Malware reports

Malware Miscellany, October 2008

  1. Greediest Trojan targeting banks
    Now that autumn is into its stride, there’s been a change in this category; October’s winner is Trojan-Spy.Win32.Bzub.cqz, rather than a member of the Banker family. Bzub.cqz targets clients of 34 different banks.

  2. Greediest Trojan targeting payment systems
    Trojan.Win32.Agent.afhy comes out top, attacking 4 different epayment systems at once.

  3. Greediest Trojan targeting payment cards
    The Agent family wins again in this category, with Trojan.Win32.Agent.agyz searching out users of 5 card systems.

  4. Stealthiest malicious program
    The Hupigon family, which makes frequent appearances in this category, takes the lead in October; one modification of Backdoor.Win32.Hupigon.btlis packed with 8 different packers.

  5. Smallest malicious program
    In spite of being a mere 20 bytes in size, Trojan.BAT.KillAll.an is able to delete all files from disk.

  6. Largest malicious program
    Trojan.Win32.Haradong makes a return this month – modification .ga weighs in at more than 200MB.

  7. Most common vulnerability on the Internet
    In October, Exploit.SWF.Downloader.hn accounted for 2.3% of all malicious content detected on the Internet.

  8. Most common malicious program on the Internet
    Trojan-Downloader.Win32.IstBar.cx was the most common malicious program on the Internet in October, accounting for a “modest” 2.1% of all malicious content detected.

  9. Most common Trojan family
    Backdoor.Win32.Hupigon puts in yet another appearance in this category, this time with 3891new modifications.

  10. Most common virus/ worm family
    There are no changes in this category either this month, with Worm.Win32.AutoRun taking the crown again. And its numbers are similar to those of last month – 651 new modifications in October as against September’s 655.

Malware Miscellany, October 2008

Your email address will not be published. Required fields are marked *

 

Reports

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox