Short Summary

The German CERT has issued a critical warning regarding the exploitation of two vulnerabilities in Palo Alto Networks’ PAN-OS, urging immediate patching to prevent unauthorized access and command execution. These vulnerabilities, CVE-2024-0012 and CVE-2024-9474, pose significant risks to organizations worldwide. The urgency for remediation is heightened as active attacks are already underway.…
Short Summary

The Cybersecurity and Infrastructure Security Agency (CISA) has added Fortinet’s FortiManager to its Known Exploited Vulnerabilities (KEV) catalog due to a critical vulnerability (CVE-2024-47575) with a CVSS score of 9.8. This vulnerability allows remote, unauthenticated attackers to execute arbitrary commands or code, posing significant risks to organizations.…

Short Summary

Cyble Research and Intelligence Labs (CRIL) has identified a sophisticated multi-stage malware attack targeting job seekers and digital marketing professionals, particularly those involved with Meta Ads. The attack uses a malicious LNK file to deploy Quasar RAT, employing various evasion techniques to avoid detection and maintain persistence on compromised systems.…

Short Summary

The “ErrorFather” campaign, identified by Cyble Research and Intelligence Labs, utilizes an undetected Cerberus Android Banking Trojan payload. This sophisticated malware employs a multi-stage infection chain, including session-based droppers and encrypted payloads, making detection challenging. The campaign has ramped up since September 2024, showcasing advanced techniques like keylogging, overlay attacks, and a Domain Generation Algorithm (DGA) for resilient command and control operations.…

Short Summary

Cyble Research and Intelligence Labs (CRIL) has discovered a new loader builder named “MisterioLNK,” which is open-source and available on GitHub. This tool allows threat actors to create obfuscated files that evade detection by traditional security systems. MisterioLNK supports multiple scripting formats and obfuscation techniques, making it a significant challenge for cybersecurity defenses.…

Short Summary

The Patchwork APT group has launched a sophisticated campaign targeting Chinese entities and Bhutan, utilizing a malicious LNK file to initiate infections. The campaign employs DLL sideloading techniques to execute malware that evades detection and steals sensitive information from compromised systems.

Key Points: Patchwork APT group continues targeting Chinese and Bhutanese entities.…
Short Summary

CISA has added critical vulnerabilities affecting Microsoft Windows MSHTML Platform (CVE-2024-43461) and Progress WhatsUp Gold (CVE-2024-6670) to its Known Exploited Vulnerabilities catalog. Users are urged to update affected products immediately due to active exploits and the severity of these vulnerabilities.

Key Points: CISA has added CVE-2024-43461 and CVE-2024-6670 to its Known Exploited Vulnerabilities catalog.…
Short Summary

CISA has added critical vulnerabilities affecting Microsoft Windows MSHTML Platform (CVE-2024-43461) and Progress WhatsUp Gold (CVE-2024-6670) to its Known Exploited Vulnerabilities catalog. Users are urged to update affected products promptly due to active exploitation.

Key Points: CISA has included CVE-2024-43461 and CVE-2024-6670 in its Known Exploited Vulnerabilities catalog.…
Short Summary

Cyble Research and Intelligence Labs (CRIL) uncovered a sophisticated cyber campaign targeting individuals associated with the upcoming US-Taiwan Defense Industry Conference. The attack utilizes a deceptive ZIP file containing a malicious LNK file disguised as a PDF registration form, which, when executed, establishes persistence and exfiltrates sensitive data while evading detection.…

Short Summary

On September 7, 2024, Cyble Global Sensor Intelligence (CGSI) reported active exploitation of CVE-2024-32113, a critical path traversal vulnerability in Apache OFBiz. This vulnerability allows attackers to execute arbitrary commands through specially crafted requests. The situation worsened with the discovery of CVE-2024-45195, which bypasses previous patches, leading to increased exploitation attempts, including the deployment of the Mirai botnet.…

Short Summary

The Head Mare hacktivist group targets Russian and Belarusian organizations, leveraging cyberattacks as a means to influence geopolitical tensions related to the Russo-Ukrainian conflict. Their operations involve sophisticated phishing and ransomware techniques, exploiting vulnerabilities to destabilize key institutions in these nations.

