At least 20 Million Chrome users have installed malicious Ad Blockers from Chrome store

At least 20 Million Chrome users have installed malicious Ad Blockers from Chrome store

A security researcher has discovered five malicious Ad Blockers extensions in the Google Chrome Store that had been installed by at least by 20 million users.

The security researcher Andrey Meshkov, co-founder of Adguard, has discovered five malicious Ad Blockers extensions in the Google Chrome Store that had been installed by at least by 20 million users.

The fake Ad blockers are

  • AdRemover for Google Chrome™ (10 million+ users)
  • uBlock Plus (8 million+ users)
  • [Fake] Adblock Pro (2 million+ users)
  • HD for YouTube™ (400,000+ users)
  • Webutation (30,000+ users)

The five extensions are clone versions of well-known Ad Blockers, searching for Ad Blockers in Google Chrome Store we can notice that crooks used popular keywords in the extension description in the attempt to display them in the top search results.

t’s been a while since different “authors” started spamming Chrome WebStore with lazy clones of popular ad blockers (with a few lines of their code on top of them).” wrote Meshkov.

“Just look at the search results. All the extensions I’ve highlighted are simple rip-offs with a few lines of code and some analytics code added by the “authors”. Instead of using tricky names they now spam keywords in the extension description trying to make to the top search results.”

malicious ad blockers

The analysis of the code of the Ad Blockers revealed that the developers just added a few lines of code and some analytics code to the code of the legitimate extension.

Meshkov reported his discovery to Google that immediately removed all from the Chrome Store.

The malicious code includes a modified version of jQuery library that hides the code to load the coupons.txt a strange image from a third-party domain http://www[.]hanstrackr[.]com.

The jQuery library includes a script that is able to send information about some websites visited by the users back to a remote server.

“This hidden script was listening to every request made by your browser and compared md5(url + “%Ujy%BNY0O”) with the list of signatures loaded from coupons.txt. When the said signature was hit, it loaded an iframe from the domain passing information about the visited page, and then re-initialized the extension.” continues the expert.

The expert noticed that the default image/script does nothing malicious, but it can be changed at any time to perform malicious activity. It is executed in the privileged context (extension’s background page), in this way it has full control of the browser.

The remote server sends commands to the malicious extension, which are executed in the extension ‘background page’ and can change your browser’s behavior in any way.

“Basically, this is a botnet composed of browsers infected with the fake Adblock extensions,” Meshkov added. “The browser will do whatever the command center server owner orders it to do.”

Meshkov has scanned other extensions on the Chrome WebStore and found four more extensions developed with a very same approach.

Be careful of what you install, install only necessary extensions from trusted developers and company.



Security experts at CSE CybSec ZLab malware Lab have conducted an interesting analysis of the principal Ransomware-as-a-Service platforms available on the dark web.

Over the years, the diffusion of has created new illegal business models. Along with classic illegal goods such as drugs and payment card data, other services appeared in the criminal underground, including hacking services and malware development. New platforms allow crooks without any technical skills to create their own ransomware and spread it.

Ransomware is malicious code that infects the victims’ machines and blocks or encrypts their files, requesting the payment of a ransom. When ransomware is installed on a victim machine, it searches for and targets sensitive files and data, including financial data, databases and personal files. Ransomware is developed to make the victim’ machine unusable. The user has only two options: pay the ransom without having the guarantee of getting back the original files or format the PC disconnecting it from the Internet.


The rise of the RaaS business model is giving wannabe criminals an effortless way to launch a cyber-extortion campaign without having technical expertise, and it is the cause of flooding the market with new ransomware strains.

Ransomware-as-a-Service is a profitable model for both malware sellers and their customers. Malware sellers, using this approach, can acquire new infection vectors and could potentially reach new victims that they are not able to reach through a conventional approach, such as email spamming or compromised website. RaaS customers can easily obtain ransomware via Ransomware-as-a-Service portals, just by configuring a few features and distributing the malware to unwitting victims.


Naturally, RaaS platforms cannot be found on the Clearnet, so they are hidden into the dark side of the Internet, the Dark Web.

Surfing the dark web through unconventional search engines, you can find several websites that offer RaaS. Each one provides different features for their ransomware allowing users to select the file extensions considered by the encrypting phase; the ransom demanded to the victim and other technical functionality that the malware will implement.

