In security we spend a lot of time trying to decipher the future. Where’s the next technology breakthrough? What are cybercriminals going to do next?

Annual threat reports provide an opportunity to look back at significant events of the past 12 months and identify trends for future development, action and protection. Looking back in time a little further helps to provide context for how we arrived at our current situation and why some things are the way they are. A long view of history can point to subtle changes or seismic shifts within an industry.

As much of the world shifted to remote work in 2020, cybercriminals upped their game, devising ways to use the fears and anxieties of organizations and end users against them.

Kingminer is an opportunistic botnet that keeps quiet and flies under the radar. The operators are ambitious and capable, but don’t have endless resources – they use any solution and concept that is freely available, getting inspiration from public domain tools as well as techniques used by APT groups.

The botnet known as MyKings wields a wide range of automated methods to break into servers – all just to install cryptocurrency miners.

An investigation into an attack against a cloud computing server reveals an unusual and innovative way for malware to communicate through Amazon’s firewalls

What defenders should know about the most prevalent and persistent malware families.

Challenges the world faces for the coming year, securing data, devices, and people in an increasingly complex environment.

On May 12th, 2017, organizations across the world were attacked by a new, fast-spreading piece of malware we now know as WannaCry. It is now considered one of the most widespread, and notoriously destructive malware attacks in history, halted only by a researcher getting a lucky break, registering a domain name embedded in the malware that unexpectedly acted as a kill switch. But even today, more than two years hence, WannaCry continues to affect thousands of computers worldwide.

Cybersecurity threats have been growing significantly in both volume and sophistication over the past decade. This poses great challenges to malware detection without considerable automation. In this paper, we have proposed a novel approach by extending our recently suggested artificial neural network (ANN)- based model with feature selection using the principal component analysis (PCA) technique for malware detection.

The trend toward active, targeted attacks continues to grow in prominence. Matrix is the latest malware to use these tactics. In this report, SophosLabs takes a deeper look at this low-key, developing ransomware threat.

Victories against cybercrime demand radical change to defense.

In Baldr vs The World, we trace the malware's technical evolution and a peek into the ways that malware are marketed and sold by criminals to other criminals, and the varied business models such relationships can foster.

Due to the popularity of portable document format (PDF) and the increasing number of vulnerabilities in major PDF viewer applications, malware writers continue to use the format to deliver malware via web downloads, email attachments, and other methods in both targeted and non-targeted attacks. The topic of how to effectively block malicious PDF documents has received a huge amount of research interests in both cybersecurity industry and academia with no sign of slowing down.

An in-depth peek into the VM running in modern web browsers.

So what exactly is an adversarial autoencoder, and why might you want to use one? They are a clever idea leading to a flexible and general framework for a lot of interesting tasks. Take a deeper dive into AAEs in this paper.

Often, we would like to be able to model probability distributions of high-dimensional data points that represent an overall (much lower dimensional) concept. This lets us learn relevant characteristics of the data in question, and also allows us to easily sample from our data distribution.

As the year 2016 began, a ransomware threat appeared that attacked its victims unlike any previous ransomware attack. SamSam, named after the filename of the earliest sample we uncovered, uses a brutally minimalist, manual approach to target and compromise victims.

As mentioned in our previous1 report about VPNFilter malware, the rst stage implant relies on connecting either to one of 12 hardcoded Photobucket URLs or the Toknowall website to fetch an image that had been specially crafted to contain an encoded form of the command-and-control server’s IP address. The stage one sample extracts the address from the image’s EXIF metadata.

A technical investigation of the malicious components involved in the attack that infected over 500,000 routers and network storage devices

"It ain’t what you know that gets you in trouble, it’s what you know for sure that just ain’t so."

Last years’ news headlines were dominated by ransomware attacks like Wannacry and Petya, the constant presence of Cerber, the disappearance and return of Locky, and the growing popularity of Ransomware-as-a-Service (RaaS) and smaller campaigns like Jaff and BadRabbit.

Unlike the spam-like approach of garden-variety ransomware, this family exploits vulnerabilities to attack specific organizations

A Business Analysis of a Growing Fraud in Android

The malware family continues to frustrate efforts to keep it out of Google Play.

Cyber thieves are using aggressive ad platforms more and more to monetize free Android apps. The number of such apps in this disturbing trend finding their way into Google Play continues to grow every day. Find out more about these dangerous apps and what you can do to avoid them.

On the surface, it looked like a helpful toolbox app. But Super Clean Plus hid malicious intentions.

SophosLabs has discovered several malicious apps on Google Play hiding dynamic JavaScript that taps into the CPU of a victim’s phone while mining for cryptocurrency.

The Super Antivirus 2018 app adds some legitimate action to what is really not an antivirus program at all, in order to throw researchers off the track.

In this report, we review malicious activity SophosLabs analyzed and protected customers against in 2017 and use the findings to predict what might happen in 2018.

Sophos data scientists have written several articles about how machine learning works, how it will be applied to Sophos, and what that will mean for customers. This is a handy guide to that content.

A look at how Sophos develops its machine learning models. Here, we explain the concepts and show the development and evaluation of a toy model meant to solve the very real problem of detecting malicious URLs.

Kits available on the Dark Web allow the least technically savvy among us to do evil. Philadelphia is one of the slickest, most chilling examples.

The normal lifecycle of an Office exploit starts with the initial use in targeted attacks. Then, at some point, the information leaks out and cybercrime groups start using it more widely. Offensive security researchers then start experimenting with AV evasion, and the exploit finally ends up in underground exploit builders. Normally this cycle can take a few months. In the case of the CVE-2017-0199 Word exploit, we have observed this in a much more accelerated time scale.

This paper explores the inner workings of Betabot, including capabilities of the associated botnet server components and technical detail on how to extract and decrypt configuration data.

Attackers set their sights on the Internet of Things, Android and MacOS devices in this look ahead for 2017.

Document exploitation remains a favorite attack technique for distributing malicious content because it is easier to trick victims into opening document attachments than executables. Exploited documents have the added benefit of not requiring victims to manually enable macros, as is often the case for VBA downloaders. 

Document exploitation is a popular method of distributing malware in the malware community. Even though it was never the most prevalent infection vector, document exploitation has been on the rise for the last few years, hiding in the shadow of the more seasonal VBA or JavaScript downloaders. This technical paper explores why we're seeing more document exploitation malware in the wild, as well as the long-standing popularity of the document exploitation generator Ancalog, which is widely commercially available, and its various applications in cybercrime.

A couple of years ago, coin mining was a bubbling story. There were many threats that used infected machines to mine cryptocurrencies at the expense of the victim. The idea was perfect from the criminal's point of view, but as time went on the average PC was no longer powerful enough to mine even a single coin. It was time to give up on this type of attack and turn the attention to other ways to make money, like ransomware. Recently a new malware family has found a way to use PCs efficiently to mine new types of cryptocurrency. In this paper we examine this new trend.