Skipper

The Turla hacking group is one of the most infamous actors in the world of cybercrime. They have been given the APT (Advanced Persistent Threat) title by cybersecurity experts. This APT is believed to originate from Russia and is likely to be working with the Russian Government. The reason this is so widely believed is the targets that the Turla hacking group goes after. Most of the victims of the Turla APT are linked to politics in one way or another. Often, the targets are political actors in ex-Soviet states, as well as Western government entities. This is why malware experts believe that the efforts of the Turla APT are directed towards furthering the political interests of the Kremlin. This hacking group is well-known for its affinity for using old hacking tools alongside new ones. They tend to update their cyber-threats...

Posted on June 13, 2019 in Trojans

Armageddon Ransomware

Recently, malware experts happened upon a new ransomware threat. This file-encrypting Trojan appears to be based on the HiddenTear Ransomware – an open source ransomware project. It is not known exactly what propagation method is employed in spreading the Armageddon Ransomware, but it is speculated that some of the methods used may be fraudulent software updates, corrupted pirated applications and spam email campaigns. When a machine is infiltrated by the Armageddon Ransomware, it would be scanned with the end goal of locating the files, which will be encrypted in the next step of the attack. Once that is done, the encryption process will be executed. The Armageddon Ransomware alters the names of the files it locks. When the encrypting of the data is completed, the Armageddon Ransomware launches a pop-up window, which serves as a...

Posted on June 13, 2019 in Ransomware

‘Unlock11@protonmail.com’ Ransomware

Malware researchers have come upon another emerging data-locking Trojan recently. This threat is called the ‘Unlock11@protonmail.com’ Ransomware. This malware does not seem to belong to any of the famous ransomware families. It is not confirmed what infection vectors are employed in propagating the ‘Unlock11@protonmail.com’ Ransomware. However, it is likely that the creators of the ‘Unlock11@protonmail.com’ Ransomware may be relying on spam emails containing corrupted attachments, faux application updates, and infected pirated software to spread their threat. Once a system is infiltrated by the ‘Unlock11@protonmail.com’ Ransomware, the threat would begin a scan. The scan is meant to determine the locations of the files, which the ‘Unlock11@protonmail.com’ Ransomware is targeting. Then, the ‘Unlock11@protonmail.com’ Ransomware would...

Posted on June 13, 2019 in Ransomware

Warning: Digitally Signed Malware is On the Rise

Code signing is, theoretically, a great tool for discriminating between legitimate executables and suspicious, potentially harmful malware. However, recent submissions to online threat databases show a worrying trend - an increasing amount of real malware is being distributed with very real certificates issued by real authorities. Over the course of roughly 12 months, VirusTotal, a service that collects, catalogs and analyses threat samples using a variety of tools and methods, has accumulated nearly 4000 different pieces of malware that have all been digitally signed by legitimate certification authorities. The institutions issuing those certificates included Entrust, DigiCert, Go Daddy, GlobalSign, Sectigo and VeriSign. The data comes from a report published by Medium's Chronicle Blog. There may be more Digitally-Signed Malware than...

Posted on June 13, 2019 in Computer Security

IPStorm

Some more dedicated cybercriminals focus their efforts on building large-scale botnets, which can be used for various purposes and prove to be very profitable. However, building up a sizeable botnet and then maintaining it is not easily achievable. This is why not many cyber crooks have succeeded in this task. Botnets can be employed in different operations. A very common one is using a botnet for DDoS (Distributed Denial of Service) attacks. Other times the hijacked machines can be used for mining cryptocurrency, which is then sent to the operator of the botnet. However, when spotted, it may not be evident what the purpose of a botnet is. This is the case with the IPStorm botnet – malware researchers are yet to identify what operations this botnet is involved in. It has not been confirmed how this threat is being propagated. The...

Posted on June 12, 2019 in Malware

PCASTLE

PCASTLE is not the most sophisticated malware when it comes to the way it was created - its sole function is to execute a series of PowerShell commands that perform the actions that will be discussed in this post. Ever since cryptocurrencies gained traction, cybercriminals have been finding more and more ways to misappropriate them or generate them on the backs of unsuspecting users. In its essence, the PCASTLE malware is a Trojan cryptocurrency miner. It is not known with certitude how the PCASTLE malware is being propagated exactly, but cybersecurity experts have identified who the target is – computers located in China. Out of all identified victims of the PCASTLE threat, 92% are machines with Chinese IP addresses. Once the PCASTLE Trojan lands on a host, it executes the XMRig mining tool to start mining the cryptocurrency of...

Posted on June 12, 2019 in Malware

Html Ransomware

Malware researchers have come across a new threat recently, which they called the Html Ransomware. When it was dissected, the Html Ransomware revealed that it is a variant of the very widely known Dharma Ransomware. Cybersecurity experts have not been able to identify the infection vector employed in spreading the Html Ransomware, but it is speculated that the authors of the threat may be using spam email campaigns, bogus software updates, and corrupted pirated data to propagate their creation. Once the Html Ransomware gets access to a computer, it starts off the attack by performing a scan of the data present on the system. When the scan is completed, the Html Ransomware would have located all the files which it intends to encrypt. Then, the Html Ransomware would begin the encryption process. When a file undergoes the encryption...

Posted on June 12, 2019 in Ransomware

Bisquilla Ransomware

Recently, cybersecurity experts happened upon a new ransomware threat – the Bisquilla Ransomware. Unlike most newly emerging malware of this type, the Bisquilla Ransomware appears to be a project started from scratch, rather than a slightly altered variant of an already existing file-locking Trojan. Most ransomware authors have been getting rather lazy recently, and instead of creating their own threats, they rely on already established data-encrypting Trojans like the Dharma Ransomware or the STOP Ransomware to build their threats on. The Bisquilla Ransomware is an exception to this rule. This threat is disguised as a Google Chrome updater. When the Bisquilla Ransomware infiltrates your system, it will present you with a pop-up window, which states ‘Please relax and enjoy a warm cup of tea while I encrypt your files. Do not turn off...

