malware analysis Archives

Tech Optimizer

May 5, 2025

VIPRE Advanced Security Awarded Highest Ranking in AV-Comparatives’ Malware Protection Test 2025

VIPRE® Advanced Security received the Advanced+ award from AV-Comparatives in the March 2025 Malware Protection Test for its effectiveness against cyber threats. The test evaluated 19 security products using 10,030 malware samples on a Windows 11 system, focusing on both online and offline threats. VIPRE achieved a 98.7% detection rate in all scenarios, a 99.93% overall protection rate during execution testing, and had one of the lowest false positive counts among the products tested. VIPRE's security solutions are integrated into other Ziff Davis products, enhancing their protection capabilities. VIPRE is a subsidiary of Ziff Davis, Inc., specializing in cybersecurity solutions with over 25 years of experience.

Tech Optimizer

April 22, 2025

VIPRE Security Crushes Competition with 99.93% Protection Rate in Latest Test

VIPRE® Advanced Security received the Advanced+ distinction from AV-Comparatives in their March 2025 Malware Protection Test, demonstrating strong capabilities against cyber threats. The test evaluated 19 security products using 10,030 malware samples and included both online and offline scenarios. VIPRE achieved a 98.7% detection rate and a 99.93% overall protection rate during execution testing, with one of the lowest false positive counts among the products tested. VIPRE's security solutions also enhance other Ziff Davis consumer security products, utilizing its threat intelligence cloud to block malicious sites and improve overall protection.

Tech Optimizer

April 22, 2025

VIPRE Security Crushes Competition with 99.93% Protection Rate in Latest Test

VIPRE® Advanced Security received the Advanced+ distinction from AV-Comparatives in their March 2025 Malware Protection Test for its exceptional performance in detecting and preventing malware threats. The test evaluated 19 security products using 10,030 malware samples on a Windows 11 system, focusing on both online and offline threats. VIPRE achieved a 98.7% detection rate in all scenarios, a 99.93% overall protection rate during execution testing, and had one of the lowest false positive counts. VIPRE's security features also enhance other Ziff Davis products, utilizing its threat intelligence cloud to improve protection across various platforms. VIPRE is a subsidiary of Ziff Davis, Inc., and has over 25 years of experience in cybersecurity solutions.

Tech Optimizer

March 20, 2025

Dangerous new password-stealing trojan automatically reinstalls itself on infected PCs

Microsoft Incident Response has identified a new remote access trojan (RAT) called StilachiRAT, which extracts sensitive information from infected computers, including passwords, cryptocurrency wallet details, operating system specifications, and device identifiers. StilachiRAT has a self-reinstatement mechanism that allows it to reinstall itself if removed. It targets digital wallets from platforms like Coinbase Wallet, Phantom, Trust Wallet, Metamask, OKX Wallet, and Bitget Wallet. The malware can harvest credentials from web browsers, monitor clipboard data, gather system information, detect camera presence, and track active Remote Desktop Protocol (RDP) sessions. It can extract credentials from Google Chrome, monitor clipboard activity, and maintain its presence using the Windows service control manager. StilachiRAT can impersonate users to monitor RDP sessions and employs anti-forensics mechanisms to evade detection. Discovered in November of the previous year, it has not yet achieved widespread distribution. Microsoft advises users to download software from official websites, use robust security software, install reputable antivirus, be vigilant against phishing attacks, avoid clicking on unexpected links, and consider using a VPN and password manager for enhanced security.

Winsage

February 18, 2025

Earth Preta APT Exploit Microsoft Utility Tool to Control Windows

Researchers from Trend Micro's Threat Hunting team have identified a cyberattack campaign by the APT group Earth Preta, targeting government entities in the Asia-Pacific region, including Taiwan, Vietnam, Malaysia, and Thailand. The group uses spear-phishing emails and advanced malware to compromise Windows systems, notably employing the Microsoft Application Virtualization Injector (MAVInject.exe) to inject malicious payloads into legitimate processes. The attack typically begins with a malicious file, IRSetup.exe, which drops both legitimate and malicious files onto the system, often accompanied by a decoy PDF posing as an official document. Earth Preta utilizes a modified variant of the TONESHELL backdoor malware, sideloaded using OriginLegacyCLI.exe and a malicious DLL, EACore.dll. This malware communicates with a command-and-control server for data exfiltration and remote operations, offering capabilities such as reverse shell access, file deletion, and persistent storage of victim identifiers. The malware adapts its behavior based on the presence of ESET antivirus software, using different techniques for code injection. Trend Micro attributes this campaign to Earth Preta with medium confidence, noting that the group has compromised over 200 victims since at least 2022, primarily focusing on government entities and using phishing as the initial attack vector.

AppWizard

February 7, 2025

Google is ramping up Android security protection with new Android app safety tools

Google's Android Security and Privacy Team has partnered with Mandiant FLARE to enhance the capa open source binary analysis tool, which analyzes ARM ELF files used in Android malware. The integration of Gemini AI into this toolset aims to improve malware analysis and decision-making. A case study demonstrated the detection of an illegal gambling app disguised as a music app that used various anti-analysis techniques. By employing static analysis with capa, Google was able to identify and remove the app from the Google Play Store. New rules have been developed for capa to detect Android-specific malware behaviors, such as ptrace API calls and code downloading and decrypting methods. The incorporation of Gemini AI aids analysts by summarizing flagged functions and assessing risk levels, thereby accelerating malware detection and rule formulation.

