“For your safety” – Beware of fake ING-DiBa emails

“For your safety” – Beware of fake ING-DiBa emails

Cybercriminals are currently trying to obtain sensitive data from ING-DiBa customers with dubious fake emails. The fake email claims that a problem has occurred during a routine security check of the online banking system. It advises that customers should immediately log on to an external website to avoid troubles with their bank.

However, in reality, this is a phishing attack that tries to collect personal information. In the following blog article, you will learn in detail how to protect yourself from fake emails or phishing attacks.

The fake email from our example

Fake E-Mail

A German ING-DIBA fake email (click for zoom)

The adjacent picture shows the detailed structure of the fake email – allegedly sent by ING-DiBa – in an iPhone mailbox. In fact, the email is part of a mass phishing attack and the message was sent fraudulently to a variety of email recipients.

For example, the subject line states “For Your Safety (Reference Number: xyz)”, and the presumable arbitrary order of the combination was set to “kx5qrvnzx3h” in this case. Before we blackened the personal information for reasons of data protection, we noticed that both the recipient’s address and the sender’s address had the same information. This was already a first indication of a fake email.

This scam is not uncommon amongst perpetrators when it comes to gathering information about their randomly selected victims via phishing. Those affected are especially inclined to follow the attached link if the phishing or fake email is opened on a mobile device, as it is in this case. This is particularly true if they are actual customers of the bank mentioned in the email.

In everyday life, too, recipients of phishing emails are also quick to follow the link when receiving such an email. The attacker offers the targeted person appropriate options in case a recipient does not have an account with ING-DiBa. In our example, the recipient has the opportunity to follow a flashy red button and allegedly communicate that he is not a customer of ING-DiBa. The destination of the link, however, is a phishing website, which is intended to tap user data in a big way from the mostly unsuspecting victims. The fake security notification of ING-DiBa is not an isolated case.

6 tips to detect phishing or fake emails

With the following tips, you will be able to detect phishing or fake emails to protect yourself from being affected by such attacks.

Feature No. 1: The salutation

It is striking that either a standard phrase is used to address the target person, or the salutation is completely missing. Very rarely recipients of phishing emails are addressed with their whole name. This is due to the fact that fake emails are not isolated cases, but often automated emails which are sent out millions of times. Individual addresses are rather the exception. In our example there was no address at all.

Feature No. 2: Content of the email

A phishing mail is contextually designed to hide the true intentions towards the recipient at least until he first clicks on one of the attached links. These following baits are very popular with cyber crooks:

  • Fake emails in the form of alleged PayPal security notifications
  • Phishing emails which seem to come from banks or other institutions
  • Fake email notifications that seem to come from Amazon or Ebay
  • Fake security issues in social media accounts that need to be resolved promptly

This shows that cybercriminals are very creative when it comes to fooling their victims.

Feature No. 3: The call to action

Once the attacker has created and sent out his fake email, he urges the recipient to act. In this specific case, the targeted person is initially led to an external page by clicking on a link. This page usually resembles closely the login area of a bank, an online retailer or any other company that offers certain Internet services.

Once the victim has entered his details into the according form fields and pressed the confirmation button, the cybercriminal is in possession of the login details. Now he can make orders in online shops under false names or get access to sensitive account or company data. The phishing attack has been successful.

Feature No. 4: The time shortage

An effective means often used by attackers is the limitation of time. This is an attempt to put the victim under stress and distract it. In our example, this is stated as follows: “Please log into your account as soon as possible to avoid any delay in your banking activities.”

Fear-spreading phrases in the subject line, such as “Your account has been suspended” or “An amount has been debited from your account” are also quite popular and common. These sentences cause some recipients to panic, so they follow the attached link without much thought.

Feature No. 5: Questionable buttons and links

In order to successfully carry out the process of phishing, a related link in text or button form is part of the standard repertoire of any phishing or fake email. This is also the case in our example.

Therefore, when it comes to questionable security queries that have a link, we recommend that you do not access these links from your email program. Instead, you should always directly log in to your user accounts via a browser or via the official website of the provider. This applies to online services of any kind.

Feature No. 6: This is how reputable companies and institutes work

As far as the detection of phishing emails or fake emails is concerned, it should always be remembered that reputable companies or institutes would never ask you to disclose personal information via email.

