Trojan distributed as 8 Ball Pool game hack

The Dell SonicWALL Threats Research team has received a sample of a backdoor Trojan posing as a game hack. Cheats for games often contain malware, which may not come as a surprise to many. But as a game becomes more popular, cybercriminals take advantage of eager gamers with the promise of unlocking abilities or accumulating enough credits to buy something that helps them progress in the game, and these shortcuts make the cheats more appealing. The sample we received poses as a cheat for a top-ranking free sports game. In fact, searching for the 8 Ball Pool game online yields keyword suggestions such as "hack" and "cheats."


Infection Cycle

The Trojan arrives as a file named "hack 8 ball pool.exe." Upon execution, it copies itself to the following location:
  • %TEMP%\chrome.exe
To start after a reboot, the Trojan adds the following key to the registry:
  • HKLM\software\microsoft\windows\currentversion\run [8ce73491bf190a3fd7028c92bd3331b1] "%TEMP%\chrome.exe"
To bypass the Windows Firewall, it adds the following entry to the registry:
  • HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list [%TEMP%\chrome.exe]
It then makes the following DNS query:
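The two registry artifacts above are what an analyst would look for on other machines. The following triage script is an added example, not code from the SonicWALL report: it parses a constructed `reg export` excerpt (the sample text and the benign entries in it are made up for illustration) and flags Run entries and firewall exceptions whose program path points into a temp or profile directory.

```python
import re

# Constructed excerpt of a `reg export` of the two keys the Trojan modifies (benign entries added beside them).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"8ce73491bf190a3fd7028c92bd3331b1"="%TEMP%\\chrome.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"%TEMP%\\chrome.exe"="%TEMP%\\chrome.exe:*:Enabled:chrome"
'''

RUN_KEY = "\\microsoft\\windows\\currentversion\\run"
FW_LIST_KEY = "\\firewallpolicy\\standardprofile\\authorizedapplications\\list"
# Legitimate autoruns and firewall exceptions rarely point into temp/profile directories.
SUSPICIOUS_MARKERS = ("%temp%", "\\temp\\", "%appdata%", "\\appdata\\")
_PAIR = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg files double backslashes and escape quotes inside REG_SZ strings.
    return s.replace("\\\\", "\\").replace('\\"', '"')

def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers and REG_SZ name/value pairs."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := _PAIR.match(line)):
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys

def find_temp_persistence(reg_text):
    """Return (category, value_name, data) for Run entries and firewall exceptions in temp/profile dirs."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        k = key.lower()
        category = "autorun" if k.endswith(RUN_KEY) else "firewall-exception" if k.endswith(FW_LIST_KEY) else None
        if category is None:
            continue
        for name, data in values.items():
            # The firewall list is keyed by program path; Run entries carry the path in the data.
            path = (name if category == "firewall-exception" else data).lower()
            if any(marker in path for marker in SUSPICIOUS_MARKERS):
                findings.append((category, name, data))
    return findings
```

On a live host the same check can be run against the output of `reg export` for those two keys.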

Figure 1: DNS query to hackernople.no-ip.biz


It then begins sending information such as the current date, the victim's computer name, user name, operating system and IP address to a remote server:

Figure 2: Trojan sending personal information to a remote C&C server


We have also noticed the Trojan sending desktop screenshots to a remote server:

Figure 3: Trojan sending screenshots in a JPG format to a remote C&C server


This Trojan is capable of deleting files from the victim's machine. During our analysis, it deleted security tools such as Process Explorer (procexp) and TCPView.

Figure 4: Trojan sending confirmation of the removal of processes such as procexp.exe and tcpview.exe


It is also capable of downloading additional malicious components. During our analysis, it downloaded a password recovery tool called "WebBrowserPassView" onto the victim's machine and installed it. This tool can be used to reveal passwords stored in the victim's web browsers.

Figure 5: Packets showing the infected machine receiving an executable


Figure 6: Receiving command to execute and install WebBrowserPassView

This Trojan is capable of deleting data, possibly disrupting services, and stealing information, and therefore poses a significant threat depending on the sensitivity of the data stolen from the victim. It is made even more pervasive by banking on the popularity of the game it pretends to be, and with its capability to download and install more components, victims will likely end up with multiple malware infections on their computers.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:
  • GAV: Barys.RAT (Trojan)


Source: Dell SonicWALL Security Center
Have a good time.
(Be knowledgeable, pass it on then)

Allowing WeChat to Sign Up and Get a QR Code for Login through SonicWall

SonicWall's Application Control blocks some applications that WeChat requires.

As a result, mobile device users on your network will not be able to sign up in WeChat and will get "Connection error. Check your network settings."

Users who already have an account will also be unable to sign in using the QR code.

Laptop/desktop WeChat users will encounter the error shown below as well.



To resolve these issues, you need to unblock/allow the following entries from the Application Signature List in your SonicWall:
Application Category: Proxy-Access (27)
Application: Proxy-Access HTTP (966)
Application Signature: Proxy-Access HTTP Proxy -- HTTP Proxy POST (9685)

You still need to allow/exclude the IP addresses below from the Application Control list of your SonicWall. (In fact, WeChat uses many IP addresses; check your logs and add more if the issue is not resolved after adding the list below.)
203.205.129.101
203.205.147.168
203.205.151.160
140.206.160.213

Once you have completed the steps above, your users should have no issues using WeChat, either on their mobile devices or on laptops/desktops within your network.
(Personally, I really do not want to allow this application, as it is not secure, but I have to allow it because of business need. So I have to monitor the usage of this application closely.)

Have a good time.
(Be knowledgeable, pass it on then)

Increased Online Shopping and Increased Malicious Email Threats

As usual, online shopping websites are offering year-end discounts after Thanksgiving Day, Black Friday and Cyber Monday.
As a result, spammers also launch spam campaigns to find victims through online shopping.

Below is a guide on "How to stay safe" online and "Best practices for avoiding email scams".

How to Stay Safe

An important skill for staying safe online is identifying the fraudulent domain names used in malicious links in emails. Scammers usually try to deceive end users by disguising the true second-level domain, prepending legitimate, familiar names to the beginning of hostnames. Appearing to come from a legitimate source, the malicious email contains links to sites that host exploit code, in the hope that the user has an unpatched system and a vulnerable web browser, with the goal of compromising the user's system. Other attack vectors come directly as email attachments: Word documents, executables, and other infected files.

Best practices for avoiding email scams

- Never click on links in emails without thinking about it carefully.
- Authenticate the sender: Is the sender truly who they say they are? Do I recognize and trust the sender?
- Educate end users on how to hover over links in emails to identify the real domain name, both in the email's From address and in any links in the email body.
- If there is any doubt about the authenticity of a domain name, check it. Take the example customer_service@amazon.com--0123-xyz.malicious-site.com: is the domain in this sender's email address, malicious-site.com, owned by Amazon or by someone else? (The easiest way is simply to go to amazon.com and take care of any notifications or required actions by logging in to the site directly, rather than clicking on links in emails.)
- For users who are unable to identify domain names in links and email addresses, advise them never to click on a link sent in an email, but rather to open the site in a browser by typing the address manually in the address bar, to ensure that they are going to the legitimate site.
- Always report suspicious emails to your Security Administrator, or directly to the site being spoofed. If in doubt, ask before clicking.
- Never open file attachments from unknown/untrusted sources.
- Stay up to date with software patches for operating systems, web browsers and all other software on the computer.
- Install and keep up to date host-based and network-based Gateway Anti-Virus and Intrusion Detection systems.
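The domain check described above can be automated for mail-gateway or user-awareness tooling. The following is an added example (not from the original post): it pulls the registrable domain out of an email address or URL and reports when a trusted brand name appears in the text but the address is not actually under that brand's domain. The small PUBLIC_SUFFIXES set is an assumption standing in for the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumed stand-in for the Public Suffix List; a real tool would load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}

def registrable_domain(hostname):
    """Return the part of a hostname that someone actually registered, e.g. malicious-site.com."""
    labels = hostname.lower().rstrip(".").split(".")
    for n in (2, 1):  # try two-label suffixes (co.uk) before one-label ones (com)
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]

def real_domain(target):
    """Extract the registrable domain from an email address or a URL."""
    if "@" in target and "://" not in target:
        host = target.rsplit("@", 1)[1]  # everything before the last '@' is just the local part
    else:
        host = urlsplit(target if "://" in target else "http://" + target).hostname or ""
    return registrable_domain(host)

def is_lookalike(target, trusted_domain):
    """True when target name-drops trusted_domain but does not actually belong to it."""
    trusted = trusted_domain.lower()
    return trusted in target.lower() and real_domain(target) != trusted

# Constructed sample addresses/links, including the example from the list above.
SAMPLES = [
    "customer_service@amazon.com--0123-xyz.malicious-site.com",
    "https://www.amazon.com.account-verify.example.co.uk/login",
    "https://www.amazon.com/gp/css/order-history",
    "orders@amazon.com",
]

def triage(samples, trusted_domain="amazon.com"):
    """Map each sample to (registrable domain, lookalike verdict) for review."""
    return {s: (real_domain(s), is_lookalike(s, trusted_domain)) for s in samples}
```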

That's all for general security guidelines for end users and for IT professionals who need to take care of the security of an organization.

Hope it may be useful to some.

Have a good time.
(Be knowledgeable, pass it on then)