1025 matches found
Kaspersky Security Bulletin: Review of the Year 2017
Introduction The end of the year is a good time to take stock of the main cyberthreat incidents that took place over the preceding 12 months or so. To reflect on the impact these events had on organizations and individuals, and consider what they could mean for the overall evolution of the threat...
JanelaRAT: a financial threat targeting users in Latin America
Background JanelaRAT is a malware family that takes its name from the Portuguese word "janela" which means "window". JanelaRAT looks for financial and cryptocurrency data from specific banks and financial institutions in the Latin America region. JanelaRAT is a modified variant of BX RAT that has...
Exploits and vulnerabilities in Q1 2025
The first quarter of 2025 saw the continued publication of vulnerabilities discovered and fixed in 2024, as some researchers were previously unable to disclose the details. This partially shifted the focus away from vulnerabilities that received new CVE-2025-NNNNN identifiers. The nature of the C...
IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia
Day after day, threat actors create new malware to use in cyberattacks. Each of these new implants is developed in its own way, and as a result gets its own destiny – while the use of some malware families is reported for decades, information about others disappears after days, months or several...
Exploits and vulnerabilities in Q4 2024
Q4 2024 saw fewer published exploits for Windows and Linux compared to the first three quarters. Although the number of registered vulnerabilities continued to rise, the total number of Proof of Concept PoC instances decreased compared to 2023. Among notable techniques in Q4, attackers leveraged...
Story of the Year: global IT outages and supply chain attacks
A faulty update by cybersecurity firm CrowdStrike triggered one of the largest IT outages in history, impacting approximately 8.5 million systems worldwide. This incident serves as a stark reminder of the critical risks posed by global IT disruptions and supply chain weaknesses. With large-scale...
How the Necro Trojan infiltrated Google Play, again
Introduction We sometimes come across modified applications when analyzing suspicious files. These are created in response to user requests for more customization options within the app or for new features that the official versions don't have. Unfortunately, it's not uncommon for popular mods to...
IT threat evolution in Q2 2024. Non-mobile statistics
The statistics presented here are based on detection verdicts by Kaspersky products and services received from users who consented to providing statistical data. Quarterly figures In Q2 2024: Kaspersky solutions blocked over 664 million attacks from various internet sources. The web antivirus...
Understanding Malware-as-a-Service
Money is the root of all evil, including cybercrime. Thus, it was inevitable that malware creators would one day begin not only to distribute malicious programs themselves, but also to sell them to less technically proficient attackers, thereby lowering the threshold for entering the cybercrimina...
Sneaky DoubleFinger loads GreetingGhoul targeting your cryptocurrency
Introduction Stealing cryptocurrencies is nothing new. For example, the Mt. Gox exchange was robbed of many bitcoins back in the beginning of 2010s. Attackers such as those behind the Coinvault ransomware were after your Bitcoin wallets, too. Since then, stealing cryptocurrencies has continued to...
Satacom delivers browser extension that steals cryptocurrency
Satacom downloader, also known as LegionLoader, is a renowned malware family that emerged in 2019. It is known to use the technique of querying DNS servers to obtain the base64-encoded URL in order to receive the next stage of another malware family currently distributed by Satacom. The Satacom...
Uncommon infection methods—part 2
Introduction Although ransomware is still a hot topic on which we will keep on publishing, we also investigate and publish about other threats. Recently we explored the topic of infection methods, including malvertising and malicious downloads. In this blog post, we provide excerpts from the rece...
Main phishing and scamming trends and techniques
There are two main types of online fraud aimed at stealing user data and money: phishing and scams. Phishers primarily seek to extract confidential information from victims, such as credentials or bank card details, while scammers deploy social engineering to persuade targets to transfer money on...
LofyLife: malicious npm packages steal Discord tokens and bank card data
On July 26, using the internal automated system for monitoring open-source repositories, we identified four suspicious packages in the Node Package Manager npm repository. All these packages contained highly obfuscated malicious Python and JavaScript code. We dubbed this malicious campaign...
WinDealer dealing on the side
Introduction LuoYu is a lesser-known threat actor that has been active since 2008. It primarily goes after targets located in China, such as foreign diplomatic organizations established in the country, members of the academic community, or companies from the defense, logistics and...
Evaluation of cyber activities and the threat landscape in Ukraine
Introduction When the war in Ukraine broke out, many analysts were surprised to discover that what was simultaneously happening in the cyber domain did not match their predictions1. Since the beginning of the fighting, new cyberattacks taking place in Ukraine have been identified every week, whic...
Threats to ICS and industrial enterprises in 2022
Continuing trends In recent years, we have observed various trends in the changing threat landscape for industrial enterprises, most of which have been evolving for some time. We can say with high confidence that many of these trends will not only continue, but gain new traction in the coming yea...
