DTrack activity targeting Europe and Latin America

DTrack is a backdoor used by the Lazarus group. Initially discovered in 2019, it remains in use three years later against a wide variety of targets. For example, we have seen it used in financial environments where ATMs were breached, in attacks on a nuclear power […]

APT trends report Q3 2022

For more than five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research, and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. […]

APT10: Tracking down LODEINFO 2022, part II

In the previous publication ‘Tracking down LODEINFO 2022, part I’, we mentioned that the initial infection methods vary between attack scenarios and that the LODEINFO shellcode was regularly updated for use with each infection vector. In this article, we discuss improvements made to the LODEINFO backdoor shellcode in 2022. Kaspersky investigated new versions of […]

APT10: Tracking down LODEINFO 2022, part I

Kaspersky has been tracking activities involving the LODEINFO malware family since 2019, looking for new modifications and thoroughly investigating any attacks utilizing those new variants. LODEINFO is a sophisticated fileless malware family first named in a JPCERT/CC blogpost in February 2020. The malware was regularly modified and upgraded by its developers to target media, diplomatic, governmental […]

URSNIF variant doesn’t support banking features

A new variant of the popular Ursnif malware is being used as a backdoor to deliver next-stage payloads and steal sensitive data. Mandiant researchers warn of a significant shift from Ursnif’s original purpose: malware initially built for banking fraud has been repurposed as a generic loader and information stealer. The new variant, first observed […]

AdvancedIPSpyware, backdoored software with an unusual architecture, targets organizations worldwide

In a recent crimeware report, Kaspersky experts described, among other things, AdvancedIPSpyware. It is a backdoored version (a build into which a backdoor has been inserted) of the legitimate Advanced IP Scanner tool, which network administrators use to monitor local area networks (LANs). The malicious program was distributed to […]

Uncommon infection and malware propagation methods

We are often asked how targets are infected with malware. Our answer is nearly always the same: (spear) phishing. There are exceptions, naturally: we encounter RCE vulnerabilities every now and then, and an attacker who is already on the network will use tools like PsExec to move laterally. But that’s it: most […]
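The PsExec remark above is the one technical hook in this teaser. As an added example (not code from the Kaspersky article), the following hunt looks for the remote service that PsExec installs on a target host, run over a handful of constructed Windows System log records. It assumes, beyond what the page states, that the Service Control Manager records each new service as Event ID 7045, that PsExec’s default service name and binary are PSEXESVC and PSEXESVC.exe, and that a renamed copy (PsExec’s -r switch) still lands directly in the Windows directory because it is dropped over the ADMIN$ share. The key=value export format and the host names are invented for the example.

```python
"""Hunt for PsExec-style remote service installation in Windows System log records.

Added example, not part of the original article. Assumptions (not stated on the page):
  * a newly installed service is logged as System Event ID 7045;
  * PsExec's default service is PSEXESVC, running %SystemRoot%\\PSEXESVC.exe;
  * a renamed copy (psexec -r <name>) still sits directly in the Windows
    directory, because PsExec copies it there via the ADMIN$ share.
"""
import re
from typing import Dict, List, Optional, Tuple

DEFAULT_PSEXEC_SERVICE = "PSEXESVC"

# Constructed records in a simple key=value export format; not real telemetry.
SAMPLE_LOGS: List[str] = [
    "EventID=7045 Host=WS-042 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe Account=LocalSystem",
    'EventID=7045 Host=WS-042 ServiceName=WinDefend ImagePath="C:\\Program Files\\Windows Defender\\MsMpEng.exe" Account=LocalSystem',
    "EventID=7045 Host=SRV-DB1 ServiceName=updsvc ImagePath=C:\\Windows\\updsvc.exe Account=LocalSystem",
    "EventID=7036 Host=WS-042 ServiceName=PSEXESVC State=stopped",
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The Windows directory, as ADMIN$ exposes it: %SystemRoot%, %windir% or X:\Windows.
_WINDOWS_ROOT = re.compile(r"^(%SystemRoot%|%windir%|[A-Za-z]:\\Windows)$", re.IGNORECASE)


def parse_record(line: str) -> Dict[str, str]:
    """Parse one key=value record; quoted values may contain spaces."""
    return {key: value.strip('"') for key, value in _KV.findall(line)}


def split_image_path(image_path: str) -> Tuple[str, str]:
    """Return (directory, executable name) from a service ImagePath.

    Strips surrounding quotes and anything after the .exe (service arguments).
    """
    path = image_path.strip('"').replace("/", "\\")
    match = re.match(r"(.*?\.exe)", path, re.IGNORECASE)
    exe_path = match.group(1) if match else path
    directory, _, name = exe_path.rpartition("\\")
    return directory, name


def classify_service_install(record: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for a 7045 record that looks like PsExec, else None."""
    if record.get("EventID") != "7045":
        return None
    service = record.get("ServiceName", "")
    directory, exe = split_image_path(record.get("ImagePath", ""))
    finding = {"host": record.get("Host", "?"), "service": service, "image": exe}

    # High confidence: default PsExec service name or binary name.
    if service.upper() == DEFAULT_PSEXEC_SERVICE or exe.upper() == "PSEXESVC.EXE":
        return {**finding, "severity": "high", "reason": "default PsExec service name or binary"}

    # Medium confidence: a LocalSystem service whose binary was dropped straight into
    # the Windows directory root, which is where ADMIN$ maps and where a renamed
    # PsExec service (-r) ends up. Legitimate services rarely install there.
    if _WINDOWS_ROOT.match(directory) and record.get("Account", "").lower() == "localsystem":
        return {**finding, "severity": "medium",
                "reason": "LocalSystem service binary in Windows directory root (ADMIN$)"}
    return None


def hunt_psexec(lines: List[str]) -> List[Dict[str, str]]:
    """Run the classifier over raw log lines and collect the findings."""
    findings = []
    for line in lines:
        finding = classify_service_install(parse_record(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt_psexec(SAMPLE_LOGS):
        print(f"[{f['severity']}] {f['host']}: service {f['service']} ({f['image']}) - {f['reason']}")
```

The medium tier is a heuristic and will need tuning against your own baseline of services that legitimately install from %SystemRoot%; the high tier is narrow enough to alert on directly, but remember an operator can rename the service, so the two tiers belong together.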

Attackers use novel technique, malware to compromise hypervisors and virtual machines

Unknown attackers wielding novel specialized malware have managed to compromise VMware ESXi hypervisors and guest Linux and Windows virtual machines, Mandiant threat analysts have discovered. They named the malware VirtualPITA (ESXi & Linux), VirtualPIE (ESXi), and VirtualGATE (Windows), and shared detection and hardening advice. The malware and techniques used by the attackers: VirtualPITA and VirtualPIE […]
