Vote for Naked Security in the European Blogger Awards 2020!

We’re excited to say that we’re short-listed in nine different categories in this year’s European Cybersecurity Blogger Awards.

If you like our content, please vote for us!

We’re up for awards for our website, our podcast, our social media feeds on Twitter and Instagram, our cybersecurity videos, and for the Grand Prix for Best Overall Security Blog.

Voting is open to everyone. You don’t have to be a blogger or podcaster yourself, and you don’t have to be from Europe. You don’t have to vote in every category – you can leave an item blank if you want – but you are only allowed to submit one voting form.

If you enjoy what you read, hear and see from the Naked Security team, please vote for us – it means a lot to us, and it reminds our bosses that our work is worth it so we get to keep the content coming!

And don’t forget that you, our Naked Security community, mean a lot to us, too.

Naked Security would be nothing without you – so to everyone who reads, listens, watches, comments, votes, likes, and shares our material, thank you so much.


Latest Naked Security podcast

More crypto-stealing Chrome extensions swatted by Google

Malicious extensions for the Chrome browser continue to spring up just as quickly as the search giant cuts them down. This month, another batch appeared.

Google deleted 49 malicious Chrome extensions from the Chrome Web Store in mid-April after security researcher Harry Denley found them phishing cryptocurrency users. The extensions impersonate Chrome extensions for legitimate cryptocurrency wallets, but when installed they pilfer the users’ private keys and other secrets used to access digital wallets so that their authors can steal victims’ funds. Now Denley has found more.

Talking to Naked Security, Denley explained that he finds new ones each day. He pointed us to this Pastebin entry showing the original 49 he reported in April, along with another 22. The new ones impersonated the Ledger, KeepKey, MetaMask, and Jaxx wallets. The IDs on the left are extension IDs, which show up at the end of an extension’s URL when viewed in the Chrome store.

Google had already taken down most of the offending wallets at the time of writing, and has been generally pretty responsive, according to Denley, who said:

Yeah, they have been, for the majority. Actioned my reports within 24 hours.

New rules

Google has acknowledged a general problem with malicious extensions and has announced new rules for the Chrome Web Store. It said:

We want to ensure that the path of a user discovering an extension from the Chrome Web Store is clear and informative and not muddled with copycats, misleading functionalities or fake reviews and ratings.

The rules forbid developers from publishing multiple extensions that do the same thing, and prohibit misleading metadata, including anonymous user testimonials in app descriptions. Developers can’t upload extensions that exist solely to launch another app or extension, and they shouldn’t send spam notifications, the company added.

It said that developers must comply with the policy after 27 August 2020. After that point, apps violating the rules “may be taken down and disabled”.

The problem, according to Dan Finlay, the lead developer at crypto wallet company MetaMask, is that Google allows phishing ads that point to fake extensions. Initially talking about shortcomings in the company’s manual extension review process, he said:

Finlay said that he reported the problem, sending trademark notices and bug reports, but that Google didn’t reply. What he’d really like to see is the ability to block other extensions or ads from using MetaMask’s name.

Denley agreed. He told us:

The official MetaMask extension has over 1,000,000 users – you’d assume Google would have some sort of plan to tackle any potential fake extensions with the Metamask branding.

Weirdly, while Google has been quick to take down most fake cryptocurrency wallet extensions, at the time of writing (7am BST) one of the fake MetaMask extensions was still up. Its listing reports 380 users.

The best advice:

  • Install as few extensions as possible and, despite the above, only from official web stores.
  • Check the reviews and feedback from others who’ve installed the extension.
  • Pay attention to the developer’s reputation, how responsive they are to questions and how frequently they post version updates.
  • Study the permissions they ask for (in Chrome, Settings > Extensions > Details) and make sure they’re in line with the extension’s features. Be suspicious if the permissions change.


Vcrypt ransomware brings along a buddy to do the encryption

Here’s a ransomware story with a difference.

The sample we studied in this article is detected by Sophos products as Troj/Ransom-FXO, but you’ll also hear it called Vcrypt after the filename extension used by the malware.

