cybersecurity research


Introduction Recently, there have been a series of high profile attacks using browser extensions. Having dealt with this threat vector in the past, we here at FortiGuard Labs decided to conduct a large-scale study of browser extensions. Before diving into the results, we want to make a distinction between two seemingly similar browser technologies: browser plugins and browser extensions. Both are mechanisms that allow an end user to customize their browser to suit their needs, however there are some fine distinctions between them. The former... [Read More]
by RSS Minh Tran  |  Sep 14, 2017  |  Filed in: Security Research
A few days ago, a variant of Mirai hit a German telco, forcing 900,000 customers off the Internet. The FortiGuard team has issued an AV signature for it, named Linux/Mirai.B!worm. Several binaries were found in the wild for different architectures. I'll examine the one for ARM here, as that's the architecture I'm the most familiar with. A look at the strings in the binary reveals the following: [Read More]
by RSS Axelle Apvrille  |  Dec 08, 2016  |  Filed in: Security Research
The Fortinet research team has been developing a industrial-grade analysis system that allows us to concentrate information from samples collected from a variety of sources. Using this tool, we recently started to see the recurrence of URLs from the domains hopto.org and myftp.biz. In most cases, each sample was connected to a unique URL in one of the domains, although we also found some samples that connected to the same URL.  Figure 1. Examples of the domains and samples collected by the team’s FortiGuard analysis system This... [Read More]
by RSS Lilia Elena Gonzalez Medina  |  Nov 30, 2016  |  Filed in: Security Research
  Introduction The ART team at Fortinet has discovered a new malware named Proteus, a multifunctional botnet written in .NET that appears to be a proxy, coin miner, e-commerce merchant account checker, and keylogger. This particular botnet is downloaded by the Andromeda botnet. The handful of malicious features densely packed in this new malware also includes the ability to drop other malware. We have compiled its main features in this brief analysis. Data Encryption All C&C communication is encrypted with a symmetrical algorithm.... [Read More]
by RSS Donna Wang, Jacob (Kuan Long) Leong  |  Nov 28, 2016  |  Filed in: Security Research
Summary We recently found an Android banking malware masquerading as an email app that targets several large German banks. This banking malware is designed to steal login credentials from 15 different mobile banking apps for German banks. It also has the ability to resist anti-virus mobile apps, as well as hinder 30 different anti-virus programs and prevent them from launching. Install the malware The malware masquerades as an email app. Once installed, its icon appears in the launcher, as shown below. Figure 1. Malware App Icon   Figure... [Read More]
by RSS Kai Lu  |  Nov 18, 2016  |  Filed in: Security Research