TrickBot (TrickLoader) is a modular financial malware that first surfaced in October in 20161. Almost immediately researchers have noticed similarities with a credential-stealer called Dyre. It is still believed that those two families might’ve been developed by the same actor. But in this article we will not focus …

Analysis of a Polish BankBot Recently we have observed campaigns of a banking malware for Android system, which targets Polish users. The malware is a variant of the popular BankBot family, but differs from the main BankBot samples. Its victims were infected by installing a malicious application from Google Play …

Introduction Emotet is a modular Trojan horse, which was firstly noticed in June 2014 by Trend Micro. This malware is related to other types like Geodo, Bugat or Dridex, which are attributed by researches to the same family. Emotet was discovered as an advanced banker – it’s first campaign targeted …

Introduction Nymaim was discovered in 2013. At that time it was only a dropper used to distribute TorrentLocker. In February 2016 it became popular again after incorporating leaked ISFB code, dubbed Goznym. This incarnation of Nymaim was interesting for us because it gained banking capabilities and became a serious threat …

During SECURE conference we have presented our findings about criminal group, which we called “Postal Group” (“Grupa pocztowa”) based on theris modus operandi. Detailed research regarding the group have been gathered in the form of report available under the link below.   PDF   During the SECURE conference, we presented a talk …

Recently, we obtained a sample of a new Android banking trojan, named GMBot, which tries to be self-contained (i.e. does not need Windows counterpart) and uses application overlay as a poor man’s webinjects substitute. This malware uses known and common techniques, but implements them in a way similar …

In March 2015, S21sec published their analysis of the new e-banking trojan horse targetting Polish users. They named it “Slave”, because such a string was part of a path to one of the shared libraries. We think (in part thanks to the kernelmode.info thread) that Slave was made by …

In the last two weeks, the CERT team received multiple reports describing suspicious e-mail messages supposedly coming from the Warszawa Wola (a Warsaw district) Bailiff office. The message contents do not describe the alleged due in detail, thus encouraging the recipient of the message to click on the link described …

In the last few weeks we received information about a new kind of malware, similar to the VBKlip malware family. However, while reading these incident reports we got a bit of a science-fiction feeling. Users described that they went to the e-banking site and they tried to perform a wire …

We recently blogged about a new strain of malware called VBKlip. This malware was aimed at Polish online banking users. In the last few days a new, revised version of this malware has resurfaced. This new version is written in .NET and has a few new ideas which seem to …