For this reason, various banks regularly point to the problem of fake emails or the so-called phishing mails. One bank states for example:

“Volksbank Raiffeisenbank or BVR will never ask bank customers for personal information such as PIN or account number via email. Neither will we insert a link to online banking in emails or ask bank customers to make test or remittance transfers. These practices are always indicators of attempted fraud.” (Source: Volksbank Raiffeisenbank)

Therefore, you can delete such an email immediately. This is ultimately the simplest way to counter a phishing attack.

Additional service information

Dangerous Amazon phishing emails cause trouble

Dangerous Amazon phishing emails cause trouble

Reputable and hardly suspicious – that’s how phishing emails, which have been circulating for several months and which allegedly come from Amazon, reach the mailboxes of many users. The reason for this is that those emails do not appear to be a cunning fraud but quite the opposite. They are so good in copying the design of a real Amazon email that they are hardly indistinguishable for end users. In addition, the cybercriminals use a personalized form of address in these phishing emails, which adds weight to the credibility of the email.

Example of such an Amazon phishing email

Example of such an Amazon phishing email (Click to enlarge image).

A phishing email personalized in this way is referred to as a “spear phishing attack”. These targeted attacks aim specifically at a single person or group of people. The behavior and personal data of target persons are spotted in advance in order to personalize the spear-phishing email the best possible way. Those fraud emails can only be identified through the sender address with which they were sent. These can, for example, be as follows:

More detailed information about possible sender addresses, the structure of phishing emails and content can be found here.

What do the attackers want to achieve?


Referring in the email to the Federal Data Protection Act, the victims are requested to verify their data. By clicking on a link, they are redirected to a fake website that is almost indistinguishable from the real Amazon site. On closer inspection, only the URL used does not match that of Amazon.

On the fake sites, the people concerned should then disclose data of themselves. Otherwise the hackers threaten to block access to the account, as shown in the example above. This is, of course, a hollow statement. Anyone who responds to this request, however, transmits his data directly to the fraudsters. The cybercriminals use the obtained data to make purchases at the expense of the person concerned or to misuse them for other criminal activities.

Does Hornetsecurity Advanced Threat Protection detect fake emails?


Hornetsecurity Advanced Threat Protection is able to detect the new Amazon phishing emails as well as other targeted attacks. Safety mechanisms including Fraud Attempt Analysis, Identity Spooning Recognition and Intention Recognition can filter out threats of this kind. A loss of sensitive data can thus be prevented and Amazon phishing emails do not even get into the mailboxes of a company or employees.

Additional service information

Disguised .NET Spyware Camolog is Stealing Access Data

Disguised .NET Spyware Camolog is Stealing Access Data

When it comes to new types of malware, there is always the question of what their objectives are. At the moment we are monitoring a new .NET spyware that has not yet been reported. It distinguishes itself by using persistent anti-analysis techniques implemented by utilizing the Confuser packer. Apart from that, the spyware does not put a lot of effort into disguising itself during runtime, thus revealing its intentions. This malware collects login details from many different programs and uses a keylogger to gather information.


This .NET spyware that we named Camolog is spreading due to an ongoing phishing campaign and it uses a keylogger to collect login details from mail clients, browsers, FTP and instant messenger clients. After these campaigns collect information, the access data gathered is usually sold by cybercriminals or used for later attacks.


In the individual emails of a large wave of spam emails, the subject headings (see screenshot) and attachments are slightly different. Most of the time, the attachments that deliver the malware are between 400KB and 1.3MB in size. In the following screenshot, you can see one of these phishing e-mails with the contact information crossed out, because in many cases, these are the information stolen from real people.


Example of a phishing mail that delivers malware.

Example of a phishing mail that delivers malware


The phishing email fools the recipients into believing that they are going to receive a price quote or an offer of some kind and this motivates them to open the attachment. However, it contains a RAR archive named “Sample Product 9076_pdf.rar”. The archive hides the executable .NET file “SampleProduct9076_pdf.exe” which serves as a dropper for the spyware and is secured by a version of the publicly available cover-up tool Confuser.


When opening the malware in the .NET decompiler dotPeek, the usage of Confuser becomes apparent. The project name “dimineata” is noticeable and can be used to identify the malware and is displayed in the screenshot below.


The .NET Decompiler dotPeek lets you analyze the Confuser.

The .NET Decompiler dotPeek lets you analyze the Confuser.


