One of the goals of malware authors is to keep their creations undetected by antivirus software. One possible solution is a crypter. A crypter encrypts a program so that it looks like meaningless data, and wraps the encrypted program in an envelope, also called a stub. This stub looks like...
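To make the crypter idea concrete, here is an added illustration (not code from the Avast post or from any real crypter). It encrypts a constructed stand-in "program" with a keystream, checks that a byte pattern an AV signature might look for disappears from the ciphertext, and measures Shannon entropy before and after, since a near-8-bits-per-byte blob is exactly what makes a crypted payload look like meaningless data. The payload, the signature string and the key are all constructed for the demo; SHAKE256 from the standard library stands in for whatever cipher a real crypter uses.

```python
import hashlib
import math

# Constructed stand-in for a "program": ASCII bytes with a recognisable
# marker string that an AV signature might key on. Not a real executable.
PLAINTEXT_PAYLOAD = (
    b"MZ"
    + b"This program cannot be run in DOS mode.\r\n" * 12
    + b"evil_payload_marker_v1\x00"
    + b"\x90" * 8
    + b"C:\\temp\\dropper.exe\x00"
)
SIGNATURE = b"evil_payload_marker_v1"  # hypothetical AV pattern (constructed)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0..8). Packed or encrypted data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def keystream(key: bytes, length: int) -> bytes:
    """Keystream from SHAKE256 (stdlib XOF); stands in for the crypter's cipher."""
    return hashlib.shake_256(key).digest(length)


def crypt(data: bytes, key: bytes) -> bytes:
    """XOR with the keystream; the same call both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_crypted_blob(payload: bytes, key: bytes) -> bytes:
    """What the stub carries on disk: only the ciphertext. The key lives in the stub."""
    return crypt(payload, key)


def stub_recover(blob: bytes, key: bytes) -> bytes:
    """What the stub does at run time: decrypt into memory before handing off."""
    return crypt(blob, key)


def signature_hits(data: bytes, signature: bytes) -> bool:
    """Naive static scan: does the pattern appear verbatim in the bytes?"""
    return signature in data


if __name__ == "__main__":
    key = b"constructed-demo-key"
    blob = build_crypted_blob(PLAINTEXT_PAYLOAD, key)
    print(f"plaintext entropy:  {shannon_entropy(PLAINTEXT_PAYLOAD):.2f} bits/byte")
    print(f"ciphertext entropy: {shannon_entropy(blob):.2f} bits/byte")
    print("signature in plaintext:", signature_hits(PLAINTEXT_PAYLOAD, SIGNATURE))
    print("signature in blob:     ", signature_hits(blob, SIGNATURE))
    print("stub recovers payload: ", stub_recover(blob, key) == PLAINTEXT_PAYLOAD)
```

The defensive takeaway is the flip side of the same measurement: because the stub must ship with its key and decrypt the payload before running it, the high-entropy blob, the decryption loop in the stub, and the decrypted image in memory are what scanners and memory-based detection key on, not the original signature.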
MassLogger is an information stealer, first sold on hacking forums around April 2020. The malware author claims it to be the "most powerful logger and recovery tool"; a lifetime license costs $99 USD worth of Bitcoin. MassLogger is highly configurable and gives its...
This blog post brings more technical details on CacheFlow: a threat that we first reported about in December 2020. We described a huge campaign composed of dozens of malicious Chrome and Edge browser extensions with more than three million installations in total.
This summer, Avast discovered a new APT campaign targeting government agencies and a National Data Center of Mongolia. Based on our research, we assess with moderate confidence that the Chinese-speaking APT group LuckyMouse is behind the attack. The APT group planted...
After peeling away MehCrypter's layers in the first part of our blog series, we felt there was no other choice than to dive even deeper into the Meh password stealer payload and all of its functionality.
We discovered that the Download Studio torrent client and three adblockers surreptitiously deployed the FakeMBAM backdoor through automatic updates. We reverse engineered this backdoor and describe its inner workings in this blog post.
For some time now, we've been monitoring a new strain of malicious programs that we refer to as "Meh". It all started when we came across large numbers of files with randomly generated strings at their beginning, followed by a compiled AutoIt script... and what a ride it has been since.
Last fall, APT malware intrusions targeting high-profile companies in Central Asia caught our attention. A few months later, we began working together with fellow malware analysts from ESET to analyze samples used by the group to spy on a telecommunications company, a gas company, and a...
CoViper is a new wiper malware family taking advantage of the COVID-19 crisis. The wiper breaks an infected computer's boot process by rewriting the Master Boot Record (MBR) on the computer's disk.
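An MBR overwrite is easy to confirm from a disk image once you know the sector layout: 446 bytes of bootstrap code, a 64-byte partition table at offset 0x1BE, and the 0x55AA boot signature in the last two bytes. The following added example (not code from the Avast post, and not modelled on CoViper's actual overwrite content) parses a 512-byte sector and reports anything that does not look like a sane MBR. Both the healthy sample and the "wiped" sample are constructed inline for the demo.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE       # 446: start of the four 16-byte entries
BOOT_SIGNATURE = b"\x55\xaa"         # bytes 510..511 of a valid MBR


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one classic 16-byte MBR partition table entry (little-endian)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry
    )
    return {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def inspect_mbr(sector: bytes) -> list:
    """Return a list of findings; an empty list means the sector looks like a sane MBR."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        return [f"unexpected sector length {len(sector)}"]
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    bootstrap = sector[:PARTITION_TABLE_OFFSET]
    # Informational: GPT protective MBRs can legitimately leave this area empty.
    if bootstrap.count(0) == len(bootstrap):
        findings.append("bootstrap code area is all zeros")
    entries = [
        parse_partition_entry(sector[PARTITION_TABLE_OFFSET + 16 * i:
                                     PARTITION_TABLE_OFFSET + 16 * (i + 1)])
        for i in range(4)
    ]
    if not any(e["sectors"] for e in entries):
        findings.append("no partition entries in use")
    active = 0
    for i, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{e['status']:02x}")
        if e["status"] == 0x80:
            active += 1
        if e["sectors"] and e["type"] == 0:
            findings.append(f"entry {i}: non-empty entry with partition type 0x00")
    if active > 1:
        findings.append("more than one partition flagged active")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed minimal MBR: non-zero bootstrap filler, one active NTFS partition."""
    bootstrap = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 441          # 446 bytes, constructed
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * 48                                 # three unused entries
    return bootstrap + table + BOOT_SIGNATURE


def build_wiped_mbr() -> bytes:
    """Constructed stand-in for a wiper's overwrite: a text banner, no table, no signature."""
    banner = b"YOUR DISK HAS BEEN WIPED. CONSTRUCTED SAMPLE, NOT REAL WIPER CONTENT.\n"
    return (banner * 8)[:SECTOR_SIZE].ljust(SECTOR_SIZE, b"\x00")


if __name__ == "__main__":
    for name, sector in (("healthy", build_sample_mbr()), ("wiped", build_wiped_mbr())):
        print(f"{name}: {inspect_mbr(sector) or ['looks like a sane MBR']}")
```

On a live system the first 512 bytes come from the raw disk device (`/dev/sda` on Linux, `\\.\PhysicalDrive0` on Windows), which needs administrator rights to open; in an incident the same function runs over a forensic image. The check is forensic rather than preventive: by the time the signature or partition table is gone the boot path is already broken, so the practical defence is a saved copy of the MBR and partition table from which it can be restored.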
WiryJMPer is a seemingly ordinary dropper with unusual obfuscation. It uses two benign binaries with superfluous jumps and dead branches sandwiched between the binaries to hide its virtual machine, protecting its Netwire payload.