Blog News Malware



 


Date

Title

Info

Blog

Companies

17.3.19

FLARE Script Series: Recovering Stackstrings Using Emulation with ironstrings

This blog post continues our Script Series where the FireEye Labs Advanced Reverse Engineering (FLARE) team shares tools to aid the malware analysis community. Today, we release ironstrings: a new IDAPython script to recover stackstrings from malware.

Malware blog

FireEye

14.3.19

GlitchPOS: New PoS malware for sale

Point-of-sale malware is popular among attackers, as it usually leads to them obtaining credit card numbers and immediately using that information for financial gain. This type of malware is generally deployed on retailers' websites and retail point-of-sale locations with the goal of tracking customers' payment information. If they successfully obtain credit card details, they can use either the proceeds from the sale of that information or the credit card data directly to obtain additional exploits and resources for other malware. Point-of-sale terminals are often forgotten about in terms of segregation and can represent a soft target for attackers.

Malware blog

Cisco Talos

5.3.19

A New InfoStealer Campaign Targets APAC Windows Servers

As time goes by, malware writers invent new methods to bypass security products. During our research, we came across an attack targeting Windows servers in APAC and revealed the attackers' infrastructure, where we observed the uploading of sensitive data, such as Windows login credentials, OS version and IP addresses (internal and external), from between 3-10 different victims each second.

Malware blog

Checkpoint

21.2.19

Combing Through Brushaloader Amid Massive Detection Uptick

Over the past several months, Cisco Talos has been monitoring various malware distribution campaigns leveraging the malware loader Brushaloader to deliver malware payloads to systems. Brushaloader is currently characterized by the use of various scripting elements, such as PowerShell, to minimize the number of artifacts left on infected systems. Brushaloader also leverages a combination of VBScript and PowerShell to create a Remote Access Trojan (RAT) that allows persistent command execution on infected systems.

Malware blog

Cisco Talos

21.2.19

JavaScript bridge makes malware analysis with WinDbg easier

As malware researchers, we spend several days a week debugging malware in order to learn more about it. We have several powerful and popular user mode tools to choose from, such as OllyDbg, x64dbg, IDA Pro and Immunity Debugger.

Malware blog

Cisco Talos

17.2.19

Several Cryptojacking Apps Found on Microsoft Store

Symantec found eight apps on Microsoft's app store that mine Monero without the user's knowledge.

Malware blog

Symantec

17.2.19

Navigating the murky waters of Android banking malware

An interview with ESET malware researcher Lukáš Štefanko about Android banking malware, the topic of his latest white paper.

Malware blog

Eset

28.1.19

Bypassing Network Restrictions Through RDP Tunneling

With more threat actors using Remote Desktop Protocol, security teams are being challenged to distinguish between legitimate and malicious RDP traffic.

Malware blog

FireEye

28.1.19

Cisco AMP tracks new campaign that delivers Ursnif

Cisco Talos once again spotted the Ursnif malware in the wild. We tracked this information stealer after Cisco's Advanced Malware Protection (AMP) Exploit Prevention engine alerted us to these Ursnif infections. Thanks to AMP, we were able to prevent Ursnif from infecting any of its targets. The alert piqued our curiosity, so we began to dig a bit deeper and provide some recent IoCs related to this threat, which traditionally attempts to steal users' banking login credentials and other login information. Talos has covered Ursnif in the past, as it is one of the most popular malware that attackers have deployed recently. In April, we detected that Ursnif was being delivered via malicious emails along with the IceID banking trojan.

Malware blog

Cisco Talos

28.1.19

What we learned by unpacking a recent wave of Imminent RAT infections using AMP

Cisco Talos has been tracking a series of Imminent RAT infections for the past two months following reported data from Cisco Advanced Malware Protection's (AMP) Exploit Prevention engine. AMP successfully stopped the malware before it was able to infect the host, but an initial analysis showed a strong indication that stages exist before the deployment of the RAT. Surprisingly, the recovered samples showed no sign of Imminent RAT, but instead a commercial grade packer.

Malware blog

Cisco Talos

28.1.19

Emotet re-emerges after the holidays

While Emotet has been around for many years and is one of the most well-known pieces of malware in the wild, that doesn't mean attackers don't try to freshen it up. Cisco Talos recently discovered several new campaigns distributing the infamous banking trojan via email. These new campaigns have been observed following a period of relatively low Emotet distribution activity, corresponding with the observance of Orthodox Christmas in certain geographic regions. These new malicious efforts involve sending victims malicious Microsoft Word attachments with embedded macros that download Emotet.

