Quttera | BLOG

A blog about real-life cybersecurity attacks, web malware and how to protect your website and online business from cybercriminals.

Background
There is a wide blast of SPAM emails pretending to be a legitimate letter from Apple about your user account being used on a new device. Because people instinctively click on any link embedded in an email without analyzing its content, SPAM campaigns are usually very effective when disguised under a well-known brand.
SPAM investigation
Let's take a deep look and spot the flaws of the email:

Read more →

Background
As it turned out during the malware clean-up of customer websites, hackers were using exactly this type of exploit to attack the site. Furthermore, the site got reinfected with malware as soon as someone accessed it. We got alarmed because the reinfection was so sudden, so we dug deeper and found out something else.
Website Malware Incident Investigation
Upon checking the access logs of the site, we found a very nifty but familiar entry in the records, as shown below:

Read more →

Background
There is a Black SEO/Spam poisoning campaign running that mainly targets WordPress websites. While handling several incidents related to it, we discovered a new self-recovering WordPress-oriented malware among other malicious components. Let's take a look at all of them.
Backdoors To Control The Attacked Website
We still don't know if there is any relation between the infections, but all of the examined websites contained numerous generic PHP shells and backdoors whose names have the following format:

Read more →

During our incident response to the client's website, we found a vulnerability in the VTEM Skitter module of the Prestashop CMS. Here is the code snippet of uploadimage.php:
$uploaddir = './img/';
// the user-supplied file name is written straight into ./img/ with no authentication or file-type check
$uploadfile = normalize(preg_replace('/ /', '', basename($_FILES['userfile']['name'])));
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir.$uploadfile)) echo 'success:'.$uploadfile; else echo 'error';
To test if your site is vulnerable, open your favourite browser and enter the following in the address bar: http:///modules/vtemskitter/uploadimage.

Read more →

Information has been scattered all over the internet. Link after link is distributed over the web through Facebook, YouTube, blogs, emails, text messages and every other form of online communication. This includes both good and bad links, and the bad ones can cause problems for whoever visits them. Unpatched sites are being exploited to host infected redirections and attack payloads. A couple of weeks ago, we received a report about an unauthorized connection that the site makes whenever a visitor opens it.

Read more →

There is no such thing as a perfect web application. Some software vulnerabilities have been around since the very first application was created. The majority of today's exploits can lead to the automatic execution of arbitrary code without the user's permission. In this post, we show the Rig Exploit Kit's attack flow. Quttera's malware researchers uncovered and removed this malware from one of our ThreatSign customers' websites. Rig Exploit Kit has been making a lot of noise, and it is widely used by hackers to distribute malware over the internet.

Read more →

Ransomware has become very frequent this year, and our malware researchers encounter more and more cases of cryptographic file-locking attacks. Ease of deployment, the wide range of targets and a clear business model are probably the main reasons for the popularity of this kind of malware among cyber criminals. Any company or organization is a potential target, as was proven earlier this year when U.S. hospital computers and cancer treatment equipment were shut down due to ransomware.

Read more →

Infected Websites: How bad can it be?
Here are the top reasons for having a website:
Information Dissemination
Personal Biography
Marketing your business
Online shopping
Let's have a look at a sample scenario: Your new and shiny website is ready and goes online to serve your goals. You are enjoying every activity involved in building up your online presence, like sharing information, marketing your business, serving your online shoppers and much more.

Read more →

Deobfuscation made easy with MalwareDecoder.com
Battling malware is a very competitive and very fulfilling task nowadays. It brings joy and confidence to every Malware Analyst who can discover or unravel the code being used for an attack or infection. We at Quttera were able to help other Malware Analysts with their tasks by providing tools for them to use in their analysis. We have tested it with one of the suspicious files that we got from one of our clean-ups.

Read more →

Malicious ads and website reputation
Malvertising is one of the most profitable businesses in the cyber hacking industry. Exploiting website inventory is highly beneficial for cyber criminals, as it is then sold to redirect traffic to gambling, adult, pharma and similar kinds of websites. Needless to say, its damage to the reputation of both publishing websites and advertising networks is huge. Ideally, Web Admins are the ones responsible for checking the ads that their site is showing.

