Category: Endpoint Protection

Dec 06 2017

Emotet Downloader Trojan Returns in Force

During the past couple of days, we have seen an increase in activity from Emotet. This Trojan downloader spreads through emails that lure victims into downloading a Word document; once the document's macros execute, they use PowerShell to download a malicious payload.

We have observed Emotet downloading a variety of payloads, including ransomware, Dridex, Trickbot, Pinkslipbot, and other banking Trojans.

During a wave of attacks in early December we discovered a campaign spreading the ransomware family HydraCrypt. The sample we received had a compilation date of December 5.

The initial Word documents were downloaded from a number of URLs; some examples follow:

  • hxxp://URL/DOC/Invoice/
  • hxxp://URL/scan/New-invoice-[Number]/
  • hxxp://URL/scan/New-invoice-[Number]/
  • hxxp://URL/LLC/New-invoice-[Number]/

The document topics are crafted to entice users to open them because they appear to concern the recipient's finances or official documentation.

  • Invoice
  • Paypal
  • Rechnung (with or without a number)
  • Dokumente vom Notar

The documents have typical characteristics used by Emotet attackers. When a user opens the document, it claims the file is protected and asks the victim to enable the content, which launches the code hidden in the macros.

In analyzing the macros, we see heavily obfuscated code to make detection difficult and cover up the real purpose of the document:

The macro code uses a mix of the command shell, wmic, and PowerShell to copy itself to disk, create a service, and contact its control server for a download URL.

Emotet collects information about the victim’s computer, for example running processes, and sends encrypted data to the control server using a POST request:

The specific user-agent strings used in these requests:

  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727;
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727;
  • Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0
  • Mozilla/5.0

The payload samples are downloaded to %Windir%\System32 using a random name, either in GUID format or a five-digit random name.
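The indicators above (the beacon user-agent strings, the POST to the control server, and the %Windir%\System32 drop location with a GUID or five-digit name) can be turned into a matching rule for proxy and file-creation logs. The following Python is an added example, not code from the McAfee post. It assumes a tab-separated log format of its own (timestamp, source, method, URL, status, user-agent for proxy lines; timestamp, event, path for file events), treats the truncated first user-agent as a prefix, and compares with all whitespace removed so the match survives a pipeline that collapses spaces the way the post's own rendering did. The log lines are constructed.

```python
import re

# Indicators taken from the post. The first user-agent is truncated there, so it is
# treated as a prefix. Payloads land in %Windir%\System32 under a GUID-style or
# five-digit random name, with or without an .exe extension.
EMOTET_UA_PREFIXES = (
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727;",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0",
)
_GUID = r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?"
DROP_PATH_RE = re.compile(
    r"^[a-z]:\\windows\\system32\\(?:" + _GUID + r"|[0-9]{5})(?:\.exe)?$", re.IGNORECASE
)


def _squash(text: str) -> str:
    """Drop all whitespace so the comparison survives logs that collapse spaces."""
    return re.sub(r"\s+", "", text)


def is_emotet_user_agent(user_agent: str) -> bool:
    """True if the user-agent starts with one of the listed Emotet strings."""
    ua = _squash(user_agent)
    return any(ua.startswith(_squash(prefix)) for prefix in EMOTET_UA_PREFIXES)


def is_suspicious_drop_path(path: str) -> bool:
    """True for a file directly under System32 whose name is a GUID or five digits."""
    return DROP_PATH_RE.match(path.strip()) is not None


def scan_proxy_log(lines):
    """One alert per POST request carrying an Emotet user-agent (assumed 6-field TSV)."""
    alerts = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 6:
            continue  # not in the assumed format; skip rather than guess
        ts, src, method, url, status, ua = fields
        if method.upper() == "POST" and is_emotet_user_agent(ua):
            alerts.append({"time": ts, "src": src, "url": url, "user_agent": ua})
    return alerts


def scan_file_events(lines):
    """Paths of newly created files matching the drop pattern (assumed 3-field TSV)."""
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) == 3 and fields[1] == "FileCreate" and is_suspicious_drop_path(fields[2]):
            hits.append(fields[2])
    return hits


# Constructed sample input; addresses are documentation ranges, not real indicators.
SAMPLE_PROXY_LOG = [
    "2017-12-05T09:12:01Z\t10.0.0.23\tGET\thttp://www.example.com/\t200\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/62.0",
    "2017-12-05T09:12:44Z\t10.0.0.23\tPOST\thttp://203.0.113.7:8080/\t200\t"
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729)",
    "2017-12-05T09:13:02Z\t10.0.0.23\tPOST\thttp://198.51.100.9/\t200\t"
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0",
    "2017-12-05T09:13:10Z\t10.0.0.42\tGET\thttp://www.example.org/\t200\t"
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0",
]
SAMPLE_FILE_EVENTS = [
    "2017-12-05T09:13:05Z\tFileCreate\tC:\\Windows\\System32\\{3f2504e0-4f89-11d3-9a0c-0305e82c3301}.exe",
    "2017-12-05T09:13:06Z\tFileCreate\tC:\\Windows\\System32\\48213.exe",
    "2017-12-05T09:13:07Z\tFileCreate\tC:\\Windows\\System32\\kernel32.dll",
    "2017-12-05T09:13:08Z\tFileCreate\tC:\\Users\\alice\\Downloads\\48213.exe",
]

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("possible Emotet beacon:", alert)
    for path in scan_file_events(SAMPLE_FILE_EVENTS):
        print("possible Emotet payload drop:", path)
```

The MSIE 7.0 string is also sent by genuine older Internet Explorer installs, which is why the rule only fires on POST requests and why hits are leads for triage rather than verdicts; the file-event rule is narrower, since legitimate binaries in System32 are not named with a bare GUID or five digits.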

The control servers and URLs hosting the malicious documents are covered by McAfee Global Threat Intelligence, which also provides coverage for the detected samples. The McAfee Advanced Threat Research team proactively monitors any new developments regarding Emotet.


The new variants of Emotet are detected by McAfee DAT files as Emotet-FEJ!<Partial Hash> since December 3. Real Protection technology within McAfee Endpoint Security Adaptive Threat Protection provides zero-day detection of these new variants as Real Protect-SS!<Partial Hash>.

The post Emotet Downloader Trojan Returns in Force appeared first on McAfee Blogs.

Nov 29 2017

‘McAfee Labs 2018 Threats Predictions Report’ Previews Five Cybersecurity Trends

This report was written by members of McAfee Labs and the Office of the CTO.

Welcome to the McAfee Labs 2018 Threats Predictions Report. We find ourselves in a highly volatile stage of cybersecurity, with new devices, new risks, and new threats appearing every day. In this edition, we have polled thought leaders from McAfee Labs and the Office of the CTO. They offer their views on a wide range of threats, including machine learning, ransomware, serverless apps, and privacy issues.

The Adversarial Machine Learning Arms Race Revs Up
The rapid growth and damaging effects of new cyberthreats demand defenses that can detect new threats at machine speeds, increasing the emphasis on machine learning as a valuable security component. Unfortunately, machines will work for anyone, fueling an arms race in machine-supported actions from defenders and attackers. Human-machine teaming has tremendous potential to swing the advantage back to the defenders, and our job during the next few years is to make that happen. To do that, we will have to protect machine detection and correction models from disruption, while continuing to advance our defensive capabilities faster than our adversaries can ramp up their attacks.

Ransomware Pivots to New Targets, New Objectives
The profitability of traditional ransomware campaigns will decline as vendor defenses, user education, and industry strategies improve to counter them. Attackers will target less traditional, more profitable ransomware targets, including high net-worth individuals, connected devices, and businesses. This pivot from the traditional will see ransomware technologies applied beyond the objective of extorting individuals, to cyber sabotage and disruption of organizations. The drive among adversaries for greater damage, disruption, and the threat of greater financial impact will not only spawn new variations of cybercrime “business models,” but also begin to seriously drive the expansion of the cyber insurance market.

Serverless Apps: New Opportunities for Friend and Foe
Serverless apps can save time and reduce costs, but they can also increase the attack surface by introducing privilege escalation, application dependencies, and the vulnerable transfer of data across networks. Serverless apps enable greater granularity, such as faster billing for services. But they are vulnerable to attacks exploiting privilege escalation and application dependencies. They are also vulnerable to attacks on data in transit across a network. Function development and deployment processes must include the necessary security processes, and traffic that is appropriately protected by VPNs or encryption.

When Your Home Becomes the Ultimate Storefront
As connected devices fill your house, companies will have powerful incentives to observe what you are doing in your home, and probably learn more than you want to share. In 2018, McAfee predicts more examples of corporations exploring new ways to capture that data. They will consider the fines of getting caught to be the cost of doing business, and change the terms and conditions on your product or service to cover their lapses and liabilities. It is more difficult to protect yourself from these issues, and the next year will see a significant increase in breaches and discoveries of corporate malfeasance.

Inside Your Child’s Digital Backpack
Perhaps the most vulnerable in this changing world are our children. Although they face an amazing future of gadgets, services, and experiences, they also face tremendous risks to their privacy. We need to teach them how to pack their digital backpacks so that they can make the most of this future. The world is becoming very public, and though many of us seem to be OK with that, the consequences of an ill-considered post or thoughtless online activity can be life altering for years to come.

The Adversarial Machine Learning Arms Race Revs Up

Attackers and defenders work to out-innovate each other in AI

Human-machine teaming is becoming an essential part of cybersecurity, augmenting human judgment and decision making with machine speed and pattern recognition. Machine learning is already making significant contributions to security, helping to detect and correct vulnerabilities, identify suspicious behavior, and contain zero-day attacks.

During the next year, we predict an arms race. Adversaries will increase their use of machine learning to create attacks, experiment with combinations of machine learning and artificial intelligence (AI), and expand their efforts to discover and disrupt the machine learning models used by defenders. At some point during the year, we expect that researchers will reverse engineer an attack and show that it was driven by some form of machine learning. We already see black-box attacks that search for vulnerabilities and do not follow any previous model, making them difficult to detect. Attackers will increase their use of these tools, combining them in novel ways with each other and with their attack methods. Machine learning could help improve their social engineering—making phishing attacks more difficult to recognize—by harvesting and synthesizing more data than a human can. Or increase the effectiveness of using weak or stolen credentials on the growing number of connected devices. Or help attackers scan for vulnerabilities, boosting the speed of attacks and shortening the time from discovery to exploitation.

Whenever defenders come out with something new, the attackers try to learn as much about it as possible. Adversaries have been doing this for years with malware signatures and reputation systems, for example, and we expect them to do the same with the machine learning models. This will be a combination of probing from the outside to map the model, reading published research and public domain material, or trying to exploit an insider. The goal is evasion or poisoning. Once attackers think they have a reasonable recreation of a model, they will work to get past it, or to damage the model so that either their malware gets through or nothing gets through and the model is worthless.

On the defenders’ side, we will also combine machine learning, AI, and game theory to probe for vulnerabilities in both our software and the systems we protect, to plug holes before criminals can exploit them. Think of this as the next step beyond penetration testing, using the vast capacity and unique insights of machines to seek bugs and other exploitable weaknesses.

Because adversaries will attack the models, defenders will respond with layers of models—operating independently—at the endpoint, in the cloud, and in the data center. Each model has access to different inputs and is trained on different data sets, providing overlapping protections. Speaking of data, one of the biggest challenges in creating machine learning models is gathering data that is relevant and representative of the rapidly changing malware environment. We expect to see more progress in this area in the coming year, as researchers gain more experience with data sets and learn the effects of old or bad data, resulting in improved training methods and sensitivity testing.

The machines are rising. They will work with whoever feeds them data, connectivity, and electricity. Our job is to advance their capabilities faster than the attackers, and to protect our models from discovery and disruption. Working together, human-machine teaming shows great potential to swing the advantage back to the defenders.

Ransomware Pivots to New Targets, New Objectives

Swings from the traditional to new targets, technologies, tactics, and business models

McAfee sees an evolution in the nature and application of ransomware, one that we expect to continue through 2018 and beyond.

The good news about traditional ransomware. McAfee Labs saw total ransomware grow 56% over the past four quarters, but evidence from McAfee Advanced Threat Research indicates that the number of ransomware payments has declined over the last year.

Our researchers assert that the trend suggests a greater degree of success during the last 12 months by improved system backup efforts, free decryption tools, greater user and organizational awareness, and the collaborative actions of industry alliances such as and the Cyber Threat Alliance.

How cybercriminals are adjusting. These successes are forcing attackers to pivot to high-value ransomware targets, such as victims with the capacity to pay greater sums, and new devices lacking comparable vendor, industry, and educational action.

Targeting higher net-worth victims will continue the trend toward attacks that are more personal, using more sophisticated exploitation of social engineering techniques that deliver ransomware via spear phishing messages. These high-value targets will be attacked at their high-value endpoints, such as their increasingly expensive personal devices, including the latest generation of smart phones. Cloud backups on these devices have made them relatively free from traditional ransomware attacks. McAfee predicts that attackers will instead try to “brick” the phones, making them unusable unless a ransom payment is sent to restore them.

McAfee believes this pivot from the traditional is reflected in the slight decline in the number of overall ransomware families, as criminals shift to a smaller number of higher-value technologies and tactics, more talented purveyors of techniques, and more specialized, more capable ransomware-as-a-service providers.

New ransomware families discovered in 2017. On average, 20%‒30% per month of new samples are based on Hidden Tear ransomware code. Source: McAfee Labs.

The less sophisticated, mostly well-known, mostly predictable, one-to-many technology, tactics, and providers are simply failing to deliver the rewards to justify the investments, even modest ones.

If well-understood ransomware families survive and thrive, McAfee believes they will do so in the hands of trusted service providers that continue to establish themselves with more established, sophisticated backends, as is currently the case with the Locky family.

Where the digital impacts the physical. Every year, we read predictions about threats to our physical safety from security breaches of industrial systems in transportation, water, and power. We are also perennially entertained with creative depictions of physical threats brought about by the imminent hacking rampage of consumer devices, from the car to the coffeemaker.

McAfee resists the temptation to join the cybersecurity-vendor chorus line to warn you of the danger that lurks within your vacuum cleaner. But our researchers do foresee digital attacks impacting the physical world. Cybercriminals have an incentive to place ransomware on connected devices providing a high-value service or function to high-value individuals and organizations.

Rather than seize control of your grandmother’s automobile brakes as she drives along a winding mountain road, our researchers believe it more likely and more profitable for cybercriminals to apply ransomware to an important business executive’s car, preventing them from driving to work. We believe it more likely and more profitable for cybercriminals to place ransomware on a wealthy family’s thermostat in the dead of winter, than to set the homes of millions ablaze through their coffeemakers.

In these and other ways, we believe cybercriminals will see greater return in orchestrating digital attacks that physically impact individuals for profit, rather than fatal damage.

Beyond extortion to disruption and destruction. The WannaCry and NotPetya ransomware outbreaks foreshadow a trend of ransomware being applied in new ways, in pursuit of new objectives, becoming less about traditional ransomware extortion and more about outright system sabotage, disruption, and damage.

The WannaCry and NotPetya campaigns quickly infected large numbers of systems with ransomware, but without the payment or decryption capabilities necessary to unlock impacted systems. Although the exact objectives are still unclear, McAfee believes the attackers could have sought to blatantly disrupt or destroy huge networks of computers, or disrupt and distract IT security teams from identifying other attacks, in much the same way DDoS attacks have been used to obscure other real aspects of attacks. It is also possible that they represented spectacular proofs of concept, demonstrating their disruptive and destructive power, intending to engage large organizations with mega-extortion demands in the future.

In 2018, McAfee expects to see ransomware used in the manner of WannaCry and NotPetya. Ransomware-as-a-service providers will make such attacks available to countries, corporations, and other nonstate actors seeking to paralyze national, political, and business rivals in much the same way that NotPetya attackers knocked global IT systems out of commission at corporations around the world. We expect an increase in attacks intended to cause damage, whether by unscrupulous competitors or by criminals trying to mimic a mafia-style protection racket in cyber form.

Although this weaponization of ransomware at first seems to stretch the definition of the technology and tactical concept, consider the incentive of avoiding a WannaCry or NotPetya specific to your organization, complete with rapid, wormlike propagation and a demonstration of material disruption and damage, but with a demand for payment to make it all stop.

Of course, this raises the biggest, unavoidable ransomware question of 2017: Were WannaCry and NotPetya actually ransomware campaigns that failed in their objectives to make significant revenue? Or perhaps incredibly successful wiper campaigns?

Finally, McAfee predicts that these shifts in the nature and objectives of ransomware attacks, and their potential for real material financial impacts, will create an opportunity for insurance companies to extend their digital offerings with a range of ransomware insurance.

Serverless Apps: New Opportunities for Friend and Foe

Serverless apps attempt to match the security of a container or virtual machine

“Serverless” apps, the latest aspect of virtual computing, enable a new degree of granularity in computing functions. Some providers have recently reduced the billing iteration to seconds, which will have a substantial impact on growth. Billing for functions in seconds, instead of using containers or virtual machines that require minutes or hours, can reduce costs by a factor of 10 for some operations.

But what about the security of these function calls? They are vulnerable in traditional ways, such as privilege escalation and application dependencies, but also in new ways, such as traffic in transit and an increased attack surface.

Let’s start with the traditional vulnerabilities. Serverless apps that are quickly implemented or rapidly deployed can use an inappropriate privilege level, leaving the environment open to a privilege escalation attack. Similarly, the speed of deployment can result in a function depending on packages pulled from external repositories that are not under the organization’s control and have not been properly evaluated.

Then there are the new risks. By looking at the URL, we can tell if the request is going to a serverless environment. As a result, it might be possible for an attacker to disrupt or disable the infrastructure from the outside, affecting a large number of organizations.

Another risk is the data included in the function call. Because the data is not on the same server that executes the function, it must transit some network and may be at risk of interception or manipulation.

We predict the increased granularity of serverless apps will lead to a comparable increase in the attack surface. More functions, transiting to one or more providers, means more area for an attacker to exploit or disrupt. Make sure your function development and deployment process includes the necessary security steps, and that traffic is appropriately protected by VPNs or encryption.
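The two traditional risks described above, an over-broad privilege level and packages pulled from repositories nobody has evaluated, can be caught before a function is deployed. The following Python is an added example, not code from the report: it audits a constructed function manifest that holds an AWS-style IAM policy document (that format and the manifest layout are assumed here) and a pip-style requirements list, flagging Allow statements that use wildcard actions or resources and requirements that are not pinned to an exact version.

```python
import re

# An action of "*" or "service:*" grants every operation of that service;
# a resource of "*" grants it on everything the account can reach.
WILDCARD_ACTION = re.compile(r"^\*$|:\*$")
# A pinned requirement: name==exact.version, optionally followed by --hash entries.
PINNED_REQUIREMENT = re.compile(r"^[A-Za-z0-9_.\-\[\]]+==\S+(?:\s+--hash=\S+)*$")


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Findings for every Allow statement that grants wildcard actions or resources."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if WILDCARD_ACTION.search(action):
                findings.append(f"statement {idx}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {idx}: actions {actions} allowed on every resource")
    return findings


def audit_requirements(requirements):
    """Findings for requirements that would float to whatever the repository serves next."""
    findings = []
    for raw in requirements:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not PINNED_REQUIREMENT.match(line):
            findings.append(f"requirement not pinned to an exact version: {line!r}")
    return findings


def audit_function(manifest):
    """Combine both checks for one function manifest (assumed layout: policy + requirements)."""
    return audit_policy(manifest["policy"]) + audit_requirements(manifest["requirements"])


# Constructed manifests: one rushed deployment, one with the privileges it actually needs.
OVERPRIVILEGED = {
    "name": "invoice-parser",
    "policy": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
            {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": "arn:aws:logs:*:*:*"},
        ],
    },
    "requirements": ["requests", "pyyaml>=3.12", "boto3==1.4.7"],
}
LEAST_PRIVILEGE = {
    "name": "invoice-parser",
    "policy": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::invoices-inbox/*"},
            {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": "arn:aws:logs:*:*:*"},
        ],
    },
    "requirements": ["requests==2.18.4", "pyyaml==3.12", "boto3==1.4.7"],
}

if __name__ == "__main__":
    for manifest in (OVERPRIVILEGED, LEAST_PRIVILEGE):
        print(manifest["name"], audit_function(manifest) or "no findings")
```

Run as a pre-deployment gate, the audit turns the two risks into a blocking check: a function that reads one bucket gets a policy naming that bucket and that action, and its dependencies are the versions that were actually reviewed, not whatever the public repository serves on the day of the next deploy.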

When Your Home Becomes the Ultimate Storefront

Without controls, you might surrender your privacy to corporate marketers

Corporate marketers have powerful incentives to observe and understand the buying needs and preferences of connected home device owners. Networked devices already transmit a significant amount of information without the knowledge of the overwhelming majority of consumers. Customers rarely read privacy agreements, and, knowing this, corporations are likely to be tempted to frequently change them after the devices and services are deployed to capture more information and monetize it.

In 2018, connected home device manufacturers and service providers will seek to overcome thin operating margins by gathering more of our personal data—with or without our agreement—as we practically surrender the home to become a corporate virtual store front.

With such dynamics in play, and with the technical capabilities already available to device makers, corporations could offer discounts on devices and services in return for the ability to monitor consumer behavior at the most personal level.

Rooms, devices, and apps are easily equipped with sensors and controls capable enough to inform corporate partners of the condition of home appliances, and bombard consumers with special upgrade and replacement offers.

It is already possible for children’s toys to monitor their behavior and suggest new toys and games for them, including upgrades for brand-name content subscriptions and online educational programs.

It is already possible for car manufacturers and their service centers to know the location of specific cars, and coordinate with owners' calendars and personal assistants to manage and assist in the planning of their commutes. Coffee, food, and shopping stops could automatically be integrated into their schedules, based on their preferences and special offers from favorite food and beverage brands.

Whether this strikes you as a utopia for consumers and marketers, or a dystopian nightmare for privacy advocates, many aspects of these scenarios are close to reality.

Data collection from the current wide range of consumer devices and services is running far ahead of what most people believe.

Although there is certainly a legal argument that consumers have agreed to the collection of their data, even those of us technically knowledgeable to know this is taking place do not read the contracts that we agree to, and some corporations might change them after the fact or go beyond what they promise.

We have seen numerous examples of corporate malfeasance in recent years. A flashlight app developer’s license agreement did not disclose that the app gathered geolocation data. Three years ago, a video game hardware company pushed an update with no option to refuse; users had to agree to new terms or stop using the product they had purchased. In many agreements, users “agree” to all future changes that the company makes unilaterally to the terms: “Continued use of the service after any such changes shall constitute your consent to such changes.”

In July, the US Federal Bureau of Investigation warned parents to be wary of connected children’s toys that could be capable of collecting their children’s personally identifiable information.

Businesses will continue to seek to understand what and how consumers consume in the privacy of their homes, certainly requiring more user data than consumers will likely be comfortable sharing. McAfee asserts that a substantial number of corporations will break privacy laws, pay fines, and still continue such practices, thinking they can do so profitably. But the FBI’s recent toy warning to parents might suggest that such approaches could result in regulatory and even criminal legal consequences.

Next year will provide new examples of how well, and how badly, corporations are able to navigate the temptations and opportunities presented by connected homes.

We thank the Electronic Frontier Foundation for their assistance with this article.

Inside Your Child’s Digital Backpack

Protecting your children from corporate abuse of their user-generated content

It seems that every product, service, or experience we interact with today creates some type of digital record, whether or not we like it. As adults, we are gradually coming to terms with this effect and learning to manage our digital lives, but what about our children? Employers are already making hiring decisions influenced by search results. Could this extend to schools, health care, and governments? Will children be denied entry to a school because of how much time they spent binge-watching videos, or find it difficult to run for office because of a video made when they were seven?

Online information, or digital baggage, can be positive, negative, or neutral. As our children go on their increasingly digital journey through life, what are they packing for their trip? Likely, it will be a combination of mostly innocuous and trivial things, some positive and amazing ones that will help them on their journey, and some negative items that could weigh them down. Unfortunately, we predict that many future adults will suffer from negative digital baggage, even if it comes about without their intention.

As parents, our challenge is to help our children navigate this new world, in which they can be tracked almost from the moment of conception. Remember that story from 2012 about a girl who received coupons from a retailer for pregnancy-related items before she acknowledged that she was pregnant?

To help our children, we need to understand the kinds of digital artifacts that are being captured and stored. There are generally three types: explicit, implicit, and inadvertent.

Explicit content is all of those things that happen after you click the “I Agree” button on the terms and conditions or end user license agreement. Given recent breaches, it seems that anything stored online will at some point be hacked, so why not assume that from the beginning? If they really want to, a prospective employer may be able to find out what content you created, your social habits, and a host of other data points. This is an area that parents (at least initially) have a lot of control and influence over, and can teach and model good habits. Are you buying “M”-rated games for your 10-year-old, or letting your teens post videos without some oversight? Sadly, what happens online is not private, and there could eventually be consequences.

Implicit content is anything you do or say in an otherwise public place, which could be photographed, recorded, or somehow documented. This ranges from acting silly to drinking or taking drugs, but also includes what people say, post, tweet, etc. in public or online. We do not think that childlike behavior (by children) is going to be frequently or successfully used against people in the future, so we can still let our kids be kids.

Inadvertent content is the danger area. These are items that were intended to remain private, or were never expected to be captured. Unfortunately, inadvertent content is becoming increasingly common, as organizations of all types (accidentally or on purpose) bend and break their own privacy agreements in a quest to capture more about us. Whether with a toy, a tablet, a TV, a home speaker, or some other device, someone is capturing your child’s words and actions and sending them to the cloud. This is the most challenging part of the digital journey, and one that we must manage vigilantly. Pay attention to what you buy and install, turn off unnecessary features, and change the default passwords to something much stronger!

Our children face an amazing potential future, full of wonderful gadgets, supportive services, and amazing experiences. Let’s teach them at home to pack their digital backpacks so that they can make the most of it.

In the corporate world, McAfee predicts that the May 2018 implementation of the European Union’s General Data Protection Regulation (GDPR) could play an important role in setting ground rules on the handling of both consumer data and user-generated content in the years to come. The new regulatory regime impacts companies that either have a business presence in EU countries, or process the personal data of EU residents, meaning that companies from around the world will be compelled to adjust the way in which they process, store, and protect customers’ personal data. Forward-looking businesses can leverage this to set best practices that benefit customers using consumer appliances, content-generating app platforms, and the online cloud-based services behind them.

In this regard, the year 2018 may well best be remembered for whether consumers truly have the right to be forgotten.

To find out more about the data protection opportunity for businesses, visit McAfee’s GDPR site.

For more on how to protect your children from potential user-generated content abuse and other digital threats, please see McAfee’s blogs for guidance on parenting in the digital age.


  • Christiaan Beek
  • Lisa Depew
  • Magi Diego
  • Daren Dunkel
  • Celeste Fralick
  • Paula Greve
  • Lynda Grindstaff
  • Steve Grobman
  • Kenneth Howard
  • Abhishek Karnik
  • Sherin Mathews
  • Jesse Michael
  • Raj Samani
  • Mickey Shkatov
  • Dan Sommer
  • Vincent Weafer
  • Eric Wuehler


About McAfee Labs

McAfee Labs is one of the world’s leading sources for threat research, threat intelligence, and cybersecurity thought leadership. With data from millions of sensors across key threats vectors—file, web, message, and network—McAfee Labs delivers real-time threat intelligence, critical analysis, and expert thinking to improve protection and reduce risks.

The post ‘McAfee Labs 2018 Threats Predictions Report’ Previews Five Cybersecurity Trends appeared first on McAfee Blogs.

Nov 28 2017

Should I Worry About AVGater, Which Exploits Some Security Products?

On November 10, a researcher reported the vulnerability AVGater, which affects some antimalware products. The vulnerability allows a user without administrative privileges to restore a quarantined file in a user’s defined location.

After internal reviews and with confirmation from the author of the blog, McAfee believes no McAfee products are affected by the privilege escalation vulnerability described in the AVGater blog.

The mechanism that allows users to restore files from quarantine in McAfee products is either locked by default or is available only to users with administrative privileges, providing an additional layer of protection to our customers.

AVGater, as described by blog author Florian Bogner, is based upon antimalware products' use of a permanent storage area (folder or directory) to contain software that the antimalware program has “convicted”—executables believed to be malicious. Once convicted, the malicious software must be placed somewhere where it cannot execute and cause (further) harm.

Why not just immediately delete convicted software? If files were summarily deleted, there would always be a chance the files had been incorrectly convicted and might be important to the user. Unfortunately, no software can be considered perfect.[i] False detections occasionally occur, even with the most comprehensive and accurate software. Placing files into “quarantine,” the reserved safe area, mitigates the potential for an accidental removal of users’ important files.

Because of the potential of false-positive malware conviction, nearly every endpoint protection program makes use of a “quarantine” location, where assessed bad files are placed before deletion, just in case there has been a mistake in the identification algorithms.

Researcher Bogner has uncovered a way that quarantined software can be restored to execute, potentially with a privilege escalation from user-level privileges to the Windows system user. He has named the technique AVGater.

Privilege escalation is a critical step in the path to the full compromise of an operating system. Although a user may not have permission to write executable software into directories reserved for the operating system, if an attacker can execute malware from one of Windows’ system directories, an attacker can begin to subvert or replace critical system software with malware. Full control of the operating system may be within reach by just a few, perhaps undetected, steps.

Privilege escalation to the level of the Windows’ system user is not an attacker’s ultimate exploit, but it is a significant step that provides attackers assistance toward their goals.
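The mitigation described earlier, a restore path that is locked by default or available only to administrators, can be made concrete. The following Python is an added example, not McAfee's or the researcher's code: it models a quarantine restore routine with the checks a defender would want before a convicted file is written back to disk. The caller must hold administrative rights, the destination is fixed to the file's original location rather than a caller-chosen one, no link or junction may sit anywhere in that path, and the resolved path must lie outside every protected directory. The scenario runs in a temporary directory, with a symlink standing in for an NTFS junction and a directory named system32 standing in for the real one; the QuarantineRecord layout, the directory names, and the protected-roots list are constructed for the example.

```python
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class QuarantineRecord:
    """Metadata kept for one convicted file (constructed layout for this example)."""
    quarantine_path: str   # where the convicted file is stored; never executed from here
    original_path: str     # where the file was found when it was convicted


class RestoreDenied(Exception):
    pass


def _traverses_link(path: str) -> bool:
    """True if the path or any ancestor directory is a symlink (a junction on Windows)."""
    cur = os.path.abspath(path)        # abspath normalises but does not resolve links
    while True:
        if os.path.islink(cur):
            return True
        parent = os.path.dirname(cur)
        if parent == cur:
            return False
        cur = parent


def restore_from_quarantine(record, requested_dest, caller_is_admin, protected_roots=()):
    """Move a quarantined file back only when every check passes; returns the final path."""
    if not caller_is_admin:
        raise RestoreDenied("restore requires administrative privileges")
    want = os.path.normcase(os.path.abspath(record.original_path))
    got = os.path.normcase(os.path.abspath(requested_dest))
    if want != got:
        raise RestoreDenied("destination must be the file's original location")
    if _traverses_link(requested_dest):
        raise RestoreDenied("destination path traverses a link or junction")
    real_dest = os.path.realpath(requested_dest)
    for root in protected_roots:
        real_root = os.path.realpath(root)
        try:
            inside = os.path.commonpath([real_dest, real_root]) == real_root
        except ValueError:             # different drives on Windows: cannot be inside
            inside = False
        if inside:
            raise RestoreDenied(f"destination resolves into protected directory {root}")
    os.makedirs(os.path.dirname(real_dest), exist_ok=True)
    os.replace(record.quarantine_path, real_dest)   # single rename out of quarantine
    return real_dest


def run_scenarios():
    """Constructed scenario in a temp dir: four restore attempts and their outcomes."""
    base = tempfile.mkdtemp(prefix="quarantine-demo-")
    quarantine = os.path.join(base, "quarantine")
    sysdir = os.path.join(base, "system32")          # stands in for %Windir%\System32
    os.makedirs(quarantine)
    os.makedirs(sysdir)

    def convict(name, original_dir):
        os.makedirs(original_dir, exist_ok=True)
        qpath = os.path.join(quarantine, name + ".quar")
        with open(qpath, "wb") as fh:
            fh.write(b"convicted sample (constructed)")
        return QuarantineRecord(qpath, os.path.join(original_dir, name + ".exe"))

    def attempt(record, dest, admin):
        try:
            restore_from_quarantine(record, dest, admin, protected_roots=[sysdir])
            return "restored"
        except RestoreDenied as err:
            return "denied: " + str(err)

    outcomes = {}
    rec = convict("a", os.path.join(base, "home", "a"))
    outcomes["non_admin"] = attempt(rec, rec.original_path, admin=False)
    outcomes["chosen_destination"] = attempt(rec, os.path.join(sysdir, "a.exe"), admin=True)
    outcomes["legitimate"] = attempt(rec, rec.original_path, admin=True)

    # The original directory has since been swapped for a link to the protected directory.
    rec2 = convict("b", os.path.join(base, "home", "b"))
    shutil.rmtree(os.path.dirname(rec2.original_path))
    os.symlink(sysdir, os.path.dirname(rec2.original_path))
    outcomes["linked_directory"] = attempt(rec2, rec2.original_path, admin=True)

    outcomes["restored_exists"] = os.path.exists(rec.original_path)
    outcomes["leaked_into_sysdir"] = bool(os.listdir(sysdir))
    shutil.rmtree(base)
    return outcomes


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The order of the checks matters: the privilege test comes first so an unprivileged caller learns nothing about paths, and the link test runs before realpath so the decision is made on where the write will actually land rather than on the name the caller supplied.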

We live in a world in which techniques to get users to take a single step (click, save, open, view, read) are commonplace; there are thousands of spoofs, scams, confidence games, and social engineering techniques. If you live in the digital world, you have been exposed to many of these, maybe every day.

It is not hard to imagine that attackers, having gotten their software placed into AV quarantine, can execute subsequent software, perhaps through tricking users in some manner.

AVGater is not a straightforward attack. Successful quarantine removal and copying to a system directory must be preceded by other steps for attackers to achieve their goals, whether controlling additional hosts for a botnet, gathering account information, or other ends. (See the section “AVGater technique,” below, for more information.)

Getting malware onto a Windows machine is relatively uncomplicated; it happens thousands of times every day. Tricking users to proceed is also well understood by attackers with varying levels of technical skill. Thus we believe that attacks based upon AVGater are credible, if not particularly straightforward.

AVGater has not yet been widely used by attackers. Nonetheless, it should be easy for a malware writer to drop detection defenses to force a conviction and quarantine of an attack. This step makes this attack noteworthy: Malware writers already know how to be identified by antimalware programs.

All of AVGater’s steps seem well within reasonable capabilities of competent attackers. Users whose security software is vulnerable should update to a patched version as soon as possible.

It is a poor idea to conduct day-to-day operations from the Windows administrator account. McAfee recommends that users start with a less privileged, user-level account and elevate to administrative privileges only for necessary operations and only for as long as needed to complete a task. Consumers should set up a nonadministrator account as the usual login.

McAfee® ePolicy Orchestrator® (McAfee ePO™) administrators should use the product’s capabilities to reduce the privileges that users need for common tasks, and thus reduce the privilege levels required by most users.

Always running with administrative privileges is a dangerous practice. One mistake can allow a complete compromise. Attackers do not need to go through the steps of AVGater or other privilege escalation. If attackers can execute some code as administrators, they can probably compromise Windows completely. AVGater does not lend attackers any additional advantage.

Users who recognize social engineering attacks will have an advantage in protecting themselves, because they are much less likely to accept suspicious software and fall for tricks that execute the secondary steps required in this attack.

As always, all users are advised to avoid public hotspots. If you must use one, be sure to make use of your company’s VPN services as soon as you join, or use some other VPN technology to conduct your online activities. Always disable unneeded services; do not leave file sharing on except for highly trusted networks; do not blindly accept files from untrusted sources, especially on unsecured and untrusted networks. We should always follow these safe computing practices irrespective of the latest attack technique or the state of our computing protections.

McAfee continues to investigate potential attack vectors related to AVGater. As of this writing, both McAfee and Florian Bogner have found no unmitigated paths through a McAfee product. If we discover additional information, we will update this post.

AVGater Technique

To carry out this attack, the security software must identify an attacker-controlled program as malware, which will result in quarantine. The attacker must next switch the quarantined file for malware that will further the attack. Then the attacker must set up the necessary Windows file “junction” so that removing the file from quarantine also copies it into a directory with Windows system privileges.

Any number of tricks can convince at least some users into executing additional malicious software that removes the attack software from quarantine and, through the previously set-up file junction, places the software into a privileged directory. The attacker then must somehow execute the attack software from the joined system directory to proceed.

Attackers have developed numerous methods for avoiding or fooling attempts at conviction, while antimalware makers spend a significant proportion of their efforts identifying the attackers’ tricks so that malware will be accurately identified.

For malware writers to use this technique, they need obvious malware that will ensure conviction. Accompanying the “red herring” malware must be additional software that can hide its true intent (replace the quarantined item, set up file junction, induce the copying to system privileges, and execute the attacker’s code).

Compared with executing one or two steps against users who are running with administrative privileges, AVGater requires more steps, each of which must be executed successfully and in proper order. AVGater demands greater skill, including careful interactions between at least three steps and at least one user-induced action. This scenario is credible, though more involved than other easy, repeatable attacks.
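As an added illustration of the mitigation side of the technique just described (example code written for this page, not McAfee’s or Florian Bogner’s code), the routine below models the check a quarantine-restore step should make before it writes a file back: it refuses to write through any symlink or Windows junction in the destination path, and it confirms that the fully resolved destination stays inside the directory the user is allowed to restore into. The function names, the FILE_ATTRIBUTE_REPARSE_POINT constant and the temporary directories built by demo() are assumptions of the example; on Linux the demo uses a symlink as a stand-in for a junction.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Hypothetical defensive routine written for this page; not vendor code.
# Windows marks both junctions and symlinks as reparse points with this
# attribute bit; os.lstat exposes it as st_file_attributes on Windows only.
FILE_ATTRIBUTE_REPARSE_POINT = 0x400


def is_reparse_point(p: Path) -> bool:
    """True if p is a symlink (any OS) or a Windows junction/reparse point."""
    if os.path.islink(p):
        return True
    attrs = getattr(p.lstat(), "st_file_attributes", 0)  # 0 outside Windows
    return bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT)


def validate_restore_target(dest: Path, allowed_root: Path) -> Path:
    """Return the resolved destination, or raise PermissionError if the
    restore could be redirected outside allowed_root."""
    dest = Path(dest)
    allowed_root = Path(allowed_root).resolve()
    if not dest.is_absolute():
        raise ValueError("destination must be an absolute path")
    # Check every existing prefix of the destination (lexists also catches a
    # dangling link); any reparse point means the write could be redirected.
    for prefix in (dest, *dest.parents):
        if os.path.lexists(prefix) and is_reparse_point(prefix):
            raise PermissionError(f"refusing to restore through reparse point: {prefix}")
    # Resolve after the walk so '..' segments are accounted for as well.
    resolved = dest.resolve()
    if resolved != allowed_root and allowed_root not in resolved.parents:
        raise PermissionError(f"{resolved} lies outside {allowed_root}")
    return resolved


def restore_from_quarantine(quarantined: Path, dest: Path, allowed_root: Path) -> Path:
    """Copy a quarantined file back only to a validated destination."""
    target = validate_restore_target(dest, allowed_root)
    target.parent.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(quarantined, target)
    return target


def restore_is_safe(dest: Path, allowed_root: Path) -> bool:
    """Convenience wrapper: would the restore to dest be permitted?"""
    try:
        validate_restore_target(dest, allowed_root)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Build a constructed scenario in temporary directories and report which
    restore targets the check accepts (a symlink stands in for a junction)."""
    root = Path(tempfile.mkdtemp()).resolve()      # user's allowed area
    outside = Path(tempfile.mkdtemp()).resolve()   # stand-in for a system directory
    quarantined = root / "quarantine" / "sample.bin"
    quarantined.parent.mkdir()
    quarantined.write_bytes(b"constructed quarantined content")
    os.symlink(outside, root / "link")             # the redirect the technique relies on
    restored = restore_from_quarantine(quarantined, root / "restored" / "sample.bin", root)
    return {
        "direct_restore_ok": restored.read_bytes() == quarantined.read_bytes(),
        "through_link_allowed": restore_is_safe(root / "link" / "sample.bin", root),
        "dotdot_escape_allowed": restore_is_safe(root / ".." / outside.name / "sample.bin", root),
        "outside_untouched": not (outside / "sample.bin").exists(),
    }


if __name__ == "__main__":
    print(demo())
```

The walk over path prefixes happens before resolution on purpose: resolving first would silently follow the junction and hide the redirect, and only the containment check would remain, which a junction inside the allowed root pointing elsewhere is exactly designed to bypass.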

[i] Software can be proven to be incorrect, but it is difficult to prove it absolutely error free. Readers may wish to investigate Alan Turing’s “Turing’s Proof,” whose math is believed to prove that an automated process cannot prove that an automated process is correct.

The post Should I Worry About AVGater, Which Exploits Some Security Products? appeared first on McAfee Blogs.

Nov 22 2017

Malware Mines, Steals Cryptocurrencies From Victims

How’s your Bitcoin balance? Interested in earning more? The value of cybercurrency is going up. One way to increase your holdings is by “mining,” which is legal as long as it is done with the proper permissions. Using your own mining equipment or establishing a formal agreement for outsourcing are two methods. Hardware vendors such as Asus manufacture motherboards that are specifically tailored for mining cryptocurrency.

Bitcoin mining involves complex mathematical calculations that are carried out by a computer’s hardware and result in transaction records. These records are added to the Bitcoin public ledger, the “blockchain.” The ledger keeps track of all transactions and verifies these transactions are legitimate.
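As an added worked example of the calculation the previous paragraph refers to (written for this page, not taken from the post or from any miner), the block below implements the hash puzzle at the core of Bitcoin-style proof of work: double SHA-256 over a block header, with the nonce varied until the digest has enough leading zero bits. The 76-byte header prefix is a constructed stand-in for the real fields (version, previous block hash, Merkle root, timestamp, difficulty bits); the difficulty is expressed as a count of leading zero bits rather than Bitcoin’s compact target encoding, and the digest is compared as a big-endian integer for simplicity.

```python
import hashlib
import struct

# Added illustration for this page, not code from any mining software.
# A real Bitcoin header is 80 bytes; this constructed 76-byte prefix stands in
# for everything except the 4-byte nonce that the miner varies.
CONSTRUCTED_PREFIX = b"\x00" * 76


def block_hash(header_prefix: bytes, nonce: int) -> bytes:
    """Bitcoin-style double SHA-256 over header prefix + little-endian nonce."""
    header = header_prefix + struct.pack("<I", nonce)
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits when the digest is read as a 256-bit integer."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def mine(header_prefix: bytes, difficulty_bits: int, max_nonce: int = 2**32):
    """Search nonces in order until the hash meets the difficulty; on average
    this takes about 2**difficulty_bits hash evaluations."""
    for nonce in range(max_nonce):
        digest = block_hash(header_prefix, nonce)
        if leading_zero_bits(digest) >= difficulty_bits:
            return nonce, digest
    raise RuntimeError("nonce space exhausted without a solution")


def verify(header_prefix: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs one hash, however long mining took."""
    return leading_zero_bits(block_hash(header_prefix, nonce)) >= difficulty_bits


if __name__ == "__main__":
    for bits in (8, 12, 16, 20):
        nonce, digest = mine(CONSTRUCTED_PREFIX, bits)
        print(f"{bits:2d} bits: nonce={nonce:8d} hash={digest.hex()}")
```

The asymmetry shown by mine() versus verify() is the whole point of the scheme, and also the economic reason behind the malware discussed below: finding a solution costs exponentially more hashing as the difficulty rises, so an attacker who can borrow thousands of CPUs pays nothing for that work.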

Cybercriminals are also attracted to online currency, which fuels much of their business, including malware purchases and ransomware payments. Cybercriminals would rather find outside computing power instead of using their own equipment because the price of a dedicated mining machine could exceed US$5,000. Cybercriminals often seek to bypass the agreement phase and maliciously introduce malware that will either use a victim’s computing power to mine for coins or simply locate and steal the user’s cryptocurrency.

Three popular Bitcoin miners.


The number of instances of mining malware has increased significantly, to 1.65 million victims this year, according to one report. That’s a lot of slowing machines and increased electricity costs. For individual users, the slowness and increased electricity bill may be trivial, and go unnoticed for a time. For businesses with hundreds or thousands of machines, however, the cost increase can be substantial.

The increased interest in illegally mining or stealing cryptocurrencies correlates easily with the increased value of these currencies. One Bitcoin (BTC) was recently worth more than $7,500, up from around $3,000 a few weeks ago. Even considering an earlier decline in value, Bitcoin has been trending upward for years. This upswing in value and the recent adoption of Bitcoin in Japan and South Korea as a legal tender have increased the demand for acquiring Bitcoin and altcoins. In September cybercriminals stole $63,000 worth of cryptocurrency in about three months by taking advantage of a flaw in Microsoft Windows Internet Information Services.

The price of Bitcoin since 2010. Source: CoinDesk.

Initial coin offerings (ICOs) have also contributed to this gold rush. ICOs are similar to IPOs but instead of issuing to investors shares of a new company, the investors are given cryptocurrency in the hopes a new company will be successful and result in a higher value for their digital coins.

During the last few years we have seen an increase in innovation by malware authors to infiltrate this space, resulting in malware that both mines or steals coins and spans various platforms. Let’s break down some of the tools and techniques in the world of crypto-mining/-stealing malware that has arisen.

  • NightMiner
  • Adylkuzz
  • EternalMiner
  • MulDrop.14
  • ELF Linux/Mirai
  • OSX/Miner-D
  • Dridex
  • Trickbot
  • Jimmy Nukebot
  • HawkEye
  • Cerber
  • Web Mining


NightMiner mining malware was first seen in the wild in March 2015 and has been used to mine the Monero cryptocurrency. Some cybercriminals have turned to Monero due to its built-in security features and lower cost to mine. For example, Monero by default supports many blockchain obfuscation and anonymity technologies such as stealth addresses and crypto notes. This malicious software has been discovered on network attached storage (NAS) devices and takes advantage of those devices’ powerful CPU and GPU resources. The mining software can stay under the radar on these devices because most administrators fail to install antimalware software on NAS systems. Sophos released an extensive report discussing this malware.


Adylkuzz is more recent, coming on the scene this year. The mining malware is similar to the well-known ransomware WannaCry in that it exploits two flaws in Microsoft’s server message block (SMB) that are known as EternalBlue and DoublePulsar. Both defects were leaked by the Shadow Brokers hacking group and are believed to be the work of the U.S. National Security Agency’s Equation Group. Adylkuzz is unique in that it will block all access to TCP Port 445, preventing other malware from taking advantage of the SMB flaws.

Code snippet from the EternalBlue Metasploit module.


Linux systems are not immune. EternalMiner took advantage of a vulnerability in Samba to infect as many systems as possible. The flaw allowed Samba servers to load and execute code remotely after a shared library was uploaded by a malicious client. A patch to address the seven-year-old flaw was released in May, but cybercriminals made thousands of dollars before network administrators could update their servers.


Researchers have seen instances of Raspberry Pi—a small, versatile single-board computer—attacked by the crypto mining malware Linux.MulDrop.14. The malicious software does not attempt to mine the CPU-intensive Bitcoin but, like NightMiner, focuses on Monero. This action shows a level of innovation as cybercriminals expand their scope to acquire cryptocurrencies across additional platforms.

ELF Linux/Mirai

Cryptocurrency malware mining has been discovered in connection with the Mirai botnet. ELF Linux/Mirai continues to evolve and has added a Bitcoin miner slave module, allowing the malware to mine cryptocurrency from thousands of infected IoT devices, according to a report from IBM X-Force. Mirai, discovered in August 2016, infected IoT devices and has also been responsible for several DDoS attacks, including against DNS provider Dyn and Liberia’s Internet infrastructure.


Source: McAfee Labs Threats Report, March 2017


Although Apple’s Mac OS has not been heavily targeted, it is also not immune. OSX/Miner-D both steals Bitcoins and mines a system. This malware has been around since 2011 and is the second most common malware on the Mac. The malware, which is inserted into legitimate apps uploaded to torrent sites, made a surge early this year and resulted in more than 20% of all detections in May. We expect to soon see new variants of this malicious software.


Cryptocurrency mining has caught the attention of the Dridex Trojan’s developers. Dridex is a banking Trojan that steals credentials to access accounts. Samples of this malware were discovered in 2016 that find and steal cryptocurrency wallets.

Dridex is sophisticated malware. The developers behind this malware continue to evolve its code to avoid detection, increase infections, distribute ransomware, steal banking and personal information, and now pilfer Bitcoins.


The cybercriminals behind Trickbot have added the capability to steal cryptocurrency. Trickbot has been around for years and has recently added as one of its attack vectors. Once a system is infected, the malware monitors the victim’s browsing habits and injects a fake login page whenever the user visits The fake page allows criminals to steal the login information, resulting in the theft of cryptocurrencies including Bitcoin, Ethereum, and Litecoin as well as other digital assets.

Jimmy Nukebot

Another Trojan making headlines is Jimmy Nukebot. The authors behind the malicious software used code from the NeutrinoPOS banker Trojan. This variant, detected by McAfee as RDN/PWS-Banker, does not steal bank card data as before but installs various modules that contain a payload. One payload mines Monero. The digital wallet associated with the miner has received only about $45, which may indicate the malware authors either changed wallets or have stopped mining, according to Kaspersky.

McAfee Labs detections for some variants of mining malware. Peak detections are the highest number of detection occurrences on a single date in 2017.


The credential harvesting malware HawkEye, which surfaced in 2014, has added Bitcoin wallet stealing to its arsenal. The malware is well known for stealing a variety of credentials from web browsers and mail clients. Recent samples show HawkEye targeting the file wallet.dat, which holds the user’s Bitcoin private keys along with other transaction information.
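To show what a defender can do with the behaviour just described (an added detection sketch written for this page, not McAfee’s detection logic), the block below scans a few constructed EDR-style events for reads of wallet.dat by processes that are not known wallet software, and raises the severity when the same process opens an outbound connection shortly afterwards. The event schema (type, ts, pid, process, path and dst fields), the allowlist of expected readers, the 120-second window and all sample values are assumptions; real telemetry would need a field mapping.

```python
from collections import defaultdict

# Added detection sketch for this page; not product code. Event field names,
# the allowlist and every sample value below are constructed.
WALLET_FILES = {"wallet.dat"}                          # file named in the post
EXPECTED_READERS = {"bitcoin-qt.exe", "bitcoind.exe"}  # assumed wallet software

# Constructed EDR-style events: ts is epoch seconds, dst uses RFC 5737 test addresses.
SAMPLE_EVENTS = [
    {"type": "FileRead", "ts": 1000, "pid": 3100,
     "process": r"C:\Program Files\Bitcoin\bitcoin-qt.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat"},
    {"type": "FileRead", "ts": 1100, "pid": 4242,
     "process": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat"},
    {"type": "NetworkConnect", "ts": 1130, "pid": 4242,
     "process": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "dst": "203.0.113.10:443"},
    {"type": "FileRead", "ts": 1200, "pid": 5151,
     "process": r"C:\Windows\System32\notepad.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat"},
    {"type": "NetworkConnect", "ts": 1900, "pid": 5151,
     "process": r"C:\Windows\System32\notepad.exe",
     "dst": "203.0.113.20:80"},   # 700 s after the read: outside the window
]


def basename(win_path: str) -> str:
    """Last path component, lower-cased, for either separator style."""
    return win_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def suspicious_wallet_access(events, window_s: int = 120):
    """Flag wallet-file reads by unexpected processes; 'high' severity when the
    same pid connects out within window_s seconds after the read."""
    events = sorted(events, key=lambda e: e["ts"])
    connects = defaultdict(list)
    for e in events:
        if e["type"] == "NetworkConnect":
            connects[e["pid"]].append(e)
    findings = []
    for e in events:
        if e["type"] != "FileRead" or basename(e["path"]) not in WALLET_FILES:
            continue
        proc = basename(e["process"])
        if proc in EXPECTED_READERS:
            continue
        followup = [c["dst"] for c in connects[e["pid"]]
                    if 0 <= c["ts"] - e["ts"] <= window_s]
        findings.append({
            "pid": e["pid"], "process": proc, "path": e["path"],
            "severity": "high" if followup else "medium",
            "connections": followup,
        })
    return findings


if __name__ == "__main__":
    for f in suspicious_wallet_access(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid {f['pid']} {f['process']} read {f['path']}"
              f" connections={f['connections']}")
```

Matching on the file name alone is deliberately broad: a wallet file copied to a different directory is still worth a medium-severity alert, and the process allowlist plus the network follow-up are what separate a user backing up a wallet from a stealer shipping it out.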


Developers behind most ransomware prefer the ransoms be paid using cryptocurrency. In the recent case of Cerber, however, the actors have resorted to stealing the coins from the wallet before encrypting the system. Cerber is one of the most prolific ransomware families, infecting millions of computers worldwide. The ransomware has seen a decline in the past few months but continues to wreak havoc.

The number of Cerber samples detected during the last 90 days. Source: Ransomware Tracker.

Web Mining

One new trend is a technique that mines cryptocurrency when visitors connect to websites. Coinhive and Crypto-Loot, as well as others, sell Monero mining software that allows the buyer to insert JavaScript into websites. The JavaScript mines cryptocurrency by using the site visitor’s CPU power. The service has been a hot topic since it first appeared because the software can be used maliciously to allow cybercriminals to mine cryptocurrency without users’ consent. A few legitimate sites, including The Pirate Bay and a major television company, have recently been found using the software to mine Monero. The entertainment conglomerate has removed the code but it remains unclear whether hackers injected the software or if the company included the code to make a few extra dollars while unsuspecting users were watching their favorite shows.

The Pirate Bay has also removed the mining code and released a statement claiming the 24-hour test was designed to see if the popular file-sharing site could use the miner to generate revenue and potentially replace ads. A few other sites, including Iridium and PublicHD, are using the JavaScript code openly: Both sites inform their users of the code and in the case of Iridium allow them to opt out. The unsuspected use of web miners has caused some websites to go dark. Internet provider Cloudflare began shutting down domains after the company discovered Coinhive’s software mining Monero from visitors to torrent site ProxyBunker. The domains, which were shuttered for not allowing users to opt out, were reopened after removing the mining code.

JavaScript code from Iridium’s Google Chrome miner extension.

Crypto mining is not new, but it has gained attention due to the popularity of cryptocurrency, ICOs, and the overall value increase of altcoins. As the adoption rate for cryptocurrency grows, we can expect cybercriminals to increasingly illegally mine or steal cryptocurrency. They can exploit online funds to shop on the dark web or in exchange for real currency.

A timeline of leading cryptocurrency miners.
