Kaspersky analysis of the backdoor in XZ
Kaspersky analysis of the backdoor recently found in XZ, which is used in many popular Linux distributions and in OpenSSH server process.
Distinctive Campaign Evolution of Pikabot Malware
Authored by Anuradha and Preksha Introduction PikaBot is a malicious backdoor that has been active since early 2023. Its modular design is comprised of a
North Korea’s Post-Infection Python Payloads – One Night in Norfolk
Throughout the past few months, several publications have written about a North Korean threat actor group’s use of NPM packages to deploy malware to developers and other unsuspecting victims. This blog post provides additional details regarding the second and third-stage malware in these attacks, which these publications have only covered in limited detail.
Threat Actors Deliver Malware via YouTube Video Game Cracks
Key takeaways Proofpoint identified multiple YouTube channels distributing malware by promoting cracked and pirated video games and related content. The video descriptions include links leading t...
Accidentally Crashing a Botnet
As part of our research into the cryptomining botnet kmsdbot, we rendered it useless.
Shc Linux Malware Installing CoinMiner
The ASEC analysis team recently discovered that a Linux malware developed with Shc has been installing a CoinMiner. It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system. Among those installed were the Shc downloader, XMRig CoinMiner installed through the former, and DDoS IRC Bot, developed with Perl.
Microsoft links Raspberry Robin malware to Evil Corp attacks
Microsoft has discovered that an access broker it tracks as DEV-0206 uses the Raspberry Robin Windows worm to deploy a malware downloader on networks where it also found evidence of malicious activity matching Evil Corp tactics.
Il malware EnvyScout (APT29) è stato veicolato anche in Italia
Il malware EnvyScout (APT29) è stato veicolato anche in Italia
Microsoft finds Raspberry Robin worm in hundreds of Windows networks
Microsoft says that a recently spotted Windows worm has been found on the networks of hundreds of organizations from various industry sectors.
Flubot: the evolution of a notorious Android Banking Malware
Flubot is an Android based malware that has been distributed in the past 1.5 years in Europe, Asia and Oceania affecting thousands of devices of mostly unsuspecting victims. Like the majority of Android banking malware, Flubot abuses Accessibility Permissions and Services in order to steal the victim’s credentials, by detecting when the official banking application is open to show a fake web injection, a phishing website similar to the login form of the banking application. An important part of the popularity of Flubot is due to the distribution strategy used in its campaigns, since it has been using the infected devices to send text messages, luring new victims into installing the malware from a fake website. In this article we detail its development over time and recent developments regarding its disappearance, including new features and distribution campaigns.
BRATA is evolving into an Advanced Persistent Threat
Here we go with another episode about our (not so) old friend, BRATA. In almost one year, threat actors (TAs) have further improved the capabilities of this malware. In our previous blog post [1] we defined three main BRATA variants, which appeared during two different waves detected by our telemetries at the very end of 2021. However, during the last months we have observed a change in the attack pattern commonly used.
Linux Threat Hunting: 'Syslogk' a kernel rootkit found under development in the wild
Introduction Rootkits are dangerous pieces of malware. Once in place, they are usually really hard to detect. Their code is typically more challenging to write than other malware, so developers resort to code reuse from open source projects. As rootkits are very interesting to analyze, we are always looking out for these kinds of samples […]
Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK
We discovered that Gimmick MacOS malware communicates only through their C2 server hosted on Google Drive. The malware was discovered in the first week of May and it has been actively targeting macOS devices
Researchers devise iPhone malware that runs even when device is turned off
Research is largely theoretical but exposes an overlooked security issue.
A closer look at Eternity Malware
In this analysis, Cyble looks at the Eternity Malware suite, listing a wide variety of malware for sale on Telegram.
Russia’s Sandworm hackers attempted a third blackout in Ukraine
The attack was the first in five years to use Sandworm's Industroyer malware.
Raccoon Stealer: “Trash panda” abuses Telegram
We recently came across a stealer, called Raccoon Stealer, a name given to it by its author. Raccoon Stealer uses the Telegram infrastructure to store and update actual C&C addresses. Raccoon Stealer is a password stealer capable of stealing not just passwords, but various types of data, including: Cookies, saved logins and forms data from […]
Malware now using stolen NVIDIA code signing certificates
Threat actors are using stolen NVIDIA code signing certificates to sign malware to appear trustworthy and allow malicious drivers to be loaded in Windows. This week, NVIDIA confirmed that they suffered a cyberattack that allowed threat actors to steal employee credentials and proprietary data.
Phishing attacks target countries aiding Ukrainian refugees
A spear-phishing campaign likely coordinated by a state-backed threat actor has been targeting European government personnel providing logistics support to Ukrainian refugees.
Destructive Malware Targeting Organizations in Ukraine
Actions to Take Today: • Set antivirus and antimalware programs to conduct regular scans. • Enable strong spam filters to prevent phishing emails from reaching end users. • Filter network traffic. • Update software. • Require multifactor authentication. Leading up to Russia’s unprovoked attack against Ukraine, threat actors deployed destructive malware against organizations in Ukraine to destroy computer systems and render them inoperable.
TrickBot malware operation shuts down, devs move to BazarBackdoor
The TrickBot malware operation has shut down after its core developers move to the Conti ransomware gang to focus development on the stealthy BazarBackdoor and Anchor malware families.
Linux-Targeted Malware Increases by 35% in 2021
CrowdStrike has observed that malware targeting Linux-based systems increased by 35% in 2021. XorDDoS, Mirai and Mozi were the most common malware families.
AceCryptor malware has surged in Europe, researchers say
Researchers at ESET say they spotted thousands of new infections with AceCryptor, which allows malware to slip into systems without being detected by anti-virus software.
DarkGate Opens Organizations for Attack via Skype, Teams
From July to September, we observed the DarkGate campaign (detected by Trend Micro as TrojanSpy.AutoIt.DARKGATE.AA) abusing instant messaging platforms to deliver a VBA loader script to victims. This script downloaded and executed a second-stage payload consisting of a AutoIT scripting containing the DarkGate malware code. It’s unclear how the originating accounts of the instant messaging applications were compromised, however is hypothesized to be either through leaked credentials available through underground forums or the previous compromise of the parent organization.
8,000+ Domains of Trusted Brands Hijacked for Massive Spam Operation
Over 8,000 subdomains belonging to recognized brands and organizations are being exploited for malicious email distribution.
European Parliament finds spyware on defense committee members’ phones
Officials handling security and defense issues were the target of phone hacking, internal email says.
Poland's PM says authorities in the previous government widely and illegally used Pegasus spyware | AP News
Poland’s new prime minister says he has documentation proving that state authorities under the previous government used the powerful Pegasus spyware illegally and targeted a “very long” list of hacking victims.
Accidentally Crashing a Botnet
As part of our research into the cryptomining botnet kmsdbot, we rendered it useless.
Shc Linux Malware Installing CoinMiner
The ASEC analysis team recently discovered that a Linux malware developed with Shc has been installing a CoinMiner. It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system. Among those installed were the Shc downloader, XMRig CoinMiner installed through the former, and DDoS IRC Bot, developed with Perl.
Microsoft links Raspberry Robin malware to Evil Corp attacks
Microsoft has discovered that an access broker it tracks as DEV-0206 uses the Raspberry Robin Windows worm to deploy a malware downloader on networks where it also found evidence of malicious activity matching Evil Corp tactics.