Researchers at Palo Alto Networks discovered a tool named Swiss Army Suite (S.A.S) used by attackers for automated vulnerability scanning, particularly targeting SQL injection vulnerabilities. This tool operates differently from known commercial tools, making it challenging to detect. The findings emphasize the importance of machine learning in identifying unknown threats and highlight the need for robust defense mechanisms against such tools.…
Author: Unit42
Unit 42 researchers have identified two new malware samples associated with the North Korean threat group Sparkling Pisces, including a keylogger named KLogEXE and a backdoor variant called FPSpy. These findings highlight the group’s evolving capabilities and their continued targeting of South Korean entities.…
Short Summary:
The article investigates the Sniper Dz phishing-as-a-service (PhaaS) platform, which has gained popularity among phishers targeting social media and online services. Over the past year, more than 140,000 phishing websites have been linked to Sniper Dz. The platform offers free phishing tools and utilizes unique tactics, such as hiding phishing content behind public proxy servers and collecting stolen credentials through a centralized infrastructure.…
The article discusses the discovery of a new strain of the RomCom malware family, named SnipBot, which exhibits advanced techniques for evasion and obfuscation. This malware allows attackers to execute commands, download additional modules, and pivot through victim networks for data exfiltration. The investigation reveals the malware’s infection chain, post-infection activities, and the potential motivations behind the attacks.…
This article discusses the discovery of a new post-exploitation red team tool called Splinter, identified on customer systems through Advanced WildFire’s memory scanning tools. It highlights the importance of continuous tracking and detection of such tools to enhance security. Splinter, developed in Rust, has standard post-exploitation features and poses a potential threat if misused.…
Unit 42 researchers have identified an ongoing campaign that delivers Linux and macOS backdoors through poisoned Python packages, named PondRAT. This campaign is linked to the Gleaming Pisces threat actor, known for sophisticated attacks against the cryptocurrency industry. The researchers found significant code similarities between PondRAT and POOLRAT, another malware attributed to Gleaming Pisces.…
Unit 42 researchers reported a surge in phishing campaigns in 2024 that utilize HTTP response header refresh techniques. These campaigns, primarily targeting the financial sector and government domains, employ malicious URLs that automatically redirect users without interaction. The attackers leverage personalized approaches to enhance deception, making it challenging to identify malicious links.…
Repellent Scorpius is a newly emerged ransomware-as-a-service (RaaS) group distributing Cicada3301 ransomware, first identified in May 2024. The group employs a double extortion scheme, encrypting data and threatening to publish it if the ransom is not paid. This report provides a technical analysis of their tactics, techniques, and procedures (TTPs), as well as insights into their operations and future plans.…
This article provides a comprehensive overview of North Korean threat groups under the Reconnaissance General Bureau (RGB) and their associated malware. It highlights the various operations these groups conduct, including espionage, financial crime, and destructive attacks. The article also discusses the detection and prevention capabilities of Palo Alto Networks Cortex XDR against these threats.…
Unit 42 researchers uncovered that the Chinese APT group, Stately Taurus, exploited Visual Studio Code in espionage operations targeting government entities in Southeast Asia. This novel technique involved using the embedded reverse shell feature of Visual Studio Code to gain unauthorized access to networks, marking its first observed use in the wild.…
The Unit 42 Managed Threat Hunting team has identified a variant of WikiLoader, known as WailingCrab, which is being delivered through SEO poisoning and spoofing of GlobalProtect VPN software. This article discusses the evasion techniques employed by WikiLoader, the specific tradecraft observed, and the implications for threat hunting and detection.…
This article investigates 19 newly released top-level domains (TLDs) that have been associated with various cyber threats, including phishing campaigns, distribution of unwanted programs, and torrenting websites. The study highlights the correlation between the availability of these TLDs and their exploitation by malicious actors, emphasizing the need for proactive monitoring and security measures to mitigate risks associated with new TLDs.…
Researchers have uncovered numerous scam campaigns utilizing deepfake videos of public figures to promote fraudulent investment schemes and giveaways. These campaigns, linked to a single threat actor group, target various countries and languages, leveraging deepfake technology to deceive potential victims. The analysis of the infrastructure behind these campaigns reveals a sophisticated network of newly registered domains and shared hosting services, complicating attribution and takedown efforts.…
The threat actor group Bling Libra, known for the ShinyHunters ransomware, has shifted tactics from selling stolen data to extorting victims. They gained access to an organization’s AWS environment using legitimate credentials obtained from public repositories. Despite limited permissions, they conducted reconnaissance and deleted data from S3 buckets, ultimately sending an extortion email to the victim.…
This article discusses the implementation of a deep learning method to detect malicious DNS traffic patterns. By profiling DNS traffic, the Palo Alto Networks Advanced DNS Security service can identify suspicious domains and block malicious requests in real-time. The article highlights various detection techniques, including classification, clustering, and anomaly detection, to uncover different types of cyberattacks and their associated DNS behaviors.…
Unit 42 researchers uncovered a cloud extortion campaign that exploited misconfigurations, particularly exposed environment variable files (.env files), to compromise and extort multiple organizations. The attackers utilized various tactics, including scanning for sensitive information and leveraging cloud services, to execute their operations and ransom data without encryption.…
This research highlights vulnerabilities in GitHub repositories related to the misuse of GitHub Actions artifacts, which can lead to the exposure of sensitive tokens and potential compromise of cloud environments. It emphasizes the risks associated with misconfigurations in CI/CD workflows and the importance of securing these artifacts to prevent unauthorized access to repositories and services.…
The article discusses a campaign by the Russian threat actor Fighting Ursa, which used a car advertisement as a lure to distribute the HeadLace backdoor malware targeting diplomats. The campaign began in March 2024 and involved sophisticated tactics, including the use of legitimate services to host malicious content.…
Executive Summary
In this post, we explore the evolution of domain registration and network attacks associated with terms related to generative AI (GenAI). These trends are strongly correlated with the key milestones and developments in GenAI, such as the launch of ChatGPT and its integration into the Bing search engine, and the buzz of interest around these events.…
In this post, we share information about how security professionals can take analysis shortcuts to quickly triage and analyze multiple malware samples. Within minutes, we can determine the malware families from a group of samples, parse the embedded configuration and extract the associated network indicators of compromise (IoCs).…