Summary:
Check Point Research (CPR) analyzes WezRat, a custom modular infostealer attributed to the Iranian cyber group Emennet Pasargad. The malware, which has been active for over a year, was recently distributed via phishing emails impersonating the Israeli National Cyber Directorate. WezRat can execute various commands, including keylogging and file uploads, and has evolved significantly over time.…
Author: Checkpoint
Summary:
Check Point Research has identified ongoing activities of the WIRTE threat actor, linked to Hamas, which continues its espionage and disruptive operations in the Middle East despite regional conflicts. The group has evolved its tactics, utilizing custom malware and phishing campaigns targeting entities in various countries, including Israel.…
Summary:
Check Point Research has identified a sophisticated phishing campaign named CopyRh(ight)adamantys, which targets various regions by impersonating companies and exploiting copyright infringement themes. This campaign deploys the latest version of the Rhadamanthys stealer (0.7) and utilizes automated methods for lure distribution, raising concerns about the potential use of AI tools.…
Summary:
APT36, also known as Transparent Tribe, is a Pakistan-based threat actor that has been persistently targeting Indian government organizations and military facilities. This report details the evolution of their Windows RAT, ElizaRAT, which has undergone significant enhancements since its discovery in 2023, including improved evasion techniques and the introduction of a new payload, ApoloStealer.…
Short Summary:
This research by Check Point focuses on the increasing number of vulnerable Windows drivers and their exploitation potential. It highlights the characteristics shared by these drivers, the methodologies used to identify them, and the importance of addressing design flaws to mitigate risks. The study emphasizes that many vulnerabilities are not complex and can be easily fixed, yet they continue to pose significant security threats.…
Check Point Research (CPR) discovered a malicious app on Google Play that targeted mobile users to steal cryptocurrency, marking a new trend in crypto draining tactics. The app masqueraded as a legitimate WalletConnect tool, utilizing social engineering and advanced evasion techniques to remain undetected for nearly five months, resulting in losses exceeding $70,000 from over 150 victims.…
Check Point Research (CPR) discovered a malicious app on Google Play that targeted mobile users to steal cryptocurrency, marking a significant shift in the tactics used by crypto drainers. The app masqueraded as a legitimate WalletConnect tool and employed advanced evasion techniques to avoid detection, resulting in over $70,000 in stolen funds from more than 150 victims before its removal.…
DLL Hijacking is a technique that exploits legitimate applications to execute malicious code. This write-up provides an overview of DLL Hijacking, its purpose, and the various documented instances of its use over the past decade. It highlights the methods employed by attackers, the tools available for developers to mitigate such attacks, and a proof-of-concept for a protective tool that utilizes digital signatures.…
Short Summary:
Check Point Research has uncovered a new attack vector where threat actors exploit Windows Internet Shortcut files (.url) to lure users into executing remote code. By utilizing the retired Internet Explorer browser and employing tricks like the “mhtml” prefix and hiding the .hta extension, attackers can deceive victims into believing they are opening harmless PDF files, ultimately leading to malicious code execution.…
Check Point Research has identified new malware families, Veaty and Spearal, used in targeted attacks against Iraqi government networks. These malware samples employ various techniques, including a passive IIS backdoor, DNS tunneling, and command and control (C2) communication via compromised email accounts. The campaign shows strong ties to the Iranian threat actor APT34, with similarities to previously identified malware families like Karkoff and Saitama.…
Short Summary:
Check Point Research has uncovered Styx Stealer, a new malware variant capable of stealing sensitive data from browsers, messaging apps, and cryptocurrency wallets. The developer, linked to the Agent Tesla threat actor, made significant operational security mistakes that led to the exposure of personal and operational details.…
Server-Side Template Injection (SSTI) vulnerabilities allow attackers to inject malicious code into server-side templates, leading to arbitrary code execution, data theft, and potential server compromise. Recent trends show an increase in critical CVEs affecting various web applications, particularly in sectors like Retail/Wholesale and Finance/Banking.…
Research by: Antonis Terefos (@Tera0017)
Key Points
Check Point Research identified a network of GitHub accounts (Stargazers Ghost Network) that distribute malware or malicious links via phishing repositories. The network consists of multiple accounts that distribute malicious links and malware and perform other actions such as starring, forking, and subscribing to malicious repositories to make them appear legitimate.…
by Haifei Li
Introduction and Background
Check Point Research recently discovered that threat actors have been using novel (or previously unknown) tricks to lure Windows users for remote code execution. Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL.…
Author: Moshe Marelus
Introduction
