Cyren Security Blog

Emotet: From a Banking Trojan to One of the Most Advanced Botnets

by Tinna Thuridur Sigurdardottir and Sarah Neubauer

Email Security Malware Threat Analysis

In 2014, the Emotet malware started as a banking Trojan targeting European bank customers. Back then, nobody expected this malware would evolve into one of the most dangerous botnets in the world.

Christmas Eve Warning! Malware Targeting Amazon Shoppers

by Maharlito Aquino and Kervin Alintanahin

Security Research & Analysis Threat Analysis

Shopping for Christmas gifts has never been easier, especially with Amazon—and who doesn’t use Amazon? This is why fake Amazon orders are a favorite method bad actors use at this time of year to bait rushed Christmas shoppers. As a warning to anybody (everybody?) caught up in receiving last-minute Amazon deliveries, we've come across a malicious email campaign (see image below) designed to install a variant of the Emotet malware, a polymorphic banking Trojan that is virtual machine-aware and primarily functions as a downloader or dropper of other malware.

Fileless Malware Already Targeting Holiday Suppliers

by Maharlito Aquino and Kervin Alintanahin

Security Research & Analysis Threat Analysis

It gets earlier and earlier every year. The first Yuletide-related malware campaign has already been spotted. There’s always an expected and monumental amount of consumer spam and phishing in the run-up to Black Friday and then Christmas itself, but we’ve found one malware author getting into the Christmas “spirit” in late October by targeting backdoor-delivering emails at the Yuletide supply chain, specifically Christmas goods suppliers whose preparations for the year-end commercial convulsion are well underway.

Not-Really-Password-Protected Evasion Technique Resurfaces

by Maharlito Aquino and Kervin Alintanahin

Security Research & Analysis Threat Analysis

Today we came across an e-mail with an Excel Workbook attachment which, upon first inspection, appears to be password-protected. The presence of the EncryptedPackage stream in an OLE2 document indicates that it is protected by a password, which would obviously require the user to enter one in order to open the document properly. Or at least that’s what the bad guys would like email or AV scanners to think.

Police Phishing Attack Targets Bank Credentials

by Magni Reynir Sigurðsson

Phishing Security Research & Analysis Threat Analysis

An email impersonating the Icelandic police was sent to thousands of Icelanders this past weekend, falsely requesting the recipient come in for questioning.

Double Deceit: Bad Things Come in Pairs

by Maharlito Aquino and Kervin Alintanahin

Email Security Security Research & Analysis Threat Analysis Web Security

The Chinese proverb may say that good things come in pairs, but in what appears to be a clever bit of social and technical engineering, we’ve discovered a new email threat carrying not one but two different malicious attachments as bait, specifically a PDF file and a Microsoft Template file (OpenXML/DOTX), targeting a previously reported Microsoft Office vulnerability in order to deliver the remote access Trojan (RAT) known as NetWiredRC. We believe the use of two attachments is intended to make the email seem more legitimate to recipients. Typically hackers send only one malicious attachment—by sending two, the hackers increase the chances that the target will open at least one of them. In addition, the techniques applied within the attachments add a few layers of complexity to both the delivery of the exploit and the final payload, and are intended to help evade detection.