Ransomware has been a hot topic the last couple of weeks. We’re seeing its versatility, with distribution techniques spanning server vulnerabilities to advertising platforms, along with the use of AV tools to distract from its activities. There’s yet another CISA Malware Analysis Report (MAR) focused on the North Korean government’s malicious cyber activity, this time the malware variant known as ELECTRICFISH. 

For more articles, check out our #onpatrol4malware blog.


A journey to Zebrocy land

Source: ESET

At the end of August 2018, the Sednit group launched a spearphishing email campaign where it distributed shortened URLs that delivered the first stage of Zebrocy components. Read more.


Nigerian BEC Scammers Shifting to RATs As Tool of Choice

Source: BleepingComputer

Scammers running business email compromise (BEC) fraud have grown in number, attack more often, and turn to remote access trojans as the preferred malware type to accompany their raids. Read more.


Threat spotlight: CrySIS, aka Dharma ransomware, causing a crisis for businesses

Source: Malwarebytes

CrySIS, aka Dharma […] has become increasingly active lately, increasing by a margin of 148 percent from February until April 2019. Read more.


MAR-10135536-21 – North Korean Tunneling Tool: ELECTRICFISH

Source: CISA

Working with U.S. Government partners, DHS and FBI identified a malware variant used by the North Korean government. This malware has been identified as ELECTRICFISH. Read more.


Qakbot Assembles Itself from Encrypted Halves to Evade Detection

Source: BleepingComputer

A malware campaign was observed disseminating a new Qakbot banking Trojan variant which comes with a novel persistence technique that improves its evasion skills…. Read more.


Dharma Ransomware Uses AV Tool to Distract from Malicious Activities

Source: Trendmicro

The Dharma ransomware has been around since 2016, but it has continued to target and successfully victimize users and organizations around the world. Read more.


Hawkeye keylogger using fileless delivery system via Amazon AWS

Source: My Online Security

We have been seeing a massive increase in Malspam emails delivering Hawkeye keylogger / infostealer trojan [using] a zip file containing the trojan itself or a malformed word doc either containing macros or…. Read more.


Sodinokibi Ransomware Being Installed on Exploited WebLogic Servers

Source: BleepingComputer

Attackers are exploiting a recently disclosed WebLogic vulnerability to install a new ransomware called Sodinokibi. As this vulnerability is trivial to exploit, it is important [to] patch immediately…. Read more.


Buhtrap backdoor and ransomware distributed via major advertising platform

Source: ESET

This is just what has been happening for the past few months, where a group using two well-known backdoors — Buhtrap and RTM — as well as ransomware and cryptocurrency stealers, has targeted organizations, mainly in Russia. Read more.