Stay Ahead of Cyber Threats – Daily Security Insights, Powered by AI
By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
Last Updated: July 20, 2022
IntroductionThe Securonix Threat Research (STR) team has been observing and investigating a new attack campaign exploiting high-value targets, including Czech Republic, Poland, and other countries. The attack campaign has been tracked by STR as STIFF#BIZON.…
The ASEC analysis team has been monitoring attacks that are targeting vulnerable systems. This post will discuss cases of attacks targeting vulnerable Atlassian Confluence Servers that are not patched.
Atlassian’s Confluence is a major collaboration platform used by many companies across the globe. Being a web-based platform, services such as managing projects and collaboration are mainly provided by Confluence Servers (or Confluence Data Centers).…
In April 2022, ESET researchers discovered a previously unknown macOS backdoor that spies on users of the compromised Mac and exclusively uses public cloud storage services to communicate back and forth with its operators. Following analysis, we named it CloudMensis. Its capabilities clearly show that the intent of its operators is to gather information from the victims’ Macs by exfiltrating documents, keystrokes, and screen captures.…
July 21, 2022
Bryan Campbell, Pim Trouerbach, Selena Larson and the Proofpoint Threat Research Team
Key FindingsTA4563 is a threat actor leveraging EvilNum malware to target European financial and investment entities, especially those with operations supporting foreign exchanges, cryptocurrency, and decentralized finance (DeFi). EvilNum is a backdoor that can be used for data theft or to load additional payloads.…By Jim Walter & Aleksandar Milenkoski
LockBit 3.0 ransomware (aka LockBit Black) is an evolution of the prolific LockBit ransomware-as-a-service (RaaS) family, which has roots that extend back to BlackMatter and related entities. After critical bugs were discovered in LockBit 2.0 in March 2022, the authors began work on updating their encryption routines and adding several new features designed to thwart researchers.…
Lightning Framework is a new undetected Swiss Army Knife-like Linux malware that has modular plugins and the ability to install rootkits.
Year after year Linux environments increasingly become the target of malware due to continued threat actor interest in the space. Malware targeting Linux environments surged in 2021, with a large amount of innovation resulting in new malicious code, especially in ransomwares, trojans, and botnets.…
Upon execution of Base-Update.exe, it proceeds to download, Base64-decode, and execute another time stomped downloader written in Go from http://194.31.98.124:443/i with the arguments –a 0CyCcrhI/6B5wKE8XLOd+w==:
%TEMP%java-sdk.exe (MD5: 36ff9ec87c458d6d76b2afbd5120dfae)Downloader written in Go Base64 encoded – MD5: 2f14b3d5ab01568e2707925783f8eafe Compile time: 1970-01-01 00:00:00 C&C: 194.31.98.124:443Java-sdk.exe sets persistence for itself via setting a Run registry key.…
Fortinet’s FortiGuard Labs captured a phishing email as part of a phishing campaign spreading a new variant of QakBot. Also known as QBot, QuackBot, or Pinkslipbot, QakBot is an information stealer and banking Trojan that has been captured and analyzed by security researchers since 2007.
I performed a deep analysis on this phishing campaign and the new QakBot variant using the captured email.…
Amadey Bot, a malware that was first discovered in 2018, is capable of stealing information and installing additional malware by receiving commands from the attacker. Like other malware strains, it has been sold in illegal forums and used by various attackers.
The ASEC analysis team previously revealed cases where Amadey was used on attacks in the ASEC blog posted in 2019 (English version unavailable).…
Published On : 2022-07-13
NukeSped RAT ReportSuspected Malware: NukeSped MalwareFunction: RATRisk Score: 8Confidence Level: HighThreat actor Associations: Lazarus Group (North Korea)
Executive Summary:The NukeSped malware is a remote access trojan (RAT) and has been attributed to the threat actor Lazarus Group. The group has been active since 2009 and remain active in 2022 and continue its operation to target countries mainly in Asia Pacific Region.…
Cyble Research Labs has constantly been tracking emerging threats as well as their delivery mechanisms from Ransomware groups, RATs, etc. During a routine threat-hunting exercise, we came across the latest version of Redeemer ransomware on darkweb cybercrime forums. The below figure shows a post made by the Redeemer Ransomware Developer named “Cerebrate” on a cybercrime forum.…
Summary
Actions to take today:
• Install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat all affected VMware systems as compromised.…
Over the last month a crimeware group best known as 8220 Gang has expanded their botnet to roughly 30,000 hosts globally through the use of Linux and common cloud application vulnerabilities and poorly secured configurations. In a recent campaign, the group was observed making use of a new version of the IRC botnet, PwnRig cryptocurrency miner, and its generic infection script.…
This post is also available in: 日本語 (Japanese)
Executive SummaryInstalling a web shell on a web server is a common approach malware authors take to launch exploits or run commands remotely. In November 2020, the INJ3CTOR3 operation targeted the Sangoma PBX, a popular VoIP PBX system, by installing a web shell on its web server.…
Cybercriminals are always looking for innovative techniques to evade security solutions. Based on the Resecurity® HUNTER assessment, attackers are actively leveraging tools allowing them to generate malicious shortcut files (.LNK files) for payload delivery.
Resecurity, Inc. (USA), a Los Angeles-based cybersecurity company protecting Fortune 500’s worldwide, has detected an update to one of them most popular tools used by cybercriminals.…
This post is also available in: 日本語 (Japanese)
Executive SummaryOrganizations around the world rely on the use of trusted, reliable online storage services – such as DropBox and Google Drive – to conduct day-to-day operations. However, our latest research shows that threat actors are finding ways to take advantage of that trust to make their attacks extremely difficult to detect and prevent.…
Victim: Ministry of Agriculture Rebublic Indonesia Country : ID Actor: vicesociety Source: Discovered: 2022-06-27 21:44:54.942418
Description: Indonesia’s rich natural resources are influenced by its tropical climate and geographical location between two continents, Asia and Australia, and two oceans, the Pacific Ocean and the Indian Ocean. Therefore, Indonesia is known as an agrarian country with a variety of products from agriculture, plantations, livestock, fisheries and forestry.…
The Wordfence Threat Intelligence team has been monitoring a sudden increase in attack attempts targeting Kaswara Modern WPBakery Page Builder Addons. This ongoing campaign is attempting to take advantage of an arbitrary file upload vulnerability, tracked as CVE-2021-24284, which has been previously disclosed and has not been patched on the now closed plugin.…