Malware

Threat spotlight: CrySIS, aka Dharma ransomware, causing a crisis for businesses - CrySIS, aka Dharma, is a ransomware family making waves over the last two months, often being used in targeted attacks through RDP access. What other tricks are up its sleeve?

Malware | Threat analysis

Threat spotlight: CrySIS, aka Dharma ransomware, causing a crisis for businesses

May 15, 2019 - CrySIS, aka Dharma, is a ransomware family making waves over the last two months, often being used in targeted attacks through RDP access. What other tricks are up its sleeve?

Read more
“Funky malware format” found in Ocean Lotus sample - Recently, one of our researchers presented at the SAS conference on

Malware | Threat analysis

“Funky malware format” found in Ocean Lotus sample

April 19, 2019 - Recently, one of our researchers presented at the SAS conference on "Funky malware formats"—atypical executable formats used by malware that are only loaded by proprietary loaders. In this post, we analyze one of those formats in a sample called Ocean Lotus from the APT 32 threat group in Vietnam.

Read more
Spotlight on Troldesh ransomware, aka ‘Shade’ - Troldesh is ransomware that relies heavily on user interaction. Nevertheless, a recent spike in detections shows it's been successful against businesses in the first few months of 2019.

Malware | Threat analysis

Spotlight on Troldesh ransomware, aka ‘Shade’

March 6, 2019 - Troldesh is ransomware that relies heavily on user interaction. Nevertheless, a recent spike in detections shows it's been successful against businesses in the first few months of 2019.

Read more
Analyzing a new stealer written in Golang - We captured a new information-stealing malware written in Golang (Go). Read up on our analysis of its functionality, as well as the tools researchers can use to unpack malware written in this relatively new programming language.

Malware | Threat analysis

Analyzing a new stealer written in Golang

January 30, 2019 - We captured a new information-stealing malware written in Golang (Go). Read up on our analysis of its functionality, as well as the tools researchers can use to unpack malware written in this relatively new programming language.

Read more
What’s new in TrickBot? Deobfuscating elements - TrickBot has been present in the threat landscape from quite a while. We wrote about its first version in October 2016. October 2018 marks end of the second year since TrickBot’s appearance. Possibly the authors decided to celebrate the anniversary by a makeover of some significant elements of the core. This post is an analysis of the updated obfuscation used by TrickBot’s main module.

Malware | Threat analysis

What’s new in TrickBot? Deobfuscating elements

November 12, 2018 - TrickBot has been present in the threat landscape from quite a while. We wrote about its first version in October 2016. October 2018 marks end of the second year since TrickBot’s appearance. Possibly the authors decided to celebrate the anniversary by a makeover of some significant elements of the core. This post is an analysis of the updated obfuscation used by TrickBot’s main module.

Read more
Fileless malware: part deux - In part two of this series on fileless malware, our malware analyst walks readers through two demonstrations of fileless malware attacks and shows the problems with detecting them using static signatures.

Malware | Threat analysis

Fileless malware: part deux

October 5, 2018 - In part two of this series on fileless malware, our malware analyst walks readers through two demonstrations of fileless malware attacks and shows the problems with detecting them using static signatures.

Read more
Reversing malware in a custom format: Hidden Bee elements - When we recently analyzed payloads related to Hidden Bee (dropped by the Underminer EK), we noticed something unusual. After reversing the malware, we discovered that its authors actually created their own executable format. Follow our step-by-step analysis for a closer look.

Malware | Threat analysis

Reversing malware in a custom format: Hidden Bee elements

August 30, 2018 - When we recently analyzed payloads related to Hidden Bee (dropped by the Underminer EK), we noticed something unusual. After reversing the malware, we discovered that its authors actually created their own executable format. Follow our step-by-step analysis for a closer look.

Read more
Fileless malware: getting the lowdown on this insidious threat - In this series of articles, we provide an in-depth discussion of fileless malware and their related attacks. In part one, we cover a brief overview of the problems with and general features of fileless malware, laying the groundwork for technical analysis of various samples employing fileless and semi-fileless methods.

Malware | Threat analysis

Fileless malware: getting the lowdown on this insidious threat

August 29, 2018 - In this series of articles, we provide an in-depth discussion of fileless malware and their related attacks. In part one, we cover a brief overview of the problems with and general features of fileless malware, laying the groundwork for technical analysis of various samples employing fileless and semi-fileless methods.

Read more
Process Doppelgänging meets Process Hollowing in Osiris dropper - Process doppleganging, a rare technique of impersonating a process, was discovered last year, but hasn't been seen much in the wild since. It was an interesting surprise, then, to discover its use mixed in with Process Hollowing, yet another technique, in a dropper for the Osiris banking Trojan.

Malware | Threat analysis

Process Doppelgänging meets Process Hollowing in Osiris dropper

August 13, 2018 - Process doppleganging, a rare technique of impersonating a process, was discovered last year, but hasn't been seen much in the wild since. It was an interesting surprise, then, to discover its use mixed in with Process Hollowing, yet another technique, in a dropper for the Osiris banking Trojan.

Read more

Select your language