Banks and crypto wallets: unveiling a global malware campaign using Zeus/Panda

For the past weeks our Threat Intelligence team has been following an enxtesive campaign, possibly operated by the same group, targeting a large amount of financial institutions, cyptocurrency wallets and the occasional Google and Apple accounts. The attackers target their victims both with Phishing emails, typo-squatted domains and malicious attachments that eventually lead to the installation of Zeus/Panda banking malware. The group appears to be active since at least 2015 and it’s most likely related to several campaigns identified by the security community in the past 3 years.
Continue reading “Banks and crypto wallets: unveiling a global malware campaign using Zeus/Panda”

Uncovering a ransomware-distribution campaign part 2

Uncovering a ransomware distribution operation – Part 2

In Part 1 we’ve analyzed a vast Crypt0L0cker ransomware distribution operation currently affecting continental Europe and ready to jump to new countries. In this second post we’ll analyze in detail the server side code used to dispatch the victims towards the correct websites, up to the ransomware itself. We’ll also analyze the ransomware behaviour and how it infects the victim’s computer.
Continue reading “Uncovering a ransomware distribution operation – Part 2”

Uncovering a ransomware distribution campaign

Uncovering a ransomware distribution operation – Part 1

Recently we uncovered a ransomware distribution operation targeting European users and carried out via phishing scams. In this post we will show how we have conducted the research: from the initial infection stage back to the person that is orchestrating the whole operation. These campaigns are targeting Italy, Denmark and Spain, although we have detected two new campaigns about to be started by the same author. The ransomware delivered is the infamous Crypt0L0cker, a descendant of TorrentLocker ransomware.
Continue reading “Uncovering a ransomware distribution operation – Part 1”