dcsimg

Meet Extenbro, a new DNS-changer Trojan protecting adware

Recently, we uncovered a new DNS-changer called Extenbro that comes with an adware bundler. These DNS-changers block access to security-related sites, so the adware victims can’t download and install security software to get rid of the pests. From our viewpoint, this might be like sending in an elephant to save the mosquito, but the threat actors behind this attack have been known to use … [Read more...]

Adware and PUPs families add push notifications as an attack vector

Some existing families of potentially unwanted programs and adware have added browser push notifications to their weapons arsenal. Offering themselves up as browser extensions on Chrome and Firefox, these threats pose as useful plugins then haggle users with notifications. A family of search hijackers The first I would like to discuss is a large family of Chrome extensions that were already … [Read more...]

Emotet revisited: pervasive threat still a danger to businesses

One of the most common and pervasive threats for businesses today is Emotet, a banking Trojan turned downloader that has been on our list of top 10 detections for many months in a row. Emotet, which Malwarebytes detects as Trojan.Emotet, has been leveled at consumers and organizations across the globe, fooling users into infecting endpoints through phishing emails, and then spreading laterally … [Read more...]

A week in security (September 10 – 16)

Last week on Malwarebytes Labs, we assessed the security of a portable router, identified ways to waste a scammer’s time, named the many faces of omnichannel fraud, questioned the security of 2FAs, profiled a massive tech support scam operation, and exposed a new HMRC phishing campaign. Other cybersecurity news: Trend Micro addressed the burning questions related to their Mac App store apps … [Read more...]

Process Doppelgänging meets Process Hollowing in Osiris dropper

One of the Holly Grails for malware authors is a perfect way to impersonate a legitimate process. That would allow them to run their malicious module under the cover, being unnoticed by antivirus products. Over the years, various techniques have emerged in helping them to get closer to this goal. This topic is also interesting for researchers and reverse engineers, as it shows creative ways of … [Read more...]

Fake Fortnite for Android links found on YouTube

The extremely popular video game Fortnite is coming to Android sometime this summer, and the fanbase is going wild. Not surprisingly, mobile malware developers are taking advantage. Already, there are several videos on YouTube with links claiming to be versions of Fortnite for Android, despite the fact the game has yet to be released on this platform. Swati Khandelwal of The Hacker News highlights … [Read more...]

An in-depth malware analysis of QuantLoader

This guest post is written by Vishal Thakur, CSIRT/Salesforce. For more on Vishal, read his bio at the end of the blog. QuantLoader is a Trojan downloader that has been available for sale on underground forums for quite some time now. It has been used in campaigns serving a range of malware, including ransomware, Banking Trojans, and RATs. The campaign that we are going to analyze is serving a … [Read more...]

Bogus hack apps hack users back for cryptocash

Recently, we discovered a gold…er…APK mine of fake hacking apps. The “legitimate” versions of hack apps are intended to hack other apps in order to get something for free. Although it’s unclear what exactly these fake apps claim to hack, the real hack job is done to unsuspecting users. Search and you will find Disclaimer:  I, and Malwarebytes, do not recommend the process I’m about to … [Read more...]

Lo lo lo Loapi Trojan could break your Android

Kaspersky has found what they deem as a jack of all trades malicious app they call Trojan.AndroidOS.Loapi. Like the Trojan AsiaHitGroup we discovered last month on Google Play, this malware can do all the things—it’s a downloader, dropper, SMS Trojan, and can push ads all from the same malicious app. If left to its own devices, it could overheat the phone by taxing the processor, make the … [Read more...]

Seamless campaign serves RIG EK via Punycode (updated)

Update (2017-12-05): We noted some malvertising chains using a new domain name (newadultthem[.]info) also hosted on the same IP address as the Punycode one. – – The Seamless campaign is one of the most prolific malvertising chains pushing the RIG exploit kit and almost exclusively delivering the Ramnit Trojan. Identification of Seamless is typically easy, due to its use of static … [Read more...]