As early as Dec. 21, 2021, Unit 42 observed a new infection method for the highly prevalent malware family Emotet. Emotet is high-volume malware that often changes and modifies its attack patterns. This latest modification of the Emotet attack follows suit.

North Korean hackers from the Lazarus group have been using a signed malicious executable for macOS to impersonate Coinbase and lure in employees in the financial technology sector.

We used our internal automated system for monitoring open-source repositories and discovered two other malicious Python packages in the PyPI.

If you’re still running macOS Mojave or earlier, now is the time to take action to ensure your Mac maintains protection against malware.

Raccoon is a malware family that has been sold as malware-as-a-service on underground forums since early 2019. In early July 2022, a new variant of this malware was released. The new variant, popularly known as Raccoon Stealer v2, is written in C unlike previous versions which were mainly written in C++.

Microsoft has discovered that an access broker it tracks as DEV-0206 uses the Raspberry Robin Windows worm to deploy a malware downloader on networks where it also found evidence of malicious activity matching Evil Corp tactics.

In June 2022, LockBit revealed version 3.0 of its ransomware. In this blog entry, we discuss the findings from our own technical analysis of this variant and its behaviors, many of which are similar to those of the BlackMatter ransomware

Google researchers said the app was designed to figure out who may want to use this kind of app.

Joker, Facestealers and Banker swarming Google Play store

In January 2022, a new browser hijacker/adware campaign named ChromeLoader (also known as Choziosi Loader and ChromeBack) was discovered. Despite using simple malicious advertisements, the malware became widespread, potentially leaking data from thousands of users and organizations.

Il malware EnvyScout (APT29) è stato veicolato anche in Italia

Unit 42 continuously hunts for new and unique malware samples that match known advanced persistent threat (APT) patterns and tactics. On May 19, one such sample was uploaded to VirusTotal, where it received a benign verdict from all 56 vendors that evaluated it. Beyond the obvious detection concerns, we believe this sample is also significant in terms of its malicious payload, command and control (C2), and packaging.

Microsoft says that a recently spotted Windows worm has been found on the networks of hundreds of organizations from various industry sectors.

Flubot is an Android based malware that has been distributed in the past 1.5 years in Europe, Asia and Oceania affecting thousands of devices of mostly unsuspecting victims. Like the majority of Android banking malware, Flubot abuses Accessibility Permissions and Services in order to steal the victim’s credentials, by detecting when the official banking application is open to show a fake web injection, a phishing website similar to the login form of the banking application. An important part of the popularity of Flubot is due to the distribution strategy used in its campaigns, since it has been using the infected devices to send text messages, luring new victims into installing the malware from a fake website. In this article we detail its development over time and recent developments regarding its disappearance, including new features and distribution campaigns.

In early 2022, we investigated an IIS backdoor called SessionManager. It has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East.

We compare the targeting and business models of the Conti and LockBit ransomware groups using data analysis approaches. This will be presented in full at the 34th Annual FIRST Conference on June 27, 2022.

Learn about the unique implementations of API Hammering malware samples and how to mitigate them.

Here we go with another episode about our (not so) old friend, BRATA. In almost one year, threat actors (TAs) have further improved the capabilities of this malware. In our previous blog post [1] we defined three main BRATA variants, which appeared during two different waves detected by our telemetries at the very end of 2021. However, during the last months we have observed a change in the attack pattern commonly used.

New details connect police in India to a plot to plant evidence on victims' computers that led to their arrest.

Introduction Rootkits are dangerous pieces of malware. Once in place, they are usually really hard to detect. Their code is typically more challenging to write than other malware, so developers resort to code reuse from open source projects. As rootkits are very interesting to analyze, we are always looking out for these kinds of samples […]

Symbiote is a new Linux malware we discovered that acts in a parasitic nature, infecting other running processes to inflict damage on machines.

Don’t let cyber threats get the best of you. Read our post, SVCReady: A New Loader Gets Ready, to learn more about cyber threats and cyber security.

FluBot is a new Android malware first discovered in December 2020. During the first few months, FluBot has been active in Spain, Hungary and Poland. Since then, the development of the malware advan…

In July 2021, CPR released a series of three publications covering different aspects of how the Formbook and XLoader malware families function. We described how XLoader emerged in the Darknet community to fill the empty niche after Formbook sales were abruptly stopped by its author. We did a deep technical analysis followed by a description of XLoader for macOS along with common points and differences in how both malware families conceal the heart of the whole operation, the Command-and-Control (C&C) infrastructure. However, the world does not stand still, and this applies to the malware cyber-world as well.

We discovered that Gimmick MacOS malware communicates only through their C2 server hosted on Google Drive. The malware was discovered in the first week of May and it has been actively targeting macOS devices

Observing a 254% increase in activity over the last six months from a versatile Linux trojan called XorDdos, the Microsoft 365 Defender research team provides in-depth analysis into this stealthy malware's capabilities and key infection signs.

Research is largely theoretical but exposes an overlooked security issue.

In this analysis, Cyble looks at the Eternity Malware suite, listing a wide variety of malware for sale on Telegram.

The attack was the first in five years to use Sandworm's Industroyer malware.

In late 2021, Volexity discovered an intrusion in an environment monitored as part of its Network Security Monitoring service. Volexity detected a system running frp, otherwise known as fast reverse proxy, and subsequently detected internal port scanning shortly afterward. This traffic was determined to be unauthorized and the system, a MacBook Pro running macOS 11.6 (Big Sur), was isolated for further forensic analysis. Volexity was able to run Surge Collect to acquire system memory (RAM) and select files of interest from the machine for analysis. This led to the discovery of a macOS variant of a malware implant Volexity calls GIMMICK. Volexity has encountered Windows versions of the malware family on several previous occasions. GIMMICK is used in targeted attacks by Storm Cloud, a Chinese espionage threat actor known to attack organizations across Asia. It is a feature-rich, multi-platform malware family that uses public cloud hosting services (such as Google […]