Neither of those monikers is how it describes itself, of course – it installs itself with the harmless-looking name video_driver.exe and claims to be just that, a video driver:

The bad news is that whoever wrote this malware decided to be doubly destructive: it scrambles the files on your C: drive using a secret decryption key, but it wipes out the files on all your other drives, looping through all the letters A: to Z: except C:, issuing commands to delete all the files and directories it can find.

The good news is that the programmer of Ransom-FXO didn’t take much care over the encryption part, and used a hardcoded cryptographic key that can fairly easily be extracted from the malware file.

Actually, that bit of good news is just as well, because there’s no way to buy back the unscrambling key.

Unusually, the criminal behind this attack didn’t use Tor or the dark web to host the “buy page” where you find out how much it’s going to cost and where to send the bitcoins…

…they used a regular web page on a free hosting service that has now removed the offending content, so you couldn’t negotiate for the password even if you wanted to.

Ransom-FXO is unusual because although the ransomware itself is written in C, it doesn’t use its own C code to do the encryption.

If you’re a Naked Security podcast listener (if you aren’t yet, please give it a try!), you’ll probably remember that a few episodes back we discussed a concept we wryly referred to as “malwareless ransomware“.


In the case we discussed in the podcast (jump to 13’43” for the section on ransomware) the encryption was carried out by hand by crooks who were already able to log on to the victim’s network and run commands as if they were genuine sysadmins.

That attack saw the crooks using a free and open source full-disk encryption program called DiskCryptor, leaving you stuck at a password prompt you weren’t expecting – and for which you didn’t know the access code – when you next rebooted your computer.

In the Ransom-FXO sample, the author used the free file archiving tool 7-Zip for the encryption, so that all the video_driver.exe ransomware program has to do is call the Windows system() function to run the 7-Zip program as an operating system command, just as if you’d typed it in yourself at a Windows command prompt.

This makes the main part of the ransomware very simple, as you can see from this directory listing taken after the ransomware had installed itself in order to launch its attack:

The malware copies itself to your %TEMP% folder (which is where temporary files typically go), as you see above, and is 794KB in size.

However, 733KB of the video_driver.exe consists of a copy of the mod_01.exe file that the malware extracts into a program of its own at the start, so that it can call on it later.

The mod_01.exe file is simply a pirated copy of the 7-Zip archiving and compression program, which lets you package entire directory structures into individual archive files, optionally encrypting them using the AES algorithm.

How it works

Stripped of the copy of 7-Zip bundled into it, the video_driver.exe is incredibly simple.

Almost all it does is to start two threads of execution that run side-by-side, each running a sequence of system() commands over and over again via the built-in Windows cmd.exe program:

The first thread repeatedly does the following:

The author left out the C: drive from the list of drives to wipe because that’s where the other thread looks for files to scramble.

You can see what seem to be two fortuitous mistakes above.

The B: drive (if there is one, which is admittedly unlikely these days) doesn’t get wiped because the programmer checks for the existence of B: but then wipes the A: drive again in the second part of the line.

And the F: drive was omitted altogether – we’re assuming that was a copy-and-paste blunder rather than that the criminal had in mind to spare that particular content.

The second thread repeatedly runs a sequence of commands that are stored inside the malware like this:

As weird as that text looks, it’s actually obfuscated using a good old Caesar cipher, where all the characters are shifted back three places just before the system() command gets called.

Using the ASCII character set as the decryption table for the text above, li moved back three letters gives if, the hash sign (#) turns into a space, and XVHU comes out as USER, and so on.

So, what actually executes is:

As mentioned above, the file %TEMP%\mod_01.exe program name seen here refers to the pirated copy of the 7-Zip command brought along by the malware.

You can see the password in the command line above – it’s the text immediately following the command option -p, namely:

Oezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS

There are actually twelve variations of the above command in the malware, each having a go at scrambling one of the folders in this list:

%USERPROFILE%\Desktop\
%USERPROFILE%\Downloads\
%USERPROFILE%\Pictures\
%USERPROFILE%\Music\
%USERPROFILE%\Videos\
%USERPROFILE%\Documents\
%PUBLIC%\Desktop\
%PUBLIC%\Downloads\
%PUBLIC%\Pictures\
%PUBLIC%\Music\
%PUBLIC%\Videos\
%PUBLIC%\Documents\

If any of these folders exist and have files in them, their contents end up in encrypted 7-Zip archives with the extension .vcrypt, like this:

In the listing above, you can also see two other files created by the malware: help.html (shown below), which gives you the bad news that your files have been scrambled, and new_background.bmp, which is an all-black rectangle that gloomily replaces your desktop wallpaper for dramatic effect.

