A malware campaign was recently detected in Brazil, distributing a malicious LNK file using WhatsApp. It targets mainly Brazilians and uses Portuguese-named URLs.
To evade detection, the command-and-control (C2) server verifies each download to ensure it originates from the malware itself. The whole infection chain is complex and fully fileless, and by the end, it will deliver a new banking Trojan named Maverick, which contains many code overlaps with Coyote. In this blog post, we detail the entire infection chain, encryption algorithm, and its targets, as well as discuss the similarities with known threats.
Read more…
Source: Kaspersky
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Dissected: A dropper-as-a-service miscreants pay to push their malware onto potentially 1,000s of victims
September 2, 2021
A dropper-as-a-service, which cyber-crime newbies can use to easily get their malware onto thousands of victims’ PCs, has been dissected and documented this week. A dropper is a program that, when run, executes a payload of malicious code. The dropper is similar to a trojan, and it can sometimes have other functionality, but its main purpose ...
- Scam artists are recruiting English speakers for business email campaigns
September 1, 2021
Native English speakers are being recruited in their droves by criminals trying to make Business Email Compromise (BEC) more effective. BEC schemes can be simple to execute and among the most potentially devastating for a business, alongside threats such as ransomware. A BEC scam will usually start with a phishing email, tailored and customized depending on the ...
- Names and addresses of 110,000 UK gun owners are leaked online by animal rights activists in huge security breach
September 1, 2021
Authorities are investigating a large data breach that could put thousands of Britain’s gun enthusiasts at risk. The names, home addresses and contact details of 111,295 people who own firearms in the UK have been taken and leaked online by animal rights activists. The breach, first reported by The Register website, concerns individuals have used the Guntrader ...
- Cyberattackers are now quietly selling off their victim’s internet bandwidth
August 31, 2021
Cyberattackers are now targeting their victim’s internet connection to quietly generate illicit revenue following a malware infection. On Tuesday, researchers from Cisco Talos said “proxyware” is becoming noticed in the cybercrime ecosystem and, as a result, is being twisted for illegal purposes. Proxyware, also known as internet-sharing applications, are legitimate services that allow users to portion out ...
- LockFile Ransomware Uses Never-Before Seen Encryption to Avoid Detection
August 31, 2021
Researchers discovered a novel ransomware emerging on the heels of the ProxyShell vulnerabilities discovery in Microsoft Exchange servers. The threat, dubbed LockFile, uses a unique “intermittent encryption” method as a way to evade detection as well as adopting tactics from previous ransomware gangs. Discovered by researchers at Sophos, LockFile ransomware encrypts every 16 bytes of a ...
- Cybercriminal sells tool to hide malware in AMD, NVIDIA GPUs
August 31, 2021
Cybercriminals are making strides towards attacks with malware that can execute code from the graphics processing unit (GPU) of a compromised system. While the method is not new and demo code has been published before, projects so far came from the academic world or were incomplete and unrefined. Earlier this month, the proof-of-concept (PoC) was sold on ...