15th July – Threat Intelligence Bulletin

July 15, 2019


  • Check Point Research has exposed a new Android malware dubbed “Agent Smith”, which had infected 25M mobile devices, generating income through malicious advertisement. After installing a seemingly innocent app from Google Play Store and the third-party app store “9Apps”, the malware modifies pre-installed applications to display fraudulent ads.
    (Check Point SandBlast Mobile provides protection against this threat)
  • More than 17,000 cloud-based domains have been compromised by an attack on misconfigured AWS S3 buckets. A Magecart associated group has been modifying JavaScript files, appending skimming code designed to collect payment card data in an attack starting April 2019. (Check Point CloudGuard provides protection against this threat)
  • FinSpy espionage tool, capable of stealing SMS messages, phone call recordings, emails, contacts, pictures, files and geolocations from iOS and Android mobile platforms, has been used in a campaign targeting Myanmar users. Created by German company Gamma International, the FinSpy tool has been previously associated with human-rights abuses.
  • $10.6M worth of electronic equipment, $3.2M of which was top-secret military communication interception equipment, has been stolen from a US defense contractor based in Maryland in an international email scam operation. Scammers issued a purchase order using a Yahoo email address ending in “navy-mil.us” instead of the authentic “.mil” suffix. Investigation into the shipping address used resulted in the indictment of 8 people on a range of federal charges.
  • La Porte County and the South Bend Clinic in Indiana, US, have both been hit by a ransomware attack, reportedly Ryuk, shutting down their operations. La Porte County has agreed to pay $130,000 in Bitcoin as ransom.


  • A vulnerability in the Mac Zoom Client allows any malicious website to enable users’ cameras without permission and could allow attackers to take complete control over Apple Mac computers remotely. The flaw potentially exposes 750,000 companies around the world who use Zoom to conduct day-to-day business. Both Apple and Zoom released updates addressing the issue.
    Check Point IPS blade provides protection against this threat (Zoom Client Webcam Hijacking (CVE-2019-13450))
  • Microsoft has released its monthly software security update for July, addressing 77 vulnerabilities of which 14 are rated critical and two were found exploited in the wild. The first vulnerability, tracked as CVE-2019-1132, has been exploited by the Buhtrap threat actor in targeted attacks aimed at government organizations in Eastern Europe and was the first zero-day flaw used by Buhtrap in its operations. The Adobe monthly patch resolves vulnerabilities in Adobe Dreamweaver, Experience Manager and Bridge CC, none of which are considered critical.
    Check Point IPS blade provides protection against these threats (Microsoft Win32k Elevation of Privilege (CVE-2019-1132), Microsoft Browser Chakra Scripting Engine Memory Corruption (CVE-2019-1001), Microsoft Internet Explorer Scripting Engine Memory Corruption (CVE-2019-1004), Microsoft Edge Chakra Scripting Engine Memory Corruption (CVE-2019-1062), Microsoft Internet Explorer Memory Corruption (CVE-2019-1063), Microsoft Browser Memory Corruption (CVE-2019-1104))
  • Vulnerabilities found in General Electric’s (GE) anesthesia machines (GE Aestiva and GE Aespire — models 7100 and 7900) could allow attackers on the same network to send remote commands, change settings and modify gas composition, thus placing patients in life-threatening situations. GE responded saying these vulnerabilities can be avoided if the anesthesia machines aren’t connected to a hospital’s network.


  • Check Point Research has published a review of a new version of the Smokeloader botnet, which entered the top 10 most wanted list last December. The new version includes anti-hooking, anti-debug and anti-VM self-protection mechanisms and new persistence methods.
    Check Point SandBlast and Anti-Bot blades protect against this threat (Trojan-Downloader.Win32.Smokeloader)
  • Britain’s Information Commissioner’s Office has released a “notice of intent” to issue record-setting fines under the EU GDPR against British Airways and Marriott hotels. BA is facing a $230M fine for compromising personal data of 500,000 customers in a 2018 data breach. Marriott is to be fined $125M for exposing 339 million customer records. Also this week, the U.S. Federal Trade Commission has reached a $5 billion settlement to be paid by Facebook following the 2018 Cambridge Analytica privacy scandal.

Is ‘REvil’ the New GandCrab Ransomware?

Jul 19

The cybercriminals behind the GandCrab ransomware-as-a-service (RaaS) offering recently announced they were closing up shop and retiring after having allegedly earned more than $2 billion in extortion payments from victims. But a growing body of evidence suggests the GandCrab team have instead quietly regrouped behind a more exclusive and advanced ransomware program known variously as “REvil,” “Sodin,” and “Sodinokibi.”

“We are getting a well-deserved retirement,” the GandCrab administrator(s) wrote in their farewell message on May 31. “We are a living proof that you can do evil and get off scot-free.”

However, it now appears the GandCrab team had already begun preparations to re-brand under a far more private ransomware-as-a-service offering months before their official “retirement.”

In late April, researchers at Cisco Talos spotted a new ransomware strain dubbed Sodinokibi that was used to deploy GandCrab, which encrypts files on infected systems unless and until the victim pays the demanded sum. A month later, GandCrab would announce its closure.

Meanwhile, in the first half of May an individual using the nickname “Unknown” began making deposits totaling more than USD $130,000 worth of virtual currencies on two top cybercrime forums. The down payments were meant to demonstrate the actor meant business in his offer to hire just a handful of affiliates to drive a new, as-yet unnamed ransomware-as-a-service offering.

“We are not going to hire as many people as possible,” Unknown told forum members in announcing the new RaaS program. “Five affiliates more can join the program and then we’ll go under the radar. Each affiliate is guaranteed USD 10,000. Your cut is 60 percent at the beginning and 70 percent after the first three payments are made. Five affiliates are guaranteed [USD] 50,000 in total. We have been working for several years, specifically five years in this field. We are interested in professionals.”

Asked by forum members to name the ransomware service, Unknown said it had been mentioned in media reports but that he wouldn’t be disclosing technical details of the program or its name for the time being.

Unknown said it was forbidden to install the new ransomware strain on any computers in the Commonwealth of Independent States (CIS), which includes Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan.

The prohibition against spreading malware in CIS countries has long been a staple of various pay-per-install affiliate programs that are operated by crooks residing in those nations. The idea here is not to attract attention from local law enforcement responding to victim complaints (and/or perhaps to stay off the radar of tax authorities and extortionists in their hometowns).

But Kaspersky Lab discovered that Sodinokibi/REvil also includes one other nation on its list of countries that affiliates should avoid infecting: Syria. Interestingly, later versions of GandCrab took the same unusual step.

What’s the significance of the Syria connection? In October 2018, a Syrian man tweeted that he had lost access to all pictures of his deceased children after his computer got infected with GandCrab.

“They want 600 dollars to give me back my children, that’s what they’ve done, they’ve taken my boys away from me for some filthy money,” the victim wrote. “How can I pay them 600 dollars if I barely have enough money to put food on the table for me and my wife?”

That heartfelt appeal apparently struck a chord with the developer(s) of GandCrab, who soon after released a decryption key that let all GandCrab victims in Syria unlock their files for free.

But this rare display of mercy probably cost the GandCrab administrators and its affiliates a pretty penny. That’s because a week after GandCrab released decryption keys for all victims in Syria, the No More Ransom project released a free GandCrab decryption tool developed by Romanian police in collaboration with law enforcement offices from a number of countries and security firm Bitdefender.

The GandCrab operators later told affiliates that the release of the decryption keys for Syrian victims allowed the entropy used by the random number generator for the ransomware’s master key to be calculated. Approximately 24 hours after NoMoreRansom released its free tool, the GandCrab team shipped an update that rendered it unable to decrypt files.
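The failure mode described here (a per-victim key derived from a random source with too little entropy becomes recoverable for every victim once a single key is disclosed) can be modelled in a few lines. The following Python is an added illustration, not code from the article and not GandCrab’s actual key scheme; the 16-bit seed space, the victim identifiers and the key derivation are all constructed assumptions.

```python
import hashlib
import os
import random

# Assumed (constructed) weakness: the "master key" PRNG is seeded from only
# 16 bits of entropy, so there are just 65,536 possible seeds.
SEED_BITS = 16


def weak_master_key(seed: int, victim_id: str) -> bytes:
    """Per-victim key from a deterministic PRNG seeded with low entropy (toy model)."""
    rng = random.Random(seed)
    stream = rng.getrandbits(256).to_bytes(32, "big")
    return hashlib.sha256(stream + victim_id.encode()).digest()


def strong_master_key(victim_id: str) -> bytes:
    """Per-victim key mixed from the OS CSPRNG: no small shared seed to recover."""
    return hashlib.sha256(os.urandom(32) + victim_id.encode()).digest()


def recover_seed(known_victim: str, known_key: bytes, seed_bits: int = SEED_BITS):
    """Given ONE disclosed key (e.g. a key released for a single victim), search
    the whole seed space for the seed that reproduces it. Returns None if the
    key was not generated from this low-entropy scheme."""
    for seed in range(1 << seed_bits):
        if weak_master_key(seed, known_victim) == known_key:
            return seed
    return None


def build_decryptor(known_victim: str, known_key: bytes, other_victims: list):
    """What a free decryption tool needs: once the seed is known, every other
    victim's key is re-derivable. Returns {victim_id: key} or None."""
    seed = recover_seed(known_victim, known_key)
    if seed is None:
        return None
    return {v: weak_master_key(seed, v) for v in other_victims}


if __name__ == "__main__":
    # Constructed scenario: one victim's key is disclosed, the rest are not.
    disclosed_seed = 40321
    disclosed_key = weak_master_key(disclosed_seed, "victim-SY-001")
    keys = build_decryptor("victim-SY-001", disclosed_key, ["victim-002", "victim-003"])
    print("recovered seed:", recover_seed("victim-SY-001", disclosed_key))
    print("other victims recoverable:", keys is not None)
    print("CSPRNG key recoverable:", recover_seed("victim-SY-001", strong_master_key("victim-SY-001")) is not None)
```

The defensive lesson is the same for any key-management code: derive per-victim or per-session keys from a CSPRNG, never from a PRNG seeded with a guessable value, because one leaked output then exposes all of them.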

There are also similarities between the ways that both GandCrab and REvil generate URLs that are used as part of the infection process, according to a recent report from Dutch security firm Tesorion.

“Even though the code bases differ significantly, the lists of strings that are used to generate the URLs are very similar (although not identical), and there are some striking similarities in how this specific part of the code works, e.g., in the somewhat far-fetched way that the random length of the filename is repeatedly recalculated,” Tesorion observed.

My guess is the GandCrab team has not retired, and has simply regrouped and re-branded due to the significant amount of attention from security researchers and law enforcement investigators. It seems highly unlikely that such a successful group of cybercriminals would just walk away from such an insanely profitable enterprise.


Palantir’s Surveillance Service for Law Enforcement

Motherboard got its hands on Palantir’s Gotham user’s manual, which is used by the police to get information on people:

The Palantir user guide shows that police can start with almost no information about a person of interest and instantly know extremely intimate details about their lives. The capabilities are staggering, according to the guide:

  • If police have a name that’s associated with a license plate, they can use automatic license plate reader data to find out where they’ve been, and when they’ve been there. This can give a complete account of where someone has driven over any time period.
  • With a name, police can also find a person’s email address, phone numbers, current and previous addresses, bank accounts, social security number(s), business relationships, family relationships, and license information like height, weight, and eye color, as long as it’s in the agency’s database.
  • The software can map out a person’s family members and business associates of a suspect, and theoretically, find the above information about them, too.

All of this information is aggregated and synthesized in a way that gives law enforcement nearly omniscient knowledge over any suspect they decide to surveil.

Read the whole article — it has a lot of details. This seems like a commercial version of the NSA’s XKEYSCORE.

Boing Boing post.


The FBI wants to gather more information from social media. Today, it issued a call for contracts for a new social media monitoring tool. According to a request-for-proposals (RFP), it’s looking for an “early alerting tool” that would help it monitor terrorist groups, domestic threats, criminal activity and the like.

The tool would provide the FBI with access to the full social media profiles of persons of interest. That could include information like user IDs, emails, IP addresses and telephone numbers. The tool would also allow the FBI to track people based on location, enable persistent keyword monitoring and provide access to personal social media history. According to the RFP, “The mission-critical exploitation of social media will enable the Bureau to detect, disrupt, and investigate an ever growing diverse range of threats to U.S. National interests.”