Malware descriptions

Gumblar update

As expected, we can confirm more compromised machines. Our current count looks as follows:

7798    UNITED STATES
1765    INDIA
1332    ARGENTINA
1244    TURKEY
1094    RUSSIAN FEDERATION
1084    GERMANY
968      SPAIN
950      ISLAMIC REPUBLIC OF IRAN
881      REPUBLIC OF KOREA
878      MOROCCO
822      CANADA
815      PERU
792      JAPAN
712      THAILAND
689      AUSTRIA
678      ROMANIA
655      POLAND
654      ISRAEL
628      SWEDEN
599      ITALY

These numbers stand for unique hosts, some of them contain several user directories etc. which means that the real count is much higher than shown here. As mentioned before, each of these hosts are spreading a set of malicious files which are sent to a user depending on the computer’s environment. We used the site www.virustotal.com to confirm current detection status of 41 AntiVirus Vendors who participate on that site. The result showed that currently only 3 out of 41 vendors detect the malicious *.php file which is injected at above locations. The malicious *.pdf file scored with 4/41 and the flash content was detected by 3 out of 41 vendors. However, the main executable payload was detected by 33 vendors. Of course, these malicious files can be changed at any time by the criminals who operate this scheme. We are closely monitoring further development in order to protect our users as fast as possible.

Gumblar update

Your email address will not be published. Required fields are marked *

 

Reports

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

What did DeathStalker hide between two ferns?

While tracking DeathStalker’s Powersing-based activities in May 2020, we detected a previously unknown implant that leveraged DNS over HTTPS as a C2 channel, as well as parts of its delivery chain. We named this new malware “PowerPepper”.

Subscribe to our weekly e-mails

The hottest research right in your inbox