96 matches found
Massive Malspam Campaign Finds a New Vector for FlawedAmmyy RAT
A widespread spam campaign from the well-known financial criminal group TA505 is spreading the FlawedAmmyy RAT using a brand-new vector: Weaponized PDFs containing malicious SettingContent-ms files. The SettingContent-ms file format was introduced in Windows 10; it allows a user to create...
New Dridex Variant Emerges With An FTP Twist
A variant of the Dridex banking trojan recently popped up in an email campaign, with an unusual twist: The attackers used compromised FTP sites for hosting malicious documents, according to researchers at Forcepoint. It was a notable departure from the norm of using HTTP links and could represent...
Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection
Introduction TLS Thread Local Storage callbacks are provided by the Windows operating system to support additional initialization and termination for per-thread data structures. As previously reported, malicious TLS callbacks, as an anti-analysis trick, have been observed for quite some time and...
EternalBlue Exploit Used in Retefe Banking Trojan Campaign
Criminals behind the Retefe banking Trojan have added a new component to their malware that uses the NSA exploit EternalBlue. The update makes Retefe the latest malware family to adopt the SMBv1 attack against a patched Windows vulnerability, and could signal an emerging trend, said researchers a...
New Dridex Phishing Campaign Delivers Fake Accounting Invoices
A new variant of the banking trojan Dridex is part of a sophisticated phishing attack targeting users of the cloud-based accounting firm Xero. The global campaign is the latest in what security experts at Trustwave said is a wave of phishing attacks against Xero and other financial and accounting...
US Government Site Was Hosting Ransomware
As recently as Wednesday afternoon, a U.S. government website was hosting a malicious JavaScript downloader that led victims to installations of Cerber ransomware. Researcher Ankit Anubhav of NewSky Security tweeted the discovery Wednesday, and within hours, the malware link was taken down. It’s...
Threat Hunting for Dridex Attacks: Top Questions from Security Teams
Editor's Note: This article originally appeared on RedCanary.com. I recently spoke on a threat hunting webinar with our partner Carbon Black in which we dove into Dridex attacks: how they work, why they’re so effective, and how security teams can detect them through a proactive threat hunting...
New Jaff Ransomware Part Of Active Necurs Spam Blitz
A new malware family called Jaff has been identified by researchers who say they are currently tracking multiple massive spam campaigns distributing the malware via the Necurs botnet. “It came out of nowhere with a huge bang,” Cisco Talos researchers said Friday In the last 24 hours, the firm has...
Dridex and Locky Return Via PDF Attachments in Latest Campaigns
Dridex and Locky, two prolific malware families that made waves in 2016 after being distributed in several high-volume spam campaigns, have returned after a brief hiatus. FireEye observed a decline in the volume of Dridex and Locky in the latter half of 2016, but we recently observed two new larg...
Dridex and Locky Return Via PDF Attachments in Latest Campaigns
Dridex and Locky, two prolific malware families that made waves in 2016 after being distributed in several high-volume spam campaigns, have returned after a brief hiatus. FireEye observed a decline in the volume of Dridex and Locky in the latter half of 2016, but we recently observed two new larg...
Dridex and Locky Return Via PDF Attachments in Latest Campaigns
Dridex and Locky, two prolific malware families that made waves in 2016 after being distributed in several high-volume spam campaigns, have returned after a brief hiatus. FireEye observed a decline in the volume of Dridex and Locky in the latter half of 2016, but we recently observed two new larg...
Locky Ransomware Roars Back to Life Via Necurs Botnet
Cybercriminals behind the Locky ransomware and Necurs botnet are back in business. Last Friday researchers spotted both delivering nearly 35,000 emails in just a few hours, the first major Locky campaign researchers have seen in months, according to Cisco Talos. Researchers warn the latest Locky...
The Word Vulnerability, CVE-2017-0199 dissect that Microsoft patch that you installed? - Vulnerability warning-the black bar safety net
! Foreword Recently, FireEye detects a use of the vulnerability, CVE-2017-0199 malicious OfficeRTF document--earlier this week FreeBuf also reported the vulnerability, without the need to enable Word macros, open a malicious RFT document can be infected with a malicious program. When the user ope...
Spread banking Trojan the Office 0day vulnerabilities-vulnerability warning-the black bar safety net
Micro-step online Threat Intelligence briefing Number: TB-2017-0003 Report confidence: 90 TAG: Microsoft, Office, 0day, vulnerabilities, phishing mails, Dridex TLP: yellow only accept the report of the Organization for internal use Date: 2017-04-11 Update Micro-step online to GMT 4 May 11, to the...
Office Zero Day Delivering FINSPY Spyware to Victims in Russia
Since at least January, unidentified state-sponsored attackers have been targeting victims in Russia with FINSPY spyware delivered in exploits for an Office and WordPad zero-day vulnerability patched on Tuesday by Microsoft. Separately, the same zero-day has been leveraged in financially motivate...
Critical Security Updates from Adobe, Microsoft
Adobe and Microsoft separately issued updates on Tuesday to fix a slew of security flaws in their products. Adobe patched dozens of holes in its Flash Player, Acrobat and Reader products. Microsoft pushed fixes to address dozens of vulnerabilities in Windows and related software. The biggest chan...
CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware
FireEye recently identified a vulnerability – CVE-2017-0199 – that allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit. We worked with Microsoft and published the...
CVE-2017-0199
Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka “Microsoft Office/WordPad Remote Co...
Microsoft Patches Three Vulnerabilities Under Attack
Microsoft today patched a zero-day Word vulnerability that has been publicly attacked along with deploying fixes for Internet Explorer, Microsoft Edge and Windows 10. In all, nine Microsoft products received updates totaling 45 unique CVEs. Three of the vulnerabilities among Tuesday’s updates,...
Microsoft Patches Word Zero-Day Spreading Dridex Malware
Microsoft on Tuesday released a patch for a zero-day vulnerability that was discovered late last week and used to spread the Dridex banking Trojan. Attacks were spreading via a massive spam campaign where emails contain Microsoft Word documents with malicious attachments that exploited a...