Increasing Cases of Wiperware Infection
  • Advisory
  • January 19, 2023

Wiperware is a Trojan similar to ransomware, so its mode of delivery is typically via established social engineering or phishing techniques. Once a system is infected, there may even be a ransom note in a README.txt file. The aim is to fool the victim into thinking it is ransomware and paying the ransom. However, any file affected by wiperware can never be recovered, whether or not a ransom is paid.

In other instances, the aim is to bring down critical infrastructure, so there is no pretence of being ransomware. Once persistence is achieved, the malware destroys critical files one by one in order to stop particular infrastructure from functioning as intended.

Phishing Emails with OneNote Attachments Used to Disseminate RATs
  • Advisory
  • January 24, 2023

These RATs are delivered via phishing emails disguised as DHL shipping mails, invoices, ACH remittance forms, and so on. The OneNote attachment is a "notebook" with a malicious file embedded inside it. Threat actors place a "Double Click To View" banner over the notebook so that clicking it loads the embedded attachment. When the user clicks, the system warns about the dangers of opening attachments that could harm the system or its data. Users usually ignore these warnings, and if they click 'OK,' a RAT is downloaded from a C2 server and installed. The Quasar RAT, AsyncRAT, and XWorm RAT are among the RATs being downloaded.
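The defensive check that follows from this advisory is to inspect OneNote attachments for embedded files before they reach a user. The scanner below is an added example written for this page, not tooling from the advisory's authors. It relies on one documented fact from the MS-ONESTORE file format: each embedded file is stored in a FileDataStoreObject whose header begins with the GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}, followed by an 8-byte length, 4 unused bytes and 8 reserved bytes, then the file contents. The sample notebooks and the table of risky content signatures are constructed here for illustration and are not real samples.

```python
"""Flag OneNote (.one) attachments that carry embedded files.

Added example for the advisory above; not code from the original page.
Assumes only the MS-ONESTORE FileDataStoreObject layout described in the
lead-in. Sample inputs are constructed inline.
"""
import struct

# FileDataStoreObject.guidHeader, serialised as it appears on disk
# (little-endian GUID fields) -- the same bytes onedump-style scanners look for.
FILE_DATA_STORE_GUID = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")

# guidHeader (16) | cbLength (uint64, 8) | unused (4) | reserved (8) | FileData
HEADER_LEN = 16 + 8 + 4 + 8

# Constructed allow/deny illustration: content signatures a defender would
# treat as high risk inside a document attachment.
SUSPICIOUS_MAGIC = {
    b"MZ": "Windows executable (PE)",
    # LNK: HeaderSize 0x4C followed by the ShellLink CLSID 00021401-0000-0000-C000-000000000046
    b"\x4c\x00\x00\x00\x01\x14\x02\x00": "Windows shortcut (LNK)",
}


def classify(payload: bytes) -> str:
    """Return a label for the embedded content, or 'unrecognised'."""
    for magic, description in SUSPICIOUS_MAGIC.items():
        if payload.startswith(magic):
            return description
    return "unrecognised"


def find_embedded_files(data: bytes) -> list:
    """Locate every FileDataStoreObject in a .one blob and describe its payload.

    Scanning for the GUID (rather than walking the full object tree) is
    deliberate: it also catches objects referenced from malformed structures.
    """
    results = []
    pos = data.find(FILE_DATA_STORE_GUID)
    while pos != -1:
        if pos + HEADER_LEN > len(data):
            break  # truncated header; nothing more to read
        (cb_length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + HEADER_LEN
        end = min(start + cb_length, len(data))  # tolerate a lying length field
        payload = data[start:end]
        results.append({"offset": start, "length": cb_length, "kind": classify(payload)})
        pos = data.find(FILE_DATA_STORE_GUID, pos + 16)
    return results


def is_suspicious(data: bytes) -> bool:
    """True when any embedded file matches a risky content signature."""
    return any(entry["kind"] != "unrecognised" for entry in find_embedded_files(data))


def _fds_object(payload: bytes) -> bytes:
    """Build one FileDataStoreObject around a payload (constructed test data)."""
    return (FILE_DATA_STORE_GUID
            + struct.pack("<Q", len(payload))
            + b"\x00" * 4          # unused
            + b"\x00" * 8          # reserved
            + payload)


# Constructed samples: a notebook hiding a PE stub next to a PNG, and a clean one.
SAMPLE_MALICIOUS = (b"\x00" * 32
                    + _fds_object(b"MZ\x90\x00" + b"\x00" * 60)
                    + b"\x00" * 16
                    + _fds_object(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))
SAMPLE_CLEAN = b"\x00" * 32 + _fds_object(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)


if __name__ == "__main__":
    for name, blob in (("malicious", SAMPLE_MALICIOUS), ("clean", SAMPLE_CLEAN)):
        print(name, is_suspicious(blob), find_embedded_files(blob))
```

In a mail gateway or sandbox the practical policy is stricter than this table: any embedded file that is not an image or other expected type is quarantined, because the advisory's lure works regardless of which script or binary sits under the banner.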

New Phishing Apps Discovered on Google Play Store
  • Advisory
  • January 30, 2023

While some of the malicious apps have been removed, others are still active on the store. Below are the affected apps:

  1. Golden Hunt
  2. Reflector
  3. Seven Golden Wolf Blackjack
  4. Unlimited Score
  5. Big Decisions
  6. Jewel Sea
  7. Lux Fruits Game
  8. Lucky Clover
  9. King Blitz
  10. Lucky Hammer


After installing and opening the app, it will contact a remote server which will reply with instructions on what to do. These instructions typically include phishing pages that will be displayed to unsuspecting users in an attempt to collect their sensitive information.

Malicious Advertising Campaign Distributing FormBook Info-Stealer Malware
  • Advisory
  • February 13, 2023

Malvertising can appear in any advertisement on any website, including those you visit on a regular basis. Malvertising typically installs a small piece of code that connects your computer to criminal command and control (C&C) servers. The server profiles your computer, including its location and the software installed on it, before deciding which malware to send you. In this campaign, malvertising is the most common method of distribution: malicious advertisements are inserted into popular search engines so that they appear when unsuspecting users conduct searches. Clicking such a link infects the device with the MalVirt loader, which uses a KoiVM virtualizing protector to avoid detection and analysis by anti-malware software. The loader then installs the FormBook malware together with a signed Microsoft Process Explorer driver, allowing it to perform actions with elevated privileges. FormBook can also hide its C2 (command and control) traffic behind bogus HTTP requests to various dummy domains.

Increasing Watering Hole Attacks in Nigeria
  • Advisory
  • March 16, 2023

The threat actors behind these types of attacks will typically conduct reconnaissance on a specific group, primarily to determine which websites its members visit on a regular basis. These can be discussion forums, social media platforms, blogs, or websites aimed at a specific industry or type of professional. They then either infect those sites with malware or create malicious third-party sites to lure users to them. If users fall for it, their devices become infected with malware, granting the threat actor unauthorised access. If the user then connects to their organization's network using the compromised device, the actor may gain unauthorised access to organizational systems as well. Some of the techniques observed in this attack include: drive-by downloads, in which targets at a watering hole download malicious content without their knowledge, consent, or action; malvertising, in which the attackers inject malicious code into advertisements at a watering hole in order to spread malware to visitors; and zero-day exploitation, in which the attackers exploit previously unknown vulnerabilities in the website or in the visitor's browser.

Cybercriminals Using YouTube to Spread Malware
  • Advisory
  • March 23, 2023

To stimulate the interest of potential victims, video tutorials on how to pirate sought-after software such as AutoCAD, Adobe Photoshop, Adobe Premiere Pro, and other similar paid-for software are created. These videos are created with AI and feature humans with facial features that research has shown other humans find trustworthy. The tutorials in these videos are frequently bogus and steer viewers to links in the description that lead to information-stealing malware like Raccoon, Vidar, and RedLine.

AI-generated YouTube videos can be used for malware distribution in several ways:

  1. Malicious actors can create AI-generated videos that include hidden or disguised malware. These videos may appear to be harmless or even entertaining, but they can contain malicious code that can infect a viewer's device when the video is downloaded or played.
  2. Malicious actors can use AI-generated videos to trick viewers into downloading malware. For example, they can create a video that appears to be a legitimate software update or security patch, but in reality, it contains malware that infects the viewer's device.
  3. Malicious actors can use AI-generated videos to distribute phishing scams. They can create a video that appears to be from a legitimate company or organization and prompts viewers to click on a link to enter their login credentials or personal information. Once the viewer clicks on the link, they are directed to a fake website that steals their information.
  4. Malicious actors can use AI-generated videos to distribute ransomware. They can create a video that appears to be harmless, but when the viewer clicks on a link or downloads a file associated with the video, their device becomes infected with ransomware that locks them out of their files and demands payment to regain access.
