In January 2023, the FBI collaborated with law enforcement agencies in Germany and the Netherlands to dismantle one of the most notorious ransomware groups, known as Hive. Since June …
Search Results for: hive
Hive0051's large-scale malicious operations enabled by synchronized multi-channel DNS fluxing
December 2022, the automated synchronized fluxing of dynamic DNS records across Telegram channels and Telegraph sites at scale points …
In 2022, The DFIR Report observed an increase in the adversarial usage of Remote Monitoring and Management (RMM) tools. When compared to post-exploitation channels that heavily rely on terminals, such …
New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware
phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, …
Last updated at Thu, 09 May 2024 16:11:11 GMT
How malicious actors evade detection and disable defenses for more destructive HIVE Ransomware attacks. Rapid7 routinely conducts research into the wide …
On 21 October 2022, 360Netlab's honeypot system captured a suspicious ELF file, ee07a74d12c0bb3594965b51d0e45b6f, spreading through an F5 vulnerability and with zero detections on VT. Our traffic-monitoring system reported SSL traffic between it and the IP 45.9.150.144, with both sides using forged Kaspersky certificates, which caught our attention. After analysis we confirmed that it was adapted from the leaked server source code of the CIA's Hive project. This is the first in-the-wild variant of the CIA HIVE attack kit we have captured; based on the CN=xdr33 in its embedded bot-side certificate, we named it xdr33 internally. There are plenty of source-code analyses of the CIA Hive project on the internet, so we do not repeat them here.
In short, xdr33 is a backdoor trojan derived from the CIA Hive project whose main purpose is to collect sensitive information and provide a foothold for follow-on intrusion. On the network side, xdr33 encrypts the raw traffic with XTEA or AES and then wraps it in SSL with Client-Certificate Authentication enabled. Functionally it has two main tasks, beacon and trigger. Beacon periodically reports sensitive device information to the hard-coded Beacon C2 and executes the commands it issues. Trigger monitors NIC traffic for specific packets that carry a hidden Trigger C2; when such a packet arrives it opens a connection to that Trigger C2 and waits to execute the commands it sends.
The functional diagram is shown below:
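The text names XTEA as one of the two ciphers xdr33 applies to raw traffic before the SSL layer. The following is an added example, not 360Netlab's code and not the Hive project's source: a standard XTEA implementation (64-bit block, 128-bit key, 32 cycles) that an analyst who has recovered a session key from a sample can run against captured beacon bytes. The page does not state the cycle count, word order, chaining mode or padding, so 32 cycles, big-endian words, ECB and zero padding are assumptions, and the key and record in `demo()` are constructed.

```python
"""XTEA block cipher, written as an added example for trying a recovered
key against xdr33 beacon traffic. Assumptions (not stated on the page):
32 cycles, big-endian 32-bit words, ECB chaining, zero padding."""
import struct

DELTA = 0x9E3779B9
MASK32 = 0xFFFFFFFF
BLOCK = 8


def _words(key: bytes) -> list:
    """Split a 16-byte key into the four 32-bit words XTEA selects by sum."""
    if len(key) != 16:
        raise ValueError("XTEA key must be 16 bytes")
    return list(struct.unpack(">4I", key))


def encrypt_block(block: bytes, key: bytes, cycles: int = 32) -> bytes:
    """Encrypt one 8-byte block; every add is reduced mod 2**32 as in C."""
    k = _words(key)
    v0, v1 = struct.unpack(">2I", block)
    s = 0
    for _ in range(cycles):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


def decrypt_block(block: bytes, key: bytes, cycles: int = 32) -> bytes:
    """Inverse of encrypt_block: walk the sum schedule backwards from cycles*DELTA."""
    k = _words(key)
    v0, v1 = struct.unpack(">2I", block)
    s = (DELTA * cycles) & MASK32
    for _ in range(cycles):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
        s = (s - DELTA) & MASK32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


def encrypt(data: bytes, key: bytes) -> bytes:
    """ECB with zero padding (assumption); enough to test a key, not a design to copy."""
    data += b"\x00" * ((-len(data)) % BLOCK)
    return b"".join(encrypt_block(data[i:i + BLOCK], key) for i in range(0, len(data), BLOCK))


def decrypt(data: bytes, key: bytes) -> bytes:
    if len(data) % BLOCK:
        raise ValueError("ciphertext length must be a multiple of 8")
    return b"".join(decrypt_block(data[i:i + BLOCK], key) for i in range(0, len(data), BLOCK))


def demo() -> tuple:
    """Round-trip a constructed beacon-style record under a constructed key."""
    key = bytes(range(16))                 # constructed, taken from no sample
    record = b"host=web01;uid=0;ver=34;"   # constructed beacon content
    ct = encrypt(record, key)
    return ct, decrypt(ct, key).rstrip(b"\x00")
```

If a candidate key decrypts a captured record into something that parses (a beacon header with version 34, for instance), the guess about mode and word order was right; otherwise try little-endian words or a different mode before discarding the key.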
Hive specifies its version with the BEACON_HEADER_VERSION macro. In the source's master branch its value is 29, whereas in xdr33 it is 34, so xdr33 has perhaps gone through several rounds of iteration out of sight. Compared with the source, xdr33's changes fall into the following five areas:
• New C2 (CC) commands were added
• Functions were wrapped or inlined
• Structures were reordered and extended
• The Trigger packet format was changed
• C2 (CC) operations were added to the Beacon task
Judging by the implementation, these modifications are not especially polished, and the vulnerability used in this campaign is an N-day, so we lean towards ruling out the possibility that the CIA continued to improve the leaked source and consider xdr33 the result of a criminal group modifying the leaked code. Given the enormous power of the original attack kit, this is not something the security community wants to see, so we decided to write this article to share our findings and help keep cyberspace secure together.
The MD5 of the payload we captured is ad40060753bc3a1d6f380a5054c1403a; its content is shown below:
The code is simple and clear; its main purposes are:
1: Download the next-stage sample and disguise it as /command/bin/hlogd.
2: Install a logd service for persistence.
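A responder working from the two steps above wants a quick host sweep for what the dropper leaves behind. The following is an added example, not 360Netlab's tooling: `sweep_filesystem()` walks a root directory and reports the implant path command/bin/hlogd (/command is the directory daemontools installs its binaries into, so the name blends in), any file whose MD5 matches the hashes published in this analysis, and a service definition named logd; the page does not say how the logd service is installed, so the systemd-unit and SysV-script locations checked are assumptions. `sweep_connections()` flags established sockets to the beacon IP 45.9.150.144 in `ss -tnp` style output. The directory tree and socket lines in `demo()` are constructed for the demo.

```python
"""Host sweep for xdr33 dropper artifacts (added example, not the page's code).
Service locations are assumptions; the demo tree and ss lines are constructed."""
import hashlib
import os
import re
import tempfile

KNOWN_MD5 = {  # hashes published in the analysis above
    "ad40060753bc3a1d6f380a5054c1403a": "xdr33 dropper payload",
    "ee07a74d12c0bb3594965b51d0e45b6f": "xdr33 x86 ELF backdoor",
}
IMPLANT_PATH = "command/bin/hlogd"
SERVICE_PATHS = (  # assumption: where a "logd" service could have been registered
    "etc/systemd/system/logd.service",
    "lib/systemd/system/logd.service",
    "etc/init.d/logd",
)
BEACON_IP = "45.9.150.144"
# ss -tnp columns: State Recv-Q Send-Q Local:Port Peer:Port Process
SS_LINE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(.*)$")


def md5_of(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_filesystem(root: str) -> list:
    """Return (kind, path, detail) tuples for every artifact found under root."""
    findings = []
    for rel in (IMPLANT_PATH,) + SERVICE_PATHS:
        if os.path.lexists(os.path.join(root, rel)):
            kind = "implant-path" if rel == IMPLANT_PATH else "persistence"
            findings.append((kind, "/" + rel, ""))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):
                continue
            digest = md5_of(full)
            if digest in KNOWN_MD5:
                findings.append(("known-hash", "/" + os.path.relpath(full, root), KNOWN_MD5[digest]))
    return findings


def sweep_connections(ss_output: str) -> list:
    """Return (local, peer_port, process) for ESTAB sockets to the beacon C2."""
    hits = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if m and m.group(1) == "ESTAB" and m.group(4) == BEACON_IP:
            hits.append((f"{m.group(2)}:{m.group(3)}", int(m.group(5)), m.group(6)))
    return hits


def demo() -> tuple:
    """Build a constructed root carrying the dropper's artifacts and sweep it."""
    root = tempfile.mkdtemp(prefix="xdr33-sweep-")
    for rel, content in (
        (IMPLANT_PATH, b"\x7fELF constructed stand-in, not the real sample"),
        ("etc/init.d/logd", b"#!/bin/sh\n/command/bin/hlogd &\n"),
        ("usr/bin/logger", b"benign file, should not be reported"),
    ):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    ss_output = (  # constructed, not a real capture
        'ESTAB 0 0 10.0.0.5:41230 45.9.150.144:443 users:(("hlogd",pid=1234,fd=5))\n'
        'ESTAB 0 0 10.0.0.5:52014 93.184.216.34:443 users:(("curl",pid=1300,fd=3))\n'
        "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\n"
    )
    return sweep_filesystem(root), sweep_connections(ss_output)
```

Run `sweep_filesystem("/")` and pipe `ss -tnp` into `sweep_connections()` on a suspect host; a hash match on a renamed copy is the strongest signal, since the path and service name are trivially changed by whoever rebuilds the dropper.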
We captured only one x86 xdr33 sample; its basic information is as follows:
MD5: ee07a74d12c0bb3594965b51d0e45b6f
ELF 32-bit LSB executable, Intel…
Summary
Actions to Take Today to Mitigate Cyber Threats from Ransomware:
• Prioritize remediating known exploited vulnerabilities.
• Enable and enforce multifactor authentication with strong passwords.
• Close unused ports and remove …
Trustwave SpiderLabs’ spam traps have identified an increase in threats packaged in password-protected archives with about 96% of these being spammed by the Emotet Botnet. In the first half of …
Play is a new ransomware that takes a page out of Hive and Nokoyawa's playbook. The many similarities among them indicate that Play, like Nokoyawa, is operated by the same …
Hive ransomware is one of the most active financially motivated threat actors of this period, adopting the current double-extortion model. They started their malicious activities in June of …
By James Haughom, Antonis Terefos, Jim Walter, Jeff Cavanaugh, Nick Fox, and Shai Tilias
Overview
In a recent IR engagement, our team happened upon a rather interesting packer (aka crypter …
In March 2022, we came across evidence that another, relatively unknown, ransomware known as Nokoyawa is likely connected with Hive, as the two families share some striking similarities in their …
One of our readers shared an interesting sample received via email. Like him, if you get access to interesting/suspicious data, please share it with us (if you’re authorized of course). …
Published On : 2024-07-06
EXECUTIVE SUMMARY
At CYFIRMA, we deliver timely insights into prevalent threats and malicious tactics impacting organizations and individuals. Our research team recently discovered a RAR archive …
This article shows how to circumvent anti-analysis techniques from GootLoader malware while using Node.js debugging in Visual Studio Code. This evasion technique used by GootLoader JavaScript files can …
In this article, we will analyse an APT group that has recently attracted a lot of attention for its activities: "Sea Turtle".…
Key Points
In June 2024, ReliaQuest responded to detections from an endpoint detection and response (EDR) tool signaling the beginning of a ransomware attack by the "Medusa" ransomware group that…
Last updated at Fri, 28 Jun 2024 18:00:03 GMT
The following Rapid7 analysts contributed to this research: Leo Gutierrez, Tyler McGraw, Sarah Lee, and Thomas Elkins.
Executive Summary
On Tuesday, June 18th, 2024, Rapid7 initiated an investigation into suspicious …
Published On : 2024-06-29
Executive Summary
At CYFIRMA, we are dedicated to providing current insights into prevalent threats and strategies utilized by malicious entities, targeting both organizations and individuals. This …
In March 2024, Zscaler ThreatLabz observed new activity from Kimsuky (aka APT43, Emerald Sleet, and Velvet Chollima), an advanced persistent threat actor backed by the North Korean government. This …
In this post we detail our comprehensive investigation into the phishing campaign encountered by our company. Our aim …
Cybereason Security Services issues Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.…
Cyble Research and Intelligence Labs (CRIL) recently came across a malware campaign involving a malicious lnk file associated with the UAC-0184 threat actor group.
Previously, UAC-0184 targeted Ukrainian…
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats …
The Securonix Threat Research (STR) team has identified the use of a stealthy backdoor payload likely targeting …
Winnti is a notorious adversary that has been operational since at least 2010 and is believed to be operating in coordination with or supported by the Chinese government. The group …
documented by Trend in 2023. A version of the legitimate VLC Media Player masquerading as a Google file (googleupdate.exe) was used to sideload a Coolclient loader (file name: libvlc.dll). The loader …
We recently discovered a new threat actor group that we dubbed Void Arachne. This group targets Chinese-speaking users with malicious Windows Installer (MSI) files in a recent campaign. These MSI …
By Ale Houspanossian · June 17, 2024
Case Summary
It was a quiet Monday morning in March 2024 when the EDR researchers with our Trellix Advanced Research Center identified an …
While responding to an incident at one of our clients, the PT ESC CSIRT team discovered a previously unknown backdoor written in Go, which we attributed to a cybercrime gang dubbed ExCobalt.
ExCobalt focuses on cyberespionage and includes several members …
With that background covered, let’s delve into several active campaigns we’ve observed, each leveraging the .LNK file format as the initial trigger for initiating the …
Key findings
Proofpoint researchers identified an increasingly popular technique leveraging unique social engineering to run PowerShell and install malware. Researchers observed TA571 and the ClearFake activity cluster use this technique. …
AhnLab SEcurity intelligence Center (ASEC) has recently discovered an attack case where a threat actor attacked the ERP server of a Korean corporation and installed a VPN server. In the …
It’s amazing to see how attackers reuse and combine known techniques to target their victims with new campaigns! Last week, I spotted some malicious MSIX packages on VT that drop a NetSupport[1] client …
Summary: This content discusses the STR RAT, a remote access trojan (RAT) written in Java, its capabilities, and its history of updates.
Threat Actor: STR RAT | STR RAT Victim: …
ESET researchers have identified five campaigns targeting Android users with trojanized apps. Most probably carried out by the Arid Viper APT group, these campaigns started in 2022 and three of …
This blog is part of my Tracking Adversaries blog series, whereby I perform a summary analysis of a particular adversary that has caught my attention and made me feel like …
Beginning in May 2024, and carrying into early June, eSentire has identified an increase in observations of Matanbuchus malware. Matanbuchus is a loader type malware that was first …
In this walkthrough, we test SmartApeSG, a malware campaign distributed via compromised sites.
SmartApeSG, tested on June 11, 2024
Distribution
Social engineering attacks via fake browser updates are increasingly common. …
Written by: Kristen Dennesen, Luke McNamara, Dmitrij Lenz, Adam Weidemann, Aline Bueno
Individuals and organizations in Brazil face a unique cyber threat landscape because it is a complex interplay of …
Trustwave SpiderLabs has detected a sophisticated malware campaign that leverages the Windows search functionality embedded in HTML code to deploy malware. We found the threat actors utilizing a sophisticated understanding …
ValleyRAT is a remote access trojan (RAT) that was initially documented in early 2023. Its main objective is to infiltrate and compromise systems, providing remote attackers with unauthorized …
All the malicious files used by the adversaries in the campaign have certain functional similarities.
By opening such a file a victim unknowingly creates the folder %AppData%\MicrosoftEdgeUpdate and copies MicrosoftEdgeUpdate.exe into it from Resources.MicrosoftEdgeUpdate.
To get a foothold in the compromised system, the adversaries create a task …