Security Blog

Written by
Chris Larsen

For part of this week, I've been poking into an attack we blocked last weekend (Saturday, 6/06), and while parts of it were pretty standard, the variety of attack vectors was interesting...

First, the "standard stuff":

Written by
Chris Larsen

This is essentially Part Two of yesterday's post on phony tech support scams. (For those too lazy to click, a hat tip to @malekal_morte for his tweets yesterday about these attacks.)

Near the end of yesterday's investigation, I came across a couple of domains that appeared to be targeting Macs. In poking around a bit further afield, I found another one, and decided that these were worth a separate blog post.

The three scam domains I've found so far are as follows:

Written by
Chris Larsen

This is a post to support the excellent work of another researcher (@malekal_morte), who posted several screenshots from his research today, focusing on Tech Support Scams. (His main site is here, if you read French.)

Malekal's images showed several of these sites (techsupportexpertise.com, windows-notifications.com, couponsforcart.com). If you're sharp-eyed, you may have noticed that the third domain in that list doesn't seem to have anything to do with tech support, and it doesn't; but that's because the network that it belongs to does more types of scams than just phony tech support.

Written by
Chris Larsen

Earlier this month (May 17th, to be precise), a new ad site appeared in our traffic logs: waframedia1.com. This domain had been registered several weeks before it began to be used, likely in an attempt to allay suspicions. It was hosted on a variety of Google cloud service IP addresses -- either for the sake of convenience, or as a further effort to look normal.

Written by
Andrew Brandt

A few months ago, while searching for malware that uses unusual or unexpected methods of data exfiltration, I stumbled upon a relatively new group of Trojans designed to steal banking credentials for banks based in Central and South America.

The malware ends up in a wide variety of "family" definitions when scanned by various AV products, but it uses the internal name NovoKL (probably Portuguese for "new keylogger") in strings dumped from the various samples we've been running in the lab since March. It shares some characteristics with other keyloggers that end up branded in the catch-all "Bancos," or slightly more specific "Broban.AQ" antivirus definitions used by a number of companies (except Symantec, which calls it Infostealer.Escelar).

Unlike most other phishing Trojans, the malware uses SQL commands sent over a connection to a database server as its command-and-control, payload delivery, and data exfiltration mechanism. It also seems to be extensible, as we've observed samples in the lab retrieve multiple, varied payloads, some of which add additional functionality to the core malware.

All of these samples are delivered through the same database connection protocol, known as Tabular Data Stream, or TDS. The default TCP port number for TDS services is 1433; connections from the various malware samples to a small number of machines hosted in a Brazilian IP address range have all used this standard port for C&C. While I'm familiar with a wide range of both common and weird, bespoke methods for C&C traffic, I hadn't previously seen malware interacting directly with a database server using the formal language of a SQL query.


Written by
Waylon Grange

A team of researchers from a number of universities, including my own alma mater, recently released a paper outlining yet another cryptographic attack. This time the attack is against the Diffie-Hellman key exchange used in many modern protocols including TLS, SSH, and many VPN servers.