Displaying 1 to 30 of 31

Misconfigured and Exposed: Container Services

The blog highlights the results from Unit 42’s research into misconfigured containers, methods for identifying services exposed to the public, and mitigation steps to secure container services. In this blog, we identify common misconfigurations in container services. This allows our readers to deploy their container platform structures in a more secure and private fashion, avoiding the methods of data gathering that we outline in this blog.
Nathaniel Quist

The TopHat Campaign: Attacks Within The Middle East Region Using Popular Third-Party Services

Unit 42 observes a wave of attacks leveraging popular third party services to deliver malicious decoy documents.
Josh Grunzweig

Threat Brief: A Declining Rig Exploit Kit Hops on the Coinmining Bandwagon

Criminals behind Rig Exploit Kits may be shifting efforts to coin mining, as they look to maximize financial return on investment.
Unit 42

Russian Language Malspam Pushing Redaman Banking Malware

Redaman is banking malware first noted in 2015 that targets recipients who conduct transactions using Russian financial institutions. We have found versions of Redaman in Russian language mass-distribution campaigns during the last four months of 2018.
Brad Duncan, Mike Harbison

Abusing the Service Control Manager to Establish Persistence for Non-Service Applications

Unit 42 investigates abusing the service control manager to establish persistence for non-service applications.
Dominik Reichel

BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat

In February 2019, Unit 42 published a blog about the BabyShark malware family and the associated spear phishing campaigns targeting U.S. national think tanks. Since that publication, malicious attacks leveraging BabyShark have continued through March and April 2019. The attackers expanded targeting to the cryptocurrency industry, showing that those behind these attacks also have interests in financial gain.
Mark Lim

The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor

In May 2016, Unit 42 observed targeted attacks primarily focused on financial institutions and technology organizations within Saudi Arabia. Artifacts identified within the malware samples related to these attacks also suggest the targeting of the defense industry in Saudi Arabia, which appears to be related to an earlier wave of attacks carried out in the
Robert Falcone, Bryan Lee

Cardinal RAT Sins Again, Targets Israeli Fin-Tech Firms

Unit 42 has discovered a new version of CardinalRat which we first discovered in 2016. This new version targets financial technology companies, primarily in Israel. It includes new anti-analysis capabilities, including the use of steganography. In addition to our research, we include a new Python script to decrypt the steganographic payload.
Tom Lancaster, Josh Grunzweig

SMS-Based In-App Purchase on Android Is Not Worth The Risk

In-App Purchase (IAP) has become a popular way to sell services and virtual items through mobile applications. In the Android ecosystem, in addition to the official IAP service by Google, there are many third-party IAP Software Development Kits (SDKs) spread around the world. Some of these third-party SDKs provide IAP services based on existing online
Claud Xiao, Zhi Xu

OilRig Targets Technology Service Provider and Government Agency with QUADAGENT

The OilRig group continues to adapt their tactics and bolster their toolset with newly developed tools. Get the full report from Unit 42.
Bryan Lee, Robert Falcone

OilRig uses RGDoor IIS Backdoor on Targets in the Middle East

Unit 42’s continued look into OilRig reveals the use of an Internet Information Services backdoor deployed on government webservers in the Middle East.
Robert Falcone

AutoFocus Lenz: Taking the Blue (Team) Pill

The Palo Alto Networks AutoFocus threat intelligence service accelerates analysis and response workflows for unique, targeted attacks. The service further makes an immense set of threat intelligence available via the AutoFocus API, which can enrich existing security systems or workflows. Today, security teams can easily build scripts on top of this data using the AutoFocus
Jeff White

TCP SACK Panics Linux Servers

The newly discovered Linux vulnerabilities CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479 affect all Linux systems running kernel 2.6.29 (released in March 2009) or newer, and can cause a kernel panic on systems with services listening for TCP connections. This remote attack can put a server into a Denial of Service (DoS) state, but remote code execution is not a concern.
Unit 42

Say “Cheese”: WebMonitor RAT Comes with C2-as-a-Service (C2aaS)

Unit 42 uncovers a new(ish) fully-featured Remote Access Tool (RAT), with web-based Command-and-Control (C2) included.
Mike Harbison, Simon Conant

Mole Ransomware: How One Malicious Spam Campaign Quickly Increased Complexity and Changed Tactics

Unit 42 identifies a new malicious spam campaign using United States Postal Service themed emails redirecting to fake Microsoft Word online sites.
Brad Duncan

SpyDealer: Android Trojan Spying on More Than 40 Apps

Palo Alto Networks researchers discovered an advanced Android malware we’ve named “SpyDealer”, which exfiltrates private data from more than 40 apps and steals sensitive messages from communication apps by abusing the Android accessibility service feature.
Wenjun Hu, Cong Zheng, Zhi Xu

PluginPhantom: New Android Trojan Abuses “DroidPlugin” Framework

Recently, we discovered a new Google Android Trojan named “PluginPhantom”, which steals many types of user information including files, location data, contacts and Wi-Fi information. It also takes pictures, captures screenshots, records audio, and intercepts and sends SMS messages. In addition, it can log keyboard input through the Android accessibility service, acting as a keylogger.
Cong Zheng, Tongbo Luo

