Zscaler ThreatLabz researchers recently encountered a significant number of websites associated with fraudulent activities being hosted on popular web hosting and blogging platforms. Threat actors intentionally create these sites to spread malware by using the proliferation of web hosting platforms to manipulate search engine results – something called SEO poisoning, a subset of Black Hat SEO techniques.…
Author: ZScaler
Introduction
Read More
Recently, a zero-day command-injection vulnerability, assigned to CVE-2024-3400, was found in the Palo Alto Networks PAN-OS. It was assigned the maximum severity score of 10.0 and can be exploited by an unauthenticated user to run arbitrary commands on the target system with root privileges.
Volexity was the first to identify and report the vulnerability.…
Introduction
Read More
Pikabot is a malware loader that originally emerged in early 2023 with one of the prominent features being the code obfuscation that it leverages to evade detection and thwart technical analysis. Pikabot employed the obfuscation method to encrypt binary strings, including the address of the command-and-control (C2) servers.…
Introduction
Read More
On February 19, 2024, ConnectWise released an advisory disclosing critical vulnerabilities impacting ScreenConnect Remote Monitoring and Management (RMM) software. The first vulnerability, tracked as CVE-2024-1709, allows threat actors to bypass authentication and exploit a second vulnerability, CVE-2024-1708. The second vulnerability is a path traversal flaw that enables attackers to upload a malicious file, potentially leading to Remote Code Execution (RCE) on affected versions of ScreenConnect instances.…
Introduction
Read More
Beginning in December 2023, Zscaler’s ThreatLabz discovered a threat actor creating fraudulent Skype, Google Meet, and Zoom websites to spread malware. The threat actor spreads SpyNote RAT to Android users and NjRAT and DCRat to Windows users. This article describes and shows how the threat actor’s malicious URLs and files can be identified on these fraudulent online meeting websites.…
Introduction
Read More
Zscaler’s ThreatLabz discovered a suspicious PDF file uploaded to VirusTotal from Latvia on January 30th, 2024. This PDF file is masqueraded as an invitation letter from the Ambassador of India, inviting diplomats to a wine-tasting event in February 2024. The PDF also included a link to a fake questionnaire that redirects users to a malicious ZIP archive hosted on a compromised site, initiating the infection chain.…
Introduction
Read More
Pikabot is a malware loader that originally emerged in early 2023. Over the past year, ThreatLabz has been tracking the development of Pikabot and its modus operandi. There was a significant increase in usage of Pikabot in the second half of 2023, following the FBI-led takedown of Qakbot.…
Introduction
Read More
Qakbot (aka QBot or Pinkslipbot) is a malware trojan that has been used to operate one of the oldest and longest running cybercriminal enterprises. Qakbot has evolved from a banking trojan to a malware implant that can be used for lateral movement and the eventual deployment of ransomware.…
Introduction
Read More
Zloader (aka Terdot, DELoader, or Silent Night), is a modular trojan born from the leaked Zeus source code. It surfaced publicly in 2016 during a targeted campaign against German banks1, but its malicious activity traces back to at least August 2015. Zloader’s first run persisted until the beginning of 2018 when its activities abruptly ceased.…
Introduction
Read More
Zscaler’s ThreatLabz research team has been tracking the Linux-based malware family known as DreamBus. Not much has changed in the last few years other than minor bug fixes, and slight modifications to evade detection from security software. However, in the last 6 months, the threat actor operating DreamBus has introduced two new modules to target vulnerabilities in Metabase and Apache RocketMQ.…
Introduction
Read More
First discovered in 2014, Agent Tesla is an advanced keylogger with features like clipboard logging, screen keylogging, screen capturing, and extracting stored passwords from different web browsers. Recently, Zscaler ThreatLabz detected a threat campaign where threat actors leverage CVE-2017-11882 XLAM to spread Agent Tesla to users on vulnerable versions of Microsoft Office.…
Introduction
Read More
DarkGate is a malware family, dating back to 2018, that gained prominence after the demise of Qakbot with a Malware-as-a-Service (MaaS) offering advertised in underground cybercrime forums starting in the summer of 2023. This blog examines DarkGate intrusion trends observed by ThreatLabz between June and October 2023. …
Introduction
Read More
On November 8 2023, SysAid published an advisory for CVE-2023-47246 regarding a critical zero-day vulnerability on their SysAid On-Premise software. SysAid describes the vulnerability as a path traversal vulnerability leading to code execution for the same software. This blog includes immediate recommendations for SysAid On-Premise software customers, best practices for long-term protection against these kinds of vulnerabilities, and a brief analysis of the attack chain.…
Introduction
Read More
On October 11, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory for AvosLocker, which was a sophisticated double extortion Ransomware-as-a-Service (RaaS) group that was last observed being active in May 2023. Our research team put this report together so the security community can learn how to counteract other threats that employ similar tactics and procedures (TTPs). …
Introduction
Read More
Mystic Stealer is a relatively new downloader and information stealer that emerged in early 2023. The malware harvests data from a large number of web browsers and cryptocurrency wallet applications. Mystic can also be used to steal Steam game credentials and arbitrary files from an infected system.…
Introduction
Read More
In early September, Zscaler ThreatLabz discovered a new Malware-as-a-Service (MaaS) threat called “BunnyLoader” being sold on various forums. BunnyLoader provides various functionalities such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more. BunnyLoader employs a keylogger to log keystrokes as and a clipper to monitor the victim’s clipboard and replace cryptocurrency wallet addresses with actor-controlled cryptocurrency wallet addresses.…
Introduction
Read More
In July 2023, Zscaler ThreatLabz discovered new malicious activity perpetuated by the Pakistan-based advanced persistent threat group (APT36). APT36 is a sophisticated cyber threat group with a history of conducting targeted espionage operations in South Asia. We observed APT36 targeting Indian government sectors using a previously undocumented Windows RAT, new cyber espionage utilities for Linux, new distribution mechanisms, and a new attack vector used against the Linux environment. …
Introduction
Read More
HijackLoader is a new malware loader, which has grown in popularity over the past few months. Even though HijackLoader does not contain advanced features, it is capable of using a variety of modules for code injection and execution since it uses a modular architecture, a feature that most loaders do not have.…
Introduction
Read More
The Zscaler ThreatLabz team recently observed a surge in tech-support scams, with a noteworthy focus on the utilization of Windows Action Center notifications to display misleading warning messages to users. While the majority of tech-support scams previously centered around counterfeit notifications related to Windows Defender, scammers have since expanded their tactics to include bogus web pages impersonating other security providers like McAfee and Avast. …
Introduction
Read More
Zscaler ThreatLabz recently discovered a new stealing campaign dubbed as the “Steal-It” campaign. In this campaign, the threat actors steal and exfiltrate NTLMv2 hashes using customized versions of Nishang’s Start-CaptureServer PowerShell script, executing various system commands, and exfiltrating the retrieved data via Mockbin APIs.
Through an in-depth analysis of the malicious payloads, our team observed a geofencing strategy employed by the campaign, with specific focus on targeting regions including Australia, Poland, and Belgium.…