Digging deeper into JAR packages and Java bytecode
Before the Christmas break we announced the inclusion of a tool to further characterize Mac OS X executables and iPhone apps; at the same time we also silently deployed one to dig deeper into JAR packages and Java .class files. VirusTotal has always scanned and produced verdicts for these types of files, as it scans […]

Repackaging HTML5 Apps into Android Malware
Predictably, with the finalization of the HTML5 standard by the World Wide Web Consortium (W3C) last October, there will be a rapid growth of new HTML5 web apps coming out in the near future. Considering the platform-independent characteristic of web apps, we foresee that HTML5 will accelerate the repackaging from web apps to mobile apps for […]

APT43: An investigation into the North Korean group's cybercrime operations
Introduction: As recently reported by our Mandiant colleagues, APT43 is a threat actor believed to be associated with North Korea. APT43's main targets include governmental institutions, research groups, think tanks, business services, and the manufacturing sector, with most victims located in the United States and South Korea. The group uses a variety of techniques and […]

Andariel evolves to target South Korea with ransomware
Executive summary: In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. While we were doing our research into these findings, Malwarebytes published a nice report with technical details about the same series of attacks, which they attributed to […]

XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits
By Mac Threat Response and Mobile Research Team. We have discovered an unusual infection related to Xcode developer projects. Upon further investigation, we discovered that a developer's Xcode project at large contained the source malware, which leads to a rabbit hole of malicious payloads. Most notable in our investigation is the discovery of two zero-day […]

Pig in a poke: smartphone adware
Our support team continues to receive more and more requests from users complaining about intrusive ads on their smartphones from unknown sources. In some cases, the solution is quite simple. In others, the task is far harder: the adware plants itself in the system partition, and trying to get rid of it can lead to […]

New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa
By Ecular Xu and Joseph C. Chen. While tracking Earth Empusa, also known as POISON CARP/Evil Eye, we identified an undocumented Android spyware we have named ActionSpy (detected by Trend Micro as AndroidOS_ActionSpy.HRX). During the first quarter of 2020, we observed Earth Empusa's activity targeting users in Tibet and Turkey before they extended their scope […]

A look at the ATM/PoS malware landscape from 2017-2019
From remote administration and jackpotting, to malware sold on the Darknet, attacks against ATMs have a long and storied history. And, much like other areas of cybercrime, attackers only refine and grow their skillset for infecting ATM systems from year to year. So what does the ATM landscape look like as of 2020? Let's take a look. […]

Dissecting Geost: Exposing the Anatomy of the Android Trojan Targeting Russian Banks
The Android banking trojan Geost was first revealed in research by Sebastian García, Maria Jose Erquiaga and Anna Shirokova from the Stratosphere Laboratory. They detected the trojan by monitoring the HtBot malicious proxy network. The botnet targets Russian banks, with the victim count at over 800,000 users at the time the study was published in […]

Not-so-dear subscribers
Many people have had a run-in with subscriptions to mobile content providers. They appear out of the blue, and get discovered only when account funds run dry. It might seem that the obvious solution is not to visit dubious sites and not to install apps from third-party sources. But, alas, these days such advice is […]

Spam Campaign Abusing SettingContent-ms Found Dropping Same FlawedAmmyy RAT Distributed by Necurs
By Anita Hsieh, Rubio Wu, and Kawabata Kohei. Trend Micro detected a spam campaign that drops the same FlawedAmmyy RAT (remote access Trojan) used by a Necurs module to install its final payload on bots under bank- and POS-related user domains. The spam campaign was also found abusing SettingContent-ms – an XML format shortcut file […]

Post-Tax Season Spam Campaign Delivers URSNIF to North American Taxpayers
By Marshall Chen, Loseway Lu, Kawabata Kohei, and Rubio Wu. Tax season has traditionally been notorious for increased cybercrime activity, as threat actors take advantage of a large number of people rushing to file their taxes. The problem has cost taxpayers billions of dollars — tax fraud amounted to $2.5 billion worth of losses in […]

Necurs Evolves to Evade Spam Detection via Internet Shortcut File
By Miguel Ang. Necurs, a botnet malware that's been around since 2012, has been improved with the hopes of better defeating cybersecurity measures — it was seen to evolve its second layer of infection using a .URL file (with remote script downloaders detected by Trend Micro as MAL_CERBER-JS03D, MAL_NEMUCOD-JS21B, VBS_SCARAB.SMJS02, and MAL_SCARAB-VBS30). Necurs, a modular […]

XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing
We have been detecting a new wave of network attacks since early March, which, for now, are targeting Japan, Korea, China, Taiwan, and Hong Kong. The attacks use Domain Name System (DNS) cache poisoning/DNS spoofing, possibly through infringement techniques such as brute-force or dictionary attacks, to distribute and install malicious Android apps. Trend Micro detects […]

XTRAT and DUNIHI Backdoors Bundled with Adwind in Spam Mails
By Abraham Camba and Janus Agcaoili. We discovered a spam campaign that delivers the notorious cross-platform remote access Trojan (RAT) Adwind a.k.a. jRAT (detected by Trend Micro as JAVA_ADWIND.WIL) alongside another well-known backdoor called XTRAT a.k.a. XtremeRAT (BKDR_XTRAT.SMM). The spam campaign also delivered the info-stealer Loki (TSPY_HPLOKI.SM1). DUNIHI (VBS_DUNIHI.ELDSAVJ), a known VBScript with backdoor and worm […]

More information
- New ransomware with an old trick: “Petya” parties like it’s 1989
- Vade Secure Ordered to Pay $14 Million to Proofpoint in IP Theft Lawsuit
- Vulnerability Has Been Lurking in Avaya Phones for 10 Years
- Facebook HOAX! New algorithm will NOT only show you 26 friends
- IRS stops requiring selfies after facial recognition system is widely panned
- Cybersecurity M&A Roundup: 39 Deals Announced in July 2022
- GraphicsMagick CVE-2019-19951 Heap Buffer Overflow Vulnerability
- How fortified is your SAP against security breaches?
- Podcast: Thomas Rid on Cyberwar, Attribution and the Crypto Debate
- Resolved: UCS Service Degradation