Furthermore, beyond the usage of Ransomware-as-a-Service platforms, the purchase of custom malicious software can be made through crime forums or websites where one can hire a hacker for the creation of one’s personal malware. Historically, this commerce has always existed, but it was specialized into cyber-attacks, such as espionage, hack of accounts and website defacement. Only when hackers understood it could be profitable, they started to provide this specific service.

Security experts at CSE CybSec ZLab malware Lab have conducted an interesting analysis of the principal Ransomware-as-a-Service platforms available on the dark web, including

  • RaaSberry
  • Ranion
  • EarthRansomware
  • Redfox ransomware
  • Createyourownransomware
  • Datakeeper

Technical details of the above services are reported in the report titled:


Enjoy it!

KevDroid Android RAT can steal private data and record phone calls

KevDroid Android RAT can steal private data and record phone calls

Security researchers discovered a new Android Remote Access Trojan (RAT) dubbed KevDroid that can steal private data and record phone calls.

Security researchers at South Korean cybersecurity firm ESTsecurity have discovered a new strain of Android Trojan KevDroid that is being distributed disguised as a fake anti-virus application, dubbed “Naver Defender.”

“Spear phishing attacks targeting Android mobile devices have recently emerged.  Portal site Naver sends emails related to personal information leakage prevention to induce malicious apps to be installed.” reads the analysis published by ESTsecurity.

“This malicious app impersonates Naver with the Naver logo and the app name “Naver Defender” and takes away sensitive information such as address book, call log, and text messages.”

KevDroid is a remote administration tool (RAT) designed to steal sensitive information from compromised Android devices and spy on its owners by recording phone calls.

After the initial discovery made by cybersecurity firm ESTsecurity, experts at Talos published a detailed analysis of two variants of RAT detected in the wild.


“Talos identified two variants of the Android Remote Administration Tool (RAT). Both samples have the same capabilities — namely to steal information on the compromised device (such as contacts, SMS and phone history) and record the victim’s phone calls.” reads the analysis published by Talos.

One of the variants exploits a known Android exploit (CVE-2015-3636) to get root access on the compromised device, this variant was dubbed KevDroid. Both variants sent data to the same command and control (C2) server through an HTTP POST.

Talos experts explained that the malicious code implemented the feature to record calls based on an open-source project available on GitHub.

The investigation about the infection vector revealed that attackers used a RTF file attempting to exploit the CVE-2017-11882 vulnerability in Office using an embedded Microsoft Equation object.

The bait document used by hackers is written in Korean and contains information on Bitcoin and China.

The second RAT is targeting Windows systems it specifically uses the PubNub platform as its C2 server. PubNub is a global data stream network (DSN). This malware uses the PubNub API in order to publish orders to the compromised systems, expert dubbed it “PubNubRAT.”

The most recent variant of KevDroid malware, detected a few weeks ago, implements the following capabilities:

  • record phone calls & audio
  • steal web history and files
  • gain root access
  • steal call logs, SMS, emails
  • collect device’ location at every 10 seconds
  • collect a list of installed applications
“If an adversary were successful in obtaining some of the information KevDroid is capable of collecting, it could result in a multitude of issues for the victim.” continues Talos. “Many users access their corporate email via mobile devices. This could result in cyber espionage being a potential outcome for KevDroid.”

South Korean media associated the KevDroid RAT with North Korea APT Group 123.

“We do not have a strong link between the two malware samples and Group 123. The TTP overlaps are tenuous — using public cloud infrastructure as a C2 server is something other malware has used before as a technique, not just Group 123. Additionally, the C2 server is hosted in Korea, and this malware has been known to target Korean users. However, this information cannot lead us to a strong link,” Talos concluded.
The analysis published by Talos also included indicators of compromise (IoCs).
HiddenMiner Android Cryptocurrency miner can brick your device

HiddenMiner Android Cryptocurrency miner can brick your device

Researchers at Trend Micro recently discovered a new strain of Android miner dubbed ANDROIDOS HIDDENMINER that can brick infected devices

Crooks are looking with increasing interest cryptocurrency mining malware developed for mobile devices.

Researchers at Trend Micro recently discovered a new strain of Android malware dubbed ANDROIDOS HIDDENMINER that abuse device CPU to mine Monero cryptocurrency.

HiddenMiner also implements evasion techniques, it is able to bypass automated analysis by checking if it’s running in a virtualized environment by abusing an Android emulator detector found on Github.

