Get2

Over the past several years, a hacking group called TA505 has grown considerably, and researchers believe it is behind the notorious Locky Ransomware campaigns and the Dridex banking Trojan. The TA505 group appears to target mainly companies in the finance industry. The group is known to launch attacks all around the globe – in the United States, Canada, Singapore, Greece, Sweden, Georgia and elsewhere. When malware researchers studied the latest TA505 campaigns, they came across two previously unknown malware families – the SDBbot RAT and the Get2 Trojan downloader.

Collects Data and Delivers a Secondary Payload

Like most Trojan downloaders, once the Get2 Trojan infiltrates a host, it starts collecting information about the host's hardware and the software present. All the...

Posted on October 17, 2019 in Remote Administration Tools

SDBbot RAT

While some hacking groups are employed by governments to do their bidding in various campaigns, others are purely financially motivated. The TA505 group belongs to the latter category. This group's activity was first spotted in 2017 and has been monitored ever since. They mostly target businesses operating in the finance industry. On the 7th of September, they launched an attack targeting victims in Sweden, Singapore, Greece, Georgia and other places. The propagation method used by the TA505 group was bogus emails carrying infected attachments. The attachment was tailored to look like a legitimate Excel document so that the user does not suspect that something fishy is going on. If the targeted person opens the attachment, it triggers the launch of the Get2 Trojan downloader. This...

Posted on October 17, 2019 in Remote Administration Tools

Graboid

Most cryptojacking worms are propagated via torrents, malvertising campaigns, bogus downloads and other popular methods. However, some cyber crooks opt for more creative infection vectors. Such is the case with the Graboid cryptojacking worm. The authors of the Graboid worm spread this threat through unsecured containers, in this instance Docker.

Most Victims are Located in China

The creators of this cryptojacking worm are not targeting a particular class of people or a specific industry or business type. However, most of the victims of the Graboid worm are located in China. It has been determined that there are likely more than 10,000 victims so far. The purpose of the Graboid cryptojacking worm is to infect a system and hijack its resources to mine the Monero cryptocurrency. By default, Docker does not have ports open for...

Posted on October 17, 2019 in Worms

RUHAPPY

A newly emerging hacking group from North Korea has been making headlines recently. This group is known as APT37 (Advanced Persistent Threat) or ScarCruft. The APT37 group appears to be employed by the North Korean government and used as its cyber attack dogs alongside the infamous Lazarus hacking group. The majority of the ScarCruft group's targets tend to be located in South Korea, but there have been some notable campaigns against targets in the Middle East too. The APT37 group has a preference for stealth, and they design their tools to operate silently and remain under their victims' radar for as long as possible. This way, the ScarCruft group can collect more information about its targets.

Can Render a System Inoperable

Despite the fact that most of the hacking tools in the APT37 arsenal are tailored...

Posted on October 17, 2019 in Malware

Blackremote RAT

Cybercriminals do not always end up using the malware they build. Often, instead of employing their hacking tools in campaigns, they sell or rent them to other shady individuals online. This is the case with the Blackremote RAT (Remote Access Trojan). The creators of this Trojan posted an advertisement online, which immediately got on the radar of malware researchers. The advertisement was posted by a user going by the name ‘Speccy’ or ‘Rafiki.’ The creators of the Blackremote RAT claim that their threat is ‘undetectable’ and has a long list of capabilities.

Masks as a Legitimate Tool

A common tactic when renting out or selling hacking tools is to try to pass them off as a legitimate application with no unsafe potential. However, the people who sell it and the people who buy it are well aware of what the real deal is....

Posted on October 16, 2019 in Remote Administration Tools

KARAE

North Korea is known to have some highly skilled cybercriminals, and these individuals usually work for the government. The most well-known APT (Advanced Persistent Threat) hailing from North Korea is the Lazarus hacking group. However, recently a new group has been gaining traction, ScarCruft (also known as APT37). Since the ScarCruft hacking group is funded by the North Korean government, it is logical that the campaigns they launch do its bidding. This is why most of the targets of the ScarCruft group are located in South Korea and tend to be high-ranking officials or government institutions. ScarCruft has developed a long list of hacking tools that keeps expanding over time.

Targets Random Users

One of the custom-built hacking tools of APT37 is the KARAE backdoor Trojan. Malware researchers...

Posted on October 16, 2019 in Backdoors

SHUTTERSPEED

The newly rising star on the North Korean cybercrime stage is the ScarCruft hacking group, also known under the alias APT37 (Advanced Persistent Threat). The ScarCruft hacking group is likely funded directly by the government of North Korea, which is why it is almost certain that the APT37 group is one of Kim Jong-Un's attack dogs. It therefore makes sense that most of the targets of the ScarCruft hacking group are either government-linked institutions or high-ranking officials, usually located in South Korea. One of the tools in the arsenal of the ScarCruft hacking group is the SHUTTERSPEED backdoor Trojan. This threat is meant to be used as a first-stage payload that serves to deploy additional threats on the compromised machine. The SHUTTERSPEED Trojan can also collect system information (software and hardware)...

Posted on October 16, 2019 in Backdoors

Leto Ransomware

An increasing number of ransomware threats has been plaguing the Internet. One of the most popular ransomware families in 2019 has certainly been the STOP Ransomware family. Malware researchers have determined that more than 150 variants of this data-locking Trojan have been released so far. One of the most recently detected file-encrypting Trojans is the Leto Ransomware.

