In November 2019, we published a blog analyzing an exploit kit we named Capesand that exploited Adobe Flash and Microsoft Internet Explorer flaws. During our analysis of the indicators of compromise (IoCs) in the deployed samples that were infecting the victim’s machines, we noticed some interesting characteristics: notably that these samples were making use of obfuscation tools that made them virtually undetectable.
Security researchers have encountered a new macOS malware sample believed to be the work of the North Korean group of hackers known as Lazarus. The threat has a very low detection rate and comes with capabilities that allow it to retrieve a payload from a remote location and run it in memory, making the forensic analysis more difficult.
RiskIQ published insights into a criminal group that maximizes their profit by working in two ecosystems that are typically distinct, phishing and web skimming. By leveraging a tactic with which they had tons of experience, phishing, they could double-dip into one with which they had less expertise, web skimming. By combining tactics, this group was playing with a full deck when it came to stealing financial data. Introducing Full(z) House.
We recently wrote about the massive “sextortion” spam campaign carried out by the Phorpiex botnet. However, this is only a small part of this botnet’s malicious activity. Capable of acting like both a computer worm and a file virus, Phorpiex is spread through exploit kits and with the help of other malware and has infected more than 1,000,000 Windows computers to date. By our assessment, the annual criminal revenue generated by Phorpiex botnet is approximately half a million US dollars. Of course, to maintain such a large botnet, a reliable command and control (C&C) infrastructure is required. For malware with a small outreach, or if infected computers are not part of a single botnet, virtual private servers (VPS) are most often used. VPS hosting services can be purchased from legitimate companies. Many VPS hosting providers don’t require identity verification, and the services can be paid for anonymously.
Platinum is one of the most technologically advanced APT actors with a traditional focus on the APAC region. During recent analysis we discovered Platinum using a new backdoor that we call Titanium (named after a password to one of the self-executable archives). Titanium is the final result of a sequence of dropping, downloading and installing stages. The malware hides at every step by mimicking common software (protection related, sound drivers software, DVD video creation tools).
2019 has been a busy year for exploit kits, despite the fact that they haven’t been considered a potent threat vector for years, especially on the consumer side. This time, we discovered the Spelevo exploit kit with its virtual pants down, attempting to capitalize on the popularity of adult websites to compromise more devices.
In previous JPCERT / CC Eyes, we explained malware TSCookie and PLEAD used by attack group BlackTech . The attack group has also confirmed that it uses another malware called IconDown. Although it has not been confirmed by what means IconDown is installed / executed, according to the blog published by ESET, it has been confirmed that the update function of ASUS WebStorage is exploited. It is said that. This time, I will introduce the details of IconDown confirmed in the Japanese organization.
Mobile dropper Trojans are one of today’s most rapidly growing classes of malware. In Q1 2019, droppers are in the 2nd or 3rd position in terms of share of total detected threats, while holding nearly half of all Top 20 places in 2018. Since the droppers’ main task is to deliver payload while sidestepping the protective barriers, and their developers are fully bent on countering detection, this is probably one of the most dangerous classes of malware.
Cylance Threat Researchers recently discovered obfuscated malicious code embedded within WAV audio files. Each WAV file was coupled with a loader component for decoding and executing malicious content secretly woven throughout the file’s audio data. When played, some of the WAV files produced music that had no discernible quality issues or glitches. Others simply generated static (white noise).
Our Standard Office Hours
Monday – Friday: 8:00AM – 5:00PM EDT
Saturday – Sunday: Closed
Where to Find Us
Data Privacy Notice
- – All product names, logos, and brands are property of their respective owners.
- – The use of these names, logos, and brands is for identification purposes only and does not imply endorsement.
- – Content syndication and aggregation of public information is solely for the purpose of identifying information security trends, all syndicated content contains source links to the content creator website. All content is owned by it’s respective content creators.
- – If you are an owner of some content and want it to be removed, please email firstname.lastname@example.org