Latest Batloader Campaigns Use Pyarmor Pro for Evasion
In June 2023, Trend Micro observed an upgrade to the evasion techniques used by the Batloader initial access malware, which we’ve covered in previous blog entries. Read More HERE…
Trend Micro Research : Malware
TargetCompany Ransomware Abuses FUD Obfuscator Packers
In this entry, we detail our analysis of how the TargetCompany ransomware abused an iteration of fully undetectable (FUD) obfuscator engine BatCloak to infect vulnerable systems. Read More HERE…
Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns
Trend Micro’s Mobile Application Reputation Service (MARS) team discovered two new related Android malware families involved in cryptocurrency-mining and financially-motivated scam campaigns targeting Android users. Read More HERE…
Supply-Chain Attack Targeting Pakistani Government Delivers Shadowpad
We recently found that an MSI installer built by the National Information Technology Board (NITB), a Pakistani government entity, delivered a Shadowpad sample, suggesting a possible supply-chain attack. Read More HERE…
Possible Supply-Chain Attack Targeting Pakistani Government Delivers Shadowpad
We recently found that a modified installer of the E-Office app used by the Pakistani government delivered a Shadowpad sample, suggesting a possible supply-chain attack. Read More HERE…
Detecting BPFDoor Backdoor Variants Abusing BPF Filters
An analysis of advanced persistent threat (APT) group Red Menshen’s different variants of backdoor BPFDoor as it evolves since it was first documented in 2021. Read More HERE…
Hunting for A New Stealthy Universal Rootkit Loader
In this entry, we discuss the findings of our investigation into a piece of a signed rootkit, whose main binary functions as a universal loader that enables attackers to directly load a second-stage unsigned kernel module. Read More HERE…
Tailing Big Head Ransomware’s Variants, Tactics, and Impact
We analyze the technical details of a new ransomware family named Big Head. In this entry, we discuss the Big Head ransomware’s similarities and distinct markers that add more technical details to initial reports on the ransomware. Read More HERE…
Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator
We found that malicious actors used malvertising to distribute malware via cloned webpages of legitimate organizations. The distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer. We were able to identify that this activity led to a BlackCat (aka ALPHV) infection, and actors also used SpyBoy, a terminator that tampers with protection provided by agents. Read More HERE…
SeroXen Mechanisms: Exploring Distribution, Risks, and Impact
This is the third installment of a three-part technical analysis of the fully undetectable (FUD) obfuscation engine BatCloak and SeroXen malware. In this entry, we document the techniques used to spread and abuse SeroXen, as well as the security risks, impact, implications of, and insights into highly evasive FUD batch obfuscators. Read More HERE…