Saturday, 14 November 2015

Top 5 best Third Party apple watch leather bands and straps

The luxurious Apple Watch leather bands from Apple are simple and the best, but cost about $150. You can now find a wide variety of styles, colors, and clasps for both the 42 mm and 38 mm Apple Watch sizes on the market. So today we round up the 5 best third party Apple Watch leather bands and straps to make your choice easier and save you money. These well-designed bands fit the Apple Watch, Apple Watch Sport and Apple Watch Edition in 38mm/42mm.

1.  Hoco Hermes Apple watch bands
We put the Hoco Hermes Apple Watch bands in first place because they come as a 3-in-1 bundle: the package combines Single Tour, Double Tour and Cuff bands. The leather is really nice and the adapters are well polished.

We have written an article about How to get Hermès look with third party apple watch Hermès bands.


2.  Baseus Modern apple watch leather bands

The Baseus Modern Luxury band is made from quality leather. It is durable, simple in style and features a pure steel buckle. The leather band is available in 3 colors: red, black and khaki. The red one is perfect for girls. You can now personalize your Apple Watch by replacing the original band.

3.  Jisoncase Retro Premium Leather Bands
This Jisoncase wrist band for Apple Watch is made from premium leatherette. Precisely cut holes on the band let it fit most wrists, with a standard length just like Apple's original ones. This band comes in black, brown and red.

4.  Benks Cowhide Leather Strap Replacement Buckle
The Benks cowhide leather strap features a simple design and comes in 2 colors: black and brown. If you are looking for a band that makes your Apple Watch just a little more classic, then you can't miss this one. The bands come with stainless steel attachments and provide a long service life.

5.  Hoco Classic Leather Replacement Strap
This watch band is made from soft genuine leather. Its good looks, coupled with a classic finish, give the Apple Watch an appreciable profile, and the quality of the material makes it very durable.
It's comfortable to wear. Pick up this watch band if you wish to give your Watch a formal look.

All the third party Apple Watch bands listed above fit the Apple Watch, Apple Watch Sport and Apple Watch Edition in 38mm/42mm. So pick your favorite one.

Source from:  Top 5 best Third Party apple watch leather bands and straps

Friday, 13 November 2015

More ransomware shenanigans


Recently, an update of the infamous CryptoWall ransomware (or cryptoware) was released - you can read more about that particular ransomware here: CryptoWall 4.0 released with new Features such as Encrypted File Names

Additionally, another ransomware variant has made a return, read more about that one here:
“Offline” Ransomware Encrypts Your Data without C&C Communication

And let's not forget about this one either: Chimera Ransomware focuses on business computers

Did I mention yet there's ransomware for Linux as well? Have a look at Linux.Encoder.1 while you're at it.

... But wait, there's more! You've guessed it, yet another ransomware variant has returned. I wonder what's going on these days, the (cyber)criminals seem to get even more competitive.

Lawrence Abrams over at Bleeping Computer recently wrote an article about the variant we have here as well, as we have caught an updated variant of Poshcoder or Poshkoder or Power Worm:
Shoddy Programming causes new Ransomware to destroy your Data


Moving on to the infection vector and process:

Swedish lure text: Kan du kontrollera den bifogade filen och låt mig veta vad du tycker? Tack
(Translation: Can you check the attached file and let me know what you think? Thanks)

English lure text: I just got this document, could you please check it and get back to me? Thanks

Email headers indicate:
Received: from techdallas.xyz (45.63.12.192.vultr.com [45.63.12.192])

45.63.12.192 - IPvoid - Whois

IP location: United States (VirusTotal)

Attached is a file called Bilaga.doc or Document.doc. Other variations are possible, depending on the language (in this case either Swedish or English).

Let's see what's inside Bilaga.doc:

Ole10Native is in fact a VBS file

As you can see, there's an ObjectPool present, containing an Ole native file. The ObjectPool contains storages for embedded OLE objects; in this case, it contains a VBS file:


The VBScript uses PowerShell with a number of flags or parameters to download a file to the %TEMP% folder and execute it:
(Note that by default PowerShell's execution policy prevents scripts from running on Windows systems; the flags below are chosen to get around that and to hide the activity from the user.)

  • -WindowStyle hidden: don't display anything to the user (set WindowStyle to hidden)
  • -ExecutionPolicy Bypass: no scripts are blocked, and there are no warnings or prompts
  • -nologo: starts the PowerShell console without displaying the copyright banner
  • -noprofile: tells PowerShell not to load (user) profile scripts
You can find a tad more information on these commands here.
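Detection logic for exactly this flag combination, as an added example that is not part of the original post. It parses constructed Sysmon-style process-creation events (ParentImage, Image, CommandLine fields; the paths and script names in them are invented) and alerts when powershell.exe is spawned by Word or Windows Script Host with -WindowStyle hidden, -ExecutionPolicy Bypass, -nologo or -noprofile, including the abbreviated forms powershell.exe accepts. This is the winword.exe -> wscript.exe -> powershell.exe chain described in this post, seen from the defender's side.

```python
"""Flag PowerShell launched from Office or Windows Script Host with the
evasion flags listed above.

Added example, not code from the original post. The events are constructed
in a Sysmon-style key=value layout (ParentImage, Image, CommandLine); the
paths and script names in them are invented."""
import re

# Parents that should not normally spawn PowerShell on a workstation.
OFFICE_AND_WSH_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                          "wscript.exe", "cscript.exe", "mshta.exe"}

# powershell.exe accepts any abbreviation of a parameter down to the shortest
# unambiguous form: full name -> shortest accepted abbreviation.
SWITCHES = {
    "windowstyle": "w",
    "executionpolicy": "ex",
    "nologo": "nol",
    "noprofile": "nop",
    "noninteractive": "noni",
    "encodedcommand": "e",
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def canonical_switch(token):
    """Map '-ExecutionPolicy', '-ex', '-ep', '/w', ... to the full parameter
    name, or return None when the token is not a known switch."""
    if not token or token[0] not in "-/":
        return None
    key = token[1:].lower()
    if key == "ep":                      # documented alias for -ExecutionPolicy
        return "executionpolicy"
    for full, shortest in SWITCHES.items():
        if full.startswith(key) and len(key) >= len(shortest):
            return full
    return None


def indicators_for(command_line):
    """Return the set of evasion indicators present in a command line."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]
    found = set()
    for i, token in enumerate(tokens):
        switch = canonical_switch(token)
        value = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        if switch == "windowstyle" and value in ("hidden", "1"):
            found.add("hidden_window")          # 1 is the enum value of Hidden
        elif switch == "executionpolicy" and value in ("bypass", "unrestricted"):
            found.add("execution_policy_bypass")
        elif switch == "nologo":
            found.add("nologo")
        elif switch == "noprofile":
            found.add("noprofile")
        elif switch == "encodedcommand":
            found.add("encoded_command")
    return found


def analyze(line):
    """Parse one process-creation event and decide whether to alert."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    image = fields.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = fields.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    found = indicators_for(fields.get("CommandLine", "")) if image == "powershell.exe" else set()
    # Alert on PowerShell spawned by Office/WSH with any evasion flag, or on the
    # hidden-window + policy-bypass combination from any parent.
    alert = image == "powershell.exe" and (
        (parent in OFFICE_AND_WSH_PARENTS and bool(found))
        or {"hidden_window", "execution_policy_bypass"} <= found)
    return {"image": image, "parent": parent, "indicators": sorted(found), "alert": alert}


# Constructed events (invented paths), one per case of interest.
SAMPLE_EVENTS = [
    # the chain from this post: Windows Script Host starting PowerShell
    'ParentImage=C:\\Windows\\System32\\wscript.exe '
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile '
    '-File C:\\Users\\user\\AppData\\Local\\Temp\\EXAMPLE.ps1"',
    # benign administrative use from an interactive session
    'ParentImage=C:\\Windows\\explorer.exe '
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -NoProfile -Command Get-Service"',
    # the same flags abbreviated, launched directly by Word
    'ParentImage="C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE" '
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -w 1 -ep bypass -nop -nol -File C:\\Users\\Public\\EXAMPLE.ps1"',
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        result = analyze(event)
        print("%-5s %s -> %s %s" % ("ALERT" if result["alert"] else "ok",
                                   result["parent"], result["image"], result["indicators"]))
```

Matching on parameter prefixes rather than exact strings matters: powershell.exe treats -w, -win, -ep, -exec, -nop and -nol as the same switches, so a rule that only looks for the spelled-out names is trivially missed.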

But what is the user seeing? Opening the Word document, there's another, clickable 'document':

Clicking the icon, warning message from Word

Decoy message

Then nothing happens, except in the background:

PowerShell download & running the malware

Another PowerShell script (.ps1 file) is being executed, which will start encrypting files with the following extensions:

"*.pdf","*.xls","*.docx","*.xlsx","*.mp3","*.waw","*.jpg","*.jpeg","*.txt","*.rtf","*.doc","*.rar","*.zip","*.psd","*.tif","*.wma","*.gif","*.bmp","*.ppt","*.pptx","*.docm","*.xlsm","*.pps","*.ppsx","*.ppd","*.eps","*.png","*.ace","*.djvu","*.tar","*.cdr","*.max","*.wmv","*.avi","*.wav","*.mp4","*.pdd","*.php","*.aac","*.ac3","*.amf","*.amr","*.dwg","*.dxf","*.accdb","*.mod","*.tax2013","*.tax2014","*.oga","*.ogg","*.pbf","*.ra","*.raw","*.saf","*.val","*.wave","*.wow","*.wpk","*.3g2","*.3gp","*.3gp2","*.3mm","*.amx","*.avs","*.bik","*.dir","*.divx","*.dvx","*.evo","*.flv","*.qtq","*.tch","*.rts","*.rum","*.rv","*.scn","*.srt","*.stx","*.svi","*.swf","*.trp","*.vdo","*.wm","*.wmd","*.wmmp","*.wmx","*.wvx","*.xvid","*.3d","*.3d4","*.3df8","*.pbs","*.adi","*.ais","*.amu","*.arr","*.bmc","*.bmf","*.cag","*.cam","*.dng","*.ink","*.jif","*.jiff","*.jpc","*.jpf","*.jpw","*.mag","*.mic","*.mip","*.msp","*.nav","*.ncd","*.odc","*.odi","*.opf","*.qif","*.xwd","*.abw","*.act","*.adt","*.aim","*.ans","*.asc","*.ase","*.bdp","*.bdr","*.bib","*.boc","*.crd","*.diz","*.dot","*.dotm","*.dotx","*.dvi","*.dxe","*.mlx","*.err","*.euc","*.faq","*.fdr","*.fds","*.gthr","*.idx","*.kwd","*.lp2","*.ltr","*.man","*.mbox","*.msg","*.nfo","*.now","*.odm","*.oft","*.pwi","*.rng","*.rtx","*.run","*.ssa","*.text","*.unx","*.wbk","*.wsh","*.7z","*.arc","*.ari","*.arj","*.car","*.cbr","*.cbz","*.gz","*.gzig","*.jgz","*.pak","*.pcv","*.puz","*.r00","*.r01","*.r02","*.r03","*.rev","*.sdn","*.sen","*.sfs","*.sfx","*.sh","*.shar","*.shr","*.sqx","*.tbz2","*.tg","*.tlz","*.vsi","*.wad","*.war","*.xpi","*.z02","*.z04","*.zap","*.zipx","*.zoo","*.ipa","*.isu","*.jar","*.js","*.udf","*.adr","*.ap","*.aro","*.asa","*.ascx","*.ashx","*.asmx","*.asp","*.indd","*.asr","*.qbb","*.bml","*.cer","*.cms","*.crt","*.dap","*.htm","*.moz","*.svr","*.url","*.wdgt","*.abk","*.bic","*.big","*.blp","*.bsp","*.cgf","*.chk","*.col","*.cty","*.dem","*.elf","*.ff","*.gam","*.grf","*.h3m","*.h4r","*.iwd","*.ldb","*.lgp","*.lvl","*.map","*.md3","*.mdl","*.mm6","*.mm7","*.mm8","*.nds","*.pbp","*.ppf","*.pwf","*.pxp","*.sad","*.sav","*.scm","*.scx","*.sdt","*.spr","*.sud","*.uax","*.umx","*.unr","*.uop","*.usa","*.usx","*.ut2","*.ut3","*.utc","*.utx","*.uvx","*.uxx","*.vmf","*.vtf","*.w3g","*.w3x","*.wtd","*.wtf","*.ccd","*.cd","*.cso","*.disk","*.dmg","*.dvd","*.fcd","*.flp","*.img","*.iso","*.isz","*.md0","*.md1","*.md2","*.mdf","*.mds","*.nrg","*.nri","*.vcd","*.vhd","*.snp","*.bkf","*.ade","*.adpb","*.dic","*.cch","*.ctt","*.dal","*.ddc","*.ddcx","*.dex","*.dif","*.dii","*.itdb","*.itl","*.kmz","*.lcd","*.lcf","*.mbx","*.mdn","*.odf","*.odp","*.ods","*.pab","*.pkb","*.pkh","*.pot","*.potx","*.pptm","*.psa","*.qdf","*.qel","*.rgn","*.rrt","*.rsw","*.rte","*.sdb","*.sdc","*.sds","*.sql","*.stt","*.t01","*.t03","*.t05","*.tcx","*.thmx","*.txd","*.txf","*.upoi","*.vmt","*.wks","*.wmdb","*.xl","*.xlc","*.xlr","*.xlsb","*.xltx","*.ltm","*.xlwx","*.mcd","*.cap","*.cc","*.cod","*.cp","*.cpp","*.cs","*.csi","*.dcp","*.dcu","*.dev","*.dob","*.dox","*.dpk","*.dpl","*.dpr","*.dsk","*.dsp","*.eql","*.ex","*.f90","*.fla","*.for","*.fpp","*.jav","*.java","*.lbi","*.owl","*.pl","*.plc","*.pli","*.pm","*.res","*.rsrc","*.so","*.swd","*.tpu","*.tpx","*.tu","*.tur","*.vc","*.yab","*.8ba","*.8bc","*.8be","*.8bf","*.8bi8","*.bi8","*.8bl","*.8bs","*.8bx","*.8by","*.8li","*.aip","*.amxx","*.ape","*.api","*.mxp","*.oxt","*.qpx","*.qtr","*.xla","*.xlam","*.xll","*.xlv","*.xpt","*.cfg","*.cwf","*.dbb","*.slt","*.bp2","*.bp3","*.bpl","*.clr","*.dbx","*.jc","*.potm","*.ppsm","*.prc","*.prt","*.shw","*.std","*.ver","*.wpl","*.xlm","*.yps","*.md3","*.1cd"

As you can see, it has covered quite a lot of extensions. Nathan Scott from Bleeping Computer provided an image with a great explanation on what the script does:

(Source)

In the version I saw, the PowerShell scripts were slightly different, in fact an 'improved version'.

After encrypting all your files, it will drop an HTML file (named DECRYPT_INSTRUCTION.html) on the root of all your folders which contains the following message:

Ransom message - you may need to pay up to $1000

It generates your #UUID by the following simple PowerShell command:
Get-wmiobject Win32_ComputerSystemProduct UUID

When visiting said Onion (Tor) link:

Unlock message

The difference from the October version is that they now also offer to decrypt one file, as proof that they can actually decrypt all your files again. Unfortunately, the encryption fails horribly (for example, no extension is appended) and your files will be unrecoverable. For more information, see here.
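A detection angle that follows from the two observations above (the long list of targeted extensions, and the fact that this variant rewrites files in place without appending an extension), as an added example that is not part of the original post: because nothing is renamed, a rename- or extension-based indicator sees nothing, so the check below counts how many distinct files with targeted extensions one process rewrites inside a sliding time window. The file-write events are constructed and the process names, pids and paths are invented; only a small subset of the extension list is used.

```python
"""Rate-based detection of bulk file rewriting by one process.

Added example, not code from the original post: the events below are
constructed and the process names, pids and paths are invented. Because this
variant rewrites files in place without appending an extension, a
rename-based check would see nothing; this one counts distinct
target-extension files written per process inside a sliding time window."""
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Small subset of the extension list quoted above.
TARGET_EXTENSIONS = {".pdf", ".xls", ".docx", ".xlsx", ".jpg", ".txt",
                     ".doc", ".zip", ".png", ".sql"}

WINDOW = timedelta(seconds=60)   # sliding window length
THRESHOLD = 20                   # distinct files rewritten inside the window


def is_target(path):
    """True when the file's extension is on the targeted list."""
    return ntpath.splitext(path)[1].lower() in TARGET_EXTENSIONS


def detect_bulk_writes(events, window=WINDOW, threshold=THRESHOLD):
    """events: iterable of (iso_timestamp, pid, image, path) in time order.

    Returns one (pid, image, iso_timestamp) alert per process, raised the
    first time it has rewritten `threshold` distinct target files within
    `window`."""
    recent = defaultdict(deque)   # pid -> deque of (timestamp, path)
    alerted = set()
    alerts = []
    for ts_str, pid, image, path in events:
        if not is_target(path):
            continue
        ts = datetime.fromisoformat(ts_str)
        queue = recent[pid]
        queue.append((ts, path.lower()))
        while queue and ts - queue[0][0] > window:
            queue.popleft()                      # drop writes older than the window
        distinct = {p for _, p in queue}
        if len(distinct) >= threshold and pid not in alerted:
            alerted.add(pid)
            alerts.append((pid, image, ts_str))
    return alerts


def constructed_events():
    """Constructed file-write events: a user saving a handful of documents
    over ten minutes, and a process rewriting 25 pictures in 25 seconds."""
    base = datetime(2015, 11, 13, 9, 30, 0)
    events = []
    for i in range(5):
        ts = (base + timedelta(minutes=2 * i)).isoformat()
        events.append((ts, 1000, "winword.exe",
                       "C:\\Users\\user\\Documents\\report%d.docx" % i))
    for i in range(25):
        ts = (base + timedelta(seconds=i)).isoformat()
        events.append((ts, 4321, "powershell.exe",
                       "C:\\Users\\user\\Pictures\\IMG_%03d.jpg" % i))
    events.sort(key=lambda e: e[0])   # ISO timestamps sort chronologically
    return events


if __name__ == "__main__":
    for pid, image, ts in detect_bulk_writes(constructed_events()):
        print("ALERT %s: pid %d (%s) rewrote %d+ target files within %ds"
              % (ts, pid, image, THRESHOLD, WINDOW.seconds))
```

The threshold and window are the tuning knobs: a user saving documents or a backup agent reading files will not trip 20 distinct rewrites in a minute, while an encryptor walking the directory tree does so within seconds of starting.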



Prevention

  • Don't open attachments from unknown senders - ever.
  • Install an antivirus and keep it up-to-date and running. Enable the option to scan Compressed Files. 
  • Consider disabling Windows Script Host. You can use my tool, Rem-VBSworm with option D for example.
  • Alternatively, you can install Analog X's Script Defender, which will block these scripts (JS, VBS, ...) as well.
  • Consider disabling PowerShell if you don't need or use it. There are two possible options:
    Note that if you have a company laptop, you should check with your network administrator first.
  • Improve security for your Microsoft Office package. (Word, Excel, ...)
    This means disabling ActiveX, disabling macros and blocking external content. Useful links:
    Enable or disable ActiveX controls in Office documents
    Enable or disable macros in Office documents
    Block or unblock external content in Office documents
  • As with all ransomware cases: take backups!

Some time ago, I did a Q&A on ransomware, which also included several general tips on how to prevent (ransomware and other) malware. You can find and read those tips here.

Disinfection
  • Identify and kill malicious processes (use Task Manager for example). In this specific case:
    winword.exe, wscript.exe, powershell.exe
  • Run a full scan with your installed antivirus product.
  • Run a full scan with another antivirus and/or antimalware product.
  • In a company: unplug your network cable & warn your network administrator immediately!

Conclusion

Ransomware is far from dead (that is, encrypting ransomware or cryptoware, the "old" ransomware isn't very much around anymore), thus it's important to take preventive measures as outlined above.

You may find IOCs (Indicators Of Compromise) as usual on AlienVault's OTX.

Resources

Microsoft - ObjectPool Storage

Acknowledgments

Thanks to my colleague Ville from Panda Security Sweden for alerting me about this incident and Lawrence & Nathan over at Bleeping Computer for their already available information.

Naev, Valyria Tear, Wyrmsun, ReTux

Wyrmsun 1.6.0 was recently released (announcement on our forums and on Steam). Wyrmsun is inspired by the original Warcraft games, and many reviewers on Steam compare it to Warcraft II. The project continues at a steady development pace, which is always a good sign, so I encourage RTS fans to try it out.

Wyrmsun

Naev 0.6.1 has been released. After a long period without releases until release 0.6.0 appeared in March, this follow up release indicates a return to regular progress for the project. Naev is a 2D space trading and combat game.


I couldn't find a more recent video but here's a bit of a development log of some features for the 0.6.0 release.

Speaking of resurgent projects, Valyria Tear has some news.
The most noticeable change is that a few days ago I killed a very nasty bug that had been there from the beginning, making the Lua threads never get freed from memory. This means the game won't end up swallowing gigs of memory for nothing anymore and crashing due to some memory overflow.
Well that does sound like a bit of a killjoy, so good to see it fixed. Other changes are in the blog post.

Onto more things slightly more dubiously open source in nature...

ReTux 0.2 has been released. ReTux is a new Super Tux inspired game. It is a completely rewritten (in Python) codebase, although it uses many of the assets from the original Super Tux, so naturally people will mistake the two despite the significant differences. I already covered the IndieGoGo campaign in a previous article.

ReTux
I'm not really on board with the way the developer Onpon4 is now soliciting $20 for access to the code. I think he's both hurting himself by limiting exposure of the game (you need a password to access the downloads) as well as asking for a fairly significant sum in an age where AAA games are of a similar price a year after release (and regularly on offer, as any Humble Bundle or Steam user will know).

I would say he should just get it on Steam, sell it there, and be open source outside of that. Perhaps have additional levels in the Steam version but accept that charging for the source code is as pointless as it is ineffective.

Thursday, 12 November 2015

GameGuardian v8.0.0 APK

GameGuardian
Without it, you are played by games; with it, you play games by your own rules!
“Game Guardian” is a game hack/alteration tool. With it, you can modify money, HP, SP, and much more. You can enjoy the fun part of a game without suffering from its unreasonable design.
Main Features
  • Search game value with precise number.
  • Search game value with vague instructions, e.g. larger or smaller.
  • Lock the game value to a fixed number.
  • Save/Load the managed list.
  • Touch Guardian sprite to bring up the tool during gaming.
  • Change game speed.
  • Runs on ARM and x86 devices, including x86 emulators (BlueStacks, Droid4X, Genymotion etc.)
  • Supports Android 2.3.3+ (Gingerbread) through Android M.
  • Game deceleration and acceleration (ARM devices only)
  • Explicit and “fuzzy” numeric searches
  • Supports: Dword, Float, XOR, Word, Byte, or Auto data-type searches
  • Modify all search results at once
  • Filtering of search results (address greater than and less than, value greater than and less than)
  • App locale for over 90 languages
What’s New in Version 8.0.0
Major changes:
  • Rewritten search engine.
  • Rewritten storage engine.
Minor changes:
  • Improved root detection.
  • Tons of bug fixes.
  • Updated translations.
  • Better avoiding of detection.
  • Allowed search for 0 or -1 as first search.
  • Improved in-app text (i.e. front page text description).
How To Use GameGuardian?
  1. Make sure Game Guardian is running (doggy icon will be translucent on screen)
  2. Open game and find value you want to change (cash, HP etc)
  3. Press icon, search tab and press search and enter the number
  4. Go back to the game and change the value in some way (gain money etc)
  5. Go back to GG and search again for the new value and your results will be narrowed down
  6. If needed, repeat steps 4 and 5 until down to very few results.
  7. Long-press on value and enter the desired value. Go back to app and the value will be changed!:)
Screenshots
Requires
  • Android: 2.2 and up
  • ** ROOT ONLY **
  • This tool only works in rooted devices!!
Downloads

Tuesday, 10 November 2015

A quick look at a signed spam campaign


I noticed the following tweet pass by on Twitter:

The mail received is as follows:

Spam but digitally signed

As Robert correctly notes, since the mail is digitally signed, it may entice people more to open the attachment and get infected. In case you're wondering, the key id of the certificate is as follows:
FE:22:B7:24:E3:4F:27:D9:05:E0:CC:B8:BD:DE:F4:8D:23:FD:2F:D9 (copy of cert on Pastebin)
Issuer: C=IT, O=DigitPA, OU=Ufficio interoperabilita' e cooperazione, CN=DigitPA CA1

Signature details. S/MIME message format

Both first and second mail are coming from: 175.156.221.127 - IPvoid - Whois (DomainTools)

IP location: Singapore (VirusTotal)

On to the attachment (the .xml file is harmless):

"recalculation.zip" attached

Hello
This recalculation of payments for the last month.
I remind you of your debt 3148,48 AUD.
Please pay as soon as possible.

The ZIP file contains 2 files: recalculation_77979.pdf.js & info_9455.txt. The TXT file just contains the name of the first file, which tries to hide as a PDF file but is in fact JavaScript (JS).
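A mail-gateway style check for exactly this trick, as an added example that is not part of the original post: it opens a ZIP attachment and reports every member whose final extension Windows would run as a script or program, noting when a document extension (.pdf, .doc, ...) has been placed in front of it as a disguise. The sample archive is constructed in memory with the two member names from this post; the member contents are placeholders, not the real script.

```python
"""Inspect a ZIP attachment for members whose final extension Windows will
execute, optionally disguised with a document extension in front of it.

Added example, not code from the original post; the sample archive is
constructed here in memory and the member contents are placeholders."""
import io
import zipfile

# Final extensions that Windows runs via WSH or as programs on double-click.
EXECUTABLE_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                         ".exe", ".scr", ".bat", ".cmd", ".ps1", ".hta"}
# Extensions commonly placed in front of them as a disguise.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt",
                       ".jpg", ".png"}


def classify_member(name):
    """Return a finding dict for an executable member, else None."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return None                       # no extension at all
    final = "." + parts[-1]
    if final not in EXECUTABLE_EXTENSIONS:
        return None
    disguise = None
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
        disguise = "." + parts[-2]        # e.g. ".pdf" in "name.pdf.js"
    return {"member": name, "executable_type": final, "disguised_as": disguise}


def inspect_zip(data):
    """Return findings for every executable member in the archive bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.filename.endswith("/"):
                continue                  # directory entry
            finding = classify_member(info.filename)
            if finding:
                findings.append(finding)
    return findings


def constructed_sample():
    """The layout described above: names from the post, placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("recalculation_77979.pdf.js", "// placeholder body\n")
        archive.writestr("info_9455.txt", "recalculation_77979.pdf.js\n")
    return buf.getvalue()


def constructed_benign():
    """A constructed archive holding only a (placeholder) PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("recalculation.pdf", "%PDF-1.4 placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(constructed_sample()):
        print("%(member)s: %(executable_type)s script disguised as %(disguised_as)s" % finding)
```

The check keys on the last extension because that is what Windows uses to pick a handler; with the default "hide extensions for known file types" setting, recalculation_77979.pdf.js is shown to the user as recalculation_77979.pdf, which is the whole point of the double extension.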

Part of the JavaScript

You can find the original JavaScript on Pastebin. You can also find the decoded base64 here and the final obtained JavaScript here. In the final JavaScript, you'll see it downloads a file and renames it to a random filename, then executes it:

Download

Run

It fetches a file from: 203.255.186.156 - IPvoid - Whois (DomainTools)
IP location: Korea (VirusTotal)

The eventual payload may be Andromeda/Gamarue, which will make your machine part of a botnet. Some information on the dropped DLL file (this is all static analysis):

Meta-data
==================================================================
File:    28236726.dll
Size:    495630 bytes
Type:    PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5:     934df5b173790da14ef3a817ec1fc422
SHA1:    e90b6e45f255350d0fd4cba361a09ad5d8271af1
ssdeep:  12288:GysxmAb/DC7BfWLc9ivHsegWDhNSKDWrV5rJfT:jo768wAAExDoPr9
Date:    0x429CE7C3 [Tue May 31 22:40:03 2005 UTC]
EP:      0x1000bddb .text 0/5
CRC:     Claimed: 0x0, Actual: 0x83498 [SUSPICIOUS]
Packers: Armadillo v1.xx - v2.xx

Functions in our DLL file

You may also find the file on VirusTotal, SHA1 hash: e90b6e45f255350d0fd4cba361a09ad5d8271af1


There's also an analysis available by Reverse.it (Hybrid Analysis) on Windows 7 32bit & Windows 7 64bit. Feel free to perform any additional research on it, let me know if you find something interesting or should you find out exactly which kind of malware this is.

Just as a note, while all that is happening in the background, a decoy PDF file gets opened as well, as to not raise suspicion:

Decoy PDF document (not malicious)

Prevention

For administrators:
  • Sender's end: Create an SPF record, as to prevent sender address forgery. More on SPF here.
  • Receiver's end: Turn on SPF checking on your mailserver.
  • If possible, turn on full support for DMARC. More on DMARC here.
  • Check that only your mailserver may access the WAN (or RED) on port 25. Configure this in your firewall.
  • Check that you use strong passwords for your Domain Controller server(s). 
  • Check that antivirus is installed, up-to-date and running on all workstations. (if applicable)
  • If not needed, you can disable Windows Script Host (WSH), as it's needed for JavaScript to run locally. Read how to do that here.
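The SPF items above, worked through as an added example that is not part of the original post: the function evaluates a sender domain's SPF policy against the connecting IP the way a receiving mail server does, and a small helper pulls that IP out of a Received: header of the shape quoted in the ransomware post above. The TXT records are constructed for the reserved example domains and no DNS is queried; ip4, ip6, include and all are implemented, while a, mx, ptr and exists (which need live lookups) are skipped.

```python
"""Offline SPF evaluation for a connecting IP and a sender domain.

Added example, not code from the original post. The TXT records below are
constructed for reserved example domains and no DNS is queried; the ip4,
ip6, include and all mechanisms are evaluated, while a, mx, ptr and exists
(which need live DNS) are skipped."""
import ipaddress
import re

# Constructed stand-in for DNS TXT lookups.
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # RFC 7208 caps DNS-querying mechanisms at 10


def check_spf(sender_ip, domain, records, depth=0):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = records.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                       # no policy published
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                     # a bare mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"          # malformed record
            matched = ip.version == net.version and ip in net
        elif name == "include":
            inner = check_spf(sender_ip, arg, records, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"          # including a missing record is an error
            matched = inner == "pass"
        else:
            continue                        # a, mx, ptr, exists, redirect=, exp=: need DNS
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                        # nothing matched and no 'all' term


def received_client_ip(received_header):
    """Extract the bracketed client IP from a Received: header of the form
    'Received: from host (reverse-dns [192.0.2.55])'."""
    match = re.search(r"\[([0-9A-Fa-f.:]+)\]", received_header)
    return match.group(1) if match else None


if __name__ == "__main__":
    # Constructed header in the same shape as the one quoted earlier on this page.
    header = "Received: from mail.example.com (mail.example.com [203.0.113.7])"
    ip = received_client_ip(header)
    print(ip, "claiming example.com ->", check_spf(ip, "example.com", RECORDS))
```

The sender's end publishes the record (the first bullet); the receiver's end runs this evaluation on the envelope sender (the second bullet), and DMARC then decides what to do with a fail and aligns the result with the From: header the user actually sees.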

For endusers:
  • Don't open attachments from unknown senders - ever.
  • Install an antivirus and keep it up-to-date and running. Enable the option to scan Compressed Files. 
  • Preferably, see that your antivirus has a firewall as well, to prevent unauthorised access.
  • Consider disabling Windows Script Host. You can use my tool, Rem-VBSworm with option D for example.
  • Alternatively, you can install Analog X's Script Defender, which will block these scripts (JS, VBS, ...) as well.
Some time ago, I did a Q&A on ransomware, which also included several general tips on how to prevent (ransomware and other) malware. You can find and read those tips here.

Disinfection

As usual:
  • Look for suspicious Run keys (find locations here) and delete the associated file(s).
    In our case, all files were dropped in the %TEMP% folder. Also, don't forget to look for rundll32.exe processes, as the payload was a DLL file. More information on rundll32 here.
  • Run a full scan with your installed antivirus product.
  • Run a full scan with another antivirus and/or antimalware product.
  • In a company: warn your network administrator immediately!

Conclusion

Now how was that mail sent out? There's no sure way of telling - it's possible the company is compromised (by either malware or an attacker), there's no SPF record, the certificate has been stolen (unlikely but not impossible), ... Most likely, a machine is infected by a spambot.

Note that with PEC (Posta Elettronica Certificata), a user can send a signed message even when the mailserver is not compromised: with PEC the server signs a message to vouch for its timestamp and sender, not its content. More on PEC here (ITA) or here (EN). See also points 2 and 4 in the Prevention tips above.

I've contacted all related parties and hoping I'll get a reply soon, or at the very least they will perform some analysis and cleaning.

Follow the prevention tips above to stay safe. If you're looking for Indicators of Compromise (IOCs), they can be found as usual on AlienVault's OTX.