Inside of the WASP’s nest: deep dive into PyPI-hosted malware
In late 2022 we decided to start monitoring PyPI, arguably the most important Python repository, as there were a number of reports on it hosting malware. PyPI took exceptional relevance amongst all repositories as, historically, it was trusted by default by many software developers. Any security breach or abuse […]

APT43: An investigation into the North Korean group’s cybercrime operations
Introduction As recently reported by our colleagues at Mandiant, APT43 is a threat actor believed to be associated with North Korea. APT43’s main targets include governmental institutions, research groups, think tanks, business services, and the manufacturing sector, with most victims located in the United States and South Korea. The group uses a variety of techniques and […]

Extracting type information from Go binaries
During the 2021 edition of the SAS conference, I had the pleasure of delivering a workshop focused on reverse-engineering Go binaries. The goal of the workshop was to share basic knowledge that would allow analysts to immediately start looking into malware written in Go. A YouTube version of the workshop was released around the same […]

Operation TunnelSnake
Windows rootkits, especially those operating in kernel space, are pieces of malware infamous for their near absolute power in the operating system. Usually deployed as drivers, such implants have high privileges in the system, allowing them to intercept and potentially tamper with core I/O operations conducted by the underlying OS, like reading or writing to […]

MosaicRegressor: Lurking in the Shadows of UEFI
Part II. Technical details (PDF) UEFI (or Unified Extensible Firmware Interface) has become a prominent technology that is embedded within designated chips on modern day computer systems. Replacing the legacy BIOS, it is typically used to facilitate the machine’s boot sequence and load the operating system, while using a feature-rich environment to do so. At […]

IT threat evolution Q2 2019. Statistics
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data. Quarterly figures According to Kaspersky Security Network, Kaspersky solutions blocked 717,057,912 attacks launched from online resources in 203 countries across the globe. 217,843,293 unique URLs triggered Web Anti-Virus components. Attempted infections by malware designed to steal […]

Project TajMahal – a sophisticated new APT framework
Executive summary ‘TajMahal’ is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named ‘Tokyo’ and ‘Yokohama’. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its […]

Roaming Mantis part III: iOS crypto-mining and spreading via malicious content delivery system
In Q2 2018, Kaspersky Lab published two blogposts about Roaming Mantis sharing details of this new cybercriminal campaign. In the beginning, the criminals used DNS hijacking in vulnerable routers to spread malicious Android applications of Roaming Mantis (aka MoqHao and XLoader), spoofing legitimate applications such as Facebook and Chrome. During our research, it became clear […]

Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia
We discovered a new campaign targeting organizations in Turkey, Pakistan and Tajikistan that has some similarities with an earlier campaign named MuddyWater, which hit various industries in several countries, primarily in the Middle East and Central Asia. Third-party security researchers named the MuddyWater campaign as such because of the difficulties in attributing the attacks. […]

The Banking Trojan Emotet: Detailed Analysis
Introduction In the summer of 2014, the company Trend Micro announced the detection of a new threat – the banking Trojan Emotet. The description indicated that the malware could steal bank account details by intercepting traffic. We call this modification version 1. In the autumn of that year a new version of Emotet was found. […]

Inside the EquationDrug Espionage Platform
Introduction EquationDrug is one of the main espionage platforms used by the Equation Group, a highly sophisticated threat actor that has been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996. (See full report here [PDF]). EquationDrug, which is still in use, dates back to 2003, […]

More information
- Google Chrome 33 released, with better security
- McAfee’s 2013 Consumer Threat Predictions
- How To List Your website on Google and other search engines
- Cisco and remote-work lessons learned in education during the pandemic
- Public Hotspots Are a Privacy and Security Minefield: Shield Yourself
- NSA can record 100% of another country’s telephone calls
- Cisco spending $2.7B for Sourcefire, company that commercialized Snort open-source security tool
- Ready, Set, Shop: Enjoy Amazon Prime Day Without the Phishing Scams
- S3 Ep117: The crypto crisis that wasn’t (and farewell forever to Win 7) [Audio + Text]
- The CIA triad: Definition, components and examples