How many people read the news not on mobile devices, but from stationary computers? How many of them still use Internet Explorer, which has not been patched since 2016? And among them, there were many financiers? Well, however, let the analysis of the authors of this calvary campaign.

Miner versus Miners

Security weekly 40 photo 2

A kind of attacker developed almost the first of its kind “black miner”, went to the task responsibly and meticulously … and for three weeks the campaign earned nothing, two hundred dollars. But his code unexpectedly helped create an instrument against other miners.

In order to successfully function without having to have a file on the infected system, this malware uses PowerShell. For the ability not to leave traces, the find was called GhostMiner.

As the autopsy showed, malware is potentially capable of infecting servers running MSSQL, phpMyAdmin, and OracleWebLogic. However, captured in the wild nature of the search for the network only random WebLogic servers, penetrating them through the vulnerability described in last October.

  • Once in the desired feeder, maliciously launched two PowerShell scripts, which loaded into memory two components. One of them, slightly modified by XMRig, was engaged in the actual production of Monero, the other was responsible for multiplying the infection by budding. But the most interesting thing: the miner began to work only after maliciously eliminated potential competitors – all other receivers of crypto-currencies that could be on the server.

At the same time, the creators of GhostMiner displayed exceptional knowledge of their business: they included in the script not only the ability to delete mining processes using blacklists of known threats but also taught their child to look for competitors by command line arguments and TCP ports to which suspicious processes were connected.

The solution really turned out to be so simple and successful that researchers from Minerva Labs even decided to turn it into a tool that they called MinerKiller and laid out on GitHub with minimal changes. A kind of recognition of the unwitting merits of the authors of the malicious person in the field of cybersecurity.

Do not call, we will call you

Security weekly 40 photo 3


For a long time known to security experts malicious FakeBank, which spreads through social networks and third-party application stores (not Google Play), has become even more malicious. Previously, he only stole financial and near-financial data, and also intercepted SMS coming from banks and prevented to open legitimate banking applications.

Now FakeBank has learned to redirect calls to the bank to other numbers and, conversely, to mask the phone number of scammers during incoming calls, so that the user gets the impression that he is called from the bank. This is done at the expense of a mutter with a user interface.

  • Pretending to be employees of the bank, criminals lure valuable information: card details and even CVV-code. Fortunately, in Android 8.0 Oreo applications are no longer allowed to control the interface, and therefore the owners of phones with this OS a new version of the malware is not dangerous.

While all FakeBank 2.0 attacks took place only in South Korea, we also should not relax: the first version of FakeBank aimed specifically at Russian banks.