We discovered active exploitation of a vulnerability in the Spring Framework designated as CVE-2022-22965 that allows malicious actors to download the Mirai botnet malware.

Trend Micro Threat Research observed active exploitation of the Spring4Shell vulnerability assigned as CVE-2022-22965, which allows malicious actors to weaponize and execute the Mirai botnet malware.…


Introduction

Credential-stealing malware is commonly observed in today's cyber-attack landscape. The Zscaler ThreatLabz team has discovered many new types of stealer malware across different attack campaigns. Stealers are malicious programs that threat actors use to collect sensitive information through various techniques, including keylogging and cookie stealing, and to send the stolen information to a command-and-control (C2) server. …


Over the last several years, the Cybereason Nocturnus Team has been tracking different APT groups operating in the Middle East region, including two main sub-groups of the Hamas cyberwarfare division: Molerats and APT-C-23. Both groups are Arabic-speaking and politically motivated, and operate on behalf of Hamas, the Palestinian Islamic-fundamentalist movement and terrorist organization that has controlled the Gaza Strip since 2006.…


As Russia’s invasion of Ukraine continues, new wiper malware has surfaced attacking Ukrainian infrastructure. CaddyWiper was first detected on March 14, 2022. It destroys user data and partition information on attached drives, and has been spotted on several dozen systems in a limited number of organizations. CaddyWiper has been deployed via GPO, suggesting the attackers had initially compromised the target’s Active Directory server.…


By Edmund Brumaghin, with contributions from Alex Karkins.

Ongoing malware distribution campaigns are using ISO disk images to deliver AsyncRAT, LimeRAT and other commodity malware to victims. The infections leverage process injection to evade detection by endpoint security software. These campaigns appear to be linked to a new version of the 3LOSH crypter, previously covered here.…

Introduction

Since Wednesday 2022-03-30, at least 16 samples of a specific Excel file have been submitted to VirusTotal. These malicious Excel files are distributed as email attachments. Post-infection traffic triggers signatures for Win32/MetaStealer Related Activity from the EmergingThreats Pro (ETPRO) ruleset. This infection process uses data binaries to create the malicious EXE and DLL files used for the infection.…

This blog post was authored by Ankur Saini, with contributions from Hossein Jazi and Jérôme Segura

(2022-04-07): Added MITRE ATT&CK mappings

(2022-04-07): Changed the name of the final payload from Vidar to Mars Stealer

Colibri Loader is a relatively new piece of malware that first appeared on underground forums in August 2021 and was advertised to “people who have large volumes of traffic and lack of time to work out the material”.…


Last week, the ASEC analysis team published a post named “Malicious Word File Targeting Corporate Users Being Distributed” that contained information about a malicious Word file. Currently, documents of the same type are being distributed with text that impersonates AhnLab. The Word files confirmed this time download another Word file containing a malicious VBA macro from an external URL and run it.…


1. Incident Overview

In February 2022, the QiAnXin Virus Response Center's mobile security team noticed that, since June 2021, an APT group with a background in a certain South Asian country has been conducting organized, planned and targeted military espionage operations primarily against the Pakistani military. In just nine months of attacks, the group has affected dozens of Pakistani military personnel. The victims are mainly from Pakistan's Frontier Corps (FC) and Special Service Group (SSG), especially the Frontier Corps Balochistan (FC BLN); a small number of Federal Investigation Agency (FIA) and police personnel were also affected. The attacks also affected a small number of Nepalese individuals, but domestic users in China were not affected.

Figure 1.1 Distribution of affected countries

The group typically locates targets of interest on public social platforms, then uses sexually suggestive chat and similar lures to induce the target into installing a designated decoy chat application as a phishing attack. The attackers also once published the malicious chat application on a well-known foreign app store platform, but the relevant link is no longer accessible. As of the publication of this report, all of the group's attack activity we have intercepted was carried out via the Android platform; no attacks via the Windows platform have been found. In total we captured 8 malicious application download servers, from which at least 5 different Android attack samples could be downloaded. All samples are purpose-built chat applications containing malicious code. We have named all of these captured malicious samples VajraSpy.

