Showing posts with label malware. Show all posts

Sunday, June 7, 2020

New Tycoon Ransomware Targets Windows and Linux Systems

Tycoon Ransomware
Security researchers have identified a new ransomware family that targets both Windows and Linux systems. The ransomware, named Tycoon, has been used against organisations in several industries. It was discovered and named by the BlackBerry Research and Intelligence Team working with KPMG's UK Cyber Response Services. According to them, this strain has been hitting small and medium-sized businesses in the software industry and educational institutions alike. What makes it notable is that one code base runs on two platforms, Linux and Windows, the two most widely deployed server systems.

More on Tycoon ransomware: 


The team also found that the malware is deployed by hand. The operators first reach a target network through an exposed RDP server and log in with local credentials, then work their way through individual systems. Once they have access, they uninstall or disable any antivirus software on the system. Shortly afterwards they install ProcessHacker, a legitimate process-management utility that can be used to kill security and backup processes before the encryption starts.
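The deployment chain above (an RDP logon followed by the operator running ProcessHacker under the same account on the same host) is something a SOC can look for in Windows Security event logs. The script below is an added example, not code from BlackBerry, KPMG or this blog: it correlates logon events (4624 with LogonType 10, which is RemoteInteractive) with process-creation events (4688) over a constructed JSON-lines export. The host names, users, addresses and times in the sample are made up for the demo, and the list of suspect tool names is a starting point you would extend.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real telemetry: a JSON-lines export of Windows Security
# events (4624 = logon, 4688 = process creation). Field names follow the Windows
# event schema; hosts, users, addresses and times are made up for the demo.
SAMPLE_EVENTS = r"""
{"ts":"2020-05-12T01:02:10","host":"SRV01","id":4624,"LogonType":10,"TargetUserName":"backupadmin","IpAddress":"198.51.100.7"}
{"ts":"2020-05-12T01:05:42","host":"SRV01","id":4688,"SubjectUserName":"backupadmin","NewProcessName":"C:\\Users\\backupadmin\\Downloads\\ProcessHacker.exe"}
{"ts":"2020-05-12T09:30:00","host":"WS22","id":4624,"LogonType":2,"TargetUserName":"alice","IpAddress":"-"}
{"ts":"2020-05-12T09:31:00","host":"WS22","id":4688,"SubjectUserName":"alice","NewProcessName":"C:\\Windows\\System32\\notepad.exe"}
{"ts":"2020-05-13T14:00:00","host":"SRV02","id":4688,"SubjectUserName":"svc_build","NewProcessName":"C:\\Tools\\ProcessHacker.exe"}
"""

RDP_LOGON_TYPE = 10                      # LogonType 10 = RemoteInteractive, i.e. an RDP session
SUSPECT_TOOLS = {"processhacker.exe"}    # process names worth alerting on after an RDP logon
WINDOW = timedelta(hours=2)              # how long after the logon a tool launch still counts


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def basename_lower(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def correlate_rdp_to_tool(events, window=WINDOW):
    """Alert when a suspect tool is started on a host by an account that logged in
    over RDP within `window` beforehand. Returns a list of alert dicts."""
    logons = defaultdict(list)           # (host, user) -> RDP logon events seen so far
    alerts = []
    for e in events:
        if e["id"] == 4624 and e.get("LogonType") == RDP_LOGON_TYPE:
            logons[(e["host"], e["TargetUserName"].lower())].append(e)
        elif e["id"] == 4688:
            tool = basename_lower(e["NewProcessName"])
            if tool not in SUSPECT_TOOLS:
                continue
            key = (e["host"], e["SubjectUserName"].lower())
            # newest logon first, so the tool is attributed to the most recent RDP session
            for logon in reversed(logons.get(key, [])):
                if timedelta(0) <= e["ts"] - logon["ts"] <= window:
                    alerts.append({"host": e["host"], "user": key[1],
                                   "source_ip": logon["IpAddress"],
                                   "logon_at": logon["ts"], "tool": tool, "tool_at": e["ts"]})
                    break
    return alerts


if __name__ == "__main__":
    for a in correlate_rdp_to_tool(parse_events(SAMPLE_EVENTS)):
        minutes = (a["tool_at"] - a["logon_at"]).seconds // 60
        print(f"{a['host']}: {a['user']} from {a['source_ip']} ran {a['tool']} "
              f"{minutes} min after RDP logon")
```

Only the SRV01 sequence produces an alert. The ProcessHacker launch on SRV02 has no preceding RDP logon and is deliberately not matched by this rule; in practice it deserves its own lower-severity rule, as does the uninstalling of antivirus software that the researchers describe (service-stop and MSI uninstall events), which this example does not cover.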

What does Tycoon ransomware do? 


Once Tycoon has been launched on a system, it encrypts the files on the server and leaves a ransom demand for the victim. Because the same malware runs on both Linux and Windows, a single intrusion can reach most of the machines in a mixed environment.

The BlackBerry researchers also note that malware authors increasingly turn to less common programming languages to stay under the radar, which is why Java and Go now show up regularly in malware. This, however, is the first time they have seen malware that abuses the Java JIMAGE format to package itself as a custom JRE build.

The JRE Build: 


Tycoon is delivered as a trojanized Java Runtime Environment (JRE). The malicious Java modules are stored in a JIMAGE file, the format the JVM uses for its own runtime image (the lib/modules file that ships with every JDK and JRE since Java 9). The format is essentially an internal detail of the JDK, sparsely documented and rarely handled by developers directly, so security products did not inspect it, and the ransomware could ride along inside what looked like a legitimate Java installation.
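A practical consequence of the above is that a JIMAGE file anywhere other than the lib/modules file of a JDK or JRE you actually installed is worth a look. The script below is an added example and not code from the researchers or this blog. It recognises the JIMAGE header by its magic value (0xCAFEDADA, which the JDK writes in the machine's native byte order, so both orders are checked), reports the header fields, and flags any such file that is not at the expected location under a known JDK root. The demo tree it builds, including the dropped "jre" under a Public folder, is constructed for the example; the header it writes is just the 28-byte header with no resource body.

```python
import os
import struct
import tempfile

JIMAGE_MAGIC = 0xCAFEDADA   # ImageHeader::MAGIC in the JDK's jimage.hpp
JIMAGE_HEADER_LEN = 28      # seven u4 fields, written in the producing machine's byte order


def parse_jimage_header(data):
    """Return the header fields if data starts with a JIMAGE header (either byte order), else None."""
    if len(data) < JIMAGE_HEADER_LEN:
        return None
    for order, name in (("<", "little"), (">", "big")):
        magic, version, flags, resources, table_len, loc_size, str_size = struct.unpack(
            order + "7I", data[:JIMAGE_HEADER_LEN])
        if magic == JIMAGE_MAGIC:
            return {"byte_order": name, "major": version >> 16, "minor": version & 0xFFFF,
                    "flags": flags, "resource_count": resources, "table_length": table_len,
                    "locations_size": loc_size, "strings_size": str_size}
    return None


def is_expected_location(path, jdk_roots):
    """A JIMAGE file normally lives only at <jdk>/lib/modules of an installed JDK or JRE."""
    path = os.path.abspath(path)
    return any(path == os.path.join(os.path.abspath(root), "lib", "modules") for root in jdk_roots)


def scan_for_jimages(scan_root, jdk_roots):
    """Walk scan_root and return every file with a JIMAGE header, marking unexpected locations."""
    findings = []
    for dirpath, _, files in os.walk(scan_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    head = f.read(JIMAGE_HEADER_LEN)
            except OSError:
                continue          # unreadable file: skip rather than abort the scan
            hdr = parse_jimage_header(head)
            if hdr:
                findings.append({"path": path, "expected": is_expected_location(path, jdk_roots), **hdr})
    return findings


def make_fake_jimage(byte_order="<", resources=3):
    """Constructed 28-byte JIMAGE header (version 1.0) with no body; enough for the magic check."""
    return struct.pack(byte_order + "7I", JIMAGE_MAGIC, (1 << 16) | 0, 0, resources, 4, 0, 0)


def build_demo_tree():
    """Constructed directory tree: one legitimate JDK and one JRE dropped in a Public folder."""
    root = tempfile.mkdtemp()
    jdk = os.path.join(root, "jdk-11")
    os.makedirs(os.path.join(jdk, "lib"))
    with open(os.path.join(jdk, "lib", "modules"), "wb") as f:
        f.write(make_fake_jimage())
    dropped = os.path.join(root, "Users", "Public", "jre", "lib")
    os.makedirs(dropped)
    with open(os.path.join(dropped, "modules"), "wb") as f:
        f.write(make_fake_jimage(">"))            # big-endian header, still recognised
    with open(os.path.join(root, "Users", "Public", "readme.txt"), "wb") as f:
        f.write(b"nothing to see here")
    return root, [jdk]


if __name__ == "__main__":
    scan_root, known_jdks = build_demo_tree()
    for hit in scan_for_jimages(scan_root, known_jdks):
        status = "ok" if hit["expected"] else "UNEXPECTED"
        print(f"{status}: {hit['path']} (v{hit['major']}.{hit['minor']}, "
              f"{hit['resource_count']} resources, {hit['byte_order']}-endian)")
```

The magic check is only the first step: a trojanized JRE will still have its JIMAGE at lib/modules, just under a directory nobody installed, which is why the list of known JDK roots (from your software inventory) does the real work. A real scan would also run with the right privileges and skip large files quickly, since only the first 28 bytes are read.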

How far has Tycoon ransomware reached? 


The researchers say the malware has been active for at least six months, but the number of known attacks is small, which points to targeted intrusions rather than mass distribution. It also suggests the operators are still trying different ways of getting onto a host to see which works best.

Why the Name Tycoon? 


The ransomware was named "Tycoon" after the researchers found several references to that word in its code. It has been in use since 2019 and is aimed at specific targets.

Using a trojanized JRE and the JIMAGE format to smuggle malware onto systems is very unusual; the researchers had not seen the technique before. Gaining access is only the first step: the operators also remove any existing antivirus software before the ransomware is deployed.

Friday, October 5, 2018

Fruitfly Mac Malware: How to Protect Yourself from Undetected Malware

Fruitfly Mac Malware
credit:NJCCIC
Did you know that for about 15 years a piece of malware hovered over Mac systems without being detected? Fruitfly is the Mac malware that went unnoticed for that long.

If you have not been following the Fruitfly story, here is a brief summary together with the latest news.

Fruitfly Latest Update: 


The FBI has finally solved the 15-year Fruitfly mystery. The malware was created by an Ohio man to take control of his victims' Mac computers.

The attacker stole files, logged keystrokes, secretly watched victims through their webcams and listened in on their private conversations. According to the FBI, he wrote Fruitfly in 2003, when he was just 14 years old, and kept using it until his arrest in 2017.

The strange part is that even up-to-date Mac antivirus programs never detected Fruitfly on any of the victims' computers. Experts also could not work out how it operated or how its creator spread it among Mac users.

According to the FBI, the accused used a port scanner to find internet-connected Macs with weak passwords, logged into them remotely through the exposed service ports, and then installed and hid Fruitfly on those computers without the owners' knowledge.

If the term "Fruitfly Mac malware" is new to you, you may be wondering what Fruitfly is and what a fruit fly has to do with Macs.

Don't worry: this post covers everything you need to know about the Fruitfly Mac malware.

What is Fruitfly Malware? 


Fruitfly is stealthy but highly invasive malware for Macs. As noted above, it was around for almost 15 years, and Mac antivirus and anti-malware products never caught it.

How Fruitfly was discovered: 


This highly invasive malware was first publicly described in January 2017, in a blog post from Malwarebytes that brought its existence to light.

In that post, the author explained how Fruitfly infects Macs and noted that it can capture screenshots, log keystrokes and control the webcam. He also pointed out that the malware's operator has full access to every infected machine.

At the time of discovery, they suspected the malware had been around since at least 2014, because the code contained references to OS X Yosemite. It has since emerged that it was first written in 2003 by a 14-year-old. More on him below.

The post also said the malware had been found targeting biomedical research centers, and that this first version was quite unsophisticated: it persisted with just a hidden file and a launch agent that kept the Mac infected.

New variants of Fruitfly emerge: 


After the first discovery, many experts tried to analyse the malware but could not fully crack it. At some point, everyone assumed that a new Apple update had dealt with the problem.

But new variants of Fruitfly emerged and infected a large number of computers. The new version also went undetected by antivirus software, which let the malware spread even further.

In July 2017, former NSA hacker Patrick Wardle published an in-depth analysis of the latest variant and revealed some interesting details. He noted that although the code is relatively simple, the malware has full control over the system, and because it does not noticeably slow the machine or otherwise draw attention to itself, it stayed undetected.

During that research, Wardle worked out the malware's command-and-control protocol and the server addresses it used. By registering one of its backup domains, he saw more than 400 infected Macs connect to him. Since all he could see were those victims' IP addresses and usernames, he did not publish anything about them and instead passed the information to law enforcement.

He said that, from the sample alone, there was no way to tell how the malware got onto victims' computers. One likely route is a malicious email attachment, although the FBI's account above points to remote logins over weakly protected network services.

Who’s the mysterious man behind the Fruitfly? 


At that point, even with all the information he had collected, he could not do much more, because the operator's own servers had already gone offline. Wardle did conclude that he was dealing with a single hacker rather than a team. That person has since been caught in the FBI investigation and is behind bars.

We cannot share much about him, as only limited information is public, but we can say that he is from Ohio and that he wrote the malware in 2003.

Who is affected by fruitfly: 


As noted above, Fruitfly infected more than 400 Macs that connected to a single server, and the real total could well be higher. You do not have to panic, though, because you can protect yourself from this kind of attack. The rest of this post explains how to protect against Fruitfly and similar malware.

How to protect yourself from fruitfly: 


Apple has since updated its built-in XProtect signatures to block the known Fruitfly variants. But new versions may appear, so be careful with email attachments and spam.
Do not open spam or mail from unknown senders. Beyond that, use strong passwords on every account and service exposed to the network, because the attacker got in by logging into remotely accessible Macs that had weak passwords, and switch off remote-access services such as Screen Sharing and Remote Login unless you actually need them.

Now that the samples are known, antivirus vendors have added detections for them, so current anti-malware or antivirus software can find this type of malware quickly.

What the Fruitfly malware looks like: 


If you are technically minded and want to see what the malware consists of, its files are listed below. These details were first published in the Malwarebytes blog post; we reproduce them here only to show what Fruitfly looks like on disk.

On the surface the malware was extremely simple, consisting of only two files:

~/.client
SHA256:
ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044

~/Library/LaunchAgents/com.client.client.plist
SHA256: 
83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3

The full code is shown in the Malwarebytes post. That is all about the Fruitfly Mac malware.

Conclusion: 


Because Fruitfly can now be detected by anti-malware tools, you can stay protected from it. Along with that, a strong, unique password on every account and remote service will protect you from many malicious programs.

I hope I have covered every aspect of the Fruitfly Mac malware. If you have any questions, let us know in the comments section below.

Tuesday, July 12, 2016

How to find out if your Mac is infected with Backdoor.MAC.Eleanor


Malware – Backdoor MAC Eleanor


Bitdefender recently announced that its researchers had found new malware targeting Macs. The malware, called Backdoor.MAC.Eleanor, can completely compromise your system: while it is present, attackers can steal files, execute code, control the webcam and much more. Attackers routinely look for the path of least resistance, and in many cases users are caught unaware.

It comes packaged inside what looks like a legitimate file-converter application called EasyDoc Converter. The application does not actually convert anything. Once installed, it runs a malicious script that sets up a Tor hidden service, giving attackers remote access to and control of the infected machine.

The script also starts a web service through which attackers can manipulate files, list running processes and applications, execute commands and scripts, and send emails with attachments. The malware bundles a tool called `wacaw' as well, which lets an attacker capture video and still images with the built-in webcam.

Packaged in EasyDoc Converter Application


Bitdefender warns that an attacker with this access could lock you out of your laptop and blackmail you to restore your private files, or turn your laptop into part of a botnet that attacks other devices. Since the malware has only been found packaged in the EasyDoc Converter application, a machine is affected only if the user downloaded, installed and ran that application.

An extra Mac security measure, Gatekeeper (found in System Preferences under Security & Privacy), helps here. By default it stops unsigned applications from unidentified developers from running. If you download an unsigned application from outside the Mac App Store and try to run it, you get a prompt stating that the application can't be opened.

So unless you have disabled Gatekeeper, a prompt appears when you try to run the downloaded application, and to open it you must deliberately override the security settings the first time it runs.

Malwarebytes/Sophos – Detect Backdoor MAC Eleanor


Your Mac is not infected with Backdoor.MAC.Eleanor if you did not download the application or did not bypass Gatekeeper to run it. If you did either, your Mac may well be infected. If you still have access to your Mac, Malwarebytes and Sophos have already updated their products to detect Backdoor.MAC.Eleanor, and other antivirus products that scan for malware should follow shortly.

To rid your Mac of the malware, download Malwarebytes Anti-Malware for Mac or Sophos Home and run a scan immediately, deleting any related files. To avoid such situations in future, keep Gatekeeper set to allow only applications from the Mac App Store and identified developers. If you must install an application from an unidentified developer, make sure it comes from a trusted source.
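Both Eleanor, as described in this post, and Fruitfly, in the post above, persist through a launch agent in the user's Library/LaunchAgents folder, and both point it at something a normal agent never runs: a hidden dotfile in the home folder in Fruitfly's case, a Tor hidden service and the wacaw webcam tool in Eleanor's. The script below is an added example, not code from Bitdefender, Malwarebytes or this blog. It parses every launch agent plist, hashes the plist and the program it starts against the two Fruitfly SHA-256 values quoted in the Fruitfly post, and applies a few heuristics (program under a hidden path, tor or wacaw on the command line, a HiddenService option). The home folder it builds is constructed for the demo: the files are placeholders, the com.example.* labels are made up, and only the com.client.client label and the ~/.client path come from the Fruitfly post.

```python
import hashlib
import os
import plistlib
import tempfile
from dataclasses import dataclass, field

# SHA-256 values of the two Fruitfly files as published by Malwarebytes (quoted in the Fruitfly post).
KNOWN_BAD_SHA256 = {
    "ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044": "Fruitfly ~/.client",
    "83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3": "Fruitfly com.client.client.plist",
}
# Programs a user launch agent has no business starting (Eleanor dropped a Tor hidden service and wacaw).
SUSPICIOUS_PROGRAMS = {"tor", "wacaw"}


@dataclass
class Finding:
    plist_path: str
    label: str
    program: str
    reasons: list = field(default_factory=list)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def analyze_agent(plist_path):
    """Inspect one launchd agent plist; the returned Finding has reasons only if it looks suspicious."""
    with open(plist_path, "rb") as f:
        agent = plistlib.load(f)
    args = agent.get("ProgramArguments") or []
    program = agent.get("Program") or (args[0] if args else "")
    finding = Finding(plist_path, agent.get("Label", "<no label>"), program)
    r = finding.reasons
    tag = KNOWN_BAD_SHA256.get(sha256_file(plist_path))
    if tag:
        r.append(f"plist hash matches known IOC: {tag}")
    if program and os.path.isfile(program):
        tag = KNOWN_BAD_SHA256.get(sha256_file(program))
        if tag:
            r.append(f"program hash matches known IOC: {tag}")
    parts = [p for p in program.replace("\\", "/").split("/") if p]
    if any(p.startswith(".") for p in parts):
        r.append("program lives under a hidden (dot) path")
    names = {os.path.basename(a).lower() for a in args}
    if names & SUSPICIOUS_PROGRAMS:
        r.append("launches " + ", ".join(sorted(names & SUSPICIOUS_PROGRAMS)))
    if any("hiddenservice" in a.lower() for a in args):
        r.append("arguments reference a Tor hidden service")
    # RunAtLoad + KeepAlive is normal for legitimate agents too, so it is only noted alongside other reasons
    if r and agent.get("RunAtLoad") and agent.get("KeepAlive"):
        r.append("RunAtLoad + KeepAlive: restarted automatically if killed")
    return finding


def hunt_launch_agents(home):
    """Return findings for every suspicious agent under <home>/Library/LaunchAgents."""
    agents_dir = os.path.join(home, "Library", "LaunchAgents")
    findings = []
    if os.path.isdir(agents_dir):
        for name in sorted(os.listdir(agents_dir)):
            if name.endswith(".plist"):
                finding = analyze_agent(os.path.join(agents_dir, name))
                if finding.reasons:
                    findings.append(finding)
    return findings


def build_demo_home():
    """Constructed stand-in for a user's home folder; the files are placeholders, not real malware."""
    home = tempfile.mkdtemp()
    agents = os.path.join(home, "Library", "LaunchAgents")
    hidden = os.path.join(home, "Library", ".hidden")
    os.makedirs(agents)
    os.makedirs(hidden)
    client = os.path.join(home, ".client")
    with open(client, "w") as f:
        f.write("#!/usr/bin/perl\n# placeholder standing in for Fruitfly's ~/.client\n")
    tor = os.path.join(hidden, "tor")
    with open(tor, "w") as f:
        f.write("#!/bin/sh\n# placeholder standing in for a dropped tor binary\n")
    demo_agents = {
        # Fruitfly-style: hidden dotfile in $HOME, same label as the real sample
        "com.client.client.plist": {"Label": "com.client.client", "ProgramArguments": [client],
                                    "RunAtLoad": True, "KeepAlive": True},
        # Eleanor-style: tor started from a hidden directory with a hidden-service config (label made up)
        "com.example.helper.plist": {"Label": "com.example.helper",
                                     "ProgramArguments": [tor, "-f", os.path.join(hidden, "torrc"),
                                                          "HiddenServiceDir", os.path.join(hidden, "hs")],
                                     "RunAtLoad": True, "KeepAlive": True},
        # Benign: an ordinary updater agent that should not be reported
        "com.example.updater.plist": {"Label": "com.example.updater",
                                      "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater",
                                                           "--check"],
                                      "RunAtLoad": True},
    }
    for name, body in demo_agents.items():
        with open(os.path.join(agents, name), "wb") as f:
            plistlib.dump(body, f)
    return home


if __name__ == "__main__":
    for finding in hunt_launch_agents(build_demo_home()):
        print(f"{finding.label}: {finding.program}")
        for reason in finding.reasons:
            print("   -", reason)
```

On a real Mac you would run this against the actual home folder (and, with root, against /Library/LaunchAgents and /Library/LaunchDaemons), and the placeholder files will of course not match the published hashes; the heuristics are what catch a variant with new hashes, which is exactly how the later Fruitfly variants slipped past signature-based tools.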

Monday, September 7, 2015

Chinese iPhone Users Hit by 'KeyRaider' Malware

Keyraider
The iPhone has kept a strong security record over its eight years and is arguably the most secure smartphone to date. Yet many people jailbreak their iPhones to install apps from third-party stores. Jailbreaking seriously weakens security, because it removes the system protections Apple builds into the iPhone. A piece of malware has now succeeded in stealing login names and passwords for more than 225,000 Apple accounts in China.

A security firm finds a rogue malware in iPhone devices

A security firm, Palo Alto Networks, was investigating suspicious activity on a large number of Apple devices when it came across a malware family that had been specifically targeting jailbroken iPhones for some time.

The malware is called KeyRaider and has affected a large number of iPhone users in China and 17 other countries.

How KeyRaider affected the iPhone users?

The malware hides inside jailbreak tweak packages that modify the iPhone's operating system; once a user downloads and installs such a package, KeyRaider is installed along with it. It is designed to intercept the user's iTunes login details and upload them to a remote server.

After stealing the user's iTunes credentials and payment information, the attackers use them to install paid apps on other iOS devices. Palo Alto Networks also found a separate app that lets its users install paid apps from the Apple App Store free of charge; it has been downloaded more than 20,000 times, and the purchases made through it are billed to KeyRaider's victims.

How serious is this attack?

For most iPhone users KeyRaider is not a big issue, as long as they install only apps approved for Apple's App Store. Most iPhones are not jailbroken, but users who have jailbroken their devices should certainly worry about KeyRaider, since it can easily steal their login names, passwords and more.

People already hit by KeyRaider may find themselves charged for someone else's stolen iPhone apps. The firm also reported evidence that in some cases the malware was used to lock the phone and demand a ransom.

Beware of third-party app stores

Apple is the third most popular phone brand in China after Huawei and Xiaomi, according to IDC. Apple's App Store has many security checks in place that keep malicious apps out of the store and protect iPhone users, but third-party app stores do not have similar checks and controls, which results in the distribution of malicious software.

Tuesday, October 15, 2013

A security expert creates undetectable malware on Mac OS X



malware on Mac OS X
Macs are no longer the island of security people wanted to believe they were. Malware for Mac OS X exists and is becoming more common. One researcher has even found a "simple" way to make it undetectable. In April 2012, the Flashback botnet punctured the Mac community's feeling of invulnerability; for years it had felt safe from viruses and other malware.

It is a sign of changing times: as Apple's market share grows, professional cybercriminals follow. Attacks go where the return on investment is best, and Apple computers are increasingly chosen for the value of their targets. Since Flashback, new Mac OS X malware has appeared without causing as much damage, but each time it demonstrates that the "impregnable" fortress is no longer one, or never was.

A few days ago, Daniel Pistelli, a security researcher at the German company Cerbero, announced a proof of concept with important consequences: it is possible to create malware for Mac OS X that none of the security products on the system can detect.

To do this, he used a mechanism Apple built into Mac OS X to encrypt, and so protect, the executables of its own in-house applications such as Dock.app or Finder.app. The same encryption can equally well be used to "protect" a malicious executable, he wrote in a post on his company's blog. Security software is then unable to detect the malware, because its code is encrypted, even if it recognized the same sample before.

To address the proof of concept he unveiled, Pistelli suggested several approaches in his post. The first is that antivirus products include a decryption mechanism, so that they can still recognize malware inside protected binaries. The second is that security tools look for encrypted code segments and, when they find them, trust only executables signed by Apple itself. The third, in the event of a discovery of encrypted code, is for the antivirus to allow only executables whose cryptographic signature matches a trusted key.
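The second and third suggestions both start from the same check: finding out whether a binary carries a "protected" (encrypted) segment at all. In a Mach-O file that is a flag on the segment load command, SG_PROTECTED_VERSION_1 (0x8) in <mach-o/loader.h>, which is the same flag Apple's own protected binaries carry. The parser below is an added example written for this post, not Pistelli's code or Cerbero's: it walks the load commands of a thin Mach-O image in either byte order and returns the names of segments with that flag set, so a scanner can treat an unsigned binary with a protected __TEXT as suspect. The sample image it builds is constructed, containing only a header and two segment commands with no code behind them; fat (universal) binaries are rejected and would need splitting first.

```python
import struct

MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE          # 32-bit header, native / byte-swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE    # 64-bit header, native / byte-swapped
FAT_MAGICS = (0xCAFEBABE, 0xBEBAFECA)                # universal binary wrapper, either order
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
SG_PROTECTED_VERSION_1 = 0x8   # segment flag from <mach-o/loader.h>: contents are encrypted ("protected")


def protected_segments(data):
    """Return the names of segments carrying SG_PROTECTED_VERSION_1 in a thin Mach-O image."""
    if len(data) < 28:
        raise ValueError("too short for a Mach-O header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in FAT_MAGICS:
        raise ValueError("fat/universal binary: split the architectures first (e.g. with lipo)")
    if magic in (MH_MAGIC_64, MH_CIGAM_64):
        is64, order = True, ("<" if magic == MH_MAGIC_64 else ">")
    elif magic in (MH_MAGIC, MH_CIGAM):
        is64, order = False, ("<" if magic == MH_MAGIC else ">")
    else:
        raise ValueError("not a Mach-O image")
    header_len = 32 if is64 else 28                  # mach_header_64 has an extra reserved field
    seg_cmd, seg_len = (LC_SEGMENT_64, 72) if is64 else (LC_SEGMENT, 56)
    ncmds, sizeofcmds = struct.unpack(order + "II", data[16:24])
    end = header_len + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past the end of the file")
    off, found = header_len, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack(order + "II", data[off:off + 8])
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command")
        if cmd == seg_cmd and cmdsize >= seg_len:
            segname = data[off + 8:off + 24].split(b"\0", 1)[0].decode("ascii", "replace")
            # flags is the last u4 of segment_command / segment_command_64
            flags = struct.unpack(order + "I", data[off + seg_len - 4:off + seg_len])[0]
            if flags & SG_PROTECTED_VERSION_1:
                found.append(segname)
        off += cmdsize
    return found


def build_demo_macho(protect_text=True):
    """Constructed minimal x86_64 Mach-O: header plus __TEXT and __DATA segment commands, no code."""
    CPU_TYPE_X86_64, CPU_SUBTYPE_X86_64_ALL, MH_EXECUTE = 0x01000007, 3, 2

    def segment(name, vmaddr, flags):
        # cmd, cmdsize, segname[16], vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags
        return struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, name,
                           vmaddr, 0x1000, 0, 0x1000, 7, 5, 0, flags)

    cmds = (segment(b"__TEXT", 0x100000000, SG_PROTECTED_VERSION_1 if protect_text else 0)
            + segment(b"__DATA", 0x100001000, 0))
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_X86_64, CPU_SUBTYPE_X86_64_ALL,
                         MH_EXECUTE, 2, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    for protect in (True, False):
        segs = protected_segments(build_demo_macho(protect))
        print("protected segments:", segs or "none")
```

A finding from this check is not a verdict on its own: Apple's own protected applications legitimately carry the flag. The point of Pistelli's second suggestion is the combination, a protected segment in a binary whose code signature does not chain to Apple, so the next step after this parser is the signature check.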

Saturday, April 28, 2012

Interview: Flashback and the mechanics of a malware


The recent return of the Flashback malware to the news has put the security issues around the Mac back in the spotlight. 

But there are other interesting aspects to this story: how this type of software operates, what methods security vendors use to analyse it, and how the variation in the reported infection numbers can be explained. 

Our questions were answered by Philip Devallois, Senior Security Analyst at Intego and, as such, head of its laboratory.