New types of malware

Date: December 08, 2015

New malware discovered last month reminds us that malware keeps evolving and improving.
Analyzing it reveals new techniques being used in cyber attacks.


A JavaScript ransomware

In December, Emsisoft announced the discovery of a new type of ransomware, written entirely in JavaScript.

Named Ransom32, it uses the NW.js development framework (formerly Node-Webkit), which is based on Node.js and Chromium. This framework has two features that are interesting for a malware author:

  • it allows the creation of desktop applications that run outside the browser sandbox and therefore have access to all of the machine's resources,
  • it is cross-platform, allowing the ransomware to target Windows, Mac OS X and Linux systems alike.

Ransom32 is distributed as a self-extracting WinRAR archive via phishing campaigns.

This malware is offered to cybercriminals under a "Ransomware as a Service" model, through a hidden service on the Tor network. The service lets an attacker configure a customized version of Ransom32 through a web interface. The ransomware's authors pocket a 25% commission on the profits generated.


An Android malware that uses a firewall to block security applications

In December 2015, Symantec researchers found Android.Spywaller, a piece of spyware with interesting technical features.

This spyware targets Android users in China.
Its initial behavior is similar to that of many other mobile malware. It spreads through unofficial Android app stores, and once launched, it hides its icon, loads its payload into memory, and tries to impersonate a non-existent Google app by displaying a "Google Services" icon on the infected device.
The malware then attempts to collect sensitive data and send it to a remote server.

Analysis of the malware's code revealed an interesting technique.
Android.Spywaller uses a method called "Network disable 360 ()" to check whether "Qihoo 360", a very popular security application in China, is installed on the compromised device. If it is, the malware uses DroidWall, a firewall for Android systems, to block the "Qihoo 360" security application.

This threat highlights the double-edged nature of some capabilities found in legitimate security products when they are re-used by malware.


A malware that turns the systems it infects into Internet proxies

Another interesting discovery last month was the ProxyBack malware, found by Palo Alto Networks researchers.
This malware attacks home computers and turns them into Internet proxies.
Infected computers use HTTP tunnels that allow them to pass through firewalls.
Rather than being used to hide the attackers' location, they are advertised as reliable proxies by an online proxy service operated from Russia.
According to Palo Alto Networks, on December 23, 2015, more than 11,000 computers were infected by ProxyBack.


Conclusion

The discovery and analysis of this malware remind us that cyber attackers are very imaginative and that we must not let our guard down.

We must be especially cautious when installing mobile applications, and remember that the best protection against ransomware is regular backups.
