Sunday, November 20, 2016

Nemucod downloader spreading via Facebook

Earlier today, a friend of mine notified me of something strange going on with his Facebook account; a message containing only an image (an .svg file in reality) had been sent automatically, effectively bypassing Facebook's file extension filter:


What is an .svg file? From Wikipedia:

Scalable Vector Graphics (SVG) is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation. The SVG specification is an open standard developed by the World Wide Web Consortium (W3C) since 1999.
Because SVG is XML rather than a bitmap, the file can carry content beyond the drawing itself, including a <script> element with JavaScript. Moreover, every modern browser renders SVG natively, so opening the 'image' directly is opening a web page that can run that script. An upload filter that only looks at the file extension or the image/svg+xml content type does not see any of this.

Contents of our 'photo' are as follows:

Copy of file on Pastebin here

It's a heavily obfuscated script, which, after opening, redirects you to the following website:

Fake Youtube - "You must install the codec extension to watch this video."

A website purporting to be Youtube, including a video from Facebook - of course, you'll need to install an additional extension to view it :)

The extension has no icon, which makes it easy to miss in the toolbar, and requests the following permissions:

Currently, I'm not exactly sure what this extension is supposed to do beside spreading itself automatically via Facebook (harvesting your credentials in the process), but likely it downloads other malware to your machine.

One of my security colleagues had in fact noticed similar behavior and got ransomware (Locky) as payload:

The extension's description is one of the following and appears to be semi-random; other variations are possible:

One ecavu futolaz corabination timefu episu voloda 
Ubo oziha jisuyes oyemedu kira nego mosetiv zuhum

The Facebook security team as well as Google Chrome's store security team have been notified.

UPDATE 22/11/2016

  • The rogue Chrome extensions have been removed from the store.
  • Facebook is now filtering SVG files as well:

Test.svg, containing just a window.alert() method


Remove the malicious extension from your browser immediately:

Additionally, run a scan with your antivirus and change your Facebook password afterwards.

Notify your friends you sent a malicious file, or in the other case, let your friend know he/she is infected. If you keep receiving the same message from your friend, you may want to temporarily block their messages.


As always, be wary when someone sends you just an 'image' - especially when it is not how he or she would usually behave.

Additionally, even though both Facebook and Google have excellent security controls/measures in place, something bad can always happen.

For those interested, all related files have been uploaded to VirusTotal, and their hashes and domains can be found, as always, on AlienVault's OTX:

Monday, November 14, 2016

Cybercrime Report Template

In this blog post I'll be contributing a template or form, made as simple as possible, to enable you to report cybercrime in a more efficient way. Scroll down if you're not interested in the background story.

The need for this form arose several years ago, when I wrote a blog post about the 'blame game'. In short, I wrote about how we are all guilty of pointing fingers when a cyber incident occurs.

In reality, the only person or entity to blame is the one that infected you or your organisation. Since publishing that post, cooperation has definitely improved - whether that is due to my post or not, I'll leave aside - one example is the No More Ransom project.

The blog post concluded by noting that post-infection information is scarce: there is plenty of material on prevention, incident handling and malware cleaning, but information on what to do afterwards, once you have actually become a victim of cybercrime, was rather poor.

In short: report it to your CERT or local police department!

You can fill in the template below and download and/or print it as a PDF, which you can submit or include to an organisation of your choosing.

The template is also available on the following link:
Cybercrime Report Template

Disclaimer: no information will be sent to me or Jotform at any point.

In addition to the template embedded in this blog post (and at the link above), it is also available separately as a PDF.

Organisations that wish to use this template, are free to do so. I have added the source on Github, which you'll be able to find here.


Please refer to the following websites if you would also like to report this separately:
Report Cybercrime Online (EU)
IC3 Complaint Referral Form (US)
Canadian Centre for Cyber Security (CA)
ReportCyber (AUS)
Report Cybercrime (NZ)

In case you do not want to report this to any of the agencies above, just fill in the form and print it, then share it with your country's CERT or (local) police department. This can be (partly) anonymous - ask whether there is an option to do so.

