McAfee Labs has identified an increase in Wextract.exe samples that drop a malware payload in multiple stages. Wextract.exe is a Windows executable file that is used to extract files from a cabinet (.cab) file. Cabinet files are compressed archives that are used to package and distribute software, drivers, and other files. It is a legitimate […]
Malicious firmware for TP-Link Routers
Check Point Research (CPR) exposes a malicious firmware implant for TP-Link routers that allowed attackers to gain full control of infected devices and access compromised networks while evading detection. CPR attributes the attacks to a Chinese state-sponsored APT group dubbed “Camaro Dragon”. The firmware image contained several malicious components, including a custom MIPS32 ELF implant dubbed […]
Android Banking Malware
Check Point Research encountered an Android banking malware named FakeCalls, a malware that can masquerade as one of more than 20 financial applications and imitate phone conversations with bank or financial service employees – this attack is called voice phishing. FakeCalls malware targeted the South Korean market and possesses the functionality of a Swiss army […]
Emotet Malicious Mail is Back
After several months of inactivity, the Emotet botnet resumed email activity this morning at 8:00am EST. The malicious emails seem to be replying to already existing email chains, with the addition of an attached .zip file. The .zip files are not password protected. The themes of the attached files include finances and invoices. The .zip […]
Imposter HTTP Libraries Lurk on PyPI
ReversingLabs researchers discovered more than three dozen malicious packages on the PyPI repository that mimic popular HTTP libraries. The descriptions for these packages, for the most part, don’t hint at their malicious intent. Some are disguised as real libraries and make flattering comparisons between their capabilities and those of known, legitimate HTTP libraries. The packages […]
S1deload Stealer – Social Network Account Hijacker
An active malware campaign has set its sights on Facebook and YouTube users by leveraging a new information stealer to hijack the accounts and abuse the systems’ resources to mine cryptocurrency. Bitdefender is calling the malware S1deload Stealer for its use of DLL side-loading techniques to get past security defenses and execute its malicious components. […]
Roaming Mantis: New DNS Changer In Its Malicious Mobile App
Roaming Mantis (a.k.a. Shaoye) is a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal data. In 2022, Kaspersky observed a DNS changer function implemented in its Android malware Wroba.o. Back in 2018, Kaspersky first saw Roaming Mantis activities targeting the Asian region, including Japan, South Korea […]
GodFather: Android Malware
GodFather is a notorious Android banking trojan known for targeting banking users, mostly in European countries. Recently, CRIL identified several GodFather Android samples masquerading as the MYT application. The GodFather Android malware, after successful installation on the victim’s device, steals sensitive data such as SMS messages, basic device details including installed apps data, and the device’s phone […]
Android Malware Infects 300,000 Facebook users
Android malware dubbed Schoolyard Bully Trojan has infected and extracted information from over 300,000 devices in 71 countries since 2018, the mobile security firm Zimperium zLabs reported. The apps were marketed as educational on Google Play Store and primarily targeted Facebook users in Vietnam. The report cautions that the apps, though now removed from the Google Play […]
Google Ads Pointing to Malware
Fake sites for popular software have been seen pushing IcedID malware (also known as Bokbot). Search Engine Optimization (SEO) is a technique that websites use to increase their visibility for search engines like Google. Cybercriminals occasionally use SEO to direct search traffic to malicious advertisement links. These ads redirect users to fake software sites […]
Recent TrueBot infections
Since August 2022, Talos has seen an increase in infections of Truebot (aka Silence.Downloader) malware. Truebot was first identified in 2017 and researchers have linked it to a threat actor that is responsible for several high-impact attacks on financial institutions in several countries around the world. Recently, the attackers have shifted from using malicious emails […]
Aurora: A Trending Infostealer Malware
Since September 2022, Aurora malware has been advertised as an infostealer, and several traffer teams have announced that they added it to their malware toolset. Furthermore, SEKOIA.IO observed an increase in the number of Aurora samples distributed in the wild, as well as C2 servers. First advertised on Russian-speaking underground forums in April 2022, Aurora is a multi-purpose […]
Malware Delivered via Contact Forms
The DFIR Report expands on an intrusion from May 2022, where threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. The intrusion began with the delivery of an ISO file that contained an LNK and a DLL. The threat actors leveraged BumbleBee to load a Meterpreter agent and Cobalt Strike […]
Evasive Techniques Used by Injected Websites
Analysis of a new technique used to inject websites with SocGholish malware found that it relies on zip compression, obfuscation, strrev functions, and other evasive techniques to avoid detection. Once installed, fake browser updates infect the victim’s computer with various types of malware, including remote access trojans (RATs). SocGholish malware is often the first step in severe targeted ransomware […]
Google Play Store Apps Lead to Phishing Sites
A family of malicious apps from the developer “Mobile apps Group” [sic] is listed on Google Play and infected with Android/Trojan.HiddenAds.BTGTHB. In total, four apps are listed, and together they have amassed at least one million downloads. When users first install one of these malicious apps, it takes a couple of days before it begins to display malicious behavior. […]
FormBook Stealer Is Gaining Traction
FormBook stealer is an infostealer trojan available as malware-as-a-service. This malware is often used by attackers with low technical literacy and little programming knowledge. FormBook can be used to steal various information from infected machines. Despite how easy it is to set up and use, the malware has advanced stealing and evasion functions, including […]
TOAD attack: Vishing and Android Banking Malware
ThreatFabric’s analysts uncovered a network of phishing websites targeting Italian online-banking users and aiming to steal their banking credentials. Further research established a connection between this network and the Android banking Trojan dubbed Copybara, which is involved in telephone-oriented attack delivery performed by the threat actors. The latest version of it introduced a unique feature that allows […]
Bumblebee is Increasing its Capacity and Evolving
Bumblebee is in constant evolution, which is best demonstrated by the fact that the loader system has undergone a radical change twice in the span of a few days — first from the use of ISO format files to VHD format files containing a PowerShell script, then back again. Changes in the behavior of Bumblebee’s […]
Vidar Stealer Targets Zoom Users
Threat researchers at cybersecurity firm Cyble found six fake Zoom sites offering applications that download Vidar Stealer malware. Vidar is an information-stealing malware that steals the victim’s banking information, saved passwords, IP addresses, browser history, login credentials, and crypto-wallets. This stealer has links to the Arkei stealer. These sites redirect to a GitHub […]
NullMixer Drops Malware
NullMixer is a dropper leading to an infection chain of a wide variety of malware families. NullMixer spreads via malicious websites that can be found mainly via search engines. These websites are often related to cracks, keygens and activators for downloading software illegally, and while they may pretend to be legitimate software, they actually contain […]