Ransomware has become an increasingly serious threat. CryptoWall, TeslaCrypt and Locky are just some of the ransomware variants that have infected large numbers of victims. Petya is the newest strain and the most devious among them.
Petya will not only encrypt files but will also make the system completely unusable, leaving the victim no choice but to pay for the r
Reports of a zero-day attack affecting numerous Office 365 users emerged late last month (hat tip to the researchers at Avanan), and the culprit was a new variant of the Cerber ransomware discovered earlier this year. As with the other zero-day threats that have been popping up like mushrooms of late, the main method of infection is through the use of Offic
ThreatTrack Labs has recently observed a surge of spam containing a zip attachment with a WSF (Windows Scripting File) to deliver Zepto ransomware. This tactic is a change from the common JavaScript and macro documents being spammed previously.
Here are actual emails featuring familiar social engineering tactics:
The zip attachments contain the WSF.
Recently, we’ve spotted Zepto ransomware spreading through spam email containing fake invoices (see image below). These attachments contain a macro-enabled Word document known as Donoff, which downloads the Zepto executable that encrypts all your files and later demands payment for the decryption key.
We decided to take a closer look at the D
It’s like the Russian nesting doll of ransomware. We found this new ransomware delivery tactic particularly interesting and took a deeper look.
Let’s start with some facts about a JSE file. A JSE file is an encoded JScript file; the acronym stands for JScript Encoded File. This encoding can be done with the executable “screnc.exe” or by using Microsoft’s Scri
ThreatTrack Security Labs researchers caught wind of a phishing email masquerading as a Booking.com email. The malicious email includes an “E-TICKET_CONFIRM.doc” attachment that, once downloaded, walks the user through steps to enable embedded macros that infect the computer with CryptoWall.
CryptoWall 4 masked as a Booking.com email.
How It
A fresh malware sample was recently spotted using a Microsoft Compiled HTML Help file attached to spam messages. A Microsoft Help file is a binary file that encompasses a set of HTML files; it usually has a .chm or .hlp extension.
The malicious help file we analyzed, a .chm file, arrived via spam email posing as coming from J
The Dyre group, a major malware spam producer, has changed their initial malware dropper to utilize Microsoft Word document macros instead of the usual executable types, such as .exe files contained in a .zip.
Dyre’s Hedsen spambot, responsible for the bulk of the Upatre emails we’ve been tracking, now uses a template to send macro-infected Word files as s
ThreatTrack Security Labs researchers have confirmed the credential-stealing Trojan Dyre is using a new dropper — and a valid digital certificate — to carry out its dirty work over HTTPS connections.
The Ruckguv downloader works by injecting a DLL into an instance of Windows Service Host (svchost.exe). Windows Service Host then uses HTTPS to download Dyreza
On March 3, security researchers noted that an age-old SSL bug, in existence for more than 10 years, allows attackers under the right conditions to mount a man-in-the-middle attack and gain access to potentially sensitive information.
FREAK (Factoring RSA-EXPORT Keys) SSL relies on outdated ‘export grade’ cryptography settings, which are still contained within
The Dyre Trojan has expanded its attack vectors, aiming to harvest sensitive data from an expanding list of targeted websites.
Previously, Dyre had been known to seek out banking credentials as its primary targets, but ThreatTrack Security Labs researchers recently discovered multiple new types of domains, which have become part of Dyre’s standard target ind
January was a busy month for the developers of Dyre/Dyreza. The group reintroduced their Upatre link spam with some additional subterfuge.
This article will explore two types of spambots that Dyre utilizes; the following diagram presents a simplified visual of how each type executes.
Differences between two current Dyre spambots.
Dyre bot operators have sta
ThreatTrack Security Labs researchers continue to monitor the evolution of Dyre (aka Dyreza), the banking-credential-stealing Trojan that appears to be quickly filling the gap left by the takedown of GameOver Zeus.
We reported earlier on how Dyre has been associated with malicious spam utilizing the Upatre downloader, and our researchers also cited how Dyre’s l
Job seekers beware. A login-credential-stealing Trojan is trying to steal your email address and password when you access CareerBuilder.com.
We recently reported on the evolution of Dyre as observed by ThreatTrack Security Labs. The latest development in this data-stealing Trojan, also known as Dyreza, is an expanded list of targeted sites, including the ad
ThreatTrack Security Labs recently identified some unsurprising holiday shopping threats via a seasonal malware delivery ploy: malicious holiday shopping spam.
This particular campaign targeted customers of major retailers with a Thanksgiving Day message, but it would be best to stay on guard for similar ploys throughout the holiday season as predicted recen