Cisco Talos analyzed PowerShell trojan "DNSMessenger" that communicates with the command and control server using DNS TXT record queries.
IRC Botnet named GhostAdmin spreading as a fake security product, borrowing its name and icon from the Symantec, Avira, Avast.
Nice analysis of an admin panel used by spambot "Onliner". It was used for spreading Ursnif in the Italy and Canada.
The group known as the APT28, attributed to the Russia, is behind the spear phishing operation against the Japan. They have used PowerShell payload, which downloads additional DLL malware later.
New exploit kit called Nebula is up for a sale on the internet. Different payload is served according to the victim location.
German and Czech Android users are getting served with a banking Trojan directly through SMS messages.
Teddy bear seller CloudPets Mongo database full of customers' info leaked online.
This is from the beginning of February, some provoking thoughts on the cyber conflict around French elections.
Eset & Kaspersky released a decryption tool for the Dharma ransomware.
Matthew Green wrote about the use of advanced cryptography in the ransomware development. This is interesting, and partially related to my december blog.
Researchers from the Graz University of Technology published attack against the Intel Software Guard Extensions enclaves.
From the paper: "In this paper, we demonstrate fine-grained software-based side-channel attacks from a malicious SGX enclave targeting co-located enclaves. Our attack is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself. Furthermore, we demonstrate our attack both in a native environment and across multiple Docker containers. [...] In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces within 5 minutes."
whoishere.py - Identify people by assigning a name to a device performing a wireless probe request