
Tag: malware

Playing Cat and Mouse: Three Techniques Abused to Avoid Detection

Introduction During our analyses we constantly run into the tricks cyber attackers use to bypass companies' security defences, some advanced, others not. Many times, despite their elegance (or lack of it), these techniques are effective and actually help cyber criminals get into victims' computers and penetrate company networks. This technical article aims to bring to […]

The Stealthy Email Stealer in the TA505 Arsenal

Introduction During the last month our Threat Intelligence surveillance team spotted increasing evidence of intensifying operations against the banking sector. In fact, many independent researchers pointed to a particular email attack wave probably related to the known TA505 hacking group, active since 2014 and focusing on retail and banking companies. The group is also […]

Gootkit Campaign Targeting Italian PEC Mailboxes

Proto: N020519. Yoroi hereby wishes to inform you about a dangerous attack campaign currently underway against Italian organizations. Emails addressed to Certified Electronic Mail (PEC) mailboxes and containing infected attachments have in fact been intercepted. The messages try to deceive the user by simulating communications about administrative issues; however, inside them are […]

ATMitch: New Evidence Spotted In The Wild

Introduction In the first days of April, our threat monitoring operations spotted an interesting new malware sample, possibly active in the wild since 2017. Its initial triage suggests it may be part of an advanced attacker's arsenal targeting the banking sector, possibly related to the same APT group Kaspersky Lab tracked two years ago after […]

LimeRAT spreads in the wild

Introduction A few days ago, the Cybaze-Yoroi ZLab team came across an interesting infection chain leveraging several techniques able to defeat traditional security defences and hide a powerful inner payload capable of seriously threatening its victims. The whole infection chain originated from an LNK file, a technique also used by advanced attackers and APTs; for this […]

Yoroi Welcomes "Yomi: The Malware Hunter"

Nowadays malware represents a powerful tool for cyber attackers and cyber criminals all around the world. With over 856 million distinct samples identified during the last year, it is without doubt one of the major kinds of threat that companies and organizations are tackling to keep their business running without losing resources, time, […]

Ursnif: The Latest Evolution of the Most Popular Banking Malware

Introduction A few days ago, the researchers of ZLab Yoroi-Cybaze dissected another attack wave of the infamous Ursnif malware, also known as Gozi ISFB, an offspring of the original Gozi whose source code was leaked in 2014. Ursnif/Gozi has been active for over a decade and was one of the most active malware families listed in 2017 and […]

Ghidra SRE: The AZORult Field Test

Introduction One of the most anticipated moments in the infosec community during the last few months was, without doubt, the Ghidra public release. On the 5th of March, at the RSA conference, Ghidra was presented to the public, revealing the inner details of the Software Reverse Engineering (SRE) framework that the National Security Agency […]

Decrypting the Qrypter Payload

Introduction During the last weeks, Yoroi's monitoring operation intercepted some malicious emails that required further attention: they were sent to very few organizations and their contents were specifically tailored for Italian-speaking targets. These messages warned the users about imminent summons against them, inviting them to read the attached lawsuit, a not-so-innocent-looking […]

The Ursnif Gangs keep Threatening Italy

Introduction The Ursnif trojan confirms itself as one of the most active malware threats in cyberspace, even during the past days, when new attack attempts reached several organizations across Italy. The Cybaze-Yoroi ZLab teams dissected its infection chain to keep tracking the evolution of this persistent malware threat, analyzing its multiple stages, each one with the […]

Ransomware Attack Campaign

Proto: N070319. Yoroi hereby wishes to inform you about a dangerous attack campaign aimed at Italian companies. The intercepted emails are carefully crafted to deceive their unfortunate recipients by simulating the submission of unsolicited applications for vacant positions. The attached Office document, however, contains macro code able to infect the target machine with […]

The Document that Eluded AppLocker and AMSI

Introduction A few days ago, during intel source monitoring operations, the Cybaze-Yoroi ZLAB team encountered an interesting Office document containing some peculiarities that required deeper analysis: its payload includes techniques suitable for bypassing modern Microsoft security mechanisms such as AppLocker, the application whitelisting feature in place on well-configured Windows installations, and the newer Anti-Malware Scan […]
