Trickbot Trojan Gets 'BokBot' Proxy Module to Steal Banking Info.




In 2017, IBM's X-Force team discovered a banking trojan named as 'BokBot', which redirects users to malicious online banking websites or can link victims to a browser procedure in order to insert unauthorized content onto official bank pages, it's also known as IcedID.

The authors of Trickbot trojan have begun to distribute a custom proxy module to the users; Trickbot trojan is a new component originated from BokBot's code for web injection, it works with some of the widely used web browsers.

The new variant came with its separate configuration file, it was detected on an infected system on 5th of July as "shadnewDll".

How does the malware work?

The malicious process begins with an infected Office Word document that downloads the Ursnif trojan after deploying a PowerShell script. Then, a Trickbot version along with the IcedID proxy module is received by the compromised host, it is programmed to intercept and modify web traffic.

After examining the component, Vitali Kremez, security researcher, said that it can be attached to the following web browsers: Microsoft Edge, Mozilla Firefox, Internet Explorer and Google Chrome.

Upon further inspection, the module appeared to be particularly adapted for TrickBot or other fraud bank operations which is based on the installion of this malware and its variants.

Referencing from the research of FireEye, "The TrickBot administrator group, which is suspected to be based in Eastern Europe, most likely provide the malware to a limited number of cyber criminal actors to use in operations." 

OceanLotus’ Ratsnif (A Remote Access Trojan)- Thinngs You Need To Know




OceanLoutus’ Ratsnif, an especially undetected remote access Trojan which mainly is used for cyber-espionage purposes has become better and is now capable of SSL hijacking and modifying web pages.

The very prominent malicious actor OceanLotus is quite fairly known for its espionage campaigns in the Vietnam. APT32, CobaltKitty, SeaLotus and APT-C-oo are few of its aliases in the infosec community.

The hackers behind this malicious threat actor usually combine “commercially available tools” such as Cobalt Strike with unique malware.

Four separate variants of the Ratsnif RAT family were analysed by prominent researchers only to find out that it evolved from a debug build to a release version.

It now comes filled with fresh features like DNS and MAC spoofing, SSL Hijacking, packet sniffing, HTTP redirection and injection, setting up remote shell access and ARP poisoning.

Per sources, the three early versions were found out to have a compilation date from 2016 whereas the most recent one was from August 2018.

The oldest variant of the Ratsnif, per the researchers, apparently was a debug build compiled in August 2016. The domain for its command and control (C2) server was activated the very day.

A newer version with no so gigantic changes was compiled the very next day. Both the samples were tested for detection against the anti-virus engines present on VirusTotal service at the same time.

A third version with September 2016 as its compilation date appeared with almost similar functioning and is believed by the researchers to be one of the earlier builds.

It wasn’t loaded with all the features but surely was capable of setting up a remote shell and serve for ARP poisoning, DNS spoofing and HTTP redirection.

In its early stages it collects information such as usernames, computer names, Windows system directory, and network adapter info and workstation configuration and sends it to C2.



The fourth Ratsnif sample was no longer accompanied by a list of C2 servers and delegated communication to a different malware used on the host victim.

It also, originally happened to introduce a configuration file and to extend the set of features to make it more effectual.

If one wishes to decrypt the traffic it could be done by using version 3.11 of the wolfSSL library which was earlier known as CyaSSL.

The configuration file happens to be unsecured and is simply a “text file encoded in Base64 with a parameter on its own line”.

Ratsnif could also cause a memory red violation owing it to a bug, when parsing a specific parameter (“dwn_ip’). Due to this the value’s passed as a string when it should be a pointer to a string.

According to the analyzers, the 2016 versions of Ratsnif contained all packets to a PCAP file but the 2018 version employs multiple sniffer classes for wresting sensitive information from packets.

This lowers the amount of data the attacker requires to collect, exfiltrate and process and also shows what information the attacker is after.

Ratsnif has done an essentially tremendous job at staying out of the limelight. Nonetheless it is not up to the standards of OceanLotus’ other malware endeavors.


Javascript-Based Trojan Disguised As Game Cheats By Attackers




Researchers have made a recent discovery on a modular downloader Trojan based on a new Javascript, disguised and circulated to target as game cheats by means of websites and owned by its designers.

They found that the Trojan dubbed as MonsterInstall — utilizes Node.js to execute itself especially on the victim's machines.

Found by Yandex, the malware was sent over to Doctor Web's research team for further investigation together with a little extra data on how the Trojan sample was distributed.

The MonsterInstall downloader Trojan after launch is known to 'gain persistence' by adding itself to the already infected computer's autorun to naturally be launched after the machine is rebooted.

