The APT group Water Hydra has been exploiting the Microsoft Defender SmartScreen vulnerability (CVE-2024-21412) in its campaigns targeting financial market traders. This vulnerability, which has now been patched by Microsoft, was discovered and disclosed by the Trend Micro Zero Day Initiative.

The Trend Micro Zero Day Initiative discovered the vulnerability CVE-2024-21412, which we track as ZDI-CAN-23100, and alerted Microsoft to a Microsoft Defender SmartScreen bypass used as part of a sophisticated zero-day attack chain by the advanced persistent threat (APT) group we track as Water Hydra (aka DarkCasino) that targeted financial market traders.…

To help defenders learn more about Pawn Storm’s activities and adjust their defenses, we offer a technical analysis of some of the threat actor’s recent and updated techniques.

Introduction

Pawn Storm (also known as APT28 and Forest Blizzard) is an advanced persistent threat (APT) actor that shows incessant and lasting repetitions in its tactics, techniques, and procedures (TTPs).…

In this blog, we detail our investigation of the Kasseika ransomware and the indicators we found suggesting that the actors behind it have acquired access to the source code of the notorious BlackMatter ransomware.

Following an increase in bring-your-own-vulnerable-driver (BYOVD) attacks launched by ransomware groups in 2023, in which a legitimately signed but vulnerable driver is loaded to gain kernel-level access and disable security tools, the operators of the Kasseika ransomware are among the latest to take part in the trend.…

This blog delves into the Phemedrone Stealer campaign’s exploitation of CVE-2023-36025, the Windows Defender SmartScreen Bypass vulnerability, for its defense evasion and investigates the malware’s payload.

During routine threat hunting, Trend Micro uncovered evidence pointing to an active exploitation of CVE-2023-36025 to infect users with a previously unknown strain of the malware, Phemedrone Stealer.…

A threat actor we track under the intrusion set Water Curupira (known to employ the Black Basta ransomware) has been actively using Pikabot, a loader malware with similarities to Qakbot, in spam campaigns throughout 2023.

Pikabot is a type of loader malware that was actively used in spam campaigns by a threat actor we track under the intrusion set Water Curupira in the first quarter of 2023, followed by a break at the end of June that lasted until the start of September 2023.…

This blog entry delves into MxDR’s unraveling of the AsyncRAT infection chain across multiple cases, shedding light on the misuse of aspnet_compiler.exe, a legitimate Microsoft process originally designed for precompiling ASP.NET web applications.

During our recent investigations, the Trend Micro Managed XDR (MxDR) team handled various cases involving AsyncRAT, a Remote Access Tool (RAT) with multiple capabilities, such as keylogging and remote desktop control, that make it a substantial threat to victims.…

The Open Radio Access Network (O-RAN) architecture provides standardized interfaces and protocols to previously closed systems. However, our research on O-RAN demonstrates the potential threat posed by malicious xApps that are capable of compromising the entire RAN Intelligent Controller (RIC) subsystem.

The Open Radio Access Network (Open RAN or O-RAN) architecture has provided access to previously closed Radio Access Network (RAN) systems by establishing standard interfaces and protocols.…

We detail the modular framework of malicious Chrome extensions that consist of various highly obfuscated components that leverage Google Chrome APIs to monitor, intercept, and exfiltrate victim data.

Our investigations on potential security threats uncovered a malicious Google Chrome extension that we named “ParaSiteSnatcher.” The ParaSiteSnatcher framework allows threat actors to monitor, manipulate, and exfiltrate highly sensitive information from multiple sources.…

We analyzed a phishing campaign involving malicious emails containing a link to a file-sharing solution, which further leads to a PDF document with a secondary link designed to steal login info and session cookies.

We recently uncovered a phishing campaign involving threat actors sending socially engineered emails containing a link to DRACOON.team,…

This blog discusses how threat actors abuse Discord’s content delivery network (CDN) to host and spread Lumma Stealer, and talks about added capabilities to the information stealing malware.

Our latest investigation revealed that threat actors are now delivering an information-stealing malware called Lumma Stealer via Discord, a popular chat platform for online gamers, content creators, and streamers.…
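Because Discord CDN attachment URLs follow a fixed pattern (host cdn.discordapp.com or media.discordapp.net, then /attachments/<channel_id>/<attachment_id>/<filename>), a defender can hunt for the delivery technique described above in web proxy logs without any knowledge of the specific Lumma Stealer sample. The following Python is an added example and is not code from the Trend Micro post; the proxy log format, the extension list, the IP addresses and the Discord IDs are all constructed for illustration.

```python
import os
import re
from urllib.parse import urlparse, unquote

# Discord CDN attachment URLs look like
#   https://cdn.discordapp.com/attachments/<channel_id>/<attachment_id>/<filename>
# media.discordapp.net serves the same objects. Newer links carry ?ex=..&is=..&hm=..
# expiry parameters, which are ignored here because only the path is matched.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
ATTACHMENT_PATH = re.compile(r"^/attachments/(\d+)/(\d+)/([^/]+)$")

# Extensions a stealer loader is commonly dropped as. This list is an assumption
# for the example, not taken from the Trend Micro analysis; tune it per environment.
SUSPICIOUS_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".msi", ".bat", ".cmd", ".ps1", ".vbs", ".js",
    ".hta", ".lnk", ".iso", ".img", ".zip", ".rar", ".7z",
}

# Constructed proxy log lines (not real telemetry) in a simplified
# "timestamp client_ip method url status bytes" layout.
SAMPLE_PROXY_LOG = """\
2023-10-12T09:14:03Z 10.0.0.25 GET https://cdn.discordapp.com/attachments/112233445566778899/998877665544332211/Setup_v2.exe 200 3487210
2023-10-12T09:14:07Z 10.0.0.25 GET https://cdn.discordapp.com/attachments/112233445566778899/998877665544332212/screenshot.png 200 48211
2023-10-12T09:15:30Z 10.0.0.31 GET https://media.discordapp.net/attachments/223344556677889900/887766554433221100/Invoice%2010-2023.pdf.zip?ex=65a1b2c3&is=6599d4e5&hm=abcd 200 912331
2023-10-12T09:16:02Z 10.0.0.40 GET https://discord.com/api/v9/gateway 200 512
2023-10-12T09:16:45Z 10.0.0.25 GET https://example.com/downloads/tool.exe 200 110233
2023-10-12T09:20:11Z 10.0.0.52 GET https://cdn.discordapp.com/attachments/112233445566778899/998877665544332299/update.dll 200 221004
"""


def classify_discord_attachment(url):
    """Return attachment metadata if `url` is a Discord CDN attachment, else None."""
    parsed = urlparse(url)
    if parsed.hostname not in DISCORD_CDN_HOSTS:
        return None
    match = ATTACHMENT_PATH.match(parsed.path)
    if not match:
        return None
    channel_id, attachment_id, raw_name = match.groups()
    filename = unquote(raw_name)
    # splitext keeps only the last suffix, so "Invoice.pdf.zip" -> ".zip"
    extension = os.path.splitext(filename)[1].lower()
    return {
        "channel_id": channel_id,
        "attachment_id": attachment_id,
        "filename": filename,
        "extension": extension,
        "suspicious": extension in SUSPICIOUS_EXTENSIONS,
    }


def scan_proxy_log(log_text):
    """Return one record per log line that fetched a suspicious Discord CDN attachment."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; skip it rather than abort the whole scan
        timestamp, client_ip, _method, url = fields[:4]
        info = classify_discord_attachment(url)
        if info and info["suspicious"]:
            hits.append({"timestamp": timestamp, "client_ip": client_ip, "url": url, **info})
    return hits


def channels_hit_by_multiple_clients(hits):
    """Map channel_id -> set of client IPs, keeping only channels seen from more than one host.
    One Discord channel feeding executables to several endpoints is a strong hunting lead."""
    by_channel = {}
    for hit in hits:
        by_channel.setdefault(hit["channel_id"], set()).add(hit["client_ip"])
    return {ch: ips for ch, ips in by_channel.items() if len(ips) > 1}


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for hit in found:
        print(f'{hit["timestamp"]} {hit["client_ip"]} fetched {hit["filename"]} from channel {hit["channel_id"]}')
    for channel, ips in channels_hit_by_multiple_clients(found).items():
        print(f"channel {channel} served executables to {len(ips)} hosts: {sorted(ips)}")
```

On the constructed log the scan flags the three executable or archive downloads and ignores the image, the Discord API call and the non-Discord download; the channel grouping then shows that channel 112233445566778899 delivered binaries to two separate hosts. Blocking the Discord CDN outright is often not an option where the platform is in legitimate use, so matching on the attachment path plus file type, and correlating by channel ID, gives a narrower signal than a hostname block.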

We detail an ongoing campaign abusing the messaging platforms Skype and Teams to distribute the DarkGate malware to targeted organizations. We also discovered that once DarkGate is installed on the victim's system, additional payloads are introduced to the environment.

From July to September, we observed the DarkGate campaign (detected by Trend Micro as TrojanSpy.AutoIt.DARKGATE.AA)…

Almost a year after Void Rabisu shifted its targeting from opportunistic ransomware attacks to campaigns with an emphasis on cyberespionage, the threat actor is still developing its main malware, the ROMCOM backdoor.

Void Rabisu is an intrusion set associated with both financially motivated ransomware attacks and targeted campaigns on Ukraine and countries supporting Ukraine.…

This entry delves into threat actors’ intricate methods to implant malicious payloads within seemingly legitimate applications and codebases.

Introduction

As technology evolves and the world becomes more interconnected, so do the techniques used by threat actors against their victims. Threat actors pose a significant risk to organizations, individuals, and communities by continuously exploiting the intricate interdependencies within supply chains and codebases.…

With contributions from Shingo Matsugaya

We delve into three of the most active ransomware families that dominated the first half of 2023: LockBit, Clop, and BlackCat.

Since 2022, our telemetry has consistently pointed to LockBit and BlackCat as two of the most detected RaaS providers.

LockBit’s level of pervasiveness is reflected in a joint cybersecurity advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and other international security bureaus.…

While monitoring Earth Lusca, we discovered an intriguing, encrypted file on the threat actor’s server: a Linux-based malware that appears to originate from the open-source Windows backdoor Trochilus and that we have dubbed SprySOCKS due to its swift behavior and its SOCKS implementation.

In early 2021, we published a research paper discussing the operation of a China-linked threat actor we tracked as Earth Lusca.…

The Trend Micro Mobile Application Reputation Service (MARS) team discovered a new, fully undetected Android banking trojan, dubbed MMRat, that has been targeting mobile users in Southeast Asia since late June 2023.

The Trend Micro Mobile Application Reputation Service (MARS) team discovered a new, fully undetected Android banking trojan, dubbed MMRat (detected by Trend Micro as AndroidOS_MMRat.HRX),…