Tag: malware

Introduction Few days ago, Cybaze-Yoroi ZLAB researchers spotted a suspicious JavaScript file needing further attention: it leveraged several techniques in order to evade all AV detection and no one of the fifty-eight antivirus solution hosted on the notorious VirusTotal platform detected it. For this reason, we decided to dissect it and investigate what kind of […]

Introduction In the past weeks, a new strange campaign emerged in the Italian landscape. It has been baptized “Operation Pistacchietto” from a username extracted from a Github account used to serve some part of the malware. This campaign has been initially studied by C.R.A.M. researchers reporting the attacker seems to be Italian, as evidenced by […]

Introduction Malware written in Go programming language has roots almost a decade ago, few years after its first public release back in 2009: starting, for instance, from InfoStealer samples discovered since 2012, abused in cyber-criminal campaigns, and ending into one of the most advanced and modern cyber arsenal, the Sofacy one. Times ago it was […]

Introduction In the past days, an infamous cyber attack targeted an high profile target on the APAC area: the Australian Parliament House. As reported by the Australian prime minister there was no evidence of any information theft and the attack has been promptly isolated and contained by the Australian Cyber Security Centre (ACSC), however the […]

Introduction Between January and February, a new, intense, ransomware campaign have been observed by many security firms. It spreads Shade/Treshold variants, one of the most dangerous threats in the cyber crime scenario, known since its massive infection into the Russian panorama back in 2015, its expansion has been tracked by several CSIRTs and CERTs all […]

Introduction In the last days a huge attack campaign hit several organizations across the Italian cyberspace, as stated on bulletin N020219 the attack waves tried to impersonate legit communication from a known Express Courier. However, a deeper analysis by Cybaze-Yoroi ZLAB revealed interesting hidden aspects, spotting a connection between the AZORult toolkit and a particular […]

Proto: N020219. Con la presente Yoroi desidera informarLa relativamente ad una campagna di attacco in corso ai danni di numerose Organizzazioni ed utenti di rete italiani. Gli attacchi si manifestano con messaggi di posta fraudolenti che simulano comunicazioni da parte del Corriere Espresso “DHL”.  All’interno delle email sono allegati archivi compressi contenenti pericolosi script eseguibili […]

Introduction Another wave of Ursnif attacks hits Italy. Ursnif is one of the most active banking trojan. It is also known as GOZI, in fact it is a fork of the original Gozi-ISFB banking Trojan that got its source code leaked in 2014 updating and evolving Gozi features over the years. Also in this variant, […]

Introduction In the past days, a new particular sample has been analyzed by the researchers of Cybaze- Yoroi ZLab. As usual, the malware looks like a legitimate e-mail attachment, named as “invoice.doc”. Today, weaponized microsoft office documents with macros, are one of the most common and more effective methods to deliver malware, because they also […]

Proto: N070119. Con la presente Yoroi desidera informarLa relativamente ad una campagna di attacco in corso ai danni di numerose utenze ed organizzazioni italiane. Le email malevole sono appositamente create con tematizzazioni amministrative e riferimenti ai nuovi obblighi di fatturazione elettronica. I messaggi fraudolenti contengono al loro interno allegati Excel in grado di infettare la […]

Introduction During the last weeks, the Cybaze-Yoroi ZLab researchers identified infection attempts aimed to install RAT malware directed to the naval industry sector. The malicious email messages contained a particular Adwind/JRat variant delivered via several methods tailored to lure the target company. In the recent past, similar attack cases hit this industry, such as the […]

Introduction In the first days of January, an interesting malware sample has been disclosed through the InfoSec community: a potential GreyEnergy implant still under investigation. This kind of threat, previously analyzed by third party firms, contains similarities with the infamous BlackEnergy malware, used in the attacks against the Ukrainian energy industry back in 2015. The […]