Top IT Security Bloggers

TrendLabs - Malware Blog
  • Locky Ransomware Now Downloaded as Encrypted DLLs
    The Locky ransomware family has emerged as one of the most prominent ransomware families to date, being sold in the Brazilian underground and spreading via various exploits. Locky has, over time, become known for using a wide variety of tactics to spread, including macros, VBScript, WSF files, and now, DLLs.
    Recently we encountered a new Locky variant (detected as RANSOM_LOCKY.F116HM) that used old tactics on the surface, but with some key technical changes. The emails that were used to distribute it were fairly pedestrian as far as these messages go, although it was part of a large-scale spam campaign.
    Post from: Trendlabs Security Intelligence Blog - by Trend Micro
  • New Open Source Ransomware Based on Hidden Tear and EDA2 May Target Businesses
    In a span of one to two weeks, three new open source ransomware strains have emerged, which are based on Hidden Tear and EDA2. These new ransomware families specifically look for files related to web servers and databases, which could suggest that they are targeting businesses.
    Both Hidden Tear and EDA2 are considered the first open source ransomware created for educational purposes. However, these were quickly abused by cybercriminals. RANSOM_CRYPTEAR.B is one of the many Hidden Tear spinoffs that infect systems when users access a hacked website from Paraguay. Magic ransomware (detected as RANSOM_MEMEKAP.A), based on EDA2, came soon after CRYPTEAR.B’s discovery.
  • Ransomware and Business Email Compromise (BEC) Lead Year of Online Extortion
    Emails have become the battleground for the first half of the year in terms of security. It is the number one infection vector that has ushered in 2016’s biggest threats so far—ransomware and business email compromise (BEC). Ransomware infections normally start via email. Based on our findings, 71% of the known ransomware families’ delivery method is through spam.
    Looking at the threat trends so far, both ransomware and BEC have proved profitable across the world. This echoes our prediction that 2016 would be the Year of Online Extortion. Ransomware continues to threaten business-critical data and cost organizations thousands of dollars in losses; BEC scams bank on social engineering lures that lead even companies’ top decision-makers to transfer huge sums of money—totaling over US$3 billion in estimated losses.
  • When Hackers Hack Each Other—A Staged Affair in the French Underground?
    Recently, Trend Micro published a blog post on a new illegal gambling system known as “French Dark Bets (FDB).” FDB is run and hosted by one of the biggest French underground marketplaces, the French Dark Net (FDN). This betting system runs entirely on Bitcoins (BTC), which makes it easy for cybercriminals to inject and collect money through this platform.
    Over the last few weeks, a series of events caught our attention: The FDN and FDB went offline and came back online within a few days, announcing that they were hacked and money was stolen. Following this incident, FDN went back online with changed features.
  • BANKER Trojan Sports New Technique to Take Advantage of 2016 Olympics
    Despite the 2016 Olympics coming to a close, cybercriminals remain relentless in using the sporting event as a social engineering hook to distribute a banking Trojan. Earlier this month, we spotted a phishing campaign that led victims to unknowingly download the Banker malware. Although Banker has been in the wild for years, this time we see it using a Dynamic Loading Library (DLL) with malicious exported functions. One of the export calls used is to check if the victimized system is located in Brazil. If the geolocation points to Brazil, then another malicious file is downloaded. This particular new routine points to the possibility of the cybercriminals’ intention of riding on the popularity of the Olympics to lure users. Apart from Banker, there are reports indicating that other banking Trojans are doing the same thing. For instance, Sphinx ZeuS has enhanced its capabilities because of the Olympics.
  • New Locky Ransomware Spotted in the Brazilian Underground Market, Uses Windows Script Files
    In a constant game of cat and mouse, the perpetrators behind Locky ransomware have updated their arsenal yet again with a new tactic—using Windows Scripting File (WSF) for the arrival method. WSF is a file type that allows the combination of multiple scripting languages within a single file. Leveraging WSF poses challenges in detection and analysis, as traditional endpoint solutions scan and filter files based on their list of monitored files. Since WSF is not commonly associated with ransomware routines, this creates a window of exposure and can possibly pass off as a non-malicious file. This was reportedly seen in Cerber’s email campaign last May. Locky is possibly following suit to Cerber’s tactic since this is an effective tactic in bypassing security measures like sandbox and blacklisting technologies.
  • R980 Ransomware Found Abusing Disposable Email Address Service
    Perhaps emboldened by the success of their peers, attackers have been releasing more ransomware families and variants with alarming frequency. The latest one added to the list is R980 (detected by Trend Micro as RANSOM_CRYPBEE.A).
    R980 has been found to arrive via spam emails, or through compromised websites. Like Locky, Cerber and MIRCOP, spam emails carrying this ransomware contain documents embedded with a malicious macro (detected as W2KM_CRYPBEE.A) that is programmed to download R980 through a particular URL. From the time R980 was detected, there have been active connections to that URL since July 26th of this year.
  • Can Internet of Things be the New Frontier for Cyber Extortion?
    The Internet of Things (IoT)—the network of devices embedded with capabilities to collect and exchange information—has long been attracting the attention of cybercriminals as it continues to gain momentum in terms of its adoption. Gartner has estimated that more than 20.8 billion IoT devices will be in use by 2020; IoT will be leveraged by over half of major business processes and systems, with enterprises projected to lead in driving IoT revenue.
    How can cybercriminals potentially take advantage of this? Despite being equipped with new applications and hardware, most IoT devices are furnished with outdated connection protocols and operating systems (OS).
  • August Patch Tuesday: Nine Bulletins, Five Rated Critical
    The second Tuesday of August has arrived, which means one thing for Microsoft users: Patch Tuesday. Relatively speaking, August's batch of patches is light, with only nine bulletins, although five are rated as Critical.
  • BlackHat2016: badWPAD – The Doubtful Legacy of the WPAD Protocol
    WPAD is a protocol that allows computers to automatically discover Web proxy configurations and is primarily used in networks where clients are only allowed to communicate to the outside world through a proxy - which is the case in most enterprises. To easily configure proxy settings for different types of applications which require an internet connection, WPAD, also known as “autoproxy”, was first implemented and promoted by Netscape® 2.0 in 1996 for Netscape Navigator® 2.0. The tool can apply to any system that supports proxy auto-discovery, like most browsers, operating systems and some applications not working from operating systems.
    Warnings of security issues have been around for many years. These risks have been recognized in the security community for years, but for some reason have been left largely ignored. In fact it is relatively easy to exploit WPAD. In basic terms, the security issue with the WPAD protocol revolves around the idea that whenever the protocol makes a request to a proxy, anyone else can create a service that answers that request and can practically impersonate the real web proxy (Man-in-the-Middle attack).