The only thing worse than a powerful piece of malware, is a powerful piece of malware which has evolved into something more dangerous, just like IcedID.

IcedID first emerged onto the digital landscape in 2017, when it was classed as a banking trojan and started targeting financial institutions in the US, Canada, and UK. IcedID’s main objective, in 2017, was to steal sensitive data such as credit card details. However, the very best threat actors are those that regularly update and repurpose their malware to evade detection and become more effective. And that’s exactly what they have done with IcedID, turning it from a banking trojan into something much more complex.

What is IcedID’s New Strategy?

IcedID has evolved, but what exactly has it evolved in to? Well, the objective of retrieving sensitive financial details appears to have been removed. However, IcedID is now concentrating its efforts on delivering further malicious payloads to compromised systems. Essentially, it’s opening your IT systems up to a whole new world of pain.

Using the BackConnect module, IcedID communicates with a command-and-control server which allows the transfer of commands and files to the infected system. Originally, this attack was easy to detect as IcedID used TCP port 8080 to transfer data and communications. However, the threat actors behind this new wave of attacks, quickly changed their approach and began to compromise TCP port 443, which is much harder for security software to detect as it usually only handles encrypted data.

At least 20 command-and-control servers have been detected since April 2023, indicating that the threat actors behind IcedID are keen to not only disguise their tracks, but also keep security experts guessing. IcedID appears to compromise its victims by carrying out a sustained campaign of data harvesting and using them as a connection point in spamming campaigns, which are used to spread IcedID even further.

Staying Safe from IcedID

The exact point at which this current IcedID campaign infects a host is currently unknown, but earlier variants of IcedID from 2023 used malicious email attachments. Therefore, it’s important for all your PC users to remain vigilant against the threat of infected emails arriving in their inbox. In particular, make sure they look out for the following:

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


As the popularity of AI apps soars, the latest being Google’s Bard, it’s becoming clearer that threat actors are taking advantage of this popularity.

The latest attack to be launched revolves around BundleBot, a new brand of malware which is as stealthy as it is dangerous. Bundlebot is typically found lurking within Facebook ads that promise to take you to websites containing AI utilities and games. These websites, however, are malicious. Users report that these malicious websites are similar, in terms of design, to Bard, but their main objective is to encourage users to download malicious files, most typically hosted on an external storage site such as Dropbox.

As we become more and more interested in AI, it’s important that we remain on guard against threats such as BundleBox, so let’s take a more in-depth look at what it is.

The Lowdown on BundleBox

Once the malicious file – an RAR archive file often named Google_AI.rar – is downloaded and executed, the BundleBox campaign begins. Within this archive file, is an executable file called GoogleAI.exe which, once activated, retrieves a ZIP file (ADSNEW-1.0.0.3.zip). Once opened, this ZIP file contains a further application by the name of RiotClientServices.exe. This executable is used to fully launch, through the use of a .dll file, the BundleBox attack.

Thanks to junk code being built into Bundlebox’s design, it is able to operate stealthily and away from the attentions of anti-malware software. While it remains hidden, BundleBox utilizes a ‘command and control’ function to steal sensitive data and transmit it to a remote location. The perpetrators behind BundleBox, currently, remain a mystery, but it’s believed they are from Vietnam, due to similar Vietnamese-based attacks being launched through Facebook in recent months.

Staying Safe from BundleBox and Similar Threats

There is no definitive solution to a BundleBox infection at present, but there are plenty of ways you can protect your PCs from falling victim. Make sure that your organization enforces the following:

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


State-sponsored hacking remains a serious problem for PC users around the world, and the latest headline grabber – with links to North Korea – is EarlyRAT. 

A remote access trojan (RAT) is nothing new in the world of cybercrime, with the earliest examples believed to have been released in the late 1980s. However, their impact has grown significantly over the last 30 years, and this means they need to be taken seriously. There’s a culture of evolution in the world of hacking and, as a result, new RATs are always more powerful than the previous generation. And that’s why the emergence of EarlyRAT has got so many IT professionals concerned. 

What is a Remote Access Trojan? 

You may not be familiar with the ins and outs of a RAT, so we’re going to take a second to explain what they are and why they are so dangerous. A RAT is a malicious software program designed to provide unauthorized remote access and control over a targeted PC. They tend to be disguised as genuine files – this is why RATs are often distributed through phishing emails – but are nothing short of digital chaos. 

Once installed, a RAT allows attackers to gain control of the victim’s computer, and this is all carried out remotely. This allows the threat actors to steal sensitive information, monitor user activity, execute commands, and even activate the webcam or microphone to carry out surveillance. All of these dangers put the victim at risk of data theft and further cyber-attacks. 

How Does EarlyRAT Work? 

EarlyRAT was first detected by security experts at Kaspersky, who were analyzing a hacking campaign from 2022. The attack was made possible due to a flaw discovered in Log4j, a Java library used to log error messages generated by applications. This vulnerability was exploited by the Andariel hacking group, a team believed to be sponsored by North Korea. Once Log4j had been compromised, Andariel was able to download malware to the victims’ PCs. 

