dcsimg

Magecart criminals caught stealing with their poker face on

Earlier in June, we documented how Magecart credit card skimmers were found on Amazon S3. This was an interesting development, since threat actors weren’t actively targeting specific e-commerce shops, but rather were indiscriminately injecting any exposed S3 bucket. Ever since then, we’ve monitored other places where we believe a skimmer might be found next. However, we were … [Read more...]

The Hidden Bee infection chain, part 1: the stegano pack

About a year ago, we described the Hidden Bee miner delivered by the Underminer Exploit Kit. Hidden Bee has a complex and multi-layered internal structure that is unusual among cybercrime toolkits, making it an interesting phenomenon on the threat landscape. That’s why we’re dedicating a series of posts to exploring particular elements and updates made during one year of its … [Read more...]

Say hello to Lord Exploit Kit

Just as we had wrapped up our summer review of exploit kits, a new player entered the scene. Lord EK, as it is calling itself, was caught by Virus Bulletin‘s Adrian Luca while replaying malvertising chains. In this blog post, we do a quick review of this exploit kit based on what we have collected so far. Malwarebytes users were already protected against this attack. Exploit kit or … [Read more...]

Exploit kits: summer 2019 review

In the months since our last spring review, there has been some interesting activity from several exploit kits. While the playing field remains essentially the same with Internet Explorer and Flash Player as the most-commonly-exploited, it is undeniable that there has been a marked effort from exploit kit authors to add some rather cool tricks to their arsenal. For example, several exploit kits … [Read more...]

A deep dive into Phobos ransomware

Phobos ransomware appeared at the beginning of 2019. It has been noted that this new strain of ransomware is strongly based on the previously known family: Dharma (a.k.a. CrySis), and probably distributed by the same group as Dharma. While attribution is by no means conclusive, you can read more about potential links between Phobos and Dharma here, to include an intriguing connection with the … [Read more...]

Fake jquery campaign leads to malvertising and ad fraud schemes

Recently we became aware of new domains used by an old malware campaign known as ‘fake jquery’, previously documented by web security firm Sucuri. Thousands of compromised websites are injected with a reference to an external JavaScript called jquery.js. However, there is something quite elusive about this campaign with regards to its payload. Indeed, to many researchers the … [Read more...]

GreenFlash Sundown exploit kit expands via large malvertising campaign

Exploit kit activity has been relatively quiet for some time, with the occasional malvertising campaign reminding us that drive-by downloads are still a threat. However, during the past few days we noticed a spike in our telemetry for what appeared to be a new exploit kit. Upon closer inspection we realized it was actually the very elusive GreenFlash Sundown EK. The threat actors behind it … [Read more...]

Magecart skimmers found on Amazon CloudFront CDN

Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network (CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers. Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain, this isn’t always the case. Some websites either use Amazon’s … [Read more...]

Hidden Bee: Let’s go down the rabbit hole

Some time ago, we discussed the interesting malware, Hidden Bee. It is a Chinese miner, composed of userland components, as well as of a bootkit part. One of its unique features is a custom format used for some of the high-level elements (this format was featured in my recent presentation at SAS). Recently, we stumbled upon a new sample of Hidden Bee. As it turns out, its authors decided to … [Read more...]

Medical industry struggles with PACS data leaks

In the medical world, sharing patient data between organizations and specialists has always been an issue. X-Rays, notes, CT scans, and any other data or related files have always existed and been shared in their physical forms (slides, paperwork). When a patient needed to take results of a test to another practice for a second opinion or to a specialist for a more detailed look, it would … [Read more...]