Can I spam from here: An Unusually Clever Spambot Tests Blacklists

Unit 42 researchers recently observed an unusually clever spambot’s attempts to increase delivery efficacy by abusing reputation blacklist service APIs. Rather than sending spam as soon as the host is infected, the bot checks common blacklists to confirm its e-mails will actually be delivered, and if not, shuts itself down. This spambot, commonly downloaded by

Andromeda Botnet Targets Italy in Recent Spam Campaigns

Over the past month, Palo Alto Networks has observed two spam campaigns targeting users residing in Italy. The spam emails attempt to install the pervasive Andromeda malware onto victim machines. This malware has been around since 2011 and shows no signs of stopping. Compromised hosts cause a victim’s machine to be attached to the Andromeda

Operation Ke3chang Resurfaces With New TidePool Malware

Little has been published on the threat actors responsible for Operation Ke3chang since the report was released more than two years ago. However, Unit 42 has recently discovered the actors have continued to evolve their custom malware arsenal. We’ve discovered a new malware family we’ve named TidePool. It has strong behavioral ties to Ke3chang

PowerSniff Malware Used in Macro-based Attacks

The concept of file-less malware is not a new one. Families like Poweliks, which abuse Microsoft’s PowerShell, have emerged in recent years and have garnered extensive attention due to their ability to compromise a system while leaving little or no trace of their presence to traditional forensic techniques. System administrators have lauded the power

Locky: New Ransomware Mimics Dridex-Style Distribution

Ransomware persists as one of the top crimeware threats thus far into 2016. While the use of document-based macros for ransomware distribution remains relatively uncommon, a new family calling itself “Locky” has borrowed the technique from the eminently successful Dridex to maximize its target base. We first learned of Locky through Invincea and expanded on

Upatre: Old Dog, New [Anti-Analysis] Tricks

Malware authors must constantly iterate on their techniques in order to stay relevant in today’s fast-moving information security environment. The Upatre downloader has been around for nearly three years and has consistently evolved its anti-analysis capabilities to better ensure payload delivery. Using Palo Alto Networks AutoFocus, we identified several thousand functionally identical Upatre binaries

Dridex is Back and Targeting the UK

After Brian Krebs reported the September arrests of alleged key figures in the cyber crime gang that developed and operated Dridex, Unit 42 observed a marked decrease in activity related to this banking Trojan – at least until today. Dridex re-entered the threat landscape with a major e-mail phishing campaign. Leveraging the Palo Alto Networks

Musical Chairs: Multi-Year Campaign Involving New Variant of Gh0st Malware

The Gh0st malware is a widely used remote administration tool (RAT) that originated in China in the early 2000s. It has been the subject of many analysis reports, including those describing targeted espionage campaigns like Operation Night Dragon and the GhostNet attacks on Tibet. Musical Chairs is a multi-year campaign which recently deployed a new variant