Malware


NEWS 
  • Hackers are turning to RTF template injections technique to install malware on PCs

    December 2, 2021

    Nation state-backed hacking groups are exploiting a simple but effective new technique to power phishing campaigns for spreading malware and stealing information that’s of interest to their governments. Cybersecurity researchers at Proofpoint say advanced persistent threat (APT) groups working on behalf of Russian, Chinese and Indian interests are using rich text format (RTF) template injections. While the ...

  • Yanluowang: Further Insights on New Ransomware Threat

    November 30, 2021

    Yanluowang, the ransomware recently discovered by Symantec, a division of Broadcom Software, is now being used by a threat actor that has been mounting targeted attacks against U.S. corporations since at least August 2021. The attacker uses a number of tools, tactics, and procedures (TTPs) that were previously linked to Thieflock ransomware attacks, suggesting that ...

  • ScarCruft surveilling North Korean defectors and human rights activists

    November 29, 2021

    The ScarCruft group (also known as APT37 or Temp.Reaper) is a nation-state sponsored APT actor we first reported in 2016. ScarCruft is known to target North Korean defectors, journalists who cover North Korea-related news and government organizations related to the Korean Peninsula, between others. Recently, we were approached by a news organization with a request ...

  • RATDispenser downloader delivers a ‘silent threat’ that wants to steal your passwords

    November 26, 2021

    Cyber criminals are using a new JavaScript downloader to distribute eight different kinds of remote access Trojan (RAT) malware and information-stealing malware in order to gain backdoor control of infected Windows systems, as well as steal usernames, passwords and other sensitive data. The downloader has been detailed by cybersecurity researchers at HP Wolf Security, who’ve called ...

  • BazarLoader Adds Compromised Installers, ISO to Arrival and Delivery Vectors

    November 25, 2021

    We continue monitoring the campaigns using information stealer BazarLoader (detected by Trend Micro as TrojanSpy.Win64.BAZARLOADER, TrojanSpy.Win64.BAZARLOADER, and Backdoor.Win64.BAZARLOADER). While InfoSec forums have noted the spike in detections during the third quarter, we noticed two new arrival mechanisms included in the existing roster of delivery techniques that malicious actors abused for data theft and ransomware. One of ...

  • CronRAT, Linux remote access trojan hides behind the invalid date, February 31.

    November 25, 2021

    Security researchers have discovered a new remote access trojan (RAT) for Linux that keeps an almost invisible profile by hiding in tasks scheduled for execution on a non-existent day, February 31st. Dubbed CronRAT, the malware is currently targeting web stores and enables attackers to steal credit card data by deploying online payment skimmers on Linux servers. Characterized ...

  • Apple sues Israeli spyware firm NSO Group

    November 24, 2021

    Apple is suing Israeli spyware firm NSO Group and its parent company for allegedly targeting iPhone users with a hacking tool. NSO’s Pegasus software can infect both iPhones and Android devices, allowing operators to extract messages, photos and emails, record calls and secretly activate microphones and cameras. NSO Group said its tools were made to target terrorists ...

  • Over nine million Android devices infected by info-stealing trojan

    November 23, 2021

    A large-scale malware campaign on Huawei’s AppGallery has led to approximately 9,300,000 installs of Android trojans masquerading as over 190 different apps. The trojan is detected by Dr.Web as ‘Android.Cynos.7.origin’ and is a modified version of the Cynos malware designed to collect sensitive user data. The discovery and report come from researchers at Dr. Web AV, who ...

  • Emotet botnet comeback orchestrated by Conti ransomware gang

    November 19, 2021

    The Emotet botnet is back by popular demand, resurrected by its former operator, who was convinced by members of the Conti ransomware gang. Security researchers at intelligence company Advanced Intelligence (AdvIntel) believe that restarting the project was driven by the void Emotet itself left behind on the high-quality initial access market after law enforcement took it ...

