malware analysis Archives

Tech Optimizer

June 2, 2025

Hackers Allegedly Selling Windows Crypter Claims Bypass of All Antiviruses

Underground cybercriminal forums are seeing an increase in advanced malware tools, including a Windows crypter that claims to bypass major antivirus solutions. This crypter is marketed as fully activated and capable of achieving Full Undetectable (FUD) status against contemporary antivirus engines. It employs advanced obfuscation techniques to evade detection, including code injection methods, entropy manipulation, and anti-debugging features. The tool allows for granular control over obfuscation parameters, enabling customization for specific target environments. The rise of such sophisticated evasion tools poses challenges for traditional endpoint security, making organizations vulnerable if they rely solely on signature-based antivirus solutions. To defend against these threats, organizations should adopt multi-layered security architectures, including behavioral analysis and endpoint detection and response (EDR) solutions.

Tech Optimizer

May 28, 2025

Hackers Mimic Popular Antivirus Site to Deliver VenomRAT & Steal Finance Data

Cybercriminals are executing a sophisticated malware campaign through a counterfeit Bitdefender antivirus website, specifically the domain “bitdefender-download[.]co,” which mimics the legitimate site. This fraudulent site distributes three types of malware: VenomRAT, StormKitty, and SilentTrinity, aimed at stealing financial data and maintaining persistent access to victims’ computers. When users click the “Download For Windows” button, they inadvertently download a ZIP file containing these malicious programs. VenomRAT acts as a remote access tool, allowing attackers to steal files, cryptocurrency wallets, and browser data, including credit card information. StormKitty quickly harvests sensitive credentials, while SilentTrinity provides stealthy long-term access for further exploitation. The fake Bitdefender site is linked to other malicious domains impersonating banks, indicating a coordinated phishing operation. The attackers utilize the same command and control infrastructure, with the IP address 67.217.228.160:4449 identified as a connection point. Bitdefender is working to take down the fraudulent site, and Google Chrome has begun flagging the link as malicious. Security experts recommend verifying website authenticity and downloading software only from official sources.

Tech Optimizer

May 21, 2025

Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer

Microsoft has monitored Lumma Stealer, an infostealer malware used by financially motivated threat actors. Lumma Stealer, also known as LummaC2, functions as a malware-as-a-service (MaaS) solution that extracts data from browsers and applications, including cryptocurrency wallets. The entity behind Lumma is identified as Storm-2477, which maintains the malware and its command-and-control (C2) infrastructure. Affiliates can create malware binaries and manage C2 communications through a panel provided by Storm-2477. Ransomware groups have integrated Lumma Stealer into their operations. Lumma Stealer employs various delivery techniques, including phishing emails, malvertising, drive-by downloads, Trojanized applications, and abuse of legitimate services. Specific campaigns have been identified, such as one in April 2025 that used EtherHiding and ClickFix techniques to deliver Lumma Stealer via compromised websites. Another campaign on April 7, 2025, targeted Canadian organizations with emails containing invoice lures that led to malicious downloads. The malware is developed using C++ and ASM, employing advanced obfuscation techniques to evade detection. It can extract a wide range of user data, including browser credentials, cryptocurrency wallet information, and user documents. Lumma Stealer maintains a robust C2 infrastructure with multiple hardcoded and fallback C2 servers, utilizing encryption methods to secure communications. Microsoft's Digital Crimes Unit has disrupted Lumma Stealer's infrastructure by blocking approximately 2,300 malicious domains. Recommendations to mitigate the impact of Lumma Stealer include strengthening Microsoft Defender configurations, implementing multifactor authentication, and utilizing phishing-resistant authentication methods. Microsoft Defender products can detect and block activities associated with Lumma Stealer, providing alerts and insights for incident response.

Tech Optimizer

May 5, 2025

VIPRE Advanced Security Awarded Highest Ranking in AV-Comparatives’ Malware Protection Test 2025

VIPRE® Advanced Security received the Advanced+ award from AV-Comparatives in the March 2025 Malware Protection Test for its effectiveness against cyber threats. The test evaluated 19 security products using 10,030 malware samples on a Windows 11 system, focusing on both online and offline threats. VIPRE achieved a 98.7% detection rate in all scenarios, a 99.93% overall protection rate during execution testing, and had one of the lowest false positive counts among the products tested. VIPRE's security solutions are integrated into other Ziff Davis products, enhancing their protection capabilities. VIPRE is a subsidiary of Ziff Davis, Inc., specializing in cybersecurity solutions with over 25 years of experience.

Tech Optimizer

April 22, 2025

VIPRE Security Crushes Competition with 99.93% Protection Rate in Latest Test

VIPRE® Advanced Security received the Advanced+ distinction from AV-Comparatives in their March 2025 Malware Protection Test, demonstrating strong capabilities against cyber threats. The test evaluated 19 security products using 10,030 malware samples and included both online and offline scenarios. VIPRE achieved a 98.7% detection rate and a 99.93% overall protection rate during execution testing, with one of the lowest false positive counts among the products tested. VIPRE's security solutions also enhance other Ziff Davis consumer security products, utilizing its threat intelligence cloud to block malicious sites and improve overall protection.

