Prince of Persia: Infy Malware Active In Decade of Targeted Attacks

posted by: and on May 2, 2016 5:00 AM

filed in: Malware, Threat Prevention, Unit 42
tagged: , , ,

Attack campaigns that have very limited scope often remain hidden for years. If only a few malware samples are deployed, it’s less likely that security industry researchers will identify and connect them together.

In May 2015, Palo Alto Networks WildFire detected two e-mails carrying malicious documents from a genuine and compromised Israeli Gmail account, sent to an Israeli industrial organization. One e-mail carried a Microsoft PowerPoint file named “thanks.pps” (VirusTotal), the other a Microsoft Word document named “request.docx”.

Around the same time, WildFire also captured an e-mail containing a Word document (“hello.docx”) with an identical hash as the earlier Word document, this time sent to a U.S. Government recipient. …Continue reading

Palo Alto Networks News of the Week – April 30

posted by: on April 30, 2016 4:00 AM

filed in: Events, News of the Week
tagged: , , , , ,

We’ve rounded up all of the top Palo Alto Networks news from the past week right here.

Unit 42 discussed Afraidgate, a major exploit kit campaign swapping Locky ransomware for CryptXXX. The team also highlighted the threat intelligence it contributed to the 2016 Verizon Data Breach Investigations Report (DBIR).

Want to keep up with Palo Alto Networks threat intelligence? Sign up here in the “Get Updates” box, and receive updates from the Unit 42 threat intelligence blog in real time.

blog-title-unit42-500x68 …Continue reading

Afraidgate: Major Exploit Kit Campaign Swaps Locky Ransomware for CryptXXX

posted by: on April 28, 2016 1:00 PM

filed in: Malware, Threat Prevention, Unit 42
tagged: , , , , , ,

In mid-April 2016, a campaign using Nuclear Exploit Kit (EK) to distribute Locky ransomware switched to using the Angler EK to install CryptXXX ransomware. This campaign uses gates registered through FreeDNS at We are calling this the Afraidgate campaign. Although we continue to see Locky distributed through malicious spam, we have not noticed Locky from EK traffic since mid-April.

An Evolving Campaign

In March 2016, we observed Nuclear EK from the Afraidgate campaign spreading Locky ransomware. A consistent gate pattern in the infection chain pointed to the same campaign using Neutrino EK the previous month. Now this campaign points to Angler EK. Also with the change in EKs, the malware has switched from Locky to CryptXXX. Both of these malware families employ the ransomware business model, in which they encrypt a user’s files and demand a ransom in return for the decryption keys. The following chart illustrates the changes in this particular campaign: …Continue reading

Older posts →