Sober.y increased activity

Sober variants are well known for complex replication patterns and payloads. They have also been using spoofed e-mail addreses in the “From:” field, pretending to come from the FBI; reason enough for many unsuspecting users to fall victim to the worm. Sober.K, discovered on February 21 2005, was the first to pretend that.

Sober.y, which is currently the most popular variant, started spreading actively on Monday, November 21. Although it was released last week, it didn’t really pick up speed unless Monday, thanks to the help from a couple of other variants in the family, one of the complex replication patterns mentioned above.

Interesting enough, while we have plenty of reports from our mailpots distributed around the world, very few of them originate in Russia. This happened in the past, most of the time with the peak of reports originating in Germany. Overall, Sober.y is still behind in absolute number of samples for the past 24 hours, but its rate of increase is higher, meaning it will probably become number one in the next day or so.

The outbreak is major, but according to our statistics, it’s no match for say, Sober.a back in 2003. One of the reasons for this is that generic protection, as well as the speed of reaction of antivirus companies has improved a lot since then, too.

Sober.y increased activity

Your email address will not be published.



APT trends report Q1 2022

This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q1 2022.

Lazarus Trojanized DeFi app for delivering malware

We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a full-featured backdoor.

MoonBounce: the dark side of UEFI firmware

At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41.

Subscribe to our weekly e-mails

The hottest research right in your inbox