MacKeeper User Information Exposed In Data Breach

This week, we hear the latest on the MacKeeper data breach and two variants of the Derusbi RAT family.

Breach

MacKeeper User Information Exposed

Customer names, Internet addresses, and login credentials of MacKeeper users were recently leaked online. The MacKeeper utility is designed to “optimize” Apple Mac computers. Kromtech, the German-based firm behind MacKeeper, said that users' payment details were "never at risk."

The firm believes the security expert who discovered the exposure is the only one who has accessed the data. "The privacy and security of our clients' information remains our top priority and from the moment we were aware of the access, we immediately took several proactive steps to identify and correct the issue," Kromtech said in a statement.

References:  MacKeeper Users' Details Leaked Online | 13 Million MacKeeper Users Exposed

Mitigation Strategies:

Malware

Derusbi RAT bypasses driver signature enforcement

Derusbi is a well-known RAT family used in various APT attacks since at least 2008. Researchers have described two known variants of this malware: a client version, which behaves like any other RAT by contacting its command and control (C&C) server, and a server version that listens for incoming connections from a client [1].

An evolution of Derusbi has found a way to bypass Windows driver signature enforcement. Various samples of this driver were signed with legitimate, stolen certificates, and some of those certificates were still perfectly valid at the time of analysis.

The malware configuration can embed up to 8 C&C addresses. A configuration update mechanism is also available: the malware requests a URL stored in its configuration, and the resulting web page is parsed and examined for specific tags.

The architecture of this new Derusbi variant is distributed among various drivers and processes, each one responsible for a specific task. No single process performs all the malicious work, which makes it harder for security software to raise alerts on any one component.



[1] http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family

References: Nemesis Bootkit — A New Stealthy Payment Card Malware

Mitigation Strategies:

  • Intrusion Detection System (IDS) signatures to detect the malware's specifically observed callback traffic

  • Netflow traffic analysis may also reveal large data transfers and data leakage

  • Log management could detect the attacker's external IP information, provided logging is configured
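The netflow-based mitigations above, as an added example that is not part of the newsletter: the script parses a few constructed flow records, aggregates outbound bytes per internal-host/external-host pair, and flags pairs that either hit a callback watchlist or exceed a bulk-transfer threshold. The internal ranges, watchlist addresses (documentation-range placeholders, not real indicators) and threshold are assumptions a defender would set locally.

```python
"""Flag netflow records consistent with RAT callback traffic or bulk exfiltration.
Added example; internal ranges, watchlist and threshold are assumed local settings."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed watchlist of callback addresses (documentation-range placeholders, not real IoCs).
CALLBACK_WATCHLIST = {"203.0.113.10", "198.51.100.7"}
# Aggregate outbound bytes to one external host above which we alert on a bulk transfer.
EXFIL_BYTES_THRESHOLD = 50 * 1024 * 1024  # 50 MiB

# Constructed flow export, one record per line: src_ip,dst_ip,dst_port,bytes
SAMPLE_FLOWS = """\
10.0.0.5,203.0.113.10,443,4096
10.0.0.5,203.0.113.10,443,2048
10.0.0.9,198.51.100.200,443,31457280
10.0.0.9,198.51.100.200,443,26214400
10.0.0.9,10.0.0.1,445,94371840
10.0.0.12,203.0.113.50,80,12000
"""

def is_external(ip: str) -> bool:
    """True when the address lies outside the configured internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def parse_flows(text: str):
    """Yield (src, dst, port, nbytes) tuples from the CSV-style export."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, nbytes = line.split(",")
        yield src, dst, int(port), int(nbytes)

def analyze_flows(flows, watchlist=CALLBACK_WATCHLIST, threshold=EXFIL_BYTES_THRESHOLD):
    """Return alerts as (reason, src, dst, total_bytes), aggregated per host pair."""
    volume = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if is_external(dst):  # traffic that stays inside the network is not exfiltration
            volume[(src, dst)] += nbytes
    alerts = []
    for (src, dst), total in volume.items():
        if dst in watchlist:
            alerts.append(("callback", src, dst, total))
        if total >= threshold:
            alerts.append(("large_transfer", src, dst, total))
    return alerts
```

Run `analyze_flows(parse_flows(SAMPLE_FLOWS))` to see one callback alert for 10.0.0.5 and one large-transfer alert for 10.0.0.9; the 90 MiB internal SMB transfer is deliberately ignored.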

Top 20 IP Addresses
