Threat Category: Financial threats | Page 22

Malicious programs targeting the confidential data used to access online banking systems have long been the bane of financial organizations worldwide

It’s holiday time, and of course the bad guys know that shopping is a popular activity during this period, particularly in Europe and the US.

During routine malware analysis we sometimes find new techniques which are being used by Brazilian cybercriminals to remove security protection.

We’ve had a number of people contacting us with queries about ‘Kaspersky Lab Antivirus Online’ after their computer showed them the ransom message.

Today we heard a disturbing rumor about a new version of Gpcode. We immediately began talking to victims and trawling the Internet for samples.

Our previous blog on Gpcode said we’d managed to find a way to restore files in addition to those files that can be restored using the PhotoRec utility.

Our StopGpcode project has attracted a lot of attention from individual researchers and organizations who are interested in solving the puzzle of the blackmailing virus. Thanks for all of the feedback.

Currently, it’s not possible to decrypt files encrypted by Gpcode.ak without the private key. However, there is a way in which encrypted files can be restored to their original condition.

The whole new Gpcode outbreak has set me thinking about attackers and victims in general. Yes, decrypting the key used by the new Gpcode is a thorny problem and there’s no guarantee of success. So I’d like to remind everyone that common sense is as improtant as good technology.

Passivity on the…

Along with antivirus companies around the world, we’re faced with the task of cracking the RSA 1024-bit key. This is a huge cryptographic challenge.

Following on from Vitaly’s post about the new Gpcode variant, I just thought I’d remind everyone to back up their data.

We’ve detected a new variant of Gpcode – a dangerous file-encryptor. It encrypts a whole variety of user files, targeting files with extensions such as DOC, TXT, PDF, XLS, JPG, PNG, CPP, H etc.

There’s been an update on the Trojan case we mentioned earlier this week – a 24 year old has been sentenced to five and a half years for computer crime.

Regular readers of this blog and our analytical articles may remember that in summer last year we wrote about a new variant of Bancos.aam designed to steal data from users of QUIK, a Russian Internet trading system

Virus Descriptions 101

Reports

According to Kaspersky, Librarian Ghouls APT continues its series of attacks on Russian entities. A detailed analysis of a malicious campaign utilizing RAR archives and BAT scripts.

Kaspersky GReAT experts uncovered a new campaign by Lazarus APT that exploits vulnerabilities in South Korean software products and uses a watering hole approach.

MysterySnail RAT attributed to IronHusky APT group hasn’t been reported since 2021. Recently, Kaspersky GReAT detected new versions of this implant in government organizations in Mongolia and Russia.

Kaspersky researchers analyze GOFFEE’s campaign in H2 2024: the updated infection scheme, new PowerModul implant, switch to a binary Mythic agent.

Financial threats

Lock, stock and two smoking Trojans: bank robbery in the 21st century

Cybercriminals go shopping

Friendly fire

Not Kaspersky

Gpcode – here we go again

Another way of restoring files after a Gpcode attack

Gpcode update

Restoring files attacked by Gpcode.ak

Don’t be a victim

Help crack Gpcode

A cautionary reminder

Gpcode: the return of the file encryptor

QUIK conviction

Turning a QUIK buck

Virus Descriptions 101

Reports

Sleep with one eye open: how Librarian Ghouls steal data by night

Operation SyncHole: Lazarus APT goes back to the well

IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia

GOFFEE continues to attack organizations in Russia

Subscribe to our weekly e-mails