Same Old yet Brand-new: New File Types Emerge in Malware Spam Attachments
By Miguel Ang and Donald Castillo As cybersecurity defenses continue to improve, cybercriminals have learned to become more creative with malware. We recently encountered threats being packaged inside old yet rarely used file types in spam campaigns. Spam continues to be a cybercriminal favorite – this old-school infection vector makes up more than 48 percent […] more…APT43: An investigation into the North Korean group’s cybercrime operations
Introduction As recently reported by our Mandiant’s colleagues, APT43 is a threat actor believed to be associated with North Korea. APT43’s main targets include governmental institutions, research groups, think tanks, business services, and the manufacturing sector, with most victims located in the United States and South Korea. The group uses a variety of techniques and […] more…Andariel evolves to target South Korea with ransomware
Executive summary In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. While we were doing our research into these findings, Malwarebytes published a nice report with technical details about the same series of attacks, which they attributed to […] more…Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902
Update as of 10:00 A.M. PST, July 30, 2020: Our continued analysis of the malware sample showed adjustments to the details involving the URI and Shodan scan parameters. We made the necessary changes in this post. We would like to thank F5 Networks for reaching out to us to clarify these details. With additional insights […] more…New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa
By Ecular Xu and Joseph C. Chen While tracking Earth Empura, also known as POISON CARP/Evil Eye, we identified an undocumented Android spyware we have named ActionSpy (detected by Trend Micro as AndroidOS_ActionSpy.HRX). During the first quarter of 2020, we observed Earth Empusa’s activity targeting users in Tibet and Turkey before they extended their scope […] more…VirusTotal MultiSandbox += QiAnXin RedDrip
VirusTotal would like to welcome QiAnXin RedDrip to the multi-sandbox project! QiAnXin is now sending execution behavior reports to the VirusTotal ecosystem for a wide variety of file types. In their own words: QiAnXin RedDrip Sandbox, developed by QI-ANXIN Threat Intelligence Center, is a cloud‐based malware analysis service provided to security researchers, analysts as well […] more…Why Running a Privileged Container in Docker Is a Bad Idea
By David Fiser and Alfredo Oliveira Privileged containers in Docker are, concisely put, containers that have all of the root capabilities of a host machine, allowing the ability to access resources which are not accessible in ordinary containers. One use case of a privileged container is running a Docker daemon inside a Docker container; another […] more…(Almost) Hollow and Innocent: Monero Miner Remains Undetected via Process Hollowing
By Arianne Dela Cruz, Jay Nebre and Augusto Remillano II As the value of cryptocurrencies increased (after a short dip in 2018), we observed increased activity from cryptocurrency mining malware this year, particularly infections and routines involving Monero miners. Over a span of a few months, we came across an infection routine that exploited vulnerabilities […] more…Waterbear is Back, Uses API Hooking to Evade Security Product Detection
By Vickie Su, Anita Hsieh, and Dove Chiu Waterbear, which has been around for several years, is a campaign that uses modular malware capable of including additional functions remotely. It is associated with the cyberespionage group BlackTech, which mainly targets technology companies and government agencies in East Asia (specifically Taiwan, and in some instances, Japan […] more…Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire
by Noel Anthony Llimos and Carl Maverick Pascual In November 2018, we covered a Trickbot variant that came with a password-grabbing module, which allowed it to steal credentials from numerous applications. In January 2019, we saw Trickbot (detected as TrojanSpy.Win32.TRICKBOT.AZ and Trojan.Win32.MERETAM.AD) with new capabilities added to its already extensive bag of tricks. Its authors clearly […] more…Necurs Evolves to Evade Spam Detection via Internet Shortcut File
By Miguel Ang Necurs, a botnet malware that’s been around since 2012, has been improved with the hopes of better defeating cybersecurity measures — it was seen to evolve its second layer of infection using a .URL file (with remote script downloaders detected by Trend Micro as MAL_CERBER-JS03D, MAL_NEMUCOD-JS21B, VBS_SCARAB.SMJS02, and MAL_SCARAB-VBS30. Necurs, a modular […] more…Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia
We discovered a new campaign targeting organizations in Turkey, Pakistan and Tajikistan that has some similarities with an earlier campaign named MuddyWater, which hit various industries in several countries, primarily in the Middle East and Central Asia. Third party security researchers named the MuddyWater campaign as such because of the difficulties in attributing the attacks. […] more…Ztorg: money for infecting your smartphone
This research started when we discovered an infected Pokémon GO guide in Google Play. It was there for several weeks and was downloaded more than 500,000 times. We detected the malware as Trojan.AndroidOS.Ztorg.ad. After some searching, I found some other similar infected apps that were being distributed from the Google Play Store. The first of […] more…ATM infector
Seven years ago, in 2009, we saw a completely new type of attack on banks. Instead of infecting the computers of thousands of users worldwide, criminals went directly after the ATM itself – infecting it with malware called Skimer. Seven years later, our Global Research and Analysis Team together with Penetration Testing Team have been […] more…The Duqu 2.0 persistence module
We have previously described how Duqu 2.0 doesn’t have a normal “persistence” mechanism. This can lead users to conclude that flushing out the malware is as simple as rebooting all the infected machines. In reality, things are a bit more complicated. The attackers created an unusual persistence module which they deploy on compromised networks. It […] more…The Banking Trojan Emotet: Detailed Analysis
Introduction In the summer of 2014, the company Trend Micro announced the detection of a new threat – the banking Trojan Emotet. The description indicated that the malware could steal bank account details by intercepting traffic. We call this modification version 1. In the autumn of that year a new version of Emotet was found. […] more…More information
- Outages Blamed on Malware Still Plaguing Budget Airlines
- Oracle’s "Patch Tuesday" brings 113 patches across 13 product families
- Extending Security to the Public Cloud is the Easy Part
- Hungarian Official: Government Bought, Used Pegasus Spyware
- Senator says Snapchat ‘hiding something’ by skipping data breach hearing
- Fake Font Update on Google Chrome Uses Social Engineering to Infect Users with Ransomware
- Chinese hotel chain’s customer data on Dark Web – 500M records for $50K
- Threat Hunting Summit Virtual Event NOW LIVE
- Financial Impact of Ransomware Attack on Sopra Steria Could Reach €50 Million
- Google confirms critical Android crypto flaw used in $5,700 Bitcoin heist