
Silobreaker Daily Cyber Digest – 15 April 2016

RIP Quicktime (for Windows)

TrendMicro has discovered two critical vulnerabilities in Quicktime [1] for Windows. US-CERT has issued an alert [2], noting that the only effective mitigation is to uninstall Quicktime, given that Apple has started deprecating the software and will no longer provide bug fixes.

It's curious that neither Apple nor Microsoft have been more open about Quicktime's demise. The software is certainly ancient, but where would the harm have been?

Blackhole Exploit Kit operators jailed

A group of hackers, including the author of the infamous Blackhole Exploit Kit, were recently sentenced in Russia. Dmitry Fedotov [3], AKA "Paunch", was arrested in 2013 and sentenced to 7 years in prison on the 12th of April. He worked with a team of hackers to monetise Blackhole on a subscription basis, with fees averaging between $500 and $700 per month. The exploit kit is integrated into a malicious website and acts as an automated delivery system for malware by detecting and exploiting a variety of web and browser-based vulnerabilities. It's estimated that Fedotov was making as much as $50,000 per month selling Blackhole, in addition to optional extras such as malware obfuscation tools. Krebs [4] has argued that the $2.3 million reportedly stolen by Fedotov and his associates is not a useful barometer of the damage done by Blackhole; the exploit kit has been used by several other groups, including botnet operators, to distribute malware such as Zeus and Citadel.

GozNym Trojan [5]

Researchers at IBM X-Force have identified a highly sophisticated new trojan targeting major financial and retail institutions in the US and Canada. GozNym is a hybrid of the Nymaim ransomware and the Gozi banking trojan, and has been labelled a 'double-headed beast' by the researchers who discovered it.

The GozNym Trojan functions with the two original source codes operating in tandem, and relies on the two codebases cooperating successfully for the malware's operations to be carried out. The original Gozi trojan had its source code leaked online in 2010 and 2015, whilst Nymaim's original code is known only to its authors. It can therefore be assumed that the Nymaim team obtained the leaked Gozi ISFB code and incorporated it into their own malware, probably in order to improve their capacity to attack financial institutions, which was the original Gozi's specialty.

GozNym has only been identified in the past two weeks, and is thought to have begun operating only in April. Despite being so new on the market, it is known to have attacked at least 24 US and Canadian banks and successfully stolen millions of dollars. GozNym is currently being delivered primarily via email messages, with so-called 'poisoned macros' in a malware-infected attachment. This grants the attackers the ability to manipulate the victim's browser, steal credentials and transfer money out of their accounts. The successful hybridisation of two sophisticated and successful malware families presents a major threat to financial institutions, large retailers and credit unions.

Limor Kessem, a researcher who helped uncover the Trojan, explains: "GozNym is as stealthy and persistent as the Nymaim loader, while possessing the Gozi ISFB Trojan's ability to manipulate Web sessions, resulting in advanced online banking fraud attacks."

A more in-depth technical study of the Trojan is available here [6].

The Silobreaker Team

[1] https://my.silobreaker.com/view360old.aspx?item=11_485812
[2] https://www.us-cert.gov/ncas/alerts/TA16-105A
[3] https://my.silobreaker.com/view360old.aspx?item=11_348614338
[4] http://krebsonsecurity.com/2016/04/blackhole-exploit-kit-author-gets-8-years/
[5] https://my.silobreaker.com/view360old.aspx?item=11_996123449
[6] https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/
