
Collection 1 data breach: what you need to know – Hackers University


Yesterday, news broke that the largest data dump in history had been discovered, with more than 770 million people’s Personally Identifiable Information (PII) decrypted, catalogued, and up for grabs on the Internet. The files, which are being dubbed Collection 1, were originally found on cloud service MEGA, and later posted to a popular hacking forum.

The Collection 1 folder contains more than 12,000 files and is a whopping 87 gigabytes large.

While on paper this sounds beyond alarming, the truth is much more nuanced. The collection is composed of data pulled together from multiple breaches and leaks, many of which contain email addresses and passwords that are at least two to three years old. Security researcher Brian Krebs cautioned folks on assigning too much significance to the find because the data is rather stale, and not particularly useful for threat actors.

However, as we saw in summer 2018, stale data can be used successfully in phishing and extortion campaigns. The mere mention of a correct password, even if it’s outdated, could coax unsuspecting users into giving up fresh PII or paying ransoms.

Every time an organization announces that it’s been breached, customers wait with bated breath to see if they’ve been impacted. But after a time, if an identity theft crisis, credit card tampering, or straight-up hack doesn’t take place, many users breathe a sigh of relief and imagine they’ve weathered the storm. Yet, as evidenced by Collection 1 and other such treasure troves of data that are offered for sale online, that may not be the end of it. If users don’t take steps to protect or change their credentials after a breach, they are at risk of being targeted again and again.

Our advice to users: Take a look to see if your information is caught up in this latest data dump. You can easily check to see if you’ve been compromised by using researcher Troy Hunt’s website Have I Been Pwned. Once there, enter your email address and scroll to the bottom of the page to see if you are part of Collection 1 or any other breaches. In addition, you can check if your password was compromised using a new feature of Hunt’s site called Pwned Passwords.

If you are on any of these lists, go forth and change your passwords immediately. We also recommend using a password manager and following other password best practices, such as avoiding using the same password across multiple sites and using long phrases that do not contain obvious dates, names, or other easily identifiable (and thus crackable) information.
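The Pwned Passwords check mentioned above, written out as an added example (not code from this post or from Hunt's site): only the first five hex characters of the password's SHA-1 hash are sent to the range endpoint, so the password itself never leaves the machine. The range response embedded below is constructed, not real API output.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """k-anonymity split: the 5-char prefix is all that is ever sent; the 35-char suffix stays local."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns for one prefix."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Times the password appears in breach corpora according to the range response (0 = not seen)."""
    _, suffix = split_hash(sha1_hex(password))
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network). Only the prefix travels; the full hash and the password do not."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def is_pwned(password: str) -> int:
    """End-to-end live check; returns the breach count (0 if the password was not found)."""
    prefix, _ = split_hash(sha1_hex(password))
    return breach_count(password, fetch_range(prefix))


# Constructed sample response for the prefix of "password": the neighbouring
# suffixes and all counts are made up and are not real API output.
SAMPLE_PASSWORD = "password"
SAMPLE_PREFIX, SAMPLE_SUFFIX = split_hash(sha1_hex(SAMPLE_PASSWORD))
SAMPLE_RANGE_BODY = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{SAMPLE_SUFFIX}:3730471",
    "01C70E03BE1BBEBA5F6E3F9F1C4C6C7A8D9:5",
])

if __name__ == "__main__":
    print(SAMPLE_PREFIX, breach_count(SAMPLE_PASSWORD, SAMPLE_RANGE_BODY))
```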

No, this may not have been the breach to end all breaches. But that doesn’t mean it should be taken lightly. In fact, this is an opportunity for 770 million people to shore up their defenses by making a simple, yet effective, change.

As always: Stay safe, everyone!

Hosting malicious sites on legitimate servers: How do threat actors get away with it? – Hackers University


How do threat actors manage to get their sites and files hosted on legitimate providers’ servers? I have asked myself this question many times, and many times thought, “The threat actors pay for it, and for some companies, money is all that matters.”

But is it really that simple? I decided to find out.

I asked some companies, as well as some of my co-workers who are involved with site takedowns on a regular basis, about their experiences.

I conversed with William Tsing, who is, among other things, responsible for dealing with infringements on the Malwarebytes brand; Steven Burn, our Website Protection Team Lead; and a spokesperson for International Card Services B.V. (ICS), the company behind the well-known Visa and Mastercard credit cards. I also sent inquiries to some international banks, but as of press time, they have not replied. On the receiving end of takedown requests, I queried providers about their methods and motives.

Background for the investigation

To give you some background on why we are involved in takedowns: even though we protect our customers by adding malicious domains and IPs to our block lists, we also report those sites and try to get them taken offline. This does not always result in a successful takedown, but if there is a chance to protect everyone (and not just our customers) against malicious sites, we will always grab the opportunity.

Let’s look at this problem from a few angles, starting with the initiators of takedowns.

Protecting your brand and your customers

Imposters can give your company an undeserved bad reputation and cause financial damages. Many financial companies are held responsible for losses due to phishing mails and fake copies of their websites. So they are generally well organized when it comes to dealing with abuse complaints. In the financial sector, one of the biggest problems is phishing mails linking to imitation sites. These imitations can be convincing, complete with green padlocks and ironic warnings about phishing.

Financial corporations in general and banks in particular are well prepared for abuse cases. Most of them have the following in place:

  • Educational pages on their site about how to recognize and deal with phishing attempts.
  • Self-help instructions about what to do if you clicked on a link or entered your credentials on a fake site.
  • An abuse email address where customers and researchers can forward phishing mails and where you can report fake sites.
  • An abuse department that is constantly fighting to get sites taken offline that are targeting their brand(s).

The spokesperson for ICS let us know that they always attempt to take down malicious sites and are successful in about 300 cases per month, globally. In their experience, most providers are quick to take action, but sometimes differing time zones and office hours drag on the process longer than necessary.

At Malwarebytes, we also have to deal with imposters, some of which are selling our free product and others who are tech support scammers pretending to be our support department. William Tsing has had a few of these guys for breakfast, but there are some cases where it is frustrating to have fraudulent content removed. Some of our grievances are:

  • Dealing with automated bots that are impossible to convince there is something fraudulent going on.
  • No response from the provider at all.
  • A culture that would rather receive complaints about the content than hear from disgruntled customers who had their content removed, no matter what that content is.

This provider apparently knows what should be removed.

Hosting and other providers

As mentioned earlier, we also sent some inquiries to hosting companies and, this may not come as a surprise: the companies that actually do act upon takedown requests were the only ones that responded. The rest decided to deal with my request for information in the same way they would with a takedown request—they ignored it.

According to Steven Burn, who is responsible for the Malwarebytes block lists, this is typical behavior. In his experience, however, Western European and North American hosting companies are usually a lot more cooperative than Russian and Chinese providers.

We have asked these hosting companies what they consider malicious content, and the ones that responded agreed on the following reasons for taking sites offline:

  • Phishing content
  • Hacking content
  • Malware (as downloads)
  • Spamming

Some others also specified:

  • Illegal software and cracks
  • Inappropriate content

These providers all estimated the time between receiving a complaint and fixing the problem to be well under eight working hours. I know from experience that most are even faster. We also know that the ones that didn’t respond are more likely to deal with requests from big companies faster than with those from researchers, or as they put it, “unrelated third parties.” And some may not respond at all, or worse, have an automated bot send you responses that drive you up the wall or into despair.

There are other providers at play when it comes to malicious sites. Take, for example, URL-shorteners. URL shortening services are often used by cybercriminals to obfuscate redirects to malicious destinations. So, if you’re unable to get the website itself removed because the hosting provider is unresponsive, you can try to get the URL-shortener to remove the shortened link from their redirections list. In some cases where the threat actor spread the link only in the shortened form, this could be just as effective. Most of these URL-shortening services provide excellent support, as well as detailed instructions on their site on how to proceed.

bitly abuse

A domain name registrar is a company that manages the reservation of Internet domain names. In the chain of hosting malicious websites, registrars are at least as important as the company providing the physical server. A registrar can stop DNS requests for a domain from ending up at the correct server. A registrar is also the player that has to enable threat actors when they use techniques like Domain Generation Algorithms (DGAs): if the threat actor is unable to automatically register the domains generated by the algorithm, the entire DGA setup fails. Sometimes the registrar and the hosting company are the same, but this is not always the case.

Server scans

Another question I asked the providers is whether they perform scans of their servers for inactive malware or for malicious sites. Inactive malware on a server could indicate that a website is hosting malware for download. Hosted malware can be used as a payload for downloader Trojans, or it could be offered for download under the smokescreen of pretending to be a legitimate file. The providers responded that their servers are protected, but not by security software that scans for inactive malware. One provider, however, indicated that they scan newly-created sites for signs that the site could be used for malicious purposes, in order to proactively take them offline.

Security researchers

Many security researchers will report their findings to interested parties. How effective they are seems to depend on how well they are connected. This is unfortunate, as requests from relatively unknown researchers can be just as legitimate as those from longtime players. Our belief is that every complaint should be taken seriously, whether it was sent to the general abuse email address or to the head of the department; whether it comes from a finance company, an antivirus vendor, or an independent botnet researcher.

Our experience with providers varies so widely that it’s hard to give general guidance. There is a provider that lets Steven Burn take sites offline himself and asks questions later. There was a provider that kept getting abused by tech support scammers, but when I pointed it out to them, they sought and found a common property in all the accounts that the threat actors registered with them. By doing so, they were able to root out all the scammers’ sites, even the ones that hadn’t been published yet. These are some examples of the ways in which we could work together to make the Internet a safer place.

But if you are a researcher or work in an abuse department, you also know the other end of the spectrum. I’m talking about the providers that would sell their grandfather for a buck or the social media giants that get so many complaints, it takes months just to get past the automated responses.

The answer to my question

In an ideal world, threat actors would have to use their own servers to host malicious sites. This would make it a lot easier for law enforcement to find out who they are and put them where they belong. Talking to some of the people that have to deal with this problem on a daily basis has more or less confirmed what I already suspected: the underlying problem for the hosting of malicious sites is about money. However, it’s perhaps a bit more nuanced than I originally believed. My revised answer, then, would be that two issues are at play:

  • The provider does not care where the money comes from, or how the site will be used to make more money.
  • The provider has not prioritized spending money on a functioning abuse department.

Is there anything we can do to change these attitudes? There is one way to get providers to sit up and listen. When we host our own sites, we can ask ourselves which type of provider we would rather do business with: one that takes abuse seriously, or one that turns a blind eye to cybercrime? If negligent practices turn into profit losses, it’s likely these hosting companies will take takedown requests more seriously.

Waiting for legislation that holds providers partly responsible for the content they are hosting could take a long time—or it may not even happen in some countries. It’s best, then, to take matters into your own hands. If you see something, say something. And if you own your own website now or plan to launch one in the future, look into the business practices of those hosting companies and invest in those that are taking Internet safety seriously.

Do you have takedown experiences of your own to share? Have you ever reported a malicious site to a provider? Sound off in the comments section.

Improved Fallout EK comes back after short hiatus – Hackers University


After a short hiatus in early January, the Fallout exploit kit is back in business again with some new features for the new year. During its absence, we noticed an increase in RIG campaigns, perhaps to fill that temporary void.

Fallout EK is distributed via malvertising chains (one of them we track under the name HookAds), especially through adult traffic. Since January 15, Fallout EK activity has been picking up pace again to deliver the GandCrab ransomware.

The revised Fallout EK boasts several new features, including integration of the most recent Flash Player exploit. Security researcher Kafeine identified that Fallout is now the second exploit kit to add CVE-2018-15982.

Fallout EK 2019 highlights:

  • HTTPS support
  • New landing page format
  • New Flash exploit (CVE-2018-15982)
  • PowerShell to run payload

One aspect that caught our attention was how Fallout was delivering its payload via PowerShell rather than using iexplore.exe. This was also mentioned in the EK developer’s advert reposted by Kafeine on his site.

The Base64-encoded PowerShell command calls out to the payload URL and loads it in its own way:

This technique is most likely an attempt at evasion, as traditionally we’d expect the Internet Explorer process to drop the payload.
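One way to catch the browser-to-PowerShell handoff described above on the endpoint, written as an added example (not Malwarebytes code or Fallout's own command): it decodes the -EncodedCommand argument from process-creation records and rates a PowerShell launch whose parent is a browser and whose decoded script reaches out to a URL as high severity. It goes a little beyond the post by treating other browsers like iexplore.exe; the records, the script and the placeholder URL are all constructed.

```python
import base64
import re

# Parents that should not normally spawn encoded PowerShell (assumption: iexplore.exe plus other browsers)
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...), so match them all
ENC_FLAG = re.compile(
    r"(?:^|\s)[-/]e(?:ncodedcommand|ncodedc|ncoded|ncode|ncod|nco|nc|n|c)?\s+([A-Za-z0-9+/=]{8,})",
    re.I,
)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)


def encode_powershell(script: str) -> str:
    """Build the value powershell.exe expects after -EncodedCommand (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str) -> str:
    """Reverse of encode_powershell; returns '' if the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyse_event(ev: dict):
    """Return a finding for a suspicious encoded PowerShell launch, else None."""
    if basename(ev["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return None
    m = ENC_FLAG.search(ev["cmdline"])
    if not m:
        return None  # plain (unencoded) PowerShell is out of scope for this rule
    decoded = decode_powershell(m.group(1))
    urls = URL_RE.findall(decoded)
    from_browser = basename(ev["parent"]) in BROWSERS
    if from_browser and urls:
        severity = "high"      # browser -> hidden encoded PowerShell fetching a URL: EK-style payload delivery
    elif from_browser or urls:
        severity = "medium"
    else:
        severity = "low"       # encoded command, but nothing else unusual; worth a look, not an alarm
    return {"severity": severity, "parent": basename(ev["parent"]), "decoded": decoded, "urls": urls}


def analyse_events(events):
    return [f for f in (analyse_event(e) for e in events) if f]


# Constructed sample process-creation records (not real telemetry); the URL is a placeholder.
SAMPLE_SCRIPT = "Invoke-WebRequest -Uri https://payload.example.invalid/EXAMPLE"
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_powershell(SAMPLE_SCRIPT)},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + encode_powershell("Get-Date")},
]

if __name__ == "__main__":
    for finding in analyse_events(SAMPLE_EVENTS):
        print(finding["severity"], finding["parent"], finding["decoded"])
```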

What this new development tells us is that exploit kit developers are still monitoring the scene for new exploits and techniques. In 2018, several zero-days for Internet Explorer and Flash Player were found and turned into easily adaptable proof of concepts. Even though the market share for IE and Flash continues to drop, there are many countries still running older systems where the default browser is Internet Explorer. Therefore, threat actors will take advantage.

Malwarebytes users are already protected against this updated Fallout EK.

Indicators of Compromise

  • 185.56.233[.]186, advancedfeed[.]pro (HookAds campaign)
  • 51.15.35[.]154, payformyattention[.]site (Fallout EK)

The Advanced Persistent Threat files: APT10 – Hackers University


We’ve heard a lot about Advanced Persistent Threats (APTs) over the past few years. As a refresher, APTs are prolonged, aimed attacks on specific targets with the intention to compromise their systems and gain information from or about that target. While the targets may be anyone or anything—a person, business, or other organization—APTs are often associated with government or military operations, as they tend to be the organizations with the resources necessary to conduct such an attack. Starting with Mandiant’s APT1 report in 2013, there’s been a continuous stream of exposure of nation-state hacking at scale.

Cybersecurity companies have gotten relatively good at observing and analyzing the tools and tactics of nation-state threat actors; they’re less good at placing these actions in sufficient context for defenders to make solid risk assessments. So we’re going to take a look at a few APT groups from a broader perspective and see how they fit into the larger threat landscape.

Today, we’re beginning with APT10. (Note: These groups have a panoply of different names, but for simplicity’s sake, we’re going to borrow Mandiant’s naming conventions for Chinese groups.)

Who is APT10?

First observed in 2009, APT10 is most commonly attributed via open source research to the Chinese Ministry of State Security (MSS). MSS targets typically include, but are not limited to: intelligence targets surrounding trade negotiations, research and development in competition with Chinese commercial entities, and high-value counterintelligence targets overseas. As an example of a trade negotiation op, Fidelis Security observed a watering hole attack in February 2017 targeting members of the National Foreign Trade Council, a US trade lobby group.

A commonly-used tool of APT10 is Scanbox, which is a form of malware that can offer insights into their targeting priorities. Scanbox has been observed on assorted industrial sector targets in the US and Japan, but also on Uighur dissidents overseas. While this supports the thesis of APT10 being a government threat group, we caution defenders against associating any one piece of malware exclusively with one group. Countries maintain multiple threat groups, all of whom are fully capable of collaborating and sharing TTPs.

Malware commonly deployed

APT10 is known for deploying the following malware:

Note: PlugX and Poison Ivy were originally developed and deployed by Chinese state-sponsored actors. They have since been sold and resold to individual threat actors across multiple nations. At the time of writing, it is inappropriate to attribute an attack to Chinese threat actors based on PlugX or Poison Ivy deployment alone.

Should you be worried?

That depends on the type of organization you run. APT10 has been observed to most commonly target construction, engineering, aerospace, and regional telecoms, as well as traditional government targets. If your company exists outside these verticals, it’s unlikely that APT10 would expend the time and resources to target you. For companies outside the targeting profile, it’s much more cost effective to spend defense budgets on common vulnerabilities that are most leveraged by common attackers.

What might they do next?

Like most APTs, APT10 has traditionally targeted at scale when attacking commercial enterprise. However, a more recent report by PricewaterhouseCoopers (PwC) and BAE Systems suggests that they’ve begun devoting a portion of their operations to targeting Managed Service Providers (MSPs), most likely in an attempt to exfiltrate sensitive client data. Given that there’s been increasing awareness of advanced threats by high-value targets, continuing to target MSPs in this way is a plausible means of obtaining the same desired data at a lesser cost.

Further resources

If you’d like to do some additional reading on APTs, and specifically APT10, take a look at the following resources:

FireEye’s APT10 profile

Dark Reading article: China-based threat actor APT10 ramps up cyber espionage activity

PwC’s brief on Operation Cloud Hopper (APT10 campaign)

Luas data ransom: the hacker who cried wolf? – Hackers University


In a terrible start to the year for Irish tram firm Luas, their site was compromised a week ago and adorned with a stark ransom warning:


You are hacked. Some time ago I wrote that you have serious security holes.

You didn’t reply.

The next time someone talks to you, press the reply button.

You must pay one bitcoin in five days. Otherwise I will publish all data and send emails to your users.

The message came with a Bitcoin address, and the defacement was quickly taken down.

Real threat or a blast of bluster?

Many observers questioned the legitimacy of this ransom threat. One Bitcoin is currently around 3,100 Euros. Luas aren’t exactly short of cash, so it wouldn’t be an issue for them to pay (not that we’d advise it). The general feeling was that either 3,100 Euros was a large sum of money to the attacker, or they just wanted the company to address the problem facing them without fuss.

As soon as the hack was announced, nervous customers wondered exactly what might be dumped into the ether should the ransom go unpaid. Names and addresses? Emails? Perhaps even payment data? However, this is where the hacker’s version of events starts to unravel. I’m not personally familiar with the website in question, and it’s currently still down, so I looked on Internet Archive.

A trip down memory lane

The site doesn’t appear to have any form of registration or login; it seems to be more of an information portal. Additionally, the one section that references payment—“Pay your standard fare notice”—leads to the payments site, which Luas pointed out hadn’t been compromised. The site read as follows:

The Luas website is undergoing restoration following a cyber-attack.

We wish to advise customers that the Tax Saver and Standard Fare Notice sites have NOT been compromised.

It’s worth noting the payments section hasn’t been taken offline, either.

The hacker who cried wolf?

We waited with bated breath as the ransom timer ticked down. Would we see a large blast of customer data popping up online? Or would the whole thing fall flat? If essential information such as logins and payment data hadn’t been grabbed, what exactly were we talking about here? Basic website metrics such as visitor stats or website referrers? What could this attacker possibly have grabbed while achieving what appears to have been a perfectly standard webpage defacement in all other respects?

The answer is, of course, “Nobody knows.”

The deadline has come, gone, and is now on vacation somewhere. Occasionally, it lets you know the weather is lovely and reminds you to put the bins out.

Absolutely none of which helps anybody who suspects they may have been caught up in this. Even more surreal is the fact that Luas said they’d contact anyone they thought may be affected, but there’s no example of said contact on social media that I can find.

Customers: An update on the Luas cyberattack.

Luas technicians are still investigating it and are working to restore the site.

Luas has contacted the Commissioner for Data Protection and we have in accordance with best practice contacted everyone whose information may have been compromised.

This is absolutely not what normally happens, and at this point I’d usually be linking to a deluge of “you got me” posts. That’s the theory. The reality, currently, is nothing but a wave of silence.

This number is no longer available

Our suspicion here is that nothing customer related was taken and it was all a ransom-themed bluff to either grab some Bitcoin cash or attention, or perhaps both. If you’ve used any Luas site for any type of registration or payment, you’re probably fine.

Unless the site compromiser had a sudden change of heart, they were going to dump the data publicly rather than on some hidden underground forum, but it hasn’t happened. People may call them “underground,” but the reality is that data dumps don’t remain private for long.

No further updates are forthcoming from Luas, so it doesn’t appear they’ve been told their number is up either. All in all, we’d say cross some fingers and hope everything is coming up Milhouse.

While I try to remember if things coming up Milhouse is good or bad, here’s what you can do if you’re still worried you may be affected.

Data dump fallout tips

This isn’t just good advice for the Luas attack, but for any potential breach situation.

If you’re on Twitter, simply follow haveibeenpwned, a service maintained by security pro Troy Hunt. It will usually be one of the first places you’ll hear about any breach where data has been taken. After that, head over to the haveibeenpwned website and check if your emails have been included in any attacks. If they have, you’ll see a short summary of when it happened and what was taken. Note that you won’t see the stolen data.

Finally, you can register for alerts when any new breaches are added.

There’s really no need to go spelunking into the murky pools of hacker forums, looking in vain for a breach you may be on. Rest assured that if it’s happened, you’ll find out eventually—one way or another. At that point, it’s a case of changing your logins and applying whatever security steps are required to fix things up. Ransoms are always a major issue, whether from threats or infection files. If this story has any additional developments, we will of course update this post as to what anyone affected should do next.

Social Security Number scammers are at it again – Hackers University


The Federal Trade Commission (FTC) once again sounded the alarm in mid-December about the latest Social Security Number (SSN) scam that continues to affect thousands of Americans.

While most of us were only able to read about this type of scam in the past, the FTC now has an audio recording of an SSN scam robocall, which they released two weeks after the warning.

Play the audio below and familiarize yourself with what an SSN scam sounds like. Take note of the sentence phrasing and the mild threat near the end of the automated recording, directed at those who aren’t motivated enough to call back the number it provides.

law enforcement agencies to suspend your Social Security number on an immediate basis, as we have received suspicious trails of information in your name. The moment you receive this message, I need you to get back to me on my department division toll-free number that is 1-888-952-5554. I repeat 1-888-952-5554. Verify the last four digits of your Social Security number when you call to better assist you with this issue. Now, if I don’t hear a call from you, we will have to issue an arrest warrant under your name and get you arrested. So, get back to me as soon as possible. Thank you.

This particular recording wasn’t specific about the “suspicious trails of information” they were referring to, but there have been reports to the FTC of scammers linking their target’s SSN to certain crimes they claim are taking place in Texas, such as illegally sending money outside of the country.

The FTC noted that the threat from individuals or groups pretending to be from the Social Security Administration (SSA) is growing at an exponential rate. In fact, there was a 994 percent increase in SSN scams reported to the FTC: from 3,200 in 2017 to 35,000 in 2018.

Not just a numb3rs g4m3

One attribute that makes SSN scams successful (and makes targets more likely to accept the call) is the scammers’ use of technology to mimic the legitimate contact number of the Social Security Administration (SSA) so that it appears in the caller ID when contacting targets. In this case, the scammers used 1-800-772-1213, the SSA’s national customer service number. Yet, SSN scams are more than just a numbers game.

Seeing red

To help clue you in on other tactics used by SSN scammers, below is a list of red flags or tactics these scammers practice that anyone with a Social Security Number should at least be familiar with:

  • The call comes out of nowhere—especially if you haven’t contacted the SSA first or you have no ongoing business with them, such as a pending Social Security Disability (SSD) application. If you do have a pending application with the SSA, an agent may call if the information in the application isn’t complete, answers on the form aren’t legible, or the agent has found some discrepancies between the information you provided in the application and the information they got from other Federal agencies. An SSA agent will only ask for your SSN if the one you provided is invalid or incorrect.
  • The purported SSA agent makes untruthful or worrying requests or claims, such as:
    • Your SSN is suspended because of crime-related links (such as what the robocaller claims in the recording above). Fact: Social Security numbers do not get suspended.
    • You need to “reactivate” your suspended SSN. Then, scammers either ask for more information or a fee to do this.
    • You need to pay for something immediately, like a debt (and they won’t allow you to appeal the amount you owe).
    • You need to send over your payment via a means they specify, such as the agent requiring you to pay using your prepaid debit card.
    • You need to provide a bank routing number or card details over the phone.
    • Your SSN is linked to malicious activities that will lead to your arrest or deportation.
    • The SSA system is down, so you need to provide the purported agent with your personal information, such as SSN, date of birth, mother’s maiden name, and bank information.

“SSA employees do contact citizens by telephone for customer-service purposes, and in some situations, an SSA employee may request the citizen confirm personal information over the phone,” writes Andrew Cannarsa, communications director for the Office of the Inspector General (OIG). “However, SSA employees will never threaten you for information or promise a Social Security benefit approval or increase in exchange for information. In those cases, the call is fraudulent.”

Just hang up

Hanging up is the best course of action when you deliberately or accidentally answer a call that, at some point, starts to seem scammy. When in doubt, assume it’s a scam. Besides, no one, not even the legitimate SSA, will penalize you for hanging up on them. Remember that when it comes to nipping scams in the bud, you are in control. End it before they can say another word.

Prevention, of course, is still key. Being able to catch the known red flags we have identified above and knowing what to do should you see a legitimate SSA number flash in the caller ID screen—whether you do or don’t have outstanding business with them—can minimize the risk.

Is the SSA calling? Don’t pick up the phone. Instead, call SSA via their consumer service number and ask if they have been trying to reach you.

Other scams related to SSN

Unfortunately, children and the deceased aren’t safe from fraudsters and identity thieves, either. Parents, make sure you find the time to check your kids’ credit scores to make sure that they remain untouched and are not being built up by someone else. If you see something’s wrong, or if you see signs of potential identity theft, go to this FTC page to read more.

Relatives of deceased loved ones should do credit checks every now and then as well. The Identity Theft Resource Center has useful material on how one can protect the deceased’s identity and other tips.

When it comes to scams, the following is always true: does it seem suspicious or “off” in any way? If so, it probably is. Proceed with caution and guard your Social Security Number well.

Ryuk ransomware attacks businesses over the holidays – Hackers University


While families gathered for food and merriment on Christmas Eve, most businesses slumbered. Nothing was stirring, not even a mouse—or so they thought.

For those at Tribune Publishing and Data Resolution, however, a silent attack was slowly spreading through their networks, encrypting data and halting operations. And this attack was from a fairly new ransomware family called Ryuk.

Ryuk, which made its debut in August 2018, is different from many other ransomware families we’ve analyzed, not because of its capabilities, but because of the novel way it infects systems.

So let’s take a look at this elusive new threat. What is Ryuk? What makes it different from other ransomware attacks? And how can businesses stop it and similar threats in the future?

What is Ryuk?

Ryuk first appeared in August 2018, and while not incredibly active across the globe, at least three organizations were hit with Ryuk infections over the course of the first two months of its operations, landing the attackers about $640,000 in ransom for their efforts.

Despite a successful infection run, Ryuk itself possesses functionality that you would see in a few other modern ransomware families. This includes the ability to identify and encrypt network drives and resources, as well as delete shadow copies on the endpoint. By doing this, the attackers could disable the Windows System Restore option for users, and therefore make it impossible to recover from the attack without external backups.

Ryuk “polite” ransom note

One interesting aspect of this ransomware is that it drops more than one note on the system. The second note is written in a polite tone, similar to notes dropped by BitPaymer ransomware, which adds to the mystery.

Ryuk “not-so-polite” ransom note

Similarities with Hermes

Researchers at Checkpoint have already conducted deep analysis of this threat, and one of their findings was that Ryuk shares many similarities with another ransomware family: Hermes.

Inside of both Ryuk and Hermes, there are numerous instances of similar or identical code segments. In addition, several strings within Ryuk have been discovered that refer to Hermes—in two separate cases.

When launched, Ryuk will first look for the Hermes marker that is inserted into each encrypted file. This is a means to identify if the file or system has already been attacked and/or encrypted.

The other case involves whitelisted folders, and while not as damning as the first, the fact that both ransomware families whitelist certain folder names is another clue that the two families might share originators. For example, both Ryuk and Hermes whitelist a folder named “Ahnlab”, which is the name of a popular South Korean security software.

If you know your malware, you might remember that Hermes was attributed to the Lazarus group, who are associated with suspected North Korean nation-state operations. This has led many analysts and journalists to speculate that North Korea was behind this attack.

We’re not so sure about that.

Notable attacks

Multiple notable Ryuk attacks have occurred over the last few months primarily in the United States, in which the ransomware infected large numbers of endpoints and demanded higher ransoms than what we typically see (15 to 50 Bitcoins).

One such attack was on the Onslow Water and Sewer Authority (OWASA) on October 15, 2018, which kept the organization from being able to use their computers for a time. While water and sewage services, as well as customer data, were untouched by the ransomware attack, it still caused significant damage to the organization’s network and resulted in numerous databases and systems being rebuilt from the ground up.

Infection method

According to Checkpoint and multiple other analysts and researchers, Ryuk is spread as a secondary payload through botnets, such as TrickBot and Emotet.

Here is the running theory: Emotet makes the initial infection on the endpoint. It has its own abilities to spread laterally throughout the network, as well as launch its own malspam campaign from the infected endpoint, sending additional malware to other users on the same or different networks.

From there, the most common payload that we have seen Emotet drop over the last six months has been TrickBot. This malware has the capability to steal credentials, and also to move around the network laterally and spread in other ways.

Both TrickBot and Emotet have been used as information stealers, downloaders, and even worms based on their most recent functionality.

At some point, for reasons we will explore later in this post, TrickBot will download and drop Ryuk ransomware on the system, assuming that the infected network is something that the attackers want to ransom. Since we don’t see even a fraction of the number of Ryuk detections as we see of Emotet and TrickBot through our product telemetry, we can assume that it’s not the default standard operation to infect systems with Ryuk after a time, but rather something that is triggered by a human attacker behind the scenes.


Let’s take a look at the stats for Emotet, Ryuk, and TrickBot from August until present-day and see if we can’t identify a trend.

Malwarebytes’ detections from August 1, 2018 – January 2, 2019

The blue line represents Emotet, 2018’s biggest information-stealing Trojan. While this chart only shows us August onward, rest assured that for much of the year, Emotet was on the map. However, as we sailed into Q4 2018, it became a much bigger problem.

The orange line represents TrickBot. These detections are expected to be lower than Emotet, since Emotet is usually the primary payload. This means that in order for TrickBot to be detected, it must have either been delivered directly to an endpoint or dropped by an Emotet infection that was undetected by security software or deployed on a system without it. In addition, TrickBot hasn’t been the default payload for Emotet for the entire year, as the Trojan has continuously swapped payloads, depending on time of year and opportunity.

Based on this, to get hit with Ryuk (at least until we figure out the real intention here) you would need to have either disabled, not installed, or not updated your security software. You would need to refrain from conducting regular scans to identify TrickBot or Emotet. You would need to either have unpatched endpoints or weak credentials for TrickBot and Emotet to move laterally throughout the network and then, finally, you would need to be a target.

That being said, while our detections of Ryuk are small compared to the other families on this chart, that’s likely because we caught the infection during an earlier stage of the attack, and the circumstances for a Ryuk attack need to be just right—like Goldilocks’ porridge. Surprisingly enough, organizations have created the perfect environment for these threats to thrive. This may also be the reason behind the huge ransom payment, as fewer infections lead to fewer payouts.

Christmas campaign

While active earlier in the year, Ryuk didn’t make as many headlines as when it launched its “holiday campaign,” or rather the two largest sets of Ryuk infections, which happened around Christmastime.

The chart below shows our detection stats for Ryuk from the beginning of December until now, with the two infection spikes noted with stars.

Malwarebytes’ Ryuk detections December 5, 2018 – January 2, 2019

These spikes show that significant attacks occurred on December 24 and December 27.

Data Resolution attack

The first attack was on Dataresolution.net, a Cloud hosting provider, on Christmas Eve. As you can see from above, it was the most Ryuk we had detected in a single day over the last month.

According to Data Resolution, Ryuk was able to infect systems by using a compromised login account. From there, the malware gave control of the organization’s data center domain to the attackers until the whole network was shut down by Data Resolution.

The company assures customers that no user data was compromised, and that the intent of the attack was to hijack, not steal. However, knowing how this malware finds its way onto an endpoint in the first place, it is a good bet that they’ve lost at least some information.

Tribune Publishing attack

Our second star represents the December 27 attack, when multiple newsprint organizations under the Tribune Publishing umbrella (now or in the recent past) were hit with Ryuk ransomware, essentially disabling these organizations’ ability to print their own papers.

The attack was discovered late Thursday night, when one of the editors at the San Diego Union-Tribune was unable to send finished pages to the printing press. These issues have since been resolved.


We believe Ryuk is infecting systems using Emotet and TrickBot to distribute the ransomware. However, what’s unclear is why criminals would use this ransomware after an already-successful infection.

In this case, we can actually take a page from the Hermes playbook. We witnessed Hermes being used in Taiwan as a means to cover the tracks of another malware family already on the network. Is Ryuk being used in the same way?

Since Emotet and TrickBot are not state-sponsored malware, and they are usually automatically launched to a blanket of would-be victims (rather than identifying a target and being launched manually), it seems odd that Ryuk would be used in only a few cases to hide the infection. So perhaps we can rule this theory out.

A second, more probable theory is that the purpose of Ryuk is as a last ditch effort to extort more value from an already-juicy target.

Let’s say that the attackers behind Emotet and TrickBot have their bots map out networks to identify a target organization. If the target has a large enough infection spread of Emotet/TrickBot, and/or if its operations are critical or valuable enough that disruption would trigger an inclination to pay the ransom, then that might make them the perfect target for a Ryuk infection.

The true intention for using this malware can only be speculated at this point. However, whether it’s hiding the tracks of other malware or simply looking for ways to make more cash after stealing all the relevant data they could, businesses should be wary of writing this one off.

The fact remains that there are thousands of active Emotet and TrickBot infections all over the world right now. Any of the organizations that are dealing with these threats need to take them seriously, because an information stealer might turn into nasty ransomware at any time. This is the truth of our modern threat landscape.


As mentioned earlier, many analysts and journalists have decided that North Korea is the most likely attacker to be distributing Ryuk. While we can’t completely rule this out, we aren’t entirely sure it’s accurate.

Ryuk does match Hermes in many ways. Based on the strings found, it was likely built on top of, or is a modified version of Hermes. How the attackers got the source code is unknown, however, we have observed instances where criminals were selling versions of Hermes on hacker forums.

This introduces another potential reason the source code got into the hands of a different actor.

Identifying the attribution of this attack based on similarities between two families, one of which is associated with a known nation-state attack group (Lazarus), is a logical fallacy, as described by Robert M. Lee in a recent article, “Attribution is not Transitive – Tribune Publishing Cyber Attack as a Case Study.” The article takes a deeper dive into the errors of attribution based on flimsy evidence. We caution readers, journalists, and other analysts against drawing conclusions from correlations.


Now that we know how and potentially why Ryuk attacks businesses, how can we protect against this malware and others like it?

Let’s focus on specific technologies and operations that are proven effective against this threat.

Anti-exploit technology

The use of exploits for both infection and lateral movement has been increasing for years. The primary method of infection for Emotet at the moment is through spam with attached Office documents loaded with malicious scripts.

These malicious scripts are macros that, once the user clicks on “Enable content” (usually through some kind of social engineering trick), launch additional scripts to cause havoc. We most commonly see scripts written in JavaScript and PowerShell, with PowerShell quickly becoming the de facto scripting language for infecting users.

While you can stop these threats by training users to recognize social engineering attempts or use an email protection platform that recognizes malicious spam, using anti-exploit technology can also block those malicious scripts from trying to install malware on the system.

In addition, using protection technologies such as anti-ransomware adds an immense amount of protection against ransomware infections, stopping them before they can do serious damage.
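Two of the behaviours described in this post can be turned into simple detection logic: the shadow-copy deletion mentioned under “What is Ryuk?” and the Office macro launching a script interpreter described just above. The Python triage below is an added example, not Malwarebytes or product code. It assumes a simplified JSON-lines process-creation log (a constructed schema, not Sysmon’s or any EDR’s) and constructed sample events; the vssadmin and wmic command forms it matches are the standard Windows ways of deleting Volume Shadow Copies.

```python
"""Triage process-creation events for two behaviours the post describes:
an Office application launching a script host (the macro "Enable content"
path) and deletion of Volume Shadow Copies (disabling System Restore so a
victim cannot recover without external backups).

Added example, not Malwarebytes or product code. The event schema is a
constructed, simplified JSON-lines format; the sample events are constructed.
"""
import json
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}

# The two standard command-line ways to remove shadow copies:
# "vssadmin delete shadows ..." and "wmic shadowcopy delete ..."
SHADOW_COPY_DELETE = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b",
    re.IGNORECASE,
)


def image_name(path):
    """Bare executable name, lower-cased, from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rule names an event triggers (empty if nothing matched)."""
    hits = []
    parent = image_name(event.get("parent_image", ""))
    child = image_name(event.get("image", ""))
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        hits.append("office-spawned-script-host")
    if SHADOW_COPY_DELETE.search(event.get("command_line", "")):
        hits.append("shadow-copy-deletion")
    return hits


def triage(log_lines):
    """Run every JSON event through classify(); return one alert dict per rule hit."""
    alerts = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        for rule in classify(event):
            alerts.append({"host": event.get("host"),
                           "image": image_name(event.get("image", "")),
                           "rule": rule})
    return alerts


# Constructed sample events (hosts, paths and the dropper name are placeholders).
SAMPLE_LOG = r"""
{"host": "ws-17", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -NoProfile -WindowStyle Hidden"}
{"host": "ws-17", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe"}
{"host": "srv-fs01", "parent_image": "C:\\Users\\Public\\dropped.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c vssadmin Delete Shadows /All /Quiet"}
{"host": "srv-fs01", "parent_image": "C:\\Users\\Public\\dropped.exe", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "command_line": "wmic shadowcopy delete"}
{"host": "ws-03", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "command_line": "EXCEL.EXE budget.xlsx"}
"""

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second sample event (PowerShell started from Explorer) is deliberately not flagged: the signal is the parent process, not PowerShell itself, which is why an anti-exploit layer keys on the Office-to-script-host transition rather than blocking scripting outright.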

Regular, updated malware scans

This is a general rule that has been ignored enough times to be worth mentioning here. In order to have effective security solutions, they need to be used and updated frequently so they can recognize and block the latest threats.

In one case, the IT team of an organization didn’t even know they were lousy with Emotet infections until they had updated their security software. They had false confidence in a security solution that wasn’t fully armed with the tools to stop the threats. And because of that, they had a serious problem on their hands.


Network segmentation

This is a tactic that we have been recommending for years, especially when it comes to protecting against ransomware. To ensure that you don’t lose your mapped or networked drives and resources if a single endpoint gets infected, it’s a good idea to segment access to certain servers and files.

There are two ways to segment your network and reduce the damage from a ransomware attack. First, restrict access to certain mapped drives based on role requirements. Second, use a separate or third-party system for storing shared files and folders, such as Box or Dropbox.

Evolving threats

This last year has brought with it some novel approaches to causing disruption and devastation in the workplace. While ransomware was the deadliest malware for businesses in 2017, 2018 and beyond look to bring us multiple malware deployed in a single attack chain.

What’s more, families like Emotet and TrickBot continue to evolve their tactics, techniques, and capabilities, making them more dangerous with each new generation. While today, we might be worried about Emotet dropping Ryuk, tomorrow Emotet could simply act as ransomware itself. It’s up to businesses and security professionals to stay on top of emerging threats, however minor they may appear, as they often signal a change in the shape of things to come.

Thanks for reading and safe surfing!

Australia’s Early Warning Network compromised – Hackers University

Australia's Early Warning Network compromised - Malwarebytes Labs

An early warning network designed to notify subscribers about dangerous weather in Australia has been compromised. The hacker sent many bogus messages via phone, SMS, and email, telling users that the service had been hacked.

Early Warning Network, a service used by local governments to send notifications about weather hazards, found itself firing these rogue missives into the void late on Saturday evening. They haven’t revealed how many people received a message, but they caught the attack quickly and shut it down.

A warning from Early Warning Network

The website says:

At around 9:30pm EDT 5th January, the EWN Alerting system was illegally accessed with a nuisance message sent to a part of EWN’s database. This was sent out via email, text message and landline. EWN staff at the time were able to quickly identify the attack and shut off the system, limiting the number of messages sent out. Unfortunately, a small proportion of our database received this alert.

The text sent to subscribers read as follows:

EWN has been hacked. Your personal data is not safe. Trying to fix the security issues. Email [address] if you wish to unsubscribe.

If you were on the receiving end of the email version, you would have found it to be identical:

email alert

Some people in EWN’s comments sections reported receiving phone calls simply stating “You have been hacked,” which would be a little alarming, to say the least. An Early Warning Network shouldn’t come with a warning, but this is where we’re at.

How did they do it?

The alert service has so far confirmed that the attack took place from inside Australia, and the rogue message was the result of login credentials obtained without permission. There’s no other information available at time of writing, but it does seem likely that this was a targeted spear phish.

EWN have also stated that user information wasn’t at risk:

The unauthorized alert sent on Saturday night was undertaken by an unauthorized person using illicitly gained credentials to login and post a nuisance spam-notification to some of our customers. The links used in this alert were non-harmful and your personal information was not compromised in this event. Investigations are continuing with the Police and Australian Cyber Security Centre involved.

This directly contradicts the hacker’s claim that “your personal data is not safe.” It is also claimed that the links in the emails and SMS messages were not harmful.

What was the point?

Given the flat denial of user data being put at risk, it seems this is more about reputation damage. Perhaps someone has a weirdly specific grudge against a lifesaving service, or maybe it’s just a trollish prank done for cheap laughs. Either way, it’s an incredibly careless thing to do.

In the Philippines, PHIVOLCS warns about seismic activity and volcano eruptions, while PAGASA deals with weather systems, typically via media alerts and social media. These are high-end setups, almost always government run. In the US, a variety of warnings are available under wireless emergency alerts, which can include everything from weather safety to AMBER alerts. Early warning systems can save thousands of lives, as was evident from the lack of systems in place to warn tourists and locals about the Boxing Day tsunami in 2004, which claimed more than 200,000 lives.

That’s why alert system tampering is always a bad idea. If people unsubscribe as a result of this attack, they could potentially put their lives in danger. EWN is not a huge organisation, and this attack on their systems and reputation could have a huge impact. It’s no wonder police are quick to investigate the attack taking place on this particular network.

What can the affected organisation do now?

Given there’s no further information as to how credentials were obtained, we can only offer an educated guess. If our hunch from earlier is correct, and it is a targeted phish, then some staff training may be needed. Additionally, they shouldn’t be relying on “just” a password to keep things safe.

Even the longest password around is a chocolate fireguard if someone manages to swipe it. That’s where two-factor authentication (2FA) comes into play. If more than one person has to share a single login, there are a number of ways to get around that, too. Some password managers let groups share logins without revealing the password. If you haven’t thought about beefing up password security, now is as good a time as ever.

Lasting ramifications

Most people have seen an article about hacked road signs at some point, and probably suppressed the odd giggle or two. There are good arguments for not doing that; there are great arguments for not messing with emergency alert systems.

It remains to be seen if the person responsible for this will be caught. This is definitely not a great situation for anyone reliant on the integrity of these networks in bad weather regions. Will anyone even believe the next message sent out? And how much trouble will the person who did this be in, should fatalities occur? Our feeling is, a slap on the wrist is not enough.

Hosts file hijacks – Hackers University

Hosts file hijacks - Malwarebytes Labs

In an earlier blog post about DNS hijacks, we briefly touched on the hosts file. The hosts file is like your speed dial directory for the internet. Some systems only have a few numbers stored and others have lots of entries. What if someone was able to change that directory and you end up calling a one dollar per second number when you wanted to call a relative? Basically, that is what we will discuss here.

Where is the hosts file located?

The actual location of the hosts file is stored in the registry under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, in the value DataBasePath. By default, this file’s folder location is (and has been since Windows NT/2000) %systemroot%\SYSTEM32\DRIVERS\ETC, where %systemroot% is usually the C:\Windows directory.

What kind of file is it?

The hosts file does not have an extension, but it can be viewed by opening it with Notepad (or something similar). To replace or alter the hosts file, you will need Administrator privileges, but every user has “Read” permissions.

Before resolving an internet request (to look up the IP that belongs to a domain name), Windows looks in the hosts file to see if there is a predefined entry for that domain name (the speed dial, remember?).

Possible reasons to change the hosts file

These predefined entries in the hosts file can exist for several reasons:

  • Blocking: some people (who are oftentimes unaware that hosts files can be installed by their security programs) use them to block unwanted sites by mapping malicious or otherwise unwanted domains to an IP address that points back at the requesting system itself, so in effect there is no outgoing traffic for these requests.
  • Pointing: for example, system administrators use the hosts file to map intranet addresses.

Malware uses it for its own reasons, the two most common being:

  • To block detection by security software: for example, by blocking the traffic to all the download or update servers of the most well-known security vendors.
  • To redirect traffic to servers of their choice: for example, by intercepting traffic to advertisement servers and replacing the advertisements with their own.

Consider for example the Trojan.Qhost variant that blocked access to several security-related domains. Historically, the MyDoom worm was the first to block security-related sites and Windows Update.

Recent examples

One of the more blatant and ruthless methods of abusing someone else’s hard work is used by an adware that steals the hosts file arguably used most for ad-blocking purposes and changes it to redirect all of that traffic to its own server.

The hosts file in question is the MVPS hosts file, and it is altered by an adware calling itself “Pakistani Girls Mobile Data”. In this screenshot, you can see the original on the left and the altered copy on the right:

The malware authors didn’t even bother to remove the header. They replaced the IP with their own, 188[DOT]138[DOT]17[DOT]135, and left it at that. Please note that the system on which the malware installed this changed hosts file did not have the MVPS hosts file before the infection; it had the default Windows hosts file. So the malware did not alter a hosts file that already existed on the system, but planted a hosts file that the authors downloaded and altered first.

Another that caught my attention is one we have discussed before for another reason. At that point, I dubbed it Dotdo audio. This browser hijacker uses a lot of tricks, and one of them is semi-randomized file and folder names. And, in what is most likely an attempt to stop people from checking their file with an online virus scan, they have decided to reroute traffic to Virustotal.com.
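The hosts-file abuses described above (sinkholing security-vendor names, a blocking list rewritten so every entry points at one remote server, and VirusTotal rerouted) can be checked mechanically. The Python auditor below is an added example, not Malwarebytes code and not a reconstruction of the samples in this post. It parses a hosts file, treats 0.0.0.0, loopback, RFC 1918 and link-local addresses as the normal targets of blocking and intranet entries, and flags everything else; SENSITIVE_SUFFIXES and the sample file are constructed, and 203.0.113.0/24 is a documentation range standing in for a remote server, not the IP from the post.

```python
"""Audit a Windows hosts file for the two malware uses described above:
sinkholing security-related names (so updates and online scans fail) and
redirecting names to a server of the attacker's choosing.

Added example, not Malwarebytes code. SENSITIVE_SUFFIXES and SAMPLE_HOSTS
are constructed; 203.0.113.17 is a documentation-range placeholder.
"""
import ipaddress
from collections import Counter

# Destinations a legitimate hosts file uses: 0.0.0.0/loopback for blocking
# (the request goes nowhere) and private ranges for intranet "pointing".
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Names malware has an interest in blocking or rerouting (constructed list;
# add your own vendors' update and download hosts).
SENSITIVE_SUFFIXES = ("virustotal.com", "example-av-vendor.test", "windowsupdate.test")


def is_local(ip):
    """True for 0.0.0.0, loopback, RFC 1918 and link-local addresses."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage
    return addr.is_unspecified or any(addr in net for net in LOCAL_NETWORKS)


def parse_hosts(text):
    """Yield (line_no, ip, [names]) for each active entry; comments and blanks skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        ip, *names = entry.split()
        if names:
            yield line_no, ip, [n.lower() for n in names]


def is_sensitive(name):
    return any(name == s or name.endswith("." + s) for s in SENSITIVE_SUFFIXES)


def audit_hosts(text):
    """Return a list of finding dicts: {"line", "ip", "name", "rule"}."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        try:
            local = is_local(ip)
        except ValueError:
            findings.append({"line": line_no, "ip": ip, "name": " ".join(names),
                             "rule": "invalid-address"})
            continue
        for name in names:
            if is_sensitive(name):
                rule = "sensitive-name-sinkholed" if local else "sensitive-name-redirected"
            elif not local:
                rule = "name-redirected"
            else:
                continue  # ordinary blocking or intranet entry
            findings.append({"line": line_no, "ip": ip, "name": name, "rule": rule})
    return findings


def redirect_target(findings, min_names=2):
    """The remote IP that several names are sent to, or None.

    A blocking list whose sinkhole address was swapped for one remote server
    (the case described above) shows up as a single IP carrying many names."""
    counts = Counter(f["ip"] for f in findings if "redirected" in f["rule"])
    if not counts:
        return None
    ip, n = counts.most_common(1)[0]
    return ip if n >= min_names else None


# Constructed sample: a blocking-list header kept, entries rewritten.
SAMPLE_HOSTS = """\
# Constructed sample hosts file (header style of a blocking list)
127.0.0.1    localhost
10.0.5.20    intranet.corp.test               # admin 'pointing' entry, fine
0.0.0.0      ads.tracker-one.test             # genuine blocking entry, fine
203.0.113.17 ads.tracker-two.test             # blocking entry whose sinkhole IP was swapped
203.0.113.17 banner.adnetwork.test
0.0.0.0      liveupdate.example-av-vendor.test   # vendor update host sinkholed
203.0.113.17 www.virustotal.com               # online scanner rerouted
not-an-ip    something.test
"""

if __name__ == "__main__":
    results = audit_hosts(SAMPLE_HOSTS)
    for f in results:
        print(f)
    print("mass redirect target:", redirect_target(results))
```

Run against a real file with `audit_hosts(open(path, encoding="utf-8", errors="replace").read())`, where `path` is the DataBasePath location from the registry key above; the Shopperz case in the next section is the reminder that the file at that path is only meaningful if dnsapi.dll has not been patched to read a different one.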


Special mention

One hosts hijack deserves some extra attention, simply because of the complexity of the method that is used. Some variants of Shopperz have patched the Microsoft dnsapi.dll file in such a way that it points to a different hosts file. So if you look at your hosts file, you would see nothing wrong, but the system would be looking at a completely different file when it does the lookups.



The hosts file is the internet variant of a personal phonebook. We discussed a few malware variants that replace or change that phonebook, so you end up calling the wrong sites. The ones they want you to call.

File details

Pakistani-Girls-Mobile-Data.exe SHA256: 1058e4f356af5e2673bf44d2310f1901d305ae01d08aa530bc56c4dc2aecb04c

Malwarebytes Anti-Malware detects this file as Trojan.HostsHijack.


As always, stay safe out there and make sure you are protected.

Pieter Arntz

Exploit kits: summer 2018 review – Hackers University

Exploit kits: summer 2018 review

The uptick trend in cybercriminals using exploit kits that we first noticed in our spring 2018 report has continued into the summer. Indeed, not only have new kits been found, but older ones are still showing signs of life. This has made the summer quarter one of the busiest we’ve seen for exploits in a while.

Perhaps one caveat is that, apart from the RIG and GrandSoft exploit kits, we observe the majority of EK activity contained in Asia, maybe due to a greater likelihood of encountering vulnerable systems in that region. Malware distributors have complained that “loads” for the North American or European markets are too low via exploit kit, but other areas are still worthy targets.

In addition, we have witnessed many smaller and unsophisticated attackers using one or two exploits bluntly embedded in compromised websites. In this era of widely-shared exploit proof-of-concepts (PoCs), we are starting to see an increase in what we call “pseudo-exploit kits.” These are drive-by downloads that lack proper infrastructure and are typically the work of a lone author.

In this post, we will review the following exploit kits:


Two newly found vulnerabilities in 2018, Internet Explorer’s CVE-2018-8174 and Flash’s CVE-2018-4878, have been widely adopted and represent the only real attack surface at play. Nevertheless, some kits are still using older exploits in technologies that are being retired, and most likely with little efficacy.


RIG EK remains quite active in malvertising campaigns and compromised websites, and is one of the few exploit kits with a wider geographic presence. It is pictured below in what we call the HookAds campaign, delivering the AZORult stealer.

GrandSoft EK

GrandSoft is probably the second most active exploit kit with a backend infrastructure that is fairly static in comparison to RIG. Interestingly, both EKs can sometimes be seen sharing the same distribution campaigns, as pictured below:

Magnitude EK

Magnitude, the South Korean–focused EK, keeps delivering its own strain of ransomware (Magniber). We documented changes in Magniber in recent weeks with some code improvements, as well as a wider casting net among several Asian countries.

GreenFlash Sundown EK

A sophisticated but more elusive EK focusing on Flash’s CVE-2018-4878, GreenFlash Sundown is still active in parts of Asia thanks to a network of compromised OpenX ad servers. We haven’t seen any major changes since the last time we profiled it, and it is still distributing the Hermes ransomware.

KaiXin EK

KaiXin EK (also known as CK VIP) is an older exploit kit of Chinese origin, which has maintained its activity over the years. It is unique for the fact that it uses a combination of old (Java) and new vulnerabilities. When we captured it, we noted that it pushed the Gh0st RAT (Remote Access Trojan).

Underminer EK

Although this exploit kit was only identified and named recently, it has been around since at least November 2017 (perhaps with only limited distribution to the Chinese market). It is an interesting EK from a technical perspective with, for example, the use of encryption to package its exploit and prevent offline replays using traffic captures.

Another out-of-the-ordinary aspect of Underminer is its payload, which isn’t a packaged binary like others, but rather a set of libraries that install a bootkit on the compromised system. By altering the device’s Master Boot Record, this threat can launch a cryptominer every time the machine reboots.


Many exploit packs have leaked and been poached over the years, not to mention the availability of a large number of other dumps (e.g., HackingTeam) or proofs-of-concept. As a result, it is not surprising to see many less-skilled actors putting together their own “pseudo-exploit kits.” They are a far cry from being an EK: they are usually static in nature, their copy/paste exploits are buggy, and consequently, they are only used by the same threat actor in limited distribution. The pseudo-exploit we picture below (offensive domain name has been blurred) is one of the better ones we saw in July, in particular for its use of CVE-2018-8174.


We are continuously checking drive-by download attacks against our software. This time around, we had a more extensive test bed thanks to new and old exploit kits making it into this summer edition. Malwarebytes continues to block exploit kits with different layers of technology to protect our customers.

Don’t call it a comeback

It seems as though talking about the demise of exploit kits triggered an opposite reaction. Certainly, some digging is required to encounter the more obscure or geo-focused toolkits, but this revival of sorts continues thanks to Internet Explorer’s—and to a lesser extent Flash’s—newly found vulnerabilities.

While IE has a small and decreasing global market share (7 percent), it still has an important presence in countries like South Korea (31 percent) or Japan (18 percent), which could explain why there is still notable activity in a few select regions.

Exploit kits, even in a reduced and less impactful form, are likely to stick around for a while, at least for as long as people use a browser that wants to latch on indefinitely.