Malware


NEWS 
  • QakBot technical analysis

    September 2, 2021

    QakBot, also known as QBot, QuackBot and Pinkslipbot, is a banking Trojan that has existed for over a decade. It was found in the wild in 2007 and since then it has been continually maintained and developed. In recent years, QakBot has become one of the leading banking Trojans around the globe. Its main purpose is ...

  • Dissected: A dropper-as-a-service miscreants pay to push their malware onto potentially 1,000s of victims

    September 2, 2021

    A dropper-as-a-service, which cyber-crime newbies can use to easily get their malware onto thousands of victims’ PCs, has been dissected and documented this week. A dropper is a program that, when run, executes a payload of malicious code. The dropper is similar to a trojan, and it can sometimes have other functionality, but its main purpose ...

  • LockFile Ransomware Uses Never-Before Seen Encryption to Avoid Detection

    August 31, 2021

    Researchers discovered a novel ransomware emerging on the heels of the ProxyShell vulnerabilities discovery in Microsoft Exchange servers. The threat, dubbed LockFile, uses a unique “intermittent encryption” method as a way to evade detection as well as adopting tactics from previous ransomware gangs. Discovered by researchers at Sophos, LockFile ransomware encrypts every 16 bytes of a ...

  • Cybercriminal sells tool to hide malware in AMD, NVIDIA GPUs

    August 31, 2021

    Cybercriminals are making strides towards attacks with malware that can execute code from the graphics processing unit (GPU) of a compromised system. While the method is not new and demo code has been published before, projects so far came from the academic world or were incomplete and unrefined. Earlier this month, the proof-of-concept (PoC) was sold on ...

  • US Media, Retailers Targeted by New SparklingGoblin APT

    August 25, 2021

    An emerging international cybergang is broadening its targets to include North American media firms, universities and one computer retailer. The advanced persistent threat (APT) group is new, according to researchers who dubbed it SparklingGoblin. Also new is a novel backdoor technique, called SideWalk, used by the APT to penetrate cybersecurity defenses. SparklingGoblin, according to ESET researchers ...

  • Triada Trojan in WhatsApp mod

    August 24, 2021

    WhatsApp users sometimes feel the official app is lacking a useful feature of one sort or another, be it animated themes, self-destructing messages which automatically delete themselves, the option of hiding certain conversations from the main list, automatic translation of messages, or the option of viewing messages that have been deleted by the sender. This ...

  • APT41 Resurfaces as Earth Baku With New Cyberespionage Campaign

    August 24, 2021

    Trend Micro researchers have uncovered a cyberespionage campaign being perpetrated by Earth Baku, an advanced persistent threat (APT) group with a known history of carrying out cyberattacks under the alias APT41. This is not the group’s first foray into cyberespionage, and its long list of past cybercrimes also includes ransomware and cryptocurrency mining attacks. Earth Baku ...

  • IT threat evolution Q2 2021

    August 12, 2021

    It is quite common for Chinese-speaking threat actors to share tools and methodologies: one such example is the infamous “DLL side-loading triad”: a legitimate executable, a malicious DLL to be side-loaded by it and an encoded payload, generally dropped from a self-extracting archive. This was first thought to be a signature of LuckyMouse, but we ...

  • New AdLoad malware variant slips through Apple’s XProtect defenses

    August 11, 2021

    A new AdLoad malware variant is slipping through Apple’s YARA signature-based XProtect built-in antivirus to infect Macs as part of multiple campaigns tracked by cybersecurity firm SentinelOne. AdLoad is a widespread trojan targeting the macOS platform since at least late 2017 and used to deploy various malicious payloads, including adware and Potentially Unwanted Applications (PUAs), Read ...

  • Cinobi Banking Trojan Targets Cryptocurrency Exchange Users via Malvertising

    August 9, 2021

    In a previous blog entry, we reported on a campaign, which we labeled “Operation Overtrap,” that targeted Japan with a new banking trojan called Cinobi. The campaign, which was perpetrated by a group we named “Water Kappa,” delivered Cinobi via spam. It also delivered the trojan using the Bottle exploit kit, which included newer Internet ...

