Ransomware has been a hot topic the last couple of weeks. We’re seeing its versatility, with distribution techniques spanning server vulnerabilities to advertising platforms, along with the use of AV tools to distract from its activities. There’s yet another CISA Malware Analysis Report (MAR) focused on the North Korean government’s malicious cyber activity, this time the malware variant known as ELECTRICFISH.
For more articles, check out our #onpatrol4malware blog.
A journey to Zebrocy land
At the end of August 2018, the Sednit group launched a spearphishing email campaign where it distributed shortened URLs that delivered the first stage of Zebrocy components. Read more.
Nigerian BEC Scammers Shifting to RATs As Tool of Choice
Scammers running business email compromise (BEC) fraud have grown in number, attack more often, and turn to remote access trojans as the preferred malware type to accompany their raids. Read more.
Threat spotlight: CrySIS, aka Dharma ransomware, causing a crisis for businesses
CrySIS, aka Dharma […] has become increasingly active lately, increasing by a margin of 148 percent from February until April 2019. Read more.
MAR-10135536-21 – North Korean Tunneling Tool: ELECTRICFISH
Working with U.S. Government partners, DHS and FBI identified a malware variant used by the North Korean government. This malware has been identified as ELECTRICFISH. Read more.
Qakbot Assembles Itself from Encrypted Halves to Evade Detection
A malware campaign was observed disseminating a new Qakbot banking Trojan variant which comes with a novel persistence technique that improves its evasion skills… Read more.
Hawkeye keylogger using fileless delivery system via Amazon AWS
Source: My Online Security
We have been seeing a massive increase in Malspam emails delivering Hawkeye keylogger / infostealer trojan [using] a zip file containing the trojan itself or a malformed Word doc either containing macros or… Read more.
Sodinokibi Ransomware Being Installed on Exploited WebLogic Servers
Attackers are exploiting a recently disclosed WebLogic vulnerability to install a new ransomware called Sodinokibi. As this vulnerability is trivial to exploit, it is important [to] patch immediately… Read more.
Buhtrap backdoor and ransomware distributed via major advertising platform
This is just what has been happening for the past few months, where a group using two well-known backdoors — Buhtrap and RTM — as well as ransomware and cryptocurrency stealers, has targeted organizations, mainly in Russia. Read more.