<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=885880844953016&amp;ev=PageView&amp;noscript=1">

RIG exploit kit returns, with modified pattern and free generated “freenom” domains

Posted by Michael Gorelik on September 26, 2017 at 4:20 PM

 

This report was authored by: Michael Gorelik and Assaf Kachlon.

Last week’s malware news was filled with the CCleaner backdoor exposed by Morphisec’s security solution. This week Morphisec uncovered another ongoing malware campaign, this one a drive-by-download attack that uses a modified version of the old (in hacker time) favorite, the RIG exploit kit.

First appearing in 2014, RIG generally uses gates to redirect victims from a compromised website to a landing page that contains the EK, exploiting vulnerabilities in JavaScript, Flash and VBscript in the infection chain.

Over the past 10 days, Morphisec's Threat Prevention Solution stopped a modified RIG exploit kit distributed to a large number of customers in a major drive by download campaign. Upon customer notification about the web-borne attack, we immediately identified the type of exploit kit and the delivered exploits. We reported the abuse of the registered domains to Freenom.com, the domain registration entity.

Read More

Topics: Research, Endpoint Security, Cyber Security, Attack Analysis

Morphisec Discovers CCleaner Backdoor Saving Millions of Avast Users

Posted by Michael Gorelik on September 18, 2017 at 2:40 PM

 

As widely reported today, the Avast-owned security application CCleaner was illegally modified by hackers to establish a backdoor to the hackers’ server. According to Avast, some 2.27 million users were running the weaponized version 5.33 of CCleaner. In addition, the CCleaner’s cloud version 1.07 was affected. Morphisec was first to uncover the CCleaner Backdoor saving millions of Avast user. 

Morphisec first identified and prevented malicious CCleaner.exe installations on August 20 and 21, 2017 at customer sites. Some customers shared their logs of the prevented attacks with Morphisec on September 11, 2017.Morphisec started to investigate the prevention logs right away.

Read More

Topics: Research, Endpoint Security, Cyber Security, Attack Analysis

FIN7 Takes Another Bite at the Restaurant Industry

Posted by Michael Gorelik on June 9, 2017 at 11:40 AM

INTRODUCTION

On June 7, 2017, Morphisec Lab identified a new, highly sophisticated fileless attack targeting restaurants across the US. The ongoing campaign allows hackers to seize system control and install a backdoor to steal financial information at will. It incorporates some never before seen evasive techniques that allow it to bypass most security solutions – signature and behavior based.

Read More

Topics: Cyber Attacks, Endpoint Security, Cyber Security, Attack Analysis

Iranian Fileless Attack Infiltrates Israeli Organizations

Posted by Michael Gorelik on April 27, 2017 at 12:11 PM

INTRODUCTION

From April 19-24, 2017, a politically-motivated, targeted campaign was carried out against numerous Israeli organizations. Morphisec researchers began investigating the attacks on April 24 and continue to uncover more details. Initial reports of the attacks, published April 26 (in Hebrew) by the Israel National Cyber Event Readiness Team (CERT-IL) and The Marker, confirm that the attack was delivered through compromised email accounts at Ben-Gurion University and sent to multiple targets across Israel. Ironically, Ben-Gurion University is home to Israel’s Cyber Security Research Center. Investigators put the origin of the attack as Iranian; Morphisec’s research supports this conclusion and attributes the attacks to the same infamous hacker group responsible for the OilRig malware campaigns.

Read More

Topics: 0-day exploits, Zero-day, Attack Analysis, Fileless Attacks

Morphisec Discovers New Fileless Attack Framework

Posted by Michael Gorelik on March 16, 2017 at 1:55 PM

Morphisec Discovers New Fileless Attack Framework

Ties Single Threat Actor Group to Multiple Campaigns, Interacts with Hacker.

On the 8th of March, Morphisec researchers began investigating a new fileless threat delivered via a macro-enabled Word document, which was attached to a phishing email sent to targeted high-profile enterprises. During the course of the investigation, we uncovered a sophisticated fileless attack framework that appears to be connected to various recent, much discussed attack campaigns.

Read More

Topics: Cyber Attacks, Cyber Security, Attack Analysis, Fileless Attacks

Andromeda’s Five Star Custom Packer – Hackers’ Tactics Analyzed

Posted by Roy Moshailov on March 13, 2017 at 2:08 AM

Packer-based malware is malware which is modified in the runtime memory using different and sophisticated compression techniques. Such malware is hard to detect by known malware scanners and anti-virus solutions. In addition, it is a cheap way for hackers to recreate new signatures for the same malware on the fly simply by changing the encryption/packing method. Packers themselves are not malware; attackers use this tactic to obfuscate the code’s real intention.

Read More

Topics: Cyber Attacks, Sandbox evasion, Cyber Security, Attack Analysis, Custom Packer

Our Top 10 Blog Posts of 2016

Posted by Morphisec Team on January 20, 2017 at 12:28 PM

Cybersecurity had a turbulent 2016, to say the least. We saw the rise of ransomware, the emergence of IoT botnets, landmark security legislation and Yahoo’s disclosure about its 1-billion-record-hack, the largest in history.

Read More

Topics: Exploits, ASLR, Angler Kit, APT, Ransomware, Attack Analysis

Evasive Malware Campaign with Faked HM Revenue and Customs Attachment

Posted by Roy Moshailov on December 27, 2016 at 6:32 AM

 The full report is also available as PDF. 

On December 12, 2016 Morphisec identified and monitored a new wave of sophisticated malware delivered via targeted phishing emails with malicious macro-based documents attached. The malicious documents themselves use a clever, new social engineering technique to convince the target to enable macros. Once enabled, the document calls an unknown downloader that resembles the Cerber downloader, but employs new obfuscation techniques.

Read More

Topics: Sandbox evasion, Attack Analysis

Attack Alert: Another Month, Another Hancitor Variant

Posted by Ursula Ron on December 8, 2016 at 4:23 AM

They’re starting to be as reliable as clockwork. Every 3-4 weeks a new wave of Hancitor campaigns hits, with improved targeting and new tricks to evade detection. The latest variant comes via a malicious MS Word attachment to a fairly convincing email. How do we know? Our own CEO, Ronen Yehoshua, was one of the latest targets.  Maybe the folks behind Hancitor liked our technical analysis (or get the original Hancitor report in PDF format) of the last attack so much that they wanted to deliver a new version for analysis personally.

Read More

Topics: Attack Analysis, Hancitor

New Wave of Hancitor Comes with New Evasive Techniques

Posted by Roy Moshailov on November 26, 2016 at 7:49 PM

 The full report is also available as PDF. 

From November 7 – 15, 2016, Morphisec identified and monitored a new wave of sophisticated malware attacks using a modified version of the Hancitor downloader. The malware is delivered via targeted phishing emails with malicious macro-based documents attached.

Read More

Topics: Attack Analysis

Check out our Attack Analyses!

Take a deep dive into technical analyses of attacks prevented by Morphisec.

Subscribe to our Blog

Happy to keep you in the loop with industry insight, cyber security trends,  and cyber attack information and company updates.

Morphisec Named a Cool Vendor 2016

Morphisec is a Gartner Cool Vendor 2016

Each year Gartner identifies new Cool Vendors it considers innovative or transformative. Morphisec is honored be to named a Cool Vendor 2016. Here's more....

 

Recent Posts

Most Popular Posts