FunkSec – Alleged Top Ransomware Group Powered by AI
The FunkSec ransomware group emerged in late 2024, quickly gaining notoriety for claiming over 85 victims in December alone. Utilizing AI-assisted malware development, the group blurs the lines between hacktivism and cybercrime, complicating assessments of their true motivations and capabilities. Their operations raise questions about the authenticity of their claims and the reliability of current threat evaluation methods.…
Summary:

Check Point Research provides an in-depth analysis of the Akira ransomware’s Rust version, which specifically targets ESXi servers. The report highlights the complexities of reverse-engineering Rust binaries and the design choices made by the malware authors. It emphasizes the unique features of the ransomware and the challenges faced in understanding its control flow and encryption logic.…

Summary:

Check Point Research (CPR) analyzes WezRat, a custom modular infostealer attributed to the Iranian cyber group Emennet Pasargad. The malware, which has been active for over a year, was recently distributed via phishing emails impersonating the Israeli National Cyber Directorate. WezRat can execute various commands, including keylogging and file uploads, and has evolved significantly over time.…

Summary:

Check Point Research has identified a sophisticated phishing campaign named CopyRh(ight)adamantys, which targets various regions by impersonating companies and exploiting copyright infringement themes. This campaign deploys the latest version of the Rhadamanthys stealer (0.7) and utilizes automated methods for lure distribution, raising concerns about the potential use of AI tools.…

Summary:

APT36, also known as Transparent Tribe, is a Pakistan-based threat actor that has been persistently targeting Indian government organizations and military facilities. This report details the evolution of their Windows RAT, ElizaRAT, which has undergone significant enhancements since its discovery in 2023, including improved evasion techniques and the introduction of a new payload, ApoloStealer.…

Short Summary:

This research by Check Point focuses on the increasing number of vulnerable Windows drivers and their exploitation potential. It highlights the characteristics shared by these drivers, the methodologies used to identify them, and the importance of addressing design flaws to mitigate risks. The study emphasizes that many vulnerabilities are not complex and can be easily fixed, yet they continue to pose significant security threats.…

Short Summary

Check Point Research (CPR) discovered a malicious app on Google Play that targeted mobile users to steal cryptocurrency, marking a new trend in crypto draining tactics. The app masqueraded as a legitimate WalletConnect tool, utilizing social engineering and advanced evasion techniques to remain undetected for nearly five months, resulting in losses exceeding $70,000 from over 150 victims.…

Short Summary

Check Point Research (CPR) discovered a malicious app on Google Play that targeted mobile users to steal cryptocurrency, marking a significant shift in the tactics used by crypto drainers. The app masqueraded as a legitimate WalletConnect tool and employed advanced evasion techniques to avoid detection, resulting in over $70,000 in stolen funds from more than 150 victims before its removal.…

Short Summary

DLL Hijacking is a technique that exploits legitimate applications to execute malicious code. This write-up provides an overview of DLL Hijacking, its purpose, and the various documented instances of its use over the past decade. It highlights the methods employed by attackers, the tools available for developers to mitigate such attacks, and a proof-of-concept for a protective tool that utilizes digital signatures.…


Short Summary:

Check Point Research has uncovered a new attack vector where threat actors exploit Windows Internet Shortcut files (.url) to lure users into executing remote code. By utilizing the retired Internet Explorer browser and employing tricks like the “mhtml” prefix and hiding the .hta extension, attackers can deceive victims into believing they are opening harmless PDF files, ultimately leading to malicious code execution.…

Short Summary

Check Point Research has identified new malware families, Veaty and Spearal, used in targeted attacks against Iraqi government networks. These malware samples employ various techniques, including a passive IIS backdoor, DNS tunneling, and command and control (C2) communication via compromised email accounts. The campaign shows strong ties to the Iranian threat actor APT34, with similarities to previously identified malware families like Karkoff and Saitama.…

Short Summary

Server-Side Template Injection (SSTI) vulnerabilities allow attackers to inject malicious code into server-side templates, leading to arbitrary code execution, data theft, and potential server compromise. Recent trends show an increase in critical CVEs affecting various web applications, particularly in sectors like Retail/Wholesale and Finance/Banking.…


Research by: Antonis Terefos (@Tera0017)

Key Points

Check Point Research identified a network of GitHub accounts (Stargazers Ghost Network) that distribute malware or malicious links via phishing repositories. The network consists of multiple accounts that distribute malicious links and malware and perform other actions such as starring, forking, and subscribing to malicious repositories to make them appear legitimate.…
Key Findings

MuddyWater, an Iranian threat group affiliated with the Ministry of Intelligence and Security (MOIS), has significantly increased its activities in Israel since the beginning of the Israel-Hamas war in October 2023. This parallels its activities against targets in Saudi Arabia, Turkey, Azerbaijan, India and Portugal. The threat actors consistently use phishing campaigns sent from compromised organizational email accounts.…

by Haifei Li

Introduction and Background

Check Point Research recently discovered that threat actors have been using novel (or previously unknown) tricks to lure Windows users for remote code execution. Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL.…


Author: Moshe Marelus

Introduction

In recent months, CPR has been investigating the usage of compiled V8 JavaScript by malware authors. Compiled V8 JavaScript is a lesser-known feature in V8, Google’s JavaScript engine, that enables the compilation of JavaScript into low-level bytecode. This technique assists attackers in evading static detections and hiding their original source code, rendering it almost impossible to analyze statically.…