The twelve file encrypting commands actually run over and over for as long as you’re logged in, so that any files you save into one of the above folders after the malware has started running will soon get noticed, added to the relevant .vcrypt archive, and then deleted.

What you see

The malware adds itself to the Windows registry entry as follows:

 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run video_driver = "%TEMP%\video_driver.exe"

This means that every time you log on to Windows, the file-deleting-and-encrypting threads start up again in the background.

Thanks to the wallpaper change and the help.html file, you’re confronted with a dispiriting, all-black Windows desktop with no file icons or shortcuts on it, like this:

Oooopppssss…

Q: Qu’ai t’il arrivé à mes fichiers ?
A: Tous vos fichiers ont étés chiffrés et placés dans une zone de sécurité.
Q: Comment récupérez mes documents !! ?
A: Suivez les instructions disponibles via cette page web. Si la page ne s’ouvre pas, veuillez vérifier votre connexion internet.

——

Oooopppssss…

Q: What happened to my files?
A: All your files were encrypted and stored in a secure area.
Q: How do I get my documents back !! ?
A: Follow the instructions [here]. If you can’t open the page, check your internet connection.

As we mentioned above, the web page that is supposed to tell you what to do has been taken down, so checking your internet connection won’t help you access it:

Erreur 404 – Document non trouvé

—–

Error 404 – Document not found

What to do?

You can use an anti-virus program to remove the malware, or stop it running yourself as follows:

  • Delete the file C:\USERS\[yourname]\AppData\Local\Temp\video_driver.exe
  • Reboot or log off and come back in.

You can recover your files by hand by installing the 7-Zip utility and then opening up the .vcrypt files in your home folder one by one.

For example, here’s what our deleted Desktop folder looked like, packaged up inside the archive created by the malware, showing the filenames, sizes, and a + sign to denote that the files themselves are encrypted:

(You can view the files without putting in the password, because 7-Zip doesn’t encrypt the file names, only their contents.)

When you ask 7-Zip to extract the files, a password prompt will pop up.

For the malware sample described here, the password was:

Oezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS

Unfortunately, there’s no quick way to get back files deleted from other drive letters than C:…

…but if you’re in the habit of making regular and frequent backups, and of keeping at least one copy offline where it can’t be deleted during an attack, you should be able to recover anyway.

Don’t delay, do a backup today!



Fake news Facebook accounts used coronavirus to attract followers

Fake accounts and fake news outlets that churn out conspiracy theories and snake-oil medical advice are doing what opportunistic shills always do: talking about what everyone else is talking about as they seek to mislead people into falling for phishing, other scams, or public-opinion influence operations.

Of course, the crisis they’re now leveraging is the COVID-19 pandemic.

On Tuesday, when Facebook released its third Coordinated Inauthentic Behavior (CIB) report, it said that every one of the eight networks it took down in April was created before the COVID-19 pandemic began. Before the gravity of the pandemic was understood worldwide, the threat actors were already doing their policy-violating work of ripping people off, spreading conspiracy theories or trying to influence political discourse. But once the disease settled into its place as the world’s foremost worry, the people behind the campaigns all pivoted to jump on the coronavirus bandwagon:

… opportunistically [using] coronavirus-related posts among many other topics to build an audience and drive people to their pages or off-platform sites.

Most of the networks Facebook took down last month were still trying to grow their audience or had a large portion of phony engagement on their pages – engagement that came from the networks’ own, fake accounts.

Nathaniel Gleicher, head of security policy at Facebook, said it’s all par for the course when it comes to exploiting the headlines:

We have seen threat actors leverage the coronavirus pandemic and discussion about the coronavirus pandemic in the same way that we’ve seen threat actors leverage other types of major events around the world.

One crisis that comes to mind was the Japanese earthquake and tsunami of 2011 – a horrific tragedy that scammers exploited with fake charity scams, spam that led to malware, and a clickjack scam about a whale getting tossed into a building.

