On February 22, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued a #StopRansomware: ALPHV Blackcat ransomware alert. This alert builds upon earlier Federal Bureau of Investigation (FBI) work and …
Author: Securonix
Elastic Security Labs has identified an intrusion set incorporating several malicious modules and leveraging vulnerable drivers to disable known security solutions (EDRs) for crypto mining. Additionally, the team discovered …
Politically-motivated hacktivist groups are increasingly utilizing ransomware payloads both to disrupt targets and draw attention to their political causes. Notable among these hacktivist groups is Ikaruz Red Team, a threat …
By Securonix Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
May 21st, 2024
tldr: An interesting attack campaign has been uncovered which leverages Google Drive and …
There’s a new version …
HijackLoader is a loader malware that possesses strong evasion capabilities, allowing it to bypass mainstream security solutions. It has been observed to deliver numerous persistent malware …
Lumma is a widely accessible malware stealer that is sold openly across Dark Web forums and Telegram channels. Although not as popular as other stealers, …
First observed in late 2022, Rhadamanthys is an advanced info-stealer that targets Windows platforms. It is distributed through the malware-as-a-service (MaaS) model. This, in conjunction …
Eml -> zip -> html -> url (evasive) -> zip -> hta -> ps1 -> zip -> a3x (Encoded Script file) -> shellcode
HTML contains basic obfuscation which …
The Uptycs Threat Research Team has uncovered a large-scale, ongoing operation within the Log4j campaign. Initially detected within our honeypot collection, upon discovery, the team promptly initiated an in-depth analysis …
NOTE: I started this story before Operation Cronos. Hence you can see tiny details unfolding before the FBI/Europol compromise and afterwards. This article mainly focuses on the mighty comeback …
The North Korean hacking group known as Kimsuky has been reported to employ sophisticated methods involving social media platforms and system management tools to conduct espionage activities.
This revelation highlights …
Last updated at Thu, 16 May 2024 17:30:35 GMT
Co-authored by Rapid7 analysts Tyler McGraw, Thomas Elkins, and Evan McCann
Executive Summary
Rapid7 has identified an ongoing social engineering campaign …
Last updated at Thu, 16 May 2024 17:38:34 GMT
Executive Summary
Rapid7 has observed an ongoing campaign to distribute trojanized installers for WinSCP and PuTTY via malicious ads on commonly …
Malicious Google ad redirects to FakeBat, dropping zgRAT.
FakeBat, tested on May 5, 2024
FakeBat (EugenLoader) is a type of malware loader packaged in Microsoft installers (MSI or MSIX) distributed …
AhnLab SEcurity Intelligence Center (ASEC) has been continuously covering malware disguised as copyright violation warnings and resumes as a means of distributing ransomware and Infostealers.
[Warning] Distribution of Malware Disguised…

Recently, Antiy CERT detected a new mining trojan campaign through network security monitoring. The mining trojan first appeared in November 2023, has had its components upgraded several times since, and is currently at version 3.0. As of publication the campaign remains active and the number of infections is rising. Its main characteristics are strong stealth, anti-analysis measures, a DLL-hijacking backdoor and shellcode injection, so Antiy CERT has named the mining trojan "匿铲".
In this campaign the attackers use two relatively novel techniques to defeat anti-virus software. The first abuses functionality in legacy kernel drivers shipped by anti-virus vendors to terminate anti-virus and EDR processes (a bring-your-own-vulnerable-driver, BYOVD, technique). It is carried out by a main PowerShell script, a standalone PowerShell script and a controller (a small executable loaded in memory): the main PowerShell script downloads and installs the legacy anti-virus kernel driver, the standalone PowerShell script decrypts the controller and loads it into memory, and the controller drives the kernel driver. Although the abused drivers were patched by their vendors long ago, the old versions can still be loaded and remain effective at terminating most anti-virus products. The second technique uses the MSDTC service to load a backdoor DLL, giving the backdoor auto-start and therefore persistence. It relies on a mechanism of the MTxOCI component of MSDTC: when the MSDTC service starts, that component searches for oci.dll, which Windows does not ship by default. The attackers download the backdoor DLL, rename it oci.dll and place it in the directory that is searched, then use a command in the PowerShell script to create the MSDTC service, so that the service loads the oci.dll backdoor at start-up and persistence is achieved.
Antiy's 智甲 endpoint defense system has been verified not to be blocked by the legacy anti-virus kernel driver and to detect and remove the backdoor DLL.
2. Attack flow
The 匿铲 mining trojan first downloads a PowerShell script named "get.png" from the distribution server; once decoded it performs hash verification, creates scheduled tasks, disables the system's built-in anti-virus and creates services. It then downloads the "kill.png" script and two archives, "delete.png" and "kill(1).png". The script decodes to shellcode, the shellcode is decrypted to obtain the controller (an executable) which is injected into the powershell.exe process, and the two archives are decompressed to yield the legacy anti-virus vendor kernel drivers "aswArPots.sys" and "IObitUnlockers.sys", which the controller invokes to terminate anti-virus and EDR programs. Depending on the victim's system architecture it also downloads the matching "86/64.png" archive, which decompresses to oci.dll; this is loaded via the MSDTC service to implement the DLL-hijacking backdoor. The "get.png" script also contains a download address for a "backup.png" script, but the download function is not yet implemented and may be added in a later version; that script's main functions are sending heartbeats and receiving commands. Finally, "get.png" downloads "smartsscreen.exe", which downloads the mining program and its components and starts mining.
Figure 2-1 Attack flow diagram
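As an added hunting example (editorial code, not Antiy CERT's tooling), the following PowerShell script checks a Windows host for the artefacts described above: an oci.dll on the MSDTC loader search path, the two abused driver names, the run.bat stager from Table 3-1 and PowerShell-based scheduled tasks. The driver names, oci.dll and C:\Users\Public\run.bat come from the article; the search locations, the scheduled-task heuristic and the output format are this example's own assumptions.

```powershell
# Added hunting script for the 匿铲 tooling described above. Assumes a 64-bit Windows host,
# an elevated PowerShell session and built-in cmdlets only. Read-only: it reports, it does
# not remediate. Indicator names come from the article; the heuristics are assumptions.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Technique, [string]$Artifact, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Technique = $Technique; Artifact = $Artifact; Detail = $Detail })
}

# --- 1. MSDTC oci.dll hijack ---------------------------------------------------------------
# Windows ships no oci.dll. msdtc.exe lives in System32, so the DLL loader looks there first,
# then along PATH. Any oci.dll found in those places is worth a look (assumed search set).
$searchDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") +
              ($env:Path -split ';' | Where-Object { $_ })
foreach ($dir in ($searchDirs | Select-Object -Unique)) {
    $candidate = Join-Path $dir 'oci.dll'
    if (Test-Path -LiteralPath $candidate) {
        $sig  = Get-AuthenticodeSignature -FilePath $candidate
        $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
        Add-Finding 'MSDTC oci.dll hijack' $candidate "Signature=$($sig.Status) SHA256=$hash"
    }
}

# The attacker's script (re)creates MSDTC so the backdoor starts with the service.
# Default start mode is Manual on client Windows; Automatic is normal on servers, so review there.
$msdtc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MSDTC'"
if ($msdtc -and $msdtc.StartMode -eq 'Auto') {
    Add-Finding 'MSDTC oci.dll hijack' 'Service MSDTC' "StartMode=Auto State=$($msdtc.State)"
}

# --- 2. BYOVD: legacy drivers used to kill security products ------------------------------
$abusedDrivers = @('aswArPots.sys', 'IObitUnlockers.sys')

# Registered or loaded driver services whose image is one of the abused drivers
Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
    if ($_.PathName) {
        $leaf = Split-Path -Leaf $_.PathName
        if ($abusedDrivers -contains $leaf) {
            Add-Finding 'BYOVD driver abuse' "Driver service $($_.Name)" `
                "Path=$($_.PathName) State=$($_.State) StartMode=$($_.StartMode)"
        }
    }
}

# On-disk copies in locations a dropper script commonly writes to (assumed list)
$dropDirs = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\Temp", $env:ProgramData, 'C:\Users\Public')
Get-ChildItem -Path $dropDirs -Recurse -Include $abusedDrivers -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        Add-Finding 'BYOVD driver abuse' $_.FullName "SHA256=$hash LastWriteUtc=$($_.LastWriteTimeUtc)"
    }

# --- 3. Stager and persistence artefacts --------------------------------------------------
$runBat = 'C:\Users\Public\run.bat'
if (Test-Path -LiteralPath $runBat) {
    $content = Get-Content -LiteralPath $runBat -Raw
    Add-Finding 'Stager' $runBat ("References powershell: {0}" -f ($content -match '(?i)powershell'))
}

# Scheduled tasks created by get.png: flag PowerShell actions using encoded or hidden execution
Get-ScheduledTask | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute -match '(?i)powershell' -and
            $a.Arguments -match '(?i)(-e(nc(odedcommand)?)?\s|windowstyle\s+hidden|bypass)') {
            Add-Finding 'Persistence (scheduled task)' $_.TaskName "Execute=$($a.Execute) Args=$($a.Arguments)"
        }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No indicators of the 匿铲 tooling found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it elevated; the driver-service and scheduled-task queries return incomplete results otherwise. The scheduled-task heuristic is deliberately broad and will surface legitimate encoded-PowerShell tasks, so treat its output as a triage list rather than a verdict; the oci.dll and driver-name checks are the high-confidence signals.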
3. Sample overview and functional analysis
3.1 Sample overview
The samples involved in this mining trojan attack and their functions are summarized in the table below:
Table 3-1 Samples and functions
Sample name | Dropped name | Sample path | Function
get.png | not dropped | in memory | initial payload; downloads subsequent samples, persistence
backup.png | none | none | the initial payload does not define a download for this sample; presumably to be added in a later version
run.bat | run.bat | C:\Users\Public | PowerShell command downloads get.png…
Advanced Persistent Threat Group 31 (APT31), also known by aliases like ZIRCONIUM or Judgment Panda, represents a sophisticated cybersecurity threat with ties to state-sponsored activities.
Threat Actor Card of APT31…
Infostealers targeting macOS devices have been on the rise for well over a year now, with variants such as Atomic Stealer (Amos), RealStealer (Realst), MetaStealer and others widely distributed in …
This week, the CERT Polska (CSIRT NASK) and CSIRT MON teams observed a large-scale malware campaign targeting Polish government institutions. Based on technical indicators and similarity to attacks described in …
Juniper Threat Labs has been monitoring exploitation attempts targeting authentication bypass and remote code execution vulnerabilities in Ivanti Pulse Secure. We have observed instances of Mirai botnet delivery in …
Nitrogen via Google ad for Advanced IP Scanner
Nitrogen, tested on May 3, 2024
Malvertising, the use of ads to deliver malware, has become very popular in the past couple …
AhnLab SEcurity Intelligence Center (ASEC) has discovered evidence of a malware strain being distributed to web servers in South Korea, leading users to an illegal gambling site. After initially infiltrating …
Written by Lex Crumpton and Charles Clancy.
Image Credit: GPT4 / Dall-E 3
This is the second blog post in a series, sharing MITRE’s experiences detecting and responding to a …
As many people know, popular websites often display a dialog window when you first visit them. This could be a paywall to read an article, a notice about cookies, or …
On April 24, 2024, we found a previously undetected malicious Mach-O binary programmed to behave like a cross between spyware and an infostealer. We have named the malware Cuckoo, after …
It’s been little more than a week since Apple rolled out an unprecedented 74 new rules to its XProtect malware signature list in version 2192. A further 10 rules were …
An increasing number of threats have begun to leverage the Microsoft Graph API, usually to facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services.
The technique was most …
Written by: Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, Jonathan Leathery
APT42, an Iranian state-sponsored cyber espionage actor, is using enhanced social engineering schemes to gain access to victim …
BI.ZONE
The BI.ZONE Threat Intelligence team has uncovered a fresh campaign by the group targeting Russian and Belarusian organizations
Key…
Threat actors consistently alter and develop their schemes in order to further escalate their payoffs. In a new trend, ransomware affiliates are actively re-monetizing stolen data outside of their original …
On April 11, 2024, BlackBerry released a new blog detailing a new VirusTotal upload of the LightSpy mobile spyware framework. BlackBerry stated that this malware was an iOS implant, yet …
This blog contains an excerpt of our new paper that unveils a previously unpublished multi-year operation using Domain Name System (DNS) queries, open DNS resolvers, and China’s Great Firewall. We …
The Black Lotus Labs team at Lumen Technologies is tracking a malware platform we’ve named Cuttlefish, that targets networking equipment, specifically enterprise-grade small office/home office (SOHO) routers. This …
Apr 24, 2024
tldr: The Securonix Threat Research Team has been …
I’ve been working on comparing data from different DShield [1] honeypots to understand differences when the honeypots reside on different networks. One point of comparison is malware submitted to the honeypots. During a review of …
By Securonix Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
tldr: The Securonix Threat Research team (STR) observed an interesting attack campaign which leveraged SSLoad malware and Cobalt Strike implants …
Back in November of 2023, we published a blog post highlighting the technical details of a sophisticated attack in npm attributed to North Korea. We subsequently published a follow-up in …
In the recent past, cyberattacks on Indian government entities by Pakistan-linked APTs have gained significant momentum. Seqrite Labs APT team has discovered multiple such campaigns …
Have you ever encountered the term ‘double agent’? Recently, we’ve had the opportunity to revisit this concept in Austria. Setting aside real-world affairs for prosecutors and journalists, let’s explore what …
We have been tracking a threat actor who’s behind several malvertising campaigns impersonating popular software downloads. That advertiser uses different identities but their tactics, techniques and procedures are very similar …
Microsoft Threat Intelligence is publishing results of our longstanding investigation into activity by the Russian-based threat actor Forest Blizzard (STRONTIUM) using a custom tool to elevate privileges and steal credentials …
Attackers are constantly seeking new vulnerabilities to compromise Kubernetes environments. Microsoft recently uncovered an attack that exploits new critical vulnerabilities in OpenMetadata to gain access to Kubernetes workloads and leverage …
Password-manager LastPass users were recently targeted by a convincing phishing campaign that used a combination of email, SMS, and voice calls to trick targets into divulging their …
Recently, NSFOCUS CERT detected that Palo Alto Networks issued a security announcement and fixed the command injection vulnerability (CVE-2024-3400) in PAN-OS. Since GlobalProtect gateway or portal configured in PAN-OS …
On 15 April 2024, Fabian Bäumer and Marcus Brinkmann of Ruhr University Bochum identified a vulnerable ECDSA implementation (biased nonce generation for the NIST P-521 curve) in versions 0.68 – 0.80 …
Recent findings from a Microsoft security blog reveal that attackers exploit newly discovered critical vulnerabilities in the OpenMetadata platform to target Kubernetes workloads. Subsequently, they use these workloads for cryptomining operations.
What…