
Sticky Attacks: When the operating system turns against you

Cyber-attackers are always finding new ways of bypassing the protection systems installed on computers in order to avoid detection and steal user data. In that respect, Black Hat hackers have always turned to malware-based attacks (delivered through phishing, network worms, or Trojans, with ransomware as the most damaging example) to reach their goals: break into companies and steal credentials and huge amounts of other data, or hold that data to ransom… At least, until now.

PandaLabs has recently detected a rather clever attack targeting a company in Hungary. What makes it so special? The attack does not use any malware as such: it relies on scripts and on tools that belong to the operating system itself, so there is no malicious executable for a scanner to flag. This is just another example of the growing self-confidence and professionalization we have been observing among cyber-crooks in recent months.

Analysis of a malware-less attack

First, and as has become the norm in the latest security incidents analyzed at the lab, the attack starts with a brute-force attack against a server that has the Remote Desktop Protocol (RDP) enabled and reachable by the attackers. Once they have guessed a valid user name and password, they have an interactive session on the machine.

Then, the first thing the attackers do is run the sethc.exe file with the parameter 211 from the computer's Command Prompt window (CMD). This brings up the system's "Sticky Keys" prompt, the same dialog that appears when the SHIFT key is pressed five times in a row, and one that most Windows users have seen at some point.

Next, a program called "Traffic Spirit" is downloaded and run. Traffic Spirit is a traffic-generator application, which in this case is used to make extra money out of the compromised computers.

Traffic Spirit website

Then, a self-extracting archive is launched that unpacks the following files into the %Windows%\cmdacoBin folder:

  • registery.reg
  • SCracker.bat
  • sys.bat

The attackers then run the Windows registry editor (Regedit.exe) to import the key contained in the registery.reg file.

This key ensures that every time the Sticky Keys feature is invoked (that is, every time sethc.exe would start), a file called SCracker.bat is run instead. The key itself is not reproduced here; the standard Windows hook for this behaviour is an Image File Execution Options entry for sethc.exe whose Debugger value names the program to start in its place. SCracker.bat is a batch file that implements a very simple authentication system: running it prompts for a user name and password.

The user name and password it accepts are taken from two variables defined in the sys.bat file.

This way, the attackers install a backdoor on the affected machine. With it, they can connect to the targeted computer over RDP without knowing any valid login credentials: at the logon screen they trigger the Sticky Keys feature (for example, by pressing the SHIFT key five times) and enter the user name and password from sys.bat to open a command shell. Because that shell is spawned from the logon screen, before any user has signed in, it runs with SYSTEM privileges.

The shortcuts defined in that command shell let the attacker jump to certain directories, change the console color, and run the other usual command-line commands.
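The following PowerShell hunt is an added example written for this page; it is not code from the original post or from Panda's products. It checks a host for this kind of accessibility-binary backdoor. It assumes that the key in registery.reg is an Image File Execution Options (IFEO) Debugger value for sethc.exe, which is the standard Windows hook for starting another program in place of a named executable (the post does not reproduce the key). It also goes beyond the case in the post: it checks the other accessibility binaries that winlogon can launch from the logon screen, the older variant in which the binary itself is overwritten with a copy of cmd.exe, and the %Windows%\cmdacoBin drop folder named above. The -Remediate switch is an assumed option that removes any Debugger value it finds.

```powershell
# Added example (not from the post): hunt for Sticky Keys / accessibility-binary backdoors.
# Assumption: the attacker's registery.reg sets an IFEO "Debugger" value for sethc.exe.
function Find-AccessibilityBackdoor {
    [CmdletBinding()]
    param(
        # Assumed option: remove any IFEO Debugger value that is found.
        [switch]$Remediate
    )

    $ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    # Binaries that winlogon can start from the logon screen before anyone authenticates.
    $targets = @(
        'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
        'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
    )
    $findings = @()

    foreach ($name in $targets) {
        # 1. IFEO hijack: HKLM\...\Image File Execution Options\<name>\Debugger
        $key = Join-Path $ifeoRoot $name
        if (Test-Path -LiteralPath $key) {
            $dbg = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                $findings += [pscustomobject]@{ Binary = $name; Check = 'IFEO Debugger'; Detail = $dbg }
                if ($Remediate) {
                    Remove-ItemProperty -LiteralPath $key -Name Debugger -ErrorAction Stop
                }
            }
        }

        # 2. Binary swap variant: the accessibility binary replaced by a copy of cmd.exe.
        #    OriginalFilename comes from the file's version resource; a renamed cmd.exe
        #    still reports "Cmd.Exe". Treat a mismatch as a lead, not as proof.
        $bin = Join-Path $env:SystemRoot "System32\$name"
        if (Test-Path -LiteralPath $bin) {
            $vi = (Get-Item -LiteralPath $bin).VersionInfo
            if ($vi.OriginalFilename -and ($vi.OriginalFilename -ne $name)) {
                $findings += [pscustomobject]@{ Binary = $name; Check = 'OriginalFilename mismatch'; Detail = $vi.OriginalFilename }
            }
            # System32 binaries are catalog-signed; Windows 8 and later verify that here.
            # On Windows 7 this can report NotSigned for a clean file, so compare hashes there.
            $sig = Get-AuthenticodeSignature -LiteralPath $bin
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $findings += [pscustomobject]@{ Binary = $name; Check = 'Signature'; Detail = $sig.Status }
            }
        }
    }

    # 3. The drop folder named in the post.
    $drop = Join-Path $env:SystemRoot 'cmdacoBin'
    if (Test-Path -LiteralPath $drop) {
        $files = (Get-ChildItem -LiteralPath $drop -Force | Select-Object -ExpandProperty Name) -join ', '
        $findings += [pscustomobject]@{ Binary = '-'; Check = 'Drop folder present'; Detail = "$drop ($files)" }
    }

    return $findings
}

# Usage: run from an elevated prompt; an empty table means nothing was found.
Find-AccessibilityBackdoor | Format-Table -AutoSize
```

Run it from an elevated prompt, since the IFEO key lives under HKLM. The IFEO check is the one that matches this incident; the signature and OriginalFilename checks catch the related trick of overwriting sethc.exe with cmd.exe, which leaves no registry trace at all.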

However, the attack doesn't stop here. In their attempt to squeeze as much profit as possible out of the targeted company, the attackers install a bitcoin miner on every compromised computer. Mining software uses the victims' computer resources to generate the virtual currency without their realizing it: a cheap and very effective way to monetize an infection.

How does the Sticky Keys feature aid cyber-crooks?

If an attacker can already access a targeted computer via an RDP connection, what do they need a backdoor for? The answer is quite simple: with the backdoor in place, even if the victim realizes that the system has been compromised and changes the Remote Desktop credentials, all the attacker has to do is open an RDP connection, press the SHIFT key five times at the logon screen, and enter the backdoor's own user name and password to get back in. And remember, all of this without running malware on the affected computer. Two things follow for defenders: changing passwords is not enough, the registry key and the dropped files have to be removed as well; and if the RDP listener enforces Network Level Authentication, the attacker must authenticate before the logon screen is ever shown, which closes the unauthenticated path to the backdoor.
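Two checks a defender would want alongside the credential change, added here as an example written for this page (not the post's or Panda's code): a summary of failed logons from the Security log, to spot the RDP brute force that the attack described above started with, and a check that the RDP listener requires Network Level Authentication, so that an attacker has to authenticate before reaching the logon screen where the SHIFT-five-times trick is used. Event ID 4625 and the RDP-Tcp registry values are real Windows artifacts; the 24-hour window and the threshold of 20 failures per source address are assumed defaults.

```powershell
# Added example (not from the post): summarise failed network/RDP logons and check NLA.
function Get-RdpBruteForceSummary {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,     # assumed look-back window
        [int]$Threshold = 20  # assumed: failures from one source IP before it is flagged
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Logon type 10 = RemoteInteractive (classic RDP). With NLA enforced the
        # pre-session credential check fails as type 3 (Network), so count both.
        if ($data.LogonType -in '3', '10') {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Source = $data.IpAddress
                User   = $data.TargetUserName
                Type   = $data.LogonType
            }
        }
    }

    $rows |
        Where-Object { $_.Source -and $_.Source -ne '-' } |
        Group-Object Source |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $times = $_.Group.Time | Sort-Object
            [pscustomobject]@{
                SourceIp = $_.Name
                Failures = $_.Count
                Users    = ($_.Group.User | Sort-Object -Unique) -join ','
                First    = $times[0]
                Last     = $times[-1]
            }
        } |
        Sort-Object Failures -Descending
}

function Test-RdpNla {
    # UserAuthentication = 1 requires NLA; SecurityLayer = 2 requires TLS for the listener.
    $rdp = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    [pscustomobject]@{
        UserAuthentication = $rdp.UserAuthentication
        SecurityLayer      = $rdp.SecurityLayer
        NlaEnforced        = ($rdp.UserAuthentication -eq 1 -and $rdp.SecurityLayer -eq 2)
    }
}

# Usage (elevated prompt, since reading the Security log requires it):
Get-RdpBruteForceSummary | Format-Table -AutoSize
Test-RdpNla
```

A source address with hundreds of failures against a handful of user names in the summary is the brute-force stage of this attack; NlaEnforced being $false means the logon screen, and with it any Sticky Keys backdoor, is reachable by anyone who can open a TCP connection to the RDP port.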

Adaptive Defense 360, Panda Security’s advanced cyber-security solution, was capable of stopping this targeted attack thanks to the continuous monitoring of the company’s IT network, saving the organization from serious financial and reputational harm. Protect your corporate network with the security solution that best adapts to your needs.


The post Sticky Attacks: When the operating system turns against you appeared first on Panda Security Mediacenter.

When cyber-security becomes an affair of state


The Netherlands, France and Germany will hold elections in the coming months. This series of electoral processes takes place in the wake of the U.S. elections, during which Russian cyber-attackers leaked thousands of Democratic National Committee emails that some claim may have affected the election result – a possibility ruled out by President Trump despite his finally admitting the existence of said attacks.

Following the events on the other side of the pond, some European leaders are now worried that Russian cyber-espionage groups may try to influence their elections in order to help far-right candidates. European Security Commissioner Julian King has admitted that cyber-attacks could be used “to manipulate democratic processes.” More specifically, cyber-security experts fear the possibility that phishing attacks may be used to extract confidential information that tarnishes the reputation of certain candidates, as was the case with Hillary Clinton.

Growing cyber-security fears ahead of coming European elections

The first elections will take place in the Netherlands, where voters will go to the polls on March 15. The Dutch government has resorted to extreme measures to combat cyber-attacks aimed at manipulating the general election: Dutch authorities have announced that they will count all ballots cast by hand, and will communicate the election results by phone to avoid any risk of hackers tampering with the results. This announcement was made after a cyber-security expert stated that the software used at Dutch polling stations is vulnerable to hacking.

The two rounds of France’s 2017 presidential elections will take place on April 23 and May 7, and French authorities are warning political parties about the increased threat of cyber-attacks. French Defense Minister Jean-Yves Le Drian recently said that in 2016 about 24,000 external attacks against his ministry were blocked by security, and warned of a real risk of cyber-attacks on French civil infrastructure such as electricity, telecommunications and transport.

Germany will hold its federal election on September 24. According to Stefan Soesanto, cyber-security expert at the European Council on Foreign Relations, the German federal system could lead to communication failures among security teams. Just a few months ago, German Chancellor Angela Merkel expressed her concern that Russia could try to influence Germany’s general elections, and recently indicated that security will be a key issue in the election campaign.

Taking all of this into account, it seems clear that cyber-security will play a key role in stopping cyber-attacks from having an impact on Europe's upcoming elections. However, it is not only political parties that must step up their defenses. The best way for your organization to protect itself against cyber-attacks, including phishing emails, is to have an advanced cyber-security solution in place, such as Panda Security's Adaptive Defense 360. Prevention, detection, response and remediation become an affair of state.

The post When cyber-security becomes an affair of state appeared first on Panda Security Mediacenter.