The King is Dead, Long live the King: Angler May Have Disappeared but Neutrino Quickly Fills In

Posted by Michael Gorelik on Jul 6, 2016 5:11:36 PM

Angler Hangs Up Its Pole

Back in April, more than 80% of drive by download attacks were attributed to Angler. Now? Nearly zero. Speculation abounds regarding its disappearance earlier this month. A vacation by Angler operators? Black market price wars? But the close timing to the roundup in Russia of 50 criminals associated with the Lurk banking Trojan attacks seems the most likely culprit. In this case, Angler may be off the table for good. Unfortunately, Angler’s apparent demise didn’t slow down cyber criminals for long; they simply switched to Neutrino.

Read More

Topics: Attack Analysis

Dridex is Back with a Vengeance. Adding More Evasion Techniques to its Arsenal.

Posted by Michael Gorelik on Jul 2, 2016 8:29:11 PM

The disappearance of Angler has left a gaping hole in the malware market which cybercriminals are only to happy to fill with new variants of old standbys. The latest to reemerge after a period of disuse are Locky and Dridex. A new Locky campaign spotted in the wild on June 20 is analyzed by Pierluigi Paganini on the Security Affairs site. Now a bigger and badder Dridex has reappeared, with more sophisticated evasion tactics, including a new sandbox evasion technique.

Read More

Topics: Exploits, Exploit Kit, Sandbox evasion, Attack Analysis

Less is More (Dangerous): A Dissection of Fileless In-Memory Attacks

Posted by Michael Gorelik on Jun 13, 2016 8:58:34 PM

With fileless malware popping up more and more frequently, particularly sophisticated PowerShell attacks, we thought it useful to examine these threats by reverse engineering those in-memory samples from Virus Total that have the lowest detection rates.

Read More

Topics: Exploits, Attacks, Advanced Persistent Threats, APT, Attack Analysis

Flash Vulnerability Problems No Flash in the Pan [CVE-2016-4117]

Posted by Michael Gorelik on May 20, 2016 3:25:23 PM

Yet another critical Flash vulnerability was uncovered this month, thanks to researchers at FireEye. The vulnerability, CVE-2016-4117, exists in Flash 21.0.0.226 and earlier versions for Windows, Mac, Linux, and Chrome OS. It received a CVSS v3 rating of 9.8, indicating extremely critical (Adobe rushed out a patch earlier this week).

Read More

Topics: Attacks, APT, Attack Analysis

Recycling Known Vulnerabilities -  Old Cyber Attack Goes Stealth

Posted by Michael Gorelik on May 11, 2016 12:45:48 AM
 

In the course of our research we constantly encounter the simple but harsh truth that malware authors can easily bypass popular security products with small variations to their code. In this technical analysis, we present the inner details of a very specific attack that was identified several years back, and which has security patches, but which embodies the new sophistication which makes it invisible to almost every security product.

Read More

Topics: Attack Analysis

Javascript in IE Overtakes Flash as Number One Target for Angler Exploit Kit

Posted by Michael Gorelik on Mar 2, 2016 8:30:53 AM

In Morphisec labs, we are constantly tracking the behavior of the exploit kits that are making life easy for hackers and complicated for security managers. Since the EKs need to take advantage of whatever vulnerability they can find on an end user’s device, they typically have a roster of vulnerabilities to try, and if the first one does not work, they go on to the next one.

Read More

Topics: Exploits, Angler Kit, Attack Analysis

How the EPS File Exploit Works to Bypass EMET (CVE-2015-2545) – A Technical Exploration

Posted by Michael Gorelik on Feb 16, 2016 10:32:33 PM

A few days ago @PhysicalDrive0 (malware hunter) published a new word document sample that we were intrigued to check in Morphisec Labs.  We wanted to see if our product performs its immediate prevention objective. And it did, as expected.

Read More

Topics: Exploits, Attack Analysis

Flash Zero-day Quickly Propagates to Unaware Sites

Posted by Michael Gorelik on Nov 9, 2015 7:15:04 PM

Have you ever wondered what happens to zero-day exploits after their big splash on day zero? Often 0-days are developed to target a specific organization, as in this Pawn Storm-related instance reported by Trend Micro, which targeted specific people within the Foreign Affairs Ministry.

Read More

Topics: Exploits, Attacks, 0-day exploits, Moving Target Defense, Zero-day, Attack Analysis

In-The-Wild, Nuclear Kit Found That Automatically Generates Flash Exploit Variants On-The-Fly

Posted by Michael Gorelik on Oct 15, 2015 1:13:18 PM

After our recent blog post about an encrypted Flash exploit, we went back to analyze some more of these exploit files. We took some of the newer exploit recordings available on a malware aggregation site, and tried to decrypt them using the same Diffie-Hellman protocol that had worked for us before. We discovered that enough time had gone by that the Nuclear Exploit Kit team had already upped their game, and the brute force decryption did not work anymore. So what’s a researcher to do?

Read More

Topics: Exploits, Attacks, Attack Analysis

Encrypted Flash Exploit that Bypasses Mitigations Found In the Wild

Posted by Michael Gorelik on Oct 1, 2015 12:03:36 PM

One of our favorite things to do is to reproduce exploits in our research labs. We do this for two main reasons: first, because we are naturally curious, and second, to constantly ensure that our solution prevents these exploits natively (spoiler: it does ;).

Read More

Topics: Exploits, Research, Attack Analysis

Check out our Attack Analyses!

Take a deep dive into technical analyses of attacks prevented by Morphisec.

Subscribe to our Blog

Happy to keep you in the loop with industry insight, cyber security trends,  and cyber attack information and company updates.

Morphisec Named a Cool Vendor 2016

Morphisec is a Gartner Cool Vendor 2016

Each year Gartner identifies new Cool Vendors it considers innovative or transformative. Morphisec is honored be to named a Cool Vendor 2016. Here's more....