In April 2018, we spotted the first ransomware employing the Process Doppelgänging technique: SynAck ransomware. SynAck itself is not new, but a recently discovered sample caught our attention because it uses Process Doppelgänging. Here we present the results of our investigation of this new SynAck variant.
Breaking The Weakest Link Of The Strongest Chain
Around July last year, more than 100 Israeli servicemen were hit by a cunning threat actor. The attack compromised their devices and exfiltrated data to the attackers’ C&C. In addition, the compromised devices were pushed trojanized updates. The operation remains active at the time of writing.
Obfuscated malicious office documents adopted by cybercriminals around the world
After going out of fashion for a number of years, malicious macros inside Office files have recently experienced a revival. And why not, especially if they are a lot cheaper than exploits and capable of doing the same job?
Encrypted Java Archive Trojan bankers from Brazil
I have never bought a PlayStation and neither has my colleague Micha-san from Japan – well, in his case, at least not from Brazil. Nonetheless, we both received the same email notification: In this instance cybercriminals from Brazil have used a new,…
The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor
Newly discovered PDF files exploiting CVE-2013-0640 in Adobe Reader drop sophisticated malware known as “MiniDuke”.
Steganography or encryption in bankers?
Cybercriminals avoid detection and automated monitoring by using a block cipher.
iFrames = Apple too?
Looking up definitions for ‘iframe’ does indeed return results about “… a constraint of the H.264 codec specified by Apple to ensure ease of consumer video editing.” Such I-frames contain all the information needed to render them and serve as the reference from which the other frames are constructed. But here we discuss the other kind of iframes: HTML tags.
New Brazilian banking Trojans recycle old URL obfuscation tricks
Fabio, our researcher in Brazil, has noticed malware authors using an old trick to mask URLs. The trick involves writing an IP address, say 66.102.13.19 (the IP address of google.com, borrowed from my colleague, Costin), in a numerical base other than base 10, so that the address does not look like an address at all while the browser still resolves it.
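The following is an added example, not code from the original post or from the malware it describes. It canonicalises the numeric IPv4 notations that browsers and URL parsers accept, so that a URL filter or log search can match on one dotted-decimal form regardless of how the attacker wrote it. It goes beyond the single base-change mentioned above and covers the whole family of tricks: one big decimal number (dword), hexadecimal or octal components, mixed bases, a shortened form where the last component fills the remaining octets, and a decoy hostname placed before `@`. The function names and the sample URLs are constructed for this example.

```python
"""Canonicalise obfuscated IPv4 literals in URLs (added example).

Browsers parse each dot-separated component as hex (0x..), octal
(leading 0) or decimal, and the last component may carry more than one
octet, so 66.102.13.19 can be written as 1113984275, 0x42660d13,
0102.0146.015.023, 0x42.102.0x0d.19 or 66.102.3347.  This module maps
all of them back to dotted-decimal.
"""
import re
from typing import Optional
from urllib.parse import urlsplit


def _parse_part(part: str) -> int:
    """Parse one component the way the WHATWG URL parser does.

    "0x" prefix is hexadecimal, a leading zero followed by more digits is
    octal (and must then contain only 0-7), everything else is decimal.
    """
    if part[:2].lower() == "0x":
        if not re.fullmatch(r"[0-9a-fA-F]+", part[2:]):
            raise ValueError(part)
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        if not re.fullmatch(r"[0-7]+", part[1:]):
            raise ValueError(part)
        return int(part[1:], 8)
    if not re.fullmatch(r"[0-9]+", part):
        raise ValueError(part)
    return int(part, 10)


def normalize_ipv4(host: str) -> Optional[str]:
    """Return canonical dotted-decimal if host is a numeric IPv4 literal.

    Accepts one to four components.  All but the last must fit in one
    octet; the last component supplies the remaining (5 - n) bytes, which
    is what makes the dword and shortened forms work.  Returns None for
    ordinary hostnames and for literals a browser would reject.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    if any(v > 0xFF for v in values[:-1]):
        return None
    remaining_bytes = 5 - len(values)
    if values[-1] >= 1 << (8 * remaining_bytes):
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << (8 * remaining_bytes)) | values[-1]
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host_from_url(url: str) -> str:
    """Return the host that will actually be contacted, in canonical form.

    Anything before '@' is userinfo and is discarded, which defeats the
    'www.google.com@<real-ip>' decoy; numeric literals are normalised and
    real hostnames are returned lowercased as the parser gives them.
    """
    host = urlsplit(url).hostname or ""
    return normalize_ipv4(host) or host


if __name__ == "__main__":
    # Constructed sample URLs for the demo; not taken from any real campaign.
    samples = [
        "http://1113984275/",
        "http://0x42660d13/index.php",
        "http://0102.0146.015.023/",
        "http://66.102.3347/",
        "http://www.google.com@0x42.102.0x0d.19/login",
        "http://www.google.com/",
    ]
    for u in samples:
        print(f"{u:48s} -> {canonical_host_from_url(u)}")
```

Run it as a script to see every constructed sample resolve to the same host; in a proxy log pipeline you would call `canonical_host_from_url` on each request URL before comparing against a blocklist, since matching the raw string would miss every encoded variant.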
More thoughts on drawing the line
Drawing the line
The Race to Zero is not a questionable affair; there is no question about it: it is unethical.