Short Summary:

FortiGuard Labs reported on a critical security incident involving the Ivanti Cloud Services Appliance (CSA), where an advanced adversary exploited multiple vulnerabilities, including CVE-2024-8190, to gain unauthorized access and control over affected systems. The attack involved chaining zero-day vulnerabilities and demonstrated sophisticated techniques to maintain persistence and exfiltrate sensitive data.…

Short Summary:

The article discusses the Emansrepo Python infostealer, which has been active since November 2023 and is distributed through phishing emails containing fake purchase orders. The malware collects sensitive information from victims’ browsers and files, sending it to the attacker’s email. The article details the attack flow and the evolution of the malware’s capabilities over time.…

Short Summary:

The article discusses a phishing campaign that delivers a new variant of the Snake Keylogger through a malicious Excel document. This keylogger is capable of collecting sensitive information from victims’ computers, including saved credentials, keystrokes, and screenshots. The campaign exploits a known vulnerability to execute its payload and employs various techniques to evade detection.…

Short Summary:

The ValleyRAT campaign targets Chinese-speaking Windows users, utilizing multi-stage malware to monitor and control victims. It employs various techniques, including shellcode execution and sandbox evasion, to maintain a low profile and evade detection. The malware is capable of delivering additional payloads and plugins, posing a significant threat to the targeted systems.…

Short Summary:

This article discusses a sophisticated phishing attack campaign that utilizes multiple layers of obfuscation and evasion techniques to distribute various types of malware, including VenomRAT and PureHVNC. The campaign targets organizations through deceptive emails, leading to the execution of malicious payloads and the collection of sensitive information from infected systems.…

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The stolen information can be used for future attacks
Severity Level: High

Spyware is malicious software engineered to covertly monitor and gather information from a user’s computer without their awareness or consent. It can record activities like keystrokes, browsing behavior, and personal information, often transmitting this data to a third party for espionage or theft.…

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The stolen information can be used for future attacks
Severity Level: High

The past few years have seen a significant increase in the number of Rust developers. Rust is a programming language focused on performance and reliability. However, for an attacker, its complicated assembly code is a significant merit.…

Affected Platforms: Microsoft Windows
Impacted Users: Windows Users
Impact: Collects sensitive information from a victim’s computer
Severity Level: Critical

A new phishing campaign was recently captured by our FortiGuard Labs that spreads a new Agent Tesla variant targeting Spanish-speaking people.

Security researchers have detected Agent Tesla campaigns from time to time for years.…

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: Compromised machines are under the control of the threat actor
Severity Level: High

FortiGuard Labs has recently identified a sophisticated cyberattack involving an Excel file embedded with a VBA macro designed to deploy a DLL file. The attacker uses a multi-stage malware strategy to deliver the notorious “Cobalt Strike” payload and establish communication with a command and control (C2) server.…

Affected Platforms: D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High

In April, FortiGuard Labs observed a new botnet targeting a D-Link vulnerability from nearly a decade ago, CVE-2015-2051. This vulnerability allows remote attackers to execute arbitrary commands via a GetDeviceSettings action on the HNAP interface.…

Affected platforms: All platforms where PyPI packages can be installed
Impacted parties: Any individuals or institutions that have these malicious packages installed
Impact: Leak of credentials, sensitive information, etc.
Severity level: High

Vigilance is paramount in cybersecurity, especially when it comes to understanding and dissecting potentially malicious code. In this blog post, we’ll delve into a piece of code (discordpy_bypass-1.7) designed to extract sensitive data from user systems.…

Affected Platforms: TP-Link Archer AX21 (AX1800) Version 1.1.4 Build 20230219 or prior
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High

Last year, a command injection vulnerability, CVE-2023-1389, was disclosed and a fix developed for the web management interface of the TP-Link Archer AX21 (AX1800).…

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The stolen information can be used for future attacks
Severity Level: High

Last year, FortiGuard Labs uncovered the 8220 Gang’s utilization of ScrubCrypt to launch attacks targeting exploitable Oracle WebLogic Servers. ScrubCrypt has been described as an “antivirus evasion tool” that converts executables into undetectable batch files.…

