Malware


NEWS 
  • DarkSide on Linux: Virtual Machines Targeted

    May 28, 2021

    As we discussed in our previous blog, the DarkSide ransomware is targeting organizations in manufacturing, finance, and critical infrastructures in regions such as the United States, France, Belgium, and Canada. The DarkSide ransomware targets both Windows and Linux platforms. We also noticed that the Linux variant, in particular, targets ESXI servers. In this blog, we focus ...

  • Russian gang behind SolarWinds hack returns with phishing attack disguised as mail from US aid agency

    May 28, 2021

    Nobelium, the Russia-aligned gang identified as the perpetrators of the supply chain attack on SolarWinds’ Orion software, has struck again, Microsoft vice president Tom Burt in a blogpost Thursday. Burt’s post says the attacks saw Nobelium gain access to accounts on the email marketing service “Constant Contact” operated by The United States Agency for International Development ...

  • Evolution of JSWorm ransomware

    May 25, 2021

    Over the past few years, the ransomware threat landscape has been gradually changing. We have been witness to a paradigm shift. From the massive outbreaks of 2017, such as WannaCry, NotPetya, and Bad Rabbit, a lot of ransomware actors have moved to the covert but highly profitable tactic of “big-game hunting”. News of ransomware causing ...

  • Apple Exec Calls Level of Mac Malware ‘Unacceptable’

    May 20, 2021

    Apple is using the growing threat of malware on its Mac platform as a defense in a lawsuit that could force the company to open up new channels of applications for its mobile iOS platform. In testimony in a California court Wednesday, Apple head of software engineering, Craig Federighi called the level of malware threat against ...

  • BazarCall: Call Centers Help Spread BazarLoader Malware

    May 19, 2021

    BazarLoader (sometimes referred to as BazaLoader) is malware that provides backdoor access to an infected Windows host. After a client is infected, criminals use this backdoor access to send follow-up malware, scan the environment and exploit other vulnerable hosts on the network. The threat actor behind BazarLoader uses different methods to distribute this malware to potential ...

  • Bizarro banking Trojan expands its attacks to Europe

    May 17, 2021

    Bizarro is yet another banking Trojan family originating from Brazil that is now found in other regions of the world. We have seen users being targeted in Spain, Portugal, France and Italy. Attempts have now been made to steal credentials from customers of 70 banks from different European and South American countries. Following in the ...

  • Ransomware world in 2021: who, how and why

    May 12, 2021

    As the world marks the second Anti-Ransomware Day, there’s no way to deny it: ransomware has become the buzzword in the security community. And not without good reason. The threat may have been around a long time, but it’s changed. Year after year, the attackers have grown bolder, methodologies have been refined and, of course, ...

  • New ransomware: CISA warns over FiveHands file-encrypting malware variant

    May 12, 2021

    The US Cybersecurity & Infrastructure Security Agency (CISA) has warned organizations to be cautious of a relatively new ransomware variant called FiveHands. FiveHands ransomware has been around since January 2021, but CISA said it was “aware of a recent, successful cyberattack against an organization” using this strain of file-encrypting malware. Read more… Source: ZDNet  

  • New Android malware targeting banks in Italy, Spain, Germany, Belgium, and the Netherlands

    May 11, 2021

    A new Android trojan has been identified by security researchers, who said on Monday that once it is successfully installed in the victim’s device, those behind it can obtain a live stream of the device screen and also interact with it via its Accessibility Services. The malware, dubbed “Teabot” by security researchers with Cleafy, has been ...

  • Operation TunnelSnake

    May 6, 2021

    Formerly unknown rootkit used to secretly control networks of regional organizations Windows rootkits, especially those operating in kernel space, are pieces of malware infamous for their near absolute power in the operating system. Usually deployed as drivers, such implants have high privileges in the system, allowing them to intercept and potentially tamper with core I/O operations ...

