More than 350 ecommerce stores infected with malware in a single day.
Today our global crawler discovered 374 ecommerce stores infected with the same strain of malware. 370 of these …
More than 350 ecommerce stores infected with malware in a single day.
Today our global crawler discovered 374 ecommerce stores infected with the same strain of malware. 370 of these …
Lorenz is a ransomware strain observed first in February of 2021, and is believed to be a rebranding of the “.sZ40” ransomware that was discovered in October 2020. Lorenz targets …
Recently, we’ve been researching several threat actors operating in South Asia: Transparent Tribe, SideCopy, etc., that deploy a range of remote access trojans (RATs). After a hunting session in our …
Over the past seven months, SophosLabs has monitored a series of new efforts to distribute SolarMarker, an information stealer and backdoor (also known as Jupyter or Polazert). First detected in …
These websites host Smokeloader payloads as part of three categories named “pab1”, “pab2” and “pab3”. These are not necessarily linked to the analogous “pub*” affiliate IDs, since we have seen …
In August 2021, a disgruntled CONTI affiliate leaked training documents, playbooks, and tools used to assist in CONTI ransomware operations. Mandiant has determined that some of the activity listed …
case study below, Antlion compromised the networks of at least two other organizations in Taiwan, including another financial organization and a manufacturing company. The activity the group carried out on …
Qbot (aka QakBot, Quakbot, Pinkslipbot ) has been around for a long time having first been observed back in 2007. More info on Qbot can be found at the following …
Summary
Lazarus has targeted its victims using job opportunities documents for companies such as LockHeed Martin, BAE Systems, and Boeing. In this case, the threat actor has targeted people that …
February 3, 2022
[UPDATE] On February 4, 2022, Zimbra provided an update regarding this zero-day exploit vulnerability and reported that a hotfix for 8.8.15 P30 would …
Cisco Talos has observed a new wave of Delphi malware called Micropsia developed and operated by the Arid Viper APT group since 2017.
This campaign targets Palestinian entities and activists…A new phishing campaign is using specially crafted CSV text files to infect users’ devices with the BazarBackdoor malware.
A comma-separated values (CSV) file is a text file containing lines of …
Analysis of a new malware called Mars Stealer, which is a further development of Oski Stealer.
It has been noticed that Oski support stopped answering its customers and deleted its …
Over the past months, the Cybereason Nocturnus Team has been tracking the Iranian hacker group known as Moses Staff. The group was first spotted in October 2021 and claims their …
By: Joshua Platt, Jonathan Mccay and Jason Reaves
An actor recently has been starting up a RaaS solution that appears to primarily focus on individual computers instead of entire enterprises …
Over the past months, the Cybereason Nocturnus Team observed an uptick in the activity of the Iranian attributed group dubbed Phosphorus (AKA Charming Kitten, APT35), known for previously attacking medical …
Cisco Talos has observed a new campaign targeting Turkish private organizations alongside governmental institutions.
Talos attributes this campaign with high confidence to MuddyWater — an APT group recently attributed to…Broadcom Software, has found evidence of attempted attacks against a number of organizations in the country.
Active since at least 2013, Shuckworm specializes in cyber-espionage campaigns mainly against entities in …
This blog was authored by Ankur Saini and Hossein Jazi
Lazarus Group is one of the most sophisticated North Korean APTs that has been active since 2009. The group is …
The Belarusian Cyber Partisans have shared documents related to another hack, and explained that Curated Intel member, SttyK, would “understand some of the methods used.”
