News Technology

Terminator RAT became more sophisticated in recent APT attacks

Advanced Persistent Threat (APT) is a term for targeted attacks on enterprises and other organizations; more recently it has referred to what appear to be nation-state intelligence agencies using cyber assaults for both conventional and industrial espionage.
Advanced threats have targeted control systems in the past, and these attacks use commercially available and custom-made advanced malware to steal information or perpetrate fraud.
Terminator RAT has been used against Tibetan and Uyghur activists before. While tracking attacks against entities in Taiwan, the cyber security company FireEye Labs recently analyzed new samples of ‘Terminator RAT’ (Remote Access Tool) that were sent via spear-phishing emails to targets in Taiwan.

The victims were sent a Word document as an attachment; it exploited a vulnerability in Microsoft Office (CVE-2012-0158) and subsequently dropped a malware installer named “DW20.exe”.

Sometimes the simplest techniques can foil the complex systems created by security firms and large enterprises to detect malicious programs and files. Let's see which evasion techniques this advanced version of Terminator RAT is using:

This executable first creates its working folders at “%UserProfile%\Microsoft” and “%AppData%\2019”, where it stores its configuration and executable files (svchost_.exe and sss.exe).

Image: the Startup folder path being edited in the registry

The malware terminates and removes itself after installation; it only runs after a reboot. This is an effective way to evade automatic sandbox analysis, since the malicious activity is only revealed after a reboot.

The RAT (svchost_.exe) will collaborate with its relay (sss.exe) to communicate with the command and control server at / and /

This component (sss.exe) acts as a network relay between the malware and the proxy server, listening on port 8000.

The “2019” folder was then configured as the new Startup folder location by changing the registry value “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup”, which deters forensic investigation because persistence no longer lives in the default startup location.

To deter file-based scanners that skip files above a maximum size, the malware also pads svchost_.exe to 40MB.
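As an added defender-side example (not from FireEye or the original post), the following Python parses the text printed by `reg query` for the Shell Folders key and flags a Startup value that no longer points at the default `...\Start Menu\Programs\Startup` location, plus any autorun binary large enough to be skipped by a size-capped scanner. The registry output and file sizes are constructed, and the 20MB threshold is an assumed tuning value.

```python
import re

# The RAT above rewrites the "Startup" value under this key so that Explorer
# runs its autostart entries from a folder an investigator would not look in.
SHELL_FOLDERS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
DEFAULT_STARTUP_SUFFIX = r"\start menu\programs\startup"
# Scanners that skip files above a size cap are exactly what the 40MB padding
# targets, so anything this large in an autorun location deserves a look.
# 20MB is an assumed threshold; tune it to your scanner's actual cap.
SIZE_LIMIT_BYTES = 20 * 1024 * 1024

# reg.exe prints one value per line as: <4 spaces>name<4 spaces>type<4 spaces>data
_VALUE_RE = re.compile(r"^ {4}(.+?) {4}(REG_[A-Z_]+) {4}(.*)$")


def parse_reg_query(output: str) -> dict:
    """Parse `reg query <key>` output into {value name: data}."""
    values = {}
    for line in output.splitlines():
        m = _VALUE_RE.match(line)
        if m:
            values[m.group(1)] = m.group(3)
    return values


def startup_findings(reg_output: str, startup_files: dict) -> list:
    """Return findings for a redirected Startup folder and oversized autoruns.

    startup_files maps file name -> size in bytes for the directory the
    Startup value currently points at.
    """
    findings = []
    startup = parse_reg_query(reg_output).get("Startup", "")
    if not startup.lower().rstrip("\\").endswith(DEFAULT_STARTUP_SUFFIX):
        findings.append(f"Startup folder redirected to {startup!r}")
    for name, size in startup_files.items():
        if size >= SIZE_LIMIT_BYTES:
            findings.append(f"oversized autorun binary {name} ({size // (1024 * 1024)} MB)")
    return findings


# Constructed sample: a redirected Startup value and the padded dropper.
SAMPLE_REG_OUTPUT = "\n".join([
    "",
    SHELL_FOLDERS_KEY,
    "    AppData    REG_SZ    C:\\Users\\alice\\AppData\\Roaming",
    "    Startup    REG_SZ    C:\\Users\\alice\\AppData\\Roaming\\2019",
    "",
])
SAMPLE_FILES = {"svchost_.exe": 40 * 1024 * 1024, "sss.exe": 120_000}

if __name__ == "__main__":
    for finding in startup_findings(SAMPLE_REG_OUTPUT, SAMPLE_FILES):
        print(finding)
```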

It is clear that cybercrime is getting more organized and cybercriminals far more sophisticated. Attackers use stealthy or advanced malware to infiltrate hosts in networks and steal valuable data, and APT attacks are becoming more sophisticated and harder to detect.

Cr0w Tom

Apple’s own Encryption Mechanism allows hacker to create an Undetectable Mac OS X Malware

In the past there was a general belief that Macs are much more secure than Windows PCs, but Mac malware is now a serious threat to the security of users’ computers and information.
One of the reasons behind the increase in Mac related Malware attacks is the fact that Apple products are popular with many prominent businessmen and influential politicians.
Daniel Pistelli, reverse engineer, lead developer of Cerbero Profiler and former developer of IDA Pro, has come up with another interesting piece of research and explained to The Hacker News the basic details of the technique he used to create an undetectable malware for Mac OS X.

Apple internally implements an encryption mechanism to protect some of its own executables, such as “” or “”. This encryption can be applied to malware as well. If one does so, anti-malware solutions can no longer detect the malware because of the encryption, but OS X has no problem loading it.
The same protection mechanism can be applied to existing malware that anti-malware products already detect, making it completely undetectable: those same products no longer recognise the malware because they do not understand the encrypted format.
Currently it is true that fewer malware programs target Mac OS X than Windows. However, that doesn’t mean that Macs are totally secure.


To mitigate this problem, Daniel suggests that anti-malware vendors either support the actual decryption or, alternatively, trust encrypted executables only when they are signed by Apple. Read the complete technical details of the method on Daniel’s blog.
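Added example (not Pistelli's code and not part of the original article): a Python parser that walks a thin Mach-O's load commands and reports segments carrying the SG_PROTECTED_VERSION_1 flag, the encrypted-segment marker from Apple's mach-o/loader.h, which the article does not name. A scanner can use it to route such binaries to code-signature verification, as the mitigation above suggests, instead of trusting a content scan that only sees ciphertext. The sample binary is constructed in the block (headers only, no code).

```python
import struct

MH_MAGIC_64, MH_MAGIC = 0xFEEDFACF, 0xFEEDFACE  # little-endian thin Mach-O magics
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
SG_PROTECTED_VERSION_1 = 0x8  # loader.h segment flag: segment pages are encrypted on disk
CPU_TYPE_X86_64, MH_EXECUTE = 0x01000007, 2


def protected_segments(data: bytes) -> list:
    """Return [(segment name, is_protected)] for every segment load command.

    A scanner reading the raw file bytes of a protected segment only sees
    ciphertext, so a hit here means "verify the code signature" rather than
    "clean": the content scan is blind for that segment.
    """
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        hdr_len, seg_cmd, seg_fmt = 32, LC_SEGMENT_64, "<II16sQQQQiiII"
    elif magic == MH_MAGIC:
        hdr_len, seg_cmd, seg_fmt = 28, LC_SEGMENT, "<II16sIIIIiiII"
    else:
        raise ValueError("not a little-endian thin Mach-O (fat binaries not handled)")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    off, end, segments = hdr_len, hdr_len + sizeofcmds, []
    if end > len(data):
        raise ValueError("sizeofcmds runs past end of file")
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command size")
        if cmd == seg_cmd:
            if cmdsize < struct.calcsize(seg_fmt):
                raise ValueError("truncated segment command")
            fields = struct.unpack_from(seg_fmt, data, off)
            name = fields[2].rstrip(b"\0").decode("ascii", "replace")
            segments.append((name, bool(fields[-1] & SG_PROTECTED_VERSION_1)))
        off += cmdsize
    return segments


def needs_signature_check(data: bytes) -> bool:
    """True when any segment is encrypted, i.e. a content scan alone cannot clear the file."""
    return any(protected for _, protected in protected_segments(data))


def build_sample(text_flags: int) -> bytes:
    """Constructed minimal x86_64 Mach-O (headers only, no code) for offline testing."""
    cmds = b""
    for name, flags in (("__TEXT", text_flags), ("__DATA", 0)):
        cmds += struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, name.encode().ljust(16, b"\0"),
                            0, 0x1000, 0, 0x1000, 7, 5, 0, flags)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_X86_64, 3, MH_EXECUTE,
                         2, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    print(protected_segments(build_sample(SG_PROTECTED_VERSION_1)))
```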

The events of recent years have led many users to question just how secure Mac really is.

Cr0w Tom

NSA using Browser Cookies to track Tor Users

Web Cookies can track Tor Users easily
Yesterday a new classified NSA document leaked by Edward Snowden, titled ‘Tor Stinks’, showed ideas being kicked around for identifying Tor users or degrading the user experience to dissuade people from using the Tor browser.
The NSA has a very hard time tracking down all Tor users and monitoring their traffic, especially since Tor servers are all over the world, but it makes tracking easier by adopting the following techniques:
  1. Running its own hostile Tor nodes
  2. Using a zero-day vulnerability in the Firefox browser
  3. Tracking users’ browser cookies
Tor access node tracking is not new, and the document says that both the NSA and GCHQ run Tor nodes themselves. In order to trace traffic back to a particular Tor user, the NSA needs to know the ‘entry, relay and exit’ nodes in the anonymizer cloud between the user and the destination website.
So for tracking purposes they used self-hosted nodes, which are able to trace only a very small number of Tor users in comparison to the whole system. It is also very difficult for the intelligence community to run enough nodes to be useful for tracking.

In the second method, the NSA targeted Tor users using a zero-day vulnerability in the Firefox browser bundled with Tor, which allowed them to obtain the real IP address of a Tor user. Using the same technique, the FBI was able to track the owner of ‘Freedom Hosting’, the biggest service provider for sites on the encrypted Tor network, which hosted many child pornography sites. Mozilla has since fixed that Firefox flaw.

In another method, the NSA uses web cookies to track Tor users widely. Even if you are using the Tor Browser, that doesn’t mean your browser isn’t storing cookies on the system.
A cookie is a plain text file that sits on your computer in a temporary folder and stores data about a browsing session. If you log into a website, it generally sets a cookie to temporarily store your information so you don’t have to log in every time you change a page, because on your next visit the website can read your information back from the cookies stored in the browser.
A cookie can track your browsing behaviour. Advertising companies such as Google and Bing use this data to understand how users use their partner websites and to optimize their networks for the average visitor.
How is the NSA using cookies to track Tor users?
Suppose there is a famous online shopping website owned or controlled by the NSA. When a normal user opens that website from their own real IP address, the website creates a cookie in the user’s browser that stores the real IP address and other personal information about the user.
When the same user visits the same NSA-owned website again, this time with Tor enabled on the same browser, the website reads the previously stored cookie from the browser, which includes the user’s real IP address and other personal information. The website then only needs to maintain a database mapping real IP addresses to the Tor-proxied (exit node) IP addresses to track anonymous users.
The more popular the site is, the more users can be tracked. Documents show that the NSA uses online advertising such as Google Ads to make its tracking sites popular on the internet.
How can you avoid cookie tracking?
One browser can’t read the cookies created by another browser, so don’t use Tor on the same browser that you use for regular browsing with your real IP address. Use only the standard Tor Browser Bundle, which includes a preconfigured Firefox browser, for anonymous activities. Anything you do inside that browser is anonymized.
You should always clear the cookies after you’re done, so that stored information such as login details does not remain on that computer.
If you are doing something very interesting, you should use Tor in a virtual machine with a live OS so that cookies, cache and other OS data are discarded when the machine is shut down.

This same technique is used by the Chinese government to block its citizens from reading censored internet content, and has been hypothesized as a probable NSA attack technique, but neither effort was successful enough to compromise the network as a whole.


Cr0w Tom


The FBI busted Silk Road, but not the ‘dark web’ behind it

Silk Road, the underground website where dealers sold illegal drugs, was supposed to be safe. The site was nestled deep in the dark web, accessible only through the anonymizing network Tor. All transactions were done in the anonymizing virtual currency Bitcoin. Its owner-operator, Dread Pirate Roberts, was said to be a criminal mastermind and technical wunderkind who never left a trail. It was all very hackerish and clandestine.

And yet, today the FBI shut down the site and arrested Dread Pirate Roberts. “This is supposed to be some invisible black market bazaar. We made it visible,” an FBI spokesperson told Forbes after the bust. “No one is beyond the reach of the FBI. We will find you.”

This was all very alarming for the community of Silk Road users who believed that technology was keeping them safe. Actually, it was alarming for anyone who uses the Tor network for privacy — which includes journalists, activists, and even law enforcement. How could the FBI take down a site protected by Tor, the gold standard for anonymity?

Tor stands for The Onion Router, a reference to its layers of security. Tor has two main functions: one for users, one for website operators. First, Tor protects users who want to mask their activities on the web; connect to Tor, and your data will be bounced around, making random stops, until its true origin is nearly impossible to identify.

“The idea is similar to using a twisty, hard-to-follow route in order to throw off somebody who is tailing you — and then periodically erasing your footprints,” according to the nonprofit Tor Project, which leads development on the open source software. Users who bought and sold on the Silk Road were all signed into Tor at the time.

The second use case for Tor is to protect websites by requiring that all traffic to the site be untraceable. These “hidden services” are only accessible through Tor, creating a second, secret internet that some call the “dark web.” These sites are invisible to Google’s spiders, and there is no search engine for the dark web. Users must be signed into Tor and must know the exact address of where they’re going. In theory, assuming other precautions are taken with the actual software running the server, Tor should protect websites from revealing the location of their servers.

The FBI managed to locate the server that was hosting Silk Road, however. So does this mean Tor failed?

While it is possible that the FBI discovered some vulnerability in Tor that was not disclosed in the criminal complaint, it seems much more likely that this was old-fashioned police work. Dread Pirate Roberts made a number of errors, according to the FBI, including connecting to the Silk Road server using only a Virtual Private Network and not Tor and using an email address that contained his real name in a way that could be traced back to Silk Road. The police even intercepted a Silk Road package containing nine pieces of fake identification with the photo of the man they eventually arrested.

“Tor is not broken,” Karen Reilly, development director at the Tor Project, said in an email. “According to the criminal complaint, the accused was found through mistakes in operational security. Tor can not protect you if you use your legal name on a public forum, use a VPN with logs that are subject to a subpoena, or use any other services that collect personal information that is freely given or collected in the background.”

In other words, it looks like this was a case of sloppiness.

The FBI says in its complaint that it obtained an “image” of the Silk Road server, which is a technical term in computer forensics that refers to a bit-for-bit copy. That usually means the data was obtained from a service provider, Chester Wisniewski, a senior security advisor for network security firm Sophos, told The Verge. Even if the server was hosted outside the US, Silk Road was trafficking in drugs, guns, hacking software, child pornography, and even murder-for-hire.

“That’s the problem with Silk Road,” Wisniewski says. “If you’re dealing in stolen music and software, you can get away with that all day long. Once you start engaging in the variety of things that were going on at places like Silk Road, there’s almost always a violation of the law. Any country at some point will comply with a lawful request for data.”

Indeed, the complaint says the image was obtained via a Mutual Legal Assistance Treaty request, suggesting cooperation with a foreign government. Having a copy of the server would have allowed the FBI to comb through private messages and turn up more ways to find Dread Pirate Roberts. The FBI has held back on releasing all the details of its investigative techniques, and some won’t be revealed until a trial, if ever. The complaint refers to persons “known and unknown” who helped Dread Pirate Roberts, suggesting that maybe the FBI knew administrators or mods who could have been turned into informants.

It’s also possible that the data was obtained from the server through some kind of virus or malware injected by the FBI, which wouldn’t be Tor’s fault, either. The FBI has in the past used malware to compromise servers for hidden services, as it admitted two weeks ago in connection with the bust of a company that provided hosting for them. However, that doesn’t seem to be what happened in this case.

“Tor is still the single biggest leap forward in my lifetime for anonymity on the internet,” says Steve Santorelli, a former Scotland Yard detective and spokesperson for Team CYMRU, a security research firm focused on the internet. “Literally, people’s lives get saved because of Tor. But there are so many different ducks that need to be lined up for you to be completely bombproof. That’s why people go to jail.”


Cr0w Tom


iMessage for Android. Be careful what you trust!

A new app, which claims to bring Apple’s proprietary iMessage chat service to Android users, is raising concerns.

The free app, called iMessage Chat, is available in Google’s official Android Play store, and appears to allow Android users to instant message with their iPhone/iPad/Mac-owning buddies.

Curiously, the app was not written by Apple but by a third-party Android developer called Daniel Zweigart.

Perhaps surprisingly, Android users who have tested out the software claim that the app *does* work, and does allow you to send and receive messages between Android smartphones and users of Apple devices.

But at what cost are these messages being sent?

Sure, you don’t have to pay any money to send a message – iMessage between Apple devices is also free – but there are other considerations.

iMessage for Android

As 9to5Mac reports, the Android app fools Apple’s servers into believing it is a Mac mini in order to exchange messages with your Apple-loving friends.

And to do that, you need to enter your Apple ID and password.

The same password that you use to buy apps, movies and music. The same user ID and password that you use to locate your iPhone when you lose it.

You should never hand those details over to strangers.

And there’s more…

Jay Freeman, the developer behind the Cydia app store for jailbroken iPhones, raised concerns on Google Plus that the Android iMessage app doesn’t appear to connect directly with Apple’s servers, but instead processes any messages and data it receives via servers in China.


Another developer, Steve Troughton-Smith, warned on Twitter that the Android iMessage app had the ability to silently download code onto devices in the background – a feature which could be used to install malware.

I cannot state with certainty that this Android version of iMessage Chat was written with malicious intentions, but clearly there are more than enough reasons to stay well away from it.

No doubt Apple won’t delay in trying to stamp it out too. Not only will they be unhappy about their iMessage trademark being used without permission, they surely will be concerned that Android users might somehow imagine that the software has been officially endorsed by the firm.

iMessage in the Google Play store

I wouldn’t be surprised if Apple has a quiet word in Google’s ear and asks them to remove iMessage Chat from the Android app store sooner rather than later. Of course, that won’t prevent the .apk appearing on third-party app marketplaces, elsewhere on the web.

Once again, Google’s policing of its marketplace is brought into question by this definitely shady-looking app.

Cr0w Tom