The RobinHood Ransomware (RobbinHood Ransomware or RobbinHood File Extension Ransomware) is a ransomware Trojan that is used to harass computer users under the pretext of raising awareness and funds for the people of Yemen. In fact, there is no evidence to support the theory that the creators of the RobinHood Ransomware have altruistic motives. It is likelier that the con artists are using the RobinHood Ransomware to profit in the same way that the creators of most encryption ransomware Trojans act today. However, the ransom demand in the case of the RobinHood Ransomware is extremely elevated, making it very unlikely that any individual PC users will pay the RobinHood Ransomware ransom in case of an attack. Take preventive measures against ransomware Trojans like the RobinHood Ransomware, which are becoming common increasingly. Yemen...

The WanaCrypt0r Ransomware is an encryption Trojan that features a worm-like attack tactic. The WanaCrypt0r Ransomware is recognized as one of the most threatening and widespread encryption Trojans up until May 12th, 2017. The WanaCrypt0r Ransomware managed to compromise more than hundreds of thousand systems across one hundred and forty countries on its first release to the real world. The brunt of the attack was taken by PC users in Russia and the National Healthcare System in Great Britain. The Trojan managed to block access to most of the computers connected to the National Healthcare System and nearly 70% of the cases that involve the WanaCrypt0r Ransomware are recorded in Russia....

The Ryuk Ransomware is a data encryption Trojan that was identified on August 13th, 2018. It appears that private companies and healthcare institutions have been compromised with the Ryuk Ransomware. Threat actors were reported of infecting organizations in the USA and Germany. Initial analysis suggests the threat was injected in systems through compromised RDP accounts, but it is possible that there is a parallel spam campaign that carries the threat payload as macro-enabled DOCX and PDF files. General Facts and Attribution Ryuk Ransomware appeared in the middle of August 2018 with several well-planned targeted attacks against major organizations worldwide, encrypting data on infected PCs and networks and demanding the payment of a ransom in exchange for a decryptor tool. Ryuk does not demonstrate extremely advanced technical skills,...

Cybercriminals do not always end up using the malware, which they build. Often, instead of employing their hacking tools in campaigns, they would sell them or rent them to other shady individuals online. This is the case with the Blackremote RAT (Remote Access Trojan). The creators of this Trojan had posted an advertisement online, which got on the radar of malware researchers immediately. The advertisement was posted by a user with the name ‘Speccy’ or ‘Rafiki.’ The creators of the Blackremote RAT claim that their threat is ‘undetectable’ and has a long list of capabilities. Masks as a Legitimate Tool A common tactic when renting out or selling hacking tools is to try and pass it off as a legitimate application with no unsafe potential. However, the people who sell it and the people who buy it are well aware of what the real deal is....

North Korea is known to have some very highly-skilled cybercriminals, and these individuals usually work for the government. The most well-known APT (Advanced Persistent Threat) hailing from North Korea is the Lazarus hacking group. However, recently, there has been a new group that is gaining traction, ScarCruft (also known as APT37). Since the ScarCruft hacking group is funded by the North Korean government, it is logical that they are doing their bidding in the campaigns they launch. This is why most of the targets of the ScarCruft group are located in South Korea and tend to be high-ranking officials or government institutions. ScarCruft has developed a long list of hacking tools that keeps expanding over time. Targets Random Users One of the custom-built hacking tools of the APT37 is the KARAE backdoor Trojan. Malware researchers...

The newly rising star on the North Korean cybercrime stage is the ScarCruft hacking group. It also is known under the APT37 (Advanced Persistent Threat) alias. The ScarCruft hacking group is likely to be funded by the government of North Korea directly. This is why it is almost certain that the APT37 group is one of the attack dogs of Kim Jong-Un. This is why it makes sense that most of the targets of the ScarCruft hacking group are either government-linked institutions or high-ranking officials, usually located in South Korea. One of the tools in the arsenal of the ScarCruft hacking group is the SHUTTERSPEED backdoor Trojan. This threat is meant to be used as a first-stage payload, which serves to deploy additional threats on the compromised machine. The SHUTTERSPEED Trojan also can collect system information (software and hardware)...

