Tag: malware

Introduction Back in March we spotted and monitored a new emerging threat which we dubbed as GoBrut botnet. In our previous blog post, we analyzed a Windows version of this bot, arguing about the usage of the GoLang programming language, a modern language able to reach extremely high level of code portability, potentially enabling the […]

Introduction Few months ago we started observing a cyber operation aiming to attack private companies in various business sectors, from automotive to luxury, education, and media/marketing.  The attack attribution is still unclear but the large scale of the malicious activities has also been confirmed by Unit42, who reported attack attempt against government verticals too.  The […]

Introduction Recently our attention was caught by a really particular malware sample most probably linked to recent cyber criminal operation against the banking sector. This piece of malicious code is a so called "ATM malware": a malicious tool  part of a criminal arsenal able to interact with Automatic Teller Machine. ATM malware are used in […]

Introduction In the past months we published a white paper exploring the risks that users can encounter when downloading materials from P2P sharing network, such as the Torrent one. We discussed how crooks easily lure their victims to download malware along with the desired content. Recently, our threat monitoring operations pointed us to an interesting […]

Introduction As we described in our previous post, one of the latest trends for the attackers is to leverage the ISO files in order to reduce detection chances. This technique has also been used by a recent Hawkeye spreading campaign. “Hawkeye Keylogger” is an info-stealing malware for sale in the dark-web. Anyone can  easily subscribe […]

Proto: N020719. Con la presente Yoroi desidera informarLa riguardo al recente rilevamento di nuovo vettore di attacco potenzialmente utilizzabile da cyber-criminali e attaccanti attraverso email malevole. Sono stati infatti rilasciati dettagli tecnici relativi a metodologie atte ad abusare dello strumento di sistema Microsoft Compiled HTML Help presente su tutti i sistemi Microsoft e responsabile dell’apertura […]

Introduction In the last period we observed an increase of the malware spreading using less-known archive types as initial dropper, in particular ISO image. The spread of threats exploiting ISO image to hide themselves is helped by the Windows functionality, introduced since Windows 8, which allows the user to easily mount this file type through […]

Introduction A new Ransomware began to threats the digital world. This time using a nice but scary name: LooCipher. The name is at the same time an allusion to its capabilities (thank to the term “Cipher”) and to the popular religious figure, Lucifer. Despite its evocative nickname, the functionalities of this malware are pretty straight […]

Introduction In the past days, a really important issue has been disclosed to the public: “Return of the WiZard” vulnerability (ref. EW N030619, CVE-2019-10149). Such vulnerability affected a wide range of Exim servers, one of the main email server technologies, extremely diffused all around the globe and in Italy too. Recently, cyber-criminals groups abused this […]

Introduction Historically, cyber-criminals adopted one or more layers of encryption and obfuscation to lower their footprint and avoid detection. The usage of cryptors and packers has become a commodity in the contemporary malware landscape, providing the so called “FUD” (Fully UnDetectable) capabilities to malicious code and allowing the outsourcing of the payload hiding. The CSDC […]

Introduction For months the Italian users have been targeted by waves of malspam delivering infamous Ursnif variants. Yoroi-Cybaze ZLab closely observed these campaigns and analyzed them to track the evolution of the techniques and the underlined infection chain, noticing an increasing sophistication. For instance the latest waves increased their target selectivity abilities by implementing various […]

Introduction In the last few days, during monitoring activities, Yoroi CERT noticed a suspicious attack against an Italian organization. The malicious email contains a highly suspicious sample which triggered the ZLAB team to investigate its capabilities and its possible attribution, discovering a potential expansion of the TA505 operation. The threat group is also known for […]