AVLay RAT

The AVLay RAT (Remote Access Trojan) has been spotted in campaigns targeting mainly users located in Brazil. This threat is written in the Delphi programming language. Normally, RATs have a list of capabilities that hackers take advantage of, such as the ability to collect files, plant malware, access files and processes, etc. It is interesting that the AVLay RAT's main target is any financial information that may be hosted on the compromised system.

Detects Browser Activity Regarding Banking Portals

When the AVLay RAT infects a system, its first task is to establish a connection with the attackers' C&C (Command & Control) server. This way, the AVLay RAT can siphon information about the victim's activity. The AVLay RAT keeps an eye out for any browser activity regarding certain Brazilian banking portals. Once such activity is...

Posted on July 26, 2019 in Remote Administration Tools

APT34

The APT34 (Advanced Persistent Threat) is an Iran-based hacking group that is also known as OilRig, Helix Kitten, and Greenbug. Malware experts believe that the APT34 hacking group is sponsored by the Iranian government and is used to further Iranian interests globally. The APT34 hacking group was first spotted back in 2014. This state-sponsored hacking group tends to target foreign corporations and institutions in the energy, financial, chemical, and defense industries.

Operates in the Middle East

The activity of APT34 is concentrated mainly in the Middle East region. Often, hacking groups exploit known vulnerabilities in outdated software. However, APT34 prefers to propagate its threats using social engineering techniques. The group is known for its use of rarely seen techniques - for example, employing the DNS...

Posted on July 26, 2019 in Malware

Silence

Security researchers discovered a hacker group that attacked and managed to breach a multitude of banks in more than 25 countries around the world, such as India, Bangladesh, Sri Lanka and more recently. The hacker group is dubbed Silence, and it is likely the one behind the attack on the Dutch Bangla Bank Limited located in Bangladesh. The attackers made away with more than 3 million dollars in an attack on an ATM during May 2019. The Silence group has been active since 2016 and has been involved in attacks on banks located in Russia, Eastern Europe and ex-Soviet states. It is also believed that this hacker group released the Silence malware on the bank networks connected to the attack to run harmful commands and access the system to fund withdrawals from banks, according to Group-IB security researcher Rustam Mirkasymov. According...

Posted on July 26, 2019 in Malware

TidePool

TidePool is the name of a family of malware tools exhibiting traits that are commonly found in Remote Access Tools (RATs). Remote Access Tools allow a wide range of threatening activities to be performed on the targeted machine, including read and write access to files, as well as executing commands on the victim's system. TidePool is usually contained in an infected MHTML file - essentially a richer format that allows a whole Web page to be stored in a single file. TidePool exploits the so-called MS Office Malformed ESP file vulnerability. The malware drops a DLL file in C:\Documents and Setting\AllUsers\IEHelper\mshtml.dll, then secures persistence. The next step is to send information about the victim's system to the bad actors' Command and Control server. Once this connection has been established, the TidePool malware...

Posted on July 26, 2019 in Backdoors

DecryptIomega Ransomware

There are more and more ransomware threats coming to light each day as cyber crooks from all around the world try their luck at making a quick buck off the backs of innocent users. One of the newest ransomware threats that has surfaced on the Internet is the DecryptIomega Ransomware.

Targets Lenovo NAS Devices

However, the DecryptIomega Ransomware is not your everyday boring ransomware threat. This threat is similar to the QNASCrypt Ransomware as it targets NAS (Network Attached Storage) devices. For now, the DecryptIomega Ransomware appears to specifically go after NAS devices that are produced by the large Chinese company Lenovo. Some malware researchers speculate that the DecryptIomega Ransomware may be exploiting a bug that was found in the software of the NAS devices. Others believe that the attackers may be using alternative...

Posted on July 25, 2019 in Ransomware

Novasof Ransomware

The Novasof Ransomware is a recently uncovered file-encrypting Trojan. Once malware researchers spotted and dissected this threat, they determined that it is a variant of the STOP Ransomware.

Spreading and Encryption

Researchers have not been able to determine what propagation method is being used to spread this data-locking Trojan. Some believe that the authors of the Novasof Ransomware are employing mass spam email campaigns, bogus software updates, and pirated fake copies of legitimate applications to propagate their malicious creation. When the Novasof Ransomware succeeds in infiltrating a system, it launches a brief scan. The scan determines the locations of the files which the Novasof Ransomware will target for locking. Next comes the encryption process. The Novasof Ransomware employs an encryption algorithm to lock...

Posted on July 25, 2019 in Ransomware

KPOT v2.0

Cybercriminals often sell their creations on hacking forums for other shady individuals to use as they please. This is the case with the KPOT Stealer. Malware researchers first spotted this threat back in the summer of 2018. The KPOT Stealer is meant to be used as a tool for collecting sensitive data such as login credentials, FTP and VPN logins, Web browser saved login details, Steam login information, social media usernames and passwords, cryptocurrency wallets, etc.

Cheaper and More Threatening

Due to its extensive functionality, the KPOT Stealer was a hit in the world of cybercrime and was used in numerous attacks all around the world. Its success prompted its authors to release a new and updated version of the KPOT Stealer called KPOT, which is even cheaper than the original hacking tool. KPOT has a few improvements...

Posted on July 25, 2019 in Trojans

PoSlurp

FIN8 is a hacking group that has been active for several years and has conducted a number of operations around the globe, mainly targeting financial institutions. They have a constantly evolving arsenal of hacking tools. Often, they combine two or more hacking tools in one campaign. In one of their most recent campaigns, the tool called the BADHATCH backdoor Trojan was used to give the more malicious PoSlurp malware, which targets PoS (Point-of-Sale) devices, access to the infected host. The purpose of the PoSlurp malware is to collect financial information that may be located on the compromised system.

Collects Credit Card Data

The malicious code of the PoSlurp malware does not run in a separate process; instead, the attackers inject it into legitimate Windows processes. Then, once the...

Posted on July 25, 2019 in Malware

Facebook to Pay Record $5 Billion Fine in FTC User Privacy Settlement

Facebook, the social media giant that is home to over 2.3 billion monthly active users, has been slapped with an unprecedented fine of $5 billion by the FTC (Federal Trade Commission). The FTC announced the settlement with Facebook over the company's privacy policies; it is the largest fine ever imposed by the FTC or the U.S. government for any violation. In today's landscape of the Internet, social media, and the news media, there is widespread controversy over an endless barrage of privacy matters. Unfortunately, there is no resolution in sight that would assure the public that their data is safeguarded within large social media platforms like Facebook. Facebook's settlement comes amid looming calls in Washington for much-needed accountability and transparency, which has been an increasing...

Posted on July 24, 2019 in Computer Security

Dodoc Ransomware

Like most ransomware authors nowadays, the creators of the newly spotted Dodoc Ransomware have taken the easy route in building a data-locking Trojan and have relied on the code of an already existing threat – the STOP Ransomware. Thus, the Dodoc Ransomware belongs to the STOP Ransomware family and is fairly similar to the original.

Propagation and Encryption

It is not yet clear what methods of propagation the authors of the Dodoc Ransomware have employed in spreading their creation. Some speculate that the cyber crooks may be using bogus software updates, pirated fake variants of legitimate applications, and spam emails containing corrupted attachments, as these are among the most common techniques for propagating this type of malware. Once the Dodoc Ransomware compromises your system, it will swiftly scan it so it can...

Posted on July 24, 2019 in Ransomware

Com2 Ransomware


Posted on July 24, 2019 in Ransomware

BADHATCH

Financially motivated hacking groups are among the most interesting subjects for malware researchers since they are known to employ advanced obfuscation and anti-debugging techniques in their projects. However, the FIN8 group has surprised researchers with the release of a rather interesting piece of malware that does not even attempt to avoid sandboxes or other virtualized environments used for malware debugging.

FIN8 Uses Spear-Phishing Emails to Bring BADHATCH to Targets

The malware in question is called BADHATCH, and it is likely delivered via spear-phishing emails that contain a document that recipients are likely to see as important. However, the document is simply a decoy for an embedded PowerShell script that is meant to unpack the BADHATCH malware and initialize it. In order for this to happen, the recipient must allow...

Posted on July 24, 2019 in Malware

MyloBot

Cybercrime has turned into a very profitable endeavor, and it is not a surprise that many cyber criminals are competing with each other to ensure that they get the most profit from compromised systems. For example, many of the high-profile malware strains identified in the past few years can recognize other active cyber threats and eradicate them from the compromised host, therefore preventing other threat actors from interfering. This is precisely the case with the MyloBot malware, a cyber threat that was recently discovered on the computers of a major telecommunications company. However, it is unlikely that this is the only victim of this malware strain, and it is nearly certain that MyloBot has infected many other users and computers too.

Anti-VM Features Help MyloBot Stay Under the Radar of Researchers

According to...

Posted on July 24, 2019 in Malware

MobiDash

In this day and age, it is surprising how many mobile phone users are not concerned with the safety of their devices at all. In 2018, a report by Statista revealed that 52.2% of all Internet traffic is generated via mobile devices. The Android OS holds over 76% of the mobile OS market share, which means that cybercriminals are much more likely to build malware that targets Android rather than any other mobile OS, as the number of people who would be exposed to their threat would be much larger. However, some shady individuals build non-threatening software, which can still be very irritating, that targets Android users. One such application is the MobiDash adware. The purpose of this application is to spam the user with ads and pop-ups.

Spreads Via Fake Applications

The propagation method of adware is usually via a bogus variant of a...

Posted on July 23, 2019 in Malware

URLZone

The URLZone malware was first introduced as a banking Trojan back in 2009. However, over the years, the creators of the URLZone malware have introduced several updates to this threat and have repurposed it completely. Now, the URLZone malware serves as a first-stage payload, which is meant to deliver much more threatening and contemporary banking Trojans like the infamous Ursnif Trojan.

Campaigns Targeting Japan

One of the latest campaigns that employed the URLZone malware was targeting Japan. The authors of the URLZone malware had tailored a number of different phishing email templates. These phishing emails would contain a macro-laced attachment, which would carry the payload of the threat. To minimize the chances of antivirus applications detecting it, the malicious code in the attachments has been heavily obfuscated....

Posted on July 23, 2019 in Malware