Blog News Malware -  

Date

Title

Info

Blog

Companies

19.5.19

Plead malware distributed via MitM attacks at router level, misusing ASUS WebStorage

ESET researchers have discovered that the attackers have been distributing the Plead malware via compromised routers and man-in-the-middle attacks against the legitimate ASUS WebStorage software

Malware blog

Eset

12.5.19

Turla LightNeuron: An email too far

ESET research uncovers Microsoft Exchange malware remotely controlled via steganographic PDF and JPG email attachments

Malware blog

Eset

6.5.19

Panda Malware: It’s Not Just About Cryptocurrencies Anymore

F5 Labs and the Security Operations Center (SOC) for WebSafe analyzed Panda banking Trojan configurations active in February and March 2019. They discovered Panda has expanded its scope beyond cryptocurrencies to include online advertisers and digital analytics.

Malware blog

F5 Labs

6.5.19

Gozi Banking Trojan Pivots Towards Italian Banks in February and March

F5 Labs and the product development research team for F5 WebSafe have been following the Gozi banking trojan (also known as Ursnif) and publishing its targets to notify those organizations to be on high alert for fraud. The Gozi configurations analyzed in this article were active in February and March 2019, and were focused on targeting financial institutions in Italy, with the exception of one payment processor in Australia (which was also targeted by Gozi in August 2018).

Malware blog

F5 Labs

6.5.19

Ramnit Returns to its Banking Roots, Just in Time for Italian Tax Season

F5 Labs and the F5 Security Operations Center (SOC) for WebSafe analyzed Ramnit banking Trojan Malware configurations active in February and March 2019. They discovered that Ramnit authors were—once again—largely targeting financial services websites, specifically in Italy.

Malware blog

F5 Labs

6.5.19

CARBANAK Week Part Four: The CARBANAK Desktop Video Player

Part One, Part Two and Part Three of CARBANAK Week are behind us. In this final blog post, we dive into one of the more interesting tools that is part of the CARBANAK toolset. The CARBANAK authors wrote their own video player and we happened to come across an interesting video capture from CARBANAK of a network operator preparing for an offensive engagement. Can we replay it?

Malware blog

FireEye

6.5.19

CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis

In the previous installment, we wrote about how string hashing was used in CARBANAK to manage Windows API resolution throughout the entire codebase. But the authors used this same string hashing algorithm for another task as well. In this installment, we’ll pick up where we left off and write about CARBANAK’s antivirus (AV) detection, AV evasion, authorship artifacts, exploits, secrets, and network-based indicators.

Malware blog

FireEye

6.5.19

CARBANAK Week Part Three: Behind the CARBANAK Backdoor

In June 2017, we published a blog post sharing novel information about the CARBANAK backdoor, including technical details, intel analysis, and some interesting deductions about its operations we formed from the results of automating analysis of hundreds of CARBANAK samples. Some of these deductions were claims about the toolset and build practices for CARBANAK. Now that we have a snapshot of the source code and toolset, we also have a unique opportunity to revisit these deductions and shine a new light on them.

Malware blog

FireEye

6.5.19

Dispelling Myths Around SGX Malware

SGX-based malware may not be as troublesome as believed. We'll explain why that is and how Symantec is ready to deal with such malware if it were to appear.

Malware blog

Symantec

6.5.19

Qakbot levels up with new obfuscation techniques

Qakbot, also known as Qbot, is a well-documented banking trojan that has been around since 2008. Recent Qakbot campaigns, however, are utilizing an updated persistence mechanism that can make it harder for users to detect and remove the trojan. Qakbot is known to target businesses with the hope of stealing their login credentials and eventually draining their bank accounts.

Malware blog

Cisco Talos

6.5.19

JasperLoader Emerges, Targets Italy with Gootkit Banking Trojan

Malware loaders are playing an increasingly important role in malware distribution. They give adversaries the ability to gain an initial foothold on a system and are typically used to deliver various malware payloads following successful compromise. These attacks are popping up more frequently, as we covered in July with Smoke Loader and Brushaloader earlier this year.

Malware blog

Cisco Talos

24.4.19

Ramnit Returns to its Banking Roots, Just in Time for Italian Tax Season

F5 Labs and the F5 Security Operations Center (SOC) for WebSafe analyzed Ramnit banking Trojan Malware configurations active in February and March 2019. They discovered that Ramnit authors were—once again—largely targeting financial services websites, specifically in Italy.

