Malta’s leading bank resumes operations after cyberheist-induced shutdown


Source: We Live Security Magazine On:


Bank of Valletta, which went dark for a day after fraudulent transfers of €13 million, is now looking to get the money back

Things are getting back to normal for Bank of Valletta (BOV) and its customers following a cyberattack that caused Malta’s largest bank to take the unprecedented step of temporarily shutting down all of its services.

On Wednesday morning, BOV found out that unknown attackers had made fraudulent transactions from the bank to financial services providers in the United States, the United Kingdom, the Czech Republic, and Hong Kong. The heist, of around €13 million (US$14.6 million), even prompted a reaction from Malta’s Prime Minister Joseph Muscat, who said that customer funds were not touched and, indeed, were never in danger.

The theft came to light “during reconciliation of international transactions when discrepancies in eleven payments were noticed”, wrote The Times of Malta. Shortly thereafter, BOV was alerted by the country’s Security Service that the bank had been targeted by a cyberattack originating from outside the Mediterranean island.

It has been reported that, within 30 minutes after learning that something was amiss, the bank suspended its services and began to work on retrieving the funds. Naturally, the incident also prompted what the bank has called “rigorous overnight testing” of its IT systems. With the tests deemed successful, the bank restored most of its systems and services on Thursday, as well as its website and mobile app, and re-opened office branches and ATMs.

According to Reuters, the bank has yet to determine where the intrusion came from and how it happened. Besides the other unknowns surrounding the attack, one more question has yet to be answered: where is the money and, indeed, will it be retrieved?

In their latest coverage, local media quote the bank’s chief business development officer Kenneth Farrugia as implying that while the money has been traced, its recovery is a different thing altogether.

“We know where the money went and into which banks but what happened at that touchpoint we do not have the visibility to know,” said Farrugia for The Times of Malta. “It’s not simply a matter of asking the banks for the money to be reversed. It does not work like that and there are banking procedures that have to be implemented,” he added, without shedding light on whether all the money will, or even can, actually be retrieved.

Per Reuters, BOV accounts for nearly one-half of Malta’s banking transactions. Most shares in the financial services provider, which is also Malta’s oldest, are held by the country’s government.

Bank jobs

Cyberheists are nothing new, of course, and we have previously written about thefts targeting banks in Bangladesh, India and Russia, and Mexico. In 2016, ESET researchers Anton Cherepanov and Jean-Ian Boutin wrote a paper about attacks at Russian financial institutions while, in 2018, ESET researcher Miguel Ángel Mendoza weighed in on the theft in Mexico.

We also wrote last year about how US banks are preparing for a scenario involving a particularly devastating cyber-intrusion.

15 Feb 2019 – 02:29PM

Navigating the murky waters of Android banking malware


An interview with ESET malware researcher Lukáš Štefanko about Android banking malware, the topic of his latest white paper

Banking malware continued to plague the Android platform throughout 2018, with cybercrooks relentlessly targeting users with banking Trojans and fake banking apps, but also experimenting with new money-stealing techniques.

To help users navigate the tricky and expanding landscape of Android threats, Lukáš Štefanko, a malware researcher at ESET, sheds light on the most prevalent types, tactics and techniques of today’s Android banking malware in his white paper, “Android banking malware: Sophisticated Trojans vs. Fake banking apps”.

We sat down with Lukáš and asked him a few questions about his latest publication.

What made you focus on this topic in such detail?

I deal almost daily with malicious apps going after Android users’ banking credentials. They use many different tricks, techniques and distribution methods, but can ultimately be divided into two broad groups – as the title of the white paper suggests. The distinction might not be so clear to regular Android users, so I wanted to address that.

So, sophisticated banking Trojans and fake banking apps. Why is it important for a regular user to be familiar with the difference?

If users know what they’re up against, I believe they have a better chance of staying safe. The two categories might seek the same goal – stealing credentials for, or money from, their victims’ bank accounts – but their strategies for achieving that goal are very different. And that means that the ways to prevent or remove threats will also be different for each category.

Could you explain the differing strategies to someone new to the topic?

Banking Trojans are devious – they try to make users install them by pretending they are something fun or useful, but definitely totally harmless. Think games, battery managers and power boosters, weather apps, video players, and so on. They try to keep users in the dark while they collect the rights and permissions needed for their grand finale. Then, when users least expect it, they slide a fake login screen over a legitimate banking app and steal the entered data. Victims might not be aware of anything happening until they find out that money has disappeared from their accounts.

Fake banking apps are much simpler – they go all in trying to convince users they are legitimate banking apps. Once installed and launched, they lead with a login form, just like a real banking app would. And, as you probably already guessed, the credentials submitted into the form are harvested. Victims usually realize immediately what happened as the app reveals itself by having no further banking app functionality.

What are the chances of users falling for a fake banking app?

I’d say the chances are lower than with banking Trojans, but nowadays some apps can look pretty trustworthy despite being fake. What’s maybe more important than how many users install malware is how many of them actually fall victim – and the odds are high with fake banking apps. This is because users install those apps believing they are installing an actual banking app, which makes them willing to enter their credentials upon seeing a login screen.

Is one of these categories considered more dangerous than the other?

From the technical point of view, yes – banking Trojans are more robust and increasingly hybrid-like. That means their capabilities go beyond just phishing for banking credentials, they could for example have some spying functions or ransomware-like capabilities. But if we’re talking about the danger of getting one’s banking credentials stolen, I think fake banking apps are just as dangerous.

What advice would you pick out of your white paper as most useful?

I see three main principles in steering clear of Android banking malware.

First, stay away from unofficial app stores, if possible, and always keep “installation of apps from unknown sources” disabled on your device.

Second, pay close attention to the app’s reputation on Google Play, and continue paying attention to its behavior after it’s installed. Negative reviews and permissions that aren’t connected to the app’s function are the biggest red flags.

And finally, only ever download banking and other finance apps if they are linked on the official website of the bank or financial service.

Actually, this approach – specifically looking for apps you need rather than installing apps you “happen to stumble upon” – may be the way to avoid malware altogether.

Lukáš Štefanko will provide an overview of the latest Android malware and also discuss poorly secured legitimate apps focused solely on ad revenue at Mobile World Congress (MWC), taking place February 25 – 28, 2019 in Barcelona.

15 Feb 2019 – 11:28AM

Attack at email provider wipes out almost two decades’ worth of data


Instead of financial gain or other, more usual, goals, the attacker leaves ‘scorched digital earth’ behind

An unknown attacker has wrought rare havoc on email service provider VFEmail, wiping out all of the company’s data stored in the United States, according to an announcement on the firm’s website.

Describing the incident as “catastrophic”, the company said that the intruder had destroyed not only the primary data on the firm’s US servers, but also all backups. The onslaught trashed 18 years’ worth of user data and backups of a company that has provided both free and paid email services for businesses and end users alike. That, of course, means countless email messages sent and received by its users over the years.

The attack on the Wisconsin-based company is believed to have unfolded over several hours on Monday. Shortly after users began to complain that something was amiss, VFEmail acknowledged the attack on its entire US-based infrastructure.

“At this time, the attacker has formatted all the disks on every server. Every VM [virtual machine] is lost. Every file server is lost, every backup server is lost,” VFEmail tweeted later, assessing the damage.

In addition, the attacker zoomed in on the company’s resources in the Netherlands. There, as reported by security journalist Brian Krebs, VFEmail “caught a hacker in the act of formatting one of the company’s mail servers”.

The primary data in the Netherlands was also destroyed but, as per CNET, at least some of the backups were salvaged. However, “[i]t’s nowhere near a full restore,” wrote the site, quoting VFEmail owner Rick Romero.

In the meantime, the site is said to have restored the ability to deliver and send email at least for a portion of its users. VFEmail wrote that they continue to work on recovering whatever user data can be recovered.

That said, Romero painted a grim picture on his personal Twitter account: “Yes, @VFEmail is effectively gone. It will likely not return,” he intimated.

Krebs noted the service’s past troubles with cybercriminals. Over the years, VFEmail has mainly faced multiple debilitating distributed denial-of-service (DDoS) attacks, including those involving extortion attempts. However, none of those or other attacks has resulted in what is apparently an irretrievable data loss.

14 Feb 2019 – 02:55PM

When love becomes a nightmare: Online dating scams


Roses are red, violets are blue, watch out for these scams or it may happen to you

The embrace of online dating services, such as dating apps or virtual places to meet people, is a worldwide phenomenon. According to GlobalWebIndex, in Latin America and the Asia-Pacific region the adoption of dating apps and sites stands at about 45%, while in the United States and Europe the figure is about 28%.

Currently, more than 40% of single men have used an app or a dating site in the last month, says GlobalWebIndex. There are dozens of dating apps available; some operate globally, while others work only in countries where they enjoy greater acceptance. Without a doubt, two of the most popular applications among the many on offer are Tinder and Happn, which claim more than 50 million users each.

Although these apps and sites have the potential to bring great happiness into the lives of their customers, there is a darker side as well: scammers abuse these services to their own nefarious ends, leading to heartbreak both emotionally and financially for the scammers’ victims.

Multiple forms of deception

Although they come in different flavors, in most cases the criminals behind romance scams study their victims’ profiles and collect personal information, such as their occupation, income level and lifestyle; the mismanagement of personal information in the digital age allows a criminal to build a fairly detailed profile of a future victim.

One of the most common methods is the scammer who emotionally manipulates the victim into sending money, gifts or personal information. Another common type of deception is sextortion, which usually begins as a normal relationship between two people getting to know each other, until the scammer tries to move the conversation off the dating platform, for example to WhatsApp. There, the criminal tries to convince the victim to send risqué photos or intimate videos … and then uses that salacious material to blackmail the victim.

Last month, for example, a man in the United States fell victim to this type of scam, following an attack strategy similar to that in a case reported in Chile in 2018. After meeting the person through an online dating site and gaining his trust, the scammer asked him to send intimate photos. Shortly after they were sent, the victim received a message from a man claiming to be the father of a minor, who threatened to file charges against him for sending a child an explicit image unless he sent two prepaid ‘money cards’ of US$300 each. The victim learned that it was a hoax only after he had contacted the police.

Another scam is known as ‘catfishing’, which is luring the victim into a relationship based on the attacker’s fictitious online persona.

Scams related to online dating: A global phenomenon

In Australia in 2018 there were a reported 3,981 cases of scams related to online dating through social networks, and dating apps or websites, which represented losses of more than AU$24 million; and so far in 2019, 349 cases have already been recorded, with losses equivalent to more than AU$1 million, the Australian Competition and Consumer Commission reports.

In the United Kingdom, the National Fraud Intelligence Bureau (NFIB) stated that in 2017, on average, every three hours a case of fraud related to online dating was reported, while more recent figures from Action Fraud revealed that in all of 2018 more than 4,500 complaints of online romance fraud were filed and it estimated that 63% of the victims were women, the BBC reported.

Cases from around the world

A case in Spain made the headlines of several media outlets when a man nicknamed the King of Tinder was arrested in 2018. Using techniques similar to those of other fraudsters, this criminal met his victims through dating apps like Tinder or Meetic and gained their trust to the point that they sent him money after he fed them stories of bogus problems relating to his ‘family’.

Recently, in Canada, the story came to light of a senior who spent his life savings and then borrowed against his house as a result of a “romance scam”. The 67-year-old widower met a scammer claiming to be someone called Sophia Goldstein through the online dating site Match. Soon after establishing a relationship, the miscreant, who also claimed to be from Canada, began asking for financial help to solve various non-existent problems. Over a period of eight months before he died, the victim made a total of 19 bank transfers amounting to more than CA$730,000 to an account in Malaysia.

Latin America is no stranger to such scams; in 2017, the Argentine media reported on a scam that used Tinder. After investigating several cases, they reported that victims were contacted by a person apparently seeking a serious relationship, but living far away.

These reports explained that the same MO was used in these cases: the scammer presented as an attractive woman, sent alluring pictures of herself to the victim, and eventually gained the victim’s trust.  The scammer requested and received the victim’s phone number, then once trust was established, convinced the victim to send money with a promise to return the ‘loan’ once they finally met in person. 

How to protect yourself

Users of online dating sites and apps should bear in mind that anyone can be deceived. Here are some recommendations to keep in mind.

  • Look for inconsistencies; if you find any, be cautious.
  • Romance scammers tend to profess excessive romantic interest in their victims, and very quickly after “meeting” them.
  • Scammers also tend to quickly try to move the discussion off the platform or app to some other form of messaging such as email, Skype, or a secure messaging app. This prevents any fraud detection systems employed by dating services or apps from monitoring their attempts to defraud their victims.
  • It is common that after a while (weeks or months), and once some confidence has been established, the person you have been talking to will tell you a very elaborate story that ends with a request for money, a gift or something similar. Never send money to someone you have met in an online dating scenario before getting to know them in person.
  • Suspect anyone who always has an excuse to not meet in person.
  • Never share with the person you are meeting, especially if you do not know them personally, information that may compromise you, such as photos or videos, your address, place of work or phone number.
  • If you decide to meet someone in person that you’ve met online, be sure to set up the meeting in a safe, public place.

14 Feb 2019 – 11:27AM

Why you should choose a pseudonym at Starbucks


Innocently providing your name at your local coffee shop is just an example of how easy it can be for miscreants to cut through the ‘privacy’ of social media accounts

When Starbucks introduced personalising the coffee shop experience by writing customers’ names on their coffee cups, people felt violated. Why on earth would a coffee chain want to know your name?

Once coffee drinkers came round to the idea that the baristas were demanding their names, a wave of uproar began across social media from those whose names were spelt incorrectly. Admittedly, it would lengthen the queue if each time you were asked how to spell your name (“is that with or without an E?”). There is a theory that the misspelling is actually deliberate, so that people turn to social media with a photo of their branded coffee cup to complain about their barista not knowing how to spell “Bob” or whatever ‘straightforward’ name they possess.

Anyway, once you have given your name to the barista (and any prying ears in the queue), you are giving away something very personal to unknown entities. It might not feel that significant at the time as you wait for your skinny-single-shot-sugar-free-vanilla-latte but giving away anything personally identifiable could ultimately be used against you.

Starbucks don’t ask for ID so should we think of a pseudonym or a code word instead? Here is a real-life example why you should at least think about making up a new name…

Recently, whilst on the train to London, I was sat behind a man accompanied by a laptop and a personalised coffee cup. He opened his laptop and signed in (it was not full disk encrypted I hasten to add, tut tut) and I could see a company logo physically on the laptop and as the desktop background: I couldn’t read every word but I knew the company well enough to recognise it. Now, added to the fact I knew his first name, I could start my open source research on him.

Within moments of searching his company on Google, I found his full name on the firm’s ‘About’ page, complete with head shot and bio. Next, I turned to LinkedIn (using my limited second profile to reduce personal tracks which would tell him I’ve been snooping on his page and to help me bypass the first or second contact information checkpoint) and located his career history. LinkedIn also offered me his personal email, twitter handle and hobbies from his bio once I had connected with him on the site.

Switching to Twitter, I located his contacts, family connections and even children’s names. His wife’s Facebook was open and included lots of photos of their two pets. She seemed very proud of their wedding photos and dates (albeit I didn’t have the year just day and month).

Moving to Strava, a fitness activity sharing app, I was able to put in his name and locate his profile showing me his recent run and cycle routes. The thing about Strava, and other fitness logging apps, is that they show anyone recent routes so when most people start and finish their training at either their home or work address, it tells the world where they live and work!

With his daughter’s name, I moved to Instagram. Although her account was private, it took less than half an hour to befriend her from my fake account (you would be surprised how few background checks teenagers do on accounts wanting to follow them). Wading through the endless selfies and food photos, I was able to find a happy birthday photo to her Dad plus a rather significant happy anniversary message to her folks, which now gave me the year of his wedding too.

To top it off, while I was watching him work, he was noticeably having fingerprint issues with his phone so after each unsuccessful attempt to unlock his screen, he would then revert to typing in a 6-digit code which I could view. This was his first daughter’s date of birth: That would have been my second guess after his wedding anniversary.

At this point, many people are possibly thinking “who cares?” or “what can a hacker really do with my information?” This attitude is what’s getting many people into trouble with their cybersecurity. Whilst banks are reducing how often they refund such instances, the problem will only increase. Hackers can and will make your life a misery using targeted attacks.

Even if you are sitting there thinking that your security is foolproof, what information is given away via your family and how good is their security? If your partner’s email got hacked and you received an email from him or her asking a relatively normal question like “what’s our banking password again, darling?” Would you be tempted to respond or would flashing lights and alarm bells go off?

So how do we overcome this issue? And how long before the banks don’t even chase any of the money that has been unfortunately swindled?

Awareness training has limitations and e-learning rarely benefits a company, so the answer lies fundamentally in shifting culture. Making people aware is one thing but making them better is another. For example, we all know not to reuse passwords, but so many people still take that risk every single day.

People don’t change very easily and when people don’t care about the issue, it makes it harder to persuade them not to fall into potential pitfalls. If I spin the argument around I think the answer could in fact lie with the cybersecurity industry itself: companies who make it compulsory to use a unique password and authenticator app to sign in, would soon give their data and networks a stronger defence.

Inevitably, there will be an immediate outcry and a torrent of angry tweets from inconvenienced customers. However, if people don’t change by choice, making security mandatory will soon make companies and their customers much safer, without having to worry about splashing our data on our personalised coffee cups.

13 Feb 2019 – 11:28AM

Apple to pay teenager who uncovered FaceTime bug


The decision to pay a bounty has been welcomed, but one security researcher has said that Apple needs to do more to compensate those who find bugs

A US teenager has been given a rare bug bounty by Apple after he discovered a security flaw in Apple’s FaceTime video-calling service.

Grant Thompson, a 14-year-old from Arizona, discovered that the bug allowed any iPhone user to place a Group FaceTime call to another iPhone user and listen to the audio on the other end before the call was answered, essentially turning the recipient’s device into a live microphone.

While the bounty amount has not yet been disclosed, Apple have said that, on top of a monetary reward, it will also provide a gift that will go towards his education.

According to a report on the BBC, Thompson and his mother had warned Apple of the bug in early January with Mrs. Thompson sending several emails and messages to the company without getting any response at the beginning.

Apple credited the teenager with discovering the flaw and fixed it in iOS 12.1.4, a release focused mostly on bug fixes that also addressed several other issues alongside the Group FaceTime bug.

Not all is rosy in the (Apple) garden, however, with one disgruntled Germany-based security researcher refusing to share details of a macOS security weakness. Linus Henze stated online that he has found a way to harvest passwords, private keys and tokens from a victim’s keychain.

He has said that he will not share the details with Apple until the company starts to compensate those who uncover security flaws. Speaking to the tech news site The Register he said: “My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and researchers.

“I really love Apple products and I want to make them more secure. And the best way to make them more secure would be, in my opinion, if Apple creates a bug bounty program, like other big companies already have.”

To read more about bug bounties please check out:

Google pays $10,000 for student’s bug

How well can bug hunting pay?

Bugcrowd University: The free educational platform for security researchers

EU offers bug bounties on popular open source software

12 Feb 2019 – 02:42PM

First clipper malware discovered on Google Play


Cryptocurrency stealers that replace a wallet address in the clipboard are no longer limited to Windows or shady Android app stores

For security reasons, the addresses of online cryptocurrency wallets are long strings of characters. Instead of typing them, users tend to copy and paste the addresses using the clipboard. A type of malware known as a “clipper” takes advantage of this: it intercepts the content of the clipboard and surreptitiously replaces it with content of the attacker’s choosing. In the case of a cryptocurrency transaction, the affected user might end up with the copied wallet address quietly switched to one belonging to the attacker.

This dangerous form of malware first made its rounds in 2017 on the Windows platform and was spotted in shady Android app stores in the summer of 2018. In February 2019, we discovered a malicious clipper on Google Play, the official Android app store.

Although relatively new, cryptocurrency stealers that rely on altering the clipboard’s content can be considered established malware. ESET researchers even discovered one hosted on one of the most popular software-hosting sites in the world. In August 2018, the first Android clipper was discovered being sold on underground hacking forums and, since then, this malware has been detected in several shady app stores.


The clipper we found lurking in the Google Play store, detected by ESET security solutions as Android/Clipper.C, impersonates a legitimate service called MetaMask. The malware’s primary purpose is to steal the victim’s credentials and private keys to gain control over the victim’s Ethereum funds. However, it can also replace a Bitcoin or Ethereum wallet address copied to the clipboard with one belonging to the attacker.

Figure 1. Android/Clipper.C impersonating MetaMask on Google Play

We spotted Android/Clipper.C shortly after it had been introduced at the official Android store, which was on February 1, 2019. We reported the discovery to the Google Play security team, who removed the app from the Store.

This attack targets users who want to use the mobile version of the MetaMask service, which is designed to run Ethereum decentralized apps in a browser, without having to run a full Ethereum node. However, the service currently does not offer a mobile app – only add-ons for desktop browsers such as Chrome and Firefox.

Several malicious apps have been caught previously on Google Play impersonating MetaMask. However, they merely phished for sensitive information with the goal of accessing the victims’ cryptocurrency funds.

Security tips

This first appearance of clipper malware on Google Play serves as another imperative for Android users to stick with the best practices for mobile security.

To stay safe from clippers and other Android malware, we advise you to:

  • Keep your Android device updated and use a reliable mobile security solution
  • Stick to the official Google Play store when downloading apps…
  • …however, always check the official website of the app developer or service provider for the link to the official app. If there is not one, consider it a red flag and be extremely cautious of any result of your Google Play search
  • Double-check every step in all transactions that involve anything valuable, from sensitive information to money. When using the clipboard, always check if what you pasted is what you intended to enter.
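The substitution described at the top of this article, and the “check what you pasted” advice in the last tip, as an added example (this is not ESET’s code, nor code from Android/Clipper.C). The address patterns are assumptions that match the usual shapes of Bitcoin and Ethereum addresses without validating checksums; the attacker addresses are the two IoC addresses published below; the copied text is constructed for the example.

```python
import re
from itertools import zip_longest
from typing import List, Tuple

# Assumed address shapes: legacy (1.../3...) and bech32 (bc1...) Bitcoin
# addresses, and 20-byte hex Ethereum addresses. No checksum validation.
BTC_ADDRESS = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
ETH_ADDRESS = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
ANY_ADDRESS = re.compile(ETH_ADDRESS.pattern + "|" + BTC_ADDRESS.pattern)

# Attacker-controlled addresses: the IoC addresses published in the article.
ATTACKER_BTC = "17M66AG2uQ5YZLFEMKGpzbzh4F1EsFWkmA"
ATTACKER_ETH = "0xfbbb2EF692B5101f16d3632f836461904C761965"


def clipper_substitute(clipboard_text: str, attacker_btc: str = ATTACKER_BTC,
                       attacker_eth: str = ATTACKER_ETH) -> str:
    """Model of what the clipper does: every wallet address in the clipboard is
    swapped for the attacker's address of the same coin type. Everything else
    is left untouched, which is why the victim notices nothing."""
    text = ETH_ADDRESS.sub(attacker_eth, clipboard_text)
    return BTC_ADDRESS.sub(attacker_btc, text)


def wallet_addresses(text: str) -> List[str]:
    """All wallet addresses in the text, in order of appearance."""
    return [m.group(0) for m in ANY_ADDRESS.finditer(text)]


def substituted_addresses(copied: str, pasted: str) -> List[Tuple[str, str]]:
    """The last security tip, done mechanically: compare the addresses the user
    copied with the ones that actually landed in the paste. Returns
    (expected, observed) pairs that differ; an empty list means no tampering.
    An address that vanished or appeared shows up paired with ''."""
    expected = wallet_addresses(copied)
    observed = wallet_addresses(pasted)
    return [(e, o) for e, o in zip_longest(expected, observed, fillvalue="") if e != o]


def safe_to_send(copied: str, pasted: str) -> bool:
    """True only if the paste is exactly what was copied."""
    return copied == pasted


if __name__ == "__main__":
    # Constructed sample: a payment note copied on an infected device and the
    # clipboard content that arrives at the paste.
    copied = ("Refund to 1ABCDEFGHJKLMNPQRSTUVWXYZabcdefgh or "
              "0xabababababababababababababababababababab")
    pasted = clipper_substitute(copied)
    for expected, observed in substituted_addresses(copied, pasted):
        print(f"clipboard tampered: expected {expected}, got {observed}")
    print("safe to send:", safe_to_send(copied, pasted))
```

A wallet app cannot know what the user intended to copy, which is why the practical defence is the human check in the tip above: compare the first and last few characters of the pasted address against the source before confirming a transfer.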

Indicators of Compromise (IoCs)

Package Name    Hash

BTC address: 17M66AG2uQ5YZLFEMKGpzbzh4F1EsFWkmA

ETH address: 0xfbbb2EF692B5101f16d3632f836461904C761965

8 Feb 2019 – 11:58AM

DanaBot updated with new C&C communication


ESET researchers have discovered new versions of the DanaBot Trojan, updated with a more complicated protocol for C&C communication and slight modifications to architecture and campaign IDs

The fast-evolving, modular Trojan DanaBot has undergone further changes, with the latest version featuring an entirely new communication protocol. The protocol, introduced to DanaBot at the end of January 2019, adds several layers of encryption to DanaBot’s C&C communication.

Besides the changes in communication, DanaBot’s architecture and campaign IDs have also been modified.

The evolution of DanaBot

After being discovered in May 2018 as part of Australia-targeted spam campaigns, DanaBot has had an eventful time since, appearing in malspam campaigns in Poland, Italy, Germany, Austria and Ukraine, as well as in the United States. The European campaigns have seen the Trojan expanding its capabilities with new plugins and spam-sending features.

In ESET telemetry on January 25, 2019, we noticed unusual DanaBot-related executables. Upon further inspection, these binaries were, indeed, revealed to be DanaBot variants, but using a different communication protocol to communicate with the C&C server. Starting January 26, 2019, DanaBot operators stopped building binaries with the old protocol.

At the time of writing, the new version is being distributed under two scenarios:

  • As “updates” delivered to existing DanaBot victims
  • Via malspam in Poland

The new communication protocol

In the communication protocol used before January 25, packets were not encrypted in any way, as seen in Figure 1.

Figure 1 – Packet capture showing the old protocol with data in plaintext

Following the latest changes, DanaBot uses the AES and RSA encryption algorithms in its C&C communication. The new communication protocol is complicated, with several encryption layers being used, as seen in Figure 2.


Figure 2 – A diagram of DanaBot’s new communication protocol

These changes break existing network-based signatures and make it more difficult to write new rules for Intrusion Detection and Prevention Systems. Also, without access to the corresponding RSA keys, it is impossible to decode sent or received packets; thus PCAP files from cloud-based analysis systems (such as ANY.RUN) become unusable for researchers.

Figure 3 – Packet capture with the new communication protocol in place

Each packet sent by the client has a 24 (0x18)-byte header:

Offset | Size (bytes) | Meaning
0x0    | 0x8          | Size of the data after this header
0x8    | 0x8          | Random value
0x10   | 0x8          | Sum of the first two fields

For each packet, the header is followed by AES-encrypted packet data, then a 4-byte value indicating AES padding size, and finally the RSA-encrypted AES key. Each packet is encrypted with a different AES key.

Server responses use the same format. Unlike in previous versions, packet data in server responses does not follow any specific layout (with some exceptions).
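As an added illustration (not code from the ESET article), the following Python parser implements the header and trailer layout just described and can serve as a detection heuristic over captured client packets. It assumes little-endian fields and takes the length of the RSA-encrypted key blob as a caller-supplied parameter, since the article states neither.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

HEADER_LEN = 0x18      # three 8-byte fields
PAD_FIELD_LEN = 4      # 4-byte AES padding size that follows the ciphertext
MASK64 = (1 << 64) - 1

@dataclass
class Header:
    data_size: int      # offset 0x0: size of the data after the header
    random_value: int   # offset 0x8: random value
    checksum: int       # offset 0x10: sum of the first two fields

def parse_header(packet: bytes) -> Optional[Header]:
    """Parse the 24-byte header. Little-endian byte order is an assumption;
    the article gives offsets and sizes only."""
    if len(packet) < HEADER_LEN:
        return None
    return Header(*struct.unpack_from("<QQQ", packet, 0))

def looks_like_danabot(packet: bytes) -> bool:
    """Heuristic for one client packet: the third field must equal the
    (64-bit wrapped) sum of the first two, and the advertised size must
    match the number of bytes that actually follow the header."""
    hdr = parse_header(packet)
    if hdr is None:
        return False
    if (hdr.data_size + hdr.random_value) & MASK64 != hdr.checksum:
        return False
    return hdr.data_size == len(packet) - HEADER_LEN

def split_body(packet: bytes, rsa_blob_len: int) -> Optional[Tuple[bytes, int, bytes]]:
    """Split the body into (AES ciphertext, padding size, RSA-encrypted AES key).
    rsa_blob_len is the RSA modulus size in bytes (e.g. 256 for RSA-2048); the
    article does not state the key size, so the caller supplies it."""
    if rsa_blob_len <= 0 or not looks_like_danabot(packet):
        return None
    body = packet[HEADER_LEN:]
    if len(body) < PAD_FIELD_LEN + rsa_blob_len:
        return None
    ciphertext = body[:-(PAD_FIELD_LEN + rsa_blob_len)]
    pad_len = struct.unpack_from("<I", body, len(ciphertext))[0]
    rsa_blob = body[-rsa_blob_len:]
    if len(ciphertext) % 16 or not 0 <= pad_len <= 16:  # AES block size is 16
        return None
    return ciphertext, pad_len, rsa_blob

def build_packet(ciphertext: bytes, pad_len: int, rsa_blob: bytes, random_value: int) -> bytes:
    """Assemble a packet in the described layout (for constructed test data only)."""
    body = ciphertext + struct.pack("<I", pad_len) + rsa_blob
    checksum = (len(body) + random_value) & MASK64
    return struct.pack("<QQQ", len(body), random_value, checksum) + body
```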

Packet data layout

The former packet data layout was detailed by Proofpoint in October 2018. In the latest version of DanaBot, the layout is slightly modified, as seen in Figure 4.

Figure 4 – Comparison of packet data layout in DanaBot’s previous and latest version

Changes in DanaBot architecture

Besides the changed communication protocol, DanaBot has also undergone some changes in architecture. The previous versions of DanaBot included a component that downloaded and executed the main module. The main module then downloaded and executed plugins and configurations.

The latest version shifts both these responsibilities to a new loader component, which is used to download all plugins along with the main module. Persistence is achieved by registering the loader component as a service.

Figure 5 – Comparison of architecture in DanaBot’s previous and latest version

According to our analysis, the loader component uses the following commands:

  • 0x12C – Hello. First command sent by client to server
  • 0x12D – Download 32/64-bit launcher component
  • 0x12E – Request list of plugins and configuration files
  • 0x12F – Download plugin/configuration files

Downloaded plugins and configuration files are encrypted using an AES key derived from the Client ID. In addition to that, plugins are compressed in ZIP format using LZMA compression, whereas configuration files are compressed using zlib.

Commands with ID numbers 0x130 – 0x134 are sent by the main module:

  • 0x130 – Upload collected information to C&C server (e.g., screenshot of a victim’s computer; system information)
  • 0x131 – Upload collected information to C&C server (e.g., list of files on the victim’s hard disk)
  • 0x132 – Ask C&C server for further commands; there are around 30 available commands typical of backdoors, including launching plugins, gathering detailed system information and modifying files on client system
  • 0x133 – Update C&C server list via Tor proxy
  • 0x134 – Exact purpose unknown; most likely used for communication between plugins and C&C

Changes in campaign IDs

Previous research has suggested that DanaBot is distributed under various “affiliate” or “campaign” IDs.

In the previous version of DanaBot, almost 20 different campaign IDs were used. In the latest version, campaign IDs have changed slightly. As of February 5, 2019, we are seeing the following IDs in the wild:

  • ID=2 appears to be a test version, serving a limited number of configuration files and no webinjects
  • ID=3 is being actively spread, targeting users in both Poland and Italy, serving all configuration files and webinjects for both Polish and Italian targets
  • ID=5 serves configuration files for Australian targets
  • ID=7 is being spread only in Poland, serving webinjects for Polish targets
  • ID=9 appears to be another test version, with limited spread and no specific targeting, serving a limited number of configuration files and no webinjects

In 2018, we observed DanaBot expanding in both distribution and functionality. The beginning of 2019 has seen the Trojan undergo “internal” changes, indicating active development by its authors. The latest updates suggest the authors are making an effort to evade detection at the network level, and possibly paying attention to published research and making changes to stay ahead of defenders.

ESET systems detect and block all DanaBot components and plugins under detection names listed in the IoCs section.

This research was carried out by Kaspars Osis, Tomáš Procházka and Michal Kolář.

Indicators of Compromise (IoCs)

C&C servers used by the new version of DanaBot


Webinject and redirect servers

  • 47.74.249[.]106
  • 95.179.227[.]160
  • 185.158.249[.]144

Example hashes

Note that since new builds of DanaBot’s components are released regularly, we provide just a sampling of hashes.

Component                   | SHA-1                                    | ESET detection name
Loader (x86), campaign ID=3 | 0DF17562844B7A0A0170C9830921C3442D59C73C | Win32/Spy.Danabot.L
Loader (x64), campaign ID=3 | B816E90E9B71C85539EA3BB897E4F234A0422F85 | Win64/Spy.Danabot.G
Loader (x86), campaign ID=9 | 5F085B19657D2511A89F3172B7887CE29FC70792 | Win32/Spy.Danabot.I
Loader (x64), campaign ID=9 | 4075375A08273E65C223116ECD2CEF903BA97B1E | Win64/Spy.Danabot.F
Main module (x86)           | 28139782562B0E4CAB7F7885ECA75DFCA5E1D570 | Win32/Spy.Danabot.K
Main module (x64)           | B1FF7285B49F36FE8D65E7B896FCCDB1618EAA4B | Win64/Spy.Danabot.C

Plugin        | SHA-1                                    | ESET detection name
Stealer (x86) | E50A03D12DDAC6EA626718286650B9BB858B2E69 | Win32/Spy.Danabot.C
Stealer (x64) | 9B0EC454401023DF6D3D4903735301BA669AADD1 | Win64/Spy.Danabot.E

7 Feb 2019 – 12:00PM

Google rolls out Chrome extension to warn you about compromised logins


The new tool aims to help in an age when billions of login credentials are floating around the internet

Google has released a new extension for Chrome that will alert you if one of your username/password combinations is known to be already out ‘in the wild’, according to the company’s blog post.

Whenever you enter your login details on a site, the extension, called Password Checkup, will compare the data against a database of four billion credentials that it knows have been compromised over the years. If a match is found, the tool will display a red alert box and suggest that you should change your password.

To dispel concerns about the security of the data being checked, Google emphasized in its Security blog that Password Checkup scrambles all credentials with hashing and encryption, thus protecting them from ne’er-do-wells. Google also gave assurances that people’s login details are never revealed to the company itself, either.
“Password Checkup was designed jointly with cryptography experts at Stanford University to ensure that Google never learns your username or password, and that any breach data stays safe from wider exposure,” reads the blog post. Google also made clear that the final check to see if there’s a match takes place on the user’s machine.

There are several freely available services on the internet, including Have I Been Pwned, the Identity Leak Checker and Firefox Monitor, that offer to check whether your credentials or other personal details have been compromised in one of the numerous breaches that occur every year.

For guidance about how you can create robust and unique passwords, you may want to read one of our pieces below. Needless to say, two-factor authentication is an effortless way to improve your account security.

  • How to create strong passwords (without driving yourself mad)
  • Bad password choices: don’t miss the point
  • No more pointless password requirements
  • Forget about passwords: You need a passphrase!
  • Recycling is a must, but why would you reuse your password?

6 Feb 2019 – 06:36PM

European Commission orders recall of children’s smartwatch over privacy concerns


The watch has been found to expose its wearers to a high level of risk of being contacted and monitored by attackers

The European Commission has issued a recall order for a smartwatch aimed at children due to concerns that it represents a serious risk for the privacy and security of its wearers.

The watch, called Safe-KID-One and marketed by German company ENOX Group, is sold as “a high-tech SIM/GPS safety and surveillance smart watch for kids”. It is fitted with a range of features, including a GPS tracker, a speaker and microphone, and calling and SMS functionalities.

According to the product sheet, parents can use the companion mobile app, available both for iPhones and Android-powered devices, to locate and follow their kids “almost to the meter”, as well as record and play back their movements over a given period of time. “You can draw up a ‘geographical fence’ around the kid, and, if it leaves this area, you will immediately be notified/warned,” reads the product sheet.

However, the European Commission has concluded that the security side of things leaves much to be desired, deeming the level of risk associated with the watch “serious”. The EU’s executive arm has found Safe-KID-One to be at odds with the EU’s Radio Equipment Directive, prompting it to enjoin public authorities across Europe to recall the product from end users.

“The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data. Consequently, the data such as location history, phone numbers, serial number can easily be retrieved and changed. A malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS,” reads the recall order in the Rapid Alert System for Non-Food Products (RAPEX), a system used by EU and European Economic Area (EEA) countries for a quick exchange of information about dangerous non-food products.

The watch as shown in the RAPEX alert

ZDNet noted that this is the first time that EU authorities have issued a recall order for a product over privacy or security issues.

In response to the decision, an ENOX representative was quoted as saying by The Register that the company’s watch had passed a test by Germany’s Federal Network Agency. “This RAPEX announcement [is based] on a test in Iceland. We think this test was excessive – not reasonable, material or fair – or, based on a misunderstanding or the wrong product (a previous version of the product, which is not in the market anymore),” said the company.

At any rate, concerns over smart tech for kids have been raised, and acted on, before. For example, Germany introduced a blanket ban on smartwatches aimed at children in late 2017 due to worries that the gear can be used as spying devices. In June 2018, security and privacy concerns prompted major online retailers to stop selling a network-connected family of toys called CloudPets.

To learn a bit more about the privacy and security implications of wearables, you may want to read, for example, How secure is your smartwatch? or Wearables: where’s the security risk?

5 Feb 2019 – 04:27PM