MuddyWater is a well-known threat actor group that has been active since 2017. They have regularly targeted various organizations in Middle East and Central Asia, primarily using spear phishing emails with malicious attachments. We recently observed a few interesting delivery documents with similarities to the known MuddyWater tools, techniques and procedures.Read More
We explored possible strategies attackers can employ when abusing PowerShell Core. These proofs of concept (PoCs) would help in better understanding — and in turn, detecting and preventing — the common routines and behaviors of possible and future threats that attackers might use. The PoCs we developed using PowerShell Core were conducted on Windows, Linux, and mac OSs. Most of the techniques we applied can be seen from previous threats involving PowerShell-based functionalities, such as the fileless KOVTER and POWMET. The scenarios in our PoCs are also based on the PowerShell function they use.Read More
Several apps on Google Play posing as legitimate voice messenger platforms have automated functions such as fake survey pop-ups and fraudulent ad clicks. Observed variants were deployed one by one since October, with its evolution including evasive techniques and its infection behavior divided into several stages, as well as botnet codes possibly indicative of future attacks.Read More
BLADABINDI, also known as njRAT/Njw0rm, is a remote access tool (RAT) with a myriad of backdoor capabilities — from keylogging to carrying out distributed denial of service (DDoS) — and has been rehashed and reused in various cyberespionage campaigns since it first emerged. Indeed, BLADABINDI’s customizability and seeming availability in the underground make it a prevalent threat. Case in point: Last week, we came across a worm (detected by Trend Micro as Worm.Win32.BLADABINDI.AA) that propagates through removable drives and installs a fileless version of the BLADABINDI backdoor.Read More
XLoader and FakeSpy are two of the most prevalent malware families that emerged from the mobile threat landscape recently. We first reported about XLoader in April 2018 when it used Domain Name System (DNS) cache poisoning/DNS spoofing to victimize users with malicious Android apps that steal PII and financial data and install additional apps. Meanwhile, we released our findings on FakeSpy in June after it infected Android users via SMS phishing or SMiShing to launch info-stealing attacks.
As of October, there have been a combined total of 384,748 victims from XLoader and FakeSpy attacks globally, with the majority of victims coming from South Korea and Japan.Read More