A malware campaign was recently detected in Brazil, distributing a malicious LNK file using WhatsApp. It targets mainly Brazilians and uses Portuguese-named URLs.
To evade detection, the command-and-control (C2) server verifies each download to ensure it originates from the malware itself. The whole infection chain is complex and fully fileless, and by the end, it will deliver a new banking Trojan named Maverick, which contains many code overlaps with Coyote. In this blog post, we detail the entire infection chain, encryption algorithm, and its targets, as well as discuss the similarities with known threats.
Read more…
Source: Kaspersky
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Details of 10.6 million MGM hotel guests posted on a hacking forum
February 19, 2020
The personal details of more than 10.6 million users who stayed at MGM Resorts hotels have been published on a hacking forum this week. Besides details for regular tourists and travelers, included in the leaked files are also personal and contact details for celebrities, tech CEOs, reporters, government officials, and employees at some of the world’s ...
- Assessment of Ransomware Event at U.S. Pipeline Operator
February 19, 2020
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported on 18 February 2020 on a ransomware incident impacting a natural gas compression facility at an unidentified U.S. pipeline operator. The ransomware event impacted both IT and ICS assets by causing loss of view and control impacts that caused the facility to implement controlled shutdown processes ...
- Threat Spotlight: Nuke Ransomware
February 19, 2020
Nuke ransomware, first identified in 2016, encrypts files with an AES 256-bit encryption key that is protected by asymmetrically encrypting it using 2048-bit RSA. Once a file is encrypted, Nuke changes the file name to a combination of random characters followed by a .nuclear55 extension. For example, an infected file name might be “ab0a+afbamcdEcmf.nuclear55”. Once Nuke executes it ...
- SMS Attack Spreads Emotet, Steals Bank Credentials
February 19, 2020
Attackers are sending SMS messages purporting to be from victims’ banks – but once they click on the links in the text messages, they are asked to hand over their banking credentials and download a file that infects their systems with the Emotet malware. Emotet has continued to evolve since its return in September, including a new, ...
- LokiBot Impersonates Popular Game Launcher and Drops Compiled C# Code File
February 14, 2020
LokiBot, which has the ability to harvest sensitive data such as passwords as well as cryptocurrency information, proves that the actors behind it is invested in evolving the threat. In the past, we have seen a campaign that exploits a remote code execution vulnerability to deliver LokiBot using the Windows Installer service, a Lokibot variant that uses ISO ...
- Wireshark Tutorial: Examining Qakbot Infections
February 13, 2020
Qakbot is an information stealer also known as Qbot. This family of malware has been active for years, and Qakbot generates distinct traffic patterns. This Wireshark tutorial reviews a recent packet capture (pcap) from a Qakbot infection. Understanding these traffic patterns can be critical for security professionals when detecting and investigating Qakbot infections. Note: This tutorial assumes you have ...