June 22, 2018 | Chris Doman

Malicious Documents from Lazarus Group Targeting South Korea

By Chris Doman, Fernando Martinez and Jaime Blasco

We took a brief look at some documents recently discussed and reviewed by researchers in South Korea over the past week. The malware is linked to Lazarus, a reportedly North Korean group of attackers. One malicious document appears to be targeting members of a recent G20 Financial Meeting, seeking coordination of the…

June 20, 2018 | Jose Manuel Martin

GZipDe: An Encrypted Downloader Serving Metasploit

At the end of May a Middle Eastern news network published an article about the next Shanghai Cooperation Organization Summit. A week ago, AlienVault Labs detected a new malicious document targeting the area. It uses a piece of text taken from the report as a decoy. This is the first step of a multistage infection in which several servers and…


June 11, 2018 | Chris Doman

More Details on an ActiveX Vulnerability Recently Used to Target Users in South Korea

Written by Chris Doman and Jaime Blasco

Introduction

Recently, an ActiveX zero-day was discovered on the website of a South Korean think tank that focuses on national security. Whilst ActiveX controls are disabled on most systems, they are still enabled on most South Korean machines due to mandates by the South Korean government.…

June 1, 2018 | Javier Ruiz

Satan Ransomware Spawns New Methods to Spread

Today, we are sharing an example of how previously known malware keeps evolving and adding new techniques to infect more systems. BleepingComputer first reported on Satan ransomware in January 2017. Recently, Satan Ransomware was identified as using the EternalBlue exploit to spread across compromised environments (BartBlaze’s blog). This is the same exploit associated with a previous WannaCry Ransomware campaign.…

May 1, 2018 | Chris Doman

MassMiner Malware Targeting Web Servers

Written in collaboration with Fernando Martinez

One of the biggest malware trends of 2018 has been the increasing variety of cryptocurrency malware targeting servers. One family of mining malware, which we’ve termed “MassMiner”, stands out as a worm that not only spreads itself through a number of different exploits, but also brute-forces access to Microsoft SQL Servers. It surprised us…

January 8, 2018 | Chris Doman

A North Korean Monero Cryptocurrency Miner

AlienVault Labs recently analysed an application compiled on Christmas Eve 2017. It is an installer for software to mine the Monero cryptocurrency. Any mined currency is sent to Kim Il Sung University in Pyongyang, North Korea. The installer copies a file named intelservice.exe to the system. The filename intelservice.exe is often associated with…

November 9, 2017 | Chris Doman

LockCrypt Ransomware Spreading via RDP Brute-Force Attacks

We previously reported on SamSam ransomware charging high ransoms for infected servers. But SamSam isn’t the only ransomware out there charging eye-watering amounts to decrypt business servers. Initial reports of a new variant of ransomware called LockCrypt started in June of this year. In October we saw an increase in infections. LockCrypt doesn’t have heavy code…

October 19, 2017 | Chris Doman

ARP Spoofing Used to Insert Malicious Adverts

Recently we came across a new variant of the malware ServStart. ServStart is primarily used by attackers located in China, in a mix of targeted and opportunistic attacks. The attackers are hosting the ServStart malware on a file server that is open for anyone to view.

The open file server at http://222.186.11[.]182:9999

The Rar Archive

One of the…

June 27, 2017 | Sacha Dawes

New Variant of Petya / PetrWrap Ransomware Strikes

On June 27th the AlienVault Labs Team became aware of a new ransomware, a variant of the Petya malware, that is spreading rapidly and is known to have affected organizations in Russia and the Ukraine, and some other parts of Europe. A pulse detailing the Indicators of Compromise for this variant of Petya can be found in the AlienVault Open…

June 21, 2017 | Chris Doman

SamSam Ransomware Targeted Attacks Continue

Normally new variants of ransomware families aren't particularly interesting. SamSam, however, is different. Whereas most ransomware is automatically propagated, SamSam is deployed manually. In addition, the group behind SamSam charges very high ransoms because of the amount of effort invested in their operations, which made them the subject of two FBI Alerts last year. The attacks seem to peak…

June 9, 2017 | Peter Ewane

MacSpy: OS X RAT as a Service

MacSpy is advertised as the “most sophisticated Mac spyware ever”, with the low starting price of free. While the idea of malware-as-a-service (MaaS) isn’t a new one, with players such as Tox and Shark already in the game, MacSpy can be said to be one of the first seen for the OS X platform. The authors state that…

May 19, 2017 | Eddie Lee

Diversity in Recent Mac Malware

In recent weeks, there have been some high-profile reports about Mac malware, most notably OSX/Dok and OSX.Proton.B. Dok malware made headlines due to its unique ability to intercept all web traffic, while Proton.B gained fame when attackers replaced legitimate versions of HandBrake with an infected version on the vendor’s download site. Another lower profile…
