Distribution of malicious JAR appended to MSI files signed by third parties
Microsoft Windows keeps the Authenticode signature valid after appending any content to the end of Windows Installer (.MSI) files signed by any software developer. This behaviour can be exploited by attackers to bypass some security solutions that rely on Microsoft Windows code signing to decide if files are trusted. The scenario is especially dangerous when […] more…IT threat evolution Q3 2021
IT threat evolution Q3 2021 IT threat evolution in Q3 2021. PC statistics IT threat evolution in Q3 2021. Mobile statistics Targeted attacks WildPressure targets macOS Last March, we reported a WildPressure campaign targeting industrial-related entities in the Middle East. While tracking this threat actor in spring 2021, we discovered a newer version. It contains […] more…IT threat evolution Q3 2020. Non-mobile statistics
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data. Quarterly figures According to Kaspersky Security Network, in Q3: Kaspersky solutions blocked 1,416,295,227 attacks launched from online resources across the globe. 456,573,467 unique URLs were recognized as malicious by Web Anti-Virus components. Attempts to run malware […] more…The Tetrade: Brazilian banking malware goes global
Introduction Brazil is a well-known country with plenty of banking trojans developed by local crooks. The Brazilian criminal underground is home to some of the world’s busiest and most creative perpetrators of cybercrime. Like their counterparts’ in China and Russia, their cyberattacks have a strong local flavor, and for a long time, they limited their […] more…Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan
By Jaromir Horejsi and Joseph C. Chen (Threat Researchers) We recently discovered a new campaign that we dubbed “Operation Overtrap” for the numerous ways it can infect or trap victims with its payload. The campaign mainly targets online users of various Japanese banks by stealing their banking credentials using a three-pronged attack. Based on our […] more…Dissecting Geost: Exposing the Anatomy of the Android Trojan Targeting Russian Banks
The Android banking trojan Geost was first revealed in a research by Sebastian García, Maria Jose Erquiaga and Anna Shirokova from the Stratosphere Laboratory. They detected the trojan by monitoring HtBot malicious proxy network. The botnet targets Russian banks, with the victim count at over 800,000 users at the time the study was published in […] more…Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions
by Jaromir Horejsi and Joseph C. Chen We recently caught a malvertising attack distributing the malware Glupteba. This is an older malware that was previously connected to a campaign named Operation Windigo and distributed through exploit kits to Windows users. In 2018, a security company reported that the Glupteba botnet may have been independent from […] more…TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
By Hara Hiroaki, Jaromir Horejsi, and Loseway Lu (Threats Analysts) TA505 continues to show that as a cybercriminal group, they intend to wreak as much havoc while maximizing potential profits. Given the group’s active campaigns since our updates in June and July, we continued following their latest campaigns. Just like in previous operations, they continue […] more…Demystifying Blockchain: Sifting Through Benefits, Examples and Choices
You have likely heard that blockchain will disrupt everything from banking to retail to identity management and more. You may have seen commercials for IBM touting the supply chain tracking benefits of blockchain.[i] It appears nearly every industry is investing in, adopting, or implementing blockchain. Someone has probably told you that blockchain can completely transform […] more…SLUB Gets Rid of GitHub, Intensifies Slack Use
by Cedric Pernet, Elliot Cao, Jaromir Horejsi, Joseph C. Chen, William Gamazo Sanchez Four months ago, we exposed an attack that leveraged a previously unknown malware that Trend Micro named SLUB. The past iteration of SLUB spread from a unique watering hole website exploiting CVE-2018-8174, a VBScript engine vulnerability. It used GitHub and Slack as […] more…Criminals, ATMs and a cup of coffee
In spring 2019, we discovered a new ATM malware sample written in Java that was uploaded to a multiscanner service from Mexico and later from Colombia. After a brief analysis, it became clear that the malware, which we call ATMJaDi, can cash out ATMs. However, it doesn’t use the standard XFS, JXFS or CSC libraries. […] more…AESDDoS Botnet Malware Infiltrates Containers via Exposed Docker APIs
By David Fiser, Jakub Urbanec and Jaromir Horejsi Misconfiguration is not novel. However, cybercriminals still find that it is an effective way to get their hands on organizations’ computing resources to use for malicious purposes and it remains a top security concern. In this blog post, we will detail an attack type where an API […] more…MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools
By Daniel Lunghi and Jaromir Horejsi We found new campaigns that appear to wear the badge of MuddyWater. Analysis of these campaigns revealed the use of new tools and payloads, which indicates that the well-known threat actor group is continuously developing their schemes. We also unearthed and detailed our other findings on MuddyWater, such as […] more…VirusTotal MultiSandbox += Yoroi: Yomi sandbox
We are excited to welcome Yomi: The Malware Hunter from Yoroi to the mutisandbox project. This brings VirusTotal upl to seven integrated sandboxes, in addition to VT’s own sandboxes for Windows, MacOS, and Android. In their own words: Yomi engine implements a multi-analysis approach able to exploit both static analysis and behavioral analysis, providing ad […] more…More information
- Bug in WordPress plugin can let hackers wipe up to 200,000 sites
- Websites Hacked Redirect to Porn from PDF / DOC Links
- Resolved: Phising.psu.edu report a phish button partially unavailable
- Apple releases OS X 10.9.1 with Mail, Safari, and VoiceOver fixes
- Following Facebook and Twitter, Google Targets Iranian Influence Operation
- Apple won’t sue FBI to reveal hack used to unlock seized iPhone
- Chinese firm recalls camera products linked to massive DDOS attack
- Charring, melting laptop batteries cause HP to issue voluntary recall
- New Twitter Trust & Safety Council sets out to banish the trolls
- Windows RT 8.1 update pulled after it gives tablets the blue screen of death