A North Korean Monero Cryptocurrency Miner

January 8, 2018 | Chris Doman
January 8, 2018 | Chris Doman

A North Korean Monero Cryptocurrency Miner

AlienVault labs recently analysed an application compiled on Christmas Eve 2017. It is an Installer for software to mine the Monero crypto-currency. Any mined currency is sent to Kim Il Sung University in Pyongyang, North Korea.The Installer copies a file named intelservice.exe to the system. The filename intelservice.exe is often associated with…

November 9, 2017 | Chris Doman

LockCrypt Ransomware Spreading via RDP Brute-Force Attacks

We previously reported on SamSam ransomware charging high ransoms for infected servers. But SamSam isn’t the only ransomware out there charging eye-watering amounts to decrypt business servers.Initial reports of a new variant of ransomware called LockCrypt started in June of this year. In October we saw an increase in infections.LockCrypt doesn’t have heavy code…

Get the latest security news in your inbox.

Subscribe via Email

October 19, 2017 | Chris Doman

ARP Spoofing Used to Insert Malicious Adverts

Recently we came across a new variant of the malware ServStart. ServStart is primarily used by attackers located in China, in a mix of targeted and opportunistic attacks. The attackers are hosting the ServStart malware on a file server that is open for anyone to view.The open file server at http://222.186.11[.]182:9999The Rar ArchiveOne of the…

June 27, 2017 | Sacha Dawes

New Variant of Petya / PetrWrap Ransomware Strikes

On June 27th the AlienVault Labs Team became aware of a new ransomware, a variant of the Petya malware, that is spreading rapidly and is known to have affected organizations in Russia and the Ukraine, and some other parts of Europe. A pulse detailing the Indicators of Compromise for this variant of Petya can be found in the AlienVault Open…

June 21, 2017 | Chris Doman

SamSam Ransomware Targeted Attacks Continue

Normally new variants of ransomware families aren't particularly interesting.SamSam, however, is different. Whereas most ransomware is automatically propagated, SamSam is deployed manually.In addition, the group behind SamSam charges very high ransoms because of the amount of effort invested in their operations, which made them the subject of two FBI Alerts last year.The attacks seem to peak…

June 9, 2017 | Peter Ewane

MacSpy: OS X RAT as a Service

MacSpy is advertised as the "most sophisticated Mac spyware ever”, with the low starting price of free. While the idea of malware-as-a-service (MaaS) isn’t a new one with players such as Tox and Shark the game, it can be said that MacSpy is one of the first seen for the OS X platform.The authors state that…

May 19, 2017 | Eddie Lee

Diversity in Recent Mac Malware

In recent weeks, there have been some high-profile reports about Mac malware, most notably OSX/Dok and OSX.Proton.B. Dok malware made headlines due to its unique ability to intercept all web traffic, while Proton.B gained fame when attackers replaced legitimate versions of HandBrake with an infected version on the vendor’s download site. Another lower profile…

May 12, 2017 | AlienVault Labs

Ongoing WannaCry Ransomware Spreading Through SMB Vulnerability

As of early this morning (May 12th, 2017), the AlienVault Labs team is seeing reports of a wave of infections using a ransomware variant called “WannaCry” that is being spread by a worm component that leverages a Windows-based vulnerability.There have been reports of large telecommunication companies, banks and hospitals being affected. Tens of thousands of networks worldwide have…

May 6, 2017 | Chris Doman

MacronLeaks – A Timeline of Events

It's been a very familiar feeling reading about the documents leaked to impact the elections in France tomorrow.Often the best defence is to have a proper understanding of what has happened. A quick draft timeline of events from an analysis of document meta-data and forum posts is below.Attacks in March and AprilA number of domains, identified…

May 4, 2017 | Jaime Blasco

OAuth Worm Targeting Google Users - You Need to Watch Cloud Services

Yesterday, many people received an e-mail from someone they knew and trusted asking them to open a "Google Doc.” The email looked, felt, and smelled like the real thing—an email that Google normally sends whenever a share request is made. However, the email contained a button that mimicked a link to open a document in Google Docs.…

March 31, 2017 | Chris Doman

New Features in Open Threat Exchange (OTX)

Its been a busy couple of months for the OTX team, making lots of improvements to make OTX more useful for security researchers and InfoSec professionals. Thought it was time to give you and update. Here's what's new in OTX:Easier Way to Create PulsesWe've rebuilt the way you create pulses from scratch. So you can…

March 14, 2017 | Jaime Blasco

Apache Struts Vulnerability Being Exploited by Attackers

Last week a new vulnerability affecting Apache Struts was reported (CVE-2017-5638) that affects the Apache Struts Jakarta Multipart parser. The vulnerability allows an unauthenticated attacker to execute code in the affected system by creating a specially crafted Content-Type HTTP header.Starting last Thursday (March 9, 2017), we have seen a high number of attackers trying to exploit this vulnerability. Different payloads…

Watch a Demo ›