Read the original article: Our New Blog Security Intelligence Blog has a new home! Our new site is https://www.trendmicro.com/en_us/research.html Read new threat discoveries, relevant perspectives on security incidents and attacks, and the latest news happening in the cybersecurity space. See…
Tag: http://feeds.trendmicro.com/Anti-MalwareBlog/
August Patch Tuesday Fixes Critical IE, Important Windows Vulnerabilities Exploited in the Wild
Read the original article: August Patch Tuesday Fixes Critical IE, Important Windows Vulnerabilities Exploited in the Wild The August batch of Patch Tuesday updates includes 120 updates for the Microsoft suite, with 17 fixes rated as Critical, and the remaining…
XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits
Read the original article: XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits We have discovered an unusual infection related to Xcode developer projects. Upon further investigation, we discovered that a developer’s Xcode…
Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts
Read the original article: Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts A series of ongoing business email compromise (BEC) campaigns that uses spear-phishing schemes on Office 365 accounts has been seen targeting business executives of over 1,000 companies…
Ensiko: A Webshell With Ransomware Capabilities
Read the original article: Ensiko: A Webshell With Ransomware Capabilities Ensiko is a PHP web shell with ransomware capabilities that targets various platforms such as Linux, Windows, macOS, or any other platform that has PHP installed. The malware has the…
Ensiko: A Webshell With Ransomware Capabilities
Read the original article: Ensiko: A Webshell With Ransomware Capabilities Ensiko is a PHP web shell with ransomware capabilities that targets various platforms such as Linux, Windows, macOS, or any other platform that has PHP installed. The malware has the…
Updates on ThiefQuest, the Quickly-Evolving macOS Malware
Read the original article: Updates on ThiefQuest, the Quickly-Evolving macOS Malware By Steven Du, Gabrielle Mabutas, and Luis Magisa Right as July of this year began, we noticed an emerging malware dubbed by most as ThiefQuest (also known as EvilQuest),…
Patch Tuesday: Fixes for ‘Wormable’ Windows DNS Server RCE, SharePoint Flaws
Read the original article: Patch Tuesday: Fixes for ‘Wormable’ Windows DNS Server RCE, SharePoint Flaws The July update issues 123 patches, including fixes in RemoteFX vGPU, Microsoft Office, Microsoft Windows, OneDrive, and Jet Database Engine. The patches address 18 vulnerabilities…
Patch Tuesday: Fixes for ‘Wormable’ Windows DNS Server RCE, SharePoint Flaws
Read the original article: Patch Tuesday: Fixes for ‘Wormable’ Windows DNS Server RCE, SharePoint Flaws The July update issues 123 patches, including fixes in RemoteFX vGPU, Microsoft Office, Microsoft Windows, OneDrive, and Jet Database Engine. The patches address 18 vulnerabilities…
XORDDoS, Kaiji Botnet Malware Variants Target Exposed Docker Servers
Read the original article: XORDDoS, Kaiji Botnet Malware Variants Target Exposed Docker Servers We have recently detected variants of two existing Linux botnet malware types targeting exposed Docker servers; these are XORDDoS malware and Kaiji DDoS malware. While the XORDDoS…
New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa
Read the original article: New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa While tracking Earth Empura, also known as POISON CARP/Evil Eye, we identified an undocumented Android spyware we have named ActionSpy (detected by Trend Micro as…
Patch Tuesday: Fixes for LNK, SMB, and SharePoint Bugs
Read the original article: Patch Tuesday: Fixes for LNK, SMB, and SharePoint Bugs This month’s Patch Tuesday had the highest number of entries so far in 2020 — a whopping 129, a continuation of the trend seen from the previous…
New Tekya Ad Fraud Found on Google Play
Read the original article: New Tekya Ad Fraud Found on Google Play In late March, researchers from CheckPoint found the Tekya malware family, which was being used to carry out ad fraud, on Google Play. These apps have since been…
Barcode Reader Apps on Google Play Found Using New Ad Fraud Technique
Read the original article: Barcode Reader Apps on Google Play Found Using New Ad Fraud Technique We recently saw two barcode reader apps in Google Play, together downloaded more than a million times, that started showing unusual behavior (Trend Micro…
Backdoor, Devil Shadow Botnet Hidden in Fake Zoom Installers
Read the original article: Backdoor, Devil Shadow Botnet Hidden in Fake Zoom Installers We found two malware files that pose as Zoom app installers. One of the samples installs a backdoor that allows malicious actors to run routines remotely, while…
Netwalker Fileless Ransomware Injected via Reflective Loading
Read the original article: Netwalker Fileless Ransomware Injected via Reflective Loading Ransomware in itself poses a formidable threat for organizations. As a fileless threat, the risk is increased as it can more effectively evade detection. We discuss how Netwalker ransomware…
May Patch Tuesday: More Fixes for SharePoint, TLS, Runtime, and Graphic Components Released
Read the original article: May Patch Tuesday: More Fixes for SharePoint, TLS, Runtime, and Graphic Components Released This month’s Patch Tuesday includes 111 fixes for Microsoft. Of the 111 vulnerabilities, 16 have been rated Critical while the rest have been…
