dcsimg

Fake jquery campaign leads to malvertising and ad fraud schemes

Recently we became aware of new domains used by an old malware campaign known as ‘fake jquery’, previously documented by web security firm Sucuri. Thousands of compromised websites are injected with a reference to an external JavaScript called jquery.js. However, there is something quite elusive about this campaign with regards to its payload. Indeed, to many researchers the … [Read more...]

GreenFlash Sundown exploit kit expands via large malvertising campaign

Exploit kit activity has been relatively quiet for some time, with the occasional malvertising campaign reminding us that drive-by downloads are still a threat. However, during the past few days we noticed a spike in our telemetry for what appeared to be a new exploit kit. Upon closer inspection we realized it was actually the very elusive GreenFlash Sundown EK. The threat actors behind it … [Read more...]

Magecart skimmers found on Amazon CloudFront CDN

Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network (CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers. Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain, this isn’t always the case. Some websites either use Amazon’s … [Read more...]

Hidden Bee: Let’s go down the rabbit hole

Some time ago, we discussed the interesting malware, Hidden Bee. It is a Chinese miner, composed of userland components, as well as of a bootkit part. One of its unique features is a custom format used for some of the high-level elements (this format was featured in my recent presentation at SAS). Recently, we stumbled upon a new sample of Hidden Bee. As it turns out, its authors decided to … [Read more...]

Medical industry struggles with PACS data leaks

In the medical world, sharing patient data between organizations and specialists has always been an issue. X-Rays, notes, CT scans, and any other data or related files have always existed and been shared in their physical forms (slides, paperwork). When a patient needed to take results of a test to another practice for a second opinion or to a specialist for a more detailed look, it would … [Read more...]

Threat spotlight: CrySIS, aka Dharma ransomware, causing a crisis for businesses

CrySIS, aka Dharma, is a family of ransomware that has been evolving since 2006. We have noticed that this ransomware has become increasingly active lately, increasing by a margin of 148 percent from February until April 2019. The uptick in detections may be due to CrySIS’ effective use of multiple attack vectors. Profile of the CrySIS ransomware CrySIS/Dharma, which Malwarebytes … [Read more...]

Exploit kits: spring 2019 review

Exploit kit activity remains fairly unchanged since our last winter review in terms of active distribution campaigns. But this spring edition will feature a new exploit kit and another atypical EK, in that it specifically goes after routers. The main driver behind these drive-by download attacks are various malvertising chains with strong geolocation filtering. This explains why some exploit … [Read more...]

“Funky malware format” found in Ocean Lotus sample

Recently, at the SAS conference I talked about “Funky malware formats”—atypical executable formats used by malware that are only loaded by proprietary loaders. Malware authors use them in order to make static detection more difficult, because custom formats are not recognized as executable by AV scanners. Using atypical formats may also slow down the analysis process because the … [Read more...]

Say hello to Baldr, a new stealer on the market

By William Tsing, Vasilios Hioureas, and Jérôme Segura Over the past few months, we have noticed increased activity and development of new stealers. One such new stealer, called Baldr, first appeared in January 2019, and our analysis of this malware finds that its authors were serious about making a long-lasting product. Unlike many banking Trojans that wait for the victim to log into their … [Read more...]

Plugin vulnerabilities exploited in traffic monetization schemes

In their Website Hack Trend Report, web security company Sucuri noted that WordPress infections rose to 90 percent in 2018. One aspect of Content Management System (CMS) infections that is sometimes overlooked is that attackers not only go after the CMSes themselves—WordPress, Drupal, etc.—but also third-party plugins and themes. While plugins are useful in providing additional features for … [Read more...]