Malware blog

F5 Labs

24.4.19

CARBANAK Week Part One: A Rare Occurrence

It is very unusual for FLARE to analyze a prolifically-used, privately-developed backdoor only to later have the source code and operator tools fall into our laps. Yet this is the extraordinary circumstance that sets the stage for CARBANAK Week, a four-part blog series that commences with this post.

Malware blog

FireEye

24.4.19

CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis

In the previous installment, we wrote about how string hashing was used in CARBANAK to manage Windows API resolution throughout the entire codebase. But the authors used this same string hashing algorithm for another task as well. In this installment, we’ll pick up where we left off and write about CARBANAK’s antivirus (AV) detection, AV evasion, authorship artifacts, exploits, secrets, and network-based indicators.

Malware blog

FireEye

24.4.19

FINTEAM: Trojanized TeamViewer Against Government Targets

Recently, Check Point researchers spotted a targeted attack against officials within government finance authorities and representatives in several embassies in Europe. The attack, which starts with a malicious attachment disguised as a top secret US document, weaponizes TeamViewer, the popular remote access and desktop sharing software, to gain full control of the infected computer.

Malware blog

Checkpoint

24.4.19

PreAMo: A Clicker Campaign found on Google Play

Checkpoint’s researchers, with the help of Craig Silverman at BuzzFeed, have uncovered a series of applications conducting fraudulent activities against Ad Agencies. Craig Silverman reached out to Check Point with the leads for the applications as a part of his story. The malware found from those leads, dubbed ‘PreAMo’, imitates the user by clicking on banners retrieved from three ad agencies – Presage, Admob, and Mopub.

Malware blog

Checkpoint

24.4.19

New HawkEye Reborn Variant Emerges Following Ownership Change

Malware designed to steal sensitive information has been a threat to organizations around the world for a long time. The emergence of the greyware market and the increased commercialization of keyloggers, stealers, and remote access trojans (RATs) has magnified this threat by reducing the barrier to entry for attackers.

Malware blog

Cisco Talos

13.4.19

OceanLotus: macOS malware update

Latest ESET research describes the inner workings of a recently found addition to OceanLotus’s toolset for targeting Mac users

Malware blog

Eset

5.4.19

Doctor Web’s experts reveal a Trojan exploiting zero-day vulnerabilities of the official Counter Strike client

Doctor Web's experts detect more and more Trojans of the Android.HiddenAds family, displaying obnoxious ads, on Google Play. Since the beginning of February, about 40 new modifications of such malicious apps have been found and downloaded by some 10,000,000 users.

Malware blog

Dr Web

5.4.19

Doctor Web warns: Cybercriminals spread Android Trojans via Instagram

Doctor Web’s lab has investigated the Trojan.Belonard malware that exploited the vulnerabilities of the Counter-Strike 1.6 game client to infiltrate users’ computers. Once installed, the Trojan replaced the game files and the list of available game servers.

Malware blog

Dr Web

5.4.19

Dozens of Apps on Microsoft Store Displaying Adult, Gambling Content

We discovered 81 potentially unwanted applications (PUAs) on the Microsoft Store, some of which display pornographic images and gambling content. While some have been removed, most of these apps are still available to download from the app store.

Malware blog

Symantec

14.3.19

GlitchPOS: New PoS malware for sale

Point-of-sale malware is popular among attackers, as it usually leads to them obtaining credit card numbers and immediately using that information for financial gain. This type of malware is generally deployed on retailers' websites and retail point-of-sale locations with the goal of tracking customers' payment information. If they successfully obtain credit card details, they can either use the proceeds from the sale of that information or use the credit card data directly to obtain additional exploits and resources for other malware. Point-of-sale terminals are often forgotten about in terms of segregation and can represent a soft target for attackers.

Malware blog

Cisco Talos

5.3.19

A New InfoStealer Campaign Targets APAC Windows Servers

As time goes by, malware writers invent new methods to bypass security products. During our research, we came across an attack targeting Windows servers in APAC and revealed the attackers' infrastructure, where we observed the uploading of sensitive data, such as Windows login credentials, OS version and IP addresses (internal and external), from 3 to 10 different victims each second.

