Point-of-sale terminal software appears to be an easy target in general for many attackers. There have recently been several high profile, and most likely non-coordinated, attacks on different retailers across the globe. Not long ago, RSA uncovered a POS malware that steals payment card and personal identification information.
After running the malicious executable through our Vinsula Execution Engine (VEE) to analyze its behavior, I found out that this POS malware is very different from the notorious BlackPOS/Kartoxa malware used in the Target attack. (more…)
A week ago security researcher Dancho Danchev published an excellent post - Fake Adobe Flash Player Serving Campaign Utilizes Google Hosting/Redirection Infrastructure, Spreads Across Facebook
I was curious to learn more about this malware, so I ran the rogue binary (Adobe Flash Update titled FlashGuncelle.exe) through our Vinsula Execution Engine (VEE) to analyze its behavior, and I also delved into specific facets of its source code. (more…)
T wo weeks ago we came across a piece of malware that turned out to be a full-blown bot—one that is capable of taking full control over a user’s machine, and all encapsulated within less than 3K lines of source code! What’s scary is that writing it required no special skills. Access to some existing tools—and of course the desire to write malicious code—was all the author needed. (more…)
Malware authors frequently seek code-execution methods that not only evade detection by AV software but also cover tracks and remove evidence that could reveal the origins of the malicious code. Different methods exist for achieving these objectives, and the high degree of extensibility in Windows provides plenty of options for the bad guys to exploit. (more…)
Defeating security controls in antivirus and anti-malware systems is a common goal among malware authors. There are many sophisticated techniques and an incredible level of creativity with regard to methods of defeating these systems coming from those on “the other side of the fence.” (more…)
Malware authors are getting increasingly creative in their attempts to bypass security controls and gain access to critical information by using tools such as password stealer malware to steal credentials and intercept web traffic. In this post, we build a Behavioral Profile of Password Stealer Malware Trojan.FTP.13809.A. (more…)
A critical part of recent malware binaries is the executable component responsible for downloading the actual malware from a designated malware server.
Our colleague, security researcher Mila Parkour, published a link to a great post at DeepEnd Research (posted by Andre M. DiMino) with some interesting results about a downloader/trojan dubbed Trojan.Plague.13604.B. This malware is a variation of Mutopy - Win32 found by Sophos.
Given the widespread continued use of spear phishing campaigns, it generally wise to approach any emails containing attachments or links to archives with a heavy dose of caution—especially when the email comes from an unknown sender.
Over the last two days I received several emails from a sender that I didn’t recognize, and proceeded to analyze the attachment with our own Vinsula Execution Engine, allowing me quickly build a behavioral profile the potential malware. Not surprisingly, the report generated by Vinsula showed clear indications that the attachment is malicious. We have titled this malware Trojan.Malaria.13002. (more…)
Yesterday our colleagues from Sophos reported a new piece of Trojan malware titled Troj/ZBot-EUM. The attack delivers a ZIP file which contains an executable.
Our investigation shows that the Trojan we received (the title Trojan.Malaria.13001 uses our own naming convention) is a variation of the one detected by Sophos (first seen on 26th of April 2013) and we are hopeful that the evidence we have collected will help other security researchers, AV and Anti-Malware companies. (more…)
Our colleagues from FireEye recently discovered a zero-day malware attack which made use of an exploit for Adobe as described in and article titled “Adobe Investigating Reports of Reader Zero-Day Exploit”. In addition to this, Symantec Security Response published some interesting details of the inner workings of this attack in their article New Adobe PDF Zero-day Unleashes Trojan.Swaylib.
We have done additional research using a malicious file titled Mandiant.pdf (2A42BF17393C3CAAA663A6D1DADE9C93) and found additional details or what is possibly a newer variation on this attack. With our research we not only confirm the prior findings that several files were being dropped, but also have observed even more malicious files being dropped in the overall attack than have been reported. This is a sophisticated attack and we are sure there will be more details to come. (more…)