2018-10-23 - Proofpoint - Contributor

sLoad and Ramnit pairing in sustained campaigns against UK and Italy

Describes sLoad campaigns by an actor with a long history of activity, including the personalization of email messages with the recipient's name and address.

2018-07-24 - Proofpoint - Contributor

Kronos Reborn

An evolution of Kronos hiding behind Tor appeared. Osiris?

2018-04-12 - Proofpoint - Author

EITest: Sinkholing the oldest infection chain

EITest, the oldest infection chain of its kind, has been sinkholed.

2018-03-29 - Proofpoint - Author

Sandiflux: Another Fast Flux infrastructure used in malware distribution emerges

Another (not Darkcloud/Fluxxy) Fast Flux infrastructure emerges.

2018-03-13 - Proofpoint - Author

Drive-by as a service: BlackTDS

A service presented as a "Cloud TDS" has been advertised underground since the end of 2017.

2018-01-31 - Proofpoint - Author

Smominru Monero mining botnet making millions for operators

Tracking the massive Smominru botnet, the combined computing power of which has earned millions of dollars for its operators.

2017-11-01 - Proofpoint - Author

Threat Actor Profile: KovCoreG, The Kovter Saga

This blog traces the activities of KovCoreG, also referred to as MaxTDS by FoxIT InTELL, from its early days distributing the Zaccess backdoor to its latest social engineering attacks.

2017-08-19 - Proofpoint - Contributor

APT28 racing to exploit CVE-2017-11292 Flash vulnerability before patches are deployed

As we examined a document exploitation chain, we found that DealersChoice, the attack framework that the document uses, is now also exploiting CVE-2017-11292.

2017-08-06 - Proofpoint - Author

Kovter Group malvertising campaign exposes millions to potential ad fraud malware infections

Few groups are able to infiltrate the advertising chain on the most visited websites. This post looks at a recent KovCoreG campaign and describes what we know of the current state of their very active social engineering scheme.

2017-08-14 - Proofpoint - Author

Threat actor goes on a Chrome extension hijacking spree

At the end of July and beginning of August, several Chrome Extensions were compromised after their authors' Google Account credentials were stolen via a phishing scheme. This resulted in hijacking of traffic and exposing users to potentially malicious popups and credential theft.

2017-06-20 - Proofpoint - Author

AdGholas Malvertising Campaign Using Astrum EK to Deliver Mole Ransomware

The AdGholas group has been implicated in some of the largest malvertising campaigns we have ever observed. While this group has remained active, it appears that a number of universities in the United Kingdom were recently infected with ransomware via an AdGholas infection chain, a marked departure from the banking Trojans this group usually distributes.

2017-05-25 - Proofpoint - Contributor

Where are the exploits of yesteryear?

A more significant reason for the decline in EK activity is that exploitable vulnerabilities are aging quickly.

2017-05-15 - Proofpoint - Author

Adylkuzz Cryptocurrency Mining Malware Spreading for Weeks Via EternalBlue/DoublePulsar

Another very large-scale attack using both EternalBlue and DoublePulsar to install the cryptocurrency miner Adylkuzz.

2017-01-17 - Proofpoint - Author

EITest Nabbing Chrome Users with a “Chrome Font” Social Engineering Scheme

“EITest” is a well-documented infection chain that generally relies on compromised websites to direct users to exploit kit landing pages.

2016-12-13 - Proofpoint - Author

Home Routers Under Attack via Malvertising on Windows, Android Devices

An improved version of the “DNSChanger EK” used in ongoing malvertising campaigns.

2016-07-28 - Proofpoint - Author

Massive AdGholas Malvertising Campaigns Use Steganography and File Whitelisting

A massive malvertising network operating since 2015, run by a threat actor we designated as AdGholas and pulling in as many as 1 million client machines per day.

2015-12-22 - Proofpoint - Contributor

Gootkit banking Trojan jumps the Channel

2015-09-04 - Proofpoint - Author

Too Many Crooks in the Kitchen