Tech Optimizer

April 22, 2025

VIPRE Security Crushes Competition with 99.93% Protection Rate in Latest Test

VIPRE® Advanced Security received the Advanced+ distinction from AV-Comparatives in their March 2025 Malware Protection Test for its exceptional performance in detecting and preventing malware threats. The test evaluated 19 security products using 10,030 malware samples on a Windows 11 system, focusing on both online and offline threats. VIPRE achieved a 98.7% detection rate in all scenarios, a 99.93% overall protection rate during execution testing, and had one of the lowest false positive counts. VIPRE's security features also enhance other Ziff Davis products, utilizing its threat intelligence cloud to improve protection across various platforms. VIPRE is a subsidiary of Ziff Davis, Inc., and has over 25 years of experience in cybersecurity solutions.

Tech Optimizer

March 20, 2025

Dangerous new password-stealing trojan automatically reinstalls itself on infected PCs

Microsoft Incident Response has identified a new remote access trojan (RAT) called StilachiRAT, which extracts sensitive information from infected computers, including passwords, cryptocurrency wallet details, operating system specifications, and device identifiers. StilachiRAT has a self-reinstatement mechanism that allows it to reinstall itself if removed. It targets digital wallets from platforms like Coinbase Wallet, Phantom, Trust Wallet, Metamask, OKX Wallet, and Bitget Wallet. The malware can harvest credentials from web browsers, monitor clipboard data, gather system information, detect camera presence, and track active Remote Desktop Protocol (RDP) sessions. It can extract credentials from Google Chrome, monitor clipboard activity, and maintain its presence using the Windows service control manager. StilachiRAT can impersonate users to monitor RDP sessions and employs anti-forensics mechanisms to evade detection. Discovered in November of the previous year, it has not yet achieved widespread distribution. Microsoft advises users to download software from official websites, use robust security software, install reputable antivirus, be vigilant against phishing attacks, avoid clicking on unexpected links, and consider using a VPN and password manager for enhanced security.

Winsage

February 18, 2025

Earth Preta APT Exploit Microsoft Utility Tool to Control Windows

Researchers from Trend Micro's Threat Hunting team have identified a cyberattack campaign by the APT group Earth Preta, targeting government entities in the Asia-Pacific region, including Taiwan, Vietnam, Malaysia, and Thailand. The group uses spear-phishing emails and advanced malware to compromise Windows systems, notably employing the Microsoft Application Virtualization Injector (MAVInject.exe) to inject malicious payloads into legitimate processes. The attack typically begins with a malicious file, IRSetup.exe, which drops both legitimate and malicious files onto the system, often accompanied by a decoy PDF posing as an official document. Earth Preta utilizes a modified variant of the TONESHELL backdoor malware, sideloaded using OriginLegacyCLI.exe and a malicious DLL, EACore.dll. This malware communicates with a command-and-control server for data exfiltration and remote operations, offering capabilities such as reverse shell access, file deletion, and persistent storage of victim identifiers. The malware adapts its behavior based on the presence of ESET antivirus software, using different techniques for code injection. Trend Micro attributes this campaign to Earth Preta with medium confidence, noting that the group has compromised over 200 victims since at least 2022, primarily focusing on government entities and using phishing as the initial attack vector.

AppWizard

February 7, 2025

Google is ramping up Android security protection with new Android app safety tools

Google's Android Security and Privacy Team has partnered with Mandiant FLARE to enhance the capa open source binary analysis tool, which analyzes ARM ELF files used in Android malware. The integration of Gemini AI into this toolset aims to improve malware analysis and decision-making. A case study demonstrated the detection of an illegal gambling app disguised as a music app that used various anti-analysis techniques. By employing static analysis with capa, Google was able to identify and remove the app from the Google Play Store. New rules have been developed for capa to detect Android-specific malware behaviors, such as ptrace API calls and code downloading and decrypting methods. The incorporation of Gemini AI aids analysts by summarizing flagged functions and assessing risk levels, thereby accelerating malware detection and rule formulation.

Winsage

February 5, 2025

0-Day Vulnerabilities in Microsoft Sysinternals Tools Allow Attackers To Launch DLL Injection Attacks on Windows

A critical 0-Day vulnerability has been identified in Microsoft Sysinternals tools, allowing attackers to exploit DLL injection techniques to execute harmful code. This vulnerability has been verified and remains unresolved despite being disclosed to Microsoft over 90 days ago. The Sysinternals tools, including Process Explorer, Autoruns, and Bginfo, are widely used for system analysis and troubleshooting but lack integration with the Windows Update system, requiring manual management of security patches. The vulnerability stems from how Sysinternals tools load DLL files, prioritizing untrusted paths over secure system directories. Attackers can place a malicious DLL in the same directory as a legitimate Sysinternals executable, leading to the execution of arbitrary code under the user's privileges. A real-world example demonstrated that an attacker could deploy a Trojan via the Bginfo tool by loading a malicious DLL from a network directory. The vulnerability affects multiple Sysinternals applications, and a comprehensive list is available from the researcher. Microsoft has classified the issue as a "defense-in-depth" enhancement rather than a critical vulnerability, focusing on local execution rather than risks associated with network paths. As of December 2024, the vulnerability remains unpatched, prompting users to take precautionary steps such as avoiding running tools from network locations and verifying DLL integrity.