Incidents

Rogue AV raising the stakes

A couple of months I blogged about how the creators of rogue AV solutions are keeping a close eye on developments in the antivirus market. And my colleague Vyacheslav recently wrote a whole article about rogue AV which highlighted, among other things, the huge increase in this type of malware.

Last week I looked at some samples which showed that the bad guys behind this stuff are ratcheting their efforts up a notch. Here’s the GUI of Trojan.Win32.FraudPack.acji:

And here’s the product it’s imitating:

There are two points which attracted my attention:

  • The interface of the rogue AV is a very close copy of the genuine solution
  • The logo isn’t the same, but the rogue incorporates the Windows Security Center logo, and reinforces the perception that it’s a genuine product by using the name of a legitimate free AV solution.

In other words, the rogue AV guys are getting closer and closer to creating exact copies of real AV solutions, at least in terms of the GUI. This makes it much more difficult to determine at a glance whether or not a solution is rogue, for novices and more experienced users alike.

This example shows that maybe we’re not so far from the time when rogue AV solutions will visually be exact copies of legitimate security software. And with the FBI estimating losses caused by scareware at around $150 million dollars, the stakes are getting higher all the time.

Rogue AV raising the stakes

Your email address will not be published. Required fields are marked *

 

Reports

Lyceum group reborn

According to older public researches, Lyceum conducted operations against organizations in the energy and telecommunications sectors across the Middle East. In 2021, we have been able to identify a new cluster of the group’s activity, focused on two entities in Tunisia.

GhostEmperor: From ProxyLogon to kernel mode

While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. With a long-standing operation, high profile victims, advanced toolset and no affinity to a known threat actor, we decided to dub the cluster GhostEmperor.

APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

Subscribe to our weekly e-mails

The hottest research right in your inbox