Comodo protects five universities from new malware that steals data

Advanced Threat Protection

In the first few weeks of 2018, cybercriminals targeted five universities, 23 private companies and several government organizations. Despite the new, sophisticated types of malware the attackers used, they were unable to penetrate Comodo defenses.

The cybercriminals tried to build a complicated chain to bypass technical security means and deceive human vigilance.

Analysts at Comodo’s Threat Research Labs noted that the hackers did not send the malware via the usual route as an email attachment, but tried to camouflage it in several layers. First, the phishing email was disguised as a message from FedEx. As the screenshot shows, the message utilized cunning social engineering tricks to generate user clicks on the malicious link. Second, the malicious link itself is also well disguised – as a link on Google Drive. These tricks were able to deceive many users.


When a user clicks on the link, the attackers’ site opens in their browser, with malicious file “Lebal copy.exe” to download. Pay special attention to the address bar: as you can see, “secure,” “https” and “” are present there, so even a security vigilant user may not notice anything suspicious and take it for a trustworthy site. Actually, how can anyone know not to trust something with “” in the address bar? But… the reality stings. For many, it’s hard to believe, but skilled cybercriminals use for placing their phishing malware. And this case is not an isolated incident, so Google –as well as many other cloud storage services – definitely should take urgent steps to solve this problem. At minimum, they should provide constant real-time checks for malware. This would help to cut back malicious activity this type.


Also to note, the malicious file is also trickily disguised — as an Adobe Acrobat document. It not only has an icon similar to .pdf files, but even the file’s version information:

Of course, all of the above is deceitful: “Lebal copy” is dangerous malware sought to pull out your secrets.

What exactly can ‘lebal_copy.exe” do to your computer?

Comodo analysts defined the type of the file as Trojan (TrojWare.Win32.Pony.IENG and TrojWare.MSIL.Injector.~SHI, to be precise) – malware created to steal information.

But what kind of information?

Downloaded, the malware finds out the version of OS and applications running on a victim machine. Then it steals private data from the user’s browsers, including cookies and credentials, and looks for information about e-mail and instant messenger clients. It then Pulls out credentials from FTP clients like FileZilla or WinSCP and attempts to locate and access cryptocurrency wallets like Bitcoin or Electrum. In short, it grabs everything it can extract from a victim machine. Finally, it makes a connection with cybercriminals’ command-and-control server and passes all the gathered information to the attackers. It also tries to turn off OS defense means and hide itself from antimalware tools in various sophisticated ways.

As Comodo analysts revealed, this attack, aimed at 30 mail servers, was provided from one IP address and domain from Sao Paolo, Brazil. All 328 phishing emails were sent during one day — Jan. 8.

“Phishing emails become more sophisticated and refined,” commented Fatih Orhan, the head of Comodo Threat Research Labs. “Cybercriminals actively invent new methods to trick users into clicking on a bait link. As we can see from the example above, it is not so easy to distinguish a malicious file or link, even for a cybersecurity aware user. That’s why for ensuring security today, companies need to not only train people for the cybersecurity vigilance skills but use reliable technical protection means as well. Objects of this attack were not impacted. only because they had prepared in advance: by protecting their networks with Comodo intelligence. And that was the right decision, because it’s much easier to prevent an attack than to overcome its consequences.”
Live secure with Comodo!

Technical analysis

File name: Lebal copy.exe

Sample SHA1: e26e12ed8a5944b1dbefa3dbe3e5fc98c264ba49

Date: 11 January 2018

1. Summary

The file is an 814 KB Portable Executable trying to impersonate an Adobe Acrobat document in order to trick the user into running it. For more plausibility, it disguised with the icon of a .pdf file and faked file’s version information:

2. Behavior analysis

After running, it drops tmp.exe (SHA1: 0e9f43124e27fd471df3cf2832487f62eb30e1c) and copies MSBuild.exe
executable from Windows as .exe.


The purpose of copying MSBuild.exe is to run and inject it with the malware own instructions. As it is digitally signed with “Microsoft Corporation” certificate, some security applications might allow its actions, thus letting the malware to get access to the internet and local resources at its will.