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: Controls victim’s device and collects sensitive information
Severity Level: High

FortiGuard Labs recently uncovered a threat actor employing a malicious PDF file to propagate the banking Trojan CHAVECLOAK. This intricate attack involves the PDF downloading a ZIP file and subsequently utilizing DLL side-loading techniques to execute the final malware.…

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows Users
Impact: This loader has been used to load multiple RATs and info stealers, which can lead to compromised credentials and enable further malicious activities
Severity Level: Medium

Executive Summary

While analyzing malware samples collected from several victims, the FortiGuard team identified a grouping of malware droppers used to deliver various final-stage payloads throughout 2023.…

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The stolen information can be used for future attacks
Severity Level: High

In January 2024, FortiGuard Labs obtained an Excel document distributing an info-stealer. From the fingerprints in this attack, it is related to a Vietnamese-based group that was first reported on in August 2023 and again in September.…

Affected platforms: All platforms where PyPI packages can be installed
Impacted parties: Any individuals or institutions that have these malicious packages installed
Impact: Leak of credentials, sensitive information, etc.
Severity level: High

The Python Package Index (PyPI) is an open repository of software packages developed by the Python community to help people quickly develop or update applications.…

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The information collected can be used for future attacks
Severity Level: High

FortiGuard Labs recently identified an email phishing campaign using deceptive booking information to entice victims into clicking on a malicious PDF file. The PDF downloads a .NET executable file created with PowerGUI and then runs a PowerShell script to fetch the final malware, known as MrAnon Stealer.…

Affected Platforms: Any OS running Apache ActiveMQ versions prior to 5.15.16, 5.16.7, 5.17.6, and 5.18.3
Impacted Parties: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical

This past October, Apache issued a critical advisory addressing CVE-2023-46604, a vulnerability involving the deserialization of untrusted data in Apache.…

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: Remote attackers gain control of the infected systems
Severity Level: Critical

FortiGuard Labs recently identified the use of a Russian-language Word document equipped with a malicious macro in the ongoing Konni campaign. Despite the document’s creation date of September, ongoing activity on the campaign’s C2 server is evident in internal telemetry, as shown in Figure 1.…

Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical

In September 2023, our FortiGuard Labs team observed that the IZ1H9 Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Thirteen payloads were included in this variant, including D-Link devices, Netis wireless router, Sunhillo SureLine, Geutebruck IP camera, Yealink Device Management, Zyxel devices, TP-Link Archer, Korenix Jetwave, and TOTOLINK routers.…

Affected platforms: All platforms where NPM packages can be installed
Impacted parties: Any individuals or institutions that have these malicious packages installed
Impact: Leak of credentials, sensitive information, source code, etc.
Severity level: High

Over the past few months, the FortiGuard Labs team has discovered several malicious packages hidden in NPM (Node Package Manager), the largest software registry for the JavaScript programming language.…

A Short History Lesson

In 1923, the Soviet Union created the Nagorno-Karabakh Autonomous Oblast (an oblast is an administrative region or province) within the Azerbaijan Soviet Socialist Republic. This oblast has a 95% ethnically Armenian population. In 1988, Nagorno-Karabakh declared its intention to leave Azerbaijan and join the neighboring Republic of Armenia.…

Affected platforms: Microsoft Windows
Impacted parties: Windows Users
Impact: Collects sensitive information from a victim’s computer
Severity level: Critical

Our FortiGuard Labs captured a phishing campaign that spreads a new Agent Tesla variant. This well-known malware family uses a .Net-based Remote Access Trojan (RAT) and data stealer to gain initial access.…

Affected platforms: Windows and macOS
Impacted parties: Users of vulnerable versions of Adobe ColdFusion
Impact: Remote attackers gain control of vulnerable systems
Severity level: Critical

This past July, Adobe responded to reports of exploits targeting pre-authentication remote code execution (RCE) vulnerabilities in their ColdFusion solution by releasing a series of security updates: APSB23-40, APSB23-41, and APSB23-47.…