Written by @BushidoToken and edited …
The BlackBerry Research & Intelligence and Incident Response (IR) teams have found evidence correlating attacks by the Initial Access Broker (IAB) group Prophet Spider with exploitation of the Log4j vulnerability …
This blog post was authored by Roberto Santos
KONNI is a Remote Administration Tool that has being used for at least 8 years. The North Korean threat actor that is …
Chaes is a banking trojan that operates solely in Brazil and was first reported in November 2020 by Cybereason. In Q4 2021, Avast observed an increase in Chaes’ activities, …
Morphisec, through its breach prevention with Moving Target Defense technology, has identified a new, sophisticated campaign delivery which has been successfully evading the radar of many security vendors. Through a …
On November 11th, Google TAG published a blogpost about watering-hole attacks leading to exploits for the Safari web browser running on macOS. ESET researchers had been investigating this campaign the …
Co-authored by Gustavo Palazolo and Ghanashyam Satpathy
SummaryIn 2021, malicious Office documents accounted for 37% of all malware downloads detected by Netskope, showing favoritism for this infection vector among …
In our previous article “Mobile banking fraud: BRATA strikes again” we’ve described how threat actors (TAs) leverage the Android banking trojan BRATA to perpetrate fraud via unauthorized wire transfers. …
概述
奇安信红雨滴团队持续关注全球APT组织的攻击活动,其中包括海莲花(OceanLotus)APT组织。近期国外厂商Netskope发布了一篇关于mht格式文件(Web归档文件)通过携带的Office宏植入恶意软件的分析报告[1],因为其中提及的样本采用的攻击手法与海莲花组织存在相似之处,报告认为此次攻击活动是海莲花组织所为。
经过红雨滴团队研究人员对此类样本的深入分析,发现攻击流程中也存在着一些不同于海莲花过往攻击活动的特点,因此不排除其他攻击团伙模仿海莲花的可能性。基于现有的公开信息,暂时还不能确定此次攻击活动背后团伙的具体身份。此外,我们注意到此类样本利用Glitch平台下发后续恶意软件,进一步发现它们与奇安信威胁情报中心去年12月披露的攻击样本[2]一脉相承。
本文将深入分析此次攻击活动涉及的样本,梳理与之关联的其他攻击活动,并与海莲花组织历史攻击手法进行比较,总结攻击活动中相似的地方以及独有的特征。此类攻击样本具有如下特点:
1. 宏代码会根据系统版本释放32位或64位恶意DLL,释放恶意DLL时会插入一段随机数据;
2. 宏代码和恶意DLL均进行了代码混淆;
3. 恶意DLL将收集的信息回传给Glitch平台托管的C2服务,然后下载经过7z压缩的后续恶意软件并执行。
样本信息
收集到的攻击样本信息如下
MD5
文件类型
文件名
0ee738b3837bebb5ce93be890a196d3e
RAR
HS.rar
11d36c3b57d63ed9e2e91495dcda3655
RAR
Tai_lieu.rar
204cb61fce8fc4ac912dcb3bcef910ad
RAR
TL-3525.rar
a7a30d88c84ff7abe373fa41c9f52422
RAR
Note.rar
b1475bdbe04659e62f3c94bfb4571394
RAR
CV.rar…
We investigated the most recent activities of APT36, also known as Earth Karkaddan, a politically motivated advanced persistent threat (APT) group, and discuss its use of CapraRAT, an Android RAT …
Shipping is an indispensable part of modern life. It is the lifeblood of the global economy, with numerous large companies (and their equally large container ships) perpetually moving goods from …
TrickBot Bolsters Layered Defenses to Prevent Injection Research
Limor Kessem and Charlotte Hammond.
The cyber crime gang that operates the TrickBot Trojan, as well as other malware and ransomware attacks, …
We found waves of Emotet spam campaigns using unconventional IP addresses to evade detection.
We observed Emotet spam campaigns using hexadecimal and octal representations of IP addresses, likely to evade …
01/13/2022
Executive SummaryRecorded Future analysts continue to monitor the activities of the FIN7 group as they adapt and expand their cybercrime operations. Gemini has conducted a more in-depth investigation …
While monitoring the distribution source of malware in Korea, the ASEC analysis team has discovered that DDoS IRC Bot strains disguised as adult games are being installed via webhards. Webhards …
In December 2021, the ThreatLabz research team identified several macro-based MS office files uploaded from Middle Eastern countries such as Jordan to OSINT sources such as VT. These files …
Donot Team (also known as APT-C-35 and SectorE02) is a threat actor operating since at least 2016 and known for targeting organizations and individuals in South Asia with Windows and …
During the back half of 2021, INKY began detecting phishing emails that impersonated the United States Department of Labor (DoL). Eventually, the campaign grew to hundreds of instances.
INKY caught …
In 2021, Kaspersky ICS CERT experts noticed a growing number of anomalous spyware attacks infecting ICS computers across the globe.
Although the malware used in these attacks belongs to well-known …
BlackCat (aka AlphaVM, AlphaV) is a newly established RaaS (Ransomware as a Service) with payloads written in Rust. While BlackCat is not the first ransomware written in the Rust language, …
At the end of 2021, we were made aware of a UEFI firmware-level compromise through logs from our Firmware Scanner, which has been integrated into Kaspersky products since …
BlueNoroff is the name of an APT group coined by Kaspersky researchers while investigating the notorious attack on Bangladesh’s Central Bank back in 2016. A mysterious group with links to …