Malware blog

Checkpoint

21.2.19

Combing Through Brushaloader Amid Massive Detection Uptick

Over the past several months, Cisco Talos has been monitoring various malware distribution campaigns leveraging the malware loader Brushaloader to deliver malware payloads to systems. Brushaloader is currently characterized by the use of various scripting elements, such as PowerShell, to minimize the number of artifacts left on infected systems. Brushaloader also leverages a combination of VBScript and PowerShell to create a Remote Access Trojan (RAT) that allows persistent command execution on infected systems.

Malware blog

Cisco Talos

21.2.19

JavaScript bridge makes malware analysis with WinDbg easier

As malware researchers, we spend several days a week debugging malware in order to learn more about it. We have several powerful and popular user mode tools to choose from, such as OllyDbg, x64dbg, IDA Pro and Immunity Debugger.

Malware blog

Cisco Talos

17.2.19

Several Cryptojacking Apps Found on Microsoft Store

Symantec found eight apps on Microsoft's app store that mine Monero without the user's knowledge.

Malware blog

Symantec

17.2.19

Navigating the murky waters of Android banking malware

An interview with ESET malware researcher Lukáš Štefanko about Android banking malware, the topic of his latest white paper

Malware blog

Eset

28.1.19

Bypassing Network Restrictions Through RDP Tunneling

With more threat actors using Remote Desktop Protocol, security teams are being challenged to decipher between legitimate and malicious RDP traffic.

Malware blog

FireEye

28.1.19

Cisco AMP tracks new campaign that delivers Ursnif

Cisco Talos once again spotted the Ursnif malware in the wild. We tracked this information stealer after Cisco's Advanced Malware Protection (AMP) Exploit Prevention engine alerted us to these Ursnif infections. Thanks to AMP, we were able to prevent Ursnif from infecting any of its targets. The alert piqued our curiosity, so we began to dig a bit deeper and provide some recent IoCs related to this threat, which traditionally attempts to steal users' banking login credentials and other login information. Talos has covered Ursnif in the past, as it is one of the most popular malware families that attackers have deployed recently. In April, we detected that Ursnif was being delivered via malicious emails along with the IcedID banking trojan.

Malware blog

Cisco Talos

28.1.19

What we learned by unpacking a recent wave of Imminent RAT infections using AMP

Cisco Talos has been tracking a series of Imminent RAT infections for the past two months following reported data from Cisco Advanced Malware Protection's (AMP) Exploit Prevention engine. AMP successfully stopped the malware before it was able to infect the host, but an initial analysis showed a strong indication that stages exist before the deployment of the RAT. Surprisingly, the recovered samples showed no sign of Imminent RAT, but instead a commercial grade packer.

Malware blog

Cisco Talos

28.1.19

Emotet re-emerges after the holidays

While Emotet has been around for many years and is one of the most well-known pieces of malware in the wild, that doesn't mean attackers don't try to freshen it up. Cisco Talos recently discovered several new campaigns distributing the infamous banking trojan via email. These new campaigns have been observed following a period of relatively low Emotet distribution activity, corresponding with the observance of Orthodox Christmas in certain geographic regions. These new malicious efforts involve sending victims malicious Microsoft Word attachments with embedded macros that download Emotet.

Malware blog

Cisco Talos

28.1.19

2019 State of Malware report: Trojans and cryptominers dominate threat landscape

Each quarter, the Malwarebytes Labs team gathers to share intel, statistics, and analysis of the tactics and techniques made popular by cybercriminals over the previous three months. At the end of the year, we synthesize this data into one all-encompassing report, the State of Malware report, that aims to follow the most important threats, distribution methods, and other trends that shaped the threat landscape.

Malware blog

Malwarebytes

28.1.19

A user’s right to choose: Why Malwarebytes detects Potentially Unwanted Programs (PUPs)

By identifying and detecting Potentially Unwanted Programs (PUPs), Malwarebytes protects its users while giving them the right to choose whether they continue using their services. Learn why we do this, and how software programs can be reconsidered as legitimate under our PUP criteria.

Malware blog

Malwarebytes

28.1.19

Hosting malicious sites on legitimate servers: How do threat actors get away with it?

Is money all hosting providers care about when it comes to allowing malicious sites on their servers? Or is there more at play? We embark on an investigation to discover their motives.

