Comprehensive Analysis of ArmouryLoader – Series Analysis of Typical Loader Families (Five)

The original report is in Chinese, and this version is an AI-translated edition. Introduction: With the development of network attack technology, the malware loader is becoming the key component of malware execution. Such loaders are a malicious to……

Be Vigilant of Data Leaks Caused by the BlackCat Ransomware

1. Overview: Recently, Antiy CERT (member of the CCTGA Ransomware Prevention and Response Working Group) has found a number of BlackCat [1] ransomware attacks. BlackCat r……

A Comprehensive Analysis of the HijackLoader ——Analysis of the Typical Loader Family Series IV

Introduction to the Loader Series Analysis Report: With the development of network attack technology, the malicious code loader is becoming the key component of malici……

Continued Phishing Attempts Against Endpoint Targets——Recent Sample Analysis of the “BITTER” Attack Group

1. Overview: Since 2012, Antiy Security Research and Emergency Response Center (Antiy CERT) has been continuously paying attention to and analyzing cyber attack act……

The “SwimSnake” Cybercriminal Group Distributes Remote Control Trojans by Leveraging Counterfeit WPS Office Download Sites

1. Overview: Antiy CERT discovered that the “SwimSnake” cybercriminal group used a counterfeit WPS Office download site to spread remote control Trojans. If……

A Comprehensive Analysis of the SmokeLoader——Analysis of the Typical Loader Family Series III

Introduction to the Loader Series Analysis Report: With the development of network attack technology, the malicious code loader is becoming the key component of malici……

“SwimSnake” Cybercriminal Operations Rampant! Launch Special Inspection and Handling Immediately!

1. Overview: The “SwimSnake” cybercriminal group (also known as “Silver Fox”, “Valley Thief”, “UTG-Q-1000”, etc.) has be……

Hidden Threats: Analysis of Active “Poisoning” Incidents Disguised as Open-source Projects

1. Overview: In recent years, attacks that abuse trust in the open-source ecosystem by disguising malicious code as open-source projects on GitHub (“poisoning”) contin……

A Comprehensive Analysis of the DBatLoader Malicious Loader ——Analysis of Typical Loader Families II

1. Introduction: As cyberattack techniques continue to evolve, malicious code loaders have gradually become a key component of malicious code execution. Such loaders are ……

Analysis of a Group of Phishing Attacks by Taiwan’s “Green Spot” Attack Organization Using Open-source Remote Control Trojan

1. Overview: In the second half of 2024, Antiy Emergency Response Center tracked APT attacks by Green Spot against specific industry targets in China. The at……

8 High-risk Instructions! Counterfeit DeepSeek Can Actually Remotely Enable VNC Monitoring, and Your Phone May Become a Zombie

Recently, DeepSeek, a large domestic AI model, has gained widespread attention worldwide thanks to its outstanding performance, and at the same time has become a target ……

A Review of Active Ransomware Attack Organizations in 2024

1. Overview: Ransomware attacks have now become one of the major cyber security threats to organizations around the world, and have been used by attackers as a criminal ……

Analysis of Three Variants of the HailBot Botnet Attacking DeepSeek

1. Overview: Antiy CERT released the report “Analysis of Botnet Samples Related to Attacks on DeepSeek”, analyzing the two active botnet systems RapperBot a……

A Review of Active Mining Trojans in 2024

1. Overview: The mining Trojan uses various means to implant the mining program into the victim’s computer, and without the user’s knowledge, uses the comput……

Analysis of Botnet Samples Related to Attacks on Deepseek

1. Overview: Recently, the online service of DeepSeek, a domestic AI model, suffered a large-scale cyber attack, resulting in multiple service interruptions. This has attracted the attention of the domestic security industry. According to the monitoring report of Qianxin XLab, it was foun……

Special Series Analysis on Popular Malicious Loader Families – Part One | XLoader

1. Introduction: As cyberattack techniques continue to evolve, malicious code loaders have gradually become a key component of malicious code execution. Such loaders ar……

Recent Activity Analysis of the Outlaw Mining Botnet

1. Overview: Recently, Antiy CERT has detected a number of attacks by the Outlaw mining botnet, which was first discovered in 2018 and is mainly engaged in mining acti……

Phishing Download Websites Spread the “Swimming Snake” Threat, with Malicious Installers Hiding Remote Control Trojans

1. Overview: Since becoming active in the second half of 2022, the “Swimming Snake” cybercrime group (also known as “Silver Fox,” “Valley R……

Analysis of the InterLock Ransomware Attacking Group’s Situation

1. Overview: The InterLock ransomware attack group was discovered in September 2024. This group penetrates victims’ networks through various means such as phish……

Analysis of the Mining Trojan “app Miner” Activity

1. Overview: Recently, Antiy CERT detected a mining Trojan attack incident. This mining Trojan first appeared in March 2024 and has continuously updated its attack script……

Safeguarding China Operation (Part 5)——APT Capture, Analysis and Traceability

On the occasion of the 75th anniversary of the National Day, Antiy CERT has gathered and sorted out the historical work in security event handling, major event analysis, a……

Safeguarding China Operation (Part 4)——Mobile Security Threat Analysis, Response, and Disposal

On the occasion of the 75th anniversary of the National Day, Antiy CERT has gathered and sorted out the historical work in security event handling, major event analysis, a……

Safeguarding China Operation (Part 3)——Analysis and Judgment of Major Events and Response to High-Risk Vulnerabilities

On the occasion of the 75th anniversary of the National Day, Antiy CERT has gathered and sorted out the historical work in security event handling, major event analysis, a……

Safeguarding China Operation (Part 2)——Analysis, Response and Disposal of Black Market Activities Such as Ransomware

On the occasion of the 75th anniversary of the National Day, Antiy CERT has gathered and sorted out the historical work in security event handling, major event analysis, a……

Safeguarding China Operation (Part 1)——Analysis and Response to Major Worm and Botnet Events

On the occasion of the 75th anniversary of the National Day, Antiy CERT has gathered and sorted out the historical work in security event handling, major event analysis, a……

Innovative Breakthrough – Dedicated to China

At 10:00 a.m. on October 1, 2024, the first CPU architecture version of the VILLM was transplanted successfully and the internal test was completed. The model used activa……

Analysis and Research on the Pager Explosion Incident in Lebanon

Note: On the 17th, a large number of pagers exploded in Lebanon, and Antiy organized an analysis team to follow up, analyze and report the incident on the Internet, and……

Analysis of the Active RansomHub Ransomware Attacking Group Situation

1. Overview: The RansomHub ransomware attacking group was found in February 2024 and has continued to be active since its emergence, operating on a ransomware-as-a-servic……

Analysis of the Activity of “Black Myth Wukong Modifier” Spreading Malware

1. Overview: Recently, Antiy CERT has discovered the spread of malware by using the “Black Myth Wukong Modifier̶……

Risk Warning and Temporary Mitigation Tool for Windows Server RDL Remote Execution Vulnerability

1. Vulnerability overview: Microsoft in July fixed three Windows Server Remote Desktop Licensing Service (RDL) remote code execution vulnerabilities, identified as CVE-2……

Analysis Notes on CrowdStrike’s Library Loading and Rapid Upgrade Mechanism

In response to the large-scale Windows host blue-screen event caused by CrowdStrike, Antiy Cloud Security Center, Antiy CERT and Antiy Attack and Defense Laboratory released a long……

Antiy IEP EDR Emergency Response to a High-risk Input Method Vulnerability

1. Vulnerability overview: On August 1, 2024, a third-party input method was found to have a vulnerability that bypasses the login authentication of Windows 10 and Windows 11 ……

Ransomware Attack Organizations Review In the First Half of 2024

1. Overview: Ransomware is a highly destructive computer malware. In recent years, it has become one of the major cybersecurity threats to organizations around the world,……

Analysis of Attack Activities Disguised as CrowdStrike Repair Files

1. Overview: Recently, Windows operating system hosts using CrowdStrike’s endpoint security products encountered a serious system crash, namely the “Blue Scr……

A Technical Analysis of the CrowdStrike Global System Failure——Contemplating “Falcon’s Broken Wings”

1. Basic Situation and Impact of the Incident: Starting at noon on July 19, 2024, Beijing time, users in many parts of the world reported on social platforms such as X……

Nacos Remote Code Execution Vulnerability Risk Advisory

1. Vulnerability Overview: Nacos is a dynamic service discovery, configuration management and service management platform that makes it easier to build cloud-native appli……

FAQ About OpenSSH

1. What Is OpenSSH? Is It Widely Distributed? SSH (Secure Shell) is a secure network protocol used to securely transmit data between two untrusted hosts over an inse……

OpenSSH Remote Code Execution Vulnerability (CVE-2024-6387) Risk Alert

1. Vulnerability Description: OpenSSH is a set of secure network utilities based on the Secure Shell (SSH) protocol, which provides encryption to protect privacy and secu……

Analysis of Phishing Attack Activities Carried out by the SwimSnake Black Industry Gang Using Malicious Documents

1. Overview: The “SwimSnake” cybercrime gang has been active since the second half of 2022, launching a large number of phishing attacks and fraud acti……

Analysis of the”Nichan”Mining Trojan Activity

1. Overview: Recently, Antiy CERT discovered a new mining Trojan attack through network security monitoring. The mining Trojan began to appear in November 2023, and its……

Analysis of the Recent Attack Activities of the “SwimSnake” Black Industry

1. Overview: The “SwimSnake” cybercrime gang has been active since the second half of 2022, and has launched a large number of phishing attacks and fraud……

Fight Against the Bald Eagle in the Fog -RELAYING, COOPERATING AND SPECIFIC CONTRIBUTION

1. Overview: On February 12, 2024, SentinelOne, an American cybersecurity company, released a report entitled “China’s Cyber Revenge/Why the PRC Fails t……

Analysis of Attack Activities Spreading Data-Stealing Trojan via Github

1. Overview: Recently, Antiy CERT has detected an attack campaign that spreads data-stealing Trojans through GitHub. The attackers added malicious URLs to the requireme……

Antiy Annual Security Report 2023

1. Introduction: At the beginning of each year, it has long been the tradition of Antiy Security Research and Emergency Response Center (Antiy CERT) to analyze and ……

2023 Active Mining Trojan Review

1. Overview: Mining Trojans use various means to implant mining programs into victims’ computers, and use the computing power of victims’ computers to mine ……

2023 Active Ransomware Attack Organizations Review

1. Overview: Ransomware is a highly destructive computer Trojan program. In recent years, it has become one of the major cybersecurity threats to organizations arou……

Analysis of the Mac Remote Control Trojan Attack Activities Spread by the “Dark Mosquito” Black Industry Gang through Domestic Download Sites

1. Overview: Recently, Antiy CERT discovered a group of cases in which unofficial software download sites were used to poison and attack downstream users, and analyzed i……

Analysis and Review of the Ransomware Attack on Boeing——Analysis of the Threat Trend of Targeted Ransomware and Thoughts on Defense

1. Foreword: Around 2016, the mainstream form of ransomware threats gradually shifted from the spread of ransomware gangs or the widespread release of ransomware……

Analysis of Mirai Botnet Variant “Aquabot”

1. Overview: Recently, Antiy CERT has captured a new variant of the Mirai botnet, targeting MIPS, ARM, X86 and other architectures, infected targets with weak passwords a……

Analysis of Phishing Attack Incidents on Research Institutions in China by the “X-Elephant” Group

1. Overview: In the second half of 2023, Antiy CERT (Security Research and Emergency Response Center) found in daily mail monitoring that overseas APT attack organizat……

Using ARK Tool (ATool) To Remove the Typical Worm MyDoom

1. Overview: In the long-term monitoring of daily security events, Antiy CERT often captures a large number of MyDoom worm samples and phishing emails that spread the wor……

Analysis of LockBit Ransomware Samples and Considerations for Defense Against Targeted Ransomware

1. Overview: Recently, there has been an incident involving a financial institution falling victim to a ransomware attack. Information from various sources indicates a close asso……

Analysis of the Latest Attack Activities by the “Swimming Snake” Criminal Gang Targeting Financial Personnel and E-commerce Customer Service Staff

1. Overview: Recently, Antiy CERT has detected a new round of phishing attacks against financial personnel and customer services of small stores (such as Kuaishou, Douyin……

Analysis of Ransomware PLAY

1. Overview: Recently, Antiy CERT has monitored PLAY ransomware incidents that show an active trend. Play ransomware, also known as PlayCrypt, was developed and operated by t……

Analysis of Recent Activities of the WatchDog Mining Organization

1. Overview: Recently, Antiy CERT captured a batch of active WatchDog mining samples. This group primarily exploits exposed Docker Engine API endpoints and Redis servers ……

Special Analysis Report on the “SwimSnake” Cybercrime Group

1. Overview: The “SwimSnake” cybercrime group has been active since the second half of 2022, launching a large number of attacks against domestic users. This ……

Activity Analysis of Malicious Code Spread by the “SwimSnake” Cybercrime Group Using WeChat

1. Overview: The “SwimSnake” cybercrime group, also known as “Silver Fox” and “Guduo,” primarily spreads malicious programs through va……

Analysis Report on the Activities and Samples of the Commercial Data-Stealing Trojan ObserverStealer

1. Overview: Recently, Antiy CERT discovered a stealer Trojan called ObserverStealer being sold on multiple hacker forums. This stealer Trojan can steal browser data, u……

Konni Organization Suspected of Conducting Attack Activities Targeting South Korean Companies

1. Overview: Antiy CERT recently discovered an attack campaign by the APT group Konni. Based on the content of the decoy documents and previous attacks, we speculate that……

Be Wary of Ransomware Posing as Well-known Cybersecurity Companies – Sophos and Cylance

1. Overview: Recently, Antiy CERT (member of the CCTGA Ransomware Prevention and Response Working Group) discovered ransomware using the same name as the cybersecurity company Sophos [……

Analysis of Recent Phishing Attacks by the “Swimming Snake” Cybercrime Gang

1. Overview: Recently, Antiy CERT has monitored a new round of phishing attacks launched by the “Swimming Snake” cybercrime gang. In this round of attacks, the……

Analysis of Clipboard Hijackers Spread via Pirated System Image Resources

1. Overview: Recently, Antiy CERT has detected attacks propagating through system image download sites. The attacker drops the torrent resources into the image download stat……

Analysis of the aminer Mining Trojan Activity

1. aminer Mining Trojan: Recently, Antiy CERT captured a batch of active mining trojan samples through Attack Capture System [1]. This mining trojan mainly attacks the Li……

The “Quantum” System Penetrates Apple Phones——Analysis of Historical Samples of Equation Group Attacks on iOS Systems

1. Overview: A2PT Sample Puzzle Covering Smart Terminals. For over two decades, a major challenge facing global critical information infrastructure operators, security……

Analysis of the RecordBreaker Data-Stealing Trojan Spread via Video Websites

1. Attack Campaign Overview: Recently, Antiy CERT detected an attack campaign spreading through video websites. The attackers stole the accounts of video creators with ov……

Analysis of Akira Ransomware Suspected of Using Targeted Attack Patterns

1. Akira Ransomware Overview: Recently, Antiy CERT (a member of the CCTGA Ransomware Prevention and Response Working Group) discovered multiple Akira ransomware attacks. ……

Latest Attack Campaign by White Elephant Organization Using BADNEWS and Remcos Commercial Trojans

1. Overview: White Elephant is an APT organization with an Indian background. Its attack activities can be traced back to November 2009. Antiy named the organization W……

Analysis of the Large-scale Attack Activities Launched by the “Swimming Snake” Cybercrime Gang against Domestic Users

1. Overview of the gang: The “Swimming Snake” criminal gang has been active since the second half of 2022 and launched a large number of attacks against domes……

yayaya Miner Mining Trojan Analysis

1. Overview of the Active yayaya Mining Trojan: Recently, Antiy CERT captured a batch of active mining Trojan samples, which mainly used SSH weak password brute force to ……

Analysis of Phishing Activities That Deliver Qbot Banking Trojan Using XLL Files

1. Overview: Recently, Antiy CERT discovered a malicious activity that utilized malicious Microsoft Excel add-in (XLL) files to deliver the Qbot banking Trojan. The a……

Analysis of Phishing Activities Delivering Snake Keylogger via OneNote Documents

1. Overview: Recently, Antiy CERT has detected a phishing activity that uses OneNote documents to deliver the Snake Keylogger spyware. The attackers send phishing emails ……

Analysis of the Criminal Gang that Delivers Remote Trojans by Cloud Note-taking Platform

1. Overview: In the “Analysis of Attack Activities for Delivering Remote Trojans by Cloud Note-taking Platform,” [1], an attack activity was introduced by Ant……

Analysis of Attack Activities Using Cloud Note Platforms to Deliver Remote Access Trojans

1. Overview: Recently, Antiy CERT detected an attack activity that used a cloud note platform to deliver a remote access Trojan. The attacker hosted the remote access Tro……

DarkPink’s Attacks on Indonesia’s Foreign Ministry and the Philippines’ Military

1. Overview: Antiy CERT has recently detected multiple attacks by the APT group DarkPink against the Indonesian diplomatic department and the Philippine military departme……

Typical Mining Family Series Analysis 4 ——LemonDuck Mining Botnet

1. Introduction: With the rise of blockchain technology and virtual currencies such as cryptocurrencies in recent years, the open source of mining Trojans has lowered the……

Analysis of the Active Hoze Mining Trojan

1. Overview: Recently, Antiy CERT captured a batch of active hoze mining trojan samples through the Attack Capture System [1]. This mining trojan mainly attacks the Linux……

Analysis of Phishing Activities Using the GuLoader to deliver AgentTesla

1. Overview: In recent years, the AgentTesla Trojan has continued to be active, and Antiy CERT has repeatedly monitored attacks on domestic government, enterprise and i……

The Rattlesnake Organization Used Epidemic Themes to Launch Attacks against China

1. Overview: In November 2022, Antiy CERT found a case of spear-phishing mail from the India-linked Rattlesnake organization targeting a Chinese university. The at……

Analysis and Response to ATW’s Data Breach Incident in China

1. Overview: Since October 2021, a hacker group called “AgainstTheWest” (ATW) has attacked platforms such as SonarQube, Gitblit and Gogs, stealing codes and d……

Analysis of Attack Activities Using Spam to Spread Remote Control Trojans

1. Overview: Recently, the Harbin Institute of Technology and Antiy Joint CERT Labs has monitored multiple attacks using spam to spread remote control Trojans. Attackers ……

2022 Active Mining Trojan Review

1. Overview: Mining Trojans use various means to implant mining programs into victims’ computers, and use the computing power of victims’ computers to mine wi……

2022 Ransomware Trends Review

1. Overview: Ransomware is a type of highly destructive computer Trojan program. In recent years, ransomware has become one of the main cybersecurity threats faced by glo……

Typical Mining Family Series Analysis 3——Sysrv-hello Mining Worm

1. Introduction: With the rise of blockchain technology and virtual currencies such as cryptocurrencies in recent years, the open source of mining Trojans has lowered the……

2022 Antiy Annual Security Report

1. Advanced Persistent Threat (APT): The overall situation of global advanced persistent threat (APT) activities in 2022 remains very severe. Based on internal and extern……

Analysis of “Ferry” Trojan of the CNC Organization Targeting the Military Industry and Education Sector

1. Overview: Recently, Antiy CERT discovered two downloaders used by CNC while reviewing the group’s attack activities, one of which has the capability of ferry attack and uses the mobile……

“Eternity” Organization: A Continuously Active Commercial Arsenal

1. Overview: In May 2022, Antiy CERT released the report “The Active Jester Stealer Trojan and the Hacking Gang Behind It” [1], which not only analyzed a mali……

Typical Mining Organization Analysis Series II | TeamTNT Mining Organization

The original report is in Chinese, and this version is an AI-translated edition. 1. Introduction With the rise of blockchain technology and virtual currencies such as cryptocurrency in recent years, the open-sourcing of mining Trojans has reduced the co……

Analysis of Torii’s Remote-Controlled Cyber Attacks by the OceanLotus Organization

The original report is in Chinese, and this version is an AI-translated edition. 1. Overview Recently, Antiy CERT has captured a number of active remote-control Trojans targeting the Internet of Things, and the attackers behind them are not motivated by economic b……

Follow up Analysis of RedLine Stealer Trojan Spread Through Video Websites

The original report is in Chinese, and this version is an AI-translated edition. 1. Overview Since the release of the report “Analysis of RedLine Stealer Trojan Spread Through Video Websites” [1] in November 2021, Antiy has been keeping a……

Analysis of Typical Mining Family Series 1——Outlaw Mining Botnet

The original report is in Chinese, and this version is an AI-translated edition. 1. Introduction With the rise of blockchain technology and virtual currencies such as cryptocurrencies in recent years, the open-sourcing of mining Trojans has led to a de……

Analysis of Suspected Lazarus Organization’s Attack Activities Against South Korea

The original report is in Chinese, and this version is an AI-translated edition. 1. Overview Recently, Antiy CERT discovered an attack campaign targeting South Korea. The decoy document was titled “Sogang KLEC.docx” (Sogang University Kor……

Analysis of the Recent Cyber Attack Activities of the White Elephant Organization

1. Overview In late September 2022, Antiy CERT detected a series of cyberattacks carried out by the White Elephant organization. The attackers delivered decoy documents via malicious links; the documents primarily targeted research institutes and contained exploits for CVE-2……

2022 Popular Data-Stealing Trojans Review

The original report is in Chinese, and this version is an AI-translated edition. 1. Overview Data-stealing Trojans are malicious programs used to steal sensitive data from user systems. Attackers often deploy data-stealing Trojans through phishing, ……

Antiy Research Institute and Key Laboratory of Ministry of Education of Symbolic Computation and Knowledge Engineering, Jilin University Jointly Establish Joint Laboratory of Cyber Security Threat Knowledge Engineering

Antiy Research Institute and Key Laboratory of Ministry of Education of Symbolic Computation and Knowledge Engineering, Jilin University jointly establish Joint Laboratory of Cyber Security Threat Knowledge Engineering. Both sides will work together to promote the frontier research of knowledge en……

Analysis of Cyberattacks against the National Bank of Malawi

1. Overview Recently, Antiy CERT (Computer Emergency Response Team) found a number of samples of phishing email attacks against the National Bank of Malawi while handling related security incidents. The Republic of Malawi is a landlocked country in southeastern Africa with a land area of 118,000……

Antiy Released Technical Analysis of Industrial Control Malware TRISIS

1. Overview In August 2017, based on comprehensive intelligence research and judgment, Antiy listed TRISIS (also known as TRITON or HATMAN), a malware targeting industrial control systems, as a threat requiring focused analysis, and named it “TRISIS”. The malicious code w……

Be Aware of New Variant of AgentTesla Commercial Keylogger

1. Overview Recently, Antiy CERT discovered a new variant of the Agent Tesla commercial keylogger. Agent Tesla was originally a simple keylogger that recorded every keystroke of the user and sent it back to the attacker’s server. Since 2014, the developers have added more features to it, t……

Be Aware of FlawedAmmyy Remote Control Trojan Spread by Spam

1. Overview Recently, Antiy CERT (Computer Emergency Response Team) discovered a new type of remote access Trojan while sorting out network security incidents. The Trojan, detected as Trojan/Win32.RA-based, belongs to the “FlawedAmmyy” family and is a modified version of the remote control software Ammyy……

“GreenSpot” Operations Grow for Many Years

1. Overview In the past few years, various APT attacks against China have been monitored, analyzed and tracked by Antiy Labs, disclosing the activities and toolsets of many APT groups, such as “APT-TOCS” (http://www.antiy.com/response/APT-TOCS.html), “White Elephant”……

DON’T PANIC WHEN YOU RECEIVE A SCAM EMAIL FROM “YOURSELF”

1. Overview Antiy CERT has recently received feedback from customers who received scam emails from themselves, extorting bitcoin. Analysis of this event revealed that it is a new fraud that began in October. Since the sender addres……

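The scam above works because the From header is free text chosen by the sender. The following script, an added example and not part of the Antiy write-up, shows the checks an analyst or mail filter applies to such a message: it compares the From address with the recipient, with the envelope sender (Return-Path, the address SPF is evaluated on) and with the receiving MTA's Authentication-Results. The two messages and the domains in them are constructed for the demo.

```python
"""Flag a scam e-mail that appears to come from the recipient's own address.

Added example: the From header is free text chosen by the sender, so the
check is whether the envelope sender (Return-Path) and the receiving
MTA's Authentication-Results agree with it. Sample messages and domains
below are constructed placeholders.
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

_AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def auth_results(msg) -> dict:
    """Collapse every Authentication-Results header into {method: result}."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in _AUTH_RE.findall(str(hdr)):
            results.setdefault(method.lower(), verdict.lower())
    return results


def assess_self_sender(raw: bytes) -> dict:
    """Return the spoofing indicators for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    to_addr = parseaddr(str(msg.get("To", "")))[1].lower()
    envelope = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    auth = auth_results(msg)

    from_domain = from_addr.rpartition("@")[2]
    env_domain = envelope.rpartition("@")[2]
    indicators = {
        # The lure: the mail claims to be sent by the person who received it.
        "from_equals_recipient": bool(from_addr) and from_addr == to_addr,
        # SPF is evaluated on the envelope sender; a scammer rarely controls
        # a server that is allowed to send for the victim's domain.
        "envelope_domain_mismatch": bool(envelope) and env_domain != from_domain,
        "spf_not_pass": auth.get("spf", "none") != "pass",
        "dmarc_not_pass": auth.get("dmarc", "none") != "pass",
    }
    spoofed = indicators["from_equals_recipient"] and (
        indicators["envelope_domain_mismatch"]
        or indicators["spf_not_pass"]
        or indicators["dmarc_not_pass"]
    )
    return {"from": from_addr, "envelope_from": envelope, "auth": auth,
            "indicators": indicators, "spoofed_self_sender": spoofed}


# Constructed sample 1: the extortion mail, From forged to the victim's own address.
SCAM_MAIL = b"\r\n".join([
    b"Return-Path: <bounce-4711@mailer.example.net>",
    b"Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net;",
    b"\tdkim=none; dmarc=fail header.from=example.com",
    b"From: victim@example.com",
    b"To: victim@example.com",
    b"Subject: Your account was hacked",
    b"",
    b"I have full access to your mailbox. Pay 0.5 BTC within 48 hours.",
])

# Constructed sample 2: a note the user genuinely sent to themselves.
SELF_NOTE = b"\r\n".join([
    b"Return-Path: <victim@example.com>",
    b"Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;",
    b"\tdkim=pass header.d=example.com; dmarc=pass header.from=example.com",
    b"From: victim@example.com",
    b"To: victim@example.com",
    b"Subject: reminder",
    b"",
    b"Renew the domain on Friday.",
])

if __name__ == "__main__":
    for name, raw in (("scam", SCAM_MAIL), ("self-note", SELF_NOTE)):
        print(name, assess_self_sender(raw))
```

A message addressed to oneself is not suspicious on its own (people mail themselves reminders), which is why the verdict also requires the envelope domain to differ or SPF/DMARC to fail; in production the Authentication-Results header must come from your own MTA, since an attacker can insert a forged one upstream.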
The Application Case of Antiy Provincial Situational Awareness Platform Won the Excellence Award of “2018 Network Security Solution”

2018 China Cybersecurity Week is in full swing throughout the country. At the “Network Security Standards and Industry Sub-forum” in the Chengdu conference area on September 18, the Heilongjiang provincial network security situational awareness and emergency disposal platform (or situational awareness……

Technical Analysis of Industrial Control Malware TRISIS

Antiy CERT 1. Overview In August 2017, based on comprehensive intelligence research and judgment, the Antiy Computer Emergency Response Team (Antiy CERT) analyzed the malware TRISIS (also known as TRITON, HATMAN) that targeted industrial control……

A Hidden Way of Malware on Android

Background In the Android operating system, an APK is a ZIP-format file that contains several ordinary files and executable files. In a normal APK file, the compressed root directory includes a DEX executable file named classes.dex, and it may contain one shared object file or several shared object fi……

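Because an APK is just a ZIP archive with a conventional layout, the first triage step is to inventory its executable content by file magic rather than by file name. The script below is an added example, not code from the Antiy article: it opens an APK, classifies every entry that starts with DEX or ELF magic, and reports code that sits outside the expected locations (classes*.dex at the root, lib/<abi>/*.so) as well as entries whose name appears twice in the archive. The sample archive is built in memory with stub headers, not real code.

```python
"""Inventory the executable content of an APK by file magic, not file name.

Added example: an APK is a ZIP archive whose root normally holds
classes.dex (plus classes2.dex, ...) and whose native code sits under
lib/<abi>/*.so. Code stored anywhere else, or a duplicated entry name,
is what this scan surfaces. The sample archive is constructed in memory;
its DEX and ELF payloads are stub headers, not real code.
"""
import io
import re
import warnings
import zipfile

DEX_MAGIC = b"dex\n"          # followed by the version, e.g. "035\0"
ELF_MAGIC = b"\x7fELF"
_DEX_NAME = re.compile(r"^classes\d*\.dex$")
_SO_NAME = re.compile(r"^lib/[^/]+/[^/]+\.so$")


def inventory_apk(apk_bytes: bytes) -> dict:
    """Classify every archive entry that starts with DEX or ELF magic."""
    expected, hidden, duplicates, seen = [], [], [], set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name in seen:
                duplicates.append(name)   # two central-directory entries, one name
            seen.add(name)
            if info.is_dir():
                continue
            with zf.open(info) as fh:     # ZipInfo selects this entry, not the last by name
                head = fh.read(8)
            if head.startswith(DEX_MAGIC):
                kind, in_place = "dex", bool(_DEX_NAME.match(name))
            elif head.startswith(ELF_MAGIC):
                kind, in_place = "elf", bool(_SO_NAME.match(name))
            else:
                continue
            (expected if in_place else hidden).append((name, kind))
    return {"expected_code": expected, "hidden_code": hidden, "duplicates": duplicates}


def build_sample_apk() -> bytes:
    """Constructed APK-like archive: normal code, a DEX hidden in assets/, a duplicate name."""
    buf = io.BytesIO()
    with warnings.catch_warnings(), zipfile.ZipFile(buf, "w") as zf:
        warnings.simplefilter("ignore")          # zipfile warns about the duplicate name
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 32)
        zf.writestr("lib/armeabi-v7a/libnative.so", ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 32)
        zf.writestr("assets/config.dat", DEX_MAGIC + b"035\x00" + b"\x00" * 32)   # DEX posing as data
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x01" * 32)         # second entry, same name
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in inventory_apk(build_sample_apk()).items():
        print(key, value)
```

Reading the first eight bytes of each entry is cheap even for large APKs, and checking by magic catches both a DEX renamed to a data extension and a native library stored outside lib/; the duplicate-name check matters because the installer and a naive analysis tool may not agree on which of two same-named entries is the real one.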
Challenge Caused by DLL Hijacking Malware against Active Defense Technology

Malware exploiting DLL hijacking, a technique that appeared in 2000, has now begun to abuse legitimately signed software to defeat active defense. This method has become more and more popular……

The Encoding Rules about Floating-point Instruction

Recently, while extracting opcodes from samples, we found that some samples use floating-point instructions. The existing disassembler has no support for floating-point instructions, so the support needs to be added. However, we have some d……

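The encoding the note refers to is regular once the ModRM byte is taken into account: every x87 instruction is a one-byte escape opcode in the range D8..DF followed by ModRM; with mod != 11 the reg field selects the operation and rm/SIB/displacement are decoded exactly as for integer instructions, while with mod == 11 the opcode and the whole ModRM byte together name a register-form instruction. The decoder below is an added example, not the disassembler from the article; it assumes 32-bit address size (no 0x67 prefix, no REX), carries the complete memory-form table and a subset of the register forms, and decodes the constructed byte sequence at the end.

```python
"""Decode x87 floating-point instructions (escape opcodes D8..DF).

Added example: assumes 32-bit address size and decodes a block of
consecutive x87 instructions. The memory-form table is complete; the
register-form table covers common instructions and falls back to a
generic label. SAMPLE is a constructed byte sequence.
"""

# Memory forms: opcode -> mnemonic chosen by ModRM.reg (None = undefined).
_MEM_FORMS = {
    0xD8: ["FADD m32fp", "FMUL m32fp", "FCOM m32fp", "FCOMP m32fp",
           "FSUB m32fp", "FSUBR m32fp", "FDIV m32fp", "FDIVR m32fp"],
    0xD9: ["FLD m32fp", None, "FST m32fp", "FSTP m32fp",
           "FLDENV", "FLDCW m16", "FNSTENV", "FNSTCW m16"],
    0xDA: ["FIADD m32int", "FIMUL m32int", "FICOM m32int", "FICOMP m32int",
           "FISUB m32int", "FISUBR m32int", "FIDIV m32int", "FIDIVR m32int"],
    0xDB: ["FILD m32int", "FISTTP m32int", "FIST m32int", "FISTP m32int",
           None, "FLD m80fp", None, "FSTP m80fp"],
    0xDC: ["FADD m64fp", "FMUL m64fp", "FCOM m64fp", "FCOMP m64fp",
           "FSUB m64fp", "FSUBR m64fp", "FDIV m64fp", "FDIVR m64fp"],
    0xDD: ["FLD m64fp", "FISTTP m64int", "FST m64fp", "FSTP m64fp",
           "FRSTOR", None, "FNSAVE", "FNSTSW m16"],
    0xDE: ["FIADD m16int", "FIMUL m16int", "FICOM m16int", "FICOMP m16int",
           "FISUB m16int", "FISUBR m16int", "FIDIV m16int", "FIDIVR m16int"],
    0xDF: ["FILD m16int", "FISTTP m16int", "FIST m16int", "FISTP m16int",
           "FBLD m80bcd", "FILD m64int", "FBSTP m80bcd", "FISTP m64int"],
}

# Register forms: exact (opcode, ModRM) pairs, then ST(i) ranges base..base+7.
_REG_EXACT = {
    (0xD9, 0xE0): "FCHS", (0xD9, 0xE1): "FABS", (0xD9, 0xE8): "FLD1",
    (0xD9, 0xEE): "FLDZ", (0xD9, 0xFA): "FSQRT", (0xDE, 0xD9): "FCOMPP",
    (0xDB, 0xE2): "FNCLEX", (0xDB, 0xE3): "FNINIT", (0xDF, 0xE0): "FNSTSW AX",
}
_REG_RANGES = [
    (0xD8, 0xC0, "FADD ST,ST({i})"), (0xD8, 0xC8, "FMUL ST,ST({i})"),
    (0xD9, 0xC0, "FLD ST({i})"), (0xD9, 0xC8, "FXCH ST({i})"),
    (0xDD, 0xD8, "FSTP ST({i})"),
    (0xDE, 0xC0, "FADDP ST({i}),ST"), (0xDE, 0xC8, "FMULP ST({i}),ST"),
]


def decode_x87(code: bytes, pos: int = 0) -> dict:
    """Decode one x87 instruction at code[pos]; returns its mnemonic and length."""
    op, modrm = code[pos], code[pos + 1]
    if not 0xD8 <= op <= 0xDF:
        raise ValueError(f"0x{op:02X} is not an x87 escape opcode")
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7

    if mod == 3:                                   # register form: opcode + whole ModRM
        mnem = _REG_EXACT.get((op, modrm))
        if mnem is None:
            for r_op, base, fmt in _REG_RANGES:
                if r_op == op and base <= modrm < base + 8:
                    mnem = fmt.format(i=modrm - base)
                    break
        return {"mnemonic": mnem or f"x87 reg-form {op:02X} {modrm:02X}", "length": 2}

    length = 2                                     # opcode + ModRM
    if rm == 4:                                    # SIB byte follows
        sib = code[pos + 2]
        length += 1
        disp = 4 if (mod == 0 and (sib & 7) == 5) else 0   # base=101, mod=00: disp32 only
    else:
        disp = 4 if (mod == 0 and rm == 5) else 0          # [disp32] absolute
    if mod == 1:
        disp = 1
    elif mod == 2:
        disp = 4
    mnem = _MEM_FORMS[op][reg]
    return {"mnemonic": mnem or "undefined", "length": length + disp}


def decode_block(code: bytes) -> list:
    """Decode consecutive x87 instructions until the buffer is exhausted."""
    out, pos = [], 0
    while pos < len(code):
        ins = decode_x87(code, pos)
        out.append((pos, ins["mnemonic"], ins["length"]))
        pos += ins["length"]
    return out


# Constructed sample: load a global, add a stack slot, pop-add, push zero,
# store a local, read the status word.
SAMPLE = bytes.fromhex(
    "D905 10204000"   # FLD dword ptr [0x00402010]  (mod=00 rm=101 -> disp32)
    "D844 24 08"      # FADD dword ptr [esp+8]      (SIB + disp8)
    "DEC1"            # FADDP ST(1),ST
    "D9EE"            # FLDZ
    "DD5D F8"         # FSTP qword ptr [ebp-8]      (disp8)
    "DFE0"            # FNSTSW AX
)

if __name__ == "__main__":
    for offset, mnemonic, length in decode_block(SAMPLE):
        print(f"{offset:02X}: {mnemonic} ({length} bytes)")
```

The point for opcode extraction is that instruction length never depends on the mnemonic: once the addressing fields are decoded, the x87 escape opcodes can be walked like any other ModRM instruction, and the mnemonic is a table lookup on (opcode, reg) or (opcode, ModRM).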
Processor Class A Vulnerability Meltdown and Spectre FAQ

After Antiy released the “Processor Class A Vulnerability Meltdown and Spectre Analysis Report” [2] on January 4 and January 5, some users asked about the impact of the Class A vulnerability event, methods and how to detect the problem, thus i……

“Meltdown” in the Eyes of a Hardware Security Engineer

This article is written by Doctor Tbsoft of the Antiy Micro-electronics and Embedded Technology R&D Center. Modern Computer Architecture and CPU Microarchitecture Modern computer architecture is basically based on the von Neumann archit……

2017 GLOBAL BOTNET DDOS ATTACK THREAT REPORT

Antiy Capture Wind Team & Telecom Yundi 1. Overview This report was jointly released by the Antiy Honeynet Capture Group and China Telecom DamDDoS. Based on monitoring data from ACS (Antiy Capture System) and Telecom DamDDoS, it mainly focuses on DDoS att……

Update: Herds of Elephants Attacking over Everest

Antiy CERT Draft: 17:00, July 1, 2017 Published: 18:00, July 9, 2017 Updated: 16:00, Dec. 29, 2017 Abstract: Antiy publishes a reserve report, which analyzes the attacking background from multiple groups and ponders over the scientifi……

COMPREHENSIVE ANALYTICAL REPORT ON THE MAJOR VULNERABILITY DISCOVERED IN WPA2 WI-FI SECURITY PROTOCOL

Draft: 22:08, October 17, 2017 Published: 12:00, October 23, 2017 Updated: 12:00, October 23, 2017 1 Overview On October 15, Mathy Vanhoef, postdoctoral secu……

IN-DEPTH ANALYSIS REPORT ON WANNACRY RANSOMWARE

Antiy CERT Draft: May 13, 2017 05:38 Published: May 13, 2017 05:38 Updated: June 6, 2017 19:00 1 Overview On May 12, 2017 (8 p.m.), Antiy CERT found that large-scale ransomware infection incidents had broken out. As of May 13 (11 p.m.), the infe……

Antiy Responses to Ransomware WannaCry FAQ 3

Antiy CERT 1. Why is WannaCry named “魔窟” in Chinese? After the outbreak of the WannaCry ransomware, several versions of a Chinese name for the ransomware appeared, such as “香菇” and “不哭”, but these names cannot reflect the relat……

Antiy Responses to Ransomware WannaCry FAQ 2

Antiy CERT 1. I found that someone said the author of the ransomware “WannaCry” suddenly apologized and released the main decryption key that can decrypt encrypted documents on the Internet. Is this true? False. It is the main key of ransomware……

Antiy Responses to Ransomware WannaCry FAQ 1

(Antiy CERT) This morning (May 13), Antiy released the report “Antiy Takes Emergency Response to the Global Outbreak of Ransomware WannaCry”. Many customers have questions related to this event, so we put the high-frequency ones together in……

New Ransomware Breaks Out Globally, Antiy Releases Emergency Analysis and Solutions

On May 12, 2017 (Beijing time), a large-scale global ransomware outbreak began at about 8:00 p.m. According to BBC news, this ransomware appeared in many parts of the world today; users must pay a high ransom (in Bitcoin) to decrypt their data, and a number of hospitals in the UK……

ANALYSIS OF GENERIC PASSWORD FOUND IN CRYPTKEEPER

Antiy CERT Draft: February 02, 2017, 15:00 Published: February 02, 2017, 15:00 Updated: February 02, 2017, 15:00 Background On January 31, 2017, an article entitled “Cryptkeeper Linux Encryption App Fails at Job, Has One Letter Skeleton Key -……

THE ANALYSIS OF EQUATION DRUG —THE FOURTH ANALYSIS REPORT OF EQUATION GROUP

Antiy CERT Draft: January 13, 2017 16:00 Published: January 16, 2017 10:00 Updated: January 25, 2017 14:30 Words for This Version On the basis of previously published reports, Antiy CERT has provid……

FROM EQUATION TO EQUATIONS

Revealing the multi-platform operational capability of Equation Group Antiy CERT Draft: Jan. 15, 2014 16:43 (UTC+8) Published: Nov. 4, 2016 10:00 (UTC+8) Updated: Nov. 4, 2016 13:00 (UTC+8) 1 Background From February 2015, An……

The Dances of White Elephant – A Cyber Attack from South Asian Subcontinent

Antiy CERT First version: 17:00, July 1, 2016 First release: 10:00, July 10, 2016 Updated version: 15:00, July 18, 2016 1 Overview During the past four years, engineers from Antiy Labs have paid clos……

TECHNOLOGICAL AND CHARACTERISTIC ANALYSIS OF NEW VARIANT OF RANSOMWARE FAMILY TESLACRYPT

Antiy CERT First Edition: 17:44, Apr. 7, 2016 Pub Date: 14:23, Apr. 8, 2016 Update: 10:07, Apr. 8, 2016 1 Introduction Antiy CERT recently found a new variant of the ransomware TeslaCrypt, named TeslaCrypt……

Comprehensive Analysis Report on Ukraine Power System Attacks

1 Event Overview On December 23, 2015, the Ukrainian power sector suffered malware attacks. Ukrainian news media TSN reported on the 24th: “At least three power regions were attacked, leading to hours of blackou……

FIRST BITCOIN RANSOMWARE WITH CHINESE PROMPTS “LOCKY”

Antiy CERT First Edition: 9:26, Feb. 18, 2016 Pub Date: 14:04, Feb. 19, 2016 Update: 14:04, Feb. 19, 2016 1 Introduction Antiy CERT found a new kind of ransomware named “Locky” that can encrypt more than 100……

2015 Network Security Retrospect and Prospect

2015 Antiy Annual Security Report Antiy CERT First Edition: 14:21, Dec 8, 2015 Pub Date: 09:00, Jan 7, 2016 Update: 17:30, Jan 7, 2016 Contents: Introduction; The Layered APT; Th……

A TROJAN THAT CAN MODIFY THE HARD DISK FIRMWARE ——A Discovery to the Attack Components of the EQUATION Group

Antiy Labs Time of the first version: 10:00 a.m. March 5, 2015 The updated time of this version: 09:45 a.m. March 9, 2015 1. Background According to the emergency study, An……

An Analysis on the Principle of CVE-2015-8651

Antiy PTA Team 0x00 Preface On December 28, 2015, Adobe issued a security announcement stating that it had patched 19 vulnerabilities at once. The vulnerability CVE-2015-8651, submitted by Huawei’s security research department, was mentioned in t……

AN ANALYSIS REPORT OF DDOS SAMPLE WITH THE DIGITAL SIGNATURE

By Antiy PTA Team 1 Overview Recently, a malicious DDoS program with an expired signature was detected by the Antiy PTA team through the situation awareness system. The digital signature of the sample was stolen from NHN USA I……

AN ANALYSIS ON TARGETED TROJAN ATTACK WITH “INTERVIEW” AS A SOCIAL ENGINEERING TOOL

By Antiy CERT First release: December 3, 2015, 10:21 Update: December 5, 2015, 5:21 1. Overview On the evening of December 2, 2015, the Antiy early-warning monitoring system detected the……

AN ANALYSIS REPORT OF BLACKMAILER TROJAN SPREAD BY EMAILING JS SCRIPT

By Antiy PTA Group First draft: December 4, 2015, 11:11 1 Introduction An email carrying a new blackmailer (ransomware) variant with new transmission characteristics was captured by the Antiy Threat Situational Awareness System on Decembe……

Analysis and Review of Xcode Unofficial Supply Chain Pollution Incident (XcodeGhost)

AVL TEAM & ANTIY CERT First release time: Sep. 20, 2015, 22:00 Updating time: Sep. 30, 2015, 8:41 Abstract Xcode is the integrated development environment (IDE) running on Mac OS……

A LARGE NUMBER OF SERVERS BY HFS ARE EXPLOITED TO SPREAD MALWARE

Antiy CERT First publish time: 17:00, Sep 15, 2015. Update time: 17:00, Sep 15, 2015. 1 Introduction Recently, Antiy’s third-generation Honeypot Wind-capture System captured a downloader sample. After the s……

UNCOVERING THE FACE OF RANSOMWARE

Antiy CERT 1 Introduction With ransomware posing more and more security threats recently, researchers from Antiy Labs felt obliged to investigate them and uncover the face of ransomware. In September 2013, SecureWorks, the threat response departmen……

Association Analysis on Some Group Mail Samples Using Social Engineering Techniques

Antiy Labs First release time: 16:37, April 28, 2015 Update time of this version: 16:37, May 27, 2015 Contents 1 Background 2 Analysis of E-mail 2.1 Extraction of Metadata of the……

ANALYSIS ON AN APT-TO-BE ATTACK FOCUSING ON CHINA’S GOVERNMENT AGENCY

Antiy CERT First release time: 14:32, May 27, 2015 Updated time of this version: 14:32, May 27, 2015 Contents 1 Background 2 Analysis on incident sample 2.1 Leading files and……

COMPREHENSIVE ANALYSIS REPORT ON TROJAN/ANDROID.EMIAL.AS[RMT,PRV,EXP], “PHOTO ALBUM”

AVL Mobile Security Team of Antiy First Release Time: 15:02 May 15, 2015 Update Time of This Version: 21:13 May 15, 2015 Current Latest Version: V2.1 1 Overvie……

Analysis on the Encryption Techniques of EQUATION Components

First Edition: April 16, 2015 Second Update Version: April 18, 2015 The Antiy analysis team started the analysis of “EQUATION” in February 2015. After the first report, the subsequent analysis made little further progress or highlight. Based on this situat……

Analysis on DDoS Attack Organization- “Chicken_mm”

ShadowHunter Team of Antiy Labs Abstract This article focuses on a cross-platform DDoS attack organization called “Chicken_mm” and gives an analysis. DDoS tools developed by this organization use SSH weak passwords and server vulnerabilities to control many compromised Linux hosts (“chickens”)……

Review of the Year of 2014, the Moment of Network Security

——The annual report of network security in 2014 Security Research and Emergency Response Center of Antiy Labs Contents 1 PROLOGUE 2 APT 3 SEVERE VULNERABILITIES 4 THE GENERALIZATION AND DISTRIBUTION OF SECURITY THREATS 5 DATA BREACH 6 MALWARE ON PC PLATFORM 7 THE STATISTICS OF MAL……

The Remote Execution Vulnerability of IIS Reoccurred: Watch out for the New Codered

Security Research and Emergency Response Center of Antiy Labs Release: 00:37, April 16, 2015 Latest version: 08:10, April 16, 2015 Introduction to the vulnerability Microsoft patched several vulnerabilities in April 2015, involving Windows, Office, IE, IIS and so on. The amounts……

A COMPREHENSIVE ANALYSIS REPORT ON SANDWORM-RELATED THREATS (CVE-2014-4114)_V0.7——and Analysis on the Problem Detected by ShadowBox

Security Research and Emergency Response Center of Antiy Labs First Release Time: 21:40 Oct. 15, 2014 Update Time of This Version: 14:30 Oct. 24, 2014……

The Association Threat Evolution of Bash and The Current Status of Malware in UNIX-Like System_V1.7 ——Series Three of Bash Shellshock Analysis

Security Research and Emergency Response Center of Antiy Labs First Release Time: 10:00, October 9, 2014 Update Time of This Version: 17:10, October 14, 20……

The Analysis Report About Relevant Malware Samples of Shellshock _V1.9 ——Series Two of Bash Shellshock

Security Research and Emergency Response Center of Antiy Labs First Release Time: 17:00, September 29, 2014 Update Time of This Version: 9:30, October 19, 2014 Contents 1 Outli……

A Comprehensive Analysis on Bash Shellshock (CVE-2014-6271)_V1.53 ——Series One of Bash Shellshock Analysis

Security Research and Emergency Response Center of Antiy Labs First Release Time: 10:00, September 25, 2014 Update Time of This Version: 11:20, October 13, 2014……

A Comprehensive Analysis on Bash Shellshock (CVE-2014-6271)

First Release Time: 10:00, September 25, 2014 Update Time: 13:20, September 29, 2014 On September 24, 2014, a remote code execution vulnerability in Bash was announced; the Security Research and Emergency Response Center of Antiy Labs (Antiy CERT) determined, according to the information at th……

AVL SDK for Mobile Has Won the Security Award from AV-TEST

The world’s top security software certification authority, AV-TEST, announced on February 11 (local time in Germany) the winners of the AV-TEST AWARD 2013, which includes 5 awards on mobile platforms and traditional Windows platforms. AVL SDK for Mobile by Antiy Labs won the award of &……

Anti-Virtual Machine and Anti-Sandbox in Malware

With the development of APT confrontation technology, virtualization is often used to detect unknown malware during analysis. Some security vendors at the RSA Conference also use this technology for anti-APT analysis; what’s more, traditional antivirus vendors and botnet tracking te……

Specification of Malicious URL

With the rapid development of the Internet in recent years, malware is very prevalent and brings severe threats to users. Most kinds of malware depend on URLs as the transmission carrier for control or propagation in order to sustain themselves. Therefore, whether a URL is safe or not has a huge effect……

The Latest APT Attack Exploiting the CVE-2012-0158 Vulnerability

File-format overflow vulnerabilities are often exploited in APT attacks. Among such vulnerabilities, CVE-2012-0158 was the most commonly used one in the past year. Generally, the carrier of this vulnerability is a Rich Text Format (RTF) file, whose internal data is stored as a hexadecimal stri……

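The hexadecimal encoding mentioned above is what makes such RTF exploit documents opaque to a plain string search: the embedded object lives inside an \objdata group as hex text wrapped across lines, and decoding it yields an OLE 1.0 wrapper (the MS-OLEDS ObjectHeader) whose NativeData, for a compound-file object, starts with the signature D0 CF 11 E0 A1 B1 1A E1. The script below is an added example, not code from the Antiy article: it pulls the hex runs out of each \objdata group, decodes them, parses the OLE 1.0 header and reports the class name, size and whether the payload is a compound file. The RTF it processes is constructed for the demo with a stub payload, not an exploit.

```python
"""Pull hex-encoded embedded objects out of an RTF file and identify them.

Added example: RTF carries an embedded OLE object inside a \\objdata group
as hexadecimal text. Decoding it gives an OLE 1.0 wrapper (MS-OLEDS
ObjectHeader + NativeData). The RTF produced by build_sample_rtf() is
constructed for the demo and carries a stub payload.
"""
import re

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"     # compound-file signature

_OBJDATA_RE = re.compile(rb"\\objdata\b([^}]*)")     # group body up to its closing brace
_CONTROL_RE = re.compile(rb"\\[a-zA-Z]+-?\d* ?")      # stray control words inside the group
_HEX_RE = re.compile(rb"[0-9A-Fa-f]+")


def extract_objdata(rtf: bytes) -> list:
    """Return the decoded bytes of every \\objdata group in the RTF."""
    objects = []
    for m in _OBJDATA_RE.finditer(rtf):
        body = _CONTROL_RE.sub(b"", m.group(1))
        digits = b"".join(_HEX_RE.findall(body))     # CR/LF line wrapping is dropped here
        digits = digits[: len(digits) & ~1]           # ignore a dangling nibble
        if digits:
            objects.append(bytes.fromhex(digits.decode("ascii")))
    return objects


def parse_ole1(data: bytes) -> dict:
    """Parse the OLE 1.0 ObjectHeader and, for FormatID 2 (embedded), the NativeData."""
    pos = 0

    def u32() -> int:
        nonlocal pos
        if pos + 4 > len(data):
            raise ValueError("truncated OLE1 header")
        value = int.from_bytes(data[pos:pos + 4], "little")
        pos += 4
        return value

    def lpstr() -> str:                               # LengthPrefixedAnsiString
        nonlocal pos
        n = u32()
        s = data[pos:pos + n]
        pos += n
        return s.rstrip(b"\x00").decode("latin-1")

    version, fmt = u32(), u32()
    class_name, topic, item = lpstr(), lpstr(), lpstr()
    size = u32() if fmt == 2 else 0
    native = data[pos:pos + size]
    return {"ole_version": version, "format_id": fmt, "class_name": class_name,
            "native_size": size, "native": native}


def triage(rtf: bytes) -> list:
    """Summarise each embedded object: class name, size, compound-file or not."""
    report = []
    for blob in extract_objdata(rtf):
        obj = parse_ole1(blob)
        report.append({"class_name": obj["class_name"],
                       "native_size": obj["native_size"],
                       "is_ole2": obj["native"].startswith(OLE2_MAGIC)})
    return report


def build_sample_rtf() -> bytes:
    """Constructed RTF with one embedded object whose NativeData is a stub compound file."""
    native = OLE2_MAGIC + b"\x00" * 24
    cls = b"Package\x00"
    wrapper = (b"\x01\x05\x00\x00"                          # OLEVersion
               + (2).to_bytes(4, "little")                  # FormatID 2 = embedded object
               + len(cls).to_bytes(4, "little") + cls       # ClassName
               + b"\x00\x00\x00\x00" * 2                    # empty TopicName / ItemName
               + len(native).to_bytes(4, "little") + native)
    hex_text = wrapper.hex().encode("ascii")
    wrapped = b"\r\n".join(hex_text[i:i + 64] for i in range(0, len(hex_text), 64))
    return (b"{\\rtf1\\ansi\r\n{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata \r\n"
            + wrapped + b"\r\n}{\\result {\\pict}}}\r\n}")


if __name__ == "__main__":
    print(triage(build_sample_rtf()))
```

Real exploit documents add obfuscation on top of this layout (control words and whitespace interleaved with the hex, oversized or undersized length fields), which is why the decoder strips control words before collecting hex digits and bounds-checks the header; a class name or a NativeData signature that does not match the object the document claims to embed is the first thing to look at.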
Analysis of Android Spyware

Being portable, smart terminals such as mobile phones combine privacy information such as the user’s current location, contacts and communication records in one device. Based on this feature, some applications have developed tracking and information-monitoring functions to satisf……

Analysis of a Sample Spread by New IE Zero-day (CVE-2012-4969)

On September 17, 2012, the security researcher Eric Romang published an article, Zero-Day Season Is Really Not Over Yet [1], on his blog, revealing a new IE zero-day vulnerability. This vulnerability became a top topic and Microsoft has published a patch for it [2]. Antiy CERT a……

Bitcoin Miner Malware

What is Bitcoin? Bitcoin [1] is a kind of digital currency generated by open-source P2P software. It cannot be frozen or traced, is not taxed and has low transaction costs. It can also be redeemed for real cash value according to the current exchange rate as sho……

The Protection Mechanism and Removal Strategy of SMSZombie

Introduction In recent days, many security vendors such as TrustGo and Symantec have tracked and analyzed this malware. More attention has been paid to its malicious behaviors (see references). The malware lures a user into installing it with pornographic pictures or wallpaper ap……

Analysis on the Flame

It is the first time we have faced such a situation: our research team has been analyzing the Flame worm for almost a month and plans to continue. When Stuxnet broke out, we attempted to carry out long-term analysis, but due to certain limits we stopped after 10 days. After……

Analysis of Android Trojan Gapp

The analysis report of the Gapp trojan can be downloaded from here.

Comprehensive Analysis of the Carrier IQ’s Products

Background Recently, Android developer Trevor Eckhart found that Carrier IQ software could gather users’ private information. The software is pre-installed on phones by Carrier IQ and wireless carriers. Carrier IQ officially claims: “Carrier IQ is the leading provider of Mobile Service Intelligenc……

34 Repackaged Android Applications are Found in Official Market

On May 30, software with embedded malware appeared on the official Android Market. On June 2, according to statistics from multiple parties, there were 34 infected applications uploaded via 6 developer accounts (see the Appendix). It was reported that 30,000 to 120,000 users had downloaded the sof……

Vulnerabilities Found in Industrial Control Systems from Different Vendors

According to an alert published by US-CERT’s control system security team, 36 remotely exploitable vulnerabilities were found this week. Several SCADA products of Siemens, Iconics, 7-Technologies and RealFlex Technologies, as well as human-machine interface products of BroadWin, are affected. Currently……

Temporary Solution for Adobe Zero-day Vulnerability (CVE-2011-0609)

On March 16, 2011, Antiy CERT intercepted a malware sample targeting a vulnerability in Adobe products. Antiy engineers have confirmed that the vulnerability is being widely exploited. Attackers can send an Excel (.xls) document with an embedded Flash (.swf) file as an attachment. If users open th……

Analysis of Android Trojan Adrd

The Trojan ADRD (aka HongTouTou), spreading through a number of forums and download sites, has been embedded into more than 10 legitimate applications. It can start several system services. It can also upload the infected phone’s information (IMEI, IMSI and version) to the control server every 6 hours and……

Report on the Worm Stuxnet Attack

Recently, numerous news media have reported on the Stuxnet worm incident. Described as a “super weapon” and “Pandora’s Box”, it attacked Siemens’ SIMATIC WinCC SCADA systems. The Stuxnet worm erupted in July this year. It utilizes at least four Microsoft operating system vulnerabilities, in……