Analysis of multiple clues, including attack activity characteristics, sample coding style and C2 server architecture, indicates that the group has the backing of the government of a regional power in South Asia, yet shows no significant connection to other APT groups active in the region, such as SideWinder, Bitter and Donot (only a small degree of similarity with Donot exists); it has strong independence and distinctive characteristics. We therefore assess it to be a new APT group active in South Asia. We have named it VajraEleph (Chinese name 金刚象), group number APT-Q-43. VajraEleph is the 15th APT group independently discovered and first disclosed by QiAnXin.

2. Payload Delivery

Joint tracking and analysis by the QiAnXin Virus Response Center's mobile security team and the QiAnXin Threat Intelligence Platform (https://ti.qianxin.com/) found that the earliest activity of the VajraEleph group can be traced back to June 2021. The figure below shows the earliest payload server information we intercepted from the group.

Figure 2.1 Screenshot of the earliest payload server domain discovered (domain registered through NameSilo)

In the group's early attacks, a "short link" to the payload download address was typically sent to the target via WhatsApp or other social software. Later, as the major social platforms began blocking such links, the group switched to delivering the short links to targets as images.

Payload short link            Actual download address
https://cutt.ly/qIrgCKo       https://appz.live/ichfghbtt/crazy.apk
https://bit.ly/3BrCxNU        https://appzshare.digital/coufgtdjvi/ZongChat(Beta).apk
https://bit.ly/39roCMd        https://apzshare.club/poahbcyskdh/cable.apk
https://rebrand.ly/Cable_v2   https://appzshare.club/poahbcyskdh/cable.apk

Table 1 Payload delivery short links discovered and their corresponding actual download addresses

The payload domains used by the group were all registered less than a year ago, mainly through the registrars NameSilo and NameCheap. This resembles the recent activity of Donot, another advanced attack group active in South Asia.

Figure 2.2 WHOIS information for some of the payload domain servers

3. Attack Targets

The VajraEleph group has a clear intent to steal military intelligence, mainly targeting Pakistani military personnel; dozens of personnel across several branches of the armed forces have been affected. Below are some of the photos and documents stolen from victims' phones that we recovered from the attackers' C2 server.

Figure 3.1 Photos stolen from Pakistan Frontier Corps (FC) personnel

Figure 3.2 Photos stolen from Frontier Corps Balochistan (FC BLN) personnel

Figure 3.3 Documents stolen from Frontier Corps Balochistan personnel

Figure 3.4 Photos stolen from Pakistan Special Service Group (SSG) personnel

Figure 3.5 Photos stolen from Pakistani police

Figure 3.6 Documents stolen from Pakistani police

Figure 3.7 Photos stolen from Pakistan Federal Investigation Agency (FIA) personnel

Figure 3.8 Stolen documents concerning the Chief of Army Staff (COAS)

4. Technical Analysis

Our analysis found that the attack RATs deployed by the VajraEleph group so far all target the Android platform. The group's RAT is highly customized; we have named it VajraSpy. VajraSpy supports all the classic espionage functions and stores the stolen data in designated Google cloud storage.

Function                                                   File name used to store the stolen data
Steal call logs                                            logs.json
Steal contacts                                             contacts.json
Steal SMS messages                                         sms.json
Steal 15 file types from specified SD card directories     files/<file name>
Steal notification bar messages                            noti/<13-digit timestamp>.json
…


Between February and March 2022, our FortiGuard Labs team observed that the Beastmode (aka B3astmode) Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Five new exploits were added within a month, with three targeting various models of TOTOLINK routers.

This inclusion of TOTOLINK exploits is especially noteworthy as they were added just a week after the exploit codes were published on GitHub.…
