New Jenkins Campaign Hides Malware, Kills Competing Crypto-Miners

Article / Jul 16, 2018

By Liron Segal

Threat actors continue to find creative yet relatively unsophisticated ways to launch new campaigns to reap profits from crypto-mining operations.

Tackling Gootkit's Traps

Article / Jul 11, 2018

By Julia Karpin

Gootkit malware uses misleading code to hinder manual research and automated analysis.

BackSwap Defrauds Online Banking Customers Using Hidden Input Fields

Article / Jun 29, 2018

By Ruby Cohen, Doron Voolf

BackSwap demonstrates unique behavior in its manipulation of user input fields and its handling of International Bank Account Numbers (IBANs).

New Struts 2 Campaign Compiles Its Own C# Downloader, Leverages a User Profile Page as Its C&C Server

Article / Jun 23, 2018

By Liron Segal

Attackers continue to find new and creative ways to carry out malicious crypto-mining operations, employing multiple exploits in a single campaign.

New Campaign Targeting Apache Struts 2, WebLogic Deploys Malware Using VBScript

Article / Jun 21, 2018

By Liron Segal

With the vast availability of new exploits and the competition for victims’ resources, the multi-exploit trend continues to be popular among attackers.

The Eternal Struggle: Security Versus Users

/ Jun 7, 2018

By Ray Pompon

F5 Labs writes for Help Net Security, explaining how to deal with the often-adversarial relationship between security professionals and the users they support.

Advanced Attackers: Stealthy, Patient, Dangerous

Blog / May 31, 2018

By Ray Pompon

Advanced attackers are considered a top threat by CISOs. Although they are rare, their stealthy determination to learn everything about a target before they strike makes them especially dangerous.

Windows IIS 6.0 CVE-2017-7269 Is Targeted Again to Mine Electroneum

Article / Apr 12, 2018

By Andrey Shalnev

Attackers are targeting a Windows IIS vulnerability first disclosed a year ago to mine Electroneum.

The Global Playing Field is Leveling Out as Europe and Asia Take on More DDoS Attacks

Article / Apr 6, 2018

By Sara Boddy, Justin Shattuck, Ilan Meller, Damien Rocha

The latest DDoS trends include the return of large volumetric DDoS attacks, the rise of application-targeted attacks, and a growing share of attacks against businesses in Europe and Asia.

Avoid Becoming a Crypto-Mining Bot: Where to Look for Mining Malware and How to Respond

/ Apr 3, 2018

By David Holmes

People are mining coins all over the place; all it costs is money for the power bill. So, of course, clever people are figuring out how to use other people's power to mine cryptocurrency.

Old Dog, New Targets: Switching to Windows to Mine Electroneum

Article / Mar 28, 2018

By Andrey Shalnev

The Apache Struts 2 Jakarta Multipart Parser RCE crypto-mining campaign is now targeting Windows systems, not just Linux systems.

rTorrent Client Exploited In The Wild To Deploy Monero Crypto-Miner

Article / Feb 28, 2018

By Andrey Shalnev

A previously undisclosed misconfiguration vulnerability in the rTorrent client is being exploited in the wild to mine Monero.

XMRig Miner Now Targeting Oracle WebLogic and Jenkins Servers to Mine Monero

Blog / Feb 21, 2018

By Andrey Shalnev

The drop zone server used earlier to mine Monero on compromised Jenkins automation servers is now being used in a new campaign targeting Oracle WebLogic servers.

Ramnit Goes on a Holiday Shopping Spree, Targeting Retailers and Banks

Article / Jan 15, 2018 (MODIFIED: Jan 25, 2018)

By Doron Voolf

Ramnit’s latest twist includes targeting the most widely used web services during the holidays: online retailers, entertainment, banking, food delivery, and shipping sites.

A Spectre of Meltdowns Could be in Store for 2018, Including Fileless Malware Attacks and More Costly Bots

Blog / Jan 10, 2018 (MODIFIED: Jan 15, 2018)

By Lori MacVittie

Every week, another bug, vulnerability, or exploit is released—we need a multi-layered security strategy to deal with threats like Spectre and Meltdown.

Trickbot Rapidly Expands its Targets in August, Shifting Focus to US Banks and Credit Card Companies

Article / Sep 14, 2017 (MODIFIED: Oct 17, 2017)

By Sara Boddy, Jesse Smith, Doron Voolf

TrickBot released a new worm module, shifted its focus towards the US, and soared past the one thousand target URLs mark in a single configuration.

Trickbot Focuses on Wealth Management Services from its Dyre Core

Article / Jul 27, 2017 (MODIFIED: Sep 1, 2017)

By Doron Voolf, Sara Boddy, Jesse Smith

As TrickBot evolves, we examine version 24, which heavily targets Nordic financial institutions, and we take a close look at the Dyre–TrickBot connection.

Trickbot Expands Global Targets Beyond Banks and Payment Processors to CRMs

Blog / Jun 15, 2017 (MODIFIED: Aug 1, 2017)

By Sara Boddy, Jesse Smith, Doron Voolf

TrickBot shows no signs of slowing down as new targets are added and command and control servers hide within web hosting providers’ networks.

Marcher Gets Close to Users by Targeting Mobile Banking, Android Apps, Social Media, and Email

Article / Apr 7, 2017 (MODIFIED: Sep 11, 2017)

By Doron Voolf

Marcher targets focused on European, Australian, and Latin American banks, along with PayPal, eBay, Facebook, WhatsApp, Viber, Gmail, and Yahoo—all in the month of March.

Ramnit’s Twist: A Disappearing Configuration

Blog / Feb 17, 2017 (MODIFIED: Jul 6, 2017)

By Anna Dorfman

The Ramnit banking Trojan continues to evolve, this time with the intent of making the malware harder to detect.

Trickbot Now Targeting German Banking Group Sparkassen-Finanzgruppe

Blog / Dec 1, 2016 (MODIFIED: Jul 6, 2017)

By Shaul Vilkomir-Preisman

TrickBot, the latest arrival to the banking malware scene and successor to the infamous Dyre botnet, is in constant flux.

Little Trickbot Growing Up: New Campaign

Blog / Nov 7, 2016 (MODIFIED: Dec 28, 2017)

By Julia Karpin, Shaul Vilkomir-Preisman, Anna Dorfman

Recently there have been several reports of a financial malware named TrickBot; this malware's code looks similar to Dyre.

Malware Targeting Bank Accounts Has a Swapping Pattern

Article / Sep 1, 2016 (MODIFIED: Jul 6, 2017)

By Doron Voolf, Elman Reyes

Attackers use an IBAN swapping technique to exchange a legitimate account number with their own destination mule account number before funds transfers occur.
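The IBAN-swapping pattern named in this teaser and in the BackSwap teaser above, modelled as an added JavaScript example that is not code from any F5 Labs article or from the malware itself. It pairs a minimal submit-time swap hook with the two checks a defender can run: ISO 13616 mod-97 validation of the submitted IBAN and a comparison against the value the user actually typed. The form object, the field names, the "mule" account, and the assumption that the bank's own script captured the intended IBAN in a closure before the injected hook ran are all constructed for illustration; the two IBANs are widely published example numbers, not real accounts.

```javascript
// Added example (not from the F5 Labs articles above): a Node.js model of the
// IBAN-swapping webinject pattern, next to the checks a defender can run.
// Every IBAN, field name and the "mule" account below is constructed for illustration.

// ISO 13616 mod-97 validation: move the first four characters to the end, expand
// letters A..Z to 10..35, and the resulting number must leave remainder 1 mod 97.
// The remainder is accumulated digit by digit, so no big-integer arithmetic is needed.
function isValidIban(iban) {
  const s = String(iban).replace(/\s+/g, "").toUpperCase();
  if (!/^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$/.test(s)) return false;
  const rearranged = s.slice(4) + s.slice(0, 4);
  const digits = rearranged.replace(/[A-Z]/g, (c) => String(c.charCodeAt(0) - 55));
  let rem = 0;
  for (const ch of digits) rem = (rem * 10 + Number(ch)) % 97;
  return rem === 1;
}

// The fraudster's side, reduced to its essence: a hook that fires at submit time,
// keeps what the victim typed for re-display, and writes the mule IBAN into the
// field that actually travels to the bank. The victim keeps seeing the beneficiary
// they expected on confirmation and receipt pages.
function swapIbanOnSubmit(form, muleIban) {
  const typed = form.beneficiaryIban;
  form.beneficiaryIban = muleIban;   // value the server receives
  form.displayIban = typed;          // value shown back to the victim
  return form;
}

// Defender's side. Assumption: the bank's own script captured the beneficiary IBAN
// when the user finished typing it (for example on blur) and held that copy in a
// closure instead of re-reading the DOM, so it can be compared with what is sent.
function detectIbanSwap(intendedIban, submittedIban) {
  const norm = (x) => String(x).replace(/\s+/g, "").toUpperCase();
  const intended = norm(intendedIban);
  const submitted = norm(submittedIban);
  return {
    swapped: intended !== submitted,
    submittedValid: isValidIban(submitted),  // mule accounts are real, valid IBANs
    countryChanged: intended.slice(0, 2) !== submitted.slice(0, 2),
  };
}

// End-to-end walk-through with constructed values.
function runScenario() {
  const userTyped = "DE89 3704 0044 0532 0130 00";  // published example IBAN
  const muleIban = "GB82 WEST 1234 5698 7654 32";   // published example IBAN, cast as the mule
  const captured = userTyped;                       // defender's closure copy
  const form = { beneficiaryIban: userTyped, amount: "4500.00" };
  swapIbanOnSubmit(form, muleIban);
  return detectIbanSwap(captured, form.beneficiaryIban);
}

console.log(runScenario());
```

Two things the walk-through makes visible that the teaser does not: the mule IBAN passes checksum validation, so format checks alone never catch the swap, and the swap is only detectable by comparing against a value the attacker's hook could not rewrite. In a real deployment that comparison belongs on the server, against a beneficiary the user confirmed through a second channel.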

Dridex is Watching You

Article / Jun 17, 2016 (MODIFIED: Jul 6, 2017)

By Anna Dorfman

And we're watching Dridex. Here's the latest in this malware's evolution.

Webinject Crafting Goes Professional: Gozi Sharing Tinba Webinjects

Blog / May 26, 2016 (MODIFIED: Jul 6, 2017)

By Doron Voolf

Webinject crafting is a separate profession now. Hackers write webinjects and sell them to fraudsters, who use them to weaponize Trojans.

Dridex Update: Moving to US Financials with VNC

Article / Apr 26, 2016 (MODIFIED: Jul 6, 2017)

By Doron Voolf

Ongoing campaign analysis has revealed that Dridex malware's latest focus has strongly shifted in recent months to US banks.

Dridex Botnet 220 Campaign: Targeting UK Financials With Webinjects

Article / Feb 25, 2016 (MODIFIED: Jul 6, 2017)

By Maxim Zavodchik

Like many other financial Trojans, the notorious Dridex malware keeps evolving and strengthening its presence.

Yasuo-Bot: Flexible, Customized, Fraudulent Content

Article / Dec 14, 2015 (MODIFIED: Jul 6, 2017)

By Shaul Vilkomir-Preisman

Standard mobile banking trojans post their own fraudulent content over banking applications. Yasuo-Bot goes further.

Webinject Analysis:

Article / Dec 12, 2015 (MODIFIED: Jul 6, 2017)

By Elman Reyes

Webinject attacks modify webpages to allow fraudsters to collect credentials, or act more directly against user accounts.

Dyre Update: Moving to Edge and Windows 10 With Anti-Antivirus

Blog / Nov 11, 2015 (MODIFIED: Jul 6, 2017)

By Julia Karpin

Dyre malware is a well-known threat that keeps security pros on their toes due in part to the frequent changes the authors incorporate.