  • Android malware BrazKing returns as a stealthier banking trojan

    November 18, 2021

    The BrazKing Android banking trojan has returned with dynamic banking overlays and a new implementation trick that enables it to operate without requesting risky permissions. A new malware sample was analyzed by IBM Trusteer researchers who found it outside the Play Store, on sites where people end up after receiving smishing (SMS) messages. These HTTPS sites warn ...

  • FBI: An APT Group Exploiting a 0-day in FatPipe WARP, MPVPN, and IPVPN Software

    November 17, 2021

    As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN® device software1 going back to at least May 2021. The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and ...

  • Emotet, once the world’s most dangerous malware, is back

    November 16, 2021

    Emotet, once described as “the world’s most dangerous malware” before being taken down by a major international police operation, is apparently back – and being installed on Windows systems infected with TrickBot malware. Emotet malware provided its controllers with a backdoor into compromised machines, which could be leased out to other groups, including ransomware gangs, to ...

  • Fake end-to-end encrypted chat app distributes Android spyware

    November 13, 2021

    The GravityRAT remote access trojan is being distributed in the wild again, this time under the guise of an end-to-end encrypted chat application called SoSafe Chat. This particular RAT (remote access trojan) targets predominately Indian users, being distributed by Pakistani actors. The telemetry data on the most recent campaign shows that the targeting scope hasn’t changed, and ...

  • BotenaGo botnet targets millions of IoT devices with 33 exploits

    November 11, 2021

    The new BotenaGo malware botnet has been discovered using over thirty exploits to attack millions of routers and IoT devices. BotenaGo was written in Golang (Go), which has been exploding in popularity in recent years, with malware authors loving it for making payloads that are harder to detect and reverse engineer. In the case of BotenaGo, only ...

  • New PhoneSpy Android Spyware Poses Pegasus-Like Threat

    November 10, 2021

    Researchers discovered new Android spyware that provides similar capabilities to NSO Group’s Pegasus controversial software. Called PhoneSpy, the mobile surveillance-ware has been spotted activity targeting South Koreans without their knowledge. PhoneSpy disguises itself as a legitimate application and gives attackers complete access to data stored on a mobile device and grants full control over the targeted ...

  • Arrests were made, but the Mekotio Trojan lives on

    November 3, 2021

    Despite the arrest of individuals connected with the spread of the Mekotio banking Trojan, the malware continues to be used in new attacks. On Wednesday, Check Point Research (CPR) published an analysis on Mekotio, a modular banking Remote Access Trojan (RAT) that targets victims in Brazil, Chile, Mexico, Spain, and Peru — and is now back ...

  • ‘Trojan Source’ Hides Invisible Bugs in Source Code

    November 1, 2021

    Researchers have found a new way to encode potentially evil source code, such that human reviewers see a harmless version and compilers see the invisible, wicked version. Named “Trojan Source attacks,” the method “exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the ...

  • NOBELIUM targeting delegated administrative privileges to facilitate broader attacks

    October 25, 2021

    The Microsoft Threat Intelligence Center (MSTIC) has detected nation-state activity associated with the threat actor tracked as NOBELIUM, attempting to gain access to downstream customers of multiple cloud service providers (CSP), managed service providers (MSP), and other IT services organizations (referred to as “service providers” for the rest of this blog) that have been granted ...

  • FIN7 Lures Unwitting Security Pros to Carry Out Ransomware Attacks

    October 22, 2021

    The financially motivated cybercrime gang behind the Carbanak backdoor malware, FIN7, has hit upon a genius idea for maximizing profit from ransomware: Hire real pen-testers to do some of their dirty work instead of striking partnerships with other criminals. According to a report from Gemini Advisory, the group has set up a fake security company (called ...

  • TA505 Gang Is Back With Newly Polished FlawedGrace RAT

    October 19, 2021

    The TA505 cybercrime group is whirring its financial rip-off machinery back up, pelting malware at a range of industries in what was initially low-volume waves that researchers saw spiral up late last month. They do bad things, but they’re so tricky that tracking them is a ton of fun, said Sherrod DeGrippo, vice president, Threat Research ...