VirusTotal Archives – Gridinsoft Blog

Hundreds of Military and Intelligence Agencies Uploaded Data to VirusTotal
Thu, 20 Jul 2023 11:03:17 +0000
https://gridinsoft.com/blogs/intelligence-data-on-virustotal/

The post Hundreds of Military and Intelligence Agencies Uploaded Data to VirusTotal appeared first on Gridinsoft Blog.

An employee of the Google-owned platform VirusTotal accidentally uploaded a file with the names, email addresses and other data of hundreds of people working in intelligence agencies and ministries of defense around the world. In particular, the list includes persons associated with the US Cyber Command, the NSA, the Pentagon, the FBI and a number of units of the US Army.

Interestingly, just the other day we wrote about a large leak of letters from the US military due to a typo, and we also wrote about a Western Digital data leak after a hack.

US Military Agencies Data on VirusTotal

Der Spiegel journalists were the first to leak an important 313 kilobyte file containing information about 5600 VirusTotal clients. According to them, the list contains the names of organizations and email addresses of employees who have registered accounts.

The publication emphasizes that it has verified the authenticity of the list and made sure that many of the people listed are actually civil servants, and some of the victims can be easily found on LinkedIn. According to media reports, more than 20 entries on the list belong to members of the US Cyber Command, the US Department of Justice, the Pentagon, the federal police, the FBI, the NSA, and so on.

From the UK, the list included more than ten employees of the Ministry of Defense, as well as email addresses belonging to employees of CERT-UK, which is part of the country’s Government Communications Center (GCHQ). According to the GCHQ email format, employee mailboxes contain only the initials of each user’s last name. However, full names are contained in email addresses belonging to specialists from the Ministry of Defense, the Cabinet of Ministers, the Office for the Decommissioning of Nuclear Power Plants and the UK Pension Fund.

In addition, employees of various ministries of Germany (including the Federal Police, the Federal Criminal Police Office and the Military Counterintelligence Service), Japan, the United Arab Emirates, Qatar, Lithuania, Israel, Turkey, France, Estonia, Poland, Saudi Arabia, Colombia, the Czech Republic, Egypt, Slovakia and Ukraine became victims of the leak. About 30 more email addresses belong to employees of Deutsche Bahn (Germany’s main railway operator), and the file also contains data about employees of the Bundesbank and such large companies as BMW, Mercedes-Benz and Deutsche Telekom.

Why is that so critical?

Although the leak only affects email addresses and names, even these can be valuable information for hackers. The fact is that the file sheds light on people who deal with cybersecurity and malware in many companies, departments and organizations. As a result, they can become targets for spear phishing attacks or social engineering. In addition, it can be understood from the list that, for example, some military personnel use personal mailboxes and personal Gmail, Hotmail and Yahoo accounts in their work.

Google representatives have already told the media that they are aware of the leak, and the company has already taken all necessary measures to eliminate it.

"We are aware that one of our employees inadvertently distributed a small segment of email addresses of customer group administrators and organization names on the VirusTotal platform. We removed the listing from the platform within an hour of posting it and are looking into our internal processes and technical controls to improve their performance in the future."
Google statement on the situation

Most Often, Malware to Bypass Protection Impersonates Skype, Adobe Acrobat and VLC
Fri, 05 Aug 2022 11:08:55 +0000
https://gridinsoft.com/blogs/malware-to-bypass-protection/

The post Most Often, Malware to Bypass Protection Impersonates Skype, Adobe Acrobat and VLC appeared first on Gridinsoft Blog.

VirusTotal analysts presented a report on the methods that malware operators use to bypass protection and increase the effectiveness of social engineering.

The study showed that attackers are increasingly imitating legitimate applications such as Skype, Adobe Reader and VLC Player to gain the trust of victims.

Let me remind you that we also wrote that scammers spread malware under the mask of the Brave browser, and that hackers mostly use Microsoft and DHL brands in phishing attacks.

