IIS extensions are on the rise as backdoors to servers

The Microsoft 365 Defender Research Team has warned that attackers are increasingly leveraging Internet Information Services IIS extensions as covert backdoors into servers. IIS extensions are able to stay hidden in target environments and as such provide a long-term persistence mechanism for...

Threat profile: Egregor ransomware is making a name for itself

What is Egregor? Egregor ransomware is a relatively new ransomware first spotted in September 2020 that seems intent on making its way to the top right now. Egregor is considered a variant of Ransom.Sekhmet based on similarities in obfuscation, API-calls, and the ransom note. As weve reported in...

Chinese APT group targets India and Hong Kong using new variant of MgBot malware

This blog post was authored by Hossein Jazi and Jérôme Segura On July 2, we found an archive file with an embedded document pretending to be from the government of India. This file used template injection to drop a malicious template which loaded a variant of Cobalt Strike. One day later, the sam...

Decoy Microsoft Word document delivers malware through a RAT

In this post, we take a look at a Microsoft Word document which itself is somewhat clean, but is used to launch a multi-stage attack that relies on the hyperlink feature in the OpenXML format. This then loads another document that contains an exploit. Most malicious Microsoft Office documents...

Patch now! Exchange servers attacked by Hafnium zero-days

Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft attributes the attacks to a group they have dubbed Hafnium. “HAFNIUM primarily targets entities in the United States across a number ...

Internet Explorer zero-day: browser is once again under attack

Update 2018-05-25: CVE-2018-8174 has been added to the RIG exploit kit MDNC. Update 2018-05-22: Security researcher Richard Warren mentioned that a fully working IE zero-day now patched with payload was uploaded to VirusTotal. We decided to test Malwarebytes against it, since last time we only ha...

The state of malicious cryptomining

While cryptocurrencies have been around for a long time and used for legitimate purposes, online criminals have certainly tarnished their reputation. Unfortunately, the same benefits offered by these decentralized and somewhat anonymous digital currencies were quickly abused to extort money, as w...

Exploit kits: summer 2018 review

The uptick trend in cybercriminals using exploit kits that we first noticed in our spring 2018 report has continued into the summer. Indeed, not only have new kits been found, but older ones are still showing signs of life. This has made the summer quarter one of the busiest we've seen for exploi...

Meltdown and Spectre fallout: patching problems persist

Last week, the disclosure by multiple teams from Graz and Pennsylvania University, Rambus, Data61, Cyberus Technology, and Google Project Zero of vulnerabilities under the aliases Meltdown and Spectre rocked the security world, sending vendors scurrying to create patches, if at all possible, and...

Magniber ransomware improves, expands within Asia

This blog post was authored by @hasherezade and Jérôme Segura. The Magnitude exploit kit is one of the longest-serving browser exploitation toolkits among those still in use. After its inception in 2013, it enjoyed worldwide distribution with a liking for ransomware. Eventually, it became a priva...

Buggy implementation of CVE-2018-8373 vulnerability used to deliver Quasar RAT

A variant of a remote code execution vulnerability with Internet Explorer's scripting engine known as CVE-2018-8373 patched last August has been found in the wild. Looking at the IOCs posted by our colleagues at TrendMicro, we recognized the infrastructure serving this exploit. The same static...

How threat actors are using SMB vulnerabilities

Some of the most devastating ransomware and Trojan malware variants depend on vulnerabilities in the Windows Server Message Block SMB to propagate through an organization’s network. Windows SMB is a protocol used by PCs for file and printer sharing, as well as for access to remote services. A pat...

Security vulnerabilities: 5 times that organizations got hacked

Businesses and governments these days are relying on dozens of different Software-as-a-Service SaaS applications to run their operations — and it’s no secret that hackers are always looking for security vulnerabilities in them to exploit. According to research by BetterCloud, the average company...

Maze: the ransomware that introduced an extra twist

An extra way to create leverage against victims of ransomware has been introduced by the developers of the Maze ransomware. If the victim is not convinced that she should pay the criminals because her files are encrypted, there could be an extra method of extortion. Over time, more organizations...

Magnitude exploit kit switches to GandCrab ransomware

The GandCrab ransomware is reaching far and wide via malspam, social engineering schemes, and exploit kit campaigns. On April 16, we discovered that Magnitude EK, which had been loyal to its own Magniber ransomware, was now being leveraged to push out GandCrab, too. While Magnitude EK remains...

APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT

Since the coronavirus became a worldwide health issue, the desire for more information and guidance from government and health authorities has reached a fever pitch. This is a golden opportunity for threat actors to capitalize on fear, spread misinformation, and generate mass hysteria—all while...

Threat Spotlight: Sodinokibi ransomware attempts to fill GandCrab void

Sodinokibi ransomware, also known as Sodin and REvil, is hardly three months old, yet it has quickly become a topic of discussion among cybersecurity professionals because of its apparent connection with the infamous-but-now-defunct GandCrab ransomware. Detected by Malwarebytes as...