Posted on June 12, 2019 in Ransomware

ICEFOG

ICEFOG (also called Fucobha) is a threat that has been familiar to malware researchers for a while now. This threat has been around since 2013 and is believed to originate from a Chinese-speaking hacking group also named ICEFOG. The ICEFOG malware did not manage to stick around for long and was believed to be an abandoned project. However, a reputable malware expert has released a statement that two updated variants of the ICEFOG malware have been spotted recently. The new versions of the ICEFOG threat are believed to have been used in campaigns in 2014 and 2018. There is evidence that the new variants are being used by several different APTs (Advanced Persistent Threats), not just by the original creators of the ICEFOG malware. The new and updated versions of the ICEFOG malware are called ICEFOG-M and ICEFOG-P. They pack a serious number...

Posted on June 11, 2019 in Malware

GoldBrute

Often, the first place cybercriminals look when trying to penetrate a machine running Windows is Microsoft’s RDP (Remote Desktop Protocol). One of the most significant Windows OS vulnerabilities to be unveiled in the past few months is BlueKeep. Exploiting this vulnerability would potentially enable malware to spread laterally and greatly amplify its reach and the harm it causes. Recently, the Remote Desktop Protocol has been targeted by cyber crooks again and, much to the surprise of malware experts, the attackers have not exploited the BlueKeep vulnerability. This latest campaign is remarkable in its scale, but the cybercriminals have decided to keep it simple this time. The activity of a huge botnet was spotted by cybersecurity experts recently. The botnet in question is called GoldBrute. The GoldBrute botnet locates RDP-enabled...

Posted on June 11, 2019 in Botnets

Myskle Ransomware

Cybersecurity researchers have come across a new data-encrypting Trojan recently. This threat was given the name Myskle Ransomware. It is likely that this new ransomware threat is a variant of the well-established STOP Ransomware. It is not yet clear what infection vector is employed by the cyber crooks responsible for the Myskle Ransomware, but malware experts believe that this file-locking Trojan may be propagated via spam emails containing infected attachments, bogus software updates and corrupted pirated content. Once the Myskle Ransomware penetrates a system successfully, it begins the attack with a scan. The idea behind the scan is to locate the files which are targeted for encryption. After completing the scan and locating the desired files, the Myskle Ransomware would begin encrypting them. This threat adds an extension at the...

Posted on June 11, 2019 in Ransomware

Muslat Ransomware

Recently, malware researchers have spotted a new ransomware threat emerging, which has already claimed one victim in Morocco. This new data-locking Trojan was dubbed Muslat Ransomware, and when further examined, this ransomware threat was revealed to be a part of the infamous STOP Ransomware family. It is not known with full certainty what propagation method the cyber crooks responsible for the Muslat Ransomware have applied in spreading their creation, but experts speculate that the infection vectors may include mass spam email campaigns, alongside pirated software and faux app updates. When the Muslat Ransomware infiltrates the targeted host, it begins scanning the system. The purpose of the scan performed by the Muslat Ransomware is to determine the locations of the files which will be targeted for encryption. When the scan is...

Posted on June 11, 2019 in Ransomware

GAMEFISH

GAMEFISH (which also goes by the name Downrage) is a tool that belongs to the infamous hacking group Fancy Bear, also known as APT28 (Advanced Persistent Threat) and Sofacy. Fancy Bear is believed to originate from Russia and is known to have been active since 2004, so it is fair to say that they are not new to this. These cyber crooks have a particular taste for high-profile political targets. This has led malware experts to believe that Fancy Bear may be linked to the Russian Government and is likely operating on its behalf, to further Russian interests globally. One of Fancy Bear’s big-scale operations that took place rather recently was their attack launched against certain French political actors before the presidential elections in France in 2018. It is likely that the GAMEFISH tool is used in the first stage of an attack...

Posted on June 10, 2019 in Malware

Boston Ransomware

Malware experts have discovered a new ransomware threat circulating the Web recently. This new file-locking Trojan was dubbed the Boston Ransomware, and when it was further dissected, it became clear that this threat belongs to the STOP Ransomware family. It is not yet clear how the authors of the Boston Ransomware are propagating their creation exactly. However, experts speculate that pirated software, mass spam email campaigns, and bogus software updates may be at play here. Once the Boston Ransomware infiltrates a host, it starts scanning the system. The purpose of this scan is to determine the locations of the files this threat was programmed to target. Then, the Boston Ransomware will start encrypting the targeted data. When the Boston Ransomware locks a file, it applies an extra extension at the end of the file name – ‘.boston.’...

Posted on June 10, 2019 in Ransomware

Heroset Ransomware

Heroset Ransomware is a recently uncovered data-encryption Trojan. When malware experts studied this threat, they concluded that the Heroset Ransomware is a variant of the very popular STOP Ransomware. Cybersecurity researchers cannot confirm with full certainty how the Heroset Ransomware is being spread. However, it is likely that the authors of the threat may be employing faux software updates, infected pirated content, and spam emails as an infection vector. If the Heroset Ransomware infiltrates a system successfully, it will start the attack by performing a scan. The scan is meant to locate all the data which the Heroset Ransomware will later encrypt. Once this step is completed, the Heroset Ransomware will begin the encryption process. After the encryption process is through, you will notice that the names of your files have been...

Posted on June 10, 2019 in Ransomware