Malware


Carbanak Group uses Google for Malware Command-and-Control

Forcepoint Security Labs™ recently investigated a trojanized RTF document which we tied to the Carbanak criminal gang. The document contains an encoded Visual Basic Script (VBScript) typical of previous Carbanak malware. Recent samples of the malware now include the ability to use Google services for command-and-control (C&C) communication. We have notified Google of the abuse and are working with them to share additional information.

MM Core In-Memory Backdoor Returns as "BigBoss" and "SillyGoose"

In October 2016 Forcepoint Security Labs™ discovered new versions of the MM Core backdoor being used in targeted attacks. Also known as “BaneChant”, MM Core is a file-less APT which is executed in memory by a downloader component.

The Many Evolutions of Locky

First spotted in February 2016, the Locky crypto-ransomware has become a dangerous threat to both large organisations and residential users alike. In this blog we give a brief overview of what Locky is and cover the significant aspects of its infamous history.

BITTER: A Targeted Attack Against Pakistan

Introduction

Forcepoint Security Labs™ recently encountered a strain of attacks that appear to target Pakistani nationals. We named the attack "BITTER" after the network communication header used by the latest variant of the remote access tool (RAT) involved:

Our investigation indicates that the campaign has existed since at least November 2013 and remains active today. This post shares the results of our research.

Highly Evasive Code Injection Awaits User Interaction Before Delivering Malware

On September 27, 2016 Forcepoint Security Labs noticed that the Russian boxing site allboxing[.]ru was compromised. The site is injected with code that attempts to silently redirect users to a third party website containing an exploit and a Russian banking trojan. The injected code employs several evasion tactics, and ensures that the redirect only occurs when there is significant user interaction on the website.

Zeus Delivered by DELoader to Defraud Customers of Canadian Banks

Throughout September 2016 we have observed an actor sending malware to Canadian nationals by e-mail. Upon investigation we have determined the malware payload to be DELoader, which downloads a Zeus variant banking trojan upon execution.

E-mail Lures

The e-mails typically pretend to be from the Canada Revenue Agency (CRA) claiming that the individual has a tax payment outstanding.

Dridex in the Shadows - Blacklisting, Stealth, and Crypto-Currency

Dridex has drastically reduced in volume throughout 2016. Actors now appear to prefer crypto-ransomware such as Locky over the infamous banking trojan. However, Dridex is still being actively developed. Here at Forcepoint Security Labs we have seen a number of changes and improvements over the last few months.

NELocker - A JavaScript Ransomware Boilerplate

An actor known for distributing the Kovter and Miuref (aka Boaxxe) malware families has been working on a JavaScript-based Nemucod ransomware for several months. Recently the actor has begun dropping legitimate command line utilities such as 7Zip and PHP onto infected systems to perform the encryption.

Cerber Actor Distributing Malware Over E-mail Via WSF Files

Last week we tracked an interesting e-mail campaign that was distributing double zipped files with Windows Script Files (WSFs) inside. When executed, these WSFs downloaded the Cerber crypto-ransomware. Cerber has previously been seen distributed via exploit kits and over e-mail using DOC files with macros. This is the first time that we have seen Cerber distributed via the use of WSFs.

E-mail Lure

The e-mail lures followed a convention of "[someone@somewhere.tld] Invoice-or-bill-related-subject-line". For example:

JIGSAW - Some of the Missing Pieces

Forcepoint Security Labs has already blogged recently about the JIGSAW crypto-ransomware outbreaks that have been reported in the media. We decided to investigate the malware a little further and see what we could find. What we found offers some insight into the economics of JIGSAW, the 'black' marketplace it is traded on, and the level (or absence) of sophistication of the author and his/her customers.