Malware blog

Cisco Talos

28.1.19

2019 State of Malware report: Trojans and cryptominers dominate threat landscape

Each quarter, the Malwarebytes Labs team gathers to share intel, statistics, and analysis of the tactics and techniques made popular by cybercriminals over the previous three months. At the end of the year, we synthesize this data into one all-encompassing report, the State of Malware report, that aims to follow the most important threats, distribution methods, and other trends that shaped the threat landscape.

Malware blog

Malwarebytes

28.1.19

A user’s right to choose: Why Malwarebytes detects Potentially Unwanted Programs (PUPs)

By identifying and detecting Potentially Unwanted Programs (PUPs), Malwarebytes protects its users while giving them the right to choose whether they continue using their services. Learn why we do this, and how software programs can be reconsidered as legitimate under our PUP criteria.

Malware blog

Malwarebytes

28.1.19

Hosting malicious sites on legitimate servers: How do threat actors get away with it?

Is money all hosting providers care about when it comes to allowing malicious sites on their servers? Or is there more at play? We embark on an investigation to discover their motives.

Malware blog

Malwarebytes

22.1.19

A Nasty Trick: From Credential Theft Malware to Business Disruption

FireEye describes activity that involves the interactive deployment of Ryuk ransomware following TrickBot malware infections.

Malware blog

FireEye

9.1.19

Ransomware vs. printing press? US newspapers face “foreign cyberattack”

Did malware disrupt newspaper deliveries in major US cities? Here’s what’s known about the incident so far and the leading suspect: Ryuk ransomware. Plus, advice on defending your organization against such attacks.

Malware blog

Eset

9.1.19

2018: Research highlights from ESET’s leading lights

As the curtain slowly falls on yet another eventful year in cybersecurity, let’s look back on some of the finest malware analysis by ESET researchers in 2018.

Malware blog

Eset

9.1.19

Analysis of the latest Emotet propagation campaign

An analysis of the workings of this new Emotet campaign, which has affected various countries in Latin America by taking advantage of Microsoft Office files to hide its malicious activity.

Malware blog

Eset

1.1.19

2018: Research highlights from ESET’s leading lights

As the curtain slowly falls on yet another eventful year in cybersecurity, let’s look back on some of the finest malware analysis by ESET researchers in 2018.

Malware blog

Eset

1.1.19

Analysis of the latest Emotet propagation campaign

An analysis of the workings of this new Emotet campaign, which has affected various countries in Latin America by taking advantage of Microsoft Office files to hide its malicious activity.

Malware blog

Eset

21.12.18

Google’s policy change reduces security, privacy and safety for 75% of users of ESET’s Android anti-theft service

The unfortunate implications of a well-intentioned change to Google Play Developer policies, and the negative impact it has on ESET’s Android app customers.

Malware blog

Eset
21.12.18

VBS Unique Detection

On the 29th of November a VBS file was identified by Check Point’s Threat Emulation detection engine to be communicating with an external resource. Fortunately, during file inspection the engine decided to stop the attack at its earliest stage.

Malware blog

Checkpoint
21.12.18

Year in Malware 2018: The most prominent threats Talos tracked this year

It was easy to see a wild year coming in cybersecurity. It started with a bang, with Olympic Destroyer targeting the Winter Olympics in February in an attempt to disrupt the opening ceremonies.

Malware blog

Cisco Talos

20.12.18

Yes, Chromebooks can and do get infected

As a Mac malware specialist, I’ve seen more than my share of folks saying “Macs don’t get viruses” over the years. I’ve seen and experienced first-hand that this isn’t true, even on iOS, where despite having tight, built-in security, iPhones are still capable of getting infected by rare malware. I suppose that I shouldn’t be surprised, then, when I hear someone claim that “viruses on Chrome OS don’t exist.”

Malware blog

Malwarebytes

15.12.18

Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail

After a two-year absence, the destructive malware Shamoon (W32.Disttrack.B) re-emerged on December 10 in a new wave of attacks against targets in the Middle East.

Malware blog

Symantec

14.12.18

What are Deep Neural Networks Learning About Malware?

An analysis of FireEye’s deep learning-based malware classifier.

Malware blog

FireEye

12.12.18

FLARE Script Series: Automating Objective-C Code Analysis with Emulation

We are sharing a new IDAPython library that provides scriptable emulation features to reverse engineers.

Malware blog

FireEye

12.12.18

Android Trojan steals money from PayPal accounts even with 2FA on

There is no evidence that the flaw was misused during the six days it was alive, said the tech giant.

