Securelist | Most viewed

1012 matches found

Securelist | added 2017/08/17 9:0 a.m. | 53 views

Booking a Taxi for Faketoken

The Trojan-Banker.AndroidOS.Faketoken malware has been known about for already more than a year. Throughout the time of its existence, it has worked its way up from a primitive Trojan intercepting mTAN codes to an encrypter. The authors of its newer modifications continue to upgrade the malware,...

6.8 AI score | Exploits: 0

Securelist | added 2022/08/09 10:0 a.m. | 52 views

Andariel deploys DTrack and Maui ransomware

On July 7, 2022, the CISA published an alert, entitled, "North Korean State-Sponsored Cyber Actors Use Maui Ransomware To Target the Healthcare and Public Health Sector," related to a Stairwell report, "Maui Ransomware." Later, the Department of Justice announced that they had effectively clawed...

5 CVSS | 1.4 AI score | 0.99934 EPSS | Exploits: 45

Securelist | added 2020/07/14 10:0 a.m. | 52 views

The Tetrade: Brazilian banking malware goes global

Introduction Brazil is a well-known country with plenty of banking trojans developed by local crooks. The Brazilian criminal underground is home to some of the world's busiest and most creative perpetrators of cybercrime. Like their counterparts in China and Russia, their cyberattacks have a stron...

7.4 AI score | Exploits: 0

Securelist | added 2020/03/31 10:0 a.m. | 52 views

Holy water: ongoing targeted water-holing attack in Asia

On December 4, 2019, we discovered watering hole websites that were compromised to selectively trigger a drive-by download attack with fake Adobe Flash update warnings. This campaign has been active since at least May 2019, and targets an Asian religious and ethnic group. The threat actor's...

7.5 AI score | Exploits: 0

Securelist | added 2020/01/09 10:0 a.m. | 52 views

Smartphone shopaholic

Have you ever noticed strange reviews of Google Play apps that look totally out of place? Their creators might give it five stars, while dozens of users rate it with just one, and in some cases the reviews seem to be talking about some other program entirely. If so, you may be unknowingly...

0.2 AI score | Exploits: 0

Securelist | added 2018/11/26 2:0 p.m. | 52 views

Threat predictions for industrial security in 2019

Kaspersky Security Bulletin: Threat Predictions for 2019 Cryptocurrency threat predictions for 2019 Cyberthreats to financial institutions 2019: overview and predictions The past few years have been very intense and eventful when it comes to incidents affecting the information security of...

0.6 AI score | Exploits: 0

Securelist | added 2018/03/09 5:0 p.m. | 52 views

Masha and these Bears

Sofacy, also known as APT28, Fancy Bear, and Tsar Team, is a prolific, well resourced, and persistent adversary. They are sometimes portrayed as wild and reckless, but as seen under our visibility, the group can be pragmatic, measured, and agile. Our previous post on their 2017 activity stepped...

7.9 AI score | Exploits: 0

Securelist | added 2018/03/05 10:0 a.m. | 52 views

Mining is the new black

UPDATED March 5th, 15.00 Last year we published a story revealing the rise of miners across the globe. At the time we had discovered botnets earning millions of USD. We knew this was just the beginning of the story, which turned out to develop rapidly. Together with the rest of the world, we have...

7 AI score | Exploits: 0

Securelist | added 2018/01/31 5:54 p.m. | 52 views

Cybercriminals target early IRS 2018 refunds now

On Monday, Jan 29th, IRS officially opened its 2018 season. Some taxpayers already filed their taxes and cybercriminals know it too. So, right after two days of the official 2018 season opening, we got phishing messages with a fake refund status Websites: The link in the email leads to a hacked...

6.7 AI score | Exploits: 0

Securelist | added 2021/03/18 10:0 a.m. | 51 views

Convuster: macOS adware now in Rust

Introduction Traditionally, most malicious objects detected on the macOS platform are adware: besides the already familiar Shlayer family, the TOP 10 includes Bnodlero, Cimpli, Adload and Pirrit adware. As a rule, most tend to be written in C, Objective-C or Swift. Recently, however, cybercrimina...