You can find a list of CERTs here:
CERTs by Country - Interactive Map (Europe)

APCERT team members (Asia Pacific)

Friday, July 22, 2016

EU cookie law and fake Chrome extensions

When a website is serving up malware to unsuspecting visitors, it's often not too hard to find the culprit. In some cases, however, it takes a bit more digging. When visiting a specific website (not named, at the owner's request), you're presented with the following message:

Your browser contains MALWARE. You have to install Chrome Malware Removal tool

After some digging on the site, nothing looked suspicious at first sight. However... it did have an EU cookie-law consent pop-up:

The script behind it is as follows:

... Which contains:

Both scripts contain the warning message and a redirect to the Google Chrome store:

lang = 'en';
var msg = 'Your browser contains MALWARE. You have to install Chrome Malware Removal tool.';
if (lang == 'es') msg = "Su navegador contiene malware. Usted tiene que instalar la herramienta de eliminación de malware Chrome.";
if (lang == 'it') msg = "Il tuo browser contiene malware. È necessario installare strumento di rimozione malware Chrome.";
if (lang == 'fr') msg = "Votre navigateur contient MALWARE. Vous devez installer l'outil de suppression de logiciels malveillants Chrome.";
if (lang == 'pt') msg = "Seu navegador contém malware. Você tem que instalar o Ferramenta de remoção Chrome Malware.";
if (lang == 'de') msg = "Ihr Browser enthält MALWARE. Sie müssen Chrome Malware Removal Tool zu installieren.";
if (lang == 'ru') msg = "Ваш браузер содержит вредоносный код. Вы должны установить расширение для блокировки вредоносного кода.";
if (lang == 'gr') msg = "Το πρόγραμμα περιήγησής σας περιέχει κακόβουλο λογισμικό. Θα πρέπει να εγκαταστήσετε το Chrome Malware εργαλείο αφαίρεσης.";

You can find both scripts on Pastebin here and here.

Chrome Malware Removal Tool

At time of writing, it has over 22,000 users. You can find the malicious extension here.

UPDATE 27/07: the malicious extension has now been removed from the Chrome store.

To remove an extension from Chrome:

It is not clear whether the site offering the cookie consent script was hacked or is in on the ploy. The URLs leveraged in this campaign, along with further indicators, can be found as always on AlienVault OTX.


Steer clear of scripts offered by third-party EU cookie-consent websites and create your own pop-up instead. A trustworthy site for generating one is, for example, cookie-script. The underlying problem is that a <script src> pointing at someone else's server runs whatever that server decides to serve on each page load, so anything you do not host and review yourself can change under you at any time.

As always when managing a website, keep your CMS (if any) updated as well as any plugins that may be running.

You can find more tips on how to prevent, find (and remove) malicious scripts on your website here.

Tuesday, May 10, 2016

A collection of PHP backdoors

Just a quick post to announce I've set up a GitHub repository with a collection of PHP backdoors for educational and/or testing purposes only:

Feel free to check it out and/or contribute here:

The repository will be updated continuously and gradually.

If you're interested in analysing a PHP backdoor, check out my post on PHP/C99shell:
C99Shell not dead

Additionally, find tools to deobfuscate PHP backdoors here:
PHP tools

Wednesday, May 4, 2016

SteamStealer IP visualisations

Just for fun I decided to visualise all SteamStealer IPs I've encountered (so far). These IPs host fake screenshot websites, fake voice-communication software, fake streaming websites, fake Steam websites and more; some also act as C&C for the malware or host fake gambling/lottery websites.

Any additional information can also be found on my blog:
Malware spreading via Steam chat

Additionally, be sure to read the paper I wrote with Santiago from Kaspersky about SteamStealers here: The evolution of malware targeting Steam accounts and inventory

Now for the fun part:

View SteamStealer IPs in a full screen map

Alternatively, check out the following map and stats:


Country                    IPs
Russian Federation         163
United Kingdom              19
United States               14
Czech Republic               1
Virgin Islands, British      1
Moldova, Republic of         1

As you can see, most of them are hosted in Russia; the United Kingdom and the United States follow at a distance as second and third.

