Malware

September 15, 2021

Citizen Lab has released a report detailing sophisticated iPhone exploits being used against nine Bahraini activists. The activists were reportedly hacked with the NSO Group’s Pegasus spyware using two zero-click iMessage exploits: Kismet, which was identified in 2020; and ForcedEntry, a new vulnerability that was identified in 2021. Zero-click attacks are labeled as sophisticated threats ...

September 10, 2021

A new Android banking trojan named SOVA (“owl” in Russian) is under active development, researchers said, and it has big dreams even in its infancy stage. The malware is looking to incorporate distributed denial of service (DDoS), man in the middle (MiTM) and ransomware functionality into its arsenal – on top of existing banking overlay, ...

September 3, 2021

Malware has increasingly been making use of encryption to help hide their network traffic in recent years. This makes sense especially when one realizes that ordinary network traffic is increasingly encrypted as well. Google’s own Transparency Report notes that HTTPS traffic now makes up the vast majority of network traffic passed via the Google Chrome ...

September 3, 2021

A threat actor has leaked the complete source code for the Babuk ransomware on a Russian-speaking hacking forum. Babuk Locker, also known internally as Babyk, is a ransomware operation launched at the beginning of 2021 when it began targeting businesses to steal and encrypt their data in double-extortion attacks. Read more… Source: Bleeping Computer  

September 2, 2021

QakBot, also known as QBot, QuackBot and Pinkslipbot, is a banking Trojan that has existed for over a decade. It was found in the wild in 2007 and since then it has been continually maintained and developed. In recent years, QakBot has become one of the leading banking Trojans around the globe. Its main purpose is ...

September 2, 2021

A dropper-as-a-service, which cyber-crime newbies can use to easily get their malware onto thousands of victims’ PCs, has been dissected and documented this week. A dropper is a program that, when run, executes a payload of malicious code. The dropper is similar to a trojan, and it can sometimes have other functionality, but its main purpose ...

August 31, 2021

Researchers discovered a novel ransomware emerging on the heels of the ProxyShell vulnerabilities discovery in Microsoft Exchange servers. The threat, dubbed LockFile, uses a unique “intermittent encryption” method as a way to evade detection as well as adopting tactics from previous ransomware gangs. Discovered by researchers at Sophos, LockFile ransomware encrypts every 16 bytes of a ...

August 31, 2021

Cybercriminals are making strides towards attacks with malware that can execute code from the graphics processing unit (GPU) of a compromised system. While the method is not new and demo code has been published before, projects so far came from the academic world or were incomplete and unrefined. Earlier this month, the proof-of-concept (PoC) was sold on ...

August 25, 2021

An emerging international cybergang is broadening its targets to include North American media firms, universities and one computer retailer. The advanced persistent threat (APT) group is new, according to researchers who dubbed it SparklingGoblin. Also new is a novel backdoor technique, called SideWalk, used by the APT to penetrate cybersecurity defenses. SparklingGoblin, according to ESET researchers ...

August 24, 2021

WhatsApp users sometimes feel the official app is lacking a useful feature of one sort or another, be it animated themes, self-destructing messages which automatically delete themselves, the option of hiding certain conversations from the main list, automatic translation of messages, or the option of viewing messages that have been deleted by the sender. This ...

August 24, 2021

Trend Micro researchers have uncovered a cyberespionage campaign being perpetrated by Earth Baku, an advanced persistent threat (APT) group with a known history of carrying out cyberattacks under the alias APT41. This is not the group’s first foray into cyberespionage, and its long list of past cybercrimes also includes ransomware and cryptocurrency mining attacks. Earth Baku ...

August 12, 2021

It is quite common for Chinese-speaking threat actors to share tools and methodologies: one such example is the infamous “DLL side-loading triad”: a legitimate executable, a malicious DLL to be side-loaded by it and an encoded payload, generally dropped from a self-extracting archive. This was first thought to be a signature of LuckyMouse, but we ...

August 11, 2021

A new AdLoad malware variant is slipping through Apple’s YARA signature-based XProtect built-in antivirus to infect Macs as part of multiple campaigns tracked by cybersecurity firm SentinelOne. AdLoad is a widespread trojan targeting the macOS platform since at least since late 2017 and used to deploy various malicious payloads, including adware and Potentially Unwanted Applications (PUAs), Read ...

August 9, 2021

In a previous blog entry, we reported on a campaign, which we labeled “Operation Overtrap,” that targeted Japan with a new banking trojan called Cinobi. The campaign, which was perpetrated by a group we named “Water Kappa,” delivered Cinobi via spam. It also delivered the trojan using the Bottle exploit kit, which included newer Internet ...

July 29, 2021

Hossein Jazi and Malwarebytes’ Threat Intelligence team released a report on Thursday highlighting a new threat actor potentially targeting Russian and pro-Russian individuals. The attackers included a manifesto about Crimea, indicating the attack may have been politically motivated. The attacks feature a suspicious document named “Manifest.docx” that uniquely downloads and executes double attack vectors: remote template ...

July 29, 2021

Investigating the recent Microsoft Exchange vulnerabilities Kaspersky and their colleagues from AMR found an attacker deploying a previously unknown backdoor, “FourteenHi”, in a campaign that we dubbed ExCone, active since mid-March. During our investigation we revealed multiple tools and variants of FourteenHi, configured with infrastructure that FireEye reported as being related to the UNC2643 activity ...

July 28, 2021

Iranian hackers spent 18 months masquerading as an aerobics instructor in a cyber-espionage campaign designed to infect employees and contractors working in defence and aerospace with malware in order to steal usernames, passwords and other information which could be exploited. Active since at least 2019, the campaign used Facebook, Instagram and emails to pose as the ...

July 27, 2021

Windows internet-facing servers are being targeted by a new threat actor operating “almost completely in-memory,” according to a new report from the Sygnia Incident Response team. The report said that the advanced and persistent threat actor — which they have named “Praying Mantis” or “TG1021” — mostly used deserialization attacks to load a completely volatile, custom ...

July 26, 2021

In its five years of existence, No More Ransom has helped prevent almost a billion euros from ending up in criminals’ pockets Working from home, the beach or a café is a reality for many people today. Everything we need is stored in our digital devices, such as personal computers, laptops and mobile phones, which contain ...

July 26, 2021

Malware authors are increasingly using rarely spotted programming languages such as Go, Rust, Nim and DLang in order to create new tools and to hinder analysis, researchers have found. Use of those four languages is escalating in the number of malware families being identified, according to a report published on Monday by BlackBerry Research and Intelligence ...