Sunday, 10/21/2018 1:20:09 PM

Password and credit card-stealing Azorult malware adds new tricks

https://www.zdnet.com/article/password-and-credit-card-stealing-azorult-malware-adds-new-tricks/

Malware can now steal more types of cryptocurrency and comes with other updates, likely in response to a free version being leaked online

A form of password, credit card details and cryptocurrency-stealing malware has been updated, making it even more potent for cyber criminals.

The Azorult malware has been operating since 2016 and enables crooks to steal credentials including passwords, credit card details, browser histories and contents of cryptocurrency wallets from victims.

Now a new version of it is being advertised in an underground forum, as uncovered by researchers at tech security company Check Point, who describe it as "substantially updated".

New features include the ability to steal additional forms of cryptocurrency from the wallets of victims - BitcoinGold, electrumG, btcprivate (electrum-btcp), bitcore and Exodus Eden.

Reflecting the fast pace of malware development, the developer of Azorult also boasts improvements to the cryptocurrency wallet stealer components and improvements to the loader.

Researchers also note some behind-the-scenes changes compared to previous versions of the malware, including a new encryption method to obfuscate the domain name, as well as a new key for connecting to the command and control server.

This new version of the malware first appeared for sale on October 4 - shortly after source code for Azorult versions 3.1 and 3.2 was leaked online. Check Point has already seen the free tools being used to power Gazorp, a malware builder which allows users to essentially generate an earlier version of Azorult at no cost.

It's likely this that has spurred the author of Azorult into releasing a new and improved version of the malware for sale.

"It is plausible that the Azorult's author would like to introduce new features to the malware and make it worthy as a product in the underground market," said Israel Gubi, malware researcher at Check Point.

The latest version of Azorult is delivered through the RIG exploit kit, using vulnerabilities in Internet Explorer and Flash Player to launch JavaScript, Flash, and VBscript-based attacks to distribute malware to users.

Previous versions of Azorult have also been known to be distributed via phishing emails which encourage potential victims to download a malicious Microsoft Word attachment, which when run, takes advantage of exploits in order to download and install the malware.

With Azorult seemingly reliant on known vulnerabilities to spread, users can go a long way to protect themselves from falling victim to it by ensuring they've installed the relevant software updates and patches.
=================================================================
Kaspersky says it detected infections with DarkPulsar, alleged NSA malware

https://www.zdnet.com/article/kaspersky-says-it-detected-infections-with-darkpulsar-alleged-nsa-malware/

Victims located in Russia, Iran, and Egypt; related to nuclear energy, telecommunications, IT, aerospace, and R&D.

Kaspersky Lab said today that it detected computers infected with DarkPulsar, a malware implant that has been allegedly developed by the US National Security Agency (NSA).

"We found around 50 victims, but believe that the figure was much higher," Kaspersky Lab researchers said today.

"All victims were located in Russia, Iran, and Egypt, and typically Windows 2003/2008 Server was infected," the company said. "Targets were related to nuclear energy, telecommunications, IT, aerospace, and R&D."

Kaspersky researchers were able to analyze DarkPulsar because it was one of the many hacking tools that were dumped online in the spring of 2017.

The hacking tools were leaked by a group of hackers known as the Shadow Brokers, who claimed they stole them from the Equation Group, a codename given by the cyber-security industry to a group that's universally believed to be the NSA.

DarkPulsar went mostly unnoticed for more than 18 months as the 2017 dump also included EternalBlue, the exploit that powered last year's three ransomware outbreaks -- WannaCry, NotPetya, and Bad Rabbit.

Almost all the infosec community's eyes have been focused on EternalBlue for the past year, and for a good reason, as the exploit has now become commodity malware.

But in recent months, Kaspersky researchers have also started to dig deeper into the other hacking tools leaked by the Shadow Brokers last year.

They looked at FuzzBunch, which is an exploit framework that the Equation Group has been using to deploy exploits and malware on victims' systems using a CLI interface similar to the Metasploit pen-testing framework.

They also looked at DanderSpritz, a FuzzBunch plugin that works as a GUI application for controlling infected victims.

DarkPulsar is a FuzzBunch "implant," a technical term that means "malware," that's often used together with DanderSpritz.

But in a report released today, Kaspersky researchers said the DarkPulsar code included in the Shadow Brokers leak isn't the entirety of DarkPulsar.

"We analyzed this tool and understood that it is not a backdoor itself, but the administrative part only," Kaspersky said.

A major breakthrough came when they realized that some constants from the DarkPulsar administrative interface code were also most likely used by the actual malware.

Researchers created special rules to detect these constants in files scanned by the Kaspersky antivirus. This is how they detected the roughly 50 computers that were still infected with the actual DarkPulsar malware.

Based on the functions they found in the DarkPulsar admin interface, researchers say the malware is primarily used as a backdoor to infected computers.

The malware's main features are its ability to run arbitrary code via a function named "RawShellcode" and the ability to upload other DanderSpritz payloads (malware) via the "EDFStageUpload" function, greatly expanding the operator's hold and capabilities on an infected system.

Kaspersky researchers also believe that the number of computers that have been infected with DarkPulsar is most likely larger than the 50 detections they found.

The malware also included a self-delete function, which Equation Group operators likely used to cover their tracks after the Shadow Brokers dumped their tools online.

"So the 50 victims are very probably just ones that the attackers have simply forgotten," researchers said.

As for who is behind these hacks, Kaspersky didn't say. It is unclear if the Shadow Brokers managed to get their hands on the full DarkPulsar malware but then opted not to include the actual backdoor in the package of leaked tools.

These 50 infections could very easily be the work of Equation Group cyber-espionage operations or the work of the Shadow Brokers themselves.
==================================================================
These two articles discuss malware and Wave has Wave Endpoint Monitor, which doesn't have to be modified to detect complicated strains of malware; it's ready to detect malware out of the box. If the computers in article 2 were using Wave Endpoint Monitor in the first place, Kaspersky wouldn't have had the malware to detect! imo.

Besides using WEM in article one to detect the malware, Wave VSC 2.0 would have rendered the password stealing moot due to a PIN number and the TPM protecting the computer.
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card

https://www.wavesys.com/malware-protection

https://www.wavesys.com/products/wave-endpoint-monitor

https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management

https://www.wavesys.com/