Note: CloudFlare is increasingly being used to 'hide' the real server IP address. CloudFlare IPs are not included.

That's about it, hope you enjoyed! Please find below tools used to create the mapping.



SteamStealer IPs IOCs

Thursday, April 21, 2016

Nemucod ransomware information

This is a quick post on the recent Nemucod ransomware. Nemucod is (normally) a downloader which uses JScript (not JavaScript, thanks Katja), run by Windows Script Host, to get onto an unsuspecting user's machine and download additional malware (what exactly usually depends on the campaign).

There's a blog post by Fortinet which explains Nemucod ransomware, so I'm not going to repeat much here: Nemucod Adds Ransomware Routine

It came to our attention that a new, rather peculiar version of Nemucod has been recently landing on users. Nemucod is a well-known JavaScript malware family that arrives via spam email and downloads additional malware to PCs.

This particular campaign is using the lure of a court appeal to spread:

The mail reads:

Notice to Appear,
You have to appear in the Court on the April 22. Please, prepare all the documents relating to the case and bring them to Court on the specified date. Note: If you do not come, the case will be heard in your absence.
The Court Notice is attached to this email.
Yours faithfully, Brian Snider, District Clerk.

It seems Nemucod ransomware got another update, as it now uses 7-zip to actually encrypt the files.

Another change is the slight drop in price. Whereas before it was 0.60358 bitcoins ($267.14 or €236.43), it's now 0.49731 bitcoins ($220.11 or €194.80).

New message reads:

Nemucod ransomware message

Nemucod encrypting a whole plethora of filetypes, appending the .crypted extension


If you have opened a .JS file (JScript file) from an unknown sender, open Task Manager immediately and stop all the following processes (at least in this version of Nemucod):

a0.exe (actually a renamed copy of 7-zip)

The faster you do this, the fewer files will be encrypted. Run a scan with your antivirus program and a scan with another antivirus program to verify the malware has been removed.

Note: It's always useful to keep a copy of the ransomware note handy, as it's easier to identify the ransomware and if it can be decrypted.


I'm only briefly reporting on this for those in need, but currently the known decryptors are not suited for this version. However, Fabian from Emsisoft is already working hard to make a decryptor available, so please have patience!

If you have an older version of Nemucod, you can try one of the following decryptors:
Emsisoft Decrypter for Nemucod 
nemucod_decrypter (you will need to install Python for this)

You can also try restoring files with Shadow Explorer. (alternate link)

For more information, please visit the following Bleeping Computer topic
.crypted Ransomware (Nemucod) - Decrypt.txt Support and Help Topic


In particular for Nemucod, don't open any JScript/JavaScript files from unknown senders.

For more tips on ransomware prevention, be sure to check out this page I've set up:
Ransomware Prevention


Same as with all malware: don't open attachments from unknown senders!

Please find below IOCs and additional resources.


.crypted Ransomware (Nemucod) - Decrypt.txt Support and Help Topic
ID ransomware
JavaScript-toting spam emails: What should you know and how to avoid them?
Nemucod ransomware IOCs
Ransomware overview
Ransomware Prevention
TrojanDownloader: JS/Nemucod

Thursday, March 24, 2016

Ransomware prevention

Very short blog post to let you know I now also have an English version of my article 'preventie van ransomware', on how to prevent ransomware.

You can find it as a page (see top of my blog) or here:
Ransomware Prevention

Translations are available in Dutch (Nederlands) and French (français).

Thanks to @WawaSeb for the French translation. If you would like to translate this page in your own language, feel free to do so and send me the link so it can be added.

Tuesday, March 15, 2016

All your creds are belong to us

In the past, I've blogged about Steam Stealers (malware that specifically targets gamers and users of Valve's platform) before (see 1, 2), but this blog post will be a bit different.