It begins by gathering the system information and sends it to its command and-control (C&C) server, "In response, it receives links to the Trojan’s worker and updater modules, unpacks them and installs them into the system."

"When users attempt to download a cheat they download a password-protected 7zip archive to their computers , inside which there is an executable file; which upon launch, downloads the requested cheats alongside other Trojan’s components," says Doctor Web.

The Trojan at that point grabs every one of the segments it needs, to play out its pernicious undertakings with the crypto mining module being downloaded as xmrig.dll that will end xmr, xmr64, and windows-update processes it discovers running on the compromised system.

"Developers of this malware own several websites with game cheats, which they use to spread the malware, but they also infect other similar websites with the same Trojan. According to SimilarWeb’s statistics, users browse these websites at least 127,400 times per month," also note the Doctor Web researchers.

The gamers however have been quite recently being focused upon by the attackers yet this isn't the first time and it beyond any doubt isn't the last as well. For instance, the cybercriminals have used the pernicious game servers to endeavor to infect CS 1.6 players utilizing game client vulnerabilities just as to advance different servers for money.

Despite the fact that Doctor Web had the option to bring down the domains utilized by the Trojan to send gamers to the fake servers with the assistance of the REG.ru domain name registrar, safety measures are at any rate prescribed to the present and active users.



Google Confirms Several Android Devices Shipped With a Malware




Google tackles yet another vulnerability dubbed as Triada, a malware in the form of a code that affected some Android devices even before they shipped.

The malware is such cunningly structured by the hackers, that it displays ads and spam on a cell phone, on endless Android smartphones and stays undetected for long.

Google, in a rather detailed blog post, clarifies "Triada infects device system images through a third-party during the production process. Sometimes OEMs want to include features that aren't part of the Android Open Source Project, such as face unlock. The OEM might partner with a third-party that can develop the desired feature and send the whole system image to that vendor for development...Based on analysis; we believe that a vendor using the name Yehuo or Blazefire infected the returned system image with Triada."

The activities of Triada were first discovered by Kaspersky Labs through the two posts which had stayed profound into the workings of the malware, first was back in March 2016 and the other in a consequent post in June 2016.

What makes this Trojan progressively perilous is simply the way that it hides itself from the list of applications running and installed on the Android smartphone, making it unimaginable for the anti-virus applications and anti-malware applications to identify it, then again it makes it hard for the framework to distinguish if a peculiar or an undesirable procedure is running in the background.

Triada is additionally known to modify the Android's Zygote process too.

Google, upon finding out about the functions and workings of Triada in 2016, had immediately removed the malware from all devices utilizing Google Play Protect. In any case, the malevolent actors amped up their endeavors and discharged a much smarter version of the Trojan in 2017.

What's more, since this more 'smarter version' was implanted in the system libraries it could furtively download and run noxious modules. The most concerning fact being that it can't be erased utilizing the standard techniques and methods.

As indicated by a well-known software suite Dr.Web, the modified version of Traida is known to be found on several mobile devices, including Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.


Emotet trojan one of the biggest malware

Emotet is a banking Trojan that started out stealing information from individuals, like credit card details. It has been lurking around since 2014 and has evolved tremendously over the years, becoming major threat that infiltrates corporate networks and spreads other strains of malware.

The U.S. Department of Homeland Security published an alert on Emotet in July 2018, describing it as “an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans,” and warning that it’s very difficult to combat, capable of evading typical signature-based detection, and determined to spread itself. The alert explains that “Emotet infections have cost SLTT (state, local, tribal, and territorial) governments up to $1 million per incident to remediate.”

Emotet poses a grave risk for individuals and businesses of all sizes. Here's a look at what you can do to safeguard your business against this pernicious Trojan malware.

Emotet infections typically start with a simple phishing email that contains an attachment or a link to download a file. The recipient is persuaded to click the link or open the file and they unwittingly set in motion a macro that downloads a malicious payload. As soon as the device is infected, Emotet starts trying to spread to other devices on the network.

The addition of new capabilities into Emotet, inspired by other successful malware such as WannaCry, has made it a much more potent threat capable of moving laterally and infecting entire networks alarmingly quickly. It’s a modular Trojan that’s often employed as the vanguard of a bigger attack, piercing the outer defenses and then downloading other banking Trojans and spreading them around.

As persistent and pernicious as Emotet is, you can take effective action to guard against it.

First, ensure that you don’t have unsecured devices on your network. Take steps to identify and secure unmanaged devices. Eradicate potential blind spots like internet of things devices. Even if Emotet appears to be confined to an unsecured machine, the threat has not been neutralized because it’s polymorphic, constantly updating itself and working towards spreading further. Given enough time, it has a good chance of finding a weakness in your defenses that can be exploited.

