Sayad (Flying Kitten) Infostealer – is this the work of the Iranian Ajax Security Team?

Information stealing malware has become increasingly popular among malware authors targeting not just typical end-users, but also specific organizations and states. We have come across an intriguing piece of malware (dubbed Sayad) that implements multiple host data collection methods and wraps them up into a single .NET DLL. Sayad malware is typically distributed through phishing emails.


Analysis of CryptoLocker Racketeer spread through fake Energy Australia email bills

Over the last few months there has been a massive outbreak of the Ransomware CryptoLocker.  CryptoLocker is malware that first silently encrypts a user’s files and then requires the user pay a ransom to obtain the encryption key needed for decrypting the files.  CryptoLocker “Racketeer” (details about the name “Racketeer” at the end of the post) has been distributed through fake Energy Australia electricity bills. The phishing emails look very authentic, making them a powerful tool for delivering the malicious software.  On May 30th 2014, Energy Australia published a warning “New email scam reported” with an example of the hoax email. (more…)

ChewBacca – a TOR based POS malware

Point-of-sale terminal software appears to be an easy target in general for many attackers. There have recently been several high profile, and most likely non-coordinated, attacks on different retailers across the globe. Not long ago, RSA uncovered a POS malware that steals payment card and personal identification information.

After running the malicious executable through our Vinsula Execution Engine (VEE) to analyze its behavior, I found out that this POS malware is very different from the notorious BlackPOS/Kartoxa malware used in the Target attack. (more…)

Facebook-spread Adobe Update Malware Dissected and Source Code Revealed

A week ago security researcher Dancho Danchev published an excellent post – Fake Adobe Flash Player Serving Campaign Utilizes Google Hosting/Redirection Infrastructure, Spreads Across Facebook

I was curious to learn more about this malware, so I ran the rogue binary (Adobe Flash Update titled FlashGuncelle.exe) through our Vinsula Execution Engine (VEE) to analyze its behavior, and I also delved into specific facets of its source code. (more…)

Scripting Bot Malware: No Need to Learn C to Launch a Cyber Attack

T wo weeks ago we came across a piece of malware that turned out to be a full-blown bot—one that is capable of taking full control over a user’s machine, and all encapsulated within less than 3K lines of source code!  What’s scary is that writing it required no special skills.  Access to some existing tools—and of course the desire to write malicious code—was all the author needed. (more…)

Vinsula Execution Engine Analysis of Venomous Snake Zero-Day Malware – CopyHook.131019.A

Malware authors frequently seek code-execution methods that not only evade detection by AV software but also cover tracks and remove evidence that could reveal the origins of the malicious code.  Different methods exist for achieving these objectives, and the high degree of extensibility in Windows provides plenty of options for the bad guys to exploit. (more…)

Catching a Headless Horseman (or analysis of Trojan.Downloader.1301007.C-Jottix)

Defeating security controls in antivirus and anti-malware systems is a common goal among malware authors. There are many sophisticated techniques and an incredible level of creativity with regard to methods of defeating these systems coming from those on “the other side of the fence.” (more…)

Hunting Down FTP Password Stealer Malware with Vinsula Execution Engine

Malware authors are getting increasingly creative in their attempts to bypass security controls and gain access to critical information by using tools such as password stealer malware to steal credentials and intercept web traffic. In this post, we build a Behavioral Profile of Password Stealer Malware Trojan.FTP.13809.A. (more…)

Trojan.Plague.13604.B – Behavioral Signature Analysis of Mutopy Malware using Vinsula

A critical part of recent malware binaries is the executable component responsible for downloading the actual malware from a designated malware server.

Our colleague, security researcher Mila Parkour, published a link to a great post at DeepEnd Research (posted by Andre M. DiMino) with some interesting results about a downloader/trojan dubbed Trojan.Plague.13604.B. This malware is a variation of Mutopy  – Win32 found by Sophos.

Trojan.Malaria.13002 – Malware Behavioral Signature Analysis

Given the widespread continued use of spear phishing campaigns, it generally wise to approach any emails containing attachments or links to archives with a heavy dose of caution—especially when the email comes from an unknown sender.

Over the last two days I received several emails from a sender that I didn’t recognize, and proceeded to analyze the attachment with our own Vinsula Execution Engine, allowing me quickly build a behavioral profile the potential malware. Not surprisingly, the report generated by Vinsula showed clear indications that the attachment is malicious. We have titled this malware Trojan.Malaria.13002. (more…)

Go to Top