The Zscaler ThreatLabZ team is continually hunting new threats, analyzing them, and sharing their findings in blogs and reports on the Zscaler site. What follows are the most read and shared blogs of 2018.
Android apps infected with Windows malware reemerge
By Gaurav Shinde
This blog explores apps available on Google Play that were infected with malicious iFrames. Though the malware posed no immediate threat to users, its discovery highlights the fact that infections can be propagated across different platforms. This vector can be leveraged by a clever attacker to serve second-level malicious payloads, depending on the type of device platform visiting the URL. Read more.
Fake Fortnite apps scamming and spying on Android gamers
By Viral Gandhi
Fortnite is a co-op sandbox survival game and, at the time of the ThreatLabZ report, had 45 million players and more than three million concurrent users. In 2018, its maker, Epic Games, announced a version for iOS. Malware authors, knowing that Android users would be anxious to get Fortnite, created fake Fortnite for Android apps to spread their payloads, including spyware, a coin miner, and some unwanted apps. Read more.
CVE-2017-8570 and CVE-2018-0802 exploits being used to spread LokiBot
By Mohd Sadique
This blog provides an overview of malicious RTF documents that use exploits for the CVE-2017-8570 and CVE-2018-0802 vulnerabilities to install malicious payloads on victims’ machines. The team shares its analysis of a campaign leveraging these two exploits to deliver LokiBot. Read more.
The latest cloud hosting service to serve malware
Cloud services are under attack because they enable bad actors to open inexpensive hosting accounts for hiding malicious content in the cloud-based domains of well-known brands. The ThreatLabZ team discovered that a popular managed cloud hosting service provider has been serving phishing attacks and other malware in the wild as far back as February 2018. Read more.
Meltdown and Spectre vulnerabilities: What you need to know
By Deepen Desai
By allowing attackers to gain unauthorized access to sensitive information in system memory, Meltdown and Spectre represent a new class of microarchitectural attacks that abuse processor performance optimization features to circumvent built-in security mechanisms. This blog provides an analysis of the vulnerabilities as well as mitigation information. Read more.
Cryptominers and stealers – malware edition
By Atinderpal Singh and Rajdeepsinh Dodia
Due to their decentralized nature, cryptocurrencies are impossible to control or censor by any single authority—and that makes them attractive to cybercriminals. With more than 4,000 cryptocurrencies on the market rising in both value and popularity, we’ve seen a rise in the use of malware that targets bitcoins or altcoins for financial gain. This blog provides insight into various cryptominers and stealer variants. Read more.
By Nirmal Singh
Following on its report about cryptomining and wallet stealing techniques, this blog provides a technical analysis of yet another type of cryptominer malware that uses a bootkit and other kernel-level shellcode for persistence. Read more.
Spam campaigns leveraging .tk domains
By Mohd Sadique
ThreatLabZ identified a campaign using the “.tk” top-level domain, which started with compromised sites that redirect users to either fake blog sites to generate ad revenue or fake tech support sites that claim to remove viruses. We estimated at the time that at least USD 20K per month in revenue was being generated from the fraudulent ad activities alone. Read more.
Magecart campaign remains active
By Rubin Azad
Magecart is a notorious hacker group that has been responsible for large-scale attacks on the e-commerce sites of well-known brands. In this blog, we examine the campaign’s recent activity and its methods for skimming credit and debit card information for financial gain. Read more.
Ubiquitous SEO poisoning URLs
By Jim Wang
SEO poisoning is an attack method that involves creating web pages packed with trending keywords in an effort to get a higher ranking in search results. SEO poisoning is also a way to redirect users to unwanted applications, phishing, exploit kits and malware, porn, advertisements, and so on. This blog includes examples and analysis of the techniques in use. Read more.