ChewBacca – a TOR based POS malware

Point-of-sale terminal software appears to be an easy target in general for many attackers. There have recently been several high profile, and most likely non-coordinated, attacks on different retailers across the globe. Not long ago, RSA uncovered a POS malware that steals payment card and personal identification information.

After running the malicious executable through our Vinsula Execution Engine (VEE) to analyze its behavior, I found out that this POS malware is very different from the notorious BlackPOS/Kartoxa malware used in the Target attack.

Facebook-spread Adobe Update Malware Dissected and Source Code Revealed

A week ago security researcher Dancho Danchev published an excellent post - Fake Adobe Flash Player Serving Campaign Utilizes Google Hosting/Redirection Infrastructure, Spreads Across Facebook

I was curious to learn more about this malware, so I ran the rogue binary (Adobe Flash Update titled FlashGuncelle.exe) through our Vinsula Execution Engine (VEE) to analyze its behavior, and I also delved into specific facets of its source code.

Scripting Bot Malware: No Need to Learn C to Launch a Cyber Attack

Two weeks ago we came across a piece of malware that turned out to be a full-blown bot, one capable of taking full control of a user's machine, all encapsulated within less than 3K lines of source code! What's scary is that writing it required no special skills. Access to some existing tools, and of course the desire to write malicious code, was all the author needed.

Vinsula Execution Engine Analysis of Venomous Snake Zero-Day Malware – CopyHook.131019.A

Malware authors frequently seek code-execution methods that not only evade detection by AV software but also cover tracks and remove evidence that could reveal the origins of the malicious code. Different methods exist for achieving these objectives, and the high degree of extensibility in Windows provides plenty of options for the bad guys to exploit.

Catching a Headless Horseman (or analysis of Trojan.Downloader.1301007.C-Jottix)

Defeating security controls in antivirus and anti-malware systems is a common goal among malware authors. There are many sophisticated techniques and an incredible level of creativity with regard to methods of defeating these systems coming from those on "the other side of the fence."

Hunting Down FTP Password Stealer Malware with Vinsula Execution Engine

Malware authors are getting increasingly creative in their attempts to bypass security controls and gain access to critical information by using tools such as password stealer malware to steal credentials and intercept web traffic. In this post, we build a Behavioral Profile of the Password Stealer Malware Trojan.FTP.13809.A.

Trojan.Plague.13604.B – Behavioral Signature Analysis of Mutopy Malware using Vinsula

A critical part of recent malware binaries is the executable component responsible for downloading the actual malware from a designated malware server.

Our colleague, security researcher Mila Parkour, published a link to a great post at DeepEnd Research (posted by Andre M. DiMino) with some interesting results about a downloader/trojan dubbed Trojan.Plague.13604.B. This malware is a variation of Mutopy - Win32 found by Sophos.

Trojan.Malaria.13002 – Malware Behavioral Signature Analysis

Given the widespread continued use of spear phishing campaigns, it is generally wise to approach any emails containing attachments or links to archives with a heavy dose of caution, especially when the email comes from an unknown sender.

Over the last two days I received several emails from a sender that I didn't recognize, and proceeded to analyze the attachment with our own Vinsula Execution Engine, allowing me to quickly build a behavioral profile of the potential malware. Not surprisingly, the report generated by Vinsula showed clear indications that the attachment is malicious. We have titled this malware Trojan.Malaria.13002.

Trojan.Malaria.13001– New Adobe PDF Trojan Malware Found

Yesterday our colleagues from Sophos reported a new piece of Trojan malware titled Troj/ZBot-EUM. The attack delivers a ZIP file that contains an executable.

Our investigation shows that the Trojan we received (the title Trojan.Malaria.13001 uses our own naming convention) is a variation of the one detected by Sophos (first seen on 26 April 2013), and we are hopeful that the evidence we have collected will help other security researchers, AV and anti-malware companies.
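The two Trojan.Malaria posts above both concern an executable delivered inside a ZIP attachment. As an added illustration, not code from Vinsula or from either post, the following triage routine inspects such an archive in memory before anything is extracted: it flags members by executable extension, by a document-style double extension (for example statement.pdf.exe, where Explorer hides the final extension by default), and by the MZ header of a Windows PE file, which catches an executable even when its name says otherwise. The extension lists and the sample archive are constructed for this example.

```python
import io
import zipfile

# Constructed lists for this example; extend them to match your environment.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}
MZ_MAGIC = b"MZ"  # DOS header signature present in every Windows PE executable


def inspect_zip(data: bytes) -> list:
    """Inspect a ZIP held in memory and return one finding per suspicious member.

    Nothing is written to disk and only the first two bytes of each member are
    read, so a hostile archive is never fully expanded during triage.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            reasons = []
            # 1. Final extension that Windows will execute directly.
            if len(parts) > 1 and parts[-1] in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension ." + parts[-1])
            # 2. Document-looking double extension such as statement.pdf.exe.
            if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
                reasons.append("document-like double extension")
            # 3. Content check: the file name can lie, the MZ header cannot.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == MZ_MAGIC:
                reasons.append("MZ header (PE executable)")
            if reasons:
                findings.append(
                    {"name": info.filename, "size": info.file_size, "reasons": reasons}
                )
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a disguised PE stub, a renamed PE stub and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("statement.pdf.exe", MZ_MAGIC + b"\x90" * 64)
        zf.writestr("notes.txt", MZ_MAGIC + b"\x00" * 64)  # executable hiding behind .txt
        zf.writestr("readme.txt", b"Please see the attached statement.")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(finding["name"], finding["size"], "; ".join(finding["reasons"]))
```

Because only the leading bytes are read per member, the routine is also a reasonable first pass against oversized archives; for a full mail gateway you would additionally compare `info.file_size` with `info.compress_size` to reject decompression bombs, and unpack flagged members only inside a sandbox such as the execution engine the posts describe.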

CVE-2013-0640 – Further Investigation into an Adobe PDF Zero-day Malware Attack

Our colleagues from FireEye recently discovered a zero-day malware attack which made use of an exploit for Adobe Reader, as described in an article titled "Adobe Investigating Reports of Reader Zero-Day Exploit". In addition to this, Symantec Security Response published some interesting details of the inner workings of this attack in their article New Adobe PDF Zero-day Unleashes Trojan.Swaylib.

We have done additional research using a malicious file titled Mandiant.pdf (MD5 2A42BF17393C3CAAA663A6D1DADE9C93) and found additional details of what is possibly a newer variation on this attack. With our research we not only confirm the prior findings that several files were being dropped, but have also observed even more malicious files being dropped in the overall attack than have been reported. This is a sophisticated attack and we are sure there will be more details to come.
