
SANS ISC: Information Security News - SANS Internet Storm Center Information Security News


Popular News

3 hours ago Atlanta Ransomware Attack Freezes City Business

InfoRiskToday
Damage Assessment Is Underway, But Backups Are in Place, Officials Say. Ransomware has struck the city of Atlanta and frozen internal and customer-facing applications, hampering residents from paying bills or accessing court information. But the city says it has working backups and expects to pay employees on time.

2 hours ago It's Never Too Early To Pick Your First Username

Forbes
Just keep in mind that using the same username for everything can put you at a significant online security risk.

4 hours ago Microsoft to re-enforce March patch that owns Windows over RDP

The Register
Firm that found flaw says un-patched RDP clients face lockout

Black Hat Asia Microsoft will soon prevent Windows from authenticating un-patched RDP clients, capping off a March patch that addressed a flaw which can allow lateral movement across a network from a compromised Remote Desktop Protocol session.…

2 hours ago Operator In Uber Self-Driving Crash Is A Felon. That's Not Why Elaine Herzberg Is Dead

Forbes
There are tens of thousands of traffic fatalities every year in the U.S., and each is uniquely terrible. This one was historic, and a terrible irony, as the technology involved is being developed in hopes of bringing dramatic reductions in on-road fatalities.

1 hour ago How companies like Accenture are creating AI tools that lighten your workload

TechRepublic
Artificial intelligence and machine learning are beginning to make business processes more efficient. Here's how.

Top News

25 minutes ago TrickBot Gets Computer Locking Capabilities

SecurityWeek

A recently observed variant of the TrickBot banking Trojan has added a new module that can lock a victim's computer for extortion purposes, Webroot reports.

First observed in late 2016 and said to be the work of cybercriminals behind the notorious Dyre Trojan, TrickBot has seen numerous updates that expanded not only its capabilities, but also its target list.

Last year, the malware received an update that added worm-like capabilities, allowing it to spread locally via Server Message Block (SMB).

Webroot now says that the malware attempts to leverage NSA-linked exploits released by Shadow Brokers last year in order to move laterally within compromised networks.

The new TrickBot variant installs itself into the %APPDATA%\TeamViewer\ directory and, once up and running, creates a "Modules" folder to store encrypted plug-and-play modules and configuration files.

While many of the modules have already been documented, the new Trojan variant also includes a module internally called spreader_x86.dll that Webroot hasn't seen before. Featuring a large rdata section that contains two additional files, the spreader module carries an executable called SsExecutor_x86.exe and an additional module named screenLocker_x86.dll.

Spreader_x86.dll, the security researchers have discovered, was clearly designed to allow the malware to spread laterally through an infected network by leveraging the NSA-linked exploits.

"This module appears to make use of lateral movement in an attempt to set up the embedded executable as a service on the exploited system. Additionally, the TrickBot authors appear to be still developing this module as parts of the module's reflective DLL injection mechanism are stolen from GitHub," Webroot notes.

The SsExecutor_x86.exe part of the new module is meant to be executed after exploitation, to achieve persistence by modifying the registry to add a link to the copied binary to the start-up path of each user account.

Written in Delphi, ScreenLocker_x86.dll represents TrickBot's first ever attempt at "locking" the victim's machine. The module exports two functions: a reflective DLL loading function and MyFunction, which appears to be a work in progress.

Should TrickBot indeed gain the locking functionality, it would mean that its developers have decided to switch to a new business model, similar to that employed by ransomware operators.

Locking the computer before stealing the victim's banking credentials would prevent the credit card or bank theft itself, which suggests that the cybercriminals might instead be planning to extort victims to unlock their computers.

The security researchers suggest that, in corporate networks where users are unlikely to be regularly visiting targeted banking URLs, TrickBot would find it difficult to steal banking credentials. Thus, the potential of locking hundreds of machines could prove a more successful money-making model.

"It is notable that this locking functionality is only deployed after lateral movement, meaning that it would be used to primarily target unpatched corporate networks. In a corporate setting (with unpatched machines) it is highly likely that backups would not exist as well. The authors appear to be getting to know their target audience and how to best extract money from them," Webroot points out.

8 hours ago Australian Taxation Office happy to go it alone with cybersecurity

ZDNet
Despite the Australian Signals Directorate last week stating that those not seeking its help with security aren't taking the matter seriously, the Australian Taxation Office has backed its in-house approach.

Latest News

6 hours ago 'R2D2' stops disk-wipe malware before it executes evil commands

The Register
'Reactive Redundancy for Data Destruction Protection' stops the likes of Shamoon and Stonedrill before they hit 'erase'

Purdue University researchers reckon they've cracked how to protect data against "disk-wipe" malware.…

7 hours ago Mozilla pulls ads from Facebook after spat over privacy controls

The Register
UK advertisers' society has also fired a warning shot

The Mozilla Foundation has expressed its discomfort at the Cambridge Analytica revelations by pulling its ads from Facebook.…

8 hours ago Mark Zuckerberg's Data-Mining Apology Offers A Big Opportunity For Facebook

Forbes
After many years of privacy concerns, Facebook and other social media companies are finally facing the realistic possibility that they will face actual government regulation to protect consumers' privacy. But can a leopard really change its spots?

3 hours ago #DeleteFacebook Highlights The Benefits Of Blockchain

Forbes
Distributed ledgers and the rise of blockchain technology challenge the concept of trust held by centralized authorities, such as banks and governments, as well as data-collecting mega corporations looking to make a quick buck from analytics firms or third-party app developers.

5 hours ago Your code is RUBBISH, says GitHub. Good thing we're here to save you

The Register
Dependency scanner turned up FOUR MEEELLION vulns from October to December 2017

Last year, GitHub added security scanning to its dependency graph and flicked the lid off a can absolutely crawling with bugs.…