Mobile malware and the Muscovites

Yesterday one of our employees was out for the evening. And naturally enough, used the metro. As you may know, the Moscow Metro is one of the busiest mass transit systems in the world, transporting approximately 9 million people a day.

With so many passengers, a number of whom now have smartphones, what are the chances of infection by Cabir or another virus for mobiles? Hard to tell exactly – all we do know is that while descending to the station, our employee detected an attempt by Cabir to infect her phone.

This is the third time she’s experienced this in two months. You may think that this is a low frequency. You may also wonder why an employee of Kaspersky Lab is walking around with a phone in ‘visible to all’ mode.

In my opinion, it shows that Cabir has already spread far and wide, in Moscow if not in other regions of Russia. OK, three times in two months, when compared to the daily attacks which PCs are subjected to, isn’t that high a frequency. And Cabir doesn’t, theoretically, pose that much of a danger.

But this case illustrates the way in which mobile malware is gathering momentum. I don’t want to think about what will happen when someone – and this will happen sooner, rather than later – releases a viable worm for mobiles which is written with the intention of doing serious damage. Seems like the Metro might become a very dangerous place for smartphone owners.

Mobile malware and the Muscovites

Your email address will not be published. Required fields are marked *



Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox