Malware


NEWS 
  • D-Link, IoT Devices Under Attack By Tor-Based Gafgyt Variant

    March 5, 2021

    Researchers have discovered what they say is the first variant of the Gafgyt botnet family to cloak its activity using the Tor network. Gafgyt, a botnet that was uncovered in 2014, has become infamous for launching large-scale distributed denial-of-service (DDoS) attacks. Researchers first discovered activity from the newest variant, which they call Gafgyt_tor, on Feb. 15. In ...

  • New in Ransomware: AlumniLocker, Humble Feature Different Extortion Techniques

    March 4, 2021

    Trend Micro researchers recently discovered two new ransomware variants, AlumniLocker and Humble, which exhibit different sophisticated behaviors and extortion techniques post-encryption. One of these techniques includes an unusually high ransom payment and a threat to publicize victims’ critical data. These new variants prove that ransomware’s targeted and extortion-focused era is alive and well in 2021. Technical analyses AlumniLocker ...

  • Microsoft reveals GoldMax, Sibot and GoldFinder new malware strains used by SolarWinds hackers

    March 4, 2021

    Microsoft has revealed information on newly found malware the SolarWinds hackers deployed on victims’ networks as second-stage payloads. The company now tracks the “sophisticated attacker” who used the Sunburst backdoor and Teardrop malware during the SolarWinds supply-chain attack as Nobelium. Security researchers with the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft 365 Defender Research Team found ...

  • New Sunshuttle Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452

    March 4, 2021

    Mandiant Threat Intelligence discovered a new backdoor uploaded by a U.S.-based entity to a public malware repository in August 2020 that we have named SUNSHUTTLE. SUNSHUTTLE is written in GO, and reads an embedded or local configuration file, communicates with a hard-coded command and control (C2) server over HTTPS, and supports commands including remotely uploading ...

  • Supermicro, Pulse Secure release fixes for ‘TrickBoot’ attacks

    March 4, 2021

    Supermicro and Pulse Secure have released advisories warning that some of their motherboards are vulnerable to the TrickBot malware’s UEFI firmware-infecting module, known as TrickBoot. Last year, cybersecurity firms Advanced Intelligence and Eclypsium released a joint report about a new malicious firmware-targeting ‘TrickBoot’ module delivered by the notorious TrickBot malware. When executed, the module will analyze a ...

  • Ursnif Trojan has targeted over 100 Italian banks

    March 3, 2021

    The Ursnif Trojan has been traced back to attacks against at least 100 banks in Italy. According to Avast, the malware’s operators have a keen interest in Italian targets and attacks against these banking institutions have led to the loss of credentials and financial data. The cybersecurity firm said on Tuesday that at least 100 banks have ...

  • Compromised Website Images Camouflage ObliqueRAT Malware

    March 2, 2021

    The ObliqueRAT malware is now cloaking its payloads as seemingly-innocent image files that are hidden on compromised websites. The remote access trojan (RAT), which has been operating since 2019, spreads via emails, which have malicious Microsoft Office documents attached. Previously, payloads were embedded into the documents themselves. Now, if users click on the attachment, they’re redirected ...

  • Ryuk Ransomware: Now with Worming Self-Propagation

    March 2, 2021

    A new version of the Ryuk ransomware is capable of worm-like self-propagation within a local network, researchers have found. The variant first emerged in Windows-focused campaigns earlier in 2021, according to the French National Agency for the Security of Information Systems (ANSSI). The agency said that it achieves self-replication by scanning for network shares, and then ...

  • Emotet One Month After the Takedown

    March 2, 2021

    2021 got off to a fantastic start for the cybersecurity community with the news that the infamous botnet Emotet had been brought down in a coordinated global operation, “Operation Ladybird.” As the first security vendor to detect and profile the Trojan all the way back in 2014, we’re particularly delighted to be seeing the back of ...

  • Mobile malware evolution 2020

    March 1, 2021

    In their campaigns to infect mobile devices, cybercriminals always resort to social engineering tools, the most common of these passing a malicious application off as another, popular and desirable one. All they need to do is correctly identify the application, or at least, the type of applications, that are currently in demand. Therefore, attackers constantly ...

  • Go malware is now common, having been adopted by both APTs and e-crime groups

    February 26, 2021

    The number of malware strains coded in the Go programming language has seen a sharp increase of around 2,000% over the last few years, since 2017, cybersecurity firm Intezer said in a report published this week. The company’s findings highlight and confirm a general trend in the malware ecosystem, where malware authors have slowly moved away ...

  • Lazarus targets defense industry with ThreatNeedle

    February 25, 2021

    We named Lazarus the most active group of 2020. We’ve observed numerous activities by this notorious APT group targeting various industries. The group has changed target depending on the primary objective. Google TAG has recently published a post about a campaign by Lazarus targeting security researchers. After taking a closer look, we identified the malware ...

  • So Unchill: Melting UNC2198 ICEDID to Ransomware Operations

    February 25, 2021

    Mandiant Advanced Practices (AP) closely tracks the shifting tactics, techniques, and procedures (TTPs) of financially motivated groups who severely disrupt organizations with ransomware. In May 2020, FireEye released a blog post detailing intrusion tradecraft associated with the deployment of MAZE. As of publishing this post, we track 11 distinct groups that have deployed MAZE ransomware. ...

  • APT32 state hackers target human rights defenders with spyware

    February 23, 2021

    Vietnam-backed hacking group APT32 has coordinated several spyware attacks targeting Vietnamese human rights defenders (HRDs) between February 2018 and November 2020. The state hackers also pointed their attacks at a nonprofit (NPO) human rights organization from Vietnam, as Amnesty International’s Security Lab revealed (full report here). The spyware used by the APT32 hackers allowed them to read ...

  • Accellion FTA Zero-Day Attacks Show Ties to Clop Ransomware, FIN11

    February 22, 2021

    Researchers have identified a set of threat actors (dubbed UNC2546 and UNC2582) with connections to the FIN11 and the Clop ransomware gang as the cybercriminal group behind the global zero-day attacks on users of the Accellion legacy File Transfer Appliance product. Multiple Accellion FTA customers, including the Jones Day Law Firm, Kroger and Singtel, have all ...

  • Chinese hackers cloned attack tool belonging to NSA’s Equation Group

    February 22, 2021

    Chinese threat actors “cloned” and used a Windows zero-day exploit stolen from the NSA’s Equation Group for years before the privilege escalation flaw was patched, researchers say. On Monday, Check Point Research (CPR) said the tool was a “clone” of software developed by the US National Security Agency (NSA)’s Equation Group, identified by FireEye in 2015 ...

  • IronNetInjector: Turla’s New Malware Loading Tool

    February 19, 2021

    In recent years, more and more ready-made malware is released on software development hosting sites available for everybody to use – including threat actors. This not only saves the bad guys development time, but also makes it much easier for them to find new ideas to prevent detection of their malware. Unit 42 researchers have found ...

  • Silver Sparrow Malware Found Nesting on 30K Macs

    February 19, 2021

    Hard on the heels of a macOS adware being recompiled to target Apple’s new in-house processor, researchers have discovered a brand-new family of malware targeting the platform. Curiously, in the samples seen so far by analysts at Red Canary, the malware (dubbed Silver Sparrow) has been executing on victim machines with the final payload yet to ...

  • Masslogger Swipes Microsoft Outlook, Google Chrome Credentials

    February 17, 2021

    Cybercriminals are targeting Windows users with a new variant of the Masslogger trojan, which is spyware designed to swipe victims’ credentials from Microsoft Outlook, Google Chrome and various instant-messenger accounts. Researchers uncovered the campaign targeting users in Italy, Latvia and Turkey starting in mid-January. When the Masslogger variant launched its infection chain, it disguised its malicious ...

  • France links Russian Sandworm hackers to hosting provider attacks

    February 15, 2021

    The French national cyber-security agency has linked a series of attacks that resulted in the breach of multiple French IT providers over a span of four years to the Russian-backed Sandworm hacking group. ANSSI (short for Agence Nationale de la Sécurité des Systèmes d’Information) has not been able to determine how the servers were compromised. Therefore, it ...