The Hangul Word Processor (HWP) is a word processing application which is fairly popular in South Korea. It possesses the ability to run PostScript code, which is a language originally used for printing and desktop publishing, although it is a fully capable language. Unfortunately, this ability is now being exploited in attacks involving malicious attachments.Read More
The Android-targeting BankBot malware (all variants detected by Trend Micro as ANDROIDOS_BANKBOT) first surfaced January of this year and is reportedly the improved version of an unnamed open source banking malware that was leaked in an underground hacking forum. BankBot is particularly risky because it disguises itself as legitimate banking apps, typically using fake overlay screens to mimic existing banking apps and steal user credentials. BankBot is also capable of hijacking and intercepting SMS messages, which means that it can bypass SMS-based 2-factor authentication.Read More
We first detected the banking malware EMOTET back in 2014, we looked into the banking malware’s routines and behaviors and took note of its information stealing abilities via network sniffing. After a period of relative inactivity, it appears it’s making a comeback with increased activity from new variants that have the potential to unleash different types of payloads in the affected system.Read More
Cloud-based storage platforms have a history of cybercriminal abuse, from hosting malicious files and directly delivering malware to even making them part of a command-and-control (C&C) infrastructure. GitHub was misused this way when the Winnti group used it as a conduit for its C&C communications.
We saw a similar—albeit a lot simpler and less creative—attack on Autodesk® A360, comparable to the way file-sharing sites are being used to host malware. Abusing A360 as a malware delivery platform can enable attacks that are less likely to raise red flags. It resembled the way Google Drive was misused as a repository of stolen data, for instance.
The payloads we saw during our research—remote access tools (RATs)—are also notable. We found that after they were downloaded and executed, the RATs/backdoors would phone back to their respective command-and-control servers, which are resolvable via free DNS services. It’s not a novel technique, but our correlation of the indicators of compromise (IoCs) suggests that a potentially sustained, cybercriminal operation took advantage of this platform.Read More
In early August we discussed a case where a backdoor (BKDR_ANDROM.ETIN) was being installed filelessly onto a target system using JS_POWMET.DE, a script that abused various legitimate functions. At the time, we did not know how the threat arrived onto the target machine. We speculated that it was either downloaded by users or dropped by other malware.Read More