Learn about Zero Trust Architecture
Impenetrable cybersecurity without sacrificing usability
Gain detailed visibility into all your endpoints activities
Harden applications and hardware environments
Immediate and continuous response to incidents
Close the window of time your data could be exposed
Get your Comodo solutions setup, deployed or optimized
Control access to malicious websites
Defend from any internet based threats
Stop email threats before it enters your inbox
Preserve and protect your sensitive data
Keep your website running fast and malware free
Add encryption to your websites
Automated certificate mgmt. platform
Secure private intranet environments
Digital signature solutions for cloud apps
Encrypt emails for senders and recipients
Stay compliant with PCI DSS
Trusted authentication for IoT devices
Francisco Partners a leading technology-focused private equity fund, has acquired a majority stake in Comodo’s certificate authority business. Newly renamed from Comodo CA Limited to Sectigo Limited. Privacy Policies, Trademarks, Patents and Terms & Conditions are available on Sectigo Limited’s web site.
Meet the people behind the direction for Comodo
Get the latest news about Comodo
People are the key to achievement and prosperity
Stay up to date with our on-demand webinars
Worldwide: Sales, Support and General Inquiries
Schedule a live demonstration of our solutions
Need immediate help? Call 1-888-551-1531
Instantly removes viruses to keep your PC virus free
Experience true mobile security on your mobile apple devices
Secure Internet Browser based on Chrome
Chrome browser internet security extension
Submit a ticket to our support team
Share any product bugs or security flaws
Collaborate with research experts on data sets
Valkyrie Threat Intelligence Plugins
Valkyrie Threat Intelligence APIs
In the first few weeks of 2018, cybercriminals targeted five universities, 23 private companies and several government organizations. Despite the new, sophisticated types of malware the attackers used, they were unable to penetrate Comodo defenses.
The cybercriminals tried to build a complicated chain to bypass technical security means and deceive human vigilance.
Analysts at Comodo’s Threat Research Labs noted that the hackers did not send the malware via the usual route as an email attachment, but tried to camouflage it in several layers. First, the phishing email was disguised as a message from FedEx. As the screenshot shows, the message utilized cunning social engineering tricks to generate user clicks on the malicious link. Second, the malicious link itself is also well disguised – as a link on Google Drive. These tricks were able to deceive many users.
When a user clicks on the link, the attackers’ site opens in their browser, with malicious file “Lebal copy.exe” to download. Pay special attention to the address bar: as you can see, “secure,” “https” and “drive.google.com” are present there, so even a security vigilant user may not notice anything suspicious and take it for a trustworthy site. Actually, how can anyone know not to trust something with “google.com” in the address bar? But… the reality stings. For many, it’s hard to believe, but skilled cybercriminals use drive.google.com for placing their phishing malware. And this case is not an isolated incident, so Google –as well as many other cloud storage services – definitely should take urgent steps to solve this problem. At minimum, they should provide constant real-time checks for malware. This would help to cut back malicious activity this type.
Also to note, the malicious file is also trickily disguised — as an Adobe Acrobat document. It not only has an icon similar to .pdf files, but even the file’s version information:
Of course, all of the above is deceitful: “Lebal copy” is dangerous malware sought to pull out your secrets.
What exactly can ‘lebal_copy.exe” do to your computer?
Comodo analysts defined the type of the file as Trojan (TrojWare.Win32.Pony.IENG and TrojWare.MSIL.Injector.~SHI, to be precise) – malware created to steal information.
But what kind of information?
Downloaded, the malware finds out the version of OS and applications running on a victim machine. Then it steals private data from the user’s browsers, including cookies and credentials, and looks for information about e-mail and instant messenger clients. It then Pulls out credentials from FTP clients like FileZilla or WinSCP and attempts to locate and access cryptocurrency wallets like Bitcoin or Electrum. In short, it grabs everything it can extract from a victim machine. Finally, it makes a connection with cybercriminals’ command-and-control server and passes all the gathered information to the attackers. It also tries to turn off OS defense means and hide itself from antimalware tools in various sophisticated ways.
As Comodo analysts revealed, this attack, aimed at 30 mail servers, was provided from one IP address 177.154.128.114 and domain dpsp.com.br from Sao Paolo, Brazil. All 328 phishing emails were sent during one day — Jan. 8.
