-
A deeper look at Tofsee modules
Tofsee is a multi-purpose malware with wide array of capabilities – it can mine bitcoins, send emails, steal credentials, perform DDoS attacks, and more. All of this is possible because of its modular nature. We have already published about Tofsee/Gheg a few months ago – https://www.cert.pl/en/news …
Read more -
Ramnit – in-depth analysis
If we look on Ramnit’s history, it’s hard to exactly pin down which malware family it actually belongs to. One thing is certain, it’s not a new threat. It emerged in 2010, transferred by removable drives within infected executables and HTML files. A year later, a more …
Read more -
Mole ransomware: analysis and decryptor
Mole ransomware is almost month old ransomware (so it’s quite old from our point of view), that was distributed mainly through fake online Word docs. It’s a member of growing CryptoMix family, but encryption algorithm was completely changed (…again). We became interested in this variant after victims contacted …
Read more -
Analysis of Emotet v4
Introduction Emotet is a modular Trojan horse, which was firstly noticed in June 2014 by Trend Micro. This malware is related to other types like Geodo, Bugat or Dridex, which are attributed by researches to the same family. Emotet was discovered as an advanced banker – it’s first campaign targeted …
Read more -
Evil: A poor man’s ransomware in JavaScript
Introduction Initially Evil was brought to our attention by an incident reported on 2017-01-08. By that time the Internet was completely silent on that threat and we had nothing to analyze. We found first working sample day later, on 2017-01-09. In this article we will shortly summarize our analysis and …
Read more -
Technical analysis of CryptoMix/CryptFile2 ransomware
Campaign CryptoMix is another ransomware family that is trying to earn money by encrypting victims files and coercing them into paying the ransom. Until recently it was more known as CryptFile2, but for reasons unknown to us it was rebranded and now it’s called CryptoMix. It was observed in …
Read more -
Tofsee – modular spambot
Tofsee, also known as Gheg, is another botnet analyzed by CERT Polska. Its main job is to send spam, but it is able to do other tasks as well. It is possible thanks to the modular design of this malware – it consists of the main binary (the one user downloads …
Read more -
Necurs – hybrid spam botnet
Necurs is one of the biggest botnets in the world – according to MalwareTech there are a couple millions of infected computers, several hundred thousand of which are online at any given time. Compromised computers send spam email to large number of recipients – usually the messages are created to look like …
Read more -
Network traffic periodicity analysis of dark address space
Network traffic directed to dark address space of IPv4 protocol can be a good source of information about current state of the Internet. Despite the fact that no packets should be sent to such addresses, in practice various traffic types can be observed there, for example echoes of Denial of …
Read more -
Newest addition to a happy family: KBOT
At the beginning of the May here in Poland we have couple of free days. 3rd May is Constitution Day, and May 1st is Labour Day. Most of us use those days to unwind after winter, but some malware authors apparently didn’t: a few weeks ago, our friends started …
Read more