
Doctor, doctor, I feel like my IoT-enabled vacuum cleaner is spying on me

Snooping on the built-in cam? Remotely controlling it? Well, that sucks *ba-dum tsh*

Vulnerabilities in a range of robot vacuum cleaners allow miscreants to access the gadgets' camera, and remote-control the gizmos.…

Posted: 20 Jul 2018 | 9:31 am

Hackers hold 80,000 healthcare records to ransom

CarePartners said its forensic investigation identified 1500 affected records - the hackers say they took 80,000.

Posted: 20 Jul 2018 | 4:50 am

Calisto Trojan for macOS

An interesting aspect of studying a particular piece of malware is tracing its evolution and observing how the creators gradually add new monetization or entrenchment techniques. Also of interest are developmental prototypes that have had limited distribution or not even occurred in the wild. We recently came across one such sample: a macOS backdoor that we named Calisto.

The malware was uploaded to VirusTotal way back in 2016, most likely the same year it was created. But for two whole years, until May 2018, Calisto remained off the radar of antivirus solutions, with the first detections on VT appearing only recently.

Malware for macOS is not that common, and this sample was found to contain some suspiciously familiar features. So we decided to unpick Calisto to see what it is and why its development was stopped (or was it?).


We have no reliable information about how the backdoor was distributed. The Calisto installation file is an unsigned DMG image under the guise of Intego’s security solution for Mac. Interestingly, Calisto’s authors chose the ninth version of the program as a cover, which is still relevant.

For illustrative purposes, let’s compare the malware file with the version of Mac Internet Security X9 downloaded from the official site.

Backdoor | Intego Mac Internet Security 2018
Unsigned | Signed by Intego

It looks fairly convincing. The user is unlikely to notice the difference, especially if he has not used the app before.


As soon as it starts, the application presents us with a sham license agreement. The text differs slightly from Intego’s — perhaps the cybercriminals took it from an earlier version of the product.

Next, the “antivirus” asks for the user’s login and password, which is completely normal when installing a program able to make changes to the system on macOS.

But after receiving the credentials, the program hangs slightly before reporting that an error has occurred and advising the user to download a new installation package from the official site of the antivirus developer.

The technique is simple, but effective. The official version of the program will likely be installed with no problems, and the error will soon be forgotten. Meanwhile, in the background, Calisto will be calmly getting on with its mission.

Analysis of the Trojan

With SIP enabled

Calisto’s activity on a computer with SIP (System Integrity Protection) enabled is rather limited. Announced by Apple back in 2015 alongside the release of OS X El Capitan, SIP is designed to protect critical system files from being modified — even by a user with root permissions. Calisto was developed in 2016 or earlier, and it seems that its creators simply didn’t take into account the then-new technology. However, many users still disable SIP for various reasons; we categorically advise against doing so.

Calisto’s activity can be investigated using its child processes log and decompiled code:

Log of commands executed by the Trojan during its operation

Hardcoded commands inside the Calisto sample

We can see that the Trojan uses a hidden directory named .calisto to store:

Recall that Keychain stores passwords/tokens saved by the user, including ones saved in Safari. The encryption key for the storage is the user’s password.

Next, if SIP is enabled, an error occurs when the Trojan attempts to modify system files. This violates the operational logic of the Trojan, causing it to stop.

Error message

With SIP disabled/not available

Observing Calisto with SIP disabled is far more interesting. To begin with, Calisto executes the steps from the previous chapter, but as the Trojan is not interrupted by SIP, it then:

Let’s take a closer look at the malware’s implementation mechanisms.

Adding itself to startup is a classic technique for macOS, and is done by creating a .plist file in the /Library/LaunchAgents/ folder with a link to the malware:

The DMG image is unmounted and uninstalled via the following command:

To extend its capabilities, Calisto adds itself to Accessibility by directly modifying the TCC.db file, which is bad practice and an indicator of malicious activity for the antivirus. On the other hand, this method does not require user interaction.

An important feature of Calisto is getting remote access to the user system. To provide this, it:

The commands used for this are:

Note that although the user “root” exists in macOS, it is disabled by default. Interestingly, after a reboot, Calisto again requests user data, but this time waits for the input of the actual root password, which it previously changed itself (root: aGNOStIC7890!!!). This is one indication of the Trojan’s rawness.

At the end, Calisto attempts to transfer all data from the .calisto folder to the cybercriminals’ server. But at the time of our research, the server was no longer responding to requests and seemed to be disabled:

Attempt to contact the C&C server

Extra functions

Static analysis of Calisto revealed unfinished and unused additional functionality:

Loading/unloading of kernel extensions

Working with user directories

Self-destruction together with the entire system

Connections with Backdoor.OSX.Proton

Conceptually, the Calisto backdoor resembles a member of the Backdoor.OSX.Proton family:

Recall that all known members of the Proton malware family were distributed and discovered in 2017. The Calisto Trojan we detected was created no later than 2016. Assuming that this Trojan was written by the same authors, it could well be one of the very first versions of Backdoor.OSX.Proton or even a prototype. The latter hypothesis is supported by the large number of unused and not fully implemented functions. However, they were missing from later versions of Proton.

To protect against Calisto, Proton, and their analogues:


DMG image: d7ac1b8113c94567be4a26d214964119
Mach-O executable: 2f38b201f6b368d587323a1bec516e5d

Posted: 20 Jul 2018 | 3:00 am

iPhone Users: This Mobile Malware Could Allow Cybercriminals to Track Your Location

The iPhone and many of the apps designed to live on the device have the ability to track our location. Whenever they set up these apps, however, users get the option to opt in or out of location tracking services. But what happens when a malicious campaign doesn’t give users the option to opt out of having their location tracked by cybercriminals? In fact, just this week, it has been discovered that iPhone users may be faced with that very possibility, as a sophisticated mobile malware campaign is gaining access to devices by tricking users into downloading an open-source mobile device management (MDM) software package.

First, let’s back up – how does a mobile device management software package work, exactly? Well, according to Continuum, Mobile device management (MDM) is a type of software used by an IT department to monitor, manage, and secure employees’ mobile devices. Therefore, once hijacked by hackers, this software could be used to gain almost complete access to a mobile device.

So, with this malicious MDM campaign, cybercriminals can gain access to a device and steal various forms of sensitive information, including the phone number, serial number, location, contact details, user’s photos, SMS messages, and Telegram and WhatsApp chat messages.

As of now, it’s not entirely clear how this campaign is being spread – though many signs point to social engineering. So, given the information we do know – the next question is what should iPhone users do next to stay secure? Start by following these tips:


The post iPhone Users: This Mobile Malware Could Allow Cybercriminals to Track Your Location appeared first on McAfee Blogs.

Posted: 18 Jul 2018 | 10:17 am

Blackgear Cyberespionage Campaign Resurfaces, Abuses Social Media for C&C Communication

Blackgear (also known as Topgear and Comnie) is a cyberespionage campaign dating back to 2008, at least based on the Protux backdoor used by its operators. It targets organizations in Japan, South Korea, and Taiwan, leveling its attacks on public sector agencies and telecommunications and other high-technology industries. In 2016, for instance, we found their campaigns attacking Japanese organizations with various malware tools, notably the Elirks backdoor. Blackgear’s operators are well-organized, developing their own tools, which we observed to have been recently fine-tuned, based on their latest attacks.

A notable characteristic of Blackgear is the lengths to which its attacks go to evade detection, abusing blogging, microblogging, and social media services to hide its command-and-control (C&C) configuration. Compared to when C&C information is embedded within the malware, where it’s preset and can thus be easily blocked, this tactic lets Blackgear’s operators quickly change C&C servers as needed. It can, in turn, prolong the campaign’s foothold in the system and enable attackers to carry out further lateral movement.

Analyzing the Marade downloader (detected by Trend Micro as TSPY_MARADE.ZTBC) and the version of Protux (BKDR_PROTUX.ZTBC) employed by Blackgear’s latest campaigns, we found their encrypted configurations on blog and social media posts (see Figure 1). This can be an indication that these malware tools were developed by the same group.

Figure 1. Marade’s encrypted configuration on a Facebook post

Figure 2. Infection chain of Blackgear’s attack

Attack chain
To paint a bigger picture of Blackgear’s attacks, we correlated the tools and tactics they used against their targets. Here’s a summary of Blackgear’s latest campaign:

  1. Use a decoy document or fake installer file, sent via spam email to lure a potential victim into clicking it.
  2. The decoy document will extract the Marade downloader. It drops itself in the machine’s Temp folder and increases its file size to over 50MB in order to bypass traditional sandbox solutions.
  3. Marade will check whether the infected host can connect to the internet and whether anti-virus (AV) software is installed on it.
  4. If the affected system can connect online and doesn’t have AV software, Marade will connect to a Blackgear-controlled public blog or social media post to retrieve an encrypted C&C configuration. Otherwise, Marade will use the C&C information embedded in its code.
  5. The encrypted strings will pose as a magnet link to keep its malicious traffic from being detected by AV software. Marade will then decrypt the encrypted strings and retrieve the C&C server information.
  6. The C&C server will send Protux to the victim’s host and execute it. Protux, a known backdoor, is executed by abusing the rundll32 dynamic-link library (DLL). It tests the host’s network, retrieves the C&C server from another blog, and uses the RSA algorithm to generate the session key and send information to the C&C server.

Blackgear’s malware tools are delivered to targets using RAR self-extracting executable (SFX) files or office Visual Basic Script (VBScript) to create a decoy document. Below is a screenshot of the SFX files and document used by the latest campaigns:

Figure 3. Contents of malicious SFX file used by Blackgear, posing as a Flash Player installer

Figure 4. Malicious document used by Blackgear (top) and how VBScript is used to execute Marade (bottom)

Figure 5. Encrypted configurations of Protux (top) and Marade (bottom) in the same blog post

Correlating Marade and Protux
The encrypted configurations of Marade and Protux can both be found on a single blog post. As shown in Figure 5, the strings highlighted in red function as a search tag to identify the location of the configuration information; those highlighted in orange pertain to the encrypted configuration that Protux will retrieve.

In Blackgear’s previous campaigns, Protux’s configuration format had to be changed to another version. For instance, Protux’s older iteration will look for the “++a++” tag, as shown in Figure 5. The format used by Protux’s latest version is now similar to Marade’s, as shown in Figure 6.

Figure 6. Protux’s encrypted configuration on a public blog (note the six magnet URLs; the third is Protux’s latest configuration format)

Reverse analysis of Protux’s latest version also allowed us to determine how to decrypt the C&C information, which is done in the Python code shown below. This can also be used by researchers, system administrators, and information security professionals when decrypting Protux’s latest version.
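
#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import sys, base64

PREFIX = "magnet:?xt=urn:bhih:"

def decrypt():
    if len(sys.argv) != 2:
        print("Usage : ./decrypt_protux_magnet.py <Full magnet strings>")
        sys.exit(1)

    magnet = sys.argv[1]
    head = magnet.find(PREFIX)
    tail = magnet.find("&xl=")
    if -1 == tail:
        # The delimiter may be HTML-escaped when copied from page source
        tail = magnet.find("&amp;xl=")

    if -1 == head or -1 == tail:
        print("can't find delimiter")
        sys.exit(1)

    # The Base64 payload sits between the magnet-style prefix and the xl= parameter
    b64_data = magnet[head + len(PREFIX): tail]

    b64_decode = base64.b64decode(b64_data)
    key = b64_decode[2]     # the third decoded byte is the single-byte XOR key
    data = b64_decode[4:]   # the encrypted configuration starts at offset 4

    # XOR every byte with the key and write the result to the C2_info file
    with open("C2_info", "wb") as output_file:
        output_file.write(bytes(single_byte ^ key for single_byte in data))

if __name__ == '__main__':
    decrypt()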

A new remote controller tool
We were also able to source a sample of Protux’s remote controller tool. This provides a user interface (UI) that allows attackers to send instructions to and monitor any compromised endpoint host. This tool can also remotely control Marade in the affected system.

Figure 7. The controller retrieving the Marade-related information (top) and collecting Protux-related information (bottom)

Based on the controller’s behavior, we can posit that both Marade and Protux were authored by the same threat actors. Each serves a specific role once in the system. Marade acts as the first stage of attack, sending the compromised system’s information to the C&C server and then awaiting commands from the controller. This allows threat actors to monitor and check whether the affected system is of interest to them. If so, the attack moves to the second stage by deploying Protux. The tool can also control the communication between the backdoor and attacker in real time. The following is a list of Protux’s notable components and their functions:


Protux: An old dog learning new tricks

Protux is an old backdoor, with its first version developed in 2005. It uses DLL injection to execute its routines. Based on this behavior, we can map out a pattern, from the downloader to the decoy documents used. The trigger format is: %system32/rundll32.exe <PROTUX file name> <export name>.

We saw two notable changes throughout Protux’s history: its export name and how it functions:

Export name | Year | How C&C information is retrieved
TStartUp | 2005 – 2012 | Directly connect to the C&C server and use DNS server to retrieve the C&C IP address.
CRestart | 2009 – 2014 | Use web DNS query to retrieve the C&C IP address, e.g., ip138[.]com.
CReset | 2013 – 2018 | Find the encrypted configuration through keywords on blog services.
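
The trigger format and export names above lend themselves to a process-creation hunt. The following is an added example, not code from the original article: it parses rundll32 command lines (both the space-separated form shown above and the usual `dll,Export` form) and flags the three export names from the table. The log layout (`timestamp|host|command line`), host names and DLL paths are constructed for illustration.

```python
import re

# Export names with the years and C&C retrieval method from the table above.
PROTUX_EXPORTS = {
    "TStartUp": ("2005-2012", "direct connection, C&C IP resolved through a DNS server"),
    "CRestart": ("2009-2014", "C&C IP resolved through a web DNS query service"),
    "CReset": ("2013-2018", "encrypted configuration found by keyword on blog services"),
}

RUNDLL_RE = re.compile(
    r'''
    (?:^|[\\/\s"]) rundll32 (?:\.exe)? "?         # host binary, bare or quoted path
    \s+
    (?: "(?P<qdll>[^"]+)" | (?P<dll>[^\s,"]+) )   # DLL path, quoted or bare
    \s* [,\s] \s*                                 # "dll,Export" or "dll Export"
    (?P<export>[A-Za-z_]\w*)                      # export name
    ''',
    re.IGNORECASE | re.VERBOSE,
)

# Constructed process-creation records: timestamp|host|command line.
SAMPLE_LOG = [
    r'2018-07-17T05:01:12Z|WS-014|C:\Windows\System32\rundll32.exe C:\Users\kim\AppData\Local\Temp\msupd.dll CReset',
    r'2018-07-17T05:03:40Z|WS-022|"C:\Windows\system32\rundll32.exe" "C:\ProgramData\flash update\fp.dll",TStartUp',
    r'2018-07-17T05:04:02Z|WS-022|rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'2018-07-17T05:05:00Z|WS-031|C:\Windows\System32\svchost.exe -k netsvcs',
]


def parse_rundll32(cmdline):
    """Return (dll_path, export_name) for a rundll32 command line, else None."""
    match = RUNDLL_RE.search(cmdline)
    if match is None:
        return None
    return (match.group("qdll") or match.group("dll"), match.group("export"))


def find_protux_launches(log_lines):
    """Flag rundll32 launches whose export name matches a known Protux export."""
    hits = []
    for line in log_lines:
        parts = line.rstrip("\n").split("|", 2)
        if len(parts) != 3:
            continue  # malformed record
        timestamp, host, cmdline = parts
        parsed = parse_rundll32(cmdline)
        if parsed is None:
            continue
        dll, export = parsed
        # Export names are compared exactly: they are resolved case-sensitively.
        if export in PROTUX_EXPORTS:
            years, method = PROTUX_EXPORTS[export]
            hits.append({
                "timestamp": timestamp,
                "host": host,
                "dll": dll,
                "export": export,
                "years_seen": years,
                "c2_retrieval": method,
            })
    return hits


if __name__ == "__main__":
    for hit in find_protux_launches(SAMPLE_LOG):
        print(hit)
```

A hit on the export name alone is a lead, not a verdict; the reported DLL path is the file to pull for analysis.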

Our research into and correlation of Protux led us to several samples that have version numbers embedded in them. The highlighted portions in Figure 8 show the backdoor’s version number and timestamp with the “with encrypt” strings. We also found that these versions encrypt the communication to their C&C servers.

Protux’s latest version, 3.7, uses the open-source compiler OpenCSP to generate a session key with the RSA algorithm.

Figure 8. Different versions of Protux used by Blackgear

Figure 9. Protux with the OpenCSP encryption function

Building a proactive incident response strategy
Blackgear has been targeting various industries since its emergence a decade ago. Its apparent staying power stems from the furtive ways with which its attacks can evade traditional security solutions. For instance, Blackgear employs two stages of infection for each of its attacks. The potential victim may not be able to notice the intrusions as the first stage involves only profiling and reconnaissance. And once infection with a backdoor occurs, typical red flags may not be raised as it abuses microblogging and social media services to retrieve information needed for C&C communication.

Indeed, Blackgear’s attacks exemplify the need for organizations to develop and implement security strategies that can proactively respond to threats. A robust threat hunting strategy, for instance, helps validate indicators of attack to ascertain if the intrusions, threats, or suspicious system activities are one-off attacks or part of a larger campaign. This further visibility equips organizations with actionable threat intelligence, context, and insights that can be used to delve deeper into an attack — which security gaps are exploited, if the attack has multiple payloads, or if the malware has already spread within the network.

Organizations can also consider managed detection and response, which provides in-depth threat analysis and correlation — from networks to servers and endpoints — to obtain a complete picture of and further understand a targeted attack. Managed detection and response also helps make better sense of system- and network-level activities that an organization may not have the time or resources to do.

A list of indicators of compromise (IoCs) related to Blackgear is in this appendix.

Trend Micro solutions
The Trend Micro™ Deep Discovery™ solution provides detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack life cycle, allowing it to detect threats delivered by Blackgear even without any engine or pattern update.

Blackgear’s campaigns also use email as an entry point, which is why it’s important to secure the email gateway. The Trend Micro™ Hosted Email Security no-maintenance cloud solution delivers continuously updated protection to stop spam, malware, spear phishing, and advanced targeted attacks before they reach the network. The Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security solutions prevent malware from ever reaching end users. At the endpoint level, the Trend Micro™ Smart Protection Suites deliver several capabilities that minimize the impact of attacks.


Posted: 17 Jul 2018 | 5:01 am

Reflow JavaScript Backdoor

A script was left behind on a compromised machine. This led to the discovery of a Windows backdoor written in JavaScript and the C&C backend scripts. Unfortunately I can’t post too many details because the victim’s organization name is present in the files.

The backdoor script is less than 2KB and the only indication of its presence on a compromised PC is a running process called “wscript.exe”, which is a legitimate Windows program. The main part of the script contains an endless do-loop that awaits commands after passing the query string “reflow” to the C&C; otherwise it sleeps for 4 hours.

The callback to the C&C looks like this:

I wanted to find out more so I searched for code snippets in various search engines and VirusTotal but that led me nowhere. I turned to Recorded Future and found exactly what I was looking for. In case you don’t know, Recorded Future helps to enrich your raw data with useful contextualized and correlated threat intelligence. What I like best is its ability to find things that search engines can’t because it’s been removed from paste sites or posted to a private forum, as examples.

The results I got show three hits to matching files that were deleted back in December 2017. The cached data and link back to the original source helped me recover a compressed file with the C&C package.

There are four main scripts (3 PHP and 1 JavaScript files) in the package that are copied to a web server. The web server may be attacker-controlled or compromised by some means. The main script, index.php, contains an SVG animation that looks like this when a visitor happens to visit the page.

This script shows that when “reflow” is passed to the page, the contents of a malicious JavaScript file (renamed as a PNG file) are sent to the victim PC and eval’d by the backdoor script. The malicious script uses WMI to obtain the system information, then sends that info back as part of its authentication method.

Here you can see the malicious script running an endless loop waiting for commands such as upload, download, and execute.

The “mAuth” function generates short random strings, concatenates them along with the system info and passes that to the C&C in a cookie after Base64-encoding it. These random strings are important as they are used as markers to identify instructions contained between them.

Data is transmitted back to the C&C using AJAX. There’s a function called “FillHeader” that populates the HTTP header.

Again, this is what the HTTP request looks like when the victim PC checks in:

Performing a Base64-decode on the cookie value results in the 2nd line. Repeating the Base64-decode on the string after the second caret reveals the system info.
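
The two decoding steps described above can be turned into a check over proxy or web-server logs. This is an added example, not code from the original post: it assumes the decoded cookie is `marker^marker^Base64(system info)` with nothing after the inner Base64 string, and the cookie name, markers, hosts and system-info text below are constructed.

```python
import base64
import binascii
from urllib.parse import unquote, urlsplit


def _b64_text(value):
    """Strictly Base64-decode to UTF-8 text; None if the value is not Base64 text."""
    try:
        padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def decode_reflow_cookie(value):
    """Apply both decoding steps; return markers and system info, or None."""
    outer = _b64_text(unquote(value))
    if outer is None or outer.count("^") < 2:
        return None
    marker_a, marker_b, inner = outer.split("^", 2)
    sysinfo = _b64_text(inner)  # the string after the second caret
    if sysinfo is None:
        return None
    return {"markers": (marker_a, marker_b), "sysinfo": sysinfo}


def scan_requests(requests):
    """Flag requests that pass "reflow" in the query and carry such a cookie."""
    hits = []
    for req in requests:
        if "reflow" not in urlsplit(req["url"]).query:
            continue
        for pair in req.get("cookie", "").split(";"):
            name, _, value = pair.strip().partition("=")
            decoded = decode_reflow_cookie(value)
            if decoded is not None:
                hits.append({"src": req["src"], "url": req["url"],
                             "cookie_name": name, **decoded})
    return hits


def _sample_cookie():
    """Build a constructed cookie value in the assumed layout."""
    inner = base64.b64encode(b"WS-014|kim|Windows 7").decode()
    return base64.b64encode(f"x7Qa^m2Lp^{inner}".encode()).decode()


# Constructed request records (source address, URL, Cookie header).
SAMPLE_REQUESTS = [
    {"src": "10.0.0.14", "url": "http://c2.example/index.php?reflow",
     "cookie": "sid=" + _sample_cookie()},
    {"src": "10.0.0.20", "url": "http://intranet.example/index.php?reflow",
     "cookie": "theme=dark"},
    {"src": "10.0.0.21", "url": "http://news.example/",
     "cookie": "sid=" + _sample_cookie()},
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(hit)
```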

One of the PHP scripts appears to be a template which is modified with HTML code to make the page look legitimate (e.g. it contains parts of an organization’s actual webpage). The script is renamed and referenced by the index.php script. This script has all the functions responsible for uploading and downloading files as well as creating activity logs. Among the log files are victim’s IP addresses, what files have been uploaded and downloaded, session information, etc.

The “Authentication” function reads in the cookie value from victims and parses out the system info, and defines variables used to create the log filenames. The victim’s username and computer name are MD5-hashed and used as part of the log filenames. When a victim PC connects to the C&C, three files are created on the C&C server:

The last PHP script in their package is used to interact with and send commands to the victim PCs. Note the timezone and interesting login method.

The available commands are quite limited but are more than enough to upload additional, more powerful tools to the victim PC and gain further access into their network. And finally, if the attackers sense they are about to be discovered, they can delete all the important log files with another set of commands built into this script.

I don’t have any attribution information on these scripts but it doesn’t seem to be related to your-typical-crime-gang. It appears that this campaign is still ongoing as other files show updated timestamps.

Posted: 30 Mar 2018 | 1:12 pm

Rootkit Umbreon / Umreon - x86, ARM samples

Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems
Research: Trend Micro

There are two packages: one is the full package 'found in the wild', and the other is a set of hashes from Trend Micro (all but one file are already in the full package).


Download Email me if you need the password  

File information

Part one (full package)


part 2 (those listed in the Trend Micro article)

Posted: 20 Mar 2018 | 6:29 am

Equifax breach could be most costly in corporate history

NEW YORK/TORONTO (Reuters) – Equifax Inc (EFX.N) said it expects costs related to its massive 2017 data breach to surge by $275 million this year, suggesting the incident at the credit reporting bureau could turn out to be the most costly hack in corporate history.

The projection, which was disclosed on a Friday morning earnings conference call, is on top of $164 million in pretax costs posted in the second half of 2017. That brings expected breach-related costs through the end of this year to $439 million, some $125 million of which Equifax said will be covered by insurance.

“It looks like this will be the most expensive data breach in history,” said Larry Ponemon, chairman of Ponemon Institute, a research group that tracks costs of cyber attacks.

Total costs of the breach, which compromised sensitive data of some 247 million consumers, could be “well over $600 million,” after including costs to resolve government investigations into the incident and civil lawsuits against the firm, he said.

The post Equifax breach could be most costly in corporate history appeared first on CyberESI.

Posted: 2 Mar 2018 | 11:37 am

Freedome VPN For Mac OS X

Take a look at this:

F-Secure Freedome Mac OS X

F-Secure Freedome for OS X (freshly installed on a Labs Mac Team MacBook).


The beta is now open for everyone to try for 60 days at no cost.

Download or share.

On 24/04/15 At 12:37 PM

Posted: 24 Apr 2015 | 1:37 am