Yara signatures for “Careto” - The Masked APT

February 19, 2014 | Alberto Ortega

Author: Alberto Ortega

Last week, Kaspersky Lab released their research (Unveiling "Careto" - The Masked APT) on a fresh APT campaign, which is believed to have been running for several years. The campaign has different pieces of malware designed for Windows and OS X systems, and there are also signs of components for Android and iOS devices. The main targets of…

October 17, 2013 | Alberto Ortega

Ransomware now accepts bitcoin as a payment method

Looking at the evolution of ransomware, accepting bitcoin as a payment method has probably taken longer than expected for the most common ransomware families. Not long ago we saw a ransomware family that accepts MoneyPak, Ukash, cashU and Bitcoin as payment methods. Its name is CryptoLocker and it is detected by Microsoft as Crilock.A. Just one month after Microsoft released the…


October 10, 2013 | Alberto Ortega

Yara rules for leaked KINS toolkit

Just a few days ago, the source code of the well-known KINS banking trojan was leaked. KINS is a professional-grade banking trojan, designed to infect as many computers as possible in order to steal credit cards, bank account credentials and related information from victims. Seen as a replacement for Citadel, it was identified in the wild not long ago. Now,…

October 4, 2013 | Alberto Ortega

How public tools are used by malware developers, the antivm tale

Malware authors are aware of new technologies and of research published by the security community. This is evident when they add exploits for new vulnerabilities to their tools, or even reuse source code that belongs to public projects. We have discussed anti-VM and anti-sandbox analysis tricks seen in malware samples several times. Not long ago we came across a malware sample that…

June 26, 2013 | Alberto Ortega

Take care of your server, or it will be hacked and sold

Have you ever had a server open to the internet with the SSH service running? Then you know how common it is to receive break-in attempts against your servers from automated bots that scan wide ranges of hosts trying weak user/password combinations to log into remote machines. But what happens next? What is the business behind these…
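The break-in attempts described above leave a very recognisable trail in sshd's auth log: a burst of "Failed password" lines from one source address, cycling through guessed usernames, occasionally followed by an "Accepted password" line when a weak credential hits. The following is an added example (not code from the original post) that parses constructed auth.log lines in standard OpenSSH format, flags source addresses exceeding a failure threshold, and reports any password login that succeeded from one of those addresses. The sample lines, the threshold value and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH auth.log format (not taken from the post).
# 203.0.113.7 cycles through common usernames and finally gets in as root;
# 198.51.100.9 is a legitimate user who mistyped a password once.
SAMPLE_LOG = """\
Jun 26 03:14:01 host sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun 26 03:14:03 host sshd[2013]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jun 26 03:14:05 host sshd[2015]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Jun 26 03:14:07 host sshd[2017]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Jun 26 03:14:09 host sshd[2019]: Failed password for root from 203.0.113.7 port 51252 ssh2
Jun 26 03:14:11 host sshd[2021]: Accepted password for root from 203.0.113.7 port 51260 ssh2
Jun 26 03:20:44 host sshd[2100]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Jun 26 03:20:50 host sshd[2102]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

# "invalid user" appears when the account does not exist on the host at all.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)"
)


def analyze(log_text, threshold=5):
    """Return (brute_forcers, compromised).

    brute_forcers: set of source IPs with at least `threshold` failed password
                   attempts (threshold is an assumed value for this example).
    compromised:   list of (ip, user) pairs where one of those IPs later got an
                   accepted *password* login, i.e. a guess succeeded.
    """
    failures = defaultdict(list)   # ip -> usernames tried
    accepted = defaultdict(list)   # ip -> (user, auth method) pairs
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]].append(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m["ip"]].append((m["user"], m["method"]))

    brute_forcers = {ip for ip, users in failures.items() if len(users) >= threshold}
    compromised = [
        (ip, user)
        for ip in sorted(brute_forcers)
        for user, method in accepted.get(ip, [])
        if method == "password"
    ]
    return brute_forcers, compromised


if __name__ == "__main__":
    attackers, hits = analyze(SAMPLE_LOG)
    for ip in sorted(attackers):
        print(f"brute-force source: {ip}")
    for ip, user in hits:
        print(f"successful password login after brute force: {user} from {ip}")
```

A publickey login from a flagged address is deliberately not reported as a compromise: the attacker would need the private key, not a guessed password, so such a hit usually means the address is shared (NAT, VPN egress) rather than that the guessing worked.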

June 17, 2013 | Alberto Ortega

Urausy ransomware family, a quick internals overview

Ransomware is popular among bad actors. The Reveton malware family (based on Citadel) made a difference last year; now it is losing popularity in favor of Urausy, just another lock-screen ransomware. There are plenty of them living in the wild, but in this post we are going to focus on Urausy. These malware families are being spread by using exploit…

February 11, 2013 | Alberto Ortega

Set up your keylogger to report by email? Bad idea! (The case of Ardamax)

A couple of days ago, I was surfing our wild Internet when I came across a dirty piece of software dedicated to stealing accounts of a popular build-with-bricks videogame. The program offered a premium account for the videogame for free. In reality it was a stealer, which installs a keylogger on your computer to record and…

December 19, 2012 | Alberto Ortega

Hardening Cuckoo Sandbox against VM aware malware

Some time ago, we wrote a post about how a lot of malware samples check the execution environment and, if it is unwanted (VM, debugger, sandbox, ...), terminate unexpectedly. We use Cuckoo Sandbox in the lab for our analysis tasks, and we really love how customizable it is. Sometimes we have to deal with malware that is aware of the execution environment,…

November 5, 2012 | Alberto Ortega

Your malware shall not fool us with those anti analysis tricks

It is well known that a large number of malware samples are aware of the execution environment. This means that a malware sample can change its behavior if it detects that the running environment is unwanted. There are resources, public source code, and even programs that detail how to bypass automatic malware analysis systems and make things awkward for malware…

June 21, 2012 | Alberto Ortega

Capfire4 malware, RAT software and C&C service together

A large share of the malware out there consists of RAT (Remote Administration Tool) samples. This is software created by people specialized in it, people who develop, improve and sell their tools. It has capabilities that let the attacker spy on victims through actions like screen capturing, keylogging, password stealing, command execution, and remote access and control. Their clients…

February 1, 2012 | Alberto Ortega

Detecting malware domains by syntax heuristics

An important challenge we face when feeding our Open Source IP Reputation System is to differentiate between real threats and false positives. However, nothing in the universe is black or white. Each IP in the database has a reliability value from 1 to 10. That is because in some special scenarios, an IP can be good and bad at the same…
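The post's title names the technique (syntax heuristics over the domain name itself), and the excerpt explains why a graded score rather than a yes/no verdict is wanted. The following is an added example, not code from the original post or from the reputation system it describes, showing how purely lexical features of a domain can be turned into a 1..10 suspicion score in the same spirit. The chosen features (label length, character entropy, digit ratio, longest consonant run), the thresholds, and the sample domains are assumptions for illustration; they are the kind of cheap checks that catch algorithmically generated names, and the score is meant as one input to a reputation value, not a verdict on its own.

```python
import math
import re
from collections import Counter

CONSONANT_RUN_RE = re.compile(r"[bcdfghjklmnpqrstvwxz]+")


def shannon_entropy(s):
    """Bits of entropy per character of the string (0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s):
    """Length of the longest run of consonants; pronounceable names stay short."""
    return max((len(r) for r in CONSONANT_RUN_RE.findall(s)), default=0)


def registrable_label(domain):
    # Assumption for the example: the second-level label carries the signal and
    # the TLD is ignored. Real systems consult the public suffix list instead.
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def score_domain(domain):
    """Return an integer suspicion score from 1 (looks benign) to 10.

    Thresholds are assumed values for this example; each feature adds a fixed
    weight so the contribution of every rule is visible when tuning.
    """
    label = registrable_label(domain)
    score = 1
    if len(label) >= 12:                       # unusually long label
        score += 2
    if shannon_entropy(label) >= 3.5:          # near-uniform character spread
        score += 3
    digits = sum(ch.isdigit() for ch in label)
    if digits / len(label) >= 0.3:             # digit-heavy label
        score += 2
    if longest_consonant_run(label) >= 5:      # unpronounceable
        score += 2
    return min(score, 10)


def rank_domains(domains):
    """Sort domains by descending score so analysts see the worst first."""
    return sorted(((score_domain(d), d) for d in domains), reverse=True)


if __name__ == "__main__":
    # Constructed sample domains: one ordinary name, one digit-heavy DGA-style
    # name, one letter-only DGA-style name.
    for score, domain in rank_domains(
        ["google.com", "x7q9k2p4m8n3.com", "kjsdhfgqwertzx.net"]
    ):
        print(f"{score:2d}  {domain}")
```

Scores like these should feed a reliability value rather than block traffic directly: long, entropy-rich labels also occur in legitimate CDN and cloud hostnames, which is exactly the "good and bad at the same time" situation the excerpt describes.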