On the other hand, the application of both anti-decompiler and anti-debugger techniques makes it harder to analyze the malware. The analysis tool IDA Pro will crash when loading the binary file, specific .NET decompilers do not function properly and debuggers used in dynamic analyses fail, which means that manual analyses will rarely provide information. It’s likely that this is also one of the reasons why there is an absence of this spyware being publicly reported so far.


Bypassing security measures


The only way to obtain an overview of this malware’s behavior is to run it in a safe and controlled environment. In doing so, you can observe that the malware runs as a process named “chrome.exe” with the description “Accu-Chek 360˚ diabetes management software”. This process starts another sub-process with the same name. After a few moments, the original binary file generates a copy of itself as AppData\Local\Temp\iaq\iaq.exe, starts its sub-process and subsequently deletes itself.


At the time the sub-process is loaded, its binary data must be fully extracted and decrypted in the memory. The transfer takes place in the form of a byte array to the AppDomain.Load() function. This function is not affected by the anti-analysis methods of the cover-up tool because it belongs to the .NET framework. Unlike the malware functions, it can be easily analyzed. Thus, with a debugger such as dnSpy it is possible to set a breakpoint on this function and dump the binary file of the malware that is loaded by the dropper. But, let’s have a closer look into the malware itself.


Analysis of spyware.

Analysis of spyware.


The binary file of the dropped spyware is only masked by randomly renaming the functions and variables, not by additional anti-analysis methods. Therefore, it is possible to generate readable source code with a .NET decompiler again and thus reveal the behavior of the malware.


What information is collected?


The spyware collects numerous information: Next to the FTP Client SmartFTP’s connection data, which are saved in the favorites, but also passwords from the client WS_FTP, recently used connections from FileZilla, connections of saved sessions from WinSCP and the connection data from FTPWare.


Additionally, the account data saved in the Instant Messenger Pidgin and the passwords from the video chat tool Paltalk are read out. Camolog also diligently collects account data from the Outlook and Thunderbird mail clients as well as the login details from the YandexBrowser, ChromePlus and Chromium browsers. The spyware can also record all kind of data and password input with a keylogger.


The Spyware nests itself within the system by creating registry keys for Windows Autorun (see list of indicators). The malware is pretty good at identifying itself in the system through these registry keys and the running process “chrome.exe”.


Cloud protection by Hornetsecurity products


Through the use of our cleverly designed spam filter mechanisms, Hornetsecurity has been detecting the emails of this campaign since they first appeared and we have been filtering them out in the cloud. As a result, there is no way for the spyware to get close to our customers’ business infrastructure.


With Hornetsecurity Advanced Threat Protection, our customers benefit from being protected against any variation of this malware. Through the use of behavioral analysis, the level of protection Hornetsecurity ATP provides exceeds that of a conventional spam filter.


Here is an extract from the ATP behavioral analysis:


The detailed evaluation of the sandbox analysis.

The detailed evaluation of the sandbox analysis.


List of indicators for the detection of malware


Phishing emails


Subject lines used in the campaign:

  • Quotation request
  • Quote-Bid Identifier: ITB-0011-0-2018/AM
  • Quote-Bid Identifier: ITB-0014/0015-0-2018/AM
  • Kindly Quote-Bid Identifier: ITB-0016-0-2015/AM
  • Quotation required


Attachment of the phishing email – Win32 RAR Archive


  • File name: Sample Product 9076_pdf.rar
  • SHA256: 5f5e7a57d9500fcece0b7c88c8925bb13243222182e5badddaa2419bda963ca6
  • Attachments of other emails of this campaign:
    • 30eaa3e9b9390f603d2a349c0a4cf064225eff3ede60a24aab8e69cf67cf83a5  Product sample 0015_pdf.rar
    • 6acf72c636aa9ff2fae225d75eea063c2ee61026151a6c405175dd06e8a5c01f  product sample 0019_pdf.rar
    • a54f7ff3ecf8acccc23fe2c52fd5e58099852f3448dcec67c6deff5fa925a4d5  Sample product 0011_pdf.rar
    • c165676976f9e91738c5b6a3442bf67832a7556e23e49f1a77c115af47b290ee  Sample Product 0014_pdf.rar
    • 97cea5ce28bbebff16251cbde247362915e8f41a89f979ae266c797aff6ef5e6  Sample Product 0016_pdf.rar
    • 5f5e7a57d9500fcece0b7c88c8925bb13243222182e5badddaa2419bda963ca6  Sample Product 9076_pdf.rar
  • File type: RAR archive data, v4, os: Win32
  • Size: 331K
  • Content of the archive, SHA256: 2feb8a19f44c29a83a0561ca7e38492e1a843add08eda2027a8a7c5041af6de6