Malware blog

Malwarebytes

22.1.19

A Nasty Trick: From Credential Theft Malware to Business Disruption

FireEye describes activity that involves the interactive deployment of Ryuk ransomware following TrickBot malware infections.

Malware blog

FireEye

9.1.19

Ransomware vs. printing press? US newspapers face “foreign cyberattack”

Did malware disrupt newspaper deliveries in major US cities? Here’s what’s known about the incident so far and the leading suspect: Ryuk ransomware. Plus, advice on defending your organization against such attacks.

Malware blog

Eset

9.1.19

2018: Research highlights from ESET’s leading lights

As the curtain slowly falls on yet another eventful year in cybersecurity, let’s look back on some of the finest malware analysis by ESET researchers in 2018

Malware blog

Eset

9.1.19

Analysis of the latest Emotet propagation campaign

An analysis of the workings of this new Emotet campaign, which has affected various countries in Latin America by taking advantage of Microsoft Office files to hide its malicious activity

Malware blog

Eset

1.1.19

2018: Research highlights from ESET’s leading lights

As the curtain slowly falls on yet another eventful year in cybersecurity, let’s look back on some of the finest malware analysis by ESET researchers in 2018

Malware blog

Eset

1.1.19

Analysis of the latest Emotet propagation campaign

An analysis of the workings of this new Emotet campaign, which has affected various countries in Latin America by taking advantage of Microsoft Office files to hide its malicious activity

Malware blog

Eset

21.12.18

Google’s policy change reduces security, privacy and safety for 75% of users of ESET’s Android anti-theft service

The unfortunate implications of a well-intentioned change to Google Play Developer policies – and the negative impact it has on ESET’s Android app customers

Malware blog

Eset
21.12.18

VBS Unique Detection

On the 29th November a VBS file was identified by Check Point’s Threat Emulation detection engine to be communicating with an external resource. Fortunately, upon file inspection the engine decided to stop the attack at its earliest stage.

Malware blog

Checkpoint
21.12.18

Year in Malware 2018: The most prominent threats Talos tracked this year

It was easy to see a wild year coming in cybersecurity. It started with a bang, with Olympic Destroyer targeting the Winter Olympics in February in an attempt to disrupt the opening ceremonies.

Malware blog

Cisco Talos

20.12.18

Yes, Chromebooks can and do get infected

As a Mac malware specialist, I’ve seen more than my share of folks saying “Macs don’t get viruses” over the years. I’ve seen and experienced first-hand that this isn’t true, even on iOS, where despite having tight, built-in security, iPhones are still capable of getting infected by rare malware. I suppose that I shouldn’t be surprised, then, when I hear someone claim that “viruses on Chrome OS don’t exist.”

Malware blog

Malwarebytes

15.12.18

Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail

After a two-year absence, the destructive malware Shamoon (W32.Disttrack.B) re-emerged on December 10 in a new wave of attacks against targets in the Middle East.

Malware blog

Symantec

14.12.18

What are Deep Neural Networks Learning About Malware?

An analysis of FireEye’s deep learning-based malware classifier.

Malware blog

FireEye

12.12.18

FLARE Script Series: Automating Objective-C Code Analysis with Emulation

We are sharing a new IDAPython library that provides scriptable emulation features to reverse engineers.

Malware blog

FireEye

12.12.18

Android Trojan steals money from PayPal accounts even with 2FA on

There is no evidence that the flaw was misused during the six days it was alive, said the tech giant

Malware blog

Eset

12.12.18

Flurry of new Mac malware drops in December

Last week, we wrote about a new piece of malware called DarthMiner. It turns out there was more to be seen, as not just one but two additional pieces of malware had been spotted. The first was identified by Microsoft’s John Lambert and analyzed by Objective-See’s Patrick Wardle, and the second was found by Malwarebytes’ Adam Thomas.

Malware blog

Malwarebytes

11.12.18

Brazilian users’ mobile devices attacked by a banking Trojan

Doctor Web virus analysts have detected the Android.BankBot.495.origin Trojan attacking Brazilian financial institution customers on Google Play. This Trojan uses Android’s special features (Accessibility Service). It uses them to control infected mobile devices and steal their owners’ confidential data

Malware blog

Dr Web

5.12.18

Formjacking: Targeting Popular Stores Near You

Formjacking, the use of malicious JavaScript code to steal credit card details and other information from payment forms on the checkout web pages of e-commerce sites, has been making headlines lately. In our previous blog, we discussed how formjacking generally works and cited a few publicly reported attacks that targeted popular online businesses.

