At the beginning of February 2018, FortiGuard Labs collected a malicious email with the subject “UPS DELIVERY UPDATE”, as shown in Figure 1. Phishers and scammers traditionally misuse the names of well-known organizations and individuals in order to make their malicious messages seem legitimate, allowing them to more easily trick unsuspecting victims. This email message contains a fake order tracking number with a bogus hyperlink that, rather than connecting the user to a legitimate website, downloads a jar malware. After a quick analysis, I was able to determine that this malware is jRAT/Adwind.
In addition to establishing an aggressive and proactive patch-and-replace protocol, it is essential that organizations have layers of security in place designed to detect malicious activity and malware, and to protect vulnerable systems.
In this blog post, we will discuss the history of sandbox detection. We will then unveil the malware families that KTIS has observed from spear-phishing emails that attempt to bypass the user-mode API hook in order to evade sandbox detection. And finally, we will share the mitigation method we use to harden the Cuckoo sandbox against this bypass technique.
As global cyberattacks persist, cybersecurity is becoming a main focus in the C-suite. Gone are the days where it’s just a concern for IT teams. These rapid, sophisticated attacks across industries have demonstrated that cybersecurity is the responsibility of the entire organization as they seek to avoid the crippling effects associated with data breaches.
There is no doubt that cryptocurrency has been on a steady rise. According to a research paper by the University of Cambridge, the market capitalization of cryptocurrency has increased more than three-fold since early last year and it’s not likely to stop there. With more and more people realizing that cryptocurrency is potentially a significantly profitable investment, this rise is likely to continue for the foreseeable future. And where there is profit, that is where malware attacks will gather. Which is why we have been expecting...
The proliferation of online devices accessing personal and financial information, the adoption of virtualized and multi-cloud environments, and the growing connection of everything – from armies of IoT devices and critical infrastructure in cars, homes, offices, and industry, to the rise of smart cities – have combined to create new destructive opportunities for cybercriminals.
Not long after a new strain of the Akuma malware was discovered targeting ZyXEL devices with a new series of login/password attacks, FortiGuard Labs last week also began detecting strange scanning activities on uncommon TCP ports 52869 and 37215. We and other threat research teams quickly began to suspect that these were tied together, and that there was a new botnet out there.
Fortinet is not standing still in the face of the rapidly changing threat environment. Recently, we added some significant new technologies to the latest iteration of FortiClient, our endpoint protection product. For example, FortiClient now includes an Anti-Exploit Engine that delivers a next-generation approach to endpoint protection. It also includes auto-patching capabilities that streamline patch management for known vulnerabilities. Automation of patching drives efficiencies while enabling organizations to address vulnerabilities faster.
Fortinet today announced the findings of its latest Global Threat Landscape Report. The research reveals that high botnet reoccurrence rates and an increase of automated malware demonstrate that cybercriminals are leveraging common exploits combined with automated attack methods at unprecedented speed and scale.
FortiGuard Labs has been actively monitoring FALLCHILL, validating all its IOCs (indicators of compromise), and providing protection for our customers. In a previous post we provided a high level overview of FALLCHILL. In this research report we dig even further, providing a deep dive analysis of the FALLCHILL Remote Administration Tool (RAT) in order to shed additional light on this threat, and thereby help our customer and the security community at large defend against this threat and similar threats.