Threat Category: Financial threats | Page 21

The Internet knows no borders, but according to our data, cybercrime has specific ‘geographical features’.

How easy is it for bad guys to buy valid digital certificates from CAs using fake data and start signing Trojan bankers with them? In Brazil it appears to be very easy.

Russian law enforcement agencies announced the arrest of a cybercriminal gang involved in stealing money using the Carberp Trojan. Unfortunately this does not mark the end of the Carberp story.

In 2011, mobile malware reached a new qualitative level.

From an unholy alliance between Brazilian Bankers and Carders is created the ‘Chupa Cabra’ malware, developed to attack payment devices

A simple message on a Google forum in August sparked an investigation which would eventually bring down the DigiNotar certificate authority.

Cybercriminals avoiding detection and automated monitoring by block cipher using.

Operators of botnets based on SpyEye have started hiding real С&Cs in the customconnector plugin

Latin America has ceased to be a region that simply receives attacks from across the world. Since late 2009 it has begun to copy fraudulent business models through which American cybercriminals have begun producing their own criminal resources.

Online banking is now a run-of-the-mill affair for most.

But now we will discuss TDSS and its new module for Bitcoin. In the beginning of August a new section [tslcaloc] has appeared in the TDSS configuration files while bot was running on infected machine.

Brazilian trojans beyond the borders: now starts to attack banks in Europe

I found an interesting “bug” in the malicious .php script on the .cc domain. For example, instead of clicking on http://3cm.kz/example, just put at the end http://3cm.kz/example+ or http://3cm.kz/example* or any other and for each new special char you will get the binary. One special char per one new download. The second short URL service used by the criminals is http://shortn.me

Well, today I found that Amazon Web services (Cloud) now is being used to spread financial data stealers.

Kaspersky Lab detected the first rootkit banker created to infect 64-bit systems. It was detected in a drive-by-download attack made by Brazilian cybercriminals.

Reports

Kaspersky researchers analyze updated CoolClient backdoor and new tools and scripts used in HoneyMyte (aka Mustang Panda or Bronze President) APT campaigns, including three variants of a browser data stealer.

Kaspersky discloses a 2025 HoneyMyte (aka Mustang Panda or Bronze President) APT campaign, which uses a kernel-mode rootkit to deliver and protect a ToneShell backdoor.

Kaspersky GReAT experts analyze the Evasive Panda APT’s infection chain, including shellcode encrypted with DPAPI and RC5, as well as the MgBot implant.

Kaspersky expert describes new malicious tools employed by the Cloud Atlas APT, including implants of their signature backdoors VBShower, VBCloud, PowerShower, and CloudAtlas.

Financial threats

The geography of cybercrime: Western Europe and North America

Brazilian Trojan Bankers Now Digitally Signed

Carberp: it’s not over yet

Mobile Malware Evolution, Part 5

The ‘Chupa Cabra’ malware: attacks on payment devices

IT Threat Evolution: Q3 2011

Steganography or encryption in bankers?

SpyEye vs. Tracker

Latin American banks under fire from the Mexican VOlk-Botnet

ZeuS-in-the-Mobile – Facts and Theories

TDSS + Bitcoin = ?

Brazilian Trojans beyond borders

Tracking bugs in Zeus campaigns

Financial data stealing Malware now on Amazon Web Services Cloud

Rootkit Banker – now also to 64-bit

Reports

HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns

The HoneyMyte APT evolves with a kernel-mode rootkit and a ToneShell backdoor

Evasive Panda APT poisons DNS requests to deliver MgBot

Cloud Atlas activity in the first half of 2025: what changed

Subscribe to our weekly e-mails