  • The UNC2529 Triple Double: A Trifecta Phishing Campaign

    May 4, 2021

    In December 2020, Mandiant observed a widespread, global phishing campaign targeting numerous organizations across an array of industries. Mandiant tracks this threat actor as UNC2529. Based on the considerable infrastructure employed, tailored phishing lures and the professionally coded sophistication of the malware, this threat actor appears experienced and well resourced. This blog post will discuss the ...

  • New Buer Malware Downloader Rewritten in E-Z Rust Language

    May 3, 2021

    A variant of the Buer malware, which is being distributed in emails disguised as DHL support shipping notices, comes with a fresh code rewrite in the popular Rust language and looks like it may be in the process of prepping for rental to other cybercrooks. Using the increasingly popular, efficient and easy-to-use Rust programming language will ...

  • Suspected Chinese state hackers target Russian submarine designer

    April 30, 2021

    Hackers suspected to work for the Chinese government have used a new malware called PortDoor to infiltrate the systems of an engineering company that designs submarines for the Russian Navy. They used a spear-phishing email specifically crafted to lure the general director of the company into opening a malicious document. The threat actor targeted Rubin Central Design ...

  • Babuk quits ransomware encryption, focuses on data-theft extortion

    April 30, 2021

    A new message today from the operators of Babuk ransomware clarifies that the gang has decided to close the affiliate program and move to an extortion model that does not rely on encrypting victim computers. The explanation comes after yesterday the group posted and deleted two announcements about their plan to close the project and release ...

  • A specially crafted update is deleting Emotet botnet malware from infected PCs

    April 26, 2021

    A specially crafted update created by law enforcement has triggered the process of removing the Emotet botnet malware from 1.6 million infected computers around the world. Emotet was thought to be the world’s largest botnet, known for spewing millions of malware-laden spam emails each day. Law enforcement in the US, Canada and Europe conducted a coordinated ...

  • Telegram Platform Abused in ‘ToxicEye’ Malware Campaigns

    April 22, 2021

    Hackers are leveraging the popular Telegram messaging app by embedding its code inside a remote access trojan (RAT) dubbed ToxicEye, new research has found. A victim’s computer infected with the ToxicEye malware is controlled via a hacker-operated Telegram messaging account. The ToxicEye malware can take over file systems, install ransomware and leak data from victim’s PCs, ...

  • Malware and ransomware gangs have found this new way to cover their tracks

    April 22, 2021

    Theres’s been a huge uptick in the proportion of malware using TLS or the Transport Layer Security to communicate without being spotted, cybersecurity firm Sophos reports. While HTTPS helps prevent eavesdropping, man-in-the-middle attacks, and hijackers who try to impersonate a trusted website, the protocol has also offered cover for cybercriminals to privately share information between a ...

  • Novel Email-Based Campaign Targets Bloomberg Clients with RATs

    April 21, 2021

    A new email-based campaign by an emerging threat actor aims to spread various remote access trojans (RATs) to a very specific group of targets who use Bloomberg’s industry-based services. Cisco Talos Intelligence researchers discovered the campaign, dubbing it and its perpetrator “Fajan,” and asserting it is likely the work of one actor from an Arabic-speaking country. Researchers ...

  • IcedID Circulates Via Web Forms, Google URLs

    April 12, 2021

    Website contact forms and Google URLs are being used to spread the IcedID trojan, according to researchers at Microsoft. Attackers are using “contact us” forms on websites to send emails targeting organizations with trumped-up legal threats, researchers said. The messages consistently mention a copyright infringement by a photographer, illustrator or designer, and they contain a link ...

  • Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware

    April 9, 2021

    More than a year after Operation DRBControl, a campaign by a cyberespionage group that targets gambling and betting companies in Southeast Asia, we found evidence that the Iron Tiger threat actor is still interested in the gambling industry. This blog details how Iron Tiger threat actors have updated their toolkit with an updated SysUpdate malware variant ...