Security News

Gootkit RAT Using SEO to Distribute Malware Through Compromised Sites
2021-03-02 00:52

"The Gootkit malware family has been around more than half a decade - a mature Trojan with functionality centered around banking credential theft," Sophos researchers Gabor Szappanos and Andrew Brandt said in a write-up published today. Dubbed "Gootloader," the expanded malware delivery system comes amid a surge in the number of infections targeting users in France, Germany, South Korea, and the U.S. First documented in 2014, Gootkit is a Javascript-based malware platform capable of carrying out an array of covert activities, including web injection, capturing keystrokes, taking screenshots, recording videos, as well as email and password theft.

'Rogue' Android RAT Can Take Control of Devices, Steal Data
2021-01-13 12:30

A recently discovered Mobile Remote Access Trojan can take control of the infected Android devices and exfiltrate a trove of user data, Check Point security researchers warn. Dubbed Rogue, the Trojan is the work of Triangulum and HeXaGoN Dev, known Android malware authors that have been selling their malicious products on underground markets for several years.

It’s Not the Trump Sex Tape, It’s a RAT
2021-01-06 21:20

"The email, with the subject "GOOD LOAN OFFER!!," at first glance, looks like a usual investment scam," Lopera said in the report about the find. "No obfuscation in the email headers or body is found. Interestingly, attached to the email is an archive containing a Java Archive file called "TRUMP SEX SCANDAL VIDEO.jar."

Crypto-Hijacking Campaign Leverages New Golang RAT
2021-01-05 20:34

Researchers are raising the alarm over a newly identified operation that uses a new Remote Access Tool written in Golang to steal cryptocurrency from unsuspecting users. Discovered last month, the campaign is believed to have been active since January 2020 and consists of a fully-fledged marketing effort, custom cryptocurrency-related applications, fake social media accounts, websites, and the new RAT, which Intezer calls ElectroRAT. Largely undetected, the Golang backdoor is written from scratch and targets Windows, Linux, and macOS. To lure cryptocurrency users into downloading the Trojanized apps, the threat actor behind the campaign promoted the tools on cryptocurrency and blockchain forums as well as on social media platforms.

Ransomware Attackers Using SystemBC Malware With RAT and Tor Proxy
2020-12-16 06:33

Cybercriminals are increasingly outsourcing the task of deploying ransomware to affiliates who rely on commodity malware and attack tools, according to new research. The SystemBC RAT has expanded its toolset with new capabilities that let it route C2 traffic over a Tor connection, encrypting the channel and concealing the destination of the communications, and thereby giving attackers a persistent backdoor from which to launch further attacks.

New RAT malware gets commands via Discord, has ransomware feature
2020-10-23 13:13

The new 'Abaddon' remote access trojan may be the first to use Discord as a full-fledged command and control server that instructs the malware on what tasks to perform on an infected PC. Even worse, a ransomware feature is being developed for the malware. In the past, we have reported on how threat actors use Discord as a stolen data drop or have created malware that modifies the Discord client to have it steal credentials and other information.

Cisco Patches Remote Code Execution Flaws in Jabber for Windows
2020-09-04 12:37

Networking equipment maker Cisco has released a new version of its Jabber video conferencing and messaging app for Windows that includes patches for multiple vulnerabilities which, if exploited, could allow an authenticated, remote attacker to execute arbitrary code. Two of the four flaws can be exploited to gain remote code execution on target systems by sending specially crafted chat messages in group conversations or to specific individuals.

Evilnum hackers targeting financial firms with a new Python-based RAT
2020-09-04 05:37

An adversary known for targeting the fintech sector since at least 2018 has switched up its tactics to include a new Python-based remote access Trojan that can steal passwords, documents, browser cookies, email credentials, and other sensitive information. In an analysis published by Cybereason researchers yesterday, the Evilnum group has not only tweaked its infection chain but has also deployed a Python RAT called "PyVil RAT," which can gather information, take screenshots, capture keystrokes, open an SSH shell, and deploy new tools.

Python-based Spy RAT Emerges to Target FinTech
2020-09-03 15:28

The malware's emergence dovetails with a change in the APT's infection chain and an expansion of its infrastructure. According to researchers at Cybereason, PyVil RAT enables the attackers to exfiltrate data, perform keylogging and take screenshots, and can roll out secondary credential-harvesting tools such as LaZagne. The latest series of campaigns observed by Cybereason that use PyVil RAT are widespread yet targeted, taking aim at FinTech companies across the U.K. and E.U. The attack vector is spear-phishing email that uses Know Your Customer (KYC) regulations as a lure.

Triple-Threat Cryptocurrency RAT Mines, Steals and Harvests
2020-09-02 20:11

A previously undocumented malware family called KryptoCibule is mounting a three-pronged cryptocurrency-related attack, while also deploying remote-access trojan functionality to establish backdoors to its victims. Looking at timestamps in the various versions of KryptoCibule that ESET has identified, the malware dates from December 2018, researchers said.