For each discovered drive, ROADSWEEP will initialize a new thread which is responsible for encrypting all files within that drive. This thread enumerates the file system using the Windows FindFirstFileW and FindNextFileW APIs. For each root directory, a ransomware note is created with the content and filename noted above.…
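The per-drive enumeration described above leaves a distinctive trace: one process writing a file with the same name into the root of every volume within seconds. The following is an added example, not code from the ROADSWEEP write-up, that turns that pattern into a check over file-creation records of the shape Sysmon Event ID 11 produces. The records, the process path and the note filename are all constructed for illustration (the real note name is not reproduced here).

```python
"""Flag a process that drops the same filename into the root of several drives.

Added example; the events below are constructed and the note name, image path
and timestamps are placeholders, not indicators from the ROADSWEEP report.
"""
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed file-creation events: (ISO timestamp, creating image, created file).
SAMPLE_FILE_EVENTS = [
    ("2022-07-25T10:00:01", "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe", "C:\\HOW_TO_RECOVER.txt"),
    ("2022-07-25T10:00:01", "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe", "C:\\Users\\u\\Documents\\report.docx.locked"),
    ("2022-07-25T10:00:02", "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe", "D:\\HOW_TO_RECOVER.txt"),
    ("2022-07-25T10:00:02", "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe", "E:\\HOW_TO_RECOVER.txt"),
    ("2022-07-25T10:00:03", "C:\\Windows\\explorer.exe", "C:\\Users\\u\\Desktop\\notes.txt"),
    # A legitimate backup agent also writes to several drive roots, but an hour apart.
    ("2022-07-25T10:30:00", "C:\\Program Files\\Backup\\backup.exe", "D:\\backup.log"),
    ("2022-07-25T11:30:00", "C:\\Program Files\\Backup\\backup.exe", "E:\\backup.log"),
]


def is_drive_root_file(path: str) -> bool:
    """True when the path is a file directly under a drive root, e.g. D:\\note.txt."""
    p = PureWindowsPath(path)
    return len(p.parts) == 2 and p.drive != "" and p.name != ""


def find_note_fanout(events, min_drives=2, window_seconds=60):
    """Return {(image, filename): [drives]} for every process that created a file
    with the same (case-insensitive) name in the root of at least `min_drives`
    drives within `window_seconds`. The time window is what separates a
    ransomware note drop from slow, legitimate per-volume housekeeping."""
    seen = defaultdict(list)  # (image, lowercased filename) -> [(time, drive)]
    for ts, image, target in events:
        if not is_drive_root_file(target):
            continue
        p = PureWindowsPath(target)
        seen[(image, p.name.lower())].append((datetime.fromisoformat(ts), p.drive.upper()))

    hits = {}
    for key, rows in seen.items():
        rows.sort()
        # Slide a window anchored at each creation and count distinct drives in it.
        for i, (t0, _) in enumerate(rows):
            drives = {d for t, d in rows[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(drives) >= min_drives:
                hits[key] = sorted(drives)
                break
    return hits


if __name__ == "__main__":
    for (image, name), drives in find_note_fanout(SAMPLE_FILE_EVENTS).items():
        print(f"{image} wrote {name} to drive roots {', '.join(drives)}")
```

The window matters: with the default 60 seconds only the constructed `svc.exe` fires; widening it to two hours also catches the backup agent, which is the false positive an analyst would expect to tune away.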
By Edmund Brumaghin, Azim Khodjibaev and Matt Thaxton, with contributions from Arnaud Zobec.
Executive Summary
Dark Utilities, released in early 2022, is a platform that provides full-featured C2 capabilities to adversaries. It is marketed as a means to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems.…
The ASEC analysis team has discovered the continuous distribution of malicious Word files with North Korea-related materials. The types of discovered Word files included the one discussed in the “Overall Organizational Analysis Report of 2021 Kimsuky Attack Word Files” (AhnLab TIP) and ‘Word Files Related to Diplomacy and National Defense Being Distributed‘.…
This blog post was authored by Ankur Saini and Hossein Jazi
The Malwarebytes Threat Intelligence team has identified a new Remote Access Trojan we are calling Woody Rat that has been in the wild for at least one year.
This advanced custom Rat is mainly the work of a threat actor that targets Russian entities by using lures in archive file format and more recently Office documents leveraging the Follina vulnerability.…
FortiGuard Labs has been tracking a rapidly evolving IoT malware family known as “RapperBot” since mid-June 2022. This family borrows heavily from the original Mirai source code, but what separates it from other IoT malware families is its built-in capability to brute force credentials and gain access to SSH servers instead of Telnet as implemented in Mirai.…
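SSH credential brute forcing of the kind described above is visible on the victim side in OpenSSH's authentication log. The following is an added example, not FortiGuard's code, that parses sshd log lines and reports sources with a burst of password failures across several usernames, and whether a password login from that source succeeded afterwards. The log lines are constructed for this example, not captured from RapperBot; the threshold and window are illustrative choices.

```python
"""Detect SSH password brute forcing in sshd auth-log lines.

Added example with constructed log lines; the IPs are documentation ranges and
the threshold/window values are illustrative, not tuned to a real campaign.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Jul 25 10:00:01 edge sshd[4120]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jul 25 10:00:02 edge sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jul 25 10:00:02 edge sshd[4122]: Failed password for invalid user pi from 203.0.113.7 port 51024 ssh2
Jul 25 10:00:03 edge sshd[4123]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jul 25 10:00:04 edge sshd[4124]: Failed password for invalid user ubnt from 203.0.113.7 port 51026 ssh2
Jul 25 10:00:05 edge sshd[4125]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Jul 25 10:03:00 edge sshd[4130]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Jul 25 10:03:10 edge sshd[4131]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9.]+) port \d+"
)


def parse_auth_log(text, year=2022):
    """Return (time, result, method, user, ip) tuples; syslog lines carry no year,
    so one is supplied by the caller."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Per source IP with >= `threshold` password failures inside `window_seconds`:
    the densest failure count, the usernames tried, and any password logins
    accepted from that IP at or after its last failure (a guess that worked)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[4]].append(ev)

    report = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed" and e[2] == "password"]
        best = 0
        for i, f in enumerate(fails):
            n = sum(1 for g in fails[i:] if (g[0] - f[0]).total_seconds() <= window_seconds)
            best = max(best, n)
        if best < threshold:
            continue
        last_fail = fails[-1][0]
        success_after = [e[3] for e in evs
                         if e[1] == "Accepted" and e[2] == "password" and e[0] >= last_fail]
        report[ip] = {
            "failures_in_window": best,
            "users": sorted({f[3] for f in fails}),
            "password_success_after": success_after,
        }
    return report


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

Only password-method failures are counted, so a user fumbling a key passphrase does not trip the rule; a single source cycling through `root`, `admin`, `pi` and `ubnt` in four seconds does, and the accepted password login that follows is the event worth paging on.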
Executive Summary
Among the threat actors distributing Bumblebee is Projector Libra. Also known as EXOTIC LILY, Projector Libra is a criminal group that uses file sharing services to distribute malware after direct email correspondence with a potential victim.…
LockBit has been receiving a fair share of attention recently. Last week, SentinelLabs reported on LockBit 3.0 (aka LockBit Black), describing how the latest iteration of this increasingly prevalent RaaS implemented a series of anti-analysis and anti-debugging routines. Our research was quickly followed up by others reporting similar findings.…
Key points from our research:
Robin Banks is a phishing-as-a-service (PhaaS) platform, first seen in March 2022, selling ready-made phishing kits to cyber criminals aiming to gain access to the financial information of individuals residing in the U.S., as well as the U.K., Canada, and Australia.…
By: Joshua Platt and Jason Reaves
PrivateLoader[1,2,3,4] continues to function as an effective loading service, recently leveraging the use of SmokeLoader for their loads.
A recent sample of their SmokeLoader can be seen here (b01195c3e828d9a79c958e4c810a363d804d51996337db89a5d248096846b27a); the C2 domains for the sample are a hallmark for PrivateLoader:
host-file-host6.com
host-host-file8.com
…
Cyble Research Labs has been actively monitoring various Stealers and blogging about them to keep our readers aware and informed. Recently, we came across a malware sample which turned out to be a new malware variant named “LOLI Stealer.”
LOLI Stealer is an Info Stealer that steals sensitive information such as passwords, cookies, screenshots, etc.,…
In this blog, the Qualys Research Team explains the mechanics of a Linux malware variant named BPFdoor. We then demonstrate the efficacy of Qualys Custom Assessment and Remediation to detect it, and Qualys Multi-Vector EDR to protect against it.
BPFDoor is a Linux/Unix backdoor that allows threat actors to remotely connect to a Linux shell to gain complete access to a compromised device.…
Industrial Spy is a relatively new ransomware group that emerged in April 2022. In some instances, the threat group appears to only exfiltrate and ransom data, while in other cases they encrypt, exfiltrate and ransom data. Industrial Spy started as a data extortion marketplace where criminals could buy large companies’ internal data; they promoted this marketplace using README.txt…
This blog entry offers a technical analysis of a new SolidBit variant that is posing as different applications to lure gamers and social media users. The SolidBit ransomware group appears to be planning to expand its operations through these fraudulent apps and its recruitment of ransomware-as-a-service affiliates.…
The popularity of Cryptocurrency has increased exponentially over the recent years as dealing with crypto has become relatively hassle-free and more accessible. The financial returns of crypto investments have attracted many investors to invest in crypto markets.
As the demand for crypto investment has increased over the years, we can also see a corresponding rise in the number of crypto wallets.…
RedLine is a stealer distributed as cracked games, applications, and services.
The malware steals information from web browsers, cryptocurrency wallets, and applications such as FileZilla, Discord, Steam, Telegram, and VPN clients. The binary also gathers data about the infected machine, such as the running processes, antivirus products, installed programs, the Windows product name, the processor architecture, etc.…
This paper investigates a recent Emotet intrusion and details how the final Emotet payload is installed onto the system. The key observations are:
Obfuscated Excel macros used to download and run the Emotet loader. Emotet loader executed using regsvr32.exe. Encrypted Emotet payload embedded in loader’s .rsrc…
A few months ago, we reported on an interesting site called the Chameleon Phishing Page. These websites have the capability to change their background and logo depending on the user’s domain. The phishing site is stored in IPFS (InterPlanetary File System) and after reviewing the URLs used by the attacker, we noticed an increasing number of phishing emails containing IPFS URLs as their payload. …
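Two of the Emotet observations listed above (an Excel macro launches the loader; the loader runs through regsvr32.exe) reduce to one process-tree check: regsvr32.exe with an Office application as its parent. The following is an added example, not code from the paper, that applies that check to process-creation records of the shape Sysmon Event ID 1 produces. The records are constructed; the extra heuristic that rates a registered module under a user-writable directory as higher severity is an illustrative addition, not something the excerpt states.

```python
"""Flag regsvr32.exe launched by an Office application.

Added example over constructed process-creation records; the user-writable
directory heuristic is an illustrative severity hint, not from the source paper.
"""
import re
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Assumed set of locations a macro can write to without elevation.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed records in Sysmon Event ID 1 field names.
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "C:\\Windows\\System32\\regsvr32.exe /S C:\\Users\\u\\AppData\\Local\\Temp\\ld.dll"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s \"C:\\Program Files\\Vendor\\plugin.dll\""},
    {"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s \"C:\\Program Files\\Vendor\\addin.dll\""},
]


def extract_module(cmdline):
    """Return the module path from a regsvr32 command line: the first argument
    after the image that is not a switch (/s, /u, /n, /i:..., -s ...).
    Quoted and unquoted paths are both handled."""
    tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    for tok in tokens[1:]:
        if tok.startswith(("/", "-")):
            continue
        return tok
    return None


def in_user_writable_dir(path):
    return path is not None and path.lower().startswith(USER_WRITABLE_PREFIXES)


def detect_office_regsvr32(events):
    """One alert per regsvr32.exe whose parent is an Office process. Severity is
    'high' when the registered module sits in a user-writable directory."""
    alerts = []
    for ev in events:
        parent = PureWindowsPath(ev["ParentImage"]).name.lower()
        image = PureWindowsPath(ev["Image"]).name.lower()
        if parent not in OFFICE_PARENTS or image != "regsvr32.exe":
            continue
        module = extract_module(ev["CommandLine"])
        alerts.append({
            "parent": parent,
            "module": module,
            "severity": "high" if in_user_writable_dir(module) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in detect_office_regsvr32(SAMPLE_PROCESS_EVENTS):
        print(a)
```

The parent check carries the detection; the module path only ranks it. Excel spawning regsvr32 against a DLL in a user's Temp directory is the loader step the paper describes, while the same child registering a vendor add-in under Program Files is the kind of medium-severity hit that a baseline of known add-ins can suppress.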
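A phishing page stored in IPFS is reached through a public gateway, and gateway URLs come in two shapes: path style (https://gateway/ipfs/CID/...) and subdomain style (https://CID.ipfs.gateway/...). The following is an added example, not code from the Chameleon Phishing Page item above, that pulls both shapes out of an email body and extracts the content identifier, which is the pivot that stays constant when the attacker moves between gateways. The email body is constructed; its CIDs are syntactically valid placeholders (a 46-character base58 CIDv0 and a 59-character base32 CIDv1), not addresses of real content.

```python
"""Extract IPFS gateway links and their CIDs from email text.

Added example; the email body and the two CIDs in it are constructed
placeholders, not indicators taken from a real campaign.
"""
import re
from urllib.parse import urlparse

# CIDv0: "Qm" + 44 base58 chars. CIDv1 (base32, lowercase): "b" + base32 chars.
CID_RE = r"(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{50,})"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
PATH_STYLE = re.compile(rf"^/ipfs/({CID_RE})(?:/|$)")
SUBDOMAIN_STYLE = re.compile(rf"^({CID_RE})\.ipfs\.([^/]+)$")

SAMPLE_CID_V0 = "QmZ3x9aBcD5eFgH7jKmNpQ2rStUvW4xYz6AbCdEfGhJkLm"           # constructed
SAMPLE_CID_V1 = "bafybeia2b3c4d5e6f7g2h3j4k5m6n7p2q3r4s5t6u7v2w3x4y5z6a7b2c3"  # constructed

SAMPLE_EMAIL = f"""\
Your mailbox storage is almost full. Review your account here:
https://ipfs.io/ipfs/{SAMPLE_CID_V0}/login.html
Mirror: https://{SAMPLE_CID_V1}.ipfs.dweb.link/index.html?e=user@example.com
Unsubscribe: https://www.example.com/ipfs-news/2022
"""


def find_ipfs_links(text):
    """Return one dict per IPFS-hosted URL: the URL, the gateway host,
    the CID and which gateway style was used."""
    hits = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")           # trailing punctuation from prose
        parsed = urlparse(url)
        host = parsed.hostname or ""       # already lowercased by urlparse
        m = PATH_STYLE.match(parsed.path)
        if m:
            hits.append({"url": url, "gateway": host, "cid": m.group(1), "style": "path"})
            continue
        m = SUBDOMAIN_STYLE.match(host)
        if m:
            hits.append({"url": url, "gateway": m.group(2), "cid": m.group(1), "style": "subdomain"})
    return hits


def distinct_cids(text):
    """The CIDs alone, deduplicated: the stable indicator across gateways."""
    return sorted({h["cid"] for h in find_ipfs_links(text)})


if __name__ == "__main__":
    for h in find_ipfs_links(SAMPLE_EMAIL):
        print(h["style"], h["gateway"], h["cid"])
```

Blocking `ipfs.io` alone does not help once the sender switches to another gateway, which is why the function keeps the CID separate from the host: the same CID behind `dweb.link`, `ipfs.io` or any other gateway is the same phishing page.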
July 25, 2022
The sample today is an Office Document. Sha256: 2cc30a017cf7312c737be593f36f2d84dd38c285a75512c9ab2e78f0bc1ba48b
Found Here on InQuest Labs.
We see the lure here trying to get the user to enable content in order to run whatever surprise they have hidden inside. After viewing these in a hex editor to see what I am dealing with I usually decompress them and look through the folder system.…
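An Office Open XML file is a zip container, so the "decompress and look through the folder system" step can be scripted. The following is an added example, not the author's own tooling, that opens the container, lists its parts, and reports the indicators that explain an "enable content" lure: a macro-enabled content type in [Content_Types].xml and a vbaProject.bin part whose header is an OLE compound file. The document it inspects is constructed in memory (a minimal macro-enabled layout), not the sample referenced above.

```python
"""Triage an Office Open XML container for macro indicators.

Added example; build_sample_ooxml() fabricates a minimal document in memory so
the triage runs offline. It is not the sample analysed on the page.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header of the vbaProject.bin compound file
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"


def build_sample_ooxml(with_macros=True):
    """Constructed stand-in for a .docm (with_macros) or .docx (without)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_macros:
        overrides += '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", f'<Types xmlns="{CT_NS}">{overrides}</Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)  # placeholder body
    return buf.getvalue()


def triage_ooxml(data):
    """Open the container and report its parts plus macro indicators."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        content_types = z.read("[Content_Types].xml").decode("utf-8", "replace").lower()
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        vba_is_ole = bool(vba_parts) and all(z.read(n)[:8] == OLE_MAGIC for n in vba_parts)

    if any(n.startswith("word/") for n in names):
        app = "word"
    elif any(n.startswith("xl/") for n in names):
        app = "excel"
    elif any(n.startswith("ppt/") for n in names):
        app = "powerpoint"
    else:
        app = "unknown"

    return {
        "app": app,
        "parts": names,
        "macro_enabled_content_type": "macroenabled" in content_types,
        "vba_parts": vba_parts,
        "vba_is_ole": vba_is_ole,
        "has_macros": bool(vba_parts),
    }


if __name__ == "__main__":
    for label, doc in (("macro-enabled", build_sample_ooxml(True)), ("clean", build_sample_ooxml(False))):
        print(label, triage_ooxml(doc))
```

A vbaProject.bin that is present but does not start with the OLE header is itself worth a closer look, since Word will not run it but a sandbox scoring on filename alone might still flag it; the function keeps that case visible by reporting `vba_is_ole` separately from `has_macros`.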