> Blog

AnMaXX, Gerber EDV and the Qrypter Connection

Published on 9th April 2018, 10:03:17 UTC

In August 2017, I've blogged about Adwind, a cross-platform RAT written in Java that is also known as "jRAT" and "JSocket". The main infection vector for Adwind is via spoofed email. The attacker doesn't have to care about the recipients operating system (OS): Adwind works on Windows, macOS and Linux. Recently, security researchers and AV vendors have published a handful interesting blog posts on Adwind. The recent uprise in Adwind campaigns seems to be related to Qrypter: a Malware-as-a-Service (MaaS) platform @Angelill0 blogged about in December 2017. The Qrypter MaaS platform is hosted in the Tor network, which makes it more resilient against takedowns and actions from law enforcement (LEA). [read on]


Cybercriminals taking advantage of Cryptocurrency Boom

Published on 8th January 2018, 11:55:29 UTC

It is fair to say that 2017 was the year of cryptocurrencies. In 2017, many cryptocurrencies went through the roof. Let's take Bitcoin (BTC) as an example: 1.0 BTC got traded for about 1,000 USD in beginning of 2017. In December 2017, one Bitcoin was more than 18,000 USD worth. An increase of 1800%! It was a very successful year for traders speculating on cryptocurrencies, and even more for cybercriminals: Cryptocurrencies like Bitcoin are the #1 means of payment when it comes to extortions. In the past years, the amount of extortions in cyberspace has grown rapidly. The most popular (and likely most easiest) way to extort money from not only random internet users but also small and medium businesses (like webshops) is DDoS extortion (DD4BC, Armada collective, you name it) and Ransomware (Crypt0L0cker, Locky, Cerber etc). Many of them demand Bitcoins as a ransom. [read on]


.bit - The next Generation of Bulletproof Hosting

Published on 25th Sptember 2017, 04:50:29 UTC

To control infected computers (so called bots), cybercriminals often use domain names for hosting their botnet Command&Control infrastructure (C&C). One of the advantages for botnet operators using domain names for botnet C&C hosting is that the A record (IP address) of the domain name can easily be changed in the case when the IP address where the botnet C&am;C is hosted gets disconnected or shut-down (for example as a result of an abuse complaint sent to the associated hosting provider). Another advantage is the fact that the Top-level domains (TLDs) where a domain name resides in are being maintained by the Internet Corporation for Assigned Names and Numbers (ICANN) which is more or less independent from governments. While ICANN is responsible for the governance of the domain names and e.g. publishes rules for registires and registrars how to operate and manage TLDs and domain names, ICANN can't take action against domain names. [read on]


Adwind: A cross-plattform RAT

Published on 28th August 2017, 09:49:00 UTC

Adwind (also known as "jRAT" and "JSocket") is a remote access tool (RAT) written in Java. The use of Java makes Adwind to a powerful cross-plattform malware: It does not only infected Systems running the Windows operating system but also macOS, Linux and meanwhile also Android. However, Java must be installed on the victims device. While Java is usually not pre-installed on Windows, macOS or Linux, Java is a very popular programming language in many corporates. If you look at small- and medium enterprises, you will have a hard time to not find at least one Java based application in any corporate network. As a result of that, it is fair to say that Java is installed on most of the corporate computers world wide. According to Oracle (the company who maintains Java), Java is installed on more than 3 Billion devices, including ATMs. In short: a wonderful target for malware. [read on]