In this report, we review malicious activity SophosLabs analyzed and protected customers against in 2017 and use the findings to predict what might happen in 2018.

Sophos data scientists have written several articles about how machine learning works, how it will be applied to Sophos, and what that will mean for customers. This is a handy guide to that content.

A look at how Sophos develops its machine learning models. Here, we explain the concepts and show the development and evaluation of a toy model meant to solve the very real problem of detecting malicious URLs.

Kits available on the Dark Web allow the least technically savvy among us to do evil. Philadelphia is one of the slickest, most chilling examples.

The normal lifecycle of an Office exploit starts with the initial use in targeted attacks. Then, at some point, the information leaks out and cybercrime groups start using it more widely. Offensive security researchers then start experimenting with AV evasion, and the exploit finally ends up in underground exploit builders. Normally this cycle can take a few months. In the case of the CVE-2017-0199 Word exploit, we have observed this in a much more accelerated time scale.

This paper explores the inner workings of Betabot, including capabilities of the associated botnet server components and technical detail on how to extract and decrypt configuration data.

Attackers set their sights on the Internet of Things, Android and MacOS devices in this look ahead for 2017.

Document exploitation remains a favorite attack technique for distributing malicious content because it is easier to trick victims into opening document attachments than executables. Exploited documents have the added benefit of not requiring victims to manually enable macros, as is often the case for VBA downloaders. 

Document exploitation is a popular method of distributing malware in the malware community. Even though it was never the most prevalent infection vector, document exploitation has been on the rise for the last few years, hiding in the shadow of the more seasonal VBA or JavaScript downloaders. This technical paper explores why we're seeing more document exploitation malware in the wild, as well as the long-standing popularity of the document exploitation generator Ancalog, which is widely commercially available, and its various applications in cybercrime.

A couple of years ago, coin mining was a bubbling story. There were many threats that used infected machines to mine cryptocurrencies at the expense of the victim. The idea was perfect from the criminal's point of view, but as time went on the average PC was no longer powerful enough to mine even a single coin. It was time to give up on this type of attack and turn the attention to other ways to make money, like ransomware. Recently a new malware family has found a way to use PCs efficiently to mine new types of cryptocurrency. In this paper we examine this new trend.