Blog updated on 3 March 2023 to (i) remove a table containing data created on 09-01-23, more than one month earlier than publication of the original blog on 22-02-23 entitled ‘Backdoored ConnectWise R1Soft Server Backup Manager by Autonomous System Organization (Top 20 as of 2023-01-09)’; (ii) update a table containing data created on 09-01-23 entitled … Continue reading From Backup to Backdoor: Exploitation of CVE-2022-36537 in R1Soft Server Backup Manager
Tag: malware
Threat spotlight: Hydra
This publication is part of our Annual Threat Monitor report that was released on the 8th of February 2023. The Annual Threat Monitor report can be found here. Authored by Alberto Segura Introduction Hydra, also known as BianLian, has been one of the most active mobile banking malware families in 2022, alongside Sharkbot and Flubot … Continue reading Threat spotlight: Hydra
Sharkbot is back in Google Play
Authored by Alberto Segura (main author) and Mike Stokkel (co-author) Introduction After we discovered in February 2022 the SharkBotDropper in Google Play posing as a fake Android antivirus and cleaner, we have now detected a new version of this dropper active in Google Play and dropping a new version of Sharkbot. This new dropper doesn't … Continue reading Sharkbot is back in Google Play
Bokbot: The (re)birth of a banker
This blogpost is a follow-up to a presentation with the same name, given at SecurityFest in Sweden by Alfred Klason. Summary Bokbot (aka: IcedID) came to Fox-IT’s attention around the end of May 2017 when we identified an unknown sample in our lab that appeared to be a banker. This sample was also provided by … Continue reading Bokbot: The (re)birth of a banker
CryptoLocker ransomware intelligence report
In the beginning of September 2013, the CryptoLocker malware variant appeared in the wild, spread exclusively by the infamous P2P ZeuS (aka Gameover ZeuS) malware. CryptoLocker had a simple purpose: to act as ransomware, encrypting important files such as images and documents, and then asking the victim for money to unlock the files. Image source: … Continue reading CryptoLocker ransomware intelligence report
Malicious advertisements served via Yahoo
Detection of the infection Fox-IT operates the shared Security Operations Center service ProtACT. This service monitors the networks of our clients for malicious activity. On January 3 we detected and investigated the infection of clients after they visited yahoo.com. Infection Clients visiting yahoo.com received advertisements served by ads.yahoo.com. Some of the advertisements are malicious. Those … Continue reading Malicious advertisements served via Yahoo
Analysis of malicious advertisements on telegraaf.nl
Starting on Wed, 31 July 2013, 18:54:50 Fox-IT's monitoring system detected a redirect occurring on telegraaf.nl. It was another case of advertisement provider abuse. One of the advertisement providers loaded ads from an outside resource which returned an exploit kit named "FlimKit". After first being removed from telegraaf.nl a second exploit kit redirect … Continue reading Analysis of malicious advertisements on telegraaf.nl