Aurora, a Trending Infostealer Malware

Since September 2022, Aurora malware has been advertised as an infostealer and several traffer teams have announced that they added it to their malware toolset. Furthermore, SEKOIA.IO observed an increase in the number of Aurora samples distributed in the wild, as well as in the number of C2 servers. First advertised on Russian-speaking underground forums in April 2022, Aurora is a multi-purpose […]

Malware Delivered via Contact Forms

The DFIR Report expands on an intrusion from May 2022, where threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. The intrusion began with the delivery of an ISO file that contained an LNK and a DLL. The threat actors leveraged BumbleBee to load a Meterpreter agent and Cobalt Strike […]

Evasive Techniques used by injected Websites

Analysis of a new technique used to inject websites with SocGholish malware found zip compression, obfuscation, strrev functions, and other evasive techniques being used to avoid detection. Once installed, fake browser updates infect the victim’s computer with various types of malware, including remote access trojans (RATs). SocGholish malware is often the first step in severe targeted ransomware […]

Google Play Store Apps Lead to Phishing Sites

A family of malicious apps from the developer “Mobile apps Group” [sic] is listed on Google Play and infected with Android/Trojan.HiddenAds.BTGTHB. In total, four apps are listed, and together they have amassed at least one million downloads. When users first install one of these malicious apps, it takes a couple of days before it begins to display malicious behavior. […]

FormBook Stealer Is Gaining Traction

FormBook stealer is an infostealer trojan available as malware-as-a-service. This malware is often used by attackers with low technical literacy and little programming knowledge. FormBook can be used to steal various kinds of information from infected machines. Despite how easy it is to set up and use, the malware has advanced stealing and evasion functions, including […]

TOAD attack: Vishing and Android Banking Malware

ThreatFabric’s analysts uncovered a network of phishing websites targeting Italian online-banking users and aiming to steal their banking credentials. Further research established a connection between this network and the Android banking Trojan dubbed Copybara, which is involved in telephone-oriented attack delivery performed by the threat actors. The latest version of it introduced a unique feature that allows […]

Vidar Stealer Targets Zoom Users

Threat researchers at the cybersecurity firm Cyble found six fake Zoom sites offering applications that download the Vidar Stealer malware. Vidar is an information-stealing malware that steals the victim’s banking information, saved passwords, IP addresses, browser history, login credentials, and crypto-wallets. This stealer has links to the Arkei stealer. These sites redirect to a GitHub […]

NullMixer Drops Malware

NullMixer is a dropper leading to an infection chain of a wide variety of malware families. NullMixer spreads via malicious websites that are found mainly via search engines. These websites are often related to cracks, keygens and activators for illegally downloading software, and while they may pretend to offer legitimate software, they actually contain […]

NFT malware gets new evasion abilities

A non-fungible token (NFT) is a record on a blockchain associated with a digital or physical asset—usually a digital file such as a photo, video, or audio. An NFT’s ownership is recorded in the blockchain, and it can be sold and traded. NFTs differ from cryptocurrencies, which are mostly fungible, in that NFTs are unique […]

Fake Mobile Banking Rewards Apps

Rewards Plus: Fake Mobile Banking Rewards Apps Lure Users to Install Info-Stealing RAT on Android Devices
A fake mobile banking rewards app delivered through a link in an SMS campaign has been making the rounds, targeting customers of Indian banking institutions. Users who install the mobile app are unknowingly installing Android malware with remote […]

Pay-Per-Install Malware Service

Pay-Per-Install (PPI) is a malware service widely used in the cybercrime ecosystem that monetizes the installation of malicious software. SEKOIA observed that PrivateLoader is one of the most widely used loaders in 2022. It is used by a PPI service to deploy multiple malicious payloads on the infected hosts. The threat actor ruzki (aka les0k, […]

Malware spreads through YouTube Ads

RedLine Spreads Through Ads for Cheats and Cracks on YouTube
A malicious bundle containing the RedLine stealer and a miner is being distributed on YouTube through ads for cheats and cracks for popular games. RedLine is currently one of the most common Trojans used to steal passwords and credentials from browsers, FTP clients and desktop messengers. […]

Dead or Alive? An Emotet Story

Dead or Alive? An Emotet Story
Emotet, although previously taken down through Interpol and Eurojust efforts, has seen a resurgence since November 2021. In May of this year, DFIR witnessed an intrusion that started from a phishing email which included Emotet. The intrusion lasted four days and involved many of the usual suspects, including the Cobalt […]

Crypto Miners’ Latest Exploits

Crypto miners have been present in the threat landscape for some years, ever since attackers identified the opportunity of leveraging victims’ CPUs to mine cryptocurrencies for them. Despite the current rough patch in the world of cryptocurrencies, these miners are still present and will remain so for the foreseeable future. Attackers have been sending malicious attachments, […]

Check Point Picks Up Crypto Miner Disguised as Google Translate

At the end of July 2022, Check Point Research (CPR) detected a previously undisclosed cryptomining campaign, called Nitrokod, which potentially infected thousands of machines worldwide. At the campaign’s core are several useful utilities. Created by a Turkish-speaking entity, the campaign dropped malware via free software available on popular websites such as Softpedia and Uptodown. The software […]

Defending Against Computer Worms

What Are Computer Worms and What Are the Best Tools to Defend Your Network Against Them?
A computer worm is a malicious program that distributes itself across a computer network. Like biological systems, computer systems are plagued by various maladies known as malware. Malware is an all-encompassing term that refers to malicious, hostile, and invasive programs aiming to harm computer systems or networks. […]

SocGholish: 5+ Years of Massive Website Infections

SocGholish: 5+ Years of Massive Website Infections
SocGholish is a JavaScript malware framework that has been in use since at least 2017. It is distributed through a number of malicious sites claiming to provide critical browser updates. In reality, these sites are designed to trick victims into downloading and installing malware — usually in the […]

PyPI Package Drops Fileless Linux Malware

PyPI Package ‘secretslib’ Drops Fileless Linux Malware to Mine Monero
Sonatype has identified a ‘secretslib’ PyPI package that describes itself as “secrets matching and verification made easy.” On closer inspection, though, the package covertly runs cryptominers on your Linux machine in memory (directly from RAM), a technique largely employed by fileless malware and crypters. […]

Malware That Runs Automatically and Hides on Google Play

McAfee’s Mobile Research Team has identified new malware on the Google Play Store. Most of these apps disguise themselves as cleaner apps that delete junk files or help optimize battery use for device management. However, this malware hides itself and continuously shows advertisements to victims. In addition, the apps run malicious services automatically upon installation without executing […]
