Insights and analysis by Augusto Remillano II With additional analysis by Patrick Noel Collado and Karen Ivy Titiwa We have recently detected variants of two existing Linux botnet malware types targeting exposed Docker servers; these are XORDDoS malware (detected by Trend Micro as Backdoor.Linux.XORDDOS.AE) and Kaiji DDoS malware (detected by Trend Micro as

By Raphael Centeno and Llallum Victoria With additional insights from Bren Matthew Ebriega Cybercriminals are taking advantage of “the new normal” — involving employees’ remote working conditions and the popularity of user-friendly online tools — by abusing and spoofing popular legitimate applications to infect systems with malicious routines. We found two m

News overview Since the beginning of 2020, due to the COVID-2019 pandemic, life has shifted almost entirely to the Web — people worldwide are now working, studying, shopping, and having fun online like never before. This is reflected in the goals of recent DDoS attacks, with the most targeted resources in Q1 being websites of medical organizations, delivery

The video gaming landscape has changed drastically over the past few decades. Some of these changes have led to considerable developments in the cyberthreat landscape as it applies to gaming companies, the games themselves and the user base that enjoys them. Integration of the cloud, mobile apps and social networks, the diversity of games and platforms, th

Kaspersky has continued to track the Roaming Mantis campaign. The group’s attack methods have improved and new targets continuously added in order to steal more funds. The attackers’ focus has also shifted to techniques that avoid tracking and research: whitelist for distribution, analysis environment detection and so on. We’ve also observe

The financial malware arena became a mainstream issue a little over a decade ago with the rise of malware like the Zeus Trojan, which at the time was the first commercial banking Trojan available to the cybercrime world. We have come a long way since, and the past decade saw banking Trojans become increasingly sophisticated, specialized and exclusive, operat

AZORult has its history. However, a few days ago, we discovered what appears to be one of its most unusual campaigns: abusing the ProtonVPN service and dropping malware via fake ProtonVPN installers for Windows. Screenshot of a fake ProtonVPN website The campaign started at the end of November 2019 when the threat actor behind it registered a new domain und

After 20 years of prominence, distributed denial-of-service (DDoS) attacks may be causing more devastating effects than ever. The first DDoS attack occurred way back on July 22, 1999 when a network of 114 computers infected with a malicious script called Trin00 attacked a computer at the University of Minnesota, according to MIT Technology Review. The infect

News overview In the past quarter, DDoS organizers continued to harness non-standard protocols for amplification attacks. In the wake of WS-Discovery, which we covered in the previous report, cybercriminals turned to Apple Remote Management Service (ARMS), part of the Apple Remote Desktop (ARD) application for remote administration. The first attacks using A

by Aliakbar Zahravi  We recently found notable malware activity affecting devices running Linux, a platform that has battled numerous issues just this year. Further analysis of retrieved malware samples revealed that these actions were connected to a botnet called Momentum (named for the image found in its communication channel). We found new details on the

By Feike Hacquebord, Cedric Pernet, and Kenney Lu The threat group regularly referred to as APT33 is known to target the oil and aviation industries aggressively. This threat group has been reported on consistently for years, but our recent findings show that the group has been using about a dozen live Command and Control (C&C) servers for extremely narr

News overview This past quarter we observed a new DDoS attack that confirmed our earlier hypothesis regarding attacks through the Memcached protocol. As we surmised, the attackers attempted to use another, rather exotic protocol to amplify DDoS attacks. Experts at Akamai Technologies recently registered an attack on one of their clients that was carried out

Since 2008, cyber-criminals have been creating malware to attack IoT-devices, such as routers and other types of network equipment. You will find a lot of statistics on this on Securelist, most notably, here and here. The main problem with these IoT/embedded devices is that one simply cannot install any kind of security software. How do we deal with that? Th

By Jaromir Horejsi and Joseph C. Chen (Threat Researchers) We found a new modular fileless botnet malware, which we named “Novter,” (also reported and known as “Nodersok” and “Divergent”) that the KovCoreG campaign has been distributing since March. We’ve been actively monitoring this threat since its emergence and early development, and saw it being frequen

Exactly one week ago, Emotet, one of the most dangerous threats to organizations in the last year, resumed its malicious spam campaigns after several months of inactivity. Based on our telemetry, we can see that the botnet started becoming chatty with its command and control servers (C2), about a week or so before the spam came through. Figure 1: Communic