Research by: Jiri Vinopal
Highlights: Check Point Research (CPR) reveals the increasing abuse of BoxedApp products to deploy multiple known malware families. BoxedApp products are general packers built on top of its SDK, which provides the ability to create Virtual Storage (Virtual File System, Virtual Registry), Virtual Processes, and a universal instrumentation system (WIN/NT API hooking).…Author: Checkpoint
Packers or crypters are widely used to protect malicious software from detection and static analysis. These auxiliary tools, through the use of compression and encryption algorithms, enable cybercriminals to prepare unique samples of malicious software for each campaign or even per victim, which complicates the work of antivirus software.…
Key Findings
Sharp Dragon’s (Formerly referred to as Sharp Panda) operations continue, expanding their focus now to new regions – Africa and the Caribbean.
Sharp Dragon, a Chinese threat actor, utilizes trusted government entities to infect new ones and establish initial footholds in new territories.
The threat actors demonstrate increased caution in selecting their targets, broadening their reconnaissance efforts, and adopting Cobalt Strike Beacon over custom backdoors.…
Read More
Void Manticore is an Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS). They carry out destructive wiping attacks combined with influence operations.
The threat actor operates several online personas, with the most prominent among them being Homeland Justice for attacks in Albania and Karma for attacks carried out in Israel.…
Read More
Research by: Antonis Terefos
IntroductionPDF (Portable Document Format) files have become an integral part of modern digital communication. Renowned for their universality and fidelity, PDFs offer a robust platform for sharing documents across diverse computing environments. PDFs have evolved into a standard format for presenting text, images, and multimedia content with consistent layout and formatting, irrespective of the software, hardware, or operating system used to view them.…
Research by: Raman Ladutska
We chose a fantasy decoration style at certain points of the article to attract attention to the described problem. We hope that visualizing a fantasy adventure as a fight against the source of evil will transform the real world and make it a safer and better place.…
Key takeaways
Dating apps often use location data, to show users nearby and their distances. However, openly sharing distances can lead to security issues. Techniques like trilateration allow attackers to determine user coordinates using distance information.
Despite safety measures, the Hornet dating app (a popular gay dating app with over 10 million downloads) had vulnerabilities, allowing precise location determination, even if users disabled the display of their distances.…
Read More
Author: Yoav Arad Pinkas
Key Findings AI is already extensively utilized in election campaigns worldwide. Deepfakes and voice cloning have been employed in elections in three main venues: By candidates for self-promotion. By candidates to attack and defame political opponents. By foreign nation-state actors to defame specific candidates.…Research by: Antonis Terefos, Raman Ladutska
Part I from the series E-Crime & Punishment
When considering a notoriously famous topic known for quite a long time, it may feel like there is nothing new to add to this area anymore – all paths traced, all words said, all “i”s dotted.…
______________________Summary: The blog post analyzes the Linux version of DinodasRAT, a malware used by Chinese-nexus APT threat actors. The Linux version, known as Linodas, has separate development and introduces auxiliary modules with separate configuration files. It focuses on establishing and controlling reverse shells, collecting user activity from logs, and manipulating local file content.…
Key Points
Magnet Goblin is a financially motivated threat actor that quickly adopts and leverages 1-day vulnerabilities in public-facing services as an initial infection vector. At least in one case of Ivanti Connect Secure VPN (CVE-2024-21887), the exploit entered the group’s arsenal as fast as within 1 day after a POC for it was published.…
Read More
Introduction
Read More
Recently, Check Point Research released a white paper titled “The Obvious, the Normal, and the Advanced: A Comprehensive Analysis of Outlook Attack Vectors”, detailing various attack vectors on Outlook to help the industry understand the security risks the popular Outlook app may bring into organizations.…
Key Findings
Two new 1-day LPE exploits were used by the Raspberry Robin worm before they were publicly disclosed, which means that Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in a short period of time.
Raspberry Robin is continually updated with new features and evasions to be even stealthier than before.…
Read More
By Oded Vanunu, Dikla Barda, Roman Zaikin
A recent investigation conducted by Check Point Research has revealed a sophisticated NFT scam campaign operating on a large scale:
This campaign is unique in its methodology, employing a source spoofing technique to target a broad spectrum of token holders.…
Research by: Jiri Vinopal
Key Points Check Point Research (CPR) provides an introduction to .NET managed hooking using the Harmony library. We cover the most common examples of implementation using different types of Harmony patches. The practical example using Harmony hooking to defeat the notorious “ConfuserEx2” obfuscator results in the “ConfuserEx2_String_Decryptor” tool.…By Oded Vanunu, Dikla Barda, Roman Zaikin
Unmasking Deceptive Tactics: A recent investigation by Check Point Research exposes a troubling trend in the cryptocurrency landscape. The cryptocurrency community has been witnessing an alarming increase in sophisticated phishing attacks.
These threats are unique in their approach, targeting a wide range of blockchain networks, from Ethereum and Binance Smart Chain to Polygon, Avalanche, and almost 20 other networks by using a crypto wallet-draining technique.…
Research by: hasherezade
Highlights The Rhadamanthys stealer is a multi-layer malware, sold on the black market, and frequently updated. Recently the author released a new major version, 0.5.0. In the new version, the malware expands its stealing capabilities and also introduces some general-purpose spying functions. A new plugin system makes the malware expandable for specific distributor needs.…By Oded Vanunu, Dikla Barda, Roman Zaikin
Unmasking Deceptive Tactics: A recent investigation by Check Point Research exposes a troubling trend in the cryptocurrency landscape. Deceptive actors are manipulating pool liquidity, sending token prices soaring by a shocking 22,000%. $80,000 Heist Unveiled: The manipulation of pool liquidity resulted in a swift and calculated theft of $80,000 from unsuspecting token holders.…
Key Findings
Check Point Research is actively tracking the evolution of SysJoker, a previously publicly unattributed multi-platform backdoor, which we asses was utilized by a Hamas-affiliated APT to target Israel.
Among the most prominent changes is the shift to Rust language, which indicates the malware code was entirely rewritten, while still maintaining similar functionalities.…
Read More
By Oded Vanunu, Dikla Barda, Roman Zaikin
Highlights Blockchain Vigilance Unveils Million-Dollar Heist: Our Threat Intel Blockchain system uncovered an ongoing Rug Pull event, and traced the actor behind this scheme The Scammer’s Tactics: Exploiting Hype for Ill-Gotten Gains, The perpetrator lured unsuspecting victims into investing.…