Dropper from out of the archive


  • File name: SampleProduct9076_pdf.exe
  • SHA256: 2feb8a19f44c29a83a0561ca7e38492e1a843add08eda2027a8a7c5041af6de6
  • Other dropper of the campaign:
    • 38782911f7deca093b0e6018fd6c51122a8211c9c446f89de18e6ada85afa0d1  Product sample 0015_pdf.exe
    • 542b6a778489710994aadfaca3b57e0a9c03d2e3b6d5617e3220f364cbde9a45  product sample 0019_pdf.exe
    • 04381c6ecdf618ce122084a56ca5416c6774cba4b34909e95f7a532523c3e877  Sample product 0011_pdf.exe
    • 42992976461c59a4a52e4bf202d4bfcd738408d729ff9cbc55786016cb4075c3  Sample Product 0014_pdf.exe
    • 2a159afdc686df016ee370aeed134f9c4fe44320a32ec2eb25d76270206b5b5a  Sample Product 0016_pdf.exe
    • 2feb8a19f44c29a83a0561ca7e38492e1a843add08eda2027a8a7c5041af6de6  Sample Product 9076_pdf.exe
  • File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • Size: 429K
  • Process name: chrome.exe
  • Description: Accu-Chek 360˚ diabetes management software
  • Drops the file SHA256: 67c7840eefb640e70473ebc4bb7dec89f8168d679226be0696708e3427956114
  • Significant string:  dimineata.exe
  • Stores a copy of itself under C:\Benutzer\analyst\Appdata\Local\Temp\iaq.exe ab


Reloaded spyware:


  • File name: impartial.exe
  • SHA256: 67c7840eefb640e70473ebc4bb7dec89f8168d679226be0696708e3427956114
  • File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • Size: 58K
  • Process name: chrome.exe


Registry Keys, of which information have been gathered


  • HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles*
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook*
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook*
  • HKEY_CURRENT_USER\Software\Paltalk
  • HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions


Files, of which information have been gathered


  • C:\Users\Administrator\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
  • C:\Users\Administrator\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
  • C:\Users\Administrator\AppData\Roaming\FileZilla\recentservers.xml
  • C:\Users\Administrator\AppData\Roaming\Thunderbird\profiles.ini
  • C:\Users\Administrator\AppData\Roaming.purple\accounts.xml
  • C:\Users\Administrator\AppData\Local\Chromium\User Data\Default\Login Data
  • C:\Users\Administrator\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
  • C:\Users\Administrator\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data


Registry Keys, that have been created to generate persistence


  • Autorun entry for the dropper: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\iaq
    • reg_value   C:\Users\ADMINI~1\AppData\Local\Temp\iaq\iaq.exe
  • Autorun entry of the spyware: Spyware: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Application
    • reg_value   C:\Users\Administrator\Desktop\chrome.exe -boot
The forecast for resellers: bright and sunny thanks to the cloud!

The forecast for resellers: bright and sunny thanks to the cloud!

The challenges are high but rewarding for system houses that focus on cloud-based services.


It is still common belief by some CEOs that cloud computing is a side issue that only progresses slowly. In reality, cloud-based technology has rapidly progressed – it is already well-established in a large number of companies. And the market continues to grow. According to market researcher ISG, the German market for public cloud services has grown annually at about 26%. Resellers have already begun to feel the consequences of this development, especially those that still offer traditional IT services. They need to rethink their market strategy to keep pace with a shifting marketplace.


Many resellers are on the right track and have expanded their portfolios by including managed services like the Spamfilter Service or Advanced Threat Protection from Hornetsecurity. IT channels are also rapidly consolidating, as the buyout of Exabyters by Telcat prove (both are Hornetsecurity partners!).  This merger represents the future of the IT channel which constantly needs to find new fields of business and offerings. Telcat plans to take over Exabyters‘ 30 employees and increase the managed service staff to 150 employees in the coming years.


Save costs, time and effort with cloud services


And there are good reasons for the growth of cloud-based solutions.  Through cloud-based services, enterprises can drastically reduce both their internal hardware and software requirements which leads to saving time and money for IT administrators. IT managers are now able to concentrate on their core competences and projects. They can also develop their department to be more flexible by scaling their outsourced activities much more easily. Concerns about cloud services creating a lack in data security and losing control are minimized by waterproof contractual agreements and a continuous growth of professionalization of the providers.


