German users targeted with Gootkit banker or REvil ransomware

This blog post was authored by Hasherezade and Jérôme Segura On November 23, we received an alert from a partner about a resurgence of Gootkit infections in Germany. Gootkit is a very capable banking Trojan that has been around since 2014 and possesses a number of functionalities such as keystroke or video recording designed to steal financially-related information. In this latest campaign, … [Read more...]

Chinese APT group targets India and Hong Kong using new variant of MgBot malware

This blog post was authored by Hossein Jazi and Jérôme Segura On July 2, we found an archive file with an embedded document pretending to be from the government of India. This file used template injection to drop a malicious template which loaded a variant of Cobalt Strike. One day later, the same threat actor changed their template and dropped a loader called MgBot, executing and injecting … [Read more...]

Hidden Bee: Let’s go down the rabbit hole

Some time ago, we discussed the interesting malware, Hidden Bee. It is a Chinese miner, composed of userland components, as well as of a bootkit part. One of its unique features is a custom format used for some of the high-level elements (this format was featured in my recent presentation at SAS). Recently, we stumbled upon a new sample of Hidden Bee. As it turns out, its authors decided to … [Read more...]