Gootkit RAT Using SEO to Distribute Malware Through Compromised Sites

01 Mar 2021

A framework notorious for delivering a banking Trojan has received a facelift to deploy a wider range of malware, including ransomware payloads. "The Gootkit malware family has been around more than half a decade – a mature Trojan with functionality centered around banking credential theft," Sophos researchers Gabor Szappanos and Andrew Brandt said in a write-up published today. "In recent years

Why do companies fail to stop breaches despite soaring IT security investment?

01 Mar 2021

Let's first take a look back at 2020! Adding to the list of difficulties that surfaced last year, 2020 was also grim for personal data protection, as it has marked a new record number of leaked credentials and PI data. A whopping 20 billion records were stolen in a single year, increasing 66% from 12 billion in 2019. Incredibly, this is a 9x increase from the comparatively "small" amount of 2.3

Chinese Hackers Targeted India's Power Grid Amid Geopolitical Tensions

01 Mar 2021

Amid heightened border tensions between India and China, cybersecurity researchers have revealed a concerted campaign against India's critical infrastructure, including the nation's power grid, from Chinese state-sponsored groups. The attacks, which coincided with the standoff between the two nations in May 2020, targeted a total of 12 organizations, 10 of which are in the power generation and

SolarWinds Blames Intern for 'solarwinds123' Password Lapse

01 Mar 2021

As cybersecurity researchers continue to piece together the sprawling SolarWinds supply chain attack, top executives of the Texas-based software services firm blamed an intern for a critical password lapse that went unnoticed for several years. The password "solarwinds123" was originally believed to have been publicly accessible via a GitHub repository since June 17, 2018, before the

North Korean Hackers Targeting Defense Firms with ThreatNeedle Malware

01 Mar 2021

A prolific North Korean state-sponsored hacking group has been tied to a new ongoing espionage campaign aimed at exfiltrating sensitive information from organizations in the defense industry. Attributing the attacks with high confidence to the Lazarus Group, the new findings from Kaspersky signal an expansion of the APT actor's tactics by going beyond the usual gamut of financially-motivated


ALERT: Malicious Amazon Alexa Skills Can Easily Bypass Vetting Process

27 Feb 2021

Researchers have uncovered gaps in Amazon's skill vetting process for the Alexa voice assistant ecosystem that could allow a malicious actor to publish a deceptive skill under any arbitrary developer name and even make backend code changes after approval to trick users into giving up sensitive information. The findings were presented on Wednesday at the Network and Distributed System Security

Cisco Releases Security Patches for Critical Flaws Affecting its Products

01 Mar 2021

Cisco has addressed a maximum severity vulnerability in its Application Centric Infrastructure (ACI) Multi-Site Orchestrator (MSO) that could allow an unauthenticated, remote attacker to bypass authentication on vulnerable devices. "An attacker could exploit this vulnerability by sending a crafted request to the affected API," the company said in an advisory published yesterday. "A successful

Chinese Hackers Using Firefox Extension to Spy On Tibetan Organizations

25 Feb 2021

Cybersecurity researchers today unwrapped a new campaign aimed at spying on vulnerable Tibetan communities globally by deploying a malicious Firefox extension on target systems. "Threat actors aligned with the Chinese Communist Party's state interests delivered a customized malicious Mozilla Firefox browser extension that facilitated access and control of users' Gmail accounts," Proofpoint said

The Top Free Tools for Sysadmins in 2021

25 Feb 2021

It's no secret that sysadmins have plenty on their plates. Managing, troubleshooting, and updating software or hardware is a tedious task. Additionally, admins must grapple with complex webs of permissions and security. This can quickly become overwhelming without the right tools. If you're a sysadmin seeking to simplify your workflows, you're in luck. We've gathered some excellent software

Russian Hackers Targeted Ukraine Authorities With Supply-Chain Malware Attack

25 Feb 2021

Ukraine is formally pointing fingers at Russian hackers for hacking into one of its government systems and attempting to plant and distribute malicious documents that would install malware on target systems of public authorities. "The purpose of the attack was the mass contamination of information resources of public authorities, as this system is used for the circulation of documents in most

Online Trackers Increasingly Switching to Invasive CNAME Cloaking Technique

27 Feb 2021

With browser makers steadily clamping down on third-party tracking, advertising technology companies are increasingly embracing a DNS technique to evade such defenses, thereby posing a threat to web security and privacy. Called CNAME Cloaking, the practice of blurring the distinction between first-party and third-party cookies not only results in leaking sensitive private information without
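The mechanism the article describes can be checked directly. The following is an added example, not code from the article or from any tracking vendor: a page-owned subdomain (here the hypothetical `metrics.news-site.com`) is aliased via CNAME to a tracker host, so the browser treats it as first party, cookies scoped to the site's domain are sent to the tracker, and third-party blocking never triggers. Following the alias chain and comparing registrable domains exposes the cloak. The CNAME answers, the cookie jar and the public-suffix table are all constructed so the script runs offline; a real check would query a resolver (for example with dnspython) and load the full Public Suffix List.

```python
# Added example: CNAME-cloaking detection over constructed DNS data.
from typing import Dict, List, Tuple

# Tiny constructed subset of the Public Suffix List (the real list is far larger).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed CNAME records (name -> canonical name). Hypothetical domains.
FAKE_CNAMES: Dict[str, str] = {
    "metrics.news-site.com": "news-site.com.tracking-vendor.net",   # cloaked tracker
    "news-site.com.tracking-vendor.net": "edge.tracking-vendor.net",
    "www.news-site.com": "origin.news-site.com",                    # benign alias
}

# Constructed cookie jar: (name, Domain attribute as the browser stored it).
CONSTRUCTED_COOKIES: List[Tuple[str, str]] = [
    ("session_id", ".news-site.com"),
    ("csrf", "www.news-site.com"),
    ("prefs", ".news-site.com"),
]


def registrable_domain(host: str) -> str:
    """Return the registrable domain (public suffix plus one label)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # fallback when no suffix matched


def resolve_cname_chain(host: str, cnames: Dict[str, str], max_hops: int = 8) -> List[str]:
    """Follow CNAME records until a name with no alias; reject loops and long chains."""
    chain = [host.lower().rstrip(".")]
    while chain[-1] in cnames:
        nxt = cnames[chain[-1]].lower().rstrip(".")
        if nxt in chain:
            raise ValueError(f"CNAME loop at {nxt}")
        if len(chain) > max_hops:
            raise ValueError("CNAME chain too long")
        chain.append(nxt)
    return chain


def cookies_sent_to(host: str, cookies: List[Tuple[str, str]]) -> List[str]:
    """RFC 6265 domain matching: a cookie is sent when its Domain equals host
    or is a parent domain of host."""
    host = host.lower()
    sent = []
    for name, domain in cookies:
        d = domain.lower().lstrip(".")
        if host == d or host.endswith("." + d):
            sent.append(name)
    return sent


def cname_cloaking_check(host: str, page_origin: str,
                         cnames: Dict[str, str],
                         cookies: List[Tuple[str, str]]) -> dict:
    """Flag host as cloaked when its final CNAME target belongs to a different
    registrable domain than the page origin, and list the first-party cookies
    the browser would hand to that third party."""
    chain = resolve_cname_chain(host, cnames)
    target = chain[-1]
    cloaked = registrable_domain(target) != registrable_domain(page_origin)
    return {
        "host": host,
        "chain": chain,
        "final_target": target,
        "cloaked": cloaked,
        "cookies_leaked": cookies_sent_to(host, cookies) if cloaked else [],
    }


if __name__ == "__main__":
    for h in ("metrics.news-site.com", "www.news-site.com"):
        print(cname_cloaking_check(h, "news-site.com", FAKE_CNAMES, CONSTRUCTED_COOKIES))
```

The heuristic flags any alias whose final target lives in another registrable domain, which also catches legitimate CDN aliases; in practice the resolved target is matched against a tracker blocklist (as uBlock Origin on Firefox and some DNS-level blockers do) rather than blocked outright.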

Experts Warn of Notable Increase in QuickBooks Data File Theft Attacks

24 Feb 2021

New research has uncovered a significant increase in QuickBooks file data theft using social engineering tricks to deliver malware and exploit the accounting software. "A majority of the time, the attack involves basic malware that is often signed, making it hard to detect using antivirus or other threat detection software," researchers from ThreatLocker said in an analysis shared today with The

Everything You Need to Know About Evolving Threat of Ransomware

24 Feb 2021

The cybersecurity world is constantly evolving to meet new forms of threats and vulnerabilities. But ransomware proves to be a different animal: the most destructive, persistent, and notoriously challenging to prevent, and it is showing no signs of slowing down. Falling victim to a ransomware attack can cause significant data loss, data breach, operational downtime, costly recovery, legal consequences, and

Critical RCE Flaws Affect VMware ESXi and vSphere Client — Patch Now

24 Feb 2021

VMware has addressed multiple critical remote code execution (RCE) vulnerabilities in VMware ESXi and vSphere Client virtual infrastructure management platform that may allow attackers to execute arbitrary commands and take control of affected systems. "A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying

Experts Find a Way to Learn What You're Typing During Video Calls

23 Feb 2021

A new attack framework aims to infer keystrokes typed by a target user at the opposite end of a video conference call by simply leveraging the video feed to correlate observable body movements to the text being typed. The research was undertaken by Mohd Sabra and Murtuza Jadliwala from the University of Texas at San Antonio and Anindya Maiti from the University of Oklahoma, who say the attack

5 Security Lessons for Small Security Teams for the Post COVID19 Era

23 Feb 2021

A full-time mass work from home (WFH) workforce was once considered an extreme risk scenario that few risk or security professionals even bothered to think about. Unfortunately, within a single day, businesses worldwide had to face such a reality. Their 3-year long digital transformation strategy was forced to become a 3-week sprint during which offices were abandoned, and people started working

Shadow Attacks Let Attackers Replace Content in Digitally Signed PDFs

23 Feb 2021

Researchers have demonstrated a novel class of attacks that could allow a bad actor to potentially circumvent existing countermeasures and break the integrity protection of digitally signed PDF documents. Called "Shadow attacks" by academics from Ruhr-University Bochum, the technique uses the "enormous flexibility provided by the PDF specification so that shadow documents remain

Hackers Exploit Accellion Zero-Days in Recent Data Theft and Extortion Attacks

23 Feb 2021

Cybersecurity researchers on Monday tied a string of attacks targeting Accellion File Transfer Appliance (FTA) servers over the past two months to a data theft and extortion campaign orchestrated by a cybercrime group called UNC2546. The attacks, which began in mid-December 2020, involved exploiting multiple zero-day vulnerabilities in the legacy FTA software to install a new web shell named

How to Fight Business Email Compromise (BEC) with Email Authentication?

22 Feb 2021

Business Email Compromise (BEC) is an ever-evolving and rampant form of cybercrime that uses email as the medium for fraud. Targeting commercial, government and non-profit organizations alike, BEC can lead to large-scale data loss, security breaches, and compromised financial assets. It is a common misconception that cybercriminals usually focus on MNCs and

Chinese Hackers Had Access to a U.S. Hacking Tool Years Before It Was Leaked Online

25 Feb 2021

On August 13, 2016, a hacking unit calling itself "The Shadow Brokers" announced that it had stolen malware tools and exploits used by the Equation Group, a sophisticated threat actor believed to be affiliated to the Tailored Access Operations (TAO) unit of the U.S. National Security Agency (NSA). Although the group has since signed off following the unprecedented disclosures, new "conclusive"

New 'Silver Sparrow' Malware Infected Nearly 30,000 Apple Macs

22 Feb 2021

Days after the first malware targeting Apple M1 chips was discovered in the wild, researchers have disclosed yet another previously undetected piece of malicious software that was found in about 30,000 Macs running Intel x86_64 and the iPhone maker's M1 processors. However, the ultimate goal of the operation remains something of a conundrum, what with the lack of a next-stage or final payload

Privacy Bug in Brave Browser Exposes Dark-Web Browsing History of Its Users

21 Feb 2021

Brave has fixed a privacy issue in its browser that sent queries for .onion domains to public internet DNS resolvers rather than routing them through Tor nodes, thus exposing users' visits to dark web websites. The bug was addressed in a hotfix release (V1.20.108) made available yesterday. Brave ships with a built-in feature called "Private Window with Tor" that integrates the Tor anonymity
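The bug is a resolver-routing failure: `.onion` is a special-use TLD reserved by RFC 7686, and a name under it must never reach the public DNS, because the query alone reveals which hidden service the user is about to visit. The following added example (not Brave's code) shows two checks a practitioner would want: a routing policy that fails closed for `.onion` names outside a Tor context, and detection logic that finds such leaks in a resolver's query log. The log lines are constructed in dnsmasq's query format with hypothetical client addresses and onion names.

```python
# Added example: .onion leak prevention and detection (not Brave's code).
import re
from typing import List, Tuple


def is_onion_name(qname: str) -> bool:
    """True for any name under the reserved .onion TLD (case-insensitive,
    trailing dot tolerated); the bare label 'onion' itself does not count."""
    labels = qname.lower().rstrip(".").split(".")
    return len(labels) >= 2 and labels[-1] == "onion"


def route_dns_query(qname: str, tor_window: bool) -> str:
    """Decide where a hostname lookup may go.
    'tor'    -> hand the name to the Tor SOCKS proxy for remote resolution
    'public' -> the ordinary system resolver is acceptable
    'refuse' -> a .onion name outside a Tor context: fail closed, never leak it
    In a Tor window every lookup goes to Tor, not only .onion names."""
    if is_onion_name(qname):
        return "tor" if tor_window else "refuse"
    return "tor" if tor_window else "public"


# Constructed dnsmasq-style query log (hypothetical addresses and names).
SAMPLE_RESOLVER_LOG = """\
Feb 20 10:01:02 dnsmasq[812]: query[A] www.example.com from 192.0.2.10
Feb 20 10:01:05 dnsmasq[812]: query[A] abcdefghijklmnop.onion from 192.0.2.10
Feb 20 10:01:05 dnsmasq[812]: query[AAAA] abcdefghijklmnop.onion from 192.0.2.10
Feb 20 10:02:11 dnsmasq[812]: query[A] cdn.example.net from 192.0.2.22
Feb 20 10:03:40 dnsmasq[812]: query[A] Qrstuvwxyz012345.ONION. from 192.0.2.22
Feb 20 10:03:41 dnsmasq[812]: reply www.example.com is 203.0.113.5
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<client>\S+)")


def find_onion_leaks(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, qtype, qname) for every .onion query that reached the
    resolver. Any hit means some client leaked a hidden-service name."""
    leaks = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_onion_name(m.group("qname")):
            leaks.append((m.group("client"), m.group("qtype"),
                          m.group("qname").rstrip(".").lower()))
    return leaks


if __name__ == "__main__":
    for leak in find_onion_leaks(SAMPLE_RESOLVER_LOG):
        print("LEAK", *leak)
    print(route_dns_query("abcdefghijklmnop.onion", tor_window=False))
```

On the resolver side, RFC 7686 section 2 tells resolvers that do not speak Tor to answer `.onion` queries with NXDOMAIN rather than forward them, so a local resolver returning NXDOMAIN for the zone is a sound second line of defence; the log check above still catches the client-side bug, because the query is logged before it is refused.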

New Hack Lets Attackers Bypass MasterCard PIN by Using Them As Visa Cards

20 Feb 2021

Cybersecurity researchers have disclosed a novel attack that could allow criminals to trick a point of sale terminal into transacting with a victim's Mastercard contactless card while believing it to be a Visa card. The research, published by a group of academics from ETH Zurich, builds on a study detailed last September that delved into a PIN bypass attack, permitting bad actors to leverage a

Masslogger Trojan Upgraded to Steal All Your Outlook, Chrome Credentials

19 Feb 2021

A credential stealer infamous for targeting Windows systems has resurfaced in a new phishing campaign that aims to steal credentials from Microsoft Outlook, Google Chrome, and instant messenger apps. Primarily directed against users in Turkey, Latvia, and Italy starting mid-January, the attacks involve the use of MassLogger — a .NET-based malware with capabilities to hinder static analysis —

SolarWinds Hackers Stole Some Source Code for Microsoft Azure, Exchange, Intune

18 Feb 2021

Microsoft on Thursday said it concluded its probe into the SolarWinds hack, finding that the attackers stole some source code but confirmed there's no evidence that they abused its internal systems to target other companies or gained access to production services or customer data. The disclosure builds upon an earlier update on December 31, 2020, that uncovered a compromise of its own network to


Hackers Improve SEO Before Deploying Malware

01 Mar 2021

Spyware Fan MBS Accused By US Intel Of Khashoggi Death

01 Mar 2021

Clubhouse's Security And Privacy Lag Behind Its Quick Growth

01 Mar 2021

Judge Approves $650 Million Settlement Of Privacy Lawsuit Against Facebook

01 Mar 2021


Malware Must Die


MMD-0066-2020 - Linux/Mirai-Fbot - A re-emerged IoT threat

24 Feb 2020

Chapters: [TelnetLoader] [EchoLoader] [Propagation] [NewActor] [Epilogue] Prologue A month ago I wrote about IoT malware for the Linux operating system, a Mirai botnet client variant dubbed FBOT. That write-up [link] was about reverse engineering a 32-bit ARM Linux ELF binary to dissect the new encryption used in their January bot binaries. The threat had been in a vacuum state for almost

MMD-0065-2020 - Linux/Mirai-Fbot's new encryption explained

15 Jan 2020

Prologue [For the most recent information on this threat please follow this ==> link] I set up a brand new local ARM-based router, bought online around New Year 2020, to replace my old pots, and yesterday it was soon pwned by malware and I had to reset it to factory mode to make it work again (this had never happened before). When the "incident" occurred, the affected router wasn't dead, but it

More about my 2019.HACK.LU Keynote talk

28 Oct 2019

As promised, these are my additional notes on and review of my keynote talk at 2019.HACK.LU (link). The title of the keynote is actually very long, but it describes the whole slide deck clearly. What was presented is today's Linux post-exploitation: process injection and fileless execution, and the infrastructure and components that have been supporting those activities, based on the

MMD-0064-2019 - Linux/AirDropBot

28 Sep 2019

Prologue There are a lot of botnets aiming at the multiple architectures of Linux-based Internet of Things devices, and this story is just one of them, but I haven't seen one coded like this before. Like most of the other analysis reports on the MalwareMustDie blog, this post started from a friend's request to take a look at a certain malicious Linux executable binary that was having a

MMD-0063-2019 - Summary of 3 years MMD research (Sept 2016-Sept 2019)

21 Sep 2019

Hello, it's unixfreaxjp here. It has been a while since I wrote on our own blog, and it is good to be back. Thank you for your patience during all of this time. If you want to see what we were doing during our silent period, just click this link. The background / TLDR: It was in September 2016 that we decided to move our blog, and since then I and the team have had a lot of fun learning and

MMD-0062-2017 - Credential harvesting by SSH Direct TCP Forward attack via IoT botnet

08 Mar 2017

Sticky note: We call this threat the "Strudels Attack". 1. Background In this post no malicious software/malware is analyzed; instead, this is one of the impacts of malware infecting IoT devices through weak credentials, which the bad actors then utilize for a bigger crime process. The only malicious aspect written about in this post is/are the individual(s) involved in and participating in these attacks,

MMD-0061-2016 - EnergyMech 2.8 overkill mod

03 Dec 2016

This is a new threat analysis report I wrote on the MalwareMustDie blog (this one) after we moved away from Blogger; I hope you like the new blog system and design, and enjoy the post! An unattended or abandoned Linux/UNIX system with its web service online (especially with the CGI function intact) and without recent updates can soon be exploited and infected by Linux malware. Scanners for

MMD-0060-2016 - Linux/UDPfker and ChinaZ threat today

30 Oct 2016

Background ChinaZ is Linux ELF DDoS malware, and a DDoS service, made by actors from the PRC (People's Republic of China). This threat has been covered several times on this blog, and several takedown efforts have also been made, yet the threat is still lurking around us to this day. Using the specific indicators seen during their infection efforts, I managed to trace their overall activity, and their activity has been

MMD-0059-2016 - Linux/IRCTelnet (new Aidra) - A DDoS botnet aims IoT w/ IPv6 ready

29 Oct 2016

It's a Kaiten/Tsunami? No.. STD?? No! It's a GayFgt/Torlus/Qbot? No!! Is it Mirai?? NO!! It's Linux/IRCTelnet (new Aidra)! ..a newly coded IoT DDoS botnet Linux malware.. Summary This post is a report on what seems to be a new IRC botnet ELF malware, obviously used for performing DDoS attacks via an IRC botnet. Parts of it are coded to the specification of Tsunami/Kaiten

MMD-0058-2016 - Linux/NyaDrop - a linux MIPS IoT bad news

14 Oct 2016

Background Since the end of September 2016 I have been receiving a new type of attack aimed at the MIPS platform I provide to detect IoT attacks. I will call this threat the new ELF Linux/NyaDrop, as per the name used by the threat actor himself for the "nyadrop" binary that is dropped on the compromised system. This is not "really" the first time we have seen this threat, actually; this year, some

MMD-0057-2016 - Linux/LuaBot - IoT botnet as service

06 Sep 2016

Background On Mon, Aug 29, 2016 at 5:07 PM I received this ELF malware sample from a person (thank you!). There wasn't any detail or comment whatsoever, just one cute little stripped ARM ELF binary file with the following data: arm_lsb: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped hash: a220940db4be6878e47b74403a8079a1 This is a cleanly GCC: (GNU) 5.3.x

MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled..

01 Sep 2016

Our recent analysis of Mirai is here ==> [Link] Background From August 4th, 2016, several sysadmin friends helped us by uploading these malware files to our dropbox. The samples of this particular ELF malware were not easy to retrieve; there are good ones and also some broken ones, and I list only the good ones in this post. This threat is a new ELF trojan backdoor which is now

MMD-0055-2016 - Linux/PnScan ; ELF worm that still circles around

24 Aug 2016

Background I just checked around the internet and found an interesting ELF worm distribution that may help raise awareness among fellow sysadmins. As shown in the title, it's a known ELF malware threat, possibly the latest variant of "Linux/PnScan", found on the x86-32 platform; it seems to have been circulating around the web within infected nodes before it came into our hands. This worm is aimed more at embedded platforms, and I

MMD-0054-2016 - ATMOS botnet facts you should know

07 Jun 2016

The background This post shares recent intelligence and information about the currently emerging credential stealer and spying botnet named "Atmos", for the purpose of threat recognition and incident response, and it may also help reverse engineering. This report is the third in the series of online crime toolkit analyses that we have disclosed on the MalwareMustDie blog; in previous posts we disclosed

[Slide|Video] Kelihos & Peter Severa; the "All Out" version

09 May 2016

Tag: Kelihos, Khelios, P2P, FastFlux, Botnet, CNC, C2, Clickfraud, Traffic Redirection, Spambot, DNS Poison, Botnet as Service, Affiliate, Severa, Peter Severa, Petrushakov, Saever, Saushkin We yanked this page, along with the slides and its video links, from public view to support a cyber crime investigation to stop the botnet for good. It's a good-will gesture from our investigation team and there's

MMD-0053-2016 - A bit about ELF/STD IRC Bot: x00's CBack aka xxx.pokemon(.)inc

16 Apr 2016

Latest UPDATE on an incident of this threat is-->[link] Background I received a report that a host in the Google cloud network was serving ELF malware: { "ip": "", "hostname": "", "prefix": "", "org": "AS15169 Google Inc.", "city": "Mountain View", "region": "California", "country": "USA", "loc": "37.4192,

MMD-0052-2016 - Overview of "SkidDDoS" ELF++ IRC Botnet

07 Feb 2016

Tag: kaiten, ktx, tsunami, STD, stdbot, torlus, Qbot, gayfgt, lizard, lizkebab, sinden, sdn, $dn, bossaline, bossabot, dtool, aidra, lightaidra, zendran, styx, Code, Robert, cod, unixcod, styxcod, irc, ircbot, ddos, elfbot, ddoser, nix, elf, linux, unix. backdoor, syn flood, ack flood, ntp flood, udp flood, dns amp, xmas attack, pan flood, x00, cback, LiGhT, Proxseas, BLJ, KaitenBot, fairy, Alex,

MMD-0051-2016 - Debunking a tiny ELF remote backdoor (shellcode shellshock part 2)

03 Feb 2016

The background In September 2014, while the ShellShock exploitation incidents were in full swing, one of the cases was MMD-0027-2014: two ELF malware payloads dropped via a ShellShock attack, a new malware and a backconnect ELF, with details that can be read in-->[here]. Today I found another interesting ELF x86-32 sample that was reported several hours ago; the infection vector is also via

MMD-0050-2016 - Incident report: ELF Linux/Torte infection (in Wordpress)

12 Jan 2016

The indicator Several hours ago, suspicious inbound access was detected on a WordPress site, with the log below (thanks for the hard work from Y). It's unusual traffic coming from an unusual source IP address:||56534 | | PIRIX-INET | RU | | Comfortel Ltd. | |57010 | |

MMD-0049-2016 - A case of java trojan (downloader/RCE) for remote minerd hack

09 Jan 2016

Background This is a short post supporting the takedown effort. Warning: sorry, this time there's nothing fancy nor any "in-depth analysis" :-) Yet the current hacking and infection scheme is so bad that I think it's best for all of us (fellow sysadmins in particular) to know this information for mitigation and hardening purposes. In this case, a bad actor was using Java-coded malware injected into a

MMD-0048-2016 - DDOS.TF = (new) ELF & Win32 DDoS service with ASP + PHP/MySQL MOF webshells

05 Jan 2016

Background Linux exploitation by bad actors from the People's Republic of China (in short: PRC) is not a new matter. Their attacks come every day and their methods also improve by the day. This post is another case of the issue, except that it reports some improvements and a new source of DoS threat from the same landscape. The unique point of this one is the combination of ElasticSearch

MMD-0047-2015 - SSHV: SSH bruter ELF botnet malware w/hidden process kernel module

24 Dec 2015

Background Apparently Linux ELF malware is becoming an interesting attraction for several actors from the People's Republic of China (in short: PRC). This post is one good example of it. It also explains why I, and my team (MMD), have put a lot of effort into studying malicious Linux executable schemes coming from that region recently, and why our colleagues, professional researchers in the industry, have started to put

MMD-0046-2015 - Kelihos 10 nodes CNC on NJIIX, New Jersey USA, with a known russian crook who rented them

21 Dec 2015

Global variable declaration, to read it correctly: #include int main(void) { char * email = "XXXXX\(censored\)\ data"; } Background Note 2: Considering that the attacks of the Kelihos botnet against my country and several other countries are still unstoppable and ongoing, yet I was told to censor the Kelihos investigation in 2013 without getting good follow-up from law enforcement on this planet, no

MMD-0045-2015 - KDefend: a new ELF threat with a disclaimer

04 Dec 2015

Background It's been a while since I wrote a new analysis on our blog, and this timing is just perfect. On December 1st, 2015 this sample was detected by our ELF team member @benkow_, and our ELF team started to investigate the threat and came to the conclusion that another new ELF malware had been spotted; this post is the report. It was calling itself "KDefend" or "KDLinux", so we call it "Linux/

MMD-0044-2015 - Source code disclosure of bunch of SkiDDoS ELF malware

23 Nov 2015

This sharing has been closed due to the time limit (60 days) - Thank you. MalwareMustDie, NPO is a white-hat non-profit security research workgroup launched in August 2012 for/by security professionals and malware researchers who gathered to form a workflow to reduce malware infection on the internet. In this opportunity I, hereby, on behalf of the active projects and field operational ELF malware research,