In recent months, CPR has been investigating the usage of compiled V8 JavaScript by malware authors. Compiled V8 JavaScript is a lesser-known feature in V8, Google’s JavaScript engine, that enables the compilation of JavaScript into low-level bytecode. This technique assists attackers in evading static detections and hiding their original source code, rendering it almost impossible to analyze statically.…
Cryptographic attacks, even more advanced ones, are often made more difficult to understand than they need to be. Sometimes it’s because the explanation is “too much too soon” — it skips the simple general idea and goes straight to real world attacks with all their messy details.…
Research by: Jiri Vinopal
Highlights:
Check Point Research (CPR) reveals the increasing abuse of BoxedApp products to deploy multiple known malware families. BoxedApp products are general packers built on top of its SDK, which provides the ability to create Virtual Storage (Virtual File System, Virtual Registry), Virtual Processes, and a universal instrumentation system (WIN/NT API hooking).…
Packers or crypters are widely used to protect malicious software from detection and static analysis. These auxiliary tools, through the use of compression and encryption algorithms, enable cybercriminals to prepare unique samples of malicious software for each campaign or even per victim, which complicates the work of antivirus software.…
Research by: Antonis Terefos
Introduction
PDF (Portable Document Format) files have become an integral part of modern digital communication. Renowned for their universality and fidelity, PDFs offer a robust platform for sharing documents across diverse computing environments. PDFs have evolved into a standard format for presenting text, images, and multimedia content with consistent layout and formatting, irrespective of the software, hardware, or operating system used to view them.…
Research by: Raman Ladutska
We chose a fantasy decoration style at certain points of the article to attract attention to the described problem. We hope that visualizing a fantasy adventure as a fight against the source of evil will transform the real world and make it a safer and better place.…
Author: Yoav Arad Pinkas
Key Findings
AI is already extensively utilized in election campaigns worldwide. Deepfakes and voice cloning have been employed in elections in three main venues: by candidates for self-promotion; by candidates to attack and defame political opponents; by foreign nation-state actors to defame specific candidates.…
Research by: Antonis Terefos, Raman Ladutska
Part I from the series E-Crime & Punishment
When considering a notoriously famous topic known for quite a long time, it may feel like there is nothing new to add to this area anymore – all paths traced, all words said, all “i”s dotted.…
Summary:
The blog post analyzes the Linux version of DinodasRAT, a malware used by Chinese-nexus APT threat actors. The Linux version, known as Linodas, has separate development and introduces auxiliary modules with separate configuration files. It focuses on establishing and controlling reverse shells, collecting user activity from logs, and manipulating local file content.…
Recently, Check Point Research released a white paper titled “The Obvious, the Normal, and the Advanced: A Comprehensive Analysis of Outlook Attack Vectors”, detailing various attack vectors on Outlook to help the industry understand the security risks the popular Outlook app may bring into organizations.…
By Oded Vanunu, Dikla Barda, Roman Zaikin
A recent investigation conducted by Check Point Research has revealed a sophisticated NFT scam campaign operating on a large scale:
This campaign is unique in its methodology, employing a source spoofing technique to target a broad spectrum of token holders.…
Research by: Jiri Vinopal
Key Points
Check Point Research (CPR) provides an introduction to .NET managed hooking using the Harmony library. We cover the most common examples of implementation using different types of Harmony patches. The practical example using Harmony hooking to defeat the notorious “ConfuserEx2” obfuscator results in the “ConfuserEx2_String_Decryptor” tool.…
By Oded Vanunu, Dikla Barda, Roman Zaikin
Unmasking Deceptive Tactics: A recent investigation by Check Point Research exposes a troubling trend in the cryptocurrency landscape. The cryptocurrency community has been witnessing an alarming increase in sophisticated phishing attacks.
These threats are unique in their approach, targeting a wide range of blockchain networks, from Ethereum and Binance Smart Chain to Polygon, Avalanche, and almost 20 other networks by using a crypto wallet-draining technique.…
Research by: hasherezade
Highlights
The Rhadamanthys stealer is a multi-layer malware, sold on the black market, and frequently updated. Recently the author released a new major version, 0.5.0. In the new version, the malware expands its stealing capabilities and also introduces some general-purpose spying functions. A new plugin system makes the malware expandable for specific distributor needs.…
By Oded Vanunu, Dikla Barda, Roman Zaikin
Unmasking Deceptive Tactics: A recent investigation by Check Point Research exposes a troubling trend in the cryptocurrency landscape. Deceptive actors are manipulating pool liquidity, sending token prices soaring by a shocking 22,000%.
$80,000 Heist Unveiled: The manipulation of pool liquidity resulted in a swift and calculated theft of $80,000 from unsuspecting token holders.…
By Oded Vanunu, Dikla Barda, Roman Zaikin
Highlights
Blockchain Vigilance Unveils Million-Dollar Heist: Our Threat Intel Blockchain system uncovered an ongoing Rug Pull event and traced the actor behind this scheme.
The Scammer’s Tactics: Exploiting Hype for Ill-Gotten Gains. The perpetrator lured unsuspecting victims into investing.…