Woody RAT: A new feature-rich malware spotted in the wild

This blog post was authored by Ankur Saini and Hossein Jazi The Malwarebytes Threat Intelligence team has identified a new Remote Access Trojan we are calling Woody Rat that has been in the wild for at least one year. This advanced custom Rat is mainly the work of a threat actor that targets...

Adobe Reader zero-day discovered alongside Windows vulnerability

During the first half of 2018, we have witnessed some particularly interesting zero-day exploits, including one for Flash CVE-2018-4878 and more recently for Internet Explorer CVE-2018-8174. The former was quickly used by exploit kits such as Magnitude, while it is only a matter of time before we...

The top 5 most routinely exploited vulnerabilities of 2021

A joint Cybersecurity Advisory, coauthored by cybersecurity authorities of the United States CISA, NSA, and FBI, Australia ACSC, Canada CCCS, New Zealand NZ NCSC, and the United Kingdom NCSC-UK has detailed the top 15 Common Vulnerabilities and Exposures CVEs routinely exploited by malicious cybe...

PSA: New Microsoft Word 0day used in the wild

Microsoft has just patched an important vulnerability in Microsoft Word during its latest patch Tuesday cycle. According to the security firm that found it 1, this new zero-day CVE-2017-8759 was used in targeted attacks to install a piece of malware known as FinFisher. Microsoft Office has been i...

RIG exploit kit distributes Princess ransomware

We have identified a new drive-by download campaign that distributes the Princess ransomware AKA PrincessLocker, leveraging compromised websites and the RIG exploit kit. This is somewhat of a change for those tracking malvertising campaigns and their payloads. We had analyzed the PrincessLocker...

New spear phishing campaign targets Russian dissidents

This blog post was authored by Hossein Jazi. -- Updated to clarify the two different campaigns Cobalt Strike and Rat Several threat actors have taken advantage of the war in Ukraine to launch a number of cyber attacks. The Malwarebytes Threat Intelligence team is actively monitoring these threats...

New macro-less technique to distribute malware

One of the most common and effective infection vectors, especially for businesses, is the use of malicious Office documents. This year alone, we witnessed two zero-days for both Flash and the VBScript engine, which were first actually embedded into Office documents before gaining wider adoption i...

Exploit kits: fall 2018 review

Exploit kit EK activity continues to surprise us as the weather cools, the leaves change, and we move into the fall of 2018. Indeed, shortly after our summer review, a new exploit kit was discovered, and while no new vulnerabilities were added to the current EKs, several malvertising chains are...

Blocks for Flash and others coming to Office 365

If you're a user of Microsoft Office products such as Word and Excel, you're probably aware that they've been used as inroads for malware for a long, long time. But what about malware attacks without Macros? Sure. Macro malware for Macs? That, too. Malicious documents and spying tools? Danger, Wi...

Fake IRS notice delivers customized spying tool

While macro-based documents and scripts make up for the majority of malspam attacks these days, we also see some campaigns that leverage documents embedded with exploits. Case in point, we came across a malicious Microsoft Office file disguised as a CP2000 notice. The Internal Revenue Service IRS...

FAQ: Mitigating Microsoft Office’s ‘Follina’ zero-day

On Monday May 30, 2022, Microsoft issued CVE-2022-30190 for a zero-day remote code vulnerability, Follina, already being exploited in the wild via malicious Word documents. Q: What exactly is Follina? A: Follina is the nickname given to a new vulnerability discovered as a zero-day and identified ...

PrintNightmare 0-day can be used to take over Windows domain controllers

In a rush to be the first to publish a proof-of-concept PoC, researchers have published a write-up and a demo exploit to demonstrate a vulnerability that has been dubbed PrintNightmare. Only to find out they had alerted the world to a new 0-day vulnerability by accident. What happened? In June,...

Magecart Group 4: A link with Cobalt Group?

Note: This blog post is a collaboration between the Malwarebytes and HYAS Threat Intelligence teams. Magecart is a term that has become a household name, and it refers to the theft of credit card data via online stores. The most common scenario is for criminals to compromise e-commerce sites by...

A week in security (March 11 – 17)

Last week on Malwarebytes Labs, we looked at the Lazarus group in our series about APT groups, we discussed the introduction of Payment Service Directive 2 PSD2 in the EU, we tackled Google’s Nest fiasco, and the launch of Mozilla's Firefox Send. In addition, we gave you an overview of the...

A week in security (September 18 – September 24)

Last week, we kept you updated on our blog about the infected versions of CCleaner that were offered as downloads on the official servers. We also warned you against a fake IRS notice that delivers a customized spying tool, some of the threats currently facing gamers, and a Netflix scam that has...

Patch now! NSA, CISA, and FBI warn of Russian intelligence exploiting 5 vulnerabilities

The National Security Agency NSA, the Cybersecurity and Infrastructure Security Agency CISA, and the Federal Bureau of Investigation FBI have jointly released a Cybersecurity Advisory called Russian SVR Targets U.S. and Allied Networks, to expose ongoing Russian Foreign Intelligence Service SVR...

