Tuesday, 6 June 2017

Chthonic Trojan is back in nation-state cyberattack against Ukraine

Recently, we discovered a nation-state cyber attack against one government institution in Ukraine. 
The attackers sent a spear phishing email containing an archived JavaScript file used to download and execute the Chthonic backdoor, which belongs to the Zeus family.

Saturday, 3 June 2017

XData ransomware attacked users in Ukraine


On May 18, the author(s) of XData ransomware ran a massive attack against Ukrainian users, supposedly leveraging the EternalBlue exploit as well as ordinary spear phishing email delivery. A week later, an anonymous user, supposedly the author of the AES-NI ransomware that XData is based on, released the master private key. XData decryption tools are now available. We analysed the XData code and found two host-based 'kill-switches', one of which is based on detecting an antivirus running on the infected machine.

Wednesday, 17 May 2017

Ransomware Protection Test - April 2017


Over the last decade, ransomware (cryptolockers) has shown sustained growth, which can be explained by an effective business model that incorporates an anonymous payment system (Bitcoin) and an anonymous network (TOR). This allows attackers to remain untraceable and go unpunished for their criminal activities.

Monday, 15 May 2017

WannaCry 2.0: Indicators of Compromise


WannaCry (WannaCryptor) is probably becoming the most popular cryptolocker in the history of ransomware. It brings nothing new in terms of file encryption (RSA + AES using MS CryptoAPI), but it uses the MS17-010 vulnerability (a.k.a. ETERNALBLUE, as named by the NSA) to propagate itself through local networks over the Server Message Block (SMB) protocol as a network worm, resulting in thousands of infections of Windows machines that have not been updated so far.

Tuesday, 2 May 2017

Targeted attack against the Ukrainian military

This is one more targeted attack against Ukraine that used spear phishing to deliver the DarkTrack backdoor through a fake prescription of the Minister of Defense of Ukraine. The target is CERT in the military domain.


Monday, 3 April 2017

Thursday, 30 March 2017

New Shade cryptolocker confuses analysis tools with 'MS-DOS EXE' file type

A new build of Shade (Troldesh) ransomware comes with a broken PE header, which makes PE analysis tools recognize it as a non-executable 'MS-DOS EXE' file. As a result, the detection rate on VirusTotal is 1/59.