Posts created by: Tomer Bar

Unit 42 examines the BadPatch campaign consisting of 4 types of malware and new attack methods.

Unit 42 resarchers recently observed a new version of the “Infy” malware dubbed “Foudre”.

This post explores how the attackers attempt to gain a foothold into target networks before briefly describing the malware families used.

Downeks and Quasar RAT used in recent targeted attacks against governments. Get the full report from Unit 42.

Summary Unit 42 published a blog at the beginning of May titled “Prince of Persia,” in which we described the discovery of a decade-long campaign using a formerly unknown malware family, Infy, that targeted government and industry interests worldwide. Subsequent to the publishing of this article, through cooperation with the parties responsible for the C2

Attack campaigns that have very limited scope often remain hidden for years. If only a few malware samples are deployed, it’s less likely that security industry researchers will identify and connect them together. In May 2015, Palo Alto Networks WildFire detected two e-mails carrying malicious documents from a genuine and compromised Israeli Gmail account, sent

Unit 42 researchers have observed a new Remote Access Tool (RAT) constructed by an unknown actor of Italian origin. This RAT, referred to as uWarrior because of embedded PDB strings, has been previously described by an independent researcher who noted a potentially unknown exploit being used against Microsoft Office.

This post is the first in a new series titled Examining the Cybercrime Underground. Each post will delve into different aspects of how cybercriminals operate, using current examples of tools and techniques. What are their tools of the trade? How do they get them? How do they overcome challenges posed by security and anti-fraud systems? How do

CTB-Locker is a well-known ransomware Trojan used by crimeware groups to encrypt files on the victim’s endpoints and demand ransom payment to decrypt the files back to their original state.  Earlier this week we detailed a new CTB-Locker campaign and why legacy security products won’t protect enterprise networks. In this blog post we will detail

Introduction CTB-Locker is a well-known ransomware Trojan used by crimeware groups to encrypt files on the victim’s endpoints and demand ransom payment to decrypt the files back to their original state, but most antiviruses detect it by mistake as CryptoLocker (only one vendor correctly detects it as CTB-Locker). The attack vector is very basic and repeats