Patch Tuesday: Fixes for LNK, SMB, and SharePoint Bugs

This month’s Patch Tuesday had the highest number of entries so far in 2020 — a whopping 129, a continuation of the trend seen from the previous months. The update includes fixes for LNK, SMB, SharePoint, and Win32k vulnerabilities. While the update contained a significant number of patches, only 11 were rated Critical. One of … [Read more…]

New Tekya Ad Fraud Found on Google Play

By Ford Qin (Mobile Threats Analyst) In late March, researchers from CheckPoint found the Tekya malware family, which was being used to carry out ad fraud, on Google Play. These apps have since been removed from the store, but we recently found a variant of this family that had made its way onto Google Play … [Read more…]

Barcode Reader Apps on Google Play Found Using New Ad Fraud Technique

By Jessie Huang (Mobile Threats Analyst) We recently saw two barcode reader apps in Google Play, together downloaded more than a million times, that started showing unusual behavior (Trend Micro detects these as AndroidOS_HiddenAd.HRXJA). This includes behavior that can be seen even when the user is not actively using the phones; the video below shows … [Read more…]

Backdoor, Devil Shadow Botnet Hidden in Fake Zoom Installers

By Raphael Centeno and Llallum Victoria With additional insights from Bren Matthew Ebriega Cybercriminals are taking advantage of “the new normal” — involving employees’ remote working conditions and the popularity of user-friendly online tools — by abusing and spoofing popular legitimate applications to infect systems with malicious routines. We found two malware files that pose … [Read more…]

Netwalker Fileless Ransomware Injected via Reflective Loading

By Karen Victor Threat actors are continuously creating more sophisticated ways for malware to evade defenses. We have observed Netwalker ransomware attacks that involve malware that is not compiled, but written in PowerShell and executed directly in memory and without storing the actual ransomware binary into the disk. This makes this ransomware variant a fileless … [Read more…]

QNodeService: Node.js Trojan Spread via Covid-19 Lure

Insights and Analysis by Matthew Stewart We recently noticed a Twitter post by MalwareHunterTeam that showed a Java downloader with a low detection rate. Its name, “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar”, suggests it may have been used in a Covid-19-themed phishing campaign. Running this file led to the download of a new, … [Read more…]

Targeted Ransomware Attack Hits Taiwanese Organizations

A new targeted attack has infected several organizations in Taiwan with a new ransomware family, which we have dubbed ColdLock. This attack is potentially destructive as the ransomware appears to target databases and email servers for encryption. The information we gathered indicates that this attack started hitting organizations in early May. Analysis of the malware … [Read more…]

WebMonitor RAT Bundled with Zoom Installer

By Raphael Centeno, Mc Justine De Guzman, and Augusto Remillano II The coronavirus pandemic has highlighted the usefulness of communication apps for work-from-home (WFH) setups. However, like they always do, cybercriminals are expected to exploit popular trends and user behavior. We have witnessed threats against several messaging apps including Zoom. In early April, we spotted … [Read more…]

Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining

By David Fiser and Jaromir Horejsi (Threat Researchers) Recently, we wrote an article about more than 8,000 unsecured Redis instances found in the cloud. In this article, we expound on how these instances can be abused to perform remote code execution (RCE), as demonstrated by malware samples captured in the wild. These malicious files have … [Read more…]

Gamaredon APT Group Use Covid-19 Lure in Campaigns

By Hiroyuki Kakara and Erina Maruyama Gamaredon is an advanced persistent threat (APT) group that has been active since 2013. Their campaigns are generally known for targeting Ukrainian government institutions. From late 2019 to February of this year, researchers published several reports on Gamaredon, tracking the group’s activities. In March, we came across an email … [Read more…]