DOGCALL

There is a newly emerging high-profile ill-minded actor from North Korea, the ScarCruft hacking group. This group of individuals also is known as the APT37 (Advanced Persistent Threat). Cybersecurity researchers believe that the ScarCruft group is likely being funded by the North Korean government directly and is being used as a weapon against foreign governments and officials. Most of the APT37’s targets appear to be South Korean individuals in positions of importance or power. The ScarCruft hacking group has a long list of hacking tools, among which is the DOGCALL backdoor Trojan. The first campaign in which the DOGCALL Trojan was utilized took place in August 2016.

Targeted Military and Government Institutions in South Korea

In 2017 the APT37 launched an operation targeting government bodies and military institutions located in...

Posted on October 14, 2019 in Malware

NavRAT

The APT37 (Advanced Persistent Threat) is a hacking group that has been around for a while and is believed to work in cooperation with the North Korean government (although this information is yet to be confirmed with full certainty). Most of the targets of the APT37 group are concentrated in South Korea and tend to be rather high-profile. Recently, the APT37 used spear-phishing emails to propagate a threat called NavRAT (Remote Access Trojan). Malware researchers regard the delivery method used by the attackers as rather intriguing. It also is interesting to point out that the infrastructure used in the campaigns involving NavRAT is not very conventional either.

Propagates via Spear-Phishing Emails

The aforementioned spear-phishing emails would contain an infected attachment in the shape of a ‘.HWP’ file. This corrupted file is named...

Posted on October 11, 2019 in Remote Administration Tools

Hiddad

Hiddad is an Android-based piece of adware. Most of the activity of the Hiddad adware is concentrated in Russia, with over 40% of the victims being located there. However, there have been reports of infections in the USA, India, Germany, Ukraine and Indonesia, among other countries. The creators of the Hiddad adware employ various social engineering techniques to achieve their end goal, which is to convince the user to click on their advertisements. This may not sound like too much of a big deal, but the authors of Hiddad can cash in on some significant revenue if they manage to plant their creation on enough host devices.

Spreads via Fake Applications

This piece of adware appears to have been hosted on the official Google Play Store, posing as several fake applications: ‘Snap Tube,’ ‘Music Mania,’ and ‘Tube Mate.’ Thankfully, the developers...

Posted on October 11, 2019 in Adware

AndroidBauts

The AndroidBauts botnet is a network of infected Android devices that are used for promoting advertisements to users online. At one point, the number of infected devices was more than 550,000. The creators of the AndroidBauts botnet are able to gather data regarding the compromised devices, both software and hardware. Most of the infected devices appear to be located in India and Indonesia. However, a significant number of compromised Android devices that belong to the AndroidBauts botnet also can be found in Russia, Argentina, Vietnam, Malaysia and other countries.

Propagated via Fake Applications

The operators of the AndroidBauts botnet are likely to have infected this staggering number of devices by hosting fake applications on the official Google Play Store. Users tend to be less careful when they are downloading applications from...

Posted on October 11, 2019 in Malware

Lotoor

Lotoor is a threat that is crafted to target Android devices specifically. Most of the Lotoor malware activity appears to be located in the Russian Federation, with more than 32% of the compromised devices being concentrated in this region. However, this malware family appears to be also rather active in the USA, Brazil, India, Germany, Vietnam and others.

Lotoor’s Capabilities

The approach of the Lotoor malware is to sneak into the target’s Android device silently and look for various exploits that may be present. Then, if any are detected, the Lotoor threat will try to use them to get administrator privileges. If this attempt is successful, the Lotoor malware will be able to receive and execute remote commands from its operators. This means that the Lotoor authors can:
Collect sensitive data.
Disable any security measures, which may be...

Posted on October 11, 2019 in Malware

Jsecoin

Jsecoin is a service used for mining cryptocurrency via the Web browser. This is achieved by injecting code written in JavaScript into the targeted website. Not all Web pages that take advantage of this service are ill-intended; sometimes genuine websites use this feature, but the difference is that legitimate pages never fail to inform the user that their system will be used to mine cryptocurrency. However, there are rogue websites that will not present the user with any notification. In this case, the cryptocurrency being mined is Monero. Visitors to websites that have been injected with Jsecoin will automatically have large amounts of their processing power used for mining Monero. Often, such shady Web pages will make sure to use up as much processing power as possible with no regard for the user and their system....

Posted on October 11, 2019 in Malware

APT37

APT37 (Advanced Persistent Threat) is a hacking group that is likely to operate from North Korea. Experts speculate that APT37 may be financed by the North Korean government directly. This hacking group is also known as ScarCruft. Until 2017, APT37 concentrated almost all their efforts on targets located in South Korea. However, in 2017, the hacking group began expanding their reach and started launching campaigns in other East Asian states such as Japan and Vietnam. The APT37 has also had targets located in the Middle East. The hacking group is also known to collaborate with other ill-minded actors. APT37 is meant to further North Korean interests, and thus their targets tend to be high-profile. The hacking group tends to target industries linked to automobile manufacturing, chemical production, aerospace, etc.

Propagation Methods...

Posted on October 10, 2019 in Malware

COMpfun

COMpfun is a RAT (Remote Access Trojan) that belongs to the Turla hacking group and was first detected around 2014. The Turla APT (Advanced Persistent Threat) is believed to be a group of Russian individuals who are likely to be sponsored by the Kremlin (but this information is yet to be confirmed). The Turla hacking group tends to target high-profile individuals/organizations located in Russia and Belarus. The Turla APT has an impressive arsenal of hacking tools, and if you compare the COMpfun RAT to another one of their threats, the Reductor Trojan, you will see that the latter is far more threatening and complex. However, the COMpfun RAT is not to be underestimated either, as it can still enable the attackers to hijack a system and gain complete control over it.

