This week, the SonicWall Capture Labs threat research team investigated a sample of CoreWarrior malware. This is a persistent trojan that attempts to spread rapidly by creating dozens of copies of itself and reaching out to multiple IP addresses, opening multiple sockets for backdoor access, and hooking Windows UI elements for monitoring. Infection Cycle
The malware is a UPX-packed executable that has been manually tampered with and will not unpack using the standard UPX unpacker.
Read more…
Source: Sonicwall
Related:
- Spyware Disguises as Android Applications on Google Play
January 3, 2019
Trend Micro discovered a spyware (detected as ANDROIDOS_MOBSTSPY) which disguised itself as legitimate Android applications to gather information from users. The applications were available for download on Google Play in 2018, with some recorded to have already been downloaded over 100,000 times by users from all over the world. One of the applications we initially investigated ...
- A Dozen Flaws in Popular Mac Clean-Up Software Allow Local Root Access
January 3, 2019
A passel of privilege-escalation vulnerabilities in MacPaw’s CleanMyMac X software would allow a local attacker to gain root access to an Apple machine in various ways. CleanMyMac X is a cleanup application for MacOS that optimizes the drives and frees up space by scanning for unused, redundant or unnecessary files and deleting them. No fewer than ...
- Adobe Issues Emergency Patches for Two Critical Flaws in Acrobat and Reader
January 3, 2019
Adobe has issued an out-of-band security update to patch two critical vulnerabilities in the company’s Acrobat and Reader for both the Windows and macOS operating systems. Though the San Jose, California-based software company did not give details about the vulnerabilities, it did classify the security flaws as critical since they allow privilege escalation and arbitrary code execution in ...
- Phishing template uses fake fonts to decode content and evade detection
January 3, 2019
Proofpoint researchers recently observed a phishing kit with peculiar encoding utilized in a credential harvesting scheme impersonating a major retail bank. While encoded source code and various obfuscation mechanisms have been well documented in phishing kits, this technique appears to be unique for the time being in its use of web fonts to implement the encoding. When the ...
- Newsmaker Interview: Bruce Schneier on Physical Cyber Threats
January 2, 2019
Bruce Schneier discusses the clash between critical infrastructure and cyber threats. Attacks on physical devices and infrastructure offer a new target for cyber crime, a new opportunity for espionage and even a few front in cyber war. Rather than exploit computers and their applications, the Internet of Things allows malicious actors to go after a whole new ...
- First-Ever UEFI Rootkit Tied to Sednit APT
December 28, 2018
Researchers hunting cyber-espionage group Sednit (an APT also known as Sofacy, Fancy Bear and APT28) say they have discovered the first-ever instance of a rootkit targeting the Windows Unified Extensible Firmware Interface (UEFI) in successful attacks. The discussion of Sednit was part of the 35C3 conference, and a session given by Frédéric Vachon, a malware researcher at ESET who published a technical ...