Malware blog

Symantec

5.12.18

The Dark Side of the ForSSHe

ESET researchers discovered a set of previously undocumented Linux malware families based on OpenSSH. In the white paper, “The Dark Side of the ForSSHe”, they release analysis of 21 malware families to improve the prevention, detection and remediation of such threats.

Malware blog

Eset

5.12.18

New ‘Under the Radar’ report examines modern threats and future technologies

The new malware we see being developed and deployed in the wild have features and techniques that allow them to go beyond what they were originally able to do, either for the purpose of additional infection or evasion of detection.

Malware blog

Malwarebytes
1.12.18

The Evolution of BackSwap

The BackSwap banker has been in the spotlight recently due to its unique and innovative techniques to steal money from victims while staying under the radar and remaining undetected.

Malware blog

Checkpoint
29.11.18

Trojan clicker distributed under the guise of DynDNS

Typically, cybercriminals use several traditional malware distribution channels, the main one being spamming. However, occasionally one comes across other means of distribution. Doctor Web’s experts will touch on one of them in this article.

Malware blog

Dr Web

26.11.18

Banking Trojan attacks European users of Android devices

Banking Trojans remain among the most dangerous malware programs; they help attackers steal confidential information and money from users. Doctor Web malware analysts have detected one such Trojan on Google Play.

Malware blog

Dr Web

23.11.18

Black Friday special by Emotet: Filling inboxes with infected XML macros

Emotet starts another massive spam campaign just as Black Friday begins to pick up steam

Malware blog

Eset

21.11.18

Cmd and Conquer: De-DOSfuscation with flare-qdb

Learn how to use flare-qdb to bring “script block logging” to the Windows command interpreter, and more

Malware blog

FireEye

10.11.18

Metamorfo Banking Trojan Keeps Its Sights on Brazil

Financially motivated cybercriminals have used banking trojans for years to steal sensitive financial information from victims. They are often created to gather credit card information and login credentials for various online banking and financial services websites so this data can be monetized by the attackers.

Malware blog

Cisco Talos

30.10.18

Gallmaker: New Attack Group Eschews Malware to Live off the Land

A new attack group is targeting government, military, and defense sectors in what appears to be a classic espionage campaign.

Malware blog

Symantec

25.10.18

Banking Trojans continue to surface on Google Play

The malicious apps have all been removed from the official Android store but not before the apps were installed by almost 30,000 users

Malware blog

Eset

25.10.18

LuminosityLink RAT author sentenced to 2.5 years in jail

As part of his plea agreement, the author of the malware also forfeited the proceeds from his crimes – 114 Bitcoin worth $725,000

Malware blog

Eset

18.10.18

Godzilla Loader and the Long Tail of Malware

To most victims, malware is a force of nature. Zeus, Wannacry, Conficker are all vengeful gods, out to punish the common man for clicking the wrong link. Even for a security analyst, it’s easy to fall into the kind of thinking where malicious tools and campaigns emerge out of the ether, forged by an invisible hand.

Malware blog

Checkpoint

16.8.18

VBEtaly: An Italian Ursnif MalSpam Campaign

Check Point researchers have found another wave of the Ursnif malspam campaign targeting Italy. Only a few details are known so far but what we have found is that the file delivered is a VBE file (encoded VBS) named “SCANSIONE.vbe” and is delivered via ZIP attachments in emails with the subject suggesting different documents in Italian.

Malware blog

Checkpoint

5.8.18

Ramnit’s Network of Proxy Servers

Research By: Alexey Bukhteyev. As you may know, Ramnit is one of the most prominent banking malware families in existence today and lately Check Point Research monitored a new massive campaign of Ramnit, dubbed...

Malware blog

Checkpoint

31.7.18

Osiris: An Enhanced Banking Trojan

Research By: Yaroslav Harakhavik and Nikita Fokin. Following our recent analysis of the Kronos banking Trojan, we discovered that Kronos has also now been enhanced to hide its communication with C&C server using Tor....

