VB Blog

VB2020 update - currently business as usual

Posted by   Virus Bulletin on   Mar 16, 2020

Here at VB we are keeping a close eye on the global situation regarding the COVID-19 outbreak and the various travel restrictions and health advice, but in the meantime planning and arrangements for VB2020 are going ahead as usual, including the selection of papers.

Read more  

VB2019 paper: Defeating APT10 compiler-level obfuscations

Posted by   Virus Bulletin on   Mar 13, 2020

At VB2019 in London, Carbon Black researcher Takahiro Haruyama presented a paper on defeating compiler-level obfuscations used by the APT10 group. Today we publish both Takahiro's paper and the recording of his presentation.

Read more  

VB2019 paper: Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers

Posted by   Virus Bulletin on   Mar 12, 2020

At VB2019 in London Michael Raggi (Proofpoint) and Ghareeb Saad (Anomali) presented a paper on the 'Royal Road' exploit builder (or weaponizer) and how the properties of RTF files can be used to track weaponizers and their users. Today we publish both their paper and the recording of their presentation.

Read more  

VB2019 presentation: Nexus between OT and IT threat intelligence

Posted by   Virus Bulletin on   Mar 11, 2020

Operational technology, the mission critical IT in ICS, shares many similarities with traditional IT systems, but also some crucial differences. During the Threat Intelligence Practitioners’ Summit at VB2019, Dragos cyber threat intelligence analyst Selena Larson gave a keynote on these similarities and differences. Today we release the recording of her presentation.

Read more  

VB2019 paper: Kimsuky group: tracking the king of the spear-phishing

Posted by   Virus Bulletin on   Mar 10, 2020

In a paper presented at VB2019 in London, researchers fron the Financial Security Institute detailed the tools and activities used by the APT group 'Kimsuky', some of which they were able to analyse through OpSec failures by the group. Today, we publish their paper.

Read more  

VB2019 paper: Play fuzzing machine - hunting iOS and macOS kernel vulnerabilities automatically and smartly

Posted by   Virus Bulletin on   Mar 9, 2020

In a paper presented at VB2019 in London, Trend Micro researchers Lilang Wu and Moony Li explained how the hunt for vulnerabilities in MacOS and iOS operating systems can be made both smarter and more automatic. Today we publish both their paper and the recording of their presentation.

Read more  

VB2019 paper: Finding drive-by rookies using an automated active observation platform

Posted by   Virus Bulletin on   Mar 6, 2020

In a last-minute paper presented at VB2019 in London, Rintaro Koike (NTT Security) and Yosuke Chubachi (Active Defense Institute, Ltd) discussed the platform they have built to automatically detect and analyse exploit kits. Today we publish the recording of their presentation.

Read more  

VB2019 paper: Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation state adversary

Posted by   Virus Bulletin on   Feb 28, 2020

The activities of China-based threat actor PKPLUG were detailed in a VB2019 paper by Palo Alto Networks researcher Alex Hinchliffe, who described the playbook of this long-standing adversary. Today we publish both Alex's paper and the recording of his presentation.

Read more  

VB2019 paper: Static analysis methods for detection of Microsoft Office exploits

Posted by   Virus Bulletin on   Feb 25, 2020

Today we publish the VB2019 paper and presentation by McAfee researcher Chintan Shah in which he described static analysis methods for the detection of Microsoft Office exploits.

Read more  

New paper: LokiBot: dissecting the C&C panel deployments

Posted by   Helen Martin on   Feb 17, 2020

First advertised as an information stealer and keylogger when it appeared in underground forums in 2015, LokiBot has added various capabilities over the years and has affected many users worldwide. In a new paper researcher Aditya Sood analyses the URL structure of the LokiBot C&C panels and how they have evolved over time.

Read more  
Previous1234567...215Next

Search blog

Emotet continues to bypass many email security products

Having returned from a summer hiatus, Emotet is back targeting inboxes and, as seen in the VBSpam test lab, doing a better job than most other malicious campaigns at bypassing email security products.
Emails with a malicious link or attachment form only a small minority of the spam that is sent every day. If it appears that such emails are more common than that, it is not just… https://www.virusbulletin.com/blog/2019/11/emotet-continues-bypass-many-email-security-products/

Stalkerware poses particular challenges to anti-virus products

Malware used in domestic abuse situations is a growing threat, and the standard way for anti-virus products to handle such malware may not be good enough. But that doesn't mean there isn't an important role for anti-virus to play.
Did you know that October has been Cyber Security Awareness Month? Of course you did ─ it has been pretty hard to avoid it. But did you know that it has also, at least in the… https://www.virusbulletin.com/blog/2019/10/stalkerware-poses-particular-challenges-anti-virus-products/

