Digital attackers uploaded 17 versions of the Joker malware family to Google’s Play Store in September 2020 as part of an ongoing effort to target Android users. How the Attackers Bypassed Google’s Vetting Process The Zscaler ThreatLabZ research team found on Sept. 24, 2020, that digital attackers had concealed the Joker malware versions in applications ranging from…
Uptycs’ threat research team published a piece about Warzone RAT and its advanced capabilities in November 2020. During the first week of January 2021, we discovered an ongoing targeted attack campaign related to Confucius APT, a threat actor / group primarily targeting government sectors in South Asia. This attack was identified by our in-house osquery-based sandbox that…
Security experts from ESET uncovered an ongoing surveillance campaign, dubbed Operation Spalax, against Colombian government institutions and private companies. Malware researchers from ESET uncovered an ongoing surveillance campaign, dubbed Operation Spalax, against Colombian entities exclusively. The attacks aimed at government institutions and private companies, most of them in the energy and metallurgical sectors. The campaign has…
Experts discovered an Android Remote Access Trojan, dubbed Rogue, that can allow to take over infected devices and steal user data. Rogue is a new mobile RAT discovered by researchers from Check Point while investigating the activity of the darknet threat actors known as Triangulum and HeXaGoN Dev. Both actors are Android malware authors that are…
Ursnif (also known as Gozi) is identified as a banking Trojan, but its variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors. The Ursnif Trojan has been observed targeting Italy over the past year. A few days ago, FortiGuard Labs detected a phishing campaign in the wild that was spreading a fresh…
The Lokibot malware is used by cyberattackers primarly for stealing credentials from a compromised system. In a recent campaign, a new version of the malware has been found equipped with more misdirection and anti-analysis features. What happened? This new campaign uses a complex, multi-stage, multi-layered dropper to execute Lokibot on the target machine. The developers behind…
Introduction Campaigns spreading Hancitor malware were active from October through December 2020, but Hancitor went quiet after 2020-12-17. On Tuesday 2021-01-12, criminals started sending malicious spam (malspam) pushing Hancitor again. Some people have already tweeted about this year’s first wave of Hancitor. See the links below. https://twitter.com/James_inthe_box/status/1349015970220748809 https://twitter.com/ffforward/status/1349018081486659587 https://twitter.com/r_jordan3/status/1349058833964961794 https://twitter.com/executemalware/status/1349106968569536518 Today’s diary reviews recent Hancitor activity from…
Cyber-security firm CrowdStrike, one of the companies directly involved in investigating the SolarWinds supply chain attack, said today it identified a third malware strain directly involved in the recent hack. Named Sunspot, this finding adds to the previously discovered Sunburst (Solorigate) and Teardrop malware strains. But while Sunspot is the latest discovery in the SolarWinds hack,…
TA551 also known as Shathak is an email-based malware distribution campaign that frequently targets English-speaking victims. This campaign has aimed German, Italian and Japanese speakers. TA551 in the past pushed different families of information-stealing malware like Ursnif and Valak. After mid-July 2020, this campaign has exclusively pushed IcedID malware, another information stealer. Chain of…
In September 2020, we began investigating a Microsoft Exchange server at a Kuwaiti organization that a threat group compromised as part of a continued xHunt campaign. This investigation resulted in the discovery of two new backdoors called TriFive and Snugy, which we discussed in a prior blog, as well as a new webshell that we call BumbleBee…