Threat landscape for industrial automation systems in H1 2021
The H1 2021 ICS threat report at a glance Percentage of ICS computers attacked 1. During the first half of 2021 H1 2021, the percentage of attacked ICS computers was 8%, which was 0.4 percentage points p.p. higher than that for H2 2020. Percentage of ICS computers on which malicious objects were...
Redirect auction
Weve already looked at links under old YouTube videos or in Wikipedia articles which at some point turned bad and began pointing to partner program pages, phishing sites, or even malware. It was as if the attackers were purposely buying up domains, but such a scenario always seemed to us too...
Roaming Mantis, part V
Kaspersky has continued to track the Roaming Mantis campaign. The group's attack methods have improved and new targets continuously added in order to steal more funds. The attackers' focus has also shifted to techniques that avoid tracking and research: whitelist for distribution, analysis...
A vulnerable driver: lesson almost learned
Recently, we started receiving suspicious events from our internal sandbox Exploit Checker plugin. Our heuristics for supervisor mode code execution in the user address space were constantly being triggered, and an executable file was being flagged for further analysis. At first, it looked like...
Threat Predictions for Connected Health in 2018
The landscape in 2017 In 2017, Kaspersky Lab research revealed the extent to which medical information and patient data stored within the connected healthcare infrastructure is left unprotected and accessible online for any motivated cybercriminal to discover. For example, we found open access to...
Neutrino modification for POS-terminals
From time to time authors of effective and long-lived Trojans and viruses create new modifications and forks of them, like any other software authors. One of the brightest examples amongst them is Zeus Trojan-Spy.Win32.Zbot, based on classification of "Kaspersky Lab", which continues to spawn new...
Analysis of Cyber Anarchy Squad attacks targeting Russian and Belarusian organizations
About C.A.S C.A.S Cyber Anarchy Squad is a hacktivist group that has been attacking organizations in Russia and Belarus since 2022. Besides data theft, its goal is to inflict maximum damage, including reputational. To this end, the group's attacks exploit vulnerabilities in publicly available...
A journey into forgotten Null Session and MS-RPC interfaces
A journey into forgotten Null Session and MS-RPC interfaces PDF It has been almost 24 years since the null session vulnerability was discovered. Back then, it was possible to access SMB named pipes using empty credentials and collect domain information. Most often, attackers leveraged null sessio...
BlueNoroff: new Trojan attacking macOS users
We recently discovered a new variety of malicious loader that targets macOS, presumably linked to the BlueNoroff APT gang and its ongoing campaign known as RustBucket. The threat actor is known to attack financial organizations, particularly companies, whose activity is in any way related to...
Evil Telegram doppelganger attacks Chinese users
UPDATE 11.09.2023. Google has informed us that all the apps were deleted from the Google Play store A while ago we discovered a bunch of Telegram mods on Google Play with descriptions in traditional Chinese, simplified Chinese and Uighur. The vendor says these are the fastest apps which use a...
Operation Triangulation: iOS devices targeted with previously unknown malware
While monitoring the network traffic of our own corporate Wi-Fi network dedicated for mobile devices using the Kaspersky Unified Monitoring and Analysis Platform KUMA, we noticed suspicious activity that originated from several iOS-based phones. Since it is impossible to inspect modern iOS device...
Ransomware and wiper signed with stolen certificates
Introduction On July 17, 2022, Albanian news outlets reported a massive cyberattack that affected Albanian government e-services. A few weeks later, it was revealed that the cyberattacks were part of a coordinated effort likely intended to cripple the countrys computer systems. On September 10,...
Who tracked internet users in 2021–2022
Every time you go online, someone is watching over you. The services you use, the websites you visit, the apps on your phone, smart TVs, gaming consoles, and any networked devices collect data on you with the help of trackers installed on web pages or in software. The websites and services send...
Prilex: the pricey prickle credit card complex
Prilex is a Brazilian threat actor that has evolved out of ATM-focused malware into modular point-of-sale malware. The group was behind one of the largest attacks on ATMs in the country, infecting and jackpotting more than 1,000 machines, while also cloning in excess of 28,000 credit cards that...
Dynamic analysis of firmware components in IoT devices
Among the various offensive security techniques, vulnerability assessment takes priority when it comes to analyzing the security of IoT/IIoT devices. In most cases, such devices are analyzed using the black box testing approach, in which the researcher has virtually no knowledge about the object ...
How much does access to corporate infrastructure cost?
Division of labor Money has been and remains the main motivator for cybercriminals. The most widespread techniques of monetizing cyberattacks include selling stolen databases, extortion using ransomware and carding. However, there is demand on the dark web not only for data obtained through an...
