Summary
RisePro is a multifunctional information-stealer often sold on underground forums as part of a Malware-as-a-Service (MaaS) offering. Although this malware family was initially observed in late 2022, a sharp …
Summary
RisePro is a multifunctional information-stealer often sold on underground forums as part of a Malware-as-a-Service (MaaS) offering. Although this malware family was initially observed in late 2022, a sharp …
Last updated at Fri, 28 Jun 2024 18:00:03 GMT
The following Rapid7 analysts contributed to this research: Leo Gutierrez, Tyler McGraw, Sarah Lee, and Thomas Elkins.
Executive SummaryOn Tuesday, …
While reviewing common TTPs in malware campaigns used last year Outpost24’s Cyber Threat Intelligence team, KrakenLabs, came across several reports and …
On June 24, we observed a new campaign distributing a stealer targeting Mac users via malicious Google ads for the Arc browser. This is the second time in the past …
After Microsoft disabled office macros by default for internet-sourced documents, other infection vectors like JavaScript, MSI files, LNK objects, and ISOs have surged in popularity. However, these other techniques …
On June 21, we announced on our official X page that our company had …
Since 2019, Guloader has been in operation as a downloader. GuLoader spreads through spam campaigns with malicious archived attachments. GuLoader downloads the bulk of malware, with the most …
P2Pinfect is a rust-based malware covered extensively by Cado Security in the past. It is a fairly sophisticated malware sample that uses a peer-to-peer (P2P) botnet for its command and …
NJRAT – Active IOCsJune 24, 2024CVE-2024-38319 – IBM Security SOAR VulnerabilityJune 24, 2024
Analysis SummaryThe French information security agency ANSSI reported that Russia-linked APT group APT29, also known as …
CVE-2024-33001 – SAP NetWeaver and ABAP Platform VulnerabilityJune 24, 2024Donot APT Group – Active IOCsJune 24, 2024
Analysis SummaryThe Mirai botnet is a type of malware that infects Internet …
The research team has been analyzing a series of info-stealing malware, and they have recently come across an interesting campaign involving the PHP version of Ducktail Infostealer. This malware is …
The Remcos (Remote Control & Surveillance) RAT malware provides attackers with complete control over an infected system. It can be used for data theft, espionage, and other malicious activities. Understanding …
The Securonix Threat Research (STR) team has identified the use of a stealthy backdoor payload likely targeting …
ModiLoader aka DBatLoader – Active IOCsJune 21, 2024Multiple IBM i and WebSphere Application Server VulnerabilitiesJune 21, 2024
Analysis SummaryThe SideWinder APT (Advanced Persistent Threat) Group is a sophisticated cyber …
Every now and then you come across new malware variants and find something that attracts a little attention. A few days ago I acquired a VBS file, directed via a …
⚠️This is only a small excerpt from the original report, which can be found in the corresponding section, the report has been created thanks to the collaboration of Josh Penny …
documented by Trend in 2023. A version of the legitimate VLC Media Player masquerading as a Google file (googleupdate.exe) was used to sideload a Coolclient loader (file name: libvlc.dll). The loader …
I am @unixfreaxjp of MalwareMustDie team. This is the English translation of APT overall analysis I made in Japanese at my Japan security blog: “#OCJP-136: 「FHAPPI」 Geocities.jpとPoison Ivy(スパイウェア)のAPT事件”, it has …
By Jason Reaves and Joshua Platt
Spectre RAT was previously discussed a few years ago[1] in an excellent overview by Yoroi but recently has resurfaced in campaigns being distributed on …
By Ale Houspanossian · June 17, 2024
Case SummaryIt was a quiet Monday morning in March 2024 when the EDR researchers with our Trellix Advanced Research Center identified an …
Highlights:
Check Point Research (CPR) warns about online phishing scams related to summer vacations 1 in every 33 new summer vacation related domain registered in the previous month of May…Last updated at Tue, 18 Jun 2024 16:24:59 GMT
The following analysts contributed to this blog: Thomas Elkins, Daniel Thiede, Josh Lockwood, Tyler McGraw, and Sasha Kovalev.
Executive SummaryRapid7 …
With that background covered, let’s delve into several active campaigns we’ve observed, each leveraging the .LNK file format as the initial trigger for initiating the …
The executables and the command constitute a component of the threat actor’s attempt to hijack SSH connections with the objective of acquiring SSH credentials. Analysis of the executables and their …
At the end of May 2024, the largest ever operation against botnets, dubbed Operation Endgame, targeted several botnets including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot. This operation significantly impacted …
FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with …
It’s amazing to see how attackers reuse and combine known techniques to target their victims with new campaigns! Last week, I spotted some malicious MSIX packages on VT that drop a NetSupport[1] client …
The North Korean state-sponsored group known as Kimsuky has launched a sophisticated cyber-espionage campaign targeting a prominent weapons manufacturer in Western Europe.
This attack released on LinkedIn, discovered on May …
It’s amazing to see how attackers reuse and combine known techniques to target their victims with new campaigns! Last week, I spotted some malicious MSIX packages on VT that drop a NetSupport[1] client …
Resecurity has identified a new activity of Smishing Triad, which has expanded its operations to Pakistan. The group’s latest tactic involves sending malicious messages on behalf of Pakistan Post …
Beginning in May 2024, and carrying into early June, eSentire has identified an increase in observations of Matanbuchus malware. Matanbuchus is a loader type malware that was first …
Devcore announced a critical remote code execution (RCE) vulnerability in PHP, designated CVE-2024-4577. This flaw affects all PHP versions from 5.x onward running on Windows servers, making it a significant …
2024年5月29日,美国司法部发布通告,声称其执法活动摧毁了”史上最大的僵尸网络” 911 S5,查封了相关域名,并且逮捕了其管理员YunHe Wang。Wang及其同伙通过创建并分发包含恶意代码的免费VPN程序感染用户,并且在名为911 S5的住宅代理服务中出售对被感染设备构成的代理网络的访问权。
按照360威胁情报中心的分析,911S5从2014年开始运营,到2022年7月关停,在2023年10月又摇身一变,化名CloudRouter继续其肮脏生意,终于在2024年5月被多国联合执法摧毁。911S5的僵尸网络运行时间长、涉及多个国家的19M个IP地址、行为高调,虽然经过执法行动后大势已去,但是其数字遗产仍然对网络空间构成了现实且显著的威胁,下文是我们对威胁分析的结果。
911S5出售的代理服务背后是数千万被感染的设备。受害者主动或被动下载捆绑了恶意代码的软件、免费VPN程序等。在程序启动后,恶意代码将会创建持久化服务作为后门,为911S5客户提供代理服务。
在2023年以前,911S5使用的免费VPN包括:ProxyGate、MaskVPN、DewVPN与ShineVPN。我们观察到最早出现的VPN程序是ProxyGate,在2016年至2020年间活跃。
911S5与VPN程序的强关联 共同的基础设施将911S5与一众免费VPN关联起来的关键性证据就是它们共用了一部分基础设施。我们注意到,911.re、searchsafe.com、maskvpn.org、proxygate、911.gg、dewvpn.com的电子邮件服务都曾被解析到同一个服务器:173.244.211.96,证明911S5和特定免费VPN程序拥有共同的运营者。
更多数据,请查看最后一部分”共用IP”。
相似的样本行为MaskVPN、DewVPN以及ShineVPN拥有相似的编码方式、进程链结构:
MaskVPN进程链 DewVPN进程链2022年7月,911S5的运营者停止了911S5的服务,但是它们也并未蛰伏太长时间。2023年2月,911S5的继任者CloudRouter被研究人员发现;10月,CloudRouter正式发布,提供类似911S5的住宅服务,它使用PaladinVPN、Shield VPN感染设备并继续构建代理网络,我们确认这是换汤不换药的911S5。
CloudRouter,换汤不换药 共用基础设施与911S5类似,cloudrouter.pro、paladinvpn.com、shieldvpn.org的电子邮件服务解析到了相同的服务器:209.126.108.53。
更多数据,请查看最后一部分”共用IP”。
样本的强关联 CloudRouter使用的PaladinVPN、ShineVPN的编码方式、进程链与MaskVPN、DewVPN高度相似。 PaladinVPN进程链 根据美国法院的扣押文件,在2023年8月份,分析人员观察到了从MaskVPN到ShieldVPN的升级,该文件声称ShieldVPN、PaladinVPN与reachfresh.com通信,并从updatepanel.cc&upgradeportal.org接受更新指令。 PaladinVPN的推广域名我们注意到,有150+个推广域名都解析到了同一个地址148.72.152.203 ,如:
soccerstreamingvpn.com freevpnlebanon.com…This blog is part of my Tracking Adversaries blog series, whereby I perform a summary analysis of a particular adversary that has caught my attention and made me feel like …
By Gi7w0rm, Asheer Malhotra and Vitor Ventura.
Cisco Talos is disclosing a new malware campaign called “Operation Celestial Force” running since at least 2018. It is still active today, employing…In this walkthrough, we test SmartApeSG, a malware campaign distributed via compromised sites.
SmartApeSG, tested on June 11, 2024
DistributionSocial engineering attacks via fake browser updates are increasingly common. …
Recently, Imperva Threat Research reported on attacker activity leveraging the new PHP vulnerability, CVE-2024-4577. From as early as June 8th, we have detected attacker activity leveraging this vulnerability to …
Elastic Security Labs observed a wave of email campaigns in late April targeting environments by deploying a new backdoor we’re calling WARMCOOKIE based on data sent …
In the ever-evolving landscape of digital security, cyber threats are continually adapting and becoming more sophisticated. Among these threats, …
SSLoad is a stealthy malware that is used to infiltrate systems through phishing emails, gather reconnaissance and transmit it back to its operators while delivering various payloads. Recently, Unit42 highlighted …
The Grandoreiro banking trojan was first observed in 2016. This threat is described as a highly sophisticated and adaptive Windows-based banking trojan. Grandoreiro uses a Malware-as-a-Service (MaaS) model, making it easily accessible …
The Grandoreiro banking trojan was first observed in 2016. This threat is described as a highly sophisticated and adaptive Windows-based banking trojan. Grandoreiro uses a Malware-as-a-Service (MaaS) model, making it easily accessible …
All the malicious files used by the adversaries in the campaign have certain functional similarities.
By opening such a file a victim unknowingly creates the folder %AppData%MicrosoftEdgeUpdate and copies to it MicrosoftEdgeUpdate.exe from Resources.MicrosoftEdgeUpdate.
To get a foothold in the compromised system, the adversaries create a task …
We have detected a new variant of an ongoing cryptojacking campaign targeting misconfigured Kubernetes clusters in our customers’ cloud environments.
In this incident, the threat actor abused anonymous access to …