After performing the injection, the malware downloads file, moves it to WinNtBackend-1751449698485799.tmp.exe (SHA1: 5245079fe71977c89915f5c00eaa4d1d6c36375c) in the system’s temporary folder and then executes it.

It allows the attacker to provide the malware with continuous updates and new components or installing additional malware on the compromised host.

The main purpose of the malware is to steal sensitive information. It tries to collect the following data:

— private data from web browsers, including cookies and login credentials;

— cryptocurrency wallets like Bitcoin or Electrum;

— credentials from known (s)ftp clients like FileZilla or WinSCP;

— instant messengers accounts;

— email clients accounts (Thunderbird and Outlook):

Collected data is sent to

3. Conclusion

The malware is created to extract as much private information as possible for variety of malicious purposes, for instance:
–stolen email accounts can be used to send spam messages;
–ftp credentials give access to websites to compromise them;
–cryptocurrency accounts can be immediately cashed out.

Any stolen information can be utilized by the cybercriminals if affected users won’t take appropriate counter steps in time.

4. Indicators of compromise

– the presence of .exe file in %temp% folder
– the presence of tmp.exe file in %temp% folder
– the presence of WinNtBackend-2955724792077800.tmp.exe file in %temp% folder

5. Detection

Malware is detected by Comodo products with name TrojWare.Win32.Pony.IENG and TrojWare.MSIL.Injector.~SHI


Related Resources:

Best Antivirus Software

Antivirus Software for PC

Best Malware Removal Tools

Antivirus for Linux (PC)


Website Security for cPanel sites | Remove Malware easily

cPanel Malware Removal

How to Remove Malware on cPanel Websites and Servers

Malware can attack and infect cPanel Websites and Servers. Sophisticated present-day malware is able to slip past website protection software and compromise the websites and hardware to steal sensitive information. In many cases, website administrators and system administrators get to know about the compromise only after the malware has successfully infected and damaged the website and cPanel servers. There are numerous website protection tools that offer cPanel malware removal. And cPanel has in-built security measures to detect malware.

Top cybers security experts state that it is difficult to ensure a 100% secure website. Reasons being the plenty of avenues for a possible breach – vulnerabilities in hardware, or software, user carelessness, weak credentials, and the effectiveness of the web security solution. It would be time well spent to obtain and install a robust website protection solution.

How to Check for Malware on Website

There are numerous tools with the most popular being Google’s Google Safe Browsing Site Status diagnostic tool and Comodo cWatch Web Security Solution with website malware scanner. Google’s Safe Browsing technology continuously examines URLs for unsafe websites. It reports that many legitimate websites do get compromised. Google then displays warnings about dangerous, unsafe websites.

The scanner feature in the cWatch Web Security Solution scans the website and checks for blacklisting, phishing, malware downloads, drive-by-downloads, worms, backdoors, trojans, suspicious iframes, heuristic viruses, suspicious code, suspicious connections, suspicious activity, and for transaction protection. This provides details of infection/compromise in the cPanel websites and servers.

cPanel has numerous inbuilt security features including ModSecurity, Leech Protect, HotLink Protection, brute force protection, and potential spammer notification. These are good tools, however, intrusive malware does penetrate these defenses.

cPanel Malware Removal

Your first mitigation measure on malware detection should be to change ALL the passwords associated with your cPanel Websites and Servers. Follow the recommended password policies regarding – the length of password of more than 8 or 14 characters, a mix of characters, upper case and lower case, special characters, not using dictionary words, and not using the same password for multiple logins.

Manual removal of malware is near impossible. You must employ robust website security solutions such as Comodo cWatch Web Security for removal of malware. While there are many many tools, choose a reputed tool that does serve some purpose. The cWatch solution offers instant malware removal, where cyber security experts at its 24×7 cyber security operations analyze your website and remove all the malware.

Continuous Protection for cPanel Websites and Servers

Now that malware has been removed your website is clean of infection. However, you must now protect your website from further intrusions and malware attacks. An infected website loses reputation, and an episode of compromise will lead to loss of visitors and business. You must ensure the security of your website.

