
Evolution Networks Blog

Evolution Networks has been serving the South Florida area since 2003, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Has your browser been targeted by recent Malware attack?


Chrome, Firefox, Edge, and Yandex are all affected in widespread ad-injection campaign.


Adrozek, as Microsoft, the software maker, has dubbed the malware family, relies on a sprawling distribution network comprising 159 unique domains, each hosting an average of 17,300 unique URLs. The URLs, in turn, host an average of 15,300 unique malware samples. The campaign began no later than May and hit a peak in August, when the malware was observed on 30,000 devices per day.

Not your father’s affiliate scam

The attack works against the Chrome, Firefox, Edge, and Yandex browsers, and it remains ongoing. The end goal for now is to inject ads into search results so the attackers can collect fees from affiliates. While these types of campaigns are common and represent less of a threat than many types of malware, Adrozek stands out because of malicious modifications it makes to security settings and other malicious actions it performs.

“Cybercriminals abusing affiliate programs is not new—browser modifiers are some of the oldest types of threats,” researchers from the Microsoft 365 Defender Research Team wrote in a blog post. “However, the fact that this campaign utilizes a piece of malware that affects multiple browsers is an indication of how this threat type continues to be increasingly sophisticated. In addition, the malware maintains persistence and exfiltrates website credentials, exposing affected devices to additional risks.”

The post said that Adrozek is installed “through drive-by download.” Installer file names use the format setup__.exe. Attackers drop a file in the Windows temporary folder, and this file in turn drops the main payload in the Program Files directory. This payload uses a file name that makes the malware appear to be legitimate audio-related software, with names such as Audiolava.exe, QuickAudio.exe, and converter.exe. The malware is installed the way legitimate software is: it appears under Settings > Apps & Features and is registered as a Windows service under the same file name.

The graphic below shows the Adrozek attack chain:


Once installed, Adrozek makes several changes to the browser and the system it runs on. On Chrome, for instance, the malware often makes changes to the Chrome Media Router service. The purpose is to install extensions that masquerade as legitimate ones by using IDs such as “Radioplayer.”

Bad extensions!

The extensions connect to the attacker’s server to fetch additional code that injects ads into search results. The extensions also send the attackers information about the infected computer, and on Firefox the malware also attempts to steal credentials. The malware goes on to tamper with certain DLL files. On Edge, for instance, it modifies MsEdge.dll so that it turns off security controls that help detect unauthorized changes to the Secure Preferences file.

This technique, and similar ones for other affected browsers, has potentially serious consequences. Among other things, the Secure Preferences file carries integrity values that let the browser detect unauthorized changes to various files and settings. By nullifying this check, Adrozek opens browsers up to other attacks. The malware also adds new permissions to the file.

Below is a screenshot showing those added to Edge:


The malware then makes changes to the system settings to ensure it runs each time the browser is restarted or the computer is rebooted. From that point on, Adrozek will inject ads that either accompany ads served by a search engine or are placed on top of them.
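The integrity protection described above, modelled as an added example (this is not code from Microsoft, Ars Technica or any browser vendor): a simplified Secure Preferences file in which each protected setting carries an HMAC, a tampering attempt that adds an extension entry without updating the MAC, and the two startup paths, one that enforces the check and one in which it has been disabled, which is the state the article says Adrozek produces. The seed, device id, preference layout and extension ids are constructed for the demonstration; a real browser derives its seed and device id differently, and the model is deliberately coarse in that a failed MAC resets the whole setting.

```python
"""Simplified model of a browser Secure Preferences integrity check.

Added example; not code from Microsoft, Ars Technica or any browser vendor.
Chromium-based browsers keep an HMAC for each protected setting next to the
settings themselves and recompute those HMACs on startup, resetting any value
that fails. Seed, device id, preference layout and extension ids below are
constructed for the demonstration.
"""
import copy
import hashlib
import hmac
import json

SEED = b"constructed-seed-not-a-real-browser-seed"  # assumption: real seeds ship inside the browser
DEVICE_ID = "constructed-device-id-0001"             # assumption: derived from the machine in practice

# Constructed baseline: one legitimate extension and a default search provider.
BASELINE_PREFS = {
    "extensions": {
        "settings": {"legit-extension-id-aaaa": {"name": "Legitimate Extension", "state": 1}}
    },
    "search_provider": {"url": "https://example.com/search?q={searchTerms}"},
}
PROTECTED_PATHS = ("extensions.settings", "search_provider")
DEFAULTS = {
    "extensions.settings": {},
    "search_provider": {"url": "https://example.com/search?q={searchTerms}"},
}


def _get(prefs, path):
    """Resolve a dotted path such as 'extensions.settings'; None if absent."""
    node = prefs
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _set(prefs, path, value):
    """Write value at a dotted path, creating intermediate dicts as needed."""
    parts = path.split(".")
    node = prefs
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def compute_mac(path, value):
    """HMAC-SHA256 over device id, preference path and canonical JSON of the value."""
    serialized = json.dumps(value, sort_keys=True, separators=(",", ":"))
    return hmac.new(SEED, (DEVICE_ID + path + serialized).encode(), hashlib.sha256).hexdigest().upper()


def seal(prefs, protected_paths=PROTECTED_PATHS):
    """Store a MAC for every protected path, as the browser does when it saves."""
    sealed = copy.deepcopy(prefs)
    sealed["protection"] = {"macs": {p: compute_mac(p, _get(sealed, p)) for p in protected_paths}}
    return sealed


def verify(prefs):
    """Return the protected paths whose current value no longer matches its stored MAC."""
    stored = prefs.get("protection", {}).get("macs", {})
    return [p for p, mac in stored.items()
            if not hmac.compare_digest(compute_mac(p, _get(prefs, p)), mac)]


def inject_extension(prefs, ext_id, name):
    """Model a process editing the file on disk without knowing the seed: the
    extension entry is added but the MACs are left untouched."""
    modified = copy.deepcopy(prefs)
    modified["extensions"]["settings"][ext_id] = {"name": name, "state": 1}
    return modified


def startup(prefs, integrity_check_enabled=True):
    """Model browser startup. With the check on, each protected setting whose MAC
    fails is reset to its default and re-sealed. With the check off (the state the
    article describes Adrozek producing), tampered values are accepted as they are."""
    loaded = copy.deepcopy(prefs)
    if integrity_check_enabled:
        for path in verify(loaded):
            _set(loaded, path, copy.deepcopy(DEFAULTS[path]))
            loaded["protection"]["macs"][path] = compute_mac(path, _get(loaded, path))
    return loaded


def loaded_extension_ids(prefs):
    """Extension ids the modelled browser would load from this preference state."""
    return sorted((_get(prefs, "extensions.settings") or {}).keys())


if __name__ == "__main__":
    sealed = seal(BASELINE_PREFS)
    tampered = inject_extension(sealed, "injected-extension-id-bbbb", "Radioplayer")
    print("clean file, failing paths:", verify(sealed))
    print("tampered file, failing paths:", verify(tampered))
    print("check on, loaded:", loaded_extension_ids(startup(tampered, True)))
    print("check off, loaded:", loaded_extension_ids(startup(tampered, False)))
```

The point the model makes is that writing an extension entry into the file is not enough on its own: without the seed the MAC cannot be recomputed, so an enforcing browser discards the change at the next start. That is why the article's detail about MsEdge.dll matters, since disabling the verification step is what lets the injected extension persist, and it is also why a defender should treat a browser binary that no longer passes its own integrity check as a stronger indicator than any individual preference value.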

Thursday’s post doesn’t explicitly say what, if any, user interaction is required for infections to occur. It’s also not clear what effect defenses like User Account Control have. Microsoft makes no mention of the attack hitting browsers running macOS or Linux, so it's likely this campaign affects only Windows users. Microsoft representatives didn’t respond to an email asking for details.

The campaign uses a technique called polymorphism to blast out hundreds of thousands of unique samples. That makes signature-based antivirus protection ineffective. Many AV offerings—Microsoft Defender included—have behavior-based, machine-learning-powered detections that are more effective against such malware.

Source: Ars Technica

Hit Back Hard Against Malware

The threat landscape is filled with more types of malware than ever. To keep your business’ network running effectively, it’s important to have a strategy to keep malware out. Today, we’ll talk about a few basics you should know to keep your cybersecurity strategy working properly.

Smartphone Malware Is a Serious Threat

We all know how important it is to protect your desktop and laptop computers from malicious threats. Installing antivirus and security software is one of the first steps you take when you get a new computer, and for good reason. An unprotected device is at great risk. With that said, a lot of users don’t think about the threats that target their most-used devices, their smartphones.

65 Bitcoin Ransom Paid by Florida City

65 of any currency doesn’t seem like a lot of money, but when you are dealing in the cryptocurrency Bitcoin, it adds up quickly. One city on Florida’s Atlantic coast is finding that out the hard way after getting hit with ransomware that stymied the ability of the city’s government, which serves 35,000 people, to function. Let’s take a look at the situation that made the city’s leaders agree to pay hundreds of thousands of dollars to scammers.

The SamSam Ransomware Is Absolutely No Joke

The funny thing about ransomware is that they give them very strange names: Bad Rabbit sounds like the name of a villainous bunny who gets his comeuppance in some type of modern nursery rhyme, not malware that would ravage hundreds of European businesses. Locky seems like the son of Candado de seguridad, a character Medeco would come up with to educate kids on proper physical security. The latest in a long line of funny-named ransomware, SamSam, isn’t a pet name for your pet ferret you perplexingly named Sam, it is one of the worst ransomware strains ever, and it has caught the attention of U.S. Federal law enforcement.

Here is How Antivirus Keeps a Business Safe

A lot is made about antivirus as a part of a comprehensive network security platform, but how does the system really work to eliminate threats? Today, we will take a look at an antivirus solution to show you how it goes about removing unwanted files and other code.

Looking Back at This Year’s Cybersecurity Issues

Every business in operation today needs to have some kind of comprehensive network security. Simply put, there are too many threats that can come in through an Internet connection for them to continue doing otherwise. The past year provides plenty of anecdotal proof of this fact, as a quick glance back can show.

Data Security Issues of 2018

Each year there are changes that need to be made in the way that organizations manage their IT security. In 2017, ransomware burst onto the scene in full force, and cybersecurity strategies reacted, coming up with fully managed security platforms that remediate issues better and cost organizations far more than they would have spent on IT security just a short time ago. In 2018, the same problems persist, while other developing technologies threaten the natural order of things. Today, we will look at how cybersecurity is being approached in 2018.

Security Threats and Defensive Measures You Can Take

Network security for small businesses is far from simple. There are countless threats out there that want to see your business fall, and it only takes one to see this come to fruition. Unless you take action now to protect your organization, you risk the future of your business. But what is it that businesses need to protect from, and what measures are out there that can accomplish this feat?

Reexamining Meltdown and Spectre

It’s been about a year and a half since the Meltdown and Spectre exploits became publicly known. While patches and updates were administered to reduce their threat, they continue to linger on in a less serious capacity. Of course, this doesn’t mean that the threat has been entirely neutralized; you still want to know what these threats do and whether or not you’re safe from them.

A Ransomware Cyberattack Struck Atlanta, Georgia

Ransomware doesn’t discriminate with its targets, as the city of Atlanta, Georgia now knows so painfully well. The city became the target of a ransomware attack that crippled many of its critical system workflows. The municipal government suffered from one of the most advanced and sustained attacks in recent memory.

A New Perspective on Ransomware

We are going to switch things up a bit and walk you through a retelling of a ransomware attack through the eyes of a business owner. Usually when we talk about these types of threats, we approach it from our perspective and talk about what you should do to prepare and what the threats are, but we wanted to try to show you what an event like this could feel like, for you, in your position, and in your own eyes. We hope that this will raise awareness of how crippling an event like this can be on your company, and we hope you let us know if this perspective helps you, your colleagues, and your staff get a more personal sense of what ransomware can do. Enjoy!

What the Future Holds for Ransomware

Ransomware is a growing problem for businesses, being one of the most difficult threats to remove from an infrastructure. Not only is it easy to spread, but difficult to avoid as a whole. How can your organization prepare for this threat? It starts by being mindful of how ransomware is spread and how your employees react to it, both now and in the future.

Targeted Ransomware Checks for Particular Attributes

Put yourself in the shoes of a cybercriminal. If you were to launch a ransomware attack, who would be your target? Would you launch an indiscriminate attack to try to snare as many as you could, or would you narrow your focus to be more selective? As it happens, real-life cybercriminals have largely made the shift to targeted, relatively tiny, ransomware attacks.

Why ROBOT is a Risk After Nearly 20 Years

The Internet is rife with potential threats. Some are situational, but most are deliberate actions made by malicious entities who are trying to obtain any semblance of value from you or your company. Some of these exploits have been around longer than you’d imagine possible. This has been made evident by huge Internet-based companies such as PayPal and Facebook testing positive for a 19-year-old vulnerability that once allowed hackers to decrypt encrypted data.

Is Your Security Prepared to Stop a DDoS Attack?

If your business were to be struck by a Distributed Denial of Service (DDoS) attack, would it be able to recover in a timely manner? Do you have measures in place to keep such attacks from hampering your operations? While most organizations claim to have sufficient protection against these dangerous attacks, over half of them have simply proven to be ineffective against DDoS.

Your Computer's Infected... What Do You Do Next?

It’s one of the most commonly-known computer issues: infection. There are plenty of threats out there that could potentially take hold of your PC. The question is, do you know how to proceed if one does? This blog will go into just that.

What We Can Learn From IT Statistics

Technology plays a pivotal role in the way modern businesses function, and as a result it carries some element of risk. An example of this is how companies store electronic records. While the implementation of measures designed to provide greater ease of use and organization for a business’ employees makes business move faster, it also makes it that much easier for a hacker to locate and steal data. Small and medium-sized businesses, in particular, are vulnerable, as they may not have dedicated IT security.

Would You Share Your Browser History? This Ransomware Will

Ransomware is a tricky piece of malware that locks down the precious files located on a victim’s computer, then (in theory) returns access to them when a ransom has been paid. Depending on the files stored on a victim’s computer, they might simply blow it off and not worry too much about losing access to a couple of pictures or videos. But what if this ransomware threatened to expose your web browsing history?

Latest Ransomware Attack is Brutal Reminder of Cyber Security Importance

A new malware swept across the globe not long ago, incorporating facets of many ransomware strains that have made headlines recently. While it originally appeared to be a variant of the Petya ransomware, it has been determined that it shares more in common with WannaCry. However, “NotPetya,” as it has been named, has a few additional features that experts say make it worse than either of its predecessors.


Why NotPetya Isn’t Really a Ransomware
The first clue that researchers had that NotPetya had a different motivation was the fact that the ransom demanded only the Bitcoin equivalent of $300. Secondly, the only means of getting the decryption key was to send an email to an address hosted by German email provider Posteo. Despite how unprepared the payment method appeared to be, NotPetya itself was clearly designed to infiltrate as many networks as possible and do maximum damage once inside.

A Hybrid Hacking Attack
Since the attack commenced, researchers have ascertained that despite its initial similarities with Petya, NotPetya shares many traits with other malicious programs. Like WannaCry, the attack that affected much of Europe, NotPetya leverages EternalBlue. EternalBlue is a National Security Agency hacking tool that targets unpatched systems and steals the passwords that allow administrator access. In addition to EternalBlue, NotPetya also utilizes EternalRomance, another exploit that was stolen from the NSA.

Once NotPetya has infected one computer, it extracts passwords from its memory or the local filesystem to allow itself to spread, including onto updated and patched Windows 10 systems.

How To Protect Your Files
First off, don’t expect that you can retrieve your files just by paying the ransom. Even if those responsible for NotPetya intended to keep their word and return them once paid, Posteo has shut down the provided email account from which victims were to receive their keys. As a result, unless a victim was already following certain best practices, their files are as yet unrecoverable.

However, this does not mean that everyone is vulnerable to this attack. Before the EternalBlue and EternalRomance exploits were distributed on the dark web, Microsoft had already released patches for the vulnerabilities. However, if these patches were not applied, a user’s systems were (and are) still vulnerable.

The best method to avoid infection from this kind of attack is to ensure your users understand the importance of cyber security efforts, and that all of your business’ systems are reinforced against the latest threats by keeping your defenses up-to-date.

Furthermore, even an infected user is not without hope if they have been backing up their files. If they have done so, all they have to do is disconnect their computer from the Internet, reformat their hard drive and restore their data from their backup solution. However, for this to work, you have to also be sure that your backups are up-to-date, and that your backup is stored in an isolated location, separate from your network.

Evolution Networks has the experience and expertise to help prevent you from becoming a victim of a malware like this, whether we help you manage your backups or help educate your users to avoid attacks like these in the first place. Give us a call at 954-866-1600 today.
