This blog post brings more technical details on CacheFlow: a threat that we first reported about in December 2020. We described a huge campaign composed of dozens of malicious Chrome and Edge browser extensions with more than three million installations in total.
Introduction This summer, Avast discovered a new APT campaign targeting government agencies and a National Data Center of Mongolia. We consider with moderate confidence based on our research that the chinese-speaking APT group LuckyMouse is behind the attack. The APT group planted...
After peeling away the MehCrypter’s layers in the first part of our blog series, we felt there was no other choice than to deep dive even further into the Meh password stealer payload and all its functionalities
We discovered that the Download Studio torrent client and three adblockers surreptitiously deployed the FakeMBAM backdoor through automatic updates. We reverse engineered this backdoor and describe its inner workings in this blog post.
For some time now, we’ve been monitoring a new strain of malicious programs that we are referring to as "Meh". It all started when we came across large amounts of files with randomly generated strings at their beginning, followed by a compiled AutoIt script… and what a ride it has been since.
Last fall, APT malware intrusions targeting high-profile companies in Central Asia caught our attention. A few months later, we began working together with fellow malware analysts from ESET to analyze samples used by the group to spy on a telecommunications company, a gas company, and a...
CoViper is a new wiper malware family taking advantage of the COVID-19 crisis. The wiper breaks an infected computer’s boot operation, by rewriting the Master Boot Record (MBR) located on the computer’s disk.
WiryJMPer is a seemingly ordinary dropper with unusual obfuscation. It uses two benign binaries with superfluous jumps and dead branches sandwiched between the binaries to hide its virtual machine, protecting its Netwire payload.
Mysterious dropper Almaq has caught our attention being a very specific .NET malware that was created and distributed only to attack two particular servers. Almaq is so tailor-made for exactly those two servers it contains servers' credentials and internal directory structure information...
Retadup is a malicious worm affecting Windows machines throughout Latin America. Its objective is to achieve persistence on its victims’ computers, to spread itself far and wide and to install additional malware payloads on infected machines. In the vast majority of cases, the installed payload is...