Introduction Initially Evil was brought to our attention by an incident reported on 2017-01-08. By that time the Internet was completely silent on that threat and we had nothing to analyze. We found first working sample day later, on 2017-01-09. In this article we will shortly summarize our analysis and …

Campaign CryptoMix is another ransomware family that is trying to earn money by encrypting victims files and coercing them into paying the ransom. Until recently it was more known as CryptFile2, but for reasons unknown to us it was rebranded and now it’s called CryptoMix. It was observed in …

Tofsee, also known as Gheg, is another botnet analyzed by CERT Polska. Its main job is to send spam, but it is able to do other tasks as well. It is possible thanks to the modular design of this malware – it consists of the main binary (the one user downloads …

Necurs is one of the biggest botnets in the world – according to MalwareTech there are a couple millions of infected computers, several hundred thousand of which are online at any given time. Compromised computers send spam email to large number of recipients – usually the messages are created to look like …

At the beginning of the May here in Poland we have couple of free days. 3rd May is Constitution Day, and May 1st is Labour Day. Most of us use those days to unwind after winter, but some malware authors apparently didn’t: a few weeks ago, our friends started …

GMBot (also known as slempo) was described on our blog on October 2015. This malicious application for phishing login and password associated with a specific user of electronic banking uses known and common techniques of application overlay. It is nothing else but a normal phishing attack, very similar to the …

Our CERT laboratory recently received a sample of iBanking malware (along with a malicious JavaScript code snippet associated with it), posing as the mobile Trusteer Rapport antimalware solution. The attack scenario isn’t new, it has been used many times in the past, but recently we see an increase in …

Our laboratory recently received a sample of malware used for attacks on Polish users of electronic banking. Analysis of this malware gave us reasons to believe, that this is the software written by the authors of Banatrix (which we discussed in greater detail in our earlier posts), Slave and e-mail …

CERT Polska has partnered together with Microsoft, ESET and law enforcement agencies including US-CERT/DHS, FBI, Interpol and Europol in activities aimed at disrupting of the Dorkbot malware family. This disruption – which includes sinkholing of the botnet’s infrastructure – took place yesterday. Dorkbot is a well-known family of malware, operating …

Intro Dridex mostly comes to us as spam which contains a .doc with some macros, responsible for downloading a dropper. One can quickly analyze it using oledump.py and looking through vbscript, or naturally, just try to run it in a sandbox and obtain the dropped files. CFG extraction After …