Inside of the WASP’s nest: deep dive into PyPI-hosted malware
Photo by Matheus Queiroz on Unsplash In late 2022 we decided to start monitoring PyPI, arguably the most important Python repository, as there were a number of reports on it hosting malware. PyPI took exceptional relevance amongst all repositories as, historically, it was trusted by default by many software developers. Any security breach or abuse […] more…APT43: An investigation into the North Korean group’s cybercrime operations
Introduction As recently reported by our Mandiant’s colleagues, APT43 is a threat actor believed to be associated with North Korea. APT43’s main targets include governmental institutions, research groups, think tanks, business services, and the manufacturing sector, with most victims located in the United States and South Korea. The group uses a variety of techniques and […] more…IT threat evolution Q3 2021
IT threat evolution Q3 2021 IT threat evolution in Q3 2021. PC statistics IT threat evolution in Q3 2021. Mobile statistics Targeted attacks WildPressure targets macOS Last March, we reported a WildPressure campaign targeting industrial-related entities in the Middle East. While tracking this threat actor in spring 2021, we discovered a newer version. It contains […] more…IT threat evolution Q3 2020. Non-mobile statistics
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data. Quarterly figures According to Kaspersky Security Network, in Q3: Kaspersky solutions blocked 1,416,295,227 attacks launched from online resources across the globe. 456,573,467 unique URLs were recognized as malicious by Web Anti-Virus components. Attempts to run malware […] more…The Tetrade: Brazilian banking malware goes global
Introduction Brazil is a well-known country with plenty of banking trojans developed by local crooks. The Brazilian criminal underground is home to some of the world’s busiest and most creative perpetrators of cybercrime. Like their counterparts’ in China and Russia, their cyberattacks have a strong local flavor, and for a long time, they limited their […] more…Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan
By Jaromir Horejsi and Joseph C. Chen (Threat Researchers) We recently discovered a new campaign that we dubbed “Operation Overtrap” for the numerous ways it can infect or trap victims with its payload. The campaign mainly targets online users of various Japanese banks by stealing their banking credentials using a three-pronged attack. Based on our […] more…Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions
by Jaromir Horejsi and Joseph C. Chen We recently caught a malvertising attack distributing the malware Glupteba. This is an older malware that was previously connected to a campaign named Operation Windigo and distributed through exploit kits to Windows users. In 2018, a security company reported that the Glupteba botnet may have been independent from […] more…SLUB Gets Rid of GitHub, Intensifies Slack Use
by Cedric Pernet, Elliot Cao, Jaromir Horejsi, Joseph C. Chen, William Gamazo Sanchez Four months ago, we exposed an attack that leveraged a previously unknown malware that Trend Micro named SLUB. The past iteration of SLUB spread from a unique watering hole website exploiting CVE-2018-8174, a VBScript engine vulnerability. It used GitHub and Slack as […] more…SettingContent-ms can be Abused to Drop Complex DeepLink and Icon-based Payload
by Michael Villanueva Microsoft’s SettingContent-ms has become a recent topic of interest. In July, we saw one spam campaign use malicious SettingContent-ms files embedded in a PDF to drop the remote access Trojan FlawedAmmyy, a RAT also used by the Necurs botnet. That campaign was mostly targeting banks in different countries across Asia and Europe. SettingContent-ms […] more…Roaming Mantis part III: iOS crypto-mining and spreading via malicious content delivery system
In Q2 2018, Kaspersky Lab published two blogposts about Roaming Mantis sharing details of this new cybercriminal campaign. In the beginning, the criminals used DNS hijacking in vulnerable routers to spread malicious Android applications of Roaming Mantis (aka MoqHao and XLoader), spoofing legitimate applications such as Facebook and Chrome. During our research, it became clear […] more…Confucius Update: New Tools and Techniques, Further Connections with Patchwork
by Daniel Lunghi and Jaromir Horejsi Back in February, we noted the similarities between the Patchwork and Confucius groups and found that, in addition to the similarities in their malware code, both groups primarily went after targets in South Asia. During the months that followed in which we tracked Confucius’ activities, we found that they […] more…OPC UA security analysis
This paper discusses our project that involved searching for vulnerabilities in implementations of the OPC UA protocol. In publishing this material, we hope to draw the attention of vendors that develop software for industrial automation systems and the industrial internet of things to problems associated with using such widely available technologies, which turned out to […] more…Spam and phishing in 2016
The year in figures According to Kaspersky Lab, in 2016: The proportion of spam in email flows was 58.31%, which is 3.03 percentage points more than in 2015. 62.16% of spam emails were no more than 2 KB in size. 12.08% of spam was sent from the US. Trojan.Win32.Bayrob was the most popular malware family […] more…More information
- Google Chrome patches mysterious new zero-day bug – update now
- China calls for cooperation rather than war in cyberspace
- CoinImp Cryptominer and Fully Qualified Domain Names
- Google’s move into home automation means even less privacy
- Malvuln Project Catalogues 260 Vulnerabilities Found in Malware
- AstraZeneca vaccine linked to rare blood clots, EU regulators conclude
- LinkedIn flips the two-factor authentication switch
- Singaporeans get hard token baked into credit card
- VMware fixes possible exploits in server virtualisation products
- How enterprise networking is changing with a work-at-home workforce