Capabilities

Some of the features of the COMpfun RAT include: Capturing...

Posted on October 10, 2019 in Remote Administration Tools

Mike Ransomware

One of the most recently detected ransomware threats is called Mike Ransomware, and it appears to be a variant of the HildaCrypt Ransomware. However, there is one significant difference between the HildaCrypt Ransomware and the Mike Ransomware: the latter is built to masquerade as a copy of the notorious STOP Ransomware. Malware researchers have not determined why the authors of the Mike Ransomware would take such an unusual approach.

Propagation and Encryption

It is not yet known what infection vectors are employed in the propagation of this data-locking Trojan. Spam emails containing infected attachments, fake application updates and bogus pirated copies of legitimate applications are among the most popular propagation methods linked to the spreading of ransomware threats. When the Mike Ransomware infiltrates a system, it...

Posted on October 10, 2019 in Ransomware

HildaCrypt Ransomware

At the beginning of October 2019, cybersecurity researchers spotted a new file-locking Trojan. Its name is HildaCrypt Ransomware. The HildaCrypt Ransomware takes the same approach as most ransomware threats; it scans the infiltrated system to locate the files of interest, locks the targeted data using an encryption algorithm, and then asks for payment in return for a decryption key, which is meant to unlock the affected files.

Propagation and Encryption

The methods used in the spreading of the HildaCrypt Ransomware remain unknown. It is likely that the most popular methods of propagating ransomware threats are at play in the case of the HildaCrypt Ransomware, such as fraudulent application updates, fake pirated copies of popular software solutions and mass spam email campaigns. After the HildaCrypt Ransomware infiltrates and...

Posted on October 10, 2019 in Ransomware

Bora Ransomware

Cybersecurity experts detect a growing number of ransomware threats circulating the Web. Some of them are projects that have been built from scratch, while others are copies of already existing and well-established file-locking Trojans.

Propagation and Encryption

One of the most recently detected data-encrypting Trojans is the Bora Ransomware. This newly uncovered threat belongs to the infamous STOP Ransomware family. The experts who studied the Bora Ransomware were not able to pinpoint the infection vectors that are involved in the spreading of this ransomware threat. Usually, file-locking Trojans are propagated via mass spam email campaigns. Sometimes, ransomware authors also opt to use bogus software updates and fraudulent pirated variants of popular applications. Like most threats of this type, the Bora Ransomware runs a quick...

Posted on October 10, 2019 in Ransomware

TeleBots

The TeleBots APT (Advanced Persistent Threat) is believed to originate from the Russian Federation, although this information is yet to be confirmed. Malware experts have determined that it is likely that some of the TeleBots members also have taken part in threatening campaigns carried out by other hacking groups like GreyEnergy, the Sandworm team and BlackEnergy. It is largely believed that the TeleBots hacking group was involved in the infamous cyber-attack targeting the Ukrainian power grid back in 2015. This campaign is significant, particularly because it is one of the first of its kind – a large-scale hacking campaign causing a total blackout is not a common occurrence at all. In 2017 the TeleBots group also went after industry and finance-related targets located in Ukraine.

The TeleBots APT Created the Petya Ransomware and...

Posted on October 9, 2019 in Malware

GreyEnergy

The GreyEnergy APT (Advanced Persistent Threat) is believed to be the successor of the largely destructive hacking group known as the BlackEnergy APT. There are several reasons why cybersecurity experts believe these two hacking groups to be related:
The GreyEnergy hacking group emerged at about the same time as the BlackEnergy APT vanished from the world of cybercrime.
Both the GreyEnergy and BlackEnergy APTs tend to operate with flexible, lightweight hacking tools that are modified and controlled easily.
Most of the efforts of both hacking groups are concentrated in Poland and Ukraine.
They both tend to target critical sectors like industrial or energy-related institutions.
The infrastructure built and used by both the GreyEnergy and BlackEnergy APTs seems to be very closely related.

Changing Approaches

However, the individuals who appear...

Posted on October 9, 2019 in Malware

Reductor

The Turla APT (Advanced Persistent Threat) is an ill-famed hacking group that originates from Russia. They also are known as Uroboros, Snake, Waterbug, and Venomous Bear. The Turla APT is well known in the world of cybercrime and has carried out many devastating hacking campaigns over the years. Some malware researchers believe that the hacking group may be sponsored by the Kremlin, but this information is not yet confirmed. Most of their campaigns are concentrated in ex-Soviet states like Belarus and Ukraine, but they also have launched operations in Iran. One of the hacking tools in the rather large arsenal of the Turla APT is the Reductor RAT (Remote Access Trojan). It is believed that the Reductor RAT is an upgraded variant of the COMpfun threat. The COMpfun Trojan’s main purpose was to serve as a first-stage payload, while the...

Posted on October 9, 2019 in Remote Administration Tools

Muhstik Ransomware

The authors of a threat named Muhstik Ransomware have modified their threat slightly. However, it still bears a resemblance to the ransomware variants it was based on. The Muhstik Ransomware appears to be a variant of the eCh0raix Ransomware and QNAPCrypt Ransomware. These file-encrypting Trojans all target QNAP NAS (Network Attached Storage) devices. Oftentimes users may store important data or sensitive information on NAS devices, as they are commonly perceived as more secure than keeping the data on one’s hard drive. Once the Muhstik Ransomware infiltrates a NAS device, it will begin encrypting all the information that is stored on it. Next, a ransom note named ‘README_FOR_DECRYPT.txt’ is dropped for the victim to read. As with most ransomware threats, the Muhstik Ransomware authors will ask the victim to pay a significant sum as a...

Posted on October 9, 2019 in Ransomware