Infected MS Office files abound and a tiny Chinese chip at the center of massive new conspiracy
After making its presence felt in Australia and at European banks, Danabot, a modular banking Trojan, has made its way to the States. Written in Delphi and kept in perpetual beta by its authors, the modular malware can take screenshots, log keystrokes and steal form data from infected computers.
The Trojan starts out by posing as a digital fax from eFax. Clicking the download button delivers a malicious Word document whose contents instruct the user to "Enable Content". Doing so runs the document's embedded macro, which downloads and installs the malware. The actors behind Danabot are also known to use web injects, the Fallout exploit kit and malspam campaigns to trick users into installing the Trojan.
Various campaigns from nine different actors have been discovered so far, leading experts to believe the Trojan is marketed as an affiliate system with a profit-sharing model. The latest campaign seems to be targeting Wells Fargo, Bank of America, TD Bank, Royal Bank and JP Morgan Chase.
“A Banking Trojan is one of the oldest forms of cybercrime, and it remains one of the most popular,” explains Avast Security Evangelist Luis Corrons. “Ninety-nine point nine percent of the time, the motivation for the crime is plain and simple – money. And being able to steal credentials to siphon victims’ bank accounts makes this a very profitable business.”
More bad news for MS Office users: another piece of malware has been seen using infected .doc files to get past security measures. Betabot is certainly moving up in the (criminal) world. The malware started its career as a password stealer but quickly learned to distribute ransomware and other malicious tools as well.
In its latest version, Betabot uses a sophisticated multi-stage approach and is packed with features to avoid detection. It exploits a vulnerability in the Equation Editor component of MS Office (CVE-2017-11882, a flaw in code roughly 18 years old; Microsoft patched it in November 2017, so it is no longer a zero-day) by way of an RTF file carrying an OLE object, which lets it execute commands on the user's machine. The malware is spread via phishing and social-engineering campaigns that convince users to download and open the infected Word documents.
Researchers discovered that the creators have designed the latest Betabot to operate in a "paranoid mode" in which it automatically shuts down if it detects security products or finds that it is running in a sandbox environment. It should be noted that Avast antivirus products protect you against Betabot malware.
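Both infection chains described above, the macro-laden "Enable Content" Word document used by Danabot and the RTF file with an Equation Editor OLE object used by Betabot, leave static indicators that can be checked before a file is ever opened. The script below is an added example written for this article; it is not code from Avast or from either malware family. It builds two constructed sample files inline (a minimal macro-enabled OOXML package and a minimal RTF declaring an Equation.3 object; neither is real malware, and the vbaProject.bin body is just a dummy OLE2 header) and runs a triage pass over them using only the Python standard library. The function names, the `suspicious` rule and the sample contents are my own choices. Legacy binary .doc files (OLE2 containers) are out of scope here; they need a proper parser such as olefile.

```python
import io
import re
import zipfile

# --- Constructed sample inputs (harmless stand-ins, not real malware) --------

def build_macro_docm() -> bytes:
    """Minimal OOXML package that carries a VBA project, as a macro lure would.
    The vbaProject.bin body is only a dummy OLE2 magic header, not real VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin",
                   b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()

def build_clean_docx() -> bytes:
    """Same package without any macro or embedded object (negative control)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

# Constructed RTF with an embedded OLE object whose declared class is the
# Equation Editor (Equation.3). The objdata payload here is filler, not an exploit.
SAMPLE_RTF = rb"{\rtf1\ansi{\object\objemb{\*\objclass Equation.3}{\*\objdata 0105000002000000}}}"

# --- Triage logic -------------------------------------------------------------

# RTF control word \objclass is followed by the OLE class name of the object.
RTF_OBJCLASS_RE = re.compile(rb"\\objclass\s*([A-Za-z0-9._]+)")

def triage_ooxml(data: bytes) -> dict:
    """Inspect a .docx/.docm zip container for macro and OLE indicators."""
    findings = {"kind": "ooxml", "vba_macro": False,
                "ole_objects": False, "external_rels": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = [n.lower() for n in z.namelist()]
        # A VBA project part is what "Enable Content" ends up executing.
        findings["vba_macro"] = any(n.endswith("vbaproject.bin") for n in names)
        # Embedded OLE objects live under word/embeddings/ in OOXML.
        findings["ole_objects"] = any(n.startswith("word/embeddings/") for n in names)
        # Relationship parts pointing outside the package can pull remote content.
        for n in z.namelist():
            if n.endswith(".rels") and b'TargetMode="External"' in z.read(n):
                findings["external_rels"] = True
    return findings

def triage_rtf(data: bytes) -> dict:
    """Inspect an RTF file for embedded objects and their declared classes."""
    classes = [m.group(1).decode("ascii", "replace")
               for m in RTF_OBJCLASS_RE.finditer(data)]
    return {
        "kind": "rtf",
        "ole_objects": b"\\objdata" in data or b"\\objemb" in data,
        "object_classes": classes,
        "equation_editor": any(c.lower().startswith("equation") for c in classes),
    }

def triage(data: bytes) -> dict:
    """Dispatch on the file's magic bytes and attach a simple verdict."""
    if data.startswith(b"PK\x03\x04"):          # OOXML is a zip container
        findings = triage_ooxml(data)
        findings["suspicious"] = (findings["vba_macro"] or findings["ole_objects"]
                                  or findings["external_rels"])
    elif data.startswith(b"{\\rtf"):            # RTF header
        findings = triage_rtf(data)
        findings["suspicious"] = findings["ole_objects"]
    else:
        findings = {"kind": "unknown", "suspicious": False}
    return findings

if __name__ == "__main__":
    for label, sample in [("macro .docm", build_macro_docm()),
                          ("clean .docx", build_clean_docx()),
                          ("Equation.3 RTF", SAMPLE_RTF)]:
        print(label, triage(sample))
```

One caveat a practitioner should keep in mind: RTF files produced by exploit kits routinely obfuscate control words (splitting `\objdata`, padding the class name with junk, nesting groups), so a plain regex pass like this is a first filter, not a verdict. For production triage, the oletools suite (olevba for macros, rtfobj for RTF objects) handles those tricks and legacy .doc containers.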
In what seems like a plot straight out of a thriller novel, an investigation by major American companies has discovered a small chip in servers that could be part of a massive spying operation run by the Chinese government. No bigger than a grain of rice, the chip creates a stealthy backdoor that allows threat actors to eavesdrop on network activity involving the compromised server. Systems belonging to Apple, Amazon, a major bank and several US government contractors seem to be the targets.
At the heart of this debacle is Supermicro, one of the world's largest suppliers of servers, workstations, storage and graphics units. A routine review by Amazon while evaluating Elemental Technologies, a company that owns advanced compression technology, revealed a troubling pattern. To run Elemental's core products, customers have to install high-end servers, which Elemental sourced from Supermicro. Investigators discovered a small chip on the servers' mainboards that was not part of the original design. The chips are believed to have been inserted by manufacturing subcontractors in China.
The discovery has understandably sent shockwaves through the US business and intelligence communities. Hardware hacking is more sophisticated than its software counterpart, as it requires a thorough understanding of the systems being infiltrated and access to the manufacturing supply chain. With China making an estimated 90% of the world's computer hardware, Chinese companies certainly have the expertise required to pull off such an elaborate hack. The investigation is ongoing.
Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Learn more about products that protect your digital life at avast.com. And get all the latest news on today's cyberthreats and how to beat them at blog.avast.com.