Security News

The TA505 cybercrime group is whirring its financial rip-off machinery back up, pelting malware at a range of industries in what were initially low-volume waves that researchers saw spiral upward late last month. In an analysis published on Tuesday, Proofpoint said that its researchers have been tracking renewed malware campaigns from TA505 that started out slowly at the beginning of September - with only several thousand emails per wave, distributing malicious Excel attachments - and then pumped up the volume later in the month, reaching tens to hundreds of thousands of emails by the end of September.

It's a well-known fact that powerful malware can be bought on the dark web and used with relative ease. A new report from Cisco's Talos cybersecurity research team illustrates just how dangerous out-of-the-box remote access trojan malware can be: A campaign it has dubbed "Armor Piercer" has been attacking the Indian government since December 2020.

A phishing campaign that mostly targeted the global aviation industry may be connected to Nigeria, according to Cisco Talos. The malicious campaigns centred around phishing emails linking to off-the-shelf malware, sent to people around the world - even those with only a marginal interest in commercial aviation.

A never-before-documented Windows malware strain dubbed MosaicLoader is spreading worldwide, acting as a full-service malware-delivery platform that's being used to infect victims with remote-access trojans, Facebook cookie stealers and other threats. "The attackers behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service," researchers at Bitdefender explained, in an analysis released on Tuesday.

A malware family identified by a team of threat researchers at Trend Micro has been named BIOPASS RAT. "What makes BIOPASS RAT particularly interesting is that it can sniff its victim's screen by abusing the framework of Open Broadcaster Software Studio, a popular live streaming and video recording app, to establish live streaming to a cloud service via real-time messaging protocol," the Trend Micro team reported. The attack misuses the object storage service of Alibaba Cloud to host the BIOPASS RAT Python scripts as well as to store the exfiltrated data from victims.

"Attached herewith is the revised circular," the malicious email reads. "Since 50 percent of the malicious emails targeted South Korea, we can speculate that threat actors were closely monitoring local news about the vaccination campaign in the country and anticipated shipment of 14 million doses of coronavirus vaccine," the spokesperson said.

An email campaign is delivering a Java-based remote access trojan that can not only steal credentials and take control of systems, but also presents as fake ransomware, Microsoft researchers have discovered. The Microsoft Security Intelligence team has outlined details of a "massive email campaign" delivering the StrRAT malware that they observed last week and reported in a series of tweets earlier this week.

A cyberattack campaign that goes after aviation targets has been uncovered, which is spreading remote access trojan malware bent on cyber-espionage. Once installed, the RATs connect to a command-and-control server that's hosted on a dynamic hosting site to register with the attackers.
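Two of the items above describe network behaviour a defender can look for on the wire: BIOPASS RAT streaming the screen over RTMP to a cloud service and staging scripts on cloud object storage, and the aviation-campaign RATs registering with a command-and-control server on a dynamic hosting site. The triage script below, an added example that is not code from Trend Micro, Cisco Talos or any of the reports quoted on this page, runs three such checks over a few constructed outbound-connection records. The log format, the process allowlist, the list of scripting interpreters and the domain-suffix lists are all assumptions made for the example; only the RTMP default port (1935) is a fixed fact, and RTMP on a non-default port would not be caught.

```python
"""Triage of constructed outbound-connection records (added example; the log
format, the allowlists and the suffix lists are assumptions, not indicators
taken from the Trend Micro or Cisco Talos reports)."""
import re
from typing import Dict, List, Optional

RTMP_PORT = 1935  # default RTMP port; streaming on other ports is not detected

# Assumed: processes expected to stream over RTMP on a managed endpoint.
STREAMING_ALLOWLIST = {"obs64.exe", "obs32.exe"}
# Assumed: scripting interpreters that should rarely talk to object storage.
SCRIPT_INTERPRETERS = {"python.exe", "pythonw.exe", "powershell.exe", "wscript.exe"}
# Assumed, illustrative suffixes; a real deployment maintains these lists.
OBJECT_STORAGE_SUFFIXES = (".aliyuncs.com",)
DYNAMIC_DNS_SUFFIXES = (".duckdns.org", ".no-ip.com", ".ddns.net", ".dyndns.org")

# Constructed sample records: timestamp, process, destination host, port.
SAMPLE_LOG = """\
2021-07-09T10:01:12Z python.exe example-bucket.oss-cn-hangzhou.aliyuncs.com 443
2021-07-09T10:01:40Z python.exe rtmp.example.net 1935
2021-07-09T10:02:05Z obs64.exe live.example.org 1935
2021-07-09T10:03:33Z svchost.exe update.example.duckdns.org 443
2021-07-09T10:04:00Z chrome.exe www.example.com 443
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+(?P<host>\S+)\s+(?P<port>\d+)$")


def parse_line(line: str) -> Optional[Dict]:
    """Parse one record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": m["ts"],
        "proc": m["proc"].lower(),
        "host": m["host"].lower().rstrip("."),
        "port": int(m["port"]),
    }


def host_matches(host: str, suffixes) -> bool:
    """Suffix match on the registrable part, so 'evilduckdns.org' does not match."""
    return any(host.endswith(s) for s in suffixes)


def triage(log_text: str) -> List[Dict]:
    """Return one finding per triggered rule, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["port"] == RTMP_PORT and rec["proc"] not in STREAMING_ALLOWLIST:
            reasons.append("rtmp_from_unexpected_process")
        if rec["proc"] in SCRIPT_INTERPRETERS and host_matches(rec["host"], OBJECT_STORAGE_SUFFIXES):
            reasons.append("script_interpreter_to_object_storage")
        if host_matches(rec["host"], DYNAMIC_DNS_SUFFIXES):
            reasons.append("dynamic_dns_destination")
        for reason in reasons:
            findings.append({**rec, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['proc']} -> {f['host']}:{f['port']}  [{f['reason']}]")
```

The suffix rules are deliberately coarse: a dynamic-DNS hit on its own is only a lead, and the RTMP rule is only as good as the allowlist, so in practice both are paired with the process tree (which parent launched the interpreter) before anyone is paged.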

A new email-based campaign by an emerging threat actor aims to spread various remote access trojans to a very specific group of targets who use Bloomberg's industry-based services. Researchers have been tracking the email-based campaign since Fajan first commenced activity in March, recovering a "relatively low volume" of samples that make it tricky to determine "whether the campaigns are carefully targeted or mass-spammed," according to a report posted online Wednesday.

A spear-phishing attack operated by a North Korean threat actor targeting its southern counterpart has been found to conceal its malicious code within a bitmap image file to drop a remote access trojan capable of stealing sensitive information. Attributing the attack to the Lazarus Group based on similarities to prior tactics adopted by the adversary, researchers from Malwarebytes said the phishing campaign started by distributing emails laced with a malicious document that it identified on April 13.
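The item above says the payload was concealed in a bitmap image, but not how. One generic check an analyst runs on any image pulled out of a suspicious document is to parse the BMP headers, derive the size the pixel array should have from the declared geometry, and compare it with the bytes actually on disk: data appended after the pixel array has no legitimate reason to be there. The code below is an added example, not the Malwarebytes analysis or the Lazarus tooling, and it builds its own constructed BMP to test against. It only catches appended data; a payload encoded inside the pixel values themselves would pass this check, and compressed BMPs are rejected rather than guessed at.

```python
"""Detect data appended after the pixel array of an uncompressed BMP
(added example; the sample image and payload are constructed here)."""
import struct

FILE_HEADER = "<2sIHHI"        # 'BM', file size, reserved, reserved, pixel offset
INFO_HEADER = "<IiiHHII"       # first 28 bytes of BITMAPINFOHEADER
BI_RGB = 0                     # compression value meaning "uncompressed"


def make_bmp(width: int, height: int, extra: bytes = b"") -> bytes:
    """Build a minimal all-black 24-bpp BMP, optionally with `extra` appended."""
    row_stride = ((width * 24 + 31) // 32) * 4   # rows are padded to 4 bytes
    pixel_size = row_stride * height
    offset = 14 + 40
    file_hdr = struct.pack(FILE_HEADER, b"BM", offset + pixel_size, 0, 0, offset)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, BI_RGB,
                          pixel_size, 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + bytes(pixel_size) + extra


def patch_declared_size(data: bytes) -> bytes:
    """Rewrite the declared file size to match the real length, as an attacker
    hiding appended data from a naive size comparison would."""
    return data[:2] + struct.pack("<I", len(data)) + data[6:]


def inspect_bmp(data: bytes) -> dict:
    """Compare declared size and geometry-derived pixel size with the real length."""
    if len(data) < 14 + 40 or data[:2] != b"BM":
        raise ValueError("not a BMP with a BITMAPINFOHEADER")
    _, declared_size, _, _, offset = struct.unpack_from(FILE_HEADER, data, 0)
    dib_size, width, height, _planes, bpp, compression, _ = struct.unpack_from(
        INFO_HEADER, data, 14)
    if dib_size < 40:
        raise ValueError("BITMAPCOREHEADER layout not handled")
    if compression != BI_RGB:
        raise ValueError("compressed BMP: pixel size cannot be derived from geometry")
    row_stride = ((width * bpp + 31) // 32) * 4
    expected_end = offset + row_stride * abs(height)   # negative height = top-down
    trailing = max(len(data) - expected_end, 0)
    return {
        "declared_size": declared_size,
        "actual_size": len(data),
        "expected_end": expected_end,
        "trailing_bytes": trailing,
        "size_mismatch": declared_size != len(data),
        "suspicious": trailing > 0 or declared_size != len(data),
    }


def extract_trailing(data: bytes) -> bytes:
    """Return whatever follows the pixel array, for further analysis."""
    return data[inspect_bmp(data)["expected_end"]:]


if __name__ == "__main__":
    stuffed = patch_declared_size(make_bmp(2, 2, extra=b"constructed payload"))
    print(inspect_bmp(stuffed))
    print(extract_trailing(stuffed))
```

Deriving the expected end from width, height and bits-per-pixel is what makes the check robust: fixing up the declared file size is trivial for an attacker, but the pixel array size is fixed by the geometry the image viewer needs to render it.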