Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Hackers Leverage Cloud Platforms to Spread Phishing Under the Radar

New detection for Trustwave SWG (which is also part of Blended Threat Module for select Trustwave SEG customers). The detection was specifically crafted to target this kit using Trustwave’s SWG dynamic analysis feature.

Still Scanning IP Addresses? You’re Doing it Wrong

The traditional approach to a vulnerability scan or penetration test is to find the IP addresses that you want tested, throw them in and kick things off. But doing a test based purely on IP addresses is a bad idea and can often miss things.

GoldenSpy Chapter 3: New and Improved Uninstaller

This blog shows our analysis of a new binary, now being distributed by Intelligent Tax software, that is identical in operations to the original GoldenSpy Uninstallers, but specifically designed to evade detection by the YARA rule provided in our blog.

PhishINvite with Malicious ICS Files

Employing a popular type of file as an attachment to malicious emails is a common trick by cybercriminals to boost the success rate of their cyber-attacks. As iCalendars files are not included in the list of automatically blocked attachments by email clients like Outlook, the possibility of the maliciously crafted iCalendar falling to the targets’ mailbox is increased.

GoldenSpy: Chapter Two – The Uninstaller 

On June 28, 2020, our Threat Fusion team identified a new file being downloaded by the Aisino Intelligent Tax product. But this time it had nothing to do with remote command and control of the victim. Rather, this new sample’s sole mission is to delete GoldenSpy and remove any trace it existed.

Adventures in ATM Hacking

Previously, I had some experience with PoS (Point of Sale) devices and entertained myself with kiosks at hacking conferences, but never had touched an ATM before. My companion on this saga had already some fun hacking with these devices and had some precious insights to guide us during our engagement.

The Golden Tax Department and the Emergence of GoldenSpy Malware

Trustwave SpiderLabs has discovered a new malware family, dubbed GoldenSpy, embedded in tax payment software that a Chinese bank requires corporations to install to conduct business operations in China.

Pillowmint: FIN7’s Monkey Thief

In this blog, we take an in-depth technical look at Pillowmint malware samples received from our incident response investigations. Pillowmint is point-of-sale malware capable of capturing Track 1 and Track 2 credit card data. We came across Pillowmint a couple of times in the last year and there is not much information around on it. The malware has been attributed to the FIN7 group that has been actively attacking the hospitality and restaurant industry for the past three years. This is a notorious financially-motivated cybercriminal group also referred to as the Carbanak group, after the Carbanak malware which it has used in the past.

Copy-Paste Threat Actor in the Asia Pacific Region

Australian Prime Minister Scott Morrison announced today that multiple Australian public and private organisations are being urged to safeguard their technology networks, as the country comes under a major cyber-attack. He further stated that all levels of government and the private sectors are being targeted in a "Sophisticated State-based" cyber-attack.

Cisco WebEx Memory for the Taking: CVE-2020-3347

Due to the global pandemic of COVID-19, there’s been an explosion of video conferencing and messaging software usage to help people transition their work-life to a work from home environment. Vulnerabilities in this type of software now present an even greater risk to its users.

TrickBot Disguised as COVID-19 Map

Cybercriminals are continuously exploiting the Coronavirus (COVID-19) pandemic. In our quest to monitor the COVID-19 related spams, we recently spotted one interesting campaign which uses an unusual email attachment to deliver TrickBot malware.

Compromising Android Applications with Intent Manipulation

As a mobile app tester, I have encountered numerous varied vulnerabilities. During one of my mobile engagements, I was able to achieve an Authentication Bypass by simply invoking each exposed Activity component of the Android application.

Patch Tuesday, June 2020

June's Patch Tuesday has crept upon us and while our minds may be elsewhere, the need to keep our systems up to date never goes away. Microsoft is releasing patches for 129 CVEs today. A dozen of those are rated as "Critical", 115 rated "Important", one rated "Moderate", and one oddly rated as "Not a Vulnerability".

System Takeover Through New SAP ASE Vulnerabilities

Organizations often store their most critical data in databases, which, in turn, are often necessarily exposed in untrusted or publicly exposed environments. This makes vulnerabilities like these essential to address and test quickly since they not only threaten the data in the database but potentially the full host that it is running on.

Securing SSH: What To Do and What Not To Do

The SSH service is critical, ensuring its security is key. This blog will describe how best to secure the SSH service from threat actors.

Phishing in a Bucket: Utilizing Google Firebase Storage

Credential phishing is a real threat that's targeting organizations globally. Threat actors are finding smart and innovative ways to lure victims to covertly harvest their corporate credentials. Threat actors then use these credentials to get a foothold into an organization to further their malicious agendas.

Vaccine for COVID-19 and Other Scams on the Dark Web

This blog post will cover some of the more interesting reactions to COVID-19 we’ve encountered on the underground, both good and bad. Read on to learn more (spoiler alert: The coronavirus vaccine is a scam!)

Patch Tuesday, May 2020

May's Patch Tuesday includes patches for 111 unique CVEs. Of those CVEs 17 are rated "Critical" and 94 rated as "Important". Aside from the common vulnerabilities in Microsoft's scripting engine, Sharepoint is the hardest hit on the "Critical" list with four separate Remote Code Execution (RCE) vulnerabilities and an Information Disclosure vulnerability patched for that server package.

Work From Home: The New New and What To Do

Here at SpiderLabs, we take the security of all our clients extremely seriously.  While the attacks that we see and use align with a recent note from US-CERT, they are not to be considered new or novel, however, their impact is even more profound during these uncertain times, where Work From Home (WFH) has become the new normal.

Stay Connected


Sign up to receive the latest security news and trends from Trustwave.

No spam, unsubscribe at any time.

Trending Topics