The reverse-engineering post documents a Lazarus Windows x86 loader/backdoor delivered through the fake JMT Trading cryptocurrency application campaign. The signed JMTTrader_Win.msi installer dropped CrashReporter.exe, which executed with the “Maintain” a…
Algo Capital disclosed that wallets administered by its former CTO were compromised, resulting in the theft of about $1.9 million from fund, company, and personal holdings. The attacker gained access to recovery seed backup data after a sophisticated remo…
Objective-See analyzed a macOS backdoor that the post attributes to Lazarus and ties to the AppleJeus-style use of fake cryptocurrency trading software. The JMT Trading campaign used a legitimate-looking website and GitHub release downloads to distribute …
Thales and Verint released The Cyberthreat Handbook after analyzing about 60 attacker groups and 490 campaigns worldwide. The press release says nearly half of the profiled groups were state sponsored, with cybercriminal, hacktivist, and cyberterrorist gr…
The Financial Security Institute presentation tracks Kimsuky as a North Korea-linked spear-phishing actor active since at least 2013 and still operating in 2019, targeting infrastructure, government, North Korean defectors, politicians, diplomatic and hum…
The follow-up Lazarus Injector analysis covers a signed malware tool uploaded to VirusTotal that appears related to earlier Lazarus tooling but behaves differently from the first injector. The file expects command-line parameters for operational mode and …
ESRC reported Operation Coin Plan, a Konni campaign with strong Kimsuky links that used a malicious HWP document named as a marketing plan for cryptocurrency mining. The HWP file embedded BIN0001.PS PostScript, decoded shellcode with a 16-byte XOR key, an…
The LIFARS case study describes a $67 million cryptocurrency-mining marketplace theft ultimately linked to Hidden Cobra. The initial intrusion used social engineering that impersonated a company system engineer and mimicked a Google Docs weekly-report inv…
ESRC observed new Konni activity in South Korea using a malicious Word document likely delivered by spear phishing and disguised with a Russian-language filename about Russia, North Korea, South Korea, trade, economic ties, and investment. When macros wer…
ESRC reported another Kimsuky Smoke Screen artifact, a malicious DOCM file using the English name for North Korea and linked to the windowsmb account seen in earlier campaign activity. The document relied on macro-enabled Office execution and HTA retrieva…
SentinelOne examined a GMERA.B macOS sample distributed as Stockfoli.app, a fake bundle imitating the legitimate Stockfolio trading application. The bundle placed a seemingly genuine Stockfolio.app copy in its Resources folder while a malicious script dec…
Kaspersky’s Dtrack analysis links the RAT family to Lazarus through code similarities with older malware and activity against India’s financial sector and research centers. The investigation began with ATMDtrack banking malware targeting Indian ATMs and e…
Trend Micro analyzed GMERA macOS malware distributed as a fake trading application that mimicked the legitimate Stockfolio app to steal user information. One variant used shell scripts and remote decryption of encrypted code, while another incorporated a …
Operation Moneyholic, also known internationally as KONNI, used spear-phishing HWP documents against cryptocurrency exchanges and users. The HWP file embedded an EPS object that exploited Ghostscript CVE-2017-8291 to run encrypted shellcode and download V…
SophosLabs found that WannaCry remained highly active in 2019 because thousands of modified binaries kept spreading on Windows systems that still lacked the 2017 patch for the wormable vulnerability. In a September–December 2018 sample, all 2,725 analyzed…