Showing posts with label Windows. Show all posts

mobile malware Daily update ⋅ March 15, 2018




NEWS
Cybercriminals pivot to cryptomining, fileless malware – McAfee
McAfee said new ransomware grew 35%, and 2017 ended with a 59% growth of ransomware attacks year over year. While new mobile malware decreased by 35%, most notably in terms of Android screenlocking ransomware, the cybersecurity firm added new Mac OS malware samples increased 24% ...
APAC security chiefs expect imminent attack on critical systems
Cyber criminals will ramp up efforts to mine cryptocurrencies, while mobile malware will rear its ugly head across the APAC region in 2018. The computer networks of two universities in Singapore were breached in April 2017 by hackers looking to steal information related to government or research.
Eight new cyber threat samples emerging per second
In 2017 total mobile malware experienced a 55% increase, while new samples declined by 3%. New malware samples increased in Q4 by 32%. The total number of malware samples grew 10% in the past four quarters. 97% of spam botnet traffic in Q4 was driven by Necurs — recent purveyor of 'lonely ...
Asia Pacific countries are a melting pot of cyber threats
Asia Pacific (APAC) countries remain a popular melting pot for cyber threats of all kinds, including online banking malware, ransomware, malicious mobile app downloads and exploit kit attacks. APAC accounted for almost 40% of the 1.7 billion ransomware attacks between 2016-2017, according to ...
Cyberattacks to increase in 2018 on IoT and mobile devices: SonicWall Cyber Threat Report
Malware attacks increased from 7.87 billion in 2016 to 9.32 billion in 2017, while ransomware attacks decreased from 638 million to 184 million, according to SonicWall Cyber Threat Report. SonicWall, the cybersecurity solutions provider, revealed the findings, intelligence, analysis, and research about ...
Mobile Anti-Malware Market Analysis, Overview, Growth, Demand And Forecast Research Report ...
Mobile Anti-Malware Market report provides key statistics on the market status of the Mobile Anti-Malware Manufacturers and is a valuable source of guidance and direction for companies and individuals interested in the Mobile Anti-Malware Industry. The Mobile Anti-Malware industry report firstly ...
Mining Malware was used by Hackers for 400,00 Computers
However, the antivirus program managed to recognize all these attempts. The miner was supposed to mine Electroneum, which is a less known coin that also uses mobile mining that is app based. Malware also generated traffic that was really suspicious, and the command and control server were ...

New code injection method avoids malware detection on all versions of Windows

Presented at Black Hat Europe, a new fileless code injection technique has been detailed by security researchers Eugene Kogan and Tal Liberman. The technique is dubbed Process Doppelgänging, and commonly available antivirus software is unable to detect processes that have been modified with it to include malicious code.
The technique is very similar to one called Process Hollowing, but software companies can already detect and mitigate risks from the older attack method. Process Hollowing occurs when the memory of a legitimate program is modified and replaced with user-injected data, causing the original process to appear to run normally while executing potentially harmful code.
Unlike the outdated hollowing technique, Process Doppelgänging takes advantage of how Windows loads processes into memory. The mechanism that loads programs was originally designed for Windows XP and has changed little since then.
To attempt the exploit, a normal executable is opened within an NTFS transaction and then overwritten by a malicious file. An NTFS transaction is a sandboxed location that returns only a success or failure result, preventing partial operations. A piece of memory in the target file is modified. After the modification, the NTFS transaction is intentionally failed so that the original file appears to be unmodified. Finally, the Windows process loader is used to invoke the modified section of memory that was never removed.
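The sequence above leaves a trail a defender can correlate: a section mapped from file contents written inside a transaction, that transaction rolled back, and a process then started from the section. The following detection sketch is an added example, not code from the original article or the researchers; the event names, fields and sample log are a constructed, hypothetical telemetry schema.

```python
import json

# Constructed telemetry in a hypothetical schema (not a real sensor format).
SAMPLE_LOG = r"""
{"event":"txn_begin","pid":4120,"txn":"T1"}
{"event":"file_write","pid":4120,"txn":"T1","path":"C:\\Tools\\notepad.exe"}
{"event":"section_create","pid":4120,"txn":"T1","path":"C:\\Tools\\notepad.exe","section":"S1"}
{"event":"txn_rollback","pid":4120,"txn":"T1"}
{"event":"process_create","pid":4120,"section":"S1","child":5532}
{"event":"txn_begin","pid":812,"txn":"T2"}
{"event":"file_write","pid":812,"txn":"T2","path":"C:\\App\\update.exe"}
{"event":"txn_commit","pid":812,"txn":"T2"}
{"event":"section_create","pid":812,"txn":null,"path":"C:\\App\\update.exe","section":"S2"}
{"event":"process_create","pid":812,"section":"S2","child":5600}
{"event":"txn_begin","pid":900,"txn":"T3"}
{"event":"file_write","pid":900,"txn":"T3","path":"C:\\Data\\report.docx"}
{"event":"txn_rollback","pid":900,"txn":"T3"}
"""

def detect_doppelganging(log_text):
    """Flag processes started from an image section that was mapped from
    file contents written inside a transaction that was later rolled back."""
    txn_writes = {}      # txn id -> paths written inside that transaction
    sections = {}        # section id -> (path, txn id) for transacted views
    rolled_back = set()  # txn ids whose writes never reached disk
    launches = []        # (parent pid, child pid, section id)
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        kind, txn = ev["event"], ev.get("txn")
        if kind == "file_write" and txn:
            txn_writes.setdefault(txn, set()).add(ev["path"])
        elif kind == "section_create" and ev["path"] in txn_writes.get(txn, ()):
            sections[ev["section"]] = (ev["path"], txn)
        elif kind == "txn_rollback":
            rolled_back.add(txn)
        elif kind == "process_create":
            launches.append((ev["pid"], ev["child"], ev["section"]))
    # Evaluate after the whole window so event ordering does not matter.
    alerts = []
    for parent, child, sec in launches:
        path, txn = sections.get(sec, (None, None))
        if txn in rolled_back:
            alerts.append({"parent": parent, "child": child,
                           "image": path, "txn": txn})
    return alerts

if __name__ == "__main__":
    for alert in detect_doppelganging(SAMPLE_LOG):
        print("ALERT", alert)
```

Only the first sequence in the sample is flagged: the committed update (T2) and the rolled-back document write with no process launch (T3) stay quiet.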
The following table shows the antivirus software tested by the researchers that was unable to block the exploit.
| Product | Operating System | Result |
|---|---|---|
| Windows Defender | Windows 10 | Success |
| AVG Internet Security | Windows 10 | Success |
| Bitdefender | Windows 10 | Success |
| ESET NOD 32 | Windows 7 SP1 | Success |
| Symantec Endpoint Protection | Windows 7 SP1 | Success |
| McAfee VSE 8.8 Patch 6 | Windows 7 SP1 | Success |
| Kaspersky Endpoint Security 10 | Windows 7 SP1 | Success |
| Kaspersky Antivirus 18 | Windows 7 SP1 | Success |
| Symantec Endpoint Protection 14 | Windows 7 SP1 | Success |
| Panda | Windows 8.1 | Success |
| Avast | Windows 8.1 | Success |
It should be noted that the Windows 10 Fall Creators Update originally appeared to fix the issue, since the presenting duo were unable to perform the exploit on the latest version. Attempting the exploit there causes a stop error, otherwise known as the blue screen of death. Not a desirable effect, but better than ending up with an infected machine.
However, later updates apparently allowed for the exploit to work again even on the latest patches of Windows 10. Due to the nature of the exploit, Microsoft will have its work cut out to update a core feature that helps preserve software compatibility. Antivirus vendors should be able to push out updates to detect and prevent Process Doppelgänging within the coming weeks.


via Techspot
