Palo Alto Networks Researcher Discovers Four Critical Vulnerabilities in Adobe Flash Player

Palo Alto Networks was recently credited with the discovery of four new vulnerabilities affecting Adobe Flash Player. Researcher Tao Yan discovered critical vulnerabilities CVE-2016-6982, CVE-2016-6983, CVE-2016-6984, CVE-2016-6985 affecting Adobe Flash Player. Descriptions of each, as well as details on affected versions and products, are included in the Adobe Security Bulletin. Adobe has released security updates

Palo Alto Networks Discovers Two Adobe Reader Privileged JavaScript Zero-Days

We recently discovered two zero-day vulnerabilities in Adobe Reader. Adobe has since released a patch (on October 6, 2016) to fix these vulnerabilities, which are named CVE-2016-6957 and CVE-2016-6958. These vulnerabilities could allow an attacker to compromise Adobe Reader by bypassing restrictions on JavaScript API execution (CVE-2016-6957) and security provisions that prevent arbitrary execution of

Palo Alto Networks Researcher Discovers Eight Critical Vulnerabilities in Adobe Flash Player

Palo Alto Networks was recently credited with the discovery of eight new vulnerabilities affecting Adobe Flash Player. Researcher Tao Yan discovered critical vulnerabilities CVE-2016-4182, CVE-2016-4237, CVE-2016-4238, CVE-2016-4281, CVE-2016-4282, CVE-2016-4283, CVE-2016-4284, and CVE-2016-4285 affecting Adobe Flash Player. Descriptions of each, as well as details on affected versions and products, are included in the following Adobe Security

Aveo Malware Family Targets Japanese Speaking Users

(This blog post is also available in Japanese.) Palo Alto Networks has identified a malware family known as ‘Aveo’ that is being used to target Japanese speaking users. The ‘Aveo’ malware name comes from an embedded debug string within the binary file. The Aveo malware family has close ties to the previously discussed FormerFirstRAT malware

Fresh Baked HOMEKit-made Cookles – With a DarkHotel Overlap

Threat actors tend to reuse certain tools, a trend we observed during recent Unit 42 research published on MNKit. In this post, we will discuss a fresh toolkit, which on the surface, appeared similar to MNKit, but functionally was found to be quite different. This toolkit, which we named “HOMEKit”, is similar to MNKit in

Orcus – Birth of an unusual plugin builder RAT

Unit 42 has been tracking a new Remote Access Trojan (RAT) being sold for $40 USD since April 2016, known as “Orcus”. Though Orcus has all the typical features of RAT malware, it allows users to build custom plugins and also has a modular architecture for better management and scalability. The objective of this blog

Afraidgate: Major Exploit Kit Campaign Switches from CryptXXX Ransomware Back to Locky

By mid-July 2016, the Afraidgate campaign stopped distributing CryptXXX ransomware. It is now distributing the “.zepto” variant of Locky. Afraidgate has been using Neutrino exploit kit (EK) to distribute malware after Angler EK disappeared in early June 2016. As we previously reported, this campaign continues to utilize gate domains using name servers from afraid.org.

SpyNote Android Trojan Builder Leaked

Our team recently discovered a new Android Trojan called SpyNote which facilitates remote spying. The builder, which creates new versions of the malware, recently leaked on several malware discussion forums. SpyNote is similar to OmniRat and DroidJack, which are RATs (remote administration tools) that allow malware owners to gain remote administrative control of an Android

Palo Alto Networks Researchers Discover Critical Safari 9.1 Vulnerability

Palo Alto Networks researchers were recently credited with the discovery of an Apple product vulnerability. Researchers Tongbo Luo and Bo Qu discovered a WebKit vulnerability (CVE-2016-4589) affecting Safari in Apple iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later, and Apple TV (4th generation).

PowerWare Ransomware Spoofing Locky Malware Family

Unit 42 has recently discovered a new variant of PowerWare, also known as PoshCoder, imitating the popular Locky ransomware family. PoshCoder has been encrypting files with PowerShell since 2014, and the new variant named PowerWare was reported in March 2016. The malware is responsible for encrypting files on a victim’s machine and demanding a ransom via the

Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks

As mentioned in our previous blog, we observed the Sofacy group using a new persistence mechanism that we call “Office Test” to load their Trojan each time the user opened Microsoft Office applications. Following the report, we received several questions regarding this persistence method, specifically how it works and which versions of Microsoft Office were

Andromeda Botnet Targets Italy in Recent Spam Campaigns

Over the past month, Palo Alto Networks has observed two spam campaigns targeting users residing in Italy. The spam emails attempt to install the pervasive Andromeda malware onto victim machines. This malware has been around since 2011 and shows no signs of stopping. Compromised hosts cause a victim’s machine to be attached to the Andromeda

Palo Alto Networks Researchers Discover Two Critical Internet Explorer Vulnerabilities

Palo Alto Networks researchers discovered two new critical Internet Explorer (IE) vulnerabilities affecting IE versions 9, 10, and 11. Both are included in Microsoft’s July 2016 Security Bulletin, and documented in Microsoft Security Bulletin MS16-084. In our continued commitment to the security research community, these vulnerabilities were disclosed to Microsoft through our participation in the Microsoft Active Protections Program

How to Track Actors Behind Keyloggers Using Embedded Credentials

Mo’ key loggers, mo’ problems This past year Unit 42 has seen a resurgence of keylogger activity and it seems like every week a new research blog comes out talking about one of four popular families: KeyBase, iSpy, HawkEye, or PredatorPain. These blogs usually delve into the technical workings of the threats, discuss their relationship to each

Investigating the LuminosityLink Remote Access Trojan Configuration

In recent weeks, I’ve spent time investigating the LuminosityLink Remote Access Trojan’s (RAT) embedded configuration. For those unaware, LuminosityLink is a malware family costing $40 that purports to be a system administration utility. However, when executed, the malware leverages a very aggressive keylogger, as well as a number of other malicious features that allow an