Key Takeaways 

Cyble Research and Intelligence Labs (CRIL) has come across a new .NET-based shellcode loader named Jellyfish Loader. 

Jellyfish Loader uses asynchronous task method builders (the .NET AsyncTaskMethodBuilder machinery behind async/await) to execute its code. 

The loader uses Fody with the Costura add-in to embed its dependencies as resources inside the executable, so the sample ships as a single self-contained file. 

Jellyfish Loader can send system information upon initial infection and validates the server's SSL/TLS certificate before communicating with its command-and-control (C&C) server. …
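Costura-merged dependencies leave a recognizable trace that is useful for triage. The following is an added example (my own code, not Jellyfish Loader's or Cyble's) that assumes the Costura.Fody convention: each merged assembly is stored as a manifest resource named `costura.<assembly>.dll`, or `costura.<assembly>.dll.compressed` holding a raw DEFLATE stream when compression is enabled. That naming and compression scheme is an assumption taken from the Costura project, not something this page states. The sample host and dependency bytes are constructed, not real binaries.

```python
import re
import zlib

# Costura.Fody naming convention (assumption from the Costura project, not stated on this page):
# each merged assembly becomes a manifest resource "costura.<assembly>.dll", or
# "costura.<assembly>.dll.compressed" holding a raw DEFLATE stream when compression is on.
COSTURA_NAME = re.compile(rb"costura\.[a-z0-9_.\-]+?\.dll(?:\.compressed)?", re.IGNORECASE)


def find_costura_resource_names(pe_bytes: bytes) -> list:
    """Triage: manifest resource names sit in the CLR #Strings heap as plain UTF-8,
    so a raw byte scan surfaces them without a full metadata parser."""
    return sorted({m.decode("ascii", "replace").lower() for m in COSTURA_NAME.findall(pe_bytes)})


def decompress_costura_resource(resource: bytes) -> bytes:
    """Inflate one '.compressed' resource (raw DEFLATE, wbits=-15, no zlib header)
    and require that the result starts like a PE image."""
    try:
        image = zlib.decompress(resource, wbits=-15)
    except zlib.error as exc:
        raise ValueError(f"not a raw DEFLATE stream: {exc}") from exc
    if image[:2] != b"MZ":
        raise ValueError("inflated data is not a PE image")
    return image


def is_costura_pe_resource(resource: bytes) -> bool:
    """True when the blob inflates to something that looks like an embedded PE."""
    try:
        decompress_costura_resource(resource)
        return True
    except ValueError:
        return False


def compress_like_costura(image: bytes) -> bytes:
    """Raw DEFLATE as .NET DeflateStream produces it; used only to build the constructed sample."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(image) + c.flush()


# Constructed sample: a fake dependency image and a fake host executable that carries
# its Costura resource name in a fake #Strings heap. Neither is a real binary from the report.
FAKE_DEPENDENCY = b"MZ" + b"\x90" * 64 + b"constructed dependency assembly"
FAKE_RESOURCE = compress_like_costura(FAKE_DEPENDENCY)
FAKE_HOST = (b"MZ" + b"\x00" * 32
             + b"#Strings\x00"
             + b"costura.Newtonsoft.Json.dll.compressed\x00"
             + b"costura.metadata\x00"
             + FAKE_RESOURCE)

if __name__ == "__main__":
    print(find_costura_resource_names(FAKE_HOST))
    print(decompress_costura_resource(FAKE_RESOURCE)[:2])
```

On a real sample, the resource bytes themselves are located through the CLR ManifestResource table (a tool such as dnSpy or a metadata parser gives the offset); the name scan above is only the fast first pass that tells you Costura is present and which libraries were merged.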

Key Takeaways 

Cyble Research and Intelligence Labs (CRIL) recently came across an active campaign exploiting the Microsoft SmartScreen vulnerability CVE-2024-21412 (an Internet Shortcut file security feature bypass). 

The ongoing campaign targets multiple regions, including Spain, the US, and Australia. 

It employs lures related to healthcare insurance schemes, transportation notices, and tax-related communications to deceive individuals and organizations into downloading malicious payloads. …

Key Takeaways 

Cyble Research and Intelligence Labs (CRIL) recently came across a malware campaign involving a malicious LNK file associated with the UAC-0184 threat actor group. 

Previously, UAC-0184 targeted Ukrainian entities in Finland, using the Remcos RAT in its operations. 

In its latest campaign, there are signs that the group may be focusing on Ukraine, using disguised lure documents to distribute the XWorm RAT. …

Key Takeaways 

Cyble Research and Intelligence Labs (CRIL) recently came across a campaign employing Windows shortcut (LNK) files associated with the Mustang Panda APT group. 

Mustang Panda's Chinese affiliation suggests state-sponsored or state-affiliated cyber espionage targeting government organizations, nonprofits, religious institutions, and other NGOs across the U.S.,…
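Both the UAC-0184 and Mustang Panda campaigns above start from a Windows shortcut, and the first question an analyst asks of a suspicious LNK is what it actually runs. The following is an added example (my own code, not from either report or from Cyble) of a minimal parser for the [MS-SHLLINK] header and StringData sections, with a small set of constructed triage heuristics; the indicator patterns and the two sample shortcuts are hypothetical and are not IOCs from the campaigns.

```python
import re
import struct

# [MS-SHLLINK] constants (from the public specification, not from this page)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Constructed triage heuristics (my own, not IOCs from the reports).
SUSPICIOUS = {
    "powershell": r"powershell",
    "encoded_command": r"-e(?:nc|ncodedcommand)?\s",
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "lolbin": r"\b(?:mshta|rundll32|regsvr32|certutil|wscript|cscript|bitsadmin)\b",
    "cmd_c": r"\bcmd(?:\.exe)?\s+/c\b",
    "remote_url": r"https?://",
    "unc_path": r"\\\\[a-z0-9._-]+\\",
}


def parse_lnk(data: bytes) -> dict:
    """Parse ShellLinkHeader and StringData, skipping the optional LinkTargetIDList
    and LinkInfo structures by their declared sizes."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    fields = {}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def triage_lnk(data: bytes) -> dict:
    """Parse the shortcut and tag suspicious content in the attacker-controlled string fields."""
    fields = parse_lnk(data)
    haystack = " ".join(fields.values())
    hits = sorted(name for name, pat in SUSPICIOUS.items() if re.search(pat, haystack, re.IGNORECASE))
    return {**fields, "indicators": hits}


def build_lnk(relative_path: str, arguments: str, icon_location: str) -> bytes:
    """Build a minimal Unicode .lnk; used only to construct test samples."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags)
    header += b"\x00" * (0x4C - len(header))  # remaining header fields zeroed
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon_location))
    return header + body


# Constructed samples (hypothetical): a lure-style shortcut launching an encoded PowerShell
# command behind a borrowed system icon, and a plain Notepad shortcut.
SAMPLE_MALICIOUS = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    r"%SystemRoot%\System32\imageres.dll",
)
SAMPLE_BENIGN = build_lnk(r"..\notepad.exe", "", r"%SystemRoot%\System32\notepad.exe")

if __name__ == "__main__":
    for label, blob in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, triage_lnk(blob))
```

Real lure shortcuts frequently carry a LinkTargetIDList and an ExtraData block after the strings; the parser skips the former by size and never needs the latter, which is why the arguments field is reachable without a full implementation.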

Key Takeaways 

Cyble Research and Intelligence Labs (CRIL) recently encountered a campaign using a malicious Excel document linked to the UNC1151 APT group.  

The UNC1151 APT group, originating from Belarus, is notorious for targeting Eastern European countries, including Ukraine, Lithuania, Latvia, Poland, and others. 

In the recent campaign, there are indications that the group is possibly targeting Ukraine, with a potential focus on the Ministry of Defence based on the lure document. …

Key Takeaways 

Cyble Research & Intelligence Labs (CRIL) identified a sample of Embargo ransomware, written in Rust. 

The threat actors behind this ransomware use double extortion tactics. 

We observed an instance in which the ransomware group initially demanded a $1 million ransom, threatening to leak the stolen data and notify various parties upon non-payment. …

Key Takeaways 

A new Android banking Trojan, “Antidot,” masquerades as a Google Play update application and displays fake Google Play update pages in multiple languages, indicating a wide range of targets. 

Antidot incorporates a range of malicious features, including overlay attacks and keylogging, that allow it to compromise devices and harvest sensitive information. …

Key Takeaways 

Cyble Research and Intelligence Labs (CRIL) recently uncovered a malicious website associated with the SideCopy APT group. 

Since 2019, the SideCopy threat group has been actively targeting South Asian nations, with a particular focus on India. 

Analysis of the malicious website revealed a collection of files used to execute the malware campaign, indicating a sophisticated and coordinated effort by the threat actors. …

Key Takeaways

CRIL (Cyble Research and Intelligence Labs) has discovered a new ransomware variant named Trinity. This variant employs a double extortion technique to target victims. 

The threat actors (TAs) behind Trinity ransomware operate both a victim support site and a data leak site. 

CRIL’s analysis revealed that a ransomware called “2023Lock” shares a similar ransom note format and underlying codebase with Trinity, indicating that Trinity could be a new variant of 2023Lock. …

Key Takeaways

A new Android banking Trojan, “Brokewell”, was identified being distributed via a fake Chrome update phishing site. 

The malware’s development is attributed to a developer using the handle “Baron Samedit,” who manages the “Brokewell Cyber Labs” project. 

The developer hosts the Brokewell Android Loader project repository on a Gitea instance and shares underground forum links related to their profile. …

Key Takeaways

Cyble Research & Intelligence Labs (CRIL) identified a DragonForce ransomware binary based on LockBit Black ransomware, suggesting that the threat actors behind DragonForce used the leaked LockBit Black builder to generate their binary. 

In September 2022, an X (Twitter) user shared a download link for the LockBit ransomware builder, which allows threat actors to customize ransomware payloads to their preferences. …

TransparentTribe primarily targets Indian government organizations, military personnel, and defense contractors. Its objective is usually to gather sensitive information, conduct cyber espionage, and compromise the security of its targets. 

TransparentTribe is known to target multiple platforms, including Windows and Android. The threat actors often create fake websites and documents that mimic legitimate government entities or organizations.…


Cyble Global Sensor Intelligence observed active exploitation of critical D-Link vulnerabilities 

Recently, the security community has raised concerns about vulnerabilities in D-Link Network Attached Storage (NAS) devices. The vulnerabilities, tracked as CVE-2024-3272 and CVE-2024-3273, were initially disclosed by a researcher using the alias “netsecfish” on GitHub on March 26, 2024.…


Key Takeaways

Cyble Research and Intelligence Labs (CRIL) has uncovered a novel phishing campaign tailored to cryptocurrency users.

This campaign deployed the well-known FatalRAT along with additional malware, including a clipper and a keylogger.

The threat actors (TAs) orchestrating this campaign use DLL side-loading to load and execute the FatalRAT, clipper, and keylogger modules.…
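DLL side-loading leaves a characteristic pattern in endpoint telemetry: a DLL whose name belongs in a Windows system directory is loaded from the directory of the executable that imports it. The following is an added example (my own detection logic, not Cyble's and not tied to the FatalRAT campaign's specific binaries) that evaluates Sysmon Event ID 7 (ImageLoad) records; the field names Image, ImageLoaded and Signed are Sysmon's, while the DLL watch-list and the three sample events are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Constructed watch-list of Windows DLL names frequently abused for side-loading;
# extend it from your own telemetry. SYSTEM_DIRS are where those names legitimately live.
WATCHED_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "msimg32.dll",
                "userenv.dll", "cryptbase.dll", "dwmapi.dll", "uxtheme.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def in_system_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def detect_sideload(event: dict):
    """Evaluate one Sysmon Event ID 7 record with fields Image (host process),
    ImageLoaded (DLL path) and Signed ('true'/'false'). Returns a finding or None."""
    host = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if dll.name.lower() not in WATCHED_DLLS:
        return None
    if in_system_dir(str(dll)):
        return None  # loaded from where it belongs
    if dll.parent != host.parent:
        return None  # classic side-load: the DLL sits beside the EXE that imports it
    unsigned = str(event.get("Signed", "")).lower() != "true"
    return {
        "host": str(host),
        "dll": str(dll),
        # A signed copy beside a vendor app can be legitimate redistribution; unsigned is the red flag.
        "severity": "high" if unsigned else "medium",
        "reason": f"{dll.name} loaded from the host's own directory instead of a system directory"
                  + ("; DLL is unsigned" if unsigned else ""),
    }


def triage_events(events) -> list:
    return [f for f in (detect_sideload(e) for e in events) if f]


# Constructed Sysmon-style records (hypothetical, not log lines from the campaign).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Roaming\WalletSetup\WalletSetup.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Roaming\WalletSetup\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\App.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\dbghelp.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(finding["severity"], finding["dll"], "-", finding["reason"])
```

The same-directory test is what separates side-loading from ordinary search-order hijacking; drop it if you also want DLLs planted in a writable directory on the PATH, at the cost of more noise.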

Key Takeaways

Once again, a fake e-shop campaign has been detected, this time targeting 18 Malaysian banks with upgraded malicious applications. 

The campaign has expanded from its initial focus on Malaysian banks to a broader scope that now includes banks in Vietnam and Myanmar. 

The latest version of the malware introduces advanced features such as screen sharing, abuse of Android accessibility services, and more elaborate communication with its command-and-control servers, signifying an elevated level of sophistication and persistence. …

Key Takeaways

Threat actors (TAs) are actively abusing advertising platforms like Google Ads and social media platforms such as X (formerly Twitter) to distribute crypto drainers, compromising well-known accounts, creating counterfeit profiles, and running malicious advertisements. 

Cyble Research and Intelligence Labs (CRIL) found the source code of multiple drainers leaked on cybercrime forums, including a recent leak of a Solana drainer’s source code. …