TrendMicro discovered a new exploit kit we named Underminer that employs capabilities used by other exploit kits to deter researchers from tracking its activity or reverse engineering the payloads. Underminer delivers a bootkit that infects the system’s boot sectors as well as a cryptocurrency-mining malware named Hidden Mellifera. Underminer transfers malware via an encrypted transmission control protocol (TCP) tunnel and packages malicious files with a customized format similar to ROM file system format (romfs). These make the exploit kits and its payload challenging to analyze.

McAfee Labs has noticed a significant shift by some actors toward using trusted Windows executables, rather than external malware, to attack systems. One of the most popular techniques is a “fileless” attack. Because these attacks are launched through reputable executables, they are hard to detect. Both consumers and corporate users can fall victim to this threat. In corporate environments, attackers use this vector to move laterally through the network. One fileless threat, CactusTorch, uses the DotNetToJScript technique, which loads and executes malicious .NET assemblies straight from memory. These assemblies are the smallest unit of deployment of an application, such as a .dll or .exe. As with other fileless attack techniques, DotNetToJScript does not write any part of the malicious .NET assembly on a computer’s hard drive; hence traditional file scanners fail to detect these attacks.

The latest Micropsia malware version analyzed in Radware’s research lab is the most sophisticated tool used by this APT group. It includes advanced surveillance features such as microphone recording, keylogging and document stealing from USB flash drives. It also resembles the old versions’ C2 communication behavior by including references to famous TV shows and characters.


In July 2018, Unit 42 analyzed a targeted attack using a novel file type against at least one government agency in the Middle East. It was carried out by a previously unpublished threat group we track as DarkHydrus. Based on our telemetry, we were able to uncover additional artifacts leading us to believe this adversary group has been in operation with their current playbook since early 2016. This attack diverged from previous attacks we observed from this group as it involved spear-phishing emails sent to targeted organizations with password protected RAR archive attachments that contained malicious Excel Web Query files (.iqy).


In late 2017, Volexity began tracking a new e-commerce financial data theft framework named JS Sniffer. The framework gives attackers a quick and efficient way to steal data from compromised e-commerce websites. JS Sniffer is optimized to steal data from compromised websites running the Magento e-commerce platform. However, Volexity has observed the framework on e-commerce websites leveraging OpenCart,, Shopify, WordPress, and others as well. Volexity initially identified the framework following a highly targeted attack campaign against a website that facilitates online ticket sales for numerous events and venues.

The end of May 2018 has marked the emergence of three malware campaigns built on publicly available source code for the Mirai and Gafgyt malware families that incorporate multiple known exploits affecting Internet of Things (IoT) devices. Samples belonging to these campaigns incorporate as many as eleven exploits within a single sample, beating the IoT Reaper malware, which borrowed some of the Mirai source code but also came with an integrated LUA environment that incorporated nine exploits in its code. In their newest evolution, samples also target the D-Link DSL-2750B OS Command Injection vulnerability, only a few weeks after the publication of its Metasploit module on the 25th of May (even though the vulnerability has been public knowledge since February of 2016)

An interesting aspect of studying a particular piece of malware is tracing its evolution and observing how the creators gradually add new monetization or entrenchment techniques. Also of interest are developmental prototypes that have had limited distribution or not even occurred in the wild. We recently came across one such sample: a macOS backdoor that we named Calisto. The malware was uploaded to VirusTotal way back in 2016, most likely the same year it was created. But for two whole years, until May 2018, Calisto remained off the radar of antivirus solutions, with the first detections on VT appearing only recently.

Since November 2014, the Golden Rat Organization (named APT-C-27 by 360, different to APT-27 from Mandiant) has launched an organized, planned and targeted long-term uninterrupted attack on the Syrian region. The attack platform has gradually expanded from the beginning of the Windows platform to the Android platform. So far, we have captured 29 Android platform attack samples, 55 Windows platform attack samples, and 9 C&C domain names.

On July 18, in an officially released routine patch update, Oracle fixed CVE-2018-2893, an Oracle WebLogic Server remote code execution vulnerability. Three days later, at 2018-07-21 11:24:31 GMT+8, we noticed that a malicious campaign that we have been tracking for a long time start to exploit this vulnerability to spread itself. This campaign has been using luoxkexp[.]com as main C2, and we named it luoxk.

A backdoor was introduced on eslint-scope (version 3.7.2) upon which ESLint depends. It seems that the goal of this hack was to leak NPM tokens. We advise you to take the following actions as soon as possible: Revoke all your NPM tokens at once Enable 2FA on your NPM account for all scopes Audit the NPM packages you own to ensure nobody published new versions without you knowing If you are running a private registry or a mirror, delete this package Ensure you don’t have eslint-scope version 3.7.2 on your computers