Cerber ransomware delivered in format of a different order of Magnitude
As a follow up to our study into the Magnitude exploit kit and its gate which we profiled in a previous blog post, we take a look at an interesting technique used to distribute the Cerber ransomware. Exploit kits are a very effective means of serving malicious payloads and an important aspect is...
Explained: security certificates
As a result of my PowerShell series 1,2,3, where I used the handling of certificates as an example, mainly because I wanted a method to keep easier track of which certificates were being added by malware, I have received some questions about how security certificates work and how they stopped...
A week in security (July 31 – August 6)
Last week we explored some basic PowerShell commands, dived into the new methods used by TrickBot, and wrote at length about the Magnitude exploit kit redirection chain. Our teams were busy at both BlackHat and DefCon, and outside of those famous hallways, we also took time to fire up some basic...
Apple phish: Summary report statement
If the following message lands in your mailbox, you may wish to throw on your "This is highly suspicious" cap before proceeding further: The email is titled "RE: Summary Report Statement login and update account 08/05/2017". Note the old spammer trick of placing "RE:" at the start to make you think...
Learning PowerShell: basic programs
In the previous posts we have looked at some elementary PowerShell concepts and we have constructed some basic commands to export and compare data. We did this by using an example of certificates being dumped in the “Untrusted” category by some malware. This time we will try to write a program th...
DEFCON 25
After a few days in Las Vegas and after BlackHat, DEFCON 25 is finally over! It was an amazing time around awesome people. I didn't attend all the talks, but most of the ones I saw were interesting: There's no place like 127.0.0.1 - Achieving reliable DNS rebinding in modern browsers, by Luke...
Black Hat USA 2017 Recap
What do you get when you put hackers, gambling, and dogs together? Black Hat USA 2017 …and a random zoo conference happening next door. Last week, we wrapped up another successful trip to Las Vegas for Black Hat. For those of you who couldn’t make it or had too much Vegas fun and need a reminder ...
Enemy at the gates: Reviewing the Magnitude exploit kit redirection chain
Over the last few months, we have been keeping an eye on the Magnitude exploit kit which is mainly used to deliver the Cerber ransomware to specific countries in Asia. Our telemetry shows that South Korea is most impacted via ongoing malvertising campaigns. When a visitor goes to a website that...
TrickBot comes with new tricks – attacking Outlook and browsing data
Last year we reported about a new modular malware using a network protocol similar to Dyreza - you can read about it here. The malware was not very stealthy and some parts looked to be under development, but we noticed its potential and capability to be easily extended. Indeed, authors of...
Learning PowerShell: some basic commands
My first PowerShell script: The first PowerShell script I wrote (see below) was a quick fix to remove certificates from the “Untrusted” registry key after a Vonteera infection. After some initial commands, this script basically loops back for every certificate that doesn’t belong under a certain key...
A week in security (July 24 – July 30)
Last week, we recognized one of the unsung heroes of our times, explained what the Dark Web is, revealed challenges one of our researchers experienced when putting together his conference presentation for SteelCon, revealed the potential dangers of smart toys to kids, and made a prediction following the...
Mobile Menace Monday: Malicious clicker with extra maliciousness included
A new malicious clicker has emerged onto third-party app stores. Chinese in origin, the malicious app uses heavy obfuscation and poses as a battery optimizer app. We classify it as Android/Trojan.Clicker.hyj. Hide what’s inside: To obfuscate its code, Clicker.hyj uses an A...
Today is System Administrator Appreciation Day
And we are enormously grateful. What started off as a tongue-in-cheek offshoot of Administrative Professionals Day has now become a special holiday that people around the world recognize and practice. Dear reader, today is System Administrator Appreciation Day. Let’s be honest, maintaining the...
Fireball arrests made
Following some arrests in China, we may see a decrease in the amount of adware and adfraud hailing from the Rafotech labs. According to some reports, 250 million machines may have been infected with one variant or another of Rafotech’s products. We have shared some information about the potential...
The state of ransomware among SMBs
In a report conducted by Osterman Research and sponsored by Malwarebytes, more than 1,000 small and medium-sized businesses were surveyed in June 2017 about ransomware and other critical security issues. What we discovered was surprising—ransomware authors aren’t only targeting enterprise...
The real problem with ransomware
Ransomware – a specialized form of malware that encrypts files and renders them inaccessible until the victim pays a ransom – is an extremely serious problem and it’s quickly getting worse. The FBI estimated that ransomware payments were $1 billion in 2016, up from “just” $24 million a year...
Explained: the Dark Web
You may have seen the Dark Web referenced in popular TV shows and have gotten the wrong idea, or if you already knew about it, you may have snorted in derision. It’s also sometimes called the Deep Web, when in fact the Dark Web is only a part of the Deep Web. Terminology: Surface Web is what we...
