Financial cyberthreats in 2022

Financial gain remains the key driver of cybercriminal activity. In the past year, weve seen multiple developments in this area – from new attack schemes targeting contactless payments to multiple ransomware groups continuing to emerge and haunt businesses. However, traditional financial threats ...

Malware Delivered through Google Search

Criminals using Google search ads to deliver malware isnt new, but Ars Technica declared that the problem has become much worse recently. The surge is coming from numerous malware families, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, Vidar, Formbook, and XLoader. In the past,...

Researchers Detail OriginLogger RAT — Successor to Agent Tesla Malware

Palo Alto Networks Unit 42 has detailed the inner workings of a malware called OriginLogger, which has been touted as a successor to the widely used information stealer and remote access trojan RAT known as Agent Tesla. A .NET based keylogger and remote access, Agent Tesla has had a long-standing...

Threat Roundup for July 29 to August 5

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 29 and Aug. 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...

Emotet modules and recent attacks

Emotet was first found in the wild in 2014. Back then its main functionality was stealing user banking credentials. Since then it has survived numerous transformations, started delivering other malware and finally became a powerful botnet. In January 2021 Emotet was disrupted by a joint effort of...

Dridex affiliate dresses up as Scrooge

Threat actors are hoping to catch a few more victims before they leave work for the Christmas holidays. The recent malicious spam campaigns malspam we and others have observed appear to have been created by someone who wants to play Scrooge and add onto peoples already heightened state of anxiety...

Malspam banks on Kaseya ransomware attack

The Malwarebytes Threat Intelligence Team recently found a malicious spam campaign making the rounds and banking on the ransomware attack that forced Kaseya to shut down its VSA service. This is a classic example of an opportunistic attack conducted by potentially another threat actor/group off t...

Malicious spam campaigns delivering banking Trojans

In mid-March 2021, we observed two new spam campaigns. The messages in both cases were written in English and contained ZIP attachments or links to ZIP files. Further research revealed that both campaigns ultimately aimed to distribute banking Trojans. The payload in most cases was IcedID...

Spam and phishing in 2019

Figures of the year The share of spam in mail traffic was 56.51%, which is 4.03 p.p. more than in 2018. The biggest source of spam this year was China 21.26%. 44% of spam e-mails were less than 2 KB in size. Malicious spam was detected most commonly with the Exploit.MSOffice.CVE-2017-11882 verdic...

Fake 'Windows Update' Installs Cyborg Ransomware

A malicious spam campaign that informs victims it contains a “critical Windows update” instead leads to the installation of Cyborg ransomware, researchers have found. Further, they were able to access its builder, which can be used to create malware variants. The email-based threat, discovered...

Popular File-Sharing Service WeTransfer Used in Malicious Spam Campaigns

Hackers are abusing the popular file-sharing service called WeTransfer to circumvent defensive email gateways that are designed to block spam messages with malicious URLs. Researchers have observed an uptick in attacks targeting banking, power and media industries using this technique. The hack...

Malware Loader ‘Brushaloader’ Grows More Menacing

The tenacious loader malware called Brushaloader is growing more menacing, showing no signs of abatement despite best efforts by security professionals. First identified in June 2018, the Brushaloader malware is now more pervasive, stealthy and growing in popularity faster than ever before. New...

Spam and phishing in 2018

Numbers of the year The share of spam in mail traffic was 52.48%, which is 4.15 p.p. less than in 2017. The biggest source of spam this year was China 11.69%. 74.15% of spam emails were less than 2 KB in size. Malicious spam was detected most commonly with the Win32.CVE-2017-11882 verdict. The...

TAU Threat Intelligence Notification: Shade Ransomware

Summary Recently there is a new wave of malicious spam campaign distributing Shade ransomware via sending malicious JavaScript attachments. The spam campaign was mainly targeting users from Russia, and the ransom note was written in both Russian and English. This variant of Shade ransomware will...

ThreatList: Gift Card-Themed BEC Holiday Scams Spike

With cyber threats rampant between Black Friday and Christmas, security experts are warning of a wave of business-style email scams hitting inboxes designed to appeal to holiday shoppers. Attacks involve scam messages purporting to be gift card deals or links to corporate donations. According to...

TrickBot takes over as top business threat

Last quarter brought with it a maddening number of political ads, shocking and divisive news stories on climate change and gun laws, and mosquitoes. We hate mosquitoes. In related unpleasant news, it also apparently ushered in an era of banking Trojans that, as of this moment, shows no signs of...

Metamorfo Banking Trojan Keeps Its Sights on Brazil

This blog post was authored by Edmund Brumaghin, Warren Mercer, Paul Rascagneres, and Vitor Ventura. Executive Summary Financially motivated cybercriminals have used banking trojans for years to steal sensitive financial information from victims. They are often created to gather credit card...

Loki Bot: On a hunt for corporate passwords

Starting from early July, we have seen malicious spam activity that has targeted corporate mailboxes. The messages discovered so far contain an attachment with an .iso extension that Kaspersky Lab solutions detect as Loki Bot. The malware's key objective is to steal passwords from browsers,...

Gozi ISFB Remains Active in 2018, Leverages "Dark Cloud" Botnet For Distribution

This blog post was authored by Edmund Brumaghin and Holger Unterbrink, with contributions from Adam Weller. Executive Summary Gozi ISFB is a well-known and widely distributed banking trojan, and has been in the threat landscape for the past several years. Banking trojans are a type of malware tha...

Jaff Ransomware: Player 2 Has Entered The Game

This post was written by Nick Biasini, Edmund Brumaghin and Warren Mercer with contributions from Colin GradySummaryTalos is constantly monitoring the email threat landscape and tracking both new threats as well as changes to existing threats. We recently observed several large scale email...