Ramnit Goes on a Holiday Shopping Spree, Targeting Retailers and Banks

article / Jan 15, 2018 (MODIFIED: Jan 19, 2018)

by Doron Voolf

Ramnit’s latest twist includes targeting the most widely used web services during the holidays: online retailers, entertainment, banking, food delivery, and shipping sites.

A Spectre of Meltdowns Could be in Store for 2018, Including Fileless Malware Attacks and More Costly Bots

blog / Jan 10, 2018 (MODIFIED: Jan 15, 2018)

by Lori MacVittie

Every week another bug, vulnerability, or exploit is released - we need a multi-layered security strategy (beyond our standard patch “spin cycles”) to deal with threats like Spectre and Meltdown.

New Python-Based Crypto-Miner Botnet Flying Under the Radar

article / Jan 03, 2018 (MODIFIED: Jan 16, 2018)

by Maxim Zavodchik, Liron Segal, Aaron Brailsford

A new Python-based botnet that mines Monero spreads via SSH and leverages Pastebin to publish new C&C server addresses.

TrickBot Rapidly Expands its Targets in August, Shifting Focus to US Banks and Credit Card Companies

article / Sept 14, 2017 (MODIFIED: Oct 17, 2017)

by Sara Boddy, Jesse Smith, Doron Voolf

TrickBot kicked into high gear coming into August with the most targeted URLs since its launch. It released a new worm module, shifted its focus towards the US, and soared past the one thousand target URL mark in a single configuration.

TrickBot Focuses on Wealth Management Services from its Dyre Core

article / Jul 27, 2017 (MODIFIED: Sept 01, 2017)

by Sara Boddy, Jesse Smith, Doron Voolf

As TrickBot evolves, we examine version 24, which heavily targets Nordic financial institutions, and we take a close look at the Dyre–TrickBot connection.

TrickBot Expands Global Targets Beyond Banks and Payment Processors to CRMs

blog / Jun 15, 2017 (MODIFIED: Aug 01, 2017)

by Sara Boddy, Jesse Smith, Doron Voolf

TrickBot shows no signs of slowing down as new targets are added and command and control servers hide within web hosting providers’ networks.

From NSA Exploit to Widespread Ransomware: WannaCry is on the Loose

blog / May 12, 2017 (MODIFIED: Jul 24, 2017)

by Ray Pompon

The new EternalBlue NSA exploit is powering a wave of virulent ransomware sweeping across Europe.

Marcher Gets Close to Users by Targeting Mobile Banking, Android Apps, Social Media, and Email

article / Apr 07, 2017 (MODIFIED: Sept 11, 2017)

by Doron Voolf

Marcher targets focused on European, Australian, and Latin American banks, along with PayPal, eBay, Facebook, WhatsApp, Viber, Gmail, and Yahoo—all in the month of March.

From DDoS to Server Ransomware: APACHE STRUTS 2 - CVE-2017-5638 Campaign

article / Mar 27, 2017 (MODIFIED: Jul 24, 2017)

by Maxim Zavodchik, Julia Karpin, Ilya Chernyakov, Dylan Syme

A common infection vector used by botnet creators is scanning the Internet for web vulnerabilities to exploit for malware or back doors. The advantage of hitting servers over personal consumer devices is the ability to leverage powerful hardware that is...

Ramnit's Twist: A Disappearing Configuration

blog / Feb 17, 2017 (MODIFIED: Jul 06, 2017)

by Anna Dorfman

The Ramnit banking Trojan continues to evolve, this time with the intent of making the malware harder to detect.

TrickBot Now Targeting German Banking Group Sparkassen-Finanzgruppe

blog / Dec 01, 2016 (MODIFIED: Jul 06, 2017)

by Shaul Vilkomir-Preisman

TrickBot, the latest arrival to the banking malware scene and successor to the infamous Dyre botnet, is in constant flux.

Malware Targeting Bank Accounts Has a Swapping Pattern

article / Sept 01, 2016 (MODIFIED: Jul 06, 2017)

by Elman Reyes, Doron Voolf

F5 Labs analysts discovered a target pattern in the IBAN number formats as well as weekly changes to the script injection content. In May 2016, the F5 Security Operations Center (SOC) detected a generic form grabber and IBAN (International Bank...

