Malware Technologies – Page 13

The BlueNoroff cryptocurrency hunt is still on

Posted on January 13, 2022 by Seongsu Park, Vitaly Kamluk

It appears that BlueNoroff shifted focus from hitting banks and SWIFT-connected servers to solely cryptocurrency businesses as the main source of the group’s illegal income. Continue reading The BlueNoroff cryptocurrency hunt is still on→

Answering Log4Shell-related questions

Posted on December 20, 2021 by Kaspersky

Check out the answers to some of users’ biggest security questions about the Log4Shell vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105). Continue reading Answering Log4Shell-related questions→

PseudoManuscrypt: a mass-scale spyware attack campaign

Posted on December 16, 2021 by Kaspersky ICS CERT

Kaspersky ICS CERT experts identified malware whose loader has some similarities to the Manuscrypt malware, which is part of the Lazarus APT group’s arsenal. Continue reading PseudoManuscrypt: a mass-scale spyware attack campaign→

Owowa: the add-on that turns your OWA into a credential stealer and remote access panel

Posted on December 14, 2021 by Paul Rascagneres, Pierre Delcher

We found a suspicious binary and determined it as an IIS module, aimed at stealing credentials and enabling remote command execution from OWA. We named the malicious module ‘Owowa’, Continue reading Owowa: the add-on that turns your OWA into a credential stealer and remote access panel→

Trickbot module descriptions

Posted on October 19, 2021 by Oleg Kupreev

In this article we describe the functionality of the Trickbot (aka TrickLoader or Trickster) banking malware modules and provide a tip on how to download and analyze these modules. Continue reading Trickbot module descriptions→

Lyceum group reborn

Posted on October 18, 2021 by Mark Lechtik, Aseel Kayal, Paul Rascagneres

According to older public researches, Lyceum conducted operations against organizations in the energy and telecommunications sectors across the Middle East. In 2021, we have been able to identify a new cluster of the group’s activity, focused on two entities in Tunisia. Continue reading Lyceum group reborn→

SAS 2021: Learning to ChaCha with APT41

Posted on October 12, 2021 by Securelist

John Southworth gives insights about APT41 and the malware used by the threat actor – the Motnug loader and its descendant, the ChaCha loader; also, shares some thoughts on the actor’s attribution and the payload, including the infamous CobaltStrike. Continue reading SAS 2021: Learning to ChaCha with APT41→

SAS 2021: Operation Software Concepts

Posted on October 12, 2021 by Securelist

Experts from NTT Security (Japan) will cover a new APT named Operation Software Concepts. They will share details about this multi-stage attack campaign targeting government and defense sector. Continue reading SAS 2021: Operation Software Concepts→

Ransomware in the CIS

Posted on October 7, 2021 by Fedor Sinitsyn, Yanis Zinchenko

Statistics on ransomware attacks in the CIS and technical descriptions of Trojans, including BigBobRoss/TheDMR, Crysis/Dharma, Phobos/Eking, Cryakl/CryLock, CryptConsole, Fonix/XINOF, Limbozar/VoidCrypt, Thanos/Hakbit and XMRLocker. Continue reading Ransomware in the CIS→

GhostEmperor: From ProxyLogon to kernel mode

Posted on September 30, 2021 by Mark Lechtik, Aseel Kayal, Paul Rascagneres, Vasily Berdnikov

While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. With a long-standing operation, high profile victims, advanced toolset and no affinity to a known threat actor, we decided to dub the cluster GhostEmperor. Continue reading GhostEmperor: From ProxyLogon to kernel mode→