Exposing Fox Tempest: A malware-signing service operation

In this article 1. Fox Tempest’s role and impact 2. Fox Tempest’s malware signing as a service infrastructure 3. Defending against Fox Tempest-enabled attacks 4. Microsoft Defender detections 5. Indicators of compromise Fox Tempest is a financially motivated threat actor that operates a...

PikaBot distributed via malicious search ads

During this past year, we have seen an increase in the use of malicious ads malvertising and specifically those via search engines, to drop malware targeting businesses. In fact, browser-based attacks overall have been a lot more common if we include social engineering campaigns. Criminals have...

TrickBot Crashes Security Researchers’ Browsers in Latest Upgrade

Trojan titan TrickBot has added a striking anti-debugging feature that detects security analysis and crashes researcher browsers before its malicious code can be analyzed. The new anti-debugging feature was discovered by Security Intelligence analysts with IBM, who reported the emergence of a...

BazaCall: Phony call centers lead to exfiltration and ransomware

Our continued investigation into BazaCall campaigns, those that use fraudulent call centers that trick unsuspecting users into downloading the BazaLoader malware, shows that this threat is more dangerous than what’s been discussed publicly in other security blogs and covered by the media. Apart...

Rietspoof malware distributes ransomware via messaging apps

By Waqas A malware strain dubbed as Rietspoof has been under the radar of researchers at Avast since last August. Reportedly, researchers suspect that the malware is on the rise and it is being distributed via Skype, Facebook Messenger, and other messaging apps. Researchers maintain that the...

Ukrainian Man Arrested For Distributing NotPetya Ransomware And Helping Tax Evaders

Ukrainian authorities have arrested a 51-year-old man accused of distributing the infamous Petya ransomware Petya.A, also known as NotPetya — the same computer virus that massively hit numerous businesses, organisations and banks in Ukraine as well as different parts of Europe around 45 days ago...

Are All Ransom Attacks Considered Ransomware?

Ransomware has loomed large in the news of late. It seems to be around every turn, and it’s not going anywhere. The untraceability of Bitcoin payments, coupled with new blackhat tools available to anyone at little if any cost, means extortion attempts will continue to grab headlines worldwide. Bu...

MSRT July 2016 – Cerber ransomware

As part of our ongoing effort to provide better malware protection, the July 2016 release of the Microsoft Malicious Software Removal Tool MSRT includes detection for Win32/Cerber, a prevalent ransomware family. The inclusion in MSRT complements our Cerber-specific family detections in Windows...

Locky is Back Asking for Unpaid Debts

On June 21, 2016, FireEye’s Dynamic Threat Intelligence DTI identified an increase in JavaScript contained within spam emails. FireEye analysts determined the increase was the result of a new Locky ransomware spam campaign. As shown in Figure 1, Locky spam activity was uninterrupted until June 1,...

CryptXXX Jumps From Angler to Neutrino Exploit Kit

Crooks behind the revamped CryptXXX 3.100 ransomware have switched its distribution from the Angler Exploit Kit to the Neutrino Exploit Kit. The sudden change in distribution was spotted on Monday by researchers at the SANS Internet Storm Center. “This is not the first time we’ve seen campaigns...

Latest Flash Zero Day Being Used to Push Ransomware

Exploits for a zero-day vulnerability in Adobe Flash Player are being aggressively distributed in two exploit kits. The zero day, meanwhile, was patched by Adobe in an emergency update released Thursday night. Attackers are using the previously unpatched flaw in the maligned Flash Player to infec...