New NetWire RAT Variant Being Spread Via Phishing

A FortiGuard Labs Threat Analysis Background NetWire is a Remote Access Trojan (RAT) malware that has been widely used for many years. Recently, FortiGuard Labs noticed a malware spreading via phishing email, and during the analysis on it, we discovered that it was a new variant of NetWire RAT. In

FunkyBot: A New Android Malware Family Targeting Japan

Last year, FortiGuard Labs identified a malware campaign targeting Japanese users. The campaign impersonated a logistics company and deployed an Android malware called FakeSpy. We have been monitoring these actors and the phishing websites they created, and recently we noticed that they have started deploying a different Android payload. As

Fake Indian Income Tax Calculator Delivers xRAT Variant

A FortiGuard Labs Breaking Threat Report Tax-themed phishing and malware attacks rise during the tax filing season. FortiGuard Labs recently came upon an interesting Excel file claiming to provide an income tax calculator that purports to be from India’s Income Tax Department. It’s not. Instead, it’s a malicious file containing

A Deep Dive Into IcedID Malware: Part II – Analysis of the Core IcedID Payload (Parent Process)

In part I of the blog, I demonstrated how to unpack the IcedID malware, hooking and process injection techniques used by IcedID, as well as how to execute the IcedID payload. In this part, let’s take a closer look at the core payload. 0x01 Overview Of The Payload The following is

BianLian: A New Wave Emerges

FortiGuard Labs Breaking Threat Research Recently, during our daily malware analysis routine, members of the FortiGuard Labs team encountered an Android sample that did not look familiar. Analysis At a first look, it seemed clear that the APK was heavily obfuscated, and was possibly packed using some technique we had

GandCrab Threat Actors Retire…Maybe

In a surprising announcement two weeks ago, the threat group behind the malware operation GandCrab announced that they had shut down their operations. Until that point, GandCrab had been one of the most active malware campaigns of the past year, both in terms of distribution and rapid development. FortiGuard Labs

Analysis of a New HawkEye Variant

Threat Analysis by FortiGuard Labs Background FortiGuard Labs recently captured a malware sample being spread by a phishing email. After a quick analysis, I discovered that it was a new variant of the HawkEye malware. HawkEye is known as a keylogger and an application credential stealing malware. Over the past few years,

Analysis of a Fresh Variant of the Emotet Malware

Breaking Threat Analysis research paper by FortiGuard Labs Emotet is not a new malware family. In fact, it’s been around for several years. We captured a JS file spreading Emotet in 2017, which I then analyzed and published two research papers on, Part I and Part II.

Fighting the Evolution of Malware

Malware is becoming increasingly destructive. Below is a short history of this trend, along with steps organizations can take to combat it. (This byline originally appeared in SC Media as a bylined article.) We begin with Mirai that, in the summer of 2016, was responsible for the largest DDoS attack

PDF Phishing Leads to Nanocore RAT, Targets French Nationals

Malware developers use a variety of distribution methods in order to confuse users and evade certain AV solutions. Recently, FortiGuard Labs found a phishing campaign targeting French nationals. In this campaign, a PDF file with embedded JavaScript is used to download the payload from a Google Drive shared link.