Can I spam from here: An Unusually Clever Spambot Tests Blacklists

Unit 42 researchers recently observed an unusually clever spambot’s attempts to increase delivery efficacy by abusing reputation blacklist service APIs. Rather than sending spam as soon as the host is infected, the bot checks common blacklists to confirm its e-mails will actually be delivered, and if not, shuts itself down. This spambot, commonly downloaded by
Brandon Levene, Brandon Young

Confucius Says…Malware Families Get Further By Abusing Legitimate Websites

Introduction: When malware wants to communicate home, most use domain names, allowing them to resolve host names to IP addresses of their servers. In order to increase the likelihood of their malware successfully communicating home, cyber espionage threat actors are increasingly abusing legitimate web services, in lieu of DNS lookups to retrieve a command and
Tom Lancaster, Micah Yates

Exploring the Cybercrime Underground: Part 2 – The Forum Ecosystem

In this second part of Unit 42’s Cybercrime Underground blog series, we dive into the cybercrime forum ecosystem and focus on observed cybercriminal roles, as well as prevalent tools and services bought and sold in the underground. The goal of this post is not to provide an exhaustive directory, but rather to provide additional context
Vicky Ray, Rob Downs

KRBanker Targets South Korea Through Adware and Exploit Kits

Online banking services have been a prime target of cyber criminals for many years and attacks continue to grow. Targeting online banking users and stealing their credentials has yielded huge profits for the criminals behind these campaigns. Unit 42 has been tracking “KRBanker” AKA ‘Blackmoon’, since late last year. This campaign specifically targets banks of
Kaoru Hayashi, Vicky Ray

Python-Based PWOBot Targets European Organizations

We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.
Josh Grunzweig

Banload Malware Affecting Brazil Exhibits Unusually Complex Infection Process

As previously discussed by Unit 42, banking Trojans have been targeting Brazilian systems for years given the popularity of online banking services in the country. Recently, we analyzed a handful of samples targeting Brazilian systems that exhibited a unique and complex multi-stage loading process. Antivirus detection names for this malware typically are detected as generic
Anthony Kasza

APT Group UPS Targets US Government with Hacking Team Flash Exploit

On July 8, 2015, Unit 42 used the AutoFocus Threat Intelligence service to locate and investigate activity consistent with a spear-phishing attack targeting the US Government. The attack exploited an Adobe Flash vulnerability that stems from the zero-day vulnerabilities exposed from this month’s Hacking Team data breach. The spear-phishing attack used a link to a
Bryan Lee, Robert Falcone

New Android Malware Family Evades Antivirus Detection by Using Popular Ad Libraries

NOTICE: We have updated this blog to clarify that Airpush is not responsible for Gunpoder. Airpush’s platform was abused by the malware author to hide malicious activity. Executive Summary: Unit 42 discovered a new family of Android malware that successfully evaded all antivirus products on the VirusTotal web service. We named this malware family “Gunpoder”
Cong Zheng, Zhi Xu

Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets

Summary: Palo Alto Networks Unit 42 used the AutoFocus threat intelligence service to identify a series of phishing attacks against Japanese organizations. Using AutoFocus to quickly search and correlate artifacts across the collective set of WildFire and other Palo Alto Networks threat intelligence, we were able to associate the attacks with the group publicly known
Jen Miller-Osborn, Josh Grunzweig

Scareware App Downloaded Over a Million Times from Google Play

We have recently been investigating an antivirus app in the Google Play store that was displaying fake virus detection results to scare users into purchasing a premium service. According to the Google Play store statistics, users have downloaded “AntiVirus for Android™” more than one million times and the app was listed in Top 100 free
Claud Xiao

Don’t Miss A Single Threat Intelligence Update from Unit 42!

Unit 42 is the Palo Alto Networks threat intelligence team. Made up of accomplished cybersecurity researchers and industry experts, Unit 42 gathers, researches, analyzes, and provides insights into the latest cyber threats, then shares them with Palo Alto Networks customers, partners and the broader community to better protect enterprise, service provider, and government computing environments. You
Chad Berndtson

Funtasy Trojan Targets Spanish Android Users with Sneaky SMS Charges

Summary: A new Android Trojan, named Funtasy, began targeting Spanish Android users in mid-April. Users have downloaded 18 different variants of Funtasy between 13,500 and 67,000 times from the Google Play store. Funtasy currently targets users of multiple Spanish mobile networks, and one Australian mobile network. Funtasy subscribes victims’ phones to premium SMS services which
Zhi Xu, Claud Xiao, Ryan Olson

Mac Malware Steals Cryptocurrency Exchanges’ Cookies

Palo Alto Networks’ Unit 42 recently discovered malware that we believe has been developed from OSX.DarthMiner, a malware known to target the Mac platform. This malware is capable of stealing browser cookies associated with mainstream cryptocurrency exchanges and wallet service websites visited by the victims, stealing saved passwords in Chrome, and seeking to steal iPhone text messages from iTunes backups on the tethered Mac.
Yue Chen, Cong Zheng, Wenjun Hu, Zhi Xu