New Malware Threat Infects Through Microsoft’s PowerPoint

In another security hack that is making the rounds, Microsoft’s PowerPoint is the target.


“Spammers are testing a new way to trick victims into installing malware that downloads after the user hovers over a link in a PowerPoint slide show,” ZDNet reports. The new infection, which was discovered by BleepingComputer, “abuses a hover action in PowerPoint slide show mode to install malware.” When a user opens the PowerPoint file and puts their cursor over the malicious hyperlink, a PowerShell command runs quietly in the background “that connects to a malicious domain and downloads malware files.”

Like other Office malware that uses macros to infect victims, the latest malware is spread via email attachments. The attached files are the open-source version of the Microsoft PowerPoint slide show format, which is for viewing only and can't be edited like normal files. The malware proceeds to download a banking trojan.


The PowerPoint (PPSX) examples seen so far display the hyperlinked text “Loading… Please wait”. Hovering over it will download malware automatically unless Office Protected View is enabled. Fortunately, Protected View was enabled by default in Office 2010, in which case Office displays a security warning that blocks the download.

The PowerPoint file downloads a banking trojan known as Gootkit or Otlard; SentinelOne calls the malware Zusy.
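As an added illustration (not code from the original post or from any of the reports it cites), the following Python script inspects a PowerPoint slide show package for the kind of mouse-over action described above: a DrawingML hyperlink whose action is `ppaction://program`. It assumes the standard Open XML layout (slide XML plus a `_rels` part) and builds its own constructed sample in memory with a harmless placeholder target.

```python
"""Flag mouse-over (and click) actions in a .pptx/.ppsx that launch a program.

Added example: scans the Open XML package for DrawingML hyperlink elements
whose action is ppaction://program and resolves their relationship target.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
PROGRAM_ACTION = "ppaction://program"


def _relationship_targets(zf, slide_name):
    """Map r:id -> Target for one slide, read from ppt/slides/_rels/<slide>.rels."""
    folder, _, base = slide_name.rpartition("/")
    rels_name = f"{folder}/_rels/{base}.rels"
    targets = {}
    if rels_name in zf.namelist():
        root = ET.fromstring(zf.read(rels_name))
        for rel in root.iter(f"{{{NS_REL}}}Relationship"):
            targets[rel.get("Id")] = rel.get("Target", "")
    return targets


def find_program_actions(package_bytes):
    """Return a list of {slide, trigger, target} for every program-launching action."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            # slide parts live at ppt/slides/slideN.xml; skip .rels and other parts
            if not (name.startswith("ppt/slides/") and name.endswith(".xml")):
                continue
            targets = _relationship_targets(zf, name)
            root = ET.fromstring(zf.read(name))
            for trigger in ("hlinkMouseOver", "hlinkClick"):
                for el in root.iter(f"{{{NS_A}}}{trigger}"):
                    if (el.get("action") or "").startswith(PROGRAM_ACTION):
                        rid = el.get(f"{{{NS_R}}}id")
                        findings.append({"slide": name, "trigger": trigger,
                                         "target": targets.get(rid, "")})
    return findings


def build_sample_package(with_hover_action=True):
    """Constructed minimal slide show; the target is a harmless placeholder string."""
    if with_hover_action:
        link = f'<a:hlinkMouseOver r:id="rId2" action="{PROGRAM_ACTION}"/>'
    else:
        link = '<a:hlinkClick r:id="rId2"/>'   # ordinary web hyperlink, no action
    slide_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"
       xmlns:a="{NS_A}" xmlns:r="{NS_R}">
  <p:cSld><p:spTree><p:sp><p:txBody><a:p><a:r>
    <a:rPr>{link}</a:rPr>
    <a:t>Loading... Please wait</a:t>
  </a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld>
</p:sld>"""
    target = ("PLACEHOLDER_PROGRAM.exe --constructed-sample" if with_hover_action
              else "https://example.com/")
    rels_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{NS_REL}">
  <Relationship Id="rId2" Target="{target}" TargetMode="External"
    Type="{NS_R}/hyperlink"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide_xml)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_program_actions(build_sample_package()):
        print(f"{hit['slide']}: {hit['trigger']} launches {hit['target']!r}")
```

Point `find_program_actions` at the bytes of a real attachment to triage it before anyone opens it; a non-empty result is a strong reason to quarantine the file.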

Protecting Yourself

I wonder how many times I have stated this. "Do not open attachments, or click on hyperlinks in your email unless you are 100% certain of its origin and that you have requested it". Most security threats (malware – trojan horses, ransomware etc.) are spread through email. Always use caution before clicking!


Is Our Power Grid in Danger?

Was hacking our Presidential election just the first part of an even greater cyber-problem?

Researchers from the network security firm ESET have reported that a Russian hacker group may have developed a way to take down the power grids of entire countries.


The researchers described the malware, dubbed “Industroyer,” as the most dangerous hacking weapon since Stuxnet. First identified in 2010, Stuxnet is a malicious computer worm that targets industrial computer systems and was responsible for causing substantial damage to Iran’s nuclear program.

In fact, the ESET researchers said the malware was responsible for a 2016 blackout that affected Ukraine’s capital city of Kiev for an hour. The researchers also said the malware could be reconfigured to attack other key infrastructure components as well.

A Very Scary Threat Evolves

“Industroyer is a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly. To do so, it uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas),” the company wrote in a blog post today.

Because Industroyer affects switches directly, the malware can inflict varying degrees of damage on a target country’s infrastructure, from simply triggering a temporary blackout, to causing cascading failures or serious damage to equipment.

The malware is able to attack infrastructure equipment so effectively because it uses the common industry protocols that were first designed decades ago, long before most systems were connected to the Internet. As a result, security had not been a major priority at the time they were implemented. In many cases, the hackers only need to learn how to program the malware to communicate with the protocols because there aren’t any security systems that they need to circumvent.

This is yet another example that our national security relies less on firearms and more on cyber-defense.


Qakbot Attacks

Another week, another cyber-threat threatens the security of individuals and businesses alike. This latest one, Qakbot, has a special emphasis on taking down business networks. It is just the latest cyber-threat, and you can be sure that there will be many more – even more destructive ones – to come. These threats will continue until our behavior changes with respect to how seriously we treat internet services. Security solutions are incredibly important; however, even the best security solution cannot be 100% effective in this ever-changing tech world. Cyber-criminals are continually changing their modes of attack, and security solutions are often playing catch-up. The way we interact with internet services is the key to protecting not only ourselves but each other. I touch on some of my recommendations for protecting yourself at the end of this article.


Introducing Qakbot

On Tuesday, researchers from Cylance said that Qakbot, an information-stealing Trojan and backdoor malware that targets the Microsoft Windows operating system and 64-bit browsers, with a particular focus on business/enterprise users, is on the loose.

Qakbot is a self-propagating kind of malware that has been circulating for several years now. The Trojan can spread not only through networks and external drives and devices but also focuses on stealing valuable credentials and taking control of the networks it has infected.

There has been a resurgence of the malware, according to Cylance, which has been made even more evasive and persistent with new, polymorphic features that enable the malicious code to squat in business networks for longer and "easily thwart legacy endpoint security solutions" through code obfuscation and a constantly evolving file makeup and set of signatures.

The Evil Tricks of Qakbot

Once a system has been infected with Qakbot through exploit kit use, phishing campaigns or malicious downloads, the malware does not lock a system in order to hold a business to ransom.

Instead, Qakbot is able to cause Active Directory lockouts: once credentials have been stolen, it uses them in authentication attempts against neighboring hosts, disrupting corporate activity. In turn, this may result in the compromise of additional hosts and further spread, or in the user accounts tied to those authentication attempts being locked out.

New samples of the malware suggest that Qakbot now also targets victims globally due to the inclusion of international character sets, and a recent surge in attacks means that companies should stay on their guard against suspicious downloads or activity and keep their systems up-to-date to prevent infection.

Protecting Yourself

I do not mean to sound like a broken record each time I report on the latest security attack, but I have no choice. Protecting yourself against most security intrusions is actually quite easy, and you will find these tips throughout this fine blog. In fact what you see below is copied from my earlier post regarding the Wannacry Ransomware threat on May 15, 2017.


It is incredibly important to do the following:

  • Always make sure that you install the latest updates & patches for your operating system, especially Microsoft Windows.
  • Make sure you have an up to date anti-virus program running on your computer.
  • Do not click on links or attachments in email unless you are 100% certain it is legitimate and that you have requested it. If you are not sure about a hyperlink or attachment contact the sender directly to ask about it.
  • Do not visit questionable websites.
  • When you are browsing websites, be certain to read carefully any dialog box that pops up before clicking on it.

Last but not least, make sure that you run a backup of your system files regularly. If your PC gets infected and your important files are encrypted, you can restore them later.


Thanks to ZDNet for being on top of the Qakbot story, from which much of this information was obtained.


New MacOS Virus Emerges

I have stated this time and time again to my Apple friends. While MacOS is historically more secure than Microsoft's Windows, it is NOT because Apple has a secret security sauce. Apple's "lead" in the security arena can basically be found in the numbers.

Cyber criminals want the biggest bang for their hard cyber-crime work. Writing malware, ransomware and trojan horses for Windows as opposed to MacOS simply hurts more people, because many more people use Windows when compared to MacOS.

This latest story demonstrates that yes – Apple’s MacOS is indeed vulnerable – just like Windows – just not as often.

While Mac malware tends to be a rather rare occurrence, Ars Technica is now reporting that security researchers have discovered two separate, new MacOS viruses that rely on old Windows tricks to get into your laptop and steal your data.

One of the attacks, documented by software firm Objective-See, exploits an established Windows technique which hides and executes malicious code using Word document macros.


The hack tricks unsuspecting users into opening infected Word documents which subsequently run malicious macros once the file has been loaded. The good thing is that it’s fairly easy to identify infected files prior to opening them.

Anytime you open a Word file containing macros, your device will ask you for permission. Denying permission on its own is enough to prevent the malware from spreading.

But if you click ‘run’, all sorts of bad things could happen: A hacker could spy on you or pull your browsing history, or they could initiate a secondary infection by downloading additional malware.

More MacOS malware

While also inspired from older Windows exploits, the other recently found malware – uncovered by researchers from Iran Threats – appears to be slightly more advanced.

Unlike the previous example, which used an infected Microsoft Word document as its attack vector, this one is merely disguised as a legitimate application.

The virus essentially prompts users to download and install a fake software update. It then proceeds to harvest the user Keychain and phish for usernames, passwords as well as any other credentials, before eventually relaying the recovered data back to the attacker.

The best way to avoid this attack is to simply refrain from downloading software from third-party or untrusted websites. The safest route is to download updates straight from the App Store or simply from the official website of the app-maker in question.

While exploits for MacOS are still mostly a rarity, Apple has dealt with a litany of bugs and glitches for iOS in recent months.

Not too long ago, numerous iOS users reported their devices had frozen after a malicious three-second video spread on the internet. In another similar case, thousands of users reported experiencing unexpected shutdowns after trolls discovered a glitch in iOS that could crash any device by just sending a short text message.


The Evolution of the Trojan Threat

As the news about an old Trojan, known as Betabot, sadly demonstrates, the cyber-threat we all face from infected and malicious software seems to be evolving to another level.


What is Betabot?

Previously, Betabot was primarily a banking information stealing Trojan, a password stealing Trojan, and a botnet, but it appears that the old school malware is now looking to capitalize on the current ransomware trend.

The Evolution of a Trojan

Now, Betabot has become the first known case of a weaponized document carrying password-stealing malware that also calls ransomware as a second-stage attack.

In a new report on the threat, Patrick Belcher, Senior Director of Threat Research, Invincea, explains that the malware packs virtual machine awareness and can check for some sandboxes, which helps it evade detection and analysis. What’s more, the Betabot was observed last week being delivered by the Neutrino exploit kit, the researcher says.

As Always Be Very Cautious With Email Attachments

The infection campaign relies on weaponized documents delivered as email attachments, and on social engineering to trick users into enabling macros. The attachments claim to be resumes, but, once the malicious macros have been enabled, malware capable of scraping all passwords stored in local browsers is served. The email campaign attempted to infect thousands of victims, Belcher notes.

Although Betabot has no further use of the compromised machine once it manages to steal passwords, a second-stage attack was also observed. In this new stage the malware deploys the Cerber ransomware on the endpoint. By taking this approach, the malware’s operators are looking to increase their profits.

A single IP (93[.]174.91.49) is used for both Betabot and Cerber, and Belcher explains that the malware authors switched between the two sometime between August 11 and August 16. Weaponized documents called resume.doc were serving Cerber before Aug. 11, but they started delivering Betabot (as bb.exe, bbcrypt.exe, and diablo.exe) on Aug. 16.

“This marks the first time that a weaponized document with password stealing malware has called ransomware as a second stage attack. This is an evolution in maximizing the profits from an endpoint compromise, earning much larger payout by using multiple attack techniques,” Belcher concludes.

Avoiding Betabot and Other Dangerous Exploits

You can avoid these dangerous exploits by doing the following:

  • Keep good and up to date security software on your PC. I recommend Kaspersky Lab.
  • Use a password manager so that you can have strong, unique and encrypted passwords. I recommend LastPass.
  • Never open unsolicited attachments in your email. If you are not sure about an attachment, contact the sender and confirm its legitimacy before opening it.
  • Be wary of clicking on hyperlinks to websites you are not familiar with.

All of this will help protect you from security exploits like Betabot.


Microsoft's New Critical Flaw Uses Printers as a Weapon

Microsoft has patched a security vulnerability found in every supported version of Windows, which if exploited could allow an attacker to take over a system.


Microsoft reported in a bulletin posted today, as part of its monthly release of security fixes, that a recently discovered "critical" flaw could let an attacker remotely install malware, which could then be used to modify or delete data, or to create new accounts with full user rights.

The “critical”-rated flaw affects Windows Vista and later.

Those who are logged in as an administrator, such as some home accounts and server users, are at the greatest risk.

An attacker could exploit the flaw by conducting a man-in-the-middle attack on a system or print server and injecting malicious code. That’s possible because the print spooler service doesn’t properly validate print drivers when installing a printer.

The security flaw works like this.

Normally, User Account Control is in place to warn or prevent a user from installing a new driver. To make printing easier, an exception was long ago created to bypass this control. This printer exception creates a mechanism that allows executables (usually very bad ones) to be downloaded from a shared drive and then run without generating any warning on the user's side. This is a dream come true for cyber criminals.

The result of this printer exception for executables is that it turns your printer into a "drive-by exploit kit".


Finding & Killing HummingBad

Yesterday I reported that over 80 million Android devices could eventually be infected with the malware known as “HummingBad”. If you have an Android you are probably asking yourself, “How do I know if my phone is infected?”

HummingBad has reportedly infected an astounding 10 million devices already, with over 280,000 of those infections estimated to have taken place in the US. Unfortunately, chances are that even if you’ve been hit, you won’t know about it.

So how can you find out if your Android device has HummingBad?

Although the existence of mobile malware is frustrating, mobile app developers and security groups have had time to respond, which means that there are many apps on Google Play that can detect the bad software. As CNET suggests, if you haven’t installed anything yet, look to apps like Avast, Bitdefender, AVG and Zone Alarm to keep your phone safe from unwanted intruders. Of these options AVG is my favorite for Android devices.

If your chosen app happens to detect HummingBad on your phone sadly there’s really only one way to deal with it: a factory reset. Yes, it’s a pain, but it’s almost certainly preferable to putting your data at risk.

Once you’ve removed the malware, it might be time to reexamine your downloading practices. If you’ve downloaded an app from an untrusted source in recent weeks, there’s a high probability that that’s where you installed HummingBad. In the future, try to limit your downloads to the Google Play store.

But whether or not you were unlucky enough to catch HummingBad, this issue is likely only going to get worse in the future. In Check Point’s report, they claim that a “dangerous trend will escalate as other groups learn from Yingmob [the creators] and find new ways to achieve the independence they need to launch larger and more sophisticated attack campaigns in the future.”


Over 80 Million Androids Affected With HummingBad

A malware program created by a Chinese hacking collective has gained control of 85 million Android devices, which the group is reportedly exploiting to the tune of $300,000 a month. The group, which researchers say is responsible for developing the HummingBad malware campaign, represents a dramatic increase in the organization and capabilities of hacking groups.

Dubbed Yingmob, the hacking group is also believed to be the brains behind the iOS malware campaign known as Yispecter, which I reported on back in October 2015. The group is highly organized and unbelievably works in tandem with a legitimate Chinese advertising analytics company.

Understanding Hummingbad

The malware consists of a persistent rootkit, which the hackers install on Android devices. The group then uses that rootkit to generate fraudulent ad revenue and install additional fraudulent apps. Yingmob has 25 employees organized into four different groups who are responsible for developing HummingBad’s malicious components, according to Check Point researchers.

Yingmob’s efforts have paid off. The group has been able to achieve self-sufficiency, proving that hacking groups can now generate enough income from their illegal activities to sustain themselves indefinitely. But financial gain is only the tip of the iceberg, according to the researchers.

The hackers try to root thousands of devices every day, and succeed in getting their malware installed on devices hundreds of times each day. Yingmob can then use those devices to create a botnet, enabling the group to launch more targeted attacks against businesses and government agencies, or even sell the access it has gained on the black market.

Avoiding Hummingbad & Other Nasty Infections

Mobile devices today are becoming more and more susceptible to malware and other security exploits. As mobile devices continue to become, for many, their primary way of communicating with the world, these devices are also going to gain in popularity as targets for cybercrime. The best way to avoid these very real security problems is to only install apps on your mobile devices from the official app store and to take a few minutes to read the reviews. If there are no reviews or bad reviews, simply move on to another app.

Also, just like on your PC, do not visit questionable websites and do not – never ever – click on hyperlinks or attachments in your email unless you are 100% certain that it is legitimate.


Avoiding Email Scams with 10 Easy Tips

Recently I have been asked about a couple of suspicious email messages, which were both of course not legitimate messages but scams in which the sender, a truly bad guy was “phishing” in order to steal money from the receiver.

Every day countless phishing emails are sent to unsuspecting victims all over the world. While some of these messages are so outlandish that they are obvious frauds, others can be a bit more convincing. So how do you tell the difference between a phishing message and a legitimate message? Unfortunately, there is no one single technique that works in every situation, but there are a number of things that you can look for.

This article lists 10 of them.

1: The message contains a mismatched URL

One of the first things I recommend checking in a suspicious email message is the integrity of any embedded URLs (or website addresses). Often the URL in a phishing message will appear to be perfectly valid. However, if you hover your mouse over the top of the URL, you should see the actual hyperlinked address (at least in Outlook). If the hyperlinked address is different from the address that is displayed, the message is more than likely fraudulent or malicious.

2: URLs contain a misleading domain name

People who launch phishing scams often depend on their victims not knowing how the DNS naming structure for domains works. The last part of a domain name is the telling part. For example, the domain name info.brienposey.com would be a child domain of brienposey.com because brienposey.com appears at the end of the full domain name (on the right-hand side). Conversely, brienposey.com.maliciousdomain.com would clearly not have originated from brienposey.com because the reference to brienposey.com is on the left side of the domain name.

I have seen this trick used countless times by phishing artists as a way of trying to convince victims that a message came from a company like Microsoft or Apple. The phishing artist simply creates a child domain bearing the name Microsoft, Apple, or whatever. The resulting domain name looks something like this: Microsoft.maliciousdomainname.com.

I have found that sadly this often works because most people trust companies like “Microsoft” and “Apple” so when long standing names like this are used people often let their guard down. The lesson here is to never let your guard down when it comes to email messages.
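Tips 1 and 2 can be checked mechanically. The Python below is an added example written for this post (not the author's own code): it pulls every link out of an HTML email body, compares the address shown to the reader against the real hyperlink target (tip 1), and checks whether a trusted brand name appears to the left of some other domain rather than as the rightmost part (tip 2). The trusted-domain list and the sample email body are constructed for the example.

```python
"""Heuristic checks for the mismatched-URL and misleading-domain signs (tips 1 and 2)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands a phisher might imitate and the real registrable domain for each (assumed list).
TRUSTED_DOMAINS = ("brienposey.com", "microsoft.com", "apple.com")


def hostname_of(text):
    """Hostname of a URL or bare host string, lower-cased, without a trailing dot."""
    url = text.strip() if "://" in text else "http://" + text.strip()
    return (urlparse(url).hostname or "").lower().rstrip(".")


def belongs_to(host, domain):
    """True only if host is domain itself or a child of it (suffix match on a label boundary)."""
    return host == domain or host.endswith("." + domain)


def looks_like_url(text):
    text = text.strip()
    return bool(text) and " " not in text and "." in text


def classify_link(display_text, href):
    """Return a list of reasons the link looks suspicious (empty list = no finding)."""
    reasons = []
    actual = hostname_of(href)
    # Tip 1: the displayed address and the real hyperlink target disagree.
    if looks_like_url(display_text):
        shown = hostname_of(display_text)
        if shown and shown != actual and not belongs_to(actual, shown):
            reasons.append(f"display shows {shown} but link goes to {actual}")
    # Tip 2: a trusted brand appears as a label on the LEFT of a different domain.
    labels = actual.split(".")
    for domain in TRUSTED_DOMAINS:
        brand = domain.split(".")[0]
        if brand in labels and not belongs_to(actual, domain):
            reasons.append(f"'{brand}' appears in {actual}, which is not under {domain}")
            break
    return reasons


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def scan_email_html(html):
    """Return [(display_text, href, reasons)] for every link in an HTML email body."""
    parser = _LinkCollector()
    parser.feed(html)
    return [(text, href, classify_link(text, href)) for text, href in parser.links]


# Constructed sample body mixing one legitimate link with two phishing patterns.
SAMPLE_EMAIL = """<p>Your account needs attention.</p>
<a href="http://microsoft.maliciousdomainname.com/verify">https://account.microsoft.com/verify</a>
<a href="https://info.brienposey.com/news">info.brienposey.com/news</a>
<a href="http://brienposey.com.maliciousdomain.com/">Click here</a>"""

if __name__ == "__main__":
    for text, href, reasons in scan_email_html(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {'; '.join(reasons) or 'ok'}")
```

The checks are heuristics: a link can pass both and still be malicious, so they complement, rather than replace, the remaining tips.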

3: The message contains poor spelling and grammar

Whenever a large company sends out a message on behalf of the company as a whole, the message is usually reviewed for spelling, grammar, and legality, among other things. So if a message is filled with poor grammar or spelling mistakes, it probably did not come from a major corporation’s legal department.

4: The message asks for personal information

No matter how official an email message might look, it’s always a bad sign if the message asks for personal information. Your bank does not need you to send it your account number. It already knows what that is. Similarly, a reputable company should never send an email asking for your password, credit card number, or the answer to a security question.

5: The offer seems too good to be true

There is an old saying that if something seems too good to be true, it probably is. That holds especially true for email messages. If you receive a message from someone unknown to you who is making big promises, the message is probably a scam.

6: You didn’t initiate the action

Just yesterday I received an email message informing me I had won the lottery! The only problem is that I have never-ever bought a lottery ticket. If you get a message informing you that you have won a contest you did not enter, you can bet that the message is a scam.

7: You’re asked to send money to cover expenses

One telltale sign of a phishing email is that you will eventually be asked for money. You might not get hit up for cash in the initial message. But sooner or later, phishing artists will likely ask for money to cover expenses, taxes, fees, or something similar. If that happens, you can bet that it’s a scam.

8: The message makes unrealistic threats

Although most of the phishing scams try to trick people into giving up cash or sensitive information by promising instant riches, some phishing artists use intimidation to scare victims into giving up information. If a message makes unrealistic threats, it’s probably a scam. Let me give you an example.

Just recently a workmate received an official-looking email that was allegedly from a co-worker. The email went on to ask for our "account number" and "routing number". Although it appeared to be an email from one staffer to another, the email originated from a hidden domain and, as I mentioned in Tip #3, the spelling and grammar were poor.

Also – As I mentioned in Tip #4 – legitimate companies will not ask for sensitive information by email and you – of course should never-ever send this type of information via email.

9: The message appears to be from a government agency

Phishing artists who want to use intimidation don’t always pose as a bank. Sometimes they will send messages claiming to have come from a law enforcement agency like the IRS, the FBI, or just about any other entity that might scare the average law-abiding citizen.

I can’t tell you how government agencies work outside the United States. But here, government agencies do not normally use email as an initial point of contact. That isn’t to say that law enforcement and other government agencies don’t use email. However, law enforcement agencies follow certain protocols. They do not engage in email-based extortion.

10: Something just doesn’t look right

In Las Vegas, casino security teams are taught to look for anything that JDLR (just doesn't look right), as they call it. The idea is that if something looks off, there's probably a good reason why. This same principle also applies to email messages. If you receive a message that seems suspicious, it is usually in your best interest to avoid acting on the message.


MAC’s First Malware Threat Exposed

I have been suggesting this for years. There is no magic Apple potion that prevents security scourges such as viruses, Trojan horses and malware from infecting MAC operating systems. Their secret to avoiding these security issues was not in code but in market share. Windows has struggled with these security issues because its 98% market share was so enticing to cyber-criminals.

Well now it seems that MAC users need to be on alert for security threats just like Windows users.

This is because the first-ever fully functional ransomware that targets Apple’s Mac OS X operating system, dubbed “KeRanger” has recently been identified.

As its name suggests, ransomware is malicious software that holds computing assets ransom. The software blocks users from accessing computer systems until a ransom is paid, typically in digital currency, such as bitcoins, which is hard to trace.

KeRanger was first observed in two installers of the Transmission BitTorrent client, just hours after the installers were first posted. The ransomware still appears to be under active development and may change its behavior in the future, according to the researchers.

Ransomware Still Under Development

Once a user installs the infected apps, an embedded executable file is launched on the individual’s system, according to Palo Alto Networks. The ransomware then waits three days before connecting with command and control servers over the Tor network. It then begins encrypting certain types of document and data files on the user’s system. After completing the encryption process, KeRanger demands the victim pay one bitcoin (about $400) to a specific address to retrieve the files.

Apparently KeRanger is still under development due to the existence of several functions within the malicious app’s code that seem to have been finished, but are not being used in the current version of the malware.

First Active Mac Ransomware

Apple said it has since revoked the abused certificate, and Gatekeeper will now block the malicious installers. Apple has also updated its XProtect signatures to cover the family, and the signature has been automatically updated to all Mac computers. The Transmission Project removed the malicious installers from its Web site as of March 5.

Nevertheless, that still leaves plenty of users who may have inadvertently downloaded the infected files over the weekend. Palo Alto Networks is providing a list of security checks at its Web site for users to employ to ensure their systems are safe.

Although the threat seems to have been uncovered and countered relatively quickly, the appearance of ransomware targeting the Mac platform could be considered a frightening new development. KeRanger is not the first piece of OS X ransomware to be discovered — that was FileCoder, discovered by Kaspersky Lab in 2014. However, FileCoder was incomplete at the time of its discovery, making KeRanger the first fully functioning piece of ransomware to attack Macs.

