Bots can use various methods to establish a line of communication between themselves and their command-and-control (C&C) server. Usually, these are done via HTTP or other TCP/IP connections. However, we recently encountered a botnet that uses a more unusual method: an FTP server that, in effect, acts as a C&C server.Read More
A malicious email campaign against Russian-speaking enterprises is employing a combination of exploits and Windows components to deliver a new backdoor that allows attackers to take over the affected system. The attack abuses various legitimate Windows components to run unauthorized scripts; this is meant to make detection and blocking more challenging, particularly by whitelisting-based solutions.
We’ve observed at least five runs from June 23 to July 27, 2017, each of which sent several malicious emails per target. Affected industries were financial institutions, including banks, and mining firms. Of note is how the attackers diversified their tactic—sending different emails for each run, per target.Read More
The information-stealing RETADUP worm that affected Israeli hospitals is actually just part of an attack that turned out to be bigger than we first thought—at least in terms of impact. It was accompanied by an even more dangerous threat: an Android malware that can take over the device.
Detected by Trend Micro as ANDROIDOS_GHOSTCTRL.OPS / ANDROIDOS_GHOSTCTRL.OPSA, we’ve named this Android backdoor GhostCtrl as it can stealthily control many of the infected device’s functionalities.
There are three versions of GhostCtrl. The first stole information and controlled some of the device’s functionalities without obfuscation, while the second added more device features to hijack. The third iteration combines the best of the earlier versions’ features—and then some. Based on the techniques each employed, we can only expect it to further evolve.Read More
What sort of interest would a businessman have in a news agency? That was the question that arose from our recent investigation on an attack that appears to target a media agency in South Korea. Shadow Force is a new backdoor that replaces a DLL called by a particular Windows service. Once that backdoor is open, the attacker…Read More
It doesn’t take an advanced malware to disrupt a business operation. In fact, even a simple backdoor is enough to do it. Earlier this year the Trend Micro Forward-Looking Threat Research Team closely monitored the operations of two Nigerian cybercriminals — identified through aliases Uche and Okiki — who attacked small businesses from developing countries to steal information and intercept transactions with…Read More