Cisco Talos cybersecurity experts: The 1.1.1 malware added a PowerShell keylogger and a VB script. The 1.1.7 update removed them, focusing on stealing passwords and cookies from browsers.
Cyber security experts found an update of the Karkoff implant, used by APT34. It proves that the group is still operating and that a new campaign is active. The malware is delivered through spear-phishing emails.
Marco Ramilli, cyber security expert and Yoroi founder: The attacker, pretending to be a customer, sent victims an email containing a Microsoft XLS file, without macros but with hidden malware.
Cisco Talos cyber security experts: The malware still attacks Australia and spreads via SMS. But the latest version no longer has hardcoded package names and added a "poor man's scripting engine".
Cisco Talos cyber security experts found three campaigns that leverage the OpenDocument Text format, but there could be more in the future. Today's targets are English- and Arabic-speaking users.
Cisco Talos cyber security experts: It uses the system registry to bypass anti-virus scanning, a registry key to maintain persistence, and PowerShell to install.
Cisco Talos cyber security experts: It features several changes and improvements to control where the malware can spread and avoid analysis by sandboxes and antivirus.
Cisco Talos Cyber Security experts: The banking trojan is utilizing an updated persistence mechanism that can make it harder for users to detect and remove it.
The cyber security experts: There are many similarities in TTPs, targets and purposes. The credential harvesting could be complementary to the WebMask project on DNS hijacking.
Cisco Talos cyber security experts: At least 40 organizations across 13 different countries were compromised by a state-sponsored actor who exploits DNS hijacking.