Checking your Android device for known malware

Check All APK's is a set of two scripts that leverage Drozer and the VirusTotal API to check whether a phone is running applications known to be malware. This is practical during security breaches, when an analyst has to identify malicious applications among hundreds of legitimate ones.

WannaCry Ransomware Webcast

The number of individuals, organizations and countries affected by the WannaCry malware attack is growing at an alarming rate. After the initial infection is executed, no user intervention at all is required for the malware to spread. As this is one of the largest cybersecurity attacks in history, it's important that you have all the facts. … Continue reading WannaCry Ransomware Webcast

iOS malware: myth or reality?

Introduction The 2015 DBIR report from Verizon contained a small section on mobile malware but the part on iOS said that all alerts on this platform were all false positives that were in fact triggered by Android devices ("most of the suspicious activity logged from iOS devices was just failed Android exploits"). This is great as … Continue reading iOS malware: myth or reality?

Honey! Where is my POS??

Introduction Not a month goes by without news about another new POS (point-of-sale) malware or credit card data breach. Obviously, details of this kind of breach cannot be made public (banks, ongoing investigation, reputation …). But what do we know really about POS malware? Can we create groups of malware and relate them to groups of cyber … Continue reading Honey! Where is my POS??

Sphinx Moth: Expanding our knowledge of the “Wild Neutron” / “Morpho” APT

The Kudelski Security Cyber Fusion Center together with the KS-CERT has been monitoring and investigating the “Sphinx Moth” threat activity since mid-2014. When Kaspersky and Symantec released reports on a powerful threat actor earlier this year, it became clear that what they had respectively called “Wild Neutron” or “Butterfly”/“Morpho”, corresponded with the “Sphinx Moth” advanced … Continue reading Sphinx Moth: Expanding our knowledge of the “Wild Neutron” / “Morpho” APT

Dridex static configuration extractor

Despite recent takedowns of multiple CnCs related to dridex, we still see a significant amount of Dridex samples. To facilitate triage and extraction of IOCs, we developed a configuration extractor that is able to obtain the version and "server list" (CnC) of dridex version 120, 220 and 301. This tool performs a static analysis by enumerating … Continue reading Dridex static configuration extractor

Volatility plugin for Dyre

Dyre is a banking malware discovered in middle of 2014. It can intercept HTTPS traffic, using techniques documented in this Introduction to Dyreza. In the context of our review of malware faced by customers, we need to rapidly respond and assess the risk. Dyre is malware found in such context, and we are releasing a … Continue reading Volatility plugin for Dyre