Joker Malware Hits Google Play with 17 Variants

Digital attackers uploaded 17 versions of the Joker malware family to Google’s Play Store in September 2020 as part of an ongoing effort to target Android users.

How the Attackers Bypassed Google’s Vetting Process

The Zscaler ThreatLabZ research team found on Sept. 24, 2020, that digital attackers had concealed the Joker malware versions in applications ranging from…

Confucius APT deploys Warzone RAT

Uptycs’ threat research team published a piece about Warzone RAT and its advanced capabilities in November 2020. During the first week of January 2021, we discovered an ongoing targeted attack campaign related to Confucius APT, a threat actor / group primarily targeting government sectors in South Asia. This attack was identified by our in-house osquery-based sandbox that…

Operation Spalax, an ongoing malware campaign targeting Colombian entities

Malware researchers from ESET uncovered an ongoing surveillance campaign, dubbed Operation Spalax, that targets Colombian entities exclusively. The attacks are aimed at government institutions and private companies, most of them in the energy and metallurgical sectors. The campaign has…

Rogue Android RAT emerges from the darkweb

Researchers discovered an Android Remote Access Trojan, dubbed Rogue, that allows an attacker to take over infected devices and steal user data. Rogue is a new mobile RAT discovered by Check Point researchers while investigating the activity of the darknet threat actors known as Triangulum and HeXaGoN Dev. Both actors are Android malware authors that are…

New Variant of Ursnif Continuously Targeting Italy

Ursnif (also known as Gozi) is identified as a banking Trojan, but its variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors. The Ursnif Trojan has been observed targeting Italy over the past year. A few days ago, FortiGuard Labs detected a phishing campaign in the wild that was spreading a fresh…

The Lokibot malware is used by cyberattackers primarily for stealing credentials from a compromised system. In a recent campaign, a new version of the malware was found equipped with more misdirection and anti-analysis features.

What happened?

This new campaign uses a complex, multi-stage, multi-layered dropper to execute Lokibot on the target machine. The developers behind…

Hancitor activity resumes after a holiday break

Introduction

Campaigns spreading Hancitor malware were active from October through December 2020, but Hancitor went quiet after 2020-12-17. On Tuesday 2021-01-12, criminals started sending malicious spam (malspam) pushing Hancitor again. Some people have already tweeted about this year’s first wave of Hancitor. See the links below.

https://twitter.com/James_inthe_box/status/1349015970220748809
https://twitter.com/ffforward/status/1349018081486659587
https://twitter.com/r_jordan3/status/1349058833964961794
https://twitter.com/executemalware/status/1349106968569536518

Today’s diary reviews recent Hancitor activity from…

TA551 Hacker Group Pushes New Information Stealer Malware IcedID

TA551, also known as Shathak, is an email-based malware distribution campaign that frequently targets English-speaking victims; it has also targeted German, Italian and Japanese speakers. In the past, TA551 pushed different families of information-stealing malware such as Ursnif and Valak. Since mid-July 2020, the campaign has exclusively pushed IcedID malware, another information stealer.

Chain of…