While companies largely benefit from cloud services, resellers seeking to reorganize their portfolio will face massive changes in their organization, logistics and processes. First, there is the change from typical contracts with an annual or even multiannual duration to monthly contracts. Consequently, the cashflow will naturally change from large single payments to small monthly payments. This adjustment holds some advantages, as there will be a steady regular cashflow.


Changes can be hard but rewarding


Beyond that, resellers need to bring their service mentality to the next level, as customers are expecting a higher service quality when using cloud-based services. For example, they demand a very high quality of service, which ideally is available 24/7 on both a technical and sales level. For this, server capacities need to be created or increased, employees trained for the new services and possibly working in shifts. So, many challenges that require a huge amount of planning, assertiveness and even capital investment, wait for resellers.


Nonetheless, the struggle can pay off.  Simply relying on existing technologies and not preparing for the future has rarely paid out, although in the future there will remain niches that resellers could occupy. The cloud with all its disruptions of prevalent technologies cannot be stopped. Channel executives should not evaluate the situation wrong, otherwise they will end like German emperor Wilhelm II., who is alleged to have said, “I believe in the horse. The automobile is only a temporary occurrence.“

NanoCore – Creative distribution of an old acquaintance

NanoCore – Creative distribution of an old acquaintance

Attackers do not always have to use newly developed malicious codes. If it seems appropriate to them, they often also use proven malware for their purposes. In that case, it is obviously very important to choose the distribution path in such a way that the malicious software can be placed without the victim noticing. We took a closer look at such an approach using the example of NanoCore.


NanoCore is a Remote Access Trojan, which has been available in various versions as a relatively inexpensive finished product since 2013. Remote Access Trojans are a very dangerous type of malware that allows attackers to remotely control and monitor infected systems. In 2015, the full version and all plugins of NanoCore was cracked and has been available for free in underground forums ever since.


The developer of NanoCore was arrested last year and sentenced to 3 years imprisonment . This case is of particular importance, since it was the first time a developer of a dual-use tool, who did not use the tool “for personal use” for hacking, was convicted. Crucial to the conviction was the fact that the developer had offered the software in hacker forums even though he knew that some of his customers would use the tool for illegal purposes.


NanoCore has still not gone out of style and continues to be up to no good. However, because the tool is very well-analyzed and therefore easily detectable by antivirus products, the attackers often have to be creative to deliver the Trojan. For this reason, they come up with elaborate concealment methods.


Last week, we witnessed a cyber-attack with NanoCore, which creatively combined various techniques to deliver and install the Remote Access Trojan. To do this, the attackers used a combination of phishing, a self-extracting Winrar archive, and the legitimate AutoIT administration tool.


Delivery via phishing mail


The initial phishing mail tricks the recipient into a special business offer, which is supposed to be included in an enclosed PDF called “inquiry.pdf”. The email tries to be more convincing by using the complete contact information. Since this information is often real, we have blackened it in the screenshot below.


Example of a phishing mail

Example of a phishing mail


The attached phishing PDF looks like a link to Dropbox but includes a URL that downloads an archive file from another source.


Fake Dropbox-Seite zu Malware-Link

Fake Dropbox page to malware link


This “inquiry.zip” ZIP archive contains the file “inquiry.scr”. The file extension “scr” is only an alternative to “exe” and was formerly used for executable PE files that install screensavers. In this case, it is a self-extracting Winrar archive that is being misused as a malware dropper.


Use of a self-extracting archive


The strings contained in the file show that the scr file is a self-extracting Winrar archive. Significant strings include:


  • Software\WinRAR SFX
  • winrarsfxmappingfile.tmp
  • WinRAR self-extracting archive


The archive could not be extracted manually without error. Only an execution of the file shows the undamaged content of the archive, consisting of:


  • 42 randomly named files with different endings, which are only about 500 bytes in size and contain ASCII data
  • The legitimate administration tool AutoIT, renamed as “mta.exe”
  • An ASCII file “qoa.docx” that is 951K in size and contains the configuration for AutoIT
  • • An ASCII file “stt = dsr” that is 3MB in size and contains an obfuscated script in the AutoIT native VBA-like scripting language


In August 2015, TALOS reported a similar attack that used the combination of a self-extracting archive with AutoIT to distribute NanoCore. Since this attack had even more similarities to the attack we observed, we suggest a link between these incidents. For example, the attack stops for 20 seconds once a running Avast process is detected. In 2015, however, an office macro was used in the phishing mail, while in this case a PDF was used. There are also differences in the payloads delivered, such as the delivery of additional malware in the 2015 Talos attack.