Winsage

February 5, 2025

0-Day Vulnerabilities in Microsoft Sysinternals Tools Allow Attackers To Launch DLL Injection Attacks on Windows

A critical 0-Day vulnerability has been identified in Microsoft Sysinternals tools, allowing attackers to exploit DLL injection techniques to execute harmful code. This vulnerability has been verified and remains unresolved despite being disclosed to Microsoft over 90 days ago. The Sysinternals tools, including Process Explorer, Autoruns, and Bginfo, are widely used for system analysis and troubleshooting but lack integration with the Windows Update system, requiring manual management of security patches. The vulnerability stems from how Sysinternals tools load DLL files, prioritizing untrusted paths over secure system directories. Attackers can place a malicious DLL in the same directory as a legitimate Sysinternals executable, leading to the execution of arbitrary code under the user's privileges. A real-world example demonstrated that an attacker could deploy a Trojan via the Bginfo tool by loading a malicious DLL from a network directory. The vulnerability affects multiple Sysinternals applications, and a comprehensive list is available from the researcher. Microsoft has classified the issue as a "defense-in-depth" enhancement rather than a critical vulnerability, focusing on local execution rather than risks associated with network paths. As of December 2024, the vulnerability remains unpatched, prompting users to take precautionary steps such as avoiding running tools from network locations and verifying DLL integrity.

Winsage

October 31, 2024

New Windows Theme Zero-Day Vulnerability Let Attackers Steal Credentials

Security researchers at Acros have identified a new zero-day vulnerability (CVE-2024-38030) related to Windows theme files that can lead to the potential exposure of NTLM credentials. This vulnerability affects multiple Windows platforms, including Windows 11 (version 24H2). The issue arises when a theme file specifies a network file path for certain properties, causing Windows to send authenticated network requests to remote hosts, which can result in credential leaks if a malicious theme file is used. Microsoft issued a patch for an earlier related vulnerability (CVE-2024-21320), but researchers found it insufficient for systems that had stopped receiving updates. A more comprehensive patch has been developed by researchers to address all execution paths that could lead to credential leaks, and users of the micropatch service 0patch are currently protected against this vulnerability. The micropatches are available for all supported Windows versions and some legacy versions, specifically for Windows Workstation, and not for Windows Server.

Tech Optimizer

August 25, 2024

Week in review: PostgreSQL databases under attack, new Chrome zero-day actively exploited – Help Net Security

- PostgreSQL databases on Linux systems are being targeted by cryptojacking attacks due to inadequate security. - Cisco Talos has found vulnerabilities in Microsoft applications for macOS that could allow unauthorized access to microphones and cameras. - Google has fixed a zero-day vulnerability in Chrome, CVE-2024-7971, which was being actively exploited. - OpenCTI, an open-source cyber threat intelligence platform, has been launched to help organizations manage cyber threat data. - A compilation of cybersecurity job openings indicates a growing demand for professionals in the field. - A critical vulnerability in GitHub Enterprise Server, CVE-2024-6800, has been patched to prevent unauthorized access. - SolarWinds has released a patch for a critical flaw in its Web Help Desk solution following a previous fix for a code-injection vulnerability. - Hiya reported nearly 20 billion calls flagged as spam in the first half of 2024, with a rise in AI-driven scams. - Microsoft will implement mandatory multi-factor authentication for all Azure sign-ins. - North Korean hackers exploited a zero-day vulnerability in a Windows driver, CVE-2024-38193, to deploy a rootkit. - NGate malware has been identified, which uses NFC technology to steal funds from victims' payment cards on Android devices. - Many organizations face security vulnerabilities in APIs, particularly with exposed secrets. - Microchip Technology Incorporated experienced operational disruptions due to a cyberattack. - Experts are questioning the future of national data privacy legislation in the U.S. amid discussions on federal privacy laws. - Research indicates that fraudsters can exploit digital wallet apps to use stolen payment cards even after they are reported compromised. - x64dbg is gaining popularity among security professionals for malware analysis and reverse engineering. - Current vulnerability management approaches focus on risk prioritization as a starting point for security strategy. - Building a positive cybersecurity culture within organizations is essential for risk reduction and resilience. - Higher education institutions are exploring ways to enhance cybersecurity measures despite resource constraints. - A new phishing campaign targeting Android and iPhone users has been uncovered by ESET researchers. - Organizations are recognizing the importance of managing enterprise data to improve cybersecurity, despite challenges from siloed systems. - The federal government is focusing on food security as a critical infrastructure issue. - Organizations are adopting biometric solutions to counter the risks posed by deepfake technology. - New information security products have been released by companies including Entrust, Fortanix, McAfee, Own, RightCrowd, and Wallarm.

AppWizard

August 2, 2024

New Android malware drains your bank accounts and completely wipes your device — how to stay safe

A new strain of Android malware called BingoMod has been discovered by Cleafy, which targets users' bank accounts and can wipe devices clean after compromising them. It spreads through phishing messages disguised as legitimate Android security software, often using familiar icons to deceive users into downloading malicious applications. Once installed, BingoMod requests permissions for Android's Accessibility Service, allowing it to steal login credentials, capture screenshots, and intercept text messages. It can bypass traditional anti-fraud measures by manipulating the victim's device directly. The malware can also uninstall antivirus applications, evade detection through advanced techniques, and remotely wipe device data if registered as a device admin app. Currently, it appears to target English, Romanian, and Italian-speaking Android users. Users are advised to avoid engaging with phishing messages to protect themselves from this threat.