Fake ‘Vodafone U.K Images’ themed malware serving spam campaign circulating in the wild
We have just intercepted yet another spamvertised malware serving campaign, this time impersonating Vodafone U.K, in an attempt to trick the company’s customers into thinking that they’ve received an image. In reality, once users execute the malicious attachments, their PCs automatically join the botnet operated by the cybercriminal.
More details:
Marijuana-themed DDoS for hire service spotted in the wild
Largely thanks to the increasing availability of easy to use DIY (do-it-yourself) DDoS bots, we continue to observe an increase in international cybercrime-friendly market propositions for ‘DDoS for hire’ services. And whereas these services can never match the bandwidth capabilities and vendor experience offered by their Russian/Eastern European counterparts, they continue to empower novice Internet users with the ability to launch a DDoS attack against virtually anyone online.
In this post, I’ll profile a recently launched marijuana themed DDoS for hire service and emphasize on how, despite it’s built in pseudo-anti abuse process, the service is prone to be abused by novice cybercriminals looking for cost-effective ways to cause disruption online.
More details: read more…
Cybercriminals resume spamvertising Citibank ‘Merchant Billing Statement’ themed emails, serve malware
Over the past week, the cybercriminals behind the recently profiled ‘Citibank Merchant Billing Statement‘ themed campaign, resumed operations, and launched yet another massive spam campaign impersonating Citibank, in an attempt to trick its customers into executing the malicious attachment found in the fake emails.
More details:
Compromised Indian government Web site leads to Black Hole Exploit Kit
By Dancho Danchev
Our sensors recently picked up a Web site infection, affecting the Web site of the Ministry of Micro And Medium Enterprises (MSME DI Jaipur). And although the Black Hole Exploit Kit serving URL is currently not accepting any connections, it’s known to have been used in previous client-side exploit serving campaigns.
Let’s profile the campaign, list the malicious URLs, associate them with previously launched malicious campaigns, and provide actual MD5s for historical OSINT preservation/attribution purposes.
More details: read more…
Recent spike in FBI Ransomware striking worldwide
By Israel Chavarria
Recently we have seen a spike of this ransomware in the wild and it appears as though its creators are not easily giving up. This infection takes your computer hostage and makes it look as though the authorities are after you, when in reality this is all just an elaborate attempt to make you pay to unblock your computer. read more…
Fake ‘Export License/Payment Invoice’ themed emails lead to malware
By Dancho Danchev
We have just intercepted yet another currently ongoing malicious spam campaign, enticing users into executing a fake Export License/Payment Invoice. Once gullible and socially engineering users do so, their PCs automatically join the botnet operated by the cybercriminals.
More details: read more…
New commercially available DIY invisible Bitcoin miner spotted in the wild
By Dancho Danchev
Just as we anticipated in our previous analysis of a commercially available Bitcoin miner, cybercriminals continue “innovating” on this front by releasing more advanced and customizable invisible Bitcoin miners for fellow cybercriminals to take advantage of.
In this post, we’ll profile yet another invisible Bitcoin miner, once again available for purchase on the international cybercrime-friendly marketplace, emphasize on its key differentiation features, as well as provide MD5s of known miner variants.
More details:
CVs and sensitive info soliciting email campaign impersonates NATO
By Dancho Danchev
Want to join the North Atlantic Treaty Organization (NATO)? You may want to skip the CVs/personally identifiable information soliciting campaign that I’m about to profile in this post, as you’d be involuntarily sharing your information with what looks like an intelligence gathering operation.
More details: read more…
DIY malware cryptor as a Web service spotted in the wild – part two
By Dancho Danchev
With more Web-based DIY malware crypters continuing to pop up online, both novice and experienced cybercriminals can easily obfuscate any malicious sample into an undetected — through signatures based scanning not behavioral detection — piece of malware, successfully bypassing perimeter based defenses currently in place.
In this post I’ll profile a recently launched service, empowering virtually everyone using it, with the capability to generate undetected malware. I’ll emphasize on its key differentiation factors and provide sample MD5s known to have been crypted using the service.
More details:
Commercial ‘form grabbing’ rootkit spotted in the wild
By Dancho Danchev
Trust is vital. It’s also the cornerstone for the growth of E-commerce in general, largely thanks to the mass acceptable of a trusted model for processing financial data and personally identifiable information. For years, the acceptance and mass implementation of PKI (Public Key Infrastructure) has been a driving force that resulted in a pseudo-secure B2C, B2B, and B2G electronic marketplace, connecting the world’s economies in a 24/7/365 operating global ecosystem.
The bad news? Once the integrity of a host or a mobile device has been compromised, SSL, next to virtually every two-factor authentication mechanism gets bypassed by the cybercriminals that compromised the host/device, leading to a situation where users are left with a ‘false feeling of security‘.
In this post, I’ll profile a recently advertised commercial ‘form grabbing’ rootkit, that’s capable of ‘”grabbing” virtually any form of communication transmitted over SSL
More details: read more…
Newly launched ‘Magic Malware’ spam campaign relies on bogus ‘New MMS’ messages
By Dancho Danchev
The gang of cybercriminals behind the ‘Magic Malware‘ has launched yet another malicious spam campaign, attempting to trick U.K users into thinking they’ve received a notification for a “New MMS” message. In reality, once users execute the malicious attachment, it will download and drop additional malware on the affected hosts, giving the cybercriminals behind the campaign complete access to the affected host.
More details: read more…
Android.RoidSec: This app is an info stealing “sync-hole”!
Android.RoidSec has the package name “cn.phoneSync”, but an application name of “wifi signal Fix”. From a ‘Malware 101’ standpoint, you would think the creators would have a descriptive package name that matches the application name. Not so, in this case. So what is Android.RoidSec? It’s a nasty, malicious app that sits in the background (and avoids installing any launcher icon) while collecting all sorts of info-stealing goodness. read more…