Adwind RAT

Adwind is a backdoor written in Java that arrives through spam email. It is a cross-platform Remote Access Tool (RAT) that can run on Windows, Mac OS, Linux and Android platforms. This malware is sold on the dark web and was previously used by attackers to target banks. It has different names such as…

July 27th, 2017 by Joe Dela Cruz

Ransom BTCWare

BTCWare is a ransomware family that first appeared around March 2017. We describe here the latest variant, called BTC.Aleta after the extension used on the encrypted files. Once infected with this ransomware, the victim is greeted by this ransom note (Fig. 1: BTCWare ransom note). Installation: this ransomware first checks its presence on the…

July 25th, 2017 by Paul Kimayong

Jaff Ransomware

Jaff ransomware is file-encrypting malware that arrives via download by specially crafted macro documents from spam emails. It encrypts users' data, adding a ".jaff" file extension, and then demands that the victim pay a ransom. 1.) Files: the following files are usually seen on the system: ReadMe.bmp, ReadMe.html, ReadMe.txt, and encrypted files with the extension ".jaff". The desktop wallpaper…

June 21st, 2017 by Joe Dela Cruz

Donoff

Donoff is a type of malicious Office document that contains macros. This type of malware usually arrives as an attachment or a direct link in spam emails. For instance, we have seen this malware being distributed in the following spam email. The URL "http://www.entwistle-law.com/papers/divorce_michael.menousek.doc" is actually a hyperlink leading to the following download URL: http://walden[.]co[.]jp/wp/divorce/divorce[.]php?id=ZWxlZTNAdHJpYnVuZW1lZGlhLmNvbQ== The…

April 6th, 2017 by Paul Kimayong

Kuluoz

The Kuluoz malware family is known to spread through spam emails. The email subject or spam attachment typically carries a name related to parcel deliveries, airline tickets, applications, resumes, etc. The attachments come with the icon associated with Microsoft Word documents. The malware checks whether it runs in the context of a debugger by using the 'IsDebuggerPresent' API…

March 13th, 2017 by Marci Kusanovich

Gamarue

Gamarue is a worm that can be distributed by exploit kits, spam emails, USB drives, or dropped by other malware. Gamarue performs multi-level process hollowing to hide itself. It executes its code by mapping into wuauclt.exe rather than changing the entry point using SetThreadContext() like most process hollowing techniques. Here's a dump of how that is achieved:…

March 13th, 2017 by Marci Kusanovich

Cerber Ransomware

Cerber is file-encrypting ransomware known to be delivered specifically by exploit kits. It encrypts files with various file extensions on the victim's system and asks the victim to pay a ransom. 1) Files: the following files are usually seen on the system: Decrypt My files.html and Decrypt My files.txt. A copy of the malware is seen in %appdata%. Also…

January 3rd, 2017 by Abhijit Mohanta

Trojan Qadars

Qadars is a dangerous banking Trojan similar to Zeus and Carberp. It is currently on version 3, and the latest version we have seen is v3.0.0.1. Qadars started in 2013 by attacking banks in France and the Netherlands. In 2015 and 2016, its operators expanded their targets to the United States, Canada, Australia and the Netherlands. According…

December 27th, 2016 by Paul Kimayong

Ghost Push

What is Ghost Push? Ghost Push (a.k.a. Gooligan) is a type of Trojan that hides in popular apps by repackaging them and inserting itself. It is capable of rooting an Android device and installing other apps. It gains root access by beaconing to its CnC server, and the CnC replies with a download URL for…

December 22nd, 2016 by Marci Kusanovich

Trojan ScvMiner

This is a bitcoin miner dropper that uses the system's CPU to mine bitcoins. It effectively slows down the system by consuming most of the CPU power. The file arrives as a compiled AutoIt script binary, and the AutoIt source code is as follows: #NoTrayIcon #Region #AutoIt3Wrapper_Compression=4 #EndRegion $pwd = "" $digits = 3…

December 22nd, 2016 by Marci Kusanovich

TrojanDownloader Nemucod

Nemucod is a downloader associated with the Locky and Cerber ransomware families. It usually arrives as an email attachment, either as a stand-alone JavaScript or VBScript file or as a zip file containing malicious scripts. Nemucod also uses the .wsf extension. WSF, or Windows Scripting File, is a file type used by the Microsoft Windows Script…

December 3rd, 2016 by Paul Kimayong

Trojan Kovter

Kovter is a Trojan that performs click fraud on infected systems. It can also update itself or download additional malware. It employs fileless installation and hooks certain APIs as its persistence mechanism. It may arrive via drive-by download on compromised websites or through malvertising. It can also be installed through phishing links in emails. Fig. 1: Phishing…

November 1st, 2016 by Paul Kimayong

Zepto Ransomware

Zepto is file-encrypting malware and one of the latest ransomware families affecting Windows systems. It encrypts files using a strong encryption algorithm and adds ".zepto" as the file extension of encrypted files. It demands 0.5 BTC from infected users. It closely resembles Locky ransomware. Arrival and Distribution: similar to Locky, Zepto may…

October 17th, 2016 by Courtney

Backdoor Pbot

Backdoor Pbot is a PHP backdoor shell that connects to an IRC server and waits for commands to execute. This bot is usually dropped or installed on a compromised server. The web shell can be accessed through a specific URL, depending on the file's location on the compromised server. Based on Cyphort's data, the following URLs…

October 17th, 2016 by Courtney