SteelCon: Mahkra ni Orroz
I recently gave a talk at Sheffield's SteelCon, a huge security event spread over a few days with no end of interesting activities taking place. My presentation, called Makhra ni Orroz, is a good 45 minutes of non-stop talking and pictures and things. It's also a bit different in terms of what I...
FBI: Smart toys could harm children’s privacy and physical safety
The Federal Bureau of Investigation has recently issued a Public Service Announcement (PSA), encouraging consumers—parents, in particular—to think twice before purchasing internet-connected toys. Smart toys and entertainment devices for kids are part of the Internet of Things, and as such, they hav...
Bye, bye Petya! Decryptor for old versions released.
Following the outbreak of the Petya-based malware in Ukraine, the author of the original version, Janus, decided to release his master key, probably closing the project. You can read the full story here. Based on the released key, we prepared a decryptor that is capable of unlocking all the...
A week in security (July 17 – July 23)
Over the last week, we have covered Play Protect, Android’s new security system, and how the Dutch police ran Hansa Market after the takedown of AlphaBay, both major players on the Dark Web. We also provided some tips on how to stay cyber safe this summer. We also saw how the Terror exploit kit...
Play Protect: Android’s new security system is now available
Play Protect, a security suite for Android devices, was originally introduced in mid-May of this year during the Google I/O conference. And in just a couple of months, the tech giant has made it available for all their mobile users. Play Protect is the amalgamation of Google’s Android security...
7 tips to stay cyber safe this summer
You’ve probably already seen the back-to-school ads on TV and rolled your eyes a little bit. We’re with you: There’s still plenty of summer left. That’s why we want to remind you about some of the cybersecurity pitfalls you might encounter during the remainder of the summer season. Whether you’re...
Hansa Market on Dark Web seized by Dutch police
In a simultaneous press conference issued by the Dutch police and US Attorney General Jeff Sessions, we learned that the Dark Web marketplaces AlphaBay and Hansa Market have been seized and shut down by international cooperating authorities. As it turned out, Hansa Market was already under control...
Terror EK actor experiments with URL shortener fraud
Terror EK is an exploit kit made from a mishmash of stolen code and with very limited distribution. In the past few months, we have seen a few minor updates to its code base which remains largely simplistic in comparison to professional-grade exploit kits of the past such as Angler EK, or...
Adware the series, the final: Tools section
So far in this series, we have handed you some methods to recognize and remediate adware. We used this diagram as a guideline. During this journey, we have touched upon several free tools that we used to get some insight on what type of infection we were dealing with and where the adware could be...
A week in security (July 10 – July 16)
Last week, we took a look at some of your malware infection stories, took a stroll through the basics of PowerShell, explored a piece of .NET malware, and shone the spotlight on the Petya ransomware family. Elsewhere, the following stories were taking place: Latest updates for Consumers...
Keeping up with the Petyas: Demystifying the malware family
On June 27, there was a huge outbreak of a Petya-esque malware with a WannaCry-style infector in the Ukraine. Since there is still confusion about how exactly this malware is linked to the original Petya, we have prepared this small guide on the background of the Petya family. The origin of Petya...
A .NET malware abusing legitimate ffmpeg
There is a growing trend among malware authors to incorporate legitimate applications in their malicious package. This time, we analyzed a malware downloading a legitimate ffmpeg. Using this application, this simple spyware written in .NET got a powerful feature. Most of the malware is sufficient...
Learning PowerShell: The basics
I bet I went about learning PowerShell the wrong way, so I may need your help, readers of this blog. If only to organize my knowledge and use it for the fight against malware and not just to figure out how it was used in malware. The first serious look I had at PowerShell was when I was trying to...
Roundup: your malware infection stories
You hear the cautionary tales all the time. So-and-so didn’t have an antivirus in place and was infected with malware. Such-and-such business had limited cybersecurity infrastructure and was hit with a ransomware attack. You think: Sure, but it probably won’t happen to me. I’m a safe surfer. I’ve...
A week in security (July 03 – July 09)
Last week, we released our second quarter Cybercrime Tactics & Techniques report, where we revealed that ransomware outbreaks were dominant during this quarter. You can read the full report on the post below: Report: Second quarter dominated by ransomware outbreaks Our researchers continue to sha...
Report: Second quarter dominated by ransomware outbreaks
The second quarter of 2017 brought ransomware to unprecedented levels with worldwide outbreaks that went almost out of control. In scenarios reminiscent of yesteryear’s worms, WannaCry created global panic as it used a critical vulnerability in the SMBv1 protocol to propagate like wildfire. Within...
All this EternalPetya stuff makes me WannaCry
Another week goes by and yet again we have another ransomware outbreak initially dropped by a malicious software update and eventually spreading within internal networks using several methods - including EternalBlue - the leaked exploit from the ShadowBrokers group. Security researchers can’t see...
