A new spam campaign pretending to be a ‘Critical Microsoft Windows Update’ has been discovered that attempts to deliver the Cyborg Ransomware, but turns out to be an utter failure.

In a report from Trustwave that was released today, researchers outline how an attacker is sending spam email that pretends to be a ‘Critical’ Windows update and prompts the recipient to install it. Read more »

During the first half of 2019, the Shade Ransomware (also known as Troldesh) was the most actively distributed malware via malicious email phishing campaigns according to Singapore-based Group-IB security outfit.

Out of all malspam emails detected and examined by Group-IB’s Computer Emergency Response Team (CERT-GIB), Shade Ransomware was the main malware strain used by attackers to infect their targets’ computers in H1 2019.

“Currently, three of the most widespread tools used in attacks tracked by Group-IB’s Computer Emergency Response Team have been Troldesh (53%), RTM (17%) and Pony Formgrabber (6%),” the researchers claim.

Based on their results, ransomware has seen a huge boost in usage during malicious campaigns when compared to malware activity from 2018 dominated by backdoors and banking Trojans, with attacks detected during this year even surpassing the ransomware boom from 2017.

“In 2018, the major vector for financial losses was via bank Trojans and backdoors, whereas the first half of 2019 showed a rapid increase in ransomware usage,” the report says.

Read more »

A new ransomware has been found in the wild that is currently undetected by antivirus engines on public scanning platforms. Its name is NextCry due to the extension appended to encrypted files and that it targets clients of the NextCloud file sync and share service.

The malware targets Nextcloud instances and for the time being there is no free decryption tool available for victims.

Zero detection

xact64, a Nextcloud user, posted some details about the malware in an attempt to find a way to decrypt personal files.

Although his system was backed up, the synchronization process had started to update files on a laptop with their encrypted version on the server. He took action the moment he saw the files renamed but some of them still got processed by NextCry, otherwise known as Next-Cry.

“I realized immediately that my server got hacked and those files got encrypted. The first thing I did was pull the server to limit the damage that was being done (only 50% of my files got encrypted)” – xact64

Looking at the malware binary, Michael Gillespie said that the threat seems new and pointed out the NextCry ransomware uses Base64 to encode the file names. The odd part is that an encrypted file’s content is also encoded this way, after first being encrypted.

The malware has not been submitted to the ID Ransomware service before but some details are available.

NextCry is a Python script compiled in a Linux ELF binary using pyInstaller. At the moment of writing, not one antivirus engine on the VirusTotal scanning platform detects it.

Read more »

Hundreds of millions of devices, especially Android smartphones and tablets, using Qualcomm chipsets, are vulnerable to a new set of potentially serious vulnerabilities.

According to a report cybersecurity firm CheckPoint shared, the flaws could allow attackers to steal sensitive data stored in a secure area that is otherwise supposed to be the most protected part of a mobile device.

The vulnerabilities reside in Qualcomm’s Secure Execution Environment (QSEE), an implementation of Trusted Execution Environment (TEE) based on ARM TrustZone technology.

Also known as Qualcomm’s Secure World, QSEE is a hardware-isolated secure area on the main processor that aims to protect sensitive information and provides a separate secure environment (REE) for executing Trusted Applications.

Along with other personal information, QSEE usually contains private encryption keys, passwords, credit, and debit card credentials.

Read more »

Security researchers have tracked down activities of a new group of financially-motivated hackers that are targeting several businesses and organizations in Germany, Italy, and the United States in an attempt to infect them with backdoor, banking Trojan, or ransomware malware.

Though the new malware campaigns are not customized for each organization, the threat actors appear to be more interested in businesses, IT services, manufacturing, and healthcare industries who possess critical data and can likely afford high ransom payouts.

According to a report ProofPoint shared, the newly discovered threat actors are sending out low-volume emails impersonating finance-related government entities with tax assessment and refund lured emails to targeted organizations.

“Tax-themed Email Campaigns Target 2019 Filers, finance-related lures have been used seasonally with upticks in tax-related malware and phishing campaigns leading up to the annual tax filing deadlines in different geographies,” the researchers said.

Read more »