Working together with Santiago Pontiroli, Security Researcher at Kaspersky Lab Global Research and Analysis Team, we've written a paper on these infamous Steam Stealers.

Check out our blog post here or directly download the PDF from here.


Sunday, February 21, 2016

Preventie van ransomware

This blog post was written in Dutch. If you'd like to read English material, be sure to check out this page. There's also a Q&A on ransomware. On that page, you'll also find links to translations in French and Korean.

Ransomware needs no introduction any more, but in short this specific kind of malware encrypts (almost) all of your files and demands a certain amount (nowadays usually in Bitcoin) to give you back access to your files.

Other names: "CryptoLocker", cryptoware, encrypting ransomware.

This blog post is split into two parts: one for home users, one for companies. Most tips are interchangeable, though, and can be applied as you see fit.

Finally, a few tools are provided as a supplement, as well as extra resources.


For home users:

  • Depending on your mail client, use a decent anti-spam filter. Almost all online services (e.g. Gmail, ...) already offer one by default.
  • Never open an attachment from an unknown sender.
  • Block the execution of macros in your Office suite.
  • Disable Windows Script Host. Use, for example, option D in my tool.
  • Disable PowerShell. This can be done via Control Panel > Programs >
    Turn Windows features on or off.
  • Use a decent anti-virus/anti-malware and firewall solution and keep it up to date.
  • Remove all old Java versions, or remove Java entirely if possible.
  • Remove Silverlight if possible.
  • Always install all relevant Windows updates.
  • Enable click-to-play for Flash in your browser. How to do this depends on your browser.
  • Install NoScript or similar in your browser.
  • Install an ad blocker in your browser, for example uBlock Origin.
  • There is also a freeware program available, called CryptoPrevent, that configures a lot of things for you automatically (such as monitoring the known locations from which ransomware launches).

Last but not least, the two most important points:

  • Always think twice before clicking a link or opening an attachment.
  • Take regular backups! Don't forget to disconnect your external hard drive after the backup. Also be careful with backups to the cloud: as soon as you notice you're infected, immediately disconnect from the network and/or shut down the device to limit the damage.

    Also test whether the backup succeeded and restore a few (test) files. A backup is always the best option for getting files back, but then you need to know that it actually worked.


For companies:

Many of the tips above also apply in companies. The vast majority of them can be rolled out perfectly well via Group Policy (GPO).

A few additions:

  • Always use strong passwords for your servers (whether domain controller, file server, etc.).
  • Always install all relevant Windows updates.
  • Disable RDP access if possible. If that isn't possible, use a good (hardware) firewall solution with VPN. Use strong passwords/authentication here as well. Enable 2FA/MFA for VPN access, or at the very least for administrator access.
  • Remove administrator rights from regular users. Most users with a company laptop should, in theory, not need to install programs and the like.
  • Disable the use of macros in Office via GPO if possible (or only allow digitally signed macros), disable Windows Script Host and make antivirus mandatory.
  • So also install antivirus on all devices in the network, and certainly for users who (may) take their device home.
  • If available, enable the option to have archived files scanned by the antivirus.
  • Install a decent anti-spam solution and block attachments with dangerous extensions (.exe, .scr, ...), but also block JavaScript files (.js).
  • Verify your users' file-sharing permissions, and be as strict as you can. Does a user in group X have no business on group Y's share? Restrict access (use ACLs, for example).
  • Inform users about the dangers of opening attachments from an unknown sender or casually clicking a link in an unknown email. Also have an action plan ready in case a malware infection (ransomware or otherwise) does occur.
  • Use policies to prevent EXE files from running from certain locations. Link.

Last but not least, the two most important points:
  • 'Failing to prepare is preparing for failure.' Prevention is more important than disinfection.
  • Take regular backups! Don't forget to disconnect your external hard drive after the backup. Also be careful with backups to the cloud: as soon as you notice you're infected, immediately disconnect from the network and/or shut down the device to limit the damage.

    Also test whether the backup succeeded and restore a few (test) files. A backup is always the best option for getting files back, but then you need to know that it actually worked.


