VIRUS-NEWS
Russian-speaking cybercrime evolution: What changed from 2016 to 2021
by Ruslan Sabitov20 Oct 2021 at 12:00pm
This report shares our insights into the Russian-speaking cybercrime world and the changes in how it operates that have happened in the past five years.
Trickbot module descriptions
by Oleg Kupreev19 Oct 2021 at 10:00am
In this article we describe the functionality of the Trickbot (aka TrickLoader or Trickster) banking malware modules and provide a tip on how to download and analyze these modules.
Lyceum group reborn
by Mark Lechtik, Aseel Kayal, Paul Rascagneres18 Oct 2021 at 11:00am
According to older public researches, Lyceum conducted operations against organizations in the energy and telecommunications sectors across the Middle East. In 2021, we have been able to identify a new cluster of the group?s activity, focused on two entities in Tunisia.
MysterySnail attacks with Windows zero-day
by Boris Larin, Costin Raiu12 Oct 2021 at 5:07pm
We detected attacks with the use of an elevation of privilege exploit on multiple Microsoft Windows servers. Variants of the malware payload used along with the zero-day exploit were detected in widespread espionage campaigns. We are calling this cluster of activity MysterySnail.
Ransomware in the CIS
by Fedor Sinitsyn, Yanis Zinchenko7 Oct 2021 at 10:00am
Statistics on ransomware attacks in the CIS and technical descriptions of Trojans, including BigBobRoss/TheDMR, Crysis/Dharma, Phobos/Eking, Cryakl/CryLock, CryptConsole, Fonix/XINOF, Limbozar/VoidCrypt, Thanos/Hakbit and XMRLocker.
GhostEmperor: From ProxyLogon to kernel mode
by Mark Lechtik, Aseel Kayal, Paul Rascagneres, Vasily Berdnikov30 Sep 2021 at 10:00am
While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. With a long-standing operation, high profile victims, advanced toolset and no affinity to a known threat actor, we decided to d...
DarkHalo after SolarWinds: the Tomiris connection
by Ivan Kwiatkowski, Pierre Delcher29 Sep 2021 at 2:45pm
We discovered a campaign delivering the Tomiris backdoor that shows a number of similarities with the Sunshuttle malware distributed by DarkHalo APT and target overlaps with Kazuar.
FinSpy: unseen findings
by GReAT28 Sep 2021 at 2:45pm
FinSpy, also known as FinFisher or Wingbird, is an infamous surveillance toolset, we has been tracking deployments of this spyware since 2011. In the report we decided to share some of our unseen findings about the actual state of FinSpy implants.
BloodyStealer and gaming assets for sale
by Leonid Bezvershenko, Dmitry Galov, Marc Rivero27 Sep 2021 at 10:00am
We take a closer look at threats linked to loss of accounts with popular video game digital distribution services, such as Steam and Origin. We also explore the kind of game-related data that ends up on the black market.
Wake me up till SAS summit ends
by Securelist23 Sep 2021 at 8:00am
What do cyberthreats, Kubernetes and donuts have in common ? except that all three end in ?ts?, that is? All these topics will be mentioned during the new SAS@Home online conference, scheduled for September 28th-29th, 2021.
