Threat Research

Threat Research

An Analysis of Microsoft Edge Chakra NewScObjectNoCtor Array Type Confusion (CVE-2018-0838)

CVE-2018-0838 is one of the ‘type confusion’ bugs in the Microsoft Edge Chakra Engine that was fixed by Microsoft three months ago. This bug causes memory corruption and can possibly be exploited to execute arbitrary code when a vulnerable system browses a malicious web page via Microsoft Edge.

By Dehui YinMay 18, 2018

Threat Research

A Wicked Family of Bots

As we continue to keep track of the latest IoT botnets, the FortiGuard Labs team has seen an increasing number of Mirai variants, thanks to the source code being made public two years ago. Since then, threat actors have been adding their own flavours to the original recipe.

Threat Research | Industry Trends

Fortinet Threat Report Reveals an Evolution of Malware to Exploit Cryptocurrencies

Fortinet FortiGuard Labs today unveiled the findings of its latest Global Threat Landscape Report. The research reveals an evolution of malware to exploit cryptocurrencies.

By FortiGuard SE TeamMay 16, 2018

Threat Research

New Remcos RAT Variant is Spreading by Exploiting CVE-2017-11882

Several days ago, FortiGuard Labs captured a malware sample that was exploiting the Microsoft Office vulnerability CVE-2017-11882 patched by Microsoft last November. The sample is an RTF document with an Equation object. By analyzing its behavior in my test environment, I realized that it spreads a new variant of Remcos RAT, version “2.0.4 Pro,” that was released on April 7, 2018 from its official website. It is able to control the victim’s PC after infection.

By Xiaopeng ZhangMay 04, 2018

Threat Research

GandCrab V3 Accidentally Locks Systems with New ‘Change Wallpaper’ Feature

GandCrab is one of the most talked about ransomware families this year primarily due to its increasing distribution volume, as we described in our previous article. At the end of last month, FortiGuard Labs discovered a new spam wave from the same campaign delivering the latest version, GandCrab v3.

By Joie SalvioMay 04, 2018

Threat Research

Yet Another Crypto Mining Botnet?

In February 2018, several Russian nuclear scientists were arrested for allegedly mining cryptocurrencies using computing resources located at a Russian nuclear warhead facility. Globally, cryptominers are rapidly increasing and spreading for an obvious reason: it’s lucrative.

By David MaciejakMay 03, 2018

Threat Research

GandCrab 2.1 Ransomware on the Rise with New Spam Campaign

Recently, FortiGuard Labs has been observing a surge in an email spam campaign delivering the latest GandCrab v2.1 ransomware. This article provides a basic overview of this malicious campaign, and points out details that can help users identify it.

Industry Trends | Threat Research

Zero Day Risks and the Return of Hacking Team

There are basically two kinds of threats organizations and users face today: the ones that security vendors and threat researchers know about, and those they don’t. The ones we know about get vendor patches, signatures are updated across a variety of security tools in order to detect them, and behaviors are documented in order to detect and disrupt the more sophisticated ones. People who are affected by these sorts of attacks usually either don’t have the right security tools deployed in the right places, or they aren’t practicing adequate cyber hygiene.

Threat Research

Python-Based Malware Uses NSA Exploit to Propagate Monero (XMR) Miner

Recently, FortiGuard Labs uncovered a new python-based cryptocurrency mining malware that uses the ETERNALROMANCE exploit, that we have dubbed “PyRoMine.” In this article, I provide an analysis of this malware and show how it leverages the ETERNALROMANCE exploit to spread to vulnerable Windows machines.

By Jasper ManuelApril 24, 2018

Threat Research

New Trickbot Plugin Harvests Email Addresses from SQL Servers, ScreenLocker Module Not for Ransom

Just a week after publishing our discovery of Trickbot’s networkDLL, the FortiGuard Labs monitoring system has found a new module called squlDll that is being actively distributed to the banking trojan’s victims.