“We uncovered a new Android malware that can surreptitiously use the infected device’s computing power to mine Monero. Trend Micro detects this as ANDROIDOS_HIDDENMINER.” reads the analysis published by Trend Micro.

“This Monero-mining Android app’s self-protection and persistence mechanisms include hiding itself from the unwitting user and abusing the Device Administrator feature (a technique typically seen in SLockerAndroid ransomware).”

The experts were able to find the Monero mining pools and wallets connected to the HiddenMiner malware, they learned that one of its operators withdrew 26 XMR (or US$5,360 as of March 26, 2018) from one of the wallets. This information suggests that the operators are currently active.

hiddenminer wallet activities

HiddenMiner abuse the device’s CPU power to mine Monero, unfortunately, the computational effort is so important that the CPU can overheat causing the device to lock, fail, and be permanently damaged.

“There is no switch, controller or optimizer in HiddenMiner’s code, which means it will continuously mine Monero until the device’s resources are exhausted.” continues the analysis.

“Given HiddenMiner’s nature, it could cause the affected device to overheat and potentially fail.”

This behavior was already observed in the past, the Loapi Monero-mining malware caused a device’s battery to bloat.

HiddenMiner, like Loapi, uses to lock the device screen after revoking device administration permissions.

The ANDROIDOS HIDDENMINER is currently being delivered through a fake Google Play update app, experts found it on third-party app marketplaces.

The miner is mainly affecting users in India and China, but experts fear it could rapidly target other countries.

Malware developers are abusing Device Administration Permission, experts pointed out that users can’t uninstall an active system admin package until device administrator privileges are removed first.

Victims of the HiddenMiner’s cannot remove the miner from device administrator as it employs a trick to lock the device’s screen when a user wants to deactivate its device administrator privileges. Experts explained that it exploits a vulnerability found in Android operating systems except for Nougat and later versions.

“Indeed, HiddenMiner is yet another example of how cybercriminals are riding the cryptocurrency mining wave.” concluded Trend Micro. “For users and businesses, this reinforces the importance of practicing mobile security hygiene: download only from official app marketplaces, regularly update the device’s OS (or ask the original equipment manufacturer for their availability), and be more prudent with the permissions you grant to applications.”

MITRE is evaluaMITRE is evaluating a service dubbed ATT&CK for APT detectionting a service dubbed ATT&CK for APT detection

MITRE is evaluaMITRE is evaluating a service dubbed ATT&CK for APT detectionting a service dubbed ATT&CK for APT detection

MITRE is evaluating a new service dubbed ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) for APT detection.

MITRE is going to offer a new service dubbed ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) to evaluate products based on their ability in detecting advanced persistent threats.

“MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target.” reads the MITRE’s official page. “ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.”


The MITRE ATT&CK service will evaluate endpoint detection and response products for their ability to detect advanced threats.

“There are a lot of products on the market that try to detect adversary behavior, and we’re trying to figure out what they can do,” says Frank Duff, principle cybersecurity engineer at MITRE.

Duff explained MITRE will adopt a transparent methodology and knowledge base that will make easy to interpret results obtained with its service.

In my opinion, sharing information about attackers’ TTPs is essential and such kind of initiative is very important for cyber security community.

Jessica Payne from Microsoft Windows Defender praised the MITRE ATT&CK service.

The knowledge base was initially collected as a tool to allow red team members to communicate more easily with blue team members and corporate executives, it comes from publicly available sources.

“ATT&CK provides a common framework for evaluating post-breach capabilities,” said Duff. “We believe that objective and open testing based on ATT&CK will advance capabilities and help drive the entire endpoint detection and response market forward.”

According to Duff, internal MITRE information doesn’t contaminate the knowledge base.

In this phase, MITRE intends to evaluate its service and its efficiency, the first case study will be based on APT3/Gothic Panda and will evaluate the ability of products in detecting this threat.

“As part of their participation in MITRE’s impartial cyber evaluation, cybersecurity vendors will be provided clear articulation of their capabilities, as well as access to MITRE’s cyber experts’ feedback for improving their products.” reads the statement published by MITRE. “Details captured will include the ATT&CK technique tested, specific actions the assessors took to execute, and details on the product’s ability to detect the emulated adversary behavior.”

MITRE, for this first round, call for vendors to contribute until April 13, 2018.