When you choose website security solutions, ensure that they offer – website security as a service, website hack repair, blacklist removal, regular malware scans, vulnerability scans, DDoS protection, bot protection, vulnerability removal, instant malware removal, managed web application firewall, website performance improvement with acceleration, and continuous support. Robust solutions such as the Comodo cWatch Web Security not only remove malware on cPanel Websites and Servers, but provide website protection along with one-of-a-kind SIEM threat detection, and a “caching” real content delivery network.

Comodo cWatch Web

Related Resources:

Best Malware Removal Software

Online Website Vulnerability Scanner

Meltdown and Spectre – Serious Vulnerabilities Which Affect Nearly Every Computer and Device

Meltdown and Spectre

Unless you’ve been living under a rock for the past few days, you’ll have heard that there are a couple of new computer security vulnerabilities that are causing panic in the technology world. But what are Meltdown and Spectre? How serious are they, do they affect you and do you need to do anything? This short post summarizes the information have so far on both flaws and provides an update on Comodo’s progress in patching its systems against them.

Spectre and Meltdown are two security flaws in computer processors which can be exploited to steal passwords and other sensitive user data. The flaws affect virtually all processors made by Intel, AMD and ARM in the past 20 years, meaning Windows PCs, Android and iOS devices and MAC are all vulnerable.

Meltdown affects Intel processors and allows an attacker to read information from application memory at the kernel level. The kernel is the part of an operating system that manages system calls and resources on a system, giving it carte-blanche control over everything on a computer. Because Intel has an 87% share of the processor market, the Meltdown flaw is bad news for pretty much everybody. A successful exploit would give an attacker access to virtually everything on your computer, including passwords, personal information, photos, emails and documents.

So far, researchers have provided only a proof of concept that the attack works if an attacker has access to the local computer. However, although there is no recorded evidence of the flaws being exploited yet, the fact that they are now public means hackers will begin working on real-world attacks. Accordingly, major software and cloud service companies such as Google, Microsoft, Amazon and Apple have rushed to push out updates to fix the exploits.

One snag with Microsoft’s Windows update is that tests have shown it to be incompatible with antivirus products from some 3rd party vendors. Microsoft has decided to not push the update out to users with offending antivirus products, until the vendor has updated their software to remove the incompatibility. Regardless, all users should implement the latest security updates to their systems as a highest priority when it becomes available.

Spectre also affects Intel processors and also those by AMD and ARM, expanding its reach to virtually every device in the world. It is more difficult to for an attacker to exploit but, unfortunately, is also harder to mitigate. Whereas patches have been made widely available for Meltdown, responses to Spectre have been much slower.

Comodo, like all major security vendors, was very concerned to learn of these flaws and immediately set about testing the scope of the impact on our systems:

Comodo Client Security
A vital component of Comodo’s IT and Security Manager platform, Comodo Client Security is the endpoint agent which provides antivirus, firewall and threat containment for Windows and MAC OS devices. It is fully compatible with Microsoft’s latest patch, so our customers should go ahead and deploy the patch as soon as it is available. Microsoft already started distributing patches for Windows 10 devices and we believe other OS versions will follow soon. While Comodo Client Security is not going to be officially vetted by Windows as compatible until our major release planned to be on 27th of Jan, our tests shows no issues that might lead to crash or BSOD on patched devices. We recommend everyone to patch their devices at their convenience. You can use the Patch Management functionality in ITSM to deploy the patches to all managed devices.

Comodo One cloud platform
Comodo One uses Amazon cloud servers to host part of its services. Those servers, like much of the internet, are powered by Intel chips, meaning Amazon must address these flaws in order to protect the data of our enterprise customers. The good news is that Amazon has already implemented patches on its systems and we’re pleased to announce our evaluation of our cloud platform shows no direct issue or risk for our applications. As is usual in situations like this, we are working closely with Amazon to ensure continued security and availability for our customers.

Comodo would like to remind our customers that your security, satisfaction and reliability are of paramount important to us. If you have further questions or need support regarding this issue, please contact us via or +1-973-396-1235 (enterprise) / +1-973-396-1232 (MSP).

