Malware

December 8, 2022

“Dosen’t matter how long you wait for the bus on a rainy day, X seconds was enough to get wet?” Just to clarify, the above subheading isn’t a normal quote, but a message that Janicab malware attempted to decode in its newest use of YouTube dead-drop resolvers (DDRs). While hunting for less common Deathstalker intrusions that use ...

December 5, 2022

Compromised Android platform certificate keys from device makers including Samsung, LG and Mediatek are being used to sign malware and deploy spyware, among other software nasties. Googler Łukasz Siewierski found and reported the security issue and it’s a doozy that allows malicious applications signed with one of the compromised certificates to gain the same level of ...

December 5, 2022

If one sheep leaps over the ditch, the rest will follow. This is an old saying, found in various languages, and it can be applied to ransomware developers. In previous blog posts, Kaspersky researchers highlighted an increase in the popularity of platform-independent languages and ESXi support, and recently, Kaspersky published a research about ransomware borrowing ...

December 4, 2022

A new set of Android malware, phishing, and adware apps have infiltrated the Google Play store, tricking over two million people into installing them. The apps were discovered by Dr. Web antivirus and pretend to be useful utilities and system optimizers but, in reality, are the sources of performance hiccups, ads, and user experience degradation. One app ...

November 29, 2022

Malware-slinging miscreants are taking advantage of a trending TikTok challenge — and viewers’ dirty minds — to spread data-stealing malware via a phony app that’s had more than one million views so far. The new TikTok trend is called Invisible Challenge, and it involves a person filming themself naked while using an effect called Invisible Body ...

November 28, 2022

Mandiant Managed Defense recently identified cyber espionage activity that heavily leverages USB devices as an initial infection vector and concentrates on the Philippines. Mandiant tracks this activity as UNC4191 and we assess it has a China nexus. UNC4191 operations have affected a range of public and private sector entities primarily in Southeast Asia and extending to ...

November 17, 2022

Since their first blog post in February of 2020 on the remote access tool (RAT) known as LodaRAT (or Loda), Cisco Talos has monitored its activity and covered their findings in subsequent blog posts. As a continuation of this series, this blog post details new variants and new behavior Cisco Talos researchers have observed while monitoring ...

November 16, 2022

Today, malware spreads easily, infecting computers of various users. Commonly found on filesharing websites, they disguise themselves as normal applications. Users are then enticed to download them to save money on those programs. However, users risk their security in doing so. Free apps that are infected by a trojan will also affect users who download ...

November 15, 2022

State-sponsored actors compromised a digital certificate authority in an Asian country during a campaign in which multiple government agencies were also targeted. Symantec, by Broadcom Software, was able to link this activity to a group we track as Billbug due to the use in this campaign of tools previously attributed to this group. Billbug (aka Lotus ...

November 15, 2022

DTrack is a backdoor used by the Lazarus group. Initially discovered in 2019, the backdoor remains in use three years later. It is used by the Lazarus group against a wide variety of targets. For example, Kaspersky researchers seen it being used in financial environments where ATMs were breached, in attacks on a nuclear power ...

November 15, 2022

Google has removed a series of apps downloaded by over a million Android users from the Google Play Store that infected smartphones with malware and bombarded devices with malicious pop-up ads. The malware has been detailed by cybersecurity researchers at Malwarebytes. The apps were still available to download for a number of days after the research ...

November 10, 2022

A ongoing phishing campaign has infected thousands of home and corporate users with a new version of the ‘IceXLoader’ malware. The authors of IceXLoader, a malware loader first spotted in the wild this summer, have released version 3.3.3, enhancing the tool’s functionality and introducing a multi-stage delivery chain. The discovery of the Nim-based malware came in June ...

November 8, 2022

A new Chrome browser botnet named ‘Cloud9’ has been discovered in the wild using malicious extensions to steal online accounts, log keystrokes, inject ads and malicious JS code, and enlist the victim’s browser in DDoS attacks. The Cloud9 browser botnet is effectively a remote access trojan (RAT) for the Chromium web browser, including Google Chrome and ...

November 7, 2022

Trend Micro researchers observed an uptick in attacks targeting bank customers in India, the common entry point being a text message with a phishing link. The SMS content urges the victims to open the embedded phishing link or malicious app download page and follow the instructions: To fill in their personally identifiable information (PII) and ...

November 7, 2022

The Azov Ransomware continues to be heavily distributed worldwide, now proven to be a data wiper that intentionally destroys victims’ data and infects other programs. Last month, a threat actor began distributing malware called ‘Azov Ransomware’ through cracks and pirated software that pretended to encrypt victims’ files. However, instead of providing contact info to negotiate a ransom, ...

October 31, 2022

Kaspersky has been tracking activities involving the LODEINFO malware family since 2019, looking for new modifications and thoroughly investigating any attacks utilizing those new variants. LODEINFO is sophisticated fileless malware first named in a blogpost from JPCERT/CC in February 2020. The malware was regularly modified and upgraded by the developers to target media, diplomatic, governmental and ...

October 31, 2022

While advanced persistent threats get the most breathless coverage in the news, many threat actors have money on their mind rather than espionage. You can learn a lot about the innovations used by these financially motivated groups by watching banking Trojans. Because attackers constantly create new techniques to evade detection and perform malicious acts, studying monetarily ...

October 30, 2022

A new and destructive ‘Azov Ransomware’ data wiper is being heavily distributed through pirated software, key generators, and adware bundles, trying to frame well-known security researchers by claiming they are behind the attack. The Azov Ransomware falsely claims to have been created by a well-known security researcher named Hasherazade and lists other researchers, myself, and BleepingComputer, ...

October 28, 2022

Symantec, by Broadcom Software, has discovered a previously undocumented dropper that is being used to install a new backdoor and other tools using the novel technique of reading commands from seemingly innocuous Internet Information Services (IIS) logs. The dropper (Trojan.Geppei) is being used by an actor Symantec calls Cranefly (aka UNC3524), to install another piece of ...

October 28, 2022

Unit 42 researchers recently discovered a Guloader variant that contains a shellcode payload protected by anti-analysis techniques, which are meant to slow human analysts and sandboxes processing this sample. To help speed analysis for this sample and others like it, we are providing a complete Python script to deobfuscate the Guloader sample that is available ...