New Medusa malware variants target Android users in seven countries
The Medusa banking trojan for Android has re-emerged after almost a year of keeping a lower profile in campaigns targeting France, Italy, the United States, Canada, Spain, the United Kingdom, and Turkey.
South Korean telecom company attacks torrent users with malware — over 600,000 customers report missing files, strange folders, and disabled PCs
Korean telecom company KT Corporation sent malware to its subscribers who use Webhard's Grid Service peer-to-peer sharing program to hide their files and stop them from using the service.
Rafel RAT, Android Malware from Espionage to Ransomware Operations
Android, Google’s most popular mobile operating system, powers billions of smartphones and tablets globally. Known for its open-source nature and flexibility, Android offers users a wide array of features, customization options, and access to a vast ecosystem of applications through the Google Play Store and other sources. However, with its widespread adoption and open environment comes the risk of malicious activity. Android malware, a malicious software designed to target Android devices, poses a significant threat to users’ privacy, security, and data integrity. These malicious programs come in various forms, including viruses, Trojans, ransomware, spyware, and adware, and they can infiltrate devices through multiple vectors, such as app downloads, malicious websites, phishing attacks, and even system vulnerabilities.
The ASEC analysis team recently discovered that a Linux malware developed with Shc has been installing a CoinMiner. It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system. Among those installed were the Shc downloader, XMRig CoinMiner installed through the former, and DDoS IRC Bot, developed with Perl.
Microsoft links Raspberry Robin malware to Evil Corp attacks
Microsoft has discovered that an access broker it tracks as DEV-0206 uses the Raspberry Robin Windows worm to deploy a malware downloader on networks where it also found evidence of malicious activity matching Evil Corp tactics.
Flubot: the evolution of a notorious Android Banking Malware
Flubot is an Android based malware that has been distributed in the past 1.5 years in Europe, Asia and Oceania affecting thousands of devices of mostly unsuspecting victims. Like the majority of Android banking malware, Flubot abuses Accessibility Permissions and Services in order to steal the victim’s credentials, by detecting when the official banking application is open to show a fake web injection, a phishing website similar to the login form of the banking application. An important part of the popularity of Flubot is due to the distribution strategy used in its campaigns, since it has been using the infected devices to send text messages, luring new victims into installing the malware from a fake website. In this article we detail its development over time and recent developments regarding its disappearance, including new features and distribution campaigns.
BRATA is evolving into an Advanced Persistent Threat
Here we go with another episode about our (not so) old friend, BRATA. In almost one year, threat actors (TAs) have further improved the capabilities of this malware. In our previous blog post [1] we defined three main BRATA variants, which appeared during two different waves detected by our telemetries at the very end of 2021. However, during the last months we have observed a change in the attack pattern commonly used.
Linux Threat Hunting: 'Syslogk' a kernel rootkit found under development in the wild
Introduction Rootkits are dangerous pieces of malware. Once in place, they are usually really hard to detect. Their code is typically more challenging to write than other malware, so developers resort to code reuse from open source projects. As rootkits are very interesting to analyze, we are always looking out for these kinds of samples […]
We discovered that Gimmick MacOS malware communicates only through their C2 server hosted on Google Drive. The malware was discovered in the first week of May and it has been actively targeting macOS devices
We recently came across a stealer, called Raccoon Stealer, a name given to it by its author. Raccoon Stealer uses the Telegram infrastructure to store and update actual C&C addresses. Raccoon Stealer is a password stealer capable of stealing not just passwords, but various types of data, including: Cookies, saved logins and forms data from […]
Malware now using stolen NVIDIA code signing certificates
Threat actors are using stolen NVIDIA code signing certificates to sign malware to appear trustworthy and allow malicious drivers to be loaded in Windows. This week, NVIDIA confirmed that they suffered a cyberattack that allowed threat actors to steal employee credentials and proprietary data.
Phishing attacks target countries aiding Ukrainian refugees
A spear-phishing campaign likely coordinated by a state-backed threat actor has been targeting European government personnel providing logistics support to Ukrainian refugees.
Destructive Malware Targeting Organizations in Ukraine
Actions to Take Today: • Set antivirus and antimalware programs to conduct regular scans. • Enable strong spam filters to prevent phishing emails from reaching end users. • Filter network traffic. • Update software. • Require multifactor authentication. Leading up to Russia’s unprovoked attack against Ukraine, threat actors deployed destructive malware against organizations in Ukraine to destroy computer systems and render them inoperable.
TrickBot malware operation shuts down, devs move to BazarBackdoor
The TrickBot malware operation has shut down after its core developers move to the Conti ransomware gang to focus development on the stealthy BazarBackdoor and Anchor malware families.
CrowdStrike has observed that malware targeting Linux-based systems increased by 35% in 2021. XorDDoS, Mirai and Mozi were the most common malware families.
macOS version of elusive 'LightSpy' spyware tool discovered
A macOS version of the LightSpy surveillance framework has been discovered, confirming the extensive reach of a tool only previously known for targeting Android and iOS devices.
Russian hackers use new Lunar malware to breach a European govt's agencies
Security researchers discovered two previously unseen backdoors dubbed LunarWeb and LunarMail that were used to compromise a European government's diplomatic institutions abroad.
Log4j Exploited by XMRig Cryptominer Malware: Analysis & Mitigation
Learn how the Log4j vulnerability (CVE-2021-44228) is exploited by XMRig cryptominer malware. Discover attack methods, indicators, and effective mitigation strategies.
Executive Summary: The Black Lotus Labs team at Lumen Technologies is tracking a malware platform we’ve named Cuttlefish, that targets networking equipment, specifically enterprise-grade small office/home office (SOHO) routers. This malware is modular, designed primarily to steal authentication material found in web requests that transit the router from the adjacent local area network (LAN). A
Attackers are using Docker Hub for malicious campaigns of various types, including spreading malware, phishing and scams. Read the analysis of 3 malware campaigns.
Leaked LockBit builder in a real-life incident response case | Securelist
Kaspersky researchers revisit the leaked LockBit 3.0 builder and share insights into a real-life incident involving a custom targeted ransomware variant created with this builder.
