54 Individuals Indicted for Tren de Aragua ATM Jackpotting Scheme

The U.S. Department of Justice (DoJ) has announced the indictment of 54 individuals for their alleged involvement in an automated teller machine (ATM) “jackpotting” scheme that diverted millions of dollars. The large-scale conspiracy involved the use of Ploutus malware to force ATMs across the country to dispense cash. According to authorities, the defendants are part of the Venezuelan criminal group Tren de Aragua (TdA), which has been designated as a foreign terrorist organization by the U.S. Department of State. ...

December 20, 2025 · Comfidentia

Abuse of TLS Callbacks in DLLs for Detection Evasion

What are TLS Callbacks?

Thread Local Storage (TLS) is a Windows operating system mechanism that allows each thread in a process to have its own copy of specific variables. To support this, Windows PE (Portable Executable) files contain a TLS directory (IMAGE_TLS_DIRECTORY). This directory not only describes where the TLS data is stored and its size, but also includes a list of callback functions. TLS callbacks are an execution mechanism that allows code to run automatically when a process or thread starts, even before the program’s normal entry point (main or WinMain for EXEs, or DllMain for DLLs) is reached. ...

December 20, 2025 · Comfidentia

Intellexa's Predator Spyware Attacks Pakistani Lawyer; Technical Details and Vulnerabilities Revealed

A joint investigation by Amnesty International, Haaretz, Inside Story and Inside IT has revealed that a human rights lawyer from Balochistan province, Pakistan, was the target of Intellexa’s Predator spyware. This incident marks the first time that a member of civil society in Pakistan has been targeted by this surveillance tool. The attack was carried out using a suspicious link sent via WhatsApp, which Amnesty International identified as an “attempted Predator attack” based on its technical behavior and characteristics. ...

December 5, 2025 · Comfidentia

GoldFactory Launches Sophisticated Malware Attacks on Asian Banking Apps

Financially motivated cybercriminal group GoldFactory has launched a new wave of attacks targeting mobile users in Indonesia, Thailand and Vietnam. Attackers are using a government spoofing technique to distribute legitimate banking applications modified with malware. The activity, observed since October 2024, involves the distribution of apps that act as conduits for advanced Android malware, according to a Group-IB white paper.

The GoldFactory Threat Actor

GoldFactory is a Chinese-speaking cybercrime group, active since at least June 2023. The group is known for using custom malware families such as GoldPickaxe, GoldDigger, and GoldDiggerPlus, which previously targeted Android and iOS devices. Research suggests that GoldFactory has close ties to Gigabud, another Android malware family detected in mid-2023. Despite differences in code base, GoldDigger and Gigabud share similarities in their spoofing targets and landing pages. ...

December 4, 2025 · Comfidentia