The key to old Petya versions has been published by the malware author
As research concluded, the original author of Petya, Janus, was not involved in the latest attacks on Ukraine. His original malware was pirated and extended by an unknown actor (read more here). As a result of the recent events, Janus probably decided to shut down the Petya project. Similarly to th...
AdGholas malvertising thrives in the shadows of ransomware outbreaks
The latest wave of ransomware following the WannaCry outbreak has kept everyone very busy and been the topic of many conversations. In the meantime, other threat actors have been quite active and perhaps even enjoyed this complimentary diversion. This is certainly true for the most prolific...
A week in security (June 26 – July 02)
Last week, we offered our readers tips on how to detect phishing attempts, gave an overview of Google's Be Internet Awesome campaign, supplemented an ongoing series on adware, and introduced the Malwarebytes Endpoint Protection to those who aren't already in the know. We also pushed out a number ...
EternalPetya – yet another stolen piece in the package?
Since June 27th we have been investigating the outbreak of the new Petya-like malware armed with an infector similar to WannaCry. Since day one, various contradicting theories started popping up. Some believed that this malware is a rip-off of the original Petya, while others think that it is...
EternalPetya and the lost Salsa20 key
We have recently been facing a huge outbreak of a new Petya-like malware armed with an infector similar to WannaCry. The research is still in progress, and the full report will be published soon. In this post, we will focus on some new important aspects of the current malware. The low-level attac...
Solution Corner: Malwarebytes Endpoint Protection
We’ve been busy here at Malwarebytes with several product announcements recently. Malwarebytes Incident Response was released in late April, providing threat detection and remediation via our new cloud-based platform. Right on its heels, leveraging the same platform is Malwarebytes Endpoint...
Adware the series, part 6
In this series of posts, we will be using the flowchart below to follow the process of determining which adware we are dealing with. Our objective is to give you an idea of how many different types of adware are around for Windows systems. Though most are classified as PUPs, you will also see the...
Petya-esque ransomware is spreading across the world
UPDATE 6/29/2017 1045 PST: According to information uncovered within Malwarebytes Labs, we have determined that this ransomware variant is coded to erase a unique and randomly generated key that is used to encrypt the MFT (Master File Table). The destruction of the Salsa20 key makes it very unlikel...
The smart, alert, strong, kind, and brave way to Internet awesome
Mom and Dad, do you know when to start talking to your kids about internet safety? Google’s new Be Internet Awesome program might just be the perfect topic to start off that conversation. Launched this National Internet Safety Month, Be Internet Awesome aims to teach kids to explore the internet...
Mobile Menace Monday: Fake WannaCry Scanner
With all the buzz around the PC ransomware WannaCry, it’s no surprise that a fake antivirus (FakeAV) has emerged on Google Play. Entitled WannaCry Ransomware Protector for Android, the bold claim it makes is right in its name. So how do we know this claim is false? Simple, there is no WannaCry...
Something’s phishy: How to detect phishing attempts
Dear you, It appears you need to update your information. Click here to tell us all your secrets. No really, it's totally safe. We're not going to steal your identity, we swear. If only phishing attempts were that obvious. Instead, these days it's hard to tell a phish apart from a foul, if you...
A week in security (June 19 – June 25)
Last week, we expanded on all the different technologies that Malwarebytes uses to break the attack chain and our Incident Response solution. We also warned you about a Roblox Robux generator scam and a phish targeting customers of Barclays Bank. Below are notable news stories and security-relate...
Solution Corner: Malwarebytes Incident Response
Unless you’ve been stuck at a fiery music festival, I don’t need to tell you the threat landscape is constantly evolving and that threats have become increasingly sophisticated at evading detection. Recent Malwarebytes Labs reports, including the 2017 State of Malware, shine a light on just how fa...
Barclays Bank customers targeted by phishers
Today we have a phish targeting customers of Barclays Bank, located at: bankdotbarclaydotcodotukdotolbdotauthdotloginlinkdotactiondotp1242557947640dotchofcgdotcom/bd/ The phish opens up with an initial lunge for personal details: The first page asks for a surname, then offers the potential victim...
The Roblox Robux generator is too good to be true
Roblox is an enormously popular MMORPG title for kids available on both PC and console, and it suffers no end of scammers trying to fleece its players as a result. While the game tries to block and filter text/URLs and comes with additional security features, potentially dubious sites also bounce...
A week in security (Jun 12 – Jun 18)
Last week was very busy for the Labs, with a look at so-called numeric tech support scams, a visit to the huge Infosec Europe conference, an exploration of Mac Malware as a Service, and a walk through the myths of online bullying. Elsewhere: A huge click-farm is busted Jaff Ransomware is thwarted...