Inside of the WASP’s nest: deep dive into PyPI-hosted malware
Photo by Matheus Queiroz on Unsplash In late 2022 we decided to start monitoring PyPI, arguably the most important Python repository, as there were a number of reports on it hosting malware. PyPI took exceptional relevance amongst all repositories as, historically, it was trusted by default by many software developers. Any security breach or abuse […] more…MosaicRegressor: Lurking in the Shadows of UEFI
Part II. Technical details (PDF) UEFI (or Unified Extensible Firmware Interface) has become a prominent technology that is embedded within designated chips on modern day computer systems. Replacing the legacy BIOS, it is typically used to facilitate the machine’s boot sequence and load the operating system, while using a feature-rich environment to do so. At […] more…Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia
We discovered a new campaign targeting organizations in Turkey, Pakistan and Tajikistan that has some similarities with an earlier campaign named MuddyWater, which hit various industries in several countries, primarily in the Middle East and Central Asia. Third party security researchers named the MuddyWater campaign as such because of the difficulties in attributing the attacks. […] more…APT43: An investigation into the North Korean group’s cybercrime operations
Introduction As recently reported by our Mandiant’s colleagues, APT43 is a threat actor believed to be associated with North Korea. APT43’s main targets include governmental institutions, research groups, think tanks, business services, and the manufacturing sector, with most victims located in the United States and South Korea. The group uses a variety of techniques and […] more…IT threat evolution Q2 2019. Statistics
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data. Quarterly figures According to Kaspersky Security Network, Kaspersky solutions blocked 717,057,912 attacks launched from online resources in 203 countries across the globe. 217,843,293 unique URLs triggered Web Anti-Virus components. Attempted infections by malware designed to steal […] more…The Banking Trojan Emotet: Detailed Analysis
Introduction In the summer of 2014, the company Trend Micro announced the detection of a new threat – the banking Trojan Emotet. The description indicated that the malware could steal bank account details by intercepting traffic. We call this modification version 1. In the autumn of that year a new version of Emotet was found. […] more…Extracting type information from Go binaries
During the 2021 edition of the SAS conference, I had the pleasure of delivering a workshop focused on reverse-engineering Go binaries. The goal of the workshop was to share basic knowledge that would allow analysts to immediately start looking into malware written in Go. A YouTube version of the workshop was released around the same […] more…Project TajMahal – a sophisticated new APT framework
Executive summary ‘TajMahal’ is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named ‘Tokyo’ and ‘Yokohama’. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its […] more…Inside the EquationDrug Espionage Platform
Introduction EquationDrug is one of the main espionage platforms used by the Equation Group, a highly sophisticated threat actor that has been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996. (See full report here [PDF]). EquationDrug, which is still in use, dates back to 2003, […] more…Operation TunnelSnake
Windows rootkits, especially those operating in kernel space, are pieces of malware infamous for their near absolute power in the operating system. Usually deployed as drivers, such implants have high privileges in the system, allowing them to intercept and potentially tamper with core I/O operations conducted by the underlying OS, like reading or writing to […] more…Roaming Mantis part III: iOS crypto-mining and spreading via malicious content delivery system
In Q2 2018, Kaspersky Lab published two blogposts about Roaming Mantis sharing details of this new cybercriminal campaign. In the beginning, the criminals used DNS hijacking in vulnerable routers to spread malicious Android applications of Roaming Mantis (aka MoqHao and XLoader), spoofing legitimate applications such as Facebook and Chrome. During our research, it became clear […] more…More information
- IPv4 vs IPv6 Performance Comparison – Part 2
- Resolved: VMhosting Service Degradation
- Facebook to train women in India about digital security
- Fraudsters are playing a different kind of card game
- Major Cybersecurity Breach of US Court System Comes to Light
- Recent Threats Highlight Vulnerabilities CVE-2012-0779 and CVE-2012-0507
- AT&T announces cloud-based storage, 5 GB free for iOS users
- LinkedIn confirms hack, over 60% of stolen passwords already cracked
- Zoom Vulnerability Lets Hackers Hijack Your Webcam
- Google CEO Faces House Grilling on Breach, China Censorship