In other words, it’s fake news, circa Year of COVID-19.

Takedowns

Last month, Facebook pulled down a total of 1,887 misleading accounts, pages and groups which it traced to eight networks. It says that two of the networks – from Russia and Iran – were coordinating their inauthentic behavior on behalf of a foreign or government actor. The remaining six networks – in the US, Georgia, Myanmar and Mauritania – were targeted at domestic audiences in their respective countries.

Facebook is constantly taking action against inauthentic behavior, including fake engagement, spam and artificial amplification. The report about CIB, however, is focused specifically on influence operations: what Facebook describes as “coordinated efforts to manipulate public debate for a strategic goal where fake accounts are central to the operation.”

In April, the platform took down a total of 732 Facebook accounts, 162 accounts on its Instagram platform, 793 pages, and 200 groups.

Biggest network: Georgia

The biggest network Facebook took down last month was one based in Georgia that’s linked to a media firm called Espersona. The platform removed 511 pages, 101 Facebook accounts, 122 groups, and 56 Instagram accounts linked to the network, which focused on domestic activity.

Facebook also removed a smaller network based in Georgia: one that consisted of 23 Facebook accounts, 80 pages, 41 groups, and 9 Instagram accounts. It linked this smaller network to individuals associated with United National Movement, a political party.

@AtlanticCouncil’s Digital Forensic Research Lab (@DFRLab) – a network of digital forensic analysts working to combat disinformation – has been tracking the Espersona network for a while. DFRLab says that accounts/pages/groups in Espersona’s coordinated network have impersonated Georgian health authorities and political opposition members and have tried to discredit pro-democracy activists and members of opposition parties.

Facebook says that people running the network also ran pages designed to look like user profiles—using phony names and stock profile images—to post and amplify their content, as well as to evade detection and removal. Some of their pages posed as independent news outlets to post content about domestic news and political issues such as elections, government policies and officials, as well as to criticize the opposition, journalists and local activists.

Most recently, the Espersona network shared content about COVID-19, including posts that violated Facebook’s policies against harmful health misinformation. In February, the company banned coronavirus miracle cure ads, including those that falsely, and dangerously, claimed that drinking bleach is a cure.

Facebook says that it found the Georgian network as part of an earlier investigation into suspected CIB that had been publicly reported by a local fact-checking organization in Georgia. The platform says that the Espersona network it took down in April has links to a Georgia-based network it took down in December 2019. It has now banned Espersona from its platforms.

Before it was booted from the platform, one of the network’s posts showed Georgia’s Prime Minister, Giorgi Gakharia, standing in front of a yellow-and-black image that says “Kill Corona Volume 1.” Fans of writer/director Quentin Tarantino will recognize it as a reference to his “Kill Bill” film series.

A “Kill Bill”-esque post from Georgia about the coronavirus features Prime Minister Giorgi Gakharia. IMAGE: Facebook

US: Anti-immigration and conspiracy theories

Facebook took down a smaller network in the US that it linked to anti-immigration sites. It removed 19 pages, 15 Facebook accounts, and 1 group that originated in the US and focused domestically. The platform’s investigation linked the network to VDARE, a website known for posting anti-immigration content, and to individuals associated with a similar website, The Unz Review.

It also ousted a US network – consisting of 5 pages, 20 Facebook accounts, and 6 groups – that it linked with the QAnon network. According to AP, QAnon is a conspiracy theory “centered on the baseless belief that Trump is waging a secret campaign against enemies in the ‘deep state’ and a child sex trafficking ring run by satanic pedophiles and cannibals.”

Facebook provided this sample of a QAnon post, which purportedly links to a video about the origins of COVID-19 that “Media Isn’t Showing.”

QAnon post touting a documentary about the origins of the coronavirus that the “media isn’t showing.” IMAGE: Facebook

These insincere operators work every angle

All of these coordinated networks of accounts originally had different goals unrelated to the coronavirus, Gleicher said. Coronavirus is just another tool they’re using to further those goals:

If you’re trying to build an audience, then you would want to use messages from the topic that everyone’s already talking about, which is coronavirus right now.

