Tracking Threat Actors Using Images and Artifacts
When tracking adversaries, we commonly focus on the malware they employ in the final stages of the kill chain and infrastructure, often overlooking samples used in the initial ones. In this post, we will explore some ideas to track adversary activity leveraging images and artifacts mostly used during delivery. We presented this approach at the […] more…Inside of the WASP’s nest: deep dive into PyPI-hosted malware
Photo by Matheus Queiroz on Unsplash In late 2022 we decided to start monitoring PyPI, arguably the most important Python repository, as there were a number of reports on it hosting malware. PyPI took exceptional relevance amongst all repositories as, historically, it was trusted by default by many software developers. Any security breach or abuse […] more…AI boosts Code Language and File Format identification on VirusTotal
We are pleased to announce that VirusTotal has improved the identification of programming languages and file formats through the implementation of Generative AI (artificial intelligence). Historically, automating these tasks has been quite challenging, especially when it comes to certain scripting and plain text file formats. However, with the aid of Generative AI, we have expanded […] more…APT43: An investigation into the North Korean group’s cybercrime operations
Introduction As recently reported by our Mandiant’s colleagues, APT43 is a threat actor believed to be associated with North Korea. APT43’s main targets include governmental institutions, research groups, think tanks, business services, and the manufacturing sector, with most victims located in the United States and South Korea. The group uses a variety of techniques and […] more…Answering Log4Shell-related questions
Important notice On December 18th, Log4j version 2.17.0 was released to address open vulnerabilities. It is highly recommended to update your systems as soon as possible. History of the Log4j library vulnerabilities CVE-2021-44228 (initial vulnerability) – partly fixed in 2.15.0 CVE-2021-45046 (present in Log4j 2.15.0) – fixed in 2.16.0 CVE-2021-45105 (present in Log4j 2.16.0) – […] more…Andariel evolves to target South Korea with ransomware
Executive summary In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. While we were doing our research into these findings, Malwarebytes published a nice report with technical details about the same series of attacks, which they attributed to […] more…Gootkit: the cautious Trojan
Gootkit is complex multi-stage banking malware that was discovered for the first time by Doctor Web in 2014. Initially it was distributed via spam and exploits kits such as Spelevo and RIG. In conjunction with spam campaigns, the adversaries later switched to compromised websites where the visitors are tricked into downloading the malware. Gootkit is […] more…IT threat evolution Q3 2020
Targeted attacks MATA: Lazarus’s multi-platform targeted malware framework The more sophisticated threat actors are continually developing their TTPs (Tactics, Techniques and Procedures) and the toolsets they use to compromise the systems of their targets. However, malicious toolsets used to target multiple platforms are rare, because they required significant investment to develop and maintain them. In […] more…Internet Explorer and Windows zero-day exploits used in Operation PowerFall
Executive summary In May 2020, Kaspersky technologies prevented an attack on a South Korean company by a malicious script for Internet Explorer. Closer analysis revealed that the attack used a previously unknown full chain that consisted of two zero-day exploits: a remote code execution exploit for Internet Explorer and an elevation of privilege exploit for […] more…New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa
By Ecular Xu and Joseph C. Chen While tracking Earth Empura, also known as POISON CARP/Evil Eye, we identified an undocumented Android spyware we have named ActionSpy (detected by Trend Micro as AndroidOS_ActionSpy.HRX). During the first quarter of 2020, we observed Earth Empusa’s activity targeting users in Tibet and Turkey before they extended their scope […] more…IT threat evolution Q1 2020. Statistics
These statistics are based on detection verdicts for Kaspersky products received from users who consented to providing statistical data. Quarterly figures According to Kaspersky Security Network, Kaspersky solutions blocked 726,536,269 attacks launched from online resources in 203 countries across the globe. A total of 442,039,230 unique URLs were recognized as malicious by Web Anti-Virus components. […] more…More Than 8,000 Unsecured Redis Instances Found in the Cloud
By David Fiser (Security Researcher) We discovered 8,000 Redis instances that are running unsecured in different parts of the world, even ones deployed in public clouds. These Redis instances have been found without Transport Layer Security (TLS) encryption and are not password protected. Redis, according to its developers, is originally intended to be used only […] more…Dissecting Geost: Exposing the Anatomy of the Android Trojan Targeting Russian Banks
The Android banking trojan Geost was first revealed in a research by Sebastian García, Maria Jose Erquiaga and Anna Shirokova from the Stratosphere Laboratory. They detected the trojan by monitoring HtBot malicious proxy network. The botnet targets Russian banks, with the victim count at over 800,000 users at the time the study was published in […] more…Malicious Optimizer and Utility Android Apps on Google Play Communicate with Trojans that Install Malware, Perform Mobile Ad Fraud
By Lorin Wu (Mobile Threats Analyst) We recently discovered several malicious optimizer, booster, and utility apps (detected by Trend Micro as AndroidOS_BadBooster.HRX) on Google Play that are capable of accessing remote ad configuration servers that can be used for malicious purposes, perform mobile ad fraud, and download as many as 3,000 malware variants or malicious […] more…Looking into Attacks and Techniques Used Against WordPress Sites
By David Fiser (Senior Cyber Threat Researcher) WordPress is a well-known open-source content management system (CMS) used for creating websites and personal blogs. The CMS is estimated to be used by 35% of all websites today, which makes it an ideal target for threat actors. A weak point in the platform is all it takes […] more…The cybercrime ecosystem: attacking blogs
Executive summary The Cybercrime Ecosystem is a series of articles explaining how cybercriminals operate, what drives them, what techniques they use and how we, regular Internet users, are part of that ecosystem. The articles will also cover technical details and up-to-date research on the threat landscape to provide a more realistic understanding of why this […] more…More information
- If the "Deep Web" becomes searchable, is it still deep? 60 Sec Security [VIDEO]
- iGenius’ Crystal: An enterprise-class digital assistant at last?
- Otter.ai launches Otter Assistant to help Zoom-fatigued workers
- USB fuel cell promises two-week smartphone charge
- Fintech investments in APAC to quadruple in 2015: Accenture
- Apple online store goes down in preparation of iPhone X preorders
- Silk Road 2.0 deputy sentenced to 8 years in jail
- MobileIron names Barry Mainz new CEO
- Bradley Manning finally fesses up over WikiLeaks…
- Cybersecurity Market Forecasts: AI, API, Adaptive Security, Insurance Expected to Soar