Tools and extra resources:

Preferably don't use Internet Explorer or Edge: other browsers are more 'customizable', meaning you can configure some extra protection with an add-on or extension.
(But don't forget to keep these extensions up to date as well.)

Enable click-to-play for plugins (such as Flash or Silverlight):
uBlock Origin (Chrome)
uBlock Origin (Firefox)

Block the execution of scripts:
Remediate VBS Worm
Script Defender

CryptoPrevent Malware Prevention:

Why should I remove older Java versions from my computer?

Disabling PowerShell:


Backing up and restoring: frequently asked questions

Enable or disable ActiveX controls in Office documents
Block or unblock external content in Office documents
Enable or disable macros in Office files

Using GPO:

Identify ransomware:
ID Ransomware

Ransomware overview:
Ransomware Overview

No More Ransom project (decrypters etc.):
The No More Ransom Project

Extra ransomware information:
Ransomware: a Q&A

Windows File Sharing:
Understanding Windows Server 2008 File and Folder Ownership and Permissions

Windows Script Host (WSH):
Disabling Windows Script Host

Tuesday, February 2, 2016

Vipasana ransomware new ransom on the block

Yet another ransomware is going around (since at least the 20th of December), which I've dubbed Vipasana ransomware due to where you need to send your encrypted files to:

Message in Russian, you need to mail to get your files back

The name may be derived from Vipassanā or 'insight meditation'.

The message in Russian reads:

твои файлы зашифрованы, если хочешь
все вернуть, отправь 1 зашифрованный файл на эту почту:

ВНИМАНИЕ!!! у вас есть 1 неделя что-бы написать мне на почту, по прошествии
этого срока расшифровка станет не возможна!!!!


Your files are encrypted, if you want them all returned,
send 1 encrypted file to this email:

ATTENTION!!! you have 1 week to send the email, after
this deadline decryption will not be possible !!!!

It seems these ransomware authors first want you to send an email before requiring any other action, rather than immediately (or in a certain timeframe) paying Bitcoins to get your files back. In this sense, their technique is novel. Instead of the usual 24/48/72h to pay up, they give you a week.

Do not be fooled: this does not make them 'good guys' in any way, they encrypted your files and as such are criminals.

Search results for the email address are non-existent, with the exception of one victim hit by this ransomware:

Email addresses used in this specific ransomware campaign:

Files will be encrypted and renamed following the naming convention below:
[ID]-[DATE-TIME].randomname-[RANDOM].[XYZ].CBF

Where [XYZ] is also a random 'extension'; the real extension is .cbf.

ver-CL may refer to the version number of the ransomware, indicating there are older versions as well.

Targeted file extensions:

.r3d, .rwl, .rx2, .p12, .sbs, .sldasm, .wps, .sldprt, .odc, .odb, .old, .nbd, .nx1, .nrw, .orf, .ppt, .mov, .mpeg, .csv, .mdb, .cer, .arj, .ods, .mkv, .avi, .odt, .pdf, .docx, .gzip, .m2v, .cpt, .raw, .cdr, .cdx, .1cd, .3gp, .7z, .rar, .db3, .zip, .xlsx, .xls, .rtf, .doc, .jpeg, .jpg, .psd, .zip, .ert, .bak, .xml, .cf, .mdf, .fil, .spr, .accdb, .abf, .a3d, .asm, .fbx, .fbw, .fbk, .fdb, .fbf, .max, .m3d, .dbf, .ldf, .keystore, .iv2i, .gbk, .gho, .sn1, .sna, .spf, .sr2, .srf, .srw, .tis, .tbl, .x3f, .ods, .pef, .pptm, .txt, .pst, .ptx, .pz3, .mp3, .odp, .qic, .wps

I have sent over all necessary files to the good people over at Bleeping Computer, as there may be a way to recover files. If so, I will update this post.

