#cybersecurity | #hackerspace | BlackBerry Cylance vs. IcedID Banking Trojan

Source: National Cyber Security – Produced By Gregory Evans

IcedID, originally known as BokBot, is a banking Trojan featuring modular malicious code and infostealing capabilities. It was first identified in the wild in September 2017 by IBM X-Force researchers.[1]

IcedID gathers financial information and credentials from infected hosts through sophisticated web injection and redirection attacks. The infostealer targets banking portals, webmail clients, payment card providers, mobile services providers, payroll portals, and online retail websites.

IcedID may be connected to past activity by the threat actor Neverquest. Neverquest was a Russian Cybercrime-as-a-Service group which disbanded in 2017 following the arrest of one of its members, Stanislav Lisov.[2],[3]

Technical Analysis

IcedID was initially delivered by another Trojan – Emotet.[4] Developed as a banking Trojan, Emotet has been repurposed to become one of the most successful threat distributors via its established botnet.[5] Emotet is generally delivered through spam carrying infected Microsoft Word document attachments. The Word document is often password-protected with the password appearing in the email body.[6]

The Word documents contain malicious macros which, if enabled by the user, invoke PowerShell to download the Emotet payload. Once successfully installed, Emotet downloads IcedID. IcedID uses Emotet’s geotargeting capabilities to focus its attacks primarily on North America and the UK. Variants of IcedID were observed being distributed by Ursnif/Dreambot[7], another Trojan similar to Emotet, early in 2018.

Threat actors traditionally work in competition with each other, often removing existing infections before installing their own malicious binaries on systems. There appears to be a recent shift towards threat actors using a more collaborative approach.

Analysts at Flashpoint identified host machines infected with both IcedID and Trickbot[8] and highlighted a potential partnership between the two. IcedID’s Command and Control (C&C) servers were observed sending commands instructing victim systems to download Trickbot and vice versa. Also, modifications to updated IcedID variants show indications they may have been influenced by Trickbot’s modules.

Static analysis of this specific IcedID sample file shows a compile date of April 3rd, 2016 – over a year before IcedID was discovered in the wild. The binary contains a section named .ndata with a raw data size of 0 bytes. This indicates the executable was created with Nullsoft Scriptable Install System (NSIS). Extracting the Nullsoft archive reveals it contains several benign files and a malicious DLL file – aerometers.dll, SHA256:


Figure 1: Extract from [NSIS].nsi file

A distinguishing feature of the IcedID infostealer is how it executes its process injection. It implements an alternative method that does not require the target process to be started in a suspended state. This approach has not been previously observed being used by malware authors.

When executed, the sample first launches a copy of itself. The sub process then starts the legitimate Windows process svchost.exe, where its malicious code is injected:

Figure 2: Spawned processes

It is not concerning to see multiple instances of svchost.exe running on a system as the process is used to load services run from Dynamic Link Libraries (SvcHost DLLs). Injecting IcedID’s main payload into an svchost.exe process is an attempt by the attackers to conceal their activities on the victim machine.

The following functions allow IcedID to avoid starting svchost.exe in a suspended state:

  • kernel32!CreateProcessA
  • ntdll!ZwProtectVirtualMemory
  • ntdll!ZwAllocateVirtualMemory
  • ntdll!ZwWriteVirtualMemory

The function ntdll!ZwCreateUserProcess is hooked within the memory space of the IcedID sample process. The kernel32!CreateProcessA function is then called to launch svchost.exe. Although svchost.exe has launched, its main thread has not yet been executed. The call to kernel32!CreateProcessA hits the hook on ntdll!ZwCreateUserProcess, which in turn calls the original ZwCreateUserProcess.

Next, ntdll!ZwCreateUserProcess returns the process handle for svchost.exe. With this process handle the ntdll!NtAllocateVirtualMemory and ntdll!ZwWriteVirtualMemory functions can write malicious code into the memory space of svchost.exe.

Calling svchost.exe without any arguments means it has no service to run, and the process will terminate. Before svchost.exe shuts down, the function ntdll!RtlExitUserProcess is called. The malware authors exploit this call to ntdll!RtlExitUserProcess by inserting a jump to the malicious code. The main thread of svchost.exe is then run and the original executable is terminated.

This minimalist approach to process injection is significant as the execution of malicious code is less likely to be detected by process hollowing countermeasures. It succeeds without creating the svchost.exe process in a suspended state or creating new threads in svchost.exe.

The IcedID sample dropped the malicious aerometers.dll file into the user Temp folder. The original IcedID executable is modified slightly before being copied (with a unique generated name) to the %ProgramData% directory, e.g. C:\ProgramData\{5D189AD3-A8D3-4093-881B-7E03AAE7B040}\pdkdkdkqg.exe. Each infection of this copied file has a unique hash.

IcedID requires a system reboot to complete its infection. The reboot requirement represents an effort to hinder sandbox analysis:

Figure 3: Files dropped to the system during dynamic analysis

Figure 4: Additional benign associated artifacts found in the user’s Temp directory

A Windows scheduled task is created to launch the copied IcedID file located under the %ProgramData% directory (e.g. pdkdkdkqg.exe) for every user logon. This allows IcedID to achieve persistence and ensures the infostealer will continue to run following system reboots:

Figure 5: Windows Scheduled Task to launch IcedID with log on

IcedID gathers basic information about the host system to provide to the C&C server. This information is useful for identifying the specific infection bot. All communication between a victim and the C&C server is sent over HTTPS using POST and GET requests. Responses from the C&C are encrypted using RC4 and occasionally compressed using LZMAT.

IcedID includes a network spreading module that facilitates infecting other endpoints within an organization. The malware queries the Lightweight Directory Access Protocol (LDAP) to find other users and then attempts to brute-force passwords with a dictionary attack.

IcedID uses web injection to steal login information for targeted banking portals and online retailers. The infostealer downloads a configuration file from its C&C that includes a list of targets for the web injection attacks. It sets up a local proxy, listening on port 49157, to redirect the victim’s Internet activity. This acts as a man-in-the-middle (MITM) style attack which can monitor all outbound traffic:

Figure 6: Process listening on localhost, port 49157

When the user attempts to navigate to a targeted URL, the web injection attack presents fake content over the legitimate page. To an unsuspecting user, nothing will immediately appear out of the ordinary: the bank’s genuine URL and SSL certificate still appear in the address bar. The local proxy intercepts the user’s traffic and the login credentials are exfiltrated to the C&C server. All communications to the C&C server are encrypted and sent over SSL to avoid alerting Intrusion Detection Systems.

IcedID targets webmail accounts and payment card websites with redirection attacks. The local proxy redirects users to fake, nearly identical websites hosted by the attacker’s server. The website will look legitimate by displaying the authentic URL and SSL certificate. Credentials submitted to the fake website are redirected to the attacker’s server.
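As an added host-triage example (not BlackBerry Cylance’s code), the following PowerShell checks a Windows host for the indicators described in this analysis: a process listening on localhost port 49157, a logon-triggered scheduled task that runs an executable from a %ProgramData%\{GUID}\ folder, and an svchost.exe whose parent is not services.exe. The GUID-folder regex and the parent-process heuristic are this example’s own assumptions, not indicators from the report, and it assumes Windows 8 / Server 2012 or later for the cmdlets used.

```powershell
# Added triage script (not from the original report). Reports IcedID-style host
# indicators; every finding should be confirmed manually before acting on it.

function Find-LocalProxyListener {
    param([int]$Port = 49157)
    # IcedID's local MITM proxy listens on 127.0.0.1:49157; report the owning process.
    Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Indicator = 'ProxyListener'
                Detail    = "$($_.LocalAddress):$($_.LocalPort) PID $($_.OwningProcess) ($($proc.ProcessName)) path=$($proc.Path)"
            }
        }
}

function Find-ProgramDataGuidTask {
    # Assumed pattern: action runs <ProgramData>\{GUID}\<name>.exe, as in the dropped copy.
    $pattern = '^"?(?:%ProgramData%|C:\\ProgramData)\\\{[0-9A-Fa-f-]{36}\}\\[^\\]+\.exe'
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        $logon = @($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }).Count -gt 0
        foreach ($action in $task.Actions) {
            if ($action.Execute -and ($action.Execute -match $pattern)) {
                [pscustomobject]@{
                    Indicator = 'GuidTask'
                    Detail    = "$($task.TaskPath)$($task.TaskName) -> $($action.Execute) logonTrigger=$logon"
                }
            }
        }
    }
}

function Find-OrphanSvchost {
    # Legitimate svchost.exe instances are started by services.exe; the sample spawns one
    # from its own copy. Caveat: a recycled parent PID can produce a false positive.
    $procs = Get-CimInstance Win32_Process
    $byId = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }
    foreach ($p in ($procs | Where-Object { $_.Name -eq 'svchost.exe' })) {
        $parent = $byId[[int]$p.ParentProcessId]
        if (-not $parent -or $parent.Name -ne 'services.exe') {
            [pscustomobject]@{
                Indicator = 'OrphanSvchost'
                Detail    = "PID $($p.ProcessId) parent=$($parent.Name) ($($p.ParentProcessId)) cmd=$($p.CommandLine)"
            }
        }
    }
}

$findings = @(Find-LocalProxyListener) + @(Find-ProgramDataGuidTask) + @(Find-OrphanSvchost)
if ($findings.Count -eq 0) { 'No IcedID host indicators found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run from an elevated prompt so that Get-NetTCPConnection and Win32_Process return owning-process details for every user’s processes.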

BlackBerry Cylance Prevents IcedID

BlackBerry® Cylance®, which offers a predictive advantage over zero-day threats, is also effective against malware like IcedID. BlackBerry Cylance trains artificial intelligence (AI) agents for threat detection using millions of both safe and unsafe files.

BlackBerry Cylance prevents IcedID and its variants from executing based on the detection of several malicious file attributes, not a specific file signature. This approach allows our customers to implement a prevention-first security posture effective against unknown, emerging, and polymorphic threats as well as traditional threats.

Indicators of Compromise (IOCs)

  • SHA256 F476342981C639D55CE2F5471C3E9962FD2D5162890E55D2B4E45DDC641F207F delivered to the system by Emotet
  • Aerometers.dll, SHA256 19591882B072D3DA133E1C6106FDC0A4413DFB86CA5605F94ACBC4EB6968B693

File Information

  • Type: Malware, Infostealer
  • Size: 157,816 bytes
  • Timestamp: 2016-04-03 21:20:55
  • ITW names: IcedID, BokBot

The post #cybersecurity | #hackerspace | BlackBerry Cylance vs. IcedID Banking Trojan appeared first on National Cyber Security.

View full post on National Cyber Security

BlackBerry #Mobile site the #latest #target of #cryptocurrency mining #hackers

TCL Communication Technology Holding Ltd., the operator of the BlackBerry Mobile site, is the latest victim of cryptocurrency-loving hackers in the latest of a rash of cryptomining hijacking cases.

The website for BlackBerry Mobile was discovered by a Reddit user last week to be serving up code to visitors from Coinhive, the notorious Monero mining script service. The same person who discovered the code did note that it was only the global TCL- owned site that was affected, not country-specific sites or those owned by BlackBerry Ltd.

Coinhive itself chimed in on Reddit, saying that one of its users had hacked the Blackberry Mobile website using a vulnerability in the Magento webshop software. “We’re sorry to hear that our service has been misused,” the company said. “This specific user seems to have exploited a security issue in the Magento webshop software (and possibly others) and hacked a number of different sites. We have terminated the account in question for violating our terms of service now.”

TCL is far from the first company to be targeted by cryptomining code, and it won’t be the last. The first outbreaks of cryptomining-related hacking occurred in September, when The Pirate Bay and then Showtime were exposed as using the method. As cryptocurrencies boomed, so did instances of hackers and site owners trying to cash in on Monero mining. A RiskIQ report on Sept. 26 found that more than 1,000 sites were now hijacking the computing power of site visitors to mine for cryptocurrencies.

By October, leading content delivery network Cloudflare Inc. was the first major provider to crack down on the method, banning all sites from its network that have cryptocurrency mining code installed.

The method spread to apps later the same month, when the first reports emerged of Coinhive scripts appearing in Android apps, and the new attack vector has seemingly continued to grow. Only this weekend, a security researcher discovered 291 apps across third-party Android stores that included the mining code, although they appear to be the same app and code under 291 different names.

Commenting on the Android outbreak, HackRead noted that though the biggest victims of cryptocurrency miners were previously website owners and unsuspecting visitors, Android users are now also at risk. The advice, as always, is to practice safe internet use: do not download unknown apps from Android stores, keep up-to-date antivirus software installed, and keep an eye on processor usage, because cryptocurrency miners drive it high.

Blackberry #CEO: Why there’s no “magic pill” for #cybersecurity

John Chen tells ITProPortal that simple steps, plus discipline, can be the key to keeping your business safe and secure.

The CEO of BlackBerry has warned businesses that they need to act on the basics of cybersecurity protection if they want to ensure they stay protected.

Speaking at a media roundtable at this week’s BlackBerry Security Summit in London, John Chen warned companies not to get caught up in the “cat-and-mouse game” with hackers looking to exploit weaknesses in unpatched systems.

Asked by ITProPortal what single piece of advice he would recommend to companies looking to stay protected, Chen replied that cybersecurity needs to be a company-wide initiative, with all departments becoming involved.

“If I have any advice…you need to have a cyber security process or mindset that is company-wide, not just department by department,” he told ITProPortal.

“I think this is a physical process…that determines how safe (a company) can get to. This is more than just technology,” he said.

“It’s amazing how some of the big cybersecurity breaches that we’ve seen around this year (always) have to do with companies not being up to date with patches…because the problem is already known, by the good guys and the bad guys …but the good guys never take the precaution to patch quickly!”

Chen noted that BlackBerry “forces” its own internal systems to be patched and updated on a rolling basis – which can be annoying if a download interrupts you in the middle of doing some work.

“But this discipline, and the completeness of this discipline…it’s about discipline, it’s about processes, it’s about completeness – it’s just never about technology, it’s not like there’s a ‘magic pill’ you can take and everything will be fine.”

BlackBerry has reinvented itself as a software power player in the last few years, following the decline of its phone hardware line, with Chen now keen to promote the company’s wide range of services and mobile tools.

Last month, the company’s most recent financial reports revealed that BlackBerry’s software and services revenue hit a record $196 million in the quarter, resulting in a company profit of $19 million for that time.

Chen was keen to highlight BlackBerry’s strength in business and endpoint security during the session, noting that, “we are the best mobile security solution…we know mobility.”

“Competition is a given when the market is big,” he notes, “(but) we have such a unique area that we’re number one on, it makes us a good partner to be with.”

BlackBerry DTek 50: Is It Good for Business?

BlackBerry’s DTek 50 is a decent, affordable Android smartphone with a slew of extra security features. That could make the newly announced device — which is set to launch next month, selling for $299 — an enticing option for workers. Just don’t expect to find trademark BlackBerry features like a physical keyboard on this midrange […]

Security, and marketing it, is the key to a Blackberry resurgence

The name BlackBerry resonates with investors as the company that led the cell-phone revolution, only to be eventually trumped by Apple as it dragged its heels when innovative smartphone technologies came to the market. This is a monkey that might always be on the back of BlackBerry, even as it continues to pursue extremely lucrative business opportunities, primarily in a space where it is ahead of the curve: security.

We do not expect, nor do we suggest, that BlackBerry (BBRY, -0.72%) change its name or rebrand itself. In fact, we believe that relationship will only solidify the future business of the company as it pursues security in the Internet of Things (IoT) space. It is our opinion that BlackBerry is in the right place at the right time, again. We know they were ahead of the curve with cell phones, and we currently believe they are ahead of the curve with security as well. Vulnerability threats now expand much further than cell-phone hacking. BlackBerry already offers the most secure cell-phone network. That is why governments use BlackBerry. Interestingly, it is this security and the inability to hack into it and read texts and emails that caused Pakistan, a country […]


BlackBerry Ltd Prepares For More Cyber-Threats With Medical Hack

BlackBerry Ltd (NASDAQ:BBRY) (TSE:BB) took the stage to demonstrate the way in which a terrorist could access an infusion pump inside a hospital and give patients a lethal morphine dose. The demonstration was held in New York City, during the global security forum conducted by the Canadian firm, which is keen to establish itself as a major provider of security for all kinds of equipment that connect to the internet.

BlackBerry QNX, a security expert

In the demonstration, the Canadian company showed how a would-be terrorist got access to the wirelessly connected pump, which is a standard hospital item, hacked its password and issued remote commands from a computer to change the way it dispensed morphine. BlackBerry QNX is largely seen as an operating system that could apparently prevent such attacks on infusion pumps. BlackBerry acquired QNX when it bought QNX Software Systems in 2010. QNX is also one of the major features in BlackBerry’s latest handset operating system, BlackBerry 10. QNX has become the major platform across every walk of life, from power generation systems to wind turbines, nuclear stations and hydroelectricity plants. QNX is in 50 million cars to drive computing and fuel infotainment systems, BlackBerry informed those who attended the […]


Android Device Manager, Galaxy Note III leaks, BlackBerry Porsche Z10 & more – Pocketnow Daily – Missing Computer Alert – Stories: Google announces Android Device Manager to help you secure lost phones; Next BlackBerry fl… I too love my Galaxy Note 2 on T-Mobil…

View full post on Hi-Tech Crime Solutions Weekly

Cracking a BlackBerry Passport: Unlocking is surprisingly easy

My new BlackBerry Passport turns out to be a great phone. But there was one minor disadvantage that had nothing to do with the phone itself. It turns out that my home in the country is in a bad spot […]


BlackBerry World Now offers IRCTC App

After being present on Windows and Android, the IRCTC App has now made its way to the BlackBerry World as well. With the help of this app, users can now make train bookings along with a host of other services […]
