Internet threat news

Google Removes Creepware Apps from Play Store

Recently several publications began reporting on Google’s successful removal of 813 creepware apps from its app store. Creepware is often seen as a stalker-like application generally seen installed on smartphones and other mobile devices, a better definition will be presented below. Creepware in the past has been marketed as an anti-theft application to track stolen phones but in reality, the application can be used to track and trace victims, fundamentally allowing someone to stalk someone else. When compared to spyware, they are not as fully featured as their cousins such as LightSpy. Well, not as fully featured they still allow damage and trauma to be carried out by perpetrators.

Google was able to remove that many apps based on an algorithm developed by a group of academics which was later published in a research paper. The paper titled “The Many Kinds of Creepware Used for Interpersonal Attacks” was published in 2019 with Google managing to implement their algorithm last year as well to clamp done on the nefarious activity. Those behind the paper, academics from New York University, Cornell Tech, and NortonLifeLock, developed the algorithm with the specific purpose of detecting creep-like behaviors within apps and then ranking them.

Astaroth hides C&C details in YouTube Descriptions

In the two years since its discovery Astaroth, been seen in the wild for the first time in September 2018, has continued to evolve and add features, showing the prowess of its developers. The info-stealing trojan has now been seen to have received a significant update, boasting, even more, features designed to help it evade detection and analysis. The latest campaign seen distributing the malware is confined to Brazil only, for the time being, but previous campaigns had targeted users in Europe. However, the majority of activity in the past has been confined to the South American nation.

Discovered by IBM’s X-Force the malware was described as,

“This Trojan has been around since 2017 and uses fake invoice emails that seem to be coming from a legitimate vendor using the domains. PDC estimated that approximately 8,000 of their customers' machines saw attacks of this nature in just one week. Using CloudFlare based URLs, the campaign appears to be targeting potential customers in South America. If a potential victim does not have a South American based IP address, the malware does not attempt to infect the system. The initial payload is a malicious .LNK file that points to the next stage of infection. The infection process uses the Windows Management Instrumentation Console (WMIC) and its command line interface to download and install the malicious payload in a non-interactive mode so that the user is not aware of what is happening. To "hide in plain sight", the malware uses a domain selected from a list of 154 domains within its code and the rest of the URL that points to the payload is added. All of the domains in the list were hosted on CloudFlare. Using a legitimate vendor like this, it is harder for companies to blacklist malicious communication.”

For the most part, the malware has continued on the same path, focused namely on stealing information, since its discovery subsequent feature additions have been focussed on making the malware harder to detect and analyze. The latest campaign analyzed by Cisco Talos continues this development path in a few novel, but not necessarily new, ways. In summary, the latest campaign has included COVID-19 lures to further aid in the distribution of the malware, a tactic adopted by numerous other malware developers to take advantage of the current crisis. Of particular interest to security, researchers were the new anti-analysis and anti-sandboxing features hidden within a maze of obfuscated code as well as innovative use of YouTube channel descriptions for encoded and encrypted command and control communications implemented by the malware.

A MageCart Attack Ramps up Innovation Levels

Towards the start of the fourth quarter of 2019, a steady rise in MageCart attacks was detected by several security firms. These attacks, which rely on the attacker injecting malicious code into the scripts of shopping cart applications in order to skim the card details entered by customers. The stolen card details are then used for fraudulent transactions, or the smarter approach is to sell the details on the Dark Web. The latest shopping cart offering that was targeted was WooCommerce, with details of the attack emerging less than a month ago. Now a new MageCart attack campaign has illustrated a novel and innovative approach in order to infect victims and steal customer card details.

In summary, the attack involved the hacker creating a fake website that supposedly offered thousands of icons that could be used by website owners. Covertly, the icons hid the card skimming script and made use of a server-side trick to make sure the code was injected in shopping cart applications. The attack was discovered and analyzed by Malwarebytes, who subsequently found that the attack was a carefully crafted ruse to further the aims of a credit card skimming operation.

Kaiji Malware Brute Forces its Way In

Distributed Denial of Service (DDoS) attacks make news headlines for a number of reasons, mostly due to how they show the might of hackers in denying users a service at a whim. Whether it is government infrastructure or gamers who need to get in there hours, hackers conducting DDoS attacks can ruin anybody’s plans. While the results of these attacks are headline-generating by themselves the malware and its creation that facilitate the attack don’t get the same amount of attention. Hence why on May 3, 2020, an announcement on Twitter announcing the discovery of a new piece of malware might have gone unnoticed by the majority of Twitter’s population.

Shade Ransomware Gang ceases Operations

Recently the Shade gang announced that it would be ending all operations. This draws to a close one of the longest-running ransomware strains activity. Since 2014 the gang has been active with campaigns being conducted at a fairly constant rate since security researchers detected the variant encrypting victim’s data. Shade activity essentially fell off a cliff in late 2019 but recent announcements made by the gang can be seen as the final nail in the variants coffin.

