

‘Hidden Bee’ miner delivered via improved drive-by download toolkit

This blog post was authored by @hasherezade and Jérôme Segura.

We recently detected a drive-by download attack trying to exploit CVE-2018-4878, a vulnerability in Flash Player, in a sequence that was not matching any of the exploit kit patterns that we currently track. Upon investigation, we discovered something that was new to us, but is part of an existing exploitation framework referenced in late 2017 by Chinese security firm Qihoo360. At the time, the payload appeared to be a Trojan pushing adware. (Note: On July 26, our colleagues from TrendMicro published a blog post calling it the Underminer exploit kit).

Since it was last documented, there have been changes to the exploits being used, although the distribution method is similar. One interesting aspect that we don’t see much of these days is the use of encryption to package exploits on-the-fly, which requires a key from the backend server to decrypt and execute them.

The payload served in this campaign is also out of the ordinary because it is not a standard PE file. Instead, it is a multiple-stage custom executable format, which also acts as a downloader to retrieve Lua scripts used by the threat actors behind the Hidden Bee miner botnet. This was perhaps the first case of a bootkit being used to enslave machines mining cryptocurrencies.

Campaign overview

The attackers are leveraging malvertising via adult sites to redirect their victims to the exploit kit landing page. We believe this campaign is primarily targeting Asian countries based on the ads that are served and our own telemetry data. A server purporting to be an online dating service contains a malicious iframe responsible for the exploitation and infection phases.

Traffic play-by-play

IE exploit

With a few exceptions, exploit kits typically obfuscate their landing page and exploits. But here the threat actors go beyond that by using encryption and requiring a key exchange with the backend server in order to decrypt and execute the exploit. In the past, the Angler, Nuclear and Astrum exploit kits have abused the Diffie-Hellman key exchange protocol in similar ways to prevent analysts from replaying malicious traffic.

The execution of the malicious code starts from a webpage with an embedded encrypted block. This block is Base64 encoded and encrypted with one of two algorithms: RC4 or Rabbit.

After being decrypted, the block is executed. You can find the decoded version of the JavaScript that is being run here. As you can see in the script, it generates a random session key, then encrypts it with the attacker’s public RSA key:

The encrypted key is being passed onto the next function and converted into JSON format to perform a POST request to the hardcoded URL:

This is what we can see if we look at the traffic between the client and the server (the client sends the encrypted “key” and the server responds with the “value”):


  • With the attackers’ private RSA key, the server decrypts the passed session key.
  • It uses it to encrypt the exploit content with a chosen symmetric algorithm (Rabbit or RC4).
  • It returns the encrypted content back to the client.

Thanks to the fact that the client still has an unencrypted version of the key in memory, it is able to decrypt and execute the exploit. However, researchers who just have the traffic captured cannot retrieve the original session key, and replaying the exploit is impossible. Thankfully, we managed to capture the exploit during dynamic analysis.

We believe that the decrypted exploit is CVE-2018-8174, as one of our test machines patched against CVE-2016-0189 got exploited successfully.

Flash exploit

This newer Flash exploit (CVE-2018-4878) was not part of the exploit toolkit at the time Qihoo documented it, and seems to be a more recent addition to boost its capabilities. The shellcode embedded in the exploit is a downloader for the next stage.

Upon successful exploitation, it will retrieve its payload at the following URL:

This file, given the extension .wasm, pretends to be a WebAssembly module. But in fact, it is something entirely different, appearing to be a custom executable format, or a modified, header-less PE file.

It starts from the names of the DLLs that are going to be needed during the execution:

As you can see, it loads Cabinet.dll, which is used for unpacking cabinet files. In later sections, we saw the APIs and strings that are used for communication over HTTP. We also found references to “dllhost.exe” and “bin/i386/core.sdb”.

It is easy to guess that this module will be downloading something and running via dllhost.exe.

Another interesting string is a Base64-encoded content:

The decoded content points to more URLs:

Looking at the traffic captured by Fiddler, we found that, indeed, those URLs are being queried:

The requests are coming from dllhost.exe, so that means the above executable was injected there.

The file glfw.wasm has nothing in common with WebAssembly. It is, in fact, a Cabinet file, containing packed content under the internal path bin/i386/core.sdb. Looking inside, we found the same custom executable format, starting with DLL names:
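Both downloads in this chain carry an extension that does not match their content, so a content check rather than an extension check is the useful triage step. The following Node.js snippet is an added example, not code from the original post: it sniffs the documented magic numbers for WebAssembly (`\0asm` plus version), Microsoft Cabinet (`MSCF`) and PE (`MZ`), flags a mismatch with the claimed extension, and pulls DLL names out of an otherwise unrecognised blob the way the custom format above exposes them. The sample buffers are constructed here and are not the real files.

```javascript
// Added example (Node.js): check what a retrieved file really is, regardless of
// its extension. Sample buffers below are constructed, not the actual payloads.
function sniffFormat(buf) {
  if (buf.length >= 8 && buf[0] === 0x00 && buf.toString('latin1', 1, 4) === 'asm') return 'wasm';
  if (buf.length >= 4 && buf.toString('latin1', 0, 4) === 'MSCF') return 'cab';
  if (buf.length >= 2 && buf.toString('latin1', 0, 2) === 'MZ') return 'pe';
  return 'unknown';
}

// Printable ASCII runs ending in .dll: the quick way to spot the DLL-name
// table that the custom format starts with.
function dllNames(buf, minLen = 5) {
  const runs = buf.toString('latin1').match(new RegExp(`[\\x20-\\x7e]{${minLen},}`, 'g')) || [];
  return runs.filter((s) => /\.dll$/i.test(s));
}

// Compare the format the name claims with the format the bytes show.
function checkDownload(name, buf) {
  const ext = (name.split('.').pop() || '').toLowerCase();
  const format = sniffFormat(buf);
  const expected = { wasm: 'wasm', cab: 'cab', exe: 'pe', dll: 'pe' }[ext];
  return {
    name,
    format,
    suspicious: expected !== undefined && expected !== format,
    dlls: dllNames(buf),
  };
}

// Constructed samples: a genuine wasm header, a CAB header under a .wasm name,
// and a header-less blob that begins with DLL names.
const SAMPLES = {
  'real.wasm': Buffer.from([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]),
  'glfw.wasm': Buffer.concat([Buffer.from('MSCF'), Buffer.alloc(32)]),
  'core.sdb': Buffer.from('kernel32.dll\0Cabinet.dll\0wininet.dll\0...'),
};

function checkAll(samples = SAMPLES) {
  return Object.entries(samples).map(([name, buf]) => checkDownload(name, buf));
}
```

`checkAll()` reports the CAB-under-.wasm case as suspicious and lists `Cabinet.dll` among the strings of the unrecognised blob; in a sandbox pipeline the same check belongs on every file the browser or `dllhost.exe` fetches, not on the final payload alone.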

Then, HTTP traffic stops. This was another interesting aspect of this threat, because the threat actors are perhaps trying to hide the traffic by pretending to use the SLTP protocol to retrieve the actual payload, which can be seen in the strings extracted from the Cabinet file inside of core.sdb:


That hostname resolves to 67.198.208[.]110:

Pinging setup.gohub.online [] with 32 bytes of data:
Reply from bytes=32 time=76ms TTL=51

Encrypted TCP network traffic from our sandboxed machine shows how the binary payload is retrieved:

This whole exploitation and payload retrieval process is rather complex, especially in light of the intended purpose behind this drive-by campaign. Infected hosts are instructed to mine for cryptocurrencies:

What is unique about this miner is that it achieves persistence by using a bootkit, as described here. Infected hosts will have their Master Boot Record altered to start the miner every time the operating system boots.

A sophisticated attack for a simple payload

This attack is interesting on many levels for its use of different technologies both in the exploit delivery part as well as how the payload is packaged. According to our telemetry, we believe it is also focused on a select few Asian countries, which makes sense when taking its payload into consideration.

It also shows that threat actors haven’t completely given up on exploit kits, despite a noted downward trend over the last couple of years.


Malwarebytes detects both the IE and Flash exploits, resulting in the infection chain being stopped early on.

Indicators of compromise

Injected dating site


Exploit toolkit






Payload URL and IP


Miner Proxy



Huge breach affects 9 million Cathay Pacific customers - Malwarebytes Labs

Airlines aren’t having a good time of things at the moment. Even if you managed to dodge the recent British Airways fallout, you may well be caught up in the latest breach affecting no fewer than 9 million customers of Cathay Pacific.

So what was taken? The impact this time around isn’t so much where payment information is concerned, as the 403 credit card numbers the hackers grabbed had all expired, and the 27 live ones had no CVV stored. It isn’t even passwords, as the airline claims none of those were grabbed. The issue is that the hackers took 860,000 passport numbers, 240 Hong Kong identity cards, and all personal data that goes with it.

What Personally Identifiable Information (PII) was compromised?

Here’s what the criminals ran away with in the Cathay Pacific breach: PII. Namely: nationality, date of birth, name, address, email, telephone numbers, frequent flyer membership numbers, customer service remarks, and “historical travel information.” The data accessed from passenger to passenger varies, so there’ll be some with almost nothing to worry about and others wondering how they drew several short straws simultaneously.

If you’re wondering why breachers continue to steal PII, this data is incredibly useful for anybody planning a targeted attack, be it phishing, social engineering, or plain old convincing malware. Some of the scams could easily become real-world issues, as opposed to staying firmly behind the computer screen.

At this point, we’d typically advise anyone affected by the breach to be extremely cautious of any missive sent their way from those claiming to be Cathay Pacific. Don’t hand over payment information to random phone callers, avoid clickable links in emails persuading you that your password has expired, and so on.

There’s only one slight problem with this: the breach apparently took place in March 2018, or at least that’s when they discovered a breach had taken place. It then took until May for them to confirm data had been accessed without permission.

As a result, it may not be much use at this point to say “Watch out for this” when it’s already happened. If the airline is correct in its thinking that no data has been abused yet, then what you can do is visit the website set up in the wake of the breach (called a “Data security event”) and use the relevant link for US and non-US customers to get things moving.

Note that Cathay Pacific points out they’ll never ask for personal/financial information related to this breach, and they also list a sole email point of contact for any further communications. Should you receive a note from an address other than the one mentioned, you can safely ignore it.

To ease the fears of worried customers, Cathay Pacific are offering ID monitoring services. And if you’re not sure if you’ve been affected, you can send them a message and they’ll get back to you.

Airlines are increasingly coming under attack from individuals with an eye for large pots of valuable customer data, and even their apps are considered fair game. Whether large fines or other consequences for Cathay Pacific emerge remains to be seen, but taking to the skies is anxiety-filled enough without having to worry about the safety of your data back on terra firma. One would hope this is the last major airline breach we’ll see for a while, but on the evidence we’ve seen so far, they’ll be a prime slice of hacker real estate for some time to come.


Can search extensions keep your searches private? - Malwarebytes Labs

One of the most common things most of us do on the Internet is search, whether we are looking up the price of the latest gadget or we need to find the address of that great restaurant recommended by a friend. The dizzying number of Google search queries per second (more than 40,000, on average) tells us there is plenty of money to be made by advertising in search results.

It’s not just big names in the search industry who are aware of this fact. Others want a piece of the pie, too. But what can they hope to accomplish when their budget is nowhere near that of the marquee players, and one of their prospective competitors has managed to turn its brand name into a verb?

The only thing that makes sense in this scenario is to offer something that others don’t. And with recent data breaches, online tracking, targeted advertising, and other privacy-threatening events all leaving us worried about our online privacy, some smart developers have created browser extensions that promise to keep prying eyes away from our searches.

We have noticed quite a few new names in this fledgling industry. In fact, some of them are so similar in their advertising, wording, coding, and use of images, that there is no other explanation besides their developers deciding power lies in numbers—of extensions, brand names, and domain names. And they’re all doing, or rather not doing, the same thing in an attempt to make the cash register ring.

In case you were wondering whether any of these are worth the time it takes to install them, the short answer is no.


To investigate this trend that we’ve been watching since summer 2017, we looked at 25 extensions that advertise that they offer more privacy during searches. One of the first things we noticed was that over half of these extensions were so alike, we classified them as a single family.

Our generic detection name for smaller variants belonging to this family is PUP.Optional.SearchAlgo.Generic. It’s named after the domain this family uses to route its searches. As far as I can tell, they all end up displaying Yahoo Search results, but this isn’t hardcoded into the extension, so the redirect is probably decided on-the-fly by the code on the searchalgo.com servers. That would make it easier for them to switch in case they get a better offer than the one from Yahoo Search.


We have looked into a few of the top results found while searching for private search extensions, and found several nefarious or questionable similarities. It may come as no surprise that all of these extensions, not just the one from the “searchalgo” family, have been added to our detections as potentially unwanted programs (PUPs). Here’s a breakdown of what we found:

Protocol: While a few of the extensions actually use the https protocol to conduct their searches, most of them do not. This leaves us immediately wanting for more privacy when we hit the search button. Using the https protocol would at least make eavesdropping harder.

Results: The division rate of those that display their results on a site of their own and those that simply redirect us to Yahoo Search is about fifty-fifty.

Code: We looked at the code of the extensions to see if developers were paying attention to the privacy of the search or search results. We found no trace of any such code.

Browsers: Most of the extensions we found were only available for Chrome. A few were intended for Firefox. This is probably due to the much bigger market share for Chrome at the moment.

The technical details

Looking at the code of one of the major families, we can see that this is the main search routine:


search routine

In case you got your hopes up when you spotted the word “encode,” the encodeURIComponent() function encodes a Uniform Resource Identifier (URI) component by replacing each instance of certain characters with one, two, three, or four escape sequences representing the UTF-8 encoding of the character. This is only used to ensure that certain special characters, like backslashes, don’t get read as code. So, no privacy enhancement there.
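The two findings that matter for privacy, the Protocol point and the Code point from the breakdown above, can be checked mechanically from the URL an extension builds. The following Node.js snippet is an added example, not code from any of the extensions examined: given a search-URL template (the `{q}` placeholder and the reserved `.test` domains are constructed here), it reports whether the request goes over HTTPS and whether the typed query is recoverable verbatim from the URL, which it always is, because encodeURIComponent is escaping, not encryption.

```javascript
// Added example (Node.js): audit the search URL a "private search" extension
// produces. Templates are constructed samples; {q} marks where the query goes.
const SAMPLE_TEMPLATES = {
  'private-search-a': 'http://search.example-a.test/results?q={q}&src=ext',
  'private-search-b': 'https://search.example-b.test/s?query={q}',
};

// What the extension's search routine does: escape the query and splice it in.
function buildSearchUrl(template, query) {
  return template.replace('{q}', encodeURIComponent(query));
}

// Two privacy-relevant properties of the resulting request.
function auditSearchUrl(name, template, query) {
  const url = new URL(buildSearchUrl(template, query));
  // URLSearchParams undoes the percent-escaping, so the query is visible to the
  // search host and to anyone who can read the URL on the wire.
  const queryVisible = [...url.searchParams.values()].some((v) => v === query);
  return {
    name,
    host: url.hostname,
    https: url.protocol === 'https:',
    queryVisible,
  };
}

function auditAll(templates, query) {
  return Object.entries(templates).map(([name, template]) => auditSearchUrl(name, template, query));
}
```

`auditAll(SAMPLE_TEMPLATES, 'my private question')` shows the plain-HTTP extension failing the Protocol point and both extensions exposing the query in full, which is the whole privacy story of the routine shown above.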

As mentioned before, one of the larger families in this category uses its own domain to redirect searches through to the most profitable established search engine.

user guided specialized search

The most profitable for the extension authors must be Yahoo Search by the look of the results. Others fetch results from a popular search engine and add their own header and a “few” advertisements to earn money.

header plus advertisements

Extra functionality

Some of these search extensions also promise extra functionality. We have seen variants that promise to be specialized in:

  • Music
  • Movies
  • Games
  • Downloads

And usually, when you visit the domains that are listed as the origin of the extension in the web store, you will find that they advertise these specialized search extensions, but not their privacy enhancing extensions.


specialized search extensions

We did find that some of these extensions pre-date the rise of the privacy search extensions, but they still use the same code, images, and search domains. For example, WowMovix.com has been around since late 2015 and to date still uses the searchalgo search domain.

2016 internet archive wowmovix.com

Is it possible that they just changed the marketing scheme and not the underlying code?

Online privacy

Of course, we appreciate people’s desire for more online privacy. But for those tempted by the promise of enhanced privacy during online searches, we have some better alternatives:

  • First of all, you should have a look at this blogpost about interest-based advertising and what you can do about it.
  • Also, we recommend using a less limited tool to block tracking. There are many that block tracking on every site you visit, not just during searches.
  • Or, you can anonymize your Internet traffic by using a VPN.

Stopping advertisements

One of the side-effects of all the “privacy search” extensions we looked at was the extra influx of advertisements. If you want to put a stop to those, whether they are targeted or not, you really should have a look at this post on blocking ads, as well as this one about which ad blockers you might want to use and how to install them.

The long answer

Even though the publisher(s) of these extensions are trying to tell us that there is privacy to be gained during your online searches, we are of the opinion that there are many better ways to achieve that level of privacy than to install these extensions. We didn’t have time to find and examine every extension that promises to keep your searches private, but we have reasons to believe that the majority of them are more interested in their personal revenue than your privacy. We would advise you to consider one of the other options with a more wide-reaching impact on your privacy, such as VPNs, anti-tracking tools, or other measures against interest-based advertising.


Vidar and GandCrab: stealer and ransomware combo observed in the wild

We have been tracking a prolific malvertising campaign for several weeks and captured a variety of payloads, including several stealers. One that we initially identified as Arkei turned out to be Vidar, a new piece of malware recently analyzed in detail by Fumik0_ in his post: Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis).

In Norse Mythology, Víðarr is a god and son of Odin, whose death it is foretold he will avenge. Being referred to as “The Silent One” seems to be fitting for this stealer that can loot from browser histories (including Tor Browser) and cryptocurrency wallets, capture instant messages, and much more.

We witnessed a threat actor using the Fallout exploit kit to distribute Vidar. But victims won’t notice that as much, as the secondary and noisier payload being pushed is GandCrab ransomware.


A malvertising chain leads us to the Fallout exploit kit followed by what we thought was an Arkei stealer. Upon closer look, while the sample did share a lot of similarities with Arkei (including network events), it was actually a newer and, at the time, not yet publicly described piece of malware now identified as Vidar.

Beyond Vidar’s stealer capabilities, we also noticed a secondary payload that was retrieved from Vidar’s own command and control (C2) server. The infection timeline showed that victims were first infected with Vidar, which tried to extract confidential information, before eventually being compromised with the GandCrab ransomware.

Malvertising and Fallout exploit kit

Torrent and streaming video sites drive a lot of traffic, and their advertising is often aggressive and poorly-regulated. A malicious actor using a rogue advertising domain is redirecting these site visitors according to their geolocation and provenance to at least two different exploit kits (Fallout EK and GrandSoft EK), although the former is the most active.

Stealers such as AZORult seem to be a favorite payload here, but we also noticed that Arkei/Vidar was quite common. In this particular instance, we saw Vidar being pushed via the Fallout exploit kit.


It should be noted that Vidar is sold as a product, and as such can be distributed by several different threat groups through different campaigns.

Vidar customers can customize the stealer via profiles, which gives them a way to adjust which kind of data they are interested in. Beyond the usual credit card numbers and other passwords stored in applications, Vidar can also scrape an impressive selection of digital wallets.

Upon execution on the system, Vidar will search for any data specified in its profile configuration and immediately send it back to the C2 server via an unencrypted HTTP POST request.

This includes high level system details (specs, running processes, and installed applications) and stats about the victim (IP address, country, city, and ISP) stored in a file called information.txt. This file is packaged along with other stolen data and zipped before being sent back to the C2 server.

GandCrab as a loader

Vidar also offers to download additional malware via its command and control server. This is known as the loader feature, and again, it can be configured within Vidar’s administration panel by adding a direct URL to the payload. However, not all instances of Vidar (tied to a profile ID) will download an additional payload. In that case, the server will send back a response of “ok” instead of a URL.

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Server: Pro-Managed
Content-Length: 51


Within about a minute after the initial Vidar infection, the victim’s files will be encrypted and their wallpaper hijacked to display the note for GandCrab version 5.04.

Ransomware as a last payload

While ransomware experienced a slowdown in 2018, it is still one of the more dangerous threats. In contrast to many other types of malware, ransomware is instantly visible and requires a call to action, whether victims decide to pay the ransom or not.

However, threat actors can use ransomware for a variety of reasons within their playbook. It could be, for instance, a simple decoy where the real goal is to irreversibly corrupt systems without any way to recover lost data. But as we see here, it can be coupled with other threats and used as a last payload when other resources have already been exhausted.

As a result, victims get a double whammy. Not only are they robbed of their financial and personal information, but they are also being extorted to recover the now encrypted data.

Malwarebytes users are protected against this threat at multiple levels. Our signatureless anti-exploit engine mitigates the Internet Explorer and Flash Player exploits delivered by the Fallout exploit kit. We detect the dropped stealer as Spyware.Vidar and also thwart GandCrab via our anti-ransomware module.


Many thanks to Fumik0_ and @siri_urz for their inputs and Vidar payload identification.

Indicators of Compromise (IOCs)

Vidar binary


Vidar C2


Loader URL (GandCrab)


GandCrab binary



The new landscape of pre-installed mobile malware: malicious code within - Malwarebytes Labs

Here’s a scary thought: Mobile devices may soon come with pre-installed malware on required system apps. While it might sound like a grim foretelling, pre-installed mobile malware is an unfortunate reality of the future.

In the past, we’ve seen pre-installed malware with the notorious Adups threat, among others. “Pre-installed” means the malware comes already installed on a device at the system level, thus, it cannot be removed; only disabled. However, remediating these iterations of pre-installed malware is possible by using a work-around to uninstall apps for the current user. This method involves connecting the mobile device to a PC and using the ADB command line tool. Follow our guide, removal instructions for Adups, to find out more.

Although this method is a bit tedious, it works to remediate the malware. In contrast, remediating newer versions of pre-installed malware has become much more difficult. We are now seeing malware authors target system apps that are required for the device to function properly. By injecting malicious code within these necessary apps, threat actors have reshaped the landscape of pre-installed malware for the worse.

Types of pre-installed apps

There are two types of preinstalled apps, based on the apps’ location on the device. This location also determines the importance of the app.

The first location is /system/app/. Apps in this location are typically something you want to have, but not critical for the device to run. For example, apps that contain functionality for the camera, Bluetooth, FM radio, or photo viewing are stored in this location. This location is also where device manufacturers cache what some may consider bloatware. Uninstalling some of these apps may degrade the user experience, but it isn’t going to stop the device from functioning.

The other location is /system/priv-app/. This is where significantly important apps reside. For instance, apps like Settings and System UI, which include the functionality for the back/home buttons on Android devices, are stored here. In other words, these are apps you absolutely cannot uninstall without essentially breaking the phone. Sadly, the latest pre-installed malware is targeting this location.

The evidence

In the light of this new, frightening pre-installed malware, let’s look at two case studies.

Case study 1: Riskware auto installer within System UI

The device is a THL T9 Pro. The infection is Android/PUP.Riskware.Autoins.Fota.INS. Although the code looks similar to the well-known preinstalled malware Adups, it’s entangled within the critical system app System UI, instead of being in a standalone app like a UpgradeSys. The infection causes headaches, as it repeatedly installs variants of Android/Trojan.HiddenAds. It’s unknown if this is the doing of Adups themselves, or on the other hand, if code was taken from the Adups Auto Installer and inserted into System UI. Neither scenario is good.

Case Study 2: Monitor within settings

This time, the device is a UTOK Q55. The infection is Android/Monitor.Pipe.Settings. The category “Monitor” is a subset of Potentially Unwanted Programs (PUPs). As the name implies, Monitor apps collect and report sensitive information from the device. Furthermore, this particular Monitor app is hardcoded in the highly-important Settings app. In effect, the app used to uninstall other apps would need to be uninstalled itself to remediate—pure irony.

Attempting to remediate

Here lies the biggest problem with these infections—there is currently no good way to remediate. I have worked with several customers with these infections, but despite my attempts, I have yet to find a good workaround. However, I can offer some guidance. If a clean version of the system app can be found to replace the malicious version, you might be able to replace it. You will want to look for system apps that match the current Android OS version of the device. If found, you can try using the following method:

  • Read the disclaimer from the removal instructions for Adups.
  • Follow the steps under Restoring apps onto the device (without factory reset) in the removal instructions for Adups to save a copy of the system app to be replaced.
  • Download a clean version of the system app to your PC.
    • You can use the popular site VirusTotal to determine if it’s clean or not.
  • Move the system app from your PC to your device.
    • adb push /sdcard/Download/
  • Uninstall the old, malicious version of the system app.
    • adb shell pm uninstall -k --user 0
  • Install the new version of the system app.
    • adb shell pm install -r --user 0 /sdcard/Download/
  • See if it works.
    • Common failure errors:
    • If the new version fails to install, you can revert to the old system app.
      • adb shell pm install -r --user 0
As noted above, I have yet to find a version of any of the infections encountered that successfully installs. If you need assistance, feel free to post on our forum Mobile Malware Removal Help & Support.

What really can be done?

Currently, the best method to deal with these infections is to:

  1. Stay away from devices with these infections. Here are the manufacturers/models we have seen so far that have been impacted:
    • THL T9 Pro
    • UTOK Q55
    • BLU Studio G2 HD
  2. If you already bought one, return the device.
  3. If you already bought the device and can’t return it, contact the manufacturer.

Extreme frustration

As a mobile malware researcher, it pains me to no end to write about malware we can’t currently remediate.  However, the public needs to know that these types of infections exist in the wild. No one should have to tolerate such infections on any mobile device regardless of its price point and/or notoriety. I will continue to look for methods to deal with these infections. In the meantime, stay safe out there.

APK samples

Detection: Android/PUP.Riskware.Autoins.Fota.INS
MD5: 9E0BBF6D26B843FB8FE95FDAD582BB70
Package Name: com.android.systemui

Detection: Android/Monitor.Pipe.Settings
MD5: DC267F396FA6F06FC7F70CFE845B39D7
Package Name: com.android.settings


PUP Friday: MPlayerX - Malwarebytes Labs

MPlayerX began to be associated with malware about two years ago, or possibly even longer. Back in 2014, an emerging piece of adware that soon crossed the line to malicious behavior, called VSearch, was frequently associated with MPlayerX installers. At the time, many people assumed that MPlayerX was being used in the same manner that Adobe Flash Player often is – innocent software used to trick people into running a shady installer.

MPlayerX began to be so synonymous with the VSearch adware that Google searches for “MPlayerX” began to show prominently-featured hits for “MPlayerX removal.” Worse, it eventually became apparent that MPlayerX was not simply an innocent victim.

In early 2015, MPlayerX wasn’t being distributed with VSearch anymore. Unfortunately, this didn’t turn out to be good news, as it was soon discovered that the official MPlayerX installer, downloaded directly from the MPlayerX website, had started to include the IronCore adware.

The bad behavior didn’t stop there, however. The official MPlayerX installer began to attempt to defy analysis!

Malware will frequently exhibit analysis avoidance behavior. This means that if it feels that it is being analyzed by a security researcher or automated security software, it will act innocent, showing none of its malicious behaviors. Thus, if a researcher or tool is not aware that the program is malicious, it avoids sending up any red flags that would trigger a more thorough analysis.

The most common method of analysis avoidance that malware uses is to detect whether it is running within a virtual machine – in other words, a full system running entirely within a piece of software. For example, a researcher may install Mac OS X within a virtual machine run by a program like Parallels, VMware, or VirtualBox. Using a virtual machine is a good way to keep the malware isolated from a real system, so that the infection is easier to contain.

The MPlayerX installer, it turned out, was doing exactly that. When run in a virtual machine, it installed nothing but MPlayerX. When opened on a “real” system, however, it would install the IronCore adware, as well as (at that time) the junk apps MacKeeper and ZipCloud.

Recently, we decided to re-evaluate MPlayerX for possible detection as a PUP (potentially unwanted program). Sure enough, although the installer had been updated, it still exhibited the same analysis avoidance behavior, this time installing IronCore, MacKeeper, and MegaBackup.

The following video shows the MPlayerX installer being downloaded from the official MPlayerX site and being installed twice. The first time, it is installed in a Parallels Virtual Machine running Mac OS X 10.11 (El Capitan), and it installs nothing but MPlayerX. (Or, more accurately, installs an MPlayerX installer that you still have to run to install MPlayerX…)

The second time shows the same process, in the same virtual machine – with some modifications to the virtual machine to defeat the technique MPlayerX uses to detect it. Thus, MPlayerX can’t detect that it’s running in a virtual machine, and thinks it’s on a real system, in the second case, at which time it dumps its nasty payload of crap.

The bundling of MPlayerX into an adware installer, alongside adware and other PUPs, is reason enough to consider it to be a PUP according to our PUP criteria. The addition of malware-like analysis avoidance behavior makes the decision to call MPlayerX a PUP a no-brainer.

Further, because we feel that this malware-like behavior shows that the developer of MPlayerX is not trustworthy, we detect the Mac App Store version of MPlayerX to be a PUP as well. Malwarebytes Anti-Malware for Mac detects any version of MPlayerX as PUP.MPlayerX.

Equifax aftermath: How to protect against identity theft – Hackers University

Who here is scrambling around in the aftermath of the recent breach at Equifax to figure out if you’ve been compromised? Who here is wondering what to do about it if you are? If you’re one of the 143 million Americans whose data was accessed by cybercriminals, then you probably raised your hand.

Even if you weren’t one of the 143 million, you might still want to take some precautions. You could instead be part of the millions of folks who’ve had their data stolen over the course of online history. Basically, if you have a social security number, have ever run a credit check, or have a pulse, you should listen up. Why? Two words: identity theft.

What could happen?

The Equifax breach gave criminals access to vital personal information, including names, social security numbers, birthdates, addresses, and in some cases, driver’s license IDs and credit card numbers. And here’s just a slice of what those jerks can do with that data:

  • Open financial accounts
  • Apply for credit cards, mortgages, and other financial services
  • Get medical care at your expense
  • File for a tax refund in your name
  • Get a job in your name and let you pay the taxes
  • Steal your benefits
  • All of the above (aka, identity theft)

Who is impacted?

The better question might be, who isn’t? Don’t worry about verifying if your data was stolen—assume it was stolen. This was a decent rule of thumb even before the Equifax breach, but even if that thought never crossed your mind, it’s practically impossible to verify whether you’ve been impacted at the moment.

The Equifax verification site is currently not returning accurate information. And if you try calling the company now, you might be met with some long waiting times to receive frustratingly vague answers. So if you want to act quickly (and we recommend you do), just bypass the first four stages of grief and go directly to acceptance.

What we do know: Those affected by the breach are predominantly from the US, but there are people from Canada and the UK impacted as well. Some methods that work in one country may not work in others, so please keep in mind that this article is aimed at our US readers. International readers can find some additional information about what to do here.

Steps to protect yourself

Our recommendation is to freeze your credit immediately with all four of the major credit bureaus. By freezing your credit, you’ll prevent criminals from trying to open up new accounts in your name—all of your current credit cards will still work. You’ll only need to consider unfreezing your credit if you want to apply for a loan, open a new credit card, or make any type of purchase that requires a check on your credit.

Three things you’ll want to know before contacting the credit bureaus.

One: You’ll want to pull a credit report. You can get a free report here. It doesn’t matter if you’ve already frozen your accounts; you can still monitor using the free tool. We recommend you pull only one report now, another one in four months, and the third in another four months. It’s not foolproof, but it will allow you to see different reports throughout the year to track any potential changes.

Two: the cost is minimal. While reports have varied—Equifax is offering their credit freeze for free, but it’s pretty hard to get through to them—freezing credit usually only costs a one-time fee of $10 per bureau. That’s 20 or 30 bucks for a whole lot of peace of mind.

Three: You must set or receive PINs when freezing your credit. Save these in a secure location, whether that’s using a password manager or physically storing the printed PIN paper someplace safe and out of sight.

Where to go to freeze your credit

Additional monitoring services

The use of additional monitoring services is entirely up to you. The biggest issue is that both legitimate companies trying to help and scammer companies trying to trick will over-hype the danger of identity theft in order to make a sale. Please make sure that you do your homework and research on these companies before signing up blindly out of fear.

When looking up information about how to protect yourself in situations like these, look to sites like the Federal Trade Commission or other technology publications such as Wired, The Verge, or Vice’s Motherboard, as they won’t be trying to upsell you to credit protection you may or may not need. The wrong company might actually hurt your ability to stave off ID theft.

General best practices

We wish we could say that the above advice is going to save you from all the dangers associated with this breach. For credit theft, you are covered, but for all the other threats associated with scammers or fraudsters looking to capitalize on this situation, here are some additional guides on how to avoid their traps.


Be on the alert for credit scams or any related terms. You’ll see these in emails, ads on social sites or games, and even physical mail to your home. These attacks are part of what we refer to as social engineering, and they will run rampant for many months and years to come. Always be skeptical, and if you’re not sure about something, ask a professional.

Phone or text scams

Since your data was most likely taken, that means your numbers will be shared even more than they already are today. Calls and texts from unknown numbers, numbers with similar area codes, or numbers very similar to yours should be treated as potential scams.

You might think that the National Do Not Call Registry would protect you from this. Sadly, it does not. It offers protection from legitimate companies trying to solicit your business. It does not offer protection against scammers. (Because why would criminals follow the law, anyway?)

my Social Security account

The my Social Security account allows you to keep track of the social security funds you’ll be collecting in the future. Although it was not affected by the Equifax breach, it’s good practice to get this account set up in your name, as someone else could easily grab it and you’d be locked out of your future payments. One caveat: If you want to set up this account, you’ll need to do it before you freeze your credit. (Otherwise they can’t confirm your identity through the account.)

Passwords and two-factor authentication

Ensure you’re using a smart password strategy (complex passwords, never repeated, never reused across multiple sites/services, etc.) and, if available, enable two-factor authentication (2FA) on every account possible. You can check the 2FA availability on your sites and services here.

Enable alerts on your accounts

While your current accounts shouldn’t be impacted by this breach, it’s never a bad idea to keep an eye on your bank accounts and credit cards for larger purchases. For accounts rarely used, you could set alerts to $1 so you’re notified the second any transaction happens. For regular accounts, set the alerts to a dollar amount that would seem out of place for that card, whether it’s $20 or $500.

New phone accounts

A common attack vector with credit/personal data breaches is to purchase new phone accounts through your provider, with your account! Once criminals have your info, they’ll call up the phone company and say they want to add a new line but don’t have a PIN. If you haven’t set up a PIN with your phone company already, they have no way to verify your account. So guess what? BAM! There’s a new phone on your bill. In order to protect yourself from this type of attack, go ahead and set up a PIN with your provider.


File these as soon as possible next year! For multiple years we’ve heard about victims of tax return fraud, wherein a scammer using your personal information files YOUR return before you can. So don’t wait on this one.


If you’re affected by the Equifax breach, you have a heightened risk of becoming a victim of identity theft. But at this juncture, the point is moot. Since it’s difficult to discover a definitive answer, it’s best to assume you are and deal with the fallout.

We’ve given you some direction on what to do to avoid identity theft and credit fraud, and we hope you take a deep breath, crack your neck, and get to work nailing your personal info down. One new credit card created by an attacker in your name is going to cause a massive headache. Better to stay ahead of it than spend the next month trying to convince a bank that you didn’t open an account. Good luck, be vigilant and stay safe.


New strain of Mac malware Proton found after two years – Hackers University

Last week, Kaspersky reported on a new variant of the Mac malware Proton, which they have dubbed Calisto, that has been around for at least two years. Calisto is thoroughly dead at this point, but there are still potential security implications involved with these older infections.

Proton was first revealed to the world back in February 2017 via an Apple security update. It was later seen in the wild when the popular DVD ripping tool Handbrake was hacked to distribute Proton in May. It was seen again in October following a hack of the Eltima Software website that resulted in Elmedia Player and Folx being modified to drop Proton. Yet another incident was recorded when Proton was installed by a fake Symantec app, distributed from a fake Symantec blog promoted by search engine optimization tricks.

Proton has been perhaps one of the most high-profile pieces of malware in recent Mac history. But it appears the story began much earlier than previously believed. Kaspersky’s discovery of Calisto, which turns out to be an earlier variant of Proton, provides that evidence.

Calisto’s behavior

Calisto, which was distributed in the form of a fake Intego Mac Internet Security X9 installer, was first submitted to the malware-tracking site VirusTotal on August 2, 2016. As Intego’s X9 software was first released on June 20, 2016, that places a distinct time range on the first appearance of this malware. However, there are signs that there might have been even earlier variants of this malware.

Fortunately, this malware is truly and effectively dead at this point, as the server it attempts to call home to no longer exists.

The addition of System Integrity Protection (SIP) to Mac OS X 10.11 (El Capitan) on September 30, 2015, caused problems for this malware. Calisto relies on being able to make changes to several SIP-protected locations, so some of its functionality fails on El Capitan or later systems. This fact is interesting, as it implies that the malware may have been created prior to that release.

Despite the fact that the malware is unable to perform some of its duties on a modern system, it will still gather password-related files, just like later variants of Proton, meant for exfiltration to a malicious server (which is no longer responding). It’s these files that provide the most reason for interest in this malware, and other variants of Proton, today.

Password leaks

Earlier this month, with the discovery of OSX.Dummy, we discussed the issue of malware leaving behind sensitive data for other future attackers to find. Proton does the same thing, and the Calisto variant is no different.

Proton, just like Dummy, leaves behind a file containing the user’s password in clear text. In the case of the different variants of Proton, these files are located at the following locations:


It’s important to ensure that these files do not exist on your system—or any systems that you control.

Why? Well, suppose that you’re a bad guy, and you’ve got access to a system that you want to attack, either through malware or direct access. But, you don’t know the user’s password. If you knew it, you could significantly escalate your attack. One way to get that would be to ask the user, but that might raise suspicions.

What if you could find the password right there, and just pick it up and start using it? On systems that have previously been infected by something like Proton or Dummy, that’s exactly what you could do. A hacker simply has to look for these files, and they’ll find the username and password all wrapped up with a nice bow on it, ready to use.


It’s important to make sure these password files don’t exist on your Mac. You can check for them in the Terminal with commands like this (changing it for each path):

ls -al ~/.calisto/cred.dat

If the command complains that there is “no such file or directory,” you’re clean. If not, you’re going to need to remove that file. This gets a little tricky, since the files are all either invisible or in invisible folders. So seek help from an expert if you don’t know how to do this.
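As an added example (not part of the original post), the same check as a small POSIX shell script that walks a list of paths, reports anything it finds, and can delete a hit safely. Only the ~/.calisto/cred.dat path comes from the post; the other Proton locations are passed in as further arguments, and the removal helper is my own addition, not a Malwarebytes tool.

```shell
#!/bin/sh
# Added example: look for leftover clear-text credential files from old
# Proton/Calisto infections on a Mac and optionally remove them.
# Only ~/.calisto/cred.dat is named in the post; pass any other known
# Proton paths as extra arguments.

# check_cred_files PATH...
# Prints one line per path and returns the number of paths that exist,
# so an exit status of 0 means "clean". Hidden files and directories are
# matched like any other path, so the invisible locations are no obstacle.
check_cred_files() {
    found=0
    for p in "$@"; do
        # -e is false for a dangling symlink, so also test -L: a stray link
        # sitting at a known credential path is worth a look too.
        if [ -e "$p" ] || [ -L "$p" ]; then
            printf 'FOUND: %s\n' "$p"
            ls -al "$p"
            found=$((found + 1))
        else
            printf 'clean: %s\n' "$p"
        fi
    done
    return "$found"
}

# remove_cred_files PATH...
# Deletes only regular files that are not symlinks, so a planted link at one
# of these paths cannot redirect the removal at some other file. Returns the
# number of files removed.
remove_cred_files() {
    removed=0
    for p in "$@"; do
        if [ -f "$p" ] && [ ! -L "$p" ]; then
            # rm -P (overwrite before unlink) exists on macOS but not in
            # POSIX sh, so plain rm keeps this portable.
            if rm -f "$p"; then
                printf 'removed: %s\n' "$p"
                removed=$((removed + 1))
            fi
        fi
    done
    return "$removed"
}

# The path named in the post. Report only; to clean up a confirmed hit run:
#   remove_cred_files "$HOME/.calisto/cred.dat"
check_cred_files "$HOME/.calisto/cred.dat"
```

The exit status of check_cred_files is the number of leftover files, so it slots into a fleet-wide check as a pass/fail signal.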

As an alternate solution, Malwarebytes for Mac will remove all of these items for you.

Compromising vital infrastructure: how voting machines and elections are vulnerable – Hackers University

In our first post in a series about vital infrastructure, we aim to explore how secure our voting machines—and our votes in general—are ahead of the upcoming midterm elections. Here, we ask ourselves: How can our infrastructure be compromised? What are the consequences, and how can we prevent attacks or limit the damage?

The outcome of elections has an enormous impact on the political and cultural landscape of any democratic society. It is that sort of influence which makes the organization of elections, voting machines, voting records, and everything else involved in it vital. In fact, the whole point of a democracy is to let the people decide who they want representing them. This is not a political stance but a moral one. Democrats, Republicans, Libertarians, those who are still undecided—everyone has the right to cast their vote how they see fit.

So, how do we guarantee that the people’s vote is the deciding factor in the elections?

From a methodical and logical standpoint, elections can be influenced in three different phases:

  • Before the elections
  • During the actual voting
  • Afterward, when the votes are counted and the results are determined

Before the elections

This hardly needs any explanation given the discussions we’ve seen around the 2016 presidential elections in the US or the Brexit referendum in the UK. The only boundary that needs to be set here is the one determining who is allowed to influence the opinion of the constituency and which information is acceptable to use. How do we keep foreign nations from influencing our voters when the worldwide web provides trolls, bots, and sponsored influencers with immediate communication, regardless of the distance?

And in a time where politics have become more about the politicians themselves instead of their campaign message, a smear campaign directed at aspects of a candidate’s personal history or even his appearance will have more effect than arguing about the effectiveness of their plans.

From a cybersecurity standpoint, we can only hope that the regulations that have been implemented and the ones that are under construction by social media to fight fake news, remove fake accounts, and apply some sort of bot control will result in people being able to make a fair and well-informed choice. This future looks grim, however, when you think about how quickly technology is outpacing regulation. Imagine what influencer bots and trolls equipped with artificial intelligence and machine learning doing the rounds on social media could accomplish in the current climate.

There is not a lot the voters themselves can do to control the stream of information that comes at them. Of course, you can block everyone that doesn’t agree with you and live undisturbed in your echo chamber. But most people like to hear the pros and cons of a candidate before they form their own opinion.

For that, we ask that you vet your sources and turn to those that have been trusted and established. Television news has become deeply partisan and online political websites often skew intensely blue or red. However, local newspapers often offer comprehensive deconstruction of the candidates, propositions, and measures on the ballot—and many will endorse their favorite candidates in the weeks before an election, only after their policies have been held up to public scrutiny.

Voting machines

Hacking voting machines and websites is not always that hard, and that has been demonstrated many times in the past—including at the most recent Defcon. However, doing so to a degree that will impact the outcome of the election may be too difficult. Pulling off large-scale disruption that doesn’t stand out like a sore thumb would be tricky, but even doing so on a smaller scale can raise questions about the total outcome, which can put the party that benefits the most in a bad light. Also, the multitude of different types of voting machines that are in use will make it hard to force a significant change while going unnoticed.

To remove as much doubt about election results as humanly possible, there is either a need for “hack-proof” voting machines or an alternative method of voting. Do we really want to go back to using paper and pencil like some smaller countries (e.g. The Netherlands) have done? An investigation conducted by the US federal government came to the conclusion that online voting is not yet feasible. The same committee offered paper ballots as the alternative.

“Until there is a major technological breakthrough in or fundamental change to the nature of the Internet, the best method for securing elections is a tried-and-true one: mailed paper ballots. Paper ballots are not tamper-proof, but they are not vulnerable to the same wholesale fraud or manipulation associated with internet voting.”

Even using blockchain technology cannot (yet) get the investigators’ unreserved approval. In their opinion, it fails to resolve the security issues inherent with online voting.

An interesting alternative that has been brought forward is to turn voting machines into printers that print out the vote you cast, which you would then be able to check for accuracy and deposit into a sealed container. The votes in the container can be counted after the polls close, and that tally could even be compared against the vote count calculated by the machine itself as a way to double-check the result.

After the voting is done

Depending on the method used to total the counts of the polling stations into local, regional, and state results, some type of software is used along the way, even if it is only to calculate numbers. This seems to me the point we should be worried about the most when we are looking for potential hacks. In these systems lies the opportunity to change the total outcome in a significant way without being too conspicuous.

The machines and/or software could become victims of:

  • Penetration attacks or other hacks to change data or the outcome
  • Denial of Service attacks that render the machines useless
  • Malware infections, whether they’re targeted or not

And when looking at a program or platform that gathers results, you will have a hard time imagining that it’s not connected to the Internet in one way or another, otherwise people would have to manually enter the data. Feeding such a machine data by hand is just another way to introduce human errors that may outweigh the effects of manipulation.


From the above, it should be clear that any countermeasures to reach a higher level of trustworthy election results will have to come from the body holding the election. A uniform procedure would also make it easier to get trustworthy results in a timely manner.

We could encourage candidates to contribute to fair results during the first stage of the elections by focusing on content, rather than trying to disqualify their opponents on a personal level. This would allow moderators of social media to establish a clear difference between the trolls and “official” sources. However, that seems more unlikely than a technical solution, given the current political climate.

Alternative methods for voting should be put to the test before being used to avoid “hanging chad incidents.”

Voting machines should be certified to be secure against tampering, and have software running that actively monitors for and reports any abnormal activity. In addition, they should remain air-gapped during the voting process. Even though air-gapped machines are not 100 percent safe, an attacker would require proximity to the machine to have an influence. And said influence has to be something the security software should be able to pick up.

After the vote, there are several methods that can be used to double-check the results:

  • Differences in the outcome between polling stations should be understandable. If they can’t be explained by natural causes, this should be reason for a manual recount.
  • Random samples should be taken and manually recounted to see if any structural problems can be discovered.
  • Some polling stations could be designated to use paper ballots and used as a benchmark to check other results against. If different methods produce different results, that should be reason for concern and further investigation.

By securing infrastructure such as voting apparatus, we can feel safe knowing that one of the most vital actions we take as a country is protected. Yes, we all need to vote. And we all need to make sure our vote counts.

Winning the battle against PUPs on your computer and in court – Hackers University

I know very few people, other than lawyers, that get excited about corporate court cases. But, I want to share with you a recent decision that I believe is cause for every computer user to celebrate.

This week, a United States District Court judge ruled in Malwarebytes’ favor, dismissing a lawsuit brought against us by Enigma Software Group USA LLC (“Enigma”). Essentially, they sued us because we classified two of their software programs as Potentially Unwanted Programs (PUPs).

Sounds mundane, but the reality is that this is not only a critical win for Malwarebytes, but for all security providers who will continue to have legal protection to do what is right for their users. This decision affirms our right to enable users by giving them a choice on what belongs on their machines and what doesn’t.

Those of you that follow this blog know that for years, we have taken an aggressive stance against PUPs. We continue to monitor all known software against Malwarebytes’ PUP criteria to give our users the choice to select which programs they want to keep or remove from their computer. We strongly believe that you should be allowed to make this choice, and we will continue to defend your right to do so.

This company was founded on a real problem I experienced and a dream that everyone at Malwarebytes still affirms: that computer users have a right to choose what’s on their computers. As PUPs became more prevalent and problematic, we began offering protection against them too, a choice that is now backed by the United States District Court.

If you are interested in the brief news release we shared today, it can be found here.

A copy of the US District Court Clerk’s filing (Case 5:17-cv-02915-EJD Document 105) can be found online here.