ChChes

Stone Panda is an APT (Advanced Persistent Threat) that is believed to originate from China. Due to the nature of their targets, often big corporations and government bodies, many speculate that the Stone Panda APT may be funded by the Chinese government. They have launched several attacks against businesses based in Japan, with the first one registered back in 2014. Often, the Stone Panda hacking group would employ the Poison Ivy RAT (Remote Access Trojan) and the PlugX RAT – these are hacking tools that are not a product of the Stone Panda APT, but the group likes to borrow them. Recently, there was yet another attack launched against a Japanese company in the pharmaceutical industry. In this most recent attack, it became apparent that the Stone Panda APT has developed its own unique hacking tool – the ChChes backdoor Trojan. What led...

Posted on June 25, 2019 in Malware

TROLL Ransomware

A new ransomware threat has been circulating on the Web recently. It is called TROLL Ransomware and does not seem to be a variant of any of the popular ransomware threats. Malware experts have not been able to conclude how the TROLL Ransomware is being propagated. Some speculate that the infection vectors employed in the spreading of the TROLL Ransomware may be the ones we all know too well – bogus software updates, infected pirated copies of popular software, and spam email campaigns with infected attachments. When the TROLL Ransomware successfully gains access to a targeted system, it will scan the files present on the machine. Then, the TROLL Ransomware will determine the locations of the files it was programmed to go after. The next step of the attack is the encryption process. When the TROLL Ransomware locks a file, it alters...

Posted on June 25, 2019 in Ransomware

WALAN Ransomware

The WALAN Ransomware is a data-locking Trojan that has recently surfaced on the Internet. When cybersecurity experts dissected the WALAN Ransomware, there were no indications that this threat belongs to any of the popular ransomware families. It is not known with certainty what infection vectors are being used to propagate the WALAN Ransomware. However, some speculate that the authors of the WALAN Ransomware may be employing spam email campaigns, faux application updates, and corrupted pirated software as a means of spreading their creation. If the user falls for the trickery of the WALAN Ransomware, they will grant the file-encrypting Trojan access to their system. Once the WALAN Ransomware infiltrates the PC, it will start scrutinizing it. The purpose of the scan is to locate the files that will later be encrypted....

Posted on June 25, 2019 in Ransomware

Backdoor.Hawkball.A

Backdoor:Hawkball.A is a method used to bypass encryption or authentication of computer systems and products. This backdoor can be used in accessing passwords, erasing data on hard drives, as well as transferring information onto a cloud. The backdoor was found under the name Hawkball, appearing to target Russian-speaking countries and government members located in Central Asia. The way the backdoor works includes importing malware into an infected system. Once that is done, it begins collecting information on the victimized computers. For the backdoor to work and to be transported, a malicious file was used that appeared to come from a counter-terrorist organization centered on ex-Eastern Bloc republics. The name of the text translates to 'Collection of the guiding composition of anti-terrorist security units and special...

Posted on June 24, 2019 in Backdoors

RedLeaves

The hacking group known as Stone Panda, HOGFISH, and APT10 (Advanced Persistent Threat) has been gaining traction again with another campaign launched that employs the RedLeaves RAT (Remote Access Trojan). The Stone Panda hacking group is believed to originate from China, and there have been speculations that its harmful activity may be sponsored by the Chinese government. APT10 is known for attacks on businesses and government institutions located in Japan and Norway, likely doing the bidding of Chinese officials. The infection vector employed in these campaigns was phishing emails, which contained macro-laced Microsoft Office documents. If the victims get tricked into opening the infected document, they will give it access to their system, and the RedLeaves RAT will be launched. Then, the RedLeaves Trojan will make sure to gain...

Posted on June 24, 2019 in Malware

Cutlet

The Cutlet ATM threat, also called Cutlet Maker, has been quite popular in the world of cyber criminals for about four years now. Despite its rather high price, the Cutlet ATM malware has been a tool preferred by many cyber crooks. The authors of the Cutlet ATM threat provide their clients with very thorough instructions in both English and Russian. These instructions not only teach the client how to set up and use the Cutlet ATM malware but also how to gain access to the USB port of the ATM and how to avoid detection. To employ the Cutlet ATM threat successfully, the attackers need to split into two groups – one that operates the malware behind a computer screen, and one that will likely have to drill a hole into the targeted ATM to plug the USB containing the threat into the machine. Once the Cutlet ATM threat is launched...

Posted on June 24, 2019 in Malware

Adage Ransomware

The Adage Ransomware is a newly spotted data-locking Trojan that has been circulating on the Internet. When malware experts looked into the Adage Ransomware, it quickly became apparent that this threat is a variant of the Phobos Ransomware. It is not known yet what the exact infection vector used in spreading the Adage Ransomware is. However, researchers speculate that the attackers may be using spam email campaigns containing corrupted attached files, bogus software updates, and infected pirated applications to propagate their creation. If the users fall for one of these tricks, they will give the Adage Ransomware access to their systems. Once the Adage Ransomware infiltrates the machine, it will start the attack by scanning it. The end goal of the scan is to determine the locations of the files present on the system. Then, the targeted...

Posted on June 24, 2019 in Ransomware

Truke Ransomware

Cybersecurity researchers have recently uncovered a new data-encrypting Trojan. It is called the Truke Ransomware, and it is a part of the infamous STOP Ransomware family that has been plaguing the Internet for years now. Malware experts have not yet concluded how the Truke Ransomware is being propagated. However, it has been speculated that the authors of the Truke Ransomware may be using faux application updates, infected pirated software, and the tried and tested spam email campaigns to spread their creation. When the Truke Ransomware manages to gain access to a computer, it will start the attack by performing a scan. This is done to identify the locations of the files that this file-locking Trojan will encrypt. Then, the Truke Ransomware will begin the encryption process. When this threat locks a file, it alters its name too. The Truke...

