
Trojans, Backdoors and Droppers: the Top Three Malware Globally?



According to recent surveys and analysis conducted by well-known cybersecurity firms, three types of malware top the list that users should be aware of.

Trojans, Backdoors and Droppers, which together make up 72 percent of the cyber-attacks analyzed across the globe, are hitting enterprises and users everywhere, according to anonymized statistics from free requests to the Kaspersky Threat Intelligence Portal.

The statistics also show that the types of malware researchers most frequently examine and investigate do not coincide with the most widespread ones.

Most submitted hashes or suspicious uploaded files turned out to be Trojans (25 percent of requests), Backdoors, malware that gives an attacker remote control over a computer (24 percent), and Trojan-Droppers (23 percent), which install other malicious objects.

Denis Parinov, Acting Head of Threats Monitoring and Heuristic Detection, explains: "We have noticed that the number of free requests to the Kaspersky Threat Intelligence Portal to check viruses, or pieces of code that insert themselves into other programs, is extremely low, less than one percent, but it is traditionally among the most widespread threats detected by endpoint solutions."

He added: "Viruses are rarely of interest to researchers, most likely because they lack novelty compared to other threats."

While Trojans are typically the most widespread type of malware, Backdoors and Trojan-Droppers are far less common, making up just 7 percent and 3 percent respectively of all malicious files blocked by Kaspersky endpoint products.

The researchers say: "This difference can be explained by the fact that researchers are often interested in the final target of the attack, while endpoint protection products are seeking to prevent it at an early stage."

Nonetheless, in order to develop response and remediation measures, security analysts need to identify the objective of the attack, the origin of a malicious object and its prevalence, and, as the report notes, it is the security researchers who need to identify all the components inside a dropper.

The First Ransomware Attack and the Ripples It Sent Forward In Time


A simple piece of malware discovered just 20 years ago this month demonstrated a capability that transformed the entire world of cyber-security as we know it today.

Initially intended only to harvest the passwords of a couple of local internet providers, the malware, dubbed 'LoveBug', spread far and wide, infecting more than 45 million devices and becoming the first piece of malware to truly take businesses offline.

LoveBug marked the shift of malware from limited exposure to mass destruction: 45 million compromised devices a day could mean 45 million daily payments.

Yet eleven years before anyone had heard of LoveBug, the IT industry saw the first major case of ransomware, the AIDS Trojan, which spread through infected floppy disks sent to HIV specialists as part of a knowledge-sharing initiative.

The 'lovechild' of LoveBug and the AIDS Trojan was the ransomware that followed, with GPCoder and Archievus hitting organizations around the globe, while the hackers also harnessed ecommerce sites to find better ways to receive payments.

The security industry responded, with 'good actors' cooperating to break the encryption on which Archievus depended and sharing the result widely to help victims avoid paying any ransom.

Since then the 'cat and mouse' game has continued, with families like CryptoLocker, CryptoDefense and CryptoLocker 2.0 building new attack strategies and the security industry deploying new defenses. Ransomware has become increasingly sophisticated and prevalent, and its targets today are less likely to be individuals, since large businesses can pay enormous sums of money.

Data protection has become more sophisticated as well, and four areas should now be part of every business' ransomware strategy: protect, detect, respond and recover. Social engineering and phishing are also becoming increasingly central to the success of a ransomware attack.

LoveBug was effective in a scattergun fashion, yet it still depended on social engineering.

Had individuals been less inclined to open an email with the subject line 'I love you', the spread of the malware would have been 'far more limited'.

Users today should be more alert to the increasingly diverse threats, because hackers are more and more extending their threats to data exfiltration or public exposure when they feel that leaking data may be more 'persuasive' for their targets.

To respond to the problem, it is essential to keep backup copies of data and to understand the nature and value of the information that may have been compromised in any way.

Cybercriminals Spreading Node.js Trojan Promising Relief from the Outbreak of COVID-19


A Java downloader named “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar” was recently detected. Judging from its name, researchers suspected it to be associated with COVID-19 themed phishing attacks.

Running this file led to the download of an undetected malware sample written in Node.js. Node.js is an open-source, cross-platform JavaScript runtime that executes JavaScript code outside a browser; since it is primarily designed for web server development, it is unlikely to be already installed on end-user systems.

The trojan, which is suspected of using this unconventional platform to bypass detection, has been labeled 'QNodeService'. The malware is designed to perform a number of malicious functions, including uploading, downloading and executing files.

It is also configured to steal credentials stored in web browsers and to perform file management. Currently the malware appears to target Windows systems only; however, the code shows potential for 'cross-platform compatibility', which researchers concluded may be a 'future goal' for the cybercriminals.

Cybercriminals are constantly devising new ways to design malware such as trojans that infect as many machines as possible without being noticed.

To stay safe, users are advised to block malware at every possible entry point: endpoints, networks and email.

Fileless Malware Attacks and How To Fight Them!



Over the years it has become clear that the growing number of novel cyber-attacks makes it almost impossible for outdated or conventional security mechanisms to intercept and fight them.

As if a single one-of-a-kind attack tool weren't enough, threat actors now have polymorphic tactics up their sleeves. Per sources, an entirely new version of a threat can be created after every infection.

After "polymorphism" became apparent, vendors reportedly engineered "generic signatures" that covered numerous variants. But the cybercriminals always managed to slip in a new kind.

This is when malware authors came up with the concept of the fileless attack: malware that needs no files on disk to infect its targets and yet causes equal damage.

Per sources, the most common fileless attacks use applications, software or authorized protocols that already exist on the target device. The first step is a user-initiated action, followed by gaining access to the target device's memory, which is then infected. Here the malicious code is injected by abusing built-in Windows tools like Windows Management Instrumentation and PowerShell.

Per reports, the modus operandi of a fileless attack is as follows:

1. It begins with a spam message that does not look suspicious at all; when the unaware user clicks on the link in it, they are redirected to a malicious website.
2. The website launches Adobe Flash.
3. Flash starts PowerShell and uses the command line to send it instructions, all of which takes place inside the target device's memory.
4. One of those instructions opens a connection to a command and control server and downloads a malicious PowerShell script, which hunts down sensitive data and information only to exfiltrate it later.

Researchers note that because these attacks never store malicious files on the target's device, it becomes harder for security products to anticipate or detect them, since they are left with nothing to compare the attack against. The fact that fileless malware can hide in legitimate tools and applications makes it all the worse.

Many fileless attacks have surfaced recently, and researchers have been busy analyzing them. According to sources, well-known organizations that faced such attacks include Equifax, which suffered a data breach via a command injection vulnerability; Union Crypto Trader, which faced in-memory remote code execution delivered through a 'trojanized' version of a legitimate installer file; and the U.S. Democratic National Committee, where two threat actors used a PowerShell backdoor to automatically launch malicious code.

These attacks are clearly disconcerting and require a different approach to prediction and prevention. A conventional security system is not the solution organizations need to stand against them.

Per sources, Network Detection and Response (NDR) appears to be a promising mechanism for detecting unusual malicious activity. It does not rely on signatures alone but uses a combination of machine learning techniques to pick out irregular network behavior: it learns what is normal in a particular environment, identifies what is not, and alerts the operators.

Researchers think an effective NDR solution takes in the entire environment around a device, including the network, cloud deployments, IoT segments, and of course data storage and email servers.

Per sources, NDR works up to its full effectiveness gradually: deploying it and its sensors takes a considerable amount of time and monitoring. But the end results include improved productivity, fewer false alerts and stronger security.
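To make the "learn what is normal, then flag what is not" idea concrete, here is an added toy example (not code from the page or from any NDR vendor) that builds a per-host baseline of outbound destinations from a training window and then scores never-seen destinations by how regularly they are contacted, since periodic contact is the hallmark of a command and control beacon. Host names, the 203.0.113.7 address and all flow records are constructed sample data.

```python
"""Toy NDR-style baseline: learn each host's normal destinations, then flag new
destinations, scoring higher when contacts recur at regular, beacon-like intervals.
Added example with constructed flow records; not from the page's sources."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flows: (timestamp_seconds, src_host, dst, bytes_out)
TRAINING_FLOWS = [
    (0, "ws01", "intranet.example", 1200),
    (30, "ws01", "update.example", 5400),
    (90, "ws01", "mail.example", 800),
    (95, "ws02", "intranet.example", 900),
    (400, "ws01", "intranet.example", 1100),
]
TEST_FLOWS = [
    (1000, "ws01", "intranet.example", 1000),   # known destination, ignored
    (1000, "ws01", "203.0.113.7", 300),         # new destination, exactly every 60 s
    (1060, "ws01", "203.0.113.7", 310),
    (1120, "ws01", "203.0.113.7", 305),
    (1180, "ws01", "203.0.113.7", 300),
    (1240, "ws01", "203.0.113.7", 310),
    (1005, "ws02", "cdn.example", 2000),        # new destination, irregular timing
    (1040, "ws02", "cdn.example", 2100),
    (1300, "ws02", "cdn.example", 1900),
]


def learn_baseline(flows):
    """Map each source host to the set of destinations seen during training."""
    baseline = defaultdict(set)
    for _, src, dst, _ in flows:
        baseline[src].add(dst)
    return baseline


def beacon_score(timestamps):
    """1.0 for perfectly periodic contacts, falling towards 0 as gaps become irregular."""
    if len(timestamps) < 3:
        return 0.0
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    if m == 0:
        return 0.0
    # coefficient of variation of the inter-contact gaps; 0 means perfectly regular
    return max(0.0, 1.0 - pstdev(gaps) / m)


def detect(baseline, flows, beacon_threshold=0.8):
    """Alert on (host, destination) pairs absent from the baseline, ranked by beacon score."""
    contacts = defaultdict(list)
    for ts, src, dst, _ in flows:
        if dst not in baseline.get(src, set()):
            contacts[(src, dst)].append(ts)
    alerts = []
    for (src, dst), stamps in contacts.items():
        score = round(beacon_score(stamps), 2)
        alerts.append({
            "host": src,
            "dst": dst,
            "count": len(stamps),
            "beacon_score": score,
            "severity": "high" if score >= beacon_threshold else "medium",
        })
    return sorted(alerts, key=lambda a: -a["beacon_score"])


if __name__ == "__main__":
    for alert in detect(learn_baseline(TRAINING_FLOWS), TEST_FLOWS):
        print(alert)
```

A real NDR product would also baseline volumes, ports, protocols and time of day, and would decay old baseline entries; the point here is only that the new-destination plus periodicity combination already separates the 60-second beacon from the irregular, probably benign, first contact with a content delivery host.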

The Dreambot Malware Botnet Appears To Have Gone Silent and Possibly Shut Down


Dreambot's backend servers seem to have gone quiet and may have shut down completely, according to a report published by the CSIS Security Group, a cyber-security firm based in Copenhagen.

The silence started in March, around the same time the cybersecurity community stopped seeing new Dreambot samples distributed in the wild.

Benoit Ancel, a malware analyst at the CSIS Security Group, says: “The lack of new features? The multiplication of new Gozi variants? The huge rise of Zloader? COVID-19? We can't be sure exactly what was the cause of death, but more and more indicators point at the end of Dreambot.”

Dreambot's apparent demise puts an end to a six-year "career" on the cybercrime landscape. First spotted in 2014, it was built on the leaked source code of the older Gozi ISFB banking trojan, one of the most reused pieces of malware today.

Over time, Dreambot gained new features, such as Tor-hosted command and control servers, keylogging, the ability to steal browser cookies and data from email clients, a screenshot feature, the ability to record a victim's screen, a bootkit module and a VNC remote access feature, to name only the most significant.

Typical Dreambot Control Panel

Dreambot also evolved from a private malware botnet into what is known as Cybercrime-as-a-Service (CaaS).

As a CaaS, the Dreambot creators advertised access to their botnet on hacking and malware forums. Other criminals could gain access to part of Dreambot's infrastructure and a version of the Dreambot malware, which they were responsible for distributing to victims.

Dreambot "customers" would infect victims, steal funds and pay the Dreambot gang a weekly, monthly or yearly fee. CSIS says this model appears to have been successful. "We counted more than a million [Dreambot] infections worldwide just for 2019," Ancel said.

The CSIS researcher also said that recently Dreambot had grown beyond being only a banking trojan; more specifically, it evolved from a specialized banking trojan into a generic trojan.

Criminals would rent access to the Dreambot cybercrime machine, yet not use it to steal money from bank accounts. Instead they would infect countless computers and then review each target, searching for specific machines of interest.

Nonetheless, Dreambot's operators have not been 'publicly identified' and remain at large. The reason for the platform's current disappearance also remains a mystery, and with the operators still free, Dreambot's return 'remains a possibility'.


Windows 10 Users Beware! TrickBot's Prevalence and Delivery Escalate on Devices



Reports mention that attackers were recently found abusing the latest version of the Remote Desktop ActiveX control developed for Windows 10.

Sources say that, similar to what many other groups are doing, the abuse causes automatic execution of the “OSTAP” JavaScript downloader on the target's systems.

According to researchers' analysis, the ActiveX control is used to automatically execute a malicious macro as soon as the target enables content in a document. The majority of the documents contained images encouraging people to enable the content.

Per reports, the catch was that a hidden ActiveX control sat below the image; the OSTAP downloader was disguised as white text, invisible to the eye but readable by machines.

TrickBot attackers exploit people's tendency not to keep their software up to date with the latest protective updates.

TrickBot is among the most advanced malware frameworks. Its numbers are increasing, and so is the threat to Windows 10 systems. Recently, researchers dug up more documents that execute the OSTAP JavaScript downloader.

It was also found that the TrickBot groups abusing the ActiveX control were not the only ones; other groups were misusing it as well.

According to sources, the victim documents followed the naming pattern “i<7-9 arbitrary digits>.doc”. Almost every document contained an image that would convince the recipient to enable content. What the opener would not know is that below the image is a hidden ActiveX control, and the OSTAP JavaScript downloader is disguised as white text that only a machine can read.

Per sources, analysis of the ActiveX code revealed use of the “MsRdpClient10NotSafeForScripting” class. The script is crafted so that the server field is left empty in order to cause an error, which the attackers make use of later on.

According to researchers, the method that triggers the macro is “_OnDisconnected”, which executes the main function. It does not run instantly, because resolving the empty string through DNS takes time before it returns an error.

OSTAP's execution depends on the error number matching exactly “disconnectReasonDNSLookupFailed”. The OSTAP wscript directive is relative to the computation of that error number.

The wscript execution works on the document's own content, an old trick in the book: Microsoft's BAT processing ignores the 'comments', along with their content and everything that comes with the syntax, while execution is taking place.

Once the JavaScript is edited to the attackers' needs, the obfuscation scheme is repeated. Updating systems does not help every time, but it is a prerequisite anyway.
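The two lure features described above, white-on-white text carrying the script body and an ActiveX control (often next to a VBA project) embedded in the document, are both visible in the .docx package without opening it in Word, because a .docx is a zip archive whose `word/document.xml` records each text run's colour and whose `word/activeX/` and `word/vbaProject.bin` parts only exist when such objects are embedded. The following added triage script (not code from the page or from any of the researchers it cites) builds a minimal constructed document in memory and then reports those indicators; the placeholder hidden text, the file layout of the sample and the keyword list are assumptions for illustration, not OSTAP's actual content.

```python
"""Static triage of a .docx for the lure pattern described above: white-on-white
text runs hiding a script body, plus embedded ActiveX parts and a VBA project.
Added example; the sample document is constructed in memory, not a real lure."""
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W_NS}
# Script hosts a hidden run should never need to mention (assumed keyword list)
SCRIPT_HOST_KEYWORDS = ("wscript", "cscript", "powershell", "cmd.exe")


def build_sample_docx(hidden_text, include_activex=True, include_macro=True):
    """Minimal constructed .docx: one visible run and one white (FFFFFF) run."""
    document_xml = (
        f'<w:document xmlns:w="{W_NS}"><w:body>'
        '<w:p><w:r><w:t>Please enable content to view this document.</w:t></w:r></w:p>'
        f'<w:p><w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr><w:t>{hidden_text}</w:t></w:r></w:p>'
        '</w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
        if include_activex:  # real documents carry activeXN.xml + activeXN.bin pairs
            z.writestr("word/activeX/activeX1.xml", "<ax:ocx/>")
            z.writestr("word/activeX/activeX1.bin", b"\x00" * 16)
        if include_macro:    # vbaProject.bin is an OLE container; header bytes only here
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def triage_docx(data):
    """Return hidden (white) text runs, ActiveX parts, VBA presence and a verdict."""
    findings = {"activex_parts": [], "has_vba_project": False,
                "hidden_runs": [], "script_keywords": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        findings["activex_parts"] = [n for n in names if n.startswith("word/activeX/")]
        findings["has_vba_project"] = "word/vbaProject.bin" in names
        if "word/document.xml" in names:
            root = ET.fromstring(z.read("word/document.xml"))
            for run in root.iterfind(".//w:r", NS):
                color = run.find("w:rPr/w:color", NS)
                if color is None or color.get(f"{{{W_NS}}}val", "").upper() != "FFFFFF":
                    continue  # only white-coloured runs are of interest here
                text = "".join(t.text or "" for t in run.iterfind("w:t", NS))
                if text.strip():
                    findings["hidden_runs"].append(text)
    blob = " ".join(findings["hidden_runs"]).lower()
    findings["script_keywords"] = [k for k in SCRIPT_HOST_KEYWORDS if k in blob]
    # Hidden text alone is a formatting quirk; hidden text next to an embedded
    # control or macro is the combination worth escalating.
    findings["suspicious"] = bool(findings["hidden_runs"]) and (
        bool(findings["activex_parts"]) or findings["has_vba_project"])
    return findings


if __name__ == "__main__":
    sample = build_sample_docx("wscript.exe constructed-placeholder-script-body")
    for key, value in triage_docx(sample).items():
        print(f"{key}: {value}")
```

The check is deliberately cheap and signature-free: it never executes the macro or the control, and it works on mail-gateway quarantine copies just as well as on a sample pulled from an endpoint.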

A defense mechanism is paramount against OSTAP and its like. As technology advances by the minute, so do the number of attack techniques and attackers. Hence, keep systems updated and a tight security structure in place.


Betting and Gambling Websites under Cyberattack from Chinese Hackers


Since last summer, Chinese hackers have been targeting South Asian companies that run online gambling and betting websites. Gambling companies in South Asia have confirmed the hacks, while rumors of cyberattacks on betting websites have also emerged from Europe and the Middle East, though those remain unconfirmed, according to reports from cybersecurity firms Trend Micro and Talent-Jump. Cybersecurity experts say no money was stolen in these hacks against the gambling websites; however, the hackers did steal source code and databases. The motive was not financial crime but espionage to gather intelligence.


According to the experts, a group named 'DRBControl' is responsible for the attacks. Trend Micro reports that the techniques used in this campaign are similar to those of Emissary Panda and Winnti, Chinese hacking groups that have run cyberattack campaigns for the benefit of the Chinese state. As of now it is not confirmed whether DRBControl is attacking in the interests of the Chinese government. According to the cybersecurity firm FireEye, not all such attacks are state-sponsored: as a side business, the hackers have also launched attacks for profit.

How did the attacks happen?

The techniques used by DRBControl are neither uncommon nor unique; the methods used to target victims and steal their data were fairly simple. The hackers send phishing emails carrying backdoor malware, and if the user is lured into opening them, the system is infected with backdoor Trojans. However, these backdoor Trojans are not the same as others.

This kind of Trojan relies on the Dropbox file hosting and sharing service as its C&C (command-and-control) channel and as storage for stolen data and second-stage payloads; hence the name, DropBox Control. The Chinese hackers typically use the backdoor Trojans to install other malware and tools so that they can move through the network and find the path to the source code and databases in order to steal user data.

TrickBot Added New Stealthy Backdoor for High-Value Targets



The authors behind the infamous TrickBot malware, a modular banking trojan that targets sensitive financial information and also acts as a dropper for other malware, have developed a stealthy custom backdoor known as 'PowerTrick' to monitor and infiltrate high-value targets.

Statistics show that TrickBot is one of the top crimeware codebases and cyberattack groups in existence today. Its developers have made frequent upgrades to evade detection more smoothly, strengthen its stealth, make it harder to research and let it bypass security controls on user devices.

PowerTrick was created primarily to keep up with the fast-paced era of constantly evolving defenses by bypassing some of the most sophisticated security controls and highly secured high-value networks. As SentinelLabs security researchers Vitali Kremez, Joshua Platt and Jason Reaves stated on Thursday: "The end-goal of the PowerTrick backdoor and its approach is to bypass restrictions and security controls to adapt to the new age of security controls and exploit the most protected and secure air-gapped high-value networks."

According to the analysis, PowerTrick is configured to execute commands and send back the results in Base64 format. It is delivered as a follow-up module after the victim's system has been infected by TrickBot.

How does it work?

During their examination, researchers discovered an initial backdoor script being sent out, at times disguised as a PowerShell task, which establishes contact with a command-and-control (C2) server. Once contact is established, the operators send their first command, which downloads the main PowerTrick backdoor. After installation, the malware performs common backdoor functions: it checks in and then awaits further commands. Once received, it acts on these commands and returns the results or errors.

“Once the system and network have been profiled, the actors either stealthily clean up and move on to a different target of choice, or perform lateral movement inside the environment to high-value systems such as financial gateways,” according to the SentinelLabs analysis.

"TrickBot has shifted focus to enterprise environments over the years to incorporate many techniques from network profiling, mass data collection, incorporation of lateral traversal exploits,” researchers concluded.

“This focus shift is also prevalent in their incorporation of malware and techniques in their tertiary deliveries that are targeting enterprise environments, it is similar to a company where the focus will shift depending on what generates the best revenue.”

Alert! USB Flash Drive Malware: Threats Decoded!


Cybercriminals have become ever savvier at finding new ways to deliver malware onto victims' devices.

Next on the list are malicious USB sticks. These are used whenever an attacker needs physical access to a computer or any other device.

The first related incident goes back a decade, when the highly malicious “Stuxnet” worm was spread via USB sticks to attack Iranian networks.

An unattended USB flash drive can cause just as much harm if plugged into a host system or network; such drives could carry viruses or even ransomware.

The motives behind these drives range from casual intrusion into systems to disrupting major businesses and their operations.

Such USB sticks can lead to major setbacks and harm for victim organizations, their clients and individuals at large.

Reportedly, several other malware families have been carried and transmitted through USB flash drives, and per sources they include:

1. The “Flame” modular computer malware
2. The “Duqu” collection of computer malware


A malicious USB flash drive poses numerous threats and risks to its users; backdoors, Trojans, ransomware attacks and information theft are common outcomes.


Per sources, browser hijackers could also be installed to redirect users to the hackers' website, where adware, greyware, malware or spyware could be injected into the device.

Users can follow these safety measures to steer clear of the attacks described above:

1. Update the computer and other device software regularly. All essential patches must be installed to close vulnerabilities.
2. Enable all the security features on the devices. Fingerprint authentication is a good option in such cases.
3. Keep all your USB flash drives secure, safe and protected against tampering.
4. Never plug unauthorized or unknown USB flash drives into your business devices, especially those at your workplace.
5. Keep separate drives for work and home devices.

Zeppelin Is Back! Ransomware Stealing Data Via Remote Management Software


Hackers are using remote management software to steal data and compromise networks, and finally to install the “Zeppelin” ransomware on compromised devices.

Reportedly, the software is ConnectWise, which generates agents that are installed on target computers. Once the agent starts, the device appears in the ConnectWise Control site management console.

ConnectWise is remote management software generally used by MSPs and IT professionals to access and support remote devices.

Per reports, Zeppelin was recently spread via “ScreenConnect”, a desktop control tool used to remotely execute commands on a user's device and manage it.

The ScreenConnect client was installed on a compromised workstation, leading to the compromise of a large real estate company's network.

The client, named ScreenConnect.ClientService.exe, runs undetected in the background, waiting all the while for a “remote management connection”.

The software was then used to execute numerous commands that harvested data from backup systems and installed malware: data-stealing Trojans, other exploitation tools to make the network more vulnerable and finally the Zeppelin ransomware to infect machines.

The attack starts with the execution of a CMD script that prepares the device for the ransomware installation. A “registry file” is imported which “configures the public encryption key”, and this is then used by the ransomware to disable Windows Defender by deactivating several security mechanisms.

Per reports, the hacker then executes a PowerShell command that downloads the Zeppelin ransomware as a file named “oxfordnew.exe” or “oxford.exe” into the Windows Temp folder on the C drive.
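Both the fileless chain described in the earlier post (a browser or Flash starting PowerShell that talks to a C2 server) and the Zeppelin chain above (the ScreenConnect client service spawning a CMD script, then PowerShell dropping an executable into Temp) share one property a defender can key on: the parent-child relationship between processes is wrong for the host's normal use. The following added example (not code from the page or from any of the vendors it cites) applies a handful of parent-child and command-line rules to constructed Sysmon-style process-creation records. The event layout, the process lists, the `screenconnect.windowsclient.exe` name, the Chrome path and the encoded sample command are assumptions; `ScreenConnect.ClientService.exe` and `oxfordnew.exe` are the names given on the page.

```python
"""Rule-based review of process-creation telemetry for the chains described above.
Added example; the events are constructed Sysmon-style records, not real logs."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the newly created process
    cmdline: str
    parent_image: str   # full path of the parent process


# Built-in script hosts and shells that fileless chains live in.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Parents that should almost never spawn a shell on a workstation (assumed list).
USER_FACING_PARENTS = {"chrome.exe", "firefox.exe", "iexplore.exe",
                       "flashplayer.exe", "winword.exe", "outlook.exe"}
# Remote-management agent named on the page; the second client name is an assumption.
REMOTE_MGMT = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand/-enc/-e argument (base64 of UTF-16LE)."""
    m = re.search(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(events: List[ProcEvent]) -> List[dict]:
    """Return one alert dict per (event, rule) match."""
    alerts = []
    for ev in events:
        img, parent = basename(ev.image), basename(ev.parent_image)
        if img in SHELLS and parent in USER_FACING_PARENTS:
            alerts.append({"pid": ev.pid, "rule": "shell_from_user_app",
                           "detail": f"{parent} -> {img}"})
        if img in SHELLS and parent in REMOTE_MGMT:
            alerts.append({"pid": ev.pid, "rule": "shell_from_remote_mgmt",
                           "detail": f"{parent} -> {img}"})
        if img in {"powershell.exe", "pwsh.exe"}:
            decoded = decode_encoded_command(ev.cmdline)
            if decoded is not None:  # surface the decoded script for the analyst
                alerts.append({"pid": ev.pid, "rule": "encoded_powershell", "detail": decoded})
        if img.endswith(".exe") and "\\temp\\" in ev.image.lower():
            alerts.append({"pid": ev.pid, "rule": "exec_from_temp", "detail": ev.image})
    return alerts


# Constructed sample telemetry (not real logs); the encoded command is harmless.
ENC = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SC = r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Program Files\Google\Chrome\chrome.exe", "chrome.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(2, PS, f"powershell.exe -enc {ENC}", r"C:\Program Files\Google\Chrome\chrome.exe"),
    ProcEvent(3, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Windows\Temp\stage.cmd", SC),
    ProcEvent(4, PS, r"powershell.exe -File C:\Windows\Temp\prep.ps1", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(5, r"C:\Windows\Temp\oxfordnew.exe", "oxfordnew.exe", PS),
    ProcEvent(6, SC, "ScreenConnect.ClientService.exe", r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Event 6, the agent itself starting under `services.exe`, fires nothing, because a remote-management client running is normal on a managed host; it is the shell it spawns (event 3) and the executable run out of Temp (event 5) that mark the sequence on the page. Tuning such rules means listing the legitimate parents of shells in your own environment, not loosening the rules themselves.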

In most cases, such ransomware attacks work by first hacking the MSP and then using its remote management software to wreak havoc.

Here, instead, the hackers themselves deployed the ScreenConnect software to have complete control over the situation and cause as much trouble as possible.

Ransomware is being used at high rates, and repeated incidents of data theft are coming to light. The hackers use the stolen data as leverage to make victims pay.

Zeppelin, Maze, and REvil are leading names in the ransomware market.

Facebook Files a Lawsuit Against a Company for Running Malicious Ads?



Reportedly, Facebook filed a lawsuit against a Chinese company that allegedly compromised user accounts in order to run suspicious ads on the platform.

Running and distributing advertisements for “counterfeit goods” and “dietary pills” was the sole purpose of compromising the accounts in question.

The company, per reports, is “ILikeAD Media International Company Ltd.”, represented, according to sources, by the authors of the malware scheme, "Huang Toa" and "Chen Xiao Cong".

The authors allegedly used two basic ploys to mask their real aim.

One is using images of celebrities, aka “celeb bait”, to lure people into clicking; the other is a technique called “cloaking”.

Cloaking refers to hiding something from Facebook's systems so that the real destination of a link or advertisement is concealed.

When clicked, the ad would take users to the real “landing page”, while Facebook would be tricked into seeing a version that complied with its advertising policies.

Per Facebook, cloaking is in most cases foolproof, as it hardly ever leaves tracks behind, making it tough to identify the actors. This is largely why there are no specific rules about it.


Reportedly, another attack along the same lines was observed in which a fake PDF editor was pushed in order to steal Amazon and Facebook session cookies. The malware at work, per reports, is called “Socelars”.

Along with session cookies, other data such as access tokens, email addresses, credit card information and account IDs allegedly formed part of the compromised data.

The cookies are later used to connect to several Facebook URLs, one of which accesses the “account_billing” directory.

The bulk of what is in that directory is the information that allows a call to the Facebook Graph API to extract data from the user's Ads Manager settings.

The malware, which was distributed via numerous websites, was in fact a new Trojan with almost nothing in common with other families.

There is no way of knowing whether this malware has anything to do with the organization Facebook sued, but it certainly fits the description.

All users who fell prey to the schemes pulled off by the cybercriminals were handsomely compensated, and their accounts were secured against any further unauthorized access.

Facebook is well aware of the jeopardy its users were in and is committed to precautionary measures to prevent any repetition.

Vulnerability found in Android Phones exploited by bank thieves through malicious apps


Researchers from security firm Promon found a vulnerability in millions of fully patched Android phones that is being exploited by malicious apps designed to drain users' bank accounts. The vulnerability is exploited by 36 apps, including banking trojans. These apps masquerade as legitimate apps the user has already installed, appearing on top of or inside them, say the researchers. Since the user already trusts those apps, the malicious ones then ask for permissions such as recording audio or video, taking photos and reading text messages, or phish for login credentials.



Victims who tap yes fall prey to the scam. Researchers from Lookout and Promon reported on Monday that they found 36 apps exploiting the spoofing vulnerability, including the BankBot banking trojan, which has been active since 2017 and whose apps have been caught on Google Play repeatedly. The only way users can protect themselves is by denying the permissions. The vulnerability lies in Android's TaskAffinity feature, which lets an app pose as another app in the multitasking environment; using it, the malicious app is placed inside or on top of the target. "Thus the malicious activity hijacks the target's task," Promon researchers wrote.

"The next time the target app is launched from Launcher, the hijacked task will be brought to the front and the malicious activity will be visible. The malicious app then only needs to appear like the target app to successfully launch sophisticated attacks against the user. It is possible to hijack such a task before the target app has even been installed." Promon calls the vulnerability "StrandHogg". Neither Promon nor Lookout has revealed the apps, but Google has removed them from its store.

Still, the vulnerability remains a problem in Android. Google representatives said, "We appreciate the researchers['] work, and have suspended the potentially harmful apps they identified. Google Play Protect detects and blocks malicious apps, including ones using this technique. Additionally, we're continuing to investigate to improve Google Play Protect's ability to protect users against similar issues."

New Chrome Password Stealer, 'CStealer' Sends Stolen Data to a MongoDB Database


Information stored by the Chrome browser, including passwords, usernames and other user credentials, is at serious risk as a new trojan known as CStealer attempts to steal the confidential data saved in Google's Chrome browser.

Password-stealer trojans are applications that run in the background and silently gather sensitive information about the system, such as connected users and network activity. They attempt to steal confidential information stored on the system and in browsers, like usernames, passwords and other credentials, which once stolen are sent to a destination specified by the attacker.

The idea behind this info-stealing trojan is the same as many others: steal the credentials saved in the browser's password manager. What makes CStealer unusual and interesting is that it uses a remote MongoDB database to store the stolen data.

The malware, discovered by MalwareHunterTeam and later analyzed by James, does not bundle the stolen data and send it to a C2 server under the author's control; instead, according to the findings, it is programmed to connect directly to a remote MongoDB database and store the stolen passwords there.

As the network traffic examined by James shows, once the passwords are stolen the malware connects to the database and stores the data there. To do this, the malware carries hardcoded MongoDB credentials and uses the MongoDB C Driver as its client library.

The approach is somewhat more sophisticated and less common, but ultimately it achieves its goal: the credentials are stolen. At the same time, it indirectly opens the victims' confidential information to anyone else, because the credentials for the database are embedded in the malware itself. Anyone who examines the malware afterwards, from law enforcement to security researchers, can retrieve the hardcoded credentials and use them to reach the stolen data.
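The last point is the analyst's way in: a stealer that writes straight to a database must embed the database credentials. The following triage helper, added here and not part of any published analysis of CStealer, scans a sample's bytes for MongoDB connection strings and reports the exfiltration target with the password withheld; the sample bytes and the host db.example.invalid are constructed.

```python
"""Locate hardcoded MongoDB connection strings in a sample's bytes."""
import re
from urllib.parse import unquote, urlsplit

# mongodb:// or mongodb+srv:// followed by anything up to whitespace, NUL or a quote
MONGO_URI_RE = re.compile(rb"mongodb(?:\+srv)?://[^\s\x00\"'<>]+")


def extract_mongo_targets(blob: bytes) -> list:
    """Return one dict per embedded URI. The password is never copied out, only
    its presence is recorded, so the finding can be shared without handing out
    working credentials."""
    findings = []
    for match in MONGO_URI_RE.finditer(blob):
        uri = match.group(0).decode("ascii", errors="replace")
        parts = urlsplit(uri)          # netloc parsing works for any scheme
        try:
            port = parts.port          # raises on multi-host lists like a:1,b:2
        except ValueError:
            port = None
        findings.append({
            "offset": match.start(),
            "scheme": parts.scheme,
            "user": unquote(parts.username) if parts.username else None,
            "has_password": parts.password is not None,
            "host": parts.hostname,
            "port": port,
            "database": parts.path.lstrip("/") or None,
        })
    return findings


# Constructed sample: junk bytes around a fake connection string. The
# driver function name and "Login Data" string mimic what such a sample
# might contain; nothing here is taken from a real binary.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16 + b"mongoc_client_new\x00"
    + b"mongodb://loot_writer:Pa%24%24w0rd@db.example.invalid:27017/stealer_db\x00"
    + b"\x00" * 8 + b"Login Data\x00"
)

if __name__ == "__main__":
    for hit in extract_mongo_targets(SAMPLE_BLOB):
        print(hit)
```

The host and port it reports are what you would feed into a network block or a takedown request; the recorded offset lets you confirm the string in a hex editor.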

A Trojan that Steals Users' Banking Information via Fake McDonald's Coupons


Spread via malvertising, the banking trojan lures its victims with fake McDonald's coupons as bait. It came to notice when it was caught trying to steal the banking details of Latin American shoppers. The trojan, discovered by researchers at ESET, is known as Mispadu and is similar to other Latin American banking trojans such as Casbaneiro and Amavaldo. The trojan uses a remote crypto key to conceal its original language. Mispadu targets users in Mexico and Brazil.


False McDonald's coupons are used to lure customers- 

The process uses bogus McDonald's discount coupons as bait. The vouchers are sent through spam e-mails or Facebook ads which, when clicked, take the user to the coupon's main site. When the user clicks the button to get the coupon, they are offered an MSI installer instead. The attacker uses this MSI installer to run a command that decrypts and executes an initial stage, which then connects to a remote server. "The trojan was also detected when working on a harmful Chrome version. It's built to shield the Google Chrome network to instead affect its victims' devices through the support of JavaScript," confirms ESET's inquiry.

Loots banking and personal information- 

Once it has compromised a system, Mispadu uses fake pop-up windows to persuade targets to share personal data. The trojan first gathers information about the system, such as which commonly used Latin American banking applications and which security products are installed. It also steals information from several web browsers and e-mail clients, including Google Chrome, Mozilla Firefox, Outlook, Internet Explorer and more.

"Mispadu can also steal crypto funds like Bitcoins using a technique like clipboard hijacking. But fortunately, no such case has appeared to date," says ESET. The malicious Google Chrome extension that the trojan distributes can also collect users' transaction information and debit card data on various sites by harvesting what is entered into those sites' forms. "For securing a backdoor entry in your device, Mispadu can automatically capture a screenshot, regulate your keyboard and mouse controls, and recover commands," say the experts.

New Hacking Group Deploying Backdoors and Ransomware in Windows via Word docs


Researchers from Proofpoint have detected a series of malware campaigns by a new hacking group, dubbed TA2101, that targets organizations in Germany and Italy and plants backdoors in their systems. The attackers also impersonate the United States Postal Service and tax authorities to distribute the Maze ransomware as well as banking Trojans. The researchers noted that, once inside a network, the attackers use legitimate, licensed penetration-testing tools such as Cobalt Strike and Metasploit. Organizations use these tools to find weaknesses and vulnerabilities in their own networks, while adversaries such as Cobalt Group, APT32 and APT19 abuse the same software to install backdoors.

Deploying Backdoors in Windows via Word Docs 

The actors trick victims into clicking through phishing e-mails carrying ransomware and even banking trojans by sending alerts that demand immediate action, posing as the German Federal Ministry of Finance, the United States Postal Service, law enforcement and finance firms. Behind the scenes, the attached Word document deploys ransomware on the victim's Windows machine when it is opened.

Proofpoint researchers observed these impersonation campaigns from October 16 to November 12, 2019; the collected data gave a clear view of the attackers' targets and of how they operate, sending spam to companies and IT departments in Germany, Italy and the United States. "Researchers also observed a consistent set of TTP (Tactics, Techniques, and Procedures) that allows attribution of these campaigns to a single actor with high confidence. These include the use of .icu domains, as well as identical email addresses for the Start of Authority (SOA) resource records stored for the DNS entries for the domains used in these campaigns", Proofpoint said.
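The SOA-contact heuristic Proofpoint describes is easy to reproduce over DNS data you have already collected. The example below is added here (it is not Proofpoint's tooling): it converts each SOA RNAME into the mailbox it encodes, groups domains by that contact, and counts how many of each cluster's domains sit under a suspicious TLD such as .icu. The SOA records are constructed and none of the domains are real campaign infrastructure.

```python
"""Cluster phishing domains by the SOA RNAME (administrator mailbox) they share."""
from collections import defaultdict

SUSPICIOUS_TLDS = {"icu"}   # from the campaign description; extend as needed


def rname_to_email(rname: str) -> str:
    """Turn an SOA RNAME like 'hostmaster.example.com.' into
    'hostmaster@example.com'. Only the first unescaped dot separates the
    mailbox from the domain; a dot inside the mailbox is written as '\\.'."""
    rname = rname.rstrip(".")
    mailbox = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):   # escaped char, keep literally
            mailbox.append(rname[i + 1])
            i += 2
            continue
        if ch == ".":
            return "".join(mailbox) + "@" + rname[i + 1:]
        mailbox.append(ch)
        i += 1
    return "".join(mailbox)                      # no domain part at all


def cluster_by_soa_contact(records):
    """records: iterable of (domain, rname). Returns {contact: [domains]}."""
    clusters = defaultdict(set)
    for domain, rname in records:
        clusters[rname_to_email(rname).lower()].add(domain.lower().rstrip("."))
    return {contact: sorted(domains) for contact, domains in clusters.items()}


def flag_campaign_clusters(records, min_size=2):
    """Return clusters whose contact spans at least min_size domains, largest
    first, each with the number of domains under a suspicious TLD."""
    flagged = []
    for contact, domains in cluster_by_soa_contact(records).items():
        if len(domains) < min_size:
            continue
        bad_tld = sum(d.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS for d in domains)
        flagged.append({"contact": contact, "domains": domains,
                        "suspicious_tld_count": bad_tld})
    return sorted(flagged, key=lambda c: -len(c["domains"]))


# Constructed SOA data for illustration; none of these are real domains.
SAMPLE_SOA = [
    ("tax-refund-notice.icu",     "jane\\.doe.mailbox.invalid."),
    ("parcel-redelivery.icu",     "jane\\.doe.mailbox.invalid."),
    ("invoice-review-portal.icu", "JANE\\.DOE.mailbox.invalid."),
    ("corp-site.example",         "hostmaster.corp-site.example."),
    ("small-shop.example",        "dnsadmin.registrar.invalid."),
]

if __name__ == "__main__":
    for cluster in flag_campaign_clusters(SAMPLE_SOA):
        print(cluster)
```

A shared contact is a pivot, not proof: generic registrar contacts such as the dnsadmin entry above will cluster unrelated customers, so check the mailbox's domain before treating a cluster as one actor.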

Among the samples, the e-mails carried weaponized Word documents which, when opened, ran a series of commands, namely launching a PowerShell script that eventually downloads and installs the Maze ransomware. In campaigns aimed at the healthcare vertical and related companies, the e-mails and Word documents instead installed the IcedID trojan as the payload.

17 Trojan-infested apps you need to delete from your iPhone right now!


Just as in the ancient Greek story, where soldiers sneaked through the gates of Troy by hiding inside a wooden horse, Trojans sneak onto your phone in the guise of harmless apps that you install voluntarily. According to a report by Wandera, Apple users are being warned to check their devices against a list of such apps and delete them.

The research team at Wandera, a software-as-a-service firm, identified 17 apps that install a malicious Trojan module on iOS devices. Apple says the apps have been removed from the App Store, but that on examination it found they did not contain the claimed Trojan malware. Instead, the apps were removed for being adware, specifically what is called "clicker Trojan malware": they included code that generated artificial ad click-throughs, making it appear that the user had viewed an advertisement, which is against the App Store's guidelines. Apple added that the App Store's protection tools have been updated to detect such apps.

Below is the list of infected apps:

RTO Vehicle Information
EMI Calculator & Loan Planner
File Manager - Documents
Smart GPS Speedometer
CrickOne - Live Cricket Scores
Daily Fitness - Yoga Poses
FM Radio PRO - Internet Radio
My Train Info - IRCTC & PNR (not listed under developer profile)
Around Me Place Finder
Easy Contacts Backup Manager
Ramadan Times 2019
Pro Restaurant Finder - Find Food
BMI Calculator PRO - BMR Calc
Dual Accounts Pro
Video Editor - Mute Video
Islamic World PRO - Qibla
Smart Video Compressor

The developer of these apps is AppAspect Technologies, an Indian company that publishes apps for both iOS and Android. Wandera said that on examination these apps did not contain the clicker Trojan, but that they used to. Covington thinks it possible that they once contained the Trojan, were pulled from the store, and were republished after the Trojan module was removed; perhaps the crackdown on the Play Store made the developer retreat and focus on iOS.

According to Wandera, the Trojan not only served ads but could also steal data and send it to an external command-and-control server, create backdoors, and cause performance degradation, battery drain and heavy bandwidth use. The fact that the apps were published on the App Store and went undetected is in itself a concern. “We were amazed with this one,” Wandera VP Michael Covington said in a statement to Forbes. “We've seen a couple of issues creep into the Apple App Store over the last few months—and it always seems to be the network element.”

Apple stands its ground, denying that any such Trojan malware existed and saying there was no danger beyond ad click-through fraud. The good news is that deleting the apps solves the problem, and nothing is left behind. “There is no access to special frameworks that might have left something behind,” Covington explained.

ATTENTION ANDROID USERS: REMOVE THESE APPS IMMEDIATELY!




At least 24 extremely popular Android applications were found to be infested with malware: they tested positive for a Trojan known as “Joker”.

According to sources, this Trojan silently makes the device interact with advertising websites, and it can steal SMS messages and private data.

According to the sources, the following applications are said to be infested with the Trojan:
  • Beach Camera 4.2
  • Mini Camera 1.0.2
  • Soby Camera 1.0.1
  • Declare Message 10.02
  • Rapid Face Scanner 10.02
  • Leaf Face Scanner 1.0.3
  • Spark Wallpaper 1.1.11
  • Humour Camera 1.1.5
  • Rudy SMS Mod
  • Antivirus Security – Security Scan, App Lock 1.1.2
  • Collate Face Scanner 1.1.2
  • Ignite Clean 7.3
  • Advocate Wallpaper 1.1.9
  • Print Plan scan 1.03
  • Great VPN 2.0
  • Climate SMS 3.5
  • Dazzle Wallpaper 1.0.1
  • Cute Camera 1.04
  • Board Picture editing 1.1.2
  • Altar Message 1.5
  • Age Face 1.1.2
  • Reward Clean 1.1.6
  • Certain Wallpaper 1.02
  • Mini Camera 1.0.2

Security researchers strongly advise every user to uninstall any of these applications if found on their devices.

CamScanner Returns After Being Removed by Google for Having Malware



Researchers at the multinational cybersecurity company Kaspersky Labs discovered a malicious module in the widely used mobile scanning app CamScanner. Following the discovery, Google removed the app from its Play Store last week. The iOS version of the app appears to have been unaffected by the malware.

On 5 September 2019, the developers of the popular PDF-creator app announced its return on their official Twitter account. Reportedly, they have removed all advertising SDKs in the latest version of CamScanner, 5.12.5, which users can download from the Google Play Store.

Although the previous version of the app had these issues, CamScanner itself is a legitimate and widely used application.



According to the researchers at Kaspersky Labs, “Recent versions of the app shipped with an advertising library containing a malicious module.”

“The module is a Trojan-Dropper, which means the module extracts and runs another malicious module from an encrypted file included in the app’s resources. This “dropped” malware, in turn, is a Trojan-Downloader that downloads more malicious modules depending on what its creators are up to at the moment,” they added.

The Trojan-Dropper module, detected as “Trojan-Dropper.AndroidOS.Necro.n”, is designed to fool users into signing up for paid subscriptions by showing them intrusive advertisements.

Trickbot Trojan Gets 'BokBot' Proxy Module to Steal Banking Info.




In 2017, IBM's X-Force team discovered a banking trojan named 'BokBot', also known as IcedID, which redirects users to malicious online-banking websites or hooks into the victim's browser process to inject unauthorized content into legitimate bank pages.

The authors of the Trickbot trojan have begun distributing a custom proxy module to infected users; the new component is derived from BokBot's web-injection code and works with several widely used web browsers.

The new module comes with its own configuration file; it was detected on an infected system on 5 July under the name "shadnewDll".

How does the malware work?

The infection chain begins with a malicious Word document that runs a PowerShell script to download the Ursnif trojan. The compromised host then receives a Trickbot build together with the IcedID proxy module, which is designed to intercept and modify web traffic.

After examining the component, security researcher Vitali Kremez said that it can hook into the following web browsers: Microsoft Edge, Mozilla Firefox, Internet Explorer and Google Chrome.

On further inspection, the module appears to have been specifically adapted for TrickBot or other bank-fraud operations that rely on installing this malware and its variants.

Citing FireEye's research: "The TrickBot administrator group, which is suspected to be based in Eastern Europe, most likely provides the malware to a limited number of cyber criminal actors to use in operations."

OceanLotus’ Ratsnif (A Remote Access Trojan)- Things You Need To Know




OceanLotus’ Ratsnif, a remote access Trojan that has largely escaped detection and is used mainly for cyber-espionage, has been improved and is now capable of SSL hijacking and modifying web pages.

The prominent threat actor OceanLotus is well known for its espionage campaigns in Vietnam. APT32, CobaltKitty, SeaLotus and APT-C-00 are some of its aliases in the infosec community.

The group usually combines “commercially available tools” such as Cobalt Strike with its own unique malware.

Researchers analysed four separate variants of the Ratsnif RAT family and found that it evolved from a debug build into a release version.

It now comes with new features such as DNS and MAC spoofing, SSL hijacking, packet sniffing, HTTP redirection and injection, remote shell access and ARP poisoning.

According to sources, the three early versions have 2016 compilation dates, whereas the most recent one dates from August 2018.

The oldest Ratsnif variant, according to the researchers, was a debug build compiled in August 2016; the domain for its command and control (C2) server was activated the same day.

A newer version with only minor changes was compiled the very next day. Both samples were tested for detection against the anti-virus engines on the VirusTotal service at the same time.

A third version, compiled in September 2016, has almost the same functionality and is believed by the researchers to be one of the earlier builds.

It did not yet have the full feature set, but it was capable of setting up a remote shell and performing ARP poisoning, DNS spoofing and HTTP redirection.

In its first stage it collects information such as usernames, computer names, the Windows system directory, network adapter details and workstation configuration, and sends it to the C2.



The fourth Ratsnif sample no longer carried a list of C2 servers and instead delegated communication to a different piece of malware present on the victim host.

It also introduced a configuration file and extended the feature set to make the tool more effective.

The intercepted traffic can be decrypted using version 3.11 of the wolfSSL library, formerly known as CyaSSL.

The configuration file is not protected in any way; it is simply a “text file encoded in Base64 with a parameter on its own line”.

Ratsnif can also trigger a memory read violation because of a bug when parsing one particular parameter (“dwn_ip”): the value is passed as a string when it should be a pointer to a string.

According to the analysts, the 2016 versions of Ratsnif wrote all captured packets to a PCAP file, whereas the 2018 version uses multiple sniffer classes to extract sensitive information from packets.

This reduces the amount of data the attacker has to collect, exfiltrate and process, and also reveals what information the attacker is after.

Ratsnif has done a remarkable job of staying out of the limelight. Nonetheless, it is not up to the standard of OceanLotus’ other malware.