Top IT Security Bloggers

TrendLabs - Malware Blog
  • IoT Attack Opportunities Seen in the Cybercrime Underground
    We looked into IoT-related threads in several cybercrime underground communities and found material ranging from tutorials to working monetization schemes for IoT attacks. In this entry we give an overview of what cybercriminals see as the most promising openings for attacks on IoT technologies.
  • ‘Purple Fox’ Fileless Malware with Rootkit Component Delivered by Rig Exploit Kit Now Abuses PowerShell
    The new iteration of Purple Fox we came across, also delivered by the Rig exploit kit, has a few new tricks. It retains its rootkit component, which is built from publicly available code. It drops its NSIS installer in favor of PowerShell, which makes the infection fileless. It also adds further exploits to its infection chain, most likely as fallbacks so that it can still infect the system if one of them fails. Purple Fox is a downloader: besides retrieving and executing cryptocurrency miners, it can deliver other kinds of malware.
  • Malware Classification with ‘Graph Hash,’ Applied to the Orca Cyberespionage Campaign
    In malware research, threat hunting, and threat-intelligence sharing, exchanging indicators of compromise (IoCs) as file hashes (MD5, SHA256) is common practice; researchers typically search for samples on VirusTotal by hash. Cryptographic hashes, however, have properties that limit file or threat correlation, chiefly the one-to-one relationship between a file and its hash: any change to the file, however small, produces an unrelated hash. To get around this, similarity-hashing techniques and tools such as ssdeep, sdhash, imphash, and our own Trend Micro Locality Sensitive Hashing (TLSH) have been proposed, and they do help researchers find similarities between binary files. All of these approaches, though, look at the file at the binary level.
    Our research, which we have named “Graph Hash,” builds on the advantages of both exact and similarity hashing by computing the hash of an executable from its graph view, which classifies malware more consistently and efficiently. The aim is a viable approach to malware classification that, in turn, supports sharing actionable threat intelligence beyond simple checksums such as MD5 and the SHA families.
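    The limitation described above, the one-to-one relationship between a file and its cryptographic hash, is easy to see on constructed input. The following is an added illustration, not code from the post and not Trend Micro's TLSH or Graph Hash: MinHash over byte 4-grams stands in for a similarity hash, the sample "binaries" are constructed stand-ins built by a hypothetical fake_binary() helper (some import-like strings, an embedded C2 URL and deterministic filler), and SHINGLE_LEN and NUM_PERM are parameter choices for this example. A rebuilt variant whose only change is one byte in its C2 string gets an unrelated SHA256 but a near-identical similarity signature, while an unrelated sample that shares only the import strings scores close to zero.

```python
"""Added illustration (not Trend Micro's code): why exact hashes limit correlation
and how a similarity hash recovers it. MinHash over byte 4-grams stands in for
ssdeep/TLSH/Graph Hash; the "binaries" are constructed stand-ins, not real samples."""
import hashlib
from typing import List, Set

SHINGLE_LEN = 4   # byte n-gram size (assumption for this example)
NUM_PERM = 64     # number of keyed hashes in the MinHash signature (assumption)


def fake_binary(c2: bytes, filler_seed: bytes, filler_len: int = 4096) -> bytes:
    """Constructed stand-in for an executable: a few import-like strings, an
    embedded C2 URL, then deterministic pseudo-random filler standing in for code."""
    imports = b"kernel32.dll\0CreateProcessW\0WinExec\0wininet.dll\0InternetOpenUrlA\0"
    filler, block = b"", filler_seed
    while len(filler) < filler_len:
        block = hashlib.sha256(block).digest()
        filler += block
    return imports + c2 + b"\0" + filler[:filler_len]


def sha256_hex(data: bytes) -> str:
    """The exact-match IoC: any one-byte change yields an unrelated digest."""
    return hashlib.sha256(data).hexdigest()


def shingles(data: bytes, n: int = SHINGLE_LEN) -> Set[bytes]:
    """Set of overlapping byte n-grams: the binary-level view a similarity hash works on."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: Set[bytes], b: Set[bytes]) -> float:
    """Exact Jaccard similarity of two shingle sets, the quantity MinHash estimates."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def minhash_signature(data: bytes, num_perm: int = NUM_PERM) -> List[int]:
    """Locality-sensitive signature: for each keyed hash keep the smallest value over
    all shingles. Near-identical files share most slots; unrelated files share few."""
    grams = shingles(data)
    if not grams:
        return [0] * num_perm
    sig = []
    for seed in range(num_perm):
        key = seed.to_bytes(4, "little")  # keyed hash stands in for a random permutation
        sig.append(min(
            int.from_bytes(hashlib.blake2b(key + g, digest_size=8).digest(), "big")
            for g in grams
        ))
    return sig


def estimated_similarity(sig_a: List[int], sig_b: List[int]) -> float:
    """Fraction of matching signature slots: an unbiased estimate of Jaccard similarity."""
    matches = sum(1 for x, y in zip(sig_a, sig_b) if x == y)
    return matches / len(sig_a)


def compare(a: bytes, b: bytes) -> dict:
    """Exact-hash verdict next to the two similarity measures for the same pair of files."""
    return {
        "same_sha256": sha256_hex(a) == sha256_hex(b),
        "jaccard": jaccard(shingles(a), shingles(b)),
        "minhash": estimated_similarity(minhash_signature(a), minhash_signature(b)),
    }


if __name__ == "__main__":
    base = fake_binary(b"http://c2.example.invalid/a", b"seed-A")
    rebuilt = fake_binary(b"http://c2.example.invalid/b", b"seed-A")   # same code, new C2 path
    unrelated = fake_binary(b"http://other.example.invalid/", b"seed-B")  # different code
    for name, other in (("rebuilt variant", rebuilt), ("unrelated sample", unrelated)):
        r = compare(base, other)
        print(f"{name}: same SHA256={r['same_sha256']}  "
              f"jaccard={r['jaccard']:.3f}  minhash={r['minhash']:.3f}")
```

    The signature is a fixed-length list of integers, so it can be exchanged the way a checksum is and compared slot by slot without the original file, which is the property the post wants from a hash that goes "beyond simple checksums". Byte n-grams are a crude feature: a repacked or recompiled build of the same code scores low under this scheme, which is the gap the post's graph view is meant to close.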
  • Spam Campaign Abuses PHP Functions for Persistence, Uses Compromised Devices for Evasion and Intrusion
    We found a spam campaign that uses compromised devices to attack vulnerable web servers. From those devices, the attackers run a PHP script that sends emails carrying a link to a scam site to specific addresses. Using compromised devices as the source makes attribution difficult, and the attackers retain repeated access to the server even after it is patched.
  • Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions
    Looking into the recent variant of the Glupteba dropper delivered through a malvertising attack, we found that the dropper downloads two previously undocumented components besides the Glupteba malware itself: a browser stealer and a router exploiter. Another notable feature is that the malware can now update its command-and-control (C&C) server address using data from bitcoin transactions.
  • Hiding in Plain Text: Jenkins Plugin Vulnerabilities
    By David Fiser (Senior Cyber Threat Researcher)
    Jenkins is a widely used open-source automation server that lets DevOps teams build, test, and deploy software efficiently and reliably. To make the most of Jenkins’ modular architecture, developers use plugins that extend its core features, allowing them to expand the...
  • ‘Heatstroke’ Campaign Uses Multistage Phishing Attack to Steal PayPal and Credit Card Information
    Despite an apparent lull in the first half of 2019, phishing remains a staple of the cybercriminal’s arsenal. The latest example is a campaign we dubbed Heatstroke, after a variable name found in its phishing kit code. Heatstroke shows how far phishing has evolved beyond merely mimicking legitimate websites and varying its social engineering lures: it uses more sophisticated techniques such as steganography.
  • TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
    TA505 continues to wreak havoc in pursuit of maximum profit. Still using ServHelper and FlawedAmmyy, the group keeps making small changes from campaign to campaign: targeting different countries or entities, or varying the combination of techniques used for deployment.
  • Asruex Backdoor Variant Infects Word Documents and PDFs Through Old MS Office and Adobe Vulnerabilities
    Since it first emerged in 2015, Asruex has been known for its backdoor capabilities and its connection to the DarkHotel spyware. When we encountered Asruex in a PDF file, however, we found that a variant can also act as a file infector, exploiting the old vulnerabilities CVE-2012-0158 (Microsoft Office) and CVE-2010-2883 (Adobe Reader) to inject its code into Word and PDF files respectively. Both vulnerabilities were patched years ago, so the infector only succeeds against installations that never received those updates.
  • Uncovering a MyKings Variant With Bootloader Persistence via Managed Detection and Response
    When we first investigated MyKings in 2017, we focused on how the cryptominer-dropping botnet used WMI for persistence. Like Mirai, MyKings appears to be in constant flux, changing its infection routine. The variant we analyzed in this incident did not rely on a single persistence method but on several: in addition to WMI, it used the registry, the task scheduler, and a bootkit, the last of which is the most interesting.