Windows IIS 6.0 CVE-2017-7269 Is Targeted Again to Mine Electroneum

article / Apr 12, 2018 (MODIFIED: Apr 17, 2018)

by Andrey Shalnev

Attackers are targeting a Windows IIS vulnerability first disclosed a year ago to mine Electroneum.

Avoid Becoming a Crypto-Mining Bot: Where to Look for Mining Malware and How to Respond

/ Apr 03, 2018

by David Holmes

People are mining coins all over the place; all it costs is money for the power bill. So, of course, clever people are figuring out how to use other people’s power to mine cryptocurrency.

Old Dog, New Targets: Switching to Windows to Mine Electroneum

article / Mar 28, 2018 (MODIFIED: Apr 10, 2018)

by Andrey Shalnev

Apache Struts 2 Jakarta Multipart Parser RCE crypto-mining campaign is now targeting Windows, not just Linux systems.

rTorrent Client Exploited In The Wild To Deploy Monero Crypto-Miner

article / Feb 28, 2018 (MODIFIED: Apr 17, 2018)

by Andrey Shalnev

A previously undisclosed misconfiguration vulnerability in the rTorrent client is being exploited in the wild to mine Monero.

XMRig Miner Now Targeting Oracle WebLogic and Jenkins Servers to Mine Monero

blog / Feb 21, 2018 (MODIFIED: Apr 06, 2018)

by Andrey Shalnev

The same drop zone server used last week to mine Monero on compromised Jenkins automation servers is now being used in a new Monero mining campaign targeting Oracle WebLogic servers.

Ramnit Goes on a Holiday Shopping Spree, Targeting Retailers and Banks

article / Jan 15, 2018 (MODIFIED: Mar 02, 2018)

by Doron Voolf

Ramnit’s latest twist includes targeting the most widely used web services during the holidays: online retailers, entertainment, banking, food delivery, and shipping sites.

A Spectre of Meltdowns Could be in Store for 2018, Including Fileless Malware Attacks and More Costly Bots

blog / Jan 10, 2018 (MODIFIED: Mar 01, 2018)

by Lori MacVittie

Every week another bug, vulnerability, or exploit is released, so we need a multi-layered security strategy (beyond our standard patch “spin cycles”) to deal with threats like Spectre and Meltdown.

New Python-Based Crypto-Miner Botnet Flying Under the Radar

article / Jan 03, 2018 (MODIFIED: Mar 08, 2018)

by Maxim Zavodchik, Liron Segal, Aaron Brailsford

A new Python-based botnet that mines Monero spreads via SSH and leverages Pastebin to publish new C&C server addresses.

TrickBot Rapidly Expands its Targets in August, Shifting Focus to US Banks and Credit Card Companies

article / Sept 14, 2017 (MODIFIED: Oct 17, 2017)

by Sara Boddy, Jesse Smith, Doron Voolf

TrickBot kicked into high gear coming into August with the most targeted URLs since its launch. It released a new worm module, shifted its focus towards the US, and soared past the one thousand target URL mark in a single configuration.

TrickBot Focuses on Wealth Management Services from its Dyre Core

article / Jul 27, 2017 (MODIFIED: Sept 01, 2017)

by Sara Boddy, Jesse Smith, Doron Voolf

As TrickBot evolves, we examine version 24, which heavily targets Nordic financial institutions, and we take a close look at the Dyre–TrickBot connection.

TrickBot Expands Global Targets Beyond Banks and Payment Processors to CRMs

blog / Jun 15, 2017 (MODIFIED: Aug 01, 2017)

by Sara Boddy, Jesse Smith, Doron Voolf

TrickBot shows no signs of slowing down as new targets are added and command and control servers hide within web hosting providers’ networks.

From NSA Exploit to Widespread Ransomware: WannaCry is on the Loose

blog / May 12, 2017 (MODIFIED: Jul 24, 2017)

by Ray Pompon

The new EternalBlue NSA exploit is powering a wave of virulent ransomware sweeping across Europe.

Marcher Gets Close to Users by Targeting Mobile Banking, Android Apps, Social Media, and Email

article / Apr 07, 2017 (MODIFIED: Sept 11, 2017)

by Doron Voolf

Marcher targets focused on European, Australian, and Latin American banks, along with PayPal, eBay, Facebook, WhatsApp, Viber, Gmail, and Yahoo—all in the month of March.

From DDoS to Server Ransomware: APACHE STRUTS 2 - CVE-2017-5638 Campaign

article / Mar 27, 2017 (MODIFIED: Jul 24, 2017)

by Maxim Zavodchik, Julia Karpin, Ilya Chernyakov, Dylan Syme

A common infection vector used by botnet creators is scanning the Internet for web vulnerabilities to exploit for malware or back doors. The advantage of hitting servers over personal consumer devices is the ability to leverage powerful hardware that is...

