Jaromír Hořejší

18 July 2016

The evolution of the Retefe banking Trojan

Three weeks ago, we published a blog post about the Retefe banking Trojan, which targeted banking customers in the United Kingdom. The Trojan steals login credentials and other personal information. Retefe is usually spread via a phishing email. The email contains a document embedded with malicious JavaScript, and user interaction is needed to activate the Trojan.

Another UK bank, the Smile online bank, has recently been added to the list of affected banks.


Threat Research

Alexej Savčin

11 July 2016

Tools deliver false promises to YouTubers and Gamers

YouTube Subscriber Tools promise more fans than they can deliver.

If you have a YouTube account and are an aspiring YouTube star, you may have wondered if there’s an easy way to speed up the slow process of raising your channel to the top. If you’re a slow-moving gamer looking for a simple way to advance your skills, you may have wished for coins to make more in-game purchases and progress. If you search the Internet, you will definitely find websites with good advice on how to promote your content and even tips on how to create good videos and how to improve your gaming abilities.


Threat Research

Ondrej Vlcek

23 June 2016

CyberCapture: Protection against zero-second attacks

This week we released a new version of our core PC antivirus product, which we refer to as the Avast Antivirus Nitro Update. The update’s name is Nitro, because it is filled with innovative, new ways to increase speed and increase protection. One of the new ways we are increasing protection is with a cool new proprietary technology called CyberCapture. CyberCapture dramatically raises the bar when it comes to protection against zero-second attacks.

CyberCapture looks at the smallest bits of a file to determine its safety.

Let me explain how it works, and take a look at the infographic below which shows the path of an unknown file.


Threat Research

Alexej Savčin

9 June 2016

The newest phishing spam: “Security Alert!!!”

Fake phishing email impersonating Avast warns of 5 deadly trojans.

Guess who hackers disguised themselves as in a recent phishing campaign? That’s right, Avast! A laughable fake Avast alert email trying to harvest webmail addresses is being sent out via a spam message which leads to several domains where attackers have prepared a simple form to collect victims’ email addresses and passwords. This is what it looks like:


Received spam in a phishing scheme impersonating Avast


Threat Research

Jan Piskacek

2 June 2016

Knock-off FIFA apps on Google Play

Fake football apps appear on the Google Play Store in time for Copa America and Euro Cup.

Copa America Centenario and Euro Cup start this Friday and next Friday respectively, and everyone across the Americas and Europe is in the football/soccer spirit.

I found four soccer/football apps on the Google Play Store, all with the same or similar names, that are pretty bad knock-offs of the popular FIFA app. All four apps have negative reviews claiming the apps do practically nothing but display ads. Clearly, the only intention of the person or people behind these apps is to make money and not to deliver quality apps.

I dug a little deeper and despite the fact that these four apps were uploaded under different developer names, they seem to be developed by one developer. All four apps have the same dex files and manifests. Each developer name has only uploaded one app and there are no links to any developer homepages.

Ad-heavy soccer apps on Google Play

I decided to test each app to see if the negative reviews regarding the ads were true and unfortunately, they are.


Threat Research

Jan Piskacek

5 May 2016

Android Banker Trojan preys on credit card information

An Android Trojan is spying on its victims and even tricking some into giving up their credit card information.

Most of today’s malware authors create malware for one of two reasons: either to make money or to steal valuable data. In this blog post, we will show how an Android Trojan relies on social engineering.

Social engineering tactics are used to trick people into performing an action, like clicking on a link or downloading an application. The person being tricked thinks they are doing something innocent when they are really clicking on or downloading something malicious. This malware is associated with the banker family as it tries to steal users' credit card information.

Once installed, the Banker Trojan puts an icon in the launcher. The app name shown with the icon can vary from sample to sample; some of the names we have seen were: AVITO-MMS, KupiVip and MMS Центр (MMS Center).


Threat Research

Alexej Savčin

3 May 2016

New fresh phishing campaign hits Facebook

A new phishing campaign takes advantage of Facebook’s security measures in order to appear legitimate.

In this case, the creators of the campaign have created an app which is, in essence, a simple <iframe> that displays a fraudulent version of Facebook’s login page. Cybercriminals are abusing the Facebook application platform to carry out phishing campaigns against users which appear legitimate thanks to the fraudulent use of Facebook's own Transport Layer Security (TLS) security certificates, a protocol used to help keep domains and user communication secure.

The phishing web site is hosted on hxxp://gator4207.hostgator.com/~labijuve/a2/, which leads to an identical yet fake copy of Facebook’s verification page. Despite the resemblance that the iframe bears to Facebook’s actual webpage, the differences between the two sites become obvious when they’re displayed next to one another.


Fraudulent Facebook login page ready for victims to log in.



Threat Research

Alexej Savčin

30 March 2016

WordPress and Joomla websites get hacked with fake jQuery

Hackers use the popular name of jQuery library to inject malicious code into websites powered by WordPress and Joomla.

jQuery is a very popular JavaScript library. The basic aim of this library is to erase the differences between implementations of JavaScript in various web browsers. If you have ever tried web coding, you know how tedious it can be to make the code do the same thing in different browsers. Sometimes it is a really big challenge. In such situations, this library can be very useful.

Of course, it is only a matter of time until such a well-known library gets the attention of those who want to use it for purposes other than web coding. Fake jQuery injections have been very popular among hackers. And that brings us to one of the most popular infections of the last couple of months: the attack that injects a fake jQuery script into the head section of CMS websites powered by WordPress and Joomla.

What does it look like?

The script is located right before the </head> tag, so as a normal visitor you can’t notice anything unless you look into the source code.


Threat Research

Jan Širmer

18 March 2016

Locky’s JavaScript downloader

Locky ransomware is a considerable security threat that is now widely spread.

It seems that Locky’s authors are now predominantly using one campaign to spread the ransomware. Last week, we published a blog post about Locky ransomware, the ransomware that is most likely being spread by the infamous Dridex botnet. In our last blog post, we described three campaigns the Locky authors are using to spread their malware. Now Locky’s authors are mainly using the campaign with JavaScript packed into a zip file sent to people through phishing emails.


Threat Research, Security News

Michal Krejdl

16 February 2016

In search of the perfect instruction

Knowing the language of common microprocessors is essential for the work of virus analysts across the AV industry.

Each program you run - clean or malicious, no matter - is actually a set of commands (called instructions) specific to particular processors. These instructions can be very simple, e.g. the addition of two numbers, but we can see very complex cryptographic functions as well.

As processor architecture evolves over time, it becomes more and more complicated, and understanding or decoding the language becomes more difficult. It (hypothetically) does not have to be like this, but there's a hell called backward compatibility.



Threat Research, Security News