Propagation and Encryption

After spotting and studying this ransomware threat, experts concluded that it is a STOP Ransomware variant. Mass spam email campaigns, fake updates and bogus pirated copies of legitimate applications may be among the infection vectors involved in the distribution of the Leto Ransomware. As with most file-locking Trojans, the Leto Ransomware will scan all your files as soon as it manages to invade your system. Once this...

Posted on October 16, 2019 in Ransomware

RDFSNIFFER

Some hacking groups are state-sponsored and thus do the bidding of their governments in various campaigns targeting political and business sectors. Other hacking groups are autonomous and usually tend to be entirely financially motivated. An example of the latter is the Carbanak Group (also referred to as FIN7), a group of shady individuals who have managed to wreak havoc all around the world over the years and cause damages in the hundreds of millions of dollars. Malware experts have recently detected a new tool employed by the Carbanak Group, RDFSNIFFER. This hacking tool can be classified as a RAT (Remote Access Trojan) and seems to be utilized mainly as a second-stage payload with the assistance of the BOOSTWRITE Trojan loader, another tool present in the Carbanak Group’s arsenal. Targets...

Posted on October 15, 2019 in Malware

PortReuse

China is well known for its hacking groups. Some operate on their own terms, while others are believed to be sponsored by the Chinese government. One of the more notorious Chinese hacking groups is the Winnti Group, also known as APT41 (Advanced Persistent Threat). They have been gaining prominence since 2010. The Winnti Group is named after a hacking tool developed by this APT – the Winnti malware. This threat, first spotted in 2013, put the Winnti Group on the map. Ever since the hacking group gained prominence thanks to the Winnti malware, they have been developing new tools, one of which is the PortReuse backdoor Trojan.

Its Preference for Stealth

Most backdoor Trojans follow the same pattern – they are operated via a remote C&C (Command & Control) server and tend to have a long list of capabilities. However, this...

Posted on October 15, 2019 in Backdoors

BOOSTWRITE

Some hacking groups are strictly involved in activism, others serve various governments, and some act out of pure greed. The latter is the case with the Chinese hacking group Carbanak Group, also known as FIN7. This hacking group became a known name after it launched the Carbanak Trojan. This threat became one of the most notorious banking Trojans ever created and gave its name to the hacking group responsible for it. The Carbanak Group is known to target mainly companies in the restaurant, hospitality and retail industries. It appears that most of their victims are located in the United States. The Carbanak Group is developing new tools, and two of them have recently been spotted in the wild. It is likely that these new hacking tools may be utilized in campaigns...

Posted on October 15, 2019 in Trojans

GELCAPSULE

One would be surprised at how many high-profile hacking campaigns hail from North Korea, considering how restricted Internet access is there. In the past, there used to be only one prominent hacking group originating from North Korea, the Lazarus group. However, recently there has been a new star on the horizon – the ScarCruft hacking group, also referred to as APT37 (Advanced Persistent Threat).

Self-Preservation Techniques

The ScarCruft hacking group has an expanding arsenal of hacking tools. Among them is the GELCAPSULE Trojan downloader. It has been determined that this threat is capable of recognizing whether it is being run in a sandbox environment. If it is, the GELCAPSULE Trojan halts its activity as a method of self-preservation. This Trojan downloader is also known for...

Posted on October 15, 2019 in Trojan Downloader

Tarmac

Malware targeting OSX devices is not as common as malware that goes after computers running Windows. However, that does not mean that threats designed specifically to target Apple computers do not exist. A significant number of Mac owners falsely believe that their devices are impenetrable, a misconception that has brought headaches to many Apple users. Earlier this year, cybersecurity researchers spotted a brand new threat that targets Mac computers. The harmful campaigns linked to this threat were concentrated in the United States, Italy and Japan. The name of this new threat is the Shlayer Trojan, and it serves as a first-stage payload. For a while, malware experts were not able to determine what secondary payload the Shlayer Trojan delivers. However, in a more recent operation, it was...

Posted on October 14, 2019 in Malware

Attor

Attor is a threat that has been tailored to target mobile devices and has been able to operate for a couple of years without being spotted by malware researchers. This threat can be classified as a spyware tool, and it is likely that its operators have accumulated a large amount of collected data over the years. The Attor spyware was spotted recently because its operators began targeting high-ranking individuals linked to the Russian government. It appears that the activity of the Attor spyware is concentrated mainly in Eastern Europe, with the majority of targets located in the Russian Federation.

May Utilize AT Commands

The Attor spyware is a rather interesting threat. It has been determined that this hacking tool is built modularly, which allows the Attor malware to be very flexible. Furthermore, the design of this...

Posted on October 14, 2019 in Spyware

CORALDECK

The North Korean government is known to use the services of hackers. Recently, apart from the well-known Lazarus hacking group, a new actor has emerged, the ScarCruft APT (Advanced Persistent Threat). This hacking group is also often referred to as APT37. They appear to target mainly high-ranking South Koreans. However, malware researchers have spotted APT37 campaigns in the Middle East, as well as in Vietnam and Japan. It is likely that the ScarCruft hacking group began operating in 2015.

Preference for Stealth

The ScarCruft group tends to pay special attention to stealth in its operations. Another signature component of APT37 operations is the collection of important information from the host. One of the primary tools the hacking group uses for gathering data is the CORALDECK malware. The first campaign involving the...

Posted on October 14, 2019 in Trojans