malware


On March 16, FortiGuard Labs captured a new Word file that spreads malware by executing malicious VBA (Visual Basic for Applications) code. The sample targeted both Apple Mac OS X and Microsoft Windows systems. We then analyzed the sample, and in this blog we are going to explain how it works, step by step. When the Word file is opened, it shows notifies victims to enable the Macro security option, which allows the malicious VBA code to be executed. Malicious Word File is Opened Figure 1. Asks victim to enable Macro security option Once... [Read More]
by RSS Xiaopeng Zhang & Chris Navarrete  |  Mar 22, 2017  |  Filed in: Security Research
Ztorg, also known as Qysly, is one of those big families of Android malware. It first appeared in April 2015, and now has over 25 variants, some of which are still active in 2017. Yet, there aren't many technical descriptions for it - except for the initial Ztorg.A sample - so I decided to have a look at one of the newer variants, Android/Ztorg.AM!tr, that we detected on January 20, 2017. The sample poses a "Cool Video Player" and its malicious activity was so well hidden I initially thought I had run into... [Read More]
by RSS Axelle Apvrille  |  Mar 15, 2017  |  Filed in: Security Research
In the part 1 of this blog, we saw that Android/Ztorg.AM!tr silently downloads a remote encrypted APK, then installs it and launches a method named c() in the n.a.c.q class. In this blog post, we’ll investigate what this does. This is the method c() of n.a.c.q: This prints "world," then waits for 200 seconds before starting a thread named n.a.c.a. I'll spare you a few hops, but among the first things we notice is that the sample uses the same string obfuscation routine, except this time it is not... [Read More]
by RSS Axelle Apvrille  |  Mar 15, 2017  |  Filed in: Security Research
Over the last few years we have received a number of emails with attached Word files that spread malware.  Now it seems that it is becoming more and more popular to spread malware using malicious Excel files. Lately, Fortinet has collected a number of email samples with Excel files attached (.xls, .xlsm) that spread malware by executing malicious VBA (Visual Basic for Applications) code. VBA is a programming language used by Microsoft Office suite. Normally, VBA is used to develop programs for Excel to perform some tasks. I’ll use... [Read More]
by RSS Xiaopeng Zhang  |  Mar 08, 2017  |  Filed in: Security Research
Attacks targeting and originating from IoT devices began grabbing news headlines toward the last quarter of 2016. Insecure IoT devices became the low-hanging fruit for threat actors to easily exploit. Some were even notoriously used as botnets to launch DDoS attacks against selected targets. For example, the infamous Mirai botnet exploited weak login vulnerabilities in insecure IoT devices such as IP cameras and home routers, and was responsible for one of the largest known DDoS attacks to date. Besides being used in DDoS attacks, exploited IoT... [Read More]
by RSS Gavin Chow  |  Mar 06, 2017  |  Filed in: Security Research
Over the weekend, we encountered an interesting variation of a phishing email targeting Apple users. The email contained an alleged receipt for five movies purchased from the iTunes Store that was so detailed that the user who received it, and who knows better, still almost fell for the scam. Figure 1. Phishing Apple email Similar cases were reported in 2015 by users in the UK and Australia, except in those cases the fake receipt contained songs and books, respectively. Last year, similar emails targeting users in the US were also reported,... [Read More]
by RSS Lilia Elena Gonzalez Medina  |  Feb 23, 2017  |  Filed in: Security Research
Introduction Dyzap belongs to a family of malware designed to steal confidential information from enormous target applications by installing a “man in the browser” attack into common browsers. FortiGuard Researchers recently discovered a new variant of this Trojan virus. Stolen information may include, but is not limited to, system information and application credentials stored on infected systems. In this blog, we will explain how the malware steals user accounts, acts as a keylogger, and communicates with its C&C server. Stealing... [Read More]
by RSS Bahare Sabouri and He Xu  |  Feb 22, 2017  |  Filed in: Security Research
Given the popularity and success of ransomware, it is no surprise that malware authors have been developing more ransomware than ever before. Last year’s cost of ransomware attacks reached $1 billion, which not only shows how this affects businesses, but for cybercriminals the potential pay-out for cyber-extortion can be very lucrative. The rise of ransomware infections may also be attributed to the attractiveness growing availability of Ransomware-as-a-Service (Raas). Ransomware authors posts are now developing user-friendly... [Read More]
by RSS Rommel Joven  |  Feb 16, 2017  |  Filed in: Security Research
Remcos is another RAT (Remote Administration Tool) that was first discovered being sold in hacking forums in the second half of 2016. Since then, it has been updated with more features, and just recently, we’ve seen its payload being distributed in the wild for the first time. This article demonstrates how this commercialized RAT is being used in an attack, and what its latest version (v1.7.3) is capable of doing. Remcos is currently being sold from $58 to $389, depending on the license period and the maximum number of masters or clients... [Read More]
by RSS Floser Bacurio and Joie Salvio  |  Feb 14, 2017  |  Filed in: Security Research
Every year during holiday seasons, the number of phishing websites increases. This is particularly true for online gaming distribution platforms. In some cases, users not only have their login credentials stolen, but they also end up downloading and executing malicious executables. As expected, the more popular a platform is, the more targeted it will be, which is why this research blog focuses on two malware samples obtained from fake Origin and Steam websites. Figure 1. Fake Origin phishing website Origin Malware Sample In addition... [Read More]
by RSS Lilia Elena Gonzalez Medina  |  Feb 06, 2017  |  Filed in: Security Research