New Emotet spam campaign continues to bypass email security products

On Monday, the infamous Emotet malware resumed its spam campaign to spread the latest version of the malware. As before, the malware successfully bypasses many email security products.
Following the resumption of activity by Emotet's C&C servers in August, it was only a matter of time before the botnet started sending out spam again. This did indeed happen on… https://www.virusbulletin.com/blog/2019/09/new-emotet-spam-campaign-continues-bypass-email-security-products/

The malspam security products miss: Emotet, Ursnif, and a spammer's blunder

The set-up of the VBSpam test lab gives us a unique insight into the kinds of emails that are more likely to bypass email filters. This week we look at the malspam that was missed: a very international email with a link serving Emotet, an Italian Ursnif c…
This blog post was put together in collaboration with VB test engineers Adrian Luca and Ionuţ Răileanu. Virus Bulletin uses email feeds provided by Abusix and Project Honey Pot.… https://www.virusbulletin.com/blog/2019/02/malspam-security-products-miss-emotet-ursnif-and-spammers-blunder/

From Amazon to Emotet: a look at those phishing and malware emails that bypassed email security products

We see a lot of spam in the VBSpam test lab, and we also see how well such emails are being blocked by email security products. Recently some of the emails that bypassed security products included a broken Amazon phishing campaign, a large fake UPS campai…
This blog post was put together in collaboration with VB test engineers Adrian Luca and Ionuţ Răileanu. On this blog, we regularly look at those phishing and malware emails… https://www.virusbulletin.com/blog/2019/02/amazon-ups-emotet-formbook-and-lokibot-look-those-phishing-and-malware-emails-bypassed-email-security-products/

From HSBC to product descriptions: the malicious emails bypassing your filters

Using data from our VBSpam lab, we looked at the malicious emails that have been missed recently by a large number of email security products.
Over a one-week period earlier this month, the average email with a malicious attachment was almost three times as likely to bypass email security products than a spam email… https://www.virusbulletin.com/blog/2019/01/hsbc-product-descriptions-malicious-emails-bypassing-your-filters/

VB2018 paper: Inside Formbook infostealer

The Formbook information-stealing trojan may not be APT-grade malware, but its continuing spread means it can still be effective. At VB2018 in Montreal, Gabriela Nicolao, a researcher from Deloitte in Argentina, presented a short paper in which she looked…
The Formbook information-stealing trojan has been spread by a number of recent spam campaigns. The malware was advertised in hacking forums as long ago as January 2016, but wasn't… https://www.virusbulletin.com/blog/2019/01/vb2018-paper-inside-formbook-infostealer/

VB2018 paper: From Hacking Team to hacked team to…?

Today we publish the VB2018 paper and video by ESET researcher Filip Kafka, who looked at the new malware by Hacking Team, after the company had recovered from the 2015 breach.
It is good practice not to mock or laugh at hacking victims. But when the victim is a company that itself is in the business of hacking and has a habit of selling its products and… https://www.virusbulletin.com/blog/2019/01/vb2018-paper-hacking-team-hacked-team/

The spam that is hardest to block is often the most damaging

We see a lot of spam in the VBSpam test lab, and we also see how well such emails are being blocked by email security products. Worryingly, it is often the emails with a malicious attachment or a phishing link that are most likely to be missed.
This blog post was put together in collaboration with VB test engineers Adrian Luca and Ionuţ Răileanu. In a talk I gave at IRISSCON last year (the video of which you will find… https://www.virusbulletin.com/blog/2019/01/spam-hardest-block-often-most-damaging/

VB2018 paper: Unpacking the packed unpacker: reversing an Android anti-analysis library

Today, we publish a VB2018 paper by Google researcher Maddie Stone in which she looks at one of the most interesting anti-analysis native libraries in the Android ecosystem. We also release the recording of Maddie's presentation.
Though still relatively new (the first VB conference paper on Android malware was presented in 2011), malware targeting the Android mobile operating system has evolved quickly, in… https://www.virusbulletin.com/blog/2019/01/vb2018-paper-unpacking-packed-unpacker-reversing-android-anti-analysis-library/

