There used to be a time when malware signed with a legitimate certificate was the mark of a sophisticated, nation-state-backed attacker. Now anyone can have signed malware.
The FIN7 attack group is still alive and well, despite arrests of some alleged members and intense attention from researchers and law enforcement.
The DNSpionage attack group is now using a new backdoor called Karkoff, which may have ties to the OilRig leaks as well.
Bromium researchers have been tracking a phishing and malware campaign, possibly linked to the Necurs botnet, that uses infrastructure in the U.S.
Researchers are still trying to figure out how LockerGoga infects its targets, and what the group behind this damaging ransomware variant really wants. Can't be just money.