This week, the SonicWall Capture Labs Research team analyzed a new sample of Linux ransomware. The group behind this ransomware, called INC Ransomware, has been active since it was first reported a year ago.
Infection CycleThe malware is a Linux executable in ELF file format.…
The SonicWall Capture Labs threat research team became aware of a remote code execution vulnerability in the Atlassian Confluence Data Center and Server, assessed its impact and developed mitigation measures. Confluence Server is a software to manage documentation and knowledge bases with an ubiquitous presence across the globe.…
The SonicWall Capture Labs threat research team became aware of a noteworthy vulnerability –an SQL injection in the WordPress plugin Automatic by ValvePress – assessed its impact and developed mitigation measures for it. Around ~38k active users have installed this premium plugin. The issue allows trivial SQL injection attacks against the plugin user’s authentication process, which could allow WordPress website takeovers.…
This week, the SonicWall Capture Labs threat research team investigated a sample of the RemcosRAT that uses a PrivateLoader module to provide additional data and persistence on the victim’s machine. By installing VB scripts, altering the registry and setting up services to restart the malware at variable times or by control, this malware is able to infiltrate a system completely and remain undetected.…
The SonicWall Capture Labs threat research team became aware of CVE-2024-31984, which is a code injection vulnerability in XWiki’s management of space titles and has a critical CVSS score of 9.9. After assessing the impact, we developed mitigation measures to address the vulnerability. This vulnerability, originating from insufficient input validation, allows remote, authenticated attackers to execute arbitrary code on the target server by creating documents with maliciously crafted titles.…
SonicWall Capture Labs threat research team became aware of a fully unauthenticated server-side template injection vulnerability within CrushFTP, assessed its impact, and developed mitigation measures. CrushFTP is an enterprise file transfer tool. Such tools have seen increased attention from attackers over the last several years.…
This week the SonicWall Capture Labs threat research team came across a sample purporting to be Windows Explorer. At a glance, everything checks out – it uses the legitimate Windows Explorer icon and the file properties say Microsoft – but, once executed, it installs and runs a crypto miner.…
The SonicWall Capture Labs threat research team has been regularly sharing information about malware targeting Android devices. We’ve encountered similar RAT samples before, but this one includes extra commands and phishing attacks designed to harvest credentials.
This malware uses famous Android app icons to mislead users and trick victims into installing the malicious app on their devices.…
The SonicWall Capture Labs threat research team became aware of a cross-site scripting vulnerability in GitLab, assessed its impact and developed mitigation measures. GitLab, an open-source code-sharing platform, published an advisory on this vulnerability affecting GitLab CE/EE in all versions starting from 16.7 to 16.8.6, 16.9 before 16.9.4 and 16.10 before 16.10.2.…
Overview
SonicWall Capture Labs threat research team has observed fileless .Net managed code injection in a native 64-bit process. Native code or unmanaged code refers to low-level compiled code such as C/C++. Managed code refers to code that is written to target .NET and will not work without the CLR (Microsoft .NET…
Overview
The SonicWall Capture Labs threat research team became aware of a noteworthy vulnerability—an Unauthenticated Template Injection —in Atlassian Confluence platforms, assessed its impact and developed mitigation measures for it. Atlassian’s Confluence Server and Data Center published an advisory on this vulnerability affecting multiple Confluence releases.…
Overview
The SonicWall Capture Labs threat research team became aware of a couple of remote code execution vulnerabilities in JumpServer, assessed their impact and developed mitigation measures. JumpServer is an open-source bastion host and a professional operation and maintenance security audit system with a substantial presence in the China region.…
Overview
The SonicWall Capture Labs threat research team analyzed a malware purporting to be a Java utility. It arrives as an installer for Java Access Bridge, but ultimately installs the popular open-source cryptominer, XMRig.
Infection Cycle
The sample arrives as a Windows installer package (msi) file using the following file name:
JavaAccessBridge-64.msi…____________________ Summary: The SonicWall Capture Labs threat research team has discovered an Unauthenticated Command Injection vulnerability in Progress Kemp LoadMaster. This vulnerability allows attackers to bypass authentication and execute arbitrary commands on the system. LoadMaster users are advised to upgrade their instances immediately.
____________________ Key Point: * The vulnerability affects Progress Kemp LoadMaster releases after 7.2.48.1 and LoadMaster Multi-Tenant (MT) VFNs.…
Overview
This week, the Sonicwall Capture Labs threat research team analyzed a new Golang malware sample. It uses multiple geographic checks and publicly available packages to screenshot the system before installing a root certificate to the Windows registry for HTTPS communications to the C2. There is currently no malware family affiliated, but the IP and URL addresses have been used by AgentTesla, GuLoader, PureLog Stealer and others.…
Overview
SonicWall Capture Labs threat research team has observed a new variant of WhiteSnake Stealer. This stealer poses significant risks to users and organizations as it can steal critical sensitive data from compromised systems, including valuable information like web browser data, cryptocurrency wallets and much more.…
Overview
This week, the Sonicwall Capture Labs threat research team analyzed a ransomware calling itself Lighter Ransomware. Upon execution, it opens up a window with a countdown timer instructing the victim to reach out immediately before the timer ends – or face greater consequences.
Infection Cycle
The malware arrives as a portable executable that, once executed, immediately displays this warning window.…
Overview
The SonicWall Capture Labs threat research team recently observed an interesting variant of StopCrypt ransomware. The ransomware executes its malicious activities by utilizing multi-stage shellcodes before launching a final payload that contains the file encryption code.
Infection Cycle
At the start of execution, it creates a string of msim32.dll…
Overview
The SonicWall Capture Labs threat research team has been tracking ransomware that has gained recent notoriety known as Medusa. Medusa surfaced as a Ransomware-as-a-Service (RaaS) platform in late 2022. The group behind Medusa predominantly propagates this malware through unpatched vulnerabilities and directs their attacks on various industry sectors such as technology, education, manufacturing, healthcare and retail.…