VB2018 preview: Anatomy of an attack: detecting and defeating CRASHOVERRIDE

In today's blog post, we preview the VB2018 paper by Dragos Inc.'s Joe Slowik, who looks at the CRASHOVERRIDE malware, the first (publicly known) malware designed to impact electric grid operations.
One of the many highlights of last year's Virus Bulletin Conference was a last-minute paper by ESET researchers Anton Cherepanov and Robert Lipovsky on Industroyer, 'the first… https://www.virusbulletin.com/blog/2018/09/vb2018-preview-anatomy-attack-detecting-and-defeating-crashoverride/

VB2017 video: Client Maximus raises the bar

At VB2017, IBM Trusteer researcher Omer Agmon, presented a 'last-minute' paper in which he analysed the Client Maximum trojan, which targets Brazilian users of online banking. Today, we release the recording of his presentation.
Brazil has long been known as a hotbed of cybercrime, but what makes the country especially unique is that a lot of this cybercrime is inwards-focused. Thus there are many malware… https://www.virusbulletin.com/blog/2018/08/vb2017-video-client-maximus-raises-bar/

Malware authors' continued use of stolen certificates isn't all bad news

A new malware campaign that uses two stolen code-signing certificates shows that such certificates continue to be popular among malware authors. But there is a positive side to malware authors' use of stolen certificates.
A malware campaign has been using code-signing certificates stolen from Taiwanese companies to sign its samples, ESET researcher and regular VB conference speaker Anton Cherepanov… https://www.virusbulletin.com/blog/2018/07/malware-authors-continued-use-stolen-certificates-not-only-bad-news/

.SettingContent-ms files remind us that it is features, not bugs we should be most concerned about

Security researcher Matt Nelson has discovered how .SettingContent-ms files can be embedded into Office files to deliver malware.
One of the most significant developments in the threat landscape in recent years has been the return of malicious Office macros, their resurgence having started four years ago.… https://www.virusbulletin.com/blog/2018/07/settingcontent-ms-files-remind-us-it-features-not-bugs-we-should-be-most-concerned-about/

XMRig used in new macOS cryptominer

A new piece of cryptocurrency-mining malware on macOS has been found to use the popular XMRig miner.
Users complaining on Apple's official discussion forum about processes that use a lot of CPU have led to the discovery of a new piece of cryptocurrency-mining malware on macOS… https://www.virusbulletin.com/blog/2018/05/xmrig-used-new-macos-cryptominer/

GravityRAT malware takes your system's temperature

The GravityRAT malware, discovered by Cisco Talos researchers, gives some interesting insight into modern malware development.
Cisco Talos researchers Warren Mercer and Paul Rascagnères recently discovered and analysed 'GravityRAT', an advanced Remote Access Trojan (RAT) that appears to have been used in… https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/

Using Mailchimp makes malware campaigns a little bit more successful

In recent months, some malicious spam campaigns have been spreading via the systems of Mailchimp, a well-known email service provider - a tactic which may give the campaigns a slightly higher success rate.
Sending one email is easy. Sending thousands or millions of emails is hard: one effect of the anti-spam infrastructure we have collectively built is that the process of sending… https://www.virusbulletin.com/blog/2018/03/using-mailchimp-makes-malware-campaigns-little-bit-more-successful/

We need to continue the debate on the ethics and perils of publishing security research

An article by security researcher Collin Anderson reopens the debate on whether publishing threat analyses is always in the public interest.
At VB2015 in Prague, Juan Andrés Guerro-Saade, then of Kaspersky Lab, presented an important paper on the transformation of security researchers into intelligence brokers and how… https://www.virusbulletin.com/blog/2018/02/we-need-continue-debate-ethics-and-perils-publishing-security-research/

There is no evidence in-the-wild malware is using Meltdown or Spectre

Reports of malware using the Meltdown or Spectre attacks are likely based on proof-of-concept code rather than files written for a malicious purpose.
Almost a month after the Meltdown and Spectre attacks against various CPUs were discovered and revealed to the public, there have been reports of the existence of malware that… https://www.virusbulletin.com/blog/2018/02/there-no-evidence-wild-malware-using-meltdown-or-spectre/

Alleged author of creepy FruitFly macOS malware arrested

A 28-year old man from Ohio has been arrested on suspicion of having created the mysterious FruitFly malware that targeted macOS and used it to spy on its victims.
It is almost a year since the mysterious FruitFly malware for macOS was discovered. Malware targeting macOS is still uncommon enough to be newsworthy, but FruitFly seemed… https://www.virusbulletin.com/blog/2018/01/alleged-author-creepy-fruitfly-macos-malware-arrested/

« Previous 1234567 Next »

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.