Cybercrime

May 7, 2020

Focusing on one of the most active subsets of the global threat landscape, Palo Alto Networks Unit 42 tracks Nigerian cyber criminals involved in Business Email Compromise (BEC) activities under the name SilverTerrier. Over the past 90 days (Jan. 30 – Apr. 30), we have observed three SilverTerrier actors/groups launch a series of 10 COVID-19 themed ...

May 6, 2020

A new targeted attack has infected several organizations in Taiwan with a new ransomware family, which we have dubbed ColdLock. This attack is potentially destructive as the ransomware appears to target databases and email servers for encryption. The information we gathered indicates that this attack started hitting organizations in early May. Analysis of the malware points ...

May 6, 2020

Researchers found an open directory containing malicious files, which was first reported in a series of Twitter posts by MalwareHunterTeam. Analyzing some of the files, we found a malicious cryptocurrency miner and Distributed Denial of Service (DDoS) bot that targets open Docker daemon ports. The attack starts with the shell script named mxutzh.sh, which scans for open ports (2375, ...

May 6, 2020

Since the beginning of 2020, due to the COVID-2019 pandemic, life has shifted almost entirely to the Web — people worldwide are now working, studying, shopping, and having fun online like never before. This is reflected in the goals of recent DDoS attacks, with the most targeted resources in Q1 being websites of medical organizations, ...

May 5, 2020

A spam campaign using emails that have Excel file (.xls) attachments (detected by Trend Micro as Trojan.XF.HIDDBOOK.THDBHBO) has been seen circulating and targeting users in Italy and some users in Germany and other countries. The attachment appears blank when opened, but it has a sheet set to “hidden” that attempts to connect to a URL and download a ...

May 5, 2020

Polish and Swiss law enforcement authorities, supported by Europol and Eurojust, dismantled InfinityBlack, a hacking group involved in distributing stolen user credentials, creating and distributing malware and hacking tools, and fraud. On 29 April 2020, the Polish National Police (Policja) searched six locations in five Polish regions and arrested five individuals believed to be members of ...

May 4, 2020

Unit 42 researchers analyzed 1.2 million newly observed hostnames (NOH) containing keywords related to the COVID-19 pandemic from March 9, 2020 to April 26, 2020 (7 weeks). 86,600+ fully qualified domain names are classified as  “high-risk” or “malicious” (C2, malware, or phishing), spread across various regions , as shown in Figure 1. The United States ...

May 1, 2020

Threat actors are using people’s interest in the Department of Labor’s Family and Medical Leave Act (FMLA) to spread what appears to be the TrickBot trojan in a new spam campaign that security researchers discovered recently. Recent analysis from spam honeypots set by IBM X-Force discovered actors targeting email recipients with fake messages that claim to ...

May 1, 2020

A newly discovered variant of the Cerberus Android trojan has been spotted, with vastly expanded and more sophisticated info-harvesting capabilities, and the ability to run TeamViewer. It was spotted by researchers being used in a targeted campaign on a multinational conglomerate. Unusually, the sample propagated through the employee pool via the infected company’s mobile device management ...

April 30, 2020

A cybercrime group operating since mid-2019 has breached the email accounts of high-ranking executives at more than 150 companies, cyber-security firm Group-IB reported today. The group, codenamed PerSwaysion, appears to have targeted the financial sector primarily, which accounted for more than half of its victims; although, victims have been recorded at companies active across other verticals ...