“Phishing emails become more sophisticated and refined,” commented Fatih Orhan, the head of Comodo Threat Research Labs. “Cybercriminals actively invent new methods to trick users into clicking on a bait link. As we can see from the example above, it is not so easy to distinguish a malicious file or link, even for a cybersecurity aware user. That’s why for ensuring security today, companies need to not only train people for the cybersecurity vigilance skills but use reliable technical protection means as well. Objects of this attack were not impacted. only because they had prepared in advance: by protecting their networks with Comodo intelligence. And that was the right decision, because it’s much easier to prevent an attack than to overcome its consequences.” Live secure with Comodo!
Technical analysis
File name: Lebal copy.exe
Sample SHA1: e26e12ed8a5944b1dbefa3dbe3e5fc98c264ba49
Date: 11 January 2018
1. Summary
The file is an 814 KB Portable Executable trying to impersonate an Adobe Acrobat document in order to trick the user into running it. For more plausibility, it disguised with the icon of a .pdf file and faked file’s version information:
2. Behavior analysis
After running, it drops tmp.exe (SHA1: 0e9f43124e27fd471df3cf2832487f62eb30e1c) and copies MSBuild.exe executable from Windows as .exe.
The purpose of copying MSBuild.exe is to run and inject it with the malware own instructions. As it is digitally signed with “Microsoft Corporation” certificate, some security applications might allow its actions, thus letting the malware to get access to the internet and local resources at its will.
After performing the injection, the malware downloads kensho-au.tk/file/payload.bin file, moves it to WinNtBackend-1751449698485799.tmp.exe (SHA1: 5245079fe71977c89915f5c00eaa4d1d6c36375c) in the system’s temporary folder and then executes it.
It allows the attacker to provide the malware with continuous updates and new components or installing additional malware on the compromised host.
The main purpose of the malware is to steal sensitive information. It tries to collect the following data:
— private data from web browsers, including cookies and login credentials;
— cryptocurrency wallets like Bitcoin or Electrum;
— credentials from known (s)ftp clients like FileZilla or WinSCP;
— instant messengers accounts;
— email clients accounts (Thunderbird and Outlook):
Collected data is sent to http://datacntrsecured.com/securityfilesdoc/gate.php
3. Conclusion
The malware is created to extract as much private information as possible for variety of malicious purposes, for instance: –stolen email accounts can be used to send spam messages; –ftp credentials give access to websites to compromise them; –cryptocurrency accounts can be immediately cashed out.
Any stolen information can be utilized by the cybercriminals if affected users won’t take appropriate counter steps in time.
4. Indicators of compromise
– the presence of .exe file in %temp% folder – the presence of tmp.exe file in %temp% folder – the presence of WinNtBackend-2955724792077800.tmp.exe file in %temp% folder
5. Detection
Malware is detected by Comodo products with name TrojWare.Win32.Pony.IENG and TrojWare.MSIL.Injector.~SHI
____________________________________________________________________________________________________________
Related Resources:
Tags: comodo news,malware
Reading Time: 4 minutes Increased dependency on computers and access to data makes an organization more vulnerable to cybersecurity threats. With the increase in cyber-criminals and cyber-attacks, many companies today are looking for greater protection of their decentralized computing work environments from their Managed Service Providers (MSPs). As a result, MSPs need to deliver firewall solutions that are designed…
Reading Time: 3 minutes Rapid technological growth and increasing digitalization in all aspects of life around the world have increased the value of ensuring cyber-security at all levels. This is increasingly true for EU member states and the organizations that are based in or operate from these countries. The number of cyber-attacks targeting EU member states has risen. The…
Reading Time: 3 minutes Disruptions are often unforeseen. This could be a catastrophic event like a hurricane, a fire, or an earthquake. Disruptions, however, can also come in other forms such as that of a pandemic. This means that a building doesn’t necessarily have to be demolished or lives have to be lost for an unforeseen event to completely…
Sign up to our cyber security newsletter
Comodo Cybersecurity would like to keep in touch with you about cybersecurity issues, as well as products and services available. Please sign up to receive occasional communications. As a cybersecurity company, we take your privacy and security very seriously and have strong safeguards in place to protect your information.
See how your organization scores against cybersecurity threats