Key Points: Head Mare targets Russian and Belarusian organizations to influence political and economic stability.…
Short Summary

Cyble Research and Intelligence Lab (CRIL) has uncovered a targeted cyber-attack campaign in Malaysia, aimed at political figures and government officials. The attack utilizes malicious ISO files containing components designed to deploy the Babylon RAT, an open-source Remote Access Trojan, enabling unauthorized access and data exfiltration from compromised systems.…

Short Summary

Iranian state-backed actors, known as “Pioneer Kitten,” are increasingly targeting critical infrastructure in the U.S. and allied nations. They have evolved into access brokers for ransomware gangs, monetizing network access while also conducting espionage aligned with Iranian government interests. A joint advisory from the FBI, CISA, and DC3 emphasizes the need for organizations to enhance their cybersecurity measures.…

Short Summary

RansomHub ransomware, which emerged in February 2024, poses a significant threat to various sectors, including critical infrastructure. Utilizing a double-extortion model, it encrypts and exfiltrates data to demand ransoms. The ransomware employs sophisticated techniques such as exploiting zero-day vulnerabilities and advanced data exfiltration methods, making it a formidable challenge for cybersecurity defenses.…

Short Summary

Cyble Research and Intelligence Labs (CRIL) has discovered a phishing site that impersonates Zoom to trick users into downloading ScreenConnect software. This software allows attackers to gain unauthorized remote access to victims’ computers, facilitating further malicious activities. The campaign also involves spam emails targeting Social Security Administration (SSA) account holders, urging them to download applications under false pretenses.…

Short Summary

Cyble Research and Intelligence Labs (CRIL) uncovered a phishing site that mimics the official World Agricultural Cycling Competition (WACC) website. The site, launched shortly after the event, aims to deceive users into downloading malicious files disguised as event photos, ultimately delivering a Havoc Command and Control (C2) framework.…

Short Summary

The UTG-Q-010 group, a financially motivated APT actor from East Asia, has been identified in a sophisticated campaign targeting cryptocurrency enthusiasts and HR departments. Utilizing spear phishing tactics with malicious LNK files, the group exploits vulnerabilities through social engineering and advanced malware delivery methods, including the use of the Pupy RAT.…

Short Summary

Since July 2024, there has been a surge in the detection of a new variant of Gigabud malware, which employs sophisticated phishing tactics by masquerading as legitimate airline applications. The malware’s operations have expanded to target users in multiple countries, and analysis suggests a connection between Gigabud and Golddigger malware, indicating a coordinated approach by the same threat actor.…

Short Summary

Cyble Research and Intelligence Lab (CRIL) has uncovered a sophisticated phishing campaign that uses a fake Google Safety Centre page to distribute malicious software. The phishing site tricks users into downloading a file disguised as Google Authenticator, which actually installs two types of malware: Latrodectus and ACR Stealer.…

On July 19th, 2024, CrowdStrike, a leading cybersecurity provider of advanced endpoint security detection and protection solutions, released a sensor configuration update to Windows systems. This update contained a logic error that resulted in system crashes and Blue Screen of Death (BSOD) incidents. The faulty software update caused widespread disruptions on Friday, affecting critical services in banks, airlines, hospitals, stock markets, and IT industries globally.…

Key Takeaways

Cyble Research and Intelligence Labs (CRIL) has uncovered a multi-stage cyberattack campaign with a Zip file containing a malicious shortcut (.lnk) file.  

When the shortcut is executed, it downloads a PowerShell script, initiating a chain of events that ultimately allows the Threat Actor (TA) to gain Remote Desktop Protocol (RDP) access to the victim’s system. …
Key Takeaways

Cyble Research and Intelligence Labs (CRIL) has come across a new .NET-based ShellCode loader named Jellyfish Loader. 

Jellyfish Loader uses asynchronous task method builders to execute code. 

The loader utilizes Fody and Costura to embed dependencies as resources within the executable. 

Jellyfish Loader has the capability to send system information upon initial infection and employs SSL certificate validation before Command and Control (C&C) communication. …
Key Takeaways

Cyble Research and Intelligence Labs (CRIL) recently came across an active campaign exploiting the Microsoft SmartScreen vulnerability (CVE-2024-21412).  

The ongoing campaign targets multiple regions, including Spain, the US, and Australia. 

It employs lures related to healthcare insurance schemes, transportation notices, and tax-related communications to deceive individuals and organizations into downloading malicious payloads onto their machines. …
Key Takeaways

Cyble Research and Intelligence Labs (CRIL) recently came across a malware campaign involving a malicious LNK file associated with the UAC-0184 threat actor group.

Previously, UAC-0184 targeted Ukrainian entities in Finland, utilizing the Remcos RAT in their operations. 

In their latest campaign, there are signs suggesting the group may be focusing on Ukraine, using disguised lure documents to distribute the XWorm RAT. …
Key Takeaways

Cyble Research and Intelligence Labs (CRIL) recently came across a campaign employing Windows shortcut (LNK) files associated with the Mustang Panda APT group. 

Mustang Panda, with its Chinese affiliation, suggests potential state-sponsored or state-affiliated cyber espionage activities targeting government organizations, nonprofits, religious institutions, and other NGOs across the U.S.,…
Key Takeaways

Cyble Research and Intelligence Labs (CRIL) recently encountered a campaign using a malicious Excel document linked to the UNC1151 APT group.  

