Short Summary:
A new spyware targeting South Korean Android users has been discovered. This malware disguises itself as a recording app and uses Amazon AWS as a Command and Control (C&C) server to steal sensitive information such as contacts, text messages, photos, and videos from infected devices.…
The Luxy malware combines both stealing and ransomware functionalities, resembling the Umbral stealer. It collects user credentials and browser details via Telegram while encrypting files and leaving a ransom note with a decryption key. The malware is a 32-bit .NET executable that employs various techniques to evade detection and steal sensitive information.…
Recently, we saw a tweet about a document claiming to be reporting about the recent “Indian Election Results”. On analysis, we found that it was dropping a “Crimson RAT” payload. This RAT, mostly used by the Transparent Tribe APT, is capable of stealing credentials and other sensitive information.…
In the last few months we’ve been observing a lot of tweets talking about the rise in Vietnamese-based malware aka Braodo Stealer. This blog gets into the nuances of Braodo, an information stealer, capable of stealthily infiltrating the victims’ system to harvest their sensitive information, such as credentials, banking information and more, and do their intended damage like, identity theft and financial losses.…
Stealers are a widespread threat providing threat actors with access to a wealth of sensitive data which is then exfiltrated to them for further abuse. Kematian Stealer, a PowerShell based tool is one such sophisticated malware.
Recently we came across a tweet about Kematian Stealer. It was a PowerShell based Token-Grabber.…
Threat actors are constantly working on novel ways to target users across the globe. This blog is about SpyMax, an Android RAT that targets Telegram users. A point to be noted is that this RAT does not require the targeted device to be rooted; making it easier for the threat actors to do the intended damage.…
Typically spread through malicious attachments, drive-by downloads, or social engineering, Remcos RAT has been active since 2016. Initially presented by BreakingSecurity, a European company, as a legitimate remote control tool, it has since been exploited by threat actors for nefarious purposes, despite claims of restricted access for lawful use.…
Recently we at K7Labs came across a tweet and analysed the Evil Ant ransomware sample mentioned in the tweet.
Evil Ant,also a member of ransomware list that employs Python, a versatile and widely used programming language. This blog describes how this ransomware works and what its features are.…
Recently we got our hands on a set of samples which had a big data section with high entropy and had fake executable information like WinRar, Chrome, CustomRP, etc. Out of curiosity we analysed one but we weren’t able to find any interesting Win32APIs used by this sample.…
Recently, we came across an update from PolySwarm regarding a new Variant of Zloader. Zloader is a malware based on Zeus, which has been targeting financial institutions and its customers. This blog gets into the nuances of the new techniques used by Zloader.
Technical AnalysisIt was observed that Zloader had very few Import functions and it was obfuscated and threat actors were making sure that Zloader only runs with the filename “IonPulse.exe”.…
Remember ‘.tprc’, the cyber scourge that sent shivers down spines in 2021? It seems this digital phoenix has risen from the ashes, reborn in a new, even more menacing form. December 2023 marks the unsettling return of ‘.tprc’, not just a rehash of the old, but a cunning evolution that puts both individuals and organizations on high alert.…
Recently we came across a tweet about DotStealer malware, and on observing its behavior we found it to be stealing user information like User Login and Credit card data, along with system information such as the contents of Desktop and Downloads folder. All this stolen data is exfiltrated through a Telegram account.…
The digital world that we live in has been always facing different types of cyber attacks. Of late, there has been a spurt in ransomware (a malware that permanently blocks access to the victim’s data demanding a ransom) attacks across the globe causing great concern for organizations and individuals alike. …
The Qakbot malware has reappeared just four months after law enforcement disrupted its distribution in the “Duck Hunt” operation. Lately, various security companies have noticed the malware spreading through phishing emails. Microsoft, which discovered this, described it as a small-scale campaign starting on December 11, 2023, specifically targeting the hospitality industry.…
Python has dominated over other programming languages over the decade and it keeps growing with the support of its open source community. There are many open source python projects and applications that are popular and used by millions of users; but have you heard of open source malware?…
Information Stealers are a pervasive threat and are capable of providing threat actors with a rich source of sensitive data.
Recently, we came across this tweet that the Serpent Stealer is on sale on the dark web. A .NET based malware, this has the ability to not only acquire sensitive information from the most popular online browsers and applications but also has the capability to exfiltrate passwords. …
Threat actors focus on gaining remote access and control of victims’ devices. For this they either use fake apps or masquerade as legitimate apps. This blog is about the Rusty Droid RAT, which masquerades Chrome browser for Android. The sample under consideration is taken from this tweet.…
Remote Access Trojan (RAT) is a type of malware that, as the name suggests, can remotely access a victims’ system after successful infection. This blog is about one such RAT, RomCom RAT which can take complete control of a compromised system by spoofing and deploying fake versions of legitimate applications on the victims’ system to gain initial trust. …
Recently, researchers at K7 Labs found a website that was ostensibly providing cracked software for macOS. The website appears well done and claims to provide safe, fast and free software. But in reality people were unintentionally downloading the Pirrit adware. The name of the site was crack(-)mac(.)com.…
Go code related malwares are getting pretty common day by day because of multiple reasons like easy to code, a single codebase which can be used to generate samples for multiple OSes, difficult to reverse engineer, etc. We came across a campaign recently where attackers used Go based clip bankers to steal crypto on the go using a Telegram bot .…