Why master YARA: from routine to extreme threat hunting cases. Follow-up
On 3rd of September, we were hosting our "Experts Talk. Why master YARA: from routine to extreme threat hunting cases", in which several experts from our Global Research and Analysis Team and invited speakers shared their best practices on YARA usage. At the same time, we also presented our new...
Your new friend, KLara
While doing threat research, teams need a lot of tools and systems to aid their hunting efforts – from systems storing Passive DNS data and automated malware classification to systems allowing researchers to pattern-match a large volume of data in a relatively short period of time. These tools ar...
KSN Report: Ransomware in 2016-2017
This report has been prepared using depersonalized data processed by Kaspersky Security Network KSN. The metrics are based on the number of distinct users of Kaspersky Lab products with the KSN feature enabled, who encountered ransomware at least once in a given period, as well as research into t...
When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website
One of the most common pieces of anti-phishing advice is to double-check the website's domain name before providing your credentials. Typically, a fraudulent domain stands out to the trained eye, differing from the official URL by at least a few characters. Recently, however, we encountered a...
Arcane stealer: We want all your data
At the end of 2024, we discovered a new stealer distributed via YouTube videos promoting game cheats. What's intriguing about this malware is how much it collects. It grabs account information from VPN and gaming clients, and all kinds of network utilities like ngrok, Playit, Cyberduck, FileZilla...
No need to RSVP: a closer look at the Tria stealer campaign
Introduction Since mid-2024, we've observed a malicious Android campaign leveraging wedding invitations as a lure to social-engineer victims into installing a malicious Android app APK, which we have named "Tria Stealer" after unique strings found in campaign samples. The primary targets of the...
Awaken Likho is awake: new techniques of an APT group
Introduction In July 2021, a campaign was launched primarily targeting Russian government agencies and industrial enterprises. Shortly after the campaign started, we began tracking it, and published three reports in August and September 2024 through our threat research subscription on the threat...
Approach to mainframe penetration testing on z/OS
Information technology is developing at a rapid pace, with completely new areas emerging, such as DevOps and DevSecOps – and were striving to keep up. However, in some projects, you may encounter systems built on rather outdated principles. Such systems must be approached with care, since a singl...
Threat landscape for industrial automation systems, Q1 2024
Global statistics Statistics across all threats In the first quarter of 2024, the percentage of ICS computers on which malicious objects were blocked decreased by 0.3 pp from the previous quarter to 24.4%. Compared to the first quarter of 2023, the percentage decreased by 1.3 pp. Percentage of IC...
Using the LockBit builder to generate targeted ransomware
The previous Kaspersky research focused on a detailed analysis of the LockBit 3.0 builder leaked in 2022. Since then, attackers have been able to generate customized versions of the threat according to their needs. This opens up numerous possibilities for malicious actors to make their attacks mo...
Android malware, Android malware and more Android malware
Introduction Malware for mobile devices is something we come across very often. In 2023, our technologies blocked 33.8 million malware, adware, and riskware attacks on mobile devices. One of 2023s most resonant attacks was Operation Triangulation, targeting iOS, but that was rather a unique case...
The mobile malware threat landscape in 2023
The figures above are based on detection statistics received from Kaspersky users who consented to sharing usage data with Kaspersky Security Network. The data for years preceding 2023 may differ from that published previously, as the calculation methodology was refined, and the data was...
QBot banker delivered through business correspondence
In early April, we detected a significant increase in attacks that use banking Trojans of the QBot family aka QakBot, QuackBot, and Pinkslipbot. The malware would be delivered through e-mail letters written in different languages — variations of them were coming in English, German, Italian, and...
Following the Lazarus group by tracking DeathNote campaign
The Lazarus group is a high-profile Korean-speaking threat actor with multiple sub-campaigns. We have previously published information about the connections of each cluster of this group. In this blog, well focus on an active cluster that we dubbed DeathNote because the malware responsible for...
DTrack activity targeting Europe and Latin America
Introduction DTrack is a backdoor used by the Lazarus group. Initially discovered in 2019, the backdoor remains in use three years later. It is used by the Lazarus group against a wide variety of targets. For example, weve seen it being used in financial environments where ATMs were breached, in...
IT threat evolution in Q2 2022. Mobile statistics
IT threat evolution in Q2 2022 IT threat evolution in Q2 2022. Non-mobile statistics IT threat evolution in Q2 2022. Mobile statistics These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data. Quarterly figures Accordin...
VileRAT: DeathStalker’s continuous strike at foreign and cryptocurrency exchanges
In late August 2020, we published an overview of DeathStalkers profile and malicious activities, including their Janicab, Evilnum and PowerSing campaigns PowerPepper was later documented in 2020. Notably, we exposed why we believe the threat actor may fit a group of mercenaries, offering...