Better Security to Drive Increase in Mobile Holiday Shopping

Shopping on mobile devices is expected to be strong during the 2017 Holiday Season, according to a new report from Trustlook. Faster network speeds, slick shopping apps, and, perhaps most significantly, the feeling of security among device owners are helping to drive this expected uptick in mobile shopping.

Continued updates to iOS and Android operating systems, as well as the proliferation of free mobile security apps, have contributed to a more secure mobile environment. Android, for instance, which represents the majority of mobile malware, is seeing fewer malware incidents, while more hackers than ever are reporting Android bugs to Google in exchange for so-called “bug bounties.”

“What jumped out the most in our study was the feeling of security between shoppers and non-shoppers,” said Allan Zhang, co-founder and CEO of Trustlook, a cybersecurity company that offers a chip-level security solution for mobile devices. “Those who feel secure on their device will shop and spend much more than those who don’t. It’s that simple.”

For the first time ever, mobile visits to retailers’ websites are expected to surpass desktop visits during the months of November and December. Still, experts warn that mobile shoppers need to be cautious, as the risk isn’t going away. “The bad guys go to where the activity is, and the activity is on mobile,” said Zhang.

Some key findings from Trustlook’s survey include:
1. 66% of users surveyed will shop on a mobile device this Holiday Season.
2. 45% of users surveyed will spend more than $250 on purchases made through a mobile device.
3. Over 80% of expected mobile shoppers either “Strongly Agreed” or “Agreed” with feeling secure, whereas for non-shoppers, the percentage was just over 50%.
4. The Home Electronics and Clothing categories are expected to see the bulk of purchases.

To see an infographic of Trustlook’s survey findings, go here. For more information on Trustlook and their AI-powered SECUREai cybersecurity platform, please visit http://www.trustlook.com.


“BadRabbit” Ransomware Hits Businesses Across Europe

Trustlook Labs has investigated a ransomware outbreak dubbed “BadRabbit,” which is sweeping public organizations and businesses such as airports, banks and power utilities in Russia, Ukraine, Turkey and Bulgaria.

The malware is disguised as an Adobe Flash Player installer that the user downloads from a phishing website. The dropper (MD5: fbbdc39af1139aebba4da004475e8839) writes a DLL module to C:\Windows\infpub.dat, which is the main BadRabbit payload, and launches it as C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15. The following disassembly shows this command line being assembled:

0119138A  |TEST CX,CX
0119138D  \JNZ SHORT BR.01191380
0119138F  PUSH 30C                                 ; /BufSize = 30C (780.)
01191394  LEA ECX,DWORD PTR SS:[EBP-61C]           ; |
0119139A  PUSH ECX                                 ; |Buffer
0119139B  CALL DWORD PTR DS:[]                     ; \GetSystemDirectoryW
011913A1  TEST EAX,EAX
011913A3  JE BR.01191487
011913A9  PUSH BR.01196CF8                         ; /StringToAdd = "\rundll32.exe"
011913AE  LEA EDX,DWORD PTR SS:[EBP-61C]           ; |
011913B4  PUSH EDX                                 ; |ConcatString
011913B5  CALL DWORD PTR DS:[]                     ; \lstrcatW
011913BB  TEST EAX,EAX
011913BD  JE BR.01191487
011913C3  LEA EAX,DWORD PTR SS:[EBP-1258]
011913C9  PUSH EAX                                 ; /Arg1
011913CA  LEA ECX,DWORD PTR SS:[EBP-1254]          ; |
011913D0  CALL BR.011910C0                         ; \BR.011910C0
011913D5  TEST EAX,EAX
011913D7  JE BR.01191487
011913DD  MOV ECX,DWORD PTR SS:[EBP-1258]
011913E3  PUSH EBX
011913E4  MOV EBX,DWORD PTR SS:[EBP-1254]
011913EA  PUSH ECX                                 ; /Arg1
011913EB  CALL BR.01191260                         ; \BR.01191260
011913F0  POP EBX
011913F1  TEST EAX,EAX
011913F3  JE BR.01191487
011913F9  LEA EDX,DWORD PTR SS:[EBP-124C]
011913FF  PUSH EDX                                 ; /
01191400  PUSH BR.01196D40                         ; | = "infpub.dat"
01191405  LEA EAX,DWORD PTR SS:[EBP-61C]           ; |
0119140B  PUSH EAX                                 ; |
0119140C  LEA ECX,DWORD PTR SS:[EBP-C34]           ; |
01191412  PUSH BR.01196D58                         ; |Format = "%ws C:\Windows\%ws,#1 %ws"
01191417  PUSH ECX                                 ; |s
01191418  CALL DWORD PTR DS:[]                     ; \wsprintfW

The malware also drops the files “C:\Windows\dispci.exe” and “C:\Windows\cscc.dat”. It creates scheduled tasks (named rhaegal and drogon in the listing below) to execute the file, and the executable installs a malicious bootloader.

6C561077  PUSH DWORD PTR SS:[EBP+8]
6C56107A  PUSH EAX
6C56107B  LEA EAX,DWORD PTR SS:[EBP-618]
6C561081  PUSH infpub.6C570028                     ; UNICODE "schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "%ws /C Start \"\" \"%wsdispci.exe\" -id %u "
6C561086  PUSH EAX
6C561087  CALL DWORD PTR DS:[]                     ; USER32.wsprintfW

[...]

6C5682BB  LEA EAX,DWORD PTR SS:[EBP-658]
6C5682C1  PUSH EAX
6C5682C2  LEA EAX,DWORD PTR SS:[EBP-E58]
6C5682C8  PUSH infpub.6C571820                     ; UNICODE "schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "%ws" /ST %02d:%02d:00"
6C5682CD  PUSH EAX
6C5682CE  CALL DWORD PTR DS:[]                     ; USER32.wsprintfW
6C5682D4  ADD ESP,14

The malware generates a random key by calling “CryptGenRandom”, then encrypts that key with an embedded RSA-2048 public key.

The key is then used to encrypt the files on the system with the AES-128 encryption algorithm. The malware encrypts files with the following file extensions:

.3ds, .7z, .accdb, .ai, .asm, .asp, .aspx, .avhd, .back, .bak, .bmp, .brw, .c, .cab, .cc, .cer, .cfg, .conf, .cpp, .crt, .cs, .ctl, .cxx, .dbf, .der, .dib, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .hpp, .hxx, .iso, .java, .jfif, .jpe, .jpeg, .jpg, .js, .kdbx, .key, .mail, .mdb, .msg, .nrg, .odc, .odf, .odg, .odi, .odm, .odp, .ods, .odt, .ora, .ost, .ova, .ovf, .p12, .p7b, .p7c, .pdf, .pem, .pfx, .php, .pmf, .png, .ppt, .pptx, .ps1, .pst, .pvi, .py, .pyc, .pyw, .qcow, .qcow2, .rar, .rb, .rtf, .scm, .sln, .sql, .tar, .tib, .tif, .tiff, .vb, .vbox, .vbs, .vcb, .vdi, .vfd, .vhd, .vhdx, .vmc, .vmdk, .vmsd, .vmtm, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xml, .xvd, .zip

The malware skips the files under the following directories:

\Windows
\Program Files
\ProgramData
\AppData

The ransom message “Readme.txt” is written in the root of drives.

After the scheduled task reboots the system, a ransom note is displayed on screen.

The malware runs “wevtutil” and “fsutil” commands to clear the event logs and delete the USN change journal:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
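All of the command lines above (rundll32 loading infpub.dat, the rhaegal and drogon scheduled tasks, and the wevtutil/fsutil chain) are recorded by ordinary process-creation telemetry, which makes them practical detection points. The following Python is an added detection example, not Trustlook's code; the rule names, regular expressions and sample log lines are my own constructions, and the last rule is generic anti-forensics detection rather than BadRabbit-specific.

```python
import re

# Detection rules keyed on the BadRabbit behaviours described above. Rule
# names are my own; the last rule is generic anti-forensics, not BadRabbit-only.
RULES = {
    "badrabbit_rundll32_infpub": re.compile(
        r"rundll32(\.exe)?\s+\S*infpub\.dat,#1\b", re.I),
    "badrabbit_schtask_rhaegal_drogon": re.compile(
        r"schtasks\s+/Create\b.*?/TN\s+(rhaegal|drogon)\b", re.I),
    "badrabbit_dispci_launch": re.compile(
        r'dispci\.exe[\\"]*\s+-id\s+\d+', re.I),
    "eventlog_wipe_and_usn_delete": re.compile(
        r"wevtutil\s+cl\s+\w+.*fsutil\s+usn\s+deletejournal", re.I),
}


def scan_command_lines(lines):
    """Return a (rule_name, command_line) pair for every rule each line trips."""
    hits = []
    for line in lines:
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits


# Constructed sample of process-creation command lines (as Sysmon Event ID 1
# or Security 4688 would log them); not real telemetry. The /TR values are
# placeholders except where the analysis above gives the exact string.
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15",
    r'schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal '
    r'/TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1234 "',
    r'schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "REBOOT_COMMAND_PLACEHOLDER" /ST 14:32:00',
    r"wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & "
    r"wevtutil cl Application & fsutil usn deletejournal /D C:",
    r"C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL",  # benign
    r"schtasks /Query /TN rhaegal",  # querying, not creating: no hit
]

if __name__ == "__main__":
    for rule, cmd in scan_command_lines(SAMPLE_COMMAND_LINES):
        print(f"{rule}: {cmd}")
```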

The malware also attempts to spread to other systems on the network. It uses the following embedded username and password lists to brute-force logins to other systems over SMB.

Usernames:
alex
netguest
superuser
nasadmin
nasuser
nas
ftpadmin
ftpuser
asus
backup
operator
other user
work
support
manager
rdpadmin
rdpuser
rdp
ftp
boss
buh
root
Test
user-1
User1
User
Guest
Admin
Administrator

Passwords:
god
sex
secret
love
321
123321
uiop
zxcv
zxc321
zxc123
zxc
qwerty123
qwerty
qwert
qwer
qwe321
qwe123
qwe
777
77777
55555
111111
password
test123
admin123Test
Admin123
user123
User123
guest123
Guest123
administrato
Administrato
1234567890
123456789
12345678
1234567
123456
12345
1234
123
test
adminTest
user
guest
administrator
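Because the spreading routine cycles through a fixed set of usernames, it leaves a recognisable pattern in Windows logon telemetry. The following Python is an added example (not from the original post) of how a defender might surface it: it groups network logons (logon type 3) by source host, flags a source that fails against several of the embedded usernames inside a short window, and records whether a success followed. The event fields, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Lower-cased usernames from the embedded BadRabbit list above.
BADRABBIT_USERNAMES = {
    "alex", "netguest", "superuser", "nasadmin", "nasuser", "nas", "ftpadmin",
    "ftpuser", "asus", "backup", "operator", "other user", "work", "support",
    "manager", "rdpadmin", "rdpuser", "rdp", "ftp", "boss", "buh", "root",
    "test", "user-1", "user1", "user", "guest", "admin", "administrator",
}

def detect_smb_spray(events, window=timedelta(minutes=5), min_failures=5, min_users=3):
    """Flag source hosts whose network logons (type 3) show >= min_failures failed
    logons (4625) across >= min_users wordlist usernames inside `window`;
    'compromised' is True if a success (4624) follows within another window.
    Thresholds are assumptions to be tuned against your own baseline."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == 3:
            by_src[ev["src_ip"]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs
                 if e["event_id"] == 4625 and e["user"].lower() in BADRABBIT_USERNAMES]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e["time"] - first["time"] <= window]
            users = {e["user"].lower() for e in burst}
            if len(burst) >= min_failures and len(users) >= min_users:
                last = burst[-1]["time"]
                success = any(e["event_id"] == 4624 and last <= e["time"] <= last + window
                              for e in evs)
                findings[src] = {"failures": len(burst), "users": users,
                                 "compromised": success}
                break
    return findings

# Constructed sample logon events (fields modelled on Security 4624/4625), not real
# logs: one host sprays six wordlist names then succeeds; another has two unrelated failures.
T0 = datetime(2017, 10, 24, 12, 0, 0)

def _ev(seconds, src, user, event_id):
    return {"time": T0 + timedelta(seconds=seconds), "src_ip": src,
            "user": user, "event_id": event_id, "logon_type": 3}

SAMPLE_EVENTS = (
    [_ev(10 * i, "10.0.0.5", u, 4625)
     for i, u in enumerate(["Admin", "Administrator", "user", "Guest", "root", "backup"])]
    + [_ev(70, "10.0.0.5", "Administrator", 4624)]
    + [_ev(5, "10.0.0.9", "jdoe", 4625), _ev(20, "10.0.0.9", "jdoe", 4625)]
)
```

A real deployment would read these fields from the Security log or an EDR and raise the thresholds to match the environment's normal failure rate.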

Hashes (MD5)
Trustlook Labs has identified the following hashes associated with BadRabbit:

Dropper:
fbbdc39af1139aebba4da004475e8839

Payload:
1d724f95c61f1055f0d02c2154bbccd3 c:\Windows\infpub.dat
b14d8faf7f0cbcfad051cefe5f39645f c:\Windows\dispci.exe
b4e6d97dafd9224ed9a547d52c26ce02 c:\Windows\cscc.dat

Summary
The ability to spread via SMB makes the BadRabbit ransomware particularly destructive, as it can infect systems across a network very quickly and easily. It is further proof that ransomware, with its monetary incentives, continues to be the dominant trend in malware developed by criminal hackers. Thankfully, Trustlook’s antivirus engine can effectively detect ransomware attacks and protect our customers.

Trustlook at Qualcomm’s 5G Summit in Hong Kong

Trustlook was thrilled to be part of Qualcomm’s 5G Summit in Hong Kong this week. We were excited to have a booth to show off our innovative chip-level mobile security and token technology that is made possible by using Qualcomm’s Haven Security Platform.

The 2017 Summit brought together global device manufacturers and operators, along with software & hardware technology companies, to strategize and discuss industry trends and technology developments. This year, the event highlighted 5G, connectivity, IoT and the connected world and so much more. Here is a very insightful report on the Top 9 Things at Qualcomm’s 5G Summit.

How Trustlook works with Qualcomm

Trustlook has integrated its SECUREai engine with the Qualcomm Haven™ Security Platform on the Qualcomm® Snapdragon™ 835 mobile platform. Using power-efficient machine learning-based behavioral analysis, the solution is designed to support enhanced device security through real-time detection and classification of zero-day malware and privacy violations.

The Qualcomm Haven Security Platform supports advanced hardware-based security features such as fingerprint and iris authentication, device attestation, and real-time device behavior monitoring. Trustlook’s SECUREai is a suite of embeddable security engines that identify advanced malware, detect device behavior anomalies, and classify threats using proprietary AI technology. SECUREai supports multiple platforms including Android, security gateways, IoT devices, and currently powers products of leading mobile device makers such as Huawei and Tecno Mobile, and numerous Android security apps.

The Trustlook solution on Qualcomm Haven Security Platform is available to handset OEMs on the Snapdragon 835 mobile platform, and is expected to be supported by additional Snapdragon SoCs later this year.

Trustlook on list of Top 500 Cybersecurity companies


Trustlook is honored and excited to be on the Cybersecurity 500 list published by Cybersecurity Ventures. The Cybersecurity 500 is the definitive list of the world’s hottest and most innovative companies in the cybersecurity industry.

Trustlook has been around only since 2013, but has built a reputation for reliable cybersecurity products that push the engineering envelope. We focus extensively on Artificial Intelligence (AI) as the foundation for all our security products to rapidly improve performance. We have products for consumers, app developers, OEMs, systems integrators, and large enterprises. We protect mobile phones, network appliances, and IoT devices. Pretty much anyone looking to build security into an app or computing device can benefit from our technology.

To read the article, please go here. To learn more about Trustlook or to schedule a demo, please visit www.trustlook.com.

Trustlook Named to the 50 Most Admired Companies of The Year for 2017

Trustlook has been named by The Silicon Review magazine as one of the 50 Most Admired Companies of The Year for 2017. This prestigious list honors some of the most promising ventures from across the technology landscape. This year’s list includes companies in cloud computing, infrastructure, and security.

“Trustlook is honored to receive this distinction,” says Allan Zhang, CEO and co-founder of Trustlook. “This is not only recognition for our forward-thinking products, but also for the great people and culture we have at the company.”

Trustlook has been around only since 2013, but has built a reputation for reliable cybersecurity products that push the engineering envelope. They focus extensively on Artificial Intelligence (AI) as the foundation for all their security products to rapidly improve performance. They have products for consumers, app developers, OEMs, systems integrators, and large enterprises. They protect mobile phones, network appliances, and IoT devices. Pretty much anyone looking to build security into an app or computing device can benefit from their technology.

To read the article, please go here. To learn more about Trustlook or to schedule a demo, please visit www.trustlook.com.
