McAfee Raises the Stakes Against Cyberespionage

Tags: Install McAfee, McAfee Internet Security, Activate McAfee Total Protection, McAfee Antivirus, McAfee Smart Phone Security and McAfee Identity Protection.

As with the first Shamoon assault five years ago, the target was Saudi Arabia. But while earlier attacks focused on critical oil and gas infrastructure, last fall’s campaigns targeted Saudi government institutions, financial services, and other sectors. The objective was to gather information on individuals and organizations and wipe critical systems clean. With aggressive assaults across such a broad scope of attack surfaces, the latest Shamoon campaigns were nothing short of attempts to disrupt an entire nation.

Such an effort isn’t audacious given other events over the last several months. We’ve heard the revelations about the breach at Yahoo, watched the Mirai DDoS attack disrupt huge swaths of the Internet, and tried to come to terms with a DNC hack that many say influenced the American democratic process. The re-emergence of Shamoon is just the latest reminder that life and liberty can be imperiled by cyber-attacks.

It’s time—once again—for all of us to raise the stakes in our cybersecurity fight. We must match the audacious efforts of our adversaries with our own.

On the heels of the “new” McAfee launch, we are taking an important step in this effort by increasing investments and resources to fight and win with cyber threat research. Those investments are already starting to pay off, and last week we released new research on the evolution of the Shamoon cyberespionage campaigns that have ravaged the Middle East for half a decade.

The report identifies overlapping technology, tactics, and infrastructure among disparate Shamoon cyber campaigns in Saudi Arabia, and suggests there is one actor behind all the campaigns, rather than numerous independent cyber gangs. We further uncover that the actor has dramatically improved the sophistication of their attacks since 2012.

The research is the work of our Strategic Intelligence group, which works closely with our services organization’s Advanced Programs Group (APG). Led by Chief Scientist and McAfee Fellow Raj Samani, the group complements McAfee Labs’ threat intelligence analysis and Advanced Threat Research’s vulnerability research with an investigative specialization across several essential areas. These include advanced malware, ransomware, cyber campaigns and networks, financial fraud, cyber espionage, cyberwarfare, and protection of industrial controls.

Last week’s report reveals the first of many insights the group will provide our customers, partners, and law enforcement. The work is just one example of the “new” McAfee’s audacious effort to raise the stakes in the fight against our adversaries.

Attacks by cyber criminals, rogue states, or stateless actors, wherever they are targeted, are a threat to us all. Please join me in elevating our commitment to putting malicious actors where they belong—out of business.

Be sure to check out the Strategic Intelligence team’s executive summary and technical blogs for more information on what they found.

Source: Blog

PayPal Users: Here’s What You Need to Know About the New Phishing Scam

It’s the season of giving, which means internet scams are practically everywhere, as cybercriminals are trying to trick eager holiday shoppers. So, it’s unsurprising that yet another scam has emerged, this time targeting millions of PayPal users with manipulative phishing emails. The emails, which are intended to look like they’re from customer support, are trying to convince users to validate fake transactions.

How it works

This phishing scam does a pretty good job at seeming believable. The email leverages the PayPal logo and the sender’s address appears to be Additionally, an order number is referenced and the message claims that the user needs to click a link in order to verify the transaction. The order number is entirely fake, and the link actually leads users to

From there, victims are led through an authentication process that asks for name, date of birth, address, mother’s maiden name, and a credit card number. What’s more — the site has a valid SSL certificate, so the browser shows the green lock icon in the corner; that icon indicates only that you are connected to the address shown in the address bar.

How to stay protected

Fortunately, there are a few key indicators that reveal the scam’s true colors. First off, the header bar on is missing a “help” link. There’s also no alarm bell for notifications or a gear icon that you can use to update your settings. Plus, normal verification procedures don’t typically involve an additional form like the one from So be sure to keep an eye out for all these red flags.

However, beyond staying aware of these indicators, there are a few other things users can do to stay protected from this malicious phishing scam:

  • Go directly to the source. This scam could be easily avoided if users simply go directly to the PayPal website. It’s a good security rule of thumb: when an email comes through requesting personal info, always go directly to the company’s website to be sure you’re working with the real deal.
  • Be careful what you click on. Be sure to only click on emails that you are sure came from a trusted source. If you don’t know the sender, or the email’s content doesn’t seem familiar, remain wary and avoid interacting with the message.
  • Place a fraud alert. If you know your data has been compromised by this attack, be sure to place a fraud alert on your credit so that any new or recent requests undergo scrutiny. It’s important to note that this also entitles you to extra copies of your credit report so you can check for anything sketchy. And if you find an account you did not open, make sure you report it to the police or Federal Trade Commission, as well as the creditor involved so you can put an end to the fraudulent account.
  • Stay secure while you browse. Sometimes it’s hard to identify whether a website, such as, is full of malicious activity or is being operated by a cybercriminal. So, add an extra layer of security to your browser, and surf the web safely by utilizing McAfee WebAdvisor.

McAfee and Amazon Web Services: A Secure Relationship

As enterprises continue their journey to the cloud, many are using a hybrid model that engages both the private and public cloud. McAfee has embraced this “hybrid cloud” strategy to enable companies to migrate to the public cloud, and we are investing in the tools and relationships to enable the transition. Working with Amazon Web Services (AWS) is an important part of bringing enterprise-level security to public cloud deployments, and I’m happy to announce two new partner relationships with AWS. Also, McAfee will be joining AWS at the AWS re:Invent Expo in Las Vegas in late November, where we will demonstrate products that customers can use in their hybrid cloud strategy.

McAfee is Now an APN Advanced Technology Partner

For enterprise engagements, McAfee has become an Amazon Partner Network (APN) Advanced Technology Partner. To become an APN Advanced Technology Partner we have demonstrated that our products, customer relationships, expertise and overall business investments on AWS have grown and are meaningful to AWS.

McAfee builds tools that automate the rollout of security controls and security operations consistently across organizations. Our solutions — such as Virtual Network Security Platform, Cloud Workload Security, and Web Gateway — can play significant roles in helping companies adopt AWS securely:

McAfee Virtual Network Security Platform (vNSP): Designed specifically for fully virtualized public and private clouds, vNSP delivers an elastic security control that provides comprehensive network inline intrusion prevention, application protection, zero-day threat detection and visibility into lateral attack movement. The scalable and highly distributed architecture has been certified as “Well Architected” by Amazon. Integration with orchestration and automation frameworks makes this an ideal solution for adoption in DevSecOps environments.

McAfee Cloud Workload Security (CWS): As data center perimeters get redefined, the ability to navigate current data center workload assets and plot the journey to the cloud requires a map that will safely show the way. Cloud Workload Security provides visibility and protection for your workloads in the cloud with agility and confidence through an integrated suite of security technologies, ensuring control of the new perimeters.

McAfee Web Gateway (MWG): With its best-in-class malware protection efficacy and policy flexibility, MWG can now be deployed directly in AWS, in addition to the appliance and SaaS deployment models. MWG boasts the most flexible options in the industry for Web security. With an AWS deployment, customers can not only offload work from on-premises appliances through hybrid policy enforcement, they can also provide advanced in-line malware detection for SaaS-based apps. This is the same value proposition that McAfee has historically offered for endpoint protection, but we are now able to offer it for SaaS-based applications as well.

To learn more about our solutions that keep you better protected on AWS, visit

McAfee Accepted into the AWS Public Sector Partner Program

In addition to the commercial sector, McAfee knows that Government, Education and Nonprofit customers need quality security in the cloud. AWS has accepted McAfee into its AWS Public Sector Partner Program. This designation reflects McAfee’s strong commitment to support public sector customers in their transition to the cloud. As our presence in the AWS Public Sector Partner Program grows, so too will the value of our solutions specifically targeted for the public sector.

McAfee is a Sponsor at AWS re:Invent

Join us the week of November 27th at the AWS re:Invent event in Las Vegas. Visit McAfee at Booth 1238 at the Venetian. McAfee experts will share strategies and best practices to help customers secure and manage data on AWS. Plus, you can see live how McAfee vNSP expands network protection across virtualized environments.

Macro Malware Employs Advanced Sandbox-Evasion Techniques

During the past couple of weeks, McAfee Labs has observed a new variant of macro malware. When we open the .doc file, we see the message “This document is protected against unauthorized use. Enable Editing and Enable Content to read content” along with a request to enable macros. If the user clicks Enable Content, the macros run and download malicious content. (By default, Microsoft Windows enables protected view, preventing malicious macros from running unless users enable them.)

Since early March we have seen macro malware using high-obfuscation algorithms to protect itself from static and traditional antimalware detection techniques. Macro malware continues to evolve and use new tricks to evade detection.


At first glance, it is difficult to guess the intentions of this macro malware. We further deobfuscated the code and found more readable strings. The obfuscated macro looks like this:


In a previous blog, we described how the macro in the document file used the MaxMind service to gather IP-based location data. Previous variants have used fudging techniques such as virtual machine awareness, sandbox awareness, and others. We observed several new checks last week.

Use of painted event

The first major change is that the new variant no longer uses the AutoOpen() or DocumentOpen() function to automatically execute the macro. Instead, this variant uses a Painted event. This fudging technique bypasses some scanners that expect a payload to be executed from AutoOpen().


Checking the filename

Another change is checking the filename. This move is both simple and smart. In most cases, files submitted to sandboxes are named with their SHA256 or MD5 hash and so contain only hexadecimal characters. If the filename contains only hexadecimal characters, the malware does not infect the machine further. In the following code snippet, the malware checks the filename “TestMacro” for hexadecimal characters.

Number of running processes

The malware also checks the number of running processes. If the count is smaller than 50, the malware terminates. This is a simple technique to avoid analysis, because security researchers often use a fresh copy of a virtual environment with fewer than 50 running processes. The code snippet:

Blacklist of processes

Because these macro-based downloaders predominantly propagate through spam and phishing emails, the actors have made the effort to evade perimeter devices such as email scanners and gateway products. The malware checks for the presence of processes that may be found running in a sandboxed environment. The checklist is expanded in the new variant:
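
The three checks above (hash-like filename, fewer than 50 running processes, blacklisted process names) are exactly what an analyst needs to tune out of a detonation sandbox. The following is an added example, not code from the McAfee write-up: a small sandbox-realism audit that reports which of those checks a given analysis host would trip. The blacklist names and the sample host data are constructed placeholders, since the write-up's own process list is not reproduced on this page.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List

# Threshold stated in the write-up: fewer than 50 running processes aborts the macro.
MIN_PROCESS_COUNT = 50

# Hash-named samples: the file stem (name without extension) is hexadecimal only,
# e.g. an MD5 or SHA256 digest used as the submission filename.
HEX_ONLY = re.compile(r"[0-9a-fA-F]+")


@dataclass
class AnalysisHost:
    """What the macro can observe about the machine it is opened on (constructed inputs)."""
    document_path: str            # full Windows-style path of the opened document
    running_processes: List[str]  # image names as returned by a process listing


def filename_looks_like_hash(document_path: str) -> bool:
    """True when the document's stem is purely hexadecimal (hash-named sample)."""
    stem = PureWindowsPath(document_path).stem
    return bool(stem) and HEX_ONLY.fullmatch(stem) is not None


def evasion_triggers(host: AnalysisHost, process_blacklist: List[str]) -> List[str]:
    """Return the evasion checks from the write-up that this host would trip.

    An empty list means the sample would proceed; anything else is a sandbox
    realism problem to fix before detonating.
    """
    triggers = []
    if filename_looks_like_hash(host.document_path):
        triggers.append("hash-like filename: rename the sample before submission")
    count = len(host.running_processes)
    if count < MIN_PROCESS_COUNT:
        triggers.append(f"only {count} processes running (< {MIN_PROCESS_COUNT})")
    running = {p.lower() for p in host.running_processes}
    hits = sorted(running & {b.lower() for b in process_blacklist})
    if hits:
        triggers.append("blacklisted analysis process visible: " + ", ".join(hits))
    return triggers


# The write-up's blacklist is not reproduced here; these names are constructed placeholders.
EXAMPLE_BLACKLIST = ["analysis-agent.exe", "sandbox-monitor.exe"]


def demo() -> dict:
    """Audit a bare analysis VM and a more realistic host; return triggers for each."""
    bare_vm = AnalysisHost(
        document_path=r"C:\samples\d41d8cd98f00b204e9800998ecf8427e.doc",
        running_processes=["System", "smss.exe", "csrss.exe", "winword.exe", "analysis-agent.exe"],
    )
    realistic = AnalysisHost(
        document_path=r"C:\Users\jdoe\Downloads\TestMacro.doc",
        running_processes=[f"svc{i}.exe" for i in range(55)] + ["winword.exe", "explorer.exe"],
    )
    return {
        "bare_vm": evasion_triggers(bare_vm, EXAMPLE_BLACKLIST),
        "realistic": evasion_triggers(realistic, EXAMPLE_BLACKLIST),
    }


if __name__ == "__main__":
    for name, triggers in demo().items():
        print(name, "->", triggers or ["no evasion check tripped"])
```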


Blacklist of networks

We also blogged about how threat actors use the MaxMind service to gather IP-based location data. This variant checks for the region Oceania. It has also expanded the list of strings it checks using MaxMind. The strings are highly obfuscated and tough to understand; the obfuscated strings look like the following snippet:


The obfuscation algorithm changes frequently. For this variant we deobfuscated the content using a small Python script.


The malware checks the network provider’s name for the victim’s machine. It does not infect the machine if it finds that the document file is being opened on any of these listed vendors’ networks:


Malware authors continue to advance their sandbox-evasion techniques and make security efforts difficult for antimalware products.

McAfee advises all users to keep their antimalware products up to date. McAfee products detect this malware as W97M/Downloader.

IoT Devices: The Gift that Keeps on Giving… to Hackers

McAfee Advanced Threat Research on Most Hackable Gifts

You’ve probably noticed the recent increase in Internet connected drones, digital assistants, toys, appliances, and other devices hitting the market and maybe even showing up in your own home. Sales of these “Internet-of-Things” (IoT) devices are expected to reach 600 million units this year and, unfortunately, security has sometimes become a casualty of the race among manufacturers to be the first to sell these smart gadgets into millions of homes. This has provided potentially millions of opportunities for hackers to see what devices they can compromise and possibly even control. In the past year hackers and security researchers were able to bypass the security of a range of these IoT devices.

Early this year it was discovered that the Cayla doll could allow hackers to take control of the toy and record video and audio without the user’s consent. A demonstration by the National Cyber Security Centre in London also showed the doll could be used to unlock smart locks, allowing criminals to compromise your home through the front door. The flaw is so serious that Germany’s Federal Network Agency required retailers to pull the dolls off shelves, banning them throughout the country. In the United States, the Federal Bureau of Investigation (FBI) also released a public service announcement alerting the public to the potential risk Internet connected toys pose. The defect in the Cayla doll lies in its insecure Bluetooth connection, which allows anyone to listen and converse through the doll using an ordinary mobile phone.

Similar security flaws were recently found in multiple children’s watches being sold across Europe and the UK. Security experts commissioned by the Norwegian Consumer Council found the smart watches could allow outsiders to track the child through the GPS signal, access personal data on the device, disable the emergency SOS function, and remotely listen to the youngster without the knowledge of a parent or guardian. On a positive note, the manufacturers behind the watches have responded responsibly and have either corrected the defects or are in the process of doing so.

Internet connected cameras and baby monitors have been around for a few years, but manufacturers are still shipping insecure devices. A quick search on the IoT search engine Shodan for the word “IPCamera” shows more than 39,000 in total. This year saw multiple stories surface involving hackers able to remotely control cameras, record video and audio, and even speak to children. We often see consumers configure cameras with remote access but fail to put in place the correct security controls. Failure to change default passwords or use of weak passwords is a common offense among users. In other instances, the manufacturer of the device uses outdated third-party software or leaves ports open by default.

Controlling your smart devices with digital assistants from Apple, Amazon, Google, and others is a neat way to control lights, appliances, and the home’s A/C unit. Researchers from Zhejiang University in China released a report in August showing it’s possible to interact with the assistant using inaudible ultrasound commands. The scientists dubbed their findings the “DolphinAttack”: they could issue commands to the device at a frequency too high for humans to hear but still understood by a range of assistants, including Siri, Google Now, Cortana, and Alexa. The researchers demonstrated that it’s possible for someone to issue a range of commands from a distance without anyone near the device realizing the assistant was being controlled remotely. Although no real-world hacks are known at this time, it’s safe to say hackers are well aware of the vulnerability.

Drones will most certainly be at the top of many a Christmas list this year. The market has exploded, and sales of drones for personal use are expected to exceed $2 billion globally in 2017. With that many drones in the sky, and ample evidence that the devices can be hijacked, the security world has taken serious notice. Security researcher Jonathan Andersson demonstrated how he was able to take control of a drone mid-flight, resulting in the owner losing complete control. The flaw lies in the wireless transmission control protocol DSMx, which is used for communication between radio controllers and many remote-control devices, including drones. The researcher created a hardware device that takes advantage of the DSMx protocol flaw and allows him to make the hijacked drone perform a range of movements, including stopping, starting, and steering. The good news is that the hacking device was not made public, but that won’t stop hackers from attempting to make their own similar gadget to take control of drones from unsuspecting users.

It’s not uncommon for hackers to prey on the latest popular Internet connected devices. Millions of IoT devices will be purchased this holiday season, and consumers will be well served to do their homework. You don’t need to become an expert, but reading the user’s manual before connecting a device to the Internet is a good practice to make sure the gadget is set up properly. Make sure to also keep the device’s firmware up to date, downloading any manufacturer updates to fix newly discovered vulnerabilities. If you’re purchasing an IoT device as a gift, research it first for known vulnerabilities so you don’t get caught giving a gift that turns out to be a security risk. It only takes one hacked device connected to your home’s Wi-Fi to allow personal data to be stolen, devices to be hijacked, or your connected gadgets to become part of a botnet of infected systems that hackers use to launch attacks on other home and business systems.

The Cyber Threat Alliance Steps Up to Boost Protection

With each new cyber threat report, we learn about the increasing volume of new, complex threats appearing across a myriad of server systems, networking equipment, personal computing platforms, and IoT devices. We also read about the real-world challenges that information security professionals face when attempting to identify, scope, and prioritize security events generated by their security systems.

In some environments, this volume can be measured in the millions or tens of millions of events per day. Security practitioners need help identifying the under-the-radar, high-risk incident and breach events from the huge volume of legitimate but less critical security events, and they need help automating and coordinating their security protection actions across multiple technologies and vendors so they can decrease the time to protect.

Enter the Cyber Threat Alliance. The CTA has grown from a research collaboration between McAfee, Palo Alto Networks, Symantec, and Fortinet into a newly incorporated “not for profit” organization that combines the threat intelligence capabilities of some of the top companies in the cybersecurity industry to tackle the problem of isolated knowledge, which limits each company’s ability to protect its customers as quickly as possible. Also announced this week is the addition of Cisco and Check Point as founding members.

CTA member executives Chris Young, Senior VP and General Manager, McAfee, Intel Corporation; Michael Daniel, president, Cyber Threat Alliance; Mark McLaughlin, chairman and CEO, Palo Alto Networks; Amnon Bar-Lev, President, Check Point; Marty Roesch, Chief Architect, Cisco Security; Greg Clark, CEO Symantec; Ken Xie, founder, chairman of the board and CEO, Fortinet.

The CTA is focused on tackling the problem of fractured intelligence in the cybersecurity market, and so the organization has created a dynamic real-time trust exchange for threat indicator sharing, validation, and monitoring. Gathering, contextualizing, and sharing knowledge among CTA members using this automated exchange will enable us to protect customers in real time and prioritize resources based on collective knowledge.

At McAfee, we believe in the power of together—the power of sharing intelligence to strengthen critical infrastructure and protect our customers. We are very excited about the potential for the Cyber Threat Alliance. To learn more, visit To learn more about threat intelligence sharing and McAfee’s part in that effort, visit If you are part of the security vendor community and want to learn more about becoming a member of the CTA.

Android Click-Fraud Apps Briefly Return to Google Play


The McAfee Mobile Malware Research Team recently found on Google Play a group of Android/Clickers published by the developer “TubeMate 2.2.9 SnapTube YouTube Downloader J.” Five apps were updated on Google Play on August 4 and were removed a few days later, along with the developer profile.


By checking “” on Google Play we saw something suspicious in this application: a nonsense name, no description, and poor reviews. Of course, those traits do not guarantee an app is malicious, but this lineup should serve as a warning for Android users looking for new apps.

Analyzing and reverse engineering this sample shows us a DeviceAdminReceiver class that connects to a hardcoded URL to obtain parameters that indicate how and where to perform click-fraud activities:

This function is part of a service initiated by a receiver related to DeviceAdmin.

Once the URL is requested, the control server returns an HTML page with the parameters in an uncommon way—inside the title tag, as we see in the following:

All the parameters are in one line, but the malware interprets them using the string “eindoejy” to separate them, obtaining the target URL, JavaScript functions to perform clicks, HTTP headers used in the fraudulent HTTP request, and another Google Play package to monetize the clicks in the abused ad network. We thought that string “eindoejy” could be an anagram of “I enjoyed” or “die enjoy,” but we found other variants in which the word used to split the parameters is different.
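
The title-tag configuration described above is easy to pull out of captured control-server traffic for triage. The following is an added example, not code from the McAfee write-up or the malware: it extracts the `<title>` text, splits it on the delimiter (parameterised, since other variants use a different word), and maps the four fields in the order the write-up lists them. The sample response, its URL, JavaScript name, header and package name are constructed placeholders.

```python
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Optional

# Separator observed in this variant. Other variants use a different word,
# so callers can pass their own.
DEFAULT_DELIMITER = "eindoejy"


class _TitleExtractor(HTMLParser):
    """Collects the text content of the first <title> element."""

    def __init__(self) -> None:
        super().__init__()
        self._in_title = False
        self._buf = []
        self.title: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        if tag == "title" and self.title is None:
            self._in_title = True

    def handle_data(self, data):
        if self._in_title:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "title" and self._in_title:
            self._in_title = False
            self.title = "".join(self._buf)


@dataclass
class ClickerConfig:
    """The four delimited fields, in the order the write-up lists them."""
    target_url: str         # page the fraudulent clicks are sent to
    click_js: str           # JavaScript the malware runs to perform the clicks
    http_headers: str       # headers used in the fraudulent HTTP request
    monetized_package: str  # Google Play package credited in the abused ad network


def parse_clicker_config(html: str, delimiter: str = DEFAULT_DELIMITER) -> ClickerConfig:
    """Extract the delimited configuration from a control-server HTML response."""
    extractor = _TitleExtractor()
    extractor.feed(html)
    extractor.close()
    if extractor.title is None:
        raise ValueError("response has no <title> element")
    fields = extractor.title.split(delimiter)
    if len(fields) != 4:
        raise ValueError(f"expected 4 delimited fields, found {len(fields)}")
    return ClickerConfig(*(f.strip() for f in fields))


def is_clicker_response(html: str, delimiter: str = DEFAULT_DELIMITER) -> bool:
    """Triage helper for captured traffic: True when the title parses as a 4-field config."""
    try:
        parse_clicker_config(html, delimiter)
        return True
    except ValueError:
        return False


# Constructed response; the URL, JavaScript name, header and package are placeholders.
SAMPLE_RESPONSE = (
    "<html><head><title>"
    "http://ads.example.invalid/landing" + DEFAULT_DELIMITER
    + "js_click_placeholder()" + DEFAULT_DELIMITER
    + "User-Agent: Mozilla/5.0 (Linux; Android 7.0)" + DEFAULT_DELIMITER
    + "com.example.placeholder.app"
    "</title></head><body></body></html>"
)

if __name__ == "__main__":
    cfg = parse_clicker_config(SAMPLE_RESPONSE)
    print("target URL    :", cfg.target_url)
    print("click script  :", cfg.click_js)
    print("HTTP headers  :", cfg.http_headers)
    print("monetized app :", cfg.monetized_package)
```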

Once installed, Android/Clicker.BN adds an icon to the main menu that is not related to the downloaded app from Google Play. The new icon appears to be a system utility. Some examples of the icons loaded by the malware:

When Android/Clicker.BN executes, it requests device administration privileges:

Some of the apps can access YouTube inside a Web View and list trending channels, others lock and blacken the screen, and others crash the UI while in the background running click fraud—which not only harms advertisers and publishers, but also generates malicious traffic on infected devices, impacts battery and overall usage performance, and opens the door to new malicious payloads.

McAfee Mobile Security detects this threat as Android/Clicker.BN!Gen and prevents its execution. To further protect yourself against malicious apps, use only legitimate app stores, and pay attention to suspicious traits such as nonsense names, missing descriptions, and poor reviews. Also verify that the app’s requests for permissions are related to its functionality. Be wary when apps request device administration API access, which is usually requested only by security apps, antimalware, mobile device management, or corporate email clients. Most apps and games will never ask for device admin rights.

Emotet Downloader Trojan Returns in Force

During the past couple of days, we have seen an increase in activity from Emotet. This Trojan downloader spreads via emails that lure victims into downloading a Word document; the document contains macros that, once executed, use PowerShell to download a malicious payload.

We have observed Emotet downloading a variety of payloads, including ransomware, Dridex, Trickbot, Pinkslipbot, and other banking Trojans.

During a wave of attacks in early December we discovered a campaign spreading the ransomware family HydraCrypt. The sample we received had a compilation date of December 5.

The initial Word documents were downloaded from a number of URLs; some examples follow:

  • hxxp://URL/DOC/Invoice/
  • hxxp://URL/scan/New-invoice-[Number]/
  • hxxp://URL/scan/New-invoice-[Number]/
  • hxxp://URL/LLC/New-invoice-[Number]/

The document topics are crafted to entice users to open them because they appear to concern the recipient’s finances or official documentation:

  • Invoice
  • Paypal
  • Rechnung (with or without a number)
  • Dokumente vom Notar

The documents have typical characteristics used by Emotet attackers. When a user opens the document, it claims the file is protected and asks the victim to enable the content, which launches the code hidden in the macros.

In analyzing the macros, we see heavily obfuscated code to make detection difficult and cover up the real purpose of the document:

The macro code uses a mix of command-shell, wmic, and PowerShell commands to copy itself to disk, create a service, and contact its control server for a download URL.

Emotet collects information about the victim’s computer, for example running processes, and sends encrypted data to the control server using a POST request:

The specific user-agent strings used in these requests:

  • Mozilla/4.0(compatible;MSIE7.0;WindowsNT6.1;Trident/4.0;SLCC2;.NETCLR2.0.50727;
  • Mozilla/5.0(WindowsNT6.1;WOW64 ; rv:39.0)Gecko/20100101 Firefox/38.0
  • Mozilla/5.0

The payload samples are downloaded to %Windir%\System32 using a random name, either in GUID format or a five-digit random name.

The control servers and URLs hosting the malicious documents are covered by McAfee Global Threat Intelligence, which also provides coverage for the detected samples. The McAfee Advanced Threat Research team proactively monitors new developments regarding Emotet.

The new variants of Emotet are detected by McAfee DAT files as Emotet-FEJ!<Partial Hash> since December 3. Real Protection technology within McAfee Endpoint Security Adaptive Threat Protection provides zero-day detection of these new variants as Real Protect-SS!<Partial Hash>.

Cerber Ransomware Evades Detection With Many Components

Cerber is a quickly evolving type of malware called crypto-ransomware. Cerber encrypts files on an infected computer and demands a ransom to restore them. (Read more about Cerber in this post.)

Cerber ransomware first appeared in early 2016 and remains hard to detect. It uses multicomponent behavior (installing several malicious files on the victim’s machine) that shows similarities to families such as Gamarue. Recent variants have added a loader component that appears to be designed to evade detection.

Cerber infects systems via social engineering tricks such as spam email with malicious links or documents, malvertising campaigns, and exploits of vulnerable websites, and it takes advantage of exploit kits such as Angler, Nuclear, and others. Recently we have seen self-extracting archives.

Cerber’s infection path.

The SFX archive contains three files: a VBS script, a DLL, and an X component. The SFX file runs the VBS script using wscript.exe. The script executes a DLL export function through rundll32.exe, which further decrypts and executes the encrypted X component. The last component checks for reverse-engineering environments and injects the loader component into Regasm.exe, Csc.exe, or WerFault.exe.

The extracted archive:

The opening script, N3W7MN.VBS, has the following command:

The X component is fully encrypted and looks like this:

This DLL loads the first encrypted part (see next image) of the X component into memory; a second part looks for anti-reversing techniques. The first encrypted component:

This component does the following:

  • Checks for antimalware engines.
  • Checks whether Wireshark, a virtual machine, or VirtualBox (VBox) is running.
  • Adds the content of the VBS file to a run entry and runs it once. The run entry places the VBS script in the startup sequence so that it executes at every reboot.
  • Adds an entry to the task scheduler to persist on the system for a long time. Tasks are by default stored in %WinDir%\Tasks or %WinDir%\System32\Tasks.
  • Decrypts the second component (see next image) from the X component and injects it into Regasm.exe or WerFault.exe to hide itself.

The decrypted second component checks for the .Net framework. If found, the malware checks the available version and injects code into it. If .Net is not found, it injects code into WerFault.exe. In this way, Cerber is effective against 32-bit and 64-bit machines:
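
The infection path described above (SFX drops a VBS script, wscript.exe runs it, rundll32.exe loads the DLL, and the decrypted loader ends up inside Regasm.exe, Csc.exe or WerFault.exe) is a process lineage a defender can hunt for in endpoint telemetry. The following is an added example, not code from the McAfee write-up: a rule over process-creation events that reports every wscript.exe -> rundll32.exe -> injection-target chain. The event records are constructed; the DLL path and export name are placeholders, since the page does not give them.

```python
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List

# Processes the write-up names as injection targets for the loader component.
INJECTION_TARGETS = {"regasm.exe", "csc.exe", "werfault.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record as an EDR or Sysmon-style sensor would log it."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class CerberChain:
    wscript_pid: int
    rundll32_pid: int
    target_pids: List[int]
    vbs_cmdline: str  # the wscript command line, which names the dropped script


def _image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def find_cerber_chains(events: List[ProcessEvent]) -> List[CerberChain]:
    """Return every wscript.exe -> rundll32.exe -> {Regasm,Csc,WerFault}.exe chain.

    Injection is inferred from the child process: a loader that starts its target
    and writes into it shows up here as rundll32.exe spawning the target. Injection
    into an already-running process needs a memory-write sensor and is not covered.
    """
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}
    children: Dict[int, List[ProcessEvent]] = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    chains: List[CerberChain] = []
    for e in events:
        if _image_name(e.image) != "rundll32.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or _image_name(parent.image) != "wscript.exe":
            continue
        targets = [c.pid for c in children[e.pid] if _image_name(c.image) in INJECTION_TARGETS]
        if targets:
            chains.append(CerberChain(parent.pid, e.pid, sorted(targets), parent.cmdline))
    return chains


# Constructed telemetry: an SFX drop followed by the chain, plus a benign logon script.
SAMPLE_EVENTS = [
    ProcessEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(1200, 400, r"C:\Users\jdoe\Downloads\invoice.exe", "invoice.exe"),  # SFX archive
    ProcessEvent(1300, 1200, r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\jdoe\AppData\Local\Temp\N3W7MN.VBS"'),
    ProcessEvent(1400, 1300, r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\payload.dll,ExportName"),  # placeholders
    ProcessEvent(1500, 1400, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "RegAsm.exe"),
    ProcessEvent(2000, 400, r"C:\Windows\System32\wscript.exe", "wscript.exe logon.vbs"),
    ProcessEvent(2100, 2000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c net use"),
]

if __name__ == "__main__":
    for chain in find_cerber_chains(SAMPLE_EVENTS):
        print(f"Cerber-like chain: wscript {chain.wscript_pid} -> rundll32 "
              f"{chain.rundll32_pid} -> target(s) {chain.target_pids}")
        print("  script command:", chain.vbs_cmdline)
```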

The injected component has some interesting methods to bypass User Account Control (UAC), a feature that prevents unauthorized changes to a computer. Via notification, UAC ensures that these changes are made only with the permission of the administrator. If a standard user account is in the local admin group, the damage is limited: installing services, writing to secure locations, etc. are denied. To make these changes, users would need to interact with the desktop, for example by right-clicking and choosing Run as administrator, or by accepting the UAC elevation prompt. There are a number of ways to bypass UAC; one of them follows:

In the preceding code, the value of “pszname” is “elevation:Administrator!new:{guid}”, the COM elevation moniker.


Cerber uses several key techniques:

  • Multiple components to perform its tasks.
  • Several anti-debugging and anti-emulation techniques.
  • A UAC bypass to gain elevated access.

Cerber uses these techniques to try to evade machine learning defenses. Defenders cannot rely on static machine learning; the security industry must adapt with dynamic machine learning or consider multiple technologies to proactively protect systems.

McAfee advises users to always keep their antimalware signatures up to date. McAfee products detect all versions of this malware as Ransom-Cerber!, with DAT Versions 8489 and later.

Hashes used in this analysis:

  • 352f1ac1407a551e42c270a8d381ed7c2d74718356cee3c2206bb4836ea6349f: SFX
  • 4d66976a9c20c859d44ea0df2d3325d35ed4556d83d5251384dbd4b790537d11: DLL

Source: Blog

Ransomware Variant XTBL Another Example of Popular Malware


We have seen a huge increase in ransomware during the past couple of years. At McAfee Labs we have recently received a sample of the low-profile XTBL, a ransomware family that encrypts files and demands a ransom from its victims to decrypt them. Like other ransomware variants, XTBL propagates through a wide range of spam campaigns. Attackers have used various social engineering tricks to distribute these samples disguised as document files (.pdf, .doc, .xls, etc.) via a double-extension trick that lures users into opening the file.

A sample spam email may look like this:


We analyzed XTBL and found it does the following:

  • Encrypts and deletes all user files including executables.
  • Deletes all backup copies.
  • Drops copies of itself so that it can run again.
  • Demands ransom.

After its activity, XTBL sets the wallpaper as shown below:



In our static analysis of the malware sample, we found that it holds some encrypted data in its overlay. Upon execution, it decrypts this data into an executable and injects it into a child process of itself.


This injected component carries out the rest of the infection. It decrypts all the configuration information it needs, which contains:

  • RSA key size (first 4-byte group).
  • RSA key (following the key size).


  • RSA exponent:


  • Mail ID, where all information is sent:


  • “Magic” number used:
    • 006VGL (6 bytes). We have observed that each variant uses a different magic number, though the pattern remains the same, for example 00{number}[A-Z]{3}.
  • Name of mutex created:
    • Global\snc_(unknown)
  • Path to exclude from encryption:
    • %windir%
  • Files to exclude from encryption:
    • Svchost.exe
    • Explorer.exe
    • Boot.ini
  • Name of dropped components:
    • How to decrypt your files.txt.
    • DECRYPT.jpg
    • %desktop%\Log.txt
  • For persistence, the malware drops a copy of itself in %windir% and %appdata% and creates a Run entry under:
    • Software\Microsoft\Windows\CurrentVersion\Run

It also sends 159 bytes of data to the host:


This data contains the victim’s computer name, globally unique identifier, user ID, and magic number:


This injected file creates a separate thread for each drive. Each of these threads creates a further four threads, responsible for:

  • Traversing directories
  • Renaming files
  • Encrypting files
  • Deleting the original files

This ransomware family opens files with the CreateFileW API with sharing disabled (exclusive access) as an anti-debugging technique.


We found several steps for encrypting files.

Key generation

Twenty bytes of space are allocated for the key, which is generated from two sources, _ftime64() and rand(), as shown:


The key is generated:

  • Dword_42C0A4 = Dword_42C0A4 ^ (1000*ms)
  • Dword_42C0A8 = Dword_42C0A4 ^ ((1000*ms) | data)
  • Dword_42C0AC = Dword_42C0A8 ^ rand()
  • Dword_42C0B0 = Dword_42C0B0 ^ 0 (i.e., 0)

The key may look like this:


The ransomware computes the MD5 hash of the 20-byte generated key to get 16 bytes of data.


These 16 bytes are used as the RC4 key to encrypt the generated key.

To summarize, the key is generated using the following pseudocode:

  • Data = ([epoch]) ([ms*1000]) ([rand()]) ([0000]), the four fields concatenated
  • Key = RC4(md5(Data), Data)

The key is then encrypted using the RSA key from the configuration information.
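The pseudocode above, turned into running Python as an added example for analysts checking their reading of the sample (this is not McAfee's code). The field widths are assumptions the post does not state: an 8-byte epoch from _ftime64(), then 4 bytes each for ms*1000, rand() and the zero group, giving the 20 bytes mentioned earlier. The point it makes: because the RC4 key is derived from Data itself, the RC4 step adds no secrecy, and the key is fully determined by the infection time and one rand() output.

```python
# Added example (not McAfee's code) that turns the key-generation pseudocode above
# into running Python. Field widths are assumptions: 8-byte epoch from _ftime64(),
# then 4 bytes each for ms*1000, rand() and the zero group, totalling 20 bytes.
import hashlib
import math
import struct

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). The sample applies it to its own key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xtbl_key_material(epoch: int, millitm: int, rand_value: int) -> bytes:
    """Data = [epoch] [ms*1000] [rand()] [0000], packed little-endian (assumed)."""
    if not (0 <= millitm < 1000 and 0 <= rand_value <= 0x7FFF):  # MSVC rand() is 0..32767
        raise ValueError("millitm must be 0..999 and rand_value 0..32767")
    return struct.pack("<qIII", epoch, millitm * 1000, rand_value, 0)

def xtbl_file_key(epoch: int, millitm: int, rand_value: int) -> bytes:
    """Key = RC4(md5(Data), Data). The RC4 key comes from Data itself, so the
    result is a deterministic function of the three inputs and nothing else."""
    data = xtbl_key_material(epoch, millitm, rand_value)
    return rc4(hashlib.md5(data).digest(), data)

def input_entropy_bits() -> float:
    """Combined range of the two sub-second inputs (1000 ms values x 32768 rand()
    outputs): what is left unknown once the epoch second has been established."""
    return math.log2(1000 * 0x8000)
```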


File encryption

Files are encrypted using the AES256 algorithm.


Original files are deleted after encryption, and encrypted files are renamed as follows:

  • Filename.ID{Id}.mail_address.XTBL


Each of the encrypted files is appended with data that holds some important fields:

  • Encrypted filename
  • Magic number (6 bytes)
  • Randomly generated initialization vector for each file (10 bytes)
  • Padding (10 bytes)
  • RSA block (80 bytes)
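A parser for the per-file trailer just described, together with a check for the Filename.ID{Id}.mail_address.XTBL rename pattern, added here as a forensic triage example (not McAfee's code). Field widths and the magic pattern come from the post; the sample bytes and filenames are constructed, and the length of the encrypted original filename is not given in the post, so that field is left unsplit.

```python
# Added triage example (not McAfee's code) for the XTBL trailer and rename pattern.
import re

MAGIC_RE = re.compile(rb"^00[0-9][A-Z]{3}$")   # the 00{number}[A-Z]{3} pattern
NAME_RE = re.compile(r"^(?P<orig>.+?)\.ID(?P<id>[^.]+)\.(?P<mail>\S+?)\.XTBL$", re.I)
MAGIC_LEN, IV_LEN, PAD_LEN, RSA_LEN = 6, 10, 10, 80
FIXED_TRAILER = MAGIC_LEN + IV_LEN + PAD_LEN + RSA_LEN   # 106 bytes

def parse_trailer(blob: bytes):
    """Split off the fixed-width trailer fields. The encrypted original filename
    sits just before the magic, but its length is not documented, so it stays
    inside 'head' together with the ciphertext."""
    if len(blob) < FIXED_TRAILER:
        return None
    head, tail = blob[:-FIXED_TRAILER], blob[-FIXED_TRAILER:]
    return {
        "head": head,
        "magic": tail[:MAGIC_LEN],
        "iv": tail[MAGIC_LEN:MAGIC_LEN + IV_LEN],
        "padding": tail[MAGIC_LEN + IV_LEN:MAGIC_LEN + IV_LEN + PAD_LEN],
        "rsa_block": tail[-RSA_LEN:],
    }

def looks_like_xtbl(blob: bytes) -> bool:
    """True when the trailer's magic matches the variant pattern."""
    t = parse_trailer(blob)
    return t is not None and MAGIC_RE.match(t["magic"]) is not None

def parse_xtbl_name(name: str):
    """Recover the original name, victim ID and contact address from the rename."""
    m = NAME_RE.match(name)
    return m.groupdict() if m else None

def group_by_magic(files):
    """Map magic -> list of paths; files from the same variant share one magic."""
    groups = {}
    for path, blob in files:
        t = parse_trailer(blob)
        if t and MAGIC_RE.match(t["magic"]):
            groups.setdefault(t["magic"].decode(), []).append(path)
    return groups

# Constructed sample: ciphertext, encrypted name, then the 106-byte trailer
# (magic 006VGL from the post, constructed IV, zero padding, constructed RSA block).
SAMPLE_BLOB = (b"\x9a" * 64 + b"\x5c" * 12 + b"006VGL" + b"\x11" * 10
               + b"\x00" * 10 + b"\x7e" * 80)
```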


List of Domains


How to prevent this infection

We advise all users to be careful when opening unsolicited emails and clicking unknown links. We strongly advise all users to block the preceding domain names.

McAfee products detect these XTBL variants as Ransom-XTBL-FUL!<partial-md5> and Ransom-XTBL-FUM!<partial-md5>.

Source: Blog