Channel: Malware don't need Coffee
Browsing all 185 articles

Prism themed ransomware - Kovter evolution

Prism logo ;) I found a new (to me; it seems it's 2 weeks old) Prism-themed ransomware. Not really worth a post, but it could make you smile too... so here it is: Prism Themed Ransomware -...


Finally ! Here is ... GrandSoft Private SploitPack !!

(not the logo - just for Thumbnail) That's a lot of exclamation marks, but when you can name something after wondering for months what it was, you want to share the !!! I've heard of GrandSoft and from...


Revoyem goes international - shocking distribution....

The dirty Revoyem (aka DirtyDecrypt) ransomware seems to have appeared at the end of March 2013 and was targeting Germany and Great Britain only. It looks like they are now going international and are...


jre7u21 and earlier Click-2-Play Warning Bypass integrating Exploit Kits

A new variant of a "Kore-ish" Cool EK appeared a few days ago. Yes... it's difficult to follow the fast-moving EK landscape... No payload in the jar for that one. Some instances of this "Cool EK" in...


Cookie-Bomb : The "Северная Сказка" Iframer way

For Thumbnail (from turn.com) First mention of what they named the "CookieBomb" code injection attack comes from @MalwareMustDie in this post. #MalwareMustDie NEW #BLOG: Proof of Concept of "CookieBomb" attack...


Flimrans Affiliate : Borracho

In the middle of May a new ransomware appeared (or at least was spotted), pushed in a new Exploit Kit named Flimkit by Chris Wakelin. Flimkit pushing Flimrans. Encoded payload in the jar. 404 callback for...


Late Disclosure - Darkleech Actors /Home/ - some numbers

To illustrate a post to come on the Blackhole transition, here are some numbers for the /home/ aka q.php Blackhole aka Darkleech fuelled. Note: the Darkleech module filters user-agent. Infection tried only on IE...


Paunch's arrest...The end of an Era !

Snapshot of: Spin up of a Supermassive Black Hole. Illustration Credit: Robert Hurt, NASA/JPL-Caltech. Note: This post is a work in progress. Not all groups have transitioned. So I will update (if I am...


Meet Madness Pro or Few days rise of a Ddos Botnet

At the beginning of September I landed on a new instance of Cool Exploit Kit: /paper/ Cool EK pushing Dipverdle, which then calls home and gathers Madness (sometimes no analysis needed ;) ) ddos bot. Dipverdle...


Urausy is going Regional in United States

As long as there are people paying... I guess we'll have news to write about ransomware. Today I faced a new design for Urausy in the United States... Was wondering what was making it new. See: Urausy -...


Jolly Roger Stealer - Stoberox.B(?)/Zlader.F

Piece of Jolly Roger Stealer advert. Original text of the advert ------------------------------------------ Jolly Roger Stealer - updated password collection system, password stealer with loader functionality. Good...


Kovter becomes even more abominable . Also add new targets.

In Kovter NL design. Kovter is following Revoyem's path. Double shock on victims and new targeted countries. This evolution has been spotted by Rich from Malwarebytes: Malware-Ransomers Getting Very Sick....


Big Andromeda Campaign back on track. From Sweet Orange to Neutrino

This is not the usual post I write, but I decided to go on as the campaign is quite big (enough to modify the EK market share feeling) and I have some compromised domains to share for remediation (see at...


Magnitude EK : Pop Pop !

Magnitude. Magnitude is a community name chosen for an Exploit Kit previously referred to as "Popads". Why Popads? Many days after it was first spotted, the driveby was being done using malverts pushed...


CVE-2013-2551 and Exploit Kits

A late post to sum up what has been seen in Exploit Kits regarding CVE-2013-2551. This vulnerability was exploited during Pwn2Own 2013 by VUPEN on 2013-03-07. First mention was by Yonathan...


Inside a (The?) Simda Affiliate : Podmena affiliate program (formerly Chesto)

Simda being distributed in affiliate mode can be found via many different infection vectors. But it's the only payload of what I call "Styx Kein". First mention of this Styx "instance" I found comes from...


CVE-2013-0074 (Silverlight) integrates Exploit Kits

Angler EK is definitely on the move. It's not a huge surprise when we can speculate that the team behind it is the same one that was first using Cool EK (Paunch VIP customer) and is behind the Reveton...


MagicTraffic : a look inside a Zaccess/Sirefef affiliate

Thx @Horgh_rce for the time spent studying different sets of samples. There are at least 2 affiliates spreading Zaccess/Sirefef: - MagicTraffic - Sti Ppi. Maybe (?) a third one: SmartPrivate (?) (which...


Reveton planting "evidences" on "the crime scene"

Fast post on the last Reveton move. Thanks @MalwareSigs & @Ash4er for inputs :) Reading Lavasoft Security Bulletin: November 2013, I saw a ransomware design that was new to me. Lavasoft was associating...


One ...random...Gameover Zeus Team Pony sample Story

Pony icon above, fragment of Khaled Desouki photo tied to Tahrir Square events. Post to share some intel on the "Moar Pony" sample pointed out by SpiderLabs in the "Moar Pony" FAQ. <edit 2013-12-09> Have...