Part of this initial attack also included a phishing campaign, and it was here that EarlyRAT was first detected. Phishing documents, once activated, would download EarlyRAT from servers well known for having connections to threat actors. EarlyRAT’s first objective was to start logging system information and, after this, it would begin downloading additional malware, affecting the productivity of infected machines and stealing user credentials. 

Keeping Safe from EarlyRAT 

It’s important that you protect your IT infrastructure and your data, so staying one step ahead of threats like EarlyRAT is vital. To achieve this, make sure you always practice the following: 

  • Identify malicious websites: a large number of RATs are located on malicious websites, so it’s important that you know how to spot one of these. With this knowledge at your disposal, you will be able to not only identify a malicious website, but you’ll be able to realize a link is malicious before you even click it. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More


It’s always important to be cautious online, but it’s easy for people to fall victim to malware. Even security experts can fall for the tricks of hackers. 

Yes, even those skilled and highly experienced security researchers can find themselves on the receiving end of malware. The most recent piece of evidence for this phenomena is an attack which is as brazen as it is powerful. It revolves around a piece of bait left, by threat actors, on GitHub, an online repository for developers to store and share their code. And it was a piece of code, disguised as a highly tempting piece of software for a security expert, which led to many of these professionals being left embarrassed.  

How Were the Experts Fooled? 

The GitHub attack involved a piece of software being made available which claimed to be a proof-of-concept (POC). Typically, a POC is a demonstration of a software project, and is used to determine how feasible the project is and the potential of its long-term success. For a security researcher, a POC is a useful way to test for security vulnerabilities, and this is why they are frequently downloaded and analyzed. 

However, this specific ‘POC’ proved to be little more than malware in disguise. Within the fake POC structure was a malware downloader, which was used to download malware and set off a chain of malicious events. Once the malware was downloaded, it began by executing a Linux script to automate specific commands. This allowed the threat actors to start stealing data, which was automatically downloaded to a remote location, by scraping the entire directory of the infected PC. 

The fake POC also allowed the threat actors to gain full access to any of the infected systems. This was achieved by adding their secure shell (a protocol for operating network services) to the authorized keys file on the infected system. All of this was made possible, for the threat actors, due to a vulnerability – known as CVE-2023-35829 – discovered in the Linux operating system, an OS usually used by software developers. 

Avoid the Mistakes of the Experts 

You may be thinking that, if a security expert can fall victim to malware, what hope do you have in the face of targeted attacks? However, as we know, nobody is 100% immune from the efforts of threat actors, and this includes security researchers. As ever, vigilance is key to maintaining the security of your IT infrastructure: 

  • Be wary of malicious websites: while GitHub is far from malicious, the people using it often are. This means you should always do some research on what you’re downloading and who you’re downloading it from. So, for example, try Googling the username of whoever is offering you a download, and see whether there are any trustworthy results or otherwise. Alternatively, ask an IT professional to take a look and assess the risk – contrary to the GitHub attack, they can usually spot malware from a mile away. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More



Microsoft Teams has experienced a surge in popularity among businesses since the pandemic, and this makes it a highly prized target for hackers. 

Businesses find Microsoft Teams a powerful tool as it allows employees to work remotely, communicate and be productive. And it’s all through one app. This is why it’s a fantastic business solution and used by 280 million people. Naturally, the size of this audience is going to turn a threat actor’s head. Where there are high numbers of users, there’s an opportunity for malware to be successful. And that’s why the discovery of a vulnerability in Teams has caused so much concern. 

The Vulnerability Lying Within Microsoft Teams 

One of the main uses of Teams is as a communication tool, and this means that the potential for spreading malware via file transfers and linked hard drives is high. But this newly discovered vulnerability is very different. Therefore, it’s important you understand the threat it poses. 

Now, Microsoft Teams allows you to communicate with a wide range of people within your organization. It also allows you to communicate with external parties e.g. subcontractors, clients and facility management teams. Usually, these external users are unable to transmit files to other organizations through Teams. And this is a good thing, as it lowers the risk of malware being sent between businesses. 

However, the security protocols which are in place to stop unauthorized file sending can, it turns out, be compromised. Once this vulnerability is exploited, a threat actor can start sending malware direct to the Teams inbox of staff within that business. Often, the threat actors are increasing the chances of their attack being successful by setting up similar email addresses to that of their target. All it takes is for one employee to open the malware and it can start to spread. 

While the incoming message will still be tagged as “External”, the busy nature of many employees’ days means that it’s likely this message will be ignored. Also, this method of attack is relatively new. Users are well drilled in the telltale signs of a phishing email, but a Teams instant message is very different. Accordingly, the risk of falling victim to this attack is concerning. 

Staying Safe on Microsoft Teams 


Curiously, Microsoft has advised that this vulnerability doesn’t, at present, warrant fixing. No doubt, at some point, it will be patched, but for now you should remain cautious. To help strengthen your defenses, make sure you practice the following: 

  • Always update: there’s never an excuse for not carrying out software updates once they are available. It’s the quickest and simplest way to plug weak points in your cyber defenses, so, if they are not already in place, setting up automatic updates should be your priority. 
  • Reduce your availability: it’s possible to limit your communication through Teams to specific domains only. Again, this reduces your risk by ensuring that your staff can only communicate with trusted sources and not threat actors operating from similar, yet malicious domains. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More

1 4 5 6 7 8 19