Inside of the WASP’s nest: deep dive into PyPI-hosted malware
Photo by Matheus Queiroz on Unsplash In late 2022 we decided to start monitoring PyPI, arguably the most important Python repository, as there were a number of reports on it hosting malware. PyPI took exceptional relevance amongst all repositories as, historically, it was trusted by default by many software developers. Any security breach or abuse […] more…APT43: An investigation into the North Korean group’s cybercrime operations
Introduction As recently reported by our Mandiant’s colleagues, APT43 is a threat actor believed to be associated with North Korea. APT43’s main targets include governmental institutions, research groups, think tanks, business services, and the manufacturing sector, with most victims located in the United States and South Korea. The group uses a variety of techniques and […] more…IT threat evolution Q3 2020
Targeted attacks MATA: Lazarus’s multi-platform targeted malware framework The more sophisticated threat actors are continually developing their TTPs (Tactics, Techniques and Procedures) and the toolsets they use to compromise the systems of their targets. However, malicious toolsets used to target multiple platforms are rare, because they required significant investment to develop and maintain them. In […] more…Malicious Optimizer and Utility Android Apps on Google Play Communicate with Trojans that Install Malware, Perform Mobile Ad Fraud
By Lorin Wu (Mobile Threats Analyst) We recently discovered several malicious optimizer, booster, and utility apps (detected by Trend Micro as AndroidOS_BadBooster.HRX) on Google Play that are capable of accessing remote ad configuration servers that can be used for malicious purposes, perform mobile ad fraud, and download as many as 3,000 malware variants or malicious […] more…IT threat evolution Q3 2019
Targeted attacks and malware campaigns Mobile espionage targeting the Middle East At the end of June we reported the details of a highly targeted campaign that we dubbed ‘Operation ViceLeaker’ involving the spread of malicious Android samples via instant messaging. The campaign affected several dozen victims in Israel and Iran. We discovered this activity in […] more…Analysis: Abuse of Custom Actions in Windows Installer MSI to Run Malicious JavaScript, VBScript, and PowerShell Scripts
by Llallum Victoria (Threats Analyst) Windows Installer uses Microsoft Software Installation (MSI) package files to install programs. Every package file has a relational-type database that contains instructions and data required to install or remove programs. We recently discovered malicious MSI files that download and execute other files and could bypass traditional security solutions. Malicious actors […] more…Analyzing C/C++ Runtime Library Code Tampering in Software Supply Chain Attacks
By Mohamad Mokbel For the past few years, the security industry’s very backbone — its key software and server components — has been the subject of numerous attacks through cybercriminals’ various works of compromise and modifications. Such attacks involve the original software’s being compromised via malicious tampering of its source code, its update server, or […] more…Same Old yet Brand-new: New File Types Emerge in Malware Spam Attachments
By Miguel Ang and Donald Castillo As cybersecurity defenses continue to improve, cybercriminals have learned to become more creative with malware. We recently encountered threats being packaged inside old yet rarely used file types in spam campaigns. Spam continues to be a cybercriminal favorite – this old-school infection vector makes up more than 48 percent […] more…A Closer Look at the Locky Poser, PyLocky Ransomware
by Ian Kenefick (Threats Analyst) While ransomware has noticeably plateaued in today’s threat landscape, it’s still a cybercriminal staple. In fact, it saw a slight increase in activity in the first half of 2018, keeping pace by being fine-tuned to evade security solutions, or in the case of PyLocky (detected by Trend Micro as RANSOM_PYLOCKY.A), […] more…XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing
We have been detecting a new wave of network attacks since early March, which, for now, are targeting Japan, Korea, China, Taiwan, and Hong Kong. The attacks use Domain Name System (DNS) cache poisoning/DNS spoofing, possibly through infringement techniques such as brute-force or dictionary attacks, to distribute and install malicious Android apps. Trend Micro detects […] more…GhostClicker Adware is a Phantomlike Android Click Fraud
By Echo Duan and Roland Sun We’ve uncovered a pervasive auto-clicking adware from as much as 340 apps from Google Play, one of which, named “Aladdin’s Adventure’s World”, was downloaded 5 million times. These adware-embedded applications include recreational games, device performance utilities like cleaners and boosters, and file managers, QR and barcode scanners, multimedia recorders […] more…SLocker Mobile Ransomware Starts Mimicking WannaCry
by Ford Qin Early last month, a new variant of mobile ransomware SLocker (detected by Trend Micro as ANDROIDOS_SLOCKER.OPST) was detected, copying the GUI of the now-infamous WannaCry. The SLocker family is one of the oldest mobile lock screen and file-encrypting ransomware and used to impersonate law enforcement agencies to convince victims to pay their […] more…Ztorg: money for infecting your smartphone
This research started when we discovered an infected Pokémon GO guide in Google Play. It was there for several weeks and was downloaded more than 500,000 times. We detected the malware as Trojan.AndroidOS.Ztorg.ad. After some searching, I found some other similar infected apps that were being distributed from the Google Play Store. The first of […] more…Cerber Version 6 Shows How Far the Ransomware Has Come (and How Far it’ll Go)
Additional analysis/insights by Alfredo Oliveira A little over a year after its first variants were found in the wild, Cerber (Detected by Trend Micro as RANSOM_CERBER family) now has the reputation for being the most prolific family of ransomware in the threat landscape. Since it first emerged in Russian underground marketplaces in March, 2016, Cerber has […] more…Spora Ransomware Infects ‘Offline’—Without Talking to Control Server
Spora is a ransomware family that encrypts victims’ files and demands money to decrypt the files. It has infected many computers in a short time due to a huge spam campaign. It has a very special feature—to work offline. Propagation vector The spam campaign carries a .zip file, which contains an HTA (HTML Application) file to […] more…Mobile Ransomware: How to Protect Against It
In our previous post, we looked at how malware can lock devices, as well as the scare tactics used to convince victims to pay the ransom. Now that we know what bad guys can do, we’ll discuss the detection and mitigation techniques that security vendors can use to stop them. By sharing these details with other […] more…More information
- Identity Finder License – Expiration Message May Display
- Pay-to-click ad service hacked, 6.6M plaintext passwords dumped
- Cisco Aironet Access Points CVE-2019-15265 Denial of Service Vulnerability
- Dell fixes exploitable holes its own firmware update driver – patch now!
- WordPress Database Brute Force and Backdoors
- Arizona man arrested for hacking email accounts at universities
- Spam Trick Users to Download ANDROIDOS_CONTACTS.E
- Microsoft Windows Kernel CVE-2016-3256 Local Information Disclosure Vulnerability
- RSA Warns Of Zero Detection Trojan
- Cisco Patches Command Injection Flaw in ACE Appliance