Malware blog

Checkpoint

30.7.18

A Malvertising Campaign of Secrets and Lies

Check Point Research has uncovered a large Malvertising campaign that starts with thousands of compromised WordPress websites, involves multiple parties in the online advertising chain and ends with distributing malicious content, via multiple...

Malware blog

Checkpoint

30.7.18

Emotet: The Tricky Trojan that ‘Git Clones’

The Emotet Trojan downloader originally debuted in 2014 as a banking Trojan that took an unusual approach to stealing banking credentials. Instead of hooking per-browser functions in the victim’s web browser process, Emotet...

Malware blog

Checkpoint

30.7.18

GlanceLove: Spying Under the Cover of the World Cup

When the whistle of the first match of the 2018 World Cup blew, it didn’t just signal the start of an exciting tournament for football fans worldwide, but also gave the green light...

Malware blog

Checkpoint

30.7.18

Deep Dive into UPAS Kit vs. Kronos

By Mark Lechtik. In this post we will be analyzing the UPAS Kit and the Kronos banking Trojan, two malware families that have come under the spotlight recently due to the back story...

Malware blog

Checkpoint

30.7.18

RottenSys: Not a Secure Wi-Fi Service At All

Research By: Feixiang He, Bohdan Melnykov, Elena Root. Key findings: RottenSys, a mobile adware, has infected nearly 5 million devices since 2016. Indications show the malware could have entered earlier in the supplier..

Malware blog

Checkpoint

30.7.18

Malware Displaying Porn Ads Discovered in Game Apps on Google Play

Research by: Elena Root & Bogdan Melnykov. Check Point Researchers have revealed a new and nasty malicious code on Google Play Store that hides itself inside around 60 game apps, several of which

Malware blog

Checkpoint

30.7.18

Malicious Flashlight Apps on Google Play

Check Point researchers have detected a new type of adware roaming Google Play, the official app store of Google. The suspicious scripts override the user’s decision to disable ads showing outside of a.

Malware blog

Checkpoint

30.7.18

ParseDroid: Targeting The Android Development & Research Community

Researchers: Eran Vaknin, Gal Elbaz, Alon Boxiner, Oded Vanunu. Latest research from the Check Point Research Team has revealed several vulnerabilities that put each and every organization that does any type of Java/Android..

Malware blog

Checkpoint

30.7.18

The Perfect ‘Inside Job’ Banking Malware

Researchers: Mark Lechtik and Raman Ladutska. The Brazilian cyberspace is known to be a whole ecosystem of its own and, although the banking malware that originates there has traditionally been somewhat basic, recent..

Malware blog

Checkpoint

30.7.18

September’s Most Wanted Malware: Locky Shoots Back Up Global Rankings

Check Point’s latest Global Threat Index has revealed a massive increase in worldwide Locky attacks during September, with the ransomware impacting 11.5% of organizations globally over the course of the month. Locky has...

Malware blog

Checkpoint

30.7.18

ExpensiveWall: A dangerous ‘packed’ malware on Google Play that will hit you in your wallet!

Check Point’s mobile threat research team identified a new variant of an Android malware that sends fraudulent premium SMS messages and charges for fake services to users’ accounts without their knowledge. According to...

Malware blog

Checkpoint

30.7.18

July’s Most Wanted Malware: RoughTed and Fireball Decrease, But Stay Most Prevalent

Check Point’s latest Global Threat Impact Index reveals that the number of organizations impacted globally by the RoughTed malvertising campaign fell by over a third during July, from 28% to 18%. RoughTed

Malware blog

Checkpoint

30.7.18

Is Malware Hiding in Your Resume?

Eran Vaknin, Dvir Atias, Alon Boxiner. The popular business social network LinkedIn has accumulated over 500 million members across 200 countries worldwide. Whether you’re a manager seeking to expand your team or a..

Malware blog

Checkpoint

30.7.18

June’s Most Wanted Malware: RoughTed Malvertising Campaign Impacts 28% of Organizations

The takeaway: Check Point’s latest Global Threat Impact Index revealed that 28% of organizations globally were affected by the Roughted malvertising campaign during June. In context: A large-scale malvertising campaign, RoughTed is used...

Malware blog

Checkpoint

30.7.18

OSX/Dok Refuses to Go Away and It’s After Your Money

Following up on our recent discovery of the new OSX/Dok malware targeting macOS users, we’d like to report that the malicious actors behind it are not giving up yet. They are aiming at.

