Flame Malware – I’m Back


Stuxnet, Flame Malware Making a Comeback

Cristal M Clark

Flame malware, also known as Flamer, sKyWIper, and Skywiper, is modular computer malware that attacked computers running the Microsoft Windows operating system. The program was used for targeted cyber espionage in Middle Eastern countries. Researchers once referred to it as a sophisticated little gem of malware, built as a nation-state spy tool; once outed by Kaspersky Labs, it was quickly and quietly shuttered and forgotten about, until now.


It is believed to have been created by Israel. Flame was the first modular spy platform discovered in the wild; it came with multiple plug-ins that could be swapped out according to whatever tools were needed for each victim.

It had a lot of capability that was unique at the time it was discovered, and it also used a highly sophisticated technique for spreading.

The attackers tricked Microsoft into issuing them a legitimate Microsoft certificate, which they then used to sign their malicious files. Then they subverted the trusted Windows Update mechanism, through which Microsoft distributes patches and software upgrades to customers, to deliver those malicious files to targeted victims instead, doing so in a way that made it look like they came from Microsoft’s server.

The attackers also managed a fleet of 80 command-and-control domains to communicate with infected machines. Then they faked Flame’s death back in May 2012, pushing out a kill module to infected machines and closing shop on the command-and-control servers.

Most researchers thought that the creators, in a panic, just shut things down, not realizing that it may never have been truly shut down, just, ehhh, more or less running in the background, unbeknownst to virtually everyone in the security world.

The original Flame attacked systems in Iran as well as other parts of the Middle East. It would do things such as turn on the internal microphone of an infected machine to record conversations the user conducted near the computer or over Skype, or, using the infected computer’s Bluetooth functionality, scan for other Bluetooth-enabled devices in the vicinity, such as a mobile phone, and siphon the contacts folder from it.

Great little piece of spyware honestly.

According to researchers at Alphabet’s Chronicle Security labs, the attackers appear to have re-tooled their little spy kit and added strong encryption to make it harder to detect and reverse engineer. Chronicle discovered that a new version of Flame appeared in 2014 (the original was back in 2012) and likely remained active until 2016 and beyond, giving them just enough time to steal and deploy whatever they would like.

Juan-Andres Guerrero-Saade, one of the Chronicle security researchers who made the discovery: “Nobody ever expected to see Flame again. We figured it was too old and expensive for the attackers to waste time retooling rather than just build a whole new platform.”


Juan-Andres did not just stop there either; he went on to explain that he and his team also found evidence that Stuxnet (you know, the virus/worm created by the US and Israel to sabotage Iran’s nuclear program in 2007, which ended up infecting virtually every PC in the US as well as globally) has connections to another malware family known as Flowershop.

Oh, Flowershop. Flowershop was operating as early as 2002, several years before Stuxnet was developed, and it appears that some of Flowershop’s code made it into a Stuxnet component. If true, this means that a fourth team or group of individuals was part of America’s first cyberwar campaign, the development of Stuxnet. What’s more, researchers have in fact previously found connections between Stuxnet and Flame, and between Stuxnet and two other malware families known as Duqu and the Equation Group, the latter a group of tools attributed to the NSA.

The new discovery has baffled researchers, who still do not have a full understanding of the full capabilities of Stuxnet and Flame, so it’s anyone’s guess as to what the creators of Flame might be up to these days. One thing is for certain: they do not plan on stopping anytime soon.

Cristal M Clark

IOS users can find The Crime Shop on Apple News

@thecrimeshop on twitter

https://www.instagram.com/crimeshop.cc/?hl=en

And https://gab.ai/thecrimeshop


Tax Season Headaches and Malware Campaigns


Cybercriminals Aim to Spoof Accounting & Payroll Firms This Tax Season

Cristal M Clark

This should not come as a total surprise to anyone: cybercriminals are aiming high this tax season by going after some pretty major accounting and payroll firms, along with your hard-earned cash or tax return.


The deadline for filing taxes in the US is April 15, but as luck would have it, tax season just so happens to start for some well before that and run well beyond that despised date here in the US. Many businesses actually prepare employee tax information, i.e. 1099s and W-2s, back in January of each year, which in turn gives cybercriminals a wee jump start on launching campaigns in the hopes of robbing individuals and businesses through their tax fraud, financial fraud and identity theft schemes.

Not all that uncommon a practice for cybercriminals; this year they just decided to go after accounting and payroll firms, thus branching out from businesses and individual taxpayers. IBM X-Force researchers found 3 campaigns attempting to deceive recipients into believing they were emailed by large accounting, tax and/or payroll services firms. The emails carried malicious Microsoft Excel attachments with a payload familiar to us as one of the most common and effective banking Trojans: TrickBot.


TrickBot, for those who are unfamiliar, is financial malware that silently infects devices for the primary purpose of stealing valuable data such as banking credentials, then follows up with wire fraud from the device owner’s account. Should your computer become infected with TrickBot, the cybercriminals operating it would then have complete control and could do virtually anything they wish on your device, including spreading to other computers on your network and emptying your company’s bank accounts, potentially costing millions of dollars to an employer and to any firms that they are working with.


Cybercriminals are becoming more and more brazen in their efforts to rob just about anyone and everyone that they can, and legally, catching them is more difficult as each year passes because these guys learn from the mistakes of others and oftentimes step up efforts to mask who they are and where they are operating from.

From an end user perspective, it’s often difficult to tell what’s real and what is not in terms of what emails are coming through. I usually advise everyone not to click on things from anyone you do not know, and even if what might be sitting in your email appears to be from a known sender, if they do not email you or send links, invoices, etc., don’t click on it and report the suspicious email to the known sender’s company. Keep your security software up to date, report anything suspicious, ask questions, look it up online; the point is, educate yourself.

Gone are the days that we can rely on the news or the government to keep us informed about every malware campaign coming at us simply because of the sheer volume of them.

Stay vigilant my friends.

Cristal M Clark


Google Play Store Takes Users on Yet Another Misadventure


New Adware Ready to Infect Your Android Devices

Cristal M Clark

Well, it’s not like we didn’t expect this, right? Researchers have found a plethora of new adware ready and waiting to infect your Android device, and it’s all available at the Google Play Store.


Yesterday, Israeli security firm Check Point said applications known to contain this particular adware strain, known as “SimBad”, had been downloaded almost 150 million times, mostly by gamers. The adware can be found in over 200 applications, by the way, which Google finally got rid of after users had installed them all over the world.


According to Check Point: “We believe the developers were scammed to use this malicious SDK, unaware of its content, leading to the fact that this campaign was not targeting a specific country or developed by the same developer. The malware has been dubbed ‘SimBad’ due to the fact that a large portion of the infected applications are simulator games.”

Check Point said the adware resides inside a pretty widely used advertising software development kit (SDK) provided by ‘addroider[.]com’. Once it is installed, SimBad receives instructions from a command and control server, such as an order to make its icon disappear in an effort to make the app harder to remove (an old one, but a good one). Then it begins to display background ads and can open any URL in the phone’s or device’s browser, which is a joy for end users, I am sure.

“With the capability to open a given URL in a browser, the actor behind ‘SimBad’ can generate phishing pages for multiple platforms and open them in a browser, thus performing spear-phishing attacks on the user, the actor can even take his malicious activities to the next level by installing a remote application from a designated server, thus allowing him to install new malware once it is required.”


And worse yet, the researchers said that while SimBad appears geared toward serving ads for now, it has the infrastructure to evolve into “a much larger threat.”

Of course it does, I mean why wouldn’t it?

Check Point was kind enough to put together a complete list of infected applications: https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/

Google, by the way, does have some pretty robust scanners in order to weed out and get rid of malware; however, what’s been happening of late is that the apps the malware infects are downloaded by users so fast that Google’s scanners simply cannot detect the problems fast enough to eradicate it before users have already installed the affected application.

Case in point: a couple of months ago Google’s detection systems were neatly bypassed by a batch of 85 apps, and by the time Google was able to delete them, the malware had infected around 9 million users.

In the days leading up to that, users in 196 countries had been infected by several apps that were capable of accessing contact lists and SMS messages and recording audio. Many are wondering if Google simply can’t keep up or if they loosened the rules and became careless with new apps and developers.

End users are beginning to become very concerned over privacy, leaks, and malware that eventually steals sensitive user data.

Google is one of the top tech companies in the world, but continue to allow for mishaps like this to happen and someone will eventually come along and knock them promptly off of that very throne.

Cristal M Clark


NSA – To Finally Help Improve Security?


Releasing Free Tool for Reverse Engineering Malware

By: Cristal M Clark

The NSA generally undermines security rather than doing anything useful to help.


Now the NSA is taking a stand against malware in a pretty significant way, it would seem: they are going to release a helpful tool for free, in an effort to help, for a change.

On March 5th, the agency plans to release a free reverse engineering tool, GHIDRA. The software reportedly dissects binaries for Android, iOS, macOS and Windows, turning them into assembly code that can help analyze malware or pinpoint questionable activity in otherwise innocent-looking software.

GHIDRA entered the spotlight with the Vault 7 leak, so it’s not a secret, nor is it really new; it is unusual, however, for the NSA to release it.

Other similar tools do exist, in fact; however, they are terribly expensive.

This does leave some to wonder what the NSA’s true motives are, given its prior history and part in the Zero Days worldwide malware release.

Cristal M Clark


Russia’s Infamous Election Hackers Are at it Again


Russia Election Meddling

Yesterday, Trump went on and on with completely baseless accusations against China, claiming that they are attempting to meddle in our latest round of elections.


What’s really true, however, is that reports are beginning to surface implying that Russia’s GRU, better known as Fancy Bear (U.S. intelligence agencies have identified Fancy Bear as two units within Russia’s military intelligence directorate), has secretly developed and deployed new malware that seems to be impossible to eradicate: it is capable of surviving a complete wipe of a target computer’s hard drive and will allow the hackers to return as many times as they would like.

The European security company ESET discovered the new malware and reported that it works by rewriting the code that is flashed into a computer’s UEFI chip, which controls the boot and reboot process.

The code is designed to maintain access to a high-value target in the event the operating system gets reinstalled or the hard drive replaced, which under normal circumstances would eradicate the malware.

This is not the first code to hide in the UEFI chip, and Russia’s new malware works only on PCs with security weaknesses in the existing UEFI configuration.

Still, the new malware does seem to prove that Fancy Bear is more robust, powerful and potentially dangerous than the world previously thought.
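Since the article says this implant only works on PCs whose UEFI configuration is already weak, a defender’s first question is what their own machines look like. The following PowerShell snippet is an added example, not code from the article or from ESET, that gathers the firmware facts an administrator would want on a Windows 8 or later machine: whether the box booted in UEFI mode, whether Secure Boot is enforced, and the BIOS vendor/version to compare against the vendor’s baseline. It assumes the built-in `Confirm-SecureBootUEFI` cmdlet (SecureBoot module) and the `$env:firmware_type` variable are available, which is the case on Windows 8 and later; the cmdlet throws on legacy-BIOS machines, which the example treats as “Secure Boot not available”.

```powershell
# Added example (not from the article or ESET): a defender-side posture check
# for the firmware settings a UEFI implant depends on. Run as Administrator.
# Assumptions: Windows 8+ (Confirm-SecureBootUEFI and $env:firmware_type exist).

function Get-UefiPostureReport {
    [CmdletBinding()]
    param()

    $bios = Get-CimInstance -ClassName Win32_BIOS

    $report = [ordered]@{
        FirmwareType = $env:firmware_type          # 'UEFI' or 'Legacy' on Windows 8+
        SecureBoot   = $null
        BiosVendor   = $bios.Manufacturer
        BiosVersion  = $bios.SMBIOSBIOSVersion      # compare with the vendor's current release
        BiosDate     = $bios.ReleaseDate
        Findings     = @()
    }

    try {
        # Returns $true when the firmware reports Secure Boot enforced.
        $report.SecureBoot = Confirm-SecureBootUEFI
    } catch {
        # Legacy BIOS or unsupported firmware: Secure Boot cannot be enforced at all.
        $report.SecureBoot = $false
        $report.Findings += "Secure Boot unavailable: $($_.Exception.Message)"
    }

    if ($report.FirmwareType -ne 'UEFI') {
        $report.Findings += 'Booted in legacy/CSM mode; UEFI protections do not apply.'
    }
    if (-not $report.SecureBoot) {
        $report.Findings += 'Secure Boot is off; unsigned boot code can load. Enable it and review firmware write-protection.'
    }
    if ($report.Findings.Count -eq 0) {
        $report.Findings += 'No obvious weakness found; Secure Boot alone does not prove the SPI flash is intact, so still compare the firmware image with the vendor baseline.'
    }

    [pscustomobject]$report
}

Get-UefiPostureReport | Format-List
```

The report is deliberately a posture check rather than an integrity proof: Secure Boot governs what the firmware will boot, not whether the flash chip itself has been rewritten, so the last finding points the reader at the vendor baseline comparison that the ESET-style analysis actually relies on.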

Cristal M Clark


Law Enforcement Officer Purchases FlexiSpy –  Intercepts WhatsApp & Emails?


Malware that intercepts social media messages, emails & so much more

Well, if it’s not the bad guys, it’s law enforcement these days using malware to intercept your private data, messages and the like.

Or at least that is what some suspect.


Motherboard obtained data that seemed to indicate that a Florida law enforcement officer purchased FlexiSpy, malware that is used to intercept private data such as messages sent through email, WhatsApp, social media communications…


Jim Born just so happens to be the former DEA agent and Special Agent at the Florida Department of Law Enforcement (FDLE) who purchased the malware, and the now retired agent claims that he simply made the purchase to better understand it and not to actually use it on someone without a court order.

Of course.

According to Motherboard it is truly unclear as to why the former agent really made the purchase.


FlexiSpy was originally marketed to those who wanted to, or felt the need to, spy on a spouse or lover whom they suspected of cheating; it’s changed a bit over the last year, and now the marketing targets employees and children.


The spyware is available to purchase on the open market, by the way; it is said that to deploy it, you would need physical access to one’s device.

Just remember, law enforcement could have a device stored as ‘evidence’ where, if they could get into the device, they could load the malware.

Not to mention, YouTube has a video or two on how to install the malware without having to actually have the victims device in hand.

Lovely.


What is truly frightening about this lovely little gem of malware is that FlexiSpy has added features that make it a truly powerful way of spying on the ones you love, including the ability to siphon WhatsApp messages, remotely turn on the phone’s camera and microphone, rip files stored on the device, and of course the ability to hide itself from its victim.

As for FDLE, well, they have absolutely no record of Agent Born ever making the purchase, so he made the purchase as a private citizen, which either makes his story a complete lie or makes him a jealous spouse, lover or nosy parent.


I don’t know, when it comes to one’s interpersonal relationships, even those with our children, I personally feel that it’s never okay to install malware onto a loved one’s device for the sole purpose of spying on that individual.

If you feel that your loved one is lying to you, cheating on you, or whatever, perhaps rather than invade the individual’s privacy by installing malware onto that individual’s device, which is a tit-for-tat sort of move, you should just ask them.

If you don’t find that you are getting the answer you want or suspect, then maybe you should assess the relationship you have with said individual and make a decision, one that would make you happy, because confirming suspicions never makes someone happy; it simply and only vindicates what you already know deep down.

Cristal M Clark


Ohio Hacker Charged with Child Pornography


MacOS Malware Used for Child Porn, Computer Fraud and Wiretapping


28-year-old Phillip Durachinsky has been accused of and charged with computer fraud, wiretapping and child pornography after authorities learned the man had hacked cameras and microphones to both spy on and record things that he should not have.


Aside from spying on both people and companies, Phillip was so brazen that he hacked into schools and a U.S. Department of Energy subsidiary and he even spied on a police department.

Where the story takes a pretty sick twist is where Phillip recorded individuals engaging in sex, some of whom were underage.

According to court documents, Phillip often made it a habit of recording those that he spied on, collecting thousands and thousands of images, as well as being able to access tax, medical and banking records of the unlucky individuals and organizations that he spied on from 2003-2017.

Yes, you read that right, 14 years in total.


Phillip used FruitFly, a specific malware used to target Macs, spyware used to surveil people through Macs, more specifically watching them through their webcam or camera.

Phillip had been installing the malware onto PCs for years, and once on an individual’s PC, the malware was able to reach out and make contact with others, like the PCs of businesses, schools, a police department and, of course, a subsidiary of the U.S. Department of Energy.

Once running, FruitFly was able to steal files and passwords and turn on cameras and microphones.

In some cases, FruitFly would alert Phillip if and when a victim was using an infected computer to search for porn.

Court documents indicate that thousands of computers had been infected and compromised, and while watching and listening to those that he spied on, this brilliant man took notes; yes, he took the time to take down notes with regards to what he heard or saw.


I know what you are thinking: FruitFly should only be able to work on macOS, right?

Phillip, it seems, was able to develop a Windows version, which explains how so many PCs were infected in the end.

As to the child porn charges, while the DOJ has not released much with regards to those charges, it appears that from Oct 2011 to Jan 2017 Phillip recorded underage teens having sex, recordings he knew he could either share or sell, recordings he knew would be shared.

So how did the DOJ finally catch up with Phillip?

In January of last year, Phillip was accused of hacking into computers at Case Western Reserve University. Upon investigating the complaint against Phillip, the FBI had discovered that the computers had in fact been infected for several years.

This serves as a great way to open the door to some dialogue.

It doesn’t matter what OS you might be on, just because you think you are safe, you may not be.

We can always count on one individual at the very least, who will be able to develop malware or some way so as to infect whatever OS they desire.

Developers may want to get better at patching things up, closing back doors, creating devices and software that are smart enough to block infected software, ads and files, or at the very least, ensuring that we cannot be hacked as easily as we currently are.

Cristal M Clark


CIA hacking air-gapped networks?


US Central Intelligence Agency – Brutal Kangaroo


A newly released dump of intel by WikiLeaks details how the CIA developed a way to hack an air-gapped network using a USB drive and some creative malware. Technically speaking, this is not in any way new information. It has always been known that one could hack an air-gapped network using a USB drive so as to either:

  1. Steal intel on the USB drive, or;
  2. Download some type of malware so as to infect the network, prompting the network to send out the requested data should the malware detect any open internet connection.

How does it work you ask?

The software consists of four specific applications:

  1. Shattered Assurance
  2. Drifting Deadline
  3. Shadow
  4. And finally, my personal favorite, Brutal Kangaroo.

Shattered Assurance is the server side of the code that forms the basis of the attack system; it infects USB drives that are plugged into an infected computer with the Drifting Deadline malware.

Once an infected thumb drive is plugged into a target computer that is set up to autorun its contents, is using Windows 7 as its operating system and is running .NET 4.5, Drifting Deadline deploys the Shadow malware onto the system.

Shadow is a much older piece of code that has both client and server versions and it is highly configurable for specific targets.

The operator can set it up to collect system data of up to 10% of the system’s memory, watermark all data it collects, and store it on an encrypted partition on the infected computer’s hard drive.

Once the infection has been achieved, Shadow will look for other connected systems and infect those too. It can be set up to put the pilfered data onto any new thumb drives that are installed in the system, or send it as a burst if it detects an open internet connection.

The final app in Brutal Kangaroo was once called Broken Promise; it is a tool used to examine the stolen data easily and quickly. Taken together, the Brutal Kangaroo suite could be very useful for defeating air-gapped machines and is certainly more feasible than more esoteric methods.
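The whole chain above hinges on one precondition the article states plainly: the target computer has to be set up to autorun the contents of a thumb drive. That is a setting an administrator controls. The PowerShell below is an added example, not part of the WikiLeaks material or of the article, that checks and, if needed, applies the standard Windows policy for disabling AutoRun on every drive type. It assumes Windows 7 or later and an elevated session for the remediation step; the two registry values it uses, `NoDriveTypeAutoRun` and `HonorAutorunSetting` under the Explorer policies key, are Microsoft’s documented AutoRun controls.

```powershell
# Added example (not from the WikiLeaks dump or the article): a defender-side check
# of the AutoRun setting that the described thumb-drive infection step relies on.
# Assumptions: Windows 7+, run as Administrator when remediation is needed.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutoRunPolicy {
    # Read both values without failing when the key or a value is absent.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoDriveTypeAutoRun  = $props.NoDriveTypeAutoRun    # 0xFF = disabled for all drive types
        HonorAutorunSetting = $props.HonorAutorunSetting   # 1 = Windows honours the value above
    }
}

function Test-AutoRunDisabled {
    $p = Get-AutoRunPolicy
    # Both conditions must hold: the mask covers every drive type and Windows honours it.
    return ($p.NoDriveTypeAutoRun -eq 0xFF) -and ($p.HonorAutorunSetting -eq 1)
}

function Disable-AutoRunAllDrives {
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name HonorAutorunSetting -Value 1    -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun  -Value 0xFF -Type DWord
}

if (Test-AutoRunDisabled) {
    Write-Output 'AutoRun is disabled for all drive types (policy already in place).'
} else {
    Write-Output 'AutoRun is not fully disabled; applying the all-drives policy.'
    Disable-AutoRunAllDrives
    Get-AutoRunPolicy | Format-List
}
```

Disabling AutoRun removes the automatic-execution step the article describes; it does not stop a user from opening a file on the drive by hand, so in practice it sits alongside removable-media controls and application allow-listing rather than replacing them.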

Or one can just get a job working for the NSA and walk out the door with data and intel. Take your pick right?

At any rate, this should not come as a huge surprise to anyone; you would expect the CIA, an intelligence agency, to have this sort of tool. What does, however, surprise me is the vivid detail that WikiLeaks released about how the malware works; the data dump details just how each app works together in order to gain the needed or wanted access to intel.

I am all for transparency when it comes to our governments, but at what point do we begin to question the amount of intel released to the public?

Some of the documentation released in the latest WikiLeaks dump could cause problems later down the road if it fell into the wrong hands and someone modified one or all of the apps’ capabilities, making it a worldwide problem like, for instance, WannaCry.

Sometimes, in our effort to keep our governments honest, we manage to create more of a problem than we do good. Anything having to do with cyber-security, cyber-warfare, malware and the like being detailed and released to the world under the guise of keeping our governments in check is simply not accomplishing those efforts.

Cristal M Clark
