Malicious ads are a common way of steering users to sites that host malicious code. Recently, however, these ads have shown up on a new attack platform: YouTube.
Over the past few months, we have been monitoring a campaign that used malicious ads to redirect users to a series of malicious sites. Users in the United States have been affected almost exclusively, with more than 113,000 victims in that country alone over a 30-day period.
Figure 1. Countries affected by this malicious ad campaign
In the first part of this series, we discussed both the routines and entry point of the banking malware DYRE. However, information theft isn’t the last step for this malware. It turns out this malware is also involved in yet another scheme—the parcel mule scam.
The Parcel and the Mule
During our analysis of the DYRE malware, we uncovered a web panel called Global BlackPoint.
Figure 1. Global BlackPoint site
A quick search online led to domain listings for the panel, which had been leased more than a year earlier. ...
We’re nearing the holiday season, and some of you might be going for some early holiday shopping, checking how much you can spend on a shopping splurge. The holiday season also ushers in the cybercrime activities that are typical of this time of year:
We have seen a surge of fake bank emails. We’ve also seen other forms of spammed threats, including KELIHOS, VAWTRACK, and even some forms of the 419 scam.
We have also witnessed an increase in BANKER malware. Variants of this malware ...
PoS malware has been in the news lately due to data breaches at various high-profile retailers. Card information stolen in these attacks has ended up on the well-known underground shop Rescator. We prefer to refer to the people behind this shop as the Lampeduza gang, as Rescator is not the only person running this business.
We have found that other cybercrime gangs are using the fame of the Lampeduza gang to lure other cybercriminals into accessing fake online credit card shops.
Since the discovery of Shellshock, Trend Micro has continuously monitored the threat landscape for any attacks that may leverage these vulnerabilities. So far, we have identified an active IRC bot, exploit attempts in Brazil and China, botnet attacks, and a wide variety of malware payloads such as ELF_BASHLITE.A, ELF_BASHLET.A, and PERL_SHELLBOT.WZ, among others. Shellshock is not limited to web servers: any service that passes attacker-controlled input to Bash through environment variables is reported to be exposed, including services reached over HTTP, SMTP, SSH, and FTP.
We found that one of the payloads of Bash vulnerabilities, which we ...
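One check a defender would want after reading the above is a quick way to spot Shellshock exploit attempts in existing web server logs. The script below is an added example, not Trend Micro's code: it parses Apache combined-format access logs and flags any request line, Referer, or User-Agent that begins a Bash function definition (the `() {` prefix that the Shellshock family of bugs turns into command execution), returning the command the attacker tried to run. The log lines are constructed for this example, use documentation IP ranges, and are not from the campaign described in the post.

```python
import re

# Quoted field in an Apache combined log; Apache escapes embedded quotes
# as \" so the class has to allow backslash-escaped characters.
_Q = r'"((?:[^"\\]|\\.)*)"'

# Apache "combined" format:
#   ip ident user [timestamp] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + _Q + r' (\d{3}) (\S+) ' + _Q + r' ' + _Q + r'$'
)

# Shellshock signature: an exported Bash function definition "() { ...; }"
# followed by trailing text, which vulnerable Bash versions executed when
# a CGI handler copied the header value into the environment.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.*)")

# Constructed sample log lines (not real traffic): two attack attempts,
# one ordinary request, and one benign User-Agent containing braces.
LOG_LINES = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \\"echo vulnerable\\""',
    '198.51.100.7 - - [25/Sep/2014:10:02:15 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:10:03:44 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 404 0 "() { :; }; /bin/cat /etc/passwd" "curl/7.30.0"',
    '192.0.2.44 - - [25/Sep/2014:10:05:00 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; scanner) {ok}"',
]


def parse_combined(line):
    """Split one combined-format log line into a dict, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    ip, ts, req, status, size, referer, ua = m.groups()
    return {
        "ip": ip,
        "ts": ts,
        "request": req,
        "status": int(status),
        "referer": referer,
        "user_agent": ua,
    }


def shellshock_payload(value):
    """Return the command carried after a Shellshock function prefix, or None."""
    m = SHELLSHOCK_RE.search(value)
    if not m:
        return None
    # Undo Apache's \" escaping so the command reads as the attacker sent it.
    return m.group("cmd").replace('\\"', '"').strip()


def find_shellshock(lines):
    """Scan log lines; return one hit per attacker-controlled field that carries a payload."""
    hits = []
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue
        for field in ("request", "referer", "user_agent"):
            cmd = shellshock_payload(entry[field])
            if cmd is not None:
                hits.append({"ip": entry["ip"], "field": field, "command": cmd})
    return hits


if __name__ == "__main__":
    for hit in find_shellshock(LOG_LINES):
        print(f"{hit['ip']} via {hit['field']}: {hit['command']}")
```

The detector keys on the `() {` function prefix rather than on any particular command, so it catches the reconnaissance probes (`echo vulnerable`) as well as the download-and-execute payloads that install bots such as the ones named above. Run it against a real access log by replacing `LOG_LINES` with the file's lines; lines that do not match the combined format are skipped rather than raising.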