no-image

Travle aka PYLOT backdoor hits Russian-speaking targets

At the end of September, Palo Alto released a report on Unit42 activity where they – among other things – talked about PYLOT malware. We have been detecting attacks that have employed the use of this backdoor since at least 2015 and refer to it as Travle. Coincidentally, KL was recently involved in an investigation of a successful attack where Travle was detected, during which we conducted a deep analysis of this malware. Read Full Article

no-image

I am HDRoot! Part 2

Some time ago while tracking Winnti group activity we came across a standalone utility with the name HDD Rootkit for planting a bootkit on a computer. During our investigation we found several backdoors that the HDRoot bootkit used for infecting operating systems. Read Full Article

no-image

I am HDRoot! Part 1

Famous Chinese-speaking cybercriminal APT actor Winnti has been observed targeting pharmaceutical businesses. New threat, which Kaspersky Lab has called “HDRoot” after the original tool’s name “HDD Rootkit”, is a universal platform for a sustainable and persistent appearance in a targeted system, which can be used to launch any other tool. Read Full Article

no-image

An Ambush for Peculiar Koreans

While researching PlugX propagation with the use of Java exploits we stumbled upon one compromised site that hosted and pushed a malicious Java applet exploiting the CVE 2013-0422 vulnerability. The very malicious Java application was detected heuristically with generic verdict… Read Full Article