Malware blog

Eset

12.12.18

Flurry of new Mac malware drops in December

Last week, we wrote about a new piece of malware called DarthMiner. It turns out there was more to be seen, as not just one but two additional pieces of malware had been spotted. The first was identified by Microsoft’s John Lambert and analyzed by Objective-See’s Patrick Wardle, and the second was found by Malwarebytes’ Adam Thomas.

Malware blog

Malwarebytes

11.12.18

Brazilian users’ mobile devices attacked by a banking Trojan

Doctor Web virus analysts have detected the Android.BankBot.495.origin Trojan attacking Brazilian financial institution customers on Google Play. This Trojan uses Android’s special features (Accessibility Service). It uses them to control infected mobile devices and steal their owners’ confidential data.

Malware blog

Dr Web

5.12.18

Formjacking: Targeting Popular Stores Near You

Formjacking, the use of malicious JavaScript code to steal credit card details and other information from payment forms on the checkout web pages of e-commerce sites, has been making headlines lately. In our previous blog, we discussed how formjacking generally works and cited a few publicly reported attacks that targeted popular online businesses.

Malware blog

Symantec

5.12.18

The Dark Side of the ForSSHe

ESET researchers discovered a set of previously undocumented Linux malware families based on OpenSSH. In the white paper, “The Dark Side of the ForSSHe”, they release analysis of 21 malware families to improve the prevention, detection and remediation of such threats.

Malware blog

Eset

5.12.18

New ‘Under the Radar’ report examines modern threats and future technologies

The new malware we see being developed and deployed in the wild has features and techniques that allow it to go beyond what it was originally able to do, either for the purpose of additional infection or evasion of detection.

Malware blog

Malwarebytes
1.12.18

The Evolution of BackSwap

The BackSwap banker has been in the spotlight recently due to its unique and innovative techniques to steal money from victims while staying under the radar and remaining undetected.

Malware blog

Checkpoint
29.11.18

Trojan clicker distributed under the guise of DynDNS

Typically, cybercriminals use several traditional malware distribution channels, the main one being spamming. However, occasionally one comes across other means of distribution. Doctor Web’s experts will touch on one of them in this article.

Malware blog

Dr Web

26.11.18

Banking Trojan attacks European users of Android devices

Banking Trojans remain among the most dangerous malware programs; they help attackers steal confidential information and money from users. Doctor Web malware analysts have detected one such Trojan on Google Play.

Malware blog

Dr Web

23.11.18

Black Friday special by Emotet: Filling inboxes with infected XML macros

Emotet starts another massive spam campaign just as Black Friday begins to pick up steam.

Malware blog

Eset

21.11.18

Cmd and Conquer: De-DOSfuscation with flare-qdb

Learn how to use flare-qdb to bring “script block logging” to the Windows command interpreter, and more.

Malware blog

FireEye

10.11.18

Metamorfo Banking Trojan Keeps Its Sights on Brazil

Financially motivated cybercriminals have used banking trojans for years to steal sensitive financial information from victims. They are often created to gather credit card information and login credentials for various online banking and financial services websites so this data can be monetized by the attackers.

Malware blog

Cisco Talos

30.10.18

Gallmaker: New Attack Group Eschews Malware to Live off the Land

A new attack group is targeting government, military, and defense sectors in what appears to be a classic espionage campaign.

Malware blog

Symantec

25.10.18

Banking Trojans continue to surface on Google Play

The malicious apps have all been removed from the official Android store, but not before the apps were installed by almost 30,000 users.

Malware blog

Eset

25.10.18

LuminosityLink RAT author sentenced to 2.5 years in jail

As part of his plea agreement, the author of the malware also forfeited the proceeds from his crimes: 114 Bitcoin worth $725,000.

Malware blog

Eset

18.10.18

Godzilla Loader and the Long Tail of Malware

To most victims, malware is a force of nature. Zeus, Wannacry, Conficker are all vengeful gods, out to punish the common man for clicking the wrong link. Even for a security analyst, it’s easy to fall into the kind of thinking where malicious tools and campaigns emerge out of the ether, forged by an invisible hand.

Malware blog

Checkpoint

16.8.18

VBEtaly: An Italian Ursnif MalSpam Campaign

Check Point researchers have found another wave of the Ursnif malspam campaign targeting Italy. Only a few details are known so far but what we have found is that the file delivered is a VBE file (encoded VBS) named “SCANSIONE.vbe” and is delivered via ZIP attachments in emails with the subject suggesting different documents in Italian.

