CVE-2017-0199 was originally a zero-day remote code execution vulnerability that allowed attackers to exploit a flaw that exists in the Windows Object Linking and Embedding (OLE) interface of Microsoft Office to deliver malware. It is commonly exploited via the use of malicious Rich Text File (RTF) documents, which was used by the DRIDEX banking trojan discovered earlier this year.Read More
In this blog post, we will look into smaller scale attacks in which an actor group allegedly attacked high profile targets working in the energy and transportation sector of South Korea for more than three years in a row. These attacks, which are known as OnionDog, received some publicity in the media. A perfunctory look into these actors’ activities might easily lead to hasty conclusions on attribution. We had a more thorough look, in which we reached an interesting conclusion: OnionDog is not a targeted attack. OnionDog is a cyber drill.Read More
A malicious email campaign against Russian-speaking enterprises is employing a combination of exploits and Windows components to deliver a new backdoor that allows attackers to take over the affected system. The attack abuses various legitimate Windows components to run unauthorized scripts; this is meant to make detection and blocking more challenging, particularly by whitelisting-based solutions.
We’ve observed at least five runs from June 23 to July 27, 2017, each of which sent several malicious emails per target. Affected industries were financial institutions, including banks, and mining firms. Of note is how the attackers diversified their tactic—sending different emails for each run, per target.Read More
Cerber ransomware has acquired the reputation of being one of the most rapidly evolving ransomware families to date. Just in May, we pointed out how it had gone through six separate versions with various differences in its routines. Several months later and it seems to have evolved again, this time adding cryptocurrency theft to its routines. This is on top of its normal ransomware routines, giving the attackers two ways to profit off of one infection.Read More
As cybercriminals start to focus on pulling off attacks without leaving a trace, fileless malware will become a more common attack method. However, many of these malware are fileless only while entering a user’s system, as they eventually reveal themselves when they execute their payload. Attacks that use completely fileless malware are a rare occurrence, so we thought it important to discuss a new trojan known as JS_POWMET that uses a completely fileless infection chain making it more difficult for anti-malware engineers to examine.Read More