Labs report: summer ushers in unprecedented season of breaches

In this edition of the Malwarebytes Cybercrime Tactics and Techniques report, we saw a number of high-profile breaches targeting the personal information of hundreds of millions of people. We also observed shifts in malware distribution, the revival of some old families, and found cases of international tech support scams.

Drive-by mining and ads: The Wild Wild West

Cryptomining in the browser is all the rage lately. But what are the impacts for users when it is being abused by dubious publishers?

Top Exploit Kit Activity Roundup – Summer 2017

Overview

This is the third installment in a series of blogs highlighting the recent activity of the top exploit kits. Exploit kits (EKs) are rapidly deployable software packages designed to leverage vulnerabilities in web browsers to deliver a malicious payload to a victim’s computer. EK authors offer their services for sale, distributing malware for other malicious actors. In this blog, we will be looking at the most active EKs, including RIG, Magnitude, Terror, and the newest arrival, Disdain. You can read our roundup from spring 2017 here.

RIG Exploit Kit

RIG remains the most consistently active exploit kit, distributed over several simultaneous campaigns to install ransomware, banking Trojans, and cryptocurrency mining software on vulnerable systems. In the latter part of spring, we saw a small decline in RIG activity; however, since then, we observed generally steady RIG traffic, with the exception of small spikes in June and August.

Figure 1: RIG hits, June 2017 – August 2017

Figure 2: RIG heat map, June 2017 – August 2017

The distribution of RIG hosts remains somewhat similar to previous reports, although the activity we observed in Southeast Asia and South America earlier this year was absent this quarter. In addition, the last three months show an increase in the RIG...

A week in security (August 28 – September 3)

Last week, we looked at what actions Kronos can perform in the final installment of a two-part post. We also dived into Locky, again, a ransomware that just made a comeback, and found that its latest variant (as of this writing) has anti-sandboxing capabilities. This means that once Locky has determined that it’s residing in...

Wonder Woman, Piracy, and the Cerber Ransomware

It’s become a lucrative business for malicious actors to host illegal streaming websites and upload or link to bootlegged content. The income from such activity is generated from the advertisements served to visitors. At the same time, attackers have become more savvy, devising new methods for getting users to click on ad links, as we noted in a previous blog. In some cases, users are tricked into clicking on ad links before being allowed to watch the streaming content. Others require visitors to simply close the ads; while that may seem harmless, we have observed one example in which Exploit Kit actors are using this technique to their benefit.

Analysis

In this instance, we observed the streaming website gomoviesto serving visitors the Magnitude Exploit Kit (EK). While many watchful users might have checked this site for malicious activity on a website scanner, there’s a good chance they wouldn’t have found any. We checked the gomoviesto site on VirusTotal and, at the time of this writing, the streaming site had no detection.

Figure 1: VirusTotal scanner analysis

The streaming website has a collection of bootlegged copies of recently released movies. One such movie was Wonder Woman, and the site offered multiple links to audience-recorded (“cammed”)...

Top Exploit Kit Activity Roundup – Spring 2017

Overview

This is the fifth in a series of posts in which we're examining recent activity of the current top exploit kits. An exploit kit (EK) is a rapidly deployable software package designed to leverage vulnerabilities in web browsers to deliver a malicious payload to a victim’s computer. Authors of EKs offer their services for a fee, distributing malware for other malicious actors. Through spring 2017, we have seen several significant changes in various exploit kits' structure and distribution. The RIG EK maintains its position as the most active exploit kit, serving a variety of ransomware payloads. Traffic to the Sundown, KaiXin, and Terror EKs all fell, though the latter two remain active. Magnitude EK has shown a slight increase in visibility, targeting users in Southeast Asia with a malvertising campaign. You can find our previous roundup here.

RIG Exploit Kit

RIG remains the most active exploit kit, although overall traffic has been marginally decreasing over the past several months. RIG is still a primary distributor of various ransomware payloads, and we have recently observed it dropping cryptocurrency mining software. ...

Top Exploit Kit Activity Roundup – Winter 2017

Overview

This is the fourth in a series of posts in which we're examining recent activity of the current top exploit kits. An exploit kit (EK) is a rapidly deployable software package designed to leverage vulnerabilities in web browsers to deliver a malicious payload to a victim’s computer. Authors of EKs offer their services for a fee, distributing malware for other malicious actors. Notable changes have been observed this quarter in several EKs, including a limited return of Neutrino, a new KaiXin campaign, and changes to Sundown URL schemes. You can find our previous roundup here.

RIG Exploit Kit

Throughout late 2016 and early 2017, RIG has remained the most active exploit kit, although overall activity has decreased in comparison to our previous review.

Figure 1: RIG hits, December 2016 – February 2017

Last fall, RIG took over as the primary distributor of CryptXXX ransomware, and became the EK of choice for the EITest and pseudoDarkleech campaigns, after the Neutrino EK was presumably shut down in September 2016. RIG continues to drop various ransomware payloads: CryptoShield, Cerber, Locky, and...

Top Exploit Kit Activity Roundup – Fall 2016

Overview

This is the third in a series of blogs reviewing the activity of the current top exploit kits. Exploit Kits (EKs) are rapidly deployable software packages designed to leverage vulnerabilities in web browsers as a way to deliver a malicious payload to a victim’s computer. Authors of EKs offer their services for sale, distributing malware for other malicious actors. Since our last roundup, there have been significant changes in several EKs. Neutrino, a very active EK during the summer, went offline in late September. RIG EK activity has increased, especially with the shutdown of Neutrino. New variants of Neutrino and RIG appeared in October, with modifications to their URL patterns and JavaScript source. You can read our previous roundup here.

Neutrino Exploit Kit

Following the shutdown of Angler EK in June, Neutrino activity significantly increased to fill the hole it left. Neutrino became a primary EK for malvertising campaigns as well as the main distributor of CryptXXX ransomware payloads. From late July through late September, Neutrino was frequently observed delivering CrypMIC, a recent CryptXXX variant, via the pseudoDarkleech and EITest...