"One of the simplest social engineering tricks we have seen is to make a malware sample look like a legitimate program. The icon is very important for such programs because it is used to convince victims that these programs are legitimate," experts say.

Attackers use various approaches to compromise endpoints by tricking users into downloading and running seemingly harmless executable files. Researchers report that in addition to Skype, Adobe Reader and VLC Player, hackers often disguise their programs as 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom and WhatsApp.

Such deception, among other things, is achieved through the use of legitimate domains in order to bypass firewall protection. Some of the most commonly abused domains are discordapp[.]com, squarespace[.]com, amazonaws[.]com, mediafire[.]com, and qq[.]com.

In total, the experts found at least 2.5 million suspicious files downloaded through 101 domains that are in the Alexa list of the top 1000 websites.

Another commonly used tactic is signing malware with valid certificates, usually stolen from software developers. Since January 2021, VirusTotal has detected over a million malware samples, of which 87% had a legitimate signature when they were first uploaded to the database.

VirusTotal also reports that it found 1,816 malware samples that disguised themselves as legitimate software, hiding in the installers of popular programs, including products such as Google Chrome, Malwarebytes, Zoom, Brave, Mozilla Firefox and Proton VPN.

"Thinking about the methods of attackers in general, we can conclude that they can use both opportunistic factors (for example, stolen certificates) in the short and medium term, as well as routine (most common) automated procedures, within which they seek to visually reproduce [legitimate] applications," the researchers conclude.

AstraLocker Ransomware Operators Publish File Decryption Tools
Wed, 06 Jul 2022 09:11:22 +0000
https://gridinsoft.com/blogs/astralocker-ransomware-operators/

The post AstraLocker Ransomware Operators Publish File Decryption Tools appeared first on Gridinsoft Blog.

AstraLocker ransomware operators have announced that the malware is ending its work and have uploaded data decryption tools to VirusTotal. The hackers say that they do not plan to return to ransomware in the future, but intend to switch to cryptojacking.

Bleeping Computer reports that it has already studied the archive published by the attackers and confirms that the decryptors are real and do decrypt the affected files.

Let me remind you that we also said that a free decryptor for BlackByte ransomware was published, and that cybersecurity specialists released a free decryptor for Lorenz ransomware.

Journalists note that they tested only one decryptor, which successfully decrypted files blocked during one of the AstraLocker campaigns. The other decryptors in the archive are apparently designed to decrypt files damaged during previous campaigns.

[Image: Archive content]

The journalists also managed to get a comment from one of the malware operators:

It was fun, but fun always ends. I close the whole operation, decryptors in ZIP files, clean. I’ll be back. I’m done with ransomware for now and I’m going to get into cryptojacking lol.

Although the malware developer did not say why AstraLocker suddenly stopped working, journalists believe that this may be due to recently published reports by security experts who studied the malware. This could bring AstraLocker to the attention of law enforcement.

Emsisoft, a company that helps ransomware victims recover data, is currently developing a universal decryptor for AstraLocker, which should be released in the near future.

What will we no longer see in the criminal world?

Threat intelligence firm ReversingLabs recently reported that AstraLocker used a somewhat unusual method of encrypting its victims’ devices compared to other strains of ransomware.

Instead of first compromising the device (hacking it or buying access from other attackers), the AstraLocker operator will directly deploy the payload from email attachments using malicious Microsoft Word documents.

The lures used in the AstraLocker attacks are documents that hide an OLE object with a ransomware payload that will be deployed after the target clicks “Run” in the warning dialog displayed when the document is opened.

Before encrypting files on a compromised device, the ransomware will check to see if it is running on a virtual machine, terminate processes, and stop backup and antivirus services that could interfere with the encryption process.

Based on analysis by ReversingLabs, AstraLocker is based on the leaked source code of Babuk Locker (Babyk) ransomware, a buggy yet still dangerous strain that came out in September 2021.

One of the Monero wallet addresses in the AstraLocker ransom note was also linked to the operators of the Chaos ransomware.
