The Russian-linked cyber-espionage group Sofacy has developed a new version of their Zebrocy tool using the Go programming language, Palo Alto Networks security researchers warn. The first-stage malware was initially analyzed in April this year, and has been observed in numerous attacks in October and November. Last month, however, the researchers also observed a new Trojan being used in the group’s attacks.
Also known as APT28, Fancy Bear, Pawn Storm, Sednit and Strontium, the state-sponsored actor has been active for several years, focusing on cyber-espionage and believed to have orchestrated the attacks targeting the 2016 presidential election in the United States.
Read more about the new malware used by Sofacy on SecurityWeek.
A new worm has been discovered which spreads a modern variant of the remote access tool (RAT) Bladabindi. According to researchers from Trend Micro, the worm spreads Bladabindi — also known as njRAT/Njw0rm — in a fileless form by propagating through removable drives and storage.
In a blog post, the cybersecurity team said Bladabindi has been recompiled, refreshed, and rehashed for years, leading to its presence in countless cyber-espionage campaigns. The worm that is now spreading a modern variant of Bladabindi is detected as Worm.Win32.BLADABINDI.AA.
Read more about the new worm that is capable of keylogging, spying, and far more, on ZDNet.
Researchers have uncovered the Octopus Trojan in a wave of cyberattacks launched against diplomatic entities across central Asia. According to cybersecurity firm Kaspersky Lab, the targeted campaign has exploited the recent ban of the Telegram messenger in Russia, and reported attempts to ban the service in some former Soviet states such as Kazakhstan, to dupe victims into believing they are downloading an accessible, legitimate version of the real communications service.
The malicious payload looks like the Telegram messenger app but instead provides a remote access conduit for attackers to hijack victim PCs.
Read more about the wave of cyberattacks across central Asia on ZDNet.
A new Android trojan, dubbed “GPlayed”, has been identified by Cisco Talos researchers, who said the malware is both extremely dangerous and could herald a new and very dangerous age for malicious code.
The trojan has all of the capabilities of a banking trojan as well as harboring deep cyber-espionage tools, researchers said. But it really stands out because it has been engineered to adapt after it’s deployed. According to Cisco Talos, cyberattackers can remotely load plugins, inject scripts and even compile new .NET code that can be executed.
Read more about the GPlayed malware, which comes with a Swiss Army knife-like toolbox that can be used to target pretty much anyone, on Threatpost.
Adwind, a Remote Access Trojan (RAT) previously connected to attacks against industries worldwide, is back with a new toolkit designed to trick antivirus programs into allowing the malware to exploit systems. Cisco Talos, together with intelligence partner ReversingLabs, released the results of an investigation into the Adwind Trojan’s latest campaign.
Also known as AlienSpy, JSocket, and jRat, the Trojan is a malware variant that contains a wide variety of ‘skills.’ The RAT is able to collect PC information and keystrokes; steal credentials and data submitted via web forms; record video and sound; take screenshots; tamper with system files and transfer content without user consent.
Read more about the new Adwind Trojan campaign on ZDNet.
A new malware program called the Skygofree Trojan was discovered targeting Android smartphones and tablets with extensive spyware capabilities in order to gain access to user information and gather data from apps.
Kaspersky Lab found the Skygofree Trojan, which is distributed via fake mobile operator websites and is disguised as an update to improve mobile internet speed. It can be configured by the attacker to hide itself once installed and to set itself up on the device so that it is always running.
Read more about how this Trojan works and what makes it unique compared to other types of spyware, on TechTarget.
There’s a nasty new Android remote access Trojan (RAT) going around, and it’s capable of giving anyone GUI-based control over an infected device. Called HeroRat, this new suite of control tools abuses the Telegram messaging protocol popular with Android users to give attackers an alarming amount of access to infected devices, like recording calls, sending SMS messages, installing and uninstalling apps, and more.
HeroRat was discovered by ESET when the security company was researching the widespread growth of Android RATs that target Telegram, which are freely available for download online. HeroRat has a different distribution model, and costs money.
Read more about the new remote access Trojan dubbed HeroRat, and how to stay safe, on TechRepublic.
GravityRAT is a Trojan that checks the temperature of a system to detect the presence of virtual machines (VMs) and hinder analysis by researchers. By taking thermal readings, the Remote Access Trojan (RAT), which has recently become a menace in India, attempts to determine whether VMs are being used for decompilation and reverse engineering.
The approach is not foolproof, but according to Cisco Talos researchers, GravityRAT is able to detect a number of virtual environments using this method. GravityRAT is a Trojan that is still evolving. Over at least the past 18 months, the malware has been under active development and has been equipped with a range of features including file exfiltration, remote command execution, and anti-VM techniques.
Read more about the novel GravityRAT Trojan, which will grab thermal readings to detect and thwart research efforts, on ZDNet.
An Android trojan that started out as an open-source project has been updated to allow hackers to gain access to virtually all data on infected devices.
Silent installation, shell command execution and the collection of credentials, Wi-Fi passwords and screenshots are just some of the capabilities of AndroRAT, which exploits CVE-2015-1805, a Linux kernel vulnerability that was publicly disclosed in 2016.
Read how the AndroRAT trojan can remotely hijack older Android smartphones and tablets on ZDNet.
Security experts are warning of a new Chinese trojan which they have discovered pre-loaded onto low-end smartphones popular in Asia and Africa. DeathRing is disguised as a ringtone app but in reality downloads SMS and WAP content from its command-and-control server to the victim’s phone, according to mobile security vendor Lookout.
This enables the attackers to phish personal information via fake texts or prompt the victim to download more malware disguised in APKs, the firm claimed.
Read more about the latest trojan, called DeathRing, which allegedly comes pre-loaded on Android smartphones, on Infosecurity.