Introduction Rootkits are dangerous pieces of malware. Once in place, they are usually really hard to detect. Their code is typically more challenging to write than other malware, so developers resort to code reuse from open source projects. As rootkits are very interesting to analyze, we are...
The TaRRaK ransomware appeared in June of 2021. This ransomware contains many coding errors, so we decided to publish a small blog about them. Samples of this ransomware were spotted in our user base, so we also created a decryptor for this ransomware. Skip to instructions on how to use the TaRRaK...
Our threat hunters have been busy searching for abuse of the recently-released zero-day remote code execution bug in Microsoft Office (CVE-2022-30190). As part of their investigations, they found evidence of a threat actor hosting malicious payloads on what appears to be an Australian VOIP...
Cyberwarfare between Ukraine and Russia Foreword The first quarter of 2022 is over, so we are here again to share insights into the threat landscape and what we’ve seen in the wild. Under normal circumstances, I would probably highlight mobile spyware related to the Beijing 2022 Winter...
Certishell deploys coinminers, remote access tools (RATs) and ransomware on machines in Czechia and Slovakia hidden within illegal copies of games, tools and music.
Technical analysis of the Zloader botnet which was recently brough to court for a takedown operation and prosecution of its authors.
Parrot TDS is a new Traffic Direction System that is using tens of thousands of compromised websites. The TDS provides bad actors access to carry out malicious activity via the infected sites.
Avast Threat Intelligence Team has found a remote access tool (RAT) actively being used in the wild in the Philippines that uses what appears to be a compromised digital certificate belonging to the Philippine Navy.
Introduction We recently discovered an APT campaign we are calling Operation Dragon Castling. The campaign is targeting what appears to be betting companies in South East Asia, more specifically companies located in Taiwan, the Philippines, and Hong Kong. With moderate confidence, we can attribute...
We have seen DirtyMoe being spread by various exploit kits such as PurpleFox or via injected installers, for example, as seen for Telegram’s installer. However, one of the DirtyMoe modules also implements worming techniques to spread itself. In this next DirtyMoe series, we will dissect this module...