We’ve recently seen a surge in attacks involving the Mekotio banking trojan. In this blog entry, we’ll provide an overview of the trojan and what it does.

Introduction

The Mekotio banking trojan is a sophisticated piece of malware that has been active since at least 2015, primarily targeting Latin American countries with the goal of stealing sensitive information — particularly banking credentials — from its targets.…


We analyze the multi-stage loading technique used by Water Sigbin to deliver the PureCrypter loader and XMRIG crypto miner.

Summary

Water Sigbin continues to exploit CVE-2017-3506 and CVE-2023-21839 to deploy cryptocurrency miners via a PowerShell script. The threat actor employs fileless execution techniques, using reflective DLL injection and process injection, allowing the malware code to run solely in memory and evade disk-based detection mechanisms.…

This blog entry provides an analysis of the Noodle RAT backdoor, which is likely being used by multiple Chinese-speaking groups engaged in espionage and other types of cybercrime.

This blog is based on our presentation at Botconf 2024. It can be viewed here.

Introduction

Since 2022, we have been investigating numerous targeted attacks in the Asia-Pacific region that used the same ELF backdoor.…


In this blog entry, our researchers provide an analysis of TargetCompany ransomware’s Linux variant and how it targets VMware ESXi environments using new methods for payload delivery and execution.

Summary

The TargetCompany ransomware group is now employing a new Linux variant that uses a custom shell script as a means of payload delivery and execution, a technique not seen in previous variants.…

Water Sigbin (aka the 8220 Gang) exploited Oracle WebLogic vulnerabilities to deploy a cryptocurrency miner using a PowerShell script. The threat actor also adopted new techniques to conceal its activities, making attacks harder to defend against.

Summary

Water Sigbin exploited the vulnerabilities CVE-2017-3506 and CVE-2023-21839 to deploy a cryptocurrency miner via a PowerShell script.…

This report describes how Waterbear and Deuterbear — two of the tools in Earth Hundun’s arsenal — operate, based on a campaign from 2024.

Summary

Earth Hundun is known for targeting the Asia-Pacific and now employs updated tactics for infection spread and communication. This report details how Waterbear and Deuterbear operate, including the stages of infection, command and control (C&C) interaction, and malware component behavior.…

In this blog entry, we discuss Trend Micro’s contributions to an Interpol-coordinated operation to help Brazilian and Spanish law enforcement agencies analyze malware samples of the Grandoreiro banking trojan.

In April 2023, the International Criminal Police Organization (Interpol) requested any indicators of compromise (IOCs) or information related to the banking trojan Grandoreiro, specifically for command-and-control (C&C) servers.…


Our blog entry provides an in-depth analysis of Earth Hundun’s Waterbear and Deuterbear malware.

Summary

Earth Hundun is a cyberespionage-motivated threat actor that has been active for several years in the Asia-Pacific region, targeting the technology and government sectors. The group has been known for employing several tools and techniques, including Waterbear, a malware entity that has had over 10 versions since 2009.…

Key Point:

* Operation Cronos disrupted LockBit’s operations, leading to outages on LockBit-affiliated platforms and a takeover of its leak site by the UK’s National Crime Agency.
* Authorities used the compromised leak site to distribute information about LockBit, highlighting the risks of paying ransoms and the impact on affected businesses.…


Summary: This article provides an in-depth look into two techniques used by Earth Freybug actors: dynamic-link library (DLL) hijacking and application programming interface (API) unhooking to prevent child processes from being monitored via a new malware called UNAPIMON.

Key Point:

* Earth Freybug actors use DLL hijacking and API unhooking techniques to prevent monitoring of child processes.…


This blog entry discusses the Agenda ransomware group’s use of its latest Rust variant to propagate to VMware vCenter and ESXi servers.


Since its discovery in 2022, the Agenda ransomware group (also known as Qilin) has been active and in development. Agenda, which Trend Micro tracks as Water Galura, continues infecting victims globally, with the US, Argentina, Australia, and Thailand being among its top targets (based on the threat actor’s leak site data).…


CVE-2024-27198 and CVE-2024-27199 are vulnerabilities within the TeamCity On-Premises platform that can allow attackers to gain administrative control over affected systems.


On March 4, 2024, JetBrains disclosed two critical vulnerabilities — CVE-2024-27198 and CVE-2024-27199 — within the TeamCity On-Premises platform that allow attackers to bypass authentication measures and gain administrative control over affected servers.…


Since early 2022, we have been monitoring an APT campaign that targets several government entities worldwide, with a strong focus on Southeast Asia, but also observed targeting Europe, America, and Africa.

Introduction

Since early 2022, we have been monitoring an APT campaign that targets several government entities worldwide, with a strong focus on Southeast Asia, but also observed targeting Europe, America, and Africa.…


In addition to our Water Hydra APT zero-day analysis, the Zero Day Initiative (ZDI) observed a DarkGate campaign, discovered in mid-January 2024, in which DarkGate operators exploited CVE-2024-21412.


The Zero Day Initiative (ZDI) recently uncovered a DarkGate campaign in mid-January 2024, which exploited CVE-2024-21412 through the use of fake software installers.…


After examining the events around the time the file was created, we discovered that the threat actor executed the following actions:

We observed that the initial command employs PowerShell to download a file (curl.tmp) from the URL http://preston[.]melaniebest[.]com/ms/curl.tmp and saves it as curl.exe in the C:\Windows\System32 directory.…


This blog entry gives a detailed analysis of these recent ScreenConnect vulnerabilities. We also discuss our discovery of threat actor groups, including Black Basta and Bl00dy Ransomware gangs, that are actively exploiting CVE-2024-1708 and CVE-2024-1709 based on our telemetry.


On February 19, 2024, ConnectWise disclosed significant vulnerabilities within its ScreenConnect software (CVE-2024-1708 and CVE-2024-1709), which affect versions 23.9.7 and earlier.…
