Security Research


It has been just a week since the variation of Locky named Diablo6 appeared. Now it has launched another campaign, more massive than the previous one. This time, it uses “.lukitus”, which means “locking” in Finnish, as the extension for the encrypted files. The FortiGuard Lion Team was the first to discover this variant with the help of Fortinet’s advanced Kadena Threat Intelligence System (KTIS). [Fig. 1: Encrypted files with .lukitus extension] [Fig. 2: Familiar Locky ransom note] Same Locky, More Spam: This... [Read More]
by Joie Salvio, Rommel Joven and Floser Bacurio  |  Aug 17, 2017  |  Filed in: Security Research
In this blog post we will analyze a couple of Android malware samples in the Android VM of the FortiSandbox. We'll also share a few interesting and useful tricks. Running a sample in the VM: To run a given sample in the Android VM, you should log into the FortiSandbox, make sure an Android VM is available, and then "Scan Input" / Submit a New File. Next, if the objective is to run the malware in the sandbox, you must make sure to skip "static scan," "AV scan," and "Cloud Query"... [Read More]
by Axelle Apvrille  |  Aug 17, 2017  |  Filed in: Security Research
KONNI is a remote access Trojan (RAT) that was first reported in May of 2017, but is believed to have been in use for over 3 years. As part of our daily threat monitoring, FortiGuard Labs came across a new variant of the KONNI RAT and decided to take a deeper look. KONNI is known to be distributed via campaigns that are believed to be targeting North Korea. This new variant isn’t different from previous variants, as it is dropped by a DOC file containing text that was drawn from a CNN article entitled 12 things... [Read More]
by Jasper Manuel  |  Aug 15, 2017  |  Filed in: Security Research
A few days ago, while scouring through Fortinet’s Kadena Threat Intelligence System (KTIS), we found an emerging spam campaign. Initially, it was the scale that caught our attention, and then it got a lot more interesting when the payload turned out to be a new variant of the infamous Locky. [Read More]
by Floser Bacurio, Joie Salvio, Rommel Joven  |  Aug 14, 2017  |  Filed in: Security Research
Over the past few days, FortiGuard Labs captured a number of JS (JavaScript) scripts. Based on my analysis, they were being used to spread the new GlobeImposter ransomware variants. [Read More]
by Xiaopeng Zhang  |  Aug 05, 2017  |  Filed in: Security Research
Joomla! is one of the world's most popular content management systems (CMS). It enables users to build Web sites and powerful online applications. More than 3 percent of Web sites are running Joomla!, and it accounts for more than 9 percent of CMS market share. As of July 2017, Joomla! has been downloaded over 82 million times. Over 7,800 free and commercial extensions are available from the official Joomla! Extension Directory, and more are available from other sources. In my last blog, I discovered 2 Cross-Site Scripting (XSS) vulnerabilities... [Read More]
by Zhouyuan Yang  |  Jul 12, 2017  |  Filed in: Security Research
There have already been a lot of write-ups for the NotPetya malware. This article is just a supplement for what is already out there. Our focus is to highlight some key differences between a previous strain of the Petya ransomware and the malware that scared everyone a few weeks ago, which is now sometimes being referred to as NotPetya. I posted a blog post a couple of months ago about the MBR (Master Boot Record) infected by Petya. I explained how the ransomware infected the boot process and how it executed its own kernel code. In this post,... [Read More]
by Raul Alvarez  |  Jul 09, 2017  |  Filed in: Security Research
Last week we started our technical analysis on Petya (also called NotPetya) and its so-called “killswitch.” In that blog post we mentioned that Petya looks for a file in the Windows folder that has the same filename (no extension) as itself (for example: C:\Windows\Petya). If it exists, it terminates by calling ExitProcess. If it doesn't exist, it creates a file with the attribute DELETE_ON_CLOSE. This seems to imply that instead of a killswitch, this file is meant to be a marker to check and see if the system has already been infected. After... [Read More]
by Gabriel Hung and Margarette Joven  |  Jul 09, 2017  |  Filed in: Security Research
In this final blog in the Rootnik series we will finish our analysis of this new variant. Let’s start by looking into the script shell rsh. Analysis of the script shell: Through our investigation we are able to see how the script shell works. First, it writes the content of the file .ir into /system/etc/install-recovery.sh. The file install-recovery.sh is a startup script. When the Android device is booted, the script can be executed. The following is the content of the file .ir. Next, it writes some files... [Read More]
by Kai Lu  |  Jul 09, 2017  |  Filed in: Security Research
In part I of this blog, I finished the analysis of the native layer of a newly discovered Rootnik malware variant, and got the decrypted real DEX file. Here in part II, we will continue our analysis. A look into the decrypted real DEX file: The entry of the decrypted DEX file is the class demo.outerappshell.OuterShellApp. The definition of the class OuterShellApp is shown below. [Figure 1: The class demo.outerappshell.OuterShellApp] We will first analyze the function attachBaseContext(). The following is the function aBC() in the class... [Read More]
by Kai Lu  |  Jul 09, 2017  |  Filed in: Security Research