Malware


NEWS 
  • Agent Tesla Keylogger Gets Data Theft and Targeting Update

    December 15, 2020

    Six-year-old keylogger malware called Agent Tesla has been updated again, this time with expanded targeting and improved data exfiltration features. Agent Tesla first came into the scene in 2014, specializing in keylogging (designed to record keystrokes made by a user in order to exfiltrate data like credentials and more) and data-stealing. Since then keylogger has only ...

  • Using MITRE ATT&CK to Identify an APT Attack

    December 15, 2020

    Security teams and researchers depend on publicly documented analyses of tools, routines, and behaviors to update themselves on the latest findings in the cybersecurity landscape. Published information serves as a reference for the known tactics, techniques, and procedures (TTPs) to install defenses against advance persistent threats (APTs) and prevent attacks that are likely to occur ...

  • Investigating the Gootkit Loader

    December 11, 2020

    Since October 2020, we saw an increase in the number of Gootkit cases targeting users in Germany. We investigated this development and found that the Gootkit loader was now capable of sophisticated behavior that enabled it to surreptitiously load itself onto an affected system and make analysis and detection more difficult. This capability was used to ...

  • MountLocker ransomware gets slimmer, now encrypts fewer files

    December 11, 2020

    MountLocker ransomware received an update recently that cut its size by half but preserves a weakness that could potentially allow learning the random key used to encrypt files. This ransomware operation started in July 2020, and it targets corporate networks. Its operators steal data before encrypting it and threaten victims to leak files unless their multi-million ...

  • Rana Android Malware Updates Allow WhatsApp, Telegram IM Snooping

    December 7, 2020

    Researchers have discovered new samples of a previously discovered Android malware, which is believed to be linked to the APT39 Iranian cyberespionage threat group. The new variant comes with new surveillance capabilities – including the ability to snoop on victims’ Skype, Instagram and WhatsApp instant messages. According to U.S. feds, the developers of this malware are ...

  • The chronicles of Emotet

    December 4, 2020

    More than six years have passed since the banking Trojan Emotet was first detected. During this time it has repeatedly mutated, changed direction, acquired partners, picked up modules, and generally been the cause of high-profile incidents and multimillion-dollar losses. The malware is still in fine fettle, and remains one of the most potent cybersecurity threats ...

  • What did DeathStalker hide between two ferns?

    December 3, 2020

    DeathStalker is a threat actor who has been active starting 2012 at least, and we exposed most of his past activities in a previous article, as well as during a GREAT Ideas conference in August 2020. The actor draught our attention in 2018, because of distinctive attacks characteristics that did not fit the usual cybercrime ...

  • TrickBot’s new module aims to infect your UEFI firmware

    December 3, 2020

    The developers of TrickBot have created a new module that probes for UEFI vulnerabilities, demonstrating the actor’s effort to take attacks at a level that would give them ultimate control over infected machines. With access to UEFI firmware, a threat actor would establish on the compromised machine persistence that resists operating system reinstalls or replacing of ...

  • Turla’s ‘Crutch’ Backdoor Leverages Dropbox in Espionage Attacks

    December 2, 2020

    Researchers have discovered a previously undocumented backdoor and document stealer, which they have linked to the Russian-speaking Turla advanced persistent threat (APT) espionage group. The malware, which researchers call “Crutch,” is able to bypass security measures by abusing legitimate tools – including the file-sharing service Dropbox – in order to hide behind normal network traffic. Researchers ...

  • Malicious npm packages caught installing remote access trojans

    December 1, 2020

    The security team behind the “npm” repository for JavaScript libraries removed two npm packages this Monday for containing malicious code that installed a remote access trojan (RAT) on the computers of developers working on JavaScript projects. The name of the two packages was jdb.js and db-json.js., and both were created by the same author and described ...