7.3 AI score | Exploits: 0

Securelist | added 2020/12/23 10:0 a.m. | 51 views

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that actors, such as the Lazarus group, are going after intelligence that could help these efforts by attacking entities related to COVID-19 research. Whi...

8.2 AI score | Exploits: 0

Securelist | added 2020/02/07 10:1 a.m. | 51 views

Happy New Fear! Gift-wrapped spam and phishing

Pre-holiday spam Easy money In the run-up to Christmas and New Year, scam e-mails mentioning easy pickings, lottery winnings, and other cash surprises are especially popular. All the more so given how simple it is to adapt existing schemes simply by mentioning the holiday in the subject line. For...

0.2 AI score | Exploits: 0

Securelist | added 2019/08/05 10:0 a.m. | 51 views

DDoS attacks in Q2 2019

News overview The second quarter of 2019 turned out to be richer than the first in terms of high-profile DDoS attacks. True, most of the campaigns that attracted media attention appeared to be politically, rather than commercially, motivated — and that despite the fact that some security experts...

7.1 AI score | Exploits: 0

Securelist | added 2018/09/03 10:0 a.m. | 51 views

We know what your kids did this summer

For many kids and teenagers, summer is all about ditching school books in favor of hobbies and fun. Every year we release a report on children's interests, as reflected in their online activity. This summer, we investigated what they prefer in their free time. The Parental Control module in...

0.1 AI score | Exploits: 0

Securelist | added 2024/11/11 10:0 a.m. | 50 views

Ymir: new stealthy ransomware in the wild

Introduction In a recent incident response case, we discovered a new and notable ransomware family in active use by the attackers, which we named "Ymir". The artifact has interesting features, including a large set of operations performed in memory with the help of the malloc, memmove and memcmp...

7.2 AI score | Exploits: 0

Securelist | added 2021/04/21 10:0 a.m. | 50 views

Targeted Malware Reverse Engineering Workshop follow-up. Part 2

If you have read our previous blogpost "Targeted Malware Reverse Engineering Workshop follow-up. Part 1", you probably know about the webinar we conducted on April 8, 2021, with Kaspersky GReAT's Ivan Kwiatkowski and Denis Legezo, to share best practices in reverse engineering and demonstrate...

6.9 AI score | Exploits: 0

Securelist | added 2020/06/09 10:0 a.m. | 50 views

Looking at Big Threats Using Code Similarity. Part 1

Today, we are announcing the release of KTAE, the Kaspersky Threat Attribution Engine. This code attribution technology, developed initially for internal use by the Kaspersky Global Research and Analysis Team, is now being made available to a wider audience. You can read more about KTAE in our...

6.9 AI score | Exploits: 0

Securelist | added 2018/07/12 6:0 p.m. | 50 views

Coinvault, the court case

Today, after almost 3 years of waiting, it was finally the day of the trial. In the Netherlands, where the whole case took place, the hearings are open to the public. Meaning anyone who is interested can visit. And it was quite busy. Because besides the suspects, their lawyers, the judges and the...

0.3 AI score | Exploits: 0

Securelist | added 2018/02/27 10:0 a.m. | 50 views

IoT hack: how to break a smart home… again

There can never be too many IoT gadgets – that's what people usually think when buying yet another connected device with advanced functionality. From our perspective, we also think there can't be too many IoT investigations. So, we have continued our experiments into checking and uncovering how...

7.7 AI score | Exploits: 0

Securelist | added 2017/09/12 9:0 a.m. | 50 views

Miners on the Rise

Miners are a class of malware whose popularity has grown substantially this year. The actual process of cryptocurrency mining is perfectly legal, though there are groups of people who hoodwink unwitting users into installing mining software on their computers, or exploiting software vulnerabiliti...

