When malware is difficult to discover — and has limited samples for analysis — we propose a machine learning model that uses adversarial autoencoder and semantic hashing to find what bad actors try to hide. We, along with researchers from the Federation University Australia, discussed this model in our study titled “Generative Malware Outbreak Detection.”
Read More
In some of the recent Powload-related incidents we saw, we noticed significant changes to some of the attachments in the spam emails: the use of steganography and targeting of specific countries. Figure 2 shows the difference. For example, the samples we analyzed in early 2018 had more straightforward infection chains. These updates added another stage to the execution of malicious routines as a way to evade detection.
The Powload variants that use these techniques drop and execute the Ursnif and Bebloh data stealers. We did not see any notable differences in the payloads’ routines. The distribution tactics also resemble a spam campaign we uncovered last year, which delivered the same information stealers but distributed via the Cutwail botnet.
Read More
We discovered a malware that uses three different online services — including Slack and GitHub– as part of its routine. Analysis of the attacker’s tools, techniques, and procedures lead us to believe that this might be a targeted attack from very capable threat actors.
Read More
We analyzed a fileless banking trojan targeting three major banks in Brazil and their customers, downloading info stealers, keyloggers and a hack tool. Infected machines can be used for a botnet and mass mailed targeted attacks, and our telemetry recorded the highest infection attempts from Brazil and Taiwan.
Read More
Through data analysis of the container honeypots we’ve set up to monitor threats, we’ve uncovered notable activities of undesired or unauthorized cryptocurrency miners being deployed as rogue containers using a community-contributed container image published on Docker Hub. The image is being abused as part of a malicious service that delivers cryptocurrency-mining malware. Networking tools are retrieved to carry out lateral movement on other exposed containers and applications.
The activities we uncovered are also significant in that they don’t need to exploit vulnerabilities and don’t depend on any version of Docker. Identifying a misconfigured and thus exposed container image is all it could take for attackers to infect many exposed hosts.
Read More