Security Affairs
Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

A review of the Kofer Ransomware Campaign

Researchers spotted a massive ransomware campaign in which the threat actors developed a new intriguing evasion detection technique. A new and massive ransomware operation dubbed “Operation Kofer” was discovered by a team of Cybereason Labs researchers. This campaign generates new variants of the same malware in order to evade detection and becoming APT-grade in their […]

A review of the Kofer Ransomware Campaign

Researchers spotted a massive ransomware campaign in which the threat actors developed a new intriguing evasion detection technique.

A new and massive ransomware operation dubbed “Operation Kofer” was discovered by a team of Cybereason Labs researchers. This campaign generates new variants of the same malware in order to evade detection and becoming APT-grade in their sophistication. All of the variants were found and compiled during the last couple of weeks, while new ones are generated every few days or even hours. This seems to be a Euro-centric threat as these variants have been mostly seen in Spanish, Polish, Swiss and Turkish organizations

Security experts from Cambridge-based Company found out that each of generated ransomware has a unique characteristic, and therefore, different hash which makes them difficult to detect, but the shared similarities among them can be observed and leads finding a connection between them. These similarities give us enough confidence to believe that they were all created through mixing and matching different components by using an automated algorithm.

A fake icon especially PDF icon and bogus file name were used for all of the analyzed Kofer variants in an effort to deceive the recipient into double-clicking the file delivered to them mostly by email campaigns that target specific organizations or countries.

Some anti-detection techniques are used for higher success of the ransomware variants. Firstly, some of them check whether they are being executed inside a virtual machine and if so, refuse to run. In addition, execution as a child process helps evade detection by some sandboxes. The ransomware payload masquerade as a benign-looking resource that are stored encrypted inside the PE. Finally, the original executable is deleted after it runs.

CryptoWall 3.0 and Crypt0L0cker were detected to be a part of the operation even though there are other suspects. Tor is acquired by some of the variants for C&C communications and to prevent any possibility of file recovery, Shadow Copies on the local machine are destroyed.

“Our best suggestion to minimize the impact of ransomware is to run frequent backups using an external drive and use endpoint monitoring and detection technologies to limit the scope of such attacks.” said Uri Sternfeld, Senior Security Researcher at Cybereason.

Furthermore, all the observed variants look for “C:\myapp.exe,” and if such a file exists, they refuse to run. So one preventive countermeasure is to copy an executable file and rename it to myapp.exe. It’s foreseeable that this behavior will be modified in the future.

As Kofer cannot be detected by signature-detection, it is advised to monitor behavior on the endpoint and compare it to all other behaviors on other endpoints in the organization to find suspicious behavior.

kofer ransomware

About the Author

Ali Taherian (@ali_taherian) is an enthusiastic information security Officer. He’s finished his education in information security and has recently been involved in banking software and payment security industry. Taherian is proud to be certified IBM Cloud Computing Solution Advisor and ECSA and enjoys sharing and tweeting about security advances and news.

Edited by Pierluigi Paganini

(Security Affairs – Kofer, ransomware)