Incidents

Cabir source code published

Over the last few days we see several versions of Cabir. They are not very different from each other, just in unimportant ways.

Today we found out that the source code that these different versions were compiled from was published on the Internet. This means it can be accessed by anyone.

As far as we know, until now the Cabir source code was accessible only to a limited number of people, including members of the international virus writing group 29A. It was a 29A member who wrote the original version of Cabir. We think it was planned to publish the source code in the next edition of the group’s electronic journal.

However, it looks that someone has already got access to the code, and now it’s public. This will lead to a lot of new versions of Cabir, which has already been detected in the wild in 7 countries.

Cabir source code published

Your email address will not be published.

 

Reports

APT trends report Q1 2022

This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q1 2022.

Lazarus Trojanized DeFi app for delivering malware

We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a full-featured backdoor.

MoonBounce: the dark side of UEFI firmware

At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41.

Subscribe to our weekly e-mails

The hottest research right in your inbox