Dridex is Watching You

article / Jun 17, 2016 (MODIFIED: Jul 06, 2017)

by Anna Dorfman

And we're watching Dridex. Here's the latest in this malware's evolution.

Webinject Crafting Goes Professional: Gozi Sharing Tinba Webinjects

blog / May 26, 2016 (MODIFIED: Jul 06, 2017)

by Doron Voolf

Webinject crafting is a separate profession now. Hackers write webinjects and sell them to fraudsters, who use them to weaponize Trojans.

Dridex Update: Moving to US Financials with VNC

article / Apr 26, 2016 (MODIFIED: Jul 06, 2017)

by Doron Voolf

Ongoing campaign analysis has revealed that Dridex malware's latest focus has strongly shifted in recent months to US banks.

Dridex BOTnet 220 Campaign: Targeting UK Financials with Webinjects

article / Feb 25, 2016 (MODIFIED: Jul 06, 2017)

by Maxim Zavodchik

Like many other financial Trojans, the notorious Dridex malware keeps evolving and strengthening its presence.

Yasuo-Bot: Flexible, Customized, Fraudulent Content

report / Dec 14, 2015 (MODIFIED: Jul 06, 2017)

by Shaul Vilkomir-Preisman

Standard mobile banking trojans post their own fraudulent content over banking applications. Yasuo-Bot goes further.

Webinject Analysis: Newsidran.com

report / Dec 12, 2015 (MODIFIED: Jul 06, 2017)

by Elman Reyes

Webinject attacks modify webpages to allow fraudsters to collect credentials, or act more directly against user accounts.

Dyre Update: Moving to Edge and Windows 10 with Anti-Antivirus

blog / Nov 11, 2015 (MODIFIED: Jul 06, 2017)

by Julia Karpin

Dyre malware requires little introduction as it has been the focus of many publications, and it is a well-known threat. One of the reasons for it being so infamous is the frequent changes the authors incorporate in...

Slave Malware Analysis: Evolving from IBAN Swaps to Persistent Webinjects

report / Jun 24, 2015 (MODIFIED: Jul 06, 2017)

by Elman Reyes, Pavel Asinovsky, Julia Karpin, Nathan Jester

Slave is financial malware written in Visual Basic. Since 2015 it has evolved from relatively simple IBAN swapping.

VBKlip Banking Trojan Goes Man-In-The-Browser

article / Apr 30, 2015 (MODIFIED: Jul 06, 2017)

by Julia Karpin

VBKlip has evolved significantly from searching for IBAN data in copy-paste functionality to MITB techniques.

Dyre In-Depth: Server-side Webinjects, I2P Evasion, and Sophisticated Encryption

report / Apr 12, 2015 (MODIFIED: Jul 06, 2017)

by Anna Dorfman, Avi Shulman

Dyre is one of the most sophisticated banking malware agents in the wild.

Tinba Malware: Domain Generation Algorithm Means New, Improved, and Persistent

report / Oct 15, 2014 (MODIFIED: Jul 06, 2017)

by Pasel Asinovsky

Tinba, also known as "Tinybanker", "Zusy" and "HµNT€R$", is a banking Trojan.

Shellshock: Malicious Bash, Obfuscated perlb0t, Echo Probes, and More

report / Oct 10, 2014 (MODIFIED: Jul 06, 2017)

by Maxim Zavodchik, Oz Elisyan

Shellshock can take advantage of HTTP headers as well as other mechanisms to enable unauthorized access to Bash.

perlb0t: Still in the Wild with UDP Flood DDoS Attacks

article / Jul 24, 2014 (MODIFIED: Jul 06, 2017)

by Maxim Zavodchik

Despite being around since 2005, perlb0t is still being used against unpatched servers.

stay up to date

Get the latest application threat intelligence from F5 Labs.

There was an error signing up.
Thank you, your email address has been signed up.

Follow us on social media.