Dissecting the “Kraken”
In January 2015, unidentified attackers attempted to infiltrate a multi-national enterprise based in the United Arab Emirates, using a spear phishing attack with a crafted MS Word document attached to the message. Once it has reached its target, the payload used was designed to work as an…
Staying alert when buying banners: Google's advertising service misused for distributing malware
The recent case of malware distribution via Google AdSense advertising banners is an arresting example of how quickly a huge number of websites across the world can become embroiled in cyber attacks. A supplier of the advertising network has apparently been compromised. The attackers deployed the…
The Andromeda/Gamarue botnet is on the rise again
Attacks carried out with documents pepped up with macros seem to become in vogue again. G DATA’s security experts have analyzed several cases within the last weeks, in which active content in documents triggers an infection. The experts want to explain two different approaches for the same current…
Casper: the newest member of the cartoon malware family
Casper is considered to be EvilBunny’s and Babar’s successor, believed to be originating from the same group of programmers – possibly connected to a French intelligence agency. Two very interesting changes the malware has undergone: it now has a modular structure which allows the attackers to…
Babar: espionage software finally found and put under the microscope
Almost a year after Operation SNOWGLOBE was publicly mentioned for the first time by the famous French newspaper Le Monde, security experts have now laid hands on malware samples that match the descriptions made by the Communication Security Establishment Canada (CSEC). The following analysis is the…
Analysis of Project Cobra
Project Cobra and the Carbon System were mentioned by Kaspersky in the article called “The Epic Turla Operation” . This malware is used by the same actors as Uroburos (aka Snake/Turla) and Agent.BTZ. We estimate that Carbon System was developed after Agent.BTZ and before Uroburos. The Carbon System…
Evolution of sophisticated spyware: from Agent.BTZ to ComRAT
In November 2014, the experts of the G DATA SecurityLabs published an article about ComRAT, the Agent.BTZ successor. We explained that this case is linked to the Uroburos rootkit. We assume that the actor behind these campaigns uses several different malware strains in order to compromise the…
BKA strikes a blow against botnet operators
The Federal Criminal Police Office (Bundeskriminalamt; BKA) has made a successful strike against cyber criminals by halting the distribution of Dropperbot. The main task of the malware, which, according to initial reports, has infected 11,000 computers across the world, was to steal data from…
Money is what matters, and visitors are money
Gambling has always been a somewhat shady area – online and offline. In the digital world, the proportion of legal gambling sites is vanishingly small, in Germany at least, compared to the almost countless number of providers. Every provider is on the lookout for customers and so has to have a…
Regin, an old but sophisticated cyber espionage toolkit platform
Regin is one of the latest cyber espionage toolkits targeting a range or organizations, companies and individuals around the world. This malware is very sophisticated and it can mentioned in the same breath with other cyberespionage campaigns like Duqu, Stuxnet, Flame, Uroburos (aka Snake/Turla).…
Karsten Hahn
Virus Analyst
Tim Berghoff
Security Evangelist
