Can someone in Cyber Security or IT help answer this basic question on the change of today’s malware? [closed]

1.) Before, the most common types of malware were usually trojan horses and various other types of viruses derived from one’s own e-mail on a desktop. Given the timespan since those days, the game has changed. Today, ways of breaching a user’s data have changed drastically. What are the most prevalent methods that an average person should be aware of today?

Phishing attempt?? – EML attachment from a “trusted source” might be urgent and important, or malware / phishing

I don’t usually feel competent enough to ask decent questions, let alone answer one here. But, this is rather urgent, so please be patient with me:

I CANNOT tell if the “secure encrypted message” I got in an email from a “state agency” was genuine or malware! I was somewhat (reluctantly) expecting an email from that department and their email signature appeared genuine. Unfortunately, they may or may not have attached that file, which purportedly contained the message body as an *.EML “secure attachment message”.

I couldn’t open the secure message attachment, which was the first clue of something amiss. (I also do NOT want to call them, and then have them read me the message, which would trigger a conversation I’m not prepared for, without first knowing what the message was about.)

As I started working hard to open the attachment, failed, and researched more, my findings appeared more and more ominous. I will keep this question UPDATED with any missing details.
SUMMARY:

  • Received seemingly valid email from a known state agency, known person, known division I do business with.
  • Plain text message body:
    “Please find the attached.” [?? Odd wording –> “‘FIND‘ the attached” ??]
  • The [real] message was attached, encrypted, and only viewable by the email recipient that it was addressed to. The attachment then had to be opened by the email client, (Gmail-web). I’ve done this before once or twice, so it is a pain, but not unheard of.
  • Email ATTACHMENT was then “viewed in a NEW WINDOW” in Chrome and Vivaldi with similar if not the same results: https://mail.google.com/mail/u/0/?????????????..[etc.]/: WHICH SAID:

[ERROR MESSAGE FROM GOOGLE MAIL:]
“You are viewing an attached message. COMPANY Mail can’t verify the authenticity of attached messages. Your document has been completed”

“VIEW COMPLETED DOCUMENTS:”
[LINK GOES TO: https://www.notion.so/(KNOWN_AGENCY_-_GUID)/]

“Ms. [known person]”
“[Known State Agency]”

  • After clicking on the link from the popup shown above, it opened a new TAB in my email browser’s page at this URI: https://www.notion.so/(KNOWN_AGENCY_-_GUID)/ which said the following:

“[KNOWN STATE AGENCY]”
“This PDF is password protected,”   “[KNOWN PERSON] sent you an important vital file to review.”

“REVIEW FILE HERE:”
[LINK GOES TO: https://fafanfan.tk/000/nsw/data/UntitledNotebook1.html ] 

“Please take a look and let me know if these are ready to print.”
[ HUH?? Why let you know?? And, why print, instead of view?? ] 
“Kindly open with your professional email.”
[ HUH?? “Kindly”, “Professional email”?? Who talks like this?? ]
“Login with your email and password to view file.”

  • So, then I clicked on the email link and TRIED to log into my company GMAIL account.
  • It appeared to log into my account successfully, but then said I had to verify my account and to provide [either the] recovery phone or recovery email address
  • I provided a valid phone #, which failed with an error.
  • Then I tried my valid recovery email address, which also failed with an error.
  • I tried both Vivaldi and Chrome, and all failed each time. (I assumed that it opened a window without cookies, so the login to Google was from a new, unknown page.)

At this point, I started Googling the URI’s and other things —

  • Hmmm strange domains [TLD].TK ?? Searched the URI = NO hits.
  • Searched [TLD].TK — not good — It said 95% of the .TK traffic is malware / spam.
  • Searched the other URI shown above = NO hits. NOT cool.
  • I changed all my email PW’s. I checked for odd logins, but saw nothing odd. (If I provided my credentials to the bad guys, they are a bit slow today. So maybe I dodged a bullet.)
  • I checked/scanned the downloaded file with Windows Defender — no detection
  • I submitted the file to Virus Total — no detection by anyone.
  • I also submitted the two URI’s shown above, and came up with only one hit from an unknown security company, who likely flagged the *.TK as possibly a “bad URI”.

At this point, I’m not at all sure what to do… I do NOT want to call them and start a conversation that might later deny “plausible deniability that I received this notice”. OTOH, I can’t ignore it too long, either.

RANT: I hate all these “protections” that invite malware to be easily inserted. Then you are relying on ordinary users to figure out if the attachments are safe?? Few users are smart enough, and I know that I’m not. (Although I’m not a total security idiot, as I’m more cautious and knowledgeable than most anyone I know.)
If Adobe wants to provide tools like this, fine. Then please make it much easier and obviously safe for both senders and [very novice] readers. For instance, use Adobe.com URI’s and never TLD’s that are also used for malware. If providing security tools, please don’t rely on these agencies’ IT staff to try to train and equip their users to properly use these tools with the public, most of whom have never opened a “secure attachment”, let alone know how to open them (OR NOT) safely.

man-in-the-middle’d packets have bad and incorrect checksums on localhost, how to find the malware?

Am trying to fix a man-in-the-middle’d macOS Catalina machine. Have been viewing packets with tcpdump and noticed, on connecting to any web address, there is a legit packet that gets sent to the DNS server… then… there are packets that get sent from 127.0.0.1:53482 (or some port) to 127.0.0.1:443 — the packet headers are labelled with incorrect checksum (cksum -> incorrect). Also, there are packets 127.0.0.1:62692 (or some other port) -> 127.0.0.1:32376 labelled bad checksum (bad udp cksum). And, again localhost, 127.0.0.1:5353 -> 224.0.0.251:5353 again with bad checksum (bad udp cksum). All this traffic is on the lo0 adapter.

Example of a man-in-the-middle incident on the machine:

Legit: [screenshot: Wiki article on different machine and different network] [screenshot: Wiki article on man-in-the-middle’d machine]

MITM: [screenshot: Wiki article on man-in-the-middle’d machine] [screenshot: Wiki article on different machine and different network]

Packet traces

[screenshot: Incorrect checksum destination 127.0.0.1:443]

[screenshot: Bad checksum destination 127.0.0.1:32376]

[screenshot: Bad checksum source 127.0.0.1:5353 destination 224.0.0.251:5353]

Attempts to find process:

[screenshot: sudo lsof -i]

[screenshot: netstat]

My guess is this is related to some corruption with mDNSResponder? I welcome and appreciate any tips or suggestions on how to solve this.

Many thanks

How can I determine if a malware sample is morphic? (polymorphic, metamorphic, etc)

I want to do a malware test that specifically uses recent morphic malware samples (polymorphic, metamorphic, etc). There are a couple of good sources I can pull samples from, but I need to know if their signature will change or not.

The best idea I have so far is to use a tool to disassemble it so I can look at the Assembly code. Then get it to propagate and look at the code to see if there is a change.

Does anyone know of a better way to do this? I’m not even sure of a reliable way to make it propagate.

How to check if an mp4 file contains malware?

I am not that familiar with security and malware analysis, but I know it is theoretically possible to embed malware into files like video, audio …

Say that someone managed to embed malware into an mp4 file and send it via Gmail.
I have the following questions.

  • Is it easy to bypass the Google security that is implemented in Gmail so that it will not be detected as a virus/malware by Gmail?

  • Once the video is downloaded, how can I check whether it contains malware/a virus or not (other methods than using VirusTotal…)?

  • Is it possible that the malware can infect multiple OS (Windows and Linux: mainly Ubuntu)?

Malware in backups

The main thing I am interested in is the 3rd point below.

In short, I am worried about having a virus and what will suffice to remove it.

I am on Mac and am running the latest version of Catalina. I do a lot of stuff on the command line using iTerm2 as an emulator and fish as the shell. As a package manager I use Homebrew. Not sure whether this is important or not.

The problem: my shell stopped recognizing commands like ls, brew, locate, … added slashes to the end of directory names and changed my prompt to @HUAWEI (wtf). All this happened without any direct interaction on my side. – I found nothing like this online.

What I did prior to the problem occurring: I updated and upgraded Homebrew (more than one day before), I installed the Cisco AnyConnect client (one day before), I downloaded a PDF from an untrustworthy page (about 7 hours before) – not smart, I know.

Here is what I wonder about: 1) Does this sound like a virus to you? 2) If it were/is a virus – is it usually enough to reinstall macOS from recovery, or reformat the drive and then reinstall? 3) What about the iCloud backup. After I reinstalled, would I not just redownload any infected files from the cloud – this I am wondering about in general. How should I deal with this in general? I.e. when are viruses in backups a problem?

I am well aware that this is very context specific.

Thank you a lot in advance

What is the meaning of similar JA3 in many APK malware analysis reports?

In an online malware analysis website called “Joe Sandbox”, I found a few reports of APKs that have the exact same JA3 fingerprint. Those are the reports that I found:
https://www.joesandbox.com/analysis/103507/0/html
https://www.joesandbox.com/analysis/208046/0/html
https://www.joesandbox.com/analysis/209043/0/html
https://www.joesandbox.com/analysis/209453/0/html

My question is: since they all share the same JA3 fingerprint, does it mean there is any connection between them? (By “connection” I mean – if they were all created by the same developer, if they all targeted a specific person, etc.) If not, why do they share the same JA3 fingerprint value?

Thank you for your help, and sorry for the ignorance on the subject.
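To show what a JA3 value actually encodes, here is an added example (not part of the question and not taken from the Joe Sandbox reports) that builds the JA3 string and MD5 from constructed ClientHello parameters: two constructed apps sharing the same TLS stack get the same hash even when one of them sends GREASE values, while a stack with a different cipher order and extension set gets a different one. The sample parameters are constructed and the app names are placeholders.

```python
import hashlib

# GREASE values (RFC 8701): clients insert these at random positions, so JA3
# drops them before hashing; otherwise the same app would fingerprint
# differently on every connection.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}

def _field(values):
    """Join one ClientHello list as JA3 does: decimal, '-' separated, no GREASE."""
    return "-".join(str(v) for v in values if v not in GREASE)

def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 string: SSLVersion,Ciphers,Extensions,EllipticCurves,PointFormats."""
    return ",".join([str(version), _field(ciphers), _field(extensions),
                     _field(curves), _field(point_formats)])

def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """JA3 fingerprint: MD5 of the JA3 string, as 32 hex characters."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode()).hexdigest()

# Constructed ClientHello parameters (placeholder apps, not real captures).
# Each tuple is (version, ciphers, extensions, curves, point_formats) in wire order.
STACK_CIPHERS = [4865, 4866, 4867, 49195, 49199, 49196, 49200, 52393, 52392, 156, 157, 47, 53]
STACK_EXTS = [0, 23, 65281, 10, 11, 35, 16, 5, 13, 51, 45, 43, 21]
SAMPLE_HELLOS = {
    # two apps built on the same platform TLS library: identical parameters
    "apk_a": (771, STACK_CIPHERS, STACK_EXTS, [29, 23, 24], [0]),
    # same library, but this capture happened to include GREASE values
    "apk_b": (771, [0x2a2a] + STACK_CIPHERS, [0x3a3a] + STACK_EXTS, [0x4a4a, 29, 23, 24], [0]),
    # a different TLS stack: same suites in another order, smaller extension set
    "apk_c": (771, list(reversed(STACK_CIPHERS)), [0, 10, 11, 13, 16, 23], [23, 24, 29], [0]),
}

def group_by_ja3(hellos):
    """Map each JA3 hash to the sorted names of the samples that produce it."""
    groups = {}
    for name, params in hellos.items():
        groups.setdefault(ja3_hash(*params), []).append(name)
    return {h: sorted(names) for h, names in groups.items()}

if __name__ == "__main__":
    for h, names in group_by_ja3(SAMPLE_HELLOS).items():
        print(h, names)
```

Because the hash covers only the TLS stack's handshake parameters, unrelated apps that link the same platform TLS library collide on JA3; a shared value is evidence about the library, not about the author.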

Accidentally clicked spam email link on android, risk of malware?

I was browsing my spam folder on my phone in the gmail app and stupidly let curiosity get the better of me. The app had blocked images by default but I clicked to allow them as well as accidentally clicked a link in the email while scrolling through. A page began to load but I closed it before anything visually loaded as soon as I saw the URL.

I was on a OnePlus 5 Android phone connected to my home WiFi. Android version 9 with the August 1, 2019 security patch. Gmail app last updated Feb 12th 2020. The Gmail app had permissions to my contacts, calendar, and storage at the time I clicked the link. The phone is rooted with Magisk but no root prompts were given, so I don’t think this is an issue..?

The email was a spam email about someone who had viewed me on linkedin recently. From long-pressing to copy the url, the link I believe I clicked was http://mycity.citywork.vn/wp-content/uploads/2020/twisterrt.php

I’ve already run a malwarebytes virus scan from the mobile app on the phone (came up clean) and changed the passwords (from another PC) to all 5 emails that I had linked in the gmail app as well as cleared the app caches and storage.

I was wondering if any experts could let me know what damage could possibly have been done considering the scenario (android device, home network, gmail app, clicked links in possibly malicious spam email causing a page to load, but no further prompts, user input, or changes as far as I was able to see), as well as if possible to investigate the link to determine what it was attempting to do/load.

I’m a fairly technical (and fairly paranoid) person looking for a fairly technical answer in terms of the potential of whether something malicious could have been run/installed on the device and whether a full device wipe is recommended.

Thanks in advance for your help!

Is testing all executables, without considering any other files in the system, enough for deducing whether the system is infected with malware?

I came to know that malicious activities will be carried out only by software (a program), whereas malicious files (data for the software installed in the system) can’t perform malicious activities directly by themselves, but they can be responsible for bringing that malicious software to the system (say, like steganography). Hence that software also must be installed (automatically or manually) before performing its activity.

If this is true, is scanning software for malware before it gets installed (triggered manually or automatically) enough to say that the system is 100% secure (considering that our detector is ideally 100% accurate)?

Is it safe to disable SATA ports in the BIOS to isolate the corresponding hard drives from malware?

I have three SATA hard drives that I use every day. Suppose I disable the corresponding SATA ports of these hard drives through my BIOS, add another storage device to my PC, install another instance of Windows 10 and run unsafe executables on it – would my three SATA hard drives be completely isolated and safe?

As I understand it, unmounted partitions are at risk, but not partitions that I exclude by disabling the corresponding SATA ports.

Is this correct?