Spam and phishing in Q3 2018
Quarterly highlights
Personal data in spam
We have often said that personal data is candy on a stick to fraudsters and must be kept safe (that is, not given out on dubious websites). It can be used to gain access to accounts and in targeted attacks and ransomware campaigns. In Q3, we registered a surge […]

Same Old yet Brand-new: New File Types Emerge in Malware Spam Attachments
By Miguel Ang and Donald Castillo
As cybersecurity defenses continue to improve, cybercriminals have learned to become more creative with malware. We recently encountered threats being packaged inside old yet rarely used file types in spam campaigns. Spam continues to be a cybercriminal favorite – this old-school infection vector makes up more than 48 percent […]

CVE-2018-3211: Java Usage Tracker Local Elevation of Privilege on Windows
We found a design flaw/weakness in Java Usage Tracker that can enable hackers to create arbitrary files, inject attacker-specified parameters, and elevate local privileges. In turn, these can be chained and used to escalate privileges in order to access resources in affected systems that are normally protected or restricted to other applications or users. We’ve worked […]

A Closer Look at the Locky Poser, PyLocky Ransomware
by Ian Kenefick (Threats Analyst)
While ransomware has noticeably plateaued in today’s threat landscape, it’s still a cybercriminal staple. In fact, it saw a slight increase in activity in the first half of 2018, keeping pace by being fine-tuned to evade security solutions, or in the case of PyLocky (detected by Trend Micro as RANSOM_PYLOCKY.A), […]

Microsoft Cortana Allows Browser Navigation Without Login: CVE-2018-8253
A locked Windows 10 device with Cortana enabled on the lock screen allows an attacker with physical access to the device to do two kinds of unauthorized browsing. In the first case, the attacker can force Microsoft Edge to navigate to an attacker-controlled URL; in the second, the attacker can use a limited version of […]

New Underminer Exploit Kit Delivers Bootkit and Cryptocurrency-mining Malware with Encrypted TCP Tunnel
by Jaromir Horejsi and Joseph C. Chen
We discovered a new exploit kit we named Underminer that employs capabilities used by other exploit kits to deter researchers from tracking its activity or reverse engineering the payloads. Underminer delivers a bootkit that infects the system’s boot sectors as well as a cryptocurrency-mining malware named Hidden Mellifera. […]

FakeSpy Android Information-Stealing Malware Targets Japanese and Korean-Speaking Users
Spoofing legitimate mobile applications is a common cybercriminal modus that banks on their popularity and relies on their users’ trust to steal information or deliver payloads. Cybercriminals typically use third-party app marketplaces to distribute their malicious apps, but in operations such as the ones that distributed CPUMINER, BankBot, and MilkyDoor, they would try to get […]

SynAck targeted ransomware uses the Doppelgänging technique
The Process Doppelgänging technique was first presented in December 2017 at the BlackHat conference. Since the presentation several threat actors have started using this sophisticated technique in an attempt to bypass modern security solutions. In April 2018, we spotted the first ransomware employing this bypass technique – SynAck ransomware. It should be noted that SynAck […]

Cryptocurrency-Mining Malware Targeting IoT, Being Offered in the Underground
Cryptocurrencies have been generating much buzz of late. While some governments are at work to regulate transactions involving them, there are others that want to stop mining activities related to them altogether. We have noted that cybercriminals have been actively engaged in cryptocurrency-mining malware activities, ranging from those that exploit consumer hardware graphics processing units […]

XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing
We have been detecting a new wave of network attacks since early March, which, for now, are targeting Japan, Korea, China, Taiwan, and Hong Kong. The attacks use Domain Name System (DNS) cache poisoning/DNS spoofing, possibly through infringement techniques such as brute-force or dictionary attacks, to distribute and install malicious Android apps. Trend Micro detects […]

Understanding Code Signing Abuse in Malware Campaigns
Using a machine learning system, we analyzed 3 million software downloads, involving hundreds of thousands of internet-connected machines, and provide insights in this three-part blog series. In the first part of this series, we took a closer look at unpopular software downloads and the risks they pose to organizations. We also briefly mentioned the problem […]

Hacked Magento Sites Steal Card Data, Spread Malware
Cybercriminals are targeting websites running the Magento platform to inject them with code that can steal credit card data and infect visitors with malware, Flashpoint reports. The open-source platform written in PHP has long stirred threat actors’ interest due to its popularity among online e-commerce sites. According to Flashpoint, members of entry-level and top-tier Deep […]

A Closer Look at Unpopular Software Downloads and the Risks They Pose to Organizations
By Dr. Marco Balduzzi, Senior Researcher, Forward-Looking Threat Research Team
As a large cyber security vendor, Trend Micro deals with millions of threat data per day. Our Smart Protection Network (SPN), among other technologies, helps us conduct research and investigate new threats and cybercrimes to improve our ability to protect our customers. In this blog post, […]

Ransomware Takes Open-Source Path, Encrypts With GNU Privacy Guard
McAfee Labs has recently observed a new variant of ransomware that relies on the open-source program GNU Privacy Guard (GnuPG) to encrypt data. GnuPG is a hybrid-encryption software program that uses a combination of conventional symmetric-key cryptography for speed and public-key cryptography to ease the secure key exchange. Although ransomware using GnuPG to encrypt files […]

‘McAfee Labs Threats Report’ Examines Cryptocurrency Hijacking, Ransomware, Fileless Malware
Today McAfee published the McAfee Labs Threats Report: March 2018. The report looks into the growth and trends of new malware, ransomware, and other threats in Q4 2017. McAfee Labs saw on average eight new threat samples per second, and the increasing use of fileless malware attacks leveraging Microsoft PowerShell. The Q4 spike in Bitcoin […]

Cryptocurrency-Mining Malware: 2018’s New Menace?
Will cryptocurrency-mining malware be the new ransomware? The popularity and increasing real-world significance of cryptocurrencies are also drawing cybercriminal attention — so much so that it appears to keep pace with ransomware’s infamy in the threat landscape. In fact, cryptocurrency mining was the most detected network event in devices connected to home routers in 2017. […]

More information
- Microsoft Internet Explorer CVE-2013-1288 Use-After-Free Remote Code Execution Vulnerability
- Implanted Cisco Routers Targeting Global Networks
- Microsoft Says China-Linked Hackers Abused Azure in Attacks
- Galaxy reality check: 4 big reasons to avoid Samsung’s Android phones
- P2P Flaws Expose Millions of IoT Devices to Remote Attacks
- Microsoft shuffles more of its senior leadership
- CrowdSec Raises $14 Million for Crowdsourced Threat Intelligence Solution
- Locky Ransomware Campaign Ramps Up
- Samsung devices vulnerable to dangerous Android exploit
- Windows 7 hotspot hacker turns to software bonding