Malware blog

Checkpoint

30.7.18

May’s Most Wanted Malware: Fireball and Wannacry Impact More Than 1 in 4 Organizations Globally

The takeaway: Check Point’s latest Global Threat Impact Index revealed more than one in four organizations globally was affected by the Fireball or Wannacry attacks during May. The top three malware families were...

Malware blog

Checkpoint

30.7.18

How the CopyCat malware infected Android devices around the world

Check Point researchers identified a mobile malware that infected 14 million Android devices, rooting approximately 8 million of them, and earning the hackers behind the campaign approximately $1.5 million in fake ad revenues...

Malware blog

Checkpoint

30.7.18

BROKERS IN THE SHADOWS – Part 2: Analyzing Petya’s DoublePulsarV2.0 Backdoor

Background: In the wake of WannaCry, a new cyber threat has emerged from the NSA leak. Making use of previously exposed tools, Petya once again is engaged in another large scale attack. Important.

Malware blog

Checkpoint

30.7.18

FIREBALL – The Chinese Malware of 250 Million Computers Infected

Check Point Threat Intelligence and research teams recently discovered a high volume Chinese threat operation which has infected over 250 million computers worldwide. The installed malware, Fireball, takes over target browsers and turns.

Malware blog

Checkpoint

30.7.18

The Judy Malware: Possibly the largest malware campaign found on Google Play

Check Point researchers discovered another widespread malware campaign on Google Play, Google’s official app store. The malware, dubbed “Judy”, is an auto-clicking adware which was found on 41 apps developed by a Korean

Malware blog

Checkpoint

30.7.18

Hacked in Translation – from Subtitles to Complete Takeover

Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers..

Malware blog

Checkpoint

30.7.18

April’s Most Wanted Malware: Exploit Kit Attacks Continue, While Slammer Worm Resurfaces Again

Check Point’s latest Global Threat Impact Index detected a continued increase in the number of organizations being targeted with Exploit Kits, as Rig EK became the most prevalent form of attack, while there..

Malware blog

Checkpoint

30.7.18

DiamondFox modular malware – a one-stop shop

Check Point researchers have conducted a thorough investigation of the DiamondFox malware-as-a-service in collaboration with Terbium Labs, a Dark Web Data Intelligence company. The report includes a review of the malware’s sales procedure...

Malware blog

Checkpoint

30.7.18

Update – OSX/Dok Campaign

Our ongoing investigation of the OSX/DOK campaign has led us to detect several new variants of this malware. These new variants have the same functionality as the previous ones, and are designed to.

Malware blog

Checkpoint

30.7.18

OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic (updated)

People often assume that if you’re running OSX, you’re relatively safe from malware. But this is becoming less and less true, as evidenced by a new strain of malware encountered by the Check.

Malware blog

Checkpoint

30.7.18

An In-depth Look at the Gooligan Malware Campaign

Check Point mobile threat researchers today published a technical report that provides deep technical analysis of the Gooligan Android malware campaign, which was first announced on November 30. The report discusses the ins and outs of.

Malware blog

Checkpoint

30.7.18

More Than 1 Million Google Accounts Breached by Gooligan

As a result of a lot of hard work done by our security research teams, we revealed today a new and alarming malware campaign. The attack campaign, named Gooligan, breached the security of..

Malware blog

Checkpoint

30.7.18

ImageGate: Check Point uncovers a new method for distributing malware through images

Check Point researchers identified a new attack vector, named ImageGate, which embeds malware in image and graphic files. Furthermore, the researchers have discovered the hackers’ method of executing the malicious code within these..

Malware blog

Checkpoint

18

Increased Use of a Delphi Packer to Evade Malware Classification

The concept of "packing" or "crypting" a malicious program is widely popular among threat actors looking to bypass or defeat analysis by static and dynamic analysis tools.

Malware blog

FireEye

18

Click It Up: Targeting Local Government Payment Portals

FireEye has been tracking a campaign this year targeting web payment portals that involves on-premise installations of Click2Gov.

Malware blog

FireEye

18

Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign

FireEye recently observed a campaign involving Microsoft Office vulnerabilities being used to distribute the FELIXROOT backdoor.

Malware blog

FireEye