Short Summary:

Since mid-September 2024, there has been a notable rise in the deployment of “Lumma Stealer” malware through the “HijackLoader” malicious loader. A significant detection occurred on October 2, 2024, when a signed HijackLoader sample was blocked. The report discusses the methodology for hunting abused code-signing certificates and provides indicators of compromise.…

Short Summary:

In July 2024, Sentinel Labs detailed the “FIN7 reboot” tooling, particularly the anti-EDR tool “AvNeutralizer” and its associated packer “PackXOR”. The article discusses how AvNeutralizer disables EDR software and highlights the potential broader use of PackXOR beyond FIN7.

Key Points:

AvNeutralizer is an anti-EDR tool used by FIN7 to disable endpoint detection software.…

Short Summary:

This report introduces Cyclops, a newly discovered malware platform written in Go, believed to have been deployed against targets in the Middle East in 2024. Cyclops allows operators to execute arbitrary commands and pivot within infected networks. It is controlled through an HTTP REST API exposed via an SSH tunnel and is attributed to the threat actor Charming Kitten, likely developed as a successor to the BellaCiao malware.…


Short Summary:

This report investigates the Doppelgänger information operations by Russian actors, particularly during the June 2024 snap election in France. It highlights their tactics of impersonating news websites to spread disinformation through social networks, primarily X/Twitter. The report outlines the operational infrastructure, the nature of the disinformation campaigns, and the political implications of these activities, emphasizing the ongoing threat to democratic processes in Europe and the United States.…

Identifier: TRR240601.

Summary

Hunting for malicious infrastructure possibly targeting the Israeli government, we identified a previously unreported, long-standing and suspicious domain. The latter is still active at the time of this report, and is leveraged as a command and control server (C2), as part of an infection chain themed around an Israeli government entity.…

Identifier: TRR240501.

Summary

Earlier in May, our security product spotted a malicious payload, which was tentatively delivered to a computer in Brazil, via an intricate infection chain involving Python scripts and a Delphi-developed loader.

The final malicious payload, which we named “AllaSenha”, is specifically aimed at stealing the credentials required to access Brazilian bank accounts, leverages Azure cloud as command and control (C2) infrastructure, and is another custom variant of “AllaKore”, an infamous open-source RAT which is frequently leveraged to target users in Latin America.…

Identifier: TRR240401.

On March 25, 2024, the U.S. Department of Justice (DoJ) released an indictment of seven hackers associated with APT31, a “hacking group in support of China’s Ministry of State Security” (MSS) which has been active for 14 years. On the same day, the Department of Treasury enacted sanctions on several entities listed in the document.…

Identifier: TRR240201.

Summary

Following an X post by IntezerLab about an attack campaign that they dubbed “SameCoin”, we analyzed the samples they discovered and found a few identical variants. The infection vector appears to be an email impersonating the Israeli National Cyber Directorate, which tricks the reader into downloading malicious files which are presented as ‘security patches’.…

In June 2023, we observed multiple alerts that seemingly came from different sources. A quick search through our telemetry allowed us to identify multiple infected machines across our clients. Although they would sometimes present different behaviour, the initial infection vector stayed the same.

The servers were still actively delivering the initial payloads in early August in an intermittent fashion, and some of the malware still went undetected by antivirus engines.…

Identifier: TRR240101.

On 2023-12-28, the Ukrainian government computer emergency and incident response team (CERT-UA) described a malicious espionage campaign that targeted government organizations in Ukraine. CERT-UA attributed the campaign to the APT28 threat actor (aka Sofacy, Fancy Bear, etc.).

The malicious campaign leveraged spear-phishing to trick users into visiting a remote HTML page and opening a Windows shortcut, which in turn enabled the deployment of remote execution tools (MASEPIE, OCEANMAP), a credential stealer (STEELHOOK) as well as a publicly available reconnaissance and credential harvesting tool (Impacket).…

As we step into 2024, we anticipate a year that is poised to set several significant precedents. In this blogpost, we provide our Threatscape report, presenting our predictions for the global threats that lie ahead in the upcoming year. These are rooted in the trends we’ve been monitoring, with the goal of providing insights to decision-makers at all levels for proactive protections.…
