Interpol arrested three citizens of Nigeria in the country’s capital city Lagos as a part of an international operation dubbed Killer Bee. The men were suspected of using Agent Tesla remote administration tools (RAT) to redirect financial operations and corporate classified data theft. The search showed that the suspects had fake documents, including invoices and official letters.

Agent Tesla showed up for the first time in 2014. It is an extremely popular RAT-Trojan used for credential stealing, keylogging, clipboard data obtaining, and collecting other information from the victims. Cybercriminal syndicates and stand-alone hackers use Agent Tesla widely because of its stability, flexibility, and broad functionality.

The headquarters of the General Secretariat and the National central bureau of Interpol, together with law-enforcement agencies in 11 South Asian countries, took part in the Killer Bee operation.

Hendrix Omorume – one of the three suspects has already been charged and convicted for three episodes of financial fraud, and he faces a year in jail. The two other Nigerians are now under trial.

“Through its global police network and constant monitoring of cyberspace, Interpol had the globally sourced intelligence needed to alert Nigeria to a serious security threat where millions could have been lost without swift police action,” – Craig Jones, the Interpol’s Director of Cybercrime stated. He added: “Further arrests and prosecutions are foreseen worldwide as intelligence continues to come in and investigations unfold.”

The post Three Online Scammers Arrested in Nigeria in an Interpol’s Operation appeared first on Gridinsoft Blog.

Experts discovered Qbot in 2008; over the years, it has evolved from an ordinary info-stealer into a real “Swiss knife” for hackers.

Today, Qbot is capable of, for example, delivering other types of malware to the infected system, and can even be used to remotely connect to the target system to carry out banking transactions using the victim’s IP address.

As a rule, Qbot spreads in a classic way: through phishing emails that contain dangerous attachments or lure users to malicious sites controlled by hackers – say the researchers

Check Point experts remind that the updated version of Qbot can steal emails from its victims and then use them to send spam, thereby creating more believable decoys.

Between March and August 2020, Check Point researchers discovered several campaigns with an updated version of Qbot, including a campaign where malware was masked using Emotet. According to experts, in July 2020, this campaign affected 5% of organizations in the world.

Attackers are always looking for ways to improve malware. Now they are investing heavily in developing Qbot – it can be used to steal data massively from organizations and ordinary users. We have already seen active malicious spam campaigns that Qbot has been distributing. We also noted that sometimes Qbot is spread using another Trojan, Emotet – says Vasily Diaghilev, head of Check Point Software Technologies

Overall, in August 2020, the top most active malware looked like this:

• Emotet is an advanced self-spreading modular Trojan. Was once an ordinary banker but has recently been used to distribute malware and campaigns. New functionality allows sending phishing emails containing malicious attachments or links.
• Agent Tesla – Advanced Remote Access Trojan (RAT). AgentTesla has been infecting computers since 2014, acting as a keylogger and password stealer.
• FormBook is an info-stealer first discovered in 2016. It is marketed as MaaS in underground hacking forums due to its advanced evasion techniques and relatively low cost. FormBook collects credentials from various browsers, takes screenshots, monitors, and logs keystrokes, and can download and execute files as ordered from the command server.

Let me remind you that Emotet topped the rating of the most common threats in 2019 and, it seems, is not going to lose its positions.

Companies must consider introducing security solutions to prevent such content from reaching users. It is important to remind employees to be very careful when opening emails, even if they appear to come from a trusted source at a glance.

The post Qbot Trojan Entered The Top Of The Most Widespread Malware appeared first on Gridinsoft Blog.

The top includes malware designed to steal all types of confidential information, bank details, and remote access tools to control a hacked host.

No.1 Emotet – 36,026 samples

The Trojan was first discovered in 2014 and was used to intercept data transmitted through secure connections. Recall that in September of this year, Emotet returned to life after 4 months of inactivity. Operators sent emails containing malicious files and links for malware downloads. The victims of the campaign are users who speak Polish and German.

No.2 Agent Tesla – 10 324

Agent Tesla is an advanced tool for remote access (RAT). The malware has been infecting computers since 2014, acting as a keylogger and password stealer.

No.3 NanoCore – 6,527

NanoCore is the most popular tool among all RATs. In addition to providing remote access to the victim host, it can log keys, spy, execute files, capture video and audio, edit the registry, and control the mouse.

No.4 LokiBot – 5693

LokiBot has appeared in clandestine forums as an information thief and keylogger, but further development has added various features that allow it to avoid detection and collect confidential information.

No.5 Ursnif – 4,185

Ursnif is usually associated with data theft, but some versions come with such components as backdoors, spyware, or files’ embedding. Security researchers also associate with this threat the deployment of another malware, the GandCrab.

No.6 FormBook – 3,548

Malicious software was developed to capture data typed on the keyboard in web forms. Its functions include collecting credentials from web browsers (cookies, passwords), creating screenshots, stealing clipboard contents, keeping a key log, downloading and running executable files from the management and control server, and stealing passwords from email clients.

No. 7 HawkEye – 3,388

The keylogger supports intercepting keystrokes and allows stealing credentials from various applications and the clipboard.

No.8 AZORult – 2 898

The main function of the malware is to collect and extract data from a compromised system, including passwords stored in browsers, mail and FTP clients, cookies, web forms, cryptocurrency wallets, and correspondence in instant messengers.

No.9 TrickBot – 2,510

Initially, TrickBot was used only in attacks against Australian users, but in April 2017, it began to be used in attacks on banks in the USA, Great Britain, Germany, Ireland, Canada, New Zealand, Switzerland, and France. Typically, it is distributed through Emotet and can download other malicious programs to the system (for example, Ryuk ransomware).

No.10 njRAT – 2,355

njRAT is based on .NET and allows attackers to control the system completely. Previously, the Trojan was distributed via spam messages containing advertising of cheat codes and a license key generator for the game “Need for Speed: World”. It has also been used in several malicious campaigns that use OpenDocument Text (ODT) files.

As was said before, the Check Point Research Team published the Global Threat Index report, listing the most dangerous malware of November 2019, so in the November ranking, in addition to obvious threats to mobile devices, also was leading Emotet.

The post Emotet topped the rating of the most common threats in 2022 appeared first on Gridinsoft Blog.