Silobreaker Daily Cyber Digest – 7 March 2016
KeRanger
The first fully functional ransomware for Mac OS X has finally appeared. KeRanger was distributed via compromised downloads of the Transmission torrent client (version 2.90). The malware is signed with a legitimate Apple developer certificate, which allowed it to bypass Gatekeeper protection.
Transmission has advised users to update to version 2.91. KeRanger waits three days after installation to communicate with its C&C servers, so removing the ransomware before this occurs should prevent file encryption.
Technical details are available from Palo Alto Networks.
Anonymous Anon Verdict
An Anonymous subgroup known as Anon Verdict is campaigning for the indictment of officer Aaron Smith of the Montgomery, Alabama Police Department.
Aaron Smith, 23, has been charged with the murder of Gregory Gunn, a 58-year-old black man who was shot while walking home from a late-night card game at a neighbour’s house. The officer claims that he was frisking Gunn, who appeared suspicious, and that Gunn resisted violently and ran away.
Anon Verdict has released the personal information of 27 Montgomery police officers and threatens to dump the rest of the department’s personnel data if an indictment is not forthcoming. The group has already leaked personnel data from the Cincinnati Police Department in response to the death of Paul Gaston.
Donald Trump’s voicemails leaked
Anonymous have allegedly leaked a selection of Trump’s 2012 voicemails to Gawker. Several of the messages are from MSNBC morning show hosts, who called to thank Trump profusely for his donations to a children’s charity.
The voicemails are not particularly juicy, but they do suggest that Trump’s relationship with the ‘liberal media’ is not quite as riven as he suggests.
Operation Transparent Tribe
Researchers at Proofpoint have identified a new cyber espionage campaign serious enough to be dubbed an Advanced Persistent Threat (APT). Named Operation Transparent Tribe, it has been targeting Indian diplomats and military personnel since February 11th.
Proofpoint’s research suggests the campaign is highly sophisticated and utilises a number of attack techniques, including multiple phishing campaigns, watering hole attacks and a complex malware family named MSIL/Crimson.
The complexity of this operation and the varied attack methodology suggest the involvement of a state actor. Proofpoint researchers explained, “This is a multi-year and multi-vector campaign clearly tied to state-sponsored espionage; in the world of crimeware, you rarely see this type of complexity.”
Many of the IP addresses implicated in the attacks originate in Pakistan, and given India’s highly volatile relationship with its neighbour, it is more than plausible that this is a state-sponsored APT emanating from Pakistan.
For a more in-depth technical analysis of Operation Transparent Tribe, the Proofpoint report is available here.
MSIL/Crimson
MSIL/Crimson is the malware family primarily being used in Operation Transparent Tribe to attack Indian diplomats and military professionals. The software contains a number of attack features: it can create personalised fake blog posts with links to malicious payloads, as well as distribute emails loaded with weaponised documents and infected files.
MSIL/Crimson has only ever been observed as part of Operation Transparent Tribe, and therefore does not appear to pose a wider threat to users outside of India.
Golem
Golem is a new variant of the infamous Ghost Push malware that was widely distributed through third-party Android apps in 2015. The new variant has been reported by Cheetah Mobile, and is said to contain functionality that abuses an Android feature called Input.
Input is a pre-packaged feature on Android devices that allows developers to conduct automated testing procedures. Its role is to mimic user behaviour by simulating touch interactions and keyboard input, all without assistance or direct consent from the user. Golem gains root access and exploits this feature, downloading unsolicited apps and abusing the Input tool to simulate user interaction with the app and its ads.
Over 40,000 users are already thought to be infected, largely across South East Asia.
Golem’s ability to remotely download and launch apps gives it huge scope to damage infected phones. At best it will consume large amounts of battery and mobile data, but it has the capacity to be far more destructive.
Cyber Justice Team
Cyber Justice Team is a group of self-proclaimed cyber activists and anti-extremist protestors using Twitter to demonise and target a variety of extremist actors. The group is becoming increasingly prominent as it targets websites and Twitter handles that are guilty of supporting the activities of the Islamic State (IS). It hit the headlines this weekend, however, after using DDoS attacks to take down the website of Tommy Robinson, founder of the EDL and UK Pegida.
The Silobreaker Team