The blog highlights the results from Unit 42’s research into misconfigured containers, methods for identifying services exposed to the public, and mitigation steps to secure container services. In this blog, we identify common misconfigurations in container services. This allows our readers to deploy their container platform structures in a more secure and private fashion, avoiding the methods of data gathering that we outline in this blog.
Redaman is banking malware first noted in 2015 that targets recipients who conduct transactions using Russian financial institutions. We have found versions of Redaman in Russian language mass-distribution campaigns during the last four months of 2018.
In February 2019, Unit 42 published a blog about the BabyShark malware family and the associated spear phishing campaigns targeting U.S. national think tanks. Since that publication, malicious attacks leveraging BabyShark have continued through March and April 2019. The attackers expanded targeting to the cryptocurrency industry, showing that those behind these attacks also have interests in financial gain.
In May 2016, Unit 42 observed targeted attacks primarily focused on financial institutions and technology organizations within Saudi Arabia. Artifacts identified within the malware samples related to these attacks also suggest the targeting of the defense industry in Saudi Arabia, which appears to be related to an earlier wave of attacks carried out in the
Unit 42 has discovered a new version of CardinalRat which we first discovered in 2016. This new version targets financial technology companies, primarily in Israel. It includes new anti-analysis capabilities, including the use of steganography. In addition to our research, we include a new Python script to decrypt the steganographic payload.
In-App Purchase (IAP) has become a popular way to sell services and virtual items through mobile applications. In the Android ecosystem, in addition to the official IAP service by Google, there are many third-party IAP Software Development Kits (SDKs) spread around the world. Some of these third-party SDKs provide IAP services based on existing online
The Palo Alto Networks AutoFocus threat intelligence services accelerates analysis and response workflows for unique, targeted attacks. The services further make an immense set of threat intelligence available via the AutoFocus API, which can enrich existing security systems or workflows. Today, security teams can easily build scripts on top of this data using the AutoFocus
The newly discovered Linux vulnerabilities, CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479, affect all Linux operating systems newer than kernel 2.6.29 (released on March 2009) or above can cause a kernel panic to systems with services listening on TCP connection. This remote attack can put a server into Denial of Service (DoS) state, but remote code execution is not of concern.
Palo Alto Networks researchers discovered an advanced Android malware we’ve named “SpyDealer” which exfiltrates private data from more than 40 apps and steals sensitive messages from communication apps by abusing the Android accessibility service feature
Recently, we discovered a new Google Android Trojan named “PluginPhantom”, which steals many types of user information including: files, location data, contacts and Wi-Fi information. It also takes pictures, captures screenshots, records audios, intercepts and sends SMS messages. In addition, it can log the keyboard input by the Android accessibility service, acting as a keylogger.
Unit 42 researchers recently observed an unusually clever spambot’s attempts to increase delivery efficacy by abusing reputation blacklist service APIs. Rather than sending spam as soon as the host is infected, the bot checks common blacklists to confirm its e-mails will actually be delivered, and if not, shuts itself down. This spambot, commonly downloaded by
Introduction When malware wants to communicate home, most use domain names, allowing them to resolve host names to IP addresses of their servers. In order to increase the likelihood of their malware successfully communicating home, cyber espionage threat actors are increasingly abusing legitimate web services, in lieu of DNS lookups to retrieve a command and
In this second part of Unit 42’s Cybercrime Underground blog series, we dive into the cybercrime forum ecosystem and focus on observed cybercriminal roles, as well as prevalent tools and services bought and sold in the underground. The goal of this post is not to provide an exhaustive directory, but rather to provide additional context
Online banking services have been a prime target of cyber criminals for many years and attacks continue to grow. Targeting online banking users and stealing their credentials has yielded huge profits for the criminals behind these campaigns. Unit 42 has been tracking “KRBanker” AKA ‘Blackmoon’, since late last year. This campaign specifically targets banks of
We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.
As previously discussed by Unit 42, banking Trojans have been targeting Brazilian systems for years given the popularity of online banking services in the country. Recently, we analyzed a handful of samples targeting Brazilian systems that exhibited a unique and complex multi-stage loading process. Antivirus detection names for this malware typically are detected as generic
On July 8, 2015, Unit 42 used the AutoFocus Threat Intelligence service to locate and investigate activity consistent with a spear-phishing attack targeting the US Government. The attack exploited an Adobe Flash vulnerability that stems from the zero-day vulnerabilities exposed from this month’s Hacking Team data breach. The spear-phishing attack used a link to a
NOTICE: We have updated this blog to clarify that Airpush is not responsible for Gunpoder. Airpush’s platform was abused by the malware author to hide malicious activity. Executive Summary Unit 42 discovered a new family of Android malware that successfully evaded all antivirus products on the VirusTotal web service. We named this malware family “Gunpoder”
Summary Palo Alto Networks Unit 42 used the AutoFocus threat intelligence service to identify a series of phishing attacks against Japanese organizations. Using AutoFocus to quickly search and correlate artifacts across the collective set of WildFire and other Palo Alto Networks threat intelligence, we were able to associate the attacks with the group publicly known
We have recently been investigating an antivirus app in the Google Play store that was displaying fake virus detection results to scare users into purchasing a premium service. According to the Google Play store statistics, users have downloaded “AntiVirus for Android™” more than one million times and the app was listed in Top 100 free
Unit 42 is the Palo Alto Networks threat intelligence team. Made up of accomplished cybersecurity researchers and industry experts, Unit 42 gathers, researches, analyzes, and provides insights into the latest cyber threats, then shares them with Palo Alto Networks customers, partners and the broader community to better protect enterprise, service provider, and government computing environments. You
Summary A new Android Trojan, named Funtasy, began targeting Spanish Android users in mid-April. Users have downloaded 18 different variants of Funtasy between 13,500 and 67,000 times from the Google Play store. Funtasy currently targets users of multiple Spanish mobile networks, and one Australian mobile network. Funtasy subscribes victim’s phones to premium SMS services which
Palo Alto Networks’ Unit 42 recently discovered malware that we believe has been developed from OSX.DarthMiner, a malware known to target the Mac platform.
This malware is capable of stealing browser cookies associated with mainstream cryptocurrency exchanges and wallet service websites visited by the victims, stealing saved passwords in Chrome and seeks to steal iPhone text messages from iTunes backups on the tethered Mac.