The Gamaredon Group Toolset Evolution

Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013.

Exploring the Cybercrime Underground: Part 3 – Into the RAT Nest

In this third part of Unit 42’s Cybercrime Underground blog series, we’re taking a slightly different approach. In this blog we begin with data from a real attack in the wild, and use the evidence from that attack to make a connection back to underground forums and the actors who are using them. Rather than starting

2016 Updates to Shifu Banking Trojan

Overview Shifu is a Banking Trojan first discovered in 2015. Shifu is based on the Shiz source code which incorporated techniques used by Zeus. Attackers use Shifu to steal credentials for online banking websites around the world, starting in Russia but later including the UK, Italy, and others. Palo Alto Networks Unit 42 research has

Review of Regional Malware Trends in EMEA: Part 1

Introduction As we head towards the end of the year it’s common to reflect on the year almost behind us and to predict what the new year approaching will bring in terms of security challenges. This blog is part of a series that describe malware trends seen in the EMEA (Europe Middle East and Africa)

Palo Alto Networks Unit 42 Vulnerability Research December 2016 Disclosures

As part of Unit 42’s ongoing threat research, we can now disclose that Palo Alto Networks Unit 42 researchers have reported six vulnerabilities that have been fixed by Apple, Adobe and Microsoft. This includes two vulnerabilities in Apple WebKit and impacts iCloud for Windows, Safari, iTunes for Windows, tvOS and iOS. CVE-2016-7639: Tongbo Luo CVE-2016-7642:

Let It Ride: The Sofacy Group’s DealersChoice Attacks Continue

Recently, Palo Alto Networks Unit 42 reported on a new exploitation platform that we called “DealersChoice” in use by the Sofacy group (AKA APT28, Fancy Bear, STRONTIUM, Pawn Storm, Sednit).  As outlined in our original posting, the DealersChoice exploitation platform generates malicious RTF documents which in turn use embedded OLE Word documents. These embedded OLE

PluginPhantom: New Android Trojan Abuses “DroidPlugin” Framework

Recently, we discovered a new Google Android Trojan named “PluginPhantom”, which steals many types of user information including: files, location data, contacts and Wi-Fi information. It also takes pictures, captures screenshots, records audios, intercepts and sends SMS messages. In addition, it can log the keyboard input by the Android accessibility service, acting as a keylogger.

Get updates on Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit 42

Follow us on