Anton Cherepanov

After taking a look at recent Korplug (PlugX) detections, we identified two larger scale campaigns employing this well-known Remote Access Trojan. This blog gives an overview of the first one

Win32/Corkow is banking malware with a focus on corporate banking users. We can confirm that several thousand users, mostly in Russia and Ukraine, were victims of the Trojan in 2013. In this post, we expand on its unique functionality.

In his blog post last week, Graham Cluley introduced the Win32/Corkow banking trojan. The malware has demonstrated continuous activity in the past year, infecting thousands of users - various indicators point to the fact the malware authors are continually developing the trojan.

In this blog post we confirm that the Avatar rootkit continues to thrive in the wild, and disclose some new information about its kernel-mode self-defense tricks. We continue our research into this malware family.

The mysterious Avatar rootkit, detected by ESET as Win32/Rootkit.Avatar, appears to reflect a heavy investment in code development, with an API and a SDK available, plus an interesting abuse of Yahoo Groups for C&C communications.