Related Resources:

Free Virus Scan

Antivirus Software

7 Website Security Improvement Tips

Advanced Threat Protection

Website Security Tips

Creating websites is pretty easy these days. A task which no longer requires coding skills. Thanks to Content Management Systems (CMS) like WordPress, Joomla, Drupal and others, your business website is just a few clicks away. No doubt many online businesses are benefitting from these CMS(es) as they no longer are required to invest in web development teams. But this process is not without its drawbacks.

The drawback? CMS(es) have given rise to half-baked webmasters who may have trouble securing your business websites when it is targeted by hackers and their security threats.

Website Security Tips 2018

  • Update Your Website Regularly
  • Modify Default CMS Settings
  • Update Extensions As Well
  • Perform Regular Website Backups
  • Provide Sensible User Access
  • Don’t Forget The Passwords!
  • Subscribe To Website Security Software

Therefore in this blog, we take it upon ourselves to enlighten business website owners like you and those half-baked webmasters who may have set up your business website, by offering some website security tips.

1.Update Your Website Regularly: Just like operating systems and software applications, websites (and web applications) too need to be patched regularly to protect them against the emerging security threats. This is usually done through a process called virtual patching (included in cWatch – our website security software) which ensure your websites are strong enough to handle zero-day exploits and other security vulnerabilities your CMS might contain.

2.Modify Default CMS Settings: Resist your urge of taking the easy way out by going ahead with the default CMS settings used while setting up your website. This would be a really stupid thing to do, as it will give the hacking community an easy chance to hack into your websites. So modify them at all costs.To give a simple example, modify the default CMS settings such that the user should seek permission from a higher authority before installing a particular extension (plugin or addon) to the website. This kind of modification to the default settings can improve your website security greatly.

3.Update Extensions As Well: Of course, your business website is going to have extensions (plugins or add-ons). And it’s your job as the website owner or webmaster not to forget to update them as well while updating your website. Because ‘extensions’ are highly favored target amongst the hacking community and literally serves as an entry point for them into your website.

4.Perform Regular Website Backups: Always be prepared for the worst. What will you do if that catastrophic event befalls your business? To save face and get your business back on track, you need to have a proper website backup strategy in place. Think of ways using which you can safely back up your website data.

5.Provide Sensible User Access: Make sure not all website users get the same level of access. Ensure access permissions are granted based on some hierarchical level. For example, never provide guest bloggers access to your entire website. Instead, grant them only the rights which they need. That is, the ability to create (and maybe edit) their posts.

6.Don’t Forget The Passwords! Yes, we know, this sounds like an oft-repeated (and perhaps trivial?) piece of advice. But it is not. Because we often make the gravest mistake of missing out on the simplest things. And setting up strong passwords is one of them. Therefore ensure passwords to your websites are strong. And by strong, we mean the usual mix of alphabets, numbers, symbols, special characters etc.

7.Subscribe To Website Security Software: No matter how careful website owners might be, their business websites will always remain prone to hacking, partly because of the sophisticated attacks hackers employ these days, and partly because of the vulnerable CMS platform they may be built upon. Therefore the only way to truly secure your websites (be it e-commerce or any other form of business website) is by subscribing to the services of website security software like Comodo cWatch.

Why Use Comodo cWatch?

Comodo cWatch comes equipped with an impressive security stack of features which ensure your business websites stay protected against various forms of security threats – be it a zero-day exploit or any other form of vulnerability. Be it Brute Force, DDoS, SQL Injection or any other form of popular website attacks, your website will be easily secured against them.

Moreover, our website security application can also optimize your website’s performance – so that they easily achieve faster speeds and operate successfully 24/7 – with the help of Content Delivery Networks (CDN). Subscribers also get to avail the services of a dedicated Cyber Security Operations Center (CSOC) who can fix your website security related issues within seconds.

So what are you waiting for? Subscribe to Comodo cWatch Now! Comodo cWatch is available in 3 different packs: Pro, Premium, and Enterprise.

website security

Related Resources:

Best Free Online Website Scanner