Unit 42 goes inside the coop with new analysis and additional information on malicious HenBox applications
Unit 42 discovers HenBox, an Android malware family masquerading as legitimate apps on third-party app stores.
Unit 42 tracks how attackers use fraudulent accounts and the compromised infrastructure of legitimate businesses to deliver Hancitor malware.
Unit 42 gives a walkthrough of the analysis of the VERMIN malware, details links between the activity observed, and IOCs for all activity discovered.
Unit 42 investigates Boleto Mestre, a malspam campaign impersonating invoice documents of a popular Brazilian payment method.
The Blockbuster saga continues: Unit 42 researchers disclose attack activity targeting individuals involved with U.S. defense contractors.
The Blockbuster sequel: Unit 42 researchers identify new overlapping threats tied to 2014’s Operation Blockbuster.
Introduction: As we head towards the end of the year, it’s common to reflect on the year almost behind us and to predict what the approaching new year will bring in terms of security challenges. This blog is part of a series that describes malware trends seen in the EMEA (Europe, Middle East and Africa)
Unit 42 recently observed a 9002 Trojan delivered using a combination of shortened links and a shared file hosted on Google Drive. The delivery method also uses an actor-controlled server hosting a custom redirection script to track successful clicks by targeted email addresses. The infrastructure associated with this 9002 Trojan sample was also found to
As mentioned in our previous blog, we observed the Sofacy group using a new persistence mechanism that we call “Office Test” to load their Trojan each time the user opened Microsoft Office applications. Following the report, we received several questions regarding this persistence method, specifically how it works and which versions of Microsoft Office were
Over the past month, Palo Alto Networks has observed two spam campaigns targeting users residing in Italy. The spam emails attempt to install the pervasive Andromeda malware onto victim machines. This malware has been around since 2011 and shows no signs of stopping. Compromised hosts cause a victim’s machine to be attached to the Andromeda
Mo’ key loggers, mo’ problems. This past year Unit 42 has seen a resurgence of keylogger activity, and it seems like every week a new research blog comes out talking about one of four popular families: KeyBase, iSpy, HawkEye, or PredatorPain. These blogs usually delve into the technical workings of the threats, discuss their relationship to each
In previous posts we have discussed how AutoFocus accelerates the analysis, hunting, and incident response workflows by providing full context for threat events seen on your network, as well as high-level visibility into how targeted a threat is against you or your industry peers. This visibility into the threat landscape enables teams to move away
In May 2016, Unit 42 observed targeted attacks primarily focused on financial institutions and technology organizations within Saudi Arabia. Artifacts identified within the malware samples related to these attacks also suggest the targeting of the defense industry in Saudi Arabia, which appears to be related to an earlier wave of attacks carried out in the