Security Labs


Forcepoint Security Labs™ brings together researchers, engineers and thought leaders from around the world to discover, investigate, report and – ultimately – protect our customers from sophisticated, evasive and evolving Web- and email-based threats.

Find out more about the work we do through our blogs, annual reports, conference presentations and podcasts.

In the past year, the Healthcare sector was one of the biggest industries hit by ransomware attacks. Being inclined to pay ransom to recover patient data, the Healthcare sector became low-hanging fruit for seasoned ransomware operators looking to maximize profit, such as those behind the Locky ransomware. However, it appears that amateur cybercriminals have also started to shift towards this trend in the form of an off-the-shelf ransomware aimed at a healthcare organization in the United States.

In this attack, a shortened URL, which we believe was sent through a spear-phishing email, was used as a lure to infect a... Read more

For the past several weeks, Forcepoint Security Labs have been tracking a seemingly low-profile piece of malware which piqued our interest for a number of reasons: few samples appear to be available in the wild; there is no previous documentation referring to the C2 domains and IP addresses it uses (despite the domains appearing to be at least twelve months old); and, if its compilation timestamps are to be trusted, the campaign itself may have been active for at least six months before samples started to surface...

The primary samples examined appear in the wild with filenames mimicking that of Adobe's Content Management System [... Read more

Since January of this year, Forcepoint Security Labs™ have observed that the DragonOK campaign has started to target political parties in Cambodia. DragonOK is an active targeted attack that was first discovered in 2014. It is known to target organizations from Taiwan, Japan, Tibet and Russia with spear-phishing emails containing malicious attachments.

The latest dropper they used is disguised as an Adobe Reader installer and installs yet another new custom remote access tool (RAT). We have named this RAT “KHRAT” based on one of the command and control servers used, kh[.]inter-ctrip[.]com, which pertained to Cambodia’s... Read more

In early March 2017 we saw a surge in malware samples with similar behaviours and low detection rates, often triggering only generic and/or heuristic antivirus signatures. Examining these revealed them to be samples of the venerable njRAT Trojan (also known as Bladabindi) and, unsurprisingly, showed their post-infection behaviour and capabilities to align with known njRAT patterns (keylogging, screen-capturing, etc.).

Two samples were examined in particular: both of these downloaded a sizeable 'blob' from Pastebin and communicated with C2s hosted on domains associated with dynamic DNS services - typical features of njRAT campaigns... Read more

Since late last year, multiple warnings have been issued to the public regarding tax-related fraud campaigns. Last month, a warning was issued to Northwich residents in the UK regarding a HM Revenue & Customs (HMRC) phishing scam, while the Internal Revenue Service (IRS) issued a similar warning to US tax payers.

Forcepoint Security Labs™ have observed a similar trend in our telemetry. Small to medium-sized tax-themed email campaigns have constantly appeared since the start of this year. For instance, just last week, our telemetry captured the following phishing email sent to some 700 recipients from the UK:

... Read more

Forcepoint™ Security Labs frequently identify new, unusual, or otherwise interesting pieces of malware. Sometimes these turn out to be elements of large, APT-driven campaigns (e.g. our report into the MONSOON campaign from August 2016); other times these can be more 'niche', as is the case with this miniature Monero mining botnet.

Much as the California Gold Rush attracted amateurs lured by the promise of easy money (the original '49ers'), a low barrier-to-entry is tempting amateurs to take up cryptocurrency mining. Unfortunately, these 21st century... Read more

For many, ‘virtual’ currencies such as Bitcoin remain a mystery primarily associated with online criminals, despite no longer being far removed from the monetary system and transactions we’re used to.

This article is intended to serve as a primer, rather than one of our more usual technical analyses: cryptocurrencies continue to play a key role in many areas of cyber-crime, being used for everything from online marketplace transactions to ransomware demands. However, with a number of legitimate organisations ranging from the Bank of England[1] to EY[2] also taking an interest in cryptocurrencies and the technologies behind them, it’s... Read more

Researchers at Google and CWI have been the first to create a practical collision attack against the SHA-1 cryptographic hash function. Previously, a collision was only possible in theory, on the premise that a significant amount of computing power would be necessary to generate one. Now it seems as though that computing power has been harnessed by the team, who have named the collision issue “SHAttered”.

Cryptographic hash functions such as SHA-1 are used extensively in applications of data integrity and data storage.  Some applications rely on a cryptographic hash function being collision-resistant, others that... Read more

Sometimes old threats continue to remain relevant for a long period of time. The longevity of the x86 CPU architecture means that rootkits leveraging its features to achieve stealth on compromised systems may have a long shelf life and enable attackers to evade detection over an extended period. In this article, we look at “Subversive”, a Linux rootkit that uses x86 debug registers to hook the operating system kernel. Despite the last change in Subversive’s GitHub repository being in 2011, it compiled and operated successfully in a modern environment, on the latest release of Red Hat Enterprise... Read more

Forcepoint Security Labs™ came across a malicious reconnaissance campaign that targets websites. The intent behind the campaign is unknown as of this writing; however, the profile of the targets resembles that of common targets of Advanced Persistent Threat (APT) actors. As the attack is currently active, it effectively turns compromised sites into attack surfaces against their visitors.

Furthermore, the injections resemble those used by the Turla group, such as those previously documented by Swiss GovCERT last year. In this post, we will share our findings on this campaign's targets and injected code as well... Read more