An increasing amount of ransomware threats has been plaguing the Internet. One of the most popular ransomware families in 2019 has been the STOP ransomware family certainly. Malware researchers have determined that there have been more than 150 variants of this data-locking Trojan released so far. One of the most recently detected file-encrypting Trojans is the Leto Ransomware. Propagation and Encryption After spotting and studying this ransomware threat, experts concluded that this is STOP Ransomware variant. Mass spam email campaigns, fake updates, and bogus pirated copies of legitimate applications may be among the infection vectors involved in the distribution of the Leto Ransomware. As with most file-locking Trojans, the Leto Ransomware will make sure to scan all your files as soon as it manages to invade your system. Once this...

Some hacking groups are state-sponsored and thus do the bidding of their governments in various campaigns targeting political and business sectors. Other hacking groups are autonomous and usually tend to be financially-motivated entirely. An example of the latter is the Carbanak Group (also referred to as FIN7), which is a group of shady individuals who have managed to wreak havoc all around the world over the years and cause damages in the hundreds of millions of dollars. Malware experts have detected a new tool that has been employed by the Carbanak Group, the RDFSNIFFER, recently. This hacking tool can be classified as a RAT (Remote Access Trojan) and seems to be utilized mainly as a second-stage payload with the assistance of the BOOTSWIRE Trojan loader, which is another tool that is present in the Carbanak Group’s arsenal. Targets...

China is popular for its hacking groups. Some operate on their own terms, while others are believed to be sponsored by the Chinese government. One of the more notorious Chinese hacking groups is the Winnti Group. They are also known as APT41 (Advanced Persistent Threat). They have been gaining prominence since 2010. The Winnti Group is named after a hacking tool developed by this APT – the Winnti malware. This threat put the Winnti Group on the map and was first spotted in 2013. Ever since the hacking group gained some prominence thanks to the Winnti malware, they have been developing new tools, one of which is the PortReuse backdoor Trojan. Its Preference for Stealth Most backdoor Trojans follow the same pattern – they are operated via a remote C&C (Command & Control) server and tend to have a long list of capabilities. However, this...

There are hacking groups, which are involved in activism strictly, there are others, which server various governments, and some act of pure greed. The latter is the case with the Chinese hacking group Carbanak Group, which also is known as FIN7. This hacking group became a known name ever since they launched the Carbanak Trojan. This threat managed to become one of the most notorious banking Trojans ever created and gave the name to the hacking group responsible for it. The Carbanak Group is known to mainly target companies that are involved in the restaurant, hospitality and retail industries. It appears that most of their victims are located in the United States. The Carbanak Group is developing new tools, and two of them have been spotted in the wild recently. It is likely that these new hacking tools may be utilized in campaigns...

One would be surprised at how many high-profile hacking campaigns are hailing from North Korea considering how restricted the access to the Internet is over there. In the past, there used to be only one prominent hacking group originating from North Korea, and that was the Lazarus group. However, recently, there has been a new star on the horizon – the ScarCruft hacking group, which also is referred to as APT37 (Advanced Persistent Threat). Self-Preservation Techniques The ScarCruft hacking group has an expanding arsenal of hacking tools. Among them is the GELCAPSULE Trojan downloader. It has been determined that this threat is capable of recognizing whether it is being run in a sandbox environment. In case it is, as a method of self-preservation, the GELCAPSULE Trojan will halt its activity. This Trojan downloader also is known for...

Malware targeting OSX devices is not as common as malware that goes after computers running Windows. However, that does not mean that threats that are designed to target Apple computers specifically do not exist. A significant number of Mac owners believe that their devices are impenetrable falsely because it is a misconception that has brought headaches to many Apple users. Cybersecurity researchers spotted a brand new threat that targets Mac computers earlier this year. The harmful campaigns linked to this threat were concentrated in the United States, Italy and Japan. The name of this new threat is Shlayer Trojan, and it serves as a first-stage payload. For a while, malware experts were not able to determine what is the secondary payload, which the Shlayer Trojan malware delivers. However, in a more recent operation, it was...

Attor is a threat that has been tailored to target mobile devices and has been able to operate for a couple of years without being spotted by malware researchers. This threat can be classified as a spyware tool, and it is likely that its operators have accumulated a large amount of collected data over the years. The Attor spyware has been spotted recently because its operators began targeting high-ranking individuals, which are linked to the Russian government. It appears that the activity of the Attor spyware is concentrated in Eastern Europe mainly, with the majority of targets located in the Russian Federation. May Utilize AT Commands The Attor spyware is a rather interesting threat. It has been determined that this hacking tool is built modularly. This allows the Attor malware to be very flexible. Furthermore, the design of this...

The North Korean government is known to use the services of hackers. Recently, apart from the well-known Lazarus hacking group, a new actor has emerged, the ScarCruft APT (Advanced Persistent Threat). This hacking group also is often referred to as APT37. They appear to target high-ranking South Koreans mainly. However, malware researchers have spotted APT31 campaigns in the Middle East, as well as Vietnam and Japan. It is likely that the ScarCruft hacking group has begun operating in 2015. Preference for Stealth The ScarCruft group tends to pay special attention to stealth in its operations. Another signature component of the APT37 operations is the collection of important information from the host. One of their primary tools that the hacking group uses for gathering data is the CORALDECK malware. The first campaign involving the...

There is a newly emerging high-profile ill-minded actor from North Korea, the ScarCruft hacking group. This group of individuals also is known as the APT37 (Advanced Persistent Threat). Cybersecurity researchers believe that the ScarCruft group is likely being funded by the North Korean government directly and is being used as a weapon against foreign governments and officials. Most of the APT37’s targets appear to be South Korean individuals in positions of importance or power. The ScarCruft hacking group has a long list of hacking tools, among which is the DOGCALL backdoor Trojan. The first campaign in which the DOGCALL Trojan was utilized took place in August 2016. Targeted Military and Government Institutions in South Korea In 2017 the APT37 launched an operation targeting government bodies and military institutions located in...

The APT37 (Advanced Persistent Threat) is a hacking group that has been around for a while and is believed to work in cooperation with the North Korean government (although this information is yet to be confirmed with full certainty). Most of the targets of the APT37 group are concentrated in South Korea and ten to be rather high-profile. Recently, the APT37 used spear-phishing emails to propagate a threat called NavRAT (Remote Access Trojan). Malware researchers regard the delivery method used by the attackers as rather intriguing. It also is interesting to point out that the infrastructure used in the campaigns involving NavRAT is not very conventional too. Propagates via Spear-Phishing Emails The aforementioned spear-phishing emails would contain an infected attachment in the shape of a ‘.HWP’ file. This corrupted file is named...

Hiddad is an Android-based piece of adware. Most of the activity of the Hiddad adware is concentrated in Russia, with over 40% of the victims being located there. However, there have been reports of infections in the USA, India, Germany, Ukraine, Indonesia among other countries. The creators of the Hiddad adware employ various social engineering techniques to achieve their end goal, which is convince the user to click on their advertisements. This may not sound like too much of a big deal, but the authors of the Hiddad can cash in some significant revenue if they manage to plant their creation on enough host devices. Spreads via Fake Applications This piece of adware appears to have been hosted on the official Google Play Stor, posing as several fake applications ‘Snap Tube,’ ‘Music Mania,’ and ‘Tube Mate.’ Thankfully, the developers...

The AndroidBauts botnet is a network of infected Android devices that are used for promoting advertisements to users online. At one point, the number of infected devices was more than 550,000. The creators of the AndroidBauts botnet are able to gather data regarding the compromised devices - both software and hardware. Most of the infected devices appear to be located in India and Indonesia. However, a significant number of compromised Android devices that belong to the AndroidBauts botnet also can be found in Russia, Argentina, Vietnam, Malaysia and other countries. Propagated via Fake Applications The operators of the AndroidBauts botnet are likely to have infected this staggering amount of devices by hosting fake applications on the official Google Play Store. Users tend to be less careful when they are downloading applications from...