A week before Christmas, the cryptocurrency mining botnet PGMiner is showing smarter ways to break into a victim’s machine. At its core, PGMiner attempts to connect to a mining pool for Monero mining. Learn more about this and other malware in this batch of InfoSec articles.

For more articles, check out our #onpatrol4malware blog.


Threat actor leverages coin miner techniques to stay under the radar – here’s how to spot them

Source: Microsoft

Recent campaigns from the nation-state actor BISMUTH take advantage of the low-priority alerts coin miners cause to try to fly under the radar and establish persistence. Read more.

DNS data mining case study – skidmap

Source: Netlab

The DNS protocol carries data that, to a certain extent, reflects a good deal of user behavior, so security analysis of DNS data can cover a decent share of malicious activity. Read more.

Running in Circles

Source: The Citizen Lab

Circles is a surveillance firm that reportedly exploits weaknesses in the global mobile phone system to snoop on calls, texts, and the location of phones around the globe. Circles is affiliated with NSO Group, which develops the oft-abused Pegasus spyware. Read more.


The chronicles of Emotet

Source: Securelist

The banking Trojan Emotet has repeatedly mutated, changed direction, acquired partners, picked up modules, and generally been the cause of high-profile incidents and multimillion-dollar losses. Read more.

TrickBot’s new module aims to infect your UEFI firmware

Source: Bleeping Computer

TrickBot malware developers have created a new module that probes for UEFI vulnerabilities, demonstrating the actor’s effort to take attacks to a level that would give them ultimate control over infected machines. Read more.

How to Beat Nefilim Ransomware Attacks

Source: Picus

In this blog post, Picus provides tactics, techniques and procedures (TTPs) utilized by the Nefilim threat actors, since detecting and blocking TTPs used by a threat is the most effective method to prevent that threat. Read more.


Malware Delivery Platforms in 2020

Source: marcoramilli

They wrote a paper for IEEE titled “Multi-stage delivery of malware”, describing how threat actors abuse multi-stage techniques to deliver malicious and unwanted software. Read more.

BEC Response Guide – Tips for Responding to Business Email Compromise Incidents

Source: Ronnie T

Malware incidents suck, but if you want to know what it’s like responding to a BEC incident, triple the carnage, shake the snow globe, set it on fire, and there you go: a Business Email Compromise incident. Read more.


PGMiner: New Cryptocurrency Mining Botnet Delivered via PostgreSQL

Source: Palo Alto

The cryptocurrency mining botnet was named “PGMiner” after its delivery channel and mining behavior. At its core, PGMiner attempts to connect to the mining pool for Monero mining. Read more.

Trickbot Now Offers ‘Trickboot’: Persist, Brick, Profit

Source: Eclypsium

The new functionality, dubbed “TrickBoot,” makes use of readily available tools to check devices for well-known vulnerabilities that can allow attackers to read, write, or erase the UEFI/BIOS firmware of a device. Read more.

APT Group Targeting Governmental Agencies in East Asia

Source: Decoded Avast.io

Avast discovered a new APT campaign targeting government agencies and a National Data Center of Mongolia. Based on their research, they believe the Chinese-speaking APT group LuckyMouse is behind the attack. Read more.