Dridex Downloader Tries New Sandbox-Evasion Techniques

Dridex is currently one of the most active and widespread banking malwares. Like Locky ransomware also Dridex is dispatched through a massive spam mail campaign that uses the Necurs botnet. Our sensors have long been tracking these spam campaigns and recent captured emails contain a Word document that drops Dridex. In our latest samples we have observed a delay on execution of the downloader stage that wasn’t present before, we have further investigated to figure out whether Dridex’s authors were experimenting with new, even if basic, anti-sandbox techniques.

Continue reading “Dridex Downloader Tries New Sandbox-Evasion Techniques”

Uncovering a ransomware-distribution campaign part 2

Uncovering a ransomware distribution operation – Part 2

In Part 1 we’ve analyzed a vast Crypt0L0cker ransomware distribution operation currently affecting continental Europe and ready to jump to new countries. In this second post we’ll analyze in detail the server side code used to dispatch the victims towards the correct websites, up to the ransomware itself. We’ll also analyze the ransomware behaviour and how it infects the victim’s computer.
Continue reading “Uncovering a ransomware distribution operation – Part 2”

Nemucod meets 7zip

Nemucod meets 7-Zip to launch ransomware attacks

Nemucod is a Javascript downloader used to perform all kind of nasty stuff, recently a “ransomware” routine has been found in some samples, even if a simple one: a XOR with a predefined 255 bytes key. In other instances we have observed the download of a malicious executable responsible for the encryption process. What we will analyze this time is a variant that downloads the infamous Kovter together with the official 7zip CLI application.

Continue reading “Nemucod meets 7-Zip to launch ransomware attacks”

poweliks persistence registry

Poweliks File-less Malware Keeps Evolving – Update 1

Poweliks (actually we should say Kovter) is a well-known and studied click-fraud malware that made its first appearance in early August 2014, it became famous very quickly due the fact that it used a persistence mechanism that allowed it to be fileless on disk, taking advantage of the Windows Registry and also because it adopted new techniques to stay persistent on the system. Its evolution apparently never stopped, in this post we will analyze what appears to be a new strain of the malware with an incredibly low detection rate.

Continue reading “Poweliks File-less Malware Keeps Evolving – Update 1”