Asruex Backdoor Variant Infects Word Documents and PDFs Through Old MS Office and Adobe Vulnerabilities

Since it first emerged in 2015, Asruex has been known for its backdoor capabilities and its connection to the spyware DarkHotel. However, when we encountered Asruex in a PDF file, we found that a variant of the malware can also act as a file infector: it exploits the old vulnerabilities CVE-2012-0158 (Microsoft Office) and CVE-2010-2883 (Adobe Reader and Acrobat) to inject its code into Word documents and PDF files respectively.


Uncovering a MyKings Variant With Bootloader Persistence via Managed Detection and Response

When we first investigated MyKings in 2017, we focused on how the cryptominer-dropping botnet malware used WMI for persistence. Like Mirai, MyKings appears to be constantly changing its infection routine. The variant we analyzed in this incident did not rely on a single persistence method but on several: in addition to WMI, it used the registry, the task scheduler, and a bootkit, the bootkit being the most interesting of the four.
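The four persistence locations named above are exactly what a responder would sweep on a suspected MyKings host. The script below is an added triage example, not code from the Trend Micro write-up: it enumerates permanent WMI event subscriptions, the Run/RunOnce keys, scheduled tasks whose actions point at script hosts or user-writable paths, and hashes the first sector of the disk so it can be compared with a known-good MBR. The baseline hash and the suspicious-path pattern are placeholders (assumptions) to be replaced with values from your own environment; run it from an elevated PowerShell session.

```powershell
# Added triage script (not from the Trend Micro write-up): enumerate the
# persistence locations the MyKings variant is described as using.
# Requires an elevated PowerShell session on the host under investigation.

# Assumption: record this from a known-clean machine with the same disk layout.
$KnownGoodMbrSha256 = 'REPLACE-WITH-BASELINE-HASH'

function Get-WmiPersistence {
    # Permanent WMI subscriptions need a filter, a consumer and a binding;
    # listing all three shows what fires and what it runs.
    $ns = 'root\subscription'
    [PSCustomObject]@{
        Filters         = Get-CimInstance -Namespace $ns -ClassName __EventFilter |
                          Select-Object Name, Query
        CmdConsumers    = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer |
                          Select-Object Name, CommandLineTemplate
        ScriptConsumers = Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer |
                          Select-Object Name, ScriptingEngine, ScriptText
        Bindings        = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
                          Select-Object Filter, Consumer
    }
}

function Get-RunKeyEntries {
    # Machine- and user-level autostart keys.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        (Get-ItemProperty -Path $p).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                [PSCustomObject]@{ Key = $p; Name = $_.Name; Command = $_.Value }
            }
    }
}

function Get-SuspiciousTasks {
    # Tasks whose action invokes a script host or runs from a user-writable
    # location. The patterns are an assumption; tune them for your estate.
    $hostPattern = 'cmd|powershell|wscript|cscript|mshta|regsvr32|rundll32'
    $pathPattern = '\\Temp\\|\\AppData\\|\\ProgramData\\|\\Users\\Public\\'
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmdline = "$($a.Execute) $($a.Arguments)"
            if ($a.Execute -match $hostPattern -or $cmdline -match $pathPattern) {
                [PSCustomObject]@{
                    Path = $task.TaskPath; Name = $task.TaskName
                    Execute = $a.Execute; Arguments = $a.Arguments
                }
            }
        }
    }
}

function Get-MbrHash {
    param([string]$Drive = '\\.\PhysicalDrive0')
    # A bootkit rewrites the first sector, so hash it raw and compare with a
    # baseline taken from a clean host with the same disk layout.
    $fs = New-Object System.IO.FileStream($Drive, [System.IO.FileMode]::Open,
                                          [System.IO.FileAccess]::Read,
                                          [System.IO.FileShare]::ReadWrite)
    try {
        $mbr = New-Object byte[] 512
        if ($fs.Read($mbr, 0, 512) -ne 512) { throw "short read from $Drive" }
        $sha  = [System.Security.Cryptography.SHA256]::Create()
        $hash = ($sha.ComputeHash($mbr) | ForEach-Object { $_.ToString('x2') }) -join ''
        [PSCustomObject]@{
            Drive         = $Drive
            Sha256        = $hash
            BootSignature = ('{0:X2}{1:X2}' -f $mbr[510], $mbr[511])   # valid MBR ends in 55AA
            MatchesBase   = ($hash -eq $KnownGoodMbrSha256)
        }
    } finally { $fs.Dispose() }
}

Get-WmiPersistence  | Format-List
Get-RunKeyEntries   | Format-Table -AutoSize
Get-SuspiciousTasks | Format-Table -AutoSize
Get-MbrHash         | Format-List
```

A non-matching MBR hash is a prompt to pull the sector with a forensic imaging tool and diff it against the baseline, not proof of a bootkit by itself; the WMI listing is the more decisive indicator, since a legitimate system rarely carries CommandLineEventConsumer or ActiveScriptEventConsumer instances at all.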


Adware Posing as 85 Photography and Gaming Apps on Google Play Installed Over 8 Million Times

The mobile platform is ubiquitous: users rely on it for online transactions, for running their everyday lives, and increasingly for work. It is no surprise that fraudsters and cybercriminals want to cash in on it. Delivering adware, for example, lets them monetize affected devices while appearing innocuous. And while adware may be dismissed as a mere nuisance, mobile ad fraud and adware-related incidents became so rampant last year that they cost businesses hefty financial losses.


Analysis: New Remcos RAT Arrives Via Phishing Email

In July, we came across a phishing email purporting to be a new order notification; its malicious attachment leads to the remote access tool Remcos RAT (detected by Trend Micro as BKDR_SOCMER.SM). The attack delivers Remcos through an AutoIt wrapper that uses various obfuscation and anti-debugging techniques to evade detection, a common method of distributing known malware.


August Patch Tuesday: Update Fixes ‘Wormable’ Flaws in Remote Desktop Services, VBScript Gets Disabled by Default

While none of the vulnerabilities were listed as under active attack at the time of the August Patch Tuesday release, a few of the bugs addressed this month fall under the "wormable" category, namely remote code execution (RCE) vulnerabilities in Remote Desktop Services. This month's Patch Tuesday also disables the scripting language VBScript by default in Internet Explorer on Windows 7, 8, and 8.1.
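After a Patch Tuesday with wormable RDS bugs, the practical questions are whether the update actually landed, whether RDP is reachable and requires Network Level Authentication (which Microsoft lists as a partial mitigation for these RDS flaws), and whether the VBScript default has been overridden back to "enabled". The script below is an added verification example, not code from the Trend Micro post. This page lists no KB numbers, so the KB list is an empty placeholder to be filled from the Microsoft release notes for your build; the registry value 140C is Microsoft's "Allow VBScript to run in Internet Explorer" zone setting (0 = enabled, 3 = disabled), checked here for the Internet (3) and Restricted sites (4) zones at both machine and user level.

```powershell
# Added post-patch verification (not from the Trend Micro post).
# Requires an elevated PowerShell session.

# Assumption: fill in the KB IDs for your Windows build from the Microsoft
# release notes; this page does not list them.
$RdsFixKbs = @()

function Test-RdsFixInstalled {
    param([string[]]$Kbs = $RdsFixKbs)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Kbs) {
        [PSCustomObject]@{ Kb = $kb; Installed = ($installed -contains $kb) }
    }
}

function Get-RdsExposure {
    # fDenyTSConnections = 0 means Remote Desktop is enabled;
    # UserAuthentication = 1 means NLA is required before the session starts.
    $ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp  = "$ts\WinStations\RDP-Tcp"
    $port = (Get-ItemProperty $rdp).PortNumber
    $listening = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        RdpEnabled  = ((Get-ItemProperty $ts).fDenyTSConnections -eq 0)
        NlaRequired = ((Get-ItemProperty $rdp).UserAuthentication -eq 1)
        ListenPort  = $port
        Listening   = [bool]$listening
    }
}

function Get-IeVbScriptSetting {
    # Value 140C under a zone key controls VBScript in IE: 0 enabled, 3 disabled.
    # $null means no explicit override; the build's default then applies, which
    # this update makes "disabled" on Windows 7, 8 and 8.1. An explicit 0 is
    # the case worth flagging, since it re-enables VBScript despite the patch.
    $relative = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($zone in 3, 4) {
            $key = "${hive}:\$relative\$zone"
            $v = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'140C'
            [PSCustomObject]@{
                Hive              = $hive
                Zone              = $zone
                Value140C         = $v
                ExplicitlyEnabled = ($v -eq 0)
            }
        }
    }
}

Test-RdsFixInstalled  | Format-Table -AutoSize
Get-RdsExposure       | Format-List
Get-IeVbScriptSetting | Format-Table -AutoSize
```

A host that reports RdpEnabled and Listening with NlaRequired false, and no installed fix, is the one to prioritize; NLA narrows the pre-authentication attack surface but Microsoft describes it only as a partial mitigation, so it does not substitute for the update.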
