Category: threat analysis

Acronym: M is for Malware

A malware researcher known as Antelox recently tweeted about an unknown malware sample that caught our eye. Upon further investigation, it is a modular malware known as Acronym and could possibly be associated with the Win32/Potao malware family and the Operation Potao Express campaign. This […]

Read more

Flokibot Invades PoS: Trouble in Brazil

Introduction Threat actors salivate at the thought of an increased volume of credit and debit card transactions flowing through endpoints they have compromised with card-stealing malware. While there are many distinct malware families that scrape unencrypted process memory to obtain cards, some of these malware […]

Read more

Dismantling a Nuclear Bot

A recent tweet mentioned that a new banking malware called “Nuclear Bot” has started to appear for sale on underground marketplaces. Its price starts around $2500 which is more than double the price of another recent entry to the market. This post dismantles a sample […]

Read more

FlokiBot: A Flock of Bots?

In early October, Flashpoint released an analysis of an underground forum advertisement for a new malware family known as FlokiBot. It took some time before a sample was found in the wild, but a researcher known as hasherezade flagged one on VirusTotal in early November. […]

Read more

TrickBot Banker Insights

A new banking trojan, TrickBot, has seemingly risen from the ashes left behind by the November 2015 takedown of Dyreza/Dyre infrastructure and the arrests of threat actors identified by Russian authorities. Dyreza was used to target customers of over 1000 U.S. and U.K. banks and other […]

Read more

The Great DGA of Sphinx

This post takes a quick look at Sphinx’s domain generation algorithm (DGA). Sphinx, another Zeus-based banking trojan variant, has been around circa August 2015. The DGA domains are used as a backup mechanism for when the primary hardcoded command and control (C2) servers go down. […]

Read more