  • Gootkit malware returns to life alongside REvil ransomware

    November 30, 2020

    After a year-long vacation, the Gootkit information-stealing Trojan has returned to life alongside REvil Ransomware in a new campaign targeting Germany. The Gootkit Trojan is Javascript-based malware that performs various malicious activities, including remote access for threat actors, keystroke capturing, video recording, email theft, password theft, and the ability to inject malicious scripts to steal online ...

  • Digitally Signed Bandook Trojan Reemerges in Global Spy Campaign

    November 30, 2020

    A wave of targeted cyberattack campaigns bent on espionage is cresting around the globe, using a strain of a 13-year old backdoor trojan named Bandook. According to Check Point Research, Bandook was last spotted being used in 2015 and 2017/2018, in the “Operation Manul” and “Dark Caracal” campaigns, respectively. The malware then all but disappeared from ...

  • Three arrested as INTERPOL, Group-IB and the Nigeria Police Force disrupt prolific cybercrime group

    November 25, 2020

    Three suspects have been arrested in Lagos following a joint INTERPOL, Group-IB and Nigeria Police Force cybercrime investigation. The Nigerian nationals are believed to be members of a wider organized crime group responsible for distributing malware, carrying out phishing campaigns and extensive Business Email Compromise scams. The suspects are alleged to have developed phishing links, domains, ...

  • New Grelos Skimmer Variants Siphon Credit Card Data

    November 20, 2020

    Just as seasonal online shopping kicks into high gear, new variants of the point-of-sale Grelos skimmer malware have been identified. Variants are targeting the payment-card data of online retail shoppers on dozens of compromised websites, researchers warn. The Grelos skimmer malware has been around since 2015, and its original version is associated with what are called ...

  • New Mount Locker Ransomware Version Targeting TurboTax Files

    November 20, 2020

    A new version of the Mount Locker crypto-ransomware strain is specifically targeting victims’ TurboTax files. As reported by Bleeping Computer, Advanced Intel’s Vitali Kremez came across a new Mount Locker sample that specifically sought out files used by the TurboTax tax preparation software. In particular, Kremez observed the sample going after files bearing the “.tax,” “.tax2009,” “.tax2013” ...

  • QBot partners with Egregor ransomware in bot-fueled attacks

    November 20, 2020

    The Qbot banking trojan has dropped the ProLock ransomware in favor of the Egregor ransomware who burst into activity in September. Qbot, otherwise known as QakBot or QuakBot, is Windows malware that steals bank credentials, Windows domain credentials, and provides remote access to threat actors who install ransomware. Victims usually become infected with Qbot through phishing emails ...

  • Egregor Ransomware Attack Hijacks Printers to Spit Out Ransom Notes

    November 19, 2020

    So, you’re a ransomware gang and you want to ensure that you have caught the attention of your latest corporate victim. You could simply drop your ransom note onto the desktop of infected computers, informing the firm that their files have been encrypted. Too dull? You could lock infected PCs and display a ghoulish skull on a bright ...

  • More than 200 systems infected by new Chinese APT ‘FunnyDream’

    November 17, 2020

    A new Chinese state-sponsored hacking group (also known as an APT) has infected more than 200 systems across Southeast Asia with malware over the past two years. The malware infections are part of a widespread cyber-espionage campaign carried out by a group named FunnyDream, according to a new report published today by security firm Bitdefender. The attacks ...

  • Jupyter trojan: Newly discovered malware stealthily steals usernames and passwords

    November 16, 2020

    A newly uncovered trojan malware campaign is targeting businesses and higher education in what appears to be an effort to steal usernames, passwords and other private information as well as creating a persistent backdoor onto compromised systems. Jupyter infostealer has been detailed by cybersecurity company Morphisec who discovered it on the network of an unnamed higher ...

  • New TroubleGrabber Discord malware steals passwords, system info

    November 13, 2020

    TroubleGrabber, a new credential stealer discovered by Netskope security researchers, spreads via Discord attachments and uses Discord webhooks to deliver stolen information to its operators. Several threat actors use the new info stealer to target gamers on Discord servers and to steal their passwords and other sensitive information. Its capabilities are similar to another malware strain dubbed ...