Attackers abuse automation tool AutoIT


AutoIT is a legal tool , used to automate administrative tasks. It provides its own scripting language, which is based on VBA. The tool is available for free and has unfortunately been used so many times by criminals to install malware that it is sometimes mistaken for being dangerous.


The AutoIT script in the file “stt = dsr” from the ZIP archive has an AntiAV technique built in which will put the application to sleep if the process “avastui.exe” is running on the system. It reads out different values from the section “Setting” in the “qoa.docx” configuration file. Afterwards, a randomly named file is created into which one of the detected strings is written. This file is also an obfuscated AutoIT script, 272K in size, and is called “DIENU” in our case. In this file, the string “Settings File Name” is overwritten with the name of the configuration file “qoa.docx”. Then the script sets the attributes of all extracted files to “hidden” and “read only” to make them as inconspicuous as possible. AutoIT is started and the created “DIENU” script, which uses “qoa.docx” as a configuration file, is passed to AutoIT.


Intelligent system check before installing NanoCore


The “DIENU” script makes some changes to the system, such as changing the system configuration and registry entries. It tries to find out if it is running in a VMware or Virtualbox Sandbox. If so, the script aborts to avoid potential analysis. Subsequently, the Remote Access Trojan is installed by injecting malicious code into the process memory of RegSvcs.exe – a .NET tool designed to install services. This technique is often used to hide malware in legitimate programs.


NanoCore's System Instrusion

Functional sequence of the NanoCore attack


Flexibility of NanoCore through modular design


NanoCore has a modular structure. The respective plugins, which can be switched on and off independently, are described in detail in an article by DigiTrust. Two plugins were used in this attack: the client plugin in version and the surveillance plugin with product version number


The plugins were written as library files “ClientPlugin.dll” and “SurveillanceExClientPlugin.dll” for .NET and obfuscated with the tool “Eazfuscator.NET 3.3”. The methods have the attributes “DebuggerHiddenAttribute” and “DebuggerNonUserCode”, to complicate the analysis with a debugger. This prohibits debugging these methods and setting breakpoints.




The client plugin is the basic element that handles communication with the command-and-control server and the management of collected information in a key/value collection. The information can optionally be compressed and send to the C2 server via pipe. The client also has options to change settings, uninstall plugins as well as uninstall and control the host computer, such as shutting it down, restarting it, or disabling security mechanisms.




The surveillance plugin comes with all sorts of features for spying on the victim. This allows the attacker to collect passwords, logs and DNS records. The host computer is remotely controllable, and recordings of key inputs, the microphone, or the webcam can be recorded.


The Surveillance Plugin can receive four commands:


  1. Password: SendTools, EmailClient, InternetBrowser
  2. Logging: (KeyboardLogging, ApplicationLogging, DNSLogging, GetLogs, DeleteLogs, ExportLogs, ViewLogs)
  3. Keyboard: Write, Download, LogToServer
  4. Dns: GetRecords


Generally speaking, it is a comprehensive toolkit to remotely control and monitor the infected computer.


No getting through thanks to Hornetsecurity ATP


As sophisticated as the obfuscation methods of this NanoCore attack are, the true intent of the tool is recognized by the behavioral analysis of the Hornetsecurity ATP Sandbox. It recognizes both the unpacking of the files, the creation of new files, the process injection of the NanoCore DLLs into a legitimate process, the modification of the registry entries as well as the network communication.


Analysis activities of Hornetsecurity ATP

Analysis activities of Hornetsecurity ATP


Indicators of Compromise


Die folgenden Dateien mit ihren sha256-Hashwerten wurden in dem Angriff verwendet. Da AutoIT eine legitime Software ist, führen wir das Tool hier nicht mit auf.


