Hacked in Translation – from Subtitles to Complete Takeover

Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io. We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerabilities reported in recent years. What is it? Perpetrators use various ...

Email from PayPal? Don’t Get Attached!

Introduction Phishing scams are fraudulent email messages that appear to come from legitimate enterprises such as your university, your Internet service provider, or your bank. These messages usually direct you to a spoofed website, carry a malicious attachment, or otherwise get you to divulge private information. The perpetrators then use this information to commit identity theft. Why is PayPal fraud so special? According to “OpenPhish”, a zero-day phishing site feed, PayPal is one of the top 10 targeted brands (https://openphish.com/phishing_activity.html). PayPal is very popular and holds sensitive user information, which makes it very attractive for phishing ...
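The three traits the summary lists (a sender that only appears to be the brand, a link to a spoofed site, a malicious attachment) can be turned into simple mail-triage heuristics. The following is an added example, not code from the original post: it assumes that `paypal.com` is the only domain the brand mails from, uses a deliberately naive "last two labels" notion of registrable domain, and runs on two sample messages constructed inline rather than captured mail.

```python
# Added example (not code from the original post): heuristics for the three
# phishing traits named in the summary, applied to constructed sample e-mails.
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "paypal"
# Assumption for this example: the only domain the brand sends mail from.
BRAND_DOMAINS = frozenset({"paypal.com"})
# Attachment types commonly used to carry a local login form or a dropper.
RISKY_EXTENSIONS = frozenset({"html", "htm", "exe", "js", "scr", "zip", "docm"})
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Last two DNS labels; a simplification that ignores public-suffix rules such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(msg: EmailMessage, brand: str = BRAND,
            brand_domains: frozenset = BRAND_DOMAINS) -> list:
    """Return human-readable indicators; an empty list means nothing suspicious was found."""
    reasons = []

    # 1. Sender spoofing: the display name or address mentions the brand, but the
    #    mailing domain does not belong to it.
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = registrable_domain(address.rpartition("@")[2]) if "@" in address else "(none)"
    if brand in (display_name + address).lower() and sender_domain not in brand_domains:
        reasons.append(f"sender presents as {brand} but mails from {sender_domain!r}")

    # 2. Spoofed website: links whose host name contains the brand but is registered
    #    elsewhere, or links that point at a bare IP address.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if IPV4_RE.fullmatch(host):
            reasons.append(f"link to raw IP address {host}")
        elif brand in host.lower() and registrable_domain(host) not in brand_domains:
            reasons.append(f"look-alike link host {host!r} (registered as {registrable_domain(host)!r})")

    # 3. Malicious attachment: file types that execute, or render a login form locally.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.rsplit(".", 1)[-1] in RISKY_EXTENSIONS:
            reasons.append(f"attachment {filename!r} has a risky file type")
    return reasons


def build_message(from_header: str, body: str, attachment_name: str = None) -> EmailMessage:
    """Build a constructed sample e-mail (not a captured real message)."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "customer@example.org"
    msg["Subject"] = "Your account needs attention"
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment("<html><form>fake login form</form></html>",
                           subtype="html", filename=attachment_name)
    return msg


# Constructed samples: one phish showing all three traits, one benign message.
PHISH = build_message(
    "PayPal Service <billing@secure-update.example>",
    "Please verify your account at http://paypal.com.secure-update.example/login\n"
    "or open the attached invoice within 24 hours.",
    attachment_name="invoice.html")

LEGIT = build_message(
    "PayPal <service@paypal.com>",
    "You can review your recent activity at https://www.paypal.com/myaccount\n")

if __name__ == "__main__":
    for label, message in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(message) or ["no indicators"])
```

The look-alike check is the one that matters most in practice: `paypal.com.secure-update.example` passes a casual glance because the brand appears first, but its registrable domain is the attacker's. A production filter would replace `registrable_domain` with a public-suffix-list lookup and the single-domain allow-list with the brand's published SPF/DKIM domains.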

Check Point Threat Alert: CryptXXX Ransomware

CryptXXX ransomware has been observed in the wild since March 2016, delivered via the Angler Exploit Kit and spread through the Bedep trojan. The ransomware demands a $500 ransom to recover the encrypted files on a machine, and offers the victim the possibility to decrypt one file for free. If the victim does not pay the ransom within a few days, the demand is doubled. It appears that the new ransomware is operated by the same threat actors behind the Reveton ransomware, and due to similarities in the infection vector and in the code, it is suspected that there is a connection between these actors and the operators of the Angler exploit kit. On April 26, Kaspersky ...

Check Point Threat Alert: SamSam and Maktub Ransomware Evolution

Executive Summary New and evolving ransomware campaigns, dubbed ‘SamSam’ and ‘Maktub’, use techniques not commonly observed in previously known ransomware. SamSam spreads by targeting and infecting servers that contain unpatched vulnerabilities. Maktub and SamSam do not communicate with a C&C server to encrypt files on an infected computer. SamSam’s primary target is the healthcare industry. Description SamSam ransomware has an unusual infection method. Instead of spreading by spam/phishing emails, it scans for vulnerable servers with unpatched software. Unlike other ransomware campaigns, there is no need for any user action such as clicking on a certain link ...

Threat Alert – KeRanger MAC OSX Ransomware

Overview A new ransomware dubbed ‘KeRanger’ was discovered on March 4, 2016. The malware is distributed via the Transmission BitTorrent installer version 2.90 for OS X. Unlike most ransomware, the targeted operating system is Mac OS X, which makes KeRanger the first active ransomware to target this operating system. The compromised Transmission installer includes an executable disguised as an .rtf file. When the application is launched, the malware is copied to a file in the user Library folder. The process runs silently on the machine for three days, after which the malware begins encrypting files. KeRanger encrypts not only all files in the /Users folder, but also files ...
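An executable hidden behind a document extension is something a responder can check for directly, because the first four bytes of a Mach-O file are fixed. The script below is an added example, not code from the original alert: it scans a directory tree for files with document-style extensions whose header is a Mach-O or universal-binary magic, and builds a throwaway sample bundle with constructed, illustrative file names (they are not the real KeRanger names) so it runs offline.

```python
# Added example (not code from the original alert): flag files whose document
# extension hides a Mach-O or universal-binary header. The sample bundle is
# constructed here with illustrative names, not the actual KeRanger artifacts.
import tempfile
from pathlib import Path

# First four bytes of each Mach-O variant as they appear on disk.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit, big-endian",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit, little-endian",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit, big-endian",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit, little-endian",
    # Also the Java class-file magic; a real fat header follows it with the
    # architecture count, which a stricter check would validate.
    b"\xca\xfe\xba\xbe": "universal (fat) binary",
}
# Extensions under which an executable has no business appearing.
DOCUMENT_EXTENSIONS = {".rtf", ".txt", ".pdf", ".doc", ".docx", ".jpg", ".png"}


def classify_header(head: bytes):
    """Name the Mach-O variant for a file header, or None if it is not Mach-O."""
    return MACHO_MAGICS.get(bytes(head[:4]))


def find_disguised_executables(root) -> list:
    """Return (relative path, variant) for every document-named file with a Mach-O header."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in DOCUMENT_EXTENSIONS:
            continue
        with path.open("rb") as fh:
            kind = classify_header(fh.read(4))
        if kind:
            hits.append((path.relative_to(root).as_posix(), kind))
    return sorted(hits)


def build_sample_bundle() -> str:
    """Create a constructed app bundle: one disguised binary, one real .rtf, one image."""
    root = Path(tempfile.mkdtemp(prefix="rtf_demo_"))
    resources = root / "Sample.app" / "Contents" / "Resources"
    resources.mkdir(parents=True)
    # x86-64 Mach-O header followed by padding; the name and content are constructed.
    (resources / "ReadMe.rtf").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 60)
    (resources / "Credits.rtf").write_bytes(b"{\\rtf1\\ansi Genuine rich text}")
    (resources / "Icon.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    return str(root)


if __name__ == "__main__":
    for rel_path, kind in find_disguised_executables(build_sample_bundle()):
        print(f"{rel_path}: {kind}")
```

Because the alert says the payload stays dormant for three days, a header check like this is useful precisely in that window: it finds the disguised executable in the installer or bundle before any encryption activity exists to detect.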

Check Point Threat Alert: Exploit Kits

An exploit kit is a malicious toolkit whose purpose is to identify vulnerabilities in client machines. These vulnerabilities are then exploited in order to upload and execute malicious code on the client. Exploit kits also provide a user interface for an attacker to gain information on success rates and other statistics, as well as to control the client’s settings. According to Check Point’s analysis and reports, there was a notable spike in exploit kit usage as of January 14th 2016. Description Exploit kits are a type of malicious toolkit used to exploit security holes in software applications and spread malware. These kits come with pre-written exploit code and target users ...

Something is Cooking in Brazil

Looking at the global cyber landscape, we can see many campaigns and persistent threats occurring at different locations around the world. One example that has not drawn much attention is Brazil’s nationwide fraud campaigns. These come in different forms, beginning with simple phishing scams whose aim is to intercept and harvest credentials from unsuspecting users. As Brazil is the fifth largest country in the world, it may come as no surprise that these attacks are widespread and have occurred very often in the past several years. We had the opportunity to observe a live demonstration of one such campaign, currently taking place, which points to large-scale activity. On October ...

Check Point Threat Alert: Cryptowall 4

Executive Summary Ransomware is a type of malware that restricts access to an infected computer system and demands a ransom payment to remove the restriction. Some ransomware encrypts the files on the system’s hard drive, while other variants simply lock the system and display threatening messages to force the user to pay. Cryptowall is a ransomware Trojan which targets Windows. It first appeared in early 2014. The latest version, Cryptowall 4.0, appeared in November 2015 and is considered a very prevalent ransomware. Description Cryptowall 4.0 is the fourth version of the popular ransomware. It recently emerged with improved encryption tactics and better ...

Check Point Threat Alert: BlackEnergy Trojan

Executive Summary BlackEnergy malware has been around since 2007, first appearing as a simple DDoS tool. In 2014, it made a comeback as a highly sophisticated and customized malware, featuring support for proxy servers and a wide range of system operations. Observed targets in 2014 are mostly Ukrainian governmental institutes but also include those from multiple other countries, including Poland and Germany. The use of the malware in the attacks against Georgia during the 2008 Russo-Georgian confrontation, together with the current political situation between Russia and Ukraine, leads researchers to believe that the ‘Quedagh’ group is the APT behind the malware. On Wednesday, December 23, ...

Check Point Threat Alert: Outlook OLE Vulnerability

Object Linking and Embedding (OLE), developed by Microsoft, allows users to embed and link to documents and other objects. However, a remote code execution vulnerability was found in Microsoft Office that allows remote attackers to execute arbitrary code via a crafted email message processed by Outlook. Microsoft Outlook has a sandbox bypass vulnerability which allows an attacker to bypass Outlook’s security layers and exploit Office’s OLE capabilities. A remote attacker can send a victim an e-mail containing a specially crafted attachment. This attachment may embed an OLE object that leverages a second vulnerability in other registered OLE software. The vulnerability was found by ...