QNodeService: Node.js Trojan Spread via Covid-19 Lure
Read the original article: QNodeService: Node.js Trojan Spread via Covid-19 Lure QNodeService is a new, undetected malware sample written in Node.js, which is an unusual choice for malware authors. The malware has functionality that enables it to download/upload/execute files, steal…
Targeted Ransomware Attack Hits Taiwanese Organizations
Read the original article: Targeted Ransomware Attack Hits Taiwanese Organizations A new targeted attack has infected several organizations in Taiwan with a new ransomware family, which we have dubbed ColdLock. This attack is potentially destructive as the ransomware appears to…
WebMonitor RAT Bundled with Zoom Installer
Read the original article: WebMonitor RAT Bundled with Zoom Installer We encountered an attack that conceals RevCode WebMonitor RAT by abusing Zoom installers. The post WebMonitor RAT Bundled with Zoom Installer appeared first on . Advertise on IT Security…
Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining
Read the original article: Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining By David Fiser and Jaromir Horejsi (Threat Researchers) Recently, we wrote an article about more than 8,000 unsecured Redis instances found in the cloud. In this…
Grouping Linux IoT Malware Samples With Trend Micro ELF Hash
Read the original article: Grouping Linux IoT Malware Samples With Trend Micro ELF Hash We created Trend Micro ELF Hash (telfhash), an open-source clustering algorithm that effectively clusters Linux IoT malware created using ELF files. The post Grouping Linux IoT…
Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining
Read the original article: Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining By David Fiser and Jaromir Horejsi (Threat Researchers) Recently, we wrote an article about more than 8,000 unsecured Redis instances found in the cloud. In this…
Exposing Modular Adware: How DealPly, IsErIk, and ManageX Persist in Systems
Read the original article: Exposing Modular Adware: How DealPly, IsErIk, and ManageX Persist in Systems We have constantly observed suspicious activities caused by adware, with common behaviors that include access to seemingly random domains with alternating consonant and vowel names,…
Gamaredon APT Group Use Covid-19 Lure in Campaigns
Read the original article: Gamaredon APT Group Use Covid-19 Lure in Campaigns In March, we came across an email with a malware attachment that used the Gamaredon group’s tactics. Some of the emails used the coronavirus pandemic as a topic…
April Patch Tuesday: Fixes for Font-Related, Microsoft SharePoint, Windows Components Vulnerabilities
Read the original article: April Patch Tuesday: Fixes for Font-Related, Microsoft SharePoint, Windows Components Vulnerabilities Microsoft’s Patch Tuesday for April released fixes for a couple of critical font-related vulnerabilities, like an earlier disclosed one found in Adobe Type Manager Library…
April Patch Tuesday: Fixes for Font-Related, Microsoft SharePoint, Windows Components Vulnerabilities
Read the complete article: April Patch Tuesday: Fixes for Font-Related, Microsoft SharePoint, Windows Components Vulnerabilities Microsoft’s Patch Tuesday for April released fixes for a couple of critical font-related vulnerabilities, like an earlier disclosed one found in Adobe Type Manager Library…
Coronavirus Update App Leads to Project Spy Android and iOS Spyware
We discovered a cyberespionage campaign we have named Project Spy infecting Android and iOS devices with spyware by using the coronavirus disease (Covid-19) as a lure. The post Coronavirus Update App Leads to Project Spy Android and iOS Spyware appeared…
Zoomed In: A Look into a Coinminer Bundled with Zoom Installer
We found a coinminer bundled with the legitimate installer of video conferencing app Zoom. Users who attempt to download the installer get more than what they bargain for as they instead download the AutoIt compiled malware Trojan.Win32.MOOZ.THCCABO. The post Zoomed…
More Than 8,000 Unsecured Redis Instances Found in the Cloud
We discovered 8,000 Redis instances that are running unsecured in different parts of the world, even ones deployed in public clouds. The post More Than 8,000 Unsecured Redis Instances Found in the Cloud appeared first on . Advertise on…
Raccoon Stealer’s Abuse of Google Cloud Services and Multiple Delivery Techniques
Raccoon emerged as Malware as a Service (MaaS) last April 2019. Despite its simplicity, Raccoon became popular among cybercriminals and was mentioned as a notable emerging malware in underground forums in a malware popularity report. The post Raccoon Stealer’s Abuse…
Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links
A recently discovered watering hole attack has been targeting iOS users in Hong Kong. The campaign uses links posted on multiple forums that supposedly lead to various news stories. While these links lead users to the actual news sites, they…
OpenSMTPD Vulnerability (CVE-2020-8794) Can Lead to Root Privilege Escalation and Remote Code Execution
A root privilege escalation and remote execution vulnerability (designated as CVE-2020-8794) has been discovered in the free and open-source Unix Daemon, OpenSMTPD. The flaw originates from an out-of-bounds read, which attackers can take advantage of to execute arbitrary code on…
Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan
We recently discovered a new campaign that we dubbed “Operation Overtrap” for the numerous ways it can infect or trap victims with its payload. The campaign mainly targets online users of various Japanese banks by stealing their banking credentials using…
March Patch Tuesday: LNK, Microsoft Word Vulnerabilities Get Fixes
Following the unexpectedly long list of fixes included in last month’s Patch Tuesday, March brings an even longer one, albeit less eventful. A total of 115 vulnerabilities were fixed, 26 of which were identified as Critical as they could lead…
Busting Ghostcat: An Analysis of the Apache Tomcat Vulnerability (CVE-2020-1938 and CNVD-2020-10487)
Apache Tomcat is a popular open-source Java servlet container, so the discovery of Ghostcat understandably set off some alarms. This blog entry seeks to put the most feared Ghostcat-related scenario into perspective by delving into the unlikely circumstances that would…
Dissecting Geost: Exposing the Anatomy of the Android Trojan Targeting Russian Banks
We decided to dig deeper the behavior of Geost, a trojan targetting Russian banks, by reverse engineering a sample of the malware. The trojan employed several layers of obfuscation, encryption, reflection, and injection of non-functional code segments that made it…
Security Risks in Online Coding Platforms
Before cloud integrated development environments (IDEs) became an option, you, i.e., the developer, typically need to download and/or install everything you need onto your own workstations. However, as DevOps gained traction and cloud computing usage grew, you can now also…
LokiBot Impersonates Popular Game Launcher and Drops Compiled C# Code File
Recently, we discovered LokiBot (detected by Trend Micro as Trojan.Win32.LOKI) impersonating a popular game launcher to trick users into executing it on their machines. Further analysis revealed that a sample of this variant employs a quirky, installation routine that involves…
An In-Depth Technical Analysis of CurveBall (CVE-2020-0601)
A code-level root cause analysis of CVE-2020-0601 in the context of how applications are likely to use CryptoAPI to handle certificates — more specifically in the context of applications communicating via Transport Layer Security (TLS). The post An In-Depth Technical…
February Patch Tuesday: Fixes for Critical LNK, RDP, Trident Vulnerabilities
The first Patch Tuesday of 2020 in January brought an unusually long list of patches, but February brings an even wider range of fixes that address a total of 99 vulnerabilities — including 12 classified as Critical, with the remaining…
Outlaw Updates Kit to Kill Older Miner Versions, Targets More Systems
We observed an increase in hacking group Outlaw’s activities in December, with updates on the kits’ capabilities reminiscent of their previous attacks. The post Outlaw Updates Kit to Kill Older Miner Versions, Targets More Systems appeared first on . …
Malicious Optimizer and Utility Android Apps on Google Play Communicate with Trojans that Install Malware, Perform Mobile Ad Fraud
We recently discovered several malicious optimizer, booster, and utility apps (detected by Trend Micro as AndroidOS_BadBooster.HRX) on Google Play that are capable of accessing remote ad configuration servers that can be used for malicious purposes, perform mobile ad fraud, and…
Security Analysis of Devices That Support SCPI and VISA Protocols
Standard Commands for Programmable Instruments (SCPI) is a legacy protocol that most advanced measurement instruments support. However, it is important to note that authentication is not innate in this protocol. The post Security Analysis of Devices That Support SCPI and…
Security Analysis of Devices That Support SCPI and VISA Protocols
Standard Commands for Programmable Instruments (SCPI) is a legacy protocol that most advanced measurement instruments support. However, it is important to note that authentication is not innate in this protocol. The post Security Analysis of Devices That Support SCPI and…
January Patch Tuesday: Update List Includes Fixes for Internet Explorer, Remote Desktop, Cryptographic Bugs
2020 starts off with a relatively heavy list of patches for Microsoft users. January is typically a light month for fixes, but Microsoft released patches for 49 vulnerabilities (eight of which are Critical and all the remaining classified as Important)…
January Patch Tuesday: Update List Includes Fixes for Internet Explorer, Remote Desktop, Cryptographic Bugs
2020 starts off with a relatively heavy list of patches for Microsoft users. January is typically a light month for fixes, but Microsoft released patches for 49 vulnerabilities (eight of which are Critical and all the remaining classified as Important)…
First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT Group
We found three malicious apps in the Google Play store that work together to compromise a victim’s device and collect user information. One of these apps, called Camero, exploits CVE-2019-2215, a vulnerability that exists in Binder (the main Inter-Process Communication…
First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT Group
We found three malicious apps in the Google Play store that work together to compromise a victim’s device and collect user information. One of these apps, called Camero, exploits CVE-2019-2215, a vulnerability that exists in Binder (the main Inter-Process Communication…