One month ago we captured a Word document infected with malicious VBA code, which was detected as WM/Agent!tr by the Fortinet AntiVirus service. Its file name is InternalFax.doc, and its MD5 is 4F2139E3961202B1DFEAE288AED5CB8F. By our analysis, the Word document was used to download and spread the botnet TrickBot. TrickBot aims at stealing online banking information from browsers when victims are visiting online banks. The targeted banks are from Australia, New Zealand, Germany, United Kingdom, Canada, United States, Israel, and...
by Xiaopeng Zhang | Dec 06, 2016 | Filed in: Security Research
New variants of Android banking malware target even more German banks, popular social media apps, and more. Summary: In my previous blog I provided a detailed analysis of a new Android banking malware that spoofed the mobile applications of several large German banks to trick users into revealing their banking credentials. This week I found several new variants of this growing malware, and in this update I am sharing these new findings. Install the malware: One of these variants masquerades as another German mobile banking app. Once installed,...
by Kai Lu | Nov 18, 2016 | Filed in: Security Research
Active users of mobile banking apps should be aware of a new Android banking malware campaign targeting customers of large banks in the United States, Germany, France, Australia, Turkey, Poland, and Austria. This banking malware can steal login credentials from 94 different mobile banking apps. Due to its ability to intercept SMS communications, the malware is also able to bypass SMS-based two-factor authentication. Additionally, it contains modules to target some popular social media apps. Install the malware: The malware masquerades...
by Kai Lu | Nov 01, 2016 | Filed in: Security Research
Overview: Over the last few months, the Shifu banking Trojan has become more prevalent in the wild, and the malware family has been getting a fair amount of attention from both researchers and the mainstream media, with a number of discussions surrounding it. We also became aware that this malware attempts to bypass our sandbox technology, FortiSandbox. In this post, we will share some of our findings on this new banking Trojan and also talk about how our technologies address Shifu. Prevalence: While...
by Floser Bacurio | Nov 03, 2015 | Filed in: Industry Trends
[Editor's Note: If you haven't yet watched the season finale of Mr. Robot, there are some spoilers here. It's not a recap and it won't ruin the whole episode, but you might want to watch it first before you keep reading.] Within the first four minutes of last night's Mr. Robot finale (postponed from last week because of sensitivity to the on-air shooting in Virginia), we saw a character whose life had been destroyed by the Ashley Madison data dump and heard how astoundingly difficult it is to prosecute computer...
by Chris Dawson | Sep 03, 2015 | Filed in: Industry Trends
by Stefanie Hoffman | Jun 28, 2014 | Filed in: Industry Trends
Researchers recently discovered a new banking trojan that, like the recently fallen Zeus botnet, is also capable of bypassing the Secure Sockets Layer (SSL). Some speculation even suggests that this baddy is filling the empty shoes that Zeus has left behind. Let's take a closer look and figure out how to tell if you're infected. Banking URLs: Within the malware code, a list of URLs for banking and other financial institutions can be found. Figure 1 shows these strings in memory. Figure...
by Raul Alvarez | Jun 20, 2014 | Filed in: Security Research
Following the disappointment at the failure of the end of the world, we decided to do a little recap on Project Blitzkrieg, which has been widely talked about in the security community over the past couple of months following a report by RSA. It might be on a smaller scale than the former, but it certainly has a bigger chance of coming true. The operation was named and announced by a Russian hacker called vorVzakone (seen bragging about a car and his house in this video) in a post (translated version, courtesy Krebs on Security) on a Russian semi-private...
by Ruchna Nigam | Dec 21, 2012 | Filed in: Security Research