Read more →

Website Defacement is just a click of a button
In the past few months, Quttera malware researchers have encountered a significant rise in website defacements by hackers. Government websites, among others, were under such cyber-attacks and thus got a lot of attention and concern from the public. Interestingly, in some cases, hacker groups used defacement as their "cyber branding". The number of such sites being defaced is then used as a global ranking of the responsible hacker group.

Read more →

Security tools serving good and bad
This is a Python script used by Cyber Security Analysts to check for vulnerabilities in websites. Like any other network security tool, it is utilized by many, meaning it is also utilized by the bad guys, a.k.a. "hackers". While we were browsing the dark web, we stumbled upon a hacking forum where you need to take an exam before you can join their group.

Read more →

RedKit Malware Still Alive
[Image: RedKit malware as detected by Online Malware Scanner]
Background
Back in 2013, we posted about RedKit infecting a significant number of websites. It appears that, three years later, the statistics of the websites submitted to the online malware scanner show a revival of this malware among infected websites.
Malicious action
Malicious iframes are often used to distribute malware hosted on external web resources (websites).

Read more →

Traffic Distribution System (TDS) On Infected Websites
This malware technique is widely used to monitor and redirect traffic from a compromised website to malicious content or paid referrals. In the past, we highlighted similar cases in our blog: Blacklisted website used to drive traffic to 'penny stock website'
[Diagram: Malicious TDS flow (Malicious Traffic Distribution System diagram)]
Background
A ThreatSign! client received a complaint from his customer that his website got blocked when accessed from Google Chrome.

Read more →

FilesMan Backdoor Malware On Your Computer
FilesMan is being abused in the wild
What is FilesMan? It is a File Manager used to explore the files on a computer. It is the most basic malware tool that attackers upload to your website as a form of backdoor to browse your files. Some of these File Managers are sophisticated and have their own GUI (Graphical User Interface); some are capable of uploading and downloading files from your website as if the attackers were sitting in front of your computer browsing it personally.

Read more →

What is Cross Site Scripting (XSS)?
On May 26th 2016, Jetpack disclosed an XSS vulnerability discovered in their popular plugin. We would like to take this opportunity to describe what XSS is. A Cross Site Scripting or XSS attack refers to the injection of malicious code or a malicious payload into pages of a legitimate website. When these compromised pages are then visited by website users, the injected malicious code (or payload) is executed by a client-side application (the visitor's web browser) and performs the actual malicious action, such as redirecting the visitor to another website, downloading and installing malicious code, showing adult ads, etc.

Read more →

Steps To Discover Malicious Hosts Attempting To Access Your Website
When dealing with a previously cleaned website that gets re-infected over and over again, it is essential to monitor who tried to connect to the website and when. Usually, a POST request is used to access the malware files and launch a malicious script or command. Thus, once you have the file names, you can review the log files (e.g. access.log for Apache) to detect the servers that were sending these malicious requests.

Read more →

Introduction
This article highlights well-known website vulnerabilities, bad practices, flaws and security issues that allow hackers to compromise websites. Its purpose is strictly educational, and it should be used as a guide to enhance the web security applied to websites and web applications. The material presented below is gathered from common mistakes made by Internet users with very limited computer science skills. The basic information shared here depicts an entire arsenal that leads to a successful cyber attack, resulting in legitimate websites getting blacklisted by search engines and security vendors.

Read more →

Quttera's support team is constantly contacted by website anti-malware monitoring customers whose website(s) were blacklisted. This post lists several (not all) blacklisting authorities and how to submit your site to them for (re)testing. First, you should make sure your website no longer hosts malware, spam or any other potentially harmful content. You can do it yourself, or if you're a ThreatSign customer you can simply let us do it for you.

Read more →

Obfuscated malicious JavaScript code generated a hidden iframe to drive traffic to a customer website
Background
The Online Website Malware Scanner identified a malicious JavaScript code injection in the scanned website. Usually, such malicious obfuscated JavaScript code is used to build a malicious iframe that is invisible to the website user and downloads content from a remote malware distributor. This website is located in Ukraine and it is used by a Traffic Direction System (TDS) managed by the malicious domain revmihyr[.

Read more →
