The Blue Mockingbird Malware Group Exploits Vulnerabilities in Organizations’ Networks – Disposable mail news

Another cryptocurrency-mining malware campaign has surfaced that has allegedly been infecting the systems of numerous organizations. The group controlling the operation goes by the code name “Blue Mockingbird”.

The researchers who discovered it have reason to believe that Blue Mockingbird has been active since December 2019. Per them, it targets “public-facing servers” running “ASP.NET” applications that use the “Telerik framework” for their user interface (UI).

Reportedly, the vulnerability the attackers exploit is “CVE-2019-18935”, which is used to plant a web shell on the target’s server. Per the same report, they then employ a version of “the Juicy Potato technique” to obtain administrative access and alter the server settings to achieve “(re)boot persistence”.

After obtaining complete access to a system, sources mention, the group installs a version of XMRig, a well-known cryptocurrency-mining application for the “Monero (XMR)” cryptocurrency.

As per reports, if the public-facing IIS servers are linked to a company’s internal network, the group is likely to try to spread internally through improperly secured Server Message Block (SMB) connections or Remote Desktop Protocol (RDP).

The exact number of infections the botnet has caused isn’t clear, but by estimate the operation includes at least 1,000 infections. There also doesn’t seem to be a way to gauge the full scale of the threat.

Only a few of the organizations observed by the researchers were hit with this particular threat, and the above-mentioned number of infections surfaced within the short time they were tracked.

Nevertheless, all companies alike are susceptible to this attack, even those that believe they are safe, and the number of infections could be higher than estimated.

As per sources, the vulnerable Telerik UI component can be part of ASP.NET applications that are otherwise running their latest versions: the application may be current while the Telerik component it bundles is outdated, and still harmful to organizations nonetheless. This component could exist in applications a company uses without the company even knowing about it, leaving it exposed.

The Telerik UI CVE-2019-18935 vulnerability, per reports, has been widely reported as the one employed to embed web shells on servers. Another report described it as the most exploited vulnerability and said organizations need to improve their firewalls to counter it. If for some reason an organization doesn’t have a web firewall, it can still look for warning signs on its servers and workstations, reports cite.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Insidious Android malware gives up all malicious features but one to gain stealth – 10 minute mail

ESET researchers detect a new way of misusing Accessibility Service, the Achilles’ heel of Android security

ESET researchers have analyzed an extremely dangerous Android app that can perform a host of nefarious actions, notably wiping out the victim’s bank account or cryptocurrency wallet and taking over their email or social media accounts. Called “DEFENSOR ID”, the banking trojan was available on Google Play at the time of the analysis. The app is fitted with standard information-stealing capabilities; however, this banker is exceptionally insidious in that after installation it requires a single action from the victim – enable Android’s Accessibility Service – to fully unleash the app’s malicious functionality.

The DEFENSOR ID app made it onto the heavily guarded Google Play store thanks to its extreme stealth. Its creators reduced the app’s malicious surface to the bare minimum by removing all potentially malicious functionalities but one: abusing Accessibility Service.

Accessibility Service is long known to be the Achilles’ heel of the Android operating system. Security solutions can detect it in countless combinations with other suspicious permissions and functions, or malicious functionalities – but when faced with no additional functionality nor permission, all failed to trigger any alarm on DEFENSOR ID.

By “all” we mean all security mechanisms guarding the official Android app store (including the detection engines of the members of the App Defense Alliance) and all security vendors participating in the VirusTotal program (see Figure 1).

Figure 1. According to the VirusTotal service, no security vendor detected the DEFENSOR ID app until it was pulled off the Play store

DEFENSOR ID was released on Feb 3, 2020 and last updated to v1.4 on May 6, 2020. The latest version is analyzed here; we weren’t able to determine if the earlier versions were also malicious. According to its profile at Google Play (see Figure 2) the app reached a mere 10+ downloads. We reported it to Google on May 16, 2020 and since May 19, 2020 the app has no longer been available on Google Play.

The developer name used, GAS Brazil, suggests the criminals behind the app targeted Brazilian users. Apart from including the country’s name, the app’s name is probably intended to imply a relationship with the antifraud solution named GAS Tecnologia. That security software is commonly installed on computers in Brazil as several banks require it to log into their online banking. However, there is also an English version of the DEFENSOR ID app (see Figure 3) besides the Portuguese one, and that app has neither geographical nor language restrictions.

Playing further off the suggested GAS Tecnologia link, the app promises better security for its users. The description in Portuguese promises more protection for the user’s applications, including end-to-end encryption. Deceptively, the app was listed in the Education section.

Figure 2. The DEFENSOR ID app on Google Play – Portuguese version (translates roughly as: “Your new Defensor app available for: / Individuals / Legal entities / From now on you will have more protection when using your applications, encryption for end-to-end users”)

Figure 3. The DEFENSOR ID app on Google Play – English version

Functionality

After starting, DEFENSOR ID requests the following permissions:

  • allow modify system settings
  • permit drawing over other apps, and
  • activate accessibility services.

If an unsuspecting user grants these permissions (see Figure 4), the trojan can read any text displayed in any app the user may launch – and send it to the attackers. This means the attackers can steal the victim’s credentials for logging into apps, SMS and email messages, displayed cryptocurrency private keys, and even software-generated 2FA codes.

The fact the trojan can steal both the victim’s credentials and can control also their SMS messages and generated 2FA codes means DEFENSOR ID’s operators can bypass two-factor authentication. This opens the door to, for example, fully controlling the victim’s bank account.

To make sure the trojan survives a device restart, it abuses already activated accessibility services that will launch the trojan right after start.


Figure 4. The permission requests by DEFENSOR ID

Our analysis shows the DEFENSOR ID trojan can execute 17 commands received from the attacker-controlled server such as uninstalling an app, launching an app and then performing any click/tap action controlled remotely by the attacker (see Figure 5).

Figure 5. The list of commands DEFENSOR ID may get from its C&C server

In 2018, we saw similar behavior, but all the click actions were hardcoded and suited only for the app of the attacker’s choice. In this case, the attacker can get the list of all installed apps and then remotely launch the victim’s app of their choice to either steal credentials or perform malicious actions (e.g. send funds via a wire transfer).

We believe that this is the reason the DEFENSOR ID trojan requests the user to allow “Modify system settings”. Subsequently, the malware will change the screen off time-out to 10 minutes. This means that, unless victims lock their devices via the hardware button, the timer provides plenty of time for the malware to remotely perform malicious, in-app operations.

If the device gets locked, the malware can’t unlock it.
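As an added example that is not ESET’s code, the following Python script audits the two device settings the trojan relies on, the enabled accessibility services and the screen-off timeout, from the output of two real adb `settings` commands; the adb invocation, the allowlist and the sample output are assumptions, while the flagged package names come from the IoC table in this article.

```python
"""Audit an Android device for the DEFENSOR ID accessibility-abuse pattern.

Reads the output of two real adb commands:
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get system screen_off_timeout
Sample outputs in __main__ are constructed; the IoC package names are from
the article's Indicators of Compromise table.
"""
import subprocess

# Package names from the article's IoC table.
KNOWN_BAD_PACKAGES = {"com.secure.protect.world", "com.brazil.android.free"}

# Screen-off timeout the trojan sets (10 minutes, expressed in milliseconds).
SUSPICIOUS_TIMEOUT_MS = 10 * 60 * 1000


def parse_enabled_services(raw):
    """Parse the colon-separated value of enabled_accessibility_services.

    Each entry is 'package/ServiceClass'; 'null' or '' means none enabled.
    Returns a list of (package, service_class) tuples.
    """
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return []
    entries = []
    for item in raw.split(":"):
        if not item:
            continue
        pkg, _, cls = item.partition("/")
        # A leading '.' means the class name is relative to the package.
        if cls.startswith("."):
            cls = pkg + cls
        entries.append((pkg, cls))
    return entries


def audit(services_raw, timeout_raw, allowlist=frozenset()):
    """Return a list of findings (strings); an empty list means nothing flagged.

    allowlist: packages expected to hold accessibility access (e.g. a screen
    reader). Any other enabled service is reported for review; packages from
    the IoC table are reported as a match.
    """
    findings = []
    for pkg, cls in parse_enabled_services(services_raw):
        if pkg in KNOWN_BAD_PACKAGES:
            findings.append(f"match: IoC package {pkg} has accessibility access ({cls})")
        elif pkg not in allowlist:
            findings.append(f"review: unexpected accessibility service {pkg}/{cls}")
    try:
        timeout_ms = int((timeout_raw or "").strip())
    except ValueError:
        findings.append(f"review: unparseable screen_off_timeout {timeout_raw!r}")
        return findings
    if timeout_ms >= SUSPICIOUS_TIMEOUT_MS:
        findings.append(f"review: screen_off_timeout is {timeout_ms // 60000} min")
    return findings


def audit_live_device(allowlist=frozenset()):
    """Run the two settings queries against the attached device via adb (assumed on PATH)."""
    def get(namespace, key):
        return subprocess.run(
            ["adb", "shell", "settings", "get", namespace, key],
            capture_output=True, text=True, check=True).stdout
    return audit(get("secure", "enabled_accessibility_services"),
                 get("system", "screen_off_timeout"), allowlist)


if __name__ == "__main__":
    # Constructed sample output: one IoC package plus a legitimate screen reader.
    sample_services = ("com.secure.protect.world/.AccessService:"
                       "com.google.android.marvin.talkback/"
                       "com.google.android.marvin.talkback.TalkBackService")
    sample_timeout = "600000"
    for line in audit(sample_services, sample_timeout,
                      allowlist={"com.google.android.marvin.talkback"}):
        print(line)
```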

Malware data leak

When we analyzed the sample, we realized that the malware operators left the remote database with some of the victims’ data freely accessible, without any authentication. The database contained the last activity performed on around 60 compromised devices. We found no other information stolen from the victims to be accessible.

Thanks to this data leak, we were able to confirm that the malware really worked as designed: the attacker had access to the victims’ entered credentials, displayed or written emails and messages, etc.

Once we reached the non-secured database, we were able to directly observe the app’s malicious behavior. To illustrate the level of threat the DEFENSOR ID app posed, we performed three tests.

First, we launched a banking app and entered the credentials there. The credentials were immediately available in the leaky database – see Figure 6.

Figure 6. The banking app test: the credentials as entered (left) and as available in the database (right)

Second, we wrote a test message in an email client. We saw the message uploaded to the attackers’ server within a second – see Figure 7.

Figure 7. The email message test: the message as written (left) and as available in the database (right)

Third, we documented the trojan retrieving the Google Authenticator 2FA code.

Figure 8. The software generated 2FA code as it appeared on the device’s display (left) and as available in the database (right)

Along with the malicious DEFENSOR ID app, another malicious app named Defensor Digital was discovered. Both apps shared the same C&C server, but we couldn’t investigate the latter as it had already been removed from the Google Play store.

Indicators of Compromise (IoCs)

Package name               Hash                                       ESET detection name
com.secure.protect.world   F17AEBC741957AA21CFE7C7D7BAEC0900E863F61   Android/Spy.BanBra.A
com.brazil.android.free    EA069A5C96DC1DB0715923EB68192FD325F3D3CE   Android/Spy.BanBra.A

MITRE ATT&CK techniques

Tactic               ID     Name                                            Description
Initial Access       T1475  Deliver Malicious App via Authorized App Store  Impersonates security app on Google Play.
Initial Access       T1444  Masquerade as Legitimate Application            Impersonates legitimate GAS Tecnologia application.
Discovery            T1418  Application Discovery                           Sends list of installed apps on device.
Impact               T1516  Input Injection                                 Can enter text and perform clicks on behalf of user.
Collection           T1417  Input Capture                                   Records user input data.
Command and Control  T1437  Standard Application Layer Protocol             Uses Firebase Cloud Messaging for C&C.



Lukas Stefanko



Rise of a Mobile Banking Malware Which Steals Personal Financial Information – Disposable mail news

In a recent advisory, the federal cybersecurity agency cautions about the rise of a new mobile banking malware called “EventBot”, which purportedly steals personal financial information and says it might affect Android phone users in India.

The Trojan may “masquerade as a legitimate application such as Microsoft Word, Adobe flash and others using third-party application downloading sites to infiltrate into victim device”, as per an alert issued by the Indian Computer Emergency Response Team (CERT-In), the national technology arm that combats cyber-attacks and guards Indian cyberspace.

“It has been observed that a new Android mobile malware named EventBot is spreading. It is a mobile-banking Trojan and info-stealer that abuses Android’s in-built accessibility feature to steal user data from financial applications, read user SMS messages and intercept SMS messages, allowing malware to bypass two-factor authentication,” said the CERT-In warning.

As indicated by CERT-In, the virus “to a great extent target financial apps like PayPal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, TransferWise, Coinbase, paysafecard and so on”.

The agency said that while “EventBot” has not been “seen” on the Google Play store so far, it can “masquerade” as a certified mobile phone application.

The virus then prompts users to grant it access to the device’s accessibility services.

The advisory claimed that the virus is capable of retrieving notifications about other installed applications and reading the contents of various applications.

“Over time, it can also read Lock Screen and in-app PIN that can give the attacker more privileged access over victim device,” the advisory adds.

The cybersecurity agency has proposed certain counter-measures to check the virus infection on Android phones: “Do not download and install applications from untrusted sources like unknown websites and links on unscrupulous messages; install updated anti-virus solution; prior to downloading or installing apps (even from Google Playstore), always review the app details, number of downloads, user reviews, comments and the ‘additional information’ section”.

Lastly, it asked users to refrain from using unsecured, unknown Wi-Fi networks, and to confirm a banking/financial application with the issuing organization before installing it.



Fileless Malware Attacks and How To Fight Them! – Disposable mail news

It has become crystal clear over the years that the growing number of cyber-attacks of ever more unusual kinds makes it almost impossible for outdated or conventional security mechanisms to intercept and fight them.

As if a single one-of-a-kind attack tool weren’t enough, threat actors now have polymorphic tactics up their sleeves. Per sources, an entirely new variant of a threat can be created after every infection.

After “polymorphism” became apparent, vendors reportedly engineered “generic signatures” that covered numerous variants. But the cybercriminals always managed to slip in a new one.

This is when malware authors came up with the concept of fileless attacks. They fabricated malware that didn’t need files to infect its targets and yet caused equal damage.

Per sources, the most common fileless attacks use applications, software or authorized protocols that already exist on the target device. The first step is a user-initiated action, followed by gaining access to the target device’s memory, which is then infected. Here the malicious code is injected by exploiting built-in Windows tools such as Windows Management Instrumentation and PowerShell.

Per reports, the modus operandi of a fileless attack is as follows:

  • It begins with a spam message that doesn’t look suspicious at all; when the unaware user clicks the link in it, they are redirected to a malicious website.
  • The website launches Adobe Flash.
  • Flash launches PowerShell and uses the command line to send it instructions, all of which takes place inside the target device’s memory.
  • One of the instructions opens a connection to a command and control server and downloads a malicious PowerShell script, which ferrets out sensitive data and information only to exfiltrate it later.

Researchers note that because these attacks involve no malicious files stored on the target’s device, it is harder for security products to anticipate or perceive such an attack: they are left with nothing to compare it against. The fact that fileless malware can hide from view inside legitimate tools and applications makes it all the worse.
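As an added example that is not from the article, the following Python detection logic scores process-creation records for the chain described above (a browser or Flash process spawning PowerShell with switches typical of in-memory scripts); the record field names, the process-name lists, the scoring weights and the sample telemetry are all constructed assumptions.

```python
"""Score process-creation telemetry for the browser -> Flash -> PowerShell chain.

Records are dicts in a simplified Sysmon-like shape (ParentImage, Image,
CommandLine); the field names and the sample events below are assumptions
constructed for this example, not data from the article.
"""
import re

# Parent processes that should not normally be launching a script host.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wmic.exe"}

# Command-line traits that commonly accompany in-memory download-and-run scripts.
SUSPICIOUS_ARGS = [
    (re.compile(r"-e(nc|ncodedcommand)?\b", re.I), "encoded command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-nop\b|-noprofile\b", re.I), "no profile"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I),
     "download cradle"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "invoke-expression"),
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_browser_or_plugin(name):
    """True for browsers and the Flash plugin host (its name carries a version suffix)."""
    return name in BROWSERS or name.startswith("flashplayerplugin")


def score_event(event):
    """Return (score, reasons) for one process-creation record."""
    reasons = []
    score = 0
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    if image not in SCRIPT_HOSTS:
        return 0, reasons
    if is_browser_or_plugin(parent):
        score += 50
        reasons.append(f"{image} spawned by {parent}")
    for pattern, label in SUSPICIOUS_ARGS:
        if pattern.search(cmd):
            score += 15
            reasons.append(label)
    return score, reasons


def detect(events, threshold=50):
    """Return alerts as (index, score, reasons) for events scoring at or above threshold."""
    alerts = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append((i, score, reasons))
    return alerts


# Constructed sample telemetry: a benign admin script, then the in-memory chain.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\ops\backup.ps1"},
    {"ParentImage": r"C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_32_0_0_387.exe",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER"},
]

if __name__ == "__main__":
    for idx, score, reasons in detect(SAMPLE_EVENTS):
        print(f"event {idx}: score {score}: {', '.join(reasons)}")
```

A benign scheduled script launched from explorer.exe scores 0, while the Flash-spawned hidden, encoded PowerShell instance scores 95 and is alerted on.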

Recently, many fileless attacks have surfaced and researchers have been elbow-deep in analyzing them. According to sources, well-known corporate names that faced such attacks include Equifax, which suffered a data breach via a command injection vulnerability; Union Crypto Trader, which faced in-memory remote code execution through a ‘trojanized’ version of a legitimate installer file; and the U.S. Democratic National Committee, where two threat actors used a PowerShell backdoor to automatically launch malicious code.

These attacks are obviously disconcerting and require a different kind of approach for their prediction or prevention. A conventional security system would never be the solution corporates and organizations need to stand against them.

Per sources, Network Detection and Response (NDR) seems to be a promising mechanism for detecting uncommon malicious activity. It doesn’t rely simply on signatures but uses a combination of machine-learning techniques to ferret out irregular network behaviour. It learns what is normal in a particular environment, then works out what isn’t and alerts the overseers.

Researchers think an efficient NDR solution takes note of a device’s entire surroundings, including what is in the network, cloud deployments and IoT segments, not to mention the data storage and email servers.

Per sources, NDR gradually works up to its highest efficiency: deploying it and its sensors takes a considerable amount of time and monitoring. But the final results encompass enhanced productivity, fewer false alerts, and heightened security.



The Dreambot Malware Botnet Appears To Have Gone Silent and Possibly Shut Down – Disposable mail news

Dreambot’s backend servers, as per a report published by the CSIS Security Group, a cyber-security firm based in Copenhagen, seem to have gone quiet and potentially shut down completely.

This started in March, around the same time the cybersecurity community stopped seeing new Dreambot samples distributed in the wild.

Benoit Ancel, the malware analyst at the CSIS Security Group, says, “The lack of new features? The multiplication of new Gozi variants? The huge rise of Zloader? COVID-19? We can’t be sure exactly what was the cause of death, but more and more indicators point at the end of Dreambot.” 

The Dreambot malware’s apparent demise puts an end to a six-year “career” on the cybercrime landscape. First spotted in 2014, it was built on the leaked source code of the older Gozi ISFB banking trojan, one of the most reused pieces of malware today.

With time, Dreambot received new features, such as Tor-hosted command and control servers, a keylogging capability, the ability to steal browser cookies and information from email clients, a screenshot feature, the ability to record a victim’s screen, a bootkit module, and a VNC remote access feature – just to name the most significant.

Typical Dreambot Control Panel

Besides, Dreambot likewise evolved from a private malware botnet into what’s known as a Cybercrime-as-a-Service (CaaS). 

As a CaaS, the Dreambot creators would advertise access to their botnet on hacking and malware forums. Various crooks could gain access to a part of Dreambot’s infrastructure and a variant of the Dreambot malware, which they would be responsible for distributing to victims.

Dreambot “customers” would infect victims, steal funds, and pay the Dreambot gang a weekly, monthly, or yearly fee.

CSIS says this model seems to have been fruitful. “We counted more than a million [Dreambot] infections worldwide just for 2019,” Ancel said. 

However, the CSIS researcher also said that more recently Dreambot evolved from being only a banking trojan. More specifically, it evolved from a specialised banking trojan into a generic trojan.

Criminals would lease access to the Dreambot cybercrime machine, yet not use it to steal money from bank accounts. Instead, they would infect countless computers and then review each target, searching for specific computers.

Nonetheless, Dreambot’s operators have not been ‘publicly identified’ and remain at large. The reason behind the whole cybercrime platform’s current disappearance likewise remains a mystery.

Be that as it may, with the operators still at large, Dreambot’s return ‘remains a possibility’.



Lucy: A File-Encrypting Android Malware Used for Ransomware Operations – Disposable mail news


A malware that attacks Android smartphones has extended its MaaS (malware-as-a-service) operations with file encryption capabilities to carry out ransomware attacks.

The malware, according to cybersecurity experts, is called “Lucy.” The Lucy gang is a group of Russian hackers who became famous two years ago by launching the Black Rose Lucy service, a malware that allowed botnet attacks on Android smartphones.

According to Checkpoint Research, “Because the Android accessibility service can mimic a user’s on-screen click, this is the crucial element for Black Rose to carry out malicious activities. Once the accessibility service is enabled, Black Rose can quickly shuffle through screens to grant itself device admin privileges.” 

The Lucy service allows its users to encrypt files on infected devices, after which a browser window demands $500 as a ransom. The message claims to come from the FBI and says the user must pay the ransom because he has been found guilty of storing adult content on his Android smartphone.

The FBI note is meant to frighten victims into paying the ransom to the hackers. Demanding payment from victims under the threat of legal consequences is blackmail, and entirely unethical: the victims are blackmailed for supposedly storing pornographic content and visiting adult websites.

To make the ransom demand more serious and believable, the hackers claim that they have the victim’s photograph and location, which they say have been posted on the FBI’s criminal investigation website. The ransom must be paid within three days of the notification; if not, the penalty triples, warns the message.

It may sound strange, but the hackers don’t demand cryptocurrency payments. Instead, they ask for credit card credentials, which is odd because in most cases a ransom is demanded in cryptocurrency, as it is easier to cash in.

According to Check Point Research’s 2010 data, “The Black Rose dropper family samples we acquired disguise either as an Android system upgrade or image files. Samples primarily leverage Android’s accessibility service to install their payload without any user interaction and forge an interesting self-protection mechanism.”



BazarBackdoor: A Malware similar to Trickbot, targets Corporates – Disposable mail news


According to cybersecurity experts, a new phishing campaign is delivering a backdoor malware. The malware, said to be created by the hacking group behind Trickbot, will enable attackers to compromise and take control of an organization’s network.
A backdoor that gives attackers entry to and control of a company’s network is a necessary component of sophisticated network attacks. It is required for the following kinds of cyberattack: corporate espionage, data extraction attacks and targeted ransomware attacks.

According to several reports, the attack was first discovered two weeks ago. The malware is called “BazarBackdoor”, or simply “backdoor”, by cybersecurity experts. It serves as a toolkit for attackers to gain access to an enterprise’s network.
The Trickbot group is thought to be the creator of this malware because BazarBackdoor shares similar code, crypters, and design.


About BazarBackdoor 


The attacks start as phishing campaigns that try to lure victims with click-bait such as ‘coronavirus relief funds,’ ‘customer complaints,’ ‘COVID reports’ or merely a list of downsizing reports, with links pointing directly to Google Docs. Unlike other phishing campaigns, the attackers use creative techniques to lure users to different landing pages, such as a fake customer complaints page or a fake COVID relief fund page. The landing pages pretend to be a PDF, Word, or Excel document that can’t be displayed properly, so a link is provided for the user to view the document. When the user clicks the link, a file with a ‘preview’-style name is downloaded that is made to look like a Word or PDF document. Because Windows hides file extensions by default, the user believes these files are genuine documents, and opening them installs the backdoor.


Attack linked to Trickbot 


According to cybersecurity experts, the malware explicitly targets companies and corporate enterprises. It is likely to have been developed by the same hacking group responsible for creating another malware named Trickbot: Trickbot and BazarBackdoor share similar crypters, and both use the same email patterns to launch their attacks. As a precaution, corporate companies are advised to stay alert and ask their employees not to open any unknown link sent via email.



A look at the ATM/PoS malware landscape from 2017-2019 – 10 minute mail

From remote administration and jackpotting to malware sold on the Darknet, attacks against ATMs have a long and storied history. And, much like other areas of cybercrime, attackers only refine and grow their skillset for infecting ATM systems from year to year. So what does the ATM landscape look like as of 2020? Let’s take a look.

The world of ATM/PoS malware

ATM attacks aren’t new, and that’s not surprising. After all, what is one of the primary motives driving cyber criminals? Money. And ATMs are cash hubs—one successful attack can net you hundreds of thousands of dollars. In the past, even high-profile threat actors have made ATMs their prime target.

However, attacking ATMs is a bit different from traditional financial-related threats, like phishing emails or spoofed websites. That’s because ATMs occupy a unique space in the tech world: they’re still connected to corporate networks but at the same time must be accessible to anyone who passes by. The resulting technical differences mean the attack methods differ from those used against traditional endpoints.

ATMs also share several common characteristics that make them particularly vulnerable to attacks:

  • Traditional software that is part of the warranty offered by the vendors → If major changes occur that are not approved by the ATM vendor, including installing AV software, the warranty is sometimes lost.
  • Regular use of outdated operating systems and the apps that run on them.
  • Locations chosen to provide access to as many customers as possible, including those in remote regions → These isolated locations often lack any reasonable physical security.

Old software means unpatched vulnerabilities—ones criminals can exploit—and isolated areas make it easier for criminals to gain physical access to the internal ports of the motherboard. This is especially typical of old ATM machines located in regions with few resources and no budget for ATM upgrades. Combined, these factors make ATMs not only a highly profitable target—but an easy one.

From 2017 to 2019, there has been a marked increase in ATM attacks, due to a few families being particularly active. These target systems around the globe, regardless of the vendor, and have one of two goals: either stealing customers’ information or funneling funds directly from the bank.

Considering all of the above, we decided to delve further into what has been happening in the world of ATM/PoS malware for the last few years.

ATM/PoS malware attacks: by the numbers

To gain a closer look at ATM malware worldwide, we utilized the statistics processed by Kaspersky Security Network (KSN) over the course of the past three years globally.

Figure: Number of unique devices that encountered ATM/PoS malware, 2017-2019

The results showed that the number of unique devices protected by Kaspersky that encountered ATM/PoS (point-of-sale) malware at least once experienced a two-digit growth in 2018—and this number held steady, even increasing slightly, in 2019.

Figure: Geography of unique devices that encountered ATM/PoS malware, 2017

TOP 10 countries by number of unique devices that encountered ATM/PoS malware in 2017

Rank  Country             Devices
1     Russian Federation  1016
2     Brazil              423
3     Vietnam             281
4     United States       148
5     India               137
6     Turkey              96
7     China               94
8     Germany             58
9     Philippines         53
10    Mexico              51

The ten countries with the greatest number of unique devices affected by ATM/PoS malware were relatively dispersed around the globe, with the highest number in Russia. Russia has a long history of threat actors targeting financial institutions. For example, it was in 2017 that Kaspersky researchers uncovered an ATM malware dubbed “ATMitch” that was gaining remote access control over ATMs at Russian banks. In addition, the relatively high rates in both Brazil and Mexico can be partially attributed to Latin America’s longstanding history as a hotspot of ATM malware.

Figure: Geography of unique devices that encountered ATM/PoS malware, 2018

TOP 10 countries by number of unique devices that encountered ATM/PoS malware in 2018

Rank  Country             Devices
1     Russian Federation  1370
2     Brazil              753
3     Italy               537
4     United States       519
5     Vietnam             433
6     India               408
7     Thailand            369
8     Germany             277
9     Turkey              224
10    Iran                198

In 2018, the countries with the greatest number of unique devices that encountered ATM/PoS malware remained distributed worldwide and largely the same as in 2017, with the highest activity again recorded in Russia and Brazil.

The overall increase in the number of devices affected can be attributed both to the reappearance of existing ATM malware and to the development of new families:

  • ATMJackpot first appeared in Taiwan back in 2016. It infects the banks’ internal networks, allowing it to withdraw funds directly from the ATM. ATMJackpot was able to reach thousands of ATMs.
  • WinPot was discovered at the beginning of 2018 in Eastern Europe and was designed to make the infected ATM automatically dispense all cash from its most valuable cassettes. Because of its time counter, its execution is time-dependent: if the targeted system’s time does not fall within the preset period during which the malware was programmed to work (e.g. March), WinPot silently stops operating without showing its interface.
  • Ice5 originated in Latin America. Its engineering tool is written in a scripting language that allows the attackers to achieve a significant level of manipulation over the infected ATMs. The initial infection occurs via the USB port.
  • ATMTest, seen in 2018, is a multi-stage infection. It requires console access to the ATM, meaning the attackers have to gain remote access to the bank’s networks. This malware was originally coded to steal money in rubles.
  • Peralta was an evolution of the infamous ATM malware project called Ploutus, which led to losses of $64,864,864.00 across 73,258 compromised ATMs. Both Peralta and Ploutus originated in Latin America.
  • ATMWizX was discovered in the fall of 2018 and dispenses all cash automatically, starting with the most valuable cassettes.
  • ATMDtruck also appeared in the fall of 2018, with indications that the first victims were in India. It collects enough information from the payment cards inserted into the infected ATM to clone them. It drops the malware “Dtrack”, which is a sophisticated spy tool.

Figure: Geography of unique devices that encountered ATM/PoS malware, 2019

TOP 10 countries by number of unique devices that encountered ATM/PoS malware in 2019

Rank  Country             Devices
1     Russian Federation  2306
2     Iran                1178
3     Brazil              819
4     Vietnam             416
5     India               353
6     Germany             228
7     United States       220
8     Italy               197
9     Turkey              149
10    Mexico              114

This past year, the ten countries with the highest level of ATM/PoS malware activity remained the same, with only one change: Mexico once again entered the top ten, while Thailand left.

Overall, the total number of devices affected increased once again. In fact, ATM/PoS malware activity reached new levels by the spring of 2019 with a string of operations: ATMqot, ATMqotX, and ATMJaDi. ATMgot operates directly on the ATM using the dispenser to withdraw the maximum number of banknotes allowed; if it cannot do this, it will default to 20 notes. This malware also possesses anti-forensic techniques that allow it to delete traces of the infection from the ATMs, as well as some video files, which could potentially be used as part of video monitoring.

ATMJadi originated in Latin America and is capable of cashing out ATMs. Since it is a Java-based project built for a specific ATM platform, it is platform-dependent and thus highly targeted. In order to install it, the attackers must gain access to the bank’s network, which suggests they first compromise the bank’s infrastructure. But what is perhaps most interesting is the false-flag section containing strings in the Russian language.

The problem of cyberattacks is compounded by the use of outdated and unpatched systems. That means that, even as new 2019 malware families were developed, the old ATM families from the previous years can still be used to launch successful attacks.

A look towards the future

ATM/PoS malware will only continue to evolve, and so, we will continue to monitor the ecosystem closely. We’ve already seen WinPot, first discovered in 2018, active this year in different parts of the world.

Latin America has long been known as a region of innovative cybercriminals who also adopt techniques used in other regions. It is not surprising, then, that a new trend was recently discovered in development: an ATM malware-as-a-service (MaaS) project whereby a group in Latin America is attempting to sell ATM malware developed for each major vendor on the market. Projects like these provide further evidence that the world of ATM malware is still evolving, with cybercriminals continuously developing better attack strategies.

Our research has also shown that, beyond Latin America, countries in Europe and the APAC region are of particular interest to ATM attackers, as is the United States. This signifies that ATM malware is a truly global threat. After all, ATMs are located in nearly every country, and few systems offer access to such massive amounts of funds.

How, then, can you protect your money? No matter how digital banking has become, ATMs are still an inevitable part of managing your funds. While you cannot control whether or not an ATM is attacked, by conscientiously monitoring your accounts and financial transactions you can make sure suspicious activity is quickly identified and the proper channels duly notified. This should help mitigate the damage caused by any attack.

For financial institutions, staying secure requires a comprehensive, multi-step approach:

  1. Evaluate which attack vectors are more likely to be used and generate a threat model. This will depend, for example, on what network architecture is in place and where the ATM is installed – a place not controlled by your organization, such as a wall on the street, or an office under video surveillance, etc.
  2. Determine which ATMs are outdated or run an OS version that is reaching the end of its vendor support. If you cannot replace the legacy devices, account for this fact in your threat model and choose security solution settings that do not degrade the device’s performance.
  3. Regularly conduct security assessments or pentests of ATMs to find possible cyberattack vectors. Kaspersky’s threat hunting service can also help you find sophisticated cybercriminals.
  4. Regularly review the physical safety of ATMs to detect abnormal elements implemented by attackers.
  5. If ATM configurations permit it, install a security solution that protects the devices from different attack vectors, such as Kaspersky Embedded Systems Security. If the device has extremely low system specs, the Kaspersky solution can still protect it with a Default Deny whitelisting scenario.

PoS terminals are in many aspects similar to ATMs, but still possess a number of differences to be mindful of—and tackled accordingly. Apart from the steps mentioned above (which remain applicable), the following must be taken into account:

  1. Often more powerful than an average ATM, Windows-based PoS terminals give attackers more room to maneuver and are capable of running a broad range of modern malware and hacking tools. This makes implementation of multi-layered protection a must.
  2. While also residing in public spaces, they generally lack ATMs’ heavy armor. Therefore, they are more susceptible to direct attacks using unauthorized devices. This makes properly configured Device Control even more valuable.
  3. As they are frequently involved not only in financial but also personal data processing, they are more attractive targets for cyberattacks and are subject to more legislation. Combined with the direct-attack scenarios above, this makes file integrity monitoring and log inspection mandatory, preferably implemented in a way that allows changes to be tracked offline, so that an attacker with control of the terminal cannot also rewrite the record of what changed.
  4. Embedded systems should be protected not only by host-based security but also by network-level security, such as Secure Web Gateways or next-generation firewalls capable of detecting and blocking unsolicited communications with other systems both inside and outside the company’s infrastructure.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Protect your phone from malicious apps by malware scanner VirusTotal Mobile – Disposable mail news


Google last year removed 85 apps from the Play Store after security researchers found that these apps were adware in disguise.
These were all sorts of applications, from gaming and TV apps to remote-control simulators on the Android Play Store. This shows that even apps from the Google Play Store are not necessarily safe and could be running code and scripts on your phone.

Some of these apps even had API key certificates, and apart from these 85 apps, there may be other malicious apps that remain undetected. It is imperative to protect our phones and machines from such harmful apps and from other files that may have been downloaded from “unknown sources”.
It is always good to grant permissions to applications carefully, but some apps could still be running in the background, replicating viruses or downloading malware files onto your phone.

One way to protect your phone from such attacks is by using a malware scanner.
A virus/malware scan is the process in which software scans a computing device and identifies viruses. Through a scan, you can review and identify threatening viruses and programs. Anti-virus software will also do the job, but scanning with a dedicated scanner adds an extra layer of security, since such scanners typically carry more virus and malware signatures and check files against multiple anti-virus engines rather than a single one.

VirusTotal Mobile, an Android application available on the Play Store, is a virus scanner app that scans the applications installed on your phone for malicious content such as malware, viruses, trojans or worms and notifies you if any is found. Scanning your phone for viruses and removing any malware found on your device is a critical part of maintaining your mobile device. If a virus does get onto your phone and is not removed, it could result in numerous problems: you could lose important data, your personal data could be leaked, or your device could be compromised.

The app, VirusTotal Mobile, scans your applications with more than 50 anti-virus engines, flagging suspicious content; files and URLs can be checked as well, not only apps. It is developed by VirusTotal.com, a trusted virus, malware and URL scanner. It is good to remember that the app only reports malicious content and does not remove the malware.

Simple, effective and fast (without those annoying ads or pings), VirusTotal Mobile is a must-have tool to protect your phone from dubious apps that could be running pre-installed code.



Hackers Use SSL Certificates to Launch Malware Attack – Disposable mail news



The latest report published by Menlo Security indicates that 52% of the top one million websites have “HTTPS” in their URL rather than traditional “HTTP.”

Despite this, the data says that these organizations that don’t conduct satisfactory SSL reviews are more vulnerable to breaches and cyberattacks.

According to recent research, hackers now use SSL when creating phishing websites as well, which undermines the organization’s effort to keep its workers safe. While 96.7% of all user-initiated website visits go over HTTPS, only about 58% of URL connections from email do, and firewalls and proxies remain unaware of the threat inside those encrypted connections until the organization conducts SSL inspection.

Users who believe the green lock sign of HTTPS means they are safe may want to reconsider, because hackers use encryption too. Many people still think that as long as they have an SSL certificate, their web space is secure, which unfortunately is not the case. Recent cyberattacks show that malware is now hiding behind these SSL certificates and the lock sign that was once a symbol of safety.

Many organizations from the beginning have relied upon firewalls and proxies to ensure the safety of web access.

But many organizations today skip SSL decryption and inspection, which has become crucial. It should be noted that when SSL decryption is enabled, the throughput of these devices drops by a factor of five, which is why these enterprises refrain from conducting SSL inspection.

Since 2014, even Google started giving priority in rankings to HTTPS websites on its Search Engine Result Page, considering they are safer.

According to Kowsik Goswami, chief technology officer at Menlo Security, there are many reasons why enterprises don’t turn on SSL inspection. The main reason is privacy, as many organizations are concerned about their employees’ privacy when they inspect the links the employees have visited. The other reason is performance, as throughput drops by a factor of 5 when SSL inspection is on.

