IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024
Summary: This article discusses the ongoing large-scale DDoS attacks orchestrated by an IoT botnet that exploits vulnerable devices, primarily targeting companies in Japan and other countries. The botnet utilizes malware derived from Mirai and Bashlite, affecting various sectors and employing multiple DDoS attack methods.
Affected: Japan, North America, Europe
Keypoints: Large-scale DDoS attacks monitored since the end of 2024.…

How Cracks and Installers Bring Malware to Your Device
Summary: This article discusses the tactics used by attackers to distribute fake installers via trusted platforms like YouTube and file hosting services. By employing encryption and social engineering, these attackers aim to evade detection and steal sensitive browser data from unsuspecting users.
Affected: YouTube, Mediafire, Mega.nz, OpenSea, SoundCloud
Keypoints: Attackers exploit user trust by using platforms like YouTube to share fake installer links.…

Information Stealer Masquerades as LDAPNightmare (CVE-2024-49113) PoC Exploit
Summary: This article discusses a fake proof-of-concept (PoC) exploit for LDAPNightmare (CVE-2024-49113) that is being used to distribute information-stealing malware. The exploit lures security researchers into downloading malicious software disguised as a legitimate PoC.
Affected: CVE-2024-49112, CVE-2024-49113
Keypoints: Two critical LDAP vulnerabilities were patched by Microsoft in December 2024.…


Summary: The latest variant of NodeStealer has evolved into a sophisticated Python-based malware that targets sensitive data, including Facebook Ads Manager accounts. Delivered through spear-phishing attacks, this malware employs advanced techniques to exfiltrate data via Telegram. #NodeStealer #Cybersecurity #Malware
Keypoints: NodeStealer has transitioned from JavaScript to Python, enhancing its data theft capabilities.…


Summary: Earth Koshchei, an APT group allegedly sponsored by the SVR, executed a sophisticated rogue RDP campaign targeting high-profile sectors through spear-phishing emails and advanced anonymization techniques, resulting in potential data breaches and malware installations. #EarthKoshchei #RDPattack #CyberEspionage
Keypoints: Earth Koshchei utilized a rogue RDP attack methodology involving RDP relays and configuration files to gain control of targeted machines.…

Summary: Trend Micro’s research on the Earth Minotaur threat actor reveals the use of the MOONSHINE exploit kit to target vulnerabilities in Android messaging apps, particularly affecting Tibetan and Uyghur communities. The exploit kit installs the DarkNimbus backdoor for surveillance, which has both Android and Windows versions.…

Summary: Threat actors are exploiting misconfigured Docker servers to deploy Gafgyt malware, traditionally targeting IoT devices. This shift in behavior allows attackers to launch DDoS attacks on vulnerable servers. Enhanced security measures are recommended to mitigate these risks. #GafgytMalware #DockerSecurity #DDoSAttacks
Keypoints: Trend Micro Research identified Gafgyt malware targeting misconfigured Docker Remote API servers.…

Summary: Trend Micro has reported a spear-phishing campaign in Japan linked to Earth Kasha, utilizing the backdoor ANEL and the modular backdoor NOOPDOOR. The campaign targets individuals in political and research sectors, employing various evasion techniques and malware delivery methods. This marks a shift in Earth Kasha’s tactics, focusing on personal rather than enterprise targets.…

Summary: Earth Estries, a Chinese APT group, has been aggressively targeting critical sectors globally since 2023, employing advanced techniques and backdoors like GHOSTSPIDER and MASOL RAT for espionage. Their operations have affected numerous organizations across various industries, indicating a sophisticated and coordinated approach to cyberattacks. #APTGroup #CyberEspionage #GHOSTSPIDER
Keypoints: Earth Estries has targeted critical sectors including telecommunications and government entities since 2023.…


Summary: LODEINFO is a malware utilized by the Earth Kasha group, primarily targeting Japan since 2019. Recent campaigns have revealed significant updates in their tactics, techniques, and procedures, expanding their targets to Taiwan and India. The group employs various backdoors, including LODEINFO and NOOPDOOR, and exploits vulnerabilities in public-facing applications for initial access.…


Summary: Earth Estries employs sophisticated attack chains utilizing various malware, including Zingdoor and Snappybee, to exploit vulnerabilities in systems like Microsoft Exchange servers. Their tactics involve maintaining persistence, lateral movement, and data exfiltration through a combination of custom tools and established malware.
Keypoints: Earth Estries has targeted government and tech sectors since at least 2020.…

Short Summary: Trend Micro researchers reported an attack exploiting the Atlassian Confluence vulnerability CVE-2023-22527, allowing remote code execution for cryptomining via the Titan Network. The attacker utilized various system commands to gather information and executed multiple shell scripts to install Titan binaries, connecting compromised machines to the Titan Network for financial gain.…

Short Summary: This article discusses the prevalence of cyberattacks utilizing web shells and VPN compromises, emphasizing the need for behavioral analysis and anomaly detection in cybersecurity measures. It highlights two case studies analyzed by Trend Micro MXDR, detailing the attack chains, methods used by attackers, and recommendations for organizations to enhance their security posture.…

Short Summary: The Prometei botnet, analyzed through a Managed Extended Detection and Response (MXDR) investigation, employs stealthy tactics to infiltrate systems primarily for cryptocurrency mining and credential theft. This analysis details its operation, including initial access methods, credential dumping, lateral movement, and persistence techniques, highlighting the importance of proactive threat detection and response.…
Short Summary: We observed an unknown threat actor abusing exposed Docker remote API servers to deploy the perfctl malware. The attack involves creating a Docker container, executing a Base64 encoded payload, and employing evasion techniques to avoid detection. This article highlights the attack sequence and emphasizes the need for securing Docker Remote API servers.…
Short Summary: This article discusses a Golang ransomware that exploits AWS S3 for data theft while masquerading as LockBit to intimidate victims. The discovery of hard-coded AWS credentials in the ransomware samples led to the suspension of the associated AWS accounts.
Keypoints: Golang ransomware samples utilize AWS S3 Transfer Acceleration to exfiltrate files to attacker-controlled buckets.…