  • Security team finds Crimea manifesto buried in VBA Rat using double attack vectors

    July 29, 2021

    Hossein Jazi and Malwarebytes’ Threat Intelligence team released a report on Thursday highlighting a new threat actor potentially targeting Russian and pro-Russian individuals. The attackers included a manifesto about Crimea, indicating the attack may have been politically motivated. The attacks feature a suspicious document named “Manifest.docx” that uniquely downloads and executes double attack vectors: remote template ...

  • APT trends report Q2 2021

    July 29, 2021

    Investigating the recent Microsoft Exchange vulnerabilities, Kaspersky and their colleagues from AMR found an attacker deploying a previously unknown backdoor, “FourteenHi”, in a campaign that we dubbed ExCone, active since mid-March. During our investigation we revealed multiple tools and variants of FourteenHi, configured with infrastructure that FireEye reported as being related to the UNC2643 activity ...

  • TA456 hackers built an elaborate online profile to fool their targets into downloading malware

    July 28, 2021

    Iranian hackers spent 18 months masquerading as an aerobics instructor in a cyber-espionage campaign designed to infect employees and contractors working in defence and aerospace with malware in order to steal usernames, passwords and other information which could be exploited. Active since at least 2019, the campaign used Facebook, Instagram and emails to pose as the ...

  • ‘Praying Mantis’ threat actor targeting Windows internet-facing servers with malware

    July 27, 2021

    Windows internet-facing servers are being targeted by a new threat actor operating “almost completely in-memory,” according to a new report from the Sygnia Incident Response team. The report said that the advanced and persistent threat actor — which they have named “Praying Mantis” or “TG1021” — mostly used deserialization attacks to load a completely volatile, custom ...

  • Unhacked: 121 Tools Against Ransomware On A Single Website

    July 26, 2021

    In its five years of existence, No More Ransom has helped prevent almost a billion euros from ending up in criminals’ pockets. Working from home, the beach or a café is a reality for many people today. Everything we need is stored in our digital devices, such as personal computers, laptops and mobile phones, which contain ...

  • Malware Makers Using ‘Exotic’ Programming Languages

    July 26, 2021

    Malware authors are increasingly using rarely spotted programming languages such as Go, Rust, Nim and DLang in order to create new tools and to hinder analysis, researchers have found. Use of those four languages is escalating in the number of malware families being identified, according to a report published on Monday by BlackBerry Research and Intelligence ...

  • New PetitPotam attack allows take over of Windows domains

    July 23, 2021

    A new NTLM relay attack called PetitPotam has been discovered that allows threat actors to take over a domain controller, and thus an entire Windows domain. Many organizations utilize Microsoft Active Directory Certificate Services, which is a public key infrastructure (PKI) server that can be used to authenticate users, services, and machines on a Windows domain. Read ...

  • FIN7’s Liquor Lure Compromises Law Firm with Backdoor

    July 23, 2021

    Financial cybercrime gang FIN7 has rebounded after the jailing of some key members, launching a campaign that uses as a lure a legal complaint involving the liquor company that owns Jack Daniels whiskey. The gambit successfully compromised at least one law firm, giving them a shot of the JSSLoader remote-access trojan (RAT), researchers said. According to ...

  • StrongPity APT Group Deploys Android Malware for the First Time

    July 21, 2021

    We recently conducted an investigation into a malicious Android malware sample, which we believe can be attributed to the StrongPity APT group, that was posted on the Syrian e-Gov website. To the best of our knowledge, this is the first time that the group has been publicly observed using malicious Android applications as part of ...

  • Windows 0-Days Used Against Dissidents in Israeli Broker’s Spyware

    July 16, 2021

    A set of unique spyware strains created by an Israeli firm and allegedly used by governments around the world to surveil dissidents has been defanged by Microsoft, the software giant said. The private company, called variously Candiru, Grindavik, Saito Tech and Taveta (and dubbed “Sourgum” by Microsoft), reportedly sells its wares exclusively to governments, according to ...