Ramnit's Twist: A Disappearing Configuration

blog / Feb 17, 2017 (MODIFIED: Jul 06, 2017)

by Anna Dorfman

The Ramnit banking Trojan continues to evolve, this time with the intent of making the malware harder to detect.

TrickBot Now Targeting German Banking Group Sparkassen-Finanzgruppe

blog / Dec 01, 2016 (MODIFIED: Jul 06, 2017)

by Shaul Vilkomir-Preisman

TrickBot, the latest arrival to the banking malware scene and successor to the infamous Dyre botnet, is in constant flux.

Malware Targeting Bank Accounts Has a Swapping Pattern

article / Sept 01, 2016 (MODIFIED: Jul 06, 2017)

by Elman Reyes, Doron Voolf

F5 Labs analysts discovered a target pattern in the IBAN number formats as well as weekly changes to the script injection content. In May 2016, the F5 Security Operations Center (SOC) detected a generic form grabber and IBAN (International Bank...

Dridex is Watching You

article / Jun 17, 2016 (MODIFIED: Jul 06, 2017)

by Anna Dorfman

And we're watching Dridex. Here's the latest in this malware's evolution.

Webinject Crafting Goes Professional: Gozi Sharing Tinba Webinjects

blog / May 26, 2016 (MODIFIED: Jul 06, 2017)

by Doron Voolf

Webinject crafting is a separate profession now. Hackers write webinjects and sell them to fraudsters, who use them to weaponize Trojans.

Dridex Update: Moving to US Financials with VNC

article / Apr 26, 2016 (MODIFIED: Jul 06, 2017)

by Doron Voolf

Ongoing campaign analysis has revealed that Dridex malware's latest focus has strongly shifted in recent months to US banks.

Dridex BOTnet 220 Campaign: Targeting UK Financials with Webinjects

article / Feb 25, 2016 (MODIFIED: Jul 06, 2017)

by Maxim Zavodchik

Like many other financial Trojans, the notorious Dridex malware keeps evolving and strengthening its presence.

Yasuo-Bot: Flexible, Customized, Fraudulent Content

report / Dec 14, 2015 (MODIFIED: Jul 06, 2017)

by Shaul Vilkomir-Preisman

Standard mobile banking trojans post their own fraudulent content over banking applications. Yasuo-Bot goes further.

Webinject Analysis: Newsidran.com

report / Dec 12, 2015 (MODIFIED: Jul 06, 2017)

by Elman Reyes

Webinject attacks modify webpages to allow fraudsters to collect credentials, or act more directly against user accounts.

Dyre Update: Moving to Edge and Windows 10 with Anti-Antivirus

blog / Nov 11, 2015 (MODIFIED: Jul 06, 2017)

by Julia Karpin

Dyre malware requires little introduction as it has been the focus of many publications, and it is a well-known threat. One of the reasons for it being so infamous is the frequent changes the authors incorporate in...

Slave Malware Analysis: Evolving from IBAN Swaps to Persistent Webinjects

report / Jun 24, 2015 (MODIFIED: Jul 06, 2017)

by Elman Reyes, Pavel Asinovsky, Julia Karpin, Nathan Jester

Slave is financial malware written in Visual Basic. Since 2015 it has evolved from relatively simple IBAN swapping.

VBKlip Banking Trojan Goes Man-In-The-Browser

article / Apr 30, 2015 (MODIFIED: Jul 06, 2017)

by Julia Karpin

VBKlip has evolved significantly from searching for IBAN data in copy-paste functionality to MITB techniques.

Dyre In-Depth: Server-side Webinjects, I2P Evasion, and Sophisticated Encryption

report / Apr 12, 2015 (MODIFIED: Jul 06, 2017)

by Anna Dorfman, Avi Shulman

Dyre is one of the most sophisticated banking malware agents in the wild.

Tinba Malware: Domain Generation Algorithm Means New, Improved, and Persistent

report / Oct 15, 2014 (MODIFIED: Jul 06, 2017)

by Pavel Asinovsky

Tinba, also known as "Tinybanker", "Zusy" and "HµNT€R$", is a banking Trojan.

Shellshock: Malicious Bash, Obfuscated perlb0t, Echo Probes, and More

report / Oct 10, 2014 (MODIFIED: Jul 06, 2017)

by Maxim Zavodchik, Oz Elisyan

Shellshock can take advantage of HTTP headers as well as other mechanisms to enable unauthorized access to Bash.

perlb0t: Still in the Wild with UDP Flood DDoS Attacks

article / Jul 24, 2014 (MODIFIED: Jul 06, 2017)

by Maxim Zavodchik

Despite being around since 2005, perlb0t is still being used against unpatched servers.
