tag = "Malware"

BazaLoader Leads Payloads as Families Fluctuate, Players Broaden

As ransomware continues to improve its tactics and break records, PhishLabs is monitoring payload families reported in user inboxes that are used to facilitate these attacks.

Qbot Leads Payload Volume in Q2

PhishLabs is monitoring payload families reported in user inboxes. In this piece, we break down the top malware targeting enterprises in Q2.

Alien Mobile Malware Evades Detection, Increases Targets

PhishLabs is monitoring the increasing number of mobile applications targeted by the relatively new Alien Mobile Banking Trojan.

ZLoader Dominates Email Payloads in Q1

Malicious payloads delivered via email phishing continue to drive access to sensitive infrastructures and result in data compromise for enterprises.

Emotet Dismantled, Trickbot, ZLoader, and BazarLoader Step In

While it remains to be seen whether or not Emotet's operations are permanently offline after its recent disruption, we are monitoring any increases in subsequent malware variants and corresponding ransomware attacks.

When Good Websites Turn Evil: How Cybercriminals Exploit File Upload Features to Host Phishing Sites

Compromised websites are an integral part of the cybercrime ecosystem. PhishLabs recommends these steps to help prevent this kind of exploit.

Olympic Vision Keylogger and BEC Scams

The ease of buying low-cost, pre-built tools broadens the range of potential targets in BEC attacks. This blog discusses one of these tools - Olympic Keylogger.

The unrelenting evolution of Vawtrak

In December 2014, Vawtrak version 0x38 was released including significant code and configuration changes that indicate momentum and an intense focus on development of the crimeware kit.

Cyberespionage Phishing Attack, Backoff Malware Spreads, Retail Breach and more | TWIC – October 24, 2014

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source). Think community financial institutions aren’t in the crosshairs for account takeover? Think again. (PhishLabs) There is clear evidence that account takeover (ATO) is a big problem and growing worse. The Federal Reserve Bank of Atlanta […]

Dyre Banking Trojan, Tyupkin ATM Malware, iWorm Botnet and More | TWIC – October 10, 2014

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).

Smash & Grab cybercrime attacks have been active since mid-June

Last week, researchers at Proofpoint reported an attack campaign, dubbed "Smash & Grab," targeting customers of JP Morgan Chase. Based on intelligence from the PhishLabs R.A.I.D. (Research, Analysis, and Intelligence Division), the "Smash & Grab" operations have been active since at least mid-June. The attacks use email messages to direct potential victims to a phishing page. Visitors to the phishing page are also exposed to an exploit kit that abuses software vulnerabilities to infect victims with malware.

Vulnerabilities found in Dendroid mobile Trojan

The full source code of the Dendroid Android RAT was leaked late last week. Analyzing the code has revealed multiple vulnerabilities due to a lack of user input validation, including XSS, SQLi, and PHP code execution.

New Man-in-the-Middle attacks leveraging rogue DNS

PhishLabs has observed new Man-in-the-Middle attacks using rogue DNS to take over accounts and evade fraud detection. Customers of 70+ financial institutions are being targeted.

Avalanche-Hosted Zeus Trojan Disrupted

While investigating an instance of the Zeus Trojan that was using the Avalanche bulletproof hosting botnet, PhishLabs discovered many of the domain names referenced in the Zeus configuration file had not yet been registered, including the following four: eitaepiephohthieleibesha.com, llakjshbeyrv3421jbs88xc.com, nmbnxcbjbh3hbhbdhjb3l4kjbn.com, and nzytgero34xbhsbc8484kk.com. PhishLabs registered the domains and then pointed them to a server under our […]

Rock Moves to Email Attachments

For over a year, the Rock Phish Gang was using the Avalanche botnet to host their various phishing scams and malware distribution sites. Fortunately, the botnet was shut down last week – for how long remains to be seen. Unfortunately, the Rock Phish Gang has not gone away. These criminals continue to distribute their Zeus Trojans and […]

Cleaning up from the Avalanche

The Avalanche botnet, also known as “MS-Redirect”, has been responsible for hosting phishing pages and malware distribution attacks on over 35 organizations, including the IRS, Facebook, MySpace, most recently NACHA, and many more. Unfortunately, there’s a great deal of confusion over how this botnet works and how it’s related to other malware. Let’s clear it […]