7 AI score | Exploits: 0

Securelist | added 2025/03/25 9:30 p.m. | 49 views

Operation ForumTroll: APT attack with Google Chrome zero-day exploit chain

In mid-March 2025, Kaspersky technologies detected a wave of infections by previously unknown and highly sophisticated malware. In all cases, infection occurred immediately after the victim clicked on a link in a phishing email, and the attackers' website was opened using the Google Chrome web...

8.3 CVSS | 8.5 AI score | 0.08557 EPSS | Exploits: 5

Securelist | added 2024/08/21 10:0 a.m. | 49 views

Exploits and vulnerabilities in Q2 2024

Q2 2024 was eventful in terms of new interesting vulnerabilities and exploitation techniques for applications and operating systems. Attacks through vulnerable drivers have become prevalent as a general means of privilege escalation in the operating system. Such attacks are notable in that the...

9.8 CVSS | 9.1 AI score | 0.99987 EPSS | Exploits: 483

Securelist | added 2023/12/21 10:0 a.m. | 49 views

Windows CLFS and five exploits used by ransomware operators (Exploit #4 – CVE-2023-23376)

This is part five of our study about the Common Log File System (CLFS) and five vulnerabilities in this Windows OS component that have been used in ransomware attacks throughout the year. Please read the previous parts first if you haven't already. You can skip to the other parts using this table of...

4.6 CVSS | 8 AI score | 0.48973 EPSS | Exploits: 12

Securelist | added 2020/08/10 10:0 a.m. | 49 views

DDoS attacks in Q2 2020

News overview Not just one but two new DDoS amplification methods were discovered last quarter. In mid-May, Israeli researchers reported a new DNS server vulnerability that lurks in the DNS delegation process. The vulnerability exploitation scheme was dubbed "NXNSAttack". The hacker sends to a...

6.8 AI score | Exploits: 0

Securelist | added 2020/04/16 10:0 a.m. | 49 views

Financial Cyberthreats in 2019

Methodology Financial cyberthreats are malicious programs that target users of services such as online banking, e-money, and cryptocurrency, or that attempt to gain access to financial organizations and their infrastructure. These threats are usually accompanied by spam and phishing activities,...

0.9 AI score | Exploits: 0

Securelist | added 2019/03/27 10:0 a.m. | 49 views

Threat Landscape for Industrial Automation Systems in H2 2018

H2 2018 in figures All statistical data used in this report was collected using the Kaspersky Security Network (KSN), a distributed antivirus network. The data was received from those KSN users who gave their consent to have data anonymously transferred from their computers. We do not identify the...

1.5 AI score | Exploits: 0

Securelist | added 2022/11/07 8:0 a.m. | 48 views

DDoS attacks in Q3 2022

News overview In Q3 2022, DDoS attacks were, more often than not, it seemed, politically motivated. As before, most news was focused on the conflict between Russia and Ukraine, but other high-profile events also affected the DDoS landscape this quarter. The pro-Russian group Killnet, active since...

0.4 AI score | Exploits: 0

Securelist | added 2022/02/21 2:0 p.m. | 48 views

Mobile malware evolution 2021

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data. Figures of the year In 2021, Kaspersky mobile products and technologies detected: 3,464,756 malicious installation packages 97,661 new mobile banking Trojans...

7.3 AI score | Exploits: 0

Securelist | added 2021/07/21 10:0 a.m. | 48 views

Managed Detection and Response in Q4 2020

Download full report PDF As cyberattacks become more sophisticated, and security solutions require more resources to analyze the huge amount of data gathered every day, many organizations feel the need for advanced security services that can deal with this growing complexity in real time, 24/7...

0.3 AI score | Exploits: 0

Securelist | added 2021/03/10 10:0 a.m. | 48 views

Ad blocker with miner included

Some time ago, we discovered a number of fake apps delivering a Monero cryptocurrency miner to user computers. They are distributed through malicious websites that may turn up in the victim's search results. By the look of it, it appears to be a continuation of the summer campaign covered by our...