Atomic research institute breached via VPN vulnerability

Remember when we told you to patch your VPNs already? I hate to say "I told you so", but I informed you thusly. According to South Korean officials a North Korean cyber-espionage group managed to infiltrate the network of South Koreas state-run nuclear research institute last month. The crime: ti...

Drive-by download campaign targets Chinese websites, experiments with exploits

During our web crawls we sometimes come across bizarre findings or patterns we haven't seen before. This was the case with a particular drive-by download attack planted on Chinese websites. While by no means advanced it turned out to be fairly buggy, we witnessed a threat actor experimenting with...

Take action! Multiple Pulse Secure VPN vulnerabilities exploited in the wild

Pulse Secure has alerted customers to the existence of an exploitable chain of attack against its Pulse Connect Secure PCS appliances. PCS provides Virtual Private Network VPN facilities to businesses, which use them to prevent unauthorized access to their networks and services. Cybersecurity...

Exploit kits: winter 2019 review

Active malvertising campaigns in December and the new year have kept exploit kit activity from hibernating in winter 2019. We mostly observed Fallout and RIG with the occasional, limited GrandSoft appearance for wider geo-targeting. In addition, narrowly-focused exploit kits such as Magnitude,...

Patch now! Microsoft Exchange is being attacked via ProxyShell

Last Saturday the Cybersecurity and Infrastructure Security Agency issued an urgent warning that threat actors are actively exploiting three Microsoft Exchange vulnerabilities—CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. These vulnerabilities can be chained together to remotely execute...

A look into Drupalgeddon’s client-side attacks

Drupal is one of the most popular Content Management Systems CMS, along with WordPress and Joomla. In late March 2018, Drupal was affected by a major remote code execution vulnerability CVE-2018-7600 followed by yet another CVE-2018-7602 almost a month later, both aptly nicknamed Drupalgeddon 2 a...

Thousands of Hikvision video cameras remain unpatched and vulnerable to takeover

In September 2021 we told you about insecure Hikvision security cameras that were ready to be taken over remotely. However, according to a whitepaper published by CYFIRMA, tens of thousands of systems used by 2,300 organizations across 100 countries have still not applied the security update, and...

Microsoft pushes patch to prevent ‘WannaCry level’ vulnerability

This month marks the two-year anniversary since the infamous WannaCry attack. As an anniversary present to the world, Microsoft has pushed out patches to secure a newly-identified Remote Desktop Protocol RDP vulnerability found in certain Windows operating systems. The potential damage of the...

‘Hidden Bee’ miner delivered via improved drive-by download toolkit

This blog post was authored by @hasherezade and Jérôme Segura. We recently detected a drive-by download attack trying to exploit CVE-2018-4878, a vulnerability in Flash Player, in a sequence that was not matching any of the exploit kit patterns that we currently track. Upon investigation, we...

Exploit kits: spring 2019 review

Exploit kit activity remains fairly unchanged since our last winter review in terms of active distribution campaigns. But this spring edition will feature a new exploit kit and another atypical EK, in that it specifically goes after routers. The main driver behind these drive-by download attacks...

Exploit kits: Spring 2018 review

Since our last report on exploit kits, there have been some new developments with the wider adoption of the February Flash zero-day, as well as the inclusion of a new exploit for Internet Explorer. We have not seen that many changes in the drive-by landscape for a long time, although these are th...

Equifax breach: What you need to know [updated]

updates 9/14/2017 Equifax has released information and confirmed the vulnerability CVE-2017-5638 that was used in this breach after several days of intense scrutiny around Apache Struts. To make matters worse, there already was a patch available for this flaw in March 2017, two months prior to th...

Fake browser update seeks to compromise more MikroTik routers

This blog post was authored by @hasherezade and Jérôme Segura. MikroTik, a Latvian company that makes routers and ISP wireless systems, has been dealing with several vulnerabilities affecting its products' operating system over the past few months. Ever since a critical flaw in RouterOS was...

$320 milllion stolen from Wormhole crypto-trading platform

By using an exploit in the software of crypto-trading platform Wormhole, threat actors have stolen an estimated $322 million in cryptocurrencies. The platform is offering a $10 million award for the stolen money and details about the attack. How they pulled it off Wormhole Portal is a web-based...

FragAttack: New Wi-Fi vulnerabilities that affect… basically everything

A new set of vulnerabilities with an aggressive name and their own website almost always bodes ill. The name FragAttack is a contraction of fragmentation and aggregation attacks, which immediately indicates the main area where the vulnerabilities were found. The vulnerabilities are mostly in how...

Exploit kits: Winter 2018 review

In the past, we used to do a blog series on exploit kits where we would periodically check in on the main players in the market. In March 2017, we wrote the Winter 2017 review, before exploit kit activity dropped down to a whisper. We've since discontinued our blog series, for lack of development...

Underminer exploit kit improves in its latest iteration

One of the most interesting exploit kits we track is also a bit of an elusive one, and as such does not receive the same scrutiny as its RIG and Fallout counterparts. Underminer was mentioned in our Fall 2018 round up, and at the time was using CVE-2018-8174 Internet Explorer and CVE-2018-4878...