Contact Us

1 (800) 723-1166 |

Security Labs

HomeSecurity Labs
HomeSecurity Labs

Forcepoint Security Labs™ brings together researchers, engineers and thought leaders from around the world to discover, investigate, report and – ultimately – protect our customers from sophisticated, evasive and evolving Web- and email-based threats.

Find out more about the work we do through our blogs, annual reports, conference presentations and podcasts.

Since the leak of the Ursnif/Gozi source code about two years ago there have been multiple campaigns delivering either Ursnif or its ‘forks’ (e.g. GozNym). 

Banking malware is a lucrative business and it was more or less inevitable that a wider range of cybercriminals will take advantage of the opportunity to run their own campaigns, adding to the original code base as they went along. We’ve already discussed some earlier campaigns on this blog, but over the past several weeks we have been examining what appears to be an offshoot of the original Ursnif codebase being targeted – for the time being – predominantly against the UK...

Read more

Those who follow the security news could hardly have missed the release of the ‘EFAIL’ vulnerabilities this week. In brief, issues have been found with OpenPGP and S/MIME email encryption which can potentially expose the decrypted text of a message to attackers.

What are PGP and S/MIME?

The authors of the EFAIL paper cover this well, but ultimately email is a plaintext communication medium – much like the majority of pen and paper letters outside of spy films – and PGP and S/MIME are methods of encrypting the content of these messages.

It should be noted at this point that PGP and S/MIME serve a...

Read more

The countdown has begun.  In February 2018 Google announced that, as of July 2018, Chrome v68 will mark HTTP websites as “Not Secure”.  This push by Google has been a long time coming as they and other vendors make a push for “encrypted by default” or “HTTPS everywhere”.  We reviewed the implications of the web moving towards encryption by default in our 2018 Security Predictions.

(A note from the blog author: While Google’s release dates and features are subject to change it is still worthwhile adopting HTTPS on your website to protect your client's privacy sooner rather than later.  You should also evaluate the implications...

Read more

We covered the basic concepts of blockchain, cryptocurrencies, and coin mining in our previous blog.

As we discussed, after a few evolutionary steps via Application Specific Integrated Circuits (ASICs) mining algorithms returned to their roots: the ‘humble’ personal computer. The suitability of algorithms such as CryptoNight (which underlies the Monero currency) ultimately led to the porting of the source code to JavaScript and a departure from the more traditional approach of having standalone executables for mining, instead executing code from within browser processes.

The Beginning of In-Browser Mining

This new...

Read more

This post is an updated and expanded version of our 2017 cryptocurrency primer.

When Bitcoin (BTC) first appeared in 2009, few people had a clear idea of what it was, let alone the waves it would generate both financially and technologically. The underlying blockchain technology was more or less a new concept, and like most new concepts was poorly understood in general.

In 2018, blockchain remains a hot topic: while it is tied in many people’s minds to cryptocurrencies, it is actually a standalone concept on which cryptocurrencies can be based. This article will clarify how blockchains work and, just as importantly,...

Read more

When it comes to cross-platform backdoors, Adwind is arguably the most popular and documented remote access tool (RAT) out there. However in the last two years, an underground group calling themselves ‘QUA R&D’ have been busy developing and improving a similar Malware-as-a-Service (MaaS) platform to the point that they have now become a major competitor to Adwind. In fact, QUA R&D's RAT – sold under the name ‘Qrypter’ – is often mistaken by the security community as Adwind.


Qrypter is a Java-based RAT that uses TOR-based command and control (C2) servers. It was first made available in March 2016 and...

Read more

Forcepoint recently published a whitepaper related to how DanderSpritz/PeddleCheap communicates with malicious implants. This is a follow-up blog post related to evasions used in DoublePulsar and DanderSpritz.

There are some very interesting network-level evasions used related to DoublePulsar and DanderSpritz. We were not able to find a complete resource with focus on these evasion techniques. So as a spin-off from the DanderSpritz/PeddleCheap research, we decided to assemble information from different resources into a blog post about these evasions.

Most of the following material is reiteration of work done by other...

Read more

Over the weekend reports were made of a cryptocurrency mining script injected into government owned and run websites across the US, UK and Australia.

The affected websites had a common theme – a script included in all that made a request to a JavaScript file hosted on BrowseAloud<dot>com.  This script, ba.js, was seemingly modified by a malicious actor to include obfuscated code that made an additional request to a cryptocurrency mining tool CoinHive. End-users who visited one of the affected websites Sunday on February 11, 2018, would have had a crypto-currency miner (CoinHive, known to mine Monero coins) run in the...

Read more

In the current era of mass malware it's becoming increasingly rare to find something beyond the ‘usual suspects’ we see being spread by high-profile botnets on a regular basis: Dridex spread by Necurs, the ever-increasing number of ransomware families, cryptocurrency miners, credential stealers… the list goes on. These sorts of malware generally make up the majority of incoming malicious samples and are, from a researcher's standpoint, typically not very interesting.

However, in amongst the digital haystack there exists the occasional needle: we recently came across a sample apparently disguised as a LogMeIn service pack which...

Read more

In April 2017, a hacker group named The Shadow Brokers released some very advanced cyber weapons. The leaked tools allegedly originate from the hacking arsenal of a powerful intelligence agency.

One of the tools in the leak is a post-exploitation framework called DanderSpritz, which is used for communicating with compromised computers. Forcepoint™ has analyzed the PeddleCheap module of this DanderSpritz framework. The research focuses on network-level communications. To our knowledge, no similar research has previously been published.

Motivation for the research

PeddleCheap and its associated...

Read more