Discovered by Trend Micro in 2014, the banking Trojan Emotet has been brought back to life by malware authors last year with its own spamming module that has allowed it to spread, target new industries and regions, and evade sandbox and malware analysis techniques. This year, we examined Emotet’s activities to learn more about how this modular malware wreaks havoc: We did a comprehensive research on Emotet’s artifacts — 8,528 unique URLs, 5,849 document droppers, and 571 executables collected between June 1, 2018 and September 15, 2018 — to discover Emotet’s infrastructure as well as possible attribution information.Read More
Smart Protection Network (SPN) data and observations from Managed Detection and Response (MDR) for the North American region show the persistence of older threats and tactics: delivery methods such as spam emails are still going strong, while ransomware attacks have seen a renewed vigor alongside newer threats such as cryptocurrency mining malware in the third quarter of 2018.
However, the prevalence of these older threats should not be misconstrued as a sign that threat actors are resting on their laurels. In fact, it should be taken as proof that they are constantly improving proven tools and techniques to get ahead in the never-ending cat-and-mouse game between cybercriminals and security providers.Read More
Cybercriminals make use of old file types in brand-new ways in spam attachments, proving that they are regularly experimenting to evade spam filters.Read More
We recently found a malware that abuses two legitimate Windows files — the command line utility wmic.exe and certutil.exe, a program that manages certificates for Windows — to download its payload onto the victim’s device. What’s notable about these files is that they are also used to download other files as part of its normal set of features, making them susceptible to abuse for malicious purposes.Read More
While ransomware has noticeably plateaued in today’s threat landscape, it’s still a cybercriminal staple. In fact, it saw a slight increase in activity in the first half of 2018, keeping pace by being fine-tuned to evade security solutions, or in the case of PyLocky (detected by Trend Micro as RANSOM_PYLOCKY.A), imitate established ransomware families and ride on their notoriety.
In late July and throughout August, we observed waves of spam email delivering the PyLocky ransomware. Although it tries to pass off as Locky in its ransom note, PyLocky is unrelated to Locky. PyLocky is written in Python, a popular scripting language; and packaged with PyInstaller, a tool used to package Python-based programs as standalone executables.Read More