  • inquiry.pdf** 9c5d693e7c86f8f0c05af495d95a9d6f998ec93bec5c6f8d560d54f8a945f866
  • inquiry.zip** e0d88bab6749297eb1c03ec1e86bb0d9b7e53d10de8c05dcde032e5f040d03a2
  • inquiry.scr** 4a71602852c7a1a2b3c3c9690af9a96b57c622b459e4fff4f34d43c698b034b8
  • DIENU** 5612ac210a8df891f9ed07c5a472beb0d78f1f714f9f37e31320ec1edbc41d9c
  • SurveillanceExClientPlugin.dll** 01e3b18bd63981decb384f558f0321346c3334bb6e6f97c31c6c95c4ab2fe354
  • ClientPlugin.dll** 61e9d5c0727665e9ef3f328141397be47c65ed11ab621c644b5bbf1d67138403
  • qoa.docx** f36603bf7558384d57a9f53dfcd1e727bd6f56d4a664671f06fd5ca1383413d0
  • stt=dsr** 6236beb6702dd8396339fdad8c4539d7e177733a0f7cff1ded06f060895feac1


Domain from which the zip archive was downloaded: htXp://ibeitou.com/inquiry.zip

Cybercrime Trends 2018: Upcoming dangers in the coming year

Cybercrime Trends 2018: Upcoming dangers in the coming year

A look into the future can be worthwhile. Especially with regards to cybercrime, it is advantageous if companies already know at least approximately what they can expect in the year to come. Because so far each year was characterized individually by different scenarios of threats.

For example, the year 2016 was still considered the golden age of phishing, as can be seen from an article by heise online. 2017 brought us a change in trend and was particularly strongly influenced by ransomware attacks such as WannaCry, Bad Rabbit and NotPetya. So what can or should we expect for 2018? Let’s take a glimpse.

Cryptocurrencies in the focus

At least one thing can already be said: In 2018, new and more complex methods of attack will set new standards again. The cryptojacking attacks, which are already growing rapidly in numbers, could for example be influential for the coming year. Cryptojacking is an attack method in which cybercriminals hijack foreign computers in order to dig for cryptocurrencies, mostly bitcoins.

It can be enough to visit one of more than 50,000 websites that contain the malicious code. They contain a tiny javascript piece of the cryptomining service “Coinhive”, which automatically causes the computers to “dig” cryptocurrencies for the hackers. The performance of the processor of affected devices is demanded in such a way that they can hardly be used for other activities.

Given the persistently high price of cryptocurrencies, it is also likely that there will be new types of ransomware in 2018 that specialize in blackmailing Bitcoin and others. New targets could be smart devices such as televisions or mobile phones with Android system software, as these are particularly easy to hijack for hackers.

Macros and exploits still cause trouble

The attacks with harmful scripts that cybercriminals particularly like to hide in Office files, will probably continue to accompany us in 2018.

They tend to communicate consistently with compromised websites from different devices. For example, the attackers use PowerShell to perform command-and-control activities to achieve the desired effect that way.

In particular, our security lab gives warning of attacks that use exploits. Unlike macros, these require less or even no user interaction to infect the system. This method often exploits vulnerabilities in popular software shortly after they are released. If the victims’ systems have not been updated yet, then the hackers will have an easy job.

The “Internet of Things” is much loved – also among cybercriminals

The “Internet of Things” has by now been on everyone’s lips. The interconnection of objects is not only popular among technophiliacs. Increasingly, cybercriminals also take their pleasure in it. This is simply due to the fact that many of the wireless connected devices are not quite up to date in terms of safety.

The “Mirai botnet” has already shown us impressively, how vulnerable unsafe configured IoT devices can be. It seized millions of Internet-related everyday devices such as routers, observation cameras and even toasters. This was followed by a large-scale of DDoS attacks, which even occasionally led to disruptions at Amazon, Netflix or Twitter, therefore even striking very popular Internet services.

Even branches such as the medical sector are taking more and more use of the Internet of Things. Because it is convenient to connect medical devices to the Internet, for example to digitize medical records. However, the resulting dangers should not be underestimated.

Conclusion: Taking the right precautions saves a lot of trouble

As threatening as the new developments may seem: Companies that already use a sophisticated and proven IT security concept have only little to fear.

By contrast, the mere use of antivirus software does not ensure a safe IT infrastructure. On the contrary, the use of traditional anti-virus programs can even have a negative impact on a company’s IT security, as we have previously reported.

In fact, considerably more things matter: Efficient IT security concepts are based in particular on prevention and the use of effective IT security solutions. Cloud-based IT security solutions, such as the services provided by Hornetsecurity, play an increasing role in this. They safeguard you against even the most sophisticated cyberattacks, so that not even ransomware and others can throw your business off track.

Additional information: