Logo
Hamburger Menu Icon
Yoroi Background

Author: malwarezlab

P2P Worm Spreads Crypto-Miners in the Wild

Introduction In the past months we published a white paper exploring the risks that users can encounter when downloading materials from P2P sharing network, such as the Torrent one. We discussed how crooks easily lure their victims to download malware along with the desired content. Recently, our threat monitoring operations pointed us to an interesting […]

Read More

Anti-Debugging Techniques from a Complex Visual Basic Packer

Introduction As we described in our previous post, one of the latest trends for the attackers is to leverage the ISO files in order to reduce detection chances. This technique has also been used by a recent Hawkeye spreading campaign. “Hawkeye Keylogger” is an info-stealing malware for sale in the dark-web. Anyone can  easily subscribe […]

Read More

Spotting RATs: Tales from a Criminal Attack

Introduction In the last period we observed an increase of the malware spreading using less-known archive types as initial dropper, in particular ISO image. The spread of threats exploiting ISO image to hide themselves is helped by the Windows functionality, introduced since Windows 8, which allows the user to easily mount this file type through […]

Read More

LooCipher: The New Infernal Ransomware

Introduction A new Ransomware began to threats the digital world. This time using a nice but scary name: LooCipher. The name is at the same time an allusion to its capabilities (thank to the term “Cipher”) and to the popular religious figure, Lucifer. Despite its evocative nickname, the functionalities of this malware are pretty straight […]

Read More

The “Return of the WiZard” Vulnerability: Crooks Start Hitting

Introduction In the past days, a really important issue has been disclosed to the public: “Return of the WiZard” vulnerability (ref. EW N030619, CVE-2019-10149). Such vulnerability affected a wide range of Exim servers, one of the main email server technologies, extremely diffused all around the globe and in Italy too. Recently, cyber-criminals groups abused this […]

Read More

Dissecting NanoCore Crimeware Attack Chain

Introduction Historically, cyber-criminals adopted one or more layers of encryption and obfuscation to lower their footprint and avoid detection. The usage of cryptors and packers has become a commodity in the contemporary malware landscape, providing the so called “FUD” (Fully UnDetectable) capabilities to malicious code and allowing the outsourcing of the payload hiding. The CSDC […]

Read More

How Ursnif Evolves to Keep Threatening Italy

Introduction For months the Italian users have been targeted by waves of malspam delivering infamous Ursnif variants. Yoroi-Cybaze ZLab closely observed these campaigns and analyzed them to track the evolution of the techniques and the underlined infection chain, noticing an increasing sophistication. For instance the latest waves increased their target selectivity abilities by implementing various […]

Read More

The Russian Shadow in Eastern Europe: A Month Later

Introduction The Gamaredon attacks against Ukraine doesn't seem to have stopped. After a month since our last report we spotted a new suspicious email potentially linked to the Gamaredon group. The group was first discovered by Symantec and TrendMicro in 2015 but evidence of its activities has been dated back to 2013. During recent times, […]

Read More

TA505 is Expanding its Operations

Introduction In the last few days, during monitoring activities, Yoroi CERT noticed a suspicious attack against an Italian organization. The malicious email contains a highly suspicious sample which triggered the ZLAB team to investigate its capabilities and its possible attribution, discovering a potential expansion of the TA505 operation. The threat group is also known for […]

Read More

Playing Cat and Mouse: Three Techniques Abused to Avoid Detection

Introduction During our analysis we constantly run into the tricks cyber-attackers use to bypass companies security defences, sometimes advanced, others not. Many times, despite their elegance (or lack of it), these techniques are effective and actually help the cyber criminals to get into victim computers and penetrate company networks. This technical article aims to bring to […]

Read More

The Stealthy Email Stealer in the TA505 Arsenal

Introduction During the last month our Threat Intelligence surveillance team spotted increasing evidence of an operation intensification against the Banking sector. In fact, many independent researchers pointed to a particular email attack wave probably related to the known TA505 hacking group, active since 2014 and focusing on Retail and Banking companies. The group is also […]

Read More

ATMitch: New Evidence Spotted In The Wild

Introduction In the first days of April, our threat monitoring operations spotted a new interesting malware sample possibly active in the wild since 2017. Its initial triage suggests it may be part of an advanced attacker arsenal targeting the Banking sector, possibly related to the same APT group Kaspersky Lab tracked two years ago after […]

Read More
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram