dcsimg
May 21, 2020

Shining a light on “Silent Night” Zloader/Zbot

When it comes to banking Trojans, ZeuS is probably the most famous one ever released. Since its source code originally leaked in 2011, several new variants proliferated online. That includes a past fork called Terdot Zbot/Zloader, which we extensively covered in 2017. But recently, we observed another bot, with a design reminiscent of ZeuS, that seems to be fairly new (a 1.0 version was … [Read more...]

Filed Under: banking Trojan, banking Trojans, HYAS, Malware, silent night, terdot, Threat analysis, zbot, Zeus, Zloader
May 6, 2020

New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app

This blog post was authored by Hossein Jazi, Thomas Reed and Jérôme Segura. We recently identified what we believe is a new variant of the Dacls Remote Access Trojan (RAT) associated with North Korea’s Lazarus group, designed specifically for the Mac operating system. Dacls is a RAT that was discovered by Qihoo 360 NetLab in December 2019 as a fully functional covert remote access … [Read more...]

Filed Under: APT, Dacls, Lazarus, Mac, Malware, rat, Threat analysis, tinkaOTP
April 9, 2020

APTs and COVID-19: How advanced persistent threats use the coronavirus as a lure

The coronavirus (Covid-19) has become a global pandemic and this is a golden time for attackers to take advantage of this fear to increase the likelihood of their attacks success rate by performing spam and spear phishing campaigns. From late January, several cyber-criminal and state-sponsored groups have begun using coronavirus-based phishing as their infection vectors to gain a foothold on … [Read more...]

Filed Under: advanced persistent threats, APTs, covid-19, Malware, Threat analysis
April 7, 2020

Copycat criminals abuse Malwarebytes brand in malvertising campaign

While exploit kit activity has been fairly quiet for some time now, we recently discovered a threat actor creating a copycat—fake—Malwarebytes website that was used as a gate to the Fallout EK, which distributes the Raccoon stealer. The few malvertising campaigns that remain are often found on second- and third-tier adult sites, leading to the Fallout or RIG exploit kits, as a majority of … [Read more...]

Filed Under: copycat criminals, copycat sites, exploit kit, exploit kits, Exploits and vulnerabilities, fake malwarebytes site, Fallout, Fallout EK, malvertising, malvertising campaign, malvertising campaigns, Malwarebytes, Raccoon, raccoon stealer, threat actors
March 23, 2020

Fake “Corona Antivirus” distributes BlackNET remote administration tool

Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. … [Read more...]

Filed Under: antivirus, botnet, coronavirus, covid-19, fake, Malware, rat, Social engineering, Threat analysis
March 18, 2020

Cybercriminals impersonate World Health Organization to distribute fake coronavirus e-book

The number of scams, threats, and malware campaigns taking advantage of public concern over the coronavirus is increasing each day. As a result, we’ve been actively monitoring emails within our spam honeypot to flag such threats and make sure our users are protected. Yesterday, we observed a phishing campaign similar to malspam previously discovered by MalwareHunterTeam, which … [Read more...]

Filed Under: coronavirus, coronavirus malware, covid-19, malicious attachment, malspam, phishing, phishing attack, phishing campaign, Social engineering, social engineering attacks, WHO, World Health Organization
March 16, 2020

APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT

Since the coronavirus became a worldwide health issue, the desire for more information and guidance from government and health authorities has reached a fever pitch. This is a golden opportunity for threat actors to capitalize on fear, spread misinformation, and generate mass hysteria—all while compromising victims with scams or malware campaigns. Profiting from global health concerns, natural … [Read more...]

Filed Under: APT, APT36, coronavirus, coronavirus malware, covid-19, credential stealer, crimson rat, exploit, Exploits, info-stealer, macro, malicious macro, Malware, nation-state attack, rat, remote administration tool, Social engineering, spear phishing, spear phishing attack, Threat analysis, transparent tribe
February 28, 2020

Domen toolkit gets back to work with new malvertising campaign

Last year, we documented a new social engineering toolkit we called “Domen” being used in the wild. Threat actors were using this kit to trick visitors into visiting compromised websites and installing malware under the guise of a browser update or missing font. Despite being a robust toolkit, we only saw Domen in sporadic campaigns last year, often reusing the same infrastructure … [Read more...]

Filed Under: buren ransomware, Domen, domen toolkit, intelrapid cryptominer, JavaScript, malicious websites, malvertising, malvertising campaigns, smoke loader, Social engineering, Threat analysis, toolkit, Vidar, vidar stealer
December 3, 2019

New version of IcedID Trojan uses steganographic payloads

This blog post was authored by @hasherezade, with contributions from @siri_urz and Jérôme Segura. Security firm Proofpoint recently published a report about a series of malspam campaigns they attribute to a threat actor called TA2101. Originally targeting German and Italian users with Cobalt Strike and Maze ransomware, the later wave of malicious emails were aimed at the US and pushing the … [Read more...]

Filed Under: backdoor, banking Trojan, banking Trojans, credential stealing, downloader, hooking browsers, IcedID Trojan, Malware, malware analysis, man-in-the-browser attacks, passwords, stealer, stealer functionality, stealing passwords, stealthy malware, Threat analysis, trickbot, Trojans
October 22, 2019

The forgotten domain: Exploring a link between Magecart Group 5 and the Carbanak APT

This blog post was authored by Jérôme Segura, William Tsing, and Adam Thomas. In a previous post, we described the possible overlap between certain domains registered by Magecart Group 4 and the Cobalt gang. While attribution is always a difficult endeavor, sharing TTPs can help others to connect the dots between campaigns observed in the wild and threat groups. This time, we looked at … [Read more...]

Filed Under: advanced persistent threats, APTs, attribution, carbanak, cybercriminal groups, dridex, Group5, Magecart, malicious domains, malicious websites, skimmer, Threat analysis
Next Page »