Virus Bulletin

Zscaler researchers have identified a novel Windows-based malware they call FFDroider. FFDroider is a stealer capable of stealing cookies and credentials from the victim’s machine. https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users …pic.twitter.com/jlLXf1UMqu

ESET's @LukasStefanko has analysed three malicious Android applications targeting the customers of eight Malaysian banks. The campaign tempts potential victims to download malicous apps from fake websites that pose as legitimate services in Facebook ads. https://www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credentials-android-malware/ …pic.twitter.com/hcHjLMprjl

On the SANS ISC blog, @malware_traffic analyses the new MetaStealer malware from malicious Excel files distributed in malspam. https://isc.sans.edu/diary/28522 pic.twitter.com/kXaWsts2N9

Symantec researchers look into a Cicada (aka APT10) attack targeting organizations around the globe in what is likely an espionage campaign that has been ongoing for several months. https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks …pic.twitter.com/8iOSOpI5od

Avast's @NovakPauly & @JanRubin analyse a Traffic Direction System they call Parrot TDS. The TDS has infected various web servers hosting more than 16,500 websites and acts as a gateway for further malicious campaigns to reach potential victims. https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/ …pic.twitter.com/2UcGOkMMeE

Fortinet researchers analyse how Remcos RAT is delivered and executed, what sensitive information it could steal, how it connects to its C2 server and what commands Remcos provides to the victim’s device. https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing …pic.twitter.com/nXOOWZoBrY

On the NVISO Labs blog, @didierstevens presents a beginner-friendly guide on how to analyse a multilayer malicious document. The blog also describes how to install the different tools used. https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ …pic.twitter.com/QZqCfYEI9r

Security researcher @mars0x_ 's first blog post is an analysis of the WannaHusky ransomware emulator, complete with YARA rules and TTPs. https://medium.com/@mars0x/wannahusky-malware-analysis-w-yara-ttps-2069fb479909 …pic.twitter.com/a9oIfi04jj

Cybereason researchers have discovered a new possible APT-C-23 espionage campaign that targets Israeli individuals & officials.The attackers use fake Facebook profiles to trick individuals into downloading trojanized direct message apps for Android & PC. https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials …pic.twitter.com/WQhjpS1Yo0

Armorblox has details of a malspam campaign that spoofs a voice message notification from WhatsApp. On clicking the link an attempt is made to install infostealer malware on the machine. https://www.armorblox.com/blog/whatsapp-voicemail-phishing-attack/ …pic.twitter.com/J0RisjGoie

Cisco Talos' @b4n1shed & Alex Karkins write about ongoing malware distribution campaigns that use ISO disk images to deliver AsyncRAT, LimeRAT and other commodity malware to victims.These campaigns appear to be linked to a new version of the 3LOSH crypter. https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html …pic.twitter.com/HdJRuhsUX9

Malwarebytes' @kernelm0de, @h2jazi & @malwareinfosec describe Colibri Loader's persistence technique. Colibri is still in its infancy but it already offers many features for attackers and seems slowly to be gaining popularity. https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/ …pic.twitter.com/cV0PYKULfy

Fortinet researchers observed that the Beastmode (aka B3astmode) Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Five new exploits were added within a month, with three targeting various models of TOTOLINK routers. https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign …pic.twitter.com/lUSErlirHQ

Intezer's @NicoleFishi19 & @joakimkennedy write about a recently developed malware framework called Elephant being delivered in targeted spear phishing campaigns using spoofed Ukrainian governmental email addresses. https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/ …pic.twitter.com/NbnvlNuhTN