
New Crossrider variant installs configuration profiles on Macs - Malwarebytes Labs

A new variant of the Crossrider adware has been spotted that is infecting Macs in a unique way. For the most part, this variant is still quite ordinary, doing some of the same old things that we’ve been seeing for years in Mac adware. However, the use of a configuration profile introduces a unique new method for maintaining persistence.

Persistence is the goal of most malware. After all, what good is it to infect a machine if the malware stops running as soon as the computer restarts? There are some cases where that can still be useful (ransomware, for example), but in most cases, that’s not desired behavior. So malware creators are often stuck using the same old methods of persistence that are easy to spot. Sometimes, though, they get creative.

Infection method

This new Crossrider variant doesn’t look like much on the surface. It’s yet another fake Adobe Flash Player installer, looking like the thousands of others we’ve seen over the years.

Opening the installer results in a familiar install process, with nothing unique about it. In the course of installation, it dumps a copy of Advanced Mac Cleaner, which proceeds to announce, in Siri’s voice, that it has found problems with your system. (No such problems actually exist, of course.) Safari also pops open and then closes again suspiciously. This is all quite routine, as far as malware goes.

But something interesting has happened behind the scenes. After removing Advanced Mac Cleaner, and removing all the various components of Crossrider that have been littered around the system, there’s still a problem. Safari’s homepage setting is still locked to a Crossrider-related domain, and cannot be changed.

Malicious configuration profile

It turns out that this is caused by a configuration profile installed on the system by the adware. Configuration profiles provide a means for IT admins in businesses to control the behavior of their Macs. These profiles can configure a Mac to do many different things, some of which are not otherwise possible.

In the case of this Crossrider variant, the configuration profile that is installed forces both Safari and Chrome to always open to a page on chumsearch[dot]com. This also prevents the user from changing that behavior in the browser’s settings.

The profile can be found by opening System Preferences, then clicking the Profiles icon. (If there isn’t a Profiles icon, you don’t have any profiles installed, which is normal.)

This profile installs with an identifier of com.myshopcoupon.www, which is not visible in System Preferences. However, the profile can definitely be identified by scrolling through the details and looking for references to chumsearch[dot]com. This malicious profile can be removed by selecting it and clicking the minus (-) button in the bottom left corner of the window.


The chumsearch[dot]com domain is one that has been linked to a number of different adware programs, which can all be traced back to Crossrider. It is affiliated with one of the most widespread adware campaigns on the Mac, with only the infamous Genieo adware having a higher number of detections by Malwarebytes for Mac among all detected adware families.

The chumsearch[dot]com website contains an ad for MacKeeper (the most widely-distributed potentially unwanted program on macOS, made by Kromtech). Advertising money from Kromtech is undoubtedly one of the ways this site pays for itself. Ironically, this adware is also installed alongside another infamous Mac PUP called Advanced Mac Cleaner, by PCVARK, a program similar to and competing with MacKeeper.

Obviously, not all parts of this chain are affiliated with Crossrider, but the chumsearch domain imposed by the configuration profile definitely is.

If you’re an IT admin

For those readers who are managing fleets of Macs and need to check for and/or remove these profiles remotely, that’s pretty easy using a few simple shell scripts.

On macOS 10.12 and earlier, you can use a command like this:

sudo profiles -L

This works on macOS 10.13 as well, but there is an updated syntax that would be best to use in the future:

sudo profiles list

Either way, if you see an unfamiliar profile, particularly one with a profileIdentifier of com.myshopcoupon.www, that profile should be removed. This can be done with the following command on macOS 10.12 and earlier:

sudo profiles -R -p com.myshopcoupon.www

Or, for macOS 10.13:

sudo profiles remove -identifier com.myshopcoupon.www
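For admins who would rather push one script to the whole fleet than remember two syntaxes, here is an added example (not from the Malwarebytes post) that picks the right `profiles` form by macOS version, looks for the identifier in the listing and removes it. The sample listing is constructed; the `_computerlevel[n] attribute: profileIdentifier: X` line layout it mirrors is an assumption about the tool’s output, and the script must run as root (sudo) for the system-level profile to be visible at all.

```python
"""Fleet check/removal of the Crossrider configuration profile (added example)."""
import platform
import re
import subprocess
import sys

BAD_IDENTIFIER = "com.myshopcoupon.www"


def uses_legacy_syntax(macos_version: str) -> bool:
    """10.12 and earlier use `profiles -L` / `-R -p`; 10.13 and later use the verb form."""
    nums = [int(p) for p in macos_version.split(".")[:2] if p.isdigit()]
    major, minor = (nums + [0, 0])[:2]
    return (major, minor) < (10, 13)


def list_command(macos_version: str) -> list:
    return ["profiles", "-L"] if uses_legacy_syntax(macos_version) else ["profiles", "list"]


def remove_command(macos_version: str, identifier: str) -> list:
    if uses_legacy_syntax(macos_version):
        return ["profiles", "-R", "-p", identifier]
    return ["profiles", "remove", "-identifier", identifier]


def find_profile_identifiers(listing: str) -> set:
    """Collect every profileIdentifier attribute printed by `profiles`."""
    return set(re.findall(r"profileIdentifier:\s*(\S+)", listing))


# Constructed sample of what the listing is assumed to look like on an infected Mac.
SAMPLE_LISTING = """\
_computerlevel[1] attribute: profileIdentifier: com.myshopcoupon.www
_computerlevel[2] attribute: profileIdentifier: com.example.corp.wifi
There are 2 configuration profiles installed
"""


def main(dry_run: bool = True) -> int:
    """0 = clean, 1 = bad profile found (removed unless dry_run), 2 = not macOS."""
    version = platform.mac_ver()[0]
    if not version:
        print("not macOS; nothing to do", file=sys.stderr)
        return 2
    listing = subprocess.run(list_command(version), capture_output=True, text=True, check=True).stdout
    if BAD_IDENTIFIER not in find_profile_identifiers(listing):
        print("clean")
        return 0
    cmd = remove_command(version, BAD_IDENTIFIER)
    print(("would run: " if dry_run else "running: ") + " ".join(cmd))
    if not dry_run:
        subprocess.run(cmd, check=True)
    return 1


if __name__ == "__main__":
    sys.exit(main(dry_run="--remove" not in sys.argv))
```

Run it with sudo; without `--remove` it only reports what it would do, which is the mode to use first from an MDM policy, Remote Desktop or ssh so you can see which machines are affected before touching them.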

Gone in a Flash

The good news is that there was nothing particularly sneaky about the method of infection. Fake Adobe Flash Player installers are nothing new, and are easy to avoid. Still, people do continue to fall for such scams.

If you see a message in your web browser telling you that Adobe Flash Player needs to be updated, it’s almost certainly a scam. Do not follow any of the directions provided by these messages, and especially don’t download and install whatever they tell you to.

If you do have Flash installed on your Mac, and you believe that it needs an update, you can check for and install updates from the Update tab in the Flash Player pane in System Preferences.

If you want to install Flash for the first time on your Mac, the first thing you should do is think twice. Flash is a dying technology, and is a constant source of security vulnerabilities. Few sites these days truly require Flash. However, if you really do insist on installing it, you should download it only from Adobe’s website.

Mobile Menace Monday: FakeGift is the gift that keeps on frustrating - Malwarebytes Labs

Last spring, we found yet another piece of riskware on Google Play we call Android/PUP.Riskware.FakeGift. Based on Hindi characters found in the code, we can assume it originates from India. With over 50,000 installs before being removed from Google Play, FakeGift apparently kept on giving—frustration to its users, that is.

Gift cash money

As the name implies, FakeGift offers just that—fake gifts. Admittedly, it does so in a kind of fun way. Here’s how it works: Every day you are given 10 free “gifts.” As shown below, after the opening splash screen, the home page displays a gift box.

Press the gift box and you’ll receive a “gift” in rupees. The amount of rupees gifted is random. The gifted amount is then added to a balance found in the upper right part of the screen.

After pressing the gift box 10 times, it will let you know you’re done for the day—even after closing and reopening.

You can also accumulate rupees by pressing “Share,” which redirects you to WhatsApp. Note that if you don’t have WhatsApp, it just gives an error message stating, “Whatsapp not installed on this device.” Once in WhatsApp, simply pick a victim…er…friend to send a message. In Hindi, the message says:

सभी स्मार्टफोन यूजर ध्यान दे 📱📱📱ऑनलाइन पैसे 💰कमाने का एक बहुत ही सुनहरा अवसर हैं आपके पास, “इसे एक बार जरूर पढ़े”| 👇👇👇👇👇 🎁🎁🎁 गिफ्ट मनी में आपका स्वागत हैं🎁🎁🎁गिफ्ट मनी दे रहा हैं पैसे कमाने का एक सुनहरा मौका गिफ्ट खोले और पैसा कमाए | गिफ्ट मनी अप्प में आप रोजाना 400-500 रूपए आसानी से कमा सकते हो | महीने के 15000 से 20000 रूपए आपकी इनकम हो सकती हैं | दोस्तों आपको 1 दिन में 10 गिफ्ट मिलेंगे उन गिफ्ट को आपको खोलना हैं आपके लक के अनुसार गिफ्ट में कितने भी रूपए निकल सकते हैं और गिफ्ट मनी आपको फ्री में गिफ्ट नहीं दे रहा हैं आपको रोजाना अप्प में 10 मिनट का वर्क करना हैं उसी के पैसे आपको दे रहा हैं तो दोस्तों पैसे कमाने के इस अच्छे मोके को गवांये नहीं और अभी डाउनलोड करे और वर्क स्टार्ट कर दे| Download this link

Rough translation:

Attention all smartphone users 📱📱📱 You have a very golden opportunity to earn money 💰 online, “be sure to read this once”. 👇👇👇👇👇 🎁🎁🎁 Welcome to Gift Money 🎁🎁🎁 Gift Money is giving you a golden chance to earn money: open gifts and earn money. In the Gift Money app you can easily earn 400-500 rupees every day. Your income can be 15,000 to 20,000 rupees a month. Friends, you will get 10 gifts in 1 day; you have to open those gifts, and depending on your luck any number of rupees can come out of a gift. And Gift Money is not giving you gifts for free: you have to do 10 minutes of work in the app every day, and it is paying you for that. So friends, do not waste this good chance to earn money; download it now and start working. Download this link

Every WhatsApp message sent is an additional 10 rupees.

FakeGift, the gift that keeps on giving…absolutely nothing

After accumulating some rupees, you can then press “Payment” from the home screen to redeem. As shown below, you have three payment options.

Picking PayPal, it pops up this message.

Translation: For Balance Transfer in Paypel First Time should be 5000 rupees. After that you can transfer the balance daily. Thank you.

Here’s where it gets shady. After you accumulate the required 5,000 rupees, you still can’t transfer the money. Angry Google Play reviews show the disappointment.

One review (very) roughly translates to, “The money has to be 5000 every time you are cutting money and not being added, this is a fake app. Friends, do not waste your time.”

The fun ends

Although fun at first, the realization that there’s no award at the end turns fun into frustration. For many, this comes only after sharing with multiple friends via WhatsApp. Using this method, the app was able to gain over 50,000 installs. Also, another variant was found using a different name, but playing the same game. It also received around 50,000 installs. The good news is the only damage done is wasted time and nothing worse. Stay safe out there!

PUP Friday: Nikoff Security - Malwarebytes Labs

My attention was drawn a few weeks ago to a group of 6 apps in the Mac App Store, all made by someone named Nicholas Ebner. Part of what drew my attention was the name of one of the apps: Adware WebMedic Pro, suspiciously similar to the name of my old AdwareMedic app. This would not be the first time someone has tried using that name with a junk app, so I was immediately suspicious.

I downloaded the app and ran it through its paces, and quickly my suspicions were confirmed. The first thing I did was run its malware scan against 83 different adware and malware files, all installed into the right places in the user folder (which is the only place this app can scan).

The app came up with a number of detections… but when I reviewed them, it turned out that they were all components of the flashmall app installed into the user Applications folder. Odd components, too, in some cases… it detected things like the logo file inside the app as malicious. (It is not.)

Everything else was missed. Interestingly, though, a check afterwards showed that there were only 53 threat files remaining. Where had those other things, which hadn’t been detected, gone? Some investigation showed that the app simply deleted the LaunchAgents folder and Firefox’s searchplugins folder, regardless of what was inside them.

Its “web protection” feature simply does things like blow away browser settings, caches, etc, as well as zapping all browser extensions – regardless of whether they are legit or not.

It’s also worth noting that the app will pester you to either rate the app or go to the company’s website… with no option to do anything else.


Click “Yes” and you’ll be taken to the App Store. Click “No” and you’ll be taken to the Nikoff Security website and prompted to contact them. There is no other way to close that window, or even quit the app, without clicking one of those buttons.

A couple of the other apps made by this company – Adware Scanner & Remover and Adware Browser Cleaner Pro – appear to simply duplicate subsets of the functionality of Adware WebMedic Pro. Adware Scanner & Remover performs the same “malware scan” function, while Adware Browser Cleaner Pro does the “web protection” part.

Another pair of apps popped up a week or so later: AntiKeylogger Doctor and AntiRansomware Doctor, each one $4.99 at the time of this writing. Some quick testing showed that they are junk as well.

AntiRansomware Doctor was trivial to test, since there’s only been one ransomware app (KeRanger) for the Mac to-date. I copied a KeRanger-infected copy of Transmission onto the desktop, and also installed the malicious kernel_service file that KeRanger copies into the user’s Library folder. AntiRansomware Doctor did not detect any part of it.


Similarly, I installed several different common Mac keyloggers and then ran AntiKeylogger Doctor, and it also reported that the system was clean, failing to detect any of the installed components.

The sixth and final app is called Antivirus Spartan Pro, and it is promoted by each of the other five apps, all of which feature a very prominent ad for this app at the bottom of their main windows. So, what does that app look like?

Antivirus Spartan Pro was originally a paid app, but has recently been made free, “for limited time only” according to its App Store page. (Which made it cheaper to analyze it!)

Antivirus Spartan Pro functionality encompasses all the functionality of the other apps – which is to say little to none. However, since it specifically markets itself as an anti-virus app, I threw one additional test at it. I installed all the major Mac malware from this year: KeRanger, Eleanor, Keydnap, AdwindRAT, and Mokes. All install files in the user folder, so all should be detectable even to an App Store app. Antivirus Spartan Pro detected none of them, telling me that the system was clean.

Once it was established that these apps were all junk, I got interested in tracking down the creator. According to the App Store, the developer is someone named “Nicholas Ebner.” The apps themselves direct the user to a Nikoff Security website, which is based in Romania. Unfortunately, the site’s ownership is hidden behind a privacy service, so that’s the extent of what was known.

There was one tantalizing – but completely unsubstantiated – hint that suggested that “Nicholas Ebner” may be a pseudonym. On two separate websites, Antivirus Spartan Pro was listed as being developed by a Nicolae Popescu:


Interestingly, there is a Nicolae Popescu, from Romania, who is wanted by the FBI for fraudulent online auctions. It is possible that Popescu has moved on to creating scam apps, and has failed to entirely cover up his involvement with these apps. And then again, this could very easily be a different Nicolae Popescu, or even an error made by one of these two sites and picked up by the other. We can’t know for sure, because that’s where the trail ran cold.

In any event, these apps are all PUPs, and will be detected by Malwarebytes Anti-Malware for Mac as PUP.NikoffSecurity.

Mobile Menace Monday: top five scariest mobile threats - Malwarebytes Labs

In the spirit of this upcoming Halloween season, we thought we’d provide you with a list of the top five scariest mobile threats in our book.

The list is organized from least to most haunting, based on my own humble opinion gathered from several years as a mobile threat researcher. Of course, my opinion has also been formed by the data we’ve collected within the last few months that shows which threats have been terrorizing customers the most. Without further ado, these are the top threats that haunt my dreams.

5) The clinking of locks and chains

Although not the most prevalent mobile malware (thank goodness), mobile ransomware’s nastiness will give you the chills. It starts by tricking users into granting it device administrator rights. Afterwards, the ransomware offers the treat of locking the device from any use unless you pay a ransom.

Even scarier, some mobile ransomware threatens prosecution by law enforcement, claiming illegal activities have been conducted on the device. This is all a hoax, as law enforcement would never request paying a fine through payment methods like Bitcoin or gift cards. The most popular mobile ransomware family is detected by Malwarebytes as Android/Ransom.SLocker.

4) Guerrilla warfare

As a mobile researcher, it sometimes feels like a war out there. This is especially true with the mobile malware Android/Trojan.Guerrilla. Guerrilla warfare can be described as irregular, which sums up this Guerrilla’s tactics for evading malware scanners. Infections usually come with multiple variants of Guerrilla running on the device. However, for every move they make, we have a counter move. The war is never-ending.


3) Dashing from ghosts?  No, to the top of detections list!

Android/Adware.MobiDash will make your skin crawl! It’s one of the most highly detected threats we’ve seen on customers’ Android devices! As if possessed, MobiDash goes above and beyond typical low-level adware. It starts by sneaking its way into device administrator rights. Once granted, the user is doomed to ads on their lock screen.

Good luck uninstalling, as some versions are especially good at hiding themselves in plain sight!

2) Lurking in the shadows…of code!

Another high-ranking threat found on customers’ Android devices, Android/Trojan.HiddenAds, is a smooth criminal. Also known as Android/Trojan.Hiddad, its haunting ability to effectively hide its malicious code is terrifying! In fact, it often bypasses Google Play Protect‘s verification system. Thus, apps infected with HiddenAds make it onto the Play Store. After installing on a device, periodic full-screen ads will haunt you!

1) The one that keeps me up at night: Adups

Seriously, I have lost sleep over this one. Adups and I have a long history:

Mobile Menace Monday: Adups, old and new

Mobile Menace Monday: upping the ante on Adups

Adups comes in many forms, but the most prevalent is Android/PUP.Riskware.Autoins.Fota. This variant can potentially auto-install malware like Android/Trojan.Guerrilla and Android/Trojan.HiddenAds. As addressed in the blogs linked above, it is a preinstalled system app. Thus, it cannot be uninstalled through the device’s app information page, only disabled. However, the nightmare gets worse: Adups can’t even be disabled. Not even a mobile scanner can remove or disable it.

So how do we deal with this Freddy Krueger of a mobile threat? Well, you’re going to have to defeat it in a different realm: the realm of the ADB command-line tools, part of Google’s Android SDK platform tools (bundled with Android Studio). Luckily, we found a way to wake up from the nightmare, as we recently updated a guide on how to fully uninstall (not just disable) Adups. Beware, though: this tutorial is not for the faint of heart, and is only recommended for advanced users.

Safe room

When the boogie men of mobile threats try to break through the walls, we have a safe room for you: Malwarebytes for Android keeps the scariest mobile threats at bay! Stay safe out there!

Process Doppelgänging meets Process Hollowing in Osiris dropper - Malwarebytes Labs

One of the Holy Grails for malware authors is a perfect way to impersonate a legitimate process. That would allow them to run their malicious module under the cover, being unnoticed by antivirus products. Over the years, various techniques have emerged in helping them to get closer to this goal. This topic is also interesting for researchers and reverse engineers, as it shows creative ways of using Windows APIs.

Process Doppelgänging, a new technique of impersonating a process, was published last year at the Black Hat conference. After some time, a ransomware named SynAck was found adopting that technique for malicious purposes. Even though Process Doppelgänging still remains rare in the wild, we recently discovered some of its traits in the dropper for the Osiris banking Trojan (a new version of the infamous Kronos). After closer examination, we found out that the original technique was further customized.

Indeed, the malware authors have merged elements from both Process Doppelgänging and Process Hollowing, picking the best parts of both techniques to create a more powerful combo. In this post, we take a closer look at how Osiris is deployed on victim machines, thanks to this interesting loader.


Osiris is loaded in three steps as pictured in the diagram below:

The first stage loader is the one that was inspired by the Process Doppelgänging technique but with an unexpected twist. Finally, Osiris proper is delivered thanks to a second stage loader.

Loading additional NTDLL

When run, the initial dropper creates a new, suspended process, wermgr.exe.

Looking into the modules loaded within the injector’s process space, we can see this additional copy of NTDLL:

This is a well-known technique that some malware authors use in order to evade monitoring applications and hide the API calls that they use. When we closely examine which functions are called from that additional NTDLL, we find more interesting details. It calls several APIs related to NTFS transactions. It was easy to guess that Process Doppelgänging, which relies on this mechanism, was applied here.

NTDLL is a special, low-level DLL: basically a thin wrapper around syscalls. It has no dependencies on other DLLs in the system. Thanks to this, it can be loaded conveniently, without the need to fill its import table.

Other system DLLs, such as Kernel32, rely heavily on functions exported from NTDLL. This is why many user-land monitoring tools hook and intercept the functions exported by NTDLL: to watch which functions are being called and check whether the process displays any suspicious activity.

Of course malware authors know about this, so sometimes, in order to fool this mechanism, they load their own, fresh and unhooked copy of NTDLL from disk. There are several ways to implement this. Let’s have a look how the authors of the Osiris dropper did it.

Looking at the memory mapping, we see that the additional NTDLL is loaded as an image, just like other DLLs. This type of mapping is typical for DLLs loaded by the LoadLibrary function or its low-level counterpart in NTDLL, LdrLoadDll. But NTDLL is loaded by default in every process, and loading the same DLL twice is impossible through the official API (the loader simply hands back the module that is already there).

Usually, malware authors decide to map the second copy manually, but that gives a different mapping type and stands out from the normally loaded DLLs. Here, the authors made a workaround: they loaded the file as a section, using the following functions:

  • ntdll.NtCreateFile – to open the ntdll.dll file
  • ntdll.NtCreateSection – to create a section out of this file
  • ntdll.ZwMapViewOfSection – to map this section into the process address space

This was a smart move because the DLL is mapped as an image, so it looks like it was loaded in a typical way.

This DLL was further used to make the payload injection more stealthy. Having their fresh copy of NTDLL, they were sure that the functions used from there are not hooked by security products.

Comparison with Process Doppelgänging and Process Hollowing

The way in which the loader injects the payload into a new process displays some significant similarities with Process Doppelgänging. However, if we analyze it very carefully, we can also see differences from the classic implementation proposed last year at Black Hat. The differing elements are closer to Process Hollowing.

Classic Process Doppelgänging:

Process Hollowing:

Osiris Loader:

Creating a new process

The Osiris loader starts by creating the process into which it is going to inject. The process is created by a function from Kernel32: CreateProcessInternalW:

The new process (wermgr.exe) is created in a suspended state from the original file. So far, it reminds us of Process Hollowing, a much older technique of process impersonation.

In the Process Doppelgänging algorithm, the step of creating the new process is taken much later and uses a different, undocumented API: NtCreateProcessEx:

This difference is significant, because in Process Doppelgänging the new process is created not from the original file, but from a special buffer (section). That section is created earlier, from an “invisible” file written inside an NTFS transaction. In the Osiris loader, this part also occurs, but the order is turned upside down, making us question whether we can call it the same algorithm.

After the process is created, the same image (wermgr.exe) is mapped into the context of the loader, just like it was previously done with NTDLL.

As it later turns out, the loader will patch the remote process. The local copy of the wermgr.exe will be used to gather information about where the patches should be applied.

Usage of NTFS transactions

Let’s start with a brief look at what NTFS transactions are. Transactions are familiar from databases; NTFS offers the same concept for the file system. An NTFS transaction encapsulates a series of file operations into a single unit. When a file is created inside a transaction, nothing outside it can access the file until the transaction is committed. Process Doppelgänging uses them in order to create invisible files into which the payload is dropped.

In the analyzed case, the usage of NTFS transactions is exactly the same; only the APIs differ slightly. The loader creates a new transaction, within which a new file is created. The original implementation used CreateTransaction and CreateFileTransacted from Kernel32. Here, they were substituted by their low-level equivalents.

First, ZwCreateTransaction from the extra NTDLL is called. Then, instead of CreateFileTransacted, the authors open the transacted file with RtlSetCurrentTransaction followed by ZwCreateFile (the created file is %TEMP%\Liebert.bmp). Then the dropper writes a buffer to the file, again pairing RtlSetCurrentTransaction with the low-level call, this time ZwWriteFile.

We can see that the buffer that is being written contains the new PE file: the second stage payload. Typically for this technique, the file is visible only within the transaction and cannot be opened by other processes, such as AV scanners.

This transacted file is then used to create a section. The function that can do it is available only via low-level API: ZwCreateSection/NtCreateSection.

After the section is created, that file is no longer needed. The transaction gets rolled back (by ZwRollbackTransaction), and the changes to the file are never saved on the disk.

So, the part described above is identical to the corresponding part of Process Doppelgänging. The dropper’s authors made it even stealthier by using the low-level equivalents of the functions, called from their custom copy of NTDLL.

From a section to a process

At this point, the Osiris dropper creates two completely unrelated elements:

  • A process (at this moment containing a mapped, legitimate executable wermgr.exe)
  • A section (created from the transacted file) and containing the malicious payload

If this were typical Process Doppelgänging, this situation would never occur, and we would have the process created directly based on the section with the mapped payload. So, the question arises, how did the author of the dropper decide to merge the elements together at this point?

If we trace the execution, we can see following function being called, just after the transaction is rolled back (format: RVA;function):


So, it looks like the newly created section is just mapped into the new process as an additional module. After writing the payload into memory and setting the necessary patches, such as Entry Point redirection, the process is resumed:

The way in which the execution was redirected looks similar to variants of Process Hollowing. The PEB of the remote process is patched, and the new module base is set to the added section. (Thanks to this, imports will get loaded automatically when the process resumes.)

The Entry Point redirection is, however, done just by a patch at the Entry Point address of the original module. A single jump redirects to the Entry Point of the injected module:

In case patching the Entry Point fails, the loader contains a second variant of Entry Point redirection: setting the new address in the thread context (ZwGetThreadContext -> ZwSetThreadContext), which is a classic technique used in Process Hollowing:

Best of both worlds

As we can see, the author merged some elements of Process Doppelgänging with some elements of Process Hollowing. This choice was not accidental. Both of those techniques have strong and weak points, but by merging them together, we get a power combo.

The weakest point of Process Hollowing is the memory type of the space into which the payload is injected (more info here). Process Hollowing allocates memory pages in the remote process with VirtualAllocEx, then writes the payload there. This has one undesirable effect: the pages are of type MEM_PRIVATE, whereas a normally loaded executable is MEM_IMAGE.

Example of a payload loaded using Process Hollowing:

The major obstacle to loading the payload as an image is that, to do so, it first has to be dropped on disk. Of course, that is not acceptable to the attacker, because once dropped it would easily be picked up by an antivirus.

Process Doppelgänging on the other hand provides a solution: invisible transacted files, where the payload can be safely dropped without being noticed. This technique assumes that the transacted file will be used to create a section (MEM_IMAGE), and then this section will become a base of the new process (using NtCreateProcessEx).

Example of a payload loaded using Process Doppelgänging:

This solution works well, but requires that all the process parameters also be set up manually: first creating them with RtlCreateProcessParametersEx and then writing them into the remote PEB. That makes it difficult to run a 32-bit process on a 64-bit system, because a WoW64 process has two PEBs to fill.

Those problems of Process Doppelgänging are solved easily if the process is created the way Process Hollowing does it. Rather than using the low-level API, which was the only way to create a new process out of a section, the authors created a process from the legitimate file using a documented Kernel32 API. The section carrying the payload, mapped with the proper memory type (MEM_IMAGE), can then be added later, and execution redirected to it.
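The memory-type difference that makes Process Hollowing detectable, and the loader-list gap that both the injector’s second NTDLL copy and the image-mapped payload section leave behind, can be turned into a simple triage heuristic. The following is an added example and not part of the original analysis: it works on hand-constructed records shaped like what VirtualQueryEx, GetMappedFileName and a walk of the PEB loader list would return, so it runs anywhere. The Liebert.bmp path reported for the transaction-backed section is an assumption, and all three snapshots are constructed.

```python
"""Heuristic memory-map triage for hollowing- and Doppelgänging-style injection.

Added example; not code from the Malwarebytes analysis. Region records mirror
MEMORY_BASIC_INFORMATION (VirtualQueryEx) plus GetMappedFileName's answer, and
the snapshots below are constructed by hand so the script runs anywhere.
"""
from dataclasses import dataclass
from typing import Optional

# MEMORY_BASIC_INFORMATION.Type
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000

# PAGE_* protections (low byte; PAGE_GUARD / PAGE_NOCACHE sit above it)
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


@dataclass(frozen=True)
class Region:
    base: int                   # BaseAddress of this page range
    allocation_base: int        # AllocationBase: start of the image/mapping it belongs to
    size: int
    protect: int                # Protect (PAGE_*)
    mem_type: int               # Type (MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE)
    mapped_file: Optional[str]  # GetMappedFileName result; None when not file-backed


@dataclass(frozen=True)
class ProcessSnapshot:
    exe_path: str           # QueryFullProcessImageName
    peb_image_base: int     # PEB.ImageBaseAddress
    ldr_bases: frozenset    # DllBase of every PEB.Ldr.InLoadOrderModuleList entry
    regions: tuple


def is_executable(protect: int) -> bool:
    return (protect & 0xFF) in EXECUTABLE


def find_injection_signs(snap: ProcessSnapshot) -> list:
    """Return (kind, allocation_base) pairs for mappings that look injected."""
    findings, seen = [], set()
    for r in snap.regions:
        if not is_executable(r.protect) or r.allocation_base in seen:
            continue
        if r.mem_type == MEM_PRIVATE:
            # Classic hollowing: VirtualAllocEx + WriteProcessMemory leaves executable
            # private pages, which a normally loaded module never has.
            findings.append(("private_exec", r.allocation_base))
            seen.add(r.allocation_base)
        elif r.mem_type == MEM_IMAGE and r.allocation_base not in snap.ldr_bases:
            # Osiris / Doppelgänging style (and the injector's second NTDLL): a section
            # mapped as an image so it looks like a DLL, but never registered with the
            # loader, so PEB.Ldr knows nothing about it.
            findings.append(("unregistered_image", r.allocation_base))
            seen.add(r.allocation_base)
    # PEB.ImageBaseAddress should be the mapping of the process's own executable; the
    # Osiris loader repoints it at the payload section so imports resolve on resume.
    main = next((r for r in snap.regions if r.allocation_base == snap.peb_image_base), None)
    if main is None or (main.mapped_file or "").lower() != snap.exe_path.lower():
        findings.append(("peb_base_mismatch", snap.peb_image_base))
    return findings


# --- constructed snapshots ---------------------------------------------------
EXE = r"C:\Windows\System32\wermgr.exe"
NTDLL = r"C:\Windows\System32\ntdll.dll"
WERMGR_BASE, NTDLL_BASE, PAYLOAD_BASE = 0x7FF6A0000000, 0x7FFD10000000, 0x400000
LOADED = frozenset({WERMGR_BASE, NTDLL_BASE})

BASELINE = (
    Region(WERMGR_BASE, WERMGR_BASE, 0x1000, PAGE_READONLY, MEM_IMAGE, EXE),                 # PE headers
    Region(WERMGR_BASE + 0x1000, WERMGR_BASE, 0x20000, PAGE_EXECUTE_READ, MEM_IMAGE, EXE),   # .text
    Region(NTDLL_BASE + 0x1000, NTDLL_BASE, 0x120000, PAGE_EXECUTE_READ, MEM_IMAGE, NTDLL),  # ntdll .text
    Region(0x1A0000, 0x1A0000, 0x10000, PAGE_READWRITE, MEM_PRIVATE, None),                  # heap
)
CLEAN = ProcessSnapshot(EXE, WERMGR_BASE, LOADED, BASELINE)

# Osiris-style: payload section mapped as an image from the rolled-back transacted file
# (path as GetMappedFileName might report it: an assumption), absent from the loader
# list, with PEB.ImageBaseAddress repointed at it.
OSIRIS = ProcessSnapshot(EXE, PAYLOAD_BASE, LOADED, BASELINE + (
    Region(PAYLOAD_BASE + 0x1000, PAYLOAD_BASE, 0x30000, PAGE_EXECUTE_READ, MEM_IMAGE,
           r"C:\Users\victim\AppData\Local\Temp\Liebert.bmp"),
))

# Classic hollowing: VirtualAllocEx'd executable private pages, PEB left alone.
HOLLOWED = ProcessSnapshot(EXE, WERMGR_BASE, LOADED, BASELINE + (
    Region(PAYLOAD_BASE, PAYLOAD_BASE, 0x30000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, None),
))

if __name__ == "__main__":
    for name, snap in (("clean", CLEAN), ("osiris", OSIRIS), ("hollowed", HOLLOWED)):
        print(name, [(kind, hex(base)) for kind, base in find_injection_signs(snap)])
```

On a live system the records come from VirtualQueryEx over the whole address range plus the PEB.Ldr list read with ReadProcessMemory; legitimate software also maps executable code outside the loader list (JIT engines, some packers), so treat hits as leads for a closer look rather than verdicts.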

Second stage loader

The next layer (8d58c731f61afe74e9f450cc1c7987be) is not the core yet, but the next stage of the loader. It imports only one DLL, Kernel32.

Its only role is to load the final payload. At this stage, we can hardly find something innovative. The Osiris core is unpacked piece by piece and manually loaded along with its dependencies into a newly-allocated memory area within the loader process.

After this self-injection, the loader jumps into the payload’s entry point:

The interesting thing is that the application’s real entry point differs from the entry point saved in the header. So, if we dump the payload and try to run it independently, we will not get the same code executed. This is an interesting technique used to mislead researchers.

The entry point set in the headers is at RVA 0x26840:

The call leads to a function that makes the application go in an infinite sleep loop:

The real entry point, from which the execution of the malware should start, is at 0x25386, and it is known only to the loader.
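One practical consequence of the hidden entry point is that a dumped payload must have its header fixed before it behaves like the live sample. This added example (not the post’s own tooling) parses AddressOfEntryPoint from a PE optional header and rewrites it; the RVAs 0x26840 and 0x25386 are the ones reported above, and the stub image the script builds for itself is a constructed header only, not a runnable executable.

```python
"""Read and rewrite AddressOfEntryPoint in a PE optional header (added example).

Useful when a dumped payload's header points at a decoy entry point and the
real one is known only from tracing the loader.
"""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
ENTRY_POINT_OFFSET = 16  # AddressOfEntryPoint is at +16 in both PE32 and PE32+ optional headers


def optional_header_offset(pe: bytes) -> int:
    """Locate the optional header: MZ -> e_lfanew -> PE signature -> 20-byte COFF header."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20


def header_entry_point(pe: bytes) -> int:
    """Return the RVA the header advertises as the entry point."""
    off = optional_header_offset(pe)
    magic = struct.unpack_from("<H", pe, off)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return struct.unpack_from("<I", pe, off + ENTRY_POINT_OFFSET)[0]


def patch_entry_point(pe: bytes, real_rva: int) -> bytes:
    """Return a copy of the image whose header entry point is real_rva."""
    buf = bytearray(pe)
    struct.pack_into("<I", buf, optional_header_offset(pe) + ENTRY_POINT_OFFSET, real_rva)
    return bytes(buf)


def build_stub_pe(entry_rva: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only image for exercising the code; it is not runnable."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, ENTRY_POINT_OFFSET, entry_rva)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# The Osiris core as dumped: the header says 0x26840 (the sleep-loop decoy), while the
# loader actually jumps to 0x25386.
DECOY_RVA, REAL_RVA = 0x26840, 0x25386

if __name__ == "__main__":
    dumped = build_stub_pe(DECOY_RVA)
    fixed = patch_entry_point(dumped, REAL_RVA)
    print(f"header EP {header_entry_point(dumped):#x} -> patched to {header_entry_point(fixed):#x}")
```

For a real dump, read the file, call patch_entry_point with the RVA observed at the loader’s final jump, and write the result out; the same offset arithmetic works for PE32 and PE32+ because only the fields after AddressOfEntryPoint differ between the two.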

The second stage versus Kronos loader

A similar trick using a hidden entry point was used by the original Kronos (2a550956263a22991c34f076f3160b49). In Kronos’ case, the final payload is injected into svchost. The execution is redirected to the core by patching the entry point in svchost:

In this case, the entry point within the payload is at RVA 0x13B90, while the entry point saved in the payload’s header (d8425578fc2d84513f1f22d3d518e3c3) is at 0x15002.

The code at the real Kronos entry point shows similarities with the analogous code in Osiris. Yet, we can see they are not identical:

A precision implementation

The first stage loader is strongly inspired by Process Doppelgänging and is implemented in a clean and professional way. The author adopted elements from a relatively new technique and made the best of it by combining it with other known tricks. The precision used here reminds us of the code used in the original Kronos. However, we can’t be sure that the first layer was written by the same author as the core bot. Malware distributors often use third-party crypters to pack their malware. The second stage is more tightly coupled with the payload, and here we can say with more confidence that this layer was prepared along with the core.

Malwarebytes can protect against this threat early on by breaking its distribution chains, which include malicious documents sent in spam campaigns and drive-by downloads, thanks to our anti-exploit module. Additionally, our anti-malware engine detects both the dropper and the Osiris core.

Indicators of Compromise (IOCs)

Stage 1 (original sample)


Stage 2 (second stage loader)


Osiris (core bot)


10 easy ways to prevent malware infection

We told you how to tell if you’re infected with malware. We told you how to clean up the infection if you were affected. But how about we prevent malware infection from happening in the first place!

Yes, it’s possible to clean up an infected computer and fully remove malware from your system. But the damage from some forms of malware, like ransomware, cannot be undone. If they’ve encrypted your files and you haven’t backed them up, the jig is up. So your best defense is to beat the bad guys at their own game.

While no single method is ever 100 percent fool-proof, there are some tried and true cybersecurity techniques for keeping malware infections at bay that, if put into practice, will shield you from most of the garbage of the Internet.

Without further ado:

Protect vulnerabilities

One of the most ingenious delivery methods for malware today is by exploit kit. Exploit kits are sneaky little suckers that rummage around in your computer and look for weaknesses in the system, whether that’s an unprotected operating system, a software program that hasn’t been updated in months, or a browser whose security protocols aren’t up to snuff (we’re looking at you, Internet Explorer).

Here are some ways you can protect against exploits and shield your vulnerabilities:

  1. Update your operating system, browsers, and plugins. If there’s an update to your computer waiting in queue, don’t let it linger. Updates to operating systems, browsers, and plugins are often released to patch security vulnerabilities that have been discovered. So while you leave those programs alone, cybercriminals can find their way in through the vulnerabilities.

    Bonus mobile phone tip: To protect against security flaws in mobile phones, be sure your mobile phone software is updated regularly. Don’t ignore those “New software update” pop-ups, even if your storage is full or your battery is low.

  2. Enable click-to-play plugins. One of the more devious ways that exploit kits (EKs) are delivered to your computer is through malvertising, or malicious ads. You needn’t even click on the ad to become infected, and these malicious ads can live on prestigious, well-known sites. Besides keeping your software patched so that exploit kits can’t do their dirty work, you can help to block the exploit from ever being delivered by enabling click-to-play plugins. Click-to-play plugins keep Flash or Java from running unless you specifically tell them to (by clicking on the ad). The bulk of malvertising relies on exploiting these plugins, so enabling this feature in your browser settings will help keep the EKs at bay.
  3. Remove software you don’t use (especially legacy programs). So, you’re still running Windows XP or Windows 7/8.1? Microsoft discontinued releasing software patches for Windows XP in 2015, and Windows 7 and 8 are only under extended support. Using them without support or the ability to patch will leave you wide open to exploit attacks. Take a look at other legacy apps on your computer, such as Adobe Reader or older versions of media players. If you’re not using them, it’s best to remove them.

Watch out for social engineering

Another top method for infection is to scam users through social engineering. Whether that’s an email that looks like it’s coming from your bank, a tech support scam, or a fishy social media campaign, cybercriminals have gotten rather deft at tricking even tech-savvy surfers. By being aware of the following top tactics, you can fend off uninvited malware guests:

  1. Read emails with an eagle eye. Phishing is a cybercrime mainstay, and it’s successful only when readers don’t pay attention or know what to look for. Check the sender’s address. Is it from the actual company he or she claims? Hover over links provided in the body of the email. Is the URL legit? Read the language of the email carefully. Are there weird line breaks? Awkwardly-constructed sentences that sound foreign? And finally, know the typical methods of communication for important organizations. For example, the IRS will never contact you via email. When in doubt, call your healthcare, bank, or other potentially-spoofed organization directly.

    Bonus mobile phone tip: Cybercriminals love spoofing banks via SMS/text message or fake bank apps. Do not confirm personal data via text, especially social security numbers. Again, when in doubt, contact your bank directly.

  2. Do not call fake tech support numbers. Ahhh, tech support scams. The bane of our existence. These often involve pop-ups from fake companies offering to help you with a malware infection. How do you know if they’re fake? A real security company would never market to you via pop-up saying they believe your computer is infected. They would especially not serve up a (bogus) 1-800 number and charge money to fix it. If you have security software that detects malware, it will show such a detection in your scan, and it will not encourage you to call and shell out money to remove the infection. That’s a scam trying to infect you. Don’t take the bait.
  3. Do not believe the cold callers. On the flip side, there are those who may pick up the phone and try to bamboozle you the good old-fashioned way. Tech support scammers love to call up and pretend to be from Microsoft. They’ve detected an infection, they say. Don’t believe it. Others may claim to have found credit card fraud or a loan overdue. Ask questions if something feels sketchy. Does the person have info on you that seems outdated, such as old addresses or maiden names? Don’t confirm or update the info provided by these callers. Ask about where that person is calling from, if you can call back, and then hang up and check in with credit agencies, loan companies, and banks directly to be sure there isn’t a problem.

    Bonus mobile phone tip: You can block calls until pigs fly, but there will always be a scammer ready with a new number (especially one that looks similar in area code and first three digits to yours). Many cybersecurity programs for Android and iPhone can put the bulk of those calls to rest, meaning an unidentified number needn’t stress you out as much. Of course, when in doubt, screen your calls.

Practice safe browsing

There’s such a thing as good Internet hygiene. These are the things you should be doing to protect against external and internal threats, whether you’ve lost your device and need to retrieve it or want to stay protected when you shop online.

“While many of the threats you hear about on the news make it seem like there is no way to protect yourself online these days, the reality is that by following some basic tips and maintaining good habits while online, you will evade infection from over 95 percent of the attacks targeting you,” says Adam Kujawa, Head of Intelligence for Malwarebytes. “For that last 5 percent, read articles, keep up with what the actual security people are saying, and follow their advice to protect yourself.”

So here are some of the basics to follow:

  1. Use strong passwords and/or password managers. A strong password is unique, is not written down anywhere, is changed often, and isn’t tied to easily found personal information, like a birthday. It’s also not repeated for different logins. Admittedly, that’s a tough cookie to chew on. If you don’t want to worry about remembering 5,462 different rotating passwords, you may want to look into a password manager, which collects, remembers, and encrypts passwords for your computer.
  2. Make sure you’re on a secure connection. Look for the proper padlock icon to the left of the URL. If it’s there, then that means the information passed between a website’s server and your browser remains private. In addition, the URL should read “https” and not just “http.”
  3. Log out of websites after you’re done. Did you log into your healthcare provider’s site using your super-strong password? You could still be leaving yourself vulnerable if you don’t log out, especially if you’re using a public computer. It’s not enough to just close the browser tab or window. A person with enough technical prowess could access login information from session cookies and sign into a site as you.

Layer your security

All the safe browsing and careful vigilance in the world can’t protect you from all the threats out there. Sometimes you need a professional to catch the poo that cybermonkeys are flinging. So to keep your machine clean, invest in security software and layer it up with the following:

  1. Use firewall, anti-malware, anti-ransomware, and anti-exploit technology. Your firewall can detect and block some of the known bad guys. Meanwhile, Malwarebytes products use multiple layers of tech to fend off sophisticated attacks from unknown agents, stopping malware and ransomware infection in real time and shielding vulnerable programs from exploit attack.

Security professionals agree a multi-layer approach—using not only multiple layers of security technology but also user awareness—helps keep you protected from the bad guys and your own mistakes. Now go forth and fight malware!

All Rise! Mind these digital crimes and arm yourself against them

Have you noticed that, in this year alone, headlines are inundated with words that contain “cyber”?

Cybercrime. Cyberattack. Cybersecurity. Cyberwarfare. The cyber. (Okay, that was last year.)

Frankly, with so much going on, we hardly remember a time when the term “cyber” seemed quaint and a little retro.

Indeed, cybercrime as a whole has been steadily on the increase these past few years, and not one expert has predicted it ebbing anytime soon. This is daunting, but not exactly unexpected. As we progress in adopting new technologies—with more of the world’s population online now than not—more and more people are exposed to potential threats.

Are we then to embrace the inevitable? Not really. Assuming the worst is to come—and we think you should—it’s more important than ever to arm yourself against digital crimes. This means putting security measures in place that aim to prevent or mitigate specific threats, tinkering with some habits that are actually quite dangerous, and talking about security candidly with friends, family, and peers.

So, let’s prioritize. We’ve scoured through scores of reports and identified digital crimes that are on the rise. In the list below, we’ll explain them and what you can do to protect yourself against them.

(1) Card skimming. This is a type of electronic fraud where criminals use a device called a skimmer to steal card information from users. The skimmer is usually installed onto devices where one can swipe or feed their credit or debit card, such as ATMs, point-of-sale (POS) devices, and gas pumps. Brian Krebs of KrebsOnSecurity covered card skimming extensively in a fascinating and eye-opening series of blog posts that we suggest you read through here.

How to protect yourself: There are two rules of thumb:

Always check. KrebsOnSecurity has provided ways on how one could recognize tampered devices so users can protect their bank cards from getting skimmed. “If you see something that doesn’t look right—such as an odd protrusion or off-color component on an ATM—consider going to another machine,” wrote Krebs in one article. “Also, stay away from ATMs that are not located in publicly visible and well-lit areas.”

More sophisticated setups, on the other hand, show little to no sign of obvious tampering. This is true for gas stations, where threat actors generally plant their skimming device inside the pump. We don’t advocate that consumers start dismantling gas pumps to check whether they’re clean; however, we do advise users to keep a close eye on their bank statements for any expenditures they don’t remember paying for.

In September of this year, an Android app called Skimmer Scanner was made available on Google Play to download and use for free. This app is supposed to detect skimmer-tainted gas pumps, which use Bluetooth technology to steal user information. If you’re interested, the developer of the app wrote a technical post that you can read in this SparkFun page.

Never let your bank card out of your sight. If you’re in a restaurant or small shop where they use a handheld payment terminal, ask the waiter or cashier to swipe the card in front of you. A lot of businesses already do this, but it won’t hurt to ask if you see that the establishment you’re in needs to catch up on this practice.

It’s also important to make sure contact details are updated for each card you own and use so you can be easily reached if the bank spots potential fraudulent transactions.

(2) Android malware. Ever since mobile usage exceeded PC and laptop usage combined, we’ve been expecting that criminals would begin targeting the mobile market. And since Android is the dominant mobile OS worldwide, Android devices are the most targeted mobile devices. This has been and continues to be the trend, year after year. Trojans lead the mobile malware infection count, followed by potentially unwanted programs (PUPs). Meanwhile, mobile ransomware is growing at a rapid rate.

How to protect yourself: If you haven’t already, begin practicing basic computing hygiene the same way you would when you’re on a desktop or laptop. This includes regular firmware and app updates, backing up phone data, locking the device when not in use, setting up remote wipe, installing apps that help protect you from threats when you browse the web, and playing it smart on public Wi-Fi networks.

It’s also essential that users regularly audit mobile devices for apps that they no longer use—these they can uninstall—and those that, for some reason, started doing things they’re not supposed to—these they must uninstall.

We pushed out several articles about mobile security on the Labs blog. Now would be a good time to go back and review them.

(3) Mac malware. Apple has gained favor in the eyes of threat actors, but this didn’t happen overnight. Its user base has been increasing steadily over the years, and we can surmise some reasons why. For one thing, its partnerships with other tech giants like IBM and Cisco have significantly expanded Apple’s reach in the enterprise world. Not only that, human behavior and logic play a factor, too: iPhone and iPad users are known to consider buying a Mac instead of a PC to complement their devices.

There wasn’t much Mac malware out there at first, but our recent telemetry data reveals that it is becoming noticeably problematic, along with adware and PUPs. We’d be remiss not to point out that Mac OS users may encounter various malvertising and scam campaigns, too.

How to protect yourself: Our recommendations to Mac users are not that different from what we advise Windows users. Again, following safe browsing habits is a constant best practice for any platform, operating system, or device. Don’t forget to back up files and, if you can, try to avoid downloading torrent files, which are sometimes bundled with programs you wouldn’t want to be installed on your system.

Below are some posts you may want to go back to and re-read about Mac safety:

(4) Linux malware. Here’s another OS that was first deemed “immune” from digital crime but is now making headlines, thanks to the proliferation of electronic devices and appliances that use software based on the Linux kernel, such as Android phones and tablets, routers, and the Internet of Things (IoT). In the Internet Security Report Q1 [PDF] by our friends at WatchGuard, they noted the three current types of malware targeting Linux: exploits, downloaders, and flooders.

Anecdotal evidence points to a number of reasons why threat actors are now going after Linux-powered devices. First, vendors and developers didn’t take the time or effort to incorporate a patched kernel onto their products. Second, most of these devices and appliances have little to no security protections in place, and updating them over-the-air (OTA) is almost nonexistent. Last, consumers don’t use passwords—and if they do, they use poor ones—to protect such devices and appliances.

How to protect yourself:

Let’s start with passwords: Create one, now, or let a password manager do the creating for you. Make sure that the software and firmware on your IoT devices/appliances are updated. For those who have Linux servers, regularly update the OS. Implement firewall rules that block unsolicited inbound traffic and SSH access from the Internet and internal network. And finally, consider protecting devices with multiple security technologies, including anti-spam, URL filtering, anti-malware, and intrusion prevention, to name a few.

(5) Cyberbullying. The only Internet crime on this list that is aimed directly at actual people.

We’ve written about cyberbullying through the years, and we know that this act does not only involve kids and teens but also adults. And online bullying incidents are more prevalent now than ever. Why? While it’s true that the Internet has made it easier for anyone to talk to someone on the other side of the globe, let’s not remove from the equation people’s poor choices, misunderstood notions on anonymity, and the false assumption that real life is separate from digital life.

How to protect yourself: Prevention is always better than treatment, so how does one prevent cyberbullying? Consider limiting what you share online, or at least limit who sees what you share. Your social media feeds don’t have to be public, especially if you’re sharing something that is meant for close family and friends. Speaking of sharing, avoid sending intimate or private photos to anyone. This could not only lead to bullying but also revenge porn.

We have more preventive steps here, wherein we mostly touched on debunking myths surrounding cyberbullying.

Here’s more from our series during Anti-Bullying Week:

(6) Contactless card fraud. As we all know, a contactless card does not require one to enter their PIN, much less slotting it through a PoS terminal. All one has to do is wave it or keep it stationary in front of a contactless reader for a few seconds and you’re all set. Many users have opted to use contactless cards due to their ease of use. So easy, in fact, that one might correctly surmise that criminals can easily commit fraud as well.

Note that this particular digital crime is only relevant in regions of the world that use contactless cards, such as the UK and most European countries.

How to protect yourself:

Always handle your card yourself. Handing someone your card to be waved increases the risk of it getting skimmed. To keep track of spending when you use the contactless payment feature of your card, ask for a receipt. Compare these with your bank statements. Regularly check your statements for unusual transactions. And if you lose your card, report the loss to your bank immediately. Finally, consider using a digital wallet as an alternative to contactless cards.

While we focused on digital crimes that directly affect consumers here, in Part 2 of this series, we’ll be homing in on crimes that are after enterprises. See you then!