Malware blog

Checkpoint

5.8.18

Ramnit’s Network of Proxy Servers

Research By: Alexey Bukhteyev As you may know, Ramnit is one of the most prominent banking malware families in existence today and lately Check Point Research monitored a new massive campaign of Ramnit, dubbed...

Malware blog

Checkpoint

31.7.18

Osiris: An Enhanced Banking Trojan

Research By: Yaroslav Harakhavik and Nikita Fokin Following our recent analysis of the Kronos banking Trojan, we discovered that Kronos has also now been enhanced to hide its communication with C&C server using Tor....

Malware blog

Checkpoint

30.7.18

A Malvertising Campaign of Secrets and Lies

Check Point Research has uncovered a large Malvertising campaign that starts with thousands of compromised WordPress websites, involves multiple parties in the online advertising chain and ends with distributing malicious content, via multiple...

Malware blog

Checkpoint

30.7.18

Emotet: The Tricky Trojan that ‘Git Clones’

The Emotet Trojan downloader originally debuted in 2014 as a banking Trojan that took an unusual approach to stealing banking credentials; instead of hooking per-browser functions in the victim’s web browser process, Emotet...

Malware blog

Checkpoint

30.7.18

GlanceLove: Spying Under the Cover of the World Cup

When the whistle of the first match of the 2018 World Cup blew, it didn’t just signal the start of an exciting tournament for football fans worldwide, but also gave the green light...

Malware blog

Checkpoint

30.7.18

Deep Dive into UPAS Kit vs. Kronos

By Mark Lechtik. Introduction: In this post we will be analyzing the UPAS Kit and the Kronos banking Trojan, two malwares that have come under the spotlight recently due to the back story...

Malware blog

Checkpoint

30.7.18

RottenSys: Not a Secure Wi-Fi Service At All

Research By: Feixiang He, Bohdan Melnykov, Elena Root. Key Findings: RottenSys, a mobile adware, has infected nearly 5 million devices since 2016. Indications show the malware could have entered earlier in the supplier..

Malware blog

Checkpoint

30.7.18

Malware Displaying Porn Ads Discovered in Game Apps on Google Play

Research by: Elena Root & Bogdan Melnykov. Check Point Researchers have revealed a new and nasty malicious code on Google Play Store that hides itself inside around 60 game apps, several of which

Malware blog

Checkpoint

30.7.18

Malicious Flashlight Apps on Google Play

Check Point researchers have detected a new type of adware roaming Google Play, the official app store of Google. The suspicious scripts override the user’s decision to disable ads showing outside of a.

Malware blog

Checkpoint

30.7.18

ParseDroid: Targeting The Android Development & Research Community

Researchers: Eran Vaknin, Gal Elbaz, Alon Boxiner, Oded Vanunu. Latest research from the Check Point Research Team has revealed several vulnerabilities that put each and every organization that does any type of Java/Android..

Malware blog

Checkpoint

30.7.18

The Perfect ‘Inside Job’ Banking Malware

Researchers:  Mark Lechtik and Raman Ladutska The Brazilian cyberspace is known to be a whole ecosystem of its own and, although the banking malware that originates there has traditionally been somewhat basic, recent..

Malware blog

Checkpoint

30.7.18

September’s Most Wanted Malware: Locky Shoots Back Up Global Rankings

Check Point’s latest Global Threat Index has revealed a massive increase in worldwide Locky attacks during September, with the ransomware impacting 11.5% of organizations globally over the course of the month. Locky has...

Malware blog

Checkpoint

30.7.18

ExpensiveWall: A dangerous ‘packed’ malware on Google Play that will hit you in your wallet!

Check Point’s mobile threat research team identified a new variant of an Android malware that sends fraudulent premium SMS messages and charges for fake services to users’ accounts without their knowledge. According to...

Malware blog

Checkpoint

30.7.18

July’s Most Wanted Malware: RoughTed and Fireball Decrease, But Stay Most Prevalent

Check Point’s latest Global Threat Impact Index reveals that the number of organizations impacted globally by the RoughTed malvertising campaign fell by over a third during July, from 28% to 18%. RoughTed

Malware blog

Checkpoint

30.7.18

Is Malware Hiding in Your Resume?

Eran Vaknin, Dvir Atias, Alon Boxiner The popular business social network LinkedIn has accumulated over 500 million members across 200 countries worldwide. Whether you’re a manager seeking to expand your team or a..

Malware blog

Checkpoint

30.7.18

June’s Most Wanted Malware: RoughTed Malvertising Campaign Impacts 28% of Organizations

THE TAKEAWAY Check Point’s latest Global Threat Impact Index revealed that 28% of organizations globally were affected by the Roughted malvertising campaign during June. IN CONTEXT A large-scale malvertising campaign, RoughTed is used...

