Malware


NEWS 
  • Leaked LockBit 3.0 builder used by ‘Bl00dy’ ransomware gang in attacks

    September 28, 2022

    The relatively new Bl00Dy Ransomware Gang has started to use a recently leaked LockBit ransomware builder in attacks against companies. Last week, the LockBit 3.0 ransomware builder was leaked on Twitter after the LockBit operator had a falling out with his developer. This builder allows anyone to build a fully functional encryptor and decryptor that threat ...

  • New NullMixer dropper infects your PC with a dozen malware families

    September 27, 2022

    A new malware dropper named ‘NullMixer’ is infecting Windows devices with a dozen different malware families simultaneously through fake software cracks promoted on malicious sites in Google Search results. NullMixer acts as an infection funnel, using a single Windows executable to launch a dozen different malware families, leading to over two dozen infections running a single ...

  • Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware

    September 21, 2022

    Trend Micro researchers observed the active exploitation of CVE-2022-26134, an unauthenticated remote code execution (RCE) vulnerability with a critical rating of 9.8 in the collaboration tool Atlassian Confluence. The gap is being abused for malicious cryptocurrency mining. Confluence has already released a security advisory detailing the fixes necessary for all affected products, namely all versions ...

  • Webworm: Espionage Attackers Testing and Using Older Modified RATs

    September 15, 2022

    Symantec, by Broadcom Software, has gained insight into the current activities of a group we call Webworm. The group has developed customized versions of three older remote access Trojans (RATs), including Trochilus, Gh0st RAT, and 9002 RAT. At least one of the indicators of compromise (IOCs) observed by Symantec was used in an attack against ...

  • Self-spreading stealer attacks gamers via YouTube

    September 15, 2022

    An unusual malicious bundle (a collection of malicious programs distributed in the form of a single installation file, self-extracting archive or other file with installer-type functionality) recently caught our eye. Its main payload is the widespread RedLine stealer. Discovered in March 2020, RedLine is currently one of the most common Trojans used to steal passwords ...

  • Shape-shifting cryptominer savaging Linux endpoints and IoT

    September 10, 2022

    AT&T cybersecurity researchers have discovered a sneaky piece of malware targeting Linux endpoints and IoT devices in the hopes of gaining persistent access and turning victims into crypto-mining drones. The malware was dubbed “Shikitega” for its extensive use of the popular Shikata Ga Nai polymorphic encoder, which allows the malware to “mutate” its code to avoid ...

  • SharkBot malware sneaks back on Google Play to steal your logins

    September 4, 2022

    A new and upgraded version of the SharkBot malware has returned to Google’s Play Store, targeting banking logins of Android users through apps that have tens of thousands of installations. The malware was present in two Android apps that did not feature any malicious code when submitted to Google’s automatic review. However, SharkBot is added in an ...

  • Oh no, that James Webb Space Telescope snap might actually contain malware

    September 1, 2022

    Scumbags are using a photo from the James Webb Space Telescope to smuggle Windows malware onto victims’ computers – albeit in a roundabout way. The malicious code, written in Go, is hidden in a .jpeg of the stunning first proper image taken by the recently deployed spacecraft. More specifically, the obfuscated code is Base64-encoded and included in ...

  • ModernLoader delivers multiple stealers, cryptominers and RATs

    August 30, 2022

    Cisco Talos recently observed three separate, but related, campaigns between March and June 2022 delivering a variety of threats, including the ModernLoader bot, RedLine information-stealer and cryptocurrency-mining malware to victims. The actors use PowerShell, .NET assemblies, and HTA and VBS files to spread across a targeted network, eventually dropping other pieces of malware, such as the ...

  • That ‘clean’ Google Translate app is actually Windows crypto-mining malware

    August 30, 2022

    Watch out: someone is spreading cryptocurrency-mining malware disguised as legitimate-looking applications, such as Google Translate, on free software download sites and through Google searches. The cryptomining Trojan, known as Nitrokod, is typically disguised as a clean Windows app and works as the user expects for days or weeks before its hidden Monero-crafting code is executed. It’s said ...

  • Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus

    August 24, 2022

    There have already been reports on code-signed rootkits like Netfilter, FiveSys, and Fire Chili. These rootkits are usually signed with stolen certificates or are falsely validated. However, when a legitimate driver is used as a rootkit, that’s a different story. Such is the case of mhyprot2.sys, a vulnerable anti-cheat driver for the popular role-playing game ...

  • Grandoreiro banking malware targets manufacturers in Spain, Mexico

    August 19, 2022

    The notorious ‘Grandoreiro’ banking trojan was spotted in recent attacks targeting employees of a chemicals manufacturer in Spain and workers of automotive and machinery makers in Mexico. The malware has been active in the wild since at least 2017 and remains one of the most significant threats of its kind for Spanish-speaking users. The recent campaign, spotted ...

  • Switching side jobs: Links between ATMZOW JS-sniffer and Hancitor

    August 17, 2022

    The hacker group ATMZOW and its JavaScript-sniffer became known in 2020, thanks to the Malwarebytes researchers, when the group installed a JS sniffer on a website that was collecting donations for victims of the Australia bushfires. However, based on a specific obfuscation technique used by the group, we can track its activities back to 2015 as ...

  • Malware devs already bypassed Android 13’s new security feature

    August 17, 2022

    Android malware developers are already adjusting their tactics to bypass a new ‘Restricted setting’ security feature introduced by Google in the newly released Android 13. Android 13 was released this week, with the new operating system being rolled out to Google Pixel devices and the source code published on AOSP. As part of this release, Google attempted ...

  • Chinese hackers backdoor chat app with new Linux, macOS malware

    August 12, 2022

    Versions of a cross-platform instant messenger application focused on the Chinese market known as ‘MiMi’ have been trojanized to deliver a new backdoor (dubbed rshell) that can be used to steal data from Linux and macOS systems. SEKOIA’s Threat & Detection Research Team says that the app’s macOS 2.3.0 version has been backdoored for almost four ...

  • New Linux malware brute-forces SSH servers to breach networks

    August 4, 2022

    A new botnet called ‘RapperBot’ is being used in attacks since mid-June 2022, focusing on brute-forcing its way into Linux SSH servers to establish a foothold on the device. The researchers show that RapperBot is based on the Mirai trojan but deviates from the the original malware’s normal behavior, which is uncontrolled propagation to as many ...

  • Examining New DawDropper Banking Dropper and DaaS on the Dark Web

    August 2, 2022

    Malicious actors have been surreptitiously adding a growing number of banking trojans to Google Play Store via malicious droppers this year, proving that such a technique is effective in evading detection. Additionally, because there is a high demand for novel ways to distribute mobile malware, several malicious actors claim that their droppers could help other ...

  • CISA and ACSC Release Top 2021 Malware Strains

    August 2, 2022

    CISA and the Australian Cyber Security Centre (ACSC) have published a joint Cybersecurity Advisory on the top malware strains observed in 2021. Malicious cyber actors often use malware to covertly compromise and then gain access to a computer or mobile device. As malicious cyber actors have been using most of these top malware strains for ...

  • Vietnamese attacker circumvents Facebook security with ‘DUCKTAIL’ malware

    July 27, 2022

    Security vendor WithSecure, which was spun out in March 2022 as F-Secure’s enterprise security arm, claims it’s found malware that targets Facebook Business accounts. “The threat actor targets individuals and employees that may have access to a Facebook Business account with an information-stealer malware,” states WithSecure’s report on the campaign. “The malware is designed to steal browser ...

  • Amadey malware pushed via software cracks in SmokeLoader campaign

    July 24, 2022

    A new version of the Amadey Bot malware is distributed through the SmokeLoader malware, using software cracks and keygen sites as lures. Amadey Bot is a malware strain discovered four years ago, capable of performing system reconnaissance, stealing information, and loading additional payloads. While its distribution has faded after 2020, Korean researchers at AhnLab report that a ...