The gang took to GitHub to make the announcement which read as follows,

“We are the team which created a trojan-encryptor mostly known as Shade, Troldesh, or Encoder.858. In fact, we stopped its distribution at the end of 2019. Now we made a decision to put the last point in this story and to publish all the decryption keys we have (over 750 thousands at all). We are also publishing our decryption soft; we also hope that, having the keys, antivirus companies will issue their own more user-friendly decryption tools. All other data related to our activity (including the source codes of the trojan) was irrevocably destroyed. We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data.”

Apple Refutes Claims of Multiple iOS Zero-days

While Apple was gearing up to the much-anticipated launch of its affordable smartphone, the iPhone SE, it was facing a far more different public relations battle. While the SE was receiving praise across the board a security firm published a report detailing two separate zero-day vulnerabilities recently discovered. Broadly speaking, zero-day vulnerabilities are discovered flaws in software or harder that have not been patched by the manufacturer. As they are not patched they pose a unique and heightened threat level to users. Flaws discovered could allow for remote code execution, allowing hackers to install malware from a remote location without it been detected by security software.

The report published by ZecOps detailed the flaws according to the firm. The flaws if exploited correctly allowed for remote code execution with malware being capable of being sent via email that would be able to consume significant amounts of the device’s memory. The vulnerability, in turn, allowed for the exhaustion of device resources which in turn could be done remotely. Vulnerabilities found affecting both iOS 12 and iOS 13, with the latter flaws being able to execute on a no-click scenario which opened the mail server client in the background.

How the Dirty Coins from Sextortion Campaigns are laundered

Sextortion scams along with ransomware attacks have been popular ways cybercriminals attempt to flip a quick a profit. Profit is made in both scenarios the cybercriminal will request payment to decrypt files, or in the case of a sextortion scam extort the victim by threatening to release embarrassing content via social media related to the victim’s sexual preferences they may or may not have. In both cases, the preferred method of payment is in one cryptocurrency coin or the other. For the hacker and the scammer, the next phase of their plan would be to turn the cryptocurrency into fiat currency that can be used on a more day to day basis.

In 2017 security researchers set out to follow the money trail to find exactly how hackers, in particular those behind ransomware attack, managed to cash out. Now security researchers have once again set a task to shine a light on how those behind sextortion campaigns carry out the task we often forget about. For the most part, the effort is placed on the analysis of how the scam is spread and conducted with little emphasis placed on how the cybercriminal actually profits.

APT Group Winnti Has Games Developers in its Crosshairs

According to security firm QuoIntelligence, popular South Korean games developer Gravity was the very likely target of APT41 campaign, the group is also known as Winnti, Barium, and BlackFly. The South Korean game's developer is best known for releasing the popular mass multiplayer game Ragnarok Online. At a time when the world is struggling to cope with the COVID-19 pandemic, there appears to be a trend of advanced persistent threat (APT) groups ramping up activity and campaigns seemingly to take advantage of people’s attention being elsewhere.

Details of the attack were recently published in a report by QuoIntelligence. The report goes into great detail about the malware strains used in the attack which seem to be highly developed strains developed in 2015 by the APT group. The group itself began active campaigns in 2012 and targets a variety of industries, often the targets are related closely to industries determined by the Chinese government to be central to the nation’s economic development plans.

Cyberattack on US Airport linked to Russian APT Group

In March 2020, two websites linked with the San Francisco International Airport (SFO) had been compromised and malicious code injected into them designed to steal Windows login credentials. The two websites that were compromised were and, which contain information about various topics associated with the airport but have low traffic generation. According to a new analysis, there appears to be a strong link between a known Russian advanced persistent threat (APT) group and the incident.

Details of the attack were made public by airport authorities via a memorandum published on April 7, 2020. Details are sparse about the attack itself. The airport authority did specify that the affected websites were taken offline and passwords reset on March 23. In a series of interviews conducted with Security Week a couple of security experts shared their views on the topic. Ameet Naik of PerimeterX said,

New Magecart Attack Targets WooCommerce Sites

Since October 2019, this publication has tracked the steady rise in Magecart attacks. These attacks often involve the hackers targeting eCommerce platforms used by sites to process payments. The hacker is able to steal credit card data via injecting a malicious JavaScript code into the cart facilities offered by the platform. The code, which can be as little as 22 lines of code, is capable of skimming credit card details entered by a user and send the details to a command and control server maintained by the hacker. These details can then be sold on the Dark Web or used to purchase goods fraudulently.

In a recent article published by security firm Sucuri the analysis of a new attack campaign targeting the popular WooCommerce WordPress plugin. The plugin is a free and open-source WordPress plugin with more than 5 million active installs that make it easy to run e-commerce sites, it is seen as a particularly handy tool for brick and mortar shops to generate online sales and an online presence. In the article, it was noted that WordPress plugins have been the target of similar styled attacks in the past, with Magento and Prestashop been targeted extensively in the past. The security firm refers to these attacks as card swipers that traditionally involve malicious code making modifications to payment details within the plugin settings. Typically these modifications may involve forwarding payments to the attacker’s PayPal email instead of the legitimate website owner. However, the campaign targeting WooCommerce involves injecting dedicated card swiping malware into WordPress is relatively new.

