RIG exploit kit distributes Princess Ransomware

We have identified a new drive-by download campaign that distributes the Princess Ransomware, leveraging compromised websites and the RIG exploit kit. This is somewhat of a change for those tracking malvertising campaigns and their payloads. We had analyzed the Princess Ransomware last November and pointed out that despite similarities with Cerber’s onion page, the actual … [Read more…]

Locky ransomware adds anti sandbox feature

By Marcelo Rivero and Jérôme Segura The Locky ransomware has been very active since its return, which we documented in a previous blog post. There are several different Locky campaigns going on at the same time, the largest being the one from affiliate ID 3, which comes with malicious ZIP attachments containing .VBS or .JS files. Malwarebytes … [Read more…]

BSides Manchester: Malvertising – under the hood

I’ve talked about malvertising a fair bit at security events down the years and I was lucky enough to be able to add to the tally at this month’s BSides Manchester conference. Whether your preferred variety is desktop, mobile, or even virtual/augmented reality, there’s hopefully something here for everyone. “Malvertising: under the hood” covers the following … [Read more…]

Introducing WhiteBear

As a part of our Kaspersky APT Intelligence Reporting subscription, customers received an update in mid-February 2017 on some interesting APT activity that we called WhiteBear. Much of the contents of that report are reproduced here. WhiteBear is a parallel project or second stage of the Skipper Turla cluster of activity documented in another private … [Read more…]

Malware vaccination tricks: blue pills or red pills

First, let me explain what I mean by malware vaccination tricks. Most of you will have heard about some of these. Vaccination tricks are in fact techniques that use safety checks done by malware against that same malware. The malware checks for the presence of certain files or registry keys as a sign that the … [Read more…]

Jimmy Nukebot: from Neutrino with love

“You FOOL! This isn’t even my final form!” In one of our previous articles, we analyzed the NeutrinoPOS banker as an example of a constantly evolving malware family. A week after publication, this Neutrino modification delivered up a new malicious program classified by Kaspersky Lab as Trojan-Banker.Win32.Jimmy. NeutrinoPOS vs Jimmy The authors seriously rewrote the … [Read more…]

419 spam: 10 million US dollars, courtesy of “Rev. Goodluck Ebola”

I’m not saying an email claiming to be from the “Central Bank of Nigeria” with a contact handler named “Rev. Goodluck Ebola” will raise too many red flags, but… CENTRAL BANK OF NIGERIA OFFICE OF THE GOVERNOR Zaria Street, Off Samuel Akintola Street, Garki 11, Garki-Abuja. Our Ref: FGN/CBN/NIG/01/2017. Your Ref…………………………. From The … [Read more…]

Inside the Kronos malware – part 2

In the previous part of the Kronos analysis, we took a look at the installation process of Kronos and explained the technical details of the tricks that Kronos uses in order to remain more stealthy. Now we will move on to look at the malicious actions that Kronos can perform. Analyzed samples ede01f7431543c1fef546f8e1d693a85 – downloader … [Read more…]

A week in security (August 21 – August 27)

In our blog posts, we announced the introduction of, and explained the necessity for, real-time protection for our Mac and Android users. We also explained what you can expect it to do for you and answered the questions we expect to be asked most frequently. We looked at 4 key steps you can take within your … [Read more…]