Category: Malware descriptions

Gootkit is complex multi-stage banking malware capable of stealing data from the browser, performing man-in-the-browser attacks, keylogging, taking screenshots and lots of other malicious actions. Its loader performs various virtual machine and sandbox checks and uses sophisticated persistence algorithms.

Reports

We detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits.

A newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled. The victims are located in Africa, South and South-East Asia.

This report highlights significant events related to advanced persistent threat (APT) activity observed in Q1 2021. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Malware descriptions

Gootkit: the cautious Trojan

Evolution of JSWorm ransomware

Bizarro banking Trojan expands its attacks to Europe

Browser lockers: extortion disguised as a fine

Convuster: macOS adware now in Rust

Good old malware for the new Apple Silicon platform

Ad blocker with miner included

The chronicles of Emotet

Ghimob: a Tétrade threat actor moves to infect mobile devices

RansomEXX Trojan attacks Linux systems

Life of Maze ransomware

WastedLocker: technical analysis

The Tetrade: Brazilian banking malware goes global

Magnitude exploit kit – evolution

Oh, what a boot-iful mornin’

Congratulations, you’ve won! The reality behind online lotteries

Keyloggers: How they work and how to detect them (Part 1)

Scammers’ delivery service: exclusively dangerous

Reports

PuzzleMaker attacks with Chrome zero-day exploit chain

Operation TunnelSnake

APT trends report Q1 2021

The leap of a Cycldek-related threat actor

Subscribe to our weekly e-mails