In a recent incident response case, Kaspersky researchers discovered a new and notable ransomware family in active use by the attackers, which they named “Ymir”.
The artifact has interesting features for evading detection, including a large set of operations performed in memory with the help of the malloc, memmove and memcmp function calls. In the case the researchers analyzed, the attacker was able to gain access to the system via PowerShell remote control commands. After that, the attacker installed multiple tools for malicious actions, such as Process Hacker and Advanced IP Scanner. Eventually, after reducing system security, the adversary ran Ymir to achieve their goals.
Read more…
Source: Kaspersky
Related:
- Attack Uses Docker Containers To Hide, Persist, Plant Malware
July 27, 2017
A novel attack vector allows for adversaries to abuse the Docker API to hide malware on targeted systems, and even execute remote code. The proof of concept attack was developed by researchers at Aqua Security, and the technique was first demonstrated today at Black Hat by Sagie Dulce, senior security researcher, with Aqua Security. The attack works ...
- Critical RCE Vulnerability Found in Cisco WebEx Extensions, Again — Patch Now!
July 17, 2017
A highly critical vulnerability has been discovered in the Cisco Systems’ WebEx browser extension for Chrome and Firefox, for the second time in this year, which could allow attackers to remotely execute malicious code on a victim’s computer. Cisco WebEx is a popular communication tool for online events, including meetings, webinars and video conferences that help ...
- NSA Advocates Data Sharing Framework
June 23, 2017
The economics of cybersecurity are skewed in favor of attackers, who invest once and can launch thousands of attacks with a piece of malware or exploit kit. That’s why Neal Ziring, technical director for the NSA’s Capabilities Directorate, wants to flip the financial equation on bad guys. “We need to conduct defenses in a way that ...