11.5 C
Sunday, October 22, 2017
Home Tags Md5

Tag: md5

In May 2017, Kaspersky Lab researchers discovered a forum post advertising ATM malware that was targeting specific vendor ATMs.

The forum contained a short description of a crimeware kit designed to empty ATMs with the help of a vendor specific API, without interacting with ATM users and their data.

The price of the kit was 5000 USD at the time of research.
On October 10, 2017, Kaspersky Labrsquo;s advanced exploit prevention systems identified a new Adobe Flash zero day exploit used in the wild against our customers.

The exploit was delivered through a Microsoft Office document and the final payload was the latest version of FinSpy malware. We have reported the bug to Adobe who assigned it CVE-2017-11292 and released a patch earlier today.
20 years is a long time on the Internet.
The 2017 VirusBulletin conference is upon us and, as in previous years, wersquo;re taking the opportunity to dive into an exciting subject, guided by our experience from doing hands-on APT research.

This year we decided to put our heads together to understand the implications that the esoteric SIGINT practice of fourth-party collection could have on threat intelligence research.
The Facebook malware that spread last week was dissected in a collaboration with Kaspersky Lab and Detectify. We were able to get help from the involved companies and cloud services to quickly shut down parts of the attack to mitigate it as fast as possible.

Introducing WhiteBear

As a part of our Kaspersky APT Intelligence Reporting subscription, customers received an update in mid-February 2017 on some interesting APT activity that we called WhiteBear.
It is a parallel project or second stage of the Skipper Turla cluster of activity documented in another private report. Like previous Turla activity, WhiteBear leverages compromised websites and hijacked satellite connections for command and control (C2) infrastructure.
In one of our previous articles, we analyzed the NeutrinoPOS banker as an example of a constantly evolving malware family.

A week after publication, this Neutrino modification delivered up a new malicious program classified by Kaspersky Lab as Trojan-Banker.Win32.Jimmy.
During the preparation of the “IT threat evolution Q2 2017rdquo; report I found several common Trojans that were stealing money from users using WAP-billing. We hadnrsquo;t seen any Trojans like this in a while, but several of them appeared out of nowhere. Most of them had been under development since the end of 2016 / the beginning of 2017, but their prevalence increased only in the second half of Q2 2017.

Therefore, I decided to take a closer look at these Trojans.
The Trojan-Banker.AndroidOS.Faketoken malware has been known about for already more than a year.

Throughout the time of its existence, it has worked its way up from a primitive Trojan intercepting mTAN codes to an encrypter. Not so long ago, thanks to our colleagues from a large Russian bank, we detected a new Trojan sample, Faketoken.q, which contained a number of curious features.
In July 2017, during an investigation, suspicious DNS requests were identified in a partnerrsquo;s network.

The source of the queries was a software package produced by NetSarang. Our analysis showed that recent versions of the software had been surreptitiously modified to include an encrypted payload that could be remotely activated by a knowledgeable attacker.
In mid-July 2017, we found a new modification of the well-known mobile banking malware family Svpeng – Trojan-Banker.AndroidOS.Svpeng.ae.
In this modification, the cybercriminals have added new functionality: it now also works as a keylogger, stealing entered text through the use of accessibility services.
We recently reported about SambaCry, a new family of Linux Trojans exploiting a vulnerability in the Samba protocol.

A week later, Kaspersky Lab analysts managed to detect a malicious program for Windows that was apparently created by the same group responsible for SambaCry.