Posted on June 24, 2019 in Ransomware

Bird Miner

With the continuously growing popularity of cryptocurrencies, cybercriminals worldwide have been finding more and more ways to exploit this trend and make a buck off the back of unsuspecting users online. Usually, cyber crooks aim at spreading their malware as far and as wide as possible, and because Windows is by far the most popular OS in the world, most malware created targets machines that run Windows. However, some cyber crooks stray from this well-trodden path. This is the case with the authors of the Bird Miner. They have built their cryptocurrency miner to target only devices that run OSX, and it uses a Linux virtual machine to host and run the crypto mining software chosen by the attackers. The Bird Miner is programmed to mine Monero cryptocurrency. In the first campaign where the Bird Miner was detected, it appeared that the...

Posted on June 21, 2019 in Malware

DMO Ransomware

Cybersecurity experts who specialize in spotting ransomware threats have recently come across a new data-locking Trojan. They named it DMO Ransomware. It appears that the DMO Ransomware is not a variant of any of the popular ransomware threats that have been plaguing the Internet. Malware researchers have not been able to confirm what infection vector has been employed in the propagation of the DMO Ransomware. However, there have been speculations that the creators of this file-encrypting Trojan may be using emails containing a corrupted file, infected pirated applications, and bogus software updates to spread their threat. The DMO Ransomware performs a scan on the system as soon as it manages to infiltrate it. The scan determines the locations of the files which will be locked by the DMO Ransomware. Then, the encryption process...

Posted on June 21, 2019 in Ransomware

Cephalo Ransomware

The Cephalo Ransomware is a recently uncovered file-encrypting Trojan that has been circulating on the Web. Malware experts who have studied it suspect that the Cephalo Ransomware may be a variant of the infamous HiddenTear Ransomware. It is not yet known with full certainty what propagation method is used in spreading the Cephalo Ransomware. However, experts suspect that the infection vectors employed in propagating the Cephalo Ransomware may be mass spam email campaigns, faux application updates, and infected pirated software. If the Cephalo Ransomware infiltrates a system successfully, it will begin its attack by performing a scan. The goal is to determine the locations of the files that the Cephalo Ransomware has been programmed to target. Once this is done, the Cephalo Ransomware will begin encrypting the files...

Posted on June 21, 2019 in Ransomware

Middleman2020 Ransomware

A new ransomware threat was recently spotted – the Middleman2020 Ransomware. Upon further investigation, cybersecurity experts concluded that the Middleman2020 Ransomware might be a variant of the Maoloa Ransomware. Malware researchers have been unable to confirm what exact infection vectors are employed in spreading the Middleman2020 Ransomware. There have been speculations that this threat has been propagated using fraudulent application updates, infected pirated software and, likely, mass spam email campaigns. Once the Middleman2020 Ransomware gains access to a system, it performs a quick scan. The scan determines the location of the files that the Middleman2020 Ransomware will be encrypting. Then, the encryption process begins. When a file undergoes the encryption process of the Middleman2020 Ransomware, its name will be...

Posted on June 21, 2019 in Ransomware

GolfSpy

Lately, smartphones have been turning into a more and more integral part of our lives. Many people use their smartphones more than they use computers. Naturally, this means that people are also storing more and more data on their mobile devices, including sensitive personal information. Cybercriminals do not miss out on such opportunities, and all sorts of threats targeting mobile devices have been developed. The GolfSpy malware is one such case. It is known that the GolfSpy threat is built to target Android devices. The authors of the GolfSpy threat have been propagating it via fraudulent posts on social media. The GolfSpy malware has been involved in campaigns with targets in the Middle East. It appears that the GolfSpy threat is targeting military personnel, which has led some to believe that the attackers have political...

Posted on June 20, 2019 in Malware

Lilith RAT

Sometimes there are cases where the authors of a piece of malware are not the bad actors themselves. People who create software often take an interest in malware too and end up developing a piece of malware, usually as a hobby project or an educational tool. This is all well and good until they decide to make it public or go even further and reveal the full source code of their creation. This is an ideal scenario for cyber crooks because obtaining new hacking tools is usually difficult and/or costly. Having a new hacking utility served to them on a silver platter, for free, is certainly something all cybercriminals dream of. If they are tech-literate enough, they can even modify the threat and weaponize it even further. It would appear that this is exactly the case with the Lilith RAT. It seems that what started as a fun project by, in theory,...

Posted on June 20, 2019 in Remote Administration Tools

SystemCrypter Ransomware

The SystemCrypter Ransomware is a brand-new ransomware threat that has been spotted recently. Upon further investigation, it appears that this data-locking Trojan does not belong to any of the popular ransomware families but is a separately developed threat. Cybersecurity researchers have not been able to determine the exact infection vector used in propagating this file-encrypting Trojan, but it is very likely that the authors of the SystemCrypter Ransomware have employed spam email campaigns alongside faux software updates and infected pirated applications in spreading their creation. When the SystemCrypter Ransomware infiltrates a PC, it will begin the attack by scanning the data present on the system. The objective of this scan is to determine the locations of the files that will be targeted for encryption. Next is the encryption...

Posted on June 20, 2019 in Ransomware