dcsimg

Maze: the ransomware that introduced an extra twist

An extra way to create leverage against victims of ransomware has been introduced by the developers of the Maze ransomware. If the victim is not convinced that she should pay the criminals because her files are encrypted, there could be an extra method of extortion. Over time, more organizations have found ways to keep safe copies of their important files or use some kind of rollback technology to … [Read more...]

Copycat criminals abuse Malwarebytes brand in malvertising campaign

While exploit kit activity has been fairly quiet for some time now, we recently discovered a threat actor creating a copycat—fake—Malwarebytes website that was used as a gate to the Fallout EK, which distributes the Raccoon stealer. The few malvertising campaigns that remain are often found on second- and third-tier adult sites, leading to the Fallout or RIG exploit kits, as a majority of … [Read more...]

Exploit kits: fall 2019 review

Despite a slim browser market share, Internet Explorer is still being exploited in fall 2019 in a number of drive-by download campaigns. Perhaps even more surprising, we’re seeing new exploit kits emerge. Based on our telemetry, these drive-bys are happening worldwide (with the exception of a few that are geo-targeted) and are fueled by malvertising most often found on adult … [Read more...]

Exploit kits: summer 2019 review

In the months since our last spring review, there has been some interesting activity from several exploit kits. While the playing field remains essentially the same with Internet Explorer and Flash Player as the most-commonly-exploited, it is undeniable that there has been a marked effort from exploit kit authors to add some rather cool tricks to their arsenal. For example, several exploit kits … [Read more...]

Exploit kits: spring 2019 review

Exploit kit activity remains fairly unchanged since our last winter review in terms of active distribution campaigns. But this spring edition will feature a new exploit kit and another atypical EK, in that it specifically goes after routers. The main driver behind these drive-by download attacks are various malvertising chains with strong geolocation filtering. This explains why some exploit … [Read more...]

Exploit kits: winter 2019 review

Active malvertising campaigns in December and the new year have kept exploit kit activity from hibernating in winter 2019. We mostly observed Fallout and RIG with the occasional, limited GrandSoft appearance for wider geo-targeting. In addition, narrowly-focused exploit kits such as Magnitude, Underminer, and GreenFlash Sundown stayed on the same track: delivering ransomware to mostly Asian … [Read more...]

Improved Fallout EK comes back after short hiatus

After a short hiatus in early January, the Fallout exploit kit is back in business again with some new features for the new year. During its absence, we noticed an increase in RIG EK campaigns, perhaps to fill that temporary void. Fallout EK is distributed via malvertising chains (one of them we track under the name HookAds), especially through adult traffic. Since January 15, Fallout EK activity … [Read more...]

Vidar and GandCrab: stealer and ransomware combo observed in the wild

We have been tracking a prolific malvertising campaign for several weeks and captured a variety of payloads, including several stealers. One that we initially identified as Arkei turned out to be Vidar, a new piece of malware recently analyzed in detail by Fumik0_ in his post: Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis). In Norse Mythology, Víðarr is a god and son of … [Read more...]

Exploit kits: fall 2018 review

Exploit kit (EK) activity continues to surprise us as the weather cools, the leaves change, and we move into the fall of 2018. Indeed, shortly after our summer review, a new exploit kit was discovered, and while no new vulnerabilities were added to the current EKs, several malvertising chains are still going strong. Smoke Loader, Ramnit, and AZORult are some of the most common payloads we’ve … [Read more...]