The UNC1151 APT group, originating from Belarus, is notorious for targeting Eastern European countries, including Ukraine, Lithuania, Latvia, Poland, and others. 

In the recent campaign, there are indications that the group is possibly targeting Ukraine, with a potential focus on the Ministry of Defence based on the lure document. …
Key Takeaways

Cyble Research & Intelligence Labs (CRIL) identified a sample of Embargo ransomware, developed in Rust. 

The Threat Actors behind this ransomware are using double extortion tactics. 

We observed an instance where the ransomware group initially demanded a $1 million ransom payment, threatening a data leak and notifications to various parties upon non-payment. …
Key Takeaways

A new Android Banking Trojan, “Antidot,” masquerading as a Google Play update application, displays fake Google Play update pages in multiple languages, indicating a wide range of targets.  

Antidot incorporates a range of malicious features, including overlay attacks and keylogging, allowing it to compromise devices and harvest sensitive information. …
Key Takeaways

Cyble Research and Intelligence Labs (CRIL) recently uncovered a malicious website associated with the SideCopy APT group. 

Since 2019, the SideCopy threat group has been actively targeting South Asian nations, with a particular focus on India. 

Analysis of the malware website revealed a collection of files utilized in executing the malware campaign, indicating a sophisticated and coordinated effort by the threat actors. …
Key Takeaways

CRIL (Cyble Research and Intelligence Labs) has discovered a new ransomware variant named Trinity. This variant employs a double extortion technique to target victims. 

The Threat Actors (TA) behind Trinity ransomware utilize both victim support and data leak sites.  

CRIL’s analysis unveiled that a ransomware called “2023Lock” shares a similar ransom note format and underlying codebase with Trinity, indicating it could be a new variant of 2023Lock. …
Key Takeaways

A new Android Banking Trojan, “Brokewell”, was identified being distributed via a fake Chrome Update phishing site.

The malware’s development is attributed to the developer, “Baron Samedit,” who manages the “Brokewell Cyber Labs” project. 

Utilizing Gitea, the malware developer hosts the Brokewell Android Loader project repository and shares underground forum links related to their profile. …
Key Takeaways

Cyble Research & Intelligence Labs (CRIL) identified a DragonForce ransomware binary based on LOCKBIT Black ransomware, suggesting the threat actors behind DragonForce used a leaked builder of LOCKBIT Black ransomware to generate their binary. 

In September 2022, an X (Twitter) user shared the download link for the LockBit ransomware builder, which allows threat actors to customize ransomware payloads according to their preferences. …
TransparentTribe primarily targets Indian government organizations, military personnel, and defense contractors. Its objective is usually to gather sensitive information, conduct cyber espionage, and compromise the security of its targets.  

TransparentTribe is known to have exploited various platforms, including Windows and Android, in their endeavours. The threat actors often create fake websites and documents that mimic legitimate government entities or organizations.…

Cyble Global Sensor Intelligence observed active exploitation of a critical D-Link vulnerability

Recently, the security community has raised concerns regarding the vulnerabilities found in D-Link Network Attached Storage (NAS) devices. The vulnerabilities, identified as CVE-2024-3272 and CVE-2024-3273, were initially disclosed by an individual who goes by the alias “netsecfish” on GitHub on March 26, 2024.…

Key Takeaways

Cyble Research and Intelligence Labs (CRIL) has uncovered a novel phishing campaign tailored to cryptocurrency users.

This campaign was deploying a well-known FatalRAT along with additional malware such as Clipper and Keylogger.

The Threat Actors (TAs) orchestrating this campaign employ the DLL side-loading technique to load and execute FatalRAT, Clipper, and Keylogger modules.…
Key Takeaways

Once again, a fake e-shop campaign has been detected, this time targeting 18 Malaysian banks with upgraded malicious applications. 

The campaign has progressed from its initial focus on Malaysian banks to a broader scope that now encompasses banks in Vietnam and Myanmar. 

The latest version of the malware introduces advanced features such as screen-sharing functionality, the utilization of accessibility services, and intricate communication with command and control servers, signifying an elevated level of sophistication and perseverance. …
Key Takeaways

Threat actors (TAs) are actively exploiting platforms like Google Ads and social media platforms such as X (formerly Twitter) to disseminate crypto drainers, employing tactics such as compromising famous accounts, generating counterfeit profiles, and using malicious advertisements. 

Cyble Research and Intelligence Labs (CRIL) found multiple drainer source codes leaked on cybercrime forums, including a recent leak of a Solana drainer’s source code. …
Key Takeaways

In February, the FBI took down the WarzoneRAT malware operation, seizing its infrastructure and arresting two individuals linked to the cybercrime operation.

Recently, Cyble Research and Intelligence Labs (CRIL) observed a few samples from a malware campaign possibly distributed via tax-themed spam emails, deploying WarzoneRAT (Avemaria) as the final payload. …