Hackers are Scanning for Vulnerable VPNs warns Government Agencies

The continued abuse of the COVID-19 pandemic has forced the hand of law enforcement and government agencies to dedicate time and resources to combatting cybercrime incidents rather than focussing on assisting efforts to combat the actual pandemic. In a joint statement made by both the UK’s National Cyber Security Centre (NCSC) and US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Agency (CISA) the public has been warned of hackers scanning for vulnerable VPNs to target certain employees who are now forced to work remotely.

The InfoSec community has already seen several campaigns looking to take advantage of others during the pandemic. Most have been in the form of spam emails spoofed to look like they are from the World Health Organisation (WHO) or other similar healthcare agencies. These are often used as lures to harvest credentials or to spread malware variants. Researchers have also detected activity relating to state-sponsored groups looking to take advantage of the situation.

Researchers Discover Massive DarkHotel Operation

The state-sponsored group DarkHotel has been an active thorn in the side of security firms since 2007, not to mention the victims of the group. The group has gone by many names, however, it has been much of the work done by Kaspersky Labs in analyzing the group’s activity that has led to DarkHotel sticking. Now, it would appear that the group has been conducting a massive hacking operation targeting Chinese government agencies across the globe. It is believed attacks began in March, looking to leverage the COVID-19 pandemic as a means to lure victims. Since the pandemic became a global emergency, hackers of all kinds, whether script-kiddies to advanced persistent threat (APT) groups have looked to take advantage of people’s fears regarding the disease. This trend is likely to continue as long as the pandemic rages across borders.

The latest campaign was discovered by Chinese security firm Qihoo 360, who subsequently published their findings in a blog post on April 6. Researchers discovered that the hackers used a zero-day vulnerability in Sangfor SSL VPN servers which is used to provide remote access to enterprise and government networks. Given that approximately 4 billion people are currently living under lockdown conditions due to the pandemic, the use of VPNs has increased as many still look to work remotely. This spike has led many hackers to look for flaws in VPN servers or incorrectly configured VPNs to exploit this spike in use. In practice, a VPN can be seen as a secure communication tunnel that extends a private network across public networks. This connection allows for devices separated by long distances to connect to servers on a company’s private network for example.

LightSpy Targeting iOS Devices

Since January 2020, various security firms have been tracking an active campaign spreading spyware. One of the reasons the campaign is noteworthy is that it is actively targeting iOS devices. The spyware, called LightSpy is distributed via watering hole attacks. These attacks involve the attacker looking to target specific groups of potential victims by infecting websites that members of the group are known to visit. The goal is to infect a targeted user's computer and gain access to a broader network. Some instances of these attacks the attacker looks to target popular websites. Once a website is found the attacker will begin to look for vulnerabilities in the websites HTML and JavaScript code which can then be leveraged to distribute malware.

The campaign distributing LightSpy differs in several ways to the traditional watering hole attack. One of the key differences is that the attackers created a website to mimic a popular website. In this instance researchers discovered that a clone of the news website Daily Apple, a popular website hosted in Hong Kong, was created to distribute LightSpy. To get users to visit the cloned website various links were posted on several platforms redirecting users to the clone website. Once the visitor accesses the website controlled by the attacker the site loads exploits onto the visitor’s device which subsequently installs LightSpy. More on the malware to follow.

Zeus Sphinx Re-emerges on the Back of COVID-19

It is not by any means new to say that hackers are looking to exploit the COVID-19 pandemic, despite the misery and loss of human life the disease has already caused, for their own benefit. At the start of February, this publication reported on several malware campaigns exploiting the health pandemic. As the situation has become worse globally so too has the number of campaigns increased looking to exploit panic sentiments and get users to unwittingly download malware. The latest example of such a morally apathetic campaign was discovered by researchers for IBM’s X-Force and involves the re-emergence of the Zeus Sphinx banking trojan.

Banking trojans typically are a family of malware designed to steal banking credentials in order to hijack accounts or sell stolen credit card details and other credentials on underground forums. In recent years many variants have upgraded their code to also hunt for cryptocurrency wallet credentials as this too has become a profitable market to exploit. One of the most well-known of these trojans is Zeus which was first detected in 2007 with widespread campaign making headlines in 2009. Eventually, Zeus’ code was leaked which in turn led to a whole host of other malware strains being created. One of those was Zeus Sphinx, sometimes also called Terdot and ZLoader, with the first major campaigns been tracked by IBM in 2017. However, the malware appears to have first emerged in 2015 and was subsequently sold on underground forums for 500 USD at the time.


Page 2 of 34

<< Start < Prev 1 2 3 4 5 6 7 8 9 10 Next > End >>
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal