Java-based Trojan was used to attack over 400,000 systems
A cross-platform remote access Trojan that’s being openly sold as a service to all types of attackers, from opportunistic cybercriminals to cyberespionage groups, has been used to attack more than 400,000 systems over the past three years. The RAT (Remote Access Tool/Trojan), which depending on the variant is known as Adwind, AlienSpy, Frutas, Unrecom, Sockrat, jRat or […] more…Java Native Layer Exploits Going Up
Recently, security researchers disclosed two Java native layer exploits (CVE-2013-2465 and CVE-2013-2471). This caused us too look into native layer exploits more closely, as they have been becoming more common this year. At this year’s Pwn2Own competition at CanSecWest, Joshua Drake showed CVE-2013-1491, which was exploitable on Java 7 running on Windows 8. CVE-2013-1493 has […] more…CVE-2013-2423 Java Vulnerability Exploit ITW
A few days after Oracle released a critical patch, CVE-2013-2423 is found to already been exploited. Upon checking the history, the exploitation seems to have begun on April 21st and is still actively happening until a few hours ago: For a closer look, the image below contains a comparison of the classes found in the […] more…Sneaky Joomla Web Malware – JavaScript Infections
So the past week has been interesting, we have been having fun with a few JavaScript infections that really forced us to put on our thinking hats. Our Senior Malware Engineer, Fioravante Cavallari, actually found the payload and dissected it – thank goodness for products based on human-intelligence. It was so interesting that we felt […] more…Tracking Threat Actors Using Images and Artifacts
When tracking adversaries, we commonly focus on the malware they employ in the final stages of the kill chain and infrastructure, often overlooking samples used in the initial ones. In this post, we will explore some ideas to track adversary activity leveraging images and artifacts mostly used during delivery. We presented this approach at the […] more…Inside of the WASP’s nest: deep dive into PyPI-hosted malware
Photo by Matheus Queiroz on Unsplash In late 2022 we decided to start monitoring PyPI, arguably the most important Python repository, as there were a number of reports on it hosting malware. PyPI took exceptional relevance amongst all repositories as, historically, it was trusted by default by many software developers. Any security breach or abuse […] more…AI boosts Code Language and File Format identification on VirusTotal
We are pleased to announce that VirusTotal has improved the identification of programming languages and file formats through the implementation of Generative AI (artificial intelligence). Historically, automating these tasks has been quite challenging, especially when it comes to certain scripting and plain text file formats. However, with the aid of Generative AI, we have expanded […] more…APT43: An investigation into the North Korean group’s cybercrime operations
Introduction As recently reported by our Mandiant’s colleagues, APT43 is a threat actor believed to be associated with North Korea. APT43’s main targets include governmental institutions, research groups, think tanks, business services, and the manufacturing sector, with most victims located in the United States and South Korea. The group uses a variety of techniques and […] more…Lessons learned from 2022
One of our goals is sharing with the security community as much as we learn from VirusTotal’s data to help stop, monitor and mitigate malicious activity. When looking back to 2022 we observe different interesting trends; we decided to go deeper into the three most interesting ones: evolution of distribution vectors, trending malware artifacts and […] more…Answering Log4Shell-related questions
Important notice On December 18th, Log4j version 2.17.0 was released to address open vulnerabilities. It is highly recommended to update your systems as soon as possible. History of the Log4j library vulnerabilities CVE-2021-44228 (initial vulnerability) – partly fixed in 2.15.0 CVE-2021-45046 (present in Log4j 2.15.0) – fixed in 2.16.0 CVE-2021-45105 (present in Log4j 2.16.0) – […] more…Russian-speaking cybercrime evolution: What changed from 2016 to 2021
Experts at Kaspersky have been investigating various computer incidents on a daily basis for over a decade. Having been in the field for so long, we have witnessed some major changes in the cybercrime world’s modus operandi. This report shares our insights into the Russian-speaking cybercrime world and the changes in how it operates that […] more…Great R packages for data import, wrangling, and visualization
The table below shows my favorite go-to R packages for data import, wrangling, visualization and analysis — plus a few miscellaneous tasks tossed in. The package names in the table are clickable if you want more information. To find out more about a package once you’ve installed it, type help(package = "packagename") in your R […] more…IT threat evolution in Q2 2021. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data. Quarterly figures In Q2 2021, according to data from Kaspersky Security Network: 14,465,672 malware, adware and riskware attacks were prevented. The largest share of all detected threats accrued to RiskTool programs — 38.48%. 886,105 malicious installation […] more…Andariel evolves to target South Korea with ransomware
Executive summary In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. While we were doing our research into these findings, Malwarebytes published a nice report with technical details about the same series of attacks, which they attributed to […] more…Gootkit: the cautious Trojan
Gootkit is complex multi-stage banking malware that was discovered for the first time by Doctor Web in 2014. Initially it was distributed via spam and exploits kits such as Spelevo and RIG. In conjunction with spam campaigns, the adversaries later switched to compromised websites where the visitors are tricked into downloading the malware. Gootkit is […] more…Bizarro banking Trojan expands its attacks to Europe
Bizarro is yet another banking Trojan family originating from Brazil that is now found in other regions of the world. We have seen users being targeted in Spain, Portugal, France and Italy. Attempts have now been made to steal credentials from customers of 70 banks from different European and South American countries. Following in the […] more…More information
- Bitcoin exchange Coinbase tries to quell security concerns with ‘vault’ service
- Turla Cyberspies Use New Dropper in G20 Attacks
- Russian unit, GRU officer linked to 2014 shoot-down of airliner over Ukraine
- The NSA warns enterprises to beware of third-party DNS resolvers
- Juniper Junos CVE-2019-0073 Local Insecure File Permissions Vulnerability
- How to survive attacks that result in password leaks?
- Hackers turn Mandiant China security report into Trojan
- Best antivirus software: 9 top tools
- Chromo-encryption method encodes secrets with color
- Quantum Encryption Is On The Verge Of Solving The ‘100-Year Problem’ In Data Security