Trojans go after MS Office vulnerabilities and China hacks US hardware
Infected MS Office files abound, and a tiny Chinese chip is at the center of a massive new conspiracy.
Danabot opens a US account
After making its presence felt in Australia and in European banks, Danabot, a modular Trojan horse, has made its way to the States. Written in Delphi, the perpetual-beta modular malware can take screenshots, log keystrokes and steal form data from infected computers.
The Trojan starts out by pretending to be a digital fax from eFax. Upon clicking the download button, the user will receive a malicious Word document with instructions to “Enable Content” within it. Doing so will start downloading the malware. Actors are also known to use web-injects, the Fallout Exploit Kit and malspam campaigns to trick users into installing the Trojan.
Various campaigns from 9 different actors have been discovered so far, leading experts to believe the Trojan may be marketed as an affiliate system with a profit-sharing MO. The latest campaign seems to be targeting Wells Fargo, Bank of America, TD Bank, Royal Bank and JP Morgan Chase.
“A Banking Trojan is one of the oldest forms of cybercrime, and it remains one of the most popular,” explains Avast Security Evangelist Luis Corrons. “Ninety-nine point nine percent of the time, the motivation for the crime is plain and simple – money. And being able to steal credentials to siphon victims’ bank accounts makes this a very profitable business.”
Betabot goes after 18-year-old MS Office vulnerability
More bad news for MS Office users, as another piece of malware has been seen using infected .doc files to get past security measures. Betabot is certainly moving up in the (criminal) world. The malware started its career as a password stealer but quickly learnt how to distribute ransomware, among other malicious tools, too.
In its latest version, Betabot uses a sophisticated multi-stage approach and is packed with features to avoid detection. Leveraging an 18-year-old zero-day security vulnerability in MS Office’s Equation Editor, Betabot uses an RTF file with an OLE object to execute commands on a user’s machine. The malware is spread via phishing and social engineering campaigns that convince users to download infected Word documents.
Researchers discovered that the creators have designed the latest Betabot to operate in a “paranoid mode”, where it automatically shuts down if it detects security products or finds that it is running in a sandbox environment. It should be noted that Avast antivirus products protect you against Betabot malware.
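As an added example that is not part of the article or of Avast's own tooling, the script below triages an RTF for the delivery vehicle described above: an embedded OLE object that names Equation Editor, either openly in its class name or only inside the hex-encoded object data. The RTF fragments and the OLE header bytes are constructed stand-ins, not real samples.

```python
import re

# Constructed sample fragments (not real malware). BENIGN_RTF has no embedded
# object; SUSPECT_RTF embeds an OLE object that openly names Equation Editor;
# DISGUISED_RTF swaps the class name but the hex payload still reveals it.
BENIGN_RTF = rb"{\rtf1\ansi Quarterly report attached.\par}"

# Rough stand-in for an OLE1 object header (ANSI class name) followed by a
# compound-file stream name (UTF-16LE); not a faithful OLE structure.
_FAKE_OLE = (b"\x01\x05\x00\x00\x02\x00\x00\x00\x0b\x00\x00\x00Equation.3\x00"
             + b"\x00" * 16 + "Equation Native".encode("utf-16-le"))

def _objdata_hex(payload: bytes) -> bytes:
    """Hex-encode a payload the way \\objdata carries it, wrapped across lines."""
    h = payload.hex().encode()
    return b"\r\n".join(h[i:i + 64] for i in range(0, len(h), 64))

SUSPECT_RTF = (rb"{\rtf1\ansi{\object\objemb{\*\objclass Equation.3}{\*\objdata "
               + _objdata_hex(_FAKE_OLE) + rb"}}\par}")
DISGUISED_RTF = SUSPECT_RTF.replace(rb"\objclass Equation.3", rb"\objclass Word.Document.8")

OBJCLASS_RE = re.compile(rb"\\\*\\objclass\s+([^{}\\]+)", re.IGNORECASE)
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9a-fA-F\s]+)", re.IGNORECASE)

def rtf_equation_indicators(rtf: bytes) -> dict:
    """Flag an RTF whose embedded OLE object names Equation Editor.
    Any True indicator means the file deserves a closer look (for example with
    oletools' rtfobj); it is a triage signal, not a verdict."""
    ind = {"has_object": b"\\object" in rtf.lower(),
           "objclass_equation": False, "objdata_equation": False}
    for m in OBJCLASS_RE.finditer(rtf):
        if b"equation" in m.group(1).lower():
            ind["objclass_equation"] = True
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))  # hex may be wrapped/indented
        try:
            blob = bytes.fromhex(hexstr.decode())
        except ValueError:
            continue  # odd length or junk; malformed objdata is common in lures
        if b"Equation.3" in blob or "Equation Native".encode("utf-16-le") in blob:
            ind["objdata_equation"] = True
    ind["suspicious"] = ind["objclass_equation"] or ind["objdata_equation"]
    return ind

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_RTF), ("suspect", SUSPECT_RTF),
                         ("disguised", DISGUISED_RTF)]:
        print(name, rtf_equation_indicators(sample))
```

The disguised sample shows why decoding the object data matters: a lure can carry an innocuous class name while the embedded payload still targets Equation Editor.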
China uses tiny chip to hack major American companies
In what seems like a plot straight out of a thriller novel, an investigation by major American companies has discovered a small chip in servers that could be part of a massive spy operation run by the Chinese government. No bigger than a grain of rice, the chip creates stealthy backdoors that allow threat actors to listen to network activity involving the infected server. Systems belonging to Apple, Amazon, a major bank and several US government contractors appear to be the targets.
At the heart of this debacle is Supermicro, one of the largest suppliers of servers, workstations, storage and graphics units worldwide. A routine investigation by Amazon while evaluating Elemental Technologies, which owns advanced compression technologies, revealed a troubling pattern. As part of their core products, customers of Elemental Technologies have to install advanced servers supplied by Supermicro Inc. Investigators discovered a small chip on the server’s mainboard that was not part of its original design. It is believed the chips were installed by manufacturing subcontractors in China.
The discovery has understandably sent a shockwave throughout the US business and intelligence communities. Hardware hacking is more sophisticated than its software counterpart as it requires a thorough understanding of the systems being infiltrated. As China makes 90% of the world’s computer hardware, Chinese companies will certainly have the expertise required to pull off such an elaborate hack. The investigation is currently ongoing.