Update - 12/02: thanks to a tweet from Catalin this appears to be another version of so called "offline" ransomware, discovered by Check Point:
“Offline” Ransomware Encrypts Your Data without C&C Communication

Note this is in fact a Cryakl variant.

Unfortunately, there doesn't appear to be a way to recover your files once they are encrypted. Your best bet for recovering files is a tool like Shadow Explorer, which checks whether you can restore files from 'shadow copies' (Volume Shadow Copies).

If that doesn't work, you may try a data recovery program such as PhotoRec or Recuva.


Ransomware is, unfortunately, far from gone. Almost every week or month, new variants or entirely new strains of ransomware pop up. So the first and foremost rule is:

Create (regular) backups!

For more prevention advice, see here

You may also find a list of Indicators of Compromise (IOCs; hashes, domains, ...) over at AlienVault:
Vipasana ransomware

Tuesday, January 19, 2016

Chrome extension empties your Steam inventory

I recently got notified about the following topic (and post) on
Known scammer alt opening a gambling site

In there, you can see a Steam user named Delta (Steam profile down below) has created several 'helpful' Chrome extensions for Counter-Strike: Global Offensive (CS:GO).

A few examples:

'Read and change all your data on the websites you visit'

Other examples are:

CSGODouble Theme Changer
CS:GO Double Withdraw Helper
Csgodouble AutoGambling Bot
Improved CSGODouble

Instead of changing your CS:GO Double theme, the extension steals the items from your inventory; instead of trading with the person you trust, the items go to the scammer rather than to whoever you think you're trading with:

All the addons he made can be found here. You can report them to Google as well by clicking 'Report Abuse' > 'Malware'. Note: some of them are still in the store despite several reports.

Update (20/01): all mentioned extensions are now removed from the Chrome Web Store.

76561198254328724 is the Steam ID of the scammer, who is currently on trade probation, which means a trade ban was recently lifted.

Update (20/01): 'Delta' is now trade banned (again):

You can find his Steam profile here and his SteamRep profile here. (SteamRep is "a non-profit site that partners with community administrators to improve the safety of game-related trading.")


As opposed to actual SteamStealers, this one's pretty easy to disinfect or remove, as you can simply remove the extension(s) from Chrome:

In this example:

You may read more about installing, managing and removing extensions here. If you're having problems removing one of the extensions, you can also try resetting your Chrome browser.


Does it look suspicious? Does it sound too good to be true? Don't install it!

For more prevention tips on securing your Steam account, see my earlier post about SteamStealers here.

Steam also has a FAQ set up in regards to: Spyware, Malware, Adware, or Virus Interfering with Steam


SteamStealers are (unfortunately) nothing new. Criminals are getting craftier and better in attempting to steal items or account credentials (along with other credentials) from unsuspecting users.

As opposed to actual malware or SteamStealers being loaded on your machine, this time it's a browser extension - so be wary of anything that looks too good to be true and think twice before you install anything (whether that be an extension, a 'screensaver' or images that look like you ;) ).

Follow the prevention tips above to stay safe. For any questions or feedback, don't hesitate to comment.

Sunday, January 10, 2016

Security Predictions 2016

Since everyone's doing it, here are some of my security predictions for 2016.

  • More ransomware
  • More misuse of the word 'CryptoLocker' (this ransomware died somewhere in 2014)
  • More malware
  • More misspellings of malware ('mallware', 'maleware', etc.)
  • More IoT devices (Internet of Things)
  • More ransomware or other malware for IoT devices
  • More database/company breaches
  • More spam, phishing, etc.
  • More (ATM) skimming
  • More nation-state malware
  • More governments spying on their citizens
  • More privacy concerns
  • ...

Essentially: more of the same. I also suspect 2016 will be the year in which more nation-state malware is discovered/uncovered. And of course more encrypting ransomware (aka 'cryptoware'), as it's still a successful recipe. As long as people pay the ransom, they will keep bringing out new & improved versions/variants.

More security predictions (and probably more explained in depth or simply better ones) can be found by performing a search with your favorite search engine.

May you have a safe, malware-free, privacy-friendly 2016!