Malware blog

Checkpoint

30.7.18

OSX/Dok Refuses to Go Away and It’s After Your Money

Following up on our recent discovery of the new OSX/Dok malware targeting macOS users, we’d like to report that the malicious actors behind it are not giving up yet. They are aiming at.

Malware blog

Checkpoint

30.7.18

May’s Most Wanted Malware: Fireball and Wannacry Impact More Than 1 in 4 Organizations Globally

THE TAKEAWAY: Check Point’s latest Global Threat Impact Index revealed more than one in four organizations globally was affected by the Fireball or Wannacry attacks during May. The top three malware families were...

Malware blog

Checkpoint

30.7.18

How the CopyCat malware infected Android devices around the world

Check Point researchers identified a mobile malware that infected 14 million Android devices, rooting approximately 8 million of them, and earning the hackers behind the campaign approximately $1.5 million in fake ad revenues...

Malware blog

Checkpoint

30.7.18

BROKERS IN THE SHADOWS – Part 2: Analyzing Petya’s DoublePulsarV2.0 Backdoor

Background In the wake of WannaCry, a new cyber threat has emerged from the NSA leak. Making use of previously exposed tools, Petya once again is engaged in another large scale attack. Important.

Malware blog

Checkpoint

30.7.18

FIREBALL – The Chinese Malware of 250 Million Computers Infected

Check Point Threat Intelligence and research teams recently discovered a high volume Chinese threat operation which has infected over 250 million computers worldwide. The installed malware,  Fireball, takes over target browsers and turns.

Malware blog

Checkpoint

30.7.18

The Judy Malware: Possibly the largest malware campaign found on Google Play

Check Point researchers discovered another widespread malware campaign on Google Play, Google’s official app store. The malware, dubbed “Judy”, is an auto-clicking adware which was found on 41 apps developed by a Korean

Malware blog

Checkpoint

30.7.18

Hacked in Translation – from Subtitles to Complete Takeover

Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers..

Malware blog

Checkpoint

30.7.18

April’s Most Wanted Malware: Exploit Kit Attacks Continue, While Slammer Worm Resurfaces Again

Check Point’s latest Global Threat Impact Index detected a continued increase in the number of organizations being targeted with Exploit Kits, as Rig EK became the most prevalent form of attack, while there..

Malware blog

Checkpoint

30.7.18

DiamondFox modular malware – a one-stop shop

Check Point researchers have conducted a thorough investigation of the DiamondFox malware-as-a-service in collaboration with Terbium Labs, a Dark Web Data Intelligence company. The report includes a review of the malware’s sales procedure...

Malware blog

Checkpoint

30.7.18

Update – OSX/Dok Campaign

Our ongoing investigation of the OSX/DOK campaign has led us to detect several new variants of this malware. These new variants have the same functionality as the previous ones, and are designed to.

Malware blog

Checkpoint

30.7.18

OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic (updated)

People often assume that if you’re running OSX, you’re relatively safe from malware. But this is becoming less and less true, as evidenced by a new strain of malware encountered by the Check.

Malware blog

Checkpoint

30.7.18

An In-depth Look at the Gooligan Malware Campaign

Check Point mobile threat researchers today published a technical report that provides deep technical analysis of the Gooligan Android malware campaign, which was first announced on November 30. The report discusses the ins and outs of.

Malware blog

Checkpoint

30.7.18

More Than 1 Million Google Accounts Breached by Gooligan

As a result of a lot of hard work done by our security research teams, we revealed today a new and alarming malware campaign. The attack campaign, named Gooligan, breached the security of..

Malware blog

Checkpoint

30.7.18

ImageGate: Check Point uncovers a new method for distributing malware through images

Check Point researchers identified a new attack vector, named ImageGate, which embeds malware in image and graphic files. Furthermore, the researchers have discovered the hackers’ method of executing the malicious code within these..

Malware blog

Checkpoint

18

Increased Use of a Delphi Packer to Evade Malware Classification

The concept of "packing" or "crypting" a malicious program is widely popular among threat actors looking to bypass or defeat analysis by static and dynamic analysis tools.

Malware blog

FireEye

18

Click It Up: Targeting Local Government Payment Portals

FireEye has been tracking a campaign this year targeting web payment portals that involves on-premise installations of Click2Gov.

Malware blog

FireEye

18

Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign

FireEye recently observed a campaign involving Microsoft Office vulnerabilities being used to distribute the FELIXROOT backdoor.

Malware blog

FireEye