Kaspersky Labs

Owowa: the add-on that turns your OWA into a credential stealer and remote access panel

Owowa is a C#-based .NET v4.0 assembly intended to be loaded as a module within an IIS web server that also exposes Exchange’s Outlook Web Access (OWA), enabling credential theft and remote access.

An analysis of the life cycle of phishing and scam pages

According to a study by Kaspersky, the classification of links based on the number of hours the pages survived shows the bulk of phishing pages were only active for less than 24 hours.

APT trends report released for Q3 2021

While the TTPs of some threat actors remain consistent over time, relying heavily on social engineering to target organizations or individuals, others refresh their toolsets and extend their scope.

Lyceum Group Launches Targeted Attacks Using New Malware Written in C++

An investigation into Lyceum has shown that the group has evolved its arsenal over the years and shifted its usage from the previously documented .NET malware to new versions, written in C++.

Roundup of ransomware in the CIS

Although there are different vectors of malware distribution, most of the current crop of ransomware threats targeting businesses in the CIS penetrate the victim’s network via RDP.

GhostEmperor: From ProxyLogon to kernel mode

GhostEmperor uses a formerly unknown Windows kernel mode rootkit dubbed Demodex and a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers.

Researchers uncover new techniques used to spread FinSpy

Apart from the Trojanized installers, Kaspersky observed infections involving usage of a UEFI or MBR bootkit. While the MBR infection is well known, details on the UEFI bootkit are newly revealed.

BloodyStealer Malware Enables Attackers to Target Online Gaming Platforms Like Steam, Epic Games Store, and EA Origin

Researchers were able to identify several anti-analysis methods that were used to prevent reverse engineering and analysis of BloodyStealer, including the use of packers and anti-debugging techniques.

Technical analysis of the QakBot banking Trojan

QakBot continues to grow in terms of functionality, with even more capabilities and new techniques such as logging keystrokes, a backdoor functionality, and techniques to evade detection.

Cybercriminals Infect Users with Triada Trojan Through Modified App Version Dubbed FMWhatsapp

Once the app is launched, the malware gathers unique device identifiers (Device IDs, Subscriber IDs, MAC addresses) and the name of the app package where it is deployed.
