The departure of TeslaCrypt from the ransomware circle has gone and made waves in the cybercriminal world. Bad guys appear to be jumping ships in hopes of getting a chunk out of the share that was previously owned by TeslaCrypt. In line with this recent event, indicators are pointing to a new strong man in the ransomware game: CryptXXX.Read More
The blog page of one of the leading media sites in the United Kingdom, “The Independent” has been compromised, which may put its millions of readers at risk of getting infected with ransomware. We have already informed The Independent about this security incident and are working with them to contain the situation. For their part, the news website staff was quick to respond and take action to mitigate the risk this event posed to the website itself and its user base.Read More
The EITest campaign’s main arsenal is compromised websites. Its activity can be traced to as early as 2014 and once used the Angler exploit kit to deliver ransomware. Starting January 2017, it has eschewed exploit kits in favor of “HoeflerText” (a popular font) phishing attacks or . In a month, we identified 990 compromised websites injected with a malicious script that diverts the would-be victim to a website related to the tech support scam. Of late, though, the campaign has added the Coinhive JS miner into ongoing attacks, turning the victim’s computer into a Monero cryptocurrency miner. Analysis also revealed that this JS cryptocurrency miner is the same “Coinhive” JS miner found embedded in The Pirate Bay’s website.Read More
We’ve uncovered a new exploit kit in the wild through a malvertising campaign we’ve dubbed “ProMediads”. We call this new exploit kit Sundown-Pirate, as it’s indeed a bootleg of its precursors and actually named so by its back panel.
ProMediads has been active as early as 2016, employing Rig and Sundown exploit kits to deliver malware. Its activities dropped off in mid-February this year, but suddenly welled on June 16 via Rig. However, we noticed that ProMediads eschewed Rig in favor of Sundown-Pirate on June 25.
It’s worth noting that Sundown-Pirate is only employed by ProMediads so far. This could mean that it’s yet another private exploit kit, like the similarly styled GreenFlash Sundown exploit kit that was exclusively used by the ShadowGate campaign.Read More
Fileless infections are exactly what their namesake says: they’re infections that don’t involve malicious files being downloaded or written to the system’s disk. While fileless infections are not necessarily new or rare, it presents a serious threat to enterprises and end users given its capability to gain privileges and persist in the system of interest to an attacker—all while staying under the radar. For instance, fileless infections have been incorporated in a targeted bot delivery, leveraged to deliver ransomware, infect point-of-sale (PoS) systems, and perpetrate click fraud. The key point of the fileless infection for the attacker is to be able to evaluate each compromised system and make a decision whether the infection process should continue or vanish without a trace.
The cybercriminal group Lurk was one of the first to effectively employ fileless infection techniques in large-scale attacks—techniques that arguably became staples for other malefactors.Read More