Emotet trojan is back with a bang

Emotet gang takes their operation to a whole new level, showing why they're today's most dangerous malware. It would seem it now has taken on new tactics in the form of hijacking users old email chains and then responding from a spoofed address to portray legitimacy, this additional tactic can heighten a hackers chances when stealing financial information once a victim has been lured into clicking on said malicious content. Targeted emails appears to affect both private and public sectors, including government, particularly those that provide financial and banking services.

Emotet is a known banking Trojan, discovered five years ago, first in Europe and the USA. It started out stealing information from individuals, like credit card details. It has been lurking around since 2014 and has evolved tremendously over the years, becoming major threat that infiltrates corporate networks and spreads other strains of malware.

It injects itself into a user’s device via malspam links or attachments, with the intent to steal financial data. It targets banking emails and can sometimes deploy further attacks once inside a device.

The Emotet malware gang is now using a tactic that has been previously seen used by nation-state hackers.

The U.S. Department of Homeland Security published an alert on Emotet in July 2018, describing it as “an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans,” and warning that it’s very difficult to combat, capable of evading typical signature-based detection, and determined to spread itself. The alert explains that “Emotet infections have cost SLTT (state, local, tribal, and territorial) governments up to $1 million per incident to remediate.”

This campaign targeted mainly Chile and used living off the land techniques (LotL) to bypass Virus Total detections. This up and coming tactic uses already installed tools on a users’ device to remain undetected for as long as possible.

Sextortion Scams At a Rise Yet Again; Now Leading To Ransomware



In the recent times the sextortion email scams have been at a high rise as they have proved time and time again to being quite a significant and effective method for producing easy money for the hoodlums. A sextortion scam is basically when an individual receives an email stating that they have been spied upon while they were browsing adult websites.

The sextortion campaign which traps recipients into installing the Azorult data stealing Trojan, then further downloading and installing the GandCrab ransomware is in the highlight now.

The first infection, Azorult, will be utilized to steal data from the user's PC, for example, account logins, cookies, documents, chat history, and that's just the beginning. At that point it installs the GandCrab Ransomware, which will encrypt the computer's information.

There have been numerous cases of such scams being accounted for generally where the emails may likewise contain passwords of the users that were leaked amid information breaches so as to make the scams look progressively genuine.

Experts at ProofPoint detected another campaign that as opposed to containing a bitcoin addresses to send a blackmail payment to prompts the user to download a video they made of them indulging in certain "exercises". The downloaded compress document, however, contains an executable that will further install the malware onto the computer.

"However, this week Proofpoint researchers observed a sextortion campaign that also included URLs linking to AZORult stealer that ultimately led to infection with GandCrab ransomware," stated ProofPoint's research.

The downloaded documents will be named like Foto_Client89661_01.zip and the full text of the sextortion trick email is below:




This new strategy is turned out to be significantly hazardous, as when the recipients are already terrified with the need to affirm if a video exists. They download the document, endeavor to open the compressed file, and thusly find themselves infected with two distinct sorts of malware.

Consequently, it is recommended for the user's to not believe anything they receive via email from a strange address and rather do a few inquiries on the Web to check whether others have experienced emails this way or not.


An Experimental Form of Android Malware Delivers a Banking Trojan, a Keylogger and Ransomware




An experimental form of Android malware, which was first considered to be an updated version of Lokibot, is known to convey a banking Trojan, a keylogger and ransomware to those most likely to succumb to it.

It is said to contain a couple of new features that the specialists are naming it as a yet another type of malware - MysteryBot.

The MysteryBot and the LokiBot are referred to share the same command as well as the control server which in this way shows an already established strong link between these two types of malware, with the potential that they've been produced by the same attacker.

"The enhanced overlay attacks also running on the latest Android versions combined with advanced keylogging and the potential under-development features will allow MysteryBot to harvest a broad set of personal identifiable information in order to perform fraud," wrote researchers.

While the MysteryBot is well equipped for performing various pernicious exercises, like making a phone call, stealing contact information, forwarding the incoming calls to another device, setting the keylogger, it is also capable of encoding the files possessed by the device and erases all contact information on the device.

It has the ability to effectively target Android versions 7 and 8 utilizing overlay screens intended to look like genuine bank websites, while numerous other Android malware families are focusing on attacking the older variants of the Google operating system.

Is additionally said to use a somewhat complex keylogging functionality that was never known and it supposedly employees two other banking Trojan's keylogging Module (CryEye and Anubis) to abuse the Android Accessibility service.

Be that as it may, notwithstanding a portion of the abilities of MysteryBot presently being underdeveloped, the malware is as yet a potential danger.


MysteryBot isn't at present widespread and is still being worked on, however it is recommended that the users ought to be careful about any applications they download which requests an over the top number of authorizations.