Author: Sabrina Berkenkopf, Matthias Meyer

The recent case of malware distribution via Google AdSense advertising banners is an arresting example of how quickly a huge number of websites across the world can become embroiled in cyber attacks. A supplier of the advertising network has apparently been compromised. The attackers deployed the Nuclear exploit kit with the aim of infecting millions of users with malware. Since mid-March, Nuclear has been using an exploit for a fairly new security hole in Adobe Flash Player that has evidently not yet been patched on many computers. The innovative G DATA Exploit Protection has been preventing these attacks since the outset. ... read more

The Andromeda/Gamarue botnet is on the rise again

Attackers use complex multi-stage macro dropper to deliver malware
Author: Paul Rascagnères

Attacks carried out with documents pepped up with macros seem to be coming into vogue again. G DATA’s security experts have analyzed several cases within the last weeks in which active content in documents triggers an infection. The experts explain two different approaches to the same current goal: infect the user with malware that enlists the machine as a zombie PC in the Andromeda/Gamarue botnet. ... read more

Casper: the newest member of the cartoon malware family

Third malware connected to CSEC Snowden leaks now comes with modular structure
Author: Sabrina Berkenkopf

Casper is considered to be EvilBunny’s and Babar’s successor, believed to originate from the same group of programmers, possibly connected to a French intelligence agency. The malware has undergone two very interesting changes: it now has a modular structure which allows the attackers to download and install attack plug-ins at will, and its anti-AV strategies have improved. ... read more

The case of the “Superfish” adware has caused quite a sensation through its association with computer technology company Lenovo. However, the following report shows that “Superfish” is just the tip of the iceberg. It explains the implications of and possibilities for misuse. By way of an example, experts at G DATA SecurityLabs have investigated a piece of update software involved in the case, to illustrate the risks of certificate misuse. ... read more

Analysis of Project Cobra

Another extensible framework used by the Uroburos’ actors
Author: Paul Rascagnères

Project Cobra and the Carbon System were mentioned by Kaspersky in the article called “The Epic Turla Operation”. This malware is used by the same actors as Uroburos (aka Snake/Turla) and Agent.BTZ. We estimate that the Carbon System was developed after Agent.BTZ and before Uroburos. The Carbon System shares some technical details with Uroburos and Agent.BTZ (encryption key, encryption algorithm, design, …) and some other links, such as the name of the snake-related project: Cobra. Uroburos could be considered a kernel-centric “snake” and the Cobra Carbon System a userland-centric “snake”. ... read more

Author: Paul Rascagnères

In November 2014, the experts of the G DATA SecurityLabs published an article about ComRAT, the Agent.BTZ successor. We explained that this case is linked to the Uroburos rootkit. We assume that the actor behind these campaigns uses several different malware strains in order to compromise the targeted infrastructure: Uroburos, a rootkit; Agent.BTZ/ComRAT, remote administration tools; Linux malware; and maybe even more. ... read more