The PhishLabs Blog

Smoke Loader Adds Additional Obfuscation Methods to Mitigate Analysis

Posted by Jason Davison, Threat Analyst on Aug 4, '17

Sample Analyzed:

Topics: Malware, Smoke Loader

How Modern Banking Trojans Obstruct Malware Analysis

Posted by King Salemno on Oct 20, '16

Note to readers: PhishLabs will be represented by Paul Black at MalCon 2016 in Puerto Rico from October 18-21. At MalCon 2016, Paul will review the evolution of malware targeted at banks and financial institutions, reviewing notable trending data and methods to combat them. Contact PhishLabs for ongoing concern, questions and a deeper dive into the latest remediation techniques.

The cat and mouse game between malware researchers and threat actors operating banking Trojans began with the creation and propagation of the Zeus banking trojan in 2007. Since Zeus’s release, the number of banking trojans has increased continually, yet the anti-analysis mechanisms used by cybercriminals to obstruct researchers appear to have plateaued.


Topics: Malware, Banking Trojan, Malware Analysis, R.A.I.D.

Hurricane Matthew Cyber Scams

Posted by John LaCour on Oct 8, '16

PhishLabs is investigating multiple online scams involving news about Hurricane Matthew. Some of these scams are using news of the hurricane to distribute malware via email attachments and malicious links. Other scams are posing as charities and are requesting relief donations. Individuals should be on high alert and be suspicious of any online communication that mentions Hurricane Matthew.


Topics: Phishing, Malware, Hurricane Matthew

When Good Websites Turn Evil: How Cybercriminals Exploit File Upload Features to Host Phishing Sites

Posted by Amanda Kline on Aug 25, '16

Compromised websites are an integral part of the cybercrime ecosystem. Cybercriminals use them to host a wide range of malicious content, including phishing sites, exploit kits, redirects to other malicious sites, and other tools needed to carry out attacks. Why? One reason is that there is an abundance of insecure websites around the world that can be easily compromised. Another is that legitimate sites that have only recently been compromised are less likely to be blacklisted by internet browsers and other security measures.

Topics: Phishing, Malware, GIF89a, whitelisting

Marcher Android Malware Increases its Geographic Reach

Posted by Joshua Shilko on Jun 23, '16

Earlier this year, PhishLabs wrote an in-depth analysis on Marcher, an Android Banking Trojan which is available for purchase as a kit on underground marketplaces. Marcher runs in the background on an infected device and monitors its operation to detect the launch of specific applications or websites. When a targeted application or site is opened, Marcher overlays the screen with a customized phishing site which mimics the look and feel of the targeted institution. Recent samples of Marcher have demonstrated an increase in total number of targeted institutions as well as a spread to additional geographic locations.


Topics: Malware, Android, marcher

Olympic Vision Keylogger and BEC Scams

Posted by Eris Maelstrom on May 24, '16

During a recent analysis of a business email compromise (BEC) scam, we observed a lure attempting to install the Olympic Vision Keylogger. Further research determined that this keylogger and the accompanying Olympic Vision Crypter were used in a larger campaign, targeting multiple organizations using a variety of different lures, including invoice lures and shipment confirmation lures. This campaign appears to be originating out of South Africa, utilizing both maliciously registered free domains as well as compromised domains.


Topics: Malware, Threat Analysis, Threat Intelligence, BEC, business email compromise

Technical Dive into a Hardened Phish Kit

Posted by King Salemno on Apr 5, '16

Many of the cybercriminals behind some of the most devastating cyber-attacks used phishing as the initial attack vector. At PhishLabs, we maintain a massive repository of phish kits that we continually analyze for intelligence about phishing tactics and techniques. The complexity and sophistication of these kits vary greatly.

Topics: Phishing, Malware, Phish Kit, Hacker Tools

Android.Trojan.Marcher - Conclusion

About Parts One and Two

This post concludes a three-part blog series analyzing "Marcher", malware that targets the Android platform. Read part one here and part two here. To round out the discussion, let's cover the network and host indicators associated with this trojan.

Topics: Phishing, Malware, Threat Intelligence, Android, Banking Trojan

Android.Trojan.Marcher - Part Two

About Part One

Last week I posted a blog analyzing "Marcher", malware targeting the Android platform. Designed to steal mobile banking app credentials from banking customers, it is one of the most prevalent Android password stealers seen in the wild. Read part one here.

Topics: Malware, Trojan, Android, Banking Trojan


Part 1 of 3

"Marcher" is malware targeting the Android platform. It is designed to steal mobile banking app credentials from customers of many different financial institutions. Distributed through a variety of means, it is one of the most prevalent Android password stealers seen in the wild, second only to Svpeng.


Topics: Malware, Trojan, Android


What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.
