We have constantly observed suspicious activities caused by adware, with common behaviors that include access to seemingly random domains with alternating consonant and vowel names, scheduled tasks, and in-memory execution via WScript that has proven to be an effective method to hide their operations for at least four years.Read More
When we first investigated MyKings in 2017, we focused on how the cryptominer-dropping botnet malware used WMI for persistence. Like Mirai, MyKings seems to be constantly undergoing changes to its infection routine. The variant we analyzed for this incident did not just have a single method of retaining persistence but multiple ones, as discussed in the previous section. In addition to WMI, it also used the registry, the task scheduler, and a bootkit — the most interesting of which is the bootkit.Read More
Through our managed detection and response (MDR) monitoring, we discovered the modular Emotet malware distributing the Nymaim malware, which then loads the Nozelesn ransomware. We detected this particular Emotet variant in one of our monitored endpoints in the hospitality industry in February 2019. For this threat investigation, we also sourced 580 similar Emotet file attachment samples from our telemetry and gathered data between January 9, 2019 and February 7, 2019.Read More
Smart Protection Network (SPN) data and observations from Managed Detection and Response (MDR) for the North American region show the persistence of older threats and tactics: delivery methods such as spam emails are still going strong, while ransomware attacks have seen a renewed vigor alongside newer threats such as cryptocurrency mining malware in the third quarter of 2018.
However, the prevalence of these older threats should not be misconstrued as a sign that threat actors are resting on their laurels. In fact, it should be taken as proof that they are constantly improving proven tools and techniques to get ahead in the never-ending cat-and-mouse game between cybercriminals and security providers.Read More
A spam campaign we observed in September indicates attackers are angling towards a more sophisticated form of phishing. The campaign uses hijacked email accounts to deliver URSNIF as part of or as a response to an existing email thread.Read More