Yara signatures for “Careto” - The Masked APT
Author: Alberto Ortega

Last week, Kaspersky Lab released their research (Unveiling "Careto" - The Masked APT) on a fresh APT campaign, which is believed to have been running for several years. The campaign has different pieces of malware designed for Windows and OSX systems, and also clues of components for Android and iOS devices. The main targets of…


Ransomware now accepts bitcoin as a payment method
Looking at the evolution of ransomware, accepting bitcoin as a payment method is probably taking too long for the most common ransomware families. Not long ago, we saw a ransomware family that accepts MoneyPak, Ukash, cashU and Bitcoin as payment methods. Its name is CryptoLocker and it is detected by Microsoft as Crilock.A. Just one month after Microsoft released the…


Yara rules for leaked KINS toolkit
Just a few days ago, the source code of the famous KINS banking trojan was leaked. KINS is a professional-grade banking trojan, designed to infect as many computers as possible in order to steal credit cards, bank account credentials and related information from victims. Seen as a replacement for Citadel, it was identified in the wild not long ago. Now,…


How public tools are used by malware developers, the antivm tale
Malware authors are aware of new technologies and research produced by the security community. This is palpable when they implement new vulnerability exploitation in their tools or even reuse source code that belongs to public projects. We have discussed antivm and antisandbox analysis tricks seen in malware samples several times. Not long ago we came across a malware sample that…


Take care of your server, or it will be hacked and sold
Have you ever had a server open to the internet with the SSH service running? Then you know how common it is to receive break-in attempts against your servers, produced by automated bots that scan wide ranges of hosts trying weak user/password combinations to log into remote machines. But what happens next? What is the business behind these…


Urausy ransomware family, a quick internals overview
Ransomware is popular among bad actors. The Reveton malware family (based on Citadel) made a difference last year; now it is losing popularity in favor of Urausy, just another lock-screen ransomware. There are plenty of them living in the wild, but in this post we are going to focus on Urausy. These malware families are being spread by using exploit…


Set up your keylogger to report by email? Bad idea! (The case of Ardamax)
A couple of days ago, I was surfing our wild Internet when I came across a dirty piece of software dedicated to stealing accounts of a popular build-with-bricks videogame. The program offered a premium account for the videogame for free. The real fact is that it was a stealer, which installs a keylogger on your computer to record and…


Hardening Cuckoo Sandbox against VM aware malware
Some time ago, we wrote a post about how a lot of malware samples check the execution environment and, if it is unwanted (VM, debugger, sandbox, ...), the execution unexpectedly finishes. We use Cuckoo Sandbox in the lab for our analysis tasks, and we really love how customizable it is. Sometimes we have to deal with malware that is aware of the execution environment,…


Your malware shall not fool us with those anti analysis tricks
It is well known that a large number of malware samples are aware of the execution environment. This means that a malware sample can change its behavior if it detects that the running environment is unwanted. There are resources, public source code, and even programs that detail how to bypass automatic malware analysis systems and make things awkward for malware…


Capfire4 malware, RAT software and C&C service together
A large share of the malware out there consists of RAT (Remote Administration Tool) samples. This is software created by people specialized in it, people who develop, improve and sell their tools. It has capabilities that let the attacker spy on the victims with actions like screen capturing, keylogging, password stealing, command execution and remote access and control. Their clients…


Detecting malware domains by syntax heuristics
An important challenge we face when feeding our Open Source IP Reputation System is differentiating between real threats and false positives. However, nothing in the universe is black or white. Each IP in the database has a reliability value from 1 to 10. That's because in some special scenarios, an IP can be good and bad at the same…