0.6 AI score | Exploits: 0

Securelist | added 2018/07/20 10:0 a.m. | 48 views

Calisto Trojan for macOS

An interesting aspect of studying a particular piece of malware is tracing its evolution and observing how the creators gradually add new monetization or entrenchment techniques. Also of interest are developmental prototypes that have had limited distribution or not even occurred in the wild. We...

Exploits: 0

Securelist | added 2023/10/12 10:0 a.m. | 47 views

ToddyCat: Keep calm and check logs

ToddyCat is an advanced APT actor that we described in a previous publication last year. The group started its activities in December 2020 and has been responsible for multiple sets of attacks against high-profile entities in Europe and Asia. Our first publication was focused on their main tools,...

7.5 AI score | Exploits: 0

Securelist | added 2023/09/28 8:0 a.m. | 47 views

A cryptor, a stealer and a banking trojan

Introduction As long as cybercriminals want to make money, they'll keep making malware, and as long as they keep making malware, we'll keep analyzing it, publishing reports and providing protection. Last month we covered a wide range of cybercrime topics. For example, we published a private report ...

7.1 AI score | Exploits: 0

Securelist | added 2021/03/25 10:0 a.m. | 47 views

Threat landscape for industrial automation systems. Statistics for H2 2020

Figures Indicator | H1 2020 | H2 2020 | 2020 ---|---|---|--- Global percentage of attacked ICS computers | 32.6% | 33.42% | 38.55% Percentage of attacked ICS computers by region Northern Europe | 10.1% | 11.5% | 12.3% Western Europe | 15.1% | 14.8% | 17.6% Australia | 16.3% | 17.0% | 18.9% United...

1.9 AI score | Exploits: 0

Securelist | added 2020/06/15 10:0 a.m. | 47 views

Explicit content and cyberthreats: 2019 report

'Stay at home' is the new motto for 2020 and it has entailed many changes to our daily lives, most importantly, in terms of our digital content consumption. With users opting to entertain themselves online, malicious activity has grown. Over the past two years we have reviewed how adult content h...

7.2 AI score | Exploits: 0

Securelist | added 2019/12/11 10:0 a.m. | 47 views

Story of the year 2019: Cities under ransomware siege

Ransomware has been targeting the private sector for years now. Overall awareness of the need for security measures is growing, and cybercriminals are increasing the precision of their targeting to locate victims with security breaches in their defense systems. Looking back at the past three year...

7.4 AI score | Exploits: 0

Securelist | added 2018/02/21 2:0 p.m. | 47 views

Disappearing bytes: Reverse engineering the MS Office RTF parser

Microsoft Office was a prime target for attacks in 2017. As well as the large number of vulnerabilities discovered and proof-of-concept exploits published, malware authors felt it necessary to prevent detection of 'one-day' and 'old-day' exploits by antivirus software. It also became clear that...

7 AI score | Exploits: 0

Securelist | added 2017/11/21 10:0 a.m. | 47 views

Threat Predictions for Connected Life in 2018

Download the Kaspersky Security Bulletin: Threat Predictions for Connected Life in 2018 Introduction: To be awake is to be online The average home now has around three connected computers and four smart mobile devices. Hardly surprising, considering that 86 per cent of us check the Internet sever...

7.8 AI score | Exploits: 0

Securelist | added 2017/11/15 10:2 a.m. | 47 views

Threat Predictions for Automotive in 2018

The landscape in 2017 Modern cars are no longer just electro-mechanical vehicles. With each generation, they become more connected and incorporate more intelligent technologies to make them smarter, more efficient, comfortable and safe. The connected-car market is growing at a five-year compound...

7.3 AI score | Exploits: 0

Securelist | added 2017/10/04 10:0 a.m. | 47 views

The Festive Complexities of SIGINT-Capable Threat Actors

To read the full paper and learn more about this, refer to "Walking in Your Enemy's Shadow: When Fourth-Party Collection Becomes Attribution Hell" Attribution is complicated under the best of circumstances. Sparse attributory indicators and the possibility of overt manipulation have proven enough...

7.4 AI score | Exploits: 0

Securelist | added 2019/04/04 11:0 a.m. | 46 views

BasBanke: Trend-setting Brazilian banking Trojan

BasBanke is a new Android malware family targeting Brazilian users. It is a banking Trojan built to steal financial data such as credentials and credit/debit card numbers, but not limited to this functionality. The propagation of this threat began during the 2018 Brazilian elections, registering...

0.8 AI score | Exploits: 0

Securelist | added 2018/02/28 10:0 a.m. | 46 views

Financial Cyberthreats in 2017

In 2017, we saw a number of changes to the world of financial threats and new actors emerging. As we have previously noted, fraud attacks in financial services have become increasingly account-centric. User data is a key enabler for large-scale fraud attacks, and frequent data breaches - among...

7.2 AI score | Exploits: 0

Securelist | added 2017/07/20 9:0 a.m. | 46 views

A King’s Ransom It is Not

The first half of 2017 began with two intriguing ransomware events, both partly enabled by wormable exploit technology dumped by a group calling themselves "The ShadowBrokers". These WannaCry and ExPetr ransomware events are the biggest in the sense that they spread the quickest and most...

6.9 AI score | Exploits: 0

Securelist | added 2023/10/26 4:0 a.m. | 45 views

StripedFly: Perennially flying under the radar

Introduction It's just another cryptocurrency miner… Nobody would even suspect the mining malware was merely a mask, masquerading behind an intricate modular framework that supports both Linux and Windows. It comes equipped with a built-in TOR network tunnel for communication with command servers,...

7.5 AI score | Exploits: 0

Securelist | added 2021/06/01 10:0 a.m. | 45 views

Kids on the Web in 2021: Infinite creativity

For over a year we've been living in a world gripped by the COVID-19 pandemic. Not only has the pandemic affected people's lifestyles, it has also accelerated the development and implementation of technologies that make it easier for us to complete everyday and work-related tasks. We no longer need...

Exploits: 0

Securelist | added 2019/11/25 10:46 a.m. | 45 views

Unwanted notifications in browser

When, back in 2015, push notifications were just appearing in browsers, very few people wondered how this tool would be used in the future: once a useful technology made to keep regular readers informed about updates, today it is often used to shell website visitors with unsolicited ads. To achie...

0.4 AI score | Exploits: 0

Securelist | added 2019/11/21 10:0 a.m. | 45 views

The cybercrime ecosystem: attacking blogs

Executive summary The Cybercrime Ecosystem is a series of articles explaining how cybercriminals operate, what drives them, what techniques they use and how we, regular Internet users, are part of that ecosystem. The articles will also cover technical details and up-to-date research on the threat...

8.4 AI score | Exploits: 0

Securelist | added 2018/12/04 10:0 a.m. | 45 views

Kaspersky Security Bulletin 2018. Statistics

Kaspersky Security Bulletin 2018. Top security stories Kaspersky Security Bulletin 2018. Story of the year: miners Kaspersky Security Bulletin 2018. Threat Predictions for 2019 All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus netwo...

1.6 AI score | Exploits: 0

Securelist | added 2017/12/28 11:56 a.m. | 45 views

Happy IR in the New Year!

At the end of last year Mr. Jake Williams from aka @MalwareJake asked a very important question about Lack of visibility during detecting APT intrusions in twitter. Results show us that endpoint analysis is the most important part of any research connected with APTs. Also, for sure endpoint...

7.1 AI score | Exploits: 0

Securelist | added 2025/01/06 8:0 a.m. | 44 views

EAGERBEE, with updated and novel components, targets the Middle East

Introduction In our recent investigation into the EAGERBEE backdoor, we found that it was being deployed at ISPs and governmental entities in the Middle East. Our analysis uncovered new components used in these attacks, including a novel service injector designed to inject the backdoor into a...

9.1 CVSS | 7.8 AI score | 0.99999 EPSS | Exploits: 63

Total number of security vulnerabilities: 1012